Kategorie

A vaccine for $4.95!? Nah, we didn't think so, either. Shuttering the alleged rip-off site is the DOJ's 1st takedown of COVID-19 flimflam.

In August 2019, Kaspersky discovered a malicious campaign distributing a fully fledged C++ Trojan that we call Milum. All the victims we registered were organizations from the Middle East. At least some of them are related to industrial sector. Our Kaspersky Threat Attribution Engine (KTAE) doesn’t show any code similarities with known campaigns. Nor have we seen any target intersections. In fact, we found just three almost unique samples, all in one country. So we consider the attacks to be targeted and have currently named this operation WildPressure.

The compilation timestamps for all these files is the same – March 2019. This is consistent with the fact that we registered no infections before May 31, 2019, so the compilation dates don’t seem to be spoofed. For their campaign infrastructure, the operators used rented OVH and Netzbetrieb virtual private servers (VPS) and a domain registered with the Domains by Proxy anonymization service.

The malware uses the JSON format for configuration data and as a C2 communication protocol over HTTP as well. Inside the encrypted communications within the HTTP POST requests, we found several interesting fields. One of them shows the malware version – 1.0.1. A version number like this indicates an early stage of development. Other fields suggest the existence of, at the very least, plans for non-C++ versions.

The only encryption implemented is the RC4 algorithm with different 64-byte keys for different victims. Also, the developers were kind enough to leave RTTI data inside the files. Kaspersky products detect this malware as Backdoor.Win32.Agent. For more information, please contact: intelreports@kaspersky.com

Why we call it Milum and why it’s of interest

All the aforementioned C++ Trojans are compiled as standalone PE files, originally named Milum46_Win32.exe. The word ‘milum’ is used in the C++ class names inside the malware, so we named the Trojan after it.

Another distinctive characteristic is that the malware exports lots of zlib compression functions, such as zlibVersion(), inflate() or deflate(). This compression is needed for C2 communication, but in reality there is no need to export them in the case of a standalone application.

The JSON configuration fields are not limited to just the version and programming language; the campaign operators also use target IDs that are found in the samples. Among them, we found HatLandM30 and HatLandid3 – neither of which we are familiar with. The following table provides Milum samples that have similar PE header compilation timestamps but different target IDs:

Milum46_Win32.exe sample MD5 hash Timestamp (GMT) clientid 0C5B15D89FDA9BAF446B286C6F97F535 2019.03.09 06:17:19 839ttttttt 17B1A05FC367E52AADA7BDE07714666B 2019.03.09 06:17:19 HatLandid3 A76991F15D6B4F43FBA419ECA1A8E741 2019.03.09 06:17:19 HatLandM30

Rather than describing all the configuration fields one by one, we have gathered them together in the following table, with all the main characteristics for this malware family:

Programming language C++ with STL functions used mostly to parse JSON data and exception handling. Configuration data Base64-encoded JSON data in PE resources. Includes timeouts, C2 URLs and keys for communication, including RC4 64-byte key. Network protocol Trojan transmits compressed JSON data in HTTP POST requests with gzip, base64-encoded and RC4 encrypted. Beacon data Encrypted JSON contains the malware version “1.0.1”, Epoch timestamp and client id. It also has specific fields such as “vt” and “ext” that correspond to programming language “c++” and file extension “exe”. If our hypothesis is correct, this suggests that non-C++ Trojan versions may be planned, if not already implemented. Persistence HKCU autorun system registry keys Run and RunOnce. Encryption The communication encryption used is RC4 with the 64-byte key stored in the configuration data. Compression For compression the Trojan uses an embedded gzip code. For some reason gzip functions are exported from PE, although the samples are standalone executables, not DLLs. Let’s dig a little deeper inside

The most popular sample in our telemetry was:

MD5 0c5b15d89fda9baf446b286c6f97f535 Compiled 2019.03.09 06:17:19 (GMT) Size 520704 Internal name Milum46_Win32.exe

This application exists as an invisible toolbar window. The main malicious functions are implemented in a separate thread. Milum decodes its configuration data and, besides timeouts, it gets the parameters “clientid” and “encrypt_key” to use in RC4 encryption.

