SANS Internet Storm Center

SANS Internet Storm Center - Cooperative Cyber Security Monitor

NemucodAES and the malspam that distributes it, (Fri, Jul 14th)

Thu, 07/13/2017 - 9:44pm

Introduction

During the past two weeks or so, I've noticed a significant increase in malicious spam (malspam) with attached zip archives disguised as delivery notices from the United Parcel Service (UPS). These zip archives contain JavaScript files designed to download and install NemucodAES ransomware and Kovter malware on a victim's Windows computer. My Online Security reported on this recent wave of malspam late last month, and it

Shown above: Example of an email from Thursday 2017-07-13.

Malspam with zip archives containing JavaScript files is easy for most organizations to detect. Yesterday I visited one such organization, where someone showed me several of these messages that the mail filters had blocked and identified as malware. But most people have more pressing concerns; investigating blocked emails is pretty low on their list of priorities.

However, this is an ongoing concern, and the Nemucod ransomware currently pushed by this malspam is a new variant called NemucodAES. According to BleepingComputer, different researchers have identified and tracked this new variant. A decryptor for NemucodAES is currently available from Emsisoft.

Kovter is an older malware, but it's also an ongoing concern. Together, these two pieces of malware could deliver a nasty punch. This diary reviews some emails and traffic from recent malspam pushing Kovter and NemucodAES.

History of Nemucod

Nemucod is a term for text-based script (usually a JavaScript file) that downloads and installs malware. By the last quarter of 2015, the term Nemucod was used by several security vendors to identify JavaScript-based Trojan downloaders. In several cases, Nemucod downloaded and installed ransomware binaries like TeslaCrypt. By March 2016, we started seeing reports of Nemucod ransomware that stopped downloading ransomware binaries in favor of using its own script-based ransomware component.

And now in July 2017, we see the next phase of Nemucod ransomware: NemucodAES. Emsisoft states this new variant is written in JavaScript and PHP. It uses AES and RSA to encrypt a victim's files.

History of Kovter

In 2013, Kovter acted as police ransomware that sat on a user's Windows host waiting for specific types of events to happen. An example? After getting infected with Kovter, if a victim started a file-sharing application, Kovter would generate a popup message stating that he or she had violated the law. Then the infected host would demand the victim pay a fine.

By 2014, we started seeing Kovter identified as click-fraud malware. Click-fraud is when a person, computer program, or automated script generates network traffic by contacting numerous websites (or the same website numerous times). This simulates people clicking on a web page or online advertisement. Advertisers are paid based on how many people click on their ads, and regular websites can charge more for ads based on how many people view the site.

Shown above: Example of click-fraud traffic caused by non-Kovter malware in May 2016, filtered in Wireshark.

By 2015, Kovter started hiding in the Windows registry to avoid detection. Kovter's persistence in an infected Windows host consists of various elements. The end result? The initial executable deletes itself after infecting the Windows host, and Kovter effectively becomes a fileless infection.

Kovter hasn't changed much since I started documenting it in 2016. Post-infection traffic is remarkably similar from a sample I collected in January 2016 to the one from July 2017 discussed in this diary. I see a lot of post-infection events for Kovter command and control traffic. But I

Shown above: Kovter post-infection traffic from July 2017 filtered in Wireshark.

Kovter/NemucodAES malspam from July 2017

As mentioned earlier, this malspam has appeared daily during the past two weeks or so. I collected three for this diary:

  • Date/Time: Tuesday 2017-07-11 at 21:39 UTC
  • From: lprpxzt@host1.watutechnology.com
  • Subject: Status of your UPS delivery ID:008850576
  • Attachment: 008850576.zip

  • Date/Time: Wednesday 2017-07-12 at 23:26 UTC
  • From: test@server.profichi.com.ua
  • Subject: Problems with item delivery, n.5268714
  • Attachment: UPS-Package-5268714.zip

  • Date/Time: Thursday 2017-07-13 at 07:18 UTC
  • From: vtjobs@162-144-72-168.webhostbox.net
  • Subject: UPS parcel #08192149 delivery problem
  • Attachment:

Shown above: Example of a malicious zip attachment and extracted .js file.
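The three samples above share a pattern a mail gateway can key on: a delivery-themed subject with a tracking-style number, a sender domain unrelated to UPS, and a zip attachment wrapping a script file. The following triage rule is an added example written for this diary, not code from the diary or from any vendor; the header values are taken from the second sample, the zip is constructed in the script, and the extra script extensions beyond .js are an assumption.

```python
import io
import re
import zipfile

# Heuristics modelled on the three samples listed above: a UPS/delivery-themed
# subject with a tracking-style number, a sender domain that is not ups.com,
# and a zip attachment that carries a script file.
THEME = re.compile(r"\b(UPS|delivery|parcel)\b", re.I)
TRACKING = re.compile(r"\d{6,}")
SCRIPT_EXT = (".js", ".jse", ".wsf", ".vbs")  # .js is what the diary saw; the rest are an assumption

def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def zip_script_members(data: bytes) -> list:
    """Names of script-type members inside a zip payload (empty if the blob is not a zip)."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return []
    with zipfile.ZipFile(buf) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXT)]

def triage_message(sender: str, subject: str, attachments: dict) -> list:
    """Reasons to hold the message for review; an empty list means no rule matched."""
    reasons = []
    dom = sender_domain(sender)
    if THEME.search(subject) and TRACKING.search(subject) and dom != "ups.com" and not dom.endswith(".ups.com"):
        reasons.append("delivery-themed subject from non-UPS sender " + dom)
    for name, blob in attachments.items():
        scripts = zip_script_members(blob)
        if scripts:
            reasons.append("zip attachment %s contains script: %s" % (name, ", ".join(scripts)))
    return reasons

def build_sample_zip(member: str, body: bytes) -> bytes:
    """Constructed zip attachment for the demonstration (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, body)
    return buf.getvalue()

if __name__ == "__main__":
    # Headers taken from the second sample above; the .js body is a harmless stub.
    attach = {"UPS-Package-5268714.zip": build_sample_zip("UPS-Package-5268714.js", b"// stub")}
    for reason in triage_message("test@server.profichi.com.ua", "Problems with item delivery, n.5268714", attach):
        print(reason)
```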

Infection traffic

Network traffic was typical for an infection by one of the .js files. We first see HTTP requests for the NemucodAES JavaScript, followed by requests for various executables. Then we see the post-infection Kovter traffic. NemucodAES doesn't

Shown above: Using Sguil, but we can escalate the Kovter alerts and review them individually.
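The three-stage sequence described above (script fetch, executable downloads, then Kovter beacons) can be reconstructed from proxy logs even when no single request is alertable on its own. The stage classifier below is an added example, not code or traffic from the diary; the log format, the hosts and addresses, the long opaque token in the script URL and the "POST / to a bare IPv4 host" shape of the beacon are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict

BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LONG_TOKEN = re.compile(r"[A-Za-z0-9]{40,}")  # assumption: opaque per-victim token in the script URL

# Constructed proxy log for the demonstration, one request per line:
# <epoch> <client> <method> <host> <uri>   (not traffic captured for the diary)
SAMPLE_LOG = """\
1499929100 10.0.0.7 GET example-downloader.test /counter?Zk3hQ9mP2xL8vR4tN6wS1cB7dF5gH0jK9aM3nQ8rT2yU6eW4
1499929101 10.0.0.7 GET example-downloader.test /a1.exe
1499929102 10.0.0.7 GET example-downloader.test /a2.exe
1499929130 10.0.0.7 POST 192.0.2.44 /
1499929190 10.0.0.7 POST 198.51.100.9 /
1499929200 10.0.0.9 GET www.example.test /index.html
"""

def classify(line: str):
    """Map one log line to (client, stage) or None when it fits no stage."""
    try:
        _, client, method, host, uri = line.split(maxsplit=4)
    except ValueError:
        return None
    if method == "GET" and uri.lower().endswith(".exe"):
        return client, "exe"
    if method == "GET" and LONG_TOKEN.search(uri):
        return client, "script"
    if method == "POST" and uri == "/" and BARE_IP.match(host):
        return client, "c2"
    return None

def stages_by_client(log_text: str) -> dict:
    """Ordered stage list per client, with immediate repeats collapsed."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            client, stage = hit
            if not seen[client] or seen[client][-1] != stage:
                seen[client].append(stage)
    return dict(seen)

def is_infection_chain(stages) -> bool:
    """True when script -> exe -> c2 occurs in that order (as a subsequence)."""
    want = ["script", "exe", "c2"]
    for s in stages:
        if want and s == want[0]:
            want.pop(0)
    return not want

def flagged_clients(log_text: str) -> list:
    return sorted(c for c, st in stages_by_client(log_text).items() if is_infection_chain(st))
```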

The infected Windows host

The infected Windows host opened a notification with the decryption instructions. Encrypted files retained their original file names (no added file extensions, as we often see with other ransomware). And I found artifacts in the user's AppData\Local and AppData\Local\Temp directories. Some of these files are not inherently malicious. A legitimate PHP executable and DLL file were found in user

Shown above: Artifacts from the user

Shown above: Artifacts from a folder in the user's AppData\Local directory.

Indicators of Compromise (IOCs)

The following IOCs are associated with the emails and infection on Thursday 2017-07-13:

Attached zip archives:

Extracted .js files:

Kovter executable (deletes itself after infection):

Domains used in the .js files and NemucodAES decryption instructions:


Kovter post-infection traffic:


Final words

Traffic and artifacts from this infection can be found here.

As mentioned earlier, with proper filtering, these emails are easily blocked. With proper network monitoring, traffic from an infection is easily detected. But some of these messages might slip past your filtering, and some people could possibly get infected. With the NemucodAES decryptor, people can recover their files, but I expect this ransomware will continue to evolve.

Has one of these messages hit your inbox? If so, please share your story in the comments section.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

ISC Stormcast For Friday, July 14th 2017 https://isc.sans.edu/podcastdetail.html?id=5582, (Thu, Jul 13th)

Thu, 07/13/2017 - 1:50pm

Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 3 - Physical Memory artefacts), (Thu, Jul 13th)

Thu, 07/13/2017 - 4:35am

[This is the third guest diary by Dr. Ali Dehghantanha. You can find his first diary here and second here. If you would like to propose a guest diary, please let us know]

Continuing my earlier posts on the investigation of BitTorrent Sync version 2.0, this post explains the remaining artefacts of user activities in the physical memory of Windows 8.1, Mac OS X Mavericks 10.9.5, and Ubuntu 14.04.1 LTS related to BitTorrent Sync version 2.0.

Analysis of the running processes using the pslist function of Volatility was able to recover the process name associated with the BitTorrent Sync client application (e.g., BitTorrent Sync.exe for Windows OS, BitTorrent Sync for Linux OS, and BitTorrent Sync

Examinations of the network details using the netscan or netstat

Figure 1: An excerpt of BitTorrent Sync network information recovered using the netscan function of Volatility.

Undertaking data carving of the RAM captures and swap files determined that only the images used by the client application and the synced files could be recovered. However, a search for the term btsync or bittorrent sync was able to recover the complete text of the log and metadata files of forensic interest (e.g., sync.log, sync.dat, history.dat, and settings.dat) in the RAM in plain text. In cases where the original file has been deleted, a Yarascan search for the text from the remnants could help attribute the remnants to the BitTorrent Sync process or to other processes of relevance, to identify their origin. Figure 2 illustrates an occurrence of history.dat in the memory space of BitTorrent Sync.exe of the Windows 8.1 VM investigated.

Figure 2: Copy of history.dat file recovered from the memory space of BitTorrent Sync.exe.

The username (login email) and password for the Linux client application's web GUI can be detected following the strings username= and nwpwd= in the RAM, respectively. These appeared to be remnants from the form input fields of the Linux client application; an example is shown in Figure 3. In addition, we also located several password hits in similar fragments containing the login email in the memory space of BitTorrent Sync.

Figure 3: Username and password recovered from the RAM of Ubuntu OS.
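A first pass over a RAM capture for the two kinds of remnants described above (the plain-text metadata and log file names, and the username= / nwpwd= form fields) can be done with a byte-pattern scan before reaching for Volatility. The scanner below is an added example written for this post, not the author's tooling or Volatility code; the memory fragment is constructed inline, and the carver redacts recovered password values by default so an examiner's report does not reproduce them.

```python
import re

# Artefact markers from the post: BitTorrent Sync metadata/log file names that
# survive in RAM as plain text, and the web-GUI login form fields.
ARTEFACT_FILES = (b"sync.log", b"sync.dat", b"history.dat", b"settings.dat")
CRED_FIELD = re.compile(rb"(username|nwpwd)=([^&\s\x00]{1,128})")

# Constructed memory-image fragment for the demonstration (not a real capture).
SAMPLE_IMAGE = (
    b"\x00\x00btsync settings.dat {\"device_name\":\"ubuntu-vm\"}\x00\x00"
    b"junk\xff\xfe"
    b"username=analyst%40example.test&nwpwd=hunter2\x00"
    b"\x00history.dat\x00"
    b"more junk"
)

def find_artefacts(image: bytes) -> dict:
    """Offsets of every occurrence of the known BitTorrent Sync file names."""
    hits = {}
    for name in ARTEFACT_FILES:
        offsets = [m.start() for m in re.finditer(re.escape(name), image)]
        if offsets:
            hits[name.decode()] = offsets
    return hits

def find_credentials(image: bytes, redact: bool = True) -> list:
    """(offset, field, value) for login-form remnants; password values are redacted by default."""
    out = []
    for m in CRED_FIELD.finditer(image):
        field = m.group(1).decode()
        value = m.group(2).decode("latin-1")
        if field == "nwpwd" and redact:
            value = "<redacted %d chars>" % len(value)
        out.append((m.start(), field, value))
    return out

if __name__ == "__main__":
    print(find_artefacts(SAMPLE_IMAGE))
    for offset, field, value in find_credentials(SAMPLE_IMAGE):
        print("0x%08x %s=%s" % (offset, field, value))
```

On a real capture, the offsets feed straight into a Yarascan or a hexdump around the hit to confirm which process the fragment belongs to.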

The next post will illustrate Windows Thumbnail Cache, Registry, Prefetch Files, and Link Files artefacts of BitTorrent v2.

