Campagna di attacco “Fattura corretta”

Proto: N070119.

Con la presente Yoroi desidera informarLa relativamente ad una campagna di attacco in corso ai danni di numerose utenze ed organizzazioni italiane. Le email malevole sono appositamente create con tematizzazioni amministrative e riferimenti ai nuovi obblighi di fatturazione elettronica. I messaggi fraudolenti contengono al loro interno allegati Excel in grado di infettare la vittima con impianti malware della famiglia Ursnif.

Questi documenti sono stati preparati esplicitamente ai danni di utenze italiane, infatti il codice macro malevolo al loro interno viene attivato solamente qualora il pacchetto Office sia configurato in lingua italiana. In seguito viene eseguito codice powershell reperito tramite tecniche di steganografia su immagini raster, analogamente a quanto osservato in N031218 e N050918.

Figura 1. Documento Excel malevolo
Figura 2. Immagine contenente codice powershell

Di seguito si riportano gli indicatori di compromissione individuati durante le analisi:

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Sofacy's Zepakab Downloader Spotted In-The-Wild

In the last weeks, the Cybaze-Yoroi ZLAB investigated a new APT28 campaign discovered in January 2019. The sample has been initially identified by an Italian independent security researcher, who warned the InfoSec community and shared the binary for further analysis.

Cybaze-Yoroi ZLab researchers analyzed this sample to extract indicators and investigate their presence into the Italian landscape.

Technical Analysis

The attack vector is still not clear, APT28 typically use decoy Office documents armed with VB macro. Anyway the analyzed sample pretends to mimic a Microsoft component called “ServiceTray”.

Sha256e6e93c7744d20e2cac2c2b257868686c861d43c6cf3de146b8812778c8283f7d
ThreatZepakab/Zebrocy Downloader
ssdeep12288:QYV6MorX7qzuC3QHO9FQVHPF51jgcSj2EtPo/V7I6R+Lqaw8i6hG0:vBXu9HGaVHh4Po/VU6RkqaQ6F

At first glance the executable shows it is packed using UPX v3.0 compressor, a widely known tool commonly used to minimize the PE file size.

Figure 1. Info about malicious PE.

Interestingly, the resource section of the executable shows a typical binary pattern of the AutoIt v3 compiled script: the “AUT3!” signature.

Figure 2. Hexadecimal view reporting the AutoIt v3 header.

After the decompilation and the extraction of the script we noticed the script looks simpler than expected: no obfuscation or anti-analysis tricks found.

The usage of AutoIt language is an emerging characteristic of recent Zepakab downloaders, as also stated by Vitali Kremez, independent security researcher who compared this sample with the older Zepakab implant’s version: the behavior and the script structure are very similar, but obviously the new sample use different command-and-controls servers and artifacts’ names.

Figure 3. Part of malicious decompiled AutoIt script.

After statically setting some variables, such as the C2 url and the payload path, the script invokes the “argv” function calculating a 32 characters random ID.

Figure 4. Function to craft a 32-chars random ID.

Then, it runs the “main” routine. The core of Zepakab. Here the malware implements recon functionalities, retrieves machine information and grabs screenshot every minute.

Figure 5. AutoIt script’s main function.

Then, all the information is encoded in Base64 and sent to the C2 through the “connect” function, using a SSL encrypted HTTP channel. Just before sending its message, the malware adds random padding characters, probably to prevent the automatic decoding of the message; the final request looks like this:

Figure 6. POST request sent to C2C.

The machine information sent to the C2 is gathered within the “info” function, invoking the “_computergetoss” routine. This last code snippet is likely borrowed from a publicly available AutoIT library script called “CompInfo.au3”: an AutoIt interface to access the Windows Management Instrumentation framework’s data.  

Figure 7. Function to retrieve information about victim’s machine.

The code analysis performed also identified another re-used snippet of script: the AutoIT WinHttp wrapper was included into the malicious sample to enable network communication through system proxy.

Figure 8. Blog post reporting the Base64 script, shared by a forum user.

Once communication channel has been established, the command and control analyzes the victim check-in information and, if the compromised machine is likely a target, it sends back the final payload.

The payload will eventually be saved into “C:\ProgramData\Windows\Microsoft\Settings\srhost.exe” and executed inside the “crocodile” function.

Figure 9. The “crocodile” function, used to launch the final payload.

Once the final payload is correctly launched ($cr != 0), the function set the $call variable to False and the main loop of the script terminates.

Unfortunately, the C2 destination is down at time of writing, so it was impossible to retrieve the final payload and proceed with in-depth analysis.

