Bitcoin Phishing Ring CoinHoarder

Cisco’s Talos Group has published their findings on a Bitcoin theft campaign they have been tracking in the Ukraine. By purchasing Google AdWords, the attackers were able to target specific search terms, such as “blockchain” or “bitcoin wallet”. Potential victims, searching for these terms, would see the cybercriminals’ links in the search results as a featured ad. Clicking on the fake ad would send the victim’s browser to a landing page in their native language that attempted to garner credential information. These phishing pages were hosted on blockchalna.info and, except for the URL, appear quite similar to the real site. Using results from DNS queries and WHOIS data, Talos was not only able to track where the victims resided (Nigeria, Ghana, Estonia, and others), but were able to identify other potentially malicious sites as well. During the time Talos was watching this campaign, they noticed it evolving, the phishing pages began to look more like the real ones as well as the use of secure websites (HTTPS). The secure sites made use of certificates issued by Cloudflare and Let’s Encrypt. Another tactic observed was the use of internationalized domain names, referred to as homograph attacks. This is where an international character closely resembles an English character and could be mistaken by a casual viewer for the real URL.

Reference

https://blog.talosintelligence.com/2018/02/coinhoarder.html

https://s3-us-west-1.amazonaws.com/umbrella-blog-uploads/wp-content/uploads/2017/02/26230545/BTC_IOCs.pdf

https://umbrella.cisco.com/blog/2016/12/22/protecting-bank-pocket-rise-criminal-activity-correlates-bitcoin-price-surge-holidays/

Advertisements

5000 websites hacked to serve cryptomining malware

Five thousand websites in the US, UK and Australia have been hacked to serve cryptomining malware. Cryptomining malware is when cybercriminals infect your computer to do the calculations needed to generate a cryptocurrency like Bitcoin, Monero or Euthereum. The crooks use your electricity and processing power but keeps any cryptocoins proceed for themselves. The infection  is coming from browseraloud.com , a site that serves Javascript to your website to convert the page into voice reading to assist blind people. Of course, governments sites are meant to help out visitors even those who are not good at reading English. The browseraloud.com server was hacked , obfuscated javascript was added to download the code from coinhive.com and start mining cryptocurrency.

The only way to bypass this is to shut down your browser.

References

Sophos

Skynews

Cryptominer RubyMiner Targets web servers

According to a Check Point Research finding, a new malware package designed to mine cryptocurrency is attacking web servers in an effort to infect them. The malware uses a variation of an open-source Monero miner (XMRig), possibly because the software required does not require an extremely powerful server to operate. According to the article, the attack uses vulnerabilities from 2012 and 2013. Systems targeted included those running PHP, Ruby on Rails, and Microsoft IIS. The vulnerability in Ruby on Rails is CVE-2013-0156. This vulnerability provides the attacker a means to inject objects into the system that can execute arbitrary code. The malware flushes the crontab (on a Unix system) and then installs its own crontab entry. This entry runs one minute past the hour, every hour. The command downloads a robots.txt file from a web server under the control of the attackers. This downloaded file is then executed each time crontab executes the command. The article postulates this could be so that the attackers could execute a kill switch if desired or possibly to update the malware. The open-source package XMRig normally donates five percent of the earnings to XMRig’s author. Apparently, the individual(s) behind this attack were not inclined to lose any potential gains and removed the donating code from the version used in the infection.

Indicators of Compromise:

  • 761f5cfd0a3cddb48c73bc341a4d07a9
  • 91d31ed8e569c0089fa070ed125e1fc5
  • a6a57e6a216dff346a22f51639c4b99c
  • 203.24.188.242
  • Internetresearch.is
  • dgnfd564sdf.com
  • lochjol.com

It is recommended to patch the operating system,patch the applications and check crontab for unusual entry.

References 

https://research.checkpoint.com/rubyminer-cryptominer-affects-30-ww-networks/

 

A look at Redline from Mandiant

Redline is a nice tool to investigate a particular host for signs of compromises. It works on Windows and is freely available on the FireEye site .

redline1
Redline Interface

At a glance, we have options to collect data from the host or Analyse an existing data collected file. In our case , I am going to create  a Standard Collector for the sake of this demo.

Redline2
Redline Review Script Configuration

It is clear that the script will run the Collector and save it to a folder named ‘Sessions\AnalysisSession2´ in our case because we run the script twice as in the figure below

redline5
AnalysisSession2.mans file to import in Redline

As said in the Readme.txt file, AnalysisSession2.mans has to be openend in Redline to continue with the investigation. We can go through the System Information,Processes,…

The tool is worth a try.

Happy investigations

redline6
Investigative options after opening the AnalysisSession2.mans file

Ordinypt the ransomware targetting German Human Resources.

