Threat Report

In this week’s threat report, we’re shining the spotlight on Hoplight and friends, phishing with LokiBot, meeting Purple Fox, juking Windows Defender, and discovering the weak, hardcoded passwords botnets love on the radio.

Hoplight in the spotlight with Electricfish and Bad Call

DHS, FBI, DoD, and CyberCommand have been busy dropping dimes on North Korean state-sponsored hackers, uploading several samples for malware, and RATs.

Eleven samples were released by U.S. CyberCommand related to a trojan known as Hoplight, which has been used in past operations to gather information on victim operating systems. These samples all query the same registry key and use a public SSL certificate for secure communications.

DHS, FBI, and DoD also released malware analysis on the North Korea-linked Electricfish malware and Bad Call trojan. According to the report, “FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation.”

Electricfish implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a tunneling session.

The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network.

Four files were released in the report related to Bad Call trojan. The first three files are 32-bit Windows executables that function as proxy servers and implement a “Fake TLS” method like the behavior described in NCCIC report, MAR-10135536-B. The fourth file is an Android Package Kit (APK) file designed to run on Android platforms as a fully functioning Remote Access Tool (RAT).

Hashes

4257bb11570ed15b8a15aa3fc051a580eab5d09c2f9d79e4b264b752c8e584fc 
93e13ffd2a2f1a13fb9a09de1d98324f75b3f0f8e0c822857ed5ca3b73ee3672 
d1f3b9372a6be9c02430b6e4526202974179a674ce94fe22028d7212ae6be9e7 
edd2aff8fad0c76021adc74fe3cb3cb1a02913a839ad0f2cf31fdea8b5aa8195

Phishing with LokiBot

A new phishing campaign that delivers a LokiBot variant has been spotted in the wild targeting a large U.S. manufacturing company.

LokiBot is known to have been previously delivered as Microsoft Office documents riddled with malicious macros or via RTF docs created to exploit flaws such as the CVE-2017-11882 remote code execution vulnerability.

The malware is being distributed by the spear-phishing attack. The spam email contains a malicious attachment “attache” that is designed to look as urgent requests for quotation to trick potential victims.

Once it compromises the victim’s computer, LokiBot will harvest sensitive information and connect with its command-and-control server via an HTTP POST request.

The IP address 23.83.133[.]8 that is used to deliver phishing emails appears to be registered to LeaseWeb USA, Inc, a Web hosting provider in Phoenix, Arizona.

The IP address appears in two malicious spam attacks that occurred several months earlier. In June, it was involved with malspam to a large German Bakery trying to lure a victim into downloading an electronic invoice. On August 21, a spam campaign spread a malicious Dora The Explorer game executable.

The fileless Purple Fox

Purple Fox is a fileless malware that has affected tens of thousands of users leading up to its initial detection. The new variant retained a rootkit component from the RIG Exploit Kit to use PowerShell delivery for malicious activities.

Once the user accesses a malicious site hosting Rig EK’s landing pages, Purple Fox uses three methods to redirect users to a malicious PowerShell command. First is a Flash (.swf) file that exploits CVE-2018-15982. The second method is two (.htm) files that exploited CVE-2014-6332 and CVE-2018-8174. The third method is an (.hta) file which redirects a user to a malicious PowerShell script.

If the victim has administrative access, the PowerShell script will masquerade an image file, then abuse the msi.dll API to execute Purple Fox.

If the victim does not have administrative privileges, the PowerShell script will abuse a PowerSploit module that exploits CVE-2015-1701 and CVE-20188120. Successful exploitation of the two vulnerabilities will escalate privileges to download and execute Purple Fox.

To deliver the Purple Fox payload, the malware uses a .msi file containing encrypted shellcode.

Successful execution of the payload will restart the system and uses a registry to rename its components.

URLs

http://141.98.216[.]130/1808132.jpg 
http://141.98.216[.]130/pe.jpg 
http://141.98.216[.]130/1603264.jpg 
http://jeitacave[.]org/ps004.jpg 
http://zopso[.]org 
http://141.98.216[.]130/1505132.jpg 
http://141.98.216[.]130/1603232.jpg 
http://nw.brownsine[.]com 
http://141.98.216[.]130/1505164.jpg 
http://141.98.216[.]130/1808164.jpg 

Gootkit jukes Defender on the field

A Gootkit variant in the wild is bypassing Windows Defender by setting path exclusions. Gootkit is a Trojan that infiltrates a system, to steal financial details.

This new variant uses a UAC bypass and WMIC commands to help the remain undetected by Microsoft’s security software.

To perform the evasion, Gootkit first checks if the Windows Defender is enabled. If enabled, Gootkit will execute a command to infiltrate and avoid detection on the system.

Once executed on the machine, Windows Defender will be unable to scan the path and detect the malware’s malicious activities.

1M IoT radios vulnerable

Imperial Dabman IoT radios have a weak password (I’ll give you one guess what it is) that could allow a remote attacker to achieve root access to the gadgets’ embedded Linux BusyBox operating system.

The issue (CVE-2019-13473) exists in an always-on, undocumented Telnet service (Telnetd) that connects to Port 23 of the radio. The Telnetd service uses weak, hardcoded passwords, which can be brute forced easily. Researchers said that the password compromise only took 10 minutes using ncrack because the password was “password.”

From there, an attacker can gain unauthorized access to the radio and its OS.

The researchers also found a second vulnerability (CVE-2019-13474) in the AirMusic client onboard the device, which allows unauthenticated command-execution.

“Using the mobile application on Apple iOS in combination with the port scan result shows us by intuition that the AirMusic client may be connecting on port 80 through 8080 httpd to send and receive commands,” the researchers said.

“In the worst case, a remote attacker could modify the system to spread remotely ransomware or other malformed malicious viruses/rootkits/destructive scripts. He can also use the web server to be part of an IoT botnet.”

The weak password and code execution flaws “[affect] a huge number of models in the Imperial and Dabman web radio series,” according to the researchers, who said more than a million devices are at risk.

Telstar said that it is “discontinuing the use of Telnet” going forward and they will now hardcode their weak passwords into encrypted protocols, like SSH. Telstar has released manual binary patches that none of their customers will be able to figure out.

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Wednesday September 4th 2019