Tag Archives: Malware

Latest News about Russia & Ukraine Cyber War

Before Russian troops entered Ukraine, both government and companies of Ukraine faced several cyber attacks. While these cyber attacks are expected to spread all over the world, the attacks on Ukraine continue. A few days ago, according to Reuters, Ukraine asks hackers to help defending its cyber structure. “The government of Ukraine is asking for volunteers from the country’s hacker underground to help protect critical infrastructure and conduct cyber spying missions against Russian troops, according two people involved in the project” said Reuters. “Ukrainian cyber community! It’s time to get involved in the cyber defense of our country,” said in the post..

While all this is happening, Anonymous, international hacking collective announced they support Ukraine and has declared war against Russia. After this statement, we saw that several Russian government and company websites faced issues.

As recent progress, Ukraine’s Computer Emergency Response Team (CERT-UA) has warned of Belarusian state-sponsored hackers targeting its military personnel as a phishing campaign. “Mass phishing emails have recently been observed targeting private ‘i.ua’ and ‘meta.ua’ accounts of Ukrainian military personnel and related individuals.. After the account is compromised, the attackers, by the IMAP protocol, get access to all the messages” the CERT-UA said.

Before, in November, Mandiant announced that UNC1151 Assessed with High Confidence to have Links to Belarus government. UNC is a naming of Mandiant for the threat actors that under investigation, but not yet matched to an existing group. and Ukraine now blames UNC1151 group for these attacks.

UNC1151 has targeted a wide variety of governmental and private sector entities, with a focus in Ukraine, Lithuania, Latvia, Poland, and Germany,” Mandiant researchers said in the report. “The targeting also includes Belarusian dissidents, media entities, and journalists.

Another statement on the subject, some threat actors behind Conti ransomware posted a warning Friday that said it was “officially announcing a full support of Russian government.” Previously, Mandiant announced that “at least a portion of actors involved with Conti ransomware are based in Russia“. As in the past, it seems that Russian government is taking advantage of their talents.

What is CONTI?

CONTI is a Windows ransomware family that has been used in recent years. Later, a linux version was also encountered. Until today, many different people using this ransomware were encountered in the Russian forums.

Will Cyber Attacks Spread from Ukraine to the Whole World?

Russian troops entered Ukraine, the whole world is watching this situation with surprise and sadness. Before the invasion, numerous Ukrainian organizations getting hit with a sophisticated new disk-wiping malware. Mandiant is tracking this threat as ‘NEARMISS’ and ESET is tracking as ‘HermeticWiper’ and they reported that they found traces of the malware in hundreds of systems in Ukraine. According to their statement, ESET observed the first sample around 14h52 UTC on 23th of February. “The PE compilation timestamp of one of the sample is 2021-12-28, suggesting that the attack might have been in preparation for almost two monthsESET explained.

According to researches, malware being deployed against organizations in several industries in Ukraine and designed solely to damage the Master Book Record (MBR) on Windows systems, making them unbootable once compromised. The malware does not contain any propagation functionality and, according to several reports. The attackers used a genuine code-signing certificate issued to a Cyprus-based company called Hermetica Digital Ltd., hence the wiper’s name (MD5: 94bc2ff3969d9775de508e1181318deb).

In January, Microsoft reported another similar malware targeting organizations in Ukraine. This malware was designed to overwrite and destroy the MBR too.

Currently, while the invasion continues, cyber attacks continue too. And most of the world stands against Russia about this attacks. Also the sanctions are increasing against Russia and with these situation, it is easy to understand that other nations will be the target of these cyber attacks. “Russia and its allies will conduct cyber espionage, information operations, and disruptive cyber attacks during this crisis. Though cyber espionage is already a regular facet of global activity, as the situation deteriorates, we are likely to see more aggressive information operations and disruptive cyber attacks within and outside of UkraineMandiant says about that.

All organizations and security teems should be aware of these threat. Events and incidents should be followed closely. We should work together with strong intelligence services that closely monitor threat groups to follow situation closer.

IoCs:

MD5 – 84ba0197920fd3e2b7dfa719fee09d2f

SHA-1 – 912342f1c840a42f6b74132f8a7c4ffe7d40fb77

SHA-256 – 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da

MD5 – 3f4a16b29f2f0532b7ce3e7656799125

SHA-1 – 61b25d11392172e587d8da3045812a66c3385451

SHA-256 – 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

Retired Ransomware Developers Release Decryption Keys

Decryption keys for Egregor, Sekhmet and Maze shared by someone claiming to be the developer of all three malware.

