
To help the cybersecurity community defend its systems from COVID-19-themed threats, Nozomi Networks Labs is conducting threat intelligence research into the evolving situation. For example, we’ve been monitoring a prolific threat actor, very active in Asia, who has recently adapted malware delivery vectors to leverage the COVID-19 pandemic.

Both the initial exploit and the persistence techniques used by this actor, as well as its goals, are very well understood and discussed within the security community. Our new contribution examines how network traffic analysis leads to the detection of compromise by this specific threat actor.

Let’s look at how the Chinoxy Backdoor malware family works and what tools can be used to detect it.

A prolific threat actor, active in Asia, sends documents to people in Kyrgyzstan about how the United Nations is helping to fight COVID-19. Nozomi Networks Labs examined how network traffic analysis can detect this specific threat.

How the Chinoxy Backdoor Malware Exploits COVID-19 to Entrap Victims

The delivery vectors of this new version of the malware family typically take the form of an RTF document exploiting CVE-2017-11882, where the content of the document contains a message specifically crafted to trap intended victims. In this case, the authors focus on exploiting assistance the United Nations is providing to Kyrgyzstan to fight COVID-19.

Once a victim opens the document and the exploit runs successfully, three main artifacts are dropped onto the target machine:

  • A persistence mechanism, in this case a lnk file pointing to an executable, that runs when the user logs in
  • A clean executable, with a valid digital signature, pointed to by the lnk file
  • A DLL containing the implant, which gets sideloaded by the clean executable

The threat actor infects systems by getting people to click on an RTF file which claims to be about how the United Nations is helping Kyrgyzstan fight COVID-19.

Cyber Threat Analysis: Port 443 Is Used to Communicate with C&C Server

Based on the internal state of the DLL, different HTTP headers can be used to communicate back to the Command and Control server (C&C).

A screenshot of the disassembly shows how the HTTP request line is populated at runtime. It uses data fetched from the target machine, such as the system time, thread id and process id.


Infected machines send cleartext HTTP traffic, with destination port 443, to communicate with the C&C server.

Nozomi Networks Labs has developed a SNORT rule, which can be used by everyone in the community, to detect infections. It generates alerts when POST requests, using the request format required by the malware, are seen in network traffic.

# Created by Nozomi Networks Labs

alert tcp any any -> any 443 (msg:"Chinoxy C&C POST Beacon"; flow:established,to_server; content:"POST"; pcre:"/\/[A-F0-9]{16}\/\d{4}\/\d{1,2}\/\d{1,2}\/\d{1,2}\/\d{1,2}\/\d{1,2}\/[A-F0-9]{16} HTTP\/1\.1/"; content:"User-Agent: Mozilla/5.0"; sid:9000071; priority:9; metadata:created_at 2020_04_14;)

The SNORT rule is available from our COVID-19 Cybersecurity and GitHub webpages. Updates will be posted as available.
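As an added illustration, not code from the page or from Nozomi Networks, the Python below applies the same conditions the SNORT rule encodes (destination port 443, a POST request, the hex-id/timestamp/hex-id path shape and the Mozilla/5.0 User-Agent) to a few constructed TCP payloads, and pulls out the victim-side timestamp and identifiers the beacon carries. The sample requests and the 203.0.113.10 address are constructed, not observed traffic.

```python
import re

# Same shape as the SNORT rule's pcre: /<16 hex>/YYYY/M/D/h/m/s/<16 hex>
BEACON_PATH_RE = re.compile(
    r"^/(?P<id1>[A-F0-9]{16})/(?P<year>\d{4})/(?P<month>\d{1,2})/(?P<day>\d{1,2})/"
    r"(?P<hour>\d{1,2})/(?P<minute>\d{1,2})/(?P<second>\d{1,2})/(?P<id2>[A-F0-9]{16})$"
)

def parse_request(payload: bytes):
    """Split a cleartext HTTP request into (method, path, version, headers); None if not HTTP text."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None  # TLS or other binary traffic on 443 is not the cleartext beacon
    lines = text.partition("\r\n\r\n")[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers

def match_beacon(dst_port: int, payload: bytes):
    """Apply the rule's conditions: dst port 443, POST, beacon-shaped path, Mozilla/5.0 User-Agent."""
    req = parse_request(payload)
    if req is None:
        return None
    method, path, version, headers = req
    # The rule is pinned to port 443, so the same beacon sent to another port is not alerted on.
    if dst_port != 443 or method != "POST" or version != "HTTP/1.1":
        return None
    if not headers.get("user-agent", "").startswith("Mozilla/5.0"):
        return None
    m = BEACON_PATH_RE.match(path)
    if not m:
        return None
    return {"ids": (m["id1"], m["id2"]),
            "victim_time": "{year}-{month}-{day} {hour}:{minute}:{second}".format(**m.groupdict())}

# Constructed sample payloads (not captured from a real infection): (destination port, TCP payload).
SAMPLES = [
    (443, b"POST /0123456789ABCDEF/2020/4/14/9/5/30/FEDCBA9876543210 HTTP/1.1\r\n"
          b"Host: 203.0.113.10\r\nUser-Agent: Mozilla/5.0\r\nContent-Length: 0\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello: ordinary HTTPS
    (80, b"POST /0123456789ABCDEF/2020/4/14/9/5/30/FEDCBA9876543210 HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    (443, b"GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
]
```

Only the first sample satisfies every condition; the third shows that the rule as written would not fire on the identical beacon sent to port 80.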

OT and IoT Security Requires Real-time Network Monitoring

Threat actors are constantly evolving their tools, tactics and procedures. Nonetheless, when they exfiltrate data over the network, they always leave a trail.

A clear understanding of the activity that takes place in your OT/IoT networks, and the ability to act upon such information, is key to a successful cybersecurity strategy.
