Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label DLL. Show all posts
Malwares
Cyber Attacks Cyber Threat Intelligence DLL E-commerce Websites Compromised Malicious Software Malware Attack Malwares

LegionLoader Malware Resurfaces with Evasive Infection Tactics

 

Researchers at TEHTRIS Threat Intelligence have uncovered a new wave of LegionLoader, a malware downloader also known as Satacom, CurlyGate, and RobotDropper. This sophisticated threat has been rapidly gaining momentum, with over 2,000 samples identified in recent weeks. 

According to TEHTRIS, the ongoing campaign began on December 19, 2024, and has since spread globally, with Brazil emerging as the most affected country, accounting for around 10% of reported cases. LegionLoader primarily infects systems through drive-by downloads, where users unknowingly download malicious software from compromised websites. 

Cybercriminals behind this campaign frequently leverage illegal download platforms and unsecured web pages, which are quickly taken down after redirecting victims to Mega cloud storage links containing a single ZIP file. These ZIP archives house a 7-Zip password-protected file, making it difficult for security tools to scan the contents. 

To further deceive users, a separate image file displays the password required for extraction, enticing them to execute the malware. Once extracted, LegionLoader is deployed as an MSI (Microsoft Installer) file, requiring user interaction to execute. TEHTRIS researchers found that antivirus detection rates for these MSI files range between 3 and 9 out of 60, indicating the malware’s ability to evade traditional security measures. 

The MSI file also includes two key anti-sandbox mechanisms: a fake CAPTCHA prompt to prevent automated analysis and a virtual environment detection feature using Advanced Installer. These obstacles make it challenging for security researchers to analyze the malware in controlled environments. Upon execution, LegionLoader extracts multiple files into the system’s %APPDATA% directory, including clean DLLs, executables, and a password-protected archive containing the primary payload. 

The malware then uses UnRar.exe to extract a DLL file, which is sideloaded using obsffmpegmux.exe to execute the next stage of the attack. Notably, the obs.dll payload is crafted to evade detection by security tools. TEHTRIS analysis found that most of its exports are empty, while the few containing code appear intentionally misleading, likely to slow down forensic investigation. 

Further examination using BinDiff revealed that while different obs.dll samples were structurally identical, variations existed in their second-stage payloads. During dynamic analysis, researchers observed shellcode decryption, leading to the execution of another malicious component. This secondary stage communicates with hardcoded command-and-control (C2) servers, though all identified C2 domains were inactive at the time of analysis, preventing further insights into the malware’s final objective. 

If all infection stages are completed, LegionLoader attempts to execute a final payload using rundll32.exe. The malware downloads an additional file, places it in a randomly named directory under %TMP%, and launches it as svchost.exe. Given the use of rundll32.exe, researchers suspect the final payload is another malicious DLL, though its specific function remains unknown.

To protect against LegionLoader, security experts advise avoiding software downloads from unverified sources and implementing behavior-based detection strategies. These proactive measures can help mitigate the risks posed by evolving malware threats.
Read more »
WordDrone
DLL malware Microsoft Word Supply Chain Attack Taiwan WordDrone

New Malware 'WordDrone' Targets Taiwan's Drone Industry

 



Reported by: Acronis (TRU) just published a comprehensive investigation that reveals a highly sophisticated malware operation targeting Taiwan's growing drone industry. Dubbed "WordDrone," the malware deploys a version of Microsoft Word from the 1990s to install a persistent backdoor-the kind of threat that puts the security of companies in Taiwan's growing drone industry in real jeopardy. At this stage, one suspects that strategic military and technological positions of Taiwan provide the rationale behind this breach designed to extract critical information. It is during times when investments by the government in drone technology are accelerating.


How WordDrone Operates

A new malware uses the side-loading technique by which it involves a vulnerable version of Microsoft Word 2010. Using a compromised version of Word, attackers loaded three files on the target system: a legitimate copy of the Microsoft Word application, known as winword, a malicious DLL file named wwlib.dll, and an encrypted additional file with a random name.

Then, an unconscious download of the malicious DLL by running the benign Microsoft Word file becomes a delivery method to decrypt and run the real payload of malware. This technique is the exploitation of the weakness within how older versions of Microsoft Word treat DLL files: the malicious DLL can actually masquerade as part of Microsoft Office. Such an approach will make WordDrone virtually impossible for any traditional security tool to detect and block since the files that are infected look legitimate to most detection systems.


