Cybercriminals Integrate Exploit for CVE-2018-8174 into Numerous Attack Tools

The CVE-2018-8174 vulnerability, also dubbed “Double Kill,” was discovered in the beginning of May 2018, when it was exploited as a 0-day in an APT attack leveraging malicious Office files in China. The vulnerability affects users with Internet Explorer installed, either after they browse the web or after they open crafted Office documents – even if the default browser on the victim’s machine is not set to IE. Moreover, it will also affect IE11, even though VBScript is no longer supported by using the compatibility tag for IE10. Microsoft patched the vulnerability on May 8, 2018.

Our monitoring revealed that since its discovery, various threat actors in the Russian underground hacking scene have shown a keen interest in this particular vulnerability, indicating their strong intent to exploit it in attacks. Since then, we have observed exploits for this vulnerability incorporated into several prominent attack tools used by Russian threat actors, including the RIG Exploit Kit and the Threadkit package of Office exploits indicating that cybercriminals see it as a profitable attack vector. Concurrently, security reports state the exploitation of this vulnerability has been witnessed in additional attack campaigns.

The CVE-2018-8174 Exploit

The vulnerability exists in the VBScript – incorporated both in the Internet Explorer browser and in Microsoft Office software. Being a use-after-free (UAF) memory vulnerability, it is particularly dangerous because of the enabling of the execution of arbitrary code, or, in some cases, full remote code execution, due to access to read and write primitives.

The APT attack spotted in China, later attributed to North Korean threat actors, used the URL Moniker technique to load the VisualBasic exploit leveraging CVE-2017-8174 into the Office process. Unlike previously-known Office exploits that used the same technique, the URL link in the current exploit calls the mshtml.dll, which is a library that contains the Visual Basic engine in Internet Explorer. Thus, albeit delivered via a Word document as the initial attack vector, the exploit takes advantage of a vulnerability in VBScript, and not in Microsoft Word.

This attack vector allows the attackers to incorporate Internet Explorer Browser exploits directly into Office documents, enabling them to use it via spear-phishing and drive-by campaigns. Immediately upon its discovery, it was estimated that the vulnerability would be exploited in multiple attack campaigns in the near future.

The in-the wild exploit consisted of three stages:

  • Delivery of a malicious Word document
  • Once opened, an HTML page containing a VBScript code is downloaded to the victim’s machine
  • A UAF vulnerability is triggered, and shellcode is executed

Microsoft Office alert pops-up when opening the crafted document
Microsoft Office alert pops-up when opening the crafted document

In less than two weeks, the exploit for CVE-2018-8174 was incorporated into the Metasploit framework. At the same time, we have spotted vigorous chatter regarding this vulnerability emerging on underground sources, in particular Russian-languages ones. Threat actors sought to purchase the exploit, and others shared PoC samples for the explicit purpose of their analysis and further modification.

CVE-2018-8174 exploit is mentioned on underground chatter. Source: Verint DarkAlert
CVE-2018-8174 exploit is mentioned on underground chatter. Source: Verint DarkAlert

Moreover, and in accordance with predictions made by security researchers, exploitation of this vulnerability was included in some of the most popular attack tools on the Russian underground. Of note, operators of malware targeting both Microsoft Office and IE browser announced the addition of the exploit to their attack tools, indicating that the malicious payload is to be delivered by one of these two vulnerable software types. As explained above, the attack vector can be a malicious Microsoft Office file that will trigger the launch of IE browser, even if not configured as the default browser, or a crafted URL link directly provided to the target.

We detected an exploit for CVE-2018-8174 added to the following attack tools traded on the Russian underground:

  • The RIG exploit kit[1] – in the wild attacks using this exploit to deliver the Monero Miner were already spotted.

    The RIG campaign’s infection chain. Source: Trend Micro
    The RIG campaign’s infection chain. Source: Trend Micro
  • The Threadkit Office exploits package – the modified version that includes the CVE-2018-8174 exploit is yet to be discovered in the wild. However, the malware’s author already announced its incorporation several days ago. The update for the kit will cost US$ 400.
  • Another Office exploits package – the new version includes exploits for the following vulnerabilities: CVE-2018-8174, CVE-2018-0802, CVE-2017-11882 and CVE-2017-8570.

    Exploit for CVE-2018-8174 is added to another office exploitation package. Source: Verint Dark Alert
    Exploit for CVE-2018-8174 is added to another office exploitation package. Source: Verint Dark Alert

Sharp Rise in Mining-Related Malware on the Russian-speaking Underground

Verint’s powerful portfolio of interception and monitoring solutions provides full monitoring and operational value. Dedicated systems address separate real-time and retroactive investigation needs, for lawful monitoring, field operations and background research. In the case below, we have used our Cyber and Webint suite to constantly monitor, collect and analyze malware-related items, to gain actionable intelligence and perform the investigation.

