إقتباس :Retefe Banking Malware Starts Leveraging EternalBlue

إقتباس :

28 de septiembre de 2017
A recent upgrade in the propagation capabilities of the Retefe banking Trojan (detected by Trend Micro as TROJ_RETEFE.ASUAN), as well as a few other developments in the banking malware landscape this month, shows how malware developers are ramping up their operations.

A recent report details how the developers behind Retefe added a new functionality to the malware that leverages EternalBlue (addressed by MS17-010), an infamous exploit connected to WannaCry and Petya ransomware attacks. Retefe is not the first banking Trojan to upgrade its propagation techniques—TrickBot and Emotet also took inspiration from the WannaCry and Petya outbreaks.

Security researchers noted that this new spate of Retefe campaigns has been spreading across different regions over the past few months. Typically this malware targets users in Austria, Sweden, Switzerland, Japan and recently the United Kingdom. The malware is distributed by malicious emails with “.lnk” shortcuts. If the attachment is opened and permission is given, a PowerShell command is triggered to download a self-extracting archive hosted on a remote server. Within the archive is an obfuscated JavaScript installer that implements the EternalBlue exploit, Eternal Blue then downloads a PowerShell script which installs Retefe. Most other banking Trojans use fake login pages on top of legitimate sites to steal credentials, but Retefe works by modifying the computer’s proxy settings and redirecting traffic to malicious sites hosted on remote servers.

Reports note that on September 20, the implementation of EternalBlue was modified and the module responsible for lateral spreading was removed, “thus avoiding an infinite spreading loop”.

This month’s banking malware landscape

Early this month, a new banking Trojan called Red Alert 2.0 was also ramping up operations and spreading through third-party app stores. This particular malware targets banking and social apps. Once installed, it uses an overlay to steal user credentials that it passes to a remote server. Red Alert 2.0 also blocks incoming calls from banks, presumably to block verification attempts and notifications.

This month also saw the BankBot malware updated. This malware is quite similar to Red Alert: it uses fake overlay screens to steal user credentials and is also capable of hijacking and intercepting SMS messages. Another consequence is that the malware can bypass SMS-based 2-factor authentication. The newer BankBot targets legitimate apps from banks based in 27 different countries, and ten United Arab Emirates (UAE) banking apps were added to their list.

Cybercriminals are constantly developing and adding functionality to their malware, and users should be equally vigilant. EternalBlue is a known exploit, and a patch has been available since March 2017. Users can stay protected by keeping their operating systems updated and using multilayered solutions.

Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security can prevent malware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high fidelity machine learning, web reputation services, behavior monitoring, and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Endpoint Sensor will also be effective in monitoring processes or events that trigger malicious activity.

Trend Micro™ Deep Discovery™ Inspector can detect connections to malicious C&C and help quickly identify the impacted machines on networks, while Trend Micro™ Deep Security™ can stop MS17-010 exploits from the network through its IPS technology.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.

All solutions are powered by XGen™ endpoint security, which infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.

Publicado en Cybercrime & Digital Threats, Trojan

إقتباس :

trendmicro.com/vinfo/es/security/news/cybercrime-and-digital-threats/retefe-banking-malware-starts-leveraging-eternalblue

إقتباس :

malshare.com/sample.php?action=detail&hash=9b8771374f02f0357e23b312b6793a86 

https://www.virustotal.com/gui/file/168e625c7eb51720f5ce1922aec6ad316b3aaca838bd864ee2bcdbd9b66171d0

https://virusshare.com/

https://bluesoul.me/files/PMAStarterKit.zip

• MD5DEEP 4.4 and related tools (sha1deep, hashdeep, whirlpooldeep, etc) and 64-bit equivalents.
  
