SEI Issues Advice on Ransomware

Original release date: June 01, 2017

The Software Engineering Institute (SEI) of Carnegie Mellon University has released a blog post on best practices for preventing and responding to ransomware. This common malware captures, encrypts, and holds your data to extort a ransom. SEI’s top recommendation to thwart ransomware attacks is to back up your important files regularly.

US-CERT encourages users and administrators to review SEI's blog post and US-CERT's Security Publication on Ransomware for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

Misuse of DocuSign Email Addresses Leads to Phishing Campaign

DocuSign, which provides electronic signatures and digital transaction management, reported that email addresses were stolen by an unknown party on May 15. Although the company confirmed that no personal information was shared, DocuSign has reported that a malicious third party gained temporary access to a separate, non-core system that allows it to communicate service-related announcements to users via email. This incident has left a lot of DocuSign individual users and business professionals vulnerable, because the attacker group is trying to exploit the users through phishing emails. Users are receiving mails on their corporate email IDs, in which they are asked to review and sign job-related documents such as accounting invoices, by clicking on the “Review Document” hyperlink in the malicious documents.

Spam email.

The phishing link downloads a document file consisting of malicious code, which when opened injects malware in the system’s process svchost.exe.

Process injection.

The injected process sends a request to the following URLs:

Contacting the remote host.

The malware receives the response:

Response from server.

The response is an encrypted file that could be any of three types:

  • DLL: The common password stealer Pony Loader, aka Fareit.
  • EXE: A similar variant known as Evil Pony.
  • EXE ZLoader: For loading exploit kits and other malware.

The compressed and encrypted stealer component.

The files are aplib compressed and XOR encrypted. The download has to first be decompressed and then decrypted. The first 8 bytes of the file are the XOR key.

The decrypted stealer component.

The DLL file uses a lot of anti-debugging techniques to avoid analysis. It also creates a mutex to avoid its own multiple instances running on the same machine.

Creating the mutex.

The DLL, Pony Loader, steals the username, password, and other information. The following screenshots show code for stealing user credentials from Chrome and Outlook.

Code for stealing Chrome credentials.

Code for stealing Outlook credentials.

The EXE, Evil Pony, steals credentials from FileZilla:

Code for stealing FileZilla credentials.

Once downloaded, these malware monitor a user’s keystrokes, capture personal information such as usernames and passwords, and send this information to the malware originator.

DocuSign has reported that they have taken quick measures to block the unauthorized access and have added further security to their systems. The company has also advised its users to keep their antimalware software updated.

McAfee urges all customers to ensure McAfee’s DAT updates have been applied to ensure the latest protection. We advise customers to be diligent in applying security updates for all the software they use.

SHA256 hashes of the analyzed samples:

  • fff786ec23e6385e1d4f06dcf6859cc2ce0a32cee46d8f2a0c8fd780b3ecf89a: W97M/
  • 5bcd2d8ed243d6a452d336c05581291bc63ee489795e8853b9b90b5f35c207d8: RDN/Generic PWS.y
  • 437351c9ae0a326ed5f5690e99afc6b723c8387f1ed87c39ebcce85f9103c03a: Fareit-FCH
  • 9f346deed73194928feda785dca92add4ff4dd19fbc1352cebaa6766e0f69a38: Generic PWS.o

The post Misuse of DocuSign Email Addresses Leads to Phishing Campaign appeared first on McAfee Blogs.

Putin: “Patriotic” Russian hackers may have interfered in US election

Enlarge / Russian President Vladmir Putin in Saint Petersburg today for the St. Petersburg International Economic Forum, acknowledged today that Russian hackers may have interfered in the US election. (credit: Mikhail Svetlov/Getty Images)

Russian Federation President Vladimir Putin acknowledged today that “patriotically minded” Russian hackers may have been responsible for the breach of the network of the Democratic National Committee and the e-mail accounts of members of Hillary Clinton's presidential campaign, as well as other attempts to interfere in the US presidential elections of 2016 to aid the campaign of Donald Trump.

The admission, which Putin gave in an interview with Reuters, was a reversal of previous Kremlin denials of any Russian involvement in the information operations against Hillary Clinton and the Democrats. Putin continued to deny state involvement in the attacks, instead suggesting that the attacks were staged by Russians acting independently. “If they are patriotically minded, they start making their contributions—which are right, from their point of view—to the fight against those who say bad things about Russia,” he said.

Radio Free Europe posted an excerpt from the interview on Twitter:

Read 2 remaining paragraphs | Comments

WikiLeaks says CIA’s “Pandemic” implant turns servers into malware carriers

Enlarge / One of the pages published Thursday in WikiLeaks' latest Vault 7 release. (credit: WikiLeaks)

WikiLeaks just published details of a purported CIA operation that turns Windows file servers into covert attack machines that surreptitiously infect computers of interest inside a targeted network.

"Pandemic," as the implant is codenamed, turns file servers into a secret carrier of whatever malware CIA operatives want to install, according to documents published Thursday by WikiLeaks. When targeted computers attempt to access a file on the compromised server, Pandemic uses a clever bait-and-switch tactic to surreptitiously deliver malicious version of the requested file. The Trojan is then executed by the targeted computers. A user manual said Pandemic takes only 15 seconds to be installed. The documents didn't describe precisely how Pandemic would get installed on a file server.

In a note accompanying Thursday's release, WikiLeaks officials wrote:

Read 7 remaining paragraphs | Comments