Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Windows Defender. Show all posts

New Yunit Infostealer Bypasses Windows Defender and Steals Sensitive Data

 

A new information-stealing malware has been discovered that is capable of exfiltrating a large amount of sensitive information while also disabling antivirus products to create persistence on target endpoints.

CYFIRMA cybersecurity researchers have published a detailed investigation of the infostealer known as Yunit Stealer. Yunit Stealer employs JavaScript to include system utility and cryptography modules, enabling it to do activities such as system information retrieval, command execution, and HTTP queries. It persists on the target device by altering the registry, adding jobs via batch and VBScript, and, finally, by setting exclusions in Windows Defender.

When it comes to infostealing, Yunit is just as effective as any other malware. It can steal system information, browser data (passwords, cookies, autofill information, etc.), and bitcoin wallet information. In addition to passwords, it can keep credit card information that is kept in the browser. 

Once the malware has gathered all of the data it deems useful, it will attempt to exfiltrate it via Discord webhooks or into a Telegram channel. It will also upload it to a remote site and provide a download link for future use. The URL will also include screenshots, allowing the threat actor to access the information while remaining anonymous and evading discovery. Accessing data using encrypted communication channels is also beneficial.

The fact that the Telegram channel was only established on August 31, 2024, and that it only has 12 subscribers, according to CYFIRMA, serves as further evidence that Yunit is a fledgling infostealer that has not yet proven its mettle. As an alternative, the Discord account isn't operational right now. 

Prevention tips 

Keep your systems updated: Regularly updating your operating system and software can help defend against known vulnerabilities that Yunit Stealer could exploit. 

Use trustworthy antivirus software: While Yunit Stealer can disable some antivirus products, choosing a reputable and often updated security solution provides an extra degree of protection. 

Avoid dubious links and downloads. Phishing attacks are frequently the starting point for malware infections. Use caution while opening email attachments or clicking on unexpected URLs. 

Monitor your accounts: Check your online accounts on a regular basis for strange behaviour, particularly those that store sensitive data such as passwords and credit card information.

Microsoft Announced the End of Support for Windows 7 & 8

Microsoft has published a warning over the imminent end of support for Windows 8.1, which would not receive any updates or patches after January 10th, 2023.

According to the research, over 100 million computers were still running Windows 7 as of 2021, giving their owners little time to update them before they face the security hazards associated with utilizing an antiquated browser and operating system.

Windows 8.1 is still the fourth most popular Microsoft operating system in the world, according to the Statcounter team, with 2.45% of all Windows users having it installed on their computers. Given the fact that it will affect millions of individuals and expose numerous PCs to attack, this end of support is quite concerning. 

PCs running Windows XP, 7, or 8 were more prevalent than those running Windows 11 according to a Lansweeper survey of 27 million Windows devices conducted in October.

For systems running Windows 10 2004 or 20H2, Windows 10 21H1 was a minor feature update that was designed to be simple to install. It contained improvements to Windows Defender Application Guard, Windows Management Instrumentation via Group Policy, and support for several Windows Hello-enabled cameras. 

Along with the release of a new Chrome version, Google also disclosed that it will discontinue support for Windows 7 and Windows 8.1 in early 2023. For users to continue receiving new Chrome updates, their device must be running Windows 10 or later.

It would be wise for anyone running an outdated version of Windows to inspect their computers and make some critical adjustments this week. Microsoft has issued the warning because Windows 8.1 will soon stop receiving security updates and patches after January 10, 2023.

LockBit Ransomware Exploits Windows Defender to Load Cobalt Strike Payloads

 

A hacker linked with the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been identified exploiting the Windows Defender command-line tool to decrypt and install Cobalt Strike payloads.

According to endpoint security firm SentinelOne, the ransomware operator exploited VMware command-line utility called VMwareXferlogs.exe, to alter VMware tool settings and interface in the targeted operating systems, and downloaded a Cobalt Strike payload. The hacker also leveraged a command line tool associated with Windows Defender named “MpCmdRun.exe to” decrypt and load Cobalt Strike payloads. 

Subsequently, the malicious actor exploited the Log4Shell vulnerability which is the bug found in an open-source logging library employed by apps and services across the internet, and implemented a reconnaissance for thorough observation of the network to download the Cobalt Strike Payload.

SentinelOne stated that Windows Defender needs to be vigilant regarding the current scenario as hackers associated with the LockBit ransomware are exploring to abuse “novel living off the land tools” to deploy Cobalt Strike beacons bypassing traditional AV detection tools. 

