ShadowPad backdoor spreads through software update

Kaspersky lab discovered that attackers were able to modify the NetSarang software update to include a malware tracked as shadowpad backdoor.

Founded in 1997, NetSarang Computer, Inc. develops, markets and supports secure connectivity solutions and specializes in the development of server management tools for large corporate networks.

In July, researchers at Kaspersky Lab were investigating suspicious DNS requests in a partner’s network. The requests were found on systems used to process transactions in a customer’s network in the financial industry.

Further investigation into the DNS queries led them to NetSarang, that promptly sanitized its software update process by removing the malicious library nssock2.dll in its update package,

“In July 2017, during an investigation, suspicious DNS requests were identified in a partner’s network. The partner, which is a financial institution, discovered the requests originating on systems involved in the processing of financial transactions.” states the analysis published by Kaspersky.

The analysis showed that recent versions of software produced and distributed by NetSarang had been surreptitiously modified to include an encrypted payload that could be remotely activated by a knowledgeable attacker.

The backdoor was embedded into one of the code libraries used by the software (nssock2.dll):

170815-shadowpad-1
Disposition of the NSSOCK2.DLL binary with embedded malicious code

The attackers hid their malicious intent in several layers of encrypted code. The tiered architecture prevents the actual business logics of the backdoor from being activated until a special packet is received from the first tier command and control (C&C) server (“activation C&C server”). Until then, it only transfers basic information, including the computer, domain and user names, every 8 hours.

Activation of the payload would be triggered via a specially crafted DNS TXT record for a specific domain. The domain name is generated based on the current month and year values, e.g. for August 2017 the domain name used would be “nylalobghyhirgh.com”.

170815-shadowpad-2
Only when triggered by the first layer of C&C servers does the backdoor activate its second stage

The module performs a quick exchange with the controlling DNS server and provides basic target information (domain and user name, system date, network configuration) to the server. The C&C DNS server in return sends back the decryption key for the next stage of the code, effectively activating the backdoor.

analysis indicates the embedded code acts as a modular backdoor platform. It can download and execute arbitrary code provided from the C&C server, as well as maintain a virtual file system (VFS) inside the registry. The VFS, and any additional files created by the code, are encrypted and stored in a location unique to each victim.

Kaspersky Lab revealed that the first known compile date for the ShadowPad backdoor is Jul 13, hackers signed the malicious code with a legitimate NetSarang certificate.

 Kaspersky confirmed activated payload in a company in Hong Kong. Given that the NetSarang programs are used in hundreds of critical networks around the world, on servers and workstations belonging to system administrators, it is strongly recommended that companies take immediate action to identify and contain the compromised software.

Kaspersky published the list of Indicators of Compromise to help companies to check their systems.

 

Malicious Email campaign targets Russian-Speaking companies

A malicious email campaign against Russian-speaking enterprises is employing a combination of exploits and Windows components to deliver a new backdoor that allows attackers to take over the affected system. The attack abuses various legitimate Windows components to run unauthorized scripts; this is meant to make detection and blocking more challenging, particularly by whitelisting-based solutions.

The campaign was discovered by Trend Micro that has been active for last 2 months and is targeting Russian-speaking firms.

The hackers leverage on many exploits and Windows components to run malicious scripts to avoid detection. The last sample associated with this attack was uploaded to VirusTotal on June 6, 2017 and experts at Trend Micro observed five spam campaigns running from June 23 to July 27, 2017.

201708-backdoor-email-1

The phishing messages are designed to appear as if they were sent from sales and billing departments and contain a weaponized Rich Text Format (RTF) file that exploits the CVE-2017-0199 flaw in Microsoft Office’s Windows Object Linking and Embedding (OLE) interface.

Their limited distribution and specificity in social engineering lures are red flags that may indicate they are a spear-phishing campaign.

Once the exploit code is executed, it downloads a fake Excel XLS file embedded with malicious JavaScript. When opened, the Excel header is ignored and the file is treated as an HTML Application file by the Windows component mshta.exe.

“The exploit code downloads what is supposedly an XLS file from  hxxps://wecloud[.]biz/m11[.]xls. This domain, to which all of the URLs used by this attack point to, is controlled by the attacker and was registered in early July.” states the analysis publiahed by Trend Micro.

