Monday, June 14, 2021

Digital artists targeted in RedLine infostealer campaign

2021-06-17: updated with information from Twitter user ARC

In this post, we'll look at a campaign, that targeted multiple 3D or digital artists using NFT, with malware named RedLine. This malware is a so called "infostealer" or "information stealer" that is capable of extracting sensitive data from your machine (such as wallet information, credentials, and so on). As a side-note; NFTs, or non-fungible tokens, are digital tokens tied to assets that can be bought, sold and traded.

This blog post is divided into four parts:

  • Introduction: provides an overview of what happened
  • Analysis: analysis of the attack and the malware used
  • Detection: how to detect and remove the malware (skip to Detection if you just want to clean this up)
  • Prevention: how to prevent this from happening again
  • Conclusion: a brief conclusion and additional thoughts

Introduction

From at least last Thursday, 10th of June 2021, multiple users report on Twitter that they got hacked after being approached to create new digital art. These users, accomplished digital artists and publishing their work on NFT marketplaces, were approached either via Instagram, Twitter DM (message) or directly via email. The attacker has masqueraded themselves behind multiple personas, often claiming to be from South Korea. A few of the users that reported the attack:


Ariel:

 

fvckrender:


 

Nicole:

 

 

ARC:

 

 

Cloudy Night:

 

 

There are many, many more examples - however, we won't list them here. Of note is Ariel's tweet, where you can note the presence of a file named "Rizin_Fight_Federation_Presentation.scr". I'll circle back to that in the next section, Analysis.


Analysis

After scouring the internet for a while, I was unable to discover any of the files mentioned by the artists that reported the attack, that is until I stumbled upon Cloudy Night's tweet - their screenshot included a link to a website "skylumpro.com".



 

 

 

 

 

 

As expected, this is not the legitimate website, but rather a clever copycat of the real Skylum product website (to note, the real website is: https://skylum.com/luminar-ai-b). After clicking the "Download Now" button, a file named "SkylumLuminar (NFT Beta).rar" is downloaded, which you need to unzip with the password "NFT", as we can observe from Cloudy Night's tweet.

The unzipped content looks as follows:



 

 

 

 

 

 

 

One of the first things you may notice is the large filesize of the so called beta version. As you've seen from before in Ariel's tweet, the filesize was 745MB, while this file is a whopping 791MB!

But why is this file so large and why does it matter? 

  • The attacker has appended their original file with a large chunk of overlay data; to put it simply - a bunch of extra data that does nothing.
  • The attacker has increased the filesize this much to try and evade antivirus software and scanning tools; for example, a well-known service to scan suspicious files, VirusTotal, only accepts files up to 500MB, while some antivirus scanners may not even scan a file this large.
  • While you could upload the original RAR file; the attacker has password-protected it and VirusTotal will be unable to scan it properly. You could re-package it, but the file itself may not be scanned.

Having said all that, after removing the excessive overlay, a much more reasonable filesize is obtained: 175KB. This new file's properties are:

Of note is the creation or compilation time: this is the date and time the file has originally been created. While this can be spoofed, I do not believe it is the case here. This time matches with when the attack appeared. It is however highly likely more files, such as the one in Ariel's tweet, do the round.

This file will then execute a new file; which is the RedLine infostealer malware. This file has the following properties:

Note the creation time is different: set in 2042 - this is obviously faked by the attacker to reveal when exactly it has been created. However, with the above data, we can assume it was created in the last 5 days or so.

As mentioned before, once you execute the SkylumLuminarNFTBetaVersion.exe file, you will be infected with the RedLine infostealer malware. ProofPoint has reported on this malware first in March 2020: New Redline Password Stealer Malware. This malware has many capabilities, including, but not limited to:

  • Steal username and password from browsers;
  • Collect extensive system information;
  • Execute commands, such as downloading and uploading other files, opening links and so on;
  • Steal cryptowallet information - both from Chrome extensions as well as typical wallet.dat files. The extensions targeted are:
    • YoroiWallet
    • Tronlink
    • NiftyWallet
    • Metamask (refer also to Nicole's tweet)
    • MathWallet
    • Coinbase
    • BinanceChain
    • BraveWallet
    • GuardaWallet
    • EqualWallet
    • JaxxxLiberty
    • BitAppWallet
  • Steal data from other software, such as:
    • Steam;
    • Telegram;
    • FTP clients such as FileZilla.

