Paul Scott

Paul Scott
on February 27, 2019

Threat Report Wednesday February 27th 2019

Threat Report

Welcome back to our regularly scheduled weekly threat report. There was malware last week. There is malware this week. And, there will be malware for the foreseeable future. Oh, and malware’s best friend, some vulnerabilities too.

Hackers turn to LinkedIn for More_Eggs

Since mid-2018, a campaign spreading More_Eggs malware has targeted U.S. companies in industries that commonly use online payment portals like retail, entertainment, and pharmacy. More_Eggs spreads via LinkedIn’s legitimate direct messaging service, offering fake jobs to victims and repeatedly following up via email to deliver the backdoor More_Eggs. In direct follow-up emails, the actor pretends to be from a staffing company with an offer of employment. In many cases, the actor points the victim to a fake website that impersonates a legitimate staffing company and hosts the malicious payload. In other cases, the actor uses malicious attachments to directly distribute More_Eggs. The actor uses LinkedIn scraping, multistep contacts with recipients, personalized lures, and multiple varied attack techniques to distribute More_Eggs – indicating increasing effectiveness of layered defenses.

This activity sounds a lot like the near breach of Redbanc, Chile’s interbank ATM network, that we included in a threat report from January 2019. At the time, researchers found the exe downloaded was PowerRatankba and attributed it to Lazarus (aka Hidden Cobra).

Users are advised to exercise caution when viewing messages from suspicious senders, avoid clicking links or attachments from such senders, and employ a blend of antivirus and network security monitoring to best mitigate the risk of attack. The following indicators of compromise were released with researchers’ findings.

Domains

interrafcu[.]com 

onlinemail[.]kz 

secure.cloudserv[.]ink 

api.cloudservers[.]kz 

contactlistsagregator[.]com 

mail.rediffmail[.]kz 

usstaffing[.]services 

tonsandmillions[.]com 

Hashes

2bca33c8be6483aec5cbb29d18c5f626a86205fca92191468b8b1032d38aebea 

2470ac1632546ecf5c9c9d93c6dc088253ba682ba9cf19ae6984b6cee3f8e2b5 

73defd8066549e5b09c509064bc5bd29e77eca2c18d114c0bcf3dfa1cefe6939 

d39cb07e97fd91e75c51f75ccef1a8d7ce8ec8c951943501f981ce98d6319e01 

edb39c4eb28cf526f1e606365cdef009cb9aa8ba99feb448db615326bf495042 

URL

http://204.155.30[.]109/3521.txt 

Malware from OneDrive

When threat actors are considering a campaign, one of the things that must be closely considered is where will the payload be hosted? In malspam campaigns, attackers have an option to include an attachment, but many security solutions scan email for suspicious attachments or strip attachments altogether. For threat actors concerned with their attachments not making it through security controls, they have a choice to include a link and hope they can lure the user into clicking the link, downloading the malicious file, and executing it.

In a recent campaign, researchers observed a familiar lure to download some malicious software PACKING LIST AND LPO DOC.exe, but this malicious software masquerading as a document was being hosted on Microsoft’s OneDrive. This points out some pain for the blue team. Some valid observables here include a Microsoft IP, a Microsoft domain, and a Microsoft URL. Yes, they are valid observables for this campaign, but if you try to use the Microsoft IP and domain as an indicator you will end up with an extremely high ratio of false positive alerts. The best indicators here are the file hash, the dynamic DNS host name, and any IPs not related to Microsoft.

Hosts

onedrive.live[.]com 

fzdrma.bn.files.1drv[.]com 

mamaput.duckdns[.]org 

13.107.42[.]13 

13.107.42[.]12 

104.109.80[.]115 

194.5.99[.]98 

URLs

https://onedrive.live[.]com/download?cid=957F0765635324CF&resid=957F0765635324CF%21112&authkey=ALO82h-kcRIlDpE 

https://fzdrma.bn.files.1drv[.]com/y4mqGKSFaR4gwOEGF-eK-Z78C0qj8sKdRIcOgoH4NQ6E4RQiiYeP8EqyWJC8QnLqsbm0FOYgDZeUvMdZTjvK6bLKBbEGOL8kAydP_ptAmT_a4_n7EBvlyAwbRVYh3CVW2Bbw4T0FjVlROf2YGNPxPGaLhVqVdlQsZ-3BLa4au62qL7ZX9WzVtps1AFaCRlO9ERMaTNSWdGc-UgEvC8ZJOIkdQ/PACKING%20LIST%20AND%20LPO%20DOC.rar?download&psid=1 

Hashes

edcc9542657978e0bb9b9db632b7c1f31a69fb21b729d5137fe2a88abf9497ad 

Chinese ransomware authors move to Russia for reliability

The ransomware author responsible for FilesL0cker Ransomware is jumping ship. Based on discussion from Exploit.in (the Russian forum where Gandcrab was born) the actor said they are moving away from their own ransomware due to technical issues in favor of GandCrab ransomware. The underlying issue is that FilesL0cker could prevent decryption of an infected host’s data even after obtaining the decryption key.

This sounds like a bug in the software that the author cannot figure out. And, it is understandable why it is a concern for the authors. People have learned to pay ransom because they can trust that the files will be decrypted. If your ransomware is not reliably decrypting even with the correct key then you have unhappy customers that tell others, your ransomware will get a reputation, and people will stop paying the ransom. The threat actor’s wallet is probably already feeling the pain of unpaid infections because they understand their Net Promoter Score(NPS) has seriously tanked. I wouldn’t be surprised if FilesL0cker is pretty much doomed at this point. We should expect a rebranding under a FilesL0cker/Gandcrab variant.

Go-lang brute-forcer targets Magento E-commerce sites

E-commerce websites are regularly targeted by online criminals for multiple reasons. Recently, attacks have been conducted via skimmer, which is a piece of code that is either directly injected into a hacked site or referenced externally. This is similar to attacks carried out by the Magecart threat actor we have previously written about. The purpose of this skimmer is to watch for user input, in particular around online shopping carts, and send the perpetrators that data, such as credit card numbers and passwords, in clear text.

Compromising e-commerce sites can be achieved in more than one way. Vulnerabilities in popular Content Management Systems like Magento, as well as in various plugins are commonly exploited these days. But because many website owners still use weak passwords, brute force attacks are a viable option. A recent campaign shows evidence of this. Researchers have discovered a new golang brute forcing malware that focuses in on Magento, phpMyAdmin, and cPanel. A number of Magento sites have been compromised and skimmers have been installed. For an in-depth analysis of this threat check out the research from Malwarebytes.

Two critical patches for Adobe Reader and Acrobat

On February 12, 2019, Adobe released a security patch addressing CVE-2019-7089 in Adobe Reader that can be triggered via a malicious PDF to perform a SMB call-back, revealing an NTLMv2 hash. This could lead to a breach of an organization or a single user.

On February 21, 2019, another vulnerability had been discovered, tracked as CVE-2019-7815 affecting Adobe Acrobat and Reader versions 2019.010.20098. Adobe disclosed the first flaw which raised the risk of an exploit, while the second version looking to exploit the first issue might stumble across it. Users should keep software up to date with timely patches to prevent exploitation. An in-depth technical analysis from researchers is available.


We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Friday February 22nd 2019

Share this on:

Paul Scott

Paul Scott
on February 27, 2019


Perchy Subscribe to our blog