MortiAgent Malware and Palo Alto

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L3 Networker

MortiAgent Malware and Palo Alto

MortiAgent Malware is added to the Palo Alto signatures database?

 

It's Palo Alto aware of this Malware?

 

want to stop the MoriAgent malware.

How to configure this in Palo alto to  ?


Accepted Solutions
Highlighted
L3 Networker

Thanks for the response.

Whether Palo alto support will be able to validate the custom signature created?      

Where this IPS should be applied on, Inbound or outbound security rule?

View solution in original post


All Replies
Community Team Member

Hi @Mohammed_Yasin ,

 

I was unable to find MortiAgent in the PAN threat vault:

Palo Alto Networks Threat Vault 

 

That said, I can't find ANY hits on MortiAgent Malware in google either (except for your posts ^_^ ).

 

Did you mean the following TID's that refer to .morti in the PAN Threat Vault ? :

 

Name: Virus/OSX.WGeneric.morti

Unique Threat ID: 183519795

Create Time: 2017-07-29 02:11:02 (UTC)

 

or maybe this one ?

 

Name: Worm/Win32.allaple.morti

Unique Threat ID: 86806904

Create Time: 2015-12-14 10:50:28 (UTC)

 

If you don't mean the above TID's then please provide more information on the malware and/or check how to create custom signatures to help you block it:

How to Create Custom Threat Signatures 

 

Cheers,

-Kiwi.

 
Tags (1)
Highlighted
L3 Networker

Thank you so much for your valuable information.

 

Yes, absolutely I m agree that even I could not able to find it,

Let me share the briefly about the MortiAgent Malware,

 

OVERVIEW

Based on reports from our threat Intel partners, there has been observed, an ongoing

campaign targeting government organizations in various sectors including that of healthcare,

education, diplomacy and telecommunication among others. The campaign involves the

spread of backdoors targeted at agencies within these high value sectors.

 

One among the many backdoors, dubbed MoriAgent - allows attackers to list and fetch victim’s files,

download other files from the C2, and run arbitrary commands on the victim’s machine.

 

The backdoor was earlier associated with the TEMP.Zagros activity targeting the Afghan

communications provider - but the latest reports is indicative of them spreading wings to the

entire Middle East.

 

THREAT DETAILS

Technical Details

According to researchers, MORIAGENT is a fully functional backdoor written in native C++. It

uses statically linked custom libraries to make analysis more difficult. In a recent update to the

malware, a 200 MB random resource was added to avoid anti-virus scans and sandboxes.

Debug messages containing paths were also removed in this version.

 

Also noted is that the malware uses a unique dictionary for Base64 encoding and a specific

implementation of the LZMAT compression library. The command and control (C&C)

configuration of the malware and its ID are written to the registry by the dropper.

 

Researchers have listed spear-phishing email as the most likely method of delivery of the

backdoor.

 

There are three stages to the working of this backdoor

First stage involves the user of a downloader to obtain the other components and stage

them in memory. It contains a number of obfuscation and anti-analysis techniques.

Once the Loader finds that it is running in a safe environment, it decodes the C2 URL

that was hardcoded in the binary - resulting in a URL as per the below syntax, which is

then queried in a loop to obtain orders:

http://[host]/[page].php?c=[backdoor identifier]

 

Second stage DLL Dropper: Operated by the loader, it is invoked using an export

function named ‘init’ as the entry point. A compressed, custom-encoded file is

grabbed from the C&C, based on the file internal ID on the server and hash. The file is

dropped to a location chosen by the attacker. A callback table with commands is

prepared for executing the final payload.

 

Third Stage Payload (MoriAgent This final stage embodies a simple remote

administration tool written in C++, which supports several commands to control the

victim’s machine. After installation, the attacker is capable of listing and fetching

victims files, as well as downloading other files from the C2 and running arbitrary

commands on the machine using a “cmd.exe” shell.

 

During this phase, two types of requests are used.

The first is a ‘beacon’ request, which is sent periodically once per minute and intended

to keep a steady heartbeat to the C2 server, the request has the following format:

http://domain[.]com/Index.php?i=%Info_value%&t=t

 

The second is a ‘beam’ request, which is sent once every 20 beacons and is used to

convey information on the contacting implant, the request has the following pattern

for file execution:

http://domain[.]com/Index.php?i=%Info_value%&t=u&cv=64&ch=%hash_of_a_file%

 

Additionally the backdoor POWERSTATS has also been observed as part of the same

campaign. This version of POWERSTATS achieves self-persistence by creating a registry key or

a scheduled task named GoogleUpdateNT. This involved the execution of a JScript file to pass

the flow to Windows’ Management Interface (WMI) in order to execute an inline Powershell

command.

 

After the installation of MoriAgent and Powerstats, the attacker would most likely be able to

perform lateral movement within the target network.