• WinMD5Free v1.20
  
• PEiD v0.95 with KANAL plugin
  
• Strings v2.52
  
• upx 3.91
  
• PEview v0.9.9
  
• Resource Hacker v4.2.5
  
• PEBrowse Professional v10.1.4
  
• PEBrowse64 Professional v6.3.1
  
• PE Explorer 1.99 R6 (Trial)
  
• Process Monitor (procmon) v3.2
  
• Process Explorer (procexp) v16.10
  
• Regshot v1.9.0
  
• ApateDNS v1.0
  
• Netcat (nc) 1.11 and 64-bit build
  
• Wireshark v2.0.3
  
• FakeNet 1.0c (INetSim alternative for Windows)
  
• Combined Volume Set of Intel® 64 and IA-32 Architectures Software Developer’s Manuals
  
• IDA Pro Free v5.0 with FindCrypt plugin, IDA Entropy Plugin
  
• Autoruns v13.51 and autorunsc
  
• OllyDbg v1.10 and v2.01d
  
• OllyDump Plugin
  
• WinDbg x86 and x64 v6.11.1.404
  
• Immunity Debugger (ImmDbg) v1.85
  
• SoftICE 4.05 for w98 and NT/XP (SEE FOOTER)
  
• SoftIceNT 4.2.7 (from 2.7 Driver Studio build) for XP (SEE FOOTER)
  
• OSR Driver Loader v3.0
  
• Poison Ivy RAT 2.3.2 (Password is “malware” with no quotes, if the exe is eaten by your AV)
  
• pwdump6 (as PwDump.exe)
  
• pwdump7
  
• Pass-The-Hash Toolkit v1.4
  
• Metasploit Framework v4.11.7
  
• PyCrypto (Requires Python 2.7)
  
• Snort 2.9.8.2
  
• ScoopyNG v1.0
  
• Mandiant Red Curtain 1.0
  
• ASPack 2.39 (Trial)
  
• PETite v2.4
  
• WinUPack v0.39 Final
  
• Themida 2.4.1.0 (Trial)
  
• shellcode_launcher.exe (Gone from practicalmalwareanalysis.com)
  
• Bochs 2.6.8
  
• Burp Suite 1.7.03
  
• CaptureBAT 2.0.0–5574
  
• Cuckoo 2.0-RC1 (Requires Python)
  
• CFF Explorer (As Explorer Suite 4)
  
• WinHex 18.8.0.0
  
• Import REConstructor (ImpREC) 1.7e
  
• LordPE 1.41 Deluxe
  
• Malcode Analyst Pack
  
• Memoryze 3.0
  
• OfficeMalScanner 0.5
  
• Zynamics BinDiff 4.20 (Key provided by Zynamics)
  
• pdfid.py and pdf-parser.py (Requires Python, obviously)
  
• Sandboxie v5.10
  
• Buster Sandbox Analyzer v1.88 Update 4
  
• TCPView v3.05
  
• The Sleuth Kit 4.2.0 for Windows
  
• VERA v0.3
  
• Volatility 2.5
  
• Yara v1.7.1 x86 and x64
  

https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901

• Set up a safe virtual environment to analyze malware
  
• Quickly extract network signatures and host-based indicators
  
• Use key analysis tools like IDA Pro, OllyDbg, and WinDbg
  
• Overcome malware tricks like obfuscation, anti-disassembly, anti-debugging, and anti-virtual machine techniques
  
• Use your newfound knowledge of Windows internals for malware analysis
  
• Develop a methodology for unpacking malware and get practical experience with five of the most popular packers
  
• Analyze special cases of malware with shellcode, C++, and 64-bit code
  

https://www.youtube.com/watch?v=di0XwRV3rik

https://t.me/at4redotnet/2485

• State-of-the-art suite of tools for malware triage and file analysis.
  
• Analysis for many file formats including PE, Mach-O, ELF, Java, SWF, DEX, PDF, DOC, XLS, RTF, Zip and many more.
  
• Carbon Interactive Disassembler, byte-code disassemblers (.NET MSIL, Java, DEX, ActionScript2/3, VBA, fonts)
  
• Hex editor with layouts
  
• JavaScript debugger
  
• extremely rich Python3 SDK
  
• extension support
  

https://cerbero.io/ea/

https://gofile.io/d/40MlnJ