Information Security News
This diary is a follow-up to my previous diary on the actor using Rig exploit kit (EK) to deliver Qbot. For this diary, I've infected more Windows hosts from other compromised websites, so we have additional data on this actor.
As previously noted, this actor has been delivering Qbot (also known as Qakbot) malware. The actor uses a gate to route traffic from the compromised website to the EK landing page. In this case, the gate returns a variable that is translated to a URL for the EK landing page. The sequence of events is:
I've collected more samples of Rig EK infections from this actor as shown below. Of note:
The following four infections occurred within the past 24 hours:
Below are images of pcaps from the traffic filtered in Wireshark.
The FTP server shown in the last example had information from my infected host, along with other infected hosts.
Gate traffic review
Although I went over it in my last diary, let's review again how the gate traffic works. First, we get the malicious script added to a .js file from the compromised website. It's usually appended, and you'll find it at the end. I've also seen the malicious script at the beginning of the .js files. It might take a while for people to find it, but it's there.
The first highlighted section shows how the value from the main_color_handle variable is translated: every symbol is replaced with a %, and every alphabetic character g and higher is replaced with nothing. This leaves only a through f and 0 through 9, which are grouped as two-character hexadecimal pairs, each preceded by a %.
The second highlighted section shows the URL for the gate. As I mentioned in my previous diary about this actor, the text is obfuscated, so it's not easy to find. However, if you know what you're looking for, you can find it.
This injected script calls the main_color_handle variable from the gate URL and translates the variable to the EK landing page URL.
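To recover the landing page URL from a captured gate response (for example, to build the proxy log search suggested below), the translation described above can be reproduced outside the browser. The following is an added example, not the diary's script or the actor's code; the main_color_handle value it decodes is a constructed sample, and the exact symbol set used by the real script is assumed to be "anything that is not a letter or digit".

```python
import re
from urllib.parse import unquote

# Constructed sample, NOT a real gate value: the URL http://example.test/
# hex-encoded, with one junk symbol before each byte pair and junk letters
# (g or later in the alphabet) sprinkled between the pairs.
SAMPLE_MAIN_COLOR_HANDLE = (
    "!68k*74z@74#70q$3a&2f^2fw=65+78r~61m-6d(70)6cj_65;2e{74}65x:73|74?2f"
)

# What must remain after stripping: an unbroken run of %XX hex pairs.
PERCENT_PAIRS = re.compile(r"^(%[0-9a-fA-F]{2})+$")


def decode_gate_variable(value: str) -> str:
    """Undo the two replacements the injected script performs.

    Step 1: every symbol (non-alphanumeric character) becomes '%'.
    Step 2: every letter g..z (either case) is dropped; a..f survive because
            they are hex digits. The residue percent-decodes to the URL.
    """
    step1 = re.sub(r"[^0-9A-Za-z]", "%", value)
    step2 = re.sub(r"[g-zG-Z]", "", step1)
    # Sanity check: if the residue is not purely %XX pairs, this sample uses a
    # variant of the scheme and should be inspected by hand rather than
    # silently turned into a mangled URL.
    if not PERCENT_PAIRS.match(step2):
        raise ValueError(f"unexpected residue after stripping: {step2!r}")
    return unquote(step2)


def looks_like_landing_url(url: str) -> bool:
    """Cheap plausibility check before searching proxy logs for the value."""
    return url.startswith(("http://", "https://"))


if __name__ == "__main__":
    url = decode_gate_variable(SAMPLE_MAIN_COLOR_HANDLE)
    print(url)  # http://example.test/
```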
Today's diary provides more examples of Rig EK infections by this particular actor. Hopefully, it provides a better understanding of the infection traffic. If you have access to your organization's web proxy logs, search for 220.127.116.11 and see if the HTTP GET requests follow the patterns seen in this diary. If you can find the referer for that HTTP GET request, you may have discovered another website compromised by this actor.
Pcap and malware samples used in this diary are available here.
The Intercept has written that if you have bought a Windows PC recently then Microsoft probably has your encryption key. This is a reference to Windows' device encryption feature. We wrote about this feature when it was new, back when Microsoft introduced it in Windows 8.1 in 2013 (and before that, in Windows RT).
Device encryption is a simplified version of the BitLocker drive encryption that made its debut in Windows Vista in 2006. The full BitLocker requires a Pro or Enterprise edition of Windows, and includes options such as integration with Active Directory, support for encrypting removable media, and the use of passwords or USB keys to unlock the encrypted disk. Device encryption is more restricted. It only supports internal system drives, and it requires the use of Secure Boot, Trusted Platform Module 2.0 (TPM), and Connected Standby-capable hardware. This is because Device encryption is designed to be automatic; it uses the TPM to store the password used to decrypt the disk, and it uses Secure Boot to ensure that nothing has tampered with the system to compromise that password.
Infosec Professionals Needed for Annual Wireless and Wired Device Threat Study
BOSTON, MA -- (Marketwired) -- 12/29/15 -- Pwnie Express, the only company providing threat detection of the billions of wireless and wired devices in and around your workplace, today announced its second annual Device Threat Survey. The company is ...