In this blog, I will share the top two cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

1) Beware when Banking- DanaBot lurks

DanaBot is a modular trojan written in the Delphi coding language that attempts to steal account credentials and information from online banking websites. It uses different methods such as taking screenshots of active screens, stealing data, and logging keystrokes to achieve this. The stolen information is then collected and sent to a command & control (C&C) server, where it can then be accessed by the threat actors.

This malware can affect all Windows users. DanaBot may even be set up as a “malware as a service” system, in which a single threat actor could control a global C&C panel and infrastructure systems and then sells the access to other threat actors. Being a banking Trojan could possibly mean DanaBot is geo-targeted to a degree. The malware has been found targeting the banking sectors of counties such as Europe, Australia, US and Canada which suggests active development, geographic expansion, and ongoing threat actor interest in this malware.

Attack Description

The initial stage of the attack involves sending spam emails to potential targets. These emails contain an eFax lure and a URL link to download a document containing malicious macros. Once the user enables these malicious macros, they drop the Hancitor payload as a dropper. This is followed by the execution of the embedded Hancitor malware, which in turn receives commands to download the Pony stealer and DanaBot banking malware.

DanaBot is composed of three components:

  • Loader: downloads and loads the main component.
  • Main component: downloads, configures and loads modules.
  • Modules: various malware functionality. Both the main component and the loader contain a list of 10 C&C IPs and this loader uses HTTP-based C&C server communication.

DanaBot uses Windows API functions hashing and encrypted strings in order to prevent analysts and automated tools from determining the code’s purpose. The characters of the encrypted strings are then stored as an array of DWORDs and are later decrypted using a key and a basic substitution cipher.

DanaBot’s loader uses HTTP for communication while its main component uses a binary protocol. But both the mentioned components use a binary protocol over the TCP port 443. Despite using this port, it does not use TLS. DanaBot’s C&C traffic was found to be an evolution of this protocol, and it now uses AES encryption in addition to the Zlib compression.

Recommendations:

  • Secure/restrict the use of remote access functionalities such as Remote Desktop Protocols (RDPs).
  • Always maintain patched and up-to-date systems, networks, servers, and gateways.
  • Employ multi-factor authentications to prevent any access by threat actors in case of stolen credentials.
  • Restrict regular users from using admin privileges at their endpoint machines.
  • Proactively monitor the network for any suspicious activity, such as C&C communication, data exfiltration, and lateral movement.
2) Denial of Service Attacks on Devices with Linux Kernel Vulnerabilities

Gallmaker is a politically motivated Advanced Persistent Threat (APT) group that has focused its attacks against the government, military or defence sectors. This Group has launched attacks on several overseas embassies of Eastern European countries, as well as military and defence organizations in the Middle East.

Gallmaker has been active since December 2017. The most interesting aspect of Gallmaker’s approach is that the Group does not use any sort of malware in its operations. Instead, the threat actors use living off the land (LotL) tactics and publicly available hack tools to carry out their activities.

They perform their attacks by initially using phishing emails to deploy Microsoft Office files, which are further used to exploit the DDE protocol vulnerability. After a successful exploitation, the attacker gains complete remote access on the endpoint device. Once this access has been established, the attacker can perform remote code execution via in-built tools such as PowerShell and WinZip console.

Attack Description:

Gallmaker uses spear phishing messages that contain a weaponized Microsoft Office document that uses the Dynamic Update Exchange (DDE) protocol to execute commands in the memory of the targeted machine. By running solely in the memory, the attacker avoids leaving artifacts/footprints on disk, thus eliminating the possibility of a traceback of the attack. Once the attackers gain access to the target machine, they use various tools including the reverse_tcp reverse shell from Metasploit, the WindowsRoamingToolsTask PowerShell scheduler, the WinZip console, and an open source library named Rex PowerShell, which helps create PowerShell scripts for Metasploit exploits.

Gallmaker APT has been found to use three primary IP addresses to establish its C&C infrastructure. On completion of their attack, the threat actors delete some of the tools from compromised machines to hide traces of their activity. Using just LotL tools, attackers can gain remote access to a device, steal data, or disrupt its operations — without the requirement of any new or already existing malware. The fact that Gallmaker appears to rely completely on LotL tactics and publicly available hack tools makes its activities extremely difficult to detect.

The spear-phishing emails used to perform this attack utilize documents with names related to government, military, or diplomatic themes. The documents are found to be described as “not very sophisticated” and are designed to be of interest to the targets in the mentioned regions. Filenames for these documents include:

  • bg embassy list.docx
  • ro members list.docx

These malicious lures do not contain any malware, but rather take advantage of the exploit in Microsoft Office Dynamic Data Exchange (DDE) protocol. After this document is opened, the user is urged to enable ‘protected’ content, an action which enables the DDE protocol and thus allows attackers to remotely execute commands on the device.

Once the Gallmaker attackers gain access to a device, they execute various tools, such as:

  • WindowsRoamingToolsTask: Which is used to schedule PowerShell scripts and tasks.
  • A “reverse_tcp” payload from Metasploit: Which can be used to obfuscate shellcode that is executed via PowerShell to download this reverse shell.
  • A legitimate version of the WinZip console: Which creates a task to execute commands and communicate with the C&C server. It is likely that this WinZip console is used for archiving data and exfiltration.
  • The Rex PowerShell library- Which is publicly available on GitHub and is also present on the victim machines. This library helps the user to create and manipulate PowerShell scripts for use with the Metasploit exploits.

Recommendations:

  • Monitor the usage of dual-use tools such as netsh and PsExec.exe in your network.
  • Use application whitelisting where applicable.
  • Exercise caution when receiving unsolicited, unexpected, or suspicious emails.
  • Admins must monitor and control attachments, such as Microsoft Office files that prompt users to enable macros.
  • Enable advanced account security features, like two-factor authentication (2FA), multi-factor authentication and login notification.
  • Restrict the use of scripts on endpoint machines whose users do not need that function for their daily tasks.
  • For those who require tools for the execution of scripts, admins must restrict their activities in a virtual environment, if possible.

As always, at Help AG, we’re here to help you protect against these any other cyber threats so please reach out to us for all your cybersecurity needs.

Blog By

Ben Abraham, CSOC Lead at Help AG