Tom Potter - US-CERT Alerts

Main Menu

Internet

US-CERT Alerts

Alerts warn about vulnerabilities, incidents, and other security issues that pose a significant risk.

TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer
Original release date: November 14, 2017 | Last revised: November 22, 2017

Systems Affected

Network systems

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean government—commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.
FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.
This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with Volgmer malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the Volgmer malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.
For a downloadable copy of IOCs, see:
- IOCs (.csv)
- IOCs (.stix)
NCCIC conducted analysis on five files associated with or identified as Volgmer malware and produced a Malware Analysis Report (MAR). MAR-10135536-D examines the tactics, techniques, and procedures observed. For a downloadable copy of the MAR, see:
- MAR (.pdf)
- MAR IOCs (.stix)
Description

Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries.
It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer
The U.S. Government has analyzed Volgmer’s infrastructure and have identified it on systems using both dynamic and static IP addresses. At least 94 static IP addresses were identified, as well as dynamic IP addresses registered across various countries. The greatest concentrations of dynamic IPs addresses are identified below by approximate percentage:
- India (772 IPs) 25.4 percent
- Iran (373 IPs) 12.3 percent
- Pakistan (343 IPs) 11.3 percent
- Saudi Arabia (182 IPs) 6 percent
- Taiwan (169 IPs) 5.6 percent
- Thailand (140 IPs) 4.6 percent
- Sri Lanka (121 IPs) 4 percent
- China (82 IPs, including Hong Kong (12)) 2.7 percent
- Vietnam (80 IPs) 2.6 percent
- Indonesia (68 IPs) 2.2 percent
- Russia (68 IPs) 2.2 percent
Technical Details
As a backdoor Trojan, Volgmer has several capabilities including: gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. In one of the samples received for analysis, the US-CERT Code Analysis Team observed botnet controller functionality.
Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications.
Malicious actors commonly maintain persistence on a victim’s system by installing the malware-as-a-service. Volgmer queries the system and randomly selects a service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service's registry entry. In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words.
Detection and Response
This alert’s IOC files provide HIDDEN COBRA indicators related to Volgmer. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware.
When reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find some traffic relates to malicious activity and some traffic relates to legitimate activity.
Network Signatures and Host-Based Rules
This section contains network signatures and host-based rules that can be used to detect malicious activity associated with HIDDEN COBRA actors. Although created using a comprehensive vetting process, the possibility of false positives always remains. These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to HIDDEN COBRA actors.
Network Signatures
alert tcp any any -> any any (msg:"Malformed_UA"; content:"User-Agent: Mozillar/"; depth:500; sid:99999999;)
___________________________________________________________________________________________________
YARA Rules
rule volgmer { meta: description = "Malformed User Agent" strings: $s = "Mozillar/" condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $s }

Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include
- temporary or permanent loss of sensitive or proprietary information,
- disruption to regular operations,
- financial losses incurred to restore systems and files, and
- potential harm to an organization’s reputation.
Solution

Mitigation Strategies
DHS recommends that users and administrators use the following best practices as preventive measures to protect their computer networks:
- Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
- Keep operating systems and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
- Maintain up-to-date antivirus software, and scan all software downloaded from the Internet before executing.
- Restrict users’ abilities (permissions) to install and run unwanted software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
- Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.
- Do not follow unsolicited web links in emails. See Avoiding Social Engineering and Phishing Attacks for more information.
Response to Unauthorized Network Access
- Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).
References
Revision History
- November 14, 2017: Initial version
This product is provided subject to this Notification and this Privacy & Use policy.
TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
Original release date: November 14, 2017 | Last revised: November 22, 2017

Systems Affected

Network systems

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a remote administration tool (RAT) used by the North Korean government—commonly known as FALLCHILL. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.
FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to any North Korean government malicious cyber activity.
This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with FALLCHILL malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the FALLCHILL malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.
For a downloadable copy of IOCs, see:
- IOCs (.csv)
- IOCs (.stix)
NCCIC conducted analysis on two samples of FALLCHILL malware and produced a Malware Analysis Report (MAR). MAR-10135536-A examines the tactics, techniques, and procedures observed in the malware. For a downloadable copy of the MAR, see:
- MAR (.pdf)
- MAR IOCs (.stix)
Description

According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.
During analysis of the infrastructure used by FALLCHILL malware, the U.S. Government identified 83 network nodes. Additionally, using publicly available registration information, the U.S. Government identified the countries in which the infected IP addresses are registered.
Technical Details
FALLCHILL is the primary component of a C2 infrastructure that uses multiple proxies to obfuscate network traffic between HIDDEN COBRA actors and a victim’s system. According to trusted third-party reporting, communication flows from the victim’s system to HIDDEN COBRA actors using a series of proxies as shown in figure 1.
Figure 1. HIDDEN COBRA Communication Flow
FALLCHILL uses fake Transport Layer Security (TLS) communications, encoding the data with RC4 encryption with the following key: [0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82]. FALLCHILL collects basic system information and beacons the following to the C2:
- operating system (OS) version information,
- processor information,
- system name,
- local IP address information,
- unique generated ID, and
- media access control (MAC) address.
FALLCHILL contains the following built-in functions for remote operations that provide various capabilities on a victim’s system:
- retrieve information about all installed disks, including the disk type and the amount of free space on the disk;
- create, start, and terminate a new process and its primary thread;
- search, read, write, move, and execute files;
- get and modify file or directory timestamps;
- change the current directory for a process or file; and
- delete malware and artifacts associated with the malware from the infected system.
Detection and Response
This alert’s IOC files provide HIDDEN COBRA indicators related to FALLCHILL. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware.
When reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find some traffic relates to malicious activity and some traffic relates to legitimate activity.
Network Signatures and Host-Based Rules
This section contains network signatures and host-based rules that can be used to detect malicious activity associated with HIDDEN COBRA actors. Although created using a comprehensive vetting process, the possibility of false positives always remains. These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to HIDDEN COBRA actors.
Network Signatures
alert tcp any any -> any any (msg:"Malicious SSL 01 Detected";content:"|17 03 01 00 08|"; pcre:"/\x17\x03\x01\x00\x08.{4}\x04\x88\x4d\x76/"; rev:1; sid:2;)
___________________________________________________________________________________________
alert tcp any any -> any any (msg:"Malicious SSL 02 Detected";content:"|17 03 01 00 08|"; pcre:"/\x17\x03\x01\x00\x08.{4}\x06\x88\x4d\x76/"; rev:1; sid:3;)
___________________________________________________________________________________________
alert tcp any any -> any any (msg:"Malicious SSL 03 Detected";content:"|17 03 01 00 08|"; pcre:"/\x17\x03\x01\x00\x08.{4}\xb2\x63\x70\x7b/"; rev:1; sid:4;)
___________________________________________________________________________________________
alert tcp any any -> any any (msg:"Malicious SSL 04 Detected";content:"|17 03 01 00 08|"; pcre:"/\x17\x03\x01\x00\x08.{4}\xb0\x63\x70\x7b/"; rev:1; sid:5;)
___________________________________________________________________________________________
YARA Rules
The following rules were provided to NCCIC by a trusted third party for the purpose of assisting in the identification of malware associated with this alert.
THIS DHS/NCCIC MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. These rules have been tested and determined to function effectively in a lab environment, but we have no way of knowing if they may function differently in a production network. Anyone using these rules are encouraged to test them using a data set representitive of their environment.
rule rc4_stack_key_fallchill { meta: description = "rc4_stack_key" strings: $stack_key = { 0d 06 09 2a ?? ?? ?? ?? 86 48 86 f7 ?? ?? ?? ?? 0d 01 01 01 ?? ?? ?? ?? 05 00 03 82 41 8b c9 41 8b d1 49 8b 40 08 48 ff c2 88 4c 02 ff ff c1 81 f9 00 01 00 00 7c eb } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $stack_key }
rule success_fail_codes_fallchill
{ meta: description = "success_fail_codes" strings: $s0 = { 68 7a 34 12 00 } $s1 = { ba 7a 34 12 00 } $f0 = { 68 5c 34 12 00 } $f1 = { ba 5c 34 12 00 } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and (($s0 and $f0) or ($s1 and $f1)) }
___________________________________________________________________________________________

Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
- temporary or permanent loss of sensitive or proprietary information,
- disruption to regular operations,
- financial losses incurred to restore systems and files, and
- potential harm to an organization’s reputation.
Solution

Mitigation Strategies
DHS recommends that users and administrators use the following best practices as preventive measures to protect their computer networks:
- Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
- Keep operating systems and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
- Maintain up-to-date antivirus software, and scan all software downloaded from the Internet before executing.
- Restrict users’ abilities (permissions) to install and run unwanted software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
- Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.
- Do not follow unsolicited web links in emails. See Avoiding Social Engineering and Phishing Attacks for more information.
Response to Unauthorized Network Access
- Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).
References
Revision History
- November 14, 2017: Initial version
This product is provided subject to this Notification and this Privacy & Use policy.

TA17-293A: Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors

Original release date: October 20, 2017 | Last revised: October 23, 2017

Systems Affected

Domain Controllers
File Servers
Email Servers

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. Working with U.S. and international partners, DHS and FBI identified victims in these sectors. This report contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on compromised victims’ networks.

DHS assesses this activity as a multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector. Based on malware analysis and observed IOCs, DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign. The intent of this product is to educate network defenders and enable them to identify and reduce exposure to malicious activity.

For a downloadable copy of IOC packages and associated files, see:

Contact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical assistance.

Description

Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks. Historically, cyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict. [1] Historically, threat actors have also targeted other critical infrastructure sectors with similar campaigns.

Analysis by DHS, FBI, and trusted partners has identified distinct indicators and behaviors related to this activity. Of specific note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign. [2]

This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third party suppliers with less secure networks. The initial victims are referred to as “staging targets” throughout this alert. The threat actor uses the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. The ultimate objective of the cyber threat actors is to compromise organizational networks, which are referred throughout this alert as “intended target.”

Technical Details

The threat actors in this campaign employed a variety of TTPs, including:

open-source reconnaissance,
spear-phishing emails (from compromised legitimate accounts),
watering-hole domains,
host-based exploitation,
industrial control system (ICS) infrastructure targeting, and
ongoing credential gathering.

Using Cyber Kill Chain for Analysis

DHS leveraged the Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. This section will provide a high-level overview of activity within this framework.

Stage 1: Reconnaissance

The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets. It is known that threat actors are actively accessing publicly available information hosted by organization-monitored networks. DHS further assesses that threat actors are seeking to identify information pertaining to network and organizational design, as well as control system capabilities, within organizations.

Forensic analysis identified that threat actors are conducting open-source reconnaissance of their targets, gathering information posted on company-controlled websites. This is a common tactic for collecting the information needed for targeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information. As an example, the threat actors downloaded a small photo from a publically accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.

Analysis also revealed that the threat actors used compromised staging target networks to conduct open-source reconnaissance to identify potential targets of interest and intended targets. “Targets of interest” refers to organizations that DHS observed the threat actors showing an active interest in, but where no compromise was reported. Specifically, the threat actors accessed publically web-based remote access infrastructure such as websites, remote email access portals, and virtual private network (VPN) connections.

Stage 2: Weaponization

Spear-Phishing Email TTPs

Throughout the spear-phishing campaign, threat actors used email attachments to leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol. (An example of this request is: file[:]//<remote IP address>/Normal.dotm). As a part of the standard processes executed by Microsoft Word, this request authenticates the client with the server, sending the user’s credential hash to the remote server prior to retrieving the requested file. (Note: It is not necessary for the file to be retrieved for the transfer of credentials to occur.) The threat actors then likely used password-cracking techniques to obtain the plaintext password. Once actors obtain valid credentials, they are able to masquerade as authorized users.

Stage 3: Delivery

When seeking to compromise the target network, threat actors used a spear-phishing email campaign that differed from previously reported TTPs. The spear-phishing email used a generic contract agreement theme, with the subject line “AGREEMENT & Confidential”, and which contained a generic PDF document, titled “’’document.pdf”. (Note the inclusion of two single apostrophes at the beginning of the attachment name.) The PDF itself was not malicious and did not contain any active code. The document prompted the user to click on a link should a download not automatically begin. (Note: No code within the PDF initiated a download.) The link directs users to a website via a shortened URL, which may prompt them to retrieve a malicious file.

In previous reporting, DHS and FBI identified the common themes used in these spear-phishing emails, all emails referred to control systems or process control systems. The threat actors continue to use these themes, specifically against intended target organizations. Email messages include references to common industrial control equipment and protocols. The emails leveraged malicious Microsoft Word attachments that appear to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel, as well as invitations and policy documents that entice the user to open the attachment. The list of file names has been published in the IOC.

Stage 4: Exploitation

Threat actors used distinct and unusual TTPs (i.e., successive redirects) in the phishing campaign directed at staging targets. Emails contained a stacked URL-shortening link that directed the user to http://bit[.]ly/2m0x8IH link, which redirected the user to http://tinyurl[.]com/h3sdqck link, which redirected the user to the ultimate destination of http://imageliners[.]com/nitel. The imageliner[.]com website contained an email address and password input fields mimicking a login page for a website.

When exploiting the intended targets, threat actors used malicious .docx files to capture user credentials, however, DHS did not observe the actors establishing persistence on the user’s system. The documents attempt to retrieve a file through a “file:\\” connection over SMB using Transmission Control Protocol (TCP) ports 445 or 139 and User Datagram Protocol (UDP) ports 137 or 138. This connection is made to a command and control (C2) server — either a server owned by the threat actors or that of a compromised system owned by a staging location victim. When a user is authenticated as a domain user, this will provide the C2 server with the hash of the victim. Local users will receive a graphical user interface (GUI) prompt to enter a username and password. This information will be provided to the C2 over TCP ports 445 or 139 and UDP ports 137 or 138. (Note: A file transfer is not necessary for a loss of credential information.) Symantec’s report associates this behavior to the Dragonfly threat actors in this campaign. [3]

Use of Watering Hole Domains

One of the threat actors’ primary uses for staging targets is to develop watering holes. The threat actors compromise the infrastructure of trusted organizations to reach intended targets. [4] Although these watering holes may host legitimate content by reputable organizations, the threat actors have altered them to contain and reference malicious content. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure.

Using a similar SMB collection technique, the actors manipulated these websites by altering JavaScript and PHP files that redirect to an IP address on port 445 for credential harvesting. The compromised sites include both custom developed web applications and template-based frameworks. The threat actors injected a line of code into header.php, a legitimate PHP file that carried out the redirected traffic.

There is no indication that threat actors used zero-day exploits to manipulate the sites; the threat actors more likely used legitimate credentials to access the website content directly.

Stage 5: Installation

The threat actors leveraged compromised credentials to access victims’ networks where multi-factor authentication is not used. [5] Once inside of an intended target’s network, the threat actors downloaded tools from a remote server. The initial versions of the file names contained .txt extensions and were renamed to the appropriate extension, typically .exe or .zip.

In one example, after gaining remote access to the network of an intended victim, the threat actor carried out the following actions:

The threat actor connected to 91.183.104[.]150 and downloaded multiple files, specifically the file INST.txt.
The files were renamed to new extensions, with INST.txt being renamed INST.exe.
The files were executed on the host and then immediately deleted.
The execution of INST.exe triggered a download of ntdll.exe, and shortly after, ntdll.exe appeared in the running process list of a compromised system of an intended target.

In their report on Dragonfly, Symantec associated the MD5 hash of INST.exe to Backdoor.Goodor. The MD5 hashes for the previously mentioned files can be found in the IOC list above.

