
RSA NetWitness Platform

43 Posts authored by: Ahmed Sonbol Employee

Malspam activity was observed on February 11th delivering a Keybase variant. The keylogger was first reported by security researchers at Palo Alto Networks in 2015. FirstWatch previously blogged about how to detect it using RSA NetWitness.

 

The delivery document is crafted to exploit CVE-2017-8759 in Microsoft Office. CVE-2017-8759 is a SOAP WSDL parser code injection vulnerability. FirstWatch dug deeper into that vulnerability in a previous threat advisory.

 

Upon opening the RTF document with an un-patched Microsoft Word, the user is presented with an empty page:

 

 

In the background there is an HTTP request over SSL to a[.]pomfe[.]co:

Next comes the request to retrieve an HTA script from bahyt-krim[.]ru:

Then an executable, ziraat_bobby.exe, a Keybase variant, is downloaded from the same domain:

Once the download is complete, the binary executes and it starts to exfiltrate data in the query strings of successive HTTP GET requests to ziraat-helpdesk[.]com:

Post-infection HTTP sessions were tagged with the value keybase malware in NetWitness Packets:

 

 

Here is the analysis report from hybrid-analysis.com

 

It is worth mentioning that the delivery domain bahyt-krim[.]ru has been active over the past couple of days:

 

 

Delivery document (SHA256):

  • 4487cb74d5524d57eb0859bdda34fd9ba7f426fd0867e8826ac2e8c787052848

 

ziraat_bobby.exe (SHA256):

  • df48d1ef1d11b4b5bbc92f52de489935ffb9e36ff226b9ac0a7f5c899b9f1db1

 

Malspam activity was observed on February 13th delivering a variant of ISR password stealer. ISR was reportedly used in spear phishing attacks against food and machine industries. In this blog post we will discuss the network activity using RSA NetWitness Packets.

 

The delivery document Payment receipt.doc is crafted to exploit CVE-2017-11882. You can learn more about the vulnerability in this FirstWatch threat advisory.

 

 

Opening the malicious document with an un-patched Microsoft Word application led to the following network activity:

Once 99v.exe executes on the victim machine, it starts to communicate with what looks to be a compromised WordPress website, transeagleperu[.]com:

 

 

Since the User-Agent string used in this session is common to ISR variants, the session was tagged with the value known bad ua credentialleak under the Indicators of Compromise meta key:

 

 

It is worth mentioning that the delivery domain menorasarainc[.]info has been active over the past week:

 

 

Payment receipt.doc (SHA256):

  • 383521ecc7aa09050e82498e10c756c866b0ce47702d77c6a5a4a7da98517146

 

99v.exe (SHA256):

  • 29eb49ad843aa992abff873d9b611a62248b2b8b4fbfa900bb7712f6aa6cda65

 

All the IOCs from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’

 

Malspam was observed on February 7th 2017 delivering GandCrab ransomware. GandCrab is a new ransomware family that was first reported in late January. This is the first time it has been seen distributed via a malspam campaign [1].

 

This screenshot from myonlinesecurity.co.uk shows an example of the e-mails used in the campaign [2]. They come with PDF attachments and a little bit of social engineering. If the user opens the attachment, it downloads a Word document; opening the Word document in turn downloads the ransomware payload.

 

 

A similar infection chain has been used lately to deliver the Dridex banking trojan. RSA FirstWatch previously blogged on the resurgence of Dridex.

 

Scan-image001_070218.jpg is an example of one of those downloaded Word documents:

 

 

Submitting it to RSA pre-release What's This File service gives more information about its maliciousness:

The embedded code suggests that the actors are only targeting 64-bit Windows machines.

 

Upon opening the document with Microsoft Word on a 64-bit machine, an HTTP GET request is issued to sorinnohoun[.]com to retrieve a script:

It is a well-documented and publicly available script. It can reflectively load a DLL/EXE into a powershell process or it can reflectively load a DLL into a remote process. In this case, sct5 is being used to load the GandCrab ransomware into the powershell process:

Next, the malware connects to its C2 domain nomoreransom[.]coin to get the victim machine IP address:

This is followed by POST requests to the same domain with encoded/encrypted data:

On the host side, you can start seeing the files being encrypted. The ransomware adds gdcb extension to an encrypted file:

 

 

It drops a note in each directory with the instructions on how to pay the ransom and recover the files:

As of this writing, the actors are asking for 2.6 Dash coins to buy GandCrab decryptor in order to recover the files on this particular victim machine. If not paid in time, the ransom they are asking for simply doubles. 

 

 

Here is a recap of the network activity:

 

 

All the IOCs from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’

 

Feb-9523713.pdf (SHA256):

  • 3aabca6aa74d4499e07d8828be981e65d421603895dd8450a15b49f1113517ff

 

Scan-image001_070218.jpg (SHA256):

  • 8f9e12851b92fcc74f9c9ab6181aa3fd49eabcf789608f9986cb136141033213

 

sct (SHA256):

  • 6960a00da0069a5b1aa7e213962a65abe3b148ddb7ac508cda0f8f8492ef7eaf

 

References:

  1.  GandCrab Ransomware: Now Coming From Malspam - SANS Internet Storm Center 
  2. https://myonlinesecurity.co.uk/fake-receipt-malspam-delivers-gandcrab-ransomware-via-pdf-dropping-macro-dropping-exploit… 

Ahmed Sonbol

A New Hancitor Campaign

Posted by Ahmed Sonbol Employee Jan 25, 2018

This week RSA FirstWatch observed a new malspam campaign delivering Hancitor malware.  Hancitor is a downloader that was used by adversaries to deliver various malware families such as Pony and Zeus Panda Banker.  Contrary to previous malspam campaigns that used VBA macros to deliver Hancitor, this one is exploiting CVE-2017-11882 in malicious RTF documents.

 

Invoice_304550.doc and fax_645751.doc are two examples of the RTF documents used in this campaign.  Opening them with an un-patched instance of Microsoft Word leaves a user with a blank page. However, a lot of activity is happening in the background.

 

 

First, a suspicious HTTP GET request retrieves "1", a script containing our Hancitor payload as a Base64 encoded blob along with the necessary commands to decode and start it as a new process.

 

 

Looking at the HTTP GET, many of the headers normally present in a browser request are curiously absent.

  

 

NetWitness Packets flags suspicious meta data (e.g., the file.analysis and service.analysis tags shown below).

 


  

Next, there is a request to a service to identify the IP address of the victim machine:

  

  

Then, it checks in with a C2 domain (undronride[.]ru), sending the host information via an HTTP POST request. The directory and filename used in the request reflect the telltale 'ls5/forum.php' characteristics of Hancitor.

 

 

It is worth noting that the C2 domain, undronride[.]ru, was registered just seven days ago and has surprisingly little registration information.

 

 

A second C2 callback to the CNOBIN-registered littarhapone[.]com was also generated by the malware. 

 

 

The following screenshot shows the meta populated by NetWitness Packets for these C2 check-in sessions:

 

 

In both cases, there were no binaries downloaded after the check-in. However, this SANS blog post discusses some of the additional payloads delivered by this Hancitor campaign.

 

 

All the IOCs from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’

 

Delivery documents (SHA256):

  • b489ca02dcea8dc7d5420908ad5d58f99a6fef160721dcecfd512095f2163f7a
  • 6dcbf652b96a7aea16d0c2e72186173d9345f722c9592e62820bcfe477b2b297

Malspam was observed on January 12th 2018 delivering Ursnif (AKA Gozi). Ursnif is a Banking Trojan that was discovered in 2007. Originally it was targeting banking wire systems in English speaking countries. In the past decade, its list of target countries expanded and its capabilities evolved. In addition to stealing banking credentials, Ursnif can now collect user credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites [1]. 

 

In October 2017, security researchers took notice of a new Ursnif spam campaign [2]. The actors behind this campaign developed their macros to run when the document is closed. Sandbox technologies might miss this behavior and it could prove to be a simple yet effective evasion technique.

 

Let's take this delivery document as an example. Submitting it to RSA pre-release What's This File service shows the embedded VBA code including its AutoClose function:

On NetWitness Packets, first there is a DNS request to what looks like a DGA delivery domain. Notice the large number of answers in the DNS response:

 

 

Next, an HTTP GET request to retrieve a script from the domain:

Here is a better look at the downloaded script:

 

 

The script reaches out to the same domain in order to download an executable. Notice the use of the PFX file extension and the absence of many headers in the HTTP GET request:

VirusTotal scan results indicate that the binary is an Ursnif variant.

 

Once the download is complete and the malware is executed, it checks in with the same domain:

Here is a recap of the network activity:

 

 

More information about the recent Ursnif variants can be found in this Malware Breakdown blog post.

 

Delivery document (SHA256):

  • a0a946868e2a067fc2144f19faa161b586c85fe57413633525e8e8bd5e2f48d6

 

Ursnif binary (SHA256):

  • eee6bd38c0e6498fadc466d5a1b635271b63c4235a3b271a9e15d5896c5a045a

 

All the IOCs from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’

 

References:

  1. https://threatpost.com/ursnif-banking-trojan-spreading-in-japan/128643/ 
  2. https://blog.trendmicro.com/trendlabs-security-intelligence/new-malicious-macro-evasion-tactics-exposed-ursnif-spam-mail… 

Malspam activity was observed on January 7th 2018 delivering a new variant of BITTER Remote Access Tool (RAT), which has been previously reported by Forcepoint in nation-state campaigns against Pakistani targets.  In this blog post, FirstWatch discusses observed malicious activity from the perspective of the RSA NetWitness suite.

 

The delivery document (NamesOfMaldiviansReturning-1.doc) tries to exploit CVE-2017-11882 in order to deliver the BITTER RAT to a victim machine. CVE-2017-11882 is a vulnerability in the Microsoft Office suite that was disclosed in November 2017 and has an available patch for affected products. You can read more about this vulnerability in a past FirstWatch threat advisory.

 

Upon opening the malicious document with an un-patched Microsoft Word application, an HTTP GET request was observed downloading an executable file from the delivery domain hartraders[.]com, which is hosted on a Namecheap server at 104.219.248[.]10.

VirusTotal scan results and a Hybrid-Analysis report of the payload, 'wp-sig.exe', are available, but also observe below the suspicious scoring of this file as evaluated during execution by NetWitness Endpoint (NWE).  

 

  

Upon execution, the malware also spawns a second process, 'ctfmers.exe', which is responsible for checking in with a C2 server.  This process is also flagged as potentially malicious by NWE.

Similar network behavior was previously observed in a November 2017 BITTER campaign with the execution of another delivery document (yyyyyyy.doc). While the malspam document from this earlier campaign was crafted to exploit the older CVE-2012-0158, it attempted to download its payload from zmwardrobe[.]com, which is hosted on the same Namecheap server as the current campaign, 104.219.248[.]10.

  

 

The payload from the November 2017 campaign was an earlier BITTER variant, 'ctf.exe' as shown below.

  

 

Post infection, we also observed similar C2 callbacks from this earlier BITTER variant.

 

 

That's not the only C2 similarity across historical BITTER campaigns, though: the new variant's C2 communication also shares characteristics with much older variants. For example, the following screenshot shows the C2 check-in for a binary first submitted to VirusTotal in January 2016:

 

 

More information about older BITTER variants can be found in this blog post from RSA FirstWatch.

 

Delivery documents (SHA256):

  • 9292764ce4a84b29f2ca4598def80239dfd079451c113a45f2569d9ea220fac3
  • d128bdcedecee0fbc8ec440a3edd3fe624cfd9a6c0ed298fe7c26f0c86f21618

 

BITTER binaries (SHA256):

  • ffe1528eea078bde8336ab96a574a5401ff2c0403bbefda96a34e5cce4ae6385
  • 131c53a3612c933e747897573a5f79db9f61895b404f69efea8c1c87262da4fe

 

All the IOCs from those HTTP sessions were added to RSA FirstWatch APT Threat Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘apt’
  • threat.description = ‘bitter’

 

Thanks go to Kent Backman and Kevin Stear for contributing to this threat advisory.

 

References:

  1. BITTER: A Targeted Attack Against Pakistan | Forcepoint 

 

Malspam activity was observed on January 8th 2018 delivering FormBook malware. FormBook is a data stealer and form grabber available on various hacking forums since early 2016. Its capabilities include clipboard monitoring, keyboard logging, taking screenshots, grabbing form data and collecting passwords from browsers and email clients. More information about the malware can be found in this blog post by FireEye security researchers.

 

The delivery document Tax Reform.doc uses macros to deliver the payload to a victim machine.

 

 

The following screenshots show the results of scanning the document using RSA pre-release What's This File service, including signs of an auto-launch script.

Upon enabling the macro, the code runs and a binary is downloaded to the victim machine. Notice the absence of typical headers in the HTTP GET request and the use of a unique User-Agent string.

VirusTotal scan results can be found here. Analysis report from hybrid-analysis.com suggests it is a FormBook variant.

 

Upon execution of the binary, it checks in with a list of C2 servers. 

After checking in, the malware posts data to the server in an encoded/encrypted format.

Delivery document Tax Reform.doc (SHA256):

  • 9441d7811e869d50e7c340c622a57c14004682573ff6d5d43fca4d0be6aca102

 

FormBook binary bin.exe (SHA256):

  • 391971ca3923a45997633275249dcd5bedf2b11f165646671e4359afa3fec4b4

 

Last month, security researchers at Embedi disclosed a new vulnerability in the Microsoft Office suite. CVE-2017-11882 resides in the Microsoft Equation Editor, a tool that lets users insert and edit mathematical equations inside Office documents [1]. If exploited, the vulnerability allows the attacker to run arbitrary code in the context of the current user. Microsoft issued a patch to address the vulnerability in the affected products [2][3]. It did not take long before malspam campaigns started leveraging CVE-2017-11882 to deliver their final payload, as discussed in this blog post by Fortinet.

 

One of those delivery documents is PI-5460-DPC.doc. In this threat advisory we will go over the host and network behavior using NetWitness Packets and NetWitness Endpoint.

 

Upon opening the document in a vulnerable version of Microsoft Word, the vulnerability is exploited and an instance of the vulnerable Equation Editor (eqnedt32.exe) is created by svchost.exe:

 

 

That is followed by a GET request to retrieve a JavaScript script:


 

 

eqnedt32.exe calls mshta.exe to execute the downloaded script:

 

 

When mshta.exe runs, it calls cmd.exe to write a script (A6p.vbs) to the infected machine. wscript.exe runs the newly created script which has the instructions to download the final payload:

The downloaded binary is executed and it starts to communicate with its command and control server:

The post infection traffic is characteristic of dyzap malware (also known as Lokibot). RSA FirstWatch blogged twice about its activity here and here.

 

Here is a recap of the network activity:

 

 

And here is a recap of the host activity:

 

 

Thanks to Kent Backman and Justin Lamarre for contributing to this threat advisory.

 

PI-5460-DPC.doc (SHA256):

  • 3917474eb4b2dd52aad96b76228304b692031180a55f59346808e797ea332305

 

fafa.exe (SHA256):

  • 1c71868cf97ee2f713d1a445f650d7a829c80e49c529be5bffb3091a3059ff23

 

References:

  1. http://www.securityweek.com/microsoft-patches-17-year-old-vulnerability-office 
  2. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882 
  3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882 

 

Malspam activity was observed on November 28th delivering a variant of the Slingup backdoor. In this blog post, we will go over the network activity in RSA NetWitness Packets.

 

Submitting the delivery document (purchase order.doc) to RSA pre-release What's This File service scores the maximum threat score:

 

 

The embedded obfuscated VBA code launches upon opening the document:

The VBA code launches powershell to download an executable from a delivery domain:

According to VirusTotal scan results, the downloaded binary is a Slingup backdoor variant. Microsoft Windows Defender Security Intelligence has more information on the malware here.

 

When the malware runs on the infected system, it looks to be reaching out to the delivery domain to download more plugins. While the filename varies from one GET request to another, the directory remains the same: /Panel/plugins/

 

 

The server responds with obfuscated payloads as shown below:

  • purchase order.doc (SHA256):
    959b1063120cacfe108b862d15ec8b6f5c5ecba6c054b982231381bd4afae255

  • loader.exe (SHA256):
    e96880f7008175c573da79964cc1589e46b5080356a55b934e9a013f1828cb96

 

All the IOCs from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’

 

For years, threat actors have been relying on DLL side-loading to load their malicious code into the address space of legitimate applications. PlugX is probably the most prominent example, but there are other malware families [1]. There is a certain order that Microsoft Windows follows in order to find a DLL required by an application [2]. If SafeDLLSearchMode is disabled, the current directory comes before other typical directories, such as the System directory or the Windows directory, in the search order for a DLL. By dropping their malicious DLL in the same directory as a trusted application, malware authors have a chance to blend in and evade analysis.

 

TeamSpy leverages the DLL side-loading technique to load its malicious payload into the memory space of TeamViewer, a popular remote desktop application [3]. Avast has a detailed explanation of TeamSpy and its capabilities [4]. In this blog post, we will go over a recent malspam activity delivering TeamSpy to victim machines and will discuss how the activity looks in NetWitness Packets.

 

Submitting the delivery document NEW_price.xlsm to RSA pre-release What's This File service scores the maximum threat score:

 

 

The malicious spreadsheet has an auto-launch script to download a payload from a delivery domain:

 

 

When the victim enables the embedded macro, the download activity begins:

Here is the meta registered by NetWitness Packets for the download session:

 

 

Here is a list of files downloaded to the victim machine (all downloaded to the C:\ directory):

 

| Filename | MD5 | Notes |
|---|---|---|
| tv_64.dll | dcd8cda46bb20ff09c8c8be8be2f3098 | Helper library for TeamViewer performance optimization and QuickConnect (64 bit) |
| tv_64.exe | e0331b54a56e7aa48f97b4956bcef769 | Helper process for TeamViewer performance optimization and QuickConnect (64 bit) |
| tvr.cfg | 71488723b5b71651ab164989535bceed | Obfuscated configuration file for TeamSpy spyware |
| TV.exe | 75c738b78021eec28f7a9eeaade02cfe | TeamViewer Remote Control Application |
| avicap32.dll | be03a49d09f85bc7b977574bcef5a4f1 | Malicious DLL |
| avicap32.exp | a394b34ce831a37ca007c00576b0a5ba | |
| avicap32.lib | 46af858202494af4cf568facc9d4914e | |
| TeamViewer_Desktop.exe | 301d4c233bb1297d600ceb05a0ebbc33 | TeamViewer Remote Control Application |
| TeamViewer_Resource_en.dll | 1ead0b5a632b2d60414b5a1daa4905f3 | TeamViewer resources |
| tv_32.dll | d1cae98656bc6703e21f4580b8830dfc | Helper library for TeamViewer performance optimization and QuickConnect |
| tv_32.exe | 7d90bdf0f9c2d9224d8b4d5d2f195506 | Helper process for TeamViewer performance optimization and QuickConnect |

 

By dropping the malicious DLL in the same directory as the legitimate application, TeamSpy has a chance to load successfully and to run its payload. It uses a password to de-obfuscate the configuration file at run time in order to start communicating with its C2 server, which in this case is the same as the delivery domain:

 

Avast has a full list of those parameters in the query strings above [4], but here is some information:

  • id: ID of the infected machine
  • tout: timeout
  • osbt: 32bit/64bit
  • osv: OS version
  • osbd: OS build version
  • uname: user name
  • cname: computer name
  • tvrv: teamviewer version
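
To make the search-order point concrete, here is an added Python example (written for this post; it is not RSA's, TeamSpy's or Microsoft's code) that lists the directories Windows consults in both SafeDllSearchMode states and then checks the file names from the table above for DLLs that would shadow a system DLL. The directory placeholders and the short SYSTEM_DLLS baseline are assumptions for the example; the file names come from the post's listing.

```python
"""Added example, not code from the RSA FirstWatch post or from TeamSpy:
models the Windows DLL search order discussed above and flags, in a list of
files dropped beside a trusted executable, the DLLs that would shadow a
system DLL. Directory placeholders and the SYSTEM_DLLS baseline are
assumptions for the example; the file names come from the post's table."""
from typing import Dict, List

APP_DIR = "<application directory>"
CURRENT_DIR = "<current working directory>"
SYSTEM_DIRS = ["C:\\Windows\\System32", "C:\\Windows\\System", "C:\\Windows"]
PATH_DIRS = "<directories listed in PATH>"


def dll_search_order(safe_dll_search_mode: bool) -> List[str]:
    """Order in which Windows looks for a DLL loaded by name (no full path,
    not a KnownDLL, not already in the process), per Microsoft's
    Dynamic-Link Library Search Order documentation."""
    if safe_dll_search_mode:
        # Default: the current directory is only searched after the system dirs.
        return [APP_DIR, *SYSTEM_DIRS, CURRENT_DIR, PATH_DIRS]
    # SafeDllSearchMode disabled: the current directory moves up to second
    # place, ahead of the System and Windows directories.
    return [APP_DIR, CURRENT_DIR, *SYSTEM_DIRS, PATH_DIRS]


# DLLs a trusted application normally resolves from the System directory.
# Constructed, deliberately short baseline; a real check would be built from
# a clean reference host.
SYSTEM_DLLS = {"avicap32.dll", "version.dll", "dwmapi.dll", "cryptbase.dll"}


def side_loading_candidates(dropped: List[Dict[str, str]]) -> List[str]:
    """Names of dropped DLLs that shadow a system DLL. The application
    directory is searched first in both modes, so a copy sitting next to the
    EXE wins regardless of SafeDllSearchMode."""
    names = {d["name"].lower() for d in dropped}
    if not any(n.endswith(".exe") for n in names):
        return []  # no host executable dropped, nothing to side-load into
    return sorted(n for n in names if n.endswith(".dll") and n in SYSTEM_DLLS)


# File names from the post's table of files downloaded to C:\ (MD5s omitted).
TEAMSPY_DROP = [{"name": n} for n in (
    "tv_64.dll", "tv_64.exe", "tvr.cfg", "TV.exe", "avicap32.dll",
    "avicap32.exp", "avicap32.lib", "TeamViewer_Desktop.exe",
    "TeamViewer_Resource_en.dll", "tv_32.dll", "tv_32.exe",
)]

if __name__ == "__main__":
    for mode in (True, False):
        print("SafeDllSearchMode", "on " if mode else "off", dll_search_order(mode))
    print("side-loading candidates:", side_loading_candidates(TEAMSPY_DROP))
```

On the TeamSpy drop, the only hit is avicap32.dll, which is exactly the file the table marks as the malicious DLL; the legitimate tv_32.dll/tv_64.dll helpers are not flagged because they ship with TeamViewer rather than shadowing a System32 name.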

 

Here is the meta registered by NetWitness Packets for the C2 communication:

 

 

Delivery document (SHA256):

  • 00048ea8873518a5a17ddea0cfee0f1103bf56c07b89b287c6aa60e082d75f99

 

All the IOCs from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’

 

References:

  1. DLL Side-Loading - enterprise 
  2. Dynamic-Link Library Search Order (Windows) 
  3. https://www.teamviewer.us/products/teamviewer/ 
  4. A deeper look into malware abusing TeamViewer 

Yesterday news emerged about a new ransomware outbreak dubbed Bad Rabbit. The new ransomware has some similarities to the Petya/NotPetya ransomware attack that took the world by storm last summer. Both ransomware families encrypt the entire disk. As of now, it appears that most reported victims are in Eastern Europe, with some reports suggesting that victims were also detected in the United States. While US-CERT issued a notice that it is aware of the attacks, it has no specific information on US victims.

 

The Bad Rabbit binary is currently being delivered to victims as a fake Adobe Flash update (SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da) through compromised websites, and one particular delivery domain, 1dnscontrol[.]com, has been identified in numerous industry reports. Researchers at Cisco Talos demonstrated how Bad Rabbit victims were redirected to this delivery domain via compromised websites.

 

First, there was a POST request to 185.149.120[.]3/scholargoogle to collect some information such as user agent, referring site, cookie and domain name of the session.  Next, the ransomware dropper was delivered via two paths:

  • 1dnscontrol[.]com/index.php
  • 1dnscontrol[.]com/flash_install.php

 

At this time, it appears that the delivery domain is no longer active; however, both the IP and domain have been placed into FirstWatch C2 feeds available in RSA Live with the following meta tags:

  • threat.category = "ransomware"
  • threat.desc = "badrabbit"

 

Executing the malware on a 32-bit Windows machine dropped the following files on the system (names of the dropped files might vary from one system to another):

 

| File Path | SHA256 | Notes |
|---|---|---|
| C:\Windows\cscc.dat | 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806 | diskcryptor driver |
| C:\Windows\infpub.dat | 14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958 | |
| C:\Windows\dispci.exe | 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 | diskcryptor client |
| C:\Windows\740.tmp | a81b01737a22b8dae8f3e4fe3693c2f56eae0c6e24670146d91832ba6b76c82f | |

 

Executing the malware on a 64-bit Windows machine dropped the following files:

 

| File Path | SHA256 | Notes |
|---|---|---|
| C:\Windows\cscc.dat | 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 | diskcryptor driver |
| C:\Windows\infpub.dat | 14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958 | |
| C:\Windows\dispci.exe | 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 | diskcryptor client |
| C:\Windows\CE27.tmp | fdef2f6da8c5e8002fa5822e8e4fea278fba66c22df9e13b61c8a95c2f9d585f | |

 

Here is a process tree after running the dropper:

 

 

The malware creates two scheduled tasks to perform the following:

  • A scheduled task to run the open source utility DiskCryptor to encrypt the entire disk.
  • A scheduled task to reboot the system at a certain time.

 
Strings embedded in the unpacked DLL suggest that the malware also targets a certain list of files for encryption:

  • .3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
  • Note: It remains unclear why the malware has a list of target file extensions, while its behavior encrypts the whole disk.

  

The malware also drops mimikatz-like binaries to harvest credentials.  Communication between those binaries and the malware is done through a named pipe as shown in the process tree above. 

 

In addition to the stealers, the malware comes embedded with a list of default usernames and passwords. These credentials are used by the malware to try to log in to other systems via SMB and infect them. It should be noted that BadRabbit does not currently use the EternalBlue vulnerability for lateral movement; instead this is basic scanning and login attempts for the following shares:

  • admin
  • atsvc
  • browser
  • eventlog
  • lsarpc
  • netlogon
  • ntsvcs
  • spoolss
  • samr
  • srvsvc
  • scerpc
  • svcctl
  • wkssvc

If a login attempt is successful, 'infpub.dat' is dropped into the Windows directory and executed via SCManager and rundll.exe.

 

In its final stages, Bad Rabbit executes a system reboot, after which the victim is presented with a ransom note:

 

 

The helpful message on caforssztxqzf2nm[.]onion notifies victims of a 0.05 Bitcoin ransom, with a message suggesting that the price will go up after some 10+ hours.

  

 

Microsoft recently released a threat bulletin on Bad Rabbit [6]. It has the following instructions to stop the system from rebooting (thus stopping it from encrypting the disk):

  • Check event logs for the following IDs: 1102 and 106.
  • Event 1102 indicates that the audit log has been cleared, so previous activities can’t be seen.
  • Event 106 indicates that scheduled tasks "drogon" and "Rhaegel" have been registered (these are ransomware wipers).
  • If events 1102 and 106 are present, issue a shutdown -a to prevent a reboot.
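
As an added example (not Microsoft's or RSA's code), the following Python function applies the bulletin's rule to event records exported as XML, the layout Get-WinEvent's ToXml() returns: it reports whether Security event 1102 and a Task Scheduler event 106 for the "drogon" or "Rhaegel" task are both present, which is the condition under which the bulletin says to run shutdown -a. The three records are constructed; only the event IDs, provider names and task names are taken from the post and the Windows event schema.

```python
"""Added example, not code from the RSA FirstWatch post or from Microsoft:
applies the triage rule above (Security event 1102 plus Task Scheduler
event 106 registering the "drogon"/"Rhaegel" tasks) to Windows event records
rendered as XML. The records below are constructed; only the event IDs,
provider names and task names come from the post."""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WIPER_TASKS = {"drogon", "rhaegel"}      # compared case-insensitively


def event_id(root: ET.Element) -> int:
    return int(root.find("e:System/e:EventID", NS).text)


def provider(root: ET.Element) -> str:
    return root.find("e:System/e:Provider", NS).get("Name", "")


def task_name(root: ET.Element) -> Optional[str]:
    """TaskName from a Task Scheduler 106 record, without the leading '\\'."""
    for data in root.findall("e:EventData/e:Data", NS):
        if data.get("Name") == "TaskName":
            return (data.text or "").lstrip("\\")
    return None


def triage(event_xml_records: Iterable[str]) -> Dict[str, object]:
    """Return what was found and whether the bulletin's response applies.
    Matching the task names (not just any 106) keeps ordinary task
    registrations from triggering the verdict."""
    log_cleared = False
    wiper_tasks = []
    for xml_text in event_xml_records:
        root = ET.fromstring(xml_text)
        eid = event_id(root)
        if eid == 1102 and provider(root) == "Microsoft-Windows-Eventlog":
            log_cleared = True
        elif eid == 106 and provider(root) == "Microsoft-Windows-TaskScheduler":
            name = task_name(root)
            if name and name.lower() in WIPER_TASKS:
                wiper_tasks.append(name)
    return {
        "log_cleared": log_cleared,
        "wiper_tasks": wiper_tasks,
        # Both conditions present: the bulletin says to run `shutdown -a`.
        "abort_reboot": log_cleared and bool(wiper_tasks),
    }


# Constructed records (namespace and element layout follow the Windows event
# schema; the values are made up for the example).
EV_1102 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
  <Channel>Security</Channel></System>
</Event>"""
EV_106_WIPER = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-TaskScheduler"/><EventID>106</EventID>
  <Channel>Microsoft-Windows-TaskScheduler/Operational</Channel></System>
  <EventData Name="TaskRegisteredEvent">
    <Data Name="TaskName">\\drogon</Data><Data Name="UserContext">NT AUTHORITY\\SYSTEM</Data>
  </EventData>
</Event>"""
EV_106_BENIGN = EV_106_WIPER.replace("\\drogon", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag")

if __name__ == "__main__":
    print(triage([EV_1102, EV_106_WIPER]))   # abort_reboot True
    print(triage([EV_1102, EV_106_BENIGN]))  # abort_reboot False
```

On a live host the records would come from the Security log and the Microsoft-Windows-TaskScheduler/Operational log via Get-WinEvent; matching on the task name rather than on any event 106 avoids acting on routine task registrations.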

 

Halim Abouzeid has a detailed post on how the post infection activity looks in both NetWitness Packets and NetWitness Endpoint.

 

 

Ahmed Sonbol

Sage Ransomware Campaign

Posted by Ahmed Sonbol Employee Oct 20, 2017

During the week of October 16th 2017, RSA FirstWatch observed a new malspam campaign delivering Sage 2.2 ransomware. The delivery documents come embedded with malicious macros that download the ransomware upon execution. 

 

31119.doc is one example. It uses the usual social engineering tricks to convince the user to run the embedded macro:

 

 

Submitting the delivery document to RSA pre-release What's This File service reveals more information about it including the obfuscated VBA code:

The VBA code runs a powershell command that downloads a binary to the victim machine and executes it:

 

 

NetWitness Packets shows the following information for the download session:

 

 

Analysis results indicate that the downloaded binary is a Sage ransomware variant. The following post infection screenshots are from hybrid-analysis.com:

 

 

If you zoom out a little bit, you can notice a pattern:

Here is a list of delivery documents (SHA256):

And below is a list of Sage ransomware variants (SHA256):

All the IOCs from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’

 

A new malspam campaign was observed on October 6th 2017 spreading DoublePulsar via the EternalBlue exploit, as well as Hidden Tear ransomware. Based on the delivery documents and ransom notes, the campaign looks to be targeting German speaking users.

 

EternalBlue exploits a vulnerability in the way the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests, giving the attacker an opportunity to execute code on the target server [1]. Microsoft issued a patch for the vulnerability in March 2017, but the exploit was still used as part of the WannaCry ransomware attack in May 2017 and the NotPetya attack in June 2017. DoublePulsar is a backdoor implant that was used alongside EternalBlue. Hidden Tear is an open source ransomware family. Malware authors have built different variants on top of its code base that vary from each other in different ways, such as the payment methods, the encryption techniques and which files to consider for encryption [2].

 

The delivery document (PRELIMINARY_KAPSCH_SECURITY_NIGHT_2017_WORD_DROPPER.doc) uses a macro to drop the malicious payload to the victim machine:

 

 

Submitting the delivery document to RSA pre-release What's This File service shows the following malicious characteristics including the auto-launch script to download a payload from a domain over SSL: 

The powershell script (launcher.ps1.txt) has the capability of mapping the victim network:

 

 

It can also download a zipped file 'EB_LAUNCHER.zip' and extract it on the victim machine:

 

 

The request to download 'EB_LAUNCHER.zip' was observed in NetWitness Packets:

Finally, the script proceeds to deliver:

 

 

First, it tries to run a powershell script (Execute-EB-Launcher.ps1) to attempt to infect machines in the network that could be vulnerable to the EternalBlue exploit, and to implant DoublePulsar if the attempt is successful:

 

 

In this scenario, no neighboring machines were compromised. The malicious powershell script (launcher.ps1.txt) finally downloads and launches a Hidden Tear variant:

Upon execution, the malware encrypts the victim's files and presents the following ransom note:

Post-infection traffic is over SSL:

The payment websites were down at the time of this writing.

Delivery documents (SHA256):

  • 8ad3c6df4a96b97279e50a39fe4c2662d8da7699c54cb2582a5c0ae7ae358334
  • 4592803dfdd47c4bfffad037695d3be4566c38ad46132e55c5679c7eb6f029da

EB_LAUNCHER.zip (SHA256):

  • 22a3a1c609b678b5eed59b48eed47513996998ab99841773d5b0f316fc9e7528

Hidden Tear ransomware (SHA256):

  • bf9d54c7b894065d6f3ac59da093241ee0c0c545a323c9d8ae8c8f8a9b14d591

References:

  1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144
  2. Ransomware Recap: The Ongoing Development of Hidden Tear Variants - Security News - Trend Micro USA

Malspam activity was noted on September 23rd 2017 delivering a Jacksbot variant to infected machines. Jacksbot is a backdoor family that can run on any platform that supports the Java Runtime Environment [1]. In this blog post we will discuss the delivery mechanism and the behavior on the infected machine.

Submitting the delivery document to the RSA pre-release What's This File service shows the maximum threat score.

The VBA code writes data to a local VBS file (J4n.vbs). Here is the activity in NetWitness Endpoint:

Next, wscript.exe is called to execute the newly created J4n.vbs. A JAR file is downloaded and saved to a temp directory as HELP202.JAR. After a timeout, javaw.exe is called to execute the JAR:

Here is the download session in NetWitness Packets:

The following meta values were registered for the download session, including watchlist file extension, tld not com net org, http not good mozilla, http no referer, http long user-agent and http get no post. For more information about these meta values, see the hunting guide [2]:

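As an added example (not RSA's code and not the NetWitness meta definitions themselves), the following Python tags constructed HTTP session records with indicators named above, so a session like the JAR download stands out; the extension watchlist, the "good Mozilla" pattern and the long user-agent threshold are assumptions:

```python
# Tag HTTP session records with hunting indicators like those named above.
# Added example: the watchlist, the "good Mozilla" pattern and the length
# threshold are assumptions, not the NetWitness definitions.
import re

WATCHLIST_EXT = {"jar", "hta", "ps1", "vbs", "zip", "exe"}   # assumed watchlist
COMMON_TLDS = {"com", "net", "org"}
LONG_UA = 120                                                 # assumed threshold
# Assumed shape of a "good" Mozilla user-agent: a modern browser-style string.
GOOD_MOZILLA = re.compile(r"^Mozilla/5\.0 \(.*\).*(Gecko|Chrome|Safari|Trident)")

def tag_session(sess):
    """Return the set of indicator tags that apply to one session record."""
    tags = set()
    # Extension of the requested resource, ignoring any query string.
    name = sess["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    if "." in name and name.rsplit(".", 1)[-1].lower() in WATCHLIST_EXT:
        tags.add("watchlist file extension")
    if sess["host"].rsplit(".", 1)[-1].lower() not in COMMON_TLDS:
        tags.add("tld not com net org")
    ua = sess.get("user_agent", "")
    if ua.startswith("Mozilla") and not GOOD_MOZILLA.match(ua):
        tags.add("http not good mozilla")
    if not sess.get("referer"):
        tags.add("http no referer")
    if len(ua) > LONG_UA:
        tags.add("http long user-agent")
    methods = set(sess["methods"])
    if "GET" in methods and "POST" not in methods:
        tags.add("http get no post")
    return tags

# Constructed sample sessions (not captures from the post).
SESSIONS = [
    {"host": "a.pomf.cat", "path": "/HELP202.JAR", "methods": ["GET"],
     "referer": "",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; "
                   "Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; "
                   ".NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"},
    {"host": "www.example.com", "path": "/index.html", "methods": ["GET", "POST"],
     "referer": "https://www.example.com/",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/61.0 Safari/537.36"},
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s["host"], len(tag_session(s)), sorted(tag_session(s)))
```

The number of tags a session collects is a crude ranking for review; the first constructed session hits all six, the browsing session hits none.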
According to VirusTotal scan results, the payload is a Jacksbot variant. However, it appears to have failed to run on the victim machine:

The delivery domain a[.]pomf[.]cat has been actively delivering all kinds of payloads to infected machines, not only over HTTP but also over SSL:

Here is another look at the process tree:

Delivery document (SHA256):

  • 1459ec6788f4ecd1dd8d2b55dd931c245304c3fd0cae410d2c0df93170c13ee8

Jacksbot variant (SHA256):

  • 090c02c428cc42b55772055e8c26232e2fd8f51c9c28e6041d503abcd82cb695

References:

  1. JACKSBOT Has Some Dirty Tricks up Its Sleeves - TrendLabs Security Intelligence Blog
  2. RSA NetWitness Hunting Guide

Malspam activity was noted on September 19th 2017 delivering a Cobalt Strike payload. The malicious RTF document leverages the newly disclosed CVE-2017-8759 [1]. Microsoft has already released a patch to address the vulnerability in the affected products [2]. RSA FirstWatch blogged about it last week [3][4]. However, we noticed a different network behavior that was worth sharing with the community.

The malicious document is spreading as 'resume.rtf'. Upon opening the document in Microsoft Word, the infected system communicated with an external server over FTP to retrieve a file (readme.txt):

RSA NetWitness Packets shows the file transfer taking place in a separate session (service=0):

Due to the vulnerability, an HTTP request was made to the same server for 'favicon.ico', which is actually an HTA script:

Following the execution of the downloaded script, an SSL session was established to download an executable:

RSA NetWitness Packets indicates that the SSL session uses a self-signed certificate. In fact, most of the certificate fields were left blank, which is why no values appear for SSL CA or SSL subject in the screenshot below:

The final payload is a DLL that appears to be a hacking tool and part of the Cobalt Strike offensive framework. Its VirusTotal scan results can be found here.

RTF document (SHA256):

  • cdf6e2e928a89cbb857e688055a25e37a8d8b8b90530bd52c8548fb544f66f1f

Final payload (SHA256):

  • 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362

References:

  1. FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY - Threat Research Blog | FireEye Inc
  2. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759
  3. Malspam and CVE-2017-8759
  4. Malspam delivers MoonWind 9-20-2017
