Spring 2019 Threat of the Quarter: 2018 Top Malware Traits
In 2018 the MS-ISAC observed six malware variants consistently reach the Top 10 Malware list, whereas only one or two variants consistently made the list in previous years. These six malware variants, Emotet, Kovter, WannaCry, Gh0st, ZeuS, and CoinMiner, have traits that make them highly effective against SLTT networks, consistently infecting more systems than other types of malware. An examination of the characteristics of these six variants revealed five shared traits: malspam, macro instructions, PowerShell, Server Message Block (SMB), and EternalBlue.
Malspam emails contain malware, link to malware hosted on malicious or compromised websites, or attempt to trick the user into opening malware hidden in an attachment. Due to its ease, low cost, versatility, and success rate, malspam is currently the top vector used to deploy malware. Emotet is an example of a modular banking Trojan that is spread via malspam campaigns. These campaigns were recently observed imitating PayPal receipts, shipping notifications, and “past-due” invoices purportedly from a trusted third party. Malspam campaigns disseminating Emotet target victims opportunistically, as recipients of these emails receive only minimally different messages and attachments.
Macro instructions (macros)
Macro instructions (macros) are a set of rules or instructions stating how an input sequence is mapped to a replacement output sequence; they are used to automate repetitive or complex tasks. These instructions are stored in a compressed form and are expanded into the original instruction details when used. Macros are often used by cyber threat actors to obfuscate the delivery of malicious payloads. Cyber threat actors (CTAs) use social engineering to trick end users into opening malicious Microsoft Word or Excel attachments included in malspam emails. Once an end user opens the attachment, they are prompted to enable macros on the system. If the user allows macros to run, the malicious payload runs automatically, infecting the end user's system before moving on to the rest of the network. CTAs favor macros because the instructions for completing their malicious tasks are compressed into a smaller form, which allows the malicious payloads to bypass security scanning.
PowerShell is a task-based command-line shell and scripting language built on .NET, serving as Microsoft’s configuration management framework. It allows administrators to automate tasks that manage operating systems and processes. CTAs often leverage PowerShell once they gain access to a system because it is already an official administrative tool: it gives them command-line access to stored data as well as to both local and remote systems across the network. This lets them hide malicious commands within the interface and run them across the network or on a single system as if they had been put in place by the legitimate administrator, hiding them from security scans. For example, Kovter, a fileless click-fraud malware, hides its malicious modules entirely in the registry. These modules are then injected into the PowerShell process when the infected system restarts, prompting the click-fraud process to begin.
Server Message Block (SMB)
Server Message Block (SMB) is a Microsoft Windows operating system network file sharing protocol. CTAs often use this protocol to move through a network, spread malware, and exfiltrate or alter information. They rely on the protocol's support for remote access to servers as well as its client-to-client communication for this propagation. The protocol, which applications use to read, write, and update files, to request services from server programs on a network, and to access files on a remote server, is abused to steal, disclose, alter, or destroy data on the system. For example, Emotet scrapes credentials from the initially infected system and uses them to spread via SMB throughout the network. While it spreads, it collects data from each system. Once Emotet has collected the information it requires, it drops other types of malware, such as banking Trojans or ransomware, which can do any of the above and have full access to the system.
EternalBlue is an exploit that allows CTAs to remotely execute arbitrary code and gain access to a network by sending specially crafted packets. It exploits a software vulnerability in the SMB version 1 (SMBv1) protocol of Microsoft’s Windows operating systems (OS). CTAs use this exploit to compromise the entire network and all connected devices. Because the exploit allows malware to self-propagate, it drastically increases the malware's impact. For example, WannaCry, a crypto-ransomware, was one of the first and most well-known malware families to use this exploit to spread. WannaCry uses EternalBlue to spread itself across the network, infecting all connected devices and dropping the crypto-ransomware payload.
SLTT governments should adhere to the following best practices to limit the risk and impact to the organization from CTAs exploiting these five traits.
To reduce the organization's exposure to malspam, implement appropriate policies and procedures. Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines or file attachments associated with malware, such as .zip files. Have a policy covering all suspicious emails that specifies that employees report them to the security and/or IT departments. Additionally, organizations should mark external emails with a banner denoting that they come from an external source, which will assist employees in detecting spoofed emails. Implement Domain-based Message Authentication, Reporting & Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures. Furthermore, organizations should prioritize training to help employees recognize malspam. Training should emphasize that employees should not open suspicious emails, click links contained in such emails, or post sensitive information online, and should never provide usernames, passwords, or personal information in response to any unsolicited request.
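Two of the malspam controls above can be checked and applied from PowerShell. This is an added example, not code from the MS-ISAC advisory; it assumes the Resolve-DnsName cmdlet (Windows 8/Server 2012 and later), a placeholder domain of example.gov, and, for the banner rule, an Exchange management session.

```powershell
# Added example: audit a domain's published DMARC policy from its _dmarc TXT record.
function Get-DmarcPolicy {
    param([Parameter(Mandatory)][string]$Domain)

    # DMARC publishes its policy in a TXT record at _dmarc.<domain>
    $records = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue
    $txt = $records |
        ForEach-Object { ($_.Strings -join '') } |
        Where-Object { $_ -like 'v=DMARC1*' } |
        Select-Object -First 1

    if (-not $txt) {
        # No record at all: receivers cannot detect mail spoofing this domain
        return [pscustomobject]@{ Domain = $Domain; Record = $null; Policy = 'none (no record)'; Weak = $true }
    }

    # Tags are "key=value" pairs separated by semicolons, e.g. "v=DMARC1; p=reject; rua=mailto:..."
    $tags = @{}
    foreach ($pair in ($txt -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }

    # p=none only monitors; spoofed mail still reaches inboxes. quarantine/reject enforce.
    $policy = if ($tags.ContainsKey('p')) { $tags['p'] } else { 'none' }
    [pscustomobject]@{
        Domain          = $Domain
        Record          = $txt
        Policy          = $policy
        SubdomainPolicy = if ($tags.ContainsKey('sp')) { $tags['sp'] } else { $policy }
        Reporting       = $tags.ContainsKey('rua')   # aggregate reports show who is spoofing you
        Weak            = ($policy -eq 'none')
    }
}

Get-DmarcPolicy -Domain 'example.gov' | Format-List   # placeholder domain

# Exchange Online / Exchange Server: prepend a banner to every message from outside the organization.
# Requires an Exchange management session (Connect-ExchangeOnline or the Exchange Management Shell).
New-TransportRule -Name 'External sender banner' `
    -FromScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="background:#ffeb9c;padding:4px">CAUTION: This email originated outside the organization. Do not open attachments or click links unless you recognize the sender.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap
```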
Use Group Policy to block or disable macros from running in Word, Excel, and PowerPoint files from the Internet that are not digitally signed. This setting blocks macros from running even if “Enable all macros” is selected in the macro settings. With this setting, the digital signature acts as a way of validating who sent the document, preventing the accidental enabling of macros on a document containing a malicious payload.
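A workstation-side check that the macro policy above has actually been applied, as an added example (not from the advisory). It reads the registry values that the Office Group Policy templates write and assumes Office 2016/2019/365, whose policy keys sit under the "16.0" version key.

```powershell
# Added example: report the effective Office macro policy for Word, Excel and PowerPoint.
function Get-OfficeMacroPolicy {
    param([string]$OfficeVersion = '16.0')   # assumption: Office 2016/2019/365

    # Meaning of the VBAWarnings policy value ("VBA Macro Notification Settings")
    $vbaMeaning = @{
        1 = 'Enable all macros (dangerous)'
        2 = 'Disable with notification (user can click Enable Content)'
        3 = 'Disable all except digitally signed macros'
        4 = 'Disable all without notification'
    }

    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        # Group Policy-managed settings land under HKCU\Software\Policies, which users cannot edit
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        $vba   = $props.VBAWarnings
        $block = $props.blockcontentexecutionfrominternet   # 1 = block macros in files marked as from the Internet

        [pscustomobject]@{
            Application         = $app
            PolicyPresent       = [bool]$props
            MacroSetting        = if ($vba) { $vbaMeaning[[int]$vba] } else { 'Not set by policy (user-controlled)' }
            BlockInternetMacros = ($block -eq 1)
            # Hardened as the advisory recommends: Internet macros blocked and unsigned macros disabled
            Hardened            = ($block -eq 1) -and ($vba -in 3, 4)
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Any row with Hardened set to False means the Group Policy Object has not reached that user or application and the document-from-the-Internet protection is not in force.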
If PowerShell is not needed, prevent its execution on systems after performing appropriate testing to assess the impact on the environment. This may not always be possible, since PowerShell is a legitimate tool with administrative functions. In those cases, restrict PowerShell through its execution policy to administrators and to signed scripts only. Note that, depending on environmental configurations, there may be ways to bypass the execution policy. Lastly, to prevent the use of PowerShell for remote execution, disable, or at the very least restrict, the Windows Remote Management service.
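An added example (not from the advisory) that audits the two controls just described, execution policy and the Windows Remote Management service, and then shows the remediation commands. It assumes an elevated session on Windows PowerShell 5.1.

```powershell
# Added example: audit how PowerShell is restricted on this host.
function Get-PowerShellRestrictionState {
    # Execution policy per scope; the most specific scope that is not Undefined wins.
    $policies  = Get-ExecutionPolicy -List
    $effective = Get-ExecutionPolicy

    # Windows Remote Management service and whether any remoting listener is configured
    $winrm     = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $listeners = @()
    if ($winrm -and $winrm.Status -eq 'Running') {
        $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
    }

    [pscustomobject]@{
        EffectivePolicy   = $effective
        MachinePolicy     = ($policies | Where-Object Scope -eq 'MachinePolicy').ExecutionPolicy
        LocalMachine      = ($policies | Where-Object Scope -eq 'LocalMachine').ExecutionPolicy
        # AllSigned is what "signed scripts only" maps to. As the advisory notes, execution
        # policy can be bypassed in some configurations, so treat it as a guardrail, not a boundary.
        SignedScriptsOnly = ($effective -eq 'AllSigned')
        WinRMStatus       = if ($winrm) { $winrm.Status } else { 'Not installed' }
        WinRMStartup      = if ($winrm) { $winrm.StartType } else { 'n/a' }
        RemoteListeners   = $listeners.Count
    }
}

Get-PowerShellRestrictionState | Format-List

# Remediation (after testing): require signed scripts machine-wide and stop remote execution.
# Prefer setting the policy via Group Policy ("Turn on Script Execution") so users cannot override it.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
Disable-PSRemoting -Force                    # removes the remoting session configurations
Stop-Service -Name WinRM
Set-Service -Name WinRM -StartupType Disabled
```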
Use Group Policy to set a Windows Firewall rule that restricts inbound SMB communication between client systems. If using an alternative host-based intrusion prevention system (HIPS), consider implementing custom modifications to control client-to-client SMB communication. At a minimum, SLTT governments should create a Group Policy Object that restricts inbound SMB connections to clients that originate from other clients.
Disable SMBv1 on all systems and use SMBv2 or SMBv3, after appropriate testing. If unable to disable SMBv1, patch devices with the security update for Microsoft Windows SMBv1. The Microsoft Security Bulletin titled MS17-010 includes the list of affected Windows OS versions. If unsure whether your version of Windows is vulnerable, use Eset’s tool to check. Note that when patches are released, they should be implemented after appropriate testing. Additionally, apply the Principle of Least Privilege to all systems and services and run all software as a non-privileged user (one without administrative privileges). Lastly, use the recommendations listed above under SMB to mitigate exposure across all SMB versions. The EternalBlue exploit should not be affecting anyone in the SLTT community, because it can be addressed with a simple patch or upgrade. MS-ISAC recommends that SLTT governments patch their systems after appropriate testing.
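The two SMB recommendations (the client-to-client firewall rule and disabling SMBv1) applied to a single client, as an added example that is not the advisory's own code. It assumes Windows 8/Server 2012 or later (for the Smb* and NetFirewall cmdlets), an elevated session, and a placeholder client subnet of 10.10.0.0/16 in which no file servers live; test before pushing the equivalent via a Group Policy Object.

```powershell
# Added example: audit, then apply, the SMB hardening the advisory describes.
function Get-SmbHardeningState {
    $srv     = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $rule    = Get-NetFirewallRule -DisplayName 'Block inbound SMB from client subnet' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SMB1ServerEnabled    = $srv.EnableSMB1Protocol           # exposure to the MS17-010 / EternalBlue bug
        SMB1FeatureInstalled = ($feature.State -eq 'Enabled')    # component still present even if protocol is off
        ClientSmbBlockRule   = ($null -ne $rule -and [string]$rule.Enabled -eq 'True')
    }
}

Get-SmbHardeningState | Format-List

# 1. Block SMB (TCP 445 and legacy NetBIOS session 139) arriving from other clients on the
#    client subnet. File servers sit outside that range, so normal share access is unaffected.
New-NetFirewallRule -DisplayName 'Block inbound SMB from client subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 445, 139 `
    -RemoteAddress '10.10.0.0/16' -Action Block -Profile Domain, Private   # placeholder subnet

# 2. Turn off SMBv1 on the server side, then remove the SMB1 component entirely.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

Get-SmbHardeningState | Format-List   # re-check: SMB1 off, block rule present
```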