Paul Scott

Paul Scott
on June 5, 2020

Universities take a course in ransomware

Universities take a course in ransomware

In this week’s usually weekly threat report, we’re covering a few hot topics:

  • New trickbot propagation module
  • NetWalker targeting EDUs
  • Malware hunting NetBeans IDE
  • Hackers actively exploiting Exim
  • Bonus Suricata signatures for recent PoCs

Trickbot releases new nworm module

On May 28, 2020, Trickbot operators updated its propagation methods with a new module, “nworm,” that uses evasion techniques while infecting vulnerable Windows Domain Controllers.

Trickbot uses three modules to spread to a domain controller running in an Active Directory (AD) environment: “mworm,” “nworm,” and “tab.”

Once installed, Trickbot will recon the environment that it’s running in and download various modules to perform malicious activity within the compromised environment

The new nworm module runs in memory, leaves no artifacts on infected domain controllers, and disappears after reboot or shutdown; however, as domain controllers are rarely restarted, persistence through a reboot isn’t an issue.



NetWalker ransomware hits 3 EDUs

NetWalker ransomware hit three higher education schools this week.

University of California San Francisco, Columbia College Chicago, and Michigan State University were all ransomed by NetWaker ransomware. So far, none of the schools have paid the ransom. As a result, the ransomware group threatened to release data exfiltrated from the breaches on NetWalker’s Tor leak site.

If the schools don’t pay the leak extortion in 7 days, the data will be dripped publicly. The ransomware group has already begun posting data from Michigan State University. Columbia College is up next, and then UCSF.

This ransom leak strategy is all part of a new 2020 strategy by ransomware authors to improve their win/loss ratio and/or get additional money from victims.

The leaks contain sensitive student information like passport/driver’s license scans, social security numbers, telephone numbers, and addresses.

I think we’re going to hear about more schools being hit by NetWalker in the near future.

If you’re in education, this is a great example of why you should join an information-sharing group, like REN-ISAC, that can notify you about threats other organizations in education are seeing.

26 NetBeans Projects on GitHub Backdoored by Octopus Scanner

On May 28, 2020, details were released on a new piece of malware, dubbed “Octopus Scanner,” which compromised GitHub NetBeans IDE projects.

Octopus Scanner is capable of identifying NetBeans project files and embedding a malicious payload in the project files and Java Archive (JAR) files.

This allows threat actors to directly target developers and gain access to sensitive information, such as additional projects, production environments, as well as database passwords and other critical data.

According to GitHub researchers, the malware will look for NetBeans Integrated Development Environment (IDE) on a developer’s system and inject a backdoor on NetBeans project builds.

The malware hides as an “ocs.txt” file, but it’s really a JAR file. The JAR contains the first stage dropper, which allows the second stage payload, “octopus.dat,” to be executed on the victim’s system.

Once executed, the repositories are cloned or separated on development systems, and the malware will inject a backdoor on the NetBeans projects built. It then spreads a remote access trojan (RAT) and beacons to command-and-control (C2) servers.

GitHub uncovered 26 open source projects that were infected by the Octopus Scanner. GitHub is reportedly working to improve the integrity and security of Open Source Software (OSS).

Review your old logs for activity related to these IOCs to see if one of your users installed a trojan project.



Sandworm charming with the WIZard

Since August 2019, Russian hacker group Sandworm has been actively exploiting CVE-2019-10149 (“The Return of the WIZard”), according to an NSA press release published in May 2020.

The flaw, patched in June 2019, lets attackers run remote commands on servers with Exim 4.87 through 4.91. Attackers exploit the flaw by sending the target a crafted email with a command added to the “MAIL FROM:” field.

At the time of this writing, nearly one million Exim servers are currently exposed. Software like cPanel and Plesk bundle in Exim. Outdated web host administration software may contain vulnerable components.

Sandworm abuses two additional security bugs in unpatched Exim servers, both of which are critical and can be exploited remotely without authentication to run code or applications with root privileges:

  • CVE-2019-15846 — affects all Exim versions up to and including 4.92.1, reported in July 2019 and patched in early September 2019
  • CVE-2019-16928 — affects all Exim servers 4.92 through 4.92.2, received a fix in late September 2019

The following IP addresses and domain name are associated with Sandworm activity:


Exim 4.93 is considered a safe release.

Perch Labs

At Perch labs, we’re conducting threat research to detect and respond to customer threats. Here’s some extracurricular reading on a few PoCs and Suricata signatures to go with:

Tomcat deserialization RCE – CVE-2020-9484

alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"[Perch Security] Apache Tomcat PersistentManager Filestore Session Check (CVE-2020-9484)"; flow:established, to_server; content:"JSESSIONID="; http_cookie; nocase; content:"|2e 2e 2f|"; distance:0; reference:url,; reference:cve, 2020-9484; classtype:web-application-attack; sid:900083; rev:2;)

Liferay RCE Exploit– CVE-2020-7961

alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"[Perch Security]
Liferay JSONWS Unauthenticated Remote Code Execution (CVE-2020-7961)";
flow:established, to_server; content:"POST"; http_method; content:"/api/jsonws";
2020-7961-quick-journey-to-poc.html; reference:cve,2020-7961; sid:900082; rev:1;)

Unvalidated IP-in-IP encapsulation – CVE-2020-10136

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"[Perch Security] Inbound IP-in-IP
Tunneling Detected"; ip_proto:4; reference:url,
Exploits/tree/master/cve-2020-10136; reference:cve,2020-10136; sid:900078; rev:1;)

Cybercriminals are using blockchain DNS

alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"[Perch Security]
HTTP Traffic to '.bazar' Domains"; flow:established, to_server; content:".bazar";
http_host; reference:url,
cybercriminals-are-using-blockchain-dns-from-the-market-to-the-bazar/; sid:900079;

alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"[Perch Security]
HTTP Traffic to '.coin' Domains"; flow:established, to_server; content:".coin"; http_host;
are-using-blockchain-dns-from-the-market-to-the-bazar/; sid:900080; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"[Perch Security]
HTTP Traffic to '.bit' Domains"; flow:established, to_server; content:".bit"; http_host;
are-using-blockchain-dns-from-the-market-to-the-bazar/; sid:900081; rev:1;)

That’s all for this week. Stay safe and keep it Perchy!

  • Paul

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to

Next: The DBIR 2020 Lowdown

Share this on:

Paul Scott

Paul Scott
on June 5, 2020

Perchy Subscribe to our blog