Activity Summary – Week Ending August 31, 2018

FortiGuard Labs researchers have been monitoring an invasion of GandCrab malware updates of late. You can read our full blog to get all the chronology details. Below is a synopsis of what we discovered and has transpired lately.

Since the July release of GandCrab v4.0, there has been an active development and release pace of new variants. Among other things, the malware developers switched the file encryption algorithm to the much faster Salsa20 algorithm, and added the ability to encrypt network shares. Version 4.1 added a network communication function that sends encrypted data collected from the victim to a long list of URLs, although no purpose has yet been understood why. Version 4.1.1 brought minor code optimization.

After the security vendor Ahnlab developed a vaccine tool to stop the execution of the malware before it encrypted the file, the GandCrab developers released v4.1.2. This version was focused on allowing their code to bypass the vaccine tool, making it ineffective. No further changes were observed in v4.1.3. But then there was an updated v4.1.2 discovered that again addressed the vaccine tool, in a rather mocking way.

The malware developers continued their agile development by releasing v4.2 on the same day that the v4.1.2 bypass was identified. This new version included some rather basic sandbox evasion techniques. Note, however, that the sandbox detection function was no longer observed in v4.2.1. In retaliation of the vaccine tool, the GandCrab developers continued their attacks by releasing a link to proof-of-concept (POC) source code that could cause a denial-of-service (DOS) attack. When triggered, this attack causes a Blue Screen of Death (BSOD).

The GandCrab authors continued their string of updates with the release of v4.3, which included an added anti-disassembly trick to complicate analysis. While this is not an advanced or a new technique, it does add another step to analyzing the malware. Then along came v4.4 with an unexpected move by the threat actors. It was not an upgraded version of the malware, but instead, a vaccine for itself. Version 4.4 is basically a variant of v4.3 that has been roughly patched to execute a function that creates the mutex that the malware checks before encryption, which then sleeps indefinitely to stay running in the background. Aside from VirusTotal, we were not able to find the variant being distributed through other sources, which probably makes sense. It seems like its sole purpose is to continue its mocking of the previous vaccine tool releases.

FortiGuard Labs will continue to monitor this threat. Due to the malware authors agile development cycle, we assume that we have not seen the last of GandCrab.

FortiGuard customers are protected in the following manners:
– File samples are detected by our specific and heuristic detections
– FortiSandbox rates the GandCrab’s behavior as high risk
– FortiMail blocks malicious spam emails distributing GandCrab

Read our Fortinet blog for the full story.

Application Vulnerabilities / IPS

Apache.Struts.2.OGNL.Script.Injection – Discovered August 22nd, alongside other vulnerabilities using deep semantic code search tool LGTM, this signature detects an attempt to exploit CVE-2018-11776, a remote code execution vulnerability that affects Apache Struts versions 2.3 to 2.3.4 and 2.5 to 2.5.16.

User input is evaluated as an OGNL expression when there is a conversion error, which may allow for remote code execution. The error occurs when there are specific configurations on the server related to AlwaysSelectFullNameSpace=true and the configuration file allows for an action or a URL that does not specify optional namespace attributes or allow for wildcard namespaces. When this happens, a code path within the software is taken, one that allows for the use of unsanitized user input to be executed directly. Apache Struts has fixed the vulnerability with the release of Struts versions 2.3.35 and 2.5.17.

At the time of this writing, there were PoC exploits available on popular channels such as GitHub and PacketStorm as Python code.

We are seeing increased activity regarding this vulnerability, with the sensors reporting 47% higher activity in the last 7 days if compared to the 30 days’ average. The most affected regions are the United States (26%) and Taiwan and Japan, both with 5.97% of all traffic.

Signatures: Apache.Struts.2.OGNL.Script.Injection

SonicWall.GMS.XMLRPC.set_time_zone.Remote.Code.Execution – Disclosed July 20th, the vulnerability affects SonicWall Global Management System Appliance versions 8.1 (Build 8110.1197) and below. The issue occurs because of a code injection vulnerability due to lack of checking on unauthenticated, user-supplied data. There is a service called GMC, which runs on port 21009; it is used to list and configure options related to networking parameters on the virtual appliance, and it allows for actions to be sent to it without any authentication.

A remote user can leverage this to run arbitrary commands on the system by typing the command to be executed inside the time zone XML element’s “value” field. The command to be run must be escaped inside backticks. This XML data should then be sent to the GMC service, which will forward the values inside the XML without validation of user-supplied input. This will then be used to set the value on a local system script to configure the time zone, but when escaped, any values that should be on these files will become commands that will be run as root. There are other ways to attack the same service, since there are other variables that are obtained from this interface and used to set other network configuration options.

