Friday, January 28, 2022

, , , ,

VirusTotal Multisandbox += SecneurX


VirusTotal welcomes SecneurX to the multi-sandbox project. This new behavioral analysis platform is helping provide additional details on Windows executables, Office documents, and Android APKs.

In their own words:

SecneurX Advanced Malware Analysis (SnX) platform provides visibility and context into advanced threats with its extensive malware analysis & detection capabilities. The analysis platform is based on a unique architecture that emulates an enterprise environment for analyzing the most evasive and concealed malware. It performs both static and dynamic behavior analysis of different file types (.doc, .pdf, .msg, .eml, .xlsx, .exe, .ppt, .csv, .apk etc.) and generates a detailed report describing the malware behavior. Extracted Indicators of compromise (IOCs) and human-readable behavior reports can be used to augment existing intelligence data and help to give "context" about IPs, domains, URLs, Registry, Process activity, file names, and hashes.

On VirusTotal you can find the SecneurX reports on the Behavior tab:

Let's take a deeper look at some interesting samples showcasing SecneurX capabilities:

EXE file which spreads via SMB protocol

602b3c6dba465a535293d06ff498354a6a5631299f8edbaba4bec7d4df98e1e6

This EXE is a crypto mining worm that uses exploits to steal credentials and spreads laterally to other machines in the network. It communicates with its CNC and transfers its malicious binary through SMB protocol to other machines on the local network.

Click on the full report icon, to see the SecneurX detailed report.
A few interesting points in the full report are highlighted:


VirusTotal enterprise customers may search other samples on VirusTotal that use this firewall command you can use the behaviour_processes file search modifier in a query similar to:

behaviour_processes:"netsh firewall add portopening tcp 65533 DNSd"

An example searching for scheduled tasks:

behaviour_processes:"schtasks /create /ru system"




Email with attached password-protected XLS spreadsheet which launches PowerShell


This email message contains an attached password-protected XLS spreadsheet which when triggered launches a Living of the Land attack using an obfuscated PowerShell script to download a second-stage attack payload. SecneurX extracts and executes them




Within the process tree we can see powershell commands to create a TLS connection, You can search VirusTotal to find other samples using this technique with a query like behaviour_processes:"System.Net.SecurityProtocolType" and behaviour_processes:powershell


Android App (APK) with multi-stage payload downloader showing Joker malware behavior

The APK: 1e2c99c68390baefa7d9eba4a429f9b009aa4ade281909831fa2c50a944ae5ab downloads malicious payload via HTTP. In this VT-Graph view we can investigate how it is related to other malware samples.

Excel spreadsheet abusing the legacy equation editor to execute a custom payload

This excel spreadsheet https://www.virustotal.com/gui/file/1a022d0240a252df61e043a2a17a0a41da0dfb94c3e3de8d0a9f4d411559cfa3/behavior/SecneurX exploits Office’s legacy equation editor to download a remote artifact and execute it



We welcome this new addition to VirusTotal, SecneurX will help put the spotlight on malware. Happy hunting.

Friday, January 07, 2022

Monitoring malware abusing CVE-2020-1599

CVE-2020-1599 is a vulnerability that can be abused by adding data (that will be later executed) to the signature section of a file, for instance appending a VB script. Unfortunately, Microsoft signature chain certification will not detect that the signature was modified and accept the file as legitimately signed, which can be used to avoid security checks. This is all described in this blog post by our colleagues at Checkpoint, also explaining how ZLoader is using this technique for persistence in recent campaigns.

A non-malicious file abusing this technique can be found here. The file is not malicious per se, as it simply opens the calc.exe utility.

This malicious technique can be mitigated as described here

In order to monitor any additional malware abusing this vulnerability, we decided to create a YARA and run a VirusTotal Livehunt, so we will get notified any time a new suspicious file shows up in VirusTotal:

import "pe"
import "vt"

rule CVE-2020-1599_suspicious_signed {

meta:
      author = "@fcojsantos"
      created = "2022.01.07"
      reference = "https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/"

strings:
      $script = "<script" nocase
      $script2 = "language" nocase
      $script3 = "vbscript" nocase

condition:
      pe.is_pe
      and pe.number_of_signatures > 0
      and not for all i in (0..pe.number_of_signatures - 1): (
      
      pe.signatures[i].valid_on(pe.timestamp)
      )
// Searches for script literal from the signature offset on
      and $script in (pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address..filesize)
      and $script2 in (pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address..filesize)
      and $script3 in (pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address..filesize)
      and for any tag in vt.metadata.tags : ( tag == "signed" )
}

This YARA searches for suspicious script-related strings appended to the signature. However, YARA cannot check the certificate chain that confirms if the signature itself is valid or not, it only checks that the certificate exists. And here is where the YARA’s vt module comes to the rescue.

In this case, the last condition ‘for any tag in vt.metadata.tags : ( tag == "signed" )’ will check that there exists at least one “signed” tag for the file, meaning that Microsoft Windows WinVerifyTrust function confirms this is a fully valid signature (it is not, as it abuses CVE-2020-1599).

Now, armed with this, we can find several interesting samples abusing this vulnerability that we added to a VT collection.

Additionally, we were interested in understanding how these files were distributed. We created a small graph to visualize any distribution vectors:

In addition to teamworks455[.]com (already listed as malicious in Checkpoint’s blog post), we found commandaadmin[.]com distributing similar malware. You can monitor any malware distributed in the wild by these domains with the following VT intelligence query:

entity:file (itw:commandaadmin or itw:teamworks455)

This query returns some of the indicators already published by Checkpoint plus a few new ones that might be interesting to take a look at.

We hope this post will be useful to understand how we can quickly monitor and do some hunting every time attackers use new techniques. Happy hunting!