Example of the decoded and beautified configuration data. The “clientid” field differs in every sample observed

The following table describes the different configuration parameters:

Config parameter Parameter features shortwait Pause in milliseconds between C2 communication working cycles clientid Unique ASCII target name encrypt_key RC4 encryption key for JSON-based C2 communications relays – url Full URL to send HTTP POST beacon and GET commands relays – key Unique ASCII key for each C2 to communicate with it

The operators can run the Trojan using the key (“b” or “B”) as the first argument and the file name as the second. In this case, Milum will delete the file sent as a parameter. Then the Trojan will create the C:\ProgramData\Micapp\Windows\ directory and parse its configuration data to form the beacon to send to its C2.

To send the beacon, Milum uses the HTTP POST request with three parameters as enumerated in the table below.

Beacon parameter Parameter values md Clientid from config, with prefix 01011 and random five-character ASCII suffix nk Key from config to communicate with C2, differs for each server val Compressed, encrypted and encoded command JSON data

The first two parameters are taken from the configuration data. The third one is encrypted and after decryption, decompression, decoding and beautifying, it looks like this:

Decoded and beautified JSON beacon to C2. In this case, the connection to the first server was unsuccessful

There are several fields worth mentioning here. We referred above to different programming languages besides C++: “vt” seems to reference a programming language and “ext” a file extension. The only reason that we could think of for keeping these is if the attackers have several Trojans, written in different languages, to work with the same control server.

Regarding the “command” field, the control servers were inaccessible at the time of the analysis, so we don’t have commands from them. However, we analyzed the command handlers in Milum’s code as described below:

Code Meaning Features 1 Execution Silently execute received interpreter command and return result through pipe 2 Server to client Decode received content in “data” JSON field and drop to file mentioned in “path” field 3 Client to server Encode file mentioned in received command “path” field to send it 4 File info Get file attributes: hidden, read only, archive, system or executable 5 Cleanup Generate and run batch script to delete itself 6 Command result Get command execution status 7 System information Validate target with Windows version, architecture (32- or 64-bit), host and user name, installed security products (with WQL request “Select From AntiVirusProduct WHERE displayName <>’Windows Defender'”) 8 Directory list Get info about files in directory: hidden, read only, archive, system or executable 9 Update Get the new version and remove the old one Who was attacked?

According to our telemetry, the Milum Trojan was exclusively used to attack targets in the Middle East from at least the end of May 2019.

Number of detections for one of the samples from September 2019

We were able to sinkhole one of the WildPressure C2 domains (upiserversys1212[.]com) in September 2019. The vast majority of visitor IPs were also from the Middle East, and we believe the rest were network scanners, TOR exit nodes or VPN connections.

C2 domain sinkholing also shows active infections mostly from the Middle East

And who’s behind it?

To date we haven’t observed any strong code- or victim-based similarities with any known actor or set of activity. Their C++ code is quite common, regarding configuration data and communication protocol malware uses base64-encoded JSON-formatted configuration data stored in the binary’s resource section and parses it with Standard Template Library (STL) functions. However, these commonalities are not conclusive enough for attribution and our hypothesis is that they are merely coincidence. We will continue to monitor this activity

To sum up

To date, we don’t have any data regarding Milum’s spreading mechanism. A campaign that is, apparently, exclusively targeting entities in the Middle East (at least some of them are industrial-related) is something that automatically attracts the attention of any analyst. Any similarities should be considered weak in terms of attribution, and may simply be techniques copied from previous well-known cases. Indeed, this “learning from more experienced attackers” cycle has been adopted by some interesting new actors in recent years.

We should also be cautious regarding the true targeting of this new set of activities, as it is probably too soon to jump to conclusions. The targeted nature seems to be clear, but the targeting itself might be limited by our own visibility. The malware is not exclusively designed against any kind of victim in particular and might be reused in other operations.

