Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Malware Detection. Show all posts

JPCERT Shares Tips for Detecting Ransomware Attacks Using Windows Event Logs

 

Japan’s Computer Emergency Response Center (JPCERT/CC) recently revealed strategies to detect ransomware attacks by analyzing Windows Event Logs, offering vital early detection before the attack spreads. JPCERT’s insights focus on identifying digital traces left behind by ransomware within four key types of event logs: Application, Security, System, and Setup logs. These logs reveal valuable clues about the entry points used by attackers and can assist in quicker mitigation. Ransomware attacks often target system vulnerabilities and attempt to encrypt files, delete backups, or modify network settings, leaving detectable traces within the event logs. 

For example, the notorious Conti ransomware can be recognized by multiple event logs connected to the Windows Restart Manager, showing event IDs 10000 and 10001. Other ransomware variants like Akira, Lockbit3.0, and HelloKitty, which share similar encryptor technology, leave comparable logs. Additionally, ransomware such as Phobos records when system backups are deleted, a key indicator of malicious activity. Detecting these logs promptly allows administrators to intervene before damage escalates. Midas ransomware, known for spreading infection via network changes, logs event ID 7040. Similarly, BadRabbit leaves event ID 7045 when installing its encryption component, while Bisamware logs events during the beginning and end of a Windows Installer transaction (event IDs 1040 and 1042). 

Other ransomware strains, like Shade, GandCrab, and Vice Society, create errors related to accessing COM applications and deleting Volume Shadow Copies, which are pivotal for restoring encrypted data. JPCERT’s findings illustrate that monitoring for these specific event IDs in combination with a broader security framework could be a game-changer in ransomware defense. Though older ransomware variants like WannaCry and Petya left no such traces in Windows logs, modern ransomware often does. As a result, tracking these logs offers an effective layer of protection against new threats, helping to prevent encryption and data loss. 

It is important to note that no single method of detection is foolproof. A multi-layered approach that combines monitoring event logs with other security tools and protocols remains crucial for protecting systems from ransomware attacks. By using this event log analysis strategy, organizations can significantly reduce the chances of ransomware spreading undetected, giving them the edge in stopping an attack before it cripples their network.

Godfather Banking Trojan Multiplies, Spreading to 1.2K Variants in 57 Nations

 

Over a thousand variants of the Godfather mobile banking Trojan have been detected in numerous countries worldwide, targeting a wide array of banking applications.

Initially uncovered in 2022, Godfather has emerged as a pervasive malware-as-a-service tool in cybercrime circles, particularly within mobile cybercrime. 

According to Zimperium's 2023 "Mobile Banking Heists Report," Godfather had been focusing on 237 banking apps spanning across 57 countries as of late last year. Its operators redirected stolen financial data to at least nine countries, mainly in Europe and the US. To counteract potential disruptions from security software, the developers of Godfather have been automatically generating new variants for their clients at a remarkable pace.

This trend isn't limited to Godfather alone. Nico Chiaraviglio, Zimperium's chief scientist, warns of a broader escalation in mobile malware campaigns. He notes the emergence of a massive mobile malware family, still undisclosed, boasting over 100,000 distinct samples in circulation. This proliferation represents a significant shift in the mobile threat landscape, indicating a move towards more expansive and sophisticated attacks.

The surge in mobile malware diversity poses a considerable challenge for security measures, particularly those reliant on signature-based detection. Unlike desktop security, where antivirus software is widely adopted, mobile protection remains underutilized, leaving a substantial portion of devices vulnerable. With mobile threats rapidly evolving and diversifying, traditional antivirus programs struggle to keep pace due to the sheer volume and variation of malware samples.

Chiaraviglio suggests that adaptive security solutions, leveraging techniques like code reuse analysis and behavioral analysis powered by artificial intelligence (AI), offer promising avenues for combating this evolving threat landscape. 

By focusing on malware behavior rather than specific code signatures, these solutions can potentially mitigate the impact of constantly evolving malware variants. However, he acknowledges that this is an ongoing challenge, as threat actors continually adapt their tactics to evade detection, potentially leading to the rise of more sophisticated polymorphic malware in the mobile sphere.

