Aggiornamento su Vulnerabilità RDP “BlueKeep”

Proto: N070519.

Con la presente Yoroi desidera informarLa relativamente alla recente pubblicazione di ulteriori dettagli tecnici e strumenti atti a replicare la grave vulnerabilità che affligge i servizi Remote Desktop dei sistemi operativi Microsoft.

Si ricorda che la criticità, nota con l’identificativo CVE-2019-0708 ed oggetto del bollettino Early Warning N050519, può permettere ad un attaccante di rete di eseguire codice arbitrario e prendere il controllo della macchina bersaglio senza alcuna autenticazione.

Visto il recente rilascio di codici atti a replicare la problematica, esiste il rischio concreto di un abuso di questa vulnerabilità ai danni di Aziende ed Organizzazioni, sia aventi servizi RDP esposti su internet, sia aventi server RDP non aggiornati nel perimetro di rete interno. A questo proposito, si consiglia caldamente applicare gli aggiornamenti di sicurezza resi disponibili dal Produttore.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

TA505 is Expanding its Operations


In the last few days, during monitoring activities, Yoroi CERT noticed a suspicious attack against an Italian organization. The malicious email contains a highly suspicious sample which triggered the ZLAB team to investigate its capabilities and its possible attribution, discovering a potential expansion of the TA505 operation. The threat group is also known for its recent attack campaign against Bank and Retail business sectors, but the latest evidence indicates a potential expansion of its criminal operation to other industries too.

Technical Analysis

Brief DescriptionExcel file with malicious macro
Ssdeep3072:Mc38TehYTdeHVhjqabWHLtyeGxml8/dgzxXYhh3vVYwrq 8/P5HKuPF1+bkm13Kkf:B38TehYTdeHVhjqabWHLty/xml8/dgNr

Table 1. Information about initial dropper

The intercepted attack starts with a spear phishing email embedding a spreadsheet. The document is weaponized with malicious macro code triggered when the user opens the document to see the content under the obfuscated view.

Figure 1. XLS document

To understand its capabilities, the macro code has been isolated and analyzed in detail. Part of the macro’s content is shown in the following figure.

Figure 2. Part of extracted macro

Surprisingly, the source code is composed by more than 1600 lines of code and it is highly obfuscated. Paying more attention during the code analysis, we discovered that it is full of junk instructions used to declare and initialize variables never used, as shown in Figure 2. Only a small portion of this code is actually used to start the infection, the rest is just junk code.

Figure 3. Example of junk instructions used in macro

Once the macro is executed, the malware downloads two files from “kentona[.su”, using an SSL encrypted communication, and stores them in “C:\Users\Public” path: “rtegre.exe” and “wprgxyeqd79.exe”.

Brief DescriptionTrojan/Downloader (Executable file)
Ssdeep12288:3gL3qJxG5hfNV6oYYbDRcY4KhbmwPMCchbjBxwhrVm HAyzNkyRJK7hRMCQ:3mqkhfzYZY4kmgsbdm2HAENk0K7Dm

Table 2. Information about “rtegre.exe” downloaded from “kentona[.su”

Brief DescriptionSFX (self-extracting archive) (Executable file)
Ssdeep49152:sIWB74MncmEWy4i1LkjoAwG2PI/mfqtftvMKcr+7Ao95 xQW1vB38PELaacVzWTV3:sICtHsJoMAwG

Table 3. Information about “wprgxyeqd79.exe” (SFX) downloaded from “kentona[.su”

Figure 4. Files contained in “wprgxyeqd79.exe” (SFX)

The “wprgxyeqd79.exe” sample actually is a Self Extracting Archive (SFX/SFA) containing four files designed to be extracted in the %TEMP% folder. After that, it executes “exit.exe” which launches the “i.cmd” batch script.  

Figure  5. “i.cmd” script contained in “pasmmm.exe”

This new script performs a ping to “www[.cloudflare[.com” for three times with a delay of 3000ms, testing the connectivity of the victim machine. If the host is successfully reached, the script renames a file named “kernel.dll”, obviously not the real one, in “uninstall.exe”, another misleading name. Then it invokes the renamed executable and runs it passing a series of parameter: “uninstall.exe x -pQELRatcwbU2EJ5 -y”

These parameters are needed to self-decrypt the “uninstall.exe” file which is again another SFX archive. The “-p” parameter, indeed, specify the password of the archive to be extracted. The crucial file, at this point of the infection, is the SFX executable named “uninstall.exe”. It has a structure similar to previous “wprgxyeqd79.exe” file: two of their files have the same name, but the content of this new SFX is extracted in the “%ALLUSERSPROFILE%\Windows Anytime Upgrade” directory.

Figure 6. Files contained in “uninstall.exe” (SFX)

Another time, the execution flow moves from “exit.exe to “i.cmd”. The script is quite different from the previous one: it guarantees its persistence on the victim machine through the setting of “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” registry key, creating a new entry named “Windows Anytime Upgrade” which points to “winserv.exe”, just stored into the same folder. Thus, the script provides to run “winserv.exe”.

