Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Malicious Payload. Show all posts

RansomHub Ransomware: Exploiting Trusted Tools to Evade Detection

RansomHub Ransomware: Exploiting Trusted Tools to Evade Detection

Ransomware groups continue to innovate and adapt their tactics to bypass security measures. One such group, RansomHub, reported by Malwarebytes, has recently garnered attention for its sophisticated approach to disabling Endpoint Detection and Response (EDR) systems. By leveraging Kaspersky’s TDSSKiller, a legitimate rootkit removal tool, RansomHub has managed to execute its malicious payloads undetected, posing a significant threat to organizations worldwide.

The Rise of RansomHub

RansomHub is a relatively new player in the ransomware scene, but it has quickly made a name for itself with its advanced techniques and targeted attacks. Unlike traditional ransomware groups that rely on brute force methods or simple phishing campaigns, RansomHub employs a more nuanced strategy. By using legitimate software tools in unexpected ways, they can evade detection and maximize the impact of their attacks.

The Role of Kaspersky’s TDSSKiller

Kaspersky’s TDSSKiller is a well-known tool in the cybersecurity community, designed to detect and remove rootkits from infected systems. Rootkits are a type of malware that can hide the presence of other malicious software, making them particularly dangerous. TDSSKiller is widely trusted and used by security professionals to clean compromised systems.

However, RansomHub has found a way to exploit this tool for malicious purposes. By incorporating TDSSKiller into their attack chain, they can disable EDR software that would otherwise detect and block their ransomware. This tactic is particularly insidious because it uses a trusted tool to carry out malicious actions, making it harder for security teams to identify and respond to the threat.

The Attack Chain

RansomHub’s attack chain typically begins with a phishing email or a compromised website that delivers the initial payload. Once the ransomware is on the target system, it uses a variety of techniques to escalate privileges and gain control over the machine. This is where TDSSKiller comes into play.

By running TDSSKiller, the ransomware can disable EDR software and other security measures that would normally detect and block the attack. With these defenses out of the way, RansomHub can then proceed to encrypt the victim’s files and demand a ransom for their release. In some cases, they also use a credential-harvesting tool called LaZagne to extract sensitive information, further increasing the pressure on the victim to pay the ransom.

Threats Posed by Tools

The use of legitimate tools like TDSSKiller in ransomware attacks highlights a significant challenge for the cybersecurity community. Traditional security measures are often designed to detect and block known malware and suspicious behavior. However, when attackers use trusted tools unexpectedly, these measures can be less effective.

This tactic also underscores the importance of a multi-layered approach to cybersecurity. Relying solely on EDR software or other endpoint protection measures is no longer sufficient. Organizations must implement a comprehensive security strategy that includes network monitoring, threat intelligence, and user education to detect and respond to these advanced threats.

P2Pinfect Worm Now Delivering Ransomware on Redis Servers

 

Cado Security experts warned that the P2Pinfect worm is used in attacks on Redis servers to deliver ransomware and cryptocurrency mining payloads. 

Palo Alto Networks Unit 42 researchers uncovered the P2P worm P2PInfect in July 2023, which targets Redis servers running Linux and Windows operating systems. P2PInfect's ability to target Redis servers running on both Linux and Windows operating systems makes it more expandable and dangerous than other worms.

Cado Security Labs identified a new strain of the P2Pinfect botnet in December 2023, specifically targeting routers, IoT devices, and other embedded devices. This variation was built for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture. The new bot includes enhanced evasion methods, the ability to evade execution in a Virtual Machine (VM) or a debugger, and anti-forensics support for Linux hosts. 

The worm is written in Rust and targets Redis instances using the Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score 10.0). In September 2023, Cado Security Labs detected a 600x spike in P2Pinfect traffic since August 28. Researchers noted that the malware did not seem to have a goal other than to spread; however, a new upgrade of P2Pinfect has introduced a ransomware and crypto miner payload. 

The most recent campaign began on June 23, based on the TLS certificate used for C2 communications. The malware propagates by leveraging Redis's replication features, where nodes in a distributed cluster follow a leader/follower topology. The attackers exploited this feature by making follower nodes load arbitrary modules, allowing code execution on these nodes. P2Pinfect uses the SLAVEOF command to turn open Redis nodes into followers of a server under the control of its operator. 

“P2Pinfect is a worm, so all infected machines will scan the internet for more servers to infect with the same vector described above. P2Pinfect also features a basic SSH password sprayer, where it will try a few common passwords with a few common users, but the success of this infection vector seems to be a lot less than with Redis, likely as it is oversaturated,” Cado researchers stated. “Upon launch it drops an SSH key into the authorised key file for the current user and runs a series of commands to prevent access to the Redis instance apart from IPs belonging to existing connections.”

The war's primary binary appears to have been changed; it is now built with the Tokio async framework for Rust and includes UPX. The malware's internals have been completely unwritten; researchers discovered that the binary had been stripped and partially obfuscated to make static analysis more challenging. Previously, P2Pinfect maintained persistence by adding it to.bash_logout and running a cron job, however these methods are no longer used. Other behaviours, such as the initial setup, are unaffected.

Unmasking the Trojan: How Hackers Exploit Innocent Games for Malicious Intent


Hackers continue to find ingenious ways to infiltrate organizations and compromise sensitive data. Recently, a peculiar attack vector emerged—one that leverages an unsuspecting source: a Python clone of the classic Minesweeper game. 

In this blog post, we delve into the details of this novel attack and explore the implications for cybersecurity professionals.

The Trojanized Minesweeper Clone

The Setup

The attack begins innocuously enough—an email arrives in an employee’s inbox, seemingly from a legitimate medical center. 

The subject line reads, “Personal Web Archive of Medical Documents.” Curiosity piqued, the recipient opens the email and finds a Dropbox link to download a 33MB SCR file. The file claims to contain a web archive of medical documents, but hidden within its code lies a sinister secret.

