
NCSC Unveils “Pigmy Goat” Malware Targeting Sophos Firewalls in Advanced Chinese Cyberattack

The National Cyber Security Centre (NCSC) recently disclosed a Linux malware, “Pigmy Goat,” designed specifically to compromise Sophos XG firewall devices. Allegedly developed by Chinese cyber actors, the malware represents a notable step forward in network-device intrusion tooling because of its complexity and evasion methods.

The disclosure follows Sophos’ recent “Pacific Rim” reports, which detail a five-year campaign in which Chinese threat actors targeted network devices at an unprecedented scale. Among the identified tools, “Pigmy Goat” stands out as a rootkit crafted to resemble legitimate Sophos product files, which makes it hard to spot: by hiding behind commonly named system files it evades basic detection checks. “Pigmy Goat” gives threat actors persistent, unauthorized access to the target’s network. Using the LD_PRELOAD environment variable, it injects itself into the SSH daemon (sshd), which lets it intercept and alter incoming connections.

The malware seeks specific sequences called “magic bytes” to identify backdoor sessions, which it redirects through a Unix socket, thereby concealing its presence from standard security monitoring. Once a connection is established, it communicates with command and control (C2) servers over TLS. The malware cleverly mimics Fortinet’s FortiGate certificate, blending into networks where Fortinet devices are prevalent, to avoid suspicion. This backdoor offers threat actors multiple capabilities to monitor, control, and manipulate the network environment. Through commands from the C2, attackers can remotely open shell access, track network activity, adjust scheduled tasks, or even set up a SOCKS5 proxy, which helps them remain undetected while maintaining control over the network. These actions could allow unauthorized data access or further exploitation, posing significant threats to organizational cybersecurity. 

The NCSC report aligns “Pigmy Goat” with tactics used in “Castletap” malware, which cybersecurity firm Mandiant has linked to Chinese nation-state actors. The report’s insights reinforce concerns over the evolving sophistication in state-sponsored cyber tools aimed at infiltrating critical network infrastructure worldwide. Detection and prevention of “Pigmy Goat” are crucial to mitigating its impact. The NCSC report provides tools for identifying infection, including file hashes, YARA rules, and Snort rules, which can detect specific sequences and fake SSH handshakes associated with the malware. 

Additionally, monitoring for unusual files and behaviours, such as encrypted payloads in ICMP packets or the use of ‘LD_PRELOAD’ within the sshd process, can be effective. These insights empower network defenders to recognize early signs of compromise and respond swiftly, reinforcing defences against this sophisticated threat.
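The LD_PRELOAD check described above, as an added example that is not part of the NCSC report or the original post: it reads the environment of every running sshd process from /proc and parses /etc/ld.so.preload, reporting any preloaded shared objects. The library path in the sample data is constructed for illustration, not a real indicator.

```python
import os
import re

# Constructed sample of a NUL-separated /proc/<pid>/environ blob (not a real IoC).
SAMPLE_ENVIRON = b"PATH=/usr/sbin:/usr/bin\x00LD_PRELOAD=/lib/libexample.so\x00LANG=C\x00"
# Constructed sample of /etc/ld.so.preload content.
SAMPLE_LD_SO_PRELOAD = "# system preload\n/lib/libexample.so\n"


def ld_preload_from_environ(environ: bytes) -> list:
    """Return the libraries named in LD_PRELOAD inside a NUL-separated environ blob."""
    for entry in environ.split(b"\x00"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            # The dynamic loader accepts spaces or colons as separators.
            return [p for p in re.split(r"[ :]+", value) if p]
    return []


def ld_so_preload_entries(content: str) -> list:
    """Parse /etc/ld.so.preload text; blank lines and '#' comments are ignored."""
    return [ln.strip() for ln in content.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def scan_sshd(proc="/proc", preload_file="/etc/ld.so.preload") -> dict:
    """Walk /proc for sshd processes and report any preloaded libraries found."""
    findings = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc}/{pid}/comm") as f:
                if f.read().strip() != "sshd":
                    continue
            with open(f"{proc}/{pid}/environ", "rb") as f:
                libs = ld_preload_from_environ(f.read())
        except OSError:
            continue  # process exited, or environ not readable without root
        if libs:
            findings[int(pid)] = libs
    if os.path.exists(preload_file):
        with open(preload_file) as f:
            entries = ld_so_preload_entries(f.read())
        if entries:
            findings["ld.so.preload"] = entries
    return findings


if __name__ == "__main__":
    print(ld_preload_from_environ(SAMPLE_ENVIRON))
    print(scan_sshd() or "no preloaded libraries found in sshd")
```

Reading another user's /proc/<pid>/environ requires root, so run the scan as a privileged job and treat any non-empty result on a firewall appliance as worth investigating.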

Introducing Stealc, a New Infostealer

Stealc, a new data stealer that has emerged on the dark web, is gaining popularity largely due to heavy marketing of its theft capabilities and its resemblance to related malware families such as Vidar, Raccoon, Mars, and Redline.

Researchers at SEKOIA.IO came across Stealc, a brand-new information stealer, in January 2023 while it was being advertised on dark web forums. The stealer was created by a threat actor going by the handle Plymouth, who claims it supports a broad range of stealing capabilities.

Plymouth promoted Stealc on hacker forums as malware with strong data-stealing abilities and a simple administration interface, released multiple iterations of it, and shared changelogs on various message boards and a dedicated Telegram channel.

In February, analysts discovered several Stealc samples in the wild; these samples resembled Raccoon and Vidar. SEKOIA found more than 40 Stealc C2 servers, indicating the malware's growing use among cybercriminals that distribute stealers. This popularity may be explained by the fact that any user with access to the administration panel can generate fresh stealer samples, which raises the likelihood that the malware will spread to more victims.

Stealc's functionality

Stealc is capable of stealing private information from widely used web browsers, desktop cryptocurrency wallets, browser extensions for cryptocurrency wallets, and other software including email and instant messaging clients. In contrast to existing stealers, Stealc implements a configurable data-collection setup and supports a configurable file grabber.

Stealc gathers information from the victim's browser, extensions, and applications. If grabber rules are enabled, it also collects files that match those rules. After the data has been sent to the C2, the malware deletes both itself and the DLL files it downloaded from the infected system.

The attackers spread the malware via YouTube videos. The videos offer instructions on how to set up cracked software, together with links to a download site that is used to deceive victims into downloading malware-laden software. SEKOIA published indicators of compromise (IoCs) for this threat, along with YARA and Suricata rules.

Data Theft Feature Added by Russian Nodaria APT

The Nodaria espionage group, also known as UAC-0056, is using an updated piece of information-stealing malware against targets in Ukraine. The malware, written in Go, is designed to gather a variety of data from the infected computer, including screenshots, files, system information, and login credentials.

The two-stage threat, known as Graphiron, consists of a downloader and a payload. The downloader has the addresses of its command-and-control (C&C) servers hardcoded. When executed, it enumerates running processes and compares them against a blocklist of malware analysis tools.

If no blocklisted processes are found, the downloader connects to a C&C server, downloads the payload, decrypts it, and adds it to autorun. The downloader is set up to run only once: if it fails to download and run the payload, it neither retries nor signals back.

Graphiron shares several characteristics with earlier Nodaria tools such as GraphSteel and GrimPlant. Its features let it execute shell commands and gather system data, files, login credentials, screenshots, and SSH keys. It communicates with the C2 server over port 443, and all communications are encrypted using an AES cipher.

Nodaria has carried out attacks against Georgia and Kyrgyzstan since at least March 2021. The group's known tools include WhisperGate, Elephant Dropper and Downloader, SaintBot downloader, OutSteel information stealer, GrimPlant, and GraphSteel information stealer.

Installing Software via Google Poses Concerns

According to researchers and a sample of search queries, browsing Google for downloads of well-known software has always carried certain dangers, but in recent months it has become downright risky.
On Thursday, volunteers at Spamhaus stated that threat researchers had grown accustomed to seeing a steady volume of malicious advertising delivered through Google Ads.

Multiple malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader, are responsible for the rise. In the past, these groups frequently relied on spam attachments carrying malicious Microsoft Word documents with booby-trapped macros. Over the past month, Google Ads has become the preferred channel for criminals to distribute their malware, which poses as a legitimate download by mimicking well-known products including Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, and Thunderbird.

This week, researchers from the security firm Saiflow discovered two flaws in older versions of the Open Charge Point Protocol (OCPP), an open protocol used to communicate between electric vehicle chargers and their management software at many charging stations. By exploiting weak OCPP instances, an attacker might take control of a charger, disable groups of chargers, or steal electricity from a charger for their own use. Saiflow says it is collaborating with EV charger manufacturers to reduce the risks posed by the vulnerabilities.

Hegel from SentinelOne provides one case: Real C2 traffic is masked by Formbook and XLoader's HTTP requests to several sites that are randomly chosen from an embedded list and sent with encoded and encrypted content. The rest of the domains are merely decoys; only one is the actual C2 server. A sample that we examined sent HTTP GET and/or POST requests to the 17 domains (16 endpoints) specified in the IOC table below while encoding and encrypting the HTTP data. The implementation of this technique in particular by XLoader is covered at length in prior research.

Earlier studies also document the strategy of disguising the genuine C2 domain by beaconing to many domains. The malware sends beacons to websites with both valid and unregistered domains. The accompanying figure, a snapshot of some of the domains the malware contacts, shows the wide range of domain ages, hosting companies, and registration dates.

The use of decoy domains or other obfuscation techniques to hide the real control servers used in the pervasive MalVirt and other malvertising campaigns continues to be effective unless Google develops new protections. MalVirt also spreads malware that is difficult to detect.


To Avoid Detection, Vidar Stealth Operators Use SM Platforms

Several days ago, the commercially available off-the-shelf malware BitRat was observed using a newly discovered distribution method. Now, a new information-stealing malware called Vidar Stealer has been found using popular social media platforms as an intermediary to pass the attacker's infrastructure details to infected hosts.

Using Social Media Platforms as a Means of Hiding 

Researchers from AhnLab have found that Vidar Stealer operators constantly create throwaway accounts on popular social media platforms such as TikTok, Telegram, Steam, and Mastodon.
  • The attackers create their own profiles on these platforms and place identifying markers, along with their C2 address, in the profile text.
  • Because the traffic goes to legitimate, widely used platforms, it is very difficult to identify and block with simple security controls.
  • If the C2 server becomes unavailable or is blocked, the attackers can create a new account or edit the existing profile page to point at a newly set-up server, and previously distributed malware picks up the new address from the page.
An In-Depth Look  

The experts examined an attacker-controlled account on the Ultimate Guitar platform and described how the malware operates.
  • On an infected system, the malware decrypts its strings at runtime, passing junk values as arguments to string-manipulation routines to hinder analysis.
  • The malware checks the computer name and username to determine whether it is running in a Windows Defender emulator. If it is, the malware stops executing.
  • Next, the malware connects to the threat actor's account page, whose URL is hard-coded inside the binary, to retrieve the C2 address, which it then uses to download further components.
  • This variant collects data and compresses it into a ZIP file, then Base64-encodes it before transmitting it to the C2 server using a newer encryption scheme.
Compared to Previous Strategies 

Vidar Stealer is a malware family first identified in 2018. According to researchers, it uses various delivery mechanisms to spread, including phishing emails and cracked software.
  • Earlier variants collected data and sent it as compressed files containing plaintext data.
  • Recent campaigns have used a variety of distribution methods, including malicious Google Ads and a malware loader called Bumblebee, which automates malware distribution.
  • Experts also observed another piece of malware installed on a computer after the victim clicked an ad in a Google search result for the GIMP open-source image editor; the ad led to a typo-squatted domain that served the malware.
As a result, malware like Vidar Stealer, which uses platforms like Google Chrome and Microsoft Exchange as the intermediate C2, has a longer lifespan. In the opinion of experts, this malware is just one of many that constantly update their delivery methods, probably as a consequence of Microsoft's decision to block macros by default in Office files to prevent automated attacks.

Due to this, it is expected that malware will follow this path more often in the future.