Activity Summary – Week Ending August 3, 2018

Once again, Fortinet’s membership in the Cyber Threat Alliance (CTA) continues to pay dividends. Sophos, also a CTA member, published their comprehensive research into the SamSam ransomware this week. As part of their CTA membership, Sophos shared all the indicators of compromise (IOCs) with other members before they published their findings. This allows CTA members an early warning and the ability to ensure members’ respective customers are protected. For inquiries into becoming a Cyber Threat Alliance member, click here.

SamSam has been around for nearly three years and has amassed nearly $6 million dollars in ransom since then. SamSam uses a combination of brute-force attacks and exploits designed to take control of a single machine, then eventually takes control of the domain administrator’s machine. The payload is then pushed out and the ransomware is executed on all workstations within the domain. The attacker evades detection by deploying custom-compiled malicious payloads and shutting down security measures as necessary, thereby not triggering alarms. Victims are medium to large organizations – with nearly 75% in the United States. Also targeted are Canada, United Kingdom and the Middle East. Not only is SamSam targeting valuable documents and data files but also configuration files such as Microsoft Office, with the objective to cause total disruption. For the full details on this research, see the links below.

FortiGuard Labs has AV protection in place for all known indicators of compromise.

FortiGuard SE team’s threat research blog: Critical SamSam Ransomware Update

Read the full Sophos report: SamSam: The [Almost] Six Million Dollar Ransomware

Application Vulnerabilities / IPS

Bleeding Hearts Club – Interestingly enough, we are seeing an increase in our IPS signature OpenSSL.Heartbleed.Attack which detects attacks occurring on the Heartbleed vulnerability (CVE-2014-0160), which was discovered back in 2014, affecting various versions OpenSSL. The vulnerability allows the stealing and exfiltration of data over SSL/TLS. Essentially, Heartbleed allows a remote attacker to read the contents of memory on systems that contain the vulnerable versions of OpenSSL.

As stated many times before, attackers are aware that a lot of organizations either delay or put off patching due to various reasons such as lack of security awareness, carelessness, or simply manpower.

Our telemetry reveals that the United States (26%) accounts for a majority of the attacks.

Signatures: OpenSSL.Heartbleed.Attack

China Chopper – Our IPS signature China.Chopper.Web.Shell.Client.Connection detects attacks on webservers and exploitation attempts using the China Chopper webshell, which is a very small but powerful tool at 4kb in size. First discovered in 2012, the China Chopper Web Shell which consists of two parts which is the interface and the small file placed on the compromised webserver. The small file that is placed on the webserver can communicate back with the client which provides unique features like a file explorer, a DB client, and a reverse shell. Interestingly enough, considering its small size, it has a security scan feature which allows it to guess authentications of various web portals and to get in via brute force. The China Chopper can run on both Linux and Windows machines, running JSP, ASP/X, and PHP or CFM.

Signatures: China.Chopper.Web.Shell.Client.Connection

Malware Activity

Bisonal – Sounds like a Type of Burger – Bisonal is an APT group targeting industries in South Korea and Russia. Attacks have also been seen in Japan as well. Discovered this week by researchers, this campaign has been seen in the wild since 2014 and is also known as Operation Butter Biscuit. The campaign uses social engineering techniques to compel the victim by sending them spear-phishing emails that contain maliciously crafted Windows executables by masquerading them as benign PDF files. According to the report, the PDF files will render in some email clients as PDF, and some will not, due to the file extension of .exe. A well-trained eye will be able to catch these discrepancies; however, it appears that the attackers are hoping their victims will be deceived into opening the attachment either through sheer curiosity or complete carelessness.

The main components of the attack contain a dropper, a DLL file, and the decoy PDF. The dropper hides the encrypted DLL file and decoy PDF file at the end of its body. Once executed, the DLL file, which is the Bisonal malware, will set itself in the registry for persistence, and allow the malware to communicate directly with a C2. The malware can get system info, run processes, kill processes, access the CMD shell, and download, execute, and create files.

Signatures: W32/OnlineGames!tr, W32/Bisonal.3613!tr, W32/Possible_Threat, W32/Agent.TAJ!tr, Dx.BC3H!tr

Ghost in the Shell – Fileless attacks are often the dream attack vector of bad actors because they can leverage fileless techniques while often evading AV and IPS detection. Flying under the radar is a new attack dubbed PowerGhost, was discovered this week by researchers. PowerGhost utilizes obfuscated PowerShell script to conduct its attacks to ultimately mine Monero. PowerGhost contains add-on modules such as the actual miner, and Mimikatz, and also libraries such as msvcp120.dll and msvcr120.dll, which are required for the miner’s operation. Also, another module contains shellcode for EternalBlue, which can allow propagation from stolen Mimikatz credentials, and ultimately download the miner via WMI, via a command and control server.

PowerGhost can perform the following:
Auto Update
Propagation (via stolen credentials using MimiKatz and WMI)
Escalation of Privileges using (CVE-2018-8120)
Establishing a Foothold
Payload (miner)

FortiGuard Labs is currently investigating this development and will provide any relevant updates when feasible.

Signatures: W32/GenericRXAB.PL!dos, W32/Skillis.BLRU!tr

Web Filtering

Yet Another Rat! – Recently, the FortiGuard Labs Web Filtering team has observed a new Remote Access Trojan (RAT) available for sale on darknet markets. Discovered by researchers, the RAT, dubbed Parasite HTTP, is a professionally coded modular remote administration tool for Windows written in C that has no dependencies except the OS itself. For now, Parasite HTTP is delivered in a single, small email campaign targeting information technology, healthcare and retail industries.

FortiGuard Labs has blacklisted all IOCs into the database.

Indicator(s):
hxxp://dboxhost.tk/moz/bza.exe
Xetrodep[.]top
Jekoslo[.]space
befrodet[.]top

Hancitor Lecter – The FortiGuard Labs Web Filtering team has observed a recent Hancitor malspam running alongside the Zeus Panda Banker Trojan. In a nutshell, the attack provides the targeted victim with a link to download a malicious Word document that will ultimately infect the victim’s computer. FortiGuard Labs Web Filtering team has blacklisted several domains which were identified in this campaign.

Indicator(s):
altilium[.]com
altilium[.]net
dryerventwizardcanada[.]biz
getlintout[.]biz
getthelintout[.]info
pbtmail[.]com
pbtmail[.]net
thedryerventwizard[.]biz
thedryerventwizard[.]ca
wegetthelintout[.]ca
wegetthelintout[.]net
hinwasslysed[.]com
harforusero[.]ru
berofaked[.]ru

Threat Research & Insights

Critical SamSam Ransomware Update – An overview of how to defend your organization from SamSam and other ransomware. [Read More]

Debugging PostScript with Ghostscript – A quick guide on how to analyze PostScript. The software has been targeted by attackers. [Read More]

News Courtesy: FortiGuard – Weekly Threat Briefs