Threat Report

Wednesday August 7th 2019

We’ve got a lot of wild botnet and phishing activity in this week’s threat report. Let’s get this party started.

Richard’s First Echobot

First observed in May 2019, a new variant of the Echobot botnet is picking up steam targeting various Internet-of-Things (IoT) devices, including routers, cameras, smart home hubs, network-attached storage systems, servers, and more. We expect to see this IoT-focused botnet evolve to add exploits for the Urgent/11 vulnerabilities we discussed in the Perch Monthly User’s Meeting.

Researchers have observed Richard using 59 different remote code execution (RCE) exploits. A list of those payloads has been shared on pastebin for your viewing pleasure. Based on the payloads, the threat actor relies on known exploits, some disclosed as early as 2010.

The malware dropper is hosted on a webserver in Iran (185.164.72[.]155) in a file called Richard. At Perch, we have observed Richard’s scanning activity. Researchers observe that the author has employed exploits without targeting a specific category of products and note that the code incorporated is available from multiple public exploit repositories. The following is a list of exploits used by this Echobot variant, all of which are available via open-sourced repositories.

1. Asustor ADM 3.1.2RHG1 - RCE 
2. Ubiquity Nanostation5 (Air OS) - 0day RCE 
3. Alcatel-Lucent OmniPCX Enterprise 7.1 - RCE 
4. ASMAX AR 804 gu Web Management Console - ACE 
5. ASUS DSL-N12E_C1 1.1.2.3_345 - RCE 
6. Asus RT56U 3.0.0.4.360 - RCI 
7. AWStats Totals 1.14 - multisort RCE 
8. AWStats 6.0 - 'configdir' RCE 
9. AWStats 6.0 - 'migrate' Remote Command Execution 
10. Barracuda - IMG.pl Remote Command Execution 
11. Beckhoff CX9020 CPU Module - RCE 
12. Belkin Wemo UPnP - RCE 
13. BEWARD N100 H.264 VGA IP Camera M2.1.6 - RCE 
14. Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus - RCI 
15. Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution 
16. EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 - Remote Code Execution 
17. Dogfood CRM - 'spell.php' Remote Command Execution 
18. CTEK SkyRouter 4200/4300 - Command Execution 
19. NETGEAR R7000 / R6400 - 'cgi-bin' Command Injection 
20. Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Unauthenticated Remote Code Execution 
21. D-Link - OS-Command Injection via UPnP Interface 
22. OpenDreamBox 2.0.0 Plugin WebAdmin - Remote Code Execution 
23. FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution 
24. Fritz! Box Webcm - Command Injection 
25. Geutebruck 5.02024 G-Cam/EFD-2250 - 'testaction.cgi' Remote Command Execution 
26. Gitorious - Remote Command Execution 
27. HomeMatic Zentrale CCU2 - Remote Code Execution 
28. Hootoo HT-05 - Remote Code Execution 
29. Iris ID IrisAccess ICU 7000-2 - Remote Root Command Execution 
30. Linksys WAG54G2 - Web Management Console Arbitrary Command Execution 
31. Mitel AWC - Command Execution 
32. Nagios 3.0.6 - 'statuswml.cgi' - Arbitrary Shell Command Injection 
33. NUUO NVRmini - 'upgrade_handle.php' - Remote Command Execution 
34. NETGEAR ReadyNAS Surveillance 1.4.3-16 - Remote Command Execution 
35. EyeLock nano NXT 3.5 - Remote Code Execution 
36. OP5 5.3.5/5.4.0/5.4.2/5.5.0/5.5.1 - 'welcome' Remote Command Execution 
37. op5 7.1.9 - Remote Command Execution 
38. HP OpenView Network Node Manager 7.50 - Remote Command Execution 
39. Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution 
40. PHPMoAdmin - Unauthorized Remote Code Execution 
41. Plone and Zope - Remote Command Execution 
42. QuickTime Streaming Server - 'parse_xml.cgi' - Remote Execution 
43. Realtek SDK - Miniigd UPnP SOAP Command Execution 
44. Redmine SCM Repository 0.9.x/1.0.x - Arbitrary Command Execution 
45. Rocket Servergraph Admin Center - fileRequestor Remote Code Execution 
46. SAPIDO RB-1732 - Remote Command Execution 
47. Seowonintech Devices - Remote Command Execution 
48. Spreecommerce 0.60.1 - Arbitrary Command Execution 
49. LG SuperSign EZ CMS 2.5 - Remote Code Execution 
50. FLIR Thermal Camera FC-S/PT - Command Injection 
51. Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated - Command Injection 
52. MiCasaVerde VeraLite - Remote Code Execution 
53. VMware NSX SD-WAN Edge - Command Injection 
54. WePresent WiPG-1000 - Command Injection 
55. Wireless IP Camera (P2P) WIFICAM - Remote Code Execution 
56. Xfinity Gateway - Remote Code Execution 
57. Yealink VoIP Phone SIP-T38G - Remote Command Execution 
59. ZeroShell 1.0beta11 - Remote Code Execution 

Lord EK on deck

A new exploit kit (EK), Lord Exploit Kit, has been observed in the wild that uses the PopCash ad network to compromise victims. As we mentioned in the Monthly User’s Meeting, this is not the first time we’ve seen a campaign leveraging ad networks to redirect to an exploit kit.

Lord EK leverages a use-after-free vulnerability in Adobe Flash and relies on the “ngrok” service, which sets up a secure tunnel that exposes local servers behind NATs and firewalls to the internet. The attackers pull victims in via the PopCash ad network and then use a compromised site to redirect them to a landing page and the exploit kit.

The Lord EK checks for the presence and version of the Flash Player, to exploit CVE-2018-15982. After exploiting the vulnerability, it launches shellcode to download and execute its payload.

The initial payload was njRAT; however, the actors later switched it for the Eris ransomware. The second part of the landing page collects information about the victim, including the Flash version and other network attributes.
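The redirect chain above (ad network, compromised site, ngrok-hosted landing page serving Flash) is something a proxy log can surface. The following is an added example, not code from the report, that triages clients which reached an ngrok tunnel host; the log lines and the .test hostnames are constructed, the two tunnel hostnames come from the report, and the eight-hex-character subdomain shape is an assumption drawn from those two samples.

```python
import re
from collections import defaultdict

# Constructed proxy log (not from the report): client, requested host, referer host, response type.
SAMPLE_LOG = """\
10.0.0.5 cdn.popcash.test - text/html
10.0.0.5 compromised-blog.test cdn.popcash.test text/html
10.0.0.5 57189bbb.ngrok.io compromised-blog.test text/html
10.0.0.5 57189bbb.ngrok.io 57189bbb.ngrok.io application/x-shockwave-flash
10.0.0.9 intranet.test - text/html
10.0.0.9 a1b2c3d4.ngrok.io - application/json
"""

# Both tunnel hostnames in the report are eight hex characters under ngrok.io;
# the pattern assumes that shape (an assumption, not a documented ngrok rule).
NGROK_TUNNEL = re.compile(r"^[0-9a-f]{8}\.ngrok\.io$")
FLASH_TYPES = {"application/x-shockwave-flash", "application/vnd.adobe.flash.movie"}

def parse_log(text):
    for line in text.splitlines():
        client, host, referer, ctype = line.split()
        yield client, host.lower(), referer.lower(), ctype.lower()

def triage_clients(text):
    """Return {client: {"hosts", "reasons", "priority"}} for every client that
    requested an ngrok tunnel host; priority rises with each hop of the chain."""
    seen = defaultdict(lambda: {"hosts": set(), "reasons": set()})
    for client, host, referer, ctype in parse_log(text):
        if not NGROK_TUNNEL.match(host):
            continue
        entry = seen[client]
        entry["hosts"].add(host)
        entry["reasons"].add("ngrok tunnel host")
        if referer != "-" and not NGROK_TUNNEL.match(referer):
            entry["reasons"].add("redirected from " + referer)  # the compromised-site hop
        if ctype in FLASH_TYPES:
            entry["reasons"].add("flash content served from tunnel")
    for entry in seen.values():
        if "flash content served from tunnel" in entry["reasons"]:
            entry["priority"] = "high"
        elif any(r.startswith("redirected from") for r in entry["reasons"]):
            entry["priority"] = "medium"
        else:
            entry["priority"] = "low"
    return dict(seen)

if __name__ == "__main__":
    for client, entry in triage_clients(SAMPLE_LOG).items():
        print(client, entry["priority"], sorted(entry["reasons"]))
```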

Users’ and organizations’ best defense is to keep software and firmware up to date with the latest releases to prevent these attacks, and to monitor the network for signs of intrusion.

Hashes

8c1aaf20e55a5c56498707e11b27d0d8d56dba71b22b77b9a53c34936474441a
26107d42e0d8684f4250628d438fb0869132faa298648feec17b25e5db9a8c3b

Domains

57189bbb.ngrok[.]io
7b2cdd48.ngrok[.]io
extreme-ip-lookup[.]com
Liader.com[.]ua

IP Address

81.171.31[.]247

U.S. Utilities sector targeted by LookBack in phishing campaign

Several phishing campaigns between July 19 and July 25 have been observed in the wild targeting three utility sectors in the United States. The phishing email impersonates a U.S.-based engineering licensing board and carries a malicious Microsoft Word attachment whose macros install and run malware dubbed LookBack.

LookBack is a remote access Trojan that relies on a proxy communication tool to relay data from the infected host to a command and control IP. When the attachment is executed, the malicious VBA macro within the Microsoft Word attachment drops three Privacy Enhanced Mail (PEM) files to the host: tempgup.txt, tempgup2.txt, and tempsodom.txt.

The malware can also enumerate services, delete files, execute commands, reboot the machine, and delete itself from an infected host. In the attachments identified as part of the July 2019 campaigns, the actors appeared to use many concatenation commands within the macro to obfuscate the VBA function.

It is possible these concatenations were an attempt to evade static signature detection for the macro strings while maintaining the integrity of the installation mechanism. Users should always be cautious when viewing email content that pretends to be legitimate (from a company or vendor) to prevent phishing attacks.
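A defender-side illustration of the concatenation obfuscation described above, added here and not taken from the report or from the LookBack sample: it scans extracted VBA source for runs of &-joined string literals, rebuilds each string so a signature can be written against the joined value, and measures how fragmented the literals are. The VBA fragment is constructed; only the file name tempgup.txt comes from the report.

```python
import re

# Constructed VBA fragment imitating the concatenation style the report describes.
# Only the file name tempgup.txt comes from the report; everything else is made up.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim d As String, f As String
    d = Environ("TEMP") & "\"
    f = d & "temp" & _
        "gup" & ".txt"
    Open f For Output As #1
    Print #1, "-----BEGIN " & "CERTIFICATE" & "-----"
    Close #1
End Sub
'''

# A VBA string literal: quotes inside are doubled ("").
STR = r'"(?:[^"\n]|"")*"'
LIT = re.compile(STR)
# Two or more literals joined by &, optionally across a "_" line continuation.
CHAIN = re.compile(rf'{STR}(?:\s*&\s*(?:_\s*\n\s*)?{STR})+')

def find_concat_chains(vba_src, min_parts=3):
    """Rebuild every run of at least min_parts &-joined literals.
    Returns [{'line': n, 'parts': count, 'value': rebuilt_string}, ...]."""
    hits = []
    for m in CHAIN.finditer(vba_src):
        parts = [p.group(0)[1:-1].replace('""', '"') for p in LIT.finditer(m.group(0))]
        if len(parts) >= min_parts:
            line = vba_src.count("\n", 0, m.start()) + 1
            hits.append({"line": line, "parts": len(parts), "value": "".join(parts)})
    return hits

def fragmentation_ratio(vba_src, max_len=4):
    """Share of string literals that are max_len characters or shorter; a high
    ratio is a heuristic signal of split-string obfuscation, not proof of it."""
    lits = [p.group(0)[1:-1] for p in LIT.finditer(vba_src)]
    if not lits:
        return 0.0
    return sum(1 for s in lits if len(s) <= max_len) / len(lits)

if __name__ == "__main__":
    for h in find_concat_chains(SAMPLE_VBA):
        print(f"line {h['line']}: {h['parts']} fragments -> {h['value']!r}")
    print(f"fragmentation ratio: {fragmentation_ratio(SAMPLE_VBA):.2f}")
```

The rebuilt values are what a static signature should match on, since the raw macro text never contains them contiguously.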

Hashes


IP Addresses

103.253.41[.]45
79.141.168[.]137

Domain

Nceess[.]com

Presbyterian Health Services phished into HIPAA violation

Presbyterian Healthcare Services discovered a data breach on June 9, 2019 and is now notifying approximately 183K patients and health plan members that their protected health information (PHI) has been exposed.

Around May 6, 2019, several employees of the organization received phishing emails; some of them responded and unknowingly disclosed their credentials to the attackers. Those credentials were used to gain access to accounts containing sensitive information such as names, dates of birth, and Social Security numbers.

Affected individuals were offered credit monitoring and identity theft protection services for 12 months and were advised to monitor their accounts and explanation of benefits statements carefully for any sign of fraudulent activity.

Presbyterian Healthcare Services has secured the affected accounts they are aware of. An investigation into the incident resulted in a handwavy statement like, “no evidence to suggest any personal information was accessed or stolen by the attacker.” But they wouldn’t be notifying everyone and paying for credit monitoring if they could prove that personal information was not accessed. They likely didn’t have any logs to prove or disprove data theft.

The lesson here is to have enough data to prove that you weren’t breached, otherwise the assumption is that you have been.

Paul Scott
