
Last Updated: 13th November 2019


Cyber Security Alerts

 

DTrack Spyware

Fresh reports have been received of espionage activity by a state-sponsored malware campaign involving DTrack, which is reportedly closely related to the ATMDtrack malware campaign designed to collect TRACK1 and TRACK2 data from users who inserted their cards into infected Wincor Nixdorf ATMs.

DTrack has functionalities including keylogging, retrieving browser history, gathering IP addresses, collecting information about available networks and active connections, listing all running processes, and listing files on all available disk volumes. The droppers also contained a Remote Access Trojan (RAT) – EventTRacker RAT – that could allow attackers to perform various operations on a host. DTrack automatically transfers the grabbed user data over the bank’s internal network to a web server installed on a remote host.

Countermeasures

  • Limit access to local administrator accounts. Use a solution such as Microsoft LAPS for managing access to the local administrator account.

  • To prevent lateral movement, one could use firewall rules (both network and host firewalls), ACL and communication equipment configurations, in order to prevent direct communication between workstations on the network. Consider limiting workstations to communicate with servers and network services only. This configuration must be tested in a test environment prior to deployment in production networks.

  • Consider limiting and/or monitoring the use of PowerShell on users' workstations. Monitor the use of commands such as PowerShell, MSBuild, wevtutil, psexec, wmic, certutil and bitsadmin for abnormal usage with regard to time, workstation, user and process, and also check for unknown startup entries.

  • Allow egress SSH traffic only from predefined workstations and users. Monitor for SSH traffic using alternative ports, other than the default TCP port 22. Pay special attention to SSH traffic using ports 443, 80, 53.

  • Evaluate tools to identify log files being deleted from servers.

  • Consider defining the behavioral attributes of tools used by the attackers, such as LaZagne, RottenPotato, and Paramiko, in your defense systems.

  • Consider performing a penetration test (PT) against your IT systems, using methods and tools described above.

  • Consider using the Yara rule to identify the use of the RottenPotato tool:
    https://github.com/Neo23x0/signature-base/blob/master/yara/gen_rottenpotato.yar

  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains [DDNS domains, free domains, Cloud service traffic] sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.

  • Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.

  • Use the Loki or IOCFinder tool to scan workstations: https://github.com/Neo23x0/Loki
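
The monitoring items above (abnormal use of PowerShell, MSBuild, wevtutil, psexec, wmic, certutil and bitsadmin, and deleted logs) can be turned into a first-pass hunt on a Windows host. The following PowerShell is an added example and not code from the CERT-In advisory; it assumes process-creation auditing (Security Event ID 4688) is enabled and that it runs with rights to read the Security log. The extra names pwsh.exe and psexec64.exe are additions for this example.

```powershell
# Added example, not code from the CERT-In advisory: a first-pass hunt over the
# Windows Security and System event logs for the tools named in the
# countermeasures and for cleared logs. Assumes process-creation auditing
# (Security Event ID 4688) is enabled; command-line auditing is optional but
# improves results. Run elevated.

# Executable names from the countermeasure text, plus pwsh.exe / psexec64.exe
# (added here as obvious variants).
$WatchedTools = @('powershell.exe', 'pwsh.exe', 'msbuild.exe', 'wevtutil.exe',
                  'psexec.exe', 'psexec64.exe', 'wmic.exe', 'certutil.exe', 'bitsadmin.exe')

function Get-EventDataField {
    # Return the text of one <Data Name="..."> element from an event's XML.
    param([xml]$EventXml, [string]$Name)
    $node = $EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { return [string]$node.'#text' }
    return $null
}

function Find-WatchedToolExecutions {
    # Takes 4688 events (live or exported) and emits one record per execution of
    # a watched tool, so results can be grouped by user, host and time of day.
    param(
        $Events = @(),
        [string[]]$Tools = $WatchedTools
    )
    foreach ($e in $Events) {
        $x    = [xml]$e.ToXml()
        $proc = Get-EventDataField $x 'NewProcessName'
        if (-not $proc) { continue }
        $leaf = [System.IO.Path]::GetFileName($proc).ToLowerInvariant()
        if ($Tools -contains $leaf) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Computer    = $e.MachineName
                User        = Get-EventDataField $x 'SubjectUserName'
                Process     = $proc
                Parent      = Get-EventDataField $x 'ParentProcessName'  # Windows 10 / 2016 and later
                CommandLine = Get-EventDataField $x 'CommandLine'        # only if command-line auditing is on
            }
        }
    }
}

function Find-LogClearing {
    # 1102 = Security log cleared (Security log); 104 = a log was cleared (System log).
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } -ErrorAction SilentlyContinue
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $Since } -ErrorAction SilentlyContinue
    @($sec) + @($sys) | Where-Object { $_ } | Select-Object TimeCreated, Id, LogName, MachineName, Message
}

# Usage: last 24 hours of process creation, grouped per user and host, then the
# raw hits, then any log clearing in the last week.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue
$hits   = @(Find-WatchedToolExecutions -Events @($events))
$hits | Group-Object User, Computer | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$hits | Format-Table Time, User, Process, Parent, CommandLine -AutoSize -Wrap
Find-LogClearing | Format-Table -AutoSize -Wrap
```

The grouping step is the part that makes this useful: a single certutil.exe run is rarely interesting, but the same user launching it from several workstations at night is.
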

 

Credential Stealer Malware: LokiBOT

It is reported that the credential and information stealer malware LokiBot has been spotted in the wild. A brief description is given below:

LokiBot is info stealer malware. It steals a variety of credentials – primarily FTP credentials, stored email passwords, passwords stored in the browser. LokiBot is distributed in various forms, and has been seen in the past being distributed in zipped files along with malicious macros in Microsoft Word and Excel, or leveraging the various exploits via malicious RTF files. It is designed to capture bank user accounts by monitoring the computer with its built-in keylogging capability. It is quite infamous due to its ease of use and effectiveness.
 

Countermeasures

  • Enable code signing for PowerShell for all types of users so that only signed scripts will execute in PowerShell.

  • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.

  • Block the attachments of file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.

  • Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.

  • Monitor all outbound traffic; traffic destined to newly-registered domains or belonging to the category “Uncategorized” should be inspected closely or blocked.

  • Maintain up-to-date antivirus signatures and engines.

  • Users must keep their device firmware up-to-date with the latest releases to prevent any potential attacks.

  • Keep operating system patches up-to-date.
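
The macro and attachment items in this list can be applied and checked from PowerShell. The following is an added example and not code from the CERT-In advisory; it assumes Office 2016/2019/365 (policy key version "16.0"), and the application list and sample file names are constructed for the example. The registry value names are Microsoft's documented Office policy values.

```powershell
# Added example, not code from the CERT-In advisory: enforce and verify the
# Office macro settings described above for the current user, and check
# attachment names against the block list from the countermeasures. Assumes
# Office 2016/2019/365 (policy key version "16.0"); the application list and
# the sample file names are constructed for this example.

$OfficeApps = @('Word', 'Excel', 'PowerPoint')
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# VBAWarnings: 2 = disable with notification, 3 = disable except digitally
# signed, 4 = disable all macros without notification.
# blockcontentexecutionfrominternet: 1 = block macros in files carrying the
# Mark-of-the-Web, i.e. the "hybrid" option the countermeasure mentions.
function Set-OfficeMacroPolicy {
    param(
        [ValidateSet(2, 3, 4)] [int]$VbaWarnings = 3,
        [ValidateSet(0, 1)]    [int]$BlockFromInternet = 1
    )
    foreach ($app in $OfficeApps) {
        $key = "$PolicyRoot\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VbaWarnings -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value $BlockFromInternet -PropertyType DWord -Force | Out-Null
    }
}

function Get-OfficeMacroPolicy {
    # Audit view: one row per application with the effective values.
    foreach ($app in $OfficeApps) {
        $p = Get-ItemProperty -Path "$PolicyRoot\$app\Security" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App               = $app
            VBAWarnings       = $p.VBAWarnings
            BlockFromInternet = $p.blockcontentexecutionfrominternet
            UnsignedMacrosOff = ($p.VBAWarnings -in 3, 4)
        }
    }
}

# Extension block list exactly as given in the countermeasures.
$BlockedExtensions = 'exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf' -split '\|'

function Test-BlockedAttachment {
    # Only the final extension counts, so "invoice.pdf.exe" is still an .exe.
    # Trailing dots/spaces are stripped because Windows drops them on save.
    param([Parameter(Mandatory)][string]$FileName)
    $clean = $FileName.Trim().TrimEnd('.', ' ')
    $ext   = [System.IO.Path]::GetExtension($clean).TrimStart('.').ToLowerInvariant()
    return ($ext -ne '') -and ($BlockedExtensions -contains $ext)
}

# Usage
Set-OfficeMacroPolicy -VbaWarnings 3 -BlockFromInternet 1
Get-OfficeMacroPolicy | Format-Table -AutoSize
# Constructed sample names: the first two should be blocked, the last two allowed.
'invoice.pdf.exe', 'report.js.', 'quarterly.xlsx', 'notes.txt' | ForEach-Object {
    [pscustomobject]@{ File = $_; Blocked = (Test-BlockedAttachment $_) }
}
```

In an enterprise these values are normally pushed under HKLM or by Group Policy rather than set per user; the per-user keys are used here so the example runs without elevation.
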

 

References

Detailed analysis and countermeasures can be seen here;

 

Smominru Botnet Infection

Smominru is a crypto-mining botnet that propagates on Windows devices using the EternalBlue exploit (which was also used in NotPetya and WannaCry) and via brute-force attacks on exposed services such as RDP, MySQL, Telnet, etc. It further installs crypto-mining malware, harvests login credentials, installs backdoors, alters system configurations and spreads laterally within the network to maximize the number of infections. It has been reported that the Smominru botnet has infected 90,000 machines around the world with an infection rate of 4,700 machines per day. As this malware uses the EternalBlue exploit, most of the infected operating systems are Windows 7 and Windows Server 2008. With the EternalBlue exploit, machines running older and end-of-life versions of Windows would be more affected, and many were believed to be infected because of weak credentials.

Smominru botnet also has different variants named Hexmen and Mykings.

 

Malicious activity

The malware is reportedly capable of:

  • Eliminate other competing malware to prevent it from infecting the machine.
  • Install Crypto-mining malware.
  • Harvest login credentials.
  • Install backdoors.
  • Very quick lateral movement and infection spread.
  • Deploys a large number of payloads and creates many backdoors on infected systems to maintain persistence, including new administrative users, scheduled tasks, Windows Management Instrumentation (WMI) objects, start-up services, and a master boot record (MBR) rootkit.


Malware Activities:

  • After the initial compromise, a first-stage PowerShell script named “blueps.txt” is downloaded onto the machine. It consists of a worm downloader (u.exe / ups.exe), a Trojan horse (upsupx.exe) and an MBR rootkit (max.exe / ok.exe). This script fetches and executes three binary files, creates a new administrator account “admin$” and downloads extra malicious scripts onto the machine.

  • Multiple backdoors have been created which include newly-created users, scheduled tasks, WMI objects and services set to run at boot time. The MS-SQL attack flow includes a unique persistence method; the attackers use the obscure task scheduling engine inside MS-SQL to run jobs at different time intervals, e.g. upon reboot, every 30 minutes.

  • It downloads and runs almost twenty distinct scripts and binary payloads from more than 20 widely distributed servers across the world, in such a way that it is fairly resistant to take-downs.

  • It blocks other malicious actors’ activity by terminating processes, deleting executable files, dropping or modifying backdoor credentials and erasing scheduled tasks and MS-SQL jobs belonging to other actors. It even blocks numerous TCP ports, including 135, 137, 138, 139 and 445, in order to prevent other attackers from breaching its own infected machines.

Countermeasures

  • Apply the appropriate and latest patches for the SMBv1 vulnerability exploited by EternalBlue, and keep Windows OS and Windows Server system software patched and up-to-date.

  • Enable code signing for PowerShell for all types of users so that only signed scripts will execute in PowerShell, and practice “least privilege” access.

  • Monitor all outbound traffic; traffic destined to newly-registered domains or belonging to the category “Uncategorized” should be inspected closely or blocked.

  • Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints. 

  • Segment the critical networks and vulnerable or hard to secure systems from the rest of the network intelligently to restrict the lateral movement. 

  • Enabling and deploying firewalls and intrusion detection and prevention systems will aid in better monitoring and scanning of traffic traversing the network. 

  • Always use strong passwords with a combination of alphabets (both uppercase and lowercase), numerals and special characters. Also, multi-factor authentication should be enabled in all online accounts.

  • Maintain up-to-date antivirus signatures and engines. We also recommend running a reputable, updated antivirus software solution and monitoring systems for unusual or unexpected spikes in CPU usage that could indicate the presence of cryptocurrency mining malware.

  • Using DLP can enhance data protection by highlighting policy violations.

  • Use the PowerShell script developed by Guardicore Labs to detect the presence of a Smominru botnet infection. The script can be found here:

    https://github.com/guardicore/labs_campaigns/blob/master/Smominru/detect_smominru.ps1
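
The persistence artefacts listed in the activity section (a new administrative user, scheduled tasks, WMI objects, boot-time services, block rules on the SMB ports and mining CPU load) can be hunted for generically. The following PowerShell is an added example; it is neither code from the CERT-In advisory nor Guardicore's detect_smominru.ps1. The account name "admin$" and the port list come from the alert text; the path patterns and the process-count threshold are assumptions made for this example.

```powershell
# Added example, not code from the CERT-In advisory and not Guardicore's
# detect_smominru.ps1: a generic hunt for the persistence artefacts listed
# above. "admin$" and the port list come from the alert; the path patterns
# are assumptions made for this example. Run elevated.

function Get-SuspiciousLocalAdmins {
    # Local user accounts in Administrators; flags the name the alert gives and
    # any user whose name ends in "$", a suffix normally reserved for machine accounts.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object {
            $short = ($_.Name -split '\\')[-1]
            [pscustomobject]@{
                Name       = $_.Name
                Source     = $_.PrincipalSource
                Suspicious = ($short -eq 'admin$') -or ($short -match '\$$')
            }
        }
}

function Get-SuspiciousScheduledTasks {
    # Task actions that run from user-writable locations or launch script files /
    # PowerShell with download- or bypass-style arguments (assumed patterns).
    $pathPattern = '\\(Users\\Public|AppData|Temp)\\|\.(ps1|vbs|js|bat|txt)\b'
    $psPattern   = 'powershell.*(downloadstring|downloadfile|-enc|bypass|hidden)'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $pathPattern -or $cmd -match $psPattern) {
                [pscustomobject]@{ TaskPath = $task.TaskPath; TaskName = $task.TaskName; Author = $task.Author; Action = $cmd.Trim() }
            }
        }
    }
}

function Get-WmiEventSubscriptions {
    # Permanent WMI subscriptions in root\subscription. A CommandLineEventConsumer
    # or ActiveScriptEventConsumer is a classic fileless persistence point and is
    # rare on a clean workstation; filters are listed with their WQL query.
    $ns = 'root\subscription'
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue | ForEach-Object {
        $class  = $_.CimClass.CimClassName
        $detail = switch ($class) {
            'CommandLineEventConsumer'  { $_.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $_.ScriptText }
            default                     { $null }
        }
        [pscustomobject]@{ Kind = 'Consumer'; Name = $_.Name; Class = $class; Detail = $detail }
    }
    Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Kind = 'Filter'; Name = $_.Name; Class = '__EventFilter'; Detail = $_.Query }
    }
}

function Get-SmbPortBlockRules {
    # Smominru adds inbound block rules for 135/137/138/139/445 to keep rival
    # malware out; a block rule on these ports that nobody created is itself an indicator.
    $ports = '135', '137', '138', '139', '445'
    Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue | ForEach-Object {
        $pf  = $_ | Get-NetFirewallPortFilter
        $hit = @($pf.LocalPort) | Where-Object { $ports -contains $_ }
        if ($hit) {
            [pscustomobject]@{ Rule = $_.DisplayName; Ports = (@($pf.LocalPort) -join ','); Group = $_.Group }
        }
    }
}

function Get-MiningSuspects {
    # Processes with the most CPU time since start; sustained high CPU from an
    # unsigned binary in a user-writable path is the classic miner signature.
    param([int]$Top = 5)
    Get-Process | Sort-Object CPU -Descending | Select-Object -First $Top | ForEach-Object {
        $path   = $_.Path
        $signed = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        [pscustomobject]@{ Name = $_.Name; Id = $_.Id; CpuSeconds = [math]::Round($_.CPU, 1); Path = $path; Signed = $signed }
    }
}

# Usage: each section prints its own table; empty output is the healthy case.
Get-SuspiciousLocalAdmins    | Format-Table -AutoSize
Get-SuspiciousScheduledTasks | Format-Table -AutoSize -Wrap
Get-WmiEventSubscriptions    | Format-Table -AutoSize -Wrap
Get-SmbPortBlockRules        | Format-Table -AutoSize
Get-MiningSuspects           | Format-Table -AutoSize
```

The MS-SQL job persistence the alert mentions is not covered here; on database hosts the msdb job tables (msdb.dbo.sysjobs and sysjobsteps) should be reviewed for jobs scheduled at start-up or every 30 minutes.
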

 

ELECTRICFISH and BADCALL - Backdoor Spyware

US-CERT has recently released reports about a malware family related to the HiddenCobra gang, aka Lazarus Group, an advanced persistent threat (APT) group state-sponsored by North Korea. The Trojans dubbed ELECTRICFISH and BADCALL (both of them primarily spyware) are malware variants that target Windows systems.

They are tunneling tools designed to exfiltrate data from one system to another over the internet once a backdoor has been placed, while maintaining a secure connection with the command and control server[s]. They contain a custom protocol that permits traffic to be tunneled between source and destination IP addresses, allowing traffic to travel through proxies out of a victim network, bypassing authentication requirements. This can be used by attackers for covert exfiltration of data while staying hidden in the network.

It is also linked to the APT38 group. APT38 is focusing on stealing millions of dollars from banks across the world.

Malicious activity

The malware is reportedly capable of:

  • Read, write, and move files.
  • Funnel out information stolen on the victim machine.
  • Inject code into running processes.
  • Stay hidden and unidentified in a network.
  • Create, start, and stop services.
  • Connect to a remote host.


Malware Activities:

  • The custom protocol implemented through this malware allows traffic to be tunneled between a source and destination IP address. 

  • To initiate a tunneling session, this malware consistently attempts to reach out to source and destination systems.

  • Since this spyware can be configured with a proxy server/port and proxy credentials, this feature allows connectivity to a system sitting behind a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network.
     
  • In BADCALL, the first three files are 32-bit Windows executables that function as proxy servers and implement a "Fake TLS" method whereas the fourth file is an APK file designed to run on Android platforms as a fully functioning Remote Access Tool (RAT). They are designed to force a compromised system to act as a proxy server. This implant is designed to proxy network traffic from an operator to another software tool that is being operated by the adversary on a remote system.
     

References

Detailed analysis and countermeasures can be seen here;

 

Backdoor malware

There is a surge in the distribution of backdoor malware under different names, such as GENERIC Backdoor, Sagerunex Backdoor and Double Pulse Backdoor. These backdoors are used by an attacker to gain access to the victim machine. The initial mode of infection is via malvertising, compromised sites, phishing mail carrying malicious attachments, etc.
 

Countermeasures

  • Keep checking the web proxy logs for users downloading files having the MD5 hashes (as given above) from an external host using a non-standard or high TCP port.

  • Monitor Connection attempts towards the listed domains /IPs. The list may include compromised domains /IP resources as well. Blocking the domains/IPs is solely the recipient's responsibility after diligently verifying them without impacting the operations.

  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.

  • Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.

  • Restrict execution of PowerShell/WSCRIPT in an enterprise environment. Ensure the installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled, including script block logging and transcription. Send the associated logs to a centralized log repository for monitoring and analysis.
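
The PowerShell/WSCRIPT item above, together with the "code signing for PowerShell" item in the LokiBot countermeasures earlier, can be applied and verified with the following script. It is an added example and not code from the CERT-In advisory; the transcript directory is an assumption, the registry paths are the standard PowerShell and Windows Script Host policy keys, and the script must run elevated.

```powershell
# Added example, not code from the CERT-In advisory: allow only signed
# scripts, turn on script block logging and transcription, disable Windows
# Script Host, and show the resulting events so they can be shipped to a
# central log repository. The transcript directory is an assumption. Run elevated.

$TranscriptDir = 'C:\PSTranscripts'   # assumed; in practice point at a write-only share
$PolicyBase    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PowerShellLoggingPolicy {
    param([string]$OutputDirectory = $TranscriptDir)
    $sbl = "$PolicyBase\ScriptBlockLogging"   # produces Event ID 4104 in Microsoft-Windows-PowerShell/Operational
    $tr  = "$PolicyBase\Transcription"        # over-the-shoulder transcript of every session
    foreach ($k in $sbl, $tr) { if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null } }
    New-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $tr  -Name EnableTranscripting      -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $tr  -Name EnableInvocationHeader   -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $tr  -Name OutputDirectory -Value $OutputDirectory -PropertyType String -Force | Out-Null
    New-Item -Path $OutputDirectory -ItemType Directory -Force | Out-Null
    # Only scripts signed by a trusted publisher may run, machine-wide.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

function Disable-WindowsScriptHost {
    # Stops wscript.exe / cscript.exe from running .vbs/.js files for all users.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
}

function Get-PowerShellLoggingPolicy {
    # Effective state, for an audit report.
    $sbl = Get-ItemProperty -Path "$PolicyBase\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $tr  = Get-ItemProperty -Path "$PolicyBase\Transcription"      -ErrorAction SilentlyContinue
    $wsh = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PSVersion          = $PSVersionTable.PSVersion.ToString()
        ExecutionPolicy    = (Get-ExecutionPolicy -Scope LocalMachine)
        ScriptBlockLogging = ($sbl.EnableScriptBlockLogging -eq 1)
        Transcription      = ($tr.EnableTranscripting -eq 1)
        TranscriptDir      = $tr.OutputDirectory
        WshDisabled        = ($wsh.Enabled -eq 0)
    }
}

function Get-RecentScriptBlocks {
    # The last N logged script blocks (4104); Properties[2] is the script text.
    param([int]$Count = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

# Usage
Set-PowerShellLoggingPolicy
Disable-WindowsScriptHost
Get-PowerShellLoggingPolicy | Format-List
Get-RecentScriptBlocks | Format-Table -Wrap
```

The 4104 events and the transcript directory are what the log forwarder should collect; the AllSigned policy is a guard against accidental execution rather than a security boundary, since an interactive user can still bypass it, which is why the logging matters more than the policy.
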

 

Credential Stealer Malware: TrickBOT activity

It is reported that the credential and information stealer malware TrickBot has been spotted in the wild. A brief description is given below:

Malicious activity

TrickBot is a banking Trojan that targets user financial information and acts as a dropper for other malware. TrickBot is distributed via mail spam campaigns or exploit kits on a massive scale. It uses man-in-the-browser attacks to steal financial information, such as login credentials for online banking sessions. These campaigns send unsolicited emails that include an attachment, such as a Microsoft Word or Excel document (for example, invoices from accounting and financial firms), that directs users to download malware from malicious websites or tricks the user into opening malware through an attachment, which enables macros and then executes a VBScript to run a PowerShell script to download the malware.

TrickBot is also dropped as a secondary payload by other malware, such as by Emotet.

 

Countermeasures

  • Enable code signing for PowerShell for all types of users so that only signed scripts will execute in PowerShell.

  • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.

  • Block the attachments of file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.

  • Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.

  • Monitor all outbound traffic; traffic destined to newly-registered domains or belonging to the category “Uncategorized” should be inspected closely or blocked.

  • Maintain up-to-date antivirus signatures and engines.

  • Users must keep their device firmware up-to-date with the latest releases to prevent any potential attacks.

  • Keep operating system patches up-to-date.

 

TrickBot Malware

It has been observed that new variants of the banking malware named TrickBot are spreading and targeting Indian cyberspace. We have analyzed telemetry against IoCs and observed that some of your organization’s clients were interacting with the CnC.

Malicious activity

TrickBot is a modular banking Trojan that targets user financial information and acts as a dropper for other malware. This malware mainly targets banks, payment processors and CRM systems, mainly through malspam campaigns. The infection vector used by the malware is similar to the tactics used by other banking Trojans such as Ryuk, Dyreza, Dridex, Locky and Jaff ransomware, i.e. macro-embedded PDF/document files in emails which make use of PowerShell to fetch and deploy payloads on the targeted users.

Countermeasures

  • Isolate, patch and remediate the infected systems.

  • Updated antivirus/Internet security suites should be used on all devices/systems.

  • Restrict execution of PowerShell/WSCRIPT in an enterprise environment, with enhanced logging enabled, including script block logging and transcription.

  • Disable macros in Microsoft Office products.

  • Implement filters at the email gateway, block suspicious IP addresses at the firewall and do not download attachments from suspicious emails.

 

RobbinHood Ransomware

It has been reported that a new variant of ransomware named RobbinHood is spreading. The modes of spreading this ransomware are malicious advertisements, spam emails, etc. with crafted attachments, or using the EternalBlue exploit to reach the victim machine.

Malicious activity

  • First, the attacker tries to access the victim machine either through compromised Remote Desktop services or via other Trojan malware. Once the attacker successfully accesses the victim machine, the RobbinHood ransomware is dropped on it.

  • Once RobbinHood is installed on the victim machine, it tries to stop running Windows services which could keep files open and prevent their encryption. RobbinHood then clears Shadow Volume Copies, clears event logs and disables Windows automatic repair so that recovery becomes near impossible. RobbinHood targets each victim system individually, as other computers connected to the same network are also disconnected by this ransomware.

  • Finally, the ransomware starts encrypting files using an AES key created for each file and renames all encrypted files as Encrypted_randomstring.enc_robbinhood. After encrypting all files on the victim machine, the attacker drops four different files which contain a message demanding a ransom to decrypt the data.

Countermeasures

  • Users are advised to patch their systems against the BlueKeep (CVE-2019-0708) vulnerability, as this vulnerability affects the RDP service of the system and might be used by an attacker for malicious activity: https://support.microsoft.com/en-in/help/4500705/customer-guidance-for-cve-2019-0708

  • Users are advised to disable RDP if not in use; if required, it should be placed behind the firewall and users should be bound by proper policies while using RDP.

  • Restrict execution of PowerShell/WSCRIPT in an enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled, including script block logging and transcription. Send the associated logs to a centralized log repository for monitoring and analysis.
    Reference: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

  • Establish a Sender Policy Framework (SPF) record for your domain. SPF is an email validation system designed to prevent spam by detecting email spoofing, which is how most ransomware samples successfully reach corporate mailboxes.

  • Application whitelisting/strict implementation of Software Restriction Policies (SRP) to block binaries running from the %APPDATA% and %TEMP% paths. Ransomware samples generally drop and execute from these locations.

  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through the browser.

  • Block the attachments of file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.

  • Consider encrypting the confidential data as the ransomware generally targets common file types.

  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
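
The first two countermeasures (patch BlueKeep, and disable or fence off RDP) can be audited and enforced from PowerShell. The following is an added example and not code from the CERT-In advisory or Microsoft; it does not replace the Microsoft update linked above. It reports whether RDP is reachable, enforces Network Level Authentication (which requires valid credentials before the vulnerable pre-authentication code path is reached) and limits inbound 3389 to a management subnet; the subnet value is an assumption.

```powershell
# Added example, not code from the CERT-In advisory: audit and reduce Remote
# Desktop exposure. It does not replace the Microsoft update for
# CVE-2019-0708 linked above. The management subnet is an assumption. Run elevated.

$ManagementSubnet = '10.10.0.0/24'   # assumed; replace with the jump-host range
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$TcpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections = 0 means RDP accepts connections; UserAuthentication = 1 means NLA is required.
    $ts  = Get-ItemProperty -Path $TsKey
    $tcp = Get-ItemProperty -Path $TcpKey
    $fw  = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue)
    $listening = @(Get-NetTCPConnection -LocalPort $tcp.PortNumber -State Listen -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        RdpEnabled        = ($ts.fDenyTSConnections -eq 0)
        NlaRequired       = ($tcp.UserAuthentication -eq 1)
        Port              = $tcp.PortNumber
        Listening         = ($listening.Count -gt 0)
        OpenFirewallRules = @($fw | Where-Object { $_.Enabled -eq 'True' }).Count
    }
}

function Disable-Rdp {
    # For hosts that do not need RDP at all: refuse connections and close the firewall group.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

function Limit-Rdp {
    # For hosts that need RDP: require NLA and accept 3389 only from the management subnet.
    param([string]$AllowedFrom = $ManagementSubnet)
    Set-ItemProperty -Path $TcpKey -Name UserAuthentication -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    $name = 'RDP from management subnet only'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 3389 `
            -RemoteAddress $AllowedFrom -Action Allow -Profile Domain, Private | Out-Null
    }
}

# Usage: review first, then apply exactly one of the two hardening functions.
Get-RdpExposure | Format-List
# Disable-Rdp
# Limit-Rdp -AllowedFrom '10.10.0.0/24'
```

Get-RdpExposure is the part to run fleet-wide: a host reporting RdpEnabled, Listening and NlaRequired = False is exactly the profile the RobbinHood operators look for.
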

References

  • https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/

  • https://www.joesandbox.com/analysis/129748/0/pdf

 


Gh0st RAT Malware


There is a surge in the distribution of Gh0st RAT malware, a full-featured remote access Trojan for the Windows operating system.

Malicious activity

  • Attackers are distributing Gh0st RAT malware by using HTTP File Server (commonly abbreviated as HFS, a free and easy way to send and receive files across the Internet).

  • Attackers are exploiting the HTTP File Server vulnerability (CVE-2018-8174) to download the file from the URL onto the disk, which was identified as Gh0st RAT. Once this malware reaches the victim machine it tries to communicate with the C2 server under the control of an attacker.

Countermeasures

  • Keep checking the web proxy logs for users downloading files having the MD5 hashes (as given above) from an external host using a non-standard or high TCP port.

  • Monitor connection attempts towards the listed domains/IPs. The list may include compromised domains/IP resources as well. Blocking the domains/IPs is solely the recipient's responsibility after diligently verifying them without impacting operations.

  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.

  • Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.

  • Restrict execution of PowerShell/WSCRIPT in an enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled, including script block logging and transcription. Send the associated logs to a centralized log repository for monitoring and analysis.
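
The proxy-log and watch-list items above (and the identical items in the Backdoor malware section earlier) can be worked through with a small parser. The following PowerShell is an added example and not code from the CERT-In advisory: the log format (space-separated time, client, method, URL, status, bytes) and the sample lines are constructed for the example, and the watch list and MD5 list are placeholders to be filled from the advisory, which this page does not reproduce.

```powershell
# Added example, not code from the CERT-In advisory: review proxy logs for
# downloads from external hosts on non-standard or high TCP ports and for
# connections to watch-listed domains, then check local files against the
# advisory's MD5 list. Log format and sample lines are constructed; the two
# lists are placeholders.

$WatchedDomains = @('bad-example.test')   # placeholder: domains/IPs listed in the advisory
$KnownBadMd5    = @()                      # placeholder: MD5 hashes given in the advisory

# Constructed sample: time client method url status bytes
$SampleLog = @'
2019-11-13T09:12:01Z 10.0.5.21 GET http://cdn.example.com/updates/setup.msi 200 4194304
2019-11-13T09:14:37Z 10.0.5.21 GET http://203.0.113.45:8081/svchost32.exe 200 221184
2019-11-13T09:15:02Z 10.0.5.33 CONNECT bad-example.test:443 200 5120
2019-11-13T09:16:44Z 10.0.5.33 GET https://files.example.org/report.pdf 200 98304
'@ -split "`n"

function ConvertFrom-ProxyLine {
    # Parse one line; CONNECT lines carry host:port without a scheme, so a
    # dummy scheme is prepended to let System.Uri split host and port.
    param([string]$Line)
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 6) { return $null }
    $target = $f[3]
    if ($target -notmatch '^[a-z]+://') { $target = "tcp://$target" }
    $uri = [System.Uri]$target
    [pscustomobject]@{
        Time = $f[0]; Client = $f[1]; Method = $f[2]
        Host = $uri.Host; Port = $uri.Port; Url = $f[3]
        Status = $f[4]; Bytes = [long]$f[5]
    }
}

function Find-SuspiciousDownloads {
    param([string[]]$Lines, [string[]]$Watch = $WatchedDomains)
    foreach ($l in $Lines) {
        $r = ConvertFrom-ProxyLine $l
        if (-not $r) { continue }
        $reasons = @()
        if ($r.Port -notin 80, 443) { $reasons += "non-standard port $($r.Port)" }
        if ($r.Port -ge 1024)       { $reasons += 'high port' }
        if ($r.Host -match '^\d{1,3}(\.\d{1,3}){3}$') { $reasons += 'raw IP, no hostname' }
        if ($Watch -contains $r.Host) { $reasons += 'watch-listed host' }
        if ($r.Url -match '\.(exe|dll|scr|ps1|vbs|js|hta)(\?|$)') { $reasons += 'executable download' }
        if ($reasons) {
            $r | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

function Find-KnownBadFiles {
    # MD5 of executables under the user profiles, compared with the advisory list.
    param([string[]]$Hashes = $KnownBadMd5, [string]$Root = "$env:SystemDrive\Users")
    if (-not $Hashes) { return }
    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($h -and ($Hashes -contains $h)) { [pscustomobject]@{ Path = $_.FullName; MD5 = $h } }
        }
}

# Usage: on the sample, lines 2 (port 8081, raw IP, .exe) and 3 (watch-listed host) are reported.
Find-SuspiciousDownloads -Lines $SampleLog | Format-Table Time, Client, Host, Port, Reasons -AutoSize -Wrap
Find-KnownBadFiles | Format-Table -AutoSize
```

Replace $SampleLog with the proxy's real export (most proxies can emit this field order, or the parser's field indices can be adjusted); the reasons column is deliberately additive so that a line matching several criteria sorts to the top.
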


Kindly visit https://www.cyberswachhtakendra.gov.in to get information about latest malware/botnets and to download free botnet removal tools.

 

Hawkeye Key Logger Malware


Hawkeye Key Logger Malware is an info-stealing malware which steals the credentials from the victim browser and email client.

 

Malicious activity

  • The malware spreads through a malicious document which contains a shortened URL to connect to a remote location. Once the victim reaches it, it downloads a remote frame which finally downloads an Excel file having a macro.

  • This macro contains the final URL to download the malware (to the location C:\Users\Public\svchost32.exe) with the help of PowerShell. Once the malware executes, it deletes Windows Defender AV’s malware definitions and restricts access to certain domains which are associated with antivirus or security updates so that it remains undetected on the victim machine.


Countermeasures

  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign.

  • Monitor connection attempts towards the listed domains/IPs. The list may include compromised domains/IP resources as well. Blocking the domains/IPs is solely the recipient's responsibility after diligently verifying them without impacting operations.

  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.

  • Restrict execution of PowerShell/WSCRIPT in an enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled, including script block logging and transcription. Send the associated logs to a centralized log repository for monitoring and analysis.
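
The activity description gives a defender three concrete things to check on a host: the drop path, tampering that cuts off antivirus and update domains, and missing Windows Defender definitions. The following PowerShell is an added example and not code from the CERT-In advisory; the drop path comes from the alert, while the maximum signature age and the sample hosts-file lines are constructed for the example. It reads the hosts file as the most common place for such domain blocking; the advisory does not say which mechanism Hawkeye uses.

```powershell
# Added example, not code from the CERT-In advisory: check the Hawkeye drop
# path named above, look for hosts-file entries that sinkhole names, and
# report stale Windows Defender definitions. The age threshold and the sample
# hosts lines are constructed for this example.

function Test-DropPath {
    # Presence, hash and signature state of the path the alert names.
    param([string]$Path = 'C:\Users\Public\svchost32.exe')
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }
    $f = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path    = $Path
        Present = $true
        Sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Created = $f.CreationTime
        Signed  = (Get-AuthenticodeSignature -FilePath $Path).Status
    }
}

function Find-SinkholedEntries {
    # Any hostname other than the loopback names pointed at 127.0.0.1, 0.0.0.0
    # or ::1 silently blocks that name; each such line deserves a look.
    param([string[]]$Lines)
    $loopbackNames = 'localhost', 'localhost.localdomain', 'ip6-localhost', 'ip6-loopback'
    foreach ($line in $Lines) {
        $t = ($line -replace '#.*$', '').Trim()
        if (-not $t) { continue }
        $parts = $t -split '\s+'
        if ($parts.Count -lt 2) { continue }
        if ($parts[0] -notin '127.0.0.1', '0.0.0.0', '::1') { continue }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            if ($name -notin $loopbackNames) {
                [pscustomobject]@{ Address = $parts[0]; Name = $name; Line = $line.Trim() }
            }
        }
    }
}

function Get-SinkholedHostsEntries {
    param([string]$HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts")
    Find-SinkholedEntries -Lines (Get-Content -LiteralPath $HostsFile -ErrorAction SilentlyContinue)
}

function Test-DefenderSignatures {
    # Hawkeye deletes definitions; a signature set older than a few days on a
    # connected host is worth an alert. The threshold is an assumption.
    param([int]$MaxAgeDays = 3)
    $s = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $s) { return [pscustomobject]@{ DefenderAvailable = $false } }
    $age = ((Get-Date) - $s.AntivirusSignatureLastUpdated).TotalDays
    [pscustomobject]@{
        DefenderAvailable  = $true
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignatureVersion   = $s.AntivirusSignatureVersion
        SignatureAgeDays   = [math]::Round($age, 1)
        Stale              = ($age -gt $MaxAgeDays)
    }
}

# Offline check on constructed hosts lines: only the last two should be reported.
$sampleHosts = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1       localhost',
    '::1             localhost',
    '127.0.0.1       update.example-av.test   # constructed: an AV update host',
    '0.0.0.0         download.example-av.test'
)
Find-SinkholedEntries -Lines $sampleHosts | Format-Table -AutoSize

# Live checks on this host
Test-DropPath | Format-List
Get-SinkholedHostsEntries | Format-Table -AutoSize
Test-DefenderSignatures | Format-List
```

A hosts file that sinkholes security-vendor names and a Defender signature age of several days on a machine with Internet access are, taken together, a strong indicator even when the drop path is no longer present.
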



 

Magniber Ransomware


Magniber ransomware is being distributed through malvertisements and compromised websites which make the victim land on the Magnitude exploit kit page.
 

Malicious activity

  • The victim is landed on the Magnitude exploit page with the help of obfuscated JavaScript along with a Base64-encoded VBScript.

  • It tries to exploit the vulnerability (CVE-2018-8174) present in the VBScript engine with the help of Internet Explorer. This VBScript then executes the shellcode.

  • The shellcode just acts as a simple downloader for the obfuscated payload. This obfuscated payload contains the Magniber ransomware in packed form, which it unpacks and tries to inject into a legitimate process.

  • Finally, the ransomware starts encrypting all the files with a unique key and adds the .dyaaghemy extension to all the encrypted files. While encrypting the files, Magniber also creates a ransom note and links to a URL (which contains the victim’s actual ID) of a TOR decryption service to decrypt the files.


Countermeasures

  • Perform the regular backup of all the critical information to minimize the loss.

  • Keep the operating system and third-party applications (MSOffice, browsers, browser Plugins, and antivirus) up-to-date with the latest patches.

  • Use the Microsoft BitLocker full-drive encryption feature to mitigate unauthorized data access by enhancing file and system protection.

  • Follow safe practices when browsing the web. Ensure the web browsers are secured enough with appropriate content controls.

  • Restrict execution of PowerShell/WSCRIPT in an enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled, including script block logging and transcription. Send the associated logs to a centralized log repository for monitoring and analysis.



 

Healthcare Sector Malware Orangeworm

An attack campaign dubbed Orangeworm mainly targeting the healthcare sector IT infrastructure - healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry - is reported using a backdoor Kwampirs.

Malicious activity

  • The malware targets medical devices (including high-tech imaging gear such as X-ray devices and MRI machines), network shares and servers, and platforms that assist patients in completing consent forms for required procedures.

  • The backdoor Trojan executes, decrypts and extracts a copy of its main DLL payload, inserting a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detection.

  • It collects information such as network adapter information, system version information, language settings, system date, domain local groups, running processes and services, etc. from the victim system.


Countermeasures

  • Use firewalls, gateway antivirus, intrusion detection devices and monitoring to screen for the unauthorized intrusion, port scans, and other network attacks and security breaches.

  • Update the operating system with the latest patches to fix known vulnerabilities. Keep antivirus and antispyware signatures up-to-date and keep checking the traffic flow from your systems to the above-mentioned IPs and domains regularly.

  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign.

  • Restrict execution of PowerShell/WSCRIPT in an enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled.



 

Banking Trojan Emotet

The Emotet Trojan is designed to steal banking credentials and other sensitive information and is most often propagated by way of phishing emails containing a crafted document purporting to be an invoice or other business communication, or links to similar. Reportedly, the surge in Emotet activity observed involves the use of a spam botnet, which results in its rapid distribution via email and in turn distributes IcedID, TrickBot, etc. Emotet can also spread via a network propagation module that brute-forces its way into a domain account using a dictionary attack. Emotet’s use of compromised URL s as C&C servers has likely helped it spread as well. Once Emotet has infected a host, a malicious file that is part of the malware is able to intercept, log and save outgoing network traffic via a web browser, leading to sensitive data being compiled to access the victim's bank account. According to reports, the Trojan may download the following modules to carry out various tasks:

  • Banking module
  • Distributed denial of service (DDoS) module
  • Spam module
  • Email client infostealer module
  • Browser infostealer module
  • Personal Storage Table (PST) infostealer module

Recommendations

  • Monitor connection attempts towards the listed domains/IPs. The list may include compromised domains/IP resources as well. Blocking the domains/IPs is solely the recipient's responsibility after diligently verifying them without impacting operations.

  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.

  • Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.

  • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.

  • Restrict the execution of PowerShell/WSCRIPT in an enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled, including script block logging and transcription. Send the associated logs to a centralized log repository for monitoring and analysis.

 

Information Stealer Backdoor Malware Darkcomet

Reports have been received of Darkcomet RAT variants that collect and exfiltrate system information, user credentials, cryptocurrency wallets, browser information and login credentials. It is designed to allow a remote operator to perform various specific functions, such as recording the victim's information and downloading additional malicious payloads.

When executed, the malware checks if the following Anti-Virus (AV) applications are installed:

  • Bitdefender
  • Kaspersky Anti-Virus

It logs the victim's activities in plaintext, such as keystrokes (with timestamps), clipboard changes, applications used and more, into "%AppData%\dclogs\YY-MM-DD-00.dc". It attempts to connect to the domain "dkcengin.ddns.net" on port 4891 and waits for commands from the C2 server or controller.
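The two host indicators named above (the dclogs keylog path and the C2 domain/port) can be turned into a simple triage check. This is an added example, not part of the advisory; the file listing and connection table are constructed, and matching any two-digit suffix in the log name (the advisory shows "00") is an assumption.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Keylog path from the advisory: %AppData%\dclogs\YY-MM-DD-00.dc. The advisory
# shows a literal "00" suffix; matching any two digits there is an assumption.
DCLOG_RE = re.compile(r"\\dclogs\\\d{2}-\d{2}-\d{2}-\d{2}\.dc$", re.IGNORECASE)
C2_DOMAIN = "dkcengin.ddns.net"
C2_PORT = 4891

Conn = Tuple[str, str, int]  # (process name, remote host, remote port)


def is_dclog_path(path: str) -> bool:
    """True if the path looks like a DarkComet keylog file."""
    return DCLOG_RE.search(path) is not None


def triage_host(paths: Iterable[str], conns: Iterable[Conn]) -> Dict[str, List[str]]:
    """Collect DarkComet indicators from a file listing and a connection table."""
    findings: Dict[str, List[str]] = {"dclogs": [], "c2": []}
    for p in paths:
        if is_dclog_path(p):
            findings["dclogs"].append(p)
    for proc, host, port in conns:
        # Either indicator alone is worth a look: the domain may resolve to a
        # new IP, and the port may be reused with a different hostname.
        if host.lower() == C2_DOMAIN or port == C2_PORT:
            findings["c2"].append(f"{proc} -> {host}:{port}")
    return findings


# Constructed sample data (not taken from a real host).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\dclogs\19-11-13-00.dc",
    r"C:\Users\alice\AppData\Roaming\dclogs\19-11-12-00.dc",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\notes.lnk",
]
SAMPLE_CONNS: List[Conn] = [
    ("svchost.exe", "dkcengin.ddns.net", 4891),
    ("chrome.exe", "example.com", 443),
]
```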

 

CERT-In Recommends

  • Restrict connections towards the domains. Put the IPs under a watchlist. [Note: blocking IPs can impact the business. An IP address may host multiple genuine domains or may belong to compromised infrastructure. Blacklisting is entirely a matter of the organization's business policy.]

  • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.

  • Restrict execution of PowerShell/WSCRIPT in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging (script block logging and transcription) enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
    Reference: https://www.fireeye.com/blog/threatresearch/2016/02/greater_visibilityt.html

  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution. Note: many malicious domains use the .PW, .TOP and .ME TLDs and DynDNS domains. Monitor connections to such domains.

  • Apply application whitelisting or strictly implement Software Restriction Policies (SRP)/AppLocker to block binaries running from the %APPDATA% and %TEMP% paths.

  • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through a browser.

  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header). Monitor users' web browsing habits; restrict access to sites with unfavorable content.

  • Block attachments of the following file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf

 

Malware SAMSAM Ransomware

A surge in SAMSAM ransomware activity has been observed, using various tactics such as exploiting vulnerabilities in Remote Desktop Protocol (RDP), Java-based web servers, or File Transfer Protocol (FTP) servers to gain access to the victims' network. Successful infection encrypts all user data with RSA-2048 encryption.

Following the encryption of the victim's files, the ransomware executes "selfdel.exe" [extracted from the resource section] to delete itself from the system and drops the ransom note "HELP_DECRYPT_YOUR_FILES.html" onto the victim's system.

CERT-In Recommends:

  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
     
  • Restrict connections towards the domains. Put the IPs under a watchlist. [Note: blocking IPs can impact the business. An IP address may host multiple genuine domains or may belong to compromised infrastructure. Blacklisting is entirely a matter of the organization's business policy.]
     
  • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.

  • Restrict execution of PowerShell/WSCRIPT in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging (script block logging and transcription) enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
    Reference: https://www.fireeye.com/blog/threatresearch/2016/02/greater_visibilityt.html

  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
    Note: many malicious domains use the .PW, .TOP and .ME TLDs and DynDNS domains. Monitor connections to such domains.
     
  • Apply application whitelisting or strictly implement Software Restriction Policies (SRP)/AppLocker to block binaries running from the %APPDATA% and %TEMP% paths.
     
  • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through a browser.
     
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header). Monitor users' web browsing habits; restrict access to sites with unfavorable content.
     
  • Block attachments of the following file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf

  • Use firewalls (both software and hardware where available) to restrict access to Remote Desktop listening ports (default is TCP 3389) and File Transfer Protocol (TCP 21).
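The attachment-type blocklist and the "true file type" check recommended above (and identically in the Darkcomet recommendations) can be enforced together at a mail gateway, as in this added example, which is not part of the advisory. The magic-number table and the mapping of container types to acceptable extensions are constructed for illustration; a production filter would use a full signature database.

```python
from typing import Optional, Tuple

# Extension blocklist exactly as listed in the advisory above.
BLOCKED_EXTENSIONS = set(
    "exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf".split("|")
)

# Magic-number table constructed for this example; the byte values are the
# standard file headers of the listed formats.
MAGIC = [
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                        # also docx/xlsx/pptx containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy doc/xls/ppt
    (b"MZ", "pe"),                                 # Windows PE: exe, dll, scr ...
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
]

# Extensions that legitimately carry each detected container type (assumed).
EXPECTED = {
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx"},
    "ole": {"doc", "xls", "ppt", "msg"},
    "png": {"png"},
    "jpg": {"jpg", "jpeg"},
    "pe": set(),  # no allowed extension may carry a PE header
}


def sniff(data: bytes) -> Optional[str]:
    """Return the container type implied by the file header, or None if unknown."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def check_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return ('block' | 'allow', reason) for one attachment."""
    name = filename.lower()
    # A double extension such as "invoice.pdf.exe" resolves to "exe" here.
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension .{ext} is on the blocklist"
    # A renamed executable ("invoice.pdf" holding an MZ header) is caught here.
    kind = sniff(data)
    if kind is not None and ext not in EXPECTED[kind]:
        return "block", f"content is {kind} but extension is .{ext or '(none)'}"
    return "allow", "extension and file header agree"
```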

 

Satori Botnet

Satori Botnet affecting IoT devices

You may be aware that a new botnet named Satori has been found infecting Internet of Things (IoT) devices.

The possible modus operandi of this malware is as follows:

  • Compromise IoT systems.
  • Create botnets of the compromised devices.
  • Use compromised devices to launch DDoS attacks.
  • Make network connections to receive commands to launch further attacks.

The following countermeasures can be taken to protect IoT devices:

  • Restrict Web Management Interface access of IoT devices to authorized users only and change default usernames/passwords.
  • Disable Universal Plug and Play (UPnP) on IoT devices unless absolutely required.
  • Keep antivirus software on computer systems up to date.
  • Keep up to date on patches and fixes for the IoT devices, operating system, and applications.
  • Unnecessary ports and services on the devices should be stopped and closed.

Kindly visit https://www.cyberswachhtakendra.gov.in to get information about the latest malware/botnets and to download free botnet removal tools.

 

Mirai Botnet

Mirai Botnet affecting IoT devices

A new malware named Mirai, targeting Internet of Things (IoT) devices such as printers, video cameras, routers and smart TVs, is spreading. The malware is capable of scanning network devices or Internet of Things and attempts to compromise these systems, especially those protected with default credentials or hard-coded usernames and passwords.

The malware is capable of performing the following functions:

  • Compromise IoT systems with default usernames and passwords.
  • Create botnets of the compromised devices.
  • Use compromised devices to launch DDoS attacks.
  • Make network connections to receive commands to launch further attacks.

Indicators of compromise:

  • Abnormal traffic on port 2323/TCP and 23/TCP as it scans for vulnerable devices.
  • Command and Control Network traffic on port 48101/TCP.
  • Huge outbound traffic if the device is part of a DDoS attack.
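The three indicators above map directly onto flow telemetry: many distinct destinations on 23/TCP or 2323/TCP from one device, any connection to 48101/TCP, and an abnormal outbound byte count. The detector below is an added example, not part of the advisory; the flow records are constructed, and the scan and volume thresholds are assumptions to be tuned per network.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Ports named in the indicators above.
TELNET_SCAN_PORTS = {23, 2323}
C2_PORT = 48101

# Thresholds are assumptions for this example; tune them to the network.
SCAN_DISTINCT_DSTS = 5             # distinct Telnet targets before a host is flagged
OUTBOUND_BYTES_LIMIT = 50_000_000  # ~50 MB from one device within the window

Flow = Tuple[str, str, int, int]  # (src_ip, dst_ip, dst_port, bytes_out)

# Constructed flow records (not real telemetry): one device sweeping Telnet
# ports and checking in on 48101, one flooding outbound, one benign client.
SAMPLE_FLOWS: List[Flow] = (
    [("192.168.1.20", f"203.0.113.{i}", 23 if i % 2 else 2323, 120) for i in range(1, 9)]
    + [("192.168.1.20", "198.51.100.9", 48101, 600)]
    + [("192.168.1.40", "203.0.113.77", 80, 30_000_000)] * 3
    + [("192.168.1.30", "192.168.1.1", 443, 9_000)]
)


def detect_mirai_iocs(flows: Iterable[Flow]) -> Dict[str, List[str]]:
    """Return {src_ip: [finding, ...]} for hosts matching any Mirai indicator."""
    telnet_targets = defaultdict(set)
    c2_sources = set()
    out_bytes = defaultdict(int)
    for src, dst, dport, nbytes in flows:
        if dport in TELNET_SCAN_PORTS:
            telnet_targets[src].add(dst)      # count distinct targets, not flows
        if dport == C2_PORT:
            c2_sources.add(src)
        out_bytes[src] += nbytes

    findings: Dict[str, List[str]] = defaultdict(list)
    for src, targets in telnet_targets.items():
        if len(targets) >= SCAN_DISTINCT_DSTS:
            findings[src].append(f"telnet scan: {len(targets)} distinct hosts on 23/2323")
    for src in sorted(c2_sources):
        findings[src].append(f"connection to C2 port {C2_PORT}/TCP")
    for src, total in out_bytes.items():
        if total >= OUTBOUND_BYTES_LIMIT:
            findings[src].append(f"abnormal outbound volume: {total} bytes")
    return dict(findings)
```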

When the malware runs, it turns the infected system into a bot connecting to a C&C server. Bot-infected systems connect to the C&C servers on specific ports and listen for commands from the remote attacker. In view of the high damage potential of botnet-infected machines, customers are requested to disinfect their systems and take the countermeasures suggested below to prevent such incidents in future.

Countermeasures for securing IoT devices:

  • Restrict Web Management Interface access of IoT devices to authorized users only and change default username/passwords.
  • Always change default login credentials before deployment in production.
  • Change default credentials at device startup and ensure that passwords meet the minimum complexity.
  • Disable Universal Plug and Play (UPnP) on IoT devices unless absolutely required.
  • Users should be aware of the installed devices and their capabilities. If a device comes with a default password or an open Wi-Fi connection, users should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
  • Control access to the devices with access control lists.
  • Configure devices to "lock" or log out and require a user to re-authenticate if left unattended.
  • Identify systems with default passwords and implement the above-mentioned measures. Some of the systems that need to be examined are routers, switches, web applications and administrative web interfaces, ICS systems, and Telnet and SSH interfaces.
  • Implement account lockout policies to reduce the risk of brute forcing attacks.
  • Telnet and SSH should be disabled on a device if there is no requirement for remote management.
  • Configure VPN and SSH to access devices if remote access is required.
  • Configure certificate-based authentication for the Telnet client for remote management of devices.
  • Implement Egress and Ingress filtering at the router level.
  • Report suspicious entries in Routers to your Internet Service Provider.
  • Keep antivirus software on computer systems up to date.
  • Keep up-to-date on patches and fixes on the IoT devices, operating system, and applications.
  • Unnecessary ports and services should be stopped and closed.
  • Logging must be enabled on the device to log all the activities.
  • Enable and monitor perimeter device logs to detect scan attempts towards critical devices/systems.