Email Security Vulnerabilities: Shocking Gaps in Malware Detection

Email Security Vulnerabilities: Shocking Gaps in Malware Detection

In an era where digital communication dominates, email remains a fundamental tool for personal and professional correspondence. However, recent research by web browser security startup SquareX has exposed alarming vulnerabilities in email security. 

The study, titled “Security Bite: iCloud Mail, Gmail, Others Shockingly Bad at detecting malware, Study Finds,” highlights the shortcomings of popular email service providers in safeguarding users from malicious attachments.

The State of Email Security

1. The Persistent Threat of Malicious Attachments

  • Despite advancements in cybersecurity, email attachments continue to be a prime vector for malware distribution.
  • Malicious attachments can carry viruses, trojans, ransomware, and other harmful payloads.
  • Users often unknowingly open attachments, leading to compromised devices and data breaches.

2. The SquareX Study

Researchers collected 100 malicious document samples, categorized into four groups:

  • Original Malicious Documents from Malware Bazaar
  • Slightly Altered Malicious Documents from Malware Bazaar (with changes in metadata and file formats)
  • Malicious Documents modified using attack tools
  • Basic Macro-enabled Documents that execute programs on user devices

These samples were sent via Proton Mail to addresses on iCloud Mail, Gmail, Outlook, Yahoo! Mail, and AOL.

3. Shockingly Bad Detection Rates

The study’s findings were alarming:

  • iCloud Mail and Gmail failed to deliver any of the malicious samples. Their malware detection mechanisms worked effectively.
  • Outlook, Yahoo! Mail, and AOL delivered the samples, leaving users potentially exposed to threats.

Implications and Recommendations

1. User Awareness and Caution

  • Users must exercise caution when opening email attachments, even from seemingly legitimate sources.
  • Educate users about the risks associated with opening attachments, especially those from unknown senders.

2. Email Providers Must Step Up

  • Email service providers need to prioritize malware detection.
  • Regularly update and enhance their security protocols to prevent malicious attachments from reaching users’ inboxes.
  • Collaborate with cybersecurity experts to stay ahead of evolving threats.

3. Multi-Layered Defense

Implement multi-layered security measures:

  • Attachment Scanning: Providers should scan attachments for malware before delivery.
  • Behavioral Analysis: Monitor user behavior to detect suspicious patterns.
  • User Training: Educate users about phishing and safe email practices.

4. Transparency and Reporting

  • Email providers should transparently report their detection rates and improvements.
  • Users deserve to know how well their chosen service protects them.

What next?

Always think before you click. The SquareX study serves as a wake-up call for email service providers. As the digital landscape evolves, robust email security is non-negotiable. Let’s bridge the gaps, protect users, and ensure that our inboxes remain safe havens rather than gateways for malware.

China Caught Deploying Remote Access Trojan Tailored for FortiGate Devices

 

The Military Intelligence and Security Service (MIVD) of the Netherlands has issued a warning regarding the discovery of a new strain of malware believed to be orchestrated by the Chinese government. Named "Coathanger," this persistent and highly elusive malware has been identified as part of a broader political espionage agenda, targeting vulnerabilities in FortiGate devices.

In a recent advisory, MIVD disclosed that Coathanger was employed in espionage activities aimed at the Dutch Ministry of Defense (MOD) in 2023. Investigations into the breach revealed that the malware exploited a known flaw in FortiGate devices, specifically CVE-2022-42475.
Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. 
Unlike some malware that relies on new, undisclosed vulnerabilities (zero-day exploits), Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. However, the advisory emphasizes that it could potentially be used in conjunction with future vulnerabilities in FortiGate devices.

Described as stealthy and resilient, Coathanger evades detection by concealing itself through sophisticated methods, such as hooking system calls to evade detection. It possesses the capability to survive system reboots and firmware upgrades, making it particularly challenging to eradicate.

According to Dutch authorities, Coathanger is just one component of a larger-scale cyber espionage campaign orchestrated by Chinese state-sponsored threat actors. These actors target various internet-facing edge devices, including firewalls, VPN servers, and email servers.

