A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple’s new M1 chips and expand its features to steal confidential information from cryptocurrency apps. XCSSET came into the spotlight in August 2020 after it was found to spread via modified Xcode IDE projects,….

On April 8, 2021, we conducted a webinar with Ivan Kwiatkowski and Denis Legezo, Senior Security Researchers from our Global Research & Analysis Team (GReAT), who gave live workshops on practical disassembling, decrypting and deobfuscating authentic malware cases, moderated by GReAT’s own Dan Demeter.

Ivan demonstrated how to strip the obfuscation from the recently discovered Cycldek-related tool, while Denis presented an exercise on reversing the MontysThree’s malware  steganography algorithm. The experts also had a fireside chat with our guest Igor Skochinsky of Hex-Rays.

On top of that, Ivan and Denis introduced the new Targeted Malware Reverse Engineering online self-study course, into which they have squeezed 10 years of their cybersecurity experience. This intermediate-level training is designed for those seeking confidence and practical experience in malware analysis. It includes in-depth analysis of ten fresh real-life targeted malware cases, like MontysThree, LuckyMouse and Lazarus, hands-on learning with an array of reverse engineering tools, including IDA Pro, Hex-Rays decompiler, Hiew, 010 Editor, and 100 hours of virtual lab practice.

In case you missed the webinar – or if you attended but want to watch it again – you can find the video here: Targeted Malware Reverse Engineering Workshop (brighttalk.com).

With so many questions collected during the webinar – thank you all for your active participation! – we lacked the time to answer them all online, we promised we would come up with this blogpost.

Questions on the Cycldek-related tool analysis

How do you decide whether the Cycldek-actors have adopted the DLL side-loading triad technique, or the actors normally using the DLL side-loading triad have adopted the design considerations from Cycldek?
Ivan: It is precisely because we cannot really differentiate between the two that we have been very careful with the attribution of this specific campaign. The best we can say at the moment is that the threat actor behind it is related to Cycldek.
Denis: Even in our training there is another track with .dll search order hijacking – LuckyMouse. I really would not recommend anyone to build attribution based on such a technique, because it’s super wide-spread among the Chinese-speaking actors.
Does the script work automatically, or do you have to add information about the specific code you are working with?
Ivan: The script shown in the webinar was written solely for the specific sample used in the demonstration. I prefer to write small programs addressing very specific issues at first, and only move on to developing generic frameworks when I have to, which is not the case for opaque predicates.
Is the deobfuscation script for the shellcode publicly available?
Ivan: It is derived from a publicly available script. However, my modifications were not made public; if they were, it would make the training a little too easy, wouldn’t it?
Decryption/deobfuscation seems to be very labor-intensive. Have you guys experimented with symbolic execution in order to automate the process? Have you built a framework that you use against multiple families and (data&code) obfuscation or you build tools on ‘as needed’ basis?
Ivan: I have always found it quicker to just write quick scripts to solve the problem instead of spending time on diving into symbolic execution. Same goes for generic frameworks, but who knows? Maybe one day I will need one.
Denis: Decryption/deobfuscation is mostly case-based, I agree, but we also have disassembler plugins to facilitate such tasks. By the way, such a code base and the habits are the reasons that create the threshold to change the disassembler. We have internal framework for asm layer decryption, you will meet him in advanced course, but it’s up to researcher to use it or not.
Any insight into the success rate of this campaign?
Ivan: We were able to identify about a dozen organizations attacked during this campaign. If you want to know more about our findings, please have a look at our blogpost.
Any hint on the code pattern that helped you connect with the Cycledek campaign?
Ivan: You can find more about this in our blogpost. Even more details are available through our private reporting service. Generally speaking, we have a tool called KTAE that performs this task, and of course the memory of samples we have worked on in the past.
About the jump instructions that lead to the same spot – how were they injected there? Manually using a binary editor?
Ivan: The opaque predicates added in the Cycldek shellcode were almost certainly inserted using an automated tool.
I am one of the people using the assembly view. After the noping stage usually I have to suffer the long scrolling. You mentioned there is a way to fix this?”
Ivan: Check out this script I published on GitHub a couple of months ago.
Can xmm* registers and Pxor be used as code patterns Yara signatures?
Ivan: This is in fact one of the signatures I wrote for this piece of malware.

Questions on analysis of the MontysThree’s malware steganography algorithm

Do you think there was a practical reason to use steganography as obfuscation, or the malware developer did it just for fun?
Denis: In my experience, most steps the malefactors take are on purpose, not for fun. With steganography they are trying to fool the network security systems like IDS/IPS: bitmaps are not too suspicious for them. Let me also add that the campaign operators are human, too, so now and again there will be Easter eggs in their products — for example, take a look at the Topinambour track and the phrases used as decryption keys and beaconing.
What image steganography algorithm have you seen hiding in the wild recently, other than LSB?
Denis: As far as I know, it is LSB alright — Microcin, MontysThree. I would expect some tools to be creating such images for the operators. But take a look at the function we ended during the short workshop: depending on the decrypted steganography parameters, it could be not just LSB, but the “less significant half a byte” as well.
Are there any recent malware samples incorporating network steganography in their C&C-channels, the way the DoublePulsar backdoor did using SMB back in 2017?
Denis: I suppose you mean the broken SMB packages. Yes, the last trick of the kind I saw was the rare use of HTTP statuses as C2 commands. You might be surprised to learn how many of them there are in RFCs and how strange some of them are, like “I’m the kettle”.

Reverse Engineering: how to start a career, working routines, the future of the profession

How does one get into malware reverse engineering? What are the good resources to study? How can one find interesting malware samples?
Ivan: You can find a solid introduction at https://beginners.re/. Next, check out https://crackmes.one/ which contains many programs designed to be reverse-engineered, so one can finally move on to malware samples. Worry not about finding the “interesting” ones early on; just try to get good at it, document what you do, and you will find yourself in no time being able to access all the data you could wish for.
Denis: Do you like meditating on the code and trying to understand it? Then I suppose you already have everything you need. I think you should not bother looking for interesting ones in the beginning (if I get your question right) – everything will do. In my experience, the fun ones are written by professional programmers, not malware writers, because they just cannot do away with their habit of structuring the data and code, making it multi-thread safe, etc.
Now an experienced malware reverse engineer, where did you start from? Do you have any solid math/programming background from where you moved on to malware reverse engineering? Or what would be the typical path?
Ivan: I have a software engineering background, and my math expertise is shaky at best. After having met so many people in this field, I can say confidently that there is no typical path beyond being passionate about the subject.
Denis: Personally I have a math/programming background, but I couldn’t agree more: it’s more about passion than any scientific education.
If you are reverse engineering malware, do you work as a team?
Ivan: While several researchers can investigate a campaign together, I usually work on samples alone. The time it takes to wrap up a case may vary between a week and several months, depending on the complexity of the investigation!
Denis: Reversing itself is not the task that is easy to distribute/parallel. In my experience, you would spend more time organizing the process than benefit from the work of several reversers. Typically, I do this part alone, but research is not limited to binary analysis: the quest, the sharing of previous experiences with the same malware/tools, and so forth — it is a team game.
What do you think about AI? Would it help to automate the reverse engineering work?
Ivan: I think at the moment it is still a lot more A than I. I keep hearing sales pitches about how it will revolutionize the infosec industry and I do not want to dismiss them outright. I am sure there are a number of tasks, such as malware classification, where AI could be helpful. Let’s see what the future brings!
Denis: OK, do you use any AI-based code similarity, for example? I do, and you know — my impression so far is we still need meat-based engineers who understand how it works to use it right.
How helpful is static analysis, considering the multiple advanced sandboxing solutions available today?
Ivan: Sandboxing and static analysis will always serve complementary purposes. Static analysis is fast and does not require running the sample. It is great to quickly gather information about what a program might do or for triage. Dynamic analysis takes longer, yields more details, but gives malware an opportunity to detect the sandboxed environment. Then, at the very end, you do static analysis again, which involves reverse-engineering the program with a disassembler and takes the longest. All have their uses.
Denis: Sometimes you need static analysis because of the multiple advanced anti-sandboxing tricks out there. You also reveal far more details through static analysis if you want to create better Yara rules or distinguish a specific part of custom code to attribute samples to specific developers. So it is up to you how deep the rabbit hole should be.

Tips on tools, IDA and other things

Do you contribute to Lumina server? Does Kaspersky have any similar public servers to help us during our analysis?
Ivan: My understanding is that Lumina is most helpful when used by a critical mass of users. As such, I do not think it would make sense to fragment the community across multiple servers. If you are willing to share metadata about the programs you are working on with third-parties, I would recommend to simply go with an Hex-Rays’ instance.
Denis: No, I have never contributed to Lumina so far. I don’t think it is going to be too popular for threat intelligence, but let us wait and see — public Yara repositories are there, so maybe code snippets might also meet the community’s needs.
What tools and techniques do you recommend for calculating the code similarity of samples? Is this possible with IDA Pro?
Ivan: For this, we have developed a commercial solution called KTAE. That’s what we regularly use internally.
Denis: Personally, I am using our KTAE. As far as I know, the creating of custom FLIRT signatures right in IDA could partially cover this need.
Is there any specific reason why you are using IDA under wine? Does it have anything to do with the type of samples you are analyzing?
Denis: I used to have Windows IDA licenses and Linux OS historically, so wine is my way of using disassembler. It does not affect your analysis anyway — choose any samples you want under any OS.
What is your favorite IDA Pro plugin and why?
Ivan: One of the internal plugins developed by Kaspersky. Other than that, I use x64dbgida regularly and have heard great things about Labeless.
Denis: For sure our internal plugins. And it’s not because of the authorship, they just perfectly meet our needs.
Do you have a plan to create/open an API so we can create our own processor modules for decompilers (like SLEIGH in Ghidra)? The goal being to analyze VM-based obfuscation.
Igor: Unlikely to happen in the near future but that’s something we’re definitely keeping in our minds.

If you have any more questions about Ivan’s workshop on the Cycldek-related tool or about the Targeted Malware Reverse Engineering online course, please feel free to drop us a line in the comments box below or contact us on Twitter: @JusticeRage, @legezo and @IgorSkochinsky. We will answer the rest of the questions in our next blogpost – stay tuned!

On April 8, 2021, we conducted a webinar with Ivan Kwiatkowski and Denis Legezo, Senior Security Researchers from our Global Research & Analysis Team (GReAT), who gave live workshops on practical disassembling, decrypting and deobfuscating authentic malware cases, moderated by GReAT’s own Dan Demeter.

Ivan demonstrated how to strip the obfuscation from the recently discovered Cycldek-related tool, while Denis presented an exercise on reversing the MontysThree’s malware  steganography algorithm. The experts also had a fireside chat with our guest Igor Skochinsky of Hex-Rays.

On top of that, Ivan and Denis introduced the new Targeted Malware Reverse Engineering online self-study course, into which they have squeezed 10 years of their cybersecurity experience. This intermediate-level training is designed for those seeking confidence and practical experience in malware analysis. It includes in-depth analysis of ten fresh real-life targeted malware cases, like MontysThree, LuckyMouse and Lazarus, hands-on learning with an array of reverse engineering tools, including IDA Pro, Hex-Rays decompiler, Hiew, 010 Editor, and 100 hours of virtual lab practice.

In case you missed the webinar – or if you attended but want to watch it again – you can find the video here: Targeted Malware Reverse Engineering Workshop (brighttalk.com).

With so many questions collected during the webinar – thank you all for your active participation! – we lacked the time to answer them all online, we promised we would come up with this blogpost.

Questions on the Cycldek-related tool analysis

How do you decide whether the Cycldek-actors have adopted the DLL side-loading triad technique, or the actors normally using the DLL side-loading triad have adopted the design considerations from Cycldek?
Ivan: It is precisely because we cannot really differentiate between the two that we have been very careful with the attribution of this specific campaign. The best we can say at the moment is that the threat actor behind it is related to Cycldek.
Denis: Even in our training there is another track with .dll search order hijacking – LuckyMouse. I really would not recommend anyone to build attribution based on such a technique, because it’s super wide-spread among the Chinese-speaking actors.
Does the script work automatically, or do you have to add information about the specific code you are working with?
Ivan: The script shown in the webinar was written solely for the specific sample used in the demonstration. I prefer to write small programs addressing very specific issues at first, and only move on to developing generic frameworks when I have to, which is not the case for opaque predicates.
Is the deobfuscation script for the shellcode publicly available?
Ivan: It is derived from a publicly available script. However, my modifications were not made public; if they were, it would make the training a little too easy, wouldn’t it?
Decryption/deobfuscation seems to be very labor-intensive. Have you guys experimented with symbolic execution in order to automate the process? Have you built a framework that you use against multiple families and (data&code) obfuscation or you build tools on ‘as needed’ basis?
Ivan: I have always found it quicker to just write quick scripts to solve the problem instead of spending time on diving into symbolic execution. Same goes for generic frameworks, but who knows? Maybe one day I will need one.
Denis: Decryption/deobfuscation is mostly case-based, I agree, but we also have disassembler plugins to facilitate such tasks. By the way, such a code base and the habits are the reasons that create the threshold to change the disassembler. We have internal framework for asm layer decryption, you will meet him in advanced course, but it’s up to researcher to use it or not.
Any insight into the success rate of this campaign?
Ivan: We were able to identify about a dozen organizations attacked during this campaign. If you want to know more about our findings, please have a look at our blogpost.
Any hint on the code pattern that helped you connect with the Cycledek campaign?
Ivan: You can find more about this in our blogpost. Even more details are available through our private reporting service. Generally speaking, we have a tool called KTAE that performs this task, and of course the memory of samples we have worked on in the past.
About the jump instructions that lead to the same spot – how were they injected there? Manually using a binary editor?
Ivan: The opaque predicates added in the Cycldek shellcode were almost certainly inserted using an automated tool.
I am one of the people using the assembly view. After the noping stage usually I have to suffer the long scrolling. You mentioned there is a way to fix this?”
Ivan: Check out this script I published on GitHub a couple of months ago.
Can xmm* registers and Pxor be used as code patterns Yara signatures?
Ivan: This is in fact one of the signatures I wrote for this piece of malware.

Questions on analysis of the MontysThree’s malware steganography algorithm

Do you think there was a practical reason to use steganography as obfuscation, or the malware developer did it just for fun?
Denis: In my experience, most steps the malefactors take are on purpose, not for fun. With steganography they are trying to fool the network security systems like IDS/IPS: bitmaps are not too suspicious for them. Let me also add that the campaign operators are human, too, so now and again there will be Easter eggs in their products — for example, take a look at the Topinambour track and the phrases used as decryption keys and beaconing.
What image steganography algorithm have you seen hiding in the wild recently, other than LSB?
Denis: As far as I know, it is LSB alright — Microcin, MontysThree. I would expect some tools to be creating such images for the operators. But take a look at the function we ended during the short workshop: depending on the decrypted steganography parameters, it could be not just LSB, but the “less significant half a byte” as well.
Are there any recent malware samples incorporating network steganography in their C&C-channels, the way the DoublePulsar backdoor did using SMB back in 2017?
Denis: I suppose you mean the broken SMB packages. Yes, the last trick of the kind I saw was the rare use of HTTP statuses as C2 commands. You might be surprised to learn how many of them there are in RFCs and how strange some of them are, like “I’m the kettle”.

Reverse Engineering: how to start a career, working routines, the future of the profession

How does one get into malware reverse engineering? What are the good resources to study? How can one find interesting malware samples?
Ivan: You can find a solid introduction at https://beginners.re/. Next, check out https://crackmes.one/ which contains many programs designed to be reverse-engineered, so one can finally move on to malware samples. Worry not about finding the “interesting” ones early on; just try to get good at it, document what you do, and you will find yourself in no time being able to access all the data you could wish for.
Denis: Do you like meditating on the code and trying to understand it? Then I suppose you already have everything you need. I think you should not bother looking for interesting ones in the beginning (if I get your question right) – everything will do. In my experience, the fun ones are written by professional programmers, not malware writers, because they just cannot do away with their habit of structuring the data and code, making it multi-thread safe, etc.
Now an experienced malware reverse engineer, where did you start from? Do you have any solid math/programming background from where you moved on to malware reverse engineering? Or what would be the typical path?
Ivan: I have a software engineering background, and my math expertise is shaky at best. After having met so many people in this field, I can say confidently that there is no typical path beyond being passionate about the subject.
Denis: Personally I have a math/programming background, but I couldn’t agree more: it’s more about passion than any scientific education.
If you are reverse engineering malware, do you work as a team?
Ivan: While several researchers can investigate a campaign together, I usually work on samples alone. The time it takes to wrap up a case may vary between a week and several months, depending on the complexity of the investigation!
Denis: Reversing itself is not the task that is easy to distribute/parallel. In my experience, you would spend more time organizing the process than benefit from the work of several reversers. Typically, I do this part alone, but research is not limited to binary analysis: the quest, the sharing of previous experiences with the same malware/tools, and so forth — it is a team game.
What do you think about AI? Would it help to automate the reverse engineering work?
Ivan: I think at the moment it is still a lot more A than I. I keep hearing sales pitches about how it will revolutionize the infosec industry and I do not want to dismiss them outright. I am sure there are a number of tasks, such as malware classification, where AI could be helpful. Let’s see what the future brings!
Denis: OK, do you use any AI-based code similarity, for example? I do, and you know — my impression so far is we still need meat-based engineers who understand how it works to use it right.
How helpful is static analysis, considering the multiple advanced sandboxing solutions available today?
Ivan: Sandboxing and static analysis will always serve complementary purposes. Static analysis is fast and does not require running the sample. It is great to quickly gather information about what a program might do or for triage. Dynamic analysis takes longer, yields more details, but gives malware an opportunity to detect the sandboxed environment. Then, at the very end, you do static analysis again, which involves reverse-engineering the program with a disassembler and takes the longest. All have their uses.
Denis: Sometimes you need static analysis because of the multiple advanced anti-sandboxing tricks out there. You also reveal far more details through static analysis if you want to create better Yara rules or distinguish a specific part of custom code to attribute samples to specific developers. So it is up to you how deep the rabbit hole should be.

Tips on tools, IDA and other things

Do you contribute to Lumina server? Does Kaspersky have any similar public servers to help us during our analysis?
Ivan: My understanding is that Lumina is most helpful when used by a critical mass of users. As such, I do not think it would make sense to fragment the community across multiple servers. If you are willing to share metadata about the programs you are working on with third-parties, I would recommend to simply go with an Hex-Rays’ instance.
Denis: No, I have never contributed to Lumina so far. I don’t think it is going to be too popular for threat intelligence, but let us wait and see — public Yara repositories are there, so maybe code snippets might also meet the community’s needs.
What tools and techniques do you recommend for calculating the code similarity of samples? Is this possible with IDA Pro?
Ivan: For this, we have developed a commercial solution called KTAE. That’s what we regularly use internally.
Denis: Personally, I am using our KTAE. As far as I know, the creating of custom FLIRT signatures right in IDA could partially cover this need.
Is there any specific reason why you are using IDA under wine? Does it have anything to do with the type of samples you are analyzing?
Denis: I used to have Windows IDA licenses and Linux OS historically, so wine is my way of using disassembler. It does not affect your analysis anyway — choose any samples you want under any OS.
What is your favorite IDA Pro plugin and why?
Ivan: One of the internal plugins developed by Kaspersky. Other than that, I use x64dbgida regularly and have heard great things about Labeless.
Denis: For sure our internal plugins. And it’s not because of the authorship, they just perfectly meet our needs.
Do you have a plan to create/open an API so we can create our own processor modules for decompilers (like SLEIGH in Ghidra)? The goal being to analyze VM-based obfuscation.
Igor: Unlikely to happen in the near future but that’s something we’re definitely keeping in our minds.

If you have any more questions about Ivan’s workshop on the Cycldek-related tool or about the Targeted Malware Reverse Engineering online course, please feel free to drop us a line in the comments box below or contact us on Twitter: @JusticeRage, @legezo and @IgorSkochinsky. We will answer the rest of the questions in our next blogpost – stay tuned!

apple-malware.jpg

A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple’s new M1 chips and expand its features to steal confidential information from cryptocurrency apps. XCSSET came into the spotlight in August 2020 after it was found to spread via modified Xcode IDE projects,….

Sorin Mustaca’s aggregated IT Security News and articles about information security, vulnerabilities, exploits, patches, releases, software, features, hacks, laws, spam, viruses, malware, breaches.

Read the original article: Brit authorities could legally do an FBI and scrub malware from….

apple-malware.jpg

A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple’s new M1 chips and expand its features to steal confidential information from cryptocurrency apps.
XCSSET came into the spotlight in August 2020 after it was found to spread via modified Xcode IDE projects, which, upon the building, were configured to execute the payload. The malware repackages payload

Would love to know more, but at first glance this looks like a creative US Gov’t cyber intervention that is: – technically astute; – lawful, though some will understandably be uneasy; – going to reduce vulnerability to specific cyber harm. Please tell me what I’ve got wrong! https://t.

shutterstock_hand_scrubbing_brush.jpg

Would love to know more, but at first glance this looks like a creative US Gov’t cyber intervention that is: – technically astute; – lawful, though some will understandably be uneasy; – going to reduce vulnerability to specific cyber harm. Please tell me what I’ve got wrong! https://t.

shutterstock_hand_scrubbing_brush.jpg

Would move for The Greater Good™ actually be good, though?

Comment  UK authorities could lawfully copy the FBI and forcibly remove web shells from compromised Microsoft Exchange server deployments – but some members of the British infosec industry are remarkably quiet about whether this would be a good thing.…

kaspersky-rebranding-in-details-1.jpg

.

Gli esperti di Kaspersky hanno rilevato un codice dannoso nella versione 3.17.18 per il client ufficiale dell’app store APKPure. Ad oggi, la minaccia è stata rilevata e bloccata dai prodotti Kaspersky sui dispositivi di 9.380 utenti. Secondo i ricercatori il codice è stato rilevato….

whatsapp-pink-is-a-virus-spreading-throu

If installed; the fake and malicious WhatsApp pink app takes full control of a targeted device. An unusual baiting technique has appeared with the WhatsApp users receiving links that claim to turn the application’s theme from its trademark green to pink. Simultaneously, it also promises ‘‘new features” that have not been specified.

Two new, and relatively complex, phishing campaigns have been spotted using popular online collabotation tools to lure victims from high-value targets into downloading a malicious loader.

The tactics are relatively complex and convoluted, Sophos explained.

Experts warn of malware campaigns delivering the BazarLoader malware abusing popular collaboration tools like Slack and BaseCamp.

Since January, researchers observed malware campaigns delivering the BazarLoader malware abusing popular collaboration tools like Slack and BaseCamp. The campaigns aimed at employees of large organizations, the messages attempt to trick the victims that they contain important information relating to payroll, contracts, invoices, or customer service inquiries. 

At least in one campaign, threat actors also contacted the victims via phone as part of the attack chain

The BazarLoader malware is a downloader written in C++ that has been active at least since 2020, it was also used by Ryuk operators to gain a foothold in the target networks and then deploy the Ryuk ransomware.

“When a target was convinced to open the documents tied to the spam email, their computer quickly became infected with BazarLoader, which itself acts primarily as a delivery mechanism for other malware.” reads the analysis published by Sophos. “With a focus on targets in large enterprises, BazarLoader could potentially be used to mount a subsequent ransomware attack.”

BazarLoader message

Sophos researchers observed a spam sample that attempted to disguise itself as a notification that the employee had been laid off from their job.

The phishing messages include links pointing to Slack or BaseCamp cloud storage, for this reason, they don’t raise suspicion when are received by employees working at an organization that uses the above services.

The URL could be also obfuscated by using a URL shortening service to hide the fact that it points to a file with an .exe extension.

Upon clicking on the link, the BazarLoader malware will be download and executed on the victim’s machine.

Most of the links used in the campaign point directly to a digitally signed executable with an Adobe PDF graphic as its icon. Some of the files’ names observed by the experts are presentation-document.exe, preview-document-[number].exe or annualreport.exe.

Once executed the executable, it will inject a DLL payload into a legitimate process, such as the Windows command shell, cmd.exe.

“The malware, only running in memory, cannot be detected by an endpoint protection tool’s scans of the filesystem, as it never gets written to the filesystem. The files themselves don’t even use a legitimate .dll file suffix because Windows doesn’t seem to care that they have one; The OS runs the files regardless.” continues the analysis.

The second campaign, tracked as BazarCall campaign, began in February employs messages claiming that a free trial for an online service the recipient purportedly is currently using will expire in the following days and instruct the recipient into calling an embedded telephone number to opt-out of an expensive paid renewal.

Any way the messages don’t raise suspicion because they don’t include personal information, and don’t contain link and attachment files.

The website has a professional look and instructs the visitors into clicking a button to unsubscribe, then an Office document is provided that once opened starts the infection process.

“In this later form of attack, only people who called the telephone number were given a URL, and instructed to visit the website where they could unsubscribe from these notifications. The well-designed and professional looking websites bury an “unsubscribe” button in a page of frequently asked questions. Clicking that button delivers a malicious Office document (either a Word doc or an Excel spreadsheet) that, when opened, infects the computer with the same BazarLoader malware.” continues the analysis.

Researchers speculate both campaigns are associated with the same threat actors which are believed to be developed by the TrickBot operators.

The two samples of BazarLoader malware employed in the campaign use the same TrickBot infrastructure for command and control.

BazarLoader is not sophisticated, experts believe it is in an early stage of development.

“While early versions of the malware were not obfuscated, more recent samples appear to encrypt the strings that might reveal the malware’s intended use. BazarLoader appears to be in an early stage of development and isn’t as sophisticated as more mature families like Trickbot, but does seem to share some intriguing details in common.” concludes the report.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, BazarLoader malware)

The post Is BazarLoader malware linked to Trickbot operators? appeared first on Security Affairs.

C’est un rapport en guise de signal d’alerte. L’équipe Talos de Cisco a constaté que des cybercriminels ciblent de plus en plus les plateformes de discussions Discord et Slack pour procéder à leurs attaques. Ce choix ne doit rien au hasard et ces deux services ont connu une croissance très importante depuis le début de la pandémie.

cybersecurite.jpg

C’est un rapport en guise de signal d’alerte. L’équipe Talos de Cisco a constaté que des cybercriminels ciblent de plus en plus les plateformes de discussions Discord et Slack pour procéder à leurs attaques. Ce choix ne doit rien au hasard et ces deux services ont connu une croissance très importante depuis le début de la pandémie.

Cybersecurity experts at Trend Micro have recently found a new malicious campaign, through which threat actors can trap or infect its victims with its several sophisticated payloads. This new malicious campaign is entitled as “Operation Overtrap,” and analysts have asserted that the attackers are using the three-pronged attack in this campaign.

Operation%2BOvertrap.PNG?ssl=1

Cybersecurity experts at Trend Micro have recently found a new malicious campaign, through which threat actors can trap or infect its victims with its several sophisticated payloads. This new malicious campaign is entitled as “Operation Overtrap,” and analysts have asserted that the attackers are using the three-pronged attack in this campaign.