Several of these files were scripts that were used for creating the initial account leveraged by the threat actors. The initial script symantec_help.jsp contained a one-line reference to a malicious script. It was located at C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\webapps\ROOT\.

Contents of symantec_help.jsp

____________________________________________________________________________________________________________________

<% Runtime.getRuntime().exec("cmd /C \"" + System.getProperty("user.dir") + "\\..\\webapps\\ROOT\\<REDACTED SCRIPT NAME>\""); %>

____________________________________________________________________________________________________________________

The malicious script created a user account, disabled the host-based firewall, and globally opened port 3389 for Remote Desktop Protocol (RDP) access. The script then attempted to add the newly created account to the administrators group for elevated privileges. This script contained hard-coded values for the group name “administrator” in Spanish, Italian, German, French, and English.

In addition, the threat actors also created a scheduled task “reset”, which was designed to automatically log out of their newly created account every eight hours.

Contents of Scheduled Task

____________________________________________________________________________________________________________________

<?xml version="1.0" encoding="UTF-16"?>

</RegistrationInfo>

</TimeTrigger>

</Triggers>

<RunLevel>LeastPrivilege</RunLevel>

<LogonType>InteractiveToken</LogonType>

</Principal>

</Principals>

<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>

<StartWhenAvailable>false</StartWhenAvailable>

<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>

<RestartOnIdle>false</RestartOnIdle>

</IdleSettings>

<Hidden>false</Hidden>

<RunOnlyIfIdle>false</RunOnlyIfIdle>

<WakeToRun>false</WakeToRun>

</Settings>

<Exec>

<Command>logoff</Command>

</Exec>

</Actions>

</Task>

____________________________________________________________________________________________________________________

After achieving access to staging targets, the threat actors installed tools to carry out their mission. On one occasion, threat actors installed the free version of Forticlient, which was presumably used as a VPN client for intended targets.

Consistent with the perceived goal of credential harvesting, the threat actor was observed dropping and executing open source and free tools such as Hydra, SecretsDump, and CrackMapExec. The naming convention and download locations suggest that these files were downloaded directly from publically available locations such as GitHub. Forensic analysis indicates that many of these tools were executed during the timeframe in which the threat actor was accessing the system. Of note, the threat actor installed Python 2.7 on a compromised host of one staging victim, and a Python script was seen at C:\Users\<Redacted Username>\Desktop\OWAExchange\. In the previous folder structure, a subfolder named “out” held multiple text files.

Persistence Through .LNK File Manipulation

The threat actors manipulated .lnk files to repeatedly gather user credentials. Default Windows functionality enables icons to be loaded from a local Windows repository. The threat actors exploited this built-in Windows functionality by setting the icon path to their remote controlled server. When the user browses to the directory, Windows attempts to load the icon and initiate an SMB authentication session. During this process, the active user’s credentials are passed through the attempted SMB connection. The threat actors used this tactic in both Virtual Desktop Infrastructure (VDI) and traditional environments.

Three of the observed .lnk files were SETROUTE.lnk, notepad.exe.lnk, and Document.lnk. These names appear to be contextual, and threat actors may use a variety of other file names within this tactic. Two of the remote servers observed in these .lnk files were 62.8.193[.]206 and 5.153.58[.]45.

Establishing Local Accounts

The threat actors created accounts on the staging target for ongoing operations. These accounts, masquerading as legitimate service accounts, appeared to be tailored to each individual staging target. Each account created by the threat actors served a specific purpose in their operation. DHS and FBI identified the creation of four local accounts on a compromised server. The server operated as both a domain controller and an email server for a staging target.

Account 1: The threat actors created a local account, which was named to mimic backup services of the staging target. This account was created by the aforementioned malicious script. The threat actors used this account to conduct open-source reconnaissance and remotely access intended targets. This account was also used to remove the Forticlient software.

Account 2: Account 1 was used to create Account 2 to impersonate an email administration account. The only observed action was to create Account 3.

Account 3: The threat actors created Account 3 in the staging victim’s Microsoft Exchange Server. A PowerShell script created this account during an RDP session while the threat actor was authenticated as Account 2. The naming conventions of the created Microsoft Exchange account followed that of the staging target (e.g., first initial concatenated with the last name).

Account 4: In the latter stage of the compromise, the threat actor used Account 1 to create Account 4, a local administrator account. Account 4 was then used to delete the following logs: system, security, terminal services, remote services, and audit. Registry analysis indicated that this activity was likely scripted.

Stage 6: Command and Control

The threat actors commonly use web shells to compromise publically available servers to gain a foothold into internal networks. This activity has been observed on both web and email servers. The threat actors then establish an encrypted connection over port 443 to the web shell. Once connected, the threat actors download additional malicious files from the threat actors’ servers to the publically available server. Two of the web shells (AutoDiscover.aspx and global.aspx) used by the actors are detailed in the accompanying IOC list. Despite having different file names, the MD5 hashes of the two web shells indicated that the two files were the same file. These web shells have been associated with the ciklon_z webshell.

DHS and FBI identified the threat actors leveraging remote access services and infrastructure, such as VPN, RDP, and Outlook Web Access (OWA). The threat actors used staging targets to connect to several intended targets, effectively turning the staging targets into command and control points. To date, it is presumed that the threat actors have targeted services that use single-factor authentication. DHS believes that the threat actors employ this methodology to avoid detection and attribution.

Targeting of ICS and SCADA Infrastructure

Upon gaining access to intended victims, the threat actors conducted reconnaissance operations within the network. Specifically, the threat actors focused on identifying and browsing file servers within the intended victim’s network. The threat actors viewed files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems. Based on DHS analysis of existing compromises, these files were originally named containing ICS vendor names and ICS reference documents pertaining to the organization (e.g., “SCADA WIRING DIAGRAM.pdf” or “SCADA PANEL LAYOUTS.xlsx”).

In one instance, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities. In this same incident, the threat actors created a malicious scheduled task that invoked “scr.exe” with the arguments “scr.jpg”. The MD5 hash of scr.exe matched the MD5 of ScreenUtil, a tool used by the threat actor, as reported in the Symantec Dragonfly 2.0 report.

Detection and Response

IOCs related to this campaign are provided within the accompanying .csv and .stix files of this alert. DHS and FBI recommend that network administrators review the IP addresses, domain names, file hashes, network signatures, and YARA rules provided and add the IPs to their watchlist to determine whether malicious activity has been observed within their organization. System owners are also advised to run the YARA tool on any system suspected to have been targeted by these APT actors.

Network Signatures and Host-Based Rules

This section contains network signatures and host-based rules that can be used to detect malicious activity associated with threat actors TTPs. Although these network signatures and host-based rules were created using a comprehensive vetting process, the possibility of false positives always remains.

Network Signatures

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP URI contains '/aspnet_client/system_web/4_0_30319/update/' (Beacon)"; sid:42000000; rev:1; flow:established,to_server; content:"/aspnet_client/system_web/4_0_30319/update/"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)

___________________________________

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP URI contains '/img/bson021.dat'"; sid:42000001; rev:1; flow:established,to_server; content:"/img/bson021.dat"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)

________________________________________

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP URI contains '/A56WY' (Callback)"; sid:42000002; rev:1; flow:established,to_server; content:"/A56WY"; http_uri; fast_pattern; classtype:bad-unknown; metadata:service http;)

_________________________________________

alert tcp any any -> any 445 (msg:"SMB Client Request contains 'AME_ICON.PNG' (SMB credential harvesting)"; sid:42000003; rev:1; flow:established,to_server; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|08 00 01 00|"; distance:3; content:"|00 5c 5c|"; distance:2; within:3; content:"|5c|AME_ICON.PNG"; distance:7; fast_pattern; classtype:bad-unknown; metadata:service netbios-ssn;)

________________________________________

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP URI OPTIONS contains '/ame_icon.png' (SMB credential harvesting)"; sid:42000004; rev:1; flow:established,to_server; content:"/ame_icon.png"; http_uri; fast_pattern:only; content:"OPTIONS"; nocase; http_method; classtype:bad-unknown; metadata:service http;)

_________________________________________

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Client Header contains 'User-Agent|3a 20|Go-http-client/1.1'"; sid:42000005; rev:1; flow:established,to_server; content:"User-Agent|3a 20|Go-http-client/1.1|0d 0a|Accept-Encoding|3a 20|gzip"; http_header; fast_pattern:only; pcre:"/\.(?:aspx|txt)\?[a-z0-9]{3}=[a-z0-9]{32}&/U"; classtype:bad-unknown; metadata:service http;)

__________________________________________

alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"SMB Server Traffic contains NTLM-Authenticated SMBv1 Session"; sid:42000006; rev:1; flow:established,to_client; content:"|ff 53 4d 42 72 00 00 00 00 80|"; fast_pattern:only; content:"|05 00|"; distance:23; classtype:bad-unknown; metadata:service netbios-ssn;)

YARA Rules

This is a consolidated rule set for malware associated with, consisting of rules written by US-CERT, as well as contributions by trusted partners.

*/

rule APT_malware_1

{

meta:

description = "inveigh pen testing tools & related artifacts"

author = "US-CERT Code Analysis Team"

date = "2017/07/17"

hash0 = "61C909D2F625223DB2FB858BBDF42A76"

hash1 = "A07AA521E7CAFB360294E56969EDA5D6"

hash2 = "BA756DD64C1147515BA2298B6A760260"

hash3 = "8943E71A8C73B5E343AA9D2E19002373"

hash4 = "04738CA02F59A5CD394998A99FCD9613"

hash5 = "038A97B4E2F37F34B255F0643E49FC9D"

hash6 = "65A1A73253F04354886F375B59550B46"

hash7 = "AA905A3508D9309A93AD5C0EC26EBC9B"

hash8 = "5DBEF7BDDAF50624E840CCBCE2816594"

hash9 = "722154A36F32BA10E98020A8AD758A7A"

hash10 = "4595DBE00A538DF127E0079294C87DA0"

strings:

$s0 = "file://"

$s1 = "/ame_icon.png"

$s2 = "184.154.150.66"

$s3 = { 87D081F60C67F5086A003315D49A4000F7D6E8EB12000081F7F01BDD21F7DE }

$s4 = { 33C42BCB333DC0AD400043C1C61A33C3F7DE33F042C705B5AC400026AF2102 }

$s5 = "(g.charCodeAt(c)^l[(l[b]+l[e])%256])"

$s6 = "for(b=0;256>b;b++)k[b]=b;for(b=0;256>b;b++)"

$s7 = "VXNESWJfSjY3grKEkEkRuZeSvkE="

$s8 = "NlZzSZk="

$s9 = "WlJTb1q5kaxqZaRnser3sw=="

$s10 = "for(b=0;256>b;b++)k[b]=b;for(b=0;256>b;b++)"

$s11 = "fromCharCode(d.charCodeAt(e)^k[(k[b]+k[h])%256])"

$s12 = "ps.exe -accepteula \\%ws% -u %user% -p %pass% -s cmd /c netstat"

$s13 = { 22546F6B656E733D312064656C696D733D5C5C222025254920494E20286C6973742E74787429 }

$s14 = { 68656C6C2E657865202D6E6F65786974202D657865637574696F6E706F6C69637920627970617373202D636F6D6D616E6420222E202E5C496E76656967682E70 }

$s15 = { 476F206275696C642049443A202266626433373937623163313465306531 }

//inveigh pentesting tools

$s16 = { 24696E76656967682E7374617475735F71756575652E4164642822507265737320616E79206B657920746F2073746F70207265616C2074696D65 }

//specific malicious word document PK archive

$s17 = { 2F73657474696E67732E786D6CB456616FDB3613FEFE02EF7F10F4798E64C54D06A14ED125F19A225E87C9FD0194485B }

$s18 = { 6C732F73657474696E67732E786D6C2E72656C7355540500010076A41275780B0001040000000004000000008D90B94E03311086EBF014D6F4D87B48214471D2 }

$s19 = { 8D90B94E03311086EBF014D6F4D87B48214471D210A41450A0E50146EBD943F8923D41C9DBE3A54A240ACA394A240ACA39 }

$s20 = { 8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B0B4 }

$s21 = { 8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B0B4 }

$s22 = "5.153.58.45"

$s23 = "62.8.193.206"

$s24 = "/1/ree_stat/p"

$s25 = "/icon.png"

$s26 = "/pshare1/icon"

$s27 = "/notepad.png"

$s28 = "/pic.png"

$s29 = "http://bit.ly/2m0x8IH"

condition:

($s0 and $s1 or $s2) or ($s3 or $s4) or ($s5 and $s6 or $s7 and $s8 and $s9) or ($s10 and $s11) or ($s12 and $s13) or ($s14) or ($s15) or ($s16) or ($s17) or ($s18) or ($s19) or ($s20) or ($s21) or ($s0 and $s22 or $s24) or ($s0 and $s22 or $s25) or ($s0 and $s23 or $s26) or ($s0 and $s22 or $s27) or ($s0 and $s23 or $s28) or ($s29)

}

rule APT_malware_2

{

meta:

description = "rule detects malware"

author = "other"

strings:

$api_hash = { 8A 08 84 C9 74 0D 80 C9 60 01 CB C1 E3 01 03 45 10 EB ED }

$http_push = "X-mode: push" nocase

$http_pop = "X-mode: pop" nocase

condition:

any of them

}

rule Query_XML_Code_MAL_DOC_PT_2

{

meta:

name= "Query_XML_Code_MAL_DOC_PT_2"

author = "other"

strings:

$zip_magic = { 50 4b 03 04 }

$dir1 = "word/_rels/settings.xml.rels"

$bytes = {8c 90 cd 4e eb 30 10 85 d7}

condition:

$zip_magic at 0 and $dir1 and $bytes

}

rule Query_Javascript_Decode_Function

{

meta:

name= "Query_Javascript_Decode_Function"

author = "other"

strings:

$decode1 = {72 65 70 6C 61 63 65 28 2F 5B 5E 41 2D 5A 61 2D 7A 30 2D 39 5C 2B 5C 2F 5C 3D 5D 2F 67 2C 22 22 29 3B}

$decode2 = {22 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 30 31 32 33 34 35 36 37 38 39 2B 2F 3D 22 2E 69 6E 64 65 78 4F 66 28 ?? 2E 63 68 61 72 41 74 28 ?? 2B 2B 29 29}

$decode3 = {3D ?? 3C 3C 32 7C ?? 3E 3E 34 2C ?? 3D 28 ?? 26 31 35 29 3C 3C 34 7C ?? 3E 3E 32 2C ?? 3D 28 ?? 26 33 29 3C 3C 36 7C ?? 2C ?? 2B 3D [1-2] 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 29 2C 36 34 21 3D ?? 26 26 28 ?? 2B 3D 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 29}

$decode4 = {73 75 62 73 74 72 69 6E 67 28 34 2C ?? 2E 6C 65 6E 67 74 68 29}

$func_call="a(\""

condition:

filesize < 20KB and #func_call > 20 and all of ($decode*)

}

rule Query_XML_Code_MAL_DOC

{

meta:

name= "Query_XML_Code_MAL_DOC"

author = "other"

strings:

$zip_magic = { 50 4b 03 04 }

$dir = "word/_rels/" ascii

$dir2 = "word/theme/theme1.xml" ascii

$style = "word/styles.xml" ascii

condition:

$zip_magic at 0 and $dir at 0x0145 and $dir2 at 0x02b7 and $style at 0x08fd

}

Impact

This APT actor’s campaign has affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.

Solution

DHS and FBI encourage network users and administrators to use the following detection and prevention guidelines to help defend against this activity.

