Vulnerability Spotlight: Multiple vulnerabilities in Atlantis Word Processor

October 1, 2018, 5:30 am

≫ Next: Vulnerability Spotlight: Multiple Issues in Foxit PDF Reader

≪ Previous: Beers with Talos Ep. #38 — More fun with VPNFilter; Getting pwnd via spreadsheet

Vulnerabilities discovered by Cory Duplantis and Ali Rizvi-Santiago of Cisco Talos.

Overview

Cisco Talos is disclosing several vulnerabilities discovered in Atlantis Word Processor. Atlantis Word Processor is a portable word processor that is also capable of converting any TXT, RTF, ODT, DOC, WRI, or DOCX document into an eBook in the ePub format.

TALOS-2018-0641 - Atlantis Word Processor Uninitialized TDocOleObject Code Execution Vulnerability (CVE-2018-3975)

An exploitable uninitialized variable vulnerability exists in the RTF-parsing functionality of Atlantis Word Processor. A specially crafted RTF can leverage an uninitialized stack address, resulting in an out-of-bounds write. Detailed vulnerability information can be found here.

Tested versions: Atlantis Word Processor 3.0.2.3, 3.0.2.5

TALOS-2018-0646 - Atlantis Word Processor Word Document Complex Piece Descriptor Table Fc.Compressed Code Execution Vulnerability (CVE-2018-3978)

An exploitable out-of-bounds write vulnerability exists in the Word Document parser of Atlantis Word Processor. A specially crafted document can cause Atlantis to write a value outside the bounds of a heap allocation, resulting in a buffer overflow. An attacker must convince a victim to open a specially crafted, malicious document in order to trigger this vulnerability. Detailed vulnerability information can be found here.

Tested versions: Atlantis Word Processor 3.2.6

TALOS-2018-0650 - Atlantis Word Processor Word Document Endnote Reference Code Execution Vulnerability (CVE-2018-3982)

An exploitable arbitrary write vulnerability exists in the Word Document parser of Atlantis Word Processor. A specially crafted document can cause Atlantis to skip the addition of elements to an array that is indexed by a loop. When reading from this array, the application will use an out-of-bounds index, which can result in arbitrary data being read as a pointer. Later, when the application attempts to write to said pointer, an arbitrary write will occur. This can allow an attacker to further corrupt memory and execute code under the context of the application. An attacker must convince a victim to open a malicious document in order to trigger this vulnerability. Detailed vulnerability information can be found here.

Tested versions: Atlantis Word Processor 3.0.2.3, 3.0.2.5

TALOS-2018-0651 - Atlantis Word Processor Empty TTableRow TList Code Execution Vulnerability (CVE-2018-3983)

An exploitable near-null write vulnerability exists in the Word Document parser of Atlantis Word Processor. A specially crafted document can cause an array to fetch a NULL pointer and then performs some arithmetic before writing a value to the result. Due to the application using the null pointer, there is arithmetic that can result in the pointer being larger than a few pages. This can corrupt heap memory, resulting in code execution under the context of the application. An attacker must convince a victim to open a document in order to trigger this vulnerability. Detailed vulnerability information can be found here.

Tested versions: Atlantis Word Processor 3.0.2.3, 3.0.2.5

TALOS-2018-0652 - Atlantis Word Processor Word Document Paragraph Property (0xD608) sprmTDefTable Uninitialized Length Code Execution Vulnerability (CVE-2018-3984)

An exploitable uninitialized length vulnerability exists within the Word Document parser of Atlantis Word Processor. A specially crafted document can cause Atlantis to skip initializing a value representing the number of columns of a table. Later, the application will use this as a length within a loop that will write to a pointer on the heap. A buffer overflow will occur due to this value being controlled, which can lead to code execution under the context of the application. An attacker must convince a victim to open a document in order to trigger this vulnerability. Detailed vulnerability information can be found here.

Tested versions: Atlantis Word Processor 3.0.2.3, 3.0.2.5

TALOS-2018-0666 - Atlantis Word Processor Windows Enhanced Metafile Code Execution Vulnerability (CVE-2018-3998)

An exploitable heap-based buffer overflow vulnerability exists in the Windows Enhanced Metafile parser of Atlantis Word Processor. A specially crafted image embedded within a document can cause an undersized allocation, resulting in an overflow when the application tries to read data into it. An attacker must convince a victim to open a malicious document in order to trigger this vulnerability. Detailed vulnerability information can be found here.

Tested versions: Atlantis Word Processor 3.2.5.0

TALOS-2018-0667 - Atlantis Word Processor JPEG Length Underflow Code Execution Vulnerability (CVE-2018-3999)

An exploitable heap-based buffer overflow vulnerability exists in the JPEG parser of Atlantis Word Processor. A specially crafted image embedded within a document can cause a length to be underflowed, which is then treated as unsigned. Later, when using this length in a copying operation, the application will write outside the bounds of a heap-buffer resulting in a buffer overflow. An attacker must convince a victim to open a malicious document in order to trigger this vulnerability. Detailed vulnerability information can be found here.

Tested versions: Atlantis Word Processor 3.2.5.0

TALOS-2018-0668 - Atlantis Word Processor Office Open XML TTableRow Double Free Code Execution Vulnerability (CVE-2018-4000)

An exploitable double-free vulnerability exists in the Office Open XML parser of Atlantis Word Processor. A specially crafted document can cause a TTableRow instance to be referenced twice, resulting in a double-free vulnerability when both the references go out of scope. An attacker must convince a victim to open a malicious document in order to trigger this vulnerability. Detailed vulnerability information can be found here.

Tested versions: Atlantis Word Processor 3.2.5.0

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 47403 - 47412, 47456 - 47457, 47527 - 47528, 47523 - 47524, 47521 - 47522, 47758 - 47760, 47755 - 47756, 47762 - 47763

↧

Vulnerability Spotlight: Multiple Issues in Foxit PDF Reader

October 1, 2018, 9:59 am

≫ Next: Vulnerability Spotlight: Adobe Acrobat Reader DC Collab reviewServer Remote Code Execution Vulnerability

≪ Previous: Vulnerability Spotlight: Multiple vulnerabilities in Atlantis Word Processor

Vulnerabilities discovered by Aleksandar Nikolic of Cisco Talos

Overview

Cisco Talos is disclosing eightteen vulnerabilities in Foxit PDF Reader, a popular free program for viewing, creating and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin.

Details

TALOS-2018-0607

TALOS-2018-0607 / CVE-2018-3940 is an exploitable use-after-free vulnerability found in the JavaScript engine that can result in remote code execution. As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code, a document can be closed, which frees numerous of used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the 'removeDataObject' method of the active document, resulting in arbitrary code execution.

There are a couple of different ways an adversary could leverage this attack, including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0608

TALOS-2018-0608 / CVE-2018-3941 is an exploitable use-after-free vulnerability found in the JavaScript engine that can result in remote code execution. As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code, a document can be closed, which frees numerous used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the 'getNthFieldName' method of the active document resulting in arbitrary code execution.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0609

TALOS-2018-0609 / CVE-2018-3942 is an exploitable use-after-free vulnerability found in the JavaScript engine that can result in remote code execution. As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code, a document can be closed, which frees numerous of used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the 'getPageRotation' method of the active document resulting in arbitrary code execution.

There are a couple of different ways an adversary could leverage this attack, including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0610

TALOS-2018-0610 / CVE-2018-3943 is an exploitable use-after-free vulnerability found in the JavaScript engine that can result in remote code execution. As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code, a document can be closed, which frees many used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the 'getPageBox' method of the active document resulting in arbitrary code execution.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0611

TALOS-2018-0611 / CVE-2018-3944 is an exploitable use-after-free vulnerability found in the JavaScript engine that can result in remote code execution. As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code, a document can be closed, which frees several used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the 'JSON.Stringify' method of the active document resulting in arbitrary code execution.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0612

TALOS-2018-0612 / CVE-2018-3945 is an exploitable use-after-free vulnerability found in the JavaScript engine that can result in remote code execution. As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code, a document can be closed, which frees numerous of used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the 'this.info' object followed by calling the 'JSON.stringify' method of the active document resulting in arbitrary code execution.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0613

TALOS-2018-0613 / CVE-2018-3946 is an exploitable use-after-free vulnerability found in the JavaScript engine that can result in remote code execution. As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code, a document can be closed, which frees numerous used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the 'getPageNthWord' method of the active document resulting in arbitrary code execution.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0628

TALOS-2018-0628 references a total of six separate use-after-free vulnerabilities (CVE-2018-3957, CVE-2018-3958, CVE-2018-3959, CVE-2018-3960, CVE-2018-3961, CVE-2018-3962) found in the JavaScript engine of Foxit PDF Reader that can be abused to execute arbitrary code.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0629

TALOS-2018-0629 / CVE-2018-3964 is a use-after-free vulnerability found in the JavaScript engine of Foxit PDF Reader that can be abused to execute arbitrary code. This particular vulnerability leverages the invocation of the 'getPageNumWords' method of the active document with a crafted object as an argument.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0630

TALOS-2018-0630 / CVE-2018-3965 is a use-after-free vulnerability found in the JavaScript engine of Foxit PDF Reader that can be abused to execute arbitrary code. This particular vulnerability leverages a saved reference to the 'this.bookmarkRoot.children' object, triggering the use-after-free condition.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0631

TALOS-2018-0631 / CVE-2018-3966 is a use-after-free vulnerability found in the JavaScript engine of Foxit PDF Reader which can be abused to execute arbitrary code. This particular vulnerability leverages a saved reference to the 'this.dataObjects' object, triggering the use-after-free condition.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0632

TALOS-2018-0632 / CVE-2018-3967 is a use-after-free vulnerability found in the JavaScript engine of Foxit PDF Reader that can be abused to execute arbitrary code. This particular vulnerability leverages a saved reference to the 'this.event.target' object, triggering the use-after-free condition.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0660

TALOS-2018-0660/CVE-2018-3992 is a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, it can also be triggered by visiting a malicious site.

As a complete feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. A multipage PDF document can have JavaScript actions attached to "page open" and "page close" events. When executing embedded JavaScript code, a document can be closed, which essentially frees numerous of used objects, but the JavaScript can continue to execute. Changing a page at a precise moment after the document is closed can lead to use-after-free condition. Full details of the vulnerability can be found here.

TALOS-2018-0661

TALOS-2018-0661/CVE-2018-3993 is a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, it can also be triggered by visiting a malicious site.

This particular vulnerability lies in the way optional content groups (OCG) are manipulated. Saving an OCG and then accessing it's properties after the document is closed can trigger a use-after-free condition. Full details of the vulnerability can be found here.

TALOS-2018-0662

TALOS-2018-0662/CVE-2018-3994 is a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader, version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. A multipage PDF document can have JavaScript actions attached to "page open" and "page close" events. When executing embedded JavaScript code, a document can be closed, which frees numerous used objects, but the JavaScript can continue to execute. Changing a page at a precise moment after the document is closed can lead to use-after-free condition.

Calling `app.activeDocs[0].calculateNow()` while opening a page allocates an extra object on the heap. When the code in the open action for the whole document is executed, calling `app.activeDocs[0].importDataObject();` can then dereference a freed object, leading to use-after-free condition. Full details of the vulnerability can be found here.

TALOS-2018-0663

TALOS-2018-0663/CVE-2018-3995 is a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. A multipage PDF document can have JavaScript actions attached to "page open" and "page close" events. When executing embedded JavaScript code, a document can be closed, which essentially frees numerous of used objects, but the JavaScript can continue to execute. Changing a page at the precise moment after the document is closed can lead to use-after-free condition.

This particular vulnerability lies in saving a reference to the `SignatureInfo` object by invoking the `signatureInfo` method of a form field. When the document is closed, objects are freed and a use-after-free condition occurs if a stale reference is accessed. Full details of the vulnerability can be found here.

TALOS-2018-0664

TALOS-2018-0664/CVE-2018-3996 a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader, version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. A user could also trigger the vulnerability by visiting a malicious site while the browser plugin is enabled. As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. A multipage PDF document can have JavaScript actions attached to "page open" and "page close" events. When executing embedded JavaScript code, a document can be closed, which essentially frees numerous of used objects, but the JavaScript can continue to execute. Changing a page at a precise moment after the document is closed can lead to use-after-free condition.

This particular vulnerability lies in invoking `isDefaultChecked` method of a field object with crafted object as argument, which can trigger a use-after-free condition. Full details of the vulnerability can be found here.

TALOS-2018-0665

TALOS-2018-0665/CVE-2018-3997 is a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. A user could also trigger the vulnerability by visiting a malicious site while the browser plugin is enabled

As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. A multipage PDF document can have Javascript actions attached to "page open" and "page close" events. When executing embedded JavaScript code, a document can be closed, which essentially frees numerous of used objects, but the JavaScript can continue to execute. Changing a page at a precise moment after the document is closed can lead to use-after-free condition.

If a reference to `SeedValue` object is saved by invoking `signatureGetSeedValue` method of a form field and the document is closed, objects are freed and accessing a stale reference results in a use-after-free condition. Full details of the vulnerability can be found here.

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rule: 45158 - 45159, 45608 - 45609, 45652 - 45653, 45715 - 45716, 45823 - 45824, 46864 - 46865, 47727 - 47728

↧

Vulnerability Spotlight: Adobe Acrobat Reader DC Collab reviewServer Remote Code Execution Vulnerability

October 2, 2018, 9:07 am

≫ Next: BruCON Primer: 10 Years and Cisco Talos Talks

≪ Previous: Vulnerability Spotlight: Multiple Issues in Foxit PDF Reader

Discovered by Aleksandar Nikolic of Cisco Talos

Overview

Today, Cisco Talos is releasing details of a new vulnerability within Adobe Acrobat Reader DC. Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a large user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability. The one method call required to trigger this vulnerability is privileged and can only be called from trusted functions or a trusted location. Additionally, the use-after-free condition is only triggered upon closing the application.

TALOS-2017-0623 - Adobe Acrobat Reader DC Collab reviewServer Remote Code Execution Vulnerability (CVE-2018-12852)

Usage of specific JavaScript code embedded in a PDF file can lead to a use-after-free condition when opening a PDF document in Adobe Acrobat Reader DC 2018.011.20040. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.

Adobe Acrobat Reader DC supports embedded JavaScript code in the PDF to allow for interactive PDF forms This gives the potential attacker the ability to precisely control memory layout and poses additional attack surface. Detailed vulnerability information can be found here.

Known vulnerable versions

Adobe Acrobat Reader DC 2018.011.20040

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rule: 47074 - 47045

↧

BruCON Primer: 10 Years and Cisco Talos Talks

October 2, 2018, 1:25 pm

≫ Next: Vulnerability Spotlight: Google PDFium JBIG2 Image ComposeToOpt2WithRect Information Disclosure Vulnerability

≪ Previous: Vulnerability Spotlight: Adobe Acrobat Reader DC Collab reviewServer Remote Code Execution Vulnerability

Cisco Talos will have a significant presence at the 10th edition of BruCON, which kicks off this week. Below, you will find the presentations that Talos researchers will give, along with a brief overview of the topics they will discuss. We are fortunate to have multiple speakers presenting this year: Benny Ketelslegers, Jared Rittle and Lilith Wyatt.

BruCON Retro day opening speech

Presented by Benny Ketelslegers

BruCON was founded in 2008 by five security-minded Belgians working in the cybersecurity industry. What started as a herculean effort of a few people has now stabilized into one of the better European information security conferences that continues to grow each year. Benny, one of the founders, will go through the history of the con and highlight the key reasons it was able to survive through the first few years. We will be giving an overview of the security landscape in Belgium, why BruCON was founded and cover some of the highlights from the past 10 years.

This talk will take place on Oct. 3 at 10 a.m. during BruCON.

Process Control Through Counterfeit Comms

Presented by Jared Rittle

Programmable Logic Controllers (PLCs) are often relied on for the performance of critical process control functions in many different critical infrastructure sectors. Cisco Talos previously identified several vulnerabilities in the Allen-Bradley MicroLogix 1400 PLCs. These vulnerabilities included ones that could be leveraged to modify device configuration and ladder logic, write modified program data into the device's memory module, erase program data from the device's memory module, or conduct denial-of-service (DoS) attacks against affected devices. These vulnerabilities were disclosed to the manufacturer, with an update released to ensure that vulnerable devices could be updated to resolve these issues.

Jared Rittle of Cisco Talos will be presenting information regarding these vulnerabilities on Oct. 5 at 5:30 p.m.. Cisco Talos is also releasing a whitepaper that includes additional details related to how these vulnerabilities could be leveraged by attackers, the potential impacts they could have on affected devices, as well as mitigations that could be put in place to secure devices affected by these vulnerabilities. This whitepaper can be accessed here.

IoT RCE, a study with Disney

Presented by Lilith Wyatt

As desktop and server security keeps raising the baseline for successful exploitation, internet-of-things (IoT) devices are still stuck in the 1990s, despite their ubiquity in every home network. This, coupled with the ability to access them from anywhere, is creating a situation in which millions of households are left vulnerable, regardless of any network security posture — which is essentially a ticking time bomb.
These topics will be examined using the Circle with Disney— an internet monitoring device made by Disney — and a Foscam IP video camera as case studies. During the course of the vulnerability testing of these devices, more than 50 CVEs were discovered, out of which, discussion will focus on the more novel attack techniques seen within the Disney Circle, including:

SSL certificate-ttribute validation bypasses
SSID broadcasting injection
Use-between-Realloc memory corruption
Cloud routing abuse

During the course of the talk, there will be discussion regarding IoT device's use of traditionally offensive tools (ARP poisoning, backdoors, and beaconing) for central functionality.

Lilith Wyatt will present the information related to these vulnerabilities, including the specific details related to several use cases, on Oct. 5 at 3 p.m.

↧

Vulnerability Spotlight: Google PDFium JBIG2 Image ComposeToOpt2WithRect Information Disclosure Vulnerability

October 3, 2018, 7:38 am

≫ Next: Threat Roundup Sept 28 - Oct 5

≪ Previous: BruCON Primer: 10 Years and Cisco Talos Talks

Discovered by Aleksandar Nikolic of Cisco Talos

Overview

Cisco Talos is releasing details of a new vulnerability in Google PDFium's JBIG2 library. An exploitable out-of-bounds read on the heap vulnerability exists in the JBIG2-parsing code in Google Chrome, version 67.0.3396.99. A specially crafted PDF document can trigger an out-of-bounds read, which can possibly lead to an information leak. That leak could be used as part of an exploit. An attacker needs to trick the user into visiting a malicious site to trigger the vulnerability.

In accordance with our coordinated disclosure policy, Cisco Talos has worked with Google to ensure that these issues have been resolved and that an update has been made available for affected users. It is recommended that this update is applied as quickly as possible to ensure that systems are no longer affected by this vulnerability.

Vulnerability Details

Google PDFium JBIG2 Image ComposeToOpt2WithRect Information Disclosure Vulnerability (TALOS-2018-0639 / CVE-2018-16076)

PDFium is an open-source PDF renderer developed by Google and used extensively in the Chrome browser, as well as other online services and standalone applications. This bug was fixed in the latest Git version, as well as the latest Chromium address sanitizer build available.

A heap buffer overflow is present in the code responsible for decoding a JBIG2 image stream. An attacker needs to provide a specific PDF that describes the JBIG2 image details in order to exploit this vulnerability. Detailed vulnerability information can be found here.

