Three major campaigns using malicious spam (malspam) to distribute malware stopped sending malspam before Christmas, sometime during the week ending on Sunday 2018-12-23. These three campaigns are Emotet (also known as Feodo), Hancitor (also known as Chanitor or Tordal), and Trickbot. But this week, all three campaigns have been sending out malspam again.
Among these campaigns, Emotet is by far the most active. Dozens of indicators are discovered every day as vectors for Emotet infections. Emotet also acts as a distributor for other families of malware. So far in 2019, I've seen Emotet retrieve Gootkit and the IcedID banking Trojan. As 2019 progresses, I expect to find examples of Emotet distributing other families of malware like Qakbot and Trickbot, something we saw in 2018.
Today's diary examines recent Emotet malspam and two examples of infection traffic from Tuesday 2019-01-15.
As usual, emails pushing Emotet use Microsoft Word documents with malicious macros. On vulnerable Windows hosts, opening these documents in Microsoft Word and enabling macros will attempt an Emotet infection. So far this week, Emotet malspam had a link to download the Word document, or it's had a Word document directly attached to the email. See the images below for examples.
Network traffic is typical for what we've seen with recent Emotet infections from December 2018. Emotet frequently uses HTTP traffic over non-standard TCP ports (not TCP port 80). This may cause issues when reviewing the infection traffic in Wireshark, because Wireshark picks a dissector by port unless told otherwise. Traffic on ports like TCP port 53 (normally associated with DNS activity like zone transfers) and TCP port 22 (normally associated with SSH) may not be decoded as HTTP in Wireshark. That was the case with the two examples of infection traffic I generated on Tuesday 2019-01-15.
Post-infection activity from the first run included Gootkit, with traffic patterns similar to those I've previously documented. Post-infection activity from the second run included IcedID (also known as Bokbot), something I've also documented.
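The practical consequence of the paragraph above is that a port-based view of the pcap will hide Emotet's HTTP requests on ports 53 and 22. The script below is an added example, not code from the diary: it identifies HTTP/1.x requests by content (the request line and Host header) regardless of destination port, lists the ones a port-based dissector would have left undecoded, and builds the matching tshark `-d tcp.port==N,http` "Decode As" arguments. The flows in it are constructed samples on documentation-range IPs with made-up paths, not indicators from the infections; the set of ports treated as "dissected as HTTP by default" is also an assumption for the example rather than Wireshark's real default list.

```python
"""Spot HTTP requests on non-standard TCP ports by content rather than by port.

Added example; not code from the diary. All flows below are constructed
samples that mimic the shape of the traffic described, not real indicators.
"""
import re
from typing import List, NamedTuple, Optional

# HTTP/1.x request line: method SP request-target SP version CRLF (RFC 7230 3.1.1).
REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) (\S+) HTTP/1\.[01]\r\n"
)
# One header field per line: name ":" OWS value OWS CRLF.
HEADER_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*\r\n", re.M)

# Ports a purely port-based dissector labels as HTTP. This set is an assumption
# for the example, not Wireshark's actual default HTTP port list.
PORT_BASED_HTTP_PORTS = {80, 8080}


class Flow(NamedTuple):
    """First client-to-server TCP payload of one connection."""
    dst_ip: str
    dst_port: int
    payload: bytes


class HttpRequest(NamedTuple):
    dst_ip: str
    dst_port: int
    method: str
    host: str
    target: str
    dissected_by_port: bool   # would a port-based dissector have shown this as HTTP?


def parse_http_request(flow: Flow) -> Optional[HttpRequest]:
    """Return the request if the payload starts with an HTTP/1.x request line, else None."""
    m = REQUEST_LINE.match(flow.payload)
    if m is None:
        return None
    head, _, _ = flow.payload.partition(b"\r\n\r\n")
    header_block = head[m.end():] + b"\r\n"      # re-add the CRLF that partition() consumed
    headers = {name.lower(): value for name, value in HEADER_LINE.findall(header_block)}
    return HttpRequest(
        dst_ip=flow.dst_ip,
        dst_port=flow.dst_port,
        method=m.group(1).decode("ascii"),
        host=headers.get(b"host", b"").decode("ascii", "replace"),
        target=m.group(2).decode("ascii", "replace"),
        dissected_by_port=flow.dst_port in PORT_BASED_HTTP_PORTS,
    )


def find_http_requests(flows: List[Flow]) -> List[HttpRequest]:
    """Content-based HTTP detection over every flow, whatever the port."""
    return [r for r in (parse_http_request(f) for f in flows) if r is not None]


def missed_by_port_dissector(flows: List[Flow]) -> List[HttpRequest]:
    """HTTP requests that a port-based view would have left undecoded."""
    return [r for r in find_http_requests(flows) if not r.dissected_by_port]


def tshark_decode_as_args(requests: List[HttpRequest]) -> List[str]:
    """Build tshark '-d tcp.port==N,http' arguments for every non-standard port seen."""
    ports = sorted({r.dst_port for r in requests if not r.dissected_by_port})
    args: List[str] = []
    for port in ports:
        args += ["-d", f"tcp.port=={port},http"]
    return args


# Constructed sample payloads: documentation-range IPs, invented paths.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", 80,
         b"GET /docs/invoice.doc HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    Flow("198.51.100.7", 53,
         b"POST /whoami.php HTTP/1.1\r\nHost: 198.51.100.7:53\r\nContent-Length: 4\r\n\r\nabcd"),
    Flow("203.0.113.21", 22,
         b"POST / HTTP/1.1\r\nHost: 203.0.113.21:22\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"),
    Flow("203.0.113.22", 22, b"SSH-2.0-OpenSSH_7.4\r\n"),          # genuine SSH banner, not HTTP
    Flow("192.0.2.53", 53, b"\x00\x1d\xab\xcd\x01\x00\x00\x01"),   # DNS-over-TCP length prefix + header
]

if __name__ == "__main__":
    for r in missed_by_port_dissector(SAMPLE_FLOWS):
        print(f"{r.method} http://{r.host}{r.target}  (dst {r.dst_ip}:{r.dst_port})")
    print("tshark", *tshark_decode_as_args(find_http_requests(SAMPLE_FLOWS)),
          "-r infection.pcap -Y http.request")
```

Against the samples, the port-80 request is the only one a port-based dissector shows as HTTP; the two POSTs to ports 53 and 22 are found only by content, while the SSH banner and the DNS-over-TCP bytes on those same ports are correctly left alone. The same `-d` arguments can be applied in the Wireshark GUI through Analyze > Decode As, which is the fix the paragraph calls for.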
Indicators of Compromise (IoCs)
The following are indicators from two infections on Tuesday 2019-01-15. Any malicious URLs, IP addresses, and domain names have been "de-fanged" to avoid issues when viewing today's diary.
Malware from the first run:
Malware from the second run:
Emotet Infection traffic from the first run:
Gootkit infection traffic from the first run:
Emotet infection traffic from the second run:
IcedID infection traffic from the second run:
Pcaps of the infection traffic and malware associated with today's diary can be found here.
brad [at] malware-traffic-analysis.net
bambenek \at\ gmail /dot/ com
Today, Microsoft published an advisory on CVE-2019-0624, a spoofing vulnerability in Skype for Business 2015. It requires a few steps from the attacker and isn't entirely straightforward to execute. The attacker must be an authenticated user and then send a spoofed request that can perform an XSS on the victim machine at the privilege level of the user running Skype for Business.
Additionally, two advisories were published for Team Foundation Server (2017 and 2018): an XSS vulnerability triggered by crafted user input (CVE-2019-0646) and an information disclosure bug (CVE-2019-0647).
Applying these patches isn't an emergency, but if you accept input from untrusted third parties in TFS or Skype for Business, that increases your risk. Given the sensitivity of what most people use TFS for, you may wish to find a window when your developers are off and get the patches applied sooner.
No public exploitation has been reported, but the TFS vulnerabilities were publicly disclosed.
bambenek \at\ gmail /dot/ com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.