The Malicious Payload

The SCR file contains two distinct components:

Legitimate Minesweeper Code

  • The attackers cleverly embed code from a Python clone of the classic Minesweeper game. This seemingly harmless code serves as camouflage, distracting security scanners and human reviewers.
  • The Minesweeper game runs as expected, creating a façade of normalcy.

Malicious Python Script

  • Concealed within the Minesweeper code, a malicious Python script lies dormant.
  • When executed, this script connects to a remote server (“anotepad.com”) and downloads additional payloads.
  • The ultimate goal? To install the SuperOps RMM (Remote Monitoring and Management) software—a legitimate tool that provides remote access to compromised systems.

The Threat Actor: UAC-0188

The attack is attributed to a threat actor known as “UAC-0188.” This actor demonstrates a keen understanding of social engineering and exploits users’ trust in seemingly benign applications. By piggybacking on the Minesweeper clone, UAC-0188 bypasses initial scrutiny and gains a foothold within the organization.

Implications and Countermeasures

Organizations must remain vigilant and adopt proactive measures to counter such attacks:

User Awareness

  • Educate employees about phishing tactics and the importance of scrutinizing unexpected attachments.
  • Encourage skepticism—even when the sender appears legitimate.

Behavioral Analysis

  • Implement behavioral analysis tools that detect anomalies in file behavior.
  • Scrutinize code for hidden payloads, especially within seemingly harmless files.

Network Segmentation

  • Isolate critical systems from less secure areas of the network.
  • Limit lateral movement for attackers.

Regular Security Audits

  • Conduct regular audits to identify vulnerabilities.
  • Update security policies and procedures accordingly. 

Hackers Use GitHub Search to Deliver Malware

 

Checkmarx, an application security firm, has discovered that threat actors are altering GitHub search results in order to infect developers with persistent malware.

As part of the campaign, attackers were seen developing fake repositories with popular names and themes, and then boosting their search ranks using automatic updates and fake ratings. 

To avoid detection, the threat actors concealed a harmful payload within Visual Studio project files, resulting in the execution of malware similar to Keyzetsu clipper that targets crypto wallets. The malware is installed continuously on Windows machines and is scheduled to be executed daily. 

The threat actors were observed leveraging GitHub Actions to automatically update the malicious repositories by making minor changes to a file titled 'log', which artificially enhances the repositories' visibility and the possibility of users accessing them. 

Furthermore, the attackers were detected adding fictitious stars to their repositories from various fake identities, tricking users into believing the repositories are popular and genuine. 

“Unsuspecting users, often drawn to the top search results and repositories with seemingly positive engagement, are more likely to click on these malicious repositories and use the code or tools they provide, unaware of the hidden dangers lurking within,” Checkmarx stated. 

The attackers inserted their malicious payload in a Visual Studio project file's pre-build event, causing it to be run automatically across the build process. The payload downloads additional content from certain URLs based on the victim's country, downloads encrypted files from the URLs, extracts and runs their content, and checks the system's IP address to see if it is in Russia. 

On April 3, the attackers began utilising a new URL that pointed to an archived executable file. To avoid detection by security solutions, they padded the executable with an abundance of zeros, preventing scanning.

"The results of our analysis of this malware suggest that the malware contains similarities to the 'Keyzetsu clipper' malware, a relatively new addition to the growing list of crypto wallet clippers commonly distributed through pirated software," Checkmarx said in a press release.

A scheduled task that points to an executable file shortcut is one way that malware tries to remain persistent. Several malicious repositories have received complaints from infected users, suggesting that Checkmarx's effort has been successful. 

In the aftermath of the XZ attack and many other recent incidents, it would be irresponsible for developers to rely solely on reputation as a metric when using open-source code. These incidents highlight the necessity for manual code reviews or the use of specialized tools that perform thorough code inspections for malware,” Checkmarx added.

Ransomware Makes Up 58% of Malware Families Sold as Services

 

Ransomware has emerged as the most pervasive Malware-as-a-Service (MaaS) during the past seven years, according to a new study from the Kaspersky Digital Footprint Intelligence team. Based on analysis of 97 malware families that were disseminated via the dark web and other sites, the study was undertaken. The researchers also discovered that hackers frequently rent infostealers, botnets, loaders, and backdoors to conduct their attacks.

An illegal business concept called malware-as-a-service (MaaS) involves renting out software to commit cyberattacks. Clients of these services are typically provided with a personal account via which they may manage the attack as well as technical support. 

Ransomware the most widely used malware-as-a-Service

In order to determine the popular types, Kaspersky's experts assessed the sale quantities of different malware families as well as mentions, debates, posts, and search advertising on the darknet and other sites regarding MaaS. The dominant force turned out to be ransomware, or malicious software that encrypts data and demands payment to decrypt it. Of all the families supplied under the MaaS model between 2015 and 2022, it accounted for 58%. Ransomware's appeal can be ascribed to its capacity to produce greater earnings than other forms of malware in a shorter amount of time.

Ransomware-as-a-service (RaaS) allows cybercriminals to "subscribe" for nothing. They start paying for the service after the attack occurs after they are partners in the programme. A portion of the victim's ransom payment, usually between 10% and 40% of each transaction, determines the payout amount. Entering the programme, meanwhile, is not an easy undertaking because there are strict qualifications. 

Infostealers made up 24% of malware families offered as a service throughout the analysed time frame. These are malicious software meant to steal information, including usernames, passwords, banking information, browsing history, data from cryptocurrency wallets, and more. 

Subscription-based payment methods are used for infostealer services. The cost per month ranges from 100 to 300 dollars in the United States. For instance, Raccoon Stealer, which was cancelled in the first few days of February 2023, could be purchased for 275 dollars per month or 150 dollars per week. According to information provided on the Darknet by its operators, RedLine's rival charges 150 dollars a month and also offers the chance to buy a lifetime licence for 900 dollars. 

