
Archive for February 11th, 2020

Malspam pushes Ursnif through Italian language Word docs, (Wed, Feb 12th)

Introduction

For the past two weeks or so, I haven’t found any malspam using password-protected zip archives with Word documents having macros for Ursnif.  However, on Tuesday 2020-02-11, malspam from this campaign has resumed.  This time, it used Italian language Word documents with macros for Ursnif.  @reecdeep started a Twitter thread with some of the details (link).


Shown above:  An infection chain from this campaign seen on Tuesday 2020-02-11.

Today’s diary has a quick review of an infection from this campaign from Tuesday 2020-02-11.

Finding the associated Word documents

I searched VirusTotal Enterprise using the following criteria and found at least 66 password-protected zip archives containing the file info_02_11.doc from Tuesday 2020-02-11:

info_02_10.doc tag:zip fs:2020-02-10+

None of the associated emails had been submitted to VirusTotal, so I had to guess at the password.  Several of these zip archives used 111 as the password.  One of them used 222 as the password.  The example I used for an infection had 333 as the password.


Shown above:  Searching VirusTotal Enterprise for zip archives containing info_02_11.doc.


Shown above:  After a couple of guesses, I found the proper password for one of the zip archives from my VirusTotal search.


Shown above:  Word document extracted from the password-protected zip archive.

Infection traffic

Infection traffic was typical from what I’ve seen with this campaign.


Shown above:  Traffic from the infection filtered in Wireshark.

Indicators of Compromise (IoCs)

Traffic from an infected Windows host:

  • 194.61.2[.]16 port 80 – qr12s8ygy1[.]com – GET /khogpfyc8n/215z9urlgz.php?l=xubiz8.cab
  • port 443 – settings-win.data.microsoft.com – HTTPS traffic (not inherently malicious)
  • 95.169.181[.]35 port 80 – lcdixieeoe[.]com – GET /images/[long string of characters].avi
  • 45.141.103[.]204 port 443 – q68jaydon3t[.]com – HTTPS/SSL/TLS traffic caused by Ursnif

Associated files:

SHA256 hash: 28931260f23f2b669be6bd26ddb7f93cf75b2c2790373a3a45a34b09fa9ef907

  • File size: 63,761 bytes
  • File name: Genial.zip
  • File description: Password-protected zip archive (password: 333)

SHA256 hash: 00d986b615d4082fe0ba0aa677b15eb97015f2b357ae87828be85b1e895e0d0b

  • File size: 70,429 bytes
  • File name: info_02_11.doc
  • File description: Word doc with macro for Ursnif

SHA256 hash: 4268d7a5f33d411ab4c4fae7363b21755ad9e576e2094df18f3615399945fd41

  • File size: 3,605 bytes
  • File location: C:\Windows\Temp\a6c9p.xsl
  • File description: XSL file dropped by Word macro

SHA256 hash: 996fcd8c55f923e86477d3d8069f9e9b56c6301cf9b2678c5c5c40bf6a636a5f

  • File size: 188,416 bytes
  • File location: hxxp://qr12s8ygy1[.]com/khogpfyc8n/215z9urlgz.php?l=xubiz8.cab
  • File location: C:\Windows\Temp\aVQl7d.dll
  • File description: Ursnif binary retrieved using XSL file
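As an added example, not part of Brad's diary, the following Python matches constructed proxy log lines against the network indicators listed above. The log format (time, source IP, destination IP, method, URL, status), the sample lines and the 203.0.113.x addresses are assumptions; the two URL regexes generalise the request shapes seen in the traffic list so that the same loader and check-in pattern is caught on other hostnames.

```python
import re
from urllib.parse import urlsplit

def refang(value: str) -> str:
    """Turn the diary's defanged notation ([.] and hxxp) back into a matchable form."""
    return value.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")

# Network indicators from the diary, kept in the defanged form the diary uses.
DEFANGED_DOMAINS = {
    "qr12s8ygy1[.]com": "Ursnif binary (.cab) download host",
    "lcdixieeoe[.]com": "Ursnif HTTP check-in host",
    "q68jaydon3t[.]com": "Ursnif HTTPS C2 host",
}
IOC_DOMAINS = {refang(d): why for d, why in DEFANGED_DOMAINS.items()}
IOC_IPS = {refang(ip) for ip in ("194.61.2[.]16", "95.169.181[.]35", "45.141.103[.]204")}

# URL shapes from the diary's traffic: a .php loader serving a .cab, and a long random name under /images/ ending in .avi.
URL_PATTERNS = [
    re.compile(r"/[a-z0-9]+/[a-z0-9]+\.php\?l=[a-z0-9]+\.cab$", re.I),
    re.compile(r"^/images/[A-Za-z0-9_-]{30,}\.avi$"),
]

def check_log_line(line: str):
    """Match one proxy log line (constructed format: time src dst method url status); return a hit dict or None."""
    fields = line.split()
    if len(fields) < 6:
        return None
    ts, src, dst, _method, url, _status = fields[:6]
    parts = urlsplit(url)
    host = parts.hostname or ""
    path_query = parts.path + ("?" + parts.query if parts.query else "")
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append(IOC_DOMAINS[host])
    if dst in IOC_IPS:
        reasons.append(f"destination {dst} is a known Ursnif IP")
    if any(p.search(path_query) for p in URL_PATTERNS):
        reasons.append("URL shape matches Ursnif loader/check-in traffic")
    return {"time": ts, "src": src, "host": host, "reasons": reasons} if reasons else None

def scan_log(text: str) -> list:
    # One hit record per line that matches at least one indicator.
    return [hit for hit in map(check_log_line, text.splitlines()) if hit]

# Constructed sample log: a benign Microsoft telemetry line, the two Ursnif HTTP requests, and a decoy /images/ hit.
SAMPLE_LOG = """\
2020-02-11T14:02:10Z 10.0.0.5 203.0.113.10 GET https://settings-win.data.microsoft.com/settings/v2.0 200
2020-02-11T14:03:22Z 10.0.0.5 194.61.2.16 GET http://qr12s8ygy1.com/khogpfyc8n/215z9urlgz.php?l=xubiz8.cab 200
2020-02-11T14:05:41Z 10.0.0.5 95.169.181.35 GET http://lcdixieeoe.com/images/AbCdEf0123456789AbCdEf0123456789AbCdEf.avi 200
2020-02-11T14:06:02Z 10.0.0.7 203.0.113.20 GET http://example.com/images/cat.avi 200
"""
```

Running scan_log(SAMPLE_LOG) returns the two Ursnif lines only; the settings-win.data.microsoft.com line is left alone, as the traffic list notes it is not inherently malicious.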

Final words

A pcap of the infection traffic along with the associated malware can be found here.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.


Microsoft Patch Tuesday for February 2020, (Tue, Feb 11th)

This month we got patches for 99 vulnerabilities total. Five of them have been previously disclosed, and one was being exploited, according to Microsoft. 

One of the patches fixes CVE-2020-0674, a zero-day in the Scripting Engine of Internet Explorer that has been exploited in the wild. Microsoft released an out-of-band advisory for this vulnerability on January 17 (ADV200001 [1]) suggesting mitigations; the vulnerability is now fixed. It could allow malicious content to corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Among the other 16 RCE vulnerabilities, it's also worth mentioning CVE-2020-0738, a memory corruption vulnerability in Media Foundation. An attacker who successfully exploited it could run arbitrary code on the affected system. Its CVSS v3 score is 8.80, the highest for this month's Patch Tuesday.

It's also worth mentioning an elevation of privilege vulnerability affecting Windows SSH (CVE-2020-0757). Because Windows improperly handles Secure Shell remote commands, an attacker could exploit the vulnerability to run arbitrary code with elevated privileges. To exploit it, the attacker would first have to log on to the system and run a specially crafted application.

See Renato’s dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

Columns: CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG). A dash marks a cell Microsoft left empty.

Active Directory Elevation of Privilege Vulnerability
CVE-2020-0665 | No | No | - | - | Important | 6.6 | 5.9
Connected Devices Platform Service Elevation of Privilege Vulnerability
CVE-2020-0740 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2020-0741 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2020-0742 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2020-0743 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2020-0749 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2020-0750 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability
CVE-2020-0727 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
DirectX Elevation of Privilege Vulnerability
CVE-2020-0709 | No | No | - | - | Important | 7.0 | 6.3
CVE-2020-0732 | No | No | - | - | Important | 7.0 | 6.3
DirectX Information Disclosure Vulnerability
CVE-2020-0714 | No | No | Less Likely | Less Likely | Important | 4.7 | 4.2
February 2020 Adobe Flash Security Update
ADV200003 | No | No | - | - | Important | - | -
LNK Remote Code Execution Vulnerability
CVE-2020-0729 | No | No | Less Likely | Less Likely | Critical | 7.5 | 6.7
Media Foundation Memory Corruption Vulnerability
CVE-2020-0738 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9
Microsoft Browser Information Disclosure Vulnerability
CVE-2020-0706 | Yes | No | Less Likely | Less Likely | Important | 4.3 | 3.9
Microsoft Edge Elevation of Privilege Vulnerability
CVE-2020-0663 | No | No | - | - | Important | 4.2 | 3.8
Microsoft Excel Remote Code Execution Vulnerability
CVE-2020-0759 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft Exchange Memory Corruption Vulnerability
CVE-2020-0688 | No | No | More Likely | More Likely | Important | - | -
Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2020-0692 | No | No | More Likely | More Likely | Important | - | -
Microsoft Graphics Components Information Disclosure Vulnerability
CVE-2020-0746 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Microsoft Office Online Server Spoofing Vulnerability
CVE-2020-0695 | No | No | - | - | Important | - | -
Microsoft Office SharePoint XSS Vulnerability
CVE-2020-0693 | No | No | Less Likely | Less Likely | Important | - | -
CVE-2020-0694 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft Office Tampering Vulnerability
CVE-2020-0697 | No | No | - | - | Important | - | -
Microsoft Outlook Security Feature Bypass Vulnerability
CVE-2020-0696 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
CVE-2020-0618 | No | No | - | - | Important | - | -
Microsoft Secure Boot Security Feature Bypass Vulnerability
CVE-2020-0689 | Yes | No | Less Likely | Less Likely | Important | 8.2 | 7.6
Remote Desktop Client Remote Code Execution Vulnerability
CVE-2020-0681 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7
CVE-2020-0734 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7
Remote Desktop Services Remote Code Execution Vulnerability
CVE-2020-0655 | No | No | - | - | Important | 8.0 | 7.2
Scripting Engine Memory Corruption Vulnerability
CVE-2020-0673 | No | No | - | - | Critical | 6.4 | 5.8
CVE-2020-0674 | Yes | Yes | Detected | Detected | Critical | 6.4 | 5.9
CVE-2020-0710 | No | No | - | - | Critical | 4.2 | 3.8
CVE-2020-0711 | No | No | - | - | Critical | 4.2 | 3.8
CVE-2020-0712 | No | No | - | - | Critical | 4.2 | 3.8
CVE-2020-0713 | No | No | - | - | Critical | 4.2 | 3.8
CVE-2020-0767 | No | No | - | - | Critical | 4.2 | 3.8
Surface Hub Security Feature Bypass Vulnerability
CVE-2020-0702 | No | No | Less Likely | Less Likely | Important | - | -
Win32k Elevation of Privilege Vulnerability
CVE-2020-0691 | No | No | Unlikely | Unlikely | Important | 4.7 | 4.2
CVE-2020-0719 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
CVE-2020-0720 | No | No | More Likely | More Likely | Important | 7.0 | 6.3
CVE-2020-0721 | No | No | More Likely | More Likely | Important | 7.0 | 6.3
CVE-2020-0722 | No | No | More Likely | More Likely | Important | 7.0 | 6.3
CVE-2020-0723 | No | No | More Likely | More Likely | Important | 7.0 | 6.3
CVE-2020-0724 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
CVE-2020-0725 | No | No | More Likely | More Likely | Important | 7.0 | 6.3
CVE-2020-0726 | No | No | More Likely | More Likely | Important | 7.0 | 6.3
CVE-2020-0731 | No | No | More Likely | More Likely | Important | 7.0 | 6.3
Win32k Information Disclosure Vulnerability
CVE-2020-0716 | No | No | - | - | Important | 5.5 | 5.0
CVE-2020-0717 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Backup Service Elevation of Privilege Vulnerability
CVE-2020-0703 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows COM Server Elevation of Privilege Vulnerability
CVE-2020-0685 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
Windows Client License Service Elevation of Privilege Vulnerability
CVE-2020-0701 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2020-0657 | No | No | More Likely | More Likely | Important | 7.8 | 7.0
Windows Common Log File System Driver Information Disclosure Vulnerability
CVE-2020-0658 | No | No | - | - | Important | 5.5 | 5.0
Windows Data Sharing Service Elevation of Privilege Vulnerability
CVE-2020-0659 | No | No | - | - | Important | 7.8 | 7.0
CVE-2020-0747 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Elevation of Privilege Vulnerability
CVE-2020-0737 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2020-0739 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Error Reporting Elevation of Privilege Vulnerability
CVE-2020-0753 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2020-0754 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Error Reporting Manager Elevation of Privilege Vulnerability
CVE-2020-0678 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Function Discovery Service Elevation of Privilege Vulnerability
CVE-2020-0679 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2020-0680 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2020-0682 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows GDI Information Disclosure Vulnerability
CVE-2020-0744 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2020-0715 | No | No | More Likely | More Likely | Important | 7.0 | 6.3
CVE-2020-0745 | No | No | More Likely | More Likely | Important | 7.8 | 7.0
CVE-2020-0792 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
Windows Hyper-V Denial of Service Vulnerability
CVE-2020-0661 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
CVE-2020-0751 | No | No | - | - | Important | 6.0 | 5.4
Windows IME Elevation of Privilege Vulnerability
CVE-2020-0707 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Imaging Library Remote Code Execution Vulnerability
CVE-2020-0708 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Information Disclosure Vulnerability
CVE-2020-0698 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Installer Elevation of Privilege Vulnerability
CVE-2020-0683 | Yes | No | Less Likely | Less Likely | Important | 7.0 | 6.3
CVE-2020-0686 | Yes | No | Less Likely | Less Likely | Important | 7.0 | 6.3
Windows Kernel Elevation of Privilege Vulnerability
CVE-2020-0668 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2020-0669 | No | No | - | - | Important | 7.8 | 7.0
CVE-2020-0670 | No | No | - | - | Important | 7.8 | 7.0
CVE-2020-0671 | No | No | - | - | Important | 7.8 | 7.0
CVE-2020-0672 | No | No | - | - | Important | 7.8 | 7.0
Windows Kernel Information Disclosure Vulnerability
CVE-2020-0736 | No | No | - | - | Important | 5.5 | 5.0
Windows Key Isolation Service Information Disclosure Vulnerability
CVE-2020-0675 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
CVE-2020-0676 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
CVE-2020-0677 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
CVE-2020-0748 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
CVE-2020-0755 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
CVE-2020-0756 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Malicious Software Removal Tool Elevation of Privilege Vulnerability
CVE-2020-0733 | No | No | - | - | Important | - | -
Windows Modules Installer Service Information Disclosure Vulnerability
CVE-2020-0728 | No | No | Less Likely | Less Likely | Important | 3.3 | 3.0
Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability
CVE-2020-0705 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Remote Code Execution Vulnerability
CVE-2020-0662 | No | No | - | - | Critical | 8.6 | 7.7
Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
CVE-2020-0660 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7
Windows SSH Elevation of Privilege Vulnerability
CVE-2020-0757 | No | No | Less Likely | Less Likely | Important | 8.2 | 7.4
Windows Search Indexer Elevation of Privilege Vulnerability
CVE-2020-0666 | No | No | - | - | Important | 7.8 | 7.0
CVE-2020-0667 | No | No | - | - | Important | 7.8 | 7.0
CVE-2020-0735 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2020-0752 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows User Profile Service Elevation of Privilege Vulnerability
CVE-2020-0730 | No | No | Less Likely | Less Likely | Important | 6.3 | 5.7
Windows Wireless Network Manager Elevation of Privilege Vulnerability
CVE-2020-0704 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0

Total Vulnerabilities: 99

References:

[1] https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001


Renato Marinho
Morphus Labs | LinkedIn | Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.
