Ordinypt, the ransomware targeting German human resources departments

Ordinypt is a new piece of malware circulating in Germany. It presents itself as ransomware but actually destroys data. It appears to target only people in Germany, since the e-mail that delivers it is written exclusively in German. The e-mail arrives as a "job application" with two attachments:

-a JPG image of the woman supposedly submitting the application;

-a ZIP file supposedly containing her resume and curriculum vitae.

[Image: HSDFSDCrypt spam e-mail]

The ZIP archive contains two EXE files disguised as PDFs (document-style names and icons) so that the user does not realise they are executables. Double-clicking either one launches the Ordinypt wiper. The malware does not encrypt files; it overwrites them with random data, so no decryption key exists and paying the ransom recovers nothing.

In every folder where it destroys files it drops a ransom note named Wo_sind_meine_Dateien.html, which translates as "Where are my files".

[Image: HSDFSDCrypt ransom note]

Since the data cannot be recovered afterwards, the only effective defences are preventive:

  • Ensure anti-virus software and its signature libraries are up to date
  • Check attachments for hidden or double extensions (for example Lebenslauf.pdf.exe) before opening them, and do not let Windows hide extensions for known file types
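The check in the second bullet can be automated at the mail gateway or on a triage workstation. The following is an added example, not code from the original post: it builds a constructed ZIP in memory shaped like the lure described above (the German file names are illustrative) and flags members that carry a double extension, members that end in an executable extension, and members whose content begins with the Windows PE "MZ" header despite a document-looking name.

```python
"""Added example (not from the original post): inspect a ZIP attachment the way
the Ordinypt lure abuses it.  Names and contents of the sample archive are
constructed for the illustration.
"""
import io
import zipfile

# Extensions a resume might plausibly carry, and extensions Windows will execute.
DOC_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt", ".jpg", ".png"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}


def _exts(name):
    """Every extension in a member name: 'cv.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_attachment(zip_bytes):
    """Return (member name, reason) findings for a ZIP attachment, in archive order."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _exts(info.filename)
            last = exts[-1] if exts else ""
            # 1. Name-based: a document extension followed by an executable one,
            #    or simply an executable extension in a "resume" archive.
            if len(exts) >= 2 and exts[-2] in DOC_EXTS and last in EXEC_EXTS:
                findings.append((info.filename, f"double extension {exts[-2]}{last}"))
            elif last in EXEC_EXTS:
                findings.append((info.filename, f"executable extension {last}"))
            # 2. Content-based: Windows executables start with the 'MZ' DOS header,
            #    whatever the name claims (catches a renamed EXE, an icon changes nothing).
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ" and last not in EXEC_EXTS:
                findings.append((info.filename, "PE header in a non-executable name"))
    return findings


def build_sample_zip():
    """Constructed sample archive: two disguised executables and one real image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Bewerbung/Lebenslauf.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)   # double extension
        zf.writestr("Bewerbung/Anschreiben.pdf", b"MZ\x90\x00" + b"\x00" * 60)      # EXE renamed to .pdf
        zf.writestr("Bewerbung/Foto.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)       # genuine JPEG header
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_attachment(build_sample_zip()):
        print(f"{member}: {reason}")
```

The content check matters more than the name check: an attacker can also ship a plain .exe whose icon mimics a PDF, and only the "MZ" header gives it away before execution.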

WannaCry Malware Takeaways

According to numerous open sources, the world has experienced a cyber attack classified as a ransomware campaign. It caused tens of thousands of infections in over 150 countries, including the United States, the United Kingdom, Spain, Russia, Taiwan, France and Japan. The malware carries ransom notes in as many as 27 languages and affects only Microsoft Windows. The latest version (MD5 5bef35496fcbdbe841c82f4d1ab8b7c2) was discovered on the morning of May 12, 2017 by an independent security researcher. It was named WannaCry because of the string "WNcry@2ol7" found in its code. Open-source reporting indicates a requested ransom of 0.1781 bitcoin, roughly US$300.

TECHNICAL DETAILS

Initial reports indicate that the actor behind the WannaCry campaign gains access to enterprise systems by exploiting a critical Windows SMB vulnerability. Microsoft released a security update for this vulnerability (MS17-010) on March 14, 2017, and on May 13, 2017 additionally released out-of-band patches for the unsupported Windows XP, Windows 8 and Windows Server 2003. According to open sources, phishing may be another infection vector. The malware consists of three files. The first is the dropper (the worm component), which contains and launches the ransomware and propagates via the MS17-010/EternalBlue SMBv1 exploit. The remaining two files are ransomware components containing encrypted plug-ins responsible for encrypting the victim's files.

 

Dropper

This artifact (5bef35496fcbdbe841c82f4d1ab8b7c2) is a malicious PE32 executable that has been identified as a WannaCry ransomware dropper. Upon execution, the dropper attempts to connect to the following hard-coded URI:

http[:]//www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Displayed below is a sample request observed:

--Begin request--

GET / HTTP/1.1
Host: www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cache-Control: no-cache

--End request--

If the connection succeeds, the dropper terminates. If it fails, the dropper proceeds to infect the system with the ransomware. The malware is designed to run as a service with the arguments "-m security". At runtime it counts the arguments it was started with; if fewer than two were passed (that is, it was launched directly rather than by the Service Control Manager), it installs itself as the following service:

--Begin service--

ServiceName = "mssecsvc2.0"
DisplayName = "Microsoft Security Center (2.0) Service"
StartType = SERVICE_AUTO_START
BinaryPathName = "%current directory%5bef35496fcbdbe841c82f4d1ab8b7c2.exe -m security"

--End service--

Once running as the service mssecsvc2.0, the dropper builds a list of IP ranges on the local network and scans it, attempting connections on UDP ports 137 and 138 and TCP ports 139 and 445. Where a connection to port 445 succeeds, it spawns an additional thread to propagate by exploiting the SMBv1 vulnerability documented in Microsoft Security Bulletin MS17-010. The malware then extracts and installs a PE32 binary from its resource section named "R"; this binary is the ransomware component of WannaCrypt. The dropper writes it to "C:\WINDOWS\tasksche.exe" and executes it with the following command:

--Begin command--

"C:\WINDOWS\tasksche.exe /i"

--End command--

 

NOTE: When this sample was first discovered, the domain "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com" was not registered, so the malware ran and propagated freely. Within a few days researchers found that registering the domain and letting the malware connect greatly reduced its ability to spread. All traffic to the domain is now redirected to a monitored, non-malicious sinkhole server, which causes the malware to terminate as long as it can reach it. For this reason administrators and network security staff should not block traffic to this domain. Note also that the dropper performs this check with a direct connection and ignores the system proxy settings, so a host that can only reach the Internet through a proxy fails the check and detonates even though nothing is blocked; a request for this domain in your logs therefore identifies a host that has executed the dropper, whatever the outcome.
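Two detections follow directly from the behaviour above, and the following added example (not part of the original write-up) runs them over constructed log lines: any internal host that requests the kill-switch domain has executed the dropper and needs investigation regardless of whether the sinkhole stopped it, and a single host opening TCP/445 to many distinct peers within a short window is the worm's SMB scan. The key=value log format, the thresholds and the addresses are assumptions made for the example.

```python
"""Added example, not part of the original write-up: WannaCry dropper detections
run over constructed proxy and firewall log lines (assumed key=value format).
"""
from collections import defaultdict, deque
from datetime import datetime

KILL_SWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SCAN_PEERS = 10      # distinct 445/tcp destinations from one source ...
SCAN_WINDOW = 60.0   # ... within this many seconds counts as a worm scan


def parse(line):
    """'<ISO timestamp> k=v k=v ...' -> dict, with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def detect(lines):
    """Return (source host, alert name) pairs in the order they fire."""
    alerts = []
    recent = defaultdict(deque)   # src -> (ts, dst) of its 445/tcp connections
    scanners = set()
    for line in lines:
        f = parse(line)
        src = f["src"]
        # 1. Kill-switch lookup: the sinkhole makes the dropper exit, but the host
        #    ran it and still carries the sample.
        if f.get("host", "").lower() == KILL_SWITCH:
            alerts.append((src, "wannacry_killswitch_lookup"))
        # 2. SMB scan: many distinct peers on 445/tcp inside a sliding window.
        if f.get("proto") == "tcp" and f.get("dport") == "445":
            q = recent[src]
            q.append((f["ts"], f["dst"]))
            while (f["ts"] - q[0][0]).total_seconds() > SCAN_WINDOW:
                q.popleft()
            if src not in scanners and len({d for _, d in q}) >= SCAN_PEERS:
                scanners.add(src)
                alerts.append((src, "smb_445_scan"))
    return alerts


def sample_log():
    """Constructed lines: one infected host (10.0.1.23) and one normal host (10.0.1.88)."""
    t = "2017-05-12T11:03:{:02d}Z"
    lines = [
        t.format(10) + f" src=10.0.1.23 host={KILL_SWITCH} method=GET",
        t.format(11) + " src=10.0.1.88 host=www.example.com method=GET",
        t.format(12) + " src=10.0.1.88 dst=10.0.1.5 proto=tcp dport=445 action=allow",
    ]
    for i in range(12):   # 12 distinct peers in 12 seconds from the infected host
        lines.append(t.format(15 + i)
                     + f" src=10.0.1.23 dst=10.0.1.{50 + i} proto=tcp dport=445 action=allow")
    return lines


if __name__ == "__main__":
    for host, alert in detect(sample_log()):
        print(host, alert)
```

A normal workstation talks to a handful of file servers on 445; the distinct-peer count inside a short window separates that from a host sweeping its subnet, and the threshold should be tuned against a baseline of your own traffic.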

RANSOMWARE COMPONENTS

The ransomware generates a 2048-bit RSA key pair on the victim machine. The victim's private key is encrypted with a public key embedded in the malware. For each file a fresh random AES key is generated and then encrypted with the victim's public key. Decrypting the files therefore requires the victim's private key, which in turn can only be decrypted with the malware author's private key. Unlike some other ransomware, no network communication is needed to generate these keys [pastebin]. The password "WNcry@2ol7" is not used to encrypt files; the malware only uses it to decrypt some of its own components. Encrypted files carry the extension .wncry. The victim is asked to pay $300, rising to $600 after a few days, and the ransomware threatens to delete all files after a week.
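The key hierarchy is what makes offline operation possible and also what makes recovery without the author's key hopeless. The following added example, which is not the malware's code, models it with the `cryptography` package: a per-victim RSA pair is generated locally, its private half is wrapped under the author's embedded public key, and each file is wrapped under a fresh AES key that only the victim's public key protects. Only the key-wrapping structure follows the write-up; the cipher choices (RSA-OAEP, AES-256-GCM) and the file names are assumptions made for this illustration, not the sample's actual modes.

```python
"""Added example, not the malware's own code: the WannaCry key hierarchy in
miniature.  RSA-OAEP and AES-GCM are illustration choices, not the sample's modes.
"""
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
EXT = ".wncry"


def hybrid_wrap(pub, data):
    """Fresh random AES key per blob; the key goes under RSA, the data under AES-GCM."""
    aes_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    return pub.encrypt(aes_key, OAEP), nonce, AESGCM(aes_key).encrypt(nonce, data, None)


def hybrid_unwrap(priv, blob):
    wrapped_key, nonce, ct = blob
    return AESGCM(priv.decrypt(wrapped_key, OAEP)).decrypt(nonce, ct, None)


def keygen():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def infect(author_pub, files):
    """Victim side, needs no network: generate a per-victim RSA pair, wrap its
    private half under the author's embedded public key, wrap every file under
    the victim's public key."""
    victim_priv = keygen()
    priv_der = victim_priv.private_bytes(serialization.Encoding.DER,
                                        serialization.PrivateFormat.PKCS8,
                                        serialization.NoEncryption())
    eky = hybrid_wrap(author_pub, priv_der)          # the only surviving copy of the victim key
    victim_pub = victim_priv.public_key()
    del victim_priv                                  # the plaintext private key does not persist
    return eky, {name + EXT: hybrid_wrap(victim_pub, data) for name, data in files.items()}


def recover(author_priv, eky, encrypted):
    """Author side: unwrap the victim private key, then each per-file AES key."""
    victim_priv = serialization.load_der_private_key(hybrid_unwrap(author_priv, eky),
                                                     password=None)
    return {name[:-len(EXT)]: hybrid_unwrap(victim_priv, blob)
            for name, blob in encrypted.items()}


def demo():
    """True when the real author key recovers the files and any other key cannot."""
    author_priv = keygen()
    files = {"report.docx": b"quarterly numbers", "photo.jpg": os.urandom(4096)}  # constructed
    eky, encrypted = infect(author_priv.public_key(), files)
    if recover(author_priv, eky, encrypted) != files:
        return False
    try:
        recover(keygen(), eky, encrypted)   # wrong author key: the RSA-OAEP unwrap fails
    except ValueError:
        return True
    return False
```

The practical consequence for responders is in `recover`: no amount of analysis of the victim machine yields the per-file keys, because the one secret that unlocks them was wrapped under a key that never existed on that machine. Recovery efforts that did work against WannaCry relied on the victim private key's primes surviving in process memory, not on breaking this construction.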

SOLUTION

-Apply the MS17-010 patch on every Windows host, including the out-of-band updates for unsupported versions

-Basic defence in depth: segment the network so that vulnerable machines are isolated

-Restrict TCP port 445 (and SMBv1 generally) at the perimeter and between segments

-Use private VLANs if your edge switches support this feature, so that workstations cannot reach each other directly

-Ensure anti-virus and anti-malware solutions are set to run regular scans automatically

-Test your backups to ensure they restore correctly when needed

-Implement the principle of least privilege

References:

-US-CERT: indicators of compromise associated with WannaCry

-Washington Post: 150 countries affected

Malware Information Sharing Platform (MISP)

The Malware Information Sharing Platform is used to store, share and collaborate on malware information across organisations. The indicators of compromise (IoCs) it holds are used to detect and prevent cyber attacks. MISP integrates many features:

-An efficient built-in database to store malware samples, information on attackers and threat intelligence

-Data are stored and shared in a structured format

-Data can be imported from OpenIOC and exported for integration with network IDS, host IDS and other tools

MISP is a good tool for your CERT team.
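To make the "structured format" and "export to IDS" points concrete, the following added example (not from the original post, and not the PyMISP client) expresses the WannaCry indicators from the section above in a simplified MISP Event/Attribute JSON layout, exports the network indicators as Suricata DNS rules and the hashes as a flat list, and matches observed values against the event. The attribute type names are MISP's; the event id, the Suricata sids and the category choices are assumptions.

```python
"""Added example, not from the original post and not PyMISP: a simplified
MISP-style event for the WannaCry indicators above, with IDS export and matching.
"""
import json


def wannacry_event():
    # (type, category, value, to_ids, comment) in MISP attribute vocabulary
    attrs = [
        ("md5", "Payload delivery", "5bef35496fcbdbe841c82f4d1ab8b7c2", True, "dropper"),
        ("domain", "Network activity", "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
         True, "kill switch, alert only, never block"),
        ("filename", "Artifacts dropped", "tasksche.exe", True, "ransomware component"),
        ("windows-service-name", "Persistence mechanism", "mssecsvc2.0", True, "dropper service"),
        ("pattern-in-file", "Payload delivery", "WNcry@2ol7", True, "unpacks components"),
    ]
    return {"Event": {
        "id": "1", "info": "WannaCry ransomware (May 2017)", "threat_level_id": "1",
        "Attribute": [dict(type=t, category=c, value=v, to_ids=i, comment=m)
                      for t, c, v, i, m in attrs]}}


def to_json(event):
    return json.dumps(event, indent=2)


def export_suricata(event, base_sid=9000000):
    """One DNS-query alert rule per IDS-flagged domain/hostname attribute."""
    rules = []
    eid = event["Event"]["id"]
    for n, a in enumerate(event["Event"]["Attribute"]):
        if a["to_ids"] and a["type"] in ("domain", "hostname"):
            rules.append(
                f'alert dns any any -> any any (msg:"MISP e{eid} {a["comment"]}"; '
                f'dns.query; content:"{a["value"]}"; nocase; sid:{base_sid + n}; rev:1;)')
    return rules


def export_hashes(event, algo="md5"):
    """Flat hash list, e.g. for Suricata's filemd5 keyword or a host scanner."""
    return [a["value"] for a in event["Event"]["Attribute"]
            if a["to_ids"] and a["type"] == algo]


def match(event, observations):
    """observations: (type, value) pairs seen on a host or on the wire -> the hits."""
    index = {(a["type"], a["value"].lower())
             for a in event["Event"]["Attribute"] if a["to_ids"]}
    return [(t, v) for t, v in observations if (t, v.lower()) in index]


if __name__ == "__main__":
    ev = wannacry_event()
    print(to_json(ev))
    print("\n".join(export_suricata(ev)))
```

The sinkholed domain is the reason the comment field matters: it is exported as an alert rule, never as a block list entry, exactly as the WannaCry note above recommends.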

[Image: MISP event view in the web interface]

HOME DEPOT BREACH


Home Depot is a big-box retailer in the USA. It suffered a security breach that affected 56 million payment cards.

The malware used in the attack had most likely been used in other attacks. Brian Krebs, who reported the breach, suggested that the BlackPOS malware used against Target was also used here. The attackers started by compromising a third-party supplier's workstation, then managed to install the malware on point-of-sale terminals. From that point the collection of card data entered at the terminals was automated and sent to an off-site collection system. The malware was present from April to September 2014, although the incident was first reported on September 2, 2014.

By now the malware has been removed and enhanced encryption of payment data has been rolled out in all US stores.

Lessons learned: in this POS attack the Payment Card Industry (PCI) compliance regime clearly has room for improvement. Home Depot should look to the UPS Store for an example of how to report a breach. Online merchants need to resist fraudulent use of stolen card data with Verified by Visa, MasterCard SecureCode, PayPal or Apple Pay. Finally, Home Depot customers must demand new account numbers. And why on earth aren't the PCs attached to payment devices running application whitelisting?


Malware Sample Sources

Malware researchers need real specimens to test their skills and develop defences. They can collect samples from a honeypot or download them from the sources below:

  1. Contagio Malware Dump (Mobile Malware)
  2. Kernelmode.info
  3. Malshare
  4. Malware.lu AVcaesar
  5. MalwareBlacklist
  6. Malwr
  7. Open Malware
  8. SecuBox Labs
  9. Virusign
  10. VirusShare
  11. theZoo / Malware DB
  12. ZeuS Tracker

French manufacturer LaCie admits data breach

LaCie is a French manufacturer of hard drives. It was the victim of a security breach and has notified customers about the incident. The breach was detected by the FBI, which raised the alarm on March 19, 2014. Malware was used to gain access to customer transactions made between March 27, 2013 and March 10, 2014. Names, addresses, e-mail addresses, payment card numbers and card expiration dates belonging to customers were accessed by the unauthorised party. LaCie urged everyone to change their password, believing that customers' usernames and passwords on LaCie's website could also have been accessed.

Ukraine, target of the Snake or Uroburos malware


A dangerous cyber weapon infected many computers in Ukraine in 2014. It is spyware designed to steal sensitive, secret information from high-value networks. Experts believe the rootkit went undetected for more than three years. Given the malware's complexity and estimated development cost, the German security company G Data believes a state sponsor is behind the attack, possibly linked to Russia, since the developers of the malicious program are Russian speakers.

Uroburos operates autonomously and in peer-to-peer mode: infected computers harvest documents and relay them to an infected PC that has an Internet connection, so machines without direct Internet access are still exfiltrated. It supports 32- and 64-bit Windows.