5ss5c Ransomware

The threat actors behind the Satan, DBGer and Lucky ransomware, are back with a new piece of malware named ‘5ss5c’. Like Satan, 5ss5c launches process via a downloader and leverages the EternalBlue exploit for spreading. The downloader for the 5ss5c ransomware fetches and leverages the following:

• EternalBlue exploit and hardcoded credentials
• Mimikatz and another password stealer or dumper
• The actual ransomware 5ss5c as a second-stage malware

The dropper provides hardcoded credentials for the command-and-control (C2) server for the ransomware to connect to an SQL database. 5ss5c has an entirely fresh list of files to be encrypted. It only encrypt files with extensions 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx and zip. As evident, this list primarily includes documents, archives, database files and VMware-related extensions like vmdk. The 5ss5c ransomware drops a ransom note in Chinese that demands a ransom of 1 bitcoin for decryption. The ransom note doesn’t include attackers’email to contact for the payment or a Bitcoin address, instead, the ransomware prepends the email address (5ss5c(at)mail[.]ru) to the file name of each encrypted file.

Countermeasures

• The majority of the ransomware infections are primarily introduced via phishing emails, malicious adverts on websites, and third-party apps and programs. Hence, thoughtfully designed security awareness campaigns that stress the avoidance of clicking on links and attachments in email, can establish an essential pillar of ransomware defense.

• It is crucial to install an active instance of a reputed multi-layered anti-malware solution updated with the latest signatures in all endpoint devices which will help reduce the gravity of such attacks.

• Monitor Connection attempts towards the listed domains /IPs. The list may include compromised domains /IP resources as well. Blocking the domains/IPs is solely the recipient's responsibility after diligently verifying them without impacting the operations.

• The key infection vector of 5ss5c involves exploiting vulnerabilities, especially the EternalBlue exploit; thus patching the specifically targeted vulnerabilities will reduce the attack window for the ransomware.

• Ransomware infections like 5ss5c primarily keep data as a hostage. Therefore, practicing regular backup of critical data can save the business in the event of such outbreaks. Also please ensure to maintain offline backups.

• All operating systems and applications should be kept updated on a regular basis. Virtual patching can be considered for protecting legacy systems and networks. This measure hinders cybercriminals from gaining easy access to any system through vulnerabilities in outdated applications and software. Avoid applying updates/patches available in any unofficial channel.

• Segmenting the critical networks and vulnerable or hard to secure systems from the rest of the network intelligently could serve as an effective shield against such attacks.

Android Malware - IMobile

It is reported that a malicious android application called IMobile-Verify is part of the Income-tax phishing scheme. The app is distributed via a phishing page that is found to do the Indian income tax scam. The phishing page
asks users to download the APK to verify their mobile number. Once downloaded and installed the application requests to become the default source for sending and receiving SMS or Two-factor authentication messages.

This app could be being used to intercept these banking SMS messages and relay them to the attacker. Attackers could use this information to gain unauthorized access into bank accounts and steal money from unsuspecting users.

Countermeasures

• Monitor Connection attempts towards the listed domains. The list may include compromised domains as well. Blocking the domains is solely the recipient's responsibility after diligently verifying them without impacting the operations.

• Users if found any above-mentioned package, android app in their phone should immediately uninstall it from their device. Through setting>applications. Users can also use the factory reset option to move their device in the base configuration.

• Do not download and install applications from untrusted sources [offered via unknown websites/ links on unscrupulous messages]. Install applications downloaded from the reputed application market only.

• Install and maintain updated antivirus solution on android devices. Scan the suspected device with antivirus solutions to detect and clean infections.

• Prior to downloading/installing apps on android devices (even from Google Play Store):

• Always review the app details, number of downloads, user reviews, comments and "ADDITIONAL INFORMATION" section.

• Verify app permissions and grant only those permissions which have relevant context for the app's purpose.

• In settings, do not enable the installation of apps from "Untrusted Sources".

• Exercise caution while visiting trusted/untrusted sites for clicking links.

• Install Android updates and patches as and when available from Android device vendors.

• Users are advised to use device encryption or encrypting external SD card feature available with most of the Android OS.

• Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious applications.

Full(z) House: New Magecart Group activity

It is reported that a MageCart group is known as Fullz House has been active in performing banking-related crimes combining phishing with card skimming.

Magecart is a modus operandi used by different threat actors targeting e-commerce sites (mainly built on the Magento e-commerce platform) with JavaScript-based credit card web skimmers used to steal CNP (card not present) data, stealing unsuspecting customers’ payment card details and other information entered into the fields on the page.