The advisory issued by Dutch intelligence underscores the aggressive scanning tactics employed by Chinese threat actors, who actively seek out both disclosed and undisclosed vulnerabilities in edge devices. It warns of their rapid exploitation of vulnerabilities, sometimes within the same day they are made public.

Given the popularity of Fortinet devices as cyberattack targets, businesses are urged to prioritize patch management. Recent reports from Fortinet highlighted the discovery of two critical vulnerabilities in its FortiSIEM solution, emphasizing the importance of prompt patching.

To mitigate the risk posed by Coathanger and similar threats, intelligence analysts recommend conducting regular risk assessments on edge devices, restricting internet access on these devices, implementing scheduled logging analysis, and replacing any hardware that is no longer supported.

LummaC2 Malware Introduces Innovative Anti-Sandbox Technique Utilizing Trigonometry

 

The LummaC2 malware, also known as Lumma Stealer, has introduced a novel anti-sandbox technique that utilizes trigonometry to avoid detection and steal valuable information from infected hosts. Outpost24 security researcher Alberto Marín highlighted this method, stating that it aims to delay the activation of the malware until human mouse activity is identified.

Originally written in the C programming language, LummaC2 has been available on underground forums since December 2022. Subsequent updates have made it more resistant to analysis through techniques like control flow flattening, and it now has the capability to deliver additional payloads.

In its current iteration (v4.0), LummaC2 mandates the use of a crypter by its customers to enhance concealment and prevent the leakage of its raw form.

A significant enhancement involves the utilization of trigonometry to identify human behavior on the compromised endpoint. Marín explained that this technique observes various cursor positions within a short time frame to effectively detect human activity, thereby thwarting detonation in analysis systems that lack realistic mouse movement emulation.

To achieve this, LummaC2 captures the cursor position five times after a predefined sleep interval of 50 milliseconds. It then checks if each captured position differs from its predecessor, repeating the process until all consecutive cursor positions differ. Once these positions meet the requirements, LummaC2 treats them as Euclidean vectors, calculating the angles formed between two consecutive vectors. If all calculated angles are below 45º, LummaC2 v4.0 perceives it as 'human' mouse behavior and proceeds with execution. If any angle exceeds 45º, the malware restarts the process by ensuring mouse movement in a 300-millisecond period and capturing five new cursor positions.

This development coincides with the emergence of new information stealers and remote access trojans like BbyStealer, Trap Stealer, Predator AI, Epsilon Stealer, Nova Sentinel, and Sayler RAT, designed to extract sensitive data from compromised systems.

Predator AI, a actively maintained project, stands out for its capability to attack popular cloud services like AWS, PayPal, Razorpay, and Twilio. It has also incorporated a ChatGPT API for user convenience, as noted by SentinelOne earlier this month.

Marín emphasized that the malware-as-a-service (MaaS) model remains the preferred method for emerging threat actors to conduct complex and lucrative cyberattacks. Information theft, particularly within the realm of MaaS, poses a significant threat, leading to substantial financial losses for both organizations and individuals.

Endpoint Antivirus Detection Has Reached its Apex

 

Endpoint security is a term used to describe cybersecurity services provided to network endpoints, it included providing  Antivirus, email filtering, online filtering, and firewall services. Businesses rely on endpoint security to protect vital systems, intellectual property, customer details, employees, and visitors from ransomware, phishing, malware, and other threats. 

"While the total volume of cyberattacks decreased slightly, malware per device increased for the first period since the pandemic began," said Corey Nachreiner, CSO at WatchGuard. "Zero-day malware increased by only 3% to 67.2 percent in Q3 2021, and malware delivered via Transport Layer Security (TLS) increased from 31.6 percent to 47 percent." 

As consumers update to newer versions of Microsoft Windows and Office, cybercriminals are focused on fresh vulnerabilities — versions of Microsoft's widely used programs. CVE-2018-0802, which exploits a weakness in Microsoft Office's Equation Editor, cracked WatchGuard's top 10 entryway antivirus malware list in Q3, reaching number 6 after appearing on the widespread malware list.