The screenshot below displays part of RedLine's functionalities:



 

 

 

 

 

 

 

 

 

 

 

 

RedLine will first gather some basic information about your machine, such as the machine name, external IP address, your geography and so on. It gathers external information by querying one of the following IP lookup services:

  • https://api.ipify.org
  • https://icanhazip.com
  • https://wtfismyip.com/text
  • http://bot.whatismyipaddress.com/
  • http://checkip.dyndns.org 

Note these services are not malicious, they are simply being used by the attacker to gather more information. Interestingly enough, RedLine will use SOAP HTTP (POST) requests to its command and control server (the server or machine controlled by the attacker where your data will end up) using the following IP: 

  • 185.215.113.60;
  • On port 59472;
  • This IP resides in the Seychelles.

Another domain and IP observed is (from ARC's tweet above, the files in that archive were almost 600MB):

  • xtfoarinat.xyz;
  • On IP 92.38.163.189;
  • This IP also has sinaryaror.xyz resolve to it, another RedLine command and control server.

One may also observe connections to tempuri.org. This is a default placeholder for web services, and is not atypical when using SOAP over HTTP. Tempuri is not malicious.

Finally, after receiving all this data, the attacker can start logging into your accounts, attempt to steal your tokens, impersonate you and so on. The attacker can also install other malware if they wish, such as ransomware.

What now? Detection

 

Good news:

The variant discussed in this blog does not appear to persist: in other words, after a reboot, its process will not be active anymore, at least for the variant discussed in this blog post.

Bad news:

Everything else - unfortunately, RedLine works pretty fast and a few minutes are enough to exfiltrate all your data and for the attacker to fully compromise all your accounts.

Luckily for us, RedLine stealer should be detected by most commercial and free antivirus software products on the market. A few recommendations to get rid of the RedLine variant discussed in this blog post - note this may not fully cover the variant you encountered: 

  1. Contact your NFT provider, cryptowallet provider and so on as soon as possible via telephone call or another computer and inform them of what happened; ask for a temporary block of your account or to at least temporarily block any funds from now on.
    >>>
    It is very important you do this first! <<<

  2. If you can, change your credentials from another machine; such as your phone, your partner's laptop, ... Note it's recommended to change your credentials at least for your email accounts and for your wallets - focus on the most important accounts first! If you do not have this possibility, continue with the steps below.

  3. Open Task Manager, go to the Details tab and search for any process with the following names:
    1.  SkylumLuminarNFTBetaVersion.exe;
       Flamingly.exe;
       FieldTemplateFactory.exe;
      PaintingPromoProject;
       Alternatively, the name of the file you executed
    2. Now, kill the process by right-clicking on it  > select End Process (or End Task).

  4. If you have a firewall or proxy, block the IPs 185.215.113.60 and 92.38.163.189.

  5. Run a scan with your currently installed antivirus and a scan with an alternative product, for example, Malwarebytes (has a free version);
    1. You can also use Eset's Online Scanner (free): https://www.eset.com/int/home/online-scanner/

  6. Enable the Windows Firewall: https://support.microsoft.com/en-us/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f
    1. While this might not have much impact at this point, it will give you an additional layer of protection from other threats;
       
  7. Delete all the files you have previously downloaded if they still exist on your system; if you'd like me to analyse them, you may send me a copy first;

  8. If the above scans have turned up:
    • Clean: have you executed the file? 
      1. If not, you are not infected. 
      2. If you did, and the scanners turn up with nothing, it's possible your current antivirus product has blocked the attack. 
      3. You might also want to Refresh your PC to have peace of mind.
    • Not clean (there were detections): let the above product (e.g. Malwarebytes or Eset) clean them up and reboot your computer.

