Weekly Threat Briefs - Fortiguard

Fel Grossi

Level 13
Thread author
Top Poster
Jan 17, 2014

Activity Summary -- Week Ending Jan 25, 2019

FortiGuard Labs has a dedicated team of researchers that look for vulnerabilities and weaknesses in high-impacting programs and applications. The intent is to find the vulnerabilities before the bad actors, and work with the affected vendors to get an effective patch released before the vulnerability is exploited.

In December, the FortiGuard Labs research team discovered a vulnerability in QuartzCore of macOS and iOS. This week, Apple released two updates: macOS 10.14.3 and iOS 12.1.3, which include the fix for this vulnerability with the identifier CVE-2019-6231. The vulnerability could allow a malicious application to gain access to restricted memory.

QuartzCore, also known as CoreAnimation, is a framework used by macOS and iOS to create animatable screen graphics. It uses a unique rendering model where the graphics operations are run in a separate process. The process is WindowServer. On iOS, the process is backboardd. Both of these processes have the right to call setuid.

The service named com.apple.CARenderServer in QuartzCore is usually referenced as CARenderServer. This service exists in both macOS and iOS, and can be accessed from the Safari sandbox. There also exists an integer overflow when QuartzCore handles image objects in the function CA::Render::Image::Decode().

You can get the full details of our analysis on the blog, where we deep dive into the macOS vulnerability [Read More]. Apple spells out more details around their two updates here

Anatova Ransomware - A new multi-module ransomware has been discovered. Anatova is being reported across the globe, with most detections in the United States, followed by Belgium, Germany, France and the United Kingdom. The malware authors typically use an icon for a game or application as a decoy to entice users to download it.

Anatova, when launched, asks for admin privileges, runs a few checks and then encrypts files on the computer. It then demands 10 DASH coins ($700 value). The ransomware's multi-module feature extends its capabilities to cause further villainous activities, at a later time, potentially becoming an 'all-in-one' tool. Anatova reportedly contains an anti-analysis routine by embedding a memory cleaning procedure that appears to activate under certain conditions. One interesting tactic is checking the username of the logged-in user; if it matches a specific list, then a cleaning process is employed and the ransomware exits. Interestingly, the ransomware also uses some tricks: encrypting most of its strings, using different keys to decrypt them, and relying on dynamic calls. Each victim needs a separate and specific key to unlock the encrypted files. Additionally, to eliminate file recovery opportunities, the ransomware destroys the volume shadow copies, overwriting them ten times to ensure that no recovery from local backups is possible.

Due to Anatova's obfuscation capabilities and the ability to infect network shares, there is concern that this could be a potentially serious threat. Note that while we have seen ransomware threats trending down in overall numbers of late, this type of threat still poses a consequential problem and should be taken seriously. For more details: [Read More]

Signatures: W32/Azden.A!tr, W32/Encoder.BHU!tr, W64/Encoder.BHU!tr.ransom

Drupal.Core.database.inc.expandArguments.SQL.Injection -- Drupal is an open-source content-management platform written in PHP and distributed under the GNU General Public License. The standard release of Drupal, Drupal Core, contains features common among content management systems. In 2014, an SQL injection vulnerability was discovered in Drupal Core. The vulnerability is due to insufficient validation of user-supplied data when expanding argument values used in SQL queries.

A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted parameter to a Drupal Core server. Successful exploitation could lead to arbitrary code execution under the security context of the server. This issue lies in the "expandArguments" function found in the database abstraction API in Drupal Core versions 7.x. Prior to version 7.32, this function did not properly construct prepared statements.

Malicious.JavaScript.Obfuscation.Code.Packer.Detection -- This signature helps us gauge the prevalence of popular obfuscation techniques generally used when delivering malicious JavaScript payloads. The signature attempts to detect the most common evasion tactics used to conceal mal-intended JavaScript scripts.

Certain evasion methodologies are constantly being used by threat actors to try to bypass conventional signature matching and outdated AV technology. Important functions being used by these threats include the unescape(), reverse(), and toString() functions. The order in which they appear is also significant and hence analyzed by the signature. We have observed a significant increase of events triggered across our devices related to this specific IPS signature on a daily basis, which suggests this is a popular method by attackers.

Signatures: Malicious.JavaScript.Obfuscation.Code.Packer.Detection

A 'Rocke'-y and Cloudy Start to 2019 -- FortiGuard Labs is aware of recent activity from a malware family coined the Rocke Group that actively targets cloud products. This week, researchers released research on the cryptojacking activity that bypassed cloud security products by simply uninstalling them. The malware targets cloud workload protection platforms (CWPPs). Specifically, the products that appeared to be targeted in this attack were well known Chinese-based cloud security solutions. The malware targets Linux-based servers. It is believed that the Iron cyber-crime group, an APT believed to be of Chinese origin, is behind these attacks.

The steps taken by the malware will ultimately lead to the execution of a Monero cryptocurrency miner on the infected system. To do so, the malware will execute known exploits to attempt to get admin-level access on the machine. This will allow the malware to perform a service uninstall. Thus, the malware will attempt to uninstall various cloud security services popular in China. With the security service uninstalled, the malware will then proceed to download a payload from a server and run it. The malware may also make several attempts to ensure it is the only process in the system to mine for cryptocurrency by killing other processes and blocking other similar cryptomining malware.

Although the steps taken by this malware appear straightforward, incidents like these will only become more prevalent over time as more and more services move to the cloud. In conclusion, it is important to continue to focus on robust cloud security solutions and mitigate these challenges posed to cloud security products.

Signatures: Oracle.WebLogic.Server.wls-wsat.Component.Code.Injection, Linux/CoinMiner.0623!tr


Magecart Attacks: Ecommerce Advertising on the Line? -- FortiGuard Labs is aware of recent activity from the actors behind the recent round of Magecart attacks. Earlier this week, researchers documented yet another Magecart attack on multiple ecommerce websites through code injection into a third-party JavaScript library offered by an advertising company. It appears that the organization responsible for the library has since made the appropriate amends. However, prior to its detection, there were over 250 ecommerce websites documented to be affected.

Magecart is originally an open-source shopping cart. A compromised Magecart is an exploited version of the original that aims to steal payment information through skimming scripts. This most recent documented attack was suspected to be carried out by a new subgroup of Magecart actors dubbed Magecart Group 12. To avoid detection, an obfuscated malicious JavaScript script is injected into an ecommerce site. Then, upon detecting user payment, the malicious script will record form fields and values and encode them in Base64 before sending it to the server. The origin of this attack indicates a European target and/or source as the script attempts to identify English, French, and German keywords.

Signatures: JS/MCart.4C13!tr, JS/MCart.281D!tr, JS/MCart.6850!tr, JS/MCart.9260!tr


Controlling the Control Panel -- The FortiGuard Web Filter team is aware of a phishing campaign that bypasses email security measures via a file attachment with a .cpl extension. Earlier this week, researchers released information on this phishing campaign. The emails claim to be a message from the "Servicio de Impuestos Internos," the Internal Revenue Service of Chile, and appear to target Spanish-speaking victims. Specifically, the campaign is seen to be targeting South American citizens. The use of these .cpl files as attachments has been seen with other phishing campaigns delivering known banking Trojans, like Banload.

A .cpl file is originally intended for use by Control Panel tools on Windows operating systems. Once the .cpl file has been executed, it will download the second payload to execute an OverByte ICS Logger. Upon successful execution of this payload, this keylogger will attempt to log the victim's banking information and send it to the C2 server.

The FortiGuard Web Filter team has blacklisted all the IPs and URLs associated with this phishing campaign.


Endless Zero-Days? - As malicious actors begin to incorporate artificial intelligence and machine learning into their exploit models, zero-day vulnerabilities and exploits will explode, and the threat landscape will be completely transformed [Read More]

The Security Implications for 5G and IoT - With literally billions of IoT devices interconnected across a meshed edge environment, any device can become the weakest link in the security chain and put the entire enterprise at risk. Addressing this challenge will require some fundamental shifts in how we think about networking and security [Read More]
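The Malicious.JavaScript.Obfuscation.Code.Packer.Detection entry above says the signature keys on unescape(), reverse() and toString() and on the order they appear in. Here is an added example of that kind of order-sensitive check, written for this thread and not taken from FortiGuard or from the signature itself. The two scripts are constructed samples (the "packed" one carries filler text, not a real payload), and the scoring threshold is an arbitrary choice for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample scripts (not taken from any real campaign).
BENIGN_JS = """
function greet(name) { return "Hello, " + name.toString(); }
document.getElementById("out").textContent = greet("world");
"""

# Classic packer shape: an escaped payload is reversed, unescaped, then
# handed to eval(). The payload string is constructed filler, not malware.
PACKED_JS = """
var p="%6c%61%6e%67%69%73%20%74%73%65%74";
var s=p.split("").reverse().join("");
eval(unescape(s).toString());
"""

# The sequence the brief describes: reverse the string, unescape it, then
# toString() it. Order matters, so we check for an ordered subsequence,
# not just the presence of the three names.
SUSPICIOUS_SEQUENCE = ("reverse", "unescape", "toString")
CALL_RE = re.compile(r"\b(unescape|reverse|toString|eval|String\.fromCharCode)\s*\(")


@dataclass
class Verdict:
    calls: list
    ordered_hit: bool
    eval_present: bool
    score: int


def extract_calls(js: str) -> list:
    """Return the obfuscation-relevant calls in source order."""
    return [m.group(1) for m in CALL_RE.finditer(js)]


def contains_in_order(seq, subseq) -> bool:
    """True if every element of subseq appears in seq, in order (gaps allowed)."""
    it = iter(seq)
    return all(any(x == want for x in it) for want in subseq)


def analyze(js: str) -> Verdict:
    calls = extract_calls(js)
    ordered = contains_in_order(calls, SUSPICIOUS_SEQUENCE)
    has_eval = "eval" in calls
    # Arbitrary scoring for illustration: one point per distinct indicator,
    # two extra for the ordered chain, one extra for eval().
    score = len(set(calls) & set(SUSPICIOUS_SEQUENCE))
    score += 2 if ordered else 0
    score += 1 if has_eval else 0
    return Verdict(calls, ordered, has_eval, score)


def is_packed(js: str, threshold: int = 4) -> bool:
    """Verdict helper: True when the script looks like a packer/obfuscator."""
    return analyze(js).score >= threshold


if __name__ == "__main__":
    for label, js in (("benign", BENIGN_JS), ("packed", PACKED_JS)):
        print(label, analyze(js))
```

A benign script that merely calls toString() once scores 1 and passes; the packed sample hits the ordered chain plus eval() and is flagged. A real signature would also look at string entropy and fromCharCode() runs, but the ordered-subsequence check is the part the brief highlights.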

Fel Grossi


Activity Summary -- Week Ending Feb 1, 2019

FortiGuard Labs researchers discovered a remote code execution vulnerability in some routers shipped by Cerio (CVE-2018-18852). Cerio manufactures a series of network routers directly competing with Asus and Linksys routers. A malicious authenticated user can forge an HTTP request to inject operating system commands that can be executed on the device with higher privileges. Our researchers identified 10 different IoT malware samples which embed the exploit in their arsenal. We have been able to link the malware to the Mirai botnet. This week the zero-day was advertised online and the code is publicly available on GitHub. Our FortiGuard Labs sensors have identified many devices prone to this vulnerability. IoT malware authors are now embedding the code to enslave more online devices.

Once we discovered the vulnerability in October, we created the following signature: Cerio.Save.CGI.POST.Remote.Code.Execution

Additionally, Cisco recently patched several vulnerabilities that FortiGuard researchers discovered late in 2018.

FortiGuard Labs discovered several memory corruption vulnerabilities in Cisco WebEx Network Recording Player and WebEx Player. Their CVE identifiers are CVE-2019-1637, CVE-2019-1640 and CVE-2019-1641. These vulnerabilities exist because the vulnerable software can't correctly parse crafted ARF files, which causes out-of-bounds memory access. These vulnerabilities could allow malicious users to create remote code execution scenarios.

FortiGuard Labs already released the following FortiGate IPS signatures which cover these specific vulnerabilities:
Cisco.Webex.NRP.Memory.Corruption.CVE-2019-1637, Cisco.Webex.NRP.Memory.Corruption.CVE-2019-1640, Cisco.Webex.NRP.Memory.Corruption.CVE-2019-1641

FortiGuard follows responsible disclosure policy and will only discuss our zero-day vulnerability research once the affected vendor has released a patch.

Palo.Alto.Networks.Firewall.Web.Interface.Remote.Code.Execution -- This signature is related to CVE-2017-15944 and it allows for unauthenticated remote code execution on Palo Alto Networks firewalls through bugs found on the web-management interface. Vulnerable versions are PAN-OS 6.1.18 and earlier, PAN-OS 7.0.19 and earlier, and PAN-OS 8.0.5 and earlier.

Unauthenticated remote code execution is possible due to chaining of various vulnerabilities present on the PHP web-management module of the operating system. The first bug is a partial authentication bypass that leverages flawed input sanitization to gain access to all PHP files managed by the HTTP process. The second bug is on the JSON API interface, which has an XML injection vulnerability due to failure to sanitize input XML parameters. This allows for arbitrary directory creation by modification of the cookie value on the JSON request.

Our telemetry is showing an increased detection of this signature.


OpenSSL.ChangeCipherSpec.Injection -- This signature detects attempts made to exploit CVE-2014-0224, which is a bug in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h. The vulnerability occurs when there is improper restriction of the times at which an SSL server may accept and process ChangeCipherSpec messages. This may allow an attacker with access to the network to try to perform a man-in-the-middle attack, hence allowing them to potentially steal, decrypt, and manipulate SSL traffic.

The main reason for this flaw, according to the security researchers who discovered this vulnerability, is that the ChangeCipherSpec message is implemented as an "independent SSL Protocol content type." This is done to prevent sessions from stalling. This resulted in the ChangeCipherSpec messages not being treated the same as a handshake message.

Signatures: OpenSSL.ChangeCipherSpec.Injection

Hunting for Goblin Panda in Metadata -- FortiGuard Labs is aware of research that discloses how metadata in files may support attribution. Earlier this week, research was released showing indicators found in the metadata of RTF files from tools used by APT group Goblin Panda. FortiGuard Labs has been tracking Goblin Panda closely and has released a playbook on tactics used by this APT group.

Goblin Panda has been active as early as 2010. This group appears to have a geopolitical agenda and is seen to target its attacks on nations around the South/Southeast Asia region.

Latest research shows a way to potentially distinguish Goblin Panda samples. Distinct identifiers, in the form of strings, in an RTF's metadata are left behind when the same author or tool is used to create the RTF. This key can then be used to locate other samples. Through further understanding how character escaping may change the identifier, yet more samples may be discovered.

Using this technique for attribution, there are now new indicators that Goblin Panda continues to target Vietnam heavily and is using Vietnamese servers for C2. However, it also shows this group targeting the Philippines, Tibet, and Nepal, among other Southeast Asian countries.

Attribution is not easy. With adversaries often trying to avoid recognition, researchers must find creative counters to these methods.

Signatures: MSOffice/CVE20120158.fam!exploit, MSOffice/CVE_2017_11882.A!exploit, MSOffice/Dropper!exploit.CVE20120158, W32/Agent.PTA!tr, W32/COBEACON_ZJFG.A!tr, W32/CVE_2012_0158.DH!tr, W97M/CVE_2012_0158.AD!exploit, W97M/Generic!exploit

Two in One: GreyEnergy and Zebrocy in the Same Server -- FortiGuard Labs is aware of research that shows some overlap between GreyEnergy and well-known APT group Sofacy (aka Fancy Bear, APT28, STRONTIUM, Sednit). Earlier this week, researchers released a report detailing their activity.

GreyEnergy is understood to be a successor to BlackEnergy. GreyEnergy has primarily been documented to attack industrial control systems.

Zebrocy is a subset of activity attributed to the Sofacy APT. Zebrocy has been attracting attention lately, as there has been a rise in activity.

Zebrocy and GreyEnergy activity has been documented to be using the same servers, and even attacking the same target. Around mid-June of 2018, GreyEnergy appeared to be using these servers in a spear-phishing campaign. Then, about a week later, Zebrocy also released a spear-phishing campaign. Malicious executables downloaded from this campaign by the Zebrocy group were delivered from this server. Both of these attacks seem to be targeting companies in Kazakhstan.

Although conclusions cannot be made to suggest the two sets of activity are working together, this is yet another case to indicate the same tools and resources may be used by multiple threat actors.

Signatures: RTF/CVE201711882.A!exploit, MSOffice/CVE201711882.A!exploit, MSWord/CVE20170199.A!exploit, W32/Agent.SCT!tr, W32/Zebrocy.EZ!tr.bdr


This Is Bogus! TA505 Continues to Target Financial Institutions -- The FortiGuard Web Filtering team is aware of activity from APT group TA505. A few weeks ago, we posted about malware that traces back to TA505 coined "ServHelper" and "FlawedGrace." This week, researchers released further activity from this financially motivated APT group that seems to once again be targeting financial institutions.

It was reported that some well-known banks in South Africa, Chile, India, and Italy were among those targeted by TA505.

Victims of this attack may first receive a phishing email that contains a malicious Excel (.xlsx) attachment. When the attachment is opened, the user is prompted to "Enable Editing." If enabled, the attachment may then attempt to download and execute a dropper. As an effort to disguise malicious background activity, the malware may also open notepad.exe.

The file downloaded is found to be an MSI package that contains a Nullsoft installer. The installer may drop two files into %temp%. One of them is a backdoor named htpd.dat, which is actually a Windows DLL file that exports a function called "bogus." The other file dropped is a VBScript.

Once these two files have been placed into the %temp% folder, the malware will create a help.bat file that runs the "bogus" function in htpd.dat. Two threads are created when bogus gets called. One of them communicates to a C2 server via HTTPS and another receives commands from the server.

FortiGuard Labs has blacklisted all the IOCs related in this incident.


Seeing and Addressing Insider Threats Across Your Distributed Network -- Hackers, cybercriminals, malware infections, and other external threats dominate the headlines. And for good reason. The loss of millions of data records as part of a security breach now seems to be a common occurrence. And as we move towards an integrated digital economy, the impact of a massive or coordinated cyberattack could have devastating consequences. [Read More]
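Since the OpenSSL entry above turns on when a ChangeCipherSpec may be accepted, here is an added example (mine, not FortiGuard's signature logic) of a minimal TLS record walker that flags the injection pattern on the client-to-server side: a CCS record (content type 20) arriving before the client has sent ClientKeyExchange. It assumes TLS 1.0-1.2 record framing (5-byte header, 4-byte handshake header) and uses constructed byte streams with filler bodies, not a real capture.

```python
import struct

CONTENT_CCS = 20
CONTENT_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
HS_CLIENT_KEY_EXCHANGE = 16


def tls_record(content_type: int, body: bytes, version=(3, 1)) -> bytes:
    """Build one TLS record: type(1) | version(2) | length(2) | body."""
    return struct.pack("!BBBH", content_type, *version, len(body)) + body


def handshake_msg(msg_type: int, body: bytes) -> bytes:
    """Handshake message: type(1) | 24-bit length | body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def iter_records(stream: bytes):
    """Yield (content_type, body) for each record; raise on truncation."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        yield ctype, body
        off += 5 + length


def handshake_types(body: bytes):
    """Yield the handshake message types packed into one handshake record."""
    off = 0
    while off < len(body):
        mtype = body[off]
        mlen = int.from_bytes(body[off + 1:off + 4], "big")
        yield mtype
        off += 4 + mlen


def early_ccs(client_stream: bytes) -> bool:
    """True if the client sends ChangeCipherSpec before ClientKeyExchange.

    A conforming client always sends ClientKeyExchange first. A CCS ahead of it
    is the CVE-2014-0224 shape: a man-in-the-middle injects CCS early so both
    vulnerable endpoints derive keys from an empty master secret.
    """
    seen_cke = False
    for ctype, body in iter_records(client_stream):
        if ctype == CONTENT_HANDSHAKE:
            if HS_CLIENT_KEY_EXCHANGE in handshake_types(body):
                seen_cke = True
        elif ctype == CONTENT_CCS and not seen_cke:
            return True
    return False


# Constructed client-to-server streams (not captured traffic); bodies are filler.
NORMAL = (tls_record(CONTENT_HANDSHAKE, handshake_msg(HS_CLIENT_HELLO, b"\x00" * 8))
          + tls_record(CONTENT_HANDSHAKE, handshake_msg(HS_CLIENT_KEY_EXCHANGE, b"\x11" * 4))
          + tls_record(CONTENT_CCS, b"\x01"))
INJECTED = (tls_record(CONTENT_HANDSHAKE, handshake_msg(HS_CLIENT_HELLO, b"\x00" * 8))
            + tls_record(CONTENT_CCS, b"\x01")
            + tls_record(CONTENT_HANDSHAKE, handshake_msg(HS_CLIENT_KEY_EXCHANGE, b"\x11" * 4)))

if __name__ == "__main__":
    print("normal  :", early_ccs(NORMAL))
    print("injected:", early_ccs(INJECTED))
```

The same state-tracking idea applies on the server-to-client side (a server CCS before ServerHelloDone has been followed by a ClientKeyExchange is equally out of place); the patched OpenSSL versions reject the early CCS instead of silently using it.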
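The Goblin Panda entry above makes the point that the same author/tool string in an RTF's \info group can be used to pivot to more samples, and that character escaping can change how that string appears. Here is an added example of the extraction step, written for this thread (not the researchers' tooling); the two RTF fragments are constructed, and the author string "Hunter-Tool" is a placeholder, not a real Goblin Panda indicator.

```python
import re

# Constructed RTF fragments (not real Goblin Panda samples). The second one has
# the same author string, but with the hyphen written as an RTF hex escape
# (\'2d), which a naive exact-string search would miss.
RTF_PLAIN = rb"{\rtf1\ansi{\info{\author Hunter-Tool}{\company ACME}{\creatim\yr2018\mo6\dy12}}\par Hello}"
RTF_ESCAPED = rb"{\rtf1\ansi{\info{\author Hunter\'2dTool}{\company ACME}}\par Hello}"

FIELD_RE = re.compile(rb"\{\\(author|company|operator|title|subject|category)\s?([^{}]*)\}")
HEX_ESC_RE = re.compile(rb"\\'([0-9a-fA-F]{2})")


def extract_group(data: bytes, start: int) -> bytes:
    """Return the balanced {...} group beginning at data[start] == b'{'."""
    depth = 0
    for i in range(start, len(data)):
        c = data[i:i + 1]
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
    raise ValueError("unbalanced group")


def rtf_unescape(value: bytes) -> str:
    """Resolve \\'hh hex escapes, then decode as cp1252 (the usual RTF default)."""
    raw = HEX_ESC_RE.sub(lambda m: bytes.fromhex(m.group(1).decode()), value)
    return raw.decode("cp1252", errors="replace").strip()


def info_fields(rtf: bytes) -> dict:
    """Return normalized {field: value} from the RTF \\info group, or {} if absent."""
    pos = rtf.find(b"{\\info")
    if pos < 0:
        return {}
    group = extract_group(rtf, pos)
    return {k.decode(): rtf_unescape(v) for k, v in FIELD_RE.findall(group)}


def same_author(a: bytes, b: bytes) -> bool:
    """Compare authors after unescaping, so escaping variants of one string match."""
    return info_fields(a).get("author") == info_fields(b).get("author")


if __name__ == "__main__":
    print(info_fields(RTF_PLAIN))
    print(info_fields(RTF_ESCAPED))
    print("same author:", same_author(RTF_PLAIN, RTF_ESCAPED))
```

Normalizing before comparison is the whole trick: a raw grep for the author string finds the first sample but not the second, while the decoded form matches both. Unicode escapes (\uN) and code pages other than 1252 would need the same treatment.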

Fel Grossi


Activity Summary -- Week Ending Feb 8, 2019

Jaff Ransomware -- FortiGuard Labs recently published analysis on the Jaff ransomware. This ransomware has been around since early 2017 but was overlooked because the WannaCry ransomware was getting all the attention. However, since that time, the Jaff ransomware has lurked in the shadows while infecting machines around the world. In our FortiGuard Labs analysis, we do a deep dive into the techniques that Jaff uses, and how it represents the ransomware's infection routine in general.

Jaff ransomware commonly arrives as a PDF attachment. Once you open the attachment, it displays a one-line document along with a pop-up message asking whether you want to open the file. If you choose to open the file, it then launches an embedded document that contains instructions on how to remove macro protection. If you choose to 'Enable Content', any macro within the document will execute. And of course, we know that this document contains a lot of macros, one of which downloads the Jaff binary file. We published the list of macros on our blog site where you can read more details about our analysis overall. [Read More]

Oracle VirtualBox Vulnerability -- FortiGuard Labs researchers discovered a Denial of Service (DoS) vulnerability in Oracle VirtualBox (CVE-2019-2527), in December, 2018. Oracle VirtualBox is the world's most popular cross-platform virtualization application. This DoS vulnerability is caused by a crafted TCP session sent from a virtual machine that causes the NAT process on the host machine to crash, and the VMs in the same NAT network to lose their network connectivity. This DoS vulnerability affects VirtualBox versions prior to 5.2.26 and 6.0.4.

Oracle confirmed our findings and released a patch January 28th. All users of vulnerable versions of Oracle VirtualBox are encouraged to upgrade to the latest VirtualBox version, or apply the latest patches immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the following signature: Oracle.VirtualBox.NatCrash.DoS [Read More]

PowerDNS.Recursive.Out.of.Bounds.Read.DoS -- PowerDNS is an open-source DNS server with features like support for different back ends, scripting, and load balancing. A feature-rich DNS server, PowerDNS is very popular and widely adopted. A flaw was discovered in the PowerDNS Recursor software in late 2018. The vulnerability found exists in PowerDNS Recursor versions 4.1.0 up to 4.1.7 (inclusive) and can lead to a denial-of-service (DoS) if exploited.

The vulnerability found that if a remote attacker constructs a specific query, it may trigger an out-of-bounds read when trying to compute the hash query for a packet cache lookup. This may lead to a system crash and, ultimately, a DoS.

At the time of this writing there were no known methods to achieve remote code execution on the system, but if PowerDNS Recursor is used and managed inside a supervisor like Supervisor or Systemd, it may lead to a system-wide crash.

This vulnerability has the identifier CVE-2018-16855, assigned on November 26, 2018. Fortinet is recording a significant rise in detections of attempts to exploit this vulnerability since its discovery.

D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution -- D-Link devices are among the most ubiquitous home router solutions globally. A discovery was made that revealed a series of D-Link devices running firmware v1.04 and prior are susceptible to a remote OS command injection via the GetDeviceSettings action on the HNAP interface.

The vulnerability is caused by an error when the HTTP server is parsing requests; a remote attacker can exploit this to achieve remote code execution on the affected device with the privileges of the user running the affected device.

This has been assigned CVE-2015-2051 and it is a trending threat as detected by Fortinet.

Lazarus APT Recruiting Victims with Operation Extreme Job! -- FortiGuard Labs is aware of a phishing campaign that has been active in the past week which has been linked to the APT group Lazarus (aka HIDDEN COBRA). Earlier this week, researchers released details on a phishing campaign posing as a recruitment request containing a malicious Microsoft Word document attachment. This campaign was found to be targeting Korea.

The document, attached as "Job Descriptions.doc," takes content from real job postings to increase its legitimacy. When opened, and macros have been enabled, the attachment may attempt to run a malicious macro script that drops a PE file ("jusched.exe") into %APPDATA%\Roaming. If successful, this malicious file attempts to connect to a C2 server through HTTP.

The malicious files in this campaign have been linked to multiple previously known threats as far back as 2017. However, there are indications in the metadata that show recent changes have been made. Although it may be premature to make solid conclusions, there appear to be links between this campaign and the Lazarus APT group through similarity of code flow and shared strings.

The Lazarus group is a known actor that is suspected to originate from North Korea. It has been attributed to a wide variety of cyberespionage activity.

Attacks such as these show the continued advancement of malicious actors. Taking a multi-layered protection approach to security is recommended to most effectively avoid such attacks.

Signatures: VBA/Agent.JIC!tr.dldr, VBA/Agent.YE!tr, W32/Agent.IKJH!tr, W32/Agent.73D3!tr.dldr, W32/Agent.F04C!tr.dldr, W32/Agent.081A!tr.dldr

Hungry for Cookies - CookieMiner Mac Malware --
FortiGuard Labs is aware of research reported on the discovery of an OSX coin-mining malware. It is believed that this malware was created from another known macOS miner malware.

This malware, dubbed "CookieMiner," steals cookie data from the victim's browser. It may attempt to steal data relating to cryptocurrency exchanges and services, passwords stored in the browser, and text messaging backup data. It is suspected the combination of this stolen data allows the attacker to bypass multi-factor authentication on the cryptocurrency exchange sites.

The primary goal of the malware appears to be cryptocurrency mining and credential stealing. To do so, it may download a cryptominer to mine for Koto, a lesser-known cryptocurrency. However, the malware, once installed, employs various methods of persistence and may open a backdoor through the use of an open-sourced post-exploitation tool, EmPyre.

This goes to show that cryptomining is still a source of profit for malicious actors. As long as this is the case, it may remain prevalent in the malware landscape.

FortiGuard Labs has detections in place for these known IOCs.

Signatures: MAC/CoinMiner.A!tr, Riskware/CoinMiner, MAC/Agent.BG!tr.bdr


GandCrab Ransomware Campaign Exploits DNS Systems -- The FortiGuard Web Filter team is aware of a malicious campaign that leverages a security issue discovered in a popular DNS system. This week, researchers released details on how a security issue in this DNS system is being leveraged by malicious actors to bypass spam detection. The security issue has been recognized and the company has since released a fix.

Through the security flaw, numerous legitimate domains are used to deliver a malicious email. Because the sender's domain is registered through legitimate channels, it may avoid spam detection. This security issue was used to deliver malware, including the GandCrab ransomware.

Most of the domains involved utilize one of these two DNS servers: NS57.DOMAINCONTROL.COM and NS58.DOMAINCONTROL.COM. The email message that delivers the GandCrab ransomware claims to be DHL deliveries or e-fax messages. An analysis of three separate word documents was made. It was discovered that each of them contained different macros. Contained in the macros were at least two different URLs that led to the download of a malicious payload.

The FortiGuard Web Filter team has the appropriate protections against the IOCs related to this incident.

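The D-Link HNAP entry above names the signature D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution, so the check a defender wants is one on the SOAPAction header itself. Here is an added example of that check, written for this thread and not taken from Fortinet's signature or from any published exploit. It assumes, following the signature name, that the injected command rides in the SOAPAction value after the HNAP action name; the two HTTP requests are constructed, not captured traffic.

```python
import re

# A legitimate HNAP SOAPAction value is just a URL of the form
# http://purenetworks.com/HNAP1/<ActionName>, optionally in double quotes.
SOAPACTION_OK = re.compile(r'^"?http://purenetworks\.com/HNAP1/[A-Za-z0-9_]+/?"?$')
# Shell metacharacters have no business in an action name.
SHELL_META = re.compile(r"[`$;|&<>\n\r]|\$\(")


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of an HTTP/1.x request into a lowercase-keyed dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return headers


def soapaction_verdict(raw: bytes) -> str:
    """Return 'clean', 'inject' or 'malformed' for the request's SOAPAction header."""
    sa = parse_headers(raw).get("soapaction")
    if sa is None:
        return "clean"        # not an HNAP call at all
    if SHELL_META.search(sa):
        return "inject"       # metacharacters: treat as command injection attempt
    if not SOAPACTION_OK.match(sa):
        return "malformed"    # unexpected shape; block or at least log it
    return "clean"


# Constructed requests (not captured traffic). The second one places a
# backtick-quoted command where only the action name belongs.
NORMAL_REQ = (b"POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\n"
              b'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"\r\n'
              b"Content-Length: 0\r\n\r\n")
INJECT_REQ = (b"POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\n"
              b'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/`reboot`"\r\n'
              b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("normal", NORMAL_REQ), ("inject", INJECT_REQ)):
        print(name, soapaction_verdict(req))
```

An allow-list on the header's shape (the SOAPACTION_OK pattern) is the durable part; the metacharacter list only catches the obvious variants. On the device side the real fix is to never hand the header to a shell at all.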

Fel Grossi


Activity Summary -- Week Ending Feb 15, 2019

February's Patch Tuesday brought a bevy of updates from Microsoft and Adobe, each releasing updates for over 70 vulnerabilities affecting their respective products. Yes, you read that right, that is over 140 vulnerabilities overall.

Microsoft released patches for 77 CVEs, along with three advisories, affecting widely-deployed products across their portfolio, including Internet Explorer, Edge, Exchange Server, Windows, Office, .NET Framework, and more. Top of your priority list should be patching the Windows DHCP Server Remote Code Execution Vulnerability (CVE-2019-0626). If exploited, this memory corruption bug would give Domain Administrator privileges that would allow access to domain user credentials. An attacker could run arbitrary code on the DHCP server. The publicly disclosed Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2019-0686) could allow an attacker to access the mailboxes of users. While there is no known public exploit, this patch should be considered a priority. Another consideration for urgent patching is the Internet Explorer Information Disclosure Vulnerability (CVE-2019-0676). This vulnerability is already being used to target vulnerable systems. The defect could allow attackers to check for specific files on the victim's hard drive.

Adobe released updates for Acrobat and Reader, ColdFusion, Flash, and the Adobe Creative Cloud Desktop Application. Adobe released an update that addresses a zero-day Adobe Reader vulnerability that, if exploited, would allow maliciously crafted PDF documents to call home and send over the victim's NTLM hash to remote attackers in the form of an SMB request. This vulnerability was publicly disclosed, including a proof-of-concept, before Adobe pushed out the fix. FortiGuard has the following signature available: Adobe.Reader.XFA.NTLM.Information.Disclosure

A full list of the updates can be found on the Microsoft Security Update webpage

Bladabindi.Botnet -- Bladabindi (also known as njRAT, njWorm) is a prolific and destructive worm that has been around since as early as 2012. Researchers have documented counts of infected victims in the order of millions at one point. This malware is known to create a backdoor to the infected machine, log user keystrokes, capture webcam footage, and steal credentials. Bladabindi spreads via drive-by downloads on unsuspecting users, social engineering, or infected USB drives.

In late 2018, research released details on the rediscovery of an updated version of this malware. It was documented to be using AutoIT and fileless techniques for persistence and evasion. To achieve this, it stores a Base64-encoded value in a registry key that will auto-run as a command in PowerShell. Upon running, PowerShell will load and run a malicious payload using reflective injection. Yet another trick employed by the malware is that the payload injected into the PowerShell process is .NET-compiled and uses commercial software for obfuscation. The malware also makes extensive use of dynamic DNS systems to avoid detection.

There has been a sizable growth of detected instances on this signature.

Signatures: Bladabindi.Botnet

WordPress.Web.API.Endpoint.Privilege.Escalation --
WordPress versions 4.7.0 and 4.7.1 are vulnerable to a content injection vulnerability found in the WordPress REST API. By default, this feature comes enabled, which makes any default installation of WordPress automatically vulnerable.

The core of the issue lies in a type-juggling issue that occurs while processing API parameters. A series of a few issues led to this vulnerability. First, there was a flaw in the logic behind prioritization. This resulted in the possibility of request parameters being improperly sanitized. Second, a data sanitization logic allowed a user to potentially bypass permissions checking. If bypassed, a user can update an item without first being granted permission. If exploited, an unauthenticated attacker can use manipulated payloads through the REST API and have a page modified with content controlled by them.

This vulnerability has been patched in WordPress version 4.7.2 and is assigned CVE-2017-1001000.

Signatures: WordPress.Web.API.Endpoint.Privilege.Escalation

Teaching an Old Bot New Tricks -- FortiGuard Labs is aware of recent developments of the infamous TrickBot banking Trojan. Earlier this week, researchers released details on the discovery of new functionality of the TrickBot malware - it now has an updated capability of stealing passwords remotely.

TrickBot, malware that has been attributed to the financially motivated APT TA505, is a well-known banking Trojan. Back in November 2018, FortiGuard Labs released a blog (Deep Analysis of TrickBot New Module pwgrab) detailing the research of a specific TrickBot module named pwgrab. TrickBot is known to use phishing campaigns with malicious Excel attachments to target its victims, and this updated version brings no surprises in that regard. Once a user opens the malicious Excel attachment and enables content, the VBA script downloads TrickBot. However, this new variant does have some new tricks up its sleeve.

Specifically, this new variant has three new functions that allow for credential stealing from remote desktop access tools. Each function corresponds to a known platform: RDP, PuTTY, and VNC. When run, these functions attempt to steal credentials from the listed platforms. If the credentials are harvested and sent to the C2 server successfully, the attacker may then gain remote desktop access to the victim machine.

This is yet another case showing the constant development behind prolific and persistent malware as it advances its capabilities and avoids detection. FortiGuard Labs has the appropriate detections in place for known IOCs.

Signatures: W32/TrickBot.BL!tr

DanaBot Updated with New C2 Communication -- FortiGuard Labs is aware of updates that were discovered in the DanaBot banking Trojan. Earlier this week, researchers released a blog detailing DanaBot's latest advancements.

DanaBot is known to be a sophisticated banking Trojan. This botnet was first seen distributed in mid-2018 in a malspam campaign targeting victims in Australia. The email contained a malicious DOC attachment that, when opened with content enabled, downloads one or more malicious PE files from the C2. An infected victim may have their login, machine information, and credentials for banks and cryptowallets stolen. They may also be subject to web injections on banking sites and have their machine exposed to remote access.

Since then, DanaBot appears to have updated its communication protocols and spread to numerous countries in Europe; it has also been seen in the U.S. Among the updates are added malicious plugins that turn victims' machines into spambots. The latest updates appeared to be spreading only through malspam in Poland, and also appeared to target already infected victims. Updates to this malware added several encryption layers to the communication protocol, changes in the architecture used to deploy DanaBot, and changes to commands and identifiers.

The continued persistence of DanaBot shows that the malware keeps updating itself to avoid network-based detection. This underlines that we must continue to monitor and track these families to stay on top of the updates, and that a multi-layer approach is absolutely crucial.

Signatures: W32/Danabot.I!tr.spy, W32/Danabot.F!tr.spy, W32/Danabot.O!tr

Qealler - A New and JARring Experience -- The FortiGuard Web Filter observed a JAR malware dubbed Qealler this past week. Earlier this week, researchers released their findings on this new malware, developed in Java, which covertly steals personal information from the victim.

To infect a machine, the malicious Qealler JAR file must first be executed by the user. This campaign uses invoice-related files to lure its victims. The malware is executed when a victim double-clicks on the file to open it.

Upon execution, a Java loader that installs a Python credential harvester is downloaded from a compromised site (the one recorded was hiexsgroup.co[.]uk). Qealler appears to be obfuscated with a well-known open-source Java bytecode obfuscator. The binary contains other encrypted URLs that the malware may attempt to connect to; these lead to servers that appear to host the second-stage payload.

To steal passwords, Qealler appears to carry a customized version of LaZagne, an open-source post-exploitation password collector. The customized module, stored in a directory named "QaZaqne," has much the same functionality as LaZagne. It can steal browser, email, Wi-Fi, and machine passwords, to name a few. Once the credentials are harvested, they are encrypted, encoded, and sent to the C2 server along with a unique machine identifier.

FortiGuard Web Filter has the appropriate detections for all the known IOCs and has blacklisted all the associated IPs and URLs.

Using Advanced AI to Stay ahead of Cybercriminals -- As the threat landscape continues to rapidly evolve, it now includes increasingly sophisticated, zero-day malware that traditional security approaches can no longer keep pace with. Staying ahead of today's accelerated cybercrime trends requires adding artificial intelligence (AI) to an organization's network security strategy. [Read More]

Using Services to Fill Critical Security Gaps -- One of the biggest challenges of using a traditional approach to cybersecurity is that it tends to be reactive. This means that security personnel must remain on constant alert, waiting to respond immediately to new trends. This strategy gives cybercriminals a distinct advantage. [Read More]