Sorin Mustaca’s aggregated IT Security News and articles about information security, vulnerabilities, exploits, patches, releases, software, features, hacks, laws, spam, viruses, malware, breaches.

Operation Overtrap – Hackers Attack Online Banking Users Via Bottle Exploit Kit & Banking Malware.

cropped-itsecuritynews.png

Sorin Mustaca’s aggregated IT Security News and articles about information security, vulnerabilities, exploits, patches, releases, software, features, hacks, laws, spam, viruses, malware, breaches.

Operation Overtrap – Hackers Attack Online Banking Users Via Bottle Exploit Kit & Banking Malware.

COVID-19-themed threats and Powershell malware are continue to surge, according to new research from McAfee. The cybersecurity firm released the McAfee Threats Report: April 2021, examining cybercriminal activity related to malware and the evolution of cyber threats in the third and fourth quarters of 2020.

flag.png

Original release date: April 15, 2021

CISA and the Department of Defense (DoD) Cyber National Mission Force (CNMF) have analyzed additional SolarWinds-related malware variants—referred to as SUNSHUTTLE and SOLARFLARE. One of the analyzed files was identified as a China Chopper webshell server-side component that was observed on a network with an active SUNSHUTTLE infection. The webshell can provide a cyber threat actor an alternative method of accessing a network, even if the SUNSHUTTLE infection was remediated.

The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR).

CISA encourages users and administrators to review Malware Analysis Report MAR-10327841-1.v1, U.S. Cyber Command’s VirusTotal page, and the following resources for more information: 

CISA web page: Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
CISA web page: Supply Chain Compromise
CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations

This product is provided subject to this Notification and this Privacy & Use policy.

flag.png

Original release date: April 15, 2021

CISA and the Department of Defense (DoD) Cyber National Mission Force (CNMF) have analyzed additional SolarWinds-related malware variants—referred to as SUNSHUTTLE and SOLARFLARE. One of the analyzed files was identified as a China Chopper webshell server-side component that was observed on a network with an active SUNSHUTTLE infection. The webshell can provide a cyber threat actor an alternative method of accessing a network, even if the SUNSHUTTLE infection was remediated.

The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR).

CISA encourages users and administrators to review Malware Analysis Report MAR-10327841-1.v1, U.S. Cyber Command’s VirusTotal page, and the following resources for more information: 

CISA web page: Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
CISA web page: Supply Chain Compromise
CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: April 15, 2021

CISA and the Department of Defense (DoD) Cyber National Mission Force (CNMF) have analyzed additional SolarWinds-related malware variants—referred to as SUNSHUTTLE and SOLARFLARE. One of the analyzed files was identified as a China Chopper webshell server-side component that was observed on a network with an active SUNSHUTTLE infection. The webshell can provide a cyber threat actor an alternative method of accessing a network, even if the SUNSHUTTLE infection was remediated.

The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR).

CISA encourages users and administrators to review Malware Analysis Report MAR-10327841-1.v1, U.S. Cyber Command’s VirusTotal page, and the following resources for more information: 

CISA web page: Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
CISA web page: Supply Chain Compromise
CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations

This product is provided subject to this Notification and this Privacy & Use policy.

What can we say about 2020 that hasn’t already been said? Beliefs were shaken. Values were questioned. Truths were tested. Then COVID happened and things really got crazy.

The World Health Organization declared the coronavirus outbreak a global pandemic on March 12, 2020. That same day cybersecurity got flipped on its head. 

Entire businesses had to transition from mostly in-person workforces to mostly remote. Even schools and hospitals transitioned to online instruction and virtual doctor visits. Sysadmins had to contend with more endpoints, spread across more locations, giving cybercriminals a whole lot of new ways to attack a network. And attack they did.

Heading into 2020, hackers mostly preferred sneak attacks powered by some form of automated malware like a Trojan, carrying a secondary payload, often ransomware. Several months later, hackers were bashing down the front door, favoring brute force attacks on Remote Desktop Protocol (RDP) clients. 

What a difference a year makes.

That got us thinking. In light of these dramatic changes to the threat landscape, what is the current state of trust and confidence when it comes to IT security professionals and their corporate endpoint protection?

The good news and bad news from the front line

The Malwarebytes SMB Cybersecurity Trust & Confidence Report 2021 is a first-of-its-kind survey of the hardworking IT professionals on the front lines of the fight against cyberthreats.

We spoke with 704 CIOs, IT directors, sysadmins, decision makers, and heads of security from businesses across the US, ranging in size from 50 to 999 employees. What did we find?

Let’s start with the good news.

In spite of everything that happened in 2020, stalwart SMBs remain confident that their endpoint protection can handle whatever threats come their way. The vast majority, 95 percent, say they trust their vendor to provide effective cybersecurity. At the same time, more than 90 percent also say their endpoint protection is effective and they’re confident it protects against dangerous threats. 

That’s some unusually high trust and confidence going on here. 

Could this be an example of security hubris (i.e., overconfidence in limited or untested security measures) or can we count on optimistic SMBs as a reliable barometer for overall trust and confidence in the world of technology and e-commerce?

That leads us to the bad news.

Almost half of SMBs, 47 percent, say the endpoint security products they hold in such high regard are very complex and hard to manage. And only a third, 36 percent, of SMBs expected those same endpoint security products to detect every single threat.

Going one step further, a full 56 percent of respondents said it’s not a matter of if but when their organization suffers a successful attack or breach.

Clearly, there’s some cognitive dissonance happening. What SMBs want to believe about their endpoint protection is at odds with what they’re actually experiencing.

We attempted to discover truth of the matter with even more questions:

Q: Are malware threats harder to stop than in years past?A: Definitely.

Q: Has your endpoint protection product ever failed to detect a threat?A: Uh-oh.

Q: Have you tested your endpoint protection product to see if it is detecting cyberthreats in the past 12 months?A: Mostly yes, but testing methods vary and each has its flaws.

Q: What’s at stake if your organization comes under any cyberattack?A: Depends on the size of the organization.

Q: Are you satisfied with the performance of the endpoint protection provider?A: Yes, with some serious caveats.

Q: How does your endpoint protection fall short?A: Reasons vary, but SMBs know a good deal when they see it.

Q: Do hackers prefer to target bigger organizations?A: Everyone thinks they’ve got a target on their back, regardless of size.

The complete answers to these questions and many more await curious readers in Malwarebytes’ SMB Cybersecurity Trust & Confidence Report 2021. 

Download the full report.

The post Malwarebytes releases SMB Cybersecurity Trust & Confidence Report 2021 appeared first on Malwarebytes Labs.

We released our Consumer Malware Protection Test. Any samples that have not been detected e.g. on-access are executed on the test system. A false alarm test is also included. While in the Real-World Protection Test the vector is the web, in the Malware Protection Test the vectors can be e.g. network drives, USB or cover scenarios where the malware is already […]

Der Beitrag Consumer Malware Protection Test March 2021 erschien zuerst auf AV-Comparatives.

data-privacy-law-computer-gavel-scales--

A rather remarkable story has emerged, setting the scene for lively debates about permissible system access. A press release from the US Department of Justice Judge has revealed that the FBI were granted permission to perform some tech support backdoor removal. Bizarrely, they did this without letting the admins know beforehand.

A campaign targeting vulnerable Exchange servers has left web shells scattered everywhere. Those shells are backdoors. They allow attackers to access and creep around inside the compromised networks. Additionally, it seems that not all shells were properly locked down. They fell foul to password reuse. This means criminals figuring out the passwords to other criminals’ web shells could also potentially access the compromised servers. Having those shells lying around on systems for such a long time isn’t a great thing to happen.

When calls to fix systems go unheeded

Despite repeated warnings, and even one-click tools from Microsoft aiming to mitigate the issue, and no small amount of patching, some vulnerable servers remained. Some organisations missed or ignored the mass-massaging about the threat. Or perhaps they just didn’t know what to do to fix the problem. It’s likely that some also patched the vulnerability without also finding and removing the web shells.

This means lots of compromised exchange servers all over the place, just waiting for illicit access to begin all over again. What do you do in this situation? We’ll get to that but before we do, let’s talk about the perils of getting involved in situations. Any situation.

Getting involved in situations. Any situation.

People love to help. Members of the public often get involved in security issues alongside professional researchers and organisations. They may give tip-offs, or send files over, and most commonly, do some work in anti-phishing. It’s fairly easy to do, has a steady stream of ready-made content in their mailboxes to check out, and there’s a lot of places to report it to.

The problem is when individuals who mean well take it a step further without taking appropriate security measures. For example, a popular past time is filling up phish pages with bogus data. This is done to slow down phishers by making their data worthless. If folks aren’t careful, issues can arise.

At the extreme end, the same goes for vigilante style takedown tactics / breaking into servers / deleting data or “hacking back”. It might feel good to wipe large quantities of illegal content from a server you’ve taken control of which belongs to very bad people. But the law of unintended consequences has a way of biting the hand that feeds it. Even if your commands have exactly the effect you expect (and how often does that happen?), in one fell swoop you may have ruined an already ongoing law enforcement investigation, scrubbed the evidence needed to put someone in jail, and now you’re on the wanted list for breaking into a server and doing things you shouldn’t have been.

When the golden rule is broken

The golden “don’t do this” rule is “don’t touch servers and devices you have no permission to access”. It’s a great rule and helps keep people from getting into trouble, and it’s the backbone of computer misuse laws in both the US and the UK.

Where it gets a bit less clear, is when law enforcement agencies are granted permission from a Judge to access previously compromised servers and change things (in this case by deleting web shells). As per the release:

“the FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”

The release mentions that “hundreds” of vulnerable computers had shells removed. These removals were done upfront with no knowledge of the system owners beforehand, according to the below:

The FBI is attempting to provide notice of the court-authorized operation to all owners or operators of the computers from which it removed the hacking group’s web shells. For those victims with publicly available contact information, the FBI will send an e-mail message from an official FBI e-mail account (@FBI.gov) notifying the victim of the search. For those victims whose contact information is not publicly available, the FBI will send an e-mail message from the same FBI e-mail account to providers (such as a victim’s ISP) who are believed to have that contact information and ask them to provide notice to the victim.

You weren’t home, so we left a message…sort of

It is rather alarming to think that a chunk of these system owners will probably go about their business for years to come with no idea the FBI stopped by to do a bit of digital tidying up. We also wonder how realistic it is to think ISPs will actually do some outreach. Even if they do, the business owners may think the mails are fake. Perhaps they’ll accept them as real, but still have no idea what to do about it. It’s surely unrealistic to think the ISPs will be able to take on an intermediary tech support role in all of this. If the goal is to have ISPs tell affected organisations to get in touch with the FBI directly, that’s still dependent on the victim not ignoring the ISP in the first place.

However you stack it up, it’s a bit of a mess.

“New” changes, a long time coming

The FBI requested a rule change for expanded access powers back in 2014, and it was granted in 2016. Essentially, we’ve known this would happen for some time but perhaps didn’t know quite what form it would take. While coverage of the proposed powers focused on “hacking” systems and talking about the issue in terms of offensive / surveillance capabilities, what we’ve ended up with is something a little different.

At the very least, I don’t think many expected the breakthrough story would be “they cleaned up compromised devices”. The question is, have we seen the opening of a Pandora’s box which really should have stayed shut?

General approval or generally derided?

Many of the arguments against this practice say there’s no real way to know if anything else on the servers was accessed or changed. There’s also the problem that solutions like this tend to breed their own additional complications. Just wait until scammers start pushing “FBI access required: problem detected” messages. It’ll be like the bad old days of fake antivirus pop-ups, except now the law enforcement mentioned is offering to help instead of send you to jail.

On the other hand: despite everyone’s best efforts to notify infected organisations and a massive splash of mainstream media coverage, it’s likely that lots of systems would simply have stayed compromised for a very long time to come if the FBI hadn’t done this. And it isn’t just the organisation that’s targeted that suffers, it’s everyone who depends on that organisation, and everyone who becomes a victim if the compromised system is used to launch further attacks.

So, where does the buck stop, and who specifically is going to stop it? Do you think this was a justified action? Is it acceptable in the most dire of situations, where no help is coming? Does it pave the way for overreach and the feeling your devices are under fire from all quarters?

We’d love to know what you think in the comments.

The post FBI shuts down malware on hundreds of Exchange servers, opens Pandora’s box appeared first on Malwarebytes Labs.

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Group, FIN6, NetWalker, OilRig, Rocke Group, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

acw-041321.png
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Iran’s APT34 Returns with an Updated Arsenal

(published: April 8, 2021)

Check Point Research discovered evidence of a new campaign by the Iranian threat group APT34. The threat group has been actively retooling and updating its payload arsenal to try and avoid detection. They have created several different malware variants whose ultimate purpose remained the same, to gain the initial foothold on the targeted device.
Analyst Comment: Threat actors are always innovating new methods and update tools used to carry out attacks. Always practice Defense in Depth (do not rely on single security mechanisms – security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] Exploitation of Remote Services – T1210 | [MITRE ATT&CK] Spearphishing Attachment – T1193 | [MITRE ATT&CK] Custom Cryptographic Protocol – T1024 | [MITRE ATT&CK] Web Service – T1102 | [MITRE ATT&CK] Remote File Copy – T1105 | [MITRE ATT&CK] Scripting – T1064
Tags: OilRig, APT34, DNSpionage, Lab Dookhtegan, TONEDEAF, Dookhtegan, Karkoff, DNSpionage, Government, Middle East

New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp

(published: April 7, 2021)

Check Point Research recently discovered Android malware on Google Play hidden in a fake application that is capable of spreading itself via users’ WhatsApp messages. The malware is capable of automatically replying to victim’s incoming WhatsApp messages with a payload received from a command-and-control (C2) server. This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more.
Analyst Comment: Users’ personal mobile has many enterprise applications installed like Multifactor Authenticator, Email Client, etc which increases the risk for the enterprise even further. Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups. The latest security patches should be installed for both applications and the operating system.
Tags: Android, FlixOnline, WhatsApp

New Cring ransomware hits unpatched Fortinet VPN devices

(published: April 7, 2021)

A new human-operated ransomware strain known as Cring is being exploited by Cring to breach and encrypt industrial sector companies’ networks. The attackers exploit Fortinet SSL VPN servers unpatched against the “CVE-2018-13379” vulnerability. The Cring operators drop customized Mimikatz samples, followed by CobaltStrike after gaining initial access and deploying the ransomware payloads.
Analyst Comment: Malicious actors continuously monitor the internet exposed system for known vulnerabilities. It’s important to install patches on those systems as soon as they are available. If possible internet access to such systems needs to be restricted to avoid exposure. Forensic analysis needs to be performed using tools such as Anomali Match to check if any attacks took place before patches were available.
MITRE ATT&CK: [MITRE ATT&CK] Scripting – T1064 | [MITRE ATT&CK] Valid Accounts – T1078
Tags: Ghost, CertUtil, Cobalt Strike, Mimikatz, CobaltStrike, CVE-2019-5591, CVE-2020-12812, CVE-2018-13379, Government, Military, EU, UK, North America

Rocke Group Actively Targeting the Cloud: Wants Your SSH Keys

(published: April 6, 2021)

Rocke Group is a Chinese-based threat actor most known for running cryptojacking malware on Linux machines. The group has been active since 2018 and continues to evolve by modifying its tools and techniques to stay evasive. In 2019, Intezer reported Rocke Group was competing with Pacha Group for cryptomining positioning on Linux-based servers in the cloud.
Analyst Comment: Use strong passwords for SSH, Jenkins, and Redis services. It is also highly recommended to use TLS authentication. Don’t reuse ssh keys. Restrict access to critical internal machines. Enable IPS to detect network scanning and password brute-forcing attempts
MITRE ATT&CK: [MITRE ATT&CK] Network Service Scanning – T1046 | [MITRE ATT&CK] Permission Groups Discovery – T1069 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] Timestomp – T1099 | [MITRE ATT&CK] Brute Force – T1110 | [MITRE ATT&CK] Masquerading – T1036 | [MITRE ATT&CK] Software Packing – T1045
Tags: kerberods, Pacha Group, Rocke Group, ROCKE GROUP, XMRig, CVE-2018-1000861, CVE-2019-1003000, CVE-2016-3088, China, Middle East

SAP Bugs Under Active Cyberattack, Causing Widespread Compromise

(published: April 6, 2021)

From mid-2020 until today, Onapsis researchers have recorded more than 300 successful exploit attempts on unprotected SAP instances. The activity originates from all over the world, including Hong Kong, India, Japan, the Netherlands, Singapore, South Korea, Taiwan, United States, Vietnam and Yemen. Actors are using the vulnerabilities to establish persistence, for privilege escalation, evasion and, ultimately, complete control of SAP systems, including financial, human capital management and supply-chain applications.
Analyst Comment: SAP is the most widely used enterprise application and it also hosts critical business & user data. According to data, SAP vulnerabilities are being weaponized in less than 72 hours since the release of patches, and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] Command-Line Interface – T1059
Tags: CRM, CVE-2010-5326, CVE-2020-6287, CVE-2018-2380, CVE-2016-3976, CVE-2016-9563, CVE-2020-6207, Banking And Finance, Government, Healthcare, EU, UK, North America, Middle East, SAP

Conti Gang Demands $40M Ransom from Florida School District

(published: April 6, 2021)

The Conti Gang has demanded a $40 million ransom from a Fort Lauderdale, Fla., school district. Attackers stole personal information from students and teachers, disrupted the district’s networks, and caused some services to be unavailable. The incident that was discovered on March 7 at Broward County Public Schools drew limited attention at the time of the attack. But new details have emerged on DataBreaches.net, which recently posted a screenshot of a chat between attackers and a school district official.
Analyst Comment: Educational institutions are among the public entities that have been compromised by ransomware gangs. In the case of schools, there’s little to no discretionary budget, and even core resources are underfunded. That’s usually a catch-22 situation for them as they can’t invest enough in their security & can’t afford to pay up a huge ransom in case they get attacked.
Tags: Conti Gang, money, Conti, Maze gang, NetWalker, Banking And Finance, Education, North America

Apple Mail Zero-Click Security Vulnerability Allows Email Snooping

(published: April 5, 2021)

A zero-click security vulnerability in Apple’s macOS Mail would allow a cyberattacker to add or modify any arbitrary file inside Mail’s sandbox environment. The bug could lead to unauthorized disclosure of sensitive information to a third party; the ability to modify a victim’s Mail configuration, including mail redirects which enables takeover of victim’s other accounts via password resets; and the ability to change the victim’s configuration so that the attack can propagate to correspondents in a worm-like fashion.
Analyst Comment: Vulnerabilities, where the exploit is possible without any user action, are more dangerous as they enable large-scale exploits. This vulnerability has been given a medium severity score as it only allows manipulation of files in $HOME/Library/Mail directory.
MITRE ATT&CK: [MITRE ATT&CK] Email Collection – T1114
Tags: CVE-2020-9922, Apple, macOS, vulnerability

LinkedIn Spear-Phishing Campaign Targets Job Hunters

(published: April 5, 2021)

A threat group called Golden Chickens is delivering the fileless backdoor more_eggs through a spear-phishing campaign targeting professionals on LinkedIn with fake job offers, according to researchers at eSentire. The phishing emails try to trick a victim into clicking on a malicious ZIP file by picking up the victim’s current job title and adding the word ‘position’ at the end, making it appear like a legitimate offer. The group is also selling more_eggs as malware-as-a-service to other cybercriminals, who use it to gain a foothold in victim’s systems to install other types of malware, including banking malware and ransomware.
Analyst Comment: The goal of this spearphishing campaign seems to be targeting people looking for job change rather than people who lost their job. During the work-from-home state we are in, personal and organization devices coexist on the same network. Compromising such user devices can enable access to critical organization data & infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link – T1192 | [MITRE ATT&CK] Permission Groups Discovery – T1069 | [MITRE ATT&CK] Remote File Copy – T1105 | [MITRE ATT&CK] Valid Accounts – T1078
Tags: Cobalt Group, Golden Chickens, FIN6, More_Eggs, Evilnum, Banking And Finance, Healthcare

Check Point Research reports that IcedID has entered the global malware index for the first time, taking second place, after exploiting the Covid-19 pandemic to lure new victims Check Point Research’s (CPR) latest Global Threat Index for March 2021 has revealed that the banking trojan IcedID has entered the Index for the first time, taking…

The post March 2021’s Most Wanted Malware: IcedID Banking Trojan Enters Top 10 Following Covid-Related Campaign appeared first on Check Point Software.

Check Point Research reports that IcedID has entered the global malware index for the first time, taking second place, after exploiting the Covid-19 pandemic to lure new victims Check Point Research’s (CPR) latest Global Threat Index for March 2021 has revealed that the banking trojan IcedID has entered the Index for the first time, taking…

The post March 2021’s Most Wanted Malware: IcedID Banking Trojan Enters Top 10 Following Covid-Related Campaign appeared first on Check Point Software.

The McAfee Advanced Threat Research team today published the McAfee Labs Threats Report: April 2021.

In this edition, we present new findings in our traditional threat statistical categories – as well as our usual malware, sectors, and vectors – imparted in a new, enhanced digital presentation that’s more easily consumed and interpreted.

Historically, our reports detailed the volume of key threats, such as “what is in the malware zoo.” The introduction of MVISION Insights in 2020 has since made it possible to track the prevalence of campaigns, as well as, their associated IoCs, and determine the in-field detections. This latest report incorporates not only the malware zoo but new analysis for what is being detected in the wild.

The Q3 and Q4 2020 findings include:

COVID-19-themed cyber-attack detections increased 114%
New malware samples averaging 648 new threats per minute
1 million external attacks observed against MVISION Cloud user accounts
Powershell threats spiked 208%
Mobile malware surged 118%

Additional Q3 and Q4 2020 content includes:

Leading MITRE ATT&CK techniques
Prominent exploit vulnerabilities
McAfee research of the prolific SUNBURST/SolarWinds campaign

These new, insightful additions really make for a bumper report! We hope you find this new McAfee Labs threat report presentation and data valuable.

Don’t forget keep track of the latest campaigns and continuing threat coverage by visiting our McAfee COVID-19 Threats Dashboard and the MVISION Insights preview dashboard.

The post McAfee Labs Report Reveals Latest COVID-19 Threats and Malware Surges appeared first on McAfee Blogs.

It’s easy to get wrapped up worry about large-scale ransomware attacks on the threat landscape. These are the types of attacks that make headlines and strike fear into the hearts of CISOs everywhere. But if you want to defend the truly prolific and widespread threats that target some of the devices…

[[ This is only the beginning! Please visit the blog for the complete entry ]]

OQ6gbAj6ufi4qy0zWkwSPk_fIP-JiHlAeHAp3CsS

It’s easy to get wrapped up worry about large-scale ransomware attacks on the threat landscape. These are the types of attacks that make headlines and strike fear into the hearts of CISOs everywhere. But if you want to defend the truly prolific and widespread threats that target some of the devices…

[[ This is only the beginning! Please visit the blog for the complete entry ]]

OQ6gbAj6ufi4qy0zWkwSPk_fIP-JiHlAeHAp3CsS

It’s easy to get wrapped up worry about large-scale ransomware attacks on the threat landscape. These are the types of attacks that make headlines and strike fear into the hearts of CISOs everywhere. But if you want to defend the truly prolific and widespread threats that target some of the devices…

[[ This is only the beginning! Please visit the blog for the complete entry ]]

Microsoft threat analysts have been tracking activity where contact forms published on websites are abused to deliver malicious links to enterprises using emails with fake legal threats. The emails instruct recipients to click a link to review supposed evidence behind their allegations, but are instead led to the download of IcedID, an info-stealing malware. Microsoft Defender for Office 365 detects and blocks these emails and protects organizations from this threat.

In this blog, we showcase our analysis on this unique attack and how the techniques behind it help attackers with their malicious goals of finding new ways to infect systems. This threat is notable because:

Attackers are abusing legitimate infrastructure, such as websites’ contact forms, to bypass protections, making this threat highly evasive. In addition, attackers use legitimate URLs, in this case Google URLs that require targets to sign in with their Google credentials.
The emails are being used to deliver the IcedID malware, which can be used for reconnaissance and data exfiltration, and can lead to additional malware payloads, including ransomware.
This threat shows attackers are always on the hunt for attack paths for infiltrating networks, and they often target services exposed to the internet. Organizations must ensure they have protections against such threats.

While this specific campaign delivers the IcedID malware, the delivery method can be used to distribute a wide range of other malware, which can in turn introduce other threats to the enterprise. IcedID itself is a banking trojan that has evolved to become an entry point for more sophisticated threats, including human-operated ransomware. It connects to a command-and-control server and downloads additional implants and tools that allow attackers to perform hands-on-keyboard attacks, steal credentials, and move laterally across affected networks to delivering additional payloads.

We continue to actively investigate this threat and work with partners to ensure that customers are protected. We have already alerted security groups at Google to bring attention to this threat as it takes advantage of Google URLs.

Microsoft 365 Defender defends organizations by using advanced technologies informed by Microsoft Defender for Office 365 and backed by security experts. Microsoft 365 Defender correlates signals on malicious emails, URLs, and files to deliver coordinated defense against evasive threats, their payloads, and their spread across networks.

Microsoft Defender for Office 365 supports organizations throughout an attack’s lifecycle, from prevention and detection to investigation, hunting, and remediation–effectively protecting users through a coordinated defense framework.

Tracking malicious content in contact forms

Websites typically contain contact form pages as a way to allow site visitors to communicate with site owners, removing the necessity to reveal their email address to potential spammers.

However, in this campaign, we observed an influx of contact form emails targeted at enterprises by means of abusing companies’ contact forms. This indicates that attackers may have used a tool that automates this process while circumventing CAPTCHA protections.

Figure 1. Sample contact form that attackers take advantage of by filling in malicious content, which gets delivered to the target enterprises

In this campaign, we tracked that the malicious email that arrives in the recipient’s inbox from the contact form query appears trustworthy as it was sent from trusted email marketing systems, further confirming its legitimacy while evading detection. As the emails are originating from the recipient’s own contact form on their website, the email templates match what they would expect from an actual customer interaction or inquiry.

As attackers fill out and submit the web-based form, an email message is generated to the associated contact form recipient or targeted enterprise, containing the attacker-generated message. The message uses strong and urgent language (“Download it right now and check this out for yourself”), and pressures the recipient to act immediately, ultimately compelling recipients to click the links to avoid supposed legal action.

Figure 2. A sample email delivered via contact forms that contain malicious content added by attackers

Along with the fake legal threats written in the comments, the message content also includes a link to a sites.google.com page to view the alleged stolen photos for the recipient to view.

Clicking the link brings the recipient to a Google page that requires them to sign in with their Google credentials. Because of this added authentication layer, detection technologies may fail in identifying the email as malicious altogether.

After the email recipient signs in, the sites.google.com page automatically downloads a malicious ZIP file, which contains a heavily obfuscated .js file. The malicious .js file is executed via WScript to create a shell object for launching PowerShell to download the IcedID payload (a .dat file), which is decrypted by a dropped DLL loader, as well as a Cobalt Strike beacon in the form of a stageless DLL, allowing attackers to remotely control the compromised device.

