Week in review - 10 Aug 2018

AusCERT Week in Review for 10th August 2018


As another week comes to a close, here’s a collection of articles for you to enjoy.

Have you ever considered the impact cryptomining has on the environment?

On a side note, AusCERT is hiring!

The position is for a Senior Information Security Analyst. If interested, you can find more details at (https://www.seek.com.au/job/36851253).

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black’ botnet

Date Published: 08/08/2018
Author: Pierluigi Paganini
Excerpt: “In 2015, Europol partnering with several private technology firms announced the takedown of the Ramnit C2 infrastructure.

A few months later Ramnit was back; the researchers at IBM Security discovered a new variant of the popular Ramnit Trojan.

Recently the experts observed that the “Black” botnet campaign has infected up to 100,000 systems in two months, and this is just the tip of the iceberg because according to researchers a second-stage malware called Ngioweb is already spreading.

There is the concrete risk that Ramnit operators are using the two malware to build a large, multi-purpose proxy botnet that could be used for many fraudulent activities (i.e. DDoS attacks, ransomware-based campaigns, cryptocurrency mining campaigns).

“Recently we discovered the Ramnit C&C server (which is not related to the previously most prevalent botnet “demetra”). According to domain names which are resolved to the IP address of this C&C server, it pretends to control even old bots, first seen back in 2015. We named this botnet “Black” due to the RC4 key value, “black”, that is used for traffic encryption in this botnet.” reads the analysis published by Checkpoint security.”

Exploit kits: summer 2018 review
Date Published: 07/08/2018
Author: Jerome Segura

Excerpt: “In addition, we have witnessed many smaller and unsophisticated attackers using one or two exploits bluntly embedded in compromised websites. In this era of widely-shared exploit proof-of-concepts (PoCs), we are starting to see an increase in what we call “pseudo-exploit kits.” These are drive-by downloads that lack proper infrastructure and are typically the work of a lone author.

In this post, we will review the following exploit kits:

GrandSoft EK
Magnitude EK
GreenFlash Sundown EK
KaiXin EK
Underminer EK”

Hacker swipes Snapchat’s source code, publishes it on GitHub
Date Published: 07/08/2018
Author: Matthew Hughes

Excerpt: “The repository has a description of “Source Code for SnapChat,” and is written in Apple’s Objective-C programming language. This strongly suggests that the repo contained part or whole of the company’s iOS application, although there’s no way we can know for certain. It could just as easily be a minor component to the service, or a separate project from the company.

There are two other clues to the identity of the person who published the leaked Snapchat code.

According to the i5xx GitHub account, his name is Khaled Alshehri. This should be taken with a grain of salt, however. For starters, there’s nothing stopping the user from listing a fake name. Furthermore, according to several people TNW has spoken to, the surname “Alshehri” isn’t especially common in Pakistan.

The profile also links to an online business in Saudi Arabia offering a mixed bag of tech services, from security scanning and iCloud removal, to software development and the sale of iTunes gift cards.”

DeepLocker: How AI Can Power a Stealthy New Breed of Malware
Date Published: 08/08/2018
Author: Marc Ph. Stoecklin
Excerpt: “What is unique about DeepLocker is that the use of AI makes the “trigger conditions” to unlock the attack almost impossible to reverse engineer. The malicious payload will only be unlocked if the intended target is reached. It achieves this by using a deep neural network (DNN) AI model.

The AI model is trained to behave normally unless it is presented with a specific input: the trigger conditions identifying specific victims. The neural network produces the “key” needed to unlock the attack.

DeepLocker can leverage several attributes to identify its target, including visual, audio, geolocation and system-level features. As it is virtually impossible to exhaustively enumerate all possible trigger conditions for the AI model, this method would make it extremely challenging for malware analysts to reverse engineer the neural network and recover the mission-critical secrets, including the attack payload and the specifics of the target. When attackers attempt to infiltrate a target with malware, a stealthy, targeted attack needs to conceal two main components: the trigger condition(s) and the attack payload.

DeepLocker is able to leverage the “black-box” nature of the DNN AI model to conceal the trigger condition. A simple “if this, then that” trigger condition is transformed into a deep convolutional network of the AI model that is very hard to decipher. In addition to that, it is able to convert the concealed trigger condition itself into a “password” or “key” that is required to unlock the attack payload.”

ICS Threat Broadens: Nation-State Hackers Are No Longer the Only Game in Town

Date Published: 07/08/2018
Authors: Israel Barak and Ross Rustici
Excerpt: “The honeypot contained bait to entice attackers, including three Internet facing servers (Sharepoint, SQL and domain controller) with remote access services like RDP and SSH and weak passwords. Nothing was done to promote the servers to attackers. However, the servers’ DNS names were registered and the environment’s internal identifiers used a moniker that resembled the name of a major, well-known electricity provider.

Two days after the honeypot was launched, Cybereason determined that a black market seller had discovered it based on a toolset that had been installed in the environment. The tool — xDedic RDP Patch — is commonly found in assets that are being sold in the xDedic black market. It allows a victim and an attacker to use the same credentials to simultaneously log in to a machine using RDP (Remote Desktop Protocol).

The seller also installed backdoors in the honeypot servers by creating additional users, another indicator that the asset was being prepared for sale on xDedic. The backdoors would allow the asset’s new owner to access the honeypot even if the administrator passwords were changed, a scenario that could have otherwise prevented the adversaries from accessing the servers.”

Here are this week’s noteworthy security bulletins:

1) ESB-2018.2271 – [Linux][Debian] linux kernel: Multiple vulnerabilities
A vulnerability in TCP stream reassembly in the Linux kernel, dubbed “SegmentSmack”, was addressed by a number of vendors this week. The vulnerability allows a remote attacker to crash a vulnerable system by sending a stream of crafted TCP/IP packets. Juniper, F5 Networks and Citrix are among the vendors that issued fixes.

2) ESB-2018.2277 – [Win][UNIX/Linux][FreeBSD] tcp: Denial of service – Remote/unauthenticated
Yet another denial of service vulnerability targeting TCP. This vulnerability is centred around an inefficient data structure for holding received TCP segments prior to reassembly. An attacker could cause a denial of service condition by sending a stream of crafted, segmented TCP traffic that leaves a large number of segments awaiting reassembly, leading to CPU resource exhaustion. A patch has been introduced that limits the reassembly queue size per connection.

3) ESB-2018.2279 – [Printer] HP Ink Printers: Multiple vulnerabilities
Owners of HP Ink printers had cause to be concerned over a buffer overflow vulnerability triggered by a crafted file received over the network. If exploited, the buffer overflow could lead to code execution or a denial of service condition. HP has released firmware updates to address the issue.
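To make the mitigation in bulletin 2 concrete, here is a small model of a per-connection TCP reassembly queue. It is an added illustration written for this review, not code from AusCERT, FreeBSD or the Linux kernel, and it deliberately ignores real-world details (sequence-number wraparound, SACK, overlapping-segment trimming). The cap of 100 queued segments is a constructed parameter chosen for the demonstration. The model shows why an unbounded queue grows with every out-of-order segment that arrives while a gap at the head of the stream stays open, how a per-connection cap keeps that growth (and the work done per arriving segment) bounded, and that a late segment filling the gap still drains the queue normally, so legitimate reordering is unaffected.

```python
import bisect
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ReassemblyQueue:
    """Toy per-connection reassembly state (constructed for illustration).

    rcv_nxt       -- next in-order byte the receiver expects
    max_queue_len -- None models an unbounded out-of-order queue;
                     an integer models the patched behaviour that caps it
    queue         -- sorted (seq, length) pairs held until the gap is filled
    """
    rcv_nxt: int = 0
    max_queue_len: Optional[int] = None
    queue: List[Tuple[int, int]] = field(default_factory=list)
    dropped: int = 0
    delivered: int = 0

    def receive(self, seq: int, length: int) -> None:
        """Accept one segment starting at byte offset seq."""
        if seq == self.rcv_nxt:
            # In-order data is delivered immediately; then pull any queued
            # segments that are now contiguous.
            self.rcv_nxt += length
            self.delivered += length
            self._drain()
        elif seq > self.rcv_nxt:
            # Out-of-order data must be held until the gap closes.  With a
            # cap in place, a full queue simply discards the new segment
            # instead of growing without bound.
            if self.max_queue_len is not None and len(self.queue) >= self.max_queue_len:
                self.dropped += 1
                return
            bisect.insort(self.queue, (seq, length))
        # seq < rcv_nxt: stale or duplicate data, nothing to hold.

    def _drain(self) -> None:
        # Deliver queued segments that now start at or before rcv_nxt.
        while self.queue and self.queue[0][0] <= self.rcv_nxt:
            seq, length = self.queue.pop(0)
            end = seq + length
            if end > self.rcv_nxt:
                self.delivered += end - self.rcv_nxt
                self.rcv_nxt = end


def simulate(n_segments: int, max_queue_len: Optional[int]) -> Tuple[int, int]:
    """Feed n_segments one-byte segments that all lie past an unfilled gap at
    byte 0 and return (segments still queued, segments dropped)."""
    q = ReassemblyQueue(max_queue_len=max_queue_len)
    for i in range(n_segments):
        q.receive(1 + i, 1)  # byte 0 never arrives, so nothing is deliverable
    return len(q.queue), q.dropped


def fill_gap_after_cap(max_queue_len: int) -> Tuple[int, int, int]:
    """Show that a capped queue still reassembles once the missing byte shows
    up: returns (delivered bytes, queued segments, rcv_nxt) after the gap
    at byte 0 is finally filled."""
    q = ReassemblyQueue(max_queue_len=max_queue_len)
    for i in range(max_queue_len):
        q.receive(1 + i, 1)
    q.receive(0, 1)  # the late in-order byte closes the gap
    return q.delivered, len(q.queue), q.rcv_nxt


if __name__ == "__main__":
    print("unbounded queue (queued, dropped):", simulate(1000, None))
    print("capped at 100   (queued, dropped):", simulate(1000, 100))
    print("gap filled after cap (delivered, queued, rcv_nxt):", fill_gap_after_cap(100))
```

With an unbounded queue every one of the 1,000 segments is retained, and each later insertion has to search a longer list; with the cap, the queue stops at 100 entries and the remaining 900 are discarded at constant cost, which is the CPU-exhaustion path the bulletin describes being closed off. The final function shows that once the missing byte arrives, the capped queue still delivers all 101 bytes in order.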

Stay safe, stay patched, stay cool and have a good weekend!