Prometei: the new botnet uses Windows SMB to mine Monero

Welcome to the next episode of the Xopero Security Center! This time we are sharing information about a recently discovered and fairly complex Monero-mining botnet named Prometei. Among other things, the new threat uses stolen credentials and takes advantage of SMB exploits. Keep reading.

Prometei botnet exploits Windows SMB to mine for cryptocurrency 

The new Prometei botnet uses an extensive modular system and a variety of techniques to compromise systems and hide its presence from end-users in order to mine for Monero (XMR).

The infection chain begins with an attempt to compromise the machine’s Windows Server Message Block (SMB) service via SMB vulnerabilities, including EternalBlue.

Mimikatz and brute-force attacks are used to harvest, store and try out stolen credentials. Any passwords discovered are sent to the operator’s command-and-control (C2) server, where other modules reuse them to check whether they are also valid on other systems over the SMB and RDP protocols.
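The credential-validation step described above leaves a characteristic trace on the victims: one source address authenticating with the same account to many hosts over SMB (logon type 3) and RDP (logon type 10) within minutes, often preceded by a burst of failures. The following detection logic is an added example written for this newsletter, not code from Talos or from the Prometei analysis. The log format, thresholds and sample events are constructed assumptions; in a real deployment the events would come from Windows Security events 4624/4625 via your SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows logon types seen in events 4624 (success) / 4625 (failure):
# 3 = network logon (SMB shares such as ADMIN$), 10 = RemoteInteractive (RDP).
LATERAL_LOGON_TYPES = {3: "SMB/network", 10: "RDP"}


def parse_event(line: str) -> dict:
    """Parse one line of the constructed, pipe-separated log used below.
    Field order (an assumption, not Windows' native format):
    timestamp|event_id|logon_type|account|source_ip|target_host"""
    ts, event_id, logon_type, account, src, target = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "account": account.lower(),
            "src": src, "target": target.lower()}


def find_credential_reuse(events, window=timedelta(minutes=10),
                          min_targets=3, min_failures=20):
    """Flag (source IP, account) pairs that authenticate to many different hosts
    within `window` (stolen credentials being validated) or rack up many
    failures (brute force). Thresholds are assumptions; tune them per estate."""
    successes = defaultdict(list)   # (src, account) -> [(ts, target)]
    failures = defaultdict(list)    # (src, account) -> [ts]
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] not in LATERAL_LOGON_TYPES:
            continue
        key = (e["src"], e["account"])
        if e["event_id"] == 4624:
            successes[key].append((e["ts"], e["target"]))
        elif e["event_id"] == 4625:
            failures[key].append(e["ts"])

    alerts = []
    for (src, account), hits in successes.items():
        for i, (t0, _) in enumerate(hits):          # sliding window over successes
            targets = {tgt for ts, tgt in hits[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                alerts.append({"kind": "credential_reuse", "src": src,
                               "account": account, "targets": sorted(targets)})
                break
    for (src, account), stamps in failures.items():
        for i, t0 in enumerate(stamps):             # sliding window over failures
            count = sum(1 for ts in stamps[i:] if ts - t0 <= window)
            if count >= min_failures:
                alerts.append({"kind": "brute_force", "src": src,
                               "account": account, "failures": count})
                break
    return alerts


# Constructed sample: one source validating a stolen service account against
# four hosts over SMB and RDP, a brute-force burst against Administrator,
# and one ordinary RDP logon that must not alert.
SAMPLE_LOG = [
    "2020-07-22T09:00:00|4624|3|SVC_BACKUP|10.0.0.5|FS01",
    "2020-07-22T09:00:40|4624|3|SVC_BACKUP|10.0.0.5|FS02",
    "2020-07-22T09:01:10|4624|10|SVC_BACKUP|10.0.0.5|APP03",
    "2020-07-22T09:02:05|4624|3|SVC_BACKUP|10.0.0.5|DC01",
    "2020-07-22T09:05:00|4624|10|JDOE|10.0.0.9|APP03",
] + [f"2020-07-22T09:03:{s:02d}|4625|3|ADMINISTRATOR|10.0.0.5|DC01" for s in range(25)]


def analyze(lines) -> list:
    """Run the detector over raw log lines."""
    return find_credential_reuse(parse_event(line) for line in lines)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample log this raises two alerts: a credential_reuse alert for svc_backup from 10.0.0.5 against four hosts, and a brute_force alert for administrator from the same source; the single RDP logon by jdoe stays quiet. The weak point of the rule is legitimate management hosts (backup servers, vulnerability scanners) that also authenticate everywhere; keep an allowlist of those rather than raising the thresholds.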

In total, the botnet has over 15 executable modules, all controlled by one main module. It is organized into two main functional branches: a C++ branch dedicated to cryptocurrency mining, and a .NET branch that focuses on credential theft, SMB abuse and obfuscation.

Auxiliary modules have also been bolted on that let the malware communicate over the Tor or I2P networks, gather system information, check for open ports, spread across SMB, and scan for the presence of cryptocurrency wallets.

Once a system has been compromised and added to the botnet, the attacker can perform a variety of tasks, including executing programs and commands, launching command shells, setting the RC4 keys used to encrypt C2 communication, opening, downloading and stealing files, and launching cryptocurrency mining, among other functions.

So far, Prometei has not broken the bank; however, the malware has only been making the rounds since March 2020.

Read more

New ‘Shadow Attack’ can replace content in digitally signed PDF files

Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets threat actors modify the content of digitally signed PDF documents. Academics from Ruhr-University Bochum in Germany named the technique Shadow Attack (CVE-2020-9592 and CVE-2020-9596).

The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others.

The main idea behind a Shadow Attack is the concept of “view layers”: different sets of content overlaid on top of each other inside a PDF document. In a Shadow Attack, the threat actor prepares a document containing several such layers and sends it to the victim. The victim digitally signs the document with a benign layer on top, but when the attacker gets it back, they switch the visible layer to another one.

Because that layer was already part of the document the victim signed, changing which layer is visible doesn’t break the cryptographic signature, and the attacker can use the legally binding document for nefarious purposes, such as replacing the payment recipient or amount in a PDF payment order, or altering contract clauses.

According to the research team, three variants of a Shadow Attack exist:

  • Hide – when attackers use the PDF standard’s Incremental Update feature to hide a layer without replacing it with anything else.
  • Replace – when attackers use the PDF standard’s Interactive Forms feature to replace the original content with a modified value.
  • Hide-and-Replace – when attackers use a second PDF document contained in the original document to replace it altogether.

The research team said they contacted PDF application makers to report the new attack vector so it could be patched before the findings went public. Companies should update their PDF viewer apps as soon as possible.
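What all three variants have in common is that the attacker’s change arrives as an incremental update appended after the bytes the signature covers. A PDF signature only protects the two ranges listed in its /ByteRange array, so a viewer that renders whatever the latest update says, without telling the user that the update is unsigned, is exactly what the attack needs. The audit below is an added example written for this newsletter, not code from the Ruhr-University Bochum researchers or from any PDF vendor. It builds a constructed signed PDF (with a dummy signature value, since only the /ByteRange bookkeeping matters), appends a constructed update that redefines the page content stream to stand in for the attacker’s step, and reports what lies outside the signed range.

```python
import re

BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
OBJ_RE = re.compile(rb"(?m)^(\d+)\s+\d+\s+obj\b")


def signed_end(pdf: bytes):
    """Last byte offset covered by any /ByteRange signature, or None if unsigned."""
    ends = [int(m.group(3)) + int(m.group(4)) for m in BYTERANGE_RE.finditer(pdf)]
    return max(ends) if ends else None


def audit_incremental_updates(pdf: bytes) -> dict:
    """Report everything appended after the signed byte range.

    The signature never sees those bytes, so anything there (especially an
    object number that already exists in the signed part) is unsigned content
    that a viewer must not silently render as if it were covered by the signature.
    """
    end = signed_end(pdf)
    if end is None:
        return {"signed": False}
    head, tail = pdf[:end], pdf[end:]
    signed_objs = {int(m.group(1)) for m in OBJ_RE.finditer(head)}
    tail_objs = {int(m.group(1)) for m in OBJ_RE.finditer(tail)}
    return {
        "signed": True,
        "trailing_bytes": len(tail),
        "trailing_eofs": tail.count(b"%%EOF"),
        "redefined_objects": sorted(signed_objs & tail_objs),
        "new_objects": sorted(tail_objs - signed_objs),
    }


def build_signed_pdf(page_text: bytes) -> bytes:
    """Constructed sample: one page and one signature field with a dummy signature.
    /Contents is a placeholder, not a real PKCS#7 blob."""
    sig_hex = b"<" + b"00" * 32 + b">"
    br_placeholder = b"[0000000000 0000000000 0000000000 0000000000]"
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [5 0 R] /SigFlags 3 >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",
        b"<< /Length %d >>\nstream\n" % len(page_text) + page_text + b"\nendstream",
        b"<< /FT /Sig /T (Sig1) /V 6 0 R >>",
        b"<< /Type /Sig /Filter /Adobe.PPKLite /ByteRange " + br_placeholder
        + b" /Contents " + sig_hex + b" >>",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_off = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer << /Size %d /Root 1 0 R >>\nstartxref\n%d\n" % (len(objects) + 1, xref_off)
    out += b"%%EOF\n"
    pdf = bytes(out)
    # Real ByteRange: everything except the /Contents hex string (same width as the placeholder).
    b = pdf.index(sig_hex)
    c = b + len(sig_hex)
    return pdf.replace(br_placeholder, b"[%010d %010d %010d %010d]" % (0, b, c, len(pdf) - c))


def shadow_update(signed: bytes, new_text: bytes) -> bytes:
    """Constructed attacker step: append an incremental update that redefines the
    page content stream (object 4) and chains a new xref to the old one via /Prev."""
    prev = int(re.search(rb"startxref\s+(\d+)", signed).group(1))
    start = len(signed)
    obj = b"4 0 obj\n<< /Length %d >>\nstream\n" % len(new_text) + new_text + b"\nendstream\nendobj\n"
    xref_off = start + len(obj)
    update = (obj
              + b"xref\n0 1\n0000000000 65535 f \n4 1\n%010d 00000 n \n" % start
              + b"trailer << /Size 7 /Root 1 0 R /Prev %d >>\nstartxref\n%d\n" % (prev, xref_off)
              + b"%%EOF\n")
    return signed + update


if __name__ == "__main__":
    signed = build_signed_pdf(b"BT /F1 12 Tf 72 700 Td (Pay 100 EUR to Alice) Tj ET")
    shadow = shadow_update(signed, b"BT /F1 12 Tf 72 700 Td (Pay 9000 EUR to Mallory) Tj ET")
    print("as signed:", audit_incremental_updates(signed))
    print("shadowed: ", audit_incremental_updates(shadow))
```

The point of the audit is the one the viewers got wrong: the signed bytes of the shadowed file are identical to the original, so any signature check passes, yet object 4 (the page content) has been redefined after the signed range. A non-empty `redefined_objects` (or any `trailing_bytes` at all) after the last signature is not proof of forgery, since legitimate workflows append updates too, for example a second signer or a filled form, but it must be surfaced to the user rather than rendered silently.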

Read more

The ‘Meow’ attack wiped over 1.8k unsecured databases

Well over a thousand unsecured databases exposed on the public internet have been aggressively destroyed by an unknown attacker.

The attack started recently by hitting Elasticsearch and MongoDB databases, leaving no explanation or even a ransom note. Within a few days it expanded to other database types and to file systems open on the internet.

One of the first publicly known victims is a VPN provider that claimed not to keep any logs. Discovered by researcher Bob Diachenko, the database was initially secured in July, only to become exposed again five days later, after which it got ‘meowed’: almost all records were wiped out. The attack appears to be an automated script that overwrites or destroys the data completely.

What is the purpose of all this? The bad actors are simply hitting as much as they can: whoever is behind the ‘meow’ attack is apparently targeting any database that is insecure and reachable over the internet. The data-wiping attack has so far affected systems running Cassandra, CouchDB, Redis, Hadoop and Jenkins, as well as network-attached storage devices.

It is very likely that whoever is behind the ‘meow’ attacks will keep targeting unsecured databases. Administrators should expose only what needs to be exposed and make sure those assets are properly secured: at a minimum, authentication enabled and the service not bound to a public interface.
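The quickest way to find out whether you are on the target list is to ask your own public addresses the same question the attacker’s script does: does the database answer an anonymous request? The probe below is an added example written for this newsletter, not a tool used in the ‘meow’ attack or by the researchers who tracked it. The default ports, probe requests and banner fingerprints are assumptions based on each product’s documented defaults (MongoDB is left out because its wire protocol is binary and would need a BSON encoder); the sample replies in the usage note and test are constructed.

```python
import socket


def classify_redis(reply: bytes) -> str:
    """Redis answers PING with +PONG when no password is set and -NOAUTH when one is."""
    if reply.startswith(b"+PONG"):
        return "open-unauthenticated"
    if reply.startswith(b"-NOAUTH"):
        return "auth-required"
    return "unknown"


def classify_http(reply: bytes, fingerprint: bytes) -> str:
    """Elasticsearch and CouchDB return a JSON banner on GET / when unauthenticated
    and a 401/403 when security is enabled."""
    status_line = reply.split(b"\r\n", 1)[0]
    if b" 401 " in status_line or b" 403 " in status_line:
        return "auth-required"
    if b" 200 " in status_line and fingerprint in reply:
        return "open-unauthenticated"
    return "unknown"


HTTP_ROOT = b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"

# service -> (assumed default port, probe request, reply classifier)
SERVICES = {
    "redis": (6379, b"PING\r\n", classify_redis),
    "elasticsearch": (9200, HTTP_ROOT, lambda r: classify_http(r, b"cluster_name")),
    "couchdb": (5984, HTTP_ROOT, lambda r: classify_http(r, b"couchdb")),
}


def probe(host: str, service: str, timeout: float = 3.0) -> str:
    """Connect, send the service's probe and classify the first reply."""
    port, request, classify = SERVICES[service]
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            reply = sock.recv(4096)
    except OSError:            # refused, filtered or timed out
        return "unreachable"
    return classify(reply)


def audit(host: str, timeout: float = 3.0) -> dict:
    """Probe every known service on one host. Anything 'open-unauthenticated'
    on a public address is a candidate for the next 'meow'."""
    return {name: probe(host, name, timeout) for name in SERVICES}


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["127.0.0.1"]:
        print(host, audit(host))
```

Run it from outside your network against the addresses you actually own: `python3 probe.py 203.0.113.10` (an example address). "unreachable" is the answer you want for every row; "auth-required" is acceptable; "open-unauthenticated" on a public address means the data can be read and wiped by anyone who finds it, and the fix is to bind the service to an internal interface and turn authentication on, not merely to block the probe.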

Read more

Malware innovation hidden in your mailbox – OilRig APT starts using a novel C2 channel

OilRig APT is back, this time with a revised backdoor tool called RDAT. The attackers use email as a C2 channel, with attachments that hide data and commands within bitmap images.

The backdoor, first spotted in 2017, has gone through several major updates. One of the most interesting, the ability to use Exchange Web Services (EWS) to send and receive emails for C2 communication, was added in June 2018. The email-based C2 channel is novel in its design: the attackers use steganography to hide commands and exfiltrated data within BMP images attached to the emails. The combination gives a much lower chance of fast detection.

C2 channel. RDAT communicates with two hardcoded actor-controlled email addresses: koko@acrlee[.]com and h76y@acrlee[.]com. The infected host sends emails to these addresses with an attached bitmap image containing hidden messages or data to exfiltrate. The channel works in both directions: RDAT creates an inbox rule that moves any incoming C2 messages to the junk folder, then continually checks that folder for commands, which are likewise hidden inside bitmap images. Once a command has been processed, the email is deleted with a SOAP request.
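To make the mechanism concrete, here is the whole round trip in miniature: a command hidden in the pixel data of a BMP, the BMP attached to an innocuous email, and the receiving side pulling the command back out of the attachment. This is an added example written for this newsletter, not RDAT’s code or Unit 42’s; the least-significant-bit scheme, the length prefix, the carrier image, the example addresses and the "Report" subject are all illustrative assumptions and are not claimed to match how RDAT actually encodes its data.

```python
import struct
from email import message_from_bytes
from email.message import EmailMessage


def make_bmp(width: int, height: int, colour=(200, 120, 40)) -> bytes:
    """Constructed carrier: a solid-colour, uncompressed 24-bit BMP."""
    row = bytes(colour[::-1]) * width               # pixels are stored as BGR
    row += b"\x00" * ((4 - len(row) % 4) % 4)       # each row is padded to 4 bytes
    pixels = row * height
    file_header = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             len(pixels), 2835, 2835, 0, 0)
    return file_header + dib_header + pixels


def _pixel_data_offset(bmp: bytes) -> int:
    return struct.unpack_from("<I", bmp, 10)[0]     # bfOffBits in the file header


def embed(bmp: bytes, payload: bytes) -> bytes:
    """Write payload (with a 4-byte length prefix) into the least-significant bit of
    consecutive pixel bytes. The headers and every other bit are left untouched."""
    data = struct.pack("<I", len(payload)) + payload
    off = _pixel_data_offset(bmp)
    body = bytearray(bmp[off:])
    if len(data) * 8 > len(body):
        raise ValueError("carrier too small for payload")
    for i, byte in enumerate(data):
        for bit in range(8):
            pos = i * 8 + bit
            body[pos] = (body[pos] & 0xFE) | ((byte >> bit) & 1)
    return bmp[:off] + bytes(body)


def _read_lsb(body: bytes, first_byte: int, count: int) -> bytes:
    out = bytearray()
    for i in range(first_byte, first_byte + count):
        value = 0
        for bit in range(8):
            value |= (body[i * 8 + bit] & 1) << bit
        out.append(value)
    return bytes(out)


def extract(bmp: bytes) -> bytes:
    """Read the length prefix, then that many hidden bytes."""
    body = bmp[_pixel_data_offset(bmp):]
    (length,) = struct.unpack("<I", _read_lsb(body, 0, 4))
    if length * 8 > len(body) - 32:
        raise ValueError("length prefix exceeds carrier: not a stego image?")
    return _read_lsb(body, 4, length)


def wrap_in_email(stego_bmp: bytes, to_addr: str, from_addr: str) -> bytes:
    """Sender side: attach the carrier to a plain-looking message."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_addr, to_addr, "Report"
    msg.set_content("Please see attached.")
    msg.add_attachment(stego_bmp, maintype="image", subtype="bmp", filename="report.bmp")
    return msg.as_bytes()


def commands_from_email(raw: bytes) -> list:
    """Receiver side: decode the hidden payload of every BMP attachment."""
    msg = message_from_bytes(raw)
    return [extract(part.get_payload(decode=True))
            for part in msg.walk() if part.get_content_type() == "image/bmp"]


if __name__ == "__main__":
    carrier = make_bmp(64, 48)
    raw = wrap_in_email(embed(carrier, b"whoami /all"),
                        "operator@example.com", "victim@example.com")
    print(commands_from_email(raw))
```

Nothing in the mail itself looks wrong: the headers are ordinary, the attachment is a valid image that opens fine, and the carrier differs from the original only in its lowest bits. That is why detection of this channel has to come from the behaviour around it rather than the content: an inbox rule that files mail into Junk and then silently deletes it, a workstation talking EWS directly, and repeated image attachments exchanged with a domain the organisation has no business with.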

OilRig is also using custom Mimikatz tools to collect credentials, Bitvise to create SSH tunnels, and PowerShell downloaders for post-exploitation activities.

Read more

Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Phishing campaign uses Google Cloud Services to steal Office 365 logins (Bleeping Computer)
2. Emotet botnet is now heavily spreading QakBot malware (Bleeping Computer)
3. Why the internet went haywire last week (ZDNet)
4. Orange Confirms Ransomware Attack Compromising Data of Business Solutions Customers (Hot for Security)
5. Argentine telecom company hit by major ransomware attack (WeLiveSecurity)
6. Eftpos develops micropayment proof-of-concept with Hedera Hashgraph (ZDNet)
7. Smartwatch maker Garmin shuts down services after ransomware attack (The Hacker News)
8. Twitter Breach Highlights Privileged Account Security Issue (Dark Reading)
9. Coinbase stopped scammers from stealing an extra $280,000 during Twitter hack (Hot for Security)
10. Twitter: Hackers Accessed Private Messages for Elite Accounts (Threat Post)