The downloaded .dat file loads via the rundll32 executable. The rundll32 executable then launches numerous commands related to the following info-stealing capabilities:

Machine discovery
Obtaining machine AV info
Getting IP and system information
Domain information
Dropping SQLite for accessing credentials stored in browser databases

Contact form email campaign attack chains lead to IcedID malware

The diagram in Figure 3 provides a broad illustration of how attackers carry out these malicious email campaigns, starting from identifying their targets’ contact forms and ending with the IcedID malware payload.

Figure 3. Contact form attack chain results in the IcedID payload

We noted a primary and secondary attack chain under the execution and persistence stages. The primary attack chain follows an attack flow from downloading malicious .zip file from the sites.google.com link, all the way to the IcedID payload. The secondary attack chain, on the other hand, appears to be a backup attack flow for when the sites.google.com page in the primary attack chain has already been taken down.

In the secondary chain, users are redirected to a .top domain, while inadvertently accessing a Google User Content page, which downloads the malicious .ZIP file. Further analysis reveals that the forms contain malicious sites.google.com links that download the IcedID malware.

When run, IcedID connects to a command-and-control server to download modules that run its primary function of capturing and exfiltrating banking credentials and other information. It achieves persistence via schedule tasks. It also downloads implants like Cobalt Strike and other tools, which allow remote attackers to run malicious activities on the compromised system, including collecting additional credentials, moving laterally, and delivering secondary payloads.

Using legal threats as a social engineering tactic

This campaign is not only successful because it takes advantage of legitimate contact form emails, but the message content also passes as something that recipients would expect to receive. This creates a high risk of attackers successfully delivering email to inboxes, thereby allowing for “safe” emails that would otherwise be filtered out into spam folders.

In the samples we found, attackers used legal threats as a scare tactic while claiming that the recipients allegedly used their images or illustrations without their consent, and that legal action will be taken against them. There is also a heightened sense of urgency in the email wording, with phrases such as “you could be sued,” and “it’s not legal.” It’s a sly and devious approach since everything else about this email is authentic and legitimate.

We observed more emails sent by attackers on other contact forms that contain similar wording around legal threats. The messages consistently mention a copyright claim lure by a photographer, illustrator, or designer with the same urgency to click the sites.google.com link.

Figure 4. Samples of contact form emails that use the photographer copyright lure with a sites.gooogle.com link

In a typical contact form, users are required to input their name, email address, and a message or comment. In the samples we obtained, attackers used fake names that start with “Mel,” such as “Melanie” or “Meleena,” and used a standard format for their fake email addresses that include a portion of their fake name + words associated photography + three numbers. Some examples include:

mphotographer550@yahoo.com
mephotographer890@hotmail.com
mgallery487@yahoo.com
mephoto224@hotmail.com
megallery736@aol.com
mshot373@yahoo.com

Defending against sophisticated attacks through coordinated defense

As this research shows, adversaries remain motivated to find new ways to deliver malicious email to enterprises with the clear intent to evade detection. The scenarios we observed offer a serious glimpse into how sophisticated attackers’ techniques have grown, while maintaining the goal of delivering dangerous malware payloads such as IcedID. Their use of submission forms is notable because the emails don’t have the typical marks of malicious messages and are seemingly legitimate.

To protect customers from this highly evasive campaign, Microsoft Defender for Office 365 inspects the email body and URL for known patterns. Defender for Office 365 enables this by leveraging its deep visibility into email threats and advanced detection technologies powered by AI and machine learning, backed by Microsoft experts who constantly monitor the threat landscape for new attacker tools and techniques. Expert monitoring is especially critical in detecting this campaign given the delivery method and the nature of the malicious emails.

In addition, the protection delivered by Microsoft Defender for Office 365 is enriched by signals from other Microsoft 365 Defender services, which detect other components of this attack. For example, Microsoft Defender for Endpoint detects the IcedID payload and surfaces this intelligence across Microsoft 365 Defender. With its cross-domain optics, Microsoft 365 Defender correlates threat data on files, URLs, and emails to provide end-to-end visibility into attack chains. This allows us to trace detections of malware and malicious behavior to the delivery method, in this case, legitimate-looking emails, enabling us to build comprehensive and durable protections, even as attackers continue to tweak their campaigns to further evade detection.

By running custom queries using advanced hunting in Microsoft 365 Defender, customers can proactively locate threats related to this attack.

To locate emails that may be related to this activity, run the following query:

EmailUrlInfo
| where Url matches regex @”bsites.google.com/view/(?:id)?d{9,}b”
| join EmailEvents on NetworkMessageId
// Note: Replace the following subject lines with the one generated by your website’s Contact submission form if no results return initially
| where Subject has_any(‘Contact Us’, ‘New Submission’, ‘Contact Form’, ‘Form submission’)

To find malicious downloads associated with this threat, run the following query:

DeviceFileEvents
| where InitiatingProcessFileName in~(“msedge.exe”, “chrome.exe”, “explorer.exe”, “7zFM.exe”, “firefox.exe”, “browser_broker.exe”)
| where FileOriginReferrerUrl has “.php” and FileOriginReferrerUrl has “.top” and FileOriginUrl  has_any(“googleusercontent”, “google”, “docs”)

As this attack abuses legitimate services, it’s also important for customers to review mail flow rules to check for broad exceptions, such those related to IP ranges and domain-level allow lists, that may be letting these emails through.

We also encourage customers to continuously build organizational resilience against email threats by educating users about identifying social engineering attacks and preventing malware infection. Use Attack simulation training in Microsoft Defender for Office 365 to run attack scenarios, increase user awareness, and empower employees to recognize and report these attacks.

 

Emily Hacker with Justin Carroll
Microsoft 365 Defender Threat Intelligence Team

The post Investigating a unique “form” of email delivery for IcedID malware appeared first on Microsoft Security.

Microsoft threat analysts have been tracking activity where contact forms published on websites are abused to deliver malicious links to enterprises using emails with fake legal threats. The emails instruct recipients to click a link to review supposed evidence behind their allegations, but are instead led to the download of IcedID, an info-stealing malware. Microsoft Defender for Office 365 detects and blocks these emails and protects organizations from this threat.

In this blog, we showcase our analysis on this unique attack and how the techniques behind it help attackers with their malicious goals of finding new ways to infect systems. This threat is notable because:

Attackers are abusing legitimate infrastructure, such as websites’ contact forms, to bypass protections, making this threat highly evasive. In addition, attackers use legitimate URLs, in this case Google URLs that require targets to sign in with their Google credentials.
The emails are being used to deliver the IcedID malware, which can be used for reconnaissance and data exfiltration, and can lead to additional malware payloads, including ransomware.
This threat shows attackers are always on the hunt for attack paths for infiltrating networks, and they often target services exposed to the internet. Organizations must ensure they have protections against such threats.

While this specific campaign delivers the IcedID malware, the delivery method can be used to distribute a wide range of other malware, which can in turn introduce other threats to the enterprise. IcedID itself is a banking trojan that has evolved to become an entry point for more sophisticated threats, including human-operated ransomware. It connects to a command-and-control server and downloads additional implants and tools that allow attackers to perform hands-on-keyboard attacks, steal credentials, and move laterally across affected networks to delivering additional payloads.

We continue to actively investigate this threat and work with partners to ensure that customers are protected. We have already alerted security groups at Google to bring attention to this threat as it takes advantage of Google URLs.

Microsoft 365 Defender defends organizations by using advanced technologies informed by Microsoft Defender for Office 365 and backed by security experts. Microsoft 365 Defender correlates signals on malicious emails, URLs, and files to deliver coordinated defense against evasive threats, their payloads, and their spread across networks.

Microsoft Defender for Office 365 supports organizations throughout an attack’s lifecycle, from prevention and detection to investigation, hunting, and remediation–effectively protecting users through a coordinated defense framework.

Tracking malicious content in contact forms

Websites typically contain contact form pages as a way to allow site visitors to communicate with site owners, removing the necessity to reveal their email address to potential spammers.

However, in this campaign, we observed an influx of contact form emails targeted at enterprises by means of abusing companies’ contact forms. This indicates that attackers may have used a tool that automates this process while circumventing CAPTCHA protections.

Figure 1. Sample contact form that attackers take advantage of by filling in malicious content, which gets delivered to the target enterprises

In this campaign, we tracked that the malicious email that arrives in the recipient’s inbox from the contact form query appears trustworthy as it was sent from trusted email marketing systems, further confirming its legitimacy while evading detection. As the emails are originating from the recipient’s own contact form on their website, the email templates match what they would expect from an actual customer interaction or inquiry.

As attackers fill out and submit the web-based form, an email message is generated to the associated contact form recipient or targeted enterprise, containing the attacker-generated message. The message uses strong and urgent language (“Download it right now and check this out for yourself”), and pressures the recipient to act immediately, ultimately compelling recipients to click the links to avoid supposed legal action.

Figure 2. A sample email delivered via contact forms that contain malicious content added by attackers

Along with the fake legal threats written in the comments, the message content also includes a link to a sites.google.com page to view the alleged stolen photos for the recipient to view.

Clicking the link brings the recipient to a Google page that requires them to sign in with their Google credentials. Because of this added authentication layer, detection technologies may fail in identifying the email as malicious altogether.

After the email recipient signs in, the sites.google.com page automatically downloads a malicious ZIP file, which contains a heavily obfuscated .js file. The malicious .js file is executed via WScript to create a shell object for launching PowerShell to download the IcedID payload (a .dat file), which is decrypted by a dropped DLL loader, as well as a Cobalt Strike beacon in the form of a stageless DLL, allowing attackers to remotely control the compromised device.

The downloaded .dat file loads via the rundll32 executable. The rundll32 executable then launches numerous commands related to the following info-stealing capabilities:

Machine discovery
Obtaining machine AV info
Getting IP and system information
Domain information
Dropping SQLite for accessing credentials stored in browser databases

Contact form email campaign attack chains lead to IcedID malware

The diagram in Figure 3 provides a broad illustration of how attackers carry out these malicious email campaigns, starting from identifying their targets’ contact forms and ending with the IcedID malware payload.

Figure 3. Contact form attack chain results in the IcedID payload

We noted a primary and secondary attack chain under the execution and persistence stages. The primary attack chain follows an attack flow from downloading malicious .zip file from the sites.google.com link, all the way to the IcedID payload. The secondary attack chain, on the other hand, appears to be a backup attack flow for when the sites.google.com page in the primary attack chain has already been taken down.

In the secondary chain, users are redirected to a .top domain, while inadvertently accessing a Google User Content page, which downloads the malicious .ZIP file. Further analysis reveals that the forms contain malicious sites.google.com links that download the IcedID malware.

When run, IcedID connects to a command-and-control server to download modules that run its primary function of capturing and exfiltrating banking credentials and other information. It achieves persistence via schedule tasks. It also downloads implants like Cobalt Strike and other tools, which allow remote attackers to run malicious activities on the compromised system, including collecting additional credentials, moving laterally, and delivering secondary payloads.

Using legal threats as a social engineering tactic

This campaign is not only successful because it takes advantage of legitimate contact form emails, but the message content also passes as something that recipients would expect to receive. This creates a high risk of attackers successfully delivering email to inboxes, thereby allowing for “safe” emails that would otherwise be filtered out into spam folders.

In the samples we found, attackers used legal threats as a scare tactic while claiming that the recipients allegedly used their images or illustrations without their consent, and that legal action will be taken against them. There is also a heightened sense of urgency in the email wording, with phrases such as “you could be sued,” and “it’s not legal.” It’s a sly and devious approach since everything else about this email is authentic and legitimate.

We observed more emails sent by attackers on other contact forms that contain similar wording around legal threats. The messages consistently mention a copyright claim lure by a photographer, illustrator, or designer with the same urgency to click the sites.google.com link.

Figure 4. Samples of contact form emails that use the photographer copyright lure with a sites.gooogle.com link

In a typical contact form, users are required to input their name, email address, and a message or comment. In the samples we obtained, attackers used fake names that start with “Mel,” such as “Melanie” or “Meleena,” and used a standard format for their fake email addresses that include a portion of their fake name + words associated photography + three numbers. Some examples include:

mphotographer550@yahoo.com
mephotographer890@hotmail.com
mgallery487@yahoo.com
mephoto224@hotmail.com
megallery736@aol.com
mshot373@yahoo.com

Defending against sophisticated attacks through coordinated defense

As this research shows, adversaries remain motivated to find new ways to deliver malicious email to enterprises with the clear intent to evade detection. The scenarios we observed offer a serious glimpse into how sophisticated attackers’ techniques have grown, while maintaining the goal of delivering dangerous malware payloads such as IcedID. Their use of submission forms is notable because the emails don’t have the typical marks of malicious messages and are seemingly legitimate.

To protect customers from this highly evasive campaign, Microsoft Defender for Office 365 inspects the email body and URL for known patterns. Defender for Office 365 enables this by leveraging its deep visibility into email threats and advanced detection technologies powered by AI and machine learning, backed by Microsoft experts who constantly monitor the threat landscape for new attacker tools and techniques. Expert monitoring is especially critical in detecting this campaign given the delivery method and the nature of the malicious emails.

In addition, the protection delivered by Microsoft Defender for Office 365 is enriched by signals from other Microsoft 365 Defender services, which detect other components of this attack. For example, Microsoft Defender for Endpoint detects the IcedID payload and surfaces this intelligence across Microsoft 365 Defender. With its cross-domain optics, Microsoft 365 Defender correlates threat data on files, URLs, and emails to provide end-to-end visibility into attack chains. This allows us to trace detections of malware and malicious behavior to the delivery method, in this case, legitimate-looking emails, enabling us to build comprehensive and durable protections, even as attackers continue to tweak their campaigns to further evade detection.

By running custom queries using advanced hunting in Microsoft 365 Defender, customers can proactively locate threats related to this attack.

To locate emails that may be related to this activity, run the following query:

EmailUrlInfo
| where Url matches regex @”bsites.google.com/view/(?:id)?d{9,}b”
| join EmailEvents on NetworkMessageId
// Note: Replace the following subject lines with the one generated by your website’s Contact submission form if no results return initially
| where Subject has_any(‘Contact Us’, ‘New Submission’, ‘Contact Form’, ‘Form submission’)

To find malicious downloads associated with this threat, run the following query:

DeviceFileEvents
| where InitiatingProcessFileName in~(“msedge.exe”, “chrome.exe”, “explorer.exe”, “7zFM.exe”, “firefox.exe”, “browser_broker.exe”)
| where FileOriginReferrerUrl has “.php” and FileOriginReferrerUrl has “.top” and FileOriginUrl  has_any(“googleusercontent”, “google”, “docs”)

As this attack abuses legitimate services, it’s also important for customers to review mail flow rules to check for broad exceptions, such those related to IP ranges and domain-level allow lists, that may be letting these emails through.

We also encourage customers to continuously build organizational resilience against email threats by educating users about identifying social engineering attacks and preventing malware infection. Use Attack simulation training in Microsoft Defender for Office 365 to run attack scenarios, increase user awareness, and empower employees to recognize and report these attacks.

 

Emily Hacker with Justin Carroll
Microsoft 365 Defender Threat Intelligence Team

The post Investigating a unique “form” of email delivery for IcedID malware appeared first on Microsoft Security.

Microsoft threat analysts have been tracking activity where contact forms published on websites are abused to deliver malicious links to enterprises using emails with fake legal threats. The emails instruct recipients to click a link to review supposed evidence behind their allegations, but are instead led to the download of IcedID, an info-stealing malware. Microsoft Defender for Office 365 detects and blocks these emails and protects organizations from this threat.

In this blog, we showcase our analysis on this unique attack and how the techniques behind it help attackers with their malicious goals of finding new ways to infect systems. This threat is notable because:

Attackers are abusing legitimate infrastructure, such as websites’ contact forms, to bypass protections, making this threat highly evasive. In addition, attackers use legitimate URLs, in this case Google URLs that require targets to sign in with their Google credentials.
The emails are being used to deliver the IcedID malware, which can be used for reconnaissance and data exfiltration, and can lead to additional malware payloads, including ransomware.
This threat shows attackers are always on the hunt for attack paths for infiltrating networks, and they often target services exposed to the internet. Organizations must ensure they have protections against such threats.

While this specific campaign delivers the IcedID malware, the delivery method can be used to distribute a wide range of other malware, which can in turn introduce other threats to the enterprise. IcedID itself is a banking trojan that has evolved to become an entry point for more sophisticated threats, including human-operated ransomware. It connects to a command-and-control server and downloads additional implants and tools that allow attackers to perform hands-on-keyboard attacks, steal credentials, and move laterally across affected networks to delivering additional payloads.

We continue to actively investigate this threat and work with partners to ensure that customers are protected. We have already alerted security groups at Google to bring attention to this threat as it takes advantage of Google URLs.

Microsoft 365 Defender defends organizations by using advanced technologies informed by Microsoft Defender for Office 365 and backed by security experts. Microsoft 365 Defender correlates signals on malicious emails, URLs, and files to deliver coordinated defense against evasive threats, their payloads, and their spread across networks.

Microsoft Defender for Office 365 supports organizations throughout an attack’s lifecycle, from prevention and detection to investigation, hunting, and remediation–effectively protecting users through a coordinated defense framework.

Tracking malicious content in contact forms

Websites typically contain contact form pages as a way to allow site visitors to communicate with site owners, removing the necessity to reveal their email address to potential spammers.

However, in this campaign, we observed an influx of contact form emails targeted at enterprises by means of abusing companies’ contact forms. This indicates that attackers may have used a tool that automates this process while circumventing CAPTCHA protections.

Figure 1. Sample contact form that attackers take advantage of by filling in malicious content, which gets delivered to the target enterprises

In this campaign, we tracked that the malicious email that arrives in the recipient’s inbox from the contact form query appears trustworthy as it was sent from trusted email marketing systems, further confirming its legitimacy while evading detection. As the emails are originating from the recipient’s own contact form on their website, the email templates match what they would expect from an actual customer interaction or inquiry.

As attackers fill out and submit the web-based form, an email message is generated to the associated contact form recipient or targeted enterprise, containing the attacker-generated message. The message uses strong and urgent language (“Download it right now and check this out for yourself”), and pressures the recipient to act immediately, ultimately compelling recipients to click the links to avoid supposed legal action.

Figure 2. A sample email delivered via contact forms that contain malicious content added by attackers

Along with the fake legal threats written in the comments, the message content also includes a link to a sites.google.com page to view the alleged stolen photos for the recipient to view.

Clicking the link brings the recipient to a Google page that requires them to sign in with their Google credentials. Because of this added authentication layer, detection technologies may fail in identifying the email as malicious altogether.

After the email recipient signs in, the sites.google.com page automatically downloads a malicious ZIP file, which contains a heavily obfuscated .js file. The malicious .js file is executed via WScript to create a shell object for launching PowerShell to download the IcedID payload (a .dat file), which is decrypted by a dropped DLL loader, as well as a Cobalt Strike beacon in the form of a stageless DLL, allowing attackers to remotely control the compromised device.

The downloaded .dat file loads via the rundll32 executable. The rundll32 executable then launches numerous commands related to the following info-stealing capabilities:

Machine discovery
Obtaining machine AV info
Getting IP and system information
Domain information
Dropping SQLite for accessing credentials stored in browser databases

Contact form email campaign attack chains lead to IcedID malware

The diagram in Figure 3 provides a broad illustration of how attackers carry out these malicious email campaigns, starting from identifying their targets’ contact forms and ending with the IcedID malware payload.

Figure 3. Contact form attack chain results in the IcedID payload

We noted a primary and secondary attack chain under the execution and persistence stages. The primary attack chain follows an attack flow from downloading malicious .zip file from the sites.google.com link, all the way to the IcedID payload. The secondary attack chain, on the other hand, appears to be a backup attack flow for when the sites.google.com page in the primary attack chain has already been taken down.

In the secondary chain, users are redirected to a .top domain, while inadvertently accessing a Google User Content page, which downloads the malicious .ZIP file. Further analysis reveals that the forms contain malicious sites.google.com links that download the IcedID malware.

When run, IcedID connects to a command-and-control server to download modules that run its primary function of capturing and exfiltrating banking credentials and other information. It achieves persistence via schedule tasks. It also downloads implants like Cobalt Strike and other tools, which allow remote attackers to run malicious activities on the compromised system, including collecting additional credentials, moving laterally, and delivering secondary payloads.

Using legal threats as a social engineering tactic

This campaign is not only successful because it takes advantage of legitimate contact form emails, but the message content also passes as something that recipients would expect to receive. This creates a high risk of attackers successfully delivering email to inboxes, thereby allowing for “safe” emails that would otherwise be filtered out into spam folders.

In the samples we found, attackers used legal threats as a scare tactic while claiming that the recipients allegedly used their images or illustrations without their consent, and that legal action will be taken against them. There is also a heightened sense of urgency in the email wording, with phrases such as “you could be sued,” and “it’s not legal.” It’s a sly and devious approach since everything else about this email is authentic and legitimate.

We observed more emails sent by attackers on other contact forms that contain similar wording around legal threats. The messages consistently mention a copyright claim lure by a photographer, illustrator, or designer with the same urgency to click the sites.google.com link.

Figure 4. Samples of contact form emails that use the photographer copyright lure with a sites.gooogle.com link

In a typical contact form, users are required to input their name, email address, and a message or comment. In the samples we obtained, attackers used fake names that start with “Mel,” such as “Melanie” or “Meleena,” and used a standard format for their fake email addresses that include a portion of their fake name + words associated photography + three numbers. Some examples include:

mphotographer550@yahoo.com
mephotographer890@hotmail.com
mgallery487@yahoo.com
mephoto224@hotmail.com
megallery736@aol.com
mshot373@yahoo.com

Defending against sophisticated attacks through coordinated defense

As this research shows, adversaries remain motivated to find new ways to deliver malicious email to enterprises with the clear intent to evade detection. The scenarios we observed offer a serious glimpse into how sophisticated attackers’ techniques have grown, while maintaining the goal of delivering dangerous malware payloads such as IcedID. Their use of submission forms is notable because the emails don’t have the typical marks of malicious messages and are seemingly legitimate.

To protect customers from this highly evasive campaign, Microsoft Defender for Office 365 inspects the email body and URL for known patterns. Defender for Office 365 enables this by leveraging its deep visibility into email threats and advanced detection technologies powered by AI and machine learning, backed by Microsoft experts who constantly monitor the threat landscape for new attacker tools and techniques. Expert monitoring is especially critical in detecting this campaign given the delivery method and the nature of the malicious emails.

In addition, the protection delivered by Microsoft Defender for Office 365 is enriched by signals from other Microsoft 365 Defender services, which detect other components of this attack. For example, Microsoft Defender for Endpoint detects the IcedID payload and surfaces this intelligence across Microsoft 365 Defender. With its cross-domain optics, Microsoft 365 Defender correlates threat data on files, URLs, and emails to provide end-to-end visibility into attack chains. This allows us to trace detections of malware and malicious behavior to the delivery method, in this case, legitimate-looking emails, enabling us to build comprehensive and durable protections, even as attackers continue to tweak their campaigns to further evade detection.

By running custom queries using advanced hunting in Microsoft 365 Defender, customers can proactively locate threats related to this attack.

To locate emails that may be related to this activity, run the following query:

EmailUrlInfo
| where Url matches regex @”bsites.google.com/view/(?:id)?d{9,}b”
| join EmailEvents on NetworkMessageId
// Note: Replace the following subject lines with the one generated by your website’s Contact submission form if no results return initially
| where Subject has_any(‘Contact Us’, ‘New Submission’, ‘Contact Form’, ‘Form submission’)

To find malicious downloads associated with this threat, run the following query:

DeviceFileEvents
| where InitiatingProcessFileName in~(“msedge.exe”, “chrome.exe”, “explorer.exe”, “7zFM.exe”, “firefox.exe”, “browser_broker.exe”)
| where FileOriginReferrerUrl has “.php” and FileOriginReferrerUrl has “.top” and FileOriginUrl  has_any(“googleusercontent”, “google”, “docs”)

As this attack abuses legitimate services, it’s also important for customers to review mail flow rules to check for broad exceptions, such those related to IP ranges and domain-level allow lists, that may be letting these emails through.

We also encourage customers to continuously build organizational resilience against email threats by educating users about identifying social engineering attacks and preventing malware infection. Use Attack simulation training in Microsoft Defender for Office 365 to run attack scenarios, increase user awareness, and empower employees to recognize and report these attacks.

 

Emily Hacker with Justin Carroll
Microsoft 365 Defender Threat Intelligence Team

The post Investigating a unique “form” of email delivery for IcedID malware appeared first on Microsoft Security.

COVID-19 pandemic has confined a big part of the population indoors, doing their work and daily chores online….

The post Malicious malware impacting reviews and ratings of application appeared first on Quick Heal Blog | Latest computer security news, tips, and advice.

137-header.jpg

Cyber AI discovered an extensive crypto-mining campaign in cardboard boxes in a disused warehouse. This blog discusses the rise in cryptocurrency farms and what this signals for the international cyber-threat landscape.

ThreatConnect and OPSWAT have delivered a new Playbook for joint customers. This Playbook App will allow you to submit Files for sandbox analysis and retrieve analysis results. In addition to sandboxing, the app lets users retrieve enrichment information for Address, Host, URL, and File IOCs.

OPSWAT Metadefender Cloud Blog

The following capabilities are available:

Automated Malware Sandboxing

As part of a security process, you can automatically send malware to your sandbox. Once sandboxed, you’ll get outputs in the form of file hashes. You can then use these outputs to inform detection and remediation processes in the rest of your security stack.

Enrichment

As part of an investigation, you may come across a familiar file hash and want to see if you’ve seen it and sandboxed it before. You can use ThreatConnect to query OPSWAT MetaDefender Cloud and retrieve this information as part of an enrichment process during a case or investigation.

The following actions are available:

Analyze File
Get File Enrichment
Get Address Enrichment
Get Host Enrichment
Get URL Enrichment
Get File Analysis Results
Advanced Request

Together, ThreatConnect and OPSWAT help you to automate remediation tasks and protect your network from sophisticated attacks. If you’re a ThreatConnect customer, please reach out to your dedicated Customer Success Team for more information on how to get the most out of the OPSWAT MetaDefender Cloud Playbook app. If you’re not yet a customer and are interested in ThreatConnect and this integration, contact us at sales@threatconnect.com.

The post ThreatConnect and OPSWAT MetaDefender Cloud: Malware Protection Meets Playbook Power appeared first on ThreatConnect | Risk-Threat-Response.

WormableWhatsApp_blog.jpg

Research by: Aviran Hazum, Bodgan Melnykov & Israel Wenik   Highlights Disguised as a Netflix content enabler app named “FlixOnline,” threat actors distributed newly-discovered Android malware Malware distributed via malicious auto-replies to incoming WhatsApp messages, using payloads received from a remote command & control (C&C) server Malware allowed a malicious actor to distribute phishing attacks, spread…

The post Autoreply attack! New Android malware found in Google Play Store spreads via malicious auto-replies to WhatsApp messages appeared first on Check Point Software.

