
UEFI Threat Moonbounce


Solved by Marcos

Servus Community,

our Thor scanner encountered suspicious entries in the log files of both Exchangers tonight. The information points to this vulnerability:

https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

I could not find any evidence of detection of the attack in the virus scanner, nor in the firewall. Is this known to you?

Thx & Bye Tom

Edited by Marcos: Screenshots removed

Marcos (Administrator), marked as solution:

Probably FP. To me it looks like a Yara rule merely detected the string "172.105.94.67" in the Received SMTP log file.


8 minutes ago, Marcos said:

Probably FP. To me it looks like a Yara rule merely detected the string "172.105.94.67" in the Received SMTP log file.

Since the rule is also called that IP address, it may well be. I can live with that...

BTW: Can you set the screenshots to non-public? I found an email address in a screenshot that I should have made unreadable.

Thx & Bye Tom


Not so sure on the FP verdict.

The IP address is associated with Microcin:

Per the linked Kaspersky article:

Quote

Microcin: a backdoor typically used by the SixLittleMonkeys threat actor, which we have been tracking since 2016. It is worth noting that since its inception, the SixLittleMonkeys group has been using Microcin against various targets, partly against high-profile entities based in Russia and Central Asia.

The implants we observed in this campaign are shipped as DLLs that ought to run in the context of exe, with the primary intent of reading a C2 address from an encrypted configuration file stored in %WINDIR%\debug\netlogon.cfg and reaching out to the server to obtain a further payload. Interestingly, the Trojan holds a scheduling algorithm that would skip any work on Saturdays, checking the local time every hour to determine if Saturday has passed.


Here's another, more detailed Kaspersky analysis of this UEFI malware: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/19115831/MoonBounce_technical-details_eng.pdf

8 minutes ago, itman said:

Puh, like the link before, this is way beyond my knowledge. But I found the complete SMTP handshake in the Exchange log files and it only affects an email address of a colleague who left and the forwarding destination of the emails terminates on a macOS system. So far I could follow Kaspersky's technical explanations that it is probably a Windows based attack vector.

But the question still remains, how could I detect a successful attack?

Thx & Bye Tom


51 minutes ago, pronto said:

But the question still remains, how could I detect a successful attack?

Per this: https://www.bleepingcomputer.com/news/security/backdoors-in-recent-espionage-attempts-link-to-microcin-malware/ , Eset will detect a stand-alone Microcin attack. However, if it is embedded in the UEFI, all bets are off.

Also of note from the linked MoonBounce Kaspersky article you posted, Kaspersky could not determine how the UEFI got infected.


38 minutes ago, itman said:

Eset will detect a stand-alone Microcin attack. However, if it is embedded in the UEFI, all bets are off.

Oh Itman, the world is evil...

Why is this hitting us? How should I proceed now? I feel a little helpless right now...

The good news is, so far it has remained with this one incident. I'll have to see if I can still find that ominous email. I am already very interested in what it has to do with it...

Thx & Bye Tom


22 minutes ago, pronto said:

Why is this hitting us? How should I proceed now?

If the Thor scanner detected inbound network traffic from this IP address, it could have been just a random connection attempt. If the connection to the IP address is outbound, then that's a different story. Note that most gateways will only allow inbound TCP network traffic that is stateful based, i.e. a response to prior outbound TCP network traffic.

The key element will be if further Thor detections occur.


21 minutes ago, itman said:

If the Thor scanner detected inbound network traffic from this IP address, it could have been just a random connection attempt. If the connection to the IP address is outbound, then that's a different story. Note that most gateways will only allow inbound TCP network traffic that is stateful based, i.e. a response to prior outbound TCP network traffic.

The key element will be if further Thor detections occur.

It was an incoming e-mail from this suspicious address, but I have not found it yet, or even searched for it. Or actually even several emails with random sender addresses but always the same receiving address. I'll look for this email now and keep watching...


1 hour ago, pronto said:

It was an incoming e-mail from this suspicious address

There are enough detections (see the screenshot below) on VirusTotal to justify blocking the IP address on the Exchange servers.

An interesting note here is Linode LLC is one of the largest cloud providers in the world: https://www.datacentermap.com/company/linode.html . However, that doesn't preclude malware/malicious actors being hosted on one of their servers.


Looks like "we can put this one to bed."

I got a hold of an initial MoonBounce payload here: hxxps://bazaar.abuse.ch/sample/f0b6c73ee9bd2cee5b0ef10f65386ad1312f01227551cc99ef9997df2372d272/ . Upon extraction of the password protected archive, Eset immediately nailed it:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
3/15/2022 2:24:37 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\f0b6c73ee9bd2cee5b0ef10f65386ad1312f01227551cc99ef9997df2372d272\f0b6c73ee9bd2cee5b0ef10f65386ad1312f01227551cc99ef9997df2372d272.exe;a variant of Win64/MoonBounce.A trojan;deleted;XXXXXX\XXX;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;0571ABE5132604DC55A398C1AE00C95B8955B7E7;

Appears that when Kaspersky wrote their articles on this bugger, they weren't aware of it being delivered as most malware is. Other articles I recently reviewed confirmed the same.

In any case, I would still block that IP address. It might be delivering an MS Word .docx attachment with an embedded macro containing an obfuscated, packed, encrypted, etc. Microcin payload, assuming you haven't disabled MS Office macros as you most certainly should.

24 minutes ago, itman said:

Looks like "we can put this one to bed."

Servus Itman,

thank you for your support and research on this issue. I have rarely felt so helpless. The more I read about it, the more frightened I became. Anyway, we have disabled the execution of macros in office applications for a long time and tomorrow I will block the IP at the perimeter gateway.

You also gave me the tip about the Thor scanner, without it I wouldn't have noticed anything. Maybe the problem wasn't as big as I made it, but since I had no idea how to track down a possible infection, I just collapsed in panic for a while.

In the meantime I also had the time to take a closer look at the many warnings of the Thor scanner. There were 72 of them. The reason for this was that we received several emails from this IP at once (as described above) and in every line of the SMTP handshake the IP address appeared. Thus Thor generated a warning from every single line.

I'll take a more relaxed look at it tomorrow. Hope it remains so... 🙂

Thx & Bye Tom

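Marcos's FP verdict and the 72 warnings pronto counted come down to the same thing: a string rule fires on every SMTP log line that carries the peer address, and itman's point is that the direction of the connection matters more than the match itself. The script below is an added example, not from the thread, ESET or the Thor scanner; it groups hits by session id over a constructed log written in the Exchange protocol-log column layout and labels each session inbound or outbound with a simplified port heuristic (hosts, ports, session ids and mailbox names are made up; only the IP is from the thread).

```python
import csv
import io

# Constructed sample in the column layout of an Exchange SMTP protocol log:
# date-time, connector-id, session-id, sequence-number, local-endpoint,
# remote-endpoint, event, data, context.  Only the IP is taken from the
# thread; hosts, ports, session ids and addresses are made up.
SAMPLE_LOG = """\
2022-03-14T22:01:10.120Z,MX1 Frontend,08DA05F3A1B2C3D4,0,10.0.0.5:25,172.105.94.67:40312,+,,
2022-03-14T22:01:10.130Z,MX1 Frontend,08DA05F3A1B2C3D4,1,10.0.0.5:25,172.105.94.67:40312,>,220 mx1.example.test ESMTP ready,
2022-03-14T22:01:10.200Z,MX1 Frontend,08DA05F3A1B2C3D4,2,10.0.0.5:25,172.105.94.67:40312,<,EHLO mail.sender.test,
2022-03-14T22:01:10.400Z,MX1 Frontend,08DA05F3A1B2C3D4,3,10.0.0.5:25,172.105.94.67:40312,<,MAIL FROM:<random1@sender.test>,
2022-03-14T22:01:10.410Z,MX1 Frontend,08DA05F3A1B2C3D4,4,10.0.0.5:25,172.105.94.67:40312,<,RCPT TO:<former.colleague@example.test>,
2022-03-14T22:01:11.000Z,MX1 Frontend,08DA05F3A1B2C3D4,5,10.0.0.5:25,172.105.94.67:40312,-,,Local
2022-03-14T22:05:00.000Z,MX1 Outbound,08DA05F3A1B2C3E0,0,10.0.0.5:51234,203.0.113.9:25,+,,
2022-03-14T22:05:00.050Z,MX1 Outbound,08DA05F3A1B2C3E0,1,10.0.0.5:51234,203.0.113.9:25,<,220 other.example.test ESMTP,
"""

def summarize_hits(log_text, watched_ip):
    """Collapse per-line matches of watched_ip into one record per SMTP session.

    A string rule fires on every line carrying the peer address, so one
    connection produces as many alerts as it has log lines.  Grouping by
    session id yields one alert per connection plus the useful context.
    """
    sessions = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 8:
            continue
        _, _, session, _, local_ep, remote_ep, event, data = row[:8]
        if remote_ep.rsplit(":", 1)[0] != watched_ip:
            continue
        rec = sessions.setdefault(
            session, {"direction": None, "lines": 0, "commands": [], "rcpt": set()})
        rec["lines"] += 1
        if rec["direction"] is None:
            # Simplification: our side listening on :25 means the peer connected
            # to us (inbound mail); an ephemeral local port means we connected
            # out to the peer, which is the case worth escalating.
            rec["direction"] = "inbound" if local_ep.endswith(":25") else "outbound"
        if event == "<" and data:              # "<" = received from the peer
            verb = data.split()[0].split(":")[0]   # EHLO / MAIL / RCPT / ...
            rec["commands"].append(verb)
            if verb == "RCPT":
                rec["rcpt"].add(data.split(":", 1)[1].strip("<> "))
    return sessions

if __name__ == "__main__":
    for sid, rec in summarize_hits(SAMPLE_LOG, "172.105.94.67").items():
        print(sid, rec["direction"], rec["lines"], "lines", rec["commands"], sorted(rec["rcpt"]))
```

Run against the constructed log, the six matching lines of the inbound session collapse into a single inbound record naming the one recipient, while the watched IP never appears as an outbound peer.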
