Tuesday, November 19, 2019

Monero download site and binaries compromised


Introduction

Earlier this evening I saw a tweet appear which claimed Monero has been hacked and a malicious binary (instead of the real one) has been served:


Post on Reddit:
https://www.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_binaries_available_on/

Github issue:
https://github.com/monero-project/monero/issues/6151


Linux binary

Thanks to user nikitasius I was able to retrieve the malicious binary:
https://github.com/monero-project/monero/issues/6151#issuecomment-555511805

This binary is an ELF file with the following properties:
When comparing the legitimate file and this ELF file, we notice the file size is different, and a few new functions have been added:

cryptonote::simple_wallet::send_seed

This function is immediately called after either opening or creating a new wallet, as can be seen in Figure 1 and 2 below.


Figure 1 - Create wallet (legitimate)

Figure 2 - Call new seed function






















The seed will be sent to: node.hashmonero[.]com.

cryptonote::simple_wallet::send_to_cc

As you may have guessed, this function will send data off to the CC or C2 (command and control) server - this will be stolen funds.

Figure 3 - Send to cc







Sending funds to the C2 is handled using an HTTP POST request to the following C2 servers:

  • node.xmrsupport[.]co
  • 45.9.148[.]65

As far I can see, it doesn't seem to create any additional files or folders - it simply steals your seed and attempts to exfiltrate funds from your wallet.

Windows binary

The C2 server 45.9.148[.]65 also hosts a Windows binary with the following properties:


The Windows version is essentially doing the same things as the Linux version - stealing your seed and wallet funds - the function names are just different, e.g. _ZN10cryptonote13simple_wallet9send_seedERKN4epee15wipeable_stringE.

Figure 4 - Send to cc








Note: this doesn’t mean the official Windows binary was also compromised - it simply means there’s also a compromised Windows binary out there. Only the Monero team can confirm if other binaries (besides the Linux one mentioned in this blog) have been compromised.

Detection

Note: What is a hash? A hash is a unique identifier. This can be for a file, a word, ... It is preferred to use SHA256 hashes for file integration checks, as it is more secure.

You may also use the following Yara rule to detect the malicious or compromised binaries:
Monero_Compromise.yar
Download Yara (and documentation) from:
https://github.com/VirusTotal/yara

There's an additional analysis by SerHack here:
https://serhack.me/articles/cli-binaries-compromised-monero-analysis/

Recommendations
Note: Especially go through the steps if at any point you downloaded, used or installed new binaries between these dates: Monday 18th 1:30 AM UTC and 5:30 PM UTC. Download the latest version from: https://web.getmonero.org/downloads/.

Monero team statement

The Monero team has issued a statement as follows:

Warning: The binaries of the CLI wallet were compromised for a short time:
https://web.getmonero.org/2019/11/19/warning-compromised-binaries.html

I expect this statement to be updated the following days, so monitor it as well.


Conclusion

Monero is not the first, nor will it likely be the last cryptocurrency (in this case, its website and binaries) that gets compromised.

Follow the steps in this blog post to protect yourself and always watch your online accounts closely, especially those where you have financially invested in. Use strong passwords, use MFA (or 2FA) where possible and always be vigilant. Verify hashes when a new version is available.

Note: this blog post is not intended to be a full analysis, but rather a quick report on the facts, including recommendations. Questions or feedback? Happy to hear it!

Let me know in the comments below or on Twitter.



Indicators


Indicator typeIndicator
FileHash-SHA2567ab9afbc5f9a1df687558d570192fbfe9e085712657d2cfa5524f2c8caccca31
FileHash-SHA256963c1dfc86ff0e40cee176986ef9f2ce24fda53936c16f226c7387e1a3d67f74
hostnamewww.hashmonero.com
hostnamenode.xmrsupport.co
hostnamenode.hashmonero.com
FileHash-MD5d267be7efc3f2c4dde8e90b9b489ed2a
FileHash-MD572417ab40b8ed359a37b72ac8d399bd7
FileHash-SHA16bd94803b3487ae1997238614c6c81a0f18bcbb0
FileHash-SHA1394bde8bb86d75eaeee69e00d96d8daf70df4b0a
IPv491.210.104.245
IPv445.9.148.65
domainhashmonero.com
domainxmrsupport.co

On AlienVault:

https://otx.alienvault.com/pulse/5dd4574fc7c82cddbdcb8d12

MITRE ATT&CK techniques

ID: T1195 - Supply Chain Compromise
ID: T1199 - Trusted Relationship

Sunday, March 17, 2019

Run applications and scripts using Acer's RunCmd


This weekend I was cleaning up an old Acer laptop of mine and discovered a hidden folder on the root drive, C:\OEM.

Inside's a bunch of interesting files, one of these is a tool called RunCmd_X64.exe.

