New Android crypto-miner uses Android Debugging Tool to spread further (Feb 13, 2018)

The SonicWall Threats Research team received reports of yet another Android crypto-miner spreading in the wild. Reports suggest this malware comes with worm-like propagation capabilities, making it more dangerous than the usual crypto-miners, which are rising in number.

We were able to identify a number of different components belonging to this threat. We will continue to update this post with more information as things become clearer.

Read More…

Fake UPS label creator drops Java-based jRAT Trojan (Feb 09, 2018)

This week, the SonicWall Capture Labs Threat Research Team has seen a Java-based trojan delivered via malware spam. These unsolicited emails closely resemble other malspam campaigns: they are disguised as important messages containing links to download official documents. The sample we analyzed, however, came with a link to download a fake UPS shipping label creator.

Infection cycle:

This trojan may use the following variations of filenames:

  • uspslabel.jar
  • Order_2018.jar
  • contract332178.jar
  • scanned_copy.jar
  • receipt_02092018.jar
  • DHL delivery.jar
  • invoice.jar

Read More…

desuCrypt variant named InsaneCrypt spotted in the wild (Feb 9, 2018)

The SonicWall Capture Labs Threats Research team has come across a variant of the DesuCrypt ransomware called InsaneCrypt. This variant uses RC4 encryption and encrypts files immediately upon execution. Unlike earlier ransomware, it presents the victim with no threatening countdown timer and no ransom amount. Instead, following the growing trend among ransomware today, the victim must contact the operator via email for further instructions.

Read More…

PHP exif_process NULL Pointer DoS (Feb 9, 2018)

A NULL pointer dereference vulnerability exists in PHP's exif extension module, which can cause a denial of service on the server side. An attacker can exploit this vulnerability by sending a specially crafted JPEG or TIFF file to a web application that parses EXIF data with this extension.

The cause of this vulnerability is a NULL pointer dereference while PHP parses the EXIF section of an image file. When handling the EXIF section, the PHP module calls a series of encoding converter functions.

Read More…

EMC Data Protection Advisor authentication bypass vulnerability (Feb 1, 2018)

EMC Data Protection Advisor is data protection management software that unifies and automates monitoring, analysis and reporting across on-premises and cloud backup and recovery environments.

An authentication bypass vulnerability exists in EMC Data Protection Advisor. The application ships with several hidden, hardcoded privileged accounts that have default passwords:

User: Apollo System Test
Pass: [hidden]

User: emc.dpa.agent.logon
Pass: [hidden]

User: emc.dpa.metrics.logon
Pass: [hidden]

These accounts can be used to log on via the REST APIs of the GUI service, which listens on HTTP ports 9002 and 9004. An attacker can send ordinary HTTP requests carrying the hidden accounts' credentials and potentially gain administrative privileges.

To launch such an attack, the attacker first base64-encodes the credentials in the form [user]:[pass], which is the token format used by HTTP Basic authentication.
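Because the bypass is just an ordinary HTTP request with a base64-encoded [user]:[pass] token, the practical check for defenders is to decode Basic authentication tokens seen on the GUI service ports and flag any that name one of the hidden accounts. The script below is an added example written for this post, not code from SonicWall or from EMC. The request path, host name and the password strings in the sample traffic are constructed placeholders (the real default passwords are not reproduced here); only the account names and ports come from the advisory above.

```python
import base64
import binascii
import re

# Hidden, hardcoded account names listed in the advisory.
HARDCODED_ACCOUNTS = {
    "Apollo System Test",
    "emc.dpa.agent.logon",
    "emc.dpa.metrics.logon",
}

# HTTP ports the DPA GUI service listens on, per the advisory.
DPA_GUI_PORTS = {9002, 9004}

# Matches the token of an HTTP Basic Authorization header.
AUTH_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_basic_credentials(token):
    """Decode a base64 'user:pass' token. Returns (user, password), or None
    if the token is not valid base64 / UTF-8 or has no ':' separator."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def find_hardcoded_logons(requests):
    """Scan captured (dst_port, raw_http_request) pairs and return a list of
    (dst_port, user) for every request that presents one of the hidden
    accounts to the DPA GUI service ports. Other ports are ignored because
    the advisory only describes logon through the GUI service."""
    hits = []
    for dst_port, raw in requests:
        if dst_port not in DPA_GUI_PORTS:
            continue
        match = AUTH_RE.search(raw)
        if not match:
            continue
        creds = decode_basic_credentials(match.group(1))
        if creds is None:
            continue
        user, _password = creds
        if user in HARDCODED_ACCOUNTS:
            hits.append((dst_port, user))
    return hits


def basic_token(user, password):
    """Build the base64([user]:[pass]) token the advisory describes."""
    return base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def _request(port, token):
    # Constructed sample request; the path and host are hypothetical.
    return (
        port,
        "GET /rest/example HTTP/1.1\r\n"
        "Host: dpa.example.internal:%d\r\n"
        "Authorization: Basic %s\r\n\r\n" % (port, token),
    )


# Constructed sample traffic: two hidden-account logons on the GUI ports,
# one legitimate user, one hidden account on an unrelated port, and one
# malformed token (decodes to bytes with no ':' separator).
SAMPLE_REQUESTS = [
    _request(9002, basic_token("emc.dpa.agent.logon", "placeholder-not-real")),
    _request(9004, basic_token("Apollo System Test", "placeholder-not-real")),
    _request(9002, basic_token("alice", "placeholder-not-real")),
    _request(8443, basic_token("emc.dpa.metrics.logon", "placeholder-not-real")),
    _request(9002, "AAAA"),
]

if __name__ == "__main__":
    for port, user in find_hardcoded_logons(SAMPLE_REQUESTS):
        print(f"hidden account '{user}' presented to DPA GUI port {port}")
```

Feed the scanner with requests reconstructed from a packet capture or reverse-proxy log in front of ports 9002/9004; any hit after the vendor fix has been applied indicates either an unpatched server or an attacker probing for the accounts. The check deliberately ignores the request path, since the advisory says any normal HTTP request carrying the credentials suffices.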

Read More…