(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Introduction

It's been one month since my last diary on malicious spam (malspam) with links to malicious Word documents containing Hancitor [1]. Back then, we saw Hancitor use Pony to download Vawtrak malware. Since then, I've seen indicators for this type of malspam on a near-daily basis.

Recently, these emails have stopped leading to Vawtrak. Instead, I'm now seeing malware that triggers alerts for Terdot.A [2, 3, 4, 5, 6, 7]. Tools from my employer identify this malware as DELoader, and a Google search indicates Terdot.A and DELoader are the same thing.

For now, I'm keeping my flow chart open on the final malware. With that in mind, let
Shown above: Flow chart for the infection process.

The email

These emails generally have different subject lines each day, and they have spoofed sending addresses. The example I saw on 2017-02-09 was a fake message about a money transfer. It's similar to a wave of malspam seen the day before.

  • Date: Thursday, 2017-02-09 16:05 UTC
  • Received: from polsinelli.com [spoofed host name]
  • Message-ID: [email protected]
  • From: Polsinelli LLP [email protected] [spoofed sender]
  • Subject: RE:RE: wife tf

The link from the email contains a base64-encoded string representing the recipient's email address. Based on that string, the downloaded file will have the recipient's name from the email address.
Shown above: Fake money transfer email with link to a Word document.

The link from the malspam downloaded a Microsoft Word document. The document contains a malicious VB macro described as Hancitor, Chanitor or Tordal. I generally call it Hancitor. If you enable macros, the document retrieves a Pony downloader DLL.
Shown above: Enabling macros will activate Hancitor.

The traffic

Pattern-wise, URLs from this infection are similar to previous cases of Hancitor/Pony malspam reported I
Shown above: Infection traffic after activating macros in the Word document.

Alerts show post-infection traffic for Terdot.A/Zloader, which is consistent with recent infections I
Shown above: Alerts on the traffic using Security Onion with Suricata and the ETPRO ruleset.

Indicators of Compromise (IOCs)

Email link noted on Thursday 2017-02-09 to download the Hancitor Word document:

  • 187.17.111.102 port 80 - www.jasa.adv.br - GET /api/get.php?id=[base64 string]

Traffic after enabling macros on the Word document:

  • api.ipify.org - GET / [IP address check]
  • 91.226.93.57 port 80 - hadrylego.com - POST /ls5/forum.php [Hancitor callback]
  • 91.226.93.57 port 80 - hadrylego.com - POST /klu/forum.php [Hancitor callback]
  • 98.138.19.143 port 80 - caleduc.com - GET /blog/wp-content/themes/sketch/1 [call for Pony DLL]
  • 104.196.224.112 port 80 - main-meats.com - GET /1 [call for Pony DLL]
  • 199.204.248.138 port 80 - patsypie.com - GET /wp-content/themes/sketch/1 [call for Pony DLL]
  • 98.138.19.143 port 80 - caleduc.com - GET /blog/wp-content/themes/sketch/a1 [call for DELoader]
  • 104.196.224.112 port 80 - main-meats.com - GET /a1 [call for DELoader]
  • 199.204.248.138 port 80 - patsypie.com - GET /wp-content/themes/sketch/a1 [call for DELoader]
  • 91.221.37.160 port 80 - ughtoftritret.ru - POST /bdk/gate.php [DELoader callback]
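As an added example (not code from this diary), the following Python scans constructed proxy-log lines for the URL patterns in the IOC list above and decodes the base64 id= value from the Word-document link to recover the targeted recipient address described in the email section. The log layout, the rule labels and the sample address are assumptions; the domains and paths come from the list above.

```python
import base64
import binascii
import re

# Constructed proxy-log lines (not from the diary): "client method host path".
SAMPLE_LOG = """\
10.0.0.5 GET www.jasa.adv.br /api/get.php?id=am9obi5kb2VAZXhhbXBsZS5jb20=
10.0.0.5 GET api.ipify.org /
10.0.0.5 POST hadrylego.com /ls5/forum.php
10.0.0.5 GET caleduc.com /blog/wp-content/themes/sketch/1
10.0.0.5 GET caleduc.com /blog/wp-content/themes/sketch/a1
10.0.0.5 POST ughtoftritret.ru /bdk/gate.php
10.0.0.7 GET www.example.org /index.html
"""

# Path-based rules derived from the IOC list. Paths are matched rather than
# hosts or IPs because those rotate between malspam waves.
RULES = [
    ("GET",  re.compile(r"^/api/get\.php\?id=(?P<b64>[A-Za-z0-9+/=]+)$"), "Hancitor doc download link"),
    ("POST", re.compile(r"^/[a-z0-9]+/forum\.php$"), "Hancitor callback"),
    ("GET",  re.compile(r"^(?:/.*)?/1$"), "Pony DLL retrieval"),
    ("GET",  re.compile(r"^(?:/.*)?/a1$"), "DELoader retrieval"),
    ("POST", re.compile(r"^/[a-z0-9]+/gate\.php$"), "DELoader callback"),
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_recipient(b64):
    """Decode the id= value; return the e-mail address it encodes, or None."""
    try:
        text = base64.b64decode(b64, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.match(text) else None


def scan(log):
    """Return (client, host, label, recipient-or-None) for each matching line."""
    hits = []
    for line in log.splitlines():
        client, method, host, path = line.split(maxsplit=3)
        for rule_method, pattern, label in RULES:
            m = pattern.match(path)
            if method == rule_method and m:
                recipient = decode_recipient(m.group("b64")) if "b64" in m.groupdict() else None
                hits.append((client, host, label, recipient))
                break  # first matching rule wins
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The recovered recipient address tells the responder which mailbox received the lure, which is the address to check in mail logs for the rest of the wave.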

Associated file hashes:

Final words

As this campaign progresses, IOCs will continue to change, and I'm sure traffic patterns will continue to evolve.

Pcap and malware for this diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] https://isc.sans.edu/forums/diary/HancitorPonyVawtrak+malspam/21919
[2] http://malware-traffic-analysis.net/2017/01/25/index2.html
[3] http://malware-traffic-analysis.net/2017/01/30/index2.html
[4] http://malware-traffic-analysis.net/2017/01/31/index3.html
[5] http://malware-traffic-analysis.net/2017/02/01/index.html
[6] http://malware-traffic-analysis.net/2017/02/06/index2.html
[7] http://malware-traffic-analysis.net/2017/02/07/index.html


Encrypted connections established by at least 949 of the top 1 million websites are leaking potentially sensitive data because of a recently discovered software vulnerability in appliances that stabilize and secure Internet traffic, a security researcher said Thursday.

The bug resides in a wide range of firewalls and load balancers marketed under the F5 BIG-IP name. By sending specially crafted packets to vulnerable sites, an attacker can obtain small chunks of data residing in the memory of connected Web servers. The risk is that by stringing together enough requests, an attacker could obtain cryptographic keys or other secrets used to secure HTTPS sessions end users have established with the sites, security researcher Filippo Valsorda told Ars. He didn't identify the sites that tested positive in his scans, but results returned by a publicly available tool included with his vulnerability disclosure included the following:

  • www.adnxs.com
  • www.aktuality.sk
  • www.ancestry.com
  • www.ancestry.co.uk
  • www.blesk.cz
  • www.clarin.com
  • www.findagrave.com
  • www.mercadolibre.com.ar
  • www.mercadolibre.com.co
  • www.mercadolibre.com.mx
  • www.mercadolibre.com.pe
  • www.mercadolibre.com.ve
  • www.mercadolivre.com.br
  • www.netteller.com
  • www.paychex.com

Update: A little more than three hours after this post went live, a representative with AppNexus said its adnxs.com domain was no longer vulnerable.


 
 
MIT Kerberos KDC CVE-2016-3120 NULL Pointer Dereference Denial Of Service Vulnerability
 

Early today on 2017-02-09, a new vulnerability designated CVE-2016-9244 was announced by F5, affecting the company's BIG-IP appliances [1]. According to F5:

A BIG-IP SSL virtual server with the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory.

This new vulnerability has a website (https://ticketbleed.com/) and a logo.
Shown above: A creative logo for yet another vulnerability.

Ticketbleed.com (currently redirects to filippo.io/Ticketbleed) has interesting details about the discovery and timeline. It also has a link for a complete technical walkthrough on the vulnerability.

At this point, organizations using F5 products will start spinning up their security teams to determine if they are impacted. As I write this, it's shortly after midnight in the US Central Time Zone. Later, as the business day begins, leadership in many organizations will be asking about Ticketbleed. Some will find echoes of 2014's Heartbleed vulnerability in this. As I just heard from a fellow security professional, "There goes my tomorrow."

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] https://support.f5.com/csp/article/K05121675
[2] https://www.theregister.co.uk/2017/02/09/f5s_bigip_leaks_lots_of_little_chunks_of_memory/


Introduction

At the end of January 2017, BleepingComputer published a report about an updated variant of CryptoMix (CryptFile2) ransomware calling itself CryptoShield [1]. It was first discovered by Proofpoint security researcher Kafeine. At that time, CryptoShield was distributed by the EITest campaign using Rig exploit kit (EK).

Since then, other researchers continued seeing CryptoShield from EITest Rig EK. I've already documented this Rig EK/CryptoShield combo twice [2, 3], and it shows no signs of stopping.

With that in mind, let's look at a recent infection generated on Wednesday, 2017-02-08.

Traffic

As I
Shown above: Flow chart for this infection traffic.

I tried the site and saw injected EITest script leading to a Rig EK landing page.
Shown above: Pcap of traffic from the second infection filtered in Wireshark.

ng the site, the Windows host was infected. I first saw an application error, then received a User Account Control (UAC) notification. After clicking through those two popup notifications, the host was fully infected. The infected Windows host then showed indicators of CryptoShield.
Shown above: Screenshot of the infected Windows host.

Malware

CryptoShield uses .CRYPTOSHIELD as the suffix for any files it encrypts. Based on the HTML file, the sample I saw (the same sample during both infections) was version 1.1 of the ransomware.
Shown above: Windows Registry update and file location for the ransomware.

Indicators of compromise (IOCs)

Rig EK IP address and domains:

  • 194.87.93.53 port 80 - need.southpadreforsale.com
  • 194.87.93.53 port 80 - star.southpadrefishingguide.com

Post infection traffic from the CryptoShield sample:

  • 45.63.115.214 port 80 - 173.66.46.112 - POST /images/gif_png/gif.php

File information for the Rig EK Flash exploit:

File information for the Rig EK payload:

  • SHA256 hash: 8ce1ce2e7b15cadee04ce6b32c30531e808e2869200d39e04f43788ec21283ac
  • File description: CryptoShield ransomware
  • File location: C:\Users\[username]\AppData\Local\Temp\rad4F812.tmp.exe
  • File location: C:\Users\[username]\AppData\Local\Temp\rad1BB53.tmp.exe
  • File location: C:\ProgramData\MicroSoftTMP\system32\winlogon.exe

Final words

Thanks to the people on Twitter who tweet information about compromised websites leading to Rig EK. Without help from the community, this type of traffic would be much harder to obtain.

Rig EK has been around for a while. I wrote a diary about Rig EK back in April 2015, and Rig EK was active well before then. As always, if you follow best security practices (keep your Windows computer up-to-date and patched), your risk of infection is minimal. Unfortunately, not enough people follow best practices, so it apparently remains profitable for criminals to continue using Rig EK as a method of malware distribution.

For now, CryptoShield ransomware from Rig EK remains a continuing presence in our threat landscape.

Pcaps, malware, and artifacts for this diary are available here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] https://www.bleepingcomputer.com/news/security/cryptomix-variant-named-cryptoshield-1-0-ransomware-distributed-by-exploit-kits/
[2] http://www.malware-traffic-analysis.net/2017/01/31/index2.html
[3] http://www.malware-traffic-analysis.net/2017/02/06/index.html
[4] http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-angler-exploit-kit-part-1-exploit-kit-fundamentals/
