Threat Research
Stay on top of the latest threat research, information on in-the-wild cyber attacks and cyber operations from Juniper Threat Labs.
Latest Articles
Mirai variant has Android devices in its crosshair

When the master learns from the student: following Satori's use of Android phones shipped with a debug port enabled, Juniper Threat Labs has identified a Mirai variant active in the wild that, for the first time, targets the same channel to compromise misconfigured Android devices.


The Gozi Sleeper Cell

Co-Authors: Anoop Saldanha and Paul Kimayong


Gozi, also known as Ursnif, is a well-known banking malware. Since its source code was leaked some time ago, many variants of the family have been identified in different attacks, and various instances of Gozi are still active: criminals have modified the code and distributed it around the web. The sample analysed here was seen on one of our customers' premises. Here is the hash of the sample:

Attack Vector

Gozi is known to spread through spam emails carrying JavaScript attachments or Microsoft Office documents. Cisco Talos has described these spam campaigns on its blog.

The Gozi sample we analysed is downloaded by malicious Office files, which are sent as spam attachments such as the example below:

[Figure: spam email]

The Office document contains malicious macros which, when enabled, run a PowerShell script that downloads the Ursnif binary.

[Figure: JavaScript attachment]

In the past, Gozi also arrived via exploit kits.


When executed, Gozi drops a copy of itself as %APPDATA%\{random}\(unknown).exe.

In our sample, it drops as:

Note that the filename (cicsapi.exe) may vary between Ursnif variants.


It also creates an autostart entry:

[Figure: autostart entry]

Gozi's main module is a DLL that is injected into explorer.exe.

After successfully injecting into explorer.exe, the initial executable, cicsapi.exe, terminates. Variants may exhibit slightly different behavior.


Technical Details

Gozi tries to evade analysis by manually "zeroing out" its PE header in memory. This makes investigation harder, because most memory analysis tools rely on the PE header when inspecting a memory region.

[Figure: zeroed PE header]

Gozi itself has many anti-sandbox tricks, but this sample also carries one in the outer packer layer: a sleep mechanism that is not implemented by calling the Windows Sleep() API but by calling WaitForSingleObject() with an invalid handle. The intent is to avoid sandbox detection.

[Figure: WaitForSingleObject() sleep]

The malware uses multi-level encryption. It unpacks by overwriting itself in place, and once unpacked a number of strings specific to the Gozi family become visible.


Here is the unpacked file for the studied sample:




Here is a screenshot of the strings present in the unpacked file:

[Figure: first-level unpacked strings]

Gozi creates a mailslot named "mailslot\ms10", a name that is visible in the memory strings. Mailslots are a Windows interprocess-communication mechanism, but Gozi repurposes one to make debugging harder: where most malware decrypts code into a memory buffer, this sample writes the decoded data to the mailslot, and standard debugging tools offer no direct way to inspect what is written there.

One thread creates the mailslot with the CreateMailslot API. Another thread obtains a handle to it by calling CreateFile with the mailslot name as the file name, and then writes the decoded buffer to it.

[Figure: mailslot created]

[Figure: write to mailslot]

To see what is written to the mailslot, a reverser can patch the file name passed to CreateFile from the mailslot name to "C:\out". The file must be created manually beforehand, because the CreateFile call uses the OPEN_EXISTING disposition.

[Figure: mailslot name in CreateFile replaced with a file name]

WriteFile then writes the decoded content to "C:\out", where it can be examined easily. We see that a partially decrypted DLL is written to the file; judging by its strings, the DLL's name is crm.dll.

[Figure: crm.dll in memory]

Hash for crm.dll




crm.dll is responsible for further unpacking the payload into memory, but it is not the final payload either: it in turn loads the actual Gozi payload. The sample has various well-known anti-sandbox features such as sleep delays, but our deep memory inspection feature lets us identify the payload even when the sample refuses to execute completely. Many strings in memory closely resemble the leaked source code.

[Figure: memory block showing URL]

Below is a snapshot of one of the malware's memory regions. Searching for the URL turns up a number of GitHub forks.

[Figure: GitHub forks found by searching for the URL]

The sample has additional interesting memory strings that show the pattern of C2 communication.

[Figure: C2 pattern in memory]

The sample connects to its C2 server:

  • Qf1q48wdq1dd[.]net

It communicates with its C2 server via SSL.

[Figure: C2 communication via SSL]

Other strings, such as PR_Read, indicate that the malware installs hooks into browsers like Firefox in order to steal data.

[Figure: strings indicating Firefox hook]

These patterns can be used in intrusion detection signatures and YARA rules to identify the malware. The malware also hooks the WSARecv and WSASend APIs in order to intercept network communications.

Beyond these hooks, it also has the following capabilities:

  • Cookie theft
  • Email credential theft
  • Logging of browsing activity
  • Keylogging

The stolen data is stored in the %temp% folder as a .bin file whose name is four random hexadecimal characters, e.g. 676A.bin. The malware uses the mscab.exe tool to archive the stolen data and sends the archive to its C2 server.



stolen data stored.pngstolen data stored















stolen data transmitted.pngstolen data transmitted
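
As an added example (not code from the post), the following PowerShell triage function looks for the artefacts described above in a dumped memory region or unpacked file: the wiped PE header, the "mailslot\ms10" name, crm.dll, the PR_Read/WSARecv/WSASend hook targets, and the four-hex-character .bin staging files in %TEMP%. The scoring threshold and the sample buffer are assumptions made for illustration.

```powershell
# Added example (not from the Juniper post): triage a dumped memory region or
# unpacked file for the Gozi/Ursnif artefacts described in the analysis above.
function Test-GoziIndicators {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    # Decode as 8-bit ANSI and as UTF-16LE so narrow and wide strings are both searched.
    $ansi = [System.Text.Encoding]::GetEncoding(28591).GetString($Bytes)
    $wide = [System.Text.Encoding]::Unicode.GetString($Bytes)
    # Wide strings that start at an odd offset are only visible when decoding from byte 1.
    $wide += "`n" + [System.Text.Encoding]::Unicode.GetString($Bytes, 1, $Bytes.Length - 1)

    # Strings reported in the analysis; each one is only a weak signal by itself.
    $indicators = [ordered]@{
        'mailslot\ms10' = 'mailslot used to stage the decoded buffer'
        'crm.dll'       = 'intermediate loader module'
        'PR_Read'       = 'Firefox (NSPR) hook target'
        'WSARecv'       = 'Winsock receive hook target'
        'WSASend'       = 'Winsock send hook target'
    }
    $hits = New-Object System.Collections.Generic.List[object]
    foreach ($s in $indicators.Keys) {
        if ($ansi.Contains($s) -or $wide.Contains($s)) {
            $hits.Add([pscustomobject]@{ Indicator = $s; Meaning = $indicators[$s] })
        }
    }

    # A region whose first 0x40 bytes are all zero has had its MZ/DOS header wiped,
    # which is exactly what defeats memory scanners that key on the PE header.
    $headerZeroed = (($Bytes.Length -ge 0x40) -and
                     (@($Bytes[0..0x3F] | Where-Object { $_ -ne 0 }).Count -eq 0))

    [pscustomobject]@{
        HeaderZeroed = $headerZeroed
        Hits         = $hits.ToArray()
        # Assumed threshold: a wiped header plus two family strings deserves a closer look.
        Suspicious   = ($headerZeroed -and $hits.Count -ge 2)
    }
}

# Staging files described above: %TEMP%\XXXX.bin with four hex characters, e.g. 676A.bin.
function Get-GoziStagingFiles {
    param([string]$Folder = $env:TEMP)
    Get-ChildItem -Path $Folder -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[0-9A-F]{4}\.bin$' }
}

# Constructed sample: 64 zero bytes standing in for the wiped header, then two of the strings.
$sample = [byte[]]((@(0) * 64) + [System.Text.Encoding]::ASCII.GetBytes("mailslot\ms10`0crm.dll`0"))
Test-GoziIndicators -Bytes $sample | Format-List
Get-GoziStagingFiles | Select-Object FullName, Length, LastWriteTime
```

To run it against a real dump, pass `[System.IO.File]::ReadAllBytes($path)` as `-Bytes`; a hit on a single string is expected to be noisy, which is why the verdict also requires the wiped header.
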
Both Juniper Sky ATP and the on-premises JATP solution detect this threat, as seen in the screenshots below. Keeping security solutions up to date helps keep customers protected against this threat.

[Figure: Sky ATP and JATP detection]

VPNFilter: a global threat beyond routers

When first publicly announced on May 23, the threat dubbed VPNFilter was thought to infect only some brands of home routers and Network Attached Storage devices. While it was known that the list of router brands was probably not complete, little did we know that the malware also has the ability to infect the very computers sitting behind those routers and firewalls.


VPNFilter: a nation state campaign for surveillance and destruction


VPNFilter is a campaign to compromise small office and home routers as well as Network Attached Storage devices from several popular manufacturers. According to a Cisco Talos blog, there are upward of 500,000 infected devices already, and the list may not be exhaustive. The malware has surveillance capabilities as well as destructive capabilities, including the ability to render the infected device permanently unusable.




VPNFilter has been lurking in the shadows for the better part of the last two years. It is unknown whether it uses any sophisticated means to breach internet-connected devices, but the prevailing thinking in the security community is that it exploits previously known and unpatched vulnerabilities, or simply weak or default passwords. The malware is fairly sophisticated: it has multiple layers of redundancy for communicating with its command and control servers, using the photo sharing site Photobucket, the hardcoded domain toknowall[.]com, and a fallback plan of direct connection from the attackers to the compromised device itself. In this fallback mode it opens a socket and listens for incoming packets, looking for the specific packet from its C2 server that will trigger an action.


As with any sophisticated implant, VPNFilter accepts a secondary payload that performs most of the malware's functions, and it can also be augmented with purpose-built plugins. Two of the known plugins add the ability to sniff traffic for credentials or Modbus SCADA protocol and to use Tor for communication. It can do anything a botnet can do, and more. The troubling part is its ability to wipe a critical section of the infected device's firmware, rendering it permanently non-functional unless you are handy with a soldering iron. If the threat actor behind this campaign pulls the trigger on this capability, hundreds of thousands of users will lose their internet connection until they purchase a new router.


There is evidence that the authors of this malware are the same as the authors of the BlackEnergy malware, which crippled Ukraine's energy grid in December 2015 and which the US Government attributed to Russian state actors. Additionally, on May 8 Cisco observed heightened compromise activity focused on Ukrainian targets. Given that Ukraine's Constitution Day on June 28 is fast approaching and that Ukraine has suffered cyber attacks around this day in the past, there is circumstantial evidence that this build-up is for an impending attack.


Call to action


Given that the list of compromised device models is large and potentially incomplete, it is recommended that everyone reboot their home routers and NAS devices once. This removes any second- and third-stage malware from the device, since those stages do not persist across a reboot. The first stage stays in place and will try to download the second stage again, but with law enforcement efforts to take down the known command and control infrastructure, and the efforts of security vendors supplying equipment to Internet Service Providers, the threat should be partially mitigated. Additionally, make sure your device is patched to the latest firmware version released by the manufacturer, change default passwords, and disable any internet-facing services that are not needed, such as the remote management UI, SSH, Telnet and FTP.


Through Juniper Networks' membership in the Cyber Threat Alliance, we have been able to put mitigations in place against all known actionable IOCs from this campaign.

Nukebot Banking Trojan targeting people in France

Nukebot (aka TinyNuke or NuclearBot) made the news in the spring of 2017 when its author released the source code in an attempt to restore their reputation in the cybercrime .... According to IBM, a hacker calling himself "Gosya" tried to sell this malware in such a clumsy and inexperienced fashion that he managed to get himself banned from multiple cybercrime forums for violating specific rules about how such products should be sold.

A few weeks ago, Juniper Threat Labs started seeing an active attack involving this malware that specifically targets computers in France. The malware arrives as a ZIP file downloaded from malicious links. Inside the ZIP is an executable that appears to be an installer built with the "Inno Setup" tool. When the malware executes, it drops a legitimate standalone copy of the Firefox browser in %TEMP% and %APPDATA%, which it uses to load a malicious DLL. This DLL is dropped in the same directory as firefox.exe and is then loaded by Firefox through a DLL-sideloading weakness affecting an old version of the browser. The DLL checks whether the system's UI language or keyboard layout is French before carrying out its malicious work.

Practical tips for preventing Ransomware

Crypto ransomware seems to be a never-ending threat in today's cyber world. It is comparable to the "Kaiju" in the 2013 Hollywood blockbuster Pacific Rim: one crypto ransomware dies and another is born with more evolved features. The second half of 2017 witnessed back-to-back outbreaks of WannaCry, Petya, NotPetya and BadRabbit ransomware.

But we do not have to rely exclusively on security software to defend ourselves. Sometimes the software already installed on our systems, together with proper configuration of the operating system, can save the day.


Let’s go through some of the simplest things anyone can do on their Windows PC to prevent or limit the damage of a crypto ransomware attack.


Software Updates

Operating systems and all installed software should be updated on a regular basis. WannaCry and Petya exploited a vulnerability in SMB2 on Windows to spread across the network, even though a patch closing that vulnerability had been available for months. Much ransomware and other malware is downloaded after a successful compromise by an exploit kit; the latest exploit kits, such as Angler and Neutrino, contain exploits for various versions of Adobe Flash, Sun Java and Internet Explorer. Unpatched software may lead to your computer being compromised.


Most applications have an auto-update capability; make sure this is enabled. Alternatively, you can update your applications manually by typing "update" in the Windows search bar and selecting "software update".

[Figure: software update]

[Figure: Java update]

System Configuration

Windows has a lot of features, many of which have default settings chosen for ease of use rather than security. Changing these defaults can sometimes raise the level of security.


View File Extension

Ransomware like Locky is distributed through spam emails. To hide the executable, the attachment often has a name similar to "invoice.pdf.exe". By default, Windows hides the extension of some common file types, so when the victim downloads the executable from the email it shows as "invoice.pdf" without the .exe extension. You can change this default behavior in Folder Options so that file extensions are always displayed. On Windows 7, type "folder options" into the Windows search box to open the Folder Options dialog and make sure "hide extensions…" is not checked.

[Figure: folder options]

Additionally, only download attachments or click on URLs after carefully inspecting the email. Emails can sometimes carry JavaScript attachments, which can download other malware or ransomware.


Account Privilege

All programs run at a certain privilege level, typically that of the user who started them. In general, user accounts on a Windows system should not have administrator privileges unless absolutely necessary; this prevents programs from having access to the entire system should your computer be compromised by malware. You can check and change this in the user account type settings page.

[Figure: user account settings]

User Account Control

User Account Control (UAC) is a Windows feature that prevents unauthorized changes to the operating system. It displays a pop-up window asking for permission whenever a program tries to make changes. On Windows 7, you can find the UAC setting under Control Panel > System and Security > Action Center > Change User Account Control settings.

[Figure: UAC setting]

When UAC is set to "always notify", you will get a pop-up similar to the one shown in the image below whenever a program tries to modify system settings. Although this may be a bit irritating, it is a useful preventive feature.

[Figure: UAC pop-up]

Disable Autoplay:

The Windows AutoPlay feature is meant to make removable media convenient by automatically launching its content on insertion. When the user inserts a removable drive, AutoPlay acts on the "autorun.inf" file present on that drive. A lot of malware and some ransomware are known to misuse this feature to spread from one machine to another.

As a preventive measure, we recommend disabling this feature. Run "gpedit.msc" to open the Group Policy Editor, browse to Administrative Templates > Windows Components > Autoplay Policies and turn off AutoPlay.

[Figure: AutoPlay settings]

Security Software Configuration

Many computers have pre-installed anti-virus software, as well as firewalls. These and other security related features need to be configured properly in order to boost the security posture of the device.


Windows Defender:

Windows Defender is an antivirus from Microsoft. All versions of Windows since Windows 7 include Windows Defender. Windows Defender should have real-time protection enabled. This feature scans each new file before it is written to the hard drive and hence can prevent infection. Signatures for all antivirus software, including Windows Defender, should be updated regularly and automatically.

[Figure: Windows Defender real-time protection]

Additionally, the entire system should be scanned on a regular basis. The latest version of Windows Defender also has an anti-exploitation feature. Up until the end of 2017, a lot of ransomware was delivered via exploit kits. The Microsoft Enhanced Mitigation Experience Toolkit (EMET) is another tool from Microsoft meant to protect against exploitation: it provides Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), Structured Exception Handler (SEH) protection and anti-Return-Oriented-Programming (Anti-ROP) features. Some older versions of Windows lack many of these anti-exploitation features; on those systems, installing EMET can act as an exploit-prevention shield. In 2017, Microsoft introduced anti-exploitation features in Windows Defender known as Windows Defender Exploit Guard (WDEG); this blog post [] describes its introduction. Beyond what EMET offered, WDEG added a few more features. Controlled folder access is one such feature, meant to protect data from ransomware.
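
As an added example (not code from the post), the following PowerShell audit checks each of the settings discussed above on the local machine: file-extension hiding, local administrator membership, the UAC level, AutoPlay, and Windows Defender real-time protection, signature age and controlled folder access. The registry locations and Defender cmdlets are the standard Windows ones; the seven-day signature-age threshold is an assumption.

```powershell
# Added example (not from the Juniper post): read-only audit of the settings
# recommended above. Run in an elevated PowerShell 5.1+ session on Windows 10 or later.
function Get-RansomwareHardeningReport {
    $findings = New-Object System.Collections.Generic.List[string]

    # View File Extension: HideFileExt=1 (the default) is what shows invoice.pdf.exe as invoice.pdf.
    $adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    if ($adv.HideFileExt -ne 0) { $findings.Add('Explorer hides known file extensions (HideFileExt should be 0)') }

    # Account Privilege: the day-to-day account should not be a local administrator.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if ($admins.Name -contains $me) { $findings.Add("$me is a member of the local Administrators group") }

    # User Account Control: EnableLUA=1 turns UAC on; ConsentPromptBehaviorAdmin=2 together with
    # PromptOnSecureDesktop=1 is the "always notify" slider position.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($uac.EnableLUA -ne 1) {
        $findings.Add('UAC is disabled (EnableLUA=0)')
    } elseif ($uac.ConsentPromptBehaviorAdmin -ne 2 -or $uac.PromptOnSecureDesktop -ne 1) {
        $findings.Add('UAC is not set to "always notify"')
    }

    # Disable Autoplay: the "Turn off AutoPlay" policy for all drives writes NoDriveTypeAutoRun=0xFF.
    $ap = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    if ($ap.NoDriveTypeAutoRun -ne 0xFF) { $findings.Add('AutoPlay is not turned off for all drive types') }

    # Windows Defender: real-time protection, signature age and controlled folder access.
    $pref   = Get-MpPreference -ErrorAction SilentlyContinue
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($pref) {
        if ($pref.DisableRealtimeMonitoring) { $findings.Add('Defender real-time protection is disabled') }
        if ($pref.EnableControlledFolderAccess -ne 1) { $findings.Add('Controlled folder access is not in block mode (1=block, 2=audit)') }
    }
    # Assumed threshold: signatures older than a week mean automatic updates are not working.
    if ($status -and $status.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
        $findings.Add("Defender signatures last updated $($status.AntivirusSignatureLastUpdated)")
    }

    [pscustomobject]@{ Host = $env:COMPUTERNAME; Findings = $findings.ToArray() }
}

Get-RansomwareHardeningReport | Format-List
```

An empty Findings array means every checked setting matches the recommendations; the script changes nothing, so each finding still has to be fixed through the dialogs or policies described above.
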


By implementing this recommended configuration, you can significantly reduce the possibility of getting infected by ransomware. Should an infection happen anyway, these recommendations will at least limit the scope of the damage to the local user.