Known vulnerable versions

Google Chrome version 67.0.3396.99

https://chromereleases.googleblog.com/2018/09/stable-channel-update-for-desktop.html

Coverage

↧

Threat Roundup Sept 28 - Oct 5

October 5, 2018, 9:23 am

≫ Next: Vulnerability in the Intel Unified Shader compiler for the Intel Graphics Accelerator

≪ Previous: Vulnerability Spotlight: Google PDFium JBIG2 Image ComposeToOpt2WithRect Information Disclosure Vulnerability

Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 28 and Oct. 5. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

Win.Malware.Gandcrab-6706045-0
Malware
Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB". Gandcrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.
Xls.Downloader.Valyria-6704496-0
Downloader
These variants of Valyria are malicious Excel files that contain embedded VBA macros used to distribute other malware.
Win.Dropper.Fqdq-6705253-0
Dropper
This dropper attempts to access the Firefox Password Manager local database, uses a temporary batch file to perform additional malicious activities and uploads files to remote servers. Additionally, it might inject code, read INI files or use Visual Basic scripts.
Win.Malware.Genkryptik-6704925-0
Malware
Win.Malware.Genkryptik is oftentimes a generic detection name for a Windows trojan. Some of the malicious activities that could be performed by these samples, without the user's knowledge, include: collecting system information, downloading and uploading files and dropping additional samples.
Win.Malware.Zusy-6704537-0
Malware
Zusy is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". The malware attempts to trick the user into entering their login information whenever they visit a financial services website.
Win.Malware.Razy-6703914-0
Malware
Razy is oftentimes a generic detection name for a Windows trojan. They collect sensitive information from the infected host and encrypt the data, and send it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting/creating a value in the registry for persistence.
Doc.Malware.Emooodldr-6699885-0
Malware
These malicious Word documents contain embedded VBA macros, spawn new processes, drops files and remove Office resiliency keys.

Threats

Win.Malware.Gandcrab-6706045-0

Indicators of Compromise

Registry Keys

<HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
- Value Name: LanguageList
<HKCU>\CONTROL PANEL\DESKTOP
- Value Name: Wallpaper

Mutexes

Global\8B5BAAB9E36E4507C5F5.lock
Global\XlAKFoxSKGOfSGOoSFOOFNOLPE

IP Addresses contacted by malware. Does not indicate maliciousness.

50[.]63[.]202[.]89
93[.]125[.]99[.]121
137[.]74[.]238[.]33
94[.]231[.]109[.]239
185[.]135[.]88[.]105
146[.]66[.]72[.]87
87[.]236[.]16[.]31
217[.]160[.]0[.]234
69[.]73[.]180[.]151
104[.]31[.]77[.]95
171[.]244[.]34[.]167
217[.]174[.]149[.]130
70[.]40[.]197[.]96
223[.]26[.]62[.]72
80[.]77[.]123[.]23
178[.]238[.]37[.]162
51[.]68[.]50[.]168
104[.]28[.]30[.]160
67[.]227[.]236[.]96
66[.]96[.]147[.]67
179[.]188[.]11[.]34
89[.]252[.]187[.]72
194[.]58[.]56[.]95
104[.]28[.]28[.]142
104[.]27[.]163[.]241
213[.]186[.]33[.]186
107[.]178[.]113[.]162
87[.]236[.]16[.]29
188[.]165[.]53[.]185
173[.]247[.]242[.]133
77[.]104[.]144[.]25
191[.]252[.]51[.]37
202[.]43[.]45[.]181
192[.]163[.]234[.]40
217[.]160[.]0[.]27
209[.]182[.]208[.]245
94[.]73[.]148[.]18
45[.]33[.]91[.]79
87[.]236[.]19[.]135
52[.]29[.]192[.]136
178[.]33[.]233[.]202
92[.]53[.]96[.]201
186[.]202[.]153[.]158
104[.]24[.]104[.]13
213[.]186[.]33[.]3
188[.]64[.]184[.]90
95[.]213[.]173[.]173
103[.]107[.]17[.]102
103[.]27[.]238[.]31
50[.]87[.]58[.]165
104[.]27[.]186[.]113
104[.]24[.]102[.]153
77[.]104[.]171[.]238
194[.]154[.]192[.]67
87[.]236[.]16[.]41

Domain Names contacted by malware. Does not indicate maliciousness.

www[.]litespeedtech[.]com
big-game-fishing-croatia[.]hr
www[.]lagouttedelixir[.]com
dreamhost[.]com
www[.]himmerlandgolf[.]dk
hanaglobalholding[.]com
top-22[.]ru
zaeba[.]co[.]uk
ispsystem[.]com
unnatimotors[.]in
www[.]macartegrise[.]eu
blokefeed[.]club
bellytobabyphotographyseattle[.]com
diadelorgasmo[.]cl
www[.]bgfc[.]hr
www[.]wash-wear[.]com
yourmine[.]ru
www[.]reg[.]ru
www[.]poketeg[.]com
boatshowradio[.]com
www[.]perfectfunnelblueprint[.]com
perovaphoto[.]ru
www[.]cakav[.]hu
www[.]billerimpex[.]com
evotech[.]lu
www[.]ismcrossconnect[.]com
help[.]dreamhost[.]com
www[.]fabbfoundation[.]gm
alem[.]be
cevent[.]net
mauricionacif[.]com
smbardoli[.]org
www[.]aco[.]dk
cyclevegas[.]com
lucides[.]co[.]uk
krasnaypolyana123[.]ru
hoteltravel2018[.]com
oceanlinen[.]com
6chen[.]cn
koloritplus[.]ru
asl-company[.]ru
www[.]krishnagrp[.]com
test[.]theveeview[.]com
cdnjs[.]cloudflare[.]com
picusglancus[.]pl
bloghalm[.]eu
api[.]w[.]org
nesten[.]dk
simetribilisim[.]com
pp-panda74[.]ru
wpakademi[.]com
dna-cp[.]com
h5s[.]vn
bethel[.]com[.]ve
vjccons[.]com[.]vn
www[.]rment[.]in
marketisleri[.]com
www[.]byggekvalitet[.]dk
royal[.]by
gmpg[.]org
sherouk[.]com
tommarmores[.]com[.]br
graftedinn[.]us
www[.]mimid[.]cz
maxcdn[.]bootstrapcdn[.]com
panel[.]dreamhost[.]com
relectrica[.]com[.]mx
acbt[.]fr
damt7w3yoa0t2[.]cloudfront[.]net
topstockexpert[.]su
goodapd[.]website
www[.]n2plus[.]co[.]th
aurumwedding[.]ru
devdev[.]com[.]br
www[.]toflyaviacao[.]com[.]br
mimid[.]cz
nhs-foi[.]com
www[.]iyfipgun[.]com
wash-wear[.]com

Files and or directories created

%AppData%\Microsoft\Internet Explorer\UserData\MA3SBLRS\spid[1].xml
%UserProfile%\Videos\98b689db98b68e303c.lock
%UserProfile%\Start Menu\98b689db98b68e303c.lock
%UserProfile%\Start Menu\SGMNP-DECRYPT.txt
%UserProfile%\Videos\Sample Videos\98b689db98b68e303c.lock
%UserProfile%\Videos\Sample Videos\SGMNP-DECRYPT.txt
\??\E:\$RECYCLE.BIN\S-1-5-21-2580483871-590521980-3826313501-500\98b689db98b68e303c.lock
\??\E:\$RECYCLE.BIN\S-1-5-21-2580483871-590521980-3826313501-500\SGMNP-DECRYPT.txt
\??\E:\$RECYCLE.BIN\SGMNP-DECRYPT.txt
\??\E:\98b689db98b68e303c.lock
\??\E:\SGMNP-DECRYPT.txt
\MSOCache\SGMNP-DECRYPT.txt
\PerfLogs\Admin\SGMNP-DECRYPT.txt
\PerfLogs\SGMNP-DECRYPT.txt
\Recovery\926583e2-ef64-11e4-beed-d6738078ad98\SGMNP-DECRYPT.txt
\Recovery\SGMNP-DECRYPT.txt
\SGMNP-DECRYPT.txt
\TEMP\SGMNP-DECRYPT.txt
%UserProfile%\Videos\SGMNP-DECRYPT.txt

File Hashes

211484d0deda5cb97b16b27538b7d1d2c26af6ae3aac3c888085a0e8ddf2d8bd
46b702851cb5c1df0a97d1ae9e3202316d36ef2195395a9bcc3699dd1d247733
4e2ba4638d01c1473f0959fae6d31636456cde0ab995fa5f3fad1efc2cb7bf0e
69fd1808c32fe3209f384fba8f79df13bec479e9b081f7edcf8720f6257f7dfe
8b5c1735800d8ad69b535a863f4ae1941604b3e57261961e230a26b16b4b98ec
9ec54c9d6ec39c34c8e011fcb10fb2ae5334d1d0632e63a61d94b36b9f9c8a9b
c394e7fa3604f5ee26419a913dbfeb0988d59bbf8ed25d852ebf62a48cc1688a
c4a126172b27777413ee4efcd0ce8656fbef52e81c984993af3fa63d5264cc8e
d81aa5dbd9272f9be6e4a0def514a9284220d88f219ac6fd908ab2c942b92cdc
d9129786346cfa0aa07a1c82d4bcb79a977c7c8e1a052916a34b6cde4c09c006
e41697a99da83a32bf8a56f993123fbfaef378d5e6f61286a272536fe10b6d35
e50a28068fcae51a609946fad1637a5dbfbda8add88063ddb117cb8e0cfc4a74
e8502aa65a4da371c0e378b245374af7340b809140a5d2e3bc3bfa67a92a2bde
eb9347f0fbbb675ecc61beb1f2be8721871e203357b124ad9858037a641709f5
f77825b0388a6220521219030ad70bdb6fcd3216a590d092ec4aa22a506a17b6

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Xls.Downloader.Valyria-6704496-0

Indicators of Compromise

Registry Keys

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value Name: UNCAsIntranet
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value Name: AutoDetect
<HKCU>\SOFTWARE\MICROSOFT\WISP\MULTITOUCH
- Value Name: MultiTouchEnabled
<HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\PERSIST\0\1
- Value Name: HidCursorName
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
- Value Name: DeleteFlag
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
- Value Name: Start

Mutexes

Local\10MU_ACB10_S-1-5-5-0-57527
Local\10MU_ACBPIDS_S-1-5-5-0-57527
Global\316D1C7871E00
{773F1B9A-35B9-4E95-83A0-A210F2DE3B37}-Default

IP Addresses contacted by malware. Does not indicate maliciousness.

78[.]47[.]139[.]102
107[.]180[.]25[.]0
103[.]110[.]91[.]118
89[.]163[.]224[.]250
199[.]249[.]223[.]62
185[.]220[.]101[.]12
89[.]27[.]96[.]42
208[.]113[.]131[.]196

Domain Names contacted by malware. Does not indicate maliciousness.

dallasmediationlawyer[.]com
myexternalip[.]com

Files and or directories created

%LocalAppData%\Temp\character.exe
%AppData%\mssert\chasactes.exe
%LocalAppData%\Temp\const_cast.bat
%LocalAppData%\Temp\whzxixx5.jdj.ps1
%LocalAppData%\Temp\xgxfy2dc.eju.psm1
%LocalAppData%\Temp\21iyllij.ncz.psm1
%LocalAppData%\Temp\erifm5li.lo3.ps1
%LocalAppData%\Temp\wmez5d0g.r0g.ps1
%LocalAppData%\Temp\gs0jrz4i.yd2.psm1
%LocalAppData%\Temp\qgh0kqvv.ce5.ps1
%LocalAppData%\Temp\tkzdlipn.odo.psm1

File Hashes

0276895b76757b5b2726c1c2fbb50d98040dc2dc46aedff1e5b9709f168b4a8d
0f792637a859a3c2919e1e45a9500e1bdf2b5f4e07bfc4d8b5e24cf7c8003e5e
1114fd2ee387df04c4e7ed0bb6d088b220e893c8a1ee07386977c7369681e5d3
1c2f39f6a608c70b16a79ed4cfb228c412852caac8a8b8bafc4e0819d038aa2c
2ca6d57dcfacd0f59f8b390ccbf138b557b8e95a157a53de6fe864c5eafbcf80
4682a95f9ed32657ee61b7aec758ab6bbdc17a52e2812e1372b3b2a9776cadc1
655f60c338658334723310c79033b26daa207b61fd89ebaf4abbed93802c65be
672aac7a017a8417608dfe687fa4023fdd1e90a7d77f6e1d9b035a070c9d9c40
6ff12e83f44e19de6515c03108fccfd98abd3a70bbab1088171954a3c6113d3b
a407d2cfb849a1822895fb5770db7c24b707422da3a193e7d8f5d9e39bfb3896
ccbac43307cd046f896283deac0341351b5dc83e6be5cb2292a0c28cdfd34650
dafd70b7b82551b0feb905f8d466d2b02784ce6e5d5c2b8d6d00e82b27487ae0
dbf3533e970aacc291d0342289943605537407df18217182ca39d52a8c9f8970

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Dropper.Fqdq-6705253-0

Indicators of Compromise

Registry Keys

<HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
- Value Name: LanguageList
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
- Value Name: PnpInstanceID

Mutexes

3749282D282E1E80C56CAE5A

IP Addresses contacted by malware. Does not indicate maliciousness.

Domain Names contacted by malware. Does not indicate maliciousness.

baxishop[.]ro

Files and or directories created

%AppData%\D282E1\1E80C5.lck
%AllUsersProfile%\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol
\PC*\MAILSLOT\NET\NETLOGON
\lsass
%AppData%\D282E1
\samr

File Hashes

030290f026a913226735bc017a37997180f130b9ce1fdc3b990e050aea4bc39e
07abd686b7cda16b61c65d82cb72f464e2ea31bb8bb165f01bbcfa693f1bd22a
1258790e008879340d7cd8e6b303e25183345a05d81b6583164f0a690323405b
12963b31f9719d9333f6cbdb46426c32179bba4a31976b094d192588eb4439ff
2627bd09fd4886f83a7ca589518523606b581ad026968f3d013e1cfb221f7811
2c18a46ea35314f065b21e151d37787cfa5b7696207226ca80f7732176659ee9
30a901d40309ac1e42e98ad59044e1e1f97f985ca397628e8f0deb8f67f39d1f
31ef4c98208464b43dd337b92cba0cfa05d0924ebc732e0b1ee88120495f503c
34f159a5b3ee64cbe520c18e9abd66be61b583dad385bbec9cadf054942827da
35c1410cfb084bb4f4ef5a7c3d92c7b78ddd33849864e41f22e09f5b1c3997b2
3a69eddc3ab09e947703dbfd7e279e9e6e867190c9f72f395833fe94a1b6903a
4688f04b2498695705ea718ba724e9f0c04d92d09d75505f7fa1b1ad19bfe795
4e79a2473921ee6132c3e73f9b4de0395ec350cb476981cf2cb19171034f9405
56979370107aeffca2fa5ad915f454e33ced1a5c6518dbc01ed15689b92e83dd
582f2175b65814e7558fca9ebc7e1a6f97402ce3079f43ece47fdc17c3f7324e
5f83ff3b7d094547fd00dacabe669e389bdd04af09dcbc7790f29a63f797a00f
6448bc9787a96f76cc6716294a204df6d1cbd6db9cc441abc78b31161529e00f
7a2868174590c11d2f95794260792700a1fd567b5315702decfd1cd6611ed0d5
8b7a4bc0f2ea0f3e54b0cea9fa2928ddd0a85aa80a64071985cf95301c0d5ac3
9030a6efd1e15d5e78b727700863ab45b667a7c532761b3a148aa222f7e17b87
946de8d2685ded47c74e4b7c9490e8961598462a87be7ca5bef22693745f7cfa
951860ee7f7283a3b238cbfdb6e161c09fcb6a2b7975bb142412c442fd2590fd
95b99dd7dd7814724287c89e2435aa65cc82e91c5aabd453be1a0532d50bd936
96397b26ba4ee4244704c2cadd71c3d3d4c12e988f6de1d695f3602432bd94b3
9c5acd9297928707ed7e472e9316b125b55b2cd98870aaa4b4630dcd0fece734

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Genkryptik-6704925-0

Indicators of Compromise

Registry Keys

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
- Value Name: DhcpNameServer
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
- Value Name: DhcpNameServer

Mutexes

!IECompat!Mutex
!PrivacIE!SharedMem!Mutex
Local\VERMGMTBlockListFileMutex
Local\!BrowserEmulation!SharedMemory!Mutex
Local\URLBLOCK_DOWNLOAD_MUTEX
Local\URLBLOCK_HASHFILESWITCH_MUTEX
{5312EE61-79E3-4A24-BFE1-132B85B23C3A}
{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}
IsoScope_1e0_ConnHashTable<480>_HashTable_Mutex
IsoScope_1e0_IESQMMUTEX_0_303
IsoScope_1e0_IESQMMUTEX_0_331
IsoScope_1e0_IESQMMUTEX_0_274
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_480
IsoScope_708_ConnHashTable<1800>_HashTable_Mutex
IsoScope_708_IESQMMUTEX_0_303
IsoScope_708_IESQMMUTEX_0_331
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1800
IsoScope_708_IESQMMUTEX_0_274
IsoScope_4b4_IESQMMUTEX_0_274
IsoScope_f8_IESQMMUTEX_0_274
IsoScope_20c_ConnHashTable<524>_HashTable_Mutex
IsoScope_20c_IESQMMUTEX_0_303
IsoScope_20c_IESQMMUTEX_0_331
IsoScope_4b4_ConnHashTable<1204>_HashTable_Mutex
IsoScope_4b4_IESQMMUTEX_0_303
IsoScope_4b4_IESQMMUTEX_0_331
IsoScope_20c_IESQMMUTEX_0_274
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_524
IsoScope_f8_ConnHashTable<248>_HashTable_Mutex
IsoScope_f8_IESQMMUTEX_0_303
IsoScope_f8_IESQMMUTEX_0_331
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_248
IsoScope_6e4_IESQMMUTEX_0_274
IsoScope_6e4_ConnHashTable<1764>_HashTable_Mutex
IsoScope_6e4_IESQMMUTEX_0_303
IsoScope_6e4_IESQMMUTEX_0_331
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1764
IsoScope_4e8_IESQMMUTEX_0_274
IsoScope_4e8_ConnHashTable<1256>_HashTable_Mutex
IsoScope_4e8_IESQMMUTEX_0_303
IsoScope_4e8_IESQMMUTEX_0_331
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1256

IP Addresses contacted by malware. Does not indicate maliciousness

13[.]107[.]21[.]200

Domain Names contacted by malware. Does not indicate maliciousness

ryiwuehwskosuqhs[.]com
goldenmemb[.]website
dolikulooospo[.]fun

Files and or directories created

%LocalAppData%Low\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
%LocalAppData%\Microsoft\Windows\WebCache\V01tmp.log
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\dnserror[1]
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\httpErrorPagesScripts[1]
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\errorPageStrings[1]
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\httpErrorPagesScripts[1]
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\NewErrorPageTemplate[1]
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\errorPageStrings[1]
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\NewErrorPageTemplate[1]
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\dnserror[1]
%LocalAppData%\Microsoft\Windows\WebCache\V010000F.log
%LocalAppData%\Temp\~DF4B1ABF6D6A9DC6E3.TMP
%LocalAppData%\Temp\~DF88BBAB8557CDD7E3.TMP
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\errorPageStrings[1]
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\suggestions[2].en-US
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\NewErrorPageTemplate[1]
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\dnserror[1]
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\favicon[2].ico
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\favicon[1].png
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\favicon[2].png
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\views[1]
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\favicon[1].ico
%LocalAppData%\Temp\~DFDEB0FC636A1346E9.TMP
%LocalAppData%\Temp\~DFEBFBFB87C6F7EC1B.TMP
%LocalAppData%\Temp\~DFFC172A87F8554CB4.TMP
%LocalAppData%\Temp\~DF81A97BC70E347BD0.TMP
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\httpErrorPagesScripts[1]
%LocalAppData%\Temp\~DF8AA772D245BBB59D.TMP
%LocalAppData%\Temp\~DF90B11BDCE6092786.TMP
%LocalAppData%\Temp\~DF9FFAF3D7E7318657.TMP
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\NewErrorPageTemplate[1]
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\httpErrorPagesScripts[1]
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\NewErrorPageTemplate[2]
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\dnserror[2]
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\errorPageStrings[1]
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\errorPageStrings[2]
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\httpErrorPagesScripts[2]
%LocalAppData%\Temp\~DF5DDD3B43947F7CEA.TMP
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\dnserror[1]
%LocalAppData%\Temp\~DFB15BBE1A2AFF7D7E.TMP
%LocalAppData%\Temp\~DF1D30A03829232972.TMP
%LocalAppData%\Temp\~DF38E2C66D6383AD19.TMP
%LocalAppData%\Temp\~DFCE77235CFE7E5202.TMP

