Saturday, 28 May 2016

On 04:57 by admin   No comments
Security experts at Palo Alto Networks have spotted a China-linked APT group that has been using a strain of malware that leverages DNS requests for command and control (C&C) communications.
The group is known as Wekby, Dynamite Panda, TG-0416 and APT 18, security experts linked it to the security breach suffered by the Community Health Systems in 2014.

The attackers exploited the Heartbleed vulnerability affecting the OpenSSL to steal 4.5 million patient records.

In July 2015, the Wekby APT group was spotted exploiting the CVE-2015-5119 Flash Player vulnerability in their exploit kits, the exploit code was disclosed as the result of the attack against the Hacking Team.

In the last wave of attacks discovered by the experts at PaloAlto, the Wekby APT group targeted US-based organization using a strain of malware dubbed ‘pisloader.’

The pisloader malware is a variant of the HTTPBrowser RAT that was delivered via HTTP from the following URL:
http://globalprint-us[.]com/proxy_plugin.exe 

The threat actors deliver a malware dropper that adds registry keys for persistence and decrypts and executes the pisloader payload which is obfuscated using a return-oriented programming (ROP) technique.

“This particular command will set the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\lsm registry key with a value of “%appdata%\lsm.exe”. After this key is set, the malware proceeds to decrypt a two blobs of data with a single-byte XOR key of 0x54. The resulting data is written to the %appdata%\lsm.exe file path.

After this file is written, the malware executes the newly written lsm.exe file, which contains the Pisloader payload.”

The novelty discovered by the researchers at PaloAlto Networks is that the Pisloader leveraged DNS requests for C&C communications, in this way the malicious code is able to masquerade its activity.
The abuse of DNS queries was already observed by malware researchers, in March 2016 the experts from FireEye discovered a strain of POS malware dubbed Multigrain that steals card data from point-of-sale systems and exfiltrates it over DNS.

The Pisloade periodically sends a DNS beacon request to the C&C server that is hardcoded into the malware.

“The malicious code expects various aspects of the DNS responses to be set in a specific way, or else pisloader will ignore the DNS reply.”

The C2 server replies with a TXT record that can contain various commands for the malware.
The discovery made by experts at PaloAlto Networks demonstrates that the Wekby group is still active and it is involved in high-profile cyber-espionage campaigns using sophisticated malware.

0 comments:

Post a comment