Read this page in English. | Leggi questa pagina in English.

News

PcapMonkey is a project that will provide an easy way to analyze pcap using the latest version of Suricata and Zeek. 

It can also save Suricata and Zeek logs in Elasticsearch using the new Elasticsearch Common Schema or the original field names. PcapMonkey uses official docker containers (when available) for most images and aims to be easy and straightforward to use.

Features

  • PcapMonkey let's you run one or multiple pcaps and imports all logs to elasticsearch.
  • PcapMonkey keeps the "official" Zeek and Suricata fields names so you can look them up on the official documentation
  • It let you edit directly Suricata and Zeek configuration and scripts so you can test quickly new features
  • PcapMonkey comes with some very useful Zeek scripts like Ja3 and File extractor
  • It's possible to enable logging in ECS to leverage all ElasticSerch SIEM features
  • Let's you import also windows event files (BETA)

Installation and Basic Usage

Install Docker-CE and docker-compose:

To start Elasticsearch,Logstash and Kibana run the following command:

sudo docker-compose up -d elasticsearch logstash kibana

Use the following command to check if everything is working properly:

sudo docker-compose ps

The output should be the following:

Name                       Command                       State                    Ports         
---------------------------------------------------------------------------------------------------------
pcapmonkey_elasticsearch   /usr/local/bin/docker-entr ...   Up (health: starting)   9200/tcp, 9300/tcp     
pcapmonkey_logstash        /usr/local/bin/docker-entr ...   Up                                             
pcapmonkey_kibana          /usr/local/bin/dumb-init - ...   Up (health: starting)   127.0.0.1:5601->5601/tcp

Kibana and elasticsearch could take a couple of minutes to start. You can monitor the progress by doing "docker-compose ps" and waiting for starting to go away.

Put one pcap file inside the pcap folder.

Start zeek and suricata containers:

sudo docker-compose up zeek suricata

The containers will print the output on the console and exit when they finish processing the pcap. You can see the results on Kibana: http://localhost:5601

Full documentation

You can read the full documentation on the official github page: https://github.com/certego/PcapMonkey

Video Tutorial

Remember to turn on English Subtitles

About the author

Federico Foschini(Twitter)

  • Introduction
  • Malware
    • Execution
    • Defense Evasion
    • Persistence
    • Payload delivery
    • Dropping malware components
      • Credential Access
      • Lateral Movements
    • Download and Update / C&C
  • Detection
    • Detecting Lateral Movements and persistences
    • Detecting Infected Hosts
  • Response
    • Containment
    • Malware Removal
  • Conclusions
  • IOCs
  • About the author
  • Credits

Introduction

This and last week, the Certego Incident Response team handled a powershell based  Active Directory compromise on multiple of our customer networks. Although the actors seemed to be intent on spreading a Cryptominer malware, due to some technical aspects the campaign could hide a second goal.

Considering that more and more attacks are aimed to making lateral movements to compromise enterprise domains, today we decided to share with you some details of detection and response actions performed by Certego IRT to handle these threats.

Note: to prevent antivirus from blocking this site we are forced to share the code via screenshots, the main samples have been uploaded to virustotal.

Malware

In most of the scenarios observed the threat came from unmonitored Domain Trusts, in the remaining cases we were engaged after the first access was already performed.

We can assume that the attacker established a foothold through  valid domain credentials usage against exposed authenticated services, like RDP terminal server. The attacker may have obtained valid credentials exploiting data breach of third-party sites, phishing or dictionary attack/password spraying. In some cases we have found poor password policies which could motivate the last hypothesis.

Malware was differentiated between domain controllers, 32 and 64 bit hosts. The one installed on domain controllers has the most features.

The behavior identified by the malware is described below with its respective code block.

Execution

The runnig malware is usually found on an infected systems in the form of a powershell.exe or a schtasks.exe process usually spawned by WMI Provider Host ( wmiprvse.exe). The most of executables are loaded into the powershell memory space through a fixed version of ReflectivePEInjection script extracted from Invoke-Mimikatz or they are written into schtasks process via a Process Hollowing injector.

The powershell process is easily recognizable by its base64 encoded commandline. The schtasks process, on the other hand, occurs without any parameters and it's harder to notice.

If the XMRig has been written to the schtasks process you will notice a consumption of the CPU and network connections to suspicious ports. In general, since schtasks.exe without parameters displays basic information of tasks and exits, any schtasks process without parameters is potentially malicious.

Defense Evasion

The noteworthy defense evasion techniques are the following:

1) As shown in some screenshots below,  iex/Invoke-Expression and other dangerous cmdlets used for detection are obfuscated through environment variables.

2) Before making a lateral movement the malware adds an exception for powershell.exe inside Windows Defender through Add-MpPreference cmdlet

3) In-memory execution through powershell ReflectivePEInjection and a libpeconv based Process Hollowing injector.

4) In the most recent malware updates we noticed this powershell amsi bypass.

recent_client_agent_sample

Persistence

In some cases we observed successfully running malware launched from a remote host without a local persistence.

The persistences used by the malware are two WMI event subscription. The filters trigger the payload after 1 minute and about 6.5 or 3.8 hours from the system startup:

Some information used by the malware is inserted into the following custom WMI class:

The payload is a classic base64 powershell encoded command as shown in the screenshot.

Payload delivery

The payload served by the domain controller and the C&C is a powershell module encrypted with TripleDES and ciphermode CBC: 

agen.ps1 sample

The module and the function de is called, the password and the salt are passed as parameters to the function:

The result is a powershell dropper.

Dropping malware components

The powershell dropper is a base64 blob of data containing multiple components:

rein.ps1 sample

Once the content has been decoded, the malware could drop one or more of the following components:

a) An XMRig cryptominer:

A simple XMRIG cryptominer which does not appear to be installed on domain controllers nor on low-performing hosts ( 32bit ).

To make the cryptominer work at its best the attacker disables sleep mode, standby and hibernation via powercfg. It also checks via netstat if there are connections from other previous versions of the cryptominer and stops the processes that make them.

sample

b) A libpeconv based Process Hollowing injector

This component is never dropped on domain controllers,

It was used to write the XMRig into the  schtasks.exe process usually spawned by wmiprvse.exe

sample

c) Re-compiled mimikatz DLL to perform Credential Access:

This component is installed on all hosts. We saw it running on the domain controller for the following steps:

  1. Inject LSA to dump NTDS.dit credentials
  2. DCSync

sample

d) The powershell script funs.ps1: funs_decoded.ps1.

This component is downloaded to any host, but with different functions.

By default it contains ReflectivePEInjection and Lateral Movements capabilities from Empire and PoshC2 projects for:

  1. Remote Service Creation (aka SMBExec)

  2. WMI Win32_Process Remote Process Creation

  3. Remote Task Scheduler Creation:

    This last method leaks the credentials in the commandline twice.
  4. Simple TCP scanner:

  5. EternalBlue Scanner:

  6. test-net function, a multithreaded function to verify that the host is not already infected before a lateral movement:

Through lateral movements the attacker executes a command to download or update the malware. Domain controllers malware are installed or updated via the web resource "/update" of the internal or external C&C.

If the host is not a domain controller the web resource " /sync" is used instead.

The version of the malware is monitored via the web resource " /banner" by comparing the WMI filter name.

In addition, these two functions are also dropped on the domain controller:

  1. testhser:

    This function drops the internal C&C server who will listen on port 49636 , the malware launches it and verifies that it works correctly.

    The rein script adds a rule on Windows firewall to allow server binding:

  2. plant-ags:
    The function used by the domain controller to deploy the malware on targets through internal C&C. To performe the deploy it exploits lateral movements techniques and a powershell module masked as gpt.ini downloaded through SMB.

e) The powershell script agen.ps1: agen_decoded.ps1:

f) Internal C&C Malware on DC:

A small and simple http server masked as a fake and unsigned  dfsvc.exe process ( a licit Windows Server process )

The server is developed through Mongoose OS "an Internet of Things (IoT) Firmware Development Framework" designed to be small and light.

This server and the plants-ags function are command and control system, by matching the agent on virustotal the server is identified as a cryptominer but this is a false positive.

During the installation phase the malware extract the agent.ps1 script from the server binary, easily viewable between the strings. By matching this code the antivirus incorrectly report the server as a cryptominer malware.

sample

g) A simple shellcode

sample.

h) A vulnerable driver

WinRing0x64.sys

This driver is dropped on all hosts except the domain controller. Even though it is used directly by XMRig, the driver is present in the most common vulnerable drivers blacklists.

This driver allows any user to perform a local privilege escalation and in generally some ring 0 activities:

"WinRing0 allows users to read and write to arbitrary physical memory, read and modify the model specific registers (MSRs), and read/write to IO ports on the host" 2020-14979

Not needing other privileges at these points of the killchain it is likely that the attacker will use it only for XMRig, however leaving the driver there can expose the host to very serious security problems related to LPE and to the execution of ring 0 code.

For example:

  • Privilege escalation in user space
  • Hinder the operation of security products
  • Remove process protection from critical processes and add process protection to malware components
  • Hide traces of malware via a ring 0 rootkit

This technique is called Bring You Own Vulnerable Driver (BYOvD) and allows you to bypass the following Microsoft security measures:

  1. “The 64-bit versions of Vista require that all device drivers be digitally signed, so that the creator of the driver can be identified” wikipedia 2006.
  2. “Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the Operating System, and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Dev Portal. OS signing enforcement is only for new OS installations; systems upgraded from an earlier OS to Windows 10, version 1607 will not be affected by this change.” techcommunity.microsoft.com Jul 26, 2016

More technical details

Detection

Detecting Lateral Movements and persistences

Due to the complexity of corporate networks it is common to spot an attacker from an unmonitored internal network. The detection carried out in this phase of the killchain is much more complex due to false positives and unknown/poorly documented protocols.

A common approach used is to identify the effects of a lateral movement, therefore the activities of the malware installed on board through blacklisted IOCs, anomalous network and host activities.

So what are the benefits of identifying lateral movements?

  1. The attacker does not necessarily perform the same actions on all machines. In this scenario, for example, some distinctions were made for both domain controllers, 64 and 32-bit hosts.
  2. In the absence of vulnerabilities, lateral movements are carried out through Microsoft internal network protocols, these protocols have in many cases some juicy plain text information.
  3. In some cases it is possible to delete a persistence created remotely on the target before the malware is executed for the first time.
  4. Studying the lateral movement can allow us to contain host infection in the response phase.

Where the detection IOCs produces a high number of false positives it is possible to use these indicators to carry out threat hunting activities.

To detect lateral movements through network traffic it is necessary to receive infralan traffic on a network sensor, this is difficult due to the volume of traffic but theoretically possible through internal network segmentation. However, even if it is only a small part, it is possible to identify the internal traffic passing through the firewall. 

