Search Results

110 items found for ""

  • Coping with Scanners

    It can be argued that there is no unwanted traffic on the Internet; even scans and DDoS are wanted, usually outbound, by the miscreants running them. However, there is a lot of Internet traffic we good folks don’t want, either because it consumes our links, or because it shows up in query results and clouds our analysis. We’re solving the issue of scanners using the same global visibility that informs our analysis tools.

    Graph 1: Shows quantities of traffic matching filters versus total (BARS is Team Cymru’s Botnet Analysis and Reporting System)

    We built a list of scanners using our global sensor data and then filtered our network visibility based on that list. What did we learn? In a six hour period, 17.535% of all traffic is to or from known scanners. Over a 24 hour period the percentage of traffic involving known scanners is 17.19%. These include port scanners, honeypot interactions, Darknet visits, SCADA probes and more.

    By allowing an analyst the option of filtering out those scanners, we enable the analyst to fine tune the data to their needs. We’ve found this helps us to focus on the relevant without obviously irrelevant distractions. With the volumes of data we peruse in Augury and our other tools, this is a necessary feature. Otherwise, the flood of data from our expansive visibility becomes a glass of water to a drowning person.

  • Unmasking AVE_MARIA

    Several public reports[1][2] of a malware family often referred to as AVE_MARIA were made in January 2019. Yoroi, an Internet research company, says the malware sample analyzed for their report[2] contains “AVE_MARIA”, and uses that string as a “hello message” for the malware controller. Also, in a Twitter thread[3] about similar malware, a researcher asked that it be called AVE_MARIA.

    Here, we review the sample reported by Yoroi and the sample reported by the Twitter account @dvk01uk. We see similarities within the two samples and have found more samples within the AVE_MARIA family. We also discuss AVE_MARIA’s origins and ties to WARZONE RAT. We include indicator of compromise (IOC) data for several versions of WARZONE RAT.

    Key Findings

      • AVE_MARIA is a Remote Administration Tool (RAT) offering marketed as WARZONE RAT on hacker forums and on the Web
      • WARZONE RAT is only available as a one- or three-month subscription
      • The same persona selling WARZONE RAT also promotes a free dynamic DNS service, warzonedns[.]com

    Analysis

    Yoroi Sample

    Yoroi shows the SHA256 hash[4] (81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1) of one file they called the “AveMaria payload”, and one domain, anglekeys.warzonedns[.]com, for a command and control (C2) server. Our malware sandboxing confirms this behavior. Yoroi’s analysis and our own show the malware failing to establish a connection to the C2. We see several possible IOCs from our sandbox runs and show them below in Table 1:

    @dvk01uk Sample

    Twitter user @dvk01uk[6] reports a malware sample that exhibits similar behavior to the one Yoroi later blogged about. @JR0driguezB replied[7], linking to the Virustotal output[8] of that payload and suggesting this malware family be called AVE_MARIA[9]. @James_inthe_box replies[10] with output showing the AVE_MARIA string, as shown in Figure 1.

    Figure 1 (arrow added): Original: https://twitter.com/James_inthe_box/status/1069971854591291393

    We see several possible IOCs from our sandbox runs and show them below in Table 2:

    There are many overlaps (folder, AV signature, and presence of the string AVE_MARIA) between the Yoroi sample and the @dvk01uk sample. We assess with high confidence that these malware samples are from the same family.

    warzonedns[.]com

    When looking through our malware holdings for AVE_MARIA samples, we see many using the domain warzonedns[.]com[12]. We see over 4,500 malware samples making DNS queries for hostnames within warzonedns[.]com[13]. Of these malware samples, over 75% contained a key IOC[14] for AVE_MARIA.

    Warzone DDNS

    Web searches for warzonedns[.]com show a post on the popular hacker forum HackForums. The post (shown in Figure 2) says warzonedns[.]com is a free Dynamic DNS (DDNS) service allowing new users to register with only a username and password. This post also says they “will not ban any users/subdomains”.

    Figure 2: HackForums Post Announcing WarzoneDNS[.]com DDNS Service

    ‘Solmyr’ posted this with a description of ‘WARZONE RAT’. The banner at the bottom of this post advertises a “Remote Administration Tool” (RAT) which leads to another forum post on HackForums – a sales thread for WARZONE RAT.

    Warzone RAT

    ‘Solmyr’ also posted the initial HackForums post advertising WARZONE RAT[15] (shown in Figure 3).

    Figure 3: Sales thread for WARZONE RAT on HackForums

    Later within the same thread, responding to questions about AntiVirus (AV) detection, Solmyr shared the post shown in Figure 4, containing a link to a service that performs AV scans.

    Figure 4: Author post for WARZONE RAT on HackForums

    Figure 5: Results from scanmybin[.]net for WARZONE RAT

    We do not have the sample from the “scanmybin[.]net” results shown in Figure 5. We do see over 200 samples matching the imphash. Some of the samples related by imphash also show IOCs mentioned above.

    As of 2019-07-24, HackForums shows 192 completed sales of Warzone RAT via their service. Note that the seller also sells via their Web site, and may sell via other forums as well. Appendix A contains supporting data for the HackForums sales.

    AVE_MARIA is WARZONE RAT

    While the file with the MD5 checksum from Figure 5 was not found, a search found over 200 files with that same Imphash (d3ff663beb2af406701e3b4be6a9207a). Many of these have the same compilation timestamp[16]: 2018-09-30 03:49:17. These samples contain an interesting PE resource, shown in Figure 6:

    Figure 6: PE resource within samples sharing the same Imphash as the WARZONE RAT.

