Go Becomes the New Go-To for Malware
Thursday May 7th 2020

We have some special stuff for you in this usually weekly threat report. We’re releasing several IDS signatures and IoCs you can use to detect many of the threats we mention below. This week, we’re discussing:

  • Two new malware strains choose Go
  • An evolution in Qakbot campaigns
  • And, Black Rose Lucy bringing ransomware to your Android

NSPPS RAT goes live

Citrix products are under attack in a recent wave of scans and exploits for CVE-2019-197811234.

According to IronNet Threat Research, a new remote access tool (RAT) has been taking advantage of this vulnerability. The new RAT, dubbed NSPPS, is written in Go (a.k.a. “GoLang”) and built for FreeBSD targets. It’s a fully-featured utility suitable for gaining persistence.

The campaign leverages NSPPS and CVE-2019-197811234 and seems to be focused on launching “XMRig 5.5.0” to mine cryptocurrency. Attacks that result in installing cryptominers are unfortunate; however, there are worse alternatives like ransomware.

Although the cryptominer was easily detected, only 1 out of 59 antivirus engines in VirusTotal detected the NSPSS binary as of April 17, 2020. You should monitor your network traffic for abnormal communications to detect latent threats not found by your AV.

The good news is that Perch has helped Citrix customers detect NSPPS infections. Here are some of the signatures we’ve developed in Perch Labs to catch NSPPS:

Suricata sigs

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Perch Security] nspps Go 
RAT/Backdoor C2 GET Health Check"; flow:established, to_server; content:"GET"; http_method; 
content:"/h"; http_uri; urilen:2; tag:session,5,packets; 
reference:url,https://ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor/; 
classtype:trojan-activity; sid:900050; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Perch Security] nspps Go
RAT/Backdoor C2 GET Task Fetch"; flow:established, to_server; content:"GET"; http_method;
content:"/get"; http_uri; urilen:4; tag:session,5,packets;
reference:url,https://ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor/;
classtype:trojan-activity; sid:900051; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Perch Security] nspps Go
RAT/Backdoor C2 GET Fetch Targets"; flow:established, to_server; content:"GET"; http_method;
content:"/getT"; http_uri; urilen:5; tag:session,5,packets;
reference:url,https://ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor/;
classtype:trojan-activity; sid:900052; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Perch Security] nspps Go
RAT/Backdoor C2 POST log data"; flow:established, to_server; content:"POST"; http_method;
tag:session,5,packets; reference:url,https://ironnet.com/blog/malware-analysis-nspps-a-go-rat
backdoor/; classtype:trojan-activity; sid:900053; rev:2;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Perch Security] nspps Go 
RAT/Backdoor C2 POST exec output"; flow:established, to_server; content:"POST"; 
http_method; content:"/o"; http_uri; urilen:2; tag:session,5,packets; 
reference:url,https://ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor/; 
classtype:trojan-activity; sid:900054; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Perch Security] nspps Go 
RAT/Backdoor C2 POST results"; flow:established, to_server; content:"POST"; http_method; 
content:"/r"; http_uri; urilen:2; tag:session,5,packets; 
reference:url,https://ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor/; 
classtype:trojan-activity; sid:900055; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Perch Security] nspps Go 
RAT/Backdoor C2 POST SOCKS5 user/pass"; flow:established, to_server; content:"POST"; 
http_method; content:"/s"; http_uri; urilen:2; tag:session,5,packets; 
reference:url,https://ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor/; 
classtype:trojan-activity; sid:900056; rev:1;) 

Kaiji has a Go at DDoS attacks

Threat researcher MalwareMustDie discovered a piece of Go malware that was built to infect Linux-based servers and Internet of Things (IoT) devices, and launch DDoS attacks.

Kaiji is part of a trend we see in malware using Go programming language instead of C or C++, like most IoT malware.

Go malware is rare because there are so many C or C++ projects freely available on GitHub and hacking forums that make creating an IoT botnet from C or C++ simple. Most IoT botnets are remixes from multiple strains. We’ll likely see parts of this Go bot reused by other bots later.

Kaiji botnet spreads via brute-force attacks against IoT devices and Linux servers that have left their SSH port exposed on the internet and use weak passwords for the root account. As Kaiji evolves, I would expect to see it add the ability to spread via exploits, like Mirai-variants.