Detection Evasion Advanced Tactics

Moreover, many of the malicious DLL files are digitally signed using highly recently expired certificates. This kind of approach, a disguise for legitimacy, many security systems employ to verify software, makes detection much more difficult. This strategy gives WordDrone an advantage bypassing defences based on trusting signed binaries, which makes it rather difficult to detect.

After running it, the threat performs a stage of well-crafted operations. The payload begins with a shellcode stub that unpacks and injects an "install.dll" component creating persistence on the affected system. The install.dll file allows malware to be present even after reboots by various techniques: it can install malware as a background service, schedule it as a recurring task, or inject the next phase of malware execution, and does not need permanent installation.


Persistence and Defense Evasion Techniques

It applies advanced techniques in a way that it stays non-observable and keeps running. Its techniques begin with NTDLL unhooking, which disables the setting of security hooks by monitoring software and re-loads a fresh instance of the NTDLL library so that security tools cannot intervene with that. In addition to that, it keeps the EDR quiet. This scan for active security processes sets up blocking rules within Windows Firewall to dampen the functions of identified security tools, effectively disabling detection capabilities that may raise defences against its presence.


Command-and-Control (C2) Communication for Remote Control

Another advanced feature about WordDrone is the ability to communicate with a C2 server, meaning the attackers can control the malware even after it is installed. The communication schedule is hardcoded within the malware by implementing a bit array that states some active hours in a week. The malware requests from the C2 server additional details or more malicious files during active hours based on such a routine.

WordDrone can function over several communication protocols including TCP, TLS, HTTP, HTTPS, and WebSocket, which all make identification and analysis much more difficult of the malware's network activities. Its use of a custom binary format for its communication makes it even more challenging to intercept or to interpret its network traffic for cybersecurity teams.


Possible Supply Chain Attack and Initial Infection Vector

The entry point of the WordDrone malware is not clear. Initial analysis, however, showed malicious files under a well-known Taiwanese ERP software's folder. That makes it likely that the attackers have also compromised the ERP software as part of a supply chain attack, possibly exposing other organisations that make use of the software in different marketplaces.

The attack by WordDrone on the Taiwanese drone industry is an example of vulnerabilities that sectors of strategic importance have to face. Ongoing vigilance from cybersecurity experts gives caution, as defence and technology-related organisations try to win the technological battle with such persistent threats.


Read more »
ZOO
Bumblebee Malware Cyberattacks Cybersecurity DLL Google Malicious program malware ZOO

Google Delivers Bumblebee Malware

 


A malware campaign has recently been detected that uses Google ads and SEO poisoning to spread malware. The malware that attacks corporate users is dubbed Bumblebee. It was discovered that Bumblebee, a malware targeted at enterprise users, is distributed via marketing channels like Google Adwords and SEO poisoning that promote popular software applications such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. BazarLoader's backdoor is intended to be replaced by this malware. 

A tool called BazarLoader assists users in connecting to networks and gaining access to them. Several leading security organizations have stated that it is often the cause of ransomware attacks. 

It is a constant challenge to stay ahead of the new threats that emerge in cybersecurity regularly. BumbleBee malware is used by ransomware gangs as a tool to gain initial access to networks and carry out attacks. An attempt was made by the Conti team to replace the BazarLoader backdoor with this malware, which was discovered in April 2022, but the backdoor has since been removed. 

There was a recent discovery of a dangerous version of BumbleBee malware. As part of the attack chain, PowerSploit was used to inject reflective DLLs into memory, which was a sneaky and dangerous technique. By doing this, existing antivirus products are not able to detect malware when it is loaded into memory, which makes detection and prevention harder, resulting in malware being able to stay undetected.

A malicious program often comes packaged as an ISO file, which contains a DLL that has a custom loader inside it, bundled inside an ISO file. The malware was dubbed BUMBLEBEE due to its proprietary user agent "Bumblebee," resulting in its unique name. BumbleBee was observed fetching Cobalt Strike Payloads at the time of analysis by Google's Threat Analysis Group (TAG). 

In an ongoing campaign found by Secureworks, researchers there have discovered trojanized versions of popular apps that are being distributed through Google ads to unsuspecting victims who are being infected with the BumbleBee malicious software. These advertisements advertise Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Using bogus downloads pages, they prompt users to download a Trojanized version of the software after redirecting them to a bogus download page on the internet. 

Google Ads Distribute Malware

In addition, the researchers discovered that a Google advertisement campaign would be used for an upcoming campaign. It has become common practice to use Trojanized versions of popular apps to promote malware loaders to unsuspecting victims through these advertisements. This campaign consisted of a Google advertisement promoting a fake Cisco AnyConnect Secure Mobility Client download page that was marketed by a Google advertisement. 

