
North Korean Links: Lazarus Group Strikes Again. This time via Unpatched Software Flaws

North Korean hackers spreading malware through legit software

North Korean hackers are spreading malware by exploiting known flaws in legitimate software. In a new campaign discovered by Kaspersky researchers, the Lazarus group targets an older version of an undisclosed software product whose vulnerabilities have been documented and for which fixes are available.

Even though the vulnerabilities had been disclosed and patched, this new advanced persistent threat campaign, which attacks companies worldwide, exploited known flaws in a previous version of the unnamed software, a product used to encrypt web connections via digital certificates.

Threat actors used software to gain entry points

According to Kaspersky, the Lazarus hackers exploited the insecure software, which is used to encrypt web communication with digital certificates, as an entry point to breach organizations.

North Korea uses "cyber intrusions to conduct both espionage and financial crime in order to project power and finance both their cyber and kinetic capabilities," according to research by Google's Mandiant threat intelligence department. 

UN alleges North Korean links

Under Kim Jong Un's leadership, the DPRK is linked to a variety of state-sponsored hacking teams, at home and abroad, that conduct espionage against allies, opponents and defectors, hack banks and steal cryptocurrency. The UN has previously accused North Korea of using stolen assets to fund the country's long-range missile and nuclear weapons programs and to entice the country's officials.

To control victims, the hackers used SIGNBT malware and the infamous LPEClient tool, which experts have seen in attacks targeting defense contractors, nuclear engineers and the cryptocurrency sector, and which also appeared in the 3CX supply chain attack. "This malware acts as the initial point of infection and plays a crucial role in profiling the victim and delivering the payload," said experts.

According to Kaspersky, the developer of the unnamed software had previously been targeted by Lazarus. The report says this repeated breach indicates a determined and persistent threat actor whose likely goal is to compromise important source code or interfere with the software supply chain.

A deep look into the malware

According to Kaspersky experts, in mid-July they noticed an increasing number of attacks on many victims using the vulnerable software, and they discovered post-exploitation activity within the legitimate software's processes.

To establish and maintain persistence on compromised machines, the threat actor used a variety of techniques, including creating a file called ualapi.dll in the system folder, which the spoolsv.exe process loads by default at each system boot. According to the experts, the Lazarus hackers also created registry entries that run legitimate files for malicious side-loading, ensuring a durable persistence mechanism.
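The two persistence tricks described above (a dropped ualapi.dll that spoolsv.exe loads at boot, and autorun registry entries that launch a legitimate binary for side-loading) are what an endpoint detection rule should watch for. The following is an added example, not Kaspersky's code: detection logic run over constructed Sysmon-style events. The sample events, the Sysmon event IDs used (11 file create, 7 image load, 13 registry value set), the specific autorun keys and the "trusted writer path" heuristic are assumptions made for this example, not indicators from the reported intrusion.

```python
"""Added example (not Kaspersky's code): detection logic for the two
persistence tricks described in the article, run over constructed
Sysmon-style events. Event IDs: 11 = file create, 7 = image load,
13 = registry value set. Sample events and the autorun heuristic are
assumptions for this example, not indicators from the intrusion."""
import ntpath

SYSTEM_DIR = r"c:\windows\system32"     # the "system folder" from the article
HIJACK_DLL = "ualapi.dll"               # name spoolsv.exe looks for at boot
# Autostart keys whose modification by an unusual process is worth reviewing
# (assumption: the article does not name the keys Lazarus used).
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
TRUSTED_WRITER_PREFIXES = ("c:\\windows\\", "c:\\program files")

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\ualapi.dll"},
    {"id": 7, "image": r"C:\Windows\System32\spoolsv.exe",
     "loaded": r"C:\Windows\System32\ualapi.dll", "signed": False},
    {"id": 7, "image": r"C:\Windows\System32\spoolsv.exe",
     "loaded": r"C:\Windows\System32\localspl.dll", "signed": True},
    {"id": 13, "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\ProgramData\Vendor\signed_host.exe"},
    {"id": 13, "image": r"C:\Windows\regedit.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]


def find_persistence(events):
    """Return one alert string per event that matches a persistence pattern."""
    alerts = []
    for ev in events:
        if ev["id"] == 11:
            path = ev["target"].lower()
            # Any write of ualapi.dll into System32 is suspect: the file is not
            # part of a default install, yet the spooler will load it at boot.
            if ntpath.basename(path) == HIJACK_DLL and ntpath.dirname(path) == SYSTEM_DIR:
                alerts.append(f"phantom DLL written: {ev['target']} by {ev['image']}")
        elif ev["id"] == 7:
            loader = ntpath.basename(ev["image"]).lower()
            if loader == "spoolsv.exe" and ntpath.basename(ev["loaded"]).lower() == HIJACK_DLL:
                alerts.append(f"spoolsv.exe loaded {ev['loaded']} (signed={ev['signed']})")
        elif ev["id"] == 13:
            key = ev["key"].lower()
            writer = ev["image"].lower()
            # Autorun entries pointing at a legitimate binary are how side-loading
            # is made persistent; flag those set by processes outside trusted paths.
            if any(k in key for k in AUTORUN_KEYS) and not writer.startswith(TRUSTED_WRITER_PREFIXES):
                alerts.append(f"autorun entry {ev['key']} -> {ev['details']} set by {ev['image']}")
    return alerts


if __name__ == "__main__":
    for line in find_persistence(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Running the script against the constructed events produces three alerts (the DLL write, the spooler loading it, and the autorun entry set from a Temp directory) and stays silent on the spooler's normal localspl.dll load and the OneDrive entry written by regedit. In real telemetry the DLL-write rule is the high-confidence one; the autorun heuristic is a triage filter and needs tuning per environment.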

Lazarus used that malware loader to deliver additional malware to victim computers, such as LPEClient and credential-dumping applications. The tool extracts victim data and downloads additional payloads from a remote server for execution in memory.

As the experts noted previously, it now uses advanced tactics to improve stealth and evade detection, such as disabling user-mode syscall hooking and restoring sections of system library memory.

Fraudulent KeePass Site Uses Google Ads and Punycode to Transfer Malware

A Google Ads campaign was discovered promoting a phoney KeePass download site that delivered malware by impersonating the real KeePass domain using Punycode.

Google has confirmed that it is dealing with an ongoing malvertising campaign in which hackers take out sponsored ads that appear above search results. In this campaign, Google Ads can also be abused to display the official KeePass domain (https://www.keepass.info) in the advertisements, making it difficult for even the most vigilant and security-conscious users to spot the problem.

Victims who click the malicious links pass through a series of system-profiling redirections that filter out bot traffic and sandboxes, as illustrated below.

Malwarebytes, which identified this campaign, points out that using Punycode for cybercrime is nothing new. Combined with Google Ads abuse, however, it may indicate a new and risky pattern in the industry.

Punycode Trick

Punycode is an encoding scheme for representing Unicode characters in ASCII; it lets hostnames written in non-Latin scripts be translated into a form the DNS (Domain Name System) can handle.

For instance, "München" will be converted to "Mnchen-3ya," "α" becomes "mxa," "правда" will be "80aafi6cg," and "도메인" will become "hq1bm8jm9l."

Threat actors abuse Punycode by swapping a single Unicode character into a domain name that is otherwise identical to a legitimate website's, so that the result looks only slightly different.

These attacks are known as "homograph attacks." Malwarebytes found the threat actors using the Punycode domain "xn--eepass-vbb.info", which renders as "ķeepass.info": the project's actual domain, keepass.info, but with a small mark beneath the "k".

Although most users who visit the decoy site are unlikely to notice this small visual flaw, it clearly illustrates the approach taken here.
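The Punycode conversions quoted above, the decoding of the advertised domain, and a simple defensive check for this kind of lookalike can all be shown with Python's built-in `punycode` and `idna` codecs. The block below is an added example, not code from Malwarebytes or the KeePass project; the allowlist of trusted domains and the diacritic-stripping "skeleton" comparison are assumptions made for the example.

```python
"""Added example (not from Malwarebytes or the KeePass project): Punycode
round-trips for the strings quoted in the article, decoding of the lookalike
domain, and a simple homograph check against an allowlist of trusted domains.
The allowlist and the diacritic-stripping "skeleton" are assumptions made
for this example."""
import unicodedata
from typing import Iterable, Optional


def to_punycode(label: str) -> str:
    """Bare Punycode of one label, as quoted in the article (no xn-- prefix)."""
    return label.encode("punycode").decode("ascii")


def to_idna(hostname: str) -> str:
    """What the DNS sees: every non-ASCII label becomes xn--<punycode>."""
    return hostname.encode("idna").decode("ascii")


def from_idna(hostname: str) -> str:
    """Render an ACE (xn--) hostname the way a browser address bar might."""
    return hostname.encode("ascii").decode("idna")


def skeleton(hostname: str) -> str:
    """Drop diacritics and other combining marks so a decorated lookalike
    collapses onto the plain ASCII name it imitates. This is a deliberately
    small approximation of the Unicode confusables skeleton."""
    decomposed = unicodedata.normalize("NFKD", hostname.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def homograph_of(hostname: str, allowlist: Iterable[str]) -> Optional[str]:
    """Return the trusted domain that `hostname` visually imitates, or None
    when it is the genuine domain or simply unrelated."""
    trusted = set(allowlist)
    shown = from_idna(hostname) if "xn--" in hostname else hostname
    if shown in trusted:
        return None
    sk = skeleton(shown)
    for legit in trusted:
        if sk == skeleton(legit):
            return legit
    return None


if __name__ == "__main__":
    for word in ("München", "α", "правда", "도메인"):
        print(f"{word!r} -> {to_punycode(word)}")
    ace = "xn--eepass-vbb.info"          # the ad's domain, as quoted in the article
    print(ace, "renders as", from_idna(ace))
    print("imitates:", homograph_of(ace, ["keepass.info"]))
    print("keeqass.info imitates:", homograph_of("keeqass.info", ["keepass.info"]))
```

The four sample strings produce exactly the Punycode labels quoted above, and decoding "xn--eepass-vbb.info" yields a domain whose skeleton matches keepass.info, so the check reports it as a homograph of the real site. Note the limitation: a plain typosquat such as "keeqass.info" has a different skeleton and is not caught by this check, which is why homograph detection needs to be paired with other controls (edit-distance checks, allowlisting, or simply bookmarking the real download page).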

The digitally signed MSIX installer 'KeePass-2.55-Setup.msix', downloaded by anyone who clicks a download link on the fake site, contains a PowerShell script associated with the FakeBat malware loader.

Although Google has taken down the original Punycode advertisement, several other KeePass ads from the same malware campaign remain active.

That advertisement leads to a domain named 'keeqass[.]info', which serves the same MSIX file containing the identical FakeBat PowerShell script to download and install malware on the Windows device, just as the Punycode domain does.

When executed, the FakeBat PowerShell script downloads a GPG-encrypted RAR archive, decrypts it and extracts it to the %AppData% folder.

In the file analyzed by BleepingComputer, the script then launches a file called 'mergecap.exe' from the archive.

According to an Intel471 report from early 2023, FakeBat is a malware loader/dropper tied to malvertising activity since at least November 2022.

While Malwarebytes was unable to identify the final malware payload delivered in the campaign, a Sophos report from July 2023 links FakeBat to infostealers such as RedLine, Ursnif and Rhadamanthys.