
Page 1: HCCIC Intelligence Briefing · 8/20/2018

HC3 Threat Intelligence Briefing: Malware Loaders

OVERALL CLASSIFICATION IS UNCLASSIFIED

TLP:WHITE

8/2/2018

Page 2

Agenda

Intro
Overview
– Definition
– Evolution
Recent Loader Activity
– AZORult
– Aurora
– Kardon
Older Loaders
– Smoke
– Quant
– Emotet
Protection Recommendations
Conclusions

Slides Key:

Non-Technical: managerial, strategic and high-level (general audience)

Technical: Tactical / IOCs; requiring in-depth knowledge (sysadmins, IRT)

Page 3

Overview

Loaders / Downloaders

Definition: Malware loader, AKA downloader, AKA dropper
Essentially, loaders can be considered basic remote access Trojans (RATs)
Loaders provide an attacker the ability to remotely interact with and control a compromised computer
Traditionally, loaders are lightweight (smaller than 50 KB in size)

– This gives them a better chance of bypassing detection by antivirus and other security monitoring technology

Purpose: the MAIN ROLE is to gain persistence on a user's computer and then report back to a command and control (C2) server

– Each victim of a loader is called a "bot"; the malware ropes all victims into a giant botnet

Eventually, the loader downloads a second-stage payload: a more potent malware such as a banking trojan, a password dumper, a backdoor trojan, or ransomware

Page 4

Overview

Loaders / Downloaders

Threat actors generally employ loaders in two ways:

– 1: They incorporate them in their own custom multi-stage malware infection chains, for their own benefit

– 2: They sell "bot space" to other cybercriminals, who then infect users with the second-stage malware of their choice

Loader Lifecycle (figure; stages read left to right):

1) Advertised on lower-tier Russian forum
2) Advertised on higher-tier Russian and English forums
3) Inclusion in active campaigns and/or exploit kits (EK)
4) Bought and used by particular cybercriminal / APT groups
5) Deployed with a number of other malware, ransomware, miners, etc.

Page 5

New Loaders

Aurora & Kardon (Flashpoint)

Overview: Advertised on lower-tier Russian-language forums since March and May 2018 respectively

– Most loaders start out on lower-tier Russian forums before they pop up on more elite English-speaking forums

Noticeably more complex than the simpler loaders generally preferred by buyers (e.g., Smoke); may be an indication of what kinds of features criminals are trying to incorporate into these bits of malicious code

Loaders remain relatively inexpensive: for sale on hacking forums for as little as $50 USD, mostly paid in Bitcoin

Page 6

Aurora / Kardon Loaders

Aurora (Flashpoint)

Advertised as fully undetectable
Allows for the creation of resilient botnets by using a system of self-healing bots
Once executed, the loader instructs bots to create three branches of independent botnets

– If it detects that one branch has been compromised, it will self-heal from the other two and spread the loaders to new victims, creating a new botnet

– This makes takedowns challenging

Aurora also comes with relatively standard features for a loader:

– Control panel
– Ability to classify victims based on location
– Ability to attach multiple files to the initial loader (as well as files from the seller's and customers' servers)
– Ability to execute commands from the victim's command terminal and report back system information to the attacker, or self-delete if detected

Page 7

Kardon

Kardon (Flashpoint)

June 2018 (Salesforce Engineering): Advertised as a new Trojan downloader:

– Capable of delivering and executing any payload that the actor wants to use in a campaign
– Fully functional and ready to be deployed with custom or commodity malware

Arrives on compromised computers with a fully integrated botshop

– Botshops are simple platforms that can be used to sell access to bots from the attacker's botnet to other threat actors

Conclusion: Kardon is a basic, simple and lightweight loader malware. All loaders seem to evolve and become more advanced as they are incorporated into more campaigns.

Page 8

Recent Loader Activity

AZORult Update (Proofpoint)

Originally observed in 2016
Loader / information stealer

Recent AZORult activity: on July 17 a significantly improved version of AZORult spyware was advertised:

– Immediately included in a large spam email campaign
– Improved both the stealer and downloader functionality
– Distributing Hermes ransomware

The loader feature: conditional, based on the presence of cookies, cryptocurrency wallets, and other parameters

Changelog quoted from the advertisement:

UPD v3.2 (newest AZORult version)
[+] Added stealing of history from browsers (except IE and Edge)
[+] Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC
[+] Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works. For example: if there are cookies or saved passwords from mysite.com, then download and run the file link[.]com/soft.exe. There is also a rule "If there is data from cryptocurrency wallets" or "for all"
[+] Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly (just in case)

Stealer + Loader + Ransomware = Devastating for Victims

Page 9

Smoke Loader

Smoke Loader (WEBROOT)

Distributed since 2011; updated and patched numerous times since
Still widely used today, in multiple botnet attacks and infections
Modular malware loader that comes with several different modules, based on how much the customer is willing to spend

Inception: It immediately gained favor on forums for its size and ability to bypass antivirus and firewall detection
Advertised on top-tier Russian- and English-speaking forums within months
Smoke has often been observed included in the RIG exploit kit (EK)

Advertised Features (2012) (WEBROOT):

• Progressive download of different EXEs and run
• Geo-targeting (download only for specific countries)
• The ability to download files via a URL
• Startup and invisible work (masked by a trusted process)
• Detailed statistics on jobs
• Self-renewal through the bot's admin panel (locally or remotely)
• Protection against loss by blocking bot domains
• The small size of the loader, ~12.6 KB
• Ability to use Builder for "sellers" (more accurate statistics)
• Statistics on re-launching (useful for assessing the quality of downloads, or traffic)
• "Guest" access to the statistics
• Easy "kriptovka" (crypting; the loader does not contain any additional DLLs, overlays, etc.)

Page 10

Smoke Loader

Smoke Loader (WEBROOT)

Plugins: The plugins are all designed to steal sensitive information from the victim
Targets stored credentials or sensitive information transferred over a browser

– including Windows and TeamViewer credentials, email logins, and others

Serves as an example of a successful loader life cycle
Initially two versions of Smoke:

– Resident loader, came attached with a malicious payload
– Non-resident version, allowed a threat actor to remotely upload additional payloads

Recent Activity (figures: two Twitter posts)

Jérôme Segura (@jeromesegura), Twitter post, 11 Oct 2017: Terror EK → Smoke Loader → Miner payload

MalwareHunterTeam (@malwrhunterteam), Twitter post, 4 Oct 2017: Compromised Argentinian government site delivering Smoke Miner

Page 11

Emotet

Emotet (McAfee)

Discovered in 2014
Harvests banking credentials
Early variants used Outlook contact harvesting to spread via malicious spam

Emotet as a Loader: Emotet acts as a loader and can enable several modules:

– Worm module via brute-force attack to spread over the network
– Dropping malware
– Sending spam with compromised emails to spread around the world
– Updating the main file to bypass antimalware signatures

Emotet has evolved to take advantage of several evasion, persistence, and spreading techniques
It also downloads additional malware to harvest banking credentials and take other actions (including theft of email credentials)

Popularity: UP

Observed widely in malicious campaigns with various payloads
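The worm module described above spreads by brute-forcing accounts over the network, and on the targets that leaves a burst of failed logons (Security event 4625) from one source host against many account names in a short time. The PowerShell below is an added example for this briefing, not Emotet's code and not part of the HC3 slides: it slides a time window over failed-logon records grouped by source address and reports any source that crosses a threshold. The sample records are constructed inline so it runs offline; the host names, addresses, account names, threshold and window are assumptions, and the commented Get-WinEvent conversion at the end shows how to feed it real events from a host's Security log.

```powershell
# Added example (not from the HC3 briefing): detect the failed-logon bursts a
# brute-force worm module leaves behind. Works on any object carrying the
# TimeCreated / TargetUserName / WorkstationName / IpAddress fields of event 4625.

$Threshold     = 10   # failed logons from one source IP ...
$WindowMinutes = 5    # ... inside this many minutes -> report the source

# --- Constructed sample records (assumption: hosts, IPs and accounts are made up) ---
$base   = Get-Date '2018-08-02T09:00:00'
$events = @()
# Burst: 12 failures against 12 different accounts from WS-0417 in under 90 seconds
$accounts = 'admin', 'administrator', 'backup', 'svc_sql', 'jsmith', 'finance',
            'helpdesk', 'root', 'guest', 'test', 'scan', 'itadmin'
for ($i = 0; $i -lt $accounts.Count; $i++) {
    $events += [pscustomobject]@{
        TimeCreated     = $base.AddSeconds(7 * $i)
        TargetUserName  = $accounts[$i]
        WorkstationName = 'WS-0417'
        IpAddress       = '10.20.3.41'
    }
}
# Noise: one user mistyping a password three times over ten minutes
foreach ($m in 1, 4, 9) {
    $events += [pscustomobject]@{
        TimeCreated     = $base.AddMinutes($m)
        TargetUserName  = 'mwilson'
        WorkstationName = 'WS-0102'
        IpAddress       = '10.20.1.17'
    }
}

function Find-LogonBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 10,
        [int] $WindowMinutes = 5
    )
    $window = [TimeSpan]::FromMinutes($WindowMinutes)
    foreach ($group in ($Events | Group-Object IpAddress)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        $start  = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Advance the window start until the span [start..end] fits inside the window
            while (($sorted[$end].TimeCreated - $sorted[$start].TimeCreated) -gt $window) { $start++ }
            if (($end - $start + 1) -ge $Threshold) {
                $span = @($sorted[$start..$end])
                [pscustomobject]@{
                    IpAddress   = $group.Name
                    Workstation = $sorted[0].WorkstationName
                    Failures    = $span.Count
                    Accounts    = @($span | ForEach-Object TargetUserName | Sort-Object -Unique).Count
                    FirstSeen   = $span[0].TimeCreated
                    LastSeen    = $span[-1].TimeCreated
                }
                break   # one alert per source is enough; stop scanning this group
            }
        }
    }
}

Find-LogonBurst -Events $events -Threshold $Threshold -WindowMinutes $WindowMinutes |
    Format-Table -AutoSize

# On a live host, replace the constructed $events with real 4625 records:
# $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ForEach-Object {
#     $d = ([xml]$_.ToXml()).Event.EventData.Data
#     [pscustomobject]@{
#         TimeCreated     = $_.TimeCreated
#         TargetUserName  = ($d | Where-Object Name -eq 'TargetUserName').'#text'
#         WorkstationName = ($d | Where-Object Name -eq 'WorkstationName').'#text'
#         IpAddress       = ($d | Where-Object Name -eq 'IpAddress').'#text'
#     }
# }
```

The Accounts column is the useful discriminator: a user retrying one password produces many failures against one account, while a brute-forcing worm produces failures spread across many account names from a single source. Tune the threshold and window to the environment, and remember that a worker that has been compromised will show as the source, not the victim, so the IpAddress in the alert is where to start the investigation.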

Page 12

Quant Loader

Described as a "professional exe loader / dll dropper"
Considered a very basic trojan downloader
First advertised on 1 September 2016 on various Russian underground forums
Immediate inclusion in active distribution campaigns (Pony, Locky)

Capabilities: Configured to download two supplemental modules:

– Z*Stealer (information stealer): web browsers, email/chat, VNC, Wi-Fi information
– MBS (Bitcoin stealer)

Significant code similarities with Madness Pro DDoS (tool by the same group/actor)

– Madness Pro is a DDoS bot which utilizes standard methods to be persistent on the system and evade detection

Delivered via RIG EK and malicious attachments

Sources: Quant Loader (imgur), MISP Galaxy Clusters

David Montenegro (@CryptoInsane) Twitter post

Page 13

Pony Loader

Active since ~2014
Credential-harvesting piece of malware with other trojan capabilities
Well-known loader used for data theft
Multiple payloads and modules responsible for stealing credentials, targeting:

– Several password authentication services like FTP accounts and browsers
– Credentials from cryptocurrency wallets
– Brute-force activity against user accounts

Sources: Netskope, Talos

Page 14

Conclusions

Traditionally, loaders were financially focused

– Now incorporated in a wide variety of malicious campaigns

Massive MALSPAM campaigns have the potential to infect a large number of victims

These new and improved loaders have demonstrated significant upgrades and capabilities:

– Credential and cryptocurrency theft, leading to direct financial losses
– Now targeting credentials from browsers (except IE and Edge): email, FTP, etc. (beyond financial)
– Opportunities to establish a foothold in affected organizations, leading to additional direct financial losses and business disruption via infection with ransomware, miners, etc.

Page 15

Prevention & Protection

Recommendations (Netskope)

Sample policies to enforce:

– Scan all uploads from unmanaged devices to sanctioned cloud applications for malware
– Scan all uploads from remote devices to sanctioned cloud applications for malware
– Scan all downloads from unsanctioned cloud applications for malware
– Scan all downloads from unsanctioned instances of sanctioned cloud applications for malware
– Enforce quarantine/block actions on malware detection to reduce user impact
– Block unsanctioned instances of sanctioned/well-known cloud apps, to prevent attackers from exploiting user trust in the cloud. While this seems a little restrictive, it significantly reduces the risk of malware infiltration attempts via the cloud

Enforce DLP policies to control files and data en route to or from your corporate environment
Regularly back up and turn on versioning for critical content in cloud services
Enable the "View known file extensions" option on Windows machines (i.e., untick "Hide extensions for known file types" in Explorer)
Warn users to avoid executing unsigned macros and macros from an untrusted source, unless they are very sure that they are benign
Whenever you receive a hyperlink, hover the mouse over it to ensure it's legitimate
Enterprise users should always keep their systems and antivirus updated with the latest releases and patches
Administrators can also consider improving credential protection for Microsoft Windows
Warn users to avoid executing any file unless they are very sure that it is benign
Warn users against opening untrusted attachments, regardless of their extensions or filenames
Keep systems and antivirus updated with the latest releases and patches
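Two of the recommendations above, showing known file extensions and not executing unsigned macros, are registry-backed settings on Windows, so they can be audited and enforced rather than left to user discipline. The PowerShell below is an added example for this briefing, not part of the HC3 slides: it reads the current values, shows the weak setting beside the hardened one, and applies the hardened value for the current user. The Office version 16.0 and the three applications are assumptions to adjust for your estate; if these are managed through Group Policy (the HKCU:\Software\Policies\... keys), set them there instead, since the policy value overrides what a user can change in the Trust Center.

```powershell
# Added example (not from the HC3 briefing): audit and apply two of the slide's
# recommendations for the current user. Run as that user; for an estate-wide
# change use the equivalent Group Policy settings instead.

# Explorer: HideFileExt = 1 (Windows default, weak) displays "invoice.pdf.exe" as
# "invoice.pdf"; HideFileExt = 0 shows the real extension.
$ExplorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Office macro setting VBAWarnings (per application, under ...\<App>\Security):
#   1 = enable all macros (weak)          2 = disable with notification (Office default)
#   3 = disable except digitally signed   4 = disable all without notification
# Assumption: Office 16.0 (2016/2019/365); change the version string for your estate.
$OfficeVersion = '16.0'
$OfficeApps    = 'Word', 'Excel', 'PowerPoint'

function Get-LoaderHardening {
    # Returns the current values. $null means the value has never been written,
    # which for VBAWarnings means the Office default (2) is in effect.
    $explorer = Get-ItemProperty -Path $ExplorerKey -Name HideFileExt -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Setting = 'Explorer HideFileExt'
        Current = $explorer.HideFileExt
        Wanted  = 0
    }
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        $v   = Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Setting = "$app VBAWarnings"
            Current = $v.VBAWarnings
            Wanted  = 3
        }
    }
}

function Set-LoaderHardening {
    # Show extensions for known file types (takes effect when Explorer restarts or the user logs on again)
    Set-ItemProperty -Path $ExplorerKey -Name HideFileExt -Value 0 -Type DWord

    # Block all unsigned macros; macros signed by a trusted publisher still run
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value 3 -Type DWord
    }
}

Write-Host 'Before:'
Get-LoaderHardening | Format-Table -AutoSize
Set-LoaderHardening
Write-Host 'After:'
Get-LoaderHardening | Format-Table -AutoSize
```

VBAWarnings = 3 is the setting that matches the slide's wording ("avoid executing unsigned macros"): it leaves a path for legitimately signed automation while removing the "Enable Content" prompt that loader-carrying documents rely on. If the Before table shows a value under the Policies hive rather than here, the machine is domain-managed and the change has to go through Group Policy.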

Page 16

Upcoming Briefs: Trends in Malicious Macro Usage; Cryptomining Landscape; Various APT/FIN Groups

Analyst-to-analyst webinars are available

Questions / Comments / Concerns?

HHS HCCIC Email Address: [email protected]
