Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Symantec. Show all posts

North Korean Hacker Group Kimsuky Deploys New Linux Malware 'Gomir' via Trojanized Software Installers

 

North Korean hacker group Kimsuky has unveiled a new Linux malware named "Gomir," a variant of the GoBear backdoor. This development marks a significant advancement in the group's cyber espionage tactics. Kimsuky, linked to North Korea’s military intelligence, the Reconnaissance General Bureau (RGB), has a history of sophisticated cyber attacks aimed primarily at South Korean entities. 

In early February 2024, researchers at SW2, a threat intelligence company, reported a campaign by Kimsuky involving trojanized versions of various software solutions. These included TrustPKI and NX_PRNMAN from SGA Solutions and Wizvera VeraPort. The primary targets were South Korean entities, and the malicious software delivered the Troll Stealer and Go-based Windows malware known as GoBear. 

Further investigation by Symantec, a Broadcom company, revealed that the same campaign also deployed a Linux variant of the GoBear backdoor, dubbed "Gomir." This new malware shares many similarities with its Windows counterpart, featuring direct command and control (C2) communication, persistence mechanisms, and support for executing a wide range of commands. Upon installation, Gomir checks the group ID value to determine if it runs with root privileges on the Linux machine. 

It then copies itself to /var/log/syslogd for persistence, creates a systemd service named ‘syslogd,’ and issues commands to start the service. Following these steps, the original executable is deleted, and the initial process is terminated. To ensure it runs on system reboot, the backdoor attempts to configure a crontab command by creating a helper file ('cron.txt') in the current working directory. If successful, the helper file is removed. Gomir supports 17 operations triggered by commands received from the C2 via HTTP POST requests. 

These operations include pausing communication with the C2 server, executing arbitrary shell commands, reporting the current working directory, probing network endpoints, and more. Notably, these commands are almost identical to those supported by the GoBear Windows backdoor, highlighting the malware's versatility and Kimsuky's ability to adapt its tools across different operating systems. Symantec researchers have pointed out that supply-chain attacks, such as trojanized software installers and fake installers, are a preferred attack method for North Korean espionage actors. 

The choice of software for trojanization seems to be carefully selected to maximize infection rates among South Korean targets. By compromising widely used software solutions, Kimsuky increases its chances of infiltrating targeted systems and exfiltrating valuable data. The implications of Kimsuky's activities are significant. By enhancing their malware capabilities and expanding their target range to include Linux systems, Kimsuky poses a heightened threat to organizations, particularly those in South Korea. 

The use of advanced malware like Gomir demonstrates the group's continuous evolution and sophistication in cyber espionage. Symantec's report on this campaign includes a set of indicators of compromise (IOCs) for multiple malicious tools observed, including Gomir, Troll Stealer, and the GoBear dropper. These IOCs are crucial for cybersecurity professionals to detect and mitigate the impact of these threats. 

As the digital landscape continues to evolve, the need for robust cybersecurity measures becomes ever more critical. Organizations, especially those in high-target regions like South Korea, must remain vigilant and proactive in their defense strategies. This includes regularly updating software, conducting thorough security assessments, and implementing comprehensive threat detection and response mechanisms. 

The emergence of Gomir and similar threats underscores the importance of international cooperation in combating cybercrime. By sharing intelligence and collaborating on cybersecurity initiatives, nations can better protect their critical infrastructure and sensitive data from sophisticated threat actors like Kimsuky.

APT41: Cyberespionage Group Targets Asian Materials Industry


The Chinese-sponsored APT41 cyberespionage group, also known as Blackfly, Barium Bronze Atlas, Double Dragon, Wicked Panda, and Wicked Spider has emerged as one of the most active threat groups since at least 2007. 

The cyber-threat group has recently been targeting two subsidiaries of a major Asian conglomerate, which apparently specializes in materials and composites. The attack follows right after another distinct campaign against the Asian material sector. 

The APT attack was seen utilizing the Winnkit backdoor, Mimikatz, and several tools for credential dumping, screen capture, process hollowing, SQL querying, memory dumping (ForkPlayground), and proxy configuration. 