Network and Host-based Signatures

DHS and FBI recommend that network administrators review the IP addresses, domain names, file hashes, and YARA and Snort signatures provided and add the IPs to their watch list to determine whether malicious activity is occurring within their organization. Reviewing network perimeter netflow will help determine whether a network has experienced suspicious activity. Network defenders and malware analysts should use the YARA and Snort signatures provided in the associated YARA and .txt file to identify malicious activity.

Detections and Prevention Measures

Users and administrators can detect spear phishing, watering hole, web shell, and remote access activity by comparing all IP addresses and domain names listed in the IOC packages to the following locations:
- network intrusion detection system/network intrusion protection system logs,
- web content logs,
- proxy server logs,
- domain name server resolution logs,
- packet capture (PCAP) repositories,
- firewall logs,
- workstation Internet browsing history logs,
- host-based intrusion detection system /host-based intrusion prevention system (HIPS) logs,
- data loss prevention logs,
- exchange server logs,
- user mailboxes,
- mail filter logs,
- mail content logs,
- AV mail logs,
- OWA logs,
- Blackberry Enterprise Server logs, and
- Mobile Device Management logs.
To detect the presence of web shells on external-facing servers, compare IP addresses, filenames, and file hashes listed in the IOC packages with the following locations:
- application logs,
- IIS/Apache logs,
- file system,
- intrusion detection system/ intrusion prevention system logs,
- PCAP repositories,
- firewall logs, and
- reverse proxy.
Detect spear-phishing by searching workstation file systems, as well as network-based user directories, for attachment filenames and hashes found in the IOC packages.
Detect persistence in VDI environments by searching file shares containing user profiles for all .lnk files.
Detect evasion techniques by the threat actors by identifying deleted logs. This can be done by reviewing last-seen entries and by searching for event 104 on Windows system logs.
Detect persistence by reviewing all administrator accounts on systems to identify unauthorized accounts, especially those created recently.
Detect the malicious use of legitimate credentials by reviewing the access times of remotely accessible systems for all users. Any unusual login times should be reviewed by the account owners.
Detect the malicious use of legitimate credentials by validating all remote desktop and VPN sessions of any user’s credentials suspected to be compromised.
Detect spear-phishing by searching OWA logs for all IP addresses listed in the IOC packages.
Detect spear-phishing through a network by validating all new email accounts created on mail servers, especially those with external user access.
Detect persistence on servers by searching system logs for all filenames listed in the IOC packages.
Detect lateral movement and privilege escalation by searching PowerShell logs for all filenames ending in “.ps1” contained in the IOC packages. (Note: requires PowerShell version 5, and PowerShell logging must be enabled prior to the activity.)
Detect persistence by reviewing all installed applications on critical systems for unauthorized applications, specifically note FortiClient VPN and Python 2.7.
Detect persistence by searching for the value of “REG_DWORD 100” at registry location “HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal”. Services\MaxInstanceCount” and the value of “REG_DWORD 1” at location “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername”.
Detect installation by searching all proxy logs for downloads from URIs without domain names.

General Best Practices Applicable to this Campaign:

Prevent external communication of all versions of SMB and related protocols at the network boundary by blocking TCP ports 139 and 445 with related UDP port 137. See the NCCIC/US-CERT publication on SMB Security Best Practicesfor more information.
Block the Web-based Distributed Authoring and Versioning (WebDAV) protocol on border gateway devices on the network.
Monitor VPN logs for abnormal activity (e.g., off-hour logins, unauthorized IP address logins, and multiple concurrent logins).
Deploy web and email filters on the network. Configure these devices to scan for known bad domain names, sources, and addresses; block these before receiving and downloading messages. This action will help to reduce the attack surface at the network’s first level of defense. Scan all emails, attachments, and downloads (both on the host and at the mail gateway) with a reputable anti-virus solution that includes cloud reputation services.
Segment any critical networks or control systems from business systems and networks according to industry best practices.
Ensure adequate logging and visibility on ingress and egress points.
Ensure the use of PowerShell version 5, with enhanced logging enabled. Older versions of PowerShell do not provide adequate logging of the PowerShell commands an attacker may have executed. Enable PowerShell module logging, script block logging, and transcription. Send the associated logs to a centralized log repository for monitoring and analysis. See the FireEye blog post Greater Visibility through PowerShell Loggingfor more information.
Implement the prevention, detection, and mitigation strategies outlined in the NCCIC/US-CERT Alert TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and Guidance.
Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis, and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.
Implement application directory whitelisting. System administrators may implement application or application directory whitelisting through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), SYSTEM32, and any ICS software folders. All other locations should be disallowed unless an exception is granted.
Block RDP connections originating from untrusted external addresses unless an exception exists; routinely review exceptions on a regular basis for validity.
Store system logs of mission critical systems for at least one year within a security information event management tool.
Ensure applications are configured to log the proper level of detail for an incident response investigation.
Consider implementing HIPS or other controls to prevent unauthorized code execution.
Establish least-privilege controls.
Reduce the number of Active Directory domain and enterprise administrator accounts.
Based on the suspected level of compromise, reset all user, administrator, and service account credentials across all local and domain systems.
Establish a password policy to require complex passwords for all users.
Ensure that accounts for network administration do not have external connectivity.
Ensure that network administrators use non-privileged accounts for email and Internet access.
Use two-factor authentication for all authentication, with special emphasis on any external-facing interfaces and high-risk environments (e.g., remote access, privileged access, and access to sensitive data).
Implement a process for logging and auditing activities conducted by privileged accounts.
Enable logging and alerting on privilege escalations and role changes.
Periodically conduct searches of publically available information to ensure no sensitive information has been disclosed. Review photographs and documents for sensitive data that may have inadvertently been included.
Assign sufficient personnel to review logs, including records of alerts.
Complete independent security (as opposed to compliance) risk review.
Create and participate in information sharing programs.
Create and maintain network and system documentation to aid in timely incident response. Documentation should include network diagrams, asset owners, type of asset, and an incident response plan.

Report Notice

DHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to DHS or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at NCCICcustomerservice@hq.dhs.govor 888-282-0870.

References

Revision History

October 20, 2017: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

TA17-181A: Petya Ransomware
Original release date: July 01, 2017 | Last revised: July 28, 2017

Systems Affected

Microsoft Windows operating systems

Overview

This Alert has been updated to reflect the National Cybersecurity and Communications Integration Center's (NCCIC) analysis of the "NotPetya" malware variant.
The scope of this Alert’s analysis is limited to the newest Petya malware variant that surfaced on June 27, 2017. This malware is referred to as “NotPetya” throughout this Alert.
On June 27, 2017, NCCIC [13] was notified of Petya malware events occurring in multiple countries and affecting multiple sectors. This variant of the Petya malware—referred to as NotPetya—encrypts files with extensions from a hard-coded list. Additionally, if the malware gains administrator rights, it encrypts the master boot record (MBR), making the infected Windows computers unusable. NotPetya differs from previous Petya malware primarily in its propagation methods.
The NCCIC Code Analysis Team produced a Malware Initial Findings Report (MIFR) to provide in-depth technical analysis of the malware. In coordination with public and private sector partners, NCCIC is also providing additional indicators of compromise (IOCs) in comma-separated-value (CSV) form for information sharing purposes.
Available Files:
Description

NotPetya leverages multiple propagation methods to spread within an infected network. According to malware analysis, NotPetya attempts the lateral movement techniques below:
- PsExec - a legitimate Windows administration tool
- WMI - Windows Management Instrumentation, a legitimate Windows component
- EternalBlue - the same Windows SMBv1 exploit used by WannaCry
- EternalRomance - another Windows SMBv1 exploit
Microsoft released a security update for the MS17-010 SMB vulnerability on March 14, 2017, which addressed the EternalBlue and EternalRomance lateral movement techniques.
Technical Details
NCCIC received a sample of the NotPetya malware variant and performed a detailed analysis. Based on the analysis, NotPetya encrypts the victim’s files with a dynamically generated, 128-bit key and creates a unique ID of the victim. However, there is no evidence of a relationship between the encryption key and the victim’s ID, which means it may not be possible for the attacker to decrypt the victim’s files even if the ransom is paid. It behaves more like destructive malware rather than ransomware.
NCCIC observed multiple methods used by NotPetya to propagate across a network. The first and—in most cases—most effective method, uses a modified version of the Mimikatz tool to steal the user’s Windows credentials. The cyber threat actor can then use the stolen credentials, along with the native Windows Management Instrumentation Command Line (WMIC) tool or the Microsoft SysInternals utility, psexec.exe, to access other systems on the network. Another method for propagation uses the EternalBlue exploit tool to target unpatched systems running a vulnerable version of SMBv1. In this case, the malware attempts to identify other hosts on the network by checking the compromised system’s IP physical address mapping table. Next, it scans for other systems that are vulnerable to the SMB exploit and installs the malicious payload. Refer to the malware report, MIFR-10130295, for more details on these methods.
The analyzed sample of NotPetya encrypts the compromised system’s files with a 128-bit Advanced Encryption Standard (AES) algorithm during runtime. The malware then writes a text file on the “C:\” drive that includes a static Bitcoin wallet location as well as unique personal installation key intended for the victim to use when making the ransom payment and the user’s Bitcoin wallet ID. NotPetya modifies the master boot record (MBR) to enable encryption of the master file table (MFT) and the original MBR, and then reboots the system. Based on the encryption methods used, it appears unlikely that the files could be restored, even if the attacker received the victim’s unique key and Bitcoin wallet ID.
The delivery mechanism of NotPetya during the June 27, 2017, event was determined to be the Ukrainian tax accounting software, M.E.Doc. The cyber threat actors used a backdoor to compromise M.E. Doc’s development environment as far back as April 14, 2017. This backdoor allowed the threat actor to run arbitrary commands, exfiltrate files, and download and execute arbitrary exploits on the affected system. Organizations should treat systems with M.E.Doc installed as suspicious, and should examine these systems for additional malicious activity. [12]

Impact

According to multiple reports, this NotPetya malware campaign has infected organizations in several sectors, including finance, transportation, energy, commercial facilities, and healthcare. While these victims are business entities, other Windows systems are also at risk, such as:
- those that do not have patches installed for the vulnerabilities in MS17‑010, CVE-2017-0144, and CVE-2017-0145, and
- those who operate on the shared network of affected organizations.
Negative consequences of malware infection include:
- temporary or permanent loss of sensitive or proprietary information,
- disruption to regular operations,
- financial losses incurred to restore systems and files, and
- potential harm to an organization’s reputation.
Solution

NCCIC recommends against paying ransoms; doing so enriches malicious actors while offering no guarantee that the encrypted files will be released. In this NotPetya incident, the email address for payment validation was shut down by the email provider, so payment is especially unlikely to lead to data recovery.[1] According to one NCCIC stakeholder, the sites listed below sites are used for payment in this activity. These sites are not included in the CSV package as IOCs.
hxxp://mischapuk6hyrn72[.]onion/
hxxp://petya3jxfp2f7g3i[.]onion/
hxxp://petya3sen7dyko2n[.]onion/
hxxp://mischa5xyix2mrhd[.]onion/MZ2MMJ
hxxp://mischapuk6hyrn72[.]onion/MZ2MMJ
hxxp://petya3jxfp2f7g3i[.]onion/MZ2MMJ
hxxp://petya3sen7dyko2n[.]onion/MZ2MMJ
Network Signatures
NCCIC recommends that organizations coordinate with their security vendors to ensure appropriate coverage for this threat. Given the overlap of functionality and the similarity of behaviors between WannaCry and NotPetya, many of the available rulesets can protect against both malware types when appropriately implemented. The following rulesets provided in publically available sources may help detect activity associated with these malware types:
- sid:2001569, “ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection”[2]
- sid:2012063, “ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID? Function Table Dereference (CVE-2009-3103)”[3]
- sid:2024297, “ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010”[4]
- sid:42944,"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"[11]
- sid:42340,"OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt"[11]
- sid:41984,"OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt"[11]
Recommended Steps for Prevention
Review US-CERT’s Alert on The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations [6], and consider implementing the following best practices:
- Ensure you have fully patched your systems, and confirm that you have applied Microsoft’s patch for the MS17-010 SMB vulnerability dated March 14, 2017.[5]
- Conduct regular backups of data and test your backups regularly as part of a comprehensive disaster recovery plan.
- Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
- Manage the use of privileged accounts. Implement the principle of least privilege. Do not assign administrative access to users unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
- Configure access controls, including file, directory, and network share permissions with the principle of least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
- Secure use of WMI by authorizing WMI users and setting permissions.
- Utilize host-based firewalls and block workstation-to-workstation communications to limit unnecessary lateral communications.
- Disable or limit remote WMI and file sharing.
- Block remote execution through PSEXEC.
- Segregate networks and functions.
- Harden network devices and secure access to infrastructure devices.
- Perform out-of-band network management.
- Validate integrity of hardware and software.
- Disable SMBv1 and block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139; this applies to all boundary devices.
Note: Disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. Weigh the benefits of mitigation against potential disruptions to users.
Recommended Steps for Remediation
- NCCIC strongly encourages organizations contact a local Federal Bureau of Investigation (FBI) field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
- Implement a security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup.
Report Notice
DHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to DHS or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at NCCICcustomerservice@hq.dhs.govor 888-282-0870. You can also report cyber crime incidents to the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx.

References
Revision History
- July 1, 2017: Initial version
- July 3, 2017: Updated to include MIFR-10130295_stix.xml file. Substituted TA-17-181B_IOCs.csv for TA-17-181A_IOCs.csv.
- July 7, 2017: Included further guidance from Microsoft in the Reference Section
- July 28, 2017: Revised multiple sections based on additional analysis provided
This product is provided subject to this Notification and this Privacy & Use policy.
TA17-164A: HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
Original release date: June 13, 2017 | Last revised: August 23, 2017

Systems Affected

Networked Systems

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Working with U.S. Government partners, DHS and FBI identified Internet Protocol (IP) addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s distributed denial-of-service (DDoS) botnet infrastructure. This alert contains indicators of compromise (IOCs), malware descriptions, network signatures, and host-based rules to help network defenders detect activity conducted by the North Korean government. The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information related to HIDDEN COBRA activity, go to https://www.us-cert.gov/hiddencobra.
If users or administrators detect the custom tools indicative of HIDDEN COBRA, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation. This alert identifies IP addresses linked to systems infected with DeltaCharlie malware and provides descriptions of the malware and associated malware signatures. DHS and FBI are distributing these IP addresses to enable network defense activities and reduce exposure to the DDoS command-and-control network. FBI has high confidence that HIDDEN COBRA actors are using the IP addresses for further network exploitation.
This alert includes technical indicators related to specific North Korean government cyber operations and provides suggested response actions to those indicators, recommended mitigation techniques, and information on reporting incidents to the U.S. Government.
For a downloadable copy of IOCs, see:
- IOCs (.csv)
- IOCs (.stix)
On August 23, 2017, DHS published a Malware Analysis Report (MAR-10132963) that examines malware functionality to provide detailed code analysis and insight into specific tactics, techniques, and procedures (TTPs) observed in the malware.
For a downloadable copy of the MAR, see:
- MAR (.pdf)
- MAR IOCs (.stix)
Description

Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group[1] and Guardians of Peace.[2] DHS and FBI assess that HIDDEN COBRA actors will continue to use cyber operations to advance their government’s military and strategic objectives. Cyber analysts are encouraged to review the information provided in this alert to detect signs of malicious network activity.
Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover,[3] Wild Positron/Duuzer,[4] and Hangman.[5] DHS has previously released Alert TA14-353A,[6] which contains additional details on the use of a server message block (SMB) worm tool employed by these actors. Further research is needed to understand the full breadth of this group’s cyber capabilities. In particular, DHS recommends that more research should be conducted on the North Korean cyber activity that has been reported by cybersecurity and threat research firms.
HIDDEN COBRA actors commonly target systems running older, unsupported versions of Microsoft operating systems. The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation. These actors have also used Adobe Flash player vulnerabilities to gain initial entry into users’ environments.
HIDDEN COBRA is known to use vulnerabilities affecting various applications. These vulnerabilities include:
- CVE-2015-6585: Hangul Word Processor Vulnerability
- CVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability
- CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
- CVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability
- CVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability
DHS recommends that organizations upgrade these applications to the latest version and patch level. If Adobe Flash or Microsoft Silverlight is no longer required, DHS recommends that those applications be removed from systems.
The IOCs provided with this alert include IP addresses determined to be part of the HIDDEN COBRA botnet infrastructure, identified as DeltaCharlie. The DeltaCharlie DDoS bot was originally reported by Novetta in their 2016 Operation Blockbuster Malware Report.[7] This malware has used the IP addresses identified in the accompanying .csv and .stix files as both source and destination IPs. In some instances, the malware may have been present on victims’ networks for a significant period.
Technical Details
DeltaCharlie is a DDoS tool used by HIDDEN COBRA actors, and is referenced and detailed in Novetta’s Operation Blockbuster Destructive Malware report. The information related to DeltaCharlie from the Operation Blockbuster Destructive Malware report should be viewed in conjunction with the IP addresses listed in the .csv and .stix files provided within this alert. DeltaCharlie is a DDoS tool capable of launching Domain Name System (DNS) attacks, Network Time Protocol (NTP) attacks, and Carrier Grade NAT (CGN) attacks. The malware operates on victims’ systems as a svchost-based service and is capable of downloading executables, changing its own configuration, updating its own binaries, terminating its own processes, and activating and terminating denial-of-service attacks. Further details on the malware can be found in Novetta’s report available at the following URL:
https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf
Detection and Response
HIDDEN COBRA IOCs related to DeltaCharlie are provided within the accompanying .csv and .stix files of this alert. DHS and FBI recommend that network administrators review the IP addresses, file hashes, network signatures, and YARA rules provided, and add the IPs to their watchlist to determine whether malicious activity has been observed within their organization.
When reviewing network perimeter logs for the IP addresses, organizations may find numerous instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find that some traffic corresponds to malicious activity and some to legitimate activity. System owners are also advised to run the YARA tool on any system they suspect to have been targeted by HIDDEN COBRA actors. Additionally, the appendices of this report provide network signatures to aid in the detection and mitigation of HIDDEN COBRA activity.
Network Signatures and Host-Based Rules
This section contains network signatures and host-based rules that can be used to detect malicious activity associated with HIDDEN COBRA actors. Although created using a comprehensive vetting process, the possibility of false positives always remains. These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to HIDDEN COBRA actors.
Network Signatures
alert tcp any any -> any any (msg:"DPRK_HIDDEN_COBRA_DDoS_HANDSHAKE_SUCCESS"; dsize:6; flow:established,to_server; content:"|18 17 e9 e9 e9 e9|"; fast_pattern:only; sid:1; rev:1;)
________________________________________________________________
alert tcp any any -> any any (msg:"DPRK_HIDDEN_COBRA_Botnet_C2_Host_Beacon"; flow:established,to_server; content:"|1b 17 e9 e9 e9 e9|"; depth:6; fast_pattern; sid:1; rev:1;)
________________________________________________________________
YARA Rules
{
meta:
description = “RSA Key”
strings:
$rsaKey = {7B 4E 1E A7 E9 3F 36 4C DE F4 F0 99 C4 D9 B7 94
A1 FF F2 97 D3 91 13 9D C0 12 02 E4 4C BB 6C 77
48 EE 6F 4B 9B 53 60 98 45 A5 28 65 8A 0B F8 39
73 D7 1A 44 13 B3 6A BB 61 44 AF 31 47 E7 87 C2
AE 7A A7 2C 3A D9 5C 2E 42 1A A6 78 FE 2C AD ED
39 3F FA D0 AD 3D D9 C5 3D 28 EF 3D 67 B1 E0 68
3F 58 A0 19 27 CC 27 C9 E8 D8 1E 7E EE 91 DD 13
B3 47 EF 57 1A CA FF 9A 60 E0 64 08 AA E2 92 D0}
condition:
any of them
}
________________________________________________________________
{
meta:
description = “DDoS Misspelled Strings”
strings:
$STR1 = "Wating" wide ascii
$STR2 = "Reamin" wide ascii
$STR3 = "laptos" wide ascii
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and 2 of them
}
________________________________________________________________
{
meta:
description = “DDoS Random URL Builder”
strings:
$randomUrlBuilder = { 83 EC 48 53 55 56 57 8B 3D ?? ?? ?? ?? 33 C0 C7 44 24 28 B4 6F 41 00 C7 44 24 2C B0 6F 41 00 C7 44 24 30 AC 6F 41 00 C7 44 24 34 A8 6F 41 00 C7 44 24 38 A4 6F 41 00 C7 44 24 3C A0 6F 41 00 C7 44 24 40 9C 6F 41 00 C7 44 24 44 94 6F 41 00 C7 44 24 48 8C 6F 41 00 C7 44 24 4C 88 6F 41 00 C7 44 24 50 80 6F 41 00 89 44 24 54 C7 44 24 10 7C 6F 41 00 C7 44 24 14 78 6F 41 00 C7 44 24 18 74 6F 41 00 C7 44 24 1C 70 6F 41 00 C7 44 24 20 6C 6F 41 00 89 44 24 24 FF D7 99 B9 0B 00 00 00 F7 F9 8B 74 94 28 BA 9C 6F 41 00 66 8B 06 66 3B 02 74 34 8B FE 83 C9 FF 33 C0 8B 54 24 60 F2 AE 8B 6C 24 5C A1 ?? ?? ?? ?? F7 D1 49 89 45 00 8B FE 33 C0 8D 5C 11 05 83 C9 FF 03 DD F2 AE F7 D1 49 8B FE 8B D1 EB 78 FF D7 99 B9 05 00 00 00 8B 6C 24 5C F7 F9 83 C9 FF 33 C0 8B 74 94 10 8B 54 24 60 8B FE F2 AE F7 D1 49 BF 60 6F 41 00 8B D9 83 C9 FF F2 AE F7 D1 8B C2 49 03 C3 8B FE 8D 5C 01 05 8B 0D ?? ?? ?? ?? 89 4D 00 83 C9 FF 33 C0 03 DD F2 AE F7 D1 49 8D 7C 2A 05 8B D1 C1 E9 02 F3 A5 8B CA 83 E1 03 F3 A4 BF 60 6F 41 00 83 C9 FF F2 AE F7 D1 49 BE 60 6F 41 00 8B D1 8B FE 83 C9 FF 33 C0 F2 AE F7 D1 49 8B FB 2B F9 8B CA 8B C1 C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7C 24 60 8D 75 04 57 56 E8 ?? ?? ?? ?? 83 C4 08 C6 04 3E 2E 8B C5 C6 03 00 5F 5E 5D 5B 83 C4 48 C3 }
condition:
$randomUrlBuilder
}
________________________________________________________________

Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
- temporary or permanent loss of sensitive or proprietary information,
- disruption to regular operations,
- financial losses incurred to restore systems and files, and
- potential harm to an organization’s reputation.
Solution

Mitigation Strategies
Network administrators are encouraged to apply the following recommendations, which can prevent as many as 85 percent of targeted cyber intrusions. The mitigation strategies provided may seem like common sense. However, many organizations fail to use these basic security measures, leaving their systems open to compromise:
1. Patch applications and operating systems – Most attackers target vulnerable applications and operating systems. Ensuring that applications and operating systems are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker. Use best practices when updating software and patches by only downloading updates from authenticated vendor sites.
2. Use application whitelisting – Whitelisting is one of the best security strategies because it allows only specified programs to run while blocking all others, including malicious software.
3. Restrict administrative privileges – Threat actors are increasingly focused on gaining control of legitimate credentials, especially credentials associated with highly privileged accounts. Reduce privileges to only those needed for a user’s duties. Separate administrators into privilege tiers with limited access to other tiers.
4. Segment networks and segregate them into security zones – Segment networks into logical enclaves and restrict host-to-host communications paths. This helps protect sensitive information and critical services, and limits damage from network perimeter breaches.
5. Validate input – Input validation is a method of sanitizing untrusted input provided by users of a web application. Implementing input validation can protect against the security flaws of web applications by significantly reducing the probability of successful exploitation. Types of attacks possibly averted include Structured Query Language (SQL) injection, cross-site scripting, and command injection.
6. Use stringent file reputation settings – Tune the file reputation systems of your anti-virus software to the most aggressive setting possible. Some anti-virus products can limit execution to only the highest reputation files, stopping a wide range of untrustworthy code from gaining control.
7. Understand firewalls – Firewalls provide security to make your network less susceptible to attack. They can be configured to block data and applications from certain locations (IP whitelisting), while allowing relevant and necessary data through.
Response to Unauthorized Network Access
Enforce your security incident response and business continuity plan. It may take time for your organization’s IT professionals to isolate and remove threats to your systems and restore normal operations. Meanwhile, you should take steps to maintain your organization’s essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.
Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, you are encouraged to contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), the FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).
Protect Against SQL Injection and Other Attacks on Web Services
To protect against code injections and other attacks, system operators should routinely evaluate known and published vulnerabilities, periodically perform software updates and technology refreshes, and audit external-facing systems for known web application vulnerabilities. They should also take the following steps to harden both web applications and the servers hosting them to reduce the risk of network intrusion via this vector.
- Use and configure available firewalls to block attacks.
- Take steps to secure Windows systems, such as installing and configuring Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and Microsoft AppLocker.
- Monitor and remove any unauthorized code present in any www directories.
- Disable, discontinue, or disallow the use of Internet Control Message Protocol (ICMP) and Simple Network Management Protocol (SNMP) as much as possible.
- Remove unnecessary HTTP verbs from web servers. Typical web servers and applications only require GET, POST, and HEAD.
- Where possible, minimize server fingerprinting by configuring web servers to avoid responding with banners identifying the server software and version number.
- Secure both the operating system and the application.
- Update and patch production servers regularly.
- Disable potentially harmful SQL-stored procedure calls.
- Sanitize and validate input to ensure that it is properly typed and does not contain escaped code.
- Consider using type-safe stored procedures and prepared statements.
- Audit transaction logs regularly for suspicious activity.
- Perform penetration testing on web services.
- Ensure error messages are generic and do not expose too much information.
Permissions, Privileges, and Access Controls
System operators should take the following steps to limit permissions, privileges, and access controls.
- Reduce privileges to only those needed for a user’s duties.
- Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
- Carefully consider the risks before granting administrative rights to users on their own machines.
- Scrub and verify all administrator accounts regularly.
- Configure Group Policy to restrict all users to only one login session, where possible.
- Enforce secure network authentication, where possible.
- Instruct administrators to use non-privileged accounts for standard functions such as web browsing or checking webmail.
- Segment networks into logical enclaves and restrict host-to-host communication paths. Containment provided by enclaving also makes incident cleanup significantly less costly.
- Configure firewalls to disallow Remote Desktop Protocol (RDP) traffic coming from outside of the network boundary, except for in specific configurations such as when tunneled through a secondary virtual private network (VPN) with lower privileges.
- Audit existing firewall rules and close all ports that are not explicitly needed for business. Specifically, carefully consider which ports should be connecting outbound versus inbound.
- Enforce a strict lockout policy for network users and closely monitor logs for failed login activity. Failed login activity can be indicative of failed intrusion activity.
- If remote access between zones is an unavoidable business need, log and monitor these connections closely.
- In environments with a high risk of interception or intrusion, organizations should consider supplementing password authentication with other forms of authentication such as challenge/response or multifactor authentication using biometric or physical tokens.
Logging Practices
System operators should follow these secure logging practices.
- Ensure event logging, including applications, events, login activities, and security attributes, is turned on or monitored for identification of security issues.
- Configure network logs to provide adequate information to assist in quickly developing an accurate determination of a security incident.
- Upgrade PowerShell to new versions with enhanced logging features and monitor the logs to detect usage of PowerShell commands, which are often malware-related.
- Secure logs in a centralized location and protect them from modification.
- Prepare an incident response plan that can be rapidly administered in case of a cyber intrusion.
References
Revision History
- June 13, 2017: Initial Release
- August 23, 2017: Updated YARA Rules and included MAR-10132963 (.pdf and .stix files)
This product is provided subject to this Notification and this Privacy & Use policy.

TA17-163A: CrashOverride Malware

Original release date: June 12, 2017 | Last revised: July 27, 2017

Systems Affected

Industrial Control Systems

Overview

The National Cybersecurity and Communications Integration Center (NCCIC) is aware of public reports from ESET and Dragos outlining a new, highly capable Industrial Controls Systems (ICS) attack platform that was reportedly used in 2016 against critical infrastructure in Ukraine. As reported by ESET and Dragos, the CrashOverride malware is an extensible platform that could be used to target critical infrastructure sectors. NCCIC is working with its partners to validate the ESET and Dragos analysis, and develop a better understanding of the risk this new malware poses to U.S. critical infrastructure.

Although this activity is still under investigation, NCCIC is sharing this report to provide organizations with detection and mitigation recommendations to help prevent future compromises within their critical infrastructure networks. NCCIC continues to work with interagency and international partners on this activity and will provide updates as information becomes available.

For a downloadable copy of indicators of compromise (IOCs), see:

IOCs (.csv)
IOCs (.stix)

To report activity related to this Alert, please contact NCCIC at NCCICCustomerService@hq.dhs.gov or 1-888-282-0870.

Risk Evaluation

NCCIC Cyber Incident Scoring System (NCISS) Rating Priority Level (Color)

Yellow (Medium)

A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

Details

There is no evidence to suggest this malware has affected U.S. critical infrastructure. However, the tactics, techniques, and procedures (TTPs) described as part of the CrashOverride malware could be modified to target U.S. critical information networks and systems.

Description

Technical Analysis

CrashOverride malware represents a scalable, capable platform. The modules and capabilities publically reported appear to focus on organizations using ICS protocols IEC101, IEC104, and IEC61850, which are more commonly used outside the United States in electric power control systems. The platform fundamentally abuses the functionality of a targeted ICS system’s legitimate control system to achieve its intended effect. While the known capabilities do not appear to be U.S.-focused, it is important to recognize that the general TTPs used in CrashOverride could be leveraged with modified technical implementations to affect U.S.-based critical infrastructure. With further modification, CrashOverride or similar malware could have implications beyond electric power so all critical infrastructure organizations should be evaluating their systems to susceptibilities in the TTPs outlined. The malware has several reported capabilities:

Issues valid commands directly to remote terminal units (RTUs) over ICS protocols. As reported by Dragos, one such command sequence toggles circuit breakers in a rapid open-close-open-close pattern. This could create conditions where individual utilities may island from infected parties, potentially resulting in a degradation of grid reliability.
Denies service to local serial COM ports on windows devices, therefore preventing legitimate communications with field equipment over serial from the affected device.
Scans and maps ICS environment using a variety of protocols, including Open Platform Communications (OPC). This significantly improves the payload’s probability of success.
Could exploit Siemens relay denial-of-service (DoS) vulnerability, leading to a shutdown of the relay. In this instance, the relay would need to be manually reset to restore functionality.
Includes a wiper module in the platform that renders windows systems inert, requiring a rebuild or backup restoration.