“This fake Excel spreadsheet file is embedded with malicious JavaScript. The Excel header will actually be ignored and the file will be treated as an HTML Application file by mshta.exe, the Windows component that handles/opens HTA or HTML files.”

The JavaScript code calls the odbcconf.exe normal executable to run the DLL. Once executed, the DLL drops a SCT file (Windows scriptlet) in the %APPDATA% folder and appends the .TXT extension to it.

The DLL calls is used to power a Squiblydoo attack that leverages the Regsvr32 (Microsoft Register Server) to bypass restrictions on running scripts and evade application whitelisting protections such as AppLocker.

“This particular command uses the Regsvr32 (Microsoft Register Server) command-line utility, which is normally used to register and unregister OLE controls in the Windows registry, including DLL files. This attack method is also known as Squiblydoo—Regsvr32 is abused to bypass restrictions on running scripts.” continues the analysis. “It also means evading application white-listing protections such as AppLocker. While Squiblydoo is already a known attack vector, this is the first time we’ve seen it combined with odbcconf.exe.”

Next, the real backdoor is downloaded and executed, it is an XML file that is downloaded from the domain wecloud[.]biz. Also in this case, it is executed exploiting the same Regsvr32-abusing Squiblydoo attack technique.

The analysis states that “This is another SCT file with obfuscated JavaScript code that contains backdoor commands, which essentially allow attackers to take over an infected system.It tries to connect to it’s C&C server at hxxps://wecloud[.]biz/mail/ajax[.]php and retrieve tasks to carry out, some of which are:

  • d&exec = download and execute PE file
  • gtfo = delete files/startup entries and terminate
  • more_eggs = download additional/new scripts
  • more_onion = run new script and terminate current script
  • more_power = run command shell commands”

While the later stages of the infection chain required the use of various Windows components, the entry point still involves the use of a Microsoft Office exploit. Patching and keeping software up-to-date will protect users. Alternately, employing firewalls, intrusion detection and prevention systems, virtual patching, and URL categorization, as well as enforcing robust patch management policies, will significantly reduce the system’s attack surface.

 

Google discovers & blocks a new Malware family-Lipizzan

Malware researchers at Google have spotted a new strain of Android spyware dubbed Lipizzan that could exfiltrate any kind of data from mobile devices and use them as surveillance tools.

The Lipizzan spyware is a project developed by Israeli startup Equus Technologies.

How does Lipizzan work?

According to the analysis published by Google:

Getting on a target device

Lipizzan was a sophisticated two stage spyware tool. The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a “Backup” or “Cleaner” app. Upon installation, Lipizzan would download and load a second “license verification” stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.

Once implanted on a target device

The Lipizzan second stage was capable of performing and exfiltrating the results of the following tasks:

  • Call recording
  • VOIP recording
  • Recording from the device microphone
  • Location monitoring
  • Taking screenshots
  • Taking photos with the device camera(s)
  • Fetching device information and files
  • Fetching user information (contacts, call logs, SMS, application-specific data)

The spyware is also able to collect data from specific apps, including WhatsApp, Snapchat, Viber, Telegram, Facebook Messenger, LinkedIn, Gmail, Skype, Hangouts, and KakaoTalk.

Google researchers have found at least 20 apps in Play Store which infected fewer than 100 Android smartphones in total, the company classified the infections as targeted attacks.

“We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.” states Google.

What can you do to protect yourself?

  • Ensure you are opted into Google Play Protect.
  • Exclusively use the Google Play store. The chance you will install a PHA is much lower on Google Play than using other install mechanisms.
  • Keep “unknown sources” disabled while not using it.
  • Keep your phone patched to the latest Android security update.

Petya Ransomware hits the Globe

petya-ransomware-attack-1

On 27 June a nasty piece of ransomware (now declared as a wiper malware) struck the globe within the 2 months of previous ransomware outbreak i.e. WannaCry. The Petya ransomware(now Known as NotPetya Malware) attacks that began infecting computers in several countries, including Russia, Ukraine, France, India and the United States on Tuesday and demands $300 ransom was not designed with the intention of restoring the computers at all. The virus was designed to look like ransomware but was wiper malware that wipes computers outright, destroying all records from the targeted systems. The Email id used to receive the payments in Bitcoin has been shut down so even though the ransom is paid files will not be recovered.

Similar to WannaCry, Petya uses the Eternal Blue exploit as one of the means to propagate itself. However it also uses classic SMB network spreading techniques, meaning that it can spread within organizations, even if they’ve patched against Eternal Blue.