We constantly monitor groups, markets and IM channels manually and automatically, in this case, our monitoring has revealed in recent months a sharp rise in mining malware traded on numerous Dark Web forums, where hackers of various underground communities reside. This is hardly surprising, considering the rise in the value of cryptocurrency since late 2017. As a ramification of this trade, in recent months, a sharp rise in mining malware attacks has also been observed.

The rise in the trade in mining malware originates with cybercriminals engaged in attacks against banks and their clients, who are currently opting to focus on attacks designed to bring various kinds of cryptocurrency into their hands. For instance, SenseCy analysts spotted known sellers of banking malware, starting to offer for sale malware related to crypto-currency mining. These attacks can be divided into two types:

  • Infection with mining malware – we have spotted a rise in the trade of mining malware in hacking communities, as well as an increase in the number of discussions related to these types of attacks. This indicates an elevated interest in this field and a shift by hackers previously engaged in other criminal activities to acquiring knowledge and attack tools in the illegal mining field. These attacks are targeting a wide scope of end users and servers, and are designed to take advantage of their systems’ resources to mine cryptocurrency. Along with the slowdown of the infected system, mining malware can sometimes cause significant damage to the hardware, as in the case of the Loapi Android Trojan that worked a phone so hard its battery overheated and burst open the device’s back cover.
  • Attacks against cryptocurrency holders, be they private wallet owners or cryptocurrency exchange platforms. While the former are usually targeted by phishing or Man-in-the-Middle (MitM) attacks designed to steal credentials, the latter is a large-scale attack designed to steal cryptocurrency from the exchange platform. We see a large volume of evidence related to the first type in closed sources, but the second type is usually coordinated outside of hacking forums.

The picture received from our automatic monitoring systems surfaced according to pre-defined queries supports these findings, which were manually identified by our analysts. More than 4,000 mentions of “miner” on password-protected forums were identified in the period between September 1, 2017, and February 24, 2018, compared to just 1,000 for the same period one year earlier. In addition, a sharp rise in the number of discussions can be clearly observed starting from mid-October 2017, following the rise in the price of Bitcoin and other cryptocurrencies. In fact, the number of discussions on hacking-dedicated platforms correlates with the fluctuations in Bitcoin value (with a slight delay of several days).

The number of discussions from password-protected hacking sources in which the word “miner” was mentioned. Source: Verint DarkAlert
The value of Bitcoin in USD during the same period. Source: CoinDesk
The value of Bitcoin in USD during the same period. Source: CoinDesk

For instance, we identified two prominent threat actors from the Russian underground, who usually offer mobile “injections” – fake overlay pages designed to be used along with mobile Trojans to steal user credentials (usually for banking and e-commerce apps.) These threat actors started offering injections targeting users of popular Bitcoin wallets during the same period that the Bitcoin price increased.

Another example is the trade of a new mining malware dubbed CryptoNight, which started two months ago (February 10, 2018). For US$ 50, the author offers a miner for a variety of cryptocurrencies (those that use the CryptoNight or CryptoNight-lite algorithm), with a relatively low detection rate (according to tests run by other forum members). The malware also possesses clipboard stealer capabilities designed to steal credentials of the most popular cryptocurrency wallets (Bitcoin, Ethereum, Dogecoin and others).

Shadow Brokers’ Massive Leak Spreads Quickly Across the Dark Web

Since April 14th, when the Shadow Brokers leaked a new batch of files allegedly affiliated with Equation Group – an APT threat actor suspected of being tied to the NSA – Darknet forum members have been sharing the leaked attack tools and zero-day exploits among themselves. Continue reading “Shadow Brokers’ Massive Leak Spreads Quickly Across the Dark Web”

Exploit Kits Out, Loaders and Macros Back in

During 2016, we witnessed the collapse of three major exploit kits that were previously used for massive malware delivery: Nuclear (first), Angler and then Neutrino (later). Along with other more private EKs (such as Magnitude), they caused major damage in previous years and served as infection vectors for many malicious malware-distributing campaigns. Continue reading “Exploit Kits Out, Loaders and Macros Back in”

The Shade (Troldesh) Ransomware: One More Soldier in the Army of Encryption Miscreants

Written by Mickael S. and Tanya K.

Last week, SenseCy analysts happened upon a new sample of Shade ransomware, also known as Troldesh, which uses a no_more_ransom extension for encrypted files. This ransomware is far from famous, lacking the glorious Continue reading “The Shade (Troldesh) Ransomware: One More Soldier in the Army of Encryption Miscreants”

Insider Threats – Sometimes it is your Colleagues, and not Remote Attackers

Insiders pose the most substantial threat to organizations everywhere, a recent across-the-board study conducted by IBM demonstrates. Although in the majority of the cases, the insider is an employee of the company, he could also be a third party, such as an external contractor, a consultant or a business partner. An insider generally has all the Continue reading “Insider Threats – Sometimes it is your Colleagues, and not Remote Attackers”

Cerber Ransomware JavaScript Loader Goes Undetected

We have been closely monitoring Cerber ransomware since it first emerged on a Russian password-protected forum, offered as-a-service for members only.

