Our partner Fortinet publishes a report every week about exposed threats. You can review the weekly report below. If you have questions, do not hesitate to contact us
FortiGuard Labs Research Team recently captured a malicious Microsoft Word document that contains auto-executable malicious VBA code that can spread and install NanoCore RAT software on a victim's Windows system. NanoCore RAT was developed in the .Net framework. The sample we analyzed uses NanoCore to execute malicious behavior on the victim's machine. When the malicious Word document is opened, you see a warning message at the top of the window "Macros have been disabled" with an 'Enable Content' clickable box. Once the victim clicks the 'Enable Content', the malicious VBA code is executed in the background. The VBA code is executed automatically from the function "Document_Open".
For full details on our analysis, read FortiGuard Labs blog: .Net RAT Malware Being Spread by MS Word Documents
Signatures: VBA/Agent.1B7E!tr.dldr, MSIL/Injector.REB!tr
Fake AV Tech Support -- Our FortiGuard Labs Researchers analyzed a new fake AV tech support campaign. In this case, a malicious advertisement uses a fake antivirus page with popups prompting users about a malware breach on their system. The scam hides itself in advertisements on legitimate websites. When unsuspecting victims click on the advertisement, they are redirected to a page pretending to be a Microsoft warning alert. The fake alert notifies the victim that their computer has been compromised with malware and urgently requires antivirus assistance, or else risk having information stolen and further network damage. A hotline is provided for the victims to call, as well as an additional popup mimicking Windows login. If the victim either calls the hotline or enters their login credentials, the fake AV tech support page has achieved its goal.
The threat actor seems to prefer domains from ".xyz" top level domain, and IP hosts with the URL path pattern of "/pc-error'*". Fortinet Logs show the campaign active since October 2018, and still active today. 2000 URLs and 500 hosts identified as IOCs associated with this malicious campaign have been added to FortiGuard Labs web filtering database.
For screen images and a list of IOCs, visit: Malware Traffic Analysis
Emotet is back! -- We last reported on Emotet mid-December, and after a short break for the holiday, the malware operators are again distributing new malicious email campaigns using Microsoft Word attachments with embedded macros that download the malware. The malware authors are using social engineering techniques, including using different languages, to make the emails enticing to open. Another ploy leverages a direct URL download in the email instead of the Microsoft Word document. The malware authors are continuing their evolution by leveraging various new tricks. This new variant checks if the recipient's IP address is blacklisted or on a spam list. This helps attackers deliver their email more effectively through leveraging inboxes without potential to be blocked by spam filters. The malware invokes PowerShell, which contacts the distribution center to retrieve the payload. While the malware traditionally included banking Trojans, the new variants offer additional payloads, such as information stealers, ransomware and more. For more details [Read More]
Signatures: Malicious_Behavior.SB, VBA/Agent.1F50!tr.dldr
Application Vulnerabilities / IPS
WordPress.Plugin.DZS-VideoGallery.Remote.Command.Injection -- DZS (Digital Zoom Studio) is a popular video management plugin for WordPress that allows you to quickly import and manage YouTube/Vimeo videos from your favorite cloud video content provider through your WordPress-enabled website.
It has been discovered that versions prior to 7.85 are vulnerable to multiple cross-site scripting vulnerabilities that if exploited could lead to remote code execution of arbitrary script code in the browser of an unaware website visitor. This may lead to, among other things, stealing of website credentials and other potential attacks made possible by native scripting functions.
The attacks rely on the injection of arbitrary commands via two vulnerable parameters, called swfloc and designrand, so simple queries allow for an attacker to store attacks that will be launched whenever a user visits the page where the injected script resides.
We have observed attacks globally and have seen a significant increase in activity for the WordPress.Plugin.DZS-VideoGallery.Remote.Command.Injection signature.
Ektron.XSLT.Transform.Remote.Code.Execution -- Ektron is a content management system (CMS) that was merged with Episerver back in 2015. At that time, they were a community of close to 9,000 customers and running in some 30,000 websites. It was discovered that Ektron versions previous to 8.02 SP5 used a class dubbed XslCompiledTransform with a security parameter called "enable script" set to true, which in this context allows for unauthenticated remote code execution. The attack relies on crafting a special XSL file with special parameters to execute arbitrary code. On exploitation, the served XSL is parsed and the referenced file is downloaded and executed in the context of the user process running the HTTP daemon. We have observed attacks globally and have seen a significant increase in activity for the Ektron.XSLT.Transform.Remote.Code.Execution signature.