Indicators of compromise

Files MD5
0C5B15D89FDA9BAF446B286C6F97F535
17B1A05FC367E52AADA7BDE07714666B
A76991F15D6B4F43FBA419ECA1A8E741
Original file names are Milum46_Win32.exe; on the target side they exist as system32.exe

URLs
upiserversys1212[.]com/rl.php
37.59.87[.]172/page/view.php
80.255.3[.]86/page/view.php

Researchers said that a working exploit for CVE-2020-1938 leaked on GitHub makes is a snap to compromise webservers.

Criminals behind botnets Chalubo, FBot and Moobot attack unpatched vulnerabilities in the commercial DVRs made by LILIN.

Microsoft today issued a new security advisory warning billions of Windows users of two new critical, unpatched zero-day vulnerabilities that could let hackers remotely take complete control over targeted computers. According to Microsoft, both unpatched flaws are being used in limited, targeted attacks and impact all supported versions of the Windows operating system—including Windows 10, 8.1

The unpatched Windows zero day flaws are being exploited in "limited, targeted" attacks, according to Microsoft.

Two old WhatsApp hoaxes are back, with a grain-of-truth story in the middle to add a veneer of believability. Don't spread this stuff!

If there is one thing that can’t be denied, the Web has made the world a smaller place. People are able to work together towards common goals from across the planet, hang out, game and teach without many of the costs or barriers to entry that would have been in place five or ten years […]

The post Advantages of online cybersecurity training [Updated 2020] appeared first on Infosec Resources.

Advantages of online cybersecurity training [Updated 2020] was first posted on March 23, 2020 at 11:03 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Introduction When I was working on this article, I was trying to figure out something witty for the title, but all I kept coming up with was “Fear and Loathing in UAC.” Very few built-in Windows functions have caused as much teeth-grinding as when Windows Firewall was first implemented, but UAC certainly seems to have […]

The post How to configure UAC in Windows 10 appeared first on Infosec Resources.

How to configure UAC in Windows 10 was first posted on March 23, 2020 at 10:55 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Authorities have cracked down on a website that claimed to give out coronavirus vaccine kits - but that was actually stealing victims' payment card data and personal information.

Have you heard that Firefox is planning to drop support for the vulnerable file transfer protocol in version 77 of the web browser?

Today, we will be continuing with our exploration of Hack the Box (HTB) machines as seen in previous articles. This walkthrough is of an HTB machine named Joker. HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple […]

The post Hack the Box (HTB) machines walkthrough series — Joker appeared first on Infosec Resources.

Hack the Box (HTB) machines walkthrough series — Joker was first posted on March 23, 2020 at 8:01 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Introduction In this article, we will discuss the top techniques that hackers use today when performing privilege escalation within Windows machines. Where necessary, we shall give examples of the techniques being discussed in order to show how it can be done.  This article is intended for hackers who already have an idea of Windows hacking, […]

The post Ethical hacking: Top privilege escalation techniques in Windows appeared first on Infosec Resources.

Ethical hacking: Top privilege escalation techniques in Windows was first posted on March 23, 2020 at 8:00 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Cisco has patched a clutch of high-priority vulnerabilities in its SD-WAN routes and their management software.

The dead drops were very James Bond: once, the data mule taped the SD card to the underside of a desk in a hotel.

A comment from one buyer of data purportedly from Brooks International: "It even has credit card number & a password. lol !!"

Heads up, Firefox users who rely on FTP: the browser is eliminating support for this venerable protocol.

From the EARN IT Act to the Martinelli hoax - and everything in between. It’s your weekly security roundup.

For the first time ever, the Apache Pulsar PMC team is publishing a user survey report. The 2020 Apache Pulsar User Survey Report reveals Pulsar's accelerating rate of global adoption, details how organizations are leveraging Pulsar to build real-time streaming applications, and highlights key features on Pulsar's product roadmap. Apache Pulsar is a cloud-native, distributed open source

Serif v rámci kampaně zlevnil na polovinu své kreativní programy z rodiny Affinity, stejné marketingové příležitosti ale využili i jiní – třeba darknetová komunita. Ta pochopitelně nabízí trošku jiný typ služeb. V době globální krize tak alespoň podle bezpečnostních expertů z Check Pointu ...