Botnets, loaders, and backdoors were found to be present in 18% of malware families offered as services. Since many of these threats share the same objective—uploading and running further malware on the victim's device—they are grouped together as a single threat. 

Prevention tips

Kaspersky experts advise the following to safeguard your business from such threats: 

  • To stop hackers from breaking into your network by taking advantage of vulnerabilities, keep the software updated on all the devices you use.
  • Update your systems with fixes as soon as new vulnerabilities are discovered. Threat actors cannot exploit the vulnerability after it has been downloaded. 
  • To stay informed about the real TTPs employed by threat actors, use the most recent threat intelligence data. 
  • Investigate an adversary's perception of your company's resources with the aid of Kaspersky Digital Footprint Intelligence to quickly identify any potential attack vectors you may have. This also aids in spreading awareness of the threats that cybercriminals are currently posing so that you can timely alter your defences or implement countermeasures and elimination strategies.

BBC, British Airways Among High Profile Victims in Global Supply-Chain Hack

 

A rising number of organisations, including the BBC, British Airways, Boots, and Aer Lingus, are being impacted by a widespread attack.

Staff members have received warnings that personal information, including social security numbers and, in some circumstances, bank information, may have been stolen.

The hackers used a well-known piece of software as a gateway to access numerous businesses simultaneously. There are no reports of money being taken or requests for ransom.

One of the impacted businesses in the UK is the payroll services provider Zellis, which reported that data from eight of its customer organisations had been stolen. 

Organisations are notifying employees on their own, though it wouldn't give names. The BBC informed the staff via email that the stolen data contained staff ID numbers, dates of birth, residential addresses, and national insurance numbers. 

British Airways employees have been told that some of their bank information may have been stolen. The National Cyber Security Centre of the UK stated that it was keeping an eye on the situation and recommended businesses using the affected software to apply security updates.

The attack was initially made public last week when US business Progress Software said that hackers had discovered a way to access its MOVEit Transfer application. The majority of MOVEit's users are in the US, although the programme is well-known throughout the world for safely moving sensitive files.

When the exploit was found, according to Progress Software, it immediately informed its clients and made a security update available for download. 

A company spokeswoman stated that the company is collaborating with the police to "combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products".

Businesses using MOVEit were advised to download a security patch on Thursday by the US Cybersecurity and Infrastructure Security Agency to prevent further breaches. 

However, security researcher Kevin Beaumont claimed that because many impacted companies had not yet installed the remedy, internet scans revealed that thousands of company datasets may still be exposed.

Experts predicted that instead of extorting money from individuals, cybercriminals would try to do so from businesses. Although no public ransom demands have been made as of yet, it is anticipated that cybercriminals will start emailing impacted firms to demand payment. They'll probably threaten to release the info online for other hackers to browse. 

Victim organisations caution personnel to be alert for any dubious communications that could result in additional cyberattacks. Microsoft stated that it felt the perpetrators were connected to the infamous Cl0p ransomware organisation, which is thought to have its base of operations in Russia, despite the fact that no official attribution had been established.

The US tech giant claimed in a blog post that it was attributing assaults to Lace Tempest, a ransomware operator and owner of the Cl0p extortion website where victim data is exposed. According to the business, the hackers who were behind the attack have previously used similar methods to extort victims and steal data. 

"This latest round of attacks is another reminder of the importance of supply chain security," stated John Shier, from cyber security company Sophos. "While Cl0p has been linked to this active exploitation it is probable that other threat groups are prepared to use this vulnerability as well."

Hackers Target Apple macOS Systems with a Golang Version of Cobalt Strike

 

Threat actors intending to attack Apple macOS systems are likely to pay attention to Geacon, a Cobalt Strike implementation written in the Go programming language. 

The details were accumulated by SentinelOne, which noticed an increase in the quantity of Geacon payloads that have been showing up on VirusTotal lately. 

"While some of these are likely red-team operations, others bear the characteristics of genuine malicious attacks," security researchers Phil Stokes and Dinesh Devadoss explained in a report. 

Red teaming and adversary simulation tool Cobalt Strike was created by Fortra and is well recognised. Illegally cracked versions of the software have been abused by threat actors throughout the years due to its numerous post-exploitation features. While Cobalt Strike's post-exploitation activities mostly targeted Windows, assaults against macOS are rather uncommon. 

A malicious Python package called "pymafka" was created to install a Cobalt Strike Beacon on infected Windows, macOS, and Linux computers. Sonatype, a software supply chain company, revealed details of this package in May 2022. 

The discovery of Geacon artefacts in the wild, however, could alter that. Since February 2020, GitHub has hosted Geacon, a Go version of Cobalt Strike. Additional investigation into two fresh VirusTotal samples posted in April 2023 has linked them to two Geacon versions (geacon_plus and geacon_pro) created in late October by two unidentified Chinese developers, z3ratu1 and H4de5. The geacon_pro project is no longer available on GitHub, but a snapshot from the Internet Archive on March 6, 2023 shows that it can get past antivirus programmes including Microsoft Defender, Kaspersky, and Qihoo 360 360 Core Crystal. 

While geacon_plus supports CobaltStrike versions 4.0 and after, the tool's creator, H4de5, asserts that geacon_pro is primarily meant to handle CobaltStrike versions 4.1 and later. The software is currently at version 4.8. 

One of the artefacts found by SentinelOne, Resume_20230320.app by Xu Yiqing, uses a run-only AppleScript to connect to a remote server and download a Geacon payload. Both Apple silicon and Intel architectures are compatible with it. 

"The unsigned Geacon payload is retrieved from an IP address in China," the researchers explained. "Before it begins its beaconing activity, the user is presented with a two-page decoy document embedded in the Geacon binary. A PDF is opened displaying a resume for an individual named 'Xu Yiqing.'"

The Geacon binary, created by compiling the geacon_plus source code, includes a wide range of features that enable it to download next-stage payloads, exfiltrate data, and improve network connections. 