The keys were published in BleepingComputer forum. As stated in the forum post, this was a planned leak and is not related to the recent law enforcement against attackers. Again, according to the post, none of their team members will ever return to ransomware attacks and the source code of the malware has been destroyed.

The post was containing a link to download a 7zip file with four archives containing the Maze, Egregor and Sekhmet decryption keys, as well as the source code for the M0yv malware used by the operators. However, because of being malicious, the link removed from post. It may be possible to contact to get them again.

Meanwhile, some experts corrected the decryption keys’ performance.

BotenaGo Malware Source Code Published

AT&T Alien Labs last week announced that the source code of BotenaGo malware has been published in GitHub. BotenaGo was discovered and named in November 2021 by Alien Labs again, and according to the post of Alien Labs, the source code of this malware has been published on 16th of October 2021.

It is noticed that too few AV vendors can detect (3/60) this malware already and now it is more dangerous because with the published source code, it is possible to change code simply and create new variants to bypass the detection.

It is also possible to find a source code analysis and IoCs of the malware in the post with recommended actions suggestions.

Importing Module in Powershell

Modules are typically work in Powershell directly. “Get-Module” command can be used to see imported modules.

“Get-Module -ListAvailable” command show the modules available.

For the additional modules we want to use, we should import them first. Once we import the module, we can use its all commands anymore. We will add PowerSploit as example. PowerSploit project is a project no longer supported but sometimes we may want to use its capabilities. For importing, we firstly download the package from here. After downloading the module, we need to copy it to one of the module folders in PC. There are different module locations and we can see them with “$Env:PSModulePath” command.

We create a folder called PowerSploit and copy all files here from the downloaded package.

“Import-Module PowerSploit” command will install the module and all its commands will be available for us to use.

“Get-Command -Module PowerSploit” command can list all commands of this module.

“Get-Help <command>” command will show you the usage of the commands.

Searching for IoC with Redline

Redline is a free tool for investigation malicious activity through memory and file analysis. It has a lot of features for investigation but in this post, we will only mention searching for IoCs in the endpoint with Redline.

In previous post, we created an IoC to detect WinSCP.exe. Now, we will search it with Redline as the example.

We will go on with “Create an IOC Search Collector” menu in the main page of Redline. For doing this, we browse the folder that including IoCs we want to search in the PC. We have only one IoC here but if you have more IoCs in the folder, you will see all of them in “Indicators” tab.

Then we create a folder for IoC Collector and after clicking “Next” button, we show this folder. Redline creates the IoC Collector in this folder. We will now use RunRedlineAudit.bat file with the command line. Once the bat file finishes running, it will create a folder called “Sessions” and save outputs to this folder in the same directory.

Just run the “RunRedlineAudit.bat” file and wait for finishing. Then, open the “Sessions” folder. Each IoC sweep placed in its own folder calle “AnalysisSessionX”. This was our first sweep, so we click on “AnalysisSession1” folder. Our IoC report will be in “AnalysisSession1.mans” file. So, we click on this file, and it will take some time it generates the report.

When IoC report generated, we can see it on Redline tool, “IOC Reports” tab. As you can see in the screenshot, our WinSCP Indicator IoC got hits. When we click on it, we can see why this IoC got hit. Here, our IoC catch the file with its MD5 hash value and file name. With clicking on “View Details” button, we can see more details about the hit.

Threat Hunting II – Recommendations

An effective threat hunting is critical because it is hard to think like attackers and to search for the unknown in an enterprise network. This post may help organizations for an effective and successful threat hunting.

Knowledge of Topology and Environment

The purpose of threat hunting is to find the anomalies and their sources in the network and endpoint. So, a threat hunter should know what is normal and so can understand what is not normal.

From the risk management point of view, critical assets – servers, applications, data – should be known to protect more effectively. With the knowledge of the environment, the threat hunter knows the critical assets and hunts according to this. If there is segmentation in network, it is also critical to know the network topology and networks – or vlans – of these critical assets.

It is also necessary to know which application is running on which operating system, so the threat hunter can know the weaknesses of the system and can search according to these weaknesses.

Effective Endpoint Management

For threat hunting, the most used tools are EDRs. Organizations should be sure that they installed endpoint security tools to all endpoints and detect when they removed or stopped. Asset management is something more than CMDB. It must be managed by security teams whose understanding the criticality of the lack of endpoint security tool in an endpoint.

