Archive for March 11th, 2020

Hancitor distributed through coronavirus-themed malspam, (Thu, Mar 12th)

Introduction

The criminal group behind Hancitor malware has been quiet during the past few weeks.  For the past year or so, this group has stuck with DocuSign-themed malspam to distribute Hancitor (like this example from January 2020).  However, today @mesa_matt reported a new wave of Hancitor malspam using a coronavirus theme.  Today’s diary reviews two quick infection runs using information from @mesa_matt’s Twitter thread on Wednesday 2020-03-11.

My thanks to everyone on Twitter who keeps an eye on Hancitor and tweets about it.


Shown above:  Screenshot of the malspam from a tweet by @mesa_matt on 2020-03-11.

Infection traffic

We’re still seeing the same sequence of events from previous Hancitor runs so far this year.

  • Step 1:  Link from malspam
  • Step 2:  Leads to another URL that returns a zip archive
  • Step 3:  Extract VBS from zip archive
  • Step 4:  VBS drops and executes Hancitor DLL
  • Step 5:  Hancitor-style post-infection traffic


Shown above:  Traffic from an infection filtered in Wireshark.

Indicators of Compromise (IoCs)

Traffic from an infected Windows host:

  • URL from link in the malspam (various URLs from step 1, not in my pcaps)
  • 8.208.77[.]171 port 80 – freetospeak[.]me – GET /0843_43.php
  • port 80 – api.ipify[.]org – GET /
  • 45.153.73[.]33 port 80 – thumbeks[.]com – POST /4/forum.php
  • 45.153.73[.]33 port 80 – thumbeks[.]com – POST /mlu/forum.php
  • 45.153.73[.]33 port 80 – thumbeks[.]com – POST /d2/about.php
  • 68.183.232[.]255 port 80 – shop.artaffinittee[.]com – GET /wp-includes/sodium_compat/1
  • 68.183.232[.]255 port 80 – shop.artaffinittee[.]com – GET /wp-includes/sodium_compat/2
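
As an added example (not from the diary or its author), the following Python parses the defanged HTTP indicators listed above, re-fangs them and matches them against a few constructed proxy log lines. The log format, the client addresses and the benign requests are assumptions made for the example; the hosts and paths are the ones from the list (the api.ipify.org line is left out on purpose, since it is a benign IP-check service that would only generate noise):

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the HTTP indicators listed in this diary, kept in their defanged form.
# (The api.ipify.org line is deliberately left out: it is a benign IP-check service.)
HANCITOR_HTTP_IOCS = [
    "8.208.77[.]171 port 80 - freetospeak[.]me - GET /0843_43.php",
    "45.153.73[.]33 port 80 - thumbeks[.]com - POST /4/forum.php",
    "45.153.73[.]33 port 80 - thumbeks[.]com - POST /mlu/forum.php",
    "45.153.73[.]33 port 80 - thumbeks[.]com - POST /d2/about.php",
    "68.183.232[.]255 port 80 - shop.artaffinittee[.]com - GET /wp-includes/sodium_compat/1",
    "68.183.232[.]255 port 80 - shop.artaffinittee[.]com - GET /wp-includes/sodium_compat/2",
]

# "<ip> port <n> - <host> - <METHOD> <path>", accepting either a hyphen or an en dash.
IOC_RE = re.compile(
    r"^(?P<ip>\S+)\s+port\s+(?P<port>\d+)\s+[-\u2013]\s+(?P<host>\S+)\s+[-\u2013]\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)$"
)

# Constructed proxy log: "<timestamp> <client_ip> <METHOD> <url> <status>".
# 10.0.0.23 replays the diary's infection chain; 10.0.0.57 is mostly benign traffic.
SAMPLE_PROXY_LOG = """\
2020-03-11T14:02:10Z 10.0.0.23 GET http://freetospeak.me/0843_43.php 200
2020-03-11T14:02:14Z 10.0.0.23 GET http://api.ipify.org/ 200
2020-03-11T14:02:17Z 10.0.0.23 POST http://thumbeks.com/4/forum.php 200
2020-03-11T14:02:19Z 10.0.0.23 GET http://shop.artaffinittee.com/wp-includes/sodium_compat/1 200
2020-03-11T14:03:01Z 10.0.0.57 GET http://www.example.com/index.html 200
2020-03-11T14:03:05Z 10.0.0.57 POST http://thumbeks.com/other.php 404
"""


def refang(value):
    """Turn '1.2.3[.]4', 'example[.]com' and 'hxxp://' back into a form that matches real logs."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(lines):
    """Parse diary-style indicator lines into dicts; lines without an IP (or otherwise off-format) are skipped."""
    iocs = []
    for line in lines:
        m = IOC_RE.match(line.strip())
        if not m:
            continue
        iocs.append({
            "ip": refang(m["ip"]),
            "port": int(m["port"]),
            "host": refang(m["host"]).lower(),
            "method": m["method"],
            "path": m["path"],
        })
    return iocs


def _split_log(log_text):
    """Yield (timestamp, client, method, host, path) for each well-formed proxy log line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, method, url = parts[:4]
        u = urlsplit(url)
        yield ts, client, method, (u.hostname or "").lower(), (u.path or "/")


def match_proxy_log(log_text, iocs):
    """Exact hits: host, method and path all match an indicator (high confidence)."""
    index = {(i["host"], i["method"], i["path"]): i for i in iocs}
    hits = []
    for ts, client, method, host, path in _split_log(log_text):
        ioc = index.get((host, method, path))
        if ioc is not None:
            hits.append((ts, client, ioc["host"], ioc["path"]))
    return hits


def infected_clients(log_text, iocs):
    """Clients with an exact URL hit, plus clients that only touched an indicator host on another path.
    The second group is lower confidence but worth triage, because C2 paths change between campaigns."""
    hosts = {i["host"] for i in iocs}
    exact = {client for _, client, _, _ in match_proxy_log(log_text, iocs)}
    host_only = {client for _, client, _, host, _ in _split_log(log_text)
                 if host in hosts and client not in exact}
    return {"exact": sorted(exact), "host_only": sorted(host_only)}


if __name__ == "__main__":
    parsed = parse_iocs(HANCITOR_HTTP_IOCS)
    for hit in match_proxy_log(SAMPLE_PROXY_LOG, parsed):
        print("HIT", *hit)
    print(infected_clients(SAMPLE_PROXY_LOG, parsed))
```

Matching on host, method and path together keeps the high-confidence list clean; the host-only list catches the case where the same C2 domain is reused with a different script name, which is common between Hancitor runs.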

Malware from my infected lab hosts:

SHA256 hash: 4f6d4d8f279c03f1ddfa20f95af152109b7578a2bec0a16a56ff87745585169a

  • File size: 230,431 bytes
  • File location: hxxp://freetospeak[.]me/0843_43.php
  • File name: SE-670131329809_5500.zip
  • File description: zip archive downloaded from link in malspam distributing Hancitor (1st run)

SHA256 hash: 6897a3b85046ba97fb3868dfb82338e5ed098136720a6cf73625e784fc1e1e51

  • File size: 1,130,515 bytes
  • File name: SE670131329809.vbs
  • File description: VBS file extracted from downloaded zip archive (1st run)

SHA256 hash: 8a9333204db83c2571463278cb6a6241ae5f215b2166bf4af5693d611049d5a9

  • File size: 228,383 bytes
  • File location: hxxp://freetospeak[.]me/0843_43.php
  • File name: QU-555033076467_5558.zip
  • File description: zip archive downloaded from link in malspam distributing Hancitor (2nd run)

SHA256 hash: 8da0eb3a2378d218043e9f3188e59e3158f1fd01bbcd979f05197c74c2fb7a1c

  • File size: 1,125,138 bytes
  • File name: QU555033076467.vbs
  • File description: VBS file extracted from downloaded zip archive (2nd run)

SHA256 hash: 291a4eb06358eca87fbc1f133ee162b6c532f4ec3e6f39c2646cde5de60e80f9

  • File size: 253,952 bytes
  • File location: C:\Users\[username]\AppData\Local\Temp\adobe.txt
  • File description: Hancitor DLL dropped after executing above VBS files (both runs)

For further information:

  • Twitter thread from @mesa_matt with a screenshot of a malspam example:  link
  • Initial info on Pastebin for Hancitor malspam from @mesa_matt Twitter thread:  link
  • Any.Run sandbox analysis for URL used to kick off my infection runs:  link
  • File hashes on Pastebin for this Hancitor from paste by JAMES_INTHE_BOX:  link

Final words

Pcaps of my infection traffic along with the associated malware can be found here.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS


Critical SMBv3 Vulnerability: Remote Code Execution, (Wed, Mar 11th)

SMB has already been a targeted protocol several times, and it came back into the spotlight today with a new CVE: CVE-2020-0796. This time, version 3 of the protocol is affected by a remote code execution vulnerability. The SMB protocol has been enhanced multiple times by Microsoft and more features were added; the one targeted today seems to be data compression. At this time, Microsoft has not released details and no patch is available. What do we know?

Affected Windows versions:

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)

A victim’s computer can be compromised by exposing a vulnerable SMBv3 server to the Internet, but a client can also be affected simply by connecting to a malicious SMBv3 server. Both clients and servers are affected!

How to protect your resources?

  • Microsoft published a workaround[1] via PowerShell (see below)
  • Restrict SMB traffic to the strict minimum
    • Do not expose servers in the wild, restrict access to them
    • Do not allow SMB traffic to the outside world. We can guess that malicious emails and malware will include “smb://” URLs soon.

The PowerShell workaround (run from an elevated prompt) is:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

We will continue to update this diary based on the information collected. 

[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key


Agent Tesla Delivered via Fake Canon EOS Notification on Free OwnCloud Account, (Wed, Mar 11th)

For a few days now, new waves of Agent Tesla[1] have been landing in our mailboxes. I found one that uses two new “channels” to deliver the trojan. Today, we can potentially receive notifications and files from many types of systems or devices, and I found a phishing sample that tries to hide behind a Canon EOS camera notification. It is not very well designed, but it’s uncommon to see this. It started with a simple email:

Note the beautiful typo in the mail subject! (“Qoute”)

The malicious payload is delivered via the following path:

A ZIP archive is attached to the mail:

Photos and specification.zip (SHA256:0875804511b077f7e8b4d5f4dd11b61f2334b9b61da1018f6246739a348a6d19)

The archive contains an HTML file (Unicode): 

photos and specification.html (SHA256:ab6b5faa826f5f503d9b9c8c5de0e3b0d65bf88812a9f7b83bf97901c39d6ebe)

The visible content of the HTML file is nothing more than two links, “DOWNLOAD” and “VIEW”, pointing to:

hxxps://nuesterish742[.]owncloud[.]online/index.php/s/rEbK2f0fHiMTy2k

Here is the page rendered in a browser:

The next stage payload is hosted on a public OwnCloud account. OwnCloud is a very popular cloud storage solution. You can run your private cloud on-premises but they also offer a “cloud” solution and a free trial:

A file is shared via this trial account: “Photos and specification.cab” (SHA256:d6404503a8257ebf3d153e91d0b92c9ae8da7c710124781ae27e6a55c40b887f). It contains the final payload:

Photos and specification.exe (SHA256:5254a36f51199786127851940e49c50ffe04aafa091ba6518118125bd68a4c31) with a current VT score of 24/72[2]. This is the Agent Tesla itself.

It copies itself into C:\Users\admin\AppData\Roaming\ and implements persistence via a scheduled task:

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PHIvtqf" /XML "C:\Users\user\AppData\Local\Temp\tmp6CEB.tmp"

The scheduled task configuration is also dumped on disk (standard Task Scheduler XML; note the Exec command pointing into the user’s roaming profile and the logon trigger):

<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>SANDBOX\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>SANDBOX\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>SANDBOX\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\PHIvtqf.exe</Command>
    </Exec>
  </Actions>
</Task>
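
As an added example (not from the diary or its author), here is a small Python audit for exported scheduled task definitions in the standard Task Scheduler XML schema. It embeds two constructed task files: one modelled on the task dumped above (same Exec command, author, logon trigger, run level and PT0S time limit), and one that looks like an ordinary vendor updater for contrast. The vendor path, the make_task_xml helper and the list of path markers are assumptions for the example:

```python
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}

# Path fragments that mean "the binary lives somewhere an ordinary user can write".
SUSPICIOUS_PATH_MARKERS = (
    "\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\", "%appdata%", "%temp%",
)


def make_task_xml(command, author="SANDBOX\\user", time_limit="PT0S", hidden=False):
    """Build a minimal task definition in the standard Task Scheduler XML schema (test data only)."""
    return f"""<Task version="1.2" xmlns="{TASK_NS}">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>{author}</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>{author}</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>{author}</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>{'true' if hidden else 'false'}</Hidden>
    <ExecutionTimeLimit>{time_limit}</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>{command}</Command>
    </Exec>
  </Actions>
</Task>"""


# Constructed samples: the first mirrors the task dumped in this diary (Exec command, author and
# settings taken from the dump), the second is what a typical vendor updater task looks like.
MALICIOUS_TASK_XML = make_task_xml("C:\\Users\\user\\AppData\\Roaming\\PHIvtqf.exe")
BENIGN_TASK_XML = make_task_xml("C:\\Program Files\\Vendor\\Updater\\updater.exe",
                                author="NT AUTHORITY\\SYSTEM", time_limit="PT1H")


def audit_task(xml_text):
    """Parse one task definition and return the facts a triage analyst needs plus a verdict."""
    root = ET.fromstring(xml_text)

    def text(path):
        return (root.findtext(path, default="", namespaces=NS) or "").strip()

    command = text("t:Actions/t:Exec/t:Command")
    runs_from_user_dir = any(marker in command.lower() for marker in SUSPICIOUS_PATH_MARKERS)

    findings = []
    if runs_from_user_dir:
        findings.append("executable runs from a user-writable profile directory")
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("runs at user logon")
    if text("t:Settings/t:ExecutionTimeLimit") == "PT0S":
        findings.append("no execution time limit (PT0S)")
    if text("t:Settings/t:Hidden") == "true":
        findings.append("task is hidden")

    return {
        "command": command,
        "author": text("t:RegistrationInfo/t:Author"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "findings": findings,
        # The location of the binary is the decisive indicator; the rest is supporting context.
        "suspicious": runs_from_user_dir,
    }


if __name__ == "__main__":
    for label, xml_text in (("dumped task", MALICIOUS_TASK_XML), ("vendor task", BENIGN_TASK_XML)):
        result = audit_task(xml_text)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "ok", result["findings"])
```

The same function can be pointed at the XML files under C:\Windows\System32\Tasks on a live host; a logon trigger or a PT0S time limit alone is normal for plenty of legitimate tasks, which is why only the user-writable executable path drives the verdict.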
You can detect hosts infected by Agent Tesla by checking for connections over TCP/587 (SMTP submission), which is usually permitted outbound where TCP/25 is blocked. In this case, it used the IP address 78.142.19.101 to exfiltrate data.
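
As an added example (not from either diary or their author), the following Python walks a few constructed flow records and flags internal hosts talking to the Internet on ports a workstation should never use directly: TCP/587, the Agent Tesla exfiltration channel described above (the destination is the address from this diary), and TCP/445, following the SMBv3 diary’s advice earlier on this page not to allow SMB traffic to the outside world. The flow format, the internal ranges, the mail relay allow-list and all client addresses are assumptions for the example:

```python
import ipaddress

# Constructed flow records: "<timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto>".
# 10.0.0.23 submits mail straight to the Internet (the Agent Tesla pattern; the destination
# is the exfiltration address from this diary), 10.0.0.41 reaches an external SMB server,
# 10.0.0.10 is the organisation's mail relay and is expected to use TCP/587.
SAMPLE_FLOWS = """\
2020-03-11T09:12:01Z 10.0.0.23 49811 78.142.19.101 587 tcp
2020-03-11T09:12:03Z 10.0.0.23 49812 78.142.19.101 587 tcp
2020-03-11T09:13:40Z 10.0.0.41 50122 10.0.0.5 445 tcp
2020-03-11T09:14:02Z 10.0.0.41 50130 203.0.113.9 445 tcp
2020-03-11T09:15:11Z 10.0.0.57 51002 10.0.0.10 587 tcp
2020-03-11T09:16:25Z 10.0.0.57 51010 93.184.216.34 443 tcp
2020-03-11T09:17:00Z 10.0.0.10 52000 198.51.100.25 587 tcp
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports an ordinary workstation has no business reaching on the Internet.
WATCHED_PORTS = {
    587: "SMTP submission to an external host (Agent Tesla-style exfiltration)",
    445: "SMB to an external host (should be blocked at the perimeter)",
}

# Hosts allowed to use a watched port towards the Internet, e.g. the mail relay on TCP/587.
ALLOWED_SOURCES = {587: {"10.0.0.10"}, 445: set()}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_policy_violations(flow_text):
    """One finding per internal -> external TCP flow on a watched port, minus allow-listed sources."""
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        ts, src, _sport, dst, dport, proto = parts[:6]
        dport = int(dport)
        if proto != "tcp" or dport not in WATCHED_PORTS:
            continue
        if not is_internal(src) or is_internal(dst):
            continue  # only egress from our own address space matters here
        if src in ALLOWED_SOURCES.get(dport, set()):
            continue
        findings.append({"time": ts, "src": src, "dst": dst, "port": dport,
                         "reason": WATCHED_PORTS[dport]})
    return findings


def summarize_by_source(findings):
    """Collapse findings to src -> {port: sorted list of destinations}, one entry per offending host."""
    summary = {}
    for f in findings:
        summary.setdefault(f["src"], {}).setdefault(f["port"], set()).add(f["dst"])
    return {src: {port: sorted(dsts) for port, dsts in ports.items()} for src, ports in summary.items()}


if __name__ == "__main__":
    for f in find_policy_violations(SAMPLE_FLOWS):
        print(f"{f['time']} {f['src']} -> {f['dst']}:{f['port']}  {f['reason']}")
    print(summarize_by_source(find_policy_violations(SAMPLE_FLOWS)))
```

Internal-to-internal traffic on these ports (a user reaching the file server or the mail relay) is ignored, and the relay itself is allow-listed, so what remains is exactly the two behaviours the diaries warn about: a workstation submitting mail straight to an external server, and a workstation speaking SMB to the Internet.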

I also found other suspicious OwnCloud accounts:

nuesterish742.owncloud.online   
wighteredd264.owncloud.online
ntyclighta026.owncloud.online
idompoomel467.owncloud.online
titiollaug517.owncloud.online

Probably there are many more…

[1] https://any.run/malware-trends/agenttesla
[2] https://www.virustotal.com/gui/file/5254a36f51199786127851940e49c50ffe04aafa091ba6518118125bd68a4c31/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