Once Kaiji gains access to a device’s root account, Kaiji will use the device in three ways:

  • Perform DDoS attacks
  • Perform SSH brute-force attacks
  • Steal SSH keys and spread

According to researchers, the botnet appears to be the work of a Chinese developer, since many functions in the code, while written in English, were mere transliterations of Chinese terms.

C2 IP

66.11.125[.]66

Domain

1.versionday[.]xyz

Qakbot on the rise

Qakbot, a seasoned banking trojan, remains active and continues evolving. Initially discovered in 2007 as Pinkslipbot, Qakbot typically spreads via malspam using a zip file containing a .vbs loader running with wscript.exe.

Perch observed a new Qakbot campaign leveraging new URL patterns when compared to other recent Qakbot examples. The Qakbot payloads involved in this new campaign were able to avoid detection by customer antivirus solutions before being detected by Perch analysts. This is not uncommon for Qakbot, which actively evolves new AV evasion techniques.

Here are some signatures we found successful at catching variations in Qakbot payload downloads:

Suricata sigs

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"[Perch Security] Possible 
Qakbot Zip Download"; flow:established,from_server; content:"application/zip"; 
http_content_type; pcre:"/(?:\/(?:[a-z0-9-]{2,32}|[0-9]{2,32})){1,5}\/[0-9]{3,16}\.zip$/Ui"; 
tag:session,5,packets; sid:900044; rev:2;) 

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"[Perch Security] Possible 
Qakbot PNG Download"; flow:established,from_server; content:"image/png"; 
http_content_type; pcre:"/\/([2-9])\1{3,}\.png/Ui"; tag:session,5,packets; sid:900045; rev:2;) 

Black Rose Lucy

Ransomware have been around for decades. We’ve discussed ransomware like DoppelPaymer, Ryuk, and Sodin — all of which have successfully extracted millions from organizations.

Over the last few years, mobile ransomware has been evolving quickly. We’ve recently seen some activity related to the ‘Black Rose Lucy’ malware family. Lucy is a Malware-as-a-Service (MaaS) botnet and dropper for Android devices. Two years after its discovery, Lucy added capabilities to drop ransomware.

Lucy now encrypts files on the infected device and displays a ransom note in the browser window. The note claims to be an official message from the US FBI, accusing the victim of possessing pornographic content on their device. The message also states that as well as locking the device, the user’s details have been uploaded to the FBI Cyber Crime Department’s Data Center, accompanied by a list of legal offenses that the user is accused of committing.

The ransomware takes an unusual turn when it instructs the victim to provide their credit card information to pay a $500 “fine” instead of the more common method of using BitCoin.

Check Point researchers have discovered more than 80 samples that were distributed mainly via social media links and IM apps associated with this newly active Lucy variant in the wild. Here are some signatures we’ve developed to detect Black Rose Lucy infections:

Suricata sigs

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Perch Security] Black Rose Lucy 
Ransomware C2 Domain (gapsoinasj .in)"; content:"gapsoinasj.in"; http_host; 
reference:url,https://research.checkpoint.com/2020/lucys-back-ransomware-goes-mobile; 
classtype:trojan-activity; sid:900046; rev:1;)  

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Perch Security] Black Rose Lucy 
Ransomware C2 Domain (q9120qwpsa .in)"; content:"q9120qwpsa.in"; http_host; 
reference:url,https://research.checkpoint.com/2020/lucys-back-ransomware-goes-mobile; 
classtype:trojan-activity; sid:900047; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Perch Security] Black Rose Lucy 
Ransomware C2 Domain (ja0h12p14k .in)"; content:"ja0h12p14k.in"; http_host; 
reference:url,https://research.checkpoint.com/2020/lucys-back-ransomware-goes-mobile; 
classtype:trojan-activity; sid:900048; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Perch Security] Black Rose Lucy 
Ransomware C2 Domain (jqeoq0r1hgf03ds .in)"; content:"jqeoq0r1hgf03ds.in"; http_host; 
reference:url,https://research.checkpoint.com/2020/lucys-back-ransomware-goes-mobile; 
classtype:trojan-activity; sid:900049; rev:1;) 

That’s all for this week. Don’t forget to apply the IDS signatures and IoCs for detection.

Stay safe, healthy, and keep it Perchy.

- Paul

Paul Scott

Paul Scott
Has 6 Gold Stars
LinkedIn