  9. Finally, reset all (or the rest of) your credentials. Do this only when you know your machine is clean! Alternatively, reset your credentials from another machine as indicated earlier.

It's important to follow these steps as soon as possible to prevent any damages. 


Prevention

You've come this far, or perhaps you simply skipped to this part - arguably the most important one: to prevent this attack from happening in the first place. So how can this be achieved?

  1. First and foremost: ensure you are using Windows 8.1 or later. Older Operating Systems, such as Windows 7, are no longer supported by Microsoft and have additional vulnerabilities attackers may exploit;

  2. Install an antivirus and enable the Windows Firewall. It does not matter if the antivirus is free or not; paid versions do offer more features, but a free version will do just as much.
    1. Starting from Windows 10, Windows Defender should protect adequately from attacks such as the one described in this blog post. Other free alternatives are Kaspersky's free cloud antivirus and Malwarebytes.
    2. When you get any file, scan it with your antivirus first! (typically done by right-clicking on the file or folder) 
    3. When in doubt, upload the file to VirusTotal. Note however the tactics used here: if there's a really large file, it may not be able to be scanned properly - this can be an indication of malicious intent!

  3. Set UAC (User Account Control) to the maximum level: Always Notify - this will stop some additional attacks (you will get more prompts; if you do, take a pause and verify what's on the screen should indeed be executed). Here's how to do that: https://www.digitalcitizen.life/how-change-user-account-control-uac-levels/

  4. Enable file extensions: some extensions, such as .scr, historically a screensaver file; are in fact executables - which could contain malicious code, as was the case in Ariel's tweet. Do not open or run these files. This will also protect you against the "double extensions" trick. A file named commission.jpg.exe will now be visible as such - if file extensions are disabled, you would see commission.jpg - see the difference? Here's how you can enable file extensions: https://www.howtogeek.com/205086/beginner-how-to-make-windows-show-file-extensions/

  5. Create unique passwords where possible; if feasible; use a password manager;

  6. Enable MFA (or 2FA if MFA is not available) on all your sensitive accounts; this will add an additional layer which is typically very hard for the attacker to guess or crack. Google "your service/ account + MFA" for specific instructions;

  7. If you receive a new commission or request to create art, stop and think first - ask yourself these questions:
    1. Is this coming from a reputable account or from a totally new account?
      1. If reputable, can I verify their claim or request somehow?
      2. If from a new account: be extra wary!
      3. If from an account with very low followers/following: be extra wary!
    2. How will they pay me? 
      1. Are they using a verified cryptowallet, or trying to set me up for something shady?
      2. Do they have any reviews on their (public) profile, if any?
    3. What are they asking of me exactly?
      1. Are they indeed sending just images, or is there an executable file or "special software" I am supposed to download/open?
    4. Where are their links or attachments leading to?
      1. Are these leading to another service, e.g. imgur.com, or something different altogether?
    5. I have downloaded the file(s), but I do not trust the source;
      1. Delete it or ask for more information;
      2. Block the sender if you are suspect and report their account, delete any files;
      3. You can double-check by scanning the files with your antivirus, or uploading it to VirusTotal. The same nuance as above applies however.
    6. You can also Google any information they send through to further verify their claims.

  8. Finally and where possible;
    1. Use a hardware instead of software wallet;
    2. Secure your seed phrase; store it offline, for example, on an external drive or use pen and paper;
    3. Verify the security settings in your wallet or crypto provider: perform a check of which other security features you can enable, and enable them. 

 

Manifold, a company that creates blockchain products for NFT communities, has also written an excellent post-mortem of this attack which includes additional advice - I highly recommend you to read it: https://manifoldxyz.substack.com/p/the-fvckrender-hack-post-mortem

 

Conclusion and afterthoughts

It's not the first time a highly targeted or specific attack occurs on communities that use crypto in some form or another, for example, at the end of 2019, Monero's download site and binaries were compromised for a brief time.

If you have been targeted by this attack, and you have been compromised, follow the advice in this blog as soon as possible to clean it up and to prevent any future attack.

