Threat Report-11-15-21

Abcbot(net)

Today, the CRU has pushed out several new detection signatures for multiple recently discovered botnets and the latest Microsoft Excel Remote Code Execution vulnerability (CVE-2021-40442(https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40442)).

The first few signatures we have added to the Perch IDS are built to detect the new Abcbot. This is a new botnet that appears to still be in development, with regular updates adding new capabilities. The bot was first discovered in July by 360 Netlabs (https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/) and was originally a simple webserver scanner. Over the summer, additional capabilities have been added, and it is now capable of nine different DDoS attack methods. The bot has also added the ability to self-update, exploit weak passwords and multiple vulnerabilities, and support worm-like propagation. We have three new signatures capable of detecting Abcbot activity based on the samples we have collected:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] Abcbot(net) C2 HTTP Request"; flow:established, to_server; http.uri; content:"/api/"; pcre:"/^(getlist|postip)/RU"; tag:session,5,packets; reference:url, blog.netlab.360.com/abcbot_an_evolving_botnet_en/; flowbits:set,cru_abcbot_api; classtype:trojan-activity; sid:900488; rev:1; metadata: created_at 2021_11_12, updated_at 2021_11_12, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Abcbot(net) C2 Stop Command"; flow:established, to_client; http.stat_code; content:"200"; http.content_type; content:"text/plain"; http.response_body; content:"73746f70|7c|"; startswith; fast_pattern; flowbits:isset,cru_abcbot_api; tag:session,5,packets; reference:url, blog.netlab.360.com/abcbot_an_evolving_botnet_en/; classtype:trojan-activity; sid:900489; rev:1; metadata: created_at 2021_11_12, updated_at 2021_11_12, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] Potential Abcbot(net) DGA Detected"; flow:established, to_server; http.host; content:"pages.dev"; endswith; tag:session,5,packets; reference:url, blog.netlab.360.com/abcbot_an_evolving_botnet_en/; classtype:trojan-activity; sid:900490; rev:1; metadata: created_at 2021_11_12, updated_at 2021_11_12, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1520, mitre_technique_name Domain_Generation_Algorithms;)
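The three signatures above work together: sid 900488 sets the flowbit cru_abcbot_api when it sees the C2 check-in, and sid 900489 only fires on the "stop|" response (the hex 73746f70|7c| is the ASCII string "stop|") if that flowbit is already set on the same flow. The following Python model of that logic is an added example, not CRU or Perch code; the HttpTx/Flow classes, the evaluate_flow function and the sample transactions are constructed for illustration, and the model simplifies Suricata's matching (it checks only the first "/api/" occurrence in the URI).

```python
# Added example (not ConnectWise CRU code): a Python model of how the three
# Abcbot signatures combine through the shared flowbit. All names and sample
# transactions below are constructed for this illustration.
import re
from dataclasses import dataclass, field

API_RE = re.compile(r"^(getlist|postip)")   # pcre in sid 900488, anchored after "/api/"
STOP_PREFIX = bytes.fromhex("73746f707c")   # |73746f70|7c| in sid 900489 == b"stop|"


@dataclass
class HttpTx:
    """One HTTP transaction as Suricata would expose it to a rule (constructed)."""
    direction: str            # "to_server" (request) or "to_client" (response)
    uri: str = ""
    host: str = ""
    status: str = ""
    content_type: str = ""
    body: bytes = b""


@dataclass
class Flow:
    """Per-flow state; Suricata flowbits live here."""
    flowbits: set = field(default_factory=set)


def sid_900488(tx: HttpTx, flow: Flow) -> bool:
    """C2 HTTP request: URI contains "/api/" immediately followed by getlist or postip."""
    if tx.direction != "to_server":
        return False
    idx = tx.uri.find("/api/")          # http.uri; content:"/api/"  (first occurrence only)
    if idx == -1:
        return False
    # pcre with the R flag is matched relative to the end of the previous content match
    if not API_RE.match(tx.uri[idx + len("/api/"):]):
        return False
    flow.flowbits.add("cru_abcbot_api")  # flowbits:set,cru_abcbot_api
    return True


def sid_900489(tx: HttpTx, flow: Flow) -> bool:
    """C2 stop command: 200 text/plain body starting with "stop|", only after a check-in."""
    return (tx.direction == "to_client"
            and tx.status == "200"                     # http.stat_code; content:"200"
            and "text/plain" in tx.content_type        # http.content_type
            and tx.body.startswith(STOP_PREFIX)        # http.response_body; startswith
            and "cru_abcbot_api" in flow.flowbits)     # flowbits:isset,cru_abcbot_api


def sid_900490(tx: HttpTx, flow: Flow) -> bool:
    """Potential DGA: request Host header ending in pages.dev."""
    return tx.direction == "to_server" and tx.host.endswith("pages.dev")  # http.host; endswith


RULES = {900488: sid_900488, 900489: sid_900489, 900490: sid_900490}


def evaluate_flow(transactions):
    """Run every rule over each transaction in order with one shared flow state.
    Returns the list of sids that fired, in firing order."""
    flow = Flow()
    fired = []
    for tx in transactions:
        for sid, rule in RULES.items():
            if rule(tx, flow):
                fired.append(sid)
    return fired


if __name__ == "__main__":
    # Constructed sample: a bot checks in, then the C2 answers with a stop command.
    c2_session = [
        HttpTx("to_server", uri="/api/getlist", host="203.0.113.10"),
        HttpTx("to_client", status="200", content_type="text/plain", body=b"stop|"),
    ]
    print(evaluate_flow(c2_session))        # check-in and stop command both fire
    # The same stop response seen without a prior check-in on the flow does not fire 900489.
    print(evaluate_flow(c2_session[1:]))
```

The second run shows why the flowbit matters: a bare "stop|" text/plain response from any web server would otherwise alert, so sid 900489 stays quiet unless the same flow already carried the Abcbot API request.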


Pinkbot

The CRU has been reviewing samples that are part of a massive botnet referred to as Pink, named for the large number of function names within the bot that start with “pink”. This is a large botnet, with a total of 1.6 million infected devices at its peak. Pink is a robust P2P botnet mostly focused on MIPS-based fiber routers. The botnet controller is very active and has been observed updating the firmware of infected devices to combat vendor attempts to fix the problem. Pink is capable of launching massive DDoS attacks and, because it resides on routers, can inject HTTP content (JavaScript advertisements) into traffic routed through infected devices. The following IDS signature (already deployed to all Perch customers) should trigger when an infected device downloads its configuration file:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] PinkBot Configuration Download Filename"; flow:established, to_server; http.method; content:"GET"; http.host; content:"."; offset:1; depth:3; content:"."; within:4; content:"."; within:4; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.uri; content:"dlist.txt"; endswith; nocase; tag:session,5,packets; reference:url, blog.netlab.360.com/pink-en/; classtype:trojan-activity; sid:900491; rev:1; metadata: created_at 2021_11_12, updated_at 2021_11_12;)
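The signature above looks for a GET whose Host header is a bare IPv4 literal (the three "." content checks are cheap pre-filters that let Suricata skip the regex on most traffic) and whose URI ends in dlist.txt in any letter case. The following Python applies those same tests to raw HTTP requests; it is an added example, not CRU or Perch code. The parse_request and normalized_host helpers and the sample requests are constructed, and the model assumes, as Suricata's http.host buffer does, that the host is lowercased and compared without its port.

```python
# Added example (not ConnectWise CRU code): the Host and URI tests from sid 900491
# applied to raw HTTP/1.x requests. Helpers and samples are constructed.
import re

DOTTED_QUAD = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")   # the pcre from the rule


def parse_request(raw: bytes):
    """Minimal request-line and header parser, enough for this example."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def normalized_host(headers) -> str:
    """Model of Suricata's http.host buffer: lowercase, port removed (assumption).
    IPv6 literals keep their brackets so a ':' inside them is not taken as a port."""
    host = headers.get("host", "").lower()
    if host.startswith("["):
        return host[:host.index("]") + 1] if "]" in host else host
    return host.split(":", 1)[0]


def matches_sid_900491(raw: bytes) -> bool:
    """True when the request carries the PinkBot config-download pattern."""
    method, uri, headers = parse_request(raw)
    if method != "GET":                                    # http.method; content:"GET"
        return False
    if not DOTTED_QUAD.match(normalized_host(headers)):    # host is a bare IPv4 address
        return False
    return uri.lower().endswith("dlist.txt")               # http.uri; content:"dlist.txt"; endswith; nocase


# Constructed sample requests (TEST-NET addresses, not real infrastructure).
SAMPLES = {
    "config_fetch": b"GET /dlist.txt HTTP/1.1\r\nHost: 198.51.100.7\r\nUser-Agent: x\r\n\r\n",
    "uppercase_with_port": b"GET /update/DLIST.TXT HTTP/1.1\r\nHost: 198.51.100.7:8080\r\n\r\n",
    "by_hostname": b"GET /dlist.txt HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n",
    "post": b"POST /dlist.txt HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} -> {matches_sid_900491(raw)}")
```

The "uppercase_with_port" sample is the case worth checking when tuning a rule like this: the nocase modifier covers the file name, and the port must not reach the anchored regex or a legitimate hit on a non-standard port would be missed.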


Excel CVE-2021-40442

Last week was Microsoft’s monthly Patch Tuesday, when Microsoft traditionally releases security updates for all its products. One of the vulnerabilities patched last week is an Excel RCE. Excel spreadsheets are a favorite of threat actors for phishing attacks, still one of the most common methods for initial access (MITRE ATT&CK T1204.002 (https://attack.mitre.org/techniques/T1204/002/)). This latest Excel vulnerability allows an attacker to craft a spreadsheet that downloads a second malicious spreadsheet from a remote server, capable of running JavaScript without a security prompt. The CRU has obtained a proof-of-concept (PoC) of this exploit and used it to craft an IDS signature that should trigger after the initial spreadsheet is opened and attempts to download the second malicious spreadsheet. As always, this signature has already been deployed to all Perch customers.

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Microsoft Excel RCE (CVE-2021-40442)"; flow:established, to_client; http.content_type; content:"application/vnd.ms-excel"; http.response_body; content:"|68 00  74 00 74 00 70 00 3a 00 2f 00 2f 00|"; tag:session,5,packets; classtype:attempted-user; sid:900494; rev:1; metadata: created_at 2021_11_12, updated_at 2021_11_12, cve CVE_2021_40442, mitre_tactic_id TA0002, mitre_tactic_name Execution, mitre_technique_id T1203, mitre_technique_name Exploitation_for_Client_Execution;)
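The hex content in the signature above, 68 00 74 00 70 00 3a 00 2f 00 2f 00, is the string "http://" as UTF-16LE, the encoding Office uses for text inside the document, which is why a plain-ASCII "http://" elsewhere in the body would not match. The following Python is an added example, not CRU or Perch code: it reproduces the two conditions of the rule (Excel content type plus the UTF-16LE pattern in the body) and additionally pulls the embedded URL out of the body for an analyst, which the rule itself does not do. The find_utf16_urls helper and the sample body are constructed.

```python
# Added example (not ConnectWise CRU code): the content-type gate and UTF-16LE
# body pattern from sid 900494, plus URL extraction for triage. Constructed sample data.
UTF16_HTTP = bytes.fromhex("68007400740070003a002f002f00")   # "http://" in UTF-16LE

# UTF-16LE code units that end a URL for this example's purposes (constructed list).
URL_TERMINATORS = {b"\x00\x00", b" \x00", b"\r\x00", b"\n\x00", b'"\x00', b"'\x00"}


def is_excel_response(content_type: str) -> bool:
    """http.content_type; content:"application/vnd.ms-excel" (substring match, like Suricata)."""
    return "application/vnd.ms-excel" in content_type.lower()


def matches_sid_900494(content_type: str, body: bytes) -> bool:
    """Both rule conditions: Excel content type and the UTF-16LE http:// bytes in the body."""
    return is_excel_response(content_type) and UTF16_HTTP in body


def find_utf16_urls(body: bytes):
    """Return every http:// URL stored as UTF-16LE text in the body, decoded for the analyst."""
    urls = []
    start = 0
    while True:
        idx = body.find(UTF16_HTTP, start)
        if idx == -1:
            return urls
        end = idx
        # Advance two bytes at a time until a terminator code unit or the end of the body.
        while end + 1 < len(body):
            if body[end:end + 2] in URL_TERMINATORS:
                break
            end += 2
        urls.append(body[idx:end].decode("utf-16-le", errors="replace"))
        start = end


# Constructed sample body: some filler, then a UTF-16LE URL, then a terminator and filler.
SAMPLE_BODY = (b"\x00" * 8
               + "http://203.0.113.5/stage2.xls".encode("utf-16-le")
               + b"\x00\x00" + b"\x01\x02")

if __name__ == "__main__":
    print(matches_sid_900494("application/vnd.ms-excel", SAMPLE_BODY))   # True
    print(find_utf16_urls(SAMPLE_BODY))                                   # the second-stage URL
    # The same bytes served as text/html do not satisfy the content-type gate.
    print(matches_sid_900494("text/html", SAMPLE_BODY))                   # False
```

The extracted URL is the value a responder wants to pivot on (block it, search proxy logs for other hosts that fetched it). Note that the pattern is exactly "http://"; when reviewing coverage, a detection engineer would check whether a second-stage URL using a different scheme would still be caught by another rule.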


References

https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/

https://blog.netlab.360.com/pink-en/

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40442