In one of the instances, Symantec discovered a material research organization in Asia that was being targeted by a previously unidentified threat group named ‘Clasiopa,’ which does not seem to be linked to the APTs. 

It is believed that Clasiopa acquired access to the targeted organization by brute forcing public facing servers and using a variety of post-exploitation tools like Atharvan remote access trojan (RAT), which is a modified version of the Lilith RAT, the Thumbsender hacking tool, and a custom proxy tool. The threat actor, according to Symantec, utilized the backdoors to compile lists of files and exfiltrate them, deleted logs, set a scheduled task to list file names, and verified the IP addresses of the compromised machines in an effort to disable endpoint protections. 

Moreover, it appears that Clasiopa used authorised software from Agile and Domino throughout the attack, but it is still unclear whether the attackers actually deployed the tools or simply abused the existing installations. Apparently Atharvan backdoor is able to download arbitrary files from the server, execute files, and configure communications through the C&C server, all based on the commands received from its operators. 

Adding to this, the Atharvan RAT can terminate or restart programs, send remote commands and PowerShell scripts, as well as terminate and uninstall itself. Further analysis on Atharvan revealed a Hindi mutex and a password, suggesting that Clasiopa could be based in India, although Symantec says that these could be some of the false flags planted by the threat group to muddle with the investigation.  

Hacker Group Cranefly Develops ISS Method

The novel method of reading commands from seemingly innocent Internet Information Services (IIS) logs has been used to install backdoors and other tools by a recently leaked dropper. Cybersecurity experts at Symantec claimed an attacker is utilizing the malware known as Cranefly also known as UNC3524 to install Trojan. Danfuan, another undocumented malware, as well as other tools.

Mandiant reported that Cranefly mainly targeted the emails of individuals who specialized in corporate development, merger and acquisitions, and significant corporate transactions when it was originally founded in May. Mandiant claims that these attackers remained undetected on target networks for at least 18 months by using backdoors on equipment without support for security measures.

One of the main malware strains used by the gang is QUIETEXIT, a backdoor installed on network equipment like cloud services and wireless access point controllers that do not enable antivirus or endpoint monitoring. This allows the attacker to remain undetected for a long time.

Geppei and Danfuan augment Cranefly's arsenal of specialized cyber weapons, with Geppei serving as a dropper by collecting orders from IIS logs that look like normal web access requests delivered to a compromised host.

The most recent Symantec advisory now claims that UNC3524 used Hacktool-based backdoors in some instances. Multiple advanced persistent threat (APT) clusters use the open-source technology Regeorg.
Additionally, Symantec has cautioned that Cranefly is a 'pretty experienced' hacking group as evidenced by the adoption of a new method in conjunction with the bespoke tools and the measures made to conceal their activity.

On its alert and Protection Bulletins website, Symantec lists the indicators of compromise (IoC) for this attack. Polonium is another threat actor that usually focuses on gathering intelligence, and ESET recently saw Polonium utilizing seven different backdoor variants to snoop on Israeli firms.

Cranefly employs this sneaky method to keep a foothold on compromised servers and gather information covertly. As attackers can send commands through various channels, including proxy servers, VPNs, Tor, or online development environments, this method also aids in avoiding detection by investigators and law enforcement.

It is unclear how many systems have been compromised or how often the threat actors may have utilized this technique in ongoing operations.



Clipminer Botnet Made 1.7 Million Dollars From Crypto Mining

 

Threat researchers have found a large-scale operation of Clipminer, a new cryptocurrency mining virus that netted its users at least $1.7 million in transaction hijacking.

Clipminer is built on the KryptoCibule malware, according to researchers at Symantec, a Broadcom company. Both trojans are designed to steal bitcoin wallets, hijack transactions, and mine cryptocurrency on affected computers. 

Clipminer is based on the KryptoCibule malware, according to researchers at Symantec, a Broadcom company. Both trojans are designed to steal bitcoin wallets, hijack transactions, and harvest cryptocurrency on affected computers. Researchers were taken aback by the new malware because it had fast grown in size by the time it was discovered. According to the Symantec team, these operations involved 4375 bitcoin wallet addresses that received stolen monies from victims.