WormableWhatsApp_blog.jpg

Research by: Aviran Hazum, Bodgan Melnykov & Israel Wenik   Highlights Disguised as a Netflix content enabler app named “FlixOnline,” threat actors distributed newly-discovered Android malware Malware distributed via malicious auto-replies to incoming WhatsApp messages, using payloads received from a remote command & control (C&C) server Malware allowed a malicious actor to distribute phishing attacks, spread…

The post Autoreply attack! New Android malware found in Google Play Store spreads via malicious auto-replies to WhatsApp messages appeared first on Check Point Software.

Research by: Aviran Hazum, Bodgan Melnykov & Israel Wenik

Overview

Check Point Research (CPR) recently discovered malware on Google Play hidden in a fake application that is capable of spreading itself via users’ WhatsApp messages. If the user downloaded the fake application and unwittingly granted the malware the appropriate permissions, the malware is capable of automatically replying to victim’s’ incoming WhatsApp messages with a payload received from a command-and-control (C&C) server. This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more.

General

As the mobile threat landscape evolves, threat actors are always seeking to develop new techniques to evolve and successfully distribute malware. In this specific campaign, Check Point’s researchers discovered a new and innovative malicious threat on the Google Play app store which spreads itself via mobile users’ WhatsApp conversations, and can also send further malicious content via automated replies to incoming WhatsApp messages.

Researchers found the malware hidden within an app on Google Play called ’FlixOnline.’” The app is a fake service that claims to allow users to view Netflix content from all around the world on their mobiles. However, instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor the user’s WhatsApp notifications, and to send automatic replies to the user’s incoming messages using content that it receives from a remote command and control (C&C) server.

The malware sends the following response to its victims, luring them with the offer of a free Netflix service:

“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw.”

Utilizing this technique, a threat actor could perform a wide range of malicious activities:

Spread further malware via malicious links
Stealing data from users’ WhatsApp accounts
Spreading fake or malicious messages to users’ WhatsApp contacts and groups (for example, work-related groups)
Extort users by threatening to send sensitive WhatsApp data or conversations to all of their contacts

Figure 1 – FlixOnline application on Google Play

 

Technical Analysis

When the application is downloaded from the Play Store and installed, the malware starts a service that requests ‘Overlay’, ‘Battery Optimization Ignore’, and ‘Notification’ permissions. The purpose behind obtaining these permissions is:

Overlay allows a malicious application to create new windows on top of other applications. This is usually requested by malware to create a fake “Login” screen for other apps, with the aim of stealing victim’s credentials.
Ignore Battery Optimizations stops the malware from being shut down by the device’s battery optimization routine, even after it is idle for an extended period.
The most prominent permission is the Notification access, more specifically, the Notification Listener service. Once enabled, this permission provides the malware with access to all notifications related to messages sent to the device, and the ability to automatically perform designated actions such as “dismiss” and “reply” to messages received on the device.

 

 

Figure 2 – FlixOnline Permissions Request

After the permissions are granted, the malware displays a landing page it receives from the C&C server and immediately hides its icon so the malware can’t be easily removed. This is done by a service that periodically contacts the C&C and updates the malware’s configuration accordingly.
The service can achieve these goals by using multiple methods. For instance, the service can be triggered by the installation of the application and by an Alarm registered I the BOOT_COMPLETED action, which is called after the device has completed the boot process.

Figures 3 & 4 – Service registration, BOOT_COMPLETE

The response from the C&C contains a configuration with the following field:

Field

Purpose

landing_page
A URL to display to the victim after permission granting.

message_inbox
The message to send as a reply to all incoming messages.

message_limit
Unused, potentially could indicate as an “upper limit” for the amount of messages to send out.

delay
Unused.

url
Unused.

delay_browser
Delay before showing popup with specific URL.

enable_browser
C&C check flag.

enable_webview
Indicates which app to use to open the URL.

webview_url
The URL for the WebView popup activity.

browser_url
URL for the browser popup.

Figure 5 – Contact C&C and configuration parsing

Once this is complete, the malware has everything needed to distribute the payload. With the OnNotificationPosted callback, the malware checks for the package name of the originated application, and if that application is WhatsApp, it will process the notification.

Figure 5 – Check for WhatsApp notifications

First, the malware cancels the notification to hide it from the user and reads the title and content of the notification received. Next, it searches for the component that is responsible for inline replies, which is used to send out the reply using the payload received from the C&C server.

Figure 6 – Notification processing

 

 

Figure 7 – Searching for inline-reply component

 

 

 

 

Figure 8 – Sending out the reply

Responsible disclosure

Check Point Research responsibly notified Google about the malicious application and the details of its research, and Google quickly removed the application from the Play Store. Over the course of 2 months, the “FlixOnline” app was downloaded approximately 500 times.

Conclusion

This wormable Android malware features innovative and dangerous new techniques for spreading itself, and for manipulating or stealing data from trusted applications such as WhatsApp.  It highlights that users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups.
If a user was infected, they should remove the application from their device, and change their passwords.

Stay protected from mobile threats

Check Point Harmony Mobile is the market-leading Mobile Threat Defense (MTD) solution, providing the widest range of capabilities to help you secure your mobile workforce.
Harmony Mobile provides protection for all mobile vectors of attack, including the download of malicious applications and applications with malware embedded in them.
Learn more.

Appendix 1 – IOCs

FlixOnline – 1d097436927f85b1ab9bf69913071abd0845bfcf1afa186112e91e1ca22e32df

C&C – netflixwatch[.]site

Package Name – com.fab.wflixonline

Certificate – BEC2C0448558729C1EDF4E45AB76B6A3EE6E42B7

The post New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp appeared first on Check Point Research.

News article:

Most troublingly, Activision says that the “cheat” tool has been advertised multiple times on a popular cheating forum under the title “new COD hack.” (Gamers looking to flout the rules will typically go to such forums to find new ways to do so.) While the report doesn’t mention which forum they were posted on (that certainly would’ve been helpful), it does say that these offerings have popped up a number of times. They have also been seen advertised in YouTube videos, where instructions were provided on how gamers can run the “cheats” on their devices, and the report says that “comments [on the videos] seemingly indicate people had downloaded and attempted to use the tool.”

Part of the reason this attack could work so well is that game cheats typically require a user to disable key security features that would otherwise keep a malicious program out of their system. The hacker is basically getting the victim to do their own work for them.

“It is common practice when configuring a cheat program to run it the with the highest system privileges,” the report notes. “Guides for cheats will typically ask users to disable or uninstall antivirus software and host firewalls, disable kernel code signing, etc.”

Detailed report.

Malware Delivered Via Cloud Services Rises

53% of Web traffic is now cloud-related, a 20% year over year increase.
61% of all malware is directly delivered via the cloud.
Malicious Office documents represented 17% of all malware detected.

financial-services-cybersecurity-hygiene

As banks continue to digitize their offerings to optimize efficiency and improve the customer experience, they are exposing themselves to increased levels of malware risk. In order to stay protected, it is essential that financial…

Researchers have discovered a new Android app called “System Update” that is a sophisticated Remote-Access Trojan (RAT). From a news article:

The broad range of data that this sneaky little bastard is capable of stealing is pretty horrifying. It includes: instant messenger messages and database files; call logs and phone contacts; Whatsapp messages and databases; pictures and videos; all of your text messages; and information on pretty much everything else that is on your phone (it will inventory the rest of the apps on your phone, for instance).

The app can also monitor your GPS location (so it knows exactly where you are), hijack your phone’s camera to take pictures, review your browser’s search history and bookmarks, and turn on the phone mic to record audio.

The app’s spying capabilities are triggered whenever the device receives new information. Researchers write that the RAT is constantly on the lookout for “any activity of interest, such as a phone call, to immediately record the conversation, collect the updated call log, and then upload the contents to the C&C server as an encrypted ZIP file.” After thieving your data, the app will subsequently erase evidence of its own activity, hiding what it has been doing.

This is a sophisticated piece of malware. It feels like the product of a national intelligence agency or — and I think more likely — one of the cyberweapons arms manufacturers that sells this kind of capability to governments around the world.

Microsoft describes the “Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. […] Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension.”[6]

Since both, the latest version elastic-agent (7.11+) support antivirus detection, I followed the instructions listed here [1] to configure an agent to test its detection capabilities. For my workstation, I used VMware with a fully patched Windows 10 and saved the current configuration with a snapshot. I wanted to combine both of these features; the elastic-agent and the Microsoft sandbox feature [4][5][6] to analyze my malware sample. Since the Microsoft sandbox doesn’t retain anything after it is shutdown, I figure this would be a good alternative vs. restoring my previous VMware snapshot every time I tested a suspicious filename.

One minor inconvenient, if I want to use the agent, I need to add it every time to Elasticsearch to use it. If the elastic-agent isn’t installed, Microsoft Defender is enabled. Here is a list of tools to either install or consider installing in the sandbox when it starts:

Elastic-agent with malware policy (in VMware client and Sandbox client)
MS SysMon
MS TCPView
Consider adding: PowerShell Script Block Logging, example here
Wireshark to capture traffic from host
Other browsers: Chrome & Firefox
PeStudio
Python
Internet Services Simulation Suite: INetSim
Didier Stevens suite of tools
Proxy setup on VMware client to monitor traffic
Any other tools you might find useful during the analysis such as this package by @mentebinaria

When starting the sandbox, using a script configured for this purpose, it can automatically load the tools needed with a batch file (MalwareAnalysis.wsb). Here is my example:

<Configuration>
  <vGPU>Enable</vGPU>
  <AudioInput>Enable</AudioInput>
  <VideoInput>Enable</VideoInput>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:Sandbox</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
<LogonCommand>
   <Command>C:usersWDAGUtilityAccountDesktopSandboxSBConfig.bat</Command>
</LogonCommand>
</Configuration>

Because everything is deleted when you shutdown the sandbox (including the browser, it must be reloaded with the current version every time), I needed a way to automatically start/add/load/update what I needed to perform some basic analysis. I use a batch file I preconfigured with everything I needed to accomplish this task. Here is what I have (C:SandboxSBConfig.bat):

REM Copy elastic-agent to C:Program Files
C:WindowsSystem32xcopy.exe /i /s C:UsersWDAGUtilityAccountDesktopSandboxelastic-agent “C:Program Fileselastic-agent”

REM Install Sysmon64, vcredist_x86
C:UsersWDAGUtilityAccountDesktopSandboxSysmon64.exe -i -accepteula
C:UsersWDAGUtilityAccountDesktopSandboxvcredist_x86.exe /q

REM Add Elastic certificate authority to Sandbox
C:WindowsSystem32certutil.exe -addstore root C:UsersWDAGUtilityAccountDesktopSandboxca.crt
C:WindowsSystem32certutil.exe -addstore root C:UsersWDAGUtilityAccountDesktopSandboxstargate.crt

REM Install new Microsoft Edge
start /wait C:UsersWDAGUtilityAccountDesktopSandboxMicrosoftEdgeEnterpriseX64.msi /quiet /norestart

REM Install Python
C:UsersWDAGUtilityAccountDesktopSandboxpython-3.9.2-amd64.exe /quiet InstallAllUsers=1 PrependPath=1 Include_test=0

REM Execute PowerShell scripts
Powershell.exe -executionpolicy remotesigned -File C:UsersWDAGUtilityAccountDesktopSandboxChangeExecutionPolicy.ps1
Powershell.exe -executionpolicy remotesigned -File C:UsersWDAGUtilityAccountDesktopSandboxScriptBlockLogging.ps1

REM Install Wireshark
REM Install npcap manually. Silent only supported with OEM
C:UsersWDAGUtilityAccountDesktopSandboxWireshark-win64-3.4.4.exe /S /D /desktopicon=yes
C:UsersWDAGUtilityAccountDesktopSandboxnpcap-1.20.exe

The file npcap is last because I’m using the free edition vs. the OEM which will ask to finish the installation after it starts the installer. Before you can enable ScriptBlockLogging in the Sandbox, I need to enable the PowerShell ExecutionPolicy to allow RemoteSigned. This is the command in my script to make that change (ChangeExecutionPolicy.ps1):

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force

To verify the change was applied, as PowerShell admin, execute the following command:

Get-ExecutionPolicy -List

Producing the following result:

Following the example listed here in this Elastic blog, it is time to create a policy, add the elastic-agent to Elasticsearch (pre-copied with the batch file SBConfig.bat) to run the sample file and monitor its activity. This is the four application part of the policy I configured for my agent:

After launching the script MalwareAnalysis.wsb to start the Sandbox, load, copy and install all the applications from the batch file, it is time to add the elastic-agent to the server, I am ready to launch the suspected malware file for analysis. Last month, my honeypot was uploaded a crypto miner file photo.scr and I’m going to use this file to submit the elastic-agent for analysis.

→ To view the results in Kibana, navigate Security -> Overview -> Detection alert trend
I look for activity that would indicate an alert triggered by malware and filter for the value, then View alerts to examine the flow of the activity. I can then select Analyze the content as to what this photo.scr file accessed or installed on the client. The agent captured 3 alerts:

Next is to expand one of those alerts and analyze the activity, the elastic-agent identified: 1 library, 53 networks and 7 registry:

Network Activty

Registry Activity

Each one of the can be expanded to drill further into what happened on the host.

Indicator of Compromise

SHA256
807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d  Photo.scr
[2021-02-08 07:06:36] [1693] [ftp_21_tcp 29914] [103.232.236.239:64149] info: Stored 1578496 bytes of data

Domains

stafftest[.]ru
iqtesti[.]ru
jobtests[.]ru
prtests[.]ru
qptest[.]ru
pstests[.]ru
testpsy[.]ru
profetest[.]ru
hrtests[.]ru

This is one of many tasks Windows Sandbox could be used such as accessing suspicious sites, running untrusted software and scripts starting with Windows network or vGPU disable, without the fear of impacting your normal Windows installation. These various tasks can be accomplished by creating  separate .wsb Sanbox script.

[1] https://www.elastic.co/blog/how-to-build-a-malware-analysis-sandbox-with-elastic-security
[2] https://www.elastic.co/endpoint-security/
[3] https://www.elastic.co/guide/en/security/current/install-endpoint.html
[4] https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview
[5] https://techcommunity.microsoft.com/t5/windows-kernel-internals/windows-sandbox/ba-p/301849
[6] https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file
[7] https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
[8] https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview
[9] https://github.com/mentebinaria/retoolkit?s=09
[10] https://www.virustotal.com/gui/file/807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d/detection
[11] https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.1

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

propagating_malware_initial_alarm.jpg

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive Summary

While freeware does not have monetary cost, it may come at a price. There may be limitations to freeware such as infrequent updates, limited support and hidden malicious software. Some freeware programs may have added software packages that can include malicious software such as trojans, spyware, or adware. It’s important to have additional layers of defense to provide that  your environment is protected.

The Managed Threat Detection and Response (MTDR) analyst team was notified of malware on a customer’s assets who frequently uses freeware. The primary piece of malware that was detected by Cisco® Secure Endpoint (formerly AMP for Endpoints) did not appear to be particularly malicious, so the investigation was originally reported as a medium severity. After some time, several alarms were raised due to additional malware that was encountered on multiple assets within the customer’s environment and it was determined they were likely caused by freeware. After some investigating, a report was created by the analyst containing a list of infected machines, files, and their related malware families. The severity of the investigation was changed to a high severity, and the customer was notified based on their incident response plan (IRP) to begin immediate remediation efforts.

Investigation

Initial Alarm Review

Malware Infection

Cisco Secure Endpoint – Threat detected

The Initial alarm was raised due to a piece of malware detected by Cisco® Secure Endpoint that was indicative of a single malware infection. The first detection that emerged appeared to be benign, as it was reported by multiple open source intelligence (OSINT) sites as known-clean files. Due to the detection of this original file, this investigation was set at a medium severity as a precautionary measure.

initial alarm screen for propagating malware

After some time, additional alarms were raised that were indicative of a deeper, more malicious infection. It became clear that additional investigation was necessary. During the investigation, nearly two hundred events of varying malware infections were detected, indicating there was propagating malware.

families of propagating malwaregraph of propagating malware

The detected events of malware were filtered for benign hashes using the AT&T Alien Labs Open Threat Exchange (OTX) as well as other OSINT sites. The malicious files were organized into a report with infected files, hashes, as well as a list of the fifty suspected infected assets. After the report was organized and the additional alarms were posted within the investigation, the severity was increased from medium to high to prompt immediate customer response and quarantine of these threats.

Expanded Investigation

expanded investigation screen

Suspected Root Cause

These alarms are rather common for this customer as they attempt to use many pieces of freeware, which are likely already infected with Trojans, adware and more. Upon further use of OSINT sites, the file that appears to have been propagating across the customer’s network was linked to an interactive advertising company. This company has created over a hundred different toolbars, and these toolbars typically include an optional install of other freeware, which will download if you are not careful. This propagating malware was suspected to have been caused by one of the toolbars.

Customer Interaction

Customer Response(s)

After the investigation was updated, the customer was provided a report and was contacted per their Incident Response Plan (IRP). The customer contacted their team to start working through the infected machines to remove the indicated malicious files. If it was not for the organized layout of the USM platform, this malware infection could’ve been far worse.

fblike20.png linkedin20.png twitter20.png email20.png rss20.png 

Malware Delivered Via Cloud Services Rises

53% of Web traffic is now cloud-related, a 20% year over year increase.
61% of all malware is directly delivered via the cloud.
Malicious Office documents represented 17% of all malware detected.

Original release date: March 17, 2021

CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on TrickBot malware. A sophisticated group of cyber criminals are using phishing emails claiming to contain proof of traffic violations to lure victims into downloading TrickBot. TrickBot is a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.

To secure against TrickBot, CISA and the FBI recommend users and administrators review AA21-076A: TrickBot Malware as well as CISA’s Fact Sheet: TrickBot Malware for guidance on implementing specific mitigation measures to protect against this activity.

 

This product is provided subject to this Notification and this Privacy & Use policy.

They all target Linux systems

For a long time Linux has not been seen as a serious target of threat actors. This operating system makes up such a small percentage of the desktop market share compared to Windows, it’s no surprise why threat actors would focus most of their attention on attacking Windows endpoints.

Times are quickly changing though as the next major battleground moves from traditional on-premise Windows endpoints to Linux-based servers and containers in the cloud. For perspective 90% of the public cloud runs Linux.

Attackers are taking note. Some have started to write new malware from scratch exclusively for Linux, while others are adapting their existing Windows malware to target Linux.

Traditional endpoint protection platforms built to secure Windows are struggling to keep up with Linux threats. If you are in the cloud, make sure you have a security solution compatible with Linux systems, both in terms of threat detection and performance.

Below we highlight 10 Linux malware families targeting the cloud that should be on your radar.

1. TrickBot

It may come as a surprise to some that TrickBot has Linux malware. The popular Windows banking trojan is used as a malware-as-a-service (MaaS) by cybercriminals and nation-state actors mostly in financially motivated campaigns. TrickBot is capable of stealing credentials, spreading through the network, stealing cookies, and deploying ransomware.

At the end of 2019, SentinelOne and NTT reported a new TrickBot threat, called Anchor, which acts as a backdoor and utilizes DNS to communicate with its Command and control (C2) server. In July 2020, researcher Waylon Grange discovered an Anchor sample targeting Linux systems. The Linux variant is not only a backdoor but also has the ability to drop and execute other malware—including the Windows version of TrickBot—with the goal of infecting Windows machines on the same network.

2. Kobalos

ESET researchers discovered a sophisticated multiplatform backdoor called Kobalos. The malware targeted high-performance computers belonging to prominent endpoint security vendors, internet service providers and universities. Kobalos has advanced features including network evasion and anti-forensic techniques. Once a server is compromised, it can be used as a Command and control (C2) server by other compromised servers. It was later discovered that the victims’ hosts contained an OpenSSH backdoor process intended to steal credentials from incoming connections.

3. FreakOut

FreakOut botnet infects Linux systems mostly by exploiting known vulnerabilities. Targeted vulnerable servers include Zend Framework, Liferay and TerraMaster network-attached storage (NAS).

Once the attacker has gained access to the system, they download a python script connecting the victim to a Command and control (C2) server so that the attacker can control the compromised machine. FreakOut has been seen performing all types of malicious activities, from cryptojacking, port scanning, and network sniffing, to spreading to other devices in the network via vulnerability exploits, DDoS attacks and open reverse-shell. FreakOut emphasizes the need for regular security updates as well as runtime security.

4. RansomEXX

RansomEXX, a file-encrypting Trojan once only targeting Windows machines, began attacking Linux machines in late 2020 when it emerged as a multiplatform malware. This threat targets various government entities and tech companies. Recent attacks include the Texas Department of Transportation, Brazilian court system, and business technology giant Konica Minolta.

5. Drovorub

According to the FBI and NSA’s joint alert, Drovorub is the work of APT28, also known as Sofacy or Fancy Bear. Drovorub consists of an implant with a kernel module rootkit, file transfer tool, port forwarding module, and a Command and control (C2) server. Once installed on the victim’s machine, the malware is capable of communicating with the C2 server, downloading/uploading files, executing arbitrary commands with root privileges, and spreading to other hosts on the network. The kernel module rootkit in particular uses various techniques to hide the malware, allowing the implant to stay hidden in the network and attack at any time. Since this threat is associated with a Russian APT group, we assume that its operations targeting Linux are only getting started.

6. WellMess

WellMess is a backdoor with both a Windows and Linux version, each possessing similar capabilities that have been updated since the first release of the malware in 2018. The United Kingdom’s National Cyber Security Centre reports that WellMess has been used in several attempts to steal information from companies developing COVID-19 vaccines. This threat is attributed to Blue Kitsune (aka APT29 or Cozy Bear).

7. GitPaste-12

Discovered in October 2020 by Juniper Threat Labs, this botnet targets Linux-based servers and Internet of Things (IoT) devices. GitPaste-12 uses several known vulnerabilities to exploit its victims, some of those vulnerabilities being Apache Struts (CVE-2017-5638), ASUS routers (CVE-2013-5948), Tenda routers (CVE-2020-10987), and a WebAdmin plugin for opendreambox (CVE-2017-14135). The botnet hosts malicious code on GitHub and Pastebin for backdoors and cryptomining malware.

8. IPStorm

IPStorm is another botnet once only targeted at Windows machines but has made the switch to Linux (and also macOS). IPStorm abuses a legitimate peer-to-peer (P2P) to obscure malicious traffic, allowing the attacker to execute arbitrary code on the infected machine. New Linux variants share code with former Windows versions while also implementing new capabilities including SSH brute-force to spread to additional victims on the cloud network.

IPStorm is among the growing list of cross-platform malware written in Golang being used in attacks on Linux cloud servers.

Download the IPStorm Detection & Response Guide.

9. Cloud Snooper

Cloud Snooper is part of a sophisticated attack utilizing a unique combination of techniques to evade detection, while permitting the malware to communicate freely with its Command and control (C2) server through a firewall. Both Windows and Linux hosts have been infected by this campaign. The complexity of this attack gives us reason to believe the threat actors behind the malware are nation-state backed.

10. Cryptojacking Malware

The recent bull market and increased value of cryptocurrencies has attracted a large number of Linux cryptojacking malware targeting cloud environments. This type of attack exploits the large processing power of cloud computing to maliciously mine for cryptocurrency.

There are many types of cryptojacking malware. Some are based on open-source projects like XMRig Miner, while others are developed from scratch such as Kinsing, the latter which is part of an ongoing campaign compromising servers that have exposed Docker API ports. Besides mining for cryptocurrency, Kinsing has other capabilities. It collects SSH credentials to access other cloud servers hosted on the infrastructure, achieves persistence, and implements defense evasion techniques.

Recent attacks have shown that Linux cryptominers will find their way into the production environment. Make sure you have runtime protection to swat them away in runtime.

Summary

The cloud threat landscape is home to a number of Linux malware and growing. With a 500% increase in Linux-related malware families in the past decade, cloud environments are a prime attack vector for threat actors. If you currently use the cloud or are soon planning to, keep a close eye on these threats.

Traditional Windows EDRs are having a hard time detecting Linux threats. Intezer Protect is defending cloud environments against the latest Linux threats without slowing down performance. Try our free community edition

The post Top 10 Cloud Malware Threats appeared first on Intezer.

If you have any interest in the history of malicious code, chances are you’ve heard or read somewhere that the first piece of malware ever created was a computer worm called Creeper and that spread itself through the ARPANET in 1971. Some sources even mention that it might have been on this very date, i.e. exactly 50 years ago[1].

So does malware really turn 50 today?

Not likely. Even leaving aside that according to some sources[2], there may have been a fork bomb[3] program created all the way back in 1969, and therefore the oldest malware might already be over 50 years old, the simple fact is that Creeper wasn’t malware in any sense of the word… Alhough it was probably the first example of a (benign) computer worm ever created.

In the multiple retellings of its legend that may be found both online and in print, we have, however, a prime example of something which is unfortunately relatively common (not just) in infosec. That is repeating of interesting-looking information without checking for any original sources, which might provide context to it. I don’t mind admitting that this is a pet peeve of mine[4] and so I thought that on this day, which may or may not mark the 50th anniversary of the original “run” of Creeper, it might be a good idea to take a look at what we really know about it.

According to the few trustworthy articles on the subject, which cite their sources[5,6], and explanations provided by Ray Tomlinson, who played a significant part in the story of Creeper[7,8], the program was created at BBN technologies at some point in 1971. At that time, BBN was developing the TENEX an operating system for the PDP-10 computer. One of the developers of TENEX was Robert Thomas, who, among other projects, worked on what was called a Resource Sharing Executive, or RSEXEC – an experiment with what was thought of as a “mobile application” concept. RSEXEC was basically supposed to enable a program to “jump” between computers in order for it to always be executed by a machine with unutilized computational resources or with data, which the program needed. As you’ve probably guessed, Creeper was the demonstration program, which resulted from Thomas’s work.

The original application was tested using (at most) 28 computers connected to the ARPANET and running the TENEX OS. Creeper migrated from one system to another, always “removing” itself from the machine, when it was leaving it. What is important to note is that this was done with full agreement and cooperation of operators of all those computers and that the test had no negative effects on them.
All that the Creeper supposedly did on “visited” computers was printing the famous message “I’M THE CREEPER : CATCH ME IF YOU CAN” on a teletype.

Message printed by Creeper[5]

An indeterminate amount of time later, Ray Tomlinson, who worked at BBN Technologies at the same time as Bob Thomas, created a modified version Creeper. The program originally jumped from one machine to another, which meant that there was always only one copy of it on the entire network (computer worms which behave in this way are sometimes called “rabbits”). The new version, which was created by Tomlinson, had the ability to replicate itself, i.e. create multiple copies of itself, which might exist at the same time on different machines (meaning it behaved more like a usual computer worm). This updated version was – once again – not malicious in any way and one may think of it as a demonstration of the concept of distributed computation more than anything else.

Since it was able to replicate itself and it was necessary to make sure it didn’t cause any problems even in case of bugs which might make it hang, Tomlinson also created a program called Reaper. This was a simple piece of code, which visited each of the approximately 28 computers, which might have hosted Creeper, and terminated any instances of Creeper it found running on them.

