Security Bulletin #120 – 5 June 2017
QakBot Banking malware causes massive Active Directory lockouts
Malware researchers at IBM observed that hundreds to thousands of Active Directory users were being locked out of their organization's domain; the lockouts were caused by the QakBot (Qbot) banking malware. QakBot targets businesses and steals money from bank accounts, and it implements worm-like capabilities to self-replicate through shared drives and removable media. The mass lockouts are a side effect of that lateral movement: the malware's repeated logon attempts against other machines on the network, using harvested or guessed credentials, trip the domain's account-lockout threshold, so many accounts get locked in a short time. QakBot is also able to steal user data such as digital certificates, keystrokes, cached credentials, HTTP(S) session authentication data, cookies, authentication tokens, and FTP and POP3 credentials. QakBot is distributed by a dropper, and researchers observed that it uses delayed execution (10 to 15 minutes) to evade sandboxes and detection. The dropper starts an explorer.exe instance and injects the QakBot Dynamic Link Library (DLL) into that process, then destroys its own original file: it uses ping.exe to run a ping command six times in a loop, and once the pings complete the contents of the original dropper are overwritten with the legitimate Windows autoconv.exe binary. QakBot gains persistence on the target machine using a Registry Run key and scheduled tasks. The malware uses man-in-the-browser (MitB) attacks to inject malicious code into online banking sessions, fetching the injection scripts from domains it controls.
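Because the lockouts are a symptom of lateral movement, the practical question for a defender is which workstation is generating them. Account lockouts are recorded on the PDC emulator as Security Event ID 4740, whose "Caller Computer Name" field names the machine the failed logons came from. The script below is an added example, not code from the bulletin or from IBM's report; the 4740 events it consumes are constructed here (field names follow the event's EventData, as exported to CSV or JSON from a domain controller). It flags any caller that locked out several distinct accounts inside a short window, which is the pattern a credential-spraying worm produces and a user mistyping a password does not.

```python
"""Triage Windows account-lockout events (Security Event ID 4740) to find the
machine(s) generating them.

Added example, not from the bulletin or IBM's report. The sample events are
constructed; field names follow the 4740 EventData fields TargetUserName and
CallerComputerName.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one ordinary lockout from WS-0007 (a user mistyping a
# password), and a burst of lockouts for many different accounts that all
# originate from WS-0042 within about a minute.
SAMPLE_4740_EVENTS = [
    {"time": "2017-06-01T08:02:11", "TargetUserName": "jdoe",       "CallerComputerName": "WS-0007"},
    {"time": "2017-06-01T09:15:03", "TargetUserName": "asmith",     "CallerComputerName": "WS-0042"},
    {"time": "2017-06-01T09:15:09", "TargetUserName": "bwong",      "CallerComputerName": "WS-0042"},
    {"time": "2017-06-01T09:15:14", "TargetUserName": "cpatel",     "CallerComputerName": "WS-0042"},
    {"time": "2017-06-01T09:15:20", "TargetUserName": "dlee",       "CallerComputerName": "WS-0042"},
    {"time": "2017-06-01T09:16:01", "TargetUserName": "svc-backup", "CallerComputerName": "WS-0042"},
    {"time": "2017-06-01T11:40:45", "TargetUserName": "asmith",     "CallerComputerName": "WS-0007"},
]


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def lockout_sources(events, window=timedelta(minutes=10), min_accounts=3) -> dict:
    """Return {caller_computer: sorted distinct accounts} for every caller that
    locked out at least `min_accounts` *distinct* accounts within any `window`.

    Distinct accounts is the discriminator: a user who mistypes a password
    locks one account; a worm trying harvested or guessed credentials from one
    host locks many. The window slides over each caller's events in time order.
    """
    by_caller = defaultdict(list)
    for ev in events:
        by_caller[ev["CallerComputerName"]].append(
            (parse_time(ev["time"]), ev["TargetUserName"]))

    suspects = {}
    for caller, evs in by_caller.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            accounts = {user for t, user in evs[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                suspects[caller] = sorted(accounts)
                break  # one qualifying window is enough to flag the host
    return suspects


if __name__ == "__main__":
    for host, accounts in lockout_sources(SAMPLE_4740_EVENTS).items():
        print(f"{host}: locked out {len(accounts)} accounts -> {', '.join(accounts)}")
```

Once a caller is flagged, isolate that host and pull its local Security log for the corresponding 4625/4776 failures; the threshold and window should be tuned to the domain's own lockout policy (a lockout threshold of 5 with a 30-minute observation window is common, so a single infected host can produce dozens of 4740 events per hour).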
NSA Exploit EternalBlue is becoming even more common in hacking tools and malware
ETERNALBLUE is the alleged NSA exploit that made the headlines together with the DOUBLEPULSAR backdoor in the WannaCry attack. ETERNALBLUE targets the SMBv1 protocol (the underlying flaw was patched by Microsoft in MS17-010) and has become widely adopted by malware developers. Now a new ransomware, dubbed UIWIX, has been discovered using the NSA-linked EternalBlue exploit for distribution. UIWIX is fileless malware discovered by experts at Heimdal Security early this week while investigating WannaCry. Like WannaCry, UIWIX exploits the same vulnerability in the Windows SMB protocol, but the new threat runs entirely in the memory of the infected system after the EternalBlue exploitation, leaving no file on disk for signature-based tools to find. The latest discovery was made by experts from FireEye, who observed threat actors using the exploit code to deliver non-WannaCry payloads, including the Gh0st RAT and the Nitol backdoor. Gh0st RAT is a Windows malware that has been used in many espionage campaigns attributed to nation-state actors.
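Since every payload above rides on the same SMBv1 exposure, the check worth automating is whether a host still answers an SMBv1 negotiation at all. The following is an added example, not code from the bulletin or from any of the vendors it cites: it builds the SMB_COM_NEGOTIATE request (4-byte NetBIOS session header, 32-byte SMB header, then WordCount, ByteCount and the dialect list, per MS-CIFS) and parses the server's reply, where DialectIndex 0xFFFF means none of the offered SMBv1 dialects was accepted. The server responses in the block are constructed for the parser test; probe() does real network I/O against a host you supply and is not exercised by the test.

```python
"""Build an SMBv1 Negotiate Protocol request and parse the response, to check
whether a host still speaks SMBv1 (the protocol ETERNALBLUE targets).

Added example, not from the bulletin or the vendors it cites. Wire layout per
MS-CIFS. The replies produced by _constructed_response() are synthetic test
data, not captures.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# Classic dialect list; index 3 ("NT LM 0.12") is what an SMBv1-enabled
# Windows host normally selects.
DEFAULT_DIALECTS = ["LANMAN1.0", "LM1.2X002", "NT LANMAN 1.0", "NT LM 0.12"]
# 32-byte SMB header: magic, command, NT status, flags, flags2, PIDHigh,
# SecurityFeatures(8), reserved, TID, PIDLow, UID, MID
_HDR = "<4sBIBHH8sHHHHH"


def _netbios(payload: bytes) -> bytes:
    """NetBIOS Session Message: type 0x00 + 3-byte big-endian length."""
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def build_smb1_negotiate(dialects=DEFAULT_DIALECTS, pid=0x4B2F, mid=0x5EC5) -> bytes:
    header = struct.pack(_HDR, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0,
                         0x18,    # Flags: canonicalized paths, case-insensitive
                         0xC001,  # Flags2: Unicode | NT status codes | long names
                         0, b"\x00" * 8, 0, 0, pid, 0, mid)
    # Each dialect is a BufferFormat byte 0x02 followed by a NUL-terminated string.
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _netbios(header + b"\x00" + struct.pack("<H", len(body)) + body)


def parse_negotiate_response(data: bytes, dialects=DEFAULT_DIALECTS) -> dict:
    """Decode the reply. A host with SMBv1 disabled usually just closes the
    connection (empty/short read) or answers with DialectIndex 0xFFFF."""
    if len(data) < 4 + 32 + 3:
        return {"smb1_accepted": False, "reason": "short or empty response"}
    smb = data[4:]
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return {"smb1_accepted": False, "reason": "not an SMB1 negotiate reply"}
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0:
        return {"smb1_accepted": False, "reason": f"status=0x{status:08x} WordCount={word_count}"}
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return {"smb1_accepted": False, "dialect_index": dialect_index,
                "reason": "no offered SMBv1 dialect accepted"}
    return {"smb1_accepted": True, "dialect_index": dialect_index,
            "dialect": dialects[dialect_index]}


def _constructed_response(dialect_index: int) -> bytes:
    """Synthetic server reply for exercising the parser (not a real capture)."""
    header = struct.pack(_HDR, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x98, 0xC001,
                         0, b"\x00" * 8, 0, 0, 0x4B2F, 0, 0x5EC5)
    if dialect_index == 0xFFFF:
        params = struct.pack("<H", 0xFFFF)                   # WordCount 1
    else:
        params = struct.pack("<H", dialect_index) + b"\x00" * 32  # WordCount 17, rest zeroed
    return _netbios(header + bytes([len(params) // 2]) + params + struct.pack("<H", 0))


def probe(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Send the request to a real host (network I/O; not run by the tests)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_smb1_negotiate())
        return parse_negotiate_response(s.recv(4096))
```

A host that accepts a dialect here is exposed to the whole EternalBlue-based family whether or not it is patched against MS17-010, so the remediation is twofold: apply MS17-010 and disable SMBv1 (on supported Windows versions, Set-SmbServerConfiguration -EnableSMB1Protocol $false). Re-run the probe afterwards; a correct result is a closed connection or DialectIndex 0xFFFF.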
WannaCry Coding Mistakes Can Help File Recovery Even After Infection
The fact that the WannaCry ransomware hit more than 300,000 PCs across the world within just 72 hours doesn't mean it was a high-quality piece of ransomware. Security researchers have recently discovered programming errors in the code of the WannaCrypt ransomware worm that might allow victims to restore their locked files without paying for the decryption key. After analysing the WannaCry code in depth, Kaspersky Lab found that the ransomware was full of mistakes that could allow some victims to restore their files with publicly available free recovery tools or even with simple commands. According to the researchers, the issues reside in the way WannaCry deletes original files after encryption. In general, the malware first renames a file to change its extension to .WNCRYT, encrypts it, and then deletes the original. Because WannaCry does not modify read-only files in place, it copies them and encrypts the copies instead; the original files remain untouched but are given the 'hidden' attribute, so getting the original data back simply requires restoring their normal attributes. That wasn't the only mistake in WannaCry's code: in some cases the malware fails to delete the originals properly after encrypting them. The researchers said that files stored in important folders, such as Desktop or Documents, cannot be recovered without the decryption key, because WannaCry overwrites those originals with random data before removing them. However, other files stored outside those folders on the system drive could be restored from the temporary folder using data recovery software. The researchers also found that on non-system drives WannaCry creates a hidden '$RECYCLE' folder and moves the original files into it after encryption. Those files can be recovered just by unhiding the '$RECYCLE' folder. Also, due to synchronization errors in WannaCry's code, in many cases the original files remain in the same directory, making it possible for victims to restore the insecurely deleted files with commonly available data recovery software.
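Those observations translate into a simple triage: for each encrypted file, look for an original left beside it, then in the drive's $RECYCLE folder, and treat Desktop/Documents as unrecoverable without the key. The script below is an added example, not Kaspersky's tool or code from the bulletin. It assumes the .WNCRYT (in-progress) and .WNCRY (final) extensions WannaCry is known to use, and it walks one drive root at a time; the directory tree the self-test uses is constructed in a temporary folder. Clearing the hidden attribute is a Windows-only step done through the Win32 API, so on other platforms the script only reports what it found.

```python
"""Locate WannaCry originals the malware left behind, following the
behaviours Kaspersky described for each location type.

Added example, not from the bulletin or Kaspersky. The sample tree built by
build_sample_tree() is constructed test data.
"""
import sys
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIXES = (".WNCRYT", ".WNCRY")       # in-progress, final
OVERWRITTEN_DIRS = ("Desktop", "Documents")      # originals wiped with random data


def original_name(encrypted_name: str) -> str:
    """Strip the WannaCry extension: 'budget.xlsx.WNCRY' -> 'budget.xlsx'."""
    upper = encrypted_name.upper()
    for suf in ENCRYPTED_SUFFIXES:
        if upper.endswith(suf):
            return encrypted_name[: -len(suf)]
    return encrypted_name


def find_recovery_candidates(root) -> list:
    """Return (encrypted_file, candidate_original_or_None, how) for every
    encrypted file under `root`, which should be a drive root."""
    root = Path(root)
    found = []
    for enc in root.rglob("*"):
        if not enc.is_file() or not enc.name.upper().endswith(ENCRYPTED_SUFFIXES):
            continue
        orig = original_name(enc.name)
        parents = enc.relative_to(root).parts[:-1]
        if any(p in OVERWRITTEN_DIRS for p in parents):
            found.append((enc, None, "overwritten before deletion: needs the key"))
            continue
        beside = enc.with_name(orig)                 # hidden/read-only original, or sync error
        if beside.exists():
            found.append((enc, beside, "original left in place: unhide it"))
            continue
        recycled = root / "$RECYCLE" / orig          # non-system drive behaviour
        if recycled.exists():
            found.append((enc, recycled, "moved to hidden $RECYCLE folder"))
            continue
        found.append((enc, None, "not on disk: try undelete/file-carving tools"))
    return found


def unhide(path) -> bool:
    """Clear FILE_ATTRIBUTE_HIDDEN via Win32; returns False on other platforms."""
    if sys.platform != "win32":
        return False
    import ctypes
    FILE_ATTRIBUTE_HIDDEN, INVALID = 0x02, 0xFFFFFFFF
    k32 = ctypes.windll.kernel32
    attrs = k32.GetFileAttributesW(str(path))
    if attrs == INVALID:
        return False
    return bool(k32.SetFileAttributesW(str(path), attrs & ~FILE_ATTRIBUTE_HIDDEN))


def build_sample_tree() -> Path:
    """Constructed layout mimicking a non-system drive after infection."""
    root = Path(tempfile.mkdtemp(prefix="wncry_"))
    (root / "Documents").mkdir()
    (root / "$RECYCLE").mkdir()
    (root / "Documents" / "budget.xlsx.WNCRY").write_bytes(b"ciphertext")
    (root / "notes.txt.WNCRY").write_bytes(b"ciphertext")
    (root / "notes.txt").write_bytes(b"plaintext")              # left behind by a sync error
    (root / "photo.jpg.WNCRY").write_bytes(b"ciphertext")
    (root / "$RECYCLE" / "photo.jpg").write_bytes(b"plaintext")  # moved, not deleted
    (root / "report.pdf.WNCRYT").write_bytes(b"partial")         # original really gone
    return root


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    for enc, orig, how in find_recovery_candidates(root):
        print(f"{enc.relative_to(root)} -> {orig.relative_to(root) if orig else '-'} ({how})")
        if orig is not None:
            unhide(orig)
```

Run it against the infected drive before any recovery tool writes to it, since undelete and carving only work while the freed clusters are still intact; copy the originals it reports off the drive rather than renaming them in place.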