This attack was quite specific and targeted - there is really no need to feel bad if you have been affected, as it can happen to anyone. Explain to your crypto provider what happened, and they should be able to help you out.

I'd like to thank all the vigilant users on Twitter out there for creating awareness, and I hope this blog has provided further insight. If you were affected, and you'd like me to analyse any suspicious file, or would just like to comment, use the comment section below or contact me on Twitter. Refer to my About me page for even more contact details.

Monday, November 23, 2020

Blue Team Puzzle

Several years ago, I created a "malware puzzle" - basically, a crossword puzzle but with terms related to malware. You can find that puzzle here: https://bartblaze.blogspot.com/2013/08/malware-puzzle.html

Seeing crosswords are a hobby of mine, I thought it'd be fun to create another one more than seven years later - this time, all things blue team! Obviously you don't need to be part of a blue team to fill in the puzzle, it's for anyone in information or cyber security - but it does help if you've been on the defense side of things.

You can print the puzzle and fill it in, or you can use Adobe Reader to complete the PDF version, or use any tool to your liking (mspaint is also a candidate). There are no spaces - all words are one word.













You can find the puzzle in the following formats:

PNG: https://www.mediafire.com/view/0iuzvxal8redjz2/crossword-iiRh073oLn.png/file

PNG mirror: https://imgur.com/a/ASATRXf

PDF: https://www.mediafire.com/file/b3v7pebohp6c8vn/crossword-xp6dZUU9Ar.pdf/file

PDF mirror: https://www.filedropper.com/crossword-xp6dzuu9ar

If you have the solution, feel free to create a comment or @ me on Twitter: https://twitter.com/bartblaze

To make things more interesting, you can set up a competition between your fellow defenders to see who can complete it first!

If you're stuck, I can always send you a hint - see my About page for contact information, use Twitter, or leave a comment. Note there may be spoilers around. 

Tuesday, January 14, 2020

Satan ransomware rebrands as 5ss5c ransomware


The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps Iron ransomware, has now come up with a new version or rebranding named "5ss5c".

In a previous blog post, Satan ransomware adds EternalBlue exploit, I described how the group behind Satan ransomware has been actively developing its ransomware, adding new functionalities (specifically then: EternalBlue) and techniques with each run. Then, it appeared the group halted operations on at least the ransomware front for several months.

However, as it turns out, the group has been working on new ransomware - 5ss5c - since at least November 2019.

The following tweet got my attention:


After some quick checks, it appears this is a downloader for the 5ss5c ransomware, which is extremely reminiscent of how Satan ransomware operated:

Figure 1 - 5ss5c downloader












The malware will leverage certutil and even contains logging:

Figure 2 - certutil logging









It will download and leverage:

  • Spreader (EternalBlue and hardcoded credentials);
  • Mimikatz and what appears another password dumper/stealer;
  • The actual ransomware.

The following hashes are relevant to this new variant:

Name: down.txt
URL: http://58.221.158[.]90:88/car/down.txt
Purpose: Downloader
MD5: 680d9c8bb70e38d3727753430c655699
SHA1: 5e72192360bbe436a3f4048717320409fb1a8009
SHA256: ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f
Compilation timestamp: 2020-01-11 19:04:24
VirusTotal report:
ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f

down.txt is, as mentioned, the downloader for the spreader module and for the actual ransomware:

Name: c.dat
URL: http://58.221.158[.]90:88/car/c.dat
Purpose: spreader
MD5: 01a9b1f9a9db526a54a64e39a605dd30
SHA1: a436e3f5a9ee5e88671823b43fa77ed871c1475b
SHA256: 9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc
Compilation timestamp: 2020-01-11 19:19:54
VirusTotal report:
9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc

Name: cpt.dat
URL: http://58.221.158[.]90:88/car/cpt.dat
Purpose: ransomware
MD5: 853358339279b590fb1c40c3dc0cdb72
SHA1: 84825801eac21a8d6eb060ddd8a0cd902dcead25
SHA256: ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c
Compilation timestamp: 2020-01-11 19:54:25
VirusTotal report:
ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c
Fun fact: file version information contains "TODO: 5SS5C Encoder".