File Hashes

060707050140235807d6e6ac6933fa26cf0c230d68f574b880e99a699bdf506a
088a6e8da14dbeab941702b1515b85486544dffc83885112b95997257f8d32d5
0dfc771e0fbdf05facc54643341dfce97b745efe13867b01049bc977624d14b2
0e21eb1c5f15689329bc6d46d78eb7d0f4eccc6fb8da4f41d17e6205ae7a847b
0f71ba5f0fbba5d9810a4f816c5ebe1d545c4c65b34c180c769c2cd3467b0737
130649d3f09197d1c2e895cc06fd9ecd6feb2e663562a6b99d95ae4ce66eddb8
139ac3f5d2e5351c0edcd0edb384d0a75e482e8007724f181c7a4204f5895ad9
13c3313b910f18431ea183b00632deacd266561a73bcf837f4b46f1f73b31bcd
24b6c693551ed33b55d7ce6baae96dcca9e3cb55e9b94637d5ba59edc109d402
27cec90ae8c84a79dd2ebb2928152bdea1b07cab3b2f1ad98ed8fb3f17cc339b
28b54e5cf1be89766c177bc7f4c8692abec0bb4bdf299a59709d10120f7bc205
29b845365404070e98840dcd74eb3c23919b0990b14bd0905b0921220f8b4bb9
2c3fad4307c0739c336e50ec670b61d00029d2a2be260676419f883835ce8818
337ad107eb3e1fc497af4b3f6006e12ae74a55d6535f28a67c9b231807e15f24
3394d5ec6ba4c548289008cbfea8238318af52d51e8e2110b5060635425db74c
378a4e27208c7fee9c7ac33d11d8872db902fe5242aceabba11343bf11a95155
3a136b2b6df645c3e6b3c0febb821a5dda5bcb4bd35f674fb33aa10684b58004
3c4e171d1f0b29b6f40f8bdf6af0c1161b092591c453c66734f4c6f54a0ac36f
3ec415b8f411c2004892c7dedcd25e4683d0f0fded754c8b9a0f784f087dddcf
420c05993a014331992918e89dda914851c0e31a2e196446309e3da07dc0c31a
43d9e51c98400b09bc499f0e2857e2b797254167c29c9d2234f6506d7cf7f98e
4ae9179659e2ba267b87478ea0f48c6c1caba252b4d2bcdfdc4b6ba873028d87
542b5b23123a0a71d79181adeda4edfff6b91cdaf0068aafc55ee03bdc928ab5
5bbc6d14ed5d408d0c7bb115853dff092c236517223c14b92c709a7ffa2c5742
5cc63a68be8b7ea9feca940e7b038ebca417f421a0b70c17d3e6ebfca4212e16

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Malware.Zusy-6704537-0

Indicators of Compromise

Registry Keys

<HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
- Value Name: LanguageList
<HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
- Value Name: PnpInstanceID
<HKCU>\Software\Microsoft\RAS AutoDial

Mutexes

DBWinMutex
NtHack

IP Addresses contacted by malware. Does not indicate maliciousness

139[.]196[.]204[.]190

Domain Names contacted by malware. Does not indicate maliciousness

www[.]bilibili[.]com
wpa[.]qq[.]com
bbs[.]nt47[.]com
www[.]nt47[.]com

Files and or directories created

File Hashes

00b657fa1270930f868fcd06c38af4b1514baa727c0db576e50340cc2f1c49dc
0f6f850198e9afb8ddfe5552dad5ae6151c3cdf41f5ed8964a1e46ce62ea0d2b
1bf8402a3da8797a130c528ff38fcca42403a5e878943d8dbaec420433c55edf
2c0996f013b00833a28d1612acc545a66264b613e7127738ccf3536ddb04501c
41cd6b708c56e1bad9b185ab09de02efd1f57d7c6691a9910d00b18489e59ec7
4733b5c290c00ca10bc72c248d6a014c6bf5fe21b92592b941cfdd8ac6870610
55099d0d5b7f5f677e431ebaf4c9a71877ab7b10887cb027ac78540ba1631779
680e98f78b16e05b2f55e1432f8553341cfd02ece47cedca652a04e1f4c901cf
6f496ef1284e79d93693374672e416d46b55c6590f8ab7737303b12f7316c2dd
9085e78cbbf63b30c42a4801cee1b67fa41f4c4308d0f163c3d39d7f76c00bf8
98e0df2e9cf8ba02d05cdc1bdea0cccc861855197f2a009f4a8fed152770b499
c19b9d8770e3619d832401aa7bc385bbf7e239d0397febbb441621efbb539f72
cca199364abfb50ec1dd467035fd2c637056abac9f8351393111dcdce8243e38
d346a3d9a4be88b2e6fe2b78b391efa47d4de3c9acb23aeb31c0b0e1868d9817
da9e5e6a5379284ca1b4e9be680bbecdcbca2378d8d8ae9e76e5601ba4fd9dcc
eba22d087a40a79daa58a95e6337f53cf98885400019ad9e8417bb4ce2f2c8ea

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Razy-6703914-0

Indicators of Compromise

Registry Keys

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
- Value Name: internat.exe
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
- Value Name: system
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4LW407K6-M06A-64Y6-80K0-13CK6KK8U041}
- Value Name: StubPath

Mutexes

IP Addresses contacted by malware. Does not indicate maliciousness

217[.]12[.]210[.]23
82[.]205[.]63[.]221

Domain Names contacted by malware. Does not indicate maliciousness

extreme33[.]dns1[.]us
mdformo[.]ddns[.]net
mdformo1[.]ddns[.]net

Files and or directories created

File Hashes

00e3f5ffeb38495cefce0f1c9522743764adf1ee6ce51b91c9c4726726562a12
01a7bdfdc6502db6bd237fcbc64596d8f76052e942c2c87e897f1ae786b7cac2
02c5fa1012b9cf0d46801cadcc4fe6814b4f75d50104e948031d00ff3ca7b93c
035f91568ca2bad43ce3fde98a2ae0418821e5f558c62b919c786c3b07bc0fe2
03970d185025e7e226c704b5bcd13de89730677345d3d57081d07895966567d4
052862be7afd84bbd167be8b83918d828608b35e1423600571747e67e66dbd16
055865fb005e3969e6d9e7feba2e81a8bedbe3048bf2a9cd3a9fbfe8ea6076e5
063e213ee0ecae95132a3cea557203b782de3c63b753fbd405ed670e83fbf573
07912d5cd0bf4ef89355a76c1fc36497e90333111b127dcf07d76cbc8ab76838
081fbe8f1c01676f9765ff7742b5d348433e2fd073136355100fe9f054140e6a
08627d7fbb6313bcdd42ac88152b71f4700dadf0446fb985b269c614bdd3f9af
08c257d2e5938dc6539b463ba0689982b79c112c8ad0aaf1be247726622ea487
092b86ef5f0e69ac5e1d554304189d289f27534fa4c7835ad4137f380a25979b
09c9b81d40f3c97876eaad0f29d7e9694c58c9a9cc4dc38b167611ecfbda3d75
0a032738a8ffc58b6cdce62ef209b247e008f597b6955d87da71e1654da970ef
0a77d603959b51f81cd2b3b27342be0fa4248586ba0121779f1a9959fd701d11
0aa93c8240a9c593d6a8d5c226d4f0b7ac033cef70b39524281c52d92a97fb0a
0afde5386ca8587bca67577727f02c3e71b883b7b5fc72e25a0d542f6c5819c8
0d794619980f35738bd57712d170542d6d8ff58248d21529754a0881c0b139a4
0f4fc18209bbb1d979cb504b807142e1a24aa8ee831e33ce8825a5bd350096fa
0ffca4c710e5af160e813f686181131c963123caaeeea9762f86296822b8c883
10427e9a0ee1b4e3d349d61839e1f09cb86b2a68d23e41933127dd5ce2da0134
1343648c8b4748294191cfdca4b4881a57cee96db4051530c514e7c56e1152e3
1495bb27a646d27162b28bce50ebf25abc5182e7417ced315f1b93060f7e99a0
17983b493cd46b604ef3846516da1cda1628ec855b896be8b54a9558ae83058c

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Doc.Malware.Emooodldr-6699885-0

Indicators of Compromise

Registry Keys

<HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
- Value Name: LanguageList
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PRINT\PRINTERS\Canon PIXMA MG2520\PrinterDriverData

Mutexes

Global\552FFA80-3393-423d-8671-7BA046BB5906
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2580483871-590521980-3826313501-500
Global\MTX_MSO_AdHoc1_S-1-5-21-2580483871-590521980-3826313501-500
Global\MTX_MSO_Formal1_S-1-5-21-2580483871-590521980-3826313501-500
Local\10MU_ACB10_S-1-5-5-0-57527
Local\10MU_ACBPIDS_S-1-5-5-0-57527
Local\WinSpl64To32Mutex_e162_0_3000
Local\MSCTF.Asm.MutexDefault1

IP Addresses contacted by malware. Does not indicate maliciousness.

Domain Names contacted by malware. Does not indicate maliciousness.

q0fpkblizxfe1l[.]com

Files and or directories created

%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B106E8EE-597B-49CA-A6A4-5BA8ABCC8F6A}.tmp
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{43E9ADDD-30D5-47E4-98B0-7E3A5536CACC}.tmp
%UserProfile%\Documents\20180928
%UserProfile%\924.exe
%SystemDrive%\TEMP\~$8241024f69edc258237f01170ea088fd5064c5908267e943f97bc9e2a6ea1d.doc
%LocalAppData%\Temp\CVR41E8.tmp
%LocalAppData%\Temp\~DFD053DCDB50AFFE51.TMP
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{0EF83731-611B-4C55-980D-4D5CFC5BF353}.tmp
%AppData%\Microsoft\Office\Recent\5f8241024f69edc258237f01170ea088fd5064c5908267e943f97bc9e2a6ea1d.LNK
\TEMP\~$8241024f69edc258237f01170ea088fd5064c5908267e943f97bc9e2a6ea1d.doc
%LocalAppData%\Temp\bdmwft0z.slp.ps1
%LocalAppData%\Temp\tjkn23yi.53a.psm1
%UserProfile%\Documents\20180928\PowerShell_transcript.PC.ceUgAgR5.20180928074741.txt

File Hashes

06f0ec25e8b014b407402207afa8b6c0db494ad270d910534399c2137204e81b
0a8d4f2ac74485345284950b158da4be071633f33b0c7b9fa18d1f3e4d28732e
292b28d2f08fbd08ee8f1c2ed6f765b08c883031c0fae8dd84480ba0e1ca940d
3371fc7b0cf2d389571002c3ca26c9268edc373b79486e47bd6c349120f560c2
33d078881456e3b930c480803902fa28142b17c8550f3932e7cf4a1df0eb9213
567fe3794a9eec27697ae0634861d284279261880887f60a7374c6cbe63b7674
5f8241024f69edc258237f01170ea088fd5064c5908267e943f97bc9e2a6ea1d
91f0264ea76628c6b8825f358cd9cb8e1255604108fc059e0ac283d49c0dd852
933f5c822937fdec9325d1c99c5e0a5fda92296ef7c51ce7cd2dfc72bbe95b82
cf8f98b1adf802ed2b24345161a38c4cfa499b36f17b0466a1da74edce84ba4b
e469ba3bad870a5e7596035f69f2ba4cbb849cbdf9a8019890ccdea02c60e4d6
f368d4a10770c42316d9c1024a0894b85048020526be03b2e824165b5b66e978
f88ef62f2342f4d1105cfe85395b735efd3f0308b79551944983ce245d425510

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

↧

Vulnerability in the Intel Unified Shader compiler for the Intel Graphics Accelerator

October 9, 2018, 11:04 am

≫ Next: Microsoft Patch Tuesday — October 18: Vulnerability disclosures and Snort coverage

≪ Previous: Threat Roundup Sept 28 - Oct 5

Vulnerabilities discovered by Piotr Bania of Cisco Talos

Talos is disclosing a pointer corruption vulnerability in the Intel Unified Shader compiler for the Intel Graphics Accelerator.

Overview

In order for the graphics to be produced, the graphics accelerators need to process the OpenGL scripts into actual graphics. That process is named "shader compilation." On the Intel Graphics accelerator, this is done inside the igdusc64 dynamic linked library (DLL), and this is where the vulnerability exists.

TALOS-2018-0533 - Intel Unified Shader Compiler for Intel Graphics Accelerator Pointer Corruption

An exploitable pointer corruption vulnerability exists in the Intel's Unified Shader Compiler for IntelⓇ Graphics Accelerator, version 10.18.14.4889. A specially crafted pixel shader can cause a pointer corruption, that if exploited successfully, may lead to code execution. An attacker can trigger the vulnerability by supplying a specially crafted shader file, either in binary or text form. The vulnerability can be triggered from a VMware guest affecting VMware host (potentially causing VMware to crash or a guest-to-host escape). Under specific circumstances, WebGL may also be an attack vector.

CVE: CVE-2018-12152

A full technical advisory is available here.

TALOS-2018-0568 - Intel Unified Shader Compiler for Intel Graphics Accelerator Remote Denial of Service

An exploitable denial-of-service vulnerability exists in the Intel's Unified Shader Compiler for Intel Graphics Accelerator (10.18.14.4889). An attacker can provide a specially crafted shader file (either in binary or text form) to trigger this vulnerability. This vulnerability can be triggered from VMware guest and the vmware-vmx.exe process crash on the host.

CVE: CVE-2018-12153

A full technical advisory is available here.

TALOS-2018-0579 - Intel Unified Shader Compiler for Intel Graphics Accelerator Remote Denial of Service

An exploitable pointer corruption vulnerability exists in the Intel's Unified Shader Compiler for Intel Graphics Accelerator, version 10.18.14.4889. A specially crafted pixel shader can cause an infinite loop, leading to a denial of service.

The vulnerability can be triggered from a VMware guest affecting VMware host where the vmware-vmx.exe will become unresponsive while consuming CPU resources.

CVE: CVE-2018-12154

A full technical advisory is available here.

Discussion

Vulnerabilities that may lead to virtual machine guest-to-host escape are especially insidious, as they may expose more than just the targeted system. The possibility of a remote attack vector through the WebGL increases the risk posed by this vulnerability, has it provides a bigger landscape of attack.

Coverage

The following Snort IDs have been released to detect these vulnerabilities:
45752 - 45753, 46173 - 46174, 46388 - 46389

↧

Microsoft Patch Tuesday — October 18: Vulnerability disclosures and Snort coverage

October 9, 2018, 11:38 am

≫ Next: Vulnerability Spotlight: VMWare Workstation DoS Vulnerability

≪ Previous: Vulnerability in the Intel Unified Shader compiler for the Intel Graphics Accelerator

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 49 vulnerabilities, 12 of which are rated "critical," 34 that are rated "important,” two that are considered to have “moderate” severity and one that’s rated as “low.”

The advisories cover bugs in the Chakra scripting engine, the Microsoft Edge internet browser and the Microsoft Office suite of products, among other software.

This update also includes a critical advisory that covers updates to the Microsoft Office suite of products.

Critical vulnerabilities

Microsoft has disclosed 12 critical vulnerabilities this month, which we will highlight below.

CVE-2018-8491, CVE-2018-8460 and CVE-2018-8509 are memory corruption vulnerabilities in the Internet Explorer web browser. In both cases, an attacker needs to trick the user into visiting a specially crafted, malicious website that can corrupt the browser’s memory, allowing for remote code execution in the context of the current user. This class of vulnerabilities is especially dangerous since a spam campaign can be used to trick the user while hiding the attack from network protections with HTTPS.

CVE-2018-8473 is a remote code execution vulnerability in Microsoft Edge. The bug lies in the way the web browser accesses objects in memory. An attacker could trick a user into visiting a malicious website or take advantage of a website that accepts user-created content or advertisements in order to exploit this vulnerability.

CVE-2018-8513, CVE-2018-8500, CVE-2018-8511, CVE-2018-8505 and CVE-2018-8510 are memory corruption vulnerabilities in the Chakra scripting engine that affects a variety of products. In all cases, an attacker could exploit these vulnerabilities to execute code on the system in the context of the current user and completely take over the system. This class of vulnerabilities is especially dangerous since a spam campaign can be used to trick the user while hiding the attack from network protections with HTTPS.

CVE-2018-8494 is a remote code execution vulnerability that exists when the MSXML parser in Microsoft XML Core Services processes user input. An attacker can exploit this bug by invoking MSXML through a web browser on a specially crafted website. The user also needs to convince the user to open the web page.

CVE-2018-8490 and CVE-2018-8489 are remote code execution vulnerabilities in the Windows Hyper-V hypervisor. The bugs lie in the way the host server on Hyper-V fails to properly validate input from an authenticated user on a guest operating system. An attacker could exploit these vulnerabilities by running a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

Important vulnerabilities

There are also 34 important vulnerabilities in this release. We would like to specifically highlight 22 of them.

CVE-2018-8512 is a security feature bypass vulnerability in Microsoft Edge. The web browser improperly validates certain specially crafted documents in the Edge Content Security Policy (CSP), which could allow an attacker to trick a user into loading a malicious page.

CVE-2018-8448 is an elevation of privilege vulnerability in the Microsoft Exchange email server. The bug exists in the way that Exchange Outlook Web Access improperly handles web requests. An attacker could exploit this vulnerability by performing script or content injection attacks that trick the user into disclosing sensitive information. They could also trick the user into providing login credentials via social engineering in an email or chat client.

CVE-2018-8453 is an elevation of privilege vulnerability in the Windows operating system that occurs when the Win32k component improperly handles objects in memory. An attacker could obtain the ability to run arbitrary code in kernel mode by logging onto the system and then run a specially crafted application.

CVE-2018-8484 is an elevation of privilege vulnerability in the DirectX Graphics Kernel driver that exists when the driver improperly handles objects in memory. An attacker could log onto the system and execute a specially crafted application to exploit this bug and run processes in an elevated context.

CVE-2018-8423 is a remote code execution vulnerability in the Microsoft JET Database Engine that could allow an attacker to take control of an affected system. A user must open or import a specially crafted Microsoft JET Database Engine file on the system in order to exploit this bug. They could also trick a user into opening a malicious file via email.

CVE-2018-8502 is a security feature bypass vulnerability in Microsoft Excel when the software fails to properly handle objects in protected view. An attacker could execute arbitrary code in the context of the current user if they convince the user to open a specially crafted, malicious Excel document via email or on a web page. This bug cannot be exploited if the user opens the Excel file in just the preview pane.

CVE-2018-8501 is a security feature bypass vulnerability in Microsoft PowerPoint. The bug exists when the software improperly handles objects in protected view. An attacker can execute arbitrary code in the context of the current user if they convince the user to open a specially crafted PowerPoint file. This bug cannot be exploited if the user only opens the file in preview mode.

CVE-2018-8432 is a remote code execution vulnerability that lies in the way Microsoft Graphics Components handles objects in memory. A user would have to open a specially crafted file in order to trigger this bug.

CVE-2018-8504 is a security feature bypass vulnerability in the Microsoft Word word processor. There is a flaw in the way the software handles objects in protected view. An attacker could obtain the ability to arbitrarily execute code in the context of the current user if they convince the user to open a malicious Word document. The bug cannot be triggered if the user opens the file in preview mode.

CVE-2018-8427 is an information disclosure vulnerability in Microsoft Graphics Components. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted file, which would expose memory layout.

CVE-2018-8480 is an elevation of privilege vulnerability in the Microsoft SharePoint collaborative platform. The bug lies in the way the software improperly sanitizes a specially crafted web request to an affected SharePoint server. An attacker could exploit this vulnerability by sending a specially crafted request to an affected SharePoint server.

CVE-2018-8518, CVE-2018-8488 and CVE-2018-8498 are elevation of privilege vulnerabilities in the Microsoft SharePoint Server. An attacker can exploit these bugs by sending a specially crafted request to an affected SharePoint server, allowing them to carry out cross-site scripting attacks and execute code in the context of the current user.