Detection

As CrashOverride is a second stage malware capability and has the ability to operate independent of initial C2, traditional methods of detection may not be sufficient to detect infections prior to the malware executing. As a result, organizations are encouraged to implement behavioral analysis techniques to attempt to identify precursor activity to CrashOverride. As additional information becomes available on stage one infection vectors and TTPs, this alert will be updated.

NCCIC is providing a compilation of IOCs (see links above) from a variety of sources to aid in the detection of this malware. The sources provided do not constitute an exhaustive list and the U.S. Government does not endorse or support any particular product or vendor’s information referenced in this report. However, NCCIC has included this data to ensure wide distribution of the most comprehensive information available and will provide updates as warranted.

Signatures

import “pe” import “hash”

rule dragos_crashoverride_exporting_dlls { meta: description = “CRASHOVERRIDE v1 Suspicious Export” author = “Dragos Inc” condition: pe.exports(“Crash”) & pe.characteristics }

rule dragos_crashoverride_suspcious { meta: description = “CRASHOVERRIDE v1 Wiper” author = “Dragos Inc” strings: $s0 = “SYS_BASCON.COM” fullword nocase wide $s1 = “.pcmp” fullword nocase wide $s2 = “.pcmi” fullword nocase wide $s3 = “.pcmt” fullword nocase wide $s4 = “.cin” fullword nocase wide condition: pe.exports(“Crash”) and any of ($s*) }

rule dragos_crashoverride_name_search { meta: description = “CRASHOVERRIDE v1 Suspicious Strings and Export” author = “Dragos Inc” strings: $s0 = “101.dll” fullword nocase wide $s1 = “Crash101.dll” fullword nocase wide $s2 = “104.dll” fullword nocase wide $s3 = “Crash104.dll” fullword nocase wide $s4 = “61850.dll” fullword nocase wide $s5 = “Crash61850.dll” fullword nocase wide $s6 = “OPCClientDemo.dll” fullword nocase wide $s7 = “OPC” fullword nocase wide $s8 = “CrashOPCClientDemo.dll” fullword nocase wide $s9 = “D2MultiCommService.exe” fullword nocase wide $s10 = “CrashD2MultiCommService.exe” fullword nocase wide $s11 = “61850.exe” fullword nocase wide $s12 = “OPC.exe” fullword nocase wide $s13 = “haslo.exe” fullword nocase wide $s14 = “haslo.dat” fullword nocase wide condition: any of ($s*) and pe.exports(“Crash”) }

rule dragos_crashoverride_hashes { meta: description = “CRASHOVERRIDE Malware Hashes” author = “Dragos Inc”

condition: filesize < 1MB and hash.sha1(0, filesize) == “f6c21f8189ced6ae150f9ef2e82a3a57843b587d” or hash.sha1(0, filesize) == “cccce62996d578b984984426a024d9b250237533” or hash.sha1(0, filesize) == “8e39eca1e48240c01ee570631ae8f0c9a9637187” or hash.sha1(0, filesize) == “2cb8230281b86fa944d3043ae906016c8b5984d9” or hash.sha1(0, filesize) == “79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a” or hash.sha1(0, filesize) == “94488f214b165512d2fc0438a581f5c9e3bd4d4c” or hash.sha1(0, filesize) == “5a5fafbc3fec8d36fd57b075ebf34119ba3bff04” or hash.sha1(0, filesize) == “b92149f046f00bb69de329b8457d32c24726ee00” or hash.sha1(0, filesize) == “b335163e6eb854df5e08e85026b2c3518891eda8” }

rule dragos_crashoverride_moduleStrings { meta: description = “IEC-104 Interaction Module Program Strings” author = “Dragos Inc” strings: $s1 = “IEC-104 client: ip=%s; port=%s; ASDU=%u” nocase wide ascii $s2 = “ MSTR ->> SLV” nocase wide ascii $s3 = “ MSTR <<- SLV” nocase wide ascii $s4 = “Unknown APDU format !!!” nocase wide ascii $s5 = “iec104.log” nocase wide ascii condition: any of ($s*) }

rule dragos_crashoverride_configReader { meta: description = “CRASHOVERRIDE v1 Config File Parsing” author = “Dragos Inc” strings: $s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 } $s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 } $s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? } $s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? } condition: all of them }

rule dragos_crashoverride_weirdMutex { meta: description = “Blank mutex creation assoicated with CRASHOVERRIDE” author = “Dragos Inc” strings: $s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 } $s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00} condition: all of them }

rule dragos_crashoverride_serviceStomper { meta: description = “Identify service hollowing and persistence setting” author = “Dragos Inc” strings: $s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? } $s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 } condition: all of them }

rule dragos_crashoverride_wiperModuleRegistry { meta: description = “Registry Wiper functionality assoicated with CRASHOVERRIDE” author = “Dragos Inc” strings: $s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 } $s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? } $s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 } condition: all of them }

rule dragos_crashoverride_wiperFileManipulation { meta: description = “File manipulation actions associated with CRASHOVERRIDE wip¬er” author = “Dragos Inc” strings: $s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 } $s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 } condition: all of them }

Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

temporary or permanent loss of sensitive or proprietary information,
disruption to regular operations,
financial losses incurred to restore systems and files, and
potential harm to an organization’s reputation.

Solution

Properly implemented defensive techniques and common cyber hygiene practices increase the complexity of barriers that adversaries must overcome to gain unauthorized access to critical information networks and systems. In addition, detection and prevention mechanisms can expose malicious network activity, enabling organizations to contain and respond to intrusions more rapidly. There is no set of defensive techniques or programs that will completely avert all attacks however, layered cybersecurity defenses will aid in reducing an organization’s attack surface and will increase the likelihood of detection. This layered mitigation approach is known as defense-in-depth.
NCCIC has based its mitigations and recommendations on its analysis of the public reporting of this malware and will be provide updates as more information becomes available.
Critical infrastructure companies should ensure that they are following best practices, which are outlined in the Seven Steps to Effectively Defend Industrial Control Systems document produced jointly by DHS, NSA, and FBI.

Application Whitelisting

Application whitelisting (AWL) can detect and prevent attempted execution of malware uploaded by adversaries. Application whitelisting hardens operating systems and prevents the execution of unauthorized software. The static nature of some systems, such as database servers and human-machine interface (HMI) computers make these ideal candidates to run AWL. NCCIC encourages operators to work with their vendors to baseline and calibrate AWL deployments.
Operators may choose to implement directory whitelisting rather than trying to list every possible permutation of applications in an environment. Operators may implement application or application directory whitelisting through Microsoft Software Restriction Policy (SRP), AppLocker, or similar application whitelisting software. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), SYSTEM32, and any ICS software folders. All other locations should be disallowed unless an exception is granted.

Manage Authentication and Authorization

This malware exploits the lack of authentication and authorization in common ICS protocols to issue unauthorized commands to field devices. Asset owners/operators should implement authentication and authorization protocols to ensure field devices verify the authenticity of commands before they are actioned. In some instances, legacy hardware may not be capable of implementing these protections. In these cases, asset owners can either leverage ICS firewalls to do stateful inspection and authentication of commands, or upgrade their control field devices.

Adversaries are increasingly focused on gaining control of legitimate credentials, especially those associated with highly privileged accounts. Compromising these credentials allows adversaries to masquerade as legitimate users, leaving less evidence of compromise than more traditional attack options (i.e., exploiting vulnerabilities or uploading malware). For this reason, operators should implement multi-factor authentication where possible and reduce privileges to only those needed for a user’s duties. If passwords are necessary, operators should implement secure password policies, stressing length over complexity. For all accounts, including system and non-interactive accounts, operators should ensure credentials are unique, and changed, at a minimum, every 90 days.

NCCIC also recommends that operators require separate credentials for corporate and control network zones and store them in separate trust stores. Operators should never share Active Directory, RSA ACE servers, or other trust stores between corporate and control networks. Specifically, operators should:

Decrease a threat actor’s ability to access key network resources by implementing the principle of least privilege;
Limit the ability of a local administrator account to login from a local interactive session (e.g., “Deny access to this computer from the network”) and prevent access via a remote desktop protocol session;
Remove unnecessary accounts, groups, and restrict root access;
Control and limit local administration; and
Make use of the Protected Users Active Directory group in Windows Domains to further secure privileged user accounts against pass-the-hash attacks.

Handling Destructive Malware

Destructive malware continues to be a threat to both critical infrastructure and business systems. NCCIC encourages organizations to review the ICS-CERT destructive malware white paper for detailed mitigation guidance. It is important for organizations to maintain backups of key data, systems, and configurations such as:

Server gold images,
ICS Workstation gold configurations,
Engineering workstation images,
PLC/RTU configurations,
Passwords and configuration information, and
Offline copies of install media for operating systems and control applications.

Ensure Proper Configuration/Patch Management

Adversaries often target unpatched systems. A configuration/patch management program centered on the safe importation and implementation of trusted patches will help render control systems more secure.

Such a program will start with an accurate baseline and asset inventory to track what patches are needed. The program will prioritize patching and configuration management of “PC-architecture” machines used in HMI, database server, and engineering workstation roles, as current adversaries have significant cyber capabilities against these systems. Infected laptops are a significant malware vector. Such a program will limit the connection of external laptops to the control network and ideally supply vendors with known-good company laptops. The program will also encourage initial installation of any updates onto a test system that includes malware detection features before the updates are installed on operational systems.

NCCIC recommends that operators:

Use best practices when downloading software and patches destined for their control network;
Take measures to avoid watering hole attacks;
Use a web Domain Name System (DNS) reputation system;
Obtain and apply updates from authenticated vendor sites;
Validate the authenticity of downloads;
Insist that vendors digitally sign updates, and/or publish hashes via an out-of-bound communications path, and only use this path to authenticate;
Never load updates from unverified sources; and
Reduce your attack surface area.

To the greatest extent possible, NCCIC recommends that operators:

Isolate ICS networks from any untrusted networks, especially the Internet;
Lock down all unused ports;
Turn off all unused services; and
Only allow real-time connectivity to external networks if there is a defined business requirement or control function.
- If one-way communication can accomplish a task, operators should use optical separation (“data diode”).
- If bidirectional communication is necessary, operators should use a single open port over a restricted network path.

Build a Defendable Environment

Building a defendable environment will help limit the impact from network perimeter breaches. NCCIC recommends operators segment networks into logical enclaves and restrict host-to-host communications paths. This can prevent adversaries from expanding their access, while allowing the normal system communications to continue operating. Enclaving limits possible damage, as threat actors cannot use compromised systems to reach and contaminate systems in other enclaves. Containment provided by enclaving also makes incident cleanup significantly less costly.

If one-way data transfer from a secure zone to a less secure zone is required, operators should consider using approved removable media instead of a network connection. If real-time data transfer is required, operators should consider using optical separation technologies. This allows replication of data without placing the control system at risk.

Additional details on effective strategies for building a defendable ICS network can be found in the ICS-CERT Defense-in-Depth Recommended Practice.

Implement Secure Remote Access

Some adversaries are effective at gaining remote access into control systems, finding obscure access vectors, even “hidden back doors” intentionally created by system operators. Operators should remove such accesses wherever possible, especially modems, as these are fundamentally insecure.
Operators should:

Limit any accesses that remain;
Where possible, implement “monitoring only” access enforced by data diodes, and not rely on “read only” access enforced by software configurations or permissions;
Not allow remote persistent vendor connections into the control network;
Require any remote access to be operator controlled, time limited, and procedurally similar to “lock out, tag out”;
Use the same remote access paths for vendor and employee connections; do not allow double standards; and
Use two-factor authentication if possible, avoiding schemes where both tokens are similar and can be easily stolen (e.g., password and soft certificate).

Monitor and Respond

Defending a network against modern threats requires actively monitoring for adversarial penetration and quickly executing a prepared response. Operators should:

Consider establishing monitoring programs in the following key places: at the Internet boundary; at the business to Control DMZ boundary; at the Control DMZ to control LAN boundary; and inside the Control LAN;
Watch IP traffic on ICS boundaries for abnormal or suspicious communications;
Monitor IP traffic within the control network for malicious connections or content;
Use host-based products to detect malicious software and attack attempts;
- Use login analysis (e.g., time and place) to detect stolen credential usage or improper access, verifying all anomalies with quick phone calls;
- Watch account and user administration actions to detect access control manipulation;
Have a response plan for when adversarial activity is detected; and
- Such a plan may include disconnecting all Internet connections, running a properly scoped search for malware, disabling affected user accounts, isolating suspect systems, and immediately resetting 100 percent of passwords.
- Such a plan may also define escalation triggers and actions, including incident response, investigation, and public affairs activities.
Have a restoration plan, including “gold disks” ready to restore systems to known good states.

References

Revision History

June 12, 2017: Initial Release
June 13, 2017: Updated IOCs (both STIX and CSV formats)
July 7, 2017: Updated IOCs (both STIX and CSV formats)
July 21, 2017: Corrected typographical error
July 24, 2017: Corrected links to downloadable IOC files

This product is provided subject to this Notification and this Privacy & Use policy.

TA17-156A: Reducing the Risk of SNMP Abuse
Original release date: June 05, 2017

Systems Affected

SNMP enabled devices

Overview

The Simple Network Management Protocol (SNMP) may be abused to gain unauthorized access to network devices. SNMP provides a standardized framework for a common language that is used for monitoring and managing devices in a network.
This Alert provides information on SNMP best practices, along with prevention and mitigation recommendations.

Description

SNMP depends on secure strings (or “community strings”) that grant access to portions of devices’ management planes. Abuse of SNMP could allow an unauthorized third party to gain access to a network device.
SNMPv3 should be the only version of SNMP employed because SNMPv3 has the ability to authenticate and encrypt payloads. When either SNMPv1 or SNMPv2 are employed, an adversary could sniff network traffic to determine the community string. This compromise could enable a man-in-the-middle or replay attack.
Although SNMPv1 and SNMPv2 have similar characteristics, 64-bit counters were added to SNMPv2 so it could support faster interfaces. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. All versions run over the User Datagram Protocol (UDP).
Simply using SNMPv3 is not enough to prevent abuse of the protocol. A safer approach is to combine SNMPv3 with management information base (MIB) whitelisting using SNMP views. This technique ensures that even with exposed credentials, information cannot be read from or written to the device unless the information is needed for monitoring or normal device re-configuration. The majority of devices that support SNMP contain a generic set of MIBs that are vendor agnostic. This approach allows the object identifier (OID) to be applied to devices regardless of manufacturer.

Impact

A remote attacker may abuse SNMP-enabled network devices to access an organization’s network infrastructure.

Solution

A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. US-CERT recommends that administrators:
- Configure SNMPv3 to use the highest level of security available on the device; this would be authPriv on most devices. authPriv includes authentication and encryption features, and employing both features enhances overall network security. Some older images may not contain the cryptographic feature set, in which case authNoPriv needs to be used. However, if the device does not support Version 3 authPriv, it should be upgraded.
- Ensure administrative credentials are properly configured with different passwords for authentication and encryption. In configuring accounts, follow the principle of least privilege. Role separation between polling/receiving traps (reading) and configuring users or groups (writing) is imperative because many SNMP managers require login credentials to be stored on disk in order to receive traps.
- Refer to your vendor’s guidance for implementing SNMP views. SNMP view is a command that can be used to limit the available OIDs. When OIDs are included in the view, all other MIB trees are inherently denied. The SNMP view command must be used in conjunction with a predefined list of MIB objects.
- Apply extended access control lists (ACLs) to block unauthorized computers from accessing the device. Access to devices with read and/or write SNMP permission should be strictly controlled. If monitoring and change management are done through separate software, then they should be on separate devices.
- Segregate SNMP traffic onto a separate management network. Management network traffic should be out-of-band; however, if device management must coincide with standard network activity, all communication occurring over that network should use some encryption capability. If the network device has a dedicated management port, it should be the sole link for services like SNMP, Secure Shell (SSH), etc.
- Keep system images and software up-to-date.
References
- The Interfaces Group MIB using SMIv2
Revision History
- June 5, 2017: Initial Release
This product is provided subject to this Notification and this Privacy & Use policy.

