Threat Report
Thursday April 16th 2020

It’s another week in paradise here at Perch. This week, we’re covering a few events:

  • 0-day trio running wild on Patch Tuesday
  • Sodinokibi (Sodin) ransomware ditches Bitcoin in favor of Monero
  • Two implants with active campaigns:
    • APT41’s Speculoos backdoor
    • TA505 phishing with the SDBbot RAT
  • And, RagnarLocker demanding €10m from Energias de Portugal (EDP)

0-day Trio running wild on Patch Tuesday

For April 2020’s Patch Tuesday, Microsoft patched 113 vulnerabilities. Fifteen of these were rated critical, 93 were important, three were moderate, and two rated as low. According to Microsoft telemetry, three 0-days are being actively exploited in the wild:

  • CVE-2020-1020
    • Remote code execution vulnerability in the Windows Adobe Type Manager Library, caused by the library improperly handling a specially crafted multi-master font in the Adobe Type 1 PostScript format.
  • CVE-2020-0938
    • Remote code execution vulnerability in the Windows Adobe Type Manager Library that affects an OpenType font renderer in Windows.
  • CVE-2020-1027
    • Elevation of privilege vulnerability in the Windows kernel that lets an attacker who already has code running on the box elevate to kernel-level privileges.

The two font-parsing bugs are the ones Microsoft pre-announced in advisory ADV200006 in March, when exploitation was already known. Without specific details from Microsoft, it’s not clear whether the three vulnerabilities are being exploited by multiple threat actors or chained in a single campaign (a font-parsing RCE paired with a kernel privilege escalation is a natural chain).

For the remaining vulnerabilities, impacted software includes Windows, Microsoft Edge (EdgeHTML-based and Chromium-based versions), ChakraCore, Internet Explorer, Microsoft Office, Microsoft Office Services and Web Apps, Windows Defender, Visual Studio, Microsoft Dynamics, and Microsoft Apps for Android and Mac.

Sodin dumps Bitcoin for Monero

On April 13, 2020, researchers reported that the Sodinokibi (REvil) ransomware operators have started to accept Monero instead of Bitcoin as ransom payment. The goal is to make the money trail harder for law enforcement agencies to follow.

The Sodinokibi operators announced that they’ll eventually remove Bitcoins as a payment option and that victims will need to learn more about Monero and how to acquire it.

Victims reach the payment portal over the Tor network, and Monero itself, through the ring signatures and one-time addresses that CryptoNote introduced, hides which output was really spent and who received it, so the funds and the actors collecting them are far harder to trace than with Bitcoin. If you’re a speculator, I’d say Monero prices will trend up on this news.

Wired states that before a privacy change from Monero’s developers, “timing analysis correctly identified the real coin more than 90 percent of the time, virtually nullifying Monero’s privacy safeguards. After that change to how Monero chooses its mixins, that trick now can spot the real coin just 45 percent of the time—but still narrows down the real coin to about two possibilities, far fewer than most Monero users would like.”
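To show why the timing analysis in the Wired quote works, here is a toy simulation added for this post (it is not code from Wired, from Monero, or from the researchers quoted). It models a ring as one real input plus ten decoys, draws the real spend’s age from an exponential distribution (people spend recently received coins), and compares two decoy policies: the old uniform-from-the-whole-chain selection and an age-matched selection. The ring size, the age distributions, and the 100,000-block history are my assumptions, and the percentages it prints describe this model only, not Monero’s actual selection algorithm or the figures Wired reports.

```python
import random
from typing import Callable, List

# Toy model of the "guess-newest" timing heuristic (assumptions, not Monero's
# real decoy selection).  A ring holds one real input plus RING_SIZE - 1 decoys
# ("mixins").  Ages are in blocks since the output was created; smaller = newer.
RING_SIZE = 11          # assumption: 1 real input + 10 mixins
CHAIN_BLOCKS = 100_000  # assumption: how far back decoys can be drawn from
SPEND_MEAN_AGE = 1_000  # assumption: real spends tend to happen soon after receipt


def real_spend_age(rng: random.Random) -> float:
    """Age of the real input: exponential, so most spends are recent."""
    return min(rng.expovariate(1.0 / SPEND_MEAN_AGE), CHAIN_BLOCKS - 1)


def uniform_decoys(rng: random.Random, n: int) -> List[float]:
    """Old policy: decoys drawn uniformly from the whole chain history."""
    return [rng.uniform(0, CHAIN_BLOCKS) for _ in range(n)]


def age_matched_decoys(rng: random.Random, n: int) -> List[float]:
    """Improved policy: decoys follow the same age distribution as real spends,
    so a decoy is as likely to be the newest ring member as the real input."""
    return [real_spend_age(rng) for _ in range(n)]


def guess_newest(ring: List[float]) -> int:
    """Attacker heuristic: the newest ring member is the real spend."""
    return min(range(len(ring)), key=lambda i: ring[i])


def heuristic_accuracy(decoy_policy: Callable[[random.Random, int], List[float]],
                       trials: int = 5000, seed: int = 1) -> float:
    """Fraction of rings in which guess_newest picks the real input."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        ring = [real_spend_age(rng)] + decoy_policy(rng, RING_SIZE - 1)
        # Shuffle so ring position carries no information, as in a real ring.
        order = list(range(RING_SIZE))
        rng.shuffle(order)
        shuffled = [ring[i] for i in order]
        real_pos = order.index(0)
        if guess_newest(shuffled) == real_pos:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print(f"uniform decoys:     {heuristic_accuracy(uniform_decoys):.1%}")
    print(f"age-matched decoys: {heuristic_accuracy(age_matched_decoys):.1%}")
```

With uniform decoys the real input is the newest ring member around nine times out of ten, because a recently received output almost always beats ten decoys spread over years of history; once decoys are drawn from the same age distribution, the heuristic does no better than a random pick among the eleven members.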

Speculoos opens the door for APT41

On April 13, 2020, researchers published details of APT41 deploying “Speculoos” against targets in multiple industries worldwide, including healthcare, higher education, manufacturing, government, and technology services. Speculoos is a fully functional backdoor that gives the attackers control of the compromised system.

The Speculoos backdoor is an ELF executable compiled with GCC 4.2.1 for FreeBSD, which fits its target: the attack begins by exploiting CVE-2019-19781, a directory traversal in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances that lets an unauthenticated attacker execute arbitrary commands on the appliance.

Upon execution, Speculoos attempts to reach its command-and-control server at the domain alibaba.zzux[.]com. If that fails, it falls back to a TLS connection to the C2 server at 192.28.139[.]20, so a detection that keys only on DNS resolution of the domain will miss the fallback. Once connected, Speculoos fingerprints the host, sends the collected data to the C2 server, and begins receiving commands.

We recommend patching Citrix appliances for CVE-2019-19781, treating any appliance that was internet-exposed while unpatched as potentially compromised rather than assuming the patch undid earlier access, and monitoring for the indicators below.
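One check a defender can run for the initial access step is a pass over the appliance’s HTTP access logs for the CVE-2019-19781 traversal pattern. The script below is an added example written for this post, not Citrix’s or the researchers’ code. The log lines are constructed; the request paths in them are the ones public write-ups of the bug documented. The rule keys on the same two substrings Citrix’s interim responder-policy mitigation matched on, a “/../” traversal reaching the “/vpns/” scripts, and decodes the path twice so percent-encoding cannot hide the dots.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (common log format, not from any real
# appliance).  Only the request path matters to the rule.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Apr/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 2311
203.0.113.9 - - [13/Apr/2020:10:01:05 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
203.0.113.9 - - [13/Apr/2020:10:01:07 +0000] "POST /vpn/..%2Fvpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
198.51.100.4 - - [13/Apr/2020:10:02:00 +0000] "GET /vpns/portal/homepage.html HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')


def normalise_path(path: str) -> str:
    """URL-decode twice so %2F and %252F cannot hide the traversal, then lower-case."""
    return unquote(unquote(path)).lower()


def is_citrix_traversal(path: str) -> bool:
    """CVE-2019-19781 exploitation reaches the /vpns/ Perl scripts through a
    '/../' traversal.  A bare /vpns/ request without traversal is ordinary
    gateway traffic and is not flagged."""
    p = normalise_path(path)
    return "/../" in p and "/vpns/" in p


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per request that looks like CVE-2019-19781 exploitation."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_citrix_traversal(m["path"]):
            hits.append({"src": m["src"], "ts": m["ts"],
                         "method": m["method"], "path": m["path"]})
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f"{h['ts']}  {h['src']:15} {h['method']} {h['path']}")
```

A GET for smb.conf through the traversal is the classic vulnerability check, so a source that does that and then POSTs to anything under /vpns/portal/scripts/ should be treated as an exploitation attempt, not a scan, and the appliance reviewed accordingly.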

IP Addresses

66.42.98[.]220
119.28.139[.]120
119.28.139[.]20
192.28.139[.]20

Domains

alibaba.zzux[.]com
exchange.longmusic[.]com

TA505 submits resume for SDBbot

On April 14, 2020, researchers reported TA505 using the “SDBbot” Remote Access Trojan (RAT) as part of its arsenal to spread an intrusion across an entire corporate environment. SDBbot performs the usual RAT functions: it communicates with command-and-control servers to receive commands and exfiltrates data from the victim’s devices and network.

The attack generally starts with a spear-phishing email purporting to come from an HR representative’s account. The body of the email impersonates Onehub, a cloud file-sharing service, to entice the victim into downloading a malicious document.

Once the victim opens the malicious document, it installs a persistence mechanism and runs a password harvester on the machine. The malicious code also drops a Cobalt Strike-like binary that is used to escalate privileges and move laterally to additional systems on the network.

In March 2020, researchers noticed a related phishing campaign targeting German companies with malicious attachments disguised as job applications.

When a recipient opened the “resume,” an embedded Microsoft shortcut (“.lnk”) file launched a PowerShell script on the host. That script steals login credentials from browsers and Outlook and collects payment card data. To evade detection, the attackers leaned on commercial and off-the-shelf tools: the NetSupport Manager remote access software, Google Drive for hosting their tooling, and the GPG encryption tool as a stand-in for ransomware.

As part of the campaign, researchers observed TA505 using GPG to encrypt the victim’s files and demand a ransom. Additionally, TA505 used NetSupport to steal files, screen captures, and voice recordings.

Once TA505 had collected the saved credentials, the harvester wrote its output to a directory named “safsff3f,” which was then compressed and sent back to the attacker’s command-and-control server. Lastly, a “.bat” file deleted the files that had been downloaded, created, or modified on the host.
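The chain described above (shortcut launches PowerShell, credentials land in “safsff3f,” the directory is compressed, a batch file cleans up) is more robustly detected as a sequence of host behaviours than as a single hash or IP. The correlation below is an added example written for this post, not the researchers’ or Perch’s code. It runs over constructed Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records, not real telemetry; the 30-minute window, the list of PowerShell flags treated as suspicious, and the archive extensions are my assumptions. Only the “safsff3f” directory name comes from the report itself.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create),
# reduced to the fields the rules need.  Not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "ts": "2020-04-14T09:12:01", "id": "1", "image": PS,
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc SQBFAFgAIAAoAE4..."},
    {"host": "WS01", "ts": "2020-04-14T09:12:40", "id": "11", "image": PS,
     "target": r"C:\Users\jdoe\AppData\Local\Temp\safsff3f\browsers.txt"},
    {"host": "WS01", "ts": "2020-04-14T09:12:41", "id": "11", "image": PS,
     "target": r"C:\Users\jdoe\AppData\Local\Temp\safsff3f\outlook.txt"},
    {"host": "WS01", "ts": "2020-04-14T09:13:05", "id": "11", "image": PS,
     "target": r"C:\Users\jdoe\AppData\Local\Temp\safsff3f.zip"},
    {"host": "WS01", "ts": "2020-04-14T09:13:30", "id": "1",
     "image": r"C:\Windows\System32\cmd.exe", "parent": PS,
     "cmdline": r"cmd.exe /c C:\Users\jdoe\AppData\Local\Temp\clean.bat"},
    # Benign: an admin running a script from an interactive console on another host.
    {"host": "WS02", "ts": "2020-04-14T09:20:00", "id": "1", "image": PS,
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -File C:\ops\inventory.ps1"},
]

# Assumptions: flags a shortcut-launched stager typically carries, and the
# archive types the harvester output is likely to be packed into.
SUSPICIOUS_PS_FLAGS = ("-enc", "-e ", "-nop", "-ep bypass", "-w hidden", "-windowstyle hidden")
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".cab")
WINDOW = timedelta(minutes=30)   # assumption: stages must fall within 30 minutes


def stage_of(ev: Dict[str, str]) -> Optional[str]:
    """Map one event to a stage of the chain the report describes, or None."""
    image = ev.get("image", "").lower()
    if ev["id"] == "1":
        cmd = ev.get("cmdline", "").lower()
        parent = ev.get("parent", "").lower()
        # Stage 1: the .lnk runs PowerShell.  Explorer is the parent when a user
        # double-clicks a shortcut; hidden/encoded flags are what the target carries.
        if image.endswith("\\powershell.exe") and parent.endswith("\\explorer.exe") \
                and any(flag in cmd for flag in SUSPICIOUS_PS_FLAGS):
            return "lnk_powershell"
        # Stage 4: a batch file deletes what was dropped.
        if image.endswith("\\cmd.exe") and ".bat" in cmd:
            return "bat_cleanup"
    elif ev["id"] == "11":
        target = ev.get("target", "").lower()
        # Stage 2: harvested credentials land in the 'safsff3f' directory.
        if "\\safsff3f\\" in target:
            return "cred_dir"
        # Stage 3: the directory is compressed before exfiltration.
        if "safsff3f" in target and target.endswith(ARCHIVE_EXT):
            return "archive"
    return None


def correlate(events: List[Dict[str, str]], min_stages: int = 2) -> Dict[str, Set[str]]:
    """Group stage hits per host; report hosts with >= min_stages distinct stages
    inside WINDOW of that host's first hit."""
    first_seen: Dict[str, datetime] = {}
    stages: Dict[str, Set[str]] = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        first_seen.setdefault(ev["host"], ts)
        if ts - first_seen[ev["host"]] <= WINDOW:
            stages[ev["host"]].add(stage)
    return {h: s for h, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, seen in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(sorted(seen))}")
```

Requiring two distinct stages on the same host keeps a lone hidden-window PowerShell launch (common in legitimate automation) from paging anyone, while the directory name alone is strong enough that you may want to drop min_stages to 1 for that stage specifically.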

IP Addresses

91.214.124[.]20
91.214.124[.]25
185.176.221[.]45

Domains

dl1.sync-share[.]com
drm-server-booking[.]com
microsoft-live-us[.]com

URLs

https://sba.yandex[.]net/redirect
https://eur01.safelinks[.]protection.outlook.com
https://dl1.sync-share[.]com
https://dl1.sync-share[.]com/?Or2at
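The indicator lists for both campaigns in this report (the Speculoos IPs and domains above, and the TA505 IPs, domains, and URLs here) are defanged with “[.]”, and two of the TA505 URLs are generic redirectors: eur01.safelinks.protection.outlook.com is Microsoft’s Safe Links rewrite host and sba.yandex[.]net/redirect is a Yandex redirect, both of which also carry benign traffic. The sweep below, an added example written for this post rather than code from Perch or the researchers, refangs the lists, matches DNS queries, connection destinations, and proxied URLs against them, reports a bare redirector hit as context only, and unwraps the redirector’s url= parameter to check the real destination. The tab-separated log layout and every log line are constructed.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Indicators exactly as this report lists them (defanged with "[.]"), tagged by campaign.
IOCS: Dict[str, Dict[str, List[str]]] = {
    "APT41/Speculoos": {
        "ips": ["66.42.98[.]220", "119.28.139[.]120", "119.28.139[.]20", "192.28.139[.]20"],
        "domains": ["alibaba.zzux[.]com", "exchange.longmusic[.]com"],
        "urls": [],
    },
    "TA505/SDBbot": {
        "ips": ["91.214.124[.]20", "91.214.124[.]25", "185.176.221[.]45"],
        "domains": ["dl1.sync-share[.]com", "drm-server-booking[.]com", "microsoft-live-us[.]com"],
        "urls": ["https://dl1.sync-share[.]com", "https://dl1.sync-share[.]com/?Or2at"],
    },
}
# The other two URLs in the TA505 list are generic redirectors that also carry
# benign traffic.  A hit on them alone is context; the URL they forward to is checked.
REDIRECTOR_HOSTS = {"eur01.safelinks.protection.outlook.com", "sba.yandex.net"}


def refang(ioc: str) -> str:
    """Turn the report's defanged form back into a matchable, lower-cased value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def _index(kind: str) -> Dict[str, str]:
    return {refang(v): campaign for campaign, groups in IOCS.items() for v in groups[kind]}


IP_INDEX, DOMAIN_INDEX, URL_INDEX = _index("ips"), _index("domains"), _index("urls")

# Constructed log lines (not real traffic), tab-separated: type, epoch ts, src, then
# a query name (dns), a destination IP and port (conn), or a full URL (http).
SAMPLE_LOGS = """\
dns\t1586779200\t10.0.0.15\talibaba.zzux.com
conn\t1586779201\t10.0.0.15\t192.28.139.20\t443
dns\t1586779300\t10.0.0.22\tcdn.example.com
http\t1586779400\t10.0.0.31\thttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdl1.sync-share.com%2F%3FOr2at&data=x
http\t1586779401\t10.0.0.31\thttps://dl1.sync-share.com/?Or2at
http\t1586779402\t10.0.0.31\thttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.example.com%2F
conn\t1586779500\t10.0.0.40\t93.184.216.34\t443
"""


def domain_hit(name: str) -> Optional[Tuple[str, str]]:
    """Exact or subdomain match against the domain list."""
    name = name.lower().rstrip(".")
    for d, campaign in DOMAIN_INDEX.items():
        if name == d or name.endswith("." + d):
            return d, campaign
    return None


def unwrap_redirect(url: str) -> str:
    """If url points at a known redirector, return the URL in its url= parameter."""
    parts = urlsplit(url)
    if parts.hostname in REDIRECTOR_HOSTS:
        inner = parse_qs(parts.query).get("url")
        if inner:
            return inner[0]
    return url


def check_url(url: str) -> Optional[Tuple[str, str]]:
    """(severity, reason) for a proxied URL, after unwrapping redirectors."""
    url = url.lower()
    target = unwrap_redirect(url)
    if target in URL_INDEX:
        return "alert", f"url {target} ({URL_INDEX[target]})"
    hit = domain_hit(urlsplit(target).hostname or "")
    if hit:
        return "alert", f"host {hit[0]} ({hit[1]})"
    if urlsplit(url).hostname in REDIRECTOR_HOSTS:
        return "context", f"redirector {urlsplit(url).hostname} -> {target}"
    return None


def sweep(text: str) -> List[Dict[str, str]]:
    """One finding per log line that touches a listed indicator."""
    findings = []
    for line in text.splitlines():
        kind, ts, src, *rest = line.split("\t")
        result = None
        if kind == "dns":
            hit = domain_hit(rest[0])
            result = ("alert", f"domain {hit[0]} ({hit[1]})") if hit else None
        elif kind == "conn":
            # Destination-IP matching is what catches Speculoos' TLS fallback to a
            # hard-coded address when its C2 domain never shows up in DNS.
            if rest[0] in IP_INDEX:
                result = ("alert", f"ip {rest[0]} ({IP_INDEX[rest[0]]})")
        elif kind == "http":
            result = check_url(rest[0])
        if result:
            findings.append({"ts": ts, "src": src, "severity": result[0], "reason": result[1]})
    return findings


if __name__ == "__main__":
    for f in sweep(SAMPLE_LOGS):
        print(f"{f['severity']:7} {f['src']:10} {f['reason']}")
```

Matching URLs case-insensitively is a deliberate simplification for a sweep like this; the win is the redirector unwrapping, since a Safe Links or Yandex wrapper around a listed host is exactly what the phishing lure would look like in proxy logs.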

RagnarLocker demands €10m for 10TB of exfiltrated data

Multiple Portuguese media outlets are reporting that Energias de Portugal (EDP), a European utility giant, was hit by a cyberattack on Monday and is facing a €10m ($11M) ransomware demand.

The utility is said to have been hit by RagnarLocker ransomware, a family that has been delivered through the remote monitoring and management (RMM) tools managed service providers use. The criminals gained access to EDP’s systems and are demanding payment within 20 days to prevent the release of the stolen data.

“We had downloaded more than 10TB of private information from EDP group servers,” a post on RagnarLocker’s leak site says.

“Below just a couple of files […] from your network only as a proof of possession! At this moment current post is a temporary, but it could become a permanent page and also we will publish this Leak in Huge and famous journals and blogs, also we will notify all your clients, partners and competitors. So it’s depend on you make it confidential or public!”

As a sign of what’s to come, the attackers included an edpradmin2.kdb file, a KeePass password manager database, among the files already leaked.

Clicking the link on the leak site leads to a database export that includes EDP employees’ login names, passwords, accounts, URLs, and notes.

According to the ransom note dropped on the EDP encrypted systems, the attackers were able to steal confidential information on billing, contracts, transactions, clients, and partners.

“And be assure that if you wouldn’t pay, all files and documents would be publicated for everyones view and also we would notify all your clients and partners about this leakage with direct links,” the ransom note reads.

“So, if you want to avoid such harm for your reputation, better pay the amount that we asking for.”

And on that uplifting note: that’s all we have time for this week! Don’t forget to subscribe to our mailing list to keep informed on all things cybersecurity.

Stay safe, stay healthy, and keep it Perchy.
- Paul

Paul Scott
