NanoCore Variant Delivered Through UUE Files

Over the past few weeks, our Phishing Defense Center has observed several emails with malicious PDF attachments that prompt the user to download a .UUE file from Dropbox. UUE files (Unix to Unix Encoding) are files encoded with uuencode, a program that converts binary files to text format for easy transfer while still allowing for the files to be easily opened using Winzip or similar un-archiving applications. When file extensions are not displayed in Windows, the downloaded file looks like any other compressed file (as shown in Figure 1), which makes it harder to spot that this file is indeed malicious.

Figure 1 – Ordy Compressed File Icon

All emails contain the same message body shown in Figure 2, asking users to confirm the payment and customer details as outlined in the attached copy of the Swift advice.

Figure 2 – Email body

The messages carried a PDF attachment named “MensajeSWIFTMT103.pdf” (MD5: 8b9a5e36cd1e1ec7dfd7801bfa5afa86, SHA256: 743c9ffe67a80ac84385efc8dc78c84f7b38805285dda49ac6459d17008daa17). The PDF contains only one page, which is characteristic of malicious PDF documents, and holds no text other than a “View File” link (as shown in Figure 3).

Figure 3 – PDF Document – View File

The link takes the user to the Dropbox site hxxps://www[.]dropbox.com/s/2dwqt0x2s0l0rr6/Ordy[.]uue?dl=1 to download Ordy.uue (MD5: 673d3a374900a23ecec3acc092fe8dba, SHA256: d476a35f392a1c616f045418ce9c3c6645ac6886a6195ef1ec578e6bbe15a48b). After the download, the file appears to be a compressed archive, as discussed above. Unpacking it extracts the executable Ordy.exe (MD5: 1A9E533E870C4B0B5D6126A3E7609601, SHA256: F76A8BED84ED4177626A4B7B3ECED4AEABE93BE8CB500A1B2D5F3A662539C98D), which carries an Acrobat PDF icon (as shown in Figure 4) to trick the user into thinking it is a genuine PDF file.

After executing Ordy.exe, it creates a copy of itself in \AppData\Roaming\taskprocess.exe while Ordy.exe hides itself, and it adds taskprocess.exe to the scheduled tasks (as shown in Figure 5).

Figure 5 – Scheduled Tasks

Additionally, it creates a Registry entry to start itself automatically when Windows starts (as shown in Figure 6).

Figure 6 – Registry Key Entry

The malware reads the machine GUID and creates a directory in \AppData\Roaming named after it, with two subfolders: \DPI Subsystem and \Logs. The \DPI Subsystem directory contains a copy of Ordy.exe called dpiss.exe, which is executed after reboot.

The Logs directory contains a .dat file named with the convention KB_XXXXXXX.dat. Opening the .dat file reveals hexadecimal values (as shown in Figure 7).

Figure 7 – Hex contents in .dat file

After converting the hexadecimal values from the .dat file to ASCII, it becomes apparent that the malware captures keystrokes and stores them in the .dat file (as shown in Figure 8).

Figure 8 – ASCII-decoded hex from .dat file

Analysing the malicious network traffic reveals active communication with IP 154.16.63.108 over TCP port 6777 (as shown in Figure 9). After the three-way handshake completes, the host and server exchange a PSH, ACK, ACK sequence a few times per second. Keylogger and remote access trojan malware often communicate using HTTP requests sent to a web server; this raw TCP communication indicates a different, and perhaps harder to block, channel for exfiltration.

Figure 9 – Wireshark Capture

Figure 10 – TCPView Outbound Connection to malicious IP

After reboot, dpiss.exe is executed instead of Ordy.exe and a new .dat file is created in \AppData\Roaming\{machineID}\Logs.

The malware also exhibits analysis and sandbox evasion behaviour: it verifies that a working Internet connection is available and makes no outbound connections when executed in a sandboxed environment with restricted Internet access. It still copies itself, adds itself to the registry and scheduled tasks and captures keystrokes, but it only attempts to contact the server once a valid Internet connection has been established.

This malware contains a keylogger that actively captures keystrokes and transfers them to the server, in the hope of capturing login details and other valuable information. Delivery using .UUE files has existed for a while but is not common at this point, and to end users these files appear to be genuine compressed files. Most firewalls and endpoint security solutions only alert on or block .zip or .rar file extensions and ignore .UUE, which makes it easier for attackers to bypass them.
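Because a .UUE file is plain text with a “begin <mode> <name>” header, a gateway can decode it and inspect the payload instead of trusting the archive-like icon or a .zip/.rar extension list. The following Python is an added example, not code from the original article: it parses the uuencode framing, decodes the payload, and flags the file when the declared name has an executable extension or the decoded bytes carry a PE header. The EXEC_EXTS list, the FAKE_PE stand-in and the SAMPLE_UUE blob are constructed assumptions that mirror the Ordy.uue lure, not the real sample.

```python
import binascii
import os
import re

# Extensions a mail gateway would normally block inside an archive (assumption).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".dll"}
# Constructed stand-in for a dropped PE: "MZ" stub, e_lfanew at 0x3C -> "PE\0\0".
FAKE_PE = b"MZ" + b"\x90" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00"

def encode_uue(name: str, payload: bytes) -> bytes:
    """Wrap payload in uuencode framing (begin/end), 45 raw bytes per line."""
    lines = [f"begin 644 {name}".encode()]
    for i in range(0, len(payload), 45):
        lines.append(binascii.b2a_uu(payload[i:i + 45]).rstrip(b"\n"))
    lines += [b"`", b"end"]
    return b"\n".join(lines) + b"\n"

def parse_uue(data: bytes):
    """Return (declared filename, decoded bytes), or None if not uuencoded."""
    m = re.search(rb"^begin\s+[0-7]{3,4}\s+(\S.*)$", data, re.M)
    if not m:
        return None
    name = m.group(1).decode("latin-1").strip()
    out = bytearray()
    for line in data[m.end():].splitlines():
        stripped = line.strip()
        if stripped == b"end":
            break
        if stripped in (b"", b"`"):      # blank padding or the zero-length line
            continue
        try:
            out += binascii.a2b_uu(line)
        except binascii.Error:           # corrupt line: treat as not uuencoded
            return None
    return name, bytes(out)

def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE check: MZ magic plus e_lfanew pointing at a PE\\0\\0 header."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    off = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[off:off + 4] == b"PE\x00\x00"

def assess_uue(data: bytes) -> dict:
    """Flag a .uue whose declared name or decoded content is an executable."""
    parsed = parse_uue(data)
    if parsed is None:
        return {"is_uue": False, "suspicious": False}
    name, blob = parsed
    exec_ext = os.path.splitext(name)[1].lower() in EXEC_EXTS
    pe = looks_like_pe(blob)
    return {"is_uue": True, "declared_name": name, "size": len(blob),
            "exec_extension": exec_ext, "pe_payload": pe,
            "suspicious": exec_ext or pe}

SAMPLE_UUE = encode_uue("Ordy.exe", FAKE_PE)   # constructed, mirrors the lure
```

A renamed executable still trips the PE check, so the content test is the one to rely on rather than the declared extension.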

During analysis, we have observed this malware behaving like NanoCore. NanoCore is a remote access trojan (RAT) that is used to steal sensitive information such as passwords from victim computers.

However, Ordy.exe doesn’t contain any hardcoded “NanoCore” strings, which is why current NanoCore YARA rules will not detect this variant of NanoCore. Figure 11 shows the strings typically found in NanoCore samples, while Figure 12 shows the ones found in Ordy.exe.

Figure 11 – Identifiable NanoCore strings

Figure 12 – Ordy.exe strings

NanoCore first appeared in 2013 and has since gained popularity due to its modularity, which allows attackers to expand its functionality and performance. Several cracked versions of NanoCore exist in the wild, allowing attackers to use and modify the core functions to create new variants, and Ordy.exe is no exception. As our research suggests, Ordy closely resembles NanoCore, but the delivery through .UUE files is still very rare and can be seen as an attempt to bypass malware defences. Attackers will continue to create new malware as well as modify existing malware to pass through security perimeters; so, always act on the side of caution and only open links and attachments you trust.

Don’t miss another threat – stay on top of emerging phishing and malware threats and attacks, all delivered straight to your inbox completely free. Subscribe to PhishMe® Threat Alerts today.

Want to Get In Front of Breaches? Be Like the Marines.

Part 1 in our series on being “Left of Breach” in the Phishing Kill Chain.

Too often in the information/cyber security industry, we focus our efforts on mitigation of breaches after they occur, relying on incident response teams to find the needles in the haystack.

According to “Left of Bang: How the Marine Corps’ Combat Hunter Program Can Save Your Life” (by Patrick Van Horne and Jason A. Riley; foreword by Steven Pressfield), the Marines’ Combat Hunter training program works on this premise: by understanding what “normal” looks like, we are much more likely to recognize activities and behaviors that are out of place. That recognition, even if based on “gut feel,” becomes the trigger for acting. This approach relies heavily on front-line human assets, not just automation or artificial intelligence, to detect attacks in progress. Most important, it lets you get in front of breaches before they blow up in your face.

Get “Left of Breach.”

In the Marines’ case, it’s acting to get “Left of Bang,” as in bombs and bullets. In anti-phishing programs, it’s getting Left of Breach: taking proactive steps instead of accepting that hackers and other malicious actors will succeed no matter what. In the figure below, it’s everything left of the bullseye.

With a few modifications, the standard security industry kill chain can resemble the Marine Combat Hunter approach.

As you can see in the Phishing Kill Chain above, we focus on baselining an organization and developing human threat reporters throughout the first four steps. This provides two things: a starting point for risk analysis and the development of targeted simulations (Enumeration, Design, Delivery); and the development of HUMINT (human intelligence), data collection and reporting of suspicious material to incident response teams.

As your anti-phishing program matures, you’ll combine the data your employees report with human-vetted phishing intelligence feeds in Triage. The net: actionable intelligence enabling you to mitigate threats before they happen.

5 steps to getting there:

  1. Be transparent and educate users on standard phishing clues and the purpose of the program.
    • NOTE: Program transparency is key to your success. It builds enthusiasm for the program and a sense of ownership and positive engagement with the organization’s security process.
  2. Baseline your organization’s technical and business process weaknesses for targeting during initial simulations.
  3. Execute diverse simulations and analyze for risk level (e.g. high susceptibility to active threats).
  4. Design follow-up simulations based on known deficiencies and analysis of initial results.
  5. Stress the importance of reporting in all simulations and awareness activities.

Taking these simple steps is the quickest, most effective way to protect against phishing. Ready to get Left of Breach? Booyah!

Next: part 2 of our “Left of Breach” series examines the first step in the Phishing Kill Chain, Self-Enumeration.


10 Ways to Defend Against Business Email Compromise / CEO Email Fraud Scams

Cybercriminals continue to successfully hack and spoof emails to impersonate supervisors, CEOs, and suppliers and then request seemingly legitimate business payments. Because the emails look authentic and seem to come from known authority figures, many employees comply. But later they discover they’ve been tricked into wiring money or depositing checks into criminals’ bank accounts.

The Newest Delivery Method for the Locky Ransomware

Since its introduction in early 2016 and throughout this year, the distribution of the Locky ransomware has been overwhelmingly facilitated by attached script applications written in JScript or Visual Basic. These script applications have been delivered as the content of an attached archive such as a Zip or RAR file delivered as part of the email messages.

Locky Ransomware Keeps Returning After Repeated Absences

It seems that each time the information security community is ready to declare the Locky ransomware dead and gone, phishing threat actors launch new campaigns with new characteristics.

Locky’s presence on the threat landscape dates back to February 2016 when this malware formalized and matured the ransomware business model in phishing emails. Coupled with a tenacious distribution strategy, Locky dominated the phishing markets throughout 2016. Since early 2017, Locky’s presence on the threat landscape has been far more tepid. Its subdued presence on the threat landscape and intermittent distributions led to rumors that Locky was a thing of the past; many people were surprised when new Locky distributions took place. However, it is clear that despite a smaller degree of tenacity in deployment, the criminals using the Locky ransomware still see benefit from its use. And incremental changes in behavior indicate that these criminals are investing in future use, as well.

The most recent iterations of Locky distributions have replayed some of the simplest techniques for this malware’s distribution in phishing emails. The lures used in these phishing emails make vague references to document delivery, unpaid invoices, received voice mails, or receipts for payments, all examples of content used prolifically in the distribution of ransomware and other malware tools. Some standout examples demonstrate the compelling, yet vague messaging used to deliver this destructive malware.

Figure 1 – Locky phishing emails leverage vague, yet compelling narratives

While attackers continue to use similar phishing emails, the most recent Locky binaries demonstrate that small, incremental changes to the malware’s behavior are being implemented. These changes are mostly superficial but serve to break from expected norms in small ways. The first change, and likely the one to garner the most attention, was the use of two new file extensions applied to files encrypted by the ransomware. Previous iterations of Locky deployments have used extensions ranging from the sensible “.locky” to the more esoteric “.osiris”, “.odin”, and “.aesir” extensions.

In the past two weeks, two new, distinctive extensions have been used. The first, “.diablo6”, evokes a more intimidating ethos for the ransomware. Other samples use “.lukitus”, likely evoking the Finnish word for “locking.” Additionally, a more significant modification comes in the command and control callback resources leveraged by the ransomware to report new infections.

One of the simplest techniques for identifying a malware variety and its communications is to match suspicious traffic to known resource paths used by that malware. For many Locky samples in 2017, command and control resources could be identified by the presence of a “/checkupdate” callback URI path. However, this has also been replaced in recent samples that apply the “.lukitus” encrypted file extension by a “/imageload.cgi” resource path. For very tightly-tuned detection schemes, this change could result in the latter being categorized incorrectly because it represents a departure from the established norm for this malware.

Locky “.diablo6” sample check-in URLs
hxxp://83.217.8[.]61/checkupdate
hxxp://91.234.35[.]106/checkupdate
hxxp://31.202.130[.]9/checkupdate

Locky “.lukitus” sample check-in URLs
hxxp://185.17.120[.]130/imageload.cgi
hxxp://185.75.46[.]220/imageload.cgi
hxxp://192.162.103[.]213/imageload.cgi
hxxp://109.237.111[.]179/imageload.cgi
hxxp://78.108.93[.]185/imageload.cgi

Figure 2 – Small changes to command and control callback destination
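The brittleness of path-only matching described above can be shown over a few constructed proxy-log lines. The following Python is an added example, not code from the article: a narrow rule that only knows “/checkupdate” is compared with one that also matches the “/imageload.cgi” path and the Figure 2 hosts. The log format, the sample lines and the heuristic that a known callback path requested from a bare IP address is suspicious are assumptions; only the paths and host list come from the article.

```python
import re
from ipaddress import ip_address

# Callback URI paths quoted in the article, keyed to the encrypted-file
# extension each was observed with.
LOCKY_CALLBACK_PATHS = {"/checkupdate": ".diablo6", "/imageload.cgi": ".lukitus"}

# Check-in hosts listed in the article's Figure 2.
LOCKY_C2_HOSTS = {
    "83.217.8.61", "91.234.35.106", "31.202.130.9", "185.17.120.130",
    "185.75.46.220", "192.162.103.213", "109.237.111.179", "78.108.93.185",
}

# Constructed proxy-log lines, "<epoch> <client> <method> <url> <status>".
# Not real traffic; two lines reuse Figure 2 hosts, one uses a TEST-NET address.
SAMPLE_LOG = """\
1502700001 10.1.2.3 GET http://intranet.example.local/index.html 200
1502700002 10.1.2.3 POST http://91.234.35.106/checkupdate 200
1502700003 10.1.2.4 POST http://185.75.46.220/imageload.cgi 200
1502700004 10.1.2.5 GET http://cdn.example.com/images/imageload.cgi?x=1 200
1502700005 10.1.2.6 POST http://203.0.113.9/imageload.cgi 404
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")

def split_url(url: str):
    """Return (host, path) with any query string removed."""
    host, _, rest = url.split("://", 1)[1].partition("/")
    return host, "/" + rest.split("?", 1)[0]

def is_bare_ip(host: str) -> bool:
    """True when the request went to a literal IP rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def narrow_rule(host: str, path: str) -> bool:
    """A 2017-tuned rule that only knows the /checkupdate callback."""
    return path == "/checkupdate"

def broad_rule(host: str, path: str) -> bool:
    """Known C2 host, or any known callback path requested from a bare IP."""
    return host in LOCKY_C2_HOSTS or (is_bare_ip(host) and path in LOCKY_CALLBACK_PATHS)

def scan(log: str, rule) -> list:
    """Return (client, host, path, variant_hint) for every line the rule flags."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, client, _, url, _ = m.groups()
        host, path = split_url(url)
        if rule(host, path):
            hits.append((client, host, path, LOCKY_CALLBACK_PATHS.get(path, "unknown")))
    return hits
```

Run over SAMPLE_LOG, narrow_rule reports only the “.diablo6”-style check-in, while broad_rule also surfaces the “.lukitus” callbacks, including one to a host that is not yet on the list.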

Despite the numerous stories about Locky “comebacks,” each additional return to prominence serves as a reminder that the Locky ransomware and the business model it supports is a valuable monetary strategy for threat actors. As a result, it is unlikely that Locky will be fully unseated as a premier ransomware tool until a truly superior replacement emerges. Until then, it is imperative that network defenders and information security professionals continue to leverage intelligence on the behavior, techniques, and modifications exhibited by criminals deploying the Locky ransomware.

Use PhishMe® to condition your employees to recognize, report, and respond to these growing threats.

Zeus Panda’s Modular Functions Provide Insight into Botnet Malware Capabilities

One core element of the information security mission is the successful assessment of the risk posed to an organization by a malware sample or malware variety delivered by a phishing email. In 2017, phishers have embraced the use of adaptable and flexible malware to gain initial footholds in a network before monetizing the infected host. The intersection of these two missions creates a scenario in which open-ended, adaptable botnet malware challenges information security professionals to prepare for a wide array of malware capabilities, in some cases without much insight into the real risks posed by a malware tool.

However, in some cases a malware tool can reveal most, if not all, of its capabilities in a way that helps an organization identify malware risks. The Zeus Panda botnet malware is one of the more popular malware tools this year, and its use has been documented in numerous phishing attacks. It wholly embodies the principles of a multipurpose botnet tool by providing threat actors with a number of avenues for monetizing infected hosts. The tenacity and creativity with which threat actors have delivered this malware makes it a prominent constituent of the threat landscape but with limited expressions of its capabilities. Yet, understanding those capabilities is crucial for network defenders to understand the impact this malware can have within a protected environment.

Through analysis of behavior exhibited by Zeus Panda samples, PhishMe researchers uncovered a comprehensive assessment of this botnet tool’s capabilities. These capabilities were described through a list of module commands that either execute a task or update a module to support enhanced capabilities. The list below shows some of the operations for these modules.

Zeus Panda module tasks
mod_execute grab2 user_cookies_get
mod_execute grab2 user_passes_get
mod_execute info get_info
mod_update grab2
mod_update http
mod_update info
mod_update klog
mod_update pony
mod_update socks
mod_update vnc_p
mod_update vnc_p2
mod_update vnc_p3
user_execute url

Figure 1 – Zeus Panda modules provide a great deal of information about its capabilities

These module execution and update references can be interpreted as a guide to the capabilities of the Zeus Panda malware. For example, “grab2 user_cookies_get” and “grab2 user_passes_get” both imply that information stored in a browser cookie cache or password safe may be available to the “grab2” module. This could provide an avenue for threat actors to steal browser-session data or passwords for reuse. Similarly, the “info” module may provide reconnaissance about infected environments via the collection of information about the infected host. This information can be in turn leveraged in conjunction with the “user_execute” command to customize an attack through the deployment of a more specialized malware tool.

Other available modules, “klog”, “pony”, and “socks”, imply that keylogger, Pony information stealer, and SOCKS proxy capabilities are available to the threat actor. These would respectively give the threat actor greater insight into victim activity, access to stored passwords and credential data, and the ability to abuse the infected machine as a network proxy or traffic relay. Additionally, a series of VNC modules would give the threat actor an option for full remote control of infected hosts.

Each of these elements from this brief list of module execution and update operations can be used to provide network defenders and information security professionals with an assessment of the risks posed by Zeus Panda. Furthermore, if a sample of this malware is present within a protected environment, comparing network communications and endpoint artifacts with this list of capabilities can help in the response process as well.

As malware creators and phishing threat actors further commoditize malware tools to maximize their opportunities and options regarding infected hosts, collecting intelligence on the capabilities available to those threat actors becomes increasingly important. A comprehensive defense strategy must include response plans and anticipatory defenses to limit a malware’s impact as well as prevent its successful deployment. The first step is empowering email users to recognize phishing techniques and report suspicious emails. Beyond this crucial first step, responders must be empowered to understand the risks posed by the malware these emails deliver to better defend the enterprise.


The PhishMe 2017 Excellence Awards Nominations are Open!

Make your nominations for the 2017 PhishMe® Excellence Awards today!

Every day, thousands of companies use PhishMe as a cornerstone of their phishing defense program. The PhishMe Excellence Awards recognize the outstanding achievements of security professionals and organizations with innovative, successful anti-phishing and phishing defense programs that minimize the risk and impact associated with phishing attacks.