At a glance.
- NSA and FBI issue a joint report on GRU malware.
- MacOS malware spreading via compromised Xcode projects.
- ReVoLTE can lead to eavesdropping on encrypted 4G calls.
- Researchers distributed Emotet kill-switch.
NSA and FBI issue a joint report on GRU malware.
The US National Security Agency and the Federal Bureau of Investigation on Thursday issued a detailed joint advisory on a previously undisclosed Linux malware toolset dubbed "Drovorub," which the report attributes to the Russian GRU's 85th Main Special Service Center (GTsSS), military unit 26165 (more commonly tracked as APT28 or Fancy Bear). Drovorub consists of "an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server." The implant can download and upload files, execute arbitrary commands as root, and forward ports to other hosts on the network, while the kernel module hides the implant's files, processes, and network connections from ordinary user-space tools. The report offers a comprehensive technical analysis of each component of the toolset, and it is detailed enough to suggest that the US has extensive visibility into GRU operations.
The report also describes mitigations against the malware's persistence and stealth mechanisms. Because the rootkit is delivered as an unsigned kernel module, administrators are urged to update to Linux kernel 3.7 or later, the first release with kernel module signature verification, and to configure their systems "to load only modules with a valid digital signature," which the report recommends achieving by enabling UEFI Secure Boot.
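The checks above, as an added audit script that is not part of the NSA/FBI advisory: it reads the kernel release, the module-signature enforcement switch and the UEFI SecureBoot variable through their standard Linux interfaces and reports whether an unsigned kernel module such as Drovorub's rootkit would be refused. The thresholds follow the advisory; the file paths are the standard ones, and the pure functions take their inputs as arguments so they can be exercised offline with constructed values.

```python
"""Audit the hardening points the Drovorub advisory recommends: a kernel of
3.7 or later (module signature verification) with signed-module enforcement
turned on, plus UEFI Secure Boot state for context.
Added illustration; the thresholds come from the advisory, the file paths
are standard Linux interfaces, and audit() reads them only when present so
the pure functions also work on a non-Linux host."""
import re
from pathlib import Path
from typing import Optional

KERNEL_MIN = (3, 7)  # advisory: module signing enforcement needs 3.7+
OSRELEASE = Path("/proc/sys/kernel/osrelease")
# Present only on kernels built with CONFIG_MODULE_SIG; reads 'Y' when enforcing.
SIG_ENFORCE = Path("/sys/module/module/parameters/sig_enforce")
# efivarfs exposes the global SecureBoot variable under this fixed GUID.
SECUREBOOT_VAR = Path("/sys/firmware/efi/efivars/"
                      "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")


def parse_kernel_version(release: str) -> tuple:
    """'5.4.0-42-generic' -> (5, 4, 0); raises on unparsable input."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x or 0) for x in m.groups())


def kernel_supports_module_signing(release: str) -> bool:
    return parse_kernel_version(release)[:2] >= KERNEL_MIN


def sig_enforce_enabled(sysfs_value: str) -> bool:
    """module.sig_enforce reads 'Y' when the kernel refuses unsigned modules."""
    return sysfs_value.strip().upper() == "Y"


def secure_boot_enabled(efivar: bytes) -> bool:
    """efivarfs data is 4 bytes of attributes followed by the variable payload;
    SecureBoot's payload is a single byte, 1 when enforcing."""
    return len(efivar) >= 5 and efivar[4] == 1


def evaluate(release: str, sig_enforce: str, efivar: Optional[bytes]) -> dict:
    """Combine raw readings into findings. Secure Boot is reported for context;
    the verdict rests on the kernel actually enforcing module signatures, since
    that is what stops an unsigned rootkit module from loading."""
    findings = {
        "kernel_ok": kernel_supports_module_signing(release),
        "sig_enforce": sig_enforce_enabled(sig_enforce),
        "secure_boot": efivar is not None and secure_boot_enabled(efivar),
    }
    findings["unsigned_module_blocked"] = findings["kernel_ok"] and findings["sig_enforce"]
    return findings


def audit() -> Optional[dict]:
    """Read the live values on a Linux host; None elsewhere."""
    if not OSRELEASE.exists():
        return None
    sig = SIG_ENFORCE.read_text() if SIG_ENFORCE.exists() else "N"
    try:
        efivar = SECUREBOOT_VAR.read_bytes()
    except OSError:  # no EFI, or efivarfs not readable without root
        efivar = None
    return evaluate(OSRELEASE.read_text(), sig, efivar)


if __name__ == "__main__":
    print(audit() or "not a Linux host; nothing to audit")
```

A missing `sig_enforce` parameter means the kernel was built without module signing support at all, so the script treats it as not enforcing; reading the efivars entry usually needs root, in which case Secure Boot is reported as unknown rather than failing the audit.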
Interestingly, the report says "Drovorub," which translates to "woodcutter," is the name the GRU operators themselves assigned to the malware. Dmitri Alperovitch pointed out that "'Drova' is slang in Russian for 'drivers', as in kernel drivers. So the name likely was chosen to mean '(security) driver slayer.'"
Many observers expressed surprise and appreciation at the high level of detail in an NSA publication. The report states, "The release of this advisory furthers NSA’s cybersecurity missions, including its responsibilities to identify and disseminate threats to National Security Systems, Department of Defense information systems, and the Defense Industrial Base, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders."
MacOS malware spreading via compromised Xcode projects.
Researchers at Trend Micro have described an "unusual" infection chain for the XCSSET macOS malware that abuses Xcode, Apple's free integrated development environment (IDE). On an infected developer machine the malware copies itself into a hidden folder inside Xcode projects, so that any app built from those projects carries the malware. (The researchers have not yet determined how the malware first lands on a developer's system in order to inject itself into projects.) When users run a compromised app, the XCSSET information-stealing malware is dropped onto their systems.
XCSSET steals data from a range of apps, takes screenshots, and can act as ransomware by encrypting files. It also uses two zero-day exploits: one affecting the release version of Safari, used to read and dump Safari's cookies, and one in Safari's development version, which can be exploited to inject JavaScript into websites in a universal cross-site scripting (UXSS) attack that is "theoretically capable of modifying almost every part of the user’s browser experience as arbitrary JavaScript-injected code."
Trend Micro notes that some infected projects have already appeared in open-source repositories on GitHub, opening the door to supply-chain attacks. The researchers conclude, "The method of distribution used can only be described as clever. Affected developers will unwittingly distribute the malicious trojan to their users in the form of the compromised Xcode projects, and methods to verify the distributed file (such as checking hashes) would not help as the developers would be unaware that they are distributing malicious files." They add that "Project owners should continue to triple-check the integrity of their projects in order to definitely nip unwarranted problems such as a malware infection in the future."
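One way a project owner can act on that advice, as an added example that is not Trend Micro's tooling and not XCSSET's actual injection code (the page does not detail the mechanism beyond a hidden folder): walk the project tree for dot-files and dot-directories that are not expected, and pull every run-script build phase out of `project.pbxproj`, since that is where a project can be made to execute arbitrary commands at build time. The allowlist, the suspicion heuristics and the sample pbxproj fragment are constructed for the illustration; they are not signatures.

```python
"""Review an Xcode project tree for the two things a project owner would want
to inspect in light of the XCSSET report: hidden entries that a build would
pick up, and run-script build phases in project.pbxproj.
Added illustration, not Trend Micro's tooling; XCSSET's exact injection
mechanism is not detailed here, so the heuristics, the allowlist and the
sample pbxproj fragment are constructed."""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Hidden entries that are normal in a source tree (assumption: tune per project).
HIDDEN_ALLOWLIST = {".git", ".gitignore", ".gitattributes", ".swiftlint.yml"}

# pbxproj string values are double-quoted with backslash escapes.
_SHELL_RE = re.compile(r'shellScript\s*=\s*"((?:\\.|[^"\\])*)"', re.S)
_NAME_RE = re.compile(r'\bname\s*=\s*"?([^";]+)"?;')

# Heuristics for a script that deserves a second look (constructed, not a signature).
SUSPICIOUS = (
    (r"/\.(?!\.)[^/\s\"']+", "references a hidden path"),
    (r"\b(curl|wget)\b", "fetches from the network"),
    (r"\bbase64\b.*-[dD]\b", "decodes base64"),
    (r"\b(eval|osascript)\b", "evaluates dynamic code"),
)


def hidden_entries(project_root: Path, allow=HIDDEN_ALLOWLIST) -> List[str]:
    """Relative paths of dot-files and dot-directories not on the allowlist."""
    found = []
    for p in project_root.rglob("*"):
        rel = p.relative_to(project_root)
        if any(part in allow for part in rel.parts):
            continue
        if p.name.startswith("."):
            found.append(rel.as_posix())
    return sorted(found)


def run_script_phases(pbxproj_text: str) -> List[Tuple[str, str]]:
    """(phase name, unescaped script) for every PBXShellScriptBuildPhase object."""
    phases = []
    for chunk in pbxproj_text.split("isa = PBXShellScriptBuildPhase;")[1:]:
        body = chunk.split("isa = ", 1)[0]  # stop at the next object
        name = _NAME_RE.search(body)
        script = _SHELL_RE.search(body)
        text = script.group(1) if script else ""
        text = text.replace('\\"', '"').replace("\\n", "\n")
        phases.append((name.group(1) if name else "<unnamed>", text))
    return phases


def flag_script(script: str) -> List[str]:
    return [reason for pattern, reason in SUSPICIOUS if re.search(pattern, script)]


def review_project(project_root: Path) -> Dict[str, object]:
    """Everything a reviewer should eyeball before trusting a build of this tree."""
    report: Dict[str, object] = {"hidden": hidden_entries(project_root), "phases": []}
    for pbx in project_root.rglob("project.pbxproj"):
        for name, script in run_script_phases(pbx.read_text(errors="replace")):
            report["phases"].append({
                "file": pbx.relative_to(project_root).as_posix(),
                "name": name,
                "script": script,
                "flags": flag_script(script),
            })
    return report


# Constructed pbxproj fragment: one phase running a script out of a hidden
# folder, one ordinary linter phase, one unrelated object.
SAMPLE_PBXPROJ = r'''
		AB12CD34EF56AB12CD34EF56 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Run Script";
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "/bin/sh \"${SRCROOT}/.hidden/setup.sh\"\n";
		};
		1234567890ABCDEF12345678 /* SwiftLint */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = SwiftLint;
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "swiftlint\n";
		};
		0000000000000000000000AA /* Sources */ = {
			isa = PBXSourcesBuildPhase;
		};
'''
```

The point of the flags is triage, not verdicts: a linter phase or a CocoaPods script will trip none of them, while a phase that runs something out of a dot-directory is exactly what a reviewer should open and read before shipping a build.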
ReVoLTE can lead to eavesdropping on encrypted 4G calls.
Researchers from Ruhr University Bochum and New York University Abu Dhabi have demonstrated a flaw in how mobile operators deploy Voice over LTE (VoLTE) that lets an attacker recover the contents of encrypted 4G phone calls. The technique, dubbed "ReVoLTE," is a layer-two attack that exploits keystream reuse: many base stations encrypt two successive calls placed within the same radio connection with the same key and the same cipher inputs, so both calls are XORed with an identical keystream. An attacker within range of the victim's cell records the target call, then phones the victim shortly afterwards so that the second call is carried over the same radio connection. Because the attacker knows what was said on that second call, XORing its ciphertext with its plaintext yields the keystream, which in turn decrypts the recorded call. The attack therefore requires the attacker and the victim to be served by the same cell tower.
The researchers stress that the same flaw can be carried into upcoming 5G networks, so they urge mobile operators to fix it now.
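The keystream-reuse mechanics described above, as an added example that is not the researchers' code. The cipher here is a toy counter-mode construction standing in for LTE's EEA algorithms; like them it derives the keystream from the radio-bearer key together with a bearer identity and a packet counter, so two calls get the same keystream exactly when the base station feeds the cipher the same inputs. The keys and speech samples are constructed, and `simulate()` runs the scenario once against a base station that reuses the inputs and once against one that does not.

```python
"""Keystream reuse as exploited by ReVoLTE, reduced to its essentials.
Added illustration, not the researchers' code. keystream() is a toy
stand-in for LTE's EEA ciphers; what matters is only that equal inputs
reproduce an equal keystream. All keys and speech samples are constructed."""
import hashlib
from typing import Tuple


def keystream(key: bytes, bearer: int, count: int, length: int) -> bytes:
    """Toy stand-in for EEA: SHA-256 over (key, bearer id, count, block index)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + bytes([bearer]) + count.to_bytes(4, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR of the common prefix; zip() truncates to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, bearer: int, count: int, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, bearer, count, len(plaintext)))


def revolte_recover(target_ct: bytes, attacker_ct: bytes, attacker_pt: bytes) -> bytes:
    """The attacker recorded target_ct from the air, then placed its own call to
    the victim over the same radio connection and recorded attacker_ct.
    Knowing what it said (attacker_pt) yields the keystream, which decrypts as
    much of the target call as the attacker's own call covered."""
    recovered_keystream = xor(attacker_ct, attacker_pt)
    return xor(target_ct, recovered_keystream)


def simulate(base_station_reuses_keystream: bool) -> Tuple[bytes, bytes]:
    """Return (real target plaintext, what the attacker recovers)."""
    key = hashlib.sha256(b"constructed radio bearer key").digest()[:16]
    target_pt = b"the merger closes friday, wire the funds to the escrow account"
    attacker_pt = b"hello, this is a wrong number, sorry, have a pleasant day, bye"
    target_ct = encrypt(key, bearer=1, count=0, plaintext=target_pt)
    if base_station_reuses_keystream:
        bearer, count = 1, 0  # flaw: same key, same bearer id, counter reset
    else:
        bearer, count = 2, 0  # fix: distinct cipher inputs (or a fresh key) per call
    attacker_ct = encrypt(key, bearer=bearer, count=count, plaintext=attacker_pt)
    return target_pt, revolte_recover(target_ct, attacker_ct, attacker_pt)


if __name__ == "__main__":
    for reuse in (True, False):
        real, recovered = simulate(reuse)
        print("keystream reused" if reuse else "inputs differ", "->", recovered)
```

Two consequences are visible in the code: the attacker never learns the key itself, only the keystream, and it can decrypt no more of the target call than its own follow-up call lasted, which is why the attack needs the attacker to keep the victim on the line.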
Researchers distributed Emotet kill-switch.
ZDNet reports that researchers at Binary Defense discovered a bug in Emotet in February that let them build what they describe as a combination of kill switch and vaccine for the Trojan. The flaw was introduced by Emotet's own developers on February 6th, in the way the malware used a Windows registry value both for persistence and for various checks during execution. Because that value's name was derived from each machine's volume serial number, defenders could predict it, and Binary Defense built and distributed an automated tool that exploited this.
That tool, a short PowerShell script dubbed "EmoCrash," pre-creates a malformed version of the registry value so that when Emotet processes it during installation it triggers a buffer overflow and crashes before the installation completes. The script could be deployed either before Emotet arrived or during its installation to prevent infection. The crash also writes two easily recognizable Windows event log entries, letting defenders identify systems on which Emotet had been neutralized.
Binary Defense worked with the security research non-profit Team Cymru to distribute the tool to national Computer Emergency Response Teams around the world, and the CERTs in turn passed EmoCrash to the private sector through non-public channels. Emotet's developers patched the flaw on August 6th, which is why Binary Defense is disclosing the operation only now.