Introduction

Mass-distribution campaigns pushing commonly seen malware are not often considered newsworthy.  But these campaigns occur on a near-daily basis, and I feel they should be documented as frequently as possible.  Frequent documentation ensures we have publicly available records that reveal how these campaigns evolve.  Minor changes add up over time.

Today's diary illustrates a small part of my workday, as I review information and track down a campaign using malicious spam (malspam) to distribute Trickbot malware.

Reporting methods

A growing number of people use social media tools like Twitter to share information about malware and malicious network activity.  Twitter offers a near-real-time way to push information to a large number of people.  Security professionals and enthusiasts can easily find, share, and act on this information.

Keep in mind that this sort of public sharing should never include sensitive data.  You should never reveal details of your organization's internal network or divulge any classified or confidential documents.  Criminals are likely monitoring public-facing services like VirusTotal and other malware scanning sites, because they "are becoming containers for personal, business and even classified information..."

Some security professionals use private communication channels with a restricted audience, but those channels are not available to the vast majority of people working in information security.  When possible, I prefer to share malware information publicly.

Gathering information

Like many researchers, I use a combination of public and non-public resources when investigating malware.  One great public resource is URLhaus, a project operated by abuse.ch that helps security researchers, vendors and law enforcement agencies make the Internet a safer place.

On Tuesday 2018-11-13, I was browsing through URLhaus and found two URLs tagged as Trickbot.  I've researched a great deal of Trickbot activity, so I knew these URLs could be traced to malspam with an attached Microsoft Office document using macros to download and install Trickbot.


Shown above:  Two URLs tagged as Trickbot according to URLhaus.

I checked my employer's tools, where I found at least 20 examples of malspam using attached Word documents with macros that downloaded from these URLs.  The malspam was very recent, and no samples of the attached Word documents had yet been submitted to VirusTotal.  I could pull metadata and file hashes from my employer's tools, but not a copy of a Word document itself, so I could not use one to generate infection traffic.

However, the two URLs from the URLhaus list were still active, so I used one to retrieve a Trickbot binary and ran it on a Windows host in my lab, which generated the expected infection traffic.  Post-infection activity revealed the campaign ID as sat101.  Trickbot stores the campaign ID in the <gtag> element of its configuration file on an infected Windows host, and the ID can be used to determine the distribution characteristics of a campaign.  For example, Trickbot samples with campaign IDs starting with "sat" are used in malspam targeting recipients in the United States.
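As an added example (not code from the original diary), the following Python pulls the campaign ID and the other fields an analyst cares about out of a decrypted Trickbot configuration, then maps the gtag prefix to the distribution target noted above.  The configuration sample is constructed to mirror the XML layout of these files: its version number, server addresses (RFC 5737 documentation ranges) and module list are made up, and the prefix table contains only the "sat" mapping this diary documents.  Trickbot keeps the configuration encrypted on disk; decrypting it is out of scope here.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample of a *decrypted* Trickbot configuration, laid out the way
# these XML-like configs are structured (ver, gtag, servs, autorun).  Values
# are made up: IP addresses come from RFC 5737 documentation ranges and the
# version number is arbitrary.
SAMPLE_CONFIG = """<mcconf>
  <ver>1000210</ver>
  <gtag>sat101</gtag>
  <servs>
    <srv>203.0.113.10:443</srv>
    <srv>198.51.100.25:449</srv>
  </servs>
  <autorun>
    <module name="systeminfo" ctl="GetSystemInfo"/>
    <module name="injectDll"/>
  </autorun>
</mcconf>
"""

# Only the prefix the diary itself documents; extend from your own tracking data.
GTAG_PREFIX_TARGETS = {
    "sat": "United States",
}

# campaign IDs look like a short letter prefix followed by a serial number
GTAG_RE = re.compile(r"^([a-z]+)(\d+)$")


def parse_trickbot_config(xml_text: str) -> dict:
    """Extract version, gtag, C2 servers and autorun modules from a decrypted config."""
    root = ET.fromstring(xml_text)
    if root.tag != "mcconf":
        raise ValueError(f"unexpected root element <{root.tag}>")

    def text_of(tag: str) -> str:
        node = root.find(tag)
        return (node.text or "").strip() if node is not None else ""

    return {
        "version": text_of("ver"),
        "gtag": text_of("gtag"),
        # C2 servers as host:port strings, in config order
        "servers": [s.text.strip() for s in root.findall("servs/srv") if s.text],
        # modules the bot is told to load at start-up
        "modules": [m.get("name", "") for m in root.findall("autorun/module")],
    }


def split_gtag(gtag: str) -> Optional[tuple]:
    """Split a campaign ID such as 'sat101' into ('sat', 101); None if malformed."""
    m = GTAG_RE.match(gtag)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def campaign_target(gtag: str) -> Optional[str]:
    """Map a gtag to the distribution target its prefix is known for, if any."""
    parts = split_gtag(gtag)
    if parts is None:
        return None
    return GTAG_PREFIX_TARGETS.get(parts[0])


if __name__ == "__main__":
    cfg = parse_trickbot_config(SAMPLE_CONFIG)
    print(f"version={cfg['version']} gtag={cfg['gtag']} "
          f"target={campaign_target(cfg['gtag'])}")
    for srv in cfg["servers"]:
        print("c2:", srv)
```

The prefix lookup deliberately returns None for anything it has not seen, so an unknown prefix is surfaced for manual tracking rather than guessed at.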


Shown above:  Tuesday's Trickbot infection traffic filtered in Wireshark.

Quick reporting

With enough information to describe Tuesday's Trickbot campaign in the US, I wanted to quickly report it.  But compiling a blog post would take at least two hours.  Twitter was my speediest alternative.  I dumped the data to a Pastebin page, created some images, and tweeted the results.


Shown above:  The tweet I sent.

Final words

This diary shows a small part of my workday, and it reveals how I found a recent wave of Trickbot malspam.  As of 20:24 UTC on Tuesday 2018-11-13, none of the associated Word documents were available on VirusTotal, but a sample of the Trickbot binary had been submitted to hybrid-analysis.com.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
SAP Fiori Client CVE-2018-2485 Multiple Unspecified Security Vulnerabilities
 
Microsoft Team Foundation Server CVE-2018-8529 Remote Code Execution Vulnerability
 

This month, Microsoft patches two issues that have already been disclosed publicly.  One is related to BitLocker trusting SSDs with faulty encryption (CVE-2018-8566, with guidance in ADV180028).  If an SSD offers its own hardware-based encryption, BitLocker defers to it and does not add its own software encryption on top, to save CPU cycles.  But last month it became known that SSD hardware encryption is often implemented badly and can easily be bypassed.  As a result, Microsoft releases a patch and also an advisory with details regarding BitLocker's behavior and how to override it.  Note that the override (disabling the "Configure use of hardware-based encryption for ..." group policy settings under BitLocker Drive Encryption) only affects drives encrypted after the change: any drive that "manage-bde -status" already reports with an Encryption Method of "Hardware Encryption" has to be decrypted and re-encrypted before BitLocker's software encryption takes effect.
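As an added example, not code from the original post or from Microsoft's advisory, the following Python parses the text output of "manage-bde -status" and lists the volumes that report hardware encryption, i.e. the ones that need to be decrypted and re-encrypted once software encryption is enforced.  The sample output is constructed for this example and approximates the tool's layout; the volume sizes, version string and the OID after "Hardware Encryption" are made up.

```python
import re

# Constructed sample of "manage-bde -status" output, approximating the real
# tool's layout: a banner, then one block per volume.  Sizes, the version
# string and the OID after "Hardware Encryption" are made up.
SAMPLE_STATUS = """BitLocker Drive Encryption: Configuration Tool version 10.0.17763
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Password
"""

# "Volume C: [Windows]" header line that starts each per-volume block
VOLUME_RE = re.compile(r"^Volume ([A-Z]:) \[([^\]]*)\]", re.MULTILINE)
# indented "Field:   value" lines; [ \t]+ rather than \s+ so that the bare
# "Key Protectors:" line is not paired with the protector listed below it
FIELD_RE = re.compile(r"^[ \t]+([A-Za-z ]+):[ \t]+(\S.*?)[ \t]*$", re.MULTILINE)


def parse_manage_bde_status(text: str) -> list:
    """Split manage-bde -status output into one dict per volume."""
    headers = list(VOLUME_RE.finditer(text))
    volumes = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[h.end():end]
        fields = {m.group(1).strip(): m.group(2) for m in FIELD_RE.finditer(block)}
        method = fields.get("Encryption Method", "")
        volumes.append({
            "volume": h.group(1),
            "label": h.group(2),
            "conversion_status": fields.get("Conversion Status", ""),
            "encryption_method": method,
            # per ADV180028, "Hardware Encryption" means BitLocker is relying on
            # the drive's self-encryption instead of its own software encryption
            "hardware_encryption": method.startswith("Hardware Encryption"),
        })
    return volumes


def hardware_encrypted_volumes(text: str) -> list:
    """Volumes to decrypt and re-encrypt after enforcing software encryption."""
    return [v["volume"] for v in parse_manage_bde_status(text)
            if v["hardware_encryption"]]


if __name__ == "__main__":
    for v in parse_manage_bde_status(SAMPLE_STATUS):
        flag = "HARDWARE" if v["hardware_encryption"] else "software"
        print(f"{v['volume']} [{v['label']}] {v['encryption_method']} -> {flag}")
    print("needs re-encryption:", hardware_encrypted_volumes(SAMPLE_STATUS))
```

On a real host, feed the function the captured output of an elevated "manage-bde -status" run; the parser only keys on the "Volume X:" header and the indented "Field: value" lines, so extra fields in other Windows builds are carried along in the dict without breaking it.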

The second publicly disclosed vulnerability is the ALPC elevation of privilege issue (CVE-2018-8584) that was disclosed by SandboxEscaper via Twitter. SandboxEscaper disclosed a very similar issue a couple of months ago. Microsoft patched that issue, but apparently not completely.

Finally, these updates address a Win32k elevation of privilege vulnerability (CVE-2018-8589) which has been exploited in the wild.

For a more detailed breakdown, see Renato's dashboard: 

| Description | CVE / Advisory | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
|---|---|---|---|---|---|---|---|---|
| .NET Core Tampering Vulnerability | CVE-2018-8416 | No | No | Less Likely | Less Likely | Moderate | | |
| Active Directory Federation Services XSS Vulnerability | CVE-2018-8547 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.9 |
| Azure App Service Cross-site Scripting Vulnerability | CVE-2018-8600 | No | No | - | - | Important | | |
| BitLocker Security Feature Bypass Vulnerability | CVE-2018-8566 | Yes | No | Less Likely | Less Likely | Important | 4.6 | 4.6 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2018-8588 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2018-8541 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2018-8542 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2018-8543 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2018-8551 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2018-8555 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2018-8556 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2018-8557 | No | No | - | - | Critical | 4.2 | 3.8 |
| DirectX Elevation of Privilege Vulnerability | CVE-2018-8485 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| DirectX Elevation of Privilege Vulnerability | CVE-2018-8554 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
| DirectX Elevation of Privilege Vulnerability | CVE-2018-8561 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| DirectX Information Disclosure Vulnerability | CVE-2018-8563 | No | No | - | - | Important | 4.7 | 4.2 |
| Guidance for configuring BitLocker to enforce software encryption | ADV180028 | Yes | No | - | - | | | |
| Internet Explorer Memory Corruption Vulnerability | CVE-2018-8570 | No | No | - | - | Important | 6.4 | 5.8 |
| Latest Servicing Stack Updates | ADV990001 | No | No | - | - | | | |
| MSRPC Information Disclosure Vulnerability | CVE-2018-8407 | No | No | Less Likely | Less Likely | Important | 3.3 | 3.3 |
| Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability | CVE-2018-8605 | No | No | - | - | Important | | |
| Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability | CVE-2018-8606 | No | No | - | - | Important | | |
| Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability | CVE-2018-8607 | No | No | - | - | Important | | |
| Microsoft Dynamics 365 (on-premises) version 8 Cross Site Scripting Vulnerability | CVE-2018-8608 | No | No | - | - | Important | | |
| Microsoft Dynamics 365 (on-premises) version 8 Remote Code Execution Vulnerability | CVE-2018-8609 | No | No | - | - | Critical | | |
| Microsoft Edge Elevation of Privilege Vulnerability | CVE-2018-8567 | No | No | - | - | Important | 5.4 | 4.9 |
| Microsoft Edge Information Disclosure Vulnerability | CVE-2018-8545 | No | No | - | - | Important | 4.3 | 3.9 |
| Microsoft Edge Spoofing Vulnerability | CVE-2018-8564 | No | No | - | - | Important | 4.3 | 3.9 |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2018-8574 | No | No | More Likely | More Likely | Important | | |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2018-8577 | No | No | More Likely | More Likely | Important | | |
| Microsoft Exchange Server Elevation of Privilege Vulnerability | CVE-2018-8581 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Graphics Components Remote Code Execution Vulnerability | CVE-2018-8553 | No | No | - | - | Critical | 7.4 | 6.7 |
| Microsoft JScript Security Feature Bypass Vulnerability | CVE-2018-8417 | No | No | More Likely | More Likely | Important | 4.5 | 4.5 |
| Microsoft Outlook Information Disclosure Vulnerability | CVE-2018-8558 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Outlook Information Disclosure Vulnerability | CVE-2018-8579 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Outlook Remote Code Execution Vulnerability | CVE-2018-8522 | No | No | More Likely | More Likely | Important | | |
| Microsoft Outlook Remote Code Execution Vulnerability | CVE-2018-8576 | No | No | More Likely | More Likely | Important | | |
| Microsoft Outlook Remote Code Execution Vulnerability | CVE-2018-8524 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Outlook Remote Code Execution Vulnerability | CVE-2018-8582 | No | No | More Likely | More Likely | Important | | |
| Microsoft PowerShell Remote Code Execution Vulnerability | CVE-2018-8256 | No | No | Less Likely | Less Likely | Important | 6.3 | 6.3 |
| Microsoft PowerShell Tampering Vulnerability | CVE-2018-8415 | No | No | Less Likely | Less Likely | Important | 3.3 | 3.3 |
| Microsoft Project Remote Code Execution Vulnerability | CVE-2018-8575 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft RemoteFX Virtual GPU miniport driver Elevation of Privilege Vulnerability | CVE-2018-8471 | No | No | Less Likely | Less Likely | Important | 7.0 | 7.0 |
| Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2018-8572 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2018-8568 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Information Disclosure Vulnerability | CVE-2018-8578 | No | No | - | - | Important | | |
| Microsoft Skype for Business Denial of Service Vulnerability | CVE-2018-8546 | No | No | Unlikely | Unlikely | Low | | |
| Microsoft Word Remote Code Execution Vulnerability | CVE-2018-8539 | No | No | - | - | Important | | |
| Microsoft Word Remote Code Execution Vulnerability | CVE-2018-8573 | No | No | More Likely | More Likely | Important | | |
| November 2018 Adobe Flash Security Update | ADV180025 | No | No | - | - | Important | | |
| Team Foundation Server Cross-site Scripting Vulnerability | CVE-2018-8602 | No | No | - | - | Important | | |
| Win32k Elevation of Privilege Vulnerability | CVE-2018-8562 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
| Win32k Information Disclosure Vulnerability | CVE-2018-8565 | No | No | - | - | Important | 4.7 | 4.2 |
| Windows ALPC Elevation of Privilege Vulnerability | CVE-2018-8584 | Yes | No | More Likely | More Likely | Important | 7.8 | 7.5 |
| Windows Audio Service Information Disclosure Vulnerability | CVE-2018-8454 | No | No | Less Likely | Less Likely | Important | 2.5 | 2.5 |
| Windows COM Elevation of Privilege Vulnerability | CVE-2018-8550 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Deployment Services TFTP Server Remote Code Execution Vulnerability | CVE-2018-8476 | No | No | More Likely | More Likely | Critical | 8.1 | 8.1 |
| Windows Elevation Of Privilege Vulnerability | CVE-2018-8592 | No | No | Less Likely | Less Likely | Important | 6.4 | 6.1 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2018-8408 | No | No | More Likely | More Likely | Important | 3.3 | 3.3 |
| Windows Scripting Engine Memory Corruption Vulnerability | CVE-2018-8552 | No | No | More Likely | More Likely | Important | 2.4 | 2.2 |
| Windows Search Remote Code Execution Vulnerability | CVE-2018-8450 | No | No | More Likely | More Likely | Important | 7.5 | 6.7 |
| Windows Security Feature Bypass Vulnerability | CVE-2018-8549 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows VBScript Engine Remote Code Execution Vulnerability | CVE-2018-8544 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8 |
| Windows Win32k Elevation of Privilege Vulnerability | CVE-2018-8589 | No | Yes | Detected | More Likely | Important | 7.8 | 7.5 |

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
 
SAP Disclosure Management CVE-2018-2487 Arbitrary File Overwrite Vulnerability
 
Adobe Flash Player Out-Of-Bounds Read CVE-2018-15978 Information Disclosure Vulnerability
 
This message, shown during Windows upgrades, is going to be salt in the wound.

Just over a month since its initial release, Microsoft is making the Windows 10 October 2018 Update widely available today. The update was withdrawn shortly after its initial release due to the discovery of a bug causing data loss.

New Windows 10 feature updates use a staggered, ramping rollout, and this (re)release is no different. Initially, it'll be offered only to two groups of people: those who manually tell their system to check for updates (and that have no known blocking issues due to, for example, incompatible anti-virus software), and those who use the media-creation tool to download the installer. If all goes well, Microsoft will offer the update to an ever-wider range of Windows 10 users over the coming weeks.

For the sake of support windows, Microsoft is treating last month's release as if it never happened; this release will receive 30 months of support and updates, with the clock starting today. The same is true for related products; Windows Server 2019 and Windows Server, version 1809, are both effectively released today.


 
Adobe Acrobat and Reader CVE-2018-15979 Information Disclosure Vulnerability
 
Adobe Photoshop CC CVE-2018-15980 Information Disclosure Vulnerability
 
SAP Basis CVE-2018-2478 Remote Code Execution Vulnerability
 
SAP NetWeaver CVE-2018-2476 Open Redirection Vulnerability
 
SAP NetWeaver Knowledge Management CVE-2018-2477 XML External Entity Injection Vulnerability
 
SAP BusinessObjects Business Intelligence CVE-2018-2483 Security Bypass Vulnerability
 
IBM DB2 Multiple Privilege Escalation Vulnerabilities
 

Posted by InfoSec News on Nov 12

https://www.cyberscoop.com/forescout-securitymatters-113m-acquisition/

By Zaid Shoorbajee
CYBERSCOOP
NOV 9, 2018

ForeScout Technologies, a network security company that focuses on
internet-of-things, operational technology and cloud computing, announced
on Thursday that it acquired OT security company SecurityMatters for $113
million.

With the increasing convergence of IT and OT, the purchase is meant to boost
ForeScout's ability to...
 

Posted by InfoSec News on Nov 12

https://techcrunch.com/2018/11/12/with-the-paris-call-macron-wants-to-limit-cyberattacks/

By Romain Dillet
Techcrunch.com
November 12, 2018

French President Emmanuel Macron gave a speech at the Internet Governance
Forum at the UNESCO in Paris. While the IGF has been around for a while,
it hasn’t been as active as some would have hoped.

That's why the French government is issuing the Paris Call, a short
three-page document on...
 

Posted by InfoSec News on Nov 12

https://www.newsweek.com/who-dimed-out-american-traitor-super-spy-robert-hanssen-1196080

By Jeff Stein
Newsweek.com
11/1/18

For over two decades, students of the spy wars between Russia and America
have pondered one of the great remaining mysteries of the Cold War: Who
finally dimed out Robert Hanssen, the FBI turncoat said to be the most
destructive traitor in the annals of U.S. intelligence?

Now we know, according to a posthumously...
 

Posted by InfoSec News on Nov 12

https://motherboard.vice.com/en_us/article/3k9zzk/hacking-team-hacker-phineas-fisher-has-gotten-away-with-it

By Lorenzo Franceschi-Bicchierai
Motherboard.Vice.com
Nov 12 2018

At 3:15 a.m. local Italian time on July 5, 2015, the usually quiet Twitter
account of the infamous spyware company Hacking Team posted a confusing
message: "Since we have nothing to hide, we're publishing our emails,
files, and source code."

The company,...
 

Posted by InfoSec News on Nov 12

https://www.independent.co.uk/life-style/gadgets-and-tech/news/pakistan-banks-data-stolen-dark-web-hackers-cyber-security-breach-a8630176.html

By Anthony Cuthbertson
The Independent
November 12, 2018

Hackers stole customer data from "almost all major Pakistani banks" and
placed it on the dark web, the country's cyber-crime chief has revealed.

The comments from Mohammad Shoaib, director of Pakistan's Federal
Investigation...
 