Since the first analyzes we have identified that the attacker used the following  MS-RPCE network sub-protocols to perform lateral movements:

  • MS-SCMR, through CreateServiceW,StartServiceW and DeleteService operations. This traffic is completely in plain text if used via named pipe over MS-SMB2. Among the main information in clear text we find the name of the service and the command executed. MS-RPC over TCP traffic is normally preferred over MS-RPC over named pipes but in this case the attacker forces the traffic on the 445.
  • MS-WMI through ExecMethod operation, encrypted by default but traceable through timestamp, authentication and MS-RPC operation names.
  • MS-TSCH through SchRpcRegisterTask, SchRpcRun, SchRpcEnableTask, SchRpcDelete operations, encrypted by default but traceable in the same way of WMI protocol.

Together with  WinRM they are the main protocols used to perform lateral movements, this is because in case the target uses the windows firewall they are often enabled for systemic reasons. For this reasoning, the most widely used protocol, enabled by default in each domain is SCMR, used for example by the PsExec utility and supported by any malware or redteam tool to perform lateral movements

Note: In scenarios where the windows firewall is disabled the possible lateral movement techniques are a lot.

To track this type of activity it is possible to do it over the network or aboard the host.

To correlate information on the host it is possible to proceed with an EDR, with Sysmon or through Windows Eventlogs. Since we do not believe that collecting logs alone without Sysmon is enough, we will assume that either an advanced EDR or Sysmon is present on the machines.

Note: ETW and Audit Policy Windows event logs Categories are considered out of scope since they are not supported by main security tools functions to perform detection and threat hunting.

Through the host it is necessary to correlate the connections of the following processes:

svchost -k RPCSS : MS-RPC over TCP ( 135 TCP , 593 HTTPS )

ntoskrnl.exeMS-RPC over named pipes (139 TCP, 445 TCP)

NB The first phase of an MS-RPC connection, the endpoint mapper (EPM), although reachable through a named pipe is usually available through TCP.

Correlate authenticated sessions and the actions performed by the following processes:

Remote Task Creation

Modifications of this filesystem path by " C:\windows\system32\svchost.exe -k netsvcs ( -p -s Schedule on recent OS)": C:\windows\system32\tasks\*

Modifications of this registry paths by the same process:

software\microsoft\windows\ nt\currentversion\schedule\taskcache\*\path
software\microsoft\windows\ nt\currentversion\schedule\taskcache\tree\*

The task is spawned as a child of one of the following processes depending on the operating system:

  • C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
  • C:\windows\system32\svchost.exe -k netsvcs
  • C:\windows\system32\taskeng.exe

EventLogs: 4624 and 4672 and from 4698 to 4702

Remote Service Creation

Modifications of this registry paths by services.exe:

System\ControlSet001\Services\*\imagepath

In the registry path before the imagepath there will be the name of the service.

This indicator also allows us to identify a variant of this technique that plans to modify a pre-existing service through ChangeServiceConfig* operations in order to stay under the radar: Remote Service Modification

The malware process, that is the malicious service, will be spawned as a child of services.exe

EventLogs: 4624 and 4672 and 4697 or 7045

Remote Process Creation through Win32_Process and WMI Event Subscription

Since there is no persistence, the creation of the remote process can be identified by directly correlating the child processes of wmiprvse.exe.

In case of persistence it is possible to detect the modification by  C:\Windows\system32\svchost.exe -k netsvcs of the following registry key:

software\microsoft\wbem\ess\*cimv2

The data is saved in these files from C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt:

  1. C:\Windows\System32\wbem\Repository\OBJECTS.DATA
  2. C:\Windows\System32\wbem\Repository\INDEX.BTR
  3. C:\Windows\System32\wbem\Repository\MAPPING*

Unfortunately these files are modified too frequently for other reasons and they make too many false positives also for threat hunting operations, we therefore recommend using the registry key.

Detect malware interactively:

  1. powershell /c "Get-WMIObject -Namespace root\Subscription -Class __EventConsumer | ? { $_.CommandLineTemplate -Match \".*powershell.*-W\ Hidden\ .*\ -E\ \"}"
  2. powershell "Get-CimClass -NameSpace 'root\default' | ? {$_.CimClassName -Match 'systemcore_updater'}"
  3. findstr /i "powershell.exe Event8" C:\Windows\System32\wbem\Repository\OBJECTS.DATA

Sysmon events: from 19 to 21 .

Detecting Infected Hosts

Despite the complexity of the attack in this case it was rather easy to detect infected hosts.

Excluding the most recent versions of the malware, most of the C&C are present in the main blacklists. Through good threat intelligence it is possible to find the indicators automatically and detect these network activities.

Detect at network level hosts where the miners was running via plaintext  json-rpc usage is trivial and it is a very strong indicator for most of the widespread miners.

Response

Containment

Once learned that the malware was a distributed cryptominer worm, for the most critical situations we have decided to apply Certego's lockdown procedures.

These procedures rely on enabling, managing and exploiting windows firewall and some of its dependencies to selectively block the protocols used by the malware to perform lateral movements maintaining proper functioning of Active Directory.

These procedures along with network-wide restrictions on the firewall and our telemetry systems allowed to block lateral movements and C&C activities keeping the network under close monitoring, giving us time to carry out the necessary analysis.

Malware Removal

Once the malware was isolated, it was trivial to remove it. For older versions it was enough to simply manually remove the persistence using the following commands:

  1. powershell /c "Get-WMIObject -Namespace root\Subscription -Class __EventConsumer | ? { $_.CommandLineTemplate -Match \".*powershell.*-W\ Hidden\ .*\ -E\ \"} | Remove-WmiObject -Verbose"
  2. powershell "([WmiClass] 'root\default:systemcore_Updater8') | Remove-WmiObject -Verbose"

Considering that the action is irreversible, we recommend that you first check with the commands present in the detection that it is not a false positive.

Once persistence is removed a good updated antivirus is usually enough to kill most of other malware components. If the components have just been updated it is common that the antivirus is not able to kill them. In that case we recommend that you look for the indicators described in the malware execution part.

Conclusions

Given the rapidity of intervention, we cannot exclude that the malware is able to drop other threats in addition to those observed. However, we have not found any other types of malware other than those listed in this article.

We have handled a large number of Active Directory compromises based on this type of cryptominer worm. The attacker's goal seems to be to periodically update cryptominers on all machines in the domain through domain controllers causing a periodic denial of service on the whole domain.

More and more actors begin to perform lateral movements and to exploit AD mechanisms to achieve their goal. Knowing these mechanisms is now an essential prerequisite for managing this type of threats.

IOCs

Hashes

0367064d9585cc5c8b8eff127d9565d0
52f510d047e6270c9b916d76725529c8
7e0bc1c01f44c7a663d82e4aff71ee6c
91ff884cff84cb44fb259f5caa30e066
98deacafd4a35fc257d2f381f78b9b3b
d129842ccf642d1e71c5e851c0ced337
d1aed5a1726d278d521d320d082c3e1e
fd044540a38b3422abf275af9e6ab3c2

Domains/IPs

profetestruec[.]net
sjjjv[.]xyz
winupdate.firewall-gateway[.]de
dfdfjkbcv[.]net
51.15.65[.]182
51.255.34[.]118
213.32.29[.]143
217.182.169[.]148
45.10.69[.]141
45.140.88[.]145
5.196.23[.]240
51.15.54[.]102
205.209.152[.]78

Ports

3333
5555
7777
8000
14444
14443
49636

Web resources

/update
/sync
/banner

WMI class: root\default:systemcore_Updater8

WMI filter names: "SCM Event8 Log Filter" or "SCM Event8 Log Filter2"

WMI consumer names: "SCM Event8 Log Consumer" or "SCM Event8 Log Consumer2"

Task Name: sysupdater0

About the author

Gabriele Pippi (Twitter)

Credits

Thanks to Davide Setti (Twitter) and Marco Giovanetti (Twitter) for the collaboration.

Summary

  • Introduction
  • Tests scope
  • APT macro analyses
  • Observations
  • Tests carried out:
    • Bypassing CreateObject detection
    • Crafting our easy custom undetected obfuscation
    • Killing ViperMonkey
    • Undetected code execution methods/functions
    • Undetected methods/functions to get our malicious file
    • Undetected autoexec sub events
    • Results
  • Suggestions for improvement
  • Conclusions
  • About the author

Introduction

One of the most common techniques for getting a foothold on a network client is based on  Office files containing a malicious VBA macro.
VBA macros are still widely used in a business context and, despite the mitigations offered by security vendors and Microsoft, it is still essential to detect evasion techniques in order to catch smart attackers.

On the attacker's side, there is plenty of public projects to setup, weaponize and obfuscate a macro while on the defenser's side there is a reasonable number of public projects, among the most famous projects to de-obfuscate and detect malicious VBA macro there are certainly  olevbaMacroRaptor and ViperMonkey. At Certego, we also use these tools to perform automatic static analysis of VBA macro.

Today we would like to share a test carried out last week on the resilience of public logic offered by olevba, mraptor and vipermonkey. These tests were even more motivated by some autoexec sub functions identified in the wild that were not detected by our implementation of olevba.

All the tests carried out are aimed at encouraging the red teams to test new bypass techniques and improving the detection of olevba, mraptor and vipermonkey public projects.

Tests scope

  • All tests were carried out on a fully patched Windows 10 client with last build and version.
  • Macro based PoCs must work with medium integrity level.
  • The tests carried out focus on the static analysis that can be performed by mraptor and olevba; in these tests we will consider out of scope the dynamic analysis from the point of view of a sandbox, an EDR and any ASR bypass.
  • During the tests, we decided to include vipermonkey vba emulator in the scope.
  • All the tests carried out start from the assumption that the latest versions of olevba, mraptor and vmonkey have been implemented out of the box.
  • Common users are not always able to complete certain tasks keeping all ASR rules enabled, for this reason we consider disabled at least the following rules:

APT macro analyses

There are many ways to obfuscate a VBA macro, but how much do I have to obfuscate my macro to completely evade the analyses of a prepared blue team? It is important to know the weak points of a VBA obfuscation/evasion technique in order to detect it.

We started by learning from public examples of high-level attacks, then by analyzing through the tools mentioned above some noteworthy APT macro samples.

We decided to report the following three examples:

1) 2019-06-06 gorodpavlodar.doc from APT28

APT28 is one of the groups with advanced  TTPs.

VBA code:

olevba result:

2019-06-06 graphic.doc, document dropped from the previous sample and called through Word.Application COM.

