Kaspersky Securelist

Syndikovat obsah Securelist
Aktualizace: 54 min 59 sek zpět

DDoS attacks in Q2 2021

28 Červenec, 2021 - 12:00

News overview

In terms of big news, Q2 2021 was relatively calm, but not completely eventless. For example, April saw the active distribution of a new DDoS botnet called Simps — the name under which it introduced itself to owners of infected devices. The malware creators promoted their brainchild on a specially set-up YouTube channel and Discord server, where they discussed DDoS attacks. The actual DDoS functionality of Simps is not original: the code overlaps with the Mirai and Gafgyt botnets.

That said, nor does Gafgyt rely on originality: a handful of modules in the new variants (detected by Uptycs) were all borrowed from Mirai, the most widespread botnet. In particular, Gafgyt’s authors copied its implementation of various DDoS methods, such as TCP, UDP and HTTP flooding, as well as its brute-force functionality for hacking IoT devices via the Telnet protocol.

Mirai’s code formed the basis of the ZHtrap botnet, which became known this quarter. This malware is of interest for its use of infected devices as honeypots. ZHtrap first collects the IP addresses of devices that attack the trap, and then attempts to attack these devices itself.

Lately cybercriminals have been actively seeking out new services and protocols for amplifying DDoS attacks. Q2 2021 was no exception: in early July researchers at Netscout reported an increase in attacks using the Session Traversal Utilities for NAT (STUN) protocol. This protocol is used to map internal IP addresses and ports of hosts hidden behind NAT to external ones. Using it, attackers were able to increase the volume of junk traffic by a factor of just 2.32, but in combination with other attack vectors, the DDoS power reached 2TB/s. In addition, hijacking STUN servers to be used as reflectors can disable their main functionality. The organizations that use STUN would be wise to make sure their servers are protected against such attacks. At the time of posting, there were more than 75,000 vulnerable servers worldwide.

Another new DDoS vector has yet to be harnessed by cybercriminals. It is linked to a vulnerability in DNS resolvers that allows amplification attacks on authoritative DNS servers. The bug was named TsuNAME. It works as follows: if a configuration error causes the DNS records of certain domains to point to each other, the resolver will endlessly forward the request from one domain to another, significantly increasing the load on their DNS servers. Such errors can occur by accident: in early 2020, two misconfigured domains caused a 50% increase in the traffic flow on authoritative DNS servers in the NZ domain zone, and a similar incident in a European domain zone led to a tenfold rise in traffic. If an attacker were to create multiple domains pointing to each other, the scale of the problem would be considerably greater.

Attacks on DNS servers are dangerous because all the resources they serve become unavailable, regardless of their size and level of DDoS protection. This is well illustrated by the attack on DNS provider Dyn that downed more than 80 major websites and online services in 2016. To prevent the TsuNAME vulnerability from having the same devastating consequences, the researchers recommend owners of authoritative servers to regularly identify and fix such configuration errors in their domain zone, and owners of DNS resolvers to ensure detection and caching of looped requests.

It was a DNS flood in early April that disrupted the operation of Xbox Live, Microsoft Teams, OneDrive and other Microsoft cloud services. Although the Azure DNS service, which handles the domain names of most of the services, has mechanisms to protect against junk traffic, an unnamed coding error meant it could not cope with the flow of requests. The situation was aggravated by legitimate users trying in vain to access the unresponsive services. However, Microsoft fixed the bug fairly quickly, and the services were soon up and running again.

One other large-scale DDoS attack swept through Belgium, hitting Belnet and other ISPs. Users across the country experienced service interruptions, and websites in the BE domain zone were temporarily unavailable. Junk traffic was sent from IP addresses in 29 countries worldwide, and, as Belnet noted, the attackers kept changing tactics, making the attack extremely difficult to stop. It forced the Belgian parliament to postpone several sessions, while educational institutions had problems with distance learning, and the transport company STIB likewise with the sale of tickets. Online registration systems for COVID-19 vaccinations were also affected.

The council of Grenoble-Alpes Métropole in France also had to suspend a session for several hours. A DDoS attack involving about 60,000 bots made it impossible to broadcast the event live.

Besides Belnet, several other European ISPs were targeted by DDoS attacks. For example, Ireland’s Nova fell victim to cybervillains. No confidential data was affected, a spokesperson said, adding that “we are the latest Irish ISP to be attacked and we won’t be the last, as the criminals cycle through Irish networks one by one.”

That said, there is no need to direct junk traffic at ISPs’ own resources in order to disrupt their networks. For instance, Zzoomm, a British broadband provider, suffered from a DDoS assault on one of its upstream suppliers, which in turn was not the real target: cybercriminals were trying to extort a ransom from one of its customers.

In general, DDoS ransomware attacks continued to gain momentum. A cybercriminal group known for its fondness of masquerading as various APT outfits again made the news, this time under the fictitious moniker Fancy Lazarus, composed of the names of two groups: Lazarus and Fancy Bear. Although cybercriminals attack organizations the world over, the victims of Fancy Lazarus were predominantly in the US, and the size of the ransom was lowered from 10–20 to 2 BTC.

Avaddon ransomware operators also tried to intimidate victims through DDoS attacks. In early May, they flooded the site of Australian company Schepisi Communications with junk traffic. The organization partners Telstra, a major Australian provider, selling SIM cards and cloud services on the latter’s behalf. Later that same month, French insurance company AXA, one of the largest in the field, also fell victim to Avaddon. As in the case of Schepisi Communications, besides encrypting and stealing data from several of its branches, the cybercriminals carried out a DDoS attack on its websites. After a string of devastating attacks in June, the ransomware creators announced its retirement.

In May, the Irish Health Service Executive (HSE) was hit by DDoS. The attacks would have been unremarkable had they not been immediately followed by an invasion of Conti ransomware. Whether these events are related is uncertain, but the ransomwarers could have used DDoS as a cover to penetrate the company’s network and steal data.

Attacks on educational institutions continued in Q2, occurring as they do throughout the school year. For example, malicious actors forced Agawam Public Schools in Massachusetts to shut down their guest network to protect the main network. This meant that Internet access was available only on school-issued devices.

Nor did video games escape attention this reporting period. The Titanfall and Titanfall 2 servers suffered DDoS-related outages in April and May. At least some of these attacks may have targeted specific streamers. To protect against attackers, enthusiasts created a mod that hides players’ names. However, this did not stop the attacks on the game servers. As for the developer, Respawn Entertainment, it took care of DDoS protection, but not in Titanfall, rather in Apex Legends, where the new version, in the event of an attack, chucks everyone out of the game, with compensation for any losses incurred. Back in Titanfall, however, the problem is so acute that a hacktivist player decided to hack Apex Legends to raise awareness of it.

Another hacktivist, after a decade of hiding from the law, was caught in Mexico and deported to the US. Christopher Doyon had been one of the organizers of the 2010 protests against a law banning rough sleeping in Santa Cruz, California. Following the crackdown on the protests, Doyon launched a DDoS attack on the Santa Cruz County website. Having been charged, the hacktivist failed to appear at a court hearing pending trial in 2012. Consequently, he was put on the international wanted list. Now Doyon will finally stand trial on the decade-old charges.

Quarter trends

As expected, Q2 2021 was calm. We recorded a slight fall in the total number of DDoS attacks compared to the previous quarter, which is typical for this period and seen every year, barring the anomalous 2020. This drop we traditionally associate with the start of the vacation period. It tends to continue through Q3, and we expect no change this year.

Comparative number of DDoS attacks, Q1 and Q2 2021, and Q2 2020. Q2 2020 data is taken as 100% (download)

Note the exceptional duration of smart DDoS attacks in the past quarter. This is due to several abnormally long, though not too powerful, attacks on law enforcement resources. We see no correlation between these attacks and any high-profile event. There may be a causal connection somewhere, but since there is no way of knowing, it remains to interpret them as statistical anomalies, which do crop up every so often. With these attacks excluded from the sample, the data on DDoS duration is closer to the norm with different periods fluctuating by no more than 30% relative to each other.

DDoS attack duration, Q1 and Q2 2021, and Q2 2020. Q2 2020 data is taken as 100% (download)

Statistics Methodology

Kaspersky has a long history of combating cyber threats, including DDoS attacks of all types and complexity. The company experts monitor botnets using the Kaspersky DDoS Intelligence system.

As part of the Kaspersky DDoS Protection solution, DDoS Intelligence intercepts and analyzes commands sent to bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q2 2021.

