Xiaobing Lin – McAfee Blogs (https://www.mcafee.com/blogs)

VPNFilter Malware Adds Capabilities to Exploit Endpoints
Wed, 06 Jun 2018
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/vpnfilter-malware-adds-capabilities-to-exploit-endpoints/
VPNFilter, a botnet-controlled malware that infects networking devices, was first documented by researchers from Cisco Talos. McAfee Labs also published a blog on May 23 with some initial information.

In our last post we discussed the three stages of infection and the devices affected by the malware, and how it can maintain a persistent presence on an infected device even after a reboot. The malware can also monitor traffic routed through the infected device. (Read the first post for more details.)

In this post we report new information released by Cisco Talos. The findings reveal that the malware now targets additional devices, including products from Huawei, Asus, D-Link, Ubiquiti Networks, MikroTik, Upvel, ZTE, Linksys, Netgear, and TP-Link.

In our previous post we discussed two Stage 3 modules, a traffic sniffer and Tor. Researchers have now analyzed a third Stage 3 module that intercepts network traffic with a man-in-the-middle attack and injects malicious code into content as it passes through the router. With this module an attacker can launch an exploit, exfiltrate data, or inject JavaScript into the victim’s device.

The malware has also added a module that deletes its traces on the infected device, then clears the flash memory and deletes operating system files, rendering the device inoperable.

The new Stage 3 module’s packet sniffer looks for basic authentication in traffic content and also monitors connections for industrial control system traffic using the Modbus protocol, which is typically found in SCADA systems.

Coverage and Mitigation

The IOCs listed below are covered as follows:

  • Detection names for files: Linux/VPNFilter
  • V3 DAT with coverage version: 3367
  • V2 DAT with coverage version: 8916

All samples, as well as all relevant URLs, are classified as malware in the GTI cloud.

Further Recommendations from the Talos Threat Research Team

  • Reboot SOHO routers and NAS devices to remove the potentially destructive, nonpersistent Stage 2 and Stage 3 malware.
  • Work with the manufacturer to ensure that your device is up to date with the latest patches. Apply the updated patches immediately.
  • ISPs should aggressively work with their customers to ensure their devices are patched to the most recent firmware.

Updated Indicators of Compromise and Sample Hashes

URLs and IP addresses


File Hashes


VPNFilter Botnet Targets Networking Devices
Wed, 23 May 2018
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/vpnfilter-botnet-targets-networking-devices/
VPNFilter is a botnet with capabilities to support both intelligence collection and destructive cyberattack operations. The Cisco Talos team recently notified members of the Cyber Threat Alliance (CTA) of its findings and published this blog.

The malware is believed to target networking devices, although the malware’s initial infection vector is still unclear. Talos, which first reported this attack, claims that it has impacted at least 500,000 networking devices during the last few years. The malware can persist on infected devices and can steal website credentials and monitor Modbus SCADA protocols. It also implements file collection, command execution, data extraction, and device management and, even worse, it can render some or all of the infected devices unusable.

The known devices affected by VPNFilter are Linksys, MikroTik, Netgear, and TP-Link networking equipment in the small and home office (SOHO) space, as well as some QNAP network-attached storage (NAS) devices.

Malware infection stages

VPNFilter has a three-stage infection.

Stage 1 establishes persistence on the system and uses multiple control mechanisms to locate and connect to the Stage 2 deployment server.

Stage 2 focuses on file collection, command execution, data extraction, and device management. Some versions possess a self-destruct capability that renders the device unusable.

Stage 3 includes two known modules:

  • A traffic sniffer to steal website credentials and monitor Modbus SCADA protocols
  • Tor to communicate with anonymous addresses

Indicators of compromise and sample hashes

URLs and IPs


File hashes


Coverage and mitigation

The aforementioned IOCs are covered as follows:

  • Detection names for files: Linux/VPNFilter and Linux/VPNFilter.a
    • V3 DAT with coverage version: 3353
    • V2 DAT with coverage version: 8902
  • All samples are GTI classified as malware
  • All relevant URLs are GTI classified

Further recommendations from the Talos threat research team:

  • Reboot SOHO routers and NAS devices to remove the potentially destructive, nonpersistent Stage 2 and Stage 3 malware.
  • Work with the manufacturer to ensure that your device is up to date with the latest patches. Apply the updated patches immediately.
  • ISPs should work aggressively with their customers to ensure their devices are patched to the most recent firmware.

Expiro Malware Is Back and Even Harder to Remove
Tue, 31 Oct 2017
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/expiro-infects-encrypts-files-to-complicate-repair/
File infector malware adds malicious code to current files. This makes removal tricky because deleting infections results in the loss of legitimate files. Although file infectors were more popular in the 1990s and early 2000s, they still pose a significant threat. The complex disinfection process is usually leveraged by malware authors to ensure systems stay infected for a long period. This may explain why complex file infectors such as W32/VirRansom, W32/Sality, W32/Xpaj, and Expiro are still active today.

The Expiro virus has been around for more than a decade, and its authors continue to update it with more features. Expiro is unique in that it infiltrates executable files on both 32- and 64-bit Windows systems by appending its viral code to the host. It can be used to install malicious browser extensions, lower browser security settings, and steal account credentials.

Recently we discovered a new variant of Expiro with a significant change in its infection routine. In previous variants, Expiro modified and stole code at the entry point and appended the viral payload only at the end of the original file, typical of an appender virus.

The new variant, however, changes the size of the base relocation table and encrypts the addresses inside, causing traditional appender virus repair routines to corrupt files unless they correctly restore the original base relocation table. By adding the encryption, Expiro increases the complexity of analysis and requires a customized repair routine, which makes it hard to combat.

The following screenshots demonstrate this point: The base relocation table of a file infected by the old variant of Expiro is unaffected and the contents are untouched.

Figure 1: The relocation table remains intact when infected by the old Expiro variant.

Figure 2: The relocation table contents are not modified by the old Expiro variant.

The new variant reduces the size of the base relocation table and encrypts portions of it (outlined in red).

Figure 3: The latest Expiro variant reduces the size of the relocation table.

Figure 4: The relocation table encrypted by the latest Expiro variant.

To fix relocations before the original file’s code executes, the Expiro virus first runs its own malicious payload. It then decrypts the relocation table and dynamically applies all address relocations so that the original file can run correctly.

Decryption involves a simple XOR operation with a key hardcoded within the sample.

Figure 5: Relocation table being decrypted using a hardcoded XOR key.

After the decryption, the rest of the original base relocation table is recovered.

Figure 6: The EDI register now contains decrypted relocation data.

In recovery step 2, Expiro computes the address of the value to be relocated using the formula Relocation_Address = NewImageBase + Offset + VirtualAddress.

Figure 7: Calculation of the address to be relocated in Expiro’s code.

As we see in the following screenshot, the formula gives Relocation_Address = 0x950000 + 0x354 + 0x1000, so the value at 0x951354 must be relocated (the address is stored in eax).

Figure 8: Relocation address being calculated.

In recovery step 3, Expiro computes the relocation value using the formula Relocation_Value = OldValue + (NewImageBase – OldImageBase).

Figure 9: Relocation value being computed by Expiro.

In this case, the formula is Relocation_Value = 0x01001354 + (0x00950000 – 0x01000000), so the relocation value is 0x00951354.

Figure 10: Expiro performing relocations on its own.

Using this technique, we can decrypt and repair the entire relocation table of the files infected by Expiro. This also helps us to calculate and replace the relocation table size in an executable’s optional header with the correct values. These changes ensure the infected files can run properly after removing the malicious payload.
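The three recovery steps above (XOR-decrypt the table, then apply the step 2 and step 3 formulas to each entry), as an added C example that is not McAfee’s repair routine. The relocation block layout is the standard PE IMAGE_BASE_RELOCATION format; the XOR key 0x5A, the page RVA 0x1000, and the in-memory image buffer are constructed values, since the post does not publish the sample’s key.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Stand-in for the PE IMAGE_BASE_RELOCATION header (no windows.h needed).
   A little-endian host is assumed, matching the PE on-disk byte order. */
typedef struct {
    uint32_t virtual_address;  /* RVA of the page this block covers */
    uint32_t size_of_block;    /* 8-byte header + 2-byte entries */
} reloc_block_t;
#define RELOC_ABSOLUTE 0u      /* alignment padding entry, must be skipped */
#define RELOC_HIGHLOW  3u      /* full 32-bit address fixup */
/* Step 1: undo the XOR layer. The key is per sample; 0x5A below is assumed. */
static void xor_decrypt(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key;
}
/* Step 2: Relocation_Address = NewImageBase + Offset + VirtualAddress */
static uint32_t reloc_address(uint32_t new_base, uint32_t page_rva, uint16_t entry) {
    return new_base + (entry & 0x0FFFu) + page_rva;
}
/* Step 3: Relocation_Value = OldValue + (NewImageBase - OldImageBase) */
static uint32_t reloc_value(uint32_t old_value, uint32_t new_base, uint32_t old_base) {
    return old_value + (new_base - old_base);
}

/* Decrypt one relocation block and apply its fixups to `image`, a copy of the
   mapped file in which image[0] corresponds to new_base. Returns the number of
   fixups applied, or 0 if the block is malformed or points outside the image. */
static size_t repair_block(uint8_t *image, size_t image_len, uint32_t new_base,
                           uint32_t old_base, const uint8_t *enc_block,
                           size_t block_len, uint8_t key) {
    uint8_t block[64];
    reloc_block_t hdr;
    if (block_len < sizeof hdr || block_len > sizeof block) return 0;
    memcpy(block, enc_block, block_len);
    xor_decrypt(block, block_len, key);
    memcpy(&hdr, block, sizeof hdr);
    if (hdr.size_of_block != block_len) return 0;    /* wrong key or truncated */
    size_t applied = 0;
    for (size_t off = sizeof hdr; off + 2 <= block_len; off += 2) {
        uint16_t entry;
        memcpy(&entry, block + off, 2);
        if ((entry >> 12) != RELOC_HIGHLOW) continue; /* e.g. ABSOLUTE padding */
        uint32_t pos = reloc_address(new_base, hdr.virtual_address, entry) - new_base;
        if (pos + 4 > image_len) return 0;           /* fixup outside the image */
        uint32_t old_value, fixed;
        memcpy(&old_value, image + pos, 4);
        fixed = reloc_value(old_value, new_base, old_base);
        memcpy(image + pos, &fixed, 4);
        applied++;
    }
    return applied;
}

/* Constructed walkthrough of Figures 8 and 9: one HIGHLOW entry at offset 0x354
   in the page at RVA 0x1000, old value 0x01001354 stored there, image rebased
   from 0x01000000 to 0x00950000. Returns the repaired value (0x00951354). */
static uint32_t demo_fixup(void) {
    static uint8_t image[0x1400];
    const uint32_t old_base = 0x01000000u, new_base = 0x00950000u, old_value = 0x01001354u;
    const uint8_t key = 0x5Au;                       /* assumed, not the sample's key */
    uint8_t block[12];
    reloc_block_t hdr = { 0x1000u, sizeof block };
    uint16_t entries[2] = { (uint16_t)((RELOC_HIGHLOW << 12) | 0x354u),
                            (uint16_t)(RELOC_ABSOLUTE << 12) };
    memset(image, 0, sizeof image);
    memcpy(image + 0x1354, &old_value, 4);
    memcpy(block, &hdr, sizeof hdr);
    memcpy(block + sizeof hdr, entries, sizeof entries);
    xor_decrypt(block, sizeof block, key);           /* simulate the encrypted table */
    if (repair_block(image, sizeof image, new_base, old_base, block, sizeof block, key) != 1)
        return 0;
    uint32_t result;
    memcpy(&result, image + 0x1354, 4);
    return result;
}
```

A real repair routine would run this over every block of the recovered table and then rewrite the relocation directory size in the optional header, as the post describes.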

 

McAfee products detect Expiro as W32/Expiro.gen.rd and W64/Expiro.d and repair infected files from DAT Version 8665. Users can find additional information at this McAfee Labs Threat Advisory.

SHA-256 hash

  • f15b8fc3ca117ab38e3074adc6208666b2189259e447db8202ef85b9bbfc4537
