
Carbon Black discovers new adware related threat

Mon 26 Sep 2016

Earlier this week, Carbon Black, working with the Cb User Exchange community, found well-known adware variants, including OpenCandy and DealPly, and a trojanised Chromium build, using evasion techniques that Carbon Black had previously seen only in nation-state intrusions, specifically Operation Aurora, which targeted Google, Adobe and other major companies.

The technique, binary fragmentation, delivers the payload as separate pieces that are only joined back together on the victim host, so sandboxes, hash-based scanners and other intrusion detection that inspect each file individually never see the complete executable. Once these adware variants are installed on a machine, the actor can bypass existing security controls and install secondary payloads, giving the adversary full control of the user's machine.

These adware variants started to appear across the Carbon Black customer base early this week, across industries and organisation sizes, which suggests a recently launched, pervasive campaign.

We believe this attack vector is being used as a delivery mechanism for Ransomware and other malware classes. The Carbon Black Threat Research team is currently performing a technical deep-dive pertaining to this finding, stay tuned for more information.

For Carbon Black customers who would like to add detection of these adware variants, please add the following Watchlists**:

PRIMARY BEHAVIOR: cmdline:copy AND cmdline:/b

SECONDARY BEHAVIOR: process_name:wscript.exe AND netconn_count:[1 TO *]

**If you see a lot of hits on these Watchlists, that is expected, as legitimate activity (build scripts, admin scripts) also performs these actions. Filter out what appears to be legitimate activity until the query shows only the anomalous activity. As we see more examples, we will post them in the Carbon Black Detection eXchange.

For those who are not Carbon Black customers (and who do not have the ability to inspect command-line arguments), we suggest looking in "Scheduled Tasks" for suspicious, newly created tasks, as these variants establish persistence in the Windows Task Scheduler. A significant takeaway from this alert should be to take adware and other potentially unwanted programs ("PUPs") seriously, as these seemingly innocuous applications are growing progressively more malicious in their impact on an environment. As we learn more, we will update this blog.
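The two watchlist behaviours above and the scheduled-task check for non-Cb users, expressed as plain Python over a handful of constructed process events, as an added example that is not part of Carbon Black's post or product. The sample events, the parent image names (such as the hypothetical adware_installer.exe) and the allowlist of vetted parents are assumptions for illustration; the regexes implement the post's queries (copy with /b; wscript.exe with at least one network connection) in a form that can be run over exported Sysmon or EDR process-creation records.

```python
"""Detection logic for the post's two watchlists plus the scheduled-task check.
Added example: the events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass
class ProcEvent:
    process_name: str       # image name as logged, e.g. "wscript.exe"
    cmdline: str            # full command line
    parent: str             # parent image name (assumed field name)
    netconn_count: int = 0  # network connections attributed to the process


# Constructed sample events modelled on the behaviour the post describes.
SAMPLE_EVENTS: List[ProcEvent] = [
    # .dat fragments joined into an "icon" by a hypothetical adware installer
    ProcEvent("cmd.exe",
              r'cmd.exe /c copy /b "C:\Users\u\AppData\Local\Temp\a1.dat"+'
              r'"C:\Users\u\AppData\Local\Temp\a2.dat" "C:\Users\u\AppData\Local\Temp\icon.ico"',
              parent="adware_installer.exe"),
    # the rebuilt "log file" launched by wscript, which then beacons out
    ProcEvent("wscript.exe", r'wscript.exe //B "C:\Users\u\AppData\Local\Temp\update.log"',
              parent="cmd.exe", netconn_count=3),
    # persistence: a new scheduled task re-running the script host from Temp
    ProcEvent("schtasks.exe",
              r'schtasks.exe /Create /SC MINUTE /MO 30 /TN "SysUpdater" '
              r'/TR "wscript.exe //B C:\Users\u\AppData\Local\Temp\update.log"',
              parent="cmd.exe"),
    # benign noise the post warns about: a build step appending text files,
    # and a logon script with no network activity
    ProcEvent("cmd.exe", "cmd.exe /c copy /b part1.txt+part2.txt combined.txt",
              parent="msbuild.exe"),
    ProcEvent("wscript.exe", r"wscript.exe C:\Scripts\logon.vbs", parent="userinit.exe"),
]

# PRIMARY BEHAVIOR: cmdline:copy AND cmdline:/b
COPY_B = re.compile(r"\bcopy\b.*\s/b\b", re.IGNORECASE)
# Scheduled-task heuristic (chosen for this example): schtasks /Create whose
# action runs a script host out of a user-writable directory.
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.IGNORECASE)
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
SUSPICIOUS_ACTION = re.compile(
    r"\b(?:wscript|cscript|mshta)(?:\.exe)?\b.*(?:\\temp\\|\\appdata\\)", re.IGNORECASE)


def primary_hits(events, allowed_parents: FrozenSet[str] = frozenset()) -> List[ProcEvent]:
    """copy with /b, minus parents the analyst has already vetted as legitimate.
    The allowlist is how the post's "filter out legitimate activity" step is done here."""
    return [e for e in events
            if COPY_B.search(e.cmdline) and e.parent.lower() not in allowed_parents]


def secondary_hits(events) -> List[ProcEvent]:
    """SECONDARY BEHAVIOR: wscript.exe with netconn_count:[1 TO *]."""
    return [e for e in events
            if e.process_name.lower() == "wscript.exe" and e.netconn_count >= 1]


def new_task_hits(events) -> List[ProcEvent]:
    """schtasks /Create whose /TR action launches a script host from Temp or AppData."""
    hits = []
    for e in events:
        if not SCHTASKS_CREATE.search(e.cmdline):
            continue
        m = TASK_ACTION.search(e.cmdline)
        action = (m.group(1) or m.group(2)) if m else ""
        if SUSPICIOUS_ACTION.search(action):
            hits.append(e)
    return hits


def triage(events, allowed_parents: FrozenSet[str] = frozenset()) -> Dict[str, List[ProcEvent]]:
    return {
        "copy_b": primary_hits(events, allowed_parents),
        "wscript_netconn": secondary_hits(events),
        "new_task": new_task_hits(events),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS, frozenset({"msbuild.exe"})).items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print(f"   {h.parent} -> {h.process_name}: {h.cmdline}")
```

Without the allowlist the copy /b rule fires on the build step too, which is the noise the post says to expect; the point of keeping the rule broad and trimming by parent is that the adware's own parent process is what makes the hit interesting, not the copy command itself.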

It started out like any other Thursday: team meetings, coffee, more meetings, and of course more coffee. At 11:00 AM, I began my first customer call of the day. As it turns out, it was a threat hunting and Kill Chain analysis call. 35 minutes into the call, we found some generic trojans, but at the time they didn’t seem particularly interesting. It was at this point that I just happened to remember an attack vector I had once triaged while doing some work during Operation Aurora. (See #FlashbackToOperationAurora at the end of this article for the whole story).

Just for fun, I asked my customer to run the query: cmdline:copy AND cmdline:/b. Cb Response showed they had three hits. I bolted upright in my chair. Three years ago, I stumbled upon this attack vector and I'd never seen it since… until last week.

As we began to triage the event, we began to see .dat files being joined to form all sorts of unusual file types including .txt, .png, .log, .ico, & .dll files. It was highly irregular.

Obviously, I couldn’t think of a legitimate reason for someone to conjoin “random” .dat files to create an image or even a .dll file (As shown in the screenshots below). As we began to follow the process execution, these “icons” and “log files” were then being launched by wscript where they beaconed to multiple “unusual” domains/IPs and established persistence as a scheduled task on the compromised system.

So, now for the "stranger" part. As we began to walk backward up the process tree, we began noticing that the parent processes launching these rather advanced obfuscation techniques were "routine" adware (flagged multiple times on VirusTotal). I was stunned. I kept asking myself why in the world "regular" adware would need such advanced obfuscation?

Resulting from this meeting, we found several other systems, all demonstrating similar symptoms of compromise. In my next two calls that day, BOTH of my customers (different industries) also had systems compromised in the same manner. 

I felt at this point it was my duty to spread the word and post my findings to Carbon Black’s User Exchange (UX). Within minutes, reports began to pour in regarding similar findings across our customer base. (Direct link to the original thread in the Carbon Black User eXchange: https://community.carbonblack.com/docs/DOC-5307).

The Cb Collective Defense model came through on this attack like a grand slam, as all of our customers have access to the Detection Exchange to share indicators and comment on detection and analysis methods. Just yesterday (09/22/2016), a user in the Community who goes by the alias of "dumonal" made a wild discovery: the "Adware" may be a delivery vector for the Enigma Ransomware. To date we've not been able to replicate this behavior, but will keep you updated as we learn more.

All of a sudden, the level of advanced obfuscation for this "Adware" makes sense. This adware appears to be the stager being used to covertly distribute the binaries (believed to be) attributed to ransomware and other classes of malware.

There are several methods being discussed in our UX to detect and contain these sorts of attacks that leverage binary fragmentation. Given the widespread nature of this compromise, I strongly recommend scanning your systems for use of the copy command with the binary append parameter (/b).

Another user in our UX who goes by the name “myersjos” has suggested that “Process searching Wscript.exe with Netcons out to the internet may reveal interesting results to you.”

#FlashbackToOperationAurora

At the time I was managing the SOC for a large financial client and our Division Chief had been targeted by a very skillfully crafted phishing email. (Fortunately for the client, the spam filter blocked the payload as it contained a .rar file). However, given the tailored information contained in the phishing email, I decided to “play around” and see what the presumed malicious payload did. As I opened the rar file, I saw a Word document and a shortcut file, along with a sub directory.

I (wrongly) assumed that there was a malicious macro embedded in the word doc. However, when I fired up MS Word in a VM, much to my surprise nothing malicious happened. I double and triple analyzed the doc and still nothing. From there, I began to explore the subdirectory. I was interested by what appeared to be two temp files as they were named ~$1.tmp & ~$2.tmp. I hashed the files, however an open source query came back null.

When I ran strings on them I was a bit perplexed; when I opened up ~$1.tmp in WinHex it had an MZ header (thus signaling to me that it had executable content), however it was only a 16-character file. Weird, but obviously way too small to actually be a Portable Executable. ~$2.tmp was pure gibberish, nothing really interesting and not many readable characters. I tried a number of different methods to launch these files, however nothing worked.

At this point, I was greatly perplexed. The actor went through a decent bit of work to craft a VERY good spearphish, however, nothing malicious would execute. Just for due diligence's sake, I went back and clicked on the shortcut. My jaw nearly hit the floor when all of a sudden the system began beaconing and *something* established persistence.

I couldn’t believe what I was seeing and I immediately viewed the properties of that little innocuous shortcut. No, it didn’t send me to a web link, instead it did one of the coolest things I’ve ever seen to date:

The target field of the shortcut ran a copy command using the binary append parameter and conjoined the two "temp files" into a single binary. (This is a legitimate function of the standard Windows copy command: https://support.microsoft.com/en-us/kb/71161)

The command executed by the shortcut was something like this to build & launch the payload and then remove the malware fragments:

cmd.exe /c copy /b "temp\~$1.tmp"+"temp\~$2.tmp" "temp\svcmgr.exe" & start "" "temp\svcmgr.exe" & del "temp\~$1.tmp" & del "temp\~$2.tmp"

(copy, start and del are cmd.exe built-ins, so a shortcut target has to go through cmd.exe /c to reach them. The empty "" after start is the window-title argument; without it cmd treats the first quoted string as a title rather than as the program to run.)

I remember just sitting back in my chair with my jaw still hanging open and shaking my head at what I had just found. I was thoroughly impressed. This was one of those times you see an attack vector that you know is really bad, but was so clever you almost wanted to shake the attacker's hand and congratulate him on his brilliance.

What makes this attack so interesting is how effective it is at evading perimeter and network-based IDS/IPS tools. Hash-based detection mechanisms fail to catch the fragments because each one is hashed individually, and neither fragment's hash matches the assembled executable. Sandboxing and detonation-based tools also return a false negative, since each fragment is detonated on its own: the 16-byte piece is too short to be a valid PE and the remainder has no MZ header, so neither does anything until the copy /b on the victim joins them.
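The split-and-rejoin mechanism from the shortcut above and the evasion of per-file hashing just described, as an added demonstration that is not the post's own code. The "payload" is a constructed byte string with a DOS header and PE signature, not a real executable, and the blocklist and scanner check are stand-ins for a gateway or AV hash lookup; the copy_b function does exactly what copy /b does, raw concatenation.

```python
"""Why per-file hashing and sandbox detonation miss a fragmented payload.
Added demonstration, not the post's code: the 'payload' is a constructed byte
string with a DOS header and PE signature, not a real executable."""
import hashlib
from typing import List, Set, Tuple


def build_fake_payload() -> bytes:
    """Constructed stand-in for svcmgr.exe: 64-byte DOS header whose e_lfanew
    (offset 0x3C) points at a 'PE\\0\\0' signature, followed by filler bytes."""
    dos_header = b"MZ" + b"\x90" * 0x3A + (0x40).to_bytes(4, "little")  # 64 bytes
    return dos_header + b"PE\x00\x00" + b"\xCC" * 200


def split_fragments(payload: bytes, first_len: int) -> Tuple[bytes, bytes]:
    """Split the way the post describes: a tiny first piece that still starts with
    MZ (the 16-byte ~$1.tmp) and a remainder that looks like gibberish (~$2.tmp)."""
    return payload[:first_len], payload[first_len:]


def copy_b(*fragments: bytes) -> bytes:
    """What  copy /b a+b out  does: raw concatenation, no decoding or transformation."""
    return b"".join(fragments)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_plausible_pe(data: bytes) -> bool:
    """The minimal check a scanner does before treating a file as an executable:
    MZ magic, a full DOS header, and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def hash_blocklist_check(blocklist: Set[str], files: List[bytes]) -> List[bool]:
    """Per-object hash lookup, as a gateway or AV does on each file it sees in transit."""
    return [sha256(f) in blocklist for f in files]


def demo(first_len: int = 16) -> dict:
    payload = build_fake_payload()
    blocklist = {sha256(payload)}             # defender knows the assembled binary's hash
    frag1, frag2 = split_fragments(payload, first_len)
    rebuilt = copy_b(frag1, frag2)            # what the shortcut's copy /b produces on-host
    return {
        "frag1_len": len(frag1),
        "frag1_has_mz": frag1[:2] == b"MZ",
        "frag1_parses_as_pe": is_plausible_pe(frag1),   # too short: a sandbox cannot run it
        "frag2_parses_as_pe": is_plausible_pe(frag2),   # no MZ: looks like junk
        "fragments_blocked": hash_blocklist_check(blocklist, [frag1, frag2]),
        "rebuilt_blocked": sha256(rebuilt) in blocklist,
        "rebuilt_parses_as_pe": is_plausible_pe(rebuilt),
        "rebuilt_identical": rebuilt == payload,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both fragments pass the hash check and neither parses as a PE, while the rebuilt file is byte-identical to the original and matches the blocklist. The only place that match can happen is on the host after the copy /b runs, which is why the post's detection leans on command-line visibility (the copy event) and on what runs next (wscript, the scheduled task) rather than on anything a perimeter device sees.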

Article by Ben Tedesco, Carbon Black 