Downloads or pirated software, are used to spread malware; malicious clipminer botnet files are distributed over torrent sites and other pirating methods. This bitcoin miner can be installed on the machine as a WinRAR archive, which will immediately start the extraction process and launch the control panel file, leading to the download of the dynamic link library. 

The infected DLL creates registry values and installs malware in several files in the Windows directory. Those files are named after ransoms so that the profile may be hosted and the main miner's payload can be downloaded and installed afterward. The system receives identification, which is sent on to the C&C server, which then sends out a request for the payload. The malware is delivered as a 10MB file in the Program Files directory. Once the trojan has been successfully executed, scheduled actions are set up to ensure the malware's persistence. To avoid re-infecting the same host, registry modification is also performed.

According to Symantec, the first Clipminer samples began to circulate in January 2021, with malicious activity picking up in February. Ever since the malware has spread over P2P networks, torrent indexers, YouTube videos, and through game and pirated software cracks. To avoid becoming infected with Clipminer or other malware, avoid downloading software from unknown sources. Verify the entered cryptocurrency wallet address before initiating the transaction to protect yourself from a clipboard hijacker.

Chinese APT Actor Tracked as 'Antlion' Targeting Companies in Taiwan

 

It has been almost 18 months since the Chinese state-backed advanced persistent threat (APT) actor tracked as ‘Antlion’ has been attacking financial institutions and manufacturing companies in Taiwan state in a persistent campaign. The researchers at Symantec noted that the threat actors deployed a new custom backdoor named 'xPack' on compromised networks, which gave malicious actors wide access into the victim’s system.

The backdoor was designed to run WMI commands remotely, while it has also been seen that the attackers leveraged EternalBlue exploits in the backdoor. The attackers also interact with SMB shares, and it is also possible that the actors used mounted shares over SMB to transfer data to the command and control (C2) server. 

Furthermore, the attackers have successfully browsed the web through the backdoor, likely using it as a proxy to mask their IP address. Researchers believe that the malware was used in a campaign against Taiwan and had allowed the adversaries to run stealthy cyber-espionage operations. 

While dissecting such an attack, it could be seen that the malicious actors spent 175 days on the compromised network. However, the Symantec cyberthreat unit is studying two other incidents of such kind to determine how the adversary went undetected on the network for as long as 250 days. 

The researcher said that the new custom malware helped threat actors achieve this level of furtiveness; Symantec researchers have also deducted the following custom tools that help xPack in this operation. 

• EHAGBPSL – Custom C++ loader 
• CheckID – Custom C++ loader based on a similar tool used by the BlackHole RAT 
• JpgRun – Custom C++ loader 
• NetSessionEnum – Custom SMB session enumeration tool 
• Kerberos golden ticket tool based on the Mimikatz credentials stealer 
• ENCODE MMC – Custom bind/reverse file transfer tool 

"There is also evidence that the attackers likely automated the data collection process via batch scripts, while there is also evidence of instances where data was likely staged for further exfiltration, though it was not actually observed being exfiltrated from the network," explains Symantec.

Iranian Hacker Group Using New Tools to Target Government Agencies of Broader Middle East Region

 

In the part of their attacks on companies and government agencies in the broader Middle East region, an Iranian cyberattack group has begun utilizing new tools, including a custom download utility and commodity ransomware, as per Broadcom's Symantec division. 

Dubbed as Seedworm, the group gives off an impression of being deploying a few variations of a new downloader, known as PowGoop, to the recent targets.

The utilization of the noxious program doesn't demonstrate a shift to ransomware-based cybercrime for the group, yet rather a reception of a more extensive variety of strategies for countering defensive measures. 

The software downloads and decrypts 'obfuscated' PowerShell scripts to run on compromised frameworks, utilizing the basic utility as an approach to execute code. 

The researchers additionally state that the group is sending ransomware, known as Thanos, which previously appeared available to be purchased not long ago and gives off an impression of being utilized by Seedworm for its 'destructive capacities'.