VBA code:

olevba result:

2) 2016-11-09  election-headlines-FTE2016.docm from APT29

The sample is a CDFV2 Encrypted with password 3209. password source

APT29 is one of the groups with advanced TTPs

VBA code:

olevba result:

3) 2020-03-03  비건미국무부부장관서신20200302.doc from Kimsuky APT


One of the more recent APT macro.

VBA code:

olevba result:

Observations

We have observed that:

  • Some useful functions to obfuscate our macro are used to detect it. Ex: Evilclippy tricks like VBA stomping/pcode obfuscation are currently detected by olevba.
  • There is no known way to obfuscate Sub Events, like AutoExec.
  • There is no known way to obfuscate functions and methods.
  • There are many examples of APT macros that prefer to leave the macro in plain text rather than obfuscate it through a well known technique or suspicious functions.
  • Spotting Win32 Windows API through the Lib Declare Statement is trivial and in some contexts blue teams are beginning to block them through ASR.
  • We also identified the following technical details related to the detection of the examined tools :
    • Obfuscation performed through the Mid and the Array functions is not detected by the examined tools. There are plenty of ways to obfuscate the code and it does not seem worth detecting them all through a static approach.
    • ExecQuery and other dangerous WMI methods to perform code execution like Create are not detected by the examined tools.
    • ExpandEnvironmentStrings method of WScript.Shell Object is an Environ alternative to retrieve environment variables which not trigger by the examined tools:

      Example:

      Other undetected alternatives could be:
  • In the common implementations of these tools some hits are systematically discarded to avoid false positives. Hex string detection in olevba is an example.

    However, in well-managed infrastructures, it is possible to research some mandatory subroutines, methods and functions to systematically detect macros through a static approach, and to engaging an analyst.

Tests carried out

Starting from these osservations we have tried to build at least one PoC that performs 0 hits on olevba and a "macro ok" result in mraptor.

These are three minimum requirements for getting a foothold through a VBA macro:

  1. An Autoexec Sub Event to trigger our macro.
  2. A code execution method/function
  3. Except for some trivial cases, you will normally need at least a COM/OLE/ActiveX Object, so you need to call at least one function like CreateObject.

Bypassing CreateObject detection

Even if performing alerting only on CreateObject is pretty impossible due to FP, it is possible to avoid this hit in some scenarios through  GetObject.

At the time of writing, GetObject is not reported as a suspicious function by olevba.

Some automation servers have a running instance by default. Using one of these objects, it is possible to use GetObject, avoiding the call to CreateObject at all. See: differences between GetObject and CreateObject.

For these tests we decided to start with one of the most common objects with a default instance: Shell.Application.

Crafting our easy custom undetected obfuscation

After a first look we decided to use the  CLSID avoid Shell.Application pattern match detection. 

Here is how to easily get Shell.Application CLSID through powershell:

So instead of:

We used:

However the string was detected in a heuristic way by exchanging the CLSID with a hex string.

As mentioned above, it is a olevba hit that makes tons of FPs like this. 

Despite this fact, we still tried to obfuscate this string creating our own obfuscation technique. It would also come in handy later to obfuscate our exploit.

After some research we discovered that adding chunks of strings to a variable containing an empty string prevents olevba from detecting and deobfuscating the string:

Note: without using a variable olevba detects the technique.

Killing ViperMonkey

After a quick test, we realized that  ViperMonkey is able to decode our obfuscation method.

Despite being a big project, ViperMonkey is a experimental emulator, developers who integrate it into their platform are used to handling considerable number of crashes with legitimate macros, ergo seeing a ViperMonkey crash is not suspicious at all.

To crash vmonkey you need to find some VBA code accepted by our office program that crashes the vmonkey parser.

After some fuzzing we have identified the following simple code:

A declaration of a function with at least one argument inside an if statement will do the job. Microsoft Word will successfully run the macro:

The vmonkey parser will fail:

Undetected code execution methods/functions

We started  digging into the documentation looking for unknown execution methods of Shell.Application Object

This is the section in the olevba code where the suspicious methods/functions list is defined by regex or keyword.

We have identified three interesting examples:

  1. InvokeVerb and InvokeVerbEx: dropping an executable and calling the verb "Open" it is possible to run it. As soon as I spotted these methods I tweeted them.
  2. DoIt: slightly more tricky but same concept of invokeverb.
  3. ControlPanelItem: by dropping a malicious .cpl into the current directory, it is possible to execute malicious code

While we were looking for undetected methods to perform code excecution, we have observed that, surprisingly, the   Create method of Win32_Process, retrievable only through GetObject, is not yet detected by olevba.

However, we decided to avoid it because it has been used in  many opportunistic campaigns and some custom implementations, such as ours, easily detect it.

All other interesting methods of WMI code execution, which are not detected by the analyzed tools, require a  high integrity level, which is out of scope.

Undetected methods/functions to get our malicious file

Since we have identified three methods to launch an executable without arguments, we need a function to get our malicious executables.

In order not to leave our executable embedded in the document we decided to download our sample remotely through an  UNC path

To achieve this task we decided to exploit  SMB redirector or WebDAV redirector, this is because it is not possible to map a UNC resource on a unit or link it with a medium integrity level.

Allowing outbound SMB traffic is a bad practice, so we decided to take advantage of  Webdav over SSL (HTTPS).

So we decided to exploit the  CopyHere Shell.Application method to download our executables via WebDav SSL.

During the tests we also found that:

We decided to avoid FileSystemObject because it didn't work through GetObject, even if it is not enough to detect our samples it was interestingly keeping us on the 0 hits..

Undetected autoexec sub events

This is the section in the olevba code where the autoexec list is defined by regex or keyword

Hunting for undetected autoexec sub event:

https://docs.microsoft.com/en-us/office/vba/api/ov...

Docs/Office/VBA/Reference/<program>/Object model/<object>/Events/<eventname>

We have identified three interesting examples:

  1. Document_ContentControlOnEnter:  it triggers when a user "enters" a content control, there are several content controls that can easily attract a user click.
  2. Worksheet_FollowHyperlink: it triggers when a user clicks on a link inside a worksheet, the link can also point to a worksheet component.
  3. Worksheet_Calculate: "Occurs after the worksheet is recalculated for the Worksheet object", this autoexec sub event is the most interesting we have envied: by using a cell with a formula that points to itself, it is possible to perform an autoexec without user interaction. As shown in the gif of the next section a prompt is shown to the user but, whatever the answer is, the macro is still executed.

Results

The outputs shown below are those of the following command:

 olevba --decode --reveal <doc> # 0.56dev6 on Python 2.7.17

 Document_ContentControlOnEnter.docm:

Worksheet_FollowHyperlink.xlsm:

In this case the VB_Base attribute triggers olevba, olevba exchanges the GUID for a Hex String. This is a known and usually filtered false positive. For this reason we can safely consider this sample as one with 0 hits.

Worksheet_Calculate.xlsm:

Also here as in the previous sample the hit is due to the VB_Base attribute.

Virustotal

For these tests only static analysis is significant, however these are the samples:

 Document_ContentControlOnEnter.docm:

Worksheet_FollowHyperlink.xlsm:

Worksheet_Calculate.xlsm:

As you can see there are few known antivirus and only heuristic signatures.

Suggestions for improvement

In order to detect the techniques proposed through olevba / mraptor, it would be important to note the following:

The previous list was proposed on the public project through the following pull request:  https://github.com/decalage2/oletools/pull/591

Conclusions

  • We have shown that digging in the documentation and with a little fuzzing it is possible to craft a 0 hit macro.
  • Chaining these samples with an unknown sandbox detection check and esoteric COM objects could have really unpleasant effects.
  • Implementing an open-source out-of-the-box solution may not be enough to defend your infrastructure.
  • It is very important to carry out periodic internal tests on all the detection components of your platform.
  • Performing periodic internal tests on all the detection components of the platform could significantly increase the detection capacity of your platform.

About the author

Gabriele Pippi, Threat Research Lead Engineer ( Twitter)



                                                                                                                  Photo by Jr Korpa on Unsplash

Intel Owl è un progetto di Open Source Intelligence, o OSINT, che permette di ottenere dati di Threat Intelligence riguardanti uno specifico file, IP o dominio, usando una unica API scalabile e semplice da utilizzare. Intel Owl integra un buon numero di analizzatori disponibili online, ed è pensato per chiunque abbia bisogno di un singolo punto da cui ottenere informazioni riguardanti un determinato indicatore.

Nato all'inizio del 2020 (annuncio ufficiale), questo nuovo strumento è stato accettato per essere portato avanti nel progetto Google Summer of Code 2020, sotto il cappello di Honeynet Project. Questa collaborazione ha permesso di aggiungere molte importanti novità a Intel Owl.

In particolare, proprio grazie a Google Summer of Code e la collaborazione con The Honeynet Project, siamo lieti di annunciare il rilascio della versione 1.0.0, con un'interfaccia grafica completamente nuova ed alcune importanti novità nelle API, che vi permetteranno di gestire al meglio le vostre informazioni di Threat Intelligence.

Potete leggere tutte le novità di Intel Owl 1.0.0 nell'annuncio ufficiale del nuovo rilascio, realizzato in collaborazione da Eshaan Bansal (GSoC Student) e dal suo mentor, il nostro Matteo Lodi, e pubblicato sul blog ufficiale di The Honeynet Project.

Photo by Maximalfocus on Unsplash

Certego è lieta di annunciare il proprio ingresso nell’ecosistema di contributors di Virustotal, il più grande aggregatore di antivirus engines, website scanners, strumenti di analisi file e URL del mondo.

Virustotal è un servizio web gratuito che permette all’utente di verificare il contenuto di file, url, domini, sfruttando le potenzialità di oltre 70 antivirus scanners, blacklisting services e strumenti di analisi forniti dai principali vendor di security a livello globale. Fondata nel 2004 da una società spagnola, Virustotal è stata acquisita nel 2012 da Google e, nel 2018, la proprietà è passata a Chronicle, sussidiaria di Alphabet.

Da oggi, molti dei dati di intelligence prodotti attraverso Quokka, la piattaforma di Threat Intelligence sviluppata da Certego, saranno a disposizione della community di Virustotal in modalità totalmente gratuita. L’obiettivo della community, infatti, è quello di mettere in campo le competenze di tutti i principali attori coinvolti nella sicurezza degli utenti finali per contrastare la diffusione di malware, le problematiche relative a falsi positivi e le minacce dei falsi negativi.

La piattaforma “Quokka” nasce dal lavoro di un team esperto di analisi di malware e di raccolta di informazioni legate alle minacce informatiche. Il team di Threat Intelligence ha combinato diversi strumenti tecnologici, tra cui le Honeypot, vere e proprie “trappole” per i cyber criminali e le Sandbox, ambienti virtuali dove vengono studiati ed eseguiti malware in automatico. Il risultato è una piattaforma che permette di raccogliere in tempo reale importanti informazioni che permettono a Certego di tracciare le attività cyber criminali.

