Magento CMS Multiple Cross-Site Request Forgery Vulnerabilities
 
Magento CMS Flash File Uploader Cross Site Scripting Vulnerability
 
PHP 'password_verify()' Function Out-of-Bounds Read Denial of Service Vulnerability
 

One of the Sierra Wireless devices that can be infected by Mirai. (credit: Sierra Wireless)

This week, the US government-backed ICS-CERT warned that the troubling new generation of computer attacks is powered by malware that can infect cellular modems used to connect automotive and industrial equipment to the Internet.

An advisory published Wednesday listed five industrial control devices manufactured by Sierra Wireless that are vulnerable to malware known as Mirai when default passwords that ship with the equipment aren't changed on the gateways. The advisory referenced a separate notice from Sierra Wireless (PDF) that reported infections have succeeded against actual devices by connecting to the ACEmanager, a graphical interface used to remotely administer and configure them.

The Sierra Wireless post stated:


 
Microsoft Internet Explorer and Edge CVE-2016-3382 Remote Memory Corruption Vulnerability
 
Microsoft Internet Explorer CVE-2016-3383 Remote Memory Corruption Vulnerability
 
Microsoft Internet Explorer CVE-2016-3384 Remote Memory Corruption Vulnerability
 

Introduction

Since Monday 2016-10-03, the pseudoDarkleech campaign has been using Rig exploit kit (EK) to distribute Cerber ransomware.

Shown above: An infection chain of events.

Let

Shown above: UDP traffic seen during this infection.

Traffic caused by this infection chain of events:

  • 5.200.55.214 port 80 - add.qualitiesforlife.com - Rig EK
  • 31.184.234.0 through 31.184.235.255 (31.184.234.0/23) port 6892 - UDP traffic caused by Cerber
  • 107.161.95.138 port 80 - ffoqr3ug7m726zou.nbz4dn.top - HTTP traffic caused by Cerber ransomware

Other domains from the Cerber ransomware decryption instructions:

  • ffoqr3ug7m726zou.19jmfr.top
  • ffoqr3ug7m726zou.5y6w0n.top
  • ffoqr3ug7m726zou.onion.to
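As an added example (not part of the diary), the script below runs the indicators listed above over a few constructed connection-log lines, the kind of check a defender would do against proxy or firewall logs after reading a post like this. The IPs, the 31.184.234.0/23 range, UDP port 6892 and the domains are the ones the diary lists; the log line format, the sample lines, the labels and all function names are my assumptions. The CIDR match is tied to protocol and port so that unrelated traffic into that hosting range does not fire.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Indicators as listed in the diary above. Labels are mine.
IP_INDICATORS = {
    "5.200.55.214": "Rig EK",
    "107.161.95.138": "Cerber HTTP traffic",
}

# (network, transport protocol, destination port, label)
CIDR_INDICATORS = [
    (ipaddress.ip_network("31.184.234.0/23"), "udp", 6892, "Cerber UDP traffic"),
]

DOMAIN_INDICATORS = {
    "add.qualitiesforlife.com": "Rig EK",
    "ffoqr3ug7m726zou.nbz4dn.top": "Cerber decryption instructions",
    "ffoqr3ug7m726zou.19jmfr.top": "Cerber decryption instructions",
    "ffoqr3ug7m726zou.5y6w0n.top": "Cerber decryption instructions",
    "ffoqr3ug7m726zou.onion.to": "Cerber decryption instructions",
}


@dataclass
class Conn:
    ts: str
    proto: str
    src: str
    dst: str
    dport: int
    host: Optional[str]  # HTTP Host / SNI if known, else None


@dataclass
class Hit:
    line_no: int
    indicator: str
    label: str


def parse_conn(line: str) -> Optional[Conn]:
    """Parse one line of the assumed log format:
    '<timestamp> <proto> <src_ip> <dst_ip> <dst_port> <host|->'.
    Returns None for blank or malformed lines rather than raising."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, proto, src, dst, dport, host = fields
    try:
        ipaddress.ip_address(dst)
        port = int(dport)
    except ValueError:
        return None
    return Conn(ts, proto.lower(), src, dst, port,
                None if host == "-" else host.lower())


def indicators_for(conn: Conn) -> List[Tuple[str, str]]:
    """Return every (indicator, label) pair this connection matches."""
    found = []
    if conn.dst in IP_INDICATORS:
        found.append((conn.dst, IP_INDICATORS[conn.dst]))
    dst_ip = ipaddress.ip_address(conn.dst)
    for net, proto, port, label in CIDR_INDICATORS:
        # Require protocol and port too: the /23 is a hosting range, not
        # every connection into it is the Cerber beacon.
        if dst_ip in net and conn.proto == proto and conn.dport == port:
            found.append((f"{net} {proto}/{port}", label))
    if conn.host and conn.host in DOMAIN_INDICATORS:
        found.append((conn.host, DOMAIN_INDICATORS[conn.host]))
    return found


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Scan log lines and report one Hit per matched indicator."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        conn = parse_conn(line)
        if conn is None:
            continue
        for indicator, label in indicators_for(conn):
            hits.append(Hit(n, indicator, label))
    return hits


# Constructed sample log: 192.168.1.50 is a hypothetical internal host.
SAMPLE_LOG = """
2016-10-04T14:02:11 tcp 192.168.1.50 5.200.55.214 80 add.qualitiesforlife.com
2016-10-04T14:02:35 udp 192.168.1.50 31.184.235.17 6892 -
2016-10-04T14:02:36 udp 192.168.1.50 31.184.236.1 6892 -
2016-10-04T14:03:01 tcp 192.168.1.50 93.184.216.34 443 example.com
2016-10-04T14:05:20 tcp 192.168.1.50 107.161.95.138 80 ffoqr3ug7m726zou.nbz4dn.top
2016-10-04T14:05:21 udp 192.168.1.50 31.184.234.9 53 -
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.strip().splitlines()):
        print(f"line {hit.line_no}: {hit.indicator} ({hit.label})")
```

Lines 1, 2 and 5 of the sample fire (line 1 and line 5 on both IP and hostname); line 3 sits just outside the /23, and line 6 is inside the range but on the wrong port and so stays quiet. For real logs, swap `parse_conn` for a parser of your own format and feed the lines from a file.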

A variant of Rig Exploit Kit

Since 2016-09-26, I've noticed a new variant of Rig EK. I believe it's one that security researcher Kafeine has designated RIG-v (link). Kafeine describes RIG-v as a VIP version of Rig EK. RIG-v uses a slightly different obfuscation for its landing page. It also displays some Neutrino-style traits and uses RC4 encryption. Luis Rocha has a good write-up on this version of Rig EK in two parts (part 1, part 2).

The Flash exploits used by RIG-v are similar to what I saw from Neutrino EK before it nearly disappeared last month (something also discussed by Kafeine). I still see a trickle of detections for Neutrino EK, but that's dwarfed by the amount of Rig EK (both regular Rig EK and the newer RIG-v) I find on a daily basis.

RIG-v is currently used by the pseudoDarkleech campaign to distribute Cerber ransomware. It's also being used by the Afraidgate campaign to distribute Locky ransomware. The other EK-based campaign I regularly track is the EITest campaign, and it currently uses what I now call regular Rig EK.

Shown above: RIG-v sends the payload (Cerber ransomware) as an encrypted binary.

Artifacts

Flash exploit sent by RIG-v:

  • File size: 50,368 bytes
  • SHA256 hash: b95fa5beddf64653bf88456ed521a0b7226d4fb4f5e8983b85ca5d03d8621be5
  • Location: C:\Users\[username]\AppData\Local\Microsoft\Windows\Temporary Internet Files\index[1].swf

Malware payload (Cerber ransomware):

  • File size: 481,175 bytes
  • SHA256 hash: a31a437f86ee5b5325b77d1956c19b3c144a8d1059b47a642992684ee68bbda0
  • Location:

Shown above: Desktop of the infected Windows host after rebooting.

Getting to the ransom payment page

This Cerber ransomware is a newer version I hadn't noticed until recently. Previous versions of Cerber left more artifacts on the desktop with the decryption instructions (a text file, an HTML file, a VBS file to generate spoken instructions, and a shortcut). This most recent version of Cerber leaves only one file on the desktop, an .HTA file.

Shown above: The web page that appeared when I clicked on one of the links from the HTA file.

Using the window generated by the HTA file, you can get to the decryption instructions. However, this requires getting past a different type of CAPTCHA than before. This newer Cerber variant uses an image-based CAPTCHA that requires multiple clicks to get through.

Shown above: The price to decrypt your files.

Final words

Like other ransomware, Cerber continues to be an evolving threat. I usually see Cerber distributed through EK traffic, but malicious spam (malspam) is another popular method for mass distribution of ransomware. However, these aren't the only vectors. Social media is another vector that's increasingly popular for more targeted attacks. One reader shared a story of being targeted with ransomware through a person contacting her on Skype (see comments from SaraTheEnthusiast at the end of this diary).

For EK traffic, properly-administered Windows hosts are not likely to be infected. As long as your Windows host is up-to-date and fully patched, your risk is minimal for ransomware delivered through an EK. If you're running Windows 10, you have little to worry about.

But enough people are running outdated versions of Windows that are un-patched or poorly-administered, so EK campaigns will continue. The pseudoDarkleech campaign has been using EKs to push ransomware, quite literally, for years now. And like other EK-based campaigns, it shows no signs of stopping.

Pcap and malware for this diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Apache Tomcat CVE-2016-6325 Local Privilege Escalation Vulnerability
 
Apache Tomcat CVE-2016-5388 Security Bypass Vulnerability
 
QEMU 'hw/dma/rc4030.c' Divide By Zero Denial of Service Vulnerability
 
QEMU '/hw/char/serial.c' Divide By Zero Denial of Service Vulnerability
 
OpenSSL CVE-2016-2178 Side Channel Attack Information Disclosure Vulnerability
 
Adobe Flash Player APSB16-32 Multiple Use After Free Remote Code Execution Vulnerabilities
 
Evernote for Windows DLL Loading Remote Code Execution Vulnerability
 
Siemens Automation License Manager Multiple Security Vulnerabilities
 
OSIsoft PI Web API 2015 R2 CVE-2016-8353 Account Permission Security Vulnerability
 
[security bulletin] HPSBNS03661 rev.1 - NonStop Backbox, Remote Disclosure of Information
 
Internet Storm Center Infocon Status