Current threats by Fortinet for 29.9-5.10.2018

Our partner Fortinet publishes a weekly report on the threats it has exposed. You can review this week's report below. If you have questions, do not hesitate to contact us.

FortiGuard Labs recently encountered malicious traffic traveling to a C2 server located in China. The connection was established by a domain whose name closely resembled that of one of Japan's most famous express post delivery services. Our analysis showed that the website making this connection is fake: there is no SSL certificate and the page layout is broken. Moreover, it is spreading Android malware.

At first glance the Android file looks like FakeSpy, a malware discovered by Trend Micro researchers in June of 2018. But our analytics platform revealed that while the code base of the sample is based on FakeSpy, this new variant contains new features, and the malicious campaign is continuing to grow.

Interestingly, we found that this was not the only domain related to this malicious activity. We were able to find 347 additional domains in which only the first or last part of the real domain name of the Japanese express post service had been altered. Some odd characteristics discovered during our analysis make us believe that the threat actors still have this campaign under active development.

We know that the actors involved in this malicious activity own a huge number of domains faking the original domain name of the express post delivery service in Japan. This means they are investing a lot of time and money into this campaign, but are probably still thinking of ways to make a profit from it. Most of the domains registered on the actors' e-mails are inactive, but that doesn't mean that they will never be used. The scripts, comments and unused lines located on the websites may indicate that the actors are still improving the campaign and trying different ways of achieving their goals.

This malware campaign appears to be in the early days of creation, and still evolving. The malware itself is based on an existing codebase, but it shows attempts at improvement by adding different functionalities, not all of which are currently being used - however, we cannot say that will be the case for long.

Read the Fortinet blog for the full analysis and related indicators.

Fortinet has protection in place:
Android/Agent.CIJ!tr
Android/Fakespy.Z!tr


Application Vulnerabilities / IPS

Rank  Name                                                          Prevalence
1     MS.IIS.WebDAV.PROPFIND.ScStoragePathFromUrl.Buffer.Overflow   26,814
2     D-Link.DSL-2750B.CLI.OS.Command.Injection                     21,920
3     TCP.Split.Handshake                                           21,811
4     MS.IE.COM.Object.Instantiation.Buffer.Overflow                20,298
5     PHP.CGI.Argument.Injection                                    17,874

MS.SMB.Server.SMB1.WriteAndx.Trans2.Secondary.Code.Execution – This signature detects an attempt to exploit a bug in the SMBv1 server of Microsoft Windows operating systems. More specifically, it identifies whether a remote connection is trying to exploit the EternalSynergy vulnerability (CVE-2017-0145). This vulnerability was patched by Microsoft last year in MS17-010, and the exploit was disclosed as being distributed in the wild by the group known as Shadow Brokers back in Q2 2017. The bug can be triggered by sending a few packets to an exposed SMBv1 server and, if correctly exploited, executes code remotely, giving the attacker a chance to gain a foothold on the system.

In the past, this was used by attackers to inject the DoublePulsar implant into an exploited system, giving them unrestricted remote access afterwards. We are seeing increased telemetry relating to this attack, with our last 7 days' average being 15% higher than the average recorded over the last 30 days.

Signatures: MS.SMB.Server.SMB1.WriteAndx.Trans2.Secondary.Code.Execution

ElasticSearch.Dynamic.Script.Arbitrary.Java.Execution – This signature detects attempts to exploit a remote code execution (RCE) vulnerability in Elasticsearch. It is exploitable by default on Elasticsearch versions prior to 1.2.0, which enable a feature called dynamic scripting, allowing remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search.

The bug lies in the REST API, which does not require authentication: its search function allows dynamic scripts to be executed, which remote attackers can use to run arbitrary Java code. All that is needed is access to the API and a crafted request. At the time of this writing, multiple PoC exploits had been incorporated into common exploitation frameworks to test for or exploit this issue. We are seeing increased activity regarding this attack, with our last 7 days' average being 7% higher than the last 30 days' average.

Signatures: ElasticSearch.Dynamic.Script.Arbitrary.Java.Execution
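The Elasticsearch issue above hinges on dynamic scripts reaching _search, either in the request body or in the source query parameter. As an added example (not Fortinet's signature logic and not Elasticsearch code), this Python scans constructed request records for that pattern; the record format and the assumption that a script without a lang field ran as MVEL on 1.x are mine.

```python
import json
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample of requests to an Elasticsearch 1.x node, as a reverse proxy
# might log them (method, path with query string, body). Not real traffic.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/logs/_search", "body": '{"query":{"match_all":{}}}'},
    {"method": "POST", "path": "/logs/_search?pretty",
     "body": '{"size":1,"script_fields":{"x":{"script":"1+1"}}}'},
    # same thing, but the search document travels in the `source` query parameter
    {"method": "GET", "body": "", "path": "/_search?" + urlencode(
        {"source": '{"script_fields":{"y":{"script":"doc[\'a\'].value*2","lang":"mvel"}}}'})},
    {"method": "POST", "path": "/_bulk", "body": '{"index":{}}\n{"a":1}\n'},
]

def search_document(req: Dict) -> Optional[dict]:
    """Parsed search document of a _search request: the `source` query parameter
    when present (the vector the brief describes), else the HTTP body."""
    parts = urlsplit(req["path"])
    if not parts.path.rstrip("/").endswith("/_search"):
        return None
    raw = parse_qs(parts.query).get("source", [req.get("body", "")])[0]
    try:
        return json.loads(raw)
    except ValueError:
        return None

def inline_scripts(doc) -> List[Tuple[str, str]]:
    """(script, lang) pairs anywhere in the document. A script with no explicit
    lang ran as MVEL on 1.x (assumption), so it is reported as 'mvel'. None -> []."""
    found: List[Tuple[str, str]] = []
    def walk(node):
        if isinstance(node, dict):
            if isinstance(node.get("script"), str):
                found.append((node["script"], node.get("lang", "mvel")))
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)
    walk(doc)
    return found

def scan(requests: List[Dict]) -> Dict[int, List[Tuple[str, str]]]:
    """Request index -> (script, lang) hits, for every request that carries one."""
    hits = {i: inline_scripts(search_document(r)) for i, r in enumerate(requests)}
    return {i: h for i, h in hits.items() if h}
```

On 1.x nodes the configuration counterpart is `script.disable_dynamic: true` in elasticsearch.yml, which became the default with 1.2.0; upgrading remains the actual fix.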


Malware Activity

Rank  Name                     Prevalence
1     Android/Agent.FJ!tr      5,338
2     Adware/Agent             4,129
3     W32/Agent.AJFK!tr        3,294
4     VBA/Agent.KRG!tr.dldr    3,289
5     VBA/Agent.KVT!tr.dldr    3,131

Sounds Like a Payday Lender – HIDDEN COBRA and FASTCash – A new advisory was issued by the U.S. Department of Homeland Security (DHS) and US-CERT for HIDDEN COBRA. This joint Technical Alert (TA) was released by the DHS, the Department of the Treasury (Treasury), and the Federal Bureau of Investigation (FBI). It is the latest in a string of advisories related to HIDDEN COBRA. What makes this advisory unique is that it is the first from US-CERT related to automated teller machine (ATM) attacks, covering what they refer to as an ATM cash-out scheme, officially named "FASTCash."

According to a trusted partner of US-CERT, HIDDEN COBRA actors are estimated to have stolen tens of millions of dollars. In one incident in 2017, HIDDEN COBRA actors enabled cash to be withdrawn simultaneously from ATMs located in over 30 different countries. In another incident in 2018, they enabled cash to be withdrawn simultaneously from ATMs in 23 different countries. HIDDEN COBRA is also known as the Lazarus Group, which is credited with the Sony Pictures attack in 2014 and various other notable attacks, such as the 2016 cyber heist of a Bangladeshi bank, which netted $81 million.

According to US-CERT, FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions. According to the advisory, HIDDEN COBRA actors target the retail payment system infrastructure within banks to enable fraudulent ATM cash withdrawals across national borders. They have configured and deployed legitimate scripts on compromised switch application servers in order to intercept financial request messages and reply to them with fraudulent but legitimate-looking affirmative response messages. According to US-CERT, the infection vector is unknown at this time.

The samples that are publicly available are Windows-related files (signed-and-revoked as well as unsigned) and data files that are not malicious by themselves. The Windows-related files are of two types. The first is a Trojan downloader that downloads an encrypted payload; according to US-CERT, the payload was not available for further analysis. The second is a proxy-related module that intercepts traffic and can modify the Windows firewall and force the victim machine to act as a proxy server.

Other notable functions of this sample are that it can:
- Retrieve information about the logon sessions, drives installed, and operating system
- Search for files
- Execute processes
- Terminate processes
- Delete files
- Execute commands
- Download and upload files
- Read files
- Write files
- Compress and decompress files

Signatures: W32/NukeSped.AA!tr, W32/NukeSped.AK!tr

Roaming Mantis, Malicious APKs – FortiGuard Labs has observed a reemergence of the infamous Roaming Mantis campaign. Roaming Mantis was first seen attacking routers to change their DNS settings, which ultimately allowed it to hijack traffic in order to spread malicious Android applications; at the same time it was observed spoofing legitimate applications such as Facebook and Chrome. It appears the group is now back and targeting 27 languages for further penetration. It has been seen distributing various cryptocurrency miners, but also targeting iOS users via web-based cryptomining. The attackers behind this campaign have also shifted their efforts back and forth between Android and iOS types of attacks. Delivery mechanisms for the attacks, especially on the Android side, were observed to be SMS-based phishing attacks: the victim receives a text message containing a link to an attacker-controlled site, which then starts the download of the malicious APK to the victim's device. Another attack observed was a manipulation of the legitimate site prezi.com, which is dedicated to online presentations. In this case, the attacker created various slide decks of interest, ranging from games and hacks to adult themes, in the hope of compelling the victim to visit the link and install the malicious APK file. The malicious APK file was also observed to contain snippets of data that appeared to have been exfiltrated: not only personally identifiable information (PII) but also banking and credit card information.

Signatures: Android/Wroba.BII!tr, Android/Wroba.AP!tr, Android/Agent.CIJ!tr, Android/Wroba.B

Indicator(s):
sagawa-otqwt[.]com
sagawa-polsw[.]com
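The FakeSpy section above describes domains in which only the first or last part of the express post service's real domain name is altered, and the indicators in this brief are written defanged (hxxp, [.]). As an added example (not Fortinet's code), this Python refangs such indicators and flags hostnames that fit that pattern; the brand label 'sagawa' is taken from the indicators just listed, the brief does not name the legitimate domain and none is assumed, and public-suffix handling is simplified.

```python
import re
from typing import Dict, List, Optional

# Constructed list in the defanged form this brief uses (hxxp, [.]); it mixes the
# sagawa-* hostnames from the indicator list with unrelated ones for contrast.
SAMPLE_INDICATORS = [
    "sagawa-otqwt[.]com",
    "sagawa-polsw[.]com",
    "hxxps://itaddnet.com/res/prof3.db",
    "hxxp://new.titanik.fr/wp-includes/common.php",
    "secexconference[.]com",
]

def refang(indicator: str) -> str:
    """Undo the usual defanging so the value can be matched against telemetry."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")

def hostname_of(indicator: str) -> str:
    """Hostname of a (defanged) URL or bare domain, lower-cased."""
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", refang(indicator), flags=re.IGNORECASE)
    return s.split("/", 1)[0].split(":", 1)[0].lower()

def lookalike_reason(host: str, brand: str) -> Optional[str]:
    """Why `host` matches the FakeSpy pattern (brand label with only its first or
    last part altered), or None. Looks at the label left of the TLD only, so
    two-level public suffixes such as .co.uk would need a suffix list."""
    labels = host.split(".")
    if len(labels) < 2:
        return None
    label = labels[-2]
    if label == brand or brand not in label:
        return None
    if label.startswith(brand):
        return f"brand '{brand}' followed by '{label[len(brand):]}'"
    if label.endswith(brand):
        return f"brand '{brand}' preceded by '{label[:-len(brand)]}'"
    return None

def find_lookalikes(indicators: List[str], brand: str) -> Dict[str, str]:
    """Refanged hostname -> reason, for every indicator that looks like the brand."""
    result = {}
    for ind in indicators:
        host = hostname_of(ind)
        reason = lookalike_reason(host, brand)
        if reason:
            result[host] = reason
    return result
```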

Web Filtering Activity


Another HWP Attack on Korean Speaking Users – The FortiGuard Labs Web Filtering team is aware of a malicious Hangul Word Processor document file targeting Korean-speaking users. The file, 'Notification of similar behavior violation .hwp', relies on social engineering techniques and contains code within the file that exploits a "Ghostscript" vulnerability. The Hangul Word Processor is popular in Korea and with speakers of the Korean language.

When the user unknowingly opens the file, the compressed "PostScript" embedded in it is executed and malicious code is downloaded; this in turn downloads the payload, which provides the remote control and RAT functionality. The FortiGuard Labs Web Filtering team has blacklisted all the IOCs involved in this operation.

Indicator(s):
hxxp://new.titanik.fr/wp-includes/common.php 
hxxp://www.51shousheng.com/include/partview.php
hxxps://itaddnet.com/res/prof3.db
hxxps://itaddnet.com/res/prof6.db
secexconference[.]com


Source : https://fortiguard.com/resources/threat-brief/2018/10/05/fortiguard-threat-intelligence-brief-october-05-2018
