hccic intelligence briefing · 8/20/2018 · – worm module via brute -force attack to spread...
HC3 Threat Intelligence Briefing: Malware Loaders
OVERALL CLASSIFICATION IS UNCLASSIFIED
TLP:WHITE
8/2/2018
UNCLASSIFIED TLP:WHITE
UNCLASSIFIED
Agenda
Intro
Overview
– Definition
– Evolution
Recent Loader Activity
– AZORult
– Aurora
– Kardon
Older Loaders
– Smoke
– Quant
– Emotet
Protection Recommendations
Conclusions
Slides Key:
Non-Technical: managerial, strategic and high-level (general audience)
Technical: Tactical / IOCs; requiring in-depth knowledge (sysadmins, IRT)
Overview
Loaders / Downloaders
Loaders Definition: Malware loader, AKA Downloader, AKA Dropper
Essentially, loaders can be considered basic remote access Trojans (RATs)
Loaders provide an attacker the ability to remotely interact with and control a compromised computer
Traditionally, loaders are lightweight (smaller than 50 KB in size)
– This gives them a better chance at bypassing detection by antivirus and other security monitoring technology
Purpose: MAIN ROLE is to gain persistence on a user's computer and then report back to a command and control (C2) server.
– Each victim of a loader is called a "bot"; the malware ropes all victims into a giant botnet
Eventually, the loader will download a second-stage payload: a more potent malware such as a banking trojan, a password-dumper, a backdoor trojan, or ransomware
Overview
Loaders / Downloaders
Threat actors generally employ the loaders in two ways:
– 1: They either incorporate them in their own custom multi-stage malware infection chains, for their own benefit
– 2: They sell "bot space" to other cybercriminals, who then infect users with the second-stage malware of their choice
Loaders Lifecycle
– Advertised on lower-tier Russian forum
– Advertised on higher-tier Russian, English forums
– Inclusion in active campaigns and/or exploit kits (EK)
– Bought and used by particular cyber criminal / APT groups
– Deployed with a number of other malware, ransomware, miners, etc.
New Loaders
Aurora & Kardon (Flashpoint)
Overview
Advertised on lower-tier Russian-language forums since March and May respectively
– Most loaders start out on lower-tier Russian forums before they pop up on more elite English-speaking forums
Noticeably more complex than the simpler loaders that are generally preferred by buyers (Smoke)
May be an indication of what kinds of features criminals are trying to incorporate into these bits of malicious code.
Loaders remain relatively inexpensive
For sale on hacking forums for the price of only $50 USD
Mostly paid in Bitcoin
Aurora / Kardon Loaders
Aurora (Flashpoint)
Advertised as fully undetectable
Allows for the creation of resilient botnets by using a system of self-healing bots
Once executed, the loader instructs bots to create three branches of independent botnets
– If it detects that one branch has been compromised, it will self-heal from the other two and spread the loaders to new victims, creating a new botnet
– This makes takedowns challenging
Aurora also comes with relatively standard features for a loader:
– Control panel
– Ability to classify victims based on location
– Ability to attach multiple files to the initial loader (as well as files from the seller's and customers' servers)
– Ability to execute commands from the victim's command terminal and report back system information to the attacker, or self-delete if detected
Kardon
Kardon (Flashpoint)
June 2018 (Salesforce Engineering)
Advertised as a new Trojan Downloader:
– Capable of delivering and executing any payload that the actor wants to use in a campaign
– Fully functional and ready to be deployed with custom or commodity malware
Arrives on compromised computers with a fully integrated botshop
– Botshops are simple platforms that can be used to sell access to bots from the attacker's botnet to other threat actors
Conclusion
Kardon is a basic, simple and lightweight loader malware
All loaders seem to evolve and become more advanced as they are incorporated into more campaigns
Recent Loader Activity
AZORult Update (Proofpoint)
Originally observed in 2016
Loader / Information stealer
Recent AZORult activity
July 17: advertised a significantly improved version of AZORult spyware:
– Immediately included in large spam email campaign
– Improved both the stealer and downloader functionality
– Distributing Hermes ransomware
The Loader Feature: Conditional, based on the presence of cookies, cryptocurrency wallets, and other parameters
UPD v3.2 (Newest AZORult Version)
[+] Added stealing of history from browsers (except IE and Edge)
[+] Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC
[+] Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works. For example: if there are cookies or saved passwords from mysite.com, then download and run the file link[.]com/soft.exe. Also there is a rule "If there is data from cryptocurrency wallets" or "for all"
[+] Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly (just in case)
Stealer + Loader + Ransomware = Devastating for Victims
Smoke Loader
Smoke Loader (WEBROOT)
Distributed since 2011
Updated and patched numerous times since
Still widely used today; used in multiple botnet attacks and infections
Modular malware loader that comes with several different modules, based on how much the customer is willing to spend.
Inception
It immediately gained favor on forums for its size and ability to bypass antivirus and firewall detection
Advertised on top-tier Russian and English speaking forums within months
Smoke has often been observed included in the RIG exploit kit (EK)
Advertised Features (2012) (WEBROOT)
• Progressive download of different EXEs and run
• Geo-targeting (download only for specific countries)
• The ability to download files via a URL
• Startup and invisible work (masked by a trusted process)
• Detailed statistics on jobs
• Self-renewal through the bot's admin panel (locally or remotely)
• Protection against loss by blocking bots domain
• The small size of the loader ~ 12.6 kb
• Ability to use Builder for "sellers" (more accurate statistics)
• Statistics on re-launching (useful for assessing the quality of downloads, or traffic)
• "Guest" access to the statistics
• Easy kriptovka (does not contain any additional dll, overlays, etc.)
Smoke Loader
Smoke Loader (WEBROOT)
Plugins
The plugins are all designed to steal sensitive information from the victim
Targets stored credentials or sensitive information transferred over a browser
– including Windows and TeamViewer credentials, email logins, and others.
Serves as an example of a successful loader life cycle
Initially two versions of Smoke:
– Resident loader, came attached with a malicious payload
– Non-resident version, allowed a threat actor to remotely upload additional payloads
Recent Activity
Jérôme Segura (@jeromesegura), Twitter post, 11 Oct 2017: Terror EK / Smoke Loader / Miner payload
MalwareHunterTeam (@malwrhunterteam), Twitter post, 4 Oct 2017: Compromised Argentinian government site delivering Smoke Miner
Emotet
Emotet (McAfee)
Discovered in 2014
Harvests banking credentials
Early variants used Outlook contact harvesting to spread via malicious spam
Emotet as a Loader
Emotet acts as a loader and can enable several modules:
– Worm module via brute-force attack to spread over the network
– Dropping malware
– Sending spam with compromised emails to spread around the world
– Updating main file to bypass antimalware signatures
Emotet has evolved to take advantage of several evasion, persistence, and spreading techniques
It also downloads additional malware to harvest banking credentials and take other actions (including theft of email credentials)
Popularity: UP
Observed widely in malicious campaigns with various payloads
Quant Loader
Quant Loader
Described as a "professional exe loader / dll dropper"
Considered a very basic trojan downloader
First advertised on 1 September 2016 on various Russian underground forums
Immediate inclusion in active distribution campaigns (Pony, Locky)
Capabilities
Configured to download two supplemental modules:
– Z*Stealer (information stealer): web browsers, email/chat, VNC, Wifi information
– MBS (Bitcoin stealer)
Significant code similarities with Madness Pro DDoS (tool by same group/actor)
– Madness Pro is a DDoS bot which utilizes standard methods to be persistent on the system and evade detection
Delivered via RIG EK and malicious attachments
Sources: Quant Loader - imgur; MISP Galaxy Clusters; David Montenegro (@CryptoInsane) Twitter post
Pony Loader
Pony Loader
Active since ~2014
Credential harvesting piece of malware with other trojan capabilities.
Well-known loader used for data theft.
Multiple payloads and modules responsible for stealing credentials, targeting:
– Several password authentication services like FTP accounts and browsers
– Credentials from cryptocurrency wallets
– Brute-force activity of the user accounts
Sources: Netskope; Talos
Conclusions
Traditionally, loaders were financially focused
– Now incorporated in a wide variety of malicious campaigns
Massive MALSPAM campaigns have the potential of infecting a large number of victims
These new and improved loaders have demonstrated significant upgrades and capabilities:
– Credential and cryptocurrency theft: direct financial losses
– Now targeting credentials from browsers (except IE and Edge), email, FTP, etc. (beyond financial)
– Opportunities to establish a foothold in affected organizations: additional direct financial losses and business disruption via infection with ransomware, miners, etc.
Prevention & Protection
Recommendations: Netskope
Sample policies to enforce:
– Scan all uploads from unmanaged devices to sanctioned cloud applications for malware
– Scan all uploads from remote devices to sanctioned cloud applications for malware
– Scan all downloads from unsanctioned cloud applications for malware
– Scan all downloads from unsanctioned instances of sanctioned cloud applications for malware
– Enforce quarantine/block actions on malware detection to reduce user impact
– Block unsanctioned instances of sanctioned/well-known cloud apps, to prevent attackers from exploiting user trust in cloud. While this seems a little restrictive, it significantly reduces the risk of malware infiltration attempts via cloud
Enforce DLP policies to control files and data en route to or from your corporate environment
Regularly back up and turn on versioning for critical content in cloud services
Enable the "View known file extensions" option on Windows machines
Warn users to avoid executing unsigned macros and macros from an untrusted source, unless they are very sure that they are benign
Whenever you receive a hyperlink, hover the mouse over it to ensure it's legitimate
Enterprise users should always keep their systems and antivirus updated with the latest releases and patches.
Administrators can also consider the following:
– Improve credential protection for Microsoft Windows
– Warn users to avoid executing any file unless they are very sure that they are benign
– Warn users against opening untrusted attachments, regardless of their extensions or filenames
– Keep systems and antivirus updated with the latest releases and patches
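As an added illustration of the two Windows endpoint items above (visible file extensions and macro restrictions), the following audit script is written for this briefing and is not HC3's or Netskope's tooling. It assumes Windows 10 with Office 2016 or later (the "16.0" registry path is assumed), and it treats the Explorer "Hide extensions for known file types" value (HideFileExt) as the setting the "View known file extensions" recommendation refers to.

```powershell
# Added example (not from the HC3 briefing): audit the endpoint settings the
# recommendations above call for, and optionally apply the hardened values.
# Assumptions: Windows 10, Office 2016+ (registry path "16.0" assumed),
# run as the user whose HKCU settings are being checked. Use -Apply to fix drift.
[CmdletBinding()]
param([switch]$Apply)

# Each entry: registry path, value name, recommended value, and why it matters.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'HideFileExt'; Expected = 0
       Why  = 'Show known file extensions so a double-extension attachment is visibly an executable' }
)
# Office macro policy per application (Group Policy path):
#   VBAWarnings 3 = disable all macros except digitally signed ones
#   BlockContentExecutionFromInternet 1 = block macros in files marked as downloaded from the web
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $checks += @{ Path = $sec; Name = 'VBAWarnings'; Expected = 3
                  Why = "$app: run only digitally signed macros" }
    $checks += @{ Path = $sec; Name = 'BlockContentExecutionFromInternet'; Expected = 1
                  Why = "$app: block macros in documents downloaded from the Internet" }
}

$drift = 0
foreach ($c in $checks) {
    $current = $null
    if (Test-Path $c.Path) {
        # A missing value name returns $null with SilentlyContinue, which counts as drift.
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }
    if ($current -eq $c.Expected) {
        Write-Output ("OK    {0}\{1} = {2}" -f $c.Path, $c.Name, $current)
        continue
    }
    $drift++
    $shown = if ($null -eq $current) { '<not set>' } else { $current }
    Write-Output ("DRIFT {0}\{1} = {2} (expected {3}) - {4}" -f $c.Path, $c.Name, $shown, $c.Expected, $c.Why)
    if ($Apply) {
        # Create the key if it is missing, then write the recommended DWORD value.
        New-Item -Path $c.Path -Force | Out-Null
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type DWord
        Write-Output ("FIXED {0}\{1} -> {2}" -f $c.Path, $c.Name, $c.Expected)
    }
}
Write-Output ("{0} setting(s) drifted from the recommended baseline." -f $drift)
```

Run without -Apply first to see the drift report; the policy values under HKCU\Software\Policies are normally managed by Group Policy, so in a domain environment set them there rather than per machine.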
Upcoming Briefs
Trends in Malicious Macro Usage
Cryptomining Landscape
Various APT/FIN Groups
Analyst-to-analyst webinars are available
Questions / Comments / Concerns?
HHS HCCIC Email Address: [email protected]