The file is a legitimate and signed binary by Acer:

Figure 1 - Signed RunCmd_X64




















The tool contains a useful help file as follows:

A tool to execute a command file.
RunCmd.exe filepath [/T | /F]
filepath full path name or file name
/T launch command file and open the console window
/F launch command file and hide the console window
If there is not any flag, /T or /F, the default situation is hiding window
Examples:
RunCmd.exe "D:\EnBT.cmd" /T
RunCmd.exe "EnBT.cmd" /F

Simply put, you can use Acer's tool as an alternative to the built-in command prompt, and to launch other applications! Additionally, using the /F parameter or flag will hide the console window, which is by default if there isn't any parameter!

Some simple examples:

Run an application directly

Figure 2 - Running calc.exe














Run virtually anything using a script 

Figure 3 - Running calc using a batch file










Note that since no parameter is used, the RunCmd tool will run silently and tools such as Process Explorer show a non-existent parent process.

In theory, you can run any script or scriptlet using Acer's tool to execute "command files" :)

For attackers

This "LOLBin", or at the least reusing a legitimate and signed binary for malicious purposes, has the following MD5 hash:

RunCmd_X64 - d71fb1b03bf84fae29af9b2dc525ba33

There is also a 32-bit version, however, this binary is not signed.

RunCmd - 4d50588568cae95331f00cbdb52be37a


For defenders

See "For attackers". Additionally, the RunCmd tool will attempt to create a folder named "RunCmdLog" to store logfiles. An example logfile is as follows:

2019-03-17 21:00:37 [  193C] TRACE main - ENTER: main
2019-03-17 21:00:37 [  193C] TRACE main - EXIT: main
2019-03-17 21:00:37 [  193C] INFO main - Para 1: calc.bat
2019-03-17 21:00:37 [  193C] INFO main - Para 2:
2019-03-17 21:00:37 [  193C] INFO main - command: C:\Tools\Acer\calc.bat
2019-03-17 21:00:37 [  193C] INFO main - command success
Log files will have the following format:
%s%02d-%02d-%02d %02d-%02d-%02d.log

Where %s is RunCmd and %02d is the date and time of execution. In our example above:
RunCmd2019-03-17 21-00-37.log

Why try using LOLBins when you can use tools installed by the manufacturer?


Resources

Github - Living Off The Land Binaries and Scripts (and also Libraries)
Hexacorn - Reusigned Binaries – Living off the signed land


Monday, March 4, 2019

Analysing a massive Office 365 phishing campaign


Last week, a friend of mine reached out with a query: a contact in his address book had sent him a suspicious email. As it turns out, it was. In this blog post, we'll have a quick look at an Office 365 phishing campaign, which turned out to be massive. This type of phishing has been on the rise for a while now (at least since 2017), and it's important to point out, as seemingly attacks are only increasing.


Analysis

As mentioned earlier, Office 365 (O365) phishing isn't new, but it is definitely prevalent. A high-level overview of a typical attack is as follows:

Figure 1 - High-level overview of typical O365 phishing
















A typical flow of such an attack may be as follows:


  1. An attacker sends an O365 spearphishing email, likely from a spoofed or fake email address;
  2. The user is enticed to click on the link, or open the attachment which includes a link;
  3. The user will then unknowingly enter their credentials on the fake O365 page;
  4. Credentials get sent back to the attacker;
  5. Attacker will access the now compromised user's mailbox; and,
  6. The cycle repeats: the attacker will send spearphish emails to all of the compromised user's contacts - with this difference, it's coming from a legitimate sender.
This is exactly what happened to a friend of mine: he got sent an email from a legitimate email address, which was a contact in his address book - only the sender never intentionally sent this email! 

Let's have a look at the infection chain.

The initial email

The initial email sent looked as follows:

Figure 2 - "P.AYMENT COPY"












Clicking on the "OPEN" button would redirect you to a legitimate but compromised Sharepoint (part of O365) webpage. Seeing as a legitimate business has been compromised, I won't post the link here. Its web administrators have been notified.


Figure 3 - "Access OneDrive"













The PDF document

Next step is hosting a PDF named "INVOICE.PDF", which entices the user to access OneDrive to view the shared file. If the user were to click on "OPEN PDF HERE":


Figure 4 - "Login with Office 365"















URI: https://happymachineit[.]info/Michael/b4fb042ba2b3b35053943467ac22a370/OFE1.htm

The final landing or phishing page


Finally, clicking on "Login with Office 365" will redirect the user to the final phishing page, which will look as follows:

Figure 5 - Final landing page
















The final landing page is as follows:
https://happymachineit[.]info/Michael/b4fb042ba2b3b35053943467ac22a370/7hsfabvj2b0b9rguzbzw910d.php

When entering credentials, they will be sent off to the attacker, and the cycle from Figure 1 will repeat itself. Note that other scenarios are possible, for example:
  1. The attacker may try to (re-)sell credentials that have been gathered so far on criminal forums
  2. The attacker may send more targeted spearphishes to potentially interesting victims
  3. The attacker may attempt to access other services or accounts using the same user/password combination
In short, there's countless other possibilities.

