Archive for category Rewterz News

Rewterz Threat Alert – Lazarus Mobile Malware turning devices into bots

Severity

High

Analysis Summary

Android malware that embeds a backdoor as an Executable and Linkable Format (ELF) file. The ELF file resembles several executables previously attributed to the Lazarus group. The malware poses as a legitimate APK, available on Google Play, for reading the Bible in Korean; the legitimate app has been installed more than 1,300 times, while the malicious version has never appeared on Google Play.
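One practical triage check for this kind of sample, added here as an example and not code from the alert: treat the APK as the ZIP it is, and flag any entry whose content starts with the ELF magic but does not live where a JNI library belongs (lib/<abi>/*.so). The APK used below is constructed in memory; its entry names are invented for the demonstration.

```python
import io
import zipfile
from typing import List, Tuple

ELF_MAGIC = b"\x7fELF"


def find_elf_entries(apk_bytes: bytes) -> List[Tuple[str, str]]:
    """List every ZIP entry whose content starts with the ELF magic.

    Each result is (entry_name, verdict): 'expected' for a JNI library under
    lib/<abi>/*.so, 'suspicious' for ELF content anywhere else, e.g. an ELF
    backdoor stored under assets/ with a non-.so name.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(ELF_MAGIC))
            if head != ELF_MAGIC:
                continue
            name = info.filename
            expected = name.startswith("lib/") and name.endswith(".so")
            found.append((name, "expected" if expected else "suspicious"))
    return found


def suspicious_elf_entries(apk_bytes: bytes) -> List[str]:
    """Names of ELF entries that are not ordinary JNI libraries."""
    return [name for name, verdict in find_elf_entries(apk_bytes) if verdict == "suspicious"]


def build_sample_apk() -> bytes:
    """Construct a minimal APK-shaped ZIP for the demonstration (not a real sample).

    It holds a normal JNI library under lib/ and an ELF payload hidden under
    assets/ with an innocuous name, which is the pattern worth flagging.
    """
    # 16-byte e_ident (ELF64, little-endian, v1), then e_type ET_EXEC, e_machine AArch64
    elf_header = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00\xb7\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("lib/arm64-v8a/libnative.so", elf_header + b"\x00" * 64)
        zf.writestr("assets/bible_kr.dat", elf_header + b"\x00" * 64)  # hidden ELF
        zf.writestr("res/raw/intro.mp3", b"ID3" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in find_elf_entries(build_sample_apk()):
        print(f"{verdict:10s} {name}")
```

The magic check is deliberately content-based rather than name-based, because a dropped backdoor is rarely named like a library; on a real APK, run the scanner over every entry and review anything reported as suspicious.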

Impact

Device acts like a bot

Indicators of Compromise

URLs

  • http[:]//103[.]53[.]176[.]145[:]8080/ServiceDeskPlus/products[.]do
  • http[:]//111[.]68[.]126[.]155[:]8080/ServiceDeskPlus/products[.]do
  • http[:]//137[.]117[.]57[.]244[:]8080/ServiceDeskPlus/products[.]do
  • http[:]//chanbang[.]co[.]kr/board/check[.]asp
  • http[:]//chanbang[.]co[.]kr/family/check[.]asp
  • http[:]//chanbang[.]co[.]kr/gonggu/upload[.]asp
  • http[:]//difa[.]or[.]kr/common/asp/inc_Comn[.]asp
  • http[:]//edenenc[.]co[.]kr/Report/RptMyReport[.]asp
  • http[:]//egreenland[.]co[.]kr/cheditor2/example/newpost[.]asp
  • http[:]//hanbook[.]co[.]kr/partnershop/hanmail_ep[.]asp
  • http[:]//img[.]kindermom[.]co[.]kr/frameart/print/footer[.]mov
  • http[:]//kgsa1015[.]co[.]kr/upload/member/member[.]asp
  • http[:]//rodaxsankyokorea[.]com/upload/favicon/favicon[.]asp
  • http[:]//www[.]kgsa1015[.]co[.]kr/upload/member/member[.]asp
  • http[:]//www[.]sinokor-eng[.]com/sub/sub01_09[.]asp

Malware Hash (MD5/SHA1/SHA256)

  • 12518eaa24d405debd014863112a3c00a652f3416df27c424310520a8f55b2ec
  • 1a9714fe84d62ae23b9eb439dbea6562e424e1c20f433a4f8338347bee2fd65e
  • 20e6391cf3598a517467cfbc5d327a7bb1248313983cba2b56fd01f8e88bb6b9
  • 21c7180c568bf115a0784629a8e5575103007f66ab2b964ab1d7f3290f5ab370
  • 3fb44f4698168b53642c8a4a8ba32ee8
  • 5621c89102d84f4a335218cb84a94852
  • 59404af2d92c53ad1ee9e21b252c07c77dcba810b248a79d6ae989b1ff63c7d6
  • 65c27af540d1a3f7b74db62e85adcdf9c686f70d1263e89a8d2545c6b7f49154
  • 69ceb2c4770262e75cf7ef7f48c222dad63690e354809d528ad2a3de7a84f794
  • 7ad49a8df0fb1b9238dc7e3ec7c1bc274ca8e29e154abf3a4acff15506423794
  • 7c8d3ca5c540912590eec20b5a55dac979ccc55da9eefccbe65ee0e84122e93d
  • 91f8c1f11227ee1d71f096fd97501c17a1361d71b81c3e16bcdabad52bfa5d9f
  • 97bfb4528facc9bd1464d70744fa3f328e7269934d919b54c505ea8d461c7b4e
  • 98435958d61012e842039a5d572908a52017e1367c4e1f61bf0812dcfbcac126
  • 9deb8bb7c8a8eb012761a05a67aa2c72e1ef310c9395aaa3293869c5314676cf
  • b6682cab65d3243b5b75efb7279dbf49491957484780f2ba0a87632cc0e25642
  • b8b5d82eb25815dd3685630af9e9b0938bccecb3a89ce0ad94324b12d25983f0
  • b9d9b2e39247744723f72f63888deb191eafa3ffa137a903a474eda5c0c335cf
  • bfeef232cc83af4a3afd262bddc1b9fbb6e829ac1980461003ea551051808268
  • e477c8195fcbb95e7764027a9fb4aabeae475879b809d2e542cfd84ca34c1b5c
  • ecb6603a8cd1354c9be236a3c3e7bf498576ee71f7c5d0a810cb77e1138139ec
  • fe92a44d726b43927f51418ce09ce9731c7a46a0dd6d9e4b46af34fdf99009ef

Remediation

  • Always keep your mobile security application updated to the latest version.
  • Never install applications from unverified sources.


Rewterz Threat Alert – Lazarus APT Group Attack Disguised as an Identity Document

Severity

High

Analysis Summary

A new malicious HWP document has been discovered, as activity by the Lazarus group, one of the most prolific state-sponsored threat groups, continues to be observed.

The file name of this document is ‘(Required) Subcontractor Statement .hwp’, and its creation date is July 12, 2019. The document is aimed at the outsourcing staff of a particular company.

It is similar to the ‘investment contract_20190619.hwp’ attack code, with one additional feature: the code is obfuscated.

The ‘(Required) Subcontractor’s personal statement .hwp’ document also appears to have been used by the same Lazarus threat group, and it embeds malicious PostScript.

When the document is opened, the malicious code executes through the exploited vulnerability while normal-looking decoy text is displayed. The decoy content is a template for a new financial statement from a specific financial-sector subcontractor.

The PostScript carries its payload as a hexadecimal string that has been obfuscated with an XOR operation.
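The usual way to get at such a payload during analysis is to pull the long hex strings out of the PostScript, brute-force the one-byte XOR key, and keep the key that yields readable PostScript. The script below is an added example and is not code from the alert; the plaintext, key and EPS wrapper are invented for the demonstration, not taken from the real sample.

```python
import re
from typing import List, Optional, Tuple

# Constructed demonstration: a PostScript fragment XOR-ed with a one-byte key and
# hex-encoded the way obfuscated EPS payloads embed their second stage. The text,
# key and EPS wrapper are invented for this example; none is from the real sample.
PLAINTEXT = b"/DroidSansFallback findfont 12 scalefont setfont\n<41424344> exec"
KEY = 0x7B
SAMPLE_HEX = "".join(f"{b ^ KEY:02x}" for b in PLAINTEXT)
SAMPLE_EPS = "%!PS-Adobe-3.0 EPSF-3.0\n/payload <" + SAMPLE_HEX + "> def\n"

HEX_STRING_RE = re.compile(r"<([0-9A-Fa-f\s]{16,})>")  # PostScript <hex> string literals
CRIBS = (b"exec", b"findfont", b"def", b"moveto")  # keywords expected in decoded PostScript


def xor_decode(hex_payload: str, key: int) -> bytes:
    """Hex-decode (ignoring whitespace) and XOR every byte with a one-byte key."""
    data = bytes.fromhex(re.sub(r"\s+", "", hex_payload))
    return bytes(b ^ key for b in data)


def recover_key(hex_payload: str, cribs: Tuple[bytes, ...] = CRIBS) -> Optional[int]:
    """Brute-force the one-byte key.

    Accept the first key whose output is entirely printable ASCII (plus CR/LF/TAB)
    and contains at least one PostScript keyword; return None if no key qualifies.
    """
    for key in range(256):
        out = xor_decode(hex_payload, key)
        printable = all(32 <= c < 127 or c in b"\r\n\t" for c in out)
        if printable and any(crib in out for crib in cribs):
            return key
    return None


def decode_eps(ps_text: str) -> List[Tuple[int, bytes]]:
    """Find every long hex string in an EPS body and return (key, decoded) pairs
    for those that decode to plausible PostScript."""
    results = []
    for m in HEX_STRING_RE.finditer(ps_text):
        key = recover_key(m.group(1))
        if key is not None:
            results.append((key, xor_decode(m.group(1), key)))
    return results


if __name__ == "__main__":
    for key, decoded in decode_eps(SAMPLE_EPS):
        print(f"key=0x{key:02x}")
        print(decoded.decode("ascii"))
```

The printable-plus-crib test is what makes single-byte brute force reliable: a wrong key almost never produces both all-printable output and a real PostScript operator, so the first hit is the key. Multi-byte keys need the same loop over each key position instead.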

Impact

File encryption

Indicators of Compromise

URLs

  • https[:]//technokain[.]com/ads/adshow1[.]dat
  • https[:]//technokain[.]com/ads/adshow2[.]dat
  • https[:]//www[.]adhyatmikpunarjagran[.]org/wp-includes/Text/about[.]php
  • https[:]//www[.]payngrab[.]com/wordpress/wp-content/plugins/megamenu/about[.]php
  • https[:]//www[.]weeklyexperts[.]com/wp-content/plugins/revslider/about[.]php


Filename

  • (Required) Subcontractor Statement .hwp
  • investment contract_20190619.hwp
  • the system porting agreement (modified) .hwp


Malware Hash (MD5/SHA1/SHA256)

  • 28ef91c65dc459592d02a198b0a446f0
  • a53446de32556f2a496f8d7e78cd4249
  • ef118025c43889f0fb9d5c816e815981
  • f79cc1ab1b4f0d18eba0bd3899edcf44

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Keep Hancom Office (the viewer for HWP documents) and other office software updated to the latest version.
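Blocking and hunting for the indicators in these alerts means turning the defanged lists back into matchable form first. The script below is an added example, not code from Rewterz: it refangs the `[.]`, `[.].`, `[:]` and `hxxp` styles used on this page, indexes the indicators by host and by host plus path, and runs them over a few constructed proxy-log lines. The log lines are invented; treating the parent domain ipv6-microsoft[.]org as an indicator in its own right is an analyst choice made for the example, not something the alerts state.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed indicator list in the defanged styles that appear in these alerts.
# Treating the parent domain ipv6-microsoft[.]org as an indicator in its own
# right is an analyst choice made for this example, not something the alert states.
SAMPLE_IOCS = [
    "http[:]//103[.]53[.]176[.]145[:]8080/ServiceDeskPlus/products[.]do",
    "http[:]//chanbang[.]co[.]kr/board/check[.]asp",
    "hr-suncor[.]com",
    "185[.].20[.].184[.].138",
    "7812[.]reg0.5204[.]toor[.]win10[.]ipv6-microsoft[.]org",
    "ipv6-microsoft[.]org",
]

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = [
    "2019-07-15T10:01:02Z 10.0.0.12 GET http://www.example.org/index.html 200",
    "2019-07-15T10:02:11Z 10.0.0.12 POST http://103.53.176.145:8080/ServiceDeskPlus/products.do 200",
    "2019-07-15T10:03:40Z 10.0.0.31 GET http://7812.reg0.5204.toor.win10.ipv6-microsoft.org/ 200",
    "2019-07-15T10:04:05Z 10.0.0.31 GET http://chanbang.co.kr/index.asp 200",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-cased form.

    Handles '[.]' and the broken '[.].' variant, '[:]' as scheme/port separator,
    and hxxp/hxxps schemes.
    """
    s = ioc.strip().lower()
    s = s.replace("[.].", ".").replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s)


def split_ioc(ioc: str) -> Tuple[str, Optional[str]]:
    """Return (host, path) for a refanged URL, or (host, None) for a bare host/IP."""
    s = refang(ioc)
    if "://" in s:
        parts = urlsplit(s)
        return parts.hostname or "", parts.path or "/"
    return s.split("/")[0], None


def build_index(iocs: Iterable[str]) -> Tuple[Set[str], Set[Tuple[str, str]]]:
    """Index indicators as a host set and a (host, path) set. Ports are ignored."""
    hosts: Set[str] = set()
    urls: Set[Tuple[str, str]] = set()
    for ioc in iocs:
        host, path = split_ioc(ioc)
        hosts.add(host)
        if path is not None:
            urls.add((host, path))
    return hosts, urls


def host_matches(host: str, hosts: Set[str]) -> bool:
    """True for an exact host match or a subdomain of an indicator domain."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in hosts)


def scan_proxy_log(lines: Iterable[str], iocs: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, url, match_kind) for every line touching an indicator.

    match_kind is 'url' for an exact host+path hit and 'host' for a host-only hit;
    host-only hits on compromised legitimate sites are worth triaging rather than
    blocking outright.
    """
    hosts, urls = build_index(iocs)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, _method, url, _status = fields[:5]
        parts = urlsplit(url.lower())
        if not parts.hostname:
            continue
        if (parts.hostname, parts.path or "/") in urls:
            hits.append((ts, client, url, "url"))
        elif host_matches(parts.hostname, hosts):
            hits.append((ts, client, url, "host"))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG, SAMPLE_IOCS):
        print(hit)
```

Suffix matching is what catches the numbered subdomains of a C2 domain when only a few of them were published; the distinction between a full-URL hit and a host-only hit matters because several hosts in these lists are compromised legitimate sites where only one path is malicious.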

Rise in Attacks on DNS Infrastructure and Web Applications

Severity

Medium

Overview

While organizations strive to keep their internal environments safe, it is just as crucial to counter internet-based threats. The FBI’s Internet Crime Report 2018 states that internet-based exploitation, fraud and theft were responsible for about $2.7 billion in financial losses in 2018. Researchers find that cybercriminals exploit the Domain Name System (DNS) in most internet-based and web application attacks.

For instance, consider the leak via the cloud-based messaging app Telegram, through which APT34’s hacking tools and data belonging to its victims have been exposed since March 2019.
It is therefore necessary for organizations to take measures to protect their networks and end users from internet-based attacks.

DNS attacks

DNS is the most commonly exploited component in such attacks, which are typically initiated through phishing. Paul Griswold of IBM Security therefore suggests that organizations should not treat the DNS service they receive from their Internet service provider as ‘clean’; taking ISP-provided DNS on trust can have severe consequences. Domain assets need more attention if security gaps are to be avoided.

Domain registrations that are not actively managed can lead to DNS attacks, Griswold adds: lapsed domains can be re-registered by someone else, and the domains then exploited to compromise the DNS servers that still reference them.

Web application attacks

Although most internet-based attacks arise from DNS exploitation, vulnerable web applications are another major source of security gaps and can have equally severe consequences for organizations. Users often run outdated, vulnerable versions of these web applications, which increases the likelihood of a successful attack.

Additionally, with the proliferation of IoT based endpoints and devices, attack vectors are increasing exponentially and the internet arena is becoming more and more threatening for organizations.

Moreover, vulnerable third-party applications are not the only source of malware downloads. Compromised websites also host a great deal of malware, which unsuspecting users download via JavaScript while browsing. Apparently benign, these websites often redirect to malicious sites, leading to drive-by downloads of malware and ransomware onto user systems.

Need of Preventive Measures


To protect themselves from internet-based attacks, organizations need strong security measures that block threats arriving from the internet. Advanced DNS analytics also provide threat intelligence that improves the detection of malicious tools and compromised devices, and that intelligence helps prevent attacks across the network.

Given the growing number of DNS-based attacks, experts suggest that organizations should also introduce redundancy at every level of their server infrastructure, including the DNS host. Redundancy here means deploying a secondary DNS network so that traffic can be moved from a failing server to a live redundant server that takes over its queries.

Recommendations

Keeping in view the threats coming from expansive internet arena, NS1’s Zeman recommends the following precautions for organizations:

  • Borrow a page from the cloud computing playbook and leverage a managed DNS solution with a globally distributed, anycast network that ensures high availability.
  • Reinforce the authenticity of DNS query responses by implementing Domain Name System Security Extensions (DNSSEC) across all zones in your control.
  • Because DNS is a mission-critical service, administrative access to DNS management should be tightly controlled. Make sure to use strong password enforcement, two-factor, or multifactor authentication, and role-based access controls.
  • When using zone transfers, whitelist the transfer IP addresses of your secondary providers and leverage TSIG (Transaction SIGnature) to sign the transfers with a private key and limit exposure.
  • Keep all web applications updated to latest secure versions.
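The zone-transfer and DNSSEC items above, expressed in BIND terms as an added example rather than anything from the article: the open configuration that hands the whole zone to any client, beside a hardened one that requires a TSIG signature from the secondary’s known address and lets named maintain DNSSEC signing. The zone name, addresses and key name are placeholders, and the secret must come from tsig-keygen.

```conf
# --- weak: any client on the internet can AXFR the zone, and nothing
# --- authenticates the secondary that is supposed to receive it
zone "example.com" {
    type master;
    file "zones/db.example.com";
    allow-transfer { any; };
};

# --- corrected ----------------------------------------------------------
# TSIG key shared with the secondary (generate with: tsig-keygen -a hmac-sha256 xfer-key)
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FROM_tsig-keygen";
};

# Sign NOTIFY and other messages sent to the secondary (placeholder address)
server 192.0.2.53 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type master;
    file "zones/db.example.com";

    # DNSSEC: let named sign the zone and roll keys under the built-in policy
    dnssec-policy default;
    inline-signing yes;

    # Transfers must come from the secondary's address AND carry a valid TSIG:
    # the nested negation denies everything not from 192.0.2.53, then the
    # key clause requires the signature.
    allow-transfer { !{ !192.0.2.53; any; }; key "xfer-key"; };

    also-notify { 192.0.2.53; };
    notify explicit;
};
```

The same key block and a matching `masters`/`primaries` entry with `key "xfer-key"` go on the secondary. Verify the hardening from an unlisted host with `dig @ns1.example.com example.com AXFR`, which should now return a transfer failure rather than the zone.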

Keeping in view the harsher consequences of DNS attacks and web application attacks on businesses, organizations should prioritize DNS protection, and patching of vulnerable web applications, as it is very crucial for overall network security.


Rewterz Threat Advisory – CVE-2019-0330 – SAP Diagnostic Agent OS Command Injection Vulnerability

Severity

High

Analysis Summary

The OS Command Plugin in the transaction GPA_ADMIN and the OSCommand Console of SAP Diagnostic Agent (LM-Service), version 7.2, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.

Impact

OS command execution with the privileges of the Diagnostic Agent

Affected Vendors

SAP

Affected Products

SAP Diagnostic Agent (LM-Service) version 7.2

Remediation

Apply SAP Note 2808158.


Rewterz Threat Alert – DNS Infrastructure Hijacking Campaign

Severity

High

Analysis Summary

A new campaign targeting Lebanon and the United Arab Emirates (UAE) affects .gov domains as well as a private Lebanese airline. Based on the research, it is clear that this adversary spent time understanding the victims’ network infrastructure in order to remain under the radar and act as inconspicuously as possible during the attacks.

The attackers’ first attempt to compromise victims involved two malicious websites that mimicked legitimate sites hosting job listings:

  • hr-wipro[.]com (with a redirection to wipro.com)
  • hr-suncor[.]com (with a redirection to suncor.com)

These sites hosted a malicious Microsoft Office document: hxxp://hr-suncor[.]com/Suncor_employment_form[.]doc.

The document is a copy of a legitimate file available on the website for Suncor Energy, a Canadian sustainable energy company, and contains a malicious macro.

Upon opening the first Office document, the user is shown a message that says “Content Mode Available”.

The macros of the analysed samples work in two steps:

  • When the document is opened, the macro decodes a base64-encoded PE file and drops it as %UserProfile%\.oracleServices\svshost_serv.doc.
  • When the document is closed, the macro renames svshost_serv.doc to svshost_serv.exe and creates a scheduled task named “chromium updater v 37.5.0” to execute the binary. The task runs immediately and then repeatedly every minute.

Splitting the work over these two steps is intended to avoid sandbox detection.

The payload is executed when Microsoft Office is closed, meaning it requires human interaction to deploy it. The macros, while available through analysis, are also password-protected in Microsoft Word to stop the victim from exploring the macro code via Microsoft Office.

Additionally, the macro uses classic string obfuscation to evade string-based detection.
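The two-step behaviour described above gives a defender something more durable to hunt for than the file hashes: an Office process writing into a dot-prefixed directory under a user profile, a scheduled task created from Office or named like a fake updater, and a binary later executing from that directory. The rules below are an added example, not code from the alert or from Talos; they run over constructed Sysmon-style events. The hostnames, user name, timestamps and the assumption that the task is created via schtasks.exe are all invented for the example (the page only says a scheduled task is created).

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# %UserProfile%\.<name>\ : a dot-prefixed directory directly under the profile
DOTDIR_RE = re.compile(r"\\users\\[^\\]+\\\.[^\\]+\\", re.IGNORECASE)
TASK_NAME_RE = re.compile(r'/tn\s+"?([^"]+?)"?(?:\s+/|$)', re.IGNORECASE)
EVERY_MINUTE_RE = re.compile(r"/sc\s+minute\s+/mo\s+1\b", re.IGNORECASE)

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"

# Constructed Sysmon-style events, reduced to the fields the rules use. Hosts,
# user, timestamps and the use of schtasks.exe are assumptions for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2019-07-10T09:12:01", "host": "WS01", "event": "FileCreate", "image": WINWORD,
     "target": r"C:\Users\alice\.oracleServices\svshost_serv.doc"},
    {"ts": "2019-07-10T09:12:02", "host": "WS01", "event": "FileCreate", "image": WINWORD,
     "target": r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"},
    {"ts": "2019-07-10T09:15:30", "host": "WS01", "event": "ProcessCreate", "image": SCHTASKS,
     "parent": WINWORD,
     "cmdline": r'schtasks /create /sc minute /mo 1 /tn "chromium updater v 37.5.0" '
                r'/tr C:\Users\alice\.oracleServices\svshost_serv.exe /f'},
    {"ts": "2019-07-10T09:15:31", "host": "WS01", "event": "ProcessCreate",
     "image": r"C:\Users\alice\.oracleServices\svshost_serv.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "svshost_serv.exe"},
    {"ts": "2019-07-10T09:20:00", "host": "WS02", "event": "ProcessCreate", "image": SCHTASKS,
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr C:\Tools\backup.exe'},
]


def is_office(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in OFFICE_IMAGES


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the single event triggers."""
    rules = []
    kind = event["event"]
    if kind == "FileCreate" and is_office(event["image"]) and DOTDIR_RE.search(event["target"]):
        rules.append("office_writes_to_hidden_profile_dir")
    if kind == "ProcessCreate":
        cmd = event.get("cmdline", "")
        if event["image"].lower().endswith("\\schtasks.exe") and "/create" in cmd.lower():
            m = TASK_NAME_RE.search(cmd)
            task_name = m.group(1).lower() if m else ""
            # either the lure name from this campaign, or any task created by Office
            if "chromium updater" in task_name or is_office(event.get("parent", "")):
                rules.append("suspicious_scheduled_task")
            if EVERY_MINUTE_RE.search(cmd):
                rules.append("task_runs_every_minute")
        if DOTDIR_RE.search(event["image"]):
            rules.append("process_from_hidden_profile_dir")
    return rules


def correlate(events: List[Dict[str, str]]) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Run the rules over every event; report per-event findings and the hosts
    where both halves of the open/close dropper chain were seen."""
    findings = []
    per_host = defaultdict(set)
    for ev in events:
        for rule in evaluate(ev):
            findings.append((ev["host"], ev["ts"], rule))
            per_host[ev["host"]].add(rule)
    chain = {"office_writes_to_hidden_profile_dir", "suspicious_scheduled_task"}
    chains = sorted(h for h, rules in per_host.items() if chain <= rules)
    return findings, chains


if __name__ == "__main__":
    found, hosts = correlate(SAMPLE_EVENTS)
    for host, ts, rule in found:
        print(host, ts, rule)
    print("dropper chain on:", hosts)
```

Correlating per host matters here because the two halves are minutes apart (the drop happens on open, the task on close), so a single-event rule would fire twice at low confidence where the pair is a high-confidence match. The last event, a task created from Explorer with a benign name and daily schedule, is there to show the rules staying quiet on ordinary administration.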

Impact

Alters DNS records

Indicators of Compromise

IP(s) / Hostname(s)

  • 185[.]20[.]184[.]138
  • 185[.]20[.]187[.]8
  • 185[.]161[.]211[.]72

URLs

  • hr-wipro[.]com
  • hr-suncor[.]com
  • 0ffice36o[.]com

Malware Hash (MD5/SHA1/SHA256)

  • 9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14
  • 15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa
  • 2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec
  • 82285b6743cc5e3545d8e67740a4d04c5aed138d9f31d7c16bd11188a2042969
  • 45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff

Remediation

  • Update the passwords for all accounts that can change organizations’ DNS records.
  • Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.

Rewterz Threat Alert – Buhtrap Group uses Zero Day in latest Espionage Campaigns

Severity

High

Analysis Summary


The Buhtrap group is well known for targeting financial institutions and businesses in Russia. Since late 2015, however, there has been an interesting change in its traditional targets: from a purely criminal group pursuing financial gain, its toolset has expanded to include malware used to conduct espionage in Eastern Europe and Central Asia.

Throughout the tracking, the group has deployed its main backdoor as well as other tools against various victims, but June 2019 was the first time Buhtrap used a zero-day exploit as part of a campaign. In that case, Buhtrap was observed using a local privilege escalation exploit, CVE-2019-1132, against one of its victims. The exploit abuses a local privilege escalation vulnerability in Microsoft Windows, specifically a NULL pointer dereference in the win32k.sys component. Once the exploit was discovered and analysed, it was reported to the Microsoft Security Response Center, which promptly fixed the vulnerability and released a patch.

Although new tools have been added to the arsenal and older ones updated, the tactics, techniques and procedures (TTPs) used in the different Buhtrap campaigns have not changed dramatically over the years. The group still makes extensive use of NSIS installers as droppers, mainly delivered through malicious documents. Several of its tools are also signed with valid code-signing certificates and abuse a known, legitimate application to side-load their malicious payloads.

Impact

Privilege escalation

Indicators of Compromise

URLs

  • 7812[.]reg0[.]5204[.]toor[.]win10[.]ipv6-microsoft[.]org
  • 7812[.]reg0[.]5267[.]toor[.]win10[.]ipv6-microsoft[.]org
  • 7812[.]reg0[.]5314[.]toor[.]win10[.]ipv6-microsoft[.]org
  • 7812[.]reg0[.]5361[.]toor[.]win10[.]ipv6-microsoft[.]org
  • 7812[.]reg0[.]4621[.]toor[.]win10[.]ipv6-microsoft[.]org
  • 7812[.]reg0[.]5173[.]toor[.]win10[.]ipv6-microsoft[.]org
  • corp-microsoft[.]co

Malware Hash (MD5/SHA1/SHA256)

  • 2f2640720cce2f83ca2f0633330f13651384dd6a
  • 6e820b5732cd8bb95546cf39aeb6babe90cf4cc7dde675b718710babcf1740b5
  • b475f14a1ffdeaf883c73e97724544b9bba0f6c481830bd25e3ba0d0f69b9181
  • c17c335b7ddb5c8979444ec36ab668ae8e4e0a72
  • e0f3557ea9f2ba4f7074caa0d0cf3b187c4472ff
  • fd6c772c31da19a66283af4703d1d5072a9158d03031a4094ac2eb8dccd3d6d1

Remediation

Search for the IOCs above in your environment.
Patch the exploited vulnerability (CVE-2019-1132).

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1132


Copyright © Rewterz. All rights reserved.