Meta Quarterly Adversarial Threat Report Q1 2022. Is it Malicious?
Part-1
On April 7th 2022, Meta released an “Adversarial Threat Report”, a 274.61kb sized benign-looking pdf file. While none of the antiviruses detected any issues with the pdf file, sandbox analysis uncovered something not apparent to the naked eye.
Cyber Threat Intelligence or CTI is a fascinating subject and an ever-growing field of work, different sectors of the modern world are discovering the importance of CTI, whether it’s for Banking, Public, Government, MNC, INC or SMEs. As we learn from the information below, it is becoming an integral part of information security and blue teams, which is gathering much attention, both positively and negatively. Many hi-tech companies are involved in gathering, assessing, publishing, and disseminating the threat exchange to support the corporate community and keep the end-user safe. CTI reports are usually published in pdf format or on a webpage.
How a benign-looking pdf can contain malicious code
A malicious actor can use many features in the PDF without exploiting any existing vulnerability in the firmware and software but vulnerability with the pdf reader itself. Didier Stevens shows how a pdf can be used for malicious activities. In his demonstration, you can see how to embed an executable and launch it when opening the file. Although it is a seven-year-old post, it can still be relevant.
“One of the easiest and most powerful ways to customize PDF files is by using JavaScript.” (Adobe)
In summary, this pdf:
- probably has a token attached
- checks for user input (for check box input)
- detects for debug environment
- looks for CPU clock speed
- Tries to sleep for a long time
- checks for Runtime modules
- can create new processes
- creates registry keys
- deletes files after its execution (possibly to hide tracks)
Related Mitre ATT&CK Matrix:
Tactics: Discovery (ATT&CK ID- TA007)
Query Registry (ATT&CK ID- T1012)
- Reads the computer name
- Checks supported languages
- Reads Microsoft Outlook installation path
- Reads internet explorer settings (browsers are also used as pdf reader)
System Information Discovery (ATT&CK ID- T1082)
- Reads the computer name
- Checks supported languages
Software Discovery (ATT&CK ID- T1518)
- Reads Microsoft Outlook installation path
Indicators of Compromise:
Sandbox analysis generated the following actions, and then the results were compared with previously known trojans and spyware.
Contacted IPs:
184.31.224.145
20.82.209.183
20.82.210.154 (Flagged as malicious IP by CyRadar)
23.22.254.206
23.42.152.145
52.202.204.11
52.5.13.197
54.227.187.23
92.122.117.59
92.123.140.146
Terminated Processes:
The subjected pdf file terminated the following processes after the execution of the file
- C:\Windows\system32\sc.exe start w32time task_started
- C:\Windows\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART
- taskhost.exe SYSTEM
- taskhost.exe $(Arg0)
- C:\Windows\system32\schtasks.exe /delete /f /TN “Microsoft\Windows\Customer Experience Improvement Program\Uploader”
Deleted files:
- Following files deleted exhibits same behaviour as trojan (TrojanDownloader: Win32/Upatre.AZ) .
C:\Users\{USER}\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents-journal
Deleted registry key:
- HKLM\System\Acrobatviewercpp304 (Same action was taken by Trojan-PSW)
Registry Keys opened (total 165):
- HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\A70D59A1–8EAD-4F40-AAAB-FBFC460800A4\FriendlyName (Trojans such as “guardian.exe” and “MineCraft.portable.v.1.1.1.exe” opened the registry key with same path)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
The previous two keys prevent the system from saving shortcuts to documents the user has recently opened. (Mitre ATT&CK ID: TA0005: Defence Evasion)
The pdf wrote udhisapi.dll to the system (it works with UPnP device host)
This behaviour is the same as guardian.exe Trojan (screenshot below)
Mitigation:
Without opening the pdf file, it is not possible to find out if it contains a credential stealing-callback or malicious JavaScript. Sandboxing can be useful if one needs to inspect the pdf without infecting their system.
If the system is already infected then it can still system changes can safely reverted back to a normal state. Mitigation via registry key changes is suggested only for advanced users who understand the risks of making it. Please disable the system restore before making any changes and creating a backup of your important files. Another mitigation to protect against the pdf attacks suggested by Sentinel One.
