Security Now
Security is top-of-mind, especially right here where Juniper experts share their insights on the latest security trends and breakthroughs
Latest Articles
Effective Microsegmentation in VMware NSX deployments with Juniper SDSN

Data centers using Juniper Networks vSRX Virtual Firewall and Junos Space Security Director with Policy Enforcer in combination with VMware’s NSX platform can microsegment intra-data center traffic to effectively defend applications and systems against threat propagation in both north-south and east-west traffic.

Read more...

Juniper Employee
GDPR and the Information Lifecycle


I’m keen to change the perception that GDPR (General Data Protection Regulation) will act as a drag on organizations. I also want to avoid others falling into the trap of thinking the only inducement for an organization to comply is to avoid a fine. But before I attempt this, I’m going to briefly stray into another passion of mine; cars – just to make a point.

Read more...

Juniper Employee
Leverage the Entire Network for Lateral Threat Remediation

Today's dynamic business environment requires organizations to defend themselves against increasingly sophisticated cybersecurity attacks, using advanced threat intelligence and enforcement capabilities. That demands a comprehensive security platform that ties together and coordinates various threat analytics platforms, as well as a simpler policy mechanism. Most important, you must be able to leverage the entire network, not just the perimeter, as a threat detection and enforcement tool.

Read more...

Juniper Employee
So many things, so little security

As the "Internet of Things (IoT)" phenomenon is catching on in a big way, I wanted to quickly capture the state of affairs of IoT in the context of security and how different Juniper technologies can help provide security to IoT infrastructure as well as protect other enterprise infrastructure from IoT devices.

Read more...

Juniper Employee
A look into LokiBot infostealer

Introduction

We recently detected a LokiBot sample that was delivered as an email attachment to one of our customers in the healthcare vertical. Below is the technical analysis of the sample.

 

LokiBot is an infostealer known to steal various kinds of data, such as FTP credentials, email client passwords and passwords stored in browsers. It is distributed through phishing emails and is known to exfiltrate the stolen data using HTTP POST requests.

 

Indicators of Compromise

  • ISO file:
    • MD5: 17c9e6f0df7557962d6bc90a891693d9
    • SHA1: 2ee42a051823b4e1bc0ed643c0b15843cce7c056
  • Executable (filename: Proforma Invoice pdf.exe):
    • MD5: 66837f4f5ee989a119eb7dcd8c5425b3
    • SHA1: 76a5919be86a7035fa6766d01a26094c49a30078
  • Unpacked payload:
    • MD5: 9335ce514bbdd9d146f30970569be44f
    • SHA1: 06aacbc54f93afcf29e3ee7966e236d7d9b98e60
  • A .hdb file created under the AppData folder
  • Connections to URLs that end with fre.php

Technical Analysis

The file is packed with a packer compiled in Visual Basic, which usually makes reversing harder.

Additionally, this sample uses anti-debugging techniques and RunPE (process hollowing), which make it harder to reverse engineer.

 

The obfuscated code is written into a freshly allocated memory region by pushing it onto the stack and popping it back, and is then XOR-decrypted in place:

1.png

Fig: Obfuscated code in the file

 

The obfuscated code is copied to memory using a sequence of push and pop instructions generated in reverse order. The content can be decrypted with the 32-bit XOR key 0x5BD09268.

2.png

Fig: Decryption loop
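To make the decryption step concrete, here is an added Python example (not code from the original post and not bytes from the sample) that models it: a buffer is XORed dword by dword with the key 0x5BD09268, the push sequence that builds the buffer in reverse order is reproduced and undone, and, for cases where the key is not visible in the loop, the key is recovered from four bytes of known plaintext. The plaintext stub and the function names are constructed for illustration.

```python
import struct

# XOR key reported in the analysis above.
XOR_KEY = 0x5BD09268

# Constructed stage-2 stub used as sample plaintext (not bytes from the sample):
# push ebp / mov ebp,esp / sub esp,0x10 / xor eax,eax / leave / ret, padded
# with int3 (0xCC) to a dword boundary.
SAMPLE_PLAINTEXT = bytes.fromhex("558bec83ec1033c0c9c3cccc")


def xor_dwords(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR `data` with a repeating 32-bit little-endian key, dword by dword.

    XOR is its own inverse, so one function both encrypts and decrypts. A
    trailing partial dword is XORed with the low-order bytes of the key.
    """
    key_bytes = struct.pack("<I", key)
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def rebuild_from_pushes(immediates) -> bytes:
    """Reassemble the buffer that a run of `push imm32` instructions leaves on the stack.

    Each push stores its immediate at a lower address than the previous one, so
    the first value pushed ends up highest in memory. Reversing the push order
    and concatenating the little-endian immediates gives the buffer as it lies
    in memory, which is why the packer emits the pushes "in reverse order".
    """
    return b"".join(struct.pack("<I", imm) for imm in reversed(immediates))


def emit_pushes(buffer: bytes):
    """Split a dword-aligned buffer into the push immediates a packer would emit.

    The last dword is pushed first so the stack ends up in address order.
    """
    if len(buffer) % 4:
        raise ValueError("buffer must be dword aligned")
    dwords = struct.unpack("<%dI" % (len(buffer) // 4), buffer)
    return list(reversed(dwords))


def recover_key(encrypted: bytes, known_prefix: bytes) -> int:
    """Recover a 32-bit XOR key from four bytes of known plaintext.

    Handy when the key is not obvious from the loop: decrypted code usually
    begins with something predictable, such as a function prologue.
    """
    if len(encrypted) < 4 or len(known_prefix) < 4:
        raise ValueError("need at least four bytes of ciphertext and known plaintext")
    pairs = zip(encrypted[:4], known_prefix[:4])
    return struct.unpack("<I", bytes(c ^ p for c, p in pairs))[0]


def demo():
    """Round trip: encrypt, model the push sequence, rebuild, recover the key, decrypt."""
    encrypted = xor_dwords(SAMPLE_PLAINTEXT)
    pushes = emit_pushes(encrypted)
    rebuilt = rebuild_from_pushes(pushes)
    # Known plaintext: the standard 'push ebp; mov ebp,esp; sub esp,...' prologue.
    key = recover_key(rebuilt, b"\x55\x8b\xec\x83")
    return xor_dwords(rebuilt, key), key


if __name__ == "__main__":
    plain, key = demo()
    print("recovered key 0x%08X, decrypted %s" % (key, plain.hex()))
```

When applying this to a real dump, take the push immediates straight from the disassembly of the stack-building sequence and feed them to `rebuild_from_pushes`; if the XOR loop uses a register-rotated or incrementing key rather than a constant, the dword-wise recovery only gives you the first key value and the loop itself has to be modelled.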

 

Anti-debugging

The malware then jumps to the decrypted code, which begins with anti-debugging checks. If a debugger is present, it jumps to code that raises an exception.

3.png

Fig: Checks the BeingDebugged flag in the PEB

 

Sandbox detection code:

The malware detects a sandbox by saving the current cursor position (GetCursorPos), sleeping for one second, and then comparing the cursor position with the saved one. If the cursor has not moved, the malware raises an exception.

4.png

Fig: Sandbox detection

 

Other anti-debug checks

5.png

Fig: Checks for NtGlobalFlag in PEB for debugger detection
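The two PEB checks above (BeingDebugged at offset 2, NtGlobalFlag at offset 0x68) and the cursor-position sandbox check leave recognisable traces in an unpacked 32-bit image. The following added Python scanner (not code from the original post) looks for the usual byte encodings of those idioms, reports a PEB load only when a field read follows it closely, and lists the imports the cursor check needs. The byte patterns, the correlation window and the sample image are assumptions made for illustration, not bytes taken from the sample.

```python
import re

# 32-bit x86 encodings of the idioms behind the two PEB checks described above.
# These are the common encodings, given here as an assumption; the screenshots
# above may show different register choices.
SIGNATURES = {
    "peb_access": bytes.fromhex("64a130000000"),   # mov eax, fs:[0x30]
    "being_debugged": bytes.fromhex("0fb64002"),   # movzx eax, byte ptr [eax+2]
    "nt_global_flag": bytes.fromhex("8b4068"),     # mov eax, [eax+0x68]
    "heap_flags_mask": bytes.fromhex("a870"),      # test al, 0x70
}

# FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS,
# the NtGlobalFlag bits a debugger-created process gets by default.
HEAP_DEBUG_FLAGS = 0x10 | 0x20 | 0x40  # == 0x70

# Import names the cursor-position sandbox check depends on.
API_HINTS = [b"GetCursorPos", b"Sleep", b"IsDebuggerPresent"]

# A field read must follow the PEB load within this many bytes to count as one check.
WINDOW = 16


def find_all(haystack: bytes, needle: bytes):
    """Offsets of every occurrence of needle in haystack."""
    return [m.start() for m in re.finditer(re.escape(needle), haystack)]


def scan(image: bytes):
    """Return {signature_name: [offsets]} for every pattern present in image."""
    return {name: find_all(image, pat) for name, pat in SIGNATURES.items()}


def correlate(hits):
    """Pair each PEB load with a BeingDebugged/NtGlobalFlag read that follows it.

    A lone 'mov eax,[eax+0x68]' is just a struct field read; only the
    PEB-load -> field-read sequence is reported, which keeps false positives down.
    Returns a list of (check_name, offset_of_peb_load).
    """
    findings = []
    for base in hits.get("peb_access", []):
        for field in ("being_debugged", "nt_global_flag"):
            for off in hits.get(field, []):
                if base < off <= base + WINDOW:
                    findings.append((field, base))
    return findings


def api_hints(image: bytes):
    """Import/API names present as plain ASCII (adequate for an unpacked image)."""
    return [name.decode() for name in API_HINTS if name in image]


# Constructed test image (not bytes from the sample): both PEB checks, each
# followed by a conditional jump to an exception path, then a fake import table.
SAMPLE_IMAGE = bytes.fromhex(
    "64a130000000"  # mov eax, fs:[0x30]
    "0fb64002"      # movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    "85c0"          # test eax, eax
    "7502"          # jnz  raise_exception
    "33c0"          # xor eax, eax
    "64a130000000"  # mov eax, fs:[0x30]
    "8b4068"        # mov eax, [eax+0x68]           ; PEB.NtGlobalFlag
    "a870"          # test al, 0x70
    "7502"          # jnz  raise_exception
    "c3"            # ret
) + b"KERNEL32.dll\0Sleep\0USER32.dll\0GetCursorPos\0"


def report(image: bytes):
    """Combine the structural hits and the API hints into one verdict."""
    hits = scan(image)
    return {"checks": correlate(hits), "apis": api_hints(image)}


if __name__ == "__main__":
    print(report(SAMPLE_IMAGE))
```

The scanner only sees plaintext code, so run it on the unpacked or dumped image, not on the packed file. It is deliberately narrow: the PEB can be loaded into other registers (`64 8B 0D 30 00 00 00` for ecx, for instance), 64-bit code reads gs:[0x60] with NtGlobalFlag at offset 0xBC, and `test al, 0x70` is only one of several ways to mask the heap flags, so treat a miss as inconclusive and a hit as a pointer to where to look in the disassembler.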

 

When satisfied that it is not being monitored, the malware uses process hollowing (RunPE) to inject the payload into a newly created, suspended instance of its own executable.

 

Unpacked sample:

After unpacking, many plaintext strings become visible in the malware. They look similar to the strings observed in other LokiBot samples.

 

The malware checks for the configuration and settings files of various FTP clients, browsers and email clients, hoping to steal the credentials stored in them.

6.png

Fig: Reads the config files of various applications in a loop

 

7.png

Fig: Config files of various applications

 

8.png

Fig:List of FTP files

 

9.png

Fig: Malware reads config files of Secure FTP Expert

  

A .hdb file is created in the AppData folder, which indicates the presence of LokiBot. This file appears to be a database used by the malware, and its presence can be used as an IOC for LokiBot.

 

10.png

LokiBot is known to compress the stolen data before sending it to the C&C server, and it exfiltrates it using an HTTP POST request.

11.png

Fig: LokiBot sends data to the C&C server

 

C&C:

The sample connects to the following URL and sends the stolen data:

http://newpanelme.info/042/fre[.]php

These C&C URLs usually end with fre.php.

Here are a few more URLs used for the same purpose, reported by other security vendors:

  • southeasterncontractingco.com/AM/G00gle/fre[.]php
  • axpired.xyz/013/fre[.]php
  • 154.16.49.153/loved/know/fre[.]php
  • toopolex.com/controllers/user/fre[.]php
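Turning the network and host IOCs above into something a SOC can run, here is an added Python example (not code from the original post). It classifies proxy log lines by whether the destination host is one of the C&C hosts listed above (refanged so they match real logs) or the request path ends in fre.php, with POST treated as the documented exfiltration pattern, and it checks file paths for the .hdb artifact under AppData. The log format, the log lines and the file paths are constructed for the example.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Hosts taken from the C&C URLs listed above, with the [.] defanging removed.
KNOWN_C2_HOSTS = {
    "newpanelme.info",
    "southeasterncontractingco.com",
    "axpired.xyz",
    "154.16.49.153",
    "toopolex.com",
}

# Constructed proxy log (not from the incident): timestamp client method url status
SAMPLE_LOG = """\
2017-11-08T10:01:02Z 10.0.0.5 POST http://newpanelme.info/042/fre.php 200
2017-11-08T10:01:05Z 10.0.0.5 GET http://example.com/index.html 200
2017-11-08T10:02:11Z 10.0.0.7 POST http://154.16.49.153/loved/know/fre.php 404
2017-11-08T10:02:30Z 10.0.0.9 GET http://example.org/fre.php 200
2017-11-08T10:03:00Z 10.0.0.5 POST http://example.net/upload/free.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|HEAD) (\S+) (\d{3})$")


def classify_request(method: str, url: str):
    """Return a label for one request, or None if it matches nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    last_segment = parts.path.rsplit("/", 1)[-1].lower()
    if host in KNOWN_C2_HOSTS:
        return "known_c2"
    if last_segment == "fre.php":
        # The write-up documents exfiltration as HTTP POST; a GET to the same
        # path is worth a look but is not the documented pattern.
        return "fre_php_post" if method == "POST" else "fre_php_other"
    return None


def scan_log(text: str):
    """Return (timestamp, client, label, url) for every matching log line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        ts, client, method, url, _status = m.groups()
        label = classify_request(method, url)
        if label:
            findings.append((ts, client, label, url))
    return findings


def is_hdb_artifact(path: str) -> bool:
    """True for a .hdb file anywhere under a user's AppData tree (the host IOC above)."""
    p = PureWindowsPath(path)
    return p.suffix.lower() == ".hdb" and any(part.lower() == "appdata" for part in p.parts)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    # Constructed path, not the sample's actual file name.
    print(is_hdb_artifact(r"C:\Users\bob\AppData\Roaming\sample.hdb"))
```

The known-host match is the only high-confidence rule here: fre.php is a short enough filename that the path rule should be reviewed rather than auto-blocked, and the C&C host list will go stale, so treat it as a seed for your own feed rather than a complete one.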

Detection

Both Juniper Sky ATP and the Cyphort (now a Juniper company) on-premises solution detect this threat, as seen in the screenshots below:

12.png

13.png

cyphort.png

amohanta
Data - Valuable Asset or Business Risk?


Commerce is built on the concept of the value chain. The notion that you can take something of relatively little worth and, through various processes, increase its value is fundamental to a sustainable global economy. And, in the early part of the 21st century, it is “data” that gives rise to perhaps the most significant contemporary value chain of all.

Read more...

Juniper Employee