Activity Summary – Week Ending September 7, 2018

A new banking Trojan has been identified targeting major Brazilian banking customers, as well as public sector organizations. This malware, code-named CamuBot, uses interesting new tactics, combining social engineering with malware techniques, to bypass security controls, including strong authentication.

CamuBot operators begin their attacks with basic reconnaissance to find people who likely have access to the business’s bank account credentials. The attackers, pretending to be bank employees, phone the banking customer and use social engineering to get the victim to download the malware. The malware disguises itself as a required security module and uses valid banking logos, leading the victim to believe it is indeed a required security update. Once the malware is downloaded, a fake application appears in the foreground while the malware is silently installed in the background. A connection with a command-and-control server is then started. At this point the victim is directed to what they think is the bank’s online portal and is prompted to enter login credentials, which are then captured by the threat operators.

Interestingly, when the threat actor encounters a situation where strong authentication is required, the malware installs a driver that enables remote sharing of any hardware-based device. The attackers get the victim to approve sharing the device and are then able to capture any one-time passwords that the bank generates for authentication. The attacker then creates a fraudulent session and steals money from the victim.

FortiGuard Labs detects this malware as W32/CamuBot.A!tr. See Dark Reading for a detailed write-up.

Application Vulnerabilities / IPS

Underminer.Exploit.Kit – The Underminer exploit kit delivers a bootkit that infects the system’s boot sectors, as well as a cryptocurrency-mining malware named Hidden Mellifera. It transfers malware via an encrypted transmission control protocol (TCP) tunnel and packages malicious files in a customized format similar to the ROM file system format (romfs). It appears to have been active since at least Q4 2017 and mostly targets Asian countries such as Japan, Taiwan, and South Korea.

Underminer offers the same functionality as other exploit kits, such as browser profiling, filtering, and prevention of double visits, but adds functionality such as URL randomization and asymmetric encryption of payloads, which makes analysis harder for reverse engineers.

Once someone visits the payload delivery URL, the exploit kit sets a token in the browser cookie. If the victim has already accessed the page, the kit does not deliver the malicious payload and instead returns an HTTP 404 error message. This deters researchers from reproducing the attack by visiting the URL more than once, and also prevents the exploit kit from attacking the same victim twice.
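A hunting heuristic for the double-visit behaviour described above, as an added example that is not part of the original brief: it flags client/URL pairs in proxy logs where the first request returned 200 and a repeat request returned 404, and records whether the same URL was still served to a different client afterward. The log format, hostnames, and 24-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed proxy log sample (not real traffic): time, client, status, URL.
SAMPLE_LOG = """\
2018-09-05T10:01:02 10.0.0.15 200 http://ads.example.test/x7f3a/index.html
2018-09-05T10:01:40 10.0.0.15 404 http://ads.example.test/x7f3a/index.html
2018-09-05T10:02:11 10.0.0.22 200 http://news.example.test/story.html
2018-09-05T10:05:30 10.0.0.22 200 http://news.example.test/story.html
2018-09-05T10:07:00 10.0.0.31 404 http://cdn.example.test/missing.js
2018-09-05T10:07:05 10.0.0.31 404 http://cdn.example.test/missing.js
2018-09-05T10:09:12 10.0.0.40 200 http://ads.example.test/x7f3a/index.html
"""

def parse(log_text):
    """Return time-sorted (time, client, status, url) tuples; skip bad lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            events.append((ts, parts[1], int(parts[2]), parts[3]))
        except ValueError:
            continue
    return sorted(events)

def find_one_shot_urls(log_text, window=timedelta(hours=24)):
    """Flag (client, url) pairs served once (200) and then refused (404)."""
    events = parse(log_text)
    first_ok, findings = {}, {}
    for ts, client, status, url in events:
        key = (client, url)
        if status == 200:
            first_ok.setdefault(key, ts)
        elif status == 404 and key in first_ok and key not in findings:
            if ts - first_ok[key] <= window:
                findings[key] = {"client": client, "url": url,
                                 "served": first_ok[key], "refused": ts,
                                 "still_live": False}
    # A later 200 for another client means the page was not simply removed.
    for ts, client, status, url in events:
        for (c, u), hit in findings.items():
            if status == 200 and u == url and c != client and ts > hit["refused"]:
                hit["still_live"] = True
    return list(findings.values())

if __name__ == "__main__":
    for hit in find_one_shot_urls(SAMPLE_LOG):
        print(hit["client"], hit["url"], "still_live =", hit["still_live"])
```

A hit with `still_live` set is the stronger lead, since an ordinary deleted page would return 404 to every client.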

Underminer uses three main exploits to infect users, and they are:
* CVE-2015-5119, a use-after-free vulnerability in Adobe Flash Player patched in July 2015. (Adobe.Flash.Player.ByteArray.Memory.Corruption)
* CVE-2016-0189, a memory corruption vulnerability in Internet Explorer (IE) patched in May 2016. (MS.VB.Script.Engine.Memory.Corruption)
* CVE-2018-4878, a use-after-free vulnerability in Adobe Flash Player patched in February 2018. (Adobe.Flash.PSDK.Listener.Use.After.Free)

We are tracking the development of this exploit kit and will keep you up to speed if any major developments are spotted on this threat.

Signatures: Underminer.Exploit.Kit

VideoLan.VLC.Media.Player.MKV.Header.Handling.Use.After.Free – VLC media player through 2.2.8 is prone to a use-after-free (UAF) vulnerability in the MP4 demuxer module. If exploited correctly, the issue allows an attacker to execute arbitrary code in the context of the logged-in user via crafted MKV files.

Failed exploit attempts will likely result in denial-of-service conditions. The exploit can work on both 32-bit and 64-bit builds of VLC media player. This problem has been fixed in version 3.0.3.

The attack requires user interaction: it succeeds when the user opens a maliciously crafted file with VideoLAN, a risk that is greatest when downloading unknown media files via torrents and/or from unknown sources.

This affects all systems that support VLC media player, such as Windows, Linux, and macOS. There is exploit code freely available for Windows 10 x64 on popular websites dedicated to sharing threat intelligence for the open source community, such as SecLists and GitHub.

Signatures: VideoLan.VLC.Media.Player.MKV.Header.Handling.Use.After.Free

Malware Activity

CeidPagelock and Search Hijacks/Hijinks – CEIDPageLock is a new rootkit observed this week intercepting users’ search results. CEIDPageLock is reminiscent of search page hijacker malware of past lore, such as CoolWebSearch and Bayrob. It has been observed being distributed via a RIG exploit kit and mostly targets users in China. One distribution mechanism is a dropper signed with a certificate that appears to be revoked at the time of this writing. The dropper’s main goal is to extract the driver and place it into the \Windows\Temp directory. Once extracted, the driver connects to tj999[.]top to send the MAC address and user ID of the victim machine. The driver contains tricks to evade AV detection, and will connect to two predetermined C2 servers in order to serve the victim with the tampered homepage. The attacker then gathers statistics on the victim and makes a profit off the victim every time a search is queried. The driver employs anti-evasion tactics and is protected by VMProtect, which makes analysis difficult.


A Code of Dishonor – Bushido – Bushido is a new IoT botnet that researchers discovered this week. It can connect to an IRC server and receive a multitude of commands from it, which makes it very modular in scope. It appears that Bushido propagates by brute forcing common passwords on Telnet port 23; an infection script then downloads various Linux binaries from the malicious server and runs them. These binaries are compiled for different platforms, furthering spread and impact.

Strings observed within the malware include the C2 server IP, the username and password used to brute force the Telnet service, HTTP headers, user agent strings, many IRC commands and strings, libc function names, and nmap scan commands and error logging. The main functionality observed in this botnet is DDoS, via TCP/UDP/ICMP attacks. Another interesting capability is that the malware can download its source, compile itself, and then delete the source to thwart analysis. It appears to have incorporated some of Mirai’s source as well.

Signatures: PHP/PBot.G!tr.bdr, BASH/Shell_Agent.P!tr.dldr

Web Filtering

How Do They Come Up with These Names? (aka Asacub) – This malicious payload is distributed through SMS messages that contain a phishing link and offer to view a photo or MMS. Upon clicking the link, the victim sees a webpage prompting them to download the Trojan’s APK file. However, for the Trojan to be installed on the device, the victim needs to allow installation of apps from unknown sources. During installation, Asacub prompts the victim for Device Administrator rights or Accessibility Service, depending on the version of the Trojan. Once the selection has been made, it sets itself as the default SMS app and disappears from the screen. If the request is rejected, the window reopens every few seconds. Upon successful installation, the Trojan begins communicating with the C&C servers. The purpose of this malware is to obtain money from victims who use mobile banking services.

FortiGuard Labs has added all the related IOCs to its blacklist database.


Threat Research & Insights

Key Cyber Trends Impacting State and Local Government and Education – Fortinet discusses the major trends impacting K-12 and higher education institutions and state and local governments. Read what our National SLED Practice Director has to say about priorities, defenses, cloud security, and other trends.

News Courtesy: FortiGuard – Weekly Threat Briefs