Archive for June 9th, 2020

Job application-themed malspam pushes ZLoader, (Wed, Jun 10th)

Introduction

Last week, I published a diary about ZLoader malware spread through Polish malspam.  Today’s diary reviews more ZLoader spread through a different malspam campaign.  Three interesting points about this campaign:

  • The campaign uses password-protected XLS files, so on their own, without the password, they are not usually detected as malware.
  • The URL for the initial ZLoader DLL is geo-fenced.  Although the emails and XLS files were in English, I could not get an infection from an IP address within the United States.  I was able to successfully infect a lab host by going through a Canadian IP address.
  • The Registry update to keep ZLoader persistent didn’t happen until after I rebooted my infected lab host.  I forgot to check whether it would happen when I merely signed out and signed back in through the same user account.


Shown above:  Flow chart for this infection chain.

Images from the infection


Shown above:  Screenshot of an email from this campaign.


Shown above:  You need the password from the email to unlock and open the XLS file.


Shown above:  Screenshot of the XLS file after it’s unlocked.


Shown above:  Traffic seen for the ZLoader DLL after enabling macros on the unlocked XLS file.


Shown above:  The initial ZLoader DLL as it was first saved to my infected Windows host.


Shown above:  Three minutes later, I saw a new ZLoader DLL the same size as the old one with a different SHA256 file hash.


Shown above:  Traffic from the infection filtered in Wireshark.


Shown above:  TCP stream with an example of ZLoader post-infection traffic.


Shown above:  ZLoader on the infected Windows host.  Other folders in the AppData\Roaming directory created during this infection often had decoy files consisting of random binary data.


Shown above:  Registry update to keep ZLoader persistent.  The registry update didn’t happen until after I rebooted my infected Windows host.

Indicators of Compromise (IoCs)

SHA256 hashes for password-protected XLS files (password: 1234)

Malware retrieved from an infected Windows 10 host:

SHA256 hash: 0829886e0ca34a32fa545e0a53d7a2208d963b7b826a14aefde94d9ff4f549e5

  • File size: 503,296 bytes
  • File location: hxxp://205.185.122[.]246/files/june9.dll
  • File location: C:\ZIIuhIerGmFquU\PLyUKBP.dll
  • File description: Initial DLL file for ZLoader retrieved by the Excel macro
  • Run method: rundll32.exe PLyUKBP.dll,DllRegisterServer

SHA256 hash: aa8fc19f16e4e185f6464d2e18ec7731c235d2b0d364f76965cf5967d5eef613

  • File size: 503,296 bytes
  • File location: C:\Users\[username]\AppData\Local\Temp\]isen.dll
  • File location: C:\Users\[username]\AppData\Roaming\Okge\anin.dll
  • File description: Follow-up DLL that keeps ZLoader persistent on the infected Win10 host
  • Run method: regsvr32.exe /s anin.dll

Traffic from an infected Windows 10 host:

  • 205.185.122[.]246 port 80 – 205.185.122[.]246 – GET /b9xBB3
  • 205.185.122[.]246 port 80 – 205.185.122[.]246 – GET /files/june9.dll
  • 188.68.221[.]239 port 80 – snnmnkxdhflwgthqismb[.]com – POST /post.php
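To turn the indicators above into something a SOC can actually run, here is an added Python example (my code, not part of Brad’s diary).  It refangs the three network indicators, matches them and the two DLL hashes against log lines, and flags the two execution patterns the “Run method” entries describe: rundll32 calling DllRegisterServer on a DLL, and a silent regsvr32 load of a DLL from a folder under AppData\Roaming.  The log lines, host addresses and user name in the sample are constructed for this demonstration, and the regexes assume a simple one-event-per-line log of the shape shown there.

```python
"""Match the ZLoader indicators from this diary against sample log lines.

Added example, not code from the original diary.  The indicators are copied
from the IoC list above in their defanged form; the log lines and the
host/user names in them are constructed for this demonstration.
"""
import re

# Network indicators exactly as the diary lists them (defanged).
DEFANGED_NETWORK_IOCS = [
    "hxxp://205.185.122[.]246/b9xBB3",
    "hxxp://205.185.122[.]246/files/june9.dll",
    "hxxp://snnmnkxdhflwgthqismb[.]com/post.php",
]

# SHA256 hashes of the two ZLoader DLLs from the diary.
KNOWN_HASHES = {
    "0829886e0ca34a32fa545e0a53d7a2208d963b7b826a14aefde94d9ff4f549e5",
    "aa8fc19f16e4e185f6464d2e18ec7731c235d2b0d364f76965cf5967d5eef613",
}


def refang(indicator: str) -> str:
    """Convert a defanged indicator (hxxp, [.]) back to the literal form seen in logs."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", "."))


NETWORK_IOCS = {refang(u) for u in DEFANGED_NETWORK_IOCS}

URL_RE = re.compile(r"\b(?:GET|POST)\s+(https?://\S+)")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
PROC_RE = re.compile(r"\b(rundll32\.exe|regsvr32\.exe)\s+(.*)$", re.IGNORECASE)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)


def classify(line: str) -> list:
    """Return the findings for one log line (an empty list means no match)."""
    findings = []

    # 1. Exact URL match against the diary's download and C2 URLs.
    m = URL_RE.search(line)
    if m:
        url = m.group(1).split("?", 1)[0]      # ignore any query string
        if url in NETWORK_IOCS:
            findings.append("network-ioc:" + url)

    # 2. File hash match against the two ZLoader DLL hashes.
    for digest in SHA256_RE.findall(line.lower()):
        if digest in KNOWN_HASHES:
            findings.append("hash-ioc:" + digest)

    # 3. Behavioural patterns taken from the diary's "Run method" lines: the DLL
    #    is first run with rundll32 ...,DllRegisterServer and later persisted
    #    with "regsvr32.exe /s" from a folder under AppData\Roaming.
    m = PROC_RE.search(line)
    if m:
        binary, args = m.group(1).lower(), m.group(2).strip()
        if binary == "regsvr32.exe" and "/s" in args.split() and ROAMING_RE.search(args):
            findings.append("persistence-pattern:regsvr32 /s on a DLL under AppData\\Roaming")
        elif binary == "rundll32.exe" and args.lower().endswith(",dllregisterserver"):
            findings.append("execution-pattern:rundll32 DllRegisterServer")
    return findings


def scan(lines):
    """Return (line_number, line, findings) for every line that produced a finding."""
    hits = []
    for n, line in enumerate(lines, 1):
        findings = classify(line)
        if findings:
            hits.append((n, line, findings))
    return hits


# Constructed sample: a proxy/EDR style log with one infected host (10.0.0.21)
# and one clean host (10.0.0.22).  Timestamps, IPs and the user name are made up.
SAMPLE_LOG = [
    "2020-06-09T14:02:05Z 10.0.0.21 GET http://205.185.122.246/b9xBB3 200",
    "2020-06-09T14:02:11Z 10.0.0.21 GET http://205.185.122.246/files/june9.dll 200",
    "2020-06-09T14:02:14Z 10.0.0.21 FILE PLyUKBP.dll sha256=0829886e0ca34a32fa545e0a53d7a2208d963b7b826a14aefde94d9ff4f549e5",
    r"2020-06-09T14:02:15Z 10.0.0.21 PROCESS rundll32.exe PLyUKBP.dll,DllRegisterServer",
    r"2020-06-09T14:05:40Z 10.0.0.21 PROCESS regsvr32.exe /s C:\Users\analyst\AppData\Roaming\Okge\anin.dll",
    "2020-06-09T14:05:52Z 10.0.0.21 POST http://snnmnkxdhflwgthqismb.com/post.php 200",
    "2020-06-09T14:06:00Z 10.0.0.22 GET http://www.example.com/index.html 200",
    r"2020-06-09T14:06:30Z 10.0.0.22 PROCESS regsvr32.exe /s C:\Windows\System32\legit.dll",
]

if __name__ == "__main__":
    for n, line, findings in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(findings)}")
```

The URL and hash matches are deliberately exact: the geo-fenced download URL, the C2 domain and the two hashes are the indicators the diary gives, so a hit on them is high confidence.  The regsvr32/rundll32 patterns are hunting leads rather than convictions; a match there should trigger a look at the loaded DLL (its hash, its folder, the Run key that references it) before escalating.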

Final words

As always, these types of infections are not very effective against fully-patched and up-to-date computers running the latest version of Microsoft Windows.  The default virus & threat protection settings should stop these samples of ZLoader from infecting a Windows 10 host.  Real-time protection and Tamper Protection are designed to prevent such activity.

And as I mentioned last week, malware authors continually adjust their malware in an attempt to escape detection.  With the low cost of distribution through email, and with poor security practices among potential victims, campaigns pushing ZLoader and other malware will likely remain cost-effective.

Pcap and malware samples for today’s diary can be found here.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.


Microsoft June 2020 Patch Tuesday, (Tue, Jun 9th)

This month we got patches for 130 vulnerabilities. Of these, 12 are critical, and according to Microsoft none of them were previously disclosed or are being exploited.

Amongst the critical vulnerabilities, there is a remote code execution in Windows Graphics Device Interface (GDI), CVE-2020-1248. An attacker could exploit this vulnerability by convincing users to view a specially crafted website or by sending them an e-mail with a malicious attachment. This vulnerability affects multiple versions of Windows 10 and Windows Server versions 1903, 1909, and 2004. The CVSS v3 score for this vulnerability is 8.40.

There is also an RCE affecting Windows OLE (CVE-2020-1281) due to improper validation of user input. As with the previous vulnerability, an attacker could exploit it using specially crafted websites or via e-mail phishing campaigns. This vulnerability affects virtually all supported Windows versions, from Windows 7 to Windows Server 2019.

The highest CVSS v3 score this month (8.60) was given to an important Information Disclosure vulnerability in SMBv3 Client/Server (CVE-2020-1206). According to Microsoft, the information that could be disclosed if an attacker successfully exploits this vulnerability is uninitialized memory. This vulnerability reminds me of CVE-2020-0796, known as SMBGhost, published last March. The workaround suggested by Microsoft is the same for both: disabling SMBv3 compression. But, of course, SMBGhost is an RCE vulnerability.

See Renato’s dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

| Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base | CVSS Temporal |
|---|---|---|---|---|---|---|---|---|
| Azure DevOps Server HTML Injection Vulnerability | CVE-2020-1327 | No | No | Less Likely | Less Likely | Important | | |
| Component Object Model Elevation of Privilege Vulnerability | CVE-2020-1311 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Connected Devices Platform Service Elevation of Privilege Vulnerability | CVE-2020-1211 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Connected User Experiences and Telemetry Service Denial of Service Vulnerability | CVE-2020-1120 | No | No | Less Likely | Less Likely | Important | 7.1 | 6.4 |
| Connected User Experiences and Telemetry Service Denial of Service Vulnerability | CVE-2020-1244 | No | No | Less Likely | Less Likely | Important | 6.3 | 5.7 |
| Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability | CVE-2020-1202 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability | CVE-2020-1203 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | CVE-2020-1278 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | CVE-2020-1257 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | CVE-2020-1293 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| DirectX Elevation of Privilege Vulnerability | CVE-2020-1258 | No | No | Less Likely | Less Likely | Important | 6.4 | 5.8 |
| GDI+ Remote Code Execution Vulnerability | CVE-2020-1248 | No | No | Less Likely | Less Likely | Critical | 8.4 | 7.6 |
| Group Policy Elevation of Privilege Vulnerability | CVE-2020-1317 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Internet Explorer Information Disclosure Vulnerability | CVE-2020-1315 | No | No | Less Likely | Less Likely | Important | 2.4 | 2.2 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2020-1208 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2020-1236 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| June 2020 Adobe Flash Security Update | ADV200010 | No | No | | | Critical | | |
| LNK Remote Code Execution Vulnerability | CVE-2020-1299 | No | No | Less Likely | Less Likely | Critical | 6.8 | 6.1 |
| Media Foundation Information Disclosure Vulnerability | CVE-2020-1232 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.9 |
| Media Foundation Memory Corruption Vulnerability | CVE-2020-1238 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.9 |
| Media Foundation Memory Corruption Vulnerability | CVE-2020-1239 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.9 |
| Microsoft Bing Search Spoofing Vulnerability | CVE-2020-1329 | No | No | | | Important | | |
| Microsoft Browser Memory Corruption Vulnerability | CVE-2020-1219 | No | No | More Likely | More Likely | Critical | | |
| Microsoft Edge (Chromium-based) in IE Mode Spoofing Vulnerability | CVE-2020-1220 | No | No | | | Important | 5.4 | 4.9 |
| Microsoft Edge Information Disclosure Vulnerability | CVE-2020-1242 | No | No | | | Important | 4.3 | 3.9 |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2020-1225 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2020-1226 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Graphics Component Information Disclosure Vulnerability | CVE-2020-1160 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Microsoft Office Remote Code Execution Vulnerability | CVE-2020-1321 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2020-1183 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2020-1298 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2020-1320 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2020-1177 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2020-1297 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2020-1318 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Outlook Security Feature Bypass Vulnerability | CVE-2020-1229 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Project Information Disclosure Vulnerability | CVE-2020-1322 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2020-1295 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Server Elevation of Privilege Vulnerability | CVE-2020-1178 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | CVE-2020-1181 | No | No | Less Likely | Less Likely | Critical | | |
| Microsoft SharePoint Spoofing Vulnerability | CVE-2020-1148 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Spoofing Vulnerability | CVE-2020-1289 | No | No | | | Important | | |
| Microsoft Store Runtime Elevation of Privilege Vulnerability | CVE-2020-1222 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Microsoft Store Runtime Elevation of Privilege Vulnerability | CVE-2020-1309 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Microsoft Windows Defender Elevation of Privilege Vulnerability | CVE-2020-1163 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Windows Defender Elevation of Privilege Vulnerability | CVE-2020-1170 | No | No | Less Likely | Less Likely | Important | | |
| NuGetGallery Spoofing Vulnerability | CVE-2020-1340 | No | No | | | Important | | |
| OLE Automation Elevation of Privilege Vulnerability | CVE-2020-1212 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| OpenSSH for Windows Elevation of Privilege Vulnerability | CVE-2020-1292 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.9 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2020-1073 | No | No | | | Critical | 4.2 | 3.8 |
| SharePoint Open Redirect Vulnerability | CVE-2020-1323 | No | No | Less Likely | Less Likely | Important | | |
| System Center Operations Manager Spoofing Vulnerability | CVE-2020-1331 | No | No | | | Important | | |
| VBScript Remote Code Execution Vulnerability | CVE-2020-1213 | No | No | More Likely | More Likely | Critical | | |
| VBScript Remote Code Execution Vulnerability | CVE-2020-1214 | No | No | More Likely | More Likely | Important | | |
| VBScript Remote Code Execution Vulnerability | CVE-2020-1215 | No | No | More Likely | More Likely | Important | | |
| VBScript Remote Code Execution Vulnerability | CVE-2020-1216 | No | No | More Likely | More Likely | Critical | | |
| VBScript Remote Code Execution Vulnerability | CVE-2020-1230 | No | No | More Likely | More Likely | Important | 7.5 | 6.7 |
| VBScript Remote Code Execution Vulnerability | CVE-2020-1260 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8 |
| Visual Studio Code Live Share Information Disclosure Vulnerability | CVE-2020-1343 | No | No | | | Important | | |
| Win32k Elevation of Privilege Vulnerability | CVE-2020-1207 | No | No | More Likely | More Likely | Important | 6.4 | 5.8 |
| Win32k Elevation of Privilege Vulnerability | CVE-2020-1247 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
| Win32k Elevation of Privilege Vulnerability | CVE-2020-1310 | No | No | Less Likely | Less Likely | Important | 6.4 | 5.8 |
| Win32k Elevation of Privilege Vulnerability | CVE-2020-1251 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
| Win32k Elevation of Privilege Vulnerability | CVE-2020-1253 | No | No | More Likely | More Likely | Important | 6.4 | 5.8 |
| Win32k Information Disclosure Vulnerability | CVE-2020-1290 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability | CVE-2020-1255 | No | No | Less Likely | Less Likely | Important | 8.5 | 7.6 |
| Windows Backup Service Elevation of Privilege Vulnerability | CVE-2020-1271 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Bluetooth Service Elevation of Privilege Vulnerability | CVE-2020-1280 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Denial of Service Vulnerability | CVE-2020-1283 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Diagnostics & feedback Information Disclosure Vulnerability | CVE-2020-1296 | No | No | Less Likely | Less Likely | Important | 5.0 | 4.5 |
| Windows Elevation of Privilege Vulnerability | CVE-2020-1324 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Elevation of Privilege Vulnerability | CVE-2020-1162 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Error Reporting Elevation of Privilege Vulnerability | CVE-2020-1234 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Error Reporting Information Disclosure Vulnerability | CVE-2020-1261 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Error Reporting Information Disclosure Vulnerability | CVE-2020-1263 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Error Reporting Manager Elevation of Privilege Vulnerability | CVE-2020-1197 | No | No | Less Likely | Less Likely | Important | 6.3 | 5.7 |
| Windows Feedback Hub Elevation of Privilege Vulnerability | CVE-2020-1199 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows GDI Elevation of Privilege Vulnerability | CVE-2020-0915 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows GDI Elevation of Privilege Vulnerability | CVE-2020-0916 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows GDI Information Disclosure Vulnerability | CVE-2020-1348 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Host Guardian Service Security Feature Bypass Vulnerability | CVE-2020-1259 | No | No | Less Likely | Less Likely | Important | 4.3 | 3.9 |
| Windows Installer Elevation of Privilege Vulnerability | CVE-2020-1277 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Installer Elevation of Privilege Vulnerability | CVE-2020-1312 | No | No | Less Likely | Less Likely | Important | | |
| Windows Installer Elevation of Privilege Vulnerability | CVE-2020-1272 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Installer Elevation of Privilege Vulnerability | CVE-2020-1302 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-0986 | No | No | Less Likely | Less Likely | Important | | |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1237 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1246 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1262 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1269 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1274 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1275 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1307 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1316 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1264 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1266 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1273 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1276 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Security Feature Bypass Vulnerability | CVE-2020-1241 | No | No | More Likely | More Likely | Important | 5.3 | 4.8 |
| Windows Lockscreen Elevation of Privilege Vulnerability | CVE-2020-1279 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability | CVE-2020-1204 | No | No | Less Likely | Less Likely | Important | 6.3 | 5.7 |
| Windows Modules Installer Service Elevation of Privilege Vulnerability | CVE-2020-1254 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Network Connections Service Elevation of Privilege Vulnerability | CVE-2020-1291 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Network List Service Elevation of Privilege Vulnerability | CVE-2020-1209 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Now Playing Session Manager Elevation of Privilege Vulnerability | CVE-2020-1201 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows OLE Remote Code Execution Vulnerability | CVE-2020-1281 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0 |
| Windows Print Configuration Elevation of Privilege Vulnerability | CVE-2020-1196 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Registry Denial of Service Vulnerability | CVE-2020-1194 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Remote Code Execution Vulnerability | CVE-2020-1300 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1334 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1231 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1233 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1235 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1282 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1265 | No | No | | | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1304 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1306 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Information Disclosure Vulnerability | CVE-2020-1217 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows SMB Remote Code Execution Vulnerability | CVE-2020-1301 | No | No | More Likely | More Likely | Important | 7.5 | 6.7 |
| Windows SMBv3 Client/Server Denial of Service Vulnerability | CVE-2020-1284 | No | No | | | Important | 7.5 | 6.7 |
| Windows SMBv3 Client/Server Information Disclosure Vulnerability | CVE-2020-1206 | No | No | More Likely | More Likely | Important | 8.6 | 7.7 |
| Windows Service Information Disclosure Vulnerability | CVE-2020-1268 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Shell Remote Code Execution Vulnerability | CVE-2020-1286 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0 |
| Windows State Repository Service Elevation of Privilege Vulnerability | CVE-2020-1305 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Text Service Framework Elevation of Privilege Vulnerability | CVE-2020-1314 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Update Orchestrator Service Elevation of Privilege Vulnerability | CVE-2020-1313 | No | No | Less Likely | Less Likely | Important | | |
| Windows WLAN Service Elevation of Privilege Vulnerability | CVE-2020-1270 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows WalletService Elevation of Privilege Vulnerability | CVE-2020-1294 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows WalletService Elevation of Privilege Vulnerability | CVE-2020-1287 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Word for Android Remote Code Execution Vulnerability | CVE-2020-1223 | No | No | | | Important | | |
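A table this long is only useful once it is turned into a patching order. The following added Python example (my code, not Renato’s and not the Patch Tuesday dashboard’s) parses rows in the flat text form the ISC template emits (a description line followed by one `%%cve:…%%` or `ADVnnnnnn` line per entry), reproduces the headline figures from the text above (count, number of critical entries, highest CVSS), and ranks the entries. The ranking weights are this example’s own assumption: exploitation in the wild first, public disclosure next, then Microsoft’s “More Likely” exploitability index, then Critical severity, with CVSS base score as the tie-breaker. The embedded sample is a hand-picked subset of this month’s rows.

```python
"""Parse Patch Tuesday summary rows and rank them for patching priority.

Added example, not part of the original diary or of the Patch Tuesday
dashboard.  It reads rows in the flat text form the ISC template emits and
applies a ranking that is this example's own assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One row: %%cve:2020-1248%% (or ADV200010), Disclosed, Exploited,
# optional Exploitability (old versions) and (current version), Severity,
# optional CVSS base and temporal scores.  Only the two exploitability
# labels that appear on this page are recognised.
ROW_RE = re.compile(
    r"^(?:%%cve:(?P<cve>[\d-]+)%%|(?P<adv>ADV\d+))\s+"
    r"(?P<disclosed>Yes|No)\s+(?P<exploited>Yes|No)\s+"
    r"(?:(?P<expl_old>Less Likely|More Likely)\s+"
    r"(?P<expl_cur>Less Likely|More Likely)\s+)?"
    r"(?P<severity>Critical|Important|Moderate|Low)"
    r"(?:\s+(?P<base>\d+\.\d+)\s+(?P<temporal>\d+\.\d+))?\s*$"
)


@dataclass
class Entry:
    id: str
    title: str
    disclosed: bool
    exploited: bool
    expl_old: Optional[str]
    expl_cur: Optional[str]
    severity: str
    base: Optional[float]
    temporal: Optional[float]

    def priority(self) -> float:
        """Ranking score with this example's own weights (an assumption, not
        Microsoft's guidance): exploited > disclosed > More Likely > Critical,
        with the CVSS base score as tie-breaker."""
        score = 0.0
        if self.exploited:
            score += 100
        if self.disclosed:
            score += 50
        if "More Likely" in (self.expl_old, self.expl_cur):
            score += 30
        if self.severity == "Critical":
            score += 20
        return score + (self.base or 0.0)


def parse(text: str) -> List[Entry]:
    """Turn description/row lines into Entry objects.  A description line
    applies to every row that follows it until the next description."""
    entries, title = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            title = line                      # description line
            continue
        ident = "CVE-" + m["cve"] if m["cve"] else m["adv"]
        entries.append(Entry(
            id=ident, title=title,
            disclosed=m["disclosed"] == "Yes",
            exploited=m["exploited"] == "Yes",
            expl_old=m["expl_old"], expl_cur=m["expl_cur"],
            severity=m["severity"],
            base=float(m["base"]) if m["base"] else None,
            temporal=float(m["temporal"]) if m["temporal"] else None,
        ))
    return entries


def summarize(entries: List[Entry]) -> dict:
    """Headline numbers: total entries, Critical entries, highest CVSS base."""
    scored = [e for e in entries if e.base is not None]
    top = max(scored, key=lambda e: e.base)
    return {"total": len(entries),
            "critical": sum(e.severity == "Critical" for e in entries),
            "highest_cvss": (top.id, top.base)}


def prioritize(entries: List[Entry]) -> List[str]:
    """Entry ids ordered from most to least urgent (ties broken by id)."""
    return [e.id for e in sorted(entries, key=lambda e: (-e.priority(), e.id))]


# Constructed sample: a subset of this month's rows, copied in the flat format.
SAMPLE_ROWS = """\
GDI+ Remote Code Execution Vulnerability
%%cve:2020-1248%% No No Less Likely Less Likely Critical 8.4 7.6
Windows SMBv3 Client/Server Information Disclosure Vulnerability
%%cve:2020-1206%% No No More Likely More Likely Important 8.6 7.7
Windows OLE Remote Code Execution Vulnerability
%%cve:2020-1281%% No No Less Likely Less Likely Critical 7.8 7.0
VBScript Remote Code Execution Vulnerability
%%cve:2020-1213%% No No More Likely More Likely Critical
%%cve:2020-1230%% No No More Likely More Likely Important 7.5 6.7
June 2020 Adobe Flash Security Update
ADV200010 No No Critical
Microsoft Bing Search Spoofing Vulnerability
%%cve:2020-1329%% No No Important
Internet Explorer Information Disclosure Vulnerability
%%cve:2020-1315%% No No Less Likely Less Likely Important 2.4 2.2
"""

if __name__ == "__main__":
    rows = parse(SAMPLE_ROWS)
    print(summarize(rows))
    for e in sorted(rows, key=lambda e: -e.priority()):
        print(f"{e.priority():6.1f}  {e.id:14}  {e.severity:9}  {e.title}")
```

Note how the ranking departs from a pure CVSS sort: CVE-2020-1213 carries no CVSS score in the table but is Critical and rated “More Likely” to be exploited, so it lands above the 8.6-scored SMBv3 bug, which is the kind of judgement call the dashboard’s exploitability column is there to support.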


Renato Marinho
Morphus Labs | LinkedIn | Twitter