Figure 7. “i.cmd” script contained in “uninstall.exe”

An interesting part of the script is the continuous killing of every “rundll32.exe” process running into the victim machine, generates a huge amount of noise, as visible in the following process explorer view.

taskkill /f /im “rundll32.exe” || goto :Repeat

Figure 8. List of malware’s processes

Anyway, just before the kill loop, the real malicious payload is executed: the  “winserv.exe” file. Analyzing it in depth, we discover it actually is the RMS (Remote Manipulator System) client by TektonIT, encrypted using the MPress PE compressor utility, a legitimate tool, to avoid antivirus detection.

Figure 9. Information about MPress packer used in “winserv.exe” payload

TektonIT RMS acts as a remote administration tool, allowing the attacker to gain complete access to the victim machine. Together with the RMS executable, there is another file named “settings.dat” containing the custom configuration prepared by the attacker. It contains information like:

All these information are automatically loaded by the RMS executable and firstly stored in the registry key “HKCU\Software\tektonik\Remote MANIPULATOR System\Host\parameters”. At the next startup, the software will directly load the configuration from the just created key.

Figure 10. Registry key set by “winserv.exe” (on the left); “settings.dat” file (on the right)

The client establishes a new connection with the remote command and control server hosted on a Bulgarian remote host, part of a Virtual Dedicated Server subnet of the AS-21100, operated by ITL LLC.

Figure 11. C2’s parameters

The attack is composed by a complex flow we synthesize in the following scheme:

Figure 12. Complete infection chain

The TA505 Connection

After the reconstruction of the full infection chain, we noticed strong similarities with a recent spear-phishing attack campaign against an unspecified US retail company. The attack, as stated by CyberInt, leveraged a command and control server located in Germany related to the TA505 actor: a very active group involved in cyber-criminal operation all around the world, threatening a wide range of high profile companies, active since 2014.

Figure 13. Comparison between infection chains

The comparison of the infection chains reveals in both cases the attacker used a couple of SFX stages to deploy the “RMS” software: a legitimate remote administration tool produced by the Russian company “TektonIT”. The tool is able to grant remote access and full, direct control of the infected machine to the group. Also, some code pieces are directly re-used in the  analyzed campaigns, such as the “i.cmd” and “exit.exe” files, and, at the same time, some new components have been introduced, for instance the “rtegre.exe” and the “veter1605_MAPS_10cr0.exe” file.

During the analysis, we also noticed the “veter1605_MAPS_10cr0.exe” file slightly changed run after run, a few hours after the initial discovery the infection chain dropped it with different icons, different suffix, from “cr0” to “cr24”, and appendix from “veter1605_” to “veter2005_”. This may indicate the campaign is still ongoing.


The TA505 group is one of the most active threat groups operating since 2014, it has traditionally targeted Banking and Retail industries, as we recently documented during the analysis of the “Stealthy Email Stealer” part of their arsenal. The peculiarity of this recent attack wave is it actually hit a company not strictly in the Banking or Retail sector, as they recently did, suggesting the threat group could be potentially widening their current operations.

Indicators of Compromise

Yara Rules

rule excel_dropper {
    description = "Yara rule for excel dropper"
    author = "Cybaze - Yoroi ZLab"
    last_updated = "2019-05-22"
    tlp = "white"
    category = "informational"
    $a1 = { 98 C3 AB F0 E7 F3 BD F4 }
    $a2 = { 41 6E D5 7E F0 10 AB A7 }
    $a3 = "gxbgarjktzyu"
    $a4 = "Bob Brown"

    all of them

import "pe"
rule pasmmm_exe {
    description = "Yara rule for pasmmm SFX archive"
    author = "Cybaze - Yoroi ZLab"
    last_updated = "2019-05-22"
    tlp = "white"
    category = "informational"
    $a1 = { 1C Cf 43 39 C8 32 B4 B0 }
    $a2 = { 60 6C B8 7C 5F FA }
    $a3 = "LookupPrivilege"
    $a4 = "LoadBitmap"

    pe.number_of_sections == 6 and all of them

import "pe"
rule uninstall_exe {
    description = "Yara rule for uninstall SFX archive"
    author = "Cybaze - Yoroi ZLab"
    last_updated = "2019-05-22"
    tlp = "white"
    category = "informational"
    $a1 = { E8 68 BA 01 00 51 }
    $a2 = { 58 E9 8B C6 4F 6F 7A }
    $a3 = { D9 4E D5 FA D4 34 }

    pe.number_of_resources == 24 and all of them

import "pe"
rule winserv_exe {
    description = "Yara rule for winserv backdoor"
    author = "Cybaze - Yoroi ZLab"
    last_updated = "2019-05-22"
    tlp = "white"
    category = "informational"
    $a1 = "MPRESS1"
    $a2 = { 90 C4 73 05 E6 92 }
    $a3 = { E9 64 4B 56 3F EC }
    $a4 = { 10 EF D0 E1 36 E1 14 3C }

    all of them and pe.version_info["CompanyName"] contains "tox"

import "pe"
rule veter_random {
    description = "Yara rule for veter_trojan"
    author = "Cybaze - Yoroi ZLab"
    last_updated = "2019-05-22"
    tlp = "white"
    category = "informational"
    $a = { 5E C2 04 00 F6 44 24 04 01 56 }
    $b1 = { 01 8B 02 8B 48 04 03}
    $b2 = { 4A 3B C2 7E 08 8B C2 }
    $c1 = { E8 83 CA 04 89 55 E8 }
    $c2 = { 1F DF 70 07 22 84 82 }

    $a and (($b1 and $b2 and pe.version_info["CompanyName"] contains "Miranda") or ($c1 and $c2 and pe.version_info["InternalName"] contains "DrldwgRom"))

This blog post was authored by Davide Testa, Antonio Farina and Luca Mella of Cybaze-Yoroi Z-LAB

Playing Cat and Mouse: Three Techniques Abused to Avoid Detection


During our analysis we constantly run into the tricks cyber-attackers use to bypass companies security defences, sometimes advanced, others not. Many times, despite their elegance (or lack of it), these techniques are effective and actually help the cyber criminals to get into victim computers and penetrate company networks.