The compilation times are sequential, which makes sense - the downloader has been developed (and compiled) first, then the spreader and the actual ransomware.

Note that cpt.exe as filename has already been observed in Satan ransomware.

Further indicators, such as hashes, URLs, file paths and so on will be posted at the end of this blog post.


5ss5c - still in development - and with oddities

There's quite some curiosities that indicate 5ss5c is still in active development and stems from Satan ransomware, for example:

  • There are several logs created, e.g. there is a file "C:\Program Files\Common Files\System\Scanlog" that simply logs whether IPC SMB is open/available;
  • Certutil logging (successful download or not);
  • There are several Satan ransomware artefacts;
  • Other Tactics, Techniques and Procedures (TTP) align with both Satan (and DBGer), and slightly overlap with Iron: 
    • One of these is, for example, the use of multiple packers to protect their droppers and payloads. 
    • This time however, they decided to use both MPRESS and Enigma, and even Enigma VirtualBox! (Note: Enigma and Enigma VirtualBox are not the same - the latter is a virtualised packer and also referred to as EnigmaVM.)


However, there are quite some curiosities, one of them being what appear to be hardcoded credentials:

Figure 3 - Hardcoded creds




















These hardcoded credentials will be leveraged in an attempt to connect to an SQL database with the xp_cmdshell command:

Curiously, we can identify the following data inside the ransomware in regards to the SQL database:
  • ecology.url
  • ecology.password
  • ecology.user
Searching a bit further, we can discover a company named Finereport (https://www.finereport.com/en/company), which claims to be "Top 1 in China’s BI market share in IDC "China BI Software Tracker, 2018". You guessed it - it uses SQL as database.

What else is new is, as mentioned before, the use of Enigma VirtualBox for packing an additional spreader module, aptly named poc.exe. This suggest they may be experimenting (poc often is an acronym for proof of concept).

This file will be dropped to C:\ProgramData\poc.exe and will run the following command:

cd /D C:\ProgramData&star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload C:\ProgramData\down64.dll --TargetIp 
Now compare this to Satan ransomware's command:

cmd /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp 
Something looks similar here... :-)


5ss5c ransomware - how it operates

Back to the actual ransomware. It will create the following mutexes:
  • SSSS_Scan (in previous iterations SSS_Scan has also been observed)
  • 5ss5c_CRYPT

Just like its predecessor, 5ss5c also has an exclusion list, where it will not encrypt specific files as well as files in the following folders:

Figure 4 - Exclusion list

















For example, the following folders belonging to Qihoo 360 (an internet security company based in China also offering antivirus) were already excluded in Satan and DBGer ransomware:

  • 360rec
  • 360sec
  • 360sand


While these are new in 5ss5c ransomware:

  • 360downloads
  • 360safe


As in previous iterations, 5ss5c ransomware will stop database-related services and processes.

It will however only encrypt files with the following extensions:
7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip
This extension list is not like before, and includes mostly documents, archives, database files and VMware-related extensions such as vmdk.

The ransomware will then create the following URI structure to communicate with the C2 server (61.186.243[.]2):

  • /api/data.php?code=
  • &file=
  • &size=
  • &status=
  • &keyhash=
It will also create a ransomware note on the C:\ drive as: _如何解密我的文件_.txt which translates to _How to decrypt my file_.txt. Example content is as follows:

Figure 5 - ransom note














The content reads:


部分文件已经被加密
如果你想找回加密文件,发送 (1) 个比特币到我的钱包
从加密开始48小时之内没有完成支付,解密的金额会发生翻倍.
如果有其他问题,可以通过邮件联系我

您的解密凭证是 :

Email:[5ss5c@mail.ru]

Translated:

Some files have been encrypted
If you want to retrieve the encrypted file, send (1) Bitcoins to my wallet
If payment is not completed within 48 hours from the start of encryption, the amount of decryption will double.
If you have other questions, you can contact me by email
Your decryption credentials are:

Email: [5ss5c@mail.ru]

Interestingly, the ransomware note does not contain a Bitcoin address. Additionally, the note only contains instructions in Chinese, not Korean nor English like previous iterations. Is 5ss5c ransomware more targeted, or just actively being tested by the group/developers behind it?