The group operates an underground trading post called BlueMagicStore which sells fullz, also known as full packages of information, including both Personally Identifiable Information (PII) and stolen banking data. It is reported that they have pivoted to card skimming to open up a sales point for credit card information which they named CardHouse, another marketplace that traffics in stolen credit card numbers and security codes. Their modus operandi is by combining tactics working in two ecosystems, phishing and web skimming which was playing with a full deck to steal financial data. It sets up fake payment pages on the same domains as their skimmers and redirects victims to legitimate payment processors after the information has been stolen, thereby performing Man-in-The-Middle (MiTM) attack to steal payment data and reportedly hide their activities behind new Cloudflare infrastructure.

Countermeasures

• Monitor Connection attempts towards the listed domains. The list may include compromised domains /IP resources as well. Blocking the domains/IPs is solely the recipient's responsibility after diligently verifying them without impacting the operations. 

• Enabled code signing feature for all types of users in Power script so that only signed script will execute in Power shell. 

• Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running. 

• Block the attachments of file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf. 

• Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints. 

• Monitoring all outbound traffic especially the traffic that is destined to newly-registered domains or belongs to the category: “Uncategorized” should be inspected closely or blocked. Maintain up-to-date antivirus signatures and engines. 

• Users must keep their device firmware devices up-to-date with the latest releases to prevent any potential attacks. 

• Keep operating system patches up-to-date.
   

References

Detailed analysis and countermeasures can be seen here;

• https://www.riskiq.com/blog/labs/fullz-house/

Dridex Banking Trojan

It has been reported that various Threat Actors are actively using Dridex Banking Malware and its derivatives to target the financial services sector, including financial institutions. The attackers are targeting financial services firms through phishing campaigns. The targets of this malware are Windows users who open an email attachment in Word or Excel, causing macros to activate and download Dridex, infecting the computer and opening the victim to banking theft.

Dridex Banking Trojan (also known as Bugat, Cridex or Feodo) is a form of malware, first spotted in 2012, that specializes in stealing bank credentials via a system that utilizes macros from MS Word. The primary objective is to steal banking information from users of infected machines to immediately launch fraudulent transactions. It could also install a keyboard listener and performs injection attacks.

Infection Vector: This Trojan is primarily distributing via phishing email campaigns with attached Microsoft Office documents containing malicious macros.

Malicious activity

The Dridex malware is reportedly capable of

• Steal information from forms.
• Use the injection method based on the “AtomBombing” technique, to evade antimalware solutions. 
• Take screenshots. 
• Redirect HTTP requests. 
• Inject code into web applications. 
• Keystroke logging. 
• Steal User credentials. 
• Virtual network computing (VNC). 
• Back connect. 
• Act as a mini server (peer node). 
• Delete files. 
• Launch distributed denial-of-service (DDoS) attacks and harvest users' banking credentials.
  
  

Countermeasures

• Enabled code signing feature for all types of users in Power script so that only signed script will execute in Power shell.

• Monitor Connection attempts towards the listed IPs/domains. The list may include compromised domains /IP resources as well. Blocking the domains/IPs is solely the recipient's responsibility after diligently verifying them without impacting the operations.

• Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.

• Block the attachments of file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.

• Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.

• Monitoring all outbound traffic especially the traffic that is destined to newly-registered domains or belongs to the category: “Uncategorized” should be inspected closely or blocked.

• Maintain up-to-date antivirus signatures and engines. 

• Keep operating system patches up-to-date. 

• Update intrusion detection and prevention systems frequently to ensure the latest variants of malware and downloaders are included. 

• Conduct regular backup of data, ensuring backups are protected from a potential ransomware attack. 

• If there is any doubt about message validity, call and confirm the message with the sender using a number or e-mail address already on file. 

• Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication. 

• Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrator's group unless required. 

• Enforce a strong password policy and require regular password changes. 

• Implement appropriate access control lists. 

• Exercise cybersecurity procedures and continuity of operations plan to enhance and maintainability to respond during and following a cyber incident.

NEW ZEROCLEARE DATA WIPER

A new destructive, disk-wiping malware has been recently discovered that is being used to conduct several targeted attacks against the industrial and energy sectors. The malware has been named ZeroCleare after the program database (PDB) pathname of its binary file. ZeroCleare is a typical data wiper malware that is used by threat actors to delete data from compromised systems in order to remove traces of the infection and cause disruptions to regular business processes. Two variants of the wiper have been observed - one that goes after 32-bit machines while the other targets 64-bit systems.

Malicious activity

The technique used for this campaign is as follows ;

• The attack is initiated by carrying out brute force attacks to crack passwords and access numerous network accounts.
• Post gaining access, the threat actors exploit a SharePoint vulnerability to install China Chopper and Tunna web shells.
• Attackers abuse legitimate remote access tools like TeamViewer and use an obfuscated variant of Mimikatz to exfiltrate credentials from compromised servers.
• In order to maximize the number of infections, the attackers move laterally inside the network and deploy ZeroCleare in the ultimate stage of their attack.

