Category Archives: Advisories

Ransomware Roundup – 2022/06/09

Read Time:4 Minute, 47 Second

FortiGuard Labs has become aware of several ransomware that caught public attention for the week of June 6th, 2022. It is imperative to raise awareness about ransomware variants because infections can cause severe damage to organizations. This week’s Ransomware Roundup Threat Signal covers YourCyanide, LockBit, WhiteCat, and DeadBolt ransomware along with the Fortinet protections against them.What is YourCyanide ransomware?YourCyanide ransomware is a CMD-based ransomware variant still under development and abuses PasteBin, Discord, Telegram and Google services. The ransomware belongs to GonnaCope ransomware family that was discovered in April 2022.YourCyanide ransomware reportedly arrives as an LNK (Link) file that contains a PowerShell script that downloads and runs a malicious file from Discord. The downloaded file then drops and executes a CMD file. The CMD file downloads another CMD file from Pastebin, which performs several activities that include:Checks for usernames for which the ransomware avoids infection.Drops a Batch file that continues to open the Blank Screen Saver fileChecks for specific services and security applications which the ransomware tries to terminateSwaps the mouse buttonDisables TaskManagerRanames files in Desktop, Documents, Music, Pictures, Videos, and Downloads folders. Renamed files have a “.cyn” file extensionCreates two VBS files that send the ransomware as an email attachment Copies itself to D, E, F, G, and H drivers as well as UserProfile folderDrops a ransom note to DesktopDownloads a remote CMD file from DiscordThe CMD file downloaded from Discord steals access token from applications including Chrome, Discord, and Microsoft Edge, and collects information such as installed applications, and machine information from the compromised machine. The collected information will be then sent to a Telegram chat bot.It also reportedly downloads an executable file from Google Docs and executes it. The remote executable file is no longer accessible, however the file is likely used to steal credentials from various Web browsers.Screenshot of YourCyanide’s ransom noteWhat is the Status of Coverage?FortiGuard Labs provides the following AV coverage against available samples associated with YourCyanide ransomware:BAT/Agent.QU!tr.dldrBAT/Agent.C20D!trLNK/Agent.AG!tr.dldrLNK/Agent.3D7B!tr.dldrPossibleThreatWhat is LockBit ransomware?LockBit is a ransomware that encrypts files in victims’ machines and exfiltrate data. It then demands ransom in exchange for decrypting the affected files and not releasing the stolen data to the public. LockBit functions as Ransomware-as-a-Service (RaaS) that has been active for years and provides Lockbit ransomware, operates data leaks and ransom payment sites, and offers ransom negotiation service to its affiliate. Affiliates of LockBit typically earn approximately 70-80% of earnings, while the LockBit operators earn the rest.LockBit ransomware recently came to light again this week because Evil Corp reportedly switched their ransomware to LockBit in order to avoid sanctions imposed by the U.S. government. Evil Corp is a threat actor group that is known to have developed and use Dridex banking malware for financial gain. Dridex was also used to deliver another malware such as ransomware to victims’ machines. Alleged ransomware that were previously associated with Evil Corp includes Bitpaymer, Doppelpaymer, Wastedlocker and Hades. FortiGuard Labs previously released a Threat Signal on LockBit. See the Appendix for a link to “LockBit 2.0 Ransomware as a Service (RaaS) Incorporates Enhanced Delivery Mechanism via Group Policy”.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against recent Lockbit ransomware samples:W32/LockBit.29EA!tr.ransomW32/Generic.AC.171!trMSIL/Generic.EBMY!trW32/Filecoder.NXQ!tr.ransomW32/Filecoder.OAN!tr.ransomWhat is WhiteCat ransomware?WhiteCat is a new Chaos ransomware variant. It checks for “forbidden country” by looking at the current input language/keyboard. If the current inpur/keyboard is set to “az-Latn-AZ” (Latin, Azerbaijani) and “tr-TR” (Turkish), the ransomware stops infection. The ransomware then searches for files smaller than 2,117,152 bytes on the compromised machine and encrypts them. It also overwrites files larger than 2,117,152 bytes on the compromised machine. The affected files will have a random 4 letter file extension. Lastly, WhiteCat drops and displays a ransom note in READMEPLEASE.txt.Screenshot of WhiteCat’s ransom noteWhat is the Status of Coverage?FortiGuard Labs provides the following AV coverage against WhiteCat ransomware:MSIL/ClipBanker.SX!trWhat is DeadBolt ransomware?DeadBolt ransomware is a new ransomware that was first discovered in early 2022 and targeted QNAP Network-Attached Storage (NAS) devices for file encryption. It has since evolved to infect Asustor NAS devices. NAS devices are often used by SOHO (Small Office/Home Office) and home users for backup and file sharing purposes. QNAP released a security advisory on May 19th, warning its users of the ransomware. The advisory also urges the users to apply the latest update to the NAS devices or remove them from internet, which is an indication that DeadBolt ransomware was seen to exploit an unspecified QNAP vulnerability.Files encrypted by DeadBolt ransomware typically have a “.deadbolt” file extension. Its ransom note is “ALL YOUR FILES HAVE BEEN LOCKED BY DEADBOLT.html” and demands ransom from the victim to obtain a decryption key for the affected files. What’s curious about DeadBolt’s ransom note is that it includes a link to another ransomware directed at QNAP and Asustor. The ransom note for QNAP states that the company will receive information on the QNAP vulnerability that DeadBolt exploited to infect QNAP devices in exchange for Bitcoin payment. If the company pays extra ransom, QNAP will receive the vulnerability information as well as master decryption key that can decrypt all files encrypted by DeadBolt ransomware.Screenshot of DeadBolt’s ransom note courtesy of AsustorWhat is the Status of Coverage?FortiGuard Labs provides the following AV coverage against DeadBolt ransomware:Linux/Filecoder_DeadBolt.A!trLinux/Filecoder_DeadBolt.B!tr