This technical article aims to bring to light details of some of the techniques currently abused by various threat actors, in order to help security operators, industry and companies to mitigate their effects.

Technical Analysis

The following sections describe three cases we recently dissected, highlighting some of the tricks cyber-criminals and threat groups are currently using to avoid detection. The first two are techniques related to Office documents, used to hide malicious payload and lure the users. The third one is related to binary payloads abusing code signature tricks to evade traditional security controls.

The Broken Doc

Threatcve-2017-0199 document
Brief DescriptionDocument Dropper exploiting cve-2017-0199
Ssdeep96:Hd4+dGCbidUEd9IUfPLIuSdFpMcuGg5mLWStWiWrVMd92c SCedL0m03mbRTiqhrr:C+bcyucyMtWNYk0mqQTnhr5OARQT6

Table 1. Sample information

The first trick we dissected employs a “voluntary document corruption” to persuade the user to restore the original file and to download the malicious payload without noticing any suspicious alert. As study case we chosen a Word document containing the CVE-2017-0199 exploit, which allows the document to download and execute arbitrary code at opening time. The following figure shows the external reference towards the remote code will be executed: “hxxps://www.protectiadatelor[.biz/js/Oj1/smile.doc”.

Figure 1. External resource in the analyzed document

Normally, the opening of the weaponized document such as this one will likely alert a trained, aware user: a strange popup window alerts the presence of a “link” referring to external files.

Figure 2. Suspicious popup window

This message could be suspicious for the victim, so he could delete the document, avoiding the infection. But through the tricks we have observed, the "user warning" may be bypassed. The sample contains a carefully corruption of the document itself: some bytes have been deleted by the attacker without impacting the behavior of the exploit.

Figure 3. Corrupted document

Once the user will open the crafted file, MS Word displays a different popup message: now it reports the document is corrupted and asks to confirm its restoration. A totally different message than the previous one, letting the victim think the document is just broken.

Figure 4. Popup window reporting the impossibility of opening the document

After the “Yes” click, MS Word automatically restores the file content and starts the exploit, which will download and execute other payloads.

Hide Payload with Office Developer Mode

Other malicious documents we analyzed employ tricks to hide the real payload in MS Office developer control objects: components often not visible to the end users. In most Office installations, in fact, the developer tab is disabled by default, so it is even more difficult to identify the presence of anomalous objects.

This technique has been employed in a sample we analyzed few time ago too. At opening time the document looks like many others.

Figure 5. Classic phishing document view

However, the macro code analysis reveals that the real payload is contained elsewhere, in particular in an object named “Kplkaaaaaaaz”.

Figure 6. Part of macro code embedded in the document

This hidden object appears as a tiny text box just after the enabling of macro code (Figure 7).

Figure 7. Document’s modified view

Without enabling Word developer mode, in the appropriate Option menu, it is impossible to select and modify the object’s properties. So, after enabling it, we were able to explore the object content: the Base64 encoded payload.

Figure 8. Extracted payload

Using this strategy, the malware writer moves the identifiable payload in a section which is more difficult to detect both for automatic and manual analysis, obtaining a lower detection rate during static analysis.

Spoofed Signature

Another interesting technique abused by cyber-criminals in the wild is the "Certificate Spoofing", allowing malware to easily bypass a relevant portion of anti-virus engines, even if they employ identification techniques theoretically able to detect encrypted and packed threats. Indeed, attackers could also obtain a valid certificate for his malware stealing cryptographic keys to legit owners or leveraging rogue companies, as observed in the signed Email Stealer used by the TA505 hacker group, described in our report.

However, in many cases evading detection could require less effort: even an invalid certificate is enough to achieve the goal, such as in a recent Ursnif attack campaign (sample on Yomi Hunter).

Figure 9. Spoofed signature on Ursnif sample

Using certificate spoofing techniques an attacker may sign an arbitrary executable using an arbitrary certificate from any website. As study case, we reproduced this techniques signing a known Emotet binary leveraging the Symantec website certificate.

Brief DescriptionEmotet payload
Ssdeep1536:X6fyfENGX6yu5XLyR2zrcPSDILuhJiI9+F04OLD2DjalDxX 7CLNiu:X6ho6yuxU8Dhc++uD32azXGLN

Table 2. Sample information

Brief DescriptionEmotet payload signed using Symantec cert
Ssdeep1536:U6fyfENGX6yu5XLyR2zrcPSDILuhJiI9+F04OLD2DjalDxX7 CLNiuexK3hJw:U6ho6yuxU8Dhc++uD32azXGLNuIw

Table 3. Sample information

Figure 10. Comparison between samples without and with fake certificate

As confirmed by the Microsoft SignTool utility the file signature results invalid, as expected.