The second copy is reportedly included into a trojanized app that poses as the SecureLink remote assistance app (SecureLink.app) and primarily targets Intel devices, according to the cybersecurity firm. 

The basic, unsigned programme asks users for permission to access contacts, pictures, reminders, as well as the camera and microphone on the smartphone. The Geacon payload from the geacon_pro project, which connects to a known command-and-control (C2) server in Japan, is the core element of the attack.

LockBit Operators Target Apple MacOS Devices

 

In order to encrypt files on devices running Apple's macOS operating system, the actors behind the LockBit ransomware campaign have created new artifacts. 

It appears that the development marks the first time a large-scale ransomware group has produced a macOS-based payload, as was noted over the weekend by the MalwareHunterTeam. 

Additional samples found by vx-underground demonstrate that the macOS variant has been accessible since November 11, 2022, and has so far managed to avoid being discovered by anti-malware engines. 

The threat actors behind LockBit, a well-known cybercrime gang with ties to Russia, released two significant modifications to the locker in 2021 and 2022. They have been active since late 2019. 

LockBit overtook Cl0p as the second most popular ransomware in March 2023, according to figures made public by Malwarebytes last week, and it was responsible for 93 successful assaults.

The new macOS version ("locker_Apple_M1_64") is still under development and uses an incorrect signature to sign the executable, according to an analysis of the software. As a result, even if it is downloaded and launched on a device, Apple's Gatekeeper security measures will block it from being used. 

Security researcher Patrick Wardle claims that the payload contains files like autorun.inf and ntuser.dat.log, indicating that the ransomware sample was initially intended to attack Windows. 

"While yes it can indeed run on Apple Silicon, that is basically the extent of its impact," Wardle explained. "Thus macOS users have nothing to worry about ...for now!" 

Wardle also drew attention to other security measures put in place by Apple, such as System Integrity Protection (SIP) and Transparency, Consent, and Control (TCC), which stop the execution of unauthorised code and mandate that programmes ask users' permission before accessing protected files and data. 

"This means that without an exploit or explicit user-approval users files will remain protected," Wardle explained. "Still an additional layer or detection/protection may be warranted." 

According to SentinelOne researcher Phil Stokes, the macOS version of LockBit is also a "direct descendant" of the Linux variant and does not "implement any functionality for exfiltrating the data it locks, nor does it have any method of persistence." Stokes described the threat's current state of development. 

In describing the threat's current state of development, SentinelOne researcher Phil Stokes noted that the macOS version of LockBit is also a "direct descendant" of the Linux variant and lacks "any functionality for exfiltrating the data it locks, nor does it have any method of persistence."

It is clear from the results that threat actors are progressively focusing their attention on macOS systems, despite the fact that the artefacts are generally buggy. Since then, a LockBit spokesperson has verified to Bleeping Computer that the macOS encryptor is "actively being developed," indicating that the malware is likely to pose a severe threat to the platform. 

Titan-Stealer: A New Golang-based Info-Stealer Malware


Recently, a new Golang-based information stealer malware, named ‘Titan Stealer’ is being promoted by threat actors in their Telegram channel. Initial details regarding the malware were discovered by cybersecurity researcher Will Thomas in November 2022 by using the IoT search engine Shodan. 

Titan is advertised as a malware builder that enables users to alter the malware binary's functionality and the type of data that will be extracted from a victim's system. 

The malware, when launched, initiates a technique called ‘process hollowing’ in order to disseminate the malicious payloads into the memory of a legitimate process called AppLaunch.exe, Microsoft’s .NET ClickOnce Launch Utility. 

According to a recent report by Uptycs security, researchers Karthickkumar Kathiresan and Shilpesh Trivedi say, “the stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files.” 

Targets of The Info Stealer 

The Titan Stealer has been targeting web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, Brave, Vivaldi, 7 Star Browser, Iridium Browser, and others. The crypto wallets singled out are Armory, Atomic, Bytecoin, Coinomi, Edge Wallet, Ethereum, Exodus, Guarda, Jaxx Liberty, and Zcash. 

Additionally, it has the ability to collect data from the Telegram desktop app and compile a list of the host's installed programs. 

The gathered information is then transmitted as a Base64-encoded archive file to a remote server under the attacker's control. Additionally, the malware includes a web panel that enables threat actors to access the stolen data. 

How is the Titan Stealer Operated? 

The exact approach used to distribute the malware is still unclear, but the threat actors have utilized numerous methods, such as phishing, malicious ads, and cracked software. 

"One of the primary reasons [threat actors] may be using Golang for their information stealer malware is because it allows them to easily create cross-platform malware that can run on multiple operating systems, such as Windows, Linux, and macOS," says Cyble in its analysis of Titan Stealer. "Additionally, the Go compiled binary files are small in size, making them more difficult to detect by security software." 

The findings come a little over two months after SEKOIA unveiled Aurora Stealer, another Go-based malware that is being used by a number of criminal actors in their campaigns. 

The malware often spreads through websites that mimic a renowned software, with the same domains being continuously updated to host trojanized versions of different programs. 

It is also found to be taking advantage of a tactic called padding in order to artificially inflate the size of the executables to as much as 260MB by adding random data, in order to evade detection by antivirus software. 

Threat Actors Exploit WeTransfer to Spread Lampion Malware

 

In a new phishing campaign unearthed by Cofense researchers, the Lampion malware is being distributed massively, with hackers exploiting WeTransfer as part of their campaign.

WeTransfer is an internet-based computer file transfer service that can be utilized free of cost, hence it's a no-cost way to circumvent security software that may not detect URLs in emails. 

The malware authors are sending phishing emails from exploited firm accounts requesting customers to download a "Proof of Payment" document from WeTransfer. 