 

 

IMPACT

MoriAgent has the capability to remotely control affected devices and steal data. The

information gained through a successful infection could lead to follow-up attacks - including

unauthorized access to a victim’s network, privilege escalation, data exfiltration, data

modification/destruction, and denial of service.

 

RECOMMENDATIONS

Monitor and block malicious samples/traffic associated with the IOCs in the appendix

 

Implement least privileges policy within the organization:

Reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts.

Control creation and execution of files in important directories.

 

Deploy and update firewalls and configure rules to detect similar patterns

 

Review systems logs and Deploy file monitoring to detect changes to files in web

              directories of a web server.

 

Review system logs and investigate any anomalies, suspicious behavior, or unusual

              login activity such as unorthodox work hours or outside of geographic region.

 

Search for infections with an updated endpoint detection system.

 

Spread awareness among employees to be cautious while vising websites or opening emails.

 

Ensure a secure configuration of web servers. All unnecessary services and ports should

              be disabled or blocked.

 

 

 

The below SNORT rule can be used to detect the MoriAgent Beacon.

 

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:" MoriAgent Beacon

HTTP Request"; content:"/Index.php?i="; depth:200; content:"&t="; within:64;

content:"HTTP/1.1"; within:64; content:"Content-Type: application/json"; within:32;

content:"Content-Length: 0"; within:90; threshold:type limit,track by_src,count

1,seconds 120; sid:1000001; rev:001;)

 

 

Below are YARA rules to detect POWERSTATS.

 

YARA rule to detect the substitution table used in PowerShell code.

rule SubstitutionTable_in_PowerShell {

meta:

description = "Detect the substitution table used in PowerShell code (2019-2020)"

hash = "A18016AF1E9ACDA5963112EE8BEEB28B"

strings:

$a1 = "Replace('(','a'"

$a2 = "Replace(')','b'"

$a3 = "Replace('{','c'"

$a4 = "Replace('}','d'"

$a5 = "Replace('[','e'"

$a6 = "Replace(']','f'"

condition:

$a1 and

$a2 in (@a1..@a1+200) and

$a3 in (@a1..@a1+200) and

$a4 in (@a1..@a1+200) and

$a5 in (@a1..@a1+200) and

$a6 in (@a1..@a1+200) and

filesize < 100000

}

YARA

 

 

YARA rule to detect PowerStats backdoor.

 

rule POWERSTATS_JscriptLauncher {

meta:

description = "POWERSTATS Jscript Launcher"

hash = "6C97A39A7FFC292BAF8BE1391FCE7DA0"

strings:

$a1 = "$s=(get-content"

$a2 = "Get('Win32_Process').Create(cm"

$a3 = "var cm="

condition:

all of them and filesize < 600

}

 

 

 

YARA rule to detect PowerStats de-obfuscated

 

rule POWERSTATSLite {

meta:

hash = "A18016AF1E9ACDA5963112EE8BEEB28B"

strings:

$a1 = "$global:key"

$a2 = "$global:time"

$a3 = "webreq = [System.Net.WebRequest]::Create($url)"

condition:

all of them and filesize < 3000

}

 

 

YARA rule to detect MoriAgent implant

 

rule MoriAgent {

meta:

description = "C++ MuddyWater implant"

hash = "12755B210EC1171045144480ACD05AA8"

strings:

$f1 = "|x7d873iqq" ascii fullword

$f2 = "ljyfiiwnskt" ascii fullword

$f3 = "htssjhy" ascii fullword

$f4 = "kwjjfiiwnskt" ascii fullword

$f5 = "hqtxjxthpjy" ascii fullword

$f6 = "\\XFXyfwyzu" ascii fullword

$f7 = "\\XFHqjfszu" ascii fullword

$f8 = "ZmilXzwkm{{Umuwz" ascii fullword

$f9 = "^qz|}itXzw|mk|" ascii fullword

$f10 = "_zq|mXzwkm{{Umuwz" ascii fullword

$content = "Content-Type: application/json" ascii fullword

condition:

uint16(0) == 0x5A4D and filesize < 2MB and

$content and 5 of ($f*)

}

 

YARA rule to detect PowerStats Implants

 

rule POWERSTATS_Implants

{ meta:

description = "Detects all POWERSTATS implants"

hash = "A18016AF1E9ACDA5963112EE8BEEB28B"

hash = "409558610BE62655FBA0B1F93F2D9596" hash =

"DD32B95F865374C31A1377E31FA79E87" strings:

$a1 = "if ($resp -ne $null){"

$a2 = "out = $_.Exception.Message"

$a3 = "IEX $cmd -ErrorAction SilentlyContinue"

condition:

all of them and filesize < 50000

}

 

Highlighted
L3 Networker

Thanks for the response.

Whether Palo alto support will be able to validate the custom signature created?      

Where this IPS should be applied on, Inbound or outbound security rule?

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!