Activity Summary – Week Ending November 9, 2018

The TrickBot malware family has been around for many years, initially focused on stealing victims’ online banking credentials. However, FortiGuard Labs has analyzed some new samples in which TrickBot uses a new module and has evolved to perform much more trickery.

This new variant spreads via a Microsoft Excel file, using malicious VBS macro code that executes once the victim opens the Excel file and clicks the ‘Enable Content’ button. The malware installs itself in the system’s Task Scheduler so that it runs automatically. After ‘pointes.exe’ has run for a time, it sends a request to its C&C server to download additional module files; this is where it downloads ‘pwgrab32’ or ‘pwgrab64’ (depending on the platform). Note that ‘pointes.exe’ uses some anti-analysis techniques: it encrypts all of its string information to protect itself from being analyzed statically and dynamically.

TrickBot has many C&C commands. The pwgrab32 module’s intent is to collect credentials from victims’ browsers, FTP clients, and Microsoft Outlook. Another command grabs autofill information from Google Chrome. TrickBot’s modular structure allows the malware authors to update it from the C&C server and easily make changes to the malware by updating and downloading new module components.

FortiGuard Labs researcher Xiaopeng Zhang has a much deeper analysis on our blog site. Please read our full analysis here: Deep Analysis of TrickBot New Module pwgrab

FortiGuard Labs has the following AV signatures:

Apache Struts is an extensible open-source framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time. It is an enticing platform for attackers. In fact, Apache Struts continues to hold three spots in Fortinet’s quarterly list of the top 20 exploits by prevalence, quarter over quarter. You may recall that an Apache Struts exploit was used in the infamous Equifax breach a year ago. Now we are seeing the Mirai and Gafgyt botnets add this exploit to their arsenal. Fortinet recommends that you implement any update for an Apache Struts vulnerability as a priority.

This week the Apache Software Foundation released an advisory urging users who run Apache Struts 2.3.x to update the commons-fileupload component. This critical update addresses a two-year-old vulnerability that can lead to arbitrary remote code execution.

Struts 2.3.x uses the old 1.3.2 version of commons-fileupload by default. There is a Java object in the Apache Commons FileUpload library that can be manipulated in such a way that, when it is deserialized, it writes or copies files to arbitrary locations on disk. Additionally, while the object can be used alone, this new vector can be combined with ysoserial to upload and execute binaries in a single deserialization call. This may or may not work depending on an application’s use of the FileUpload library.

You are vulnerable if you run Struts 2.3.x and your site makes use of the file upload mechanism built into Struts. You are not vulnerable if you are running Struts 2.5.x, as it includes a patched commons-fileupload component.

There is no simple “new Struts version” that fixes this. You will have to manually swap out the commons-fileupload library: download version 1.3.3 and place it inside WEB-INF/lib, replacing the old version. And while you are addressing this, double-check that you don’t have any other copies of the vulnerable library on your system. Struts is not the only software using the vulnerable component.
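Because the library swap is a manual step, it is worth verifying that no stale copy is left behind anywhere on the host. The following POSIX shell script is an added example, not from the FortiGuard brief or the Struts project; it walks a directory tree, identifies commons-fileupload jars by their conventional commons-fileupload-<version>.jar filename (an assumption: renamed or shaded copies are not detected), and flags every copy older than the fixed 1.3.3 release.

```shell
#!/bin/sh
# Added example (not from the FortiGuard brief): find commons-fileupload jars
# below a directory and flag any older than 1.3.3.
# Assumption: jars use the standard commons-fileupload-<version>.jar name.

FIXED_VERSION="1.3.3"

# True (exit 0) when dotted version $1 is strictly older than $2.
version_older_than() {
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$first" = "$1" ] && [ "$1" != "$2" ]
}

# Print the version embedded in a jar filename; prints nothing if it does
# not match the expected pattern.
jar_version() {
    basename "$1" .jar | sed -n 's/^commons-fileupload-\([0-9][0-9.]*\)$/\1/p'
}

# Scan a tree (WEB-INF/lib, an app server root, or /) and report each
# vulnerable jar. Exit status is 0 when nothing vulnerable was found.
scan_for_vulnerable_fileupload() {
    list=$(mktemp)
    find "$1" -type f -name 'commons-fileupload-*.jar' 2>/dev/null > "$list"
    found=0
    while read -r jar; do
        ver=$(jar_version "$jar")
        [ -z "$ver" ] && continue
        if version_older_than "$ver" "$FIXED_VERSION"; then
            echo "VULNERABLE: $jar (commons-fileupload $ver, fixed in $FIXED_VERSION)"
            found=$((found + 1))
        fi
    done < "$list"
    rm -f "$list"
    [ "$found" -eq 0 ]
}

# Usage: scan_for_vulnerable_fileupload /path/to/tomcat
```

Run it against the application server root rather than a single WEB-INF/lib, since other deployed applications may bundle their own copy of the library.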

FortiGuard has an IPS signature to detect the vulnerability: Apache.Commons.FileUpload.DiskFileItem.Deserialization

Application Vulnerabilities / IPS

Avtech.Devices.HTTP.Request.Parsing.Multiple.Vulnerabilities – AVTECH is a Taiwanese maker of CCTV solutions that has been in business for over two decades and is now one of the leaders in this market worldwide. In November 2016, SearchLab, a Budapest-based security testing laboratory, contacted AVTECH in order to coordinate the responsible disclosure of flaws in their line of products, which was followed by the coordinated public disclosure of the vulnerabilities. Among those were vulnerabilities relating to plain-text storage of passwords, lack of CSRF protection, unauthenticated information disclosure, command injection, and authentication bypass, among others, totaling 14 overall. The devices affected were all devices and firmware versions that the company had ever produced up to that time; not every device was vulnerable to all of the vulnerabilities disclosed, but each was affected by at least one. More information about the actual list can be found in SearchLab’s disclosure. For the first time ever, this signature has reached the number 2 position, having been seen by almost 40% of all sensors on October 12. The countries that experienced the majority of the hits were the United States (20.01%), Japan (6.02%), and Taiwan (4.31%).

MS.Office.RTF.File.OLE.autolink.Code.Execution – This signature detects an attempt to exploit CVE-2017-0199, which pertains to issues in a well-known Office suite feature called Object Linking and Embedding. This vulnerability was leveraged as a zero-day as of January 2017, seen in the wild by various security researchers and vendors delivering various malicious payloads. In a nutshell, the vulnerability allows a malicious actor to embed OLE2 objects in Office documents, which then grants the ability to download and execute PowerShell commands from the Internet. Microsoft patched this issue back in April.

Through analyzing samples, it was found that this exploit would function perfectly well on an (at that time) fully patched Windows 10 running Office 2016. This exploit was used in malspam campaigns where the malicious Word document containing the OLE2 object was emailed to a massive list of addresses. If the user opened the document, they would receive a warning that reads:

“This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?”

Seems harmless enough, right? Then Microsoft Word, with the user’s approval, would fetch malicious PowerShell payloads in the form of .hta documents from the Internet and run them on the local system. We have seen this signature fluctuating between 1.76% and 3.5% this week, with the last seven days averaging 3.0%, affecting mostly Taiwan (13.64%), the United States (6.05%), and Turkey (5.84%).

Signatures: MS.Office.RTF.File.OLE.autolink.Code.Execution

Malware Activity

Inception (Not the Movie!) – FortiGuard Labs is aware of the re-emergence of the Inception Group, an APT group that has been around since 2014. The previous attack used various proxies and IoT devices to help conceal the attackers’ origins. The latest discovery reveals how the group has adapted newer techniques to further its goals. The latest technique highlights a clever infection vector, where the victim receives a maliciously crafted Microsoft Word document. Once the document is opened, its template connects to a remote command and control server and sends over the requested data from the victim machine; if the parameters meet the defined requirements, the server returns a response and ultimately drops a specially crafted malicious RTF file containing PowerShell that performs further malicious activity. This is a clever tactic, as it evades antivirus and makes historical analysis difficult if the command and control servers are down. Observations of the PowerShell reveal the ability to fingerprint the machine for reconnaissance purposes, clean itself up to thwart forensic analysis, and then run a secondary payload for further infection.

Beware of the Exodus! – FortiGuard Labs is aware of a new malicious spam campaign targeting Mac users. Discovered by researchers earlier this week, the campaign takes advantage of users who have the Exodus cryptocurrency wallet installed. The malware, disguised as an update to Exodus, arrives in a targeted email sent to the unsuspecting victim as: “Subject: Update 1.64.1 Release — New Assets and more” The application contains a Mach-O binary with the filename “rtcfg,” which should arouse suspicion, as the legitimate Exodus application contains the word exodus in its file names. Observations made during analysis reveal that the strings referenced in the binary point to a website that sells Mac-based remote access tools. Thankfully, this appears to be a less than sophisticated attack, as the operator of this remote access tool relies on off-the-shelf files that antivirus software readily detects.

Signatures: Adware/RealtimeSpy


Web Filtering

The Zombie Phish Campaign – The FortiGuard Labs Web Filtering team is aware of a new phishing campaign called “Zombie Phish.” Discovered by researchers, the Zombie Phish campaign uses the technique of hijacking or compromising email accounts, also known as conversation hijacking. The actor has been seen replying to old, long-dead, random email threads to deliver phishing links or malicious attachments. An automatically generated infection URL is used to evade detection. In this incident, they mainly use the .ICU TLD to target victims. In order to appear more legitimate, they also use official organizational logos to confuse victims and lure them into the trap. Victims that visit the website are fingerprinted using the host’s IP and redirected to the spam website. If the same host attempts to visit the phishing link again, the spoofed login page is skipped and the host is sent directly to the spam page. The FortiGuard Labs Web Filtering team has blacklisted the IOCs associated with this campaign.


Threat Research & Insights

How-to Guide: Defeating an Android Packer with FRIDA – FortiGuard Labs shows how we handle some of the problems that arise when analyzing Android malware. [Read More]

News Courtesy: FortiGuard – Weekly Threat Briefs