CyberSecurity News Byte – Weekly

Hosted By Jim Guckin


Episode 18: May 16 2022

US college forced to close after cyberattack, Conti Ransomware Attack Spurs State of Emergency in Costa Rica, $7 to rent DCRat to backdoor your network, ‘Nerbian’ Trojan Uses Advanced Anti-Detection Tricks

Bullet points of key topics + chapter markers
[00:36] US college forced to close after cyberattack
[06:39] Conti Ransomware Attack Spurs State of Emergency in Costa Rica
[12:19] $7 to rent DCRat to backdoor your network
[18:55] ‘Nerbian’ Trojan Uses Advanced Anti-Detection Tricks

Links

https://www.nbcnews.com/tech/security/ransomware-attack-covid-combine-shutter-illinois-college-rcna24905

https://www.tweaktown.com/news/86082/us-college-forced-to-close-after-cyberattack-posts-goodbye-note/index.html

https://threatpost.com/conti-ransomware-attack-emergency-costa-rica/179560/

https://www.theregister.com/2022/05/09/budgetfriendly_dcrat_malware/

https://threatpost.com/nerbian-rat-advanced-trick/179600/

NOTES

US college forced to close after cyberattack

  • Lincoln College
    • a liberal-arts school from rural Illinois
    • predominantly Black institution
    • closed on May 13th 2022
    • 157 years in operation
    • 1-2 punch on its finances
      • COVID-19
      • Ransomware Attack
    • survived multiple disasters
      • including a major fire in 1912
      • the Spanish flu
      • the Great Depression
      • Both World Wars
      • 2008 global financial crisis
  • December ransomware attack
    • Straw that broke the institution
    • one of more than 1,000 other schools hit by ransomware last year
    • blocked the college from accessing data used in its student recruitment and retention and fundraising efforts

Conti Ransomware Attack Spurs State of Emergency in Costa Rica

  • President Rodrigo Chaves
    • declared a state of national cybersecurity emergency last week
    • following a financially motivated Conti ransomware attack against his administration
    • the state of emergency was one of his first decrees as president
    • Other agencies impacted
      • the Ministry of Labor and Social Security
      • the Ministry of Science, Innovation, Technology and Telecommunications
      • the National Meteorological Institute
      • the entire scope of the damage is not known.
    • Attributed to Conti
      • demanded a ransom of $10 million
      • in exchange for not releasing information stolen from the Ministry of Finance
      • Russian-speaking ransomware group
      • most ruthless gangs
        • take-no-prisoners approach
        • double extortion
          • in which attackers threaten to expose stolen data or use it for future attacks if victims don’t pay by a deadline
        • targeting organizations for which attacks could have life-threatening consequences, such as hospitals, emergency number dispatch carriers, emergency medical services and law-enforcement agencies.
    • Costa Rica so far has declined to pay
      • Conti updated its data-leak site on Monday with 97 percent of the 672 GB of data that the group claims contains information stolen from Costa Rican government agencies

$7 to rent DCRat to backdoor your network

  • How much does a RAT Cost
    • Remote Access Trojan
  • budget-friendly RAT
    • under active development
    • selling on underground Russian forums
      • $7 for a two-month subscription
  • backdoor Windows malware
    • DCRat or DarkCrystal RAT
    • Originally released in 2018
    • redesigned and relaunched 2019
    • a lone programmer works to improve it daily.
      • The administrator tool and the backdoor/client are regularly updated with bug fixes and new features; the same applies to officially released plugins
  • modular architecture and plugin framework
    • espionage
    • data theft
    • distributed denial of service attacks
    • dynamic code execution
      • several different languages
    • Three Components
      • A client executable written in .NET that can steal data
      • A single PHP page that interfaces with the RAT’s backend command-and-control (C2) server
      • An administration tool
  • DCRat administrator tool
    • written in JPHP
      • which is rare, because it produces very large, slow executables
      • It also has a kill switch that, if flipped, renders all instances of the administrator tool unusable.
    • once the subscription validation checks are completed
      • the malware subscriber can use the administrator tool to communicate with the command-and-control server
      • configure builds of the client executable
      • submit bug reports to the DCRat author.
  • entire bundle
    • along with plugins
    • plugin development framework
    • other tools
    • hosted on crystalfiles[.]ru
      • previously located at dcrat[.]ru
  • Updates are announced via a Telegram channel
    • which has about 3,000 subscribers.
  • Pricing
    • 500 RUB (about $7 at time of writing) for two-month license
    • 2200 RUB ($31) for a year
    • 4200 RUB ($60) for a lifetime license
  • Both the product’s low price and the author’s use of JPHP indicate “a novice malware author who hasn’t yet figured out an appropriate pricing structure.”

‘Nerbian’ Trojan Uses Advanced Anti-Detection Tricks

  • a newly discovered remote access trojan (RAT) is spreading
    • via malicious email campaigns using COVID-19 lures
      • includes numerous features to evade analysis
    • The emails claimed to be from the World Health Organization (WHO)
      • important information regarding COVID-19,
        • throwback to similar phishing campaigns that circulated in 2020 in the early days of the pandemic.
    • Uses sender addresses like who.inter.svc@gmail[.]com and announce@who-international[.]com
      • use “WHO” or “World Health Organization” as their subject line
      • include safety measures related to COVID-19 as well as attachments
        • that also include “covid19” in their names
          • Word documents containing malicious macros.
      • once macros are enabled
        • the document reveals information relating to COVID-19 safety, specifically about self-isolation and caring for individuals with COVID-19.
        • Enabling macros also causes the document to execute an embedded macro that drops a file which launches a PowerShell process to drop the Nerbian RAT dropper, a 64-bit executable called UpdateUAV.exe written in Go
  • Dubbed Nerbian RAT
    • Written in the OS-agnostic Go programming language
    • utilizes significant anti-analysis and anti-reversing capabilities
    • Name is based on a named function in the malware code
      • Appears to be derived from “Nerbia,”
      • a fictional place from the novel Don Quixote
  • The RAT was first observed
    • being distributed in a low-volume email campaign beginning on April 26
      • messages sent to multiple industries
        • mainly located in Italy, Spain and the United Kingdom
  • Go
    • becoming an increasingly popular language used by threat actors
    • likely due to its lower barrier to entry and ease of use
  • Nerbian Complexity
    • leverages multiple anti-analysis components spread across several stages
      • including multiple open-source libraries
    • the malware shows sophistication
      • working in three distinct phases
      • starts with the malicious document spread via phishing
      • then moves on to the UpdateUAV.exe dropper
        • The dropper performs various environment scans
          • anti-reversing
          • anti-VM checks
          • then executing the Nerbian RAT.
        • the RAT itself is executed via an encrypted configuration file
          • uses extreme caution to ensure data sent to command-and-control (C&C) is encrypted
            • sends it over Secure Sockets Layer (SSL)
              • to evade inspection by network-scanning tools
    • other RAT things
      • keylogging
        • stores keystrokes in encrypted file
      • screen capture
        • works across all OS platforms.
  • Extreme Vetting
    • dropper performs an extensive vetting of the compromised host
    • will stop execution if it encounters any conditions it doesn’t like
      • the hard disk on the system is smaller than a certain size
        • i.e., 100GB
      • the name of the hard disk, according to WMI
        • contains “virtual,” “vbox” or “vmware;”
      • the MAC address queried returns certain OUI values
      • several reverse engineering/debugging/memory analysis/memory tampering programs are encountered in the process list
        • DumpIt.exe
        • RAMMap.exe or RAMMap64.exe
        • vmmap.exe
      • the amount of time elapsed executing specific functions is deemed “excessive” (which would suggest debugging) by a time measurement function present in the dropper.

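As an added illustration (not code from the episode or the articles it links), here is a small Python detector for the delivery chain the notes describe: a Word document with macros enabled spawns PowerShell, which writes the 64-bit dropper UpdateUAV.exe, which is then executed. The events below are constructed, and the Sysmon-like field names are an assumption.

```python
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Constructed sample telemetry, not real logs. The shape loosely follows Sysmon
# Event ID 1 (process create) and Event ID 11 (file create); field names are assumed.
SAMPLE_EVENTS = [
    {"eid": 1, "pid": 3000, "ppid": 900, "image": r"C:\Windows\explorer.exe"},
    {"eid": 1, "pid": 4010, "ppid": 3000,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"eid": 1, "pid": 4020, "ppid": 4010,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"eid": 11, "pid": 4020, "target": r"C:\Users\user\AppData\Roaming\UpdateUAV.exe"},
    {"eid": 1, "pid": 4030, "ppid": 4020, "image": r"C:\Users\user\AppData\Roaming\UpdateUAV.exe"},
    # Benign noise: an admin runs PowerShell from Explorer and saves a script, not an .exe.
    {"eid": 1, "pid": 5000, "ppid": 3000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"eid": 11, "pid": 5000, "target": r"C:\Users\user\Documents\cleanup.ps1"},
]


def basename(path):
    return ntpath.basename(path).lower()


def ancestry(pid, procs):
    """Image basenames from pid up to the root, nearest first; guards against pid-reuse loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def find_office_dropper_chains(events):
    """Alert when a script host descended from an Office app writes an .exe,
    and note whether that .exe was subsequently launched."""
    procs = {e["pid"]: e for e in events if e["eid"] == 1}
    alerts = []
    for e in events:
        if e["eid"] != 11 or not e["target"].lower().endswith(".exe"):
            continue
        chain = ancestry(e["pid"], procs)
        if chain and chain[0] in SCRIPT_HOSTS and any(p in OFFICE_APPS for p in chain[1:]):
            executed = any(p["image"].lower() == e["target"].lower() for p in procs.values())
            alerts.append({"dropped": e["target"], "chain": chain, "executed": executed})
    return alerts
```

Run over real Sysmon data, the same walk up the parent chain catches the macro-to-PowerShell hop even when the dropper name changes, since the rule keys on lineage rather than on UpdateUAV.exe.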
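A second added example (again not from the episode or its sources) turns the dropper’s bail-out list above into a sandbox self-check: given the facts an analysis VM exposes, it reports which conditions would make the dropper quit before the RAT ever runs, so an analyst can tune the VM before detonation. The hypervisor OUIs and the input layout are assumptions; the article does not publish the exact OUI list or the timing threshold.

```python
MIN_DISK_GB = 100                                   # threshold named in the notes
VM_DISK_MARKERS = ("virtual", "vbox", "vmware")     # disk-name substrings from the notes
ANALYSIS_TOOLS = {"dumpit.exe", "rammap.exe", "rammap64.exe", "vmmap.exe"}
# Assumed OUIs of common hypervisor NICs (VirtualBox, VMware, Hyper-V); the exact
# values the dropper checks are not given in the article.
HYPERVISOR_OUIS = {"08:00:27", "00:0c:29", "00:50:56", "00:05:69", "00:15:5d"}


def sandbox_tells(facts):
    """Return the list of bail-out conditions a host would trigger.

    facts is an assumed dict: disk_gb (int), disk_name (WMI model string),
    mac (colon-separated), processes (list of image names). The timing check
    is omitted because its threshold is unpublished.
    """
    tells = []
    if facts["disk_gb"] < MIN_DISK_GB:
        tells.append(f"disk smaller than {MIN_DISK_GB}GB ({facts['disk_gb']}GB)")
    name = facts["disk_name"].lower()
    for marker in VM_DISK_MARKERS:
        if marker in name:
            tells.append(f"disk name contains '{marker}'")
            break
    oui = facts["mac"].lower()[:8]
    if oui in HYPERVISOR_OUIS:
        tells.append(f"MAC OUI {oui} is a hypervisor vendor")
    running = {p.lower() for p in facts["processes"]}
    for tool in sorted(running & ANALYSIS_TOOLS):
        tells.append(f"analysis tool in process list: {tool}")
    return tells


# Constructed sample hosts: a stock VirtualBox guest and a tuned detonation VM.
STOCK_VM = {"disk_gb": 60, "disk_name": "VBOX HARDDISK",
            "mac": "08:00:27:12:34:56", "processes": ["explorer.exe", "vmmap.exe"]}
TUNED_VM = {"disk_gb": 250, "disk_name": "Samsung SSD 870 EVO",
            "mac": "3c:52:82:aa:bb:cc", "processes": ["explorer.exe"]}
```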
