In this blog, I share the top three cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
1) Windows servers infected by DarkPulsar, an alleged NSA exploit
DarkPulsar; a malware implant that has been allegedly developed by the U.S. National Security Agency (NSA) has been observed targeting potential victims via methods such as phishing, and spam emails. The victims of this malware are primarily located in Russia, Iran, and Egypt and are found to be associated with industries such as telecommunications, IT, aerospace and R&D. The attack is found to mainly affect systems running Windows 2003 and 2008 Servers.
The malware’s main features are its ability to run an arbitrary code via a function called “RawShellcode” and its ability to upload other DanderSpritz payloads via the “EDFStageUpload” function, thus expanding the operator’s control over an infected system.
DarkPulsar’s implant is a dynamic library with a payload that is implemented in exported functions. These functions are as follows:
- Two nameless functions which are used to install the backdoor in the system.
- Functions with names related to TSPI operations to ensure that the backdoor is in the autorun list and is launched automatically.
- A function with a name related to SSPI operations, which implements the main malicious payload. The implementation of the SSPI and the TSPI interfaces are minimalistic. The functions that have been exported by DarkPulsar have the same names as the interface functions; however, they include malicious code instead of the genuine service.
- The implant is installed on the system by the exported nameless function.
- The backdoor is launched with administrator privileges by calling the Secur32.AddSecurityPackage to its own library in the parameter, causing lsass.exe to load DarkPulsar as an SSP/AP and to call its exported function. In this way, AddSecurityPackage is used to inject code and then to add its library name at HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers.
DarkPulsar implements its payload by installing hooks for the SpAcceptLsaModeContext function, which is responsible for authentication. Such injects are performed in several system authentication packets within the process lsass.exe, which allow DarkPulsar to control the authentication process based on the following protocols:
- dll – for the NTLM protocol,
- dll – for the Kerberos protocol,
- dll – for the TLS/SSL protocols,
- dll – for the Digest protocol, and
- dll –for the Negotiate protocol.
The command to be executed must be specified either in the configuration file Darkpulsar- 188.8.131.52.xml or as a command line argument, detailing at least:
- Whether the target machine uses a 32-bit system or a 64-bit system;
- The protocol to deliver the command and port number;
- The private RSA key to decrypt the session’s AES key.
DanderSpritz is a framework for controlling infected machines, quite different from FuzzBunch as the latter provides a limited toolkit for the post-exploitation stage with limited and specific functions such as DisableSecurity and EnableSecurity.
The complete DanderSpritz usage scheme consists of four steps:
- Via FuZZbuNch- run command EDFStagedUpload to launch DarkPulsar.
- In DanderSpritz- run command pc_prep, to prepare the payload and the library to be implanted.
- In DanderSpritz- run command pc_old, which sets it to wait for a socket from Pcdlllauncher.
- Launch Pcdlllauncher via FuZZbuNch by specifying the path to the payload that has been prepared with the command pc_prep in the ImplantFilename parameter.
The FuzzBunch and DanderSpritz frameworks are designed to be flexible and compatible with other tools. Each of them consists of a set of plugins designed for different tasks.
- Manually blacklist the hash value of the file on your security devices.
- Disable default administrative accounts and only allow users with admin privileges to perform administrative activities.
- Always maintain patched and up-to-date systems, networks, servers and gateways.
- Restrict users from running executable files.
- Implement multi-factor authentication to prevent any exploitation in case of a compromised device(s).
- Users must be trained on a regular basis regarding security postures/policies/procedures that must be followed to minimize internal threats.
- Execution of codes/scripts must be denied on endpoint devices or restricted to the virtual environment for domain users.
2) Windows privilege-escalation vulnerability plagues the Middle East
Security researchers have uncovered that Microsoft Windows users are prone to a local privilege-escalation vulnerability that occurs in the Windows kernel. An attacker can exploit this vulnerability to execute arbitrary code with elevated privileges in kernel mode. This zero-day, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue related to how the Win32k component of Windows handles objects in memory. It was observed that an authenticated attacker could exploit the security hole to elevate his/her privileges and take control of the compromised system(s).
The exploit code is written in high quality with the objective of exploiting as many different MS Windows builds as possible, including MS Windows 10 RS4. A very limited number of attacks that use this vulnerability have been observed, but for those affected, the majority belong to the Middle East region.
The exploit is executed by the first stage of a malware installer to get necessary privileges for persistence on the victim’s system.
The exploitation of this vulnerability depends on a sequence of events that are performed from the hooks set on three user-mode call back functions:
- fnNCDESTROY and
The exploit then installs these hooks by replacing the function pointers in the KernelCallbackTable.
So far, the usage of this exploit has been observed on a small number of targeted attacks, when the exploit is packaged in a malware installer. The installer requires these privileges to install its payload. The payload is a sophisticated implant, which is used by the attackers for persistent access to the victims’ machines. Some of its characteristics include:
- Encrypting the payload using AES-256-CBC with the SHA-1 of the SMBIOS UUID- thus making it impossible to decrypt the payload on machines other than the victim, if the SMBIOS UUID is not known.