The file sent to the targets is a ZIP archive containing a VBS (Virtual Basic script) file that the user must open in order for the attack to begin. Upon clicking on the file, the script launches a WScript process that manufactures four VBS files with random names. The first is empty, the second has limited functionality, and the third's sole motive is to launch the fourth script. 

According to Cofense researchers, this extra step is unclear, but modular execution approaches are typically preferred for their versatility, allowing easy file swaps. The fourth script initiates a new WScript process that links to two hardcoded URLs to retrieve two DLL files concealed inside password-protected ZIPs. The malicious links lead to Amazon AWS instances. 

The ZIP file password is concealed in the script, so the archives are extracted without user communication. The contained DLL payloads are loaded into memory, allowing Lampion to be stealthily executed on compromised systems. 

Subsequently, the malware initiates extracting data from the computer, and bank accounts, and overlaying its own login forms on login pages. These fake bogus forms are stolen and sent to the hacker when users enter their credentials. 

The Lampion trojan has been active since at least 2019, primarily targeting Spanish-speaking users and employing exploited servers to deploy its malicious ZIPs. 

Last year, the malware was identified exploiting cloud services for hosting the malware for the first time, including Google Drive and pCloud. Recently, in March 2022, Cyware reported an increase in trojan distribution, identifying a hostname link to Bazaar and LockBit operations.

Prevention Tips 

Researchers advised users to apply the following mitigations to defend against malware attacks: 
  • Update software, including operating systems, applications, and firmware frequently 
  • Install OS patches when they are available 
  • Enforce MFA to the greatest extent possible 
  • If you use RDP and/or other potentially risky services, secure and monitor them closely 
  • Employ cryptographic vaults for data safety

LockBit Ransomware Exploits Windows Defender to Load Cobalt Strike Payloads

 

A hacker linked with the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been identified exploiting the Windows Defender command-line tool to decrypt and install Cobalt Strike payloads.

According to endpoint security firm SentinelOne, the ransomware operator exploited VMware command-line utility called VMwareXferlogs.exe, to alter VMware tool settings and interface in the targeted operating systems, and downloaded a Cobalt Strike payload. The hacker also leveraged a command line tool associated with Windows Defender named “MpCmdRun.exe to” decrypt and load Cobalt Strike payloads. 

Subsequently, the malicious actor exploited the Log4Shell vulnerability which is the bug found in an open-source logging library employed by apps and services across the internet, and implemented a reconnaissance for thorough observation of the network to download the Cobalt Strike Payload.

SentinelOne stated that Windows Defender needs to be vigilant regarding the current scenario as hackers associated with the LockBit ransomware are exploring to abuse “novel living off the land tools” to deploy Cobalt Strike beacons bypassing traditional AV detection tools. 

“Defenders need to be alert to the fact that LockBit ransomware operators and affiliates are exploring and exploiting novel ‘living off the land’ tools to aid them in loading Cobalt Strike beacons and evading some common EDR and traditional AV detection tools,” SentinelOne said. 

“Importantly, tools that should receive careful scrutiny are any that either the organization or the organization’s security software have made exceptions for. Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls,” the company added. 

The LockBit ransomware has been active since 2019 and it has likely been used to target thousands of organizations. 

Earlier this year in June, the Lockbit ransomware gang announced the launch of Lockbit 3.0, a new ransomware-as-a-service offering and a bug bounty program. The group said it will offer rewards ranging between $1,000 and $1 million to security researchers and ethical or unethical hackers for information regarding vulnerabilities in their website, the ransomware encryption process, the Tox messaging app, and bugs exploiting their Tor infrastructure.

Hackers are Using LNK Files to Deploy Malicious Payload

 

Earlier this month, researchers at McAfee Labs spotted a sophisticated technique where hackers employed email spam and malicious URLs to deliver LNK files to victims. The files command authentic applications like PowerShell, CMD, and MSHTA to download malicious files. 

LNK files are shortcut files that link to an application or file commonly found on a victim’s desktop or throughout a system and end with an .LNK extension. LNK files can be created by the user or automatically by the Windows operating system. 

To identify the true nature of these files we will go through recently identified Emotet malware. In this particular campaign, the hacker targets the victims’ by manually accessing the attached LNK file. Threat actor replaces the original shortcut icon with that of a .pdf file, so that the unsuspecting victim, once they receive the email attachment, can’t spot the difference with a basic visual inspection. 

But the threat is real. Windows shortcut files can be employed to deploy pretty much any malware onto the target endpoint, and in this case, the Emotet payload is downloaded into the victim’s %TEMP% directory. If successful, the malware will be loaded into memory using “regsvr32.exe”, while the original dropper gets deleted from the %TEMP% directory. 

Precautionary tips 

Emotet is a sophisticated and long-lasting malware that has impacted users globally. Threat Actors are constantly adapting their techniques to stay one step ahead of cybersecurity researchers. McAfee Labs is continuously monitoring the activity of Emotet and has published the guidelines to protect users from malware infection. 

• It is important to note that Emotet is an endpoint threat spread via email, therefore endpoint detection and response (EDR) and antivirus tooling are imperative to disrupting this threat. 

• Don’t keep important files in common locations such as the Desktop, My Documents, etc. 

• Use strong passwords and enforce multi-factor authentication wherever possible. 

• Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 

• Use a trusted anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. 

• Avoid clicking on untrusted links and email attachments without verifying their authenticity. 

• Conduct regular backup practices and keep those backups offline or in a separate network.

Purple Fox Backdoor Identified in Malicious Telegram Installers

 

A novel technique to target computer systems has been discovered. According to a report published by joint efforts between Minerva Labs cybersecurity team, and a MalwareHunterTeam, trojanized installers of the Telegram messaging application are being circulated online to distribute the Purple Fox malware, a Windows-based rootkit that is used to install further malicious payloads on compromised devices. 

The installer for the malicious Telegram application is a compiled AutoIt script called "Telegram Desktop.exe" that drops two files, the legitimate Telegram installer, and a malicious downloader. While the legitimate Telegram installer dropped alongside the downloader isn't implemented, the AutoIT program does run the downloader TextInputh.exe. 