Conclusion

Despite its harmful capabilities, the AutoIt Zepakab malware is quite simple and surprisingly does not use any anti-analysis tricks. The Sofacy group borrowed code from publicly available scripts to ease the development of this new weapon in its arsenal and to keep a low profile in terms of TTP, building a cheap and effective info-stealer malware able to bypass traditional antivirus, almost effortless.

CERT-Yoroi assessed no organization part of its constituency have been impacted by this threat.

Indicator of Compromise

Yara rules

import "pe"
rule APT28_Zepakab_Zebrocy_Implant_201901{
	meta:
		description = "Yara Rule for APT28 AutoIt Zepakab implant Jan 2019"
		author = "Cybaze Zlab_Yoroi"
		last_updated = "2019_01_29"
		tlp = "white"
		category = "informational"

	strings:
   		$AU3 = {41 55 33 21 45 41}
		$v = "13.3.1223.2" wide
		
	condition:
    	all of them and pe.sections[0].name == "UPX0" and pe.version_info["FileDescription"] contains "ServicesTray" and pe.resources[19].type == pe.RESOURCE_TYPE_RCDATA
}

Cyber Security Defence Center Update

Con la presente Yoroi desidera informarLa dell'aggiornamento avvenuto nella notte tra il 25 ed il 26 di Gennaio 2019 al proprio Cyber Security Defence Center alla versione B:5.19, F: 6.7, G: 3.20.

Nella presente versione sono state migliorate le seguenti attività:

Per usufruire della nuova versione è sufficiente effettuare logout e successivo login al portale utenti. Yoroi la ringrazia per la sua cordiale attenzione.

The Story of Manuel's Java RAT

Introduction

During the last weeks, the Cybaze-Yoroi ZLab researchers identified infection attempts aimed to install RAT malware directed to the naval industry sector. The malicious email messages contained a particular Adwind/JRat variant delivered via several methods tailored to lure the target company.

In the recent past, similar attack cases hit this industry, such as the MartyMCFly case, where the attackers weaponized their emails with QasarRAT payloads. Instead, in this case, Cybaze-Yoroi ZLab detected the usage of multiplatform Java malware.

Technical analysis

A preliminary analysis of the two malicious email waves shows no common strict indicators: the smtp infrastructure detected on the 16th and 17th is different from the 21tst one, the attachment type didn’t match, in fact the first ones contained .jar attachments, the second ones ZIP archives and JS scripts, and the email theme was different too.

In detail, the first email wave has been prepared to simulate a purchase order, trying to impersonate administrative personnel of an italian company operating in the Hydraulic and Lifting sectors,  “Difast Srl”. These messages were written in Italian.

The second email wave, instead, was not Italian speaking anymore. This time the attacker were trying to impersonate a German logistic company, “Dederich Spedition”, simulating another kind of purchase order communication.

However, we figured out these two email waves were linked to the same attacker.

Dissecting the Stage1

The following attachments have been analyzed by Cybaze-Yoroi Zlab team:

HashSha 256:a17b18ba1d405569d3334f4d7c653bf784f07805133d7a1e2409c69c67a72d99
ThreatJAR/Dropper
ssdeep12288:1zdaHanWmyPL64RrYzX/6ZjHfTMmy7KUBjycRKXsfp330VPMsCXtZcLzSU:1zUHanW3DJRr0/ubfTK3hycjfx30VPMw
HashSha256:cb5389744825a8a8d97c0dce8eec977ae6d8eeca456076d294c142d81de94427
ThreatJAR/Dropper
ssdeep12288:LR9aQ+oSsyJZVqhoae1yjocYKLCpOo5q/mOmFgnxhQZMR:C4yuoCoflp1DFOxx
HashSha256:5b7192be8956a0a6972cd493349fe2c58bc64529aa1f62b9f0e2eaebe65829be
ThreatJS/Dropper
ssdeep12288:Vhz+1VYSCR8TedejbWcGrwmzt7cOk6O6vJX9SxmN6QjH9HJW93awECdf66bC8a:rzbsedejF1k1BXFRVJjXl

The first two malware samples were attached to the suspicious emails sent since 16th January. The last was embedded into the 21st January emails.

Analyzing in detail the first two JAR archives, it’s possible to see the source code is the same, except for name of the declared classes. Thus, the analysis are conducted only on one of them.

Figure 2 - Comparison between two jar file dropper

Differently from other ones, the JS file has a different structure how visible in the following figure.

Figure 3 - Code snippet of js file dropper

Despite the different structures of code and programming languages, all the dropper samples have the same encoded payload strings.

