Threat Report

Friday December 14, 2018

There have been a lot of interesting developments over the last week, so let’s roll through them. In response to world events, nation-states are being implicated in hacking each other. Microsoft and Adobe released critical patches to cover code execution vulnerabilities. Malware authors are increasingly targeting Mac OS X. And an APT takes aim at academics.

After poisoning ex-spies, Russian government hit with Poison Needles

Adobe has now released a patch for CVE-2018-15982 that was recently used in compromising a Russian medical facility. 360 Core Security researchers disclosed findings related to a security incident from late November 2018 involving the FSBI Polyclinic No.2.

The attacker used spear-phishing with an attached document, disguised as an in-depth employee questionnaire, to exploit a recent Flash 0-day (CVE-2018-15982) and deploy a customized trojan with the ability to detect when it has been caught and self-destruct. The primary function of this trojan seems to be maintaining persistence, avoiding detection, and exfiltrating data to an IP in Romania. Researchers named the attack “Operation Poison Needles” because the target was a medical institution, but I think the name might be fitting for other reasons. The attacker launched the trojan from a compressed package. The PE payload backup.exe masqueraded as an NVIDIA control panel application with detailed file descriptions and version numbers.

Some commentators believe that this was in response to the Kerch Strait incident which occurred on November 25, 2018. I believe this is a response to Russian activity, but not the Kerch Strait incident. What relevance does an attack on a Russian health organization have in response to military aggressiveness? I believe this may be a response related to the UK poisoning plot targeting former Russian agent Sergei Skripal. This customized trojan and spear-phishing seem to be an information grab. The FSBI Polyclinic 2 could be the facility that created or stored the Novichok nerve agent used in the poisoning plot. Poison Needles may have been an operation to find evidence related to that attack.

Samples of the customized trojan were first uploaded to VirusTotal on November 29. The Kerch Strait incident occurred on November 25. If this were a response to any incident, then it was likely a failure. If I were a nation-state hack team, I’d like to get more use out of custom malware and an Adobe 0-day than four days. Although, four days is plenty to completely compromise a network. So, maybe they got what they were looking for. Either way, I feel the response is not relevant to the Kerch Strait incident and so it must be related to something else… or maybe nothing at all. Perhaps the timing was meant to provide false attribution to Ukraine.

Hashes:

- 2abb76d71fb1b43173589f56e461011b  
- 92b1c50c3ddf8289e85cbb7f8eead077
- 1cbc626abbe10a4fae6abf0f405c35e2

IP:

- 188.241.58.68

Windows Patch Tuesday - December

Adobe isn’t the only software company releasing some serious patches. This week we’ve got another critical Patch Tuesday from Microsoft. The patch includes a fix for the Win32k Privilege Escalation Vulnerability (CVE-2018-8611), which allows attackers to exploit the Windows kernel to run arbitrary code to install programs, modify data, or create accounts. The fix also covers a heap overflow remote code execution (RCE) vulnerability that’s being actively exploited in Windows DNS Server, which occurs when the server fails to properly handle a specially crafted request. Attackers can exploit this vulnerability to run arbitrary code in the context of the Local System Account.

OSX.DarthMiner brings Mac OS X to the Darkside

Some malware-writing Sith Lords are force pulling Macs into a crypto mining botnet with malware dubbed OSX.DarthMiner. In a recent report from Malwarebytes, researchers profiled the Mac malware and found that it combines EmPyre for a backdoor with XMRig for crypto mining. Although this malware seems focused on mining, it does have the ability to execute commands specified by a remote user through EmPyre. DarthMiner is likely stealing passwords and other such sensitive information.

The malware is being distributed through a fake version of a popular Adobe piracy tool, Adobe Zii.

And they say the Empire did nothing wrong.

Hash:

- ebecdeac53069c9db1207b2e0d1110a73bc289e31b0d3261d903163ca4b1e31e

Academia threatened with STOLEN PENCIL

ASERT researchers from Arbor Networks have disclosed their findings on STOLEN PENCIL, an APT campaign targeting academic institutions. The campaign has been active since at least May 2018. Researchers have not attributed it to any one actor; however, they identify the activity as “possibly originating from DPRK (North Korea).” Attackers appear interested in collecting credentials.

Targets are sent spear-phishing emails that lead to a website displaying a lure, where they are prompted to install a malicious Google Chrome extension. Many targets are specialized in biomedical engineering, suggesting a possible motivation. Researchers state that poor operational security led to users finding open Web browsers in Korean, English-to-Korean translators open, and keyboards switched to Korean. The attackers use built-in Windows admin tools and commercial off-the-shelf software to “live off the land.”

Post-exploitation persistence is maintained by harvesting passwords from a wide variety of sources such as process memory, Web browsers, network sniffing, and keyloggers. Researchers state that they have not yet discovered evidence of data theft. The following indicators of compromise were released with ASERT’s findings.

Paul Scott

SOC Nightwatchman