In the context of this report, an incident is counted as a single DDoS attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS victims and C&C servers are determined by their IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary
  • Q2’s leader by number of DDoS attacks is again the US (36%). The share of China (10.28%) continued to fall, while Poland (6.34%) climbed into the TOP 3 most attacked countries.
  • The most DDoS-active day in the quarter was June 2, when we registered 1,164 attacks. On the quietest day, we observed only 60 DDoS attacks.
  • Most DDoS attacks occurred on Tuesdays (15.31%), while the calmest day of the week was Sunday (13.26%).
  • The longest DDoS attack lasted 776 hours (more than 32 days).
  • UDP flooding was used in 60% of DDoS attacks.
  • The country with the most botnet C&C servers was the US (47.95%), while the bulk of bots attacking IoT devices in order to assimilate them were located in China.
DDoS attack geography

In Q2 2021, as in Q1, most DDoS attacks were directed at US-based resources (36%). China (10.28%), the perennial leader until this year, continued to lose ground, shedding another 6.36 p.p. Third place this quarter was taken by a newcomer in the ranking, Poland (6.34%), whose share was up by 4.33 p.p. against the previous reporting period. Canada (5.23%), which rounded out the TOP 3 in Q1, fell to fifth place, despite gaining 0.29 p.p.

In fourth place by number of DDoS attacks in Q2 was Brazil (6.06%), whose share almost doubled. Sixth in the ranking was France (5.23%), behind Canada by a fraction of a fraction. Germany (4.55%) remained in seventh position, while the UK (3.82%) moved into eighth. At the foot of the ranking are the Netherlands (3.33%) and Hong Kong (2.46%), whose shares, like China’s, continued to nosedive.

Distribution of DDoS attacks by country, Q1 and Q2 2021 (download)

A look at the countries with the highest number of unique targets also shows an increase in DDoS activity in Poland (7.44%) and Brazil (6.25%), which ranked second and third, respectively, and a decrease in activity in China (5.99%), which dropped to fourth place. The TOP 10 tends to be pegged to the list of countries with the highest number of DDoS attacks: the US remains in top spot (38.60%), fifth to eighth places belong to France (4.97%), Germany (4.86%), the UK (4.40%) and Canada (4.20%), respectively, followed by the Netherlands (3.40%) and Hong Kong (1.81%).

Distribution of unique DDoS targets by country, Q1 and Q2 2021 (download)

Dynamics of the number of DDoS attacks

As noted above, Q2 turned out relatively calm. On average, the number of DDoS attacks per day fluctuated between 500 and 800. On the quietest day of the reporting period, April 18, we observed only 60 attacks. On two other days, June 24 and 25, the number of attacks fell short of 200. Nevertheless, Q2 had its share of turbulent days with more than 1,000 DDoS attacks. For instance, we observed 1,061 attacks on April 13 and 1,164 on June 2.

Dynamics of the number of DDoS attacks, Q2 2021 (download)

The distribution of DDoS attacks by day of the week in Q2 was, if anything, even more uniform than in Q1: the difference between the busiest and quietest days was only 2.05 p.p. At the same time, activity shifted to the start of the week. The share of Monday through Thursday relative to Q1 increased, while the end of the week, having been the most turbulent in the previous reporting period, grew calmer. We observed the highest number of attacks on Tuesdays (15.31%), while the quietest day this time was Sunday (13.26%).

Distribution of DDoS attacks by day of the week, Q1 and Q2 2021 (download)

Duration and types of DDoS attacks

In Q2, the average DDoS attack duration remained virtually unchanged from the previous reporting period: 3.18 hours versus 3.01 in Q1. What’s more, there was a slight increase both in the share of very short attacks lasting less than 4 hours (from 91.37% to 93.99%) and in the share of long (from 0.07% to 0.13%) and ultra-long (from 0.13% to 0.26%) ones. By contrast, the share of moderately long attacks in Q2 fell slightly, and attacks lasting 5–9 hours (2.65%) lost 1.51 p.p.

The maximum attack duration continued to increase. If in Q4 2020 we saw no attacks lasting more than 302 hours, the longest attack in Q1 2021 was 746 hours (more than 31 days), and Q2 topped that with a 776-hour-long attack (more than 32 days).

Distribution of DDoS attacks by duration, Q1 and Q2 2021 (download)

Looking at the distribution by type of attack, we see that UDP flooding in Q2 significantly increased its slice (60% vs 42% in Q1). SYN flooding (23.67%), which until 2021 was the most common type of DDoS, is fighting to regain lost territory: this quarter it swapped places with TCP flooding (13.42%) to claim second place.

Distribution of DDoS attacks by type, Q2 2021 (download)

Botnet distribution geography

Among botnet C&C servers, 90% were located in ten countries in Q2. The biggest share was in the US (47.95%), which added 6.64 p.p. to its score in the previous reporting period. In second place, as in Q1, is Germany (12.33%), and in third place the Netherlands (9.25%). France (4.28%) retained fourth position, followed by Canada (3.94%), whose share has doubled since last quarter.

The sixth-placed country by number of botnet C&C servers, as in Q1, is Russia (3.42%). The Czech Republic (2.57%) climbed to seventh place, overtaking Romania (2.40%), which shared eighth and ninth places with the UK (2.40%). Singapore (1.54%) props up the TOP 10, while the Seychelles dropped out of the ranking, having almost no C&C servers used by active botnets.

Distribution of botnet C&C servers by country, Q2 2021 (download)

Attacks on IoT honeypots

Also in Q2 2021 we analyzed in which countries bots and servers were attacking IoT devices with a view to botnet expansion. This involved studying the statistics on Telnet and SSH attacks on our IoT honeypots. The country with the most devices from which SSH attacks were launched this quarter was China (31.79%). In second place was the US (12.50%), and in third Germany (5.94%). However, the bulk of attacks via SSH originated in Ireland (70.14%) and Panama (15.81%), which both had relatively few bots. This could suggest that among the attacking devices located in these countries there were powerful servers capable of infecting multiple devices worldwide simultaneously.

Geography of devices from which attempts were made to attack Kaspersky SSH traps, Q2 2021 (download)

The biggest share of bots attacking Telnet traps in Q2 also belonged to China (39.60%). In addition, many bots were located in India (18.54%), Russia (5.76%) and Brazil (3.81%). The attacks originated mostly in these same countries, the only difference being that bot activity in Russia (11.25%) and Brazil (8.21%) was higher than in India (7.24%), while China (56.83%) accounted for more than half of all attacks on Telnet honeypots.

Geography of devices from which attempts were made to attack Kaspersky Telnet honeypots, Q2 2021 (download)

Conclusion

The DDoS market continues to stabilize after last year’s shakeup. As expected, Q2 2021 demonstrated the traditional summer lull. That said, we did see some abnormally long attacks, as well as shifts in the DDoS geography. The number of attacks in China, which long topped the ranking, continued to decline, at the same time as DDoS activity in Poland and Brazil increased markedly. Other than that, it was a pretty ordinary second quarter.

At present, we see no grounds for a sharp rise or fall in the DDoS market in Q3 2021. As before, the market will be heavily dependent on cryptocurrency prices, which have been riding high, despite declining relative to their spring peak: 1 BTC is worth US$30,000–35,000, less than a couple of months ago, but still a tidy sum. With cryptocurrency prices still attractive, the DDoS market is not expected to grow. Most likely, the summer decline typical of the vacation period will continue through Q3.

Managed Detection and Response in Q4 2020

21 Červenec, 2021 - 12:00

 Download full report (PDF)

As cyberattacks become more sophisticated, and security solutions require more resources to analyze the huge amount of data gathered every day, many organizations feel the need for advanced security services that can deal with this growing complexity in real time, 24/7.

This article contains some analytical findings from Managed Detection and Response (MDR) operations during Q4 2020.

What is Kaspersky MDR

Kaspersky MDR uses Kaspersky Endpoint Security and Kaspersky Anti Targeted Attack Platform as low-level telemetry suppliers after MDR license activation. Raw telemetry is initially enriched and correlated in the cloud, then two levels of SOC analysis process the resulting alerts. The first level of SOC analysis is a neural network-based supervised ML model that is trained on alerts investigated by human analysts. The second level consists of on-duty SOC analysts, who triage alerts and provide recommendations on response to customers.

The MDR team also has a dedicated group for threat-hunting activities — proactive searching for threats through raw telemetry to find attacks that were not detected by automated logic, including ML/AI in the MDR cloud infrastructure. The threat-hunting team is responsible for detection engineering, so all threats found manually are then covered with automatic detection and prevention logic to speed up customer protection.
During the reporting period, Kaspersky MDR was used across all industry verticals as shown below along with the share of detected incidents for each.