Figure 11. SignTool check reporting the certificate was invalid

However, this trick led to a decrease of the VirusTotal detection rate from 36 to 20. Even Symantec AV didn’t detect the sample as malicious!  

For the sake of correctness, as Chronicle Security states, Virustotal is not a “comparative metrics between different antivirus products”, so this result does not imply anything about the overall antivirus solutions quality. Conservatively, it provides a clue about an inner detection mechanisms, showing how attackers bypass some identification logic; not the whole AV solution.

Figure 12. Detection rate decrease thanks to certificate addition

The low-level diff analysis between the two samples confirms the certificate addition does not impact in any way the functional parts of the malware and, therefore, its behavior.

Figure 13. Comparison between samples without and with fake certificate at hex level


The shown techniques are only a part of the countless escamotage implemented by threat actors to make detection harder. We constantly observe attack attempts using these kind of tricks and we are still surprised to see how, nowadays, they can frequently decrease the detection rate, even if the tricks are well known.

We hope that a direct spotlight on few of these tricks would push the eternal cat and mouse game between security players and cyber-criminals a bit further, raising the bar and the costs for malicious attackers who are threatening users and companies.

Indicator of Compromise


This blog post was authored by Antonio Farina and Luca Mella of Cybaze-Yoroi Z-LAB

Importanti Vulnerabilità in Infrastrutture Cisco Prime

Proto: N060519.

Con la presente Yoroi desidera informarLa relativamente alla recente scoperta di una importante vulnerabilità nell’infrastruttura Cisco Prime, suite di gestione integrata per reti Enterprise locali e geografiche. La criticità è nota con l’identificativo CVE-2019-1821.

A causa di gravi lacune nella validazione degli input utente e nella restrizione degli accessi alla servlet “Health Monitor”, parte del modulo di High Availability di Cisco Prime Infrastructure (PI), un attaccante di rete non autenticato risulta in grado di caricare ed eseguire codice arbitrario direttamente sul dispositivo bersaglio, ottenendo diritti amministrativi.

Il Produttore ha confermato la problematica rilasciando il bollettino CISCO-SA-20190515-PI-RCE, dove risultano afflitte le versioni Cisco PI minori di  3.4.1, 3.5, e 3.6, e le versioni Cisco Evolved Programmable Network (EPN) Manager minori di 3.0.1. Unitamente alla vulnerabilità in oggetto, il bollettino riporta anche due pericolose criticità analoghe a quest’ultima: CVE-2019-1822 e CVE-2019-1823, sfruttabili però solo previa autenticazione utente.

Per via della potenziale centralità e criticità delle infrastrutture afflitte, del rilascio di dettagli tecnici e strumenti atti a riprodurre la problematica, Yoroi consiglia appurare che le interfacce amministrative delle infrastrutture Cisco coinvolte non siano raggiungibili da reti non fidate, e di pianificare l’applicazione degli aggiornamenti disponibili.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

The Stealthy Email Stealer in the TA505 Arsenal


During the last month our Threat Intelligence surveillance team spotted increasing evidence of an operation intensification against the Banking sector. In fact, many independent researchers pointed to a particular email attack wave probably related to the known TA505 hacking group, active since 2014 and focusing on Retail and Banking companies. The group is also known for some evasive techniques they put in place over time to avoid the security controls and penetrate corporate perimeters with several kinds of malware, for instance abusing the so called LOLBins (Living Off The Land Binaries), legit programs regularly used by victim, or also the abuse of valid cryptographically signed payloads.

Figure 1. Attack campaign spotted in the wild.

Investigating and tracking their operations during April and May we detected an interesting tool was delivered through the victim machine. Just after the opening of malicious documents and the installation of FlawedAmmy RAT implants, the group used to deploy a particular credential stealing software, part of their arsenal, revealing details of their recent operation.

Figure 2. Attack campaign spotted in the wild.

Technical Analysis

The piece of malware under analysis were downloaded from “bullettruth[.com/out[.exe”, it was executed into the victim machines after the establishment of the infection.

ThreatCustom Email Stealer
Brief DescriptionExecutable of the email stealer
Figure 3: Malware Signature by SLON LTD

Firstly, we noticed this secondary component was well protected against antivirus detection, in fact the PE file was signed by Sectigo in the first half of May, one of the major Russian Certification Authority. Analyzing the trust chain we found the attackers were relying on cryptographic keys released to a UK company named  SLON LTD. At this time, we have no evidence to hypothesize it could be victim of previous hacks or not.

Anyway, a static inspection of the binary revealed that the malware has a quite high entropy level, suggesting it may be packed.

Figure 4: Malware suspicious entropy level

Dynamically executing the malware, more information about its behaviour is revealed. The malicious executable is substantially an email stealer, in fact, the only purpose is to retrieve all the emails and passwords accounts present inside the victim machine. After executing the information gathering routine, the malware sends to its C2 all the retrieved emails and passwords:

Figure 5: HTTP POST communication

The interesting thing about the communication with the C2 is the fact that there is no encryption: the data harvested are sent to the C2 in JSON format. Investigating the attacker infrastructure we noticed interesting information such as the information of the stolen emails through our Digital Surveillance systems.