CVE-2018-8333 is an elevation of privilege vulnerability in Filter Management that exists when the program improperly handles objects in memory. An attacker needs to log onto the system and delete a specially crafted file in order to exploit this bug, which could lead to them gaining the ability to execute code in the context of an elevated user.

CVE-2018-8411 is an elevation of privilege vulnerability that exists when the NFTS file system improperly checks access. An attacker needs to log onto the system to exploit this bug and then run a specially crafted application, which could lead to the attacker running processes in an elevated context.

CVE-2018-8320 is a security feature bypass vulnerability that exists in the DNS Global Blocklist feature. An attacker who exploits this bug could redirect traffic to a malicious DNS endpoint.

CVE-2018-8492 is a security bypass vulnerability in the Device Guard Windows feature that could allow an attacker to inject malicious code into Windows PowerShell. An attacker needs direct access to the machine in order to exploit this bug, and then inject malicious code into a script that is trusted by the Code Integrity policy. The malicious code would then run with the same access level as the script, and bypass the integrity policy.

CVE-2018-8329 is an elevation of privilege vulnerability in Linux on Windows. The bug lies in the way Linux improperly handles objects in memory. An attacker can completely take control of an affected system after logging onto the system and running a specially crafted application.

CVE-2018-8497 is an elevation of privilege vulnerability that exists in the way the Windows Kernel handles objects in memory. A locally authenticated attacker can exploit this bug by running a specially crafted application.

CVE-2018-8495 is a remote code execution vulnerability that exists in the way Windows Shell handles URIs. An attacker needs to convince the user to visit a specially crafted website on Microsoft Edge in order to exploit this vulnerability.

CVE-2018-8413 is a remote code execution vulnerability that exists when “Windows Theme API” improperly decompresses files. A victim can exploit this bug by convincing the user to open a specially crafted file via an email, chat client message or on a malicious web page, allowing the attacker to execute code in the context of the current user.

Other important vulnerabilities:

Moderate vulnerabilities

Of the two moderate vulnerabilities disclosed by Microsoft, Talos believes one is worth highlighting.

CVE-2010-3190 is a remote code execution vulnerability in the way that certain applications built using Microsoft Foundation Classes handle the loading of DLL files. An attacker could take complete control of an affected system by exploiting this vulnerability. At the time this bug was first disclosed, Exchange Server was not identified as an in-scope product, which is why this release highlights a flaw from 2010.

The other moderate vulnerability is CVE-2018-8533.

Low vulnerability

There is also one low-rated vulnerability, which Talos wishes to highlight.

CVE-2018-8503 is a remote code execution vulnerability in the way that Chakra scripting engine handles objects in memory in the Microsoft Edge web browser. An attacker needs to convince a user to visit a malicious website or malicious content on a web page that allows user-created content or advertisements in order to exploit this bug.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 48045 - 48057, 48058 - 48060, 48062, 48063, 48072, 48073

↧

Vulnerability Spotlight: VMWare Workstation DoS Vulnerability

October 9, 2018, 11:59 am

≫ Next: Microsoft WindowsCodecs.dll SniffAndConvertToWideString Information Leak Vulnerability

≪ Previous: Microsoft Patch Tuesday — October 18: Vulnerability disclosures and Snort coverage

Today, Cisco Talos is disclosing a vulnerability in VMware Workstation that could result in denial of service. VMware Workstation is a widely used virtualization platform designed to run alongside a normal operating system, allowing users to use both virtualized and physical systems concurrently.

TALOS-2018-0589

Discovered by Piotr Bania of Cisco Talos

TALOS-2018-0589 / CVE-2018-6977 is an exploitable denial-of-service (DoS) vulnerability in the VMware Workstation 14 software. The vulnerability lies in the pixel shader utilized by VMware Workstation and can be triggered by supplying a malformed pixel shader in either text or binary form inside a VMware guest operating system. This vulnerability can be triggered from VMware guest or VMware hosts and results in a process crashing leading to a DoS state. Additionally, it is possible to trigger the vulnerability through WEBGL, assuming the browser will not use ANGLE and will supply the malformed shader as intended.

For more technical details, please read our advisory here.

Tested Software:

VMware Workstation 14 (14.1.1.28517)

Coverage

Talos has developed the following Snort rules to detect attempts to exploit this vulnerability. Note that these rules are subject to change pending additional vulnerability information. For the most current information, please visit your Firepower Management Center or Snort.org.

Snort Rules: 46541 - 46542

For other vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal: http://www.talosintelligence.com/vulnerability-reports/

To review our Vulnerability Disclosure Policy, please visit this site:

http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html

↧

Microsoft WindowsCodecs.dll SniffAndConvertToWideString Information Leak Vulnerability

October 10, 2018, 9:21 am

≫ Next: GPlayed Trojan - .Net playing with Google Market

≪ Previous: Vulnerability Spotlight: VMWare Workstation DoS Vulnerability

These vulnerabilities were discovered by Marcin Noga of Cisco Talos.

Today, Cisco Talos is disclosing a vulnerability in the WindowsCodecs.dll component of the Windows operating system.

WindowsCodecs.dll is a component library that exists in the implementation of Windows Imaging Component (WIC), which provides a framework for working with images and their data. WIC makes it possible for independent software vendors (ISVs) and independent hardware vendors (IHVs) to develop their own image codecs and get the same platform support as standard image formats (ex. TIFF, JPEG, PNG, GIF, BMP and HDPhoto).

Vulnerability Details

TALOS-2018-0644 - Microsoft WindowsCodecs.dll SniffAndConvertToWideString Information Leak Vulnerability

TALOS-2018-0644 (CVE-2018-8506) is an exploitable memory leak vulnerability that exists in the SniffAndConvertToWideString function of WindowsCodecs.dll, version 10.0.17134.1. A specially crafted JPEG file can cause the library to return uninitialized memory, resulting in a memory leak. An attacker can send or share a malformed JPEG file to trigger this vulnerability.

This vulnerability is present in the WindowsCodecs DLL library — an implementation of Windows Imaging Component (WIC) —that provides an extensible framework for working with images and image metadata.

An attacker can leak heap memory due to the improper sting null termination after calling `IWICImagingFactory::CreateDecoderFromFilename` on a JPEG file with properly malformed metadata.

Additional details can be found here.

Affected versions

The vulnerability is confirmed in the WindowsCodecs.dll, version 10.0.17134.1, but it may also be present in the earlier versions of the product. Users are advised to apply the latest Windows update.

Discussion

WIC enables developers to perform image processing operations on any image format through a single, consistent set of common interfaces, without requiring prior knowledge of specific image formats and it provides an extensive architecture for image codecs, pixel formats, and metadata with automatic run-time discovery of new formats.

It's recommended that developers use operating system components, such as Windows Imaging Component, that are updated frequently so they do not have to apply any specific updates to their own products.

Memory leak vulnerabilities are dangerous and could cause the instability in the system, as the program does not properly free the allocated memory and the memory blocks remain marked as being in use. Vulnerable applications continue to waste memory over time, eventually consuming all RAM resources, which can lead to abnormal system behavior. Developers should be aware of these vulnerabilities' potentially damaging consequences.

Coverage

The following SNORTⓇ rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 47430 - 47433

↧

GPlayed Trojan - .Net playing with Google Market

October 11, 2018, 6:06 am

≫ Next: Threat Roundup for October 5 to October 12

≪ Previous: Microsoft WindowsCodecs.dll SniffAndConvertToWideString Information Leak Vulnerability

This blog post is authored by Vitor Ventura.

Introduction

In a world where everything is always connected, and mobile devices are involved in individuals' day-to-day lives more and more often, malicious actors are seeing increased opportunities to attack these devices. Cisco Talos has identified the latest attempt to penetrate mobile devices — a new Android trojan that we have dubbed "GPlayed." This is a trojan with many built-in capabilities. At the same time, it's extremely flexible, making it a very effective tool for malicious actors. The sample we analyzed uses an icon very similar to Google Apps, with the label "Google Play Marketplace" to disguise itself.

The malicious application is on the left-hand side.

What makes this malware extremely powerful is the capability to adapt after it's deployed. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed. Our analysis indicates that this trojan is in its testing stage but given its potential, every mobile user should be aware of GPlayed. Mobile developers have recently begun eschewing traditional app stores and instead want to deliver their software directly through their own means. But GPlayed is an example of where this can go wrong, especially if a mobile user is not aware of how to distinguish a fake app versus a real one.

Trojan architecture and capabilities

This malware is written in .NET using the Xamarin environment for mobile applications. The main DLL is called "Reznov.DLL." This DLL contains one root class called "eClient," which is the core of the trojan. The imports reveal the use of a second DLL called "eCommon.dll." We determined that the "eCommon" file contains support code and structures that are platform independent. The main DLL also contains eClient subclasses that implement some of the native capabilities.

The package certificate is issued under the package name, which also resembles the name of the main DLL name.

Certificate information

The Android package is named "verReznov.Coampany." The application uses the label "Installer" and its name is "android.app.Application."

Package permissions

The trojan declares numerous permissions in the manifest, from which we should highlight the BIND_DEVICE_ADMIN, which provides nearly full control of the device to the trojan.

This trojan is highly evolved in its design. It has modular architecture implemented in the form of plugins, or it can receive new .NET source code, which will be compiled on the device in runtime.

Initialization of the compiler object

The plugins can be added in runtime, or they can be added as a package resource at packaging time. This means that the authors or the operators can add capabilities without the need to recompile and upgrade the trojan package on the device.

Trojan native capabilities

This is a full-fledged trojan with capabilities ranging from those of a banking trojan to a full spying trojan. This means that the malware can do anything from harvest the user's banking credentials, to monitoring the device's location. There are several indicators (see section "trojan activity" below) that it is in its last stages of development, but it has the potential to be a serious threat.

Trojan details

Upon boot, the trojan will start by populating a shared preferences file with the configuration it has on its internal structures. Afterward, it will start several timers to execute different tasks. The first timer will be fired on the configured interval (20 seconds in this case), pinging the command and control (C2) server. The response can either be a simple "OK," or can be a request to perform some action on the device. The second timer will run every five seconds and it will try to enable the WiFi if it's disabled. The third timer will fire every 10 seconds and will attempt to register the device into the C2 and register wake-up locks on the system to control the device's status.

During the trojan registration stage, the trojan exfiltrates private information such as the phone's model, IMEI, phone number and country. It will also report the version of Android that the phone is running and any additional capabilities.

Device registration

This is the last of the three main timers that are created. The trojan will register the SMS handler, which will forward the contents and the sender of all of the SMS messages on the phone to the C2.

The final step in the trojan's initialization is the escalation and maintenance of privileges in the device. This is done both by requesting admin privileges on the device and asking the user to allow the application to access the device's settings.

Privilege escalation requests

The screens asking for the user's approval won't close unless the user approves the privilege escalation. If the user closes the windows, they will appear again due to the timer configuration.

After the installation of the trojan, it will wait randomly between three and five minutes to activate one of the native capabilities — these are implemented on the eClient subclass called "GoogleCC." This class will open a WebView with a Google-themed page asking for payment in order to use the Google services. This will take the user through several steps until it collects all the necessary credit card information, which will be checked online and exfiltrated to the C2. During this process, an amount of money, configured by the malicious operator, is requested to the user.

Steps to request the user's credit card information

In our sample configuration, the request for the views above cannot be canceled or removed from the screen — behaving just like a screen lock that won't be disabled without providing credit card information.

All communication with the C2 is done over HTTP. It will use either a standard web request or it will write data into a web socket if the first method fails. The C2 can also use WebSocket as a backup communication channel.

Before sending any data to the C2 using the trojan attempts to disguise its data, the data is serialized using JSON, which is then encoded in Base64. However, the trojan replaces the '=' by 'AAAZZZXXX', the '+' by '|' and the '/' by '.' to disguise the Base64.

Request encoding process

The HTTP requests follow the format below, while on the WebSocket only the query data is written.

As is common with trojans, the communication is always initiated by the trojan on the device to the C2. The request codes are actually replies to the C2 action requests, which are actually called "responses." There are 27 response codes that the C2 can use to make requests to the trojan, which pretty much match what's listed in the capabilities section.

Error
Registration
Ok
Empty
SendSMS
RequestGoogleCC
Wipe
OpenBrowser
SendUSSD

RequestSMSList
RequestAppList
RequestLocation
ShowNotification
SetLockPassword
LockNow
MuteSound
LoadScript
LoadPlugin

ServerChange
StartApp
CallPhone
SetPingTimer
SMSBroadcast
RequestContacts
AddInject
RemoveInject
Evaluate

Another feature of this trojan is the ability to register injects, which are JavaScript snippets of code. These will be executed in a WebView object created by the trojan. This gives the operators the capability to trick the user into accessing any site while stealing the user's cookies or forging form fields, like account numbers or phone numbers.

Trojan activity

At the time of the writing of this post, all URLs (see IOC section) found on the sample were inactive, and it does not seem to be widespread. There are some indicators that this sample is just a test sample on its final stages of development. There are several strings and labels still mentioning 'test' or 'testcc' — even the URL used for the credit card data exfiltration is named "testcc.php."

Debug information on logcat

Another indicator is the amount of debugging information the trojan is still generating — a production-level trojan would keep its logging to a minimum.

The only sample was found on public repositories and almost seemed to indicate a test run to determine the detection ratio of the sample. We have observed this trojan being submitted to public antivirus testing platforms, once as a package and once for each DLL to determine the detection ratio. The sample analyzed was targeted at Russian-speaking users, as most of the user interaction pages are written in Russian. However, given the way the trojan is built, it is highly customizable, meaning that adapting it to a different language would be extremely easy. The wide range of capabilities doesn't limit this trojan to a specific malicious activity like a banking trojan or a ransomware. This makes it impossible to create a target profile.

Conclusion

This trojan shows a new path for threats to evolve. Having the ability to move code from desktops to mobile platforms with no effort, like the eCommon.DLL demonstrates that malicious actors can create hybrid threats faster and with fewer resources involved than ever before. This trojan's design and implementation is of an uncommonly high level, making it a dangerous threat. These kinds of threats will become more common, as more and more companies decide to publish their software directly to consumers.

There have been several recent examples of companies choosing to release their software directly to consumers, bypassing traditional storefronts. The average user might not have the necessary skills to distinguish legitimate sites from malicious ones. We've seen that this has been the case for many years with spear-phishing campaigns on desktop and mobile platforms, so, unfortunately, it doesn't seem that this will change any time soon. And this just means attackers will continue to be successful.

Coverage

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of compromise (IOC)

URLs
hxxp://5.9.33.226:5416
hxxp://172.110.10.171:85/testcc.php
hxxp://sub1.tdsworker.ru:5555/3ds/

Hash values
Package.apk - A342a16082ea53d101f556b50532651cd3e3fdc7d9e0be3aa136680ad9c6a69f
eCommon.dl - 604deb75eedf439766896f05799752de268baf437bf89a7185540627ab4a4bd1
Reznov.dll - 17b8665cdbbb94482ca970a754d11d6e29c46af6390a2d8e8193d8d6a527dec3

Custom activity prefix
com.cact.CAct

↧

Threat Roundup for October 5 to October 12

October 12, 2018, 11:18 am

≫ Next: Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox

≪ Previous: GPlayed Trojan - .Net playing with Google Market

Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Oct. 5 and 12. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

Win.Malware.Emotet-6710203-0
Malware
Emotet is a banking trojan that has remained relevant due to its continual evolution and its ability to bypass antivirus products.
Win.Malware.Fuerboos-6712723-0
Malware
Fuerboos is a backdoor trojan that monitors user activity and captures that information to eventually send it back to a server. It utilizes a double flux network where multiple hosts act as proxies to further prevent researchers from locating the actual malicious server.
Win.Dropper.Demp-6714293-0
Dropper
Demp drops DLL files that are later injected into the explorer process. It is also capable of accepting commands from a command and control (C2) server and exfiltrating system information.
Win.Malware.Dgbv-6714452-0
Malware
DGBV is malware written in Delphi and is packed with Inno Setup, a free software installation system. Once deployed, DGBV collects sensitive information from the infected host and sends it to a C2, including browser password databases.
Doc.Downloader.Valyria-6713303-0
Downloader
Valyria is a malicious Word document family that is used to distribute other malware. This campaign is currently spreading Emotet.
Win.Downloader.Dofoil-6714608-0
Downloader
Dofoil, AKA SmokeLoader, is primarily used to download and execute additional malware. Read more about this threat on our blog.
Win.Malware.Zbot-6714649-0
Malware
Zbot, also known as Zeus, is trojan that steals information such as banking credentials. It has numerous capabilities, including key-logging using methods such as key-logging and form grabbing.

Threats

Win.Malware.Emotet-6710203-0

Indicators of Compromise

Registry Keys

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\dimcloud

Mutexes

PEM6A4
PEM6B0

IP Addresses contacted by malware. Does not indicate maliciousness

96[.]114[.]157[.]81
24[.]203[.]4[.]40
216[.]137[.]249[.]154
98[.]191[.]228[.]168
41[.]204[.]202[.]41

Domain Names contacted by malware. Does not indicate maliciousness

smtp[.]aavanira[.]com

Files and or directories created

File Hashes

0eba4bf670ebd4381150a0d9e1fd113561898849ac53fd22e0eee1afe05de77d
12faaf05baa1ead6dd6559f2eed72373d78eff2e462c59fc055ac098b8ad7d38
1affd33a6864d27ffb7b2398630c06610a3c9d81d0f84548b7a66c431d2b733a
1d75775d6b05c878611b678b1bceacc76c888fb086ad2c47111aa696dad4b59f
1fca28e3264af2703e3e221b9193e93351b3b9ef3474643fb27d589b8c10840e
20dec98c8003e986251cc8a765a931783203ec75eae436e9df2248a465321e53
213395fba51bb15feb10d201b78df2a8c4bfcd25498f672b02391a77647cb781
36bc6b1def213cb8f10670fa3d574f831fdd63a9a5f2a66f66c1d580dfb75955
3e9e1062c311605bb78e8df525eaa11268ad5b547ae9295669a0c751e16f5a13
49a9333f65eb8a84e74b14a928d7ad94737c95117eae62e87bf84617637f04a1
6c231427d0fc1cf9ad431c7c5a8973db04e5a5cd2ef3205d6f544ae3b20a57f8
74e5ce08015255e67a1e21dfd2e44afb613a329b4bc6a4a678d1fb18e0d45412
8e0652595b5c7661ce08ef8c986ad31cef38020f80f7afcd500a9acbdd6ae774
995cca730bcdeecd0e497999e7ff2a4a6659fae45130e05599f0d716125c00a3
a5a882b548a7b4faa705f9defef61566fdc778c983f58b71578896448f2721fb
aa9c066ef31f701399812d51bf46231d88911bf062098e4428e8768002d6274c
af253123e7bc9a5732d21ecca3d9d24db4c3a1d616fc8d8b14c3bdaa97bac3b9
b7fab8bd7cfc07cf11cbf012b9d926cc4953df301b4d5bf8df12106d9d748aca
c0fa19dd12030a9c24375a25dbfd413a6fd123b2b0451902af767167b313aad5
c1ea9d852216d51cffbed3da3ef2fc23156f523096f900a9127ca91cbda542fb
ed96c1d12554779cdef56ebd87ac4390815c006cb7771608297377cabc3a8023
fb05b1c6edb8961620fff003d4ea496d889e5e217f28e77a7d6c37a6c73e3f17

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Malware.Fuerboos-6712723-0

Indicators of Compromise

Registry Keys

Mutexes

_!SHMSFTHISTORY!_
!PrivacIE!SharedMem!Mutex
SmartScreen_ClientId_Mutex

IP Addresses contacted by malware. Does not indicate maliciousness

54[.]39[.]175[.]170
51[.]68[.]239[.]251

Domain Names contacted by malware. Does not indicate maliciousness

s928eid19oqieuqoeu[.]com
11wiwy19wpqoqsos292uwoqow83[.]com

Files and or directories created

%LocalAppData%\Temp\04pnjlnm.cmdline
%LocalAppData%\Temp\04pnjlnm.dll
%LocalAppData%\Temp\04pnjlnm.out
%LocalAppData%\Temp\F256.bin

