Threat Report

In this week’s threat report, we’re covering some out-of-band critical patches released by Microsoft to prevent code execution, a malspam campaign targeting U.S. utilities, some new variants info stealing malware for Mac, and a 0-day in popular forum software.

Microsoft releases emergency patches

Microsoft released two out-of-band security updates for a remote code execution vulnerability tracked “CVE-2019-1367” and a denial-of-service vulnerability tracked “CVE-2019-1255”.

CVE-2019-1367 allows attackers to execute arbitrary code in the context of the current user. Successful exploitation could gain the same user rights as the current user. The vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. It can be exploited by redirecting the targets to maliciously crafted websites which would trigger a remote code execution if the victim uses a vulnerable version of Internet Explorer.

CVE-2019-1255 is a denial-of-service vulnerability affecting Microsoft Defender. To exploit the vulnerability, attackers need to require execution on the victim system. A denial-of-service is triggered whenever unpatched Microsoft Defender versions improperly handle files. Users and organizations should keep systems up to date with the latest releases to address these vulnerabilities.

Don’t LookBack

An ongoing campaign to spread a new variant of “LookBack” among U.S. based utilities has been observed with at least 17 entities in the U.S. utility sectors targeted from April 5 through August 29, 2019.

The malware is being delivered via phishing emails that purported to be an invitation to take the Global Energy Certification (GEC) exam to trick potential victims. The email contained malicious VBA macros which led to the installation of LookBack.

Once accessed, the VBA macro within the Microsoft Word attachment installs several privacy-enhanced mail (PEM) files on the host. Phishing tactics, techniques, and procedures (TTPs) observed in these campaigns are consistent with previously reported activity.

It is notable that additional macro variables were utilized in the installation of the “libcurl.dll” loader while both the “GUP” proxy tool and sodom configuration file remained the same.

The “libcurl.dll” module contains the LookBack modules which are responsible for configuring the local host proxy and performing remote access Trojan functions.

The samples from recent LookBack samples utilize the same command-and-control server observed in July campaigns.

IP Addresses

103.253.41[.]75
79.141.169[.]3
103.253.41[.]45

Mac info stealing malware melds with Appstockfolio

Two variants of information-stealing Mac malware have been spotted in the wild disguised as a legitimate app, “Stockfolio,” to hide its malicious activities.

The first variant is detected as “Trojan.MacOS.GMERA.A” that contains a Mach object file format (Mach-O) executable which launches a pair of bundled shell scripts in the Resources directory. The “plugin” shell script collects victims’ username, IP address, applications, files in the Documents and Desktop folders, OS installation date, file system disk space, graphic or display information, wireless network details, and screenshots. It then saves the collected information in a hidden file and uploads to “htttps://appstockfolio.com/panel/upload.php.”

Additionally, if a successful response is sent from the URL, it will write the response in another hidden file. The “stock” shell script runs through a series of processes to decrypt and execute the “appcode,” a suspected malware file that contains additional routines. The second variant tracked as “Trojan.MacOS.GMERA.B” also contains an embedded copy of “Stockfolio.app” version 1.4.13 with the malware author’s digital certificate.

Once opened, it will launch the shell script “run.sh,“which collects usernames and IP addresses using a pair of commands, and then sends the collected information to the attackers’ command-and-control server.

In addition to the malware routine, it also drops files including a persistence mechanism and malware execution logs before creating a reverse shell that allows attackers to run shell commands.

vBulletin 0-day released

An anonymous security researcher has published details of a 0-day for vBulletin, which is one of today’s most popular software for internet forum communities. According to their findings, the 0-day is a pre-authentication remote code execution vulnerability that allows an attacker to execute shell commands on the server running a vBulletin installation.

The attacker does not need an account to exploit the vulnerability. It is estimated that tens of thousands of forums are vulnerable to this 0-day, possibly impacting upwards of 1B internet users.

Two sources have confirmed the 0-day exists and works as described, as reported by ZDNet.

At the time of this writing, it is unclear whether the anonymous researcher reported the vulnerability to the vBulletin team or not, nor is it clear their true motive for making it public.

The vulnerability can be exploited only in vBulletin 5.x forum versions. Prior versions are immune.

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Thursday September 19th 2019