Activity Summary – Week Ending August 10, 2018

Fortinet has a culture of innovation. It isn’t more evident than at the BlackHat conference held this week in Las Vegas, where FortiGuard Labs researcher Kai Lu presented his application behavior monitoring tool called FortiAppMonitor for macOS.

Fortinet developed the FortiAppMonitor tool for macOS to address the need for application behavior monitoring to ensure analysis of macOS applications are more efficient and effective – in particular malicious applications. Users need a simple and user-friendly application behavior monitoring tool that can quickly capture the behaviors of applications and better understand what they do. FortiAppMonitor can monitor file operations such as file open, read, write, rename, and delete operations.

FortiAppMonitor can monitor network communications over both IPv4 and IPv6. Network communications are monitored using Socket Filter, which is a powerful mechanism that enables the interception of network and IPC traffic in the kernel’s socket layer. The tool can also monitor the loading of .dylib files. A .dylib file is a Dynamic Library file that an application references during runtime in order to perform certain functions on an as-needed basis.

FortiAppMonitor can monitor the loading/unloading of kernel extensions (or KEXT). A kernel extension is a dynamically loaded bundle of executable code that runs in kernel space. Users can create a KEXT to perform low-level tasks such as low-level device drivers that cannot be performed in user space.

For more detail on this powerful, innovative tool, please read the Fortinet blog.

Application Vulnerabilities / IPS

ZmEu.Vulnerability.Scanner – Our IPS signature, ZmEu.Vulnerability.Scanner, detects attempts of exploitation of phpMyAdmin and SSH brute-force attempts and leaves a back door for further compromise. ZmEu is a tool that was developed by Romanian hackers to scan web servers running vulnerable versions of the MySQL administration software (phpMyAdmin) in order to take control of those servers. FortiGuard Labs has observed stable activity by hacktivists and blackhats using ZmEu throughout the past several months. To secure web servers against this threat, FortiGuard Labs recommends updating to the latest version of phpMyAdmin. The United States (19%), Japan (5%), and Taiwan (4%) have seen the highest levels of activity this week.

Signatures: ZmEu.Vulnerability.Scanner

WebRTC.Local.IP.Addresses.Disclosure – Our IPS signature WebRTC.Local.IP.Addresses.Disclosure, detects attempts to obtain the IP address of a user through exploitation of WebRTC in various browsers (CVE-2018-6849). WebRTC stands for web real time communications, and is an open source project that provides web browsers and mobile apps the ability to communicate in real time. Essentially, it allows audio and video to work via a web browser via p2p communications without the need for a plugin and/or installation of a program.

The issue is due to a design in various browsers when handling WebRTC calls that probes a STUN server to obtain a user’s IP address. A potentially malicious actor can exploit this to obtain a user’s local and public IP addresses, via a specially crafted web page. The United States (28%), Brazil (5%), and India (5%) are seeing the bulk of the attacks in our telemetry.

Signatures: WebRTC.Local.IP.Addresses.Disclosure

Malware Activity

PhotoMiner – Interesting Name for a CoinMiner – PhotoMiner is a worm that essentially infections websites via open FTP ports and mines Monero. Discovered this week by researchers, it looks for open FTP ports (what is this, 1999?) and brute forces them using dictionary attacks. Once inside, the worm looks to overwrite existing .php, .html, and .aspx extensions in the compromised server and overwrites them with a malicious string that contains a reference to an iframe with the payload.

What makes the attack unique is that PhotoMiner is built in modular fashion and contains several components to make the attack successful. Researchers noticed another nefarious behavior – the addition of a Wi-Fi hotspot in the malware where some variants contained a stealth hard-coded name of “Free_WIFI_abc12345” to allow for further infection. It contains a wrapper that performs the persistence mechanism and spread, but also an executable for mining Monero (XMR) as well. PhotoMiner also tries to spread itself by brute forcing SMB connections and uses WMI to execute additional copies for further infection.

PhotoMiner will then connect over HTTP from a predefined list of hostnames, serving a generic configuration file. Contained within this list is a list of Monero pools and wallets where the malware randomly chooses. Further undermining analysis is that the configuration file contains obfuscation techniques, hindering the efforts of an analyst. PhotoMiner receives commands from the C2 server. This connection appears to be reception of commands only, and not the upload or exfiltration of data. After the routine is initialized, PhotoMiner will then spin off the Monero mining process as a separate process while trying to continue to spread. This ensures that either one of the two goals are met (mining and spread) and also ensures that both processes aren’t detected by antivirus.

Signatures: W32/Miner.AYF!tr, PossibleThreat.P1, W32/Generic.AC.35ED18!tr, W32/CoinMiner.ZT!tr


KillRabbit – Hopefully not Inspired by Fatal Attraction – Yet another ransomware variant discovered this week is the KillRabbit ransomware. The distribution method is unknown, but as with most ransomware, it could be distributed via malicious spam or other social-engineering techniques. Once infected with KillRabbit, the victim is presented with a Spartan black text on white background and (dare we say it, plain) template that states the following:

KillRabbit V2 – User Area
Unique Key
Problems with authorization? Contact us
What Happened?
Oops, it seems the rabbit encrypted all of your files and requires a ransom for their decryption.
Do not worry, all your files will be decrypted after payment of the repayment.

Also, the user is presented with the secondary template that requests a monetary value in the amount of $345 USD:

KillRabbit V2 – Control Panel
Payment Module
Support ChatBot
Unique ID: [Obfuscated]
Redemption amount: 345$
Transaction ID
Check Payment
Number of your deleted files: 0

It is unknown at this time how the transaction is accomplished, as the amount is requested in straight currency and not cryptocurrency. Files that are encrypted are appended with the .killrabbit extension.

Signatures: W32/Filecoder_Autoit.T!tr


Web Filtering

Cobalt Blues – New Cobalt group attacks have been observed by the FortiGuard Labs Web Filtering team spreading malware to users via maliciously crafted email attacks. The group has been observed using Word OLE compound documents with malicious obfuscated VBA macro code, RTF documents containing Microsoft Office exploits or PDF documents. FortiGuard Labs Web Filtering team has blacklisted all the URLs used in this campaign.


Malicious Activity Observed in Open Directory Websites – The FortiGuard Labs Web Filtering Team has observed an IP address 54[.]38[.]53[.]21 hosting many sites with an unprotected directory. The contents hosted on these sites vary from general email phishing pages, WSO shell panels, as well as many other malicious payloads. FortiGuard Labs has blacklisted all the IOCs associated with this IP address.


Threat Research & Insights

FortiGuard Labs Threat Intelligence Podcast #4 – FortiGuard Threat Intelligence Podcast (TIP) provides highlights and commentary into top cyber threats, data breaches, and cybercrime. Join Fortinet’s top threat experts as they delve into today’s critical cybersecurity topics. Informative. Scary. Insightful. [Listen Here]

An Analysis of the DLL Address Leaking Trick used by the “Double Kill” Internet Explorer Zero-Day exploit (CVE-2018-8174) – “Double Kill” is an Internet Explorer(IE) Zero-Day exploit which was discovered in the wild and fixed in the Microsoft May Patch. It exploits a use-after-free vulnerability of vbscript.dll to execute arbitrary code when a vulnerable system browses a malicious web page via IE. Multiple exploit kits have already added this exploit, and it is still active in the wild. [Read More]

News Courtesy: FortiGuard – Weekly Threat Briefs