File Hashes

033a197eb9289e06f7541f3b66fdf308d8abce2fc4e7269776a664bde3e3945d
05f4d4b6a171b5dc1023b75983a6203f2a958f39a821c3483d05ee30c3a972d5
07783f32930a4b4b595976f347fc6272c1ac67e73b173a962ee4cb6cc92fd757
07b55edfd0e61cd0e120e0245dfe1dce775405c1aa12ea7717afdf3f55fae0a4
0d87696146e48e023816ca67ff8bc449bc326e6592d1fb588283eed4d6b80357
0df85fbe16e6252a12ad9096590d3f1b9af548f0972edfb9393521ac86ca26cd
10c075586237c573630d7361e55b910c38f67d9c8255592858b80e57c4c5b796
11a4da86de7617dbe52f7b89818626f10b4c4c326b71b2a7c8f4477293b5de92
12124b503f2989dea4dc2bbb9edc1054971075d7b326836693f5623ca46ffd1b
13a05b5af10b15d1ad5e296c75507b65c70f669cb5e48f3174fc28d9053e1ee9
14881ef04a4af32b3cd29d413557c5bee31efe0d1f35db0b5a570dac7dc0c6cc
19e9de7427f46bac7637d0a9a633d3b34d8e515df48b39229c1b673bf5105681
1df9d199d46a2f8f0b345b3fd3fdd77ac7c0449df03e156f508b3d0d1600607c
1fae65f06e00e08ec2d60519cd416335c7b26f0e92d4ef2b65e72f5a3d166172
1fd513421c26ae15b03dae61fe9932fbe7fc9bcc65a268867fed5a3987df18c0
23d849dd6ce38c93fb47adfdc6a29c28d7d9993534fc35eb9745396dab3c2edc
25466f6ed1011635a332ef93c465d5f6803e4099a09b8e3764f3d29a012e70fb
2773a65c5791d9382e498e84c352d5175445669c5b566c3bca150d9c320ebfe0
27ed0a3e9ca95105f734e9aa55fe6a65fafb196a291913af197a48c263865685
2ab936982eadd726bab936ab68bef211b3ffafd6f6f36dd1406830db72aae529
2b728ccccb05a1b03cb4ad4ccac320d74feeafe2f2be0a06f635fd9f56daec65
2b7cf52c1c83af3ad9349e551619be5031db6f58049cf7697e155ad25dd6519a
2e534b2373b08930ff05e39491405c6580be5bfd194ec6b9798dad7b5ba841e3
2ede38df97248bfea976a6985427a1f6dc3206b96dab218e14354653192576e8
30e2c4ce1d069cfbd7b3be5025a022e432a681b38dc1b60d2d83e51a160056be

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Dropper.Demp-6714293-0

Indicators of Compromise

Registry Keys

<HKCU>\SOFTWARE\MICROSOFT\Yqar
<HKCU>\Software\Microsoft\Windows\Currentversion\Run

Mutexes

IP Addresses contacted by malware. Does not indicate maliciousness

203[.]78[.]107[.]112

Domain Names contacted by malware. Does not indicate maliciousness

www[.]siamrich[.]co[.]th

Files and or directories created

%AppData%\Albea\wuzuo.xuo
%AppData%\Ebodyk\ruce.exe
%AppData%\Ogno\ruof.kuh

File Hashes

1179d11e07f6bfc5e19bd4e715ffcc9ea8bb3c0e7cc6d4fe4e462f5433dab8c5
13bcb923aa00b7399e31fce0ad7c73c95d046b9fd9cc61fdad54a2001a24ef52
1751b6a0e5e0eb5709e63cf05f362e0256aff5c56bf919ce510cfa88836e7a3f
1dade14775862a6978810f9edc71679d7d7c128d469f2275258717ed88906d25
2e224ae755c32a914bc7be948a805b358fcc26ff1a95a04c6a05117501b164f3
5cb4338d783396dea3968b5f1ef16a3db4fca907a2c03e715aaafc61200eb20b
68f758a0d97e4f1a3dfa4c637c3d19332217c1c0fdf04e416d708cb9a7f47e10
7ee688e6cc5e3d6f27cb09c82842d7094f8de6d0900fba7c7686fe6e5edbb314
87dc7ea718d5dc4916bdee2a1b928921babc884f1754d5e01152b8bc868b6124
8f615ff9e9bafa6c0278fd4914bad01d4457689ab7a271d674ef0c7da569390c
967cf3782024def1f1bb478d12ab3658aa9081188a5f8a1b97bfb9daf37f1d98
b816f28c64b91a88e8675191bdfc6fb6cee14808a475bd23594637a033bfa3a9
cc7264cc4f7b0692935640eeaaccd71319a0459fe094f9b16cd055fa3cfb6ad7
cf020f6d42ef17fb0afcb5d9abf51721fd2de655e61a565fbc3891574b278e57
eb88635d91cbb0f85d235a2aec00fca2217fc16f076a5fb79cb6764c16eb002c
ee8a67421a69bfd280bb7429e19efb3ee7fc403db592315963934409c841fed4
f7589669d7b57285986b0ec280083fe66fb80aadc8b9d0ff279daac8459eb50d
fbda080d12a9da511c5763b8269b393c3f76a511ff05a4c740cb017d933605fc
fc9f06ce525f321e664d8a9c94bc7d8fe8420aadead196300451f5ade6867bff

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Dgbv-6714452-0

Indicators of Compromise

Registry Keys

Mutexes

3749282D282E1E80C56CAE5A

IP Addresses contacted by malware. Does not indicate maliciousness

45[.]122[.]138[.]6

Domain Names contacted by malware. Does not indicate maliciousness

filitimonieenama[.]com

Files and or directories created

%AppData%\D282E1\1E80C5.lck

File Hashes

1d9cbdafba2ed47d7a420ea42b690664d06245f5c25b94cfdcbc3a1a33499164
23100d1c82e06b6b899d4f04cfdd393c05ca656767c7a7648981fd14973ee7a6
418d65586f05d278901417b0c8d7c4752ea7415b2c8fa6c093a460a434c02c52
58be850629c361f619da13c0106a8e7a1e61e07855fc23aa956e283a626ccaa8
60ae0309004f39b41fb96fa278219875668ad139974a35a6b5bee5ad42caf985
6ce5513f53a548aad74508dd376456b2cb7a91323c4ea27e2410ead309300b86
78e19745a107b3d196d476f81feeeb01663787869910f369b176c23c3536aaca
7dfd6d093b0fd406f734d92b3fac5e59631c0649170670c220743be74344634f
8b6348185f0d21c809f2d924f868bdf8ee2ea7b9ba59c41783a35817dfaf17c9
919d0e14a92fee33c9ec402b0e02b5282fd5cae502aadc2c490d3bfdf4350ad8
bbd0a4000591033769be4ab26ca2fbe334440c4b56acb329433fc98c3405ceff
c0a6d9b38153cc61dd042e7b9ea02df9b8d0958f27f31d5be5d89dd66303b0b4
c6def90e73d83bfdfcaff20902a343f7d600f84ecb0a6531aff7b59a06ea8455
c9abc638ac5e06271bede0ee3880ef8e034a11bd0cda260ef82d4b6ee978c292

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Doc.Downloader.Valyria-6713303-0

Indicators of Compromise

Registry Keys

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\dimcloud

Mutexes

Global\I98B68E3C
Global\M98B68E3C
PEM758
PEM60C

IP Addresses contacted by malware. Does not indicate maliciousness

12[.]139[.]45[.]113
216[.]215[.]112[.]198
81[.]215[.]192[.]201
113[.]193[.]217[.]34
96[.]254[.]126[.]140

Domain Names contacted by malware. Does not indicate maliciousness

optics-line[.]com
ironspot[.]com

Files and or directories created

File Hashes

0a212916b4767564de4a7b5ae348c56b4d9c5a799723e901352280a3e8d64761
0b62c13a5558d201266446b870d97eb458a82eab17d69a3d566a6e5abb158c6a
171e0e8440bb8152cef9ae20dec4a170f93b1312aadf782490cc36adf5c301a4
17b6cacdac7e3dc56d0b60ea7367e5073048e30aff6742e65b0a6f2b52b6255a
1b90e481327517deced0d43590dfd5715ac0d1645f78f65239aa091f653f4c07
2456f8835a6452a6bc07db97990ac81977f1102f41b53ffc68ed935022caee67
2581d63d7d772a3b1ac3b5ae095b03a9a76e771b3d153ac3e95ead93759880de
3c985296fc326089a695b2ffb78ab22b5bf6b0c28b62c9f8532281487479c99c
400d3ec69470e65f173f5ced9fd5bbedfa0458332639d5f48d4d46ad93f19c8a
50c4e66b9f3cbbab3298dc9113b16e485c17feecf296cab4829607942e6b63d2
5e3034a30bef39ff753853f3712bedc99baf5c0e3e84b8de6665e21716e9bf87
63ed9611ef53d62886a487b66638d5b4e022fb791182130d7fcef35a07f79080
6886615f85136e0c0624642251d7b5396c57f7ba5cdce955d2dd0b1f0be7e6f5
6a5ce4ce91c196918807df2bcfefe256d76970e5b8e87b40df1757639943090e
6af525481cb0998d33e3a3c4954da1545f0f6dcb25b899b450d98a4bc3b17c13
7603db9e307d728676caadf8d1e42733071087e6dc72a7a3ec747372fa0c965e
8319cf7cd706879ced641e96ce84ae78286c5eb3a8de911aaa449a922e2af6d4
8cf4ea0f49b0d6a0df0bcb066bea9bf27ee10ac34dd3e240c7cb19582b9041c7
97c4f7a023bf61ca96d3de53931c0fad28ca2197740999e930c8d702a346ffb7
9b58e48bc55057f200d72f6f6646097a4e1285bdea85073c3e0313bd953ee13d
9c8cd646405cc6c78665e8702051107b0531f7918829985335e6f5348c20a873
ae445853c56dddcbdf899ab132adb7cd9cfe9eb7048ee643838bb85b7422ac37
afddef6744bf508b82295fa1478a03e8016d10c6647925c46a8f0f8ea6bb3a3b
b11cc1ae5ed0b068cc101b046a9c2c8a270d751273cf320934b790fe5afb91a3
c77fcc0be04543148bbfab87443d2d81a712ba16c24f22963a0670275eab6bb4

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Downloader.Dofoil-6714608-0

Indicators of Compromise

Registry Keys

<HKCU>\SOFTWARE\07771b47

Mutexes

C77D0F25
244F2418

IP Addresses contacted by malware. Does not indicate maliciousness

77[.]182[.]47[.]152
77[.]214[.]6[.]192
77[.]198[.]181[.]15
83[.]226[.]115[.]86
77[.]253[.]52[.]129
8[.]123[.]232[.]109
94[.]227[.]178[.]89
8[.]110[.]105[.]136

Domain Names contacted by malware. Does not indicate maliciousness

Files and or directories created

File Hashes

01ce9f47d246b23480249c21385f28af4f8f6c6f72de0e16f0d5995add2cc4f4
0b1e8ab791aa74ec379a8699c6e50fcda918c02b08aa4460bea8a842931cfb1b
0defb11ec4549eb802fb841cbb58ec72f8bde65bbed48245e0d83c6c942d941d
2273e345b799cc3ed8954fd82b62ad47f16615cb59531355039349d7ee84de23
26f4a9f28493a8250d38061536289c0249bb88b8e12cd304a70ae06475b4072e
2e2aa0b99d225a1583cb40ca233054fef69fe724190cfff0b7ffcd6c805223fd
303a92f502157d4a99c21c2ec6cd05cfa2400497df59a2e9ce322333ab6f78a9
404f7030cb01a7cdbae2ab38adafd587aa5da0cfc5bb55b92e7cf7b095ac543c
47326515c02c1fb96899aebf38fd18919682d79a1445ffa343dfa26e70261231
4c509d782de2ef525b83dbd61f70a59a2c64b1bbc8d02f063c0e081a2bc6b214
53b5bc66cc62f04439d75203bd7e0ff040e055c90598741f9dc26c59ce41dd64
5746ac7b26eab61a51ca790eecc9bfdf120fc711f4173c54c99ea653d154bd4b
5a36ad9f59dd0c8906cf6dd9c395785ba449c9dddc3843cc2d9a9aecd5f78c47
65360c29dd0b0cddcbc77cce83af3761439423c72276dd425755e6dbd3bfc171
6653fe7c4e305c524ca7d59ff8286bfe944af1e4672e11f8a08a7cea0a2dd332
6a8a02f29f22cbdcf42ca25ee3d26e4220c70cb133595bc9b3354742bb4a3a2e
743e3645040914b245661a2e145fb3237237cdb30a82ce6ee59461cd83505841
7ca20063faa25398f5e4ddc7d08e5bd39e71d816caeec5214bcb14c261d5ed25
83e460c7faf4d06a0b255a8ad4175577e9b8cdd8bb88645dff1a8841fc4c72ae
8b9e1ef2b8e37a459b1ead71b6b5c684aa5589b3f6a3fc7aacba4b7c0c3085d4
93fd66843eeefba26d494abf82bd69f972913c59e109a97a8871f1150e75ae01
95c587cce682887a0d9d6297e966a9fd82590cf557aac4767eff29ceafa373e2
99f203e4a8ee38b92ca80807b5350974d809505539284fa53d64b83aee28a749
a48b79aa1d76c9c8480466757d3d198bfefa19434fe4697129d73bce75a412b0
a593ae31f46ba0871580a5d7af3a8abd29fccd164c92dafc6c53f5b69487f717

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Zbot-6714649-0

Indicators of Compromise

Registry Keys

<HKCU>\SOFTWARE\MICROSOFT\Waec

Mutexes

IP Addresses contacted by malware. Does not indicate maliciousness

176[.]99[.]4[.]7

Domain Names contacted by malware. Does not indicate maliciousness

Files and or directories created

%AppData%\Gybyoq\uzbu.ecu
%AppData%\Iftovi\ihuk.exe
%LocalAppData%\Temp\tmpbed48548.bat

File Hashes

075954d09355c42653ebb8340916245a18e28b8ad5d7c701f2f3208f639922a9
168c7ecd964fcae27d56aeb73ebb5917b2a7f025d708019b870f184e92cf42ab
22bdc85124aa553038e1d5b27411c67b931406597cebdc3ab7eb149077695599
259f3336bd8bb16138f45cf341f7290e7edfbee2872a9927184d02643ac86b85
31903b752e05db104908f6e2853597d5990f0fb5378573f98870c57509765b28
480e51e1bef08a8870a7d852abab4ac58179d2fa8031a9a080ce8a5a04a3f073
508517c5a9cbab74b1458ae66f1b744b74fd1833594eb319592416d7825f5d83
5a8b1aecc07c0c707aabfe22e52a7f70cc65aeac7127f7fd87ddf74a172212dd
5b9b975f6f67ed9bf8f45db61117330b31770dc26aecd0262253531106bc74ad
5e0535beb2b18aa4a2a5db338485f6e87fba66cd79fb0afb0c1cc18a3d526b22
62bbd7305b5ccb36a11f1f8d81065daa537e1716fb1983d8b411993d365b2fda
829cc5bc44063c564e0cbfda5d7c4538df9c6eb54f37eb09cf14757dda2f6ad5
897527a34498f81ffac99f626abcc0045cc5953173c84f90766280d38edc4f73
90e57a0f986925b7bf5a9114ff99d0c764c82c2348ae9694cb3b49a10de49ee8
911529ae29929ba58e3e2f7c2b1db4c8697df181bc1122ed2a96268429eae8c6
a3ea8684813d8849686a07809e576ea5276fd63de74fe65406871f7b3b3f185d
a52de51d2c4ca3bcb65d3c35b0a02c2b83142d784e420cd06c79d500d24587d3
ab3e38a476d1d7e136c670d16afeff8ac0a3f82578d0398ba1ec91792c447411
b398d2d8c26361f98d8341bb38e42f9553b107756c0aeb5985688de7af309de6
c25837b0eecbcac9726e6f6b41502b65796f5ddd20a42aa0311f18ed85302809
db58802e343b45a0d173a3bfab5fae9fe1c6188a6a175042a496f2e7ae1b906e
ecb59e655db783f2d4515b90f1045b154827820de20b09ebebe382895726bbcb
fa1962bf247694be787999b8b94dba8a09728cb258776b067a01128d3e073d01
fa9c078a6fbc67f8545381c4dbef455ce3e4e69c518ffdb6080103b98742b00b
fab9b2ba302d819180f19df41bf91abc7370b22fa0a08d35bc6a55dcb9751471

Coverage

Screenshots of Detection

AMP

ThreatGrid

↧

Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox

October 15, 2018, 9:00 am

≫ Next: Vulnerability Spotlight: Linksys ESeries Multiple OS Command Injection Vulnerabilities

≪ Previous: Threat Roundup for October 5 to October 12

This blog post was authored by Edmund Brumaghin and Holger Unterbrink with contributions from Emmanuel Tacheau.

Executive Summary

Cisco Talos has discovered a new malware campaign that drops the sophisticated information-stealing trojan called "Agent Tesla," and other malware such as the Loki information stealer. Initially, Talos' telemetry systems detected a highly suspicious document that wasn't picked up by common antivirus solutions. However, Threat Grid, Cisco's unified malware analysis and threat intelligence platform, identified the unknown file as malware. The adversaries behind this malware use a well-known exploit chain, but modified it in such a way so that antivirus solutions don't detect it. In this post, we will outline the steps the adversaries took to remain undetected, and why it's important to use more sophisticated software to track these kinds of attacks. If undetected, Agent Tesla has the ability to steal user's login information from a number of important pieces of software, such as Google Chrome, Mozilla Firefox, Microsoft Outlook and many others. It can also be used to capture screenshots, record webcams, and allow attackers to install additional malware on infected systems.

Technical Details

In most cases, the first stage of the attack occurred in a similar way to the FormBook malware campaign, which we discussed earlier this year in a blog post. The actors behind the previous FormBook campaign used CVE-2017-0199 — a remote code execution vulnerability in multiple versions of Microsoft Office — to download and open an RTF document from inside a malicious DOCX file. We have also observed newer campaigns being used to distribute Agent Tesla and Loki that are leveraging CVE-2017-11882. An example of one of the malware distribution URLs is in the screenshot below. Besides Agent Tesla and Loki, this infrastructure is also distributing many other malware families, such as Gamarue, which has the ability to completely take over a user's machine and has the same capabilities as a typical information stealer.

The aforementioned FormBook blog contains more information about this stage. Many users have the assumption that modern Microsoft Word documents are less dangerous than RTF or DOC files. While this is partially true, attackers can still find ways with these newer file formats to exploit various vulnerabilities.

Figure 1 - First stage exploit

In the case of Agent Tesla, the downloaded file was an RTF file with the SHA256 hash cf193637626e85b34a7ccaed9e4459b75605af46cedc95325583b879990e0e61. At the time the file was analyzed, it had almost no detections on the multi-engine antivirus scanning website VirusTotal. Only two out of 58 antivirus programs found anything suspicious. The programs that flagged this sample were only warning about a wrongly formatted RTF file. AhnLab-V3 marked it for "RTF/Malform-A.Gen," while Zoner said it was likely flagged for "RTFBadVersion."

However, Cisco's Threat Grid painted a different picture, and identified the file as malware.

Figure 2 - ThreatGrid Behavior Indicators (BI)

Figure 2 above shows just a subset of the triggered behaviour indicators (BI), and the part of the process tree below shows the highly suspicious execution chain.

Figure 3 - ThreatGrid process tree

In figure 3, we can see that Winword.exe starts, and a bit later, a svchost process executes the Microsoft Equation Editor (EQNEDT32.exe), which starts a process called "scvhost.exe". Equation Editor is a tool that Microsoft Office uses as a helper application to embed mathematical equations into documents. Word for example, uses OLE/COM functions to start the Equation Editor, which matches what we see in figure 3. It's pretty uncommon for the Equation Editor application to start other executables, like the executable shown in figure 3. Not to mention that an executable using such a similar name, like the system file "svchost.exe," is suspicious on its own. A user could easily miss the fact that the file name is barely changed.

