THREAT INSIGHTS REPORT
September 2019
THREAT INSIGHTS REPORT SEPTEMBER 2019
THREAT LANDSCAPE
The Bromium Threat Insights Report is designed to help our customers become more aware of emerging threats, equip
security teams with tools and knowledge to combat today’s attacks, and manage their security posture.
Bromium Secure Platform is deployed on desktops and laptops, capturing any potential threats and allowing them to
detonate inside secure containers. Adding isolation to the endpoint security stack transforms your endpoints into your
strongest defence, while giving security teams a unique advantage to be
able to monitor, track and trace any malware that tries to enter your
networks.
NOTABLE THREATS
Emotet’s command and control (C2) infrastructure was observed returning
online on 22 August, after taking a long summer break since early June
2019. At the time of writing, no new malicious spam campaigns have been
observed, but the resumption of the botnet is likely a precursor to new
campaigns.
In August, Bromium Labs analysed a dropper that contained a fascinating anti-analysis feature. The malware attempted to
evade detection by removing any hooked APIs, tampering with the memory-mapped ntdll.dll, the dynamic-link library that
contains the user-mode system call stubs. API hooking is commonly used by endpoint detection and response (EDR) tools to
detect and block malicious activity. The dropper ultimately delivered Agent Tesla, a family of credential-stealing malware.
In early August, TrickBot’s operators started using Ostap, a commodity JavaScript (or more specifically, JScript) downloader.
Previously, phishing campaigns relied on downloaders that used obfuscated Command shell (cmd.exe) and PowerShell
commands triggered by Visual Basic for Applications (VBA) macros to deliver their TrickBot payloads. Ostap is notable for its
low detection rate, large size and aggressive anti-analysis measures. Bromium Labs posted Deobfuscating Ostap, which
steps through how to deobfuscate the downloader and released a tool to automate its deobfuscation.
In July, we observed phishing campaigns that delivered a new variant of the Dridex banking Trojan. The variant is notable
because it used five code injection and loading techniques to avoid detection:
• AtomBombing
• DLL search order hijacking
• Process hollowing
• PE injection
• Thread execution hijacking
In the Bromium Labs blog post, Dridex’s Bag of Tricks, we explore how Dridex uses each technique to achieve its objectives.
In a two-part blog series, An Analysis of L0rdix RAT, Panel and Builder and Decrypting L0rdix RAT’s C2, Bromium Labs
analysed a cracked copy of the bot, builder and web panel of L0rdix, a .NET remote access Trojan (RAT) that has been
circulating on underground forums. The default AES key used to encrypt L0rdix’s C2 traffic was discovered in the panel, and
Bromium Labs wrote a tool that uses it to decrypt L0rdix’s traffic from a packet capture.
Malware type classifications, August 2019
Bromium Labs also analysed a new variant of FlawedAmmyy, a RAT that received attention for campaigns targeting
Korean-speaking organisations, and how the protect-before-you-detect approach of Bromium Secure Platform thwarts such attacks.
NOTABLE TECHNIQUES
The API unhooking technique used by a dropper that delivered Agent Tesla is an interesting form of defence evasion
(TA0005). The dropper contained shellcode that removed any hooked APIs by performing the following steps:
1. The shellcode changed the memory permissions of ntdll.dll to PAGE_EXECUTE_READWRITE through a call to
NtProtectVirtualMemory.
2. It removed API hooks by overwriting the five bytes before the location of the value of Wow64Transition, where any
hooks would be located. Any hooking instructions that are five bytes or less in size were replaced with the
instructions that were there originally.
3. The shellcode then changed the page permissions of the region back to PAGE_EXECUTE_READ and launched the
payload through a call to ShellExecuteW.
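To make the three steps concrete, the following is an added example in portable C; it is not code from the report or from the dropper. It models the part of the technique that matters to a defender: a five-byte inline hook (jmp rel32) placed over the mov eax, <syscall number> instruction that opens each 32-bit ntdll syscall stub, and the restoration of the original bytes that step 2 describes. The stub layout, image base, Wow64Transition address, syscall numbers and hook target are constructed and simplified assumptions; no page protections are changed and no Windows APIs are called. The scan_stubs routine is the defender's side of the same comparison: diffing the mapped image against a clean copy of ntdll.dll reveals both the EDR's hooks and their removal.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STUB_SIZE 12   /* bytes per stub in this constructed layout */
#define HOOK_SIZE 5    /* jmp rel32: E9 xx xx xx xx */
#define MAX_STUBS 8

typedef struct { size_t stub; uint32_t target; } hook_t;

/* Constructed, simplified 32-bit ntdll syscall stub (an assumption, not the
 * report's bytes):
 *   B8 <imm32>     mov eax, <syscall number>   ; the 5 bytes an inline hook overwrites
 *   FF 15 <imm32>  call dword ptr [Wow64Transition]
 *   C3             ret
 */
static void build_stub(uint8_t *dst, uint32_t syscall_no, uint32_t wow64_transition)
{
    memset(dst, 0xCC, STUB_SIZE);
    dst[0] = 0xB8; memcpy(dst + 1, &syscall_no, 4);
    dst[5] = 0xFF; dst[6] = 0x15; memcpy(dst + 7, &wow64_transition, 4);
    dst[11] = 0xC3;
}

/* Clean stubs, standing in for the .text section read from ntdll.dll on disk. */
void build_clean_stubs(uint8_t *out, size_t count, uint32_t wow64_transition)
{
    for (size_t i = 0; i < count; i++)
        build_stub(out + i * STUB_SIZE, 0x100u + (uint32_t)i, wow64_transition);
}

/* Simulated EDR inline hook: replace the first 5 bytes of stub `idx` with a
 * jmp rel32 to `target`. rel32 is relative to the byte after the jmp. */
void install_hook(uint8_t *mapped, uint32_t base, size_t idx, uint32_t target)
{
    uint8_t *p = mapped + idx * STUB_SIZE;
    uint32_t jmp_end = base + (uint32_t)(idx * STUB_SIZE) + HOOK_SIZE;
    uint32_t rel = target - jmp_end;   /* modular subtraction yields the signed rel32 */
    p[0] = 0xE9; memcpy(p + 1, &rel, 4);
}

/* Defender side: diff the mapped image against the clean copy stub by stub.
 * Returns the number of stubs whose first 5 bytes differ; for jmp rel32 hooks
 * the resolved jump target (e.g. inside an EDR DLL) is recorded in `found`. */
size_t scan_stubs(const uint8_t *mapped, const uint8_t *clean, size_t count,
                  uint32_t base, hook_t *found, size_t max_found)
{
    size_t n = 0;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *m = mapped + i * STUB_SIZE;
        if (memcmp(m, clean + i * STUB_SIZE, HOOK_SIZE) == 0) continue;
        uint32_t target = 0;
        if (m[0] == 0xE9) {
            uint32_t rel; memcpy(&rel, m + 1, 4);
            target = base + (uint32_t)(i * STUB_SIZE) + HOOK_SIZE + rel;
        }
        if (n < max_found) { found[n].stub = i; found[n].target = target; }
        n++;
    }
    return n;
}

/* What the dropper's shellcode does once the page is writable: put the
 * original 5 bytes back into every hooked stub. Returns the number restored. */
size_t restore_stubs(uint8_t *mapped, const uint8_t *clean, size_t count)
{
    size_t restored = 0;
    for (size_t i = 0; i < count; i++) {
        uint8_t *m = mapped + i * STUB_SIZE;
        const uint8_t *c = clean + i * STUB_SIZE;
        if (memcmp(m, c, HOOK_SIZE) != 0) { memcpy(m, c, HOOK_SIZE); restored++; }
    }
    return restored;
}

int main(void)
{
    enum { COUNT = 4 };
    /* Constructed addresses: image base, Wow64Transition and an EDR hook handler. */
    const uint32_t BASE = 0x77D00000u, WOW64_TRANSITION = 0x77D1F000u, EDR = 0x6A001000u;
    uint8_t clean[COUNT * STUB_SIZE], mapped[COUNT * STUB_SIZE];
    hook_t found[MAX_STUBS];

    build_clean_stubs(clean, COUNT, WOW64_TRANSITION);
    memcpy(mapped, clean, sizeof mapped);          /* the image as first mapped */
    install_hook(mapped, BASE, 1, EDR);            /* the EDR hooks two stubs */
    install_hook(mapped, BASE, 3, EDR + 0x40u);

    size_t n = scan_stubs(mapped, clean, COUNT, BASE, found, MAX_STUBS);
    for (size_t i = 0; i < n; i++)
        printf("stub %zu hooked: jmp 0x%08x\n", found[i].stub, (unsigned)found[i].target);

    size_t restored = restore_stubs(mapped, clean, COUNT);
    printf("restored %zu stubs, image matches disk copy: %s\n", restored,
           memcmp(mapped, clean, sizeof mapped) == 0 ? "yes" : "no");
    return 0;
}
```

The same diff, taken from the defender's side, is also the detection opportunity: an EDR that records where its own hooks are can periodically re-read those five bytes and treat their disappearance from a process as an alert, which is exactly the event the dropper's step 2 produces.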
ACTIONABLE INTELLIGENCE
Bromium Secure Platform Recommendations
Bromium customers are always protected because malware is isolated from the host computer and cannot spread onto the
corporate network. We recommend updating to the latest Bromium Secure Platform software release and using the
Operational and Threat Dashboards in your Bromium Controller to ensure isolation is running correctly on your endpoint
devices.
Annotated AMSI C# bypass observed in June 2019
PHP function responsible for decrypting L0rdix’s C2 traffic, including the default key
Shellcode in Agent Tesla dropper that removes API hooks (August 2019)
In your Bromium Secure Platform policy, we recommend that untrusted
file support for email clients and Microsoft Office protection options are
enabled (these are enabled by default in our recommended policies).
Switching on these settings is an easy way to reduce the risk of infection
posed by phishing campaigns. Please contact Bromium Support if you
need help applying suggested configurations.
General Security Recommendations
Tracking the use of potentially unwanted applications (PUAs) in your
enterprise can uncover previously unknown vectors for data exfiltration.
For example, many third-party software companies offer remote support
for their products using legitimate remote access software, such as
Bomgar and TeamViewer. Although legitimate, these applications may
also be used for malicious purposes and so are normally classified as
PUAs. We recommend tracking the use of any remote access software
in your enterprise to ensure that its use is authorised.
Signatures
This month’s signatures focus on detecting Ostap and L0rdix. Below are YARA rules for detecting these families. Python
scripts to automate the decryption of L0rdix’s C2 traffic and the deobfuscation of Ostap are also available to download
from GitHub.
MITRE ATT&CK heatmap showing the range of techniques used by threats isolated in August 2019
Top 10 MITRE ATT&CK techniques used by threats isolated in August 2019
rule win_ostap_jse {
    meta:
        author = "Alex Holland @cryptogramfan (Bromium Labs)"
        date = "2019-08-29"
        sample_1 = "F3E03E40F00EA10592F20D83E3C5E922A1CE6EA36FC326511C38F45B9C9B6586"
        sample_2 = "38E2B6F06C2375A955BEA0337F087625B4E6E49F6E4246B50ECB567158B3717B"
    strings:
        $comment = { 2A 2A 2F 3B } // Matches on **/;
        $array_0 = /\w{5,8}\[\d+\]=\d{1,3};/
        $array_1 = /\w{5,8}\[\d+\]=\d{1,3};/
    condition:
        ((($comment at 0) and (#array_0 > 100) and (#array_1 > 100)) or
        ((#array_0 > 100) and (#array_1 > 100))) and
        (filesize > 500KB and filesize < 1500KB)
}
rule win_l0rdix {
    meta:
        author = "Bromium Labs"
        date = "2019-07-19"
        sample_1 = "18C6AAF76985404A276466D73A89AC5B1652F8E9659473F5D6D656CA2705B0D3"
        sample_2 = "C2A4D706D713937F47951D4E6E975754C137159DC2C30715D03331FC515AE4E8"
    strings:
        $ua = "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0" wide // Firefox 53 on Windows 10
        $sig = "L0rdix" wide ascii
        $sched_task = "ApplicationUpdateCallback" wide
        $exe = "syscall.exe" wide
        $cnc_url_1 = "connect.php?" wide
        $cnc_url_2 = "show.php" wide
        $browser_1 = "\\Kometa\\User Data\\Default\\Cookies" wide
        $browser_2 = "\\Orbitum\\User Data\\Default\\Cookies" wide
        $browser_3 = "\\Amigo\\User\\User Data\\Default\\Cookies" wide
        $coin_regex_1 = "[13][a-km-zA-HJ-NP-Z1-9]{25,34}" wide // Bitcoin
        $coin_regex_2 = "0x[a-fA-F0-9]{40}" wide // Ethereum
        $coin_regex_3 = "L[a-zA-Z0-9]{26,33}" wide // Litecoin
    condition:
        uint16(0) == 0x5A4D and (any of ($ua,$sig,$sched_task,$exe)) and (any of ($cnc_url_*)) and
        (any of ($browser_*)) and (any of ($coin_regex_*))
}
STAY CURRENT
The Bromium Threat Insights Report is made possible by customers who opt-in to share their threats on the Bromium Threat
Cloud. Alerts that are forwarded to us are analysed by our security experts to reduce false positives and generate higher
fidelity alerts. You can also use the threat data collected from isolated malware to protect other critical assets that are not
secured by Bromium. To learn more, review the Knowledge Base article on Threat Sharing.
We recommend that customers take the following actions to ensure that they get the most out of their Bromium
deployments:
• Enable Bromium Cloud Services and Threat Forwarding. This will keep
your endpoints updated with the latest Bromium Rules File (BRF) and
make sure we report the latest security incursions to you. Plan to update
the Controller with every new release to receive the latest operational
and threat intelligence report templates. See the latest release notes and
software downloads available on the Customer Portal.
• Update Bromium endpoint software at least twice a year to stay current
with emerging attack technique detections added by Bromium Labs.
For the latest threat research, head over to the Bromium Blog, where our researchers regularly dissect new threats and
share their findings.
Bromium Labs Webinar: Mapping Threat Intelligence to the MITRE ATT&CK Framework
Join the Bromium Labs team to learn how threats play out in MITRE’s command and control (C2) tactics using isolation for
endpoint security and how Bromium threat telemetry is mapped to the MITRE ATT&CK framework.
Thursday, Sept 26, 2019 10am PT / 1pm ET
Register on BrightTalk
ABOUT THE BROMIUM THREAT INSIGHTS REPORT
Enterprises are most vulnerable from users opening email attachments, clicking on hyperlinks in emails or chats and
downloading files from the web. Bromium Secure Platform protects the enterprise by isolating risky activity into micro-VMs,
ensuring that malware cannot infect the host computer or spread onto the corporate network. Since the malware is
contained, Bromium Secure Platform collects rich forensic data to help our customers harden their entire infrastructure. The
Bromium Threat Insights Report addresses key takeaways from the latest reported and analysed threats to ensure that our
customers are thoroughly protected.