Tag Archives: TrendLabs Security Intelligence Blog

a-PATCH-e: Struts Vulnerabilities Run Rampant

by Steve Povolny

Equifax confirmed the attack vector used in its data breach to be CVE-2017-5638, a vulnerability patched in March 2017 via S2-045. The vulnerability was exploited to gain unauthorized access to highly sensitive data of approximately 143 million U.S. and 400,000 U.K. customers, as well as 100,000 Canadian consumers. The vulnerability was first disclosed in March and was almost immediately followed by publicly available POCs, weaponized exploits, and scanners produced by third parties.

Trend Micro has observed thousands of filter events for this vulnerability via our intrusion prevention solutions since March, and these exploits or enumeration attempts are still being seen. It’s worth noting that these solutions can leverage these filters to provide a highly effective virtual patch for critical Apache Struts vulnerabilities until the actual software updates are deployed to secure the system.

We’ve observed filter events against this vulnerability from a large number of countries, with the majority of events sourced from the regions shown below:

Figure 1: Graphical representation of top source countries of attackers for CVE-2017-5638

Trend Micro has also actively blocked and thwarted attacks and enumeration attempts against organizations across various industries, including universities in the U.S., Europe and South America, healthcare, internet service, and telecommunications providers, automotive manufacturers, banks and other financial institutions.

Apache Struts Vulnerabilities are Actively Exploited
The following image is an example of an exploit attempting to leverage the vulnerability used to breach Equifax:

Figure 2: Screenshot of exploitation attempt against CVE-2017-5638

On July 11, we released a filter for the techniques observed in another critical Apache Struts vulnerability (identified as CVE-2017-9791, patched in July via S2-048). Several weeks ago, a spate of Apache Struts vulnerabilities was published, including CVE-2017-12611 (patched September 9 via S2-053). We quickly located all public exploits surrounding the vulnerability and tested them against our Digital Vaccine filters. They didn’t just block all versions of this exploit with no updates needed; digging deeper, we found that these filters had already been blocking intrusion attempts for nearly two months. The diagrams below highlight the timeline of events we observed in relation to the exploit code’s availability.

Figure 3: Timeline of intrusion attempts we observed exploiting CVE-2017-5683 (click to enlarge)

Figure 4: Timeline of attack attempts we observed exploiting CVE-2017-12611, based on existing filter coverage released last July for CVE-2017-9791; note that the figure is based on 5% of total customer activity (click to enlarge)

The types of attacks we have observed have been a combination of targeted or non-targeted intrusion attempts as well as automated enumeration scans for fingerprinting vulnerable servers. Below is a screenshot of an enumeration attempt using the non-intrusive ECHO command, which can be used to inform the attacker if the targeted machine is vulnerable.

Figure 5: Code snippet (highlighted) showing the ECHO command

A Lesson on Patching
A vulnerable framework can cause significant damage regardless of the kind or type of flaw, and it can affect things beyond a company’s bottom line and reputation. At stake are also the privacy and security of personally identifiable data, which can have long-term, real-life repercussions when compromised—not to mention the risk to the integrity of the infrastructure from which the information changes hands.

The takeaway? A single, vulnerable machine on a network is sometimes all it takes to affect millions. Implement defense in depth. Apply more robust patch management policies, but strike a balance between your business needs and the importance of securing your assets and data. Some best practices include:

  • Patching your systems and servers as well as the applications that run on them
  • Deploying vulnerability-driven filters to provide a wider net of protection to the network, system or server
  • Considering virtual patching to address unidentified vulnerabilities or platforms for which patches aren’t directly available
  • Enforcing the principle of least privilege, avoiding or minimizing the use of third-party applications, and disabling unnecessary components to limit your attack surface
  • Proactively monitoring your network, i.e., employing firewalls as well as intrusion detection and prevention systems
  • Backing up your files and implementing defensive measures such as data categorization and network segmentation


Trend Micro Solutions
Trend Micro™ TippingPoint™ provides virtual patching and extensive zero-day protection against network-exploitable vulnerabilities via Digital Vaccine™ filters. Trend Micro™ Deep Security™ and Vulnerability Protection also provide virtual patching that protects servers and endpoints from threats that abuse vulnerabilities in critical applications such as Apache Struts. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats that may exploit Struts vulnerabilities even without an engine or pattern update.

Here are the links to the list of Trend Micro protections against these Apache Struts vulnerabilities: CVE-2017-5638, CVE-2017-9791, and CVE-2017-9805.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

a-PATCH-e: Struts Vulnerabilities Run Rampant

http://ift.tt/2wJRlGj Source: http://ift.tt/1amucZ5

New RETADUP Variants Hit South America, Turn To Cryptocurrency Mining

By Lenart Bermejo, Kenney Lu, and Cedric Pernet

Several months ago, we discovered and exposed RETADUP malware in Israeli hospitals. We also learned that an Android malware known as “GhostCtrl” was stored in their infrastructure, which might be used for cyberespionage or cybercrime.

Since then, we’ve encountered more samples in the wild. While RETADUP was found in Israeli hospitals, a new variant was targeting specific industries and governments in South America. We believe the use of the Retadup malware family is limited to a very small set of threat actors. We found no evidence of it being sold or distributed via underground marketplaces or forums.

This new RETADUP variant has features that would be useful for cybercrime instead of espionage. One would think that this would result in widespread use, but instead it has only been found in limited areas. It has frequently been used to spread cryptocurrency mining malware, perhaps indicating an evolution towards direct monetization.

Hitting South America

RETADUP first hit South America in May 2017, and attacks are still ongoing. Based on product feedback, it currently affects organizations located in Argentina, Bolivia, Colombia, Ecuador, and Peru. Affected users in Peru accounted for 75% of all potential victims in South America based on unique IP addresses.

Figure 1. Distribution of victims in South America

Our information indicates that the victims are concentrated in several sectors: aside from governments, energy and mining companies are particularly affected.

Some aspects of RETADUP’s behavior are not yet clear. We have found no evidence of what its initial infection vector is, even after raising the question with several individuals involved in responding to RETADUP incidents. We believe, however, that it may use spear phishing or downloader malware. No data exfiltration has been found either.

One incident revealed an unusual characteristic compared to others launched by the same campaign. In that particular case, in addition to RETADUP, the threat actor dropped an older version (1.25) of BrowsingHistoryView (detected as HKTL_BrowHistoryView). This tool collects the browsing history from multiple browsers, gathering data on visited websites as well as network shares accessed via the supported browsers.

Profiting from cryptocurrency mining

Systems infected with RETADUP also frequently contained various tools used to mine cryptocurrencies, which were dropped by the threat actor. These tools use available computing power (both from the CPU and the GPU) to “mine” different cryptocurrencies. These allow the threat actor to monetize the infected machines. The collective computing power of many (infected) machines allows for significant profits to be made.

In the past, RETADUP most commonly used the open-source cpuminer-multi miner. Newer versions include mining code directly. In both cases, the code was used to generate Monero (XMR) digital currency. By tracking one unique identifier associated with the user “earning” the cryptocurrency (i.e., the threat actor), we were able to establish that profits from the mining totaled 314.34 XMR since June 18, amounting to almost US$36,000 at current exchange rates.

Examining the available mining power is informative. Based on information from the Minexmr.com website, at night the hash rate (a measure of computing power) is relatively low (approximately 50 kh/s). This is attributable to computers that are online 24/7. During working hours, the rate increases as people turn their computers on. Later in the day, as more systems are turned off, the hash rate falls.

Figure 2. Hash rate

Note that the threat actor may have more miners and identifiers in use, and his actual profits are likely higher than our estimates indicate.

Evolution of RETADUP

As discussed before, the RETADUP malware family is based on code from other malware families: IPPEDDO and ROWMANTI, also named “rad worm” by its developers. The newly encountered variant has several new behaviors.

Firstly, RETADUP has now been split into an infector component and a remote access Trojan (RAT) component. Secondly, the malware now uses HTTP GET requests to send and receive information from its command and control (C&C) servers. Finally, several features related to information theft have been removed.

Multiple files dropped

A wide variety of files are dropped onto the affected system. RETADUP (split into its two components), the AutoIt engine, miners, and various libraries are all dropped under the main system drive’s root directory with this organization:

Figure 3. Organization of dropped files

Some of these components are worth discussing in detail.

Infector component (WORM_RETADUP.D)

The infector component of RETADUP is dropped as a file named cpuspeed.tnt. When it runs, it first checks the filenames of the AutoIt engine (which was installed by the malware earlier) and itself. If the file names do not match the default names, the malware will terminate itself.

It then creates the persistence mechanism for the remote access Trojan (RAT), by registering it in the Windows registry:

CpuOptimizer = C:\newcpuspeed\Cpufix.exe C:\newcpuspeed\cpuage.tnt

It then disables the ShowSuperHidden flag in the registry. This hides protected system files, including the RETADUP directories, from users. It then spreads by copying the following files to other drives:

  • <drive letter>:\newcpuspeedcheck\cpuage.tnt
  • <drive letter>:\newcpuspeedcheck\cpufix.exe
  • <drive letter>:\newcpuspeedcheck\cpuspeed.tnt
  • <drive letter>:\newcpuspeedcheck\workers\rad\cpuchecker.exe
  • <drive letter>:\newcpuspeedcheck\workers\rad\cpuchecker32.exe
  • <drive letter>:\newcpuspeedcheck\workers\rad\msvcr120_64.dll
  • <drive letter>:\newcpuspeedcheck\workers\rad\msvcr120_86.dll
  • <drive letter>:\newcpuspeedcheck\workers\rad\x32.bin
  • <drive letter>:\newcpuspeedcheck\workers\rad\x64.bin

For removable drives, the following files are copied in addition to the above files:

  • <drive letter>:\Downloads.lnk
  • <drive letter>:\<folder>\<folder> Copy.lnk

This division of the infector and RAT components is new for RETADUP. We believe this was done to add complexity and flexibility in the malware. For example, this could allow the threat actors to drop and execute some other malware instead of the RETADUP RAT component.

RAT component (TROJ_RETADUP.A) 

The cpuage.tnt file dropped by the infector is RETADUP’s RAT component. As in previous versions, it contains various routines meant to detect if it is run on a virtual machine (VM). This time, though, if that happens it merely shows a message titled “Something went Wrong”.

How does RETADUP determine if it is being executed on a VM? It first checks if certain processes are running:

Figure 4. Code checking for running processes

It also checks for some SystemInfo strings:

Figure 5. Code checking for SystemInfo strings

It also checks for some system modules:

Figure 6. Code checking for system modules

Checks are performed for certain combinations of running processes, the presence of several folders, and whether the RAT itself is located in some folders:

Figure 7. Code checking for various properties

It also checks if its own filename starts with more than six digits, or if it is longer than 35 characters.

All of these conditions are associated either with VMs, or with various analysis tools used by security researchers. If any of the above conditions are met, the malware terminates itself.

Once the RAT is running, the following commands are available:

Command              Usage
-------------------  ------------------
sleep                Sleep
Exit                 Exit
startminer           Start Miner
closeminercommand    Terminate Miner
instalminer          Install Miner
url                  Open URL
cmd                  Execute command
update               Update malware
download             Download File

The network communications have also changed. This RETADUP variant now uses HTTP GET requests:

Figure 8. HTTP request

The HTTP GET request format, once decoded, is:

  • GET /0409-WIN_7-7601-X64-2355838296/1/1/0/0/empty

This request can be described as:

  • <OS language>-<OS version>-<OS build>-<processor architecture>-<homedrive serial>/<hardcoded flag 1>/<number of processors>/<worm window name flag (cpuspeed’s window title is checked)>/<miner process flag>/<content of “\worker\” directory>

The reply from the (C&C) server is decoded using BinaryToString and would look like:

  • ok||||sleep-1800000-sleep

The format of these replies would be:

  • ok||||<command start><command parameter/argument/value to use><command end>

The RAT’s reply to the C&C server after completion of the command would be either of the two:

  • MSG:!:<Message + command-related information>
  • MSG:!:<error message>
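As an added example (not code from the post or from the malware), a Python parser for the decoded beacon path and C&C reply formats described above, which a defender could run over web proxy logs to spot this beacon pattern. The log line layout, the hexadecimal OS language field and the “-”-delimited argument layout of the reply are assumptions based on the single samples shown.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample proxy log lines (not real telemetry). Each line is
# assumed to be "<client ip> <method> <request path>".
SAMPLE_LOG = """\
10.0.0.5 GET /0409-WIN_7-7601-X64-2355838296/1/1/0/0/empty
10.0.0.7 GET /index.html
10.0.0.9 GET /0409-WIN_10-15063-X64-1234567890/1/4/1/1/cpuchecker.exe
"""

# Decoded beacon path layout, as described in the post:
# /<OS language>-<OS version>-<OS build>-<arch>-<homedrive serial>
#   /<hardcoded flag 1>/<num processors>/<worm window flag>/<miner flag>/<worker dir content>
BEACON_RE = re.compile(
    r"^/(?P<lang>[0-9A-Fa-f]{4})"        # OS language id, assumed 4 hex digits
    r"-(?P<os_version>[A-Z0-9_]+)"      # e.g. WIN_7
    r"-(?P<os_build>\d+)"               # e.g. 7601
    r"-(?P<arch>X(?:86|64))"            # processor architecture
    r"-(?P<drive_serial>\d+)"           # homedrive serial number
    r"/(?P<flag1>\d)"                   # hardcoded flag 1
    r"/(?P<num_cpus>\d+)"               # number of processors
    r"/(?P<worm_window_flag>[01])"      # worm window (cpuspeed) present?
    r"/(?P<miner_flag>[01])"            # miner process running?
    r"/(?P<worker_dir>[^/\s]+)$"        # content of \worker\ (or "empty")
)

# C&C reply once BinaryToString-decoded: ok||||<cmd><argument><cmd>,
# e.g. ok||||sleep-1800000-sleep. The "-" delimiters around the argument
# are an assumption from that one sample.
REPLY_RE = re.compile(r"^ok\|\|\|\|(?P<cmd>[a-z]+)-(?P<arg>.*)-(?P=cmd)$")


def parse_beacon(path: str) -> Optional[Dict[str, object]]:
    """Return the host fingerprint encoded in a beacon path, or None if the
    path does not follow the RETADUP layout."""
    m = BEACON_RE.match(path)
    if not m:
        return None
    f = m.groupdict()
    return {
        "os_language": f["lang"],
        "os_version": f["os_version"],
        "os_build": int(f["os_build"]),
        "arch": f["arch"],
        "drive_serial": f["drive_serial"],
        "num_cpus": int(f["num_cpus"]),
        "worm_running": f["worm_window_flag"] == "1",
        "miner_running": f["miner_flag"] == "1",
        "worker_dir": f["worker_dir"],
    }


def parse_c2_reply(reply: str) -> Optional[Tuple[str, str]]:
    """Split a decoded C&C reply into (command, argument)."""
    m = REPLY_RE.match(reply)
    if not m:
        return None
    return m.group("cmd"), m.group("arg")


def scan_log(text: str) -> List[Dict[str, object]]:
    """Flag every GET whose path decodes as a RETADUP beacon, with the
    client address and the decoded host fingerprint."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "GET":
            continue
        fields = parse_beacon(parts[2])
        if fields is not None:
            findings.append({"client": parts[0], **fields})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(parse_c2_reply("ok||||sleep-1800000-sleep"))
```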

The URLs of several C&C servers are hardcoded in the malware.

RETADUP can also use the result of a domain generation algorithm (DGA) for these URLs:

  • hxxp://<DGA output>.mdwnte.com:8090
  • hxxp://<DGA output>.newblackage.com:8090
  • hxxp://<DGA output>.publicvm.com:8090

As we noted earlier, several information theft capabilities have been removed from this RETADUP variant. The list of removed features includes:

  • Keylogger
  • Screen capture
  • Password stealing capabilities

All in all, this new variant of RETADUP feels like a “light” version of the previous one, in which a huge effort has been put into cryptocurrency mining rather than espionage/data theft capabilities.

Conclusions – The Ongoing RETADUP Mystery

RETADUP continues to be a mystery. It was previously found in Israeli hospitals, and it’s a big jump (figuratively and literally) to go from there to hitting South American energy firms. The number of possible threat actors that have access to RETADUP is presumably very limited, as we have not seen it offered in the cybercrime underground. It’s probably limited to either very few trusted parties, or maybe even only the developers themselves.

There are a lot of questions left unanswered. The initial vector of compromise is not yet known. The goals of the threat actors are not yet clear, and their behavior is contradictory. Cryptocurrency mining suggests a profit motive typical of cybercrime, but the selected targets are more indicative of a cyberespionage operation.

Trend Micro will keep monitoring this threat and will bring more information to light as it becomes available.

Indicators of Compromise

The following hashes are associated with various aspects of RETADUP attacks:


Locky Ransomware Pushed Alongside FakeGlobe in Upgraded Spam Campaigns

By Julie Cabuhat, Michael Casayuran, Anthony Melgarejo

In the beginning of September, a sizeable spam campaign was detected distributing the latest Locky variant. Locky is a notorious ransomware that was first detected in the early months of 2016 and has continued to evolve and spread through different methods, particularly spam mail. A thorough look at samples from recent campaigns shows that cybercriminals are using sophisticated distribution methods, affecting users in more than 70 countries.

In the specific campaigns discussed below, both Locky and the ransomware FakeGlobe were being distributed—but the two were rotated. The cybercriminals behind the campaign designed it so that clicking on a link from the spam email might deliver Locky one hour, and then FakeGlobe the next. This makes re-infection a distinct possibility, as victims infected with one ransomware are still vulnerable to the next one in the rotation.

Worldwide distribution and spam campaign analysis

Figure 1. Distribution of initial spam campaign

Figure 2. An example of the spam messages

This sample largely affected users in Japan, China, and the US; 45% of the spam was sent to over 70 other countries. Collectively, we blocked as many as 298,000 spam emails, and distribution peaked at 10 AM (UTC +4) on September 4, 2017.

Figure 3. Distribution of second spam campaign 

Figure 4. An example of the second spam messages

This sample affected mostly users in Japan, China, and the US; 46% of the spam was sent to over 70 other countries. Distribution peaked at 4 PM (UTC +4) on September 4, 2017, and collectively we were able to block 284,000 spam emails.

The distribution time is typical of spam campaigns, coinciding with regular work hours when more users are likely to check their emails. Based on the timeline, affected countries, and similarities between the emails, we can assume that the same source sent these two samples.

We tracked the sender IPs of this spam wave and found that most were from India, Vietnam, and Iran. A total of 185 different countries were involved in spreading these two samples, which gives us an idea of the distribution channel’s size.

Spam pushes rotating ransomware

The spam emails have a link and attachment (now a .7z or 7-zip instead of .zip), both disguised as legitimate invoices or bills targeting the user. The script inside the archive downloaded from the link and the one in the attachment are similar, but they connect to different URLs for their download attempts.

The script downloaded from the link in the email body contains the following URLs:

  • geolearner[.]com/JIKJHgft?
  • naturofind[.]org/p66/JIKJHgft
  • cabbiemail[.]com/JIKJHgft?

In comparison, the one in the attachment leads to the following URLs:

  • m-tensou[.]net/JIKJHgft?
  • naturofind[.]org/p66/JIKJHgft

While analyzing the scripts, we noted that they downloaded two different binaries. One script connecting to geolearner[.]com/JIKJHgft? downloaded a .lukitus variant of Locky with an affiliate ID of “3”. The affiliate ID and the victim ID are sent to Locky’s CnC servers, allowing the threat actors to determine how to distribute ransom payments.

Figure 5. Locky wallpaper and ransom note

Figure 6. Locky payment page

The second script, which connects to m-tensou[.]net/JIKJHgft?, downloads the FakeGlobe or “Globe Imposter” ransomware. FakeGlobe surfaced in June of this year, also using fake invoices as a lure. It appends the .txt extension to the names of the encrypted files and features a support page that helps victims pay.

Figure 7. FakeGlobe ransom note

Figure 8. FakeGlobe support pages

After a few hours, we tried downloading from m-tensou[.]net/JIKJHgft? again and found that the file changed from FakeGlobe to Locky. This shows that the files downloaded from these URLs are being rotated.

Other campaigns push FakeGlobe and Locky

Reports detail another spam campaign, seen on August 30, that also tried to distribute both Locky and FakeGlobe. Similar to the campaign discussed above, it only distributed Locky at first but adopted FakeGlobe soon after. A new wave pushing both ransomware families was seen on September 5.

Figure 9. Spam sample pushing Locky and FakeGlobe

This spam campaign has a DOC file attachment with a malicious macro—a typical and widely-used tactic to trick the user into enabling macros, which are disabled by default.

Figure 10. Content of the DOC file that tricks users to enable macros

This downloader leverages the Auto Close VBA Macro. When the victim closes the DOC file, the macro will execute.

The DOC files we gathered connect to the following download URLs:

  • http://ift.tt/2ffwqZ3
  • http://ift.tt/2xsuWkK

During initial analysis, they downloaded the .lukitus variant of Locky with affiliate ID “24”. We then tried changing the f parameter in the URL from 1 to 2:

  • http://ift.tt/2ffGSzA
  • http://ift.tt/2xtn1nh

This time, it downloaded FakeGlobe. This variant appends the .911 extension to the encrypted file names and drops !SOS!.html as a ransom note.

After a few hours, both parameters (f=1 and f=2) switched to pushing Locky, a behavior that was also observed in the other spam campaign. The next day, it was FakeGlobe’s turn to be downloaded through both parameters. We also discovered that support.php and admin.php are interchangeable.

Solutions and recommendations

This is not the first time we’ve seen download URLs serving different malware in rotation. However, typically the malware were of different types, pairing information stealers and banking Trojans with ransomware. Now we see that cybercriminals are simply doubling up on ransomware, which is quite dangerous for users. Since Locky and FakeGlobe are pushed alternately, files can be re-encrypted by a second ransomware. Victims would then have to pay twice or, worse, lose their data permanently.

Ransomware is a constantly evolving threat, but enterprises and end users can follow a set of best practices to improve their defense against ransomware.

Enterprises can benefit from a multi-layered, step-by-step approach to best mitigate the risks brought by spam mail. Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities, such as high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding, that minimize the impact of this threat.

To combat the threat presented by Locky and FakeGlobe ransomware, Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual or in the cloud. For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware. For home users, Trend Micro Security 10 provides strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools, such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware, and the Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without the victim paying the ransom or needing the decryption key.

All solutions are powered by XGen™ security which provides a cross-generational blend of threat defense techniques and a connected threat defense that can protect your organization from unseen threats.

Related hashes:


iXintpwn/YJSNPI Abuses iOS’s Config Profile, can Crash Devices

by Hara Hiroaki, Higashi Yuka, Ju Zhu, and Moony Li

While iOS devices generally see relatively fewer threats because of the platform’s walled garden approach in terms of how apps are installed, it’s not entirely unbreachable. We saw a number of threats that successfully scaled the walls in 2016, from those that abused enterprise certificates to ones that exploited vulnerabilities to curtail Apple’s stringent control over its platforms.

This is further exemplified by iXintpwn/YJSNPI (detected by Trend Micro as TROJ_YJSNPI.A), a malicious profile that can render the iOS device unresponsive. It was part of the remnants of the work of a Japanese script kiddie who was arrested in early June this year.

While iXintpwn/YJSNPI seems currently concentrated in Japan, it won’t surprise anyone if it spreads beyond the country given how it proliferated in social media.

iXintpwn/YJSNPI first appeared in late November 2016 via Twitter—and subsequently over YouTube and social websites—posing as an iOS jailbreaker named “iXintpwn”. It’s also the name of the website the malicious profile is hosted in. The overflow of icons it places over the affected device’s screens appears as “YJSNPI”. It was also known as “Beast Senpai” (senpai means teacher or mentor in Japanese) as a reference to the image used as a meme in Japanese online forums.

Regardless of whether it was created as a prank or to gain notoriety, its attack chain is notable, as attackers can weaponize the iOS feature iXintpwn/YJSNPI misuses: unsigned iOS configuration profiles.

YJSNPI can proliferate when a user accesses the website hosting the malicious profile, especially via Safari. The malicious site contains JavaScript that responds with a blob object (the malicious profile) when the user accesses it. On iOS devices, the latest Safari accepts this server response and automatically downloads the profile.

Figure 1: Code snippets showing YJSNPI as a blob object (top), and how it’s retrieved in Safari (bottom)

Abusing iOS Configuration Profile
An iOS configuration profile enables developers to streamline the settings of a huge number of devices, including email and exchange, network, and certificates. Enterprises employ these profiles to streamline the management of homegrown apps and corporate devices, for instance. A configuration profile can also customize the settings of a device’s restrictions, Wi-Fi, Virtual Private Network (VPN), Lightweight Directory Access Protocol (LDAP) directory, Calendaring Extensions to WebDAV (CalDAV), web clips, credentials, and keys.

Evidently, a malicious profile can be used to manipulate settings, for instance to divert the device’s traffic. Examples of this include the information-stealing Wirelurker and the adware-laden repackaged apps from Haima.

In iXintpwn/YJSNPI’s case, it uses an unsigned profile and sets it to “cannot be deleted” to make it more difficult to uninstall, as shown below. For persistence, the value for “PayloadIdentifier” string is randomly generated via JavaScript. Note that iOS has countermeasures in place for installing signed or unsigned profiles, which requires direct user interaction. The only difference is how these profiles are displayed—signed profiles are indicated as “verified”, for instance.

Figure 2: iXintpwn/YJSNPI using an unsigned profile

Figure 3: The malicious profile set as unremovable (left) and the icons overlaying the device screen (right)

Figure 4: Code snippets showing how the PayloadIdentifier’s value is generated (top and middle), resulting in various iXintpwn configuration profiles (bottom)
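As an added example (not code from the post or from Apple), a Python check that a defender or MDM administrator could run on a .mobileconfig before trusting it: it tells a signed (CMS/DER-wrapped) profile from an unsigned plist and, for the unsigned case, reports the “cannot be deleted” setting and unremovable web-clip icons that the post describes. The sample profiles are constructed; the key names follow Apple’s configuration profile schema (PayloadRemovalDisallowed, com.apple.webClip.managed, IsRemovable).

```python
import plistlib
from typing import Dict, List

# Constructed sample profiles (not the actual iXintpwn/YJSNPI profile).
# PayloadRemovalDisallowed is the documented key behind "cannot be deleted";
# com.apple.webClip.managed payloads are the home-screen icons.
MALICIOUS_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.a1b2c3d4</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadDisplayName</key><string>iOS Jailbreak</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadIdentifier</key><string>com.example.a1b2c3d4.clip1</string>
      <key>PayloadUUID</key><string>22222222-2222-3333-4444-555555555555</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Label</key><string>YJSNPI</string>
      <key>URL</key><string>https://example.invalid/</string>
      <key>IsRemovable</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

BENIGN_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.wifi</string>
  <key>PayloadUUID</key><string>33333333-2222-3333-4444-555555555555</string>
  <key>PayloadDisplayName</key><string>Office Wi-Fi</string>
  <key>PayloadContent</key><array/>
</dict>
</plist>
"""


def is_signed(blob: bytes) -> bool:
    """Signed profiles are CMS/PKCS#7 DER (starting with a 0x30 SEQUENCE tag);
    unsigned ones are a bare XML or binary plist."""
    head = blob.lstrip()
    return not head.startswith((b"<?xml", b"bplist"))


def assess_profile(blob: bytes) -> Dict[str, object]:
    """Collect the properties a reviewer would check before trusting a profile.
    Only unsigned profiles are parsed here; a signed one would first need its
    CMS wrapper removed, which is outside this example."""
    flags: List[str] = []
    result: Dict[str, object] = {"signed": is_signed(blob), "flags": flags}
    if result["signed"]:
        flags.append("signed (content not inspected here)")
        return result
    flags.append("unsigned")
    plist = plistlib.loads(blob)
    result["display_name"] = plist.get("PayloadDisplayName", "")
    result["identifier"] = plist.get("PayloadIdentifier", "")
    result["removal_disallowed"] = bool(plist.get("PayloadRemovalDisallowed", False))
    if result["removal_disallowed"]:
        flags.append("PayloadRemovalDisallowed set")
    clips = [p for p in plist.get("PayloadContent", [])
             if p.get("PayloadType") == "com.apple.webClip.managed"]
    result["web_clips"] = len(clips)
    result["unremovable_web_clips"] = sum(1 for p in clips if not p.get("IsRemovable", True))
    if result["unremovable_web_clips"]:
        flags.append("unremovable web clip(s)")
    return result


def is_suspicious(blob: bytes) -> bool:
    """Unsigned and locked in place: the combination the post describes."""
    r = assess_profile(blob)
    return (not r["signed"]) and bool(r.get("removal_disallowed") or r.get("unremovable_web_clips"))


if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_PROFILE), ("benign", BENIGN_PROFILE)):
        print(name, is_suspicious(blob), assess_profile(blob)["flags"])
```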

iOS SpringBoard Icon Overflow
Upon iXintpwn/YJSNPI’s profile installation, an icon will be awkwardly superimposed on the home screen. Clicking it results in an overflow of YJSNPI icon-laden screens that crashes SpringBoard—the application that manages the home screen and controls how apps are displayed and launched. The YJSNPI icons are clickable but will only show a bigger resolution of the icon’s image. It is also during this overflow of icons that the device becomes unresponsive.

Figure 5: iXintpwn/YJSNPI’s icon hovering in the home screen (left); screenshot of an iPad’s home screen populated with YJSNPI’s icons (right)

Mitigation and Best Practices
Thankfully, YJSNPI can be removed from the device despite it being set as unremovable. Affected users can use Apple Configurator 2, Apple’s official iOS helper app for managing Apple devices via a Mac, to find and remove the malicious profile under the Actions function.

However, there are caveats. The profile has to be fully installed before Apple Configurator 2 will list it; otherwise the icons won't be removed. There is also no Windows version of Apple Configurator 2.

Follow best practices to improve mobile device security, especially if the iOS device you use runs in a BYOD environment. Regularly update and patch your iOS and apps and download only from the App Store or trusted sources. Beware of the risks of jailbreaking, and be aware of the permissions you grant to unknown or suspicious apps or profiles. App developers are likewise recommended to secure the apps they develop so that their apps can’t be abused to spread malware.

Trend Micro Solutions
End users and businesses can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Apple devices (available on the App Store). Trend Micro™ Mobile Security for Enterprise also provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

iXintpwn/YJSNPI Abuses iOS’s Config Profile, can Crash Devices

http://ift.tt/2xKFnRB Source: http://ift.tt/1amucZ5

Advisory: BlueBorne Reportedly Affects Billions of Bluetooth-Enabled Devices


by Vít Šembera (Cyber Threat Researcher)

BlueBorne is a set of vulnerabilities affecting the implementation of Bluetooth in iOS, Android, Linux, Windows and Mac OS* devices. According to the researchers who uncovered them, BlueBorne affects around 5.3 billion Bluetooth-enabled devices. The immediate mitigation for BlueBorne is to patch the device, if there’s any available, or to switch off the device’s Bluetooth connection if not needed.

Note that while there may be proof-of-concept demonstrations of BlueBorne as an attack vector, there is no indication that it is being actively exploited in the wild; we are proactively monitoring for this. Additionally, certain conditions have to be met to exploit BlueBorne.

What is BlueBorne?
BlueBorne is a combination of vulnerabilities stemming from vague and outdated parts of the Bluetooth specification, including authorization and authentication issues. Missing or incorrect validation of protocol parameters in Bluetooth stack code can result in stack or heap overflows in the kernel address space and, combined with an outdated implementation, in remote code execution (RCE).

Current implementations, for instance, allow low-level connections to be established without the user's interaction or knowledge. iOS fares better against BlueBorne because Apple implements its own Bluetooth stack with its own authentication and authorization during the initial connection; iOS requires direct user interaction in all cases.

On Android, there is a red flag that an ordinary user is unlikely to notice: suspicious activity from the com.android.bluetooth process, which Zygote (the daemon used for launching apps) spawns. That process already runs with high privileges and is automatically restarted when it crashes. During a Wi-Fi Pineapple-style attack over Bluetooth, for example, signs of possible BlueBorne exploitation can be observed as sudden network configuration changes, such as new default routes or web proxy definitions. Other kinds of attacks, such as RCE, are hard to detect.

BlueBorne Prevention and Mitigation
iOS users, particularly those with an iPhone 5 or newer, are protected by installing the latest iOS (version 10 or 11). Google has also released patches for the affected Android versions in its September Security Bulletin. Note, however, that Android patching is fragmented: Pixel and Nexus devices receive updates steadily and consistently, while others do not, so users must check with their device's original equipment manufacturer for availability.

Desktop users should also patch their OS; Microsoft shipped a fix as part of its September Patch Tuesday release. On Windows, the BlueBorne flaw does not directly yield code execution over Bluetooth and would have to be chained with further attacks.

Updates are also underway for the vulnerabilities affecting Linux systems. CVE-2017-1000250, an information leak in the Session Description Protocol (SDP) server of BlueZ (the user-space Bluetooth daemon rather than the kernel), has had a fix committed since September 13, and the fix is propagating to distributions: Debian's bluez 5.46-1 package, as well as RHEL 6 and 7, are already fixed.

A patch for CVE-2017-1000251, a stack buffer overflow in the kernel's Logical Link Control and Adaptation Layer Protocol (L2CAP) implementation, has been committed since September 9; RHEL 5, 6, and 7 are already patched. On systems with kernel stack protection enabled (CONFIG_CC_STACKPROTECTOR or CONFIG_CC_STACKPROTECTOR_STRONG, depending on kernel version and platform), an unauthenticated attacker within range who initiates a Bluetooth connection to the system could use this flaw to crash it; given how the stack protector works, code execution cannot be fully ruled out.

Millions of Internet of Things (IoT) devices run the Linux kernel on ARM and MIPS SoCs, many with an active Bluetooth stack. It is difficult to determine if, how, or when their vendors will patch them.

For systems vulnerable or potentially at risk, switching off the Bluetooth stack is recommended. Bluetooth range is anywhere between 10 and 100 meters depending on version and environment, which users can factor in when using Bluetooth-enabled devices; note, however, that attackers can significantly extend that range with a high-gain antenna.

*Mac OS may be affected by the same vulnerability, as it shares Darwin kernel code with iOS. Although still officially unconfirmed, some older versions (before Sierra) can be vulnerable.


http://ift.tt/2wgsn5X Source: http://ift.tt/1amucZ5

Hangul Word Processor and PostScript Abused Via Malicious Attachments


The Hangul Word Processor (HWP) is a word processing application that is fairly popular in South Korea. It can run PostScript code, a language originally designed for printing and desktop publishing but a fully capable, Turing-complete language nonetheless. Unfortunately, this ability is now being exploited in attacks involving malicious attachments.

Encapsulated PostScript (EPS), a constrained form of PostScript, is meant to restrict what embedded code may do and thereby make opening such documents safer, but older HWP versions implement these restrictions improperly. We have started seeing attachments containing malicious PostScript, which is in turn used to drop shortcuts (or actual malicious files) onto the affected system.

Office suites have long been a popular way of getting users to drop and run malware on their systems. The various components of Microsoft Office have been exploited for years, whether via social engineering (macro malware) or vulnerabilities. It shouldn’t be a surprise that other office suites are similarly targeted.

Technical Details

The goal of this attack is to use PostScript to gain a foothold onto a victim’s machine. No actual exploit is used, as this is a case where a feature of PostScript is being abused.

Some of the subject lines and document names used include "Bitcoin" and "Financial Security Standardization". The decoy documents look like this:

Figures 1 and 2. Samples of decoy documents

PostScript has no operator for executing shell commands, but it can create and write files. The attack therefore drops files into various startup locations and waits for the user to reboot the machine. Some of the variants we've seen include:

  1. Drops a shortcut in the Startup folder that runs mshta.exe to execute a JavaScript file.
  2. Drops a shortcut in the Startup folder and a DLL in the %Temp% directory; the shortcut calls rundll32.exe to execute the DLL.
  3. Drops an executable file directly in the Startup folder.
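The scanner below is an added example for the dropper variants just listed; it is not code from the original post and the EPS it scans is constructed, not one of the samples in the IOC list. It looks for the one mechanism PostScript has for dropping a file, the `file` operator opened in a writable mode, together with the write/delete/rename operators and the path fragments the three variants rely on (the Startup folder, %Temp%, .lnk/.dll/.exe artifacts, mshta and rundll32). The constructed sample writes a minimal .lnk header, which is the real Windows shell-link signature, followed by a DLL stub.

```python
"""Static scan of PostScript extracted from an HWP attachment for
file-dropping behaviour. Added example, not code from the original post.
The sample EPS is constructed and is not one of the listed samples.
"""
import re

# "(path) (mode) file" opens a PostScript file object; any mode but plain "r" can write.
FILE_OPEN = re.compile(r"\(((?:\\.|[^\\)])*)\)\s*\(([rwa]\+?)\)\s*file\b")
WRITE_OPS = ("writestring", "writehexstring", "write", "deletefile", "renamefile")
INDICATORS = {
    "startup_folder": re.compile(r"\\Startup\\", re.I),
    "temp_dir": re.compile(r"%Temp%|\\Temp\\", re.I),
    "dropped_artifact": re.compile(r"\.(lnk|dll|exe|js|hta)\b", re.I),
    "lolbin": re.compile(r"\b(mshta|rundll32)(\.exe)?\b", re.I),
}


def scan_postscript(ps_text: str) -> dict:
    """Report file writes, write-capable operators and path indicators in PostScript."""
    writes = [(path, mode) for path, mode in FILE_OPEN.findall(ps_text) if mode != "r"]
    ops = [op for op in WRITE_OPS if re.search(rf"\b{op}\b", ps_text)]
    indicators = [name for name, rx in INDICATORS.items() if rx.search(ps_text)]
    # A legitimate EPS never needs to open a file for writing; a write plus a
    # startup/temp/LOLBin indicator is the dropper pattern described above.
    if writes and indicators:
        verdict = "malicious"
    elif writes or ops:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"writes": writes, "operators": ops, "indicators": indicators, "verdict": verdict}


# Constructed sample mirroring variant 2: a .lnk in Startup plus a DLL in Temp.
SAMPLE_EPS = r"""%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 100 100
/drop (C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk) (w) file def
drop <4c0000000114020000000000c000000000000046> writehexstring
drop closefile
/pay (C:\\Windows\\Temp\\helper.dll) (w) file def
pay <4d5a9000> writehexstring
pay closefile
showpage
"""

# Constructed benign EPS: draws a line and nothing else.
BENIGN_EPS = r"""%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 100 100
newpath 10 10 moveto 90 90 lineto stroke
showpage
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_EPS), ("benign", BENIGN_EPS)):
        print(label, scan_postscript(text))
```

Two caveats a reviewer should keep in mind: the string regex does not follow nested balanced parentheses, and a sample that assembles its path at runtime with `string`/`put` or `cvx exec` defeats any literal match, so treat a "clean" result on obfuscated code as "unknown". Ghostscript's `-dSAFER` switch, which disables opening files for writing and the `deletefile`/`renamefile` operators, is the interpreter-side counterpart to this check.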

Figure 3. Sample of code in HWP file

One of the samples we received overwrites gswin32c.exe, the PostScript interpreter (Ghostscript) that HWP uses, with a legitimate copy of Calc.exe. Because the interpreter is overwritten, no further embedded PostScript content can execute.

Figure 4. Calculator opened by HWP file

Mitigation and Solutions

Newer versions of the Hangul Word Processor implement EPS correctly, with the 2014 versions and later not being susceptible to this problem. We suggest upgrading to these newer, safer versions.

Trend Micro endpoint solutions such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security all include behavior monitoring that prevents HWP from dropping any PostScript files. We also detect the files associated with this attack as TROJ_HWDOOR.A, TROJ_HWDOOR.B, TROJ_MALEPS.B, and TROJ_HWDOOR.SMZBEH-A.

Indicators of Compromise

The following hashes are associated with this attack:

  • 082651553ee19f87282ea700446a1335f3c9e0d78192097cbbe32ddc8c8f0ff3 (detected as TROJ_HWDOOR.SMZBEH-A)
  • 1a69a862a0fb66af0cfc5dc131e435c3d4677525bf2f2dc3e42d35e68ff4b3a6 (detected as TROJ_HWDOOR.SMZBEH-A)
  • 4996554df0a31e3d06c08657e61efd50b91b617f1c6d85cb8b67620bfd5d232f (detected as TROJ_HWDOOR.SMZBEH-A)
  • 4f1dd7c10adee45f7ff13dbffa328afae26448ff39ba6d9ae91dec611705dede (detected as TROJ_MALEPS.B)
  • 56a686c591ac63cb8398824f74d882d8ebd117717fd65e52a11b26b3ee5d0235 (detected as TROJ_HWDOOR.C)
  • 58febbf2e2f3f2add32a81d91a94ed94c7ce4e37b91e6ea5679617e7d899b8b3 (detected as TROJ_HWDOOR.B)
  • 6b15a7761443f6a9555c0a6cac41de78e71016d803b726abbb4b0489e8cc323f (detected as TROJ_HWDOOR.SMZBEH-A)
  • 7d099411f19b6f7268a482277cd2da32dffd4a7b58ef4371a71f6b6186705436 (detected as TROJ_HWDOOR.SMZBEH-A)
  • 7df47f410fbd58dbbd995558a9be197da91687f9631bcfe5f0bdb042a67fc41d (detected as TROJ_HWDOORPOC.A)
  • 8278cee571bed619ac786898fea1bc03cf67724ebcd8d974c6cbaa942821f93d (detected as TROJ_HWDOOR.SMZBEH-A)
  • 851723d38c11654d881cb0528ac82f38b43d30cac9ed12c12364d8b2a47697cc (detected as TROJ_HWDOOR.B)
  • 85bf524950260471dba454c5d3ec43141556d74d8f6b016784ecfa48e9056f49 (detected as TROJ_HWDOOR.SMZBEH-A)
  • 904bc03090b39b59180b976b2e87580c9404fa0c9ff5135cbcdb68ecf1fe8c08 (detected as TROJ_HWDOOR.SMZBEH-A)
  • d9829e45cc1989617851b1727e9e4aaf19ee24f5e63b46d2cb2160e7b8c8f6e4 (detected as TROJ_HWDOOR.SMZBEH-A)
  • e5adba30f177431f91ef71d322091f6f26298cac36bfbcca9e6a1dcee0beff94 (detected as TROJ_HWDOOR.B)


http://ift.tt/2y7XBtf Source: http://ift.tt/1amucZ5

BankBot Found on Google Play and Targets Ten New UAE Banking Apps


By Kevin Sun

The Android-targeting BankBot malware (all variants detected by Trend Micro as ANDROIDOS_BANKBOT) first surfaced in January 2017 and is reportedly an improved version of unnamed open-source banking malware that was leaked on an underground hacking forum. BankBot is particularly risky because it disguises itself as legitimate banking apps, typically using fake overlay screens that mimic the real banking app to steal user credentials. BankBot can also hijack and intercept SMS messages, which lets it bypass SMS-based two-factor authentication.

Throughout the year, BankBot has been distributed as seemingly benign apps, some of which made their way onto popular app stores. In April and July 2017, BankBot-infected apps posing as entertainment and online banking apps were found on Google Play; more than twenty were identified and exposed during those months.

Recently we found five new BankBot apps, four of which made their way into the Google Play Store disguised as utility apps. Two were removed immediately, while the other two stayed available long enough to be downloaded by a few users; one was downloaded 5,000 to 10,000 times.

This newer BankBot variant targets legitimate apps from banks in 27 countries, and the total number of targeted apps rose from 150 to 160 with the addition of ten United Arab Emirates (UAE) banking apps.

The latest version of BankBot will only work if the device meets three conditions:

  • The running environment is a real device
  • The location of the device is not in Commonwealth of Independent States (CIS) countries
  • An app of a targeted bank is installed on the device

New BankBot details and analysis

When BankBot is installed and running, it checks the package information of the apps installed on the infected device. If one of the targeted bank apps is present, BankBot connects to its C&C server and uploads the target's package name and label. The C&C server responds with a URL from which BankBot downloads a library containing the files used for the overlay web page. This overlay page is displayed on top of the legitimate banking app and used to steal the user's credentials.

After downloading the library from that URL, BankBot unpacks it into its private files directory (/data/data/packagename/files).

Figure 1. BankBot sending list of installed banking apps

Figure 2. C&C response with library URL

The C&C server acknowledges the download with the message "success" only an hour after it happens. The delay could be a strategy to evade antivirus sandboxes, which typically run a sample for far less than an hour, or the server may simply be busy generating fake overlay web pages for the device token.

When the server is ready, or when it finishes preparing the webpages, it will send another URL to BankBot to get fake webpage data.

Figure 3. BankBot downloading overlay webpage

After the web page is downloaded, BankBot monitors the device for the launch of the targeted banking application and displays the overlay on top of the banking app's screen when it runs. The overlay makes victims think they are using their usual banking app, tricking them into entering their credentials on BankBot's fake page.

Figure 4. Sample of BankBot impersonating a legitimate Japanese banking app

BankBot shows unique behavior for UAE targets

When targeting UAE banking apps, this newer variant of BankBot adds a step. Instead of showing the fake overlay page directly, BankBot prompts the user to enter their phone number; the C&C server then sends a PIN code to the victim via Firebase messaging. After entering the PIN, the victim is told to input bank details. BankBot then shows an "error screen" (even if the bank information is correct) and asks for the details again.

Figure 5. Fake Emirates banking app screen

The screens above, step by step:

  • Verification prompt
  • Input phone number
  • Input pin code from C&C
  • Input account credentials
  • Error message
  • Input account details again
  • Usual operations

Apparently, the author of BankBot wants to verify the victims' banking details: the details are requested twice in case the user mistyped them the first time, and BankBot sends the stolen data to the C&C server only after the account information has been entered twice.

Figure 6. BankBot app on Google Play Store

BankBot seems to be widening its reach and experimenting with new techniques—which is a mounting concern because banking apps are growing more ubiquitous. According to a recent study, mobile banking users in the Middle East and Africa will exceed 80 million by 2017, while another report by ArabNet shows that users from UAE have the second highest rate of mobile banking adoption in MENA. As more people adopt this technology, the apps become attractive targets for cybercriminals.

To combat this threat, users should observe proper mobile safety and online account practices. Any device used for banking should also be protected with effective, multilayered security. Users can strengthen their defenses with comprehensive antivirus solutions such as Trend Micro™ Mobile Security for Android™ (available on Google Play), which blocks threats from app stores before they can be installed and damage devices.

Indicators of Compromise

Files with the following hashes are associated with this threat:

  • 4D417C850C114F2791E839D47566500971668C41C47E290C8D7AEFADDC62F84C
  • 6FD52E78902ED225647AFB87EB1E533412505B97A82EAA7CC9BA30BE6E658C0E
  • AE0C7562F50E640B81646B3553EB0A6381DAC66D015BAA0FA95E136D2DC855F7
  • CF46FDC278DC9D29C66E40352340717B841EAF447F4BEDDF33A2A21678B64138
  • DE2367C1DCD67C97FCF085C58C15B9A3311E61C122649A53DEF31FB689E1356F
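The script below is an added example for the two IOC lists on this page (the HWP/PostScript hashes and the BankBot hashes above); it is not code from either post. It parses indicator lines in the form the posts use, a 64-hex SHA-256 optionally followed by "(detected as NAME)", hashes files in streaming fashion so large APKs and HWP archives do not have to fit in memory, and compares case-insensitively, which matters here because one list is lower-case and the other upper-case. The two indicator lines embedded in it are copied from the lists above; the file that demo() hashes is a constructed placeholder, not a real sample.

```python
"""Sweep a directory for files whose SHA-256 matches a published IOC list.
Added example, not code from the original posts. The planted file in demo()
is a constructed placeholder, not malware.
"""
import hashlib
import os
import re
import tempfile

IOC_LINE = re.compile(r"([0-9a-fA-F]{64})(?:\s*\(detected as ([^)]+)\))?")

# Two lines copied from the IOC lists above; the rest of each list parses the same way.
SAMPLE_IOC_LINES = """
  • 082651553ee19f87282ea700446a1335f3c9e0d78192097cbbe32ddc8c8f0ff3 (detected as TROJ_HWDOOR.SMZBEH-A)
  • 4D417C850C114F2791E839D47566500971668C41C47E290C8D7AEFADDC62F84C
"""


def load_iocs(text: str) -> dict:
    """Map lower-case SHA-256 -> detection name ('unknown' when none is given)."""
    iocs = {}
    for digest, name in IOC_LINE.findall(text):
        iocs[digest.lower()] = name.strip() if name else "unknown"
    return iocs


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large archives stay cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: str, iocs: dict) -> list:
    """Return [{'path', 'sha256', 'detection'}] for every file whose digest is an IOC."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: skip it, don't abort the sweep
            if digest in iocs:
                matches.append({"path": path, "sha256": digest, "detection": iocs[digest]})
    return matches


def demo() -> list:
    """Plant one constructed file, register its hash as an IOC, and sweep."""
    iocs = load_iocs(SAMPLE_IOC_LINES)
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "sample.apk")
        with open(planted, "wb") as fh:
            fh.write(b"constructed placeholder, not malware")
        iocs[sha256_file(planted)] = "CONSTRUCTED_TEST_IOC"  # hexdigest is lower-case
        return scan_directory(tmp, iocs)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['detection']}: {hit['path']} ({hit['sha256']})")
```

For Android, point it at an `adb pull`ed copy of /data/app or the APK directory of your MDM's quarantine; for the HWP campaign, at a mail-gateway attachment store. Hash matching only catches the exact files published, so a recompiled or repacked sample slips past it; treat a hit as confirmation, not absence of a hit as a clean bill.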


http://ift.tt/2wZOrii Source: http://ift.tt/1amucZ5