The string labeled with the variable name “duvet” hides another layer of code. The obfuscation method is quite easy: just replace the “#@>” character with “m”, and convert all from base64. The results of decryption is visible in the following figure:

Table 4 - First step decryption of base64 encoded string

In the previous code snippet, a malware routine checks the existence of the Java environment on the victim machine: if it is not installed it downloads the JRE environment from an external location, a potentially compromised third party website  “hxxp://www[.thegoldfingerinc[.]com/images/jre.zip”.

Figure 5 - Open directory used by malware to download jre.zip component

After downloading the JRE archive, the malware installs it on the victim machine. At this point, the malware triggers the persistence mechanism and sets the typical “CurrentVersion\Run” registry key.

Figure 7  - Register key setted by the malware

After many deobfuscation rounds of the nested base64 strings recovered, the final results is:

Figure 8 - result of decrypted code

The “longText” variable hides the final payload: another .jar file. Instead, decoding the variable “longText1”, we retrieved the following code snippet:

Figure 9 - fake listener on localhost setted by the malware in case of evasion

This code, able to create a localhost listener or a sort of proxy on port 7755, is actually unused by the other part of the RAT malware.

Converging to the Java RAT Payload

As anticipated before, the “longText” variable encodes a JAR executable containing the infamous, multi-platform (Win/macOS), Adwind/JRat malware: a Remote Access Tool well known to the InfoSec community.

HashSha256:9b2968eaeb219390a81215fc79cb78a5ccf0b41db13b3e416af619ed5982eb4a
ThreatAdwind/JRAT
ssdeep12288:jz8uQYmMzFIXJ9A2G5px
ogQNUhIK/0c2qnAv:EuQ/ImYnsS7B2qnk

The structure of the code seen in the above figure, indicates the fact that it is the canonical Adwind/JRat malware, containing the “JRat.io” false flag.

Figure 10 - Structure of JRat malware

Finally, we extrapolated the configuration of the RAT payload, the JSON object reported in the following snippet.

{  
   "NETWORK":[  
      {  
         "PORT":9888,
         "DNS":"185.244.30.93"
      }
   ],
   "INSTALL":true,
   "MODULE_PATH":"KXA/Gzd/Sb.Po",
   "PLUGIN_FOLDER":"vuVCbHOEGdl",
   "JRE_FOLDER":"bvDMbv",
   "JAR_FOLDER":"oJYFGyiYDKG",
   "JAR_EXTENSION":"gHPrve",
   "ENCRYPT_KEY":"PqKOsNWuSwYdlCTuCJPnAGXoL",
   "DELAY_INSTALL":2,
   "NICKNAME":"MANUEL1986",
   "VMWARE":false,
   "PLUGIN_EXTENSION":"xSgaW",
   "WEBSITE_PROJECT":"https://jrat.io",
   "JAR_NAME":"GErbOAiLUBf",
   "JAR_REGISTRY":"NVxqGXNfpjm",
   "DELAY_CONNECT":2,
   "VBOX":false
}

The remote destination address 185.244.30.93, belonging to “Stajazk VPN” services,  hosts the control server reachable on port tcp/9888. Also, the configuration reveal the  nickname field containing the string “MANUEL1986”.

The usage of the VPN service hides the real location of the attacker, however, the specific IP isn’t new to the threat intel community, it has been abused since october 2018. Particularly interesting is the presence of the No-IP domain “manuel.hopto.org”: this domain also resolved Nigerian IP addresses of the 37076-EMTS-NIGERIA-AS, and and the Italian AS1267 back in 2012-2014.

Figure 11 - “manuel.hopto.org” last DNSs of C2 of JRat

Conclusions

The analyzed case shows how threat actors may quickly vary attack techniques and artifact characteristics, trying to masquerade their intent by making harder to track their attempts. Proving the investigation capabilities of a threat research team are fundamental into a modern cyber security paradigm.

 

Indicator of Compromise

Yara rules

rule JRat__js_dropper_23_01_2019{
	meta:
  	description = "Yara Rule for JRat js dropper"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2019_01_23"
  	tlp = "white"
  	category = "informational"

	strings:
   		 $a = "duvet"
   		 $b = "\"#@>\""
   		 $c = "electric = \"m\";"
   		 $d = {59 35 64 32 46 48 54 6E 56 4C 53 45 35 71 59 32}
   		 $e = "b_64_2_byt_arr"

	condition:
    	all of them
}

rule JRat__jar_dropper_23_01_2019{

	meta:
  	description = "Yara Rule for JRat jar dropper"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2019_01_23"
  	tlp = "white"
  	category = "informational"

