
SERIOUS! Infected binary for Windows found on the Setup tab of the NextDNS dashboard

Hi all,

I've been using NextDNS for a while now and was thinking of getting my game PC up and running with NextDNS. Then, when I logged in and downloaded the official signed binary from the Setup tab, I found out that it was infected by a threat actor from the Middle East.

This file lacks meta information, has been signed and countersigned by NextDNS and is as of now 4 months old. VirusTotal confirmed that it was a serious payload.

Just a heads up for y'all :)

The hash on VirusTotal:

eac1fddb908b01808edb39588616ff78ceb33dc3bfeb5cdbc1d29a04f873160e

12 replies

    • iOS Developer
    • Rob
    • 1 yr ago

    False positive?

    VirusTotal now reports zero detections for the Windows executable with the same SHA-256 hash.

      • Jesse_de_Graaf
      • 1 yr ago

      Rob Yeah, no.

      It's not that the binary itself is actually the payload, but rather what it drops.

      Look again under Relations > Dropped files.

      If you go to Behaviour and look at the matched rules, you will find one very serious one.

      • iOS Developer
      • Rob
      • 1 yr ago

      Jesse de Graaf nsExec.dll?

      • Jesse_de_Graaf
      • 1 yr ago

      Rob The LNK files are flagged as trojan.runner as they inject themselves into the Windows Explorer process through a cmd one-liner. It's a common and recent payload tactic. Besides that,

      it checks for kernel debuggers, has an odd timestamp, opens the clipboard, creates a DirectInput object (keylogger), modifies ASEP, uses taskkill to kill AV and checks for their hooks, and matches this Sigma rule:

      action: global
      title: Oilrig
      status: stable
      description: OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets.
      references:
      - https://tdm.socprime.com/tdm/info/Nvw0NkZgaA6d
      - https://app.any.run/tasks/a76f05b4-1634-4fb2-b559-c32d00d550e2/
      - https://app.any.run/tasks/2d717782-6ccf-4bb5-b412-4536cbb870b1/
      - https://app.any.run/tasks/99afd397-1d97-4e97-80c1-6c9b85c26a93/
      - https://app.any.run/tasks/5c2a6265-c8f3-44fc-b3b3-f547f46aa586/
      - https://malpedia.caad.fkie.fraunhofer.de/actor/oilrig
      - https://attack.mitre.org/techniques/T1059/
      - https://attack.mitre.org/techniques/T1053/
      - https://attack.mitre.org/techniques/T1504/
      tags:
      - attack.execution
      - attack.persistence
      - attack.privilege_escalation
      - attack.T1059
      - attack.T1053
      author: Ariel Millahuel
      detection:
        condition: 1 of them
      fields:
      - EventID
      - CommandLine
      - TargetFilename
      - Details
      falsepositives:
      - none
      level: critical
      ---
      logsource:
        product: windows
        service: sysmon
      detection:
        selection1:
          EventID: 11
          TargetFilename|contains:
          - 'nsExec.dll'
          - 'nseEBFB.tmp'
          - 'chkSrv.vbs'
          - 'SCSCAN.xml'
          - 'AnyDesk.exe'
      ---
      logsource:
        category: process_creation
        product: windows
      detection:
        selection2:
          Commandline:
          - cmd.exe" /c wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
          - schtasks.exe /create /F /tn "SC Scheduled Scan" /xml "C:\Users\admin\AppData\Local\Microsoft\Taskbar\SCSCAN.xml
          - ipconfig /flushdns
          - cmd.exe /c copy "C:\Users\admin\AppData\Local\Temp\\*.doc" "C:\Users\admin\AppData\Roaming\Tmp.doc
          - cmd.exe /c SchTasks /Create /SC MINUTE /MO 3 /TN "InetlSecurityAssistManager" /TR "C:\Users\admin\AppData\Local\Temp\\*.exe" /f
          - cmd.exe" /c start /b schtasks /query /fo csv
          - powershell.exe" -exec bypass -File C:\programdata\Office365DCOMCheck.ps1
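As an added illustration (my code, not NextDNS's and not the rule author's tooling) of what the rule's "condition: 1 of them" does: both selections are evaluated over constructed Sysmon-style events, only three of the rule's command lines are kept, and Sigma's unmodified strings are treated as full-value, case-insensitive matches with * and ? wildcards (Sigma's backslash-escaping rules are not implemented). A single file-create event whose name contains nsExec.dll is enough to satisfy the critical-level rule on its own.

```python
"""Evaluate the posted Sigma rule's two selections over constructed events."""
from fnmatch import fnmatchcase

# Values copied from the rule above; only three of its command lines are kept.
SELECTION1_FILENAMES = ["nsExec.dll", "nseEBFB.tmp", "chkSrv.vbs", "SCSCAN.xml", "AnyDesk.exe"]
SELECTION2_COMMANDLINES = [
    "ipconfig /flushdns",
    'cmd.exe" /c start /b schtasks /query /fo csv',
    'powershell.exe" -exec bypass -File C:\\programdata\\Office365DCOMCheck.ps1',
]

def selection1(event):
    """Sysmon EventID 11 (FileCreate) whose TargetFilename contains any listed name."""
    name = event.get("TargetFilename", "").lower()
    return event.get("EventID") == 11 and any(n.lower() in name for n in SELECTION1_FILENAMES)

def selection2(event):
    """process_creation (Sysmon EventID 1) whose CommandLine equals a listed value.
    Unmodified Sigma strings are full-value, case-insensitive matches with * and ?
    wildcards, so a command line with a leading path does not match 'cmd.exe" /c ...'."""
    cl = event.get("CommandLine", "").lower()
    return event.get("EventID") == 1 and any(fnmatchcase(cl, p.lower()) for p in SELECTION2_COMMANDLINES)

def evaluate(event):
    """The rule's global 'condition: 1 of them': any single selection is enough to fire."""
    return [name for name, sel in (("selection1", selection1), ("selection2", selection2)) if sel(event)]

# Constructed sample events (not real telemetry from the installer in the thread).
SAMPLE_EVENTS = [
    {"id": "e1", "EventID": 11, "Image": r"C:\Users\user\Downloads\installer.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\nsa1234.tmp\nsExec.dll"},
    {"id": "e2", "EventID": 1, "CommandLine": "ipconfig /flushdns"},
    {"id": "e3", "EventID": 1,
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c start /b schtasks /query /fo csv'},
    {"id": "e4", "EventID": 11, "TargetFilename": r"C:\Users\user\AppData\Local\Temp\settings.ini"},
]

def alerts(events):
    """Return (event id, matched selections) for every event that fires the rule."""
    return [(e["id"], hits) for e in events if (hits := evaluate(e))]

if __name__ == "__main__":
    for event_id, hits in alerts(SAMPLE_EVENTS):
        print(f"{event_id}: level critical via {', '.join(hits)}")
```

Event e3 shows the flip side: because the rule's command lines carry no leading wildcard, a real cmd.exe invocation with its full path never matches selection2, while any installer dropping nsExec.dll matches selection1.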

      • BaZurk
      • 1 yr ago

      Jesse de Graaf Do we have any follow up on this from @NextDNS ?

      • Jesse_de_Graaf
      • 1 yr ago

      BaZurk I don't think so. I've downloaded the infected binary and Kaspersky KSN stated that it was at least 4 months old and that less than 1,000 KSN members used this file. That is only Kaspersky users.

      • Tairiku_Okami
      • 1 yr ago

      Rob OP has confused rules with matches. The rules OP is referring to are related to past malware's actions and are created upon them, so VT has something to compare it to. Matches display what parts of the rules are actually used, and there is nothing wrong.

      • Jesse_de_Graaf
      • 1 yr ago

      Tairiku Okami @rob Yes, rules are made on the behaviour of known payloads; matches display the file in question (the NextDNS binary) doing similar actions to those that have been shown in a rule.

      So, after seeing that it belongs to the critical tag, I avoid it.

      Or am I missing something?

      • iOS Developer
      • Rob
      • 1 yr ago

      Tairiku Okami I’m new to this, but like to learn more, so I hope you can answer Jesse’s response.

    • BaZurk
    • 1 yr ago

    Do we have any follow up on this from @NextDNS ?

    • EmmeJac
    • 1 yr ago

    OP clearly does not know how to use, nor interpret, the results of VirusTotal. Any file you upload to VirusTotal will have similar behaviors to known malware. In the end, it's all about context.

    The keylogging capabilities do not mean it actually logs keystrokes; in fact, all programs have that capability, including your web browser.

    Scanning for AV software might be for compatibility reasons.

    Again, it's all about context.

    • Robert
    • 1 yr ago

    Submitted the file to Kaspersky for analysis and they said it's safe:

    No malicious software was found in the attached file.

    Best regards, Anastasiya Makarova, Malware Analyst 39A/3 Leningradskoe Shosse, Moscow, 125212, Russia Tel./Fax: + 7 (495) 797 8700 http://www.kaspersky.com https://securelist.com https://opentip.kaspersky.com/ - get insights about suspicious files, hashes, URLs, IP addresses or domain names
