Dashboard Global

ASERT Security Intelligence

Summary: This week brought additional coverage of the weaponization of CVE-2015-2545, a vulnerability in the Office EPS filter that threat actors exploit by embedding crafted EPS files inside Office documents, including a roundup of the exploitation activity seen to date. APT actors first used the bug as a 0day; since the patch, other threat actors, cybercriminals included, have picked it up. Reports of a targeted exploitation campaign against Middle East banks profiled the now-common tactic of macro-based malware dropping further malcode. In this case some of the malcode appears only to profile targets and send that information back to the threat actors, but the campaign also involved credential theft and data exfiltration over DNS. ASERT provides data enrichment and additional IOCs that augment the existing public reports.

A recent report on the compromise of the defense contractor RUAG, likely by Russian actors using the Turla malware family, gives deep insight into the TTPs of threat actors who patiently infiltrated the network and carried out a substantial compromise and data exfiltration. Incident responders and security analysts will find the detailed report valuable.

In other malware/DNS news, the Wekby threat actor group is now using DNS for C2. News reports of this are recent, but indicators suggest the tactic has been in use for close to a year, at least. ASERT provides data enrichment and additional IOCs that augment the existing public reports on Wekby as well.

On the availability front, DDoS attacks against the MetaTrader platform have taken a new twist: threat actors are extorting users of the platform rather than its operators, and unfortunately some users have paid the ransom. Proper defense is vital for any system where availability is crucial, and these trading platforms are a perfect example.

Ransomware remains a growing problem, with new activity such as the expected DMA Locker campaign. One victim paid a partial ransom and was then extorted for more; when they did not pay the second demand, they lost access to their files. The Locky ransomware was recently blasted out worldwide in a large spam run claiming to be from Amazon. Ransomware won't be going away any time soon, unfortunately.

Title: Middle East Banks Targeted with Malware
Severity Level: Normal Severity
Published: Thu, 26 May 2016 23:13:54 +0000
Security researchers have profiled malware delivered via spearphishing, likely to IT employees at banks in the Middle East [https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html]. The malware arrives as an Excel file with malicious macros; if the macro executes, the payload detonates. The payload downloads and executes further files, one of which was a customized version of the Mimikatz tool for obtaining passwords from a Windows system. Another observed payload was a batch file that profiles the system. A DNS channel is then created for data exfiltration.
Source: Middle East Banks Targeted with Malware

Title: CVE-2015-2545 Weaponized for Threat Actor Campaigns
Severity Level: Normal Severity
Published: Thu, 26 May 2016 23:13:54 +0000
The CVE-2015-2545 vulnerability, exploited by embedding a malicious EPS file inside a Microsoft Office document, was patched in September and November of 2015 but has recently become popular fare for threat actors running exploitation campaigns against governments and diplomatic organizations in India and around the world. Cybercriminal actors have also picked up the exploit and are using it as well. SecureList so far provides the best summary of the activity at https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats.
Source: CVE-2015-2545 Weaponized for Threat Actor Campaigns
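
A triage check a responder can run against suspicious attachments, added here as an example and not part of the SecureList or ASERT material: it opens an OOXML document (docx/xlsx/pptx are zip packages) and reports every sign of an embedded EPS, by part name, by the content type declared in [Content_Types].xml, and by the EPS magic bytes themselves so a part renamed to .png is still caught. The sample documents are constructed in the code; the image/x-eps content type for EPS parts is an assumption. Presence of EPS is only a triage signal: a benign document with EPS artwork trips it too, and legacy OLE2 .doc files are not zips and need a different parser.

```python
import io
import re
import zipfile

# Signatures an EPS carrier shows regardless of the part's file extension:
# the 4-byte DOS EPS binary header and the ASCII PostScript/EPSF comment header.
EPS_BINARY_MAGIC = b"\xc5\xd0\xd3\xc6"
EPS_ASCII_RE = re.compile(rb"%!PS-Adobe-\d\.\d\s+EPSF-\d\.\d")
# Content type assumed for EPS parts (image/x-eps), widened to any PostScript type.
CONTENT_TYPES_EPS_RE = re.compile(rb'ContentType="[^"]*(?:postscript|x-eps)[^"]*"', re.I)


def scan_ooxml_for_eps(data):
    """Return [(part_name, reason), ...] for every sign of an embedded EPS in
    an OOXML package. Legacy OLE2 .doc/.xls files are not zips and raise
    zipfile.BadZipFile; they need a different parser."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            blob = z.read(info)
            if name.lower().endswith(".eps"):
                findings.append((name, "part name has .eps extension"))
            if name == "[Content_Types].xml" and CONTENT_TYPES_EPS_RE.search(blob):
                findings.append((name, "content type declares PostScript/EPS"))
            # Magic-byte checks catch EPS renamed to .png/.emf or wrapped in an
            # oleObject part, which the name and content-type checks miss.
            if blob.startswith(EPS_BINARY_MAGIC):
                findings.append((name, "DOS EPS binary header"))
            if EPS_ASCII_RE.search(blob):
                findings.append((name, "ASCII EPS header"))
    return findings


def build_sample_docx(embed_eps=True, disguise=False, binary=False):
    """Constructed minimal docx-like package for exercising the scanner; it is
    not real Word output. disguise=True stores the EPS under a .png name with
    no content-type entry; binary=True wraps it in the 30-byte DOS EPS header."""
    eps_ascii = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\nshowpage\n"
    eps_body = EPS_BINARY_MAGIC + b"\x00" * 26 + eps_ascii if binary else eps_ascii
    part_name = "word/media/image1.png" if disguise else "word/media/image1.eps"
    types = [b'<Default Extension="xml" ContentType="application/xml"/>']
    if embed_eps and not disguise:
        types.append(b'<Default Extension="eps" ContentType="image/x-eps"/>')
    content_types = (
        b'<?xml version="1.0" encoding="UTF-8"?>'
        b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + b"".join(types) + b"</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml",
                   b'<w:document xmlns:w="http://schemas.openxmlformats.org/'
                   b'wordprocessingml/2006/main"><w:body/></w:document>')
        if embed_eps:
            z.writestr(part_name, eps_body)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in [("clean", build_sample_docx(embed_eps=False)),
                       ("eps", build_sample_docx()),
                       ("disguised", build_sample_docx(disguise=True)),
                       ("binary", build_sample_docx(binary=True))]:
        print(label, scan_ooxml_for_eps(doc))
```

Run it over a directory of quarantined attachments and forward anything with a finding to sandbox detonation; a document whose only EPS sign is the magic-byte hit on a non-.eps part name deserves a closer look than one that declares EPS openly.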

Title: Wekby Threat Actor Group Uses DNS for C2
Severity Level: Normal Severity
Published: Thu, 26 May 2016 23:13:54 +0000
Threat actor group "Wekby" is also known as APT18, TG-0416 and Dynamite Panda. The group has been tentatively attributed to the Chinese PLA Navy. It has a long history of activity dating to at least 2011, frequently uses 0day exploit code, and adopts leaked exploit code very quickly. Recent analysis indicates that Wekby is now using DNS for Command & Control (C2) [http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/].
Source: Wekby Threat Actor Group Uses DNS for C2
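
Both the bank campaign above (data exfiltration over DNS) and the Wekby activity (DNS as the C2 channel) leave the same trace in resolver logs: one parent domain receiving many unique, long, high-entropy subdomain labels, often with a heavy share of TXT queries. The following detector, an added example and not code from the FireEye or Unit 42 reports, scores each parent domain in a constructed query log on exactly those features. The log line format, the hypothetical-c2.example domain and the thresholds are assumptions; a production version would use the public-suffix list rather than the last two labels as the parent.

```python
import hashlib
import math
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed query-log lines in a hypothetical "<epoch> <client> <qname> <qtype>"
# format; they are not taken from either report.
BENIGN_LOG = """\
1464300001 10.0.0.15 www.example.com A
1464300002 10.0.0.15 mail.example.com MX
1464300003 10.0.0.22 www.example.com A
1464300004 10.0.0.15 update.vendor.example TXT
"""


def tunnel_log(n=24, client="10.0.0.31", parent="hypothetical-c2.example"):
    """Constructed stand-in for an encoded DNS channel: each query carries a
    data chunk as a 32-hex-char leftmost label, alternating TXT (downstream
    tasking) and A (upstream beacon) lookups to one hypothetical domain."""
    lines = []
    for i in range(n):
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        qtype = "TXT" if i % 2 == 0 else "A"
        lines.append(f"{1464300100 + i} {client} {label}.{parent} {qtype}")
    return "\n".join(lines)


LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+([A-Z]+)$")


def shannon_entropy(s):
    """Bits per character: 'www' is 0.0, random hex approaches 4.0."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class DomainStats:
    total: int = 0
    txt: int = 0
    subdomains: set = field(default_factory=set)
    entropies: list = field(default_factory=list)
    label_lengths: list = field(default_factory=list)


def analyze(lines):
    """Aggregate per parent domain. Parent = last two labels, a simplification
    (a real deployment should use the public-suffix list)."""
    stats = defaultdict(DomainStats)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the run
        qname, qtype = m.group(3).rstrip(".").lower(), m.group(4)
        labels = qname.split(".")
        if len(labels) < 2:
            continue
        st = stats[".".join(labels[-2:])]
        st.total += 1
        if qtype == "TXT":
            st.txt += 1
        if len(labels) > 2:
            st.subdomains.add(".".join(labels[:-2]))
            st.entropies.append(shannon_entropy(labels[0]))
            st.label_lengths.append(len(labels[0]))
    return stats


def _mean(xs):
    return sum(xs) / len(xs) if xs else 0.0


def suspicious_reasons(st, min_queries=8, min_unique=5, min_entropy=3.0, min_len=20):
    """Thresholds are assumptions; tune them against your own resolver baseline."""
    reasons = []
    if len(st.subdomains) >= min_unique and _mean(st.entropies) >= min_entropy:
        reasons.append("many-high-entropy-subdomains")
    if st.label_lengths and _mean(st.label_lengths) >= min_len:
        reasons.append("long-leftmost-labels")
    if st.total >= min_queries and st.txt / st.total >= 0.5:
        reasons.append("txt-heavy")
    return reasons


def find_suspicious(lines):
    """Map each flagged parent domain to the list of reasons it was flagged."""
    flagged = {}
    for domain, st in analyze(lines).items():
        reasons = suspicious_reasons(st)
        if reasons:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    log = BENIGN_LOG.splitlines() + tunnel_log().splitlines()
    for domain, reasons in find_suspicious(log).items():
        print(domain, reasons)
```

The three signals are deliberately independent: a channel that pads labels to a fixed low-entropy alphabet still trips the length and unique-subdomain checks, and one that uses only A records still trips the entropy check. Feed the function a full day of passive DNS or resolver logs rather than a short window, since a low-and-slow beacon spreads its unique labels over hours.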

Title: Defence Contractor Compromise by Russian Actors
Severity Level: Normal Severity
Published: Thu, 26 May 2016 23:13:54 +0000
A 2014 compromise of RUAG, followed by data exfiltration, by actors associated with the likely Russian Turla group has been analyzed in a report released by MELANI / GovCERT [https://www.melani.admin.ch/dam/melani/en/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf]. The tactics involved plenty of patience, and the report is helpful for any incident responder dealing with targeted attacks and lateral movement.
Source: Defence Contractor Compromise by Russian Actors


Alpha Testing the AlphaLeon HTTP Bot

ASERT was initially alerted about an emerging threat called AlphaLeon by Deep & Dark Web intelligence provider Flashpoint in August 2015. It caught and kept our interest because it sounded like it could be a new “banker” malware family. While it took some time to find samples of the malware in the wild, this post […]
Wed, 09 Mar 2016 15:21:37 +0000

Estimating the Revenue of a Russian DDoS Booter

At the end of 2014, ASERT presented research where we mapped some DDoS booter advertisements on Russian language forums to their behind-the-scenes DDoS botnet infrastructures. For this post, we will follow up on that research a bit by looking at another one of these mappings and trying to estimate the revenue generated by the DDoS […]
Wed, 02 Mar 2016 11:00:15 +0000

Dumping Core: Analytical Findings on Trojan.Corebot

Download the full report here. The Corebot banking trojan was initially discovered and documented last year by researchers at Security Intelligence. Since then, it has evolved rapidly and, in terms of capabilities such as browser-based web injections, it is now similar to the dominant banking malware such as Zeus, Neverquest, and Dyreza although its actual impact to date is […]
Wed, 10 Feb 2016 11:00:54 +0000

The Big Bong Theory: Conjectures on a Korean Banking Trojan

Download the full report here. ASERT has been analyzing samples of a banking trojan targeting South Korean financial institutions. We call the banker “Big Bong” and provide, in this threat intelligence report, an in-depth behavioral analysis of the malware from builder to bot and from installation to exfiltration including obfuscation techniques, certificate use, and VPN-based […]
Wed, 10 Feb 2016 11:00:16 +0000

Uncovering the Seven Pointed Dagger

The full report “Uncovering the Seven Pointed Dagger: Discovery of the Trochilus RAT and Other Targeted Threats” can be downloaded here. Threat actors with strategic interest in the affairs of other governments and civil society organizations have been launching targeted exploitation campaigns for years. Typically, these campaigns leverage spear phishing as the delivery vector and often […]
Mon, 11 Jan 2016 11:00:24 +0000



Top Attacks (past 24 hours)

Description | Attacks per subnet | Change from yesterday | CVE | Percentage
VNC network scanning activity | 219.32 | -97.0 % | | 53.1%
SSH brute-force login attempts | 61.47 | -62.7 % | | 14.9%
ntpdx overflow attempt | 38.84 | -54.3 % | CVE-2001-0414 | 9.4%
MYSQL brute-force login attempts | 27.37 | -59.6 % | | 6.6%
POLICY Outbound TFTP Read Request | 16.56 | -91.6 % | | 4.0%
Description | Attacks per subnet | Change from yesterday | CVE | Percentage
POLICY PE EXE or DLL Windows file download | 0.28 | +100.0 % | | 0.1%
ASN.1 constructed bit string | 0.28 | +100.0 % | CVE-2005-1935 | 0.1%
Microsoft Windows ASN.1 Library buffer overflow attempt | 0.28 | +100.0 % | CVE-2003-0818 | 0.1%

Top Scanned Services (past 24 hours)

Description | Traffic per subnet | Change from yesterday (+inf % = no traffic yesterday) | Latest CVE | Percentage
UDP/5060 (sip) | 569.52 kB | -70.3 % | CVE-2006-0189 | 14.6%
UDP/53413 | 199.67 kB | +68.0 % | | 5.1%
TCP/23 (telnet) | 183.11 kB | -61.8 % | CVE-2007-0956 | 4.7%
TCP/5900 | 70.46 kB | -97.3 % | CVE-2006-4309 | 1.8%
UDP/5052 (ita-manager) | 30.65 kB | +inf % | | 0.8%
Description | Traffic per subnet | Change from yesterday (+inf % = no traffic yesterday) | Latest CVE | Percentage
UDP/5052 (ita-manager) | 30.65 kB | +inf % | | 0.8%
UDP/123 (ntp) | 26.97 kB | +inf % | CVE-2001-0414 | 0.7%
UDP/6060 | 25.50 kB | +inf % | | 0.7%
UDP/5079 | 25.44 kB | +inf % | | 0.7%
UDP/1020 | 24.83 kB | +inf % | | 0.6%

Top Threat Sources (past 24 hours)

Country | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS
DE (Germany) | 1 | 2 | 1.40 MB | 1 | 565 | 54
CA (Canada) | 2 | 9 | 1.37 MB | 0 | 408 | 45
US (United States) | 3 | 62 | 382.17 kB | 3 | 4089 | 1199
CN (China) | 4 | 59 | 187.04 kB | 1 | 22 | 200
KR (South Korea) | 5 | 2 | 24.40 kB | 1 | 53 | 803
TW (Taiwan) | 6 | 138 | 59.71 kB | 0 | 56 | 110
RU (Russian Federation) | 7 | 13 | 59.92 kB | 0 | 196 | 19
GB (Great Britain) | 8 | 0 | 27.86 kB | 1 | 1080 | 29
AU (Australia) | 9 | 0 | 817.93 B | 0 | 700 | 165
NL (Netherlands) | 10 | 12 | 21.18 kB | 2 | 64 | 45
IN (India) | 11 | 1 | 6.52 kB | 0 | 52 | 264
RO (Romania) | 12 | 0 | 8.21 kB | 0 | 215 | 136
BR (Brazil) | 13 | 0 | 15.94 kB | 0 | 79 | 65
EU (European Union) | 14 | 3 | 14.03 kB | 0 | 200 | 4
FR (France) | 15 | 1 | 13.03 kB | 10 | 124 | 24
TR (Turkey) | 16 | 1 | 10.10 kB | 0 | 175 | 5
MY (Malaysia) | 17 | 0 | 609.14 B | 0 | 80 | 193
JP (Japan) | 18 | 13 | 10.82 kB | 1 | 19 | 48
CO (Colombia) | 19 | 0 | 13.45 kB | 1 | 0 | 0
IT (Italy) | 20 | 0 | 9.32 kB | 0 | 105 | 4
 
ASN | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS
AS6428 (CDM) | 1 | 0 | 1.35 MB | 0 | 0 | 0
AS6805 (TDDE-ASN1) | 2 | 0 | 1.25 MB | 0 | 0 | 6
AS20473 (AS-CHOOPA) | 3 | 0 | 118.73 kB | 0 | 20 | 8
AS30083 (SERVER4YOU) | 4 | 0 | 88.95 kB | 0 | 0 | 0
AS4134 (CHINANET-BACKBONE) | 5 | 14 | 76.11 kB | 1 | 0 | 66
AS24961 (MYLOC-AS) | 6 | 0 | 69.11 kB | 0 | 0 | 0
AS4837 (CHINA169-BACKBONE) | 7 | 35 | 52.22 kB | 0 | 0 | 13
AS53889 (MICFO) | 8 | 0 | 51.73 kB | 0 | 0 | 0
AS8342 (RTCOMM-AS) | 9 | 0 | 50.54 kB | 0 | 27 | 0
AS8972 (PLUSSERVER-AS) | 10 | 1 | 48.20 kB | 0 | 0 | 0
AS17716 (NTU-TW) | 11 | 136 | 41.66 kB | 0 | 0 | 0
AS26496 (AS-26496-GO-DADDY-COM-LLC) | 12 | 0 | 0 B | 0 | 992 | 6
AS6939 (HURRICANE) | 13 | 38 | 32.32 kB | 0 | 0 | 10
AS39572 (Unknown) | 14 | 0 | 0 B | 0 | 829 | 0
AS4766 (KIXS-AS-KR) | 15 | 1 | 13.17 kB | 0 | 0 | 213
AS36351 (SOFTLAYER) | 16 | 0 | 1.21 kB | 0 | 576 | 0
AS34289 (WEBART-AS) | 17 | 0 | 20.87 kB | 0 | 0 | 0
AS37963 (CNNIC-ALIBABA-CN-NET-AP) | 18 | 0 | 20.39 kB | 0 | 0 | 6
AS16578 (DATANOC) | 19 | 0 | 19.25 kB | 0 | 0 | 0
AS24446 (NETREGISTRY-AS-AP) | 20 | 0 | 0 B | 0 | 523 | 0