	strings:
   	 $a = {24 00 ?? ??  ??  ??  ??  ??  ??  ?? ?? ?? 2F 72 65 73 6F 75 72 63 65 73 2F}
   	 $b = {50 4B}
 	   $c1 = {B1 21 68 47 3B D9 AC 12 F1 E1 55 33}
  	 $c2 = {4F 70 06 7E B9 00 4E 29 AA 77 73 00}

	condition:
    	$a and $b and 1 of ($c*)
}

rule JRat_payload_23_01_2019{

	meta:
  	description = "Yara Rule for JRat payload"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2019_01_23"
  	tlp = "white"
  	category = "informational"

	strings:
   		 $a = "PK"
   		 $b = "manintheskymaninthesky"
    		$c = {1B BD A2 69 8F 0A 9C 4F}
   		 $d = {26 F3 40 AF 9C 97}

	condition:
    	all of them
}

This blog post was authored by Davide Testa, Luigi Martire and Luca Mella of Cybaze-Yoroi Z-LAB

Vulnerabilità in Firmware BMC

Proto: N060119.

Con la presente Yoroi desidera informarLa relativamente alla recente scoperta di vulnerabilità all’interno di numerosi apparati server moderni aventi co-processore di servizio BMC (Baseboard Management Controller): particolare classe di chip embedded utilizzati per la gestione out-of-band e side-band in dispositivi quali, ma non limitato a, macchine server, rack di switch o appliance RAID. La criticità è nota con l’identificativo CVE-2019-6260 e referenziata pubblicamente con l’alias “pantsdown”.

Ricercatori indipendenti hanno individuato problematiche all’interno dei chip SoCs ASPEED ast2400 e ast2500, i quali realizzano ponti di comunicazione ad alta velocità (AHB bridge). Queste funzionalità di comunicazione sono gestite lacunosamente all’interno dei principali firmware BMC in circolazione (e.g. OpenBMC, AMI, SuperMicro, ..) e possono essere sfruttate da un attaccante posizionato sull’host per accedere alla memoria del sottosistema di gestione BMC fisico, ottenendone il controllo. Questo contesto può comportare possibilità di accessi abusivi alle reti di gestione e potenziali attacchi Deny/Disruption of Service.

Figura 1. Architettura IPMI e chip BMC (Fonte:CERN-FIO-DS)

La Fondazione OpenBMC non ha ancora confermato la problematica, tuttavia l’autore della ricerca ha reso nota l’esistenza di mitigazioni applicabili, come la disabilitazione di funzionalità  SuperIO od il filtraggio di parte delle operazioni di scrittura in memoria.

L’applicabilità degli scenari di minaccia risulta ad oggi limitata, tuttavia, vista la potenziale longevità delle tipologie di dispositivi afflitti, la possibile sporadicità di aggiornamenti firmware e l’annunciato rilascio di proof-of-concept, Yoroi suggerisce di monitorare l’eventuale disponibilità di aggiornamenti BMC e pianificare l’applicazione di mitigazioni e patch di sicurezza.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Massiva Raccolta di Account Compromessi

Proto: N050119.

Con la presente Yoroi desidera informarLa relativamente alla recente scoperta di una importante raccolta di collezioni di account compromessi in vendita all’interno del Deep Web: più di 12 mila files per una dimensione complessiva di oltre 993 GB.

Una porzione di queste collezioni è già stata oggetto di analisi da parte di ricercatori di sicurezza indipendenti, dove i dati contenuti risultano referenziare account realmente esistenti e, con buone probabilità, legati a data breach registrati nel corso degli anni.

Figura 1. Collezioni di account compromessi in vendita

La diffusione di questa ingente mole di credenziali ed account può comportare un sensibile aumento del rischio di sicurezza per utenti ed Organizzazioni, in quanto:

Per via dell’eccezionale volume delle collezioni di account compromessi in circolazione, oltre 23 volte più grande rispetto alla raccolta individuata da 4iQ a fine 2017, Yoroi suggerisce di avvertire i Vostri utenti riguardo alla possibile ricezione di messaggi di posta fraudolenti volti ad estorcere denaro sotto la falsa minaccia di pubblicazione di informazioni compromettenti, inclusivi di riferimenti ad account e password realmente appartenuti alla vittima.

CERT-Yoroi sta analizzando la raccolta al fine appurare il coinvolgimento di membri della sua constituency all’interno dei dati circolanti.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

GreyEnergy: Welcome to 2019

Introduction

Figure 1. Possible GreyEnergy sample

In the first days of January, an interesting malware sample has been disclosed through the InfoSec community: a potential GreyEnergy implant still under investigation.

