UEFI Threat Moonbounce

[pronto 6]

Servus Community,

our Thor scanner encountered suspicious entries in the log files of both Exchangers tonight. The information points to this vulnerability:

https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

I could not find any evidence of detection of the attack in the virus scanner, nor in the firewall. Is this known to you?

Thx & Bye Tom

 

 

Edited March 15, 2022 by Marcos
Screenshots removed

[Marcos 5,070]

Probably FP. To me it looks like a Yara rule merely detected the string "172.105.94.67" in the Received SMTP log file.

[pronto 6]

8 minutes ago, Marcos said:

Probably FP. To me it looks like a Yara rule merely detected the string "172.105.94.67" in the Received SMTP log file.

Since the rule is also called that IP address, it may well be. I can live with that...

BTW: Can you set the screenshots to non-public? I found an email address in a screenshot that I should have made unreadable.

Thx & Bye Tom

[itman 1,659]

Not so sure on the FP verdict.

The IP address is associated with Microcin:

Per the linked Kaspersky article:

Quote

Microcin: a backdoor typically used by the SixLittleMonkeys threat actor, which we have been tracking since 2016. It is worth noting that since its inception, the SixLittleMonkeys group has been using Microcin against various targets, partly against high-profile entities based in Russia and Central Asia.

The implants we observed in this campaign are shipped as DLLs that ought to run in the context of exe, with the primary intent of reading a C2 address from an encrypted configuration file stored in %WINDIR%\debug\netlogon.cfg and reaching out to the server to obtain a further payload. Interestingly, the Trojan holds a scheduling algorithm that would skip any work on Saturdays, checking the local time every hour to determine if Saturday has passed.

Here's another more Kaspersky detailed analysis on this UEFI malware: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/19115831/MoonBounce_technical-details_eng.pdf

[itman 1,659]

Here's a Kaspersky detailed analysis on Microcin: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf . Note it can deploy any of 13 different backdoors.

Edited March 15, 2022 by itman

[pronto 6]

8 minutes ago, itman said:

Here's a Kaspersky detailed analysis on Microcin: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf

Puh, like the link before, this is way beyond my knowledge. But I found the complete SMTP handshake in the Exchange log files and it only affects an email address of a colleague who left and the forwarding destination of the emails terminates on a macOS system. So far I could follow Kaspersky's technical explanations that it is probably a Windows based attack vector.

But the question still remains, how could I detect a successful attack?

Thx & Bye Tom

Edited March 15, 2022 by pronto

[itman 1,659]

51 minutes ago, pronto said:

But the question still remains, how could I detect a successful attack?

Per this: https://www.bleepingcomputer.com/news/security/backdoors-in-recent-espionage-attempts-link-to-microcin-malware/ , Eset will detect a stand-alone Microcin attack. However, if it is embedded in the UEFI, all bets are off.

Also of note from the linked MoonBounce Kaspersky article you posted, Kaspersky could not determine how the UEFI got infected.

Edited March 15, 2022 by itman

[pronto 6]

38 minutes ago, itman said:

Eset will detect a stand-alone Microcin attack. However, if it is embedded in the UEFI, all bets are off.

Oh Itman, the world is evil...

Why is this hitting us? How should I proceed now? I feel a little helpless right now...

The good news is, so far it has remained with this one incident. I'll have to see if I can still find that ominous email. I am already very interested in what it has to do with it...

Thx & Bye Tom

[itman 1,659]

22 minutes ago, pronto said:

Why is this hitting us? How should I proceed now?

If the Thor scanner detected inbound network traffic from this IP address, it could have been just a random connection attempt. If the connection to the IP address is outbound, then that's a different story. Note that most gateways will only allow inbound TCP network traffic that is statefull based; i.e. response to prior outbound TCP network traffic.

The key element will be if further Thor detection's occur.

Edited March 15, 2022 by itman

[pronto 6]

21 minutes ago, itman said:

If the Thor scanner detected inbound network traffic from this IP address, it could have been just a random connection attempt. If the connection to the IP address is outbound, then that's a different story. Note that most gateways will only allow inbound TCP network traffic that is statefull based; i.e. response to prior outbound TCP network traffic.

The key element will be if further Thor detection's occur.

It was an incoming e-mail from this suspicious address, but I have not found it yet, or even searched for it. Or actually even several emails with random sender addresses but always the same receiving address. I'll look for this email now and keep watching...

[itman 1,659]

1 hour ago, pronto said:

It was an incoming e-mail from this suspicious address

There are enough detection's; see below screen shot, on VIrusTotal to justify blocking the IP address on the Exchange servers.

An interesting note here is Linode LLC is one of the largest cloud providers in the world: https://www.datacentermap.com/company/linode.html . However, that doesn't preclude malware/malicious actors being hosted on one of their servers.

Edited March 15, 2022 by itman

[itman 1,659]

Looks like "we can put this one to bed."

I got a hold of an initial MoonBounce payload here: hxxps://bazaar.abuse.ch/sample/f0b6c73ee9bd2cee5b0ef10f65386ad1312f01227551cc99ef9997df2372d272/ . Upon extraction of the password protected archive, Eset immediately nailed it:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
3/15/2022 2:24:37 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\f0b6c73ee9bd2cee5b0ef10f65386ad1312f01227551cc99ef9997df2372d272\f0b6c73ee9bd2cee5b0ef10f65386ad1312f01227551cc99ef9997df2372d272.exe;a variant of Win64/MoonBounce.A trojan;deleted;XXXXXX\XXX;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;0571ABE5132604DC55A398C1AE00C95B8955B7E7;

Appears that when Kaspersky wrote their articles on this bugger, they weren't aware of it being delivered as most malware is. Other articles I recently reviewed confirmed the same.

In any case, I would still block that IP address. It might be delivering a MS Word .docx attachment with an embedded macro containing an obfuscated, packed, encrypted, etc.. Microcin payload assuming you haven't disabled MS Office macros as you most certainly should.

Edited March 15, 2022 by itman

[pronto 6]

24 minutes ago, itman said:

Looks like "we can put this one to bed."

Servus Itman,

thank you for your support and research on this issue. I have rarely felt so helpless. The more I read about it, the more frightened I became. Anyway, we have disabled the execution of macros in office applications for a long time and tomorrow I will block the IP at the perimeter gateway.

You also gave me the tip about the Thor scanner, without I wouldn't have noticed anything. Maybe the problem wasn't as big as I made it, but since I had no idea how to track down a possible infection, I just collapsed in panic for a while.

In the meantime I also had the time to take a closer look at the plenty of warnings of the Thor scanner. There were 72 of them. The reason for this was that we received several emails from this IP at once (as described above) and in every line of the SMTP handshake the IP address appeared. Thus Thor generated a warning from every single line.

I'll take a more relaxed look at it tomorrow. Hope it remains so... 🙂

Thx & Bye Tom