Rewterz Threat Alert – Multiple Malware Campaigns – IoCs
March 8, 2019
Rewterz Threat Alert – Nymaim Malware – Threat Indicators
March 11, 2019
Severity
Medium
Analysis Summary
SLUB is spread via watering hole attacks: the attacker compromises a legitimate website and adds code to it so that visitors are redirected to the infecting code. In this case, each visitor is redirected only once.
The infection is carried out by exploiting CVE-2018-8174.
CVE-2018-8174
A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka “Windows VBScript Engine Remote Code Execution Vulnerability”.
The campaign also uses a multi-stage infection scheme. After the vulnerability is exploited, a DLL is downloaded and run through PowerShell (PS). This file is a downloader; it then downloads and runs a second executable containing the backdoor. The first-stage downloader also checks for the presence of several antivirus processes and exits if any of them is found.
The downloader
The downloader, which runs through PowerShell as a DLL, serves several purposes. The first is to download and execute the second-stage malware, the SLUB backdoor (named for SLack and githUB; detected as Backdoor.Win32.SLUB.A). The second is to check whether any of the following antivirus processes are running:
- V3Tray.exe
- AYAgent.aye
- navapsvc.exe
- ashServ.exe
- avgemc.exe
- bdagent.exe
- ZhuDongFangYu.exe
If the downloader finds any one of these, it simply exits.
Finally, the downloader also exploits CVE-2015-1701 to gain local privilege escalation. The exploit code was likely created by modifying code from a public GitHub repository.
The SLUB backdoor
The SLUB backdoor is custom-written in C++ and statically links the curl library to perform its HTTP requests. The other statically linked libraries are Boost (used to extract commands from gist snippets) and JsonCpp (used to parse Slack channel communication).
The malware also embeds two authorization tokens to communicate with the Slack API.
- It copies itself to ProgramData\update\ and creates persistence via a Run registry key whose value launches the export function UpdateMPUnits with rundll32.exe. Note the typo in the value name, “Microsoft Setup Initializazion”.
- It downloads a specific “gist” snippet from GitHub and parses it, looking for commands to execute. Only lines starting with “^” and ending with “$” are executed; all other lines are ignored.
The result of the commands is then posted to a private Slack channel in a particular workspace using the embedded tokens.
Note that a side effect of this particular setup is that the attacker has no way to issue commands to a specific target. Each infected computer will execute the commands that are enabled in the gist snippet upon checking it.
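The two host-side artifacts described above (the gist command format and the Run-key persistence) can be checked offline. The following Python is an added example written for this alert, not code from the original report or from the SLUB sample. The gist text and the autorun entries it scans are constructed here for illustration; the matching rules come directly from the description above: the “^…$” line rule, the misspelled value name “Microsoft Setup Initializazion”, the rundll32.exe call to the UpdateMPUnits export, and the ProgramData\update\ path.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a gist snippet in the form SLUB expects (not a real gist).
# Only lines that start with "^" and end with "$" are treated as commands;
# every other line is ignored.
SAMPLE_GIST = """\
# nothing to see here
^whoami$
this line is ignored
^ipconfig /all$
^incomplete line without terminator
^$
"""

# A line is a command only if it begins with '^' and ends with '$'.
COMMAND_LINE = re.compile(r"^\^(.*)\$$")


def extract_gist_commands(text: str) -> List[str]:
    """Return the commands SLUB would execute from a gist snippet.

    The '^' and '$' markers are stripped; an empty command (a bare "^$")
    is dropped since there is nothing to run.
    """
    commands = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        m = COMMAND_LINE.match(line)
        if m and m.group(1):
            commands.append(m.group(1))
    return commands


# Constructed Run-key entries in the shape a registry/autoruns export might give
# (key path, value name, command line). The second entry is the SLUB pattern;
# the others are ordinary entries and must not be flagged.
SAMPLE_RUN_ENTRIES: List[Dict[str, str]] = [
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "data": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Microsoft Setup Initializazion",
     "data": r"rundll32.exe C:\ProgramData\update\x.dll,UpdateMPUnits"},
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth",
     "data": r"%windir%\system32\SecurityHealthSystray.exe"},
]


def slub_persistence_indicators(entry: Dict[str, str]) -> List[str]:
    """Return which SLUB persistence traits a Run-key entry matches.

    Traits from the analysis: the misspelled value name, a rundll32 call to
    the UpdateMPUnits export, and a payload under ProgramData\\update\\.
    Any single hit is worth investigating; the value-name typo alone is a
    strong signal because no legitimate Microsoft component uses it.
    """
    hits = []
    name = entry.get("name", "")
    data = entry.get("data", "")
    if name.lower() == "microsoft setup initializazion":
        hits.append("value name typo")
    if re.search(r"rundll32(\.exe)?\b.*\bUpdateMPUnits\b", data, re.IGNORECASE):
        hits.append("rundll32 export UpdateMPUnits")
    if re.search(r"\\programdata\\update\\", data, re.IGNORECASE):
        hits.append("ProgramData\\update\\ path")
    return hits


def scan_run_entries(entries: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (value name, matched traits) for every entry with at least one hit."""
    findings = []
    for entry in entries:
        hits = slub_persistence_indicators(entry)
        if hits:
            findings.append((entry["name"], hits))
    return findings


if __name__ == "__main__":
    for cmd in extract_gist_commands(SAMPLE_GIST):
        print("gist command:", cmd)
    for name, hits in scan_run_entries(SAMPLE_RUN_ENTRIES):
        print("suspicious Run value:", name, "->", ", ".join(hits))
```

To use this against a real host, replace SAMPLE_RUN_ENTRIES with entries read from an exported Run key (or an autoruns CSV) and feed a downloaded gist body to extract_gist_commands to see exactly which lines an infected machine would have executed.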
Impact
- Remote code execution
- Data breach
Indicators of Compromise
| Indicator type | Value |
| --- | --- |
| URL | https://gist.github.com/kancc14522/626a3a68a2cc2a91c1ece1eed7610c8a |
| Malware hash (MD5) | 626a3a68a2cc2a91c1ece1eed7610c8a |
| Malware hash (SHA256) | 43221eb160733ea694b4fdda70e7eab4a86d59c5f9749fd2f9b71783e5da6dd7 |
| Malware hash (SHA256) | 3ba00114d0ae766cf77edcdcc953ec6ee7527181968c02d4ffc36b9f89c4ebc7 |

Note that the first hash value is identical to the gist identifier in the URL above; verify it against a sample before relying on it as a file hash.
Affected Vendors
Slack
GitHub
Remediation
- CVE-2018-8174 has previously been exploited by the Cobalt group and has recently become active again.
- Make sure all systems are patched against CVE-2018-8174, and against CVE-2015-1701, which the downloader uses for local privilege escalation.