Zscaler - Threat Lab

Examining the Ryuk Ransomware
Source:  Zscaler Research
Monday, 30 September 2019 19:23

Ryuk ransomware had a disturbingly successful debut, being used to hit at least three organizations in its first two months of activity for more than $640,000 in ransom. Several attacks followed, where the attackers demanded even greater amounts of ransom.

The attackers were able to demand and receive high ransoms because of a unique trait in the Ryuk code: the ability to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. By carrying out these actions, the attackers could disable the Windows System Restore option, making it impossible for users to recover from the attack without external backups. Unlike other ransomware, Ryuk is distributed by common botnets, such as Trickbot and Emotet, which have been widely used as banking trojans. In this blog, we'll provide an analysis of how the Ryuk ransomware can encrypt a victim's data while blocking the infected system from restoring the data.

Analysis

The Ryuk dropper contains both 32-bit and 64-bit payloads. The dropper checks whether it is being executed on a 32-bit or 64-bit OS using the IsWow64Process API and drops the matching payload. It also checks the version of the operating system. On Windows XP, it drops the Ryuk payload at "C:\Documents and Settings\Default User\{random-5 char}.exe"; on Windows Vista or later, it drops the file at "C:\users\Public\{random-5 char}.exe". Next, it executes the payload using the ShellExecuteW API.

Persistence mechanism

Ryuk adds a registry Run key so that it executes at every login. It uses the following command to create the key:

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Public\{random-5 char}.exe" /f

Process injection

Ryuk injects its main code into several remote processes. It enumerates running processes by calling the CreateToolhelp32Snapshot API and injects its code into every process except those named explorer.exe, lsass.exe and csrss.exe, and those running under NT AUTHORITY.

Ryuk terminates processes and stops services contained on a predefined list. These processes and services are mostly antivirus tools, databases, backups, and other software. The screenshot below shows the list of services stopped by Ryuk.

Figure 1: The list of services disabled by the Ryuk ransomware.

The screenshot below shows the list of processes terminated by Ryuk.

Figure 2: The list of processes terminated by the Ryuk ransomware.

Ryuk also deletes shadow copies and other backup storage files using a .BAT file so that the infected system can't restore data. Below is the list of commands used by Ryuk to perform these deletions.

Figure 3: The list of commands used by Ryuk ransomware to delete shadow copies and other backup storage files.

Encryption and similarity with Hermes ransomware

Ryuk uses a combination of RSA (asymmetric) and AES (symmetric) encryption to encrypt files. Ryuk embeds an RSA key pair in which the RSA private key is already encrypted with a global RSA public key. The sample generates an AES-256 key for each file and encrypts the file with that AES key. The AES key is then encrypted with the embedded public key and appended to the end of the encrypted file. If all samples contained the same RSA key pair, then obtaining one private key would be enough to decrypt all of the files; but Ryuk contains a different RSA key pair for every sample. Some samples append the ".RYK" extension and some don't append any extension after encrypting the files.

Ryuk shares a feature with Hermes ransomware: during encryption, Ryuk adds a marker to the encrypted file using the keyword "HERMES". Ryuk checks for the HERMES marker before encrypting any file to determine whether it has already been encrypted. The screenshot below displays the HERMES marker and the encrypted AES key appended at the end of the encrypted file.

Figure 4: The HERMES marker and the encrypted AES key.

Ryuk encrypts files on every drive and network share reachable from the infected system. It whitelists a few folders, including "Windows, Mozilla, Chrome, Recycle Bin, and Ahnlab", so it won't encrypt files inside these folders. Ryuk drops its ransom note, named RyukReadMe.txt, in every directory. Ryuk asks for the ransom in bitcoin, providing the bitcoin address in the ransom note. Ryuk contains different templates for the ransom note. Below is a screenshot of the RyukReadMe.txt file.

Figure 5: Ryuk ransomware ransom note.

After completing the encryption, Ryuk creates two files. One is "Public" and contains an RSA public key; the second is "UNIQUE_ID_DO_NOT_REMOVE" and contains a unique hardcoded key.

Conclusion

While most ransomware is spread using spam email and exploit kits, Ryuk is delivered as a payload of the Emotet and Trickbot malware. Looking at the encryption process and ransom demands, Ryuk is targeting big enterprises in the hopes of large payoffs. The Zscaler ThreatLabZ team continues to monitor this threat to ensure that Zscaler customers are protected.

IOCs

MD5
5AC0F050F93F86E69026FAEA1FBB4450
6CDCB9F86972EFC4CFCE4B06B6BE053A
31BD0F224E7E74EEE2847F43AAE23974

Rajdeepsinh Dodia and Amandeep Kumar are security researchers on the Zscaler ThreatLabZ team.
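The write-up names three host artefacts a responder can look for: the HKCU Run value "svchos" pointing at C:\Users\Public, the HERMES marker appended to encrypted files, and the RyukReadMe.txt note together with the optional .RYK extension. The following Python is an added example, not Zscaler's code, that checks all three against constructed data. The exact byte layout of the encrypted-file footer is not given in the post, so the marker check only looks for the bytes HERMES in the last 4 KiB of each file; the 5-character payload name, the benign comparison command and the directory tree are constructed for the demo.

```python
"""Triage helpers for the Ryuk artefacts described above.

Added example, not Zscaler's code. It checks the HKCU Run persistence
command (value "svchos" pointing at C:\\Users\\Public), the HERMES marker
Ryuk appends to files it has encrypted, and the RyukReadMe.txt note /
.RYK extension. The command lines and the directory tree are constructed;
the footer layout is not given in the write-up, so the marker check only
looks for b"HERMES" in the last 4 KiB of a file (assumption).
"""
import os
import re
import tempfile

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
REG_ADD_RE = re.compile(
    r'REG\s+ADD\s+"(?P<key>[^"]+)"\s+/v\s+"(?P<name>[^"]+)"'
    r'\s+/t\s+REG_SZ\s+/d\s+"(?P<data>[^"]+)"', re.IGNORECASE)
TAIL_BYTES = 4096  # assumption: the marker sits near the end of the file


def parse_reg_add(cmdline):
    """Return (key, value name, data) from a REG ADD command line, or None."""
    m = REG_ADD_RE.search(cmdline)
    return (m.group("key"), m.group("name"), m.group("data")) if m else None


def is_ryuk_persistence(cmdline):
    """True for the Run value the write-up describes: 'svchos' -> C:\\Users\\Public\\*.exe."""
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return False
    key, name, data = parsed
    return (key.lower() == RUN_KEY.lower() and name.lower() == "svchos"
            and data.lower().startswith("c:\\users\\public\\")
            and data.lower().endswith(".exe"))


def has_hermes_marker(tail):
    """Check a file's trailing bytes for the HERMES keyword."""
    return b"HERMES" in tail


def scan_tree(root):
    """Walk root and report .RYK files, ransom notes and HERMES-marked files (relative paths)."""
    found = {"ryk_files": [], "ransom_notes": [], "hermes_marked": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower().endswith(".ryk"):
                found["ryk_files"].append(rel)
            if name == "RyukReadMe.txt":
                found["ransom_notes"].append(rel)
            with open(path, "rb") as fh:
                fh.seek(max(0, os.path.getsize(path) - TAIL_BYTES))
                if has_hermes_marker(fh.read()):
                    found["hermes_marked"].append(rel)
    return {k: sorted(v) for k, v in found.items()}


def build_sample_tree():
    """Constructed share: two 'encrypted' files (one without .RYK), a note, one clean file."""
    root = tempfile.mkdtemp(prefix="ryuk_demo_")
    os.makedirs(os.path.join(root, "finance"))
    filler = bytes(range(256))  # stands in for ciphertext
    with open(os.path.join(root, "finance", "q3.xlsx.RYK"), "wb") as fh:
        fh.write(filler * 2 + b"HERMES" + filler)  # ciphertext, marker, encrypted-key blob
    with open(os.path.join(root, "finance", "budget.pdf"), "wb") as fh:
        fh.write(filler + b"HERMES" + filler)      # variant that adds no extension
    with open(os.path.join(root, "finance", "RyukReadMe.txt"), "w") as fh:
        fh.write("constructed ransom-note placeholder\n")
    with open(os.path.join(root, "notes.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"\x00" * 64)     # untouched file
    return root


# Constructed command lines: the Ryuk pattern with a made-up 5-char name, and a benign Run entry.
SAMPLE_CMD = ('"C:\\Windows\\System32\\cmd.exe" /C REG ADD '
              '"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" '
              '/v "svchos" /t REG_SZ /d "C:\\Users\\Public\\kjhgf.exe" /f')
BENIGN_CMD = ('REG ADD "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" '
              '/v "OneDrive" /t REG_SZ /d "C:\\Users\\alice\\AppData\\Local\\OneDrive\\OneDrive.exe" /f')

if __name__ == "__main__":
    print("persistence:", is_ryuk_persistence(SAMPLE_CMD), is_ryuk_persistence(BENIGN_CMD))
    print(scan_tree(build_sample_tree()))
```

The marker scan reads only the file tail, so it stays cheap on large shares; because the marker is what Ryuk itself uses to avoid double encryption, files that carry it but keep their original name (the no-extension variant the post mentions) are still caught.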

Magecart hits again, leveraging compromised sites and newly registered domains
Source:  Zscaler Research
Friday, 27 September 2019 06:57

During alert monitoring, ThreatLabZ researchers came across multiple cases of shopping sites being compromised and injected with a skimming script. This injected script looks for the payment method and personally identifiable information (PII) and captures the supplied financial information, which is then sent to an adversary-controlled gate server even before the user submits the form. There have been multiple reports published related to Magecart activity, and ThreatLabZ has blogged about the hacker group's activities in the past. (Read previous blogs from September 2018 and July 2019.)

In this blog, we will provide an overview of the current skimming campaigns with an analysis of those that use compromised sites to host the skimmer code and those that use newly registered domains.

The following screen capture shows the Magecart hits we observed over the last 90 days. The activity appears to be fairly consistent week to week, with a spike at the end of the analysis period, and we believe it is likely to continue.

Figure 1: Hits on compromised sites over 90 days (x-axis=date, y-axis=hits)

Most of the impacted websites are in the shopping category. The following graph shows the cloud-wide statistic for the number of unique domains per category for the impacted sites.

Figure 2: URL categories of impacted sites (x-axis=URL category, y-axis=unique domain counts)

This Magecart-based skimming campaign did not reveal any novel tactics, tools, or procedures, but it seems to be more structured in terms of the scripts being used across multiple compromises, similar gate URL parameter patterns, and the algorithm used for data encoding. The cycles we observed were generally the same, but we did see some differences. Some use obfuscation to hide the script injection code and use another compromised site for hosting the skimmer script, while others make use of newly registered domains for skimmer script hosting. Regardless of the loading script, the skimmer code possesses little to no obfuscation.

Cycle 1: Compromised site loads skimmer code from another compromised site

The following image shows a Fiddler session to demonstrate the skimming chain.

Figure 3: Fiddler session for Magecart skimming

In these skimming campaigns, we can see compromised sites sending captured payment information to domains that are either newly registered or compromised and under the control of an adversary. In the following example, the gate site is compromised as well; it was registered on 2013-03-19.

Figure 4: Example of injected script and skimmer code

The skimmer code waits for the user to fill in the personal information and payment method and captures it all before the user hits the submit button. This captured information is then encoded using the Base64 algorithm and sent to the gate URL in a GET request.

Figure 5: Skimmer script sending Base64-encoded PII and payment information in a GET request

Cycle 2: Compromised site loads skimmer code from a newly registered domain

As shown in the image below, the skimming script is being hosted on a domain registered just 10 days before this analysis.

Figure 6: Compromised site leveraging skimmer script from a newly registered domain

All the skimmer scripts we've identified so far are similar, and we observed the following common gate URL pattern:

hxxps://domain/{path}.(php|js)?hash=[base64data]

Figure 7: Skimmer script differences

We saw multiple cases where the same skimmer code locations were being used in multiple compromised sites, including:

custommagnetsdirect[dot]com/catalog/view/javascript/jquery/jquery.sticky.js
matteola[dot]com/js/varien/js.js

The image below shows examples of skimmer code locations being used for multiple compromised sites.

Figure 8: The same skimmer code locations used in multiple compromised sites

Conclusion

Magecart has been successful for years because attackers have improved their techniques for injecting malicious code and hiding it from detection. Now, we are seeing attackers able to steal payment card information before it is even submitted. Zscaler ThreatLabZ actively tracks such campaigns and protects customers from skimming and other types of data-stealing attacks.

Appendix

Common skimmer JS URL patterns

/5d1cbc8c073d4.js
/baypressservices/baypr.js
/check_cvv2_number_script.js
/datetimepicker/bootstrap-datetimepicker.min.js
/images/js/googleapi.js
/javascript/checkcheckout.js
/5d4cdc4cdf344.js
/js/afterpay/checkout/idev_onestep.js
/js/check_analystic.js
/js/extjs/fix-defer-after.js
/js/footer-link.js
/js/front-scripts.min.js
/js/lib/ccard.js
/js/mage/cookies.js
/js/mage/google.js
/js/prototype/prototype.js
/js/scriptaculous/print.js
/varien/email.js
/varien/js.js
/varien/mail.js
/my/vmart.js
/qcore.js
/rimzoneonline/code.js
/silver/acor.js
/wp-includes/js/jquery/jquery.js

Bad domains (with creation date)

api-googles[dot]com                 2019-03-30T18:40:29Z
cloudflara[dot]org                  2019-07-10T19:16:22Z
developer-js[dot]info               2019-03-07T21:29:25Z
facebookfollow[dot]com              2019-07-21T02:29:39Z
googletagmanager-service[dot]com    2019-02-09T23:28:49Z
gooqleadvstat[dot]com               2019-09-13T11:22:10Z
jquery-cdn[dot]top                  2018-09-28T07:41:02Z
jquery-js[dot]com                   2017-01-02T11:21:35Z
jquery[dot]su                       2019-02-27T19:12:36Z
jquerycodemagento[dot]com           2019-08-11T13:05:43Z
magento-security[dot]org            2017-11-14T16:32:41Z
magento-track[dot]com               2018-12-28T20:44:11Z
script-analytics[dot]com            2019-08-13T22:16:38Z
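The gate URL pattern, the Base64 encoding and the appendix lists give a defender enough to triage proxy logs for this campaign. The following Python is an added example, not Zscaler's code: it runs a handful of constructed proxy log lines through the gate pattern hxxps://domain/{path}.(php|js)?hash=[base64data], matches paths against the skimmer JS list, matches hosts against the bad-domain list with the creation dates from the appendix, and decodes the hash parameter to report which form fields were captured. The log line format, the 30-day "newly registered" threshold, and the payload contents are assumptions made for the demo; the domains and paths come from the appendix above.

```python
"""Proxy-log triage for the Magecart gate pattern described above.

Added example, not Zscaler's code. Log line format, the 30-day
new-domain threshold and the Base64 payload are constructed for the
demo; domains, creation dates and paths are from the appendix.
"""
import base64
import re
from datetime import datetime
from urllib.parse import urlsplit

# Subset of the appendix lists ("[dot]" written as ".").
KNOWN_SKIMMER_PATHS = ["/varien/js.js", "/check_cvv2_number_script.js", "/js/mage/cookies.js"]
BAD_DOMAINS = {
    "gooqleadvstat.com": "2019-09-13T11:22:10Z",
    "script-analytics.com": "2019-08-13T22:16:38Z",
    "jquery-cdn.top": "2018-09-28T07:41:02Z",
}
NEW_DOMAIN_DAYS = 30  # assumption

GATE_RE = re.compile(
    r"^https?://(?P<host>[^/?#]+)(?P<path>/[^?#]*\.(?:php|js))\?hash=(?P<b64>[A-Za-z0-9+/=]+)$")
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) url=(?P<url>\S+)$")


def decode_hash_param(b64):
    """Decode hash= and return the form field names it carries, or None if it is not Base64."""
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None
    return [kv.split("=", 1)[0] for kv in raw.split("&") if kv]


def domain_age_days(created_iso, observed_date):
    """Whole days between a WHOIS creation timestamp and the observation date."""
    created = datetime.strptime(created_iso, "%Y-%m-%dT%H:%M:%SZ")
    observed = datetime.strptime(observed_date, "%Y-%m-%d")
    return (observed - created).days


def triage_url(url, observed_date):
    """Return the reasons a URL looks like skimmer traffic (empty list when clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons, fields = [], []
    m = GATE_RE.match(url)
    if m:
        reasons.append("gate-pattern")
        fields = decode_hash_param(m.group("b64")) or []
    if any(parts.path.endswith(p) for p in KNOWN_SKIMMER_PATHS):
        reasons.append("known-skimmer-path")
    if host in BAD_DOMAINS:
        reasons.append("bad-domain")
        if domain_age_days(BAD_DOMAINS[host], observed_date) < NEW_DOMAIN_DAYS:
            reasons.append("newly-registered")
    return {"url": url, "host": host, "reasons": reasons, "fields": fields}


def triage_log(lines, observed_date):
    """Parse constructed proxy lines and keep only the ones with findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            result = triage_url(m.group("url"), observed_date)
            if result["reasons"]:
                findings.append(result)
    return findings


def build_sample_log():
    """Constructed proxy lines: one clean CDN fetch, one skimmer load, two gate callbacks."""
    payload = base64.b64encode(b"number=XXXXXXXXXXXXXXXX&cvv=XXX&email=user@example.com").decode()
    return [
        "2019-09-27T10:15:02Z src=10.0.0.5 method=GET url=https://cdn.example-shop.com/js/app.js?v=42",
        "2019-09-27T10:15:03Z src=10.0.0.5 method=GET url=https://matteola.com/js/varien/js.js",
        f"2019-09-27T10:15:09Z src=10.0.0.5 method=GET url=https://gooqleadvstat.com/check_cvv2_number_script.js?hash={payload}",
        f"2019-09-27T10:15:10Z src=10.0.0.5 method=GET url=https://script-analytics.com/loader.php?hash={payload}",
    ]


if __name__ == "__main__":
    for finding in triage_log(build_sample_log(), "2019-09-27"):
        print(finding["host"], finding["reasons"], finding["fields"])
```

Decoding the hash parameter matters for impact assessment: Base64 is an encoding, not encryption, so the proxy log itself tells you which fields (card number, CVV, e-mail) left the browser, and for which users, without needing the skimmer script.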

Phishing attacks abusing appspot.com and web.app domains on Google Cloud
Source:  Zscaler Research
Tuesday, 24 September 2019 21:17

In July, Zscaler ThreatLabZ posted a blog about a rise in the use of Microsoft Azure domains to host phishing attacks. Our researchers recently detected similar activity on the Google domains appspot.com and web.app. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. Web.app is a mobile platform used for building mobile apps hosted by Firebase, which is Google's mobile app platform.

These campaigns use SSL certificates issued for the appspot.com and web.app domains, and they have well-designed login pages that attempt to spoof popular brands widely used in business, such as Dropbox Business, Microsoft Outlook and SharePoint, and DocuSign. They are designed to capture login credentials, which are sent to a remote server. In the analysis that follows, we'll describe the techniques these campaigns use to avoid detection and show the phishing domains and the locations where the user credentials are being sent. As of this date, many of these subdomains on appspot.com and web.app are not being flagged by VirusTotal.

Fig 1: VirusTotal detections for the subdomains

Web.app hosted phishing pages

The following screenshots are phishing pages of some of the sites that have used an SSL certificate issued for web.app.

Fig 2: Microsoft login phishing page

Fig 3: SSL certificate page of the hosted phishing URL

Appspot.com hosted phishing pages

Fig 4: Google Drive login phishing page

Fig 5: Outlook login phishing page

Fig 6: Dropbox login phishing page

Fig 7: DocuSign login phishing page

Fig 8: OneDrive login phishing page

Fig 9: OneDrive login phishing page

Fig 10: OneDrive login phishing page

Evasion techniques

This is a sophisticated phishing campaign, as demonstrated by the well-designed phishing pages that are difficult to distinguish from legitimate pages. In addition, the attackers are using the latest tactics to evade detection by scan engines, with most of the code written in an external JavaScript file. This filename is 32 characters long and different for every site. Below is the source code of the phishing pages; the highlighted part is the external JavaScript mentioned above.

Fig 11: Source code of phishing page

Fig 12: Source code of phishing page

In the landing page source code of the phishing URL above, there is little content, no brand name, and none of the catchy strings that are common in most phishing campaigns. This enables it to bypass many automatic analysis engines and extends its survival. The following screenshots show the code and the location where the user credentials are being sent. This code is present in randomly named, externally added JavaScript files.

Fig 13: Location used by the attacker to collect user credentials

Fig 14: Location used by the attacker to collect user credentials

The following figure shows a sample packet capture for this data being sent to the attacker's site.

Fig 15: Packet capture for the data that has been sent to the attacker's site

Zscaler is actively blocking these phishing pages. The following screen capture shows Zscaler detection for one of these pages:

Fig 16: Zscaler successfully detects these domains

Phishing domains

As of the writing of this blog, we have collected the following phishing domains.

uy67dass[.]appspot[.]com
ja8fspxzosaa[.]appspot[.]com
gjf9pxzosa[.]appspot[.]com
egoew023pzas[.]appspot[.]com
vhkad03pas[.]appspot[.]com
kda8gazxa[.]appspot[.]com
adgkao93pz[.]appspot[.]com
l9rwpodsxcs[.]appspot[.]com
cvgfsaz[.]appspot[.]com
jga9spzas[.]appspot[.]com
jjad9gdpxzsa[.]appspot[.]com
vadgka932oa[.]appspot[.]com
ls9ixosdsasa[.]appspot[.]com
qwsa92oozxa[.]appspot[.]com
adlg402ooz[.]appspot[.]com
bnb932psiz[.]appspot[.]com
authofisaiz[.]web[.]app
Telecomm-uk[.]web[.]app
f45ghdsas[.]appspot[.]com
Derr9qepzxas[.]appspot[.]com
Vgdikad9oqww[.]appspot[.]com
dsa3aszxsa[.]appspot[.]com
weotwe0dpa[.]appspot[.]com
Wy6fxsa[.]appspot[.]com
Yu56sdzsa[.]appspot[.]com
Vbhg45as[.]appspot[.]com
Hds9pzoas[.]appspot[.]com
khs9dpas[.]appspot[.]com
u76dfsdasa[.]appspot[.]com
y56fds[.]appspot[.]com
vfhgj3sz[.]appspot[.]com
eyq246ddpoas[.]appspot[.]com
h45dsagga[.]appspot[.]com
sds43dza[.]appspot[.]com
yt76uyhxzz[.]appspot[.]com
jh54dfaz[.]appspot[.]com
ytyfazxz[.]appspot[.]com

Where information is sent

Below are the locations where the phishing page is sending credentials entered by the user.

https://osipz[.]c3y5-tools[.]com/1[.]newsvpost_ads_auto/loading[.]php
https://osipz[.]kute[.]pw/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://uiufz[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]kute[.]pw/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]bugcart[.]com/1[.]newsvpost_ads/loading[.]php
https://xotpe[.]dtvd[.]biz/1[.]newsvpost_ads/loading[.]php
https://uy6x[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://h76fg[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
https://hjif[.]c3y5-tools[.]com/1[.]newsvpost_ads/loading[.]php
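The evasion traits described above (a near-empty landing page on an appspot.com or web.app subdomain, the logic pulled from an external script with a 32-character random name, credentials posted to a .../1.newsvpost_ads/loading.php style path) can be turned into page-level heuristics for a URL scanner. The following Python is an added example, not Zscaler's code: it scores a constructed landing page and its external script against those traits. The HTML and JavaScript inputs are constructed for the demo, and the 200-character "sparse page" threshold is an assumption; the host suffixes and the collection path come from the post.

```python
"""Heuristics for the phishing-page evasion traits described above.

Added example, not Zscaler's code. The HTML/JS samples are constructed;
the 200-character sparse-page threshold is an assumption.
"""
import re
from urllib.parse import urlsplit

CLOUD_SUFFIXES = (".appspot.com", ".web.app")
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc=[\"']([^\"']+)[\"']", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")
EXFIL_PATH_RE = re.compile(r"/1\.newsvpost_ads(?:_auto)?/loading\.php")
SPARSE_TEXT_CHARS = 200  # assumption


def refang(s):
    """Turn de-fanged indicators ("[.]") back into real dots."""
    return s.replace("[.]", ".").replace("[dot]", ".")


def on_cloud_app_host(url):
    host = (urlsplit(refang(url)).hostname or "").lower()
    return host.endswith(CLOUD_SUFFIXES)


def external_scripts(html):
    return SCRIPT_SRC_RE.findall(html)


def random_named_scripts(srcs, length=32):
    """Scripts whose file name (without extension) is exactly `length` alphanumerics."""
    hits = []
    for src in srcs:
        name = urlsplit(src).path.rsplit("/", 1)[-1]
        stem = name.rsplit(".", 1)[0]
        if len(stem) == length and stem.isalnum():
            hits.append(src)
    return hits


def visible_text(html):
    """Rough text content: drop script/style bodies and tags, collapse whitespace."""
    body = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", html, flags=re.S | re.I)
    return " ".join(TAG_RE.sub(" ", body).split())


def exfil_targets(js):
    """URLs in the script that post to the credential-collection path seen in the campaign."""
    urls = re.findall(r"https?://[^\s\"']+", js)
    return [refang(u) for u in urls if EXFIL_PATH_RE.search(refang(u))]


def assess(url, html, js=""):
    indicators = []
    if on_cloud_app_host(url):
        indicators.append("cloud-app-host")
    if random_named_scripts(external_scripts(html)):
        indicators.append("random-32-char-script")
    if len(visible_text(html)) < SPARSE_TEXT_CHARS:
        indicators.append("sparse-landing-page")
    targets = exfil_targets(js)
    if targets:
        indicators.append("known-exfil-path")
    return {"url": url, "indicators": indicators, "exfil": targets}


# Constructed samples: a landing page shaped like the campaign, and an ordinary login page.
PHISH_URL = "https://uy67dass[.]appspot[.]com/"
PHISH_HTML = """<html><head><title>Sign in</title></head><body>
<div id="app"></div>
<script src="https://uy67dass.appspot.com/a3f9c1e2b4d5f6a7b8c9d0e1f2a3b4c5.js"></script>
</body></html>"""
PHISH_JS = 'var target = "https://osipz[.]c3y5-tools[.]com/1[.]newsvpost_ads_auto/loading[.]php";\n'

LEGIT_URL = "https://login.example-bank.com/"
LEGIT_HTML = ("<html><head><title>Example Bank - Sign in</title></head><body>"
              "<p>Welcome to Example Bank online banking. Sign in with your customer number and "
              "password to view your accounts, pay bills and manage your cards. Need help? Call our "
              "support line or visit a branch. Your session will time out after ten minutes of "
              "inactivity, and we will never ask for your full password by e-mail.</p>"
              '<script src="https://login.example-bank.com/static/app.min.js"></script></body></html>')

if __name__ == "__main__":
    print(assess(PHISH_URL, PHISH_HTML, PHISH_JS))
    print(assess(LEGIT_URL, LEGIT_HTML))
```

None of these indicators is conclusive on its own (plenty of legitimate apps live on appspot.com and ship hashed-name bundles), which is why the function returns the list rather than a verdict; the combination of all four on one page is what the post describes.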

InnfiRAT: A new RAT aiming for your cryptocurrency and more
Source:  Zscaler Research
Monday, 02 September 2019 14:24

Recently, the Zscaler ThreatLabZ team came across a new RAT called InnfiRAT, which is written in .NET and designed to perform specific tasks from an infected machine. This blog provides an analysis of this new RAT, including the way it communicates, all the tasks it performs, and the information it steals.

Background

As with just about every piece of malware, InnfiRAT is designed to access and steal personal information on a user's computer. Among other things, InnfiRAT is written to look for cryptocurrency wallet information, such as Bitcoin and Litecoin. InnfiRAT also grabs browser cookies to steal stored usernames and passwords, as well as session data. In addition, this RAT has screenshot functionality so it can grab information from open windows. For example, if the user is reading email, the malware takes a screenshot. It also checks for other applications running on the system, such as an active antivirus program.

InnfiRAT sends the data it has collected to its command-and-control (C&C) server and requests further instructions. The C&C can also instruct the malware to download additional payloads onto the infected system.

Technical analysis

1) Before executing the main payload, the malware checks whether it is running from the %AppData% directory under the name NvidiaDriver.exe. If not, a web request is sent to "iplogger[.]com/1HEt47" (possibly to check network connectivity).

2) It records all the running processes in an array, then iterates through each process and checks whether any process is running with the name NvidiaDriver.exe. If so, the malware kills that process and waits for it to exit.

Figure 1: Checks execution location, terminates process with name NvidiaDriver

3) InnfiRAT copies itself as %AppData%/NvidiaDriver.exe and executes it from %AppData% before terminating the current process.

Figure 2: The malware makes a copy of itself in %AppData%

4) After confirming the path of file execution, it writes a Base64-encoded PE file in memory, which is later decoded into its actual format and loaded after changing the entry point of the file. This is also a .NET executable and contains the actual functionality of the malware.

Figure 3: Embedded PE file in encoded form

Figure 4: Embedded PE file is decoded and executed

Analysis of embedded .NET executable

All the strings inside the file are encoded with a custom encoding scheme that uses the XOR operation.

Figure 5: Strings decoding logic

As execution of the malware starts, it checks for the presence of a VM environment. It does so by checking the return value of the routine JкыnеюwPреюLLщzьhdкXoJxбюHхрйFWрDлнруG7574208083337(). If the return value equals the first value, enum[0], defined in the enum shown below, execution continues; otherwise it terminates.

Figure 6: User-defined enum structure

After performing the VM checks, the malware obtains the country and HWID information of the machine it is running on. To obtain the country information, it calls the routine EjarVhXфf8752612307563884480() [FetchNetworkInfo] and fetches the Country key value from the returned JSON data. Similarly, to obtain the HWID, it calls the routine ubобмдGogBлzWKrgrыaZucвлC33208440168().

Anti-VM checks

Inside the JкыnеюwPреюLLщzьhdкXoJxбюHхрйFWрDлнруG7574208083337() [VMDetection] routine:

Note: All the enum values are referenced using enum[index] during analysis, where the index starts from 0.

1. Performs a WMI query to obtain the following information:

"Manufacturer"
"Caption"
"Name"
"ProcessorId"
"NumberOfCores"
"NumberOfLogicalProcessors"
"L2CacheSize"
"L3CacheSize"
"SocketDesignation"

It then checks, one by one, whether the manufacturer contains one of the strings below and returns the enum value specified:

"VBoxVBoxVBox"            returns enum[2]
"VMwareVMware"            returns enum[1]
"Prl hyperv"              returns enum[3]
"Microsoft Corporation"   returns enum[4]

2. A WMI query is performed again, this time to obtain the following information:

"DeviceID"
"MediaType"
"Model"
"PNPDeviceID"
"SerialNumber"

A check is performed to see whether the PnpDeviceId contains one of the strings below, returning the enum value specified:

"VBOX_HARDDISK"           returns enum[2]
"VEN_VMWARE"              returns enum[1]

If none of the above conditions match, it returns enum[0].

Machine network information

Inside the EjarVhXфf8752612307563884480() [FetchNetworkInfo] routine: a web request is sent to https://ipinfo[.]io/json and the received data is returned from the function. The received data contains the following information:

"ip"
"city"
"region"
"country"
"loc"
"postal"
"org"

Figure 7: Web request being made

Network communication

Inside the мMлFкCцеGPбiбqюK1559516831() [CreateDuplexChannel] routine: InnfiRAT sets up a duplex channel named "IVictim" using DuplexChannelFactory:

tcp://62[.]210[.]142[.]219:17231/IVictim

Figure 8: Creating a duplex channel with C&C server

After forming the duplex channel named IVictim, it uses the IVictim interface, which contains the following methods:

"Subscribe"
"CompleteTask"
"GetDlls"
"AvailableTasks"

Figure 9: Available methods in the IVictim interface

Inside the SуkdVkцiшkUояUuчPуюяmмuty187968776() [SubscribeVictim] routine: InnfiRAT calls the Subscribe method from the IVictim interface with login = "innfiniti".

Figure 10: The subscribe method from the IVictim interface is invoked

Inside the хaxeYхсиghIжNпDмвQюwkуpкgимuбсфbnдбMвMC67210633684721828() [GetAndExecuteSpecifiedTask] routine: InnfiRAT obtains the tasks inside a UserTask list by invoking AvailableTasks, where UserTask has the following keys:

"ID"
"Action"
"URL"
"FinalPoint"
"Current"
"Status"
"Country"
"RunSilent"
"Argument"

It iterates through each task. On each iteration, it first checks that the Country value received is either "ALL" or the one present in the BasicInfoVictim class obtained earlier, that the Action to perform is "DownAndEx", and that the URL value is available. If these conditions match, the CompleteTasks method is called with three arguments:

"login"
"hwid"
"TaskID"

The RAT then calls the routine rLPсаWFоWcTjzпTэBFWkъмзтшпD147152108377454681517643543() [ExecuteFile] with three arguments to execute the file:

Arg1 = Path of the file to be executed [obtained from the URL]
Arg2 = Arguments to the file to be executed [obtained from the Argument key of the current UserTask element]
Arg3 = true/false [obtained from the RunSilent key of the current UserTask element]

After iterating over all items in the UserTask list, it sleeps for 30,000 milliseconds.

Figure 11: Country, action, and URL checks are performed and the specified task is completed

Process checks

Inside the LlсiсkнwychhVзjзNзxрFrUOE4656655235232302206601527615541285() [ProcessCheck] routine: all the running processes in the system are obtained, their names are converted to lowercase, and a check is performed to see whether the name matches any of the following strings:

"taskmgr"
"processhacker"
"procmon"
"procexp"
"pchunter"
"procexp64"

If there are any matches, the process terminates. Below are the snapshots depicting the actions performed.

Figure 12: Obtaining processes, converting their names to lowercase, checking specific processes

Figure 13: Converting ProcessName to lowercase

Figure 14: Checking for above-mentioned running processes (process names are obfuscated here)

Inside the wYxйыrоyTHuLдTч212065() [KillProcesses] routine: InnfiRAT obtains the list of all processes running in the system and kills any process whose name contains one of the following strings:

"chrome"
"browser"
"firefox"
"opera"
"amigo"
"kometa"
"torch"
"orbitum"

Figure 15: Kills processes that contain any of the above-mentioned strings

Scheduled execution

Inside the эйviMhйсuьZCпJфшcкLйшuв348374() [ScheduleMalwareExecution] routine: a CMD (cmd.exe) command string is constructed and executed to schedule the malware execution. The command string looks like this:

/C schtasks /create /tn WindowsUpdater /tr "%AppData%NvidiaDriver.exe " /st HH:mm  /du 9999:59 /sc daily /ri 1 /f

Figure 16: CMD command is constructed and executed

C&C commands

Here are some tasks performed by the malware based on the commands received from the C&C server:

1. SendUrlAndExecute(string URL)

InnfiRAT downloads the file from the specified URL by calling the routine жRfаeQbrwйfsLGыhчUrEжьFхaяGчрлCдtGжSofьQvдnIмs8383484343838630833542717281211() [DownloadFileFromUrl]. Inside this routine, a directory named TEMP is first created inside %AppData% if it doesn't exist. Then the file is downloaded and saved inside this folder with the name extracted from the passed URL: the URL is split on the delimiter '/' and the last item is used as the file name.

Figure 17: Create folder and download file

Once the download is complete, it calls the routine rLPсаWFоWcTjzпTэBFWkъмзтшпD147152108377454681517643543() [ExecuteFile] with three arguments to execute the downloaded file:

Arg1 = Path of the file to be executed
Arg2 = Arguments to the file to be executed
Arg3 = true

Figure 18: Execute the downloaded file

2. ProfileInfo()

Inside the routine, it collects the following information:

"NetworkInfo": { "ip", "city", "region", "country", "loc", "postal", "org" }
"PCAdmin"
"PCInformation": { "FrameWorkDescription", "Processors", "PRocessorsCore", "VideoCards" }

It then sends the information to the C&C server.

Figure 19: UserProfile info being collected and sent to the C&C server

3. LoadLogs()

It calls the GetDlls() routine, which obtains information inside a list of type DownloadDll, where DownloadDll has two keys:

"Path"          represents a relative path to an .exe file
"ByteArray"     binary data

Figure 20: GetDlls being called

After fetching the list, InnfiRAT traverses each element inside the list via a for-loop. Inside the loop: the value of the Path key is split using the delimiter "\\"; the second value in the split is the name of the directory. A check is performed to see whether the count after the split is greater than 2 and there is no directory with the name obtained from the Path key split inside the executing module directory.
If the check is true, a directory with the obtained name is created. A check is performed to see whether no file exists at the location specified by the Path key in the executing module directory. If so, it creates the file and writes the value of ByteArray to it. The routine wYxйыrоyTHuLдTч212065() [KillProcesses] is called. Finally, data obtained from UserProfile() is sent to the C&C server.

Figure 21: A directory is created, a file is created, and KillProcesses is called; the response is sent to the C&C server

4. LoadCookies() - Steal browser cookie information

InnfiRAT calls the GetDlls() routine, which obtains information inside a list of type DownloadDll, where DownloadDll has two keys:

"Path"          represents a relative path to an .exe file
"ByteArray"     binary data

Figure 22: GetDlls being called

After fetching the list, the malware traverses each element inside the list via a for-loop. Inside the loop: the value of the Path key is split using the delimiter "\\"; the second value in the split is the name of the directory. A check is performed to see whether the count after the split is greater than 2 and there is no directory with the name obtained from the Path key split inside the executing module directory. If the check is true, a directory with the obtained name is created. A check is performed to see whether no file exists at the location specified by the Path key in the executing module directory. If so, it creates the file and writes the value of ByteArray to it.

Figure 23: Directory is created, file is created

It creates an empty list of BrowserCook type, where BrowserCook has two keys:

"CookiePaths"
"BrowserName"

The name and corresponding cookie path are retrieved for the following browsers, one by one:

"Chrome"
"Yandex"
"Kometa"
"Amigo"
"Torch"
"Orbitum"
"Opera"
"Mozilla"

A BrowserCook element is created with the fetched information and added to the list created earlier.

Figure 24: Browser info is retrieved and added to the list

It creates an empty list of BrowserCookie type, where BrowserCookie has three keys:

"Browser"
"FileName"
"FileArray"

Inside two for-loops, elements of the BrowserCookie type are created, where the Browser key and FileArray key are assigned values from the previously created BrowserCook list, and the FileName is set to _Cookie.txt if the browser name for the current element is not "Mozilla", or to Cookie.txt otherwise.

Figure 25: BrowserCookie elements list is built

The harvested BrowserCookie list is then sent to the C&C server, and the temporary file and directory are deleted.

Figure 26: File and directory are deleted

5. LoadWallets() - Steal Bitcoin wallets

The malware creates an empty list of BitcoinWallet type, where BitcoinWallet has two keys:

"WalletArray"
"WalletName"

A check is performed to see whether a Litecoin or Bitcoin wallet file is present on the system at the following locations:

Litecoin: %AppData%\Litecoin\wallet.dat
Bitcoin: %AppData%\Bitcoin\wallet.dat

If found, an element of type BitcoinWallet is added to the list after assigning a name to the WalletName key and reading the corresponding wallet file into the WalletArray key.

Figure 27: File presence is checked, BitcoinWallet element is added to the list

Finally, the created list is sent in response to the C&C server.

Figure 28: List is sent in response to the C&C server

6. LoadFiles() - Steal small text files potentially containing sensitive information

InnfiRAT collects all the .txt files on the desktop whose size is less than 2,097,152 bytes into a list of CustomFile type. CustomFile has two keys:

"Name"
"FileArray"

The created list is sent in response to the C&C server.

Figure 29: Files are collected and sent to the C&C server

Figure 30: Inside HcапkцтеuxчI46156665847187238336657104255061.лQtdjюAKMCdскHUжfъqZTzmMнуз68532317728035381607276587242500 [CollectFiles]

7. LoadProcesses() - Get the list of running processes on the victim machine

InnfiRAT creates an empty list of type ProcessInfo, where ProcessInfo has three keys:

"ID"
"Name"
"Path"

It obtains the list of all the processes running in the system and sends the list in response to the C&C server.

Figure 31: Process information is obtained and the list is sent to the C&C server

8. Kill(int process) - Kill a specific process on the victim machine

InnfiRAT obtains the list of all the processes running in the system and then, inside a for-loop, compares the process ID of each obtained process with the process ID passed as an argument to this routine, one at a time. If there is a match, the process is killed and the flag variable is set to true. Finally, a response is sent to the C&C server.

Figure 32: Process is killed and response is sent

9. Screenshot() - Take a screenshot on the victim machine

It calls the qюFpьGoJv97921676245() [CaptureScreenshot] routine and the returned value is sent to the C&C server.

Figure 33: Screenshot captured and sent to the C&C server

Figure 34: Inside the qюFpьGoJv97921676245() [CaptureScreenshot] routine

10. RunCommand(string command) - Execute a specified command on the victim machine

This creates a new CMD process, builds the command line argument using the command passed as an argument to this routine, and finally starts the process. Command line argument:

/c + " " + command

Figure 35: Received command is executed

11. ClearCooks() - Clear browser cookies on the victim machine for specific browsers

InnfiRAT creates an empty list of BrowserCook type, where BrowserCook has two keys:

"CookiePaths"
"BrowserName"

The name and corresponding cookie path are retrieved for the following browsers, one by one:

"Chrome"
"Yandex"
"Kometa"
"Amigo"
"Torch"
"Orbitum"
"Opera"
"Mozilla"

A BrowserCook element is created with the fetched information and added to the list created earlier.

Figure 36: Browser info is retrieved and added to the list

The routine wYxйыrоyTHuLдTч212065() [KillProcesses] is called. The BrowserCook list created earlier is traversed and cookie files are deleted using the CookiePaths key value. Finally, a response is sent to the C&C server.

Figure 37: The routine wYxйыrоyTHuLдTч212065() [KillProcesses] is called, cookie files are deleted, and the response is sent to the C&C server

Conclusion

A RAT, or remote-access trojan, is a type of malware that includes a backdoor, giving intruders the ability to control the targeted computer remotely and enabling them to perform any number of tasks, such as logging keystrokes, accessing confidential information, activating the system's webcam, taking screenshots, formatting drives, and more. They can also be designed to spread to other systems on a network. Because RATs are usually downloaded as a result of a user opening an email attachment or downloading an application that has been infected, the first line of defense is often the users, who must, as always, refrain from downloading programs or opening attachments that aren't from a trusted source. The ThreatLabZ team continues to monitor this threat and ensure that Zscaler customers are protected.

IOCs

MD5: f992dd6dbe1e065dff73a20e3d7b1eef
Downloading URL: rgho[.]st/download/6yghkhzgm/84986b88fe9d7e3caf5183e4342e713adf6c3040/df3049723db33889ac49202cb3a2f21ac1b82d5b/peugeot.zip
Network URL: tcp://62[.]210[.]142[.]219:17231/IVictim

Saefko: A new multi-layered RAT
Source:  Zscaler Research
Thursday, 08 August 2019 16:48

Recently, the Zscaler ThreatLabZ team came across a new remote-access trojan (RAT) for sale on the dark web. The RAT, called Saefko, is written in .NET and has multiple functionalities. This blog provides a detailed analysis of this piece of malware, including its HTTP, IRC, data stealing, and spreading modules.

Background

A RAT is a type of malware that includes a backdoor for remote administrative control of the targeted computer. RATs are usually downloaded as a result of a user opening an email attachment or downloading an application or a game that has been infected. Because a RAT enables administrative control, the intruder can do just about anything on the targeted computer, such as monitoring user behavior by logging keystrokes, accessing confidential information, activating the system's webcam, taking screenshots, formatting drives, and more.

Upon successful infection, the Saefko RAT stays in the background and executes every time the user logs in. It fetches the Chrome browser history looking for specific types of activity, such as visits to sites involving credit cards, business, social media, gaming, cryptocurrency, shopping, and more. It sends the data it has collected to its command-and-control (C&C) server and requests further instructions. The C&C instructs the malware to provide system information, and the RAT then collects a range of data including screenshots, videos, keystroke logs, and more. The C&C can also instruct the malware to download additional payloads onto the infected system.

RATs present a unique business threat: they can steal a lot of data without being detected and spread to other systems across the network. The ThreatLabZ team also detonated the Saefko RAT in the Zscaler Cloud Sandbox to determine its functionality, communications, and the potential threat.
Technical Analysis of the Saefko RAT

The Saefko malware unpacks itself, places the SaefkoAgent.exe file at “/%AppData%/Roaming/SaefkoAgent.exe”, and executes it. It also copies itself to “/%AppData%/Roaming/windows.exe” and “/%AppData%/Local/explorer.exe” and executes those copies.

Autostart Key

The Saefko malware creates a startup key so that it executes at every login. If it is running from an admin account, it creates the following registry key:

“HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer”

Otherwise, it creates the registry key in the following path:

“HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer”

Functionality

Saefko first checks whether the internet connection is active by connecting to “clients3.google.com/generate_204”. It then uses a unique technique to identify whether the infected system contains any vital information: it fetches the browser history, searches for particular websites visited by the user, and keeps a count for each of the categories listed below. From the counts, the attacker can determine which of the infected systems to target first.
The list of categories it searches for includes:

Credit card possibility
paypal.com 2c2p adyen.com volusion.com pay.amazon.com apple.com/apple-pay/ atos.net authorize.net BIPS bitpay.com bpay.com braintreepayments.com centup.org cm.com creditcall.com cybersource.com mastercard.com digi.cash digitalriver.com dwolla.com elavon.com euronetworldwide.com eway.io firstdata.com fortumo.com pay.google.com/send/home heartlandpaymentsystems.com ingenico.com ippayments.com klarna.com emergentpayments.ne moduslink.com mpay.com neteller.com ofx.com pagseguro payoneer.com paymentwall.com paypoint.co paysbuy.com paysafe.com paytm.com payzone.co.uk crunchbase.com qiwi.com globalpaymentsinc.com reddotpayment.com sagellc.com skrill.com stripe.com squareup.com tencent.com transfermate.com transferwise.com wmtransfer.com trustly.com wepay.com verifone.com xendpay.com pay.weixin.qq.com money.yandex.ru wirecard.com truemoney.com xsolla.com myshopify.com/admin payza.com 2checkout.com 3dcart.com paysafecard.com weebly.com

Gaming activity value
origin.com steampowered.com g2a.com twitch.tv nichegamer.com techraptor.net gematsu.com estructoid.com pcgamer.com gamefaqs.gamespot.com gamespot.com siliconera.com rockpapershotgun.com gameinformer.com decluttr.com glyde.com gamestop.com microsoft.com/account/xboxlive playstation.com/en-us/network/store nintendo.com/games gog.com game.co.uk itch.io gamefly.com greenmangaming.com gaming.youtube.com

Cryptocurrency value
etoro.com 24option.com puatrack.com/coinbull2/ luno.com paxforex.com binance.com coinbase.com cex.io changelly.com coinmama.com xtrade.ae capital.com paxful.com kraken.com poloniex.com gemini.com bithumb.com xcoins.io cobinhood.com coincheck.com coinexchange.io shapeshift.io bitso.com indacoin.com cityindex.co.uk bitbay.net bitstamp.net cryptopia.co.nz pro.coinbase.com kucoin.com bitpanda.com foxbit.com.br bitflyer.com bitfinex.com bit-z.com quadrigacx.com quadrigacx.com big.one lakebtc.com wex.nz kuna.io yobit.io zebpay.com hitbtc.com bx.in.th trezor.io electrum.org blockchain.com crypto.robinhood.com exodus.io mycelium.com bitcointalk.org btc-e.com moonbit.co.in bitcoinaliens.com bitcoinwisdom.com coindesk.com cointelegraph.com ccn.com reddit.com/r/Bitcoin/ bitcoin.org/en/blog newsbtc.com blog.spectrocoin.com blog.coinbase.com bitcoinist.com forklog.com abitcoinc.com bitcoin.stackexchange.com news.bitcoin.com blog.bitfinex.com blog.genesis-mining.com

Instagram activity
instagram.com m.instagram.com

Facebook activity
facebook.com m.facebook.com

Youtube activity
youtube.com m.youtube.com

Google+ activity
plus.google.com m.plus.google.com

Gmail activity
gmail.com mail.google.com

Shopping activity
boohoo.com gymshark.com mail.google.com prettylittlething.com showpo.com athleta.com ae.com ruelala.com asos.com superdry.com zaful.com zafulswimwear.com luckybrand.com forever21.com urbanoutfitters.com nastygal.com jcrew.com anthropologie.com allsaints.com uniqlo.com armaniexchange.com fashionnova.com saksoff5th.com target.com macys.com barneys.com zappos.com sneakersnstuff.com yoox.com nike.com simmi.com amazon.com ebay.com walmart.com newegg.com bestbuy.com ftd.com 1800flowers.com glossier.com sephora.com thebodyshop.com ulta.com horchow.com homedepot.com pier1.com bedbathandbeyond.com wayfair.com shoptiques.com viator.com etsy.com cloud9living.com seatgeek.com aliexpress.com alibaba.com

Business value
linkedin.com twitter.com nasdaq.com ft.com reuters.com nyse.com tsx.com marketwatch.com thestreet.com wsj.com investing.com investopedia.com finance.yahoo.com seekingalpha.com fool.com investorguide.com zacks.com home.saxo forexbrokers.com swissquote.com cmcmarkets.com fxpro.co.uk forex.com dukascopy.com interactivebrokers.com tdameritrade.com bankofinternet.com ally.com bankpurely.com redneck.bank

Saefko also collects additional user and machine data, reported in the fields below (field: description):

irc_channel: IRC channel name
irc_nickname: Nickname
irc_password: IRC channel password
irc_port: IRC port for communication with a server
irc_server: Server name
machine_active_time: System uptime
machine_artct: Machine architecture
machine_bitcoin_value: Number of cryptocurrency sites visited by the user
machine_business_value: Number of business sites visited by the user
machine_calls_activity: 0
machine_camera_activity: Number of “.png” files present on the desktop
machine_country_iso_code: Country code fetched from “ipinfo.io/geo”
machine_lat: The geographic location of the system (latitude)
machine_lng: The geographic location of the system (longitude)
machine_creadit_card_posiblty: Number of payment sites visited by the user
machine_current_time: The machine's current time
machine_facebook_activity: Number of times the user visited Facebook
machine_gaming_value: Number of times the user visited gaming websites
machine_gmail_avtivity: Number of times the user visited Gmail
machine_googleplus_activity: Number of times the user visited Google+
machine_instgram_activty: Number of times the user visited Instagram
machine_ip: Machine IP
machine_os_type: 1
machine_screenshot: Screenshot, encoded in Base64
machine_shooping_activity: Number of times the user visited shopping sites

The RAT sends the collected data to a command-and-control server as shown below. After getting an "ok" response from the server, Saefko starts the "StartServices" function, which has four different modules:

HTTPClinet
IRCHelper
KEYLogger
StartLocalServices (USB spreading)

HTTP Clinet (a misspelling of HTTP Client by the author)

The RAT sends a request to the server asking for a new task. It sends the command “UpdateAndGetTask” along with other information, including machine_ID, machine_os, and privateip, as shown below. The task is a URL from which the malware downloads a new payload and executes it on the infected machine.
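The victim-triage step described above (count history entries per category, then rank infected hosts) can be reproduced offline. The following Python is an added example written for this page, not code from Saefko or from Zscaler. It uses a constructed subset of the category lists and a constructed browser history; the field names are the ones Saefko reports. One deliberate difference from a naive substring check is how an entry is matched: a bare host such as paypal.com matches that host or any subdomain of it but not a lookalike like notpaypal.com, and an entry with a path such as apple.com/apple-pay/ requires both host and path prefix to match. The ranking weights in rank_victims are an assumption; the page only says the counts are used to pick targets.

```python
from urllib.parse import urlsplit

# Constructed subset of the category lists from the text above, keyed by the
# field name Saefko reports for that category.
# Entries carrying a path, such as "apple.com/apple-pay/", must match on both
# host and path prefix; bare hosts match the host and any subdomain of it.
CATEGORIES = {
    "machine_creadit_card_posiblty": [
        "paypal.com", "stripe.com", "pay.amazon.com",
        "apple.com/apple-pay/", "pay.google.com/send/home",
    ],
    "machine_gaming_value": ["steampowered.com", "twitch.tv", "gog.com"],
    "machine_bitcoin_value": ["coinbase.com", "binance.com", "reddit.com/r/Bitcoin/"],
    "machine_facebook_activity": ["facebook.com", "m.facebook.com"],
    "machine_gmail_avtivity": ["gmail.com", "mail.google.com"],
    # The page's shopping list really does include mail.google.com.
    "machine_shooping_activity": ["amazon.com", "ebay.com", "mail.google.com"],
    "machine_business_value": ["linkedin.com", "wsj.com"],
}

# Constructed browser history for one hypothetical victim.
SAMPLE_HISTORY = [
    "https://www.paypal.com/signin",
    "https://store.steampowered.com/app/1",
    "https://www.coinbase.com/",
    "https://m.facebook.com/home",
    "https://mail.google.com/mail/u/0/",
    "https://www.amazon.com/dp/x",
    "https://apple.com/itunes",      # right host, wrong path: no match
    "https://notpaypal.com/",        # lookalike host: no match
]


def _split_entry(entry):
    host, sep, path = entry.partition("/")
    return host.lower(), ("/" + path) if sep else ""


def url_matches(url, entry):
    """True when url's host is entry's host (or a subdomain of it) and
    url's path starts with entry's path, if entry has one."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    e_host, e_path = _split_entry(entry)
    if not (host == e_host or host.endswith("." + e_host)):
        return False
    return parts.path.startswith(e_path) if e_path else True


def score_history(urls):
    """Count, per category, the history entries that hit at least one list entry."""
    counts = {name: 0 for name in CATEGORIES}
    for url in urls:
        for name, entries in CATEGORIES.items():
            if any(url_matches(url, e) for e in entries):
                counts[name] += 1
    return counts


def rank_victims(histories):
    """Order machine IDs by payment, crypto and business counts (assumed weighting)."""
    def key(item):
        c = score_history(item[1])
        return (c["machine_creadit_card_posiblty"], c["machine_bitcoin_value"],
                c["machine_business_value"])
    return [machine_id for machine_id, _ in sorted(histories.items(), key=key, reverse=True)]


if __name__ == "__main__":
    for field, count in score_history(SAMPLE_HISTORY).items():
        print(f"{field}: {count}")
    print(rank_victims({"A": SAMPLE_HISTORY, "B": ["https://www.wsj.com/"]}))
```

On the constructed history the shopping count comes out at 2 and the Gmail count at 1, because mail.google.com appears in both lists; that overlap is inherited from the malware's own category tables, not introduced here.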
Key Logger

The malware uses the SetWindowsHookEx API to capture keystrokes. It stores the captured keystrokes in a “log.txt” file at “\%AppData%\Local\log.txt”.

IRC Helper

First, the malware disconnects the current IRC connection. Then it sends status information to the C&C as shown below:

pass: password
command: UpdateHTTPIRCStatus
machine_id: unique ID sent by the C&C in an earlier request
irc_status: 1

Next, the malware fetches:

Server list: it selects a server from the list below.
Port: port
Nickname: a randomly generated 7-character name

List of IRC servers and ports (server, port):

irc.afterx.net 6667
irc.cyanide-x.net 6667
chat.freenode.net 6667
irc.europnet.org 6667
irc.azzurra.org 6669
irc.rizon.net 6669
irc.dal.net 6667
irc.efnet.org 6667
irc.gamesurge.net 6667
open.ircnet.net 6669
irc.quakenet.org 6667
irc.swiftirc.net 6667
eu.undernet.org 6667
irc.webchat.org 7000
irc.2600.net 6667
irc.abjects.net 6669
irc.accessirc.net 6667
irc.afternet.org 6667
irc.data.lt 6667
irc.allnetwork.org 6667
irc.alphachat.net 6667
irc.austnet.org 6667
irc.axenet.org 6667
irc.ayochat.or.id 6667
irc.beyondirc.net 6669
irc.blitzed.org 6667
irc.bongster.org 6669
irc.caelestia.net 6667
irc.canternet.org 6667
irc.chatall.org 6669
irc.chatcafe.net 6667
irc.chatspike.net 6667
irc.chatzona.org 6667
irc.criten.net 6667
irc.cyberarmy.net 6667
irc.d-t-net.de 6667
irc.darkmyst.org 6667
irc.deepspace.org 6667
irc.dream-irc.de 6667
irc.drlnet.com 6667
irc.dynastynet.net 6667
irc.echo.com 6667
irc.ecnet.org 6667
irc.enterthegame.com 6667
irc.epiknet.org 6667
irc.esper.net 6667
irc.euirc.net 6669
irc.evolu.net 6667
irc.explosionirc.net 6667
irc.fdfnet.net 6668
irc.fef.net 6667

Saefko connects to one of these servers and waits for a response. In the response, it looks for the “T_T” string and uses it to separate messages. Below is the list of IRC functions that the RAT can perform.
According to the command it receives, Saefko responds with the corresponding data.

List of IRC Commands (command: description):

dexe: Download a file from a given URL and execute it
hdexe: Download a file from a given URL and execute it (UseShellExecute = false)
vistpage: Open URL
hvistpage: Open URL (UseShellExecute = false)
snapshot: Captures a video frame, converts it into Base64, and sends it to the C&C (detailed below); also replies “.oksnapshot”
shell: Executes a command using cmd.exe
tcp: Makes a TCP connection using a given IP and port
identify: Sends system information: OS type (Microsoft Windows), OS version, OS username, OS machine name, OS system directory
opencd: Opens the CD-ROM drive (command: set CDAudio door open)
closecd: Closes the CD-ROM drive (command: set CDAudio door closed)
screenshot: Captures a screenshot, encodes it into Base64, and sends it to the C&C
ping: Replies “okping”
camlist: Gets the video devices from the system and sends the information to the C&C (detailed below)
pwd: Current directory
location: Gets the system location using “https://ipinfo.io/geo”: IP, city, region, country, latitude, and longitude
keylogs: Encodes the keylog file (log.txt) using Base64 and sends it to the C&C
uninstall: Deletes the autostart registry key (Run) and terminates itself

Camlist

Saefko also searches the system for the following libraries:

AForge.dll
AForge.Video.DirectShow.dll
AForge.Video.dll
Sqlite3.dll

If these files are not present, the malware sends a request to the C&C to download them. Next, it enumerates the video input devices on the targeted system and sends the related information to the C&C.

Snapshot

Saefko also captures video from a device present on the system, encodes the video frame with Base64, and sends it to the C&C.

Start USB Service

Saefko checks whether the drive type is either removable or network, after which it starts the infection and copies the files below onto the removable drive.
Sas.exe
USBStart.exe
usbspread.vbs

Sas.exe is a copy of the malware itself. USBStart.exe is fetched from the resource section of the main binary and contains code to execute Sas.exe. The malware creates a usbspread.vbs file and then executes it. The script walks every directory and file on the drive and creates a “.lnk” file for each file and directory whose target path is the USBStart.exe file. When the removable device is plugged into another system, the user is tricked into clicking a .lnk file, because the real files and folders are hidden. The .lnk file executes USBStart.exe, which in turn executes Sas.exe, the main payload. In this way it spreads to other systems. Below is the code of the usbspread.vbs file:

One online forum has an ad for a cracked Saefko RAT tool, as shown below. It is advertised as a multi-protocol, multi-operating-system remote administration tool that can be used to launch the malware on Windows and Android devices.

Conclusion

To protect systems from RATs, users must refrain from downloading programs or opening attachments that aren't from a trusted source. At the administrative level, it's always a good idea to block unused ports, turn off unused services, and monitor outgoing traffic. Attackers are often careful to prevent the malware from doing too much activity at once, which would slow down the system and possibly attract the attention of the user and IT. The Zscaler ThreatLabZ team continues to monitor this threat and others to ensure that Zscaler customers are protected.
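The USB spreading pattern above leaves a recognisable footprint on the drive: the three dropped files, plus a visible .lnk decoy beside every hidden original. The following Python is an added example for this page, not code from Saefko, Zscaler, or the usbspread.vbs script, that looks for that footprint. It works on a constructed listing of a drive root so it runs offline; list_drive_root reads a real drive into the same shape (hidden means the Windows hidden attribute, or a dot-prefixed name elsewhere). The shortcut naming "<original name>.lnk" is an assumption; the page says only that one .lnk is created per file and directory and that the originals are hidden.

```python
import os
from dataclasses import dataclass

# File names the page says Saefko drops on a removable drive.
SPREADER_FILES = {"sas.exe", "usbstart.exe", "usbspread.vbs"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows st_file_attributes bit


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    hidden: bool


# Constructed listing of an infected drive root. The "<original name>.lnk"
# naming is an assumption (see lead-in).
SAMPLE_DRIVE = [
    Entry("Sas.exe", False, True),
    Entry("USBStart.exe", False, True),
    Entry("usbspread.vbs", False, True),
    Entry("Photos", True, True),
    Entry("Photos.lnk", False, False),
    Entry("report.docx", False, True),
    Entry("report.docx.lnk", False, False),
    Entry("README.txt", False, False),
]


def find_lnk_decoys(entries):
    """Return .lnk names that sit next to a hidden file or directory of the same base name."""
    by_name = {e.name.lower(): e for e in entries}
    decoys = []
    for e in entries:
        if e.is_dir or not e.name.lower().endswith(".lnk"):
            continue
        twin = by_name.get(e.name[:-4].lower())  # strip ".lnk"
        if twin is not None and twin.hidden:
            decoys.append(e.name)
    return sorted(decoys)


def assess_drive(entries):
    """Combine the dropped-file and decoy-shortcut signals into a verdict."""
    names = {e.name.lower() for e in entries}
    dropped = sorted(SPREADER_FILES & names)
    decoys = find_lnk_decoys(entries)
    if dropped and decoys:
        verdict = "infected"
    elif dropped or decoys:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "dropped": dropped, "decoys": decoys}


def list_drive_root(path):
    """Read a real drive root into Entry objects (hidden = attribute bit on Windows, dotfile elsewhere)."""
    entries = []
    with os.scandir(path) as it:
        for d in it:
            attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
            hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN) or d.name.startswith(".")
            entries.append(Entry(d.name, d.is_dir(follow_symlinks=False), hidden))
    return entries


if __name__ == "__main__":
    print(assess_drive(SAMPLE_DRIVE))
```

A .lnk beside a hidden twin is treated as a stronger signal than the dropped names alone, because the names are trivially changed between builds while the decoy layout is what makes the lure work. The check does not parse the .lnk target; confirming that each shortcut points at USBStart.exe is the natural next step once a drive is flagged.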
IOCs

MD5:
D9B0ECCCA3AF50E9309489848EB59924
C4825334DA8AA7EA9E81B6CE18F9C15F
952572F16A955745A50AAF703C30437C
4F2607FAEC3CB30DC8C476C7029F9046
7CCCB06681E7D62B2315761DBE3C81F9
5B516EAB606DC3CC35B0494643129058

Downloader URLs:
industry.aeconex[.]com/receipt-inv.zip
3.121.182[.]157/dwd/explorer.exe
3.121.182[.]157/dwd/vmp.exe
deqwrqwer.kl[.]com.ua/ex/explorer.exe
maprivate[.]date/dhl-miss%20craciun%20ana%20maria%20#bw20feb19.zip

Network URLs:
acpananma[.]com/love/server.php
3.121.182[.]157/smth/server.php
f0278951.xsph[.]ru/server.php
maprivate[.]date/server.php

UC Browser app abuses may have exposed 500 million users
Source:  Zscaler Research
Tuesday, 13 August 2019 19:47

Recently, when examining the Zscaler cloud for unusual activity, ThreatLabZ researchers found some questionable hits in relation to a particular domain: 9appsdownloading[.]com. Upon analysis, we found these requests being made from a popular browser that's available on Google Play and has more than 500 million downloads to date: the UC Browser app.

Fig. 1: UC Browser on Google Play

As we began to analyze the UC Browser app, we found that the requests were being made to download an additional Android Package Kit (APK) over an unsecured channel (plain HTTP instead of HTTPS). Downloading and/or updating components from a third-party source violates Google Play policy, which states: “An app may not download executable code (e.g., dex, JAR, .so files) from a source other than Google Play.” We decided to explore the UC Browser app further and found the following issues, which are discussed in detail in this blog:

Downloading an additional APK from a third party, in violation of Google Play policy
Communication over an unsecured channel, opening the door to man-in-the-middle attacks
Dropping an APK on external storage (/storage/emulated/0), allowing other apps with the appropriate permissions to tamper with the APK

We found another app called UC Browser Mini from the same developer with the same functionality and issues; it dropped the same additional APK from a remote server. The screenshot below shows UC Mini on Google Play.

Fig. 2: UC Browser Mini (UC Mini)

It is important to note that these issues have the potential to affect millions of Android users, because the UC Browser app has been downloaded 500 million+ times and UC Mini has been downloaded 100 million+ times. The ThreatLabZ team has been in contact with Google, whose teams are investigating the apps.

Timeline:
August 13, 2019: Zscaler reported the policy violation to Google.
August 13, 2019: Google promptly responded. Case assigned to an investigation team.
August 13 – September 25, 2019: Follow-up emails with research details.
September 27, 2019: Google confirmed the policy violation by UC Browser and UC Mini. Google contacted the UC developers to update the apps and remediate the policy violation.

Update: After Google's intervention, the Zscaler research team noticed that the latest versions of both apps, UC Browser and UC Mini, have stopped downloading the third-party app store.

Technical Details of UC Browser

Name: UC Browser
Package Name: com.UCMobile.intl
Installs: 500,000,000+ (500M+)
Developer: UCWeb Singapore Pte. Ltd.

1. Downloading an APK from a third party

Having identified the UC Browser app as the main culprit, we decided to dig deeper into our analysis of the app. As soon as the app is installed, it displays basic activities (Android screens) to set up the default language, topics of interest, location, and so on.

Fig. 3: UC Browser app icon and initial Android activity

After some initial requests for news and notifications, the app sends multiple requests with redirections and finally drops an APK onto the user's device. The screenshot below illustrates the chain of requests and redirects taking place:

Fig. 4: Unsecured requests for APK download

This functionality of dropping another APK from a third-party source clearly violates Google Play's policy, which includes the following: “An app distributed via Google Play may not modify, replace, or update itself using any method other than Google Play's update mechanism. Likewise, an app may not download executable code (e.g., dex, JAR, .so files) from a source other than Google Play. This restriction does not apply to code that runs in a virtual machine and has limited access to Android APIs (such as JavaScript in a webview or browser).”

During our analysis, we found the APK being dropped on external storage, but we did not find the APK being installed.
It is possible that this functionality is still under development, or there may be other reasons it wasn't installed, such as an exception, the unknown-sources option being disabled, or a rooted device.

2. Communication over an unsecured channel

The APK was downloaded over an unsecured channel (plain HTTP instead of HTTPS), opening the possibility of man-in-the-middle (MiTM) attacks. In our research, we came across a recent Dr. Web blog post that talks about similar issues they saw with UC Browser downloading and installing libraries from remote servers. In that case, the libraries were downloaded over HTTP; in our case, we saw a completely new APK being dropped (this APK is also analyzed in the latter part of this blog). The consequences of downloading and installing components over unsecured channels were well addressed in the Dr. Web blog, along with the MiTM vulnerability, so we will not address those issues further.

We noticed that the app analyzed by Dr. Web researchers had the same icon as our sample, but a different full name and a different developer. The screenshots below show the Dr. Web sample (left) compared to the Zscaler sample (right):

Fig. 5: UC Browser app samples: Dr. Web (left) and Zscaler (right)

It could be that the same app had been uploaded again to Google Play under a different name and developer, along with modified or enhanced code to download additional APKs.

3. Dropping an APK on external storage

We also noticed that the additional APK dropped by this app is stored on external storage, which is world-readable by default. The screenshot below shows the location of the dropped APK:

Fig. 6: Dropped APK storage location

Because the APK is placed on external storage, any other app holding the storage permission (android.permission.READ_EXTERNAL_STORAGE / WRITE_EXTERNAL_STORAGE) can access this location and tamper with the downloaded APK before it is used.
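The three findings above (non-Play code download, plaintext hops in the redirect chain, and a drop location other apps can write to) can be checked mechanically from a proxy log. The following Python is an added example written for this page, not code from Zscaler or from UC Browser. It walks a constructed redirect chain, decides whether the final hop is executable code (by the APK MIME type or the extensions named in the quoted policy), and records every hop that used plain HTTP, since a MiTM on any redirect in the chain can rewrite the destination even if the final download happened to be over HTTPS. The hostnames in the sample log are invented placeholders, not the real 9appsdownloading[.]com chain.

```python
from urllib.parse import urlsplit

APK_MIME = "application/vnd.android.package-archive"
# Code types named in the Google Play policy quoted above, plus the APK itself.
EXECUTABLE_EXTS = (".apk", ".dex", ".jar", ".so")
# Android shared (external) storage roots; anything here is readable by other apps.
SHARED_STORAGE_PREFIXES = ("/storage/emulated/0", "/sdcard")

# Constructed proxy log; hosts are invented placeholders for this example.
SAMPLE_LOG = [
    {"url": "https://api.example-browser.test/config", "status": 302,
     "location": "http://dl.example-browser.test/go?id=1", "content_type": "text/html"},
    {"url": "http://dl.example-browser.test/go?id=1", "status": 302,
     "location": "http://cdn.example-store.test/9apps.apk", "content_type": "text/html"},
    {"url": "http://cdn.example-store.test/9apps.apk", "status": 200,
     "content_type": APK_MIME},
    {"url": "https://news.example-browser.test/feed.json", "status": 200,
     "content_type": "application/json"},
]


def is_executable_download(url, content_type):
    """True if the response is code by MIME type or by the file extension in the path."""
    mime = content_type.split(";")[0].strip().lower()
    return mime == APK_MIME or urlsplit(url).path.lower().endswith(EXECUTABLE_EXTS)


def on_shared_storage(path):
    """True if the drop path is on Android external storage."""
    return path.startswith(SHARED_STORAGE_PREFIXES)


def follow_chain(log, start_url, max_hops=10):
    """Walk 3xx Location headers from start_url through the captured log and return the hops."""
    by_url = {rec["url"]: rec for rec in log}
    hops, url = [], start_url
    while url in by_url and len(hops) < max_hops:
        rec = by_url[url]
        hops.append(rec)
        if 300 <= rec["status"] < 400 and rec.get("location"):
            url = rec["location"]
        else:
            break
    return hops


def audit_chain(log, start_url, drop_path=None):
    """Flag a chain that ends in a code download, noting plaintext hops and a tamperable drop location."""
    hops = follow_chain(log, start_url)
    if not hops:
        return None
    final = hops[-1]
    executable = is_executable_download(final["url"], final.get("content_type", ""))
    plaintext = [h["url"] for h in hops if urlsplit(h["url"]).scheme == "http"]
    return {
        "final_url": final["url"],
        "executable": executable,
        "plaintext_hops": plaintext,
        "policy_violation": executable,
        "mitm_exposed": executable and bool(plaintext),
        "tamperable_on_disk": executable and drop_path is not None and on_shared_storage(drop_path),
    }


if __name__ == "__main__":
    print(audit_chain(SAMPLE_LOG, "https://api.example-browser.test/config",
                      drop_path="/storage/emulated/0/Download/9apps.apk"))
```

The chain is keyed by exact URL, so a log with query-string noise needs normalising first; the point the example makes is that the first request in the chain looked harmless (HTTPS, HTML), and only following the redirects reveals the plaintext APK fetch.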
Analysis of the dropped APK

During our analysis, we noted that UC Browser was dropping the APK but not installing it. It is unclear whether this is because the functionality is still under development or for some other reason. But we did want to find out what the APK contained, so we manually installed it and had a look inside. To our surprise, we found that the APK was actually a third-party app store named “9 Apps”, with the package name com.mobile.indiapp.

Fig. 7: 9Apps app install process

After installation, the app scans the device for installed apps. The app's scanning and further activities can be seen in the screenshots below:

Fig. 8: 9Apps initial activities

We also saw several adult apps available for download in this third-party app store. These apps can be seen in the screenshot below:

Fig. 9: Adult apps on 9Apps store

We tried downloading a small app from the 9Apps store and, to our surprise, the app was downloaded from 9appsdownloading[.]com. This is the same domain we mentioned at the beginning of this blog. The screenshot below shows the functionality in action:

Fig. 10: Sample APK download requests

Further scrutiny of Zscaler cloud traffic showed multiple requests for APK downloads from this 9appsdownloading[.]com domain. Within the last month, we found 130+ such requests. The hits can be seen in the Zscaler cloud dashboard:

Fig. 11: Zscaler dashboard showing the domain's activity

Conclusion

The tactics used by UC Browser and UC Mini violate Google Play security policies and make it possible for any malicious app to gain entry into a user's device. While 9Apps, an app store for Android apps, is not a malicious site, we searched the domain on VirusTotal, which showed a number of detections:

Fig. 12: VirusTotal search for the domain

It is too early to determine exactly what the UC Browser developers intended with their third-party APK, but it is clear that they are putting users at risk. And with more than 500 million downloads of UC Browser, that is a significant threat. Because UC Browser downloads an unknown third-party app to devices over unsecured channels, those devices can fall victim to man-in-the-middle (MiTM) attacks. Using MiTM, attackers can spy on the device and intercept or change its communications. The UC Browser app's use of unsecured channels also allows attackers to install an arbitrary payload on a device that can perform a variety of activities, such as displaying phishing messages designed to steal personal data, including usernames, passwords, and credit card numbers. Once a user device has been compromised, and that compromised device connects back at the office, attackers have the ability to establish a foothold in your network, so they can snoop, spread malware, or steal data.

Abusing Microsoft’s Azure domains to host phishing attacks
Source:  Zscaler Research
Wednesday, 03 July 2019 18:27

Recently, the Zscaler ThreatLabZ team came across various phishing attacks leveraging Microsoft Azure-hosted domains (windows.net static website and blob endpoints). These sites are served under a Microsoft-issued SSL certificate, so they are unlikely to raise suspicion about their authenticity. We notified Microsoft, who quickly engaged to shut these sites down, while we took action to detect and block 2,000 phishing attempts from these domains over a six-week period. In this blog, we describe two of the prominent vectors used and show several examples of the phishing pages.

The following figure depicts the phishing hits that were hosted using the Azure domain (windows.net) and blocked by the Zscaler cloud.

Fig 1: Phishing hits using the Azure domains web.core.windows.net (green) and blob.core.windows.net (orange)

The following is the Whois lookup information for the windows.net domain.

Fig 2: Whois lookup info for the windows.net domain

For these phishing campaigns, the delivery vector was spam email.

CASE 1:

In this case, the attacker sends the user a spam email appearing to come from a particular organization, notifying the user that seven emails have been quarantined. It states that in order to review the emails, the user has to log in using their work or school account.

Fig 3: Spam email with direct phishing link

If the user clicks the "view emails" button, it redirects to the Outlook login phishing page (hxxps://onemailofice365(.)z13(.)web(.)core(.)windows(.)net/index(.)html).

Fig 4: Outlook login phishing page

Some users may be wary of the unfamiliar URL hosting the Outlook login page. To reassure those users, the attackers rely on the SSL certificate issued by Microsoft for the windows.net hosting domain, as shown below.

Fig 5: SSL certificate page of the hosted phishing URL

The following figure depicts the source code of the phishing page, which the attackers use to collect users' data.
Fig 6: Source code of the phishing URL page

Once the user enters login information, the form posts the user's credential details to a compromised domain operated by the cybercriminals.

Fig 7: Captured data traffic that has been sent to the attacker's site

CASE 2:

In this method, attackers send a spam email with an attached HTML file that looks like a voice message. Once the user opens the HTML file, it redirects to the phishing page hosted on the Azure domain.

Fig 8: Spam mail with double-extension method

Fig 9: Outlook login phishing page redirected from voice message

In this phishing campaign, the attackers have injected obfuscated JavaScript that checks the submitted credentials against those already present in their database, to avoid duplicates.

Fig 10: Obfuscated JavaScript to validate user credentials to avoid duplication

The following figure depicts the deobfuscated JavaScript. This code validates the user's credential details and sends them to the attacker's server (hxxps://validr2vtap2l3eh544kb(.)azurewebsites(.)net/v20(.)php).

Fig 11: Deobfuscated JavaScript

Fig 12: User data is sent to the attacker's site using the function getValidatorURL()

In addition to the Outlook phishing campaigns, we have seen other phishing campaigns associated with these Azure domains: Microsoft phishing, OneDrive phishing, Adobe Document phishing, Blockchain phishing, and more. The following figures show the different phishing campaigns hosted using the Azure domain (windows.net).

Fig 13: Microsoft login phishing page

Fig 14: Adobe login phishing page

Fig 15: Blockchain login phishing page

Fig 16: OneDrive login phishing page

Conclusion

The Zscaler cloud blocked more than 2,000 phishing attacks over six weeks that were hosted using the Azure domain (windows.net). The following diagram represents the various kinds of phishing campaigns that were blocked by the Zscaler cloud.
Fig 17: Detected phishing hits

Fig 18: The Zscaler Zulu URL Risk Analyzer score for one of the phishing URLs

IOCs

039282fsd(.)z19(.)web(.)core(.)windows(.)net
3652adua38ea(.)z5(.)web(.)core(.)windows(.)net
378468459jjn(.)z19(.)web(.)core(.)windows(.)net
623623626638885047749469(.)z19(.)web(.)core(.)windows(.)net
86hoi2a8j592hf2(.)z14(.)web(.)core(.)windows(.)net
accounhostoutlook(.)z35(.)web(.)core(.)windows(.)net
accountsupdate(.)z22(.)web(.)core(.)windows(.)net
adobe111(.)z19(.)web(.)core(.)windows(.)net
appriver(.)z19(.)web(.)core(.)windows(.)net
azaman(.)blob(.)core(.)windows(.)net
bchwalletblockchain(.)z13(.)web(.)core(.)windows(.)net
bitcoinwalletrecovery(.)z13(.)web(.)core(.)windows(.)net
blockchainofficesupport(.)z13(.)web(.)core(.)windows(.)net
blockchainrecoverywalet(.)z13(.)web(.)core(.)windows(.)net
blockchaintradindinvest(.)z13(.)web(.)core(.)windows(.)net
businessdrivefilesharing(.)z33(.)web(.)core(.)windows(.)net
dlgeus(.)blob(.)core(.)windows(.)net
dlgneu(.)blob(.)core(.)windows(.)net
dlgweu(.)blob(.)core(.)windows(.)net
driveoffice-secondary(.)z13(.)web(.)core(.)windows(.)net
eastexch030serverdatanet(.)z13(.)web(.)core(.)windows(.)net
edustudioapp(.)z19(.)web(.)core(.)windows(.)net
exchangeonline80293745(.)z27(.)web(.)core(.)windows(.)net
finance51(.)z13(.)web(.)core(.)windows(.)net
fukshawefwe22(.)blob(.)core(.)windows(.)net
fundingmessan(.)z13(.)web(.)core(.)windows(.)net
gry1asdqw1(.)blob(.)core(.)windows(.)net
h0vbkkkeebweybv(.)z33(.)web(.)core(.)windows(.)net
hgnghhghkkdkdh(.)z13(.)web(.)core(.)windows(.)net
hp94549754083400j9302975(.)z21(.)web(.)core(.)windows(.)net
hsdv(.)blob(.)core(.)windows(.)net
linknec39cclzg5l591f(.)z19(.)web(.)core(.)windows(.)net
linkp4klg1qkni76yoz8(.)z19(.)web(.)core(.)windows(.)net
lpdmsonline(.)blob(.)core(.)windows(.)net
macrofinancesoftonline(.)z14(.)web(.)core(.)windows(.)net
macrosoft0nlineoffice365(.)z13(.)web(.)core(.)windows(.)net
mailingofficeupdate(.)z14(.)web(.)core(.)windows(.)net
mailofficemicr0softvalid(.)z35(.)web(.)core(.)windows(.)net
mailofficesecurity(.)z13(.)web(.)core(.)windows(.)net
mailofficeveridiers(.)z33(.)web(.)core(.)windows(.)net
mailoutlookmcrosoftupdat(.)z11(.)web(.)core(.)windows(.)net
mailoutnewsecurity(.)z14(.)web(.)core(.)windows(.)net
mak17opa54vjxu8(.)z7(.)web(.)core(.)windows(.)net
mdj34598720843(.)z10(.)web(.)core(.)windows(.)net
microexchyz42nhszseheys(.)z13(.)web(.)core(.)windows(.)net
micromuze3rlokoyg(.)z14(.)web(.)core(.)windows(.)net
microrel00ukelukleqwkoxl(.)z13(.)web(.)core(.)windows(.)net
microsofbt50xjotm45wm7al(.)z11(.)web(.)core(.)windows(.)net
microsofd8f82gtrjyaajnsj(.)z11(.)web(.)core(.)windows(.)net
microsofdi3o152rpnnt2zr8(.)z11(.)web(.)core(.)windows(.)net
microsoffn4xwr5df3emnh1m(.)z11(.)web(.)core(.)windows(.)net
microsofn642b7o2un27wptm(.)z13(.)web(.)core(.)windows(.)net
microsofq2622c5r3wpfsdnp(.)z11(.)web(.)core(.)windows(.)net
microsofzwafvh6bisrici50(.)z11(.)web(.)core(.)windows(.)net
offic664ghdtsgdyddux(.)z13(.)web(.)core(.)windows(.)net
officcee(.)z13(.)web(.)core(.)windows(.)net
office365user37773773673(.)z19(.)web(.)core(.)windows(.)net
officedelist(.)z13(.)web(.)core(.)windows(.)net
officefiledata(.)z13(.)web(.)core(.)windows(.)net
onemailofice365(.)z13(.)web(.)core(.)windows(.)net
outlookloffice365user23k-secondary(.)z14(.)web(.)core(.)windows(.)net
outlookloffice365user25u-secondary(.)z33(.)web(.)core(.)windows(.)net
outlookloffice365user65t-secondary(.)z6(.)web(.)core(.)windows(.)net
outlookloffice365user65t(.)z6(.)web(.)core(.)windows(.)net
outlookloffice365userl6m(.)z13(.)web(.)core(.)windows(.)net
outlookofficecom(.)z33(.)web(.)core(.)windows(.)net
outlookproctionmail(.)z9(.)web(.)core(.)windows(.)net
outwebsignin2094598209(.)z21(.)web(.)core(.)windows(.)net
parmalat7(.)blob(.)core(.)windows(.)net
pjkiojxyfngsss(.)z13(.)web(.)core(.)windows(.)net
pssastd(.)blob(.)core(.)windows(.)net
rel00ukelukleqwkoxl(.)z6(.)web(.)core(.)windows(.)net
sams2948818388301(.)z13(.)web(.)core(.)windows(.)net
secureofficeportal(.)z19(.)web(.)core(.)windows(.)net
sharepo7(.)z22(.)web(.)core(.)windows(.)net
sharepointewk8xpzoywq7j(.)z19(.)web(.)core(.)windows(.)net
supportoffices365(.)z33(.)web(.)core(.)windows(.)net
thursday(.)z19(.)web(.)core(.)windows(.)net
ttsokaejqumuamreio(.)z6(.)web(.)core(.)windows(.)net
under12(.)z19(.)web(.)core(.)windows(.)net
user111777999973sdxc(.)z11(.)web(.)core(.)windows(.)net
user37377377733(.)z22(.)web(.)core(.)windows(.)net
user7779793e792782(.)z14(.)web(.)core(.)windows(.)net
user8877773737(.)z11(.)web(.)core(.)windows(.)net
usernamewebmailsingin(.)z14(.)web(.)core(.)windows(.)net
v83oybtn5zp5mmz(.)z14(.)web(.)core(.)windows(.)net
validatnec39cclzg5l591f(.)z19(.)web(.)core(.)windows(.)net
voice88(.)z19(.)web(.)core(.)windows(.)net
voicserel00ukeluklwkoxl(.)z13(.)web(.)core(.)windows(.)net
webusermicr0softtonlinee(.)z33(.)web(.)core(.)windows(.)net
were12(.)z19(.)web(.)core(.)windows(.)net
weree(.)z6(.)web(.)core(.)windows(.)net
wimdowoutlkjxjy0846335f(.)z13(.)web(.)core(.)windows(.)net
yamma(.)z13(.)web(.)core(.)windows(.)net
zebra11(.)z19(.)web(.)core(.)windows(.)net
fiattt(.)blob(.)core(.)windows(.)net
funksha1(.)blob(.)core(.)windows(.)net

Magecart activity and campaign enhancements
Source:  Zscaler Research
Thursday, 27 June 2019 01:54

Magecart is a hacker group known for skimming credit or debit card details by injecting malicious JavaScript code into e-commerce sites. Back in September 2018, the Zscaler ThreatLabZ research team published a blog on Magecart activity that analyzed its attack methods and evasion tactics. We are now following up on that blog to report on recent activity we've seen and some enhancements in the campaign.

Magecart attack chain

In the recent campaign, we noticed a change in the attack chain. One example is the use of heavily obfuscated JavaScript with encrypted data. Also, in some cases, the malicious JavaScript code is now being injected directly into the compromised e-commerce sites, whereas in earlier attacks the malicious code was loaded from an attacker-controlled remote host.

Fig 1: Hits of compromised websites in the last three months

1. Injecting heavily obfuscated malicious JavaScript dynamically

The credit card stealer JavaScript payload below is loaded dynamically when the victim presses the checkout button after loading the cart.

Fig 2: Heavily obfuscated malicious JavaScript code injected on the checkout page

The ThreatLabZ team's smart crawler with heuristic detection shows that various JavaScript functions are obfuscated in the payload.

Fig 3: Crawler's heuristic detection

Fig 4: Malicious script after three levels of deobfuscation by the crawler.

Analysis of the skimming toolkit

The malicious script discussed above looks for the keywords "onepage|checkout|onestep|firecheckout" in the URL and, if one is found, injects another script from hxxps://dnsden[.]biz/a.js.

Fig 5: Script injected from hxxps://dnsden[.]biz

The injected obfuscated script hxxps://dnsden[.]biz/a.js contains encrypted data that is decrypted with the RC4 algorithm at runtime.

Fig 6: Use of RC4 algorithm in 'a.js'

After RC4 decryption, the encrypted data in the 'a.js' script injects the main skimming script, which is responsible for extracting the victim's credit card details and sending them back to the attacker.

Encrypted data - w5rDvcOKwrnCnsKYcWHCgAcaUsOFVcOQXnZpw48KfjZ/CMObMMOiwq7Cm1XDvFDCl8KBEsKRE8Oyw6krWcK0wo1Xw7J+w6/DknoJasKVScKZOhzCoRI=
Decrypted data -

The 'universal.js' script is also obfuscated and uses the same encryption scheme as 'a.js'. After decryption, it registers a handler for the form change event and collects all the payment information entered by the victim.

Fig 7: Collecting payment card details

Fig 8: Sends victim's credit card details to C&C

Fig 9: POST request with the stolen credit card details

info=Base64(stolen_data)&hostname=compromised_site&key=random_key

The stolen data includes billing and payment details.

Fig 10: Decoded stolen data

2. Injecting malicious JavaScript directly in the compromised site

Fig 11: Malicious JavaScript code hosted on the compromised e-commerce site is injected

Fig 12: Malicious JavaScript code hosted on a compromised site for skimming payment card details

Analysis of the skimming toolkit

The malicious JavaScript code first checks for two cookies named "$s" and "$sent"; if they are set, their values are decoded and stored in variables. These cookie values are consulted each time payment card details are entered, and they are updated when the details are new.

Fig 13: Getting values from the two cookie names "$s" and "$sent"

To collect payment card details, the script reads the values of all input, select, and textarea elements and performs a basic length check on the card number.

Fig 14: Validating length of payment card details

After validating the card details, the script computes a hash of them and checks whether the same hash is already present in the data retrieved earlier from the "$sent" cookie. If a matching hash is found, the payment details are dropped.

Fig 15: Checking the hash value of card details against data retrieved earlier from the cookie

Each time new payment card details are entered, they are sent to the attacker and their hash is appended to the value of the "$sent" cookie; this cookie value is what the script uses to decide whether the details being entered are new.

Fig 16: Value of the cookie "$sent" stored in the victim's browser

Decoding the Base64-encoded value of the "$sent" cookie yields an array of MD5 hashes of the payment card details. By storing hashes of the card details in a cookie, the attacker avoids sending duplicates: every set of payment details is checked against the cookie value, and only card details not seen before are sent to the attacker. Once these checks pass, the payment card details are encoded and sent to the attacker-controlled site.

Fig 17: GET request with the stolen information

In a similar skimming toolkit, along with the cookie logic discussed above, attackers inject fake payment card fields into the compromised site and hide the legitimate fields once the victim selects credit card as the payment method.

Fig 18: Fake credit card details field and malicious JavaScript file

Fig 19: HTML code for the fake credit card details fields in the malicious script

Fig 20: Malicious script injecting the fake credit card details fields

Fig 21: Above, injected credit card fields; below, legitimate credit card fields

The injected and legitimate credit card fields look similar, but the HTML input attributes (ID and type) differ noticeably. In the injected fields, the card number ID is "_ccnumber" and the type is "text", while in the legitimate form the card number ID is "credit-card-number" and the type is "tel".
IOCs
dnsden[.]biz
jquery-bin[.]com/gate[.]php
lumbertrans[.]com/errors/default/gate[.]php
luxbagsgirl[.]com/errors/default/gate[.]php
jsreload[.]pw/gate[.]php
saterday-race[.]com/gate[.]php
jqueryextd[.]at/gate[.]php
routingzen[.]com/gate[.]php
mz-at-shop[.]de/errors/default/gate[.]php
93[.]187[.]129[.]249/gate[.]php
developer-js[.]info/gate[.]php
google-anaiytic[.]com/fonts[.]googleapis/gate[.]php
magento-analytics[.]com/gate[.]php
gtows[.]com

Compromised sites
shop.triggerbrothers[.]com[.]au
custommagnetsdirect[.]com
lumbertrans[.]com
sunbuggy[.]com
saterday-race[.]com
windblox[.]com
cakedecoratingsolutions[.]com[.]au
network-ed[.]com[.]au
adooq[.]com
mz-at-shop[.]des
reddotarms[.]com
sprucela[.]com/
t[.]cltradingfl[.]com
worldcraftindustries[.]com
reallifecatholic[.]com
wbminternational[.]com
whistlerrides[.]ca/
smartsilk[.]com/
classictruckglass[.]com
oconnellsclothing[.]com/skin/
purefruittechnologies[.]com/
cornerstone-arch[.]com
minitruckusa[.]com
magformers[.]com
ravishingcosmetics[.]com
alamoshoes[.]com/
salonsavings[.]com/
bathroompanelsuperstore[.]com
britishfitness[.]com
bumperworksonline[.]com
niftyconcept[.]com
decorprice[.]com

Conclusion

These new developments in an ongoing campaign illustrate some of the ways that attackers are continuously enhancing their methods for stealing sensitive information like login credentials, bank or payment card details, personally identifiable information, and so on. The Magecart campaign has been active for a long time and continues to evolve and hone its techniques to get better at stealing payment card information and related data. Zscaler ThreatLabZ actively tracks such campaigns and protects customers from these types of attacks.

Felipe, a new infostealer Trojan
Source:  Zscaler Research
Thursday, 13 June 2019 02:36

The Zscaler ThreatLabZ team came across a new strain of infostealer Trojan called Felipe, which silently installs itself on a user's system and connects to a command-and-control (C&C) server to send information from the compromised system. The malware is compiled for both 32-bit and 64-bit Windows operating systems. Felipe steals the victim's debit and credit card information and sends it, along with other personal information, to the remote C&C server. It also sets a date and time at which to perform further malicious activity after it has successfully infected the victim machine.

The files dropped by the malware include:

Win XP:
%UserProfile%\Local Settings\Temp\vshost.exe
%UserProfile%\Local Settings\Temp\explorer32.exe
%UserProfile%\Local Settings\Temp\install2.bat
%UserProfile%\Local Settings\Temp\infect.txt

Win7/Win10:
%UserProfile%\AppData\Local\Temp\vshost.exe
%UserProfile%\AppData\Local\Temp\explorer32.exe
%UserProfile%\AppData\Local\Temp\install2.bat
%UserProfile%\AppData\Local\Temp\infect.txt

The Felipe Trojan enumerates the system and tries to determine whether it has already been infected by checking for the files vshost32.exe and vshost64.exe on the compromised system. The parent file downloads its payloads to %UserProfile%\AppData\Local\Temp\update2804. If this folder already exists, the malware deletes the folder and the files inside it, then creates a new hidden folder with the same name.

Once the update2804 folder is created, the malware downloads its different payloads with a gap of just 50 milliseconds between requests. After downloading the payloads, the malware copies them into a hidden folder under the system temp directory and executes them: first install2.bat, then vshost.exe.

Below is the code of install2.bat:

The batch file makes registry changes that:
Add Run entries for vshost.exe and explorer32.exe to ensure persistence
Disable Windows Defender
Bypass UAC control
Exclude the temp folder path from Windows Defender scanning

vshost.exe checks the victim's bank cards by card length and by the leading digits of the card number:
American Express: number begins with 34 or 37
Visa: card length of 13 or 16 digits
Mastercard: card length of 16 digits
Discover: card length of 16 digits and begins with 6011 or 65

Below is a snapshot of some of these instructions:

The card number is then validated with the mod-10 (Luhn) checksum:
Process the digits from right to left.
Double every second digit, starting with the digit to the left of the check digit.
If doubling yields a two-digit number, add its digits together (for example, 16 becomes 1 + 6 = 7, which is the same as subtracting 9).
The check digit is the 10's complement of the total, modulo 10.
Finally, the checksum digit is verified: the card number is invalid unless the total, check digit included, is a multiple of 10.

Snapshot of the algorithm:

If the system is already infected, the malware looks for the file infect.txt in the temp folder. If it is already there, it sends the data below; otherwise, it sends a request to the C&C to download the file infect.txt. It also sends the victim's system information and writes "infect" into the infect.txt file.

The Felipe Trojan takes a memory dump of processes by walking the address ranges that can hold data. When a process starts, the system allocates memory for its heap, stack, and other regions, but Windows does not hand the process one contiguous block; it allocates whatever free memory is available in the user-mode address range, so the malware has to enumerate the regions. The following APIs are used for the memory dump:

GetSystemInfo()
Retrieves information about the current system in a SYSTEM_INFO structure. This structure also contains two members, lpMinimumApplicationAddress and lpMaximumApplicationAddress, which hold the lowest and highest addresses at which the system can allocate memory for user-mode applications.

VirtualQueryEx()
Returns information about a range of pages in the address space of the specified process in a MEMORY_BASIC_INFORMATION structure; it describes the extent of the memory region that starts at the specified address.

ReadProcessMemory()
Reads a number of bytes starting from a specific address in the target process.

OpenProcess()
Returns a handle to an existing process; the process must be opened before its memory can be queried or read.

WriteProcessMemory()
Writes data to an area of memory in a specified process.

After the memory dump, the malware searches the memory for the bank card the victim used and sends this information to the C&C. Below is a snapshot of it:

Encryption method for sending data to the C&C:

The malware uses the Triple Data Encryption Standard (3DES) algorithm. The first step is a simple wrapper class that encapsulates 3DES and stores the encrypted data as a Base64-encoded string; that wrapper is then used to store private user data in a publicly accessible text file. 3DES is a symmetric cipher, so the same key string passed to the wrapper is needed to decrypt what it produced. Here, the malware uses "L%f@Y7Boolean4%()F$y" as the key. For more info: https://docs.microsoft.com/en-us/dotnet/visual-basic/programming-guide/language-features/strings/walkthrough-encrypting-and-decrypting-strings

Sending data to the C&C:

The malware uses the free "geoPlugin" web service to determine the victim's system and location information. The following fields from the geoPlugin service are used by the malware:
System IP
City
Region code
Country name

Timer Set:

The malware sets a time in the program at which to shut down and restart the system on a specific day. In this example, if the time is between 5:06 a.m. and 6:09 a.m. on Friday, the system is shut down. The shutdown command is:

Interaction.Shell("shutdown /r /t 0", AppWinStyle.MinimizedFocus, false, -1);

Switches:
/r: shut down and then restart the local computer
/t: time, in seconds, between execution of the shutdown command and the actual shutdown or restart
AppWinStyle.MinimizedFocus: starts the program minimized and with focus

After the restart, the malware collects hardware information from the victim's system, including the serial number and the running processes. If the "explorer32.exe" process is not found among the running processes, the malware downloads it from the C&C and executes it from the temp folder to perform further malicious activity. It uses the GetAsyncKeyState() Win32 API to query the state of each key on the keyboard; the return value of GetAsyncKeyState() tells whether the key is up or down at the time the function is called.

Network communication:

Indicators of Compromise:

Filename        MD5
vshost.exe      15CE8F849FFF4CC8675900EC838A93F9
down.exe        61B06E49D514F3DC5BE4F4EF08F6B43C
explorer32.exe  D912771C8CD5720AD835E08EB80A77B6
install2.bat    7D016A3BB29904A6E00161694FC6AB4E

Download URLs:
192.99.215[.]95/uploads
Inmemory[.]tech

Malicious JavaScript injected into WordPress sites using the latest plugin vulnerability
Source:  Zscaler Research
Thursday, 30 May 2019 04:59

WordPress is by far the most popular content management system (CMS) and, because of its wide usage, it is also popular among cybercriminals. Most compromised WordPress sites are the result of attackers exploiting vulnerable versions of the plugins they use.

A stored cross-site scripting (XSS) vulnerability was discovered last week in the popular WordPress Live Chat Support plugin. The vulnerability allows an unauthenticated attacker to update the plugin settings through an unprotected admin_init hook and inject malicious JavaScript code everywhere on the site where Live Chat Support appears. All versions of the plugin prior to 8.0.27 are vulnerable. The fix was released on May 16, 2019, in version 8.0.27, and later versions include it.

ThreatLabZ researchers recently discovered what may be the first campaign in which attackers exploit the Live Chat Support plugin vulnerability to inject a malicious script responsible for malicious redirection, unwanted pop-ups and fake subscriptions. While it is not yet a widespread attack, the number of compromised websites is growing (at the end of this blog there is a link to the names of the compromised sites).

Fig 1: Hits of the compromised WordPress sites

Fig 2: WordPress site using a vulnerable version of the Live Chat Support plugin

Fig 3: Obfuscated script injected in the compromised WordPress site

Fig 4: Deobfuscated version of the injected script

The injected script sends a request to hxxps://blackawardago[.]com to fetch and execute the main script.

Fig 5: Request and response to hxxps://blackawardago[.]com

After the main script executes, the victim is redirected through multiple URLs, mainly ones that push unwanted popup ads and fake error messages.

Fig 6: Highlighted (red) multiple redirected URLs after the execution of the malicious script.

Fig 7: Popups after execution of the malicious script

The domain that hosts the malicious script is newly registered and hosted on a dedicated IP address.

Fig 8: Whois information of the domain

Conclusion

Cybercriminals actively look for new vulnerabilities in popular content management systems such as WordPress and Drupal, as well as in the popular plugins found on many websites. An unpatched vulnerability in either the CMS or an associated plugin gives attackers an entry point to compromise the website by injecting malicious code, affecting the unsuspecting users who visit it. It is critical for website owners using the vulnerable plugin to apply the security update, particularly because this is a pre-auth vulnerability and can lead to widespread compromise. The Zscaler ThreatLabZ team actively tracks and reviews all such malicious campaigns to ensure that our customers are protected.

IOCs
blackawardago[.]com
216[.]10[.]243[.]93

List of compromised sites is available here.
