Threat Report
Let’s get going with some of the top threats we’re highlighting this week. Notably, there have been a number of advisories released by different governments related to ongoing campaigns and new critical vulnerabilities.
Watch out for DNS hijacking campaigns
The UK’s National Cyber Security Centre (NCSC) has released an advisory highlighting a large-scale, global Domain Name System (DNS) hijacking campaign.
DNS is the service that translates domain names into the IP addresses of the hosts serving them, so whoever controls an organization’s DNS answers controls where its users end up. The attackers are altering DNS records and resolver settings for exactly that purpose: by hijacking an organization’s DNS they can direct users to attacker-controlled infrastructure, which can lead to user compromise.
Based on Avast telemetry, between February and June 2019 at least 180,000 users in Brazil had their routers compromised and their DNS settings altered.
The NCSC published its guidance on Friday, outlining the risks that come with DNS hijacking and offering organizations advice on protecting themselves.
To detect and prevent DNS hijacking, organizations should monitor which DNS servers their devices actually talk to and ensure that they resolve only through approved resolvers belonging to the organization; a device sending port 53 or 853 traffic anywhere else is a finding worth chasing.
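One way to put that advice into practice, as an added example that is not part of the NCSC guidance or the original report: the script below takes flow-log lines and a resolv.conf-style file and flags any DNS traffic or configured nameserver that is not in the organization’s approved resolver set. The approved resolver addresses, the key=value flow-log format and the sample lines are all constructed for the example; substitute your own resolvers and log parser.

```python
"""Flag devices that resolve DNS through servers outside the organization's approved set."""
import ipaddress
import re
from collections import defaultdict

# Assumed organization resolvers, constructed for this example.
APPROVED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.0.54"),
}
DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS; DoH on 443 needs proxy or SNI logs instead

# Hypothetical key=value flow-log format, constructed for the example.
FLOW_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def parse_flow(line):
    """Parse one flow-log line; return None for malformed lines or non-IP addresses."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    try:
        return {
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "proto": m["proto"].lower(),
        }
    except ValueError:
        return None


def unapproved_resolvers(lines, approved=APPROVED_RESOLVERS):
    """Return {source_ip: {resolver_ip, ...}} for DNS traffic sent anywhere but the approved resolvers."""
    findings = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["dport"] not in DNS_PORTS:
            continue
        if flow["dst"] not in approved:
            findings[str(flow["src"])].add(str(flow["dst"]))
    return dict(findings)


def check_resolv_conf(text, approved=APPROVED_RESOLVERS):
    """Return nameserver entries from a resolv.conf-style file that are not approved resolvers."""
    rogue = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                server = ipaddress.ip_address(parts[1])
            except ValueError:
                rogue.append(parts[1])  # not even an IP address: worth a look
                continue
            if server not in approved:
                rogue.append(parts[1])
    return rogue


# Constructed sample inputs; 192.0.2.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for attacker-controlled resolvers.
SAMPLE_FLOWS = [
    "2019-07-19T10:00:01Z src=10.0.1.15 dst=10.0.0.53 dport=53 proto=udp",
    "2019-07-19T10:00:02Z src=10.0.1.15 dst=192.0.2.10 dport=53 proto=udp",
    "2019-07-19T10:00:03Z src=10.0.1.22 dst=198.51.100.7 dport=853 proto=tcp",
    "2019-07-19T10:00:04Z src=10.0.1.22 dst=203.0.113.80 dport=443 proto=tcp",
    "this line is not a flow record",
]
SAMPLE_RESOLV_CONF = """# constructed /etc/resolv.conf
nameserver 10.0.0.53
nameserver 192.0.2.10   # pushed by a hijacked router's DHCP
search corp.example
"""

if __name__ == "__main__":
    for host, servers in unapproved_resolvers(SAMPLE_FLOWS).items():
        print(f"[!] {host} sent DNS to unapproved resolver(s): {', '.join(sorted(servers))}")
    for server in check_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"[!] resolv.conf points at unapproved resolver {server}")
```

The same approved-set comparison applies to the organization’s public NS and A records as seen from outside (the registrar-level hijack described further down), but that requires live lookups rather than log parsing, so it is left out here.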
In related DNS hijacking news, Extenbro is a new DNS-changer that comes bundled with adware and blocks access to security-related sites, so victims cannot download and install security software to remove the infection.
Extenbro is bundled with Trojan.IStartSurf. The trojan changes the DNS settings of infected systems to hide its presence and, reportedly through PowerShell commands, adds a root certificate to the system.
The trojan modifies the Windows registry to disable IPv6, forcing the system to use the new IPv4 DNS servers, and it modifies Firefox’s user.js file so that Firefox trusts the Windows certificate store, where the rogue root certificate was added. With DNS redirected and a rogue root trusted by the browser, redirected HTTPS sites can be served without certificate warnings.
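The three host changes described above are all checkable. The following is an added example, not code from the original write-up or from any vendor: it parses a Firefox user.js for the preference that makes Firefox trust the Windows certificate store (security.enterprise_roots.enabled), interprets the Tcpip6 DisabledComponents registry value, and diffs the trusted root store against a known-good baseline. Reading the registry and the certificate store is Windows-specific, so those two checks take their inputs as values (read them with winreg or certutil on a real host); the sample user.js, the baseline root list and the suspect root subject are constructed for the example, and the exact registry value Extenbro writes is an assumption, since the report only says it disables IPv6.

```python
"""Check a Windows host for the three Extenbro-style configuration changes."""
import re

# Matches lines such as: user_pref("security.enterprise_roots.enabled", true);
USER_PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_user_js(text):
    """Return {pref_name: raw_value} from the contents of a Firefox user.js file."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def firefox_trusts_os_store(user_js_text):
    """True when user.js enables the pref that makes Firefox trust roots in the OS store."""
    return parse_user_js(user_js_text).get("security.enterprise_roots.enabled") == "true"


def ipv6_disabled(disabled_components):
    """Interpret the DisabledComponents value.

    Registry path: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents
    Per Microsoft's documentation, 0xFF disables all IPv6 components and bit 0x10
    disables IPv6 on all non-tunnel interfaces. Either is enough to force IPv4 DNS.
    """
    return disabled_components == 0xFF or bool(disabled_components & 0x10)


def unexpected_roots(current_subjects, baseline_subjects):
    """Return root-certificate subjects present now but absent from a known-good baseline."""
    return sorted(set(current_subjects) - set(baseline_subjects))


def extenbro_indicators(user_js_text, disabled_components, root_subjects, baseline_roots):
    """Collect human-readable findings; an empty list means none of the indicators fired."""
    findings = []
    if firefox_trusts_os_store(user_js_text):
        findings.append("Firefox user.js enables security.enterprise_roots.enabled")
    if ipv6_disabled(disabled_components):
        findings.append(f"IPv6 disabled via DisabledComponents=0x{disabled_components:02X}")
    for subject in unexpected_roots(root_subjects, baseline_roots):
        findings.append(f"root certificate not in baseline: {subject}")
    return findings


# Constructed sample inputs for the example.
SAMPLE_USER_JS = """// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("security.enterprise_roots.enabled", true);
"""
BASELINE_ROOTS = [
    "CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation",
    "CN=DigiCert Global Root CA, O=DigiCert Inc",
]
SUSPECT_ROOTS = BASELINE_ROOTS + ["CN=Untrusted Example Root, O=Constructed Sample"]

if __name__ == "__main__":
    for finding in extenbro_indicators(SAMPLE_USER_JS, 0xFF, SUSPECT_ROOTS, BASELINE_ROOTS):
        print("[!]", finding)
```

On a real host the baseline should be captured from a clean build of the same image; comparing against a generic public list will flag every legitimate enterprise CA as well.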
These are not the first advisories related to DNS hijacking campaigns we’ve seen this year. Earlier this year, the National Cybersecurity and Communications Integration Center (NCCIC) published an advisory on attackers using compromised credentials to modify organizations’ DNS records at their registrars and DNS providers. This lets the attacker redirect user traffic to attacker-controlled infrastructure and obtain valid TLS certificates for the organization’s domain names, enabling man-in-the-middle attacks that raise no certificate warnings.
Drupalgeddon 3
Is this Drupalgeddon 3? A security update for the Drupal CMS has been released to address a critical access bypass vulnerability, tracked as CVE-2019-6342, that could allow attackers to take over affected sites. US-CERT has released an advisory on this vulnerability.
Attackers can exploit the vulnerability without authentication.
According to usage statistics for Drupal core, 290,958 websites run Drupal 8.x out of a total of 1,093,220. Only Drupal 8.7.4 is affected, and only when the experimental Workspaces module is enabled; 8.7.3 and earlier releases do not contain the flaw.
Users are advised to update to Drupal 8.7.5; disabling the Workspaces module mitigates the issue until the update is applied.
Gamaredon Group finds EvilGnome a home on Linux hosts
A new malware strain dubbed EvilGnome has been observed in the wild. EvilGnome spies on Linux desktop users, harvesting files and downloading and executing further modules.
EvilGnome is disguised as a GNOME shell extension and, at the time of the report, was not detected by any major security product. It also appears to be connected to the Russian-based APT group known as Gamaredon Group.
Gamaredon Group is known for targeting individuals involved with the Ukrainian government, infecting victims with malicious attachments delivered via spear-phishing emails.
The connection rests on infrastructure overlap: EvilGnome uses the same hosting provider, and its command-and-control servers are tied to domains associated with the Russian threat group.
Both also use the same port for connecting to their command-and-control servers over SSH, and two additional EvilGnome servers have domain names that follow the pattern of Gamaredon domains.
Linux desktops are often left without the endpoint monitoring that Windows fleets get, so users should consider security solutions that can track this kind of malicious activity and prevent potential attacks.
SWEED links to Agent Tesla campaign
A large number of ongoing malware campaigns using notable families including Formbook, Lokibot, and Agent Tesla have been observed in the wild and linked to the threat group SWEED.
SWEED is known primarily for deploying information stealers and remote access trojans and has been active since 2017. The actors consistently use spear-phishing emails carrying malicious documents.
In the ongoing campaign, the actors compromise victims with a packed version of the Agent Tesla information stealer.
In the 2017 campaign, the actors placed droppers inside of ZIP archives containing a packed version of Agent Tesla.
In early 2018, SWEED utilized Java-based droppers to obtain information about the infected system and facilitate the download of a packed version of Agent Tesla.
In April 2018, SWEED used a vulnerability in Microsoft .NET framework, tracked CVE-2017-8759, to decode a URL and download a packed version of Agent Tesla hosted on an attacker-controlled Web server.
Around May 2018, SWEED used a Microsoft Office vulnerability, tracked as CVE-2017-11882, an Equation Editor flaw widely used in commodity malware distribution.
In the 2019 campaign, SWEED leveraged spear-phishing emails with malicious attachments to initiate infection. One characteristic common to several SWEED campaigns is the use of various techniques to bypass User Account Control (UAC) on infected systems.
The distribution campaigns linked to SWEED use a limited amount of distribution and command-and-control infrastructure, with the same servers reused across many campaigns over long periods of time. Another recurring element is typosquatting: the domains hosting the packed Agent Tesla binaries distributed over the past few years imitate legitimate domains, usually by swapping visually similar characters, as several of the indicators below show.
According to reports, SWEED targeted companies all over the world.
At this time, it is unclear whether the accounts and individuals associated with SWEED are business associates or customers of one another. However, they all use the same infrastructure in a coordinated manner across domains, rely on the same malware and packers, and operate very similarly.
The following indicators of compromise were released with this report.
Domains
aelna[.]com
blssleel[.]com
quycarp[.]com
mglt-mea[.]com
usarmy-mill[.]com
lnnovalues[.]com
kayneslnterconnection[.]com
aidanube[.]com
sweedoffice-olamide[.]duckdns.org
oralbdentaltreatment[.]tk
cawus-coskunsu[.]com
candqre[.]com
dougiasbarwick[.]com
spedaqinterfreight[.]com
cablsol[.]com
etqworld[.]com
jyexports[.]com
mti-transt[.]com
samhwansleel[.]com
aiaininsurance[.]com
www[.]sweedoffice-olamide.duckdns.org
repotc[.]com
snapqata[.]com
anernostat[.]com
sweedoffice-bosskobi[.]duckdns.org
worldjaquar[.]com
sweedoffice-chuks[.]duckdns.org
regionaitradeinspections[.]com
sukrltiv[.]com
www[.]sweedoffice-kc.duckdns.org
xlnya-cn[.]com
kn-habour[.]com
jltqroup[.]com
zurieh[.]com
crosspoiimeri[.]com
rsaqencies[.]com
wlttraco[.]com
virdtech[.]com
bwayachtng[.]com
sweed-office[.]comie.ru
gufageneys[.]com
zarpac[.]us
willistoweswatson[.]com
sweeddehacklord[.]us
sweed-viki[.]ru
profbuiiders[.]com
sweedoffice-goodman[.]duckdns.org
hybru[.]com
www[.]sweedoffice-chuks.duckdns.org
erieil[.]com
sweedoffice[.]duckdns.org
catalanoshpping[.]com
sweedoffice-kc[.]duckdns.org
serec[.]us
intermodaishipping[.]net
leocouriercompany[.]com
supe-lab[.]com
evegreen-shipping[.]com
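Two practical uses for the list above, as an added example that is not part of the report: refang the defanged indicators and match DNS query logs against them (including subdomains), and score the typosquatted names against the domains they imitate by folding the look-alike characters SWEED used (l for i, q for g) before computing an edit distance. The indicator subset is copied from the list as published; the "legitimate" counterpart domains, the BIND-style log format and the sample log lines are constructed for the example, since the report does not name the companies being imitated.

```python
"""Match DNS logs against the SWEED domain IoCs and flag typosquatted look-alikes."""
import re

# A subset of the defanged domains from the report, copied as published.
SWEED_DOMAINS_DEFANGED = [
    "aelna[.]com",
    "lnnovalues[.]com",
    "kayneslnterconnection[.]com",
    "dougiasbarwick[.]com",
    "spedaqinterfreight[.]com",
    "willistoweswatson[.]com",
    "sweedoffice-kc[.]duckdns.org",
    "www[.]sweedoffice-kc.duckdns.org",
]

# Assumed legitimate counterparts, constructed for this example; the report does
# not say which companies SWEED imitated, so treat these as illustrative only.
LEGIT_DOMAINS = [
    "innovalues.com",
    "kaynesinterconnection.com",
    "douglasbarwick.com",
    "spedaginterfreight.com",
    "willistowerswatson.com",
]


def refang(domain):
    """Turn a defanged indicator such as 'www[.]x.com' back into a real hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


IOC_SET = {refang(d) for d in SWEED_DOMAINS_DEFANGED}


def matches_ioc(qname):
    """True if qname is an IoC domain or any subdomain of one (never a parent of one)."""
    labels = refang(qname).split(".")
    return any(".".join(labels[i:]) in IOC_SET for i in range(len(labels)))


# Hypothetical BIND-style query log line, constructed for the example.
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN\b")


def hits_in_log(lines):
    """Return (client_ip, queried_name) pairs for queries touching an IoC domain."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and matches_ioc(m["qname"]):
            hits.append((m["client"], refang(m["qname"])))
    return hits


# Visually similar characters that appear swapped in the published list
# (l for i, q for g); digits are folded the same way so '1' and '0' match too.
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "q": "g", "0": "o"})


def normalize(domain):
    """Canonical form so that look-alike spellings compare equal."""
    d = refang(domain)
    if d.startswith("www."):
        d = d[4:]
    return d.translate(HOMOGLYPHS).replace("rn", "m")


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(candidate, legit_domains=LEGIT_DOMAINS, max_distance=1):
    """Return (legit_domain, distance) if candidate imitates a legitimate domain, else None.

    The genuine domain is never reported as a look-alike of itself.
    """
    cand_norm = normalize(candidate)
    best = None
    for legit in legit_domains:
        if refang(candidate) == refang(legit):
            return None
        distance = levenshtein(cand_norm, normalize(legit))
        if distance <= max_distance and (best is None or distance < best[1]):
            best = (legit, distance)
    return best


# Constructed sample log lines.
SAMPLE_LOG = [
    "19-Jul-2019 10:01:02.001 client 10.0.1.15#51234: query: mail.lnnovalues.com IN A + (10.0.0.53)",
    "19-Jul-2019 10:01:03.002 client 10.0.1.22#40021: query: sweedoffice-kc.duckdns.org IN A + (10.0.0.53)",
    "19-Jul-2019 10:01:04.003 client 10.0.1.22#40022: query: www.example.org IN AAAA + (10.0.0.53)",
]

if __name__ == "__main__":
    for client, name in hits_in_log(SAMPLE_LOG):
        print(f"[IoC hit] {client} -> {name}")
    for ioc in SWEED_DOMAINS_DEFANGED:
        match = lookalike(ioc)
        if match:
            print(f"[look-alike] {ioc} imitates {match[0]} (distance {match[1]})")
```

The look-alike check is deliberately narrow (edit distance of one after folding): widening it catches more registrations but also starts matching unrelated short domains, so tune max_distance against your own brand list rather than the toy one here.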
We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com