Threat Research
Stay on top of the latest threat research, information on in-the-wild cyber attacks and cyber operations from Juniper Threat Labs.
Latest Articles
HoneyProcs : Going Beyond Honeyfiles for Deception on Endpoints

Deploying detection solutions on an endpoint host comes with constraints - limited availability of CPU, memory, disk and other resources, stability constraints, policy adherence and restrictions, the need to be non-intrusive to the user, the host OS and other applications on the host.

Virobot Ransomware

Juniper Threat Labs has been monitoring the activity of a botnet, now referred to as ViroBot by Trend Micro in their blog, and would like to share additional information that provides insight into the TTPs (tactics, techniques and procedures) of the threat actor. During our investigation, we also found a Unix keylogger related to this threat actor. The keylogger is a 64-bit ELF binary and, at the time of this writing, has zero detections on VirusTotal. This blog shares technical aspects of both the Windows and Unix malware.

Kronos - The Banking Chronicle

The Kronos banking malware family was first known to be sold on the underground market in 2014. It surfaced again in mid-2017 after being dormant for some time. Then, in April 2018, we saw a resurgence of Kronos in a new avatar, Osiris. Some security vendors reported its presence in September 2018.

IOCs

MD5: F085395253A40CE8CA077228C2322010
SHA1: 0B2A845E4EAF1505634B6E3BD40D47E94FD630FE

Kronos Attack Vectors:

Kronos is known to be distributed via various attack vectors; some versions spread through malvertising. Others spread through phishing emails carrying document attachments whose macros download the malware. Some of the attachments are also known to exploit the Microsoft Word vulnerability CVE-2017-11882.

Packer Evolution:

The initial versions of Kronos were known to use the well-known process hollowing technique, which malware frequently uses to impersonate legitimate processes: the malware launches a legitimate process and replaces its code at runtime with a malicious payload. The latest version seems to use a new technique very similar to Process Doppelgänging, already analysed in this Malwarebytes blog. The concept was described at Black Hat 2017.

Technical Description of the Payload:

The malware creates a copy of itself in the app data folder and maintains persistence by creating a Run entry in the registry under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

It uses a technique called web injects. A web inject is a man-in-the-browser attack, a technique by which malware manipulates the web page inside the browser and displays a custom version of it. As an example, if a banking website's login page asks for a username and password, the malware can modify the page on the client side to add a field for the ATM PIN. The end user is thus fooled into thinking that the original bank site is asking for their ATM PIN. This kind of attack is effective against sites using SSL encryption too, unlike man-in-the-middle attacks, which only work on unencrypted traffic (unless a malicious certificate is inserted into the browser and accepted by the user). Kronos web injects are very similar to those of the infamous Zeus family.

The trojan is modularized and uses a configuration file, which makes it easier to update the malware.

[Figure: the malware uses a config file with the extension .cfg]

The configuration file is very similar to that of Zeus. It contains the specifications of the web injects: which modifications (HTML code injections) need to be made to the web page of a given banking website on the victim's machine. A Zeus-style configuration file usually contains strings such as set_url, data_before, data_after, data_inject and data_end. These strings mark fields in the configuration file, and the fields tell the malware where and what to inject.

[Figure: strings related to the Zeus-style config file]

  • set_url specifies the target URL
  • data_before and data_after indicate the location in the web page where the malicious code is injected
  • data_inject and data_end enclose the content that needs to be injected
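The following Python script is an added example, not code from the Juniper post or from any Kronos or Zeus sample. It parses a configuration written in the Zeus-style layout described above, so an analyst can list which URLs a given config targets and what each inject contains. The keywords set_url, data_before, data_after, data_inject and data_end are the ones named above; the sample config, the flag letters after each URL, and the use of ";" for comment lines are constructed assumptions about the layout, and a real Kronos config may differ in detail.

```python
"""Parser for a Zeus-style web-inject configuration (added example).

Assumptions (not taken from the post): the text is plain, one keyword per
line; a 'set_url' line carries a wildcard URL pattern and optional flag
letters; each data_* block runs until a 'data_end' line; lines starting
with ';' are comments.  The sample config at the bottom is constructed.
"""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlsplit


@dataclass
class WebInject:
    url_pattern: str            # wildcard pattern matched against the page URL
    flags: str = ""             # optional flag letters that follow the URL
    data_before: str = ""       # page content after which the injection goes
    data_after: str = ""        # page content before which the injection ends
    data_inject: str = ""       # HTML that the malware inserts into the page

    def matches(self, url: str) -> bool:
        """True when this inject would fire for the given page URL."""
        return fnmatch.fnmatchcase(url, self.url_pattern)


_BLOCK_KEYS = ("data_before", "data_after", "data_inject")


def parse_webinjects(text: str) -> List[WebInject]:
    """Parse a config blob into one WebInject per set_url entry."""
    injects: List[WebInject] = []
    current: Optional[WebInject] = None
    block: Optional[str] = None      # name of the data_* block being collected
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                 # inside a data_* ... data_end block
            if line == "data_end":
                setattr(current, block, "\n".join(buf).strip())
                block, buf = None, []
            else:
                buf.append(raw.rstrip())
            continue
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("set_url"):
            parts = line.split(None, 2)
            if len(parts) < 2:
                raise ValueError(f"set_url without a URL: {line!r}")
            current = WebInject(url_pattern=parts[1],
                                flags=parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif line in _BLOCK_KEYS:
            if current is None:
                raise ValueError(f"{line} appears before any set_url")
            block = line
        else:
            raise ValueError(f"unexpected token: {line!r}")
    if block is not None:
        raise ValueError(f"unterminated {block} block")
    return injects


def targeted_hosts(injects: List[WebInject]) -> Set[str]:
    """Hosts named by the set_url patterns: a quick list of who is being targeted."""
    return {urlsplit(i.url_pattern).hostname or i.url_pattern for i in injects}


# Constructed sample in the described layout; not a real Kronos config.
SAMPLE_CONFIG = """
; constructed sample
set_url https://online.examplebank.test/login* GP
data_before
<input type="password"*</div>
data_end
data_inject
<div><label>ATM PIN</label><input type="text" name="atm_pin"></div>
data_end
data_after
</form>
data_end

set_url https://www.examplesocial.test/* G
data_before
<body*>
data_end
data_inject
<script src="https://cnc.invalid/inj.js"></script>
data_end
data_after

data_end
"""

if __name__ == "__main__":
    for inj in parse_webinjects(SAMPLE_CONFIG):
        print(inj.url_pattern, inj.flags, repr(inj.data_inject))
    print(sorted(targeted_hosts(parse_webinjects(SAMPLE_CONFIG))))
```

The parser is strict on purpose: an unknown keyword or an unterminated block raises, which is what you want when deciding whether a recovered blob really is a config of this family rather than unrelated data.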

 

Some versions of Kronos are also known to steal from and inject code into social networking sites.

Unpacked versions of Kronos can be identified easily, as they contain the “Kronos” string.

[Figure: "Kronos" string in the unpacked sample]

The latest versions are known to use the TOR network and also have VNC modules.

Detection

Both Juniper Sky ATP and Juniper ATP Appliance on-prem solutions detect this threat, as seen in the screenshots below. Keeping security solutions up-to-date keeps the customer protected against this type of threat, as well as others.

[Screenshot: cyphort.png]

[Screenshot: juniper.png]

New Worm Leverages Open Source Tools and GitHub to Build its Botnet

On September 19, 2018, Juniper Threat Labs discovered a new wave of attacks from a cryptominer worm targeting Linux servers, home networking devices, and IOT devices. These attacks were bundled with a number of exploits to spread rapidly and widely. The attack has three parts: infection, mining, and spreading.

Mirai variant has Android devices in its crosshair

When the master learns from the student: following on Satori’s use of the misconfigured Android phones with a debug port enabled in shipping units, Juniper Threat Labs has identified a Mirai variant active in the wild, which for the first time is targeting the same channel to compromise misconfigured Android devices.

The Gozi Sleeper Cell

Co-Authors: Anoop Saldanha and Paul Kimayong

Gozi, also known as Ursnif, is a well-known banking malware. Many variants of the malware family were identified in different attacks after its source code was leaked some time ago. Various instances of Gozi are still active: criminals have modified the code and distributed it around the web. The sample described here was seen on one of our customer premises. Here is the hash of the sample.

IOCs

MD5: 8e29fa5f88ea28e36893f0b82b4d75e3
SHA1: 220c38a509a2f0e62b279ad4f140e0aed79f2816

Attack Vector

Gozi is known to spread through spam emails with JavaScript attachments or Microsoft Office documents. Cisco Talos has referred to the spam campaigns in their blog: https://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html

The recent Gozi malware we discovered is downloaded by malicious Office files. These Office files are sent as attachments to spam, such as the example below:

[Figure: spam email]

The Office document contains malicious macros and, when they are enabled, it executes a PowerShell script to download the Ursnif binary.

[Figure: JavaScript attachment]

In the past, Gozi also arrived via exploit kits.

Installation

When executed, Gozi drops a copy of itself as %APPDATA%\{random}\(unknown).exe

In our sample, it drops as:

%APPDATA%\{random}\cicsapi.exe

Please note that the filename (cicsapi.exe) may vary per variant of Ursnif.

It also creates an autostart entry:

[Figure: autostart entry]

Gozi’s main module is a DLL that is injected into explorer.exe.

After successfully injecting into explorer.exe, the initial executable, cicsapi.exe, terminates. Variants may exhibit slightly different behavior.

Technical Details

Gozi tries to evade analysis by manually “zeroing” out the PE header in memory. This makes investigation more challenging, because most memory analysis tools check the PE header when inspecting a memory region.

[Figure: zeroed PE header]

Gozi itself has many anti-sandbox tricks, but this sample also has a trick embedded in the covering packer layer: a sleep mechanism that is implemented not by calling the Windows Sleep() API directly, but by calling WaitForSingleObject() with an invalid handle. This is done to avoid sandbox detection.

[Figure: WaitForSingleObject() sleep]

The malware uses multi-level encryption. It unpacks by overwriting itself, and upon unpacking you can see a number of strings specific to the Gozi family.

Here is the unpacked file for the studied sample:

MD5: c6a85b251c197cbe25603468c8df9392
SHA1: 05afa48a229314b9cc3f785499799403e4f3076c

Here is a screenshot of the strings present in the unpacked file:

[Figure: first-level unpacked strings]

Gozi creates a mailslot with the name “mailslot\ms10”, which is visible in the memory strings. Mailslots are meant for interprocess communication, but Gozi tweaks their usage to make debugging harder. Most of the time, malware decrypts code into a memory buffer; here it writes the decrypted code to a mailslot instead. Standard debugging tools do not provide a direct mechanism to look at what is written to a mailslot.

The malware creates the mailslot using the CreateMailslot API from one thread. In another thread, it obtains a handle to the mailslot by calling the CreateFile API with the mailslot name as a parameter. It then writes the decoded buffer to the mailslot.

[Figure: mailslot created]

[Figure: write to mailslot]

To see what is written into the mailslot, a reverser can change the file name passed to CreateFile from the mailslot name to “C:\out”. Be sure to create a file with that name manually, since the creation disposition passed to CreateFile is OPEN_EXISTING.

[Figure: mailslot name in CreateFile replaced with a file name]

The WriteFile API then writes the decoded content into the file “C:\out”, where one can easily view it. We see that a partially decrypted DLL is written to the file. Looking at the strings, the DLL name appears to be crm.dll.

[Figure: crm.dll in memory]

Hash for crm.dll

MD5: 5afedfdd57b7ea0c03977a10f64fd2f4
SHA1: 532ad626191e905010a0c00f3878927bcdfa0173

crm.dll is responsible for further unpacking the payload into memory, but it is not the final payload: it loads the actual Gozi payload in turn. The sample has various well-known anti-sandbox features such as sleep delays, but our deep memory inspection feature allows us to identify the payload even when the sample refuses to execute completely. We can identify many strings in memory that closely resemble the leaked source code.

[Figure: memory block showing URL]

Below is a snapshot of one of the memory regions in the malware. If we search for the URL, we find a number of GitHub forks.

[Figure: memory block showing URL]

The sample has additional interesting memory strings that show the pattern of CnC communication.

[Figure: CnC pattern in memory]

The sample connects to its C2 server:

  • Qf1q48wdq1dd[.]net

It communicates with its C2 server via SSL.

[Figure: CnC communication via SSL]

There are other strings, e.g. PR_Read, that indicate that the malware tries to install a hook into browsers such as Firefox in order to steal data.

[Figure: strings indicating the Firefox hook]

These patterns can be used in intrusion detection signatures and YARA rules to identify the malware. The malware hooks the WSARecv and WSASend APIs in order to intercept network communications.
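The following Python script is an added example, not code from Juniper Threat Labs or from the sample. It applies two of the observations above to dumped memory regions: it flags a region whose PE header has been zeroed yet still carries section names and import strings, the situation described under Technical Details, and it reports the family strings named in this post (mailslot\ms10, PR_Read, WSARecv, WSASend, crm.dll). The region contents are constructed byte strings, and the list of header-independent PE artefacts is my assumption about what survives in a mapped image.

```python
"""Memory-region triage for the Gozi artefacts described in this post (added example).

Two checks over a dumped memory region:
  1. a region whose DOS/NT headers are zeroed (no MZ/PE signatures) but which
     still carries section names and import strings, which is what the
     zeroed-PE-header trick leaves behind;
  2. family strings the post names (mailslot\\ms10, PR_Read, WSARecv, WSASend,
     crm.dll).
The regions in SAMPLE_REGIONS are constructed byte strings, not real dumps.
"""
from typing import Dict, List

# Strings the post associates with this Gozi sample.
GOZI_STRINGS = [b"mailslot\\ms10", b"PR_Read", b"WSARecv", b"WSASend", b"crm.dll"]
# Artefacts that remain in a mapped PE image even when its headers are zeroed
# (assumed list, not from the post).
PE_RESIDUE = [b".text", b".rdata", b".data", b".reloc",
              b"kernel32.dll", b"ntdll.dll", b"GetProcAddress", b"LoadLibraryA"]


def has_pe_signature(region: bytes) -> bool:
    """True when the region starts with an MZ header whose e_lfanew points at PE\\0\\0."""
    if len(region) < 0x40 or region[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(region[0x3C:0x40], "little")
    return region[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def header_looks_zeroed(region: bytes, header_len: int = 0x40) -> bool:
    """True when the DOS header area is all zero bytes."""
    return len(region) >= header_len and region[:header_len] == b"\0" * header_len


def pe_residue(region: bytes) -> List[str]:
    return [s.decode() for s in PE_RESIDUE if s in region]


def family_strings(region: bytes) -> List[str]:
    return [s.decode() for s in GOZI_STRINGS if s in region]


def triage_region(region: bytes) -> Dict[str, object]:
    """Classify one region. Verdicts: clean, pe_image (normal module),
    headerless_pe (zeroed header but still PE-like: inspect by hand),
    gozi_indicators (family strings present)."""
    residue = pe_residue(region)
    fam = family_strings(region)
    if fam:
        verdict = "gozi_indicators"
    elif has_pe_signature(region):
        verdict = "pe_image"
    elif header_looks_zeroed(region) and len(residue) >= 2:
        verdict = "headerless_pe"
    else:
        verdict = "clean"
    return {
        "has_pe_signature": has_pe_signature(region),
        "header_zeroed": header_looks_zeroed(region),
        "pe_residue": residue,
        "family_strings": fam,
        "verdict": verdict,
    }


def _pe_like(zero_header: bool) -> bytes:
    """Build a constructed 'image': 0x100-byte header area followed by PE-ish strings."""
    hdr = bytearray(0x100)
    if not zero_header:
        hdr[0:2] = b"MZ"
        hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> 0x80
        hdr[0x80:0x84] = b"PE\0\0"
    body = b".text\0\0\0.rdata\0\0kernel32.dll\0GetProcAddress\0"
    return bytes(hdr) + body


# Constructed regions for demonstration.
SAMPLE_REGIONS = {
    "legit_module": _pe_like(zero_header=False),
    "zeroed_header_only": _pe_like(zero_header=True),
    "gozi_like": _pe_like(zero_header=True)
                 + b"mailslot\\ms10\0PR_Read\0WSARecv\0WSASend\0crm.dll\0",
    "heap_noise": b"\0" * 0x40 + b"hello world " * 8,
}

if __name__ == "__main__":
    for name, region in SAMPLE_REGIONS.items():
        print(f"{name:20s} {triage_region(region)['verdict']}")
```

The "headerless_pe" verdict is the useful one for this sample: a tool that only trusts MZ/PE signatures will skip exactly the region Gozi wants it to skip, so requiring two or more header-independent artefacts gives a cheap second opinion before manual inspection.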

 

In addition, the malware has the following capabilities:

  • Cookie theft
  • Email credential theft
  • Logging of browsing activity
  • Keylogging

 

The stolen data is stored in the %temp% folder as a .bin file whose name is four random hexadecimal characters, e.g. 676A.bin. It uses the mscab.exe tool to archive the stolen data and sends the archive to its C2 server.
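As an added example, not Juniper Threat Labs code, the Python script below sweeps a temp directory for the staging artefact just described: files named with four hexadecimal characters and a .bin extension. Because the post says the data is archived with mscab.exe, the script also checks for the Microsoft cabinet signature MSCF at the start of each candidate; using that signature to rank findings is my assumption, and the sample files it builds for the demo are constructed.

```python
"""Sweep for the staging artefact described above (added example, not Juniper code).

Looks for files in the temp directory named <4 hex chars>.bin and checks
whether they start with the Microsoft cabinet signature "MSCF".  The
signature check is an assumption drawn from the post's statement that the
data is archived with mscab.exe.  The files created by
build_sample_temp_dir() are constructed for the demo.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List

STAGED_NAME = re.compile(r"^[0-9A-Fa-f]{4}\.bin$")
CAB_MAGIC = b"MSCF"


@dataclass
class Finding:
    path: str
    size: int
    is_cab: bool            # file starts with the MSCF signature

    @property
    def confidence(self) -> str:
        # the name pattern alone is weak; name pattern plus cabinet magic is strong
        return "high" if self.is_cab else "low"


def matches_staging_name(name: str) -> bool:
    """True for names like 676A.bin; rejects 12345.bin, ZZZZ.bin, 676A.bin.txt."""
    return bool(STAGED_NAME.match(name))


def scan_temp(directory: str) -> List[Finding]:
    """Return every candidate staging file in `directory`, sorted by path."""
    findings: List[Finding] = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file() or not matches_staging_name(entry.name):
                continue
            with open(entry.path, "rb") as fh:
                magic = fh.read(len(CAB_MAGIC))
            findings.append(Finding(entry.path, entry.stat().st_size, magic == CAB_MAGIC))
    return sorted(findings, key=lambda f: f.path)


def finding_names(findings: List[Finding]) -> List[str]:
    """Base names of the findings, handy for reports and tests."""
    return [os.path.basename(f.path) for f in findings]


def default_temp_dir() -> str:
    """%TEMP% on Windows; tempfile.gettempdir() honours TEMP/TMP and falls back elsewhere."""
    return os.environ.get("TEMP") or tempfile.gettempdir()


def build_sample_temp_dir() -> str:
    """Create a throwaway directory with constructed files (one true positive,
    one name-only match, and two non-matches) and return its path."""
    d = tempfile.mkdtemp(prefix="gozi_demo_")
    samples = {
        "676A.bin": CAB_MAGIC + b"\0" * 32,   # name + magic: high confidence
        "abcd.bin": b"not a cabinet",         # name only: low confidence
        "ZZZZ.bin": CAB_MAGIC,                # not hexadecimal: ignored
        "12345.bin": CAB_MAGIC,               # five characters: ignored
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    for f in scan_temp(default_temp_dir()):
        print(f"{f.confidence:>4}  {f.size:>8}  {f.path}")
```

Run it against the real temp directory on a host under investigation; a "high" finding is worth pulling for analysis, while "low" findings are likely other software's scratch files and only matter together with the other artefacts in this post (the cicsapi.exe drop, the autostart entry, the explorer.exe injection).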

 

[Figure: stolen data stored]

[Figure: stolen data transmitted]

Detection

Both Juniper Sky ATP and JATP on-prem solutions detect this threat, as seen in the screenshots below. Keeping security solutions up-to-date keeps the customer protected against this threat.

 

[Screenshot: cyphort.png]

[Screenshot: skyatp detection.png]