Dettagli tecnici

Vogliamo mostrarvi qualche esempio di che genere di informazioni gli utenti possono trovare sfruttando il potere combinato della scansione multipla di VirusTotal con le informazioni di Intelligence di Certego.

Che tu sia una persona tecnologica o meno, sicuramente ti sarà capitato di trovare uno strano link all'interno di una email ricevuta. Prima di cliccare sul link sospetto, è bene sempre verificarlo. Un modo per farlo è quello di visitare il sito di VirusTotal, selezionare la scansione degli URL, inserire il link da verificare nella casella di input e, infine, eseguire l'analisi.

Dopo pochi secondi, puoi trovare i risultati dell'analisi.

Per questo esempio specifico, l'engine di Certego ha rilevato l'URL come "Phishing".

Questa valutazione aiuta l'utente in quanto, nel caso in cui avesse visitato il sito, avrebbe trovato una pagina di phishing di account Outlook identica a quella reale.

Oltre che a "Phishing", ci sono altre possibili valutazioni che l'engine può fornire come risultato dopo una scansione URL.

Le valutazioni “Malicious” e “Malware” servono per indicare quando uno specifico URL o dominio è stato visto ospitare malware o, più semplicemente, è stato coinvolto in attivita cyber criminali. Esempio:

La valutazione “Suspicious” serve a specificare quando uno specifico URL o dominio è o è stato probabilmente coinvolto in attività malevole. Per questi casi, l'engine non ha una prova certa per cui suggerisce di non visitare il sito in questione a scopo precauzionale. Esempio:

L'ultimo caso è la valutazione "Spam" che serve ad indicare quando uno specifico URL o dominio è stato inserito all'interno di un gran numero di email inviate massivamente a diverse caselle di posta: perciò, probabilmente non è un link da cliccare. Diversamente, gli indirizzi IP sono taggati in tal modo quando sono stati osservati inviare molta spam e perciò sono probabilmente correlati alla presenza di uno "spambot". Esempio:


Certego è orgogliosa di contribuire alla sicurezza di tutti gli utenti del mondo attraverso la community di VirusTotal.

Autore: Matteo Lodi, Threat Intelligence Lead Engineer (Twitter).

Certego ha il piacere di sostenere la quarta edizione di ITASEC, la conferenza annuale sulla sicurezza informativa organizzata dal Laboratorio Nazionale di Cybersecurity del CINI – Consorzio Interuniversitario Nazionale per l’Informatica si svolgerà quest’anno ad Ancona dal 4 al 7 febbraio, in collaborazione con l’Università Politecnica delle Marche e l’Università degli Studi di Camerino.


La conferenza, che si svolgerà nelle sale dell’UNIVPM, ha l’obiettivo di riunire ricercatori e professionisti provenienti dal mondo accademico, industriale e governativo per discutere le sfide emergenti e i bisogni consolidati nel campo della cybersecurity.
Al filone principale, dedicato alla scienza e tecnologia della sicurezza informatica, si affiancheranno poi workshop e tutorial riservati agli specifici aspetti economici, politici e legali della cybersecurity.



DOVE e QUANDO TROVARCI:

Bernardino Grignaffini, CEO Certego, prenderà parte alla sessione “Nuove Sfide e Opportunità” il giorno 6 febbraio alle ore 9.45

Vendor Session: Certego e VEM organizzeranno due incontri dedicati a Cybersecurity e Industrial Cyber Security nel corso di ITASEC.


Vi segnaliamo che tutte le sessioni plenarie e vendor session sono gratuite, mentre per partecipare ai workshop formativi sarà necessario versare una quota di iscrizione.

L’ultima data utile per iscriversi e partecipare con la QUOTA RIDOTTA è il 22 GENNAIO 2020.


Per maggiori informazioni visita il sito ufficiale dell’evento e PARTECIPA A ITASEC!


DATA

04 Febbraio 2020 - 07 Febbraio 2020

LUOGO

UNIVPM
Via Brecce Bianche
60131 Monte Dago (Ancona)
Italia

Happy new Year to everyone!

We would like to open this new decade by releasing a new tool that is called Intel Owl. We hope that it could help the community, in particular those researchers that can not afford commercial solutions, in the generation of threat intelligence data, in a simple, scalable and reliable way.

Main features:

  • modern Django-Python application: easy to understand and write code upon it
  • it can get data from multiple sources with a single API request
  • 40 available analyzers that you can use to generate or retrieve data about a suspicious file or observable (IP, domain, …)
  • official client available on Github: PyIntelOwl
  • easily integrable with other tools thanks to the REST API framework and to the PyIntelOwl library.
  • easily and completely customizable, both the APIs and the analyzers
  • early compatibility with some of the AWS services. More in the future.
  • fast and reliable deploy: clone the project, set up the configuration and then you are ready to run it via docker-compose

For more information, we invite you to check the documentation and the code available on Github.

Feel free to ask everything it comes to your mind about the project to the author:

Matteo Lodi, Threat Intelligence Lead Engineer (Twitter).

Every suggestion or contribution is really appreciated.

Keep hunting malware! We cheer on you :)

Hi there, this is Gabriele Pippi, from the Certego Purple Team.

I want to share this simple password-based FTCODE decryptor.

Note #1: this must be considered a beta version of the script; the author assumes no responsibility for any damage caused by running it.

Note #2: currently the malware sends the password both as plain and cypher text; we believe the behavior may change soon as the malware is updated, and the plain text form may not be available anymore.

Note #3: decrypting files with an incorrect password may make them unrecoverable; so, we recommend taking a backup of the files before running the script.

Why should a password-based decryptor be useful?

Since the first observed campaigns, documented in this article, we have noticed that FTCODE was sending the password in plaintext within the body of an HTTP post request to the C&C.
Once implemented the relevant Suricata signatures, I decided to develop this tool internally, in order to make the decryption operation feasible.
In all of the cases we had the opportunity to put hands on, we were able to recover the encrypted files up to version 1018.1.

Network Traffic

In order to be able to decrypt the files successfully, it is necessary to intercept the contents of the POST request that the malware sends to the C&C at infection time; an example of such request follows:

ext = extension of encrypted files
ek = password in plain text
r1 = Base64 chunk containing the encrypted password

In order to intercept the POST request, we developed the following Suricata signature, and deployed it to our network monitoring system:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CERTEGO TROJAN FTCODE Registration Request (m.bompani)"; flow:to_server; content:"POST"; http_method; content:"ext="; http_client_body; content:"guid="; http_client_body; content:"ek="; http_client_body; classtype:trojan-activity; sid:9000931; rev:1;)

What does the tool do?

Given the extension and the password, the tool is able to recursively decrypt the encrypted files in all the mounted disks or in a given path.

It offers the following features.

  • In-memory fileless utilization: it is possible by wrapping the script in a function, leveraging the built-in PowerShell cmdlet Invoke-Expression
  • Logger: it traces the activities carried out, leveraging two cmdlets described at Start/Stop Transcript
  • Backup: it backs up all the files that the tool will try to decrypt.
  • Some options were added to the script for possible future uses.

Additional Details

For further technical details and demonstrations, please refer to the official github project FTdecryptor

For further FTCODE details, please refer to this article FTCODE article

About the author

Gabriele Pippi, Purple Team (LinkedIn)

Hi everyone! Today we are talking about a new ransomware we spotted being distributed in the wild dubbed as FTCODE.

Summary

  1. The Threat
  2. Payload Delivery
  3. Environment Preparation
  4. Ransomware Attack
  5. Version Changes
  6. Conclusion
  7. Suricata Signatures
  8. IoC

1. The Threat

Malicious actors are evolving and trying new ways to infect computers.

At the start of this year, a specific actor started to leverage a legitimate certified mail service, mainly used in Italy, called PEC (Wikipedia). This service is particularly trusted by its users and is commonly used to deliver electronic invoices. Therefore, it’s of special interest because it’s easier to lure potential victims with malicious emails that refer to fake invoices.

Until the last week, the Gootkit banker was delivered as the final payload of the infection chain. (Certego Gootkit analysis)

During this year, the way to deliver this threat changed: they started to leverage a new simple but effective downloader dubbed as JasperLoader to deliver upgrades and additional modules when needed. (Talos research).

However, even if sophisticated, Gootkit is old malware. Also, it does not monetize fast and does require special interaction by the user. So, they have started experimenting with ransomware, maybe to understand if they can get more from this kind of infection.

We are talking about a raw ransomware fully written in Powershell code, called FTCODE.

Even if the name could seem new, the first appearance of this threat was in 2013, as stated by Sophos. Then, almost nothing was seen for about 6 years. Strange, but we have to remember that technology changes. Windows XP was widespread at that time and, by default, Powershell is installed only from Windows 7 on. That can be a problem because actors need to install powershell itself before running ransomware. Also, cyber security was not mature as it is nowadays so, for instance, classic Zeus-like bankers were more effective.

Indeed, last year we saw the arrival of a new downloader and backdoor written in Powershell that was called sLoad and it’s still being actively distributed (Certego sLoad analysis).

KISS (“keep it simple and stupid”) they teach you during software engineering courses. So, why strive with sophisticated malware when with a bunch of code written in Powershell you can perform every kind of wickedness?

So let’s dive in more technical details to understand how FTCODE works.

Mainly we analyzed two samples from two different campaigns:

  • version 930.5, md5: a5af9f4b875be92a79085bb03c46fe5c, day: 01/10/2019
  • version 1001.7, md5: 8d4c81e06b54436160886d78a1fb5c38, day 02/10/2019

2.Payload Delivery

As stated before, the user receives an email that refers to a fake invoice with an attached document called " Fattura-2019-951692.doc". The threat actor leverages a commonly used template to trick the user to disable the “Protected View” mode and to trigger the execution of the malicious macro.

Once enabled, the macro runs and spawns the following Powershell process:

The result is the download of a piece of Powershell code that is run using the "Invoke-Expression" command (“iex”). Note that the function “DownloadString” saves the result of the request only in memory, in an attempt to avoid antivirus detection.

The new Powershell code is FTCODE itself. On execution, it performs the following GET request:

to download a Visual Basic Script file and save it in "C:\Users\Public\Libraries\WindowsIndexingService.vbs".

This is a variant of JasperLoader, a simple backdoor that is able to download further payloads.

Then, it tries to create a shortcut file called "WindowsIndexingService.lnk" in the user's startup folder that runs the JasperLoader. Finally, to achieve persistence after reboot, it creates a scheduled task called "WindowsApplicationService" pointing to the shortcut file.

