{"id":3463,"date":"2020-12-07T08:04:11","date_gmt":"2020-12-07T07:04:11","guid":{"rendered":"https:\/\/xopero.com\/blog\/?p=3463"},"modified":"2023-08-16T13:31:29","modified_gmt":"2023-08-16T11:31:29","slug":"xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning","status":"publish","type":"post","link":"https:\/\/xopero.com\/blog\/en\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\/","title":{"rendered":"Xanthe malware spreads using systems with exposed Docker API [Warning]"},"content":{"rendered":"\n<p>Welcome to the next episode of <a href=\"https:\/\/xopero.com\/blog\/en\/category\/security-center\/\" target=\"_blank\" rel=\"noreferrer noopener\">Xopero Security Center<\/a>. This time we are taking a good look into the Xanthe malware. Cisco Talos recently discovered a campaign against Linux systems that employs a multi-modular botnet using various methods to spread across the network. How exactly does it infect vulnerable infrastructures? Check below.<\/p>\n\n\n\n<!--more-->\n\n\n\n<div style=\"height:35px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<a name=\"paragraph-1\"><\/a>\n\n\n<h2 class=\"wp-block-heading\" id=\"xanthe-malware-targets-misconfigured-docker-servers\"><strong>Xanthe malware targets misconfigured Docker servers<\/strong><\/h2>\n\n\n<p>Xanthe is a Monero cryptomining botnet that exploits misconfigured, internet-exposed Docker API endpoints to infect Linux systems.<\/p>\n\n\n\n<p>Cryptominers typically target Windows desktop systems, simply because the pool of potential victims is much larger. But with the growth of cloud environments, there are more and more hosts on the internet that run Linux and that are not as well secured as in-house Windows systems. 
That makes non-Windows systems quite attractive targets for malicious actors.<\/p>\n\n\n\n<p>Xanthe, named after the file name of its main spreading script, uses an initial downloader script (pop.sh) to download and run the main bot module (xanthe.sh). This module then downloads and runs four additional modules with various anti-detection and persistence functions:<\/p>\n\n\n\n<p class=\"has-light-gray-background-color has-background\">A process-hiding module (libprocesshider.so).<br>A shell script that disables other miners and security services (xesa.txt).<br>A shell script that removes the Docker containers of competing Docker-targeting cryptomining trojans (fczyo).<br>The XMRig binary, together with its JSON configuration file (config.json).<\/p>\n\n\n\n<p class=\"has-text-align-center\">The Xanthe attack process<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2020\/12\/image10.jpg\" alt=\"\" class=\"wp-image-3476\" width=\"640\" height=\"381\"\/><figcaption>Image: <a href=\"https:\/\/blog.talosintelligence.com\/2020\/12\/xanthe-docker-aware-miner.html\" target=\"_blank\" rel=\"noreferrer noopener\">Cisco Talos<\/a><\/figcaption><\/figure><\/div>\n\n\n\n<p>Once downloaded, the main module is also responsible for spreading to other systems on local and remote networks. It attempts to reach other known hosts by stealing client-side certificates (SSH private keys) from the infected machine and connecting to hosts that accept them without a password.<\/p>\n\n\n\n<p>Misconfigured Docker servers are the other way Xanthe spreads. As the researchers note, Docker installations are easy to misconfigure so that the Docker daemon API ends up exposed to external networks with little or no access control.<\/p>\n\n\n\n<p>A recent Shodan search shows more than 6,000 misconfigured Docker installations exposed to the internet. 
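<\/p>\n\n\n\n<p>The Docker daemon only listens on a local Unix socket by default; the exposure Talos describes comes from an extra <code>tcp:\/\/<\/code> listener added to <code>daemon.json<\/code> or to the <code>dockerd<\/code> command line without TLS client authentication. The Python script below is an added example, not code from the Talos report or from Docker itself: it audits both places and flags every network-facing listener that lacks <code>tlsverify<\/code>. The configuration snippets inside it are constructed for the demo, and the hardened variant assumes the usual certificate paths under \/etc\/docker.<\/p>\n\n

```python
"""Audit a Docker host for an unauthenticated TCP API, the misconfiguration
Xanthe scans for.

Added example, not code from the Talos report or from Docker. It checks the
two places an exposed listener normally comes from: the "hosts" list in
/etc/docker/daemon.json and the -H/--host flags on the dockerd command line
(usually the ExecStart of the systemd unit or a drop-in), and flags every
tcp:// endpoint that is bound to a non-loopback address without TLS client
verification (tlsverify).
"""
import json
import re
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _is_exposed_tcp(endpoint: str) -> bool:
    """True if endpoint is a tcp:// listener on something other than loopback."""
    if not endpoint.startswith("tcp://"):
        return False                        # unix://, fd://, npipe:// are local only
    host = urlsplit(endpoint).hostname or ""  # "" / 0.0.0.0 / :: mean all interfaces
    return host not in LOOPBACK


def audit_docker_config(daemon_json: str, exec_start: str) -> list[str]:
    """Return findings; an empty list means no network-exposed API was found."""
    findings = []
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}

    # 1) daemon.json: "hosts": [...] with an optional "tlsverify": true
    if not cfg.get("tlsverify", False):
        for ep in cfg.get("hosts", []):
            if _is_exposed_tcp(ep):
                findings.append(f"daemon.json: {ep} listens on the network without tlsverify")

    # 2) command line: -H/--host may repeat and may use the --host=VALUE form
    args = shlex.split(exec_start)
    cli_tls_verify = any(a in ("--tlsverify", "--tlsverify=true") for a in args)
    hosts = []
    for i, a in enumerate(args):
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        else:
            m = re.match(r"^(?:-H|--host)=(.+)$", a)
            if m:
                hosts.append(m.group(1))
    if not cli_tls_verify:
        for ep in hosts:
            if _is_exposed_tcp(ep):
                findings.append(f"dockerd args: {ep} listens on the network without --tlsverify")
    return findings


# Constructed samples (not taken from any real host).
# Weak 1: an admin added a plain TCP listener to daemon.json "for remote
# management". dockerd refuses to start if "hosts" is set both here and with
# -H, so the matching ExecStart is a bare dockerd.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
# Weak 2: the same listener added on the command line instead.
WEAK_EXEC_START = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"
# Hardened: TCP only on the TLS port, with a client certificate required.
# Certificate paths are assumed for the example.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    print("weak daemon.json :", audit_docker_config(WEAK_DAEMON_JSON, "/usr/bin/dockerd"))
    print("weak ExecStart   :", audit_docker_config("", WEAK_EXEC_START))
    print("hardened         :", audit_docker_config(HARDENED_DAEMON_JSON, "/usr/bin/dockerd"))
```

\n\n<p>Any <code>tcp:\/\/<\/code> listener a remote client can reach without a client certificate is effectively root on that host: the API lets the caller start a privileged container with the host filesystem mounted, which is all the access a Docker-aware miner like Xanthe needs.<\/p>\n\n\n\n<p>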
As seen in the case of Xanthe, attackers are actively finding ways to exploit those exposed servers.<\/p>\n\n\n\n<p><a href=\"https:\/\/threatpost.com\/misconfigured-docker-servers-xanthe-malware\/161732\/\" target=\"_blank\" rel=\"noreferrer noopener\">Source<\/a><\/p>\n\n\n\n<div style=\"height:35px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<a name=\"paragraph-2\"><\/a>\n\n\n<h2 class=\"wp-block-heading\" id=\"trickbots-new-module-aims-to-infect-your-uefi-firmware\"><strong>TrickBot&#8217;s new module aims to infect your UEFI firmware<\/strong><\/h2>\n\n\n<p>The developers of TrickBot have created a new module that probes for UEFI vulnerabilities, which means the attackers are looking for a way to take complete control over infected machines. No wonder this new TrickBot feature worries security professionals.<\/p>\n\n\n\n<p>With write access to the UEFI firmware, a threat actor can establish persistence on the compromised machine that survives operating system reinstalls and even replacement of the storage drive. Malicious code planted in the firmware (a bootkit) is invisible to security products running on top of the operating system, because it loads before everything else, at the very start of the boot sequence.<\/p>\n\n\n<h5 class=\"wp-block-heading\" id=\"targeting-intel-platforms\">Targeting Intel platforms<\/h5>\n\n\n<p>TrickBoot is a reconnaissance module that checks the UEFI firmware of the infected machine for weaknesses. It checks whether UEFI\/BIOS write protection is enabled, using the RwDrv.sys driver from RWEverything, a free utility that gives access to hardware components such as the SPI flash chip that stores the system\u2019s BIOS\/UEFI firmware. 
The module also identifies the chipset (the Platform Controller Hub, PCH) of the compromised system.<\/p>\n\n\n\n<p>The researchers found that the module issues PCH queries to determine the exact PCH model, and thus the platform, which tells the attacker whether that platform is vulnerable.<\/p>\n\n\n\n<p>The researchers also found that the actor relies on functions from fwexpl, a known firmware exploitation tool and library, to:<\/p>\n\n\n\n<p class=\"has-light-gray-background-color has-background\">Read data from hardware IO ports.<br>Call the <em>rwdrv.sys<\/em> driver to write data to hardware IO ports.<br>Call the <em>rwdrv.sys<\/em> driver to read data from physical memory addresses.<br>Call the <em>rwdrv.sys<\/em> driver to write data to physical memory addresses.<\/p>\n\n\n\n<p>That TrickBot is developing such a module is a clear sign that the actor is working to tighten its grip on compromised systems. The botnet already has thousands of infected machines from which the actor can select the most valuable targets.<\/p>\n\n\n\n<p>For now the check covers only Intel platforms (Skylake, Kaby Lake, Coffee Lake, Comet Lake).<\/p>\n\n\n\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/trickbots-new-module-aims-to-infect-your-uefi-firmware\/\" target=\"_blank\" rel=\"noreferrer noopener\">Source<\/a><\/p>\n\n\n\n<div style=\"height:35px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<a name=\"paragraph-3\"><\/a>\n\n\n<h2 class=\"wp-block-heading\" id=\"turla-crutch-keeping-the-back-door-open\"><strong>Turla Crutch: Keeping the \u201cback door\u201d open<\/strong><\/h2>\n\n\n<p>ESET researchers found a previously undocumented backdoor and document stealer that they attribute to the Turla APT group. Dubbed Crutch, it was in use from 2015 until at least early 2020. 
ESET saw Crutch on the network of a Ministry of Foreign Affairs in a European Union country, which suggests that this malware family is used only against very specific targets, as is common for many Turla tools.<\/p>\n\n\n\n<p>The researchers identified similarities between Crutch and Turla\u2019s earlier backdoor Gazer, also known as WhiteBear. Both have similar droppers and were dropped at C:\\Intel\\~intel_upd.exe on the same machine, five days apart, in September 2017. Both droppers deliver CAB files containing the various malware components, the loaders share clearly related PDB paths, and they decrypt their payloads with the same RC4 key.<\/p>\n\n\n<h5 class=\"wp-block-heading\" id=\"data-exfiltration\">Data exfiltration<\/h5>\n\n\n<p>According to ESET, Turla used the Crutch toolset against several machines in that ministry. The tools are built to exfiltrate sensitive documents and other files to Dropbox accounts controlled by the Turla operators. The main malicious activity is the staging, compression and exfiltration of documents and other files; the commands are issued manually by the operators, and the upload itself is triggered by a separate backdoor command.<\/p>\n\n\n\n<p>ESET believes that Crutch is not a first-stage backdoor: it is deployed after the operators have already compromised an organization\u2019s network. Two delivery paths were observed. The first uses a first-stage implant such as Skipper; the second uses PowerShell Empire. In the latter case it is not clear how the malicious script reached the machine, probably through another implant, although a phishing document cannot be excluded. 
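<\/p>\n\n\n\n<p>The component list given later in this section (a Crutch outllib.dll beside the genuine Outlook Item Finder finder.exe, a RAR utility, Wget and a Dropbox API token) gives a defender three concrete things to hunt for. The Python below is an added example, not ESET&#8217;s code: it runs three such rules over Sysmon-style events. The field names (Image, ImageLoaded, CommandLine, DestinationHostname and event IDs 1, 3 and 7) follow Sysmon, the paths and events are constructed for the demo, and the Dropbox rule assumes an environment where the only sanctioned Dropbox traffic comes from the official client.<\/p>\n\n

```python
"""Hunt for the Crutch tradecraft described by ESET in Sysmon-style events:

  1. DLL side-loading: the genuine Outlook Item Finder (finder.exe) loading
     outllib.dll from anywhere other than the Office install directory;
  2. staging tools (rar.exe, wget.exe) executing from a user-writable path;
  3. Dropbox API traffic from a process that is not the Dropbox client.

Added example, not ESET's code. Sysmon field names (EventID 1/3/7, Image,
ImageLoaded, CommandLine, DestinationHostname) are assumed, the paths and
events below are constructed for the demo, and rule 3 assumes an environment
where the only sanctioned Dropbox user is the official client.
"""
import ntpath
import re

OFFICE_DIRS = (r"c:\program files\microsoft office",
               r"c:\program files (x86)\microsoft office")
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)
DROPBOX_API = re.compile(r"(^|\.)dropboxapi\.com$", re.I)
STAGING_TOOLS = {"rar.exe", "wget.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_office_dir(path: str) -> bool:
    return ntpath.normpath(path).lower().startswith(OFFICE_DIRS)


def analyse(events: list[dict]) -> list[str]:
    """Apply the three rules and return one alert string per hit, in event order."""
    alerts = []
    for ev in events:
        img = ev.get("Image", "")
        if ev["EventID"] == 7:                      # image (DLL) loaded
            dll = ev.get("ImageLoaded", "")
            if (_base(img) == "finder.exe" and _base(dll) == "outllib.dll"
                    and not (_in_office_dir(img) and _in_office_dir(dll))):
                alerts.append(f"side-load: {img} loaded {dll} outside the Office install")
        elif ev["EventID"] == 1:                    # process created
            if _base(img) in STAGING_TOOLS and USER_WRITABLE.match(img):
                alerts.append(f"staging tool from user-writable path: {ev.get('CommandLine', img)}")
        elif ev["EventID"] == 3:                    # network connection
            host = ev.get("DestinationHostname", "")
            if DROPBOX_API.search(host) and _base(img) != "dropbox.exe":
                alerts.append(f"Dropbox API traffic from non-Dropbox process: {img} -> {host}")
    return alerts


# Constructed events: a legitimate Outlook load first, then the Crutch pattern
# (finder.exe + outllib.dll dropped under the user profile, RAR staging, Wget
# uploading to the Dropbox API) and finally the real Dropbox client, which
# must not fire.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\finder.exe",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\outllib.dll"},
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Roaming\Outlook\finder.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Roaming\Outlook\outllib.dll"},
    {"EventID": 1, "Image": r"C:\Users\jdoe\AppData\Roaming\Outlook\rar.exe",
     "CommandLine": r"rar.exe a -r %TEMP%\docs.rar *.docx *.pdf"},
    {"EventID": 3, "Image": r"C:\Users\jdoe\AppData\Roaming\Outlook\wget.exe",
     "DestinationHostname": "content.dropboxapi.com"},
    {"EventID": 3, "Image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "DestinationHostname": "api.dropboxapi.com"},
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

\n\n<p>The side-loading rule is the most reliable of the three: a signed Microsoft binary should never load its DLLs from a user profile directory, so a hit there needs no further tuning, whereas the Dropbox rule has to be adapted to whatever cloud storage the organization actually sanctions.<\/p>\n\n\n\n<p>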
It should be noted that the PowerShell Empire scripts also used OneDrive and Dropbox.<\/p>\n\n\n\n<p>Crutch bypasses some security layers by abusing legitimate infrastructure, here Dropbox, to blend into normal network traffic while exfiltrating stolen documents and receiving commands from its operators.<\/p>\n\n\n\n<p>The newest version of Crutch consists of the Crutch DLL (outllib.dll), the genuine Outlook Item Finder (finder.exe) from Microsoft Outlook, a genuine DLL that finder.exe depends on, a Crutch config file containing the Dropbox API token, the genuine RAR utility and a clean copy of the Wget utility for Windows. Dropping a malicious outllib.dll next to a signed Microsoft executable that loads a DLL of that name is classic DLL side-loading: the malicious code runs inside a trusted process.<\/p>\n\n\n\n<p>Crutch shows that Turla is not short of new or still undocumented backdoors. The discovery further strengthens the perception that the group has considerable resources to operate such a large and diverse arsenal.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.welivesecurity.com\/2020\/12\/02\/turla-crutch-keeping-back-door-open\/\" target=\"_blank\" rel=\"noreferrer noopener\">Source<\/a><\/p>\n\n\n\n<div style=\"height:35px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<a name=\"paragraph-4\"><\/a>\n\n\n<h2 class=\"wp-block-heading\" id=\"hundreds-of-millions-of-android-users-potentially-exposed-8-of-apps-vulnerable-to-old-bug\"><strong>Hundreds of millions of Android users potentially exposed &#8211; 8% of apps vulnerable to old bug<\/strong><\/h2>\n\n\n<p>Hundreds of millions of Android users are potentially exposed to attack because the apps they use still embed versions of the Android Play Core Library vulnerable to CVE-2020-8913. 
Affected apps include Microsoft&#8217;s Edge browser, Grindr, OKCupid and Cisco Teams; all together, 8% of all Google Play apps.<\/p>\n\n\n\n<p>The flaw resides in older versions of Play Core, a very popular Java library from Google that developers embed in their apps to interact with the official Play Store.<\/p>\n\n\n\n<p>Earlier this year, researchers from Oversecured discovered a major vulnerability (CVE-2020-8913) in the Play Core library: a malicious app installed on the user&#8217;s device could abuse it to inject rogue code into other apps and steal sensitive data such as passwords, photos and 2FA codes.<\/p>\n\n\n\n<p>A demo of such an attack is available below:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Account Takeover exploiting vulnerability in Android&#039;s Play Core Library Code - Demo\" width=\"1200\" height=\"675\" src=\"https:\/\/www.youtube.com\/embed\/Dfa8JEvnteY?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>Google patched the bug in Play Core 1.7.2 in March 2020. According to a scan performed by Check Point six months after the patch became available, 13% of all Play Store apps were still using the library, and only 5% (of all apps) had moved to an updated, safe version, leaving 8% vulnerable.<\/p>\n\n\n\n<p>Apps that did their duty to users and updated the library include Facebook, Instagram, Snapchat, WhatsApp and Chrome. 
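<\/p>\n\n\n\n<p>The exploit described in this section works because the library writes a file whose name it received from another app into a directory it later treats as verified, without checking that the resolved path still lies inside that directory. The Python below is an added example, not the Play Core code: it shows the vulnerable write next to the hardened one (canonicalise first, then check containment with <code>commonpath<\/code> rather than a string prefix) on constructed input. The directory names and the file name payload.dex are assumed for illustration.<\/p>\n\n

```python
"""The bug class behind CVE-2020-8913: a library writes a file whose name
came from another (untrusted) app into a directory it later treats as
verified, without checking that the resolved path still lies inside that
directory. A name containing ".." therefore lands wherever the attacker
wants, for example among the app's own code.

Added example in Python to show the check itself, not the Play Core code.
The directory names (verified_splits, files) and the file name payload.dex
are assumed for illustration.
"""
import os
import tempfile


def store_split_vulnerable(verified_dir: str, name: str, data: bytes) -> str:
    """Joins the untrusted name onto the trusted directory and writes blindly."""
    dest = os.path.join(verified_dir, name)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def store_split_hardened(verified_dir: str, name: str, data: bytes) -> str:
    """Canonicalises first and rejects anything that escapes verified_dir."""
    root = os.path.realpath(verified_dir)
    dest = os.path.realpath(os.path.join(root, name))
    # commonpath, not startswith: "/app/verified2" starts with "/app/verified"
    if os.path.commonpath([root, dest]) != root or dest == root:
        raise ValueError(f"path traversal rejected: {name!r}")
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def demo() -> dict:
    """Runs both variants on an attacker-controlled name; returns what happened."""
    app_root = tempfile.mkdtemp(prefix="victim_app_")
    verified = os.path.join(app_root, "verified_splits")
    os.makedirs(verified)
    # Constructed attacker input: climbs out of verified_splits into the
    # sibling directory where the app keeps its private files.
    evil_name = os.path.join("..", "files", "payload.dex")

    written = store_split_vulnerable(verified, evil_name, b"ROGUE")
    verified_real = os.path.realpath(verified)
    results = {
        "vulnerable_wrote": os.path.realpath(written),
        # True when the file ended up outside the verified directory
        "escaped": os.path.commonpath([verified_real, os.path.realpath(written)]) != verified_real,
    }
    try:
        store_split_hardened(verified, evil_name, b"ROGUE")
        results["hardened"] = "wrote file"
    except ValueError as exc:
        results["hardened"] = str(exc)
    # A benign, non-traversing name must still be accepted.
    results["benign"] = os.path.basename(store_split_hardened(verified, "base.apk", b"OK"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

\n\n<p>The same containment check applies to any Android component that accepts a file name through an exported intent or content provider; the fix in Play Core 1.7.2 is, in essence, that check plus closing the exported entry point.<\/p>\n\n\n\n<p>Those apps did the right thing. 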
However, many other apps did not.<\/p>\n\n\n\n<p>Among the apps with the largest user bases that had failed to update, Check Point listed Microsoft Edge, Grindr, OKCupid, Cisco Teams, Viber and Booking.com. Three months after the researchers notified the developers, only Booking.com and Viber had shipped a fix.<\/p>\n\n\n\n<p>The vulnerability is extremely easy to exploit: all the attacker needs is a &#8216;hello world&#8217; application that calls the exported intent of the vulnerable app and, using a path-traversal file name, pushes a file into the folder the library treats as holding verified files. The vulnerable app then loads that file as trusted code, so the attacker&#8217;s code runs with the victim app&#8217;s permissions and access to its data.<\/p>\n\n\n\n<p><a href=\"https:\/\/securityaffairs.co\/wordpress\/111911\/mobile-2\/android-cve-2020-8913-flaw.html\" target=\"_blank\" rel=\"noreferrer noopener\">Source<\/a><\/p>\n\n\n\n<div style=\"height:35px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<a name=\"paragraph-5\"><\/a>\n\n\n<h2 class=\"wp-block-heading\" id=\"do-you-have-thirst-for-knowledge-there-is-ten-more-cybersecurity-stories-below\">Do you have a thirst for knowledge? There are ten more cybersecurity stories below<\/h2>\n\n\n<p>1. Google Hacker Details Zero-Click &#8216;Wormable&#8217; Wi-Fi Exploit to Hack iPhones (<a href=\"https:\/\/thehackernews.com\/2020\/12\/google-hacker-details-zero-click.html\" target=\"_blank\" rel=\"noreferrer noopener\">The Hacker News<\/a>)<br>2. Researchers Discover New Obfuscation-As-a-Service Platform (<a href=\"https:\/\/www.darkreading.com\/cloud\/researchers-discover-new-obfuscation-as-a-service-platform\/d\/d-id\/1339609\" target=\"_blank\" rel=\"noreferrer noopener\">Dark Reading<\/a>)<br>3. Mac users warned of more Ocean Lotus malware targeted attacks (<a href=\"https:\/\/grahamcluley.com\/mac-users-warned-of-more-ocean-lotus-malware-targeted-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\">Graham Cluley<\/a>)<br>4. 
Vulnerability Spotlight: Multiple vulnerabilities in WebKit (<a href=\"https:\/\/blog.talosintelligence.com\/2020\/11\/vuln-spotlight-webkit-use-after-free-nov-2020.html\" target=\"_blank\" rel=\"noreferrer noopener\">Talos Intelligence<\/a>)<br>5. VMware fixes zero-day vulnerability reported by the NSA (<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/vmware-fixes-zero-day-vulnerability-reported-by-the-nsa\/\" target=\"_blank\" rel=\"noreferrer noopener\">Bleeping Computer<\/a>)<br>6. This new cyberattack can dupe DNA scientists into creating dangerous viruses and toxins (<a href=\"https:\/\/www.zdnet.com\/article\/this-new-cyberattack-can-dupe-scientists-into-creating-dangerous-viruses-toxins\/\" target=\"_blank\" rel=\"noreferrer noopener\">ZDNet<\/a>)<br>7. Hackers hide software skimmer in social media sharing icons (<a href=\"https:\/\/www.darkreading.com\/cloud\/researchers-discover-new-obfuscation-as-a-service-platform\/d\/d-id\/1339609\" target=\"_blank\" rel=\"noreferrer noopener\">Security Affairs<\/a>)<br>8. How the human immune system inspired a new approach to email security (<a href=\"https:\/\/www.theregister.com\/2020\/12\/01\/how_the_human_immune_system\/\" target=\"_blank\" rel=\"noreferrer noopener\">The Register<\/a>)<br>9. Manipulating Systems Using Remote Lasers (<a href=\"https:\/\/www.schneier.com\/blog\/archives\/2020\/12\/manipulating-systems-using-remote-lasers.html\" target=\"_blank\" rel=\"noreferrer noopener\">Schneier on Security<\/a>)<br>10. Malicious npm packages spotted delivering njRAT Trojan (<a href=\"https:\/\/securityaffairs.co\/wordpress\/111751\/hacking\/npm-packages-installs-njrat.html\" target=\"_blank\" rel=\"noreferrer noopener\">Security Affairs<\/a>)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to the next episode of Xopero Security Center. This time we are taking a good look into the Xanthe malware. 
Cisco Talos recently discovered a campaign affecting Linux systems employing a multi-modular botnet that uses various methods to spread across the network. How does it infect vulnerable infrastructures exactly? Check below.<\/p>\n","protected":false},"author":1,"featured_media":2447,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[470],"tags":[],"class_list":["post-3463","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersec-news","post--single"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Xanthe malware spreads using systems with exposed Docker API [Warning] - Xopero Blog<\/title>\n<meta name=\"description\" content=\"Welcome to the next episode of Xopero Security Center. This time we are taking a good look into the Xanthe malware. Cisco Talos recently discovered...\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xopero.com\/blog\/en\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\/\" \/>\n<meta property=\"og:locale\" content=\"pl_PL\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Xanthe malware spreads using systems with exposed Docker API [Warning] - Xopero Blog\" \/>\n<meta property=\"og:description\" content=\"Welcome to the next episode of Xopero Security Center. This time we are taking a good look into the Xanthe malware. 
Cisco Talos recently discovered...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xopero.com\/blog\/en\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\/\" \/>\n<meta property=\"og:site_name\" content=\"Xopero Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/XoperoSoftware\/\" \/>\n<meta property=\"article:published_time\" content=\"2020-12-07T07:04:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-08-16T11:31:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2020\/04\/security-center-en.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1843\" \/>\n\t<meta property=\"og:image:height\" content=\"481\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"xopero_blogger\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xoperobackup\" \/>\n<meta name=\"twitter:site\" content=\"@xoperobackup\" \/>\n<meta name=\"twitter:label1\" content=\"Napisane przez\" \/>\n\t<meta name=\"twitter:data1\" content=\"xopero_blogger\" \/>\n\t<meta name=\"twitter:label2\" content=\"Szacowany czas czytania\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minut\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\\\/\"},\"author\":{\"name\":\"xopero_blogger\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#\\\/schema\\\/person\\\/cab3d3cda6e8a1aecfa8abea8827b17c\"},\"headline\":\"Xanthe malware spreads using systems with exposed Docker API 
[Warning]\",\"datePublished\":\"2020-12-07T07:04:11+00:00\",\"dateModified\":\"2023-08-16T11:31:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\\\/\"},\"wordCount\":1561,\"publisher\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/xopero.com\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/04\\\/security-center-en.png\",\"articleSection\":[\"Cybersec news\"],\"inLanguage\":\"pl-PL\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\\\/\",\"url\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\\\/\",\"name\":\"Xanthe malware spreads using systems with exposed Docker API [Warning] - Xopero Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/xopero.com\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/04\\\/security-center-en.png\",\"datePublished\":\"2020-12-07T07:04:11+00:00\",\"dateModified\":\"2023-08-16T11:31:29+00:00\",\"description\":\"Welcome to the next episode of Xopero Security Center. This time we are taking a good look into the Xanthe malware. 
Cisco Talos recently discovered...\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\\\/#breadcrumb\"},\"inLanguage\":\"pl-PL\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"pl-PL\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\\\/#primaryimage\",\"url\":\"https:\\\/\\\/xopero.com\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/04\\\/security-center-en.png\",\"contentUrl\":\"https:\\\/\\\/xopero.com\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/04\\\/security-center-en.png\",\"width\":1843,\"height\":481},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Strona g\u0142\u00f3wna\",\"item\":\"https:\\\/\\\/xopero.com\\\/blog\\\/pl\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Xanthe malware spreads using systems with exposed Docker API [Warning]\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/xopero.com\\\/blog\\\/\",\"name\":\"Xopero Blog\",\"description\":\"Backup &amp; Recovery\",\"publisher\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/xopero.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"pl-PL\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#organization\",\"name\":\"Xopero 
Software\",\"url\":\"https:\\\/\\\/xopero.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pl-PL\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/xopero.com\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/03\\\/xopero-niebieskie.png\",\"contentUrl\":\"https:\\\/\\\/xopero.com\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/03\\\/xopero-niebieskie.png\",\"width\":500,\"height\":132,\"caption\":\"Xopero Software\"},\"image\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/XoperoSoftware\\\/\",\"https:\\\/\\\/x.com\\\/xoperobackup\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/opero-sp-z-o-o-\\\/?viewAsMember=true\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCRPWyeo1apjSgkDW3hZpB9g?reload=9\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#\\\/schema\\\/person\\\/cab3d3cda6e8a1aecfa8abea8827b17c\",\"name\":\"xopero_blogger\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pl-PL\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/49b4a2bbd1b6df951fc556f7478f5fb20bb41aeebf08473e459b28c5da9947f7?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/49b4a2bbd1b6df951fc556f7478f5fb20bb41aeebf08473e459b28c5da9947f7?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/49b4a2bbd1b6df951fc556f7478f5fb20bb41aeebf08473e459b28c5da9947f7?s=96&d=mm&r=g\",\"caption\":\"xopero_blogger\"},\"sameAs\":[\"https:\\\/\\\/xopero.com\"],\"url\":\"https:\\\/\\\/xopero.com\\\/blog\\\/author\\\/xopero_blogger\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Xanthe malware spreads using systems with exposed Docker API [Warning] - Xopero Blog","description":"Welcome to the next episode of Xopero Security Center. This time we are taking a good look into the Xanthe malware. 
Cisco Talos recently discovered...","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xopero.com\/blog\/en\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\/","og_locale":"pl_PL","og_type":"article","og_title":"Xanthe malware spreads using systems with exposed Docker API [Warning] - Xopero Blog","og_description":"Welcome to the next episode of Xopero Security Center. This time we are taking a good look into the Xanthe malware. Cisco Talos recently discovered...","og_url":"https:\/\/xopero.com\/blog\/en\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\/","og_site_name":"Xopero Blog","article_publisher":"https:\/\/www.facebook.com\/XoperoSoftware\/","article_published_time":"2020-12-07T07:04:11+00:00","article_modified_time":"2023-08-16T11:31:29+00:00","og_image":[{"width":1843,"height":481,"url":"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2020\/04\/security-center-en.png","type":"image\/png"}],"author":"xopero_blogger","twitter_card":"summary_large_image","twitter_creator":"@xoperobackup","twitter_site":"@xoperobackup","twitter_misc":{"Napisane przez":"xopero_blogger","Szacowany czas czytania":"7 minut"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xopero.com\/blog\/en\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\/#article","isPartOf":{"@id":"https:\/\/xopero.com\/blog\/en\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\/"},"author":{"name":"xopero_blogger","@id":"https:\/\/xopero.com\/blog\/#\/schema\/person\/cab3d3cda6e8a1aecfa8abea8827b17c"},"headline":"Xanthe malware spreads using systems with exposed Docker API 
[Warning]","datePublished":"2020-12-07T07:04:11+00:00","dateModified":"2023-08-16T11:31:29+00:00","mainEntityOfPage":{"@id":"https:\/\/xopero.com\/blog\/en\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\/"},"wordCount":1561,"publisher":{"@id":"https:\/\/xopero.com\/blog\/#organization"},"image":{"@id":"https:\/\/xopero.com\/blog\/en\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\/#primaryimage"},"thumbnailUrl":"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2020\/04\/security-center-en.png","articleSection":["Cybersec news"],"inLanguage":"pl-PL"},{"@type":"WebPage","@id":"https:\/\/xopero.com\/blog\/en\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\/","url":"https:\/\/xopero.com\/blog\/en\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\/","name":"Xanthe malware spreads using systems with exposed Docker API [Warning] - Xopero Blog","isPartOf":{"@id":"https:\/\/xopero.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/xopero.com\/blog\/en\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\/#primaryimage"},"image":{"@id":"https:\/\/xopero.com\/blog\/en\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\/#primaryimage"},"thumbnailUrl":"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2020\/04\/security-center-en.png","datePublished":"2020-12-07T07:04:11+00:00","dateModified":"2023-08-16T11:31:29+00:00","description":"Welcome to the next episode of Xopero Security Center. This time we are taking a good look into the Xanthe malware. 
Cisco Talos recently discovered...","breadcrumb":{"@id":"https:\/\/xopero.com\/blog\/en\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\/#breadcrumb"},"inLanguage":"pl-PL","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xopero.com\/blog\/en\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\/"]}]},{"@type":"ImageObject","inLanguage":"pl-PL","@id":"https:\/\/xopero.com\/blog\/en\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\/#primaryimage","url":"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2020\/04\/security-center-en.png","contentUrl":"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2020\/04\/security-center-en.png","width":1843,"height":481},{"@type":"BreadcrumbList","@id":"https:\/\/xopero.com\/blog\/en\/xanthe-malware-spreads-using-systems-with-exposed-docker-api-warning\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Strona g\u0142\u00f3wna","item":"https:\/\/xopero.com\/blog\/pl\/"},{"@type":"ListItem","position":2,"name":"Xanthe malware spreads using systems with exposed Docker API [Warning]"}]},{"@type":"WebSite","@id":"https:\/\/xopero.com\/blog\/#website","url":"https:\/\/xopero.com\/blog\/","name":"Xopero Blog","description":"Backup &amp; Recovery","publisher":{"@id":"https:\/\/xopero.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xopero.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"pl-PL"},{"@type":"Organization","@id":"https:\/\/xopero.com\/blog\/#organization","name":"Xopero 
Software","url":"https:\/\/xopero.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"pl-PL","@id":"https:\/\/xopero.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2019\/03\/xopero-niebieskie.png","contentUrl":"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2019\/03\/xopero-niebieskie.png","width":500,"height":132,"caption":"Xopero Software"},"image":{"@id":"https:\/\/xopero.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/XoperoSoftware\/","https:\/\/x.com\/xoperobackup","https:\/\/www.linkedin.com\/company\/opero-sp-z-o-o-\/?viewAsMember=true","https:\/\/www.youtube.com\/channel\/UCRPWyeo1apjSgkDW3hZpB9g?reload=9"]},{"@type":"Person","@id":"https:\/\/xopero.com\/blog\/#\/schema\/person\/cab3d3cda6e8a1aecfa8abea8827b17c","name":"xopero_blogger","image":{"@type":"ImageObject","inLanguage":"pl-PL","@id":"https:\/\/secure.gravatar.com\/avatar\/49b4a2bbd1b6df951fc556f7478f5fb20bb41aeebf08473e459b28c5da9947f7?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/49b4a2bbd1b6df951fc556f7478f5fb20bb41aeebf08473e459b28c5da9947f7?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/49b4a2bbd1b6df951fc556f7478f5fb20bb41aeebf08473e459b28c5da9947f7?s=96&d=mm&r=g","caption":"xopero_blogger"},"sameAs":["https:\/\/xopero.com"],"url":"https:\/\/xopero.com\/blog\/author\/xopero_blogger\/"}]}},"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/posts\/3463","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/comments?post=3463"}],"version-history":[{"count":14,"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/posts\/3463\/r
evisions"}],"predecessor-version":[{"id":5043,"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/posts\/3463\/revisions\/5043"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/media\/2447"}],"wp:attachment":[{"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/media?parent=3463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/categories?post=3463"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/tags?post=3463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}