Data processing pipeline and security operations

In Q4 2020, the average number of collected raw events from one host was around 15 000. This comparatively low amount is explained by comprehensive analysis performed by Kaspersky Endpoint Security right at the endpoint, such as objects reputation checks, and the fact that only a required minimum of telemetry is sent to the cloud for further analysis.

During the reported period, MDR processed approximately 65 000 alerts, followed by an investigation that resulted in 1 506 incidents reported to customers, approximately 93% of which were mapped to the MITRE ATT&CK framework.

From a security operations standpoint, incident processing depends on alert severity. High severity typically requires more time to investigate and provide recommendations on remediation steps.

Incident remediation efficiency

Most of the incidents (80.1%) were detected based on the first analyzed alert. This means that after the first true positive alert, remediation activities stopped the attack from happening and no new alerts were linked to the incident. This demonstrates that remediation is fairly efficient.

Incidents linked to 2-4 alerts account for 15.3%; they represent the main directions for detection engineering, both in new alert development and improvements to existing alerts.

Incidents linked with larger numbers of alerts are related to cases where fast remediation is not efficient or not allowed. Examples of these incidents include a new targeted attack that requires thorough investigation before active response, or security assessment engagements, where active counteraction to attacker is not allowed.

Incident severity

According to the MDR incident severity classification, High-severity incidents are related to human-driven attacks or malware outbreaks with a high impact. Medium severity is related to incidents that significantly affect the efficiency or performance of assets covered by MDR. Finally, Low severity is related to incidents without a significant impact, which still ought to be fixed, for example, infection with grayware, such as adware, riskware, etc.

High-severity incidents can be caused by a number of factors:

  • APT, targeted attack
  • Offensive exercise
  • Artefacts of APT, targeted attack
  • Malware with critical impact
  • Likely-to-be-exploited vulnerability
  • DDOS/DOS with impact
  • Insider threat with impact (subversion, fraud)
  • Social engineering

In the analyzed period, the incident severity statistics and distribution of High-severity incidents were as follows.

Distribution of incidents by criticality Types of High-severity incidents

Almost all of the verticals in the analyzed period were victims of targeted attacks. IT, Government and Industrial are the TOP 3. Companies that suffered from targeted attacks typically engaged in offensive exercises, a sign of adequate risk assessment.

Adversary tactics, techniques and procedures

As for the attack kill-chain stage, we do not see any correlation between incident severity and tactics at the moment of detection, although it might be expected that more complex attacks would be detected at a later stage.

Analysis of the detection technology has confirmed that there is a need for a combination of different detection systems, because the endpoint tactics are efficiently detected by EPP; SB provides better results at analyzing content before it reaches the endpoint, and all network communications are subject to IDS.

Next, there are the top performing (by the number of reported incidents) MITRE ATT&CK techniques, detected by telemetry from each sensor.

Analysis of tools that attackers use in the incidents shows that PowerShell is still number one and especially popular in High-severity incidents.

Recommendations

Analysis of incident statistics suggests the following recommendations on improving the security controls in place.

  • One third of all high-severity incidents were human-driven targeted attacks. Automated tools are not enough for fully detecting these, so manual threat hunting in combination with classical alert-driven monitoring should be implemented.
  • Professional red team exercises are very similar to advanced attacks and are thus a good approach to assessing the organization’s operational efficiency.
  • Nine percent of reported High-severity incidents were successful social engineering attacks, which demonstrates the need for raising employee security awareness.
  • Be ready to detect threats that use every tactic (attack kill chain phase).
  • Even a complex attack consists of simple steps and techniques; the detection of a particular technique can expose the whole attack.
  • Different detection technologies have different levels of efficiency with different attacker techniques. Maintain a variety of security technologies to increase the chances of successful detection.
  • Monitor PowerShell with built-in Windows events or comprehensive EDRs.

Arrests of members of Tetrade seed groups Grandoreiro and Melcoz

14 Červenec, 2021 - 20:00

Spain’s Ministry of the Interior has announced the arrest of 16 individuals connected to the Grandoreiro and Melcoz (also known as Mekotio) cybercrime groups. Both are originally from Brazil and form part of the Tetrade umbrella, operating for a few years now in Latin America and Western Europe.

Grandoreiro is a banking Trojan malware family that initially started its operations in Brazil. Similarly to two other malware families, Melcoz and Javali, Grandoreiro first expanded operations to other Latin American countries and then to Western Europe. We have witnessed Grandoreiro’s campaigns since at least 2016, with the attackers regularly improving techniques, striving to stay undetected and active for longer periods of time. Based on our analysis of campaigns we have seen Grandoreiro operate as a Malware-as-a-Service (MaaS) project.

Since January 2020, our telemetry shows that Grandoreiro has attacked mostly Brazil, Mexico, Spain, Portugal, and Turkey.

On the other hand, Melcoz (also known as Mekotio) is a banking Trojan family developed by the Tetrade group which has been active since at least 2018 in Brazil, before they decided to expand overseas. We found the group attacking assets in Chile in 2018 and, more recently, in Mexico. There are also likely victims in other countries, as some of the targeted banks have international operations. Generally, the malware uses AutoIt or VBS scripts, added into MSI files, which run malicious DLLs using the DLL-Hijack technique, aiming to bypass security solutions. This malware steals passwords from browsers and from the device’s memory, providing remote access to capture internet banking access. It also includes a Bitcoin wallet stealing module.

Our telemetry confirms that since January 2020, Melcoz has been actively targeting Brazil, Chile, and Spain, among other countries.

If we compare Grandoreiro and Melcoz in terms of proliferation, it’s clear that Grandoreiro is more aggressive when targeting victims worldwide.

What can we now expect after the arrest of 16 individuals in Spain? The work carried out by the Guardia Civil of Spain in actioning these arrests is remarkable. However, since both malware families are from Brazil, the individuals arrested in Spain are just operators. In other words, the creators of Grandoreiro and Melcoz will likely remain in Brazil where they may develop new malware techniques and recruit new members in their countries of interest.

Kaspersky technologies detect both families as Trojan-Banker.Win32.Grandoreiro and Trojan-Banker.Win32.Melcoz.

We recommend that financial institutions stay vigilant and watch the threats that are part of the Tetrade umbrella closely while improving their authentication processes, boosting anti-fraud technology and threat intel data, and trying to understand and mitigate such risks. Detailed information about Tetrade with full IOCs and Yara rules and hashes of these threats is available to our Financial Threat Intel services users.

LuminousMoth APT: Sweeping attacks for the chosen few

14 Červenec, 2021 - 12:00

APT actors are known for the frequently targeted nature of their attacks. Typically, they will handpick a set of targets that in turn are handled with almost surgical precision, with infection vectors, malicious implants and payloads being tailored to the victims’ identities or environment. It’s not often we observe a large-scale attack conducted by actors fitting this profile, usually due to such attacks being noisy, and thus putting the underlying operation at risk of being compromised by security products or researchers.

We recently came across unusual APT activity that exhibits the latter trait – it was detected in high volumes, albeit most likely aimed at a few targets of interest. This large-scale and highly active campaign was observed in South East Asia and dates back to at least October 2020, with the most recent attacks seen around the time of writing. Most of the early sightings were in Myanmar, but it now appears the attackers are much more active in the Philippines, where there are more than 10 times as many known targets.

Further analysis revealed that the underlying actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda. This is evident in both network infrastructure connections, and the usage of similar TTPs to deploy the Cobalt Strike Beacon as a payload. In fact, our colleagues at ESET and Avast recently assessed that HoneyMyte was active in the same region. The proximity in time and common occurrence in Myanmar of both campaigns could suggest that various TTPs of HoneyMyte may have been borrowed for the activity of LuminousMoth.

Most notably though, we observed the capability of the culprit to spread to other hosts through the use of USB drives. In some cases, this was followed by deployment of a signed, but fake version of the popular application Zoom, which was in fact malware enabling the attackers to exfiltrate files from the compromised systems. The sheer volume of the attacks raises the question of whether this is caused by a rapid replication through removable devices or by an unknown infection vector, such as a watering hole or a supply chain attack.

In this publication we aim to profile LuminousMoth as a separate entity, outlining the infection chain and unique toolset it leverages, the scale and targeting in its campaigns as well as its connections to HoneyMyte through common TTPs and shared resources.

What were the origins of the infections?