3. Environment Preparation

After having installed the JasperLoader backdoor, FTCODE starts to prepare the environment for the ransomware attack.

It verifies if the file "C:\Users\Public\OracleKit\w00log03.tmp" exists. If yes, it would check the presence of some files with the extension " .FTCODE" in all the drives with at least a free space of 50 KB. If there are some, it means that the machine was already attacked by the ransomware, maybe by a previous version: therefore, it would exit.

De facto, this indicator can be used to “ vaccinate” the endpoints from this threat. It’s enough to create the mentioned file with any kind of content to let FTCODE believe that the computer was already infected.

Afterwards it generates a random globally unique identifier (GUID) and a password consisting of 50 characters with at least 4 non-alphanumeric characters.

Then we found a hardcoded RSA public key that is used to encrypt the password. In this way the password cannot be deciphered without the proper private key controlled by the malicious actor and can be sent, in a secure way, to the attacker’s server.

Surprisingly, the encrypted password, after being generated, is never used elsewhere in the code and, instead, is just sent the basic base64-encoded password to the attacker’s server.

The consequence is that, if the traffic against the attacker’s server is being monitored, it’s possible to retrieve the key that will be used to decipher the files, without paying any ransom.

We believe that this mistake will be corrected in future versions.

After that error, FTCODE performs a POST request to the following URL:

with the following parameters:

  • ver=930.5, version number
  • vid=dpec2, probably to identify the campaign
  • psver=Powershell Major Version, probably to understand if FTCODE needs an update from JasperLoader
  • guid=the GUID generated previously, to identify the victim
  • ek=the previously generated password encoded in base64

if the server response is "ok", it creates the file "C:\Users\Public\OracleKit\w00log03.tmp" containing the GUID. If the server response is different, it would exit. This is another protection mechanism to evade execution in simulated environments.

Afterwards, it tries to run the following commands that are commonly used by almost every ransomware to avoid the chance that the victim can recover the encrypted files without paying:

Similar behaviour is performed by Sodinokibi: Certego blog

4. Ransomware Attack

At this moment, everything is ready to perform the real attack phase.

FTCODE checks for all the drives with at least 50 KB of free space and it looks for all the files with the following extensions:

.sql,.mp4,.7z,.rar,.m4a,.wma,.avi,.wmv,.csv,.d3dbsp,.zip,.sie,.sum,.ibank,.t13,.t12,.qdf,.gdb,.tax,.pkpass,.bc6,.bc7,.bkp,.qic,.bkf,.sidn,.sidd,.mddata,.itl,.itdb,.icxs,.hvpl,.hplg,.hkdb,.mdbackup,.syncdb,.gho,.cas,.svg,.map,.wmo,.itm,.sb,.fos,.mov,.vdf,.ztmp,.sis,.sid,.ncf,.menu,.layout,.dmp,.blob,.esm,.vcf,.vtf,.dazip,.fpk,.mlx,.kf,.iwd,.vpk,.tor,.psk,.rim,.w3x,.fsh,.ntl,.arch00,.lvl,.snx,.cfr,.ff,.vpp_pc,.lrf,.m2,.mcmeta,.vfs0,.mpqge,.kdb,.db0,.dba,.rofl,.hkx,.bar,.upk,.das,.iwi,.lite,.mod,.asset,.forge,.ltx,.bsa,.apk,.re4,.sav,.lbf,.slm,.bik,.epk,.rgss3a,.pak,.big,.wallet,.wotreplay,.xxx,.desc,.py,.m3u,.flv,.js,.css,.rb,.png,.jpeg,.txt,.p7c,.p7b,.p12,.pfx,.pem,.crt,.cer,.der,.x3f,.srw,.pef,.ptx,.r3d,.rw2,.rwl,.raw,.raf,.orf,.nrw,.mrwref,.mef,.erf,.kdc,.dcr,.cr2,.crw,.bay,.sr2,.srf,.arw,.3fr,.dng,.jpe,.jpg,.cdr,.indd,.ai,.eps,.pdf,.pdd,.psd,.dbf,.mdf,.wb2,.rtf,.wpd,.dxg,.xf,.dwg,.pst,.accdb,.mdb,.pptm,.pptx,.ppt,.xlk,.xlsb,.xlsm,.xlsx,.xls,.wps,.docm,.docx,.doc,.odb,.odc,.odm,.odp,.ods,.odt

Then, it encrypts the first 40960 bytes of each of them using the “ Rijndael symmetric key encryption”. The key is created based on the previous generated key and the hardcoded string “BXCODE hack your system”. The initialization vector is also based on another hardcoded string ("BXCODE INIT").

Finally it appends the extension ".FTCODE" and creates the file "READ_ME_NOW.htm" in the folders that contain the encrypted files. We are talking about the classic ransom note with instructions on how to recover the encrypted file.

5.Version changes

We believe that this ransomware is in active development. Just one day after the delivery of the version 930.5, we saw another version distributed (1001.7). Malware authors noticed that, in the first version, there was no mechanism to tell the threat actors if the file encryption was successful or not. So, they added other 2 lines of code that trigger other 2 C&C POST requests with the following new parameters:

  • status=”start” or “done”
  • res=number of successfully encrypted files

Conclusion

Actors change their tactics faster and faster. But we understood that they could be lazy and they can make mistakes too. They are humans after all.

Some of them are starting to prefer ransomware like FTCODE over classic infostealers and bankers.

Also, we found that, monitoring the network traffic, it’s possible to retrieve they key used to encrypt the files.

So, it’s important to continuously monitor your own assets, both on a network and an endpoint level, to fight against these kind of threats.

Certego Threat Intelligence Team has been studying upcoming cyber threats for years in order to provide the best protection to their customers.

Suricata IDS signatures

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"CERTEGO TROJAN FTCODE Payload Request"; flow:to_client; content:"FTCODE"; http_server_body; nocase; content:"vssadmin"; http_server_body; nocase; reference:url,www.certego.net/it/news/malware-tales-ftcode/; classtype:trojan-activity; sid:9000999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CERTEGO TROJAN FTCODE Registration Request"; flow:to_server; content:"POST"; http_method; content:"vid="; http_client_body; content:"psver="; http_client_body; content:"guid="; http_client_body; content:"ek="; http_client_body; reference:url,www.certego.net/it/news/malware-tales-ftcode/; classtype:trojan-activity; sid:9000998; rev:1;)

IoC

C:\Users\Public\OracleKit\w00log03.tmp
C:\Users\Public\OracleKit\AFX50058.tmp
home.southerntransitions[.]net
connect.southerntransitions[.]com
home.selltokengarff[.]com
home.ktxhome[.]com
connect.simplebutmatters[.]com
qvo5sd7p5yazwbrgioky7rdu4vslxrcaeruhjr7ztn3t2pihp56ewlqd[.]onion

About the authors

Matteo Lodi, Threat Intelligence Lead Engineer (Twitter)

Marco Bompani, Security Analyst (Twitter)

License:

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

Hi everyone! Today we are looking at a threat that appeared recently: a new ransomware called Sodinokibi.

Summary

  1. The Threat
  2. The Loader
  3. Mutex and Configuration
  4. Machine information recovery
  5. Encryption preparation inspired by GandCrab
  6. Ransomware attack
  7. C2 Registration
  8. Conclusion

1. The Threat

The first noteworthy appearance was at the end of April ( Talos Research).

Then, at the start of this month, we gathered different reports of this threat being spread in Italy (eg: JAMESWT_MHT's tweet), both via malspam and known server vulnerabilities.

Also, there was the announcement of the shutdown of the GandCrab Operation ( Bleeping Computer), just some days earlier.

Coincidence? We’ll see.

Our guess is that this new payload could be used as a replacement of GandCrab in the RAAS (Ransomware-as-a-service) panorama.

Therefore, in order to protect our customers effectively, we went deep into the analysis of this ransomware.

Mainly we analyzed two different samples:

  • version 1.01: md5: e713658b666ff04c9863ebecb458f174
  • version 1.00: md5: bf9359046c4f5c24de0a9de28bbabd14

2. The Loader

Like every malware who deserves respect, Sodinokibi is protected by a custom packer that is different for each sample.

The method used by the version 1.01 sample to reconstruct the original payload is called “ PE overwrite”.

To perform this technique, the malicious software must allocate a new area inside its process memory and fill it with the code that has the duty to overwrite the mapped image of the original file with the real malware payload. In this case, first the process allocates space in the Heap via LocalAlloc, then it writes the “unpacking stub” code, it signs that space as executable with VirtualProtect and finally it redirects the execution flow to the new memory space

In order to slow the analysis, the loader contains a lot of junk code that will be never executed.

Also, in the following image, we can see that it tries to hide some important strings from the static analysis like “ kernel32.dll”. It leverages “stack strings” plus the randomization of the order of the characters.

At this point, the unpacking stub resolves dynamically the functions that he needs like VirtualAlloc. Then it performs the overwrite of the original image base with the new decrypted payload.

Finally, it transfers the execution to the OEP (Original Entry Point) of the unpacked Sodinokibi payload.

3. Mutex and Configuration

Once unpacked, the sample tries to create a mutex object. It calls CreateMutexW, then, if there was an error, with RtlGetLastWin32Error it would extract the generated error. Indeed, if the mutex already existed, the error would have been “0xB7” ("ERROR_ALREADY_EXISTS" ref docs). In that case a function is called that terminates the process.

We found that the mutex name is different for each sample but following this pattern: “ Global\{UUID}”. Therefore it’s a method to detect the malware or to vaccinate the endpoint (Zeltser blog) that is reliable only for a specific sample.

Going forward, we found the configuration in an encrypted form in the section “ .zeacl” for v.1.01 or “.grrr” for v.1.00. Once extracted, we noticed that it’s a JSON file.

These are the keys found in the configuration.

  • pk” -> base64 encoded key used to encrypt files
  • pid” -> personal id of the actor
  • sub” -> another id, maybe related to the specific campaign
  • dbg” -> debug mode
  • fast” -> fast mode
  • wipe” -> enable wipe of specific directories
  • wht” -> whitelist dictionary
    • fld” -> keyword in whitelisted directories
    • fls” -> whitelisted filenames
    • ext” -> whitelisted file extensions
  • wfld” -> directories to wipe
  • prc” -> processes to kill before the encryption
  • dmn” -> domains to contact after encryption
  • net” -> check network resources
  • nbody” -> base64 encoded ransom note body
  • nname” -> ransom note file name
  • exp” -> unknown, expert mode?
  • img” -> base64 encoded message on desktop background

If you are interested in manually checking the configuration files we have extracted in the samples we have analyzed, follow this link and download the archive (password:sodinokibi): sodinokibi_config_files.zip

4. Machine information recovery

Afterwards, Sodinokibi starts to gather information about the infected machine and builds another JSON structure that stores in an encrypted form in the “ HKEY_LOCAL_MACHINE\SOFTWARE\recfg\stat” registry key.