Countermeasures

• Monitor Connection attempts towards the listed domains /IPs/Hashes. The list may include compromised domains /IP resources as well. Blocking the domains/IPs is solely the recipient's responsibility after diligently verifying them without impacting the operations.

• All operating systems and applications should be kept updated on a regular basis. Virtual patching can be considered for protecting legacy systems and networks. This measure hinders cybercriminals from gaining easy access to any system through vulnerabilities in outdated applications and software. Avoid applying updates/patches available in any unofficial channel.

• It is crucial to install an active instance of a reputed multi-layered anti-malware solution updated with the latest signatures in all endpoint devices which will help reduce the gravity of such attacks.

• As ZeroCleare is a data wiper, practicing regular backup of data can save the business in the event of an outbreak.

• The practice of data classification should be adopted in order to keep all digital assets safe.

• Deployment of application control and whitelisting and behavior monitoring can be considered as an easy and affordable method for mitigating unauthorized access and privilege by preventing suspicious applications or processes from executing.

• Enabling and deploying firewalls and intrusion detection and prevention systems will aid in better monitoring and scanning of traffic traversing the network.

• Monitoring all outbound traffic especially the traffic that is destined to newly-registered domains or belongs to the category: “Uncategorized” should be inspected closely or blocked.
  
  
• Practicing the “least privilege” of access could appear as an effective defense against these attacks. The campaign has been seen using PowerShell scripts; hence users who do not require PowerShell to perform their activities should not have access to it.
  
  
• As the attackers move laterally inside the network to deploy ZeroCleare, segmenting the critical networks and vulnerable or hard to secure systems from the rest of the network intelligently could serve as an effective shield against such attacks.

References

Detailed analysis and countermeasures can be seen here;

• https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/

ROBOTO Botnet

It is reported that a new cybercrime campaign named ROBOTO Botnet is in surge for its malicious activities. It has been identified that the new peer to peer (P2P) botnet is exploiting Linux servers running vulnerable Webmin apps.

The main function of the botnet is exploiting a remote code-execution vulnerability (CVE-2019-15107) in Webmin to drop its downloader module on Linux servers running vulnerable installations of Webmin.

Malicious activity

The notorious botnet supports the following functionalities ;

• Reverse shell.
• Self-uninstall.
• System command execution.
• Exfiltration process and network information.
• DDoS attacks (launch attacks via vectors such as ICMP, HTTP, TCP, and UDP). 

Countermeasures

• Server administrators should upgrade their Webmin installations to Webmin 1.930 which contains the necessary patches to remediate the CVE-2019-15107 bug exploited by Roboto.

• Monitoring all outbound traffic especially the traffic that is destined to newly-registered domains or belongs to the category: “Uncategorized “should be inspected closely or blocked.

• Avoid applying updates/patches available in any unofficial channel.

• Search for existing signs of the indicated IOCs in your environment.

• Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.

• Maintain up-to-date antivirus signatures and engines.

• Keep operating system patches up-to-date.

DTrack Spyware

Fresh reports were received of espionage activity of state-sponsored malware campaign related to Dtrack reportedly closely related to ATMDtrack malware campaign which was designed to collect TRACK1 and TRACK2 data of users who insert their cards into the infected Wincor Nixdorf ATM.

DTrack has functionalities including keylogging, retrieving browser history, gathering IP addresses, information about available networks and active connections, listing all running processes, and files on all available disk volumes. The droppers also contained a Remote Access Trojan (RAT) – EventTRacker RAT that could allow attackers to perform various operations on a host. DTrack automatically transfer grabbed user data over the internal bank’s network to a web server installed on a remote host.

Countermeasures

• Limit access to local administrator accounts. Use a solution such as Microsoft LAPS for managing access to the local administrator account.

• To prevent lateral movement, one could use firewall rules (both network and host firewalls), ACL and communication equipment configurations, in order to prevent direct communication between workstations on the network. Consider limiting workstations to communicate with servers and network services only. This configuration must be tested in a test environment prior to deployment in production networks.

• Consider limiting and/or monitoring the use of PowerShell on users' workstations. Monitor the use of commands such as PowerShell, MSBuild, wevtutil, psexec, wmic,certutil, bitsadmin, for abnormal usage with regard to time/workstation/user/process and also check for unknown startup entries.

• Allow egress SSH traffic only from predefined workstations and users. Monitor for SSH traffic using alternative ports, other than the default TCP port 22. Pay special attention to SSH traffic using ports 443, 80, 53.

• Evaluate tools to identify log files being deleted from servers.

• Consider defining the behavioral attributes of tools used by the attackers, such as LaZagne, RottenPotato, and Paramiko, in your defense systems.

• Consider performing a penetration test (PT) against your IT systems, using methods and tools described above.