In order to retrieve more details about this Email Stealer, the analysis has moved into debugging and disassembling. As previously mentioned, the malware sample is heavily obfuscated and packed. However, by letting the malware execute itself within a debugger, we were able to extract the unpacked payload of the malware.

Figure 6: Static information about the packed sample (on the left) and the unpacked one (on the right)

As shown by the above figure, we notice a peculiarity of these two components: while the packed sample is compiled in Microsoft Visual C++ version 6.0, the unpacked one is compiled in Microsoft Visual C++ version 8. At this point, we deepen the analysis on the extracted payload. However, we are not able to execute it, because it always references many memory addresses of the original one. So, we carry on static analysis on the extracted sample.

As previously described, the malware’s principal purpose is to iterate through the filesystem looking for email accounts.. The first step is to check whether the “outlook.exe” process is running and, in this case it kills the process.The malware iterate through user processes with Process32FirstW API and then kill it with TerminateProcess:

Figure 7: Outlook process search routine

The extracted payload does not present any type of code obfuscation of other types. In fact the C2 server and the path is not encoded:

Figure 8: C2 connection routine

The last routine being analyzed is the credential harvesting inside the entire filesystem.

Apart from the routine that searches for the email account registered in Outlook and Thunderbird clients (as shown in Figure 7), there is another one which scans the filesystem looking for hardcoded extensions, then, if one of them is found, a reference to the found file is conserved inside the %TEMP% directory. At this point, all the gathered email accounts are sent to the server and then erasing  all traces of itself from the infected machine, in fact, the malware creates a simple batch script which delete itself and all the tracks of infection.

Figure 9: Autodeletion batch script

Analysis of Exposed Emails

In this paragraph are shown some statistics about the harvested emails in the attack campaign, recovered during surveillance and hunting operations. So we decided to create a graph in which sort the most frequent TLD occurrences of all the stolen data.

Figure 10: Distribution of TLD

As seen in the graph above, the most frequent TLD is .com with 193.194 occurrences, following .kr with 102.025 occurrences, .cn with 26.160 occurrences, it with 6.317 occurrences and so on. To better visualize the macro-locations involved in this exposure we built a heatmap showing the geographical distribution of the TOP 100 countries referenced in the TLDs.

Figure 11: Geolocation of emails TLD exposure

The heatmap shows the less-affected countries with a greenish color, on the contrary, the most-affected ones tend to an orange or red-tinged color. The first thing that emerges from these 2 distributions is that this specific threat seems not to be targeted, in fact, the diffusion is almost global with some red or orange zones in UK, Italy, Republic of Korea, China, Germany, Hungary, Taiwan, Japan, India and Mexico. All these countries exceeded the thousand occurrences.


Nowadays, the email accounts are an effective source of revenue for the cyber criminals. In fact all these information can be used to spread other malware through phishing campaigns, to perform BEC attacks (Business Email Compromise) and also to try credential stuffing attacks.

Evan a simple Info-Stealer malware like this one could be a dangerous threat, especially if used by organized groups  in conjunction with other malware implants. In fact, as reported by the independent researcher Germán Fernández Bacian too, this Email Stealer has been recently used by the infamous TA505 hacking group. This link means, with good confidence, the exposed data, full email accounts in some cases and email contacts in general, are now available to a cyber-criminal group who launched targeted attacks against Banks and Retail industries in the near past.

Indicators of Compromise

Yara Rules

import "pe"
rule EmailStealer_201905 {
	description = "Yara rule for EmailStealer"
	author = "Cybaze - Yoroi ZLab"
	last_updated = "2019-05-14"
	tlp = "white"
	category = "informational"
	$a1 = { 80 F2 F3 00 56 53 A7 }
	$a2 = { 4D 26 9A 00 56 4B AC 55 } 
	$a3 = { 1C 4A 77 00 00 89 B4 B7 }