When executed, TextInputh.exe designs a folder named ("1640618495") under the C:\Users\Public\Videos\ directory, and then establishes a connection to the C2 to download a 7z utility and a RAR archive (1.rar). The archive contains the payload and the configuration files, while the 7z program unpack .RAR archives and a file used to load a malicious reflectively.DLL.

The next step includes the creation of a registry key to enable persistence on a compromised device, and five further files are dropped into the ProgramData folder to perform functions, including shutting down a wide spectrum of antivirus processes before Purple Fox is eventually executed.

The Purple Fox Trojan comes in two Windows variants i.e. 32-bit and 64-bit. In March last year, Guardicore Labs uncovered novel worm capabilities integrated into the malware, and thousands of susceptible servers were hijacked to host payloads of Purple Fox. 

Last year in October, a new backdoor named FoxSocket was discovered by Trend Micro researchers, which is believed to be a new inclusion to the existing abilities of the malware. The Purple Fox malware is going to be on the radar of security researchers for a while. It has a unique worm functionality and also contains a rootkit. It also employs stealth and has upgraded backdoors. This makes it worth observing and that is why many are keeping tabs on any developments. 

"The beauty of this attack is that every stage is separated to a different file which is useless without the entire file set," the researchers explained. "This helps the attacker protect his files from AV detection."

Telegram Exploited by Attackers to Spread Malware

 

Researchers discovered that cybercriminals are using the Echelon info stealer to attack the crypto-wallets of Telegram users in an attempt to deceive new or naïve members of a cryptocurrency discussion group on the messaging network. 

Researchers from SafeGuard Cyber's Division Seven threat analysis section discovered a sample of Echelon in a cryptocurrency-focused Telegram channel in October, according to an investigation published on Thursday. 

The malware used throughout the campaign is designed to exploit credentials from a variety of messaging and file-sharing channels, such as Discord, Edge, FileZilla, OpenVPN, Outlook, and even Telegram itself, as well as a variety of cryptocurrency wallets, which include AtomicWallet, BitcoinCore, ByteCoin, Exodus, Jaxx, and Monero. 

The campaign was a “spray and pray” effort: “Based on the malware and how it was posted, SafeGuard Cyber believes that it was not part of a coordinated campaign, and was simply targeting new or naïve users of the channel,” according to the report. 

Researchers discovered that attackers had been using the handle "Smokes Night" to disseminate Echelon on the channel, although it's unknown how successful they were. "The post did not appear to be a response to any of the surrounding messages in the channel," they added.

According to the researchers, additional users on the channel didn't even appear to detect anything strange or engage with the post. However, this does not imply that the malware did not reach consumers' devices, according to the experts. 

“We did not see anyone respond to ‘Smokes Night’ or complain about the file, though this does not prove that users of the channel did not get infected,” they wrote. 

The Telegram messaging platform has undoubtedly become a hotspot of activity for hackers, who've already taken advantage of its popularity and large attack surface by distributing malware on the network via bots, rogue accounts, and other methods.

Echelon was delivered to the cryptocurrency channel in the form of a.RAR file called "present).rar," which contained three files: "pass – 123.txt," a benign text document comprising a password; "DotNetZip.dll," a non-malicious class library and toolset for manipulating.ZIP files; and "Present.exe," the malicious executable for the Echelon credential stealer. 

The.NET payload also featured numerous characteristics that made it hard to identify or analyze, such as two anti-debugging capabilities that immediately terminate the process if a debugger or other malware analysis techniques are identified, and obfuscation utilizing the open-source ConfuserEx program. 

According to the researchers, additional characteristics of the malware include computer fingerprinting and the ability to take a screenshot of the victim's workstation. According to the researchers, the Echelon sample taken from the campaign uses a compressed.ZIP file to deliver passwords as well as other stolen data and screenshots back to a command-and-control server.

Critical Flaws Discovered in Linux that Enables DNS Cache Poisoning

 

Researchers at the University of California have unearthed security flaws in the DNS system that could leave vendors at risk of server attacks. 

The hackers can abuse the vulnerability by intercepting the connection from the DNS resolver to the nameserver, thus allowing them to change the server IP addresses linked to several web domains, researchers Keyu Man, Xin’an Zhou, and Zhiyun Qian wrote in a recently published research paper at the ACM CCS 2021 conference. 

"The attack allows an off-path attacker to inject a malicious DNS record into a DNS cache," University of California researchers stated. "SAD DNS attack allows an attacker to redirect any traffic (originally destined to a specific domain) to his own server and then become a man-in-the-middle (MITM) attacker, allowing eavesdropping and tampering of the communication." 

The central to the assault is how Linux manages DNS queries on servers, particularly Internet Control Message Protocol (ICMP) packets. The researchers discovered that these behaviors could be used to infer the User Datagram Protocol (UDP) port number between the resolver and nameserver, something that is otherwise randomized and seems impossible to guess. 

"Surprisingly, we uncover novel side channels that have been lurking in the Linux network stack for over a decade and yet were not previously known," the trio explained in their paper, adding that as much as 38% of DNS resolvers are susceptible to attacks.

However, researchers warned that Linux is not the only threat vector for this assault. "The side channels affect not only Linux but also a wide range of DNS software running on top of it, including BIND, Unbound, and dnsmasq." 

This particular research was based on a previous set of attacks the researchers uncovered and dubbed "SADDNS." The SADDNS research demonstrated how the rate limit on the UDP system could be used to infer the port for the nameserver connection. DNS cache poisoning was originally discovered by the late Dan Kaminsky in 2008. 

"In SADDNS, the key insight is that a shared resource, i.e., ICMP global rate limit shared between the off-path attacker and victim, can be leveraged to send spoofed UDP probes and infer which ephemeral port is used," researchers stated. "Unfortunately, it is unclear how many more such side channels exist in the network stack." 

