Threat Research
Stay on top of the latest threat research, information on in-the-wild cyber attacks and cyber operations from Juniper Threat Labs.
Latest Articles
Nukebot Banking Trojan targeting people in France

Nukebot Banking Trojan targeting people in France

Nukebot (aka TinyNuke, or NuclearBot) made the news in spring of 2017 when the author released the source code in an attempt to restore their/his/her reputation in the cybercrime .... According to IBM, a hacker calling himself “Gosya” tried to sell this malware in such a clumsy and inexperienced fashion that he managed to get himself banned from multiple cybercrime forums for violating specific rules about how such products should be soldA few weeks ago, Juniper Threat Labs started seeing an active attack involving this malware that specifically targets computers in France. The malware arrives as a ZIP file downloaded from malicious links. Inside the ZIP is an executable file that appears to be an installer built from the “Inno Setup” tool. When the malware executes, it drops a legitimate standalone version of Firefox browser in the %TEMP% and %APPDATA% that it uses to load a malicious dll. This dll is dropped in the same directory as firefox.exe, and then loaded by Firefox by taking advantage of a dll-sideloading attack affecting an old version of the browser. The dll checks if the system’s UI language or keyboard layout is French before conducting its malicious bidding.

 

Read more...

Juniper Employee
Practical tips for preventing Ransomware

Practical tips for preventing Ransomware

Crypto ransomware seems to be a never-ending threat in today’s cyber world. It’s comparable to the “Kaiju” in the 2013 Hollywood blockbuster, Pacific Rim. One crypto ransomware dies and another is born that has more evolved features. The second half of 2017 witnessed back-to-back outbreaks of Wannacry, Petya, NotPetya and BadRadbbit ransomware.

 

petya.pngransomware

 

 

  But, we do not have to rely exclusively on security software to defend ourselves. Sometimes, the software already installed on our systems and proper configuration of our operating system can save the day.

 

Let’s go through some of the simplest things anyone can do on their Windows PC to prevent or limit the damage of a crypto ransomware attack.

 

Software Updates

Operating systems and all installed software should be updated on a regular basis. WannaCry and Petya exploited a vulnerability in SMB2 on Windows OS to spread across the network, even though a patch to close that vulnerability was available for months. Many of the ransomware and other malware are downloaded after being successfully exploited using exploit kits. The latest exploit kits like Angler and Neutrino contain exploits for various Adobe flash versions, Sun Java and Internet Explorer. Unpatched software may lead to your computer being compromised.

 

Most applications have an auto update capability - make sure this is enabled. Alternatively, you can update your applications manually by typing “update” in the Windows search bar and selecting “software update”.

 

software update.pngsoftware update

 

 

 

 

 

 

 

 

 

 

 

 

 

 

java update.pngjava update

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

System Configuration

Windows has lot of features. Many of these features are have default settings for a better user interaction . Changing these default settings can sometimes help to elevate security

 

View File Extension

Ransomware like Locky is distributed through spam emails. To hide the executable, the attachment often has a name similar to “invoice.pdf.exe”. By default, Windows hides the extension of some common file types, so when the victim downloads the executable from the email, it shows as “invoice.pdf” without the .exe extension. You can change this default behavior of folder options to always display file extensions. On Windows 7, you can type “folder options” into the window search option to get the folder option menu and make sure “hide extensions…” is not checked.

 

file extension.pngfolder option

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Additionally, you should only download attachments or click on URLs after carefully inspecting emails. Sometimes, emails can have javascript attachments, which can download other malware or ransomware.

 

Account Privilege

All programs run within a certain privilege level, typically the privilege level of the user who started the program. In general, user accounts on a Windows system should not have administrator privileges unless absolutely necessary. This will prevent programs for having access to the entire system should your computer be compromised by malware. You can check and change this setting in the user account type settings page.

 

change account type.pnguser account setting

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

User Account Control

User Account Control (UAC) is a Windows feature that prevents unauthorized changes to the operating system. It displays a pop-up window asking for permission whenever a new program tries to make changes. You can find the setting for UAC on Windows 7 by going to control panel->system and security->action center->change user control setting.

 

UAC.pngUAC setting

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

When the UAC setting is set to "always notify", you will always get a pop-up similar to the one shown in below image whenever a program tries to modify the system settings.Although this may be a bit irritating, it is a useful and preventive feature.