Intel

Threat intelligence is one of the most important feeds of threat hunting. Threat hunters need to have most recent intelligence and IoCs so they cant perform hunting the latest threats. Many malicious are produced and detected every day. This situation causes a lot of noises about intel. To avoid this noise, hunters should get valuable intelligence about their organization’s sector and geolocation, and integrate these IoCs with SIEM, EDR, etc..

Personnel

We all know that new tactics and techniques are created by attackers in general. The most important reason for this is while security professionals in organizations have to deal with so many different things, attackers can only focus on their target. Even if it so important to have valuable/experienced personnel, if they are dealing with different organizational missions while they are working, it will be difficult for them to think like an hacker and detect the unknown in the network. Threat hunters should focus to their mission to create their methodology and hunt. So, there should be dedicated personnels for threat hunting.

Coordination Across the Organization

Yes, threat hunters work in a strange mission, think like a hacker and search across the network but they must not work alone. A threat hunter should have a good relationships with key personnel in IT departments like network and system admins, help desk personnel and so on. With these relationships, they better understand the network, systems and more importantly the company’s and personnels’ way of doing business. For organization’s perspective, when a threat hunter finds a weaknesses during the hunting process, they inform critical IT personnel for remediation. This team working will result as a success in remediation phase of the incidents or weaknesses.

TTPs

Pyramid of Pain

Intelligence is critical for hunting for the known threats but hunters should be familiar with the TTPs of the attackers against the zero day threats. Threat hunters also should be aware of the updated or newly TTPs. Only with this knowledge hunters can act like an attacker. TTPs are at the top of Pyramid of Pain (defined by David Bianco).

Tools

To disclose the anomaly or malicious activity, threat hunters should use advanced tools like EDR, NDR, SIEM, FIM, etc.. These tools will help hunter to find abnormal activities if configured properly. In different posts, we tried to explain why they should be used.

Threat Hunting I – Understanding Threat Hunting

Although Threat Hunting is nothing new, it is a very hot topic lately. Even if you have perimeter and endpoint security devices and SIEM for collecting and correlating logs from them, it is not a good way to wait for incidents coming. Without Threat Hunting, dwell time is increasing more than 150 days, and this is not acceptable anymore. While attackers are working proactively and developing new techniques day by day, security teams need to be more proactive too. Threat Hunting is the most proactive approach in an organization’s security structure and improves its security posture.

Dwell time is the dirty metric nobody wants to talk about in cyber security. It signifies the amount of time threat actors go undetected in an environment, and the industry stats about it are staggering.
Source: Extrahop

In its simplest definition, Threat Hunting is detecting abnormal activities on endpoints and network. But, what to look for hunting threats?

What to Hunt?

Threat Hunting is a continuous process. Hunters should check anything that could be an evidence of an incident.

  • Processes: Processes are important components of OSs. Adversaries may inject malicious code into hijacked processes. Therefore, hunters should check processes and child processes regularly.
  • Binaries: Hunters should check binaries with their checksum, name and other specifications.
  • Network: Network activities to specific destinations and anomalies in network should be checked.
  • Registery: Hunters should check registery key additions and modifications.

The Team

For a continuous hunting, organizations need to have threat hunters in their CSIRT. The difference between analysts and threat hunters is the proactive approach as mentioned before. Also in smaller organizations, SOC analysts may work on threat hunting but actually, a threat hunter may has more specifications than an analyst. In larger organizations, it is important to have a dedicated threat hunting leader and team. This team should has detailed knowledge about;

  • OSs: The Threat Hunting team should have knowledge about OSs that organization is using. This knowledge must include process structures, files, permissions, and registery depending on the OS. This is important because malicious files and attackers make changes in OS here. A threat hunter need to understand what is normal and what is not. Something is not normal could be a sign of an intrusion. For having this knowledge, baselines could be created for all critical systems. These baselines will help to know the normal and the anomalies.
  • Apps: Threat Hunters should have knowledge about the applications used in the organization. It is also important to know perimeter and endpoint security devices and applications used by organization.
  • Business: Threat Hunting team should have knowledge about the organization’s business so they need to follow adversaries working on the organization’s sector and geographical location. It is also important to know third party companies the organization works and communication ways with them.
  • Network: In a big and segmented network structure, it is important to know where the critical assets are.
  • The Lockheed Martin Cyber Kill Chain: Also known as APT phases, represents the phases of an advanced attack.
  • TTPs: IoCs are important components for hunting but they provide to detect “known knowns”. TTPs are at the top of Pyramid of Pain (defined by David Bianco) and especially adversaries’ techniques and tactics should be known those are threatening the organization’s sector and location.
  • Threat Hunting Tools: In CSIRT plan, it needs to be included that which tools and techniques can be used for threat hunting. Threat hunters should have knowledge of these tools and techniques.
  • IR&H Plan: Threat hunting is only a step of proactive approach. If threat hunters successfully find an intrusion or anomaly in systems, they need to know the next step. Who should they inform? What should be done?..etc..