To mitigate the risks, the researchers propose a number of solutions, such as randomizing the caching structure, rejecting ICMP redirect messages, and setting proper socket options such as IP_PMTUDISC_OMIT, which instructs an operating system to ignore so-called ICMP messages, and therefore completely mitigates the side channel-related processing in the kernel.

Threat Actors Deploy Linux Backdoor on Hacked E-Stores with Software Skimmer

 

Cybersecurity researchers have uncovered a new hacking strategy that deploys a Linux backdoor on hacked e-commerce servers and exfiltrates customers' personal information, including credit card details. 

According to Sansec researchers, the hackers started automated e-commerce attack probes, testing for dozens of vulnerabilities in e-commerce websites. As soon as one is spotted, the attackers use PHP-coded web skimmer to download and insert fake payment forms into the checkout pages that the hacked online business displays to clients. 

“We found that the attacker started with automated eCommerce attack probes, testing for dozens of weaknesses in common online store platforms. After a day and a half, the attacker found a file upload vulnerability in one of the store’s plugins. S/he then uploaded a web shell and modified the server code to intercept customer data,” the Sansec threat research team stated. 

The Golang-based malware, which was unearthed on the same site by Dutch cyber-security firm Sansec, was downloaded and executed on infiltrated servers as a linux_avp executable. Once deployed, it immediately removes itself from the disk and disguises itself as a "ps -ef" process that would be used to retrieve a list of presently active processes.

While examining the linux_avp backdoor, the researchers discovered that it waits for commands from a Beijing server on Alibaba’s network. Additionally, the malware can gain persistence by inserting a new crontab entry that would redownload the malicious payload from its command-and-control server and reinstall the backdoor if detected and removed or the server restarts. 

Unfortunately, this backdoor remains undetected by anti-malware engines on VirusTotal even though a sample was first uploaded more than one month ago, on October 8th. The uploader might be the linux_avp designer since it was submitted one day after researchers discovered it while examining the e-commerce site breach.

 “Curiously, one individual had submitted the same malware to Virustotal on Oct 8th with the comment test. This was just one day after the successful breach of our customer’s store. The person uploading the malware could very well be the malware author, who wanted to assert that common antivirus engines will not detect their creation,” said researchers.

BotenaGo Botnet is Targeting Millions of Routers and IoT Devices

 

A new botnet malware called BotenaGo has been discovered in the wild. The malware has the capability to exploit millions of susceptible IoT (Internet of Things) products and routers.

Discovered by AT&T labs, BotenaGo is designed using the Go programming language, which has been gaining popularity of late. Threat actors are using it for making payloads that are harder to detect and reverse engineer. 

According to Bleeping Computer, BotenaGo is flagged by only six out of the 62 antivirus engines on VirusTotal, with some falsely identifying it as the Mirai botnet. 

The botnet incorporates 33 exploits for a variety of routers, modems, and NAS devices, with some notable examples given below: 

  • CVE-2015-2051, CVE-2020-9377, CVE-2016-11021: D-Link routers
  •  CVE-2016-1555, CVE-2017-6077, CVE-2016-6277, CVE-2017-6334: Netgear devices 
  • CVE-2019-19824: Realtek SDK based routers 
  • CVE-2017-18368, CVE-2020-9054: Zyxel routers and NAS devices 
  • CVE-2020-10987: Tenda products 
  • CVE-2014-2321: ZTE modems 
  • CVE-2020-8958: Guangzhou 1GE ONU 

“To deliver its exploit, the malware first queries the target with a simple “GET” request. It then searches the returned data from the “GET” request with each system signature that was mapped to attack functions,” reads the blog post published by AT&T. 

“The string “Server: Boa/0.93.15” is mapped to the function “main_infectFunctionGponFiber,” which attempts to exploit a vulnerable target, allowing the attacker to execute an OS command via a specific web request (CVE-2020-8958).” 

The new botnet targets millions of devices with functions that exploit the above flaws, for example querying Shodan for the string Boa, which is a discontinued open-source web server used in embedded applications, and one that still returns nearly two million internet-facing devices on Shodan. Once installed, the malware will listen on the ports 31412 and 19412, the latter is used to receive the victim IP. Once a connection with information to that port is received, the bot will exploit each vulnerability on that IP address to gain access. 

Furthermore, the security researchers didn't discover an active C2 communication between BotenaGo and an actor-controlled server, these are possible scenarios hypothesized by the experts: 

1. The malware is part of a multi-stage modular malware attack, and it's not the one responsible for handling communications. 

2. BotenaGo is a new tool used by Mirai operators on specific machines that are known to them, with the attacker(s) operating the infected end-point with targets. 

3. The malware is still under development and was released in the wild accidentally.

North Korean Hackers Targeting Security Researchers with Trojanized IDA Pro

 

A North Korea-linked hacking group known as Lazarus is likely behind a compromised version of a popular IDA Pro reverse engineering application, in the second Democratic People's Republic of Korea (DPRK) assault against cybersecurity researchers discovered this year.

IDA Pro is an application that converts an executable file into assembly language, allowing cybersecurity experts and programmers to examine legitimate software for bugs and to determine malicious behavior. 

Due to its high cost, some researchers often download a pirated cracked version; as with any pirated software, there is always the risk of running malicious executables. This is exactly what ESET researcher Anton Cherepanov spotted in a compromised version of IDA Pro 7.5, distributed by the Lazarus hacker group. 

Threat actors inject two malicious DLLs named idahelp.dll and win_fw.dll into the IDA pro installer that will be launched when the program is installed. The win_fw.dll file manufactures a new task in the Windows Task Scheduler that executes the idahelper.dll program. 

The idahelper.dll will then link to the devguardmap[.]org site and install malicious payloads believed to be the NukeSped remote access trojan. The installed RAT will allow the cybercriminals to gain access to the security researcher's device to steal files, take screenshots, log keystrokes, or execute further commands. 

