Blog entry by Les Bell

by Les Bell - Friday, 11 August 2023, 11:04 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Phishing Email Infection Chain Uses Rusty Injector

A phishing campaign analysed by FortiGuard Labs researchers has revealed the use of a new injector as part of its infection chain. The injector, which is written in the Rust programming language, lets the attackers base64-encode the shellcode payload and then either encrypt it with AES or RC4 or compress it with LZMA, in order to evade detection.


The infection chain - the injector is derived from the "Freeze.rs" Red Team tool. (image credit: FortiGuard Labs)

The attack is delivered via a malicious PDF attachment to a phishing email; the PDF shows a blurred image with a button reading "View Document on Desktop" in front of it, luring the victim into clicking. Clicking the button causes the victim's system to download a malicious HTML file; rather than simply using JavaScript to download a malware payload - an action that could easily be spotted by EDR tools - the file uses the search-ms protocol to trigger a search for a specific file on a remote cloud storage server provided by DriveHQ.

Although this file displays a PDF icon, it is actually a .LNK file which executes a PowerShell script. This, in turn, uses regsvr32 to launch the injector from a file called doc.dll. The injector starts by displaying a decoy file, T.pdf, which contains the unblurred text the user expects, then executes AA.exe and force-closes all File Explorer windows.

The doc.dll injector creates a notepad.exe process, then decompresses or decrypts and base64-decodes the shellcode, injecting it into that process; this mirrors the behaviour of a red team tool called "Freeze.rs", which was only launched in May, not long before this campaign started. The shellcode uses code to bypass the Windows Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP) before executing XWorm, a .NET remote access trojan which is capable of enumerating device information, keystroke logging, screenshot capture and remotely controlling the victim system.
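As a defender's counterpart to the chain just described, here is an added example (not FortiGuard's code) that hunts for the PowerShell -> regsvr32 -> doc.dll -> notepad.exe sequence in Sysmon-style process-creation records. The records, PIDs, paths and command lines are all constructed for the example.

```python
"""Hunt for the PowerShell -> regsvr32 -> user-profile DLL -> notepad.exe chain."""
from collections import defaultdict

# Constructed Sysmon-style Event ID 1 records: (pid, parent_pid, image, command_line).
# Nothing here is real telemetry; PIDs, paths and command lines are made up.
EVENTS = [
    (400, 300, r"C:\Windows\explorer.exe", "explorer.exe"),
    (501, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -WindowStyle Hidden -File <placeholder>.ps1"),
    (602, 501, r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s C:\Users\victim\AppData\Local\Temp\doc.dll"),
    (703, 602, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    (801, 400, r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s C:\Windows\System32\example.dll"),  # benign-looking baseline
]


def find_suspicious_regsvr32(events):
    """Return [(pid, reasons)] for regsvr32 processes matching >= 2 chain indicators."""
    procs = {pid: (ppid, image.lower(), cmd.lower()) for pid, ppid, image, cmd in events}
    children = defaultdict(list)
    for pid, (ppid, _, _) in procs.items():
        children[ppid].append(pid)
    hits = []
    for pid, (ppid, image, cmd) in procs.items():
        if not image.endswith("\\regsvr32.exe"):
            continue
        reasons = []
        parent = procs.get(ppid)
        if parent and parent[1].endswith("\\powershell.exe"):
            reasons.append("spawned by PowerShell")
        if ".dll" in cmd and "\\users\\" in cmd:  # DLL registered from a user-writable path
            reasons.append("DLL loaded from user profile")
        if any(procs[c][1].endswith("\\notepad.exe") for c in children[pid]):
            reasons.append("spawned notepad.exe (the injection target)")
        if len(reasons) >= 2:
            hits.append((pid, reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in find_suspicious_regsvr32(EVENTS):
        print(f"PID {pid}: {'; '.join(reasons)}")
```

Requiring two indicators keeps the ordinary regsvr32 registration of a system DLL (PID 801) out of the results while the full chain (PID 602) matches all three.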

The other file, AA.exe, is a downloader programmed in Microsoft Intermediate Language (MSIL) which downloads an obfuscated SYK Crypter carrying a payload which is ultimately decrypted and injected into a process to run the Remcos RAT (actually, a legitimate remote access utility). The AA.exe downloader also achieves persistence by copying itself into the "Startup" folder.

Given the extensive detection evasion techniques employed in this campaign, it will prove difficult for anti-malware and EDR tools to respond to it. As always, we have to rely on the user as the last line of defence, alerting them to the use of a button in front of a blurred image to lure them into downloading the malware. Genuine business documents, such as purchase orders and invoices, simply do not work this way - so don't fall for the lure!

Lin, Cara, Attackers Distribute Malware via Freeze.rs And SYK Crypter, blog post, 9 August 2023. Available online at https://www.fortinet.com/blog/threat-research/malware-distributed-via-freezers-and-syk-crypter.

Citizen Lab Uncovers Classic Crypto Vulnerability in Tencent Sogou Input Method

While this particular vulnerability only exists in a virtual keyboard for inputting Chinese ideographic characters on Windows, Android and iOS, it carries a lesson for all of us. An analysis of the Tencent Sogou Input Method conducted by the University of Toronto's Citizen Lab turned up a classic vulnerability in its "EncryptWall" home-spun encryption system. Given that Sogou Input Method - a predictive keyboard which uses the Wubi 5-stroke character model - has over 455 million monthly active users and accounts for 70% of Chinese input method users, the security of its encryption system is important for users who wish to avoid surveillance.

The Citizen Lab researchers discovered that the EncryptWall system uses its own home-spun method to encrypt requests which are sent to the EncryptWall API endpoints over plain HTTP. In other words, rather than using HTTPS, which uses the TLS protocol to encrypt its entire payload - both headers and bodies - EncryptWall tunnels its encrypted traffic over unencrypted HTTP POST requests. The encryption is performed using 256-bit AES (probably 128-bit AES would be fine) with the AES key protected using 1024-bit RSA (probably not strong enough) with PKCS#1 v1.5 padding.

The major vulnerability is in the implementation of AES, which is done using cipher block chaining (CBC) mode. The way this is done renders it vulnerable to a padding oracle attack - an attack which was discovered back in 2002 by Vaudenay. In this attack - a type of chosen ciphertext attack - the attacker is able to send datagrams to a system and examine the returned error codes or messages to see whether they indicate a decryption error or a padding error - and thereby discover the correct key and then the message contents.
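To show why letting a client distinguish a padding error from any other failure is fatal for CBC, here is an added example (not Citizen Lab's or Tencent's code): a padding oracle run against a constructed toy Feistel cipher standing in for AES, with a server function that reports padding validity. The attack recovers the last plaintext block from oracle answers alone, never learning the key, which is exactly the leak that an authenticated channel such as TLS removes.

```python
import hashlib, os
BLOCK = 16
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
# Keyed round function of the constructed toy cipher (hash based, not a real cipher).
_round = lambda key, i, half: hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key, b):  # 4-round Feistel permutation on 16 bytes, standing in for AES
    l, r = b[:8], b[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, b):
    l, r = b[:8], b[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, p):  # p must already carry PKCS#7 padding
    out, prev = b"", iv
    for i in range(0, len(p), BLOCK):
        prev = block_encrypt(key, xor(p[i:i + BLOCK], prev))
        out += prev
    return out

def padding_oracle(key, iv, c):  # the leaky server: its reply reveals padding validity
    p = b"".join(xor(block_decrypt(key, c[i:i + BLOCK]), (iv + c)[i:i + BLOCK])
                 for i in range(0, len(c), BLOCK))
    return 1 <= p[-1] <= BLOCK and p.endswith(bytes([p[-1]]) * p[-1])

def recover_last_block(iv, c, oracle):  # plaintext of the last block, no key needed
    prev, last = (iv + c)[-2 * BLOCK:-BLOCK], c[-BLOCK:]
    inter = bytearray(BLOCK)  # block_decrypt(key, last), learned right to left
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos  # padding value we try to force at positions pos..15
        for guess in range(256):
            forged = bytearray([0] * pos + [guess] + [inter[j] ^ padv for j in range(pos + 1, BLOCK)])
            if oracle(bytes(forged), last):
                if pos == BLOCK - 1:  # reject an accidental hit from a longer valid padding
                    forged[pos - 1] ^= 1
                    if not oracle(bytes(forged), last):
                        continue
                inter[pos] = guess ^ padv
                break
    return xor(bytes(inter), prev)

def demo():
    key, iv = os.urandom(16), os.urandom(16)
    msg = b"query=secret keypresses here"  # constructed two-block plaintext (28 bytes)
    c = cbc_encrypt(key, iv, msg + b"\x04" * 4)  # PKCS#7 pad to 32 bytes
    return recover_last_block(iv, c, lambda i, blk: padding_oracle(key, i, blk))
```

The same loop applied block by block walks back through the whole message; checking a MAC (or a TLS record's authentication tag) before any decryption, and returning one indistinguishable failure, makes every forged query return the same answer and starves the attack.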

It turns out that the iOS implementation of EncryptWall is not vulnerable, for the simple reason that its POST requests are all sent over TLS, which fixed the padding oracle vulnerability several versions ago. However, both the Windows and Android versions are vulnerable.

The lesson for users is obvious: since the researchers disclosed the vulnerability to Tencent, a fix is available and users should update to version 13.7 for Windows, 11.26 for Android and 11.25 for iOS. For software developers, the lesson is an old one: don't try to roll your own cryptographic schemes! It would have been much simpler for the Tencent developers to encapsulate their API traffic in TLS, since they would not have had to develop their own crypto implementation - and it would have been more secure, too, since TLS fixed the problem only a year or so after it was discovered, i.e. in 2003.

Knockel, Jeffrey, Zoë Reichert and Mona Wang, “Please do not make it public”: Vulnerabilities in Sogou Keyboard encryption expose keypresses to network eavesdropping, technical report, 9 August 2023. Available online at https://citizenlab.ca/2023/08/vulnerabilities-in-sogou-keyboard-encryption/.

Vaudenay, Serge, Security Flaws Induced by CBC Padding: Applications to SSL, IPSEC, WTLS..., Advances in Cryptology - EUROCRYPT 2002, pp. 534–545. Available online at http://link.springer.com/chapter/10.1007/3-540-46035-7_35.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.