When you shouldn’t trust a trusted root certificate

Root certificates are the cornerstone of authentication and security in software and on the Internet. They belong to a certificate authority (CA), and the certificates a CA issues under its root attest that a software publisher or website operator is who they say they are. We have talked about certificates in general before, but a recent event triggered our desire for further explanation of the ties between malware and certificates.

In a recent article by RSA FirstWatch, we learned that a popular USB audio driver had silently installed a root certificate. This self-signed root certificate was installed in the Trusted Root Certification Authorities store. Under normal circumstances, you would have to agree to “Always trust software from {this publisher}” before a certificate would be installed there.

However, the audio driver installer skipped the approval prompt (hence “silently” installing). The silent install was designed to accommodate Windows XP users, but because the installer was identical for every Windows version, it had the same effect on every release from XP up to Windows 10. Ironically, the certificate was not even needed to use the software; it was introduced only so that installation on Windows XP would complete without interruption.

Why is this a bad thing?

Root certificates can be trusted for specific purposes such as timestamping, server authentication, code signing, and so on. But this particular driver installed a certificate valid for “All” purposes. So any system with these drivers installed, from any of the vendors that ship them, will trust any certificate issued by the same CA for “All” purposes. Under normal circumstances, only a root issued by Microsoft would show “All” in the root certificate’s “Intended Purposes” field.

Having a certificate in the Trusted Root Certification Authorities store for “All” intended purposes on a Windows system gives anyone who holds the private key associated with that certificate the ability to completely own the system on which it is installed. The impact is the same as for any Certificate Authority (CA) whose root is installed on Windows systems.


One legitimate exception is an enterprise that deliberately deploys its own root so that it can decrypt outbound SSL/TLS traffic at the perimeter; there, the organisation controls the private key and knows what it is used for. Silently adding a root certificate not only breaks the hierarchical trust model of Windows, it also gives whoever holds the matching private key a lot of options for acting on any computer that has the certificate installed.

How can they be abused?

An attacker who gets hold of the private key belonging to a root certificate can generate certificates for his own purposes and sign them with that key. Any Windows system that already has the root certificate in its Trusted Root Certification Authorities store will then trust any certificate signed with the same private key, for “All” purposes. This applies to software applications, websites, and even email, so anything from a Man-in-the-Middle (MitM) attack to installing malware is possible. And as if this weren’t bad enough, security researchers at the University of Maryland found that simply copying an Authenticode signature from a legitimate file onto a known malware sample can cause antivirus products to stop detecting it, even though the result is an invalid signature.

Methods of abuse

Criminals have several ways of abusing certificates. They can:

Of all these methods, it stands to reason that stolen certificates, especially those intended for “All” purposes, are the most dangerous. So introducing one of these just because you want to install a driver or to enable easier customer support, and not letting the user know, is inadvisable at best.

If you think that the number of certificates in use by malware authors can’t be that large, have a look at the suspects that have been reported at the CCSS forum.

How can I remove certificates I don’t need or trust?

A list of known signing certificates being abused by threat actors is available at signedmalware.org. As explained earlier, signing certificates give criminals a lot of options for bypassing system protection mechanisms, which is why you might want to remove those from your machine. There is also a test site where you can check whether any of the software programs known to be open to an MitM attack in this way are active on your system.

To delete a trusted root certificate:

  • Open the Certificates snap-in for a user, computer, or service. You can do this by running certmgr.msc from the Run / Search programs box or from a command prompt. Note that certmgr.msc opens the current user’s stores; for the local computer’s stores, run certlm.msc (Windows 8.1 and later) or add the Certificates snap-in for the computer account in mmc.exe.
  • Select Trusted Root Certification Authorities.
  • Under this selection, open the Certificates store.
  • In the details pane on the right-hand side, select the line of the certificate that you want to delete. (To select multiple certificates, hold down control and click each certificate.)
  • Right click the selection you made and in the action menu, click delete.
  • Confirm your choice by clicking yes if you are completely sure that you want to permanently delete the certificate.

Please note that user certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.

You might want to back up the certificate by exporting it before you delete it. For the procedure to export a certificate, see export a certificate.

If you want to look at the Thumbprint of each certificate (the SHA-1 hash of the certificate, not to be confused with its serial number), you can use this PowerShell command to list the certificates in the Third-Party Root Certification Authorities store (AuthRoot), which holds the third-party roots Microsoft distributes through its root program:

Get-ChildItem -Path Cert:\CurrentUser\AuthRoot -Recurse | Select-Object Thumbprint, FriendlyName, Subject | ConvertTo-Html | Set-Content C:\Users\Public\Desktop\certificates.html

The store the audio driver’s certificate appeared in, Trusted Root Certification Authorities, is Cert:\CurrentUser\Root for the current user and Cert:\LocalMachine\Root for the whole machine; substitute either path to list those stores instead. The command creates an HTML file on the public desktop with one row per certificate, so you can look up the Friendly Name and Subject that belong to a Thumbprint.
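The listing and deletion steps above, combined into one script. This is an example added here for this article, not code from the original post or from RSA FirstWatch. It assumes PowerShell 3 or later (for the Cert: provider’s EnhancedKeyUsageList property) and the Export-Certificate cmdlet from the PKI module (Windows 8 / Server 2012 and later); the “Microsoft Corporation” subject match is my own heuristic for separating Microsoft’s roots from everything else, and Windows itself pre-loads a handful of third-party roots, so review the listing before removing anything.

```powershell
# Added example (not from the original article): audit both Trusted Root
# Certification Authorities stores for roots Microsoft did not issue, report
# whether each is self-signed and how its purposes are constrained, and remove
# one by thumbprint after backing it up.
# Run from an elevated PowerShell session to touch Cert:\LocalMachine\Root.

$RootStores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'

function Get-ThirdPartyRoot {
    # An installer running with administrative rights would normally write to
    # the machine store, a per-user installer to the user store; check both.
    foreach ($store in $RootStores) {
        Get-ChildItem -Path $store | Where-Object {
            # Heuristic (assumption): Microsoft's own roots carry
            # "Microsoft Corporation" in the Subject; everything else was added
            # by the Root Program, an administrator, or an installer.
            $_.Subject -notmatch 'Microsoft Corporation'
        } | ForEach-Object {
            $eku = $_.EnhancedKeyUsageList
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                # Subject equal to Issuer means self-signed, as the driver's root was.
                SelfSigned = ($_.Subject -eq $_.Issuer)
                NotAfter   = $_.NotAfter
                # Empty EKU list: the certificate itself carries no purpose
                # restriction, i.e. it is usable for all purposes. The
                # store-level "Intended Purposes" property shown by certmgr.msc
                # is a separate setting; check it there as well.
                Purposes   = if ($eku.Count -eq 0) { '<All>' } else { $eku.FriendlyName -join ', ' }
            }
        }
    }
}

function Remove-RootByThumbprint {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $BackupDir = "$env:PUBLIC\Desktop",
        [switch] $Force
    )
    foreach ($store in $RootStores) {
        $path = Join-Path $store $Thumbprint
        if (-not (Test-Path $path)) { continue }
        $cert   = Get-Item $path
        $backup = Join-Path $BackupDir "$Thumbprint.cer"
        # Export first so the removal can be undone with Import-Certificate.
        Export-Certificate -Cert $cert -FilePath $backup | Out-Null
        Write-Host "Backed up '$($cert.Subject)' from $store to $backup"
        # Without -Force this is a dry run: -WhatIf only reports what would go.
        Remove-Item -Path $path -WhatIf:(-not $Force)
    }
}

# Usage: list first, then remove a reviewed entry by its thumbprint.
Get-ThirdPartyRoot | Sort-Object Store, Subject | Format-Table -AutoSize
# Remove-RootByThumbprint -Thumbprint '<thumbprint from the listing>'         # dry run
# Remove-RootByThumbprint -Thumbprint '<thumbprint from the listing>' -Force  # delete
```

The dry run by default is deliberate: deleting a root that a legitimate enterprise proxy or a Windows component relies on breaks TLS connections and signature checks, so the script only deletes when -Force is passed and always leaves a .cer backup behind.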


For those that do like to keep an eye on things, there is a guide by Xavier Mertens for a piece of code that alerts you about changes in the certificate store.

Conclusion

Since root certificates are intended to heighten security, it should be clear to those issuing them that they should be treated as such, and not as something that they can install willy-nilly whenever it suits their needs. The whole point of prompting users is to establish a chain of trust that they should be able to rely on. And in this case, the prompt was bypassed only to enable installation on a no-longer-supported operating system. That both ruins user trust and introduces unnecessary security risk for a rather shallow reason.

The post When you shouldn’t trust a trusted root certificate appeared first on Malwarebytes Labs.

Author: Pieter Arntz

Vulnerability Spotlight: Multiple Remote Code Execution Vulnerabilities Within libxls

Vulnerabilities discovered by Marcin Noga of Cisco Talos

Talos is releasing seven new vulnerabilities discovered within the libxls library: TALOS-2017-0403, TALOS-2017-0404, TALOS-2017-0426, TALOS-2017-0460, TALOS-2017-0461, TALOS-2017-0462, and TALOS-2017-0463. These vulnerabilities result in remote code execution using specially crafted XLS files.

Overview

libxls is a C library, supported on Windows, Mac and Linux, that reads Microsoft Excel File Format (XLS) files from current XLS versions back to the Excel 97 (BIFF8) format.
It is used by the `readxl` package, which can be installed in the R programming language from the CRAN repository, and by the `xls2csv` tool.

Please note that the update is only available via svn currently.

Details

TALOS-2017-0403

An exploitable out-of-bounds write vulnerability exists in the xls_mergedCells function of libxls 1.4. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability; for example, it could be delivered by email as part of a phishing campaign to compromise the victim’s machine.
Full technical advisory is available here.

TALOS-2017-0404

An exploitable out-of-bounds write vulnerability exists in the read_MSAT function of libxls 1.4. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability; for example, it could be delivered by email as part of a phishing campaign to compromise the victim’s machine.
Full technical advisory is available here.

TALOS-2017-0426

An exploitable stack-based buffer overflow vulnerability exists in the xls_getfcell function of libxls 1.3.4. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability; for example, it could be delivered by email as part of a phishing campaign to compromise the victim’s machine.
NOTE: This vulnerability does not affect the readxl package that can be installed in the R programming language.
Full technical advisory is available here.

TALOS-2017-0460

An exploitable integer overflow vulnerability exists in the xls_preparseWorkSheet function of libxls 1.4 when handling a MULBLANK record. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability; for example, it could be delivered by email as part of a phishing campaign to compromise the victim’s machine.
Full technical advisory is available here.

TALOS-2017-0461

An exploitable integer overflow vulnerability exists in the xls_preparseWorkSheet function of libxls 1.4 when handling a MULRK record. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability; for example, it could be delivered by email as part of a phishing campaign to compromise the victim’s machine.
Full technical advisory is available here.

TALOS-2017-0462

An exploitable integer overflow vulnerability exists in the xls_appendSST function of libxls 1.4. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability; for example, it could be delivered by email as part of a phishing campaign to compromise the victim’s machine.
Full technical advisory is available here.

TALOS-2017-0463

An exploitable out-of-bounds vulnerability exists in the xls_addCell function of libxls 1.4. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability; for example, it could be delivered by email as part of a phishing campaign to compromise the victim’s machine.
NOTE: This vulnerability does not affect the readxl package that can be installed in the R programming language.
Full technical advisory is available here.
Product Website:

Author: Talos Group


New Android Trojan malware discovered in Google Play

A new piece of mobile malware has been discovered in Google Play masquerading as multiple apps: an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app. According to Google Play data, all were last updated between October and November 2017.  These dates are likely when they were added to Google Play, based on their low version numbers (e.g. 1.0, 1.0.1).

We named this new malware variant Android/Trojan.AsiaHitGroup based on a URL found within the code of these malicious APKs.


For the sake of discussion as we analyze this malware, let’s concentrate on just one of its associated apps, since they all share the same behavior. We will focus on a malicious QR scanner app named Qr code generator – Qr scanner.

Surface analysis of Trojan AsiaHitGroup

AsiaHitGroup has several layers of maliciousness. It starts innocently enough with an icon created on the mobile device after install. Click on the icon, and it opens a functioning QR scanner, as promised.


However, this QR scanner is short lived. You only get one chance to use the app, because after clicking out of it, the icon disappears! Out of frustration, you may immediately go to your apps list to uninstall this bizarrely behaving QR scanner, but good luck finding it. If you are looking under the Q’s for Qr code generator or Qr scanner, it’s not there. It’s not even under the icon’s name, Barcode reader, which is shown briefly before vanishing. Instead, this deceptive app is called Download Manager in the app list. Unless you know all the apps on your mobile device exceptionally well, it’s near impossible to discover this app name.

Diving deeper into Trojan AsiaHitGroup

If the behaviors listed above weren’t enough to conclude this QR app is malicious, it gets worse. The first step performed by the malicious app in the background is checking the location of the mobile device. This is done by using the website ip-api.com which provides Geolocation using IP. If the location is in an area that satisfies rules within the code, then it proceeds to the next step. This next step is to download an APK by visiting a website that contains download instructions.

Code from http://[hidden_domain]/api/custom/dynamic-fragment with instructions to download an APK

{
  "id": "duy.van.dao.dynamicduy.20171005.16",
  "files": [
    {
      "id": "duy.van.dao.dynamicduy.20171005.16",
      "md5": "4662e8537751c49beb06309a989796fc",
      "url": "https://[hidden_domain]/hoanghai27/dynamic-fragment/raw/master/dynamic-plugin-v22.apk"
    }
  ],
  "version": "20171005.16",
  "fragments": [
    {
      "code": "duy.van.dao.dynamicduy.20171005.16",
      "name": "duy.van.dao.dynamicduy.MainFragment",
      "host": "dynamicfragment"
    }
  ]
}

Unfortunately during testing, the APK could not be downloaded via the malicious QR app—most likely due to my location. However, I was able to manually download the APK using the URL provided within the download instructions. The behavior of this downloaded APK was that of a Trojan SMS (which is why I subsequently named it Android/Trojan.SMS.AsiaHitGroup). Based on all the references to Asia within the code, my assumption is you must be in Asia for this malware to fully function.

Add some adware into the mix

Even if the malicious Trojan SMS fails to download, there is yet another layer to the malevolence. Hidden within the malicious QR app is another APK waiting to do its bidding. This hidden APK, however, is a less threatening, adware-pushing app.

The hidden adware app comes with an unusual service name: vn.solarjsc.fakeads.ShowAdsService.  Within this service, there is reference to the same domain that was used to gain download instructions of the Trojan SMS. Although I was unable to verify, this domain may also contain the “fakeads” referenced in the service name. Regardless, rest assured we are detecting this hidden adware app as well as Android/Adware.AsiaHitGroup.

Google Play: not quite flawless

Even with the introduction of Google Play Protect, there appears to be no fail-proof way to stop malware from entering the Play store. This is where a second layer of protection is strongly recommended. By using a quality mobile anti-malware scanner, you can stay safe even when Google Play Protect fails. We (obviously) recommend Malwarebytes for Android. Stay safe out there!

Malicious APK samples: use at own risk

Android/Trojan.AsiaHitGroup

MD5: 178E6737A779A845B8F2BAF143FDEA15, Package Name: duy.van.dao.qrcode
MD5: 7EEC1C26E60FEDE7644187B0082B6AC4, Package Name: com.varvet.barcodereader
MD5: 7CEDA121F9D452E9A32B8088F50012B8, Package Name: com.maziao.alarm
MD5: B481CE9D0B7295CDA33B15F9C7809B95, Package Name: com.magiaomatday.editimage
MD5: 60A71632004EE431ABB28BF91C3A4982, Package Name: com.maziao.speedtest
MD5: N/A, Package Name: com.ruzian.explorer

Android/Trojan.SMS.AsiaHitGroup

MD5: 3CC02E4FECEB488B084665E763968108, Package Name: duy.van.dao.dynamicduy

Android/Adware.AsiaHitGroup

MD5: 995D5DC873104B5E42B3C0AF805359DB, Package Name: com.offer.flashcall
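The download manifest shown earlier and the IOC list above lend themselves to a small triage script. The following is an example added for this article, not code from the original post or from Malwarebytes: it parses the dynamic-fragment manifest quoted above (verbatim, with the domain hidden as in the post), hashes every APK in a folder you point it at, and reports which files match a published MD5 and which match the md5 the manifest told the dropper to fetch. It assumes PowerShell 4 or later for Get-FileHash; the folder path in the usage line is a placeholder.

```powershell
# Added example (not from the original article): triage a folder of APK files
# against the IOCs published above and against the md5 in the dynamic-fragment
# manifest that the QR app downloads.

# MD5s and package names copied from the IOC list in the post.
$KnownBad = @{
    '178E6737A779A845B8F2BAF143FDEA15' = 'Android/Trojan.AsiaHitGroup (duy.van.dao.qrcode)'
    '7EEC1C26E60FEDE7644187B0082B6AC4' = 'Android/Trojan.AsiaHitGroup (com.varvet.barcodereader)'
    '7CEDA121F9D452E9A32B8088F50012B8' = 'Android/Trojan.AsiaHitGroup (com.maziao.alarm)'
    'B481CE9D0B7295CDA33B15F9C7809B95' = 'Android/Trojan.AsiaHitGroup (com.magiaomatday.editimage)'
    '60A71632004EE431ABB28BF91C3A4982' = 'Android/Trojan.AsiaHitGroup (com.maziao.speedtest)'
    '3CC02E4FECEB488B084665E763968108' = 'Android/Trojan.SMS.AsiaHitGroup (duy.van.dao.dynamicduy)'
    '995D5DC873104B5E42B3C0AF805359DB' = 'Android/Adware.AsiaHitGroup (com.offer.flashcall)'
}

# The manifest quoted in the post, verbatim (the domain is hidden there too).
$ManifestJson = @'
{"id": "duy.van.dao.dynamicduy.20171005.16", "files": [{"id": "duy.van.dao.dynamicduy.20171005.16", "md5": "4662e8537751c49beb06309a989796fc", "url": "https://[hidden_domain]/hoanghai27/dynamic-fragment/raw/master/dynamic-plugin-v22.apk"}], "version": "20171005.16", "fragments": [{"code": "duy.van.dao.dynamicduy.20171005.16", "name": "duy.van.dao.dynamicduy.MainFragment", "host": "dynamicfragment"}]}
'@

function Get-ManifestPayload {
    # One object per entry in the manifest's "files" array: what the dropper
    # is instructed to fetch and the md5 it is expected to have.
    param([Parameter(Mandatory)] [string] $Json)
    foreach ($f in ($Json | ConvertFrom-Json).files) {
        [pscustomobject]@{
            Id  = $f.id
            Md5 = $f.md5.ToUpperInvariant()   # Get-FileHash reports upper-case hex
            Url = $f.url
        }
    }
}

function Test-ApkSample {
    # Hash every .apk under $Path and report IOC hits and manifest matches.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Json = $ManifestJson
    )
    $payloads = @(Get-ManifestPayload -Json $Json)
    Get-ChildItem -Path $Path -Filter *.apk -Recurse -File | ForEach-Object {
        $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
        $ioc = $KnownBad[$md5]
        [pscustomobject]@{
            File          = $_.Name
            Md5           = $md5
            Detection     = if ($ioc) { $ioc } else { '-' }
            # True when the file is exactly what the manifest told the dropper to fetch.
            ManifestMatch = [bool] ($payloads | Where-Object { $_.Md5 -eq $md5 })
        }
    }
}

# Usage (placeholder path): Test-ApkSample -Path 'C:\samples\asiahitgroup' | Format-Table -AutoSize
```

The IOC match and the manifest match are reported as separate columns on purpose: the first tells you a file is a sample the post already names, the second tells you a file is the exact payload the dropper was instructed to download at the time the manifest was captured.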

The post New Android Trojan malware discovered in Google Play appeared first on Malwarebytes Labs.

Author: Nathan Collier

Microsoft Patch Tuesday – November 2017

Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month’s advisory release addresses 53 new vulnerabilities with 19 of them rated critical, 31 of them rated important and 3 of them rated moderate. These vulnerabilities impact Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, and more.

In addition, an update for Adobe Reader was released which addresses CVE-2017-16367 / TALOS-2017-0356 – Adobe Acrobat Reader DC PDF Structured Hierarchy ActualText Structure Element Code Execution Vulnerability which was discovered by Aleksandar Nikolic of Cisco Talos. This vulnerability manifests as a type confusion vulnerability in the PDF parsing functionality for documents containing marked structure elements. A specifically crafted PDF document designed to trigger the vulnerability could cause an out-of-bounds access on the heap, potentially leading to arbitrary code execution. More details regarding this vulnerability are available here.

VULNERABILITIES RATED CRITICAL

The following vulnerabilities are rated “Critical” by Microsoft:

Multiple CVEs – Scripting Engine Memory Corruption Vulnerability

Multiple vulnerabilities have been identified in the scripting engine of Microsoft Edge that could allow an attacker to execute arbitrary code. These vulnerabilities manifest due to Microsoft Edge improperly handling objects in memory. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit these vulnerabilities. Successful exploitation of these vulnerabilities could allow an attacker to execute code within the context of the current user.

The following is a list of CVEs related to these vulnerabilities:

  • CVE-2017-11836
  • CVE-2017-11839
  • CVE-2017-11840
  • CVE-2017-11841
  • CVE-2017-11861
  • CVE-2017-11862
  • CVE-2017-11866
  • CVE-2017-11870
  • CVE-2017-11871
  • CVE-2017-11873

Multiple CVEs – Scripting Engine Memory Corruption Vulnerability

Multiple remote code execution vulnerabilities have been identified affecting the scripting engine in Microsoft browsers. These vulnerabilities manifest due to the scripting engine improperly handling objects in memory. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code within the context of the current user. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit these vulnerabilities or, in some cases, opens a Microsoft Office document containing an embedded ActiveX control marked “safe for initialization.”

The following is a list of CVEs related to these vulnerabilities.

  • CVE-2017-11837
  • CVE-2017-11838
  • CVE-2017-11843
  • CVE-2017-11846
  • CVE-2017-11858

CVE-2017-11845 – Microsoft Edge Memory Corruption Vulnerability

A remote code execution vulnerability has been identified that affects Microsoft Edge. The vulnerability is related to the way Microsoft Edge accesses objects in memory. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code with the same access rights as the current user. Scenarios where this vulnerability would likely be exploited include web-based attacks where a user navigates to a malicious webpage designed to exploit this vulnerability, or via the use of a malicious email attachment that the user is convinced to open.

Multiple CVEs – Internet Explorer Memory Corruption Vulnerability

Two remote code execution vulnerabilities have been discovered that affect Internet Explorer. These vulnerabilities are related to the way Internet Explorer accesses objects in memory. Successful exploitation of these vulnerabilities could result in the execution of arbitrary code with the same access rights as the current user. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where a user navigates to a malicious webpage designed to exploit these vulnerabilities, or via the use of a malicious email attachment that the user is convinced to open.

The following is a list of CVEs related to these vulnerabilities:

  • CVE-2017-11855
  • CVE-2017-11856

CVE-2017-11869 – Scripting Engine Memory Corruption Vulnerability

A vulnerability has been identified in the scripting engine of Internet Explorer that could allow an attacker to execute arbitrary code. This vulnerability manifests due to Internet Explorer improperly accessing objects in memory. Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit it. Successful exploitation could allow an attacker to execute code within the context of the current user.

VULNERABILITIES RATED IMPORTANT

The following vulnerabilities are rated “Important” by Microsoft:

CVE-2017-11768 – Windows Media Player Information Disclosure Vulnerability

An information disclosure vulnerability has been identified that affects Windows Media Player. This vulnerability manifests due to Windows Media Player improperly disclosing file information. In order to exploit this vulnerability an attacker would need to authenticate to an affected system and execute a program designed to exploit this vulnerability. Successful exploitation of this vulnerability would allow an attacker to enumerate the existence of files stored on an affected system.

Multiple CVEs – ASP.NET Core Denial Of Service Vulnerability

Multiple denial of service vulnerabilities have been identified that affect ASP.NET Core. These vulnerabilities manifest due to .NET Core improperly handling web requests. These vulnerabilities could be exploited remotely by an unauthenticated attacker. Successful exploitation could result in a denial of service condition.

The following CVEs are related to these vulnerabilities:

CVE-2017-11788 – Windows Search Denial of Service Vulnerability

A denial of service vulnerability has been identified that affects Windows Search. This vulnerability manifests due to Windows Search improperly handling objects in memory. This vulnerability could be exploited by sending specially crafted messages to the Windows Search service. Additionally this vulnerability could be exploited by an unauthenticated remote attacker via Server Message Block (SMB). Successful exploitation of this vulnerability could result in a denial of service condition on affected systems.

CVE-2017-11791 – Scripting Engine Information Disclosure Vulnerability

An information disclosure vulnerability has been identified that affects Microsoft browsers. This vulnerability manifests due to Microsoft browsers improperly handling objects in memory. This vulnerability could be leveraged by an attacker to obtain information that could be used for subsequent attacks against an affected system. Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit this vulnerability.

Multiple CVEs – Microsoft Edge Information Disclosure Vulnerability

Two information disclosure vulnerabilities have been identified that affect Microsoft Edge. These vulnerabilities manifest due to Microsoft Edge improperly handling objects in memory. These vulnerabilities could be leveraged by an attacker to obtain information that could be used for subsequent attacks against an affected system. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit these vulnerabilities.

The following is a list of CVEs related to these vulnerabilities:

  • CVE-2017-11803
  • CVE-2017-11844

CVE-2017-11827 – Microsoft Browser Memory Corruption Vulnerability

A remote code execution vulnerability has been identified that affects Microsoft browsers. This vulnerability manifests due to the way in which Microsoft browsers access objects in memory. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code with the same privileges as the current user. Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit this vulnerability, or convincing a user to open a malicious email attachment.

CVE-2017-11830 – Device Guard Security Feature Bypass Vulnerability

A security feature bypass vulnerability has been identified that affects Device Guard. This vulnerability manifests due to the way in which Device Guard incorrectly validates untrusted files. Successful exploitation of this vulnerability could allow an attacker to make an unsigned file appear as if it is signed, allowing an attacker to execute malicious files on affected systems.

Multiple CVEs – Windows Information Disclosure Vulnerability

Multiple information disclosure vulnerabilities have been identified that affect the Windows kernel. These vulnerabilities manifest due to the Windows kernel failing to properly initialize memory addresses. These vulnerabilities could be leveraged by an attacker to obtain information that could be used for subsequent attacks against an affected system. Exploiting these vulnerabilities would require an attacker to authenticate to an affected device and execute an application designed to exploit this vulnerability.

The following is a list of CVEs related to these vulnerabilities:

  • CVE-2017-11831
  • CVE-2017-11880

Multiple CVEs – Windows EOT Font Engine Information Disclosure Vulnerability

Two information disclosure vulnerabilities have been identified that affect Microsoft Windows Embedded OpenType (EOT). These vulnerabilities manifest due to the way in which the font engine parses embedded fonts. Successful exploitation of these vulnerabilities could allow an attacker to obtain information that could be used for subsequent attacks against an affected system.

The following is a list of CVEs related to these vulnerabilities:

  • CVE-2017-11832
  • CVE-2017-11835

CVE-2017-11833 – Microsoft Edge Information Disclosure Vulnerability

An information disclosure vulnerability has been identified that affects Microsoft Edge. This vulnerability manifests due to the way in which Microsoft Edge handles cross-origin requests. This vulnerability could be leveraged by an attacker to determine the origin of webpages within an affected browser. Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit this vulnerability.

CVE-2017-11834 – Scripting Engine Information Disclosure Vulnerability

An information disclosure vulnerability was identified that affects Internet Explorer. This vulnerability manifests due to the scripting engine in Internet Explorer not properly handling objects in memory. This vulnerability could be leveraged by an attacker to obtain information that could be used in additional attacks. Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit this vulnerability.

Multiple CVEs – Windows Kernel Information Disclosure Vulnerability

Multiple information disclosure vulnerabilities were identified that affect the Windows Kernel-Mode Drivers. These vulnerabilities manifest due to the Windows Kernel failing to properly initialize memory addresses. These vulnerabilities could be leveraged by an attacker to obtain information that could be used in subsequent attacks to further compromise an affected system. Exploitation of these vulnerabilities would require an attacker to log in and execute a program specifically designed to exploit them.

The following is a list of CVEs related to these vulnerabilities:

  • CVE-2017-11842
  • CVE-2017-11849
  • CVE-2017-11853

CVE-2017-11847 – Windows Kernel Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been identified that affects the Windows Kernel. This vulnerability manifests due to the Windows Kernel failing to properly handle objects in memory. Successful exploitation of this vulnerability would require an attacker to log on to a system and execute a program specifically designed to exploit this vulnerability, and could allow the attacker to run arbitrary code in kernel mode.

CVE-2017-11850 – Microsoft Graphics Component Information Disclosure Vulnerability

An information disclosure vulnerability has been identified that affects the Microsoft Graphics Component. This vulnerability manifests due to the Windows GDI component disclosing kernel memory addresses. An attacker could leverage this vulnerability to obtain information that could be used for additional attacks against an affected system. Successful exploitation of this vulnerability would require an attacker to log on to a system and execute a program specifically designed to exploit this vulnerability.

CVE-2017-11851 – Windows Kernel Information Disclosure Vulnerability

An information disclosure vulnerability has been identified that affects the Microsoft Graphics Component. This vulnerability manifests due to the Windows GDI component disclosing kernel memory addresses. An attacker could leverage this vulnerability to obtain information that could be used for additional attacks against an affected system. Successful exploitation of this vulnerability would require an attacker to log on to a system and execute a program specifically designed to exploit this vulnerability.

CVE-2017-11852 – Windows GDI Information Disclosure Vulnerability

An information disclosure vulnerability has been identified that affects the Microsoft Graphics Component. This vulnerability manifests due to the Windows GDI component disclosing kernel memory addresses. An attacker could leverage this vulnerability to obtain information that could be used for additional attacks against an affected system. Successful exploitation of this vulnerability would require an attacker to log on to a system and execute a program specifically designed to exploit this vulnerability.

CVE-2017-11854 – Microsoft Word Memory Corruption Vulnerability

A remote code execution vulnerability has been identified that affects Microsoft Office. This vulnerability manifests due to Microsoft Office improperly handling objects in memory. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code within the context of the current user. In order to exploit this vulnerability, an attacker would need to create a specially crafted file and convince a user to open it within an affected version of Microsoft Office.

CVE-2017-11863 – Microsoft Edge Security Feature Bypass Vulnerability

A security feature bypass has been identified in Microsoft Edge that could allow an attacker to load a page containing malicious content without the user’s knowledge or consent. This vulnerability manifests in the Edge Content Security Policy implementation, where certain specially crafted documents are improperly validated. An attacker could exploit this vulnerability by convincing a user to navigate to a malicious page or by injecting malicious content into a page, such as an advertisement, thereby bypassing the Content Security Policy.

CVE-2017-11872 – Microsoft Edge Security Feature Bypass Vulnerability

A security feature bypass vulnerability has been identified in Microsoft Edge that could allow an attacker to bypass Cross-Origin Resource Sharing (CORS) restrictions. The vulnerability manifests because Edge improperly handles redirect requests, following redirects that should otherwise be ignored. An attacker could exploit it by creating a specially crafted web page and convincing a user to visit it, or by placing the exploit on a vulnerable or compromised web page.

CVE-2017-11874 – Microsoft Edge Security Feature Bypass Vulnerability

A security feature bypass vulnerability has been identified in Microsoft Edge that could allow an attacker to bypass Control Flow Guard (CFG). The vulnerability manifests because the Edge Just-In-Time (JIT) compiler incorrectly handles memory operations in compiled code. An attacker could exploit it by creating a specially crafted web page and convincing a user to visit it.

CVE-2017-11877 – Microsoft Excel Security Feature Bypass Vulnerability

A security feature bypass vulnerability has been identified that affects Microsoft Office. The vulnerability is related to Microsoft Office failing to enforce macro settings on Excel documents. Exploitation of this vulnerability does not result in code execution and requires an attacker to create a specially crafted file that is opened in an affected version of Microsoft Excel.

CVE-2017-11878 – Microsoft Excel Memory Corruption Vulnerability

A remote code execution vulnerability has been identified that affects Microsoft Office. The vulnerability is related to Microsoft Office not properly handling objects in memory. Successful exploitation of this vulnerability could result in an attacker gaining the ability to execute arbitrary code within the context of the current user. Exploitation of this vulnerability requires an attacker to create a specially crafted file that is opened in an affected version of Microsoft Office.

CVE-2017-11879 – ASP.NET Core Elevation Of Privilege Vulnerability

An open redirect vulnerability has been identified that affects ASP.NET Core. Exploitation of this vulnerability could result in privilege escalation. To exploit it, an attacker would need to craft a specially crafted URL which redirects the victim’s browser session to a malicious site, where the attacker can obtain login session information.
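As an added illustration of the server-side check that prevents this class of bug (example code written for this page, not ASP.NET Core’s own implementation), the Python function below accepts only same-site, path-only redirect targets and rejects the variants attackers use to smuggle an external destination past a naive “starts with /” test: protocol-relative “//host”, the backslash form “/\host” that browsers treat the same way, percent-encoded slashes, absolute URLs, “javascript:” targets and control characters. It mirrors the contract of ASP.NET’s IsLocalUrl helper, including acceptance of app-relative “~/” paths; that the application resolves “~/” safely is an assumption of this example.

```python
from urllib.parse import unquote, urlsplit


def is_local_redirect(target: str) -> bool:
    """Accept only same-site, path-only redirect targets.

    Added example, not ASP.NET Core's implementation; it follows the same
    contract as IUrlHelper.IsLocalUrl: "/path" and "~/path" are local,
    everything else is not.
    """
    if not target:
        return False
    # Decode once so "%2F%2Fevil.example" is judged the same as "//evil.example".
    t = unquote(target).strip()
    # Control characters let "java\nscript:" or CRLF header injection slip past
    # prefix checks; refuse them outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in t):
        return False
    if t.startswith("~/"):            # ASP.NET app-relative form (assumed safe here)
        return True
    if not t.startswith("/"):         # absolute URLs, "javascript:", "evil.example/..."
        return False
    if len(t) > 1 and t[1] in "/\\":  # "//host" and "/\host" are scheme-relative to browsers
        return False
    # Belt and braces: after normalising backslashes the URL must carry no scheme or host.
    parts = urlsplit(t.replace("\\", "/"))
    return parts.scheme == "" and parts.netloc == ""


def safe_redirect_target(requested: str, fallback: str = "/") -> str:
    """Return the requested target if it is local, otherwise a safe default."""
    return requested if is_local_redirect(requested) else fallback


if __name__ == "__main__":
    for candidate in ["/account/settings", "//evil.example/phish", "/\\evil.example",
                      "https://evil.example/", "%2F%2Fevil.example", "~/home"]:
        print(f"{candidate!r:32} -> {safe_redirect_target(candidate)!r}")
```

Call safe_redirect_target on the untrusted returnUrl parameter and redirect to its result; never redirect to the raw parameter, even when another check has already run on it upstream.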

Multiple CVEs – Microsoft Office Memory Corruption Vulnerability

Multiple remote code execution vulnerabilities have been identified that affect Microsoft Office. These vulnerabilities are related to Microsoft Office not properly handling objects in memory. Successful exploitation could result in an attacker gaining the ability to execute arbitrary code within the context of the current user. Exploitation of these vulnerabilities requires an attacker to create a specially crafted file that is opened in an affected version of Microsoft Office.

The following is a list of CVEs related to these vulnerabilities:

  • CVE-2017-11882
  • CVE-2017-11884

VULNERABILITIES RATED MODERATE

The following vulnerabilities are rated “Moderate” by Microsoft:

CVE-2017-11848 – Internet Explorer Information Disclosure Vulnerability

An information disclosure vulnerability has been identified that affects Internet Explorer. The vulnerability manifests in the way Internet Explorer handles page content. The likely exploitation scenario is a web-based attack in which the user navigates to a malicious web page designed to exploit the vulnerability. Successful exploitation could allow the attacker to detect when the user navigates away from the malicious web page.

CVE-2017-11876 – Microsoft Project Server Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been discovered that affects Microsoft Project Server, related to the way it improperly manages user sessions. The victim must be logged in to the target site for the vulnerability to be exploited. The likely exploitation scenario is a web-based attack in which the user navigates to a malicious web page designed to exploit the vulnerability. Successful exploitation could allow an attacker to access content they are not authorized to access, to impersonate the user within the web application, or to inject malicious content into the victim’s browser.

CVE-2017-8700 – ASP.NET Core Information Disclosure Vulnerability

An information disclosure vulnerability has been identified that affects ASP.NET Core. This vulnerability could enable an attacker to bypass Cross-Origin Resource Sharing (CORS) configurations. Successful exploitation could allow an attacker to access content within a web application that they are not authorized to access.

Go to Source
Author: Talos Group

Muddying the Water: Targeted Attacks in the Middle East

Summary

This blog discusses targeted attacks against the Middle East taking place between February and October 2017 by a group Unit 42 is naming “MuddyWater”. This blog links this recent activity with previous isolated public reporting on similar attacks we believe are related. We refer to these attacks as MuddyWater due to the confusion in attributing these attacks. Although the activity was previously linked by others to the FIN7 threat actor group, our research suggests the activity is in fact espionage related and unlikely to be FIN7 related.

The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.


Introduction & Overview

The Palo Alto Networks Unit 42 research team recently came across a series of malicious files which were almost identical to those targeting the Saudi Arabian government previously discussed by MalwareBytes, which in turn closely resembled the attacks described in an earlier article by Morphisec. These attacks have also been tracked by several other researchers on Twitter and elsewhere.

The activity has been consistent throughout 2017 and, based on our analysis, targets or is suspected to target, entities in the following countries:

  • Saudi Arabia
  • Iraq
  • Israel
  • United Arab Emirates
  • Georgia
  • India
  • Pakistan
  • Turkey
  • USA

The malicious documents were tailored to the target regions, often using the logos of local government branches to prompt users to bypass security controls and enable macros. An overview of the technical changes seen in the past year is given in the graphic below; the raw IOCs shown in the graphic are reproduced as text in the Appendix at the end of this article.


Figure 1. An overview of the delivery of POWERSTATS, C2 URLs used, and other changes in the malware
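One practical control against the macro lure documents described above is to inspect attachments for embedded VBA rather than trusting the file extension. The Python below is an added example written for this page, not Unit 42’s tooling: it opens the OOXML zip container that .docx/.docm/.xlsm files are built on, looks for a vbaProject.bin part and for macroEnabled content types in [Content_Types].xml, and flags the two edge cases a mail gateway should care about: a macro-enabled package renamed to a legacy .doc extension, and a genuine legacy OLE2 file that this parser cannot inspect and must hand off to an OLE-aware tool such as oletools’ olevba. The sample documents are constructed in memory; the file names passed to triage are illustrative.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container


def ooxml_macro_indicators(data: bytes) -> dict:
    """Inspect one attachment for embedded VBA without trusting its extension.

    OOXML documents are zip packages; macros live in a vbaProject.bin part and
    the package declares a macroEnabled content type. Legacy OLE2 files are
    only detected, not parsed (use an OLE-aware tool such as olevba for those).
    """
    result = {
        "is_ooxml": False,
        "is_ole2": data.startswith(OLE2_MAGIC),
        "vba_parts": [],
        "macro_content_types": [],
        "has_macros": False,
    }
    if result["is_ole2"]:
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            result["is_ooxml"] = "[Content_Types].xml" in names
            result["vba_parts"] = sorted(n for n in names if n.lower().endswith("vbaproject.bin"))
            if result["is_ooxml"]:
                # stdlib ElementTree does not resolve external entities; for hostile
                # input in production prefer defusedxml all the same.
                root = ET.fromstring(pkg.read("[Content_Types].xml"))
                declared = {el.get("ContentType", "") for el in root.iter()}
                result["macro_content_types"] = sorted(
                    ct for ct in declared
                    if "macroenabled" in ct.lower() or ct.endswith("vbaProject")
                )
    except zipfile.BadZipFile:
        return result   # neither OOXML nor OLE2: not an Office document at all
    result["has_macros"] = bool(result["vba_parts"] or result["macro_content_types"])
    return result


def triage(filename: str, data: bytes) -> list:
    """Findings a mail gateway pre-filter would raise for one attachment."""
    ind = ooxml_macro_indicators(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []
    if ind["has_macros"]:
        findings.append("has-macros")
    if ind["is_ooxml"] and ext in {"doc", "xls", "ppt"}:
        findings.append("ooxml-under-legacy-extension")   # e.g. a .docm renamed to .doc
    if ind["is_ole2"]:
        findings.append("legacy-ole2-needs-olevba")
    return findings


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed minimal Word package for the demo; not a real lure."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    types = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
             f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
    if with_macro:
        types.append('<Override PartName="/word/vbaProject.bin" '
                     'ContentType="application/vnd.ms-office.vbaProject"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "".join(types))
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            pkg.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)  # stub VBA stream
    return buf.getvalue()


if __name__ == "__main__":
    print(triage("Telenor.doc", build_sample_document(with_macro=True)))    # illustrative name
    print(triage("report.docx", build_sample_document(with_macro=False)))
```

The check is deliberately structural: it never executes or de-obfuscates the VBA, so it cannot be fooled by the string obfuscation these actors use, but it also says nothing about what the macro does; anything flagged still needs olevba or a sandbox.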


MuddyWater in the Middle East

The attackers behind MuddyWater have been active throughout 2017, with targets across the Middle East and surrounding areas. A summary of the decoy documents observed is given in Table 1.

Of course, being named in a decoy document doesn’t mean any of these organizations have been attacked themselves or are involved in the attacks: the MuddyWater actors are abusing the trust these organizations’ names and/or logos command for their malicious purposes.

Month    | File Name or Decoy Document Theme                                                                     | Suspected Target Region
---------+-------------------------------------------------------------------------------------------------------+--------------------------------------
Nov 2017 | The NSA; Telenor.doc                                                                                  | Unknown; Pakistan
Oct 2017 | Circulars.doc; dollar.doc; Pakistan Federal Investigation Agency; CV of Middle Eastern Civil Servant | Turkey; Pakistan
Sep 2017 | Iraq National Intelligence Service; Kaspersky Security solution 2017.doc                              | Iraq
Aug 2017 | Arab Emirate سری.docm; Iraq Commission of Integrity                                                   | Arab Emirates
Jul 2017 | Requirements of the Sago.doc; CommIT-Document.doc; Confidential letters.doc                           | Saudi Arabia; Arab Emirates; Pakistan
Jun 2017 | Iraq Kurdistan Regional Government; RFP_VOIP.doc                                                      | Iraq
May 2017 | RFP.doc; Requirement.doc; Iraq Kurdistan Regional Government                                          | Georgia; Iraq
Mar 2017 | court.doc                                                                                             | Georgia
Feb 2017 | CERT-Audit-20172802-GEO.xls                                                                           | Georgia

Table 1 – A summary of the lure documents observed in the MuddyWater attacks.

All of these documents we observed and outlined above are related via:

  • Shared C2 infrastructure.
  • Use of the non-public PowerShell backdoor previously described by Morphisec and MalwareBytes (which we refer to as POWERSTATS).
  • Shared attributes of the malicious documents used in attacks.
  • Shared attributes as to how the documents were delivered.

Based on these connections we can be confident that all the files and infrastructure we give in our appendices are related, since more than one of these can be used to link each of the samples discussed in each case.


I download my tools from GitHub, and so do my victims.

The tools used by the MuddyWater attackers have been well documented by the previously cited research, and a common theme of that reporting was the open source nature of much of the toolset: Meterpreter, Mimikatz, Lazagne, Invoke-Obfuscation, etc. In some of their recent attack documents, the attackers also used GitHub as a hosting site for their custom backdoor, POWERSTATS. Specifically, the following GitHub repositories appear to be controlled by the MuddyWater threat actor(s):

  • [unknown SHA256]
    • Downloads payload from: hxxps://raw.githubusercontent[.]com/F0R3X/BrowserFontArabic/master/ArabicBrowserFont.exe
  • [unknown SHA256]
    • Downloads payload from: hxxps://raw.githubusercontent[.]com/F0R3X/BrowserFontArabic/master/FontArabic.exe
  • 9b5e36bb7518a9e333c31d09b589102f89e3425571dd434820ab3c437dc4e0d9 (and several others)
    • Downloads payload from: hxxps://raw.githubusercontent[.]com/ReactDeveloper2017/react/master/src/test/test.js

Interestingly, both profiles were populated with forked repositories to give them an air of legitimacy, as shown in Figure 2. In this case the POWERSTATS malware was compiled into an executable using PS2EXE; this was a minor anomaly, seen only here, as raw scripts were used in every other case.


Figure 2 – The GitHub profile for F0R3X containing both legitimate forked code and the binaries created by the attacker. Note that the username could be a small joke on the attackers’ part regarding the attribution to FIN7.


Pwn one to pwn them all

In some instances we observed what appeared to be compromised accounts at third-party organizations sending the malware. In one case, the attackers sent a malicious document that was nearly identical to a legitimate attachment which we later observed being sent to the same recipient. This indicates that the attackers stole a legitimate document from the compromised account, built a malicious macro-enabled Word decoy from it, and sent it to the target recipient, who might have been expecting the email from the original account holder, before the real sender had time to send it.

This targeting of third-party organizations to reach further targets is a risky move on the attackers’ part, as it potentially reveals their activity within the compromised third-party organization to the new target (those receiving the malicious documents).


Making sense of MuddyWater

When we looked at the cluster of activity which consisted of what appeared to be espionage-focused attacks in the Middle East, we were somewhat confused as the previous public reporting had attributed these attacks to FIN7. FIN7 is a threat actor group that is financially motivated with targets in the restaurant, services and financial sectors. Following the trail of existing public reporting, the tie to FIN7 is essentially made based on a download observed from a MuddyWater C2, of a non-public tool “DNSMessenger”.

For example, Morphisec wrote:

“Later in our investigation, the same command server also delivered a variant of the DNS messenger similar to that described by Talos. The domain names differed but the script adheres to the same logic (including the logic function).”

The DNSMessenger malware is an obfuscated and customized version of the popular DNS_TXT_PWNAGE.ps1 script available on GitHub and is also referred to by FireEye as POWERSOURCE. The use of the DNSMessenger tool appears primarily linked to FIN7, with no other samples being attributable to MuddyWater.

This led us to query the relationship between the newer attacks we were looking at and the alleged FIN7 link. As part of this research, we came up with the following hypotheses along with their likelihoods, and a rationale for each one.

1) The FIN7 threat actor is also involved in espionage in the Middle East – Unlikely

Whilst this may seem an attractive hypothesis to some, there are aspects on the technical side that simply don’t add up. Primarily, there are significant disparities between FIN7 and MuddyWater, specifically in terms of:

  • Malware unique to FIN7, or commonly used by them has not yet been seen in any MuddyWater investigations (except for the single observation of the DNSMessenger sample)
  • Other non-public malware and tools used by MuddyWater have not been observed in our FIN7 investigations.
  • From an infrastructure point of view there is no overlap between the two sets of activity; the only overlap at all is the use of the unique tool “DNSMessenger”

When these points are considered together in conjunction with the significant difference in targeting they make a strong case for classifying this activity as distinct from FIN7 activity.

2) The DNSMessenger malware is a shared tool, used by FIN7, MuddyWater and perhaps other groups – Unlikely

We have attempted to find examples of code available in public data sources that would generate the variation of the DNSMessenger malware and had little luck in doing so. Even though the code for DNSMessenger is publicly available following research into attackers published by 3rd parties, attackers would have to write the corresponding server side to use it, and as such they may well choose to use the public DNS_TXT_Pwnage.ps1 script instead.

Despite this, based on the chain of analysis above we cannot discount the notion that DNSMessenger is shared by multiple attackers, including FIN7 and MuddyWater.

3) There was a mistake in the original Morphisec analysis which linked these attacks to FIN7 – Possible

Little detail is given on how the connection between DNSMessenger and MuddyWater was discovered, so it isn’t possible for us to verify this link.

4) The attackers realized they were under investigation and planted a false flag – Possible

The attackers realized they were under investigation and planted a false flag on their C2 server, uploading a copy of the FIN7 DNSMessenger code which had been previously mentioned (and was since publicly available) by FireEye and delivering it to researchers to trick them into mis-attributing the campaign.

Indeed, the sample shared by Morphisec on PasteBin is identical to the one dropped by the sample discussed in the FireEye FIN7 SEC campaign blog except for the final line.


Final thoughts

Whilst we could conclude with confidence that the attacks discussed in this article are not FIN7 related, we were not able to answer many of our questions about the MuddyWater attacks. We are currently unable to make a firm conclusion about the origin of the attackers, or the specific types of information they seek out once on a network. In any case we will continue to track their activities to provide protections for our customers.

We hope the analysis presented shows the importance of drawing your own conclusions based on the data available to you, not just taking the conclusions given in the public domain at face value. This is especially true when actors who rely on slightly modified (and publicly available) open source tools are in play. Copycat threat actors can easily mimic attackers who use open source tools which can confuse attribution efforts meaning more than one aspect of the attacks observed must be considered when clustering.

On top of this, whilst the vast majority of threat analysis in the public domain is repeatable and correct, in some cases it can be difficult to verify the analysis available. When it is hard to reproduce the analysis the confidence in any conclusions drawn must be lower than it would otherwise be, since you cannot know for sure that what is stated is true.

Palo Alto Networks customers are protected from this threat in the following ways:

  • WildFire and Traps detect all the malware described in this report as malicious.
  • Traps customers can deploy Heuristic methods to detect attacks that use these techniques.
  • C2 domains used by the attackers are blocked via Threat Prevention.

AutoFocus customers can monitor ongoing activity from the threats discussed in this report by looking at the following tags:


Appendix A – C2 Addresses

148.251.204[.]131

144.76.109[.]88

138.201.75[.]227


Compromised Legitimate Sites

106[.]187[.]38[.]21

arbiogaz[.]com

azmwn[.]suliparwarda[.]com

bangortalk[.]org[.]uk

best2[.]thebestconference[.]org

camco[.]com[.]pk

cbpexbrasilia[.]com[.]br

cgss[.]com[.]pk

diplomat[.]com[.]sa

feribschat[.]eu

ghanaconsulate[.]com[.]pk

magical-energy[.]com

mainandstrand[.]com

riyadhfoods[.]com

school[.]suliparwarda[.]com

suliparwarda[.]com

tmclub[.]eu

watyanagr[.]nfe[.]go[.]th

whiver[.]in

www[.]4seasonrentacar[.]com

www[.]akhtaredanesh[.]com

www[.]arcadecreative[.]com

www[.]armaholic[.]com

www[.]asan-max[.]com

www[.]autotrans[.]hr

www[.]dafc[.]co[.]uk

www[.]eapa[.]org

www[.]elev8tor[.]com

www[.]jdarchs[.]com

www[.]kunkrooann[.]com

www[.]mackellarscreenworks[.]com

www[.]mitegen[.]com

www[.]nigelwhitfield[.]com

www[.]pomegranates[.]org

www[.]ridefox[.]com

www[.]shapingtomorrowsworld[.]org

www[.]vanessajackson[.]co[.]uk

www[.]yaran[.]co

www[.]ztm[.]waw[.]pl

coa[.]inducks[.]org

mhtevents[.]com

skepticalscience[.]com

wallpapercase[.]com

www[.]spearhead-training[.]com


Appendix B – Related files

sha256 Overall Description
d2a0eec18d755d456a34865ff2ffc14e3969ea77f7235ef5dfc3928972d7960f Loader script from 144.76.109[.]88
1421a5cd0566f4a69e7ca9cdefa380507144d7ed59cd22e53bfd25263c201a6f MuddyWater Macro
4e3c7defd6f3061b0303e687a4b5b3cc2a4ae84cdc48706c65a7b1e53402efc0 MuddyWater Macro
8b96804d861ea690fcb61224ec27b84476cf3117222cca05e6eba955d9395deb Lazagne
16985600c959f6267476da614243a585b1b222213ec938351ef6a26560c992db PS2EXE PowerStats (GitHub)
cf87a2ac51503d645e827913dd69f3d80b66a58195e5a0044af23ea6ba46b823 PS2EXE PowerStats (GitHub)
3030d80cfe1ee6986657a2d9b76b626ea05e2c289dee05bd7b9553b10d14e4a1 Decoded PowerStats payload
99077dcb37395603db0f99823a190f50313dc4e9819462c7da29c4bc983f42fd Lazagne Runner Script
1b60b7f9b0faf25288f1057b154413921a6cb373dcee43e831b9263c5b3077ce MuddyWater Macro
2c8d18f03b6624fa38cae0141b91932ba9dc1221ec5cf7f841a2f7e31685e6a1 MuddyWater Macro
367021beedb3ad415c69c9a0e657dc3ed82b1b24a41a71537d889f5e2b7ca433 MuddyWater Macro
58282917a024ac252966650361ac4cbbbed48a0df7cab7b9a6329d4a04551c0d MuddyWater Macro
58898648a68f0639c06bedc8242ca48bc6ec56f11ed40d00aa5fdda4e5553482 MuddyWater Macro
81523e0199ae1dc9e87d2b952642785bfbda6326f22e4c0794a19afdf001a9a3 MuddyWater Macro
90b66b3fef77962fbfda364a4f8799bfcc9ab73772026d7a8922a7cf5556a024 MuddyWater Macro
96101de2386e35bc5e38d32524a02c6c5ca7cc6624e656a629b2e0f1693a76fd MuddyWater Macro
964aaf5d9b1c749df0a2df1f1b4193e5a643893f251e2d74b47663f895da9b13 MuddyWater Macro
97f9a83bc6bb1b3f5cb7ac9401f95265597bff796bb4901631d6fa2c79a48bdc MuddyWater Macro
a3c1fd46177a078c4b95c744a24103df7d0a58cee1a3be92bc4cdd7dec1b1aa5 MuddyWater Macro
fcfbdffbcad731e0a5aad349215c87ed919865d66c287a6723fd8e2f896c5834 MuddyWater Macro
2bb1637c80f0a7df7260a8583beb033f4afbdd5c321ff5642bc8e1868194e009 MuddyWater Macro
58aec38e98aba66f9f01ca53442d160a2da7b137efbc940672982a4d8415a186 MuddyWater Macro
605fefc7829cfa41710e0b844084eab1f180fe513adc1d8f0f82501a154db0f4 MuddyWater Macro
e8a832b04dbdc413b71076754c3a0bf07cb7b9b61927248c482ddca32e1dab89 MuddyWater Macro
5d049bd7f478ea5d978b3c78f7f0afdf294a94f526fc20ffd6e33022d40d15ae MuddyWater Macro
12a7898fe5c75e0b57519f1e7019b5d09f5c5cbe49c48ab91daf6fcc09ee8a30 MuddyWater Macro
2602e817a67949860733b3548b37792616d52ffd305405ccab0409bcfedc5d63 MuddyWater Macro
42a4d9527063f73004b049a093a34a4fc3b6ea9505cb9b50b895486cb2dca94b MuddyWater Macro
5ed5fc6c6918ff6fa4eab7742c03d59155ca87e0fe12bac339f18928e2924a96 MuddyWater Macro
a2ad6bfc47c4f69a2170cc1a9fd620a68b1ebb474b7bdf601066e780e592222f MuddyWater Macro
c23ece07fc5432ca200f3de3e4c4b68430c6a22199d7fab11916a8c404fb63dc MuddyWater Macro
cb96cd26f36a3b1aacabfc79bbb5c1e0c9850b1c75c30aa498ad2d4131b02b98 MuddyWater Macro
ed2f9c9d5554d5248a7ad9ad1017af5f1bbadbd2275689a8b019a04c516eeec2 MuddyWater Macro
fe16543109f640ddbf3725e4d9f593de9f13ee9ae96c5e41e9cdccb7ab35b661 MuddyWater Macro
886e3a2f74bf8f46b23c78a6bad80c74fe33579f6fe866bc5075b034c4d5d432 MuddyWater Macro
8ec108b8f66567a8d84975728b2d5e6a2786c2ca368310cca55acad02bb00fa6 MuddyWater Macro
96d80ae577e9b899772a940b4941da39cf7399b5c852048f0d06926eb6c9868a MuddyWater Macro
bb1a5fb87d34c63ade0ed8a8b95412ba3795fd648a97836cb5117aff8ea08423 MuddyWater Macro
d65e2086aeab56a36896a56589e47773e9252747338c6b59c458155287363f28 MuddyWater Macro
588cd0fe3ae6fbd2fa4cf8de8db8ae2069ea62c9eaa6854caedf45045780661f MuddyWater Macro
917a6c816684f22934e2998f43633179e14dcc2e609c6931dd2fc36098c48028 MuddyWater Macro
db7bdd6c3ff7a27bd4aa9acc17dc35c38b527fb736a17d0927a0b3d7e94acb42 MuddyWater Macro
de6ce9b75f4523a5b235f90fa00027be5920c97a972ad6cb2311953446c81e1d MuddyWater Macro
a6673c6d52dd5361afd96f8143b88810812daa97004f69661da625aaaba9363b MuddyWater Macro
40a6b4c6746e37d0c5ecb801e7656c9941f4839f94d8f4cd61eaf2b812feaabe MuddyWater Macro


Appendix C – Proxy URLs found from POWERSTATS samples from October 2017 onwards

hxxp://106[.]187[.]38[.]21/short_qr/work[.]php?c=

hxxp://arbiogaz[.]com/upload/work[.]php?c=

hxxp://azmwn[.]suliparwarda[.]com/wp-content/plugins/wpdatatables/panda[.]php?c=

hxxp://azmwn[.]suliparwarda[.]com/wp-content/themes/twentyfifteen/logs[.]php?c=

hxxp://bangortalk[.]org[.]uk/speakers[.]php?c=

hxxp://best2[.]thebestconference[.]org/ccb/browse_cat[.]php?c=

hxxp://camco[.]com[.]pk/Controls/data[.]aspx?c=

hxxp://cbpexbrasilia[.]com[.]br/wp-content/plugins/wordpress-seo/power[.]php?c=

hxxp://cbpexbrasilia[.]com[.]br/wp-includes/widgets/work[.]php?c=

hxxp://cgss[.]com[.]pk/data[.]aspx?c=

hxxp://diplomat[.]com[.]sa/wp-content/plugins/wordpress-importer/cache[.]php?c=

hxxp://feribschat[.]eu/logs[.]php?c=

hxxp://ghanaconsulate[.]com[.]pk/data[.]aspx?c=

hxxp://magical-energy[.]com/css[.]aspx?c=

hxxp://magical-energy[.]com/css/css[.]aspx?c=

hxxp://mainandstrand[.]com/work[.]php?c=

hxxp://riyadhfoods[.]com/css/edu[.]aspx?c=

hxxp://riyadhfoods[.]com/jquery-ui/js/jquery[.]aspx?c=

hxxp://school[.]suliparwarda[.]com/components/com_akeeba/work[.]php?c=

hxxp://school[.]suliparwarda[.]com/plugins/editors/codemirror/work[.]php?c=

hxxp://suliparwarda[.]com/includes/panda[.]php?c=

hxxp://suliparwarda[.]com/layouts/joomla/logs[.]php?c=

hxxp://suliparwarda[.]com/wp-content/plugins/entry-views/work[.]php?c=

hxxp://suliparwarda[.]com/wp-content/themes/twentyfifteen/work[.]php?c=

hxxp://tmclub[.]eu/clubdata[.]php?c=

hxxp://watyanagr[.]nfe[.]go[.]th/e-office/lib/work[.]php?c=

hxxp://watyanagr[.]nfe[.]go[.]th/watyanagr/power[.]php?c=

hxxp://whiver[.]in/power[.]php?c=

hxxp://www[.]4seasonrentacar[.]com/viewsure/data[.]aspx?c=

hxxp://www[.]akhtaredanesh[.]com/d/file/sym/work[.]php?c=

hxxp://www[.]akhtaredanesh[.]com/d/oschool/power[.]php?c=

hxxp://www[.]arcadecreative[.]com/work[.]php?c=

hxxp://www[.]armaholic[.]com/list[.]php?c=

hxxp://www[.]asan-max[.]com/files/articles/css[.]aspx?c=

hxxp://www[.]asan-max[.]com/files/articles/large/css[.]aspx?c=

hxxp://www[.]autotrans[.]hr/index[.]php?c=

hxxp://www[.]dafc[.]co[.]uk/news[.]php?c=

hxxp://www[.]eapa[.]org/asphalt[.]php?c=

hxxp://www[.]elev8tor[.]com/show-work[.]php?c=

hxxp://www[.]jdarchs[.]com/work[.]php?c=

hxxp://www[.]kunkrooann[.]com/inc/work[.]php?c=

hxxp://www[.]mackellarscreenworks[.]com/work[.]php?c=

hxxp://www[.]mitegen[.]com/mic_catalog[.]php?c=

hxxp://www[.]nigelwhitfield[.]com/v2/work[.]php?c=

hxxp://www[.]pomegranates[.]org/index[.]php?c=

hxxp://www[.]ridefox[.]com/content[.]php?c=

hxxp://www[.]shapingtomorrowsworld[.]org/category[.]php?c=

hxxp://www[.]vanessajackson[.]co[.]uk/work[.]php?c=

hxxp://www[.]yaran[.]co//wp-content/plugins/so-masonry/logs[.]php?c=

hxxp://www[.]yaran[.]co/wp-includes/widgets/logs[.]php?c=

hxxp://www[.]ztm[.]waw[.]pl/pop[.]php?c=

hxxps://coa[.]inducks[.]org/publication[.]php?c=

hxxps://mhtevents[.]com/account[.]php?c=

hxxps://skepticalscience[.]com/graphics[.]php?c=

hxxps://wallpapercase[.]com/wp-content/themes/twentyfifteen/logs[.]php?c=

hxxps://wallpapercase[.]com/wp-includes/customize/logs[.]php?c=

hxxps://www[.]spearhead-training[.]com//html/power[.]php?c=

hxxps://www[.]spearhead-training[.]com/work[.]php?c=
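To make the indicators in Appendices A and C (and the GitHub payload URLs listed earlier) usable in a SOC, they first have to be refanged and normalised, then matched against proxy logs. The Python below is an added example, not Palo Alto Networks’ own code: it refangs a handful of the listed IOCs, normalises host case and duplicated slashes (note the listed yaran[.]co URL, which contains “//”), matches exact URLs and the Appendix A C2 IPs, and applies a low-confidence heuristic for the “?c=” beacon shape shared by every Appendix C URL. The single-line log format and the log lines themselves are constructed for the demo; the source IPs and the non-IOC hosts in them are invented.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Indicators copied from the appendices above, kept in their defanged form.
DEFANGED_URLS = [
    "hxxp://arbiogaz[.]com/upload/work[.]php?c=",
    "hxxp://www[.]yaran[.]co//wp-content/plugins/so-masonry/logs[.]php?c=",
    "hxxps://coa[.]inducks[.]org/publication[.]php?c=",
    "hxxps://raw.githubusercontent[.]com/F0R3X/BrowserFontArabic/master/FontArabic.exe",
]
DEFANGED_IPS = ["148.251.204[.]131", "144.76.109[.]88", "138.201.75[.]227"]


def refang(ioc: str) -> str:
    """Turn the published defanged form back into a matchable string."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def normalize(url: str) -> Tuple[str, str]:
    """(host, path) with a lowercased host and duplicate slashes collapsed, so
    'HTTP://WWW.yaran.co//wp-content/...' still matches the listed IOC."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").lower()
    path = re.sub(r"/{2,}", "/", p.path) or "/"
    return host, path


KNOWN_URLS = {normalize(refang(u)) for u in DEFANGED_URLS}
KNOWN_IPS = {refang(ip) for ip in DEFANGED_IPS}


def looks_like_powerstats_beacon(url: str) -> bool:
    """Heuristic drawn from Appendix C: a .php/.aspx script whose only query
    parameter is 'c'. Expect false positives; treat hits as low confidence."""
    p = urlsplit(url)
    if not re.search(r"\.(php|aspx)$", p.path, re.IGNORECASE):
        return False
    query = parse_qs(p.query, keep_blank_values=True)
    return set(query) == {"c"}


def classify(url: str) -> Optional[str]:
    """Highest-confidence verdict first; None when nothing matches."""
    host, path = normalize(url)
    if (host, path) in KNOWN_URLS:
        return "known-url"
    if host in KNOWN_IPS:
        return "known-c2-ip"
    if looks_like_powerstats_beacon(url):
        return "heuristic-c-beacon"
    return None


# Constructed log format: timestamp, client IP, method, URL, status.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines) -> List[Tuple[int, str, str]]:
    """Return (line_number, verdict, url) for every line that matches an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count and alert on these
        verdict = classify(m["url"])
        if verdict:
            hits.append((n, verdict, m["url"]))
    return hits


# Constructed proxy log for the demo; not real traffic.
SAMPLE_LOG = """\
2017-10-12T09:14:03Z 10.0.0.23 GET http://ARBIOGAZ.com/upload/work.php?c=dGVzdA== 200
2017-10-12T09:14:09Z 10.0.0.23 GET https://www.google.com/search?q=muddywater 200
2017-10-12T09:15:41Z 10.0.0.23 GET http://www.yaran.co//wp-content/plugins/so-masonry/logs.php?c=aGVsbG8= 200
2017-10-12T09:16:02Z 10.0.0.41 GET https://raw.githubusercontent.com/F0R3X/BrowserFontArabic/master/FontArabic.exe 200
2017-10-12T09:17:30Z 10.0.0.41 POST http://144.76.109.88/update 200
2017-10-12T09:18:11Z 10.0.0.57 GET http://unknown.example/blog/work.php?c=Zm9v 200
2017-10-12T09:18:12Z 10.0.0.57 GET http://shop.example/cart.php?c=1&item=2 200
""".splitlines()

if __name__ == "__main__":
    for line_no, verdict, url in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: {verdict:20} {url}")
```

Because the compromised sites in Appendix A are legitimate businesses, match on the full host and path rather than the bare domain, or the block list will also catch benign traffic to those sites; the heuristic verdict is there to surface new proxy scripts on hosts not yet listed, and should feed a review queue rather than a block action.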

The post Muddying the Water: Targeted Attacks in the Middle East appeared first on Palo Alto Networks Blog.

Go to Source
Author: Tom Lancaster

Analysis: How Malware Creators Use Spam Emails to Maximize Their Impact

If it works, why change it?

This is what malware creators must think when planning a spam campaign to spread their malicious code to as many potential victims as possible.

Spam has remained a preferred attack vector for decades, ever since its emergence in the early 1990s. We could say that spam is as old as the Internet itself! And malicious actors have never ceased to take advantage of it to achieve their goals. Let’s see how.

 


More than half of the security alerts we issued this year showed how cybercriminals used spam campaigns to spread malware (be it financial malware or ransomware) to reach as many potential victims as possible. According to the IBM X-Force Threat Intelligence 2017 report, spam has increased its volume by 44%.  Even worse, almost 44% of spam emails contain malicious attachments. How bad is it?

85% of those malicious attachments are designed to spread ransomware.

Have you seen how much a Bitcoin goes for now? The most famous cryptocurrency of them all peaked in November 2017 at $7800 and the trend is upwards. If they encrypt your data, they will usually demand Bitcoin as ransom. Every single day, the cost of an attack grows higher.

But if this is so common, how come spam emails still work?

We wanted to get to the bottom of this. This article will show you why using spam to deliver malware is so popular with malicious hackers. Let’s start with the “why”.


Why do cybercriminals prefer spam as an attack vector?

Although they don’t lack creativity when it comes to modifying malware strains to become more powerful, more harmful and more difficult to detect and remove, attackers still rely on spam campaigns because of several factors:

Spam is pervasive.

Volumes have risen and fallen unpredictably over the past six years, with a single certainty: spam is here to stay.

[Figure: Cisco total spam volume. Source: CISCO via ZDNET]

Spam campaigns are cheap.

And cybercriminals are just as lazy as you and me.

This fantastic report revealed that 83% of all spam is sent during weekdays, with spammers being the least active on Monday and Friday. Just like us, they have the Monday blues. Unlike most of us, their job is also automated.

Cybercriminals rely on botnets to do the work and send spam emails to targeted victims. Botnets are networks of infected computers whose resources are used to deliver attacks against other unsuspecting users.

This way, users whose computers are already infected pay the price of the campaign (energy, data and hardware resource consumption).

Most owners whose computers are part of a botnet have no idea what’s going on. Millions of computers are part of these botnets, according to the data provided by TrendMicro, and there is no way to know exactly how many computers are compromised.

[Figure: Trend Micro botnet activity map]

When looking at the countries where most spam emails come from, we can see where the largest botnets are located as well. USA, China, Vietnam, Germany and Russia are the top 5 countries with most infected computers used to send spam campaigns.

Source: AV Test

Spam reaches the potential victim directly.

It’s every cyber criminal’s dream to hit their potential victims as close to home as possible. And the user’s email address is what we could call home if we’d ever look for one online.

A simple email can provide unmitigated access to a vulnerable victim. He/she can be tricked to open that email, click the link inside or download the attachment. These actions usually trigger a malware infection.

Spam emails can include attachments and links.

Malicious actors have the opportunity to include infected attachments and links in spam emails. One click on the link and the victim is redirected to a rogue website that downloads malware onto the system. Just download the attachment and open it, and you can become infected with anything from spyware, financial malware, keyloggers or ransomware.

[Figure: share of spam with attachment or URL, last 14 days. Source: AV Test]

It’s easy to target spam campaigns to reach a certain country or region.

Malware creators invest a lot of resources into harvesting email addresses so they can send their malicious campaigns (check out how they do it below). When collecting email addresses, they often know where their potential victims are from, so they can target their attacks to the countries or regions they are after.

Just take a look at how much malware is out there.

[Figure: rise of malware, 10-year trend. Source: AV Test]

Don’t be deceived by the downward trend; it just means malware is now much more potent and specialized.

Usually, cybercriminals choose rich, developed countries, where they know that victims have valuable data or considerable financial resources. They don’t always go for the money, but that’s often the objective.

Targeting a region also means that the attackers will localize the spam emails, translate them and use symbols that the potential victims recognize and trust. That is what makes spam emails so believable and that’s why so many Internet users are still deceived by them.

Spam gives attackers access to a large number of potential victims.

Besides allowing malware creators to create and deploy targeted campaigns, using spam to deliver malware also provides cyber criminals access to a huge number of potential victims.

Spam campaigns used to spread malware are usually massive, involving thousands of email addresses. This is especially the case for “spray and pray” campaigns, which are not targeted but simply sent out in the hope that some will “stick”.

The boom in devices and content makes it easy to deceive users.

The advent of smartphones and tablets and the decreasing costs of owning a computer have brought about unprecedented connectivity and access to technology.

Couple that with the alarming growth of IoT devices (gadgets connected to the Internet, usually with an extreme lack of secure settings) and you have a godsend for malicious hackers.

A prerequisite of enjoying the web is to have an email address, it’s like your SSN or the most basic ID card.

More devices > More email addresses > More potential victims > More spam

But not all these users are educated about the dangers of using the web without adequate protection. So technology adoption is moving at a faster pace than people can protect themselves from cyber threats.

This leaves a huge number of email users unprotected. Cybercriminals would never miss this opportunity!

This is also how malware creators use spam to maximize their impact. Now that we’ve seen why they prefer this method to other infection vectors, let’s talk about the “how”.

How do cybercriminals collect email addresses for their spam campaigns?

Harvesting email addresses is an important activity for cybercriminals, so they are always on the lookout for new ways to scale their efforts. Here are the top techniques they use to get their hands on thousands of emails:

  • Hacking company databases – this is a bold approach, but brings in huge amounts of data for attackers (the Equifax fiasco and the Yahoo one are still creating ripples);
  • Compromising mailing lists – attackers might also focus on hacking servers which host mailing lists;
  • Crawling websites and forums – if you’ve ever had a blog, you could’ve added a contact email address so that people can reach you; if it’s not protected, it will be harvested;
  • Phishing on social media channels – you’ve probably seen a tempting offer shared by one of your Facebook friends at least once or failed to recognize a Tinder Bot; when clicking the link, the user is directed to a website that requires an email address to access it;
  • Tapping into your network connection (man-in-the-middle attack) – when you connect to an unprotected network, an attacker might eavesdrop on your data exchanges on the web and collect the information you provide, including your email address;
  • Ransomware – certain ransomware strains can be instructed to connect to the email accounts you are logged into when the infection happens, collect all your contacts and leak them to the cyber criminal controlled server (see the dreaded WannaCry strain that brought the entire world to tears or its successor, Bad Rabbit, still affecting organizations around the globe);

[Figure: the dark web is like an iceberg]

  • Purchasing email databases on the dark web – cybercriminals like to go shopping too, and they can find and buy email addresses in bulk from other attackers who harvested them. Stolen card credentials go as low as $5-$8 with the CVV2 number included, but an email can cost even under $1! They’re even copying the IaaS or SaaS model with Phishing as a Service, simply subscribing to fresh batches of compromised emails every month;
  • Compromising your browser – your browser is one of the weakest spots in your system, so there are plenty of vulnerabilities that they can leverage to infiltrate Chrome, Firefox and especially Internet Explorer to intercept the data you are providing to different websites (including your email address);
  • Attacking your website domain contact points – if you’re a website owner, anyone can find out your email address by using the “whois” command or freely available databases;
  • Guessing – certain attackers resort to guessing email addresses, which they verify by sending test messages – if no error is returned, then the email is valid and can be used in the next attack;
  • Social engineering – cybercriminals may sometimes call you and pose as organizations you trust – they’ll also ask for your email address and maybe other information.

Who are the most vulnerable users?

Cybercrime relies heavily on psychological manipulation (also called social engineering) to achieve its damaging objectives. Attackers leverage technology and its vulnerabilities as well, but no attack can be deployed without “the human touch”.

Users’ curiosity, short attention span, tendency to multitask, but also their trust in certain organizations and lack of cybersecurity education are all psychological factors that cybercriminals use against potential victims.

This means that several user categories become even more vulnerable: the elderly, the young and users who are not experienced in matters of the web and lack even basic cybersecurity knowledge.

These users are not aware of what can happen if they click on a link or download an attachment from an email coming from an unknown sender. Sometimes, they can’t even identify an email as being spam or having potentially malicious content. Not to mention that they don’t even think of installing an antivirus or other cybersecurity software.

Because of this context, cyber attacks are often successful. Not only that, but they also feed the malware economy, providing more vulnerabilities, having their machines enlisted in botnets and more. We know you’re concerned about these insidious attacks, so we created a mega-guide to protect yourself against social engineering here.

What are the most common email spam types I should look out for?

There are several types of spam emails:

  • spam emails that advertise products, such as miraculous weight loss pills or sexual enhancers;
  • scams that try to trick you into paying money or give away personal information;
  • phishing emails which attempt to harvest sensitive information from unsuspecting victims, such as usernames, passwords, and credit card details;
  • blank spam – this is an empty email, sometimes without a subject line, used by cyber criminals to test the validity of the email address so they can then target that address with a malware-laden spam.

[Figure: phishing and spam emails cost companies – malicious attachments]

There are several notorious types of spam campaign which you may see in your inbox from time to time:

  • the money laundering scam (Nigerian scam) – you get an email from someone claiming to be your relative, who needs your help to retrieve a large sum of money that is the result of an inheritance;
  • the greeting card scam – you get an email claiming that a friend of yours has sent you an electronic greeting card which you can see by clicking a link;
  • the make money fast scam – someone emails you about a sure-fire way to increase your revenue in just a few weeks;
  • the travel scam – you receive an email with a holiday offer that seems too good to be true (it most likely is, of course);
  • the post office/delivery service scam – your local post office or a delivery company informs you that you weren’t home when they tried to deliver a package and that you should click a link to get more details (please, don’t!);
  • the bank phishing email – you get an email from your bank informing you that your account could be compromised if you don’t change your password and offers a link you can access to do so;
  • the online dating scam – a dating website appears in your inbox, advertising the opportunity to meet singles in your area;
  • the SEO spam – an email announces a Google algorithm update and offers professional help to handle the change;
  • the scan/fax spam – claiming to deliver a scan of an important document or an important fax;
  • the invoice spam – that pretends to be an invoice or a receipt for a product or service the user has purchased.

You can read about other potential dangers to avoid in this list of 11 online scams to stay away from.

How a spam email can trigger a cyber attack

The common attack pattern used by spam campaigns whose objective is to spread malware is the following:

Step 1: The unsuspecting victim opens the spam email.

There are two scenarios that can follow:

A. The user clicks a link in the email which redirects to a malware-infected website. That website drops a malicious payload (packet of data) onto the user’s system. The payload scans for vulnerabilities in software and finds a way to gain administrator privileges. The payload then communicates with the servers controlled by cyber criminals. There it gets the instructions to collect information, encrypt the data, remain dormant until a banking website is accessed, etc.

B. The user downloads the malicious attachment and opens it. The attachment includes a malicious payload that scans the system for vulnerabilities. The payload then connects to the server controlled by the attacker to get its command. Then the infection unfolds, according to its objective.

Don’t be fooled: as complicated a process as this may seem, it only takes a few seconds! And to think that it all starts with opening an email, a task we mindlessly perform on a daily basis, because it feels natural to us.

Kaspersky’s Spam and phishing in Q1 2017 report shows what the most common infections carried by spam emails are:

[Figure: email spam statistics 2017 – trojan types]

Source: Kaspersky Lab

In Q1 2017 alone (a very short interval), Kaspersky products alone (a single security vendor) blocked a whopping 51 million attempts to open a phishing page.

An eloquent example: Dridex in 2015

A few years ago, on October 13, 2015, news about a huge takedown operation came to light: a set of command-and-control (C&C) servers used by the DRIDEX botnet were dismantled by the FBI and the National Crime Agency (NCA) in the UK.

That was excellent news for the cyber security community and for Internet users in general. Dridex was one of the most dangerous banking infostealers, used to defraud Internet users of sizeable amounts of money (we’re talking millions of dollars/euros here).

But cyber criminals have bounced back faster than expected. The Heimdal Security team has observed again that several massive spam campaigns have started to spread the Dridex malware.

Our intelligence indicated that traffic from the Dridex infrastructure continued to rise, in spite of the several attempts to disable the botnet made by several institutions. The botnet 220, which launched the campaigns, was especially active.

And this is just a few years ago. In May 2017 we saw possibly the worst ransomware attack in history:

WannaCry

Described by Europol as a ransomware attack of “unprecedented level”, it affected hundreds of thousands of computers running Windows in 99 countries. The National Health Service (NHS) in England and Scotland was one high-profile victim of WannaCry. Effects? About 40 of the NHS’s medical organizations and practices were hit, interrupting critical services and affecting patients’ data.

[Figure: how WannaCry ransomware spreads with EternalBlue – infographic]

Then, at the end of October 2017, Bad Rabbit created panic when it took down major organizations in Eastern European countries, from regular companies to transport behemoths.

How to protect yourself from spam and the malware infections it may carry

I know your inbox is probably already bombarded with spam. Let’s see what you can do to prevent a malware infection from making its way into your system via a junk email. We hope the tips below are enough to keep you safe. If you do still get hit by an infection, we recommend you check out our malware removal guide.

These tips are also helpful to keep your inbox protected from future spam emails and also safe from cyber attacks that use this attack vector.

What to do:

  • Before providing any personal information, including your email address, check the privacy policy of the websites that require this data. Do the same when it comes to forms, online surveys or mailing lists. Never submit your email to websites that look shady or suspicious.
  • Only subscribe to newsletters and emails from entities you trust. Unsubscribe from emails that clog your inbox unnecessarily.
  • Use an anti-spam solution. Also install email filters that can send any suspicious emails directly to the spam or trash folder.
  • Choose a reliable email service provider. Big ones like Gmail and Outlook have incorporated spam filters that are pretty good at keeping you safe.
  • Never open an email from the spam folder. If the sender looks familiar, email him/her directly and ask him/her to forward you the email in case it was legitimate.
  • Install a reliable antivirus solution and keep it up to date. Enable real-time protection so it can scan for malware that might have made its way into your system.

[Figure: how to keep safe from spam-delivered malware]

  • Use a security solution that can filter your Internet traffic to protect you from malicious websites, phishing attempts, and other dangerous web destinations.
  • Always keep your software up to date. Close security holes and don’t leave room for vulnerabilities that cybercriminals can exploit.
  • Don’t open emails or email attachments from unknown senders. If you really, really have to, check the email address and verify the validity of the domain by typing it into your browser’s address bar.
  • Should you receive any strange or suspicious emails, simply delete them without opening them. If you open them, you confirm to the cybercriminal that your email address is valid.
  • Check the “sent” folder or outgoing mailbox to see if there are any outgoing messages that you didn’t send. If you do find some, it’s possible that your email address was hacked. You should disconnect from the Internet and run an in-depth antivirus scan. Also run anti-malware software and see if they find any infections.
  • Set up a disposable email address you can use to sign up for online services or newsletters. That way, you can separate your main email address from one that could become a target for cybercriminals. It’s a very good idea to keep more than one email address. In case something happens with one of them, you can use others to retrieve your account.
  • Create aliases for your email address. Here’s the simple explanation from Microsoft’s Outlook:

An alias is an additional email address for your Microsoft account. It uses the same inbox, contact list, and account settings as the primary alias. You can sign in to your account with any alias—they all use the same password. You can send email from an alias whether you’re using a mail app like Outlook.

An alias is also the best way to change your email, but keep all your mail. Add an alias, then make the new alias primary. Then you can keep or remove the original alias.

Having an alias provides the opportunity to sign up for services with your email address, but in a way that it looks different. This way you can set up filters in your inbox and don’t give out your real email address.

  • View emails in plain text. Spam emails can carry dangerous elements beyond the links and attachments shown before: there can be hidden code in their HTML elements. The best way to avoid these dangers is to disable HTML and view emails in plain text.
  • Don’t post your email address in plain sight on websites. Cybercriminals use spambots that crawl websites to search for email addresses to harvest. You can display an image that spells your email address or write it in this form: Marry_Poppins[at sign]emailprovider[dot]com. You can also use contact forms to fulfill the same purpose.
  • Report spam emails. If a spam or suspicious email reaches your inbox, mark it as spam. This way, mail service providers can flag it appropriately. Also, you can ask your Internet Service Provider to include malicious or spammy senders in their block lists.

[Figure: spam statistics 2017 – areas of infection]

Source: Kaspersky Lab

What NOT to do:

  • Don’t give away your email address so easily. It may not feel like your online actions have an impact, but they do. And losing an email address or having it hacked can be a bigger pain than you can imagine.
  • Don’t fall for scams. Teach yourself to remain alert and observant so you don’t fall for the scams mentioned previously. It can happen to the best of us, but we can avoid it if we carefully evaluate our online interactions. This can certainly become a habit and not a hassle.
  • Never reply to suspicious emails. We know you’re fed up or bored, but it’s never a good idea to reply to spam emails.

Conclusion

Many think that cybercriminals employ tactics that a regular Internet user could never understand. In fact, it is failing to cover the cybersecurity basics that gets people into trouble.

If you have a friend or a relative that could use this article, forward it to him or her. It may save you both time, effort and energy. You can also subscribe to the Daily Security Tip, the very opposite of spam. It’s a piece of valuable cybersecurity information, straight in your inbox, every day.

Being ready and knowing how to handle a threat to your online safety are top skills. You need them for the future when everything is connected. And that’s just around the corner!

Written by Andra Zaharia and updated on 14 November 2017 by Ana Dascalescu.

Author: Ana Dascalescu

Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks

In March 2016, a financially motivated threat actor launched several tailored spear phishing campaigns primarily targeting the retail, restaurant, and hospitality industries. The emails contained variations of Microsoft Word documents with embedded macros that, when enabled, downloaded and executed a malicious downloader that we refer to as PUNCHBUGGY.

PUNCHBUGGY is a dynamic-link library (DLL) downloader, existing in both 32-bit and 64-bit versions, that can obtain additional code over HTTPS. This downloader was used by the threat actor to interact with compromised systems and move laterally across victim environments.

FireEye identified more than 100 organizations in North America that fell victim to this campaign. FireEye investigated a number of these breaches and observed that the threat actor had access to relatively sophisticated tools including a previously unknown elevation of privilege (EoP) exploit and a previously unnamed point of sale (POS) memory scraping tool that we refer to as PUNCHTRACK.

CVE-2016-0167 – Microsoft Windows Zero-Day Local Privilege Escalation

In some victim environments, the threat actor exploited a previously unknown elevation of privilege (EoP) vulnerability in Microsoft Windows to selectively gain SYSTEM privileges on a limited number of compromised machines (Figure 1).

Figure 1. CVE-2016-0167 Local privilege escalation exploit elevates to system

We coordinated with Microsoft, who patched CVE-2016-0167 on the April 12, 2016, Patch Tuesday (MS16-039). Working together, we were able to observe limited, targeted use of this particular exploit dating back to March 8, 2016.

The Threat Actor

We attribute the use of this EoP to a financially motivated threat actor. In the past year, not only have we observed this group using similar infrastructure and tactics, techniques, and procedures (TTPs), but they are also the only group we have observed to date who uses the downloader PUNCHBUGGY and POS malware PUNCHTRACK. Designed to scrape both Track 1 and Track 2 payment card data, PUNCHTRACK is loaded and executed by a highly obfuscated launcher and is never saved to disk.

This actor has conducted operations on a large scale and at a rapid pace, displaying a level of operational awareness and ability to adapt their operations on the fly. These abilities, combined with targeted usage of an EoP exploit and the reconnaissance required to individually tailor phishing emails to victims, potentially speaks to the threat actors’ operational maturity and sophistication.

Exploitation Details

Win32k!xxxMNDestroyHandler Use-After-Free

CVE-2016-0167 is a local elevation of privilege vulnerability in the win32k Windows Graphics subsystem. An attacker who had already achieved remote code execution (RCE) could exploit this vulnerability to elevate privileges. In the attack from the wild, attackers first achieved RCE with malicious macros in documents attached to spear phishing emails. They then downloaded and ran a CVE-2016-0167 exploit to run subsequent code as SYSTEM.

CVE-2016-0167 is patched as of April 12, 2016, meaning the attacker’s EoP exploit will no longer function on fully updated systems. Microsoft released an additional update (MS16-062) on May 10, 2016, to further improve Windows against similar issues.

Vulnerability Setup

First, the exploit calls CreateWindowEx() to create a main window. It sets the WNDCLASSEX.lpfnWndProc field to a function that we name WndProc. It installs an application-defined hook (that we name MessageHandler) and an event hook (that we name EventHandler) using SetWindowsHookEx() and SetWinEventHook(), respectively.

Next, it creates a timer with IDEvent 0x5678 in SetTimer(). When the timeout occurs, WndProc receives the WM_TIMER message and will invoke TrackPopupMenuEx() to display a shortcut menu. EventHandler will capture the EVENT_SYSTEM_MENUPOPUPSTART event from xxxTrackPopupMenuEx() and post a message to the kernel. In handling the message, the kernel eventually calls the vulnerable function xxxMNDestroyHandler(), which calls the usermode callback MessageHandler. MessageHandler then causes a use-after-free scenario by calling DestroyWindow().

Heap Control

The exploit uses SetSysColors() to perform heap feng shui, which manipulates the layout of the heap by carefully making heap allocations. In the following snippet, one of the important fields is at address fffff900`c1aaac40, where fffff900`c06a0422 is a window kernel object’s (tagWND) base address plus 0x22:

Memory Corruption

The USE operation occurs at HMAssignmentUnlock()+0x14 as shown below:

Since RDX contains the base address of tagWND plus 0x22, this instruction will add 0xffffffff to the win32k!tagWND.state field, changing its value from 0x07004000 to 0x07003fff. 0x07004000 indicates that the bServerSideWindowProc flag is unset. When the change occurs, it sets the bServerSideWindowProc flag as shown below.

Code Execution

If a window is marked as server-side (bServerSideWindowProc is set), the lpfnWndProc function pointer will be trusted by default and this can be user-mode shellcode. The following backtrace shows the kernel calling the exploit’s shellcode:

The shellcode then steals the System process token to elevate a child cmd.exe process.

Mitigation

FireEye products and services identify this activity as Exploit.doc.MVX, Malware.Binary.Doc, PUNCHBUGGY, Malware.Binary.exe, and PUNCHTRACK within the user interfaces.

The latest Windows updates address CVE-2016-0167, and fully protect systems from exploits targeting CVE-2016-0167.

In addition, effective mitigations exist to prevent social engineering attacks that utilize Office macros. Individual users can disable Office macros in their settings and enterprise administrators can enforce a Group Policy to control macro execution for all Office 2016 users. More details about Office macro attacks and mitigations are available here.

Acknowledgements

Thank you to Elia Florio and the Secure@ staff of Microsoft, and Dimiter Andonov, Erye Hernandez, Nick Richard, and Ryann Winters of FireEye for their collaboration on this issue.

Author: brian.sisco@fireeye.com

New Malware with Ties to SunOrcal Discovered

Summary

Unit 42 has discovered a new malware family we’ve named “Reaver” with ties to attackers who use SunOrcal malware. SunOrcal activity has been documented to at least 2013, and based on metadata surrounding some of the C2s, may have been active as early as 2010. The new family appears to have been in the wild since late 2016 and to date we have only identified 10 unique samples, indicating it may be sparingly used. Reaver is also somewhat unique in the fact that its final payload is in the form of a Control panel item, or CPL file. To date, only 0.006% of all malware seen by Palo Alto Networks employs this technique, indicating that it is in fact fairly rare.

While we don’t have information on the intended targets in this case, previous reports on this activity have identified targeting primarily among the “Five Poisons” which are movements the Chinese government perceives as dangerous. They are:

  • Uyghurs, particularly those supporting East Turkestan independence
  • Tibetans, particularly those supportive of Tibetan independence
  • Falun Gong practitioners
  • Supporters of Taiwan independence
  • Supporters of Chinese democracy

The attackers used both families concurrently from late last year through November 2017 and there is some C2 infrastructure overlap between the two families, as well as links to historical reporting.  We explore those ties and provide an in-depth analysis of the new malware below.


Reaver Malware Analysis

To date, Palo Alto Networks Unit 42 has identified 10 unique samples and three distinct variants of a new malware family we have named “Reaver”. As such, we identify each variant as Reaver.v1, Reaver.v2, and Reaver.v3.

Reaver.v1 has been observed delivering a payload that uses HTTP for network communication, while versions 2 and 3 use a payload that uses raw TCP connections for this communication.

The flow for Reaver is as shown:


Figure 1 Reaver execution flow diagram

Reaver.v1

The earliest variant of Reaver begins by attempting to enable the SeDebugPrivilege privilege for the running process. In the event this is successful the malware will use the following path to store any dropped files:

  • %COMMONPROGRAMFILES%\services

In the event it is not successful, this alternative path will be used instead:

  • %APPDATA%\microsoft\mmc

It proceeds to load and decrypt an embedded bitmap resource file. This decrypted data is written to the following location:

  • %TEMP%\WUpdate.~tmp

This ‘WUpdate.~tmp’ file is then copied to a filename of ‘Applet.cpl’, which is placed in the previously identified file path.

The malware proceeds to identify the file path of either the common startup folder, or the user’s startup folder depending on if the SeDebugPrivilege privilege was obtained. In the event this privilege was obtained, the common startup folder is queried by reading the following registry key:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup

Alternatively, if the privilege could not be obtained, Reaver will obtain the user’s startup folder by querying the following registry key:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup

Reaver proceeds to write a shortcut file to ‘%TEMP%\~WUpdate.lnk’. This file is then copied to a filename of ‘Windows Update.lnk’, which is placed in the startup path previously identified. This shortcut file points to the path of the previously written ‘Applet.cpl’ file. Finally, Reaver.v1 will execute the ‘~WUpdate.lnk’ file in a new process, thus loading the recently dropped malicious CPL file.

Reaver.v2

Reaver.v2 begins by attempting to enable the SeDebugPrivilege privilege for the running process. In the event this is successful, the malware will use the following path to store any dropped files:

  • %COMMONPROGRAMFILES%\services

In the event it is not successful, this alternative path will be used instead:

  • %APPDATA%\microsoft\mmc

Reaver.v2 proceeds to decrypt an embedded file using a simple XOR obfuscation routine. This file is written to the following file path:

  • %TEMP%\Update.~tmp

After the file is written, it is then copied to a filename of ‘winhelp.cpl’ in the directory that was initially chosen. After this file is copied, the original ‘Update.~tmp’ file is deleted. At this stage the malware will identify the correct startup path using the same technique witnessed in earlier variants.

A shortcut file is generated in the following path:

  • %TEMP%\~Update.lnk

This ‘~Update.lnk’ file is then copied to a filename of ‘Windows help.lnk’, which is placed in the startup path previously identified. This shortcut file points to the path of the previously written ‘winhelp.cpl’ file. It will specifically load this CPL file via a call to the built-in Microsoft Windows ‘control.exe’ utility. Finally, Reaver.v2 will execute the ‘~Update.lnk’ file in a new process, thus loading the recently dropped malicious CPL file.


Reaver.v3

Like Reaver.v2, Reaver.v3 begins by attempting to enable the SeDebugPrivilege privilege for the running process. In the event this is successful, the malware will use the following path to store any dropped files:

  • %COMMONPROGRAMFILES%\services

In the event it is not successful, this alternative path will be used instead:

  • %APPDATA%\microsoft\credentials

Reaver.v3 proceeds to write an embedded Microsoft Cabinet (CAB) file to the following location:

  • %TEMP%\winhelp.dat

This cabinet file is then extracted to the previously identified file path. The contents of this cabinet file consist of a Microsoft Control Panel item with a filename of ‘winhelp.cpl’.

Much like the previous version of Reaver, Reaver.v3 will query the necessary registry keys to determine the correct startup path to use. Again, a shortcut file is written to the %TEMP% path with a name of ‘~Update.lnk’, which is in turn copied to the identified startup path with a filename of ‘Windows help.lnk’. This shortcut file calls the built-in ‘control.exe’ utility to in turn load the previously dropped malicious CPL file of ‘winhelp.cpl’.

Finally, the malware calls the ‘winhelp.cpl’ file in a new process via the following command:

  • control [path_previously_identified]\winhelp.cpl
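The drop directories, temporary file names, startup shortcut names and control.exe invocation described for the three variants above give a responder concrete host artifacts to hunt for. The following is an added example, not Unit 42’s code, that classifies constructed file and process events against those artifacts; the event dictionaries and the sample records are my own simplification of Sysmon-style telemetry.

```python
import re
from typing import Iterable, List, Optional, Tuple

# File names the walkthrough above reports Reaver.v1-v3 dropping; matching is
# case-insensitive because Windows paths are.
TEMP_DROPS = {"wupdate.~tmp", "update.~tmp", "winhelp.dat", "~wupdate.lnk", "~update.lnk"}
CPL_DROPS = {"applet.cpl", "winhelp.cpl"}
STARTUP_LNKS = {"windows update.lnk", "windows help.lnk"}
# Tails of the drop directories chosen depending on whether SeDebugPrivilege was obtained.
DROP_DIR_TAILS = ("\\services", "\\microsoft\\mmc", "\\microsoft\\credentials")

# 'control <path>.cpl', the form used by the v2/v3 shortcut and the final command.
CONTROL_CPL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?control(?:\.exe)?"?\s+"?(?P<cpl>[^"]+?\.cpl)"?\s*$',
    re.IGNORECASE,
)


def _split(path: str) -> Tuple[str, str]:
    """Return (directory, file name), both lower-cased, for a Windows path."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def classify_event(event: dict) -> Optional[str]:
    """Return the name of the Reaver artifact rule the event matches, else None."""
    if event["type"] == "file":
        directory, name = _split(event["path"])
        if name in TEMP_DROPS and "\\temp" in directory:
            return "reaver_temp_drop"
        if name in CPL_DROPS and directory.endswith(DROP_DIR_TAILS):
            return "reaver_cpl_drop"
        if name in STARTUP_LNKS and directory.endswith("\\startup"):
            return "reaver_startup_lnk"
        return None
    if event["type"] == "process":
        match = CONTROL_CPL_RE.match(event["cmdline"])
        if match:
            cpl = match.group("cpl").lower()
            # Built-in applets are loaded by bare name or from the Windows directory;
            # a CPL given by full path outside it is the Reaver pattern.
            if "\\" in cpl and "\\windows\\" not in cpl:
                return "reaver_control_cpl"
    return None


def scan_events(events: Iterable[dict]) -> List[Tuple[str, dict]]:
    """Run classify_event over a stream of events and keep the hits, in order."""
    hits = []
    for event in events:
        rule = classify_event(event)
        if rule:
            hits.append((rule, event))
    return hits


# Constructed sample telemetry (simplified Sysmon-style records), not real data.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\WUpdate.~tmp"},
    {"type": "file", "path": r"C:\Program Files\Common Files\services\Applet.cpl"},
    {"type": "file",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Windows Update.lnk"},
    {"type": "process",
     "cmdline": r'control "C:\Users\bob\AppData\Roaming\microsoft\credentials\winhelp.cpl"'},
    {"type": "file", "path": r"C:\Windows\System32\control.exe"},   # benign
    {"type": "process", "cmdline": r"control.exe desk.cpl"},       # benign built-in applet
]

if __name__ == "__main__":
    for rule, event in scan_events(SAMPLE_EVENTS):
        print(f"{rule}: {event}")
```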


Reaver HTTP Payload

The malicious CPL payload of Reaver has the following two exported functions:

  • CPlApplet
  • DllEntryPoint

When the CPlApplet function is loaded, Reaver will initially determine if the SeDebugPrivilege privilege is able to be obtained. The malware proceeds to decrypt an embedded configuration of 128 bytes using a simple XOR routine. An example decrypted configuration follows:

00000000: 77 77 77 2E 74 61 73 68  64 71 64 78 70 2E 63 6F  www.tashdqdxp.co
00000010: 6D 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  m...............
00000020: 38 30 00 00 00 00 00 00  00 00 00 00 00 00 00 00  80..............
00000030: 33 30 00 00 00 00 00 00  00 00 00 00 00 00 00 00  30..............
00000040: 57 69 6E 64 6F 77 73 20  55 70 64 61 74 65 00 00  Windows Update..
00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000060: 41 70 70 6C 65 74 00 00  00 00 00 00 00 00 00 00  Applet..........
00000070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................

As we can see, the following information is present within this configuration:

  • Remote Command and Control (C2) server
  • Remote port
  • Sleep timer
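As an added example, not part of the Unit 42 report, this parser rebuilds the 128 bytes from the dump above and splits them into fields. The field offsets are inferred from the dump rather than documented by the page, and the ‘shortcut_name’ and ‘cpl_name’ labels are mine, chosen because the values match the ‘Windows Update.lnk’ and ‘Applet.cpl’ names dropped by Reaver.v1; the units of the sleep timer are not stated on the page.

```python
from typing import Dict, Union

# The decrypted 128-byte configuration exactly as dumped on the page.
PAGE_DUMP = """\
00000000: 77 77 77 2E 74 61 73 68  64 71 64 78 70 2E 63 6F  www.tashdqdxp.co
00000010: 6D 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  m...............
00000020: 38 30 00 00 00 00 00 00  00 00 00 00 00 00 00 00  80..............
00000030: 33 30 00 00 00 00 00 00  00 00 00 00 00 00 00 00  30..............
00000040: 57 69 6E 64 6F 77 73 20  55 70 64 61 74 65 00 00  Windows Update..
00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000060: 41 70 70 6C 65 74 00 00  00 00 00 00 00 00 00 00  Applet..........
00000070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
"""

CONFIG_SIZE = 128

# (offset, length) of each NUL-padded field. Offsets are inferred from the dump
# above, not documented by the page. The last two names are my labels: the values
# match the 'Windows Update.lnk' / 'Applet.cpl' names that Reaver.v1 drops.
FIELDS = {
    "c2_host": (0x00, 0x20),
    "c2_port": (0x20, 0x10),
    "sleep_timer": (0x30, 0x10),   # units not stated on the page
    "shortcut_name": (0x40, 0x20),
    "cpl_name": (0x60, 0x20),
}
INT_FIELDS = {"c2_port", "sleep_timer"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset: 16 hex bytes  ascii' lines.

    Only the first 16 tokens after the colon are used, so the ASCII column
    (which may contain spaces) is ignored.
    """
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        tokens = line.split(":", 1)[1].split()
        out.extend(int(tok, 16) for tok in tokens[:16])
    return bytes(out)


def _cstring(blob: bytes, offset: int, length: int) -> str:
    """Decode a NUL-terminated ASCII field of at most `length` bytes."""
    field = blob[offset:offset + length]
    return field.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_reaver_config(blob: bytes) -> Dict[str, Union[str, int]]:
    """Parse a decrypted Reaver HTTP-payload configuration into its fields."""
    if len(blob) != CONFIG_SIZE:
        raise ValueError(f"expected {CONFIG_SIZE}-byte config, got {len(blob)}")
    cfg: Dict[str, Union[str, int]] = {}
    for name, (offset, length) in FIELDS.items():
        value = _cstring(blob, offset, length)
        if name in INT_FIELDS:
            if not value.isdigit():
                raise ValueError(f"{name}: non-numeric value {value!r}")
            cfg[name] = int(value)
        else:
            cfg[name] = value
    return cfg


def expected_artifacts(cfg: Dict[str, Union[str, int]]) -> Dict[str, str]:
    """Host and network indicators a responder can look for, derived from the config."""
    return {
        "startup_shortcut": f"{cfg['shortcut_name']}.lnk",
        "dropped_cpl": f"{cfg['cpl_name']}.cpl",
        "c2": f"{cfg['c2_host']}:{cfg['c2_port']}",
    }


if __name__ == "__main__":
    config = parse_reaver_config(hexdump_to_bytes(PAGE_DUMP))
    print(config)
    print(expected_artifacts(config))
```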

Reaver continues to collect various information from the victim machine, including the following:

  • CPU speed
  • Computer name
  • Username
  • IP Address
  • Microsoft Windows version
  • Physical and virtual memory information

The malware proceeds to communicate with the remote server via HTTP GET and POST requests. Data that is sent is compressed and then base64-encoded before being included in the requests.

We have observed the following capabilities of this payload:

  • Get drive information
  • Read files
  • Write files
  • Delete files
  • Move files
  • Spawn processes
  • Create directories


Reaver TCP Payload

The malicious CPL payload of Reaver has the following three exported functions:

  • ServiceMain
  • CPlApplet
  • DllEntryPoint

When the malware is initially loaded, DllEntryPoint will be called, which in turn will call a function that is responsible for decompressing a blob of data. The decompressed data consists of various key/value pairings that represent important strings used by Reaver. An example of this decompressed data can be seen below:

RA@10001=ole32.dll
RA@10002=CoCreateGuid
RA@10003=Shlwapi.dll
RA@10004=SHDeleteKeyA
RA@10005=wininet.dll
RA@10006=InternetOpenA
[TRUNCATED]
RA@10288=%s%s
RA@10289=CMD.EXE
RA@10290=%s=
RA@10311=%sctr.dll
RA@10312=uc.dat
RA@10313=ChangeServiceConfig2A
RA@10314=QueryServiceConfig2A

When the malware wishes to retrieve one of these decoded strings, it will simply call a function with an integer argument that is responsible for providing it. For example, calling this function with an argument of ‘10001’ would retrieve a string of ‘ole32.dll’.

The DllEntryPoint function proceeds to attempt to obtain the SeDebugPrivilege privilege, and also calls WSAStartup for future network activity.

When the CPlApplet function is loaded, it will begin by decompressing an embedded configuration using the same compression algorithm used previously. An example of this decompressed configuration may be seen below:

Figure 2. Decompressed Reaver configuration

This configuration contains multiple pieces of information, including the following:

  • Network port
  • Sleep timer between network requests
  • Remote Command and Control (C2)
  • Service Name
  • Service Description
  • Service Display Name
  • Hardcoded String. This may be either a campaign identifier, or perhaps a malware versioning string.

The malware then checks whether the originally dropped malware file still exists. If it does, Reaver moves it to ‘%TEMP%~FJIOW.tmp’ and deletes that file; this is cleanup to ensure the original file artifacts no longer reside on the infected machine. If it is running with SeDebugPrivilege, Reaver then installs itself as a service, configured with the name, description, and display name provided in the configuration.

Reaver continues to collect various information from the victim machine, including the following:

  • Computer name
  • Volume serial number
  • Microsoft Windows version
  • CPU speed
  • ANSI code page
  • OEM code page identifier for the operating system
  • Physical and virtual memory information

Reaver encrypts this data using an incremental XOR key and uploads it to the configured remote server on the port specified. The following example Python code shows how this encryption takes place:

def reaver_encrypt(data: bytes) -> bytes:
    # The position counter c drives the key: byte c is XORed with (c % 256) + 92,
    # masked back to 8 bits. XOR is symmetric, so the same routine decodes.
    c = 0
    out = bytearray()
    for d in data:
        out.append((d ^ ((c % 256) + 92)) & 0xFF)
        c += 1
    return bytes(out)

After this data is exfiltrated, the malware expects an 8-byte response containing two DWORDs: a major command and a sub-command.

The following capabilities have been observed in this payload:

  • Get drive information
  • Modify files
  • Modify directories
  • Modify registry
  • Spawn process
  • Terminate process
  • Modify services
  • Kill self


Ties to SunOrcal

Reaver has been used concurrently with SunOrcal over the past year: two Reaver samples were dropped from zip files hosted on a domain that was also serving as a SunOrcal C2 (www.fyoutside[.]com), and there is passive DNS overlap among the C2s. Specifically, Reaver has to date used www.tashdqdxp[.]com for C2, which overlaps with www.weryhstui[.]com, another C2 used by SunOrcal samples during the same timeframe; both domains have resolved to 98.126.156[.]210. Several of those same SunOrcal samples also used www.fyoutside[.]com as an additional C2. This led to further C2 ties within SunOrcal samples, including samples beaconing to www.olinaodi[.]com; all of this is shown below in Figure 3. The latter domain has previously been reported in activity targeting Hong Kong democracy activists, and that activity is in turn tied to a report on the targeting of Tibetan, Hong Kong, and Taiwanese activists, and another blog about the targeting of Taiwanese activists.

Figure 3. Chart showing overlaps between Reaver and SunOrcal. All IOCs are in the appendix at the end of this blog.

Conclusion

The attackers behind SunOrcal, whose activity dates to at least 2013 and possibly 2010, remain active and are still developing new custom malware to use against their targets. The new malware, Reaver, appears to have been in the wild since late 2016 with fewer than a dozen known samples, among which there are three variants. It is also unusual in that its final payload is a CPL file, a technique Palo Alto Networks has seen in only 0.006% of all malware samples we have analyzed. The attackers used both families concurrently from late last year through November 2017, and there is some C2 infrastructure overlap between the two families, as well as links to historical reporting. We will continue to monitor these attackers for new activity and report as appropriate.

Palo Alto Networks customers are protected by the following:

  • WildFire and Traps identify both malware families as malicious.
  • The C2 domains are blocked via Threat Prevention.
  • AutoFocus customers can monitor activity using this malware with the following tags:


Appendix

SHA256 – Reaver.v1

d560f44188fb56d3abb11d9508e1167329470de19b811163eb1167534722e666

SHA256 – Reaver.v2

98eb5465c6330b9b49df2e7c9ad0b1164aa5b35423d9e80495a178eb510cdc1c

05ddbd0506ec95fb460b3994e5b21cdb0418ba4aa406374ca1b91249349b7640

SHA256 – Reaver.v3

18ac3b14300ecfeed4b64a844c16dccb06b0e3513d0954d6c6182f2ea14e4c92

c0f8bb77284b96e07cab1c3fab8800b1bbd030720c74628c4ee5666694ef903d

9213f70bce491991c4cbbbd7dc3e67d3a3d535b965d7064973b35c50f265e59b

26c234c73e2c3448589c7d4a0cf17f615ad3666541a4e611e2d8b77637205bcf

ae9f158e4886cfdbfb4f1b3b25707d05f6fd873d0be9d8e7334a2c28741228ee

1fcda755e8fa23d27329e4bc0443a82e1c1e9a6c1691639db256a187365e4db1

c906250e0a4c457663e37119ebe1efa1e4b97eef1d975f383ac3243f9f09908c

1813f10bcf74beb582c824c64fff63cb150d178bef93af81d875ca84214307a1

SHA256 – SunOrcal

799139b5278dc2ac24279cc6c3db44f4ef0ea78ee7b721b0ace38fd8018c51ac

81d887fefdbb0219647991c2b7bddf45c2fede4dc6fc18408f1706e0279615b2

58312fb742ce881e040e1b5b8555f00a402b8dd4fc886acaae2f862040b3bfc5

38ea33dab0ba2edd16ecd98cba161c550d1036b253c8666c4110d198948329fb

cb7c0cf1750baaa11783e93369230ee666b9f3da7298e4d1bb9a07af6a439f2f


C2 domains and IP addresses

www.tashdqdxp[.]com

www.weryhstui[.]com

www.fyoutside[.]com

www.olinaodi[.]com

104.148.70[.]217

98.126.156[.]210

The post New Malware with Ties to SunOrcal Discovered appeared first on Palo Alto Networks Blog.

Author: Josh Grunzweig

Disdain exploit kit served with a side of social engineering

Today we picked up new activity from an exploit kit that was first discovered back in August of this year. The Disdain exploit kit, simply identified by a string of the same name found in its source code, is being distributed again after a short interruption via malvertising chains.

Disdain EK relies on older vulnerabilities that have long been patched and some that do not appear to be working properly. From a traffic to infection point of view, this means that the conversion rates are going to be lower than, say, RIG EK, the other most common exploit kit at the moment.

This may explain why we are seeing Disdain being used as a drive-by download alongside a social engineering attack to increase the likelihood of infections. Case in point, the following site was compromised to serve Disdain EK while also distributing a fake Flash Player update:

What’s interesting is that both payloads (Disdain’s and the Flash update) are actually the same malware binary, just delivered by different methods. The former is loaded via an iframe injected into the page, while the latter is a regular download that requires user interaction to execute it:

Disdain’s landing page exploits older Internet Explorer vulnerabilities and attempts to load Flash exploits as well, although in our tests these did not work.

The final payload, served either via the exploit or social engineering route, is Neutrino Bot, which we have documented on this blog before when it was served in malicious spam campaigns.

In the past few weeks, there have been a few developments in the exploit kit scene beyond the long running RIG exploit kit, where threat actors are attempting new tricks both from an evasion and distribution point of view. Despite this, there remains a lack of innovation in what really matters at the end of the day: the exploits being used to deliver drive-by infections.

While some groups have switched to pure social engineering-based attacks, others are attempting either or both methods at once. In the current threat landscape, the campaigns that have the most success are those that can draw a lot of traffic and use clever techniques to fool users.

Systems that have been patched regularly would not be affected by this exploit kit, but at the same time users should beware of non-legitimate software updates. Many of the so-called “Flash Player” or “Video Player” updates typically push adware and, as we saw recently with the BadRabbit outbreak, even ransomware.

Malwarebytes users are protected from the Disdain exploit kit and Neutrino Bot malware.

The post Disdain exploit kit served with a side of social engineering appeared first on Malwarebytes Labs.

Author: Jérôme Segura

LockCrypt Ransomware Spreading via RDP Brute-Force Attacks

We previously reported on SamSam ransomware charging high ransoms for infected servers. But SamSam isn’t the only ransomware out there charging eye-watering amounts to decrypt business servers.

Initial reports of a new variant of ransomware called LockCrypt started in June of this year. In October we saw an increase in infections.

LockCrypt doesn’t have heavy code overlaps with other ransomware. We’ve seen evidence that the attackers likely started out with easier-to-deploy “ransomware as a service” before re-investing in their own ransomware.

We have seen small businesses infected with LockCrypt in the US, UK, South Africa, India and the Philippines.

Initial Compromise

One target reported they were infected via RDP brute-forcing from a compromised mail server. The attackers then manually killed business critical processes for maximum damage.

We have seen lots of related activity from this IP:

The Targets

Targets have reported paying between 0.5 and 1 Bitcoin per server – which translates at current prices to over $5000 per server. One business reported paying approximately $19,000 to recover three machines.

An earlier version included a BitCoin address in the ransomware note. That address received about $20,000 worth of Bitcoins from targets in July.

A photo of an infected machine taken by a target

Overview of Execution

The pop-up window and ransom message provided by the attackers to targets

LockCrypt encrypts files and renames them with a .lock extension. It also installs itself for persistence and deletes back-ups (volume shadow copies) to prevent an easy recovery.

It executes a batch file to kill all non-core processes, a very aggressive form of anti-virus and sandbox evasion.

LockCrypt then sends base64-encoded information about the infected machine to a server in Iran.

Ransomware proliferation?

The first versions of LockCrypt used an e-mail address that was previously connected to Satan Ransomware, an easy-to-use “ransomware as a service”.

To get the decryptеr you should pay for decrypt:

to send 1 bitcoin today (tomorrow 2 bitcoins) to bitcoin the address 1Nez7W9ashFL4BA7vHuA5aoaad9XtqHKCF

Send screenshot of payment to mail support stn_satan@aol.com or Satan-Stn@bitmessage.ch

All your files have been encrypted due to a security problem with your PC

If you want to restore them, write us to the e-mail support stn_satan@aol.com or Satan-Stn@bitmessage.ch

Left – A ransom note from Satan Ransomware; Right – A ransom note from LockCrypt ransomware with matching contact details – A targeted business lost their accounting records to this malware

Many fear that ransomware creation services such as Satan could lead to attackers re-investing their criminal gain into more sophisticated schemes. It’s possible that has happened in this case.

Coincidentally, AlienVault recently discussed the threat posed by Satan ransomware in an interview with the BBC. Here’s what the creation process looks like:

The Satan Ransomware Creation page

Prevention and Detection

Preventing RDP brute-forcing requires basic security hygiene such as:

  • Consider enforcing complex passwords and two-factor authentication on RDP access
  • Don’t allow incoming RDP connections from anywhere on the internet
  • Consider locking out users that have numerous failed login attempts

We have provided detection rules, Yara signatures, file hashes, payment e-mails and bitcoin addresses below.
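The RDP brute-forcing described in the Initial Compromise section, and the lockout advice above, both come down to counting failed remote logons per source. The following is an added example of that detection logic, not code from the original post or from USM Anywhere. It assumes Windows Security events flattened to one line each (event 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP); the sample events and the IP addresses in them are constructed, and the threshold and window are arbitrary tuning values:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a password-spray burst from one source followed by a
# successful RDP logon, one ordinary user logon, and a non-RDP failure that
# must be ignored. Addresses are from the documentation ranges (TEST-NET).
SAMPLE_EVENTS = """\
2017-10-12T03:14:01Z 4625 LogonType=10 Src=203.0.113.45 User=administrator
2017-10-12T03:14:03Z 4625 LogonType=10 Src=203.0.113.45 User=admin
2017-10-12T03:14:04Z 4625 LogonType=10 Src=203.0.113.45 User=Administrator
2017-10-12T03:14:06Z 4625 LogonType=10 Src=203.0.113.45 User=backup
2017-10-12T03:14:07Z 4625 LogonType=10 Src=203.0.113.45 User=sqladmin
2017-10-12T03:14:09Z 4625 LogonType=10 Src=203.0.113.45 User=scan
2017-10-12T03:15:30Z 4624 LogonType=10 Src=203.0.113.45 User=backup
2017-10-12T03:16:00Z 4625 LogonType=10 Src=198.51.100.7 User=jsmith
2017-10-12T03:16:20Z 4624 LogonType=10 Src=198.51.100.7 User=jsmith
2017-10-12T09:00:00Z 4625 LogonType=3 Src=203.0.113.45 User=guest
"""

FAIL_THRESHOLD = 5            # failures per source inside the window (tuning value)
WINDOW = timedelta(minutes=5)  # sliding window length (tuning value)
RDP_LOGON_TYPE = 10


def parse_event(line: str) -> dict:
    """Parse one flattened event line into its fields."""
    ts, event_id, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "id": int(event_id),
        "logon_type": int(fields["LogonType"]),
        "src": fields["Src"],
        "user": fields["User"],
    }


def detect_rdp_bruteforce(lines: str, threshold: int = FAIL_THRESHOLD,
                          window: timedelta = WINDOW) -> list:
    """Return alerts as tuples.

    ('burst', src, failures, distinct_users, ts) fires once when a source
    reaches `threshold` RDP failures inside `window`; ('success_after_burst',
    src, user, ts) fires when that source then logs on successfully within
    `window` of the burst, which is the event that actually needs a responder.
    """
    recent = defaultdict(deque)        # src -> timestamps of failures in window
    distinct_users = defaultdict(set)  # src -> account names tried
    burst_at = {}                      # src -> time the threshold was crossed
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only remote-interactive logons count as RDP attempts
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # expire failures older than the window
        if ev["id"] == 4625:
            q.append(ev["ts"])
            distinct_users[ev["src"]].add(ev["user"])
            if len(q) == threshold:  # fire exactly when the threshold is crossed
                burst_at[ev["src"]] = ev["ts"]
                alerts.append(("burst", ev["src"], len(q),
                               len(distinct_users[ev["src"]]), ev["ts"]))
        elif ev["id"] == 4624:
            started = burst_at.get(ev["src"])
            if started is not None and ev["ts"] - started <= window:
                alerts.append(("success_after_burst", ev["src"], ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The distinct-user count is carried in the burst alert because a spray across many account names from one address (as in the sample) is a much stronger signal than one user mistyping a password, and the success-after-burst rule is what turns a noisy counter into something worth paging on: it is precisely the point at which the attackers in this report started manually killing processes.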

How to detect these malicious behaviours in general

Indicators of compromise are useful for tracking malicious activity – but poor at detecting future malicious activity in general. Below we show how we detect LockCrypt in USM Anywhere:

Yara rules for file detection

rule lockcrypt {
    strings:
        $a = "taskkill /f /im bcn1.exe" nocase wide ascii
        $mz = { 4d 5a }
    condition:
        $mz at 0 and $a
}

rule lockcrypt_text {
    strings:
        $a = "Set WhiteList=Microsoft.ActiveDirectory.WebServices.exe:cmd.exe" nocase wide ascii
        $b = "You have to pay for decryption in Bitcoins. The price dependson" nocase wide ascii
    condition:
        any of them
}

rule lockcrypt_installer_packer {
    strings:
        $a = "c:\\users\\nachalnik\\documents\\visual" nocase wide ascii
        $b = "WshShell.Run chr(34) & \"bcn1.exe\" & Chr(34), 0" nocase wide ascii
    condition:
        any of them
}

BitCoin Addresses

17K5weJTPyc8Ktei8c58D2jSGbXZdWXQ2f

1Nez7W9ashFL4BA7vHuA5aoaad9XtqHKCF

E-Mail Addresses

jekr@aol[.]com

stnsatan@aol[.]com

Satan-Stn@bitmessage[.]ch

enigmax_x@aol[.]com

djekr@aol[.]com

jajanielse@aol[.]com

jajanielse@bitmessage[.]ch

File Hashes

1df3d4da1ef11373966f54a6d67c38a223229f272438e1c6ec7cb4c1ea3ff3e2

bf80ef6cfea9478bf69f247b59d17dab9ede4b74193234168ee6e3d55dc526e1

0948390b18338b460edf60beaf1a792d1d85dab64ec59b158fa2d47e78ad4373

dc892346618f8fe561a7219a59e7c6fd2e15ff463469a29708886a23f54157b9

0ab44a962ababbf4500b335171e25d930ae3b8356a50bc547979126007aa42c0

151cf4f4c5e2a90b57af8d22e085ebc5f8927cf8b14eeaade3adb271c11eb54f

64d6cc34ad16e2ecbaf7e71573ed222cfa16b710cc6ff79ab3cc3c1c6c4b1138

D69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612

Cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e

Bce16a425c37d2ad3280c19d4c64bc7ed037d29dabe3e34ab4941a245cb5ec34

722df6f33a9d11d841ce399a9081bac2788ce007474b0be9ee76efbf1f5a132b

3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565

714546c621a797743f0bce6a8843611860d3392a7f3fcff5cf661d0a6bffa78b

IP Addresses Performing RDP Brute-Force Attacks

You can view IP addresses associated with related attacks here.

Ransom Note

All your files have beenencrypted!

All your files have been encrypted due to a security problemwith your PC. If you want to restore them, write us to the e-mail support: jajanielse@aol.com or jajanielse@bitmessage.ch

Write this ID in the title of your message

In case of no answer in 24 hours write us to theese e-mails support: jajanielse@aol.com or jajanielse@bitmessage.ch

You have to pay for decryption in Bitcoins. The price dependson how fast you write to us. After payment we will send you thedecryption tool that will decrypt all your files.

Free decryption as guarantee

Before paying you can send us up to 3 files for freedecryption. The total size of files must be less than 10Mb (nonarchived), and files should not contain valuable information.

(databases,backups, large excel sheets, etc.)

How to obtain Bitcoins

The easiest way to buy bitcoins is LocalBitcoins site. Youhave to register, click ‘Buy bitcoins’, and select the seller bypayment method and price.

https://localbitcoins.com/buy_bitcoins

Also you can find other places to buy Bitcoins and beginnersguide here:

http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third party software,it may cause permanent data loss.

Decryption of your files with the help of third parties maycause increased price (they add their fee to our) or you can becomea victim of a scam.

{{IDENTIFIER}}

Your ID

Conclusion

LockCrypt ransomware doesn’t appear to be targeted – the attackers just opportunistically infect servers with RDP. But they do show an interest in manually interacting with systems for maximum impact, and the excessive fees they charge can put businesses that can’t afford to pay out of operation. We’ve provided some details on how to detect LockCrypt, and others like it, below.

Author: hello@alienvault.com