
APT29 Strikes: WinRAR Exploits in Embassy Cyber Attacks

In a recent wave of intrusions, foreign embassies have been targeted by APT29, a threat group linked to Russia's intelligence services. The lure abuses a vulnerability in WinRAR, a widely used file compression utility, and the disclosure has prompted affected organizations to patch and harden their systems.

According to the researchers who analysed the campaign, APT29 paired the WinRAR exploit with Ngrok, a legitimate tunneling service that exposes a local port through a public hostname. By routing command-and-control traffic through Ngrok's free static domains, the attackers hid their infrastructure behind a trusted third-party domain, which complicates both detection and attribution.

The vulnerability in question is CVE-2023-38831, fixed in WinRAR 6.23. Exploiting it requires nothing exotic: the attacker builds an archive containing a benign-looking decoy (a PDF or image, for instance) alongside a folder of the same name that holds a script. When the victim double-clicks the decoy inside WinRAR, the archiver extracts the matching entries to a temporary directory and ends up launching the script instead of the decoy. That gives the attacker code execution on the workstation and, from there, a foothold in the embassy network.
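As an added illustration (not part of the original post, and not code from APT29, WinRAR or the researchers cited), the following Python script checks a ZIP archive for the structural pattern CVE-2023-38831 relies on: a decoy file sitting next to a directory of the same name that holds a script. Trailing spaces in names are ignored because the in-the-wild lures padded the decoy and folder names with a space. The sample archive it inspects is constructed in the script; the entry names and the list of executable extensions are assumptions.

```python
import io
import os
import zipfile
from dataclasses import dataclass
from typing import Dict, List

# Extensions that, once extracted, Windows would execute when WinRAR hands the
# name to ShellExecute. Assumed list; extend to taste.
EXEC_EXT = {".cmd", ".bat", ".exe", ".vbs", ".js", ".wsf", ".hta", ".scr", ".ps1", ".lnk"}


@dataclass
class Finding:
    decoy: str    # archive entry the victim is meant to double-click
    script: str   # entry that WinRAR 6.22 and earlier end up launching instead


def _norm(name: str) -> str:
    """Normalize an entry path the way the exploit abuses name matching:
    trailing spaces in each path component are ignored."""
    return "/".join(part.rstrip(" ") for part in name.split("/"))


def find_cve_2023_38831_pattern(zip_bytes: bytes) -> List[Finding]:
    """Return every (decoy, script) pair where a plain file entry has the same name
    as a directory that contains an executable entry. Only the central directory
    is read, so nothing is extracted or executed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = [zi.filename for zi in zf.infolist() if not zi.is_dir()]
    by_norm: Dict[str, str] = {_norm(f): f for f in files}
    findings: List[Finding] = []
    for entry in files:
        parts = entry.split("/")
        if len(parts) < 2:
            continue                        # not inside any directory
        ext = os.path.splitext(parts[-1].rstrip(" "))[1].lower()
        if ext not in EXEC_EXT:
            continue
        # The directory holding this script, normalized: does a plain file with
        # exactly that name also exist in the archive? If so, that is the decoy.
        decoy_key = _norm("/".join(parts[:-1]))
        if decoy_key in by_norm:
            findings.append(Finding(decoy=by_norm[decoy_key], script=entry))
    return findings


def build_sample(malicious: bool) -> bytes:
    """Constructed archive for demonstration; not a real-world sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Decoy name carries a trailing space, as the observed lures did.
        zf.writestr("Invoice.pdf ", b"%PDF-1.4\n% harmless decoy\n")
        if malicious:
            zf.writestr("Invoice.pdf /Invoice.pdf .cmd", b"@echo off\r\nstart calc.exe\r\n")
        else:
            # A same-named folder holding a text file is not the exploit pattern.
            zf.writestr("Invoice.pdf /notes.txt", b"plain text, nothing to execute\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("malicious", build_sample(True)), ("benign", build_sample(False))):
        hits = find_cve_2023_38831_pattern(data)
        print(label, "->", [(h.decoy, h.script) for h in hits] or "no CVE-2023-38831 pattern")
```

The check is deliberately structural: it does not look at file contents, so it works on archives a scanner cannot fully parse and produces no false negatives from obfuscated scripts. Run it on mail attachments at the gateway, or on a quarantine folder, and treat any hit as a lure regardless of what the decoy claims to be.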

The activity was first reported by security researchers and later corroborated by Ukraine's National Security and Defense Council (RNBO), whose November report describes the APT29 campaigns and the organizations affected.

That the campaign targets foreign embassies is no surprise. Embassies handle sensitive political and diplomatic correspondence and are a standing objective of state-sponsored espionage. The attackers' use of a flaw in software as common as WinRAR underlines why timely patching of everyday desktop tools matters as much as patching servers.

In response, security teams, especially those supporting diplomatic missions, are advised to verify that WinRAR is updated to a fixed version, to review outbound connections to tunneling services such as Ngrok, and to maintain the usual layered defenses: advanced threat detection, personnel awareness training, and strong software security practices.

International cybersecurity organizations must work together as governments contend with a constantly changing threat landscape. The APT29 attacks are a sobering reminder that the digital sphere has become a combat zone and that defending diplomatic relations and national interests against such threats requires a united front.

Russian Hackers use WinRAR as Cyberweapon

Russian state-sponsored hackers, notorious for their cyber-attacks, have once again been accused of turning WinRAR against a Ukrainian target: this time a state agency whose data was wiped, with the loss of important information.

According to CERT-UA's analysis, the attackers did not need a trojanized archiver. After gaining access through compromised VPN accounts that were not protected by multi-factor authentication, they ran a batch script that located files by extension and passed them to the legitimate WinRAR command-line tool with the -df switch, which deletes the source files once they have been archived. The resulting archives were then deleted as well, leaving the agency without its data. CERT-UA attributed the attack to the Sandworm group.

It is not the first time Russian hackers have been accused of using WinRAR as a cyberweapon. In 2018, a similar tactic was reported in a cyber attack on a Ukrainian company.

The incident highlights the growing threat of cyber attacks and the importance of having strong security measures in place. Businesses and organizations need to ensure that they are taking steps to protect their systems from such attacks.

Because the archiver used here was a legitimate, unmodified copy of WinRAR, keeping software updated, important as it is for patching real vulnerabilities, would not have stopped this attack on its own. The controls that matter are multi-factor authentication on VPN and other remote access, monitoring for WinRAR or rar.exe being run with the -df (delete after archiving) switch on file servers, and a robust, regularly tested backup and disaster recovery plan so that wiped data can be restored quickly and with minimal disruption.

It’s also important for organizations to have an incident response plan in place to ensure that they can quickly and effectively respond to a cyber attack. This should include identifying and containing the attack, notifying relevant stakeholders, and taking steps to prevent the attack from spreading further.

As cyber-attacks become increasingly common and sophisticated, it’s important for organizations to take steps to protect their systems and data. By implementing strong security measures and being prepared for the worst-case scenario, businesses can reduce their risk of falling victim to an attack and minimize the impact if it does occur.

Threat Actors Prefer Archive Files for Deploying Malware Infections


Hackers prefer archive files, not MS Office

Archive files such as .zip and .rar are now the most common way of delivering malware, according to HP Wolf Security's third-quarter report, which found that Microsoft Office documents were no longer the most popular format used in malware attacks: archives accounted for a 42% share, Office documents for 40%.

Archive usage has grown 22% since the first quarter of the year. According to the HP Wolf Security team, attackers favour archives because they are hard for scanners to inspect.

"Archives are attractive to threat actors because they are easily encrypted, making them difficult for web proxies, sandboxes, and email scanners to detect malware. Moreover, many organizations use encrypted archives for legitimate reasons, making it challenging to reject encrypted archive email attachments by policy," the report said. 

Rise in HTML Smuggling Attacks

Besides the increase in archive files, HP Wolf Security logged a rise in "HTML smuggling" attacks, which, likewise, can escape security measures by using common file types. 

In this case the victim receives an HTML attachment posing as a PDF. When opened in a browser, it shows a fake page for a common reader such as Adobe Acrobat and, using JavaScript, decodes an archive embedded in the page and offers it for download; that archive carries the actual malware payload. Because the archive is assembled inside the browser from an encoded string, it never crosses the email gateway or web proxy as a recognisable file.
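The two evasion points made above, encrypted archives that scanners cannot open and archives smuggled inside HTML, can be checked together at the gateway. The following Python is an added example, not code from HP Wolf Security or from any campaign described here: it looks for the JavaScript idioms a smuggling page needs, decodes any long base64 string in the page, recognises ZIP and RAR magic bytes, and for ZIPs reads only the central directory so that the encryption bit of each entry can be reported without the password. The lure page and the payload archive are constructed in the script; the marker list, field names and file names are assumptions.

```python
import base64
import io
import re
import zipfile
from typing import Dict, List

# JavaScript fragments an HTML smuggling page needs to turn an inline string into
# a download. Assumed indicator list; production detections use many more.
SMUGGLING_MARKERS = ("atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob(", ".download =")

# Magic bytes of the archive formats the report singles out.
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar"}

# A run of base64 characters long enough to hold even a tiny archive.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def analyse_html(html: str) -> Dict[str, object]:
    """Report smuggling markers and every embedded archive found in the page.
    For ZIPs, bit 0 of an entry's general-purpose flag means it is encrypted:
    a scanner can still list names but cannot read or detonate the content."""
    markers = [m for m in SMUGGLING_MARKERS if m in html]
    payloads: List[Dict[str, object]] = []
    for blob in BASE64_BLOB.findall(html):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            continue
        kind = next((k for magic, k in ARCHIVE_MAGIC.items() if raw.startswith(magic)), None)
        if kind is None:
            continue
        entries: List[str] = []
        encrypted = False
        if kind == "zip":
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                for zi in zf.infolist():
                    entries.append(zi.filename)
                    encrypted = encrypted or bool(zi.flag_bits & 0x1)
        payloads.append({"format": kind, "size": len(raw), "entries": entries, "encrypted": encrypted})
    verdict = "html_smuggling" if len(markers) >= 2 and payloads else "clean"
    return {"verdict": verdict, "markers": markers, "payloads": payloads}


def _make_zip(encrypted_flag: bool) -> bytes:
    """Constructed payload archive. zipfile cannot write encrypted entries, so the
    encryption bit is set by hand in the local header (flag at offset 6) and the
    central directory header (flag at offset 8); that is exactly what a scanner sees."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Invoice_4711.js", "// stand-in for a JavaScript dropper\n" + "A" * 300)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        data[6] |= 0x01
        cd = data.find(b"PK\x01\x02")
        data[cd + 8] |= 0x01
    return bytes(data)


def make_smuggling_page(encrypted: bool) -> str:
    """Constructed lure page modelled on the fake-viewer flow described above."""
    b64 = base64.b64encode(_make_zip(encrypted)).decode("ascii")
    return f"""<html><body>
<p>Loading your document in the Adobe Acrobat online viewer...</p>
<script>
var data = "{b64}";
var bytes = Uint8Array.from(atob(data), function (c) {{ return c.charCodeAt(0); }});
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Invoice_4711.zip";
a.click();
</script></body></html>"""


if __name__ == "__main__":
    print(analyse_html(make_smuggling_page(encrypted=True)))
    print(analyse_html("<html><body><p>Quarterly report attached.</p></body></html>"))
```

The verdict requires both a smuggling idiom and a decodable archive, which keeps ordinary pages with inline images out of the alert queue. An encrypted payload is the case the report describes: the names of the entries are still visible, so a policy such as "quarantine encrypted archives containing script or executable names" can be enforced even though the content cannot be scanned.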

Threat actors prefer Qakbot malware strain

The researchers found that Qakbot campaigns in particular favor HTML smuggling to get the malware onto end-user machines. Qakbot, which was highly active over the summer, has resumed its campaigns.

Qakbot is a long-running and highly effective malware strain that has been used to steal data and deploy ransomware. Most of its current campaigns rely on HTML attachments to compromise systems, moving away from malicious Office documents as the standard delivery method.

Finally, the team found that an older style of ransomware is making a comeback. Magniber, a "single-client" ransomware operation, does not attack large organizations for multi-million-dollar ransoms; it targets individual PCs, locks up the data and demands a $2,500 payment from the user.

The method goes back to the early days of ransomware, when individual systems were attacked en masse in the hope of achieving a greater number of successful infections and ransom payments.

Alex Holland, a senior malware analyst at HP said:

"Every threat actor has a different set of capabilities and resources that factor into what tactics, techniques, and procedures they use. Targeting individuals with single-client ransomware like Magniber requires less expertise, so this style of attack may appeal to threat actors with fewer resources and know-how who are willing to accept lower ransoms from victims."


Clipminer Botnet Made 1.7 Million Dollars From Crypto Mining


Threat researchers have uncovered a large-scale Clipminer operation, a cryptocurrency-mining and clipboard-hijacking trojan whose operators have netted at least $1.7 million through hijacked transactions and mining.

Clipminer is based on the KryptoCibule malware, according to researchers at Symantec, a Broadcom company. Both trojans steal cryptocurrency wallets, hijack transactions by replacing wallet addresses on the clipboard, and mine cryptocurrency on infected machines. The researchers were surprised by how large the operation had grown by the time it was discovered: the Symantec team identified 4,375 wallet addresses that had received funds stolen from victims.

Clipminer spreads through downloads of pirated software and game cracks distributed over torrent sites and similar channels. The installer is a WinRAR self-extracting archive: running it unpacks the contents and launches a Control Panel (.cpl) file, which in turn downloads a dynamic link library (DLL).

The downloaded DLL creates registry values and writes several files with random-looking names into the Windows directory; these are used to host the profile and later to fetch the main miner payload. The malware then collects an identifier for the host, sends it to the command-and-control (C&C) server and requests the payload, which arrives as a roughly 10 MB file in the Program Files directory. Once the trojan has run, scheduled tasks are created to maintain persistence, and a registry marker is written so that the same host is not infected twice.

According to Symantec, the first Clipminer samples began to circulate in January 2021, with malicious activity picking up in February. Since then the malware has spread over P2P networks, torrent indexers, YouTube videos, and game and software cracks. To avoid Clipminer and similar malware, do not install software from untrusted sources, and always re-check a pasted cryptocurrency wallet address against the intended one before sending a transaction, since a clipboard hijacker swaps it silently.

Malware Attackers Could Circumvent a Critical Microsoft MSHTML Flaw Due to a New Exploit


A short-lived phishing campaign was observed using a novel exploit that bypassed the patch Microsoft issued for a remote code execution vulnerability in the MSHTML component, with the goal of spreading Formbook malware. "The attachments represent an escalation of the attacker's abuse of the CVE-2021-40444 bug and demonstrate that even a patch can't always mitigate the actions of a motivated and sufficiently skilled attacker," SophosLabs researchers Andrew Brandt and Stephen Ormandy said in a new report.

CVE-2021-40444 (CVSS score: 8.8) is a remote code execution flaw in MSHTML that might be exploited using carefully designed Microsoft Office documents. Although Microsoft repaired the security flaw in its September 2021 Patch Tuesday releases, it has been used in various attacks since the flaw's information became public. 

The same month, the technology giant discovered a targeted phishing campaign that used the vulnerability to install Cobalt Strike Beacons on affected Windows systems. According to Microsoft Threat Intelligence Center, the assaults exploited the vulnerability as part of an initial access effort that included modified Cobalt Strike Beacon loaders. These loaders communicated with an infrastructure associated with several cybercriminal schemes, including human-operated ransomware, according to Microsoft. 

Sophos found a new campaign that works around the patch by modifying a publicly available proof-of-concept Office exploit and weaponizing it to distribute Formbook. The firm attributes the attack's success to a "too-narrowly focused patch."

"In the initial versions of CVE-2021-40444 exploits, the malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file," the researchers explained. "When Microsoft's patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the maldoc in a specially crafted RAR archive." 

The modified attack, dubbed CAB-less 40444, ran for about 36 hours on October 24 and 25, during which spam emails carrying a malformed RAR archive were sent to potential victims. The RAR file contained a Windows Script Host (WSH) script and a Word document; when the document was opened, it contacted a remote server hosting malicious JavaScript, which in turn launched the WSH script and ran a PowerShell command embedded in the RAR file to fetch the Formbook payload from an attacker-controlled website.

Because the modified RAR archives did not work with older versions of WinRAR, the exploit disappeared after little more than a day of use. "Unexpectedly, in this case, users of the much older, obsolete version of WinRAR would have been better protected than users of the most recent release," the researchers wrote.

Unable to Encrypt Files, the Latest Memento Ransomware Resorts to Using WinRAR


After security tools detected its encryption routine, a new ransomware group called Memento adopted an unusual strategy: placing files in password-protected archives instead of encrypting them. The group began operating last month, gaining initial access to victims' networks by exploiting a flaw in the VMware vCenter Server web client.

The vCenter bug is tracked as CVE-2021-21972. Anyone who can reach TCP port 443 on an unpatched vCenter server can execute commands as an administrator on the underlying operating system. Although a fix was released in February, many organizations have still not updated their installations.

Memento has been leveraging this flaw since April, and a different actor was discovered exploiting it in May to install XMR miners via PowerShell commands. 

Memento began its ransomware operations last month by harvesting administrator credentials from the compromised vCenter host, establishing persistence with scheduled tasks, and then moving laterally across the network over RDP tunnelled through SSH. During reconnaissance, the actors used WinRAR to build and exfiltrate an archive of stolen files.

Finally, they used Jetico's BCWipe data-wiping tool to remove traces of their activity before encrypting data with AES using a Python-based ransomware strain.

However, the targeted machines did have anti-ransomware protection, and Memento's initial attempts to encrypt files were detected and stopped before any damage was done.

Memento then found a novel way to avoid detection by anti-ransomware tools: skip encryption altogether and move files into password-protected archives. The group compresses each file into a WinRAR archive, generates a long random password for it, encrypts that password, and then deletes the original file.

According to Sophos analyst Sean Gallagher, the "crypt" routine now places each document in an archive with a .vaultz extension rather than encrypting it. A password was generated as each file was archived, and the passwords were then encrypted.
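The two WinRAR abuses on this page, the -df wiping described in the Ukrainian state-agency incident above and Memento's password-protected .vaultz archives, look very different to the victim but nearly identical in process-creation telemetry: the legitimate archiver is launched with an archive-creating command and a tell-tale switch, often from an odd path and many times in a row. The following Python is an added example, not code from CERT-UA, Sophos or any of the groups discussed; it classifies constructed Sysmon-style process events (JSON lines; the field names, hosts, users and command lines are all assumptions) by parsing the rar command and its switches.

```python
import json
import shlex
from collections import Counter
from typing import Dict, List, Optional

# Constructed process-creation events, one JSON object per line (Sysmon Event ID 1 style).
SAMPLE_LOG = r"""
{"ts":"2023-04-08T02:11:05Z","host":"FS01","user":"CORP\\svc_backup","image":"C:\\Program Files\\WinRAR\\Rar.exe","cmdline":"Rar.exe a -r -df C:\\Windows\\Temp\\1.rar C:\\Shares\\Docs\\*.docx"}
{"ts":"2023-04-08T02:11:09Z","host":"FS01","user":"CORP\\svc_backup","image":"C:\\Program Files\\WinRAR\\Rar.exe","cmdline":"Rar.exe a -r -df C:\\Windows\\Temp\\2.rar C:\\Shares\\Docs\\*.xlsx"}
{"ts":"2023-04-08T09:30:00Z","host":"WS22","user":"CORP\\jdoe","image":"C:\\Program Files\\WinRAR\\WinRAR.exe","cmdline":"\"C:\\Program Files\\WinRAR\\WinRAR.exe\" x C:\\Users\\jdoe\\Downloads\\photos.rar"}
{"ts":"2023-10-15T23:42:17Z","host":"WS22","user":"CORP\\jdoe","image":"C:\\Windows\\Temp\\rar.exe","cmdline":"rar.exe a -hpQ7vL9xPz2mN4 C:\\Users\\jdoe\\Documents\\Q3.xlsx.vaultz C:\\Users\\jdoe\\Documents\\Q3.xlsx"}
{"ts":"2023-10-15T23:55:00Z","host":"DB03","user":"CORP\\dba","image":"C:\\Program Files\\WinRAR\\Rar.exe","cmdline":"Rar.exe a C:\\Backups\\weekly.rar C:\\Dumps"}
{"ts":"2023-10-15T23:56:00Z","host":"DB03","user":"CORP\\dba","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe C:\\Dumps\\notes.txt"}
"""

# rar commands that put files into an archive ("m" moves them, i.e. deletes after archiving).
ARCHIVE_COMMANDS = {"a", "u", "m", "f"}


def classify(event: Dict[str, str]) -> Optional[List[str]]:
    """Return the reasons to alert on one event, or None if it is not a suspicious
    rar/WinRAR invocation. Extraction and listing are ignored; both incidents above
    are about creating archives."""
    image = event["image"].lower()
    if not image.endswith(("\\rar.exe", "\\winrar.exe")):
        return None
    tokens = shlex.split(event["cmdline"], posix=False)   # non-posix keeps backslashes intact
    switches = [t for t in tokens[1:] if t.startswith("-")]
    args = [t for t in tokens[1:] if not t.startswith("-")]
    if not args or args[0].lower() not in ARCHIVE_COMMANDS:
        return None
    reasons: List[str] = []
    if args[0].lower() == "m" or "-df" in (s.lower() for s in switches):
        reasons.append("wiper pattern: source files deleted after archiving (-df / m)")
    if any((s.startswith("-hp") and len(s) > 3) or (s[:2] == "-p" and len(s) > 2) for s in switches):
        reasons.append("password-protected archive created (-p / -hp)")
    archive = args[1] if len(args) > 1 else ""
    if archive and not archive.lower().endswith((".rar", ".zip")):
        name = archive.rsplit("\\", 1)[-1]
        reasons.append(f"non-standard archive extension: {name}")
    if not image.startswith("c:\\program files"):
        reasons.append(f"rar binary run from unexpected path: {event['image']}")
    return reasons or None


def triage(log_text: str) -> List[Dict[str, object]]:
    """Classify every event and attach a severity. A host producing several hits in
    the same log is treated as mass archiving, which is what both incidents looked
    like: many files handled in quick succession."""
    alerts: List[Dict[str, object]] = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            alerts.append({"ts": event["ts"], "host": event["host"], "user": event["user"], "reasons": reasons})
    per_host = Counter(a["host"] for a in alerts)
    for a in alerts:
        a["severity"] = "high" if per_host[a["host"]] >= 2 or len(a["reasons"]) >= 2 else "medium"
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert["ts"], alert["host"], alert["user"], alert["severity"], "; ".join(alert["reasons"]))
```

The weekly backup on DB03 is deliberately left unflagged: plain archiving with a .rar target from the normal install path is routine on servers, and a rule that alerts on every rar.exe launch will be switched off within a week. What separates the two attacks from that baseline is the delete-after-archive switch, a password on the archive, an unusual extension, or the binary running from a temp directory, and the per-host burst count turns individual medium hits into an incident.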

As per the ransom note, the victim must pay 15.95 BTC ($940,000) for the entire recovery or 0.099 BTC ($5,850) per file. 

In the cases Sophos reviewed, the extortion attempts did not lead to a payment, because the victims restored their data from existing backups. Memento is a new group that has discovered a workable technique, though, and will almost certainly try it against other organizations.