The phishing infrastructure

Avid readers will have noticed the phishing website uses a valid SSL certificate, which has the following details:


  • Subject DN: CN=happymachineit.info
  • Issuer DN: C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority
  • Serial: 169382499542171049850152621295591104087
The SSL cert was issued by Comodo in January. Details can be found on Censys.io.

An additional email address is connected with "happymachine": fudtoolshop@gmail.com

The phishing website encountered here, https://happymachineit[.]info, is hosted on the following IP: 178.159.36[.]107

Pivoting on that IP brings us to the following SSL certificate details:

emailAddress=ssl@server.localhost.com, CN=server.localhost.com

This means the certificate is a local and self-signed one. In other words, if you are accessing a secure website, and you see "server.localhost.com" as the SSL certificate, do NOT trust it. This is sometimes from an automatic setup from the hosting provider.

As a side-note, a search for the Common Name (CN) mentioned above with Censys currently yields 473 (unexpired certs) results: https://censys.io/certificates?q=%28server.localhost.com%29+AND+tags.raw%3A+%22unexpired%22&

Performing a search with RiskIQ's PassiveTotal as well as VirusTotal, and after filtering results, we obtain a whopping total of 875 unique Office 365 phishing sites, hosted on that IP alone! It appears this campaign has been active since December 2018.

Searching a bit further, it appears the whole ASN (which is a collection of IP prefixes controlled by a single entity, typically an ISP), AS48666 is in fact riddled with Office 365 as well as other phishing sites. Using URLscan.io we can quickly gauge the ASN is hosting multiple phishing sites for Office 365 as well as Adobe:

Figure 6 - AS48666 hosting badness










General Info:

  • Geo: Russian Federation (RU) — 
  • AS: AS48666 - AS-MAROSNET Moscow, Russia, RU 
  • Registrar: RIPENCC

As shown in this blog post, one IP address can host tons of phishing instances, while the ASN controls multiple IPs. Bonus bad IP: 178.159.36[.]120. 


Detection

For the phishing websites itself, any network traffic that resolves to the IP above.

I've noticed there are countless similar PDFs from this same campaign. Due to the way these are created (likely in bulk), a simple Yara rule can be developed as follows:











The Yara rule can be found on Pastebin here or on Github Gist here.

Note: in specific instances, this rule may false-positive - so use at your own will.

The following MITRE ATT&CK techniques are relevant:



Disinfection

There isn't much to disinfect, since there's no actual malware involved.

However, if you have been affected by this phishing campaign, do the following immediately:

  • Contact your network and/or system administrator or managed services provider if you have one and wait for their response - if not;
  • Note down the phishing page/URL, then close any open phishing pages - in fact, close the whole browser;
  • Perform an antivirus scan with your installed product, and a scan with another application, for example Malwarebytes (better be safe than sorry);
  • Change your O365 password immediately;
  • Change passwords on other websites where you used the same combination;
  • Reach out to the people in your address book you were compromised and they are not to open your email(s) or at least not any attachments or links from your email(s);
  • Verify your "Sent" emails folder (or "Outbox") for any suspicious activity. If there are no Sent emails - the attacker may have deleted them, or you may have a full compromise on your hands.;
  • Verify any (newly) created rules in your mail application (in this case O365), for example, verify there are no new forwarding rules or perhaps rules that delete new incoming emails - forwarding rules and deletion rules are sometimes set up by an attacker to gather more information or as an attempt to remain hidden; and,
  • File a complaint with your CERT, local police station, or whichever authority would handle such cases. If you are unsure how to do so, have a look here for assistance.


Prevention

  • Block the IP (or whole subnet 178.159.36[.]0/24) mentioned in this report in your firewall or proxy or other appliance;
  • Use strong and preferably unique passwords (use a password manager);
  • Set up 2FA for accounts or, preferably, MFA (multi-factor authentication);
  • Enable, deploy or implement anti-spam and anti-phishing protection;
  • Enable, deploy, or implement a URL phishing filter;
  • Trust, but verify: "did this contact really need to send me a "Payment Copy"? - if needed, verify via a phone call - not via email;
  • Be generally cautious with links and attachments. Do not click on links or open attachments from unknown senders;
  • If possible, use Firefox with NoScript enabled; and,
  • If you're in an organisation: create or organise user awareness training.

Conclusion

Phishing has been around for a long time - Office 365 phishing, on the other hand, has been around since, well, Office 365 was created. Every time a new service is created, you can imagine that phishing emails targeting that service will follow - maybe one month later, perhaps a year later - but they will.

Always try to be vigilant and follow the prevention tips mentioned above to stay safe.

As a side-note, the real Office 365 page is: https://outlook.office365.com/owa

You may find more information in the Resources section below.

Resources

Blaze's Security Blog - Cybercrime Report Template
Decent Security - Easily Report Phishing and Malware
Microsoft - Anti-phishing protection in Office 365
Microsoft - Microsoft publishes guidance to boost public sector cloud security
Microsoft - Set up multi-factor authentication
Microsoft - Set up Office 365 ATP anti-phishing and anti-phishing policies

Indicators