Conclusion:
While this innocent-looking pdf with its hidden abilities goes undetected to the average user, it appears to have an agenda other than just a Threat Report, as it can modify the registry keys, write and delete files, contact several IP addresses, check for system and browser settings.
Sandbox analysis highlights that this pdf file exhibits the same malicious behaviour as previously known spyware and trojans, indicating that precautions should be taken when downloading and opening such files; even up-to-date leading antivirus software can fail to detect the system changes created by these benign-looking files. This pdf performed some malicious actions that are neither benign nor unique. It would be interesting to find out if Meta’s FTP server for dissemination of this pdf has been compromised or if there is something else more concerning.
This hash can be used for further analysis: 8cb8e17c047c26619978a377026ca7e02e81ec2001d3c9b100f3611e551f082f
What is Cyber Threat Intelligence?
The definition proposed by Alan Breakspear, “Intelligence is a corporate capability to forecast change in time to do something about it. The capability involves foresight and insight and is intended to identify impending change, which may be positive, representing opportunity, or negative, representing a threat.”
Cyber Threat Intelligence is data on threats. It focuses on collecting data and analysing the processed information to understand better any risk posed to any organisation or industry. CTI helps us protect information technology assets. The objective of any CTI analyst is to produce and deliver relevant, accurate and timely curated information, that is, Intelligence, so the recipient organisation can learn how to protect itself from a potential threat.
What is Meta?
Meta/Facebook is now more than social media apps, and now they are engaged in the design and manufacture of new technologies.
Meta Platforms Inc. (formerly known as Facebook Inc) operates one of the world’s largest social networking websites. Facebook, now known as Meta, was founded in February 2004 in Cambridge, Massachusetts, United States, with headquarters in Menlo Park, California and had a net worth of over USD 600 billion and approximately 3 billion users.
The Company’s products for users are free of charge and available on the Web, mobile Web and mobile platforms, such as Android and iOS. The website enables users to connect, share, discover and communicate with each other. The Company’s platform is a set of tools and application programming interfaces that developers can use to build social apps on Facebook or integrate their Websites with Facebook.
It also offers products that enable advertisers and marketers to engage with users. At the same time, Meta has Facebook, Instagram, WhatsApp, and Oculus VR under its control and is also developing a “Metaverse”, a virtual network of 3D world focussing on social connections.
References
- https://www.fortbendnow.com/cyber-threat-intelligence-market-size-and-share-2022-analysis-by-leading-keyplayers-cisco-check-point-ibm-siemens/
- https://www.virustotal.com/gui/file/8cb8e17c047c26619978a377026ca7e02e81ec2001d3c9b100f3611e551f082f/behavior/VirusTotal%20Jujubox
- https://www.virustotal.com/gui/file/8cb8e17c047c26619978a377026ca7e02e81ec2001d3c9b100f3611e551f082f/behavior/VirusTotal%20Observer
- https://www.virustotal.com/gui/file/8cb8e17c047c26619978a377026ca7e02e81ec2001d3c9b100f3611e551f082f/behavior/Zenbox
- https://www.reddit.com/r/antivirus/comments/tswvt5/is_this_file_a_false_positive_or_not/
- https://www.file.net/process/online-guardian.exe.html
- http://systemmanager.ru/win2k_regestry.en/93170.htm
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/search/adobe%20reader%20and%20acrobat%20.pdf%20vulnerability/10
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_UPATRE.YYSIY/
- https://attack.mitre.org/
- https://security.stackexchange.com/questions/64052/can-a-pdf-file-contain-a-virus
- https://blog.didierstevens.com/2010/03/29/escape-from-pdf/
- https://blog.talosintelligence.com/2017/05/threat-roundup-0505-0512.html
- https://support.adaware.com/hc/en-us/articles/4406774250260-TrojanPSW-Win32-Zbot-7f77406aff
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Upatre.AZ
- Alan Breakspear, A New Definition of Intelligence (2012)
- https://www.macrotrends.net/stocks/charts/FB/meta-platforms/net-worth