Introduction

Until recently, I hadn't personally seen much malicious spam (malspam) using Microsoft Office documents with Hancitor-based Visual Basic (VB) macros to send Pony and Vawtrak. It still happens, though. Occasionally, I'll find a report like this one from 2016-12-19, where Hancitor/Pony/Vawtrak malspam was disguised as a LogMeIn account notification, but I rarely come across an example on my own. And apparently, there's been a recent lull in Hancitor/Pony/Vawtrak malspam until yesterday.

This diary describes a wave of Hancitor/Pony/Vawtrak malspam from Tuesday 2017-01-10.

The malspam

The example I saw was a fake parking ticket notification.

  • Date/Time: Tuesday, 2017-01-10 20:25:41 UTC
  • Received from: kennedyslaw.com
  • Message-Id: [email protected]
  • From: [email protected]
  • Subject:

Shown above: The fake parking ticket notification with a link to a Word document.

The link from the malspam downloaded a Microsoft Word document. The document contains a malicious VB macro described as Hancitor, Chanitor or Tordal. I generally call it Hancitor. If you enable macros, the document retrieves a Pony downloader DLL.

Shown above: Flow chart of the infection process.

The link from the email contains a base64-encoded string representing the recipient's email address. Based on that string, the downloaded file will have the recipient's name from the email address.

Shown above: Infection traffic after activating macros in the Word document.

...any Vawtrak-specific activity until you start your browser and try to look at something. Once you do, you...

Shown above: Alerts on the traffic using Security Onion with Suricata and the ETPRO ruleset.

Indicators of Compromise (IOCs)

Email links noted on Tuesday 2017-01-10 to download the Hancitor Word document:

  • 202.189.180.194 port 80 - www.dreampark.co.jp - GET /api/get.php?id=[base64 string]
  • 123.30.182.73 port 80 - www.thienyhotel.vn - GET /api/get.php?id=[base64 string]

Traffic after enabling macros on the Word document:

  • api.ipify.org - GET / [IP address check]
  • 80.78.251.134 port 80 - tinhorecrin.com - POST /ls5/forum.php [Hancitor callback]
  • 80.78.251.134 port 80 - tinhorecrin.com - POST /klu/forum.php [Hancitor callback]
  • 80.78.251.134 port 80 - tinhorecrin.com - POST /borjomi/gate.php [Hancitor callback]
  • 206.196.99.49 port 80 - www.mi4nd.com - GET /wp-includes/pm1.dll [DLL for Pony]
  • 206.196.99.49 port 80 - www.mi4nd.com - GET /wp-includes/pm2.dll [DLL for Pony]
  • 178.77.97.61 port 80 - www.worstofbreed.net - GET /wp-content/themes/redoable/inst.exe [EXE for Vawtrak]

Vawtrak traffic noted after trying to browse the web:

  • 94.242.55.154 port 80 - 94.242.55.154 - HTTP post-infection Vawtrak callback
  • 94.242.55.154 port 443 - geholso.com - HTTPS/SSL/TLS post-infection Vawtrak callback
  • 5.196.129.108 port 443 - ojfbgnruqe.com - HTTPS/SSL/TLS post-infection Vawtrak callback

Associated file hashes:
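As an added example (not part of this diary or its pcap), the Python below turns the hosts and paths listed above into a small log-scanning routine: it classifies each request by infection stage and, for the document link, decodes the base64 id= parameter that the diary says carries the recipient's email address, which tells an analyst who was targeted. The "client method url" log format, the 10.0.0.x clients and the encoded address are constructed sample data.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Hosts and URL paths copied from the diary's IOC list above.
HANCITOR_DOC_HOSTS = {"www.dreampark.co.jp", "www.thienyhotel.vn"}
HANCITOR_DOC_PATH = "/api/get.php"
POST_MACRO_IOCS = {
    ("tinhorecrin.com", "/ls5/forum.php"),
    ("tinhorecrin.com", "/klu/forum.php"),
    ("tinhorecrin.com", "/borjomi/gate.php"),
    ("www.mi4nd.com", "/wp-includes/pm1.dll"),
    ("www.mi4nd.com", "/wp-includes/pm2.dll"),
    ("www.worstofbreed.net", "/wp-content/themes/redoable/inst.exe"),
}
VAWTRAK_C2_HOSTS = {"94.242.55.154", "geholso.com", "ojfbgnruqe.com"}
# api.ipify.org is a legitimate IP-check service seen in the traffic; it is
# too common to alert on by itself, so it is deliberately left out.

# Constructed proxy log lines (not from the diary's pcap): "client method url".
SAMPLE_LOG = """\
10.0.0.5 GET http://www.dreampark.co.jp/api/get.php?id=dXNlckBleGFtcGxlLmNvbQ==
10.0.0.5 GET http://api.ipify.org/
10.0.0.5 POST http://tinhorecrin.com/ls5/forum.php
10.0.0.5 GET http://www.mi4nd.com/wp-includes/pm1.dll
10.0.0.7 GET http://www.example.com/index.html
10.0.0.5 POST https://geholso.com/
"""


def decode_recipient(url):
    """Decode the base64 id= parameter of a Hancitor document link.

    The diary notes this parameter encodes the recipient's e-mail address.
    Returns None when the parameter is absent or is not valid base64.
    """
    value = parse_qs(urlsplit(url).query).get("id", [""])[0]
    if not value:
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify_url(url):
    """Map a URL to the infection stage its host/path matches, or None."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path
    if host in HANCITOR_DOC_HOSTS and path == HANCITOR_DOC_PATH:
        return "hancitor-doc-download"
    if (host, path) in POST_MACRO_IOCS:
        return "post-macro-payload"
    if host in VAWTRAK_C2_HOSTS:
        return "vawtrak-c2"
    return None


def scan_log(log_text):
    """Return one finding per log line whose URL matches an IOC."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _method, url = line.split(maxsplit=2)
        stage = classify_url(url)
        if stage is None:
            continue
        recipient = decode_recipient(url) if stage == "hancitor-doc-download" else None
        findings.append({"client": client, "url": url, "stage": stage, "recipient": recipient})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["stage"], finding["url"], finding["recipient"] or "")
```

Matching on host plus path rather than host alone matters for the compromised WordPress sites (www.mi4nd.com, www.worstofbreed.net): the sites themselves may be legitimate, so only the specific payload paths should raise an alert.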

Final words

Speaking as a security professional, we often become jaded as yet another wave of malspam does the same thing it's done before. Patterns behind such activity are often well-documented. So why bother with discussion, if there's nothing new? Why bother talking about it, when we have the technical means to prevent these types of infections?

Why indeed! That attitude only encourages the criminal groups behind malspam. For various reasons, many environments don't follow best security practices, and they're still vulnerable. If we discuss on-going waves of malspam in high-visibility forums like this one, more people will be aware of the threat.

I encourage security professionals to routinely check sites like blog.dynamoo.com, myonlinesecurity.co.uk, and techhelplist.com. Many folks also have Twitter channels with even more timely updates.

If you know any blogs or Twitter channels you find helpful, feel free to leave a comment below. Let's keep the discussion going!

Pcap and malware for this diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Foxit Reader for Linux Unspecified Stack Buffer Overflow Vulnerability
 
Foxit Reader and PhantomPDF Multiple Security Vulnerabilities
 
Foxit PDF Toolkit Memory Corruption Vulnerability
 
OSIsoft PI Coresight and PI Web API CVE-2017-5153 Information Disclosure Vulnerability
 

A computer infected by Shamoon System is unable to find its operating system. (credit: Palo Alto Networks)

There's a new variant of the Shamoon disk-wiping malware that was originally unleashed on Saudi Arabia's state-owned oil company in 2012, and it has a newly added ability to destroy virtual desktops, researchers said.

The new strain is at least the second Shamoon variant to be discovered since late November, when researchers detected the return of disk-wiping malware after taking a more than four-year hiatus. The variant was almost identical to the original one except for the image that was left behind on sabotaged computers. Whereas the old one showed a burning American flag, the new one displayed the iconic photo of the body of Alan Kurdi, the three-year-old Syrian refugee boy who drowned as his family tried to cross from Turkey to Greece. Like the original Shamoon, which permanently destroyed data on more than 30,000 work stations belonging to Saudi Aramco, the updates also hit one or more Saudi targets that researchers have yet to name.

According to a blog post published Monday night by researchers from Palo Alto Networks, the latest variant has been updated to include legitimate credentials to access virtual systems, which have emerged as a key protection against Shamoon and other types of disk-wiping malware. The actor involved in this attack could use these credentials to manually log into so-called virtual management infrastructure management systems to attack virtual desktop products from Huawei, which can protect against destructive malware through its ability to load snapshots of wiped systems.


 
Microsoft Edge CVE-2017-0002 Remote Privilege Escalation Vulnerability
 
Microsoft Windows LSASS CVE-2017-0004 Local Denial of Service Vulnerability
 
Ansible CVE-2016-9587 Arbitrary Command Execution Vulnerability
 
KDE Ark CVE-2017-5330 Arbitrary Code Execution Vulnerability
 
ESA-2016-096: EMC Celerra, VNX1, VNX2 and VNXe SMB NTLM Authentication Weak Nonce Vulnerability
 
Directadmin ControlPanel 1.50.1 denial of service Vulnerability
 
ESA-2016-096: EMC Celerra, VNX1, VNX2 and VNXe SMB NTLM Authentication Weak Nonce Vulnerability
 
ESA-2016-096: EMC Celerra, VNX1, VNX2 and VNXe SMB NTLM Authentication Weak Nonce Vulnerability
 
libgit2 'smart_pkt.c' Buffer Overflow Vulnerability
 
Adobe Acrobat and Reader APSB17-01 Multiple Buffer Overflow Vulnerabilities
 
Adobe Flash Player APSB17-02 Multiple Heap Buffer Overflow Vulnerabilities
 
Adobe Acrobat and Reader Multiple Unspecified Heap Buffer Overflow Vulnerabilities
 

If your job today is to apply Microsoft patches: You get to go home early today! I think this is the lightest patch Tuesday ever.

Microsoft today released 3 bulletins itself plus one for Adobe. While two of the vulnerabilities are publicly known, they only affect non-critical updates: a privilege escalation vulnerability in Microsoft Edge (CVE-2017-0002) and a denial of service vulnerability in LSASS (CVE-2017-0004). For the first time in many, many months there is no Internet Explorer update this month.

You can find all the details again via our MSFT Patch page: https://isc.sans.edu/mspatchdays.html?viewday=2017-01-10 or our API if you prefer a more structured format: https://isc.sans.edu/api/getmspatchday/2017-01-10

I doubt that Microsoft ran out of vulnerabilities to fix, but due to the holidays at the end of December, they likely had less time to fix existing vulnerabilities. January has historically been a light month.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Adobe today released a security update for Flash (APSB17-02) and it updated an update released last week for Acrobat/PDF Reader (APSB17-01).

The Acrobat/PDF Reader update addresses 29 vulnerabilities. Many of these vulnerabilities are considered critical as they can lead to code execution, but currently, there are no known exploits available according to Adobe. Later today, we should expect an update from Microsoft addressing these issues in Microsoft products that include Flash.

The Flash update fixes 13 vulnerabilities and exploitation of some of these vulnerabilities may also lead to code execution. Adobe considers this update a higher priority than the PDF Reader update.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
RETIRED: Ghostscript Multiple Security Vulnerabilities
 
Ghostscript CVE-2016-7979 Remote Code Execution Vulnerability
 
Ghostscript CVE-2016-7978 Remote Code Execution Vulnerability
 
Ghostscript CVE-2016-7976 Remote Command Execution Vulnerability
 
PHPMailer CVE-2017-5223 Local Information Disclosure Vulnerability
 
DLink DGS-1100 Switch CVE-2016-10125 Local Hardcoded SSL Certificate Vulnerability
 
Directadmin ControlPanel 1.50.1 Cross-Site-Scripting Vulnerability
 

Thanks to Bj

c1 00 00 00 00 14 00 00 63 6f 6e 66 69 67 00 00    c. o. n. f. i. g
31 00 00 00 00 00 00 00

{ Enable : 1, MapTable : [
{ Enable : 1, InnerPort : 85, OuterPort : 85, Protocol : TCP, ServiceName : HTTP },
{ Enable : 1, InnerPort : 37777, OuterPort : 37777, Protocol : TCP, ServiceName : TCP },
{ Enable : 1, InnerPort : 37778, OuterPort : 37778, Protocol : UDP, ServiceName : UDP },
{ Enable : 1, InnerPort : 554, OuterPort : 554, Protocol : TCP, ServiceName : RTSP },
{ Enable : 1, InnerPort : 23, OuterPort : 23231, Protocol : TCP, ServiceName : TELNET },
{ Enable : 1, InnerPort : 23, OuterPort : 23123, Protocol : TCP, ServiceName : NEW } ] }

The payload appears to attempt to configure port forwarding rules, which is typically done via UPNP (and UPNP has been heavily abused, but is typically not reachable from the outside). But the requests are different from UPNP in some ways:

  • UPNP usually uses HTTP-like headers. These requests do not use any readable headers, just a brief binary preamble.
  • UPNP typically uses UDP. These requests arrive over TCP.
  • UPNP uses XML/SOAP for its payload. These requests use what looks like JSON.

Some newer versions of UPNP allow for REST/JSON instead of the older SOAP/XML format. But this still doesn't explain the missing headers. Port 37777 is typically used to stream video from CCTV DVRs, not for configuration. But then again, it is possible that some DVRs do accept configuration commands like the one shown above. But a request like this should probably be directed at the gateway/router, not the DVR.
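To make the payload above easier to reason about, here is an added Python example (mine, not the reader's capture or any DVR vendor's code). It splits a probe into the binary preamble and the JSON-like body at the first "{", pulls the readable tag ("config") out of the preamble, quotes the bare identifiers so the relaxed syntax parses as strict JSON, and then flags the forwarding rules a defender would care about: the two that would expose the device's telnet port (23) on a different outer port. The sample bytes are a constructed reconstruction of the dump shown above, and the assumption that the body starts at the first "{" is mine.

```python
import json
import re

# Constructed sample modelled on the bytes shown above (a hypothetical
# reconstruction, not the reader's actual capture).
HEADER = bytes.fromhex("c100000000140000" "636f6e6669670000" "3100000000000000")
BODY = (
    b"{ Enable : 1, MapTable : [ "
    b"{ Enable : 1, InnerPort : 85, OuterPort : 85, Protocol : TCP, ServiceName : HTTP }, "
    b"{ Enable : 1, InnerPort : 37777, OuterPort : 37777, Protocol : TCP, ServiceName : TCP }, "
    b"{ Enable : 1, InnerPort : 37778, OuterPort : 37778, Protocol : UDP, ServiceName : UDP }, "
    b"{ Enable : 1, InnerPort : 554, OuterPort : 554, Protocol : TCP, ServiceName : RTSP }, "
    b"{ Enable : 1, InnerPort : 23, OuterPort : 23231, Protocol : TCP, ServiceName : TELNET }, "
    b"{ Enable : 1, InnerPort : 23, OuterPort : 23123, Protocol : TCP, ServiceName : NEW } ] }"
)
SAMPLE_PROBE = HEADER + BODY

# A bare identifier (letters/underscore start) not already inside quotes.
BARE_WORD = re.compile(r'(?<!["\w])([A-Za-z_]\w*)(?!["\w])')


def split_probe(data):
    """Split a probe into (binary preamble, JSON-like body) at the first '{'.

    Assumption: the preamble never contains a '{' byte.
    """
    idx = data.find(b"{")
    if idx < 0:
        raise ValueError("no JSON-like body found")
    return data[:idx], data[idx:]


def preamble_tag(preamble):
    """Return the longest printable ASCII run in the preamble ('config' above)."""
    runs = re.findall(rb"[\x20-\x7e]{3,}", preamble)
    return max(runs, key=len).decode("ascii") if runs else ""


def parse_body(body):
    """Quote bare identifiers so the relaxed syntax becomes strict JSON, then parse it."""
    text = BARE_WORD.sub(r'"\1"', body.decode("ascii", errors="replace"))
    return json.loads(text)


def risky_rules(config):
    """Flag enabled forwarding rules that expose telnet or remap a port."""
    flagged = []
    for rule in config.get("MapTable", []):
        if not rule.get("Enable"):
            continue
        reasons = []
        if rule["InnerPort"] == 23:
            reasons.append("exposes telnet")
        if rule["InnerPort"] != rule["OuterPort"]:
            reasons.append("outer port differs from inner port")
        if reasons:
            flagged.append((rule["OuterPort"], rule["Protocol"], rule["ServiceName"], reasons))
    return flagged


def analyse_probe(data):
    """Decode one probe and summarise what it would configure."""
    preamble, body = split_probe(data)
    config = parse_body(body)
    return {
        "tag": preamble_tag(preamble),
        "rules": len(config.get("MapTable", [])),
        "risky": risky_rules(config),
    }


if __name__ == "__main__":
    print(analyse_probe(SAMPLE_PROBE))
```

The interesting finding from the parse is not the video or RTSP ports, which map 1:1, but the two rules that put telnet behind high-numbered outer ports (23231 and 23123); if a device honoured this, its management interface would become reachable on ports that no one is watching.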

[1] https://blgg.no/2017/01/probes-towards-tcp37777/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Real estate transactions are some of the higher value transactions performed by individuals and organizations. They often exceed hundreds of thousands of dollars in value, and for commercial properties, millions of dollars are quite normal. Many buyers and sellers are not familiar with what is normal when it comes to real estate transactions. Over the last few years, we have seen this exploited in a specific form of Business E-Mail Compromise, where an attacker is injecting e-mails into conversations to trick the victim to transfer money to the wrong account.

A weak link in this transaction is often the realtor. Realtors' e-mail addresses are easy to find. Many realtors work more or less on their own and do not benefit from a corporate IT department with security monitoring. Instead, they use public webmail systems and heavily rely on cloud-based file sharing systems and e-mail attachments to exchange documents.

Recently, a realtor aware of this issue forwarded me the following exchange. Initially, the realtor received an e-mail that is very typical for the type of e-mail realtors receive from new clients:

Hi My name is James . I got your contact while searching for good realtor in Florida. My Partner and I are planning to relocate to the area by year end and would be interested in buying a house. Are you full time realtor?. Are we also suppose to contact bank as we are very new to this.

The realtor sent more or less a standard reply:

Hi, James: I will be very happy to help you with finding a home here. The first step is to get a mortgage pre approval letter. If you do not have any mortgage agent, I can recommend some. Give me a call when you have time.

Note that the realtor is asking for a mortgage pre-approval letter. This is a common first step to find out how much money the buyer can spend on a new house. Of course, James responded the next day:

Thanks for getting back to me on my request to purchase a house and sorry for the late response . I have been busy with some project . I actually got your contact while looking for good realtors online . Presently i live in Palos Hills Chicago, but i wish to have a property in your state for Income Revenue.Am interested in purchasing a 3 to 4 bed room house with a large parking garage ( a house with a pool within our price range will be perfect ). I was told i needed pre approval so i obtained it from my bank. I have shared it with you as well as details on desired location and what Im looking for via google docs . Check it and let me know so i can call you when i finish from meeting to decide when to come and view the property.
Kind Regards James
Approval letter.pdf

Again, the e-mail is in line with what you would expect from a buyer. Note the link to the Approval Letter. This is where things get more interesting.

The link went to http:// myrealestategoogldrive .atspace.cc/ . A fairly plausible URL for a link like this. There are dozens of different file sharing sites out there, and this hostname is certainly in line with what a realtor would consider normal.

The site has been taken down now, but it offered a login screen asking for the realtor's webmail credentials. This is where the realtor contacting me got suspicious, so we do not know what James would have done with the credentials. But typically, the next steps involve:

  • James will use the realtor's e-mail credentials to log into the webmail system
  • Then, James will add a Forward address. This way, James will receive copies of all e-mails sent to the realtor
  • Once an e-mail comes across the realtor's inbox asking for bank details to wire money, James will reply with his information
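The forwarding rule in the second step is the artifact a defender can actually look for. As an added example (not from the diary, and not tied to any particular webmail product), the Python below audits a constructed export of mailbox forwarding rules and flags two things: forwards whose destination is outside the organisation's own domain, and forwards created within a recent review window. The export format, the organisation domain example-realty.test and the rule entries are all constructed sample data.

```python
from datetime import datetime, timedelta

ORG_DOMAIN = "example-realty.test"  # hypothetical organisation domain

# Constructed forwarding-rule export (hypothetical format; not from any real webmail).
FORWARDING_RULES = [
    {"mailbox": "agent1@example-realty.test",
     "forward_to": "agent1.archive@example-realty.test",
     "created": "2017-01-02T09:00:00"},
    {"mailbox": "agent2@example-realty.test",
     "forward_to": "james.buyer.2017@freemail.invalid",
     "created": "2017-01-09T23:41:00"},
    {"mailbox": "agent3@example-realty.test",
     "forward_to": "",
     "created": "2016-11-15T10:00:00"},
    {"mailbox": "agent4@example-realty.test",
     "forward_to": "assistant@example-realty.test",
     "created": "2017-01-08T15:30:00"},
]


def domain_of(address):
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def audit_forwards(rules, org_domain, now, recent=timedelta(days=7)):
    """Return findings for rules that forward externally or were created recently.

    Each finding lists the mailbox, the destination and the reasons it was flagged.
    Rules with an empty destination are ignored.
    """
    findings = []
    for rule in rules:
        dest = (rule.get("forward_to") or "").strip()
        if not dest:
            continue
        reasons = []
        if domain_of(dest) != org_domain.lower():
            reasons.append("external destination")
        if now - datetime.fromisoformat(rule["created"]) <= recent:
            reasons.append("created within review window")
        if reasons:
            findings.append({"mailbox": rule["mailbox"], "forward_to": dest, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_forwards(FORWARDING_RULES, ORG_DOMAIN, datetime(2017, 1, 10, 12, 0)):
        print(finding["mailbox"], "->", finding["forward_to"], ";", ", ".join(finding["reasons"]))
```

A rule that hits both conditions, like agent2's forward to a free webmail address created the night before, is the pattern the diary describes; an internal forward that is merely new (agent4) is worth a glance but is usually legitimate.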

The result, if successful, is that the buyer transfers money to the wrong account. Sadly, these wire transfers (ACH Transfers) are often not reversible. The money will typically go first to a domestic account that James is monitoring, and as soon as the money arrives, it will be forwarded to a foreign account at which point the trail of the money often gets lost.

Yes, the e-mails from James contain typos and bad grammar. But realtors will typically happily do business with you even if you are not an expert in the use of the English language.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 