TA17-132A: Indicators Associated With WannaCry Ransomware

Original release date: May 12, 2017 | Last revised: May 19, 2017

Systems Affected

Microsoft Windows operating systems

Overview

According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in over 150 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages.

The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.

This Alert is the result of efforts between the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) to highlight known cyber threats. DHS and the FBI continue to pursue related information of threats to federal, state, and local government systems and as such, further releases of technical information may be forthcoming.

Description

Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 operating systems on May 13, 2017.

According to open sources, one possible infection vector may be through phishing.

Technical Details

Indicators of Compromise (IOC)

See TA17-132A_WannaCry.xlsx and TA17-132A_WannaCry_stix.xml for IOCs developed immediately after WannaCry ransomware appeared. These links contain identical content in two different formats.

See TA17-132A_stix.xml for IOCs developed after further analysis of the WannaCry malware.

Analysis

Three files were submitted to US-CERT for analysis. All files are confirmed as components of a ransomware campaign identified as "WannaCry", a.k.a "WannaCrypt" or ".wnCry". The first file is a dropper, which contains and runs the ransomware, propagating via the MS17-010/EternalBlue SMBv1.0 exploit. The remaining two files are ransomware components containing encrypted plug-ins responsible for encrypting the victim users files. For a list of IOCs found during analysis, see the STIX file.

Displayed below are YARA signatures that can be used to detect the ransomware:

Yara Signatures

rule Wanna_Cry_Ransomware_Generic {

meta:

description = "Detects WannaCry Ransomware on Disk and in Virtual Page"

author = "US-CERT Code Analysis Team"

reference = "not set"

date = "2017/05/12"

hash0 = "4DA1F312A214C07143ABEEAFB695D904"

strings:

$s0 = {410044004D0049004E0024}

$s1 = "WannaDecryptor"

$s2 = "WANNACRY"

$s3 = "Microsoft Enhanced RSA and AES Cryptographic"

$s4 = "PKS"

$s5 = "StartTask"

$s6 = "wcry@123"

$s7 = {2F6600002F72}

$s8 = "unzip 0.15 Copyrigh"

$s9 = "Global\\WINDOWS_TASKOSHT_MUTEX"

$s10 = "Global\\WINDOWS_TASKCST_MUTEX"

$s11 = {7461736B736368652E657865000000005461736B5374617274000000742E776E7279000069636163}

$s12 = {6C73202E202F6772616E742045766572796F6E653A46202F54202F43202F5100617474726962202B68}

$s13 = "WNcry@2ol7"

$s14 = "wcry@123"

$s15 = "Global\\MsWinZonesCacheCounterMutexA"

condition:

$s0 and $s1 and $s2 and $s3 or $s4 and $s5 and $s6 and $s7 or $s8 and $s9 and $s10 or $s11 and $s12 or $s13 or $s14 or $s15

}

/*The following Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.*/

rule MS17_010_WanaCry_worm {

meta:

description = "Worm exploiting MS17-010 and dropping WannaCry Ransomware"

author = "Felipe Molina (@felmoltor)"

reference = "https://www.exploit-db.com/exploits/41987/"

date = "2017/05/12"

strings:

$ms17010_str1="PC NETWORK PROGRAM 1.0"

$ms17010_str2="LANMAN1.0"

$ms17010_str3="Windows for Workgroups 3.1a"

$ms17010_str4="__TREEID__PLACEHOLDER__"

$ms17010_str5="__USERID__PLACEHOLDER__"

$wannacry_payload_substr1 = "h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j"

$wannacry_payload_substr2 = "h54WfF9cGigWFEx92bzmOd0UOaZlM"

$wannacry_payload_substr3 = "tpGFEoLOU6+5I78Toh/nHs/RAP"

condition:

all of them

}

Dropper

This artifact (5bef35496fcbdbe841c82f4d1ab8b7c2) is a malicious PE32 executable that has been identified as a WannaCry ransomware dropper. Upon execution, the dropper attempts to connect to the following hard-coded URI:

http[:]//www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

Displayed below is a sample request observed:

--Begin request—

GET / HTTP/1.1 Host: www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache

--End request--

If a connection is established, the dropper will terminate execution. If the connection fails, the dropper will infect the system with ransomware.
When executed, the malware is designed to run as a service with the parameters “-m security”. During runtime, the malware determines the
number of arguments passed during execution. If the arguments passed are less than two, the dropper proceeds to install itself as the
following service:

--Begin service--

ServiceName = "mssecsvc2.0" DisplayName = "Microsoft Security Center (2.0) Service" StartType = SERVICE_AUTO_START BinaryPathName = "%current directory%5bef35496fcbdbe841c82f4d1ab8b7c2.exe -m security"

--End service--

Once the malware starts as a service named mssecsvc2.0, the dropper attempts to create and scan a list of IP ranges on the local network
and attempts to connect using UDP ports 137, 138 and TCP ports 139, 445. If a connection to port 445 is successful, it creates an additional
thread to propagate by exploiting the SMBv1 vulnerability documented by Microsoft Security bulliten MS17-010. The malware then extracts &
installs a PE32 binary from it's resource section named "R". This binary has been identified as the ransomware component of WannaCrypt.
The dropper installs this binary into "C:\WINDOWS\tasksche.exe." The dropper executes tasksche.exe with the following command:

--Begin command--

"C:\WINDOWS\tasksche.exe /i"

--End command—

Note:
=====
When this sample was initially discovered, the domain "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com" was not registered, allowing the
malware to run and propagate freely. However within a few days, researchers learned that by registering the domain and allowing the
malware to connect, it's ability to spread was greatly reduced. At this time, all traffic to "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" is
re-directed to a monitored, non-malicious server, causing the malware to terminate if it is allowed to connect. For this reason, we recommend
that administrators and network security personnel not block traffic to this domain.

Impact

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including

temporary or permanent loss of sensitive or proprietary information,
disruption to regular operations,
financial losses incurred to restore systems and files, and
potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Recommended Steps for Prevention

Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate in-bound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
Scan all incoming and outgoing emails to detect threats and filter executable files from reaching the end users.
Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
Disable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications.
Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
Run regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical.
Test your backups to ensure they work correctly upon use.

Recommendations for Network Protection

Apply the patch (MS17-010). If the patch cannot be applied, consider:

Disabling SMBv1 and
blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

Note: disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users.

Review US-CERT’s Alert on The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations and consider implementing the following best practices:

Segregate networks and functions.
Limit unnecessary lateral communications.
Harden network devices.
Secure access to infrastructure devices.
Perform out-of-band network management.
Validate integrity of hardware and software.

Recommended Steps for Remediation

Contact law enforcement. We strongly encourage you to contact a local FBI field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
Implement your security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup.

Defending Against Ransomware Generally

Precautionary measures to mitigate ransomware threats include:

Ensure anti-virus software is up-to-date.
Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
Scrutinize links contained in emails, and do not open attachments included in unsolicited emails.
Only download software—especially free software—from sites you know and trust.
Enable automated patches for your operating system and Web browser.

Report Notice

DHS and FBI encourages recipients who identify the use of tool(s) or techniques discussed in this document to report information to DHS or law enforcement immediately. We encourage you to contact DHS’s National Cybersecurity and Communications Integration Center (NCCIC) (NCCICcustomerservice@hq.dhs.gov or 888-282-0870), or the FBI through a local field office or the FBI’s Cyber Division (CyWatch@ic.fbi.govor 855-292-3937) to report an intrusion and to request incident response resources or technical assistance.

References

Revision History

May 12, 2017: Initial post
May 14, 2017: Corrected Syntax in the second Yara Rule
May 14, 2017: Added Microsoft link to patches for Windows XP, Windows 8, and Windows Server 2003
May 14, 2017: Corrected Syntax in the first Yara Rule
May 16, 2017: Provided further analysis and new IOCs in STIX format
May 18, 2017: Provided initial IOCs in a STIX format

This product is provided subject to this Notification and this Privacy & Use policy.

TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors

Original release date: April 27, 2017 | Last revised: May 14, 2017

Systems Affected

Networked Systems

Overview

The National Cybersecurity and Communications Integration Center (NCCIC) has become aware of an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants. Initial victims have been identified in several sectors, including Information Technology, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.

According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems. Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments. Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.

Although this activity is still under investigation, NCCIC is sharing this information to provide organizations information for the detection of potential compromises within their organizations.

NCCIC will update this document as information becomes available.

For a downloadable copy of this report and listings of IOCs, see:

To report activity related to this Incident Report Alert, please contact NCCIC at NCCICCustomerService@hq.dhs.gov or 1-888-282-0870.

Description

Risk Evaluation

NCCIC Cyber Incident Scoring System (NCISS) Rating Priority Level (Color)

Yellow (Medium)

A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

Details

While NCCIC continues to work with a variety of victims across different sectors, the adversaries in this campaign continue to affect several IT service providers. To achieve operational efficiencies and effectiveness, many IT service providers often leverage common core infrastructure that should be logically isolated to support multiple clients.

Intrusions into these providers create opportunities for the adversary to leverage stolen credentials to access customer environments within the provider network.

Figure 1: Structure of a traditional business network and an IT service provider network

Technical Analysis

The threat actors in this campaign have been observed employing a variety of tactics, techniques, and procedures (TTPs). The actors use malware implants to acquire legitimate credentials then leverage those credentials to pivot throughout the local environment. NCCIC is aware of several compromises involving the exploitation of system administrators’ credentials to access trusted domains as well as the malicious use of certificates. Additionally, the adversary makes heavy use of PowerShell and the open source PowerSploit tool to enable assessment, reconnaissance, and lateral movement.

Command and Control (C2) primarily occurs using RC4 cipher communications over port 443 to domains that change IP addresses. Many of these domains spoof legitimate sites and content, with a particular focus on spoofing Windows update sites. Most of the known domains leverage dynamic DNS services, and this pattern adds to the complexity of tracking this activity. Listings of observed domains are found in this document’s associated STIX package and .xlsx file. The indicators should be used to observe potential malicious activity on your network.

User impersonation via compromised credentials is the primary mechanism used by the adversary. However, a secondary technique to maintain persistence and provide additional access into the victim network is the use of malware implants left behind on key relay and staging machines. In some instances, the malware has only been found within memory with no on-disk evidence available for examination. To date, the actors have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures. The observed malware includes PLUGX/SOGU and REDLEAVES. Although the observed malware is based on existing malware code, the actors have modified it to improve effectiveness and avoid detection by existing signatures.

Both REDLEAVES and PLUGX have been observed being executed on systems via dynamic-link library (DLL) side-loading. The DLL side-loading technique utilized by these malware families typically involves three files: a non-malicious executable, a malicious DLL loader, and an encoded payload file. The malicious DLL is named as one of the DLLs that the executable would normally load and is responsible for decoding and executing the payload into memory.

REDLEAVES Malware

The most unique implant observed in this campaign is the REDLEAVES malware. The REDLEAVES implant consists of three parts: an executable, a loader, and the implant shellcode. The REDLEAVES implant is a remote administration Trojan (RAT) that is built in Visual C++ and makes heavy use of thread generation during its execution. The implant contains a number of functions typical of RATs, including system enumeration and creating a remote shell back to the C2.

Capabilities

System Enumeration. The implant is capable of enumerating the following information about the victim system and passing it back to the C2:

system name,
system architecture (x86 or x64),
operating system major and minor versions,
amount of available memory,
processor specifications,
language of the user,
privileges of the current process,
group permissions of the current user,
system uptime,
IP address, and
primary drive storage utilization.

Command Execution. The implant can execute a command directly inside a command shell using native Windows functionality by passing the command to run to cmd.exe with the “/c” option (“cmd.exe /c <command>”).

Command Window Generation. The implant can also execute commands via a remote shell that is generated and passed through a named pipe. A command window is piped back to the C2 over the network as a remote shell or alternatively to another process or thread that can communicate with that pipe. The implant uses the mutexRedLeavesCMDSimulatorMutex.

File System Enumeration. The implant has the ability to enumerate data within a specified directory, where it gathers filenames, last file write times, and file sizes.

Network Traffic Compression and Encryption. The implant uses a form of LZO compression to compress data that is sent to its C2. After compression, the data for this implant sample is then RC4-ciphered with the key 0x6A6F686E3132333400 (this corresponds to the string “john1234” with the null byte appended).

Network Communications REDLEAVES connects to the C2 over TCP port 443, but does not use the secure flag when calling the API function InternetOpenUrlW. The data is not encrypted and there is no SSL handshake as would normally occur with port 443 traffic, but rather the data is transmitted in the form that is generated by the RC4 cipher.

Current REDLEAVES samples that have been examined have a hard-coded C2. Inside the implant’s configuration block in memory were the strings in Table 1.

Table 1: REDLEAVES Sample Strings Found in C2

QN4869MD – mutex used to determine if the implant is already running (Varies from sample to sample)

2016-5-1-INCO –Unknown

%windir.\system32\svchost.exe - process that the implant was injected into

john1234 (with the null byte afterward) – RC4 Key

While the name of the initial mutex, QN4869MD in this sample, varies among REDLEAVES samples, the RedLeavesCMDSimulatorMutex mutex name appears to be consistent. Table 2 contains a sample of the implant communications to the domain windowsupdates.dnset[.]com over TCP port 443.

Table 2: REDLEAVES Sample Beacon

--- BEGIN SAMPLE BEACON ---

00000000 c1 0c 00 00 7a 8d 9b dc 88 00 00 00....z.......

0000000C 14 6f 68 6e 16 6f 68 6e c4 a4 b1 d1 c4 e6 24 eb .ohn.ohn......$.

0000001C cf 49 81 a7 a1 c7 96 ff 6d 31 b4 48 8b 3e a3 c1 .I...... m1.H.>..

0000002C 92 e2 c3 7c e4 4c cf e9 e1 fa fb 6a fa 66 2c bf...|.L.....j.f,.

0000004C 7b 13 a7 30 17 3d eb fb d3 16 0e 96 83 21 2e 73 {..0.=.......!.s

0000005C dc 44 a2 72 fb f4 5e d0 4d b7 85 be 33 cd 13 21 .D.r..^. M...3..!

0000006C 3f e2 63 da da 5b 5e 52 9a 9c 20 36 69 cb cd 79 ?.c..[^R .. 6i..y

0000007C 13 79 7a d4 ed 63 b7 41 5d 38 b4 c2 84 74 98 cd .yz..c.A ]8...t..

0000008C f8 32 49 ef 2d e7 f2 ed .2I.-...

0000003C 5e 4b 72 6a f9 47 86 cd f1 cd 6d b5 24 79 3c 59 ^Krj.G.. ..m.$y

--- END SAMPLE BEACON ---

REDLEAVES network traffic has two 12-byte fixed-length headers in front of each RC4-encrypted compressed payload. The first header comes in its own packet, with the second header and the payload following in a separate packet within the same TCP stream. The last four bytes of the first header contain the number of the remaining bytes in little-endian format (0x88 in the sample beacon above).

The second header, starting at position 0x0C, is XOR’d with the first four bytes of the key that is used to encrypt the payload. In the case of this sample, those first four bytes would be “john” (or 0x6a6f686e using the ASCII hex codes). After the XOR operation, the bytes in positions 0x0C through 0x0F contain the length of the decrypted and decompressed payload. The bytes in positions 0x10 through 0x13 contain the length of the encrypted and compressed payload.

