Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-12-18 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Actor using Rig EK to deliver Qbot

Published: 2015-12-18
Last Updated: 2015-12-18 22:28:21 UTC
by Brad Duncan (Version: 1)
0 comment(s)

Introduction

On Thursday 2015-12-18 during a Rig exploit kit (EK) infection in my lab environment, I saw the same infection chain patterns from a criminal group I hadn't noticed in a long time.

This appears to be the same actor that was using Sweet Orange EK to distribute Qbot malware in 2014 and early 2015 [1, 2, 3].  Why?  Because the same type of obfuscation is used to generate the gate URL that I saw last year.  The payload is also the same that I've seen from this actor (Qbot).

This actor appears to be using Rig EK now.  Let's take a closer look at the infection traffic.


Shown above: Flow chart for today's infection by this actor.

The traffic

The EK traffic was identified as Rig EK when I read a traffic of the traffic using Snort 2.9.8.0 with the Snort registered rule set.  It was also identified as Rig EK when I used tcpreplay in Security Onion using the EmergingThreats (ET) Pro ruleset.

The ET Pro rule set also identified HTTP and FTP traffic caused by Qbot malware after the Windows host was infected through Rig EK.


Shown above: A pcap of the traffic filtered in Wireshark.


Shown above: Alerts from the traffic using the ET Pro ruleset.


Shown above: Alerts from the traffic using the Snort subscriber ruleset.

Gate traffic

How does this actor generate the gate URL from the compromised website?  It's done through injected script that uses several obfuscation tricks.  One of the HTTP GET requests to the compromised website returned a .js file withe the malicious script tacked on the end of it.  If you look at the TCP stream for this HTTP GET request in Wireshark, it'll look like garbage, because the data is gzip-compressed.


Shown above: HTTP GET request for the .js file when viewing the TCP stream in Wireshark.

You'll neet to export HTTP objects from the pcap to look at the actual .js file.  When I opened the extracted .js file in a text editor, I found the malicious script at the end of it.


Shown above: Malicious script in .js file from the compromised site.

In the above image, the end of the normal .js file is highlighted in orange near the top.  Everything after that is the injected malicious script.  I've highlighted code for the gate URL in yellow.  How do you translate that to the actual gate URL?  It uses both unicode and hexadecimal obfuscation for some of the letters in the URL.  There's also a j7aMn function that's previously defined earlier in the script, and that's used to generate other letters in the gate URL.


Shown above: How to resolve some of the obfuscation for the gate URL.

The gate URL returns a variable called main_color_handle.  This contains a long string of characters that the earlier malicious script uses to get the Rig EK landing page URL.  First, you'll have to take everything away except 0 through 9 and a through f from the variable.  Then translate the result from hexadecimal to ASCII.  That's how you'll find the EK landing page.


Shown above: How to get the EK landing page URL from data returned by the gate.

Final words

Today's Rig EK example follows the same traffic patterns that I've examined many times before.  Of note, the gate IP address and domain name in this example was st.dynamicwords.us on 192.185.21.183 which has been active with the same gate URL traffic patterns since 2015-12-02 [4].


Shown above: VirusTotal results showing recent URLs on 192.185.21.183.

Pcap and malware samples used in this diary are available here.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://www.malware-traffic-analysis.net/2014/10/27/index2.html
[2] https://isc.sans.edu/forums/diary/An+Example+of+Evolving+Obfuscation/19403/
[3] http://malware-traffic-analysis.net/2015/02/09/index2.html
[4] https://www.virustotal.com/it/ip-address/192.185.21.183/information/

Keywords:
0 comment(s)

ScreenOS vulnerability affects Juniper firewalls

Published: 2015-12-18
Last Updated: 2015-12-18 16:21:38 UTC
by Brad Duncan (Version: 1)
4 comment(s)

Earlier today, we were notified of a vulnerability in an operating system named ScreenOS used to manage firewalls sold by Juniper Networks.  Yesterday, Juniper Networks announced that ScreenOS contains unauthorized code that surreptitiously decrypts traffic sent through virtual private network (VPN) connections [1].

The vulnerability has been designated as CVE-2015-7755.  Juniper's Security Incident Response Team (SIRT) strongly recommends users upgrade to a fixed release of ScreenOS to resolve these critical vulnerabilities [2].

Juniper firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and should be patched immediately.

A notification has come out through the US CERT [3].  Some other sources have also issued reports about it [4, 5].

See the CVE link above or references below for more information.

References:

[1] http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554
[2] http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713
[3] https://www.us-cert.gov/ncas/current-activity/2015/12/17/Juniper-Releases-Out-band-Security-Advisory-ScreenOS
[4] http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/
[5] https://threatpost.com/juniper-finds-backdoor-that-decrypts-vpn-traffic/115663/

Keywords:
4 comment(s)

TeslaCrypt ransomware sent using malicious spam

Published: 2015-12-18
Last Updated: 2015-12-18 01:09:30 UTC
by Brad Duncan (Version: 1)
4 comment(s)

Introduction

Since late November 2015, malicious spam (malspam) distributing TelsaCrypt ransomware has surged in a recent attack offensive [1].  This offensive is on-going.  Criminal groups are sending out massive amounts of emails containing attachments with zipped .js files.  These zipped .js files--called Nemucod by ESET and some other security vendors [2]--download and install the TeslaCrypt ransomware.

This is no different from other zipped .js file downloaders that I've already posted diaries about [3, 4].  The only difference is the payload.  Below is a flow chart for TeslaCrypt infections caused by this malspam.

