
Archive for November 12th, 2019

An example of malspam pushing Lokibot malware, November 2019, (Wed, Nov 13th)

Introduction

I posted two diaries last year (2018) about Lokibot malware (sometimes spelled “Loki-bot”).  One was in June 2018 and one was in December 2018.  It’s been a while, so I wanted to share a recent example that came to my blog’s admin email on Tuesday 2019-11-12.

The email

You can get a copy of the sanitized email from this Any.Run link.


Shown above:  A copy of the email opened in Thunderbird.

The attachment was a RAR archive (link) and the RAR archive contained a Windows executable file disguised as a PDF document (link).


Shown above:  The attached RAR archive and the extracted Windows executable file.
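The lure described above relies on an archive hiding a Windows executable whose name presents it as a PDF. The following Python example is added here and is not part of Brad's diary or his tooling: it checks an attachment's leading bytes against what its file name claims, flags double extensions, and descends into archive members. It uses a ZIP container from the standard library because reading RAR needs a third-party module; the file names and bytes are constructed for the example.

```python
import io
import zipfile
from dataclasses import dataclass

# Leading bytes that identify the file types relevant to this diary.
MAGIC = {
    b"MZ": "windows-executable",      # PE image (DOS stub header)
    b"%PDF": "pdf",
    b"Rar!\x1a\x07": "rar",           # RAR 4.x and RAR 5.x archives share this prefix
    b"PK\x03\x04": "zip",             # ZIP, also the container for DOCX/XLSX
}

# Extensions that present the file to a user as a harmless document or image.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg", ".png"}
# Extensions Windows runs directly when the file is opened.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


@dataclass
class Verdict:
    name: str
    sniffed: str
    suspicious: bool
    reason: str


def sniff(data: bytes) -> str:
    """Return the type implied by the leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(name: str, data: bytes) -> Verdict:
    """Compare what the name claims with what the bytes actually are."""
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner_ext = "." + parts[-2] if len(parts) > 2 else ""
    kind = sniff(data)

    if kind == "windows-executable" and ext in DOCUMENT_EXTENSIONS:
        return Verdict(name, kind, True, "PE header behind a document extension")
    if ext in EXECUTABLE_EXTENSIONS and inner_ext in DOCUMENT_EXTENSIONS:
        return Verdict(name, kind, True, "double extension hides an executable")
    if kind == "windows-executable" or ext in EXECUTABLE_EXTENSIONS:
        return Verdict(name, kind, True, "executable attachment")
    return Verdict(name, kind, False, "name and content agree")


def scan(name: str, data: bytes) -> list:
    """Check one attachment; for ZIP archives also check every member, recursively."""
    verdicts = [check_attachment(name, data)]
    if sniff(data) == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if not member.is_dir():
                    verdicts.extend(scan(member.filename, zf.read(member)))
    return verdicts


def build_sample_archive() -> bytes:
    """Constructed test data: a ZIP holding a fake PE stub named like a PDF."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Purchase_Order.pdf.exe", fake_pe)   # constructed, mirrors the lure pattern
        zf.writestr("readme.txt", b"shipping details")    # benign member for contrast
    return buf.getvalue()


if __name__ == "__main__":
    for v in scan("order.zip", build_sample_archive()):
        print(f"{v.name}: sniffed={v.sniffed} suspicious={v.suspicious} ({v.reason})")
```

The point of checking bytes before names is that a mail gateway or triage script cannot trust the extension the sender chose; a PE stub under any document-like name is the signal, and the double-extension rule catches the case where Windows Explorer hides the final `.exe`.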

The infection traffic

Infection traffic is easily detectable by signatures from the EmergingThreats Open ruleset.


Shown above:  Traffic from an infection filtered in Wireshark.


Shown above:  TCP stream from one of the HTTP requests caused by my sample of Lokibot malware.


Shown above:  EmergingThreats alerts from an Any.Run sandbox analysis of the Windows executable file.

Post-infection forensics on an infected Windows host

I was able to infect a Windows 10 host in my lab environment, and Lokibot made itself persistent through the Windows registry.


Shown above:  Lokibot on an infected Windows host.


Shown above:  Windows registry update caused by Lokibot to stay persistent.

Final words

SHA256 hash of the email:

SHA256 hash of the attached RAR archive:

SHA256 hash of the extracted Windows executable file (Lokibot malware):


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.

November 2019 Microsoft Patch Tuesday, (Tue, Nov 12th)

Microsoft today patched a total of 74 vulnerabilities. This patch Tuesday release also includes two advisories. 15 of the vulnerabilities are rated critical.

Two vulnerabilities had been disclosed prior to today, and one critical scripting engine vulnerability has already been exploited in the wild. The vulnerability, CVE-2019-1429, may lead to remote code execution due to memory corruption in the scripting engine. All current versions of Windows / Internet Explorer are affected. This is probably the most important issue you need to patch. At the recent “Pwn2Own” contest in Tokyo, JavaScript engine issues were used to breach anything from smart TVs to smartphones via not-so-smart browsers.

The first publicly disclosed problem, a confidentiality issue with Trusted Platform Module (TPM) chip firmware, is probably not as severe. It only affects the ECDSA algorithm, which isn’t used in Windows so far. Patching this issue will be difficult. You will need to update the TPM firmware (and the page Microsoft links to with details from the TPM manufacturer is down right now). Once updated, you need to re-enroll into security services.

The second publicly known vulnerability affects the Microsoft Office Click-to-Run system (C2R). A crafted file could abuse these components to escalate privileges and execute code as System.


| Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
|---|---|---|---|---|---|---|---|---|
| Azure Stack Spoofing Vulnerability | CVE-2019-1234 | No | No | | | Important | | |
| DirectWrite Information Disclosure Vulnerability | CVE-2019-1432 | No | No | | | Important | 4.4 | 4.0 |
| | CVE-2019-1411 | No | No | Less Likely | Less Likely | Important | 4.4 | 4.0 |
| Hyper-V Remote Code Execution Vulnerability | CVE-2019-0719 | No | No | Less Likely | Less Likely | Critical | 8.0 | 7.2 |
| | CVE-2019-0721 | No | No | Less Likely | Less Likely | Critical | 8.0 | 7.2 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-1406 | No | No | Less Likely | Less Likely | Important | 6.7 | 6.0 |
| Latest Servicing Stack Updates | ADV990001 | No | No | | | Critical | | |
| Microsoft ActiveX Installer Service Elevation of Privilege Vulnerability | CVE-2019-1382 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Microsoft Edge Security Feature Bypass Vulnerability | CVE-2019-1413 | No | No | | | Important | 4.3 | 3.9 |
| Microsoft Excel Information Disclosure Vulnerability | CVE-2019-1446 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2019-1448 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Exchange Remote Code Execution Vulnerability | CVE-2019-1373 | No | No | Less Likely | Less Likely | Critical | | |
| Microsoft Guidance for Vulnerability in Trusted Platform Module (TPM) | ADV190024 | Yes | No | | | | | |
| Microsoft Office ClickToRun Security Feature Bypass Vulnerability | CVE-2019-1449 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Excel Security Feature Bypass | CVE-2019-1457 | Yes | No | | | Important | | |
| Microsoft Office Information Disclosure Vulnerability | CVE-2019-1402 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Online Spoofing Vulnerability | CVE-2019-1445 | No | No | | | Important | | |
| | CVE-2019-1447 | No | No | | | Important | | |
| Microsoft Office Security Feature Bypass Vulnerability | CVE-2019-1442 | No | No | | | Important | | |
| Microsoft SharePoint Information Disclosure Vulnerability | CVE-2019-1443 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Windows Information Disclosure Vulnerability | CVE-2019-1381 | No | No | Less Likely | Less Likely | Important | 6.6 | 5.9 |
| Microsoft Windows Media Foundation Remote Code Execution Vulnerability | CVE-2019-1430 | No | No | | | Critical | 7.3 | 6.6 |
| Microsoft Windows Security Feature Bypass Vulnerability | CVE-2019-1384 | No | No | Less Likely | Less Likely | Important | 8.5 | 7.6 |
| Microsoft splwow64 Elevation of Privilege Vulnerability | CVE-2019-1380 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| NetLogon Security Feature Bypass Vulnerability | CVE-2019-1424 | No | No | Less Likely | Less Likely | Important | 8.1 | 7.3 |
| Open Enclave SDK Information Disclosure Vulnerability | CVE-2019-1370 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| OpenType Font Driver Information Disclosure Vulnerability | CVE-2019-1412 | No | No | | | Important | 5.0 | 4.5 |
| OpenType Font Parsing Remote Code Execution Vulnerability | CVE-2019-1456 | No | No | | | Important | 7.8 | 7.0 |
| | CVE-2019-1419 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-1429 | No | Yes | Detected | Detected | Critical | 6.4 | 5.8 |
| | CVE-2019-1426 | No | No | | | Critical | 4.2 | 3.8 |
| | CVE-2019-1427 | No | No | | | Critical | 4.2 | 3.8 |
| | CVE-2019-1428 | No | No | | | Critical | 4.2 | 3.8 |
| VBScript Remote Code Execution Vulnerability | CVE-2019-1390 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8 |
| Visual Studio Elevation of Privilege Vulnerability | CVE-2019-1425 | No | No | | | Important | | |
| Win32k Elevation of Privilege Vulnerability | CVE-2019-1434 | No | No | | | Important | 7.0 | 6.3 |
| | CVE-2019-1393 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| | CVE-2019-1394 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| | CVE-2019-1395 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| | CVE-2019-1396 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| | CVE-2019-1408 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Win32k Graphics Remote Code Execution Vulnerability | CVE-2019-1441 | No | No | | | Critical | 6.7 | 6.0 |
| Win32k Information Disclosure Vulnerability | CVE-2019-1436 | No | No | More Likely | More Likely | Important | 5.5 | 5.0 |
| | CVE-2019-1440 | No | No | Less Likely | Less Likely | Important | 5.0 | 4.5 |
| Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | CVE-2019-1385 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Certificate Dialog Elevation of Privilege Vulnerability | CVE-2019-1388 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Data Sharing Service Elevation of Privilege Vulnerability | CVE-2019-1417 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| | CVE-2019-1379 | No | No | | | Important | 7.8 | 7.0 |
| | CVE-2019-1383 | No | No | | | Important | 7.8 | 7.0 |
| Windows Denial of Service Vulnerability | CVE-2018-12207 | No | No | Less Likely | Less Likely | Important | 4.7 | 4.2 |
| | CVE-2019-1391 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-1420 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| | CVE-2019-1422 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| | CVE-2019-1423 | No | No | | | Important | 7.8 | 7.0 |
| Windows Error Reporting Information Disclosure Vulnerability | CVE-2019-1374 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-1439 | No | No | Less Likely | Less Likely | Important | 4.7 | 4.2 |
| Windows Graphics Component Elevation of Privilege Vulnerability | CVE-2019-1433 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| | CVE-2019-1435 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
| | CVE-2019-1437 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
| | CVE-2019-1438 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
| | CVE-2019-1407 | No | No | | | Important | 7.8 | 7.0 |
| Windows Hyper-V Denial of Service Vulnerability | CVE-2019-0712 | No | No | Less Likely | Less Likely | Important | 5.8 | 5.2 |
| | CVE-2019-1309 | No | No | Less Likely | Less Likely | Important | 5.8 | 5.2 |
| | CVE-2019-1310 | No | No | Less Likely | Less Likely | Important | 5.8 | 5.2 |
| | CVE-2019-1399 | No | No | Less Likely | Less Likely | Important | 5.4 | 4.9 |
| Windows Hyper-V Remote Code Execution Vulnerability | CVE-2019-1389 | No | No | | | Critical | 7.6 | 6.8 |
| | CVE-2019-1397 | No | No | Less Likely | Less Likely | Critical | 7.6 | 6.8 |
| | CVE-2019-1398 | No | No | Less Likely | Less Likely | Critical | 7.6 | 6.8 |
| Windows Installer Elevation of Privilege Vulnerability | CVE-2019-1415 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2019-1392 | No | No | | | Important | 7.0 | 6.3 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2019-11135 | No | No | Less Likely | Less Likely | Important | 4.7 | 4.2 |
| Windows Modules Installer Service Information Disclosure Vulnerability | CVE-2019-1418 | No | No | Less Likely | Less Likely | Important | 3.5 | 3.2 |
| Windows Remote Procedure Call Information Disclosure Vulnerability | CVE-2019-1409 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Subsystem for Linux Elevation of Privilege Vulnerability | CVE-2019-1416 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows TCP/IP Information Disclosure Vulnerability | CVE-2019-1324 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.9 |
| Windows UPnP Service Elevation of Privilege Vulnerability | CVE-2019-1405 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
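A listing like the one above is only useful once it becomes a patch order. The Python below is an added example, not ISC's own tooling: it parses the flattened `CVE Disclosed Exploited [Exploitability] Severity [CVSS]` rows exactly as they appear on this page (a title line applies to the CVE rows under it, and the exploitability and CVSS columns are optional) and ranks entries the way the diary's own discussion does, exploited in the wild first, then publicly disclosed, then Critical, then by CVSS base score. The ranking policy is an assumption; the sample rows are a constructed subset copied from the table above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One data row: id, Disclosed, Exploited, optional exploitability pair,
# optional severity, optional CVSS base/temporal pair.
ROW = re.compile(
    r"^(?P<id>\S+)\s+(?P<disclosed>Yes|No)\s+(?P<exploited>Yes|No)"
    r"(?:\s+(?P<old>Less Likely|More Likely|Detected)\s+(?P<cur>Less Likely|More Likely|Detected))?"
    r"(?:\s+(?P<severity>Critical|Important|Moderate|Low))?"
    r"(?:\s+(?P<base>\d+\.\d)\s+(?P<temporal>\d+\.\d))?\s*$"
)


@dataclass
class Entry:
    description: str
    id: str
    disclosed: bool
    exploited: bool
    severity: Optional[str]
    base: Optional[float]


def parse_table(text: str) -> List[Entry]:
    """Parse the flattened table; any line that is not a data row is a title
    that applies to the data rows following it."""
    entries: List[Entry] = []
    description = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m is None:
            description = line
            continue
        entries.append(Entry(
            description=description,
            id=m["id"],
            disclosed=m["disclosed"] == "Yes",
            exploited=m["exploited"] == "Yes",
            severity=m["severity"],
            base=float(m["base"]) if m["base"] else None,
        ))
    return entries


def priority(e: Entry) -> tuple:
    """Sort key (lower sorts first): exploited, then disclosed, then Critical,
    then everything else; ties broken by descending CVSS base, then by id."""
    if e.exploited:
        tier = 0
    elif e.disclosed:
        tier = 1
    elif e.severity == "Critical":
        tier = 2
    else:
        tier = 3
    return (tier, -(e.base or 0.0), e.id)


def triage(text: str) -> List[str]:
    """Return the identifiers in the order they should be patched."""
    return [e.id for e in sorted(parse_table(text), key=priority)]


# Constructed subset of this diary's table, in the page's flattened layout.
SAMPLE = """
Scripting Engine Memory Corruption Vulnerability
CVE-2019-1429 No Yes Detected Detected Critical 6.4 5.8
CVE-2019-1426 No No Critical 4.2 3.8
Microsoft Guidance for Vulnerability in Trusted Platform Module (TPM)
ADV190024 Yes No
Microsoft Office Excel Security Feature Bypass
CVE-2019-1457 Yes No Important
Hyper-V Remote Code Execution Vulnerability
CVE-2019-0719 No No Less Likely Less Likely Critical 8.0 7.2
Win32k Elevation of Privilege Vulnerability
CVE-2019-1393 No No More Likely More Likely Important 7.8 7.0
Windows Modules Installer Service Information Disclosure Vulnerability
CVE-2019-1418 No No Less Likely Less Likely Important 3.5 3.2
"""

if __name__ == "__main__":
    for e in sorted(parse_table(SAMPLE), key=priority):
        print(f"{e.id:16} {e.severity or '-':10} base={e.base} {e.description}")
```

Entries without a CVSS score (the TPM advisory, the Excel bypass) are kept rather than dropped, since the two publicly disclosed items this month both lack one; a triage script that filtered on score alone would silently skip exactly the items the diary calls out.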


Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