	uint16(0) == 0x5A4D and pe.number_of_sections == 3 and all of them

Searched Extensions

.msf; .dat; .pst; .ost; .asp; .cdd; .cpp; .doc; .docm; .docx; .dot; .dotm; .dotx; .epub; .fb2; .gpx; .ibooks; .indd; .kdc; .key; .kml; .mdb; .mdf; .mobi; .mso; .ods; .odt; .one; .oxps; .pages; .pdf; .pkg; .pl; .pot; .potm; .potx; .pps; .ppsm; .ppsx; .ppt; .pptm; .pptx; .ps; .pub; .rtf; .sdf; .sgml; .sldm; .snb; .wpd; .wps; .xar; .xlr; .xls; .xlsb; .xlsm; .xlsx; .xlt; .xltm; .xltx; .xps; .3dm; .aspx; .cer; .cfm; .chm; .crdownload; .csr; .css; .download; .eml; .flv; .htaccess; .htm; .html; .jnlp; .js; .jsp; .magnet; .mht; .mhtm; .mhtml; .msg; .php; .prf; .rss; .srt; .stl; .swf; .torrent; .url; .vcf; .webarchive; .webloc; .xhtml; .xul; .asf; .asm; .cgi; .class; .cs; .dtd; .fla; .ged; .gv; .icl; .java; .jse; .json; .lua; .mb; .mod; .msp; .obj; .po; .ps1; .py; .sh; .sln; .so; .sql; .ts; .vbe; .vbs; .vc4; .vcproj; .vcxproj; .wsc; .xcodeproj; .xsd; .apt; .err; .log; .pwi; .sub; .ttf; .tex; .text; .txt; .accdb; .b2; .crypt; .crypt5; .crypt6; .crypt7; .crypt8; .crypt12; .db; .dbf; .dbx; .sis; .awb; .bin; .cdi; .cdr; .csv; .eap; .efx; .gam; .gbr; .gtp; .mpp; .msc; .mts; .otf; .nbk; .nbp; .ndb; .prj; .rtp; .sav; .scppy; .tax2010; .tbl; .tmp; .vcd; .xml; .xsl; .xslt; .bak; .dmp; .gho; .ghs; .v2i; .zip; .asx; .iff; .inf; .temp; .ai; .aif; .amr; .apk; .bp1; .ccd; .cdw; .dds; .dmg; .dxf; .ext; .ics; .ini; .m4p; .max; .md0; .mng; .mp3; .mpa; .msu; .nrg; .pak; .part; .pkpass; .psd; .rnd; .rom; .spl; .swb; .svg; .xla; .application; .appref; .cfg; .conf; .config; .cpl; .cue; .deskthemepack; .diagcfg; .ds_store; .iso; .pdi; .plist; .reg; .scr; .theme; .themepack; .thm

This blog post was authored by Luigi Martire, Davide Testa, Antonio Pirozzi and Luca Mella of Cybaze-Yoroi Z-LAB

Vulnerabilità Critica in Servizi Remote Desktop (BlueKeep)

Proto: N050519.

Con la presente Yoroi desidera informarLa relativamente alla recente scoperta di una gravissima vulnerabilità nei servizi di Remote Desktop all’interno dei sistemi Microsoft. La criticità è nota con l’identificativo CVE-2019-0708 ed è referenziata con l'alias "BlueKeep".

La problematica è causata da lacune nella gestione della memoria all’interno delle componenti di sistema Terminal Services, attraverso le quali un attaccante di rete può eseguire codice arbitrario e prendere il controllo della macchina bersaglio, senza alcuna autenticazione.

Il Produttore ha confermato la problematica attraverso appositi bollettini di sicurezza, nel quale ha reso disponibili aggiornamenti per sistemi operativi Windows 7, Windows Server 2008, Windows Server 2008 R2 (32bit e 64bit). Risultano afflitte anche le versioni Windows fuori supporto quali XP SP3, XP Professional SP2, XP Embedded SP3 e Windows Server 2003 SP2.

Figura. Esposizione internet servizio RDP (Fonte:ShodanHQ)

Per via della potenziale diffusione dei sistemi afflitti, della loro possibile esposizione Internet e dell’alto rischio di sfruttamento da parte di gruppi criminali opportunistici, Yoroi consiglia caldamente di pianificare l’applicazione delle patch di sicurezza a disposizione e di disabilitare i servizi Remote Desktop qualora non necessari.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Importante Vulnerabilità in Kernel Linux

Proto: N040519.

Con la presente Yoroi desidera informarLa relativamente alla recente scoperta di una importante vulnerabilità all’interno del Kernel Linux, cuore di numerosi Sistemi Operativi utilizzati in dispositivi IoT, server applicativi, attrezzature ed apparati di rete. La criticità è nota con l’identificativo CVE-2019-11815.

La problematica è originata da lacune nella gestione della memoria all’interno dello stack TCP/IP, che implementa le funzionalità di connettività poi fruite da applicativi e servizi. Inviando particolari sequenze di pacchetti di rete, un attaccante senza alcuna autenticazione può essere in grado di scatenare condizioni di disservizio sui dispositivi stesso o, nel peggiore dei casi, eseguire codice arbitrario all’interno delle macchine bersaglio.

La problematica è stata confermata dal Manutentore, il quale ha rilasciato opportune patch in grado di mitigare la criticità per le versioni Linux Kernel anteriori a 5.0.8. Al contempo, Vendor di Sistemi Operativi Linux-based come Red Hat, Ubuntu, SUSE e Debian stanno vagliando la problematica e recependo le patch rilasciate dal Manutentore.

A questo proposito, Yoroi suggerisce di monitorare la disponibilità di aggiornamenti di sistema per il Vostro parco macchine Linux, pianificandone l’applicazione qualora necessario.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Vulnerabilità Sharepoint Sotto Attacco

Proto: N030519.

Con la presente Yoroi desidera informarLa relativamente al recente rilevamento di attacchi rivolti ad istanze Microsoft Sharepoint, nota piattaforma collaborativa utilizzata sia in ambienti SMB che Enterprise per la condivisione e gestione di knowledge base aziendali. La criticità presa di mira è nota con l’identificativo CVE-2019-0604.

La vulnerabilità è causata da lacune nella validazione dei “markup” all’interno dei pacchetti applicativi Sharepoint. Tale condizione può essere sfruttata da un attaccante in possesso di apposite utenze sharepoint attraverso le quali può eseguire codice arbitrario all’interno del server, compromettendone la sicurezza.