We identified two infection vectors used by LuminousMoth: the first one provides the attackers with initial access to a system. It consists of sending a spear-phishing email to the victim containing a Dropbox download link. The link leads to a RAR archive that masquerades as a Word document by setting the “file_subpath” parameter to point to a filename with a .DOCX extension.

hxxps://www.dropbox[.]com/s/esh1ywo9irbexvd/COVID-19%20Case%2012-11- 2020.rar?dl=0&file_subpath=%2FCOVID-19+Case+12-11-2020%2FCOVID-19+Case+12-11-2020(2).docx

The archive contains two malicious DLL libraries as well as two legitimate executables that sideload the DLL files. We found multiple archives like this with file names of government entities in Myanmar, for example “COVID-19 Case 12-11-2020(MOTC).rar” or “DACU Projects.r01” (MOTC is Myanmar’s Ministry of Transport and Communications, and DACU refers to the Development Assistance Coordination Unit of the Foreign Economic Relations Department (FERD) in Myanmar).

Infection chain

The second infection vector comes into play after the first one has successfully finished, whereby the malware tries to spread by infecting removable USB drives. This is made possible through the use of two components: the first is a malicious library called “version.dll” that gets sideloaded by “igfxem.exe”, a Microsoft Silverlight executable originally named “sllauncher.exe”. The second is “wwlib.dll”, another malicious library sideloaded by the legitimate binary of “winword.exe”. The purpose of “version.dll” is to spread to removable devices, while the purpose of “wwlib.dll” is to download a Cobalt Strike beacon.

The first malicious library “version.dll” has three execution branches, chosen depending on the provided arguments, which are: “assist”, “system” or no argument. If the provided argument is “assist”, the malware creates an event called “nfvlqfnlqwnlf” to avoid multiple executions and runs “winword.exe” in order to sideload the next stage (“wwlib.dll”). Afterwards, it modifies the registry by adding an “Opera Browser Assistant” entry as a run key, thus achieving persistence and executing the malware with the “assist” parameter upon system startup.

Registry value to run the malware at system startup

Then, the malware checks if there are any removable drives connected to the infected system. If any are found, it enumerates the files stored on the drive and saves the list to a file called “udisk.log”. Lastly, the malware is executed once again with the “system” parameter.

If the provided argument is “system”, a different event named “qjlfqwle21ljl” is created. The purpose of this execution branch is to deploy the malware on all connected removable devices, such as USB sticks or external drives. If a drive is found, the malware creates hidden directories carrying non ascii characters on the drive and moves all the victim’s files there, in addition to the two malicious libraries and legitimate executables. The malware then renames the file “igfxem.exe” to “USB Driver.exe” and places it at the root of the drive along with “version.dll”. As a result, the victims are no longer able to view their own drive files and are left with only “USB Driver.exe”, meaning they will likely execute the malware to regain access to the hidden files.

Copying the payload and creating a hidden directory on the removable drive

If no argument is provided, the malware executes the third execution branch. This branch is only launched in the context of a compromised removable drive by double-clicking “USB Driver.exe”. The malware first copies the four LuminousMoth samples stored from the hidden drive repository to “C:\Users\Public\Documents\Shared Virtual Machines\”. Secondly, the malware executes “igfxem.exe” with the “assist” argument. Finally, “explorer.exe” gets executed to display the hidden files that were located on the drive before the compromise, and the user is able to view them.

The second library, “wwlib.dll”, is a loader. It gets sideloaded by “winword.exe” and emerged two months prior to “version.dll”, suggesting that earlier instances of the attack did not rely on replication through removable drives but were probably distributed using other methods such as the spear-phishing emails we observed.

“Wwlib.dll” fetches a payload by sending a GET request to the C2 address at “103.15.28[.]195”. The payload is a Cobalt Strike beacon that uses the Gmail malleable profile to blend with benign traffic.

Downloading a Cobalt Strike beacon from 103.15.28[.]195

Older spreading mechanism

We discovered an older version of the LuminousMoth infection chain that was used briefly before the introduction of “version.dll”. Instead of the usual combination of “version.dll” and “wwlib.dll”, a different library called “wwlib.dll” is in fact the first loader in this variant and is in charge of spreading to removable drives, while a second “DkAr.dll” library is in charge of downloading a Cobalt Strike beacon from the C2 server. This variant’s “wwlib.dll” offers two execution branches: one triggered by the argument “Assistant” and a second one with no arguments given. When this library is sideloaded by “winword.exe”, it creates an event called “fjsakljflwqlqewq”, adds a registry value for persistence, and runs “PrvDisk.exe” that then sideloads “DkAr.dll”.

The final step taken by “wwlib.dll” is to copy itself to any removable USB device. To do so, the malware checks if there are any files carrying a .DOC or .DOCX extension stored on the connected devices. If such a document is found, the malware replaces it with the “winword.exe” binary, keeping the document’s file name but appending “.exe” to the end. The original document is then moved to a hidden directory. The “wwlib.dll” library is copied to the same directory containing the fake document and the four samples (two legitimate PE files, two DLL libraries) are copied to “[USB_Drive letter]:\System Volume Information\en-AU\Qantas”.

If the malware gets executed without the “Assistant” argument, this means the execution was started from a compromised USB drive by double-clicking on the executable. In this case, the malware first executes “explorer.exe” to show the hidden directory with the original documents of the victim, and proceeds to copy the four LuminousMoth samples to “C:\Users\Public\Documents\Shared Virtual Machines\”. Finally, it executes “winword.exe” with the “Assistant” argument to infect the new host, to which the USB drive was connected.

Since this variant relies on replacing Word documents with an executable, it is possible that the attackers chose the “winword.exe” binary for sideloading the malicious DLL due to its icon, which raises less suspicions about the original documents being tampered with. However, this means that the infection was limited only to USB drives that have Word documents stored on them, and might explain the quick move to a more pervasive approach that infects drives regardless of their content.

Post exploitation tool: Fake Zoom application

The attackers deployed an additional malicious tool on some of the infected systems in Myanmar. Its purpose is to scan the infected systems for files with predefined extensions and exfiltrate them to a C2 server. Interestingly, this stealer impersonates the popular Zoom video telephony software. One measure to make it seem benign is a valid digital signature provided with the binary along with a certificate that is owned by Founder Technology, a subsidiary of Peking University’s Founder Group, located in Shanghai.

Valid certificate of the fake Zoom application

To facilitate the exfiltration of data, the stealer parses a configuration file called “zVideoUpdate.ini”. While it is unclear how the malware is written to disk by the attackers, it is vital that the .ini file is dropped alongside it and placed in the same directory in order to work. The configuration parameters that comprise this file are as follows:

Parameter Name Purpose meeting Undetermined integer value that defaults to 60. ssb_sdk Undetermined integer value that defaults to 60. zAutoUpdate URL of the C2 server which the stolen data will be uploaded to. XmppDll Path to the utility used to archive exfiltrated files. zKBCrypto List of exfiltrated file extensions that are searched in target directories. The extensions of interest are delimited with the ‘;’ character. zCrashReport Suffix string appended to the name of the staging directory used to host exfiltrated files before they are archived. zWebService Path prefix for the exfiltration staging directory. zzhost Path to the file that will hold a list of hashes corresponding to the  files collected for exfiltration. ArgName AES key for configuration string encryption. Version AES IV for configuration string encryption. zDocConverter Path #1 to a directory to look for files with the extension intended for exfiltration zTscoder Path #2 to a directory to look for files with the extension intended for exfiltration zOutLookIMutil Path #3 to a directory to look for files with the extension intended for exfiltration

Each field in the configuration file (with the exception of Version, ArgName and zCrashReport) is encoded with Base64. While the authors incorporated logic and parameters that allow the decryption of some of the fields specified above with the AES algorithm, it remains unused.

The stealer uses the parameters in order to scan the three specified directories (along with root paths of fixed and removable drives) and search for files with the extensions given in the zKBCrypto parameter. Matching files will then be copied to a staging directory created by the malware in a path constructed with the following structure: “<zWebService>\%Y-%m-%d %H-%M-%S<zCrashReport>”. The string format in the directory’s name represents the time and date of the malware’s execution.

In addition, the malware collects the metadata of the stolen files. One piece of data can be found as a list of original paths corresponding to the exfiltrated files that is written to a file named ‘VideoCoingLog.txt’. This file resides in the aforementioned staging directory. Likewise, a second file is used to hold the list of hashes corresponding to the exfiltrated files and placed in the path specified in the zzhost parameter.

After collection of the targeted files and their metadata, the malware executes an external utility in order to archive the staging directory into a .rar file that will be placed in the path specified in the zWebService parameter. The malware assumes the existence of the utility in a path specified under the XmppDll parameter, suggesting the attackers have prior knowledge of the infected system and its pre-installed applications.

Finally, the malware seeks all files with a .rar extension within the zWebService directory that should be transmitted to the C2. The method used to send the archive makes use of a statically linked CURL library, which sets the parameters specified below when conducting the transaction to the server. The address of the C2 is taken from the zAutoUpdate parameter.