As the malspam continued, other sources began reporting about it [for example: 5, 6, 7, 8, 9].  Two of my favorite sites for malspam analysis have good information on this campaign: Dynamoo's Blog [references 10 through 18] and TechHelpList.com [references 19 through 28].  Every day or two, these two blogs have reported on these waves of TeslaCrypt malspam.

Reviewing my organization's spam filters, I've found a few of these emails spreading TeslaCrypt; however, I've heard a great deal more about it from other security professionals.  Let's review an example from Thursday 2015-12-17.

The email

Thursday's wave of emails had Required your attention as the subject line as shown in the image below.

The zip attachment contains a .js/nemucod file downloader.

The extracted .js file is quite obfuscated.  For me, the quickest way to find out what it downloads is to run it in a test environment.

The infection

Running this malware on an unpatched Windows 7 host quickly gave me a TeslaCrypt infection.


Shown above:  Desktop of the Windows host after a TeslaCrypt infection.

Encrypted files are given the suffix .vvv which indicates this was version 2.2 of TeslaCrypt [1].  Below are images of the files dropped on the desktop of my infected Windows 7 host.

The traffic

Traffic is pretty straight-forward for a .js file downloader infecting a host with TeslaCrypt ransomware.


Shown above:  A pcap of the infection traffic filtered in Wireshark.

First is the HTTP GET request caused by the .js file downloader to retrieve the TeslayCrypt binary.


Shown above:  .js file downloader retrieving the TeslayCrypt binary.

Next we see a connectivity check by the infected host as it calls out to determine its public IP address.


Shown above:  The infected host checking its IP address.

 

Finally, the infected host calls back to a command and control server.


Shown above:  Callback traffic from the infected host.

I read a pcap of the traffic using snort on a Debian 7 host running Snort 2.9.8.0 with the Snort subscriber ruleset.  That gave me alerts for the TeslaCrypt binary being downloaded to the host right before it was infected.


Shown above:  Alerts from the traffic using the Snort subscriber ruleset.

I also used tcpreplay on a pcap of the infection traffic in Security Onion with the EmergingThreats (ET) Pro ruleset.  The ET alerts still show the malware as AlphaCrypt, which is what TeslaCrypt ransomware was calling itself earlier this year.


Shown above:  Alerts from the traffic using the ET Pro ruleset.

Final words

This is a notable trend, but it's not a serious threat.  Properly-administered Windows hosts and a decent mail filtering system should protect users from getting infected by the malspam.  However, this type of campaign is apparently profitable for the criminals behind it.  Why?  Somewhere, people's computers are getting infected because of the TeslaCrypt malspam.  Otherwise, why would it continue?

Pcap and malware samples used in this diary are available here.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://www.symantec.com/connect/blogs/major-teslacrypt-ransomware-offensive-underway
[2] http://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/
[3] https://isc.sans.edu/forums/diary/Malicious+spam+with+zip+attachments+containing+js+files/20153/
[4] https://isc.sans.edu/forums/diary/Malicious+spam+continues+to+serve+zip+archives+of+javascript+files/19973/
[5] https://heimdalsecurity.com/blog/security-alert-teslacrypt-infections-rise-spam-campaign-hits-companies-europe/
[6] http://www.computerworld.com/article/3015454/security/teslacrypt-ransomware-attacks-are-increasing.html
[7] http://www.infosecurity-magazine.com/news/teslacrypt-reappears-with-savvy/
[8] http://www.csoonline.com/article/3015498/security/attacks-using-teslacrypt-ransomware-intensify.html
[9] http://www.computing.co.uk/ctg/news/2439008/teslacrypt-criminals-launch-very-strong-spam-campaign-to-spread-crypto-malware
[10] http://blog.dynamoo.com/2015/12/malware-spam-november-invoice-60132748.html
[11] http://blog.dynamoo.com/2015/12/malware-spam-invoice-from-passion.html
[12] http://blog.dynamoo.com/2015/12/fake-fretter-inc-leads-to-teslacrypt.html
[13] http://blog.dynamoo.com/2015/12/malware-spam-foreman-ltd-last-payment.html
[14] http://blog.dynamoo.com/2015/12/malware-spam-invoice-66626337ba2deb0f.html
[15] http://blog.dynamoo.com/2015/12/malware-spam-your-order-12345678-11.html
[16] http://blog.dynamoo.com/2015/12/malware-spam-reference-number-89044096.html
[17] http://blog.dynamoo.com/2015/12/malware-spam-unpaid-invoice-from.html
[18] http://blog.dynamoo.com/2015/12/malware-spam-required-your-attention.html
[19] https://techhelplist.com/spam-list/996-invoice-from-cimquest-ingear-malware
[20] https://techhelplist.com/spam-list/997-your-order-corresponding-invoice-malware
[21] https://techhelplist.com/spam-list/999-invoice-from-datacorp-inc-malware
[22] https://techhelplist.com/spam-list/1000-reference-number-last-payment-notice-malware
[23] https://techhelplist.com/spam-list/1002-payment-request-ref-nr-2015-malware
[24] https://techhelplist.com/spam-list/1003-invoice-our-finance-department-malware
[25] https://techhelplist.com/spam-list/1005-agri-basics-invoice-and-malware
[26] https://techhelplist.com/spam-list/1007-reference-number-notice-of-unpaid-invoice-malware
[27] https://techhelplist.com/spam-list/1009-unpaid-invoice-from-staples-inc-ref-urgent-notice-malware
[28] https://techhelplist.com/spam-list/1014-required-your-attention-special-prices-malware

Keywords:
4 comment(s)
Diary Archives