Archive for October, 2019

Rewterz Threat Alert – Maze Ransomware Attacks Italy in New Email Campaign

Severity

Medium

Analysis Summary

The Maze Ransomware is conducting a new spam campaign that targets Italian users by pretending to be the country’s Tax and Revenue Agency. The Maze Ransomware is not a new infection, but within the past month it has been picking up steam with new campaigns, partnering with exploit kits, and inserting playful comments targeting researchers in their executables.

According to security researcher JAMESWT, users in Italy are being targeted with spam emails pretending to be from the Italian Revenue Agency, or the Agenzia delle Entrate, which is responsible for collecting taxes and revenue for the government.

These emails carry the subject “AGGIORNAMENTO: Attivita di contrasto all’evasione. Aggiornamento” and a Word document attachment called “VERDI.doc”, which allegedly contains new guidelines that businesses and citizens must follow.

Spam Email

If a user opens the attached VERDI.doc they will be told that the file is encrypted using RSA encryption and that they must “Enable Content” in order to properly view it.

Malicious Word Document


If the user enables the content, an embedded macro is executed that downloads the ransomware to the file C:\Windows\Temp\wupd12.14.tmp and then executes it.

Malicious Macros
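The behaviour described above (a Word process writing and launching an executable from C:\Windows\Temp) is the kind of parent/child relationship that endpoint telemetry can flag regardless of the ransomware family. The following is an added detection example written for this alert, not code from Rewterz or from the campaign analysis; it runs a few simple rules over constructed, Sysmon-style process-creation records. The only value taken from the alert is the drop path; the Office install path, the other processes and the rule names are assumptions.

```python
import ntpath

# Office applications whose child processes deserve scrutiny.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters and script hosts that macros commonly launch.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Directory fragments that mark a writable temp location (matched case-insensitively).
TEMP_DIR_MARKERS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")

# Constructed sample records shaped like Sysmon Event ID 1 (process creation).
# They are illustrative; the only value taken from the alert is the drop path.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\Temp\wupd12.14.tmp"},                     # drop path named in the alert
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},  # user opens Word: benign
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},                        # macro launching a shell
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\setup_stub.exe"},  # installer from Temp, not Office-spawned
]


def _basename(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def _in_temp_dir(path):
    """True if the path sits under a well-known writable temp directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_DIR_MARKERS)


def classify(event):
    """Return the list of rule names a single process-creation event triggers (empty if none)."""
    parent = _basename(event.get("ParentImage", ""))
    image = event.get("Image", "")
    child = _basename(image)
    hits = []
    # Rule 1: an Office application starting a program that lives in a temp directory.
    if parent in OFFICE_APPS and _in_temp_dir(image):
        hits.append("office_spawns_temp_executable")
    # Rule 2: an Office application starting a shell or script host.
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Rule 3: something executed from a file whose extension says it is not a program.
    if child.endswith(".tmp"):
        hits.append("executable_with_tmp_extension")
    return hits


def detect(events):
    """Return (image, rules) for every event that triggers at least one rule."""
    findings = []
    for event in events:
        hits = classify(event)
        if hits:
            findings.append((event["Image"], hits))
    return findings


if __name__ == "__main__":
    for image, rules in detect(SAMPLE_EVENTS):
        print(image, "->", ", ".join(rules))
```

The rules are deliberately parent-aware: the installer launched from a user's Temp folder in the last sample record is not flagged, because the signal here is the Office parent, not the Temp directory on its own. The .tmp-extension rule is the narrowest of the three and fires on the exact drop path from the alert.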

Impact

File encryption

Remediation

  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Rewterz Threat Alert – Phishing Attack Targeting United Nations and Humanitarian Organizations

Severity

Medium

Analysis Summary

A new phishing campaign is targeting a number of United Nations entities and humanitarian organizations with copies of their login portals hosted on copycat domains. According to Lookout’s report on this campaign, the phishing sites are mobile-aware in order to display more legitimate-looking content: JavaScript code within the malicious webpage attempts to identify whether the site is being loaded on a mobile device, and if so, the page is loaded in a mobile-friendly view, which as a side effect truncates the URL it is hosted on and makes it appear even more legitimate. Along with the traditional method of gathering submitted credentials and exfiltrating them to the attacker, these phishing sites also contain keylogging code, so that even if the user never presses the submit button, data typed into the page is still collected. The two domains used in this campaign, and their associated subdomains, all used valid SSL certificates, so users were not presented with a browser warning, again furthering the legitimacy of the site. The researchers note that while many of the SSL certificates that were in use have expired, some of the domains are still live with valid certificates. Additionally, while analyzing the infrastructure hosting these sites, it was discovered that the ASN of the IPs the domains resolved to is known to have hosted malware in the past.
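The copycat hostnames in this campaign share one structure: the victim organisation's real login hostname (for example fs.auth.wfp.org or login.microsoftonline.com) is placed in the subdomain labels of an attacker-registered domain, so that on a narrow mobile address bar only the familiar leading part is visible. The following is an added triage example, not code from Rewterz or from Lookout's report: it refangs indicators, splits off the registrable domain and flags any "name.tld" pair that appears inside the subdomain portion. The two-label registrable-domain rule and the small TLD set are simplifying assumptions; a production check would consult the Public Suffix List instead.

```python
# Generic TLDs that, when they appear as a subdomain label, suggest an embedded
# third-party hostname. Assumption: a deliberately small set to avoid false positives
# on ccTLD-like labels such as "de" or "us" used as region codes.
COMMON_TLDS = {"com", "org", "net", "edu", "gov", "int"}


def refang(indicator):
    """Turn a defanged indicator such as a[.]b[.]com back into a hostname."""
    return indicator.replace("[.]", ".").strip().lower().strip(".")


def registered_domain(host):
    """Registrable domain under the simplifying two-label assumption (not PSL-aware)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def embedded_domains(host):
    """Return every 'name.tld' pair found inside the subdomain part of the hostname."""
    labels = host.split(".")
    subdomain = labels[:-2]            # everything left of the registrable domain
    found = []
    for i in range(1, len(subdomain)):
        if subdomain[i] in COMMON_TLDS:
            found.append(subdomain[i - 1] + "." + subdomain[i])
    return found


def analyze(indicator):
    """Summarise one indicator: host, registrable domain, embedded names and a verdict."""
    host = refang(indicator)
    embedded = embedded_domains(host)
    return {
        "host": host,
        "registered_domain": registered_domain(host),
        "embedded": embedded,
        "suspicious": bool(embedded),
    }


def triage(indicators):
    """Return the analysis for every indicator that carries an embedded hostname."""
    return [result for result in map(analyze, indicators) if result["suspicious"]]


# Three indicators from the alert plus two constructed benign hostnames for contrast.
SAMPLE_HOSTS = [
    "fs[.]auth[.]wfp[.]org[.]adfs[.]ls[.]client-request-id[.]session-services[.]com",
    "login[.]microsoftonline[.]com[.]common[.]oauth2[.]ip[.]session-services[.]com",
    "heritage[.]onelogin[.]com[.]login[.]service-ssl-check[.]com",
    "login.microsoftonline.com",       # constructed benign: the real login host
    "sso.corp.example.org",            # constructed benign: ordinary internal SSO host
]

if __name__ == "__main__":
    for result in triage(SAMPLE_HOSTS):
        print(result["host"], "-> registered:", result["registered_domain"],
              "embeds:", ", ".join(result["embedded"]))
```

Running this over the indicator list in the alert flags every entry, each with session-services.com or service-ssl-check.com as the registrable domain, while the two constructed benign hostnames pass. The same check is cheap enough to run against proxy or DNS logs, and a hit is a reason to compare the registrable domain against the organisation's own identity-provider hostnames.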


Impact

  • Credential theft
  • Exposure of sensitive information

Indicators of Compromise

URL

  • fs[.]auth[.]wfp[.]org[.]adfs[.]ls[.]client-request-id[.]session-services[.]com
  • logon[.]undp[.]org[.]adfs[.]ls[.]client-request-id[.]session-services[.]com
  • sso[.]united[.]un[.]org[.]adfs[.]ls[.]clinet-request-id[.]session-services[.]com
  • login[.]unicef[.]org[.]adfs[.]ls[.]client-request-id[.]session-services[.]com
  • heritage[.]onelogin[.]com[.]login[.]service-ssl-check[.]com
  • sts[.]ifrc[.]org[.]adfs[.]ls[.]client-request-id[.]session-services[.]com
  • login[.]microsoftonline[.]com[.]common[.]oauth2[.]ip[.]session-services[.]com
  • login[.]microsoftonline[.]com[.]common[.]oauth2[.]co[.]session-services[.]com
  • login[.]microsoftonline[.]com[.]common[.]oauth2[.]hi[.]session-services[.]com
  • sso[.]ssrc[.]org[.]adfs[.]ls[.]client-request-id[.]63f91e15[.]service-ssl-check[.]com
  • login[.]microsoftonline[.]com[.]common[.]oauth2[.]uc[.]session-services[.]com
  • eastwestcenter[.]org[.]owa[.]auth[.]logon[.]aspx[.]replacecurrent[.]service-ssl-check[.]com
  • login[.]microsoftonline[.]com[.]common[.]oauth2[.]br[.]session-services[.]com
  • login[.]microsoftonline[.]com[.]common[.]oauth2[.]client[.]us[.]service-ssl-check[.]com
  • login[.]microsoftonline[.]com[.]common[.]oauth2[.]client[.]al[.]service-ssl-check[.]com
  • login[.]microsoftonline[.]com[.]common[.]oauth2[.]client[.]hi[.]service-ssl-check[.]com
  • login[.]yahoo[.]com[.]manage-account[.]src-ym[.]lang-en-us[.]session-services[.]com
  • login[.]aol[.]com[.]account[.]challenge[.]oauth[.]session-services[.]com

Remediation

  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Rewterz Threat Alert – How TrickBot is Injected into Browsers

Severity

Medium

Analysis Summary

The TrickBot malware is one of the more prolific banking Trojans in the wild today and, according to a SentinelOne report, is still under continuous development. The report analyses how TrickBot hooks web browser functions to inject itself into the browser in order to perform web injects and grab form content. Four browser processes, chrome.exe, firefox.exe, iexplore.exe and microsoftedgecp.exe, and an associated process, runtimebroker.exe, are targeted by TrickBot. The payload is injected using the “ReflectiveLoader” method, and the malware also changes the browser’s security posture.

Impact

Exposure of sensitive information

Indicators of Compromise

SHA1

  • 0785d0c5600d9c096b75cc4465be79d456f60594
  • C546D40D411D0F0BB7A1C9986878F231342CDF8B
  • D5F98BFF5E33A86B213E05344BD402350FC5F7CD

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Rewterz Threat Advisory – CVE-2019-16675 – ICS: PHOENIX CONTACT Automation Worx Software Suite

Severity

Medium

Analysis Summary

A manipulated PC Worx or Config+ project file could lead to arbitrary code execution due to insufficient input data validation.

Impact

Improper Input Validation

Affected Vendors

Phoenix Contact

Affected Products

  • PC Worx Versions 1.86 and prior
  • PC Worx Express Versions 1.86 and prior
  • Config+ Versions 1.86 and prior

Remediation

Phoenix Contact strongly recommends users exchange project files using only secure file exchange services, and that project files should not be exchanged via unencrypted email.


Rewterz Threat Alert – Recent Lazarus activity – IOC’s

Severity

High

Analysis Summary

A suspected DTRACK sample dumps its collected data over SMB to a manually mapped share on an RFC 1918 (private) address, using a statically encoded username and password that were likely stolen from an Indian nuclear plant operator.

Lazarus has been active in the South Asian region, targeting different facilities in India, Pakistan and Bangladesh. This time they have hit a nuclear facility in India: the second 1,000 MW nuclear power unit at Kudankulam, owned by the Nuclear Power Corporation of India Ltd. According to the company, the atomic power plant stopped generation at about 12.30 a.m. on Saturday owing to “Steam Generation level low”.

Impact

Exposure of sensitive information

Indicators of Compromise

SHA256

  • c5c1ca4382f397481174914b1931e851a9c61f029e6b3eb8a65c9e92ddf7aa4c
  • a0664ac662802905329ec6ab3b3ae843f191e6555b707f305f8f5a0599ca3f68
  • 93a01fbbdd63943c151679d037d32b1d82a55d66c6cb93c40ff63f2b770e5ca9
  • 791c59a0d6456ac1d9976fe82dc6b13f3e5980c6cfa2fd9d58a3cc849755ea9f
  • 4b1948bc4fe200d493a106474f460a744fce2be0c5e33f97fc09aaafb84f6f9a
  • 3cc9d9a12f3b884582e5c4daf7d83c4a510172a836de90b87439388e3cde3682
  • bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364

Remediation

Block all threat indicators at your respective controls.


Rewterz Threat Advisory – CVE-2019-18189 – Trend Micro Commercial Endpoints Root Login Bypass with Directory Traversal Vulnerability

Severity

High

Analysis Summary

A directory traversal vulnerability may allow an attacker to bypass authentication and log on to an affected product’s management console as a root user. The vulnerability does not require authentication.

Impact

Authentication bypass

Affected Vendors

Trend Micro

Affected Products

  • Apex One (on premise) All (2019 before CP 2049)
  • OfficeScan (OSCE) XG SP1
  • OfficeScan (OSCE) XG
  • OfficeScan (OSCE) 11.0 SP1

Remediation

Trend Micro has released the following solutions to address the issue:

  • Apex One (on premise): CP 2049
  • OfficeScan: XG SP1 CP 5427
  • OfficeScan: XG CP 1962
  • OfficeScan: 11.0 SP1 CP 6638
  • Worry-Free Business Security: 10.0 SP1 Patch 2178
  • Worry-Free Business Security: 10.0 Patch 1569
  • Worry-Free Business Security: 9.5 CP 1513


Copyright © Rewterz. All rights reserved.