
NETWORK INTELLIGENCE SECURITY ADVISORY

The major security news items of the month: major threats and security patch advisory. The advisory also includes IOCs and remediation steps.

Digest: July 2019, Edition 1.0

To know more about our services reach us at info@niiconsulting.com or visit www.niiconsulting.com

IN THIS EDITION:

Security Advisory Listing and Severity

Plurox, a full-featured modular backdoor equipped with exploits, API plugins and other capabilities, found targeting organizations on a global scale
Severity: Critical

Deserialization remote command execution vulnerability (CVE-2019-2729) found in the XMLDecoder component of Oracle WebLogic Server
Severity: Critical

Formbook, an info-stealer malware capable of stealing data from web browsers and many other applications, continues to evolve with advanced features to evade detection and maintain persistence
Severity: High

DanaBot banking Trojan with added ransomware capability found targeting Europe, Australia, New Zealand, the United States, Canada and others on a global scale
Severity: High

Adobe Worm Faker found using LOLBins (living-off-the-land binaries) and dynamic techniques to target organizations on a global scale
Severity: High

ALSO INSIDE: Security Patch Advisory


Formbook, an info-stealer malware capable of stealing data from web browsers and many other applications, continues to evolve with advanced features to evade detection and maintain persistence

SECURITY ADVISORY
Date: June 13, 2019
Severity: High

VULNERABILITY

INTRODUCTION

Formbook, an info-stealer capable of stealing data from web browsers and many other applications, continues to evolve with advanced features to evade detection and maintain persistence. Its data-stealing capabilities include:
• Keystroke logging
• Clipboard monitoring
• HTTP/HTTPS/SPDY/HTTP2 form and network request grabbing
• Browser and email client password grabbing
• Capturing screenshots
• Bot updating
• Downloading and executing files
• Bot removal
• Launching commands via ShellExecute
• Clearing browser cookies
• Rebooting the system
• Shutting down the system
• Downloading and unpacking ZIP archives

Formbook is dropped by a malware loader delivered via spam email containing either a malicious document or a drive-by-download link. The loader's purpose is to deploy the Formbook payload together with additional tools and to maintain persistence on the system. The loader applies packers, encryption and obfuscation to the final Formbook payload, which is delivered either as a PE file or as shellcode. New Formbook variants are written in several programming languages and use numerous packers and anti-analysis techniques to evade detection by signature-based anti-malware products. The decrypted, de-obfuscated Formbook payload is never written to disk; it runs only in memory, so file-based scanning never sees the real payload and detection has to rely on memory scanning and behavioural indicators.

IMPACT

This poses a serious risk of data breach, financial loss, and reputational damage to an organization.

AFFECTED

All Microsoft Windows workstation and server versions.

READ

Formbook Research Hints Large Data Theft Attack Brewing


Plurox, a full-featured modular backdoor equipped with exploits, API plugins and other capabilities, found targeting organizations on a global scale

SECURITY ADVISORY
Date: June 19, 2019
Severity: Critical

VULNERABILITY

INTRODUCTION

The Plurox backdoor is believed to be delivered through a phishing email or a peer-to-peer (P2P) channel. It spreads itself over the local network via the EternalSilence and EternalBlue exploits, which give a remote attacker unauthorized access and let them install miners and other malicious software on victims' computers. Because lateral movement relies on EternalBlue, hosts that are missing the MS17-010 update are the ones exposed to worm-style spread. Plurox uses TCP to communicate with its C2 server, and its API plugins (UPnP and SMB) are loaded and interface directly over two ports: TCP 135 (MS-RPC) and TCP 445 (SMB). The backdoor supports seven commands:
▪ Download and run files using the WinAPI CreateProcess
▪ Update the bot
▪ Delete and stop (delete its own service, remove itself from autoload, delete files, remove artefacts from the registry)
▪ Download and run a plugin
▪ Stop a plugin
▪ Update a plugin (stop the process and delete the file of the old version, then load and start the new one)
▪ Stop and delete a plugin

IMPACT

This poses a serious risk of data breach, financial loss, and reputational damage to an organization.

AFFECTED

All Microsoft Windows workstation and server products.

IP ADDRESSES

178.21.11.90
185.146.157.143
37.140.199.65
194.58.92.63
37.46.131.250
188.93.210.42

DOMAINS

obuhov2k.beget.tech
webdynamicname.com
supportmachine.ru
test-saeed.ru
jambuild.ru
avantagegroup.ru
n5230-5228.ru
rusdgold.ru
sexcelki.ru
touch-files.ru
excellencekazan.ru
files-torrent.ru

READ

Plurox: Modular backdoor
Modular Plurox backdoor can spread over local network


Deserialization remote command execution vulnerability (CVE-2019-2729) found in the XMLDecoder component of Oracle WebLogic Server

SECURITY ADVISORY
Date: June 20, 2019
Severity: Critical

VULNERABILITY

INTRODUCTION

This easily exploitable vulnerability allows an unauthenticated remote attacker with HTTP network access to compromise Oracle WebLogic Server; successful exploitation results in a complete takeover of the server. The flaw is being actively exploited by threat actors to gain unauthorized access and to host malware on compromised WebLogic servers. CVE-2019-2729 bypasses the fix Oracle shipped in April 2019 for CVE-2019-2725, so a server that was patched for CVE-2019-2725 is still exposed until this alert's patch is applied. Oracle has released patches for Oracle WebLogic Server 10.3.6.0.0 and 12.1.3.0.0; at the time of writing the patch for 12.2.1.3.0 was still pending, so customers should check Oracle's patch availability page regularly.

READ

• Oracle Security Alert Advisory - CVE-2019-2729
• Out-of-band security advisory addresses second Oracle WebLogic Server vulnerability in two months
• National Vulnerability Database | CVE-2019-2729 Details

IMPACT

This deserialization remote command execution vulnerability poses a serious risk of unauthorized access to, and modification of, the affected Oracle WebLogic Server.

AFFECTED

Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0.

WORKAROUND

• Delete the WAR packages that serve the vulnerable web services (wls9_async_response.war for /_async/* and wls-wsat.war for /wls-wsat/*) and restart the Oracle WebLogic service. Note that this removes the async-response and WS-AtomicTransaction features for any application that depends on them.
• Restrict access to the URL paths /_async/* and /wls-wsat/* on Oracle WebLogic Server via the access policy (or at a front-end reverse proxy or WAF).
Whichever workaround is used, verify it from the network afterwards by requesting those paths: a 403 or 404 response means the path is blocked, while a 200 means the endpoint is still reachable.

REMEDIATION

1. Apply the Oracle Security Alert patch for CVE-2019-2729 to the affected Oracle WebLogic Server versions (10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0), or upgrade to a release that includes the fix.
2. Where a patch is not yet available (12.2.1.3.0 at the time of writing), apply the temporary workaround above and keep checking Oracle's patch availability page.
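The following Python script is an added example (not part of the advisory or of Oracle's guidance) for the verification step of the workaround: it sends plain GET requests to the two restricted paths and reports whether each is still reachable, blocked, or redirected. It carries no exploit payload. The two concrete endpoint URLs under /_async/ and /wls-wsat/ are assumed well-known service paths, not taken from the advisory, and the FakeWebLogic class is a constructed stand-in so the check can be exercised offline.

```python
"""Verify that the CVE-2019-2729 workaround (blocking /_async/* and
/wls-wsat/*) is actually in effect on a WebLogic listener.

Added example, not part of the advisory or of Oracle's guidance. It sends
plain GET requests only; there is no exploit payload. The two probe URLs
are assumed well-known service endpoints under the restricted paths."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_PATHS = [
    "/_async/AsyncResponseService",   # served by wls9_async_response.war
    "/wls-wsat/CoordinatorPortType",  # served by wls-wsat.war
]


def classify(status):
    """Turn an HTTP status code into a verdict for one probed path."""
    if status is None:
        return "unreachable"
    if status in (401, 403, 404):
        return "blocked"        # access policy (401/403) or WAR removed (404)
    if 200 <= status < 300:
        return "EXPOSED"        # the servlet answered: workaround not in effect
    if 300 <= status < 400:
        return "redirected"     # e.g. an SSO login redirect; review manually
    return "unknown"


def probe(host, port, path, use_tls=False, timeout=5):
    """GET one path and return its status code, or None if unreachable."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "cve-2019-2729-workaround-check"})
        resp = conn.getresponse()
        resp.read()
        return resp.status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def check_host(host, port, use_tls=False):
    """Probe every restricted path and return {path: verdict}."""
    return {p: classify(probe(host, port, p, use_tls)) for p in PROBE_PATHS}


class FakeWebLogic(BaseHTTPRequestHandler):
    """Constructed stand-in for a WebLogic listener so the check runs offline.
    Answers 200 on the vulnerable paths until the 'access policy' is applied,
    then 403, mimicking the second workaround in the advisory."""
    workaround_applied = False

    def do_GET(self):
        if self.path.startswith(("/_async/", "/wls-wsat/")):
            code = 403 if self.workaround_applied else 200
        else:
            code = 404
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Run the check against the fake listener before and after the workaround."""
    verdicts = {}
    for applied in (False, True):
        handler = type("Handler", (FakeWebLogic,), {"workaround_applied": applied})
        srv = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            verdicts[applied] = check_host("127.0.0.1", srv.server_port)
        finally:
            srv.shutdown()
            srv.server_close()
    return verdicts


if __name__ == "__main__":
    for applied, result in run_demo().items():
        print("workaround applied" if applied else "before workaround", result)
```

Against a real server, call check_host with the listener's host and port (for example check_host("weblogic.internal", 7001), a hypothetical host name) from a network position equivalent to the attacker's; a verdict of EXPOSED on either path means the workaround is not in effect on that listener.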


DanaBot banking Trojan with added ransomware capability found targeting Europe, Australia, New Zealand, the United States, Canada and others on a global scale

SECURITY ADVISORY
Date: June 21, 2019
Severity: High

VULNERABILITY

INTRODUCTION

The DanaBot banking Trojan is distributed through phishing emails containing a malicious drive-by-download link that usually leads to either a JavaScript or a PowerShell dropper. In the post-infection chain it drops a Delphi-written executable as a ransomware payload, and also additional malware such as GootKit and the Remcos RAT to exfiltrate data from compromised systems. DanaBot comes with the following capabilities:
▪ Stealing browser and FTP client credentials
▪ Collecting cryptocurrency wallet credentials
▪ Running a proxy on the infected machine
▪ Performing Zeus-style web injects
▪ Taking screenshots and recording video
▪ Providing remote control via RDP or VNC
▪ Requesting updates via Tor
▪ Bypassing UAC using a WUSA exploit
▪ Requesting updates from the C&C server and executing commands
All DanaBot variants communicate with the C2 server via a custom TCP-based protocol over TCP port 443. Because that protocol is not TLS, these sessions stand out as port-443 connections that never complete a TLS handshake.

IMPACT

This poses a serious risk of data breach, financial loss, and reputational damage to an organization.

AFFECTED

All Microsoft Windows workstation and server versions.

IP ADDRESSES

192.71.249.51
178.209.51.211
185.92.222.238
89.144.25.104
89.144.25.243
84.54.37.102
149.28.180.182
95.179.186.57
194.76.225.28
185.189.149.235

DOMAINS

demo.maintrump.org
kaosutdoaaf.pw
kaosutdoaaf6.pw
kaosjdoaaf6.pw
kadosjdoaaf6.pw
kadosjdoaf6.pw
kadosjdoafa.pw
kadosjdoiafa.pw
kdosjdoiafa.pw
kduwouewpew.pw
kdguwoewpew.pw
sfjskdjfwoiewwegroup.tech
brekwinarew.site
jklfsdkfjhwefjosdf.top
jklfsdkfjhwefjosdf.xyz
goskilindad.site
mon-sta.com
lindakiski.top
lidaskiheg.space
lnet4-data.com
net4-data.com
lidaskiheg.site
bruksialopws.icu

READ

DanaBot Demands a Ransom Payment


Adobe Worm Faker found using LOLBins (living-off-the-land binaries) and dynamic techniques to target organizations on a global scale

SECURITY ADVISORY
Date: June 21, 2019
Severity: High

VULNERABILITY

INTRODUCTION

The attack is initiated either through a phishing email containing a malicious link or through a peer-to-peer public file-sharing client hosting the malicious files. The file involved is a ZIP archive containing a launcher (carrying an Adobe Acrobat Reader icon to trick the user into opening it) and a malicious script posing as a PDF file. Once the user executes the launcher, the script is invoked and runs silently in the background, staying hidden and persistent on the compromised system. The script then downloads Adobe Worm Faker from a C2 server using LOLBins, that is, legitimate signed Windows utilities rather than a dropped downloader, and installs it on the system. Once installed, Adobe Worm Faker collects system information and other sensitive data so the remote attacker can decide which follow-on attack to execute to achieve their goals. It also attempts to tamper with any Data Loss Prevention (DLP) and antivirus products it finds on the compromised system, and communicates with multiple C2 servers to download a variety of malicious payloads. Remote attackers can use Adobe Worm Faker to gain remote access to the compromised system, exfiltrate data, execute code, download files, dump processes, perform keylogging, or conduct any number of other malicious activities.

IMPACT

This poses a serious risk of data breach, financial loss, and reputational damage to an organization.

AFFECTED

All Microsoft Windows workstation and server versions.

IP ADDRESSES

105.98.9.222
41.105.50.134
41.105.23.134

DOMAINS

simone.linkpc.net
hlem.myq-see.com
oahm.duckdns.org
maroco.linkpc.net

HASHES (SHA-256)

ec37f280c0be6d88c9bf1a018258779a08d051f2276332c8918a841220c78b7d
24cc930967d53dec395dd33a9825156a0bb47f08722f2812ec2cdc7d184faac1
03d53337fe6aedebc24c319bad7570cf08432fd048fed5a2b509d022e5d99163

READ

Adobe worm faker uses lolbins and dynamic techniques to deliver customized payloads
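As an added example that is not part of the advisory, the Python script below checks proxy/firewall log lines and a file-hash inventory against the Plurox, DanaBot and Adobe Worm Faker indicators listed on the three IOC pages of this digest (it serves all three advisories). The indicator values are copied from those pages; the key=value log format, the log lines and the hash inventory are constructed for the example. Domain matching is anchored on a dot so that a dynamic-DNS indicator such as simone.linkpc.net does not flag every other linkpc.net host.

```python
"""Match the Plurox, DanaBot and Adobe Worm Faker indicators from this digest
against proxy/firewall log lines and a file-hash inventory.
Added example, not part of the advisory. Indicator values are copied from
the advisory pages; the log format, log lines and hash inventory are constructed."""
import re

RAW_IOCS = {
    "Plurox": {
        "ips": "178.21.11.90 185.146.157.143 37.140.199.65 194.58.92.63 37.46.131.250 188.93.210.42",
        "domains": "obuhov2k.beget.tech webdynamicname.com supportmachine.ru test-saeed.ru jambuild.ru "
                   "avantagegroup.ru n5230-5228.ru rusdgold.ru sexcelki.ru touch-files.ru "
                   "excellencekazan.ru files-torrent.ru",
        "hashes": "",
    },
    "DanaBot": {
        "ips": "192.71.249.51 178.209.51.211 185.92.222.238 89.144.25.104 89.144.25.243 "
               "84.54.37.102 149.28.180.182 95.179.186.57 194.76.225.28 185.189.149.235",
        "domains": "demo.maintrump.org kaosutdoaaf.pw kaosutdoaaf6.pw kaosjdoaaf6.pw kadosjdoaaf6.pw "
                   "kadosjdoaf6.pw kadosjdoafa.pw kadosjdoiafa.pw kdosjdoiafa.pw kduwouewpew.pw "
                   "kdguwoewpew.pw sfjskdjfwoiewwegroup.tech brekwinarew.site jklfsdkfjhwefjosdf.top "
                   "jklfsdkfjhwefjosdf.xyz goskilindad.site mon-sta.com lindakiski.top lidaskiheg.space "
                   "lnet4-data.com net4-data.com lidaskiheg.site bruksialopws.icu",
        "hashes": "",
    },
    "Adobe Worm Faker": {
        "ips": "105.98.9.222 41.105.50.134 41.105.23.134",
        "domains": "simone.linkpc.net hlem.myq-see.com oahm.duckdns.org maroco.linkpc.net",
        "hashes": "ec37f280c0be6d88c9bf1a018258779a08d051f2276332c8918a841220c78b7d "
                  "24cc930967d53dec395dd33a9825156a0bb47f08722f2812ec2cdc7d184faac1 "
                  "03d53337fe6aedebc24c319bad7570cf08432fd048fed5a2b509d022e5d99163",
    },
}
# Normalise to sets for constant-time lookups.
IOCS = {fam: {k: set(v.split()) for k, v in d.items()} for fam, d in RAW_IOCS.items()}


def match_ip(ip):
    return sorted(fam for fam, d in IOCS.items() if ip in d["ips"])


def match_domain(host):
    """Families whose domain indicator equals host or is a parent of it.
    The suffix match is anchored on a dot, so an indicator that is itself a
    dynamic-DNS hostname (simone.linkpc.net) matches only that host and its
    children, never the whole linkpc.net zone."""
    host = host.lower().rstrip(".")
    return sorted(fam for fam, d in IOCS.items()
                  if any(host == ioc or host.endswith("." + ioc) for ioc in d["domains"]))


def match_hash(digest):
    return sorted(fam for fam, d in IOCS.items() if digest.lower() in d["hashes"])


KV = re.compile(r"(\w+)=(\S+)")  # constructed log format: space-separated key=value pairs


def scan_proxy_log(lines):
    """Return (line_no, family, indicator_type, indicator) for every hit.
    Expects dst=<ip> and host=<hostname or -> fields on each line."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(KV.findall(line))
        dst = fields.get("dst", "")
        hits += [(n, fam, "ip", dst) for fam in match_ip(dst)]
        host = fields.get("host", "-").lower().rstrip(".")
        if host != "-":
            hits += [(n, fam, "domain", host) for fam in match_domain(host)]
    return hits


def scan_hash_inventory(lines):
    """Each line: '<path> <sha256>'. Reports the path of every matching file."""
    hits = []
    for n, line in enumerate(lines, 1):
        path, _, digest = line.strip().rpartition(" ")
        hits += [(n, fam, "sha256", path) for fam in match_hash(digest)]
    return hits


# Constructed sample input: a few proxy/firewall records and a hash inventory.
SAMPLE_PROXY_LOG = [
    "2019-06-21T10:02:11Z src=10.0.0.5 dst=178.21.11.90 dport=445 host=-",
    "2019-06-21T10:02:40Z src=10.0.0.5 dst=203.0.113.10 dport=443 host=www.example.com",
    "2019-06-21T10:03:02Z src=10.0.0.7 dst=10.0.0.1 dport=53 host=cdn.webdynamicname.com",
    "2019-06-21T10:05:19Z src=10.0.0.9 dst=185.92.222.238 dport=443 host=-",
    "2019-06-21T10:06:00Z src=10.0.0.9 dst=10.0.0.1 dport=53 host=other.linkpc.net",
    "2019-06-21T10:07:45Z src=10.0.0.11 dst=10.0.0.1 dport=53 host=MAROCO.linkpc.net.",
]
SAMPLE_HASHES = [
    r"C:\Users\bob\Downloads\AcrobatReader.exe "
    "ec37f280c0be6d88c9bf1a018258779a08d051f2276332c8918a841220c78b7d",
    r"C:\Windows\System32\notepad.exe " + "0" * 64,
]


def scan_all():
    return scan_proxy_log(SAMPLE_PROXY_LOG) + scan_hash_inventory(SAMPLE_HASHES)


if __name__ == "__main__":
    for hit in scan_all():
        print("line %d: %s %s %s" % hit)
```

On the constructed sample the scan flags the Plurox C2 IP and a subdomain of webdynamicname.com, the DanaBot C2 IP on port 443, the case- and trailing-dot-insensitive maroco.linkpc.net lookup, and the Adobe Worm Faker SHA-256 in the download folder, while other.linkpc.net and the example.com request are left alone. Replace the two sample lists with your own exports to run it against real data.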