Encrypted files will have the actor's email address prepended and a unique token with the ransomware's name will be appended, for example;
test.txt becomes [5ss5c@mail.ru]test.txt.Y54GUHKIG1T2ZLN76II9F3BBQV7MK4UOGSQUND7U.5ss5c.


Prevention
  • Enable UAC;
  • Enable Windows Update, and install updates (especially verify if MS17-010 is installed);
  • Install an antivirus, and keep it up-to-date and running;
  • Install a firewall, or enable the Windows Firewall;
  • Restrict, where possible, access to shares (ACLs);
  • Create backups! (and test them)
More ransomware prevention can be found here.

Conclusion

Satan is dead, long live 5ss5c! It just doesn't sound as good, does it?

Whoever's behind the development of Satan, DBGer, Lucky and likely Iron ransomware, is back in business with the 5ss5c ransomware, and it appears to be in active development - and is trying to increase (or perhaps focus?) its targeting and spread of the ransomware.

It is recommended organisations detect and/or search for the indicators of compromise (IOCs) below, and have proper prevention controls in place. MITRE ATT&CK IDs can also be found below.

Indicators of Compromise:



Type Indicator
File C:\Program Files\Common Files\System\Scanlog
File C:\Program Files\Common Files\System\cpt.exe
File C:\Program Files\Common Files\System\tmp
File C:\ProgramData\5ss5c_token
File C:\ProgramData\blue.exe
File C:\ProgramData\blue.fb
File C:\ProgramData\blue.xml
File C:\ProgramData\down64.dll
File C:\ProgramData\mmkt.exe
File C:\ProgramData\poc.exe
File C:\ProgramData\star.exe
File C:\ProgramData\star.fb
File C:\ProgramData\star.xml
Registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5ss5cStart
Command C:\Windows\system32\cmd.exe /c cd /D C:\ProgramData&blue.exe --TargetIp
Command star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload C:\ProgramData\down64.dll --TargetIp
Mutex SSSS_Scan
Mutex 5ss5c_CRYPT
Email 5ss5c@mail.ru
URL http://58.221.158.90:88/car/down.txt
URL http://58.221.158.90:88/car/c.dat
URL http://58.221.158.90:88/car/cpt.dat
IP 58.221.158.90
IP 61.186.243.2
Hash 82ed3f4eb05b76691b408512767198274e6e308e8d5230ada90611ca18af046d
Hash dc3103fb21f674386b01e1122bb910a09f2226b1331dd549cbc346d8e70d02df
Hash 9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc
Hash af041f6ac90b07927696bc61e08a31a210e265a997a62cf732f7d3f5c102f1da
Hash ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c
Hash e685aafc201f851a47bc926dd39fb12f4bc920f310200869ce0716c41ad92198
Hash e5bb194413170d111685da51b58d2fd60483fc7bebc70b1c6cb909ef6c6dd4a9
Hash ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f
Hash ef90dcc647e50c2378122f92fba4261f6eaa24b029cfa444289198fb0203e067
Hash 47fa9c298b904d66a5eb92c67dee602198259d366ef4f078a8365beefb9fdc95
Hash 68e644aac112fe3bbf4e87858f58c75426fd5fda93f194482af1721bc47f1cd7
Hash ea7caa08e115dbb438e29da46b47f54c62c29697617bae44464a9b63d9bddf18
Hash 23205bf9c36bbd56189e3f430c25db2a27eb089906b173601cd42c66a25829a7
Hash a46481cdb4a9fc1dbdcccc49c3deadbf18c7b9f274a0eb5fdf73766a03f19a7f
Hash cf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de
Hash 8e348105cde49cad8bfbe0acca0da67990289e108799c88805023888ead74300
Hash ad3c0b153d5b5ba4627daa89cd2adbb18ee5831cb67feeb7394c51ebc1660f41
Hash de3c5fc97aecb93890b5432b389e047f460b271963fe965a3f26cb1b978f0eac
Hash bd291522025110f58a4493fad0395baec913bd46b1d3fa98f1f309ce3d02f179
Hash 75d543aaf9583b78de645f13e0efd8f826ff7bcf17ea680ca97a3cf9d552fc1f
Hash 50e771386ae200b46a26947665fc72a2a330add348a3c75529f6883df48c2e39
Hash 0aa4b54e9671cb83433550f1d7950d3453ba8b52d8546c9f3faf115fa9baad7e
Hash 5d12b1fc6627b0a0df0680d6556e782b8ae9270135457a81fe4edbbccc0f3552


