To help the cybersecurity community defend its systems from COVID-19-themed threats, Nozomi Networks Labs is conducting threat intelligence research into the evolving situation. For example, we’ve been monitoring a prolific threat actor, very active in Asia, who has recently adapted malware delivery vectors to leverage the COVID-19 pandemic.
Both the initial exploit and the persistence techniques used by this actor, as well as its goals, are very well understood and discussed within the security community. Our new contribution examines how network traffic analysis leads to the detection of compromise by this specific threat actor.
Let’s look at how the Chinoxy Backdoor malware family works and what tools can be used to detect it.

How the Chinoxy Backdoor Malware Exploits COVID-19 to Entrap Victims
The delivery vector of this new version of the malware family is typically an RTF document exploiting CVE-2017-11882, a memory corruption vulnerability in the Microsoft Office Equation Editor that still reliably executes code on unpatched Office installations. The document's visible content is a message crafted to trap the intended victims: in this case the lure is built around the assistance the United Nations is providing to Kyrgyzstan to fight COVID-19.
Once a victim opens the document and the exploit runs successfully, three main artifacts are dropped onto the target machine:
- A persistence mechanism, in this case a .lnk shortcut pointing to an executable, that runs when the user logs in
- A clean, benign executable carrying a valid digital signature, which is the target of the .lnk shortcut
- A DLL containing the implant, which the clean executable sideloads: the executable loads a DLL by name from its own directory, so the attacker's DLL runs inside a trusted, signed process (MITRE ATT&CK T1073, DLL Side-Loading)

Cyber Threat Analysis: Port 443 Is Used to Communicate with C&C Server
Depending on the internal state of the DLL, the implant uses different HTTP headers when it calls back to the command and control (C&C) server.
A disassembly screenshot (not reproduced here) shows how the HTTP request line is built at runtime from values read on the target machine, such as the system time, the thread ID and the process ID.

Infected machines communicate with the C&C server using cleartext HTTP with destination port 443, the port normally reserved for TLS. Unencrypted HTTP on port 443 is itself a protocol anomaly that protocol-aware network monitoring can flag, independently of any signature for this particular family.
Nozomi Networks Labs has developed a SNORT rule, which anyone in the community can use, to detect infections. It alerts on POST requests to port 443 whose request line follows the path format the implant generates (two 16-character uppercase hexadecimal identifiers around a date and time split into year, month, day, hour, minute and second) and that carry the User-Agent string "Mozilla/5.0".
# Created by Nozomi Networks Labs
alert tcp any any -> any 443 (msg:"Chinoxy C&C POST Beacon"; flow:established,to_server; content:"POST"; pcre:"/\/[A-F0-9]{16}\/\d{4}\/\d{1,2}\/\d{1,2}\/\d{1,2}\/\d{1,2}\/\d{1,2}\/[A-F0-9]{16} HTTP\/1\.1/"; content:"User-Agent: Mozilla/5.0"; sid:9000071; priority:9; metadata:created_at 2020_04_14;)
The SNORT rule is available from our COVID-19 Cybersecurity and GitHub webpages. Updates will be posted as available.
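To show what the rule's conditions actually match, here is an added example, written for this page and not Nozomi Networks' or the implant's own code, that re-implements the rule's matching logic in Python and runs it over a few constructed TCP payloads. The IP addresses, hexadecimal identifiers and timestamps in the sample flows are made up. The example goes one step beyond the rule: it also raises a broader alert for any cleartext HTTP request sent to TCP port 443, which the rule itself does not do.

```python
"""Python re-implementation of the matching logic of the Chinoxy Snort rule,
run over constructed sample payloads (not real captures)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Same expression as the pcre option of the Snort rule, with capture groups
# added so the extracted fields can be reported. Snort's pcre is case-sensitive
# unless /i is given, so lowercase hex in the path does not match; mirrored here.
BEACON_RE = re.compile(
    r"/([A-F0-9]{16})/(\d{4})/(\d{1,2})/(\d{1,2})/(\d{1,2})/(\d{1,2})/(\d{1,2})"
    r"/([A-F0-9]{16}) HTTP/1\.1"
)
USER_AGENT = "User-Agent: Mozilla/5.0"  # the rule's second content match
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    to_server: bool   # stands in for the rule's flow:established,to_server
    payload: bytes


def is_cleartext_http(payload: bytes) -> bool:
    """True if the payload opens with an HTTP request line. A TLS record would
    instead start with a content-type byte (0x14-0x17) followed by 0x03."""
    return payload.startswith(HTTP_METHODS)


def match_beacon(flow: Flow) -> Optional[dict]:
    """Apply the rule's conditions: dst port 443, client-to-server direction,
    'POST' present, request line matches the beacon path, User-Agent present."""
    if flow.dport != 443 or not flow.to_server:
        return None
    text = flow.payload.decode("latin-1")  # lossless bytes -> str for the regex
    if "POST" not in text or USER_AGENT not in text:
        return None
    m = BEACON_RE.search(text)
    if not m:
        return None
    id1, y, mo, d, h, mi, s, id2 = m.groups()
    return {
        "src": flow.src, "dst": flow.dst, "id1": id1, "id2": id2,
        "host_time": f"{y}-{int(mo):02d}-{int(d):02d} "
                     f"{int(h):02d}:{int(mi):02d}:{int(s):02d}",
    }


def scan(flows: List[Flow]) -> List[Tuple[str, str, str, Optional[dict]]]:
    """Return (alert name, src, dst, details) for each flow that triggers."""
    alerts = []
    for f in flows:
        beacon = match_beacon(f)
        if beacon:
            alerts.append(("Chinoxy C&C POST Beacon", f.src, f.dst, beacon))
        elif f.dport == 443 and f.to_server and is_cleartext_http(f.payload):
            # Broader check than the rule: plain HTTP where TLS is expected.
            alerts.append(("Cleartext HTTP on tcp/443", f.src, f.dst, None))
    return alerts


# Constructed sample flows (TEST-NET addresses, made-up identifiers).
SAMPLE_FLOWS = [
    # 1: beacon in the format the rule describes -> rule fires
    Flow("192.0.2.15", "203.0.113.10", 443, True,
         b"POST /0123456789ABCDEF/2020/4/14/9/5/33/FEDCBA9876543210 HTTP/1.1\r\n"
         b"Host: 203.0.113.10\r\nUser-Agent: Mozilla/5.0\r\nContent-Length: 0\r\n\r\n"),
    # 2: TLS ClientHello on 443 (record header 0x16 0x03 0x01) -> no alert
    Flow("192.0.2.16", "198.51.100.7", 443, True,
         b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32),
    # 3: cleartext GET on 443 -> not this implant, but a protocol anomaly
    Flow("192.0.2.17", "203.0.113.10", 443, True,
         b"GET /index.html HTTP/1.1\r\nHost: 203.0.113.10\r\nUser-Agent: curl/7.68.0\r\n\r\n"),
    # 4: same path shape with lowercase hex -> rule does not fire, anomaly check does
    Flow("192.0.2.18", "203.0.113.10", 443, True,
         b"POST /0123456789abcdef/2020/4/14/9/5/33/fedcba9876543210 HTTP/1.1\r\n"
         b"Host: 203.0.113.10\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    # 5: beacon shape on port 80 -> outside the rule's port, no alert at all
    Flow("192.0.2.19", "203.0.113.10", 80, True,
         b"POST /0123456789ABCDEF/2020/4/14/9/5/33/FEDCBA9876543210 HTTP/1.1\r\n"
         b"Host: 203.0.113.10\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

Flows 4 and 5 are the ones to think about when tuning: the rule is deliberately narrow (uppercase hex, port 443 only), so a variant that changes case or port slips past it, while the cleartext-on-443 check still catches flow 4. Running the rule alongside a protocol-mismatch check gives both precision and coverage.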
OT and IoT Security Requires Real-time Network Monitoring
Threat actors constantly evolve their tools, tactics and procedures. Nonetheless, whenever they call back to a C&C server or exfiltrate data over the network, they leave a trail.
A clear understanding of the activity that takes place in your OT/IoT networks, and the ability to act upon such information, is key to a successful cybersecurity strategy.
References
- https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
- https://attack.mitre.org/techniques/T1073/
- https://attack.mitre.org/techniques/T1071/
Related Links:
Nozomi Networks COVID-19 Security Threat Intel and Community Tools
- Webpage: COVID-19 Malware: Community Support
- GitHub: Snort Rule for Detecting Chinoxy Backdoor Malware Infections
- GitHub: COVID-19-Themed Network Indicators
- GitHub: Yara rules for detecting coronavirus ransomware
- GitHub: Yara rules for detecting COVID-19 Informer malware
- Podcast: The Emerging Threat Intel Landscape: How Hackers Are Using COVID-19
- Podcast: Remote Access Monitoring: What to Watch Out for During the COVID-19 Pandemic
- Blog: OT/IoT Security Superheroes: Tackling the Remote Access Employee Challenge
- Blog: COVID-19 (coronavirus) Malware: New OT and IoT Security Tools