• Consider using the Yara rule to identify the use of RottenPotato tool in,
  https://github.com/Neo23x0/signaturebase/blob/master/yara/gen_rottenpotatoyar.

• Deploy web and email filters on the network. Configure these devices to scan for known bad domains [DDNS domains, free domains, Cloud service traffic] sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
  
  
• Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.
  
  
• Use Loki or IOCFinder tool to scan workstation https://github.com/Neo23x0/Loki

Credential Stealer Malware: LokiBOT

It is reported that credentials and information Stealer Malware LokiBOT has been spotted in wild. A brief description is described below:

LokiBot is info stealer malware. It steals a variety of credentials – primarily FTP credentials, stored email passwords, passwords stored in the browser. LokiBot is distributed in various forms, and has been seen in the past being distributed in zipped files along with malicious macros in Microsoft Word and Excel, or leveraging the various exploits via malicious RTF files. It is designed to capture bank user accounts by monitoring the computer with its built-in keylogging capability. It is quite infamous due to its ease of use and effectiveness.
 

Countermeasures

• Enabled code signing feature for all types of users in Power script so that only signed script will execute in Power shell.

• Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.

• Block the attachments of file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.

• Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.

• Monitoring all outbound traffic especially the traffic that is destined to newly-registered domains or belongs to the category: “Uncategorized” should be inspected closely or blocked.

• Maintain up-to-date antivirus signatures and engines.

• Users must keep their device firmware devices up-to-date with the latest releases to prevent any potential attacks.

• Keep operating system patches up-to-date.

References

Detailed analysis and countermeasures can be seen here;

• https://www.fortinet.com/blog/threat-research/new-infostealer-attack-uses-lokibot.html 

Smominru Botnet Infection

Smominru is a crypto-mining botnet that propagates on Windows devices using Eternal-Blue exploit (which was also used in NotPetya and WannaCry) and via Brute force attacks on exposed services like RDP, MySQL, Telnet, etc. It further installs crypto-mining malware, harvest login credentials, install backdoors, alter system configurations and spread laterally within the network to maximize the number of infections. It has been reported that Smominru botnet has infected 90,000 machines around the world with an infection rate of 4,700 machines per day. As this malware uses Eternal Blue exploit, most of the infected operating systems are Windows 7 and Windows Server 2008. With the EternalBlue exploit, machines running older and end-of-life versions of Windows would be more affected and many were believed to be infected because of weak credentials.

Smominru botnet also has different variants named Hexmen and Mykings.

Malicious activity

The malware is reportedly capable of ;

• Eliminate other competing malware to prevent other malware to infect the machine.
• Install Crypto-mining malware.
• Harvest login credentials.
• Install backdoors.
• Very quick lateral movement and infection spread.
• Deploys a large number of payloads and creates many backdoors on infected systems to maintain persistence, including new administrative users, scheduled tasks, Windows Management Instrumentation (WMI) objects, start-up services, and a master boot record (MBR) rootkit.

Malware Activities:

• After the initial compromise, a first-stage Powershell script named “blueps.txt” is downloaded onto the machine. It consists of a worm downloader (u.exe / ups.exe), a Trojan horse (upsupx.exe) and an MBR rootkit (max.exe / ok.exe).This script fetches and executes three binary files, creates a new administrator account “admin$” and downloads extra malicious scripts on the machine.

• Multiple backdoors have been created which include newly-created users, scheduled tasks, WMI objects and services set to run at boot time. The MS-SQL attack flow includes a unique persistence method; the attackers use the obscure task scheduling engine inside MS-SQL to run jobs at different time intervals, e.g. upon reboot, every 30 minutes.

• It downloads and runs almost twenty distinct scripts and binary payloads in widely distributed more than 20 servers across the world in such a way that fairly resistant to take-downs.

• It blocks other malicious actor’s activity by terminating processes, deleting executable files, dropping or modifying backdoor credentials and erasing scheduled tasks and MS-SQL jobs belonging to other actors. It even blocks numerous TCP ports including 135, 137, 138, 139 and 445 to in order to prevent other attackers from breaching its own infected machines.

Countermeasures

• Apply appropriate and latest Patches to patch the vulnerability attributed to the Eternal Blue SMBv1 and keep Windows OS and Windows servers system software patched and up-to-date.

• Enabled code signing feature for all types of users in Power script so that only signed script will execute in Power shell and practice “least privilege” of access.

• Monitoring all outbound traffic especially the traffic that is destined to newly-registered domains or belongs to the category: “Uncategorized” should be inspected closely or blocked.

• Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints. 

• Segment the critical networks and vulnerable or hard to secure systems from the rest of the network intelligently to restrict the lateral movement. 

• Enabling and deploying firewalls and intrusion detection and prevention systems will aid in better monitoring and scanning of traffic traversing the network. 