 

UAC_2.pngUAC pop up

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Disable Autoplay:

The Windows Autoplay feature is meant to facilitate the use of removable media by automatically launching the content upon insertion. When the user inserts a detachable drive into the system, Autoplay executes the script called “autorun.inf” present in that drive. A lot of malware and some ransomware are known to misuse this feature to spread from one machine to another.

 

As a preventive measure, we recommend disabling this feature. To disable, type in "gpedit.msc" and you will see a window for group policy editor. You can browse through Administrative Templates >Windows Components > Autoplay Policies and turn off Autoplay.

 

autoplay.pngautoplay settings

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Security Software Configuration

Many computers have pre-installed anti-virus software, as well as firewalls. These and other security related features need to be configured properly in order to boost the security posture of the device.

 

Windows Defender:

Windows Defender is an antivirus from Microsoft. All versions of Windows since Windows 7 include Windows Defender. Windows Defender should have real-time protection enabled. This feature scans each new file before it is written to the hard drive and hence can prevent infection. Signatures for all antivirus software, including Windows Defender, should be updated regularly and automatically.

 

windows_defender.pngwindows defender real time protection

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Additionally, the entire system should be scanned on a regular basis. The latest version of Windows Defender has an anti-exploitation feature too. Up until the end of 2017, a lot of ransomware was delivered via exploit kits. Microsoft Enhanced Mitigation Experience Toolkit (EMET) is another tool from Microsoft meant to protect against exploitation. It has the Data Execution Prevention (DEP) capability, Address Space Layout Randomization (ASLR), Structured Exception Handler (SEH Protection) and the Anti-Return Oriented Programming (Anti-ROP) feature. Some older versions of Windows lack many of the anti-exploitation features listed above. For those systems, installing EMET can act as an exploit-prevention shield in that case. In 2017, Windows introduced anti-exploitation features in Windows Defender known as Windows Defender Exploit Guard (WDEG).  This blog [https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-gu...] talks about the introduction of Windows Defender Exploit Guard (WDEG). Other than EMET, WDEG had inducted a few more features into it. Controlled folder access is one such feature that is meant to protect data from ransomware.

 

By implementing this recommended configuration, you can significantly reduce the possibility of getting infected by ransomware. Should an infection happen anyway, these recommendations will at least limit the scope of the damage to the local user.

 

Juniper Employee
Juniper Threat Labs at RSA: Mobile Threat Inspector

Juniper Threat Labs at RSA: Mobile Threat Inspector

What is your phone up to?

Your average enterprise security team requires access to all traffic in order to provide the secure environment that companies need to safely perform their work. In this environment, traffic information is collected and logged through various devices; a secure web gateway has a log of all the web requests that we make, while a next-generation firewall has app ID logs of all of the apps we use along with the domains and IPs that we connect to.

Read more...

Juniper Employee
BitPaymer Ransomware hides behind windows Alternate Data Streams

BitPaymer Ransomware hides behind windows Alternate Data Streams

Threat name: BitPaymer Ransomware

IOC Hash: Sha256: 8943356b0288b9463e96d6d0f4f24db068ea47617299071e6124028a8160db9c

IOC Files:

  • Files encrypted changed to extension .locked
  • Files ending with Readme_txt are created containing the Ransom Notes

BitPaymer ransomware was first seen in mid 2017 and was known to infect hospitals and ask for a huge Ransom. Earlier versions of BitPaymer allegedly demanded a whopping amount of 20 to 50 bitcoins, which would  approximately amount to a hundred thousand dollars. This means that the ransomware was targeting organizations rather than individuals . Recently, we came across a variant of this ransomware .

 ransom_note.png

 Fig: BitPaymer ransom note

 

BitPaymer uses a unique hiding mechanism that  exploits  alternate data streams (ADS), a feature of a NTFS file system that allows it to hide itself from plain sight.