At present, Cerber ransomware constitutes a sophisticated malware threat to organizations. (it was responsible for more than 25% of the total number of ransomware infections recorded worldwide in June 2016, according to Microsoft). Files encrypted by Cerber are currently non-decryptable.

On August 23, 2016, a member of the same closed forum where Cerber ransomware is traded posted a detailed analysis of the loader that the malware uses to install itself. According to his post, he did this after hearing that the loader is very useful and capable of installing any malware without detection. His conclusion was that the loader does not employ any extraordinary methods to install the ransomware, but its tremendous advantage of being fully undetectable by AV programs is due to the usage of several rare code functions that are difficult to emulate.

First, he posted the full obfuscated code of the loader, explaining parts of it:

  • Replacement of the Eval function, i.e. it receives a parameter that contains JavaScript code and executes it. Usually, AV programs emulate this function. Replacing the Eval function blocks this emulation.
  • Another part of the code creates a Desktop shortcut, probably also as an anti-emulator measure (the post writer comments that in his opinion AV would quickly detect it).
  • The next part of the code is obfuscated – a HEX code which is divided and deobfuscated using XOR.After deobfuscation, we can see that the code contains anti-emulation.
  • Then a random string is created and a path from %TEMP% environment obtained for it.
  • The next stage involves downloading the malicious file from an URL address and saving it in the system.
  • A parameter is added to the header to block AV bots and researchers: setRequestHeader(‘cerber’,’true’)
  • If the malicious payload was downloaded properly, it is executed.
  • Finally, the Eval alternative is launched.

Summarizing the analysis, the post author concludes that the advantages of the loader are a good implementation of the payload download and execution and errors control. The disadvantages he mentions are weak implementation of obfuscation and anti-emulation, and low level of usability functionality. He also attached an AV scanner report from August 23, showing a detection rate of 15/40.

Several days later, on August 27, 2016, the same forum member posted that he had analyzed the latest version of the loader and was surprised by the fact it is totally undetectable by AV programs. Moreover, this version is capable of installing payloads from several alternative URL addresses and it uses improved debugging. This version does not use anti-emulation at all, but employs a unique method that totally blocks the AV syntax emulation. 

Below is a description of the main techniques used by the loader to remain undetected:

  • Replacement of the Eval function (even though it is a simple technique, it is used extensively by JS packers and therefore cannot be detected by AV as malicious).
  • The part of the code that avoids emulation is an array that contains random data, with the first element being the important one. The functions Math.floor and Math.random always output only the first element in the array and AV cannot properly emulate them. Full undetectability is achieved by using these two functions.

The emulator will always output one single value and will never reach the part of the array when the right value is located. As a result, the emulator cannot perform the calculations, a critical error occurs and the AV programs are unable to identify the loader as a malicious file.

1
The message that analyzes what code feature allows the malware to avoid AV detection

The post author attached an AV scanner report showing a 0/35 detection rate (as of August 27, 2016).

2
The scan showing that the loader is not detected by AV engines

Russian Cyber Criminal Underground – 2015: The Prosperity of Ransomware and Office Exploits

The prominent products traded during 2015 on Russian underground forums were Ransomware programs and exploits targeting Microsoft Office. Prices on the Russian Underground have remained unchanged during the past two years, due to the vigorous competition between sellers on these platforms. Different kinds of services, such as digital signing for malicious files, injections development for MitM attacks and Crypting malware to avoid detection were also extremely popular on Russian forums.

Check out the new Infographic from SenseCy illustrating key trends observed on Russian underground in 2015.

Please contact us to receive your complimentary 2015 SenseCy Annual Cyber Threat Intelligence Report: https://www.sensecy.com/contact

Russian_underground_final

Handling a Ransomware Attack

A recent wave of ransomware attacks has hit countries around the world, with a large number of infections reported in the United States, the United Kingdom, Germany and Israel. It appears that the attackers have no specific target, since the attacks have struck hospitals, financial institutions and private institutions, indicating that no specific industry has been targeted.

In Israel, two types of ransomware were identified in the most recent attacks: the familiar TeslaCrypt and the new ransomware, Locky.

The Evolution of Ransomware

The vigorous usage of ransomware tools by cybercriminals and their success in this area has led to the development of new ransomware and the constant upgrading of known models. During the past several months, researchers have reported on the development of ransomware that is capable of file encryption without Internet connection, i.e., they do not communicate with their C&C servers for the encryption process.