"Based on the domain and trojanized application, we attribute this malware to known Lazarus activity, previously reported by Google's Threat Analysis Group and Microsoft," ESET tweeted regarding connection to Lazarus.

A North Korean hacking group, tracked as Zinc by Microsoft, has a long history of targeting security researchers with backdoors and remote access trojans. Earlier this year in January, Google revealed that Lazarus designed a plot to launch a mass-scale social media campaign to create fake personas posing as vulnerability researchers. 

Using these personas, the hackers contact other security researchers regarding potential collaboration in vulnerability research. After establishing contact with a researcher, the hackers sent malicious Visual Studio projects with malware as prebuilt binaries. This includes the Comebacker dynamic link library (DLL) which attempts to perform privilege escalation for processes and the Klackring DLL that registers malicious services on the researcher's device. 

APT groups in North Korea are increasing with each passing day and are directly linked to the regime of Kim Jong Un. Lazarus is the largest and most prolific of those groups and is believed to be responsible for an attack on COVID-19 vaccine makers in December 2020, to steal intellectual property.

Links Detected Between MSHTML Zero-Day Attacks and Ransomware Operations

 

The exploitation of a recently fixed Windows zero-day vulnerability was attributed to known ransomware operators, according to Microsoft and threat intelligence firm RiskIQ.

The existence of the zero-day, called CVE-2021-40444, was revealed on September 7, when Microsoft released countermeasures and cautioned that the vulnerability had been exploited in targeted attacks using specially designed Office documents. 

The vulnerability connected to Office's MSHTML browser engine can and has been misused for remote code execution. As part of its Patch Tuesday updates, Microsoft delivered upgrades on September 14th. 

Microsoft announced the acquisition of RiskIQ in July and posted separate blog posts detailing the attacks exploiting CVE-2021-40444. 

The first exploitation efforts were discovered in mid-August. But Microsoft observed a massive spike in exploitation attempts when the proof-of-concept (PoC) code and other details were made public after the initial announcement. 

As per the company, several threat actors, including ransomware-as-a-service affiliates, have used the public PoC code, but some of the exploitation attempts are part of testing rather than criminal operations. 

The company initially saw less than ten exploitation attempts and leveraged CVE-2021-40444 to deliver custom Cobalt Strike Beacon loaders. Microsoft has identified the attackers as DEV-0413 — DEV is allotted to emerging threat groups or unusual activity. To deliver the malware, they apparently used emails referencing contracts and legal agreements to get the targets to open documents formatted to abuse the MSHTML vulnerability.

Surprisingly, the Cobalt Strike infrastructure utilised in the assaults has earlier been linked to cybercrime organisations known for targeting big corporations with ransomware like Conti and Ryuk. These threat actors are tracked as Wizard Spider (CrowdStrike), UNC1878 (FireEye), DEV-0193, and DEV-0365 (Microsoft).

RiskIQ stated in its blog post, “Despite the historical connections, we cannot say with confidence that the threat actor behind the zero-day campaign is part of WIZARD SPIDER or its affiliates, or is even a criminal actor at all, though it is possible. If the threat actors were part of these groups, it means they almost surely purchased the zero-day exploit from a third party because they have not previously shown the ability to develop exploit chains of this complexity.” 

The company added, “Instead, we assess with medium confidence that the goal of the operators behind the zero-day may, in fact, be traditional espionage. This goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.” 

RiskIQ states that the cyberspies could have gained access to the ransomware infrastructure, or they may have been allowed by the ransomware operators to utilise their infrastructure. Only one group might be involved in espionage and cybercrime, or the two groups use the same bulletproof hosting provider. 

According to Microsoft, the initial malicious document in attacks abusing CVE-2021-40444 emerges from the internet, and it should be labelled as the "mark of the web." 

Microsoft Office should open the document in Protected Mode unless the user specifically allows modification, limiting the misuse. However, if the attackers figure out a means to keep the document from being a “mark of the web,” they may utilise the vulnerability to execute the payload on the page without requiring user input.

Experts Discover Promotheus TDS, An Underground MaaS

 

Cybersecurity experts from Group-IB in its technical research on Promotheus TDS, an underground MaaS (Malware as a service), found that it has been providing service for distribution of various malware variants such as Campo Loader, Buer Loader, Qbot, Hancitor, IcedID, and SocGholish. Promotheus has been in aggressive use in underground forums since last year. It is a platform where one can send emails, perform social engineering and work along traffic. Besides this, TDS (Traffic Direction System) can also be used for web shell execution and redirecting creation and management, work using proxy, compatible with Google accounts, and also enable users against blacklists. 

Security Week reports "typical attack involving Prometheus TDS starts with a malicious email that either carries a HTML file to redirect the victim to a compromised site, a link to a web shell that performs a redirection. Once the victim follows the link, they are redirected to the Prometheus.Backdoor URL where their data is collected and sent to the Prometheus TDS admin panel, which decides how to serve the next stage." The service can be availed for $250 on a monthly basis. Besides providing distribution of malicious files, TDS is also used for redirecting victims to malicious and Phishing sites. 

The first campaign of Promotheus TDS was found in 2021, along with additional active campaigns, and a total of 3000 users have been found till date. TDS includes of an administrator panel that lets hackers to modify different parameters for malware campaigns, consisting download of malicious files, restricting geolocation, operating systems and browser. Third-party compromised sites are used as a leverage between victims and administrative panels. Experts found a PHP file named 'Promotheus' backdoor in one of these sites. 

It is built to steal user data and transmit it. "The service has been used to send malicious emails to more than 3,000 addresses to date. The most active campaign targeted individuals in Belgium (more than 2,000 emails), while the second largest attack targeted US entities (more than 260 emails targeting government agencies and organizations in sectors such as finance, insurance, healthcare, energy and mining, retail, IT, and cybersecurity)," said the Security Week.