Due to this behavior, Reaper is sometimes called “the first anti-virus”[9]. Since neither version of Creeper was malicious in any way, depending on your definition of “anti-virus” this title may or may not be applicable. Reaper however almost certainly may be called the first “nematode” (a worm or virus, which removes another worm or virus from a system, on which it is present).

So, based on the history ve’we recounted, what may we say with any sort of certainty regarding the age of malware? Not much. In terms of the age of computer worms, however, chances are good that they really are really turning 50 this year, whether it is today or not. It is a little bit sad that one tends to think of every computer worm as being malicious “by default”, since, as this little trip down the memory lane shows us, it doesn’t necessarily have to be true…

In any case, if you’d like to learn a bit more about the origins of modern malware (and don’t mind low-quality video editing), the following video might be worth your time.

[1] https://www.cybersecurity-insiders.com/a-brief-history-of-cybersecurity/
[2] http://catb.org/~esr/jargon/html/W/wabbit.html
[3] https://en.wikipedia.org/wiki/Fork_bomb
[4] https://untrustednetwork.net/en/2019/10/19/do-automated-tools-really-detect-only-45-of-all-vulnerabilities/
[5] https://corewar.co.uk/creeper.htm
[6] http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.137.9511&rep=rep1&type=pdf
[7] https://history-computer.com/the-first-computer-virus-of-bob-thomas-complete-history/
[8] https://nerdology.org/2014/11/qa-with-ray-tomlinson-on-creeper/
[9] https://en.wikipedia.org/wiki/Reaper_(program)

———–
Jan Kopriva@jk0prAlef Nula

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

132-header.jpg

Internet-facing RDP servers are an increasingly common vector of compromise. This blog explains how one RDP infection nearly led to the creation of a botnet, had Darktrace AI not alerted the security team as soon as the attack began.

We have recently expanded the integration of Antimalware Scan Interface (AMSI) with Office 365 to include the runtime scanning of Excel 4.0 (XLM) macros, to help antivirus solutions tackle the increase in attacks that use malicious XLM macros. This integration, an example of the many security features released for Microsoft 365 Apps on a regular basis, reflects our commitment to continuously increase protection for Microsoft 365 customers against the latest threats.

Microsoft Defender Antivirus is using this integration to detect and block XLM-based malware, and we encourage other antivirus products to use this open interface to gain better visibility and improve protections against these threats.

XLM macros is a legacy macro language that was made available to Microsoft Excel in 1992, prior to the introduction of Visual Basic for Applications (VBA) in 1993. While more rudimentary than VBA, XLM is powerful enough to provide interoperability with the operating system, and many organizations and users continue to use its functionality for legitimate purposes. Cybercriminals know this, and they have been abusing XLM macros, increasingly more frequently, to call Win32 APIs and run shell commands.

The AMSI instrumentation for VBA has been providing deep visibility into the runtime behavior of VBA macros. Its release in 2018 effectively removed the armor that macro-obfuscation equipped malware with, exposing malicious code to improved levels of scrutiny. Naturally, threat actors like those behind Trickbot, Zloader, and Ursnif have looked elsewhere for features to abuse and operate under the radar of security solutions, and they found a suitable alternative in XLM.

Like VBA and many other scripting languages abused by malware, XLM code can be obfuscated relatively easily to conceal the real intent of the macro. For example, attackers can hide URLs or file names of executable files from static inspection through simple strings manipulations. Attackers also take advantage of the way macro code persists within the Excel document—while VBA macros are stored in a dedicated OLE stream (and hence can be easily located and extracted), XLM macros do not exist as a separate, well-defined entity. Rather, each XLM macro statement is a formula within a cell. Extracting a whole XLM macro can become a cumbersome task, requiring a cell-by-cell inspection of the whole document.

Screenshot of Microsoft Excel file with malicious XLM macros

Figure 1. Sample malicious XLM macro

In addition, while formulas are typically executed downwards starting from the top, with XLM the macro content can be quite spread out, thanks to control flow statements like RUN, CALL, or GOTO, which allow the switching of execution flow from one column to another. This feature, together with obfuscation, has been abused by attackers to craft documents that could evade static analysis.

AMSI instrumentation for Excel 4.0 (XLM) macros

AMSI is an open interface that allows any application to request the scanning of any data at any time. In a nutshell, this technology provides applications the capability to interface with the installed antivirus solution in order to inspect and scan potentially dangerous data (e.g., a file downloaded from a remote location, or data generated dynamically by an application). Microsoft already utilizes this technology in various applications to detect malicious macros, script-based malware, and other threats:

Office VBA macros
JScript
VBScript
PowerShell
WMI
Dynamically loaded .NET assemblies
MSHTA/Jscript9

The data provided by AMSI is leveraged extensively by Microsoft Defender for Endpoint. It provides important data for machine learning models that process billions of signals every day to identify and block malicious behaviors. The XLM instrumentation is similar to the implementation in VBA and other scripting engines that integrate with AMSI:

Diagram representation of AMSI instrumentation for XLM

Figure 2. AMSI instrumentation for XLM

The XLM language allows a user to write programs that call native runtime functions, as well as external Win32 APIs. In both cases, the interfaces that dispatch the calls to these functions are intercepted and directed to an internal logger. The logger component stores the intercepted functions in text format within a circular buffer. When certain dangerous functions are called, for example the runtime function EXEC or the Win32 API ShellExecute, XLM halts the macro execution and invokes AMSI to request a synchronous scan of the circular buffer containing the functions logged up to that point. Such dangerous functions are called “trigger functions”. If the antivirus identifies the macro as malware, the execution of the macro is aborted and Excel is safely terminated, blocking the attack and preventing the malicious macro from doing any damage. Otherwise, the user experience continues seamlessly.

It’s important to observe that the interception of XLM function calls happens at runtime. This means that the logger component always registers the true behavior of all functions and associated parameters, which may contain URLs, file names, and other important IOCs, regardless of the obfuscation used by the malware.

The following is an example of an XLM macro found in a malicious document:

Screenshot of XLM macro

Figure 3. Sample XLM macro

This malicious macro consists of a series of commands (e.g., RUN, REGISTER, IF, etc.) with related parameters specified by references to other cells. For example, the token $CA$1889 passed to the first function RUN indicates that the string provided as parameter for this function is in the cell at column CA and row 1889.

This is only one of the many ways that XLM-based malware can obfuscate code. Detecting this macro is challenging because it doesn’t expose any suspicious strings or behavior. This is where the power of AMSI comes into play: the instrumentation allows XLM to inspect functions when they are invoked, so that all their parameters have already been de-obfuscated. As a result, the above macro produces a log that looks like the following:

Sample log produced when XLM macro is run

Figure 4. Sample log

The XLM engine determines that the dangerous function ShellExecuteA is being invoked, and subsequently places the macro execution on hold and passes the macro behavioral log to AMSI for scanning. The antivirus now has visibility into a behavioral log that completely exposes all of the data including, API names, URLs, and file names. The log makes it easy to conclude that this macro is trying to download and execute a DLL payload via the tool Rundll32.

Case study: ZLoader campaign

ZLoader is a malware family that has been actively perpetrating financial theft for several years. Like many of its peers, ZLoader operates via aggressive campaigns that rely on social engineering and the abuse of Office documents spread via email.

We have been monitoring the activity of this threat and observed that in the last year the attackers shifted to XLM as their infection vector of choice. The Excel documents have a typical lure message to trick the user into clicking “Enable Content” to allow the macro code to run.

Screenshot of malicious Excel file used in Zloader campaign

Figure 5. Malicious Excel file used in Zloader campaign

A closer look at the document reveals an Excel sheet with an obscure-looking name. That sheet embeds XLM macro formulas, which are stored several rows down to make the sheet look empty. Furthermore, the macro formulas are spread out and obfuscated, hindering static analysis and raising more challenges for identifying intent.

Screenshot of XLM macro used in Zloader campaign

Figure 6. Malicious XLM macro used in ZLoader campaign

Executing and debugging the macro with Excel is not very straightforward either. The macro has long loops that are used to decode and run further obfuscated macro formulas, and the Excel’s debugger doesn’t have the ability to control the execution in a granular way in order to skip loops and break on specific formulas.

However, when this macro runs with the AMSI instrumentation enabled, it produces up to three different logs that are passed to AMSI. The first two look like the following:

Screenshot of log produced when XLM macro used in Zloader campaign is run

Figure 7. Log produced when ZLoader’s XLM macro is run

The image only shows the final part of the log where the interesting activity shows up. We can see that the macro is issuing a new EXEC statement to run a .vbs file via explorer.exe. This EXEC statement causes the execution of the VBScript named EW2H.vbs, which has been decoded and saved to disk by the macro prior to the EXEC line. The VBScript then tries to download and run a binary payload. The macro attempts to do this twice, hence this log (with minor variations) is passed to AMSI twice.

If the above steps fail, the macro resorts to downloading the payload directly, producing the following log for AMSI:

Screenshot of log produced when XLM macro used in Zloader campaign is run

Figure 8. Log produced when ZLoader’s XLM macro is run

The macro defines two URLs, then downloads their content with the API URLDownloadToFileA, and finally invokes the API ShellExecuteA to launch the downloaded payload (the file jxi09.txt) via rundll32.exe. We can infer from this line that the payload is a DLL.

All three logs offer plenty of opportunities to detect malicious behavior and also allow the easy extraction of relevant IOCs like URLs, file names, etc. The initial XLM code in the Excel document is completely obfuscated and contains no usable information, making it tricky to issue static detections that are both effective and durable. With the dynamic nature of AMSI, the runtime behavior can be observed in cleartext, even with obfuscation. Detections based on the logs passed to AMSI also have the advantage of being more robust and generic in nature.

Availability

Runtime inspection of XLM macros is now available in Microsoft Excel and can be used by antivirus solutions like Microsoft Defender Antivirus that are registered as an AMSI provider on the device. This feature is included as an addition to the existing AMSI integration with Office. It’s enabled by default on the February Current Channel and Monthly Enterprise Channel for Microsoft 365 subscription users.

In its default configuration, XLM macros are scanned at runtime via AMSI, except in the following scenarios:

Files opened while macro security settings are set to “Enable all macros”
Files opened from a trusted location
Files that are trusted documents

Administrators can now use the existing Microsoft 365 applications policy control to configure when both XLM and VBA macros are scanned at runtime via AMSI. Get the latest group policy template files.

 

Group Policy setting name
Macro Runtime Scan Scope
Path
User Configuration > Administrative templates > Microsoft Office 2016 > Security Settings

This policy setting specifies the behavior for both the VBA and Excel 4.0 (XLM) runtime scan features. Multiple Office apps support VBA macros, but XLM macros are only supported by Excel. Macros can only be scanned if the antivirus software registers as an Antimalware Scan Interface (AMSI) provider on the device.

If you enable this policy setting, you can choose from the following options to determine the macro runtime scanning behavior:

Disable for all files (not recommended): If you choose this option, no runtime scanning of enabled macros will be performed.

Enable for low trust files: If you choose this option, runtime scanning will be enabled for all files for which macros are enabled, except for the following files:

Files opened while macro security settings are set to “Enable all macros”
Files opened from a trusted location
Files that are Trusted Documents
Files that contain VBA that is digitally signed by a trusted publisher

Enable for all files: If you choose this option, then low trust files are not excluded from runtime scanning. The VBA and XLM runtimes report to an antivirus system certain high-risk code behaviors the macro is about to execute. This allows the antivirus system to indicate whether or not the macro behavior is malicious. If the behavior is determined to be malicious, the Office application closes the session and the antivirus system can quarantine the file. If the behavior is non-malicious, the macro execution proceeds.

Note: When macro runtime scanning is enabled, the runtime performance of affected VBA projects and XLM sheets may be reduced.

If you disable this policy setting, no runtime scanning of enabled macros will be performed.

If you don’t configure this policy setting, “Enable for low trust files” will be the default setting.

Note: This policy setting only applies to subscription versions of Office, such as Microsoft 365 Apps for enterprise.

AMSI improves security for all

AMSI provides deep and dynamic visibility into the runtime behaviors of macros and other scripts to expose threats that hide malicious intent behind obfuscation, junk control flow statements, and many other tricks. Microsoft Defender Antivirus, the built-in antivirus solution on Windows 10, has been leveraging AMSI to uncover a wide range of threats, from common malware to sophisticated attacks. The recent AMSI instrumentation in XLM directly tackles the rise of malware campaigns that abuse this feature. Because AMSI is an open interface, other antivirus solutions can leverage the same visibility to improve protections against threats. Security vendors can learn how to leverage AMSI in their antivirus products here.

At Microsoft, we take full advantage of signals from AMSI. The data generated by AMSI is not only useful for immediate client antimalware detections, but also provides rich signals for Microsoft Defender for Endpoint. In our blog post about AMSI for VBA, we described how these signals are ingested by multiple layers of cloud-based machine learning classifiers and are combined with all other signals. The result is an enhanced protection layer that learns to recognize and block new and unknown threats in real-time.

Figure 9. Example of detection from Microsoft Defender Antivirus based on data inspected by AMSI

Figure 10: Notification from Microsoft Excel after AMSI reported malware detection

Figure 11: Example of Microsoft Defender for Endpoint alert for detection of XLM malware

The visibility provided by AMSI leads to significant improvements in generic and resilient signatures that can stop waves of obfuscated and mutated variants of threats. AMSI-driven protection adds to an extensive multi-layer protection stack in Microsoft Defender for Endpoint, which also includes attack surface reduction, network protection, behavior monitoring and other technologies that protect against macro malware and other similar script-based threats.

The AMSI-enriched visibility provided by Microsoft Defender for Endpoint is further amplified across Microsoft 365 Defender, such that XLM macro threats are detected and blocked on various entry vectors. The orchestration of signal-sharing and coordinated defense in Microsoft 365 ensures that, for example, Microsoft Defender for Office 365 blocks macro malware distributed via email, which is the most common delivery methods for these threats.

Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.

 

Giulia Biagini, Office 365 Threat Research Team

Auston Wallace, Microsoft 365 Security Team

Andrea Lelli, Microsoft 365 Defender Threat Intelligence Team

The post XLM + AMSI: New runtime defense against Excel 4.0 macro malware appeared first on Microsoft Security.

This is weird:

Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.

Also curious, the malware comes with a mechanism to completely remove itself, a capability that’s typically reserved for high-stealth operations. So far, though, there are no signs the self-destruct feature has been used, raising the question of why the mechanism exists.

Besides those questions, the malware is notable for a version that runs natively on the M1 chip that Apple introduced in November, making it only the second known piece of macOS malware to do so. The malicious binary is more mysterious still because it uses the macOS Installer JavaScript API to execute commands. That makes it hard to analyze installation package contents or the way that package uses the JavaScript commands.

The malware has been found in 153 countries with detections concentrated in the US, UK, Canada, France, and Germany. Its use of Amazon Web Services and the Akamai content delivery network ensures the command infrastructure works reliably and also makes blocking the servers harder. Researchers from Red Canary, the security firm that discovered the malware, are calling the malware Silver Sparrow.

Feels government-designed, rather than criminal or hacker.

Another article. And the Red Canary analysis.

Industrial Control Systems: The New Target of Malware

During 2020, CISA issued 38 cyber alerts ranging from nation-state actors like Iran and North Korea to known ransomware specifically targeting pipeline operations and notably the last alert issued on December 17, 2020, Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, for the SolarWinds supply chain attack.

2020 represents a 660% increase in cyber alerts over 2019, during which CISA issued five cyber warnings over the full year.

Organizations across the board also saw a growing number of adversaries targeting and attacking industrial control systems (ICS) and operational technology (OT) networks. It’s a trend that is clearly continuing into the new year (‘Dangerous Stuff’: Hackers Tried to Poison Water Supply of Florida Town).

And as the attack surface continues to expand for critical infrastructure with owners and operators adopting new technologies to improve operational efficiencies, the increased vulnerabilities and targeting of ICS systems and OT networks is expected to rise.

The post Industrial Control Systems: The New Target of Malware appeared first on Security Boulevard.

GO Download our Report

Malware written in Go has been steadily increasing in the last few years. We have seen both nation state-backed and non-nation state threat actors adopt Go into their toolset.

Our new report outlines the uses of Go malware by threat actors during 2020. It includes an analysis of code connections and IoCs for malware that has been active for years and malware that has never been reported publicly on before. Get your copy of the report.

Nation State-Backed

Before 2020, a Russian nation state-backed threat actor had been using its Go variant of Zebrocy. In 2020, we saw a return of this malware in targeted attacks against Eastern European countries. The samples had overlapping code with older Go Zebrocy samples.

pasted image 0 6

Code similarities between the new Zebrocy sample and older samples

Another Russian nation state-backed threat actor was attributed to a malware called WellMess that is written in Go. According to the UK’s National Cyber Security Centre (NCSC), it was used in attacks against organizations that were part of COVID-19 vaccine research. WellMess has been around for a couple of years but before the NCSC’s report, no attribution to a known threat actor had been made in the public.

A Chinese nation state-backed threat actor utilized a new loader written in Go to execute their malware in some campaigns, and a new threat actor included two malware written in Go in attacks against Tibetan individuals.

Non-Nation State-Backed

On the non-nation state-backed front, crypters, stealers, remote access trojans (RATs), botnets and ransomware were used. Some botnets active before 2020 were still active while some new ones emerged. Some started to target Linux cloud environments.

pasted image 0 6

Genetic analysis between Vaggen ransomware and another malware written by the same threat actor

New samples of IPStorm were discovered attacking Linux machines instead of Windows ones. The majority of botnets targeting Linux machines installed cryptominers or commandeered the machine to take part in distributed denial of service (DDoS) botnets.

pasted image 0 6

Linux variant of IPStorm

Windows machines were targeted by ransomware written in Go. During the year, some new ransomware was used in so-called Big Game Hunting attacks. Nefilim and EKANS infected Whirlpool and Honda respectively.

Future Predictions

It’s likely that the number of Go malware will continue to increase. We have seen threat actors targeting multiple operating systems with malware from the same Go codebase. Traditional Antivirus programs have had a hard time identifying Go malware due to many factors. A detection method based on code reuse has shown to be effective, especially when it comes to detecting when malware families are targeting new platforms.

It’s also likely that attacks from Go malware against cloud environments will increase as more valuable assets are moved to the cloud. Using the security features provided by the hosting providers will not be enough and specialized runtime protection solutions like Intezer Protect will be needed.

2020 Go Malware Round-Up. Download the report.

Shoutout to our colleagues at the following companies whose public reports made it possible for us to produce this round-up.

Alibaba Cloud

Anomali

Antiy

Barracuda

Bitdefender

Broadcom

CCN-CERT

Carbon Black

Cisco Talos

CrowdStrike

Dragos

FireEye

Guardicore Labs

JPCERT>

Kaspersky Labs

LAC

Malwarebytes

NCSC (UK)

Netlab at 360

Palo Alto Networks Unit 42

Proofpoint

PwC

RSA

Sentinel Labs

Sophos

Trend Micro

Volexity

The post Year of the Gopher: 2020 Go Malware Round-Up appeared first on Intezer.

Intezer’s 2021 X-Force Threat Intel Index Highlights

It was a lot of fun collaborating with IBM on their 2021 X-Force Threat Intelligence Index, highlighting how cyberattacks evolved in 2020 as threat actors sought to profit from the COVID-19 pandemic.

In 2019, banking trojans and ransomware were the top innovators in malware code evolution. This year our contributions to the report mainly focused on the Linux threat ecosystem which is fast emerging, evidenced by 56 new malware families discovered in 2020—its highest level ever. We won’t give it all away but below is a preview.

Get your copy of the 2021 X-Force Threat Intelligence Index

Get ahead of the latest Linux cloud threats. Try the free Intezer Protect community edition.

40% Increase in New Linux Malware Families in 2020

The number of new Linux-related malware families discovered in 2020 was 56, far more than the level of innovation found in other threat types. This represented a 40% increase from 2019-2020, with 500% growth from 2010 to 2020.Linux-Malware-Families.png

Investment in Open-Source Malware Threatens Cloud Environments

Threat actors are innovating their malware, particularly malware that targets Linux, the open-source code that supports business-critical cloud infrastructure and data storage.

In the wake of the disruption caused by COVID-19, many businesses accelerated their cloud adoption. A recent Gartner survey found that almost 70% of organizations using cloud services today plan to increase their cloud spending. With Linux currently powering 90% of cloud workloads and a 500% increase in Linux-related malware families in the past decade, cloud environments are becoming a prime target for threat actors.

Intezer and X-Force have observed top threat actors—including Carbanak, APT28 and APT29—turning to open-source malware and creating Linux versions of their traditional malware. Ransomware strains such as RansomEXX and SFile are turning up with Linux versions as well.

Linux Cryptojacking

Cybercriminals are investing heavily in creating new Linux cryptomining malware, suggesting that these criminals aim to exploit the power of cloud computing’s processing power to maliciously obtain cryptocurrency. Attackers are evading classic detection methods, not coincidentally around the time Bitcoin and cryptocurrency started to soar. 

We observed more than 13% new, previously unobserved code in Linux cryptominining malware in 2020. Make sure you have adequate threat detection to swat them away in runtime.

Malware Written in Golang

We observed a 500% increase in Go-written malware in the first six months of 2020. Both nation-state backed and non-nation state threat actors are adopting Go as the programming language of choice to develop cross-platform malware that target both Windows and Linux systems.

It’s likely that attacks from Go malware against cloud environments will increase as more valuable assets are moved to the cloud. Using the security features provided by the hosting providers will not be enough and specialized runtime protection solutions like Intezer Protect will be needed.

How Intezer Can Help

Linux operating systems are the backbone of cloud and hybrid cloud infrastructure. With cloud services enabling organizations with greater flexibility and efficiency for their data, the demand for cloud computing is growing every year. Cybercriminals are taking note, and recognize that cloud environments present opportunities for them as well. In particular, they are investing more time and effort into creating malware tailored to affect Linux systems and cloud environments.

Cloud security demands greater vigilance. You can drastically reduce the likelihood of getting attacked by doing the basics like fixing known vulnerabilities. At the same time, it’s impossible to eliminate all software vulnerabilities. Not every vulnerability is known, not every software has a fix, and patching those that can be fixed takes time.

Add to this the existence of vulnerable third-party software and Living off the Land (LotL) attacks, which is why you also need strong threat detection. When you get attacked in runtime, where actual attacks occur, you need to be able to detect it.

Intezer Protect defends all types of compute resources—including VMs, containers and Kubernetes—against the latest Linux threats in runtime. Try our free community edition

The post 2020 Set a Record for New Linux Malware Families appeared first on Intezer.

SecurityIntelligence-1200x675.jpg

From the front lines of incident response engagements to managed security services, IBM Security X-Force observes attack trends firsthand, yielding insights into the cyber threat landscape. Every year, X-Force collates billions of data points to assess cybersecurity threats to our customers. 

This report — the X-Force Threat Intelligence Index 2021 — represents our latest edition of that yearly assessment. It covers data and findings from January to December 2020 and is meant to assist organizations in understanding current threats and how they evolve, assess risk and prioritize cybersecurity efforts. Research found Linux-related malware threats rising rapidly, threat actors actively spoofing top technology brands and shifting tactics emerging in response to the evolving COVID-19 situation. 

This year’s report includes data from multiple IBM teams, including X-Force Threat Intelligence, X-Force Incident Response, X-Force Red, IBM Managed Security Services and IBM Trusteer, as well as IBM collaborators, such as Quad9 and Intezer. The following are some of the top findings from this data.

Cyber Criminals Take a Page From the Hybrid Cloud Playbook

Linux operating systems power 90% of the cloud workload, providing the backbone of cloud and hybrid cloud infrastructures. With cloud services enabling organizations with greater flexibility, efficiency and strategic value for their data, the demand for cloud computing is growing every year. Cyber criminals are taking note and recognize that cloud environments present opportunities for them as well. In particular, they are investing more time and effort into creating malware tailored to cloud environments.

X-Force collaborator Intezer identified that Linux-based malware grew 40% year-over-year from 2019 to 2020, with 500% growth from 2010 to 2020. In addition, cyber criminals are investing heavily in creating new Linux cryptomining malware, suggesting that these criminals aim to exploit cloud computing’s processing power to maliciously obtain cryptocurrency. X-Force has observed ransomware strains such as RansomEXX and SFile turning up with Linux versions, and Intezer has observed top threat actors — including ITG14, ITG05 and ITG11 — creating Linux versions of their traditional malware.

Figure 1: New Linux malware families discovered per year, 2010-2020 (Source: Intezer)

In addition to Linux malware variants, X-Force analysts have observed threat actors — including big-game-hunting ransomware actors such as Sodinokibi — exploiting cloud services such as MEGA or pCloud to store and leak victim data. 

While cybercriminals’ focus on the cloud is concerning, X-Force threat intelligence recognizes that awareness is key. By staying alert to these new threats, tracking new forms of Linux malware, writing rules to detect them and employing a range of defense-in-depth strategies to secure cloud computing environments, X-Force is helping organizations continue to realize the benefits of the cloud even while cyber criminals focus more effort in this area.

Threat Actors Capitalize on Consumer Trust to Spoof Brands

Spoofing popular brands seems to never go out of style. Cyber criminals in 2020 continually sought to exploit consumer trust in well-known brands by creating malicious domains and fake websites mimicking trusted companies. Similar to last year’s Threat Intelligence Index that covered 2019 trends, Google, YouTube, Facebook, Amazon, Apple and WhatsApp all made the top 10 list, underscoring the popularity of technology and social media domains for actors seeking to plant malware on websites and user devices, steal user credentials or collect payment card information.

In addition, tools that have become critical to communication and collaboration during the 2020 pandemic made it into this year’s top ten: DropBox, PayPal and Microsoft also made the list, probably due to the increased reliance on these services during stay-at-home orders.

Interestingly, Adidas also made the top ten spoofed brands this year, ending up seventh on our list. The majority of Adidas website spoofing occurred in January 2020 and capitalized on the release of a new Adidas Superstar sneaker and the Yeezy sneakers by Kanye West. Many of the spoofed websites would have been convincing to the average sneaker shopper. Yeezy was one of Adidas’ top-selling sneakers, and attackers appear to have taken notice that emerging news from top brands has the potential to facilitate money-making scams.

Figure 2: Image of spoofed Adidas Yeezy sneaker website (Source: X-Force)

Attackers’ Targets and Tactics Shifted With COVID-19 Response Efforts

As the COVID-19 pandemic continues to affect countries, organizations and individuals around the world, attackers continue to adjust their strategy to capitalize on the trend, gain critical information and disrupt networks and supply chains involved in the response for financial or national gain.

IBM’s tracking of COVID-19-related spam reveals a massive increase in such campaigns in March and April 2020 — constituting an over 6000% increase at its highest point, according to our data analysis. In this early campaign, attackers capitalized on worldwide interest in information about the breaking pandemic, spoofing emails from official health resources and government assistance programs. This trend stabilized around June 2020 as the world began settling in to a ‘new normal.’

Since June 2020, COVID-19-related spam has hovered around 1% of all spam X-Force sees, and we anticipate that this trend is likely to continue well into 2021.

