Talos has investigated a targeted malware campaign against South Korean users. The campaign was active between November 2016 and January 2017, targeting a limited number of people. The infection vector is a Hangul Word Processor document (HWP), a popular alternative to Microsoft Office for South Korean users developed by Hancom.
The malicious document in question is written in Korean with the following title:
5170101-17년_북한_신년사_분석.hwp (translation: 5170101-17 __ North Korea _ New Year _ analysis .hwp)
This document was alleged to be written by the Korean Ministry of Unification and included their logo as a footer on the document.
An interesting twist also came within the analysed malicious document as it attempts to download a file from an official Korean government website: kgls.or.kr (Korean Government Legal Service). The file downloaded is a binary masquerading as a jpeg file that is later executed as part of the infection. It’s likely that the website was compromised by the attackers to try and legitimise the HTTP GET attempts for the final payload, this traffic would potentially not have looked unfamiliar for any system administrators.
The attackers’ infrastructure appeared to be up for a few days at a time with no observed infrastructure re-use occurring. Unfortunately, the compromised sites were all either cleaned or removed by the attackers and Talos were unable to obtain the final payload. This level of operational security is common for sophisticated attackers.
Due to these elements it’s likely that this loader has been designed by a well-funded group in order to target public sector entities in South Korea. Many of these techniques fit the profile of campaigns previously associated with attacks by certain government groups.
Vulnerabilities discovered by Talos
Talos is releasing multiple vulnerabilities discovered in the Aerospike Database Server. These vulnerabilities range from Denial of Service to potential remote code execution. This software is used by various companies that require a high performance NoSQL database. These issues have been addressed in version 188.8.131.52 of the Aerospike Database software.
The Aerospike Database Server is both a distributed and scalable NoSQL database that is used as a back-end for scalable web applications that need a key-value store. With a focus on performance, it is multi-threaded and retains its indexes entirely in ram with the ability to persist data to a solid-state drive or traditional rotational media.
TALOS-2016-0263 (CVE-2016-9049) – Aerospike Database Server Fabric_Worker Socket-Loop Denial-of-Service Vulnerability
TALOS-2016-0265 (CVE-2016-9051) – Aerospike Database Server Client Batch Request Code Execution Vulnerability
TALOS-2016-0267 (CVE-2016-9053) – Aerospike Database Server RW Fabric Message Particle Type Code Execution Vulnerability
‘Magic Hound’ is the code name used to reference a seemingly limited series of malware distribution campaigns that were observed targeting organizations in Saudi Arabia as well as organizations with business interests in Saudi Arabia. Similar to other malware distribution campaigns that Talos has observed and documented, this series of campaigns made use of phishing emails containing links to malicious Word documents hosted on attacker controlled servers. When opened, the malicious documents display a message instructing the user to enable macros in an attempt to entice recipients to execute the attacker’s scripts and download additional malware, thus infecting their systems. Unlike some of the more sophisticated campaigns seen in the wild, in the case of ‘Magic Hound’ the attackers made use of commodity malware and tools. This included tools such as IRC bots and Metasploit Meterpreter payloads as well as an open source Remote Administration Tool (RAT).
Talos is aware of this targeted campaign and we have responded to ensure that customers remain protected from ‘Magic Hound’ as well as other similar campaigns as they are identified and change over time.
Read more »
Discovered by Tyler Bohan of Cisco Talos
Talos is disclosing TALOS-2016-0262 (CVE-2017-2372) and TALOS-2017-0275 (CVE-2017-2374), an out of bounds write vulnerability in Apple GarageBand. GarageBand is a music creation program, allowing users to create and edit music easily and effectively from their Mac computer. GarageBand is installed by default on all Mac computers so there is a significant number of potential victims. This issue was partially resolved on 1/18/17 with a patch which addressed CVE-2017-2372, the patch released on 2/13/17 addressed CVE-2017-2374 resolving the issue.
This particular vulnerability is the result of the way the application parses the proprietary file format used for GarageBand files, .band. The format is broken into chunks with a specific length field for each. This length is controlled by the user and can be leveraged to expose an exploitable condition. This vulnerability could be exploited by a user opening a specially crafted .band file.
A vulnerability (CVE-2016-9244) was recently disclosed affecting various F5 products due to the way in which the products handle Session IDs when the non-default Session Tickets option is enabled. By manipulating the Session IDs provided to affected products, an attacker could potentially leak up to 31 bytes of uninitialized memory. This vulnerability can be used to retrieve potentially sensitive information from affected devices such as SSL session IDs from other sessions, or the contents of uninitialized memory.
This post was authored by Edmund Brumaghin with contributions from Angel Villegas
Talos is constantly monitoring the threat landscape in an effort to identify changes in the way attackers are attempting to target organizations around the world. We identified a unique malware campaign that was distributed via malicious Word documents. The campaign appeared to be targeting victims in Portugal. The malware being distributed was interesting for a variety of reasons. As the author of this malware refers to it as “Athena” in their source code working directory and the fact that the C2 domain used by the malware begins with “athena”, we have identified this malware as “AthenaGo”. We were unable to locate a detailed analysis of this particular malware.
AthenaGo appears to be a Remote Access Trojan (RAT) that also features the capability to download and run additional binaries on infected systems when instructed to do so by an attacker. The malware was written using the Go programming language. Windows-based malware written in Go is not commonly seen in the wild. Additionally the command and control (C2) communications used by the malware made use of Tor2Web proxies, which is part of a trend of increased reliance on these proxying services by various malware authors. As this was an interesting/unique infection chain, Talos decided to examine the malware itself as well as the campaigns that were distributing it.