CURL logic used to issue the archive of exfiltrated files to the C&C

Post exploitation tool: Chrome Cookies Stealer

The attackers deployed another tool on some infected systems that steals cookies from the Chrome browser. This tool requires the local username as an argument, as it is needed to access two files containing the data to be stolen:

C:\Users\[USERNAME]\AppData\Local\Google\Chrome\User Data\Default\Cookies C:\Users\[USERNAME]\AppData\Local\Google\Chrome\User Data\Local State

The stealer starts by extracting the encrypted_key value stored in the “Local State” file. This key is base64 encoded and used to decode the cookies stored in the “Cookies” file. The stealer uses the CryptUnprotectData API function to decrypt the cookies and looks for eight specific cookie values: SID, OSID, HSID, SSID, LSID, APISID, SAPISID and ACCOUNT_CHOOSER:

Cookie values the stealer looks for

Once found, the malware simply displays the values of those cookies in the terminal. The Google policy available here explains that these cookies are used to authenticate users:

Google policy explaining the purpose of the cookies

During our test, we set up a Gmail account and were able to duplicate our Gmail session by using the stolen cookies. We can therefore conclude this post exploitation tool is dedicated to hijacking and impersonating the Gmail sessions of the targets.

Command and Control

For C2 communication, some of the LuminousMoth samples contacted IP addresses directly, whereas others communicated with the domain “updatecatalogs.com”.

  • 103.15.28[.]195
  • 202.59.10[.]253

Infrastructure ties from those C2 servers helped reveal additional domains related to this attack that impersonate known news outlets in Myanmar, such as MMTimes, 7Day News and The Irrawaddy. Another domain “mopfi-ferd[.]com” also impersonated the Foreign Economic Relations Department (FERD) of the Ministry of Planning, Finance and Industry (MOPFI) in Myanmar.

  • mmtimes[.]net
  • mmtimes[.]org
  • 7daydai1y[.]com
  • irrawddy[.]com
  • mopfi-ferd[.]com

“Mopfi-ferd[.]com” resolved to an IP address that was associated with a domain masquerading as the Zoom API. Since we have seen the attackers deploying a fake Zoom application, it is possible this look-alike domain was used to hide malicious Zoom traffic, although we have no evidence of this.

Potentially related Zoom look-alike domains

Who were the targets?

We were able to identify a large number of targets infected by LuminousMoth, almost all of which are from the Philippines and Myanmar. We came across approximately 100 victims in Myanmar, whereas in the Philippines the number was much higher, counting nearly 1,400 victims. It seems however that the actual targets were only a subset of these that included high-profile organizations, namely government entities located both within those countries and abroad.

It is likely that the high rate of infections is due to the nature of the LuminousMoth attack and its spreading mechanism, as the malware propagates by copying itself to removable drives connected to the system. Nevertheless, the noticeable disparity between the extent of this activity in both countries might hint to an additional and unknown infection vector being used solely in the Philippines. It could, however, simply be that the attackers are more interested in going after targets from this region.

Connections to HoneyMyte

Over the course of our analysis, we noticed that LuminousMoth shares multiple similarities with the HoneyMyte threat group. Both groups have been covered extensively in our private reports, and further details and analysis of their activity are available to customers of our private APT reporting service. For more information, contact: intelreports@kaspersky.com.

LuminousMoth and HoneyMyte have similar targeting and TTPs, such as the usage of DLL side-loading and Cobalt Strike loaders, and a similar component to LuminousMoth’s Chrome cookie stealer was also seen in previous HoneyMyte activity. Lastly, we found infrastructure overlaps between the C2 servers used in the LuminousMoth campaign and an older one that has been attributed to HoneyMyte.

Some of LuminousMoth’s malicious artifacts communicate with “updatecatalogs[.]com”, which resolves to the same IP address behind “webmail.mmtimes[.]net”. This domain was observed in a campaign that dates back to early 2020, and was even found on some of the systems that were later infected with LuminousMoth. In this campaign, a legitimate binary (“FmtOptions.exe”) sideloads a malicious DLL called “FmtOptions.dll”, which then decodes and executes the contents of the file “work.dat”. This infection flow also involves a service called “yerodns.dll” that implements the same functionality as “FmtOptions.dll”.

The domain “webmail.mmtimes[.]net” previously resolved to the IP “45.204.9[.]70”. This address is associated with another MMTimes look-alike domain used in a HoneyMyte campaign during 2020: “mmtimes[.]org”. In this case, the legitimate executable “mcf.exe” loads “mcutil.dll”. The purpose of “mcutil.dll” is to decode and execute “mfc.ep”, a PlugX backdoor that communicates with “mmtimes[.]org”. Parts of this campaign were also covered in one of our private reports discussing HoneyMyte’s usage of a watering hole to infect its victims.

Therefore, based on the above findings, we can assess with medium to high confidence that the LuminousMoth activity is indeed connected to HoneyMyte.

Connection between HoneyMyte and LuminousMoth C2s

Conclusions

LuminousMoth represents a formerly unknown cluster of activity that is affiliated to a Chinese-speaking actor. As described in this report, there are multiple overlaps between resources used by LuminousMoth and those sighted in previous activity of HoneyMyte. Both groups, whether related or not, have conducted activity of the same nature – large-scale attacks that affect a wide perimeter of targets with the aim of hitting a few that are of interest.

On the same note, this group’s activity and the apparent connections may hint at a wider phenomenon observed during 2021 among Chinese-speaking actors, whereby many are re-tooling and producing new and unknown malware implants. This allows them to obscure any ties to their former activities and blur their attribution to known groups. With this challenge in mind, we continue to track the activity described in this publication with an eye to understanding its evolution and connection to previous attacks.

Indicators of Compromise Version.dll payloads Hashes Compilation Date 0f8b7a64336b4315cc0a2e6171ab027e
2d0296ac56db3298163bf3f6b622fdc319a9be23
59b8167afba63b9b4fa4369e6664f274c4e2760a4e2ae4ee12d43c07c9655e0f Dec 24 09:20:16 2020 37054e2e8699b0bdb0e19be8988093cd
5e45e6e113a52ba420a35c15fbaa7856acc03ab4
a934ae0274dc1fc9763f7aa51c3a2ce1a52270a47dcdd80bd5b9afbc3a23c82b Dec 24 09:19:51 2020 c05cdf3a29d6fbe4e3e8621ae3173f08
75cd21217264c3163c800e3e59af3d7db14d76f8
869e7da2357c673dab14e9a64fb69691002af5b39368e6d1a3d7fda242797622 Dec 29 11:45:41 2020 5ba1384b4edfe7a93d6f1166da05ff6f
6d18970811821125fd402cfa90210044424e223a
857c676102ea5dda05899d4e386340f6e7517be2d2623437582acbe0d46b19d2 Jan 07 11:18:38 2021 afb777236f1e089c9e1d33fce46a704c
cf3582a6cdac3e254c017c8ce36240130d67834a
1ec88831b67e3f0d41057ba38ccca707cb508fe63d39116a02b7080384ed0303 Jan 14 11:18:50 2021 wwlib.dll payloads Hashes Compilation Date 4fbc4835746a9c64f8d697659bfe8554
b43d7317d3144c760d82c4c7506eba1143821ac1
95bcc8c3d9d23289b4ff284cb685b741fe92949be35c69c1faa3a3846f1ab947 Dec 24 10:25:39 2020 Related payloads Hashes Name Compilation Date b31008f6490ffe7ba7a8edb9e9a8c137
c1945fd976836ba2f3fbeafa276f60c3f0e9a51c
4a4b976991112b47b6a3d6ce19cc1c4f89984635ed16aea9f88275805b005461 FmtOptions.dll Jan 11 10:00:42 2021

  ac29cb9c702d9359ade1b8a5571dce7d
577ad54e965f7a21ba63ca4a361a3de86f02e925
d8de88e518460ee7ffdffaa4599ccc415e105fc318b36bc8fe998300ee5ad984 yerodns.dll Oct 29 10:33:20 2019

  afe30b5dd18a114a9372b5133768151c
9a6f97300017a09eb4ea70317c65a18ea9ac49bd
cf757b243133feab2714bc0da534ba21cbcdde485fbda3d39fb20db3a6aa6dee mcutil.dll Jun 13 16:35:46 2019

  95991f445d846455b58d203dac530b0b
cee6afa1c0c8183900b76c785d2989bd1a904ffb
f27715b932fb83d44357dc7793470b28f6802c2dc47076e1bc539553a8bfa8e0 mcutil.dll Feb 21 09:41:11 2020 Post exploitation tools Hashes Name Compilation Date c727a8fc56cedc69f0cfd2f2f5796797
75d38bf8b0053d52bd5068adf078545ccdac563f
361ccc35f7ff405eb904910de126a5775de831b4229a4fdebfbacdd941ad3c56 ZoomVideoApp.exe Mar 02 10:51:31 2021 Domains and IPs

103.15.28[.]195
202.59.10[.]253
updatecatalogs[.]com
mopfi-ferd[.]com
mmtimes[.]net
mmtimes[.]org
7daydai1y[.]com
irrawddy[.]com

Quick look at CVE-2021-1675 & CVE-2021-34527 (aka PrintNightmare)

8 Červenec, 2021 - 07:00

Summary

Last week Microsoft warned Windows users about vulnerabilities in the Windows Print Spooler service – CVE-2021-1675 and CVE-2021-34527 (also known as PrintNightmare). Both vulnerabilities can be used by an attacker with a regular user account to take control of a vulnerable server or client machine that runs the Windows Print Spooler service. This service is enabled by default on all Windows clients and servers, including domain controllers.