These indicators are also available on AlienVault OTX:
Satan ransomware rebrands as 5ss5c ransomware

MITRE ATT&CK techniques



Tuesday, November 19, 2019

Monero download site and binaries compromised


Introduction

Earlier this evening I saw a tweet appear which claimed Monero has been hacked and a malicious binary (instead of the real one) has been served:


Post on Reddit:
https://www.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_binaries_available_on/

Github issue:
https://github.com/monero-project/monero/issues/6151


Linux binary

Thanks to user nikitasius I was able to retrieve the malicious binary:
https://github.com/monero-project/monero/issues/6151#issuecomment-555511805

This binary is an ELF file with the following properties:
When comparing the legitimate file and this ELF file, we notice the file size is different, and a few new functions have been added:

cryptonote::simple_wallet::send_seed

This function is immediately called after either opening or creating a new wallet, as can be seen in Figure 1 and 2 below.


Figure 1 - Create wallet (legitimate)

Figure 2 - Call new seed function






















The seed will be sent to: node.hashmonero[.]com.

cryptonote::simple_wallet::send_to_cc

As you may have guessed, this function will send data off to the CC or C2 (command and control) server - this will be stolen funds.

Figure 3 - Send to cc







Sending funds to the C2 is handled using an HTTP POST request to the following C2 servers:

  • node.xmrsupport[.]co
  • 45.9.148[.]65

As far I can see, it doesn't seem to create any additional files or folders - it simply steals your seed and attempts to exfiltrate funds from your wallet.

Windows binary

The C2 server 45.9.148[.]65 also hosts a Windows binary with the following properties:


The Windows version is essentially doing the same things as the Linux version - stealing your seed and wallet funds - the function names are just different, e.g. _ZN10cryptonote13simple_wallet9send_seedERKN4epee15wipeable_stringE.

Figure 4 - Send to cc








Note: this doesn’t mean the official Windows binary was also compromised - it simply means there’s also a compromised Windows binary out there. Only the Monero team can confirm if other binaries (besides the Linux one mentioned in this blog) have been compromised.

Detection

Note: What is a hash? A hash is a unique identifier. This can be for a file, a word, ... It is preferred to use SHA256 hashes for file integration checks, as it is more secure.

You may also use the following Yara rule to detect the malicious or compromised binaries:
Monero_Compromise.yar
Download Yara (and documentation) from:
https://github.com/VirusTotal/yara

There's an additional analysis by SerHack here:
https://serhack.me/articles/cli-binaries-compromised-monero-analysis/

Recommendations
Note: Especially go through the steps if at any point you downloaded, used or installed new binaries between these dates: Monday 18th 1:30 AM UTC and 5:30 PM UTC. Download the latest version from: https://web.getmonero.org/downloads/.

Monero team statement

The Monero team has issued a statement as follows:

Warning: The binaries of the CLI wallet were compromised for a short time:
https://web.getmonero.org/2019/11/19/warning-compromised-binaries.html

I expect this statement to be updated the following days, so monitor it as well.


Conclusion

Monero is not the first, nor will it likely be the last cryptocurrency (in this case, its website and binaries) that gets compromised.

Follow the steps in this blog post to protect yourself and always watch your online accounts closely, especially those where you have financially invested in. Use strong passwords, use MFA (or 2FA) where possible and always be vigilant. Verify hashes when a new version is available.

