Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Malicious Module. Show all posts

On Microsoft Exchange Servers, a New IceApple Exploit Toolkit was Launched

 

Security analysts discovered a new post-exploitation framework that could enable Microsoft Exchange servers to be compromised. This framework, known as IceApple, was created by threat actors who wanted to preserve a low profile while launching long-term attacks to assist reconnaissance and data exfiltration. 

"As of May 2022, IceApple is under active development, with 18 modules seen in operation across several enterprise contexts," CrowdStrike reported. The complex virus was identified in various victim networks and in geographically separate areas, which were detected in late 2021. Victims come from a variety of fields, including technology, academia, and government.

IceApple is unique for being an in-memory framework, implying a threat actor's desire to keep a low forensic footprint and avoid detection, which bears all the signs of a long-term algorithmic mission by creating files that appear to come from Microsoft's IIS web server. While most of the malware has been found on Microsoft Exchange servers, IceApple can function under any Internet Information Services (IIS) web app, making it a dangerous threat.

IceApple activity, as per CrowdStrike researchers, could be linked to nation-state attacks. Although IceApple has not been linked to any single threat actor, many believe it was developed by China. 

The actual number of victims of the attack has not been determined by CrowdStrike, but they do not rule out the possibility that the threat will expand in the following weeks. In this regard, the experts suggested updating any apps used by public and commercial businesses to strengthen the system's protection against this framework. 

The malware can locate and erase files and directories, write data, collect credentials, search Active Directory, and transfer sensitive data due to the framework's various components. These components' build timestamps date back to May 2021.

A Module-Based Malware Spread by Word Document



As a module-based malware, Trickbot a malware family previously captured by FortiGuard Labs and afterward analyzed in 2016. It can broaden its functionalities by downloading new modules from its C&C server and executing them on its victim's device. 

While it was at first recognized as banking Trojan, it has progressively extended out its functionalities to gather credentials from its victims' email accounts, browsers, installed network applications and so on. It is likewise able to send spam to its victim's email contacts, just as deliver other malware to the victim's device, like Emotet. As of late, FortiGuard Labs captured an MS Office Word sample in the wild that is spreading another variation of TrickBot. 

This is how by which it chips away at the victim's machine. At the point when the malevolent Word document is opened with MS Office Word, it requests input, by requesting that the victim click the "Enable Content" button to empower the document's Macro feature. When this is done, its malicious Macro (VBA code) is executed. By going to the Menu "Developer"- > "Visual Basic" we can look at the Macro's VBA modules and code. 

The Macro project is password-protected, so one can't see any of the detailed data until the right password is provided. Luckily, there is an approach to sidestep this protection by changing its binary file. On the form, there is a Label control containing the malignant JS code, sketched out with a red rectangle. One of the VBA modules has an autorun() function which is called consequently when the Word doc opens. The VBA code at that point separates two files onto the victim's framework. 

 One document is "C:\AprilReport\LogsTsg\LogsTsg7\LogsTsg8\List1.bat", with content "cscript/nologo C:\AprilReport\List1.jse", and the other is "C:\AprilReport\List1.jse", with JavaScript code from the label control, which is a tremendously jumbled JavaScript code. At that point, it begins the first extricated file "List1.bat", which calls "script" running the huge JavaScript document "List1.jse". The JavaScript code is heavily muddled. This secures the API function calls and consistent strings from being distinguished. They additionally utilize tons of unknown functions also.

At the point when the code starts, it first waits around for a minute to sidestep any auto-analysis devices by appearing to be dormant. After waiting, it then proceeds with the command "Select * from Win32_Process" to acquire every running procedure. It at that point puts the entirety of the names of these acquired procedures together and verifies whether its length is less than 3100. 

Provided that this is true, it will raise an exception and close. For the most part, on a real computer, this length is bigger than 3100. As of now, it’s better ready to sidestep numerous auto-analysis systems, including Sandboxes and Virtual Machines. 

For the solution for this issue, Fortinet customers are already said to have been shielded from this TrickBot variation by FortiGuard's web filtering, Antivirus, and IPS benefits as follows: The downloading URL is appraised as "Malicious Websites" by the FortiGuard Web Filtering service. The Word doc and downloaded Dll record are distinguished as "VBA/TrickBot.MRVB!tr" and
"W32/TrickBot.EFDC!tr" and further blocked by the FortiGuard AntiVirus administration. 

The IP locations of the C&C server are identified and then blocked by the FortiGuard IPS signature "Trojan.TrickBot".

CamScanner Returns After Being Removed by Google for Having Malware



Researchers at multinational cybersecurity company, Kaspersky Labs, discovered a malicious module in the widely used mobile scanning app, CamScanner. As a result of the discovery, the app was taken down by Google from its play store last week. Seemingly, the iOS version of the app remained unaffected by the malware.

On 5th September 2019, the developers of the popular PDF creator app, announced its comeback on their official Twitter handle. Reportedly, they have removed all advertising SDKs in the latest version of CamScanner, i.e., version 5.12.5, which can be downloaded by the users from Google Play Store.

There were issues in the previous version of the app, however, the app, CamScanner in itself is a completely authentic and widely used application.



According to the researchers at Kaspersky Labs, “Recent versions of the app shipped with an advertising library containing a malicious module,”

“The module is a Trojan-Dropper that means the module extracts and runs another malicious module from an encrypted file included in the app’s resources. This “dropped” malware, in turn, is a Trojan-Downloader that downloads more malicious modules depending on what its creators are up to at the moment,” they added.

The Trojan-Dropper module which is called as “Trojan-Dropper.AndroidOS.Necro.n”  is configured to befool users into signing up for paid subscriptions by showing them intrusive advertisements.