This kind of threat, previously analyzed by third party firms, contains similarities with the infamous BlackEnergy malware, used in the attacks against the Ukrainian energy industry back in 2015.

The Cybaze-Yoroi ZLAB researchers dissected this new sample to investigate its attribution.

Background - Past Research

According to a recent ESET report, GreyEnergy malware is part of the new cyber arsenal of the BlackEnergy APT group, whose main toolset was last seen back in 2015 during the Ukraine power grid cyber-attack. It typically spreads through two different vectors:

  1. perimeter breach, for instance compromising company’s websites;
  2. spear-phishing emails and malicious attachments.

The GreyEnergy implant is also known as “FELIXROOT” backdoor: FireEye researchers published a technical article on July 2018 about a spear-phishing campaign trying to deliver the malware to undisclosed targets. More recently, on October 2018, community researchers reported a phishing attacks aimed to infiltrate Polish critical infrastrucure, trying to install the FELIXROOT implant dropped from malicious RTF documents.

The entire malware architecture is modular and very difficult to neutralize. It is able to retrieve new modules from command and control servers, empowering the offensive capabilities of the implant: modules such as NMAP and MIMIKATZ were used in the past to perform lateral movement and privilege escalation.

Figure 2 - Modules of GreyEnergy malware (Figure by ESET)

Technical analysis

In order to investigate the attribution of the sample, Cybaze-Yoroi Zlab researchers performed a comparative analysis of the January 2019’s sample with respect to technical indicators and TTP published in previous articles.

First of all, static analysis on this sample shows the information about original filename, size, exported functions and other information are closely similar to the FE_Dropper_Win32_FELIXROOT_1 sample.

Figure 3 - January’s sample on the left; FELIXROOT_1 sample on the right.

Despite this similarity, the first sample results to be known to the community only since the 6th of January 2019, meanwhile the FELIXROOT_1 one has been submitted to the VT platform almost an year earlier, back in 2018.

Figure 4 - January’s sample on top; FELIXROOT_1 sample on bottom.

A dynamic analysis of the sample shows classic, but effective, automated analysis’ evasion techniques such as long sleep time-periods of dozens of minutes.

Figure 5 - GreyEnergy invokes sleep API to evade analysis.

After this incubation time, the malware contacts the C2 server sending checking information about victim machine. The remote destination ends to the 217.12.204.100 IP address, owned by an Ukrainian contractor and manufacturer company.

Figure 6 - The malicious IP

The callback activity of the malware is periodic, every thirty minutes it gets in touch with the remote C2 to notify the implant is still running. It sends information about computer name, user name, volume serial number, Windows version, processor architecture and two additional values: “1.3” and “KdfrJKN”. These values match the campaign-id reported by the FE researchers back in 2018.

These identifiers are clearly visible in Figure 7, where the in-memory analysis session shows the malware configuration.

Figure 7 - The malware accesses to its configurations.

The data sent to the C2 are protected by SSL encryption. However, emulating the network destination is possible to decrypt the victim information sent to the remote server; the data are transmitted into the “u=” parameter of HTTP POST requests.

Figure 8 - POST body.

This evidence matches the FELIXROOT backdoor’s behavior reported into past FE researches, where the usage of three main HTTP parameter, including the “u=” one, have been documented.

CommandDescription
“u=”Send information about victim machine as computer name,
user name, volume serial number, Windows version,
processor architecture and two additional values: “1.3” and “KdfrJKN
“&h=”Command executed and its results
“&p=”Information about data associated with the C2 server.

Also, a binary differential analysis between the January’s sample and the FELIXROOT_1 sample reported only three modified binary areas, as shown in Figure 10.

Figure 10 - Differences between the latest binary and FELIXROOT_1 sample.

Conclusion

The sample disclosed in January 2019 is clearly classifiable as GreyEnergy malware implant with highest level of confidence: the behaviour, the configurations and the static data closely match TTP and technical details from previous analysis.

This means the analyzed sample is linked to the BlackEnergy/Sandworm APT group.

The recent detection of this previously unknown sample containing known campaign identifiers, may suggest the attack operations reported by third party firms in 2018 are still ongoing.

The lack of contextual data about this new sample makes the determination of the current targeted organizations harder; however CERT-Yoroi assessed no organization part of its constituency have been impacted by this threat.