• Always use strong passwords with a combination of alphabets (both uppercase and lowercase), numerals and special characters. Also, multi-factor authentication should be enabled in all online accounts.

• Maintain up-to-date antivirus signatures and engines. We also recommend running a reputable, updated antivirus software solution and monitoring systems for unusual or unexpected spikes in CPU usage that could indicate the presence of cryptocurrency mining malware.

• Use DLP can enhance data protection by highlighting policy violations.

• Use a PowerShell script developed by Guardicore Labs that can be used to detect the presence of Smominru botnet infection. The Script can be seen here:

  [https://github.com/guardicore/labs_campaigns/blob/master/Smominru/detect_smominru.ps1 ]

ELECTRICFISH and BADCALL - Backdoor Spyware

US-CERT has recently released reports about a malware family related to HiddenCobra Gang, aka Lazarus Group, which is an advanced persistent threat (APT) group state-sponsored by North Korea. The Trojans dubbed ELECTRICFISH that targets Windows systems and BADCALL(both of them primarily spyware)are malware variants that target Windows systems.

They are tunneling tools designed to exfiltrate data from one system to another over the internet once a backdoor has been placed while maintaining a secure connection with the command and control server[s]. They contained a custom protocol that permits traffic to be tunneled between source IP and destination IP addresses, allowing traffic to travel through proxies to outside a victim network, bypassing authentication requirements. This can be used by attackers for covert exfiltration of data and stay hidden in the network.

It is also linked to the APT38 group. APT38 is focusing on stealing millions of dollars from banks across the world.

Malicious activity

The malware is reportedly capable of ;

• Read, write, and move files.
• Funnel out information stolen on the victim machine.
• Inject code into running processes.
• Stay hidden and unidentified in a network.
• Create, start, and stop services.
• Connect to a remote host

Malware Activities:

• The custom protocol implemented through this malware allows traffic to be tunneled between a source and destination IP address. 
  
  
•  To initiate a tunneling session, this malware consistently attempts to reach out to source and destination systems. 
  
  
• Since this spyware can be configured with a proxy server/port and proxy credentials, this feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network. 
   
• In BADCALL, the first three files are 32-bit Windows executables that function as proxy servers and implement a "Fake TLS" method whereas the fourth file is an APK file designed to run on Android platforms as a fully functioning Remote Access Tool (RAT). They are designed to force a compromised system to act as a proxy server. This implant is designed to proxy network traffic from an operator to another software tool that is being operated by the adversary on a remote system.
   

References

Detailed analysis and countermeasures can be seen here;

• https://www.us-cert.gov/ncas/analysis-reports/ar19-252b 
  
  
• https://www.us-cert.gov/ncas/analysis-reports/ar19-252a

Backdoor malware

There is a surge in the distribution of backdoor malware with a different name as GENERIC Backdoor, Sagerunex Backdoor, Double Pulse Backdoor. These backdoor are used by an attacker to gain access to the victim machine. The initial mode of infection is via malvertising, compromised sites, phishing mail with carrying malicious attachments, etc.
 

Countermeasures

• Keep checking the web proxy logs for users downloading the file having MD5 (as given above) from an external host using a non-standard or high TCP port.
  
  
• Monitor Connection attempts towards the listed domains /IPs. The list may include compromised domains /IP resources as well. Blocking the domains/IPs is solely the recipient's responsibility after diligently verifying them without impacting the operations.
  
  
• Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
  
  
• Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.
  
  
• Restrict execution of Power shell /WSCRIPT in an enterprise environment. Ensure the installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging, enabled script block logging and transcription enabled. Send the associated logs to a centralized log
  repository for monitoring and analysis.

Credential Stealer Malware: TrickBOT activity

It is reported that credential and information stealer malware TrickBOT has been spotted in wild. A brief description is described below:

Malicious activity

TrickBot is a Banking Trojan that targets user financial information and acts as a dropper for other malware. TrickBot has distributed via mail spam campaigns or exploits kits on a massive scale. It uses man-in-the-browser attacks to steal financial information, such as login credentials for online banking sessions These campaigns send unsolicited emails that include an attachment, such as a Microsoft Word or Excel document (such as invoices from accounting and financial firms) that direct users to download malware from malicious websites or trick the user into opening malware through an attachment, which enables macros and then executes a VBScript to run a PowerShell script to download the malware.

TrickBot is also dropped as a secondary payload by other malware, such as by Emotet.

Countermeasures

• Enable code signing feature for all types of users in Power script so that only signed script will execute in Power shell.
  
  
• Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
  
  
• Block the attachments of file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.
  
  
• Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.
  
  
• Monitoring all outbound traffic especially the traffic that is destined to newly-registered domains or belongs to the category: “Uncategorized” should be inspected closely or blocked.
  
  
• Maintain up-to-date antivirus signatures and engines.
  
