“If you want a playbook for how to defend your network against infection and lateral movement by a sophisticated attacker, detect and defend against Emotet,” Microsoft’s Jessica Payne recently wrote on Twitter. She is right: though threats like Emotet tend to spread via largely untargeted spam emails, the actors behind it have become rather skilled at exploiting the most valuable infections. An example of this was seen late last year when Emotet was used to deliver the Ryuk ransomware to US newspapers.


The same is true for other kinds of commodity malware, such as Trickbot and GandCrab. Though this newsletter is fairly low on nation-state attacks, it includes some analyses of fairly sophisticated cybercrime operations, such as the use of GandCrab to target a hospital and a Trickbot module that tries to steal PuTTy and VNC credentials.
 

Don’t forget that you can read past editions of this newsletter on our website (where you can also subscribe to the newsletter) and that the Call for Papers for VB2019 (London, 2-4 October) remains open until 17 March. Don’t hesitate to contact us with any questions about the CFP or for information about sponsor or partner opportunities!

Martijn Grooten

Editor, Virus Bulletin


For the privacy conscious among you: we do not track clicks on the links contained in this newsletter to individual subscribers, but should you feel more comfortable, we believe that any of the links mentioned here can be found through search engines. All links have been added to the Wayback Machine.




Last week, we published a VB2018 paper by Ixia researcher Stefan Tanase, who warned about the dangers of Internet balkanisation - a warning that may be timely given Russia’s plans to temporarily close its Internet off from the rest of the world. We also released the recording of Stefan's presentation.


Also at VB2018, Sophos researcher Gabor Szappanos presented a paper on Office exploit builders, which were used to build malicious Office documents that targeted unpatched Office vulnerabilities (as opposed to tricking users into enabling macros). In a new paper, Gabor explains how a new exploit builder, Old Phantom Crypter, is now responsible for almost a third of such attacks. The builder has around 100 customers, the majority of which are based in Nigeria and Russia, while Lokibot and Formbook are the most prominent payloads delivered by it.


Kaspersky’s GReAT has released an analysis of a cloned version of a website on which volunteers can sign up to deliver humanitarian aid in Venezuela, with the cloned version using a lookalike domain. Such phishing sites are common. What makes this one scarier, though, is that within Venezuela the DNS of the original site resolves to the IP address of the cloned version.


The AZORult information-stealing trojan is often mentioned in these newsletters as it is spread in various malware campaigns. However, BlueLiv reports that the alleged author of the malware has recently announced it will stop being sold. BlueLiv’s telemetry suggests that this might indeed be true.

 


Late last year, Trickbot added a module that stole passwords from various applications. This ‘pwgrab’ module, researchers at Trend Micro write, has now been updated to steal credentials from VNC, PuTTy and RDP. Though most users won’t run any of these clients, those who do often use them to connect to high-value targets, so this fits the trend of commodity malware looking to exploit the most valuable infections.


Crowdstrike’s Brendon Feeley and Bex Hartley have analysed a new campaign by a cybercrime actor they dub Lunar Spider. Lunar Spider is believed to be the author of the IcedID/Bokbot malware but has occasionally worked together with the Wizard Spider group, believed to be behind Trickbot. This cooperation might have recently become more intimate as in the new campaign, the former serves a custom variant of Trickbot. A (possibly unrelated) spam campaign which served Emotet, which then downloaded IcedID, which then downloaded Trickbot, was analysed by Brad Duncan.


Though exploit kits have decreased significantly in prevalence since the days of Blackhole half a dozen years ago, there are still many active kits that use various anti-analysis techniques to stay under the radar. We still catch many in our VBWeb lab, and we always enjoy reading the quarterly exploit kit overviews by Malwarebytes researcher Jerome Segura. In the latest overview, he lists the six exploit kits that are known to be active, from the fairly common Rig to the cutting-edge Fallout and the geo-targeted Magnitude and GreenFlash Sundown kits.

 

Our own quarterly VBWeb reports also look at exploit kits and the wider web threat landscape, while also detailing the results of our web security product tests. The latest report was published last week. Don’t hesitate to get in touch with us if you are interested in having your product tested either publicly or privately.


Apart from exploit kits, fake updates are also plaguing web users, by tricking them into downloading malware. On the SANS Internet Storm Center blog, Brad Duncan looks at a recent case that served the Chthonic banking trojan.


Many remote access trojans (RATs) are sold commercially (under the guise of remote access tools) or are available as free open source projects. The Quasar RAT is an example of the latter, and while that makes analysis easy, it hasn’t stopped it from being used in various state-sponsored attacks. At the Stratosphere IPS blog, Veronica Valeros has published a short, but well-referenced overview of what is known about the RAT.


More than eight years ago, Liam O’Murchu used the inflation of a balloon through a computer program to demonstrate to the VB2010 audience how Stuxnet interacted with the nuclear centrifuges it targeted. Since then, malware targeting industrial control systems (ICS), though still fairly rare, has become more common. To demonstrate the damage malware can do to an ICS, and to let one try this out for oneself, Cisco Talos’s Paul Rascagnères has released the 3D printable model of an oil pumpjack, together with the source code of the controller and its human-machine interface.


Malware packers frustrate both detection and analysis, though this is often somewhat mitigated by malware families using the same packer. ZScaler’s Manohar Ghule has reverse-engineered a packer (or crypter) used by various malware families, including Emotet, Qakbot and Dridex.
 

The use of targeted ransomware such as SamSam, Ryuk or Matrix to extort large amounts of money from organisations is well documented. However, an analysis on Sophos’s Naked Security blog shows how GandCrab, sold as ransomware-as-a-service and typically spread in large, opportunistic campaigns, was used in a targeted attack against a hospital.



Another GandCrab infection was analysed by Chris Bisnett of Huntress Labs, who discovered that a long patched ConnectWise vulnerability was being used to infect MSPs with the infamous ransomware.


Trend Micro researchers Don Ladores and Luis Magisa have analysed a macOS malware sample that uses an inventive trick to bypass Gatekeeper and other built-in protections. The installer for this information stealer bundles an .exe file, which would not normally run on macOS, together with the Mono framework, a cross-platform .NET runtime that the installer then uses to execute it.


The Shlayer macOS malware was first analysed by Intego in 2018 and made the news recently when Confiant found it being delivered as the payload in a complex malvertising campaign targeting Mac users. Carbon Black has now published an analysis of this new variant of Shlayer, which steals system information before installing a second-stage payload.


Smokeloader is a malware downloader that allows for the use of plug-ins to perform other common malware functions, such as logging keystrokes or mining cryptocurrencies. It has been active since at least 2011 and has widely been analysed, but researchers at 360’s Netlab have focused on an often ignored part of the malware operation: its admin panel. They believe that recently found modified samples aren’t an attempt by the malware author to hide the C&C domains, but an example of a Smokeloader customer having tweaked the malware to avoid paying the author to update the domains.


Last week we wrote about a malspam attack targeting users in Italy where malicious PowerShell code was hidden inside the pixels of a Super Mario image. In the unlikely (and unwise) event you were blocking this campaign based on the image itself, note that Carbon Black has analysed a different sample that uses the image of a snowman.

 

Avast researchers have analysed Rietspoof, a new multi-stage malware family with the ability to download further malware, and which exhibits some interesting behaviour. Rietspoof’s C&C server only communicates with IP addresses based in the USA, indicating a geo-targeted attack, while the executable is signed with valid code-signing certificates.



Last year, ESET published a paper on GreyEnergy, believed to be a successor to the BlackEnergy malware once used to turn off the lights in parts of Ukraine. Now, Nozomi’s Alessandro Di Pinto has written a research paper in which he presents a detailed analysis of GreyEnergy’s packer and dropper and the various anti-analysis tricks they deployed.


A blog post by HaveIBeenPwned’s Troy Hunt on his decision not to include the Collection #2 to #5 lists in his database (after he had previously added Collection #1) gives a good insight into the poor quality of such lists that are widely available in the cybercriminal underground.


In a well-researched overview paper, ESET researcher Lukas Stefanko writes about two kinds of malicious apps targeting Android users’ bank accounts: fake banking apps that use bogus login screens to harvest data, and the more sophisticated banking trojans that perform their malicious tasks when the legitimate banking app is launched.

 

Cybereason researchers have analysed a new version of the Astaroth infostealer that has targeted Brazil. Interestingly, and worryingly, while earlier versions of the malware quit upon detecting the user was running Avast, this version actually leverages the anti-virus software when it is present by using it to download a malicious module.


Though not as widely used as, for example, the Google Play store, the Microsoft Store has millions of users and contains hundreds of thousands of apps. Some of these, Symantec researchers have found, are written for malicious purposes, with eight apps engaged in illicit mining of Monero. Interestingly, the JavaScript mining code wasn’t stored inside the apps themselves, but was pulled from Google Tag Manager, which might have helped the apps bypass Microsoft’s defences.


February may be a short month, but the monthly release of patches by Microsoft in what used to be known as Patch Tuesday was by no means small. No fewer than 74 vulnerabilities were patched, several of which were deemed critical by the SANS Internet Storm Center which, as always, provided a useful overview. Notable among the vulnerabilities for which patches have been released is CVE-2019-0676, which gives a malicious website information on whether a file is present on disk, and which has already been used in the wild. Also patched is the widely discussed ‘PrivExchange’ vulnerability (CVE-2019-0686) in Microsoft Exchange Server.


As always, Adobe has issued patches for its various products as well, with the majority of them affecting Acrobat and Reader.


Wordfence’s Mikey Veenstra has analysed a recently patched file upload vulnerability in the paid-for WP Cost Estimation plug-in for WordPress. While doing so, he found a directory traversal vulnerability that has since also been patched. Meanwhile, WebARX’s Luka Šikić found and reported a privilege escalation vulnerability in the free and popular Simple Social Buttons plug-in. This too has been patched.

 

On the Crowdstrike blog, researchers Hanno Heinrichs and Florent Hochwelker explain how secure boot can be used to harden a Dell laptop running Fedora 29, and how it can be customized to further harden it.


My Online Security has looked at how French-speaking Canadians were being targeted in an email spam campaign that claimed to come from the Royal Bank of Canada and which was delivering Trickbot via macros in an Excel attachment.


The same blog also looked at a spam email targeting “blockchain customers” with a new update that will “keep [their] bitcoins safe”; the email helpfully suggests disabling anti-virus. Those falling for the trick and opening the link would find themselves infected with the DarkComet RAT.


On the SANS Internet Storm Center blog, Xavier Mertens has written about a PDF he analysed that, upon opening, contacted a remote SMB share.


Seqrite’s Bajrang Mane has analysed a malicious Word document, attached to a spam email, that led to a GandCrab ransomware infection.

 


Menlo Security has looked at recent campaigns spreading Emotet and at the use of XML files with macros embedded, masquerading as .doc Office files.
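Files of the kind described above can be caught by checking what a ‘.doc’ attachment actually contains rather than trusting its extension. The following is an added example (not code from Menlo Security or from the original newsletter) that distinguishes the legacy OLE and OOXML containers from a Word 2003 XML document, and flags the latter when it carries the format’s own macro markers (the `w:macrosPresent="yes"` attribute and an `editdata.mso` binData block). The sample document is constructed for the example; its base64 payload is a placeholder.

```python
import re

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm) container

# Markers of embedded VBA in the Word 2003 XML format.
MACROS_PRESENT = re.compile(rb'w:macrosPresent\s*=\s*"yes"', re.IGNORECASE)
EDITDATA_BLOB = re.compile(rb'<w:binData[^>]*w:name\s*=\s*"editdata\.mso"', re.IGNORECASE)
WORD_PROGID = re.compile(rb'mso-application[^>]*progid\s*=\s*"Word\.Document"', re.IGNORECASE)


def classify(data: bytes) -> dict:
    """Identify the real container of a document, ignoring its file extension."""
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")  # tolerate a BOM / leading whitespace
    if data.startswith(OLE_MAGIC):
        return {"container": "ole", "macros": None}   # needs an OLE/VBA parser (e.g. olevba)
    if data.startswith(ZIP_MAGIC):
        return {"container": "ooxml", "macros": None}  # inspect vbaProject.bin inside the zip
    if head.startswith(b"<?xml") or head.startswith(b"<"):
        macros = bool(MACROS_PRESENT.search(data) or EDITDATA_BLOB.search(data))
        return {"container": "xml", "word_xml": bool(WORD_PROGID.search(data)), "macros": macros}
    return {"container": "unknown", "macros": None}


def is_masquerading(filename: str, data: bytes) -> bool:
    """True when a file named .doc is really a Word XML document carrying macros."""
    info = classify(data)
    return filename.lower().endswith(".doc") and info["container"] == "xml" and info["macros"]


# Constructed sample: a Word 2003 XML document with the macro markers present.
SAMPLE_XML_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml" '
    b'w:macrosPresent="yes">\n'
    b'<w:binData w:name="editdata.mso">QUFBQUFBQUFBQUFB</w:binData>\n'  # placeholder blob
    b'<w:body><w:p><w:r><w:t>Please enable content</w:t></w:r></w:p></w:body>\n'
    b'</w:wordDocument>\n'
)

if __name__ == "__main__":
    print(classify(SAMPLE_XML_DOC))
    print("masquerading:", is_masquerading("invoice.doc", SAMPLE_XML_DOC))
```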


Myki has analysed a phishing campaign that mimicked a Facebook single sign-on pop-up window. The pop-up looked very realistic as the URL bar was generated using HTML, so that what was actually an HTML overlay looked like a genuine Facebook pop-up.


Finally, ThreatSTOP’s John Bambenek has written about a phishing email that masqueraded as a DocuSign invoice. In our VBSpam test lab, we saw several of these emails and found them to be blocked by most email security products. The same was true for some spam emails with phishing links containing up to 1,000 characters that Bleeping Computer writes about.


© 2019 Virus Bulletin Limited

The Pentagon, Abingdon Science Park, Abingdon, Oxon, OX14 3YP, UK