Requirements

  • Threat Intelligence: Threat intelligence is one of the most important feeds of threat hunting. Threat hunters need to have most recent intelligence and IoCs so they cant perform hunting the latest threats.
  • EDR: Threat hunters need IoCs but also need to know how to use these IoCs. After gathering the most recent IoCs from TI platforms, an IoC sweep must be made on endpoints.
  • NDR: Just like endpoints, network traffic also need to be checked with the latest IoCs. For doing this, CSIRT need to collect all east-west and south-north network traffic. NDR devices those have AI capabilities also detect anomalies in the network.
  • SIEM: Depending on the hunt’s scope, the threat hunter may need to check IPS/IDS, proxy, DNS, firewall or some other tools’ logs. Because logs are coming from different sources, CSIRT need to collect and correlate these logs in SIEM and feeding SIEM with the latest IoCs, these logs will more meaningful.
  • FIM: We said that baselines must be created for critical systems. FIM solutions will help CSIRT to create baselines for OSs and alert analysts when an unauthorized transaction is made.

New Tools of Kali

Kali Linux 2021.2 is released with some new tools called Kaboxer and Kali-Tweaks and some cosmetic changes.

Kaboxer provides dockers to use applications that they cannot work in newly OSs anymore or need isolation.

Kali-Tweaks is a tool that makes it easy for users to configure their OS. Users can customize their Kali easily with Kali-Tweaks.

There are also some more differences in new Kali release. Some of the differences in Kali Linux 2021.2 are

  • Opening a listener on TCP and UDP ports 0-1023 no longer requires super-user access
  • More Kali Docker images
  • New packages for Raspberry Pi
  • Pacu for AWS exploitation framework
  • Peirates for Kubernetes penetration
  • Dirsearch for brute forcing directories and files in web servers
  • Quark-Engine for Android malware scoring

Prometei Exploits MS Exchange Vulnerabilities

A new malicious called Prometei has been determined, that including Exchange servers have ProxyLogon vulnerability to cryptocurrency network. Prometei is a modular malicious code and has different features like credential dumping, usage of the system for cryptocurrency minning, and lateral movement. Prometei has two different versions for both Windows and GNU/Linux.

Prometei exploits the ProxyLogon vulnerabilities (CVE-2021-27065 and CVE-2021-26858) and uploads China Chopper web Shell. After uploading China Chopper, attackers downloads the zsvc.exe on the victim’s machine with PowerShell. After gaining persistence, another malicious file called sqhost.exe is downloade by attacker. With sqhost.exe, attackers can use the victim system for Monero minning with using XMRig open source code. However, Prometei uses Mimikatz for lateral movement.

A more detailed investigation of Prometei can be found on the cybereason blog page. It looks like threat actors still keep using Prometei. To avoid of this risk, exchange vulnerabilities need to be eliminated fastly, and these IoCs can be used to detect and prevent Prometei.

IoCs:

File Hashs – SHA256

f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4

D8e3e22997533300c097b47d71feeda51dca183c35a0d818faa12ee903e969d5

b0e743517e7abf75a80b81bb7aadc9c166ac47ba89c0654ba855dda1e4d96c3e

55fc69a7e1b2371d8762be0b4f403d32db24902891fdbfb8b7d2b7fd1963f1b4

e4bd40643f64ac5e8d4093bddee0e26fcc74d2c15ba98b505098d13da22015f5

fb8f100e646dec8f19cb439d4020b5f5f43afdc2414279296e13469f13a018ca

e961c07d534bc1cb96f159fce573fc671bd188cef8756ef32acd9afb49528331

2f114862bd999c38b69b633488bcbb6c74c9a11e28b7ef335f6c77bba32ed2d6

5de7afdde08f7b8ba705c8332c693747d537fd5b1bb0e7b0c757c0f364a60eb8

dc73a88f544efc943da73c9f6535facdb61800f6205ad3dddb9adb7c6ab229ab