- Using Microsoft BITS (Background Intelligent Transfer Service) to communicate with its C2 servers which is an unusual technique
- Storing the payload in a randomly named file on disk. The loader contains a hash of the filename and attempts to find the payload by comparing the filename hash for all files in the Windows directory.
The attackers were found to be using a PowerShell backdoor that has previously been seen exclusively used by the FruityArmor APT. An overlap in the domains used for C2 between this new activity and previous FruityArmor campaigns was observed. This makes security researchers believe with confidence that FruityArmor is responsible for the attacks performed using this CVE vulnerability.
- Permit local access for trusted individuals only. If possible, use restricted environments and shells.
- Only accountable users should be granted local access, since for the exploit to work, an attacker would require local access to an infected computer.
- Patch the vulnerability using the updates from Microsoft on the endpoint devices.
- Blacklist the Indicators of Compromise (IoCsO to identify and prevent any possible attempt to exploit this vulnerability.
- Make sure to regularly update the software’s that are used in the environment to their most recent versions.
3) A powerful and highly targeted banking trojan
The recently uncovered sLoad downloader is an example of a stealthy and a smart malware trend. This threat has targeted countries including Italy, Canada, and the United Kingdom, specifically by sending out malicious emails to recipients. The emails are crafted in the targeted country’s language and are personalized to include the recipients’ names and addresses in various parts of the email such as the email body and subject.
This new PowerShell downloader sports impressive reconnaissance tactics and demonstrates a penchant for geofencing, which indicates an increase in sophistication when it comes to targeting efforts. sLoad typically delivers a Ramnit banking trojan. The notable aspect is the lengths to which it will go to learn about a target/potential victim before delivering its payload. The malware gathers information about the infected system such as a list of running processes, Outlook details, the presence of Citrix-related files, and screenshots of the target machine.
The actor have been frequently, but not always, observed to use one or more intermediate downloaders such as PowerShell script, sLoad, Snatch, or Godzilla. We have observed the final payloads to include Ramnit, Gootkit, DarkVNC, Ursnif, and PsiXBot.
The threat actors continue to adopt new, stealthy loaders with rich reconnaissance features. By using loaders that can also assess infected systems, these actors can select their targets wisely and improve the quality of infected hosts. Geofencing i.e. restricting access to content based on the user’s location, determined via the source IP address, is performed at all steps of the infection chain. The below checks have been observed:
- Downloading the zipped-LNK,
- LNK downloading a PowerShell,
- PowerShell then downloading sLoad,
- sLoad communication with its command and control (C2) server and
- sLoad receiving a task/command in a base64-encoded binary.
This loader is being used by an actor referred to as TA554. TA554 uses package delivery or order notification lures and the emails contain URLs linking to zipped LNK files or zipped documents. The LNK file or the document macros in turn download the next stage which is typically a PowerShell script which then downloads the final payload or another downloader such as sLoad.
Banking trojans, by nature, require a degree of geotargeting since they must be configured with web injects for local banks. Geofencing helps them ensure that infected systems are within the regions targeted by the banking trojans based on the IP address of the infected system. In this case, the banking trojan is Ramnit. sLoad checks browsing histories to see if the victim visited specific/targeted banks. sLoad contains a hardcoded array of banking keywords and several host names, and reports on any matches found on the machine to the C2.
In addition to this geofencing that occurs throughout the infection chain, it was also observed that the sLoad examines the DNS cache of the infected machines, looking for evidence that the machines have been used to access online banking sites with web injects configured in the Ramnit payload. sLoad also searches for files with “.ICA” extension, starting in “C:\users” folder.
The final payload is generally a banking trojan via which the actors can not only steal additional data but can also perform ‘man-in-the-browser’ attacks on the infected individuals. Downloaders like the sLoad, Marap and others, provide a high degree of flexibility to threat actors, as they can be used to avoid vendor sandboxes, deliver ransomware to a system, and deliver a banking trojan to potential systems.
- Blacklist the IoCs to help prevent and identify an attempt by similar threat actors to exploit domain user machines.
- Exercise caution when receiving unsolicited, unexpected, or suspicious emails.
- Enable advanced account security features, like 2FA, multi-factor authentication and login notifications.
- Regularly patch and update security devices via the recommended path provided by the vendor.
- Users must be informed and trained about security aspects and postures that must be followed in case of an anomalous behaviour, and incidents.
- Enable strict web filtering features to prevent access to external domains from within the organization.
- Deny privileges to a domain user from running executable files without necessary permissions.
As always, at Help AG, we’re here to help you protect against these any other cyber threats so please reach out to us for all your cyber security needs.
Shaikh Azhar, Cyber Security Analyst at Help AG