Keys:

  • ver”: version (100 or 101)
  • pid”: previous config “pid”
  • sub”: previous config “sub”
  • pk”: previous config “pk”
  • uid”: user ID. It’s a 8 byte hexadecimal value generated with XOR encryption. First 4 bytes are created from the processor name, while the others are created from the volume serial number extracted with a “GetVolumeInformationW” API call.

  • sk”: secondary key, base64 encoded key generated at runtime
  • unm”: username
  • net” : hostname
  • grp”: windows domain

  • lng”: language

  • bro”: brother? Sodinokibi retrieves the keyboard language with GetKeyboardLayoutList. Then it implements an algorithm that gives “True” as value for this key only if the nation code ends with a byte between 0x18 and 0x2c. It’s not odd that inside this range there are the majority of the East-Europe language codes, like Russian, Cyrillic and Romanian. It’s a clear indication of the origin of the malware authors.

  • os”: full OS name

  • bit”: Sodinokibi extracts this value from “GetNativeSystemInfo” then it compares with 9 that corresponds to the x64 architecture. Further processing will generate “40” if the architecture is 64bit, “56” otherwise.

  • dsk”: base64 encoded value generated based on the drives found on the machine.
  • ext”: new in 1.01. The random extension used for encrypted files.

5. Encryption preparation inspired by GandCrab

At this time, before performing the encryption, Sodinokibi replicates a behavior that is very similar to what GandCrab performs, suggesting that Sodinokibi authors learned from GandCrab ones or that they are strictly related.

Sodinokibi extracts the running processes with the combination of CreateToolhelp32Snapshot, Process32First and Process32First and checks if they match the names in the configuration. In that case, those processes are killed. The reason is that these programs could hold write access on files and therefore they could not allow the ransomware to encrypt them.

The list of the version 1.00 contains only the “ mysql.exe” process, while the list of the version 1.01 is a lot longer and almost matches the ones used by GandCrab (source: Symantec).

Afterwards, like his predecessor, Sodinokibi deletes the shadow copies with the leverage of the “ vssadmin” native utility. In addition, it uses “bcdedit” to disable windows error recovery on reboot.

Another check done by the ransomware is for available network resources with WNetOpenEnumW e WNetEnumResourceW with the aim to find other files to encrypt.

Last operation before the encryption is to find all the directories with a name that matches the configuration key “ wfld” and to wipe them. In this case, the list contains only “backup”. So, for example, Sodinokibi deletes Windows Defenders updates backups.

6. Ransomware attack

Finally (or not?) Sodinokibi starts to iterate over the available directories with FindFirstFile and FindNextFile.

It skips files and directories that match conditions on the whitelist configuration. The others are encrypted by the ransomware that adds the random generated key as extension to the name.

In each directory the malware also write the ransom note “ {ext}.readme.txt” extracted from the configuration and a lock file.

Then it creates a file with a random name “ {random}.bmp” in the %TEMP% which contains the image that will be put as a background with the help of DrawTextW and FillRect functions.

7. C2 Registration

Once the encryption is finished, Sodinokibi starts to iterate through a giant list of domains hardcoded in the configuration (about 1k). These domains are the same across the samples we analyzed but they are ordered differently in order to mislead the analysis.

At a first glance, these domains seem legit and most of them are correctly registered.

This is not a classic DGA but the result is almost the same because the purpose is to hide the real C&C Server used by cyber criminals.

For each domain listed, Sodinokibi generates a random URI. Then it uses the winhttp.dll library functions to perform HTTPS POST requests with the created URLs.

The data sent with the POST request is an encrypted form of the JSON configuration saved on the “ HKEY_LOCAL_MACHINE\SOFTWARE\recfg\stat” registry key and described on the “Machine information recovery” section. In this way, malicious actors can collect important information of the infected machine.

The following are examples of some of these URLs:

Looking at an analysis of this sample in a sandbox ( AnyRun), we noticed that HTTPS requests where not correctly listed. The malware can avoid traffic interception by proxies like Fiddler or Mitmproxy that are used for manual or automatic analysis.

How? The second parameter of the WinHttpOpen function is 0 which corresponds to “WINHTTP_ACCESS_TYPE_DEFAULT_PROXY”: this means that the configured proxy is skipped and the HTTP connection won’t be logged. This trick could mislead the analysis if not properly handled.

I suggest to read the following blog post where it’s further explained how these URLs are generated and why also this routine is inspired by GandCrab code: Tesorion analysis

8. Conclusion

Sodinokibi could be the heir of GandCrab. It’s still at version 1.01 so maybe it’s not mature yet but is actively developed and updated

Malicious actors have started to use Sodinokibi to generate profit, even in Italy.

It’s important to continuously monitor your own assets, both on a network and an endpoint level, to fight against these kind of threats.

Certego Threat Intelligence Team has been studying upcoming cyber threats for years in order to provide the best protection to their customers.

IOC

HKEY_LOCAL_MACHINE\SOFTWARE\recfg\stat
HKEY_LOCAL_MACHINE\SOFTWARE\recfg\pk_key
decryptor[.]top
aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion

About the author

Matteo Lodi, Cyber Threat Intelligence Team Leader

Twitter: https://twitter.com/matte_lodi

License:

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

Today we are going to talk about one of the biggest threats that is spreading in these days, in particular in Italy: Dreambot, the most recent version of a malware also known as Ursnif, or Gozi.

Summary

  1. The Threat
  2. The Check-In phase
  3. Encryption routine
  4. Injected Internet Explorer? Or not?
  5. Conclusion

1. The Threat

Ursnif belongs to the category of Infostealers. It was already analyzed by a lot of skilled researchers. I list just some of the best analysis you could find:

In this article, we'll focus on the initial communication with the Command & Control infrastructure.

2. The Check-In phase

At the time of the compilation of the malware, spreaders can choose a list of domains that will be hardcoded in the sample in an encrypted form.

For example, the following image shows 3 different domains uploaded into the memory of one of the variant that we analyzed.

The malicious agent tries to perform its initial communication with the first of the list, then, if it fails, it would try with the next and so on.

We underline that this " beacon" is always performed via plain HTTP while the following steps of communication are done via SSL encryption and custom certificates.

This is important because, with the right eye, even without SSL interception, we can pretty easily spot if something is going wrong.

The following image shows 3 different attempts to communicate with the C2 server in a sandbox environment. 

If the pattern is not known, an untrained analyst could be misleaded by this behaviour while performing threat hunting on network logs or artifacts.

The file extension ".avi" refers to video files. Also, the path "/images/" is deceptive. In addition, it's performed as a "GET" request. All of this evidence could be seen as a normal download of a video file from a site hosting media.
In fact it's the check-in of the malware that is sending basic information about the compromised machine, hiding them in plain sight in the URI path.

Example:

Decoded data:

  • fjidtflrb -> junk param, always present at the start of the URI to generate randomness (and always different)
  • soft -> major version
  • version -> minor version
  • user -> unique user id
  • server -> unique c2 server id
  • id -> bot group id
  • crc -> payload to retrieve (1-DLL 32bit, 2-DLL64 bit, 3-ps1)
  • uptime -> time elapsed from initial infection (seconds)

The following image represents the phase when the malware creates the first parameter:

After having seen a lot of this kind of patterns on Ursnif samples in last years, I decided to create a simple and raw tool that is able to decrypt the URL created by the malware on the fly.

In this way it's possible to spy the configuration sent to the Command & Control server and, at the same time, to check if the URL is related to this threat. 

All of this without any need of manual reverse engineering.

You can check the simple tool that I created on the following link on: Github

This is an example of how to run the script:

and the related output:

3. Encryption routine

The custom algorithm starts with a symmetric encryption that leverages the Serpent cipher in CBC mode and a null IV (initialization vector). 

Afterwards the result is encoded with a classic base64. Considering that base64 encoding is pretty easy to spot, malware authors decided to change things a little more. They removed padding characters("=") and substituted the other special characters ("+", "/") with the relative ASCII code, after having prepended them by an underscore ("_2f", "_2b"). The last tweak is to add slashes at specified offsets to let the URI to appear like a real one.

Obviously, the Serpent encryption needs a key. We can find it hardcoded on the malware sample. Some code level analysis could be required to get that info.

However, observations led to the fact that the key is usually shared among a lot of samples and rarely changed.

If you don't have one, just run the script: it would try a predefined list of known keys for you.

It's really appreciated if you want to share new keys that you find with us. Feel free to contact us on Twitter or LinkedIn

4. Injected Internet Explorer? Or not?

While investigating the check-in phase, we noticed an unusual fact that we think it's worth to mention.

As you can see from the analysis of AnyRun, the malicious beacon seems to be sent by an Internet Explorer instance after the malware has run.

Considering that Ursnif is known to perform injection on browsers to steal information, an unaware analyst could think that the malware already decided to perform some form of memory injection into a new spawned instance of Internet Explorer to masquerade the communication as a legit one.

However this is unecessary. It's enough to use the COM (Wikipedia) library that is provided by Microsoft.
Looking at the code, we can detect this behaviour with the finding of the function CoCreateInstance that were made just before the network communication.

This one is a stealthy way that could mislead both analysts and security products if it has not been taken in consideration.

If you like to have a more detailed explanation on COM and, in general, on how to detect malware C2 communications while reverse engineering, I suggest the following reading: FireEye Blog

Conclusions

Ursnif has been trying for years to make analysis difficult for people and detection for security products.

We went deep into the communication performed during the check-in phase and created a new tool to help to analyze and detect the malware.

Certego is actively monitoring every day threats to improve its detection and response methods, continuously increasing the effectiveness of the incident response workflow.

Hash
9406ff0da0f238466f7638490ad4335d
8793af5f5ad8a2ca9b2ae6af5e70e63f
8f0195472ede691b129913465eec0c9e

About the author:

Matteo Lodi, Cyber Threat Intelligence Team Leader 

If you know something more about protocols used by Ursnif for C2 communications or if you'd like to improve the tool(Github), feel free to contact me at any time.

Twitter: https://twitter.com/matte_lodi

License:

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

Today we are going to start a new series of blog posts called “Malware tales”: the intent is to go deep on code-level analysis of most widespread malware to allow everyone to get a better picture of everyday cyber threats. Also, we’d like to demystify malware and show that we are just talking about a bunch of code

Summary:

  1. The Threat
  2. Payload delivery
  3. Gootkit executable
  4. Stage 1: Packed Gootkit
  5. Stage 2: Gaining a foothold
  6. Stage 3: Check-in phase
  7. Last stage
  8. Additional findings
  9. Conclusions

The Threat:

Gootkit belongs to the category of Infostealers and Bankers therefore it aims to steal information available on infected machines and to hijack bank accounts to perform unwanted transactions.

