Introduction

Yesterday, Tuesday 2016-09-27, the Afraidgate campaign switched from Neutrino exploit kit (EK) to Rig EK [1]. As we go into Wednesday 2016-09-28, this trend continues.

So let's examine another case of Afraidgate using Rig EK!

Details

The Afraidgate campaign has been sending Locky since it stopped distributing CryptXXX ransomware in mid-July 2016 [2]. Afraidgate started using Neutrino EK after Angler EK disappeared in early June 2016 [3].

Currently, Afraidgate is using Rig EK, and it's distributing the newest variant of Locky ransomware. This newest variant is called "Odin" [4].

Shown above: Traffic from today's infection filtered in Wireshark.

Indicators from this traffic are:

  • www.allthingsbritish.net - Compromised site
  • 139.59.171.176 port 80 - story.opiniaonline.ro - Afraidgate redirect
  • 195.133.201.49 port 80 - art.unknownproject.com - Rig EK
  • crocotan.com - failed DNS query from Locky downloader to get Locky
  • 45.32.144.151 port 80 - findidlist.com - Locky downloader grabbing Locky
  • kdbbpmrdfnlno.pl - failed DNS query from the Locky ransomware
  • kgijxdracnyjxh.biz - failed DNS query from the Locky ransomware
  • vgcfwrnfrkkarc.work - failed DNS query from the Locky ransomware
  • ehkhxyvvcpk.biz - failed DNS query from the Locky ransomware
  • rluqypf.pw - failed DNS query from the Locky ransomware
  • wfgtoxqbf.biz - failed DNS query from the Locky ransomware
  • ndyevynuwqe.su - failed DNS query from the Locky ransomware
  • dceaordeoe.ru - failed DNS query from the Locky ransomware
  • jlhxyspgvwcnjb.work - failed DNS query from the Locky ransomware
  • gisydkcsxosyokkuv.work - failed DNS query from the Locky ransomware
  • ufyjlxiscap.info - failed DNS query from the Locky ransomware

In the image below, injected script is highlighted in a page from the compromised site. This script kicked off the infection chain by generating HTTP traffic to a gate. Checking the domain registration, we see the gate

Shown above: The Afraidgate URL redirecting to a Rig EK landing page.

Rig EK has gone through some changes in recent weeks. Earlier this month, I noticed the landing page for Rig EK included a large amount of non-ASCII characters.

Shown above: Rig EK sends a Flash exploit.

The Rig EK payload is now encoded with an encryption algorithm. Previously, Rig EK used a more straightforward method of XOR-ing the binary with an ASCII string. Now the payload is more heavily obfuscated.

Shown above: Rig EK sends the malware payload.

After Rig EK sent the Locky downloader, that downloader grabbed Locky. In the traffic, we see a fake user agent and fake content type in the HTTP headers.

Shown above: Locky downloader retrieves Locky.

A closer look at the traffic shows findidlist.com wasn't the first domain the infected host tried when downloading the Locky binary. Crocotan.com was tried first, but that domain has apparently been taken offline.

After Locky was downloaded, the infected host generated several DNS queries for other domains, presumably for the Locky post-infection callback.

Shown above: Lots of failed DNS queries.

The infected host

Even though Locky wasn't able to perform its post-infection callback, the victim host was still infected. File extensions were .odin for the encrypted files, so this is the most recent variant of Locky (the "Odin" variant [4]).

Shown above: Desktop of the infected host.

Checking the Locky Decryptor page revealed the ransom instructions. As we

Shown above: The Locky decryptor page from this infection.

Malware info

The following artifacts were recovered from the infected host:

Rig EK payload (Downloader for Locky):

  • SHA256 hash: 624568125153d786e21927182b141cd8fe7fd4e97b7eb8b1933b8663bf3652ad
  • Size: 48,640 bytes
  • Location: C:\Users\[username]\AppData\Local\Temp\radA62C2.tmp.exe
  • Location: C:\Users\[username]\AppData\Roaming\rgV54QW5xRCUNWS.exe

Locky samples pulled from the infected host:

  • SHA256 hash: d4fd2fe61b13c70740ebc900e8d88123683790a43dd500e0f660f92e9fa257dc
  • Size: 181,760 bytes
  • Location: C:\Users\[username]\AppData\Local\Temp\d36y0wsMOkSrfEYreNRih1M0U.exe
  • Location: C:\Users\[username]\AppData\Local\Temp\Q5ABR5opm4BFjnrbzzuUX9nAd.exe

Final words

Locky ransomware continues to be an evolving threat. Not only do we see it in near-daily waves of malicious spam (malspam), we also see it distributed in a more stealthy manner through EKs. The Afraidgate campaign is currently the biggest EK-based campaign distributing Locky.

As always, properly administered Windows hosts are not likely to be infected. As long as your Windows host is up-to-date and fully patched, your risk is minimal. If you're running Windows 10, I doubt you have anything to worry about.

But apparently enough out-of-date Windows hosts browse the web, so this campaign is profitable for the criminal group behind it.

Pcap and malware for this diary are located here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] http://www.malware-traffic-analysis.net/2016/09/27/index.html
[2] http://researchcenter.paloaltonetworks.com/2016/07/unit42-afraidgate-major-exploit-kit-campaign-switches-from-cryptxxx-ransomware-back-to-locky/
[3] http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html
[4] https://blog.opendns.com/2016/09/26/odin-lockys-latest-persona/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Apache Xerces-C CVE-2016-4463 Stack Buffer Overflow Vulnerability
 
Apache Axis2 Document Type Declaration Processing Security Vulnerability
 
Apache Derby CVE-2015-1832 XML External Entity Information Disclosure Vulnerability
 
NTP CVE-2015-8138 Denial of Service Vulnerability
 
Symantec Messaging Gateway CVE-2016-5312 Directory Traversal Vulnerability
 
[SECURITY] [DSA 3680-1] bind9 security update
 


The organization that develops Firefox has recommended the browser block digital credentials issued by a China-based certificate authority for 12 months after discovering it cut corners that undermine the entire transport layer security system that encrypts and authenticates websites.

The browser-trusted WoSign authority intentionally back-dated certificates it has issued over the past nine months to avoid an industry-mandated ban on the use of the SHA-1 hashing algorithm, Mozilla officials charged in a report published Monday. SHA-1-based signatures were barred at the beginning of the year because of industry consensus they are unacceptably susceptible to cryptographic collision attacks that can create counterfeit credentials. To satisfy customers who experienced difficulty retiring the old hashing function, WoSign continued to use it anyway and concealed the use by dating certificates prior to the first of this year, Mozilla officials said. They also accused WoSign of improperly concealing its acquisition of Israeli certificate authority StartCom, which was used to issue at least one of the improperly issued certificates.

"Taking into account all the issues listed above, Mozilla's CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA," Monday's report stated. "Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly issued certificates issued by either of these two CA brands."


 
ESA-2016-127: EMC ViPR SRM Stored Cross-Site Scripting Vulnerability
 

You might get into a case where you have only the disk image and no memory image. Or even if you have the memory image, you might wish you had a snapshot of memory from further back in time. With the hibernation file (hiberfil.sys), the page file (pagefile.sys) and crash dumps, that might be possible. And if you are lucky enough, you might be able to recover older copies of them from a volume shadow copy, which is enabled by default in most modern Windows versions. From a forensic point of view, the hibernation file is the most useful of these.

hiberfil.sys is the file used by default by Microsoft Windows to save the machine's state as part of the hibernation process. The operating system also keeps an open file handle to this file, so no user, including the Administrator, can read the file while the system is running.[1]

If you have a disk image of Windows Vista or later, you can check whether a previous copy of hiberfil.sys exists in a volume shadow copy (Volume Shadow Copy Service, aka Shadow Copy). That copy might predate a malware infection or compromise, or it might contain artifacts that have since been deleted.

If you would like to check your image for previous versions of hiberfil.sys and restore them, you can use libvshadow by Joachim Metz.[2]

Once you have recovered the desired version of hiberfil.sys: the Volatility framework can examine hiberfil.sys directly, but that is very slow, so it is better to convert it first to a raw memory image.

vol.py -f hiberfil.sys --profile=Win7SP1x64 imagecopy -O rawimage.img

In the above example I used the imagecopy plugin to do the conversion; you have to specify the exact Windows version with the service pack level as the profile. Another option is hibr2bin.exe by Matt Suiche.[3]

Now let's run Volatility plugins against the converted raw image, starting with pslist:

vol.py -f rawimage.img --profile=Win7SP1x64 pslist

Volatility Foundation Volatility Framework 2.4
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa800ccca9e0 System 4 0 112 567 ------ 0 2012-03-15 22:34:19 UTC+0000
0xfffffa800d2b5b30 smss.exe 228 4 3 35 ------ 0 2012-03-15 22:34:19 UTC+0000
0xfffffa800e8862f0 csrss.exe 352 344 9 869 0 0 2012-03-15 22:34:44 UTC+0000
0xfffffa800cd049f0 csrss.exe 404 396 9 78 1 0 2012-03-15 22:34:49 UTC+0000
0xfffffa800e9a8060 wininit.exe 436 344 3 77 0 0 2012-03-15 22:34:49 UTC+0000
0xfffffa800e9a7860 winlogon.exe 444 396 4 94 1 0 2012-03-15 22:34:49 UTC+0000
0xfffffa800e9df060 services.exe 508 436 9 274 0 0 2012-03-15 22:34:55 UTC+0000
0xfffffa800e9e3850 lsass.exe 516 436 8 942 0 0 2012-03-15 22:34:56 UTC+0000
0xfffffa800e9ea910 lsm.exe 524 436 14 311 0 0 2012-03-15 22:34:56 UTC+0000
0xfffffa800ea45860 svchost.exe 612 508 11 375 0 0 2012-03-15 22:35:05 UTC+0000
0xfffffa800ea779f0 svchost.exe 688 508 11 364 0 0 2012-03-15 22:35:08 UTC+0000
0xfffffa800ea94b30 LogonUI.exe 764 444 8 201 1 0 2012-03-15 22:35:09 UTC+0000
0xfffffa800eaa8b30 svchost.exe 772 508 22 522 0 0 2012-03-15 22:35:09 UTC+0000
0xfffffa800eaceb30 svchost.exe 832 508 21 517 0 0 2012-03-15 22:35:10 UTC+0000
0xfffffa800ead2b30 svchost.exe 856 508 45 1402 0 0 2012-03-15 22:35:10 UTC+0000
0xfffffa800eb16b30 svchost.exe 972 508 22 395 0 0 2012-03-15 22:35:12 UTC+0000
0xfffffa800eb4d730 svchost.exe 292 508 25 697 0 0 2012-03-15 22:35:14 UTC+0000
0xfffffa800eb51b30 spoolsv.exe 924 508 14 337 0 0 2012-03-15 22:35:26 UTC+0000
0xfffffa800ebd5820 svchost.exe 360 508 21 332 0 0 2012-03-15 22:35:27 UTC+0000
0xfffffa800ec5e650 FireSvc.exe 1168 508 21 349 0 0 2012-03-15 22:35:32 UTC+0000


vol.py -f rawimage.img --profile=Win7SP1x64 netscan

Volatility Foundation Volatility Framework 2.4
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x3636300 UDPv4 0.0.0.0:0 *:* 3736 Skype.exe 2012-04-06 13:09:31 UTC+0000
0x959f010 TCPv4 10.3.58.6:62978 72.14.204.138:80 FIN_WAIT1 7508 chrome.exe
0x29933cf0 TCPv4 10.3.58.6:62979 72.14.204.102:80 FIN_WAIT1 7508 chrome.exe
0x2ac90a50 TCPv4 -:62088 14.0.33.84:80 CLOSED 7508 chrome.exe
0x4ce8d610 TCPv4 -:62054 -:80 CLOSED 7508 chrome.exe
0x578b2430 UDPv6 ::1:53608 *:* 2784 svchost.exe 2012-04-06 13:59:31 UTC+0000
0x58b9ecf0 TCPv4 10.3.58.6:445 10.3.58.7:2034 ESTABLISHED 4 System
0x5a690290 TCPv4 127.0.0.1:5678 127.0.0.1:62149 ESTABLISHED 4256 svchost.exe
0x72b40010 TCPv4 10.3.58.6:62854 74.217.78.140:80 FIN_WAIT1 7508 chrome.exe
0x7c488410 UDPv4 127.0.0.1:1900 *:* 2784 svchost.exe 2012-03-20 03:53:45 UTC+0000
0x7c4eaec0 UDPv4 127.0.0.1:53609 *:* 2784 svchost.exe 2012-04-06 13:59:31 UTC+0000
0x7c5173c0 TCPv4 10.3.58.6:62795 64.12.152.17:80 FIN_WAIT1 7508 chrome.exe


vol.py -f rawimage.img --profile=Win7SP1x64 autoruns -t autoruns

Autoruns =========================================

Hive: \??\C:\Users\SRL-Helpdesk\ntuser.dat
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-03-15 21:20:12 UTC+0000)
Sidebar : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)

Hive: \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:47 UTC+0000)
Sidebar : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)
Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2010-11-10 18:57:47 UTC+0000)
mctadmin : C:\Windows\System32\mctadmin.exe (PIDs: -)

Hive: \SystemRoot\System32\Config\SOFTWARE
Microsoft\Windows\CurrentVersion\Run (Last modified: 2011-09-16 20:57:09 UTC+0000)
VMware User Process : C:\Program Files\VMware\VMware Tools\VMwareUser.exe (PIDs: 8984, 4916)
VMware Tools : C:\Program Files\VMware\VMware Tools\VMwareTray.exe (PIDs: 6744, 1844)
McAfee Host Intrusion Prevention Tray : C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe (PIDs: -)
Wow6432Node\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-04-05 17:53:13 UTC+0000)
ShStatEXE : C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE /STANDALONE (PIDs: -)
Adobe Reader Speed Launcher : C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe (PIDs: -)
McAfeeUpdaterUI : C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe /StartedFromRunKey (PIDs: -)
svchost : c:\windows\system32\dllhost\svchost.exe (PIDs: 4256)
Adobe ARM : C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (PIDs: -)

Hive: \??\C:\Users\vibranium\ntuser.dat
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-04-05 17:03:53 UTC+0000)
Sidebar : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)
Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2012-04-05 17:03:53 UTC+0000)
mctadmin : C:\Windows\System32\mctadmin.exe (PIDs: -)

Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:48 UTC+0000)
Sidebar : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)
Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2010-11-10 18:57:47 UTC+0000)
mctadmin : C:\Windows\System32\mctadmin.exe (PIDs: -)

Hive: \??\C:\Users\nfury\ntuser.dat
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2011-08-25 21:51:37 UTC+0000)
Google Update : C:\Users\nfury\AppData\Local\Google\Update\GoogleUpdate.exe /c (PIDs: 3968)
Skype : C:\Program Files (x86)\Skype\Phone\Skype.exe /nosplash /minimized (PIDs: 3736)
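Cross-referencing the autoruns and netscan output is how an analyst would triage an entry such as the svchost.exe registered from a non-standard directory above. The Python below is an added example (not part of this diary or of Volatility) that parses constructed sample rows in the two plugins' output format, flags Run-key entries that name a core Windows binary, and enriches each with the sockets netscan attributes to its PID. The SYSTEM_BINARIES list and the Run-key heuristic are the example's own assumptions.

```python
import re

# Constructed samples in the format Volatility's autoruns and netscan plugins
# print (modelled on the output above, cut down to a few representative rows).
AUTORUNS_SAMPLE = r"""
Hive: \SystemRoot\System32\Config\SOFTWARE
Wow6432Node\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-04-05 17:53:13 UTC+0000)
svchost : c:\windows\system32\dllhost\svchost.exe (PIDs: 4256)
Skype : C:\Program Files (x86)\Skype\Phone\Skype.exe /nosplash /minimized (PIDs: 3736)
"""
NETSCAN_SAMPLE = r"""
0x3636300 UDPv4 0.0.0.0:0 *:* 3736 Skype.exe 2012-04-06 13:09:31 UTC+0000
0x5a690290 TCPv4 127.0.0.1:5678 127.0.0.1:62149 ESTABLISHED 4256 svchost.exe
"""

AUTORUN_RE = re.compile(r"^(?P<name>.+?) : (?P<cmd>.+?) \(PIDs: (?P<pids>[^)]*)\)$")
NETSCAN_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<proto>(?:TCP|UDP)v[46])\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"\s+(?:(?P<state>[A-Z][A-Z_0-9]*)\s+)?(?P<pid>\d+)\s+(?P<owner>\S+)")
# Assumed list: names the Windows boot chain starts itself, never from a Run key.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "wininit.exe"}
SYSTEM32 = r"c:\windows\system32"

def parse_autoruns(text):
    """Yield (name, exe_path, [pids]) for each 'Name : Path (PIDs: ...)' row."""
    for line in text.strip().splitlines():
        m = AUTORUN_RE.match(line)
        if not m:
            continue  # 'Hive:' and registry-key header lines carry no binary
        exe = re.match(r"(.+?\.exe)", m["cmd"], re.I)  # strip trailing arguments
        pids = [int(p) for p in re.findall(r"\d+", m["pids"])]  # '-' gives []
        yield m["name"], (exe.group(1) if exe else m["cmd"]), pids

def parse_netscan(text):
    """Map pid -> ['proto local -> foreign state', ...] from netscan rows."""
    conns = {}
    for line in text.strip().splitlines():
        m = NETSCAN_RE.match(line)
        if m:  # UDP rows have no state column, hence the optional group above
            desc = f"{m['proto']} {m['local']} -> {m['foreign']} {m['state'] or ''}".strip()
            conns.setdefault(int(m["pid"]), []).append(desc)
    return conns

def flag_autoruns(autoruns_text, netscan_text):
    """Return {autorun name: [reasons]} for entries worth an analyst's attention."""
    conns = parse_netscan(netscan_text)
    findings = {}
    for name, path, pids in parse_autoruns(autoruns_text):
        directory, _, image = path.lower().rpartition("\\")
        if image not in SYSTEM_BINARIES:
            continue  # ordinary third-party autorun: nothing to say here
        reasons = [f"{image} is never started from a Run key"]
        if directory != SYSTEM32:
            reasons.append(f"lives in {directory}, not {SYSTEM32}")
        # Enrich with whatever sockets netscan attributes to the same PID(s).
        reasons += [f"pid {p} has {d}" for p in pids for d in conns.get(p, [])]
        findings[name] = reasons
    return findings
```

Calling flag_autoruns(AUTORUNS_SAMPLE, NETSCAN_SAMPLE) returns only the svchost entry, with its off-path location and the loopback TCP connection on PID 4256 listed as reasons.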


[1] http://www.forensicswiki.org/wiki/Hiberfil.sys

[2] https://github.com/libyal/libvshadow

[3] https://comae.typeform.com/to/XIvMa7

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

 

No, not that sort of fuzzing for bugs. (credit: Micha L. Rieser)

At Microsoft's Ignite conference in Atlanta yesterday, the company announced the availability of a new cloud-based service for developers that will allow them to test application binaries for security flaws before they're deployed. Called Project Springfield, the service uses "whitebox fuzzing" (also known as "smart fuzzing") to test for common software bugs used by attackers to exploit systems.

In standard fuzzing tests, randomized inputs are thrown at software in an effort to find something that breaks the code—a buffer overflow that would let malicious code be planted in the system's memory or an unhandled exception that causes the software to crash or processes to hang. But the problem with this random approach is that it's hard to get deep into the logic of code. Another approach, called static code analysis (or "whiteboxing"), looks instead at the source code and walks through it without executing it, using ranges of inputs to determine whether security flaws may be present.

Whitebox fuzzing combines some of the aspects of each of these approaches. Using sample inputs as a starting point, a whitebox fuzz tester dynamically generates new sets of inputs to exercise the code, walking deeper into processes. Using machine learning techniques, the system repeatedly runs the code through fuzzing sessions, adapting its approach based on what it discovers with each pass. The approach is similar to some of the techniques developed by competitors in the Defense Advanced Research Projects Agency's Cyber Grand Challenge to allow for automated bug detection and patching.


 
LibTIFF CVE-2014-8127 Out of Bounds Read Multiple Remote Denial of Service Vulnerabilities
 
LibTIFF CVE-2014-8129 Out of Bounds Read and Write Multiple Remote Denial of Service Vulnerabilities
 
IBM AIX CVE-2016-6038 Directory Traversal Vulnerability
 
Adobe Digital Editions CVE-2016-6980 Unspecified Use After Free Remote Code Execution Vulnerability
 
GNU Bash CVE-2016-7543 Local Command Execution Vulnerability
 

The Linux kernel today faces an unprecedented safety crisis. Much like when Ralph Nader famously told the American public that their cars were "unsafe at any speed" back in 1965, numerous security developers told the 2016 Linux Security Summit in Toronto that the operating system needs a total rethink to keep it fit for purpose.

No longer the niche concern of years past, Linux today underpins the server farms that run the cloud and more than a billion Android phones, not to mention the coming tsunami of grossly insecure devices that will be hitched to the Internet of Things. Today's world runs on Linux, and the security of its kernel is a single point of failure that will affect the safety and well-being of almost every human being on the planet in one way or another.

"Cars were designed to run but not to fail," Kees Cook, head of the Linux Kernel Self Protection Project, and a Google employee working on the future of IoT security, said at the summit. "Very comfortable while you're going down the road, but as soon as you crashed, everybody died."


 
libxml2 'HTMLparser.c' Out of Bounds Read Denial of Service Vulnerability
 
libxml2 CVE-2015-8806 Denial of Service Vulnerability
 
Multiple IBM Products CVE-2013-0513 Local Privilege Escalation Vulnerability
 
[SECURITY] [DSA 3679-1] jackrabbit security update
 
ImageMagick 'coders/sgi.c' Remote Buffer Overflow Vulnerability
 
 
[security bulletin] HPSBHF03654 rev.1 - HPE iMC PLAT Network Products using SSL/TLS, Multiple Remote Vulnerabilities
 
[security bulletin] HPSBHF03655 rev.1 - HPE iMC PLAT Network Products running Apache Axis2, Multiple Remote Vulnerabilities
 
[SECURITY] [DSA 3678-1] python-django security update
 
[security bulletin] HPSBHF03652 rev.1 - HPE iMC PLAT Network Products running Apache Commons FileUpload, Remote Denial of Service (DoS)
 
Internet Storm Center Infocon Status