Note: this blog post is not intended to be a full analysis, but rather a quick report on the facts, including recommendations. Questions or feedback? Happy to hear it!

Let me know in the comments below or on Twitter.



Indicators


Indicator typeIndicator
FileHash-SHA2567ab9afbc5f9a1df687558d570192fbfe9e085712657d2cfa5524f2c8caccca31
FileHash-SHA256963c1dfc86ff0e40cee176986ef9f2ce24fda53936c16f226c7387e1a3d67f74
hostnamewww.hashmonero.com
hostnamenode.xmrsupport.co
hostnamenode.hashmonero.com
FileHash-MD5d267be7efc3f2c4dde8e90b9b489ed2a
FileHash-MD572417ab40b8ed359a37b72ac8d399bd7
FileHash-SHA16bd94803b3487ae1997238614c6c81a0f18bcbb0
FileHash-SHA1394bde8bb86d75eaeee69e00d96d8daf70df4b0a
IPv491.210.104.245
IPv445.9.148.65
domainhashmonero.com
domainxmrsupport.co

On AlienVault:

https://otx.alienvault.com/pulse/5dd4574fc7c82cddbdcb8d12

MITRE ATT&CK techniques

ID: T1195 - Supply Chain Compromise
ID: T1199 - Trusted Relationship

Sunday, March 17, 2019

Run applications and scripts using Acer's RunCmd


This weekend I was cleaning up an old Acer laptop of mine and discovered a hidden folder on the root drive, C:\OEM.

Inside's a bunch of interesting files, one of these is a tool called RunCmd_X64.exe.

The file is a legitimate and signed binary by Acer:

Figure 1 - Signed RunCmd_X64




















The tool contains a useful help file as follows:

A tool to execute a command file.
RunCmd.exe filepath [/T | /F]
filepath full path name or file name
/T launch command file and open the console window
/F launch command file and hide the console window
If there is not any flag, /T or /F, the default situation is hiding window
Examples:
RunCmd.exe "D:\EnBT.cmd" /T
RunCmd.exe "EnBT.cmd" /F

Simply put, you can use Acer's tool as an alternative to the built-in command prompt, and to launch other applications! Additionally, using the /F parameter or flag will hide the console window, which is by default if there isn't any parameter!

Some simple examples:

Run an application directly

Figure 2 - Running calc.exe














Run virtually anything using a script 

Figure 3 - Running calc using a batch file










Note that since no parameter is used, the RunCmd tool will run silently and tools such as Process Explorer show a non-existent parent process.

In theory, you can run any script or scriptlet using Acer's tool to execute "command files" :)

For attackers

This "LOLBin", or at the least reusing a legitimate and signed binary for malicious purposes, has the following MD5 hash:

RunCmd_X64 - d71fb1b03bf84fae29af9b2dc525ba33

There is also a 32-bit version, however, this binary is not signed.

RunCmd - 4d50588568cae95331f00cbdb52be37a


For defenders

See "For attackers". Additionally, the RunCmd tool will attempt to create a folder named "RunCmdLog" to store logfiles. An example logfile is as follows:

2019-03-17 21:00:37 [  193C] TRACE main - ENTER: main
2019-03-17 21:00:37 [  193C] TRACE main - EXIT: main
2019-03-17 21:00:37 [  193C] INFO main - Para 1: calc.bat
2019-03-17 21:00:37 [  193C] INFO main - Para 2:
2019-03-17 21:00:37 [  193C] INFO main - command: C:\Tools\Acer\calc.bat
2019-03-17 21:00:37 [  193C] INFO main - command success
Log files will have the following format:
%s%02d-%02d-%02d %02d-%02d-%02d.log

Where %s is RunCmd and %02d is the date and time of execution. In our example above:
RunCmd2019-03-17 21-00-37.log

Why try using LOLBins when you can use tools installed by the manufacturer?


Resources

Github - Living Off The Land Binaries and Scripts (and also Libraries)
Hexacorn - Reusigned Binaries – Living off the signed land