What are some of the top cybersecurity threats to look out for in 2021? Our latest threat advisory covers recent cyber threats targeting businesses and individuals: Zeoticus 2.0, the W97M downloader, ScarCruft Adds a New Malware Trick and Harvests Information About Connected Bluetooth Devices, and Rebranded Satan Ransomware 5ss5c Stops Database-related Services and Processes.
Threat Identification: DTIN0041: Zeoticus 2.0
SYNOPSIS: Zeoticus 2.0 is promoted as ransomware-as-a-service (RaaS) and mainly targets Windows computers. As the name suggests, it is the second version of the Zeoticus ransomware family, and it adds functionality over v1.0.
The malware reaches victims through malspam: the user is unaware of the infection because it arrives through untrusted email attachments. In general, cybercriminals trick users into opening such files by disguising them as legitimate.
Execution and Propagation:
Step 1
Fig 1.1 Infection chain (https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/malspam/)
As shown in Fig 1.1, the user receives an email attachment. These are generally spam emails sent to many target endpoints at once. Once the user opens the malicious attachment, it loads a malicious script that begins infecting the system.
Step 2
Once the malware infects the system, it copies itself to the following location of the operating system for further propagation.
C:\Windows%App Data%
After creating several copies in different places, the ransomware enumerates the running Windows processes and terminates, using taskkill.exe, those that would otherwise keep database and backup files locked. The following are some of the processes killed by the ransomware.
- sqlagent.exe
- sqlbrowser.exe
- sqlwriter.exe
- oracle.exe
- dbsnmp.exe
- agntsvc.exe
- mydesktopservice.exe
- isqlplussvc.exe
- xfssvccon.exe
Step 3
Once the necessary services are stopped, it deletes its own executable using the following command, passed to cmd.exe; the ping against localhost adds a short delay so the file is no longer locked when del runs, and %s is replaced with the malware's own path. Output is redirected to nul.
Command: /c ping localhost -n 3 > nul & del %s
Fig 1.2: Malware deletes its own program (https://labs.sentinelone.com/zeoticus-2-0/)
Step 4
- For persistence, the malware creates a value in the per-user Run key below, so that a malware instance is started again at every logon.
\REGISTRY\USER\----\Software\Microsoft\Windows\CurrentVersion\Run\
Fig 1.3: Persistence method (https://labs.sentinelone.com/zeoticus-2-0/)
Step 5
The malware encrypts the files and appends the extension shown below:
[random string].outsourse@tutanota.com.2020END
Fig 1.4: Malware encrypt data (https://www.pcrisk.com/removal-guides/19675-zeoticus-2-0-ransomware)
Step 6
After encryption, the ransomware drops a ransom note on the drive, as shown below:
Fig 1.5: Ransomware note (https://www.pcrisk.com/19675-zeoticus-2-0-ransomware)
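The behaviours in Steps 2 to 5 (mass termination of database processes with taskkill.exe, the ping-and-del self-deletion, the Run key value, and the appended extension) are each visible in ordinary endpoint telemetry. The block below, an example added here and not code from the advisory or from the malware, runs those four checks over constructed events; the record layout (kind, image, cmdline, target) is an assumption of this example, chosen to resemble Sysmon process, registry and file events.

```python
"""Hunt for the Zeoticus 2.0 behaviours described in Steps 2-5 in endpoint
telemetry. Added example, not code from the advisory or from the malware:
the event records are constructed to resemble Sysmon-style process, registry
and file events, and the field names (kind, image, cmdline, target) are an
assumption of this example.
"""
import re
from dataclasses import dataclass

# Database/backup processes the advisory lists as terminated via taskkill.exe
KILL_LIST = {
    "sqlagent.exe", "sqlbrowser.exe", "sqlwriter.exe", "oracle.exe",
    "dbsnmp.exe", "agntsvc.exe", "mydesktopservice.exe",
    "isqlplussvc.exe", "xfssvccon.exe",
}
# taskkill /IM <image>; one process name per /IM switch
TASKKILL_IM_RE = re.compile(r"/im\s+([\w.-]+)", re.I)
# Self-deletion: cmd /c ping localhost -n 3 > nul & del <own path>
SELF_DELETE_RE = re.compile(
    r"ping\s+(?:localhost|127\.0\.0\.1)\s+-n\s+\d+\s*>\s*nul\s*&\s*del\b", re.I)
# Per-user Run key (HKU\<SID>\Software\...\Run\<value>)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Extension appended to encrypted files
EXT_RE = re.compile(r"\.outsourse@tutanota\.com\.2020END$", re.I)


@dataclass
class Event:
    kind: str            # "process", "registry" or "file"
    image: str = ""      # process image path (process events)
    cmdline: str = ""    # full command line (process events)
    target: str = ""     # registry value path or file path


def findings(events):
    """Return (rule, detail) tuples for every event matching a Zeoticus behaviour."""
    out = []
    for e in events:
        if e.kind == "process":
            image = e.image.rsplit("\\", 1)[-1].lower()
            if image == "taskkill.exe":
                for m in TASKKILL_IM_RE.finditer(e.cmdline):
                    name = m.group(1).lower()
                    if name in KILL_LIST:
                        out.append(("db_process_kill", name))
            elif image == "cmd.exe" and SELF_DELETE_RE.search(e.cmdline):
                out.append(("self_delete", e.cmdline))
        elif e.kind == "registry" and RUN_KEY_RE.search(e.target):
            out.append(("run_key_persistence", e.target))
        elif e.kind == "file" and EXT_RE.search(e.target):
            out.append(("ransom_extension", e.target))
    return out


def sample_events():
    """Constructed telemetry: one benign event, then the four Zeoticus steps.
    Paths, SID and the 'update.exe' name are hypothetical."""
    return [
        Event("process", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
        Event("process", r"C:\Windows\System32\taskkill.exe",
              "taskkill.exe /F /IM sqlagent.exe /IM notepad.exe"),
        Event("process", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c ping localhost -n 3 > nul & del C:\Users\Public\update.exe"),
        Event("registry",
              target=r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost"),
        Event("file",
              target=r"C:\Users\bob\Documents\report.docx.outsourse@tutanota.com.2020END"),
    ]


if __name__ == "__main__":
    for rule, detail in findings(sample_events()):
        print(f"{rule:22s} {detail}")
```

Only names on the kill list count, so a taskkill against notepad.exe does not fire; in production the same four rules map directly onto Sysmon event IDs 1 (process), 13 (registry value set) and 11 (file create).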
Characteristics:
- More efficient and faster than version 1.0
- No command-and-control server is required to function; encryption works offline
- Capable of executing on all versions of Windows
Indicators of compromise:
- SHA256
33703e94572bca90070f00105c7008ed85d26610a7083de8f5760525bdc110a6
279d73e673463e42a1f37199a30b3deff6b201b8a7edf94f9d6fb5ce2f9f7f34
- SHA1
25082dee3a4bc00caf29e806d55ded5e080c05fa
d3449118b7ca870e6b9706f7e2e4e3b2d2764f7b
Recommendations:
- Do not open untrusted emails or links
- Use security controls for web defence and anti-phishing
- Use Content Disarm and Reconstruction (CDR) technology to strip active content from attachments
- Conduct continuous threat hunting to identify malicious activity
Threat Identification: DTIN0042: W97M Downloader Malware Dropper
Synopsis: This malware campaign has primarily targeted countries in the Western and Asia-Pacific regions. The payload it delivers is capable of stealing banking credentials and other sensitive information, which is then passed to the adversaries.
Infection and propagation:
Step 1
Initially, the user receives an email with a malicious attachment. Once the user opens the attachment, it silently runs a macro that contacts several compromised web servers and downloads additional components to widen the impact. The following figure represents the infection process:
Step 2
The malware then executes PowerShell commands.
The domain names called by the script belong to compromised web servers that deliver the components needed for further infection; the components are stored in the %TEMP% folder. The process repeats for each stage, with every downloaded component fetching the next.
Step 3
After downloading all the components, the malware injects its payload into the browser.
Step 4
In this step, the malware harvests banking credentials and transfers the sensitive information to the command-and-control server.
Characteristics:
- Uses malspam for infection and propagation.
- The downloader acts as an intermediary that delivers banking trojans, such as those of the Zeus malware family.
Indicators of compromise:
- IP addresses and associated ports
65.182.100.42 (80/443)
163.172.81.35 (80/443)
178.79.172.45 (80/443)
78.47.82.254 (80/443)
- URLs requested (defanged)
hxxp://planasolutions(.)com/wordpress/wp-content/nq3sqe-x875-tt/
hxxp://mattheweidem(.)com/ikn0owm-g991-syvw/
hxxp://irose(.)com/lpo7qje-wg556-pnv/
hxxp://diegoquintana(.)com/myc8h-a675-nglo/
hxxp://reichertgroup(.)com/ytw4or-d143-clqwi
hxxp://polian-studios(.)com/ie6dbg-yz991-im/
- MD5 hashes
- 92c1bfe6ab6d61d29cf68de47fd4a613
- 035f854096a0063e8fbe991f1d55dd23
Recommendations:
- Do not open suspicious email attachments or links
- Use next-generation firewalls and network controls to block malicious traffic
- Disable automatic macro execution in Microsoft Word and the other Office applications
Threat Identification: DTIN0043: ScarCruft Adds New Malware Trick; Harvests Information About Connected Bluetooth Devices
SYNOPSIS: ScarCruft is a threat actor group that has developed a new malware component capable of collecting information about connected Bluetooth devices, such as device name, ID and connection type. The malware uses the Windows Bluetooth APIs to gather this information.
Fig 3.1: Bluetooth path harvester (https://securelist.com/scarcruft/)
Step 1
The malware is delivered to the victim by spear-phishing and strategic web compromises. In this step the initial dropper bypasses User Account Control (UAC) to gain elevated privileges and infiltrate the system.
Step 2
The installer creates the downloader and its configuration file and executes it. The downloader connects to the command-and-control server to retrieve the next payload.
Step 3
The C&C server hides its payload inside an image file (steganography) to evade network defences. The payload is appended to the end of the image and is encrypted, so it must be decrypted before it can be executed.
Step 4
In the final step, the malware executes the final payload and performs backdoor functions using ROKRAT, a cloud-based backdoor that runs multiple modules to steal sensitive information such as usernames and passwords from the browser.
Fig 3.2: Cloud base backdoor (https://securelist.com/scarcruft/)
Indicators of compromise:
- Infected path: c:\ProgramData\HncModuleUpdate.exe
- SHA256 hashes
Malicious document: 171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824
Dropper #1: a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037
Dropper #2: eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14
Dropper #3: 9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f
ROKRAT: b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e
Recommendations:
- Do not open links or attachments from unfamiliar sources
- Enforce strong identity and access management policies
- Implement endpoint detection and response (EDR) technology to capture malicious activity on endpoints
- Do not save passwords and other credentials in the browser
Threat Identification: DTIN0044: Rebranded Satan Ransomware 5ss5c Stops Database-related Services and Processes
SYNOPSIS: 5ss5c is a renewed variant of the Satan ransomware. It has resurfaced under the new name '5ss5c', encrypts all files with defined extensions and stops some essential services. The malware is still in development. It has two major components, a scanning module and an encryption module, described in the steps below:
Step 1
The malware is distributed by threat actors through spam emails, phishing campaigns, cracked software, trojans, or bogus software.
Step 2
After infection, the SSSS_Scan module scans predefined directories for files to encrypt.
Fig 4.1: The sorted list to be encrypted (https://cybersecuritynews.com/5ss5c-ransomware/)
As shown in Fig 4.1, the malware scans the folders in the order defined in its code and encrypts them.
The file extensions the malware most explicitly looks for when encrypting are the following:
Step 3
Using the 5ss5c_CRYPT module, the malware encrypts the files and folders and appends the .5ss5c extension to the files.
(Source: https://www.pcrisk.com/16818-5ss5c-ransomware/)
Step 4
After encrypting the files, the ransomware reports to the command-and-control server using a request of the following form (parameter values omitted):
/api/data.php?code=&file=&size=&status=&keyhash=
In parallel, the malware creates a ransom note in the C:\ drive named _如何解密我的文件_.txt ("How to decrypt my files").
Fig 4.2: Ransom note (https://www.pcrisk.com/16818-5ss5c-ransomware/)
Indicators of compromise:
- C2 server addresses
http://61.186.243[.]2
http://58.221.158[.]90:88/
- Hashes
MD5: 01a9b1f9a9db526a54a64e39a605dd30
SHA1: a436e3f5a9ee5e88671823b43fa77ed871c1475b
SHA256: 9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc
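The network indicators in this advisory (the W97M downloader's hosts and URLs in DTIN0042, and the 5ss5c C2 servers and check-in route above) are published defanged, so they have to be normalised before they can be matched against proxy logs. The block below is an example added here, not code from the advisory: it refangs the listed IOCs, matches request hosts against them, and separately flags any request shaped like the 5ss5c /api/data.php check-in even when the server is not yet on the list. The log lines are constructed, in an assumed '<epoch> <client-ip> <method> <url> <status>' layout.

```python
"""Match web-proxy telemetry against the defanged network IOCs in this advisory
(the W97M downloader hosts and the 5ss5c C2 servers) and flag requests shaped
like the 5ss5c /api/data.php check-in. Added example, not code from the
advisory; the log lines are constructed in an assumed
'<epoch> <client-ip> <method> <url> <status>' layout.
"""
import re
from urllib.parse import parse_qs, urlsplit

# IOCs copied from the two sections, still defanged
W97M_URLS = [
    "hxxp://planasolutions(.)com/wordpress/wp-content/nq3sqe-x875-tt/",
    "hxxp://mattheweidem(.)com/ikn0owm-g991-syvw/",
    "hxxp://irose(.)com/lpo7qje-wg556-pnv/",
    "hxxp://diegoquintana(.)com/myc8h-a675-nglo/",
    "hxxp://reichertgroup(.)com/ytw4or-d143-clqwi",
    "hxxp://polian-studios(.)com/ie6dbg-yz991-im/",
]
W97M_IPS = {"65.182.100.42", "163.172.81.35", "178.79.172.45", "78.47.82.254"}
SS5C_C2 = ["http://61.186.243[.]2", "http://58.221.158[.]90:88/"]
# Query parameters of the 5ss5c check-in route
SS5C_PARAMS = {"code", "file", "size", "status", "keyhash"}

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")


def refang(ioc):
    """Turn hxxp:// and (.)/[.] notation back into a parseable URL."""
    return (ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[.]", ".").replace("(.)", "."))


def ioc_hosts():
    """Set of hostnames/IPs to watch, lower-cased, ports stripped."""
    hosts = {urlsplit(refang(u)).hostname for u in W97M_URLS + SS5C_C2}
    return hosts | W97M_IPS


def is_5ss5c_checkin(url):
    """True when the path is /api/data.php and every check-in parameter is
    present (values may be empty, as in the route template quoted above)."""
    parts = urlsplit(url)
    if not parts.path.endswith("/api/data.php"):
        return False
    present = set(parse_qs(parts.query, keep_blank_values=True))
    return SS5C_PARAMS <= present


def scan(lines):
    """Return (client, rule, detail) hits for every matching log line."""
    watch = ioc_hosts()
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _, client, _, url, _ = m.groups()
        host = urlsplit(url).hostname
        if host in watch:
            hits.append((client, "ioc_host", host))
        if is_5ss5c_checkin(url):
            hits.append((client, "5ss5c_checkin", url))
    return hits


# Constructed proxy log: one benign line, then IOC hits; values are made up
SAMPLE_LOG = """\
1611000001 10.0.0.5 GET http://www.example.com/index.html 200
1611000002 10.0.0.7 GET http://planasolutions.com/wordpress/wp-content/nq3sqe-x875-tt/ 200
1611000003 10.0.0.9 POST http://58.221.158.90:88/api/data.php?code=AB12&file=C:%5Cdata.xls&size=4096&status=1&keyhash=deadbeef 200
1611000004 10.0.0.9 GET http://65.182.100.42/ 404
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The check-in rule keys on the parameter set rather than on the host, so it still fires if the operators move the C2 to a new address; the host match is what ties a hit back to the specific indicators published here.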
Recommendations:
- Do not click on suspicious links or attachments
- Implement Content Disarm and Reconstruction (CDR) technology to strip active content from attachments
- Monitor processes with ProcMon (Process Monitor) and investigate suspicious ones, such as mass termination of database services
- Keep backups of critical data, stored offline so the ransomware cannot encrypt them