 

Earlier versions of BitPaymer hid their own files by adding themselves to  blank files as an ADS. The latest version copies a clean Windows system executable to application data folder and then adds a copy of itself as an ADS stream to that copy of clean executable file . This can evade security tools that are not able to look into ADS. The file name of the copy of the clean executable is usually 8 character with “~1” at the end ie .”SOWI3D~1”. In this version of BitPaymer, , the name of the ADS   is “:bin”, while versions of the malware is “:exe” .So, the file name in this case is  ”SOWI3D~1:bin”, where bin is  the copy of the malware hidden as an ADS . You can only see “SOWI3D~1” as the file name when using Windows Explorer or file browsing tools like Far Manager.

 file.png

 Fig: stream not visible in Windows Explorer

 

Tools like AlternateStreamView can be used to view the ADS. The tool is available at the following URL: “https://www.nirsoft.net/utils/alternate_data_streams.html”.

 alternate_stream viewer tool.png

  Fig: alternateStreamView tool

 

After adding itself as an ADS to the copy of the clean Windows system executable, the malware launches the copied executable.

createProcess.png

   Fig: process created from ADS

 

The ransomware also tries to delete backup files like other ransomware. Most ransomware is known to use only VSSAdmin to delete the shadow copies but this one also seems to use “diskshadow.exe”.(note: shadow copies are used for the purpose of backup). The malware then executes the following commands to delete backups.

 

"C:\WINDOWS\system32\vssadmin.exe C:\WINDOWS\system32\vssadmin.exe Delete Shadows /All /Quiet"

 

"C:\WINDOWS\system32\diskshadow.exe C:\WINDOWS\system32\diskshadow.exe /s C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yP34.tmp".

 

 The ransomware has also embedded a public key  that is used for encryption purposes. public key.png

 

 

                                                           

 

 

Fig: public key embedded in the ransomware

 

After encrypting the files, the malwares drops a ransom note file for the victim.

The ransom note is slightly different in this version of BitPaymer. This version demands the ransom to be paid within 24 hours, while the earlier gave a period of 72 hours.

 

The malware encrypts the files  and leaves a ransom note in the directory. The encrypted files usually end with “.ini.locked” . The ransom note file name usually has the same file name with

extension “ini.readme_txt”.  

infected_folder.png

 Fig: Files encrypted by BitPaymer

 

BitPaymer is meant to spread by Brute force Remote Desktop Protocols (RDP).

  

Detection

Both Juniper Sky ATP and JATP on-prem solutions detect this threat as seen in the screenshots below .

cyphort.png

Screen Shot 2018-04-02 at 11.53.44 AM.png

 

Screen Shot 2018-04-02 at 11.53.56 AM.png

 Fig: Juniper Sky ATP and JATP  Detection

  

Customers using Juniper Sky ATP and JATP solutions are protected from the threat.

 

 

 

 

 

 

 

 

 

 

 

 

 

Juniper Employee
Wave of Spam Uses RTF Exploit, Delivers a Trojan-Spyware

Wave of Spam Uses RTF Exploit, Delivers a Trojan-Spyware

During the early weeks of February 2018, Juniper Threat Labs detected several malicious email campaigns involving a malicious MS Office file. The file attachment is an RTF file that includes an exploit. As we discovered, the RTF is exploiting CVE 2017-8570. This exploit is related to CVE-2017-0199, but a little less popular. Back in April 2017, CVE-2017-0199, considered a zero-day attack, was actively exploited in the wild. In an attack scenario, Microsoft Office documents can be embedded with OLE objects such as “EXE, VBS, JS, ZIP, HTA, SCT, etc.”

Read more...

Juniper Employee
New Gootkit Banking Trojan variant pushes the limits on evasive behavior

New Gootkit Banking Trojan variant pushes the limits on evasive behavior

 

On January 19, 2018, Juniper Threat Labs detected a Gootkit banking trojan at one of our customers sites. The file was hosted on a compromised golfing site, namely “carolinalakesgc[.]com”.  This malware uses some unique anti-analysis and anti-sandboxing tricks. It also employs a new persistence method taking advantage of the Pending GPO feature. The malware spawns a suspended mstsc.exe (Remote Desktop Process) and injects itself into it. Before installing itself into the system, it performs several checks related to sandboxes and tools associated with malware analysis.

 

 

Read more...

Juniper Employee
Top Kudoed Authors
Latest Comments
threatresearch | 01-18-2018
Re: Meltdown & Spectre: Modern CPU vulnerabilities
threatresearch | 01-07-2018
Re: Meltdown & Spectre: Modern CPU vulnerabilities
By  spuluka
threatresearch | 01-06-2018
Re: Meltdown & Spectre: Modern CPU vulnerabilities