Ricercatori di terze parti hanno recentemente rilevato tentativi di attacco verso questa particolare vulnerabilità degli applicativi Sharepoint, pertanto Yoroi consiglia caldamente di verificare lo stato di aggiornamento delle infrastrutture server Sharepoint eventualmente in uso presso le vostre reti, di valutarne l’esposizione e di applicare gli aggiornamenti di sicurezza resi disponibili dal Produttore.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Yoroi Cyber Security Annual Report 2018

In 2018 cyber-security experts observed an increased number of cyber attacks, malware endure to be the most aggressive and pervasive threat. For this reason, analyzing the last year occurred events would help cyber-security professionals to prevent further attacks during the next few months. In many cases the attacks reached a very high sophistication levels, both nation-state cyber espionage groups and cyber crime organizations carried out attacks that had a severe impact on the victims. This is just the tip of the iceberg since in many cases organizations are not able to detect threats allowing them to cause huge damage on their infrastructure.

Yoroi Cyber-security Report analyzes the evolution of the threat landscape observed between January 2018 and December 2018. Differently from other reports published by many security firms, this analysis focuses on threats detected by Yoroi Cyber-Security Sensors standing behind Customers infrastructures. Every single attack and/or threat has been managed by the experts at Yoroi.

The report provides a unique point of view because it describes threats and attacks that have bypassed security measures implemented by the targets. Those data are not coming from OSINT or CLOSINT, but have been collected directly from the customer side.The report is divided into sections. Each section is atomic and could be read independently from each other section. Section 1 describes the evolution of the malware in the threat landscape in the past twelve months. it also includes a special focus on 0-Day Malware and their propagation methods.

Section 2 reports observed data from the attacks surface focusing on IP addresses analysis and ASNs involved in the attacks. Section 3 describes the “blocked attacks” through Yoroi DNS protection during the year, while Section 4 describe Dark-Net activities observed by our researchers. Dark-nets are abused for many malicious purposes, they can be abused to hide command and control infrastructure or to carry out an attack attempting to remain anonymous. This section provides data on the attacks originated from resources hidden in the dark-nets and communications from customers infrastructures to dark-nets, likely associated with malware activity. Section 5 includes a wide analysis on data leaks discovered using the Yoroi Digital Surveillance and finally the Section 6 describes new trends on attacks techniques and operations.

Download the Yoroi Cyber Security Report 2018

Figure. Major e-crime malware activities observed during Yoroi’s monitoring operations within Italian landscape

Yomi Hunter Joined the VirusTotal Sandbox Program!

We are pleased to announce that Yomi the Malware Hunter has successfully completed the on-boarding in the VirusTotal MultiSandbox Program!

Official VirusTotal Announce:

Yoroi can now contribute to the fight against malware threats sharing its TLP:WHITE analysis with Chronicle Security, the Alphabet’s subsidiary author of the notorious VirusTotal Threat Intelligence platform: one of the most widely used community platforms all around the world. The Yomi analysis reports will be available on the “Behavior tab” of the VirusTotal analysis page.

Figure. Yomi Hunter report on VirusTotal

By clicking the “Full report”, every VT community user can now access the analysis report generated by the Yomi Sandbox, accessing fine grain details about malware execution, dropped files, https traffic, registry edits, spawned commands and system calls invocations. Including the MITRE ATT&CK™ matrix summarizing the key points of the malware attack.

Figure. Extracted MITRE ATT&CK™ matrix


If you want to try Yomi: The Malware Hunter please register here!


Campagna Gootkit verso PEC Italiane

Proto: N020519.

Con la presente Yoroi desidera informarLa relativamente ad una pericolosa campagna di attacco in corso ai danni di Organizzazioni italiane. Sono state infatti intercettate email dirette a caselle di Posta Elettronica Certificata (PEC) contenenti allegati infetti. I messaggi tentano di ingannare l’utente simulando comunicazioni legate a problematiche amministrative, tuttavia al loro interno sono presenti script VBS in grado di infettare la vittima con un impianto malware della famiglia Gootkit: minaccia capace di intercettare le comunicazioni di rete, tra cui le sessioni di home-banking sui principali portali bancari italiani, smart-card inserite e digitazioni utente.

Figura. Esempio PEC fraudolenta.

Di seguito si riportano gli indicatori di compromissione estratti:

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

ATMitch: New Evidence Spotted In The Wild


In the first days of April, our threat monitoring operations spotted a new interesting malware sample possibly active in the wild since 2017. Its initial triage suggests it may be part of an advanced attacker arsenal targeting the Banking sector, possibly related to the same APT group Kaspersky Lab tracked two years ago after the compromise of a Russian bank, where a particular malware tool dubbed ATMitch has been unveiled. In the past, this piece of malware was manually installed on the victim ATM after a wide enterprise network intrusion, enabling the cyber-criminals  to manipulate the cash-withdrawal process on the machine.

The recent, unattended discovery of such kind of sample within the Info-Sec community led us to a deep dive into this particular malware tool, spearhead of a sophisticated cyber arsenal.

Technical Analysis

The executable sample is a PE32 x86 file named “tester.exe”. It seems to be custom loader for the real malicious payload able to take control of the target machine.