New ransomware tools that were reported are Locky ransomware, whose modus operandi resembles the Dridex banking Trojan, and a new version of CTB-Locker that attacks web servers.

Additionally, RaaS (Ransom-as-a-Service) offers are becoming popular on closed DeepWeb and Darknet forums. These services allow potential attackers to easily create ransomware stubs, paying with profits from future successful infections. Recently, we identified a new RaaS dubbed Cerber ransomware, which is offered on a Russian underground forum. Previously it was ORX-Locker, offered as a service via a platform hosted on an .onion server.

1
The ransom message presented by the Cerber ransomware

Ransomware Distribution

The majority of the distribution vectors of ransomware stubs involve some kind of social engineering trap, for example, email messages including malicious Office files, spam messages with nasty links or malvertising campaigns exploiting vulnerable WordPress or Joomla websites with an embedded malevolent code. The distribution also takes advantage of Macro commands and exploit kits, such as Nuclear or Angler. Sometimes browser vulnerabilities are exploited, as well as stolen digital certificates.

In November 2015, attempts to deliver ransomware to Israeli clients were identified. In this case, the attackers spoofed a corporate email address and tried to make recipients believe the email was sent from a company worker.

2
RaaS offered on a Darknet forum

Handling a Ransomware Attack

Please find below our suggestions for recommended action to avoid ransomware attacks on an organization, and how to deal with an attack after infection:

Defend Your Organization from Potential Threats

  • Train your employees – since the human link is the weakest link in the organizational cybersecurity and the majority of the cases involve social engineering on one of the employees, periodical employee briefing is extremely important. Specify the rules regarding using the company systems, and describe what phishing messages look like.
  • Raise awareness regarding accepting files that arrive via email messages – instruct your employees not to open suspicious files or files sent from unfamiliar senders. Consider implementing an organizational policy addressing such files. We recommend blocking or isolating files with the following extensions: js (JavaScript), jar (Java), bat (Batch file), exe (executable file), cpl (Control Panel), scr (Screensaver), com (COM file) and pif (Program Information file).
  • Disable running of Macro scripts on Office files sent via email – in recent months, many cases of ransomware attacks employing this vector were reported. Usually, Macro commands are disabled by default and we do not recommend enabling them. In addition, we suggest using Office Viewer software to open Word and Excel files.
  • Limit user privileges and constantly monitor the workstations – careful management of user privileges and limited administrator’s privileges may help in avoiding the spread of the ransomware in the organizational network. Moreover, monitoring the activity on workstations will be useful for early detection of any infection and blocking it from propagating to other systems and network resources.
  • Create rules that block programs from executing from AppData/LocalAppData folders. Many variants of the analyzed ransomware are executed from these directories, including CryptoLocker. Therefore, the creation of such rules may reduce the encryption risk significantly.
  • Install a Russian keyboard – while monitoring closed Russian forums where several ransomware families originated, we discovered that many of them will check if the infected computer is located in a post-Soviet country. Usually, this check is performed by detecting which keyboard layout is installed on the machine. If a Russian (or other post-Soviet language) keyboard layout is detected, the ransomware will not initiate the encryption process.
  • Keep your systems updated – in many cases, hackers take advantage of outdated systems to infiltrate the network. Therefore, frequent updates of the organizational systems and implementing the published security patch will significantly reduce the chances of infection.
  • Use third-party dedicated software to deal with the threat – many programs aimed at addressing specific ransomware threats are constantly being released. One is Windows AppLocker, which is included in the OS and assists in dealing with malware. We recommend contacting the organizational security vendor and considering the offered solutions.
  • Implement technical indicator and YARA rules in the company organizations. We provide our clients with intelligence items accompanied by technical indicators. Additionally, a dedicated repository that includes ransomware indicators was launched.
    3
    A closed forum member looks to blackmail companies using ransomware

    What if I am Already Infected?

  • Restore your files – some ransomware tools create a copy of the file, encrypt it and then erase the original file. If the deletion is performed via the OS erase feature, there is a chance to restore the files, since in majority of the cases, the OS does not immediately overwrite the deleted filed.
  • Decryption of the encrypted files – the decryption will be possible if you were infected by one of these three ransomware types: Bitcryptor, CoinVault or Linux.Encoder.1. Therefore, detecting the exact kind of ransomware that attacked the PC is crucial.
  • Back-up files on a separate storage device regularly – the best practice to avoid damage from a ransomware attack is to backup all your important files on a storage disconnected from the organizational network, since some ransomware variants are capable of encrypting files stored on connected devices. For example, researchers recently reported a ransomware that encrypted files stored on the Cloud Sync folder.
  • If ransomware is detected in the organization, immediately disconnect the infected machine from the network. Do not try to remove the malware or to reboot the system before identifying the ransomware. In some cases, performing one of these actions will make the decryption impossible, even after paying the ransom.