Archive for February, 2019

Rewterz Threat Advisory – CVE-2019-6974 – Linux Kernel KVM “kvm_ioctl_create_device()” Use-After-Free Vulnerability

Severity

Medium

Analysis Summary


A use-after-free vulnerability was found in the way the Linux kernel’s KVM hypervisor implements its device control API. While creating a device via kvm_ioctl_create_device(), the device holds a reference to a VM object; this reference is later transferred to the caller’s file descriptor table. If that file descriptor were closed, the reference count of the VM object could drop to zero, potentially leading to a use-after-free. A user or process could use this flaw to crash the guest VM, resulting in a denial of service, or potentially to gain privileged access to the system.
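The ordering problem the summary describes, modelled in user-space C as an added example for this page (it is not kernel code and not the KVM patch itself; struct vm, the one-slot fd_table and the race flag are stand-ins constructed for illustration). The racy function publishes the device through the fd table before taking its reference on the VM, so a close() landing in that window drops a reference that was never taken and the later get runs against a freed object; the fixed function takes the reference before the handle is visible and gives it back on the error path:

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of a reference-counted VM object. Instead of really freeing it we
 * set 'freed', so a stale access can be observed safely; in the kernel this
 * is the point where the memory goes back to the allocator. */
struct vm {
    int refcount;
    int freed;
    int uaf_events;   /* accesses after "free": the bug we want to see */
};

static void vm_get(struct vm *v) {        /* stands in for kvm_get_kvm() */
    if (v->freed) { v->uaf_events++; return; }
    v->refcount++;
}

static void vm_put(struct vm *v) {        /* stands in for kvm_put_kvm() */
    if (v->freed) { v->uaf_events++; return; }
    if (--v->refcount == 0) v->freed = 1; /* last reference gone: "kfree" */
}

/* A device that holds a reference to the VM it belongs to. */
struct device { struct vm *owner; };

/* One-slot stand-in for the caller's file descriptor table. */
struct fd_table { struct device *slot; };

/* Runs when the device fd is closed: the device drops the reference it holds. */
static void device_release(struct device *dev) {
    vm_put(dev->owner);
    free(dev);
}

static void fd_close(struct fd_table *t) {
    if (t->slot) { device_release(t->slot); t->slot = NULL; }
}

/* Buggy ordering: the device becomes reachable through the fd table before
 * its reference on the VM is taken. 'race' simulates another thread closing
 * the new fd inside that window. Returns 0 on success, -1 on failure. */
static int create_device_racy(struct vm *v, struct fd_table *t, int race) {
    struct device *dev = calloc(1, sizeof *dev);
    if (!dev) return -1;
    dev->owner = v;
    if (t->slot) { free(dev); return -1; }  /* table full: nothing to undo */
    t->slot = dev;           /* fd is now live for every thread */
    if (race) fd_close(t);   /* release() drops a reference nobody took */
    vm_get(v);               /* too late: may run against a freed VM */
    return 0;
}

/* Fixed ordering: take the reference first, publish second, and return the
 * reference if publishing fails. */
static int create_device_fixed(struct vm *v, struct fd_table *t, int race) {
    struct device *dev = calloc(1, sizeof *dev);
    if (!dev) return -1;
    dev->owner = v;
    vm_get(v);               /* reference exists before anyone can close it */
    if (t->slot) { vm_put(v); free(dev); return -1; }  /* error path undoes it */
    t->slot = dev;
    if (race) fd_close(t);   /* release() drops exactly the reference taken */
    return 0;
}

struct outcome { int refcount; int uaf_events; };

/* Drive one scenario: the VM starts with a single reference (its own fd),
 * the device is created, and the device fd is closed either inside the race
 * window or in an orderly way afterwards. */
static struct outcome run_scenario(int fixed, int race) {
    struct vm v = { 1, 0, 0 };
    struct fd_table t = { NULL };
    struct outcome o;
    if (fixed) create_device_fixed(&v, &t, race);
    else       create_device_racy(&v, &t, race);
    if (!race) fd_close(&t);          /* orderly close later on */
    o.refcount = v.refcount;          /* expect 1: the VM outlives the device */
    o.uaf_events = v.uaf_events;      /* expect 0 */
    return o;
}

int main(void) {
    const char *names[2] = { "racy", "fixed" };
    for (int fixed = 0; fixed < 2; fixed++)
        for (int race = 0; race < 2; race++) {
            struct outcome o = run_scenario(fixed, race);
            printf("%-5s ordering, %-19s: refcount=%d uaf_events=%d\n",
                   names[fixed], race ? "close during window" : "close later",
                   o.refcount, o.uaf_events);
        }
    return 0;
}
```

Only the racy ordering combined with a close inside the window ends with the VM's reference count at zero and a stale access recorded; every other combination leaves the VM with its own reference intact. The flag instead of a real free is what makes this checkable: the same shape of assertion, drive both orderings through the close-during-window interleaving and require the owner's reference to survive, is what a regression test for this class of bug looks like.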

Impact

Denial of service

Privilege escalation

System access

Affected Products

  • Linux Kernel 3.16.x
  • Linux Kernel 4.4.x
  • Linux Kernel 4.9.x
  • Linux Kernel 4.14.x
  • Linux Kernel 4.19.x
  • Linux Kernel 4.20.x

Remediation

Update to a fixed version if available.

Versions 4.20.x:

Update to version 4.20.8.

Versions 4.19.x:

Update to version 4.19.21.

Versions 4.14.x:

Update to version 4.14.99.

Versions 4.9.x:

Update to version 4.9.156.

Versions 4.4.x:

Update to version 4.4.176.


Rewterz Threat Alert – Russian Language Malspam Pushing Shade Ransomware

Severity

Medium

Analysis Summary

The infection process is almost identical to the previous malspam campaign. The only difference is that the previous campaign had a ZIP archive attached to the malspam email, whereas this new campaign uses a link in a PDF attachment to retrieve the ZIP archive. Within the downloaded ZIP archive is a JavaScript file that infects vulnerable hosts with the Shade ransomware. Files are encrypted by the ransomware and payment via TOR is demanded in exchange for decryption.

Impact

File encryption.

Indicators of Compromise

IP(s) / Hostname(s)

74.220.207.61

62.212.69.227

URLs

  • http[:]//simplerlife[.]pl/wp-content/themes/hueman/assets/admin/css/pic[.]zip
  • http[:]//sidneyyin[.]com/templates/joomlage0084-aravnik/css/msg.jpg
  • http[:]//cryptsen7fo43rr6[.]onion/
  • http[:]//cryptsen7fo43rr6[.]onion.to/
  • http[:]//cryptsen7fo43rr6[.]onion.cab/

Email Address

pilotpilot088[@]gmail.com

Malware Hash (MD5/SHA1/SHA256)

  • 6950efbd9d6d10fdd8f644a71b30e53a8d1dbd64976279d8a192a0c9459d06e1
  • e76b93f6ab032e16f5f1d600cb061db49a10538b10a063561df95be94156ac0b
  • 17539e1a0c33fe2f98fa1b8fa282f9f3786ba15419e30ae6c4171ccff65338c9
  • 33dde2eed8ccb2b74c9d0feaf19c341354e54cb5d2c9e475507ff3fe22240381

Remediation

Block the threat indicators at their respective controls.

Always be suspicious of unsolicited email.

Never click on or download attachments sent from unrecognized senders.


Rewterz Threat Alert – WinRAR ACE Vulnerability Exploited Through Malspam to Install Backdoor

Severity

High

Analysis Summary

If UAC is enabled, extracting the archive fails to place the malware in the C:\ProgramData folder because of insufficient permissions. WinRAR then displays an error stating “Access is denied” and “operation failed”, as shown below.

On the other hand, if UAC is disabled or WinRAR is run with administrator privileges, it will install the malware to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe.

Now that CMSTray.exe is extracted to the user’s Startup folder, on the next login the executable will be launched.

Once launched, it will copy the CMSTray.exe to %Temp%\wbssrv.exe and execute the wbssrv.exe file.

Launching %Temp%\wbssrv.exe

Once launched, the malware will connect to http://138.204.171.108/ and download various files, including a Cobalt Strike Beacon DLL. Cobalt Strike Beacon is a penetration testing tool that is also used by criminals to gain remote access to a victim’s computer.

Downloading Cobalt Strike Beacon DLL

Once the DLL is loaded, the attackers will be able to access your computer remotely, execute commands, and spread to other computers on your network.

Impact

Command execution

System access.

Indicators of Compromise

IP(s) / Hostname(s)

138.204.171.108

URLs

http://138.204.171.108/BxjL5iKld8.zip

Malware Hash (MD5/SHA1/SHA256)

2a09056cb4615a53b27aed19793f2d91f5fb497fdf4f6be6cce6c6abac48f707

Remediation

  • Update to the latest version of WinRAR 5.70 beta 32/64bit.
  • If you are unable to upgrade for some reason, you can use 0patch’s WinRAR micropatch to address this specific WinRAR bug. The micropatch fixes the vulnerability in all 32-bit and 64-bit versions of WinRAR that have used UNACEV2.DLL since 2005.

Rewterz Threat Alert – B0r0nt0K Ransomware Infects Linux Servers via Unknown Attack Vector

Severity

Medium

Analysis Summary

A ransomware called B0r0nt0K has surfaced which encrypts victims’ websites and demands a ransom of 20 bitcoin, approximately $75,000. This ransomware is known to infect Linux servers, but may also be able to encrypt systems running Windows.

The encrypted website which is under analysis was running on Ubuntu 16.04. No sample of the ransomware was found on the target site after it was encrypted. However, the following ransom note was found.

Furthermore, the ransom amount, the contact email address of the threat actors and the bitcoin address can be seen in the snapshot below.

The email address is associated with a malicious URL given below, whose source code contains the term “Vietnamese Hacker”, hinting at the potential origin of this ransomware campaign.

Impact


File encryption


Affected Products

Linux Servers

Windows Servers

Indicators of Compromise


URLs

hxxps[:]//borontok[.]uk

Extension

.rontok

Email Address

info@borontok.uk

Remediation

Since the initial attack vector is still unknown, remain vigilant when clicking on links, opening emails, and downloading any kind of software, documents or applications from the internet.

Given the frequency of malspam campaigns, downloading email attachments should especially be avoided.

Moreover, all vulnerabilities should be timely patched and security updates should be installed regularly.


Rewterz Threat Alert – Coinbased Smishing Campaign Dropping a Malicious URL

Severity

Medium

Analysis Summary

A new Coinbase-themed smishing (SMS phishing) campaign has been observed. It is running actively and is directed at senior-level employees. The recipient receives a text message like the following:

FRM: 9297437532945863372473958264657826267824 SUBJ:__please verify MSG:__Amount received 20 BTC hxxp://zsx-ny[.]com __coinbase_pro”

The message was formatted as above (the FRM number has been altered). The sender’s number was “1 (410) 100-007”.

Impact


Loss of sensitive information on the device

Indicators of Compromise


IP(s) / Hostname(s)

213.190.6[.]24

URLs

hxxp://zsx-ny[.]com

Email Subject

Please Verify

Remediation


Do not click on links sent from unknown senders. Do not submit your device code to verify your device.


Rewterz Threat Alert – Campaign Deploying Malware via MalSpam Targeting Web Application Servers

Severity

Medium

Analysis Summary


A new email campaign has been discovered that drops malicious files via spam emails. During analysis of these files, a variant of the c99madshell web shell was found, with a full suite of attack capabilities against web application servers running older versions of PHP.

Impact


Malware Infection

Indicators of Compromise


URLs

gulfup[.]com

Filename

10_lot_photo.jpg

Email Address

xkemox[@]gmail[.]com

Malware Hash (MD5/SHA1/SHA256)

  • 8e50e5e71ff22abeaf878a1d2dbb274ef84e0d4f9ccc120bf0c3b016fce0fe13
  • 5179a36d40e1148eb54af2eeeb932a16cf397326a19f5ca2678be4f5ff28914f

Remediation

  • Maintain up-to-date antivirus signatures and engines.
  • Update PHP to the latest version available.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Keep administrative privileges strictly limited to relevant users only.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate ACLs.
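The indicator lists in the alerts above are defanged (hxxp, [.], [:], [@]) so they cannot be opened by accident, which means they have to be refanged before they can be matched against logs. The following C program is an added example and not Rewterz tooling: it refangs a subset of the indicators quoted on this page and matches them, case-insensitively, against a few proxy, firewall and mail log lines constructed for the example (the log lines are made up; only the indicators come from the alerts).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXLEN 512

/* Defanged indicators copied from the alerts on this page (a subset). */
static const char *const IOCS[] = {
    "hxxp://zsx-ny[.]com",     /* Coinbase-themed smishing */
    "simplerlife[.]pl",        /* Shade malspam download host */
    "138.204.171.108",         /* WinRAR ACE malspam C2 */
    "xkemox[@]gmail[.]com",    /* c99madshell malspam sender */
    "borontok[.]uk",           /* B0r0nt0K */
};
#define NIOCS (sizeof IOCS / sizeof IOCS[0])

/* Constructed sample log lines, not real telemetry. */
static const char *const LOG_LINES[] = {
    "2019-02-20T10:01:12Z proxy user=jdoe GET http://zsx-ny.com/verify 200",
    "2019-02-20T10:02:40Z proxy user=asmith GET http://example.org/index.html 200",
    "2019-02-21T08:14:03Z fw allow src=10.0.0.5 dst=138.204.171.108 dport=80",
    "2019-02-22T09:30:00Z mail from=XKEMOX@gmail.com subj=photos attach=10_lot_photo.jpg",
};
#define NLINES (sizeof LOG_LINES / sizeof LOG_LINES[0])

/* Refang one indicator into 'out' (capacity outsz), handling the conventions
 * used on this page: "hxxp" -> "http" (covers hxxps too), "[.]" -> ".",
 * "[:]" -> ":", "[@]" -> "@". Returns the length written or -1 if 'out' is
 * too small. Text that is not defanged passes through unchanged. */
static int refang(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    while (*in) {
        const char *rep = NULL;
        size_t skip = 0;
        if (strncmp(in, "hxxp", 4) == 0)     { rep = "http"; skip = 4; }
        else if (strncmp(in, "[.]", 3) == 0) { rep = ".";    skip = 3; }
        else if (strncmp(in, "[:]", 3) == 0) { rep = ":";    skip = 3; }
        else if (strncmp(in, "[@]", 3) == 0) { rep = "@";    skip = 3; }
        if (rep) {
            size_t rl = strlen(rep);
            if (o + rl >= outsz) return -1;
            memcpy(out + o, rep, rl);
            o += rl;
            in += skip;
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = *in++;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Lowercase copy so that matching ignores case (mail headers, hostnames). */
static void lower_copy(const char *in, char *out, size_t outsz) {
    size_t i;
    for (i = 0; i + 1 < outsz && in[i]; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[i] = '\0';
}

/* Returns the index of the first indicator found in 'line', or -1 for none. */
static int match_line(const char *line) {
    char ioc[MAXLEN], lioc[MAXLEN], lline[MAXLEN];
    lower_copy(line, lline, sizeof lline);
    for (size_t i = 0; i < NIOCS; i++) {
        if (refang(IOCS[i], ioc, sizeof ioc) < 0) continue;
        lower_copy(ioc, lioc, sizeof lioc);
        if (strstr(lline, lioc)) return (int)i;
    }
    return -1;
}

/* Number of sample lines that hit at least one indicator. */
static int count_hits(void) {
    int hits = 0;
    for (size_t i = 0; i < NLINES; i++)
        if (match_line(LOG_LINES[i]) >= 0) hits++;
    return hits;
}

/* Convenience for checking refang output: 1 if refang(in) == expect. */
static int refang_equals(const char *in, const char *expect) {
    char buf[MAXLEN];
    return refang(in, buf, sizeof buf) >= 0 && strcmp(buf, expect) == 0;
}

int main(void) {
    for (size_t i = 0; i < NLINES; i++) {
        int m = match_line(LOG_LINES[i]);
        if (m >= 0) printf("HIT ioc[%d]=%s : %s\n", m, IOCS[m], LOG_LINES[i]);
    }
    printf("%d of %zu lines matched\n", count_hits(), NLINES);
    return 0;
}
```

Substring matching is deliberately loose: an IP such as 138.204.171.108 also matches a longer address that merely contains it, and a hostname indicator matches any subdomain. For a production control, anchor IPs and hostnames on token boundaries, and treat a hit as a lead for the analyst rather than a confirmed infection.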


Copyright © Rewterz. All rights reserved.