"Looking at Seedworm's history, it is apparent they've been focused on Middle East-based government organizations for years," "We don't believe that they are directly focused on monetary gain. From our standpoint, the Thanos victim organizations [represent] very few [targets] — just a handful at the most," says Vikram Thakur, Symantec's technical director. 

The researchers were moderately sure, nonetheless, in ascribing PowGoop to the Iranian state actor.

"Seedworm has been one of the most active Iran-linked groups in recent months, mounting apparent intelligence-gathering operations across the Middle East," Symantec researchers stated in their analysis.  
"While the connection between PowGoop and Seedworm remains tentative, it may suggest some retooling on Seedworm's part. Any organizations that do find evidence of PowGoop on their networks should exercise extreme caution and perform a thorough investigation." 

"There is nothing sophisticated about PowGoop aside from it being custom-made and that it uses multiple layers of encoded PowerShell scripts to effectively download and execute PS-based payloads," Thakur added later.

PowGoop has additionally been identified by various other companies. Security firm Palo Alto Networks associated PowGoop with two ransomware attacks on companies in the Middle East and North Africa at the beginning of September.

LPE Security Flaw Affecting Symantec Allows Attackers to Escalate Privileges on Compromised Devices


Symantec Endpoint Protection recently fixed a local privilege escalation security flaw influencing all software variants before 14.2 RU2 by enabling attackers to raise benefits on undermined devices and execute noxious code utilizing SYSTEM privileges.

Security researcher Peleg Hadar was the person who discovered the Symantec Endpoint Protection LPE bug and shockingly this isn't the first time when a security local privilege escalation issue was reported to a security vendor.

The Symantec Endpoint Protection LPE bug currently tracked as CVE-2019-12758 requires potential attackers to have Administrator privileges to effectively exploit the issue to Hadar. While the danger level of this vulnerability isn't immediately evident, such bugs are normally evaluated with medium and high 'severity' CVSS 3.x base scores.

As indicated by Hadar, attackers misuse DLL search-order hijacking issues, such as this as part multi-stage attacks in the wake of penetrating a target's machine to 'elevate permissions' in order to additionally compromise the device.

“The vulnerability gives attackers the ability to load and execute malicious payloads within the context of a Symantec’s signed process," Hadar states. Symantec albeit effectively tended to the LPE vulnerability in the Symantec Endpoint protection 14.2 RU2 release issued on October 22, 2019.

In any case he further specified that that misuse of the CVE-2019-12758 bug on machines running 'vulnerable' adaptations of Symantec Endpoint Protection could likewise make it feasible for attackers to load and dispatch malevolent code each time the Symantec administrations are loaded on the system, picking up 'persistence' between system reboots.


Indian users third most affected by Formjacking attacks, after the US and Australia


Followed by the US and Australia, Indian users were the most exposed to Formjacking attacks, according to a new survey by cybersecurity firm, Symantec, which has blocked over 2.3 million formjacking attacks globally in the second quarter of 2019.

In 2018, American users faced 33% of the total formjacking attacks; however, during the first half of the year 2019, they became the most exposed to these attacks with more than 50% of all the global detections. On the other hand, India with 5.7% of all the global attacks ranks third, as per the Symantec report.

Formjacking, a new dangerous threat in the cyber world, operates by infecting websites via malicious codes; mainly, these are the websites that involve filling out job applications, government forms, and credit card details. Symantec carried out a comprehensive analysis of formjacking attacks in its Internet Security Threat Report (ISTR) which calls attention to the ways users and websites have been affected by this critical cyber threat in 2018-19.

“We expect this formjacking trend to continue and expand further to steal all kinds of data from web forms, not just payment card data. This also means that we are likely to see more software supply chain attacks. Unfortunately, formjacking is showing no signs of disappearing any time soon. Therefore, operators of online stores need to be aware of the risk and protect their online presence,” reads the report.

How ‘Formjacking’ Works? 

In order to inject malicious JavaScript code on the website, attackers and cybercriminals modify one of the JavaScript files which get loaded along with the website. Then, the malicious JavaScript code makes alterations in the behavior of the selected web process on the infected website which, as a result, allows hackers to unlawfully acquire credit card data and other sensitive information.