Ordinypt is a new ransomware in Germany . It appears as a ransomware but destroys data. It seems to be targetting only people in Germany because of  its email delevering language only in German. The email arrives as a ”job advertisement submission” resume with 2 files attachments : – A JPG image of a woman submitting a resume

-a ZIP file supposedly containing a resume and Curriculum Vitae.

HSDFSDCrypt-spam-email

The ZIP archive  contains two EXE files, but appears to be PDFs files to fool the user that those are not executable. Clicking on the EXE files will launch the Ordinypt wiper. This malware does not encrypt files but overwrites these latter with random data.

It displays a ransom note in every folder where it destroys files named  Wo_sind_meine_Dateien.html, translates as where_are_my_files.

HSDFSDCrypt-ransom-note

The only ways to bypass are:

  • Ensure anti-virus software and associated libraries are up to date
  • Ensure attachments do not have hidden / double extensions prior to clicking to open

WannaCry Malware Take Away

The world has experienced a Cyber Attack according to numerous open-source, classified as a ransomware campaign.It created ten of thousands of infections in Over 150 countries including the United States, United Kingdom,Spain, Russia, Taiwan,France and Japan. The software can run in as many as 27 different languages.The piece of code is affecting only Microsoft Windows Operating system. The latest version of this malware (5bef35496fcbdbe841c82f4d1ab8b7c2) was discovered in the morning of May 12 ,2017 by an independent security researcher. It was named Wannacry because of the string “WNcry@2ol7” found in its code.Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.

TECHNICAL DETAILS

Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 operating systems on May 13, 2017. According to open sources, one possible infection vector may be through phishing. There exists 3 files belonging to the same malware.The first file is a dropper(worm), which contains and runs the ransomware, propagating via the MS17-010/EternalBlue SMBv1.0 exploit. The remaining two files are ransomware components containing encrypted plug-ins responsible for encrypting the victim users files.

 

Dropper

This artifact (5bef35496fcbdbe841c82f4d1ab8b7c2) is a malicious PE32 executable that has been identified as a WannaCry ransomware dropper. Upon execution, the dropper attempts to connect to the following hard-coded URI:

http[:]//www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

Displayed below is a sample request observed:

--Begin request—

GET / HTTP/1.1
Host: www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cache-Control: no-cache

--End request--

If a connection is established, the dropper will terminate execution. If the connection fails, the dropper will infect the system with ransomware.
When executed, the malware is designed to run as a service with the parameters “-m security”. During runtime, the malware determines the
number of arguments passed during execution. If the arguments passed are less than two, the dropper proceeds to install itself as the
following service:

--Begin service--

ServiceName = "mssecsvc2.0"
DisplayName = "Microsoft Security Center (2.0) Service"
StartType = SERVICE_AUTO_START
BinaryPathName = "%current directory%5bef35496fcbdbe841c82f4d1ab8b7c2.exe -m security"

--End service--

Once the malware starts as a service named mssecsvc2.0, the dropper attempts to create and scan a list of IP ranges on the local network
and attempts to connect using UDP ports 137, 138 and TCP ports 139, 445. If a connection to port 445 is successful, it creates an additional
thread to propigate by exploiting the SMBv1 vulnerability documented by Microsoft Security bulliten MS17-010. The malware then extracts &
installs a PE32 binary from it’s resource section named “R”. This binary has been identified as the ransomware component of WannaCrypt.
The dropper installs this binary into “C:\WINDOWS\tasksche.exe.” The dropper executes tasksche.exe with the following command:

--Begin command--

"C:\WINDOWS\tasksche.exe /i"

--End command—

 

NOTE:When this sample was initially discovered, the domain “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com” was not registered, allowing the
malware to run and propagate freely. However within a few days, researchers learned that by registering the domain and allowing the
malware to connect, it’s ability to spread was greatly reduced. At this time, all traffic to “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com” is
re-directed to a monitored, non-malicious server, causing the malware to terminate if it is allowed to connect. For this reason, we recommend
that administrators and network security personnel not block traffic to this domain.

RANSOMWARE COMPONENTS

The malware creates a 2048 bit RSA key pair. The private key is encrypted using a public key that is included with the malware. For each file, a new random AES key is generated. This random AES key is then encrypted using the public user key. To decrypt the files, the user’s private key needs to be decrypted, which requires the malware author’s private key. Unlike some other ransomware, no network communication is needed to generate these keys [pastebin]. The password “WNcry@2ol7” is not used to encrypt files. It is only used by the malware to decrypt some of its components. Encrypted files use the extension. wncry. To decrypt the files, the user is asked to pay $300, which will increase to $600 after a few days. The ransomware threatens to delete all files after a week.

SOLUTION

-Apply the MS patch

-Basic defense in depth meaning segmentation to isolate vulnerable machines

-Restrict TCP port 445

-use Private Vlans if your edge switches support this feature

-Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.

-Test your backups to ensure they work correctly upon use

-Implement the principle of least privilege

References: IOC with Wannacry:US-CERT

Washington post 150 countries affected