Read More

Qakbot Delivered Through CVE-2022-30190 (Follina)

Read Time:2 Minute, 12 Second

FortiGuard Labs is aware of a report that CVE-2022-30190 is exploited in the wild to deliver Qakbot malware. Currently, a patch is not available for CVE-2022-30190. Also known as Qbot and Pinkslipbot, Qakbot started off as a banking malware. In recent years, Qakbot was seen as a delivery vehicle for other malware, which often results in a compromised machine being infected with ransomware.Why is this Significant?This is significant because CVE-2022-30190 is a Windows vulnerability that has no available patch and is being abused in the field. The current attack campaign delivers Qakbot to victim’s machine. While final payload has not been identified nor reported, often Qakbot infection leads to ransomware deployed to the compromised machine. A publicly available report suggests Black Basta ransomware was deployed through Qakbot.What is CVE-2022-30190?CVE-20022-30190, also known as Follina, is a vulnerability in Microsoft Support Diagnostic Tool, which uccessful exploitation allows an attacker to run arbitrary code with the privileges of the calling application. FortiGuard Labs previously released Outbreal Alert and Threat Signal on CVE-2022-30190. See the Appendix for links to “MSDT Follina” and “Follina: 0-day Windows MSDT Vulnerability (CVE-2022-30190) Exploited In The Wild”.How does the Current Qakbot Campaign Work?Reportedly, malicious emails arrive with an HTML attachment. Opening the HTML attachment downloads and saves a .zip file that an inner IMG file inside. The IMG file contains a DLL, a Word document, and a .LNK file. The DLL is a Qakbot variant which the link file will execute. Alternatively, the Word file will download and execute a remote HTML file, which has a script to abuse CVE-2022-30190, which then download and execute a Qakbot variant. What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against available samples associated with the current Qakbot campaign that abuses CVE-2022-30190:W32/Qbot.DM!trMSOffice/CVE_2021_40444.A!tr LNK/Agent.BD!trHTML/CVE_2022_30190.A!trRegarding IPS coverage, the following signature will detect the retrieval of remote HTML files that contain the MSDT command:MS.Office.MSHTML.Remote.Code.Execution.Known network IOCs for CVE-2022-30190 are blocked by the WebFiltering client.FortiEDR will provide protection from exploitation of this vulnerability and subsequent post-exploitation activity. See the Appendix for a link to “Technical Tip: How FortiEDR protects against CVE-2022-30190 ‘Follina’ Microsoft Office protocol vulnerability” for more information.Th FortiGuard Content Disarm and Reconstruction (CDR) service can detect the attack in real-time and prevent it by disarming the “oleobject” data from Microsoft Office files.

Read More

CVE-2017-20021

Read Time:20 Second

A vulnerability, which was classified as critical, was found in Solare Solar-Log 2.8.4-56/3.5.2-85. This affects an unknown part of the component File Upload. The manipulation leads to privilege escalation. It is possible to initiate the attack remotely. Upgrading to version 3.5.3-86 is able to address this issue. It is recommended to upgrade the affected component.

Read More