Threat Report

Wednesday April 24th 2019

Today we’re talking about some phishy fellows. Let’s start out with trends in phishing from 2018, then cover two APTs that lean on phishing with malicious documents to spread their malware infections and an IE 0-day that enables phishers to bring home the sensitive-data bacon. Finally, in completely unrelated news, we’re closing out with a critical CERT advisory for Broadcom Wi-Fi chips. Hold on to your dongles!

State of the Phishy Union

Since we’re talking about an IE 0-day that’s best delivered through phishing and a threat actor who primarily phishes with maldocs, I thought it would be good to start with some findings on the state of phishing in 2018 from PhishLabs. Below is a summary of their findings.

Key Findings

  • Phishing attack volume grew 40.9% in 2018
  • 83.9% of attacks targeted credentials for financial, email, cloud, payment, and SaaS services
  • The use of free website infrastructure to stage and launch attacks grew substantially
  • 98% of attacks that made it past enterprise email security controls and into user inboxes contained no malware
  • The most effective lures in simulated phishing exercises were Financial/HR and Ecommerce

Based on reports from Proofpoint, criminals aren’t limiting themselves to email attacks: web-based social engineering attacks grew 150% over the previous quarter, and phishing through fraudulent social media support accounts was up 442% over the previous year. This is consistent with stories we’ve published this year about LinkedIn being used for phishing with PowerRatankba.

Carbanak discovered after two years on VirusTotal

Remember back in 2017 when it was reported that NSA malware was leaked to Kaspersky by accident through an NSA contractor? It appears the leaky tables have turned in the recent case of Carbanak. According to research from FireEye, Carbanak samples were uploaded to VirusTotal from a Russian source and sat there for two years before they were discovered. The upload appears to have happened while Carbanak was still under development. This could have been a horrible mistake, or the authors could have been testing whether portions of the code would make it past antivirus scanners.

Krebs has detailed the Carbanak group and their success in stealing nearly a billion dollars through a large number of small cyber heists that leverage malicious Office docs. Recently, Krebs linked the threat actor to some very real Russians with Symantec and Kaspersky partnerships. Based on Krebs’ discovery of an email address tied to a Russian social networking profile, the Carbanak threat actors are likely involved with the development of Infocube Lion Anti-Virus. So, maybe their own Lion AV submitted the Carbanak sample to VirusTotal. Krebs describes his interactions with the likely threat actor on his blog:

“Initially, I received a friendly reply from Mr. Tveritinov via email expressing curiosity about […] how I’d discovered his email address. In the midst of composing a more detailed follow-up reply, I noticed that the Vkontakte social networking profile that Tveritinov had maintained regularly since April 2012 was being permanently deleted before my eyes. Tveritinov’s profile page and photos actually disappeared from the screen I had up on one monitor as I was in the process of composing an email to him in the other.”

The source code for Carbanak has now been posted to GitHub.

Karkoff spreads through the same tired old macros, but it’s working

In another case of malware that initially lands through malicious Office documents spread by phishing, Cisco Talos recently found Karkoff being used by the DNSpionage actors.

This is a continuation of what Talos called DNSpionage, in which threat actors created a new remote administration tool that supports HTTP and DNS communication with the attackers’ command and control (C2). Since that initial report, there have been additional DNSpionage attacks; we discussed them in a January Perch threat report in response to an advisory from the U.S. Department of Homeland Security.

The threat actors behind the DNSpionage campaign continue to change their tactics to improve the efficacy of their operations. In February 2019, there were changes to the actors’ tactics, techniques and procedures (TTPs), including the use of a new reconnaissance phase that selectively chooses targets for infection. In April 2019, the actors started using a new strain of malware which researchers are calling “Karkoff.” Karkoff leverages DNS tunneling for C2 activity to the Scarecrow control panel.

Scarecrow C2 Dashboard

DNS tunneling is a popular exfiltration and C2 method for some actors, and recent examples from DNSpionage show that DNS must be monitored as closely as an organization’s proxy or web logs. DNS is essentially the phonebook of the internet, and when it is tampered with it becomes difficult for anyone to discern whether what they are seeing online is legitimate.
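To make "monitor DNS as closely as your web logs" concrete, here is a small triage pass over resolver query logs that flags the query pattern a DNS tunnel leaves behind: many distinct, random-looking subdomains under one domain, often as TXT or NULL queries so the answer can carry data back. This is an added example, not code from the original post or from Talos; the log lines are constructed for it, the log format (timestamp, client, qtype, qname) is assumed, and the registered-domain split on the last two labels is a simplification that a real deployment would replace with a public-suffix list.

```python
"""Added example (not from the original post or Talos): DNS-tunnel triage
over resolver query logs. Sample log lines and the log format are
constructed; the last-two-labels domain split is a stated simplification."""
import math
from collections import defaultdict

# Constructed sample: "<timestamp> <client> <qtype> <qname>". The first eight
# lines are ordinary browsing noise; the six that follow imitate a tunnel,
# one high-entropy hex label per query, all under one domain, all TXT.
SAMPLE_LOG = """\
2019-04-24T10:00:01 10.0.0.5 A www.example.com
2019-04-24T10:00:02 10.0.0.5 A mail.example.com
2019-04-24T10:00:03 10.0.0.5 TXT _dmarc.example.com
2019-04-24T10:00:04 10.0.0.7 A www.google.com
2019-04-24T10:00:05 10.0.0.7 A docs.google.com
2019-04-24T10:00:06 10.0.0.7 A cdn.jsdelivr.net
2019-04-24T10:00:07 10.0.0.9 A api.github.com
2019-04-24T10:00:08 10.0.0.9 AAAA www.github.com
2019-04-24T10:00:09 10.0.0.9 TXT 4e1f9a0c3b7d2856e9a1f03c5b8d7e42.updates-cdn.test
2019-04-24T10:00:10 10.0.0.9 TXT 24e7d8b5c30f1a9e6582d7b3c0a9f1e4.updates-cdn.test
2019-04-24T10:00:11 10.0.0.9 TXT 9a0c3b7d2856e9a1f03c5b8d7e424e1f.updates-cdn.test
2019-04-24T10:00:12 10.0.0.9 TXT 2856e9a1f03c5b8d7e424e1f9a0c3b7d.updates-cdn.test
2019-04-24T10:00:13 10.0.0.9 TXT a1f03c5b8d7e424e1f9a0c3b7d2856e9.updates-cdn.test
2019-04-24T10:00:14 10.0.0.9 TXT 8d7e424e1f9a0c3b7d2856e9a1f03c5b.updates-cdn.test
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score near log2(alphabet size)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (registered_domain, subdomain). Assumption: last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(log_text: str) -> dict:
    """Per registered domain: query count, TXT/NULL count, distinct
    subdomains, subdomain entropies and the longest qname seen."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "subs": set(),
                                 "entropies": [], "max_len": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # not in the constructed format; skip
        _ts, _client, qtype, qname = parts
        domain, sub = split_qname(qname)
        s = stats[domain]
        s["queries"] += 1
        if qtype.upper() in ("TXT", "NULL"):
            s["txt"] += 1
        if sub:
            s["subs"].add(sub)
            s["entropies"].append(shannon_entropy(sub.replace(".", "")))
        s["max_len"] = max(s["max_len"], len(qname))
    return stats


def tunnel_suspects(log_text: str, min_unique: int = 4, min_entropy: float = 3.0,
                    max_qname: int = 64, txt_ratio: float = 0.5) -> list:
    """Domains whose query pattern looks like tunnelling, with the reasons.
    Thresholds are starting points to tune against your own baseline."""
    suspects = []
    for domain, s in sorted(profile_domains(log_text).items()):
        mean_entropy = (sum(s["entropies"]) / len(s["entropies"])
                        if s["entropies"] else 0.0)
        reasons = []
        if len(s["subs"]) >= min_unique and mean_entropy >= min_entropy:
            reasons.append(f"{len(s['subs'])} distinct high-entropy subdomains "
                           f"(mean {mean_entropy:.2f} bits/char)")
        if s["max_len"] >= max_qname:
            reasons.append(f"qname length {s['max_len']}")
        if s["queries"] >= min_unique and s["txt"] / s["queries"] >= txt_ratio:
            reasons.append(f"{s['txt']}/{s['queries']} TXT or NULL queries")
        if reasons:
            suspects.append({"domain": domain, "reasons": reasons})
    return suspects


if __name__ == "__main__":
    for hit in tunnel_suspects(SAMPLE_LOG):
        print(hit["domain"], "|", "; ".join(hit["reasons"]))
```

On the constructed log only updates-cdn.test is flagged, for both the high-entropy subdomain churn and the TXT ratio; the legitimate `_dmarc` TXT lookup does not trip it because one record-type query against a domain with three ordinary subdomains does not clear the thresholds. In production, run this per client and per time window rather than over the whole log, and whitelist known high-churn domains (CDNs, anti-spam lookups) before alerting.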

The Talos post has information on the DNSpionage updates, the discovery of the Karkoff malware, and a comparison to OilRig tool leaks that provide a connection between the two. The following Indicators of Compromise (IoCs) were released with this report.

DNSpionage XLS document

2fa19292f353b4078a9bf398f8837d991e383c99e147727eaa6a03ce0259b3c5 (SHA256)

DNSpionage sample

e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8 (SHA256)

Karkoff samples


C2 server


IE 0-day allows data exfiltration through XXE

A 0-day extensible markup language (XML) external entity (XXE) injection vulnerability in Microsoft Internet Explorer (IE) was recently disclosed by security researcher John Page. An attacker can reportedly exploit this vulnerability to steal confidential information or exfiltrate local files from the victim’s machine. Page tested the vulnerability in the latest version of IE (11) with current patches on Windows 7 and 10, and Windows Server 2012 R2 operating systems. We looked at its attack chain to better understand how the security flaw works and how it can be mitigated.

XXE injection works by exploiting an XML parser with an improperly restricted XML external entity reference (CWE-611), which is then used to access content the document should never have reached. It also exploits an improperly controlled document type definition (DTD, CWE-827), the part of an XML document that declares entities and the document’s type. For example, an attacker can use a malicious XML file whose external entity reference abuses the ‘file://’ scheme to read local files, or ‘http://’ to fetch files from web servers (and, in the process, send the stolen contents to a server the attacker controls).
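Here is the parser-side half of that mechanism in a form you can run: the same XXE document is fed to an XML parser twice, once with external entity resolution on (the file is read and its contents land in the document text) and once with it off. This is an added example, not code from the original post or from John Page’s proof of concept: the victim file and the payload are constructed here, the parser is Python’s standard-library xml.sax (expat), and the IE/.mht trigger the article describes is not reproduced.

```python
"""Added example (not from the original post or John Page's PoC): XXE file
read (CWE-611) through Python's stdlib xml.sax, vulnerable vs hardened.
Victim file and payload are constructed; the IE .mht trigger is not shown."""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self) -> str:
        return "".join(self.chunks)


def xxe_payload(file_uri: str) -> str:
    """A classic XXE document: a SYSTEM entity bound to a file:// URI,
    referenced from element content so the file body becomes text."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{file_uri}">]>\n'
        "<data>&xxe;</data>\n"
    )


def parse_text(xml_text: str, resolve_external_entities: bool) -> str:
    """Parse xml_text and return its character content.

    feature_external_ges is the single switch that decides whether expat
    follows SYSTEM entities. Python has defaulted it to False since 3.7.1;
    older code and other parsers (the IE case in the article) resolve them.
    """
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.StringIO(xml_text))
    return handler.text()


def parse_hardened(xml_text: str) -> str:
    """Defence in depth: refuse any DOCTYPE outright (a coarse pre-screen,
    assumed acceptable for data that should never carry a DTD) and keep
    external entity resolution off in case the screen is ever bypassed."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD declarations are not accepted")
    return parse_text(xml_text, resolve_external_entities=False)


def demo() -> dict:
    """Run one payload against a temporary victim file through both paths."""
    secret = "TOP-SECRET-TOKEN-1234"  # constructed victim file contents
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(secret)
        victim = f.name
    try:
        payload = xxe_payload(pathlib.Path(victim).as_uri())
        leaked = parse_text(payload, resolve_external_entities=True)
        flag_off = parse_text(payload, resolve_external_entities=False)
        try:
            parse_hardened(payload)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.unlink(victim)
    return {"leaked": leaked, "flag_off": flag_off, "hardened_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The `leaked` value is the victim file’s contents, delivered to the application as ordinary element text; an attacker who controls the document and can observe the parsed output (or, as in the .mht case, can append it to a URL the parser then fetches) has the file. Switching the single feature off leaves the entity unexpanded, and rejecting the DOCTYPE altogether removes the attack surface before the parser sees it.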

In the case of the vulnerability reported by Page, the flaw is triggered when a specially crafted MIME HTML web archive (.mht) file is opened and the user interacts with the browser through actions such as opening a new tab in IE (Ctrl+K) or printing the file (Ctrl+P). That user interaction can also be simulated from the file itself with JavaScript functions such as window.print(), so once the user opens the malicious .mht file the attacker can exfiltrate files from the user’s system. Note that successful exploitation still relies heavily on social engineering: the attacker has to lure the user into downloading the malicious .mht file and opening it in IE.

Page disclosed the vulnerability and we shared our analysis with Microsoft, who released this official statement: “Internet Explorer alone does not permit this type of malicious behavior. An attacker must trick or convince a user into downloading a malicious document through a socially engineered scheme, for example a spam email attachment or phishing campaign that triggers a download. The file must then be opened with the browser. To guard against this scheme, practice safe computing habits online, such as avoid downloading and opening untrusted files from the Internet.” Sounds like this is a feature of IE.

Turn off your Broadcom Wi-Fi and bust out your wired dongles

Broadcom Wi-Fi chipset drivers contain vulnerabilities impacting multiple operating systems. According to a DHS/CISA alert and a CERT/CC vulnerability note, they allow potential attackers to remotely execute arbitrary code or trigger a denial of service.

Hugues Anguelkov reported five vulnerabilities he found in the “Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets” while reverse engineering and fuzzing Broadcom Wi-Fi chips firmware. As he discovered, “The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow.” This is especially bad because these chips are found in everything from smartphones to laptops, smart-TVs, and IoT devices.

You are probably using one right now without knowing it. For example, if you have a Dell laptop you may be using a bcm43224 or a bcm4352 card. It is also likely you use a Broadcom Wi-Fi chip if you have an iPhone, MacBook, Samsung phone, Huawei phone, etc. Since these chips are so widespread, they constitute a high value target to attackers. Any vulnerability found in them should be considered to pose high risk.

Vulnerabilities in the open source brcmfmac driver:

  • CVE-2019-9503: If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function causes the frame to be discarded and not processed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance, a Wi-Fi dongle), which allows firmware event frames from a remote source to be processed.
  • CVE-2019-9500: If the Wake-up on Wireless LAN functionality is configured, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with the above frame validation bypass, can be used remotely.
    NOTE: The brcmfmac driver only works with Broadcom FullMAC chipsets.

Vulnerabilities in the Broadcom wl driver:
Two heap buffer overflows can be triggered in the client when parsing an EAPOL message 3 during the 4-way handshake from the access point (AP).

  • CVE-2019-9501: By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol.
  • CVE-2019-9502: If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk.

NOTE: When the wl driver is used with SoftMAC chipsets, these vulnerabilities are triggered in the host’s kernel. When a FullMAC chipset is being used, these vulnerabilities would be triggered in the chipset’s firmware.
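Both wl bugs are the same class of defect: the length byte of an information element in the EAPOL-Key key data is trusted and the payload is copied into a fixed-size buffer. The parser below is an added example, not the Broadcom driver’s code, showing what bounds-checked handling of that field looks like: each IE is a 1-byte element id, a 1-byte length and a payload, vendor-specific IEs use id 0xDD, and the 32-byte limit is the capacity quoted in the advisory for CVE-2019-9501, assumed here to be the size of the destination buffer. The key-data blobs are constructed for the example.

```python
"""Added example (not the Broadcom driver's code): bounds-checked parsing of
the information elements in EAPOL-Key message 3 key data. The 32-byte
vendor-IE capacity is the figure from the advisory, assumed here to be the
fixed destination size; all sample key-data blobs are constructed."""
VENDOR_SPECIFIC = 0xDD   # vendor-specific IE / KDE element id
RSN_IE = 0x30            # RSN information element id
MAX_VENDOR_IE_DATA = 32  # assumed fixed-buffer capacity (see lead-in)


def parse_key_data(key_data: bytes, max_vendor_len: int = MAX_VENDOR_IE_DATA) -> list:
    """Return [(element_id, payload), ...] or raise ValueError.

    Every length is validated against both the remaining input and the
    destination capacity before the payload is copied; the heap overflows
    in the advisory come from trusting the length byte instead."""
    ies = []
    offset, n = 0, len(key_data)
    while offset < n:
        if offset + 2 > n:
            raise ValueError(f"truncated IE header at offset {offset}")
        eid, length = key_data[offset], key_data[offset + 1]
        start, end = offset + 2, offset + 2 + length
        if end > n:
            raise ValueError(f"IE {eid:#04x} at offset {offset} claims {length} "
                             f"bytes, only {n - start} remain")
        if eid == VENDOR_SPECIFIC and length > max_vendor_len:
            raise ValueError(f"vendor IE at offset {offset} is {length} bytes, "
                             f"exceeds {max_vendor_len}-byte buffer")
        ies.append((eid, bytes(key_data[start:end])))
        offset = end
    return ies


def ie(eid: int, payload: bytes) -> bytes:
    """Encode one IE; the 1-byte length field caps payloads at 255 bytes."""
    if len(payload) > 255:
        raise ValueError("IE payload too long for a 1-byte length field")
    return bytes([eid, len(payload)]) + payload


# Constructed, well-formed message-3 key data: a 20-byte RSN IE (version 1,
# CCMP group and pairwise ciphers, PSK AKM) followed by a GTK KDE (vendor IE
# with OUI 00-0F-AC, data type 1, 2 bytes key id/flags, 16-byte GTK).
BENIGN_KEY_DATA = (
    ie(RSN_IE, bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000"))
    + ie(VENDOR_SPECIFIC, bytes.fromhex("000fac01 0100") + bytes(range(16)))
)

# Constructed hostile key data in the shape the advisory describes: a vendor
# IE whose length byte (64) exceeds the 32-byte destination.
OVERSIZED_KEY_DATA = ie(RSN_IE, bytes(20)) + ie(VENDOR_SPECIFIC, b"A" * 64)

# Constructed: the length byte claims more bytes than the frame carries.
TRUNCATED_KEY_DATA = bytes([VENDOR_SPECIFIC, 40]) + b"B" * 10


def classify(key_data: bytes) -> str:
    """Label a key-data blob 'ok' or give the reason it was rejected."""
    try:
        parse_key_data(key_data)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_KEY_DATA), ("oversized", OVERSIZED_KEY_DATA),
                       ("truncated", TRUNCATED_KEY_DATA)):
        print(f"{name}: {classify(blob)}")
```

The same shape of check applies to the 164-byte case in CVE-2019-9502: whatever the destination size, the length must be compared against it before the copy, and against the remaining frame before the read. Because message 3 arrives from the access point, anything that can impersonate the AP during the handshake controls these bytes, which is why these are remote rather than local-only bugs.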

A list of all 166 vendors which use potentially vulnerable Broadcom Wi-Fi chipsets within their devices is available at the end of the CERT/CC vulnerability note.

Paul Scott