Kaspersky products protect against attacks leveraging these vulnerabilities. The following detection names are used:

  • HEUR:Exploit.Win32.CVE-2021-1675.*
  • HEUR:Exploit.Win32.CVE-2021-34527.*
  • HEUR:Exploit.MSIL.CVE-2021-34527.*
  • HEUR:Exploit.Script.CVE-2021-34527.*
  • HEUR:Trojan-Dropper.Win32.Pegazus.gen
  • PDM:Exploit.Win32.Generic
  • PDM:Trojan.Win32.Generic
  • Exploit.Win32.CVE-2021-1675.*
  • Exploit.Win64.CVE-2021-1675.*

Our detection logic is also successfully blocks attack technique from the latest Mimikatz framework v. 2.2.0-20210707.

We are closely monitoring the situation and improving generic detection of these vulnerabilities using our Behavior Detection and Exploit Prevention components. As part of our Managed Detection and Response service Kaspersky SOC experts are able to detect exploitation of these vulnerabilities, investigate such attacks and report to customers.

Technical details CVE-2021-34527

When using RPC protocols to add a new printer (RpcAsyncAddPrinterDriver [MS-PAR] or RpcAddPrinterDriverEx [MS-RPRN]) a client has to provide multiple parameters to the Print Spooler service:

  • pDataFile – a path to a data file for this printer;
  • pConfigFile – a path to a configuration file for this printer;
  • pDriverPath – a path to a driver file that’s used by this printer while it’s working.

The service makes several checks to ensure pDataFile and pDriverPath are not UNC paths, but there is no corresponding check for pConfigFile, meaning the service will copy the configuration DLL to the folder %SYSTEMROOT%\system32\spool\drivers\x64\3\ (on x64 versions of the OS).

Now, if the Windows Print Spooler service tries to add a printer again, but this time sets pDataFile to the copied DLL path (from the previous step), the print service will load this DLL because its path is not a UNC path, and the check will be successfully passed. These methods can be used by a low-privileged account, and the DLL is loaded by the NT AUTHORITY\SYSTEM group process.

CVE-2021-1675

The local version of PrintNightmare uses the same method for exploitation as CVE-2021-34527, but there’s a difference in the entrypoint function (AddPrinterDriverEx). This means an attacker can place a malicious DLL in any locally accessible directory to run the exploit.

Mitigations

Kaspersky experts anticipate a growing number of exploitation attempts to gain access to resources inside corporate perimeters accompanied by a high risk of ransomware infection and data theft.

Therefore, it is strongly recommended to follow Microsoft guidelines and apply the latest security updates for Windows.

Quoting Microsoft (as of July 7th, 2021):
“Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object (GPO).
While this security assessment focuses on domain controllers, any server is potentially at risk to this type of attack.”

WildPressure targets the macOS platform

7 Červenec, 2021 - 12:00

New findings

Our previous story regarding WildPressure was dedicated to their campaign against industrial-related targets in the Middle East. By keeping track of their malware in spring 2021, we were able to find a newer version. It contains the C++ Milum Trojan, a corresponding VBScript variant with the same version (1.6.1) and a set of modules that include an orchestrator and three plugins. This confirms our previous assumption that there are more last-stagers besides the C++ ones, based a field in the C2 communication protocol that contains the “client” programming language.

Another language used by WildPressure is Python. The PyInstaller module for Windows contains a script named “Guard”. Perhaps the most interesting finding here is that this malware was developed for both Windows and macOS operating systems. The coding style, overall design and C2 communication protocol is quite recognizable across all three programming languages used by the authors.

The versioning system shows that the malware used by WildPressure is still under active development. Besides commercial VPS, this time the operators used compromised legitimate WordPress websites. With low confidence this time, we believe their targets to be in the oil and gas industry. If previously the operators used readable “clientids” like “HatLandid3”, the new ones we observed in the Milum samples appear to be randomized like “5CU5EQLOSI” and “C29QoCli33jjxtb”.

Although we couldn’t associate WildPressure’s activity with other threat actors, we did find minor similarities in the TTPs used by BlackShadow, which is also active in the same region. However, we consider that these similarities serve as minor ties and are not enough to make any attribution.

Python multi-OS Trojan

SHA1 872FC1D91E078F0A274CA604785117BEB261B870 File type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows File size 3.3 MB File name svchost.exe

This PyInstaller Windows executable was detected in our telemetry on September 1, 2020, showing version 2.2.1. It contains an archive with all the necessary libraries and a Python Trojan that works both on Windows and macOS. The original name of the script inside this PyInstaller bundle is “Guard”. The malware authors extensively relied on publicly available third-party code[1] to create it. Near the entry point one can find the first operating system-dependent code, which checks on macOS if another instance of the Trojan is running.

macOS-specific code snippet to check if another Trojan instance is already running

The Guard class constructor contains initial values, such as an XOR key (enc_key field) to decrypt the configuration. In this sample, it is set to decimal 110 and the C2 message type (answer_type_value field) to “Check”. The code that initializes class members for encryption and network communications is OS independent, but persistence methods aren’t.

For macOS, Guard decodes an XML document and creates a plist file using its contents at $HOME/Library/LaunchAgents/com.apple.pyapple.plist to autorun itself; while for Windows, the script creates a RunOnce registry key Software\Microsoft\Windows\CurrentVersion\RunOnce\gd_system. We provide the full list of persistence IoCs at the end of this article.

Malware decodes the XML, fills [pyscript] placeholder with its path and drops .plist file for persistence

For fingerprinting Windows and macOS operating systems, Guard uses standard Python libraries. Beacon data for the C2 contains the hostname, machine architecture, OS release name. To fingerprint Windows targets, Guard also uses WQL (WMI Query Language) requests similarly to Milum and WMIC command line utility features. For example, to distinguish the installed security products it executes the following command:

cmd /c wmic /NAMESPACE:\\\\root\SecurityCenter2 PATH AntiVirusProduct GET displayName, productUptoDate /Format:List

On macOS, Guard enumerates running processes using the “ls /Applications” command and compares the results against a list of security solutions: [“kaspersky security.app”,”kaspersky anti-virus for mac.app” , “intego”, “sophos anti-virus.app” , “virusbarrier.app”,”mcafee internet security.app”]

The path to the file containing Guard’s configuration data is %APPDATA%\Microsoft\grconf.dat under Windows and $HOME\.appdata\grconf.dat under macOS.

Guard’s configuration data has to start with the string “*grds*”. Below is a comparison between different WildPressure sample parameters, including magic values used to pre- and post-fix the configuration data.

Parameter C++ Milum Python Guard VBScript Tandis Version 1.0.1 – 1.6.1 2.2.1 1.6.1 Serial Comparable to “clientid” with values like “HatLandid3” 1——-C29QoCli———————— 1——-Tandis_7———————— Relays List of .php pages hosted on VPS List of hacked WordPress websites List of hacked WordPress websites Encoded configuration start\end (ws32) (we32) *grds* *grde* Configuration embedded inside the script

These prefix and suffix values allowed us to decode Mulim and Guard configuration data as well as the self-decrypted Tandis with Bash and Python scripts. Following configuration parsing, the Trojan is ready for its main working cycle. It awaits commands from its C2 that are XML-based and XOR-encrypted with the aforementioned decimal value 110. Among them are typical Trojan functions: downloading files, uploading files, executing commands with the OS command interpreter, updating the Trojan and cleaning up the target.

VBScript self-decrypted variant

SHA1 CD7904E6D59142F209BD248D21242E3740999A0D File type Self-decrypting VBScript File size 51 KB File name l2dIIYKCQw.vbs

We named the Tandis Trojan after its “serial” configuration parameter. This VBScript Trojan version is Windows-only and relies much more on WQL queries than Guard. It was first detected in our telemetry on September 1, 2020, showing version 1.6.1. The abilities, parameters and working cycle are quite similar to Guard and other WildPressure malware.