The page was created on February 16, 2023, under an "appcisco[.]com" domain and hosted on that server. Through this malicious advertisement on Google, the user was taken to an incorrect download page accessed via a compromised WordPress site. There was a fake landing page on the web that promoted an MSI installer that was entitled “cisco-anyconnect-4_9_0195.msi” that installs the malware BumbleBee. 

It is imperative to recognize the risks posed by such campaigns and take appropriate measures to secure the systems and networks affected by them. To detect and prevent such attacks, companies must ensure robust security measures are in place. You must remain vigilant and trained in cybersecurity best practices to protect yourself against these sophisticated attacks.

A cyberattack on Eurocontrol, the European air traffic control organization, did not end at the end of the weekend, as the effects continued until today. According to a report in the Wall Street Journal, the disruptions caused by Russia's KillNet networks did not disrupt flights.      
Read more »
malware
APK Files APT APT actors APT attacks cyber espionage DLL EU European Union Fancy Bear Malicious actor malware

FancyBear: Hackers Use PowerPoint Files to Deliver Malware

 

FancyBear: Hackers Use PowerPoint Files to Deliver Malware Cluster25 researchers have recently detected a threat group, APT28, also known as FancyBear, and attributed it to the Russian GRU (Main Intelligence Directorate of the Russian General Staff). The group has used a new code execution technique that uses mouse movement in Microsoft PowerPoint, to deliver Graphite malware.
 
According to the researchers, the threat campaign has been actively targeting organizations and individuals in the defense and government organizations of the European Union and East European countries. The cyber espionage campaign is believed to be still active.
 

Methodology of Threat Actor

 
The threat actor allegedly entices victims with a PowerPoint file claiming to be associated with the Organization for Economic Cooperation (OECD).
 
This file includes two slides, with instructions in English and French to access the translation feature in zoom. Additionally, it incorporates a hyperlink that plays a trigger for delivering a malicious PowerShell script that downloads a JPEG image carrying an encrypted DLL file.
 
The resulting payload, Graphite malware is in Portable Executable (PE) form, which allows the malware operator to load other malwares into the system memory.
 
“The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications.” States Cluster25, in its published analysis.
 
The aforementioned Graphite malware is a fileless malware that is deployed in-memory only and is used by malware operators to deliver post-exploitation frameworks like Empire. Graphite malware’s purpose is to allow the attacker to deploy other malwares into the system memory.
 
 
Based on the discovered metadata, according to Cluster25, the hackers have been preparing for the cyber campaign between January and February. However, the URLs used in the attacks were active in August and September.
 
With more hacker groups attempting to carry out such malicious cyber campaigns, the government and private sectors must deploy more powerful solutions to prevent future breaches and cyber attacks to safeguard their organizations.
Read more »
WinRAR
Bitcoin C&C Crypto-Mining DLL malware P2P Botnets Symantec Trojan Attacks WinRAR

Clipminer Botnet Made 1.7 Million Dollars From Crypto Mining

 

Threat researchers have found a large-scale operation of Clipminer, a new cryptocurrency mining virus that netted its users at least $1.7 million in transaction hijacking.

Clipminer is built on the KryptoCibule malware, according to researchers at Symantec, a Broadcom company. Both trojans are designed to steal bitcoin wallets, hijack transactions, and mine cryptocurrency on affected computers. 

Clipminer is based on the KryptoCibule malware, according to researchers at Symantec, a Broadcom company. Both trojans are designed to steal bitcoin wallets, hijack transactions, and harvest cryptocurrency on affected computers. Researchers were taken aback by the new malware because it had fast grown in size by the time it was discovered. According to the Symantec team, these operations involved 4375 bitcoin wallet addresses that received stolen monies from victims.

Downloads or pirated software, are used to spread malware; malicious clipminer botnet files are distributed over torrent sites and other pirating methods. This bitcoin miner can be installed on the machine as a WinRAR archive, which will immediately start the extraction process and launch the control panel file, leading to the download of the dynamic link library. 

The infected DLL creates registry values and installs malware in several files in the Windows directory. Those files are named after ransoms so that the profile may be hosted and the main miner's payload can be downloaded and installed afterward. The system receives identification, which is sent on to the C&C server, which then sends out a request for the payload. The malware is delivered as a 10MB file in the Program Files directory. Once the trojan has been successfully executed, scheduled actions are set up to ensure the malware's persistence. To avoid re-infecting the same host, registry modification is also performed.

