Posts with label: Malicious Files

Free MortalKombat Ransomware Decryptor Released

Romanian cybersecurity firm Bitdefender has released a free, universal decryptor for MortalKombat, a recently discovered ransomware family. According to a recent Cisco Talos analysis, the ransomware has been used against dozens of victims in the United States, United Kingdom, Turkey, and the Philippines.

MortalKombat's operators send phishing emails with ZIP attachments containing a BAT loader script to indiscriminately chosen recipients. When the script runs, it downloads and executes the Laplas Clipper and the ransomware binaries on the machine.

MortalKombat is a variant of Xorist, a commodity ransomware family known since 2010. Xorist is distributed as a ransomware builder, which lets threat actors generate and customize their own variant of the malware. The MortalKombat decryptor is a standalone executable that needs no installation on affected devices. It offers to scan the entire filesystem for files encrypted by MortalKombat, and the user can optionally point it at a specific folder holding backed-up encrypted files.

Bitdefender also noted that the campaign deploys a clipboard-monitoring component (the Laplas Clipper) that specifically targets cryptocurrency users. The phishing emails refer to expired cryptocurrency payments and carry attachments that resemble CoinPayments transaction numbers but conceal the malware payload. Once launched, the loader downloads the ransomware, which encrypts all of the PC's files, including those in virtual machines and the Recycle Bin, and replaces the victim's desktop wallpaper with a Mortal Kombat 11 image, hence the name.

Cisco, referencing a PCrisk analysis, found a leaked version of the Xorist builder whose interface options closely mirror those of an actual Xorist ransomware builder. The builder produces an executable ransomware file that attackers can further customize. Notably, MortalKombat was used in recent attacks by an unidentified, financially motivated threat actor as part of a phishing campaign targeting multiple companies.
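The clipboard-swapping behaviour described above can be spotted from the host side. The following is an added example, not code from the article, Bitdefender, or Cisco: it replays a constructed clipboard history and flags a wallet address that was replaced by a different address of the same family within a short window, which is how a clipper such as Laplas operates. The address patterns, the two-second window, and the sample events are assumptions chosen for illustration.

```python
import re

# Address shapes a clipper typically watches for. Constructed for this example;
# a production detector would cover more chains and validate checksums.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),  # P2PKH / P2SH, base58
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$"),        # native segwit
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str):
    """Return the address family of `text`, or None if it is not a wallet address."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def is_lookalike(a: str, b: str, edge: int = 4) -> bool:
    """Clippers often pick a replacement that shares the first and last characters
    with the original, so a victim who eyeballs only the ends sees nothing wrong."""
    return a[:edge] == b[:edge] and a[-edge:] == b[-edge:]


def detect_swaps(events, window_s: float = 2.0):
    """Scan clipboard snapshots (timestamp_seconds, text) in order and flag cases
    where one wallet address was replaced by a different address of the same
    family within `window_s` seconds, something a user copying by hand does not do."""
    alerts = []
    prev_t, prev_text = None, None
    for t, text in events:
        if prev_text is not None:
            before, after = prev_text.strip(), text.strip()
            fam_before, fam_after = classify(before), classify(after)
            if (fam_before is not None and fam_before == fam_after
                    and before != after and t - prev_t <= window_s):
                alerts.append({
                    "family": fam_before,
                    "original": before,
                    "replacement": after,
                    "lookalike": is_lookalike(before, after),
                    "delta_s": t - prev_t,
                })
        prev_t, prev_text = t, text
    return alerts


# Constructed clipboard history for the demo: the second BTC address is the
# attacker-controlled replacement; the two ETH addresses are a legitimate user
# copying two different addresses ten minutes apart (no alert expected).
SAMPLE_EVENTS = [
    (0.0, "invoice #4821 - pay to the address below"),
    (1.0, "1BoatSLRHtKNngkdXEeobR76b53LETtpyT"),
    (1.4, "1BoatXgXq5NMeJ4a3kMpN3FqK9v8uTtpyT"),
    (60.0, "0x52908400098527886E0F7030069857D2E4169EE7"),
    (700.0, "0xde709f2102306220921060314715629080e2fb77"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"[{alert['family']}] {alert['original']} -> {alert['replacement']} "
              f"after {alert['delta_s']:.1f}s (lookalike={alert['lookalike']})")
```

In a real deployment the events would come from a clipboard hook or an EDR telemetry feed rather than a list; the detection logic is the same, and the lookalike flag is the strongest signal because ordinary re-copying almost never produces a different address with matching ends.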

Microsoft Fixes Two Zero-Day Vulnerabilities on December Patch Tuesday

Microsoft has patched 48 new flaws in its products, including one that attackers are actively exploiting and one that has been publicly disclosed but is not yet under active attack.

In its final monthly security update of the year, the company rated six of the vulnerabilities as critical, 43 as important, and three as moderate.

The update also rolls in fixes for 23 vulnerabilities in Google's Chromium, the browser engine Microsoft's Edge is built on, along with the out-of-band CVEs Microsoft fixed over the past month.

The actively exploited vulnerability

CVE-2022-44698, the vulnerability attackers are actively exploiting, is not among the more severe issues Microsoft fixed today; Microsoft rates it moderate. It lets an attacker bypass Windows SmartScreen, the security feature that warns users about potentially dangerous files downloaded from the Internet.

"An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging," Microsoft explained. 
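MOTW is the Zone.Identifier alternate data stream that browsers and other download handlers write on NTFS files saved from the web; Protected View and SmartScreen consult its ZoneId. The following check, added here as an example and not taken from Microsoft or the article, parses that stream and reports which files under a folder carry no tag at all, which is how a download that evaded MOTW tagging shows up. The sample stream text is constructed, and the zone threshold, status labels, and function names are the example's own.

```python
from pathlib import Path
from typing import Dict, List, Optional, Tuple
import sys

# Windows URL security zones as written to the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(text: str) -> Dict[str, object]:
    """Parse the INI-style contents of a Zone.Identifier stream.

    Returns the keys of the [ZoneTransfer] section with ZoneId converted to int.
    An empty dict means the stream carries no usable zone information."""
    fields: Dict[str, object] = {}
    in_zone_transfer = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_zone_transfer = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_zone_transfer and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    zone_id = fields.get("ZoneId")
    if zone_id is not None:
        try:
            fields["ZoneId"] = int(str(zone_id))
        except ValueError:
            del fields["ZoneId"]  # malformed ZoneId: treat as if no zone were recorded
    return fields


def motw_applies(fields: Dict[str, object]) -> bool:
    """True when Office Protected View and SmartScreen should treat the file as
    untrusted, i.e. it came from the Internet (3) or Restricted Sites (4) zone."""
    zone = fields.get("ZoneId", 0)
    return isinstance(zone, int) and zone >= 3


def read_motw(path) -> Optional[Dict[str, object]]:
    """Read the Zone.Identifier alternate data stream of an NTFS file.
    Returns None when the stream is absent, which is what a MOTW-bypassed download
    or a file extracted by a tool that does not propagate the tag looks like."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def audit_directory(directory) -> List[Tuple[str, str]]:
    """Classify every regular file in `directory` as 'no-motw', 'trusted-zone'
    or 'internet-zone'. 'no-motw' on a file that arrived from the web is the
    case worth investigating."""
    report = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        fields = read_motw(entry)
        if fields is None:
            status = "no-motw"
        elif motw_applies(fields):
            status = "internet-zone"
        else:
            status = "trusted-zone"
        report.append((entry.name, status))
    return report


# Constructed stream contents, in the form a browser writes for a file saved from the web.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/files/invoice.zip\r\n"
)

if __name__ == "__main__":
    fields = parse_zone_identifier(SAMPLE_STREAM)
    print(f"zone {fields['ZoneId']} ({ZONE_NAMES[fields['ZoneId']]}), "
          f"Protected View applies: {motw_applies(fields)}")
    if len(sys.argv) > 1:  # e.g. python motw_audit.py %USERPROFILE%\Downloads
        for name, status in audit_directory(sys.argv[1]):
            print(f"{status:14} {name}")
```

The stream can only be read on NTFS under Windows; on other filesystems, or for a file whose tag was stripped, `read_motw` returns None, and the audit deliberately reports that as the suspicious case rather than silently treating the file as trusted.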

According to Kevin Breen, director of cyber-threat research at Immersive Labs, CVE-2022-44698 on its own poses only limited danger to enterprises. "It has to be used in partnership with an executable file or other malicious code like a document or script file. In these situations, this CVE bypasses some of Microsoft's built-in reputation scanning and detection — namely SmartScreen, which would normally pop up to tell a user the file may not be safe."

Even so, Breen advises organizations to patch quickly and not to underestimate the threat.

The second zero-day, CVE-2022-44710, is an elevation-of-privilege flaw in the DirectX Graphics kernel that Microsoft lists as publicly known but not yet actively exploited. The company rates it "important"; successful exploitation would give an attacker SYSTEM-level privileges. Microsoft also notes that exploitation is less likely.

Other vulnerabilities to patch now

Trend Micro's Zero Day Initiative (ZDI) singled out three further vulnerabilities in the December Patch Tuesday update: CVE-2022-44713, CVE-2022-41076, and CVE-2022-44699.

CVE-2022-44713 is a spoofing flaw in Microsoft Outlook for Mac. It could let an attacker impersonate a trusted user and convince a victim that an email came from that user.

ZDI's head of threat awareness, Dustin Childs, wrote in a blog post: "we don't often highlight spoofing bugs, but anytime you're dealing with a spoofing bug in an email client, you should take notice." Chained with the actively exploited SmartScreen MOTW bypass, the flaw could prove particularly dangerous.

CVE-2022-41076 is a PowerShell remote code execution (RCE) flaw that lets an authenticated attacker bypass the PowerShell Remoting Session Configuration and run arbitrary commands on a vulnerable system, Microsoft said.

Although the attack complexity is high, Microsoft judges the vulnerability more likely to be exploited. Organizations should pay attention to it, Childs said, because it is the kind of bug attackers routinely use to "live off the land" once they have initial access to a network.

Uncertain bug count 

Notably, security vendors disagreed on how many vulnerabilities Microsoft patched this month: ZDI counted 52; Talos 48; SANS 74; and Action1 initially 74 before revising its count to 52.

The discrepancy, according to Johannes Ullrich, dean of research at the SANS Technology Institute, comes down to the different methodologies used to count vulnerabilities. For instance, some include the Chromium vulnerabilities while others do not.

Some, such as SANS, also count the security advisories that sometimes accompany Microsoft's updates. Others exclude the out-of-band patches Microsoft issues during the month, which Microsoft folds into the next Patch Tuesday tally.

"The patch count can sometimes be confusing, as the Patch Tuesday cycle is technically November to December, so this will also include patches that were released out of band earlier in the month, and can also include updates from third-party vendors," Breen added. "The most notable of these are patches from Google from Chromium, which is the base for Microsoft's Edge browser." 

By Breen's count, 74 vulnerabilities have been fixed since November's Patch Tuesday: 51 from Microsoft and 23 from Google for the Edge browser. "If we exclude both the out-of-band and Google Chromium [patches], 49 patches for vulnerabilities were released today," he concluded.

A Microsoft spokesperson said the number of new CVEs for which the company issued patches today was 48.