
CVE-2017-8759 remains popular this week in the malspam world, with more malicious documents trying to exploit unpatched systems to deliver their payload [1][2]. This time the payload is a MoonWind variant. MoonWind is a Remote Access Trojan. It was first uncovered by security researchers at Palo Alto Networks Unit 42 in their blog post about targeted attacks against organizations in Thailand [3].

In this threat advisory we will go over the network and host behavior in RSA NetWitness Packets and Endpoint.

Upon opening the malicious readme.rtf in Microsoft Word, there was the request for the SOAP payload:

Next comes the request to download the HTA script:

The script is executed and a binary is downloaded:

The binary is executed and it downloads a dropper:

For the downloader process (httpx.exe), NetWitness Endpoint has more information about its strings, its tracking data, its path and its network connectivity:

NetWitness Endpoint generates the following IIOC for httpx.exe:

  • Direct IP request from unsigned module
  • Direct IP request from unsigned process
  • Unsigned writes executable
  • Renames file to executable
  • Unsigned writes executable to Windows directory
  • Compiled in last month
  • In temporary directory
  • Process accesses network

The dropper (invo.exe) drops a MoonWind variant (svcohos.exe) to the infected machine. It runs a batch file to delete itself:

The new process (svcohos.exe) copies itself to a new location, gains persistence on the system and starts to communicate with its command and control server:

NetWitness Endpoint generates the following IIOC for svcohos.exe:

  • Autorun unsigned hidden
  • Autorun unsigned uncommon registry startup method
  • Autorun unsigned only executable in directory
  • Suspicious AutoStart profile #1
  • Unsigned copyitself autorun
  • In hidden directory
  • Unsigned writes executable
  • Unsigned opens physical drive
  • Unsigned writes executable and create process on same file
  • Modifies run key
  • Unsigned copy itself
  • Autorun
  • Network access
  • In temporary directory
  • In ProgramData directory
  • In uncommon directory
  • DNS traffic from process
  • Process access network
  • Runs command shell

However, the infected system failed to establish a connection with the C2 server. Here is a recap of the network traffic:

Here is another look at the process tree:

readme.rtf (SHA256):

  • 0d5ec16b1affc1d85b335291aa9b89d1679865d913ccd5aa5f6093a6a4797d51

httpx.exe (SHA256):

  • 72bf1b9136654fd34f469065c086d91634c10ea612e56da6b64a04317f697802

svcohos.exe (SHA256):

  • 2175007a69be40a99f78fc565ec5ccda0d681a3c47b4bcb835c6682d72f7f6b0

References:

  1. FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY « Threat Research Blog | FireEye Inc 
  2. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759 
  3. https://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organ… 
Ahmed Sonbol

Malspam and CVE-2017-8759

Posted by Ahmed Sonbol, Sep 18, 2017

On September 12th, FireEye security researchers disclosed information about CVE-2017-8759, a SOAP WSDL parser code injection vulnerability [1]. Microsoft has already released a patch to address the vulnerability in the affected products [2]. It didn't take long to see a significant increase in the number of malicious files trying to exploit the vulnerability. A day or two after the disclosure there were a handful of samples submitted to VirusTotal; a week later, more than a hundred samples had been submitted. This indicates that exploitation of the vulnerability is shifting from targeted attacks to mass distribution.

In this blog post we will discuss the host and network behavior of one of those samples and see how the activities look in RSA NetWitness Packets and NetWitness Endpoint.

The delivery document under investigation is spreading as Quote.doc. Upon opening the RTF in Microsoft Word, an HTTP request was observed:

For this session, NetWitness Packets registered the following meta under Service Analysis, suggesting suspicious network traffic:

The WSDL parser handles the SOAP response. The following events took place on the infected host:

  • A .cs source code file (Logo.cs in this case) was generated in C:\Windows\System32\com\SOAPAssembly.
  • csc.exe compiled the generated source code into a DLL file (http100googlegtv4com0pppp0office4png.dll in this case).
  • Microsoft Word loaded the generated DLL file.
  • An HTTP request was sent (to the same server) to retrieve a script.
  • mshta.exe was called to run the downloaded script.
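One way to turn the host-side chain above into a detection, as an added example that is not part of the original post or of NetWitness itself: it reads endpoint events in an assumed minimal schema (process-create and file-write records with pid/ppid/image/path fields) and flags an Office process that writes into the SOAPAssembly directory, spawns csc.exe and spawns mshta.exe. The same chain is what the MoonWind delivery at the top of this page relies on.

```python
"""Flag the SOAP code-generation chain described above in endpoint telemetry.

Added example, not RSA NetWitness code. The event layout (process-create and
file-write records with pid/ppid/image/path fields) is an assumed, minimal
normalised form; real agents name these fields differently.
"""
import re
from collections import defaultdict

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Directory the WSDL parser writes the generated .cs and compiled .dll into (from the advisory).
SOAP_DIR = re.compile(r"\\windows\\system32\\com\\soapassembly\\", re.IGNORECASE)


def image_name(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_soap_codegen_chains(events):
    """Return one finding per Office process that shows at least two stages of the chain.

    Stages, all keyed on the Office process:
      cs_written    - a .cs file written under ...\\com\\SOAPAssembly by the Office
                      process or one of its direct children
      csc_spawned   - csc.exe started as a direct child of the Office process
      dll_written   - a .dll written under the same directory
      mshta_spawned - mshta.exe started as a direct child of the Office process
    """
    procs = {}
    children = defaultdict(list)
    writes = defaultdict(list)
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
            children[ev["ppid"]].append(ev)
        elif ev["type"] == "file_write":
            writes[ev["pid"]].append(ev["path"])

    findings = []
    for pid, proc in procs.items():
        if image_name(proc["image"]) not in OFFICE_IMAGES:
            continue
        family = [pid] + [child["pid"] for child in children[pid]]
        soap_paths = [p for fpid in family for p in writes[fpid] if SOAP_DIR.search(p)]
        child_images = {image_name(child["image"]) for child in children[pid]}
        stages = {
            "cs_written": any(p.lower().endswith(".cs") for p in soap_paths),
            "csc_spawned": "csc.exe" in child_images,
            "dll_written": any(p.lower().endswith(".dll") for p in soap_paths),
            "mshta_spawned": "mshta.exe" in child_images,
        }
        hit = [name for name, ok in stages.items() if ok]
        # csc.exe or mshta.exe under Office is rare on its own; two stages together
        # is a strong signal without waiting for the whole chain to complete.
        if len(hit) >= 2:
            findings.append({"office_pid": pid, "image": proc["image"], "stages": hit})
    return findings


# Constructed sample telemetry modelled on the advisory (pids and install paths are made up).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"},
    {"type": "file_write", "pid": 100, "path": r"C:\Windows\System32\com\SOAPAssembly\Logo.cs"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"},
    {"type": "file_write", "pid": 200, "path": r"C:\Windows\System32\com\SOAPAssembly\http100googlegtv4com0pppp0office4png.dll"},
    {"type": "process", "pid": 300, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe"},
]

# A benign Office session: Excel printing through splwow64 and saving a workbook.
BENIGN_EVENTS = [
    {"type": "process", "pid": 400, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE"},
    {"type": "process", "pid": 401, "ppid": 400, "image": r"C:\Windows\splwow64.exe"},
    {"type": "file_write", "pid": 400, "path": r"C:\Users\user\Documents\budget.xlsx"},
]

if __name__ == "__main__":
    for finding in find_soap_codegen_chains(SAMPLE_EVENTS):
        print(finding)
```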

The next screenshot shows the machine scan data on NetWitness Endpoint:

Here is an event reconstruction of the second payload delivery:

The screenshot below shows the files created in C:\Windows\System32\com\SOAPAssembly

Here is a better look at the content of the newly created source code file Logo.cs:

When the second payload ran, it issued an HTTP request to a direct IP address in order to download an obfuscated powershell script:

When powershell.exe ran, it dropped an executable on the victim machine: 

The dropped executable is a LaZagne variant. LaZagne is a publicly available open source application to retrieve passwords stored on a local computer. VirusTotal analysis results can be found here. Here is the report from hybrid-analysis.com. On NetWitness Endpoint the following module IIOCs were generated:

  • In root of AppDataRoaming directory
  • Unsigned writes executable
  • Unsigned writes executable to users directory
  • Unsigned writes executable to AppDataLocal directory
  • Self delete
  • In AppData directory

Following the execution of LaZagne.exe, a newly created process AZAaPaAA.exe can be seen, which is also a LaZagne variant according to VirusTotal analysis results. The analysis report from hybrid-analysis.com is available here. NetWitness Endpoint generated even more IIOCs for this module:

  • In root of Program directory
  • In root of AppDataRoaming directory
  • In hidden directory
  • Unsigned opens OS process
  • Unsigned writes executable
  • Unsigned writes executable to Windows directory
  • Unsigned writes executable to users directory
  • Unsigned writes executable to AppDataLocal directory
  • Self delete
  • Unsigned copy itself
  • Runs powershell with long arguments
  • In AppData directory
  • In ProgramData directory
  • Unsigned opens process
  • Runs command shell
  • Runs powershell

A quick look at the embedded strings of those binaries confirms what kind of data they are targeting:

Finally, below is a recap of the HTTP traffic in NetWitness Packets:

Delivery document (SHA256):

  • 640b9b789efe66bca20812af4f4e017bb7524ee8a6a4ec5e153a73af9bd0a007

LaZagne binaries (SHA256):

  • 3f6e8dea07b6e87182b3068868746e5054123a7c86e04d775292af7ffd1ce9b4
  • 9485a1630d9283d7efee3828fca32d72cfcb3fb1e91015a9753df09a21f14da2

References:

  1. FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY « Threat Research Blog | FireEye Inc 
  2. https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8759  

In our introductory post on cryptocurrency, we mentioned that one of the threats to organizations these days is malware distributing cryptocurrency mining software. In this blog post we will discuss the host and network behavior of two malware samples used to drop or download Monero mining software. According to its website, Monero is an open source, secure, private and untraceable cryptocurrency. At the time of this writing, one Monero is valued a little above $98 [1].

Before we delve into the topic of this threat advisory, it is worth mentioning that mining software itself is not malicious. Granted, it has a major impact on system resources, but that's the "price" you pay for running such software. However, if you have no idea it is running on your system then it is a different story. An attacker infecting systems left and right to enroll them in a botnet that mines coins and enriches his wallet is certainly malicious.

First, let's take a look at a Smoke Loader variant. Smoke Loader first appeared on the black market in 2011. It is used to download malware to an infected system [2]. Upon infecting a system, the following network events take place.

Initially there was a POST request to 21072206[.]ru:

In response to that request, the server sends a 404 error. However, it is not your average 404 page: session reconstruction shows an obfuscated payload. It was quickly followed by another POST request to download an executable:

Here is the populated meta under Service Analysis and File Analysis for those HTTP sessions in NetWitness Packets:

According to VirusTotal analysis results, the binary is a coin miner. Embedded strings suggest that it is an XMRig variant. XMRig is a high-performance Monero CPU miner.

When the miner runs, it starts communicating with a pooled mining server at 91.121.87.10:

Pooled mining allows machines with limited resources to join others in contributing to generate a block. The reward for the block generation is then split among the clients based on their processing power contribution [3]. The clients communicate with the server using a protocol called Stratum [4]. It is basically JSON-RPC over TCP, as shown in the screenshot above. After authenticating to the server, the client waits for new mining jobs.
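An added example, not taken from the advisory or from XMRig: a small classifier that recognises the Stratum login, job and submit exchange described above in reassembled TCP payload and pulls out the login and agent fields a responder would want to record. The sample payload is constructed (placeholder wallet, made-up job blobs), not the advisory's capture.

```python
"""Recognise Stratum (JSON-RPC over TCP) mining traffic from reassembled TCP payload.

Added example, not NetWitness parser code. The client/server payloads below are
constructed to mirror an XMRig-style login followed by a pushed job and a share
submit; the wallet is a placeholder and the job blobs are made up.
"""
import json

# Method names used by the Monero/XMRig Stratum dialect and by Bitcoin-style Stratum v1.
STRATUM_METHODS = {
    "login", "job", "submit", "keepalived",
    "mining.subscribe", "mining.authorize", "mining.notify", "mining.submit", "mining.set_difficulty",
}


def parse_jsonrpc_lines(payload):
    """Yield JSON objects from newline-delimited payload, ignoring anything that is not JSON."""
    for line in payload.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            yield obj


def classify_stratum_flow(client_payload, server_payload):
    """Summarise one TCP flow: is it Stratum, which methods, who logged in, how many jobs."""
    methods, jobs, login, agent = [], 0, None, None
    for msg in parse_jsonrpc_lines(client_payload):
        method = msg.get("method")
        if method not in STRATUM_METHODS:
            continue
        methods.append(method)
        params = msg.get("params")
        if method == "login" and isinstance(params, dict):
            login, agent = params.get("login"), params.get("agent")
        elif method == "mining.authorize" and isinstance(params, list) and params:
            login = params[0]
    for msg in parse_jsonrpc_lines(server_payload):
        if msg.get("method") in ("job", "mining.notify"):
            jobs += 1                                   # work pushed after the login
        result = msg.get("result")
        if isinstance(result, dict) and "job" in result:
            jobs += 1                                   # first job returned inside the login reply
    return {
        "is_stratum": bool(methods) and (login is not None or jobs > 0),
        "methods": methods,
        "login": login,
        "agent": agent,
        "jobs": jobs,
    }


# Constructed exchange: login -> login reply carrying a job -> pushed job -> share submit.
CLIENT_PAYLOAD = (
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER",'
    b'"pass":"x","agent":"XMRig/2.4.2"}}\n'
    b'{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"rpc1","job_id":"2",'
    b'"nonce":"1a2b3c4d","result":"00ab"}}\n'
)
SERVER_PAYLOAD = (
    b'{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"rpc1","job":{"blob":"0707aa",'
    b'"job_id":"1","target":"b88d0600"},"status":"OK"}}\n'
    b'{"jsonrpc":"2.0","method":"job","params":{"blob":"0707bb","job_id":"2","target":"b88d0600"}}\n'
    b'{"id":2,"jsonrpc":"2.0","error":null,"result":{"status":"OK"}}\n'
)
# An ordinary HTTP exchange, to show the negative case on a non-JSON flow.
HTTP_CLIENT = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
HTTP_SERVER = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    print(classify_stratum_flow(CLIENT_PAYLOAD, SERVER_PAYLOAD))
    print(classify_stratum_flow(HTTP_CLIENT, HTTP_SERVER))
```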

Next, let's take a look at an XMRig dropper. When it infects a system, the process (sample.exe in this case) starts the following chain of events on the host:

  • It drops an executable lasse.exe in C:\Windows\System32 (SHA256: 8acdb1fae3a564d1e1145e37e1933dea18bd9722f0889b4bf00a2bbb441a9a25)
  • It uses sc.exe and net.exe to start a new service using the dropped file above
  • It modifies the registry so that lasse.exe gains persistence on the system
  • lasse.exe drops another executable kernel.exe in C:\Windows\Temp and starts it in the background passing the username and password to connect to the pooled mining server.

kernel.exe (SHA256: 9e5b3da1e5ece578ff99525d1ea565df458cdd62b305404336303ca8ca97f562) is another XMRig variant. Its VirusTotal analysis results can be found here.

The following screenshots from NetWitness Endpoint give us even more information:

Here is another look at the process tree:

XMRig comes with a help switch making it easier to understand the command line arguments:

Smoke Loader (SHA256):

  • 9770669d4b864a167dd0a4b684126d6b077889b8cb903dd969b5c5929e565584

XMRig dropper (SHA256):

  • da21bef9cb9721e632b7deebfdf6190169be7fe2fa7fd574f741dc3272a594e9

XMRig miners (SHA256):

  • 954e8e88740fd3e659fd4ad0502982dd173db2d90cfca0718bfc739bf886d51c
  • 9e5b3da1e5ece578ff99525d1ea565df458cdd62b305404336303ca8ca97f562

References:

  1. https://www.worldcoinindex.com/coin/monero 
  2. https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/ 
  3. https://en.bitcoin.it/wiki/Pooled_mining 
  4. https://en.bitcoin.it/wiki/Stratum_mining_protocol 
Ahmed Sonbol

Malspam and CVE-2017-0199

Posted by Ahmed Sonbol, Aug 31, 2017

Over the past few weeks, RSA FirstWatch noticed an uptick in malspam trying to exploit CVE-2017-0199 to deliver malicious payloads to victim machines. Microsoft has already issued a patch to address the vulnerability in the affected Office products. Unpatched systems are still at risk of getting infected with whatever piece of malware the malspam is distributing at a given point.

The attack starts with a crafted Office document that has an embedded OLE2 link object. If it is opened in a vulnerable application, an HTTP(S) request is issued to retrieve a malicious HTML Application (HTA). The HTA handler, mshta.exe, is then called to execute the downloaded script, which in turn downloads and executes the final payload.

In this threat advisory we will discuss how the RSA NetWitness Suite sees the host and network behavior of a couple of delivery documents trying to exploit CVE-2017-0199.

The first delivery document was noticed on August 29th 2017. Opening the RTF document using an unpatched Microsoft Word led to the following network events:

Let's break down those network sessions. First, a request was made to download an obfuscated script:

The downloaded script was handled by mshta.exe and another request followed to download an executable:

This report from hybrid-analysis.com suggests that the binary is a Hawkeye variant. VirusTotal scan results can be found here.

Next, the malware authenticates to an FTP server and uploads files to it. It also connects to the same server using custom TCP protocols:

Here's the meta registered by NetWitness Packets for the HTTP sessions above:

The second delivery document was also noticed on August 29th 2017. Opening the malicious document using an unpatched Microsoft Word led to the following:

The scan data on NetWitness Endpoint is shown below:

On the host side, what's typical in this infection scenario is that Winword.exe looks up the handler for the downloaded HTA file through a COM object. The handler, mshta.exe, is called to execute the malicious script.

In this case the malicious script contains a PowerShell command to download the final payload and save it to the system, so powershell.exe is created to run the command:

The malware then proceeds to deliver its functionality:

Delivery documents (SHA256):

  • 69c39a042a35bb7e3fb4d259b7fd7cb705ee2730be226d5f3e5b1df8c5cb85dc
  • 278cfc903edc1c49f49c2945fb9128fa29f720cb53e72df9f2a1ff85ba2c1ff6

Further reading:

Malspam activity was noted on August 22nd 2017 delivering NanoBot malware via a 'detailed description.xls' Excel spreadsheet with an embedded malicious macro. According to this threat profile from Microsoft, this backdoor has the following capabilities:

  • Downloading and running files
  • Uploading files
  • Spreading malware to other PCs
  • Logging your keystrokes or stealing your sensitive data
  • Modifying your system settings
  • Running or stopping applications
  • Deleting files

In this threat advisory we will discuss the host and network behavior of the malware using RSA NetWitness Suite.

The malicious macro inside our 'delivery description.xls' delivery document contains heavily obfuscated VBA code as shown by RSA pre-release What's This File service in the screenshots below:

Upon running, the VBA code starts cmd.exe in order to run an encoded PowerShell command that downloads, saves and runs an executable on the infected machine:

According to VirusTotal scan results, the dropped file is a NanoBot variant. Here is the analysis report from hybrid-analysis.com.

Although the download activity took place over SSL, NetWitness Packets registered meta for the session to indicate a missing subject organizational name for the SSL certificate in use:

The malware starts to communicate with its command and control (C2) server using a custom protocol over TCP on destination port 30314:

For this session, NetWitness Packets registered the meta value binary handshake under the indicators of compromise key:

The C2 IP address is associated with other NanoBot samples according to VirusTotal results.

Opening the delivery document on a machine with a NetWitness Endpoint agent shows the following chain of events:

Our friend 'powershell.exe' connects to the delivery domain.

The next screenshots show the module IIOCs for the newly created process. In addition, they show how it copies itself to a new location on the infected machine, modifies the registry to gain persistence on the system, and connects to the C2 IP address:

NanoBot delivery document (SHA256):

  • ab801421c0a70b96f974a575f29d31cdc22a587dc76bd87d341992db39731141

NanoBot variant (SHA256):

  • 26e22dc2d7018a728c6f2331361e265ad27aca8c60b6d4479116454880e4d84e
  • 6261814a313b99471d99454e37845d59d5b7425b1574d6408e6b5bc3e1672678

All the IOCs will be added to the FirstWatch C2 feeds as follows:

  • For download domain:
    threat.source = 'rsa-firstwatch'
    threat.category = 'malspam'
    threat.description = 'delivery-domain'

  • For C2 domain:
    threat.source = 'rsa-firstwatch'
    threat.category = 'cnc'
    threat.description = 'nanobot'

A malspam campaign was noted on Friday August 11th 2017 delivering "Diablo6", a variant of Locky ransomware. The new variant is named after the extension of the encrypted files on a victim machine. It is delivered via PDF documents with attached malicious Word documents. RSA FirstWatch discussed this delivery mechanism before and shared detection techniques using NetWitness Packets and the hunting pack. In this threat advisory we will discuss the network behavior of the recent campaign.

Here is an example of a delivery document. It has an attached Word document which in turn has a malicious macro. Social engineering is needed to lure the victim to bypass built-in measures in Adobe Reader and Microsoft Word in order to eventually run the malicious macro.

Submitting the PDF document (SHA256: e58662121738a24edf2341a4344a237d711fdb025dbe0a8f208205d99723209a) to the RSA pre-release What's This File service shows a medium threat score. It also displays information about embedded JavaScript code that tries to auto-launch the attached Word document:

The embedded Word document itself (SHA256: e853432940466040561d30e2ee81a5e9785d64e6bead19372a9f585745a934fd) has a high threat score with different suspicious characteristics:

The VBA code reaches out to a delivery domain in order to download a payload, in this case a Locky ransomware variant (SHA256: 5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e). The analysis report from hybrid-analysis.com can be found here.

NetWitness Packets tagged the download sessions with the following meta values:

The network behavior was shared among different infected systems indicating an active campaign:

After a time delay, the executable starts to encrypt the files on the victim machine, then changes the desktop background and displays a note with the necessary instructions to pay the ransom before deleting itself from the system. The time delay is most likely used to evade sandbox technologies:

This Locky variant asks for 0.5 BTC to decrypt the victim files:

NetWitness Endpoint shows the following module IIOCs and tracking data for the ransomware:

All the delivery domains from this campaign will be added to FirstWatch C2 domains on Live with the following meta values:

  • threat.source = 'rsa-firstwatch'
  • threat.category = 'malspam'
  • threat.description = 'delivery-domain'

Previous RSA Link articles on Locky:

Malspam activity was noted on August 1st 2017 delivering an Xtreme RAT variant. Xtreme RAT is a publicly available remote access tool that has been around for a few years and has been used by threat actors in cybercrime as well as targeted attacks. In this threat advisory we will discuss its network and host behavior from the perspective of RSA NetWitness Packets and RSA NetWitness Endpoint.

The delivery document documentos.doc looks to be targeting Spanish-speaking users. It uses social engineering to trick a victim into running the malicious embedded macro:

Submitting the delivery document to RSA pre-release What's This File service shows a maximum threat score:

What's This File service shows embedded VBA code to download an executable from a delivery domain and to save it to a local file on the system:

Here is a screenshot of the download session from NetWitness Packets:

VirusTotal scan results suggest it is an Xtreme RAT variant. Here is the analysis report from hybrid-analysis.com.

NetWitness Packets tagged the download session with the following meta values:

NetWitness Endpoint scan data of an infected host is below:

WINWORD.exe creates a new process wtphjgf.exe from the downloaded PE file. The new process copies itself to new locations on the infected system and modifies the registry to gain persistence, then starts svchost.exe and injects code into it. The following screenshots from NetWitness Endpoint show the host behavior as well as the module IIOCs for wtphjgf.exe:

NetWitness Endpoint also shows a suspicious network connection initiated by the newly created svchost.exe to a dynamic DNS domain:

The network activity is captured by NetWitness Packets:

NetWitness Packets tagged the outbound HTTP sessions with the following meta values indicating highly suspicious traffic:

Xtreme RAT delivery document (SHA256):

  • e925f362b8f17c6252d6b4c8c7e4a47d41b01b589ab9f30649123ae626086668

Xtreme RAT variant (SHA256):

  • ef551697664f508d9705e108710e6421abb00bf5c5fe658a68dcf05c68ed3ecf

All the IOCs from those HTTP sessions were added to the FirstWatch Command and Control feed on Live with the following meta:

  • For download domain:

    threat.source = 'rsa-firstwatch'
    threat.category = 'malspam'
    threat.description = 'delivery-domain'

  • For Command and Control domain:

    threat.source = 'rsa-firstwatch'
    threat.category = 'cnc'
    threat.description = 'c2-domain'

Further reading:

Malspam activity was noted on July 26 2017 delivering GlobeImposter ransomware. This threat advisory will shed some light on the activity from the perspective of NetWitness Packets and NetWitness Endpoint.

Scan results of a delivery document can be found here. Submitting the file to RSA pre-release What's This File service shows the highest threat score with different suspicious characteristics:

Upon running the embedded VBA code, traffic was observed to a delivery domain to download an obfuscated payload:

This network behavior was shared among multiple infected machines:

The download sessions were tagged with the following meta values in NetWitness Packets: 

The downloaded payload is de-obfuscated and saved to the user's %Temp% directory as hurds8.exe:

VirusTotal scan results of that executable can be found here. Here is the analysis report from hybrid-analysis.com.

The binary starts by copying itself to a new directory and by modifying the registry to gain persistence on the system:

It also drops and runs a batch script in the %TEMP% directory with typical instructions for ransomware:

The screenshot below shows part of the tracking history of an infected machine:

The following screenshot shows the module IIOCs for hurds8.exe as well as its tracking information:

Notice in the tracking data how the ransomware uses the .707 extension to rename the newly encrypted files. This GlobeImposter variant drops the following ransom note:

GlobeImposter delivery documents (SHA256):

  • 5d0eb492f4f36bfd871f6399dc777b9abb1436d18fdf7f1e737ff36ab86fb5b1
  • 4e4ded4a9aa9122594389adba17f4b6ad6ad5f37b1353274a69a09f737c03789

GlobeImposter ransomware variant (SHA256):

  • a1cde05bb37cecfecc2ccfb57807d2db66393d73c6e88e129507ffcb70f0ba2e

All the IOCs from those HTTP sessions were added to the FirstWatch Command and Control Domains feed on Live with the following meta values:

  • threat.source = 'rsa-firstwatch'
  • threat.category = 'malspam'
  • threat.description = 'delivery-domain'

Malspam activity was noted on July 20 2017 delivering the BEBLOH banking trojan. BEBLOH has been around since 2009 and has the ability to steal money from unsuspecting victims right out of their bank accounts [1]. Based on the observed delivery documents, it seems this campaign is targeting users in Japan.

Scan results of a delivery document can be found here. Here is a screenshot taken of the malicious spreadsheet:

Submitting the spreadsheet to RSA's pre-release What's This File service shows maximum threat score:

What's This File service also shows the embedded VBA code:

Here is the host behavior upon opening the delivery document on a machine with RSA NetWitness Endpoint agent installed:

Obfuscated PowerShell code is used to download an executable to a local directory. The screenshot below shows the download activity in RSA NetWitness:

VirusTotal scan results for the downloaded executable suggest it is a BEBLOH variant. The EXE is saved to the user's Documents folder as %appdata%.exe:

Here is the process tree:

The download sessions are tagged with different meta values in RSA NetWitness, including http two headers, http no referer, http no user-agent and http get no post under Service Analysis, and exe filetype under File Analysis:
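As an added illustration (not NetWitness parser code), here is how meta values like the ones listed above, and the direct IP request meta seen earlier on this page, can be derived from a raw HTTP request and the first bytes of its response. The exact condition behind each name is my assumed reading of it, and the two sample sessions are constructed.

```python
"""Derive Service Analysis / File Analysis style meta from a captured HTTP session.

Added example, not NetWitness parser code. The conditions behind each meta value are
assumed interpretations of the names (e.g. "http two headers" = exactly two request
headers); NetWitness's own parsers may use different thresholds.
"""
from ipaddress import ip_address


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, {header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, target, headers


def is_ip_literal(host):
    """True when the Host header is a bare IPv4/IPv6 address (optionally with :port)."""
    host = host.strip()
    if host.startswith("["):                      # [v6]:port
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:                    # v4:port
        host = host.split(":", 1)[0]
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def session_meta(raw_request, response_body):
    """Return the set of meta values a session like the ones above would carry."""
    method, _target, headers = parse_request(raw_request)
    meta = set()
    if len(headers) == 2:
        meta.add("http two headers")
    if "referer" not in headers:
        meta.add("http no referer")
    if "user-agent" not in headers:
        meta.add("http no user-agent")
    if method == "GET":                            # single-request session: a GET and no POST
        meta.add("http get no post")
    if is_ip_literal(headers.get("host", "")):
        meta.add("direct ip request")
    if response_body[:2] == b"MZ":                 # PE header: File Analysis "exe filetype"
        meta.add("exe filetype")
    return meta


def is_highly_suspicious(meta):
    """An executable fetched by a client that sends almost no headers is the pattern the
    advisories on this page keep showing; require the PE plus two request oddities."""
    oddities = {"http no referer", "http no user-agent", "http two headers", "direct ip request"}
    return "exe filetype" in meta and len(meta & oddities) >= 2


# Constructed sessions (TEST-NET address and example.com; not indicators from the advisory).
MALSPAM_DOWNLOAD = (
    "GET /office.png HTTP/1.1\r\nHost: 203.0.113.5\r\nConnection: Keep-Alive\r\n\r\n",
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
)
BROWSER_PAGE = (
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\nReferer: https://www.example.com/\r\n\r\n",
    b"<!doctype html><html></html>",
)

if __name__ == "__main__":
    for raw, body in (MALSPAM_DOWNLOAD, BROWSER_PAGE):
        meta = session_meta(raw, body)
        print(sorted(meta), is_highly_suspicious(meta))
```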

BEBLOH delivery documents (SHA256):

  • fc0d7e53b0d55232a4a89614841ec77f022aab845a08dd4cbc47d3d6d35fc641
  • d82f57b4ab676ae02c710becedf9a0883f935fee89abf98c010c1a8b122b7140
  • 87d3eb0c512568c3cbe931670680b77d3f039312279f6817542dc612619d6449

BEBLOH Trojan (SHA256):

  • 29c7740f487a461a96fad1c8db3921ccca8cc3e7548d44016da64cf402a475ad

All the IOCs from those HTTP sessions were added to the FirstWatch Command and Control Domains feed on Live with the following meta values:

  • threat.source = 'rsa-firstwatch'
  • threat.category = 'malspam'
  • threat.description = 'delivery-domain'

References:

  1. BEBLOH Expands to Japan in Latest Spam Attack - TrendLabs Security Intelligence Blog

The idea of a mathematically secure chain of blocks was first mentioned in 1991; it was first conceptualized as a digital currency in 1998 as "Bit Gold" and first implemented as a decentralized digital currency as "Bitcoin" in 2009.

Blockchain is nothing but a chronological chain of blocks where every block contains a set of transactions/records and a reference to the previous block. This idea of a blockchain helps in establishing a digital ledger which is immutable and can be distributed in a way that peers in the network can come to a global consensus on adding new blocks and also agree on the true state of the ledger. This ledger is not kept in one place; its copies are held by all the participants in the distributed network. These copies are updated at the same time once all the participants come to a consensus. Privacy and anonymity depend upon the implementation of the blockchain.

Blockchain can be implemented in many areas such as finance, banking and real estate. There are a wide variety of implementations already in the market. However, the biggest implementation is in the field of cryptocurrency. There are many cryptocurrencies available and two major currencies are Bitcoin and Ethereum.


Bitcoin is a digital payment system and a cryptocurrency. It can be used for transactions all over the world with no central authority or bank involved. There are participant nodes in Bitcoin network that have the copies of Bitcoin distributed ledger. Six times every hour, a group of transactions is collected in a block and that block is added to the blockchain. Then all the participating nodes are synced with this change in the blockchain.

Adding new blocks to the chain is called mining. The miners do the following:

  1. They verify that the transactions are valid, which helps resolve the double-spending problem (i.e. the same digital token being spent twice).
  2. They group transactions into a block.
  3. They put a reference to the most recent block into the new block about to be created.
  4. They solve a mathematical proof-of-work problem. This is the step where the race starts between all the miners; the winner adds the new block to the chain and gets funds in the mined currency as a reward.
  5. When the mathematical problem is solved, the new block is added and the change is communicated across the network to all participating nodes.
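The five steps above, worked through on a toy ledger as an added example that is not from the post or from any real cryptocurrency code base. The transaction format (one named token per transfer), the fixed difficulty and the "leading hex zeros" proof-of-work condition are simplifications chosen for illustration.

```python
"""The five mining steps above, carried out on a toy ledger.

Added example, not from the original post or any real cryptocurrency code base.
Transactions are simplified to the transfer of a single named token, and the
proof of work is "SHA-256 of the block starts with N hex zeros"; real difficulty
targets and reward handling are left out.
"""
import hashlib
import json

DIFFICULTY = 3          # leading hex zeros required in the block hash (constructed value)


def block_hash(block):
    """Hash of the canonical JSON encoding of a block (nonce included)."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


class Ledger:
    def __init__(self):
        self.chain = []
        self.spent = set()                         # token ids already transferred once
        self._append(self._mine({"index": 0, "prev_hash": "0" * 64, "transactions": []}))

    # step 1: reject tokens already spent, or spent twice inside the same candidate block
    def validate(self, transactions):
        accepted, rejected, seen = [], [], set()
        for tx in transactions:
            token = tx["token"]
            if token in self.spent or token in seen:
                rejected.append(tx)
            else:
                seen.add(token)
                accepted.append(tx)
        return accepted, rejected

    # step 4: find a nonce that satisfies the proof-of-work condition
    @staticmethod
    def _mine(block):
        block = dict(block, nonce=0)
        while not block_hash(block).startswith("0" * DIFFICULTY):
            block["nonce"] += 1
        return block

    # step 5: append the block and mark its tokens as spent
    def _append(self, block):
        self.chain.append(block)
        self.spent.update(tx["token"] for tx in block["transactions"])

    def mine_block(self, transactions):
        """Run steps 1-5 for a batch of transactions; return (new block, rejected txs)."""
        accepted, rejected = self.validate(transactions)
        candidate = {                              # steps 2 and 3: group, and reference the tip
            "index": len(self.chain),
            "prev_hash": block_hash(self.chain[-1]),
            "transactions": accepted,
        }
        block = self._mine(candidate)
        self._append(block)
        return block, rejected

    def verify(self):
        """What a peer checks before accepting a chain: linkage and proof of work on every block."""
        for i, block in enumerate(self.chain):
            if not block_hash(block).startswith("0" * DIFFICULTY):
                return False
            if i > 0 and block["prev_hash"] != block_hash(self.chain[i - 1]):
                return False
        return True


def demo():
    """Mine two blocks, including a double-spend attempt, then tamper with history and re-verify."""
    ledger = Ledger()
    batch = [
        {"token": "tokenA", "from": "alice", "to": "bob"},
        {"token": "tokenB", "from": "carol", "to": "dave"},
        {"token": "tokenA", "from": "alice", "to": "erin"},   # second spend of tokenA
    ]
    _, rejected = ledger.mine_block(batch)
    ledger.mine_block([{"token": "tokenC", "from": "bob", "to": "alice"}])
    valid_before = ledger.verify()
    # editing history breaks the reference the next block carries (and almost surely the PoW)
    ledger.chain[1]["transactions"][0]["to"] = "mallory"
    return rejected, valid_before, ledger.verify(), len(ledger.chain)


if __name__ == "__main__":
    print(demo())
```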

The following graph by PwC can help you in understanding the flow of a transaction in the world of cryptocurrency [1].

With the rise of ransomware in the past couple of years, cryptocurrency, and in particular Bitcoin, gained more popularity. Due to the level of anonymity it provides, Bitcoin became the criminals' preferred currency to receive the ransom, thus playing an important part in the ransomware ecosystem. In the aftermath of a ransomware attack, victims hasten to follow the criminals' instructions in order to buy bitcoins and pay the ransom to recover their files. There is no guarantee that a victim would get their data back, and the general advice is not to pay the ransom [2]. However, for some organizations that fall victim to those attacks that is not an option, and they are more willing to take the risk. In fact, some companies have started stockpiling bitcoins in anticipation of ransomware attacks so they can recover their data as quickly as possible [3].

Another threat to organizations is the rise of cryptocurrency mining malware. This class of malicious software infects a victim machine and enrolls it in a larger mining botnet. Cryptocurrency mining uses a lot of system resources and might degrade the machine's performance. Recently, Proofpoint security researchers released a report about the Adylkuzz cryptocurrency mining malware [4]. Adylkuzz was spreading via the EternalBlue/DoublePulsar exploits and was used to mine Monero, a cryptocurrency that has enhanced anonymity capabilities and is used in dark web markets.

Cryptocurrency is not a new technology, but as it is getting more attention, it is our hope that this post can help in answering some of the basic questions. Future advisories will cover any emerging threats in that domain and will shed some light on detection techniques using RSA technologies.

Thanks to Prakhar Pandey for contributing to this blog post.

References:

  1. https://www.pwc.com/us/en/financial-services/fintech/bitcoin-blockchain-cryptocurrency.html
  2. https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise
  3. http://www.nbcnews.com/storyline/hacking-of-america/companies-stockpiling-bitcoin-anticipation-ransomware-attacks-n761316
  4. https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar

During the first week of July 2017, malspam activity was observed delivering AgentTesla malware, spyware capable of key and clipboard logging, screen capture, and stealing passwords from browsers [1][2]. This threat advisory will discuss its delivery methods and traffic analysis using NetWitness Logs and Packets.

The observed delivery document (file name: document.doc) was originally uploaded to VirusTotal on July 7th. This MS Word document contains embedded and obfuscated macros written in VBA, which are auto-launched upon opening. When submitted to RSA's pre-release What's This File service, the document had the maximum threat score.

As indicated below, the cleansed VBA code contained within the document uses Document_Open to auto-launch the script and then Shell to launch an executable.

Following the process tree, powershell.exe is called to download “filenew.exe” from findmylogs[.]com and save the payload, a malicious executable, as “prcQE.exe” in the “\AppData\Local\Temp” folder.

NetWitness packet inspection flags the following meta from this activity:

An RSA NetWitness Endpoint (aka ECAT) agent installed on the affected client machine shows the following tracking information and machine Indicators of Compromise (IOCs).

After the victim is infected, AgentTesla begins outbound communications via HTTP POSTs to onlinesypoi[.]com. Highlighted fields below represent a possible signature for Agent Tesla spyware [3].


The domain onlinesypoi[.]com itself was also observed delivering AgentTesla binaries.


Scan results for those binaries can be found here and here.

 

All the IOCs from those HTTP sessions were added to the RSA FirstWatch Command and Control Domains feed on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’

 

Thanks to Kevin Stear and Prakhar Pandey for contributing to this threat advisory.

 

References:

  1. https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting
  2. https://cysinfo.com/agent-tesla-new-spyware-variant-plucked-hackers-arena/
  3. In-Depth Analysis of A New Variant of .NET Malware AgentTesla | Fortinet Blog 

Malspam activity was noted this week delivering Hawkeye to infected machines. Hawkeye is a commodity keylogger that can be used to steal a victim's sensitive information. This threat advisory will discuss its delivery mechanism and will show how the traffic looks in NetWitness Logs and Packets.

 

This delivery document has an embedded malicious macro that launches a powershell script. Submitting the document to What's This File service shows a high threat score:


The powershell script downloads an executable from a delivery domain, an infection scenario shared among many different malspam campaigns. Here is the process tree:


Here's the download session in NetWitness Logs and Packets:


Using the "View Files" option to get the checksum of the downloaded file:


This report from hybrid-analysis.com suggests it is a Hawkeye variant. The hunting pack registered the following meta for this download session indicating highly suspicious traffic:


The fact that the executable was recently compiled can also be seen when submitting the file to the What's This File service:


It is worth mentioning that this domain, directlink[.]cz, has been used to deliver different kinds of malware. Here is the activity in NetWitness Logs and Packets for this week:


While the directory remained the same, filenames varied from one download session to another:


Here is a list of some of the delivered payloads (SHA256):

 

edac9b3dfc1bb7c64159323d8768ace4858ad239daf00499b9c01358f6cdf2a8
f4d86b3ee2f474198956f982c97e801cb9dc82e886f0a733aaffc1910feff85c
2b8e82fbc69dcf059e38a85ab5fcd135b86707528e26068f6cf514b6b4df0353
1e1ba211402544a252ef52276dee0f2de1720870da50212e51835200c9f199e2
7e5525d85b0aea64bc257a36cacc107731948eca198b109e13ca3c26cc630c99
864b1ec7fb0608807a5624cc84029a5c4cde15da111e7e846c993eab8e590091
0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb
d156b5fa4ee0dad4d7971812bd7bf0171af0df6528c84bb4bfc3e97ea3b69e78

 

This delivery domain was added to RSA FirstWatch Command and Control Domains on Live with the following meta values:

  • threat.source = 'rsa-firstwatch'
  • threat.category = 'malspam'
  • threat.description = 'delivery-domain'


Further reading:

  1. How I Cracked a Keylogger and Ended Up in Someone's Inbox
  2. Piercing the HawkEye: How Nigerian Cybercriminals Used a Simple Keylogger to Prey on SMBs - Security News - Trend Micro…
  3. The “HawkEye” attack: how cybercrooks target small businesses for big money – Naked Security

Malspam activity was noted on June 26th 2017 delivering the Emotet banking trojan. The campaign leverages malicious Word documents with embedded macros.

 

Scan results of a delivery document can be found here. An attacker can easily lure the victim into running the embedded macro:


Submitting the delivery document to What's This File service shows its maliciousness:


Upon running, the macro launches a powershell script to download and run the malware. Here is the process tree:


Here is the GET request in NetWitness Logs and Packets, as well as the file checksum using the "View Files" option of the download session:


The Hunting pack registered the following meta values for the download sessions indicating highly suspicious traffic:


Analysis results on VirusTotal suggest the final payload is an Emotet variant, a banking trojan that has been around since 2014.

 

All the IOCs from those HTTP sessions were added to the FirstWatch Command and Control Domains feed on Live with the following meta values:

  • threat.source = 'rsa-firstwatch'
  • threat.category = 'malspam'
  • threat.description = 'delivery-domain'

 

Further reading:

  1. more invoice malspam with links to download word doc deliver malware – My Online Security 
  2. New Variant of Geodo/Emotet Banking Malware Targets UK | Forcepoint 
  3. https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/ 

After a few days of inactivity, this malspam campaign is back, and yesterday it was delivering Locky ransomware. The campaign is known for using PDF attachments with embedded malicious Word documents.

 

Here is the traffic for a download session in NetWitness Logs and Packets:


Note that an obfuscated file is first downloaded to an infected machine:


Once the download is complete, it is de-obfuscated and the final payload is saved to the same directory:


The checksum of the final payload is shown below:


Analysis results on VirusTotal suggest it is a Locky ransomware variant. Malware-Traffic-Analysis.net mentions that this Locky variant would run only on a Windows XP machine.

 

Submitting the delivery document to What's This File service shows more information about the malicious PDF document.


All the IOCs from those HTTP sessions were added to RSA FirstWatch Command and Control Domains feed on Live with the following meta values:

  • threat.source = 'rsa-firstwatch'
  • threat.category = 'malspam'
  • threat.description = 'delivery-domain'

For the past few weeks, there has been an increase in malspam delivering Zyklon malware. Zyklon is available for sale on the Darknet and is capable of launching various types of DDoS attacks, data theft and fraud [1][2]. In this threat advisory, we will shed some light on its delivery mechanism.

 

Let’s take this delivery document from June 21, 2017 [3], seen in the wild as Sean-Resume.doc. An attacker can easily trick a victim into running the embedded malicious macro.


Upon running, the macro launches a powershell script to download and run the malware. Here is the process tree:


Here is the download session from NetWitness Packets and Logs:


The checksum of the downloaded executable can be obtained using the “View Files” option:


Analysis results on VirusTotal suggest it is a Zyklon variant [4].

 

The malicious network behavior is easily detected using NetWitness Packets and Logs. Here are some of the meta values registered by the Hunting pack for the download sessions since mid-May [5]:


It is worth mentioning that over the same period of time, the filename in those download sessions has been constantly changing:
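Three of the advisories above describe the same wire-level pattern from different angles: the Hawkeye and Zyklon delivery hosts kept one directory but rotated the filename from one download to the next, and the Locky chain first pulled an obfuscated blob that carves as no known file type before a real executable appeared. The following added example (constructed for this page, not NetWitness content or the hunting pack's own logic) runs two checks over a handful of constructed session records: a magic-bytes check that labels a download as an executable whatever its extension or Content-Type claims, and a grouping that surfaces directories serving many distinct filenames. The session records, the flag names and the threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed session records standing in for the HTTP metadata NetWitness extracts
# (not sessions from the advisories). Domains are kept defanged as in the write-ups.
# head = first bytes of the response body, as a file-carving step would see them.
SESSIONS = [
    {"client": "10.0.0.5",  "server": "directlink[.]cz", "path": "/files/abc123.exe",
     "ctype": "application/octet-stream", "head": b"MZ\x90\x00\x03\x00"},
    {"client": "10.0.0.7",  "server": "directlink[.]cz", "path": "/files/invoice.pdf",
     "ctype": "application/pdf", "head": b"MZ\x90\x00\x03\x00"},
    {"client": "10.0.0.9",  "server": "directlink[.]cz", "path": "/files/update_0621.dat",
     "ctype": "text/plain", "head": b"MZ\x90\x00\x03\x00"},
    # First stage of a two-step download: a blob that is not any known file type yet.
    {"client": "10.0.0.5",  "server": "directlink[.]cz", "path": "/files/o.bin",
     "ctype": "application/octet-stream", "head": b"\x7a\x13\xc4\x01\x9f\x00"},
    {"client": "10.0.0.12", "server": "cdn.example.net", "path": "/static/app.js",
     "ctype": "application/javascript", "head": b"(function"},
    {"client": "10.0.0.13", "server": "cdn.example.net", "path": "/static/app.js",
     "ctype": "application/javascript", "head": b"(function"},
]

# Magic bytes for the file types that matter in a malspam chain.
MAGIC = [(b"MZ", "exe"), (b"%PDF", "pdf"), (b"\xd0\xcf\x11\xe0", "ole"), (b"PK\x03\x04", "zip")]
# Content-Types under which a server would legitimately ship a Windows executable.
EXE_CONTENT_TYPES = {"application/octet-stream", "application/x-msdownload"}


def filetype_from_magic(head):
    for sig, name in MAGIC:
        if head.startswith(sig):
            return name
    return "unknown"


def session_flags(s):
    """Indicators for one session, in the spirit of the meta a hunting content pack registers."""
    flags = set()
    fname = s["path"].rpartition("/")[2]
    ext = fname.rpartition(".")[2].lower() if "." in fname else ""
    ftype = filetype_from_magic(s["head"])
    if ftype == "exe":
        flags.add("exe filetype")
        if ext != "exe":
            flags.add("exe filetype with non-exe extension")
        if s["ctype"] not in EXE_CONTENT_TYPES:
            flags.add("content-type mismatch")
    elif ftype == "unknown" and s["ctype"] == "application/octet-stream":
        # Opaque binary that carves as nothing: how an obfuscated first stage looks on the wire.
        flags.add("binary download not a known filetype")
    return flags


def rotating_filename_dirs(sessions, min_names=3):
    """Directories that served several distinct filenames: {(server, directory): sorted filenames}."""
    names = defaultdict(set)
    for s in sessions:
        directory, _, fname = s["path"].rpartition("/")
        names[(s["server"], directory or "/")].add(fname)
    return {key: sorted(v) for key, v in names.items() if len(v) >= min_names}


if __name__ == "__main__":
    for s in SESSIONS:
        print(s["server"], s["path"], sorted(session_flags(s)))
    for (server, directory), fnames in rotating_filename_dirs(SESSIONS).items():
        print("rotating filenames:", server, directory, fnames)
```

The magic check is what makes the extension rotation irrelevant to the detector: whether the payload is called invoice.pdf or update_0621.dat, the MZ header is what gets flagged. The directory grouping is the complementary view for a host like directlink[.]cz that keeps the same path but changes the name per session; the threshold of three distinct names is a starting point to tune against the noise of legitimate CDN directories.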


All the IOCs from those HTTP sessions were added to RSA FirstWatch Command and Control IPs on Live with the following meta values:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-ip’
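Every advisory on this page ends by pushing its indicators to a FirstWatch feed with the same three meta keys, and the threat.description value changes with the indicator type (delivery-domain for the Command and Control Domains feed, delivery-ip for the Command and Control IPs feed). The following added example (constructed for this page; it is not FirstWatch tooling and the CSV column layout is an assumption, not NetWitness's documented feed format) takes the defanged indicators the advisories print, refangs and validates them, rejects a description that does not fit the indicator type, collapses duplicates, and emits the rows with those meta keys. The duplicate entry and the 198.51.100.23 address are constructed for the example.

```python
import csv
import io
import ipaddress
import re

# Indicators as the advisories above print them (defanged), with the threat.description each
# advisory assigned. The duplicate and the IP are constructed for the example; 198.51.100.23
# is an RFC 5737 documentation address, not an indicator from any advisory.
INDICATORS = [
    ("findmylogs[.]com", "delivery-domain"),
    ("onlinesypoi[.]com", "delivery-domain"),
    ("directlink[.]cz", "delivery-domain"),
    ("directlink[.]cz", "delivery-domain"),   # repeated across advisories: must collapse to one row
    ("198.51.100[.]23", "delivery-ip"),
]

# Column layout is an assumption for this example, mirroring the meta keys the advisories list.
FIELDS = ["indicator", "type", "threat.source", "threat.category", "threat.description"]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def refang(value):
    """Undo the [.] defanging used in write-ups so the value matches what appears on the wire."""
    return value.replace("[.]", ".")


def classify(value):
    """'ip' or 'domain'; anything else is rejected rather than silently fed to the matcher."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(value.lower()):
        return "domain"
    raise ValueError("not a domain or IP address: %r" % value)


def build_feed_rows(indicators, source="rsa-firstwatch", category="malspam"):
    """Validated, de-duplicated rows; the description must agree with the indicator type."""
    rows = {}
    for raw, description in indicators:
        value = refang(raw)
        kind = classify(value)
        expected = "delivery-ip" if kind == "ip" else "delivery-domain"
        if description != expected:
            raise ValueError("%s is a %s but is described as %s" % (value, kind, description))
        rows[value] = {"indicator": value, "type": kind, "threat.source": source,
                       "threat.category": category, "threat.description": description}
    return [rows[k] for k in sorted(rows)]


def feed_csv(indicators):
    """CSV text with one row per indicator, header first."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for row in build_feed_rows(indicators):
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    print(feed_csv(INDICATORS), end="")
```

Refanging at feed-build time rather than by hand is deliberate: an indicator that stays defanged in a feed never matches a session, so the feed looks populated while detecting nothing, and the type check catches the other silent failure, an IP filed under the domains feed.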

 

References:

  1. https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/zyklon-http-botnet/
  2. https://myonlinesecurity.co.uk/spear-phishing-fake-resume-malspam-leads-to-malware/
  3. https://www.virustotal.com/en/file/4ad419ebe91c3549eb18731c7bc6fd6bf2f7da83d6295b3c75efb684a8449486/analysis/
  4. https://www.virustotal.com/en/file/524ad16ac80b196a5507fc45adfff6edc2938d498bc8e736ac69a8be7e5e8034/analysis/
  5. https://community.rsa.com/docs/DOC-62341