Figure 3: COVID-19-related spam trends as a percent of all spam (Source: X-Force)

In addition, threat actors reacted to COVID-19 by directing threat activity toward pharmaceutical companies, health care organizations and supply chains for personal protective equipment (PPE), the evolution of COVID vaccines and its cold chain distribution. In June 2020, X-Force discovered a global spear-phishing campaign targeted at more than 100 high-ranking executives involved in a German government task force charged with obtaining PPE during the pandemic. In October, X-Force uncovered a highly targeted campaign against the COVID-19 vaccine cold chain, probably perpetrated by a nation-state actor seeking information or an opportunity to disrupt vaccine distribution.

Call to Action: Embed Threat Intelligence Into Your Business

The X-Force Threat Intelligence Index 2021 reveals new changes to the cyber threat landscape worldwide. Threat actors’ attack types, techniques and strategies are changing, and adjusting your organization’s security strategy to address these changes can make all the difference for your security posture this year. In particular, some of the top defense mechanisms X-Force recommends reviewing and assessing are:

Have an incident response plan for ransomware and ensure it includes cloud assets and data. X-Force data shows that ransomware is the top attack type for 2021, and attackers are increasingly stealing and leaking sensitive company data in addition to encrypting it. Have a response plan that addresses these techniques. We recommend that the plan includes safely storing and updating backups and recovering from those backups, as well as encrypting sensitive data so it is unreadable if stolen.
Use Quad9 to sidestep spoofed domains. Quad9 is a free tool that quickly detects and blocks malicious domains, keeping your organization safe from attacks that might deploy malware or steal user credentials. X-Force findings show that threat actors actively created new, malicious domains mimicking top brands or pretending to be an official source for COVID-19 information or government relief funds. Blocking out communication with malicious and suspicious websites can help mitigate the threat of phishing and fraud.
Employ defense-in-depth tactics to defend against new malware. Threat actors are developing new malware strains every day — including malware targeting Linux systems and updates to more traditional malware that include anti-detection techniques. Employing a range of tools that can identify malware in addition to techniques used by threat actors immediately before and after malware is deployed can assist your organization in staying on top of these latest threats. Security Event and Incident Management tools, Endpoint Detection tools, cloud workload monitoring and email security tools can assist in building this layered approach.

Throughout the year, IBM X-Force researchers also provide ongoing research and analysis in the form of blogs, white papers, webinars and podcasts, highlighting our insight into advanced threat actors, new malware and new attack methods. In addition, we provide a large body of current, cutting-edge analysis to subscription clients on our Premier Threat Intelligence platform.

Download the Report

If you have experienced a cyber incident and would like immediate assistance from IBM Security X-Force incident response, please call our hotline at 1-888-241-9812 (US) or +001-312-212-8034 (global). Learn more about X-Force’s threat intelligence and incident response services.

The post 2021 X-Force Threat Intelligence Index Reveals Peril From Linux Malware, Spoofed Brands and COVID-19 Targeting appeared first on Security Intelligence.

flag.png

Original release date: January 27, 2021

CISA has released a malware analysis report on Supernova malware affecting unpatched SolarWinds Orion software. The report contains indicators of compromise (IOCs) and analyzes several malicious artifacts. Supernova is not part of the SolarWinds supply chain attack described in Alert AA20-352A.

CISA encourages users and administrators to review Malware Analysis Report MAR-10319053-1.v1 and the SolarWinds advisory for more information on Supernova.

This product is provided subject to this Notification and this Privacy & Use policy.

A vulnerability, which was classified as problematic, was found in Malwarebytes up to 3.x on macOS (Anti-Malware Software). Affected is the function posix_spawn of the component Launch Daemon. Upgrading to version 4.0 eliminates this vulnerability.

Es wurde eine Schwachstelle in Malwarebytes bis 3.x auf macOS (Anti-Malware Software) gefunden. Sie wurde als problematisch eingestuft. Betroffen hiervon ist die Funktion posix_spawn der Komponente Launch Daemon. Ein Upgrade auf die Version 4.0 vermag dieses Problem zu beheben.

Una vulnerabilità di livello problematico è stata rilevata in Malwarebytes fino 3.x su macOS (Anti-Malware Software). Riguarda la funzione posix_spawn del componente Launch Daemon. L’aggiornamento alla versione 4.0 elimina questa vulnerabilità.

An anonymous reader quotes a report from ZDNet: For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs.

SDfb.jpg

An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly…

Read the original article: Expert launched Malvuln, a project to report flaws in malware The researcher John Page launched malvuln.com, the first website exclusively dedicated to the research of security flaws in malware codes. The security expert John Page (aka hyp3rlinx) launched malvuln.

large.png

Last week, I found a malware sample that does nothing fancy, it’s a data stealer but it has an interesting feature. It’s always interesting to have a look at the network flows generated by malware samples. For a while, attackers use GeoIP API services to test if the victim’s computer deserves to be infected… or not! By checking the public IP address used by the victim, an attacker might prevent “friends” to be infected (ex: IP addresses from the attacker’s country) or if the IP address belongs to a security vendor. On the other side, the attacker might decide to infect the computer because it is located in a specific country or belongs to the targeted organization. There is plenty of free APIs that offer this feature. The ISC API provides also the same kind of details (but only the country)

remnux@remnux:~$ curl -s https://isc.sans.edu/api/ip/195.74.193.12?json | jq ‘.ip.ascountry’
“BE”

The sample that I found (SHA256:D196E2BBCAF21D3335D72F8E2F2691474BA625E6B01C4DB41A1F91FC41A5EBDF) has a VT score of 41/69[1]. It uses the .Net framework tool regsvcs.exe[2] to execute malicious code extracted by the first stage file. The malware performs the following queries. First, it queries for the victim’s public IP address with the help of icanhazip.com:

remnux@remnux:~$ curl -s http://icanhazip.com/
81.246.x.x

The second service used is api.mylnikov.org:

remnux@remnux:~$ curl -s ‘https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:0c:29:xx:xx:xx’
{“result”:404, “data”:{}, “message”:6, “desc”:”Object was not found”, “time”:1608552093}

This free service provides geolocation data for WiFi MAC addresses or BSSID. This is also useful to detect the location of the victim. The malware submits the MAC address of the default gateway (in my VM environment) or the BSSID (the MAC address of the wireless access point). In my case, it did not work of course but here is an example of valid BSSID:

remnux@remnux:~$ curl -s ‘https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:0C:42:1F:65:E9’
{“result”:200, “data”:{“lat”: 45.22038682066, “range”: 141.727, “lon”: 16.54741327415, “time”: 1608560868}}

You can see that only latitude and longitude are returned in the JSON data but it’s easy to get back the country/city using another public service:

remnux@remnux:~$ curl -s ‘https://geocode.xyz/45.22,16.54?geoit=json’| jq ‘.state’
“BA”

“api.mylnikov.org” seems to be an interesting observable! 

[1] https://www.virustotal.com/gui/file/d196e2bbcaf21d3335d72f8e2f2691474ba625e6b01c4db41a1f91fc41a5ebdf/detection
[2] https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
[3] https://www.mylnikov.org

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security ConsultantPGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

By Jon Munshaw.
Nothing was normal in 2020. Our ideas of working from offices, in-person meetings, hands-on learning and basically everything else was thrown into disarray early in the year. Since then, we defenders have had to adapt. But so have workers around the globe, and those IT and security professionals in charge of keeping those workers’ information secure.  
Adversaries saw all these changes as an opportunity to capitalize on strained health care systems, schools scrambling…
[[ This is only the beginning! Please visit the blog for the complete entry ]]

Publication date: 11/20/2020

Two Romanian citizens have been arrested for allegedly running the malware encryption services, CyberSeal and Dataprotector, to avoid detection of antivirus software, and the Cyberscan service to test malware against antiviruses.

These services have been offered in the underground market since 2010 for a value of no more than $300 per license, with regular updates and customer support. They have also been used by more than 1.560 cybercriminals with different types of malware.

The police operation, coordinated by the European Cybercrime Centre (EC3), resulted in several house searches in Bucharest and Craiova, and the neutralisation of their backend infrastructure in Romania, Norway and the USA.

11/20/2020

Tags:
Cybercrime, Encryption, Incident, Internet, Malware, Other critical infrastructures

References:

ReferenciaMedioURLFechaExternoIdioma destinoIdioma contenido Romanian duo arrested for running malware encryption service to bypass antivirus softwareeuropol.europa.euhttps://www.europol.europa.eu/newsroom/news/romanian-duo-arrested-for-running-malware-encryption-service-to-bypass-antivirus-software20/11/2020sienen Romanians arrested for running underground malware servicessecurityaffairs.cohttps://securityaffairs.co/wordpress/111270/cyber-crime/police-shutdown-malware-services.html22/11/2020sienen Arrestan a dos ciudadanos Rumanos por ejecutar servicios de malwareseguridadyfirewall.clhttps://www.seguridadyfirewall.cl/2020/11/la-policia-rumana-arresto-dos.html23/11/2020sieses

twitterbitacora.png

Fecha de publicación: 20/11/2020

Dos ciudadanos rumanos han sido arrestados por, presuntamente, administrar los servicios de cifrado de malware, CyberSeal y Dataprotector, para eludir la detección de software antivirus, y el servicio Cyberscan para testear malware frente a antivirus.

Estos servicios han sido ofrecidos en el mercado clandestino desde el 2010 por un valor no superior a los 300 dólares por licencia, contando además con actualizaciones periódicas y soporte para el cliente. Asimismo, han sido utilizados por más de 1.560 ciberdelincuentes con diferentes tipos de malware.

La operación policial, coordinada por el Centro Europeo de Ciberdelincuencia (EC3), resultó en varios registros domiciliarios en Bucarest y Craiova, y en la neutralización de su infraestructura backend en Rumania, Noruega y EEUU.

20/11/2020

Etiquetas:
Cibercrimen, Cifrado, Incidente, Internet, Malware, Otras infraestructuras críticas

Referencias:

ReferenciaMedioURLFechaExternoIdioma destinoIdioma contenido Romanian duo arrested for running malware encryption service to bypass antivirus softwareeuropol.europa.euhttps://www.europol.europa.eu/newsroom/news/romanian-duo-arrested-for-running-malware-encryption-service-to-bypass-antivirus-software20/11/2020sienen Romanians arrested for running underground malware servicessecurityaffairs.cohttps://securityaffairs.co/wordpress/111270/cyber-crime/police-shutdown-malware-services.html22/11/2020sienen Arrestan a dos ciudadanos Rumanos por ejecutar servicios de malwareseguridadyfirewall.clhttps://www.seguridadyfirewall.cl/2020/11/la-policia-rumana-arresto-dos.html23/11/2020sieses

flag.png

Original release date: October 29, 2020

Content: The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense (DOD) Cyber National Mission Force (CNMF) have identified a malware variant—referred to as Zebrocy—used by a sophisticated cyber actor. In addition, U.S. Cyber Command has released the malware sample to the malware aggregation tool and repository, VirusTotal.

CISA encourages users and administrators to review Malware Analysis Report MAR-10310246r1.v1 and U.S. Cyber Command’s VirusTotal page for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

flag.png

Original release date: October 29, 2020

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense Cyber National Mission Force (CNMF) have identified a malware variant—referred to as ComRAT—used by the Russian-sponsored advanced persistent threat (APT) actor Turla. In addition, U.S. Cyber Command has released the malware sample to the malware aggregation tool and repository, VirusTotal.

CISA encourages users and administrators to review Malware Analysis Report MAR-10310246-2.v1 and U.S. Cyber Command’s VirusTotal page for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

Since 2016, the NJCCIC has gathered cyber threat intelligence information to develop specific threat profiles on Android malware, ATM malware, botnets, cryptocurrency-mining malware, exploit kits, industrial control systems (ICS) malware, iOS malware, macOS malware, point-of-sale malware, ransomware, and trojans.

Original release date: October 6, 2020Summary

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.

This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC).

Emotet—a sophisticated Trojan commonly functioning as a downloader or dropper of other malware—resurged in July 2020, after a dormant period that began in February. Since August, CISA and MS-ISAC have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails. This increase has rendered Emotet one of the most prevalent ongoing threats.

To secure against Emotet, CISA and MS-ISAC recommend implementing the mitigation measures described in this Alert, which include applying protocols that block suspicious attachments, using antivirus software, and blocking suspicious IPs.

Technical Details

Emotet is an advanced Trojan primarily spread via phishing email attachments and links that, once clicked, launch the payload (Phishing: Spearphishing Attachment [T1566.001], Phishing: Spearphishing Link [T1566.002]).The malware then attempts to proliferate within a network by brute forcing user credentials and writing to shared drives (Brute Force: Password Guessing [T1110.001], Valid Accounts: Local Accounts [T1078.003], Remote Services: SMB/Windows Admin Shares [T1021.002]).

Emotet is difficult to combat because of its “worm-like” features that enable network-wide infections. Additionally, Emotet uses modular Dynamic Link Libraries to continuously evolve and update its capabilities.

Since July 2020, CISA has seen increased activity involving Emotet-associated indicators. During that time, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected roughly 16,000 alerts related to Emotet activity. CISA observed Emotet being executed in phases during possible targeted campaigns. Emotet used compromised Word documents (.doc) attached to phishing emails as initial insertion vectors. Possible command and control network traffic involved HTTP POST requests to Uniform Resource Identifiers consisting of nonsensical random length alphabetical directories to known Emotet-related domains or IPs with the following user agent string (Application Layer Protocol: Web Protocols [T1071.001]).

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR

Traffic to known Emotet-related domains or IPs occurred most commonly over ports 80, 8080, and 443. In one instance, traffic from an Emotet-related IP attempted to connect to a suspected compromised site over port 445, possibly indicating the use of Server Message Block exploitation frameworks along with Emotet (Exploitation of Remote Services [T1210]). Figure 1 lays out Emotet’s use of enterprise techniques.

 

Figure 1: MITRE ATT&CK enterprise techniques used by Emotet

 

Timeline of Activity

The following timeline identifies key Emotet activity observed in 2020.

February: Cybercriminals targeted non-U.S. countries using COVID-19-themed phishing emails to lure victims to download Emotet.[1] July: Researchers spotted emails with previously used Emotet URLs, particularly those used in the February campaign, targeting U.S. businesses with COVID-19-themed lures.[2] August:

Security researchers observed a 1,000 percent increase in downloads of the Emotet loader. Following this change, antivirus software firms adjusted their detection heuristics to compensate, leading to decreases in observed loader downloads.[3]  
Proofpoint researchers noted mostly minimal changes in most tactics and tools previously used with Emotet. Significant changes included:
Emotet delivering Qbot affiliate partner01 as the primary payload and
The Emotet mail sending module’s ability to deliver benign and malicious attachments.[4]

CISA and MS-ISAC observed increased attacks in the United States, particularly cyber actors using Emotet to target state and local governments.

September:

Cyber agencies and researchers alerted the public of surges of Emotet, including compromises in Canada, France, Japan, New Zealand, Italy, and the Netherlands. Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.[5],[6],[7],[8] Security researchers from Microsoft identified a pivot in tactics from the Emotet campaign. The new tactics include attaching password-protected archive files (e.g., Zip files) to emails to bypass email security gateways. These email messages purport to deliver documents created on mobile devices to lure targeted users into enabling macros to “view” the documents—an action which actually enables the delivery of malware.[9] Palo Alto Networks reported cyber actors using thread hijacking to spread Emotet. This attack technique involves stealing an existing email chain from an infected host to reply to the chain—using a spoofed identity—and attaching a malicious document to trick recipients into opening the file.[10]

MITRE ATT&CK Techniques

According to MITRE, Emotet uses the ATT&CK techniques listed in table 1.

Table 1: Common exploit tools

Technique

Use

OS Credential Dumping: LSASS Memory [T1003.001]

Emotet has been observed dropping password grabber modules including Mimikatz.

Remote Services: SMB/Windows Admin Shares [T1021.002]

Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced.

Obfuscated Files or Information [T1027]

Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, cmd.exe arguments, and PowerShell scripts.

Obfuscated Files or Information: Software Packing [T1027.002]

Emotet has used custom packers to protect its payloads.

Network Sniffing [T1040]

Emotet has been observed to hook network APIs to monitor network traffic.

Exfiltration Over C2 Channel [T1041]

Emotet has been seen exfiltrating system information stored within cookies sent within a HTTP GET request back to its command and control (C2) servers.

Windows Management Instrumentation [T1047]

Emotet has used WMI to execute powershell.exe.

Process Injection: Dynamic-link Library Injection [T1055.001]

Emotet has been observed injecting in to Explorer.exe and other processes.

Process Discovery [T1057]

Emotet has been observed enumerating local processes.

Command and Scripting Interpreter: PowerShell [T1059.001]

Emotet has used Powershell to retrieve the malicious payload and download additional resources like Mimikatz.

Command and Scripting Interpreter: Windows Command Shell [T1059.003]

Emotet has used cmd.exe to run a PowerShell script.

Command and Scripting Interpreter: Visual Basic [T1059.005]

Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.

Valid Accounts: Local Accounts [T1078.003]

Emotet can brute force a local admin password, then use it to facilitate lateral movement.

Account Discovery: Email Account [T1087.003]

Emotet has been observed leveraging a module that can scrape email addresses from Outlook.

Brute Force: Password Guessing [T1110.001]

Emotet has been observed using a hard-coded list of passwords to brute force user accounts.

Email Collection: Local Email Collection [T1114.001]

Emotet has been observed leveraging a module that scrapes email data from Outlook.

User Execution: Malicious Link [T1204.001]

Emotet has relied upon users clicking on a malicious link delivered through spearphishing.

User Execution: Malicious File [T1204.002]

Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.

Exploitation of Remote Services [T1210]

Emotet has been seen exploiting SMB via a vulnerability exploit like ETERNALBLUE (MS17-010) to achieve lateral movement and propagation.

Create or Modify System Process: Windows Service [T1543.003]

Emotet has been observed creating new services to maintain persistence.

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]

Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun key to maintain persistence.

Scheduled Task/Job: Scheduled Task [T1053.005]

Emotet has maintained persistence through a scheduled task.

Unsecured Credentials: Credentials In Files [T1552.001]

Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user.

Credentials from Password Stores: Credentials from Web Browsers [T1555.003]

Emotet has been observed dropping browser password grabber modules.

Archive Collected Data [T1560]

Emotet has been observed encrypting the data it collects before sending it to the C2 server.

Phishing: Spearphishing Attachment [T1566.001]

Emotet has been delivered by phishing emails containing attachments.

Phishing: Spearphishing Link [T1566.002]

Emotet has been delivered by phishing emails containing links.

Non-Standard Port [T1571]

Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP/Hypertext Transfer Protocol Secure.

Encrypted Channel: Asymmetric Cryptography [T1573.002]

Emotet is known to use RSA keys for encrypting C2 traffic.

Detection

Signatures

MS-ISAC developed the following Snort signature for use in detecting network activity associated with Emotet activity.

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:”[CIS] Emotet C2 Traffic Using Form Data to Send Passwords”; content:”POST”; http_method; content:”Content-Type|3a 20|multipart/form-data|3b 20|boundary=”; http_header; fast_pattern; content:”Content-Disposition|3a 20|form-data|3b 20|name=|22|”; http_client_body; content:!”——WebKitFormBoundary”; http_client_body; content:!”Cookie|3a|”; pcre:”/:?(chrome|firefox|safari|opera|ie|edge) passwords/i”; reference:url,cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/; sid:1; rev:2;)

CISA developed the following Snort signatures for use in detecting network activity associated with Emotet activity. Note: Uniform Resource Identifiers should contain a random length alphabetical multiple directory string, and activity will likely be over ports 80, 8080, or 443.

alert tcp any any -> any $HTTP_PORTS (msg:”EMOTET:HTTP URI GET contains ‘/wp-content/###/'”; sid:00000000; rev:1; flow:established,to_server; content:”/wp-content/”; http_uri; content:”/”; http_uri; distance:0; within:4; content:”GET”; nocase; http_method; urilen:<17; classtype:http-uri; content:”Connection|3a 20|Keep-Alive|0d 0a|”; http_header; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:”EMOTET:HTTP URI GET contains ‘/wp-admin/###/'”; sid:00000000; rev:1; flow:established,to_server; content:”/wp-admin/”; http_uri; content:”/”; http_uri; distance:0; within:4; content:”GET”; nocase; http_method; urilen:<15; content:”Connection|3a 20|Keep-Alive|0d 0a|”; http_header; classtype:http-uri; metadata:service http;)

Mitigations

CISA and MS-ISAC recommend that network defenders—in federal, state, local, tribal, territorial governments, and the private sector—consider applying the following best practices to strengthen the security posture of their organization’s systems. System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.

Block email attachments commonly associated with malware (e.g.,.dll and .exe).
Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
Implement Group Policy Object and firewall rules.
Implement an antivirus program and a formalized patch management process.
Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
Adhere to the principle of least privilege.
Implement a Domain-Based Message Authentication, Reporting & Conformance validation system.
Segment and segregate networks and functions.
Limit unnecessary lateral communications.
Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Enforce multi-factor authentication.
Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
Enable a firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users’ web browsing habits; restrict access to suspicious or risky sites.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
Scan all software downloaded from the internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate access control lists.
Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.
See CISA’s Alert on Technical Approaches to Uncovering and Remediating Malicious Activity for more information on addressing potential incidents and applying best practice incident response procedures.
See the joint CISA and MS-ISAC Ransomware Guide on how to be proactive and prevent ransomware attacks from happening and for a detailed approach on how to respond to an attack and best resolve the cyber incident.

For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.

Resources

MS-ISAC Security Event Primer – Emotet
CISA Alert TA18-201A – Emotet Malware
MITRE ATT&CK – Emotet
MITRE ATT&CK for Enterprise
References
[1] Bleeping Computer: Emotet Malware Strikes U.S. Businesses with COVID-19 Spam [2] IBID [3] Security Lab: Emotet Update Increases Downloads [4] Proofpoint: A Comprehensive Look at Emotet’s Summer 2020 Return [5] ZDNet: France, Japan, New Zealand Warn of Sudden Strike in Emotet Attacks [6] Bleeping Computer: France Warns of Emotet Attacking Companies, Administration [7] ESET: Emotet Strikes Quebec’s Department of Justice: An ESET Analysis [8] ZDNet: Microsoft, Italy, and the Netherlands Warn of Increased Emotet Activity [9] Bleeping Computer: Emotet Double Blunder: Fake ‘Windows 10 Mobile’ and Outdated Messages [10] Palo Alto Networks: Case Study: Emotet Thread Hijacking, an Email Attack Technique Revisions
October 6, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 1, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense (DOD) Cyber National Mission Force (CNMF) have identified a malware variant—referred to as SLOTHFULMEDIA—used by a sophisticated cyber actor. In addition, U.S. Cyber Command has released the malware sample to the malware aggregation tool and repository, VirusTotal.

CISA encourages users and administrators to review Malware Analysis Report MAR-10303705-1.v1 and U.S. Cyber Command’s VirusTotal page for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

 

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how threat actors are bundling Windscribe VPN installers with backdoors. Also, read about a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications.

 

 

Read on:

 

Windows Backdoor Masquerading as VPN App Installer

This article discusses findings covered in a recent blog from Trend Micro where company researchers warn that Windows users looking to install a VPN app are in danger of downloading one that’s been bundled with a backdoor. The trojanized package in this specific case is the Windows installer for Windscribe VPN and contains the Bladabindi backdoor.

The Evolution of Malicious Shell Scripts

The Unix-programming community commonly uses shell scripts as a simple way to execute multiple Linux commands within a single file. Many users do this as part of a regular operational workload manipulating files, executing programs and printing text. However, as a shell interpreter is available in every Unix machine, it is also an interesting and dynamic tool abused by malicious actors.

Microsoft Says It Detected Active Attacks Leveraging Zerologon Vulnerability

Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft’s security intelligence team said on Thursday morning. The attacks were expected to happen, according to security industry experts. Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed on September 14 by Dutch security firm Secura BV.

Stretched and Stressed: Best Practices for Protecting Security Workers’ Mental Health

Security work is stressful under the best of circumstances, but remote work presents its own challenges. In this article, learn how savvy security leaders can best support their teams today — wherever they’re working. Trend Micro’s senior director of HR for the Americas, Bob Kedrosky, weighs in on how Trend Micro is supporting its remote workers.

Exploitable Flaws Found in Facial Recognition Devices

To gain a more nuanced understanding of the security issues present in facial recognition devices, Trend Micro analyzed the security of four different models: ZKTeco FaceDepot-7B, Hikvision DS-K1T606MF, Telpo TPS980 and Megvii Koala. Trend Micro’s case studies show how these devices can be misused by malicious attackers.

New ‘Alien’ Malware Can Steal Passwords from 226 Android Apps

Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications. Named Alien, this new trojan has been active since the start of the year and has been offered as a Malware-as-a-Service (MaaS) offering on underground hacking forums.

Government Software Provider Tyler Technologies Hit by Possible Ransomware Attack

Tyler Technologies, a Texas-based provider of software and services for the U.S. government, started informing customers this week of a security incident that is believed to have involved a piece of ransomware. Tyler’s website is currently unavailable and in emails sent out to customers the company said its internal phone and IT systems were accessed without authorization by an “unknown third party.”

U.S. Justice Department Charges APT41 Hackers Over Global Cyberattacks

On September 16, 2020, the United States Justice Department announced that it was charging five Chinese citizens with hacking crimes committed against over 100 institutions in the United States and abroad. The global hacking campaign went after a diverse range of targets, from video game companies and telecommunications enterprises to universities and non-profit organizations. The five individuals were reportedly connected to the hacking group known as APT41.

Phishers are Targeting Employees with Fake GDPR Compliance Reminders

Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials. In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy.

Mispadu Banking Trojan Resurfaces

Recent spam campaigns leading to the URSA/Mispadu banking trojan have been uncovered, as reported by malware analyst Pedro Tavares in a Twitter post and by Seguranca Informatica in a blog post. Mispadu malware steals credentials from users’ systems. This attack targets systems with Spanish and Portuguese as system languages.

A Blind Spot in ICS Security: The Protocol Gateway Part 3: What ICS Security Administrators Can Do

In this blog series, Trend Micro analyzes the impacts of the serious vulnerabilities detected in the protocol gateways that are essential when shifting to smart factories and discusses the security countermeasures that security administrators in those factories must take. In the final part of this series, Trend Micro describes a stealth attack method that abuses a vulnerability as well as informs readers of a vital point of security measures required for the future ICS environment.

Major Instagram App Bug Could’ve Given Hackers Remote Access to Your Phone

Check Point researchers disclosed details about a critical vulnerability in Instagram’s Android app that could have allowed remote attackers to take control over a targeted device just by sending victims a specially crafted image. The flaw lets attackers perform actions on behalf of the user within the Instagram app, including spying on victim’s private messages and deleting or posting photos from their accounts, as well as execute arbitrary code on the device.

Addressing Threats Like Ryuk via Trend Micro XDR

Ryuk has recently been one of the most noteworthy ransomware families and is perhaps the best representation of the new paradigm in ransomware attacks where malicious actors go for quality over sheer quantity. In 2019, the Trend Micro™ Managed XDR and Incident Response teams investigated an incident concerning a Trend Micro customer that was infected with the Ryuk ransomware.