ThreatATMitch ATM malware
Brief descriptionATMitch initial loader

Table 1: Information about Dropper/Loader of ATMitch

The static data about this sample reveal the sample has been compiled on 8th Oct 2017, months later than the Kaspersky disclosure of the ATMitch attack operation. This element is not enough to date the sample with 100% accuracy due to possible tampering, anyway the other static details suggest the date could be genuine due to the absence of scrambled artifacts.

Figure 1: Payload as resource of the Loader

When started, the executable creates a new folder on “C:\intel” and then starts inspecting all the running processes. It looks for a really particular one: “fwmain32.exe”. This lookup reveals how deeply environmental aware is this implant. In fact, the “fwmain32” process is part of the software services produced by Wincor Nixdorf International GmbH, one of the major vendors providing retail and banking hardware such as ATMs.

Figure 2: Research of “fwmain32.exe” process by malware

Once the “fwmain32.exe” process is found, the loader injects the actual payload in its own memory, infecting it. The payload DLL, initially stored into the loader resources section, will be implanted into the target process using the “SetThreadContext” injection technique (Thread Hijacking).

Figure 3: Complete Thread Hijacking flow

The figure above shows the sample calls on the OpenThread and the SuspendThread functions to pause the current execution. After allocating the right memory amount in the target process, it writes the shellcode target memory space using the WriteProcessMemory function and sets up the new process context with SetThreadContext. Finally, using the ResumeThread function the payload is able to start its malicious execution.

When the loader succeeded to inject the payload into the “fwmain” process, it also shows a popup window reporting the outcome of the injection phases.

Figure 4: Prompt window reporting the log of the injection phase

ATMitch Payload

ThreatATMitch ATM malware
Brief descriptionATMitch payload

Table 2: Information about the payload (DLL contained as resource in the Dropper/Loader)

The injected DLL has a very characteristic dependency: it requires the “msxfs.dll”. This library provides access to the EXtension for Financial Service (XFS) API, the communication interface needed to interact with AMT components such as PIN pad and cash dispenser. Again, this is a very particular dependency can only be resolved on special purpose Windows environment, like the Wincor machines.

Figure 5: “msxfs.dll”, library required by malware to communicate with ATM device

The malware is quite simple: it reads commands from a file included into “c:\intel” folder and interacts with the ATM drivers in order to retrieve information about the current amount and to dispense money at the right time. In the following screen is shown a function used to initiate the communication with the PinPad and Dispenser ATM components.

Figure 6: Discovering of PinPad and Dispenser components

Using the functions provided by “msxfs.dll” library, the malware can easily interact with these components. For example, using the WFSExecute function it is possible to send one of the supported commands to the dispenser, like OPEN_SHUTTER or OPEN_SAFE_DOOR.

Figure 7: Part of commands accepted by ATM

In the specific case, the malware uses the function to dispense money through the command WFS_CMD_CDM_DISPENSE, as shown in figure:

Figure 8: Command “WFS_CMD_CDM_DISPENSE” used by malware to dispense money

The core of the malware is the following switch structure: after reading the new command from the specific file, it compares the command code with the embedded ones, such as “code 2” for retrieving information or “code 7” for dispensing money.

Figure 9: Malware’ switch structure

Moreover, the malware provides a well-structured logging system: all actions are traced and logged into “c:\intel\__log.txt”. In relation to the action that needs to be logged, it is able to set a specific logging level (FATAL, ERROR, DEBUG etc.).

Figure 10: Logging-level of the malware logging system


This recently discovered ATMitch sample is one of the key assets used by advanced attackers during bank cyber-robberies, potentially even by the Carbanak or the GCMAN group. Who manually install it within segregated hosts and write commands directly into the target machine, without any command and control traffic. The usage of Remote Desktop to directly connect to the target machine is also supported by the presence of a prompt window (Figure 4) which shows the correct execution of the first stage. Probably the last steps of an attack flow involving ATMitch are the following:

  1. The attacker connects to the ATM machine using Remote Desktop;
  2. The attacker transfers the loader EXE and runs it: the prompt window shows if everything went well;
  3. The attacker deletes the initial file in order to remove tracks;
  4. The attacker writes commands in the appropriate file;
  5. The malware executes the new commands and writes in the log file;
  6. The attacker examines the log file to know the state of the command execution.

So, the eventual presence of this malware could be the tip of the iceberg of a more complex and articulated attack perpetrated by advanced cyber-criminals.

Indicators of Compromise


Yara Rules

import "pe"
rule ATMitch {
  	  description = "Yara Rule for ATMitch Dropper/Payload"
  	  author = "ZLAB Yoroi - Cybaze"
  	  last_updated = "2019-05-03"
  	  tlp = "white"
  	  category = "informational"

      	$str1 = {4A 75 E6 8B C7 8B 4D FC}
    	 $str2 = {EC 53 8D 4D DC 88}
      	$str3 = "MSXFS.dll"
      	$str4 = "DISPENSE"
     	$str5 = "PinPad"
      	$str6 = "cash"
      	$str7 = {40 59 41 50 41 58 49 40 5A}
      	$str8 = "WFMFreeBuffer"

   	pe.number_of_sections == 4 and pe.number_of_resources == 3 and $str1 and $str2 or $str3 and $str4 and $str5 and $str6 and $str7 and $str8

This blog post was authored by Antonio Farina, Davide Testa, Antonio Pirozzi and Luca Mella of Cybaze-Yoroi Z-LAB