Indicator of Compromise

Filenamesha-256Description
module.1620.3e25bb98.58d10000.dll1bb78a73f28617bf8209dae0be4ced07dcd44420b541d7147a0f978237f9b3e2FELIXROOT 2019

Yara rules

import "pe"
rule GreyEnergy_FELIXROOT_2019_01_15{

    meta:
      description = "Yara Rule for GreyEnergy Mini aka FELIXROOT"
      author = "Yoroi ZLab - Cybaze"
      last_updated = "2019_01_15"
      tlp = "white"
      category = "informational"

    strings:
	  $a1 = {E8 21 D1 58 DC 21 D1 58 D0 21 D1 58}
	  $a2 = {3C 6A 2A 77 28 D3 2A 77 6D CF 2A 77 7F 6F 2A 77}
	
    condition:
        pe.version_info["FileDescription"] contains "WST Decoder Filter" and all of them

}

Campagna di Attacco tramite PEC

Proto: N040119.

Con la presente Yoroi desidera informarLa relativamente ad una nuova ondata di attacchi rivolti ad Organizzazioni e utenti italiani. Le email fraudolente osservate sono dirette verso caselle di Posta Elettronica Certificata ed invitano l’utente ad aprire archivi compressi allegati all’interno dei messaggi.

Figura 1. Immagine mostrata all’utente a seguito dell’esecuzione dell’allegato

Gli archivi malevoli contengono script eseguibili VBS e/o Javascript che, una volta aperti, scaricano ed installano un impianto malware della famiglia Gootkit sull’host bersaglio: la minaccia è in grado capace di intercettare le comunicazioni di rete, accedere alle smartcard inserite e trafugare digitazioni utente.

Figura 2. Estratto del codice della minaccia

Le tecniche di propagazione utilizzate dagli attaccanti ed alcuni degli indicatori estratti durante le analisi indicano, con buona confidenza, un legame con le campagne email tracciate dal CERT-PA a Novembre-Dicembre 2018. L’ondata di attacco è riconducibile all’attore di minaccia referenziato come TH-106 da CERT Yoroi.

Di seguito si riportano gli indicatori di compromissioni individuati durante le analisi:

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

The “AVE_MARIA” Malware

The  Cybaze-Yoroi ZLab researchers analyzed phishing attempts spreading in the last days of the past year against an italian organization operating in the Oil&Gas sector. The malicious emails try to impersonate a supplier’s sales office sending invoices and shipping orders confirmations. As usual, the mail conveys malicious Excel files exploiting the popular CVE-2017-11882 vulnerability to run an executable retrieved from a malicious website, previously compromised by the attackers.

The domains used to vehicle the malicious messages remained active only for few days in the middle of December, just the time needed to spread phishing emails.

Figure 1. The sender’s domains were active from 12 to 14 Dec 18

The Cybaze-Yoroi ZLab analyzed and dissected the payload delivered during these days.

Technical analysis

The actual infection chain starts from the self-extracting archive (SFX) dropped by after the opening of the malicious Office document.  The sample contains the image of Kagamine Rin as icon, a character belonging to the singing voice synthesizer software dubbed VOCALOID.

The file is a WinRAR self-extractor configured to unpack its contents into the temporary folder  “%TEMP%\04505187” and then silently run a specific setup routine:

Figure 2. Configuration of the SFX extractor

The timestamp of the compressed files shows the attacker weaponized the archive at 22:56 of 13th December 2018, within the domain activation time-span.

Figure 3. Files extracted by SFX executable

All the files have misleading extension to confuse the analysis and most of them are text files containing junk data. But three of these files deserve further attention:

Figure 4. Appearance of the first AutoIt script (called “hbx-lbl”).
Figure 5. uaf.icm’s structure.

Similar packing of AutoIT code have been observed even by Juniper back in 2016, where SFX files were abused this way to deliver scripts used as first stage of the malware. As shown in the configuration in Figure 2, the sample able to run the first script using the command:

$> xfi.exe hbx=lbl

At this point, using the encoded data contained into “uaf.icm” between the string pattern “[sData]” and “[esData]”, the first script creates a second one, with a random name (es. “ZZQLZ”), and runs it using “xfi.exe” engine.

Figure 6.The second script is binary-encoded and hidden into the uaf.icm file between “[sData]” and “[esData]”.

The second script is heavily obfuscated using binary-encoding. After deobfuscation, it reveals interesting capabilities. First of all, there are different evasion techniques, such as a check about the current running processes: if there is a process related to some virtualization software, like Virtualbox, the malware kills itself.  

Figure 7.Example of malware evasion.

The main purpose of the second script is to decrypt and execute the final payload hidden inside “[Data]” and “[eData]” delimiter strings of the  “uaf.icm” file. The data is decrypted using the “Advapi32.dll!CryptDecrypt” Microsoft function, which is dynamically invoked into the AutoIt script through the high-level API “DllCall”. The decryption key is retrieved from the usual settings file.

