Monday, January 29, 2018

GandCrab Ransomware

Overview

A new ransomware called GandCrab was released recently and is currently being distributed via exploit kits. GandCrab has some features not seen before in ransomware: it is the first to accept the DASH currency and the first to utilize the Namecoin-powered .BIT top-level domain.


GandCrab: How Is It Spreading?

GandCrab is currently being distributed through a malvertising campaign called Seamless, which redirects visitors to the RIG exploit kit. The exploit kit then attempts to exploit vulnerabilities in the visitor's software to install GandCrab without their permission. If the exploit kit succeeds, the victim will probably not realize they are infected until it is too late. One interesting fact about GandCrab is that it is the first ransomware to accept the DASH currency as a ransom payment.

Another interesting feature is GandCrab's use of the Namecoin .BIT top-level domain. .BIT is not a TLD recognized by the Internet Corporation for Assigned Names and Numbers (ICANN); it is instead managed by Namecoin's decentralized domain name system. This means that any software that wishes to resolve a domain name under the .BIT TLD must use a DNS server that supports it. GandCrab does this by sending its DNS queries to the a.dnspod.com DNS server, which is accessible on the Internet and can also be used to resolve .bit domains. GandCrab uses these .bit domains as addresses for its Command & Control servers. Interestingly, the domain names used by this ransomware are ones you might recognize. The developers of GandCrab use Namecoin's DNS because it makes it harder for law enforcement to track down the owner of the domains and to take them down.

How GandCrab Encrypts a Machine

When GandCrab is first launched, it will attempt to connect to the ransomware's Command & Control server. As this server is hosted on one of Namecoin's .bit domains, it has to query a name server that supports this TLD. It does this by querying for the addresses of its C2 domains using the command nslookup [insert domain] a.dnspod.com. This command queries the a.dnspod.com name server, which supports the .bit TLD. If the victim's machine is unable to connect to the C2 server, the ransomware will not encrypt the computer. It will, though, keep running in the background, trying to get the IP address for the C2 and connect to it.

Once it is able to resolve the domain, it will connect to the C2 server's IP address. It is not known at this time what data is being sent and retrieved, but the C2 is most likely sending the public key that should be used to encrypt the files. During this process, the ransomware will also connect to http://ipv4bot.whatismyipaddress.com/ to determine the public IP address of the victim. Before GandCrab encrypts the victim's files, it first checks for certain processes and terminates them. This closes any file handles held open by these processes so that the files can be properly encrypted.
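As an added example (not code from the original post), the check below scans constructed DNS and proxy log lines for the three network behaviours described above: queries for .bit names, lookups sent directly to a.dnspod.com, and the public-IP check against ipv4bot.whatismyipaddress.com. The log line layout and the workstation names are assumptions.

```python
import re

# Indicators from the write-up: GandCrab resolves its .bit C2 domains through
# the public a.dnspod.com resolver and fetches the victim's public IP from
# ipv4bot.whatismyipaddress.com.
NAMECOIN_RESOLVER = "a.dnspod.com"
IP_CHECK_HOST = "ipv4bot.whatismyipaddress.com"

# Constructed sample lines (not real telemetry); the assumed layout is
# "<timestamp> <host> <DNS|HTTP> key=value ...".
SAMPLE_LOG = """\
2018-01-29T10:02:11Z ws17 DNS query=www.example.com server=10.0.0.53
2018-01-29T10:02:15Z ws17 DNS query=c2-example.bit server=a.dnspod.com
2018-01-29T10:02:16Z ws17 HTTP host=ipv4bot.whatismyipaddress.com path=/
2018-01-29T10:03:40Z ws22 DNS query=updates.example.org server=10.0.0.53
2018-01-29T10:05:02Z ws31 DNS query=other-example.bit server=8.8.8.8
"""

LINE_RE = re.compile(r"^\S+ (?P<host>\S+) (?P<kind>DNS|HTTP) (?P<rest>.*)$")


def classify(line):
    """Return (host, [indicator names]) for one line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = dict(t.split("=", 1) for t in m.group("rest").split() if "=" in t)
    hits = []
    if m.group("kind") == "DNS":
        qname = f.get("query", "").lower().rstrip(".")
        # .bit is a Namecoin TLD that ICANN resolvers cannot answer, so a
        # client asking for one at all, or asking a.dnspod.com, stands out.
        if qname.endswith(".bit"):
            hits.append("namecoin_bit_query")
        if f.get("server", "").lower() == NAMECOIN_RESOLVER:
            hits.append("external_namecoin_resolver")
    elif f.get("host", "").lower() == IP_CHECK_HOST:
        hits.append("public_ip_lookup")
    return m.group("host"), hits


def scan(log_text):
    """Group indicator names per host; hosts with no hits are omitted."""
    findings = {}
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[1]:
            findings.setdefault(parsed[0], set()).update(parsed[1])
    return {h: sorted(v) for h, v in findings.items()}
```

Calling scan(SAMPLE_LOG) reports ws17 with all three indicators and ws31 with only the .bit query, while ws22 is not reported.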


Indicators of Compromise (IOCs)

HASHES
  • aedf80c426fb649bb258e430a3830d85
  • 6866d8d8bf8565d94e0e1479978cf1e5
  • 379e149517f4119f2edb9676ec456ed4

IP
  • 92.53.66.11

URLs

Files Associated

  • GDCB-DECRYPT.txt

Hide N Seek (HNS) IoT Botnet

Overview

A new emerging botnet has been spotted recently that uses custom-built peer-to-peer communication to exploit victims, ensnare new IoT devices and continue building its infrastructure. Dubbed Hide N' Seek, or HNS, the bot was first spotted on 10 January before it disappeared for a few days. It returned 10 days later, on 20 January, in a new and significantly improved form.


How It Works

The HNS botnet communicates in a complex and decentralized manner and uses multiple anti-tampering techniques to prevent a third party from hijacking or poisoning it. The bot can perform web exploitation against a series of devices via the same exploit as Reaper (CVE-2016-10401 and other vulnerabilities in networking equipment).

HNS can also carry out multiple commands, including data exfiltration, code execution and interference with a device's operation. It features a worm-like mechanism that randomly generates a list of IP addresses as potential targets; the bot initiates a raw-socket SYN connection to every address in the list and tries to establish a connection.

Once successful, the bot looks for the "buildroot login" banner presented by the device and tries to log in using a set of predefined credentials. If that fails, it attempts to brute-force its way in with a dictionary attack that uses a hardcoded list to crack the device's password. After it establishes a new session with the infected device, the bot attempts to identify the target device and figure out how best to compromise it.

Global Impact

The botnet now counts more than 20,000 devices, geographically distributed as shown on the heatmap below. What initially started as a 12-device network has become a phenomenon that spreads from Asia to the United States.

However, like other IoT bots, the newly discovered HNS bot cannot achieve persistence: a reboot brings the compromised device back to its clean state. It is the second known IoT botnet to date, after the notorious Hajime botnet, to have a decentralized, peer-to-peer architecture. Where Hajime's P2P functionality was based on the BitTorrent protocol, HNS uses a custom-built P2P communication mechanism.


Indicators of Compromise (IOCs)

HASHES
  • efcd7a5fe59ca8223cd282bfe501a2f92b18312c
  • 05674f779ebf9dc6b0176d40ff198e94f0b21ff9

Thursday, January 25, 2018

Magniber Ransomware


Overview

After delivering payloads for a number of ransomware families in selected countries in Asia, the Magnitude exploit kit has resurfaced, this time with a new payload. The delivered malware is also ransomware, but of a family that was not known before; it has been named "Magniber". Magniber is highly targeted: it checks at several levels (external IP, the language installed, etc.) to ensure that the attacked system is South Korean. Targeting a single country is unusual on its own, but performing multiple checks to be sure of the country and language of origin makes this a first for ransomware. Magniber is delivered packed by various crypters, and the unpacking method depends on the crypter's features.


Behavioral Analysis

This ransomware is dropped only by the Magnitude exploit kit. If the malware is executed on a non-Korean system, the only thing observed is the malware deleting itself, delayed by running the ping command. It starts its malicious operations only on systems where the Korean language is detected. The executable is pretty noisy, because it implements various tasks purely through the command line. The malware copies itself to %TEMP% and deploys itself with the help of Task Scheduler. The ransom note and one more file can be found in the same folder; that file's name is the same as the part of the domain generated for the particular user, and its extension is the same as the extension of the encrypted files. Each encrypted file gets an extension composed of lowercase Latin characters that is constant for the particular Magniber sample.


Ransom Note

Indicators of Compromise (IOCs)


HASHES - SHA-256
  • 9bb96afdce48fcf9ba9d6dda2e23c936c661212e8a74114e7813082841667508
  • 8968c1b7a7aa95931fcd9b72cdde8416063da27565d5308c818fdaafddfa3b51
  • aa8f077a5feeb9fa9dcffd3c69724c942d5ce173519c1c9df838804c9444bd30
  • 7361a5e7da06f7fa61f53d98e1548436ae6888e6d2decdce36c9ca1387f851df

C&C


Sunday, January 21, 2018

Dridex Banking Malware

Dridex Banking Malware Overview

It has been recently reported that the prolific Dridex banking malware is back in a new and improved version and has begun going after targets in the UK, France and Australia. The malware was first spotted in 2014 and was highly active throughout 2017, targeting banks across the globe. The new campaign has been designed to send out malicious phishing emails using compromised FTP sites, instead of the more usual HTTP links, as download locations for malicious documents, exposing the credentials of the compromised FTP sites in the process.

The emails were sent primarily to .COM top level domains (TLDs) with the second, third and fourth top affected TLDs suggesting that major regional targets were France, the UK, and Australia respectively. The sender domains used are observed to be compromised accounts. The sender names rotated around the following names, perhaps to make the emails look more convincing to unsuspecting recipients:

  • admin@
  • billing@
  • help@
  • info@
  • mail@
  • no-reply@
  • sale@
  • support@
  • ticket@

Brief Analysis

The campaign used two types of documents. The first is a DOC that abuses DDE to execute a shell command to download malware. The second is an XLS file with a macro that downloads Dridex from hxxp://theairlab[.]co.za/KJHdey3. The compromised servers do not appear to be running the same FTP software; as such, it seems likely that the credentials were compromised in some other way. The perpetrators of the campaign do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already-compromised sites to further abuse by other groups. Multiple attributes of the campaign suggest that it may be coming from the Necurs botnet:

  • The domains used for distribution were already present in records as compromised domains used in previous Necurs campaigns.
  • Necurs is historically known to spread Dridex.
  • The document downloaders are also similar to those used by Necurs in the past.
  • The download locations of the XLS file also follow the traditional Necurs format.

However, the volume of this particular campaign is very low compared to typical Necurs campaigns.
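As an added example (not code from the original post), the triage function below checks a raw email for the three campaign traits described above: a rotated generic sender name, an Office lure attachment, and an FTP download location in the body. The sample message and every hostname in it are constructed placeholders.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Sender local parts the campaign rotated through (listed in the write-up).
ROTATED_SENDERS = {"admin", "billing", "help", "info", "mail",
                   "no-reply", "sale", "support", "ticket"}
# The lures were Office documents: a DDE .doc and a macro-bearing .xls.
LURE_EXTENSIONS = (".doc", ".xls")
URL_RE = re.compile(r"\b(?:ftp|https?)://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample (not a real campaign email); hostnames are placeholders.
SAMPLE_MSG = """\
From: Billing <billing@compromised-example.net>
Subject: Invoice 4471
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your invoice is attached. Copy: ftp://ftp-example.invalid/inv/4471.doc
--b1
Content-Type: application/msword; name="invoice_4471.doc"
Content-Disposition: attachment; filename="invoice_4471.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def triage(raw):
    """Return the campaign traits present in one raw RFC 822 message."""
    msg = message_from_string(raw, policy=default)
    traits = []
    # 1. Sender uses one of the rotated generic local parts.
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.split("@", 1)[0].lower() in ROTATED_SENDERS:
        traits.append("rotated_sender_name")
    # 2. An Office document is attached.
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    if any(n.lower().endswith(LURE_EXTENSIONS) for n in names):
        traits.append("office_lure_attachment")
    # 3. The body links to an FTP download location rather than HTTP.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if any(u.lower().startswith("ftp://") for u in URL_RE.findall(text)):
        traits.append("ftp_download_location")
    return traits
```

triage(SAMPLE_MSG) returns all three trait names; a plain message with an HTTPS link and a non-rotated sender returns an empty list.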

Indicators Of Compromise (IOCs)

SHA-1
  • 23b84ed99d9761ce4ffdf928e472ee03afb3615f
  • e6347d6245308e104a1f4225cdd2c814cff1a63a
  • 5697b0e3123b7d9511568d153e5545eb0ec5c906
  • a1843ecc6f0c3f3fe0a3ef13d81d69abfaf6d4c9
  • 7b7cdd64f0e66776303b4c09eefbac23471a58f1

IPs
  • 69.90.132[.]196:443
  • 108.166.114[.]38:4443
  • 138.197.255[.]18:4143

Dridex Download Locations
  • hxxp://theairlab[.]co.za/KJHdey3
  • 185.176.221[.]146

FTP URLs

Friday, January 19, 2018

Zeus Panda Trojan


These days it is very common to search the Internet for things we don't know and want to learn. Hackers take advantage of this by injecting malicious payloads into files and making them easily available through ordinary-looking links. Spreading Trojans through email is also very common these days.

Researchers have recently come across a new variant of the "Zeus Panda Trojan" which is spreading via email.

Zeus Trojan Overview


A malspam campaign has been detected which is dropping the Zeus Panda banking Trojan. The email arrives with the subject 'bonifico gennaio' from 'srlsindaco.comune.casalvieri@tiscali.it'. It has an attachment which, in the example analysed, is called 'gennaio_sales.xls'. This is a Microsoft Excel document with a malicious macro that installs Zeus Panda.


The attacker uses email addresses and subjects that will scare or entice a user into reading the email and opening the attachment. A very high proportion are targeted at small and medium-sized businesses, in the hope of getting a better response than from consumers.

Email Sample

Indicators of Compromise (IOCs)

SHA-256
  • 6dbc95b9f11dd56f557f7912fe89c71c03b2f22d52b7884a6a290f898f9b8cba
  • 3b2cc469e27aca58abc43a3eaa94dab4bee615c29f7995814e0b0a3d238f5408

Domain Associated
  • flavosoftorrent.ml
  • 7AB7F6AE8747.tk

Email Associated