Week 24, 2019

Breaking Bitcoin | Rowhammer | Outlaw

In a quick break from a constant stream of compromises and malware, this week had a number of interesting research articles including a novel application of Rowhammer to leak private keys, a fun malware obfuscation technique using certificate files, and a ton of awesome research coming from the Breaking Bitcoin conference (check out links to videos below).

Events:

Hacks:

  • Gatehub Phishing Emails - malicious actors are attempting to exploit the recent news of the Gatehub hack by enticing users to send their XRP to fake Gatehub addresses.

    Indicators:

    Phishing wallet: r9V1Sz1ZSHC1ApwD1rdN71HWjPaLGWPZAX
    Phishing domains:

    http://www.getahub[.]net/
    https://www.getehub[.]com/
    https://www.gatahub[.]net/
    http://www.getehub[.]net/
    http://gattehub[.]net/
    https://gatehab[.]com/

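    As an added example (not part of this newsletter or of any vendor report), the Python below checks candidate domains against the brand they imitate using edit distance, which is exactly the trick behind the lookalike list above. It assumes gatehub.net is the legitimate host (only the phishing domains are taken from the list), and it carries a small constructed allowlist because short brand names collide with unrelated domains: github is two edits from gatehub.

```python
import re

LEGIT_DOMAIN = "gatehub.net"   # assumed legitimate host the phishing domains imitate
MAX_DISTANCE = 2               # edit-distance threshold for a lookalike label

# Constructed allowlist of known-good registrable domains that happen to sit
# within the threshold ('github' is two edits away from 'gatehub').
ALLOWLIST = {"github.com"}

# The phishing URLs listed above (defanged), plus constructed benign URLs.
CANDIDATES = [
    "http://www.getahub[.]net/",
    "https://www.getehub[.]com/",
    "https://www.gatahub[.]net/",
    "http://www.getehub[.]net/",
    "http://gattehub[.]net/",
    "https://gatehab[.]com/",
    "https://www.gatehub[.]net/login",  # constructed: the legitimate host itself
    "https://example[.]org/",           # constructed: unrelated benign domain
    "https://github[.]com/",            # constructed: benign near-miss
]

def refang(indicator):
    """Undo the [.] / hxxp defanging used in indicator lists."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def host_of(url):
    """Lower-case hostname of a (possibly defanged) URL: no scheme, port or path."""
    no_scheme = re.sub(r"^[a-z]+://", "", refang(url).strip().lower())
    return no_scheme.split("/")[0].split(":")[0]

def registrable(host):
    """Registrable domain: the last two labels (sufficient for .com/.net style TLDs)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, legit=LEGIT_DOMAIN, max_distance=MAX_DISTANCE):
    """Return 'legit', 'allowlisted', 'lookalike' or 'unrelated' for one URL."""
    reg = registrable(host_of(url))
    if reg == legit:
        return "legit"
    if reg in ALLOWLIST:
        return "allowlisted"
    brand = legit.split(".")[0]
    label = reg.split(".")[0]
    # The brand label on a different TLD (distance 0) is a lookalike as well.
    return "lookalike" if levenshtein(label, brand) <= max_distance else "unrelated"

def find_lookalikes(urls):
    """Sorted, de-duplicated registrable domains classified as lookalikes."""
    return sorted({registrable(host_of(u)) for u in urls if classify(u) == "lookalike"})

if __name__ == "__main__":
    for u in CANDIDATES:
        print(f"{classify(u):12} {host_of(u)}")
```

    Run against the list, all six phishing domains come back as lookalikes while the legitimate host, example.org and the allowlisted github.com do not. In practice the threshold should scale with brand length, and the allowlist is what keeps the alert volume sane.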

Malware:

  • Outlaw Hacking Group’s Botnet Observed Spreading Miner, Perl-Based Backdoor - a detailed analysis of a still-in-development backdoor and Monero miner written in Perl. As noted by Trend Micro analysts, the malware codebase does not yet appear to be complete, with many parts still left unexecuted. The researchers also noted an APK file found on one of the C2 servers, which may indicate future attacks targeting Android devices.

    Indicators:
    146[.]185[.]171[.]227:443 C&C for Backdoor.Perl.SHELLBOT.AB
    5[.]255[.]86[.]129:3333 C&C for Backdoor.Linux.SSHDOOR.AB
    54[.]37[.]70[.]249/.satan
    54[.]37[.]70[.]249/rp
    hxxp://54[.]37[.]70[.]249/.x15cache
    hxxp://54[.]37[.]70[.]249/dota2.tar.gz
    hxxp://54[.]37[.]70[.]249/fiatlux-1.0.0.apk APK file
    hxxp://mage[.]ignorelist[.]com/dota.tar.gz
    mage[.]ignorelist[.]com
    zergbase[.]mooo[.]com
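    As an added example (not from the newsletter or the Trend Micro report), here is a small Python matcher that normalises the indicator list above, which mixes IP:port entries with trailing notes, URLs with and without a defanged scheme, and bare domains, and runs it over constructed proxy, firewall, DNS and connection log lines. The internal 10.0.0.x hosts and the benign example.org line are made up for the example.

```python
import re
from urllib.parse import urlsplit

# The Outlaw indicators listed above, copied verbatim in their defanged form.
RAW_INDICATORS = [
    "146[.]185[.]171[.]227:443 C&C for Backdoor.Perl.SHELLBOT.AB",
    "5[.]255[.]86[.]129:3333 C&C for Backdoor.Linux.SSHDOOR.AB",
    "54[.]37[.]70[.]249/.satan",
    "54[.]37[.]70[.]249/rp",
    "hxxp://54[.]37[.]70[.]249/.x15cache",
    "hxxp://54[.]37[.]70[.]249/dota2.tar.gz",
    "hxxp://54[.]37[.]70[.]249/fiatlux-1.0.0.apk APK file",
    "hxxp://mage[.]ignorelist[.]com/dota.tar.gz",
    "mage[.]ignorelist[.]com",
    "zergbase[.]mooo[.]com",
]

# Constructed log lines in four common shapes; internal hosts are made up.
SAMPLE_LOGS = [
    # squid-style proxy line: payload download from the staging server
    "1560384000.123 412 10.0.0.5 TCP_MISS/200 91234 GET http://54.37.70.249/dota2.tar.gz - HIER_DIRECT/54.37.70.249 application/x-gzip",
    # netfilter-style firewall line: outbound connection to the SSHDOOR C&C port
    "Jun 13 10:01:02 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=5.255.86.129 PROTO=TCP SPT=51822 DPT=3333",
    # resolver query log: lookup of a C&C domain
    "13-Jun-2019 10:01:05.001 client 10.0.0.7#53122: query: zergbase.mooo.com IN A +",
    # connection summary with host:port tokens
    "conn 2019-06-13T10:02:00Z tcp 10.0.0.5:51901 -> 146.185.171.227:443 SF 1200 bytes",
    # benign line for contrast
    "1560384010.456 120 10.0.0.9 TCP_MISS/200 5120 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# IPv4 address or dotted hostname, optionally followed by :port
HOST_RE = re.compile(
    r"\b((?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,})(?::(\d{1,5}))?", re.I)

def refang(s):
    return s.replace("[.]", ".").replace("hxxp", "http")

def parse_indicator(raw):
    """Normalise one indicator line to (host, port, path); port/path may be None.
    Trailing free text ('C&C for ...', 'APK file') is dropped."""
    token = refang(raw).split()[0]
    if "://" not in token:
        token = "http://" + token          # urlsplit needs a scheme to find the host
    parts = urlsplit(token)
    return parts.hostname, parts.port, (parts.path or None)

def build_index(raws):
    """Three lookup sets: bare hosts, (host, port) pairs and (host, path) URLs."""
    idx = {"hosts": set(), "host_ports": set(), "urls": set()}
    for raw in raws:
        host, port, path = parse_indicator(raw)
        idx["hosts"].add(host)
        if port:
            idx["host_ports"].add((host, port))
        if path:
            idx["urls"].add((host, path))
    return idx

def scan_line(line, index):
    """Return a list of (kind, value) hits for one log line, most specific first."""
    hits = []
    for url in URL_RE.findall(line):
        p = urlsplit(url)
        if (p.hostname, p.path) in index["urls"]:
            hits.append(("url", f"{p.hostname}{p.path}"))
        elif p.hostname in index["hosts"]:
            hits.append(("host", p.hostname))
    remainder = URL_RE.sub(" ", line)       # do not re-count hosts inside URLs
    for host, port in HOST_RE.findall(remainder):
        host = host.lower()
        if port and (host, int(port)) in index["host_ports"]:
            hits.append(("host:port", f"{host}:{port}"))
        elif host in index["hosts"]:
            hits.append(("host", host))
    return hits

def scan_logs(lines, raws=RAW_INDICATORS):
    """(line number, hits) for every line that touches at least one indicator."""
    index = build_index(raws)
    return [(n, h) for n, line in enumerate(lines) if (h := scan_line(line, index))]

if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS):
        print(n, hits)
```

    The firewall line matches only on the destination host because its port sits in a separate DPT= field; a host:port indicator can only be honoured where the log emits the pair as one token, which is why the bare-host set is kept alongside the more specific ones.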

  • CVE-2019-2725 Exploited and Certificate Files Used for Obfuscation to Deliver Monero Miner - a deserialization vulnerability in Oracle WebLogic Server is used to deploy cryptomining malware. The attack is particularly interesting due to its use of Windows CertUtil to obfuscate one of the downloaded payloads.

    Indicators:
    sysguard.exe-upx (TROJ_GEN.R002C0GDM19)
    e4bc026aec8a76b887a8fc48726b9c48540fc2aa76eb8e61893da2ee6df6ab3a

    sysupdate.exe (Coinminer.Win64.TOOLXMR.SMA)
    4b9842b6be35665174c78c3e4063c645bd6e10eb333f68e4c7840fe823647bdf

    update.ps1 (Trojan.PS1.MALXMR.MPA)
    c30f42e6f638f3e8218caf73c2190d2a521304431994fd6efeef523cfbaa5e81

    cert.cer (Coinminer.Win32.MALXMR.TIAOODCJ.component)
    3a567b7985b2da76db5e5a1d5554f7c13f375d88a27d6e6d108ad79e797adc9a


    hxxp://139[.]180[.]199[.]167:1012/clean[.]bat
    hxxp://139[.]180[.]199[.]167:1012/config[.]json
    hxxp://139[.]180[.]199[.]167:1012/networkservice[.]exe
    hxxp://139[.]180[.]199[.]167:1012/sysguard[.]exe
    hxxp://139[.]180[.]199[.]167:1012/sysupdate[.]exe
    hxxp://139[.]180[.]199[.]167:1012/update[.]ps1
    hxxp://45[.]32[.]28[.]187:1012
    hxxp://45[.]32[.]28[.]187:1012/cert[.]cer
    hxxps://pixeldrain[.]com/api/file/bg2Fh-d_
    hxxps://pixeldrain[.]com/api/file/cGsOoTyb
    hxxps://pixeldrain[.]com/api/file/cGsOoTyb/wujnEh-n1
    hxxps://pixeldrain[.]com/api/file/DF1zsieq1
    hxxps://pixeldrain[.]com/api/file/TyodGuTm
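    As an added example (not from the newsletter or the report), the Python below inspects a PEM-armoured "certificate" file and reports whether its base64 body decodes to a DER SEQUENCE, as a genuine certificate does, or to an executable or archive hiding behind the armour. The samples are constructed: a minimal DER SEQUENCE stands in for a real certificate and a PE header fragment stands in for a smuggled binary; nothing here reproduces the campaign's actual cert.cer.

```python
import base64
import binascii
import re
import textwrap

# PEM armour: "-----BEGIN X-----", base64 body, "-----END X-----" with the same X.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Leading bytes a genuine certificate body never starts with.
MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"PK\x03\x04": "zip-archive",
    b"\x1f\x8b": "gzip",
    b"#!": "script",
}

def der_length_ok(data):
    """True if the outer DER SEQUENCE header accounts for exactly len(data) bytes."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                        # short form: length in one byte
        hdr, length = 2, first
    else:                                   # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return hdr + length == len(data)

def classify_cert_file(text):
    """Classify a PEM-armoured file: returns (label, armour_type, decoded_bytes).
    armour_type and decoded_bytes are None when there is nothing to decode."""
    m = PEM_RE.search(text)
    if not m:
        return ("no-pem-armour", None, None)
    armour, body = m.group(1), m.group(2)
    try:
        data = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    except (binascii.Error, ValueError):
        return ("bad-base64", armour, None)
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return (f"payload:{label}", armour, data)
    if der_length_ok(data):
        return ("der-sequence", armour, data)
    return ("unknown-binary", armour, data)

def make_pem(data, kind="CERTIFICATE"):
    """Wrap bytes in PEM armour (used here only to build the constructed samples)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(data).decode("ascii"), 64))
    return f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----\n"

# Constructed samples: SEQUENCE { INTEGER 5 } stands in for a certificate, and a
# DOS/PE header fragment padded with zeros stands in for a smuggled executable.
BENIGN_CER = make_pem(b"\x30\x03\x02\x01\x05")
SMUGGLED_CER = make_pem(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 50)

if __name__ == "__main__":
    for name, text in (("benign.cer", BENIGN_CER), ("cert.cer", SMUGGLED_CER)):
        label, armour, data = classify_cert_file(text)
        print(f"{name}: {label} ({armour}, {len(data or b'')} bytes)")
```

    Point classify_cert_file at the text of any .cer, .crt or .pem that a process wrote to disk before calling certutil: a "payload:" label is a strong signal that the certificate extension is camouflage, whereas "der-sequence" only says the outer structure is plausible, so a full X.509 parse is still the right next step.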

Research:

  • Researchers use Rowhammer bit flips to steal 2048-bit crypto key - the latest application of the well-known attack, this time to steal private keys from memory. Rather than using bit flips to corrupt a victim's data, researchers from the University of Michigan, Graz University of Technology, and the University of Adelaide and Data61 turned the technique into a side-channel attack, called RAMBleed, that reads secrets out of memory. The article discusses several defenses that make the attack harder, such as ECC and TRR.

  • A Formal Treatment of Deterministic Wallets - a research study into a new ECDSA-based hot/cold wallet scheme based on the BIP32 standard.

  • A Huge List of Cryptocurrency Thefts - an awesome collection of major compromises, including their root cause and monetary cost. The list starts with Mt.Gox in 2011 and goes all the way to the more recent Binance hack in May 2019.

Hope you enjoyed all the fun research articles and conference videos mentioned in this edition of Blockchain Intelligence. See you all next week.