In addition, two Windows software injectors (Win32/Heim.D and Win32/Heri) ranked first and sixth, on the most detected list. In Q3, the Americans were the focus of 64.5 percent of network attacks, compared to 15.5 percent for Europe and 15.5 percent for APAC (20 percent ). 

Following three-quarters of more than 20% increase, a reduction of 21% brought volumes back to Q1 levels. The top ten network attack signatures are responsible for the majority of attacks – The top 10 signatures were responsible for 81 percent of the 4,095,320 hits discovered by IPS in Q3. In fact, 'WEB Remote File Inclusion /etc/passwd' (1054837), which targets older, commonly used Microsoft Internet Information Services (IIS) web servers, was the only new signature in the top ten in Q3. One signature (1059160), a SQL injection, has remained at the top of the list since the second quarter of 2019. 

From application flaws to script-based living-off-the-land attacks, even those with modest skills may use scripting tools like PowerSploit and PowerWare, there were also 10% additional attack scripts than there were in all of 2020, a 666 percent raise over the previous year. 

In total, 5.6 million harmful domains were blocked in the third quarter, including many new malware domains attempting to install crypto mining software, key loggers, and wireless access trojans (RATs), as well as SharePoint sites harvesting Office365 login information. The number of blacklisted domains is down 23% from the past quarter, it is still several times greater than the level seen in Q4 2020.

Ransomware attacks reached 105 percent of 2020 output by the end of September, as expected after the previous quarter, and are on track to exceed 150 percent after the entire year of 2021 data is analyzed. 

According to WatchGuard's investigation, attackers operating with the REvil ransomware-as-a-service (RaaS) operation exploited three zero-day vulnerabilities in Kaseya VSA Remote Monitoring and Management (RMM) applications to deliver ransomware to more than 1,500 organizations and potentially millions of endpoints.

Google Play Protect Fails Malware Detection Test by AV-TEST

 

The integrated malware defense mechanism of Google has yet failed again in an Antivirus Lab Test conducted by AV-TEST, which was a rigorous real-world security test. Between January 2021 and June 2021, the play store ranked lowest amongst all the 15 security Android apps examined. 

A test comprising of 15 safety apps on Android devices reported that the system detected only two-thirds of 20,000 harmful apps. Unlike Google Play Protect, the detection rate of applications from firms such as Bitdefender, McAfee, NortonLifeLock, and Trend Micro came out to be as high as 100%. 

During Google I/O in May 2017, Google unveiled Android mobile threat prevention, which works constantly for scanning more than 100 billion apps every day. Google Play Protect is used on billions of devices ever since, and today provides integrated malware security on more than 2.5 billion Android apps. 

In 2017 Google rolled out Google Play Protect, which helped decrease a large number of vulnerability cases on Android in 2018. Nevertheless, recent studies have shown that although Google Play Protect is installed by default, several malware applications might still target consumers. 

Google Play Protect features device capabilities that help maintain security for devices and data. These on-device services include cloud-based elements that enable Google to upgrade its performance consistently. 

Whereas every program that's loaded and opened on the smartphone is continually running and screening, "the endurance test revealed that this service does not provide particularly good security: every other security app offers better protection than Google Play Protect." 

The safety apps had to uncover more than 3,000 new malware samples including 3,000 existing malware samples, each one month old, in complex testing sessions. The AV-TEST reports that only the five programs – Bitdefender, G DATA, McAfee, NortonLifeLock, and Trend Micro – were in real-time able to identify malware with 100% precision. 

In real-time testing and reference set testing, Google Play Protect could only filter 68.8% of harmful apps from 76.6%. However, Ikarus also scored better than Google Play Protect for security, the lowest-rated third-party security app. 

Google didn't perform very well in respect to inaccuracies in malicious application detection. It found 70 applications to be unsafe, with approximately 10,000 more harmless applications for random testing. 

The best approach to be safe is to have one of the Android device's best-rated third-party apps. It is not a prudent option to rely solely on the Google Play Protect, as this exhaustive test by the AV-TEST demonstrates.