Threat Report

Thursday November 8, 2018

In this week’s threat report we’re covering a couple 0-days, malware that could have you scrambling for your disaster recovery (DR) plan, and the rising trend of malvertising. Let’s get it goin’.

Full Disclose for VirtualBox 0-Day

Speaking of 0-days, Security researcher Sergey Zelenyuk has publicly disclosed a 0-day in virtual machine software VirtualBox without notifying Oracle, the developer of the free application. The flaw relies on a chain of bugs and can allow maliciouscode to escape the VirtualBox environment (guest) and execute on the underlying (host) operating system. Zelenyuk highlights that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). The flaw affects VirtualBox 5.2.20 and prior versions and impacts any host OS or guest OS with a VM configuration in the default setting. Zelenyuk has published a video demonstrating the attack as well as a detailed technical write-up on Github, viewable in the Validation URL section of this note.

No patches are currently available. In the meantime, Zelenyuk advises users to change the network card of their virtual machines to either PCnetor Paravirtualised Network. If this cannot be done, users should change the mode from NAT to another one. However, the first option is more secure, he adds.

Zelenyuk shared that his reasoning for publishing the 0-day without notifying Oracle first stemmed from personal frustration at how long it takes for patches to be produced and implemented, as well as issues submitting flaws to bug bounty programs. If Zelenyuk has found this, then chances are someone else has too and we are more secure by knowing about this vulnerability than by being unaware of it. Thanks, Zelenyuk. Very pragmatic.

Crypto-jacking Malware forces 3-Day St. Francis Xavier University Network Outage

According to a statement released on November 4, 2018, St. Francis Xavier University in Nova Scotia, Canada was forced to shut down its entire network for at least three days as system administrators attempted to root out a crypto-jacking (or cryptocurrency mining) malware. The attack reportedly began on Thursday, November 1, and targeted the university’s network infrastructure. After the malware was detected, the school immediately shut down its entire network, disabling all online systems including: online courses, cloud storage, email services, debit transactions, and Wi-Fi. The statement reads, “The malicioussoftware attempted to utilize StFX’s collective computing power in order to create or discover Bitcoin for monetary gain.” The statement emphasized that there is no evidence to indicate that personal or sensitive data was compromised by the malware attack. Although no sensitive data was compromised, that was just luck. Ransomware does not typically try to exfiltrate data. Had they been infected with malware that sought to exfiltrate sensitive data, we would see a data breach here instead of an outage. As a safety precaution, university officials advised all students, staff, and faculty to reset their university account passwords as a safety measure; but the university should have forced a password reset.

Disk Cryptor Leveraged by Ransomware Campaign

Another type of malware that could send you into full on DR is ransomware. MalwareHunterTeam has recently discovered new ransomware that installs Disk Cryptor to infect victim machines. Disk Cryptor is an encryption program that encrypts the whole disk and then prompts the user to enter a password on reboot. According to MalwareHunterTeam, this ransomware requires a password argument to be passed. This argument is the decryption key. It is possible that the attackers are hacking into Remote Desktop Services and installing the ransomware manually. During the installation process, a log file will be created at C:\Users\Public\myLog.txt that shows the current stage of the encryption process. Once the entire drive has been encrypted, it will reboot the computer and victims will be greeted with a ransom note that explains to contact mcrypt2018@yandex.comfor payment instructions. It is essential that you have reliable and tested backups of data that can be restored in the case of an emergency, such as a ransomware attack. There is a very narrow window to catch ransomware before it encrypts the disk. If this really is coming in through Remote Desktop Services, it’s way more likely to be a weak password than a 0-day. But, please question if you need RDP open to the world.

Related Registry Keys


  - HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DCRYPT\INSTANCES\DCRYPT
  - HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DCRYPT\CONFIG
  - HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DCRYPT\INSTANCES
  - HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DCRYPT

  

Hashes


- 4ae71336e44bf9bf79d2752e234818a5
- f1d81ae5a4ea7a71d5d7147565fecca141a8e03148ef3c9e7583b9159923d17a

Rising Malvertising Opens Gateway for 0-Days

Based on the ad related traffic before this activity, we believe this is likely related to malvertising. Malvertising is the common ground where evil marketing teams and hungry blackhats meet to perform ritual sacrifice on end users. No matter how well you train staff, if they are allowed to get on the Web, they will get ads. Ads are ubiquitouson the Internet. We are all at risk when adversaries can replace a benign, normal, soul-sucking ad with a maliciousone. We’ve been watching a large number of our customers’ users getting pop-ups for fake tech support scams that goes like, “You have been infected with Pornographic Malware please call the number on the screen or we will report you to the police.” We aren’t sure who picked up the phone and called, but we wanted to let everyone know so they can block the sources of the activity. We’re seeing this campaign across approximately 15 percent of our customer base and it does not appear to target one industry more than another. This is just a fake tech support scam. Imagine if an attacker used malvertising to distribute a new Edge 0-day instead.

Researchers recently discovered a 0-day remote code execution (RCE) vulnerability in Microsoft Edge. In a tweet posted November 1, 2018, exploit developer Yushi Liang tweeted, “we just broke #Edge, teaming up with [Alexandr Kochkov] for a stable exploit, brace yourself SBX is coming.” The tweet included an image of the Web browser that appeared to launch the Windows Calculator app. Liang and Kochkov’s objective was to develop a stable exploit and achieve full sandbox escaping of the code. The pair disclosed that they were also looking for a method to escalate execution privileges to SYSTEM, granting them complete control over the victim machine. Liang shared that he discovered the 0-day bug with the assistance of the Wadi Fuzzer utility from SensePost. The pair plans on publishing a proof-of-concept demonstrating the vulnerability soon. We’ll let you know when they do.

