APT41 Serves Up State Hacking with a Side of Personal Gain

Researchers from FireEye have released a detailed report into a Chinese state-sponsored cyber espionage group they have named APT41. Over a period of seven years, the APT41 group has conducted cyber espionage activities against organizations in 14 countries, including the United States, the UK, France, Switzerland, South Korea, South Africa, Turkey, India, Italy and Japan. Targeted organizations belong to various industries including healthcare, media, pharmaceuticals, telecoms, travel, education and retail. Some of those compromises were timed in order to obtain intelligence related to corporate events, such as mergers.

What differentiates APT41 from other state-sponsored groups is that it has also targeted organizations in the video game industry in what appear to be financially motivated attacks, for personal rather than state gain. These attacks date back to 2014 and have run concurrently with the cyber espionage activity. Moreover, APT41 has reused tactics, techniques and procedures developed during its video game industry attacks to improve the success rate of its cyber espionage attacks.

The APT41 group often uses stolen digital certificates to sign its malware, making it far more likely to pass as benign. Legitimately signed malware is also a key component of one of APT41’s preferred attack vectors, targeted supply chain compromises. In June 2018, one supply chain compromise selected specific targets to receive malicious payloads based on MAC address or hard drive serial number.

Researchers found APT41 uses over 46 different types of malware in its campaigns, including rootkits and master boot record bootkits when particularly stealthy methods are required for specific targets. The group is persistent and adaptable, able to reacquire a foothold in an organization within hours or days of a security team removing its malware. As an example, in one year-long campaign APT41 used almost 150 unique pieces of malware, including backdoors, keyloggers, rootkits and information stealers, resulting in the compromise of hundreds of systems.

The malware deployed by APT41 can use genuine websites, such as Microsoft TechNet, Pastebin and GitHub, for command and control (C2) traffic.

How Does It Propagate?

APT41 uses spear phishing and supply chain compromises as its common initial infection vectors. The group is not known to use self-propagating malware, which would be too noisy for its purposes.

When/How Did BluVector Detect It?

All of the 14 publicly available samples were detected by BluVector’s patented Machine Learning Engine (MLE). Regression testing has shown the samples would have been detected an average of 20 months prior to their release.



Filecoder.C Ransomware Attacks Android Devices

What Is It?

Following a long period of decline, a new variant of Android ransomware, imaginatively dubbed Filecoder.C, has been discovered by researchers at ESET. The ransomware has been in the wild since mid-July.

The attackers attempt to social engineer users by creating threads or posts on Reddit and the XDA Developers forum containing links or QR codes for their malicious Android application. The XDA Developers forum is used by developers of Android applications, which seems an odd choice, given that this group might be more wary of downloading Android applications than the average individual.

Once a device is infected with Filecoder.C, it sends text messages to all of the user’s contacts, attempting to socially engineer them into clicking the included malicious link. The messages follow the format “[Contact’s First Name], How can they put your photos in this app, I think I need to tell you, [malicious link]”. The message text is available in 42 languages, and the device’s language setting determines which language is used.

Filecoder.C uses RSA encryption and is cryptographically secure. It will encrypt files with any of 179 file extensions, although it ignores directories whose names contain “.cache”, “tmp” or “temp”. Additionally, likely for performance reasons, it will not encrypt image files smaller than 150 KB or Zip and RAR files larger than 50 MB. The list of file extensions appears to have been taken from WannaCry ransomware samples: it includes file types not used by Android and excludes specific Android extensions such as .apk and .dex. The list of targeted file extensions will likely evolve should further variants be released. Encrypted files have “.seven” appended to their filename.

The ransom note threatens that data will be lost after 72 hours. However, ESET researchers found no indication of this functionality in the code of the malware.

How Does It Propagate?

Initially spread by links in malicious posts to Reddit and an Android developer’s forum, it also spreads by sending text messages containing malicious links to all of the contacts stored on an infected Android device. The attackers utilize social engineering techniques to attempt to convince users to install the malicious Android application.

When/How Did BluVector Detect It?

Two Filecoder.C samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown both samples would have been detected 61 months prior to their release.

Note: BluVector would only detect the malware if the Android device was connected to a corporate network monitored by BluVector.



DoppelPaymer Ransomware Shows Ties to BitPaymer

What Is It?

Researchers from CrowdStrike have recently detailed their findings on a new ransomware variant they have named DoppelPaymer. The ransomware first appeared in June 2019, with victims including the Ministry of Agriculture of Chile and the Texas city of Edcouch. In the case of Edcouch, city officials stated that their backups were also encrypted. Ransom demands of 2, 40 and 100 bitcoin have been observed, the latter currently equivalent to almost US$1 million.

Researchers found numerous similarities with previous versions of BitPaymer ransomware, leading them to believe DoppelPaymer is based on earlier BitPaymer source code and then modified and improved. It is possible that one or more members of the so-called Indrik Spider group have formed their own attack group. Indrik Spider first released BitPaymer ransomware in August 2017 after gaining notoriety for releasing the Dridex banking trojan.

One of the DoppelPaymer improvements is that the file encryption now utilizes multiple threads, allowing it to simultaneously encrypt a number of files, therefore taking less time to fully encrypt an infected system’s files. DoppelPaymer also includes a mechanism designed to defeat automated behavioral malware analysis, such as that used by legacy anti-virus vendors.

The malware will only execute correctly if the correct command line parameter is passed. It calculates a checksum of the first parameter and adds it to a hard-coded value, then uses the result as the location in the code from which to begin executing. The malware will crash if the parameter is incorrect or missing. Researchers found that the hard-coded value differs with each variant.

DoppelPaymer also uses the legitimate ProcessHacker utility, which is embedded, encrypted, within the DoppelPaymer sample. It uses ProcessHacker to terminate processes that might prevent it from successfully encrypting files. To again make reverse engineering of the sample more difficult, the names of these processes are stored as checksums rather than strings. They include various backup processes, numerous Microsoft Exchange processes, Dropbox and the processes of several security products, such as Cylance, McAfee, Malwarebytes, Avast, Fortinet and NOD32.
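An analyst recovers a checksum-obscured process list by hashing a wordlist of plausible process names and matching the results against the values dumped from the sample. The following is an added example, not CrowdStrike’s or BluVector’s code: the report does not name the checksum DoppelPaymer uses, so the example assumes two common candidates (CRC32 over the lower-cased name, and a ROR13 additive hash) and keeps whichever explains the most table entries, and the "extracted" table it matches against is constructed here.

```python
"""Recover a checksum-obscured process-name list (added example).

The write-up does not say which checksum DoppelPaymer uses, so two ASSUMED
candidates are tried; the 'extracted' table below is CONSTRUCTED.
"""
import zlib


def crc32_lower(name: str) -> int:
    """Candidate 1 (assumption): CRC32 of the lower-cased process name."""
    return zlib.crc32(name.lower().encode("utf-8")) & 0xFFFFFFFF


def ror13_upper(name: str) -> int:
    """Candidate 2 (assumption): ROR13 additive hash over the upper-cased name."""
    h = 0
    for byte in name.upper().encode("utf-8"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + byte) & 0xFFFFFFFF
    return h


CANDIDATE_CHECKSUMS = {"crc32(lower)": crc32_lower, "ror13(upper)": ror13_upper}

# Illustrative wordlist drawn from the process categories the report names
# (backup, Exchange, Dropbox, security products); extend from real listings.
WORDLIST = [
    "msexchangeis.exe", "msexchangetransport.exe", "dropbox.exe",
    "cylancesvc.exe", "mcshield.exe", "mbamservice.exe", "avastsvc.exe",
    "fortiesnac.exe", "ekrn.exe", "veeam.backup.service.exe", "sqlservr.exe",
]

# Constructed stand-in for the 32-bit table an analyst would dump from the
# sample: three values built with candidate 1, plus one with no match.
EXTRACTED_TABLE = [
    crc32_lower("msexchangeis.exe"),
    crc32_lower("dropbox.exe"),
    crc32_lower("cylancesvc.exe"),
    0xDEADBEEF,  # placeholder: a name that is not in our wordlist
]


def recover_names(table, wordlist):
    """Try each candidate checksum; keep the one that explains the most entries.

    Returns (checksum_name, {value: process_name}, [unresolved values]).
    """
    best_name, best_hits = None, {}
    for cname, func in CANDIDATE_CHECKSUMS.items():
        lookup = {func(word): word for word in wordlist}
        hits = {value: lookup[value] for value in table if value in lookup}
        if len(hits) > len(best_hits):
            best_name, best_hits = cname, hits
    unresolved = [value for value in table if value not in best_hits]
    return best_name, best_hits, unresolved


if __name__ == "__main__":
    cname, hits, unresolved = recover_names(EXTRACTED_TABLE, WORDLIST)
    print(f"checksum: {cname}")
    for value, name in hits.items():
        print(f"  {value:#010x} -> {name}")
    print(f"unresolved: {[hex(v) for v in unresolved]}")
```

Unresolved values are the leads for the next wordlist iteration; a table that no candidate explains means the checksum itself still has to be lifted from the sample.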

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. However, DoppelPaymer will encrypt files on shared drives. The most common attack vector for ransomware in general is social engineering, either through malicious attachments or through downloads performed by malicious documents. The Dridex 2.0 sample was distributed by Emotet malware and was included by the researchers because of its links to the Indrik Spider group.

When/How Did BluVector Detect It?

One sample each of DoppelPaymer and Dridex 2.0 were listed by CrowdStrike researchers and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown the DoppelPaymer sample would have been detected 57 months prior to its release and the Dridex 2.0 sample 66 months prior.

Who Says Cybercrime Doesn’t Pay?

While cybercrime is just the latest incarnation of theft in the digital age, a recent Dark Reading article reported a new estimate from the Internet Society's Online Trust Alliance that the total financial impact of cybercrime exceeded $45 billion in 2018.

It is so successful that on May 31, 2019, the creators of the GandCrab ransomware announced they were shutting down their Ransomware-as-a-Service (RaaS) operation. While that sounds like great news for the good guys, they claim that they were earning $2.5 million a week and $150 million a year. They also claimed that their ransomware earned over $2 billion in ransom payments since it was introduced in January 2018. While these numbers cannot be independently verified, the authors claim to have essentially laundered that money and are now retiring.

Ransomware made headline news in 2017 with the well-known WannaCry attack. Using an exploit for Microsoft Windows, it encrypted the files on infected computers, and a decryption key was then made available for the end user to purchase with cryptocurrency. The attack was contained, but not without cost. There were 327 payments totaling over $130 million.

While quick thinking found a “kill switch” and helped to mitigate additional infections, the potential damage came to light. Europol estimated that up to 200,000 computers in 150 countries were impacted, including up to 70,000 devices of the National Health Service (NHS) in England and Scotland. Impacted devices included computers, MRI scanners and blood storage refrigerators. In addition, non-critical patients had to be turned away while the attack was underway. Although the attack was contained, it is easy to envision the potential for death or destruction.

Beyond the direct impact on infected enterprises, there is a second group that is directly affected by these attacks: the public. The City of Baltimore, Maryland, was hit with a ransomware attack that began on May 7, 2019. Two months later some of the city’s systems were still unavailable. Citizens were unable to pay their taxes or their water bills. City employees resorted to using personal email accounts. Home buyers and sellers had to wait for the city to implement manual processes for home sales. While the hackers demanded a ransom of about $76,000 in bitcoin, the projected financial impact of the attack is estimated at $18.2 million, and that amount is expected to grow.

While ransomware has faded a bit from the headlines, it still is a persistent threat to enterprises. Over a quarter of UK firms have suffered a ransomware attack over the past year, a major increase on figures from 2016. Ransomware is a threat – and one that enterprises need to be on the constant lookout for.

Sodinokibi Ransomware Targets Oracle Weblogic Vulnerability

[Update Aug. 18, 2019: In the wake of 23 Texas local governments being targeted by ransomware in a coordinated attack on August 16th, ZDNet reports via an “authoritative source” that the threat has been identified as Sodinokibi. If you remember our previous Threat Report, BluVector’s Machine Learning Engine (MLE) had detected Sodinokibi in 100% of the public samples available from early June to mid-July 2019 and, through regression testing, would have detected the ransomware in those samples between 47 and 65 months prior to their release. Based on a report from Carbon Black last week, which listed 122 samples of the latest Sodinokibi variants, BluVector’s MLE successfully detected 100% of the malware at an average of 60 months prior to their release.]

What Is It?

The corporate cyber security equivalent of the old real estate adage, location, location, location, is patch, patch, patch. For some time now attackers have been actively exploiting vulnerabilities quickly after they are disclosed publicly or, in the case of actual zero-day vulnerabilities, prior to disclosure. For many organizations, timely patching is made more difficult by the increasing uptime requirements of systems. However, delays in patching can have significant impacts on organizations. The latest example, as described by researchers at Cisco TALOS, exploits a remote code execution vulnerability in Oracle WebLogic Server to install and execute ransomware with no human interaction required. They found attackers installing a new strain of ransomware dubbed Sodinokibi and also variants of Gandcrab v5.2.

Figure: Sodinokibi config file (redacted)

The Oracle Weblogic vulnerability (CVE-2019-2725) is easy to exploit and does not require authentication, meaning any of the large number of internet-facing Weblogic servers are fair game for attackers. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 9.8 out of 10, demonstrating both its severity and ease of exploitation. While Oracle released a patch for this vulnerability on April 26, TALOS has reported attacks in the wild since April 17.

Once installed, the Sodinokibi ransomware encrypts files, deletes shadow copies to make recovery more difficult and presents a ransom note. The ransom note provides details on how to pay the ransom, which initially amounts to the bitcoin equivalent of approximately US$2,500; the amount doubles if it is not paid in a timely fashion. For some reason, the attackers apparently felt the need, eight hours after the Sodinokibi infection, to install Gandcrab v5.2 on the same systems. This might indicate that the attackers were unsure of the reliability of the new Sodinokibi ransomware.

The BluVector Threat Intel Team reverse engineered one of the Sodinokibi samples in order to extract its configuration. The executing sample was dumped from memory, resulting in a new sample with a compilation date of April 23, 2019. The dumped sample contained a section with the non-standard name “.bja”. This section appeared to contain binary data, preceded by a potential decryption key. By analyzing the code, the decryption routine was identified and executed in isolation; its output was a JSON-formatted configuration file. This configuration includes a base64-encoded version of the ransom note, the file extension to be added to encrypted files and lists of files and directories to be skipped during encryption. Interestingly, the configuration file also contains a list of 1079 seemingly legitimate domain and site names.
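A non-standard section name holding random-looking bytes, as with “.bja” above, is one of the first things triage tooling should surface. The following added example (not BluVector’s tooling) walks the PE section table according to the PE/COFF header layout and flags sections with a name outside the usual compiler set or with near-8-bit entropy; the PE image it scans is constructed in the block, with the standard-name set and the 7.0 entropy threshold being this example’s own choices.

```python
"""Flag oddly named or high-entropy PE sections (added example).
The Sodinokibi dump kept its encrypted config in a section named ".bja";
this walks the PE/COFF section table and reports sections with a non-standard
name or random-looking content. The sample it scans is CONSTRUCTED below."""
import math
import random
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names most compilers and linkers emit; anything else deserves a look.
COMMON_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
    ".pdata", ".bss", ".tls", ".CRT", "CODE", "DATA", "BSS",
}
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 means encrypted or compressed content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def parse_sections(pe: bytes):
    """Return [{name, characteristics, raw}] from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_header_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_header_size  # table follows the optional header
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HEADER, pe, table + 40 * i)
        raw_size, raw_ptr = f[3], f[4]
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "characteristics": f[9],
                         "raw": pe[raw_ptr:raw_ptr + raw_size]})
    return sections


def suspicious_sections(pe: bytes, entropy_threshold: float = 7.0):
    """Return [(section_name, [reasons])] for sections worth an analyst's time."""
    findings = []
    for s in parse_sections(pe):
        reasons = []
        if s["name"] not in COMMON_SECTION_NAMES:
            reasons.append("non-standard name")
        if shannon_entropy(s["raw"]) >= entropy_threshold:
            reasons.append("high entropy")
        if reasons:
            findings.append((s["name"], reasons))
    return findings


def build_pe(sections):
    """Minimal PE image from [(name, raw_bytes, characteristics)]; no optional
    header is emitted (SizeOfOptionalHeader = 0), which is enough for parsing."""
    header_len = 0x40 + 4 + 20 + 40 * len(sections)
    table, body, raw_ptr, vaddr = b"", b"", header_len, 0x1000
    for name, raw, flags in sections:
        table += struct.pack(SECTION_HEADER, name.encode("ascii").ljust(8, b"\0"),
                             len(raw), vaddr, len(raw), raw_ptr, 0, 0, 0, 0, flags)
        body += raw
        raw_ptr += len(raw)
        vaddr += 0x1000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    return dos + b"PE\0\0" + coff + table + body


def constructed_sample() -> bytes:
    """Constructed PE: an ordinary .text plus a '.bja' holding random bytes."""
    rng = random.Random(2019)
    code = b"\x55\x8b\xec\xc3" * 256  # repetitive bytes, low entropy
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return build_pe([
        (".text", code, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (".bja", blob, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ])
```

On a real dump, `suspicious_sections(open(path, "rb").read())` gives the same list; the flagged section is where to look for the key-plus-ciphertext layout described above.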

Figure: Listing of Sodinokibi domains (redacted)

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The attack vector exploits the Oracle WebLogic vulnerability (CVE-2019-2725).

When/How Did BluVector Detect It?

Five samples are publicly available and BluVector's patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 50 months prior to their release.

Beapy Cryptominer Targets Corporate Networks

What Is It?

Symantec first detected the Beapy cryptominer malware in January 2019, and activity has increased since March, with 98% of infections found in corporate networks. Approximately 80% of infections were detected in China, with the remainder in Japan, South Korea, Hong Kong, Taiwan, the Philippines, Vietnam and Bangladesh. A small percentage of infections occurred outside Asia, in the U.S. and Jamaica.

The infection vector is a spam email containing a malicious Microsoft Excel attachment, unsurprisingly, as this is currently the most common infection vector for malware attacks. If a user opens the attachment, the leaked NSA DoublePulsar backdoor is installed on the system, followed by the coinminer itself, using PowerShell commands. Beapy uses multiple methods to propagate through an infected corporate network: a hardcoded list of usernames and passwords, the Mimikatz tool to extract credentials from infected systems, and finally the leaked NSA EternalBlue exploit.

Beapy is an example of attackers returning to file-based crypto miners, after previously focusing on browser-based miners. Browser-based miners were the most popular as even fully patched systems could be targeted as the only prerequisite was an internet-connected browser.

The Coinhive coin mining service, which shut down in early March 2019 after 18 months of operation, had made browser-based coin mining much simpler to perpetrate. The advantage to attackers of file-based mining is the significantly greater return compared to browser-based mining, since a file-based attack can use all the resources of an infected system at all times. As detailed by Symantec, a 100,000-bot browser-based mining botnet running for 30 days could be expected to return a profit of US$30,000, whereas a file-based botnet of the same size, over the same timeframe, could return $750,000.

The recently released Malwarebytes Labs Cybercrime Tactics and Techniques report for Q1 2019 found that cryptomining attacks against home users have nearly ceased. As we predicted in Threat Report Q4 2018, the decline in the value of cryptocurrencies and the lack of stability in the cryptocurrency market have greatly reduced the profit potential and incentive for attackers to target home users’ systems. However, attackers seemingly still find corporate networks offer a sufficient return on investment for cryptomining.

How Does It Propagate?

Beapy utilizes the leaked NSA exploit, EternalBlue, to propagate. The infection vector for this attack is a spam email containing a malicious Microsoft Excel attachment.

When/How Did BluVector Detect It?

Five samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 11 months prior to their release.

Emotet Makes Good Websites Go Bad - Uniden Edition

What Is It?

Legitimate websites are prized by malicious actors as distribution sites for their malware. The primary reason is that a link to a legitimate website is more likely to be clicked on by potential victims. The more well known the organization, the more likely its website or entire domain is whitelisted and less likely to be blocked by security products. There are numerous examples of legitimate websites being compromised that end up serving malware of all types, including trojans and ransomware. In this case, the website of the commercial security division of electronics manufacturer Uniden was compromised.

A threat researcher known by the Twitter handle “JTHL” found malicious Word documents stored in the site’s /wp-admin/legale directory. According to URLhaus, the malicious documents contain a macro that downloads a variant of the Emotet banking trojan (aka Heodo). Within the past year, working with 300 volunteers, the URLhaus project has assisted in the removal or remediation of approximately 100,000 sites distributing malware.

First discovered by security researchers in 2014, the Emotet trojan is mainly distributed by malicious spam emails, containing either an attached Office document with a malicious macro or a simple link to a malicious document.

Favorite lures used in the spam emails to socially engineer users into opening a document or clicking a link include perennial favorites such as unpaid invoices or undeliverable packages. Emotet, initially a banking trojan, has evolved to include theft of cryptocurrency wallets, installation of additional malware and sending of malicious spam from an infected system. The Emotet code is polymorphic, meaning it alters itself each time it is executed, which makes it harder for legacy security products to detect. Emotet can also determine when it is being executed on a virtual machine, which slows down analysis.

How Does It Propagate?

Some Emotet variants do contain the necessary code to self-propagate, exploiting poor passwords on network shares or even the EternalBlue vulnerability used by the devastating WannaCry and NotPetya attacks. The most likely infection vector is malicious spam emails containing a link to the malicious documents hosted on the Uniden website, which users are socially engineered into clicking.

When/How Did BluVector Detect It?

Fifteen malicious Word document samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected the malware in all 15 samples. Regression testing has shown that all samples would have been detected 62 months prior to their release.

GlitchPOS and DMSniff Join Point-of-Sale Malware Category

What Is It?

Researchers at Cisco TALOS and Flashpoint recently reported their findings into two pieces of Point-of-Sale (POS) trojan malware, known respectively as GlitchPOS and DMSniff.

GlitchPOS malware, as detailed by Cisco TALOS, is being marketed by the author similarly to legitimate software. The author has provided screenshots of the control panel, where the user can monitor infections and extracted data. A video showing the malware capturing payment card details is also provided. On a technical level, the malware is packed using Visual Basic with a hidden fake game screen, which extracts the malicious payload. As with most POS malware, the payload is quite small, though it can connect to a command and control (C2) site to register itself, upload stolen card details, update itself, alter its configuration and execute other code.

Despite being in use since late 2015, DMSniff had gone unanalyzed by researchers until now. One aspect that is unusual for POS malware is DMSniff’s ability to dynamically generate the domain name of its C2 site, which makes the malware more resilient to takedowns. After generating the domain name, the malware appends .in, .ru, .net, .org and .com in turn, until a C2 site responds. In common with GlitchPOS and most other POS malware, DMSniff has a list of processes which it will skip when reading system memory looking for payment card details.
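Seen from the resolver, the TLD-cycling behaviour above is one client asking for the same generated label under several of those TLDs within seconds, typically with NXDOMAIN answers until one name resolves. The following is an added detection example, not Cisco TALOS or Flashpoint code: it parses a constructed DNS query log (the line format, the 120-second window and the three-TLD threshold are this example’s assumptions) and raises one alert per client and label that cycles through the DMSniff TLD set.

```python
"""Spot DMSniff-style TLD cycling in DNS logs (added example).

DMSniff generates a C2 label and tries it under .in, .ru, .net, .org and .com
until one answers. From the resolver's side that is one client asking for the
same label across several of those TLDs within seconds, usually with NXDOMAIN
answers until one resolves. The log lines and their format are CONSTRUCTED.
"""
import re
from collections import defaultdict
from datetime import datetime

DGA_TLDS = ("in", "ru", "net", "org", "com")  # order reported for DMSniff
WINDOW_SECONDS = 120   # how close the queries must be to count as one cycle
MIN_DISTINCT_TLDS = 3  # two TLDs for one label is common for real sites

# Constructed format: "<ISO time> <client> q=<qname> rcode=<RCODE>"
LOG_LINE = re.compile(r"^(\S+) (\S+) q=(\S+) rcode=(\w+)$")


def parse_line(line):
    """Return (time, client, label, tld, rcode) or None for unparsable lines."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    label, _, tld = qname.rstrip(".").lower().rpartition(".")
    return datetime.fromisoformat(ts), client, label, tld, rcode


def detect_tld_cycling(lines):
    """Return one alert per (client, label) seen under >= MIN_DISTINCT_TLDS
    of DGA_TLDS inside WINDOW_SECONDS; each alert lists which names resolved."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, label, tld, rcode = parsed
        if tld in DGA_TLDS and label:
            events[(client, label)].append((ts, tld, rcode))

    alerts = []
    for (client, label), evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if (e[0] - start).total_seconds() <= WINDOW_SECONDS]
            tlds = {tld for _, tld, _ in window}
            if len(tlds) >= MIN_DISTINCT_TLDS:
                alerts.append({
                    "client": client,
                    "label": label,
                    "tlds": sorted(tlds, key=DGA_TLDS.index),
                    "resolved": [f"{label}.{t}" for _, t, rc in window if rc == "NOERROR"],
                })
                break  # one alert per client/label pair is enough
    return alerts


# Constructed sample: one infected host cycling a generated label, plus
# ordinary lookups that touch two of the same TLDs and must not alert.
SAMPLE_LOG = """
2019-03-18T10:02:01 10.0.0.5 q=kx7q2ab.in rcode=NXDOMAIN
2019-03-18T10:02:02 10.0.0.5 q=kx7q2ab.ru rcode=NXDOMAIN
2019-03-18T10:02:02 10.0.0.5 q=kx7q2ab.net rcode=NXDOMAIN
2019-03-18T10:02:03 10.0.0.5 q=kx7q2ab.org rcode=NOERROR
2019-03-18T10:02:03 10.0.0.5 q=www.example.com rcode=NOERROR
2019-03-18T10:05:40 10.0.0.9 q=cdn.example.net rcode=NOERROR
2019-03-18T10:05:41 10.0.0.9 q=cdn.example.com rcode=NOERROR
this line is garbage and is skipped
""".strip().splitlines()


if __name__ == "__main__":
    for alert in detect_tld_cycling(SAMPLE_LOG):
        print(alert)
```

The name listed under "resolved" is the one that answered, which is the candidate for blocking and for pivoting into proxy and flow logs.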

Point-of-Sale malware is quite common and designed to infect systems that process credit and debit card transactions for retailers. POS malware has been responsible for numerous high-profile breaches, including Chili’s and Applebee’s restaurant chains during 2018. In fact, the Verizon Data Breach Investigations Report 2018 found that within the hospitality industry, 90% of all breaches were due to POS malware. It also found POS malware breaches were 40 times more likely in the hospitality industry than the overall average.

POS malware continues to be popular with attackers, as it allows them to immediately monetize the intercepted payment card details, either for their own purposes or by selling the data in various "carder" forums found mainly on the dark web. POS terminals are often Windows-based PCs and, because POS software requires limited resources, tend to be older hardware running outdated versions of Windows. Because of the downtime required to patch systems regularly, POS terminals frequently lack recent security patches. As a result, attackers can regard POS systems as soft targets with the potential for significant profit. POS malware generally scans system memory looking for the data captured from the magnetic stripe on payment cards. This data is either stored locally or immediately exfiltrated to the attackers.

How Does It Propagate?

Neither malware contains the necessary code to self-propagate. Specific infection vectors are not known in these cases, though exploitation of remote access software and social engineering via phishing are known to be commonly used in POS malware attacks.

When/How Did BluVector Detect It?

Two samples of GlitchPOS are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown both samples would have been detected 61 months prior to their release. Three samples of DMSniff are publicly available and are also all detected. The average detection time prior to release for these samples is 37 months, due to the age of these samples. This translates into both sets of samples being detected by BluVector’s MLE since December 2013.

Danabot Trojan Evades IDS/IPS Detection

What Is It?

As previously discussed in a threat report in October 2018, the Danabot trojan has been under active development since it was first observed in May 2018. This development has continued as researchers at ESET noted a new version in December 2018 that added email address harvesting and spam sending functions.

The most recent version, discussed in a new ESET blog post, shows that the authors have implemented an entirely new communication protocol for traffic between the malware and its C2 (command and control) host. Previously the C2 traffic was unencrypted. In the new version, several layers of encryption have been implemented. Encrypting the traffic means that existing network signatures, such as those used by traditional intrusion detection systems (IDS) and intrusion prevention systems (IPS), no longer work. This is further complicated as creating new signatures will be significantly more difficult and increasingly prone to false positives.

Encrypting the C2 traffic also means that packet captures created by automated malware analysis sandboxes can no longer be read by security analysts attempting to determine the capabilities of this malware. Manual reverse engineering, which requires significantly more skilled and experienced analysts, will now be needed instead. The authors have also streamlined the architecture, which now consists of only two parts: the loader, which downloads, configures and executes the main payload; and the main payload, together with its plugins for various functions and the configuration files.

The Danabot malware uses numeric campaign IDs to ensure that the relevant configuration files, and the instructions specifying which fields to inject into specific website pages, are used. Campaign IDs currently observed by ESET researchers include one targeting users in both Italy and Poland, one targeting Australia and one specific to Poland.

The C2 traffic encryption in this new Danabot version is an effort by the authors to evade detection by another legacy, signature-based technology, the IDS/IPS. While the BluVector solution includes IDS/IPS functionality, it also contains multiple detection engines, including BluVector’s patented Machine Learning Engine (MLE).

How Does It Propagate?

The malware does not contain the necessary code to self-propagate over a network as a worm would. However, it can potentially spread via malicious spam sent from infected systems. Currently this updated Danabot version is being distributed by malicious spam and by the malware’s own update functionality.

When/How Did BluVector Detect It?

The ESET report contains four publicly available samples and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 49 months prior to their release.

Ursnif Trojan Campaign Uses Steganography and Mario

What Is It?

A new Ursnif campaign discovered by researchers at Bromium, and later reported by media, utilizes a Microsoft Excel file containing a malicious macro, Powershell and an image of the Nintendo character Mario.

There are a few noteworthy aspects of this attack, beginning with the Mario image. The image was not downloaded to be displayed; it carries an obfuscated Powershell script hidden using steganography. Steganography, in computing terms, is a technique for hiding data within the data of another file, most commonly an image file. It is an example of hiding in plain sight, as the image file containing the concealed data still appears normal when viewed.

Also, this campaign is specifically targeted at users in Italy. The malicious Excel macro will terminate if the language is not set to Italian, as will the Powershell script that runs later in the attack chain. The attacker may have considered it humorous to use an image of Mario, an Italian-American character for a campaign specific to Italian users.

The initial Excel file contains the usual request (in Italian) for the user to enable macros in order to view the content. On execution, the macro deobfuscates a Powershell script, which attempts to download a portable network graphics (PNG) formatted image file from one of two hardcoded sites. The script then uses a common steganography technique to extract the embedded data from the image. The extracted data is a Powershell script that uses multiple layers of obfuscation to conceal its final objective, which is to download and execute a variant of the Ursnif trojan.

The image of Mario is a 24-bit RGB PNG file. This means each pixel in the image is represented by an 8-bit value (0-255) for each of the red, green and blue components of the color which, when combined, give a total of 16.7 million possible colors. The steganography technique used here uses the lower four bits of the blue and green components to store the embedded data. The largest number the lower four bits can represent is 15, out of the maximum 8-bit value of 255. This visually translates to very minor variances in color that the human eye will struggle to discern. Additionally, the image uses a multi-colored background, which makes it harder to notice anything amiss (see Fig 1 below).

Fig 1: Part of the Mario image zoomed (the image carries an obfuscated Powershell script)

The basic attack chain here is not uncommon, an Excel file attachment with a malicious macro -> Powershell -> downloads and executes a malware payload. Targeting Italian users specifically and utilizing steganography to hide a component of the attack, and potentially evade signature-based defenses (at least until a signature is created and deployed), makes this significantly less common.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The attack vector here is an Excel attachment containing a malicious macro.

When/How Did BluVector Detect It?

One sample of the malicious Excel file and two Ursnif samples are listed in the blog entry and BluVector’s patented Machine Learning Engine (MLE) detected all three. Regression testing has shown the samples would have been detected an average of 13 months prior to their release.