Security Week 43: Great IoT harvest is coming, as hackers of NATO’s cyberconfus PR, ExPetr ears stick out of Bad Rabbit
Repent, for it is coming! The streets were flooded with crazy preachers with apocalyptic posters, an unusually huge bloody moon rises from the horizon at night, and scientists, who at one time did not receive the Nobel because of too radical ideas, unsuccessfully try to reach the authorities with their shocking discoveries. Something terrible is brewing. It is already close. Well or not. Perhaps this time we were lucky, and in time we received a warning about the impending uprising of the “Internet of things”. NewSky Security found a forum thread on the darknet in which the “black hats” relaxedly discussed the concept and implementation of the attack through CVE-2017-8225, which allows you to merge credentials from Chinese cameras from many different vendors. The two most active participants in the discussion eventually gave birth to two scripts.
The first script looked for devices with CVE-2017-8225 in a very original way - using the Shodan Premium service. The second script follows the list of IP addresses compiled by Shodan and extracts the usernames and passwords of administrators from the devices.
Stop! Botnet infecting IoT devices. It sounds familiar - after all, just recently, CheckPoint researchers warned of a similar botnet. According to their data, a monster called IoTroop at the time of October 19, 2017 already infected more than a million organizations. Not devices. Organizations. Unlike the pioneer Mirai, who threw it onto the device, simply sorting through popular dictionary passwords, IoTroop did not stop there - it also spreads using vulnerabilities (mostly already known). But the fact that the vulnerability is known does not mean at all that it is useless - according to the same CheckPoint, 60% of organizations use at least one IoT device with a known vulnerability, be it a security camera, router or network storage.
Where is the connection? In the thread where the black hats talked, among other things, there was a discussion of the difficulties of getting a shell on the attacked device. Hackers use the reverse shell method when the device broadcasts an administrator session to the management and control server. On the port that listens to the netcat installed there. The same method was discovered by Checkpoint during the IoTroop study, which allows you to associate the discussion participants with the million infected offices.
So far, IoTroop has been quietly spreading without active malicious activity. It’s not known what botovods are waiting for: they may be building up their strength, or maybe they are looking for a generous customer. One thing is clear - when they move on to action, little will not seem to anyone.
Sofacy attacks
News security researchers . Study. Sofacy, aka FancyBear, aka APT28, was caught attacking a very specific group of security people interested in the CyCon conference on cyber warfare organized by the Center for Coordinated Cyber Defense and the Application of Excellence of NATO.
The bait file was a Microsoft Word document containing a dish from the announcement, seamless from the CyCon site, seasoned with a cunning VBA script. This time there are no exploits, the victim opens the file, and a script is launched that does not even think of surfing the Internet. Instead, it crawls into document fields such as 'Subject', 'Company', 'Category', 'Hyperlink base' and 'Comments' and extracts from there some kind of meaningless mishmash of characters.

This is actually not a mishmash - it is a file encoded in base64 and broken into several parts. The script collects and decodes the file, then writes it to disk as netwf.dat and runs it using rundll32.exe. So, this file is a slightly modified dropper Seduploader, the same one that was previously used in Sofacy attacks.
The dropper, in turn, downloads load files from the management server - netwf.bat and netwf.dll, and the VBA script sets the hidden attribute to them. The dropper starts the load, and it takes root in the system. She knows more than enough: capture a picture from the display via the GDI API, retrieve and send data to the server, download and run files. The motives for this attack are unknown, but the focus on military information security specialists shows that the attackers were interested, most likely, not money.
Of course, Petya! Well, who does not know him ...
News . Still, the Bad Rabbit ransomware turned out to be ExPetr / Not Petya's fellow. Our analysts have confirmed the connection between the two attacks. Firstly, both found similar hashing algorithms. Secondly, both domains used the same domains, and in the source codes there was an obvious affinity. To spread the rabbit, hackers broke into a number of popular sites around the world and uploaded a Trojan to them. Visitors received an offer to download a new version of FlashPlayer (is anyone else catching on this ?!). The victims themselves installed a crypto locker, and even gave it all the necessary rights without looking cursing a request from UAC.

Bad Rabbit Distributing Sites
Like ExPetr, Rabbit retrieved credentials from the machine’s memory and crawled further through the local network using WMIC. At the same time, the authors took into account the lesson learned in the ExPetr campaign - Bad Rabbit depicts the Ransomware more convincingly, that is, the honor of encrypting the data and sending the keys to the server, as if it’s really going to decrypt something ...
It’s impossible not to notice that the authors of the campaign became very careful. As soon as security companies launched an investigation, hackers immediately removed the malicious code from all the hacked sites.

Antiquities
PC-FLU family
Dangerous resident viruses infect .COM files by default when they are launched or opened. They write down their TSR copies at address 9A00: xxxx without changing anything in the MCB blocks, which can cause the computer to freeze. Apparently, resident antivirus monitors are looking for memory and trying to get around them. Intercept int21h
Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky. 1992 year. Page 42.
Disclaimer: This column reflects only the private opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. That's how lucky.