The Threat Grid process timeline below confirms that this file is behaving like typical malware.

Figure 4 - ThreatGrid process timeline

You can see in figure 4 at points 1 and 2 that the Equation Editor downloaded a file called "xyz[1].123" and then created the scvhost.exe process, which created another instance [scvhost.exe(26)] of itself a bit later (blue rectangle). Typical command and control (C2) traffic follows at point 4. At this point, we were sure that this is malware. The question was — why isn't it detected by any antivirus systems? And how does it manage to fly under the radar?

The malicious RTF file

The RTF standard is a proprietary document file format developed by Microsoft as a cross-platform document interchange. A simplified, standard RTF file looks like what you can see in figure 4. It is built out of text and control words (strings). The upper portion is the source code and the lower shows how this file is displayed in Microsoft Word.

Figure 5 - Simple RTF document

RTF files do not support any macro language, but they do support Microsoft Object Linking and Embedding (OLE) objects and Macintosh Edition Manager subscriber objects via the '\object' control word. The user can link or embed an object from the same or different format into the RTF document. For example, the user can embed a mathematical equation formula, created by the Microsoft Equation Editor into the RTF document. Simplified, it would be stored in the object's data as a hexadecimal data stream. If the user opens this RTF file with Word, it hands over the object data to the Equation Editor application via OLE functions and gets the data back in a format that Word can display. In other words, the equation is displayed as being embedded in the document, even if Word could not handle it without the external application. This is pretty much what the file "3027748749.rtf" is doing. The only difference is, it is adding a lot of obfuscation, as you can see in figure 6. The big disadvantages of the RTF standard are that it comes with so many control words and common RTF parsers are supposed to ignore anything they don't know. Therefore, adversaries have plenty of options to obfuscate the content of the RTF files.

Figure 6 - 3027748749.rtf

We were able to use the rtfdump/rtfobj tools to verify the structure and extract the actual object data payload, despite the fact that the RTF file was heavily obfuscated. Figure 8 shows that the file tries to start the Microsoft Equation Editor (class name: EQuATioN.3).

Figure 7 - rtfdump

Figure 8 - rtfobj

In figure 6, you can also see that the adversaries are using the \objupdate trick. This forces the embedded object to update before it's displayed. In other words, the user does not have to click on the object before it's loaded. This would be the case for "normal" objects. But by force-opening the file, the exploit starts right away.

Let's have a look to the objdata content from above, converted to a hexadecimal binary stream. More header details can be found here.

Figure 9 - Headers

We can find a similar MTEF Header like the one described in the FormBook post, but to avoid detection, the adversaries have changed the header's values. The only difference is that, except in the MTEF version field, the actors have filled the header fields with random values. The MTEF version field needs to be 2 or 3 to make the exploit work.

Figure 10 - MTEF V2 header

After the MTEF header, we have an unknown MTEF byte stream tag of two bytes (F1 01) followed by the a Font Tag (08 E0 7B … ).The bytes following the Font Tag (B9 C3 …) do not look like a normal font name, so this is a good indicator that we are looking at an exploit. The bytes do look very different to what we have seen in our research mentioned previously, but let's decode them.

Figure 11 - Shellcode - new campaign.

This looks pretty similar to what we have seen before. In figure 12, you can see the decoded shellcode from our previous research.

Figure 12 - Shellcode - former campaign.

The adversaries have just changed registers and some other minor parts. At this point, we are already pretty sure that this is CVE-2017-11882, but let's prove this.

PyREBox rock 'n' roll

In order to verify that the malicious RTF file is exploiting CVE-2017-11882, we used PyREBox, a dynamic analysis engine developed by Talos. This tool allows us to instrument the execution of a complete system and monitor different events, such as instruction execution, memory read and writes, operating system events, and also provides interactive analysis capabilities that allow us to inspect the state of the emulated system at any time. For additional information about the tool, please refer to the blog posts about its release and the malware monitoring scripts presented at the Hack in the Box 2018 conference.

For this analysis, we leveraged the shadow stack plugin, which was released together with other exploit analysis scripts (shellcode detection and stack pivoting detection) at EuskalHack Security Congress III earlier this year (slides available). This script monitors all the call and RET instructions executed under the context of a given process (in this case, the equation editor process), and maintains a shadow stack that keeps track of all the valid return addresses (those that follow every executed call instruction).

The only thing we need to do is configure the plugin to monitor the equation editor process (the plugin will wait for it to be created), and open the RTF document inside the emulated guest. PyREBox will stop the execution of the system whenever a RET instruction jumps into an address that is not preceded by a call instruction. This approach allows us to detect the exploitation of stack overflow bugs that overwrite the return address stored on the stack. Once the execution is stopped, PyREBox spawns an interactive IPython shell that allows us to inspect the system and debug and/or trace the execution of the equation editor process.

Figure 13 - PyREBox stops the execution the moment it detects the first return to an invalid address: 0x44fd22.

PyREBox will stop the execution on the return address at 0x00411874, which belongs to the vulnerable function reported in CVE-2017-11882. In this case, the malware authors decided to leverage this vulnerability to overwrite the return address with an address contained in Equation Editor's main executable module: 0x0044fd22. If we examine this address (see Figure 13), we see that it points to another RET instruction that will pop another address from the stack and jump into it. The shadow stack plugin detects this situation again, and stops the execution on the next step of the exploit.

Figure 14 — First stage of the shellcode.

Figure 14 shows the first stage of the shellcode, which is executed right after the second RET. This shellcode will call to GlobalLock function (0x18f36e) and afterward, will jump into a second buffer containing the second stage of the shellcode.

Figure 15 - Start of the second stage of the shellcode.

The second stage of the shellcode consists of a sequence of jmp/call instructions followed by a decryption loop.

Figure 16 - Decryption loop of the second stage of the shellcode.

This decryption loop will unpack the final payload of the shellcode, and finally jump into this decoded buffer. PyREBox allows us to dump the memory buffer containing the shellcode at any point during the execution. There are several ways to achieve this, but one possible way is to use the volatility framework (which is available through the PyREBox shell) to list the VAD regions in the process and dump the buffer containing the interesting code. This buffer can then be imported into IDA Pro for a deeper analysis.

Figure 17 — Decrypted buffer of the second stage (final stage of the shellcode).

This final stage of the shellcode is quite straightforward. It leverages standard techniques to find the kernel32.dll module in the linked list of loaded modules available in the PEB, and afterward, will parse its export table to locate the LoadLibrary and GetProcAddress functions. By using these functions, the script resolves several API functions (ExpandEnvironmentStrings, URLDownloadToFileA, and ShellExecute) to download and execute the xyz.123 binary from the URL, which we have already seen in the Threat Grid analysis. The shellcode starts this executable with the name "scvhost.exe," which we have also seen before in the Threat Grid report.

We have also seen several other campaigns using the exact same infection chain, but delivering Loki as the final payload. We list these in the IOC sections.

Payload details

Let's look into the final payload file "xyz.123" (a8ac66acd22d1e194a05c09a3dc3d98a78ebcc2914312cdd647bc209498564d8) or "scvhost.exe" if you prefer the process name from above.

$ file xyz123.exe

xyz123.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Loading the file into dnSpy— a .NET assembly editor, decompiler and debugger — confirms that it's a .NET executable that's heavily obfuscated.

Figure 18 - xyz123.exe.

The execution starts at the class constructor (cctor) executing the

<Module>.ҭъЩӂӬҀУ\u0486\u0489їҒреӱҤЫѝйҹП()

method. It loads a large array into memory and decodes it. The rest of the cctor reconstructs a xs.dll and other code from the array and proceeds at the entry point with additional routines. At the end, it jumps by calling the P.M() method into the xs.dll.

Figure 19 - P.M() method.

This one is interesting because it presents us a well-known artifact that shows that the assembly was obfuscated with the Agile.Net obfuscator.

Figure 20 - Agile.Net obfuscator artifact.

Since there is no custom obfuscation, we can just execute the file, wait a while, and dump it via Megadumper, a tool that dumps .NET executables directly from memory. This already looks much better.

Figure 21 - Deobfuscated code step one.

Unfortunately, the obfuscator has encrypted all strings with the H.G() method and we cannot see the content of those strings.

Figure 22 - H.G() method

Luckily, the de4dot .NET deobfuscator tool kills this with one command. We just need to tell it which method in the sample is used to decrypt the strings at runtime. This is done by handing over the Token from the corresponding method, in this case, 0x06000001. De4dot has an issue with auto-detecting the Agile .NETobfuscator, so we have to hand over this function via the '-p' option.

Figure 23 - de4dot .NET deobfuscator.

Even if it looks like the operation failed, it has successfully replaced all obfuscated strings and recovered them, as we can see below.

Figure 24 - Decoded strings.

Examining the source code shows us that the adversaries are using an information stealer/RAT sold by a company selling grayware products: Agent Tesla. Agent Tesla contains a number of questionable functions, such as password stealing, screen capturing and the ability to download additional malware. However, the sellers of this product say that it is used for password recovery and child monitoring.

Figure 25 - Sample of password stealing methods.

The malware comes with password-stealing routines for more than 25 common applications and other rootkit functions such as keylogging, clipboard stealing, screenshots and webcam access. Passwords are stolen from the following applications, among others:

Chrome
Firefox
Internet Explorer
Yandex
Opera
Outlook
Thunderbird
IncrediMail
Eudora
FileZilla
WinSCP
FTP Navigator
Paltalk
Internet Download Manager
JDownloader
Apple keychain
SeaMonkey
Comodo Dragon
Flock
DynDNS

This version comes with routines for SMTP, FTP and HTTP exfiltration, but is using only the HTTP POST one which you can see in figure 26 below. The decision as to which exfiltration method is used is hardcoded in a variable stored in the configuration, which is checked in almost all methods like this:

if (Operators.CompareString(_P.Exfil, "webpanel", false) == 0)
...
else if (Operators.CompareString(_P.Exfil, "smtp", false) == 0)
...
else if (Operators.CompareString(_P.Exfil, "ftp", false) == 0)

Figure 26 - HTTP exfiltration routine.

For example, it creates the POST request string, as you can see below in figure 27.

Figure 27 - POST request.

Then, it encrypts it with 3DES before sending it (figure 28). The _P.Y ("0295A...1618C") method in figure 25 creates the MD5 hash of the string. This hash is used as secret for the 3DES encryption.


Figure 28 - 3DES Encryption method

Conclusion

This is a highly effective malware campaign that is able to avoid detection by most antivirus applications. Therefore, it is necessary to have additional tools such as Threat Grid to defend your organization from these kinds of threats.

The actor behind this malware used the RTF standard because of its complexity, and used a modified exploit of a Microsoft Office vulnerability to download Agent Tesla and other malware. It is not completely clear if the actor changed the exploit manually, or if they used a tool to produce the shellcode. Either way, this shows that the actor or their tools have ability to modify the assembler code in such a way that the resulting opcode bytes look completely different, but still exploit the same vulnerability. This is a technique that could very well be used to deploy other malware in a stealthy way in the future.

IOC

Maldocs

cf193637626e85b34a7ccaed9e4459b75605af46cedc95325583b879990e0e61 - 3027748749.rtf

A8ac66acd22d1e194a05c09a3dc3d98a78ebcc2914312cdd647bc209498564d8 - xyz.123

38fa057674b5577e33cee537a0add3e4e26f83bc0806ace1d1021d5d110c8bb2 - Proforma_Invoice_AMC18.docx

4fa7299ba750e4db0a18001679b4a23abb210d4d8e6faf05ce2cbe2586aff23f - Proforma_Invoice_AMC19.docx

1dd34c9e89e5ce7a3740eedf05e74ef9aad1cd6ce7206365f5de78a150aa9398 - HSBC8117695310_doc

Distribution Domains

avast[.]dongguanmolds[.]com
avast[.]aandagroupbd[.]website

Loki related samples from hxxp://avast[.]dongguanmolds[.]com

a8ac66acd22d1e194a05c09a3dc3d98a78ebcc2914312cdd647bc209498564d8 - xyz.123

5efab642326ea8f738fe1ea3ae129921ecb302ecce81237c44bf7266bc178bff - xyz.123

55607c427c329612e4a3407fca35483b949fc3647f60d083389996d533a77bc7 - xyz.123

992e8aca9966c1d42ff66ecabacde5299566e74ecb9d146c746acc39454af9ae - xyz.123

1dd34c9e89e5ce7a3740eedf05e74ef9aad1cd6ce7206365f5de78a150aa9398 - HSBC8117695310.doc

d9f1d308addfdebaa7183ca180019075c04cd51a96b1693a4ebf6ce98aadf678 - plugin.wbk

Loki related URLs:

hxxp://46[.]166[.]133[.]164/0x22/fre.php
hxxp://alphastand[.]top/alien/fre.php
hxxp://alphastand[.]trade/alien/fre.php
hxxp://alphastand[.]win/alien/fre.php
hxxp://kbfvzoboss[.]bid/alien/fre.php
hxxp://logs[.]biznetviigator[.]com/0x22/fre.php

Other related samples

1dd34c9e89e5ce7a3740eedf05e74ef9aad1cd6ce7206365f5de78a150aa9398
7c9f8316e52edf16dde86083ee978a929f4c94e3e055eeaef0ad4edc03f4a625
8b779294705a84a34938de7b8041f42b92c2d9bcc6134e5efed567295f57baf9
996c88f99575ab5d784ad3b9fa3fcc75c7450ea4f9de582ce9c7b3d147f7c6d5
dcab4a46f6e62cfaad2b8e7b9d1d8964caaadeca15790c6e19b9a18bc3996e18

↧

Vulnerability Spotlight: Linksys ESeries Multiple OS Command Injection Vulnerabilities

October 16, 2018, 9:25 am

≫ Next: Vulnerability Spotlight: Live Networks LIVE555 streaming media RTSPServer code execution vulnerability

≪ Previous: Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox

These vulnerabilities were discovered by Jared Rittle of Cisco Talos.

Cisco Talos is disclosing several vulnerabilities in the operating system on the Linksys E Series of routers.

Multiple exploitable OS command injection vulnerabilities exist in the Linksys E Series line of routers. An attacker can exploit these bugs by sending an authenticated HTTP request to the network configuration. An attacker could then gain the ability to arbitrarily execute code on the machine.

The E Series is a line of routers for small and home offices that contain several features to make them easier to use. The routers are designed to connect home computers, internet-ready TVs, game consoles, smartphones and other Wi-Fi devices.

Vulnerability Details

TALOS-2018-0625 describes three related vulnerabilities: CVE-2018-3953, CVE-2018-3954 and CVE-2018-3955.

Many of the configuration details passed to the E Series of routers during their configuration must be retained across a device's power cycle. Since the device has only one writable directory (/tmp) and that directory is cleared on reboot, the device uses NVRAM to store configuration details.

All command injection paths follow this process:

When the apply.cgi page is requested with parameters indicating a change to persistent configuration settings, those parameters are processed by the 'get_cgi' function call during, which then get placed directly into NVRAM via a 'nvram_set' call.

After certain configuration changes are made, including both of the changes associated with these vulnerabilities, the device must be rebooted. The httpd binary handles this by sending a SIGHUP signal to PID 1, a binary named 'preinit'. The device then enters a code path where it restarts all necessary system services.

When the 'preinit' binary enters this code path, it exposes functionality where raw data from nvram_get calls is passed into system commands.

In CVE-2018-3953, the data entered into the 'Router Name' input field through the web portal is submitted to apply.cgi as the value to the 'machine_name' POST parameter. The machine_name data goes through the nvram_set process described above. Eventually, within the 'start_lltd' function, a 'nvram_get' call is used to obtain the value of the user-controlled 'machine_name' NVRAM entry. This value is then entered directly into a command intended to write the hostname to a file and then execute it.

CVE-2018-3954 applies to the same input field but follows a slightly different code path. Here, the vulnerability is triggered by 'set_host_domain_name' function in libshared.so where nvram_get is called against the 'machine_name' parameter. The result of that operation is subsequently combined with a string via a sprintf call and passed directly into the system command.

Finally, in CVE-2018-3955, the data entered into the 'Domain Name' input field through the web portal is submitted to apply.cgi as the value to the 'wan_domain' POST parameter. The wan_domain data goes through the nvram_set process described above.

When the 'preinit' binary receives the SIGHUP signal, it enters a code path that calls a function named 'set_host_domain_name' from its libshared.so shared object, which calls nvram_get against the 'wan_domain' parameter. The result of that operation is subsequently combined with a string via a snprintf call and passed directly into the system command.

Affected devices

The vulnerabilities are confirmed in multiple devices of the Linksys E Series of wireless routers with various firmware versions. Users are advised to update their routers to the latest version released by the manufacturer.

Discussion

Home routers have become one of the main targets for malicious attacks. Although these vulnerabilities require the attacker to have already authenticated with the device, the vulnerabilities are serious as they allow a potential attacker full control over the device, which may include installation of additional malicious code.

Widespread internet-of-things attacks such as Mirai and VPNFilter show that attackers will keep their focus on discovering new vulnerabilities which would allow them to infect devices and conduct large scale as well as targeted attacks. These attacks are more difficult to detect and protection is available only after their manufacturers update the firmware and patch the vulnerability.

Keeping the device firmware up to date is crucial to avoid SOHO routers participating in a distributed denial-of-service (DDoS) attack or becoming an infection vector in an attack targeted to your organization.

Coverage

The following SNORTⓇ rule detects attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.

Snort rule: 47133

↧

Vulnerability Spotlight: Live Networks LIVE555 streaming media RTSPServer code execution vulnerability

October 18, 2018, 7:48 am

≫ Next: Tracking Tick Through Recent Campaigns Targeting East Asia

≪ Previous: Vulnerability Spotlight: Linksys ESeries Multiple OS Command Injection Vulnerabilities

These vulnerabilities were discovered by Lilith Wyatt of Cisco Talos.

Cisco Talos is disclosing a code execution vulnerability that has been identified in Live Networks LIVE555 streaming media RTSPServer.

LIVE555 Streaming Media is a set of open-source C++ libraries developed by Live Networks Inc. for multimedia streaming. The libraries support open standards such as RTP/RTCP and RTSP for streaming, and can also manage video RTP payload formats such as H.264, H.265, MPEG, VP8, and DV, and audio RTP payload formats such as MPEG, AAC, AMR, AC-3 and Vorbis. It is used internally by well-known software such as VLC and MPlayer.

An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library. A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability.

Vulnerability details

TALOS-2018-0684 describes the vulnerability CVE-2018-4013. The LIVE555 Media Libraries are a lightweight set of multimedia streaming libraries for RTSP/RTCP/RTSP/SIP, with code support for both servers and clients. They are utilized by popular media players such as VLC and MPlayer, as well as a multitude of embedded devices (mainly cameras).

One of the functionalities enabled by LIVE555 for their standard RTSP server is the ability to tunnel RTSP over HTTP, which is served by a different port bound by the server, typically TCP 80, 8000, or 8080, depending on what ports are available on the host machine. This port can support normal RTSP, but in certain cases, the HTTP client can negotiate the RTSP-over-HTTP tunnel.

The vulnerability exists in the function that parses HTTP headers for tunneling RTSP over HTTP. An attacker may create a packet containing multiple "Accept:" or "x-sessioncookie" strings which could cause a stack buffer overflow in the function "lookForHeader."

Affected software

The vulnerability is confirmed in Live Networks LIVE555 Media Server, version 0.92 but it may also be present in the earlier version of the product.

Coverage

48067 - 48068

↧

Tracking Tick Through Recent Campaigns Targeting East Asia

October 18, 2018, 9:49 am

≫ Next: Beers with Talos EP 39: VB 2018 Rundown and Prevalent Problems with PDF

≪ Previous: Vulnerability Spotlight: Live Networks LIVE555 streaming media RTSPServer code execution vulnerability

This blog post is authored by Ashlee Benge and Jungsoo An, with contributions from Dazhuo Li.

Summary

Since 2016, an advanced threat group that Cisco Talos is tracking has carried out cyberattacks against South Korea and Japan. This group is known by several different names: Tick, Redbaldknight and Bronze Butler.