The persistence is again system registry-based (please check the IoCs at the end). The function HexToBin() is in charge of the additional encryption used inside the script for some strings and C2 communication. The basic unhexlify-XOR algorithm is the same as in the initial self-decryption; and to read plain text we used the same aforementioned script with corresponding key (again 110 decimal, stored in a class data member). The C2 communication protocol is “encrypted XML over HTTP” (using Msxml2.XMLHTTP and Msxml2.DOMDocument objects).

Below are the commands that Tandis supports:

Command Description 1 Wait 2 Silently execute command with interpreter with cmd /c 3 Download file 4 Update the script from server 5 Clean up, remove persistence and the script file 6 Upload file 7 Update wait timings in the configuration 8 Fingerprint the host. In particular, Tandis gathers all the installed security products besides Defender with a WQL query

Plugin-based C++ malware

In addition to the already enumerated scripting implants that WildPressure uses, some findings are related to C++ developments. We discovered several, previously unknown, interconnected modules used to gather data on target hosts in our telemetry. The compilation times seen in this malware precedes our detection date by a large margin, and we therefore consider them to be tampered with.

The plugins we found are rather simplistic. We will therefore focus on the implemented interface between the orchestrator and its plugins.

Orchestrator

SHA1 FA50AC04D601BB7961CAE4ED23BE370C985723D6 File type PE32 executable (console) Intel 80386, for MS Windows File size 87 KB File name winloud.exe

This main module checks for the presence of a configuration file named “thumbnail.dat”. The precise directory of this configuration file varies across Windows versions:

  • %ALLUSERSPROFILE%\system\thumbnail.dat
  • %ALLUSERSPROFILE%\Application Data\system\Windows\thumbnail.dat

The orchestrator uses a timer function that runs every two minutes and parses the configuration file for the plugin file path, function name, etc., and attempts to execute the corresponding plugin.

The overall communication workflow between orchestrator and the plugins

Plugins come in the form of a DLL that exports a function named accessPluginInterface(), which returns a pointer to a class object to the orchestrator. This main module then runs the second function from the virtual functions table, passing it the pointer to instantiated class objects. The plugins we’ve seen so far contained RTTI information.

Fingerprinting plugin

SHA1 c34545d89a0882bb16ea6837d7380f2c72be7209 File type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows File size 194 KB File name GetClientInfo.dll

This plugin gathers really detailed data about the host with WQL queries and creates a JSON with a publicly available library. The data includes OS version and the set of installed hotfixes, BIOS and HDD manufacturers, installed and running software and security products separately, user accounts and network adapters settings, etc. The corresponding executed WQL queries look like this:

SELECT Domain, DomainRole, TotalPhysicalMemory, UserName, SystemType FROM Win32_ComputerSystem SELECT DHCPServer, DNSDomain, MACAddress, DHCPEnabled, DefaultIPGateway, IPAddress, IPSubnet FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled ='TRUE'"

Keylogging and screenshotting plugins

SHA1 fb7f69834ca10fe31675bbedf9f858ec45c38239 File type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows File size 90.5 KB File name Keylogger.dll

 

SHA1 2bb6d37dbba52d79b896352c37763d540038eb25 File type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows File size 78 KB File name ScreenShot.dll

These plugins are quite straightforward. The keylogger sets a WH_KEYBOARD_LL hook to gather the keystrokes and gets clipboard content and Windows titles. The second takes screenshots by timer and by mouse events, setting a WH_MOUSE_LL hook.

Campaign infrastructure

The actor used both VPS and compromised servers in their infrastructure, most of which were WordPress websites. The legitimate, compromised websites served as Guard relay servers. In our previous 2019 investigation, we were able to sinkhole the Milum C2, upiserversys1212[.]com. During our current investigation we managed to sinkhole another Milum C2, mwieurgbd114kjuvtg[.]com. However, we haven’t registered any recent Milum requests sent to these domains with the corresponding main.php or url.php URI.

Domain IP First seen ASN Malware N/A 107.158.154[.]66 2021-04-07 62904, EONIX Milum 185.177.59[.]234 2021-04-07 44901, BELCLOUD 37.59.87[.]172 2014-12-26 16276, OVH 80.255.3[.]86 2019-08-28 201011, NETZBETRIEB mwieurgbd114kjuvtg[.]com 139.59.250[.]183

(Sinkholed) 2021-04-07

(Sinkholed) 14061, DIGITALOCEAN

Legitimate, compromised Guard relay servers:

  • hxxp://adelice-formation[.]eu
  • hxxp://ricktallis[.]com/news
  • hxxp://whatismyserver123456[.]com
  • hxxp://www.glisru[.]eu
  • hxxp://www.mozh[.]org
Who was hit and by whom

We have very limited visibility for the samples described in this report. Based on our telemetry, we suspect that the targets in the same Middle East region were related to the oil and gas industry.

We consider with high confidence that the aforementioned Tandis VBScript, PyInstaller and C++ samples belong to the same authors that we dubbed WildPressure due to the very similar coding style and victim profile. However, another question remains: is WildPressure connected to other threat actors operating in the same region?

Among other actors that we’ve covered in the region Chafer and Ferocious Kitten are worth mentioning. Technically, there’s not much in common with their malware, but we observed some minor similarities with another actor in the region we haven’t described publicly so far. Minor similarities with WildPressure are:

  • The “pk” parameter in HTTP requests to distinguish the Trojan beacons from, for example, scanners;
  • The usage of hacked WordPress websites as relays.

Both tactics aren’t unique enough to come to any attribution conclusion – it’s possible both groups are simply using the same generic techniques and programming approaches.

Learn threat hunting and malware analysis with Denis Legezo and other GReAT experts.

Indicators of Compromise

Milum version 1.6.1
0efd03fb65c3f92d9af87e4caf667f8e

PyInstaller with Guard
92A11F0DCB973D1A58D45C995993D854 (svchost.exe)

Self-decrypting Tandis VBScript
861655D8DCA82391530F9D406C31EEE1 (l2dIIYKCQw.vbs)

Orchestrator
C116B3F75E12AD3555E762C7208F17B8 (winloud.exe)

Plugins
F2F6604EB9100F58E21C449AC4CC4249 (ScreenShot.dll)
D322FAA64F750380DE45F518CA77CA43 (Keylogger.dll)
9F8D77ECE0FF897FDFD8B00042F51A41 (GetClientInfo.dll)

File paths

macOS .plist files
$HOME/Library/LaunchAgents/com.apple.pyapple.plist
$HOME/Library/LaunchAgents/apple.scriptzxy.plist

Config files under Windows
%APPDATA%\Microsoft\grconf.dat
%APPDATA%\Microsoft\vsdb.dat
%ALLUSERSPROFILE%\system\thumbnail.dat
%ALLUSERSPROFILE%\Application Data\system\Windows\thumbnail.dat

Config files under macOS
$HOME/.appdata/grconf.dat

Registry values
Software\Microsoft\Windows\CurrentVersion\RunOnce\gd_system

WQL queries examples
SELECT * FROM Win32_Process WHERE Name = ‘<all enumerated names here>’
Select * from Win32_ComputerSystem
Select * From AntiVirusProduct
Select * From Win32_Process Where ParentProcessId = ‘<all enumerated ids here>’

Milum C2
hxxp://107.158.154[.]66/core/main.php
hxxp://185.177.59[.]234/core/main.php
hxxp://37.59.87[.]172/page/view.php
hxxp://80.255.3[.]86/page/view.php
hxxp://www.mwieurgbd114kjuvtg[.]com/core/main.php

[1] E.g. https://gist.github.com/vaab/2ad7051fc193167f15f85ef573e54eb9 and https://code.activestate.com/recipes/65222-run-a-task-every-few-seconds/

REvil ransomware attack against MSPs and its clients around the world

5 Červenec, 2021 - 15:00

An attack perpetrated by REvil aka Sodinokibi ransomware gang against Managed Service Providers (MSPs) and their clients was discovered on July 2. Some of the victims have reportedly been compromised through a popular MSP software which led to encryption of their customers. The total number of encrypted businesses could run into thousands.

REvil ransomware has been advertised on underground forums for three years and it is one of the most prolific RaaS operations. According to an interview with the REvil operator, the gang earned over $100 million from its operations in 2020. The group’s activity was first observed in April 2019 after the shutdown of GandCrab, another now-defunct ransomware gang. More details about that gang can be found in our articles Ransomware world in 2021: who, how and why and Sodin ransomware exploits Windows vulnerability and processor architecture.