  
• Users must keep their device firmware devices up-to-date with the latest releases to prevent any potential attacks.
  
  
• Keep operating system patches up-to-date.

TrickBot Malware

It has been observed that the new variants of the banking malware named TrickBot are spreading and targeting Indian cyberspace. We have analyzed telemetry against IoCs and observed, some of your organization’s clients were interacting with CnC.

Malicious activity

TrickBot is a modular banking Trojan that targets user financial information and acts as a dropper for other malware. This malware mainly targets banks, payments processors and CRM systems mainly through malspam campaigns. The infection vector used by the malware is similar to the tactics used by other banking Trojans such as Ryuk, Dyreza, Dridex, Locky and Jaff ransomware, i.e. a macro embedded PDF/ documents files in emails which make use of PowerShell to fetch and deploy payloads on the targeted users.

Countermeasures

• Isolate, patch and re-mediate the infected systems.
  
  
• Updated Antivirus/Internet Security Suites should be used in all devices/systems.
  
  
• Restrict execution of PowerShell / WSCRIPT in an enterprise environment with enhanced logging enabled, Script block logging, and transcription enabled.
  
  
• Disable macros in Microsoft Office products.
  
  
• Implement filters at the email gateway and block suspicious IP address at the Firewall and do not download attachments from suspicious emails.
  
  

RobbinHood Ransomware

It has been reported that a new variant of ransomware named RobbinHood is spreading. The modes of spreading this ransomware are via malicious advertisements, spam emails, etc. with crafted attachments or using an eternal blue exploit kit to reach the victim machine.

Malicious activity

• First attacker’s tries to access the victim machine either through compromised the remote desktop services or other Trojans malware. Once the attacker successfully accesses the victim machine, it drops the RobbinHood Ransomware on the victim machine.
  
  
• Once RobbinHood Ransomware installed on the victim machine, it tried to stop the running window service on the victim machine, which could keep files open and prevent their encryption. RobbinHood will now clear Shadow Volume Copies, clear event logs and disable the Windows automatic repair so that recovery becomes near impossible. RobbinHood Ransomware target victim system individually as other computers connected in the same network are also disconnected by this ransomware.
  
  
• Finally, ransomware starts encrypting files using the AES key which is created for each file and renamed the all encrypted file as Encrypted_randomstring. enc_robbinhood. After encrypting all files of the victim machine, the attacker drops four different files which contain a message for paying a ransom to decrypt the data.
  
  

Countermeasures

• TCP Users are advised to patch their system with BlueKeep (CVE-2019-0708) vulnerability as this vulnerability effect RDP service of the system which might be used by an attacker for malicious activity. https://support.microsoft.com/en-in/help/4500705/customer-guidance-for-cve-2019-0708.
  
  
• Users are advised to disable their RDP if not in use, if required it should be placed behind the firewall and users are to bind with proper policies while using the RDP.
  
  
• Restrict execution of Power Shell/WSCRIPT in an enterprise environment. Ensure the installation and use of the latest version (currently v5.0) of Power Shell, with enhanced logging enabled. Script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
  Reference: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
  
  
• Establish a Sender Policy Framework(SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
  
  
• Application whitelisting/Strict implementation of Software Restriction Policies(SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.
  
  
• Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through the browser.
  
  
• Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
  
  
• Consider encrypting the confidential data as the ransomware generally targets common file types.
  
  
• Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  
  

References

• https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/
  
  
• https://www.joesandbox.com/analysis/129748/0/pdf

Child Online Protection

  Click Here for Details

Gh0st RAT Malware

There is a surge in the distribution of Gh0stRAT Malware which is a full-featured remote access Trojan for windows operating system.

Malicious activity

• Attackers are distributing Gh0stRAT malware by using the HTTP File Server (commonly abbreviated as HFS, a free and easy way to send and receive files across the Internet).
  
  
• Attackers are exploiting the HTTP File Server vulnerability (CVE-2018-8174) to download the file from the URL onto the disk which was identified as Gh0st RAT. Once this malware reaches on the victim machine it tries to communicate with the C2 server under control of an attacker.
  
  

Countermeasures

• Keep checking the web proxy logs for users downloading the file having MD5 (as given above) from an external host using a non-standard or high TCP port.
  
  
• Monitor Connection attempts towards the listed domains /IPs. The list may include compromised domains /IP resources as well. Blocking the domains/IPs is solely the recipient's responsibility after diligently verifying them without impacting the operations.
  
  
• Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
  
  
• Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.
  
  
• Restrict execution of PowerShell /WSCRIPT in enterprise environment Ensure the installation and use of latest version (currently v5.0) of PowerShell, with enhanced logging enabled. Script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.

Kindly visit https://www.cyberswachhtakendra.gov.in to get information about the latest malware/botnets and to download free botnet removal tools.

