Saturday, August 27, 2016

New threats in July 2016

(This post is the first in a monthly series highlighting some of the new threats detected by Sky ATP's deep analysis engines.)

 

In July, Sky ATP detected tens of thousands of malicious applications and documents as they passed through SRX firewalls. While most of these were known threats, Sky ATP also detected new malware strains, including multiple forms of ransomware as well as assorted trojans, droppers, spyware, and other potentially unwanted programs. In this post, we'll look at two new ransomware variants, plus an old threat that has evolved into highly evasive (almost) fileless malware.

 

Early in the Sky ATP analysis pipeline, we run each new sample against a suite of anti-virus engines. AV engines are a fast and efficient way to catch and filter out known threats and their close variants. Removing these known threats from the analysis pipeline as early as possible reduces the load on the more computationally expensive parts of the pipeline, which include static analysis engines and full sandbox detonation. But for new threats, hashes and signatures are not enough. In this post, we'll look at some of the threats we saw in July, which were undetected by numerous AV engines but caught by Sky ATP's deep analysis.

 

Zepto ransomware

We discussed Locky in previous posts. Zepto is a new variant, but looks and behaves much like Locky, except it uses ".zepto" as the file extension for the encrypted files:

 

zepto_files.png

As with Locky (and most other ransomware), the victim is notified by pop-up images, text files, and a new desktop background with instructions on how to convert the ransom payment to bitcoin and deliver it via a site on the dark web.

 

zepto_desktop.png

 

Cerber ransomware

Sky ATP’s deep analysis detected a number of variants of the Cerber ransomware that evaded traditional antivirus engines. The ransom process includes an automated voice announcing the infection.

 

 

Kovter's (almost) fileless malware

Some of the most interesting samples detected by our deep analysis pipeline in July were several variants of the Kovter click-fraud malware. This malware strain has become increasingly evasive and maintains almost fileless persistence on a victim’s machine.


Kovter's foothold begins with obfuscated JavaScript and binary content saved in the Windows registry.

 

kovter_registry1.png

 

Kovter's authors use a clever trick to achieve persistence without leaving any of their malware on the actual Windows filesystem. The malware drops a randomly generated file with an arbitrary (but important!) file extension, along with a batch file and a shortcut.

 

kovter_files.png

 

The batch file "opens" the garbage .fcb676eie file with the start command.

 

kovter_batch.png

 

Instead of opening the file, a registry key associated with the .fcb676eie extension instructs Windows to execute an altogether different command.

 

kovter_registry2.png

 

This uses Microsoft's mshta engine to execute the obfuscated JavaScript stored in the registry. The bulk of the payload is a 5000+ character hexadecimal string, which is decoded and executed with the JavaScript eval() function. This produces another JavaScript program, this time with a very long string encoded in Base64.

 

kovter_js2.png

 

This, in turn, is decoded to form a PowerShell script containing raw shellcode that is injected and launched to create a malicious Windows process, using a technique taken from an old Metasploit template.

 

kovter_powershell.png

 

With this convoluted process, the malware can remain on the victim's computer without leaving anything on the filesystem besides the garbage file and its associated batch file and shortcut. Its malicious behavior, however, is still detected by Sky ATP's deep analysis techniques.
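The chain above (garbage file, batch file that runs "start" on it, a file-extension handler in the registry that hands the extension to mshta, and a hex-then-Base64 layering around the PowerShell stage) can be triaged from a registry export and the dropped files without running anything. The script below is an added example written for this post from a defender's perspective; it is not Juniper's code and not Kovter's artifacts. The .reg text, batch line, file names and the layered payload are all constructed sample data (the real command behind the .fcb676eie handler is not reproduced here), and the parser assumes a simplified .reg format in which default values appear as plain `@="..."` strings.

```python
"""
Defender-side triage for the Kovter-style chain described above: find registry
extension handlers that launch a script host, tie them to a batch file that
'start's a file with that extension, and peel the hex -> eval -> Base64 layering
to expose the PowerShell stage for inspection. All sample data is constructed.
"""
import base64
import binascii
import re

# Command fragments that mean "a script host runs", not a document viewer.
SCRIPT_HOSTS = ("mshta.exe", "javascript:", "vbscript:", "wscript.exe", "cscript.exe")
HEX_RUN = re.compile(r"[0-9A-Fa-f]{64,}")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Constructed .reg-style export (assumed format: defaults as @="..."; real
# exports also carry hex(2): values, which this simplified parser ignores).
SAMPLE_REG_EXPORT = r"""
[HKEY_CLASSES_ROOT\.fcb676eie]
@="fcb676eie_auto_file"

[HKEY_CLASSES_ROOT\fcb676eie_auto_file\shell\open\command]
@="\"C:\\Windows\\system32\\mshta.exe\" \"javascript:PLACEHOLDER_OBFUSCATED_SCRIPT\""

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\system32\\NOTEPAD.EXE %1"
"""

# Constructed batch file line (path and file name are invented).
SAMPLE_BATCH = r'start "" "C:\Users\victim\AppData\Local\0a1b2c\3d4e5f.fcb676eie"'

# Constructed stand-in for the layered payload: a harmless PowerShell line,
# Base64-wrapped inside JavaScript, which is hex-wrapped inside outer JavaScript.
INNER_POWERSHELL = "Write-Host 'benign stand-in for the final stage: nothing is executed here'"
_inner_js = 'var p = "%s"; /* the real sample decodes and runs p */' % (
    base64.b64encode(INNER_POWERSHELL.encode()).decode())
SAMPLE_OUTER_JS = 'var h = "%s"; eval(fromHex(h));' % _inner_js.encode().hex()


def parse_reg_export(reg_text):
    """Return {key_path: default_value} for a .reg export's @="..." defaults."""
    values, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1)
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg files escape backslashes and double quotes with a backslash.
            values[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return values


def find_script_host_handlers(reg_text):
    """Map each registered extension to its shell\\open\\command when that
    command launches a script host (the hand-off described for .fcb676eie)."""
    values = parse_reg_export(reg_text)
    findings = {}
    for key, progid in values.items():
        ext = key.rsplit("\\", 1)[-1]
        if not key.upper().startswith("HKEY_CLASSES_ROOT\\."):
            continue
        cmd = values.get("HKEY_CLASSES_ROOT\\%s\\shell\\open\\command" % progid, "")
        if any(host in cmd.lower() for host in SCRIPT_HOSTS):
            findings[ext] = cmd
    return findings


def batch_start_targets(batch_text, flagged_exts):
    """Return the flagged extensions that a batch file launches with 'start'."""
    hits = []
    for line in batch_text.splitlines():
        if not re.match(r"\s*start\b", line, re.IGNORECASE):
            continue
        target = line.lower().rstrip().rstrip('"')
        hits.extend(ext for ext in flagged_exts if target.endswith(ext.lower()))
    return hits


def _bytes_to_text(data):
    # Heuristic: PowerShell handed over as UTF-16LE shows NULs in odd positions.
    if len(data) >= 2 and data[1::2].count(0) > len(data) // 4:
        return data.decode("utf-16-le", errors="replace")
    return data.decode("utf-8", errors="replace")


def unwrap_layers(text, max_depth=5):
    """Peel long hex runs, then long Base64 runs, until nothing decodes.
    Returns the layers outermost first; the last one is what would execute."""
    layers = [text]
    for _ in range(max_depth):
        current = layers[-1]
        m = HEX_RUN.search(current)
        if m and len(m.group()) % 2 == 0:
            layers.append(_bytes_to_text(bytes.fromhex(m.group())))
            continue
        m = B64_RUN.search(current)
        if m:
            try:
                layers.append(_bytes_to_text(base64.b64decode(m.group(), validate=True)))
                continue
            except binascii.Error:
                pass
        break
    return layers


if __name__ == "__main__":
    handlers = find_script_host_handlers(SAMPLE_REG_EXPORT)
    print("script-host extension handlers:", handlers)
    print("batch launches flagged extension:", batch_start_targets(SAMPLE_BATCH, handlers))
    for depth, layer in enumerate(unwrap_layers(SAMPLE_OUTER_JS)):
        print("layer %d (%d chars): %s" % (depth, len(layer), layer[:60]))
```

On a live host, `reg export HKEY_CLASSES_ROOT hkcr.reg` produces the kind of text the parser reads (decode the UTF-16 file before passing it in); the three findings together, a script-host handler on an unusual extension, a batch file that starts a file with that extension, and a decoded innermost layer that is PowerShell rather than a document, are the persistence pattern to alert on, even though no executable is written to disk.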
 

Until next month...

As mentioned above, these threats are just a few of many detected by Sky ATP's deep analysis engines. Thanks for reading, and please check back next month for another installment in this series!


Copyright © 1996-2016 Juniper Networks, Inc. All rights reserved