40. Prime Vulnerabilities
Coming up this week on Breaking Badness. Today we discuss: CovidLock: Mobile Coronavirus Tracking App Coughs Up Ransomware, Son of a Patch, and our fun new game, two truths and a lie.
Here are a few highlights from each article we discussed:
- I monitor a lot of the usual labels everyone else does, you know—SharePoint, Microsoft, Apple, Amazon. Those are the constant scams that are going on all the time. When the uptick in Coronavirus domains started, it was overwhelming. I went from seeing a few a day to suddenly hundreds, to now we’re in the thousand-plus range. Scammers are hopping on this pandemic left and right to try and turn a buck.
- Coronavirusapp[.]site stuck out to me immediately as I was scanning screenshots for these domains, because I had already seen a cool page developed by an indie developer named etch on Reddit at infection2020[.]com. It was loading his page in an iframe and then inserting, at the top, a “download this Android app to stay informed” request. That Android app I pulled and sent over to Tarik immediately because, well, he’s the malware magician.
- After Chad handed this information over, I reverse engineered the malware and completed:
  - Static code analysis – I dove into the permissions from the manifest (bind_device_admin) and code that highlighted screen locking, as opposed to file encryption, which is more traditional with ransomware.
  - Dynamic analysis – how it behaves at the network level. File operations didn’t matter, because statically there wasn’t any evidence of traditional file locking. Partial ransom notes were stored at Pastebin URLs, so they’re generated dynamically; this helps evade some detections that look for keywords common in ransom notes.
- The static decryption key caught my eye. I wouldn’t do that if I were writing malware. Then again, keep in mind that just because it isn’t APT-sophisticated doesn’t mean it’s not effective. CovidLock is still an effective ransomware for Android.
- As of today, there has been zero transaction history on the Bitcoin wallet. That being said, that doesn’t mean we don’t have victims, we just have zero that have paid the ransom as of today.
- In terms of attribution, there is a connection through the SSL certificate to some other domains that run some dating and sex scams. Those pages also serve up the app. Those then tie to another registrant that claims to be someone in Morocco, but we all know how dicey WHOIS information can be.
- This is just an absolute mess. I think part of the problem is fear of the unknown here and that’s so easy to leverage with average people. If you are around people it’s all anyone is talking about. The entire world psyche is tuned into this thing and fearful of it. These scams are just going to keep growing. We hope to get ahead of even more of them in the future.
- Microsoft’s advisory states that a crafted SMBv3 packet could be used to achieve remote code execution on a vulnerable SMB server. Exploitation of an unauthenticated SMB client requires the victim to have connected to an SMBv3 server controlled by the attacker. This affects Windows 10 and Windows Server. This is also wormable. So this is bad.
- Kryptos Logic was able to recreate a PoC exploiting this vulnerability without even having a patch release to reverse engineer. This tells us how trivial this exploit is. I wouldn’t be surprised to see it weaponized in public exploit code soon.
- This update is installed via typical Microsoft Updates. If you’re using automatic updates—and you should be using automatic updates—you should be taken care of already. If you’re not doing automatic updates go turn on automatic updates. And run your updates.
- It’s a specially crafted packet that can run arbitrary code on a server or client after a buffer overflow. Very reminiscent of NotPetya and WannaCry here. The vulnerability looks to be in the compression code, so disabling compression—which Microsoft recommends—mitigates the problem for now. It’s marked as being highly exploitable and likely to be exploited, as it is wormable, meaning it could replicate between hosts easily.
- The details of this vulnerability leaked online, but no proof-of-concept code, unlike what happened with NotPetya and WannaCry before. No one has spotted it being exploited in the wild from what I’ve seen. It certainly will start happening, though, once someone figures it out and drops a Metasploit exploit for it. Then we’ll see yet another wave of SMB malware.
- This vulnerability impacts Windows 10 and the latest server editions.
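As an added example (not from the podcast, the hosts, or Microsoft’s own tooling), the PowerShell below checks whether the compression-disabling workaround mentioned above is in place on an SMB server and applies it if it is not. It assumes an elevated session on an affected Windows 10 or Windows Server host; the registry path and DisableCompression value are the ones Microsoft’s advisory documents for this workaround.

```powershell
# Added example: inspect and apply the SMBv3 compression workaround.
# Assumes an elevated PowerShell session on Windows 10 / Windows Server.
$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'DisableCompression'

function Get-SmbCompressionState {
    # Returns 'Disabled' when the workaround (DisableCompression = 1) is set,
    # otherwise 'Enabled' (the default, vulnerable-until-patched state).
    $item = Get-ItemProperty -Path $SmbParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$ValueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Disable-SmbCompression {
    # Applies the workaround; supports -WhatIf so it can be dry-run first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($SmbParams, "Set $ValueName = 1")) {
        Set-ItemProperty -Path $SmbParams -Name $ValueName -Type DWORD -Value 1 -Force
    }
}

function Enable-SmbCompression {
    # Rolls the workaround back once the patch is installed and verified.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($SmbParams, "Set $ValueName = 0")) {
        Set-ItemProperty -Path $SmbParams -Name $ValueName -Type DWORD -Value 0 -Force
    }
}

# Report the current state, then apply the workaround only if it is missing.
$before = Get-SmbCompressionState
Write-Host "SMBv3 compression before: $before"
if ($before -eq 'Enabled') {
    Disable-SmbCompression
    Write-Host "SMBv3 compression after:  $(Get-SmbCompressionState)"
}
```

The registry change takes effect without a reboot and protects only the SMB server side; the client-side case described above (a client connecting to a malicious SMBv3 server) is addressed by installing the update, not by this setting.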
Two Truths and a Lie
Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one of us will come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.
You’ll have to tune in to find out!
This Week’s Hoodie/Goodie Scale
CovidLock: Mobile Coronavirus Tracking App Coughs Up Ransomware
[Chad]: 6/10 Hoodies
[Tarik]: 6/10 Hoodies
Son of a Patch
[Chad]: 10/10 Hoodies
[Tarik]: 9/10 Hoodies
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!