Until then, here are some domains to block. If you want the IPs hit me up on Slack. To see if your users got hit by this malvertising campaign, check out Perchybana:

https://app.perchsecurity.com/perchybana/#/discover?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-30d,mode:quick,to:now))&_a=(columns:!(perch_company_name,event_type,src_ip,src_port,dest_ip,dest_port,payload_printable,flow.bytes_toclient,flow.bytes_toserver,http.hostname,http.url,http.http_refer,http.status,http.redirect,http.xff,http.protocol,fileinfo.filename,fileinfo.sha1,fileinfo.size),index:'*-records',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'(%22%2Ftpage3%2F%22%20%7C%7C%20%22%2Fwelcome%2F%3Fa%3D%22)')),sort:!(timestamp,desc))

IPs


- 138.197.218.89 - Organization: DigitalOcean, LLC (DO-13)
- 159.203.166.119 - Organization: DigitalOcean, LLC (DO-13)
- 159.89.222.164 - Organization: DigitalOcean, LLC (DO-13)
- 159.89.240.50 - Organization: DigitalOcean, LLC (DO-13)
- 159.89.253.173 - Organization: DigitalOcean, LLC (DO-13)
- 162.248.246.162 - Organization: Centrilogic, Inc. (CENTR-60)
- 165.227.115.97 - Organization: DigitalOcean, LLC (DO-13)
- 165.227.71.84 - Organization: DigitalOcean, LLC (DO-13)
- 178.128.132.138 - Organization:  US-DIGITALOCEANLLC-20100303
- 185.44.66.174 - Organization:  UK-MASSIVEGRID-20131231
- 192.129.248.58 - Organization: Hostwinds LLC. (HL-29)
- 216.116.91.94 - Organization: Jack Henry & Associates, Inc. (JHA-1)
- 38.128.66.252 - Organization: PSINet, Inc. (PSI)
- 38.75.137.163 - Organization: PSINet, Inc. (PSI)
- 38.91.107.252 - Organization: PSINet, Inc. (PSI)
- 66.165.233.43 - Organization: NOC4Hosts Inc. (NOC4H)
- 66.165.247.187 - Organization: NOC4Hosts Inc. (NOC4H)

URIs:


- /fonts/glyphicons-halflings-regular.ttf
- /fonts/glyphicons-halflings-regular.woff
- /fonts/glyphicons-halflings-regulard41d-.eot
- /tpage3/a.htm
- /tpage3/gb.mp3
- /tpage3/iframe.js
- /tpage3/jquery-1.js
- /tpage3/login.php
- /tpage3/retreaver.js
- /welcome/?a=AZ&pagex=1&s1=[campaign id]%2C%2C&os=[operating system]&browser=[browser name]&isp=[internetservice provider]&ip=[public ip]&geo=[geo ip code]&q1=[string]%2C
- /tpage3/?a=AZ&pagex=1&s1=[campaign id]%2C%2C&os=[operating system]&browser=[browser name]&isp=[internetservice provider]&ip=[public ip]&geo=[geo ip code]&q1=[string]%2C

Hashes:


- 69db1a94309e88008bbadacf301526edce59374410c83f888ec866ad6b2d8e47- iframe.js
- 71a861100e206eeee88876cd5313553e0fdc07046cce33a1a96b96d9485070e1 - retreaver.js

Domains:


- ganglioblast[.]pw
- gathering[.]pw
- gaultherin[.]pw
- glycolysis[.]pw
- haematoscope[.]pw
- haemoglobin[.]pw
- hemizygote[.]pw
- hemocyanin[.]pw
- hidradenomas[.]pw
- hologamies[.]pw
- holographies[.]pw
- homeopathies[.]pw
- homoeotic[.]pw
- homogeneous[.]pw
- homogeniser[.]pw
- homolytic[.]pw
- junaket[.]us
- kremlins[.]pw
- laudably[.]pw
- leafless[.]pw
- mannikin[.]pw
- massaged[.]pw
- metamers[.]pw
- ministrytwo[.]stream
- minusnine[.]stream
- misatone[.]pw
- misbills[.]pw
- misdeeds[.]pw
- misdoing[.]pw
- misdraws[.]pw
- misjoins[.]pw
- mislearn[.]pw
- misspent[.]pw
- mistrust[.]pw
- miterers[.]pw
- modified[.]pw
- monazite[.]pw
- monitive[.]pw
- monotony[.]pw
- mustered[.]pw
- mutating[.]pw
- muteness[.]pw
- nailfold[.]pw
- news[.]hellosite[.]info
- sp[.]cwfservice[.]net
- swiftone[.]us
- tellinglynine[.]us
- torousten[.]pw
- trivetnine[.]pw
- turgitefour[.]pw
- unearthsix[.]pw
- unkindnine[.]pw
- unlockten[.]pw
- unmetsix[.]pw
- unplaittwo[.]pw
- unplugfive[.]pw
- unresttwo[.]pw
- unretireten[.]pw
- untunedone[.]pw
- upraiseten[.]pw
- usheredfour[.]pw

Paul Scott

Paul Scott
SOC Nightwatchman
LinkedIn