Cryptomining Malware Uninstalls Cloud Security Products

New samples of cryptomining malware perform a never-before-seen function: uninstalling cloud security products.

Researchers say they have discovered a unique malware family capable of gaining admin rights on targeted systems by uninstalling cloud-security products. Instances of the malicious activity are tied to coin-mining malware targeting Linux servers.

Palo Alto Networks’ Unit 42, which published the report Thursday, said that the malware samples it found do not compromise, end-run or attack the security and monitoring products in question; they rather simply uninstall them from compromised Linux servers.

“In our analysis, these attacks did not compromise these security products: Rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would,” Xingyu Jin and Claud Xiao, Unit 42 researchers, said in a technical write-up.

Specifically, the malware samples set about uninstalling products developed by Tencent Cloud and Alibaba Cloud (Aliyun), two leading cloud providers in China that are expanding their business globally, researchers said. These security suites include key features such as trojan detection and removal based on machine learning, logging activity audits and vulnerability management.

“Palo Alto Networks Unit 42 has been cooperating with Tencent Cloud and Alibaba Cloud to address the malware evasion problem and its C2 infrastructure,” Ryan Olson, vice president of threat intelligence for Unit 42, told Threatpost. “To the best of our knowledge, this is the first malware family that developed the unique capability to target and remove cloud security products.”

Attack Process

The new malware is being actively used by the Rocke threat group. Rocke was first reported by Cisco Talos in July 2018, and pegged as an increasingly formidable Chinese-language threat actor leveraging a wide array of Git repositories to infect vulnerable systems with Monero-based cryptomining malware.

To deliver the malware to victim machines, the Rocke group exploits vulnerabilities in Apache Struts 2, Oracle WebLogic and Adobe ColdFusion, Unit 42 researchers said.

Once the malware is downloaded, it establishes a command and control server connection and downloads a shell script called “a7” on the system.

That shell script then carries out an array of malicious activities, including killing other cryptomining processes on the system, downloading and running a coin-miner, and hiding its processes from Linux process listings using the open-source tool “libprocesshider.”

It is at this stage where the latest malware samples flaunt a function that deploys the never-before-seen trick: they can uninstall cloud workload protection platforms, the agent-based security protection solutions for public cloud infrastructure.

That includes the Alibaba Threat Detection Service agent, Alibaba CloudMonitor Agent, Alibaba Cloud Assistant agent; as well as the Tencent Host Security agent and Tencent Cloud Monitor agent.

The Tencent Cloud and Alibaba Cloud official websites provide documents to guide users about how to uninstall their cloud security products; researchers said it appears the new malware samples used by Rocke group follow these official uninstallation procedures.
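A defender-side check for the two symptoms described above (an unexpected shared object in /etc/ld.so.preload, which is how libprocesshider hides processes, alongside security agents that have silently gone missing). This is an added example, not code from the Unit 42 report; the agent process names, the ps output and the preload file contents are constructed placeholders and must be replaced with the real values from the vendor documentation and your own host inventory.

```python
"""Inventory check for the agent-removal plus process-hiding pattern (example, not Unit 42 code)."""

# Placeholder process names for the agents the report says were removed; substitute the
# real agent names documented by Alibaba Cloud and Tencent Cloud for your hosts.
EXPECTED_AGENTS = {
    "cloud_tds_agent": "Alibaba Threat Detection Service agent (placeholder name)",
    "cloud_monitor_agent": "Alibaba CloudMonitor agent (placeholder name)",
    "host_security_agent": "Tencent Host Security agent (placeholder name)",
}

# Shared objects that are legitimately allowed in /etc/ld.so.preload. On most servers
# the file is absent or empty, so an empty allowlist is the sensible default.
PRELOAD_ALLOWLIST = set()


def parse_ps(ps_output):
    """Return the set of command names from `ps -eo comm` style output (header skipped)."""
    lines = ps_output.strip().splitlines()[1:]
    return {line.strip() for line in lines if line.strip()}


def check_preload(preload_text):
    """Return every ld.so.preload entry that is not on the allowlist.
    libprocesshider works by being listed here, so any unexpected entry is a finding."""
    entries = [l.strip() for l in preload_text.splitlines()
               if l.strip() and not l.lstrip().startswith("#")]
    return [e for e in entries if e not in PRELOAD_ALLOWLIST]


def check_host(ps_output, preload_text):
    """Combine both checks and describe what was found, in a fixed order."""
    running = parse_ps(ps_output)
    missing = sorted(name for name in EXPECTED_AGENTS if name not in running)
    preload = check_preload(preload_text)
    findings = []
    if preload:
        findings.append("unexpected ld.so.preload entries: " + ", ".join(preload))
    if missing:
        findings.append("expected security agents not running: " + ", ".join(missing))
    if preload and missing:
        findings.append("process hiding plus agent removal matches the a7 script behaviour")
    return findings


# Constructed sample data for a host after the a7 script has run: two of the three
# agents are gone and a shared object of unknown origin has been preloaded.
SAMPLE_PS = "COMM\nsystemd\nsshd\ncloud_monitor_agent\nkworker/0:1\n"
SAMPLE_PRELOAD = "/usr/local/lib/example_hidden.so\n"  # constructed path

if __name__ == "__main__":
    for finding in check_host(SAMPLE_PS, SAMPLE_PRELOAD):
        print("FINDING:", finding)
```

Because a preloaded library also affects ps itself, collect the process list for this check from /proc or a statically linked tool rather than trusting the host's dynamic ps.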

Neither Tencent Cloud nor Alibaba Cloud responded to Threatpost’s request for comment.

Malware Origins

As for the malware itself, Unit 42 researchers also suspect the family was developed by the Iron cybercrime group (the payloads for Iron’s and Rocke’s malware are similar, and the malware reaches out to similar infrastructure, Talos researchers said in their report).

The malware is also associated with Xbash, a sophisticated family in the wild disclosed by Unit 42 researchers in September, which wreaks havoc on Windows and Linux systems with a combination of data-destroying ransomware and malicious cryptomining.

However, this sample’s ability to uninstall security agents from systems takes it a step further when it comes to targeting public cloud infrastructure.

“The variant of the malware used by Rocke group is an example that demonstrates that the agent-based cloud security solution may not be enough to prevent evasive malware targeted at public cloud infrastructure,” researchers said in their report. “We believe this unique evasion behavior will be the new trend for malware which targets public cloud infrastructure.”

Google Patches ‘High Severity’ Bug

UPDATE Google is urging users to update their Chrome desktop browsers to avoid security issues related to a high-severity stack-based buffer overflow vulnerability. Google issued the alert Thursday and said an update for most browsers has been released.

“The stable channel has been updated to 62.0.3202.75 for Windows, Mac and Linux which will roll out over the coming days/weeks,” wrote Abdul Syed, a Google Chrome engineer, in a security bulletin to Google’s Chrome Release blog.

The bug is tied to the browser’s open-source Chrome V8 JavaScript engine on Windows 7 and later, macOS 10.5 and later, and Linux systems running Intel 32-bit (i386), ARM or MIPS processors, according to Google.

Google is not releasing any details surrounding this stack buffer overflow vulnerability (CVE-2017-15396), stating, “access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain (disclosure) restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” Chrome V8 is written in C++ and in Node.js, and can be embedded into any C++ application or run standalone, according to Google.

This type of bug typically allows attackers to execute arbitrary code within the context of a targeted application. A failed exploit attempt causes a denial-of-service condition, according to an OWASP Foundation description of the vulnerability.

According to an analysis of the vulnerability by researchers at Risk Based Security, the flaw is in International Components for Unicode for C/C++, a library used by V8. “Ultimately, while it does affect V8 and Chrome, the flawed code is not Google’s,” according to Risk Based Security. The vulnerability, a “NUL-terminated buffer handling buffer overflow,” was made public Oct. 11, according to the firm.

The bug was reported by researcher Yu Zhou, of Ant-Financial Light-Year Security Lab on Sept. 30. He was awarded $3,000 for the discovery through Google’s bug bounty program.

In December of 2016, Google also addressed high-severity vulnerabilities in Chrome’s V8 JavaScript engine. One of the flaws is described as a “private property access in V8” vulnerability. The other V8 issue is a use after free vulnerability in V8.

The United States Computer Emergency Readiness Team issued an alert for the buffer overflow vulnerability on Friday.

On Thursday Google also released an update for Chrome for Android (62.0.3202.73) that fixes a memory leak bug and a “major crash issue,” according to the advisory.

Google had previously updated the desktop Chrome 62 browser on Oct. 17. That update (62.0.3202.62) included 35 security fixes, eight rated high severity and seven ranked medium. The largest bug bounty payout was $8,837 for a UXSS with MHTML vulnerability (CVE-2017-5124), paid to an anonymous researcher. The flaw, according to a Red Hat description, is “found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim.”

BadRabbit Hitting Russia!

A ransomware attack has put a halt to business inside a handful of Russian media outlets and a number of major organizations in Ukraine, including Kiev’s public transportation system and the country’s Odessa airport.

The attacks are known as Bad Rabbit and hark back to this summer’s ExPetr/NotPetya attacks, which were also concentrated in Ukraine and Russia but which instead spread wiper malware building on the Petya attacks of 2016.

Today’s outbreak is spreading via drive-by download attacks from legitimate news sites, according to researchers at Kaspersky Lab, who published an analysis on Securelist. Russia’s Interfax is one such agency reporting its services are down because of the attack. The compromised sites serve a dropper in the guise of a phony Adobe Flash Player installer. Kaspersky Lab said it has observed victims in Turkey and Germany as well, counting almost 200 targets.

There are no exploits involved in this attack, Kaspersky Lab said; victims must manually launch the downloaded file named install_flash_player.exe. The executable requires elevated privileges to run and uses a Windows UAC prompt to obtain them, again with the victim’s permission. If the executable runs as expected, it fetches a file-encrypting malware called infpub.dat, Kaspersky Lab said, adding that the file may be capable of brute-forcing NTLM login credentials against Windows machines at pseudorandom IP addresses.

“This ransomware infects devices through a number of hacked Russian media websites. Based on our investigation, this has been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack,” Kaspersky Lab said in a statement. “However, we cannot confirm it is related to ExPetr. We continue our investigation.”

ExPetr emerged in late June and was quickly judged more dangerous than WannaCry, which had spread globally just a month earlier. Like WannaCry, the attackers behind ExPetr used the leaked NSA exploit EternalBlue to spread the malware. In the early hours of the attack, Danish shipping giant Maersk and Russian oil company Rosneft were reporting infections and impacts to their respective businesses. It was eventually determined that ExPetr was not a ransomware attack, but a wiper.

The infpub.dat file prominent in today’s attack also installs another malicious executable called dispci.exe. It creates tasks in the registry to launch the executable; the tasks are named after the dragons in Game of Thrones: Viserion, Drogon and Rhaegal. There is also a reference to the Game of Thrones character GrayWorm in the code.

“The executable dispci.exe appears to be derived from the code base of the legitimate utility DiskCryptor,” Kaspersky Lab said. “It acts as the disk encryption module which also installs the modified bootloader and prevents the normal boot-up process of the infected machine.”

Porn Site Becomes Hub for Malvertising Campaigns

Pornhub, a top-20 ranked U.S. website according to Alexa, was serving up large-scale malvertising attacks exposing millions of visitors to click-fraud.

Behind the attacks is the KovCoreG Group, best known for distributing Kovter click-fraud malware. The campaigns, spotted by researchers at Proofpoint, also impacted a number of other major websites that used the TrafficJunky advertising network abused by the adversaries. The ad network works primarily with adult-themed websites, based on a review of its marketing material.

“This attack chain exposed millions of potential victims in the U.S., Canada, the U.K., and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers,” wrote Proofpoint in a blogpost explaining KovCoreG’s recent activity and its most recent campaigns targeting Pornhub.

Pornhub and TrafficJunky did not respond to inquiries for this story.

Researchers said the attacks have been ongoing for the past year, but these recent campaigns are notable given the popularity of the site impacted. Pornhub receives on average 8.7 million unique visitors a day.

“We do not have data on the precise length of time that Pornhub and TrafficJunky were compromised but, as noted, we know that the KovCoreG Group has been using this type of attack on multiple sites for over a year,” said Kevin Epstein, VP of threat operations at Proofpoint in an interview with Threatpost. “It is likely that Pornhub in particular was being abused for some time, although both Pornhub and TrafficJunky moved very quickly to address the issue as soon as we informed them of the problem.”

The chain begins with a malicious redirect hosted on avertizingms[.]com, which inserts a call hosted behind KeyCDN, a major content delivery network. Once the adversary qualifies a victim by browser and geographic region, a malicious ad “delivers a page containing heavily obfuscated JavaScript identical to that used by Neutrino and NeutrAds,” researchers said.

Researchers cautioned that there are no known links between those behind the Neutrino exploit kit and KovCoreG other than some shared code, possibly written by a common coder.

“Despite dramatic declines in exploit kit activity over the last year, malvertising remains a profitable enterprise for actors who can achieve sufficient scale and deliver malware effectively in a landscape where vulnerable machines are increasingly scarce,” researchers said. To improve infection rates, criminals have turned to advanced filtering techniques and social engineering rather than exploits.

As for Chrome users stumbling on the malvertising campaign via Pornhub, a fake browser update message, “Critical Chrome update,” is presented to the potential victims. If the target clicks on the “Download Now” link, a zipped runme.js file is dropped onto the target’s PC.

“The runme.js file is associated with the fake Chrome update and beacons back to the same server hosting the social engineering scheme. This adds an extra layer of protection against replay or study,” researchers said.

Latin American ATM Thieves Turning to Hacking

MADRID—ATM jackpotting is hardly a novelty act in Latin America where criminals are more than ever connecting with hackers to figure out how to more efficiently steal money from an automated teller than, say, by using a stick of dynamite.

No, it’s not uncommon to hear about thefts in Brazil, Mexico, Colombia, Peru and elsewhere that involve explosives and a mangled ATM left in their wake. In fact, Kaspersky Lab researchers Fabio Assolini and Thiago Marques on Thursday at Virus Bulletin showed a couple of surveillance videos during a talk on the subject that show criminals vandalizing machines, destroying them with dynamite and leaving behind sometimes more than just a charred ATM.

But that is changing.

A quick tour through some underground forums, and you’re bound to find posts from Latin American criminals soliciting help. Posts written in Portuguese and Spanish on Russian and Eastern European forums are looking for purpose-built ATM malware, and even ATM manuals in order to learn more about the inner workings of these cash boxes.

“Eastern European hackers are leading the way in creating malware for ATMs, with Latin American hackers right behind,” Assolini said.

They’re investing in, or learning how to write, ATM malware from scratch, the researchers said. Sometimes they’re penetrating bank networks to conduct remote attacks, but more often than not, these attacks require physical access to an ATM. That means, Assolini and Marques explained, loading malware from a USB stick, CDs (on older ATMs) or plugging in a USB keyboard in order to access the backend of one of these machines.

Once they’re on, criminals can dictate how much money they want to take from the machines, and don’t expect them to hang around for a long while.

“They want to jackpot ATMs quickly after infecting the machine or the network,” Assolini said, pointing out that the criminals want a hasty exit in order to avoid detection.

In a paper released alongside their talk, Assolini and Marques write about longstanding business relations between Eastern European and Latin American cybercriminals, mostly around cloned credit cards. ATM malware, meanwhile, surfaced in 2008 with Skimer, which was able to steal either money or data from cards used at machines. Kaspersky also published a report on the Tyupkin ATM malware in 2014, and a year later another report demonstrating evidence of cooperation between Latin American criminals and the Eastern European groups behind the Zeus and SpyEye banking Trojans.

“The facts demonstrate that Latin American cybercriminals are adopting new techniques as a result of collaboration with their Eastern European counterparts,” they wrote in the Virus Bulletin paper. “We believe this is only the tip of the iceberg, as this kind of exchange tends to increase over the years as crime develops and criminals look for ways to attack businesses and individuals.”

During today’s talk the researchers covered four malware families prevalent among ATM hackers: Ploutus, Prilex, Green Dispenser and Ice5.

Ploutus, Marques said, has been on the scene since 2013 primarily infecting machines in Mexico, and has accounted for more than $64M USD in losses. Ploutus requires physical access via a USB or CD to deploy the malware in order to steal the ATM ID used to activate and identify an ATM before cashing out. A variant of the malware now interacts with a popular ATM platform called Kalignite, which runs on a number of machines made by different vendors including Diebold.

Once an attacker connects to the machine via keyboard, they can use the malware to generate an activation code and access funds stored inside the machine. Marques said the attackers aren’t shy about their work, leaving messages in the code such as “Ploutus: Made in Latin America.”

Ice5 and Prilex are almost exclusive to Brazil and were developed in the country. Ice5 targets ATMs manufactured by NCR, while Prilex is more complex and interacts with libraries from specific vendors, indicating particular knowledge of the ATM and its related network.

“Once the malware is running, it has the capability to dispense money from the sockets using a special window that is activated using a special key combination that is provided to the money mules by the criminals,” the researchers wrote, adding that the malware also includes a component that steals strip data from cards, to be collected later.