Threat Report

Alright, what’s up this week? A vulnerability in all Intel chips opens the door for stealthy malware, container hosts beware nothing is safe anymore, adware slays macOS gatekeeper, and a new malware variant exploits your antivirus to steal data.

ROP-Roh, Shaggy

Researchers recently discovered a way to abuse Intel Software Guard eXtensions (SGX) enclaves to hide malicious code from security software. Intel SGX is a feature found in all modern Intel CPUs that allow developers to isolate applications in secure enclaves. The only known vulnerabilities impacting Intel SGX enclaves have been side-channel attacks that leaked the data being processed inside an enclave, but researchers exploited this through return-oriented programming (ROP).

Once executed, Intel Transactional Synchronization eXtensions (TSX) allows the malicious enclave to access a wider set of commands that it is normally entitled to. Researchers note that Intel SGX enclaves could be used as a place to hide undetectable malware.

The researchers released the implementations of the paper “Practical Enclave Malware with Intel SGX” to a Github repository. The repository consists of three parts: tap_claw, egghunter, and demo.

• TAP + CLAW – Contains the Intel TSX-based primitives to check whether a page is mapped and writable without using syscalls.
• Egg Hunter – Shows how to use TAP as egg hunter for classical exploits.
• Demo – Uses TAP + CLAW inside a (malicious) Intel SGX enclave to break ASLR of the host application, create a ROP payload, and mount a simple PoC attack (e.g. create a file in the current directory).

RunC vulnerability Critical for Containers

“RunC” is a command line utility that spawns and runs containers. It is used as the default runtime for Docker, containerd, Podman, and CRI-O. A vulnerability found in RunC, tracked as CVE-2019-5736, allows malicious containers to overwrite the host RunC binary and gain root-level code execution on the host machine.

When the hosts’ root is mapped in the container’s user namespace, the container is vulnerable. Researchers have detected approximately “4,000” Docker daemons which have the vulnerability. Users and organizations were advised to update to the latest releases to prevent any potential attacks. A proof-of-concept was posted on Github by user feexd on February 11, 2017. You might want to run this PoC on a host machine you can promptly throw in a flaming dumpster.

Shlayer slays macOS Gatekeeper to Run Unsigned Code

Carbon Black recently discovered “Shlayer” targeting macOS users and disabling the Gatekeeper protection to run unsigned second stage payloads. Shlayer targets all macOS releases from 10.10.5 up to the latest 10.14.3 and will arrive on the target machines as a legitimate signed Apple developer ID to trick victims.

The threat actor has been using legitimate websites to redirect users to a malicious Flash installer, so this is likely a malvertising campaign. Once the user executes the compromised Flash installer, a malicious “.command” script is launched that downloads additional payloads. The final payload contains adware to run on the compromised machine by disabling the Gatekeeper protection mechanism. Researchers released indicators of compromise on GitHub. We have checked these indicators for all Perch users over the last 30 days. While indicators of compromise were seen there was no sign that a Perch user has been infected by Shlayer. If you want to keep reading about Shalyer, check out this article.

Astaroth Exploits Avast to steal data

Cybereason security firm recently discovered a new Astaroth Trojan campaign targeting Brazil and European countries via antivirus software to steal information and load malicious modules. The Astaroth Trojan campaign was phishing based, gaining momentum towards the end of 2018 and identified in thousands of incidents. Researchers observed the actors executing the exploit through “.7zip” archive delivered to the target in the form of an email message attachment or hyperlinks.

Once executed, the malware connects to a C&C server and exfiltrates information about the infected computer. Then, the last stage of attack uses BITSAdmin to grab a payload from another C&C server. Cybereason also noticed security tools that can be exploited through a malicious module in “aswrundll.exe” and used to gather information on compromised machine, and “uninsooo.exe”, a security solution developed by GAS Technologia, which it will also use to collect personal user information without being detected if Avast is not present on the infected computer. We checked all users over the last 30 days, and we saw no signs of compromise within any of our clients’ data related to the indicators of compromise released with this research. Although the revived campaign is currently targeting South America and Europe, it’s only a matter of time before the campaign pivots to North America. If you want to read more about Astaroth there is a great article here.

Lucky number 77 for Windows

On February 12, 2019, Microsoft released a security update for the IE Zero-Day tracked as CVE-2019-0676 that addresses “77 security flaws” across a wide range of products. Microsoft disclosed the flaw after they detected an exploitation attempt against Microsoft Edge to the Azure IoT SDK. CVE-2019-0676 is a flaw which allows an attacker to test for the presence of files on disk. Microsoft fixed two vulnerabilities in the Server Message Block (SMB) protocol that can lead to remote code execution. Then, a vulnerability affecting the DHCP server component included with Windows Servers and a vulnerability known as PrivExchange. It is unclear at present if the vulnerability has been used by cyber criminals in their operations, but it can compromise your DHCP server with a single packet. Users and organizations were advised to update to the latest security patch to address this vulnerability.

BONUS POINTS

With all this talk of malware and browser exploits, you should check out Malwarebytes’ in-depth review of recent exploit kits used to attack browsers and install malware on end user machines.

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Wednesday February 6th 2019