In this latest case, the attackers deployed a malicious dropper via the PowerShell script, which, in turn, was executed through the vendor’s agent:

This script disables Microsoft Defender features and then uses the certutil.exe utility to decode a malicious executable (agent.exe) that drops a legitimate Microsoft binary (MsMpEng.exe, an older version of Microsoft Defender) and malicious library (mpsvc.dll), which is the REvil ransomware. This library is then loaded by the legitimate MsMpEng.exe by utilizing the DLL side-loading technique (T1574.002).

Execution map for the “agent.exe” dropper – Kaspersky Cloud Sandbox

Using our Threat Intelligence service, we observed more than 5,000 attack attempts in 22 countries by the time of writing.

Geography of attack attempts (based on KSN statistics)

REvil uses the Salsa20 symmetric stream algorithm for encrypting the content of files and the keys for it with an elliptic curve asymmetric algorithm. Decryption of files affected by this malware is impossible without the cybercriminals’ keys due to the secure cryptographic scheme and implementation used in the malware.
Kaspersky products protect against this threat and detect it with the following names:

  • UDS:DangerousObject.Multi.Generic
  • Trojan-Ransom.Win32.Gen.gen
  • Trojan-Ransom.Win32.Sodin.gen
  • Trojan-Ransom.Win32.Convagent.gen
  • PDM:Trojan.Win32.Generic (with Behavior Detection)

Section of Kaspersky TIP lookup page for the 0x561CFFBABA71A6E8CC1CDCEDA990EAD4 binary

The vendor whose software was reportedly compromised, issued a special advisory which is being periodically updated.

To keep your company protected against ransomware 2.0 attacks, Kaspersky experts recommend:

  • Not exposing remote desktop services (such as RDP) to public networks unless absolutely necessary and always using strong passwords for them.
  • Promptly installing available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.
  • Always keeping software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities.
  • Focusing your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to the outgoing traffic to detect cybercriminals’ connections. Back up data regularly. Make sure you can quickly access it in an emergency when needed. Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors.
  • Using solutions like Kaspersky Endpoint Detection and Response and the Kaspersky Managed Detection and Response service which help to identify and stop attacks at the early stages, before the attackers reach their main goals.
  • Protecting the corporate environment and educating your employees. Dedicated training courses can help, such as those provided in the Kaspersky Automated Security Awareness Platform. A free lesson on how to protect against ransomware attacks is available here.
  • Using a reliable endpoint security solution such as Kaspersky Endpoint Security for Business that is powered by exploit prevention, behavior detection and a remediation engine that can roll back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.
Indicators of Compromise

agent.cer (encrypted agent.exe)
95F0A946CD6881DD5953E6DB4DFB0CB9

agent.exe
561CFFBABA71A6E8CC1CDCEDA990EAD4

mpscv.dll, REvil ransomware
7EA501911850A077CF0F9FE6A7518859
A47CF00AEDF769D60D58BFE00C0B5421

Do cybercriminals play cyber games in quarantine? A look one year later

1 Červenec, 2021 - 14:00

Last year, we decided to take a look at how the pandemic influenced the gaming industry and what new threats gamers could be facing. What we found was that, with the transition to remote work and remote learning, the number of blocked attempts to visit malicious game-related websites or follow malicious links from legitimate game-related websites and forums, increased by more than 50%. One year later, as the pandemic continues, we decided to revisit the threat landscape for gamers and the gaming industry.

Here’s what we found:

  • Online gamers have become even more active over the past year, and cybercriminals continue to exploit this.
  • Criminals are actively targeting leaders in the gaming industry to retrieve the source code of their games.
  • The games most often used as bait were Minecraft and Counter-Strike: Global Offensive (CS: GO).
They played, they play, and they’ll keep playing

In 2020, the number of gamers worldwide surpassed 2.7 million. According to data from Newzoo, the largest percentage of active users live in the Asia-Pacific.

And the number of video-game enthusiasts just keeps on growing every year. This is reflected in the statistics on the number of active players using the Steam platform. They dropped off slightly after reaching the all-time peak in May 2020 mentioned in our last year’s report. However, they didn’t fall back to pre-COVID levels. At the end of the summer holidays, the number of active users began to grow again reaching an all-time high of almost 27 million players in March 2021.

The number of Steam users per day. Source: steamdb.info

Last year, we also reviewed reports from Steam on the hardware players used and noticed an increase in the share of Intel and AMD graphics cards, which was maintained until spring 2020. This growth suggests hundreds of thousands of work computers were connected to Steam. This year’s report looked at the period from December 2019 to May 2021, which shows that not only were work computers connected to Steam, but they also remained connected. The percentage of Intel and AMD video graphics cards stabilized again, but at the level it had reached at the beginning of the pandemic. Given that the amount of Intel and AMD cards has remained the same while the number of Steam users continues to grow, this means that even more office computers are being connected to Steam.

Source: steampowered.com

What are cybercriminals playing?

There’s been more than just a handful of cybercriminal attacks aimed at the gaming industry over the past year. In May for example, criminals attacked one of Sony’s flagship games — Little Big Planet. The developers were even forced to turn off the gaming servers for a period of time. And not long ago at the beginning of June 2021, one of the largest gaming companies — EA Games — was hacked, with attackers managing to steal the source code for several games. At the same time, the company CD Projekt reported the theft of their data, which could possibly have included the source code for Cyberpunk 2077 and The Witcher 3. Not only can these attacks result in source code falling into the hands of competitors, but the attackers may also discover and exploit previously unknown vulnerabilities in the gaming software.

Cybercriminals aren’t just attacking companies, they’re still attacking gamers too. If you look at the statistics for web antivirus detections on sites that exploit the gaming theme, there was a very notable surge in sites using the names of popular video games and gaming platforms from November to December 2020. This surge is most likely connected with the launch of Cyberpunk 2077. Attackers were probably trying everything they could to exploit the hotly anticipated release by tricking impatient gamers.

The number of web attacks exploiting gaming themes from January 2020 to May 2021. Source: Kaspersky Security Network (KSN) (download)

The list of malicious programs most frequently distributed via purportedly game-related links significantly changed when compared with the previous year. One of the most frequently encountered malware families in such attacks this year was a Trojan called Badur.

At the same time, the set of tricks used by cybercriminals didn’t change substantively. As usual, the malware was disguised as free versions, updates, extensions for popular games or cheat programs.

HEUR:Trojan.MSOffice.Badur.gena 4,72% HEUR:Trojan.Script.Miner.gen 3,02% HEUR:Trojan.PDF.Badur.gena 2,36% HEUR:Trojan.OLE2.Badur.gena 1,57% HEUR:Trojan.Multi.Preqw.gen 1,46% HEUR:Trojan-PSW.Script.Generic 0,86% Trojan-Downloader.Win32.Upatre.vwi 0,82% HEUR:Trojan.Win32.Generic 0,81% HEUR:Trojan.Script.SAgent.gen 0,70% HEUR:Trojan.Script.Fraud.gen 0,43%

The statistics do not take into account the category of threats known as Hacktools, which are usually installed by users themselves but, in some cases, can be used for malicious purposes. Hacktool refers to things like remote access clients, traffic analyzers, cheat programs etc. It’s worth noting that modern cheat programs often use the same technology as malicious programs such as memory injection and the exploitation of vulnerabilities to bypass protection.

Based on the statistics from our web antivirus, cybercriminals are still mainly placing their bets on exploiting Minecraft as a decoy.

The number of attacks that exploited the name of a particular online game, January 2020 — May 2021. Source: KSN (download)

The dynamics of attacks using specific online games as a lure, January 2020 — May 2021. Source: KSN (download)

At the same time, if you look at the attack dynamics during the reporting period you can see that CS: GO is gradually becoming the most popular bait for gamers. Also entering the ratings of the most popular games used as lures are Dota, Warcraft, and PUBG.

The dynamics in attacks exploiting the mobile game Dota are particularly interesting. Last summer, malicious links exploiting the name of this game even climbed to the top spot.

Conclusion

For almost a year and a half of the pandemic, the demand for video games has only continued to increase. The total number of active gamers is approaching 3 billion worldwide, with more and more users connecting their work devices to Steam.

Against the backdrop of this growth in the gaming industry, there’s been a rise in the number of cyberattacks in this sphere. Attackers have taken their trickery to the next level over the past year, now not only targeting gamers but also frequently targeting game developers. In some cases, the cybercriminals have managed to steal source code which may enable them to exploit new vulnerabilities in these games in the future.

To avoid falling victim to these cybercriminals, gamers should remain vigilant: do not trust emails sent on behalf of gaming services, do not enter your account details on dubious resources, and only download games from official sources.