ServHelper Invites FlawedGrace Through the Backdoor -- FortiGuard Labs is aware of malicious activity coined "ServHelper" and "FlawedGrace" launched by threat group TA505. Earlier this week researchers released a detailed analysis of a backdoor family, ServHelper, and a RAT it distributes named FlawedGrace.
TA505 is an extremely prolific actor in the malware landscape and has been credited for the creation or use of many tools including the Dridex banking Trojan, Locky ransomware, and the TrickBot banking Trojan. TA505 is highly financially motivated and has been documented using numerous tactics for monetary gain.
ServHelper: The latest TA505 activity documented involves a backdoor delivered through targeted phishing campaigns. This backdoor drops a file named "ServHelper.dll," hence its name. Between November and December of 2018 there were three documented releases of phishing emails that had this backdoor attached and all of them appeared to target financial institutions. There are two known variants of this backdoor. The first is a malware that embodies traits of classic downloader behavior. The second more sophisticated version is a malware capable of tunneling, that through SSH tunneling and RDP, will allow threat actors to remote control the infected machine.
FlawedGrace: The primary purpose of ServHelper is to download the FlawedGrace RAT. Although there were documented cases of FlawedGrace in the wild as far back as 2017, distribution of this family of malware had decreased considerably until now. FlawedGrace appears to be a sophisticated C++ based malware that uses a binary protocol to communicate with the C2 server. This malware shows capability of downloading other malicious content, stealing sensitive user information including passwords, and running scripts. It may even be able to corrupt the infected machine.
Fortinet's FortiGuard Labs has existing detection on the known executables as well as the known C2 servers.
Signatures: W32/Delf.BHB!tr, W32/Delf.BGZ!tr, VBA/TrojanDownloader.LIZ!tr, VBA/TrojanDownloader.LGD!tr
Malware in a Flash! -- FortiGuard Labs is aware of a recent Adobe Flash Player zero-day vulnerability being utilized in malware attack campaigns. This vulnerability, CVE-2018-15982, was found last month. Researchers discovered a malware utilizing the vulnerability in a Microsoft Word file containing malicious Flash content, and zipped with JPG file including shellcode.
The documents execute through the vulnerability, and the malicious program may install a RAT into the victim's system. This gives the attacker a method to gain remote access to the victim's computer. This malware shares code similarity to a tool created by Hacking Team.
When this type of attack appeared last month, it was found in VirusTotal, submitted from Ukraine. The malicious Word file is written in Russian and compressed as a ZIP file along with a JPG file. It also appeared to be abusing the logo of a Russian medical institution.
Signatures: Adobe.Flash.TVSDK.metadata.Use.After.Free, SWF/Generic!exploit
Web Filtering Activity
Cryptocurrency Theft Utilizing Fake Movie File -- The FortiGuard Labs Web Filtering team is aware of an LNK malware disguised as a movie file that could be downloaded from The Pirate Bay torrent service. It was concealed as a Windows .LNK shortcut that executes a series of PowerShell commands and extracts a script from the shortcut file. This malware appears to have two purposes. The first purpose appears to be an attempt to avoid AV detection and divert the user via code injection. This malware may attempt to inject content into high-profile websites such as Wikipedia, Google, and Yandex. To do so, it attempts to install a Firefox extension called "Firefox Protection" and hijack the Chrome extension called "Chrome Media Router," with the ID "pkedcjkdefgpdelpbcmbmeomcjbeemfm." These extensions, if installed successfully, may pull data from a server to inject into the aforementioned websites. The second purpose is monetary. It will attempt to steal cryptocurrency from the victims infected with this malware. The malware leads to search results being tampered and injected with attacker-promoted search results instead, related to torrent trackers or cryptocurrency. It also inserts a fake donation banner in Wikipedia that accepts cryptocurrency donations and provides bitcoin and Ethereum addresses to "donate" to. The FortiGuard Labs Web Filtering team has blacklisted all the URLs that were discovered to be related to this incident.
Source : https://fortiguard.com/resources/threat-brief/2019/01/18/fortiguard-threat-intelligence-brief-january-18-2019