Top Middle East Cyber Threats- 4 February 2020


At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Active Exploitation of Citrix Vulnerability CVE-2019-19781
FireEye recently reported widespread exploitation of CVE-2019-19781, a vulnerability in Citrix Application Delivery Controller, Citrix Gateway and the Citrix SD-WAN WANOP appliance that leads to arbitrary code execution. Citrix ADC and Gateway instances that remain unpatched, or that do not have the recommended mitigations applied, are exposed. The vulnerability has recently also been used to deploy ransomware.
Citrix announced that this vulnerability affects the following supported product versions on all supported platforms:
• Citrix ADC and Citrix Gateway version 13.0 all supported builds before 13.0.47.24
• NetScaler ADC and NetScaler Gateway version 12.1 all supported builds before 12.1.55.18
• NetScaler ADC and NetScaler Gateway version 12.0 all supported builds before 12.0.63.13
• NetScaler ADC and NetScaler Gateway version 11.1 all supported builds before 11.1.63.15
• NetScaler ADC and NetScaler Gateway version 10.5 all supported builds before 10.5.70.12
• Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b
Attack Description
This vulnerability was identified in Citrix Application Delivery Controller (ADC), previously known as NetScaler ADC, and in Citrix Gateway. Successful exploitation allows an unauthorized attacker to perform arbitrary code execution.
An attacker operating from IP address 45[.]120[.]53[.]214 attempted to exploit CVE-2019-19781 against dozens of FireEye clients. Where the exploit succeeded, the affected systems ran a cURL command to download a shell script named “ld.sh” from the same IP address. In some cases the shell script was downloaded from an alternate source, hxxp://198.44.227[.]126:81/citrix/ld.sh.
The shell script first locates the python2 binary and then downloads two additional files to a temporary directory on the system:
1. piz.Lan – an XOR-encoded data blob
2. de.py – a Python script
The script sets permissions on these files, then de.py decodes and decompresses piz.Lan. Next, the script removes the initial files and executes scan.py.
de.py decodes the file “.net.zip”, from which a total of 5 files were recovered.
The script does more than that: it also identifies whether a target system is 32- or 64-bit, so that the function exploit_main can choose the appropriate DLL for injection.
The abilities of the 32- and 64- bit DLLs, named respectively x86.dll and x64.dll were further analysed and it was found that they performed several tasks as follows:
1. Download a file named patch32 or patch64, depending on the operating system, from a URL using certutil, a tool that is part of Windows Certificate Services and whose abuse for file download is tracked in MITRE’s ATT&CK framework.
2. Execute the downloaded binary since1969.exe, located in C:\Users\Public
3. Delete the URL from the current user’s certificate cache.
At the time of analysis, neither patch32 nor patch64 were available. FireEye identified a file on VirusTotal having following details:
Name: avpass.exe
MD5: e345c861058a18510e7c4bb616e3fd9f
This was linked to the IP address 45[.]120[.]53[.]214. This file is an example of a publicly available Meterpreter backdoor that was uploaded on 12th November 2019. The communication with the said IP took place over TCP port 1234.
Within the avpass.exe binary, a PDB string was found that provided more information about the tool’s author.
“C:\Users\ragnarok\source\repos\avpass\Debug\avpass.pdb”
Using “ragnarok” as the keyword, a separate copy of since1969.exe was uploaded to VirusTotal on 23rd January 2020.
Further analysis and sandboxing of this binary showed that the attacker was attempting to deploy ransomware called “Ragnarok”. The link was made with the help of a tweet from Karsten Hahn mentioning Ragnarok-related artifacts.
Recommendations
CVE-2019-19781 is a directory traversal vulnerability. Attackers scan widely for exposed appliances and, once they find a vulnerable host, drop files onto it. This creates a backdoor that lets them maintain access and fully compromise the system.
Citrix has released a new round of security updates to resolve this critical vulnerability, which exposes thousands of servers to code execution attacks. Different versions of Citrix Application Delivery Controller (ADC), Citrix Gateway and the SD-WAN WANOP appliance are affected. In the latest set of fixes, Citrix has pushed patches for Citrix ADC and Citrix Gateway versions 12.1 and 13.0. Fixes for ADC and Gateway can be downloaded from the Citrix support website and should be applied as quickly as possible. Researchers estimated that up to 80,000 organizations in 158 countries may be susceptible to attack due to this bug.
Metamorfo variants target financial organizations
During a recent investigation, FortiGuard Labs captured a suspicious sample from a phishing email. Comprehensive analysis determined that it was a new variant of the Metamorfo malware, which is known for collecting data from the customers of Brazilian financial organizations. A previous version seen earlier, in 2018, showed that the cybercriminals behind these attacks used shortened links to distribute banking malware variants.
Across campaigns since 2018, researchers have observed numerous tactics and techniques used to evade detection and deliver the malicious payload. Actors behind this malware family have repeatedly sought to gather financial and personal data, such as credit card information and login credentials for internet banking or other financial service websites, for monetary gain.
Attack Description
Deep analysis of the attack showed what this new variant of Metamorfo does, what data it collects from the victim, and how it communicates with its command and control server.
The email was written in Portuguese, the official language of Brazil, and appeared to be a notice asking the victim to download an electronic invoice. The downloaded file is not an invoice but an installer named “XlsPlan_Visualize.msi”. Researchers found this suspicious because an email that supposedly carries invoice details actually delivers an .msi installer. The installer was dissected further to understand the purpose of the new variant. MSI files can download and execute other files and can bypass traditional security solutions; however, the use of msiexec.exe to download a malicious MSI package is not commonly seen in malware.
The “XlsPlan_Visualize.msi” file contains 48 similar streams. The MSI file is not the final malware itself but a downloader.
The “!_StringData” stream contains a segment of VBS code that MsiExec.exe executes to download another, malicious file. According to the researchers, the code was interleaved with a large number of junk strings to mislead analysis.
Analysis of the VBS code shows that it downloads a zip file named “img.zip” from the URL “hxxps[:]//raw[.]githubusercontent[.]com/edx23/X435/master/img.zip”, calls the unzip() function to decompress it into the folder %Public%\Downloads\KJFLDKRE, and renames the extracted file “KJFLDKRE.msi”. Finally, this file is executed with the parameter “/quiet”, which runs the installer in the background without a user interface, so the victim sees nothing.
The MSI file running under MsiExec.exe extracts a PE (EXE) file into C:\Windows\Installer and executes it. According to the researchers the filename may be random; in the artefacts examined it was “MSIA1F6.tmp”. Further analysis showed that the file was written in Delphi, an event-driven programming language based on Object Pascal with an associated integrated development environment for rapid application development of desktop, mobile, web, and console software.
“KJFLDKRE.msi” is the actual Metamorfo malware, and it runs in the background. “MSIA1F6.tmp” is extracted from “KJFLDKRE.msi” and executed in a child process. “MSIA1F6.tmp” uses multiple Timers to do its work. It checks whether any of 3 finance applications is installed by calling the API FindWindowA() with the Windows class name of each.
When the victim opens an online bank’s web page, the page title includes the bank’s name. Metamorfo uses string matching against a list of institution names and acronyms to determine whether the victim is on a financial web page.
A notable feature of the malware is how it avoids blocking: the hostname of the C&C server is generated dynamically by a function in the code, so the host string changes on every occurrence.
During the proof of concept (POC), researchers browsed some of the listed financial organizations to trigger a string match in the Timer1 function. This established a connection to the C&C server and reported that a financial organization had been accessed.
Once the connection is established, the client sends “[<<MANDASOCKET>>]” first, and the server replies “<|OK|>”, which requests information about the victim’s device. The client then sends an “<|Info|>” packet containing the port number (8974), the “Bank Name” of the financial organization, the victim’s computer name (****-PC), the client version (V.8), and the victim’s OS name (Windows 7 Ultimate).
NOTE: “<|>” acts as a delimiter, while “<<|” is an end symbol.
The Metamorfo client has a function called Conn1Read(), belonging to the Conn1 socket, which processes control commands from the C&C server on this main socket.
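As an added example (not code from Fortinet or from this write-up), the following Python parses and flags the hello/ack exchange described above in a captured byte stream; the field order inside the <|Info|> packet and the sample capture are assumptions constructed for the example.

```python
# Protocol tokens as described in the write-up above.
HELLO = b"[<<MANDASOCKET>>]"   # first message from the infected client
SERVER_OK = b"<|OK|>"          # server acknowledgement / request for info
INFO_TAG = b"<|Info|>"         # start of the victim-profile packet
FIELD_SEP = b"<|>"             # field delimiter
END_MARK = b"<<|"              # end-of-packet symbol

# Field order inside <|Info|> is an assumption taken from the order the
# write-up lists them; adjust it if a real capture shows otherwise.
INFO_FIELDS = ("port", "bank", "hostname", "client_version", "os")


def parse_info_packet(data: bytes):
    """Return the victim profile from the first complete <|Info|> packet,
    or None if the tag is absent, the packet is truncated, or the field
    count does not match the expected layout."""
    start = data.find(INFO_TAG)
    if start < 0:
        return None
    body_start = start + len(INFO_TAG)
    end = data.find(END_MARK, body_start)
    if end < 0:
        return None  # truncated capture: do not guess at partial fields
    fields = data[body_start:end].split(FIELD_SEP)
    if len(fields) != len(INFO_FIELDS):
        return None
    info = dict(zip(INFO_FIELDS, (f.decode("latin-1") for f in fields)))
    if not info["port"].isdigit():
        return None
    info["port"] = int(info["port"])
    return info


def detect_handshake(client_to_server: bytes, server_to_client: bytes) -> dict:
    """Flag a bidirectional capture containing the hello/ack exchange.
    `matched` requires both the client hello and the server <|OK|>; the
    parsed Info packet, if any, is included for alert enrichment."""
    hello_seen = HELLO in client_to_server
    ok_seen = SERVER_OK in server_to_client
    return {"matched": hello_seen and ok_seen, "hello_seen": hello_seen,
            "ok_seen": ok_seen, "info": parse_info_packet(client_to_server)}


# Constructed sample capture (not real traffic) following the described format.
SAMPLE_CLIENT = (HELLO + INFO_TAG
                 + b"8974<|>Banco Exemplo<|>VICTIM-PC<|>V.8<|>Windows 7 Ultimate"
                 + END_MARK)
SAMPLE_SERVER = SERVER_OK

if __name__ == "__main__":
    print(detect_handshake(SAMPLE_CLIENT, SAMPLE_SERVER))
```

A real detector would run this over reassembled TCP streams on the reported port rather than on a single buffer, but the token and field checks are the same.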
Recommendations
If you are a customer of a targeted Brazilian financial institution but you never run their financial or proprietary applications or open one of their pages on an infected PC, this variant of Metamorfo will not collect any data.
Help AG recommends the following controls for successful detection and mitigation of this attack vector.

  • Use antivirus programs, with automatic updates of signatures and software, on clients and servers.
  • Apply appropriate patches and updates immediately (after appropriate testing).
  • Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
  • If your organization does not have a policy regarding suspicious emails, consider creating one and specifying that all suspicious emails be reported to the security or IT department.
  • Mark external emails with a banner denoting that they come from an external source. This will assist users in detecting spoofed emails.
  • Provide employees training on social engineering and phishing. Urge employees not to open suspicious emails, click links contained in such emails, or post sensitive information online, and to never provide usernames, passwords, or personal information in answer to any unsolicited request.
  • Educate users to hover over a link with their mouse to verify the destination prior to clicking on the link.
  • Consider blocking file attachments that are commonly associated with malware, such as .dll and .exe, .msi and attachments that cannot be scanned by antivirus software, such as .zip files.
  • Adhere to the principle of least privilege, ensuring that users have the minimum level of access required to accomplish their duties. Limit administrative credentials to designated administrators.

REFERENCES

  • https://www.fortinet.com/blog/threat-research/analysis-metamorfo-variant-targets-financial-organizations.html
  • https://www.coveware.com/blog/2020/1/22/ransomware-costs-double-in-q4-as-ryuk-sodinokibi-proliferate
  • https://www.fireeye.com/blog/threat-research/2020/01/nice-try-501-ransomware-not-implemented.html
  • https://support.citrix.com/article/CTX267027