pronto, posted March 15, 2022 (edited):
Servus Community, our Thor scanner encountered suspicious entries in the log files of both Exchangers tonight. The information points to this vulnerability: https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ I could not find any evidence of detection of the attack in the virus scanner, nor in the firewall. Is this known to you? Thx & Bye Tom
Edited March 15, 2022 by Marcos (screenshots removed)
Marcos (Administrator; marked as Solution), posted March 15, 2022:
Probably FP. To me it looks like a Yara rule merely detected the string "172.105.94.67" in the Received SMTP log file.
pronto (Author), posted March 15, 2022:
Quote (Marcos, 8 minutes ago): Probably FP. To me it looks like a Yara rule merely detected the string "172.105.94.67" in the Received SMTP log file.
Since the rule is also named after that IP address, it may well be. I can live with that... BTW: Can you set the screenshots to non-public? I found an email address in a screenshot that I should have made unreadable. Thx & Bye Tom
itman, posted March 15, 2022:
Not so sure on the FP verdict. The IP address is associated with Microcin. Per the linked Kaspersky article:
Quote: Microcin: a backdoor typically used by the SixLittleMonkeys threat actor, which we have been tracking since 2016. It is worth noting that since its inception, the SixLittleMonkeys group has been using Microcin against various targets, partly against high-profile entities based in Russia and Central Asia. The implants we observed in this campaign are shipped as DLLs that ought to run in the context of exe, with the primary intent of reading a C2 address from an encrypted configuration file stored in %WINDIR%\debug\netlogon.cfg and reaching out to the server to obtain a further payload. Interestingly, the Trojan holds a scheduling algorithm that would skip any work on Saturdays, checking the local time every hour to determine if Saturday has passed.
Here's another, more detailed Kaspersky analysis of this UEFI malware: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/19115831/MoonBounce_technical-details_eng.pdf
itman, posted March 15, 2022 (edited):
Here's a Kaspersky detailed analysis on Microcin: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf . Note it can deploy any of 13 different backdoors.
Edited March 15, 2022 by itman
pronto (Author), posted March 15, 2022 (edited):
Quote (itman, 8 minutes ago): Here's a Kaspersky detailed analysis on Microcin: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf
Puh, like the link before, this is way beyond my knowledge. But I found the complete SMTP handshake in the Exchange log files and it only affects an email address of a colleague who left, and the forwarding destination of the emails terminates on a macOS system. So far I could follow Kaspersky's technical explanations that it is probably a Windows-based attack vector. But the question still remains: how could I detect a successful attack? Thx & Bye Tom
Edited March 15, 2022 by pronto
itman, posted March 15, 2022 (edited):
Quote (pronto, 51 minutes ago): But the question still remains, how could I detect a successful attack?
Per this: https://www.bleepingcomputer.com/news/security/backdoors-in-recent-espionage-attempts-link-to-microcin-malware/ , Eset will detect a stand-alone Microcin attack. However, if it is embedded in the UEFI, all bets are off. Also of note from the linked MoonBounce Kaspersky article you posted, Kaspersky could not determine how the UEFI got infected.
Edited March 15, 2022 by itman
pronto (Author), posted March 15, 2022:
Quote (itman, 38 minutes ago): Eset will detect a stand-alone Microcin attack. However, if it is embedded in the UEFI, all bets are off.
Oh Itman, the world is evil... Why is this hitting us? How should I proceed now? I feel a little helpless right now... The good news is, so far it has remained with this one incident. I'll have to see if I can still find that ominous email. I am already very interested in what it has to do with it... Thx & Bye Tom
itman, posted March 15, 2022 (edited):
Quote (pronto, 22 minutes ago): Why is this hitting us? How should I proceed now?
If the Thor scanner detected inbound network traffic from this IP address, it could have been just a random connection attempt. If the connection to the IP address is outbound, then that's a different story. Note that most gateways will only allow inbound TCP network traffic that is stateful-based, i.e. a response to prior outbound TCP network traffic. The key element will be if further Thor detections occur.
Edited March 15, 2022 by itman
pronto (Author), posted March 15, 2022:
Quote (itman, 21 minutes ago): If the Thor scanner detected inbound network traffic from this IP address, it could have been just a random connection attempt. If the connection to the IP address is outbound, then that's a different story. Note that most gateways will only allow inbound TCP network traffic that is stateful-based, i.e. a response to prior outbound TCP network traffic. The key element will be if further Thor detections occur.
It was an incoming e-mail from this suspicious address, but I have not found it yet, or even searched for it. Or actually even several emails with random sender addresses but always the same receiving address. I'll look for this email now and keep watching...
itman, posted March 15, 2022 (edited):
Quote (pronto, 1 hour ago): It was an incoming e-mail from this suspicious address
There are enough detections on VirusTotal (see the below screenshot) to justify blocking the IP address on the Exchange servers. An interesting note here is Linode LLC is one of the largest cloud providers in the world: https://www.datacentermap.com/company/linode.html . However, that doesn't preclude malware/malicious actors being hosted on one of their servers.
Edited March 15, 2022 by itman
itman, posted March 15, 2022 (edited):
Looks like "we can put this one to bed." I got a hold of an initial MoonBounce payload here: hxxps://bazaar.abuse.ch/sample/f0b6c73ee9bd2cee5b0ef10f65386ad1312f01227551cc99ef9997df2372d272/ . Upon extraction of the password-protected archive, Eset immediately nailed it:
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
3/15/2022 2:24:37 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\f0b6c73ee9bd2cee5b0ef10f65386ad1312f01227551cc99ef9997df2372d272\f0b6c73ee9bd2cee5b0ef10f65386ad1312f01227551cc99ef9997df2372d272.exe;a variant of Win64/MoonBounce.A trojan;deleted;XXXXXX\XXX;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;0571ABE5132604DC55A398C1AE00C95B8955B7E7;
Appears that when Kaspersky wrote their articles on this bugger, they weren't aware of it being delivered as most malware is. Other articles I recently reviewed confirmed the same. In any case, I would still block that IP address. It might be delivering a MS Word .docx attachment with an embedded macro containing an obfuscated, packed, encrypted, etc. Microcin payload, assuming you haven't disabled MS Office macros as you most certainly should.
Edited March 15, 2022 by itman
pronto (Author), posted March 15, 2022:
Quote (itman, 24 minutes ago): Looks like "we can put this one to bed."
Servus Itman, thank you for your support and research on this issue. I have rarely felt so helpless. The more I read about it, the more frightened I became. Anyway, we have disabled the execution of macros in office applications for a long time and tomorrow I will block the IP at the perimeter gateway. You also gave me the tip about the Thor scanner, without it I wouldn't have noticed anything. Maybe the problem wasn't as big as I made it, but since I had no idea how to track down a possible infection, I just collapsed in panic for a while. In the meantime I also had the time to take a closer look at the many warnings of the Thor scanner. There were 72 of them. The reason for this was that we received several emails from this IP at once (as described above) and in every line of the SMTP handshake the IP address appeared. Thus Thor generated a warning from every single line. I'll take a more relaxed look at it tomorrow. Hope it remains so... 🙂 Thx & Bye Tom
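The 72 per-line hits above and itman's inbound-versus-outbound point both come down to reading the Exchange SMTP receive protocol log per session rather than per line. The following is an added example, not code from the thread, Thor, ESET or Exchange: it parses a constructed log in Exchange's "#Fields:" CSV layout (hypothetical session IDs and endpoints), collapses every line that mentions the indicator IP into one record per SMTP session, flags whether the indicator host was actually the connecting client, and lists the envelope sender and recipient addresses it used.

```python
import csv

# Constructed sample in the layout of an Exchange SMTP receive protocol log
# (hypothetical session IDs and endpoints, not the thread author's real log).
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2022-03-15T01:12:03.101Z,EX01\\Default Frontend EX01,08DA0630A1B2C3D4,0,10.0.0.5:25,172.105.94.67:41822,+,,
2022-03-15T01:12:03.150Z,EX01\\Default Frontend EX01,08DA0630A1B2C3D4,1,10.0.0.5:25,172.105.94.67:41822,<,EHLO mail.example.invalid,
2022-03-15T01:12:03.200Z,EX01\\Default Frontend EX01,08DA0630A1B2C3D4,2,10.0.0.5:25,172.105.94.67:41822,<,MAIL FROM:<random1@example.invalid>,
2022-03-15T01:12:03.201Z,EX01\\Default Frontend EX01,08DA0630A1B2C3D4,3,10.0.0.5:25,172.105.94.67:41822,<,RCPT TO:<former.colleague@example.invalid>,
2022-03-15T01:12:03.900Z,EX01\\Default Frontend EX01,08DA0630A1B2C3D4,4,10.0.0.5:25,172.105.94.67:41822,-,,Local
2022-03-15T01:20:11.000Z,EX01\\Default Frontend EX01,08DA0630A1B2C3E9,0,10.0.0.5:25,198.51.100.20:50011,+,,
2022-03-15T01:20:11.060Z,EX01\\Default Frontend EX01,08DA0630A1B2C3E9,1,10.0.0.5:25,198.51.100.20:50011,-,,Local
"""


def summarize_ioc_sessions(log_text, ioc_ip):
    """Collapse per-line indicator hits into one record per SMTP session.

    Returns only sessions in which ioc_ip appears: matching line count,
    whether the IoC host was the connecting client, and envelope addresses."""
    sessions = {}
    fields = None
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw[len("#Fields:"):].strip().split(",")
            continue
        if not raw or raw.startswith("#") or fields is None or ioc_ip not in raw:
            continue
        row = dict(zip(fields, next(csv.reader([raw]))))
        rec = sessions.setdefault(row["session-id"],
                                  {"lines": 0, "remote_is_ioc": False,
                                   "mail_from": [], "rcpt_to": []})
        rec["lines"] += 1
        # On a receive connector, remote-endpoint is the connecting client:
        # an exact match means the IoC host itself connected inbound, rather
        # than merely being mentioned in command data or a Received header.
        if row["remote-endpoint"].rsplit(":", 1)[0] == ioc_ip:
            rec["remote_is_ioc"] = True
        data = row["data"]
        if row["event"] == "<":  # "<" = command received from the client
            if data.upper().startswith("MAIL FROM:"):
                rec["mail_from"].append(data.split(":", 1)[1].strip("<> "))
            elif data.upper().startswith("RCPT TO:"):
                rec["rcpt_to"].append(data.split(":", 1)[1].strip("<> "))
    return sessions


if __name__ == "__main__":
    for sid, rec in summarize_ioc_sessions(SAMPLE_LOG, "172.105.94.67").items():
        print(sid, rec)
```

On the sample, five raw hits collapse into a single inbound session from the indicator IP with one sender and one recipient, which is the shape of alert worth reviewing; a session where the IP only appears in command data would show remote_is_ioc as False.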