Silobreaker Daily Cyber Digest – 03 October 2019
MasterMana BotNet constructed with cheap tools
- Prevailion researchers discovered that the MasterMana botnet has been actively targeting corporations around the world since December 2018. The malware is delivered via trojanized documents that prompt the target to enable a macro. The malware avoids detection by reaching out to a number of legitimate third-party sites such as Bitly, Blogspot, and Pastebin.
- The payload used in the attack was initially Revenge Rat before changing to Azorult trojan in September 2019. Azorult can steal usernames, passwords, cryptocurrency wallets, and more. The trojan can also upload and download files, take screenshots and more.
- Based on the TTPs used in the operation, the researchers assessed with ‘moderate confidence’ that the attack was the work of the Gorgon Group.
Source (Includes IOCs)
Lax operational security uncovers botnet targeting Russian citizens
- Three security researchers uncovered the Geost botnet which infected over 800,000 victims in Russia. The attackers aimed to deliver a banking trojan to targets by infecting Android devices via fake applications. The botnet also had the ability to directly connect to the top five banks in Russia.
- The botnet was exposed due to the botmasters' use of a malicious proxy network built by the HtBot malware. The researchers were able to capture incoming traffic to the proxy and discovered the C2 communication channel of Geost. The researchers also discovered that Geost members failed to use encrypted communications. Messages between operatives showed technical details of the botnet and ordinary interactions between group members.
Decline in Hqwar activity
- Researchers at Kaspersky observed a decline in Hqwar activity since Q4 2018, most likely due to the tool not being updated regularly, which causes customer outflow. The trojan dropper was first discovered in 2016 and was originally created as a malware-as-a-service infrastructure and it is commonly used for small and large-scale attacks.
- The majority of malware using Hqwar were found to be financial threats, with one third involving the Faketoken trojan family. Other trojans spread via Hqwar include Boogr, Asacub, and Marcher.
- The researchers believe Hqwar, as well as other similar wrappers, are likely to lose their popularity in the future, as their counter-detection mechanisms are no longer necessary.
Source (Includes IOCs)
FTCODE ransomware resurfaces following six-year hiatus
- Certego researchers discovered FTCODE ransomware once again being used to extort victims. The ransomware, which is written in PowerShell, was first spotted by Sophos researchers in 2013.
- FTCODE is delivered to victims via emails which purportedly contain an invoice. The email prompts the target to disable protected view, which triggers a malicious macro and runs the PowerShell script. The script retrieves a variant of JasperLoader, achieves persistence by creating a scheduled task, and checks to ensure that the system has not been attacked by previous versions of the ransomware.
- The ransomware encrypts victims’ files using Rijndael symmetric key encryption and leaves a note on the victim’s system. At present, a flaw in FTCODE allows victims to recover the encryption key by monitoring network files. The researchers stated that the malware is still under active development.
Source (Includes IOCs)
Analysis examines ransomware affiliates and links Sodinokibi code to GandCrab
- McAfee researchers published a series of reports proposing that the actors behind Sodinokibi have links with the developers of GandCrab. Analysis showed a 40 percent code overlap between the two ransomwares.
- The researchers also analysed the affiliate model used to distribute GandCrab and Sodinokibi. In both models the malware is offered as Ransomware-as-a-Service (RaaS) and the affiliates spread the ransomware and share the profits with developers. By tracking ID numbers the researchers found that certain affiliates worked with GandCrab operators for extended periods of time and distributed several versions of the malware.
- Monitoring underground forums and tracking a change in distribution methods led the researchers to hypothesize that some GandCrab affiliates have begun distributing Sodinokibi.
Rancor group targets Southeast Asian governments
- Check Point researchers discovered that the Rancor threat group conducted a seven-month-long spear-phishing campaign against the governments of Southeast Asian states. The group, which has been active since 2017, posed as government officials and delivered emails with documents on government-related topics.
- The attachments were either RTF, DOC or XLS files and contained a macro or exploitable vulnerability. The documents then dropped second stage payloads before connecting with the attacker’s C2 to drop a final stage payload. In total the researchers saw 8 major TTP variants, which were employed in various combinations.
- The researchers suspect Rancor to be a Chinese threat actor, as the C2 was only available during typical working hours in East Asia, the 8.t RTF exploit building kit used in the campaign has previously been seen adopted by Chinese actors, and some document metadata contained Chinese-language text.
Source (Includes IOCs)
Old ransomware potentially re-used in new campaign
- Security researcher Xavier Mertens came across ransomware that appears to be re-using code from the open source Hidden Tear ransomware. The email used to spread the malware is said to be poorly designed, with no spoofing of the email address.
- After infection, the threat actors ask the victims for 50 Bitcoins to decrypt their files, whilst the ransomware also scanned for SMB services on random IP addresses, most likely to look for hosts vulnerable to EternalBlue.
Source (Includes IOCs)
Three APT campaigns observed leveraging zero-days in niche software
- Researchers at JPCERT observed three separate campaigns using the same techniques, targeting Japanese government agencies, education organisations, and other Japanese users to steal data. The most recent activity was observed in April 2019. The campaigns involve threat actors leveraging the zero-day vulnerabilities CVE-2014-0810, CVE-2014-7247 and CVE-2016-7836 found in Japanese products.
- The first, found in Sanshiro, was exploited by APT17 to deliver PlugX RAT, whereas the second vulnerability, found in Ichitaro, was exploited in a multi-year campaign, dubbed Blue Termite, that started in 2014 and also delivered PlugX, as well as the two bots Emdivi and Agtid.
- The third flaw is in SkySea Client View and was exploited in a campaign that started in 2016 and continued until 2019 and involved NodeRAT. The researchers believe Bronze Butler to be behind this campaign.
Silent Starling group performs vendor email compromise attacks
- Agari researchers discovered a highly active criminal group, dubbed Silent Starling, committing a scam that they named vendor email compromise (VEC). The group, which is composed of three main threat actors, compromises the email accounts of suppliers and vendors by acquiring employees' passwords through phishing attacks.
- Following the compromise, the attackers set up a forwarding rule to receive copies of all emails. Silent Starling will monitor incoming emails for months, before they ask the vendor’s customer for a payment. At this point the group alters the payment details to ensure that the customer deposits money into their account.
- The group has compromised more than 700 employee email accounts across 500 companies. The majority of target organisations are in the US, Canada, and the UK. The researchers stated that they believe VEC will pose the biggest threat to organisations in the next 12-18 months.
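The forwarding rule described above is the part of a VEC intrusion that leaves a durable trace in mailbox audit logs. The following is an added example (not from the digest or Agari's report) that flags newly created inbox rules which copy mail to an address outside the organisation; the audit records and their field names are constructed, simplified stand-ins and not a real product's log schema.

```python
"""Flag inbox rules that forward a copy of mail to an external address,
the persistence step attributed to Silent Starling in the digest above.
Record format and field names are assumptions for this example."""
import json

# Domains the organisation owns (assumed value for the example).
INTERNAL_DOMAINS = {"example-vendor.com"}

# Constructed audit events, one rule-creation record per line.
AUDIT_LOG = """
{"ts": "2019-09-03T08:12:44Z", "user": "ap@example-vendor.com", "action": "InboxRuleCreated", "rule": "Sync", "forward_to": ["archive@example-vendor.com"], "delete_after": false}
{"ts": "2019-09-03T23:51:02Z", "user": "ap@example-vendor.com", "action": "InboxRuleCreated", "rule": ".", "forward_to": ["ap.backup@mail-relay.example"], "delete_after": true}
{"ts": "2019-09-04T09:02:10Z", "user": "ceo@example-vendor.com", "action": "InboxRuleCreated", "rule": "Newsletters", "forward_to": [], "delete_after": false}
"""


def is_external(address: str) -> bool:
    """True when the address's domain is not one the organisation owns."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def suspicious_forwarding_rules(log_text: str) -> list:
    """Return one finding per rule-creation event that forwards externally.

    Each finding records who created the rule, when, the external
    recipients, and the reasons it was flagged."""
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event.get("action") != "InboxRuleCreated":
            continue
        external = [a for a in event.get("forward_to", []) if is_external(a)]
        if not external:
            continue  # internal-only forwarding is routine
        reasons = ["forwards to external address"]
        if event.get("delete_after"):
            reasons.append("deletes message after forwarding")  # hides the copy from the owner
        if len(event.get("rule", "").strip()) <= 1:
            reasons.append("near-empty rule name")  # rule is easy to overlook in the client
        findings.append({"user": event["user"], "ts": event["ts"],
                         "external": external, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_forwarding_rules(AUDIT_LOG):
        print(finding)
```

Feeding the real audit export of the mail platform through the same check, with its own field names mapped in, turns the months-long quiet monitoring phase into a single alertable event.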
Leaks and Breaches
American Express employee investigated for accessing card holder information
- On September 30th, 2019, American Express began notifying potentially impacted customers of a data breach incident caused by a former employee. The notification states that the employee accessed American Express Card accounts in order to potentially open accounts at other financial institutions.
- Exposed information included names, addresses, Social Security numbers, credit card numbers, and more. American Express informed BleepingComputer that the employee has been terminated and is under criminal investigation.
Zendesk reports 2016 security incident
- On October 2nd, 2019, Zendesk issued a statement informing customers that an unauthorised party accessed approximately 10,000 Zendesk Support and Chat accounts. Impacted parties had accounts that were activated before November 1st, 2016.
- Exposed information included email addresses, names and phone numbers of agents and end users, and hashed and salted passwords of agents and end users. A subset of approximately 700 customers had TLS encryption keys exposed, as well as configuration settings of private apps or apps installed from the Zendesk app marketplace.
Double-free vulnerability discovered in WhatsApp for Android
- Security researcher ‘Awakened’ found a double-free vulnerability in the GIF preview generation of the Android version of WhatsApp. The flaw could be exploited for remote code execution.
- The vulnerability, tracked as CVE-2019-11932, affects Android 8.1 and 9.0. In older versions, the double-free could be triggered, however, no remote code execution is possible as the triggering crashes the app. A patch was released with WhatsApp version 2.19.244 and users are advised to update.
Source (Includes IOCs)
Cisco issues security advisories for multiple vulnerabilities
- Two vulnerabilities, tracked as CVE-2019-12697 and CVE-2019-12696, were found in the Cisco Firepower System Software Detection Engine, which could allow a remote attacker to bypass configured Malware and File Policies for RTF and RAR files. The flaws also affect Cisco’s Snort project. A list of affected products can be found in the advisory.
- A flaw in the file and malware inspection feature of Cisco Firepower Management Center was also discovered. The bug, tracked as CVE-2019-12701, could be exploited by sending a crafted HTTP request through an affected device, which could allow an attacker to bypass the file and malware inspection policies.
- Patches have been released for all vulnerabilities.
Bulletproof hosting provider used for DDoS attacks taken down by Dutch police
- On October 1st, 2019, the Dutch police seized servers at the bulletproof hosting provider KV Solutions BV. The company was active for two years, during which it provided hosting infrastructure for various threat actors to engage in criminal activities, including phishing campaigns, crypto-mining operations and hosting malware repositories.
- KV Solutions BV was best known for hosting botnets built with a variety of IoT malware, including Fbot, Gafgyt, Hakai, Handymanny, Mirai, Moobot, Tsunami, Yowai. According to Bad Packets, the majority of malware hosted was used for DDoS attacks, meaning they also hosted the botnets’ C2 servers.
- Marco B and Angelo K, believed to be the founders of the company, were arrested during the raids. ZDNet suspects further arrests of botnet operators and malware authors will follow, as this is often the case in bulletproof hosting provider seizures.
FBI investigates 2018 attempted mid-term elections hacking
- The FBI is currently investigating a hacking attempt of West Virginia citizens’ votes during the 2018 mid-term elections. An unknown hacker is said to have tried to gain access to Voatz, the voting system that is used by US military service members that are stationed abroad. The voting system was used in a pilot programme during the 2018 mid-term elections, during which multiple hacking attempts are said to have taken place.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.