To demonstrate, in the sample beacon, the second header follows:

0000000C 14 6f 68 6e 16 6f 68 6e c4 a4 b1 d1

The length of the decrypted and decompressed payload is 0x7e000000 in little-endian format (0x146f686e XOR 0x6a6f686e). The length of the encrypted and compressed payload is 0x7c000000 in little-endian (0x166f686e XOR 0x6a6f686e). This is verified by referring back to the sample beacon which had the number of remaining bytes set to 0x88 and subtracting the length of the second header (0x88 – 0xC = 0x7c).

Strings

Note: Use caution when searching based on strings, as common strings may cause a large number of false positives.

Table 3: Strings Appearing in the Analyzed Sample of REDLEAVES

[ Unique Ascii strings ] --------------------

red_autumnal_leaves_dllmain.dll

windowsupdates.dnset.com windowsupdates.dnset.com

windowsupdates.dnset.com

2016-5-10-INCO

john1234

Feb 04 2015

127.0.0.1 169.254

tcp

https

http

[ Unique Unicode strings ] ------------------

RedLeavesCMDSimulatorMutex

QN4869MD

\\\\.\\pipe\\NamePipe_MoreWindows

network.proxy.type

network.proxy.http_port

network.proxy.http network.proxy.autoconfig_url

network.proxy.

a([a-zA-Z0-9])

b([ \\t])

c([a-zA-Z])

d([0-9])

h([0-9a-fA-F])

n(\r|(\r?\n)) q(\"[^\"]*\")|('[^']*')

w([a-zA-Z]+)

z([0-9]+)

Malware Execution Analysis

File Name: VeetlePlayer.exe

MD5: 9d0da088d2bb135611b5450554c99672

File Size: 25704 bytes (25.1 KB)

Description: This is the executable that calls the exports located within libvlc.dll

File Name: libvlc.dll

MD5: 9A8C76271210324D97A232974CA0A6A3

File Size: 33792 bytes (33.0 KB)

Description: This is the loader and decoder for mtcReport.ktc, the combined shellcode and implant file.

File Name: mtcReport.ktc

MD5: 3045E77E1E9CF9D9657AEA71AB5E8947

File Size: 231076 bytes (225.7 KB)

Description: This is the encoded shellcode and implant file. When this file is decoded, the shellcode precedes the actual implant, which resides at offset 0x1292 from the beginning of the shellcode in memory. The implant has the MZ and PE flags replaced with the value 0xFF.

All three of these files must be present for execution of the malware to succeed.

When all files are present and the VeetlePlayer.exe file is executed, it will make calls to the following DLL exports within the libvlc.dll file:

VLC_Version checks to see if its calling file is named “VeetlePlayer.exe”. If the calling file is named something else, execution will terminate and no shellcode will be loaded.
VLC_Create reads in the contents of the file mtcReport.ktc.
VLC_Init takes in the offset in which the encoded shellcode/implant file is located and deobfuscates it. After deobfuscation, this export executes the shellcode.
VLC_Destroy does nothing other than perform a return 0.
VLC_AddIntf and VLC_CleanUp simply call the export VLC_Destroy, which returns 0.

When the libvlc.dll decodes the shellcode/implant, it calls the shellcode at the beginning of the data blob in memory. The shellcode then activates a new instance of svchost.exe and suspends it. It then makes a call to WriteProcessMemory() and inserts the implant with the damaged MZ and PE headers into its memory space. It then resumes execution of svchost.exe, which runs the implant.

The resulting decoded shellcode with the implant file below it can have a variable MD5 based on how it is dumped from memory. The MD5 checksums of two instances of decoded shellcode are:

ba4b4087370780dc988d55cbb9de885d
3d032ba5f73cbc398f1a77af92077cd8

Table 4 contains the implant resulting from the original implant’s separation from the shellcode and the repair of its MZ and PE flags.

Table 4: Resulting Implant from Shellcode Separation

File Name: red_autumnal_leaves_dllmain.dll

MD5: 3EBBFEEE3A832C92BB60B531F749230E

File Size: 226304 bytes (221.0 KB)

PE Compile Date: 10 May 2016

During execution, the file will create two mutexes called RedLeavesCMDSimulatorMutex and QN4869MD. It checks the QN4869MD mutex to see if it is already running. It will then perform initial enumeration of the system to include operating system versions, number of processors, RAM, and CPU information.

PLUGX

PLUGX is a sophisticated Remote Access Tool (RAT) operating since approximately 2012. Although there are now many variants of this RAT in existence today, there are still characteristics common to most variants.

Typically, PLUGX uses three components to install itself.

A non-malicious executable
A malicious DLL/installer
An encoded payload – the PLUGX RAT.

A non-malicious executable with one or more imports is used to start the installation process. The executable will likely exist in a directory not normally associated with its use. In some cases, the actor may use an executable signed with a valid certificate, and rename the DLL and encoded payload with file names that suggest they are related to the trusted file. Importantly, the actor seems to vary the encoding scheme used to protect the encoded payload to stifle techniques used by AV vendors to develop patterns to detect it. The payload is either encoded with a single byte or encrypted and decompressed. Recently, NCCIC has observed a case where the encoded payload contains a decoding stub within itself, beginning at byte zero. The malware simply reads this payload and executes it starting at byte zero. The stub then decodes and executes the rest of itself in memory. Notably, this stub varies in its structure and algorithm, again stifling detection by signature based security software. The PLUGX malware is never stored on disk in an unencrypted or decoded format.

When the initial executable is launched, the imported library, usually a separate DLL, is replaced with a malicious version that in turn decodes and installs the third and final component, which is the PLUGX rat itself. Typically, the PLUGX component is obfuscated and contains no visible executable code until it is unpacked in memory, protecting it from AV/YARA scans while static. During the evolution of these PLUGX compromises, NCCIC noted an increasing implementation of protections of the actual decoded PLUGX in memory. For example, the most recent version we looked at implements a secure strings method, which hides the majority of the common commands used by PLUGX. This is an additional feature designed to thwart signature based security tools.

Once the PLUGX RAT is installed on the victim, the actors has complete C2 capabilities of the victim system, including the ability to take screenshots and download files from the compromised system. The communications between the RAT (installed on the victim system) and the PLUGX C2 server are encoded to secure the communication and stifle detection by signature based network signature tools.

The advanced capabilities of PLUGX are implemented via a plugin framework. Each plugin operates independently in its own unique thread within the service. The modules may vary based on variants. Table 5 lists the modules and capabilities contained within one sample recently analyzed by NCCIC.

Table 5: Modules and Capabilities of PLUGX

Module Name	Capability
Disk	wide range of system-related capabilities including file / directory / drive enumeration, file / directory creation, create process, and obtain environment variables
Keylog	logs keystrokes and saves data to log file
Nethood	enumerates the host's network resources via the Windows multiple provider router DLL
Netstat	set the state of a TCP connection or obtain the extended TCP or UDP tables (lists of network endpoints available to a process) of each active process on the host
Option	provides the ability to initiate a system shutdown, adjust shutdown-related privileges for a given process, and lock the user's workstation
Portmap	port mapping
Process	process enumeration, termination, and capability to obtain more in-depth information pertaining to each process (e.g. CompanyName, FileDescription, FileVersion of each module loaded by the process)
Regedit	create, read, update & delete registry entries
Screen	capability to capture screenshots of the system
Service	start, stop, remove, configure & query services
Shell	remote shell access
SQL	enumerate SQL databases and available drivers; execute SQL queries
Telnet	provides a telnet interface

The PLUGX operator may dynamically add, remove, or update PLUGX plugins during runtime. This provides the ability to dynamically adjust C2 capabilities based on the requirements of the C2 operator.

Network activity is often seen as POST requests similar to that shown in table 6. Network defenders can look to detect non-SSL HTTP traffic on port 443, which can be indicative of malware traffic. The PLUGX malware is also seen using TCP ports 80, 8080, and 53.

Table 6: Sample PLUGX Beacon

POST /D15DB9E25ADA34EC9E559736 HTTP/1.1

Accept: */*

HX1: 0

HX2: 0

HX3: 61456

HX4: 1

User-Agent:       Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E)

Host: sc.weboot.info:443

Content-Length: 0

Cache-Control: no-cache

Even though the beacon went to port 443, which is commonly used for encrypted HTTP communications, this traffic was plaintext HTTP, as is common for this variant of PLUGX.

For IT Service Providers

All organizations that provide IT services as a commodity for other organizations should evaluate their infrastructure to determine if related activity has taken place. Active monitoring of network traffic for the indicators of compromise (IOCs) provided in this report, as well as behavior analysis for similar activity, should be conducted to identify C2 traffic. In addition, frequency analysis should be conducted at the lowest level possible to determine any unusual fluctuation in bandwidth indicative of a potential data exfiltration. Both management and client systems should be evaluated for host indicators provided. If an intrusion is suspected, please reach out to the NCCIC at the contact information provided at the end of this report.

For Private Organizations and Government Agencies

All organizations should include the IOCs provided in their normal intrusion detection systems for continual analysis. Organizations that determine their risk to be elevated due to alignment to the sectors being targeted, unusual detected activity, or other factors, should conduct a dedicated investigation to identify any related activity. Organizations which leverage external IT service providers should validate with their providers that due diligence is being conducted to validate if there are security concerns with their specific provider. If an intrusion is suspected, please reach out to the NCCIC at the contact information provided at the end of this report.

Detection

NCCIC is providing a compilation of IOCs from a variety of sources to aid in the detection of this malware. The IOCs provided in the associated STIX package and .xlsx file were derived from various government, commercial, and publically available sources. The sources provided does not constitute an exhaustive list and the U.S. Government does not endorse or support any particular product or vendor’s information listed in this report. However, NCCIC includes this compilation here to ensure the distribution of the most comprehensive information. This alert will be updated as additional details become available.

Table 7: Sources Referenced

Source	Title
PaloAltoNetworks	“menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations”
FireEye	“APT10 (Menupass Team) Renews Operations Focused on Nordic Private Industry; operations Extend to Global Partners”. February 23, 2017 10:14:00 AM,17-00001858, Version: 2
CyLance	“The Deception Project: A New Japanese-Centric Threat”
PwC/BAE Systems	“Operation Cloud Hopper: Exposing a systematic hacking operation with an unprecedented web of global victims: April 2017”
JPCERT/CC	“RedLeaves-Malware Based on Open Source Rat” http://blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html
NCC Group	“RedLeaves Implant-Overview”
National Cyber Security Centre	“Infrastructure Update Version 1.0” Reference: March 17, 2017
FireEye	“BUGJUICE Malware Profile”. April 05, 2017 11:45:00 AM, 17-00003261, Version: 1
JPCERT/CC	“ChChes- Malware that Communicates with C&C Servers Using Cookie Headers” http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html

NCCIC recommends monitoring activity to the following domains and IP addresses, and scanning for evidence of the file hashes as potential indicators of infection. Some of the IOCs provided may be associated with legitimate traffic. Nevertheless, closer evaluation is warranted if the IOCs are observed. If these IOCs are found, NCCIC can provide additional assistance in further investigations. A comprehensive listing of IOCs can be found in the associated STIX package and .xlsx file.

Network Signatures

Table 8: REDLEAVES Network Signatures

alert tcp any any -> any any (msg: "REDLEAVES Implant"; content: "|00 00 7a 8d 9b dc|"; offset: 2; depth: 6; content: "|00 00|"; offset: 10; depth: 2; sid: 314;)

alert tcp any -> any any (msg:”Suspicious PLUGX URI String”; content:”POST”; http_method; content:”/update?id=”; http_uri; fast_pattern:only; pcre:”/update\?id=[a-fA-F0-9]{8} HTTP/”; sid:101;)

Table 9: REDLEAVES YARA Signatures

rule Dropper_DeploysMalwareViaSideLoading {

meta:

description = "Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX"

author = "USG"

true_positive = "5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. "

strings:

$UniqueString = {2e 6c 6e 6b [0-14] 61 76 70 75 69 2e 65 78 65} // ".lnk" near "avpui.exe"

$PsuedoRandomStringGenerator = {b9 1a [0-6] f7 f9 46 80 c2 41 88 54 35 8b 83 fe 64} // Unique function that generates a 100 character pseudo random string.

condition:

any of them

}

rule REDLEAVES_DroppedFile_ImplantLoader_Starburn {

meta:

description = "Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT"

author = "USG"

true_positive = "7f8a867a8302fe58039a6db254d335ae" // StarBurn.dll

strings:

$XOR_Loop = {32 0c 3a 83 c2 02 88 0e 83 fa 08 [4-14] 32 0c 3a 83 c2 02 88 0e 83 fa 10} // Deobfuscation loop

condition:

any of them

}

rule REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief {

meta:

description = "Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT"

author = "USG"

true_positive = "fb0c714cd2ebdcc6f33817abe7813c36" // handkerchief.dat

strings:

$RedleavesStringObfu = {73 64 65 5e 60 74 75 74 6c 6f 60 6d 5e 6d 64 60 77 64 72 5e 65 6d 6d 6c 60 68 6f 2f 65 6d 6d} // This is 'red_autumnal_leaves_dllmain.dll' XOR'd with 0x01

condition:

any of them

}

rule REDLEAVES_CoreImplant_UniqueStrings {

meta:

description = "Strings identifying the core REDLEAVES RAT in its deobfuscated state"

author = "USG"

strings:

$unique2 = "RedLeavesSCMDSimulatorMutex" nocase wide ascii

$unique4 = "red_autumnal_leaves_dllmain.dll" wide ascii

$unique7 = "\\NamePipe_MoreWindows" wide ascii

condition:

any of them

}

Table 10: PLUGX Network Signatures

alert tcp any any -> any any (msg:"Non-Std TCP Client Traffic contains 'HX1|3a|' 'HX2|3a|' 'HX3|3a|' 'HX4|3a|' (PLUGX Variant)"; sid:XX; rev:1; flow:established,to_server; content:"Accept|3a 20 2a 2f 2a|"; nocase; content:"HX1|3a|"; distance:0; within:6; fast_pattern; content:"HX2|3a|"; nocase; distance:0; content:"HX3|3a|"; nocase; distance:0; content:"HX4|3a|"; nocase; distance:0; classtype:nonstd-tcp; priority:X;)

alert tcp any any -> any any (msg:"Non-Std TCP Client Traffic contains 'X-Session|3a|''X-Status|3a|''X-Size|3a|''X-Sn|3a|'(PLUGX)"; sid:XX; rev:1; flow:established,to_server; content:"X-Session|3a|"; nocase; fast_pattern; content:"X-Status|3a|"; nocase; distance:0; content:"X-Size|3a|"; nocase; distance:0; content:"X-Sn|3a|"; nocase; distance:0; classtype:nonstd-tcp; priority:X;)

alert tcp any any -> any any (msg:"Non-Std TCP Client Traffic contains 'MJ1X|3a|' 'MJ2X|3a|' 'MJ3X|3a|' 'MJ4X|3a|' (PLUGX Variant)"; sid:XX; rev:1; flow:established,to_server; content:"MJ1X|3a|"; nocase; fast_pattern; content:"MJ2X|3a|"; nocase; distance:0; content:"MJ3X|3a|"; nocase; distance:0; content:"MJ4X|3a|"; nocase; distance:0; classtype:nonstd-tcp; priority:X;)

alert tcp any any -> any any (msg:"Non-Std TCP Client Traffic contains 'Cookies|3a|' 'Sym1|2e|' '|2c|Sym2|2e|' '|2c|Sym3|2e|' '|2c|Sym4|2e|' (Chches Variant)"; sid:XX; rev:1; flow:established,to_server; content:"Cookies|3a|"; nocase; content:"Sym1|2e|0|3a|"; nocase; distance:0; fast_pattern; content:"|2c|Sym2|2e|"; nocase; distance:0; content:"|2c|Sym3|2e|"; nocase; distance:0; content:"|2c|Sym4|2e|"; nocase; distance:0; classtype:nonstd-tcp; priority:X;)

Host Signatures

Table 11: PLUGX and REDLEAVES YARA Signatures

rule PLUGX_RedLeaves

{

meta:

author = "US-CERT Code Analysis Team"

date = "03042017"

incident = "10118538"

date = "2017/04/03"

MD5_1 = "598FF82EA4FB52717ACAFB227C83D474"

MD5_2 = "7D10708A518B26CC8C3CBFBAA224E032"

MD5_3 = "AF406D35C77B1E0DF17F839E36BCE630"

MD5_4 = "6EB9E889B091A5647F6095DCD4DE7C83"

MD5_5 = "566291B277534B63EAFC938CDAAB8A399E41AF7D"

info = "Detects specific RedLeaves and PlugX binaries"

strings:

$s0 = { 80343057403D2FD0010072F433C08BFF80343024403D2FD0010072F4 }

$s1 = "C:\\Users\\user\\Desktop\\my_OK_2014\\bit9\\runsna\\Release\\runsna.pdb"

$s2 = "d:\\work\\plug4.0(shellcode)"

$s3 = "\\shellcode\\shellcode\\XSetting.h"

$s4 = { 42AFF4276A45AA58474D4C4BE03D5B395566BEBCBDEDE9972872C5C4C5498228 }

$s5 = { 8AD32AD002D180C23830140E413BCB7CEF6A006A006A00566A006A00 }

$s6 = { EB055F8BC7EB05E8F6FFFFFF558BEC81ECC8040000535657 }

$s7 = { 8A043233C932043983C10288043283F90A7CF242890D18AA00103BD37CE2891514AA00106A006A006A0056 }

$s8 = { 293537675A402A333557B05E04D09CB05EB3ADA4A4A40ED0B7DAB7935F5B5B08 }

$s9 = "RedLeavesCMDSimulatorMutex"

condition:

$s0 or $s1 or $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8 or $s9

}

Other Detection Methods

Examine Port/Protocol Mismatches: Examine network traffic where the network port and protocol do not match, such as plaintext HTTP over port 443.

