Thursday, March 30, 2017

Nuclear Bot (Nuke Bot) Code Leaked Online

A couple of months back, Arbor Networks published an analysis of Nuclear Bot under the title "Dismantling a Nuclear Bot". We had already analysed malware abusing SWIFT banking. At that time it was described as a new banking trojan module, offered for sale on underground hacking forums at a price of $2.5K. They analyzed the following sample: https://www.virustotal.com/en/file/ff83aaa74ec364f4c2403409a28df93ef97e8a61ba79fdb1c94d7081f48e794e/analysis/1490938720/
This is where that sample pings back. We also checked for anything interesting beyond the analysis made by Arbor Networks, and found that the sample variant has anti-analysis modules, such as analysis-aware strings:







This week the source code of Nuclear Bot (Nuke Bot) was leaked on an online code-sharing platform. The author made the code available on the net because of distrust from members of the hacking community: members of an underground forum treated the author like a spammer, because no free trial of the module was offered to premium members.


Important samples seen in the wild:
https://www.virustotal.com/en/file/ff83aaa74ec364f4c2403409a28df93ef97e8a61ba79fdb1c94d7081f48e794e/analysis/1490938720/
https://www.virustotal.com/en/file/53af22828a2a1190105c6846ae9e32ab6ce87388b77838d456432ee6e9de7343/analysis/1490938116/
https://www.virustotal.com/en/file/25a361f297c6d399410b47af5504f4bb2c9327de55168a31154fbee21fa4b186/analysis/1490938074/


Popular AV detection:
a variant of Win32/Agent.YOB
Trojan-Banker.Win32.Nuclear.a
Trojan.Win32.Nuclear.ekazpz
TR/Spy.Banker.qexzn




Post created by
newWorld

CVE-2017-0022 Windows Zero-Day flaw used by AdGholas hackers

Synopsis



Microsoft's March 2017 Patch Tuesday updates fixed several security flaws. Security experts from Trend Micro and Proofpoint revealed that the list of fixed vulnerabilities includes three flaws that had been exploited in the wild since last summer. One of them is an XML Core Services information disclosure vulnerability, tracked as CVE-2017-0022, that attackers can exploit by tricking victims into clicking on a specially crafted link.


Vulnerability And Impact


Security researchers from Trend Micro and Proofpoint conducted a joint investigation in which the flaw was discovered; it was reported to the vendor (Microsoft) in September 2016. The attacker exploits this vulnerability with a specially crafted website that invokes MSXML through Internet Explorer. The hard part for the attacker is luring the user into clicking and visiting this specially crafted website; mostly the attacker convinces the user to click the link with convincing messages in email or a messenger.
The AdGholas malvertising campaign widely used this vulnerability and also integrated it with the Neutrino exploit kit. (For more information about the AdGholas hackers, please refer to our article: http://www.edison-newworld.com/2017/03/adgholas-malvertising-campaign.html).
This vulnerability is listed in CVE as CVE-2017-0022: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0022

Description given by CVE MITRE: "Microsoft XML Core Services (MSXML) in Windows 10 Gold, 1511, and 1607; Windows 7 SP1; Windows 8.1; Windows RT 8.1; Windows Server 2008 SP2 and R2 SP1; Windows Server 2012 Gold and R2; Windows Server 2016; and Windows Vista SP2 improperly handles objects in memory, allowing attackers to test for files on disk via a crafted web site, aka 'Microsoft XML Information Disclosure Vulnerability.'"


Affected Products
Product: Microsoft XML Core Services 3.0
Platforms:
- Windows 7 for x64-based Systems Service Pack 1
- Windows 10 Version 1607 for x64-based Systems
- Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
- Windows 8.1 for x64-based systems
- Windows 10 Version 1511 for x64-based Systems
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows 7 for 32-bit Systems Service Pack 1
- Windows Server 2008 for Itanium-Based Systems Service Pack 2
- Windows 8.1 for 32-bit systems
- Windows 10 for 32-bit Systems
- Windows Vista x64 Edition Service Pack 2
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2012 (Server Core installation)
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2012
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows RT 8.1
- Windows Vista Service Pack 2
- Windows 10 for x64-based Systems
- Windows 10 Version 1511 for 32-bit Systems
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2012 R2
- Windows 10 Version 1607 for 32-bit Systems
- Windows Server 2016 (Server Core installation)
- Windows Server 2016


Conclusion
Patches are available for this vulnerability and should be applied. Microsoft has published no workarounds for this vulnerability.


Post created by
newWorld

AdGholas Malvertising Campaign

What is Malvertising Campaign?

The term malvertising refers to online ads used for spreading malware. Malvertising works by injecting or embedding malicious code in legitimate web pages and online advertisements. In most cases we have seen, attackers use legitimate websites, find loopholes in those sites, and then add their malicious code to them. They use exploit kits to exploit those flaws and compromise the websites. We observed that several popular websites and news sources have been victims of malvertising and have unknowingly had malicious advertisements placed on their web pages or widgets, including Horoscope.com, The New York Times, the London Stock Exchange, Spotify, and The Onion. A malvertising campaign is a set of incidents carried out by attackers to spread malware using online advertisements. Most of the time, a campaign targets a particular sector or business.



AdGholas Malvertising Campaign

A group of rogue actors involved in stealthy attacks was exposed by security vendors such as ESET, Proofpoint, and Trend Micro. According to Malwarebytes telemetry, AdGholas was the largest malvertising attack at the end of 2016. The operation has been running since at least October 2015. According to security vendor Proofpoint, this gang managed to distribute malicious advertisements through more than 100 ad exchanges, attracting between 1 million and 5 million page hits per day.




Please refer to our article on the Windows zero-day exploit used by the AdGholas hackers:


Post created by


Monday, March 13, 2017

Top Ten Excel Formulas used in day to day job:

Using web sources, we created this post; it can be used as a slideshow or presentation.










These formulas will be helpful in daily job activities, and they can be used to train people as a presentation or slideshow. The video above contains the same information.

Post made by
newWorld


Friday, March 10, 2017

Important Fields in Virustotal:

On a VirusTotal malware sample page there are usually seven tabs:
Analysis: the scan results.
File detail: packer, PE details (header, sections, imports), and file metadata.
Relationship: details about similar samples, malware variants, and bundles.
Additional Information: file identification (hashes: MD5, SHA1, SHA256), file size, file type, VirusTotal submission details, and file names (the name at upload time; a file may have many names, because the person who uploads the file can rename it before uploading).
Comments: comments from malware researchers, if the sample is widely seen.
Votes: not important to our analysis; ignore this section.
Behavioral Information: like a dynamic analysis of the given sample; it gives more detail about file creation, deletion, network communication, etc. by the given sample.


Fields to look at:
File name: if you get a proper, readable file name, you can use it to search the logs.
Hash of the file: any of MD5, SHA1, or SHA256 can be used if the client has file hashes in the logs, so that we can easily relate them to the infection and go for in-depth analysis.
IP address/URL: any malicious IP address or URL associated with the file in VT can be used to search the logs as an indicator of compromise.


Important fields among the above seven tabs:
Relationship,
Additional Information,
Behavioral Information, and
Comments.

Relationship:
Here we get more information about similar or related file infections in VirusTotal. The analyst needs to check all those links and look for any malicious IPs, URLs, and file names that will be helpful for our analysis.

Additional Information:
File name: if you get a proper, readable file name, you can use it to search the logs.
Hash of the file: any of MD5, SHA1, or SHA256 can be used if the client has file hashes in the logs, so that we can easily relate them to the infection and go for in-depth analysis.

Behavioral Information:
- IP address/URL: any malicious IP address or URL associated with the file in VT can be used to search the logs as an indicator of compromise.
- New files created
- C&C communication (IP address/URL)

Comments:
Here you sometimes get important information from malware researchers, such as more details about propagation, IOCs, and even sandbox links.
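The fields listed above (hashes and file names under Additional Information, contacted IPs/URLs and created files under Behavioral Information) are only useful once they are turned into indicators and run over the client's logs. The following Python script is an added example, not code from the original post or from VirusTotal: the report dictionary is a constructed stand-in for those tabs, the hashes are computed from a made-up byte string, the IPs use documentation ranges, and the proxy/EDR log lines are invented. It also applies the post's "proper, readable file name" rule by skipping generic names that would flood the search with false positives.

```python
"""Build IoCs from VirusTotal-style fields and search log lines for them.

Added example, not part of the original post. Every value below (sample
bytes, file names, IPs, URLs, paths, log lines) is constructed.
"""
import hashlib
import re
from typing import Dict, List, Set, Tuple


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256, the three hashes VT lists under Additional Information."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed stand-in for a sample's bytes (never embed real malware in scripts).
SAMPLE_BYTES = b"MZ\x90\x00constructed-sample-for-illustration"

# Names too generic to search logs for (the post's "readable file name" rule).
GENERIC_NAMES = {"a.exe", "setup.exe", "file.exe", "sample.exe"}

# Constructed VT-like report; field names model the tabs described in the post.
VT_REPORT = {
    "hashes": file_hashes(SAMPLE_BYTES),
    "file_names": ["invoice_2017.exe", "a.exe", "Invoice_2017.EXE"],
    "behaviour": {
        "contacted_ips": ["203.0.113.45"],                           # TEST-NET-3
        "contacted_urls": ["http://update-check.example/gate.php"],  # constructed
        "files_created": [r"C:\Users\Public\wincfg.dat"],            # constructed
    },
}


def build_iocs(report: dict) -> Dict[str, Set[str]]:
    """Normalise report fields into lower-cased indicator sets per category."""
    cats = ("hash", "file_name", "ip", "url", "domain", "dropped_file")
    iocs: Dict[str, Set[str]] = {c: set() for c in cats}
    iocs["hash"].update(h.lower() for h in report["hashes"].values())
    for name in report["file_names"]:
        n = name.lower()
        if n not in GENERIC_NAMES and len(n) >= 8:   # skip noisy generic names
            iocs["file_name"].add(n)
    beh = report["behaviour"]
    iocs["ip"].update(beh["contacted_ips"])
    for url in beh["contacted_urls"]:
        iocs["url"].add(url.lower())
        host = re.match(r"https?://([^/:]+)", url)
        if host:                                     # host alone catches other paths
            iocs["domain"].add(host.group(1).lower())
    iocs["dropped_file"].update(p.lower() for p in beh["files_created"])
    return iocs


def search_logs(iocs: Dict[str, Set[str]], lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, category, indicator) for every indicator found."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        low = line.lower()
        for category, indicators in iocs.items():
            for ioc in indicators:
                if category == "ip":
                    # Whole-address match so 203.0.113.4 does not hit 203.0.113.45.
                    matched = re.search(r"(?<![\d.])" + re.escape(ioc) + r"(?![\d.])", line)
                    matched = matched is not None
                else:
                    matched = ioc in low
                if matched:
                    hits.append((lineno, category, ioc))
    return hits


# Constructed proxy and EDR log lines.
LOGS = [
    "2017-03-10T09:12:01Z proxy src=10.0.0.12 dst=203.0.113.45 url=http://update-check.example/gate.php status=200",
    f"2017-03-10T09:12:03Z edr host=WS-17 event=process_create image=C:\\Users\\bob\\Downloads\\invoice_2017.exe sha256={VT_REPORT['hashes']['sha256']}",
    "2017-03-10T09:12:04Z edr host=WS-17 event=file_create path=C:\\Users\\Public\\wincfg.dat",
    "2017-03-10T09:15:22Z proxy src=10.0.0.14 dst=198.51.100.7 url=http://www.example.org/ status=200",
    "2017-03-10T09:16:00Z edr host=WS-22 event=process_create image=C:\\Windows\\System32\\a.exe",
]

if __name__ == "__main__":
    for lineno, category, ioc in search_logs(build_iocs(VT_REPORT), LOGS):
        print(f"line {lineno}: {category} = {ioc}")
```

The hash match is the strongest signal because it identifies the exact file; a file-name or domain match is weaker and should be confirmed with the surrounding log context before it is treated as an infection.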



Post created by
newWorld

Thursday, March 9, 2017

Evolution of Ransomware: Part II

  • Winlocker

This variant of ransomware also locks your computer, but it displays a more intimidating ransom message that appears to be from your local law enforcement agency. Unlike SMS ransomware, this kind instructs you to pay through an online payment system such as Ukash, Paysafecard, or MoneyPak.
Image shows: the lock screen indicates that the FBI has locked the user's computer for committing some sort of cybercrime. The lock screen also includes instructions on how the user can pay the fine via an online payment service. This type of malware is more commonly known as the "FBI Virus" or "MoneyPak Virus". Police ransomware and porno-blocker ransomware were other locker ransomware.

Operating system - Part 1:

In our blog, we published several articles on OS concepts which mostly on the perspective for malware analysis/security research. In few in...