Bluvector Threat Report Q1 2018

Home , NRG (file format), SamSam, Vector (malware)

BluVector Threat Report Q1 2018

While 2018 began with the massive revelation of Meltdown and Spectre, news about any malware threats that specifically target these CPU vulnerabilities has not yet been reported or confirmed. However, the first quarter has shown that while malware prevention solutions are improving for known threats, adversaries continue to evolve their craft to create attacks that circumvent these solutions. As the financial reward for attackers increases, we expect money to remain the primary driving force throughout the year. Which leads directly into Threat Report’s new category… TABLE OF CONTENTS

3 Threat Report Q1 2018 Threat Chart RANSOMWARE Q1 2018 4 Summary 16 RANSOMWARE: AVCrypt APTs Q1 2018 17 RANSOMWARE: BitPaymer/FriedEx APT: HackingTeam RANSOMWARE: GlobeImposter & 5 18 GandCrab 6 APT: OceanLotus 19 RANSOMWARE: SamSam 7 APT: PZChao 8 APT: Slingshot NOTABLE Q4 2017 THREATS TROJANS Q1 2018 TROJANS Q4 2017 9 TROJAN: AndroRAT 21 TROJAN: ExpensiveWall & Hancitor 10 TROJAN: Dridex 22 TROJAN: Iced Id 11 TROJAN: GhostTeam 23 TROJAN: Marcher 12 TROJAN: LockPOS 24 TROJAN: Orcus Rat 13 TROJAN: OylmpicDestroyer 25 TROJAN: Scarab 14 TROJAN: Snojan RANSOMWARE Q4 2017 MINERS Q1 2018 26 RANSOMWARE: Bad Rabbit RANSOMWARE: DoubleLocker 15 MINER: Smominru 27 Android Threat Report Q1 2018

APTs BitPaymer/ GlobeImposter PZChao 51 Months FriedEx in advance 19 Months 29 Months HackingTeam in advance in advance 21 Months in advance Slingshot Double 34 Months SamSam Locker in advance 12 Months 10 Months in advance in advance OceanLotus 10 Months Scarab in advance 11 Months GandCrab in advance 15 Months in advance AVCrypt RANSOMWARE 50 40 30 20 10 5 Months MONTHS MONTHS MONTHS MONTHS MONTHS in advance Bad Rabbit THREAT FIRST 10 Months PUBLICLY in advance Expensive Wall IDENTIFIED 11 Months AndroRat in advance 7 Months in advance Snojan TROJANS 14 Months in advance Marcher GhostTeam 11 Months 9 Months in advance in advance

Orcus Rat OlympicDestroyer 11 Months 14 Months in advance in advance MINERS Smominru 32 Months in advance IcedID 36 Months in advance Hancitor 35 Months Dridex in advance 32 Months in advance

LockPOS 48 Months in advance BluVector runs all discovered malware samples through historical classifiers to identify when our machine learning engine would have first detected the named threat. BluVector currently supports over 35 file-specific machine learning classifiers.

Mining for Malware of Atlanta was also hit by a highly publicized SamSam ransomware attack in March, which As predicted, Q1 2018 saw the continued rise was still not completely resolved a month later, in prominence of crypto-mining, as the topic of costing $2.7 million to that point. The Baltimore cryptocurrencies remains the focus of the media 9-1-1 Computer Aided Dispatch system was also and the general public. Huge financial incentives knocked offline for approximately 17 hours in late and a lack of regulation continue to draw the March by unnamed ransomware. attention of attackers. Due to the volatility in the values of differing cryptocurrencies, miners have APTs and Trojans: Still Kicking moved away from Bitcoin toward Monero. The most damaging threat comes from the However, crypto-mining is far from the greatest two categories that allow attackers to stealthily threat facing organizations, as reflected by the compromise a network and extract credentials fact that only one Threat Report blog in Q1 dealt and other data: trojans and their stealthier with miner malware, and it was only the use of the cousins, Advanced Persistent Threats (APTs). EternalBlue exploit that made the Smominru miner Cumulatively, they accounted for over 63% of noteworthy. We have added a Miner category to Threat Reports in Q1. Trojans and APTs are highly our Threat Report chart as we expect that there likely to be responsible for – or a large component will be further miner threats in the coming year. of – successful breaches. In January 2018, the Japanese-based cryptocurrency exchange Ransomware Hit List Coincheck was breached, resulting in the theft of a colossal $534 million in the relatively unknown As stated in one of our Q1 Threat Report blogs, NEM coin cryptocurrency. In March, Under Armour the death of ransomware in the face of the announced that data was compromised from 150 popularity of cryptominers has been greatly million accounts related to its MyFitnessPal app. exaggerated. Ransomware continues to pose a significant threat to organizations, with victims Conclusion facing both high monetary and reputational costs as the result of a successful attack. There were To put the relentlessness of attacks and the several high-profile attacks during Q1 which attackers perpetrating them into perspective, it amply demonstrate these impacts. has been reported that the global cybercrime economy generates an annual profit of $1.5 trillion The threat ransomware continues to pose is or roughly the same as Russia’s GDP. To use an demonstrated by ransomware accounting for old cybersecurity adage, attackers only need over 30% of Threat Report blogs in Q1. In February, to succeed once to compromise your network, SamSam ransomware infected 2,000 Colorado defenders need to succeed every time. These Department of Transport (CDOT) systems. A facts and the events of Q1 2018 reinforce the reality week later, once CDOT had 20% of systems back that threat actors have no intention of scaling back online, another SamSam variant reinfected those their attacks. It is important not to be distracted systems, resulting in the staff’s return to pen and by coverage given to one attack vector or class paper. Six weeks after the initial infection, CDOT of attack – distraction has been a powerful tool in reported it had only returned to 80% of its pre- the arsenals of attackers for centuries… just think infection functionality. It stated that recovery costs about why malware trojans are so named. may reach US$1.5 million, which includes the cost of temporarily expanding its core IT team from 25 to 150 “during the peak of the incident.” The City