Although each campaign employed custom tools, Talos has observed recurring patterns in the actor's use of infrastructure, from overlaps in hijacked command and control (C2) domains to differing campaign C2s resolving to the same IP. These infrastructure patterns indicate similarities between the Datper, xxmm backdoor, and Emdivi malware families. In this post, we will dive into these parallels and examine the methods used by this actor.

Introduction

The APT threat actor known as "Tick," "Bronze Butler," and "Redbaldknight" has conducted espionage campaigns since 2016 against East Asian countries such as Japan and South Korea [1]. Talos analyzed a recent campaign in which compromised websites located in South Korea and Japan were used as C2 servers for samples belonging to the malware family known as "Datper," which has the ability to execute shell commands on the victim machine and obtain hostnames and drive information. Talos found potential links in shared infrastructure between the malware families Datper, xxmm backdoor, and Emdivi, each of which has been attributed to this threat actor under one of the above three aliases.

We obtained this Datper variant through VirusTotal. The sample, written in Delphi code, was submitted toward the end of July 2018. Although the exact attack vector is unclear, the threat actor appears to have selected a legitimate-but-vulnerable Korean laundry service website to host their C2, shown below.

Legitimate Korean laundry site used as Datper C2 host.

The website, located at whitepia[.]co.kr, does not use SSL encryption or certificates. The specific URL used for C2 communication is:

hxxp://whitepia[.]co[.]kr/bbs/include/JavaScript.php

Once executed, the Datper variant creates a mutex object called "gyusbaihysezhrj" and retrieves several pieces of information from the victim machine, including system information and keyboard layout. Afterward, the sample attempts to issue an HTTP GET request to the above C2 server, which at the time of this writing, resolved to the IP 111[.]92[.]189[.]19.

An example of this request is:

GET /bbs/include/JavaScript.php?ycmt=de4fd712fa7e104f1apvdogtw HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: whitepia[.]co.kr
Cache-Control: no-cache

Unfortunately, at the time of this investigation, the C2 server was unavailable, preventing Talos from investigating C2 communications in greater detail. However, Talos was able to analyze a previous campaign from 2017, which employed a similar sample from this family and used a slightly different mutex, "d4fy3ykdk2ddssr." All samples in the diagram below, associated with the 2017 campaign, implemented mutex object "d4fy3ykdk2ddssr," likely to prevent access from other processes during execution.

Structure of C2 communications from the 2017 campaign.

The actor behind this campaign deployed and managed their C2 infrastructure mainly in South Korea and Japan. We confirmed that the actor periodically changed their C2 infrastructure and appears to have a history of identifying and penetrating vulnerable websites located in these countries. In addition to whitepia[.]co[.]kr, we identified other instances of compromised websites used as C2 servers. It is possible the malware samples are being delivered using web-based attacks, such as drive-by downloads or watering hole attacks. Additionally, Talos identified hosts used as C2 servers that may not be connected to a compromised website. This indicates the possibility that the threat actor may have initially deployed their C2 server infrastructure on legitimately obtained (and potentially purchased) hosts.

Overlaps in the compromised websites used as C2 domains suggest links to another malware family known as "xxmm backdoor" (or alternatively, "Murim" or "Wrim"), a malware family that allows an attacker to install additional malware. The GET request URI paths of xxmm backdoor and Datper are similar, as seen below:

xxmm backdoor: hxxp://www.amamihanahana.com/diary/archives/a_/2/index.php

Datper: hxxp://www.amamihanahana.com/contact/contact_php/jcode/set.html

Based on the findings above, both tools have used the same websites located in Japan in their C2 infrastructure since 2016.

The xxmm sample, shown on the right-hand side of the diagram above, has the hash 397a5e9dc469ff316c2942ba4b503ff9784f2e84e37ce5d234a87762e0077e25 [2].

The extracted PDB debug symbol paths from the sample are:

C:\Users\123\Documents\Visual Studio 2010\Projects\shadowWalker\Release\BypassUacDll.pdb

C:\Users\123\Documents\Visual Studio 2010\Projects\shadowWalker\Release\loadSetup.pdb

C:\Users\123\documents\visual studio 2010\Projects\xxmm2\Release\test2.pdb

C:\Users\123\Desktop\xxmm3\x64\Release\ReflectivLoader.pdb

In addition to the links between Datper and xxmm backdoor, a recent Datper variant compiled in March 2018 used a legitimate website as a C2, which resolved to the IP 211[.]13[.]196[.]164. This same IP was used as C2 infrastructure by the Emdivi malware family — a trojan that opens a backdoor on the compromised machine — and was attributed to the threat actor behind the campaign "Blue termite" [3].

Structure of 2018 Datper and Emdivi campaigns.

Our passive DNS lookup data of Resource Records (RR) for domains used by Datper and Emdivi further suggest that this IP was used by both malware families.

Resource record for Datper.

Resource record for Emdivi.

Conclusion

Talos' investigation into attacks conducted by this actor indicates commonalities between the Datper, xxmm backdoor, and Emdivi malware families. Specifically, these similarities are in the C2 infrastructure of attacks utilizing these malware families. Some C2 domains used in these attacks resolve to hijacked, legitimate South Korean and Japanese hosts and may have been purchased by the attacker. Successful attacks utilizing these malware families may result in shell commands being run on victim machines, resulting in a potential leak of sensitive information. Cisco security products protect our customers in a range of ways, detailed below.

Coverage

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs:

Hashes

Datper

c2e87e5c0ed40806949628ab7d66caaf4be06cab997b78a46f096e53a6f49ffc

569ceec6ff588ef343d6cb667acf0379b8bc2d510eda11416a9d3589ff184189

d91894e366bb1a8362f62c243b8d6e4055a465a7f59327089fa041fe8e65ce30

5a6990bfa2414d133b5b7b2c25a6e2dccc4f691ed4e3f453460dee2fbbcf616d

7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849

2f6745ccebf8e1d9e3e5284a895206bbb4347cf7daa2371652423aa9b94dfd3d

4149da63e78c47fd7f2d49d210f9230b94bf7935699a47e26e5d99836b9fdd11

a52c3792d8cef6019ce67203220dc191e207c6ddbdfa51ac385d9493ffe2a83a

e71be765cf95bef4900a1cef8f62e263a71d1890a3ecb5df6666b88190e1e53c

xxmm backdoor

397a5e9dc469ff316c2942ba4b503ff9784f2e84e37ce5d234a87762e0077e25

Emdivi

9b8c1830a3b278c2eccb536b5abd39d4033badca2138721d420ab41bb60d8fd2

1df4678d7210a339acf5eb786b4f7f1b31c079365bb99ab8028018fa0e849f2e

IPs used for C&C communication

202[.]218[.]32[.]135

202[.]191[.]118[.]191

110[.]45[.]203[.]133

61[.]106[.]60[.]47

52[.]84[.]186[.]239

111[.]92[.]189[.]19

211[.]13[.]196[.]164

C&C servers resolving to malicious IPs

hxxp://www.oonumaboat[.]com/cx/index.php
hxxp://www.houeikai[.]or.jp/images/ko-ho.gif

hxxp://www.amamihanahana[.]com/contact/contact_php/jcode/set.html

hxxp://www.amamihanahana[.]com/diary/archives/a_/2/index.php

hxxp://rbb.gol-unkai4[.]com/common/include/index-visual/index.htm

hxxp://www.whitepia[.]co.kr/bbs/include/JavaScript.php

hxxp://www.adc-home[.]com/28732.html

hxxp://www.sakuranorei[.]com.com/blog/index.php

↧

Beers with Talos EP 39: VB 2018 Rundown and Prevalent Problems with PDF

October 19, 2018, 9:37 am

≫ Next: Threat Roundup for October 12 to October 19

≪ Previous: Tracking Tick Through Recent Campaigns Targeting East Asia

Beers with Talos (BWT) Podcast Ep. #39 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Ep. #39 show notes:

Recorded Oct. 5, 2018 - We start out with a quick chat to get to know this week’s special guests from the Talos Outreach team: Paul Rascagneres, Vanja Svajcer and Warren Mercer. We discuss everyone’s work that was presented at Virus Bulletin, as well as Paul and Warren being nominated for the Péter Szőr Award. We also cover a lot of vulnerability discovery work that we recently released around various PDF software.

The timeline:

The topics

01:25 - Roundtable - Intros with our special guests Warren Mercer, Vanja Svajcer and Paul Rascagneres.
07:01 - Virus Bulletin and Korea in the Crosshairs nominated for Péter Szőr Award
22:42 - Other Talos talks and internet-of-things nonsense
28:39 - PDF vulnerabilities and how vulnerabilities can come in batches
35:23 - Closing thoughts and parting shots

The links

Péter Szőr Award: https://www.virusbulletin.com/conference/peter-szor-award/
Talos PDF vulnerability posts: https://blog.talosintelligence.com/search?q=pdf&by-date=true

==========

Featuring: Nigel Houghton (@EnglishLFC). Special guests: Warren Mercer (@SecurityBeard), Paul Rascagneres (@R00tBSD), and Vanja Svajcer (@VanjaSvajcer). Hosted by Mitch Neff (@MitchNeff).

Find all episodes here.

Subscribe via iTunes (and leave a review!)

Check out the Talos Threat Research Blog

Subscribe to the Threat Source newsletter

Follow Talos on Twitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com

↧

Threat Roundup for October 12 to October 19

October 19, 2018, 1:39 pm

≫ Next: Beers with Talos EP40: BWT XL feat. SuperMicro, Giant Patches, and More Mobile Malware

≪ Previous: Beers with Talos EP 39: VB 2018 Rundown and Prevalent Problems with PDF

Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Oct. 12 and 19. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

Win.Malware.Dgoh-6721301-0
Malware
This family is a generic trojan able to steal browser passwords. The samples conatain hidden hollowing techniques and TLS callbacks, making it more difficult to analyze. This malware is also evasive and can identify virtual environments. In this case, it does not show any network activity. The binaries achieve persistence and inject code in the address space of other processes.
Win.Malware.Tspy-6721070-0
Malware
Tspy is a trojan with several functions. It achieves system persistence to survive reboots. It also contacts domains related to remote access trojans (RATs) but are also known to be hosting C2 servers that send additional commands to the malware. The samples are packed and may hinder the analysis with anti-debugging techniques and TLS callbacks.
Win.Packed.Shipup-6718719-0
Packed
This signature and the IOCs cover the packed version of Shipup. These samples are packed and gain persistence by creating a scheduled task to conduct their activities. They also inject malicious code in the address space of other processes and may hinder the analysis with anti-debugging and anti-virtual machine checks.
Win.Malware.Icloader-6718315-0
Malware
Icloader is a generic malware family with an heavy adware behavior. The samples are packed and have evasive checks to hinder the analysis and conceal the real activities. This family can inject code in the address space of other processes and upload files to a remote server.
Win.Malware.Dfni-6718298-0
Malware
Dfni exhibits behaviors of adware, and can be considered a generic malware. The samples are packed and contain anti-VM checks, as well as many anti-debugging techniques. The binaries hook functions on the system and inject code to perform its malicious activities and upload files to a remote server.
Win.Malware.Mikey-6718286-0
Malware
This cluster focuses on malware that gives other malware the ability to achieve persistence. The samples contain anti-analysis tricks as well, which makes it tougher to study. This family is known for its plugin architecture and its intense network activity.
Win.Malware.Dinwod-6718271-0
Malware
This family is a polymorphic dropper. It copies modified versions of itself to the root directory with random names, then deletes the original files. These binaries drop a DLL that is injected. All the binaries are packed and contain tricks to complicate the static analysis phase.
Win.Malware.Triusor-6717792-0
Malware
Triusor is an highly polymorphic malware family. All the binaries are packed and obfuscated to hinder the static analysis. The malware contains code to complicate the dynamic analysis. Once it is executed, the samples perform code injection.

Threats

Win.Malware.Dgoh-6721301-0

Indicators of Compromise

Registry Keys

<HKLM>\Software\Wow6432Node\Microsoft\WBEM\CIMOM
<HKLM>\SOFTWARE\CLASSES
<HKLM>\Software\Microsoft\Fusion\GACChangeNotification\Default

Mutexes

Global\CLR_CASOFF_MUTEX

IP Addresses contacted by malware. Does not indicate maliciousness

Domain Names contacted by malware. Does not indicate maliciousness

Files and or directories created

%WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
\PC*\MAILSLOT\NET\NETLOGON
%LocalAppData%\Temp\tmp3456.tmp
%LocalAppData%\Temp\bhv35DC.tmp

File Hashes

144dde1f11ae0c405712b370a8599c0497241e637e8fc82e72f64f909a88091e
19287951443ce4dbf938aea1b13f859130d0a8a93581fef391a09d6b7c632157
289f982e4f40d54431c2bfd462b9ab13334bb4038ce2bce60c78689ddddcf931
35757c2e08e8536a0a8498cbbdbe4b7563e6bc03e9d3a443023d923d16fef052
3a22acf82521b4afb12bb99e5c538a4ef329e929ff9b7f118da3a8296a00014a
42442912f6d5d85b0465b6a81f579759123945c1eeae49fbeb1e14642c83a522
44b3f421a16b418893ebf279dcb78302432059f06a240d061fad5cae4d570b0d
45e1f1da441906c91474e8cd14d03a1360a44e1d3a0a716868b38d97a90fa728
463e95e0cabd904e70facd1ad3698ac291f5963b55d6f9540e0afddf2e915c78
4c695e0e5a5e74bfd9474b7ad56f1996eed68993b82e72f755e4654162c94286
5eedbfbc1532012e6694da33a5bbb4213a566c7379d2c7ccbf4ed1fef6ca0fec
79965e71b237768da06e87edaff46529864e0e3224866ffeb8291c6f9a95c4cc
85ed48aef7052d974630e1e350c3557a509dd4f6f26a2ca31fc82b81f3e97417
8e5c5f04842cb799b7ca42a2e47c02a8a0c53a21ea579a42d90115fe40149c4b
b2948e790aa955885082c85dc72d4be259001f68be6414b8d53e5a6ce60ed3c3
b731fbba5419d28bc588981182cf95cb142559c0184714f7f781544107670a75
ce7de4cc59658ee179955f1c9c475ceb5e0bffeb6eb0be35b97d99845b42e93c

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Tspy-6721070-0

Indicators of Compromise

Registry Keys

<HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
<HKLM>\System\CurrentControlSet\Control\DeviceClasses
<HKCU>\Software\Microsoft\SystemCertificates\MY
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
- Value Name: F
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
- Value Name: F
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
- Value Name: F

Mutexes

IP Addresses contacted by malware. Does not indicate maliciousness

151[.]80[.]159[.]160

Domain Names contacted by malware. Does not indicate maliciousness

myp0nysite[.]ru

Files and or directories created

%System32%\config\SAM
%LocalAppData%\Temp\-218562641.bat
\TEMP\3101985327.exe

File Hashes

22ef53123754caa2ac3871eb01221c99482e4318b59a30c8f07b9525afae52bd
2953715def863a583bbca5dd830110b158d439ab138e278f7b4302e00b32349c
356d54baec2c91a1acf01fba63efb0c372588b8af954f2ec06b713bd35fcebac
46adc5747d33d6f76574f8c3df31828649159a8b0737b90233023db526f1df36
4735ef713e8010be450f1114f5b47c56f7245e5511d5cf51c81cf4095331c2cc
5431fac0d6c31b0234b32a360541d4142b01e020a3f5958a814aed2f7376c5d4
5f51e8d0681a97d9cc8d08d8053be6ca7fe99570ce74437ceebc61277dd39295
60eba00dd87e876f06d07940b33759f791c5deff12e5c435df38410a7be37b0f
7a78e62befe10074809a5889aa2cb15b48ae18ff643ba9913f77e9277b9ddb5f
7d22af262faaccd05bf7b1beeb2640babb7f9b635c33c55a1f116649702c6651
816593fbb5469d27ac05c4eeaed262ce5486ceef3aa50f6a5991dbf87e0b6e29
833ae0d041b2c2c7196105f2cc2a77c5aca67e701ef8407b5817639bdff9a88b
902035ad4a8c6a13029757688b35a3494a8a914567b382e2d2ac831b43aa087a
9e1ce778a3ce36fc530e6afe53aa4a5876bdc49ee9c3ecd06cd8098357022963
b1b6840d7b373303f2dee59b5735ac70895986c5670a6d00f6c71dc0b5bc9db7
d4d6b8126d2b3886cef618d0a38c16df140f3c261f50cb51b263ccd4dc0060a8
dea62764758a8f94fe90d430d70ffbfcb6781bf1e85a1df1370f4fdc13b96e0b
e2f3c345b99ee26a3277ce52e3577c2fe8c31faa13efe74476493444d99116ed
eef55e6ac86833cbfc3e70d40acd9672ebd68ea278b5bd72e6d33937fa60a39d

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Packed.Shipup-6718719-0

Indicators of Compromise

Registry Keys

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
- Value Name: LoadAppInit_DLLs
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
- Value Name: AppInit_DLLs
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{F2B28AC6-1443-43F4-9832-8315397F35E8}
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{F2B28AC6-1443-43F4-9832-8315397F35E8}
- Value Name: data

Mutexes

IP Addresses contacted by malware. Does not indicate maliciousness

Domain Names contacted by malware. Does not indicate maliciousness

Files and or directories created

%SystemDrive%\PROGRA~3\Mozilla\thfirxd.exe
%System32%\Tasks\aybbmte
%SystemDrive%\PROGRA~3\Mozilla\lygbwac.dll
%SystemDrive%\DOCUME~1\ALLUSE~1\APPLIC~1\Mozilla\kvlcuie.dll
%SystemDrive%\DOCUME~1\ALLUSE~1\APPLIC~1\Mozilla\tfbkpde.exe
%WinDir%\Tasks\kylaxsk.job

File Hashes

039882173f4c41312943a6481bd41bddeb0603fc3077c09e99234bebd14266e5
03bd8e2ed9a432a0883ea1acec24c87850127570809c63695bd542a602ba98bb
03e346b9acec0f19bd9d6c0ac40b3ebfbd5e1097708ca6e744cf67ee79dcc9db
04e34571fb0e04658c6d2eb23d908dbc378156fd094f861b7869b2281bc303b5
05e7685b2efa6d6f1fb0c23c6c944f911728a35b2aaa1c1d0662631c374380ae
07042f40f8e0114d7ea3f763a11fc2b0a5cc265238ad57f79710bfcd8917742e
09ace282d6e455c62ba311a89dba6af3274d6e8096b2319c746a129e6c411143
0d63b1289a4bf524359210fcfbfe84762f448911b51a495123b093ce5750ec3f
0f9f448741905479e3504d81a56ada969d0e70287875bcaf18a08cfab63151e8
1030c244fcf87f701b35f9a0fbad4f1e907dc0c5f8bc5ba6e4b6ca359bac9a09
179c0c751b09104e903c6864d9bca8f46386d44ce24e4bf1ebd972be81a9bde3
18205e2caa3af4a991891435f52a4b5f93e3405a1cbc2c88e2491d245fb33169
186f16724db6160aafff7a7696b321d2bb070c6c794564c613904dabce6bf089
194a07b39470d6f3d75292503dfb8d4c39a8a0b8d7a48ebd7b8bd3846e915e74
19f9d7a380494e5329edcc1aefe1e1bbb8b3e97b4b437ebdc8253959b6f3c503
1fb5b2a484b56dee8f91a761ddcd71aca409298d79717cbd305f8c4a115a377a
21561b93554c509f88981504de06bf325182b11718e5e1bbc348b3e9bf40ab9b
2222e6fcf6a7ab4fb824885a47869ff0b75b83c005ad1e56a48b9ac60603e00c
23e1307f7478faf6edb20b4caf72344cfbdde1a3a88669433b07c15ab6276e78
26074d1d9576a6f348861d388c6d33fe83154a4d6177ad128f327d56d61e93c4
269d9e25d3fa50c06d20da82f572324448d689bb8131a9b146f9094aa6f35486
27107374ee6385cc550f4cfe92a2b90b373f2f186d1c0cdac26d7cd941a45de1
27ec15846eb320ef0fcd627e2606e51b398693df813f468eb8a08727005b6ccb
2a199ff9c9922e8656a00622c5df7bc0db3b89d4ca5eda2ff304725b4e4791d3
2c1f9fcebf203434c44710f59bbfd6b8dc7186cb472975964f4621fde162a9a7