It has been around at least since 2014 and it seems being actively distributed in many countries, including Italy.

Previous reports about this threat can be found following this link: Malpedia

Today we are going to dive into the analysis of a particular variant that came up the last week.

Payload Delivery:

The infection vector is an email written in Italian. In this case adversaries used one of the most common social engineering techniques to trigger the user to open the attachment.

The downloaded file is a heavily obfuscated Javascript file called " GLS_Notifica.js". If the user opens it, the native Javascript interpreter wscript.exe would be executed by default and it would perform the following HTTP request:

The result is the download of a cabinet file that is an archive file which can be extracted natively by Windows. Inside there is a Portable Executable file that is saved into the %TEMP% folder (“C:\Users\<username>\AppData\Local\Temp”) and launched.

Javascripts downloaders are a common payload delivery because a little obfuscation can be enough to make them very difficult to be detected by antivirus engines.

Gootkit executable:

First run of the sample in an automated environment revealed that something new was added in this version. As we can see in the following images, malware authors added a new layer of protection to the malicious agent. The comparison has been made with a variant spread during December of 2018 in Italy. (images are from AnyRun)

This means that the original program was “packed” with the aim to slow down reverse engineers and to make ineffective static analysis tools like Yara rules.

Stage 1: Packed Gootkit

In such cases, a malware analyst knows that he has to extract the original payload as fast as possible without losing time to try to understand the inner workings of this stage.

A great open-source tool exists which can resolve the problem in a matter of seconds. It’s called PE-Sieve (Github). Even though it does not always work, in this case it can dump the unmapped version of the original executable because the malicious software uses a technique called Process Hollowing a.k.a. RunPE. This method consists in starting a new process in a suspended state, “hollowing” out the content of the process, replacing it with malicious code and, finally, resuming the thread.

In the image we can see that the 6th parameter of "CreateProcessW" was set to "4", indicating that the process will start in a suspended state.

We are talking about a well known technique that is easily detectable with the monitoring of the Windows API calls that are needed to perform the injection. But here comes the trick.

Following the flow of execution we couldn’t find all the needed API calls: we got NtCreateProcess, NtGetContextThread, NtReadVirtualMemory and NtSetContextThread.

The most important ones that are used by monitoring applications to detect the technique were missing:

  • NtUnmapViewOfSection to “hollow” the target process
  • NtWriteVirtualMemory to write into the target process
  • NtResumeThread to resume the suspended thread

Let’s find out what’s happening!

After some shellcode injections inside its memory space, the process executes a call to IsWow64Process API that is used by the application to understand if the process is running under the WOW64 environment (Wiki): this is a subsystem of the Windows OS that is able to run 32-bit applications, like this one, on 64-bit operating systems.

The result of this check is used to run two different paths of code but with the same scope: run one of the aforementioned missing API calls in the Kernel mode. This means that, in this way, classic user-level monitoring tools would not catch these calls and the RunPE technique would remain unnoticed.

Specifically, in case the process is running in a 32-bit environment, it would use the SYSENTER command to switch into the Kernel mode, while, on the contrary, it would use the SYSCALL command to perform the same operation.

To complicate even further, the SYSCALL command can’t be called in the context of a 32-bit application. This means that the executable needs to perform a “trick-into-the-trick” to execute this operation. We are talking about a technique known as The Heaven’s Gate.

Practically, thanks to the RETF instruction, it’s possible to change the code segment (CS) from 0x23 to 0x33, de facto enabling 64-bit mode on the running process.

In the following image we highlight the entrance and the exit of the “Gate” which contains the 64-bit code that performs the SYSCALL operation.

Instead, in this other image, we can see the process status before opening the gate (grey=suspended process) and after having closed it (orange=running process).

Also, Gootkit takes advantage of The Heaven’s Gate as an anti-debugging technique because the majority of commonly used debuggers can’t properly handle this situation, not allowing the analyst to follow the code of the Gate step-by-step.

For further details, this method was deeply explained in this blog (MalwareBytes)

Going back to the point, the first stage resulted more complicated than expected because it pushed over the limits of obfuscation and stealthiness with the combination of various techniques.

Stage 2: Gaining a foothold

At this point we can proceed with the analysis of the unpacked Gootkit.

The very first considerable finding was the check for the existence of a mutex object named “ServiceEntryPointThread”. If it exists, the process would terminate itself.

But how mutexes works? Mutexes are used as a locking mechanism to serialize access to a resource on the system. Malware sometimes uses it as an “infection marker” to avoid to infect the same machine twice. The fascinating thing about mutexes is that they are a double-edged weapon: security analysts could install the mutex in advance to vaccinate endpoints. (ref: Zeltser blog)

This means that this is a great indicator of compromise that we can use not only to detect the infection but also to prevent it.

Moving on, we found that malware authors implemented a lot of checks to understand if the malware is running inside a virtual environment. Some of them are:

  • It checks if the registry key “HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString” contains the word “Xeon”

  • it checks if the computer name is “7SILVIA” or “SANDBOX”, if the username is “CurrentUser” or “Sandbox” or if “sbiedll.dll” has been loaded.

  • it checks if “HKLM\HARDWARE\Description\System\VideoBiosVersion” contains the word “VirtualBox”

  • it checks “HKLM\Software\Microsoft\Windows\CurrentVersion\SystemBiosVersion” for the string “VBOX”

In the case one of this check fails, the program would execute a Sleep operation in a infinite cycle in the attempt to thwart automated sandbox execution.

After that, we encountered the implementation of a particular persistence mechanism that it seems Gootkit has been using for many months: it’s already documented in various blog posts, for ex. ReaQta blog.

Briefly, the infostealer generates a INF file with the same filename of itself.

Content of the INF file:

Then it creates 3 different registry keys (“ Count”, “Path1” and “Section1”) inside “HKCU\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs” with the purpose to allow the threat to execute on reboot.

It seems that this technique was reported to be used only by Gootkit.

Famous security tools still can’t detect this mechanism even if it has been used for months.

For example, the famous SysInternal Autoruns tool, that should be able to show all the programs that are configured to run on system bootup or login, fails the detection of this persistence method.

Stepping through the code, we noticed that, at runtime, Gootkit decrypts the strings it uses with a custom algorithm to evade static analysis detection of anomalous behaviour.

It’s a combination of “stack strings”, XOR commands and the modulo operation.

An exhaustive explanation of the decryption routine can be found here: link

Skipping further, eventually there’s a call to “ CreateProcessW” to start a new instance of Gootkit with the following parameter: --vwxyz

Stage 3: Check-in phase

Quickly we found out that executing the malware with the cited parameter allows us to skip all the previous anti-analysis controls to get into the part of the code that starts to contact the Command & Control Server.

The first check-in to home is done to the following URL via HTTPS:

As we can see from the image, many headers were added to the request to send different informations of the infected machine to the C&C Server.

In particular one of the headers caught my attention: “ X-IsTrustedComp”. Digging into the code we found that the value would be set to “1” if an environment variable called “crackmeololo” was found in the host, “0” otherwise.

That seems another “escaping” mechanism implementing by the author, probably to stop the infection chain for his own debugging purposes.

Last stage:

The response that arrives from the previous connection contains the final stage of Gootkit, configured to work properly on the infected machine.

The malware dynamically loaded “ RtlDecompressBuffer” call to use it to decompress the payload; then, it injected into an area of the current process memory.

Afterwards the flow of execution is transferred to the start of the injected code.

The final payload is a DLL file that is bigger than 5MB because it contains the Node.js engine which is probably needed to run some embedded javascript files. At this time we decided to stop our analysis and leave the rest to future work.

Additional findings:

While debugging, we noticed that Gootkit does not check only if a parameter called “ --vwxyz” was passed to the command line. Also it checks if other 3 parameters:

  • --reinstall

  • --service

  • -test

Pretty strange thing. We haven’t found the malware to actively use these arguments yet. However, stepping through code we discovered that:

1 - the “ --reinstall” command leaded the execution to some curious code. First, the malware used “CreateToolHelp32Snapshot” to retrieve a list of the current running processes.

Then, it iterated through the retrieved list via “ Process32FirstW” and “Process32NextW” with the aim to get a handle to the active “explorer.exe” instance.

At this point it killed “ explorer.exe”. The following image shows the process list before the “TerminateProcess” command.

After having executed that command, we found that a new instance of the malware spawned as a child of “explorer.exe”.

What happened? We performed some tests and it seems that “ explorer.exe” was killed and then automatically restarted by “winlogon.exe”. Therefore “explorer.exe” accessed the keys involved in the persistence mechanism previously explained:

Using this trick, the malware is able to “reinstall” itself, without the need to use suspicious API calls like “ CreateProcessW”.

2 - the “ --service” command did not change the flow of execution with the exception of creating a new environment variable called “USERNAME_REQUIRED” and set it to “TRUE”.

Eventually we found that the final stage checks if the aforementioned variable exists.

3 - the “ -test” command just terminate the process. Indeed it’s a test.

Conclusions

We explored some of the functionalities of one of the most widespread Infostealers of these days, revealing new and old tricks that is using to remain undetected as much time as possible.

Certego is actively monitoring every day threats to improve our detection and response methods, continuously increasing the effectiveness of the incident response workflow.

PS: Let us know if you liked this story and feel free to tell us how we can improve it!

Hash:

597f734c780f283d6cd7c7443700a65249b8350ec1ad58b8aa790a32f57eec4d 
GLS_Notifica.js
5ed739855d05d9601ee65e51bf4fec20d9f600e49ed29b7a13d018de7c5d23bc
gootkit 1st stage
e32d72c4ad2b023bf27ee8a79bf82c891c188c9bd7a200bfc987f41397bd61df 
gootkit 2nd stage
0ad2e03b734b6675759526b357788f56594ac900eeb5bd37c67b52241305a10a 
gootkit DLL module

About the author:

Matteo Lodi, Cyber Threat Intelligence Team Leader

Twitter: https://twitter.com/matte_lodi

License:
Licenza Creative Commons
Quest'opera è distribuita con Licenza Creative Commons Attribuzione - Non commerciale - Non opere derivate 4.0 Internazionale.

Hi everyone, here is Matteo Lodi, Threat Intelligence Analyst in Certego.

Recently, we saw a particular new spam campaign targeting italian users with the focus of delivering a downloader known as Sload.

Nowadays, attackers are trying harder and harder to make difficult the analysis and the detection. The most common tool misused in this way is Powershell: it's installed by default in every recent version of Windows and is commonly used to perform administrator tasks.