It is interesting the way used by the AutoIt script to run the just extracted payload. In the first instance, the malware creates a copy of legit Regsvcs.exe, the .NET Services Installation Tool, into %TEMP% folder and runs it. Then, it performs a process injection in order to start the malicious payload behind the Regsvcs process.

In the following figure, it is shown the routine to extract, decrypt and inject the malicious binary stored into “uaf.icm” settings file.

Figure 8.Example of malware evasion.

The malware uses the CallWindowProcW Windows function as process injection technique, through DllCall AutoIt API.

Figure 9.Function to decrypt and inject malicious payload into legit process.

The malware author used a custom shellcode stored into $ASM variable to correctly inject the binary payload into the running regsvcs process.

Finally, the second AutoIt script provides to set persistence onto the victim’s machine writing the registry key HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.

Figure 10.Registry key set by the malware.

The registry key’s name corresponds to the value extracted from “uaf.icm” settings file at the section “Key”.

The Payload: AVE_MARIA Stealer

The payload injected into legit .NET process shows a typical bot behavior: it contacts a C2  hosted on anglekeys.warzonedns[.]com and retrieves the next action to perform. The attacker’ server is currently down, so it is not possible to obtain further stages of the commands.

A static investigation shows the malware looks for the installed e-mail client, like Microsoft Exchange Client or Outlook, to exfiltrate victim’s credentials.

Figure 11.Research of the installed email client software.

Moreover, the bot is able to decrypt all the credentials stored by Firefox browser. These sensitive data are protected using PK11 encryption from Mozilla Network Security Services, so the malware is weaponized with all the necessary functions decrypt them.

The malware writer re-used publicly available code to implement this functionality. The following screen shows part of the execution flow (on the left) and a piece of code belonging to a KeePass plugin (on the right) published on github; these two flows are very similar.

Figure 12.Malware’s piece of code (on the left); KeePass plugin’s piece of code (on the right).

In addition, the malware embeds an utility able to bypass the User Access Control within the resource section. It abuses a vulnerability of the “pkgmgr.exe” Windows tool; many resources related to this exploit are publicly available on the internet.

Figure 13.Workflow of the UAC bypass utility.

Despite the wide malware’s capabilities, the writer left some evidences referring to his environment into the malicious code.

Figure 14.Probable address path of the malware writer’s workspace.

Finally, another strange string is emerged from the executable: “AVE_MARIA”. Which is used as HELLO message when the malware correctly contacts the C2. This particular string has been elected as common malware name by many researchers of the InfoSec community.

Figure 15.The characteristic string sent by the malware.

Conclusion

The first stages of the malware, including the AutoIt scripts, are very similar to another malware waves analyzed few years ago by third party security researchers: the malware logic, based on an INI settings file, and some pieces of AutoIt code are the same but the final payload is different.

It’s possible the author of these malware is the same, showing an increasing complexity of implant, or also the first stage of the malware may have been purchased in the dark markets and the author of the “AVE_MARIA” malware composed a new stealer using publicly available code, forgetting to wipe the information related to him.

Indicator of Compromise

FileNamesha256description
DSK.exe4576d9940db9a748378a7e7d8c0edc048529ed72ef5161ed4a75c5612da3d5d9SFX dropper
hbx=lbl6fff30ad7d09e11e85614de11ea3607ed39c2c6ed2cca481d7e54b506c423707AutoIt script dropper 1
xfi.exe237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95dLegit AutoIt engine
uaf.icm7b5a8198138abc2436d92dfcd16f0be26e8783a51e42d2a4ad5334686f4c9140Malware settings file
ZZQLZ02cb295e95881abca2fe85fadc4228a932a12ea0d1fa6b961a38d789e7b8287fAutoIt script dropper 2
payload81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1AveMaria payload
uac_bypass021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546UAC_bypass utility

Yara Rules

rule SFX_AutoIt_dropper_09_01_2019{

    meta:
      description = "Yara Rule for SFX dropper"
      author = "Cybaze Zlab_Yoroi"
      last_updated = "2019_01_09"
      tlp = "white"
      category = "informational"

    strings:
	$a1 = "CryptProtectMemory"
	$a2 = {2A 3F ?? ?? ?? ?? 72 61 72}
	$b = {4D 5A}
	$c = {CE E8 DC F8 FF FF 56 E8 A3 80 FF FF 59 33 C0 5E}
	$d = "publicKeyToken=\"6595b64144ccf1df\""
	$e = {7B 65 32 30 31 31 34 35 37 2D 31 35 34 36}

    condition:
        $b and $c and $d and $e and 1 of ($a*) 

