Threat Report

Welcome back to the Perch weekly threat report. Over the last week there has been a lot of security related news, but we’re focusing on a ransomware outbreak reported by a state-run utility and spotlighting one of Zeus’ lesser-known offspring, Panda Banker.

Ransomware Demands Flushed by North Carolina Sewer Authority

Disaster recovery plans are essential when attempting to recover from a ransomware attack, as shown recently by Onslow Water and Sewer Authority. That may include ready-to-restore backups or having manual processes in place for different disaster scenarios. If ransomware isn’t a scenario you plan for, you should.

According to an official statement released Monday, October 15, 2018, Jacksonville, North Carolina-based Onslow Water and Sewer Authority (ONWASA) suffered an attack that resulted in malware infection. The company states that on October 4th, they began experiencing persistent virus attacks from Emotet malware. On Saturday, October 13, at 3AM local time, the company states that Emotet dropped Ryuk ransomware, which spread along the network, rapidly infecting databases and files. ONWASA refused to pay the ransom and instead chose to “undertake the painstaking process of rebuilding its databases and computer systems from the ground up.” The attack did not expose customer information, nor did it interrupt water and wastewater services to homes and businesses.

The statement notes that the incident is similar to another ransomeware attack on official county computer systems in Mecklenburg County, North Carolina, which occurred last year. An FBI spokesperson confirmed that they are currently investigating the incident.

The faster a threat is detected the less it costs to remediate. That’s why having threat detection and a SOC in place is key. Had this attack been caught at the initial Emotet infection and stopped, it would have cost less than responding to a ransomware outbreak.

Malware Spotlight: Panda Banker

I heard sunlight is the best disinfectant. So this week we’re decided to shine some light on the well-maintained Panda Banker malware, a variant of the Zeus banking trojan.

Researchers have identified that Panda Banker has been updated numerous times and has remained active since 2016. Recently, Panda Banker is being installed by the Emotet malware. The attack appears in the form of a malspam phishing campaign that uses weaponized Microsoft documents that deploy the payload. Researchers note that financial institutions and other video streaming service/e-commerce company were targeted in Japan. Other primary targets were organizations from United States and Canada.

Researchers note that the malware has a sophisticated attack cycle, combined with heavily coded obfuscation techniques and multi-encryption layering. After execution, it first checks if it is running in a sandbox, then creates a copy of itself. The malware then creates two “svchost.exe” and injects it with the Trojan. It downloads the configuration from its C&C Server and injects a DLL to intercept traffic through API hooking.

Panda Banker uses the Mersenne Twister algorithm to generate a URL to connect to its C&C Server. Panda Banker will lie in wait until the infected browser visits a targeted website, such as an online banking system, credit card company, and blockchain information. The malware will then steal bank or credit card details, personal data, and web wallet information. This campaign shows that financial gain is a major factor in how Trojans are being used by threat actors.

The Perch SOC regularly goes thrunting, a term they lovingly created for threat hunting, for observables in all customer environments. If you’re a customer, good news! We’ve checked your security event data for over 200 indicators related to Panda Banker. We found no signs of Panda Banker being downloaded or smuggling bits out of your environment. At Perch, we enable customers to see further because we give a flock. Below is a list of domains Perch found linked from malspam.

Domains:

• apx[.]email
• carolinegraham[.]me
• carvanadenver[.]com
• carvanamemphis[.]com
• carvananashville[.]com
• colleenmansfield[.]com
• genesisatoxmoor[.]com
• genesiseastlouisville[.]com
• genesisofeaslouisville[.]com
• genesisofindiana[.]com
• genesisofwestlouisville[.]com
• jclgraham[.]com
• laurengraham[.]me
• michaelagraham[.]com
• newlacafe[.]com
• oxmoorusedcars[.]com
• pegasussoilsolutions[.]com
• pegasussoilsolutionsllc[.]com
• sellittooxmoor[.]com
• selltooxmoor[.]com
• zombiedebtslayer[.]com

Resource:

threatvector

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Thursday October 11th 2018