Hawkeye Key Logger Malware

Hawkeye Key Logger Malware is an info-stealing malware that steals the credentials from the victim browser and email client.

Malicious activity

• The malware spread through a malicious document that contains the shortened URL to connect with the remote location. Once the victim reaches there, it downloads the remote frame which finally downloads the excel file having a macro.
  
  
• This macro contains the final URL to download the malware (at location C:\Users\Public\svchost32.exe) with the help of a power shell. Once malware executed, it deletes Windows Defender AV’s malware definitions and restricts access to certain domains that are associated with antivirus or security updates so that it remains undetected in the victim machine.

Countermeasures

• Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign.
  
  
• Monitor Connection attempts towards the listed domains /IPs. The list may include compromised domains /IP resources as well. Blocking the domains/IPs is solely the recipient's responsibility after diligently verifying them without impacting the operations.
  
  
• Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
  
  
• Restrict execution of PowerShell /WSCRIPT in enterprise environment Ensure the installation and use of latest version (currently v5.0) of PowerShell, with enhanced logging enabled. Script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.

Kindly visit https://www.cyberswachhtakendra.gov.in to get information about the latest malware/botnets and to download free botnet removal tools.

Magniber Ransomware

Magniber Ransomware is being distributed through advertisements, compromised websites which make the victim to land on the Magnitude exploit kit page.
 

Malicious activity

• A victim is landed on the Magnitude exploit page with the help of obfuscated javascript along with a Base64 encoded VBScript.
  
  
• It tries to exploit the vulnerability (CVE-2018-8174) present in a VBScript engine with the help of internet explorer. This VBScript then executes the shellcode.
  
  
• The shellcode just acts as a simple downloader for downloading the obfuscated payload. This obfuscated payload contains the Magniber Ransomware in packed form, which it unpack and try to inject it into the legitimate process.
  
  
• Finally, the ransomware starts encrypting all the files with a unique key and add the .dyaaghemy extension to all the encrypted files. While encrypting the files, Magniber will also create a ransom note and links to a URL (which contains the victim actual ID) of the TOR decryption service to decrypt its files.

Countermeasures

• Perform the regular backup of all the critical information to minimize the loss.
  
  
• Keep the operating system and third-party applications (MSOffice, browsers, browser Plugins, and antivirus) up-to-date with the latest patches.
  
  
• Use Microsoft Bit locker full-drive encryption feature to mitigate unauthorized data access by enhancing file and system protection.
  
  
• Follow safe practices when browsing the web. Ensure the web browsers are secured enough with appropriate content controls.
  
  
• Restrict execution of PowerShell /WSCRIPT in enterprise environment Ensure the installation and use of latest version (currently v5.0) of PowerShell, with enhanced logging enabled. Script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.

Kindly visit https://www.cyberswachhtakendra.gov.in to get information about the latest malware/botnets and to download free botnet removal tools.

Healthcare Sector Malware Orangeworm

An attack campaign dubbed Orangeworm mainly targeting the healthcare sector IT infrastructure - healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry - is reported using a backdoor Kwampirs.

Malicious activity

• The malware targets in medical devices (including high-tech imaging gear such as X-ray devices and MRI machines); network shares and servers; and platforms that assist patients in completing consent forms for required procedures.
  
  
• Backdoor Trojan executes, decrypt and extract the copy of its main DLL payload, insert a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.
  
  
• It collects information like network adapter information, system version information, language settings, system date, domain local groups, running process and services etc.from the victim system.

Countermeasures

• Use firewalls, gateway antivirus, intrusion detection devices, and monitoring to screen for the unauthorized intrusion, port scans, and other network attacks and security breaches.
  
  
• Update the operating system with the latest patch to fix the known vulnerabilities. Keep up-to-date Antivirus and Antispyware signatures and keep checking the traffic flow from your system at the above-mentioned IP, domains regularly.
  
  
• Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign.
  
  
• Restrict execution of PowerShell /WSCRIPT in enterprise environment Ensure the installation and use of latest version (currently v5.0) of PowerShell, with enhanced logging enabled.

Kindly visit https://www.cyberswachhtakendra.gov.in to get information about the latest malware/botnets and to download free botnet removal tools.

Banking Trojan Emotet

Banking Trojan Emotet

     The Emotet Trojan designed to steal banking credentials and other sensitive information and is most often propagated by way of phishing emails containing a crafted document purporting to be invoices or other business communications or links to similar Reportedly, a surge in the Emotet activity is observed involves the use of a spam botnet, which results in its rapid distribution via email thus distributing IcedID, TRICKBOT, etc. Emotet can also spread via a network propagation module that brute forces its way into an account domain using a dictionary attack. Emotet’s use of compromised URLs as C&C servers likely helped it spread as well.  Once Emotet has infected a host, a malicious file that is part of the malware is able to intercept, log, and save outgoing network traffic via a web browser leading to sensitive data being compiled to access the victim's bank account. According to reports, The Trojan may download the following modules to carry out various tasks:

Banking module

Distributed denial of service (DDoS) module

Spam module

Email client infostealer module

Browser infostealer module

Personal Storage Table (PST) infostealer module

Recommendations

  Monitor Connection attempts towards the listed domains /IPs. The list may include compromised domains /IP resources as well. Blocking the domains / IPs is solely the recipient's responsibility after diligently verifying them without impacting the operations. Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.

Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints. Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running. Restrict the execution of PowerShell /WSCRIPT in an enterprise environment. Ensure the installation and use of the latest version (currently v5.0) of PowerShell with enhanced logging enabled script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.

Information Stealer Backdoor Malware Darkcomet

Reports of Darkcomet RAT variants that collects and exfiltrates system information, user credentials, cryptocurrency wallets, browser info, and login credentials. It is designed to allow a remote operator to perform various specific functions, such as recording the victim's information and downloading additional malicious payloads.

When executed, the malware checks if the following Anti-Virus (AV) applications are installed:

• Bitdefender
• Kaspersky Anti-Virus

It logs victim's activities in plaintext such as keystrokes, along with time, clipboard changes, applications and more into "%AppData%\dclogs\YY-MM-DD-00.dc". It attempts to connect to a domain "dkcengin.ddns.net" using port 4891 and waits for commands from the C2 or controller.

CERT-In Recommends

• Restrict connection towards the domains. Put the IPs under the watchlist. [Note: blocking of IPs can impact the business. The IP address may hosts multiple genuine domains/ or may belong to a compromised infrastructure. Blacklisting is completely on the business policy of the organization.
  
  
• Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
  
  
• Restrict execution of PowerShell/WSCRIPT in enterprise environment Ensure the installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled. script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
  Reference:https://www.fireeye.com/blog/threatresearch/2016/02/greater_visibilityt.html
  
  
• Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution. Note: A lot of malicious domains are using TLDs of (.PW, .TOP, .ME) and DYNDNS domains. Monitor connections to such domains.
  
  
• Application whitelisting/Strict implementation of Software Restriction Policies (SRP) /APPLOCKER to block binaries running from %APPDATA% and %TEMP% paths.
  
  
• Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through a browser.
  
  
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header). Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  
  
• Block the attachments of file types;  exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf

Malware SAMSAM Ransomware

A surge in SAMSAM Ransomware activity with various tactics such as vulnerabilities in remote desktop protocols (RDP), Java-based web servers, or file transfer protocol (FTP) servers to gain access to the victims’ network. Succesful infection encrypts all the user data with RSA-2048 encryption.

Following the encryption of the victim’s files, the ransomware executes "selfdel.exe" [extracted from the resource section] to delete itself from the system and installs the ransomware note "HELP_DECRYPT_YOUR_FILES.html” onto the victim’s system.

CERT-In Recommends;

• Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
   
• Restrict connection towards the domains. Put the IPs under the watchlist. [Note: blocking of IPs can impact the business. The IP address may hosts multiple genuine domains/ or may belong to a compromised infrastructure. Blacklisting is completely on the business policy of the organization]
   
• Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
  
  
• Restrict execution of PowerShell /WSCRIPT in enterprise environment Ensure the installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled. script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
  Reference:https://www.fireeye.com/blog/threatresearch/2016/02/greater_visib ilityt.html
  
  
• Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
  Note: A lot of malicious domains are using TLDs of (.PW, .TOP, .ME) and DYNDNS domains. Monitor connections to such domains.
   
• Application whitelisting/Strict implementation of Software Restriction Policies (SRP) /APPLOCKER to block binaries running from %APPDATA% and %TEMP% paths.
   
• Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through a browser.
   
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header). Monitor users' web browsing habits; restrict access to sites with unfavorable content.
   
• Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
  
  
• Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389) and file transfer Protocol(TCP 21).

Satori Botnet

Satori Botnet affecting IoT devices

You may be aware that a new Botnet named Satori has been found infecting Internet of Things (IoT) devices.

One of the possible modus operandi of this malware is as under:

• Compromise IoT systems.
• Create botnets of the compromised devices.
• Use compromise devices to launch DDoS attacks.
• Make network connections to receive commands to launch further attacks.

Following countermeasures can be taken to protect the IoT devices;

• Restrict Web Management Interface access of IoT devices to authorized users only and change default username/passwords
• Disable Universal Plug and Play (UPnP) on IoT devices unless absolutely required.
• Keep up to date Antivirus on the computer system
• Keep up-to-date on patches and fixes on the IoT devices, operating system, and applications.
• Unnecessary port and services on the devices should be stopped and closed.

Kindly visit https://www.cyberswachhtakendra.gov.in to get information about the latest malware/botnets and to download free botnet removal tools.