It has been confirmed that MEDoc, a tax and accounting software package, is used for the initial insertion of Petya into corporate networks. MEDoc is widely used in Ukraine, indicating that organizations in that country were the primary target.

After gaining an initial foothold, Petya then uses a variety of methods to spread across corporate networks.

What makes it dangerous? Unlike other ransomware viruses, it encrypts the Master File Table (MFT) for NTFS partitions. Each file on an NTFS volume is represented by a record in a special file called the master file table (MFT). If the MFT is corrupted the file system structure on the disk becomes unusable. It also overwrites MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents the victim from booting their computer. This means that once a machine is infected it is in a complete state of lockdown. This makes it more intrusive. In comparison, the WannaCry ransomware virus targeted only specific file extensions while still allowing the operating system access.

INFECTION AND INSTALLATION

According to Symantec , Petya is initially executed via rundll32.exe using the following command:

  • rundll32.exe perfc.dat

Once the DLL has been loaded, it will first attempt to remove itself from the infected system. This is done by opening the file and overwriting its contents with null bytes before finally deleting the file from disk. Overwriting the file with null bytes is used as an attempt to thwart recovery of the file using forensic techniques.

Next, it attempts to create the following file to be used as a flag indicating that the computer has been infected:

  • C:\Windows\perfc

Once installed, Petya proceeds to modify the master boot record (MBR). This allows it to hijack the normal loading process of the infected computer during the next system reboot. The modified MBR is used to encrypt the hard disk while simulating a CHKDSK screen. It then displays a ransom note to the user.

MBR modification does not succeed if the threat is executed as a normal user but the threat will still attempt to spread across the network

At this point, a system reboot is scheduled using the following command:

  • “/c at 00:49 C:\Windows\system32\shutdown.exe /r /f”

By scheduling and not forcing a reboot, it provides time to allow Petya to spread to other computers in the network before user-mode encryption occurs.

Once Petya does get into a local network, however, there are several concurrent mechanisms for it to spread to further local machines. The first and foremost is the ETERNALBLUE exploit. The next mechanism is to use mimikatz to dump credentials and use said credentials to run itself in local LAN computers using either PsExec or wmic.exe.

The following 4 steps are followed by the malware to spread itself:

  1. Tries to find credentials:
    • Method 1: Uses a custom tool to extract credentials from memory (code similarities with MimiKatz and accesses Windows LSASS process)
    • Method 2: Steals credentials from the credential store on the infected systems
  2. Makes an inventory of the local network for other machines. If found, it checks whether port 139 or 445 is open
  3. Checks via WebDAV whether the enumerated systems have already been infected. If this is not the case, it will transfer the malware to the other systems via SMB;
  4. Utilizes PSEXEC or WMI tools, to remotely execute the malware.

Once spreading has occurred, Petya then lists all files on any fixed drive (e.g. C:\) and checks for any of the following file extensions (skipping the %Windir% directory of that drive):

.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h. hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip

An AES 128 bit key is generated for each drive. If any of the file extensions match that of the above list, the malware proceeds to encrypt the first 1MB of the file using the generated key.

After encrypting all eligible files, the threat will generate the ransom note and write it to a “README.TXT” file in the current drive.

The generated AES key(s) then encrypts itself using an embedded public key.

The resulting encrypted blob is then appended to the end of the ransom note (README.TXT) as a Base64 encoded string. The ransom note refers to this as the “installation key”.

The generated key is then destroyed to ensure it cannot be retrieved from memory.

At this point, the system is rebooted and the modified MBR code loads the simulated CHKDSK screen and full disk encryption occurs.

PREVENTION 

Checking if you are at risk for this attack involves multiple actions, due to the fact that the attack itself uses different methods to propagate within networks. The following actions can be performed to identify potential vulnerable machines within the network:

  • Perform a network portscan to identify systems on which the TCP ports 139 and 445 are open. The more machines that are accessible on these ports, the more potential risk of the attack spreading to large amounts of systems within the network.
  • Perform a vulnerability scan to identify machines which are missing the MS17-010 (and the KB2871997) patch. If the patches are missing, the identified systems are vulnerable to the one of the spreading and infection methods used by the malware.
  • Create a file perfc. C:\Windows\perfc beforehand.