What are your thoughts on the Android Instagram app bug that could allow remote access to user’s phones? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Cybercriminals Distribute Backdoor with VPN Installer and New ‘Alien’ Malware can Steal Passwords from 226 Android Apps appeared first on .

Original release date: September 22, 2020Summary

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise frameworks for all referenced threat actor techniques.

This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions by the Multi-State Information Sharing & Analysis Center (MS-ISAC).

CISA has observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020. Throughout this period, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected persistent malicious LokiBot activity. LokiBot uses a credential- and information-stealing malware, often sent as a malicious attachment and known for being simple, yet effective, making it an attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.

Technical Details

LokiBot—also known as Lokibot, Loki PWS, and Loki-bot—employs Trojan malware to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials.

The malware steals credentials through the use of a keylogger to monitor browser and desktop activity (Credentials from Password Stores [T1555]).

(Credentials from Password Stores: Credentials from Web Browsers [T1555.003])
(Input Capture: Keylogging [T1056.001])

LokiBot can also create a backdoor into infected systems to allow an attacker to install additional payloads (Event Triggered Execution: Accessibility Features [T1546.008]).
Malicious cyber actors typically use LokiBot to target Windows and Android operating systems and distribute the malware via email, malicious websites, text, and other private messages (User Execution: Malicious File [T1204.002]). See figure 1 for enterprise techniques used by LokiBot.

Figure 1: MITRE ATT&CK enterprise techniques used by LokiBot

Since LokiBot was first reported in 2015, cyber actors have used it across a range of targeted applications, including the following.

February 2020: Trend Micro identified cyber actors using LokiBot to impersonate a launcher for Fortnite—a popular video game.[1] August 2019: FortiGuard SE researchers discovered a malspam campaign distributing LokiBot information-stealing payloads in spearphishing attack on a U.S. manufacturing company.[2] August 2019: Trend Micro researchers reported LokiBot malware source code being hidden in image files spread as attachments in phishing emails.[3] June 2019: Netskope uncovered LokiBot being distributed in a malspam campaign using ISO image file attachments.[4] April 2019: Netskope uncovered a phishing campaign using malicious email attachments with LokiBot malware to create backdoors onto infected Windows systems and steal sensitive information.[5] February 2018: Trend Micro discovered CVE-2017-11882 being exploited in an attack using Windows Installer service to deliver LokiBot malware.[6] October 2017: SfyLabs identified cyber actors using LokiBot as an Android banking trojan that turns into ransomware.[7] May 2017: Fortinet reported malicious actors using a PDF file to spread a new LokiBot variant capable of stealing credentials from more than 100 different software tools.[8] March 2017: Check Point discovered LokiBot malware found pre-installed on Android devices.[9] December 2016: Dr.Web researchers identified a new LokiBot variant targeting Android core libraries.[10] February 2016: Researchers discovered the LokiBot Android Trojan infecting the core Android operating system processes.[11] MITRE ATT&CK Techniques

According to MITRE, LokiBot uses the ATT&CK techniques listed in table 1.

Table 1: LokiBot ATT&CK techniques

Technique

Use

System Network Configuration Discovery [T1016]

LokiBot has the ability to discover the domain name of the infected host.

Obfuscated Files or Information [T1027]

LokiBot has obfuscated strings with base64 encoding.

Obfuscated Files or Information: Software Packing [T1027.002]

LokiBot has used several packing methods for obfuscation.

System Owner/User Discovery [T1033]

LokiBot has the ability to discover the username on the infected host.

Exfiltration Over C2 Channel [T1041]

LokiBot has the ability to initiate contact with command and control to exfiltrate stolen data.

Process Injection: Process Hollowing [T1055.012]

LokiBot has used process hollowing to inject into legitimate Windows process vbc.exe.

Input Capture: Keylogging [T1056.001]

LokiBot has the ability to capture input on the compromised host via keylogging.

Application Layer Protocol: Web Protocols [T1071.001]

LokiBot has used Hypertext Transfer Protocol for command and control.

System Information Discovery [T1082]

LokiBot has the ability to discover the computer name and Windows product name/version.

User Execution: Malicious File [T1204.002]

LokiBot has been executed through malicious documents contained in spearphishing emails.

Credentials from Password Stores [T1555]

LokiBot has stolen credentials from multiple applications and data sources including Windows operating system credentials, email clients, File Transfer Protocol, and Secure File Transfer Protocol clients.

Credentials from Password Stores: Credentials from Web Browsers [T1555.003]

LokiBot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and Chromium and Mozilla Firefox-based web browsers.

Hide Artifacts: Hidden Files and Directories [T1564.001]

LokiBot has the ability to copy itself to a hidden file and directory.

Detection

Signatures

CISA developed the following Snort signature for use in detecting network activity associated with LokiBot activity.

alert tcp any any -> any $HTTP_PORTS (msg:”Lokibot:HTTP URI POST contains ‘/*/fre.php’ post-infection”; flow:established,to_server; flowbits:isnotset,.tagged; content:”/fre.php”; http_uri; fast_pattern:only; urilen:<50,norm; content:”POST”; nocase; http_method; pcre:”//(?:alien|lokyd|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll/NW|wrk|job|fived?|donemy|animationdkc|love|Masky|vd|lifetn|Ben)/fre.php$/iU”; flowbits:set,.tagged;classtype:http-uri; metadata:service http; metadata:pattern HTTP-P001,)

Mitigations

CISA and MS-ISAC recommend that federal, state, local, tribal, territorial government, private sector users, and network administrators consider applying the following best practices to strengthen the security posture of their organization’s systems. System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.

Maintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code.
Keep operating system patches up to date. See Understanding Patches and Software Updates.
Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Enforce multi-factor authentication. See Supplementing Passwords for more information.
Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
Enforce a strong password policy. See Choosing and Protecting Passwords.
Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
Scan all software downloaded from the internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate access control lists.
Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.

For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.

Resources

Center for Internet Security Security Event Primer – Malware: https://www.cisecurity.org/white-papers/security-event-primer-malware/
MITRE ATT&CK – LokiBot: https://attack.mitre.org/software/S0447/
MITRE ATT&CK for Enterprise: https://attack.mitre.org/matrices/enterprise/

References
[1] Trend Micro: LokiBot Impersonates Popular Game Launcher and Drops Compiled C# Code File [2] Fortinet: Newly Discovered Infostealer Attack Uses LokiBot [3] ZDNet: LokiBot Malware Now Hides its Source Code in Image Files [4] SecurityWeek: LokiBot and NanoCore Malware Distributed in ISO Image Files [5] Netskope: LokiBot & NanoCore being distributed via ISO disk image files [6] Trend Micro: Attack Using Windows Installer Leads to LokiBot [7] BleepingComputer: LokiBot Android Banking Trojan Turns Into Ransomware When You Try to Remove It [8] Fortinet: New Loki Variant Being Spread via PDF File [9] Check Point: Preinstalled Malware Targeting Mobile Users [10] BleepingComputer: Loki Trojan Infects Android Libraries and System Process to Get Root Privileges [11] New Jersey Cybersecurity & Communications Integration Cell: LokiBot  Revisions
September 22, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

fed-up-person-laptop.jpg

Using knowledge from the ‘cyber frontline’ to improve our ‘Mitigating malware and ransomware’ guidance.

Gartner predicts the financial impact of cyber attacks resulting in fatal casualties will reach more than US$50 billion by 2023
As more physical industrial sites become connected, leaders themselves will be accountable for their security and safety 

In the age of Industry 4.0 and connected industry, we often discuss the relatively new and growing threat of cyber attacks in the context of financial damage. Ransomware, for example, can jam a steel crowbar into operations, leading to downtime, and subsequently hemorrhaging costs. 

As physical industries become connected and therefore vulnerable to attacks, they face the same risks as every other digital organization. 

READ NEXTIIoT smart factories are leaving doors open for cyber attacks

But that’s not quite the extent of it. As warehouses, factories, power plants, and other physical facilities are further laden with sensor-based predictive analytics, remote access technologies, control networks, robotics, and other operational technology (OT), system attacks can quickly lead to physical harm to people, destruction of property or environmental disasters.

Previous malware attacks have demonstrated this potential. The Triton malware was found infecting safety systems in Saudi petrochemical plants in 2017. It gave attackers the ability to remotely shut off fail-safe systems in case there was a poisonous-gas leak or a critical failure — the last layer of defense before human life was at risk. 

There have been spear-phishing attacks on members of the US energy sector. Allegedly determined to be North Korean hackers, attempts have been thwarted but could easily have led to attacks that could devastate the infrastructure of the country. As far back as 2015, a hack of Ukraine’s power grid caused a blackout affecting 200,000 people, while Kaspersky Labs estimates that over 40% of ICS computers on its watch had been attacked by malicious malware at least once in the first half of 2018. 

In the same year, it was reported that the hacking of a control system for a steel mill in Germany meant a blast furnace could not be shut, leading to “massive” damage to the plant, but no reported loss of life. 

These types of incidents on cyber-physical security (CPS) are fortunately rare but set to rapidly increase in the coming years due to a lack of security focus and spending. If business leaders don’t act, they could be held personally accountable when something goes wrong. 

Industrial robots are welding metal part in factory

Industrial robots are welding metal part in factory. Source: Shutterstock

The cyber-physical security threat

Gartner defines CPS as systems engineered to orchestrate sensing, computation, control, networking, and analytics to interact with the physical world — including humans. 

They underpin all connected IT, operational technology (OT), and Internet of Things (IoT) efforts where security considerations span both the cyber and physical worlds, such as asset-intensive, critical infrastructure, and clinical healthcare environments.

Gartner predicts that as this type of threat increases, business leaders will be caught off guard as liability for CPS incidents will “pierce the corporate veil” to personal liability for 75% of CEOs by 2024.

“Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies,” said Katell Thielemann, research vice president at Gartner. “Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them.

“In the U.S., the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry.”

Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach more than US$50 billion by 2023. The firm warns that, even with the actual value of human life in the equation, associated costs for organizations in terms of compensation, litigation, insurance, regulatory fines, and reputation loss will be significant. 

“Technology leaders need to help CEOs understand the risks that CPSs represent and the need to dedicate focus and budget to securing them,” said Thielemann. “The more connected CPSs are, the higher the likelihood of an incident occurring.”

YOU MIGHT LIKE

IOT

IIoT smart factories are leaving doors open for cyber attacks

With OT, smart buildings, smart cities, connected cars, and autonomous vehicles evolving, incidents in the digital world will have a much greater effect in the physical world as risks, threats and vulnerabilities now exist in a bidirectional, cyber-physical spectrum.

However, many enterprises are not aware of CPSs already deployed in their organization, either due to legacy systems connected to enterprise networks by teams outside of IT or because of new business-driven automation and modernization efforts.

The post CEOs will be held accountable for ‘killer’ malware in future, says Gartner appeared first on TechHQ.

cccs-banner.png

Una severa vulnerabilidad existe en casi todas las versiones firmadas de GRUB2, el cual es usado por la mayoría de los sistemas Linux. De explotarse adecuadamente, permitiría a los atacantes comprometer el proceso de arranque del sistema, incluso si el mecanismo de verificación «Secure Boot» está activo.

La falla fue reportada por Eclypsium el 29 de julio aunque el CVE-2020-10713 asociado tiene fecha del 20 de marzo, y si bien grub2 podría relacionarse más directamente con sistemas Linux, los equipos con arranque dual (o múltiple) abre la puerta a la explotación hacia otros sistemas como Windows.

Se encontró una falla en las versiones previas a 2.06 de grub2. Un atacante puede usar la falla en GRUB 2 para secuestrar y manipular el proceso de verificación de GRUB. Esta falla también permite eludir las protecciones de arranque seguro (Secure Boot). Para poder cargar un kernel no confiable o modificado, un atacante primero necesitaría disponer de acceso al sistema, como obtener acceso físico, tener la posibilidad de alterar una red «pxe-boot» o tener acceso remoto a un sistema en la red con acceso de root. Con este acceso, un atacante podría forjar una cadena para causar un desbordamiento del búfer inyectando una carga maliciosa, que conduzca a la ejecución de código arbitrario dentro de GRUB. La mayor amenaza de esta vulnerabilidad es la confidencialidad e integridad de los datos, así como la disponibilidad del sistema.

https://cve.mitre.org/cgi-bin//cvename.cgi?name=CVE-2020-10713

Según el reporte de BleepingComputer, ha compartido la vulnerabilidad con los proveedores de sistemas operativos, los fabricantes de computadoras y los CERT/CSIRT. Se espera que hoy mismo se publiquen avisos y mitigaciones posibles de múltiples organizaciones en la industria.

Vemos el problema con baja probabilidad de ocurrencia o al menos con alta dificultad, pues como se indica en la cita del CVE, requiere condiciones especiales para llegar a explotar la vulnerabilidad. Esto no significa que nos podamos despreocupar, más bien debemos estar muy pendientes de las actualizaciones que irán llegando de los diferentes fabricantes.

The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Data breach, Colbalt Strike, Lazarus, Misconfigured Tools, and OilRig. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 916000.png

Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Cerberus Banking Trojan Team Breaks Up, Source Code Goes to Auction

(published: July 27, 2020)

Android banking trojan, Cerberus has been put up for sale by the malware’s developer. The trojan, which uses overlays to phish banking credentials from users, has been listed with a starting price of $50,000. The operator of Cerberus claims the purchaser will receive the source code, module code, admin panel code, along with the current customer database with a monthly profit of $10,000. The sale of Cerberus is allegedly due to the development team breaking up.Recommendation: Users should be cautious when downloading Android applications, with malicious apps occasionally bypassing Google Play Store protections. It is crucial that all permissions of an application be examined prior to download.Tags: Android Malware, Cerberus, Mobile Malware

Source Code from Dozens of Companies Leaked Online

(published: July 27, 2020)

Source code from a wide range of companies have been leaked due to misconfigured tools. Identified by Tillie Kottmann, the companies include Adobe, Disney, Lenovo, Microsoft, Motorola, Nintendo, among many others. Within the source code the developers’ names, along with hardcoded credentials have been found.Recommendation: It is crucial for your company to verify that access control is configured correctly prior to adding any sensitive data. As this story portrays, a misconfigured software can cause leaks of sensitive information, which could be used for further malicious activity, and cause significant harm to a company’s reputation.Tags: Misconfigured tools, Data breach

Dave Data Breach Affects 7.5 Million Users, Leaked on Hacker Forum

(published: July 26, 2020)

Dave, a fintech company that offers overdraft protection, has suffered a data breach. The breach occurred when threat actors gained access to third-party provider Waydev, which enabled access to user data at Dave. The database contained over seven million user records which included addresses birth dates, email addresses, names, and phone numbers. The actor who stole the database first attempted to sell the breach on a hacker forum, however, they ended up releasing the database for free on another site.Recommendation: Dave is requiring all users to do a password reset, however, users need to be aware they are still at risk if they are using the same password for other sites as well.Tags: Data breach, PII, Third party breach

Russia’s GRU Hackers Hit US Government and Energy Targets

(published: July 24, 2020)

The Federal Bureau of Investigations (FBI) and FireEye both have confirmed a series of campaigns by the Russian GRU associated APT28, aka Fancy Bear. These attacks began in December of 2018 and continued until at least May 2020. The initial vector appears to be spearphishing attacks against a number of US Government, energy, and education organizations. One confirmed victim did not find any evidence of successful phishing but did confirm that attackers had stolen multiple mailboxes from their email servers. Other initial attack vectors include password spaying and brute force. The long term motivation behind these attacks is not clear, but are likely a variation of the past motives of APT28, including US election meddling, and retaliatory attacks against the Olympic Anti-Doping Agency. The broadening of attacks to the US Energy Sector is especially troubling as APT28 is believed to have been behind previous attacks against US and Ukrainian Energy infrastructure and Industry Control Systems (ICS).Recommendation: Defense in-depth, along with well designed and regular employee training is critical to all businesses but especially important for governments and industries. Entities responsible for ICS systems need to be aware of the security issues and vulnerabilities in these systems, and they should never be connected to the internet.Tags: APT28, FancyBear, government, energy sector, spear-phishing

Chinese DJI Drones Come With Backdoor

(published: July 24, 2020)

Researchers from Synacktiv and GRIMM have released reports detailing security issues found within the DJI drone app. Developed by Chinese drone manufacturer Da Jiang Innovations, the app comes with an auto-update function that bypasses the Google Play Store, this function could be used to install malicious software on an Android device and send sensitive information directly to DJI’s servers. The app requests significant permissions (contacts, microphone, camera, location, storage, change network connectivity) and collects a user’s IMSI, IMEI and the serial number of the SIM card used, arguably the servers have almost full control of a users phone exhibiting similarities to a malware C&C server. The app also uses auto-debugging and encryption techniques to stop security researchers. DJI has disputed these claims, calling the findings “typical software concerns” and argued that the US DHS had found no evidence of suspicious data transmission.Recommendation: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors.Tags: Android, drone, backdoor

Garmin Suffers Potential Ransomware Attack

(published: July 24, 2020)

Garmin’s services and applications have been experiencing outages over the previous week and reports of a ransomware attack are beginning to surface. Garmin confirmed that its website and mobile app were both down while also sending notes to its Taiwanese factories that there would be, “two days of planned maintenance.” Researchers from SentinelOne noticed that these outages appeared to correlate with a WastedLocker attack against the company, several employees likewise alleged that Garmin had suffered an attack from WastedLocker. WastedLocker is ransomware believed to have been developed by the Russian group Evil Corp, better known for their Dridex and Bitpaymer attacks. Garmin has currently not commented on a potential attack.Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486Tags: Garmin, ransomware, Evil Corp, WastedLocker, cybercrime,

MATA: Multi-platform Targeted Malware Framework

(published: July 22, 2020)

Security researchers from Kaspersky have identified a new malware framework called “MATA” that targets Windows, Linux, and macOS operating systems. Researchers believe the malware framework is linked to North Korea based Lazarus APT group. The framework has been used by the threat actors since April 2018 and targeted entities in Poland, Germany, Turkey, Korea, Japan, and India. The targeted industries include a software company, an e-commerce provider, and an Internet Service Provider (ISP). The actors used MATA to perform various objectives on their victims like distributing VHD ransomware and querying victim databases for acquiring customer lists. Analysis revealed that a variant of Manuscrypt malware distributed by Lazarus also shares a similar configuration structure with MATA.Recommendation: Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.Tags: Lazarus, MATA

OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory

(published: July 22, 2020)

Palo Alto’s Unit42 discovered a variant of an OilRig-associated tool we call RDAT using a novel email-based command and control (C2) channel that relied on a technique known as steganography to hide commands and data within bitmap images attached to emails.Recommendation: Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.Tags: OilRig, Middle East, Email, C2

Chinese APT Targets India and Hong Kong with Updated MgBot

(published: July 21, 2020)

Researchers from Malwarebytes have released a report detailing the targeting of Indian and Hong Kong entities by an unnamed Chinese APT group. A spearphishing campaign spoofing as an email from the Indian Government Information Security Center was observed targeting Indian government personnel. Once the attached .rar file was downloaded, it would inject a Cobalt Strike variant into the system. Other lure documents themed around Hong Kong immigration to the UK were discovered dropping an updated MgBot loader before injecting Remote Access Trojan (RAT) through the AppMgmt Service on Windows. The RAT’s strings are either obfuscated or use XOR encoding making analysis difficult. The targeting by a Chinese APT is likely due to the current climate between China and India as well as the political tensions in Hong Kong. Malwarebytes believes the actor shares TTPs with well-known Chinese groups such as Rancor, KeyBoy, and APT40; while still not offering attribution, the analysts believe this APT group has been active since 2014 continuously using variants of MgBot throughout.Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.MITRE ATT&CK: [MITRE PRE-ATT&CK] Spearphishing for Information – T1397 | [MITRE ATT&CK] Access Token Manipulation – T1134 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071 | [MITRE ATT&CK] BITS Jobs – T1197 | [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] Exploitation for Privilege Escalation – T1068 | [MITRE ATT&CK] Network Service Scanning – T1046 | [MITRE ATT&CK] Obfuscated Files or Information – T1027Tags: China, APT, MgBot, Cobalt Strike, India, Hong Kong, spearphishing, lure

Golden Chickens: Evolution Of The MaaS

(published: July 20, 2020)

Researchers from QuoIntelligence observed four new attacks utilizing the tools from e-crime group Golden Chickens who provide Malware-as-a-Service (MaaS) throughout March and April. Researchers attributed each attack with confidence varying from low to moderate to groups GC05, GC06.tmp, and FIN6. During the analysis, it was found that the Golden Chickens group has updated its tools such as TerraLoader, more_eggs, and VenomLNK with new features that incorporate anti-analysis techniques, new string obfuscation and brute force implementation. Golden Chickens MaaS remains as a preferred service provider for top-tier e-crime groups such as FIN6 and Cobalt Group.Recommendation: Financially themed malspam emails are a common tactic among threat actors, therefore, it is crucial that your employees are aware of their financial institutions’ policies regarding electron communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel.MITRE ATT&CK: [MITRE ATT&CK] Regsvr32 – T1117 | [MITRE ATT&CK] Code Signing – T1116 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] System Network Configuration Discovery – T1016 | [MITRE ATT&CK] System Owner/User Discovery – T1033 | [MITRE ATT&CK] Remote File Copy – T1105 | [MITRE ATT&CK] Commonly Used Port – T1043 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071 | [MITRE ATT&CK] Standard Cryptographic Protocol – T1032 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel – T1041 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] CMSTP – T1191Tags: Terra loader, Golden chickens

MAR-17-352-01 HatMan—Safety System Targeted Malware. This malware analysis report discusses the components and capabilities of the HatMan malware and some potential mitigations. Media reporting also refers to this malware as both TRITON and TRISIS.

This updated malware analysis report is a follow-up to the updated malware analysis report titled MAR-17-352-01 HatMan – Safety System Targeted Malware (Updated A) that was published April 10, 2018, on the ICS-CERT website.

More malware designed for air-gapped systems. A British utility sustains a ransomware attack. The US Cyberspace Solarium Commission sees lessons in the pandemic for cybersecurity. Contact-tracing technologies take a step back,maybe a step or two forward. Rob Lee from Dragos comparing the state of ICS security around the world, our guest is Ian Pitt from LogMeIn on lessons learned working remotely during COVID-19. Criminals increase ransomware attacks on hospitals, and swap templates to impersonate government relief agencies.

For links to all of today’s stories check out our CyberWire daily news brief:

https://thecyberwire.com/newsletters/daily-briefing/9/95

The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Bugs, Exploit, Healthcare Attacks, Naikon, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 793547.pngFigure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Bugs in Two Related WordPress Plugins Together Risked Over 1 Million Websites

(published: May 10, 2020)

Two critical-severity WordPress plugin vulnerabilities have been identified by the Wordfence security team which could impact over a million WordPress websites. The two plugins affected are Elementor Pro and Ultimate Addons for Elementor, and the researchers have observed active exploitation of the vulnerabilities. Exploiting the Elementor Pro plugin allows for remote code execution attacks, granting a malicious actor the ability to gain full administrative access to WordPress if the site has open user registration. Websites with the “open user registration” option disabled can be exploited using the Ultimate Addons for Elementor registration bypass vulnerability. Developers behind both plugins have patched the flaws in Elementor Pro version 2.9.4 and Ultimate Addons for Elementor version 1.24.2.Recommendation: Users of these WordPress plugins should ensure they are using Elementor Pro version 2.9.4 and Ultimate Addons for Elementor version 1.24.2 or newer which include fixes to the vulnerabilities. All website owners, especially those using WordPress, should keep their installations and plugins up to date to ensure patches are installed as soon as they are available.Tags: Vulnerabilities, WordPress, Plugin, Registration bypass, Remote code execution

Hacker Group Floods Dark Web with Data Stolen From 11 Companies

(published: May 9, 2020)

The threat group known as Shiny Hunters are selling millions of user records for 11 different companies on an undisclosed dark web marketplace. The databases being sold include a combined total of 164.2 million user records, and have been steadily streamed to the marketplace since the beginning of May 2020. As of the time of this writing, the prices for each database ranges between $500 and $5,000 USD. The first reported database belongs to Tokopedia, an Indonesian online store, with over 90 million user records. The other companies reportedly involved are Bhinneka, ChatBooks, Chronicle Of Higher Education, Ggumim, HomeChef, Mindful, Minted, StarTribune, Styleshare, and Zoosk. The affected companies have been contacted by Bleeping Computer, as the data breaches appear legitimate, despite not being 100% confirmed.Recommendation: Individuals that have accounts with any of the impacted companies are strongly advised to change their login credentials immediately. Additionally, it is important to not reuse passwords for multiple sites and services. If the same credentials are used on any other sites, it is suggested that those accounts also be updated with new, unique passwords.Tags: Data breach, Shiny Hunters, Dark web marketplace

Naikon APT: Cyber Espionage Reloaded

(published: May 7, 2020)

Check Point Research have discovered evidence that the Advanced Persistent Threat (APT) group known as “Naikon” have been persistently targeting national government agencies in the Asia Pacific region since 2015 as part of a cyber-espionage campaign. Naikon APT has been using a new type of Remote Access Trojan (RAT) called “Aria-body” as a backdoor into government networks, targeting ministries of foreign affairs, science, and technology in Australia, Brunei, Indonesia, Myanmar, Philippines, Thailand, and Vietnam. Aria-body infects the network and servers of one target, and then uses the compromised infrastructure to launch new attacks, exploiting the trust between departments and governments to increase the chances of success, according to the Check Point report. Naikon threat actors use several different infection methods to deliver the Aria-body RAT, including malicious emails containing a Rich Text Format (RTF) file weaponized with “RoyalRoad” exploit builder malware, or directly via a legitimate executable file, which serves as a loader. These methods are aimed at personnel within target organizations to be able to use the compromised servers to more effectively infiltrate new agencies. According to reports by Kaspersky, ThreatConnect, and Defense Group Inc. in 2015, Niakon is believed to be Chinese-speaking and associated with China’s People’s Liberation Army (PLA) intelligence operations.Recommendation: This Naikon campaign is highly targeted, therefore, it is likely that actors are impersonating government employees or agencies in spearphishing emails. All employees should be educated on the risk of opening attachments or following links received from unknown or unexpected senders. Anti-spam and antivirus protection should be implemented and kept up-to-date with the latest version to better ensure security.MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment – T1193 | [MITRE ATT&CK] Security Software Discovery – T1063 | [MITRE ATT&CK] System Network Configuration Discovery – T1016Tags: Naikon, APT, China, RAT, Aria-body, RoyalRoad, Malware

Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware

(published: May 6, 2020)

The private hospital operator Fresenius has been compromised by SNAKE Ransomware. Frentius is the largest European private healthcare provider and has been in high demand for its dialysis service and products used to combat the ongoing COVID-19 pandemic. The SNAKE ransomware is written in Golang and appeared in January 2020, it attempts to identify any processes linked to enterprise management tools and industrial control systems (ICS). This ransomware attack comes after a series of ransomware campaigns targeting health care providers who are attempting to resolve the pandemic.Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions (HIDS), but as this news shows, new threats are constantly evolving to bypass these protections. Always keep your important files backed up. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486Tags: Fresenius, SNAKE, Ransomware, COVID-19