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Icloader-6718315-0

Indicators of Compromise

Registry Keys

<HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
<HKCU>\Software\Microsoft\SystemCertificates\My
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
<HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA
<HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed
<HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Root
<HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\TrustedPeople
<HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\trust

Mutexes

IP Addresses contacted by malware. Does not indicate maliciousness

195[.]201[.]249[.]16
5[.]149[.]248[.]134
185[.]87[.]195[.]36

Domain Names contacted by malware. Does not indicate maliciousness

static[.]16[.]249[.]201[.]195[.]clients[.]your-server[.]de
official-site-cheats[.]ru

Files and or directories created

%WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
%LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat
\ROUTER

File Hashes

09bb7975b2b3841a5cdef1b88b8ac11093bdd4dbd494b4d6af270f848ea85f89
12b1ee5b0cba81b875e5e51bfdc09e782d2a8cd77cc3fb239283898cba768815
4ef33bcc856ec74000212666285ab7f944cda254bf8703339d385da81ba03433
50ca40354710a54ee7eeef160fc7ef7a527890184c76579ad5dfb08cce7a345c
544a3b3251664970097188e7557d476a5640404e0925a1bab3186de284c6f2a0
5b87701da8929701c563806f7e2bdb5babe411cdffae08a63470c62a1f811674
a15f95b1440da055d9289084eae7adaefc0c53253e093f8ea07f6080a3f1bb16
c78cb949042685e156e2532f0ca8eb525c0c162384691c21436866d6477239c1
ce2d96827f323a716aed634705c39e22425e75b239f74945eb2669fecba4ef51
e5dd8c5e4b91ce17be74bb11e33f8b725aae330a8a78019232f438788b233784
e9a9a86b1cd0c1ee7ffbed8cfab0d463a899c6c070af3521f42d7d35ead8b96d

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Dfni-6718298-0

Indicators of Compromise

Registry Keys

<HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
<HKLM>\Software\Microsoft\RAS AutoDial

Mutexes

\BaseNamedObjects\GenericSetupInstaller_UT006

IP Addresses contacted by malware. Does not indicate maliciousness

195[.]201[.]249[.]16
5[.]149[.]248[.]134

Domain Names contacted by malware. Does not indicate maliciousness

static[.]16[.]249[.]201[.]195[.]clients[.]your-server[.]de

Files and or directories created

\ROUTER
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zSC54F3341\Carrier.exe
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zSC54F3341\GenericSetup.exe
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zSC54F3341\GenericSetup.exe.config
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zSC54F3341\installer.exe
%TEMP%\Microsoft_Office_2003_Crack_Full_Version_Free.exe

File Hashes

0b6f97ca1435e9264468c370f04f27ec1a1a73bd5ffc111ba3155c13fb98faa7
21879cd4402d686df1b5216d0ee04b8205041ec88efa74b5647c1e8867aec045
235354c4ff05fe220b4182745eb6cda23d346201bc1f0cd095fe9f5b365d9fc8
263713f594a0bd2f1307fe7fc15802a4689c71fbe84641e6f2487d560265be27
497be4c1fa250d9fbc98502a2d94ab7b9a8333a4320da73ef03073e4621e7c22
51c88f1d544e08460f8460eb586db6f8064b59eac4927cc0762abe8ab395bcec
551d34451ade2931165caf86f3ab48a833ad32e1625a32975961d0451e761967
5a8db36dcddcb13c7e9fb5d975026292bfbd8c3618f0de45ce4cafb7470164d7
60bc15b68fee8d28ba76e99475b2fadbf72a7efd2cee8eb12f23f8e5b88a9896
6c730b4762c6f31e2b4c8845361650e5775bfd5876535d0f12523d22da4258f3
79558d1978785896623d7f82404950345a0646ee20e78a75ca8cfbc70d828290
7a1c9cf27ef8be7d94ad56517b8a7b79b8b508ee698667f266bb597f1cd5c6b0
8530c888819eabbdfb0f3f3d149ae11a242a82a7f19d019e23a7e7846a231f3f
8b0192dfdbe2214216a9b0d941e578d1652d2b220762d055bd8c881158107a46
8e7a3a856d6f7a7e2ba824da91b47c9d2c9759e642ab42f046f1ac533a9fbe29
93e9bff209879823e7ee4fe8a160526f15d0ee01f52992863b609b787c427502
995ca1c36a5dc65ccbc878a74b08c6b36cbc282e792a9ba6767271f93f3cfdda
9a1cddbba9b9dcf9c7c9d651c8fe390665b485895e26e78f4a1b4b1303c8c299
9c736aea53c7b192afbdc97106e95f98804f4a5c7feaa92c0a7d796cf9092c12
a7c5b9cae00ea432de0723f4a71d3b266f152935e5ce8127d5c01c91ea156abe
abfcfc795d72a5afd80010f351ab683a61bfabde66b7b2c1813d7ac5cc9f65d6
add5411deb3f26fca1e60eb72757d0a2488f4bd3d44433afa71fd2c2afc84ec2
b172fcfae21952777f9bac5ecdc4695e120fe425cfa98db9169fdda5065a3848
b935519061e2af2022dcd28f94fc7747b87c6c952acffff5c5a034ae6c8e395c
b994e47854a8557397fb0ed73c2fa16e2a7099167ff605290f4ae1282951b2a0

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Mikey-6718286-0

Indicators of Compromise

Registry Keys

<HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters

Mutexes

RasPbFile
Local\http://hao.360.cn/
Global\b002b2c1-cf34-11e8-a007-00501e3ae7b5

IP Addresses contacted by malware. Does not indicate maliciousness

143[.]204[.]31[.]154
143[.]204[.]31[.]216
143[.]204[.]31[.]231
143[.]204[.]31[.]105
143[.]204[.]31[.]64
143[.]204[.]31[.]128
143[.]204[.]31[.]78

Domain Names contacted by malware. Does not indicate maliciousness

www[.]zhihu[.]com
www[.]zgny[.]com[.]cn
www[.]zhangmen[.]com
www[.]xs8[.]cn
www[.]zongheng[.]com
yule[.]360[.]cn
www[.]zhiyin[.]cn
yys[.]163[.]com
www[.]weibo[.]com
www[.]xxsy[.]net
www[.]youth[.]cn
yunpan[.]360[.]cn
you[.]163[.]com
xiaoshuo[.]360[.]cn
www[.]ymatou[.]com
www[.]youku[.]com
www[.]zol[.]com[.]cn
www[.]xiachufang[.]com
www[.]zhanqi[.]tv
yuehui[.]163[.]com
xqn[.]163[.]com
xiaoyouxi[.]360[.]cn
www[.]yy[.]com
xueqiu[.]com
www[.]xinhuanet[.]com
zonghe[.]hao[.]360[.]cn
xyq[.]163[.]com

Files and or directories created

%ProgramFiles% (x86)\DouTu\
%ProgramFiles% (x86)\DouTu\DouTuDaShi.exe
%ProgramFiles%\DouTu\DouTuDaShi.exe

File Hashes

008f25d1573dc62790a69f7a80f5c5453cc5648fe75e2899c02763fe15ff2b0a
011abed6d2117fd5f07cf18ba13fa84957111014baaa12037ae8dee7d342394b
01c8e1e8e172e4605f818fca1c69ef8c92c5ac696248d3b9ccdfa41ac79f214b
0247a8bbc1c947fcf3774ca4785f8896dcef41d0334b37dcf5bac1931d027463
027a08518f203197ec8a4203a27a356b3e25c223e6920ea3809bbed0842028ad
02989e9f1e9714b5c005b905ad9edccc155e4cba50ddcdaab759270a21ce5bd9
02b19d089cdd330d32c2d7e26cb0e2575cb06a4af1d6d55dc100ae26798e4ed1
02d6261ea6726eb0d1652ccd6e4469c29e029daafa4e97c2d91e1984267a7bcd
02fd2646ae865182ba854029a5247ca1401146d82adf4aa7fe7289d5e50e170c
036ba848a3d7f075c78fc8a61c9df37b347e092271532a4ea97e6c63bd69e014
03750181545151e7ca1dba3b73b24f10a94b8728d58fb63c3f7be0d7307d445d
03d612255a4c15406d36ad52ad1a36d03e894e0541fa46b27f36a460bb8e683f
0445d150e6f6598afb477304f72a82d7d929affccbc49240f840a73846f0c32f
045c8475c4206748d2bacbfbfad3696cce3eeeebc12b59ffd70db1b65238cb36
045de43a1c41fa03972c7d7560e639b004eda82db939eb9bf9e42c074e3feae5
046dd51f8b053aacf0ec0c5f267f78e1fda082abaf06a0ea627bcdab21261bc9
04b95424c0d4857b95ec76b43831e050a84dbc9f6396a4ef02784a08237b1e1c
05323e80a0d216c41f64a274cf8fd20a21cce709c1f45ad931bc1273f115000e
053dee417b15f6231492987a7d4015a78025a6a0ceb996cd155651055c322be7
055c4a203cb1230ae63c23100fe9d649b5551885c47c9388814fb6f41462dbac
0563fa1ab4ddddf921ff3bb655498dc4eb91b3a6c679632888a6c81c20453912
0580794965a50a2c165c7c33f0873759251340c57c57e67c5a71b4c26741b3f7
063110c27a66a2bf0a1dd1f6acfe49ce521cb159f2a69bc896b1a7e6025a3c12
06b7cd56f7a52f74181481506b1b757deb87c52e180ab87fa47cec734e11cbbd
0707db8cc197898312024658ee079141f97d5b296589c616408c516a74e36af6

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Dinwod-6718271-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses contacted by malware. Does not indicate maliciousness

Domain Names contacted by malware. Does not indicate maliciousness

Files and or directories created

\vnnjj.exe
\xxhdx.exe
\xxldt.exe
\xxlhl.exe
\vnjvvj.exe
\rvrnnf.exe
\rxjxbdx.exe
\vnrjn.exe
\rvrnbj.exe
\xxltpx.exe
\vnnbn.exe
\vnjrv.exe
\xxltxdh.exe
\xxlhptp.exe
\xxhtp.exe
\xxxpptl.exe
\xxpxthd.exe

File Hashes

007afe2d9baf2e79d00facd2d2d8a4639a792549950386c4f08771ecdf86a5e5
015cdf503ff9594a6fe59d9c2abce53201b36239758bf2341f4a57029daba488
01758e0d8a5558093a58179ae367d4e2f61c10f0758531179aefc2646ba67dd0
07c97c9e72fb5dbec619c404f63a11b912fc8cd8990c9c2f2a94997d41cbd693
15df5a862fac9f36fa3d01654b477b69c83f0e6e3f34506df7cacc690277c031
16347664bea3a83ff23d0f70bdfc89687cd318c9006f641f51e68812647209d8
16d3e585d490cc2ace4d332483e6cfdb58e0b9601a60d8cb1b67fe37ed240f32
1c9522f2196142541138d63c8540a50779766c018808c9dcbb9ae307fabb6727
1ca02fc758959c2b256e2c102528ea5f7d638f2c5191877816f55ff218a491df
280e74d7df292e3a70d32d6cf513477d99e2a8b00c9263a93177ce4f54dcfcd0
2a430cc8543cce3005dcfe77a4c4672e055c5f809240ef8c0b4a5c5279335a9d
32e231bbd83b5f5320a72ba32873ec1c72426b79e86f9c8fc53a3a068f54b01f
39970304ec55d19bd8fb7e9085a16e1321fb4c1f56234dc7cb28ebf85c2559ef
3b16d31f053dafae6636d5e9e6e177c6d3191d792f08f88ebb20eeab64004056
3bc11dacaf93b0456579318c1adeffef853571a637ce549cb788785917b18630
3f1a60c94db70e837c93a5606c622e83d7d728efba2ace44d5a1e25fb9928694
40dffd1df7de4c7734b9d91197f1504abfdf0483041e86babce29800cf676bc5
42760b3beca693ce536a40114e82b7140e9c31b0a0ea3bda6fd35145d385796c
45727028125d1469bbd80957da53beccda382215eedf08749e166401188db598
45965701e3a09e642aa72c4361dff31ab136c691a4b1d196ff040b07fef6ff3c
494fb24fb1bec50a5373d81c28a65f1f3369ccb236e37aa307abb6218aa0bd72
4bc8924ba147f81bc910a1f0a5225cfd25b78d91d8d8725df3db4edb2229732b
4c7c63cd5f5a1a51850ad6c85e08fdfb7d4bf3add81bc45eb2ec3026314b6510
567ee64a97f8ecbf847637702ceb1fce80c5c785ccb8b838bc544bb92657a11b
5b5a40109c12f9ce3ed228625bd2d15e93b17fcee2ffb3d234714a7e0c4f8732

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Triusor-6717792-0

Indicators of Compromise

Registry Keys

Mutexes

\BaseNamedObjects\---

IP Addresses contacted by malware. Does not indicate maliciousness

Domain Names contacted by malware. Does not indicate maliciousness

Files and or directories created

%SystemDrive%\I386\FAXPATCH.EXE
%SystemDrive%\I386\NTSD.EXE
%SystemDrive%\I386\REGEDIT.EXE
%SystemDrive%\I386\SYSPARSE.EXE
%SystemDrive%\I386\AUTOCHK.EXE
%SystemDrive%\I386\AUTOFMT.EXE
%SystemDrive%\I386\EXPAND.EXE
%SystemDrive%\I386\SPNPINST.EXE
%SystemDrive%\I386\SYSTEM32\SMSS.EXE
%SystemDrive%\I386\TELNET.EXE
%ProgramFiles%\AutoIt3\SciTE\SciTE.exe
%ProgramFiles%\FileZilla FTP Client\filezilla.exe
%ProgramFiles%\Windows Media Player\wmplayer.exe
%ProgramFiles%\Windows NT\Accessories\wordpad.exe
%ProgramFiles%\Windows NT\Pinball\pinball.exe
%ProgramFiles%\Windows NT\dialer.exe
%ProgramFiles%\Windows NT\hypertrm.exe

File Hashes

0011723df3b26754ca4ca2eceb09c499aae2c5cc4db928d7727b67c60e577139
002095eb7f10ae09be653040d140ffa762a320afab5185852b7d41b52db61c6a
004c07dd0fa5fad4fe4900cc2ef6bd1b2abb5af3bbcbb2e139b4ff322d4078df
007c2a5cf0f4015a86245231df3d7852a2f65f983b81a4df0dead1085b89a0ed
00eb80745eaf40fc6a96bfcf4e03947beb4fa89a12773dc2aa739ce3777b7678
00ec92b171c50fc7f78b787ce2b441cc2c753d662e25e7d5fcc05e4675bad287
011ef040200e15408460db169067da640b78eba15fad117b28f46b50532c5598
0147aa37821a3897110ed304ec26a1ab06291f59bb0c358de00ad1692ab4ea11
017ddae8c3e44d1b99cba912a1513065ae9883ed63b955297f9ce1dbbf5ffcfc
02ae5aa484fe0a9ddbd128ef9dc13cbd8c8e6880f766a106bae88c783a86583b
02f261c939842a80b16a4a58c91cec0e787e48f190e3e8f6363c4784df122763
0341342a42497c4d2b6886d7ab770a529e266b60c438ad783a615b18c635714c
04078fdc1594bdebbf36b02005c798a8d71e8fb2a4211ffd2fa6653a780ccb99
041f132694ac497b5a0390928f1b5f45e8a1b407d7f33b5d56c4fcaef00d1e1e
043db96315c845bdf388ef63ab097742ad9268b96ca78d6e8565b1a32f551892
04bb15f07d48249864ed7d67485c15c9a90b141299fed80c2cc44ae60d05cfd7
0541a1b37978cf9060e322597f35351d2429dfaf11707092a96743169e4e160f
05aa9a9452f4c1c8a0ee90b6e9d7ce285a4773e171d0fd76c96e57d932243397
05c83511d79d813e563085a8e8b950a20c28bfc5f546ae5e910da25d1cf3a9c3
06261bfb80aa502c1b35d9a0ed627e79f25dca958a32520ea7b3ddaeb98d033e
062eb62bdc94deeba133a244f40b449d7c79dbfd621a95b1dc4daf5405b26650
0630c559b0d079b457072e6fafc912739f57921e84430ba903034b98f688052e
069d85b9fca5faebe3d65e66fc385f208adc02dc2d937e8f73a0683cc5edd1a3
06db79ae47b5da5da9afe655e67805a069fb9b1ccac54d8c21e6bba3390299e0
07a37e10b07767b08e125bbf6d35b5926fdda391faf5d4d9a11dde4014917484

Coverage

Screenshots of Detection

AMP

ThreatGrid

↧

Beers with Talos EP40: BWT XL feat. SuperMicro, Giant Patches, and More Mobile Malware

October 24, 2018, 3:03 pm

≫ Next: Vulnerability Spotlight: TALOS-2018-0635/0636 - Sophos HitmanPro.Alert memory disclosure and code execution vulnerabilities

≪ Previous: Threat Roundup for October 12 to October 19

Beers with Talos (BWT) Podcast Ep. #40 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Ep. #40 show notes:

Recorded Oct. 19, 2018 — In celebration of episode No. 40 and hitting over 1 million downloads(!!!), we go XL. This episode is a bit long, but we go a bit deeper than usual to discuss a few things that are highly unusual — namely, the extra-large patches dropped by Oracle, and the extra-large questions surrounding the Bloomberg/Super Micro story. We also talk about a few mobile threats we have seen and what we have brewing in the mobile threat space.

The timeline:

The topics

01:25 — Roundtable: Skeevy JavaScript, Mighty Reds update, potato camera, Joel’s petty HVAC complaints, and whatever Twitter drama Craig is on about.
07:30 — Agent Tesla and Loki playing tricks.
12:30 — What’s next in mobile threats from Talos, and the problem with app store models.
24:04 — Oracle drops 302 patches. Fancy ... some would even say extravagant.
36:30 — The Super Micro Bloomberg incident: What the **** is going on here?

The links

==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff).
Find all episodes here.

Subscribe via iTunes (and leave a review!)

Check out the Talos Threat Research Blog

Subscribe to the Threat Source newsletter

Follow Talos on Twitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com

↧

Vulnerability Spotlight: TALOS-2018-0635/0636 - Sophos HitmanPro.Alert memory disclosure and code execution vulnerabilities

October 25, 2018, 8:43 am

≫ Next: Vulnerability Spotlight: Talos-2018-0694 - MKVToolNix mkvinfo read_one_element Code Execution Vulnerability

≪ Previous: Beers with Talos EP40: BWT XL feat. SuperMicro, Giant Patches, and More Mobile Malware

Marcin Noga of Cisco Talos discovered this vulnerability.

Overview

Cisco Talos is disclosing two vulnerabilities in Sophos HitmanPro.Alert, a malware detection and protection tool. Both vulnerabilities lie in the input/output control (IOCTL) message handler. One could allow an attacker to read kernel memory contents, while the other allows code execution and privilege escalation.

Vulnerability Details

TALOS-2018-0635 (CVE-2018-3970) - HitmanPro.Alert hmpalert Kernel Memory Disclosure Vulnerability.

An exploitable memory disclosure vulnerability exists in the IOCTL-handler function of Sophos HitmanPro.Alert, version 3.7.6.744. A specially crafted IOCTL request sent by any user on the system to the hmpalert device results in the contents from the privileged kernel memory returning to the user. You can read the full details of the vulnerability here.

TALOS-2018-0636 (CVE-2018-3971) -HitmanPro.Alert hmpalert Privilege Escalation Vulnerability

An additional exploitable vulnerability also exists in the IOCTL-handler function of Sophos HitmanPro.Alert, version 3.7.6.744. Similar to the vulnerability described above, any user on the system can send a specially crafted IOCTL request to the hmpalert device that allows the user to write to memory, resulting in remote code execution and privilege escalation. You can read the full details of the vulnerability here.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rule: 47295-47296

To review our Vulnerability Disclosure Policy, please visit this site.

↧