
Rewterz Threat Alert – Phishing Campaign Targeting Bank Employees in Pakistan, Forging Zimbra

Severity

Medium

Category

Phishing

Analysis Summary

A new phishing campaign has been observed targeting bank employees in Pakistan. The email carries an attachment named “Overdue Payment” that looks like a PDF file. The email looks like this:

The attachment has a malicious link embedded in it. When the attachment is clicked, the user is redirected to a phishing URL that leads to a forged login page for the Zimbra email application used by the targeted bank's employees. While the bank's genuine Zimbra page carries the bank's logo, the forged page carried Zimbra's own logo; the difference is still not obvious to an unsuspecting victim.

What is novel in this phishing attack is that when users were redirected to the Zimbra login page, their bank email address was already filled into the ‘username’ field. An unsuspecting user might therefore type their password without thinking, assuming they had simply been logged out of their legitimate Zimbra account by chance or by a session timeout.

Moreover, our analysts submitted the malicious URL to VirusTotal, which failed to flag it as malicious because it evaluated only the first section of the URL, which is Google. On closer inspection, another URL was found nested inside the main URL, “https[:]//2ac43aa43bf473f9a9c09b4b608619d3.iyosyos.id/a9f0e61a137d86aa9db53465e0801612/?email%3D&source=gmail&ust=1549973345949000&usg=AFQjCNFqBoAl5ja-ctaA7FBIEryyEjeeeA”, which VirusTotal identified as a phishing URL when searched on its own.
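The blind spot described above (a reputation lookup that only sees the outer Google host) is easy to close at triage time by pulling every URL nested in a redirect wrapper out and checking each host separately. The following is an added example, not code from the alert; the outer wrapper form https://www.google.com/url?q=<inner>&source=gmail&... is an assumption, since the alert quotes only the inner URL.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample. The alert gives only the inner phishing URL and says the outer
# URL "started with Google"; a Google redirect wrapper of the form
# https://www.google.com/url?q=<inner>&source=gmail&... is assumed here.
INNER = ("https://2ac43aa43bf473f9a9c09b4b608619d3.iyosyos.id/"
         "a9f0e61a137d86aa9db53465e0801612/?email%3D")
SAMPLE = ("https://www.google.com/url?q=" + INNER
          + "&source=gmail&ust=1549973345949000&usg=AFQjCNFqBoAl5ja-ctaA7FBIEryyEjeeeA")


def embedded_urls(url, depth=0, max_depth=5):
    """Return every URL nested in the query string of `url` (outer first), recursively."""
    found = []
    if depth >= max_depth:          # guard against redirect chains that loop
        return found
    for _key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        candidate = unquote(value)  # parse_qsl already decoded once; a second pass is harmless
        if candidate.lower().startswith(("http://", "https://")):
            found.append(candidate)
            found.extend(embedded_urls(candidate, depth + 1, max_depth))
    return found


def hosts_to_check(url):
    """Every host a reputation lookup should cover: the wrapper and each nested URL.
    Looking up only the outer host (google.com) is exactly the gap the alert describes."""
    return [urlsplit(u).hostname for u in [url] + embedded_urls(url)]


def defang(url):
    """Render a URL in the alert's defanged style (https[:]//host[.]tld/...) for safe sharing."""
    parts = urlsplit(url)
    rest = url[len(parts.scheme) + 3 + len(parts.netloc):]
    return f"{parts.scheme}[:]//{parts.netloc.replace('.', '[.]')}{rest}"


if __name__ == "__main__":
    for u in embedded_urls(SAMPLE):
        print("nested:", defang(u))
    print("hosts:", hosts_to_check(SAMPLE))
```

The `email` query parameter on the inner URL is most likely how the forged page pre-fills the victim's username; it is empty in the quoted sample.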

Impact

Credential Theft

Indicators of Compromise


URLs

https[:]//2ac43aa43bf473f9a9c09b4b608619d3[.]iyosyos[.]id

Email Address

Kenny[@]s2sj[.]com

Email Subject

[BULK] New Protected Document for [target’s name]

Remediation


Block the Threat Indicators at their respective controls.

Since the threat actors are creating a target-specific URL for each victim:

1) Never open unexpected emails or attachments received from unknown sources, even if they appear to be harmless.

2) Never enter credentials on any web page that appears by clicking on links received in emails.


Rewterz Threat Alert – Malware Campaign Hides Ransomware in Super Mario Wrapper

Severity

Medium

Category

Cyber Crime

Analysis Summary

Experts have discovered an apparently benign Mario graphic that uses steganography to conceal the malicious code for GandCrab ransomware. The campaign is currently running in Italy, but experts expect it to spread to other countries soon. Targets first receive an Excel sheet via email that will not open online and asks the user to enable editing and enable content. Once content is enabled, its macros run and check whether the computer is configured for the Italy region. If not, the macro exits and nothing else happens. Otherwise, a Mario image is downloaded, as shown below:

The image hides malicious code using steganography: heavily obfuscated Microsoft PowerShell commands are stored in the blue and green color channels of the image's pixels. This makes the threat hard for firewalls and other defenses to detect. Experts were able to download the samples from the address in the de-obfuscated PowerShell, including over an Italy-based VPN, and found several samples of the GandCrab ransomware.

When the malware detonates, the usual macro-based launch of cmd.exe and PowerShell with obfuscated arguments is seen.

The decoded image looks like this:

Another large string (base64 encoded) is then observed which is sliced/diced into 40 parts. This can be reassembled:

As researchers further analyzed the codes, multiple layers of still more mildly obfuscated PowerShell were found.

On successful infection by the GandCrab ransomware, files on the targeted machine are encrypted and the following ransom note is left on the device.

Impact

Ransomware infection

Files encryption

Indicators of Compromise


Filename

F.DOC.2019A259SPA.xls

cmd.exe

Malware Hash (MD5/SHA1/SHA256)

3849381059d9e8bbcc59c253d2cbe1c92f7e1f1992b752d396e349892f2bb0e7

2726cd6796774521d03a5f949e10707424800882955686c886d944d2b2a61e0

0c8c27f06a0acb976b8f12ff6749497d4ce1f7a98c2a161b0a9eb956e6955362

ec2a7e8da04bc4e60652d6f7cc2d41ec68ff900d39fc244cc3b5a29c42acb7a4

630b6f15c770716268c539c5558152168004657beee740e73ee9966d6de1753f

Remediation


Block the threat indicators at their respective controls.

Strictly avoid downloading and opening document files received via unexpected emails.


Rewterz Threat Alert – New Linux coin miner kills competing malware to maximize profits

Severity

Medium

Category

Cyber Crime

Analysis Summary

The Linux platform is being targeted by a new malware strain that installs the XMR-Stak Cryptonight cryptocurrency miner. It also searches for other Linux malware and coin miners already present on the compromised machine and kills them to maximize its own mining.

This KORKERDS variant downloads the universal Stratum XMR-Stak pool miner, which uses the system’s CPU or GPU to mine Cryptonight currencies. The following activities have also been observed:

Function B kills previously installed malware, coin miners and all related services referenced by an accompanying malware. It also creates new directories and files, and stops processes that have connections to identified IP addresses. Function D downloads the coin miner binary from hxxp://yxarsh[.]shop/64 and runs it. Function C downloads a script from hxxp://yxarsh[.]shop/0, saves it to the file /usr/local/bin/dns, and creates a new crontab that calls this script at 1 a.m. It also downloads hxxp://yxarsh[.]shop/1.jpg and places it in different crontabs.

The malware also clears system logs to erase its traces, and achieves persistence through the implanted crontab files so that it survives reboots and deletion. The second stage of the infection originates from multiple IP cameras and web services via TCP port 8161, from domains where the attackers have stored the crontab file that launches the main stage of the attack.

Impact

Cryptocurrency mining

Other unspecified impact is also possible

Affected Products

Linux

Indicators of Compromise


URLs

drnfbu[.]xyz:26750

hxxp://yxarsh.shop

hxxp://yxarsh.shop/0

hxxp://yxarsh.shop/1.jpg

hxxp://yxarsh.shop/64

hxxp://yxarsh.shop/86

hxxps://pastebin.com/u/SYSTEAM

Filename

/opt/yilu/mservice

/opt/yilu/work/xig/xig

/opt/yilu/work/xige/xige

/tmp/thisxxs

/usr/bin/.sshd

/usr/bin/bsd-port/getty

/usr/local/bin/dns

/etc/cron.hourly/oanacroner

/etc/cron.daily/oanacroner

/etc/cron.monthly/oanacroner

Erased:

/var/spool/mail/root

/var/log/wtmp

/var/log/secure

/var/log/cron

Malware Hash (MD5/SHA1/SHA256)

d9390bbbc6e399a388ac6ed601db4406eeb708f3893a40f88346ee002398955c

2f7ff54b631dd0af3a3d44f9f916dbde5b30cdbd2ad2a5a049bc8f2d38ae2ab6

Remediation

Block the threat indicators at their respective controls.

Keep all Linux systems up to date with the latest patches against all known vulnerabilities, as Linux is targeted by many threat actors.
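The file paths, cleared logs and crontab hooks listed above are enough for a quick host check. This is an added example, not a Rewterz tool: it walks a host root (or a mounted disk image) for the alert's implant paths, reports the listed logs when they are missing or empty, and flags cron entries that reference the dropped /usr/local/bin/dns script or the yxarsh.shop download host. The fixture built by make_sample_root() is constructed for illustration.

```python
import tempfile
from pathlib import Path

# Indicators from the alert's IoC list, as paths relative to the host root.
IMPLANT_PATHS = [
    "opt/yilu/mservice", "opt/yilu/work/xig/xig", "opt/yilu/work/xige/xige",
    "tmp/thisxxs", "usr/bin/.sshd", "usr/bin/bsd-port/getty", "usr/local/bin/dns",
    "etc/cron.hourly/oanacroner", "etc/cron.daily/oanacroner", "etc/cron.monthly/oanacroner",
]
ERASED_LOGS = ["var/spool/mail/root", "var/log/wtmp", "var/log/secure", "var/log/cron"]
CRON_DIRS = ["etc/cron.d", "etc/cron.hourly", "etc/cron.daily", "etc/cron.monthly",
             "var/spool/cron"]
CRON_MARKERS = ("/usr/local/bin/dns", "yxarsh.shop")  # dropped script path and download host


def triage(root="/"):
    """Check a live host (or a mounted image under `root`) for the alert's artefacts."""
    root = Path(root)
    findings = {"implants": [], "erased_logs": [], "cron_refs": []}
    for rel in IMPLANT_PATHS:
        if (root / rel).exists():
            findings["implants"].append("/" + rel)
    for rel in ERASED_LOGS:
        p = root / rel  # the malware clears these: missing or zero-length is suspicious
        if not p.exists() or p.stat().st_size == 0:
            findings["erased_logs"].append("/" + rel)
    for rel in CRON_DIRS:
        d = root / rel
        for f in (d.rglob("*") if d.is_dir() else []):
            if f.is_file() and any(m in f.read_text(errors="replace") for m in CRON_MARKERS):
                findings["cron_refs"].append("/" + f.relative_to(root).as_posix())
    return findings


def make_sample_root():
    """Constructed fixture: a fake root with two implants, one cron hook and cleared logs."""
    root = Path(tempfile.mkdtemp())
    for rel in ["usr/local/bin/dns", "etc/cron.hourly/oanacroner", "var/log/wtmp",
                "var/log/secure"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).touch()
    (root / "etc/cron.hourly/oanacroner").write_text("0 1 * * * root /usr/local/bin/dns\n")
    (root / "var/log/secure").write_text("Feb 12 01:00:01 host sshd[1]: session opened\n")
    return root


if __name__ == "__main__":
    print(triage(make_sample_root()))
```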


Rewterz Threat Advisory – CVE-2018-11803 – Apache Subversion Denial of Service Vulnerability

Severity

Medium

Category

Vulnerability

Analysis Summary

Subversion’s mod_dav_svn Apache HTTPD module crashes after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation. Any client can trigger this issue on Subversion repositories configured for anonymous read access; if read access requires authentication, only an authenticated user can carry out the denial of service.

Impact

Denial of Service

Affected Products

Apache Subversion 1.11.0

Apache Subversion 1.10.3

Apache Subversion 1.10

Remediation

The vendor has released updates for the affected products. Update to one of these versions:

Apache Subversion 1.10.4

Apache Subversion 1.11.1


Rewterz Threat Advisory – CVE-2019-1678 – Cisco Meeting Server Denial of Service Vulnerability

Severity

Medium

Category

Vulnerability

Analysis Summary

Classified as a failure to handle exceptional conditions, a vulnerability in Cisco Meeting Server could allow an authenticated, remote attacker to cause a partial denial of service (DoS) for Cisco Meetings application users who are paired with a Session Initiation Protocol (SIP) endpoint. The vulnerability is due to improper validation of coSpace configuration parameters. An attacker could exploit it by inserting crafted strings into specific coSpace parameters, which could prevent clients from joining a conference call in the affected coSpace.

Impact


Denial of Service

Affected Products

Cisco Meeting Server 2.3.7

Cisco Meeting Server 2.3.6

Cisco Meeting Server 2.4

Remediation

Updates are available; the following two versions are not vulnerable to this flaw:

Cisco Meeting Server 2.4.3

Cisco Meeting Server 2.3.9


Rewterz Threat Alert – New SpeakUp Backdoor Infects Linux and macOS with Miners in East Asia

Severity

Medium

Category

Emerging Threat

Analysis Summary


Upon infection, the SpeakUp backdoor connects to its command and control (C&C) server to register the machine, and it exploits known vulnerabilities in six different Linux distributions. The initial infection vector targets the recently reported vulnerability in ThinkPHP, using command injection to upload a PHP shell that serves and executes a Perl backdoor. It begins by exploiting CVE-2018-20062 to upload a PHP shell via a GET request; this shell then executes commands sent through the “module” parameter of a query.

SpeakUp uses POST and GET requests over HTTP to communicate with its main C&C, the compromised website speakupomaha[.]com. The first POST packet sends a victim ID and introductory information such as the current version of the installed script. SpeakUp also equips its backdoors with i (sic), a Python script that lets the backdoor scan and infect more Linux servers within its internal and external subnets. Apart from brute-forcing other potential victims in the local network, the threat actors try to exploit the following remote code execution vulnerabilities on targeted servers:

a) CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities

b) CVE-2010-1871: JBoss Seam Framework remote code execution

c) JBoss AS 3/4/5/6: Remote Command Execution (exploit)

d) CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE

e) CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware.

f) Hadoop YARN ResourceManager – Command Execution (exploit)

g) CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability.

Successful exploitation of any of these vulnerabilities results in deploying the original ibus script on the exploited server, which can scan the infected server's surrounding network and distribute the malware.

Impact


Code Execution

Mining of Cryptocurrency

Affected Products

Linux

macOS

Indicators of Compromise


IP(s) / Hostname(s)

  • 67[.]209.177.163
  • 173[.]82.104.196
  • 5[.]196.70.86
  • 120[.]79.247.183
  • 5[.]2.73.127/lnsqqFE2jK/pprtnp153WWW.php
  • Speakupomaha[.]com/misc/ui/images/Indxe.php
  • Linuxservers[.]000webhostapp[.]com/hp.html
  • linuxsrv134[.]xp3[.]biz

URLs

speakupomaha[.]com

Malware Hash (MD5/SHA1/SHA256)


Remediation

  • Make sure to update all Linux distributions to versions patched against the above-mentioned vulnerabilities.
  • Block the threat indicators at their respective controls.
  • Ensure close monitoring of all internal and external communications as well as activities within the network.
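"Block the threat indicators" and "monitor external communications" both start with turning the defanged hosts above into something a proxy-log search can use. The following is an added example, not a Rewterz tool: it refangs the SpeakUp host/path indicators from this alert and matches them against constructed proxy-log lines, matching on the exact host or a subdomain of it so that a look-alike such as linuxsrv134.xp3.biz.example.net is not flagged.

```python
import re

# Host/path indicators copied from the alert's IoC list, still in defanged form.
DEFANGED = [
    "67[.]209.177.163", "173[.]82.104.196", "5[.]196.70.86", "120[.]79.247.183",
    "5[.]2.73.127/lnsqqFE2jK/pprtnp153WWW.php",
    "Speakupomaha[.]com/misc/ui/images/Indxe.php",
    "Linuxservers[.]000webhostapp[.]com/hp.html", "linuxsrv134[.]xp3[.]biz",
]

# Constructed proxy-log lines (client, method, URL); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.example.org/index.html
10.0.0.7 GET http://speakupomaha.com/misc/ui/images/Indxe.php?x=1
10.0.0.7 POST http://5.2.73.127/lnsqqFE2jK/pprtnp153WWW.php
10.0.0.9 GET http://173.82.104.196/
10.0.0.9 GET http://linuxsrv134.xp3.biz.example.net/
"""


def refang(ioc):
    """Undo hxxp://, [.], [:] and [@] defanging, drop the scheme, normalise case."""
    s = ioc.replace("[.]", ".").replace("[:]", ":").replace("[@]", "@")
    s = re.sub(r"^(hxxps?|https?)://", "", s, flags=re.I)
    return s.lower().rstrip(".")   # "speakupomaha[.]com." -> "speakupomaha.com"


def split_ioc(ioc):
    """Split a refanged indicator into (host, path); path is '' when none is given."""
    host, _, path = refang(ioc).partition("/")
    return host, ("/" + path if path else "")


URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?(/[^\s?]*)?", re.I)


def match_lines(log_text, iocs=DEFANGED):
    """Return (line_no, indicator) for every log line whose URL hits an indicator."""
    rules = [(ioc,) + split_ioc(ioc) for ioc in iocs]
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = URL_RE.search(line)
        if not m:
            continue
        host, path = m.group(1).lower(), (m.group(2) or "/").lower()
        for ioc, ihost, ipath in rules:
            # exact host or subdomain only: a plain substring test would also flag
            # look-alikes such as linuxsrv134.xp3.biz.example.net
            if (host == ihost or host.endswith("." + ihost)) and path.startswith(ipath):
                hits.append((n, ioc))
    return hits
```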




Copyright © Rewterz. All rights reserved.