Mozilla Releases Security Update for Thunderbird ESR

This post was originally published on this site

Original release date: October 31, 2018

Mozilla has released a security update to address vulnerabilities in Thunderbird ESR. An attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review the Mozilla Security Advisory for Thunderbird ESR 60.3 and apply the necessary update.


This product is provided subject to this Notification and this Privacy & Use policy.

Apache Releases Security Update for Apache Tomcat JK Connectors

Original release date: October 31, 2018

The Apache Software Foundation has released a security update to address a vulnerability affecting Apache Tomcat JK Connectors 1.2.0 to 1.2.44. A remote attacker could exploit this vulnerability to obtain access to sensitive information.

NCCIC encourages users and administrators to review the Apache security advisory for CVE-2018-11759 and apply the necessary update or mitigation.


An error occurred while starting service ‘sps’ VMware vSphere profile-driven Storage failed to start

Hello, I am very new to the community.

I am working on a new install and configuration of the VCSA to get vSphere running, and I am receiving an error in the process. I am building the VCSA VM on an HP Blade Gen 10 6.7 ESXi host.

“An error occurred while starting service ‘sps’ VMware vSphere Profile-Driven Storage failed to start”

I will appreciate any help… Thank you.

More malspam using password-protected Word docs, (Wed, Oct 31st)

Introduction

This diary reviews an example of malicious spam (malspam) using password-protected Word documents to distribute Nymaim on Tuesday 2018-10-30.

Background: Since March 2013, I’ve documented several examples of malspam using password-protected Word documents to distribute malware.  Previously, this malspam pushed various families of ransomware.  In August 2018, this malspam switched to pushing Neutrino malware.  By September 2018, this campaign started pushing Nymaim. 

Last week on 2018-10-26, this campaign briefly switched to pushing GlobeImposter ransomware, but this week it’s back to pushing Nymaim.

A list of my posts about this malspam (ISC diaries or posts from malware-traffic-analysis.net) follows:

2018-03-14 – Malspam with password-protected Word docs pushes Sigma ransomware
2018-04-20 – Malspam with password-protected Word docs pushes GlobeImposter ransomware
2018-05-09 – Malspam with password-protected Word docs pushes Sigma ransomware
2018-06-04 – Malspam with password-protected Word docs pushes Gandcrab ransomware
2018-07-23 – Malspam with password-protected Word docs pushes AZORult then Hermes ransomware
2018-07-27 – Malspam with password-protected Word docs pushes Hermes ransomware
2018-08-15 – More malspam pushing password-protected Word docs for AZORult and Hermes ransomware
2018-08-21 – More malspam with password-protected Word docs, now pushing Neutrino
2018-09-06 – Malspam with password-protected Word docs pushes AZORult then Neutrino
2018-09-17 – Quick post: Malspam with password-protected Word docs pushes Nymaim
2018-09-21 – Malspam with password-protected Word docs still pushing Nymaim
2018-09-28 – More malspam with password-protected Word docs pushing Nymaim
2018-10-26 – Malspam with password-protected Word docs now pushing GlobeImposter ransomware

Now let’s review my most recent infection from Tuesday evening on 2018-10-30.


Shown above:  Flow chart for infections from this malspam campaign.

Emails

The emails all have spoofed sending addresses, and recent messages are either resume-themed or invoice-themed.  The most recent emails I’ve seen are invoice-themed with invoice.doc as the file attachment.  These emails are currently sent from servers residing in the 176.119.6.0/24 block of IP addresses.  This block appears to be administered by MultiDC, a hosting company based in the Ukraine.  Passwords for the attached Word documents have been 1234 for several weeks now.


Shown above:  An example of malspam from this campaign.

After a victim unlocks the password-protected Word document, it shows a message asking readers to enable macros.  Macros on this Word document will download and install malware on a vulnerable Windows host.


Shown above:  An unlocked Word document waiting for its victim to enable macros.
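The header traits described above (relay in the 176.119.6.0/24 block, the encoded-word padding in the From: display name, a .doc attachment whose password is handed over in the body) can be checked mechanically at the mail gateway. The following is an added example, not code from the diary; the messages are constructed from the header patterns the diary lists, and mx.example.invalid, the recipient and the attachment bytes are placeholders.

```python
import email
import ipaddress
import re
from email.header import decode_header

# Sending block the diary attributes to this campaign.
CAMPAIGN_BLOCK = ipaddress.ip_network("176.119.6.0/24")
# A bracketed IPv4 literal inside a Received: header, e.g. "([176.119.6.30])".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample modelled on the header patterns the diary lists: relay
# domain, display name, encoded word, IP, subject and attachment name are the
# diary's; recipient, timestamp, body text and attachment bytes are made up.
SAMPLE_MSG = b"""Received: from tonnocraft.com ([176.119.6.30])
\tby mx.example.invalid with ESMTP; Tue, 30 Oct 2018 18:02:11 +0000
From: Lavera Muck =?UTF-8?B?wqA=?= <noreply@tonnocraft.com>
To: victim@example.invalid
Subject: Invoice Attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please review the attached invoice. Document password: 1234
--b1
Content-Type: application/msword; name="invoice.doc"
Content-Disposition: attachment; filename="invoice.doc"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBkb2N1bWVudA==
--b1--
"""

# Constructed benign message for contrast: relay outside the block, plain From:, no attachment.
BENIGN_MSG = b"""Received: from mail.example.invalid ([192.0.2.10])
\tby mx.example.invalid with ESMTP; Tue, 30 Oct 2018 18:05:00 +0000
From: Pat Example <pat@example.invalid>
To: victim@example.invalid
Subject: Lunch

See you at noon.
"""


def relay_ips(msg):
    """IPv4 addresses bracketed in the Received: headers, outermost hop first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for m in RECEIVED_IP.finditer(hdr):
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def display_name_has_hidden_whitespace(from_header):
    """True if an RFC 2047 encoded word in From: decodes to whitespace only.

    The diary's From: lines carry =?UTF-8?B?wqA=?=, a lone U+00A0 no-break
    space that is invisible once the header is rendered.
    """
    for chunk, charset in decode_header(from_header):
        if charset is None or not isinstance(chunk, bytes):
            continue  # plain-text chunk, not an encoded word
        text = chunk.decode(charset, errors="replace")
        if text and text.isspace():
            return True
    return False


def assess_message(raw):
    """Campaign traits found in one raw RFC 5322 message (empty list = none)."""
    msg = email.message_from_bytes(raw)  # default compat32 policy keeps headers raw
    findings = []
    if any(ip in CAMPAIGN_BLOCK for ip in relay_ips(msg)):
        findings.append("relay in 176.119.6.0/24")
    if display_name_has_hidden_whitespace(msg.get("From", "")):
        findings.append("encoded whitespace in From display name")
    doc_attached = any(
        (part.get_filename() or "").lower().endswith(".doc") for part in msg.walk()
    )
    mentions_password = any(
        b"password" in (part.get_payload(decode=True) or b"").lower()
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )
    if doc_attached and mentions_password:
        findings.append(".doc attachment with its password given in the body")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MSG), ("benign", BENIGN_MSG)):
        print(label, assess_message(raw) or "no campaign traits")
```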

Malware from an infected host

The Word macro retrieved a Windows executable from 209.141.60.230 and saved it to the user’s AppData\Local\Temp directory as qwerty2.exe.  In this case, qwerty2.exe was Nymaim.  The malware deleted itself after follow-up Nymaim executables were installed and made persistent on the infected Windows host.


Shown above:  Initial Nymaim executable that deleted itself after the infection.


Shown above:  Follow-up Nymaim executable (1 of 3) made persistent through the Windows registry.


Shown above:  Follow-up Nymaim executable (2 of 3) also persistent through the Windows registry.


Shown above:  Follow-up Nymaim executable (3 of 3) persistent through a shortcut in the Windows Startup folder.
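The three persistence mechanisms the diary reports (a replaced Winlogon Shell value, a Run value, and a Startup-folder shortcut, all pointing into ProgramData or AppData\Local) are easy to sweep for once an autorun inventory has been collected. The following is an added example, not the diary's code: it audits a constructed inventory in which the first three entries reproduce the diary's locations ("alice" stands in for [username]) and the last two are made-up benign entries.

```python
import re

# Locations a standard user can write to; an autorun whose executable lives
# here deserves a look. Patterns are applied to the lower-cased path.
USER_WRITABLE = (
    re.compile(r"^[a-z]:\\programdata\\"),
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\"),
    re.compile(r"\\temp\\"),
)

# Constructed autorun inventory (what a registry/Startup-folder collector would return).
SAMPLE_AUTORUNS = [
    {"source": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "name": "Shell",
     "command": r"C:\ProgramData\algebra-1\algebra-2.exe -q2"},
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "bending-5",
     "command": r"C:\ProgramData\bending-5\1bending-2.exe -k4"},
    {"source": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
     "name": "esbga-5.lnk",
     "command": r"C:\Users\alice\AppData\Local\esbga-7\esbga-5.exe -9"},
    {"source": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth",
     "command": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "VendorAgent",
     "command": r'"C:\Program Files\Vendor\agent.exe" --tray'},
]


def executable_of(command):
    """Extract the program path from an autorun command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    for i, tok in enumerate(tokens):  # bare path with spaces: join up to the .exe
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else ""


def audit_autoruns(entries):
    """Return (location, reason) pairs for entries matching the diary's patterns."""
    findings = []
    for e in entries:
        exe = executable_of(e["command"]).lower()
        where = e["source"] + "\\" + e["name"]
        # Nymaim replaced the Winlogon Shell value; anything but explorer.exe is wrong.
        if e["source"].lower().endswith("\\winlogon") and e["name"].lower() == "shell":
            if exe.rpartition("\\")[2] != "explorer.exe":
                findings.append((where, "Winlogon Shell value is not explorer.exe"))
        # Legitimate per-user installers also live under AppData\Local, so pair
        # this rule with an allowlist of known products rather than dropping it.
        if any(p.search(exe) for p in USER_WRITABLE):
            findings.append((where, "autorun executable in a user-writable location"))
    return findings


if __name__ == "__main__":
    for where, reason in audit_autoruns(SAMPLE_AUTORUNS):
        print(f"{reason}: {where}")
```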

Network traffic

Network traffic was typical for Nymaim infections I’ve recently seen.  This malware spoofs legitimate domains carfax.com and zepter.com but uses different IP addresses based on DNS queries for other domains.

Nymaim uses Google DNS to query IP addresses on actual malicious domains.  In most cases, IP addresses from those DNS queries are not directly used by the infected host for spoofed traffic to carfax.com and zepter.com.  Ultimately, info returned by these Google DNS queries is used by Nymaim to calculate or determine the actual IP addresses used in its post-infection traffic.  People should understand that Carfax and Zepter are not involved with this activity.

Of note, the infected Windows host also made DNS queries through Google DNS for google.com and microsoft.com.


Shown above:  HTTP traffic from the infection filtered in Wireshark.


Shown above:  DNS traffic used by Nymaim to determine IP addresses used for spoofed traffic to carfax.com and zepter.com.
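Two of the traits described above are detectable from ordinary DNS and HTTP logs: the infected host posts to carfax.com and zepter.com at addresses it never obtained by resolving those names, and it sends its real lookups to Google DNS instead of the local resolver. The following is an added example, not from the diary or its pcap; the records are constructed in a Zeek-like tab-separated layout, the spoofed Host values and the 2.90.156.13 and 209.141.60.230 addresses come from the diary, and the client 10.0.0.15, the resolver 10.0.0.2 and the 203.0.113.x answers are placeholders. A name resolved before the capture window started will also surface as "never resolved", so run this over a DNS history long enough to cover the HTTP flows being checked.

```python
import ipaddress
from collections import defaultdict

INTERNAL_RESOLVER = "10.0.0.2"  # assumption: the only resolver clients should use

# Constructed DNS records: src_ip, resolver_ip, query, answer.
DNS_FIELDS = ("src_ip", "resolver_ip", "query", "answer")
DNS_LOG = """\
10.0.0.15\t10.0.0.2\tintranet.example\t203.0.113.9
10.0.0.15\t8.8.8.8\tgoogle.com\t203.0.113.40
10.0.0.15\t8.8.8.8\tmicrosoft.com\t203.0.113.41
10.0.0.15\t8.8.8.8\tshetyiosnf.com\t203.0.113.77
10.0.0.15\t8.8.8.8\tdeligvsiogsd.com\t203.0.113.78
"""

# Constructed HTTP records: src_ip, dst_ip, host header, method, uri.
HTTP_FIELDS = ("src_ip", "dst_ip", "host", "method", "uri")
HTTP_LOG = """\
10.0.0.15\t203.0.113.9\tintranet.example\tGET\t/
10.0.0.15\t209.141.60.230\t209.141.60.230\tGET\t/516.exe
10.0.0.15\t2.90.156.13\tzepter.com\tPOST\t/7pxvwbh5sm/index.php
10.0.0.15\t2.90.156.13\tcarfax.com\tPOST\t/
"""


def parse_tsv(text, fields):
    """Turn tab-separated lines into dicts keyed by the given field names."""
    return [dict(zip(fields, line.split("\t"))) for line in text.splitlines() if line]


def resolved_addresses(dns_records):
    """Map each name the client looked up to the set of answers it received."""
    answers = defaultdict(set)
    for r in dns_records:
        answers[r["query"].lower()].add(r["answer"])
    return answers


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_host_header_mismatches(dns_records, http_records):
    """HTTP flows whose Host header does not agree with the client's own DNS.

    Nymaim's spoofed carfax.com / zepter.com traffic goes to addresses the host
    never obtained by resolving those names, so each such flow lands here.
    Returns (dst_ip, host, reason) tuples in log order.
    """
    answers = resolved_addresses(dns_records)
    findings = []
    for r in http_records:
        host = r["host"].lower()
        if is_ip_literal(host):
            findings.append((r["dst_ip"], host, "raw IP address in Host header"))
        elif host not in answers:
            findings.append((r["dst_ip"], host, "Host never resolved by this client"))
        elif r["dst_ip"] not in answers[host]:
            findings.append((r["dst_ip"], host, "Host resolved to a different address"))
    return findings


def find_resolver_bypass(dns_records, expected_resolver):
    """Lookups sent somewhere other than the configured resolver (here: Google DNS)."""
    return sorted(
        {(r["resolver_ip"], r["query"]) for r in dns_records
         if r["resolver_ip"] != expected_resolver}
    )


DNS_RECORDS = parse_tsv(DNS_LOG, DNS_FIELDS)
HTTP_RECORDS = parse_tsv(HTTP_LOG, HTTP_FIELDS)

if __name__ == "__main__":
    for finding in find_host_header_mismatches(DNS_RECORDS, HTTP_RECORDS):
        print("host mismatch:", finding)
    for resolver, name in find_resolver_bypass(DNS_RECORDS, INTERNAL_RESOLVER):
        print("resolver bypass:", name, "->", resolver)
```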

Indicators

Data on 10 malspam examples from 2018-10-27 through 2018-10-30:


SHA256 hashes for the attached Word documents:

Malware on the infected Windows host:

SHA256 hash: 45e387b429e6883f12c777b6b7be1c1239dc34115d882bce98afc80e7ad4b2b6

  • File size: 1,392,640 bytes
  • File type: PE32 executable (GUI) Intel 80386, for MS Windows
  • File location: C:\Users\[username]\AppData\Local\Temp\qwerty2.exe
  • Persistence mechanism: none (deletes itself after running)
  • File description: Initial Nymaim executable downloaded by Word macro

SHA256 hash: 11b0c2732e0bcbfb6d7bbf37180344ec0b1eafd58d73fe65278b69cfb981daf1

  • File size: 982,016 bytes
  • File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
  • File location: C:\ProgramData\algebra-1\algebra-2.exe
  • Persistence mechanism: Windows Registry entry
  • Entry: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon – shell
  • Command: C:\ProgramData\algebra-1\algebra-2.exe -q2
  • File description: Nymaim malware persistent on the infected Windows host (1 of 3)

SHA256 hash: 524f22a1582a03defca57913e6a55d5989c4fc1330163efce284ec5eced983ca

  • File size: 1,068,544 bytes
  • File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
  • File location: C:\ProgramData\bending-5\1bending-2.exe
  • Persistence mechanism: Windows Registry entry
  • Entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run – bending-5
  • Command: C:\ProgramData\bending-5\1bending-2.exe -k4
  • File description: Nymaim malware persistent on the infected Windows host (2 of 3)

SHA256 hash: 8d10d226e723dd9ad8993e4710d5913078d83bae6870b61aa70bafaefbe70c49

  • File size: 982,016 bytes
  • File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
  • File location: C:\Users\[username]\AppData\Local\esbga-7\esbga-5.exe
  • Persistence mechanism: Windows shortcut in the Startup folder
  • Command: C:\Users\[username]\AppData\Local\esbga-7\esbga-5.exe -9
  • File description: Nymaim malware persistent on the infected Windows host (3 of 3)

Traffic from an infected Windows host:

  • DNS query to Google DNS for: microsoft.com
  • DNS query to Google DNS for: google.com
  • DNS query to Google DNS for: shetyiosnf.com
  • DNS query to Google DNS for: deligvsiogsd.com

Final words

Email examples, pcap, and malware associated with today’s diary can be found here.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Hostd, vpxa and the vSphere API/SDK – Confusion on where the APIs actually live

Hi All,

I’m taking the VMware vSphere Deploy, Manage course and was confused about this:

  • In one slide, the instructor showed that vCenter Server communicated with the ESXi host using the vSphere API/SDK (the VMware Host Client also communicated using this)
  • In another slide, the instructor showed that the vCenter Server communicated with a vCenter agent living on the ESXi host (vpxa). This then communicated with another process called hostd, which then executed commands at the hypervisor…

With the second bullet point in mind, where does the vSphere API/SDK fit in? Is hostd the item that houses the vSphere API? Does vCenter communicate with vpxa, which then communicates with hostd using the vSphere API/SDK?

Clarification would be much appreciated.

Apple Releases Multiple Security Updates

Original release date: October 30, 2018

Apple has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates:


ST18-005: Proper Disposal of Electronic Devices

Original release date: October 30, 2018

Why is it important to dispose of electronic devices safely?

In addition to effectively securing sensitive information on electronic devices, it is important to follow best practices for electronic device disposal. Computers, smartphones, and cameras allow you to keep a great deal of information at your fingertips, but when you dispose of, donate, or recycle a device you may inadvertently disclose sensitive information which could be exploited by cyber criminals.

Types of electronic devices include:

  • Computers, Smartphones, and Tablets — electronic devices that can automatically store and process data; most contain a central processing unit and memory, and use an operating system that runs programs and applications.
  • Digital Media — these electronic devices create, store, and play digital content. Digital media devices include items like digital cameras and media players.
  • External Hardware and Peripheral Devices — hardware devices that provide input and output for computers, such as printers, monitors, and external hard drives; these devices contain permanently stored digital characters.
  • Gaming Consoles — electronic, digital, or computer devices that output a video signal or visual image to display a video game.

What are some effective methods for removing data from your device?

There are a variety of methods for permanently erasing data from your devices (also called sanitizing). Because methods of sanitization vary according to device, it is important to use the method that applies to that particular device.

Methods for sanitization include:

  • Backing Up Data. Saving your data to another device or a second location (e.g., an external hard drive or the cloud) can help you recover your data if your device is stolen. Options for digital storage include cloud data services, CDs, DVDs, and removable flash drives or removable hard drives (see ST08-001 Using Caution with USB Drives and ST04-020 Protecting Portable Devices: Data Security for more information). Backing up your data can also help you identify exactly what information a thief may have been able to access.
  • Deleting Data. Removing data from your device can be one method of sanitization. When you delete files from a device—although the files may appear to have been removed—data remains on the media even after a delete or format command is executed. Do not rely solely on the deletion method you routinely use, such as moving a file to the trash or recycle bin or selecting “delete” from the menu. Even if you empty the trash, the deleted files are still on the device and can be retrieved. Permanent data deletion requires several steps.
    • Computers. Use a disk cleaning software designed to permanently remove the data stored on a computer hard drive to prevent the possibility of recovery.
      • Secure erase. This is a set of commands in the firmware of most computer hard drives. If you select a program that runs the secure erase command set, it will erase the data by overwriting all areas of the hard drive.
      • Disk wiping. This is a utility that erases sensitive information on hard drives and securely wipes flash drives and secure digital cards.
    • Smartphones and Tablets. Ensure that all data is removed from your device by performing a “hard reset.” This will return the device to its original factory settings. Each device has a different hard reset procedure, but most smartphones and tablets can be reset through their settings. In addition, physically remove the memory card and the subscriber identity module card, if your device has one.
    • Digital Cameras, Media Players, and Gaming Consoles. Perform a standard factory reset (i.e., a hard reset) and physically remove the hard drive or memory card.
    • Office Equipment (e.g., copiers, printers, fax machines, multifunction devices). Remove any memory cards from the equipment. Perform a full manufacture reset to restore the equipment to its factory default.
  • Overwriting. Another method of sanitization is to delete sensitive information and write new binary data over it. Using random data instead of easily identifiable patterns makes it harder for attackers to discover the original information underneath. Since data stored on a computer is written in binary code—strings of 0s and 1s—one method of overwriting is to zero-fill a hard disk and select programs that use all zeros in the last layer. Users should overwrite the entire hard disk and add multiple layers of new data (three to seven passes of new binary data) to prevent attackers from obtaining the original data.
    • Cipher.exe is a built-in command-line tool in Microsoft Windows operating systems that can be used to encrypt or decrypt data on New Technology File System drives. This tool also securely deletes data by overwriting it.
    • Clearing is a level of media sanitation that does not allow information to be retrieved by data, disk, or file recovery utilities. The National Institute of Standards and Technology (NIST) notes that devices must be resistant to keystroke recovery attempts from standard input devices (e.g., a keyboard or mouse) and from data scavenging tools.
  • Destroying. Physical destruction of a device is the ultimate way to prevent others from retrieving your information. Specialized services are available that will disintegrate, burn, melt, or pulverize your computer drive and other devices. These sanitization methods are designed to completely destroy the media and are typically carried out at an outsourced metal destruction or licensed incineration facility. If you choose not to use a service, you can destroy your hard drive by driving nails or drilling holes into the device yourself. The remaining physical pieces of the drive must be small enough (at least 1/125 inches) that your information cannot be reconstructed from them. There are also hardware devices available that erase CDs and DVDs by destroying their surface.
    • Magnetic Media Degaussers. Degaussers expose devices to strong magnetic fields that remove the data that is magnetically stored on traditional magnetic media.
    • Solid-State Destruction. The destruction of all data storage chip memory by crushing, shredding, or disintegration is called solid-state destruction. Solid-State Drives should be destroyed with devices that are specifically engineered for this purpose.
    • CD and DVD Destruction. Many office and home paper shredders can shred CDs and DVDs (be sure to check that the shredder you are using can shred CDs and DVDs before attempting this method).

For more information, see the NIST Special Publication 800-88 Guidelines for Media Sanitization.

How can you safely dispose of out-of-date electronic devices?

Electronic waste (sometimes called e-waste) is a term used to describe electronics that are nearing the end of their useful life and are discarded, donated, or recycled. Although donating and recycling electronic devices conserves natural resources, you may still choose to dispose of e-waste by contacting your local landfill and requesting a designated e-waste drop off location. Be aware that although there are many options for disposal, it is your responsibility to ensure that the location chosen is reputable and certified. Visit the Environmental Protection Agency’s (EPA) Electronics Donation and Recycling webpage for additional information on donating and recycling electronics. For information on recycling regulations and facilities in your state, visit the EPA Regulations, Initiatives, and Research on Electronics Stewardship webpage.



National Cybersecurity Awareness Month: Staying Secure

Original release date: October 30, 2018

National Cybersecurity Awareness Month is over, but your work securing your home and business systems and networks is not.

NCCIC recommends users and administrators subscribe to NCCIC National Cyber Awareness System product notifications to keep on top of cybersecurity threats as they emerge.


Campaign evolution: Hancitor malspam starts pushing Ursnif this week, (Tue, Oct 30th)

Introduction

Today’s diary reviews noteworthy changes in recent malicious spam (malspam) pushing Hancitor.

Background:  Malspam pushing Hancitor (also known as Chanitor or Tordal) is a long-running campaign I frequently document on my malware traffic analysis blog.  Infections from this malspam tend to follow predictable patterns and usually end with Zeus Panda Banker as the follow-up malware.  However, this campaign occasionally tries new techniques or sends different follow-up malware.

In recent months, a baseline Hancitor infection used Word macros to push Pony malware and Evil Pony to system RAM, and it also pushed Zeus Panda Banker to disk as a persistent follow-up infection.

However, last week we noticed some changes.  I documented a wave of Hancitor malspam on Monday 2018-10-22 that only pushed Pony malware and didn’t send Zeus Panda Banker.  This week, a Hancitor infection on Monday 2018-10-29 sent Ursnif as the follow-up malware.


Shown above:  Flow chart for a Hancitor malspam infection on Monday 2018-10-29.

The emails

Malspam from this campaign spoofs different online services, and Monday’s example spoofed HelloFax.  As a deception technique, this campaign also spoofs domains from legitimate businesses.  Monday’s example spoofed warrencountyga.com.  Neither HelloFax nor Warren County GA are actually involved with this malspam.  Criminals behind this campaign were simply impersonating names and domains from those two organizations.

Various elements in the email headers change from email to email in this malspam.  For example, subject lines, X-Mailer lines, and even names associated with spoofed sending addresses can change each message.


Shown above:  Email headers you might find in this malspam.


Shown above:  Screenshot from one of the emails in Monday’s wave of malspam.

The downloaded Word document

Links from these messages are designed to download a malicious Word document.  Opening one of these Word documents and enabling macros will infect a vulnerable Windows host.


Shown above:  Downloading a malicious Word document from one of the emails.

Researchers like @James_inthe_box quickly figured out follow-up malware from these infections was Ursnif instead of Zeus Panda Banker.  @Mesa_matt pointed out the Word macro checked for Malwarebytes on an infected Windows host.


Shown above:  Tweet from @James_inthe_box about the follow-up malware.


Shown above:  Tweet from @Mesa_matt about Hancitor checking for Malwarebytes.

This got me curious, so I used Officemalscanner to extract macros from the downloaded Word doc.  Reviewing the macros showed code that checked for the following antivirus solutions:

  • PSUAMain – Panda Cloud Antivirus
  • n360 – Norton 360
  • PccNT – Trend Micro PC-cillin
  • uiSeAgnt – Trend Micro Worry-Free Business Security
  • mbam – Malwarebytes
  • mbamtray – Malwarebytes


Shown above:  Using Officemalscanner to extract macros from the malicious Word doc.


Shown above:  Finding the macro code that checks for Malwarebytes.


Shown above:  Searching the extracted macro to see if it checks for other antivirus solutions.

Infection traffic

Infection traffic was similar to previous Hancitor infections I’ve recently generated in my lab, except there was no Zeus Panda Banker infection traffic.  Instead, I saw post-infection traffic for Ursnif.


Shown above:  Traffic from the infection filtered in Wireshark.


Shown above:  DNS traffic from the infection shows additional domains for Ursnif.

Malware from an infected Windows host

Malware from this infection was not persistent.  It did not survive a reboot of my infected Windows host.  Like Zeus Panda Banker from previous Hancitor infections, follow-up Ursnif malware was saved to the victim’s AppData\Local\Temp folder as a .tmp file.  Unlike previous Zeus Panda Banker infections, Ursnif malware from this infection did not copy itself anywhere else.  It ran as the same .tmp file and was not made persistent to survive a reboot.


Shown above:  Task Manager showed processes by Ursnif and other malware from the infection.


Shown above:  Ursnif malware binary retrieved from my infected Windows host.

Indicators

Indicators of traffic from my infected lab host follow:

  • Start date/time: Monday 2018-10-29 at 16:07 UTC

Downloading the Word document from a link in the email:

  • 47.74.240.167 port 80 – vermontpancake.com – GET /?[string of characters]=[encoded string representing recipient’s email address]

IP address check by the infected Windows host (not inherently malicious on its own):

  • port 80 – api.ipify.org – GET /

Traffic for the follow-up malware (Pony, Evil Pony, and Ursnif):

  • 45.40.182.1 port 80 – mmacontender.com – GET /1
  • 45.40.182.1 port 80 – mmacontender.com – GET /2
  • 45.40.182.1 port 80 – mmacontender.com – GET /4
  • 92.53.126.72 port 80 – otelvictoria.ru – GET /wp-includes/2
  • 92.53.126.72 port 80 – otelvictoria.ru – GET /wp-includes/4
  • 78.155.217.221 port 80 – uzri.net – GET /wp-includes/2
  • 78.155.217.221 port 80 – uzri.net – GET /wp-includes/4

Post-infection traffic for Hancitor, Pony, and Evil Pony:

  • 54.38.145.209 port 80 – oneningsitar.com – attempted TCP connections but no response
  • 185.74.254.92 port 80 – witoftrinreb.ru – POST /4/forum.php
  • 185.74.254.92 port 80 – witoftrinreb.ru – POST /mlu/forum.php
  • 185.74.254.92 port 80 – witoftrinreb.ru – POST /d2/about.php

Post-infection traffic for Ursnif:

  • 8.208.9.98 port 80 – api.xc78cx.at – GET /wpx/[long string of characters]
  • 8.208.9.98 port 80 – io.narran.at – GET /wpx/[long string of characters]
  • 8.208.9.98 port 80 – x1.eromov.at – GET /wpx/[long string of characters]
  • 8.208.9.98 port 80 – chat.ahohri.at – GET /wpx/[long string of characters]
  • 8.208.9.98 port 80 – cdn1.xc78cx.at – GET /wpx/[long string of characters]

DNS queries for additional Ursnif domains:

  • DNS query for golangland.cn – response: No such name
  • DNS query for d1.ho00yn.at – response: No such name
  • DNS query for ar17op.su – response: No such name
  • DNS query for deepmoler.cn – response: No such name
  • DNS query for go.xiroxaro.at – response: Server failure
  • DNS query for ab.pontlap.at – response: No such name

Malware retrieved from my infected lab host follows:

SHA256 hash: 73d7f5cabfc82d7bd8a54e03ecb51567d81ac5dfa8dc1bd36670daede4e6c482

  • File size: 228,864 bytes
  • File name: fax_271094.doc   (random numbers in the file name for each download)
  • File description: Downloaded Word document with macros to cause Hancitor infection

SHA256 hash: 846d1e1d019d5bc2a05940b119e19a07643f2e3851184f843960cfd949280894

  • File size: 81,920 bytes
  • File location: C:\Users\[username]\AppData\Local\Temp\6.exe
  • File location: C:\Users\[username]\AppData\Local\Temp\6.pif
  • File description: Hancitor malware binary   (Windows executable)

SHA256 hash: 07aa5e78498bcf67458770e22590da1529463b9f65213c8f916b3f680d075fdd

  • File size: 81,920 bytes
  • File location: C:\Users\[username]\AppData\Local\Temp\BND309.tmp (random characters before .tmp in the file name)
  • File description: Ursnif malware binary   (Windows executable)

Final words

My standard warning still applies.  Properly-administered Windows hosts are not susceptible to this type of infection.  However, for a variety of reasons, many people run older versions of Windows that are not fully patched or up-to-date.  That’s why criminals continue to run these malspam campaigns.  As long as a small percentage generates a successful infection, these campaigns will remain profitable.

My background is not in system administration, so I don’t have details on tools like SRP or AppLocker that can help prevent these malspam-based attacks.  My previous diary has a comment about an article from Aaron Margosis to simplify AppLocker deployment (link).  For those with Office 2013 and later versions, you have an option to block macros in documents downloaded from the Internet (link).

If you find this diary helpful or have any suggested improvements, please leave a comment.

Email examples, pcap, and malware associated with today’s diary can be found here.


Brad Duncan
brad [at] malware-traffic-analysis.net

Maldoc Duplicating PowerShell Prior to Use, (Mon, Oct 29th)

Reader Tor submitted a suspicious email he received today. It has a Word document attachment, which, no surprise, has VBA macros.

Looking at the VBA code, I noticed that it was concatenating strings together to form an obfuscated PowerShell script. Unfortunately for me, they were concatenated in a different order than the order they appear in the script. Hence I used ViperMonkey to emulate the VBA code (I had to use Python 64-bit, as Python 32-bit was running out of memory while emulating the VBA code):

A Shell statement is executed to start an executable in a temporary folder:

This looks like a PowerShell script. ywqprpphbf.exe is actually a copy of the PowerShell executable. The complete PowerShell directory is copied with a VBA command to a temporary folder, and PowerShell.exe is renamed to ywqprpphbf.exe.

With this copy, the malware authors hope to evade simple detection of PowerShell execution based on process names (powershell.exe).

But this does not prevent PowerShell event log entries from being created:
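One such entry is Event ID 400 in the classic "Windows PowerShell" log, written whenever the engine starts; its HostApplication field records the full path of the hosting process, which is where a renamed copy gives itself away. The following is an added example, not the diary's own code: it parses constructed Event 400 messages (the renamed binary name is the diary's; the "alice" user, versions, ids and script path are made up) and flags any engine start whose host is not the stock powershell.exe location. The EXPECTED_DIRS allowlist is an assumption for a standard install.

```python
import re

# Where powershell.exe legitimately lives on a stock install (assumption: no
# relocated or custom PowerShell hosts in the environment).
EXPECTED_DIRS = (
    "c:\\windows\\system32\\windowspowershell\\v1.0",
    "c:\\windows\\syswow64\\windowspowershell\\v1.0",
)
EXPECTED_NAMES = ("powershell.exe", "powershell_ise.exe")

# Constructed "Windows PowerShell" log entries (Event ID 400, engine start) in the
# key=value layout that log uses. Only the renamed binary name is from the diary.
RENAMED_HOST_EVENT = """Engine state is changed from None to Available.

Details:
    NewEngineState=Available
    PreviousEngineState=None
    SequenceNumber=13
    HostName=ConsoleHost
    HostVersion=5.1.17134.228
    HostId=00000000-0000-0000-0000-000000000001
    HostApplication=C:\\Users\\alice\\AppData\\Local\\Temp\\ywqprpphbf.exe -nop -w hidden -File C:\\Users\\alice\\AppData\\Local\\Temp\\run.ps1
    EngineVersion=5.1.17134.228
    RunspaceId=00000000-0000-0000-0000-000000000002
    PipelineId=
    CommandName=
    CommandType=
    ScriptName=
    CommandPath=
    CommandLine="""

STOCK_HOST_EVENT = """Engine state is changed from None to Available.

Details:
    NewEngineState=Available
    PreviousEngineState=None
    SequenceNumber=9
    HostName=ConsoleHost
    HostVersion=5.1.17134.228
    HostId=00000000-0000-0000-0000-000000000003
    HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile
    EngineVersion=5.1.17134.228
    RunspaceId=00000000-0000-0000-0000-000000000004
    PipelineId=
    CommandName=
    CommandType=
    ScriptName=
    CommandPath=
    CommandLine="""


def parse_details(message):
    """Key=value pairs from the Details block of a PowerShell engine event."""
    details = {}
    for line in message.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            details[key] = value
    return details


def host_binary(host_application):
    """Path of the process hosting the engine: everything up to the first '.exe'."""
    m = re.match(r'"?(.*?\.exe)', host_application, re.IGNORECASE)
    return m.group(1) if m else host_application.split(" ", 1)[0]


def renamed_powershell(message):
    """Finding dict if the engine was hosted from a non-stock binary, else None."""
    host_app = parse_details(message).get("HostApplication", "")
    exe = host_binary(host_app).lower()
    directory, _, name = exe.rpartition("\\")
    if directory in EXPECTED_DIRS and name in EXPECTED_NAMES:
        return None
    # Any other host also lands here (pwsh.exe, management agents that embed the
    # engine): keep an allowlist of those rather than relaxing the rule.
    return {"host_application": exe, "command_line": host_app,
            "reason": "PowerShell engine started from a non-standard host binary"}


def scan_events(messages):
    """Findings for every event in the list, in order."""
    return [f for f in map(renamed_powershell, messages) if f]


if __name__ == "__main__":
    for finding in scan_events([RENAMED_HOST_EVENT, STOCK_HOST_EVENT]):
        print(finding["reason"] + ":", finding["host_application"])
```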

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com