According to the findings of Symantec, the websites which are affected by Formjacking attacks stay under its influence for 46 days. A number of websites have fallen prey to formjacking, with publically reported attacks on the websites of major companies like British Airways, Ticketmaster, Feedify, and Newegg.

Warning the consumers around the globe, Candid Wueest, Principal Threat Researcher at Symantec, said, “Each month we discover thousands of formjacking infected websites, which generate millions of dollars for the cybercriminals," warned Candid Wueest, Principal Threat Researcher at Symantec.

"Consumers often don't notice that they have become a victim to a formjacking attack as it can happen on a trusted online store with the HTTPS padlock intact. Therefore, it is important to have a comprehensive security solution that can protect you against formjacking attacks," He added.

Zero-day Vulnerability in Windows Kernel exploited by Duqu worm


Zero-Day Vulnerability found in Windows Kernel by Researchers at the Cryptography and System Security (CrySyS) Lab, as the result of Analyzing the Duqu malware.  CrySys immediately reported to the Microsoft about the vulnerability.

CrySys discovered the Duqu Binaries and confirmed that it is nearly identical to Stuxnet.Thus far, no-one had been able to find the installer for the threat and therefore no-one had any idea how Duqu was initially infecting systems.

As the result of Research, CrySys found the installer as Microsoft word document file(.doc) that use a previously unknown kernel vulnerability.  When the .doc file is opened, the Duqu infects the system.

W32.Duqu is a worm that opens a back door and downloads more files on to the compromised computer. It also has rootkit functionality and may steal information from the compromised computer.

Duqu Infection:

"The Word document was crafted in such a way as to definitively target the intended receiving organization. Furthermore, the shell-code ensured that Duqu would only be installed during an eight-day window in August. Please note that this installer is the only installer to have been recovered at the time of writing—the attackers may have used other methods of infection in different organizations.", Symantec Report.

Once the system infected by Duqu, the attacker can control the system and infects other organization through the Social Engineering.  In one organization, evidence was found that showed the attackers commanding Duqu to spread across SMB shares.

Even though the system didn't have the ability to connect to the Internet , the Malware  configured such that to communicate with C&C Server using other infected system that has Internet connection.

Consequently, Duqu creates a bridge between the network's internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies.

Several Countries become the victim of this Duqu malware.  According to Symantec report, there are 8 countries infected by this malware.

As the result of Analysis, the researcher discovered that malware contacts a server hosted in India.

"Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process," Jerry Bryant, group manager of response communications in Microsoft's Trustworthy Computing group said in a statement

updated whitepaper (version 1.3) from Symantec .

Symantec AdVantage(Anti-Malvertising): Armorize and Symantec partnered and launched


Armorize Technologies(malware blog) and Symantec joined together to fight against Malvertisement. They launched a AdVantage(Anti-Malvertising) Technology, cloud based scanner to detect the malvertising(malware advertisement) in online.

“Malvertising poses a serious risk to online publishers and their customers, reputation and revenue. Highly publicized malvertising infections can damage the reputation of even the most trusted online sites. Symantec AdVantage will provide ad publishers the tools they need to protect their businesses by fighting back against these threats.”
– Fran Rosch, Vice President, Identity and Authentication Services, Symantec Corp.

 Symantec Advantage will scan, detect and report malvertising on websites by automatically alerting publishers and identifying the location of malicious advertisements so customers can remove malicious ads that may damage their business’ reputation. A real-time performance dashboard complements these automatic reports by providing essential insights. For example, Symantec AdVantage will enable customers to compare safe ads to malicious advertisements and discover how and when malvertising occurred by visually tracing and identifying the path and source of infected advertisements .

Symantec AdVantage is scheduled to be made available to publishers and ad networks through a free early access program beginning in November 2011.

The service will be available here:
http://advantage.symantec.com/

Reference:
Few days back, the famous site " KickAssTorrent(KAT.ph)" served malvertising, detected by Armorize.