Archive for January, 2019

Rewterz Threat Alert – New LockerGoga Ransomware used in Cyber Attacks in Multiple Countries

SEVERITY: Medium

CATEGORY: Cyber Crime

ANALYSIS SUMMARY

The new LockerGoga ransomware was found in a cyber attack on the French engineering consultancy Altran Technologies.

The distribution method of this ransomware is not yet known. Once executed, it targets DOC, DOT, WBK, DOCX, DOTX, DOCB, XLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX and PDF files. Samples of this ransomware have been uploaded from Romania and the Netherlands, and victims have been observed in five different countries.

The ransomware can spread laterally through network connections and network shares, resulting in widespread file encryption. Some researchers described it as a sloppy, slow ransomware that makes no attempt to evade detection: it spawns a new process for each file it encrypts, which makes encryption very slow. Once a file is encrypted, the extension .locked is appended to it, and a ransom note is left on the desktop:

[Image not reproduced in this archive: LockerGoga ransom note]

Bleeping Computer suggests that the first YARA rule published by Security Researcher V should be used when trying to detect this family of infections, in order to protect organizations from the LockerGoga ransomware.

INDICATORS OF COMPROMISE

Filename

  • worker32
  • bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f_wQkb8SOVnc[.]bin
  • svch0st[.]5817[.]exe
  • svch0st[.]11077[.]exe

Email Address

  • CottleAkela[@]protonmail[.]com
  • QyavauZehyco1994[@]o2[.]pl

Malware Hash (MD5/SHA1/SHA256)

  • bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f
  • 52340664fe59e030790c48b66924b5bd
  • 73171ffa6dfee5f9264e3d20a1b6926ec1b60897

REMEDIATION

Block the threat indicators at their respective controls and keep your systems up to date. Since the attack vector is still unknown, running products with known vulnerabilities increases the risk of compromise by a malicious entity.


Rewterz Threat Advisory – Google Releases Security Updates for Chrome Multiple Vulnerabilities

SEVERITY: HIGH

CATEGORY: Vulnerability

ANALYSIS SUMMARY

Google has released security updates for Google Chrome addressing multiple vulnerabilities that an attacker could exploit to take control of an affected system. The new version for Windows, Mac and Linux contains 58 security fixes. The following vulnerabilities, ranging from Medium to High severity, have been addressed:

  • CVE-2019-5754: Inappropriate implementation in QUIC Networking
  • CVE-2019-5755: Inappropriate implementation in V8
  • CVE-2019-5756: Use after free in PDFium
  • CVE-2019-5757: Type Confusion in SVG
  • CVE-2019-5758: Use after free in Blink
  • CVE-2019-5759: Use after free in HTML select elements
  • CVE-2019-5760: Use after free in WebRTC
  • CVE-2019-5761: Use after free in SwiftShader
  • CVE-2019-5762: Use after free in PDFium
  • CVE-2019-5763: Insufficient validation of untrusted input in V8
  • CVE-2019-5764: Use after free in WebRTC
  • CVE-2019-5765: Insufficient policy enforcement in the browser
  • CVE-2019-5766: Insufficient policy enforcement in Canvas
  • CVE-2019-5767: Incorrect security UI in WebAPKs
  • CVE-2019-5768: Insufficient policy enforcement in DevTools
  • CVE-2019-5769: Insufficient validation of untrusted input in Blink
  • CVE-2019-5770: Heap buffer overflow in WebGL
  • CVE-2019-5771: Heap buffer overflow in SwiftShader
  • CVE-2019-5772: Use after free in PDFium
  • CVE-2019-5773: Insufficient data validation in IndexedDB
  • CVE-2019-5774: Insufficient validation of untrusted input in SafeBrowsing
  • CVE-2019-5775: Insufficient policy enforcement in Omnibox
  • CVE-2019-5776: Insufficient policy enforcement in Omnibox
  • CVE-2019-5777: Insufficient policy enforcement in Omnibox
  • CVE-2019-5778: Insufficient policy enforcement in Extensions
  • CVE-2019-5779: Insufficient policy enforcement in ServiceWorker
  • CVE-2019-5780: Insufficient policy enforcement
  • CVE-2019-5781: Insufficient policy enforcement in Omnibox
  • CVE-2019-5782: Inappropriate implementation in V8

Other issues addressed in the update include:

  • Use after free in FileAPI
  • Use after free in Mojo interface
  • Use after free in Payments
  • Stack buffer overflow in Skia

Attackers can exploit these issues to execute arbitrary code in the context of the browser, bypass security restrictions and possibly take control of a system.

IMPACT

Code Execution
Security Bypass
System Access

REMEDIATION

Update to the latest version, Chrome 72.0.3626.81 for Windows, Mac and Linux, which contains a number of fixes and improvements.

If you think you’re a victim of a cyber-attack, immediately send an email to soc@rewterz.com.


Rewterz Threat Alert – Phishing Awareness For Employees and Customers of the Banking Industry

SEVERITY: High

CATEGORY: Phishing

ANALYSIS SUMMARY

Given the recent phishing campaigns observed attacking employees of the banking sector in Pakistan, it is highly likely that the same phishing attacks are also targeting bank customers. It is therefore suggested to urgently run awareness programs for employees as well as customers.

Phishing emails are fake emails that falsely claim the identity of a legitimate organization in order to steal credentials or personal information. Phishing mainly uses popular communication tools such as email, instant messaging and peer-to-peer communication, either obtaining sensitive information directly or luring victims into visiting fake websites.

The fake websites usually look very similar to the legitimate websites of the respective banks and cannot be recognized as malicious by an unsuspecting user. Information entered on such sites, such as usernames and passwords, can be used to carry out fraudulent activities like unauthorized transactions, or can be sold to fraud groups for further malicious activity.

IMPACT

Information Disclosure
Credential Theft
Account Compromise
Fraudulent Transactions

REMEDIATION

  • Do not share your account information (user name, password, account number, etc.) with anyone. Your bank already has your information and will never demand sensitive information via email.
  • Disable all kinds of auto-download options for incoming files and documents.
  • Your account will never be closed automatically, even if you have previously ignored your bank’s emails. Any email warning you about closure of your account is fake.
  • Never click a link or pop-up message received in an email to access your account. It is likely to redirect you to a fake log-in page.
  • If you want to access your online account, carefully type the legitimate URL in the browser address bar instead of following links.
  • Set up real-time scanning for viruses and automatic updates of virus definitions.
  • Before processing transactions, bank employees should verify all transaction requests received via alerts such as SMS or email that appear to come from the bank.
  • Be very careful when entering login information on any web page, and never try to log in on a site which you did not open intentionally.
  • If you receive any email or text that looks suspicious, immediately report it to the concerned bank.

Rewterz Threat Alert – GandCrab and Ursnif Campaign Observed in the Wild

SEVERITY: Medium

CATEGORY: Phishing

ANALYSIS SUMMARY

A campaign has been observed distributing both Ursnif malware and GandCrab ransomware via malicious Word documents attached to phishing emails. The Word documents contain a VBS macro that executes a base64-encoded PowerShell script, which retrieves the files associated with the GandCrab and Ursnif infections. The first payload downloaded and executed is a PowerShell command that downloads an additional PowerShell script; this script contains a base64-encoded PE file, which it injects into memory for execution. The PE file was identified as a variant of the GandCrab ransomware. The second payload downloaded and executed via the VBS macro is the Ursnif executable, which is used for malicious activities such as gathering system information and harvesting credentials.
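Two behaviours described on this page can be caught from ordinary endpoint process and file telemetry: LockerGoga spawning a new process for every file it encrypts and appending .locked (first alert above), and a Word macro launching a base64-encoded PowerShell script (this alert). The following Python is an added example written for this archive, not code from Rewterz or from either alert. The pipe-delimited event format, the thresholds and the sample events are constructed assumptions; the svch0st.11077.exe image name is taken from the LockerGoga filename indicators. The decoder handles the UTF-16LE base64 that PowerShell’s -EncodedCommand expects, and the burst rules flag a single parent that spawns children, or renames files to .locked, faster than a document-editing user ever would.

```python
"""Added example: detection logic over constructed endpoint telemetry."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample command: a harmless Write-Output, encoded the way
# PowerShell's -EncodedCommand expects it (base64 over UTF-16LE).
ENCODED = base64.b64encode(
    "Write-Output 'constructed sample'".encode("utf-16-le")).decode()

# Constructed telemetry (not real victim data). Fields:
# timestamp|event|parent_image|image|command_line (proc) or new_name (rename)
SAMPLE_EVENTS = "\n".join(
    [
        "2019-01-24T10:00:01|proc|explorer.exe|WINWORD.EXE|WINWORD.EXE invoice.doc",
        f"2019-01-24T10:00:03|proc|WINWORD.EXE|powershell.exe|powershell.exe -nop -w hidden -enc {ENCODED}",
        "2019-01-24T10:05:00|proc|explorer.exe|powershell.exe|powershell.exe -File backup.ps1",
    ]
    # A process-per-file burst like the one described for LockerGoga: the same
    # parent spawns a worker for each document and renames it to .locked.
    + [f"2019-01-24T10:07:{i // 10:02d}|proc|svch0st.11077.exe|svch0st.11077.exe|svch0st.11077.exe -i doc{i}.docx"
       for i in range(40)]
    + [f"2019-01-24T10:07:{i // 10:02d}|rename|svch0st.11077.exe|doc{i}.docx|doc{i}.docx.locked"
       for i in range(40)]
)

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Matches -e, -ec, -enc, -EncodedCommand (any prefix spelling) plus a base64 blob.
ENC_FLAG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)


def parse_events(text):
    """Parse the pipe-delimited sample format into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, parent, image, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "parent": parent.lower(), "image": image.lower(),
                       "detail": detail})
    return events


def decode_encoded_command(blob):
    """Decode an -EncodedCommand value; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_office_to_encoded_powershell(events):
    """Office application spawning PowerShell with an encoded command."""
    hits = []
    for e in events:
        if e["event"] != "proc" or e["parent"] not in OFFICE_APPS:
            continue
        if e["image"] != "powershell.exe":
            continue
        m = ENC_FLAG.search(e["detail"])
        if m:
            hits.append((e["ts"].isoformat(), decode_encoded_command(m.group(1))))
    return hits


def detect_spawn_burst(events, threshold=20, window=timedelta(seconds=5)):
    """Parents that spawn at least `threshold` children inside `window`."""
    by_parent = defaultdict(list)
    for e in events:
        if e["event"] == "proc":
            by_parent[e["parent"]].append(e["ts"])
    flagged = {}
    for parent, stamps in by_parent.items():
        stamps.sort()
        j, peak = 0, 0
        for i, t in enumerate(stamps):       # sliding window over sorted times
            while t - stamps[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            flagged[parent] = peak
    return flagged


def detect_locked_rename_burst(events, threshold=20):
    """Parents that rename at least `threshold` files to the .locked extension."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "rename" and e["detail"].lower().endswith(".locked"):
            counts[e["parent"]] += 1
    return {p: n for p, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(detect_office_to_encoded_powershell(evs))
    print(detect_spawn_burst(evs))
    print(detect_locked_rename_burst(evs))
```

The thresholds are starting points, not tuned values: a build server legitimately spawns many children per second, so the spawn-burst rule is most useful in combination with the .locked rename rule, while the Office-parent rule stands on its own because a document has very little legitimate reason to start an encoded PowerShell session.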

Impact

Leakage of system information
Loss of credentials

INDICATORS OF COMPROMISE

URLs

bevendbrec[.]com
iscondisth[.]com

Malware Hash (MD5/SHA1/SHA256)

c064f6f047a4e39014a29c8c95526c3fe90d7bcea5ef0b8f21ea306c27713d1f
d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525
0a3f915dd071e862046949885043b3ba61100b946cbc0d84ef7c44d77a50f080

Remediation

Block all URLs and IoCs at your respective controls.
Ensure antivirus software and associated files are up to date.
Always be suspicious of emails sent to users from unknown senders.


Rewterz Threat Alert: Fresher Phishing Campaigns Targeting Pakistani Bank Employees

SEVERITY: Medium

CATEGORY: Phishing

ANALYSIS SUMMARY

Following the previous two phishing campaigns that spoofed Summit Bank and Bank Al-Habib, the streak continues with two fresher campaigns targeting bank employees in Pakistan. This time the attackers spoofed Faysal Bank’s internet banking site and Standard Chartered Bank. The email claiming to come from Faysal Bank looks like this:

[Image not reproduced in this archive: phishing email spoofing Faysal Bank]

On clicking “Click Here Now”, users are redirected to a malicious URL that looks very similar to the legitimate internet banking site of Faysal Bank. An unsuspecting user is unlikely to tell the fake site apart from the original.

[Image not reproduced in this archive: fake Faysal Bank internet banking page]

The second campaign of the day fakes the identity of Standard Chartered Bank and has targeted more than a hundred bank employees in Pakistan. The email pretending to come from Standard Chartered Bank looks like this:

[Image not reproduced in this archive: phishing email spoofing Standard Chartered Bank]

The hyperlink in this email also redirects to a URL which again looks similar to the legitimate site.

[Image not reproduced in this archive: fake Standard Chartered Bank login page]

However, this time the site asks for more information than just credentials. Once the information is submitted, the user is redirected to the login page of the bank’s genuine website, without being logged in.

Impact

Credential Theft
Exposure of Personal Information

Indicators of Compromise

URLs

https[:]//cbd9[.]net/images/query/faysalmobit/faysalmobit[.]php
http[:]//blayzercommerce[.]com/wp-content/themes/twentysixteen/schartered/schartered[.]html

Email Address

noreplymobit[@]faysalbank[.]com[.]pk
iBanking[.]Pakistan[@]sc[.]com

Email Subject

Faysal Bank Account Locked
Standard Chartered Bank – Account Locked

Remediation

The number of phishing campaigns targeting bank employees in Pakistan while spoofing the identity of banks has now reached four. It is advised to strictly avoid opening irrelevant or unexpected emails, attachments and URLs, even if the source looks as legitimate as a financial organization.


Rewterz Threat Alert: The Cobalt gang exploiting Google App Engine to distribute malware through PDF decoy documents

SEVERITY: HIGH

CATEGORY: DATA BREACH

ANALYSIS SUMMARY

Known for targeting financial organizations, the Cobalt gang has resurfaced with another malware-dropping campaign. About 42 targets in the financial and banking sector around the world have been attacked by this campaign, which drops malware via PDF decoys using Google App Engine on the Google Cloud Platform (GCP).

The attackers abuse a GCP URL redirection inside the PDF decoys to send victims to the malicious URL hosting the payload.

The URL delivering the malware uses Google App Engine as its visible host, which makes it appear more trustworthy to the targets. Most of the PDFs involved were created with Adobe Acrobat 18.0. The PDF decoy downloads a Word document containing obfuscated macro code; this document was downloaded from the URL https://transef[.]biz.

Once the download is complete, opening the document shows a message asking the user to enable editing and content in order to view it. When the option is enabled, the macro executes and downloads the next-stage payload.
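The redirection step described above can be checked mechanically: the visible host is appengine.google.com, but the continue parameter of the /_ah/logout endpoint carries the real destination. The Python below is an added example written for this archive, not code from Rewterz or from the Cobalt gang research it summarizes. It refangs the two App Engine URLs listed under the indicators of compromise below, extracts the redirect target and reports whether it leaves Google-owned hosts. The trusted-suffix list and the third, benign-looking control URL are assumptions made for the example, not a documented Google allow-list.

```python
"""Added example: inspect App Engine logout redirects (continue=) for
off-Google destinations, the abuse pattern described in the Cobalt alert."""
from urllib.parse import parse_qs, urlsplit

# Suffixes assumed to be Google-owned for this example (an assumption, not an
# authoritative list): a continue= that lands here is not an off-site redirect.
TRUSTED_SUFFIXES = ("google.com", "googleusercontent.com", "appspot.com")

# The first two URLs are the defanged indicators from the alert; the third is
# a constructed, benign-looking control so the check also shows a negative.
SAMPLE_URLS = [
    "hxxps://appengine.google[.]com/_ah/logout?continue=https%3A%2F%2Ftransef[.]biz%2FDoc102018[.]doc",
    "https://appengine.google[.]com/_ah/logout?continue=https%3A%2F%2Fswptransaction-scan2034[.]s3[.]ca-central-1[.]amazonaws[.]com%2FDoc102018[.]doc",
    "https://appengine.google.com/_ah/logout?continue=https%3A%2F%2Fconsole.cloud.google.com%2F",
]


def refang(url):
    """Undo the defanging conventions used in IoC lists."""
    return (url.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[.]", ".").replace("[:]", ":").replace("[@]", "@"))


def is_trusted_host(host):
    """True when the host equals or is a subdomain of a trusted suffix."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def analyze_redirect(url):
    """Describe an App Engine logout redirect, or None if the URL is not the
    /_ah/logout endpoint on appengine.google.com."""
    parts = urlsplit(refang(url))
    if parts.hostname != "appengine.google.com" or parts.path != "/_ah/logout":
        return None
    # parse_qs percent-decodes the value, turning %3A%2F%2F back into ://
    target = parse_qs(parts.query).get("continue", [None])[0]
    if not target:
        return None
    tparts = urlsplit(target)
    host = tparts.hostname or ""
    return {
        "target": target,
        "host": host,
        "off_google": not is_trusted_host(host),
        "document": tparts.path.rsplit("/", 1)[-1],
    }


def flag_off_google_redirects(urls):
    """Keep only URLs whose continue= leaves Google-owned hosts."""
    flagged = []
    for url in urls:
        info = analyze_redirect(url)
        if info and info["off_google"]:
            flagged.append((url, info["host"], info["document"]))
    return flagged


if __name__ == "__main__":
    for url, host, doc in flag_off_google_redirects(SAMPLE_URLS):
        print(f"off-Google redirect to {host} fetching {doc}")
```

The same check works on proxy or mail-gateway logs: any appengine.google.com/_ah/logout request whose decoded continue value points at a host outside the organization’s trusted set deserves a look, regardless of how reputable the visible domain is.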

IMPACT

Code Execution
Malware Infection

INDICATORS OF COMPROMISE

URLs

  • pace[.]edu
  • ulaval[.]ca
  • metacase[.]eu
  • ivywise[.]com
  • transef[.]biz
  • ebf[.]eu[.]com
  • hxxps://appengine.google[.]com/_ah/logout?continue=https%3A%2F%2Ftransef[.]biz%2FDoc102018[.]doc
  • https://appengine.google[.]com/_ah/logout?continue=https%3A%2F%2Fswptransaction-scan2034[.]s3[.]ca-central-1[.]amazonaws[.]com%2FDoc102018[.]doc

FILENAME

  • fr[.]txt

EXTENSION

.eml

EMAIL ADDRESS

  • jk01814n[@]pace[.]edu
  • benoit[.]filion[.]2[@]ulaval[.]ca
  • alexandre[.]custeau[.]1[@]ulaval[.]ca
  • dominique[.]denis-berube[.]1[@]ulaval[.]ca
  • helpdesk[@]metacase[.]eu
  • adrienne[@]ivywise[.]com
  • info[@]ebf[.]eu[.]com
  • sec[@]ebf[.]eu[.]com
  • r[.]evans[@]ebf[.]eu[.]com

REMEDIATION

  • Block the threat indicators at their respective controls.
  • Warn users against opening untrusted attachments, regardless of their extensions or filenames.
  • Warn users not to execute any file without first confirming that it is not malicious.
  • Un-check the option “Remember this action for this site for all PDF documents” in the PDF reader software. A default-allow policy can result in malware being downloaded even from trusted sites like Google App Engine.

Copyright © Rewterz. All rights reserved.