Backdoor in M.E.Doc Application

I came across an interesting article today, with regards to the Petya / NotPetya cyber attack from last week.  This is a very good write up and analysis of how the organisation M.E.Doc appears to have been compromised and used to spread the malware in a series of updates for the software it produces.

This demonstrates how devastating these types of compromises can be and as a defender can make it very difficult to identify and stop this type of attack from happening, if you happen to be the target of said attack.

I suggest you read this very good article!

 

https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/

Analysis of TeleBots’ cunning backdoor

On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as Diskcoder.C(aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 bitcoins for recovery. In fact, the malware authors’ intention was to cause damage, so they did all that they could to make data decryption very unlikely.

 

Another good write up by bleeping computer that contains more information.

 

https://www.bleepingcomputer.com/news/security/ukrainian-police-seize-servers-from-where-notpetya-outbreak-first-spread/

Conspiracy theories

Last week, a blog post from a Ukrainian web developer went viral, after it hinted that the real culprit behind the hacked server could have been M.E.Doc’s web host, Wnet, a company that has been accused of having ties to Russia’s intelligence service (FSB).

An investigation into the man’s accusations revealed that the SBU had raided the web host on June 1, for “illegal traffic routing to Crimea in favor of Russian special services.”

 

UIWIX Ransomware

It was just a matter of time until other organisations or individuals followed the path set by WannaCry last weekend.

Seems there is another variant of ransomware doing the rounds which is exploiting the same loop hole as WannaCry is using port 445 to enumerate and infect other machines on your internal and then external networks.  It is exploiting the same SMB vulnerability (MS17-010).

Mitigation – Just need to  make sure you have the latest updates from microsoft.

If you see traffic to these domains, its likely not good!

aa1[.]super5566[.]com
07[.]super5566[.]com
a1[.]super5566[.]com
www[.]super5566[.]com
08[.]super5566[.]com

https://www.hybrid-analysis.com/sample/c72ba80934dc955fa3e4b0894a5330714dd72c2cd4f7ff6988560fc04d2e6494?environmentId=100

https://www.hybrid-analysis.com/sample/c72ba80934dc955fa3e4b0894a5330714dd72c2cd4f7ff6988560fc04d2e6494?environmentId=100

WannaCrypt Ransomware

In what has been big news over the past 24 hours.  Especially here in the UK is that the NHS has been hit with a large ransomware attack.

http://www.bbc.co.uk/news/technology-39901382

http://blog.talosintelligence.com/2017/05/wannacry.html?m=1

This is a pretty good write up of what was known at the time.

There have been easy fixes for this available for the past 2 months and it was just a matter of time until the tools that were developed by our American Friends, that they would be used against the general public.

Hopefully this is lessons learned for many organisations, and they realise that patching and running fairly up to date operating systems is important and not just something to achieve compliance.

Few more articles that contain good information about these events.

https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

 

Also of note.

wannadecrypt

 

If you use intitle:”index of” “@WanaDecryptor@.exe” as a search on google, at the time of this update there are 67 results.

Not a good weekend for the world of IT admins.

The github link referenced below is being kept up today and contains some very good and useful information.

 

 

Infected Webpage

hxxp://petroffpianostudio[.]com/ (This may now be cleaned up at the time of posting)

It looks like the the aforementioned webpage is infected with a redirect to download suspect files

Traffic observed after the infection suggests that it will attempt to download executable files from a few different locations.

hxxp://talk-of-the-tyne.co.uk/download1264/
hxxp://willy.pro.br/download3299/
hxxp://freight.eu.com/download3696/

The analysis of the files on hybrid analysis does confirm that these are malicious files

https://www.hybrid-analysis.com/sample/e8d2f149de58eb45b398a84d6d27d568ab1d239584edcb55531fe11da2f9c51b?environmentId=100

Once the executable file is on the host machine, it then attempts to call out to the following

173.230.137.155
206.214.220.79

Upon further analysis we have another file which has been downloaded from the following location

hxxp://matchpointpro.com/lDu52756eeJMW/

https://www.virustotal.com/en/file/4b97fa91d9f33392fde84a2af3500a78621a71b80b3d3486a7b70cdd47187ce3/analysis/1492020556/

https://www.hybrid-analysis.com/sample/4b97fa91d9f33392fde84a2af3500a78621a71b80b3d3486a7b70cdd47187ce3?environmentId=100

I revisited the links later in the day and have a bit more details, we can see they are still serving executable files. Chrome is now blocking and suggesting these files are malicious, and also so is internet explorer. I have not tried them on firefox at this time.

GET /download3299/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: willy.pro.br
Cache-Control: max-age=259200
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 12 Apr 2017 18:16:51 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Keep-Alive: timeout=15
Server: Apache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="6274.exe"
Content-Transfer-Encoding: binary


GET /download1264/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-GB
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: talk-of-the-tyne.co.uk
Cache-Control: max-age=259200
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 12 Apr 2017 18:16:09 GMT
Server: Apache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="5198.exe"
Content-Transfer-Encoding: binary
Vary: User-Agent
X-Powered-By: PleskLin
MS-Author-Via: DAV
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream


GET /lDu52756eeJMW/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Host: matchpointpro.com
Cache-Control: max-age=259200
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 12 Apr 2017 18:11:09 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Keep-Alive: timeout=15
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="5345.exe"
Content-Transfer-Encoding: binary
ngpass_ngall: 1

 

Still in the process of building my Analysis Lab, so this is not quite how I would like to post, but some information is better than none.