Archive

Archive for July, 2016

MS16-JUL – Microsoft Security Bulletin Summary for July 2016 – Version: 1.1

Revision Note: V1.1 (July 29, 2016): For MS16-087, added a Known Issues reference to the Executive Summaries table. If you are using network printing in your environment, after you apply the 3170005 security update you may receive a warning about installing a printer driver, or the driver may fail to install without notification. For more information about the update and the known issue, see Microsoft Knowledge Base Article 3170005.
Summary: This bulletin summary lists security bulletins released for July 2016.

Categories: Uncategorized Tags:

Security Compliance Manager 4.0 now available for download!

July 28th, 2016 No comments

The Security Compliance Manager (SCM) is a free tool from Microsoft that enables you to quickly configure and manage the computers in your environment using Group Policy and Microsoft System Center Configuration Manager. This version of SCM supports Windows 10 and Windows Server 2016.

You can easily configure computers running Windows 10 and Windows Server 2016 based on Microsoft Recommended Security Baselines and industry best practices.

You can download SCM 4.0 here.

Updates include:

  • Support for the existing Windows 10 version 1507 and Windows 10 version 1511 security baselines
  • Support for the upcoming Windows 10 version 1607 and Windows Server 2016
  • Bug fixes for the ‘Compare’ and ‘Simple View’ features in SCM

The latest version of SCM offers all the same features as before, plus bug fixes and added support for upcoming baselines. SCM 4.0 provides a single location for creating, managing, analyzing, and customizing baselines to secure your environment more quickly and efficiently. In addition to the latest software releases, you can also configure previous editions of Windows client, Windows Server, and Microsoft Office.

SCM provides DCM 2007 configuration packs that allow you to manage configuration drift using Microsoft System Center Configuration Manager. Microsoft’s Operations Management Suite also supports monitoring of Security Baselines in your server environments.

MS16-058 – Important: Security Update for Windows IIS (3141083) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (July 26, 2016): Bulletin revised to add Updates Replaced information to all entries in the Affected Software table. This is an informational change only. Customers who have already successfully installed the updates do not need to take any action.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Categories: Uncategorized Tags:


Introducing the Microsoft Secure blog

For the past ten years on this blog we have shared Microsoft’s point of view on security, privacy, reliability, and trust. It has become the place to go for in-depth articles on Microsoft products and services, as well as tips and recommendations for improving security in your organization.

Last November, Microsoft CEO Satya Nadella outlined our new approach to cybersecurity — one that leverages Microsoft’s unique perspective on threat intelligence, informed by trillions of signals from billions of sources. This new approach integrates security into the platform and incorporates solutions from our partners. We invest more than $1 billion in R&D each year to advance our capabilities in all of these areas. The umbrella term we give those investments is Microsoft Secure.

With this fresh perspective, we’ve heard great feedback from our customers—and they’ve asked us to share more. So now is a great time to refresh the blog – with a new look and feel, and a new name: the Microsoft Secure Blog.

We will continue to share information about Microsoft products and services, as well as our perspective on industry trends, from an expanded roster of experts and about an even broader range of topics that we know our readers are interested in.

Categories: Cloud Computing, cybersecurity Tags:

Nemucod dot dot..WSF

July 23rd, 2016 No comments

The latest Nemucod campaign shows the malware being distributed as a spam email attachment with a .wsf extension, specifically a ..wsf (double dot) extension.

It is a variation of what has been observed since last year (2015): the TrojanDownloader:JS/Nemucod malware downloader, written in JScript. It still spreads through spam email attachments, typically inside a .zip file, using a file name of interest with a .js or .jse extension.

The following screenshots show what the malicious file attachment looks like in the recent campaign:

Figure 1: Example of what a spam email containing the latest version of Nemucod might look like

Figure 2: Example of what Nemucod malware looks like when extracted and opened with an archive viewer

What the double dots mean: Social engineering for unsuspecting eyes

As seen in the following file name samples, the double dot paired with the uncommon .wsf extension creates the illusion that the file name was abbreviated, intentionally truncated, or shortened by the system because it was too long:

  • profile-d39a..wsf
  • profile-e3de..wsf
  • profile-e7dc..wsf
  • profile-f8d..wsf
  • profile-fb50..wsf
  • spreadsheet_07a..wsf
  • spreadsheet_1529..wsf
  • spreadsheet_2c3b..wsf
  • spreadsheet_36ff..wsf
  • spreadsheet_3a8..wsf

Some might look at the sample file names and assume that each was originally a long, unique string identifier of random letters and numbers, such as a transaction ID, a receipt number, or even a user ID:

  • profile-d39as1u3e8k9i3m4wsf
  • profile-e3dee1uwl8s10f3m4wsf
  • profile-e7dc4d1u3e83m4wsf
  • profile-f8dsdwsfe8k4i38wsf
  • profile-fb50s1u3l8k9i3m4wsf
  • spreadsheet_07as133e3k9i3e4wsf
  • spreadsheet_1529s15se8f9i3o6wsf
  • spreadsheet_2c3bs1u5dfk9i3m6wsf
  • spreadsheet_36ffs1ure8koei3d5ws
  • spreadsheet_3a8s1udwsf8s9i323wsf

However, this is not the case: these are script files that may contain malicious code capable of harming your system.

Underneath the WSF

A Windows Script File (.wsf) is a text document containing Extensible Markup Language (XML). It incorporates several features that offer increased scripting flexibility. Because Windows script files are not tied to one scripting language, the underlying code can be either JavaScript or VBScript, depending on the language declaration in the file; the WSF acts as a container.

Underneath the WSF is the same typical Nemucod JScript code.

Figure 3: Nemucod code inside the WSF: it contains encrypted code, and the decryption routine is written under @cc_on (conditional compilation)

This Nemucod version leverages the @cc_on (conditional compilation) statement. Such a statement can possibly evade AV scanner detection: it tricks the scanners into treating the statement as part of a comment, which prevents them from interpreting the enclosed code as executable.

Upon decryption of the code, the following URLs, where the malware payload is hosted, are revealed:

  • hxxp://right-livelihoods.org/rpvch
  • hxxp://nmfabb.com/rgrna1gc
  • hxxp://www.fabricemontoyo.com/v8li8

Recent spam campaign and trends

The latest Nemucod telemetry for the past 15 days shows that it has been constantly active, although there haven’t been any huge spikes.

Figure 4: Daily detection trend for Nemucod. These are the unique machine encounters per day

Figure 5: Geographic distribution of Nemucod. Data taken from July 3 to July 18, 2016

Other than the ..wsf and @cc_on techniques, we’ve also seen different and old tricks used as part of its social engineering tactics. These include, but are not limited to:

  • Double extension (for example: <filename>pdf.js)
  • Invoice, receipt, and delivery related file names such as DHL, FedEx delivery, and so forth
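As an added example (not code from the MMPC post), the following Python script applies the two checks a mail gateway or an analyst would want for the lures described above: file-name heuristics for the double-dot, script-extension and double-extension tricks, and, for a .wsf attachment, extraction of the script bodies and of any code wrapped in JScript conditional-compilation comments (`/*@cc_on ... @*/`), which a scanner that strips C-style comments would otherwise discard. All function names, the lure-word list, and the sample WSF are assumptions constructed for the demonstration; the marker string stands in for the encrypted payload, and the real decryption routine is not reproduced.

```python
"""Attachment triage for the Nemucod lures described above (added example)."""
import re
import xml.etree.ElementTree as ET

SCRIPT_EXTS = {"js", "jse", "wsf", "vbs", "vbe"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Lure words seen in this and earlier campaigns (constructed, non-exhaustive list)
LURE_WORDS = ("invoice", "receipt", "delivery", "dhl", "fedex", "spreadsheet", "profile")

# JScript conditional-compilation comment: /*@cc_on ... @*/, /*@if ... @*/, /*@end @*/
CC_BLOCK = re.compile(r"/\*@(.*?)@\*/", re.DOTALL)


def name_findings(filename):
    """Return the suspicious traits of an attachment file name (empty list if none)."""
    low = filename.lower()
    parts = low.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    findings = []
    if ext in SCRIPT_EXTS:
        findings.append(f"script extension .{ext}")
    if re.search(r"\.\.[a-z0-9]+$", low):                      # profile-d39a..wsf
        findings.append("double dot before extension")
    if len(parts) >= 3 and parts[-2] in DOC_EXTS and ext in SCRIPT_EXTS:
        findings.append(f"double extension .{parts[-2]}.{ext}")  # invoice.pdf.js
    for word in LURE_WORDS:
        if word in low:
            findings.append(f"lure word '{word}'")
    return findings


def wsf_scripts(wsf_text):
    """Return (language, code) for every <script> element in a WSF container."""
    root = ET.fromstring(wsf_text)
    return [(s.get("language", ""), s.text or "") for s in root.iter("script")]


def hidden_cc_code(script_text):
    """Code wrapped in /*@ ... @*/: a comment to a naive parser, live code to JScript."""
    return [m.group(1).strip() for m in CC_BLOCK.finditer(script_text)]


def naive_comment_strip(script_text):
    """What a scanner that treats every /* */ and // as a comment is left with."""
    text = re.sub(r"/\*.*?\*/", "", script_text, flags=re.DOTALL)
    return re.sub(r"//[^\n]*", "", text)   # crude: also hits '//' inside strings


def cc_aware_strip(script_text):
    """Same, but conditional-compilation blocks are unwrapped first so their code survives."""
    unwrapped = CC_BLOCK.sub(lambda m: m.group(1), script_text)
    return naive_comment_strip(unwrapped)


def triage_attachment(filename, body=None):
    """Combine both checks; `body` is the attachment text when the file is a .wsf."""
    report = {"name": filename, "name_findings": name_findings(filename),
              "scripts": [], "hidden_blocks": []}
    if body is not None and filename.lower().endswith(".wsf"):
        for language, code in wsf_scripts(body):
            report["scripts"].append(language)
            report["hidden_blocks"].extend(hidden_cc_code(code))
    report["suspicious"] = bool(report["name_findings"] or report["hidden_blocks"])
    return report


# Constructed sample: a benign echo, plus a marker hidden in a cc_on block.
# The real Nemucod decryptor and payload are not reproduced here.
SAMPLE_WSF = """<job id="Main">
<script language="JScript"><![CDATA[
// harmless-looking header comment
/*@cc_on
var marker = "CODE-INSIDE-CONDITIONAL-COMPILATION";  // constructed placeholder
@*/
WScript.Echo("hello");
]]></script>
</job>
"""

if __name__ == "__main__":
    for name in ("profile-d39a..wsf", "spreadsheet_07a..wsf",
                 "invoice_2016.pdf.js", "quarterly_report.pdf"):
        print(name, "->", name_findings(name))
    report = triage_attachment("profile-d39a..wsf", SAMPLE_WSF)
    print("scripts:", report["scripts"], "hidden blocks:", report["hidden_blocks"])
    code = wsf_scripts(SAMPLE_WSF)[0][1]
    print("naive strip keeps marker?   ", "marker" in naive_comment_strip(code))
    print("cc-aware strip keeps marker?", "marker" in cc_aware_strip(code))
```

The point of the two stripping functions is the evasion the post describes: a scanner that discards everything between `/*` and `*/` never sees the decryptor, while a JScript engine executes it; a detection pipeline that normalizes scripts before matching should unwrap `/*@ ... @*/` first.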

Nemucod infection chain

Nemucod infection chain, showing a spam email distributing a WSF file which downloads and runs malware

Just like the Nemucod campaigns before this, the malware downloader payload includes ransomware, such as:

Mitigation and prevention

To avoid falling prey to this new Nemucod malware campaign:

Francis Tan Seng and Alden Pornasdoro
MMPC

Categories: Uncategorized Tags:

Kovter becomes almost file-less, creates a new file type, and gets some new certificates

July 22nd, 2016 No comments

Trojan:Win32/Kovter is a well-known click-fraud malware family that is challenging to detect and remove because of its file-less persistence on infected PCs. In this blog, we share some technical details about the latest changes we have seen in Kovter’s persistence method and some updates on its latest malvertising campaigns.

New persistence method

Since June 2016, Kovter has changed its persistence method to make remediation harder for antivirus software.

Upon installation, Kovter generates and registers a new random file extension (for example, .bbf5590fd) and defines a new shell open verb to handle this specific extension by setting the following registry keys:

Figure 1: Registry setup for Kovter

With this setup, every time a file with the custom file extension (.bbf5590fb) is opened, the malicious Kovter command contained in the registry key is executed via the shell extension open verb.

Therefore, all Kovter needs to do to run on an infected machine is open a file with its custom file extension .bbf5590fb, causing the malicious shell open command to run. This in turn runs a command using mshta.

Mshta is a clean (legitimate) Windows tool that Kovter uses to execute malicious JavaScript. This JavaScript then loads the main payload from another registry location, HKCU\software\67f1a6b24cd0db239. To trigger this shell open command on a regular basis, Kovter drops several garbage files with its custom file extension in different locations, for example:

The contents of these files are not important, since the malicious code is contained within the shell open verb registry key. The last step in the installation process is setting up the auto-start mechanism that automatically opens the above files. Kovter uses both a shortcut file and a batch (.bat) file for this:

Using a shortcut file

Kovter drops a shortcut file (.lnk) in the Windows startup folder which points to the garbage files. We have seen it drop the following shortcut file:

  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\28dd1e3d.lnk

The target command of the shortcut file is the following:

C:\Windows\System32\cmd.exe /C start "" "C:\Users\Admin\AppData\Roaming\33e588393ad319e6.bbf5590fd"

Once executed at startup, this command opens the file, causing the malicious shell open verb to run the malicious mshta command previously set up in the registry (see Figure 1).

Using a batch script file

Kovter also drops a batch script file (.bat) and sets a registry run key to execute it. The .bat file is dropped in a randomly generated folder, such as:

The .bat file has the following content:

Figure 2: Content of the .bat file set up in the run key

Once executed, this .bat file also opens the dropped file, which then triggers the malicious shell open verb.

Instead of adding the mshta script directly as a run-key registry value, as the old variant did, Kovter now uses this shell open trick to start itself. Although Kovter is technically no longer fully file-less after this latest update, the majority of the malicious code is still held only within the registry. To remove Kovter completely from an infected computer, antivirus software needs to remove all of the dropped files as well as the registry changes.
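As an added example (not code from the MMPC post), the following Python script triages a registry export for the persistence pattern described in this section: a registered file extension whose ProgId's shell open command runs a script host such as mshta, a Run value pointing into a user-writable folder or at a batch file, and a startup command (like the shortcut target shown above) that opens a file with one of the flagged extensions. The `.reg` text is constructed for the demonstration; the `.bbf5590fd` extension, the `28dd1e3d` name and the shortcut target command come from the post, while the exact key paths under `HKEY_CURRENT_USER\Software\Classes`, the `.bat` folder and the `javascript:` placeholder are assumptions.

```python
"""Registry-export triage for Kovter-style shell-open persistence (added example)."""
import re

# Constructed .reg export: one Kovter-style custom extension, its shell open verb running
# mshta, a Run value pointing at the dropped .bat, and a normal .txt class as a control.
# Key paths and the .bat location are assumptions for this demo; the payload is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.bbf5590fd]
@="bbf5590fd"

[HKEY_CURRENT_USER\Software\Classes\bbf5590fd\shell\open\command]
@="\"C:\\Windows\\System32\\mshta.exe\" \"javascript:PLACEHOLDER_LOADER_SCRIPT\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"28dd1e3d"="C:\\Users\\Admin\\AppData\\Local\\3f9c1b\\28dd1e3d.bat"

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"

[HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

# Target command of the startup shortcut from the post
LNK_TARGET = r'C:\Windows\System32\cmd.exe /C start "" "C:\Users\Admin\AppData\Roaming\33e588393ad319e6.bbf5590fd"'

SCRIPT_HOSTS = re.compile(r"\b(mshta|wscript|cscript|powershell)(\.exe)?\b|\b(javascript|vbscript):", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public)\\", re.I)


def parse_reg(text):
    """Minimal .reg parser: {key_path: {value_name: value}} for string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):        # unescape \" and \\
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = value
    return keys


def registered_extensions(keys):
    """Map '.ext' -> (classes root, ProgId) for every extension key in the export."""
    exts = {}
    for key, values in keys.items():
        root, _, leaf = key.rpartition("\\")
        if leaf.startswith(".") and (root == "HKEY_CLASSES_ROOT" or root.endswith("\\Classes")):
            exts[leaf] = (root, values.get("(Default)", ""))
    return exts


def open_command(keys, root, progid):
    return keys.get(f"{root}\\{progid}\\shell\\open\\command", {}).get("(Default)", "")


def looks_random(ext):
    """Kovter-style extension: long, hex-looking, not a known type (heuristic)."""
    return re.fullmatch(r"\.[0-9a-f]{7,}", ext.lower()) is not None


def find_kovter_style_persistence(keys):
    """Return (kind, name, command) findings: suspicious shell open verbs and Run values."""
    findings = []
    for ext, (root, progid) in registered_extensions(keys).items():
        cmd = open_command(keys, root, progid)
        if progid and cmd and (SCRIPT_HOSTS.search(cmd) or looks_random(ext)):
            findings.append(("shell-open-verb", ext, cmd))
    for key, values in keys.items():
        if key.lower().endswith("\\currentversion\\run"):
            for name, cmd in values.items():
                if USER_WRITABLE.search(cmd) or cmd.lower().endswith((".bat", ".cmd", ".lnk")):
                    findings.append(("run-key", name, cmd))
    return findings


def opens_custom_extension(command, flagged_exts):
    """Does a startup command (e.g. an .lnk target) open a file with a flagged extension?"""
    for path in re.findall(r'"([^"]*)"', command):
        if any(path.lower().endswith(ext.lower()) for ext in flagged_exts):
            return True
    return False


if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    findings = find_kovter_style_persistence(keys)
    for kind, name, cmd in findings:
        print(f"[{kind}] {name}: {cmd}")
    flagged = [name for kind, name, _ in findings if kind == "shell-open-verb"]
    print("startup shortcut opens a flagged extension:", opens_custom_extension(LNK_TARGET, flagged))
```

The same three checks map directly onto the cleanup the post calls for: the extension class and its shell open verb, the Run value, and the startup shortcut all have to go, not just the garbage files.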

Windows Defender is able to successfully clean up and remove these new versions of this threat.

Kovter malvertising updates

Since our last blog on Kovter spreading through malicious advertisements as a fake Adobe Flash update, we have observed some changes.

On top of the fake Adobe Flash updates, Kovter is now also pretending to be a Firefox update. Kovter has also rotated through a series of new digital certificates, including the following:

Certificate signer hash                    Valid from    Valid until
7e93cc85ed87ddfb31ac84154f28ae9d6bee0116   Apr 21 2016   Apr 21 2017
78d98ccccc41e0dea1791d24595c2e90f796fd48   May 13 2016   May 13 2017
c6305ea8aba8b095d31a7798f957d9c91fc17cf6   Jun 22 2016   Jun 22 2017
b780af39e1bf684b7d2579edfff4ed26519b05f6   May 12 2016   May 12 2017
a286affc5f6e92bdc93374646676ebc49e21bcae   May 13 2016   May 13 2017
ac4325c9837cd8fa72d6bcaf4b00186957713414   Nov 18 2015   Nov 17 2016
ce75af3b8be1ecef9d0eb51f2f3281b846add3fc   Dec 28 2015   Dec 27 2016

Table 1: List of certificates used by Kovter

We’ve noticed that every time the Kovter actors release a new wave of samples signed with a new certificate, they hit a lot of machines. This can be seen in our telemetry for the past three months, with spikes on May 21, June 14, and the first week of July.

Figure 3: Kovter’s prevalence for the past two months

Besides fake Adobe Flash and Firefox updates, Kovter also pretends to be a Chrome update (chrome-update.exe).

We have seen Kovter downloaded from a large list of URLs, including:

  • hxxps://eepheverseoftheday.org/2811826639187/2811826639187/146819749948281/FlashPlayer.exe
  • hxxps://deequglutenfreeclub.org/8961166952189/8961166952189/146809673281840/FlashPlayer.exe
  • hxxps://zaixovinmonopolet.net/5261173544131/5261173544131/146785099939564/FlashPlayer.exe
  • hxxps://feehacitysocialising.net/7561659755159/1468089713424429/firefox-patch.exe
  • hxxps://eepheverseoftheday.org/1851760268603/1851760268603/1468192094476645/firefox-patch.exe
  • hxxps://uchuhfsbox.net/8031143191240/8031143191240/1467996389305283/firefox-patch.exe
  • hxxps://ierairosihanari.org/1461656983266/1461656983266/1467987174641688/firefox-patch.exe
  • hxxps://anayimovilyeuros.net/7601143032510/7601143032510/1465468888898207/chrome-patch.exe

For reference, here are some SHA1s of samples corresponding to each certificate used by Kovter:

Certificate signer hash                    Sample SHA1
7e93cc85ed87ddfb31ac84154f28ae9d6bee0116   7177811e2f7be8db2a7d9b1f690dc9e764fdc8a2
78d98ccccc41e0dea1791d24595c2e90f796fd48   da3261ceff37a56797b47b998dafe6e0376f8446
c6305ea8aba8b095d31a7798f957d9c91fc17cf6   c3f3ecf24b6d39b0e4ff51af31002f3d37677476
b780af39e1bf684b7d2579edfff4ed26519b05f6   c49febe1e240e47364a649b4cd19e37bb14534d0
a286affc5f6e92bdc93374646676ebc49e21bcae   3689ff2ef2aceb9dc0877b38edf5cb4e1bd86f39
ac4325c9837cd8fa72d6bcaf4b00186957713414   e428de0899cb13de47ac16618a53c5831337c5e6
ce75af3b8be1ecef9d0eb51f2f3281b846add3fc   b8cace9f517bad05d8dc89d7f76f79aae8717a24

Table 2: List of Kovter SHA1s for each certificate

To protect yourself from this type of attack, we encourage users to download and install applications and their updates only from the original, trusted websites.

Using an up-to-date version of an antimalware scanner like Windows Defender will also help you to stay protected from Kovter.

Duc Nguyen
MMPC

Categories: Uncategorized Tags:

New Microsoft Azure Security Capabilities Now Available

In November, Microsoft CEO Satya Nadella outlined a new comprehensive, cross company approach to security for our mobile-first, cloud-first world. To support this approach, Microsoft invests more than a billion dollars in security research and development, every year. Today we are announcing the general availability of key security capabilities in the Microsoft Cloud, which are products of this research and development investment: Azure Security Center, Azure Active Directory Identity Protection, and Azure Active Directory Privileged Identity Management.

These investments strengthen our efforts in three important areas:

  1. To deliver a holistic security platform where our products and services work in concert with each other, and with our partners in the security ecosystem, to protect our customers.
  2. To apply Microsoft’s unique insights into the threat landscape, informed by trillions of signals from billions of sources, which create an intelligent security graph that we use to inform how we protect all endpoints, better detect attacks, and accelerate our response.
  3. To ensure that when your organization leverages the Microsoft Cloud, it can improve your security posture versus what you can do to protect your on-premises IT environment alone.

Azure Security Center is generally available
We are announcing that Azure Security Center is generally available. Azure Security Center provides customers around the world with security management and monitoring capabilities for the millions of resources they run in Microsoft Azure, helping them keep pace with rapidly evolving threats in ways they likely could not achieve in their own datacenters.

Driven by Microsoft’s new approach to security, Azure Security Center is transforming how customers protect their cloud workloads. Powered by advanced analytics and a rich set of protection capabilities built into Azure, Security Center helps customers protect, detect, and respond to threats.

Since the preview launched in December 2015, Azure Security Center has helped protect over 100,000 Azure subscribers and hundreds of thousands of virtual machines, providing our customers with a unified view of the security state of all their cloud workloads, recommending ways to strengthen their security posture in accordance with their company policies, and using behavioral analysis and machine learning to detect threats.

In addition, Azure Security Center integrates with an ecosystem of partners like Barracuda.

“Microsoft is an important partner to Barracuda as we look to help customers improve security for their deployments in Azure. Azure Security Center is just one part of the compelling security agenda we have seen from Microsoft, and we believe the way it integrates Barracuda solutions will be a great benefit to our customers,” said Nicole Napiltonia, VP Strategic Alliances at Barracuda.

In addition to announcing general availability, Azure Security Center includes a number of new features today:

  • Integrated vulnerability assessment from partners like Qualys
  • Options for integrating Security Center recommendations and alerts with existing operations and security information event management (SIEM) solutions
  • Expanded support for Linux and Cloud Services VMs
  • New algorithms which detect lateral movement, internal reconnaissance, outgoing attacks, malicious scripts, and more
  • Alerts are now mapped against cyber kill chain patterns to provide customers with a single view of an attack campaign and all of the related alerts – so they can quickly understand what actions the attacker took and what resources were impacted

You can get more details on new security capabilities for Azure customers from the blog post by Sarah Fender, Principal Program Manager, Azure Cybersecurity. The blog provides information on how to quickly get started with Azure Security Center to get better control and protection for your Azure resources.

Azure Active Directory Identity Protection
Another great example of a new Microsoft security investment is Azure Active Directory Identity Protection. Azure Active Directory security capabilities are built on Microsoft’s long experience protecting the identities used to access Microsoft’s consumer and enterprise services, and gain tremendous accuracy by analyzing the signal from over 14 billion logins every day to help identify potentially compromised user accounts.

Azure Active Directory Identity Protection builds on these capabilities and detects suspicious activities for end users and privileged identities based on signals like brute force attacks, leaked credentials, logins from unfamiliar locations and infected devices. Based on these suspicious activities, a user risk severity is calculated and risk-based policies can be configured allowing the service to automatically protect the identities of your organization from future threats.

Azure Active Directory Identity Protection will become generally available later in the quarter. Enterprise customers should evaluate the preview of Azure Active Directory Identity Protection now, so that they are ready to use it when it becomes generally available.

Azure Active Directory Privileged Identity Management
Some of the threats that keep Chief Information Security Officers up at night include threats to privileged identities like administrator accounts. Some examples of these threats include:

  • Malicious or rogue administrators
  • Administrator credentials leaked via phishing attacks
  • Administrator credentials cached on compromised systems
  • User accounts that are granted temporary elevated privileges that become permanent.

More and more organizations are realizing that they have to strictly manage privileged accounts and monitor their activities because of the risk associated with their misuse. With Azure AD Privileged Identity Management you can manage, control, and monitor access to resources in Azure AD as well as other Microsoft online services like Office 365 or Microsoft Intune.

Azure Active Directory Privileged Identity Management will become generally available later in the quarter. I encourage you to evaluate the preview that became available in May so that you are ready to adopt this great new cloud security capability when it is generally available next month.

More good news is that we’ve made it super easy and cost effective for enterprise customers to get Azure Active Directory Identity Protection and Azure AD Privileged Identity Management by including them in the new Microsoft Enterprise Mobility + Security (EMS) E5 suite. You can get all the details, including all the other mobility and security related products and services included in EMS that were just announced, here. If your security strategy reaches more broadly to include Office 365, Windows 10 Enterprise, and EMS, consider the recently announced offering called Secure Productive Enterprise.

These key cloud security capabilities are a big step forward, and will help our customers protect, detect and respond to threats in a mobile-first, cloud-first world. To learn more about our security strategy and investments, visit the Microsoft Secure website.

Michal Braverman-Blumenstyk
General Manager, Azure Security

Categories: Cloud Computing Tags:

MS16-094 – Important: Security Update for Secure Boot (3177404) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (July 18, 2016): Bulletin revised to add an Update FAQ to inform customers running Windows Server 2012 that they do not need to install the 3170377 and 3172727 updates in a particular order.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow Secure Boot security features to be bypassed if an attacker installs an affected policy on a target device. An attacker must have either administrative privileges or physical access to install a policy and bypass Secure Boot.

Categories: Uncategorized Tags:

MS16-092 – Important: Security Update for Windows Kernel (3171910) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (July 18, 2016): Bulletin revised to add an Update FAQ to inform customers running Windows Server 2012 that they do not need to install the 3170377 and 3172727 updates in a particular order.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow security feature bypass if the Windows kernel fails to properly validate permissions.

Categories: Uncategorized Tags:


Reverse engineering DUBNIUM –Stage 2 payload analysis

July 14th, 2016 No comments

Recently, we blogged about the basic functionality and features of the DUBNIUM advanced persistent threat (APT) activity group’s Stage 1 binary and the Adobe Flash exploit used during the December 2015 incident (Part 1, Part 2).

In this blog, we go through the overall infection chain structure and the Stage 2 executable details. Stage 2 executables are the core of this activity group’s operation, as they are the final payload delivered to the possible targets that match its profile.

Infection chain overview

The picture below shows the overall infection chain we analyzed.

Figure 1: Infection chain overview

In most cases, the daily operation of the DUBNIUM APT depends on social engineering through spear-phishing. The group has been observed to rely mainly on an .LNK file with an icon that looks like a Microsoft Word file. If the victim clicks the file thinking it is a Microsoft Office Word document, it downloads a simple dropper that will download and execute the next-stage binary, which in this case has the file name kernelol21.exe.

The Stage 1 binary extensively checks the system for the presence of security products and the usual analysis tools used by reverse engineers and security analysts. It passes the client’s IP address, hostname, MAC address, software profile information, and locale information to the download server. When the server decides that the client matches the profile of a possible target, the next-stage dropper is downloaded.

Stage 0: Social Engineering vs. Exploits

In our previous blogs we described the Adobe Flash exploit the malware recently used. In this blog we provide a brief overview of the social engineering method DUBNIUM uses in its daily infection operations. The activity group uses an .LNK file with the icon image of a Word document as one of its social engineering methods.

Figure 2: Shortcut icon disguised as a Word document

The shortcut contains commands to download and execute the next-level executable or script. Unsuspecting victims double-click this icon and unknowingly launch a PowerShell command.

Figure 3: The commands in the shortcut

For example, the following shows the script that downloads a binary and executes it on the target system using PowerShell.

Figure 4: PowerShell script for downloading and execution of the next-stage binary

To make the attack look more benign, the dropper drops an Office Word document and displays it on the screen. One of the samples we saw had content similar to the following screenshot:

Figure 5: Fake document contents: North Korean-style language and mentions of North Korean leaders with a New Year’s celebration

Stage 2 infection process

Acquiring a Stage 2 binary is very difficult for analysts because the download server is very selective about its infection targets. The main direction of the infection strategy is not to infect as many machines as possible; instead it focuses on infecting targets that match the desired profile while avoiding detection by security products. One very interesting fact is that the command and control (C2) server we have been observing didn’t go down for months. Overall security product coverage of Stage 2 executables is very poor, so the strategy of this activity group (a very selective Stage 2 infection) appears to have been effective.

The following diagram shows the transition from Stage 1 to Stage 2 through the downloaded binary.

Figure 6: Stage 1 to 2 transition

The dropped binary (the dropper PE module) is never written to disk; it is injected directly into a newly created process. In this case plasrv.exe is used, but the process name can vary each time. The dropper PE module drops kbkernelolUpd.dll and kernelol21.exe (which happens to have the same name as the Stage 1 binary, but different contents). The dropper PE module then looks for a usual system process, dwm.exe in this case, and injects kbkernelolUpd.dll into it.

This is the main C2 client, which communicates with the C2 server and processes the downloaded commands. It performs the extra work of creating a process from a usual Windows binary under the system folder and injecting the kernelol21.exe binary into it. That is a process persistence module, which re-injects kbkernelolUpd.dll if its host process is killed for some reason. The kbkernelolUpd.dll module in turn constantly monitors the existence of the process hosting kernelol21.exe, and re-launches and re-injects the module if that host process is killed. This makes a process persistence loop.

The following screenshot shows the typical process tree when the Stage 2 infection happens. The dwm.exe and cipher.exe processes are injected with kbkernelolUpd.dll and kernelol21.exe respectively.

Typical process list with Stage 2 infection

Figure 7: Typical process list with Stage 2 infection

 

The persistency of the whole infection is carried by the Windows logon key shown in the following picture.

kernelol21.exe load key

Figure 8: kernelol21.exe load key

 

The following table shows the injection targets used in each stage. All injection target process files are default Windows executables under the system32 folder.

Component: Stage 1 dropper PE module
Injection targets:
  • plasrv.exe
  • wksprt.exe
  • raserver.exe
  • mshta.exe
  • taskhost.exe
  • dwm.exe
  • sdiagnhost.exe
  • winrshost.exe
  • wsmprovhost.exe
Description: Creates a new process

Component: Stage 2 kbkernelolUpd.dll
Injection targets:
  • dwm.exe
  • wuauclt.exe
  • ctfmon.exe
  • wscntfy.exe
Description: Injects into an existing process. If that process is killed, svchost.exe will be created by the Stage 2 kernelol21.exe module.

Component: Stage 2 kernelol21.exe
Injection targets:
  • cipher.exe
  • gpupdate.exe
  • services.exe
  • sppsvc.exe
  • winrshost.exe
Description: Creates a new process

Table 1: DUBNIUM infection targets

 

Process image replacement technique

When the main C2 client module, kbkernelolUpd.dll, is injected, it uses a LoadLibrary call initiated through the CreateRemoteThread API. This is a very typical technique used by a lot of malware.

Injected LoadLibrary code

Figure 9: Injected LoadLibrary code

 

But for the dropper PE module in Stage 1 and the kernelol21.exe injection in Stage 2, it uses a process image replacement technique. It creates a usual Windows process, injects the PE module into this process, fabricates PEB information, and modifies the startup code to achieve process injection.

 

Writing PE Image

The technique starts with creating a process from an executable under the Windows system folder. Table 1 shows the target processes the injection will be made into, depending on the stage and the binary. The process is created suspended and modifications are then performed on its image. The first step is writing the infection PE image into the process, using the WriteProcessMemory API.

Figure 10 shows the code that injects the PE header, and Figure 11 shows the memory of the target process where the PE header is injected.

Injecting PE header

Figure 10: Injecting PE header

 

PE header written on target process

Figure 11: PE header written on target process

 

After injecting the PE header, it goes through each section of the source PE image and injects them one by one into the target process's memory space.

PE section injection

Figure 12: PE section injection

 

The injected PE module depends on hardcoded base and section addresses. If the VirtualAlloc call for the desired base or section addresses fails, the whole injection process fails.

 

Acquiring context and PEB information

The next step of the infection is using the GetThreadContext API to retrieve the current thread context of the target process.

GetThreadContext

Figure 13: GetThreadContext

 

One of the thread contexts retrieved is shown in the following image.

Retrieved Context

Figure 14: Retrieved Context

 

When the process is started as suspended, the ebx register is initialized with a pointer to the PEB structure. The following shows the original PEB data from the target process. The ImageBaseAddress member is at offset +8 and its value is 0x00e0000 in this case. This is the image base of the main module of the target process.

Original PEB structure

Figure 15: Original PEB structure

 

After retrieving the PEB.ImageBaseAddress from the target process (Figure 16), it will replace it with the base address of the injected module (Figure 17).

Reading PEB.ImageBaseAddress

Figure 16: Reading PEB.ImageBaseAddress

Overwriting PEB.ImageBaseAddress

Figure 17: Overwriting PEB.ImageBaseAddress

 

The PEB.ImageBaseAddress of the target process is replaced, as in the following figure, to point to the base address of the injected PE module.

Overwritten PEB.ImageBaseAddress

Figure 18: Overwritten PEB.ImageBaseAddress

 

Overwriting wmainCRTStartup

 

After overwriting PEB.ImageBaseAddress with the injected module's base address, the next step is patching the wmainCRTStartup code of the original main module.

wmainCRTStartup patch code

Figure 19: wmainCRTStartup patch code

 

The following code shows the original disassembly of the wmainCRTStartup code.

Original code

Figure 20: Original code

 

After the patch, it simply jumps to address 0x4053d0, the entry point of the injected module. When ResumeThread is called on this thread, the main module starts executing from the injected module's entry code.

Patched code

Figure 21: Patched code
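The artifacts this procedure leaves behind (a PEB.ImageBaseAddress that no longer matches the module the loader mapped, a PE header at that address that differs from the file on disk, and a patched startup routine) are what a defender can check for. The following Python is an added example and not code from the report: parse_pe32, build_pe32_header, build_peb32 and hollowing_indicators are hypothetical helpers, the PE header and PEB bytes are constructed, and the jmp rel32 opcode (0xE9) at the patched entry is an assumption about how the patch in Figure 21 is encoded.

```python
"""Indicators of the image-replacement technique described above.
Added example (not from the report): PE headers and the PEB prefix are
constructed here; on a live host the same bytes would come from
ReadProcessMemory and the PEB address from NtQueryInformationProcess."""
import struct

PEB_IMAGE_BASE_OFFSET = 8   # PEB.ImageBaseAddress at +8 on 32-bit Windows (0x10 on x64)
JMP_REL32 = 0xE9            # assumed encoding of the patched wmainCRTStartup (Figure 21)


def parse_pe32(hdr: bytes) -> dict:
    """Extract ImageBase and AddressOfEntryPoint from a PE32 header blob."""
    if hdr[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
    if hdr[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                        # skip signature + COFF header
    if struct.unpack_from("<H", hdr, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", hdr, opt + 16)[0]
    image_base = struct.unpack_from("<I", hdr, opt + 28)[0]
    return {"image_base": image_base, "entry_rva": entry_rva}


def build_pe32_header(image_base: int, entry_rva: int) -> bytes:
    """Constructed minimal PE32 header: just enough for parse_pe32, not loadable."""
    hdr = bytearray(0x100)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 4 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)        # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, entry_rva)
    struct.pack_into("<I", hdr, opt + 28, image_base)
    return bytes(hdr)


def build_peb32(image_base: int) -> bytes:
    """Constructed PEB prefix with ImageBaseAddress at +8 (other fields zero)."""
    peb = bytearray(0x40)
    struct.pack_into("<I", peb, PEB_IMAGE_BASE_OFFSET, image_base)
    return bytes(peb)


def hollowing_indicators(peb: bytes, loader_base: int, mem_hdr: bytes,
                         disk_hdr: bytes, entry_code: bytes) -> list:
    """Return the indicator names that fire for one process; [] means clean.

    peb         -- bytes read from the process's PEB
    loader_base -- main-module base as reported by the loader's module list
    mem_hdr     -- PE header read from memory at the address PEB.ImageBaseAddress holds
    disk_hdr    -- PE header of the backing file on disk
    entry_code  -- first bytes of the on-disk entry routine as seen in memory
    """
    findings = []
    peb_base = struct.unpack_from("<I", peb, PEB_IMAGE_BASE_OFFSET)[0]
    if peb_base != loader_base:                    # Figures 17 and 18
        findings.append("peb_imagebase_mismatch")
    if parse_pe32(mem_hdr) != parse_pe32(disk_hdr):  # Figures 10 to 12
        findings.append("header_differs_from_disk")
    if entry_code[:1] == bytes([JMP_REL32]):       # Figures 19 to 21
        findings.append("entry_patched_with_jmp")
    return findings


if __name__ == "__main__":
    disk = build_pe32_header(0x00E00000, 0x1000)
    clean = hollowing_indicators(build_peb32(0x00E00000), 0x00E00000,
                                 disk, disk, b"\x55\x8b\xec")
    hollowed = hollowing_indicators(build_peb32(0x00400000), 0x00E00000,
                                    build_pe32_header(0x00400000, 0x53D0),
                                    disk, b"\xE9\x00\x00\x00\x00")
    print("clean:", clean, "hollowed:", hollowed)
```

Any one indicator can have benign causes (relocated images, hot-patched entry points), so treat the combination, not a single hit, as the signal.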

 

Main C2 Client (kbkernelolUpd.dll)

As kbkernelolUpd.dll is the main module of the infection chain, we will focus on the analysis of this binary. As stated before, detection coverage and information on this specific component are limited in the security industry.

 

The string for the C2 server hostname and URI is encoded in a configuration block inside the binary.

C2 server string decoding

Figure 22: C2 server string decoding

 

In the following disassembly listing, get_command uses wininet.dll APIs to send basic client information and retrieve commands from the server. process_command is the routine that parses the message and executes the designated commands.

C2 command fetch & execution loop

Figure 23: C2 command fetch & execution loop

 

Between each contact with the C2 server there is a timeout. The timeout value is saved inside the encoded configuration block in the binary. For example, the sample we worked on had a 30-minute timeout between contact requests to the server.

Sleep interval between C2 accesses

Figure 24: Sleep interval between C2 accesses

 

Cryptographic C2 channel and message format

The following diagram shows the basic message format of the C2 server payload that is downloaded when the client contacts the server.

Decrypting C2 message

Figure 25: Decrypting C2 message

 

The message from the C2 server can be encoded in various ways. The first byte in the payload is the XOR key used to decode the following bytes. The encryption type byte indicates which encryption algorithm the code uses; three different encryption schemes (0x50, 0x58, 0x70) are supported.

From our static analysis, 0x58 is for the AES-256 algorithm, and 0x70 and 0x50 are for the 3DES-168 algorithm. If the type is 0x40, no encryption is used. The 0x50 and 0x58 encryption types do not appear to be fully implemented yet, so 0x70 with 3DES-168 is the only encryption type that is fully working here.

The decryption scheme uses an RSA private key embedded in the binary, itself encrypted with a decryption key also embedded in the binary. By calling CryptHashData on the embedded password string and then CryptDeriveKey, it obtains a key to decrypt the encrypted RSA private key (Figure 26).

Setting encryption key

Figure 26: Setting encryption key

 

This decryption key is used to import the 0x258 bytes of private key embedded in the binary. The private key is then used to decrypt the encrypted key (Key data 02 in Figure 25) passed in the response packet from the C2 server. Next, the IV (initialization vector) passed in the response packet is set as a parameter on the key object.

Importing keys and IV

Figure 27: Importing keys and IV

 

Finally, the actual decryption of the payload happens through the CryptDecrypt API call. The question remains why the C2 server and the client use such an overcomplicated encryption scheme.

Decrypting message

Figure 28: Decrypting message

 

Command processor

The C2 command processor looks very typical. It has a simple packet parser for a TLV (type, length, value) data structure. The following picture shows the main routine that processes packet length and type, and calls the relevant function for each packet type.

Main command processor function

Figure 29: Main command processor function

 

Each command provides the usual functionality seen in backdoors: registry and file system manipulation, searching for files matching specific patterns and transferring them back to the server, and gathering network status information.
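The envelope described under "Cryptographic C2 channel and message format" (XOR key byte, then the encryption type byte with the values listed there) and the TLV command stream described in this section, decoded offline as an added example; this is not the report's code. The type-byte values and their algorithm mapping come from the analysis; the TLV field widths (little-endian u16 type, u32 length), the record layout, build_envelope and the sample commands are constructed assumptions, and the RSA/3DES unwrapping for type 0x70 is deliberately not implemented here because it needs the sample's private key.

```python
"""Offline decoder for the DUBNIUM C2 envelope and TLV command stream as the
analysis describes them.  Added example, not code from the report: the outer
layer follows the text, the TLV field widths are an assumption."""
import struct

ENC_3DES_A, ENC_AES256, ENC_3DES_B, ENC_NONE = 0x50, 0x58, 0x70, 0x40
ENC_NAMES = {
    ENC_NONE: "none",
    ENC_3DES_A: "3des-168 (not fully implemented in the sample)",
    ENC_AES256: "aes-256 (not fully implemented in the sample)",
    ENC_3DES_B: "3des-168",
}


def xor_decode(payload: bytes) -> bytes:
    """The first byte is the key; every following byte is XORed with it."""
    if len(payload) < 2:
        raise ValueError("payload too short for key byte + type byte")
    key = payload[0]
    return bytes(b ^ key for b in payload[1:])


def parse_tlv(body: bytes) -> list:
    """Walk (type, length, value) records; reject lengths that overrun the body."""
    records, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 6:
            raise ValueError(f"truncated TLV header at offset {pos}")
        rtype, rlen = struct.unpack_from("<HI", body, pos)   # assumed widths
        pos += 6
        if rlen > len(body) - pos:
            raise ValueError(f"TLV length {rlen} overruns body at offset {pos}")
        records.append((rtype, body[pos:pos + rlen]))
        pos += rlen
    return records


def decode_envelope(payload: bytes) -> dict:
    """Strip the XOR layer, classify the encryption type, parse commands if clear."""
    plain = xor_decode(payload)
    enc = plain[0]
    if enc not in ENC_NAMES:
        raise ValueError(f"unknown encryption type 0x{enc:02x}")
    result = {"encryption": ENC_NAMES[enc], "commands": None}
    if enc == ENC_NONE:
        result["commands"] = parse_tlv(plain[1:])
    # For 0x70 the remaining bytes carry the RSA-wrapped 3DES key ("Key data 02"),
    # the IV and the ciphertext; unwrapping them needs the sample's RSA private key.
    return result


def build_envelope(key: int, enc: int, records: list) -> bytes:
    """Constructed payload in the same layout, for offline testing only."""
    body = b"".join(struct.pack("<HI", t, len(v)) + v for t, v in records)
    return bytes([key]) + bytes(b ^ key for b in bytes([enc]) + body)


if __name__ == "__main__":
    sample = build_envelope(0x5A, ENC_NONE, [(1, b"reg_query"), (2, b"C:\\*.docx")])
    print(decode_envelope(sample))
```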

Infection statistics

The following chart shows the relative prevalence of the threat overall. We included Stage 1 and Stage 2 payload detections in this map.

Bar chart showing countries with most infections in China and Japan

Figure 30: Infection distribution by countries

 

Most of the infections we saw were concentrated in East Asia, mostly China and Japan. We already described that the Stage 1 dropper collects and sends the IP address and language locale of the machines it infects to the Stage 2 dropper distribution site. We think this distribution site has logic to determine whether to drop the next payload or not.

The Stage 1 dropper is also known to collect information on culture-specific software such as messengers and security software mainly used in mainland China. If the distribution site does not push back a Stage 2 payload, the Stage 1 payload has no means of persistency at all. This means that, for all the cost of infiltrating the machine, the malware simply gives up on it if the machine does not fit its profile. Based on the actual infection map and the behavior of the Stage 1 dropper, this is a good indication that the activity group has a strong geolocation preference for its targets.

 

Conclusion

DUBNIUM is a very cautious actor. Looking at vendor detections for Stage 2 binaries, we can see that there is no serious detection of them in the industry. This is partially due to the strategy DUBNIUM employs: it does not try to infect as many machines as possible, since that would potentially expose important components, like the C2 client modules, to unintended targets. The very long lifespan of the domain it controls and uses for C2 operation supports this.

Another feature of DUBNIUM is its use of encoding and encryption schemes over both the executables and the network protocols. Each stage has a different style of encoding and decoding scheme; some are complicated and some are relatively simple. Stage 1 binaries have a stronger obfuscation and payload encoding scheme than Stage 2 binaries. The C2 server payload has its own format with support for encrypted messages.

The other feature of DUBNIUM is that at each stage it always checks the running environment. In Stage 1 it focuses on security products and analyst tools, while in the Stage 2 binaries it is very cautious about debugging tools. From Stage 1 it also collects extensive information on the client system, including locale, IP and MAC address, which is sent to the Stage 2 distribution site. The distribution site serves each client only once, based on this information. Getting served the next-stage binary is sometimes very challenging, as we do not know the backend algorithm that determines whether to serve it or not.

 

Appendix – Indicators of Compromise

 


Acknowledgement: Special thanks to Mathieu Letourneau at MMPC for providing statistical coverage data on the DUBNIUM multi-stage samples and providing insight on the interpretation of the data. Special thanks to HeungSoo David Kang for providing screenshots from the fake Office Word document file.

 

Jeong Wook Oh
MMPC

 


Troldesh ransomware influenced by (the) Da Vinci code

July 13th, 2016 No comments

We at the MMPC are constantly tracking new and emerging ransomware threats so we can be one step ahead of active campaigns and help protect our users. As part of these efforts, we recently came across a new variant of the Win32/Troldesh ransomware family.

Ransomware, like most malware, is constantly trying to change itself in an attempt to evade detection. In this case, we’ve seen the following updates to Troldesh:

  • Tor functionality
  • Glyph/symbol errors on the wallpaper ransom note
  • Modified extension names for encrypted files
  • New malware being delivered (Trojan:Win32/Mexar.A)
  • Updated ransom note to cover the Tor functionality

The biggest change in this update is the addition of Tor links. Using Tor addresses as the ransom payment method (as opposed to standard www addresses) is the current fashion among ransomware.

The ransom note now includes links to the Tor address (previously, the only method provided for obtaining decryption was an email address):

The ransom note now includes onion.to addresses for payment

However, upon investigation it appears that Tor has blocked the address:

Screenshot showing that the Troldesh payment site has been blocked by Tor

Errors have been introduced into the image that replaces the user's desktop wallpaper (this occurred in several samples, but not all):

Errors and unknown symbols have been seen in some versions of the wallpaper - the symbols look like blank boxes and random characters

After encryption, Troldesh changes the file’s extension. In the latest update, we’ve seen it use the following strings:

  • .da_vinci_code
  • .magic_software_syndicate

For example, an encrypted file might appear as follows:

A file name that is a series of random characters and ends in .da_vinci_code

The list of file types that Troldesh encrypts has also increased – see the Win32/Troldesh description for a full list.

Prevention

To help stay protected:

  • Keep your Windows operating system and antivirus up to date and, if you haven't already, upgrade to Windows 10.
  • Regularly back up your files to an external hard drive.
  • Enable File History or System Protection. On Windows 10 and Windows 8.1, set up a drive for File History.
  • Use OneDrive for Business.
  • Beware of phishing emails and spam, and avoid clicking on malicious attachments.
  • Use Microsoft Edge to get SmartScreen protection. It can help warn you about sites that are known to be hosting exploits, and help protect you from socially engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs.
  • Disable the Remote Desktop feature whenever possible.
  • Use two-factor authentication.
  • Use a safe Internet connection.
  • Avoid browsing websites that are known for being malware breeding grounds (such as illegal music, movie, TV and software download sites).

Detection

Recovery

In the Office 365 “How to deal with ransomware” blog, there are several options on how you might be able to remediate or recover from a ransomware attack, including backup and recovery using File History in Windows 10 and System Restore in Windows 7.

You can also use OneDrive and SharePoint to backup and restore your files:

  

Patrick Estavillo
MMPC


MS16-077 – Important: Security Update for WPAD (3165191) – Version: 1.2

Severity Rating: Important
Revision Note: V1.2 (July 13, 2016): Bulletin revised to correct the workarounds for CVE-2016-3213 and CVE-2016-3236. This is an informational change only. Customers who have successfully installed the updates do not need to take any further action.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process on a target system.


MS16-035 – Important: Security Update for .NET Framework to Address Security Feature Bypass (3141780) – Version: 2.2

Severity Rating: Important
Revision Note: V2.2 (July 13, 2016): Revised bulletin to inform customers that the 3135996 update has been refreshed. This is an informational notification only. Customers who have already successfully installed the update do not need to take any further action.
Summary: This security update resolves a vulnerability in Microsoft .NET Framework. The security feature bypass exists in a .NET Framework component that does not properly validate certain elements of a signed XML document.


MSRT July 2016 – Cerber ransomware

July 12th, 2016 No comments

As part of our ongoing effort to provide better malware protection, the July 2016 release of the Microsoft Malicious Software Removal Tool (MSRT) includes detection for Win32/Cerber, a prevalent ransomware family. The inclusion in MSRT complements our Cerber-specific family detections in Windows Defender, and our ransomware-dedicated cloud protection features.

We started seeing Cerber in February 2016, and since then it has continuously evolved and is now one of the most encountered ransomware families – beating both Exxroute and Locky. The evolution is mostly based around the way in which Cerber is being distributed – with a focus on exploit kits, compromised websites, and email distribution.

When looking at data for the past 30 days, Cerber is the most detected ransomware, taking over a quarter of all ransomware infections.

Ransomware family Share
Cerber 25.97%
Exxroute 15.39%
Locky 12.80%
Brolo 11.66%
Crowti 9.97%
FakeBsod 9.19%
Teerac 3.94%
Critroni 3.72%
Reveton 2.86%
Troldesh 1.21%
Ranscrape 1.18%
Sarento 0.76%
Urausy 0.70%
Genasom 0.65%

 

Cerber is especially prevalent in the US, Asia, and Western Europe.

However, infections occur across the globe, and the following heat map demonstrates the geographical spread of infected machines:
Map showing highlighted areas in Eastern US, Western Europe, Asia, South America

 

Cerber infection chain

Cerber can enter your system or PC either through downloaders from spam email or through exploits on malicious or compromised sites.

Diagram showing spam email using macro and scripts to install cerber onto a PC

When delivered via spam, we've seen the use of both macros and OLE objects to deliver Cerber. We described how malware authors can maliciously use OLE in our blog "Where's the macro?", and we've previously talked about how macros have been used to deliver malware (although new features in Office 2016 have seen a decrease in macro-based malware).

In this case, we've seen malicious files using Visual Basic Script (VBS) and JavaScript to download Cerber from a command and control (C2) server. We've also seen malicious macros both downloading Cerber directly and dropping VBS scripts that then download Cerber.

The other infection vector – exploit kits – occurs when a user visits a malicious or compromised website that hosts an exploit kit. The exploit kit checks for vulnerabilities on the PC, and tailors an infection to target those vulnerabilities. This allows the exploit kit to download Cerber onto the PC.

Neutrino, Angler, and Magnitude exploit kits have been identified as distributing Cerber.

 

Cerber updates

As with most other encryption ransomware, Cerber encrypts files and places "recovery" instructions in each folder. Cerber provides the instructions in both .html and .txt formats, and replaces the desktop wallpaper.

Cerber, however, also includes a synthesized audio message.

We described the Cerber infection process in detail in our blog “The three heads of the Cerberus-like Cerber ransomware“.

 

Screencap showing a long note explaining how a user was infected

There have been some updates to this family, however, including a much more detailed description of how ransomware encryption works and how users can recover their files.

Note that the ransom message now claims that Cerber is attempting to help make the Internet a safer place, and does not mention the payment of fees or a ransom to decrypt your files.

Upon investigation, however, we have determined (as of July 8, 2016) that they are asking for a ransom in the form of bitcoins, as shown in the following screenshot of the Tor webpage:

Note showing that Cerber is requesting bitcoin payment to decrypt files

 

The Cerber desktop wallpaper has also been updated:

Grey wallpaper with a few lines of black text showing links to decrypt files

 

Prevention

To help stay protected:

  • Keep your Windows operating system and antivirus up to date and, if you haven't already, upgrade to Windows 10.
  • Regularly back up your files to an external hard drive.
  • Download and apply security patches for the vulnerabilities used by the exploit kits that are known to distribute this ransomware (for example, Neutrino).
  • Enable File History or System Protection. On Windows 10 and Windows 8.1, set up a drive for File History.
  • Use OneDrive for Business.
  • Beware of phishing emails and spam, and avoid clicking on malicious attachments.
  • Use Microsoft Edge to get SmartScreen protection. It can help warn you about sites that are known to be hosting exploits, and help protect you from socially engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs.
  • Disable the Remote Desktop feature whenever possible.
  • Use two-factor authentication.
  • Use a safe Internet connection.
  • Avoid browsing websites that are known for being malware breeding grounds (such as illegal music, movie, TV and software download sites).

Detection

Recovery

In the Office 365 blog “How to deal with ransomware“, there are several options on how you might be able to remediate or recover from a ransomware attack, including backup and recovery using File History in Windows 10 and System Restore in Windows 7.

You can also use OneDrive and SharePoint to backup and restore your files:

 

Carmen Liang and Patrick Estavillo
MMPC

 
