Hackers Use Avast Bug to Shut Down Security Tools

A recently discovered campaign of cyberattacks makes use of a vulnerable Avast Anti-Rootkit driver to disable system security mechanisms and gain full control over target machines. With this, hackers can successfully avoid detection by security tools and thus pose a severe threat to users and organizations.


Exploiting a Vulnerable Driver

The campaign leverages the so-called "bring-your-own-vulnerable-driver" (BYOVD) technique: an old, vulnerable version of Avast's Anti-Rootkit driver is loaded onto the victim machine. Because it runs in kernel mode, the driver gives the attackers access to essential parts of the system and lets them disable security defenses. The discovery was made by Trellix cybersecurity researchers.

The malware launching the attack, described as a variant of an AV Killer, drops the driver under the name ntfs.bin in the Windows user folder. It then uses the Service Control tool (sc.exe) to register and start a service named aswArPot.sys that loads the vulnerable driver.


Targeting Security Processes

After installing the driver, the malware scans the system against a hardcoded list of 142 process names associated with popular security tools. The list includes software from major vendors such as McAfee, Sophos, Trend Micro, Microsoft Defender, and ESET. When it finds a match, the malware issues commands to the driver to terminate the matching security process, effectively disabling the system's defenses.


Track of Previous Attacks

Abuse of the Avast driver in this way has been seen in past attacks. In 2021, researchers found the same driver being used by Cuba ransomware to disable security tools on victim systems. Trend Micro also observed this technique while studying AvosLocker ransomware in early 2022.

Adding to the risks, SentinelLabs identified two severe vulnerabilities (CVE-2022-26522 and CVE-2022-26523) in the Avast Anti-Rootkit driver. These flaws, present since 2016, allowed attackers to escalate privileges and disable security measures. Avast addressed these vulnerabilities in 2021 through security updates, but outdated versions of the driver remain exploitable.  


What Should One Do?

To protect against such attacks, security professionals advise putting blocking rules in place based on the digital signatures or hashes of the malicious components. Microsoft also provides solutions to this end, such as the vulnerable driver blocklist policy, which is enabled automatically on Windows 11 2022 and later devices. Organizations can further bolster protection by using Microsoft's App Control for Business to ensure systems are protected from driver-based exploits.


This campaign shows that outdated drivers remain a persistent risk, and that proactive security measures are needed to counter advanced attacks.
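As an added defender-side illustration (not code from the original post or from Trellix), the following Python checks service-installation records for the staging pattern described above: a kernel-mode driver registered as a service whose image sits under a user profile folder or lacks a .sys extension, or whose name matches the aswArPot.sys / ntfs.bin names reported. The log lines are constructed, and the key=value field names are assumed to mirror the fields of Windows Event ID 7045.

```python
import re

# Constructed sample of Windows System log "A service was installed" (Event ID 7045)
# records, flattened to one key=value line each; not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=7045 ServiceName=aswArPot.sys ImagePath=C:\Users\alice\ntfs.bin "
    r"ServiceType=kernel mode driver StartType=demand start",
    r"EventID=7045 ServiceName=WinDefend ImagePath=C:\Program Files\Windows Defender\MsMpEng.exe "
    r"ServiceType=user mode service StartType=auto start",
    r"EventID=7045 ServiceName=e1dexpress ImagePath=C:\Windows\System32\drivers\e1d68x64.sys "
    r"ServiceType=kernel mode driver StartType=demand start",
    r"EventID=4688 ProcessName=C:\Windows\System32\sc.exe",  # not a service install; ignored
]

# Service and file names taken from the Trellix findings described above.
KNOWN_ABUSED_NAMES = {"aswarpot.sys", "ntfs.bin"}
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # values may contain spaces


def parse_event(line):
    """Split a flattened key=value record into a dict."""
    return dict(FIELD.findall(line))


def assess(event):
    """Reasons a 7045 event looks like BYOVD driver staging; empty list if benign."""
    reasons = []
    if event.get("EventID") != "7045":
        return reasons
    if "kernel mode driver" not in event.get("ServiceType", "").lower():
        return reasons  # user-mode services are out of scope for this rule
    path = event.get("ImagePath", "")
    name = event.get("ServiceName", "").lower()
    basename = path.rsplit("\\", 1)[-1].lower()
    if USER_PROFILE.match(path):
        reasons.append("kernel driver image located under a user profile directory")
    if not basename.endswith(".sys"):
        reasons.append("driver image does not carry the .sys extension")
    if name in KNOWN_ABUSED_NAMES or basename in KNOWN_ABUSED_NAMES:
        reasons.append("name matches a driver or file from the reported campaign")
    return reasons


def scan(lines):
    """Map each suspicious service name to the list of reasons it was flagged."""
    flagged = {}
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            flagged[event["ServiceName"]] = reasons
    return flagged
```

Run on real data by exporting 7045 events in the same key=value layout; pair the name match with a hash or signature blocklist, since attackers can rename the dropped file.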


Year-long Cyber Campaign Reveals Potent Backdoor and Custom Implant

 

A new hacking group has targeted the government, aviation, education, and telecom industries in South and Southeast Asia as part of a highly focused campaign that began in mid-2022 and extended into the first quarter of 2023. 

Broadcom Software's Symantec is tracking the activity under the insect-themed moniker Lancefly, with the attacks employing a "powerful" backdoor called Merdoor. So far, the data suggests that the custom implant was used as early as 2018. Based on the tooling and the victimology, the campaign's ultimate purpose is intelligence gathering.

"The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted," Symantec said in an analysis shared with The Hacker News.

"The attackers in this campaign also have access to an updated version of the ZXShell rootkit."

While the precise initial intrusion vector is unknown, it is believed to have involved phishing lures, SSH brute-forcing, or the exploitation of internet-exposed servers. The attack chains eventually lead to the deployment of ZXShell and Merdoor, fully featured malware capable of communicating with an actor-controlled server for further commands and of logging keystrokes.

ZXShell, first discovered by Cisco in October 2014, is a rootkit with several functionalities for harvesting sensitive data from affected hosts. In the past, the use of ZXShell has been linked to several Chinese actors such as APT17 (Aurora Panda) and APT27 (aka Budworm or Emissary Panda).

"The source code of this rootkit is publicly available so it may be used by multiple different groups," Symantec said. "The new version of the rootkit used by Lancefly appears to be smaller in size, while it also has additional functions and targets additional antivirus software to disable."

Another Chinese connection is that the ZXShell rootkit is signed by the certificate "Wemade Entertainment Co. Ltd," which Mandiant previously identified as being related to APT41 (aka Winnti) in August 2019.

Lancefly intrusions have also been linked to the use of PlugX and its successor ShadowPad, the latter of which has been used by several Chinese state-sponsored entities since 2015. However, certificate and tool sharing is known to be common among Chinese state-sponsored groups, which makes attribution to a specific known group challenging.

"While the Merdoor backdoor appears to have been in existence for several years, it appears to only have been used in a small number of attacks in that time period," Symantec noted. "This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar."

Caketap: A New Unix Rootkit Used to Steal ATM Banking Data

 

Following the activities of LightBasin, a financially motivated group of hackers, threat analysts have discovered a previously undisclosed Unix rootkit that is utilized to capture ATM banking data and execute fraudulent transactions. 

The specific group of adversaries has lately been seen targeting telecom businesses with tailored implants, as well as hacking managed service providers and victimising their clients back in 2020. Researchers present more proof of LightBasin activities in a new paper from Mandiant, focused on bank card fraud and the compromise of critical infrastructure. The new rootkit from LightBasin is a Unix kernel module called "Caketap" that is installed on servers running Oracle Solaris systems. 

Caketap hides network connections, processes, and files when it is loaded; it installs various hooks into system services so that remote commands and configurations can be received. The various commands observed by the analysts are as follows: 

• Add the CAKETAP module back to the loaded modules list
• Change the signal string for the getdents64 hook
• Add a network filter (format p)
• Remove a network filter
• Set the current thread TTY not to be filtered by the getdents64 hook
• Set all TTYs to be filtered by the getdents64 hook
• Display the current configuration

Caketap's ultimate purpose is to steal financial card and PIN verification data from compromised ATM switch servers and utilise it to enable fraudulent transactions.

Caketap intercepts data on its way to the Payment Hardware Security Module (HSM), a tamper-resistant hardware device used in the banking industry to generate, manage and validate the cryptographic keys that protect PINs, magnetic stripes, and EMV chips.

Caketap tampers with card verification messages, blocking those that match fraudulent bank cards instead of generating a genuine response. In a second phase, it saves valid messages that match non-fraudulent PANs (Primary Account Numbers) internally and delivers them to the HSM, ensuring that normal customer transactions are not disrupted and implant operations remain undetected. 

“We believe that CAKETAP was leveraged by UNC2891 (LightBasin) as part of a larger operation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at several banks,” explains Mandiant’s report. 

Slapstick, Tinyshell, Steelhound, Steelcorgi, Wingjook, Wingcrack, Binbash, Wiperight, and the Mignogcleaner are further tools related to the actor in prior assaults, all of which Mandiant confirmed are still used in LightBasin attacks. 

LightBasin is a highly skilled threat actor that exploits weak security in mission-critical Unix and Linux systems, which are frequently viewed as intrinsically secure or are mostly ignored due to their obscurity. 

LightBasin and other attackers thrive in this environment, and Mandiant expects them to continue to use the same operating model. In terms of attribution, the analysts noticed some overlaps with the UNC1945 threat cluster, but they do not have enough clear evidence to draw any conclusions.

Microsoft: Shrootless Bug Allows Hackers to Install macOS Rootkits

 

A new macOS vulnerability found by Microsoft could be used by attackers to circumvent System Integrity Protection (SIP) and conduct arbitrary activities, gain root privileges, and install rootkits on susceptible computers. 

The Microsoft 365 Defender Research Team disclosed the Shrootless vulnerability (now tracked as CVE-2021-30892) to Apple via the Microsoft Security Vulnerability Research Program (MSVR). SIP (also known as rootless) is a macOS security mechanism that prevents potentially dangerous programs from editing protected folders and files by restricting the root user account's ability to conduct operations on protected sections of the OS. 

SIP permits only processes signed by Apple or those with specific entitlements (i.e., Apple software updates and Apple installers) to change these protected sections of macOS. Microsoft researchers found the Shrootless flaw after noticing that the system_installd daemon had the com.apple.rootless.install.inheritable entitlement, which enabled any of its child processes to completely circumvent SIP filesystem restrictions.

Jonathan Bar Or, a principal security researcher at Microsoft stated, "We found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed. A malicious actor could create a specially crafted file that would hijack the installation process. After bypassing SIP’s restrictions, the attacker could then install a malicious kernel driver (rootkit), overwrite system files, or install persistent, undetectable malware, among others." 

With the security upgrades released on October 26, Apple addressed the security vulnerability. According to Apple's security alert, "a malicious programme may be able to manipulate protected areas of the file system." 

"We want to thank the Apple product security team for their professionalism and responsiveness in fixing the issue," Jonathan Bar Or added.

Microsoft also announced last week that it has discovered new strains of macOS WizardUpdate malware (also known as UpdateAgent or Vigram), which had been upgraded to employ new evasion and persistence techniques. 

The trojan distributes second-stage malware payloads, such as Adload, a malware strain that has been active since late 2017 and is notorious for being able to infect Macs despite XProtect, Apple's built-in YARA signature-based antivirus.

FiveSys Rootkit Exploits Microsoft-Issued Digital Signature

 

A rootkit termed FiveSys can potentially avoid detection and enter Windows users' PCs by abusing a Microsoft-issued digital signature, according to Bitdefender security experts.

Microsoft introduced rigorous requirements for driver packages that aim to receive a WHQL (Windows Hardware Quality Labs) digital signature to prevent certain types of malicious attacks, and starting with Windows 10 build 1607, it prevents kernel-mode drivers from being loaded without such a certificate. 

Malware developers, on the other hand, seem to have discovered a way to bypass Microsoft's certification and obtain digital signatures for their rootkits, allowing them to target victims without raising suspicion. 

Microsoft confirmed in June that intruders had successfully submitted the Netfilter rootkit for certification via the Windows Hardware Compatibility Program. Now, Bitdefender's researchers warn that the FiveSys rootkit also carries a Microsoft-issued digital signature, suggesting that this might become an emerging trend in which adversaries get their malicious drivers certified and signed by Microsoft.

According to the researchers, FiveSys is comparable to the Undead malware that was first disclosed a few years ago. Furthermore, the rootkit, like Netfilter, is aimed towards the Chinese gaming industry. 

Bitdefender stated, “The attackers seem to originate from China and target several domestic games. We can confidently attribute this campaign to several threat actors, as their tools share the same functionality but are vastly different in implementation.” 

The rootkit directs Internet traffic to a custom proxy server using a frequently updated autoconfiguration script that comprises a list of domains/URLs. Furthermore, the rootkit can prohibit drivers from the Netfilter and fk_undead malware families from being loaded by using a list of digital signatures. 

Moreover, FiveSys offers a built-in list of 300 supposedly randomly created domains that are encrypted and are intended to circumvent possible takedown attempts. Bitdefender also claims to have discovered multiple user-mode binaries that are used to obtain and execute malicious drivers on target PCs. 

FiveSys appears to use four drivers in all, although only two of them were isolated by the security experts. After discovering the abuse, Microsoft revoked FiveSys' signature.

While the rootkit is being used to steal login credentials from gaming accounts, it is likely that it may be utilised against other targets in the future. However, by following a few easy cybersecurity safeguards, one can prevent falling prey to such or similar assaults.

Botezatu recommended, "In order to stay safe, we recommend that users only download software from the vendor's website or from trusted resources. Additionally, modern security solutions can help detect malware – including rootkits – and block their execution before they are able to start."

Microsoft Admits to Signing Rootkit Malware

 

Earlier this month, Microsoft signed a driver called Netfilter that turned out to be a malicious network filter rootkit. Karsten Hahn, a G DATA malware analyst, first identified the rootkit, which he then traced, analyzed, and found to bear Microsoft's signature.

When Microsoft researchers analyzed the rootkit, they found that it communicated with Chinese command-and-control (C2) IPs which, as it turns out, belong to a company called Ningbo Zhuo Zhi Innovation Network Technology Co. Ltd., which the United States Department of Defense has labeled a 'Communist Chinese Military' company.

Microsoft said that the threat actor’s goal is to cheat gaming systems. “To use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers,” according to Microsoft’s advisory. 

The company collaborated with Microsoft to analyze and patch any known security holes, including for affected hardware. Users will get clean drivers through Windows Update. Moreover, they added that the rootkit only works if a user authorizes the driver and it obtains administrator-level access on a PC to install the driver. The idea is that Netfilter won’t pose a threat to your PC unless you go out of your way to install it. 

On Friday, Microsoft acknowledged the mistake, saying that its security experts are monitoring the whole incident and have added malware signatures to Windows Defender. The company has also shared the signatures with other security companies. As of Monday morning, 35 security vendors had flagged the file as malicious.

The company has suspended the account and is reviewing its submissions for further signs of malware. However, "the actor's activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments. We are not attributing this to a nation-state actor at this time," the company revealed.