Threat Report

Thursday October 3rd 2019

Threat actors are focusing their attention on a number of different industries in this week’s threat report. U.S. oil and gas companies are getting RATs, defense contractors holding sensitive information have been hit by ransomware, and a bunch of well-known online publishers are being targeted for malvertising. It’s a good week to join your industry’s ISAC/ISAO if you have one. In addition to the industry-focused infections, we’ve got another critical Exim vulnerability, and new Windows malware, Nodersok, is teaching lessons about living-off-the-land.

United States Oil & Gas got some RATs

A new campaign spreading the Adwind RAT has been spotted targeting the petroleum industry in the United States. Adwind RAT is a well-known malware family that has been actively used in multiple campaigns over the last couple of years. The majority of the campaigns are conducted via phishing emails.

When the victim executes the attached payload, multiple levels of JAR extraction occur. The dropped JAR payload creates a copy of itself in the %User% directory. Then it performs an AES decryption routine on an embedded object to construct and load the JRAT class. The JRAT class is used for loading and linking the DLL containing the RAT functionality.

Adwind RAT added obfuscation techniques and a multi-stage infection process where nested JAR files conceal the malware’s presence. According to Netskope, the new campaign delivering Adwind RAT is hosted on members.westnet.com.au URLs. The URLs hosting the Adwind RAT were reported to Westnet on September 9, 2019.

Westnet is an Australian Internet Service Provider (ISP). You should review your proxy and DNS logs for evidence of downloads from the URLs below.

Adwind RAT URLs

http://members.westnet[.]com.au/~mcleodart/
http://members.westnet[.]com.au/~philchief/
http://members.westnet[.]com.au/~lionsnortham
http://members.westnet[.]com.au/~jbush/
http://members.westnet[.]com.au/~joeven/

North American Defense Contractor operations fall to ransomware

Rheinmetall AG of Germany recently disclosed that its plants in the U.S., Mexico, and Brazil have been hit by a malware infection that disrupted their regular operations.

Rheinmetall AG is one of the biggest manufacturers of armored vehicles, tanks, ammunition, and various electronic systems. The company estimates that the malware event will have a negative impact on earnings of up to 4M euro per week.

At the time of writing, the company did not reveal any details about the incidents or what type of malware was involved in the attacks, but if I were a betting man (which I am) it was ransomware.

In related news, industry sources say Defence Construction Canada’s computer systems were down earlier in the month.

The Director of Communications with Defence Construction Canada, Stephanie Ryan, confirmed that the incident happened on September 11. The Crown Corporation’s Cyber Incident Response Team investigated the impact of the attack and is now working to fully restore its information technology systems. Sources say this incident was a ransomware attack.

It is not clear what ransomware was used, if the contractors paid, or if sensitive data was stolen in addition to being ransomed.

GhostCat-3PC delivers for online publications

A new malware strain dubbed “GhostCat-3PC” uses obfuscated code to evade signature-based defenses. The Media Trust Digital Security & Operations (DSO) discovered the malicious ads while analyzing files hosted on two cloud platforms.

Over the span of three months, more than 13 distinct incidents against hundreds of well-known publishers have been identified. The DSO was aware of 130 unique incidents linked to 18 malicious campaigns in a span of three months.

When the malware is executed, a quick check is performed. If the site the user is visiting is on a list of target publishing domains, GhostCat-3PC initiates a fraudulent pop-up that leads to malicious content. The theory is that the malware authors check the publishing site to track which attacks work and which ones fail in the presence of certain blockers or other security tools.

Another critical EXIM

Another critical security flaw in the Exim Mail Transfer Agent software was patched to address denial-of-service or possibly remote code execution attacks. The vulnerability, tracked as CVE-2019-16928, affects Exim versions 4.92 through 4.92.2. According to Exim’s advisory, there is a heap-based buffer overflow in string_vformat (string.c) involving a long EHLO command.

A long EHLO command allows attackers to crash the Exim process. Additionally, other paths to reach the vulnerable code may exist, and remote code execution is reportedly possible. Hundreds of thousands of servers are currently exposed to denial-of-service and remote code execution attacks if not patched against CVE-2019-16928.

Users should update immediately to Exim version 4.92.3 to address the vulnerability.

Nodersok Nodejs malware targets Windows

A new malware strain, ‘Nodersok’, aka ‘Divergent’, is dropping its own living-off-the-land binaries to infect Windows-based computers with malware relying on the popular Node.js framework.

This malware can be used by an attacker to target corporate networks but is primarily designed to conduct click-fraud. Nodersok attacked thousands of machines in a span of weeks with primary targets located in the U.S. and Europe.

According to Microsoft, the campaign is interesting not only because it employs advanced fileless techniques, but because it leverages network infrastructure that causes the attack to fly under the radar.

The attacks are executed via an HTML Application (HTA) that loads the malware from the registry. The installation begins by creating several registry keys containing different parts of the loader as well as the data of the malware’s portable executable (PE). The JavaScript bundled with the HTA downloads a second-stage component containing a JavaScript file. It then runs a PowerShell command that launches multiple other PowerShell instances to download and execute the rest of the malicious modules.
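The process chain described above (HTA → PowerShell → several more PowerShell instances) is something endpoint telemetry can catch even when the payload itself never touches disk. The following is an added detection example written for this report, not Microsoft's or anyone else's published logic: it walks a set of process-creation records (constructed here in a Sysmon Event ID 1-like shape, not real telemetry) and raises two alerts that map directly to the behaviour in the paragraph: `mshta.exe` spawning `powershell.exe`, and a single PowerShell process fanning out into several PowerShell children. The field names (`pid`, `ppid`, `image`, `cmd`) and the fan-out threshold are assumptions you would adapt to your own EDR/SIEM schema.

```python
import json
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style), not real data.
# One benign chain (explorer -> powershell) is included to show it is not flagged.
EVENTS = r"""
{"pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe", "cmd": "explorer.exe"}
{"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\mshta.exe", "cmd": "mshta.exe C:\\Users\\user\\Downloads\\offer.hta"}
{"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -w hidden -c <loader>"}
{"pid": 301, "ppid": 300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -w hidden -c <module 1>"}
{"pid": 302, "ppid": 300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -w hidden -c <module 2>"}
{"pid": 303, "ppid": 300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -w hidden -c <module 3>"}
{"pid": 400, "ppid": 100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe Get-Process"}
"""


def load_events(text: str) -> list:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_nodersok_chain(events: list, fanout_threshold: int = 3) -> list:
    """Return alerts for the HTA -> PowerShell -> PowerShell fan-out pattern.

    Rule 1 (hta_spawns_powershell): powershell.exe whose parent is mshta.exe.
    Rule 2 (powershell_fanout): a powershell.exe with >= fanout_threshold
            direct powershell.exe children.
    Ordinary admin use (explorer -> powershell, no children) is not flagged.
    """
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    alerts = []
    for e in events:
        name = basename(e["image"])
        if name != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        if parent_name == "mshta.exe":
            alerts.append({"rule": "hta_spawns_powershell",
                           "pid": e["pid"], "parent_pid": e["ppid"],
                           "cmd": e["cmd"]})
        ps_children = [c for c in children[e["pid"]]
                       if basename(c["image"]) == "powershell.exe"]
        if len(ps_children) >= fanout_threshold:
            alerts.append({"rule": "powershell_fanout",
                           "pid": e["pid"],
                           "children": [c["pid"] for c in ps_children]})
    return alerts


if __name__ == "__main__":
    for alert in detect_nodersok_chain(load_events(EVENTS)):
        print(alert)
```

Both rules are deliberately narrow so the example stays readable; in production you would also correlate the registry writes the loader makes and the hidden-window flag on the command lines, and tune the fan-out threshold against your baseline of legitimate PowerShell automation.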

The malware is under active development and is expected to change behavior.

Nodersok Nodejs malware

IP Addresses

88.198.26[.]25
31.31.196[.]120
103.31.4[.]11
188.114.96[.]116
45.55.154[.]177
103.31.4[.]54
62.75.189[.]110
54.241.31[.]99
216.239.34[.]21
103.224.248[.]219
107.186.67[.]4
217.160.223[.]93
5.9.41[.]178
50.63.202[.]39
184.168.221[.]45
119.28.87[.]235
23.227.38[.]32
89.163.255[.]171
109.239.101[.]62
202.56.240[.]5
208.91.197[.]25
184.168.221[.]63
184.168.221[.]42
217.160.231[.]125
83.243.58[.]172
13.228.224[.]121
104.28.2[.]169
188.114.96[.]87
198.41.128[.]74
43.250.192[.]98
131.0.72[.]59
131.0.72[.]36
185.243.114[.]111
95.70.244[.]209

URLs

https://1292172017[.]rsc.cdn77[.]org/imtrack/strkp.png
https://1292172017[.]rsc.cdn77[.]org/images/trpl.png
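Both the Adwind URLs earlier in this report and the Nodersok IP addresses and URLs above are published in defanged form, which is good for copy/paste safety but useless for matching against logs until the `[.]` is restored. The following is an added example written for this report (not the researchers' own tooling): it refangs the indicators, then scans proxy-style log lines for three things: a URL that begins with one of the Adwind hosting directories, an exact match on a Nodersok URL, and a destination host that is one of the Nodersok IPs. The log format (`timestamp src method target status`) and the sample lines are constructed; only a subset of the Nodersok IPs is embedded to keep the block short, and `NODERSOK_IPS` should be extended with the full list above in practice.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from this report in their defanged form.
ADWIND_URL_PREFIXES = [
    "http://members.westnet[.]com.au/~mcleodart/",
    "http://members.westnet[.]com.au/~philchief/",
    "http://members.westnet[.]com.au/~lionsnortham",
    "http://members.westnet[.]com.au/~jbush/",
    "http://members.westnet[.]com.au/~joeven/",
]
NODERSOK_URLS = [
    "https://1292172017[.]rsc.cdn77[.]org/imtrack/strkp.png",
    "https://1292172017[.]rsc.cdn77[.]org/images/trpl.png",
]
# Subset of the Nodersok IP list in this report; extend with the full list.
NODERSOK_IPS = [
    "88.198.26[.]25", "31.31.196[.]120", "103.31.4[.]11", "188.114.96[.]116",
    "45.55.154[.]177", "5.9.41[.]178", "23.227.38[.]32", "95.70.244[.]209",
]


def refang(ioc: str) -> str:
    """Restore the dots that were bracketed for safe publication."""
    return ioc.replace("[.]", ".")


ADWIND_PREFIXES = [refang(u).lower() for u in ADWIND_URL_PREFIXES]
NODERSOK_URL_SET = {refang(u).lower() for u in NODERSOK_URLS}
NODERSOK_IP_SET = {ipaddress.ip_address(refang(i)) for i in NODERSOK_IPS}

# Constructed proxy log layout: timestamp, client, method, URL or host:port, status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<target>\S+)\s+(?P<status>\d+)$"
)


def classify(target: str):
    """Return (family, indicator) when target matches a published IoC, else None."""
    t = target.lower()
    if "://" in t:
        if t in NODERSOK_URL_SET:
            return ("Nodersok", t)
        for prefix in ADWIND_PREFIXES:          # directory-level match
            if t.startswith(prefix):
                return ("Adwind", prefix)
        host = urlsplit(t).hostname or ""
    else:
        host = t.rsplit(":", 1)[0]              # CONNECT host:port form
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None                             # hostname, not an IP literal
    if ip in NODERSOK_IP_SET:
        return ("Nodersok", str(ip))
    return None


def scan(log_text: str) -> list:
    """Scan log lines and return one record per IoC hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hit = classify(m.group("target"))
        if hit:
            hits.append({"line": n, "src": m.group("src"),
                         "family": hit[0], "ioc": hit[1]})
    return hits


# Constructed sample log, not captured traffic.
SAMPLE_LOG = """2019-10-01T09:12:03Z 10.0.0.12 GET http://members.westnet.com.au/~jbush/invoice.jar 200
2019-10-01T09:15:44Z 10.0.0.12 GET https://1292172017.rsc.cdn77.org/images/trpl.png 200
2019-10-01T09:16:10Z 10.0.0.40 GET https://example.org/index.html 200
2019-10-01T09:20:00Z 10.0.0.55 CONNECT 188.114.96.116:443 200
2019-10-01T09:21:30Z 10.0.0.55 CONNECT mail.example.net:443 200"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Prefix matching for the Adwind entries is intentional: the report lists hosting directories, not individual payload file names, so any object fetched from under those paths is worth a look. Several of the Nodersok IPs belong to shared hosting and CDN ranges, so treat an IP hit as a lead to pivot on (which host name was requested, what process made the connection) rather than as a verdict by itself.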

Paul Scott
