Threat Report

Ever wonder what attackers do once they get code execution to your hosts? Easy, they roll out ransomware or crypto miners to maximum effect. This week we’re focusing on rats, ransoms, and miners.

RATS!

Remote access trojans (RATs) on a corporate system may serve as a key pivot point to access information laterally within an enterprise network. By analyzing network metadata, Recorded Future analysts were able to identify RAT command-and-control (C2) servers, and more crucially, which corporate networks were communicating to those controllers.

Researchers from Recorded Futures partnered with Shodan Malware Hunter project to identify active malware controllers for 14 malware families between December 2, 2018 and January 9, 2019. They focused their analysis on a subset of malware — Emotet, Xtreme RAT, and ZeroAccess — to profile RAT communications from third-party organizations to the controllers. You should check out the full analysis on their site.

Trojans and RATs pose significant threats to government and company networks around the world. For instance, the developers behind Emotet continue to innovate and develop modularized functionality to aid propagation efficacy and evade traditional network defenses; resulting in widespread infection which according to a US-CERT alert issued in July 2018, have cost state, local, tribal, and territorial (SLTT) governments up to $1 million per incident to remediate.

Indicators:

Xtreme RAT CnC

101.132.69.78 

116.62.60.109 

212.46.104.104 

196.200.160.201 

198.255.100.74 

192.240.110.98 

Emotet CnC

181.111.60.39 

190.171.237.189 

186.103.219.114 

179.33.30.194 

181.60.57.250 

190.146.169.53 

190.158.193.245 

190.84.160.195 

186.4.167.166 

186.66.93.242 

45.123.3.54 

115.88.75.245 

187.163.183.194 

189.163.1.225 

78.187.173.144 

213.120.119.231 

81.136.148.196 

165.227.213.173 

192.155.90.90 

198.74.58.47 

69.195.223.154 

Ransom demands for world’s largest aluminum manufacturer

Norwegian power and metals giant, Norsk Hydro, is battling an extensive ransomware outbreak on its computers. Norsk Hydro is one of the world’s biggest makers of aluminum with sites in 50 countries. On Tuesday it was stated that ransomware had infected its IT systems in the U.S. and Europe. This cyber-intrusion forced a shutdown of its global computer network to contain the spread. Workers have had to switch to manual operations at its plants or temporarily halt production entirely as a precaution.

Norsk Hydro did not say whether the cyber-plague is limited to office PCs or if embedded industrial control hardware was also infected by the malware. Presumably, the software nasty has encrypted documents and data, and is demanding a ransom be paid to restore the files. It sounds as though the infection, described as “severe” by CFO Ivan Eivind Kallevik, was kept within its office network.

“IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible,” Norsk Hydro said in a statement today. “Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation.”

A company spokesperson told The Register that the infection is believed to have originated in America. Media reports have named LockerGoga as the ransomware culprit, though Norsk Hydro told us that this particular malware is just one of several possible suspects.

So far there is no indication that Norsk Hydro has any plans to pay the ransom, and there’s still no news on restoring the encrypted systems and how long it will impact day-to-day operations.

Norsk Hydro ASA confirmed that a ransomware attack was behind production outages across the aluminum producer’s operations in Europe and the United States.

The perpetrators are still unknown, but the work is similar to other recent breaches. The Norwegian company, one of the world’s biggest aluminum producers, called the situation “quite severe,” and said it was still working to contain the effects. It couldn’t immediately detail how much output had been impacted but said the so-called potlines, which process molten aluminum and need to be kept running 24 hours a day, had switched to manual mode.

This attack does share characteristics with other attacks that have been observed. It’s important to share intelligence so that fewer of us are impacted by new threats. Mining companies are recommended to join information security and analysis sharing groups like MM-ISAC so they can stay aware of threats targeting mining companies.

CryptoSink asks, “How strong is your Kung-Fu?”

Researchers have discovered a new crypto-mining campaign targeting Elasticsearch instances which contain sinkholing capabilities to squash any competing miners.

The aptly named “CryptoSink” malware campaign exploits an Elasticsearch vulnerability from 2014 (CVE-2014-3120) to mine cryptocurrency in Windows and Linux environments, according to F5’s Andrey Shalnev and Maxim Zavodchik.

At the time of the research, just one of the three hard-coded C&C domains was operational, resolving to a server located in China.

However, most interesting was the way it finds and kills any competing crypto-mining malware on the same host.

Typically, attackers do this by scanning running processes to find known malware names, or else looking to see which processes are consuming the most CPU.

“In this case, the malware dropper introduces a more sophisticated tactic to paralyze competitors who survive the initial purge. We’ve called it ‘CryptoSink’ because it sinkholes the outgoing traffic that is normally directed at popular cryptocurrency pools and redirects it to localhost (127.0.0.1) instead,” F5 explained.

“It achieves this by writing the target pools’ domains to the ‘/etc/hosts’ file. In doing so, the competitors’ miners are not able to connect to those cryptocurrency pools and fail to start the mining process, which frees up system resources on the infected machine.”

The malware has another trick up its sleeve, this time to achieve persistence. It renames the original rm binary relating to the Linux “remove” command, to “rmm” and replaces it with a malicious file named “rm”, downloaded from its C&C server.

“Now, each time the user executes the rm command, the forged rm file will randomly decide if it should additionally execute a malicious code, and only then will it call the real rm command (that is, execute the file now that’s now named rmm). The malicious code in the rm binary will check if the cronjob exists and if not, it will be added again,” F5 explained.

“The irony is that even if the infected server’s administrator were to detect the other malicious files and try to remove them, she would probably use the rm command which, in turn, would reinstall the malware.”

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Wednesday March 13th 2019