Lucifer Brings Crypto Miner and DDoS Functions to Linux and IoT

What Is It?

In June 2020, we reported on Lucifer, a Windows crypto mining bot capable of participating in DDoS (Distributed Denial of Service) attacks. Researchers at Check Point have since published their analysis of the latest iteration of Lucifer, built for Linux and IoT systems. Check Point found evidence of infections at more than 25 banking, insurance, legal and manufacturing companies in India, Ireland, the Netherlands, Turkey and the U.S.

The analyzed attacks originated from servers the attackers had previously compromised. Web servers are the main target of the Linux version, while exploitation of CVE-2018-10561 in Dasan GPON home routers is currently the most common attack vector for the IoT version.

Researchers found that the current variants are directly related to those described by Trend Micro and Tencent in June 2019 under the names BlackSquid and Spreadminer/Rudeminer, respectively. Comparison of the variants shows that the authors are continuing to develop the malware with additional monetization opportunities, such as the DDoS functionality.

Upon initial execution, the Linux version runs in the background and uses cron to obtain persistence. It then attempts to listen on a specific port number, solely as a mutex to ensure that it is the only instance of the malware running on the host. Depending on whether it is running as root, it raises the process file descriptor limit to the maximum available, so that it can hold enough sockets open to be effective in a DDoS attack. Lucifer then downloads the crypto miner and kills any processes whose names contain specific, hardcoded strings. Finally, it contacts its C2 (command and control) server, uploads details of the system’s resource utilization and waits for instructions. The instructions it accepts include starting and stopping DDoS attacks, downloading and executing a file or a command, starting and stopping crypto mining and providing usage reports.
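The two host-level tricks described above, as an added example that is not Lucifer’s code and not taken from the Check Point report: binding a fixed TCP port purely as a single-instance mutex, and raising RLIMIT_NOFILE as far as the process is permitted so that many sockets can be held open at once. LOCK_PORT and the root-only ceiling are values assumed for the demonstration; the report does not give the port Lucifer uses.

```python
"""Added example (not Lucifer's code): the single-instance port "mutex" and the
file-descriptor limit raise described in the Check Point analysis, as a
defender can reproduce them on Linux. LOCK_PORT is an assumed value."""
import errno
import os
import resource
import socket

LOCK_PORT = 47291  # assumption for the demo only; the real port is not published


def acquire_instance_lock(port=LOCK_PORT, host="127.0.0.1"):
    """Return a listening socket if `port` was free, else None.

    The caller must keep the socket referenced: the "lock" lasts only as long
    as the socket is open. SO_REUSEADDR is deliberately not set, so a second
    bind (from this or any other process) fails with EADDRINUSE."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        sock.listen(1)
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRINUSE:
            return None
        raise
    return sock


def raise_fd_limit(root_target=65535):
    """Raise the soft open-files limit as high as this process is permitted.

    Unprivileged: the soft limit may only go up to the current hard limit.
    Root: the hard limit itself can be raised first (root_target is an
    assumed ceiling for the demo). Returns (old_soft, new_soft)."""
    old_soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if os.geteuid() == 0 and hard != resource.RLIM_INFINITY and hard < root_target:
        try:
            resource.setrlimit(resource.RLIMIT_NOFILE, (old_soft, root_target))
            hard = root_target
        except (ValueError, OSError):
            pass  # kernel ceiling (fs.nr_open) or container policy refused it
    # Linux does not accept an unbounded soft NOFILE limit, so cap at the hard value.
    target = old_soft if hard == resource.RLIM_INFINITY else hard
    try:
        resource.setrlimit(resource.RLIMIT_NOFILE, (target, hard))
    except (ValueError, OSError):
        pass
    new_soft, _ = resource.getrlimit(resource.RLIMIT_NOFILE)
    return old_soft, new_soft


if __name__ == "__main__":
    lock = acquire_instance_lock()
    print("first instance" if lock else "already running")
    print("fd limit raised from %d to %d" % raise_fd_limit())
```

On a suspect host the same two artifacts are what to look for: ss -ltnp shows a listening socket belonging to a process that never accepts a connection, and /proc/<pid>/limits shows a “Max open files” value far above the login default.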

The IoT version sample, written for the ARM processor architecture, was initially uploaded to the VirusTotal service on May 10th. When initially uploaded, none of the products listed on VirusTotal detected the sample. As of the time of writing this Threat Report, this is still the case. Owing to the limitations of IoT platforms, the IoT sample does not contain any crypto mining functionality, with its use being limited to participating in DDoS attacks.

How Does It Propagate?

Only the Windows versions of Lucifer are capable of self-propagation; the Linux and ARM versions are not. The attacks, which originate from attacker-controlled servers, mainly target Linux web servers and Dasan GPON routers.

When/How Did BluVector Detect It?

Seven Linux and IoT Lucifer samples associated with this attack are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown that all samples would have been detected an average of nine months prior to their release, including the ARM IoT sample, which is currently not detected by any product on VirusTotal.

Zeppelin Ransomware Floats Back With New Attacks

What Is It?

In late August 2020, researchers at Juniper Threat Labs discovered a new Zeppelin ransomware campaign, the first for this variant in several months. Juniper found that this campaign was poorly detected by legacy anti-virus applications because of a new downloader component used in the attack chain.

In this latest campaign, the initial attack vector is Microsoft Word documents with malicious macros, sent as email attachments. When opened, a document displays a blurred image of a “medical invoice” with instructions on how to view the “content” of the document; following them enables macros and lets the first stage run. To evade legacy anti-virus applications, an approach that appears to have largely succeeded, this first macro extracts the code of a second macro from what looks like junk text hidden behind the blurred image. The extracted macro runs when the document is closed.

This second macro downloads the actual Zeppelin ransomware from an attacker-controlled domain and saves it to the local hard drive. To evade the automated sandbox tools that endpoint detection vendors rely on heavily, execution of the ransomware is then delayed by 26 seconds.

As with all previous variants going back to VegaLocker, the ransomware will not encrypt files if the infected system is located in Russia or the former Soviet states of Belarus, Kazakhstan and Ukraine. The displayed ransom note provides an email address for victims to contact the attackers and provide one encrypted file which will be decrypted for free.

Zeppelin, first discovered in December 2019 and named for the string ZEPPELIN that it writes into encrypted files, was originally a variant of Buran ransomware, itself a variant of VegaLocker. All of these variants are written in Borland Delphi, which is popular with some malware authors because it can be more difficult to reverse engineer than languages such as C++. All variants have been offered for sale under the Ransomware-as-a-Service (RaaS) model; in the case of Buran, affiliates kept 75% of ransom payments and the authors retained the remaining 25%. The initial Zeppelin campaign targeted IT and healthcare organizations in Europe and the U.S., and its initial infection vector is believed to have been poorly secured, internet-facing Remote Desktop Protocol (RDP) servers.

How Does It Propagate?

This Zeppelin campaign uses what remains the most common attack vector for ransomware, social engineering, in this case malicious Microsoft Word document attachments. The malware does not contain the code necessary to self-propagate.

When/How Did BluVector Detect It?

A total of 49 samples related to this campaign are publicly available – two VBScript samples, 46 malicious Microsoft Word samples and the Zeppelin ransomware sample itself - and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 74 months prior to their release.

Chinese APT Campaigns Target Indian and Hong Kong Users

What Is It?

Researchers from Malwarebytes have released their research into three malicious campaigns they observed in early July 2020. The first two, which occurred within a day of each other, were aimed at Indian government entities; the third targeted users in Hong Kong. Based on the targets, the timing and the techniques used, the researchers believe the attacks originated from a previously undocumented China-based APT group, potentially active since 2014. In each campaign the initial attack vector was a malicious Word document, resulting in either a modified Cobalt Strike variant or the MgBot RAT (Remote Access Trojan). The researchers also found malicious Android RATs believed to be used by the same group.

Two real-world events in late June 2020 strained political relations between India and China. The first was a border skirmish along their disputed shared border in the Himalayas, reportedly resulting in casualties on both sides. Secondly, the Indian government banned 59 Chinese apps, most notably TikTok, on national security and privacy grounds.

The two campaigns aimed at India targeted users with Indian government email addresses. Messages contained a Word document claiming to be a security check required following a leak of email addresses. The document uses “template injection”: rather than carrying a macro itself, it references a remote template that Word fetches when the document is opened, and that template carries the malicious macro. This in turn led to the download and execution of the Cobalt Strike variant or the MgBot RAT.
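A check for the template-injection indicator described above, as an added example (not code from the Malwarebytes research): the remote template is declared as an attachedTemplate relationship in word/_rels/settings.xml.rels, so a .docx can be triaged without opening it in Word. Only the standard library is used; build_sample_docx() produces a constructed fixture, not a real lure document.

```python
"""Added example (not Malwarebytes' code): detect Word "template injection" by
inspecting a .docx for an attachedTemplate relationship whose target would be
fetched over the network when the document is opened."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"
REMOTE_TARGET = re.compile(r"^(https?://|\\\\|//)", re.IGNORECASE)  # URL or UNC path


def find_remote_templates(docx):
    """Return external attachedTemplate targets (URLs/UNC paths) found in `docx`.

    `docx` may be a path or the file's bytes. An External attachedTemplate
    that points at a local template file is normal, so only targets that
    imply a network fetch are reported."""
    if isinstance(docx, (bytes, bytearray)):
        docx = io.BytesIO(docx)
    hits = []
    with zipfile.ZipFile(docx) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                hits.append(target)
    return hits


def build_sample_docx(template_target, external=True):
    """Constructed fixture: the minimum package parts needed to exercise the check."""
    mode = ' TargetMode="External"' if external else ""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="%s" Target="%s"%s/>'
            '</Relationships>') % (PKG_REL_NS, ATTACHED_TEMPLATE, template_target, mode)
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", settings)
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_remote_templates(build_sample_docx("http://example.invalid/security-check.dotm")))
```

UNC targets are reported as well as http(s) ones: a template on an attacker-controlled SMB share also leaks the victim’s NTLM credentials when Word goes to fetch it.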

The third APT campaign, targeting users in Hong Kong, used a lure and associated document based around statements made by UK Prime Minister, Boris Johnson. The statements, made in response to China’s new national security law for Hong Kong, describe provisions for up to 3 million Hong Kong citizens to live and work in the UK. The document again made use of “template injection” which resulted in the installation of the MgBot RAT.

The MgBot malware masquerades as the legitimate Realtek Audio Manager utility. It includes a number of anti-analysis techniques: it checks whether it is running in a VM or under analysis and whether various endpoint security products are present. It connects to its C2 (command and control) server, ironically located in Hong Kong, over port 12800. As expected of a RAT, MgBot can log keystrokes, capture screenshots, manipulate files and folders and control processes on the infected system.

The Android RATs associated with this APT group also communicate with C2 servers located in Hong Kong, using random port numbers. They are capable of geographically locating the infected phone; sending SMS messages; exfiltrating contacts, call logs, SMS messages and browsing history; recording audio via the phone’s microphone and recording screen activity.

How Does It Propagate?

The malware does not contain the code necessary to self-propagate. The attack vector in these campaigns is malicious Word documents attached to spear phishing emails, relying on social engineering to compromise targeted users.

When/How Did BluVector Detect It?

The 14 publicly available samples associated with these campaigns consist of malicious Word documents, the Windows RAT MgBot and an Android RAT. BluVector’s patented Machine Learning Engine (MLE) detected all of these diverse samples. Regression testing has shown that all samples, including those first seen in the wild as early as 2017, would have been detected an average of 34 months prior to their release.

Conti Ransomware Accelerates File Encryption Process

What Is It?

Researchers from Carbon Black’s Threat Analysis Unit (TAU) have analyzed a new ransomware variant they have named Conti, based on the file extension appended to the files it encrypts. The ransomware is designed to access as many files as possible and encrypt them quickly without drawing undue attention to itself.

Using command line parameters, Conti can be run in three modes: encrypt files on the infected system’s local drives, encrypt files on network shares, or both (the default). An additional parameter accepts a text file containing IP addresses or hostnames to be used as the first targets for file encryption. When determining network targets, most ransomware scans the whole network, which not only takes time but is also noisy and can betray the presence of the ransomware. To avoid this, Conti extracts the list of recent network connections the infected machine has made and reduces it to addresses that begin with the prefixes most commonly used for private networks.
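The target-selection logic described above, as an added example that is not Conti’s code and is not taken from the Carbon Black TAU report. It runs over a constructed connection table rather than the live one the ransomware reads from the OS, and it generalizes slightly: the explicit target file is merged in first, then private peers are ordered by how often they were contacted. Public peers and loopback are dropped, which is why no subnet sweep is needed.

```python
"""Added example (not Conti's code): first-target selection from an
operator-supplied list plus recent connections inside RFC 1918 space."""
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of (remote_ip, remote_port) pairs, as a TCP table would list them.
SAMPLE_CONNECTIONS = [
    ("192.168.10.5", 445), ("192.168.10.5", 139), ("10.20.0.7", 445),
    ("172.31.4.9", 3389), ("8.8.8.8", 53), ("127.0.0.1", 5432),
    ("172.32.0.1", 445),   # looks private but 172.32/12 is public space
    ("192.168.10.20", 445),
]


def has_private_prefix(addr):
    """True for RFC 1918 addresses only (not loopback, link-local or CGNAT)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def parse_target_list(text):
    """One IP or hostname per line; blank lines and '#' comments are ignored."""
    targets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            targets.append(line)
    return targets


def select_targets(connections, explicit=()):
    """Explicit targets first, then private peers ordered by connection count."""
    ordered, seen = [], set()
    for host in explicit:
        if host not in seen:
            seen.add(host)
            ordered.append(host)
    counts = {}
    for ip, _port in connections:
        if has_private_prefix(ip):
            counts[ip] = counts.get(ip, 0) + 1
    for ip, _n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if ip not in seen:
            seen.add(ip)
            ordered.append(ip)
    return ordered


if __name__ == "__main__":
    print(select_targets(SAMPLE_CONNECTIONS, parse_target_list("fileserver01\n10.20.0.7\n")))
```

The detection corollary is that the only network activity to expect is SMB traffic to hosts the victim machine had already talked to, so a spike in SMB writes to recently-seen internal peers, with no preceding scan, is the signal to hunt for.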

Conti takes several steps to encrypt as many files as possible on an infected system. It issues almost 150 commands to stop Windows services, mainly those that may hold files open and prevent them from being encrypted, such as database servers. Conti also uses the previously unseen technique of calling the Windows Restart Manager for every file it attempts to encrypt. In normal use, the Restart Manager shuts down applications cleanly and releases their open files when the system is restarting; Conti abuses it to release files that other processes hold open.

For file selection, most ransomware uses a list of file extensions to decide which files to encrypt. Conti instead encrypts everything except executables (.dll, .exe and .sys) and shortcuts (.lnk). It also contains a hardcoded list of directories to skip, and an optional additional exclusion list can be supplied. When encryption begins, Conti creates up to 32 concurrent encryption threads so that all targeted files are encrypted quickly. A text ransom note containing two contact email addresses is dropped in each directory.

How Does It Propagate?

The malware does not contain the code necessary to self-propagate. No specific infection vector is known, though ransomware is often a secondary download, with the initial infection being a malicious Office document attachment. Conti’s optional command line parameters suggest the attackers may also deploy it manually into environments they have already compromised.

When/How Did BluVector Detect It?

The sample analyzed by Carbon Black TAU is publicly available and BluVector’s patented Machine Learning Engine (MLE) detected it. Regression testing has shown the sample would have been detected 26 months prior to its release.

Lucifer Brings Cryptojacking and DDoS Attacks to Unpatched Systems

What Is It?

Researchers from Palo Alto Networks’ Unit 42 have described Lucifer, a new cryptojacking malware they discovered at the end of May 2020. The author named the malware Satan, but that name was already in use for a widely distributed ransomware family, so to avoid confusion Unit 42 renamed it Lucifer. Unlike the average cryptojacking malware, Lucifer can participate in DDoS attacks and uses exploits as both its infection and propagation vectors. It also possesses command and control (C2) functionality.

Though there are more severe potential consequences for a compromised organization than having infected systems mine Monero or join DDoS attacks, Lucifer is a timely reminder that patching remains a critical component of a secure posture. Unit 42 discovered Lucifer while investigating exploitation of CVE-2019-9081 in the Laravel Framework. That vulnerability was disclosed in February 2019 and is the most recent of those Lucifer exploits. The others, found in web servers, frameworks and Windows, are CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, CVE-2018-20062, CVE-2018-7600, CVE-2017-9791, CVE-2017-0144, CVE-2017-0145 and CVE-2017-8464.

Lucifer has multiple self-propagation functions. It carries a hardcoded list of common passwords and uses them to brute force access to systems it finds with Remote Procedure Call (RPC) or MSSQL ports open. If a system has the default SMB port (445) open, Lucifer attempts to spread using the EternalBlue and EternalRomance exploits and the DoublePulsar backdoor, as leaked by the Shadow Brokers in 2017. It also scans for systems vulnerable to the exploits listed above.

On June 11, 2020, a new Lucifer variant added sandbox detection, anti-debugging code and changes to the exploits it contains.

As with the original variant, Lucifer bundles three components: an XMRig miner for x86 systems, an x64 build of XMRig and the SMB exploitation functionality.

How Does It Propagate?

Lucifer has several methods of self-propagation. It attempts to exploit a series of known vulnerabilities for which patches have been available for between one and six years. It also attempts to brute force logins using a hardcoded password list, and it uses the EternalBlue and EternalRomance SMB exploits together with the DoublePulsar backdoor.

When/How Did BluVector Detect It?

The samples listed in the report for the first variant are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown these samples would have been detected an average of 34 months prior to their release.

Multiple new StrongPity APT Attacks Exposed

What Is It?

Within days of each other, researchers at both BitDefender and Cisco Talos have released details of separate campaigns attributed to the StrongPity APT (Advanced Persistent Threat) group. This group, also known as Promethium, has been active since 2012 and has continued to operate undaunted, despite numerous previously published research findings, potentially indicating a nation state-sponsored group. The first of these was in October 2016 by Kaspersky and related to attacks against targets in Italy and Belgium during the middle of 2016. This was followed by a report from Microsoft in December 2016 with Microsoft referring to the group as Promethium. Since then, StrongPity have been the subject of reports from ESET in December 2017, Citizen Lab in March 2018, Cylance in October 2018 and Alien Labs in July 2019.

BitDefender’s report concerns attacks against targets in Turkey and Syria beginning in October 2019. The location of the infected systems and the timing suggest StrongPity was acting in support of Turkish military activity, though any direct affiliation is unknown. A watering hole attack delivered trojanized versions of legitimate applications to users whose IP addresses were of interest; users outside the target IP ranges received the legitimate application. The applications include common, popular software such as 7-Zip, WinRAR, Recuva, TeamViewer, CCleaner and even McAfee Security Scan Plus. The purpose of the malware is to scan for files (generally documents) with specified extensions and exfiltrate them. Researchers also noted that the compilation timestamps of the malware suggest the APT’s operators work normal business hours, Monday to Friday.

The campaign described by Cisco Talos, which they named StrongPity3, began in July 2019. While it mainly targeted users in Canada, Colombia, India and Vietnam, it also infected users in Turkey, South Africa, Russia, Poland, Germany, France, Italy and the Netherlands. The focus of the malware remains the same: locate and exfiltrate all documents from infected systems. StrongPity3 used trojanized versions of Firefox, VPNPro, 5kPlayer and DriverPack. The trojanized Firefox installer aborts if it finds BitDefender or ESET anti-virus software installed on the system.

How Does It Propagate?

The malware does not contain the code necessary to self-propagate. StrongPity has frequently used trojanized versions of legitimate applications, delivered via watering hole attacks, to compromise targets’ systems.

When/How Did BluVector Detect It?

BitDefender’s report contained 133 publicly available samples and Cisco Talos’ report listed 100 publicly available malicious samples. When regression tested, BluVector’s patented Machine Learning Engine (MLE) detected all samples from both campaigns. Average detection was 21 months prior to release in the case of the BitDefender samples and 28 months for the Cisco Talos samples.

Thanos/Hakbit Ransomware Uses RIPlace Evasion Method

What Is It?

A new ransomware, Thanos (named by its creator), was recently described by researchers from Recorded Future as the first ransomware variant to make use of the RIPlace anti-ransomware evasion method.

Details of the RIPlace evasion method were released by Nyotron researchers in November 2019. Nyotron followed responsible disclosure practices, advising numerous endpoint security vendors of the issue six months before publicly releasing the details. RIPlace allows ransomware to bypass the anti-ransomware protections used by endpoint security products and by Windows 10 itself.

RIPlace is a slight variation on the way ransomware normally replaces an original file with its encrypted version: write the encrypted data from memory to a new file, then rename that file over the original. With RIPlace, the ransomware first defines a DOS device name (a symbolic link created with DefineDosDevice) that points at the original file, and passes that device name, rather than the real path, as the rename destination. The file-system filter drivers that anti-ransomware products rely on fail to resolve that destination path, and most products treated the failure as a benign error and let the rename through unseen. The change requires very few lines of code. RIPlace also bypasses the Controlled Folder Access feature built into Windows 10.

Thanos was first discovered in January 2020 and sold on Russian hacker forums, using the RaaS (Ransomware as a Service) model. Researchers believe that Thanos was originally distributed privately in October 2019. Over time the ransomware has continued to be developed, with newer Thanos variants renamed to Hakbit.

As expected of RaaS malware, subscribers are given a builder to create their own variants of the ransomware. It lets them choose options including anti-analysis techniques, the file extensions to encrypt, the extension appended to encrypted files and a specific date and time at which encryption will begin. The scheduling option lets attackers wait until as many endpoints as possible in a network are infected and then have every endpoint encrypt at the same time for maximum impact. Also optional is exfiltration of files of selected types via FTP before encryption, so that the threat of publishing them can be used to pressure the victim organization into paying promptly. The ransomware can also be configured to spread to other systems on the network, using the legitimate PsExec tool and wake-on-LAN magic packets.

One option worth noting is the ability to set a static password for file encryption, rather than the more robust (from the attacker’s point of view) choice of a randomly generated key that is then encrypted with the attacker’s RSA public key. If a static password is used and a sample of the ransomware that encrypted a given set of files is recovered and analyzed, it is highly likely the files can be decrypted without paying. The option may appeal to less skilled attackers, for whom public/private key cryptography might be too advanced.

How Does It Propagate?

If enabled, the malware can use the legitimate PsExec command-line tool to copy and execute the ransomware on other network-connected systems. The most common attack vector for initial ransomware infections remains social engineering, either as malicious attachments or as downloads performed by malicious documents.

When/How Did BluVector Detect It?

A total of 42 publicly available samples of Thanos and Hakbit ransomware were listed in the Recorded Future research. BluVector’s patented Machine Learning Engine (MLE) detected them all, with regression testing showing the samples would have been detected an average of 67 months prior to their release.

Naikon APT Targets Asia Pacific Governments

Researchers from Check Point have detailed cyber espionage activities conducted during the past five years by the Naikon APT (Advanced Persistent Threat) group against the governments of Australia, Brunei, Myanmar, Indonesia, Philippines, Thailand and Vietnam.

What Is It?

Naikon has been observed using several methods to infect targets, all with the goal of installing its backdoor trojan, which Check Point named Aria-body. In an email campaign, the attackers use social engineering to convince recipients to open an attachment, which arrives in one of three forms.

The first is an RTF (Rich Text Format) document weaponized with the RoyalRoad tool; when opened, it drops a loader onto the user’s device, which then downloads Aria-body. The second is a zip file containing a legitimate executable and a malicious DLL that the executable loads (DLL side-loading) and that downloads Aria-body. The third is a RAR archive containing a legitimate executable and the Aria-body DLL itself, with no download stage; Naikon likely used this last option where it knew the recipient’s system would not be able to download files from the internet.

Aria-body is a RAT (Remote Access Trojan), named for strings found in its code. It has the functionality expected of a RAT, such as creating and deleting files and directories, taking screenshots, searching for files, executing files and gathering system information. It has also been expanded over time, with variants adding the ability to gather information about USB devices, keylogging and a proxy. Gathered data is placed in a zip file encrypted with a random eight-character password. The password is then merely obfuscated by XORing it with a single byte and sent as part of the communication with the C2 (command and control) server.
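What that single-byte XOR is worth in practice, as an added example that is not Check Point’s or Naikon’s code: given the obfuscated password bytes from a captured C2 message, all 256 keys are tried and the results filtered for plausibility, then verified against the captured archive. SAMPLE_FIELD is constructed here, not a real capture; the assumptions are that the eight password bytes can be isolated from the message and that the password is alphanumeric.

```python
"""Added example (not Check Point's or Naikon's code): recover Aria-body's
archive password from its single-byte-XOR obfuscated form. SAMPLE_FIELD is a
constructed value; the alphanumeric-password filter is an assumption."""
import io
import string
import zipfile

PASSWORD_LEN = 8
ALLOWED = frozenset(string.ascii_letters + string.digits)  # assumption about the charset


def xor_with_byte(data, key):
    """XOR every byte of `data` with the single byte `key` (self-inverse)."""
    return bytes(b ^ key for b in data)


def recover_password(field):
    """Return (key, password) pairs for every single-byte key that yields an
    all-alphanumeric string. Several keys usually survive the filter, so the
    caller still has to try each one against the archive."""
    if len(field) != PASSWORD_LEN:
        raise ValueError("expected exactly %d obfuscated bytes" % PASSWORD_LEN)
    hits = []
    for key in range(256):
        plain = xor_with_byte(field, key)
        if all(chr(b) in ALLOWED for b in plain):
            hits.append((key, plain.decode("ascii")))
    return hits


def verify_against_archive(zip_bytes, candidates):
    """Try each candidate on the first entry of a captured ZipCrypto archive.
    ZipCrypto's one-byte password check lets a wrong password through roughly
    1 time in 256, so the entry is read to the end and CRC-checked as well."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = zf.namelist()[0]
        for key, pw in candidates:
            try:
                with zf.open(name, pwd=pw.encode("ascii")) as fh:
                    fh.read()
                return key, pw
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None


# Constructed sample: password "q7Lp2xZe" obfuscated with key 0x5A.
SAMPLE_FIELD = xor_with_byte(b"q7Lp2xZe", 0x5A)

if __name__ == "__main__":
    for key, pw in recover_password(SAMPLE_FIELD):
        print("key=0x%02x password=%s" % (key, pw))
```

The point for an analyst is that the exfiltrated archive is recoverable from a packet capture alone: the key is sent alongside the data, and the XOR adds at most a few dozen candidates to check.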

The Naikon APT group was first discovered by researchers at Kaspersky in 2015 and were linked to China’s People’s Liberation Army’s Unit 78020. Their primary focus is gathering intelligence from governments and militaries in the South China Sea and Asia Pacific regions. After a report in September 2015 identified an individual member of Naikon, visible activity from the group appeared to have ceased. However, Check Point found that the group has continued to operate and develop new malware. During 2019 and into 2020, Naikon increased the frequency of its attacks.

How Does It Propagate?

The Aria-body malware does not self-propagate. The attack vector is emails containing malicious attachments that utilize social engineering techniques to convince recipients to open them.

When/How Did BluVector Detect It?

The components of these Naikon attacks have been regression tested against BluVector’s patented Machine Learning Engine (MLE). The malicious DLL files, discovered in February and March 2020, would have been detected an average of 55 months prior to their discovery. Though none of the malicious RTF documents used in these attacks are publicly available, recent RoyalRoad RTF samples similar to those used by Naikon would also have been detected an average of 55 months prior to their discovery. Publicly available samples of the Aria-body malware used in these attacks would have been detected an average of 48 months prior to their discovery.

Cerberus Attacks Via Mobile Device Manager Server

What Is It?

A variant of the Cerberus banking trojan has been used in a targeted attack on a multinational organization’s mobile phones, using an approach not previously seen. Researchers at Proofpoint described an incident in which the organization’s Mobile Device Manager (MDM) server was compromised and then used by the attackers to push the Cerberus banking trojan to the organization’s Android-powered devices. The researchers stated they had not previously seen an MDM server used as the attack vector for mobile malware.

When first executed, Cerberus displays a window purporting to be an update to the Accessibility service, and keeps redisplaying it until the user accepts. With the Accessibility permissions this grants, the malware can select menu options automatically and bypass further user interaction. It then contacts its command and control (C2) server to receive commands and to upload details of the infected device, stolen data and credentials.

How the organization’s MDM server was compromised is not currently known. With control of the server, the attackers quickly began deploying Cerberus and infected 75% of the organization’s Android devices. Because Cerberus can send every credential used on an infected device to its C2, the organization decided to factory reset all mobile devices enrolled with the compromised MDM server. Despite the cost of that decision in time, resources and lost productivity, it was the only option that could ensure all traces of the compromise and the subsequent infections were removed.

Centralized management of endpoint devices is commonplace because of the many advantages it provides when managing a large number of devices in a corporate environment. It has one significant disadvantage, however: if the management server is compromised, every managed device is exposed to compromise through the very update channel it is configured to trust. The most notable example is NotPetya in 2017, whose initial propagation method was a software update for a Ukrainian tax accounting product.

First released in June 2019, Cerberus is sold to attackers under the highly popular MaaS (Malware as a Service) model. The variant used in this MDM distribution attack extends the original banking trojan with RAT (Remote Access Trojan) capabilities. Cerberus gives attackers access to a wide range of sensitive information, including text messages, credentials, call logs, Google Authenticator codes, details of installed applications and the phone unlock pattern, and it logs all keystrokes. Full remote access to the infected device is also possible using the TeamViewer app.

How Does It Propagate?

In this case, the Cerberus variant was distributed by the organization’s own compromised MDM server.

When/How Did BluVector Detect It?

Three publicly available Android samples of the Cerberus banking trojan were listed as IOCs and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected 71 months prior to their release.

Asnarök Exploits Compromised Sophos Firewalls

What Is It?

The newly discovered Asnarök malware avoids the most common infection targets (computers, servers and mobile devices) in favour of a less common but informationally valuable device in any organization’s north-south connectivity: the network firewall.

The attackers exploited a previously unknown SQL injection vulnerability that gave them remote code execution, inserting a single-line command into an existing database table. The command downloaded a shell script from a legitimate-sounding domain and executed it. That script issued several SQL commands to modify values in the database and created additional scripts, one of which ensured the malware would run after each reboot, i.e. persistence.

One of these additional scripts downloaded and executed a malicious Linux ELF binary from the same legitimate-sounding domain. The binary used techniques more commonly seen in Windows malware: it deleted itself from the firewall’s disk, leaving it resident only in memory, and appeared in the process list under a name very close to that of a legitimate process. At a regular interval it attempted to connect to a specific IP address or to another legitimate-sounding domain, from which it attempted to download a second Linux ELF binary used for data exfiltration. A third Linux ELF binary was also downloaded, which attempted to fetch a further shell script; the domain it contacted was not active during the analysis timeframe, but its name led Sophos to call the malware “Asnarök.”
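A triage check for the “delete the binary, stay resident in memory” behaviour described above, as an added example that is not Sophos’s code. On Linux, /proc/<pid>/exe for such a process resolves to a path the kernel suffixes with “ (deleted)”, and the dangling link is easy to enumerate. build_fake_proc() builds a constructed /proc look-alike so the check can be exercised without a live infection; the default proc_root="/proc" is what you would run on a real host.

```python
"""Added example (not Sophos's code): find running processes whose executable
has been unlinked from disk. build_fake_proc() is a constructed fixture."""
import os
import tempfile


def deleted_executables(proc_root="/proc"):
    """List processes whose executable no longer exists on disk."""
    findings = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue  # kernel thread, already exited, or another user's process (EACCES)
        # Real /proc appends " (deleted)"; a plain dangling symlink fails the exists() test.
        if target.endswith(" (deleted)") or not os.path.exists(target):
            try:
                with open(os.path.join(pid_dir, "comm")) as fh:
                    comm = fh.read().strip()
            except OSError:
                comm = "?"
            findings.append({"pid": int(entry), "comm": comm, "exe": target})
    return findings


def build_fake_proc():
    """Constructed fixture: one healthy process and one whose binary was unlinked
    and whose name imitates a legitimate daemon."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    live_bin = os.path.join(root, "usr_sbin_cron")
    with open(live_bin, "w") as fh:
        fh.write("#!/bin/sh\n")
    gone_bin = os.path.join(root, "tmp_payload")
    with open(gone_bin, "w") as fh:
        fh.write("ELF")
    for pid, comm, exe in ((1, "cron", live_bin), (4242, "cr0n", gone_bin)):
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        os.symlink(exe, os.path.join(d, "exe"))
        with open(os.path.join(d, "comm"), "w") as fh:
            fh.write(comm + "\n")
    os.remove(gone_bin)  # the implant unlinks itself; the exe link now dangles
    return root


if __name__ == "__main__":
    for hit in deleted_executables():
        print("pid=%(pid)d comm=%(comm)s exe=%(exe)s" % hit)
```

Run it as root, since an unprivileged user cannot read other users’ exe links. Expect benign hits after package upgrades (a daemon still running the old binary); the malicious case is the one where nothing in the package database ever owned the deleted path.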

Specifically, the attack exploited a zero-day SQL injection vulnerability in Sophos XG firewalls (CVE-2020-12271) to compromise the device. It was discovered after a customer reported a suspicious string visible in the firewall’s management interface and Sophos investigated. As it turned out, on some firewalls the injected SQL command was displayed in the management console, which is what alerted vigilant customers to the suspicious activity.

The data exfiltration malware was specifically designed to collect device system information, as well as firewall usernames and encrypted passwords. This data was temporarily stored on the firewall, before being compressed and encrypted using “GUCCI” as a password and uploaded to a specific IP address. Once uploaded, the temporary file was deleted.

Sophos responded quickly, deploying a hotfix to patch the vulnerability and mitigate further attacks, and published an article detailing the attack, which sought to steal sensitive information from the firewall.

How Does It Propagate?

The Asnarök malware does not self-propagate; the attackers exploited a zero-day SQL injection vulnerability in Sophos XG firewalls to compromise each device.

When/How Did BluVector Detect It?

The two publicly available Linux ELF executable samples used in this attack have been regression tested against BluVector’s patented Machine Learning Engine (MLE); both would have been detected 72 months prior to their release.