TOP MIDDLE EAST CYBER THREATS-30 AUGUST 2018

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top two cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

1) Targeted Ransomware Sets Sights on Enterprises

Ryuk, a targeted ransomware, has attacked several enterprises, encrypting hundreds of PCs, storage devices and data centres in each infected company. Like many other ransomware campaigns, Ryuk demands payment in Bitcoin.
Ryuk’s encryption logic resembles that of the HERMES ransomware, and Ryuk is therefore believed to be a new variant of it. From the exploitation phase through the encryption process and up to the ransom demand itself, the carefully operated campaign targets enterprises that can make large payments to get business back on track. Once its cryptographic setup is complete, it encrypts every drive and network share on the victim’s system except for any file or directory whose path contains a string from a hardcoded whitelist, which includes “Windows”, “Mozilla”, “Chrome”, “RecycleBin” and “Ahnlab”.
Attack Description:
The threat actors select companies one at a time and then attack via spear-phishing emails or Internet-exposed, poorly secured Remote Desktop Protocol (RDP) connections. Unlike other ransomware, Ryuk’s encryption scheme is intentionally built for small-scale operations: only crucial assets and resources are infected in each targeted network, with infection and distribution carried out manually by the attackers. This indicates that extensive network mapping, hacking and credential collection take place before each operation.
The Ryuk dropper contains 32-bit and 64-bit modules of the ransomware, embedded one after the other in the dropper’s binary. At the beginning of its execution, the dropper generates a random 5-letter file name for seed generation. The payload file is then written into a directory chosen according to the version of Windows on the victim’s computer: on Windows XP or Windows 2000 the file is created in “\Documents and Settings\Default User\”, otherwise in “\users\Public\”. If this file creation fails, the dropper attempts to write the file into its own directory, using its own name with the letter ‘V’ appended as the last character. After creating the file, the dropper checks whether the process is running under Windows on Windows 64 (WoW64) and writes the suitable payload (32- or 64-bit) depending on the result. Finally, before terminating, the dropper calls ShellExecuteW to execute the Ryuk ransomware payload it has just written.
Upon execution, the Ryuk ransomware sleeps for several seconds and then checks whether it was launched with an argument. If an argument was passed, it is used as the path to a file that is deleted with DeleteFileW; based on the dropper code, this argument is the path to the dropper itself. Following this, the ransomware kills more than 40 processes and stops more than 180 services by running taskkill and net stop against a predefined list of process and service names.
Ryuk uses a rather basic injection technique: it first obtains a handle to the target process with OpenProcess and allocates a buffer in that process’s address space with VirtualAllocEx. The injected code holds the core functionality the ransomware uses for file encryption. It begins by decrypting a list of API function name strings using a predefined key and an array of string lengths, then uses those names to dynamically resolve the corresponding functions.
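The service-stopping phase and the payload staging path described above are what a SOC can look for in endpoint telemetry. The following is an added example (not code from the advisory) that scans constructed Sysmon-style process-creation records for one parent launching a burst of taskkill/net stop children and then checks whether that parent ran from the staging directories under a 5-letter name. The field names (ts, pid, ppid, image, cmdline), the 5-letter-name regex and the threshold of 20 kills in 60 seconds are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Staging directories the advisory names for the dropped payload, and the 5-letter
# random file name the dropper generates (the exact name pattern is an assumption).
DROP_DIRS = ("\\users\\public\\", "\\documents and settings\\default user\\")
PAYLOAD_NAME = re.compile(r"\\[a-z]{5}\.exe$", re.IGNORECASE)
KILL_CMDS = (("taskkill",), ("net", "stop"), ("net1", "stop"))

def is_kill_command(cmdline):
    """True for 'taskkill ...' or 'net stop ...' command lines (case-insensitive)."""
    parts = tuple(cmdline.lower().replace(".exe", "").split())
    return any(parts[:len(k)] == k for k in KILL_CMDS)
def suspicious_drop(event):
    """Payload launched from a staging directory under a 5-letter name."""
    image = event["image"].lower()
    return any(d in image for d in DROP_DIRS) and bool(PAYLOAD_NAME.search(image))

def find_kill_bursts(events, threshold=20, window=timedelta(seconds=60)):
    """Parent PIDs that launch >= threshold kill commands inside a sliding time window."""
    per_parent = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if is_kill_command(e["cmdline"]):
            per_parent.setdefault(e["ppid"], []).append(datetime.fromisoformat(e["ts"]))
    flagged = set()
    for ppid, times in per_parent.items():
        start = 0
        for end, t in enumerate(times):          # advance the window start as time moves on
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ppid)
                break
    return flagged
def triage(events):
    """Map each bursting parent PID to whether it also ran from the staging path."""
    by_pid = {e["pid"]: e for e in events}
    return {p: p in by_pid and suspicious_drop(by_pid[p]) for p in find_kill_bursts(events)}

def sample_events():
    """Constructed telemetry: a staged payload kills 25 services in 25 s; an admin stops one."""
    base = datetime(2018, 8, 30, 10, 0, 0)
    evs = [{"ts": base.isoformat(), "pid": 4100, "ppid": 4000, "image": "C:\\users\\Public\\kqzvx.exe",
            "cmdline": "C:\\users\\Public\\kqzvx.exe C:\\Temp\\dropper.exe"}]
    for i in range(25):
        cmd = f"taskkill /IM svc{i}.exe /F" if i % 2 else f"net stop svc{i} /y"
        evs.append({"ts": (base + timedelta(seconds=1 + i)).isoformat(), "pid": 4200 + i,
                    "ppid": 4100, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": cmd})
    evs.append({"ts": (base + timedelta(minutes=5)).isoformat(), "pid": 5000, "ppid": 1234,
                "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "net stop spooler"})
    return evs
```

On the constructed sample, triage(sample_events()) returns {4100: True}: the staged payload is flagged for its kill burst and for running from \users\Public\, while the administrator's single net stop is ignored.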
Recommendations:

  • Restrict script execution to isolated virtual environments rather than production network devices.
  • Maintain robust email filtering to reduce the volume of spam and phishing mail.
  • Scan all email attachments before they are opened or executed on a domain device.
  • Frequently update and review security policies and user privileges. Limit domain users’ privileges so they can access only the content they need to perform their tasks.
  • Maintain regular health checks and backup points so that recovery can begin immediately.
  • Obtain threat intelligence from multiple feeds and blacklist/block any suspected Indicator of Compromise (IOC).
  • Frequently patch and update security devices via the vendor’s recommended upgrade path.
  • Change the default listening port for Remote Desktop, as this offers effective protection against the latest RDP worms.
  • Make sure RDP is locked down correctly. This includes ensuring that no computers running Remote Desktop Services are connected directly to the Internet; instead, place them behind a VPN so that they are reachable only by users who hold VPN accounts on your network.
  • Use two-factor authentication on highly sensitive systems.

2) Attack of the AdvisorsBot

There has been a growing trend of small, versatile malware that gives threat actors the flexibility to launch future attacks by identifying systems of interest that may lend themselves to more significant compromise. The latest attack of this type is AdvisorsBot, a previously undocumented downloader uncovered in malicious email campaigns attributed to the TA555 threat actor. AdvisorsBot is written in C, but variants in other languages such as PowerShell and .NET also exist, suggesting the code is under active development.
Attack Description:
The attackers use the AdvisorsBot downloader as a first-stage payload which loads a fingerprinting module that is presumably used to identify targets of interest to further infect with additional modules or payloads.
AdvisorsBot implements several anti-analysis features, such as junk code that makes the malware hard to reverse engineer. Most strings are stored as “stack strings”: the characters are written onto the stack one instruction at a time, so the strings never appear contiguously in the binary and are harder to spot quickly. It also employs Windows API function hashing, which hinders identification of the malware’s functionality, and it can detect virtualized environments.
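To show what the stack-string technique looks like from the analyst's side, here is an added example (not from the advisory or from any published AdvisorsBot analysis) that recovers such strings from a disassembly listing in which each mov stores one or four bytes at an ebp-relative offset. The listing, its offsets and the helper names are constructed for illustration; real samples also use other registers and store widths, which the regex does not cover.

```python
import re
# Matches stores such as "mov byte ptr [ebp-24h], 6Bh" or "mov dword ptr [ebp-20h], 0x6C656E72".
HEX = r"(0x[0-9a-f]+|[0-9a-f]+h?)"
STORE = re.compile(r"mov\s+(byte|dword)\s+ptr\s+\[ebp([+-])" + HEX + r"\]\s*,\s*" + HEX, re.IGNORECASE)

def parse_hex(text):
    """Accept both MASM-style (0FFh) and C-style (0xFF) hex literals."""
    text = text.lower()
    return int(text[2:], 16) if text.startswith("0x") else int(text.rstrip("h"), 16)

def stack_bytes(listing):
    """Map each ebp-relative offset written by a mov to the byte stored there (dwords little-endian)."""
    cells = {}
    for m in STORE.finditer(listing):
        size, sign, off, val = m.groups()
        base = parse_hex(off) * (-1 if sign == "-" else 1)
        width = 4 if size.lower() == "dword" else 1
        for i, b in enumerate(parse_hex(val).to_bytes(width, "little")):
            cells[base + i] = b
    return cells

def recover_strings(listing, min_len=4):
    """Join contiguous printable cells into strings; a NUL, non-printable byte or offset gap ends one."""
    cells, found, run, prev = stack_bytes(listing), [], bytearray(), None
    for off in sorted(cells):
        b = cells[off]
        printable = 0x20 <= b < 0x7F
        if (prev is not None and off != prev + 1) or not printable:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
        if printable:
            run.append(b)
        prev = off
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found

# Constructed listing: "kernel32" via two dword stores, "Sleep" byte by byte, one unrelated store.
LISTING = """
mov byte ptr [ebp-30h], 1
mov dword ptr [ebp-28h], 6E72656Bh   ; 'kern'
mov dword ptr [ebp-24h], 32336C65h   ; 'el32'
mov byte ptr [ebp-08h], 53h          ; 'S'
mov byte ptr [ebp-07h], 6Ch          ; 'l'
mov byte ptr [ebp-06h], 65h          ; 'e'
mov byte ptr [ebp-05h], 65h          ; 'e'
mov byte ptr [ebp-04h], 70h          ; 'p'
mov byte ptr [ebp-0x03], 0x0
"""
```

recover_strings(LISTING) returns ["kernel32", "Sleep"]: the first string is closed by the gap in offsets, the second by its NUL terminator, and the lone byte at ebp-30h is too short to report.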
The most recent attacks use a PowerShell command that downloads a second PowerShell script, which executes embedded shellcode to run the downloader directly in memory. Communication with the Command and Control (C&C) server is over HTTPS, and the C&C sends commands via GET requests. At the time of analysis the malware supported only two commands: load a module, or load shellcode in a thread. It performs the following activities and sends their output back to the C&C:

  • Takes a screenshot and base64 encodes it
  • Extracts Microsoft Outlook account details
  • Runs the following system commands:
      • systeminfo
      • ipconfig /all
      • netstat -f
      • net view
      • tasklist
      • whoami
      • net group "domain admins" /domain
      • dir %USERPROFILE%\Desktop
      • wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName,pathToSignedProductExe
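Because the fingerprinting stage runs a fixed set of commands, it can be detected independently of the C&C domain. The following is an added example (not code from the advisory) that normalises constructed process-creation command lines to the reconnaissance commands listed above and flags any parent process that issues most of that set. The record fields (pid, ppid, cmdline), the label names and the coverage threshold of five distinct commands are assumptions for illustration.

```python
import re

# The fingerprinting commands the advisory lists, as normalised token prefixes.
RECON_COMMANDS = {
    "systeminfo": ("systeminfo",),
    "ipconfig_all": ("ipconfig", "/all"),
    "netstat_f": ("netstat", "-f"),
    "net_view": ("net", "view"),
    "tasklist": ("tasklist",),
    "whoami": ("whoami",),
    "domain_admins": ("net", "group", "domain admins", "/domain"),
    "desktop_listing": ("dir", "%userprofile%\\desktop"),
    "av_enum": ("wmic", "/namespace:\\\\root\\securitycenter2", "path", "antivirusproduct", "get"),
}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # quoted argument or bare word

def normalise(cmdline):
    """Lower-case, strip any path or .exe suffix from the program name, unquote arguments."""
    tokens = [quoted or bare for quoted, bare in TOKEN.findall(cmdline.lower())]
    if tokens:
        tokens[0] = re.sub(r"\.exe$", "", tokens[0].rsplit("\\", 1)[-1])
    return tuple(tokens)

def classify(cmdline):
    """Return the label of the recon command a command line matches, or None."""
    tokens = normalise(cmdline)
    for label, pattern in RECON_COMMANDS.items():
        if tokens[:len(pattern)] == pattern:
            return label
    return None

def recon_coverage(events, min_commands=5):
    """Distinct recon commands per parent PID; return only parents reaching min_commands."""
    seen = {}
    for e in events:
        label = classify(e["cmdline"])
        if label:
            seen.setdefault(e["ppid"], set()).add(label)
    return {ppid: sorted(labels) for ppid, labels in seen.items() if len(labels) >= min_commands}

def sample_events():
    """Constructed telemetry: parent 900 issues the whole fingerprint set, parent 600 only two."""
    recon = ["SystemInfo", "ipconfig /all", "netstat -f", "net view", "tasklist", "whoami",
             'net group "domain admins" /domain', "dir %USERPROFILE%\\Desktop",
             "wmic /namespace:\\\\root\\securitycenter2 path antivirusproduct GET displayName,pathToSignedProductExe"]
    evs = [{"pid": 1000 + i, "ppid": 900, "cmdline": c} for i, c in enumerate(recon)]
    evs += [{"pid": 2000 + i, "ppid": 600, "cmdline": c} for i, c in enumerate(["whoami", "ipconfig /all"])]
    return evs
```

Single recon commands are routine administrator activity, so the coverage threshold, not any one command, carries the signal; tune it against your own baseline.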

Recommendations:

  • Use a reliable and trusted email security solution.
  • Perform DNS-based blacklisting, either manually or via a script, on a regular basis to block malicious sources identified in threat feeds and intelligence.
  • Enable URL and spam filtering, IPS, IDS, SMTP call-back verification and other security functions.
  • Scan attachments and files received from any source before they are executed.
  • Disable the use of scripts on domain PCs.
  • Maintain strict privileges and policies for domain devices to limit what users can access.
  • Regularly update and patch security devices such as firewalls and Web Application Firewalls (WAFs).
  • Use multi-factor authentication for logins performed within the organization.

As always, at Help AG, we’re here to help you protect against these and any other cyber threats, so please reach out to us for all your cyber security needs.
Blog By:
Shaikh Azhar, Cyber Security Analyst at Help AG