What Is It? to spoof an executable file as a PDF.

HackingTeam is an Italian-based purveyor of So far these new variants have been detected in spyware which became notorious for selling its 14 unnamed countries. There is no valid reason main surveillance tool, Remote Control System for these samples to be present on a corporate (RCS), to nation states with a dubious record network, and their presence may indicate of human rights issues, as well as various industrial espionage or other compromise. intelligence and law enforcement agencies. In July 2015, HackingTeam itself was hacked, How Does It Propagate? resulting in the release of over 400GB of internal The malware does not self-propagate. It has been data, including emails, customer lists and RCS’s observed attached to spear phishing emails as source code. The hackers also gained access to an executable file, attempting to appear as a the official HackingTeam Twitter account, which PDF file. This again highlights the importance of they used to publicly announce the hack and user education and awareness programs as a provide links to the data. The data revealed that component of overall security protections. HackingTeam’s employees used poor passwords including “P4ssword”. When/How Did BluVector Detect It?

In the wake of the data breach, HackingTeam Nine samples are publicly available and was forced to request its customers discontinue BluVector’s patented Machine Learning Engine using the RCS product, which cast doubt on the (MLE) detected all of them. Regression testing has continuing viability of the company. Research shown all samples would have been detected by done by Slovakia-based security company ESET all previous MLE models. Owing to differing times describes samples of RCS that were created the samples have been available in the wild, they between September 2015 and October 2017 would have been detected between 21 and 50 and run on Microsoft Windows. Similarities in months prior to their release. coding style and other factors, which they have chosen not to make public, led ESET to be “fully convinced” that these new variants are from HackingTeam and not created by other actors utilizing the previously released source code. The samples make use of VMProtect, which describes itself as “software protection against reversing and cracking.” ESET found no major advances in functionality when compared to earlier variants, which include capabilities for extracting files, intercepting emails and instant messages and covertly activating webcams and microphones. In at least two cases, they found the samples attached to emails where the filename utilized multiple file extensions in order to attempt

What Is It? file. This well-established malicious technique is known as DLL side-loading. It works by placing Since 2014, the OceanLotus Advanced Persistent the malicious DLL file in the same directory Threat (APT) group, also referred to as APT32 as the legitimate, signed DLL and then having and APT-C-00, has been targeting governments the legitimate DLL load the malicious DLL into and corporations in various industries located memory. This appears less suspicious as the in Southeast Asia, especially Vietnam, Laos, loading is performed by a signed, trusted Cambodia and the Philippines. The group is application. believed to be Vietnamese. The backdoor then encrypts its Command and The group’s goal is to install a backdoor allowing Control (C2) traffic. However, if detected and for full access to a system and the data it contains. captured, this traffic can be decrypted, owing to Recently, Slovakian-based security company the fact the encryption key is actually part of the ESET described the latest malware from traffic. OceanLotus. Though previously OceanLotus has utilized backdoor malware running on Macs, How Does It Propagate? these samples run on Microsoft Windows. The malware does not self-propagate. It is OceanLotus utilizes two main attack vectors believed to be attached to spearphishing in order to install the backdoor. The first is emails as an executable file, using the icon the tried and true method of spear phishing of a Microsoft Word or Excel document or emails containing malicious attachments. These convincing users to download and execute attachments are executables but use icons of what they believe to be the installer or updater Microsoft Word and Excel documents in order to for common software such as Firefox. Again, this convince targeted users to execute them. Once highlights the importance of user education and executed, they display a password protected awareness programs as a component of overall document to distract the user while the backdoor security protections. installs itself. When/How Did BluVector Detect It? The second vector is the use of watering hole attacks in order to get targeted users to install Six samples are publicly available and BluVector’s fake installers or updaters for common software, patented Machine Learning Engine detected such as Firefox. A watering hole attack is where all of them. Regression testing has shown four threat actors compromise legitimate websites samples would have been detected 41 months they either know or strongly suspect targeted prior to their release, with the two remaining users will visit. samples being detected 26 and 10 months prior. Once executed, the malware creates a Windows service and deletes the document used as a distraction. The malware then drops a legitimate, digitally-signed DLL (Dynamic Link Library) file from a well-known application and uses it to load the code from a second, malicious dropped DLL