
    THREAT INSIGHTS REPORT

    September 2019

    THREAT LANDSCAPE

    The Bromium Threat Insights Report is designed to help our customers become more aware of emerging threats, equip security teams with tools and knowledge to combat today’s attacks, and manage their security posture.

    Bromium Secure Platform is deployed on desktops and laptops, capturing any potential threats and allowing them to detonate inside secure containers. Adding isolation to the endpoint security stack transforms your endpoints into your strongest defence, while giving security teams a unique advantage to be able to monitor, track and trace any malware that tries to enter your networks.

    NOTABLE THREATS

    Emotet’s command and control (C2) infrastructure was observed returning online on 22 August, after taking a long summer break since early June 2019. At the time of writing, no new malicious spam campaigns have been observed, but the resumption of the botnet is likely a precursor to new campaigns.

    In August, Bromium Labs analysed a dropper that contained a fascinating anti-analysis feature. The malware attempted to evade detection by removing any API hooks, tampering with the memory-mapped ntdll.dll, the dynamic-link library that contains the user-mode system call stubs. API hooking is commonly used by endpoint detection and response (EDR) tools to detect and block malicious activity. The dropper ultimately delivered Agent Tesla, a family of credential-stealing malware.

    In early August, TrickBot’s operators started using Ostap, a commodity JavaScript (or more specifically, JScript) downloader. Previously, phishing campaigns relied on downloaders that used obfuscated Command shell (cmd.exe) and PowerShell commands triggered by Visual Basic for Applications (VBA) macros to deliver their TrickBot payloads. Ostap is notable for its low detection rate, large size and aggressive anti-analysis measures. Bromium Labs posted Deobfuscating Ostap, which steps through how to deobfuscate the downloader, and released a tool to automate its deobfuscation.

    In July, we observed phishing campaigns that delivered a new variant of the Dridex banking Trojan. The variant is notable because it used five code injection techniques to avoid detection:

    • AtomBombing

    • DLL order hijacking

    • Process hollowing

    • PE injection

    • Thread execution hijacking

    In the Bromium Labs blog post, Dridex’s Bag of Tricks, we explore how Dridex uses each technique to achieve its objectives.

    In a two-part blog series, An Analysis of L0rdix RAT, Panel and Builder and Decrypting L0rdix RAT’s C2, Bromium Labs analysed a cracked copy of the bot, builder and web panel of L0rdix, a .NET remote access Trojan (RAT) that has been circulating on underground forums. The default AES key used to encrypt L0rdix’s C2 traffic was discovered in the panel, and Bromium Labs wrote a tool that decrypts L0rdix’s traffic from a packet capture.

    Figure: Malware type classifications, August 2019

    Links:
    https://twitter.com/BlackLotusLabs/status/1164648560933199872
    https://www.bromium.com/agent-tesla-evading-edr-by-removing-api-hooks/
    https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/
    https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py
    https://www.bromium.com/dridex-threat-analysis-july-2019-variant/
    https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/
    https://www.bromium.com/decrypting-l0rdix-rats-c2/
    https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/decrypt_l0rdix_c2.py

    Bromium Labs also analysed a new variant of FlawedAmmyy, a RAT that received attention for campaigns targeting Korean-speaking organisations, and how the protect-before-you-detect approach of Bromium Secure Platform thwarts such attacks.

    NOTABLE TECHNIQUES

    The API unhooking technique used by a dropper that delivered Agent Tesla is an interesting form of defence evasion (TA0005). The dropper contained shellcode that removed any hooked APIs by performing the following steps:

    1. The shellcode changed the memory permissions of ntdll.dll to PAGE_EXECUTE_READWRITE through a call to NtProtectVirtualMemory.

    2. It removed the API hooks by overwriting the five bytes before the location of the value of Wow64Transition, where any hooks would be located. Any hooking instructions five bytes or less in size were replaced with the instructions that were there originally.

    3. The shellcode then changed the page permissions of the region back to PAGE_EXECUTE_READ and launched the payload through a call to ShellExecuteW.

    ACTIONABLE INTELLIGENCE

    Bromium Secure Platform Recommendations

    Bromium customers are always protected because malware is isolated from the host computer and cannot spread onto the corporate network. We recommend updating to the latest Bromium Secure Platform software release and using the Operational and Threat Dashboards in your Bromium Controller to ensure isolation is running correctly on your endpoint devices.

    Figure: Annotated AMSI C# bypass observed in June 2019

    Figure: PHP function responsible for decrypting L0rdix’s C2 traffic, including the default key

    Figure: Shellcode in Agent Tesla dropper that removes API hooks (August 2019)

    Links:
    https://www.bromium.com/flawedammyy-endpoint-detection-weakness/
    https://www.bromium.com/agent-tesla-evading-edr-by-removing-api-hooks/
    https://attack.mitre.org/tactics/TA0005/
    https://support.bromium.com/s/documentation

    In your Bromium Secure Platform policy, we recommend that untrusted file support for email clients and Microsoft Office protection options are enabled (these are enabled by default in our recommended policies). Switching on these settings is an easy way to reduce the risk of infection posed by phishing campaigns. Please contact Bromium Support if you need help applying suggested configurations.

    General Security Recommendations

    Tracking the use of potentially unwanted applications (PUAs) in your

    enterprise can uncover previously unknown vectors for data exfiltration.

    For example, many third-party software companies offer remote support

    for their products using legitimate remote access software, such as

    Bomgar and TeamViewer. Although legitimate, these applications may

    also be used for malicious purposes and so are normally classified as

    PUAs. We recommend tracking the use of any remote access software

    in your enterprise to ensure that its use is authorised.

    Signatures

    The focus of this month’s signatures are methods of detecting Ostap and L0rdix malware. Below are YARA rules for

    detecting these families. Python scripts to automate the decryption of L0rdix’s C2 traffic and the deobfuscation of Ostap are

    also available to download from GitHub.

    Figure: MITRE ATT&CK heatmap showing the range of techniques used by threats isolated in August 2019

    Figure: Top 10 MITRE ATT&CK techniques used by threats isolated in August 2019

    Links:
    https://support.bromium.com/
    https://github.com/cryptogramfan/Malware-Analysis-Scripts/

    rule win_ostap_jse {
        meta:
            author = "Alex Holland @cryptogramfan (Bromium Labs)"
            date = "2019-08-29"
            sample_1 = "F3E03E40F00EA10592F20D83E3C5E922A1CE6EA36FC326511C38F45B9C9B6586"
            sample_2 = "38E2B6F06C2375A955BEA0337F087625B4E6E49F6E4246B50ECB567158B3717B"
        strings:
            $comment = { 2A 2A 2F 3B } // Matches on **/;
            $array_0 = /\w{5,8}\[\d+\]=\d{1,3};/
            $array_1 = /\w{5,8}\[\d+\]=\d{1,3};/
        condition:
            ((($comment at 0) and (#array_0 > 100) and (#array_1 > 100)) or
             ((#array_0 > 100) and (#array_1 > 100))) and
            (filesize > 500KB and filesize < 1500KB)
    }