    This is also present in the “AveMaria payload” from the Yoroi blog post[17], and appears in their “Indicator of Compromise” table. Multiple AV vendors confirm that this executable (stored as a PE resource in AVE_MARIA samples) is a UAC bypass[18].

    Another Clue

    Taking a look at a WARZONE RAT version 1.51 sample shows the usual AVE_MARIA strings and some interesting additions (Figure 7):

        SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
        %u.%u.%u.%u
        AVE_MARIA
        …
        Software\Microsoft\Windows\CurrentVersion\Internet Settings
        MaxConnectionsPer1_0Server
        MaxConnectionsPerServer
        hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/softokn3.dll
        hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/msvcp140.dll
        hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/mozglue.dll
        hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/vcruntime140.dll
        hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/freebl3.dll
        hXXps://github[.]com/solmyr1/nothingtoseehere/raw/master/nss3.dll
        …
        Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
        …
        Hey I’m Admin

    Figure 7: Selected Strings Seen in WARZONE RAT Version 1.51 Sample

    Unfortunately, the ‘solmyr1’ github account is no longer active.

    @P3pperP0tts tweeted[19] these same findings (Figure 8):

    Figure 8: Screenshot of Twitter Post Tying ‘solmyr1’ and AVE_MARIA

    The WARZONE RAT version 1.60 sample shows the AVE_MARIA string but adds ‘warzone160’ and updates the library URLs (Figure 9):

        warzone160
        …
        SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
        %u.%u.%u.%u
        AVE_MARIA
        …
        \Google\Chrome\User Data\Default\Login Data
        Software\Microsoft\Windows\CurrentVersion\App Paths\
        hXXp://warzonedns[.]com/dll/softokn3.dll
        hXXp://warzonedns[.]com/dll/msvcp140.dll
        hXXp://warzonedns[.]com/dll/mozglue.dll
        hXXp://warzonedns[.]com/dll/vcruntime140.dll
        hXXp://warzonedns[.]com/dll/freebl3.dll
        hXXp://warzonedns[.]com/dll/nss3.dll
        …
        Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
        …
        Hey I’m Admin

    Figure 9: Selected Strings Seen in WARZONE RAT Version 1.60 Sample

    Versions up to 1.88 still contain the same ‘warzone160’ string. The DLL URLs observed are still available via warzonedns[.]com (as of 23 July 2019). What we grabbed were legitimate (clean) files; four from Mozilla (all related to Thunderbird) and two from Microsoft.

    Distinct Versions

    ‘Solmyr’ occasionally announces updates to WARZONE RAT on HackForums. Here are the dates and releases as posted in the sales thread on HackForums (Table 3):

    We believe some versions of WARZONE RAT exist that were not announced on HackForums. Table 4 shows IOCs of WARZONE RAT and their possible corresponding version. Question-marked entries we grade as medium confidence of being a distinct version and low confidence of the exact version number. For all others, we assess the data points with medium-to-high confidence.

    Solmyr

    The HackForums user “Solmyr” claims to be the author of WARZONE RAT and provides support via:

      • HackForums (private message / forum thread)
      • Warzone[.]io Web site (warzone[.]io)
      • Discord (solmyr#4699)
      • Jabber (solmyr@xmpp.jp)
      • Skype (live:solmyr_12)
      • Email (solmyr[at]warzone[.]io)

    Solmyr has a YouTube channel called WARZONE RAT[21].

    Solmyr also posts on the nulled[.]io forums, offering WARZONE RAT: hXXps://www.nulled[.]to/topic/574717-x-warzone-rat-150-x-native-c-remote-administration-tool-get-ready-for-2019/

    Indicators of Compromise

    The IOC resources for this story are too numerous to include here. Please see our github repo to access the indicators of compromise.

    References

    [1] https://cofense.com/exploiting-unpatched-vulnerability-ave_maria-malware-not-full-grace/
    [2] https://blog.yoroi.company/research/the-ave_maria-malware/
    [3] https://twitter.com/dvk01uk/status/1069963251021201409
    [4] SHA256 hash of “AveMaria payload” from Yoroi blog post: 81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1
    [5] Explanation of what Imphash is: https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
    [6] https://twitter.com/dvk01uk/status/1069963251021201409
    [7] https://twitter.com/JR0driguezB/status/1069968365723234305
    [8] https://www.virustotal.com/en/file/b6c028df0b4efe3e07bb1c8ed300163d16d2554b1b800f234a14a836f99849c4/analysis/1543934943/
    [9] https://twitter.com/JR0driguezB/status/1069971250448089090
    [10] https://twitter.com/James_inthe_box/status/1069971854591291393
    [11] Explanation of what “Imphash” is: https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
    [12] We defanged possible malicious domain names and URLs within this report to minimize accidental exposure of report viewers.
    [13] The full list is available on our github repo.
    [14] The folder C:\Program Files\Microsoft DN1 gets created during the sandbox operation.
    [15] https://hackforums[.]net/showthread.php?tid=5897941
    [16] https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format#file-headers – under the sub-heading “COFF File Header (Object and Image)”
    [17] https://www.virustotal.com/#/file/81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1/details
    [18] https://www.virustotal.com/#/file/021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546/detection
    [19] https://twitter.com/P3pperP0tts/status/1095477422877753344
    [20] The page number within the sales thread in HackForums. For example, page 3 is accessible at hXXps://hackforums[.]net/showthread.php?tid=5897941&page=3
    [21] https://www.youtube.com/channel/UCnJvHfkjlwL4YERWkuuykSw