To help the cybersecurity community defend its systems from COVID-19-themed threats, Nozomi Networks Labs is conducting threat intelligence research into the evolving situation. For example, we’ve been monitoring a prolific threat actor, very active in Asia, who has recently adapted malware delivery vectors to leverage the COVID-19 pandemic.
Both the initial exploit and the persistence techniques used by this actor, as well as its goals, are very well understood and discussed within the security community. Our new contribution examines how network traffic analysis leads to the detection of compromise by this specific threat actor.
Let’s look at how the Chinoxy Backdoor malware family works and what tools can be used to detect it.
A prolific threat actor, active in Asia, sends documents to people in Kyrgyzstan about how the United Nations is helping to fight COVID-19. Nozomi Networks Labs examined how network traffic analysis can detect this specific threat.
How the Chinoxy Backdoor Malware Exploits COVID-19 to Entrap Victims
The delivery vector for this new version of the malware family is typically an RTF document exploiting CVE-2017-11882 (the Microsoft Office Equation Editor memory corruption bug), whose content is a lure crafted for the intended victims. In this case, the lure concerns the assistance the United Nations is providing to Kyrgyzstan to fight COVID-19.
Once a victim opens the document and the exploit runs successfully, three main artifacts are dropped onto the target machine:
- A persistence mechanism, in this case a .lnk file pointing to an executable, that runs when the user logs in
- A clean executable, with a valid digital signature, pointed to by the .lnk file; because the binary is legitimate, file reputation alone will not flag it
- A DLL containing the implant, which the clean executable side-loads: Windows searches the executable's own directory before the system directories when resolving an imported DLL by name, so a malicious DLL placed next to the signed binary wins
The threat actor infects systems by getting people to click on an RTF file which claims to be about how the United Nations is helping Kyrgyzstan fight COVID-19.
Cyber Threat Analysis: Port 443 Is Used to Communicate with C&C Server
Depending on the internal state of the DLL, the implant uses different HTTP headers when communicating back to the command and control (C&C) server.
A screenshot of the disassembly shows how the HTTP request line is populated at runtime. It uses data fetched from the target machine, such as the system time, thread id and process id.
Infected machines communicate with the C&C server over cleartext HTTP sent to destination port 443. Genuine HTTPS traffic on that port begins with a TLS handshake, so an ASCII HTTP request line on port 443 is itself an anomaly worth alerting on, independent of this specific malware.
Nozomi Networks Labs has developed a Snort rule, which anyone in the community can use, to detect infections. It alerts when an established client-to-server TCP stream to port 443 carries a POST whose request line follows the beacon format (a 16-character uppercase hex token, the system time as year/month/day/hour/minute/second, a second 16-character hex token, then HTTP/1.1) together with a User-Agent header of Mozilla/5.0. Because the rule keys on this exact path layout, the port and the User-Agent string, it is a high-confidence indicator for this variant rather than a generic Chinoxy detection; a sample that changes any of the three will not trigger it.
# Created by Nozomi Networks Labs
alert tcp any any -> any 443 (msg:"Chinoxy C&C POST Beacon"; flow:established,to_server; content:"POST"; pcre:"/\/[A-F0-9]{16}\/\d{4}\/\d{1,2}\/\d{1,2}\/\d{1,2}\/\d{1,2}\/\d{1,2}\/[A-F0-9]{16} HTTP\/1\.1/"; content:"User-Agent: Mozilla/5.0"; sid:9000071; priority:9; metadata:created_at 2020_04_14;)
The Snort rule is available from our COVID-19 Cybersecurity and GitHub webpages. Updates will be posted as available.
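To see what the rule actually matches, here is an added example (not Nozomi Networks' code) that re-implements its three conditions in Python and runs them over constructed client payloads. It goes slightly beyond the rule in two ways: the beacon check is applied on any destination port, and a separate check flags any cleartext HTTP request sent to port 443, which is the protocol mismatch described above. The beacon format follows the rule's PCRE; the payloads, hostnames and addresses are constructed for the example, not captured traffic.

```python
"""Added example: the Chinoxy beacon Snort rule's conditions in Python.
Not Nozomi Networks' code; sample payloads below are constructed."""
import re
from datetime import datetime
from typing import Optional

# Same pattern as the rule's pcre option, with the time fields captured:
# /<16 hex>/<year>/<month>/<day>/<hour>/<minute>/<second>/<16 hex> HTTP/1.1
BEACON_RE = re.compile(
    r"/[A-F0-9]{16}/(\d{4})/(\d{1,2})/(\d{1,2})/(\d{1,2})/(\d{1,2})/(\d{1,2})"
    r"/[A-F0-9]{16} HTTP/1\.1"
)
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")
TLS_RECORD_HANDSHAKE = 0x16  # first byte of a TLS ClientHello record


def is_cleartext_http(first_bytes: bytes) -> bool:
    """True when the client's first bytes are an HTTP request line, not a TLS record."""
    if first_bytes[:1] == bytes([TLS_RECORD_HANDSHAKE]):
        return False
    return first_bytes.startswith(HTTP_METHODS)


def match_chinoxy_beacon(payload: bytes) -> Optional[dict]:
    """Apply the rule's three content checks: POST, beacon-shaped request line,
    'User-Agent: Mozilla/5.0'. Returns the time fields on a match, else None."""
    text = payload.decode("latin-1")
    request_line, _, headers = text.partition("\r\n")
    if not request_line.startswith("POST "):
        return None
    m = BEACON_RE.search(request_line)  # [A-F0-9] is case-sensitive, as in the rule
    if m is None or "User-Agent: Mozilla/5.0" not in headers:
        return None
    year, month, day, hour, minute, second = (int(g) for g in m.groups())
    return {"year": year, "month": month, "day": day,
            "hour": hour, "minute": minute, "second": second}


def beacon_time(fields: dict) -> Optional[datetime]:
    """\\d{1,2} accepts values such as month 13; a real system time never does.
    Returns a datetime when the fields form a valid timestamp, else None."""
    try:
        return datetime(fields["year"], fields["month"], fields["day"],
                        fields["hour"], fields["minute"], fields["second"])
    except ValueError:
        return None


def classify(dst_port: int, payload: bytes) -> str:
    """Verdict for one client-to-server payload. The beacon check runs on any port,
    which is wider than the rule's 'any 443'; the mismatch check is 443-only."""
    if match_chinoxy_beacon(payload):
        return "chinoxy-beacon"
    if dst_port == 443 and is_cleartext_http(payload):
        return "cleartext-http-on-443"
    return "no-match"


# Constructed sample payloads (not captured traffic).
BEACON = (b"POST /0123456789ABCDEF/2020/4/14/9/30/5/FEDCBA9876543210 HTTP/1.1\r\n"
          b"Host: 203.0.113.10\r\nUser-Agent: Mozilla/5.0\r\nContent-Length: 0\r\n\r\n")
LOWERCASE = BEACON.replace(b"ABCDEF", b"abcdef")  # lowercase hex: not matched by [A-F0-9]
PLAIN_POST = (b"POST /api/login HTTP/1.1\r\nHost: intranet.example\r\n"
              b"User-Agent: Mozilla/5.0 (Windows NT 10.0)\r\n\r\n")
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC4, 0x01, 0x00, 0x00, 0xC0, 0x03, 0x03])

if __name__ == "__main__":
    samples = [("beacon", 443, BEACON), ("lowercase-hex", 443, LOWERCASE),
               ("plain-post", 443, PLAIN_POST), ("tls", 443, CLIENT_HELLO),
               ("beacon-on-80", 80, BEACON)]
    for name, port, data in samples:
        print(f"{name:14s} -> {classify(port, data)}")
```

The lowercase-hex and plain-post samples show the two failure modes a practitioner should expect: a beacon whose tokens are not uppercase hex slips past the rule's regex but still surfaces as cleartext HTTP on 443, and an ordinary cleartext POST to 443 is suspicious on its own even though it is not Chinoxy. The timestamp validation in beacon_time is an extra filter on top of the rule, useful for ranking alerts rather than for deciding whether to fire.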
OT and IoT Security Requires Real-time Network Monitoring
Threat actors are constantly evolving their tools, tactics and procedures. Nonetheless, whenever they communicate over the network, whether to beacon to a C&C server or to exfiltrate data, they leave a trail.
A clear understanding of the activity that takes place in your OT/IoT networks, and the ability to act upon such information, is key to a successful cybersecurity strategy.
References
- AVAR 2019 conference papers, "Curious tale of 8.t used by multiple attack campaigns against South Asian countries": https://aavar.org/AVAR2019_Papers.pdf
- Sebdraven, "New version of chinoxy backdoor using COVID19 document lure": https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746
- Microsoft Security Response Center advisory for CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
- MITRE ATT&CK T1073, DLL Side-Loading: https://attack.mitre.org/techniques/T1073/
- MITRE ATT&CK T1071, command and control over application layer protocols: https://attack.mitre.org/techniques/T1071/
Related Links
Nozomi Networks COVID-19 Security Threat Intel and Community Tools
- Webpage: COVID-19 Malware: Community Support
- GitHub: Snort Rule for Detecting Chinoxy Backdoor Malware Infections
- GitHub: COVID-19-Themed Network Indicators
- GitHub: Yara rules for detecting coronavirus ransomware
- GitHub: Yara rules for detecting COVID-19 Informer malware
- Podcast: The Emerging Threat Intel Landscape: How Hackers Are Using COVID-19
- Podcast: Remote Access Monitoring: What to Watch Out for During the COVID-19 Pandemic
- Blog: OT/IoT Security Superheroes: Tackling the Remote Access Employee Challenge
- Blog: COVID-19 (coronavirus) Malware: New OT and IoT Security Tools
The post COVID-19 Chinoxy Backdoor: A Network Perspective appeared first on Nozomi Networks.
*** This is a Security Bloggers Network syndicated blog from Nozomi Networks authored by Alessandro Di Pinto. Read the original post at: https://www.nozominetworks.com/blog/covid-19-chinoxy-backdoor-a-network-perspective/