According to Symantec, the first Clipminer samples began to circulate in January 2021, with malicious activity picking up in February. Ever since the malware has spread over P2P networks, torrent indexers, YouTube videos, and through game and pirated software cracks. To avoid becoming infected with Clipminer or other malware, avoid downloading software from unknown sources. Verify the entered cryptocurrency wallet address before initiating the transaction to protect yourself from a clipboard hijacker.
Read more »
Ransomware Attacks.
APT actors Cyber Attacks DLL Fortinet Iranian hackers Log4Shell Microsoft Exchange Server Ransomware Attacks.

Iranian Hackers Launch Cyberattack Against US and the UK 

 

Secureworks, a cybersecurity firm, has detected a new attack attributed to the Iranian hacker organization known as APT34 or Oilrig, which utilized custom-crafted tools to target a Jordanian diplomat. APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453 are advanced persistent threat (APT) actors known for targeting activists, government organizations, journalists, and other entities. 

A ransomware gang with an Iranian operational connection has been linked to a succession of file-encrypting malware operations targeting institutions in Israel, the United States, Europe, and Australia.

"Elements of Cobalt Mirage activities have been reported as Phosphorus and TunnelVision," Secureworks, which tracks the cyberespionage group, said today. "The group appears to have switched to financially motivated attacks, including the deployment of ransomware." 

The threat actor used recently obtained access to breach the network of a nonprofit organization in the United States in January 2022, where they built a web shell which was then used to drop further files, according to the researchers. 

The threat actor has seemingly carried out two types of intrusions, one of which involves opportunistic ransomware assaults using genuine tools like BitLocker and DiskCryptor for financial benefit. The second round of attacks is more focused, with the primary purpose of securing access and acquiring intelligence, with some ransomware thrown in for good measure.

Initial access routes are enabled by scanning internet-facing servers for web shells and exploiting them as a route to move laterally and activate the ransomware, which is vulnerable to widely reported holes in Fortinet appliances and Microsoft Exchange Servers. 

The spear-phishing email, which Fortinet discovered, was sent to a Jordanian diplomat and pretended to be from a government colleague, with the email address faked accordingly. The email included a malicious Excel attachment with VBA macro code that creates three files: a malicious binary, a configuration file, and a verified and clean DLL. The macro also adds a scheduled job that runs every four hours to provide the malicious application (update.exe) persistence. 

Another unique discovery concerns two anti-analysis methods used in the macro: the manipulating of sheet visibility in the spreadsheet and a check for the presence of a mouse, both of which may not be available on malware analysis sandbox services.

Secureworks detailed a January 2022 attack on an undisclosed US charity organization but said the exact means by which full volume encryption capability is triggered is unknown. In mid-March 2022, another attack aimed at a US local government network is thought to have used Log4Shell holes in the target's VMware Horizon architecture to perform reconnaissance and network scanning tasks. 

While the group has managed to breach a huge number of targets around the world, the security researchers believe that "their capacity to leverage on that access for financial gain or information collection is limited." Secureworks determines that the group's use of publicly available tools for ransomware activities proves that it is still a threat.
Read more »
Windows
Cyber Security cybercriminals DLL Emotet Trojan Excel File Mallicious URLs Proofpoint TTPs Windows

Emotet is Evolving with Different Delivery Methods

 

Emotet is a well-known botnet and trojan which distributes follow-on malware via Windows platforms.  After a 10-month pause amid a coordinated law enforcement operation to take down its assault infrastructure, Emotet, the work of a cybercrime organization known as TA542 (formerly known as Mummy Spider or Gold Crestwood), marked its comeback late last year. 

Since then, Emotet campaigns have sent tens of thousands of messages to thousands of clients across many geographic regions, with message volumes exceeding one million in some situations. The threat actor behind the popular Emotet botnet is experimenting with new attack methods on a small scale before incorporating them into larger-scale spam campaigns, possibly in response to Microsoft's decision to deactivate Visual Basic for Applications (VBA) macros by default across all of its products.

According to analysts, the malicious actors behind Emotet, TA542, are experimenting with new approaches on a micro level before deploying them on a larger scale. The current wave of attacks is claimed to have occurred between April 4 and April 19, 2022, when prior large-scale Emotet campaigns were halted. 

Researchers from Proofpoint discovered numerous distinguishing characteristics in the campaign, including the usage of OneDrive URLs rather than Emotet's traditional dependence on Microsoft Office attachments or URLs connecting to Office files. Instead of Emotet's previous use of Microsoft Excel or Word documents with VBA or XL4 macros, the campaign employed XLL files, which are a sort of dynamic link library (DLL) file designed to expand the capability of Excel.