We are seeing increased activity regarding this vulnerability, with our sensors reporting 214% higher activity in the last 7 days when compared to the last 30 days’ average. The most affected countries are the United States (22.84%), Japan (6.77%), and Canada (3.89%).

Signatures: SonicWall.GMS.XMLRPC.set_time_zone.Remote.Code.Execution

Malware Activity

AcridRain, AcridRain – There is a new infostealer making the rounds, named Acrid Rain. First appearing on the underground forums in July, Acrid Rain is an infostealer that targets many browsers, even some that you may have not heard of. Acrid Rain can steal various credentials, cookies, and credit cards from multiple browsers, such as, but not limited to: Amigo, Google Chrome, Vivaldi, Yandex browser, Kometa, Orbitum, Comodo, Torch, Opera,, Nichrome, Chromium, Epic Privacy browser, Sputnik, CocCoc, and Maxthon 5.

It has the ability to steal telegram and steam sessions, FileZilla connections, and more. It can also dump credentials from the browsers it attacks, and seek out several popular cryptocurrency wallets (Armory, Bitcoin, Electrum, Ethereum, Doge, Dash, Litecoin, Monero, mSIGNA). Also observed is that the malware appears to make use of various malicious tools by borrowing code from known repositories, and incorporating into its own source.

Signatures: W32/Agent.PMO!tr.spy, W32/Agent.OYI!tr.spy

PseudoGate – This week researchers discovered a new banking campaign called PseudoGate. It appears to have multiple tricks up its sleeve, especially in its delivery mechanism. It has been observed to be using multiple delivery vectors to accomplish its infection routine, using the RIG exploit kit as well as the GrandSoft exploit kit to ultimately infect victims.

Observed targeting Japan, PseudoGate is a campaign that uses malvertising in a drive-by download attack that ultimately redirects the victim to compromised sites that contain various Adobe Flash exploits to ultimately compromise the victim machine. Once the victim is compromised, the Trojan downloader, Smoke Loader, will then download either Panda or Kronos, banking Trojans.

Additional vulnerabilities observed being exploited are: RIG Exploit Kit – CVE-2015-2419 (IE) and CVE-2016-0189 (IE), and CVE-2018-8174 (IE), and CVE-2018-4878 (Adobe Flash)

In the GrandSoft Exploit Kit, only CVE-2018-8174 (IE) was observed during the exploitation process.

Signatures: W32/Propagate.GJEV!tr, W32/GenKryptik.CGKR!tr, W32/Kryptik.GITY!tr, W32/NeutrinoPOS.37B!tr, W32/GenKryptik.CIIB!tr, W32/GenKryptik.CEMD!tr, W32/Kryptik.GJUV!tr.ransom, W32/Kryptik.GKEK!tr, W32/Kryptik.GKDT!tr, W32/GenKryptik.CFGU!tr.


Web Filtering

Career-Themed Phishing Attack in the Middle East – Discovered by researchers, IRN2 is known for targeting organizations throughout the Middle East. One of the victims is a key player of the Saudi Arabian oil and gas industry – Doosan Power Systems India (DPSI), which is a subsidiary of Doosan Heavy Industries & Construction.

According to the researcher’s findings – DPSI’s website was compromised with a zip file, believed to have been spread using emails as the medium. The zip file contains two VBScripts. One script navigates to a fake Doosan human resources site for resume submissions, while the other script installs the Helminth PowerShell payloads, which are “Helminth.DnE” and “Helminth.DnS”.

FortiGuard Labs Web Filtering team has blacklisted all the related IOCs.


Threat Research & Insights

FortiGuard Labs Threat Intelligence Podcast #5 – FortiGuard Threat Intelligence Podcast (TIP) provides highlights and commentary into top cyber threats, data breaches, and cybercrime. Join Fortinet’s top threat experts as they delve into today’s critical cybersecurity topics. Informative. Scary. Insightful. [Listen Here]

The Evolving Threat Landscape – Looking at Our 2018 Predictions – Over the past several months, the FortiGuard Labs team has been tracking a number of evolving trends related to the FortiGuard 2018 Threat Landscape Predictions. This mid-year update provides new details concerning recent advances in some of the techniques and malware tied to those predictions. [Read More]

News Courtesy: FortiGuard – Weekly Threat Briefs