Microsoft’s GitHub Account Hacked, Private Repositories Stolen

(published: May 6, 2020)

Threat actors claim to have gained full access to Microsoft’s private GitHub account, and have stolen over 500GB of data in private Microsoft projects. According to files released to Bleeping Computer by Shiny Hunters, the threat actors behind the breach, the event likely occurred March 28th, 2020, and Microsoft has stated that they are aware and investigating the claims behind the leak. Analysts at Bleeping Computer and cyber intelligence firm Under the Breach are of the opinion that the stolen data does not appear to contain sensitive code data for Windows or Office, and is mostly samples, test projects, and other generic items. Under the Breach did tweet concerns that private API keys or passwords could have inadvertently been left in the private repositories, as this has been done by developers in the past.Recommendation: It’s best practice for GitHub and other repository users to not commit personal config files into source control and to use password management tools and multi-factor authentication. While it is currently unknown how Shiny Hunters gained access into Microsoft’s private GitHub account, malicious actors are known to comb the Internet for config files with credentials listed in plain text to gain access to repositories. Avoid committing these files in the future and be sure to discuss best practices with team members.Tags: Microsoft, GitHub, Shiny Hunters

Warning: Citrix ShareFile Flaw Could Let Attackers Steal Corporate Secrets

(published: May 5, 2020)

Three critical vulnerabilities have been identified in Citrix ShareFile customer-managed storage zone controllers. Citrix ShareFile, a file sharing solution for businesses, allows employees to securely access and share proprietary and sensitive business data. According to Citrix, the vulnerabilities (CVE-2020-7473, CVE-2020-8982, CVE-2020-8983) if exploited, would allow an unauthenticated malicious actor access to ShareFile users’ documents and folders. According to Nate Warfield, a Senior Security Program Manager for the Microsoft Security Response Center, a search on Shodan revealed close to 2,800 exposed Citrix ShareFile storage servers. Citrix has released a mitigation tool and updates that include fixes for the three vulnerabilities, which affect ShareFile storage zone Controller 5.9.0, 5.8.0, 5.7.0, 5.5.0, and 5.5.0. Citrix warns that even updated storage zone controllers that were created using vulnerable versions are at risk, and must also run the mitigation tool on primary and secondary storage zone controllers.Recommendation: Threat actors are consistently looking for new ways to conduct malicious activity, therefore, it is crucial that your company has security and patch-maintenance policies in place. The security update should be applied as soon as possible to avoid potential exploitation. Citrix ShareFile customers that manage the zones themselves should ensure they are running a supported version and have run the mitigation tool (available at https://support.citrix.com/article/CTX269341, requires login credentials) if necessary.Tags: CVE-2020-7473, CVE-2020-8982, CVE-2020-8983, Citrix, ShareFile

APT Groups Target Healthcare and Essential Services

(published: May 5, 2020)

The US Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert regarding Advanced Persistent Threat (APT) actors targeting COVID-19 response organizations. The targeted entities include: academia, healthcare, local governments, medical research, and pharmaceutical. The unnamed APT groups are using password spraying attacks, which are automated attacks using a list of passwords. The list of passwords could be a combination of previously compromised credentials or common passwords, among others.Recommendation: It is crucial that your company has password policies in place to avoid repetition across accounts, and mandate a level of password complexity that can resist brute force and password-spray attacks. Educate your employees of the dangers that these styles of attacks impose, and why mitigation must be in place prior to an incident taking place. Threat actors of all levels of sophistication are capable of utilizing brute-force and password-spraying attacks, therefore, it is paramount that all companies take steps to avoid these attacks.Tags: APT, COVID-19, Password spraying

Kaiji: New Chinese Linux Malware Turning to Golang

(published: May 4, 2020)

A new Internet of Things (IoT) botnet called, “Kaiji,” that targets IoT devices and servers with SSH brute-force attacks, according to Intezer researchers. The malware utilizes a custom implant, which was dubbed Kaiji by MalwareMustDie, instead of utilizing some publicly-available ones such as Mirai. Kaiji was built by threat actors in the Golang programming language, which has been increasingly utilized by threat actors. The malware only targets root users while conducting its only method of propagation through SSH brute force, and if Kaiji makes a connection it will launch a bash script to begin the installation process.Recommendation: Botnet malware typically takes advantage of internet-connected devices that have been misconfigured, or do not have security updates applied, however, as Kaiji shows there are Internet of Things (IoT) botnets that conduct brute-force attacks. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. In addition, changing default port configurations can assist in preventing malware that scans for such configuration. Organizations and defenders should be aware of all their internet facing assets and have them under strict monitoring.Tags: Botnet, IoT, Kaiji, SSH brute force

Live Streaming Adult Site Leaves 7 Terabytes of Private Data Exposed

(published: May 4, 2020)

Researchers at SafetyDetectives have identified an exposed database used by the adult streaming website CAM4[.]com which has leaked over seven terabytes of data related to customers. CAM4 is a website used for livestreaming explicit material to adults and researchers were able to find an unsecured ElasticSearch database containing the personally identifiable information (PII) of the website’s customers. The data leaked includes firstname, surname, credit card data, email addresses and sexual orientation. U.S.A, Brazil and Italy were listed as the largest customer base for the platform with 10.88 billion records identified in the leak.Recommendation: Leaks of this sort may cause affected individuals to be at a greater risk of phishing attacks. Actors can use this information to craft custom emails to increase their chances of malicious activity being approved by the recipient. Individuals who have accounts associated with this incident should change their passwords as soon as possible, particularly if passwords for said accounts are the same to other online accounts. Individuals should also regularly monitor their credit reports for suspicious activity or consider an identity theft protection service.MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Exploit Public-Facing Application – T1190Tags: CAM4, Data leak, PII

Hackers Exploit Critical Flaw in Ghost Platform with Cryptojacking Attack

(published: May 4, 2020)

Threat actors over the weekend have been targeting the Ghost publishing platform in resource hijacking campaigns to mine cryptocurrency. Ghost is an open-source platform used for publishing and has over two million customers including Mozilla and DuckDuckGo. Threat actors were leveraging the vulnerabilities registered as “CVE-2020-11651” and “CVE-2020-11652”, which allow for remote code execution capabilities on servers in data centers and in the cloud. The exploit comes from Ghost’s usage of SaltStack, which provides the server management infrastructure of the platform.Recommendation: Cryptocurrency malwares are becoming increasingly common amongst threat actors. As this story portrays, it is important that your company institute policies regarding software in use and proper maintenance. New security updates should be applied as soon as possible because they often fix minor bugs and critical vulnerabilities that delay work-flow or can be exploited by malicious actors. Third-party software vendors must ensure that their software is secure frequently to avoid customers falling victim to cyber threats due to their own vulnerabilities.MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Privilege Escalation – T1068 | [MITRE ATT&CK] Supply Chain Compromise – T1195 | [MITRE ATT&CK] Resource Hijacking – T1496Tags: Ghost, Resource Hijacking, Cryptocurrency mining, CVE-2020-11651, CVE-2020-11652

This section presents an overview of threats related to ransomware activity against municipal institutions, industrial enterprises and critical infrastructure facilities.

cropped-android-chrome-256x256-270x270.p

In the past month, 10 more hospitals have fallen victim to Ryuk attacks in the US

WildPressure APT targets industrial systems in the Middle East. ICS attack tools show increasing commodification. TrickMo works against secure banking. Microsoft warns of RCE vulnerability in the way Windows renders fonts. Click fraud malware found in childrens’ apps sold in Google Play. DarkHotel attacks the World Health Organization. Ransomware hits Parisian hospitals and a British biomedical research firm. More COVID-19 phishbait. Ben Yelin from UMD CHHS on Coronavirus detecting cameras, guest is Allan Liska from Recorded Future on security in the time of Coronavirus.

For links to all of today’s stories check our our CyberWire daily news brief:

https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_24.html

Support our show

Here’s what’s changed in the NCSC’s guidance on mitigating malware and ransomware.

A US gas pipeline operator was infected by malware—your questions answered

Enlarge

Tuesday’s news that a ransomware infection shut down a US pipeline operator for two days has generated no shortage of questions, not to mention a near-endless stream of tweets.

Some observers and arm-chair incident responders consider the event to be extremely serious. That’s because the debilitating malware spread from the unnamed company’s IT network—where email, accounting and other business is conducted—to the company’s operational technology, or OT, network, which automatically monitors and controls critical operations carried out by physical equipment that can create catastrophic accidents when things go wrong.

Others said the reaction to the incident was overblown. They noted that, per the advisory issued on Tuesday, the threat actor never obtained the ability to control or manipulate operations, that the plant never lost control of its operations, and that facility engineers deliberately shut down operations in a controlled manner. This latter group also cited evidence that the infection of the plant’s industrial control systems, or ICS, network appeared to be unintentional on the part of the attackers.

Read 30 remaining paragraphs | Comments

index?i=HMk1rAE9v18:uW4u950oNyE:V_sGLiPB index?i=HMk1rAE9v18:uW4u950oNyE:F7zBnMyn index?d=qj6IDK7rITs index?d=yIl2AUoC8zA

Brazilians Targeted by Resurfaced CamuBot Malware (02/06/2020)The CamuBot malware has reemerged after a year-long hiatus to resume targeted attacks on the Brazilian financial industry. IBM X-Force researchers assessed CamuBot and found that it impersonates a security application that banks ask users to install and uses tactics similar to those in use by cybercriminal gangs. The attack begins when someone from the attacker’s side phones the victim and instructs him or her over the phone to browse to an infection page that hosts the CamuBot Trojan.EKANS Ransomware Discovered Targeting ICS Operations (02/04/2020)Multiple vendors have been analyzing an industrial control systems (ICS) ransomware that emerged in December and can halt various processes related to ICS operations. Dragos, MalwareHunterTeam, and SentinelOne have all assessed the EKANS (also called Snake) ransomware. In its research, Dragos connected EKANS to the MEGACORTEX ransomware and also determined that EKANS terminates the named processes on vic

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about Trend Micro Zero Day Initiative’s $1.5 million in awards and other noteworthy milestones in 2019. Also, learn about a crafty malware that makes you retype your passwords so it can steal them for credit card information and other personal data.

Read on:

Four Reasons Your Cloud Security is Keeping You Up at Night

Organizations are migrating to the cloud for speed, agility, scalability, and cost-efficiency – but they have realized that it demands equally powerful security management. As the cloud continues to attract more businesses, security teams are spending sleepless nights securing the infrastructure. We can reduce the number of security issues affecting cloud infrastructure; however, we must first conquer the possible reasons for security vulnerabilities.

Trend Micro and Baker Hughes Collaborate to Help Deliver Protection for Critical Infrastructure

Trend Micro announced this week that it will collaborate with Baker Hughes’ Nexus Controls operational technology (OT) security experts through a strategic framework agreement, signed in late 2019. Together the companies aim to provide comprehensive, industry leading guidance and support for enterprises running critical OT environments.

Malicious Optimizer and Utility Android Apps on Google Play Communicate with Trojans that Install Malware, Perform Mobile Ad Fraud

Trend Micro recently discovered several malicious optimizer, booster and utility apps (detected as AndroidOS_BadBooster.HRX) on Google Play. The apps can access remote ad configuration servers that can be used for malicious purposes, perform mobile ad fraud, and download as many as 3,000 malware variants or malicious payloads on affected devices.

Zero Day Initiative Bug Hunters Rake in $1.5M in 2019

Zero Day Initiative, a division of Trend Micro, awarded more than $1.5 million in cash and prizes to bug-hunters throughout 2019, resulting in 1,035 security vulnerability advisories for the year. Most of those advisories (88 percent) were published in conjunction with a patch from the vendor.

ICS in VUCA: Insights from the World‘s Biggest ICS Security Event – S4

Many sessions at this year’s S4 discussed strengthening leadership. The environment surrounding the ICS community is filled with volatility, uncertainty, complexity and ambiguity (VUCA), and it requires strong leadership to drive changes. In this blog, read about the key takeaways coming out of the world’s leading ICS security event, S4.

This Crafty Malware Makes You Retype Your Passwords So It Can Steal Them

A trojan malware campaign is targeting online banking users around the world with the aim of stealing credit card information, finances and other personal details. Detailed by researchers at Fortinet, the Metamorfo banking trojan has targeted users of over 20 online banks in countries around the world including the US, Canada, Peru, Chile, Spain, Brazil, Ecuador and Mexico.

SORA and UNSTABLE: 2 Mirai Variants Target Video Surveillance Storage Systems

Trend Micro researchers encountered two variants of the notorious internet of things (IoT) malware, Mirai, employing a new propagation method. The two variants, namely SORA (detected as IoT.Linux.MIRAI.DLEU) and UNSTABLE (detected as IoT.Linux.MIRAI.DLEV), gain entry through Rasilient PixelStor5000 video surveillance storage systems by exploiting CVE-2020-6756.

Vulnerability in WhatsApp Desktop Exposed User Files

Facebook has patched a vulnerability in WhatsApp Desktop that could allow an attacker to launch cross-site scripting (XSS) attacks and access files from the victim’s system when paired with WhatsApp for iPhone. The vulnerability was discovered by PerimeterX security researcher Gal Weizman, who found he could bypass WhatsApp’s CSP to execute code on a target system using maliciously crafted messages.

Ryuk Ransomware Infects US Government Contractor

The internal system of U.S. government contractor Electronic Warfare Associates (EWA) was infected with Ryuk ransomware last week, ZDNet reported. EWA is a contractor that supplies electronic equipment and services to the Department of Defense (DOD), the Department of Homeland Security (DHS), and the Department of Justice (DOJ).

New Lemon Duck Malware Campaign Targets IoT, Large Manufacturers

Printers, smart TVs and automated guided vehicles that depend on Windows 7 have become the latest targets for cybercriminals leveraging a “self-spreading” variant of the malware Lemon Duck. In a report released Wednesday by TrapX Security, researchers warn manufacturers dependent on IoT devices are targets in a new global campaign leveraging the malware variant.

New Extortion Campaign Threatens Victims of the 2015 Ashley Madison Breach

A new extortion campaign is targeting victims of the Ashley Madison data breach that happened five years ago, Vade Secure reports. Avid Life Media — the company behind the site — was hacked in 2015 by a group known as Impact Team. The actors behind this new campaign tell victims that they will publicize proof of their profile as well as other “embarrassing” activities and demand bitcoins as payment. 

Emotet Uses Coronavirus Scare in Latest Campaign, Targets Japan

Threat actors behind the Emotet malware used the novel coronavirus (2019-nCoV) scare as a hook for their spam email campaign against targets in Japan. IBM X-Force reported that the coronavirus spam emails were disguised as official notifications sent by a disability welfare provider and public health centers. The email content warns recipients about the rapid spread of the virus and instructs them to download an attached notice that allegedly contains preventive measures.

Researchers Use Smart Light Bulbs to Infiltrate Networks

Researchers successfully infiltrated networks through a vulnerability in Philips Hue light bulbs. The CVE-2020-6007 vulnerability, which involves the Zigbee communication protocol, can be abused to remotely install malicious firmware in smart light bulbs and spread malware to other internet-of-things (IoT) devices.

What was your biggest takeaway from the S4 ICS security conference this year? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: ZDI Bug Hunters Rake in $1.5M in 2019 and Metamorfo Trojan Malware Campaign Targets Online Banking Users appeared first on .

Researchers simulated a real-looking “Industrial prototyping” organization with fake employees, PLCs, and websites to study the types of cyber-attacks that commonly on such networks. The elaborately fake organization’s website and the network worked on a highly advanced interactive “honeypot” network that worked extensively on attracting the attention of potential hackers.The plan was to create such a legitimate-looking network that no one could even doubt it’s being phony and to accumulate serious information related to cyber-threats and attacks to study and analyze them. Behind researching these threats and attack mechanisms the motive was to dig out the threats that the “Industrial control system” (ICS) sector faces today. Per sources, the sham company specifically let some ports of its network be susceptible to attack and Voila! It got hit with the most cliché of attacks that any IT network faces, including, Ransomware, Malware, Remote Access Trojans (RAT), Crypto-jacking, Online fraud and the “botnet-sty

AWS and Google Cloud are back up after early week unrelated outages. A German automation tool manufacturer discloses a ransomware infestation. Mobile malware in the spies’ toolkit. The FBI’s Protected Voices share election secuirty informaiton. Notes from SecurityWeek’s 2019 ICS Cyber Security Conference. NCSC’s annual report. And people have things to say about backdoors, bribes, and those aliens at Area 51. (Chemtrails, too.) Craig Williams from Cisco Talos with an update on Emotet. Guest is Dave Weinstein from Claroty discussing threats to critical infrastructure.

For links to all of today’s stories check our our CyberWire daily news brief:

https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_24.html 

Support our show

Phishers are impersonating engineering license boards to target U.S. utility organizations with LookBack malware.

Between July 19–25, Proofpoint discovered the LookBack campaign when it came across some spear phishing emails purporting to be from the National Council of Examiners for Engineering and Surveying (NCEES). Each of these emails abused the NCEES logo, spoofed the sender address and reply-to fields, and included both member ID numbers and the signature block of a nonexistent NCEES employee.

Supported by these falsified details, the emails used the pretense of a failed examination to trick employees at U.S. utility organizations into opening a Microsoft Word document named Result Notice.doc. This document leveraged VBA macros to install LookBack malware.

Written in C++, the sample of LookBack analyzed by Proofpoint used a proxy communication tool to send data from the infected host to its command-and-control (C&C) server. This malware enabled digital attackers to delete files, execute commands, take screenshots and assume control of the device’s cursor. It also enabled threat actors to view system, process and file data, a capability they could have used to conduct reconnaissance of a targeted utility.

The Rise of ICS Threats

LookBack comes amid a steady rise of threats targeting organizations’ industrial control systems (ICSs). In October 2018, for instance, the critical water utility ONWASA suffered a ransomware attack that limited the functionality of its computer systems. Just a few months later, WIRED reported that researchers had observed a threat actor called XENOTIME probing the networks of at least 20 U.S. electric system targets. This arrived shortly before FireEye unearthed a phishing campaign that targeted organizations in the energy and utilities, government, and oil and gas sectors.

How to Defend Against LookBack Malware

Organizations can strengthen their defenses against malware like LookBack by integrating phishing intelligence with their security information and event management (SIEM) systems to visualize the entire hierarchy of an attack. Companies should also take a layered approach to email security by embracing SIEM, mail scanning tools, perimeter protection solutions and other utilities.

The post Phishers Impersonate Engineering License Boards to Target Utilities With LookBack Malware appeared first on Security Intelligence.

On August 1, security researchers at Proofpoint reported the details of a spearphishing campaign targeting three different United States utility companies using a malware called “LookBack.” The spearphishing emails, sent between July 19 and July 25, contained a malicious Microsoft Word attachment that installed a Remote Access Trojan (RAT) capable of performing activities like deleting files, taking screenshots, rebooting machines, and then deleting itself from an infected network.

While Prooftpoint was able to confirm the presence of LookBack malware at three companies, it is likely that the malware has infected other organizations as well. The emails used in the spearphishing campaign falsely appeared to be from the National Council of Examiners for Engineering and Surveying (NCEES), an American nonprofit organization that handles professional licensing for engineers and surveyors. Even fraudulently using the NCEES logo, the emails included Word documents embedded with malicious micros that, once opened, installed and ran the never-before-seen RAT.

Researchers told Threatpost that the emails were blocked before they could infect the unnamed utility companies.

How LookBack Works

According to the report by Proofpoint, LookBack is a RAT that relies on a proxy communication tool to relay data from the infected host to a command-and-control server (C2). The malware can view process, system and file data; delete files; take screenshots; move and click the infected system’s mouse; reboot machines; and delete itself from an infected host.

Researchers said that the LookBack spearphishing campaign used tactics once used by known APT adversaries targeting Japanese corporations in 2018 – which highlights the rapidly evolving nature of malware and its use by nation-state actors.

The Microsoft Word document attached to the phishing emails contains a VBA macro that drops three different Privacy Enhanced Mail (PEM) files when executed. Certutil.exe is then dropped to decode PEM files, which are later restored to their true extensions using essentuti.exe. The files then impersonate the name of an open-source binary used by common tools like Notepad++, which contains the C2 configuration. Finally, the macro runs GUP.exe and libcurl.dll to execute the LookBack malware. Once executed, LookBack can send and receive numerous commands, such as Find files, Read files, Delete files, Write to files, Start services, and more.

Has Your Organization Been Exposed to LookBack? Here’s How to Detect It.

Due to the nature of the threat, it’s important to have multiple controls in place to detect the activities related. This includes continuous security awareness training for employees and personnel to help them better identify fake and malicious emails. But beyond SPAM filters and firewalls, Nozomi Networks Labs recommends the use of both anomaly detection technologies to identify unusual behavior, and the use of traditional threat detection capabilities to provide additional context around suspicious actors related to known threats.

Within 24 hours of the announcement of this attack, the Nozomi Networks Labs team added new rules and signatures to the OT ThreatFeed to help detect LookBack in your environment. This means that alerts will now be triggered for suspicious activity related to the known threat, LookBack, so that you can detect and remediate quickly. For customers using OT ThreatFeed, please make sure that your systems are running the latest version (from August 2, 2019) to enable these new rules.

With cyberthreats against utilities continuing to rise, LookBack is just another reminder that there’s still much work to be done as utility companies continue to strengthen their cyber security.

REGISTER FOR THE WEBINAR
How to Detect LookBack Malware

Tuesday, August 16th, 2019
9:00 AM PDT

REGISTER NOW

Related Links

Proofpoint Blog: LookBack Malware Targets the United States Utilities Sector with Phishing Attacks
SecurityWeek Article: New LookBack Malware Used in Attacks Against U.S. Utilities Sector
Threatpost Article: Nation-State APTs Target U.S. Utilities With Dangerous Malware
Blog: IEC 62351 Standards for Securing Power System Communications
Blog: Advancing IEC Standards for Power Grid Cyber Security
Webpage: Real-time Visibility and Cyber Security for Electric Utilities
Webpage: Mitigating ICS Cyber Incidents
Webpage: Nozomi Network Labs
Webpage: OT ThreatFeed

The post What You Need to Know About LookBack Malware & How to Detect It appeared first on Nozomi Networks.

In malware analysis, extracting the configuration is an important step. Malware configuration contains various types of information which provides a lot of clues in incident handling, for example communication details with other hosts and techniques to perpetuates itself. This time, we will introduce a plugin “MalConfScan with Cuckoo” that automatically extracts malware configuration using MalConfScan (See the previous article) and Cuckoo Sandbox (hereafter “Cuckoo”).
This plugin is available on GitHub. Feel free to download from the webpage below:

   JPCERTCC/MalConfScan – GitHub
   https://github.com/JPCERTCC/MalConfScan-with-Cuckoo

About MalConfScan with Cuckoo

“MalConfScan with Cuckoo” is a plugin for Cuckoo, which is an open source sandbox system for dynamic malware analysis. By adding this plugin to Cuckoo, MalConfScan runs on Cuckoo, enabling automatic extraction of malware configuration . Figure 1 shows Cuckoo’s behaviour where “MalConfScan with Cuckoo” is installed.

Figure 1:Behaviour of MalConfScan with CuckooFigure 1:Behaviour of “MalConfScan with Cuckoo”

“MalConfScan with Cuckoo” runs malware on the host machine to extract configuration. When malware is registered on Cuckoo and executed on the host machine, a memory image will be dumped, from which MalConfScan extracts configuration of known malware. Extracted configuration will then be shown in a report. Please see the previous article or the following page for the list of malware that this tool supports.

   JPCERTCC/MalConfScan – GitHub
   https://github.com/JPCERTCC/MalConfScan/

Instruction and report example

First, upload malware on Cuckoo that has “MalConfScan with Cuckoo” installed by using Web GUI or commands. An official document from Cuckoo [1] provides details about the upload procedures. When the upload and analysis is completed, a report will be provided as in Figure 2.

Figure 2:Report of MalConfScan with CuckooFigure 2:Report of “MalConfScan with Cuckoo”

Figure 2 shows the configuration of malware Himawari, a variant of RedLeaves which is used in targeted attacks. It is a kind of bot, and the configuration contains C&C server, destination port, protocol, encryption key etc. In this way, “MalConfScan with Cuckoo” can easily extract configuration for known malware.
Additionally, the results can also be obtained in JSON format. report.json records the following data:

“malconfscan”: {
“data”: [
{
“malconf”: [
[
{“Server1”: “diamond.ninth.biz”},
{“Server2”: “diamond.ninth.biz”},
{“Server3”: “diamond.ninth.biz”},
{“Server4”: “diamond.ninth.biz”},
{“Port”: “443”},
{“Mode”: “TCP and HTTP”},
{“ID”: “2017-11-28-MACRO”},
{“Mutex”: “Q34894iq”},
{“Key”: “usotsuki”},
{“UserAgent”: “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)”},
{“Proxy server”: “”},
{“Proxy username”: “”},
{“Proxy password”: “”}
] ],
“vad_base_addr”: “0x04521984”,
“process_name”: “iexplore.exe”,
“process_id”: “2248”,
“malware_name”: “Himawari”,
“size”: “0x00815104”
}
],
},

How to install

The following steps are required before installing “MalConfScan with Cuckoo”:

Install MalConfScan
Apply patches for Cuckoo
Change configuration of Cuckoo

For more information about how to install the tool, please see our wiki on the GitHub:

   MalConfScan-with-Cuckoo Wiki – GitHub
   https://github.com/JPCERTCC/MalConfScan-with-Cuckoo/wiki

Ubuntu 18.04
Python 2.7.16
Cuckoo 2.0.6
Volatility 2.6

A blog article by @soji256 explains procedures to install “MalConfScan with Cuckoo”, which can be a good reference.

   Installing the MalConfScan with Cuckoo to Analyze Emotet – Medium
   https://medium.com/@soji256/build-a-malconfscan-with-cuckoo-environment-to-analyze-emotet-ff0c4c589afe

In closing

This plugin enables extracting configuration of known malware from sandbox. Even in case where malware has anti-VM or anti-sandbox function, we can still extract the configuration by spoofing some environmental information.
We will present the details of “MalConfScan” and “MalConfScan with Cuckoo” at the coming Black Hat USA 2019 Arsenal [3]. Feel free to stop by if you are attending Blackhat USA 2019, and we look forward to having active discussion and feedback from analysts.

Tomoaki Tani(Translated by Yukako Uchida)

[1] Cuckoo Docs – Submit an Analysis https://cuckoo.sh/docs/usage/submit.html

[2] “Abnormal Encryption of Himawari” – Japan Security Analyst Conference [Japanese] https://www.jpcert.or.jp/present/2018/JSAC2018_01_nakatsuru.pdf

[3] MalConfScan with Cuckoo: Automatic Malware Configuration Data Extraction and Memory Forensic – Black Hat USA 2019 https://www.blackhat.com/us-19/arsenal/schedule/index.html#malconfscan-with-cuckoo-automatic-malware-configuration-data-extraction-and-memory-forensic-16914