Alternatively, these additional TTPs could mean the TA542 is now conducting more targeted and limited-scale attacks in addition to the traditional mass-scale email operations. The lack of macro-enabled Microsoft Excel or Word document attachments is a notable departure from prior Emotet attacks, implying the threat actor is abandoning the tactic to avoid Microsoft's intentions to disable VBA macros by default beginning April 2022. 

The development came after the virus writers addressed an issue last week which prevented potential victims from being compromised when they opened weaponized email attachments.
Read more »
Windows
C2C Cyber Security DLL PDF Exploits PowerShell SEO Windows

The Wizard of Deception: Jupyter Infostealer

 

Researchers recently discovered a new variant of SolarMarker, a malware family which is mostly transmitted using SEO manipulation to persuade people into downloading malicious documents. SolarMarker uses defense evasion to extract auto-fill data, saved passwords, and stored credit card information from victims' web browsers. It offers extra features which are unusual to be seen in info stealers, such as file transfer and command execution from a C2 server.

Jupyter packaged itself with legal executables when it was first detected towards the end of 2020. When it was run, it revealed a PowerShell script that had been obfuscated. The threat group is improving layers of stealth and obfuscation, such as loading the Jupyter Dynamic-Link Library (.DLL) into memory rather than writing the file to disk. Now, it is frequently packaged in massive Windows® installer packages (.MSI) which can reach 100 MB in size. 

To further conceal its motives, these packages are still integrated with legitimate software and signed with valid digital certificates. The installer will load and seek to install the bundled genuine application after installation. However, buried deep within the Trojan installer's code is a small, extensively obfuscated, and encrypted PowerShell script which runs in the background. 

Jupyter has masked itself as a variety of programs and installers. The malware's main file extension has been changed to.MSI, and it executes its obfuscated PowerShell script via several techniques. Jupyter is usually hosted on phony downloading websites which pose as real hosts. These websites typically offer a free PDF book. These can be accessed accidently by a victim or via a link in a spam email. 

It is often packaged with freeware software and certified with unrevoked digital certificates, making the installation appear more authentic. When the Windows installer package is loaded, it will present an installer pop-up for the targeted legitimate application, while loading data and running in the background. 

Jupyter has deployed itself in a variety of ways in the past campaign. The malware usually has two primary files: 
  • An executable and a Windows PowerShell script that contains the harmful code.
  • Some Jupyter variants have also dumped a temporary file (.TMP) into the victim’s %AppData%\Roaming\Temp\ directory, to construct the normal content of Jupyter's main malicious PowerShell script. 

PowerShell is used by the virus to conceal and execute its harmful code without ever publishing itself to disk on the victim's PC. It avoids writing to disk by loading Jupyter's DLL into memory reflectively. DLLs are usually injected into a process from a file written to a disk. 

Reflective DLL injection is a technique for injecting code into a victim process directly from memory rather than from disk. Because the fully un-obfuscated malware does not live on disk, it necessitates the creation of a persistence mechanism, such as registry keys that reload the malware when the victim machine boots up. As a result, Jupyter DLL is difficult to both identify and use. 

Jupyter's basic PowerShell may be split down into six different phases or components. Each phase aids in the achievement of a given objective, function, or capability. Though many Jupyter samples follow the same procedures, differences in Jupyter's PowerShell code exist, and certain samples have been observed to work in slightly different methods to achieve the same goals. 

One can make a modest tweak to the attacker's PowerShell script to save the assembly to disk instead of loading it into memory. This will also assist us in comprehending the operation of this version of SolarMarker. One can see the decompiled code, as well as the names of the classes and functions, are incorrect. Instead, they appear to be obfuscated. 

The SolarMarker backdoor is a.NET C2 client which uses an encrypted channel to interact with the C2 server. HTTP is used for communication, with POST requests being the most common. The data is secured with RSA encryption and symmetric encryption using the Advanced Encryption Standard (AES). Internal reconnaissance is carried out by the client, who gathers basic information about the victim's system and exfiltrates it through an existing C2 channel. The infostealer module has a structure that is quite identical to the backdoor module we discussed earlier, but it has more features.

By reading files relevant to the target browser, the SolarMarker infostealer module obtains login data, cookies, and web data (auto-fill) from web browsers. To decrypt the credentials, SolarMarker uses the API method CryptUnprotectData (DPAPI). 

The usefulness of behavior-based detectors in reducing the stay time of threats inside a network has been recognized by the security industry in recent years. 
Read more »
Subscribe to: Posts (Atom)