}


rule AveMaria_infostealer_09_01_2019{

    meta:
      description = "Yara Rule for AveMaria infostealer"
      author = "Cybaze Zlab_Yoroi"
      last_updated = "2019_01_09"
      tlp = "white"
      category = "informational"

    strings:
	$a1 = "PK11SDR_Decrypt"
	$a2 = {70 69 6E 67 2E 65 78 65}
	$a3 = {4D 5A}
	$a4 = {31 32 37 2E 30 2E 30 2E 32}
	$a5 = {4D D0 8B 46 08 33 C2 23 C7 C1 CF}
	$a6 = "AVE_MARIA"

    condition:
        all of them

}

This blog post was authored by Antonio Farina, Luca Mella, Antonio Pirozzi of Cybaze-Yoroi Z-LAB

Gravi Vulnerabilità su Appliance Cisco ESA

Proto: N030119.

Con la presente Yoroi desidera informarLa relativamente a gravi vulnerabilità all’interno del firmware degli apparati Cisco ESA (Email Security Appliance), utilizzati da numerose Organizzazioni per effettuare controlli di sicurezza sui messaggi di posta elettronica in transito. Le criticità sono note con gli identificativi CVE-2018-15460 e CVE-2018-15453.

Le problematiche sono originate da lacune nella gestione di risorse e memoria all’interno di Cisco AsyncOS, le quali permettono ad attaccanti remoti non autenticati di creare condizioni di disservizio persistenti all’interno dei dispositivi perimetrali ESA, causando il blocco del transito dei messaggi di posta.

Il Produttore ha pubblicato due appositi bollettini di sicurezza relativamente alle criticità in oggetto, indicando come afflitte le versioni del firmware 9.x, 10.x, 11.0.x, 11.1.x e minori di 9.0:

Benché ad oggi non siano stati rilevati attacchi volti a sfruttare queste criticità, Yoroi consiglia di pianificare l’aggiornamento dei dispositivi perimetrali Cisco ESA alle ultime versioni disponibili e, qualora possibile, di valutare l’applicazione delle mitigazioni suggerite dal Produttore (dettagli in bollettini ufficiali).

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Vulnerabilità su Sistemi Yokogawa CENTUM

Proto: N020119.

Con la presente Yoroi desidera informarLa relativamente ad una importante vulnerabilità che affligge vari dispositivi Yokogawa della famiglia CENTUM, utilizzati per la realizzazione di sistemi di controllo distribuiti (DCS) nei settori energetico, manifatturiero, agricolo ed alimentare. La criticità è nota con l’identificativo CVE-2018-16196.

La problematica è originata da lacune nella gestione delle risorse all'interno del driver di comunicazione “Vnet/IP Open Communication Driver”, attraverso il quale un attaccante di rete non autenticato può creare condizioni di disservizio impedendo le interazioni con il dispositivo bersaglio.

Il Produttore ha confermato la problematica ed ha rilasciato il bollettino di sicurezza YSAR-18-0008, dove sono state rilasciate patch di sicurezza per i firmware Yokogawa:

Risultano afflitti, ma non sono invece disponibili aggiornamenti per i seguenti firmware in quanto fuori supporto:

Per via della elevata criticità dei dispositivi potenzialmente coinvolti dalla problematica, Yoroi suggerisce di pianificare l’applicazione degli aggiornamenti rilasciati dal Produttore e di limitare quanto più possibile l’esposizione di rete degli apparati di controllo.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Campagne di Attacco “Dichiarazione dei redditi”

Proto: N010119.

Con la presente Yoroi desidera informarLa relativamente ad una nuova ondata di attacchi mirati a compromettere organizzazioni ed utenze italiane. La campagna malevola si manifesta con messaggi di posta fraudolenti preparati per indurre le vittime all'apertura di link remoti in grado di installare malware della famiglia Danabot.

Figura 1. Esempio di messaggio malevolo.


Figura 2. Archivio contenente la minaccia Brushaloader.

All'apertura del link inserito nei messaggi email, viene scaricato un archivio compresso contenente uno script vbs in grado di mettere in esecuzione la minaccia Brushaloader, la quale è attualmente configurata per scaricare un impianto malware Danabot capace di intercettare credenziali di numerosi portali bancari e provider di posta (rif. “Dissecting The Danabot Payload Targeting Italy”).

Di seguito si riportano gli indicatori di compromissione individuati durante le analisi effettuate:

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index