The diagram above, produced by Kryptos Logic, describes how the new email exfiltration module is delivered to existing Emotet infections, and how the module collects and exfiltrates data.
Email extraction module:
Latest C2 IP Addresses (as of 11/1):
TORII IOT Malware
TORII is the name of a new strain of malware that is targeting IoT devices. Initially discovered by Dr. Vesselin Bontchev (aka @vessonsecurity on Twitter), this malware is more than just another IoT cryptocoin miner or Mirai clone. This malware is capable of running on a multitude of different hardware architectures (x86, x64, 68k, ppc, MIPS, ARM, etc.), and has a multitude of different persistence methods for ensuring that infected hosts stay infected.
Like most other IoT botnets, it attempts to gain initial access by brute forcing systems and exploiting weak credentials. Unlike other IoT botnets, however, TORII does not scan for additional hosts to compromise after infecting a victim, which gives it a lower network profile and helps it persist.
According to a blog post (see above) by antivirus company AVAST, it is currently believed that this malware may have emerged some time in 2017. The AVAST blog post has an in-depth analysis of how the malware functions and persists.
C2 Domains and IP addresses:
Thousands of Applications Vulnerable to RCE via jQuery File Upload
jQuery File Upload is a popular open-source package that allows users to upload files to remote systems. It is feature rich and can be deployed on almost any server-side web platform, such as PHP, Python, Ruby on Rails, Java or Node.js. Recently, an issue was discovered in the PHP version of jQuery File Upload that affects all versions prior to 9.24.1 when running under Apache 2.3.9 or later.
The vulnerability stems from jQuery File Upload assuming that its .htaccess configuration options were being honored; as of Apache 2.3.9, however, .htaccess configuration file support is disabled by default. The provided link is to the jQuery File Upload GitHub project. It includes confirmation that the issue has been patched, as well as remediations that can be taken if you cannot patch your system immediately.
Trivial Exploit for X.org Server leads to local privilege escalation
X.org is the backbone for desktop environments on most Linux and BSD systems. On 10/25, a notification for CVE-2018-14665 was made public, and a proof of concept was published by a security researcher using the handle @hackerfantastic. The proof of concept fit into a tweet of under 280 characters, underlining how trivial it is to exploit.
This vulnerability affects X11 server versions from 1.19.0 through 1.20.2. X.org has released a security advisory that details patch availability, as well as recommended steps to mitigate the vulnerability in the event you are unable to patch your systems immediately.
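As an added example (not from the newsletter or from X.org), the following POSIX shell script is a read-only inventory check for CVE-2018-14665: it flags an Xorg binary whose version falls in the affected range above and which is installed setuid root, the condition under which the bug becomes a local privilege escalation. The X.org advisory's workaround is to remove the setuid bit; the binary paths and the "-version" output format are assumptions.

```shell
#!/bin/sh
# Added example (not from the newsletter or X.org): read-only check for CVE-2018-14665.
# Affected range 1.19.0..1.20.2 per the advisory; the bug is a local privilege
# escalation only when Xorg is installed setuid root, and the advisory's workaround
# is to drop that bit. Binary paths and the "-version" output format are assumptions.

# Returns 0 when dotted version "$1" lies in 1.19.0..1.20.2 inclusive.
xorg_version_affected() {
    case $1 in '' | *[!0-9.]*) return 1 ;; esac   # reject empty or non-numeric input
    oldifs=$IFS; IFS=.
    set -- $1                                      # split on dots into $1 $2 $3
    IFS=$oldifs
    # Fold major.minor.patch into one integer so the range test is a plain comparison.
    n=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    [ "$n" -ge 1019000 ] && [ "$n" -le 1020002 ]
}

# Returns 0 when the file "$1" exists and carries the set-user-ID bit.
xorg_is_setuid() { [ -f "$1" ] && [ -u "$1" ]; }

# "X.Org X Server 1.20.1" -> "1.20.1" (the output format is an assumption).
xorg_parse_version() {
    printf '%s\n' "$1" | sed -n 's/^X\.Org X Server \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Prints a one-line verdict for the binary at "$1"; always returns 0 so an
# inventory loop does not abort on clean hosts.
xorg_report() {
    bin=$1
    [ -x "$bin" ] || { echo "$bin: not present"; return 0; }
    ver=$(xorg_parse_version "$("$bin" -version 2>&1)")
    if xorg_version_affected "$ver" && xorg_is_setuid "$bin"; then
        echo "$bin: $ver AFFECTED and setuid root -> patch, or chmod u-s as a workaround"
    elif xorg_version_affected "$ver"; then
        echo "$bin: $ver affected but not setuid (workaround already in place)"
    else
        echo "$bin: version ${ver:-unknown}, outside the affected range"
    fi
}

# Common install locations (assumptions; adjust for your distribution).
for p in /usr/lib/xorg/Xorg /usr/bin/Xorg /usr/libexec/Xorg; do
    xorg_report "$p"
done
```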
Information Security trends
Proofpoint has released the latest edition of their quarterly threat report for Q3 2018. Here is a rundown of some of the things that have caught my eye:
- Email continues to be the top vector for malware distribution and phishing.
- Banking Trojans are the dominant category of malware being distributed today — with Emotet and Panda being the most popular banking trojans.
- Emails featuring malicious URLs (which often direct users to download malicious or macro-enabled documents) are replacing emails that directly attach such documents.
- Ransomware has all but disappeared, accounting for only 1% of all observed malware.
- Exploit kits have also mysteriously vanished, being replaced by social engineering (e.g. convincing users to download/install fake extensions or antivirus), and/or cryptojacking.
The CIA’s communications suffered a compromise that started in Iran
In 2013, the CIA worked to contain a compromise of their covert communications system. The breach, which spanned from 2009 through 2013, was due to the system being used far beyond its intended scope. The root cause of the compromise was that the website had been indexed by Google, allowing Iranian actors to craft complex queries through Google's search engine that identified sites containing sensitive data relating to CIA operations.
It has been suggested that IT personnel in the agency warned that this system was flawed and provided alternatives and other recommendations for replacing the messaging system, but were met with punishment and assurances that the current system was impenetrable.
Until Next Time
Keep an eye out for the next edition of The Hurricane Labs Foundry. Typically these will be released every two weeks. In the meantime, follow us on Twitter @hurricanelabs for updates!