The infection chain

Let's dig in the infection chain:

1. A user receives an email with subject "<TARGET_COMPANY_NAME> Emissione fattura <random_number>" containing a reference to a fake invoice.

The user is tricked to click on the malicious link that points to a randomly generated domain hosted with HTTPS in 91.218[.]127.189. The following is an example:

2. Once downloaded, if the user opens the archive, it would find two files. The first one is a legit image, while the second one is a .lnk file. We have already seen the misuse of shortcut files with powershell to perform the download of malicious samples. But this time it seemed different: in fact, the .lnk points to the following command:

3. Where is the download? At first glance, that seemed very strange: what is the aim of this execution? After having analyzed the command, the trick was clear. The attackers wants to call "Invoke-Expression" command to run a string hidden inside the zip itself!! But where?

As we can see in the following image, at the end of the original downloaded zip file we can see readable strings that are the real first stage downloader!!

The zip file is still a legit and correctly working archive! Powershell commands are written after the EOCD (End of central directory) which determines the end of a zip file.

This clever trick can deceive many signatures-based detection tools.

4. The extracted command is the following:

5. The result is the download and the execution of another powershell script from a server hosted in 185.17[.]27.108. We saw different domains used but, in the last week, the Dropzone IP never changed. Also, we noted that the CnC server was blocking requests without the "Microsoft BITS/7.5" User-Agent to prevent unwanted download by non-infected machines.

This script was very well detected by antivirus engines as you can see in the following image!

How funny was I? Static analysis is completely useless in such cases.

Going forward, the malware drops the following items before deleting itself:

Therefore it registers a task called "AppRunLog" to maintain persistence

6. At the end, it calls the registered task. This will execute the dropped Visual Basic Script file that, in turn, will execute the dropped Powershell script:

This script parses arguments and it won't execute properly in case they are not what it expects. It needs the numbers from 1 to 16 as arguments because, in fact, they are the key to decrypt the last stage.

7. The final payload is decrypted from the "config.ini" file and is called with "Invoke-Expression". It's loaded directly in memory: this makes very difficult for antivirus products to detect the threat. At the moment, this execution method is widely known as "fileless" because, indeed, the malware is never written on disk.

The payload is the last (finally) powershell script: it is the real Sload downloader which performs various malicious steps that were already explained in details in the article written by Proofpoint.

In few words, Sload can:

  1. Load external binaries
  2. Take screenshots
  3. Update configuration and CnC servers
  4. List running processes
  5. Detect Outlook usage

The variant we spotted in the last week uses the following CnC domains, which resolve in the same IP used by the second downloader stage (185.17[.]27.108)

However, we expect that this configuration won't last long, because, as we said before, Sload is able to update his CnC servers at any time.

Conclusion

We had a fantastic journey that made us understand, hopefully, how powerful can be Powershell and how attackers are misusing this tool to evade analysis detection.

We analyzed 5 different powershell scripts and that was only the "downloader" phase of the infection.

In case of a successfull one, Sload was seen to download known malware like Ramnit, Gootkit, DarkVNC or Ursnif (reference: Proofpoint). At that stage the threat would be really important.

Certego is monitoring the campaign and it's updating its signatures to correctly detect possible infections.

IOC

First stage download: (many and changing fast)
usined[.]com
darrenportermusic[.]com
supporto.eldersonfire[.]com
91.218[.]127.189
Second stage download: (many and changing fast)
firetechnicaladvisor[.]com
cltspine[.]info
185.17[.]27.108
CnC servers: (stable through the last week)
ljfumm[.]me 
hamofgri[.]me
185.17[.]27.108
Hash (sha256):
first stage
7838904c04c8bdf2444a64bd32fa308b6bd248789305e2fe4e91699b5a0a9f99 
8e1271fbb3f21d4c441748488d68636c68e6dbf4a755468da27b210c04ceb9c1
second stage
ee1dbf76665f5c07ba1c453d1890aa93307f759c5cce6f59f225111509482a64
sload
ad50e8ee958cb3f391ecc8e94b1506eba3174d9f08b95b37f616eeba382838b5

Nelle ultime settimane i sistemi di monitoraggio Certego hanno rilevato un significativo aumento nella diffusione del malware Ursnif.

Questo aumento è dovuto al particolare sistema di spear phishing recentemente impiegato per diffondere tale malware. Questo sistema, già segnalato lo scorso Novembre da Barkly e ripreso questo mese da LibraesvaMetis, si basa su una tecnica che possiamo definire di thread injection: la vittima si vede recapitare un messaggio email come risposta ad una precedente conversazione con un suo contatto, con tanto di citazioni dei messaggi precedenti e firma del mittente, in cui si invita l'ignaro e fiducioso destinatario ad aprire il documento allegato.

Come è facile immaginare, l'allegato in questione, spesso in formato doc di Microsoft Word, in questione contiene in realtà delle MACRO il cui scopo è scaricare da un server remoto una copia del malware Ursnif e così infettare un altro host.

Come anticipato, i vantaggi di questa tecnica di phishing sono evidenti: il rapporto di fiducia che esiste tra le utenze riduce l'attenzione della vittima finale quando questa riceve il documento malevolo. Esiste però anche un altro vantaggio rispetto allo spam "tradizionale": si vengono a colpire esclusivamente utenti attivi e, contemporaneamente, si aggirano i sistemi di raccolta passivi dello spam.

Tuttavia, finora non si avevano prove certe su come operasse il malware per recuperare tali informazioni. Essendo Ursnif un malware la cui principale funzione consiste nel manomettere le connessioni verso i siti bancari (session hijacking), era abbastanza facile supporre che effettuasse la stessa operazione verso i client di posta e/o le webmail; così da raccogliere alcune conversazioni e inviare le mail di phishing sopra descritte. Il malware è così riuscito a trasformare le sue vittime in complici, per quanto ignari, della sua propagazione.

In questi giorni è però emerso un fatto interessante. Durante la sua attività di analisi di un esemplare di Ursnif, il ricercatore noto come  JAMESWT ha individuato su uno dei server utilizzati per distribuire gli eseguibili del malware una cartella contenente numerose informazioni relative ad account di posta.

L'analisi del contenuto della cartella indicata da JAMESWT ha portato alla luce una serie di file testuali in cui erano presenti accurate informazioni per accedere a diversi account di posta compromessi. Per ciascuna utenza sono riportati: nome utente, password, indirizzo del server email e protocollo di accesso.

<protocol>://<username>:<password>@<server>:<port>

Poco tempo dopo la segnalazione, i file con le credenziali compromesse sono stati rimossi dal server.

Questo rilevamento ci permette di affermare che, per quanto riguarda le campagne attualmente in atto, i responsabili della diffusione del malware Ursnif abbiano completo accesso e disponibilità delle caselle di posta delle loro vittime, senza alcuna necessità di utilizzare bot o strumenti di intercettazione. Inoltre, espone tutti i contatti delle vittime ad attacchi di spear phishing tramite thread injection, come quelli sopra descritti.

Analizzando alcune mail appartenenti a queste campagne in cerca di anomalie, abbiamo rilevato che il bounce address non corrispondeva con l'indirizzo presumibilmente compromesso. Il controllo degli header Received delle mail ha confermato che il server da cui venivano trasmesse queste mail apparteneva all'organizzazione del bounce address. In base a questo possiamo dire che, al momento in cui scrivamo questo articolo, gli account compromessi non vengano utilizzati per inviare attivamente le mail di phishing. Molto probabilmente si tratta di una scelta ponderata da parte degli attaccanti, in modo da aggirare eventuali filtri in uscita da parte dei server delle loro vittime: infatti un errore di consegna potrebbe allarmare l'utente (o il responsabile della gestione della mail aziendale) che andrebbe quindi in cerca di anomalie, utilizzando invece mail server di una terza parte si evitano questi "inconvenienti".

Il miglior modo per difendersi da questo genere di attacchi è non abilitare in alcun caso le MACRO di qualunque documento ricevuto via mail (o tramite link ricevuti via mail). È comunque importante possedere, e mantenere aggiornato, un buon sistema di difesa sia perimetrale (antispam, firewall) che locale (antivirus), così da ridurre il rischio e contrastare eventuali infezioni.

La piattaforma di Threat Intelligence Certego sta osservando alcune campagne di SPAM che utilizzano file con estensione .url come first-stage downloader per diffondere malware e aggirare i filtri anti-SPAM.

Cosa sono i file .url? Questo tipo di file viene normalmente utilizzato dai sistemi operativi Windows per salvare un collegamento a un sito web, in modo da poter essere facilmente acceduto tramite un semplice click. Di per sé non sono quindi file pericolosi, tuttavia possono essere abusati per la creazione di link malevoli.

La particolarità di questa campagna non risiede solo nell'utilizzo di questo particolare tipo di file, ma anche in come questi siano stati configurati. Infatti, tutti i campioni finora analizzati riportavano URL particolari, in cui lo  schema utilizzato non è il ben noto e diffuso http (o https). Viene invece utilizzato file.

Cosa comporta lo schema file? Questo schema solitamente viene utilizzato per l'accesso al filesystem locale. Può essere anche utilizzato con filesystem remoti, che su Windows vengono acceduti tramite il protocollo SMB.

Si tratta quindi di una nuova tecnica di diffusione di malware, sfruttando il protocollo SMB come canale d'ingresso.

Come funziona questo attacco? Come in tutte le campagne di spam, la vittima riceve una mail che annuncia la comunicazione di un documento contenuto nell'archivio ZIP allegato ad essa.

Una volta estratto il contenuto dello ZIP, l'utente si trova di fronte a quello che appare come un collegamento ad una cartella di Windows (in effetti è proprio di questo che si tratta!).
Una volta cliccato sull'icona l'host tenta di stabilire una connessione SMB con il server controllato dall'attaccante. Questi invia un file JScript che, una volta ricevuto, richiede all'utente se essere eseguito o salvato.

Il file JScript rappresenta il second-stage downloader: questo si collega a un altro server remoto da cui scarica un file eseguibile contenente altro codice malevolo.
Nei casi finora osservati, si è trattato di una variante del malware Quant Loader, il cui scopo è quello di assicurarsi persistenza sull'host e di scaricare altro malware (third-stage downloader).

Come ci si può proteggere da questo tipo di attacco?

 Come per tutti gli attacchi condotti tramite mail la prima linea di difesa è costituita dai filtri anti-SPAM. La componente preponderante però restano gli utenti, poiché senza il loro intervento questo genere di attacchi non potrebbe andare a buon fine; è quindi importante che questi siano istruiti sul fenomeno.

IOC
oggetti utilizzati

Continua a leggere