Administrative Share Mapping: When a malicious actor tries to move laterally on a network, one of the techniques is to mount administrative shares to perform operations like uploading and downloading resources or executing commands. In addition, tools like System Internals PSEXEC will mount the shares automatically for the user. Since administrators may map administrative shares legitimately while managing components of the network, this must be taken into account.

Filter network traffic for SMB mapping events and group the events by source IP, destination IP, the mounted path (providing a count of total mounts to that path), the first map time, and the last map time
Collect Windows Event Logs – Event ID 5140 (network share object was accessed) can be used to track C$ and ADMIN$ mounts by searching the Share Name field

VPN User authentication mismatch: A VPN user authentication match occurs when a user account authenticates to an IP address but once connected the internal IP address requests authentication tokens for other users. This may create false positives for legitimate network administrators but if this is detected, organizations should verify that the administrative accounts were legitimately used.

VPN activity from VPS providers: While this may also produce false positives, VPN logins from Virtual Private Server (VPS) providers may be an indicator of VPN users attempting to hide their source IP and should be investigated.

Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

temporary or permanent loss of sensitive or proprietary information,
disruption to regular operations,
financial losses incurred to restore systems and files, and
potential harm to an organization’s reputation.

Solution

Properly implemented defensive techniques and programs make it more difficult for an adversary to gain access to a network and remain persistent yet undetected. When an effective defensive program is in place, actors should encounter complex defensive barriers. Actor activity should also trigger detection and prevention mechanisms that enable organizations to contain and respond to the intrusion more rapidly. There is no single or set of defensive techniques or programs that will completely avert all malicious activities. Multiple defensive techniques and programs should be adopted and implemented in a layered approach to provide a complex barrier to entry, increase the likelihood of detection, and decrease the likelihood of a successful compromise. This layered mitigation approach is known as defense-in-depth.

NCCIC mitigations and recommendations are based on observations made during the hunt, analysis, and network monitoring for threat actor activity, combined with client interaction.

Whitelisting

Enable application directory whitelisting through Microsoft Software Restriction Policy (SRP) or AppLocker;
Use directory whitelisting rather than trying to list every possible permutation of applications in an environment. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), and SYSTEM32. All other locations should be disallowed unless an exception is granted.
Prevent the execution of unauthorized software by using application whitelisting as part of the security hardening of operating systems insulating.
Enable application directory whitelisting via the Microsoft SRP or AppLocker.

Account Control

Decrease a threat actor’s ability to access key network resources by implementing the principle of least privilege.
Limit the ability of a local administrator account to login from a local interactive session (e.g., “Deny access to this computer from the network”) and prevent access via a Remote Desktop Protocol session.
Remove unnecessary accounts, groups, and restrict root access.
Control and limit local administration.
Make use of the Protected Users Active Directory group in Windows Domains to further secure privileged user accounts against pass-the-hash compromises.

Workstation Management

Create a secure system baseline image and deploy to all workstations.
Mitigate potential exploitation by threat actors by following a normal patching cycle for all operating systems, applications, software, and all third-party software.
Apply asset and patch management processes.
Reduce the number of cached credentials to one if a laptop, or zero if a desktop or fixed asset.

Host-Based Intrusion Detection

Configure and monitor system logs through host-based intrusion detection system (HIDS) and firewall.
Deploy an anti-malware solution to prevent spyware, adware, and malware as part of the operating system security baseline.
Monitor antivirus scan results on a regular basis.

Server Management

Create a secure system baseline image, and deploy to all servers.
Upgrade or decommission end-of-life non Windows servers.
Upgrade or decommission servers running Windows Server 2003 and older versions.
Implement asset and patch management processes.
Audit for and disable unnecessary services.

Server Configuration and Logging

Establish remote server logging and retention.
Reduce the number of cached credentials to zero.
Configure and monitor system logs via a centralized security information and event management (SIEM) appliance.
Add an explicit DENY for “%USERPROFILE%”.
Restrict egress web traffic from servers.
In Windows environments, utilize Restricted Admin mode or remote credential guard to further secure remote desktop sessions against pass-the-hash compromises.
Restrict anonymous shares.
Limit remote access by only using jump servers for such access.

Change Control

Create a change control process for all implemented changes.

Network Security

An Intrusion Detection System (IDS) should:
- Implement continuous monitoring.
- Send alerts to a SIEM tool.
- Monitor internal activity (this tool may use the same tap points as the netflow generation tools).
Netflow Capture should:
- Set a minimum retention period of 180 days.
- Capture netflow on all ingress and egress points of network segments, not just at the Managed Trusted Internet Protocol Services (MTIPS) or Trusted Internet Connections (TIC) locations.
Network Packet Capture (PCAP):
- Retain PCAP data for a minimum of 24 hours.
- Capture traffic on all ingress and egress points of the network.
Use a virtual private network (VPN):
- Maintain site-to-site VPN with customers.
- Authenticate users utilizing site-to-site VPNs through adaptive security appliance (ASA).
Use authentication, authorization, and accounting (AAA) for controlling network access.
- Require Personal Identity Verification (PIV) authentication to an HTTPS page on the ASA in order to control access. Authentication should also require explicit rostering of PIV distinguished names (DNs) that are permitted to enhance the security posture on both networks participating in the site-to-site VPN.
- Establish appropriate secure tunneling protocol and encryption.
- Strengthen router configuration (e.g., avoid enabling remote management over the Internet and using default IP ranges; automatically logout after configuring routers; use encryption).
- Turn off Wi-Fi protected setup (WPS), enforce the use of strong passwords, keep router firmware up-to-date; and
- Improve firewall security (e.g., enable auto updates, revise firewall rules as appropriate, implement whitelists, establish packet filtering, enforce the use of strong passwords, and encrypt networks).
Conduct regular vulnerability scans of the internal and external networks and hosted content to identify and mitigate vulnerabilities.
Define areas within the network that should be segmented to increase visibility of lateral movement by an adversary and increase the defense in-depth posture.
Develop a process to block traffic to IP addresses and domain names that have been identified as being used to aid previous malicious activities.

Network Infrastructure Recommendations

Ensure you are following National Security Agency (NSA) network device integrity (NDI) best practices.
Ensure your networking equipment has the latest available operating system and patches.

Host Recommendations

Implement policies to block workstations-to-workstation remote desktop protocol (RDP) connections through group policy object (GPO) on Windows, or a similar mechanism.
Store system logs of mission critical systems for at least one year within a SIEM.
Review the configuration of application logs to verify fields being recorded will contribute to an incident response investigation.

Users Management

Immediately set the password policy to require complex passwords for all users (minimum of 15 characters); this new requirement should be enforced as user passwords expire.
Reduce the number of domain and enterprise administrator accounts.
Create non-privileged accounts for privileged users and ensure they use the non-privileged account for all non-privileged access (e.g., web browsing, email access);
If possible, use technical methods to detect or prevent browsing by privileged accounts (authentication to web proxies would enable blocking of domain administrators).
Use two-factor authentication (e.g., security tokens for remote access and to any sensitive data repositories);
If soft tokens are used, they should not exist on the same device that is requesting remote access (laptop), and instead should be on a telephone or other out-of-band device.
Create privileged role tracking;
- Create a change control process to all privilege escalations and role changes on user accounts;
- Enable alerts on privilege escalations and role changes; and
- Log privileged user changes in the environment and alert on unusual events.
Establish least privilege controls; and
Implement a security-awareness training program.

Best Practices

Implement a vulnerability assessment and remediation program.
Encrypt all sensitive data in transit and at rest.
Create an insider threat program.
Assign additional personnel to review logging and alerting data.
Complete independent security (not compliance) audit.
Create an information sharing program.
Complete and maintain network and system documentation to aid in timely incident response, including:
- network diagrams,
- asset owners,
- type of asset, and
- an up-to-date incident response plan.

References

Revision History

April 27, 2017: Initial post
April 28, 2017: Updated guidance under the sub-section: Network Infrastructure Recommendations
May 2, 2017: In table 11, fixed trailing quote on date
May 11, 2017: STIX and XLSX package was updated

This product is provided subject to this Notification and this Privacy & Use policy.

TA17-075A: HTTPS Interception Weakens TLS Security
Original release date: March 16, 2017

Systems Affected

All systems behind a hypertext transfer protocol secure (HTTPS) interception product are potentially affected.

Overview

Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. The CERT Coordination Center (CERT/CC) explored the tradeoffs of using HTTPS interception in a blog post called The Risks of SSL Inspection [1].
Organizations that have performed a risk assessment and determined that HTTPS inspection is a requirement should ensure their HTTPS inspection products are performing correct transport layer security (TLS) certificate validation. Products that do not properly ensure secure TLS communications and do not convey error messages to the user may further weaken the end-to-end protections that HTTPS aims to provide.

Description

TLS and its predecessor, Secure Sockets Layer (SSL), are important Internet protocols that encrypt communications over the Internet between the client and server. These protocols (and protocols that make use of TLS and SSL, such as HTTPS) use certificates to establish an identity chain showing that the connection is with a legitimate server verified by a trusted third-party certificate authority.
HTTPS inspection works by intercepting the HTTPS network traffic and performing a man-in-the-middle (MiTM) attack on the connection. In MiTM attacks, sensitive client data can be transmitted to a malicious party spoofing the intended server. In order to perform HTTPS inspection without presenting client warnings, administrators must install trusted certificates on client devices. Browsers and other client applications use this certificate to validate encrypted connections created by the HTTPS inspection product. In addition to the problem of not being able to verify a web server’s certificate, the protocols and ciphers that an HTTPS inspection product negotiates with web servers may also be invisible to a client. The problem with this architecture is that the client systems have no way of independently validating the HTTPS connection. The client can only verify the connection between itself and the HTTPS interception product. Clients must rely on the HTTPS validation performed by the HTTPS interception product.
A recent report, The Security Impact of HTTPS Interception [2], highlighted several security concerns with HTTPS inspection products and outlined survey results of these issues. Many HTTPS inspection products do not properly verify the certificate chain of the server before re-encrypting and forwarding client data, allowing the possibility of a MiTM attack. Furthermore, certificate-chain verification errors are infrequently forwarded to the client, leading a client to believe that operations were performed as intended with the correct server. This report provided a method to allow servers to detect clients that are having their traffic manipulated by HTTPS inspection products. The website badssl.com [3] is a resource where clients can verify whether their HTTPS inspection products are properly verifying certificate chains. Clients can also use this site to verify whether their HTTPS inspection products are enabling connections to websites that a browser or other client would otherwise reject. For example, an HTTPS inspection product may allow deprecated protocol versions or weak ciphers to be used between itself and a web server. Because client systems may connect to the HTTPS inspection product using strong cryptography, the user will be unaware of any weakness on the other side of the HTTPS inspection.

Impact

Because the HTTPS inspection product manages the protocols, ciphers, and certificate chain, the product must perform the necessary HTTPS validations. Failure to perform proper validation or adequately convey the validation status increases the probability that the client will fall victim to MiTM attacks by malicious third parties.

Solution

Organizations using an HTTPS inspection product should verify that their product properly validates certificate chains and passes any warnings or errors to the client. A partial list of products that may be affected is available at The Risks of SSL Inspection [1]. Organizations may use badssl.com [3] as a method of determining if their preferred HTTPS inspection product properly validates certificates and prevents connections to sites using weak cryptography. At a minimum, if any of the tests in the Certificate section of badssl.com prevent a client with direct Internet access from connecting, those same clients should also refuse the connection when connected to the Internet by way of an HTTPS inspection product.
In general, organizations considering the use of HTTPS inspection should carefully consider the pros and cons of such products before implementing [1]. Organizations should also take other steps to secure end-to-end communications, as presented in US-CERT Alert TA15-120A [4].
Note: The U.S. Government does not endorse or support any particular product or vendor.

References
Revision History
- March 16, 2017: intial post
This product is provided subject to this Notification and this Privacy & Use policy.

Main Menu

Internet

Systems Affected

Overview

Description

Technical Details

Detection and Response

Network Signatures and Host-Based Rules

Network Signatures

YARA Rules

Impact

Solution

Mitigation Strategies

Response to Unauthorized Network Access

References

Revision History

Systems Affected

Overview

Description

Technical Details

Figure 1. HIDDEN COBRA Communication Flow

Detection and Response

Network Signatures and Host-Based Rules

Network Signatures

YARA Rules

Impact

Solution

Mitigation Strategies

Response to Unauthorized Network Access

References

Revision History

Systems Affected

Overview

Description

Technical Details

Using Cyber Kill Chain for Analysis

Spear-Phishing Email TTPs

Use of Watering Hole Domains

Persistence Through .LNK File Manipulation

Establishing Local Accounts

Targeting of ICS and SCADA Infrastructure

Detection and Response

Network Signatures and Host-Based Rules

Network Signatures

YARA Rules

Impact

Solution

Network and Host-based Signatures

Detections and Prevention Measures

General Best Practices Applicable to this Campaign:

References

Revision History

Systems Affected

Overview

Description

Impact

Solution

References

Revision History

Systems Affected

Overview

Description

Impact

Solution

References

Revision History

Systems Affected

Overview

Risk Evaluation

Details

Description

Technical Analysis

Detection

Signatures

Impact

Solution

Application Whitelisting

Manage Authentication and Authorization

Handling Destructive Malware

Ensure Proper Configuration/Patch Management