(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Cisco Firepower Management Center and FireSIGHT System Software Security Bypass Vulnerability
 
MuJS Multiple Heap Based Buffer Overflow Vulnerabilities
 

A recently fixed security vulnerability that affected both the Firefox and Tor browsers had a highly unusual characteristic that caused it to threaten users only during temporary windows of time that could last anywhere from two days to more than a month.

As a result, the cross-platform, malicious code-execution risk most recently visited users of browsers based on the Firefox Extended Support Release (ESR) on September 3 and lasted until Tuesday, a total of 17 days. The same Firefox version was vulnerable for an even longer window last year, starting on July 4 and lasting until August 11. The bug was scheduled to reappear for a few days in November and for five weeks in December and January. Both the Tor Browser and the production version of Firefox were vulnerable during similarly irregular windows of time.

While the windows were open, the browsers failed to enforce a security measure known as certificate pinning when automatically installing NoScript and certain other browser extensions. That meant an attacker who held a man-in-the-middle position and a forged certificate impersonating a Mozilla server could surreptitiously install malware on a user's machine. While it can be challenging to hack a certificate authority or trick one into issuing the necessary certificate for addons.mozilla.org, such a capability is well within the means of nation-sponsored attackers, who are precisely the sort of adversaries included in the Tor threat model. Such an attack, however, was only viable during the periods when the Mozilla-supplied "pins" had expired: the pins ship inside the browser with a built-in expiration date, and once that date passes the browser falls back to ordinary certificate-authority validation until a new release carries fresh pins.
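As an added illustration, not code from the article or from Mozilla, the time-dependent check in Python: a static pin set with a built-in expiry, the lapsing behaviour the article describes placed beside a fail-closed variant. The SPKI byte strings, the expiry date and the fail-closed policy are assumptions made for the example; the pin format (SHA-256 over the DER SubjectPublicKeyInfo) is the one HPKP and Firefox's static pins use.

```python
import hashlib
from datetime import datetime, timezone

# A pin is the SHA-256 digest of a certificate's DER-encoded SubjectPublicKeyInfo.
# These SPKI byte strings are constructed stand-ins, not real keys.
GENUINE_SPKI = b"constructed-genuine-addons.mozilla.org-spki"
FORGED_SPKI = b"constructed-spki-from-a-mis-issued-certificate"

def spki_pin(spki_der: bytes) -> str:
    return hashlib.sha256(spki_der).hexdigest()

# Static pin set shipped with the browser. The expiry date is illustrative (the start of the
# ESR window described above); Mozilla's real pin list and dates are not reproduced here.
PIN_SET = {
    "host": "addons.mozilla.org",
    "pins": {spki_pin(GENUINE_SPKI)},
    "expires": datetime(2016, 9, 3, tzinfo=timezone.utc),
}
BEFORE_EXPIRY = datetime(2016, 8, 1, tzinfo=timezone.utc)   # pins still enforced
AFTER_EXPIRY = datetime(2016, 9, 10, tzinfo=timezone.utc)   # inside the vulnerable window

def verify_lapsing(host: str, leaf_spki: bytes, now: datetime, ca_valid: bool) -> bool:
    """The failure mode described above: once the built-in pin set has expired, pinning is
    silently skipped and any CA-valid certificate for the host is accepted."""
    if not ca_valid:
        return False
    if host != PIN_SET["host"]:
        return True                          # host is not pinned at all
    if now > PIN_SET["expires"]:
        return True                          # pins lapsed: CA validation alone decides
    return spki_pin(leaf_spki) in PIN_SET["pins"]

def verify_fail_closed(host: str, leaf_spki: bytes, now: datetime, ca_valid: bool) -> bool:
    """Assumed hardening for a software-update channel: an expired pin set is treated as a
    pinning failure (and a sign the client is overdue for an update) rather than as permission
    to trust any CA-issued certificate."""
    if not ca_valid:
        return False
    if host != PIN_SET["host"]:
        return True
    if now > PIN_SET["expires"]:
        return False                         # refuse the update instead of falling back
    return spki_pin(leaf_spki) in PIN_SET["pins"]

if __name__ == "__main__":
    for label, when in (("before expiry", BEFORE_EXPIRY), ("after expiry", AFTER_EXPIRY)):
        print(label, "lapsing accepts forged cert:",
              verify_lapsing(PIN_SET["host"], FORGED_SPKI, when, ca_valid=True),
              "| fail-closed accepts forged cert:",
              verify_fail_closed(PIN_SET["host"], FORGED_SPKI, when, ca_valid=True))
```

The forged certificate is modelled with `ca_valid=True` because the attack in the article presupposes a mis-issued but otherwise trusted certificate; the genuine key passes both checks while the pins are fresh, and only the lapsing verifier ever accepts the forged one.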


 
Multiple IBM Products CVE-2016-5945 Arbitrary File Upload Vulnerability
 
Multiple IBM Products CVE-2016-5944 Cross Site Scripting Vulnerability
 
Cisco Cloud Services Platform CVE-2016-6374 Command Execution Vulnerability
 
Multiple IBM Products CVE-2016-5947 Clickjacking Vulnerability
 

Introduction

Malicious spam (malspam) campaigns sending Locky ransomware are nothing new. We see reports of it on a near daily basis [1, 2]. But last month, Locky ransomware changed. It used to be downloaded as an executable file, but now its being implemented as a DLL [3]. I looked into Locky earlier this month and reported some data on my personal blog [4]. As common as Locky malspam is, I think this near-daily phenomenon deserves another round of investigation.

For this diary, I reviewed 20 samples of Locky malspam found on Tuesday 2016-09-20.
Shown above: Various senders and subject lines from Locky malspam on Tuesday, 2016-09-20.

The malspam all contained zip archives as file attachments. Those zip archives contained either a .js file or a .wsf file. The .js files contain JavaScript and can be run with Windows Script Host by double-clicking the file. The .wsf file extension is used for a Windows Script File, which Windows Script Host also runs and which can embed JScript or VBScript inside an XML wrapper.
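As an added example (not code from the diary or from its author), a mail-gateway style check in Python that opens each zip attachment and flags members with Windows Script Host extensions. The .js and .wsf extensions are the ones observed here; the other extensions in the set, the constructed sample message and its addresses are assumptions made for the example.

```python
from __future__ import annotations
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows Script Host executes on double-click. The diary observed .js and .wsf;
# the others are the remaining WSH file types, included as an assumption about what to block.
WSH_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")

def suspicious_members(zip_bytes: bytes) -> list[str]:
    """Names inside a zip archive whose final extension is a WSH script type."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for name in zf.namelist():
                # Test the final extension so double extensions like "invoice.pdf.js" still match.
                if name.lower().endswith(WSH_EXTENSIONS):
                    hits.append(name)
    except zipfile.BadZipFile:
        pass  # not a zip at all: nothing for this check to report
    return hits

def scan_message(raw: bytes) -> list[tuple[str, list[str]]]:
    """Walk every attachment; for zip archives (detected by magic bytes, not by the declared
    type or name) return the attachment name and its WSH script members."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK\x03\x04"):
            members = suspicious_members(payload)
            if members:
                findings.append((part.get_filename() or "<unnamed>", members))
    return findings

# Helpers that construct test messages shaped like the malspam (constructed, not real samples).
def build_zip(members: dict[str, str]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()

def build_message(subject: str, attachment_name: str, attachment: bytes) -> bytes:
    msg = EmailMessage()
    msg["From"] = "sender@example.test"      # assumed addresses
    msg["To"] = "victim@example.test"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(attachment, maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()

if __name__ == "__main__":
    sample = build_message(
        "Tracking data", "tracking_data.zip",
        build_zip({"Tracking data 2016-09-20.js": "// constructed placeholder, not malware"}))
    print(scan_message(sample))
```

Matching on the archive's magic bytes rather than the declared content type matters at a gateway, since the sender controls both the MIME type and the attachment name.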

The malicious script files

We can examine the script files after extracting them from the zip archives attached to the emails.

Shown above: Extracted .wsf file from one of the attachments.

Chain of events

All 20 samples are designed to infect computers with Locky ransomware, but there are some differences. I saw the same chain of events with all the .js files. But I saw a different chain of events with the .wsf files.

The biggest difference? Locky samples downloaded by the .js files generated post-infection callback traffic.
Shown above: Chain of events from the different types of malicious script files.

Traffic

Traffic is still typical of Locky infection from malspam. In traffic generated by the .js files, I saw a single Locky download followed by post-infection callback traffic. In traffic from the .wsf files, I saw three downloads of Locky without any post-infection traffic.
Shown above: An infected Windows host from either type of malicious script (.js or .wsf).

The malicious script files download Locky as an encrypted or obfuscated binary from a web server, then decode it on the local host.

Shown above: Downloaded binary and decoded Locky DLL on the local host.

Indicators of compromise (IOCs)

The first batch of .js files from Locky malspam with the subject line Tracking data generated the following traffic:

Locky download:

  • 95.173.164.205 port 80 - vetchsoda.org - GET /5pnqv2
  • 178.212.131.10 port 80 - solenapeak.com - GET /2zg3kl
  • 178.212.131.10 port 80 - solenapeak.com - GET /fs3e3a
  • 178.212.131.10 port 80 - solenapeak.com - GET /ha4n2

Post-infection callback:

  • 46.38.52.225 port 80 - 46.38.52.225 - POST /data/info.php

By the time I checked the first two batches of .wsf files from Locky malspam, I didn't get any HTTP traffic. However, these .wsf files changed victims' preferred DNS server to 167.114.34.61 and generated DNS queries for the following domains:

  • 167.114.34.61 port 53 - DNS query for writewile.su (response: Server failure)
  • 167.114.34.61 port 53 - DNS query for steyjixie.net (response: Server failure)
  • 167.114.34.61 port 53 - DNS query for wellyzimme.com (response: Server failure)

The second batch of .js files from Locky malspam with the subject line Out of stock generated the following traffic:

Locky download:

  • 5.173.164.205 port 80 - musguhefty.com - GET /6lj76w3l
  • 178.212.131.10 port 80 - musguhefty.com - GET /oi3zsb
  • 178.212.131.10 port 80 - nawabmyops.net - GET /bubs031
  • 178.212.131.10 port 80 - vumdaze.com - GET /pknjo995
  • 178.212.131.10 port 80 - vumdaze.com - GET /t98uo
  • 178.212.131.10 port 80 - youthmaida.net - GET /1ly8w
  • 178.212.131.10 port 80 - youthmaida.net - GET /1p6zoyym

Post-infection callback:

  • 46.38.52.225 port 80 - 46.38.52.225 - POST /data/info.php
  • 109.248.59.80 port 80 - 109.248.59.80 - POST /data/info.php

The last batch of .wsf files came from Locky malspam disguised as a receipt from The Music Zoo. Unlike the first two batches of .wsf files, these caused a proper Locky infection, but they didn't generate any Locky post-infection traffic. Like the earlier .wsf files, this batch changed victims' preferred DNS server to 167.114.34.61 and used that for any DNS queries. Examples of traffic from these .wsf files are:

  • 193.150.247.12 port 80 - awaftaxled.com - GET /JHG67g32udi?IBypSwb=miWInrqwLkn
  • 62.84.69.75 port 80 - uphershoji.net - GET /JHG67g32udi?IBypSwb=miWInrqwLkn
  • 193.150.247.12 port 80 - thokelieu.com - GET /JHG67g32udi?IBypSwb=miWInrqwLkn
  • 193.150.247.12 port 80 - awaftaxled.com - GET /bcreubf321?KvbGPrwmwE=TqlgljDymXM
  • 193.150.247.12 port 80 - uphershoji.net - GET /bcreubf321?KvbGPrwmwE=TqlgljDymXM
  • 62.84.69.75 port 80 - thokelieu.com - GET /bcreubf321?KvbGPrwmwE=TqlgljDymXM
  • 193.150.247.12 port 80 - awaftaxled.com - GET /bcreubf321?GPuCciWnxG=PIMPMIBd
  • 193.150.247.12 port 80 - uphershoji.net - GET /bcreubf321?GPuCciWnxG=PIMPMIBd
  • 62.84.69.75 port 80 - thokelieu.com - GET /bcreubf321?GPuCciWnxG=PIMPMIBd
  • 193.150.247.12 port 80 - awaftaxled.com - GET /bcreubf321?luVkLlTEgMf=IBOiJDl
  • 193.150.247.12 port 80 - uphershoji.net - GET /bcreubf321?luVkLlTEgMf=IBOiJDl
  • 193.150.247.12 port 80 - thokelieu.com - GET /bcreubf321?luVkLlTEgMf=IBOiJDl
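As an added example (not from the diary or its author), Python that parses a subset of the IOC lines above into structured records and runs them over a few constructed proxy and DNS log lines, so that a Locky download, a callback, and the rogue-resolver behaviour of the .wsf samples are each flagged. The log layouts, the internal resolver address, and the bare-IP `POST /data/info.php` heuristic, which generalizes from the two callback entries above, are assumptions made for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# A subset of the IOC lines from this diary, in its "IP port N - host - METHOD /path" layout.
DOWNLOAD_IOCS = """
95.173.164.205 port 80 - vetchsoda.org - GET /5pnqv2
178.212.131.10 port 80 - solenapeak.com - GET /2zg3kl
178.212.131.10 port 80 - solenapeak.com - GET /fs3e3a
178.212.131.10 port 80 - solenapeak.com - GET /ha4n2
193.150.247.12 port 80 - awaftaxled.com - GET /JHG67g32udi?IBypSwb=miWInrqwLkn
62.84.69.75 port 80 - uphershoji.net - GET /JHG67g32udi?IBypSwb=miWInrqwLkn
"""
CALLBACK_IOCS = """
46.38.52.225 port 80 - 46.38.52.225 - POST /data/info.php
109.248.59.80 port 80 - 109.248.59.80 - POST /data/info.php
"""
ROGUE_RESOLVER = "167.114.34.61"    # resolver the .wsf samples configured on victims (from the diary)
CORPORATE_RESOLVER = "10.0.0.53"    # assumed internal resolver for the constructed logs

IOC_RE = re.compile(
    r"^(?P<ip>[\d.]+) port (?P<port>\d+) - (?P<host>\S+) - (?P<method>[A-Z]+) (?P<path>\S+)$"
)

@dataclass(frozen=True)
class Ioc:
    ip: str
    port: int
    host: str
    method: str
    path: str

def parse_iocs(text: str) -> list[Ioc]:
    """Turn the diary's bullet-style IOC lines into records; reject anything that does not fit."""
    iocs = []
    for line in text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable IOC line: {line!r}")
        iocs.append(Ioc(m["ip"], int(m["port"]), m["host"], m["method"], m["path"]))
    return iocs

def match_http(line: str, downloads: set[tuple[str, str]], callbacks: set[str]) -> str | None:
    """Constructed proxy-log layout: '<src_ip> <method> <host> <path> <dst_ip>'."""
    _src, method, host, path, dst = line.split()
    if method == "GET" and (host, path) in downloads:
        return "locky_download"
    if method == "POST" and path == "/data/info.php":
        if dst in callbacks:
            return "locky_callback"
        # Weaker heuristic generalized from the diary's callbacks: a POST to /data/info.php
        # where the Host header is a bare IP address rather than a hostname.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            return "locky_callback_pattern"
    return None

def match_dns(line: str) -> str | None:
    """Constructed DNS-log layout: '<src_ip> <resolver_ip> <qname> <rcode>'. The .wsf samples
    repointed the host's DNS client, so the resolver address itself is the signal."""
    _src, resolver, _qname, _rcode = line.split()
    if resolver == ROGUE_RESOLVER:
        return "rogue_resolver"
    if resolver != CORPORATE_RESOLVER:
        return "unexpected_resolver"
    return None

def triage(http_lines: list[str], dns_lines: list[str]) -> list[tuple[str, str]]:
    downloads = {(i.host, i.path) for i in parse_iocs(DOWNLOAD_IOCS)}
    callbacks = {i.ip for i in parse_iocs(CALLBACK_IOCS)}
    hits = []
    for line in http_lines:
        tag = match_http(line, downloads, callbacks)
        if tag:
            hits.append((tag, line))
    for line in dns_lines:
        tag = match_dns(line)
        if tag:
            hits.append((tag, line))
    return hits

# Constructed log lines: two reproduce traffic from the diary, one matches only the generalized
# callback pattern, one is benign, one is a query to the rogue resolver, one is a normal query.
SAMPLE_HTTP = [
    "10.0.0.5 GET solenapeak.com /2zg3kl 178.212.131.10",
    "10.0.0.5 POST 46.38.52.225 /data/info.php 46.38.52.225",
    "10.0.0.6 POST 203.0.113.9 /data/info.php 203.0.113.9",
    "10.0.0.6 GET www.example.com /index.html 93.184.216.34",
]
SAMPLE_DNS = [
    "10.0.0.7 167.114.34.61 writewile.su SERVFAIL",
    "10.0.0.8 10.0.0.53 isc.sans.edu NOERROR",
]

if __name__ == "__main__":
    for tag, line in triage(SAMPLE_HTTP, SAMPLE_DNS):
        print(f"{tag:24} {line}")
```

The resolver check is the useful part for the .wsf batches: their Locky downloads used throwaway domains and paths, but every one of them sent the victim's DNS queries to 167.114.34.61, which a network that only permits its own resolvers will see immediately.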

The infected host

Locky caused by this malspam is the Zepto variant.
Shown above: Encrypted files with the .zepto file extension.

Checking the decryptor page through the Tor network, you'll find the standard Locky description.
Shown above: Ransom stated as 3 bitcoins.

Final words

Ransomware like Locky continues to be a well-known threat. Fortunately, these waves of malspam are usually blocked for most organizations using any decent email security and spam filtering. Furthermore, properly administered Windows hosts are not likely to be infected.

So why examine these emails?

Because some of these emails make it through, and people still get infected. All it takes is one message, one Windows host without enough protective measures, and one person willing to start clicking away.

A solid strategy for any sort of ransomware is to make regular backups of any important files. Remember to test those backups, so you're certain to recover your data.

Pcap and malware for this diary are located here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] http://blog.dynamoo.com/search/label/Locky/
[2] https://myonlinesecurity.co.uk/tag/locky/
[3] http://www.bleepingcomputer.com/news/security/locky-zepto-ransomware-now-being-installed-from-a-dll/
[4] http://malware-traffic-analysis.net/2016/09/12/index.html

 

This is how we used to mess with the results of elections. The Internet has made it a lot easier. (credit: US Air Force photo)

Even if the Russian government was behind the hack of the Democratic National Committee (DNC) and various other political organizations and figures, the US government's options under international law are extremely limited, according to Jack Goldsmith, a Harvard law professor and former US assistant attorney general.

Goldsmith, who served at the Justice Department during the administration of George W. Bush and resigned after a dispute over the legal justifications for "enhanced interrogation" techniques, spoke on Tuesday about the DNC hack during a Yale University panel.

"Assuming that the attribution is accurate," Goldsmith said, "the US has very little basis for a principled objection." In regard to the theft of data from the DNC and others, Goldsmith said that "it's hard to say that it violates international law, and the US acknowledges that it engages in the theft of foreign political data all the time."


 
Cisco Security Advisory: Cisco Cloud Services Platform 2100 Remote Command Execution Vulnerability
 
Cisco Security Advisory: Cisco Cloud Services Platform 2100 Command Injection Vulnerability
 
IBM WebSphere Application Server Liberty CVE-2016-3040 Open Redirect Vulnerability
 
Multiple Rockwell Automation RSLogix Products CVE-2016-5814 Local Buffer Overflow Vulnerability
 
PCRE 'compile_regex()' Function Heap Buffer Overflow Vulnerability
 
Adobe Flash Player APSB16-29 Multiple Unspecified Memory Corruption Vulnerabilities
 
libvirt CVE-2015-5313 Local Directory Traversal Vulnerability
 
libvirt CVE-2016-5008 Local Security Bypass Vulnerability
 
Adobe Flash Player APSB16-29 Multiple Use After Free Remote Code Execution Vulnerabilities
 
OpenStack Nova Denial of Service Vulnerability
 
Apple iOS Prior to 10 Multiple Security Vulnerabilities
 