Activity Summary – Week Ending August 24, 2018

For years, tools developed for malware research have focused primarily on the Windows platform, whereas tools for alternative operating systems, such as Linux and macOS, were few and far between. This made sense given the enormous adoption rate and market share that Windows operating systems have held over the past several decades. More recently, the industry has seen a shift toward these alternative operating systems, driven by the popularity of devices running them. This also means bad actors have taken notice and are looking for ways to distribute their malware to them.

Introducing FortiAppMonitor

FortiAppMonitor is a freeware utility developed and released by Fortinet designed to monitor the behaviors of programs on macOS. It enables users to understand malware capabilities and quickly analyze the malicious behaviors of malware targeting macOS. This utility, presented by FortiGuard Labs researcher Kai Lu at the Black Hat USA 2018 Arsenal, was titled “Learn How to Build Your Own Utility to Monitor Malicious Behaviors of Malware on macOS.”

Its capabilities include the following features:

  1. Monitors process execution with command line arguments and process exit
  2. Monitors all common file system events, including file open, read, write, delete, and rename operations
  3. Monitors network activities, including UDP, TCP, DNS query and response, and ICMP for both IPv4 and IPv6 protocols
  4. Monitors .dylib loading events
  5. Monitors KEXT loading and unloading events

It also provides a fine-grained filter so that users can track those event types they are interested in, as well as powerful search functionality so users can quickly hunt through records based on keywords. Users can also save all records into a JSON formatted file. In addition, all these FortiAppMonitor features are accessed through an easy-to-navigate GUI design. Users can also copy one specific record on a GUI screen to the clipboard using the shortcut key “Command+C.”

FortiAppMonitor can be downloaded from here. Kai Lu’s slides from his presentation at BlackHat can be accessed from here. Users are welcome to send feedback or submit bugs to: fortiappmon@fortinet.com.

Application Vulnerabilities / IPS

Flir.Systems.Camera.HTTP.Request.Handling.Code.Execution — The FLIR-FC-S/PT series are thermal network security cameras manufactured by FLIR Systems, Inc. (http://www.flir.com), the world’s largest commercial company specializing in the design and production of thermal imaging cameras. They are used by high-end military and government agencies as well as average home users, as the company’s product portfolio is very extensive. These cameras suffer from an authenticated OS command injection vulnerability and unauthenticated remote code execution, which can be exploited to inject and run arbitrary shell commands on the system. Cameras with software version 10.0.2.43 are affected. The cameras also suffer from hard-coded credential and stream disclosure vulnerabilities, which were discovered at the same time by the same researcher.

Exploitation is as trivial as sending an HTTP GET request to the camera’s web server; known exploits have been available since the vulnerability was disclosed. Activity over the last seven days is up 30% compared with the 30-day average. The most affected regions are Taiwan (95.96%), South Korea (2.43%), and China (1.44%).

Signatures: Flir.Systems.Camera.HTTP.Request.Handling.Code.Execution

GnuTLS.Security.Null.Signature.Bypass — A security bypass vulnerability exists in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 due to improper error handling when parsing X.509 certificates. An attacker could impersonate a legitimate server with a specially crafted certificate. This can result in a MITM attack.

When such a parsing error occurred, the library would report that certificate validation was successful, even though it might have failed. The attack is delivered by crafting a special certificate file and presenting it to a vulnerable implementation of GnuTLS, which would accept the certificate as valid even though it was not signed by any trusted authority.

The flawed certificate signature checks in GnuTLS allow an attacker to impersonate the real server in an SSL-protected communication. We are seeing a 16% increase in detections of this attack compared with the last 30 days. Countries with the most detected activity were Chile (35%), Argentina (12.50%), and Peru (12.21%).

Signatures: GnuTLS.Security.Null.Signature.Bypass
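The failure mode described above, as an added, simplified illustration in C (not GnuTLS’s actual code): helper functions return a negative error code on failure, the certificate check is expected to return 1 for “valid” and 0 for “invalid”, and a shared cleanup path leaks the negative error code to a caller that treats any non-zero value as success. The struct and helper names are constructed for this example.

```c
/* Simplified, constructed model of the error-handling flaw: helpers return
 * 0 on success and a negative code on error, while the certificate check is
 * expected to return 1 (valid) or 0 (invalid). Not GnuTLS's real code. */

#define ERR_PARSE (-1)

/* Constructed stand-in for a parsed certificate. */
struct cert {
    int parses_ok;   /* 1 if the signed portion can be extracted */
    int sig_ok;      /* 1 if the signature verifies against a trusted CA */
};

/* Hypothetical helper standing in for extraction of the signed data. */
static int get_signed_data(const struct cert *c)
{
    return c->parses_ok ? 0 : ERR_PARSE;
}

/* Vulnerable pattern: on a parse error the negative error code is returned
 * through the shared cleanup label, so a caller testing "if (check(c))"
 * treats -1 as "valid". */
int check_cert_vulnerable(const struct cert *c)
{
    int result = get_signed_data(c);
    if (result < 0)
        goto cleanup;          /* bug: result is still negative here */

    result = c->sig_ok ? 1 : 0;

cleanup:
    return result;
}

/* Fixed pattern: every error path explicitly reports "invalid" (0). */
int check_cert_fixed(const struct cert *c)
{
    int result = get_signed_data(c);
    if (result < 0)
        goto fail;

    return c->sig_ok ? 1 : 0;

fail:
    return 0;
}

/* Caller mirroring how the result is consumed: non-zero means trusted. */
int is_trusted(int (*check)(const struct cert *), const struct cert *c)
{
    return check(c) ? 1 : 0;
}
```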

Malware Activity

Dark Tequila and its Hangover — FortiGuard Labs is aware of a new attack discovered by researchers called Dark Tequila, which has been observed targeting users in Mexico. The threat contains an infostealing Trojan that focuses on stealing credentials for banks, web hosts, online services, file repositories (Dropbox), and domain registrars. The multistage payload is only delivered if no known security suites are installed. As a further anti-analysis measure, the payload is not delivered in a virtualized environment.

The threat also contains six modules that perform the following functions:

  1. A C2 connection module that verifies whether a MITM attack is occurring by validating itself against several popular websites
  2. A check for AV analysis tools or a virtualized environment; if either is detected, it immediately exits and removes traces of itself, including persistence mechanisms
  3. A keylogger that checks for known banks, Plesk, cPanel, Office 365, various registrars, Dropbox, and AWS and Rackspace online services for credential harvesting
  4. An infostealer focused on stealing email and FTP client credentials
  5. A USB infector for network spread
  6. A service watchdog that checks whether the malware and its processes are operational

Indicator(s):
hxxps://46.17.97.12/website/
hxxps://174.37.6.34/98157cdfe45945293201e71acb2394d2
hxxps://75.126.60.251/store/

More Ransomware from HIDDEN COBRA — There is another ransomware variant making the rounds, dubbed “Ryuk” after a fictional character from the manga series “Death Note.”

Discovered earlier this week by researchers, Ryuk is an offshoot of the Hermes ransomware, which first gained publicity in October 2017 via an attack against the Far Eastern International Bank (FEIB) in Taiwan.

Sources suggest that the latest attack has similarities to Hermes, pointing to a connection to HIDDEN COBRA or a possible smokescreen. Analysis has concluded that the file marker for encrypted files has a structure similar to that of Hermes, and the encryption routine is also similar to that of Hermes.

Ryuk also incorporates the following evasion tactics:
– Destroys its encryption key
– Deletes shadow copies via a .BAT file
– Kills more than 40 processes and stops over 180 services

Payments so far have netted the attackers $640 million in ransom. The distribution vector remains unknown at this time and could be either spearphishing or RDP brute-force attacks. According to researchers, Ryuk attacks appear to be targeted.

Signatures: W64/Filecoder.T!tr

Web Filtering

Scratch and Ursnif — The FortiGuard Labs Web Filtering team has recently observed new activity from the Ursnif/Gozi gang. Researchers have discovered, via Twitter, a list of IOCs and C2 domains related to Ursnif/Gozi. Ursnif is data-stealing malware that targets banks and attempts to steal online banking credentials. The FortiGuard Labs Web Filtering team has added all the malicious IOCs to our database.

Indicator(s):

Donot Call List — A new APT group, known as Donot, primarily targets government agencies in the disputed Kashmir region. It has started to spread malware to smartphones and mobile networks. The payload is delivered through a typical spearphishing attack that uses social engineering techniques to compel victims to install malicious APK files. Through the operation, victims’ credentials, such as emails and mobile phone numbers, are stolen. The malware hides its execution in one of two ways: it either displays a normal-looking application after running or disguises its application icon to resemble a legitimate mobile application. The FortiGuard Labs Web Filtering team has blacklisted all the known malicious URLs.

Indicator(s):

Threat Research & Insights

Russian Army Exhibition Decoy Leads to New BISKVIT Malware — A few days ago, the FortiGuard Labs team found a malicious PPSX file exploiting CVE-2017-0199 that had been crafted for Russian speakers.

News Courtesy: FortiGuard Weekly Threat Briefs