“Defenders need to be alert to the fact that LockBit ransomware operators and affiliates are exploring and exploiting novel ‘living off the land’ tools to aid them in loading Cobalt Strike beacons and evading some common EDR and traditional AV detection tools,” SentinelOne said. 

“Importantly, tools that should receive careful scrutiny are any that either the organization or the organization’s security software have made exceptions for. Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls,” the company added. 

The LockBit ransomware has been active since 2019 and it has likely been used to target thousands of organizations. 

Earlier this year in June, the Lockbit ransomware gang announced the launch of Lockbit 3.0, a new ransomware-as-a-service offering and a bug bounty program. The group said it will offer rewards ranging between $1,000 and $1 million to security researchers and ethical or unethical hackers for information regarding vulnerabilities in their website, the ransomware encryption process, the Tox messaging app, and bugs exploiting their Tor infrastructure.

Because of a Flaw in Microsoft Defender, Threat Actors can Evade Detection

 

Threat actors were able to use a vulnerability in Microsoft Defender antivirus on Windows to learn about unscanned places and plant malware there. According to several users, the issue has existed for at least eight years and affects both Windows 10 21H1 and Windows 10 21H2. According to security researchers, the list of locations that are not scanned by Microsoft Defender are insecure and accessible to any local user. 

Windows Defender is an anti-malware component of Microsoft Windows. It was first made available as a free anti-spyware download for Windows XP, and it was then bundled with Windows Vista and Windows 7. It has evolved into a full antivirus solution, replacing Microsoft Security Essentials in Windows 8 and later editions. 

Local users, regardless of their permissions, can query the registry to see which paths Microsoft Defender is not permitted to check for malware or hazardous files. According to Antonio Cocomazzi, a SentinelOne threat researcher who reported the RemotePotato0 vulnerability, there is no protection for this sensitive information, and running the "reg query" command reveals everything that Microsoft Defender is not supposed to scan, whether it is files, folders, extensions, or processes. 

Like any other antivirus software, Microsoft Defender allows customers to specify which locations (local or network) on their PCs should be excluded from malware scanning. Exclusions are routinely used to keep antivirus software from interfering with the operation of legitimate apps that have been incorrectly labeled as malware. Because the list of scanning exceptions differs from user to user, this information is useful for an attacker on the system because it informs them where they can place harmful files without fear of being detected. 

However, Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019 enrolls users in particular exclusions based on their server role. These exclusions are not included in the normal exclusion lists. Exclusions for operating system files and server roles are automated because Microsoft Defender Antivirus is incorporated into Windows Server 2016 and later. Custom exclusions, on the other hand, can be specified by users. 

Although a threat actor must have local access in order to obtain the Microsoft Defender exclusions list, this is far from a stumbling block. Many attackers are already accessing stolen business networks in quest of a technique that will allow them to go laterally as silently as possible. 

According to BleepingComputer, the flaw was discovered in May by researcher Paul Bolton. Because Microsoft has yet to patch the flaw, administrators should use group policy to set Microsoft Defender while installing their systems, according to security researchers.

This New Malware Hides Itself Among Windows Defender Exclusions to Avoid Detection

 

On Tuesday, security experts confirmed the existence of a previously undocumented malware strain named "MosaicLoader," which targets people looking for cracked software as part of a global campaign. 

Bitdefender researchers stated in a report shared with The Hacker News, "The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service." 

"The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links." 

The malware's name comes from its complex internal structure, which is designed to avoid reverse engineering and escape investigation. MosaicLoader attacks employ a well-known malware delivery technique known as search engine optimization (SEO) poisoning, in which hackers buy ad slots in search engine results to elevate their harmful URLs to the top of the results when users search for keywords linked to pirated software. 

Following a successful infection, the Delphi-based dropper which masquerades as a software installer and serves as an entry point for retrieving next-stage payloads from a remote server and adding local exclusions in Windows Defender for the two downloaded executables in an effort to circumvent antivirus scanning. 

It's important to note that such Windows Defender exclusions can be found in the registry keys listed below: 

1.File and folder exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths 

2.File type exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions 

3.Process exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes 

One of the binaries, "appsetup.exe," is designed to attain system persistence, while the second, "prun.exe," is a downloader for a sprayer module that can obtain and deploy a range of attacks from a list of URLs, ranging from cookie stealers to cryptocurrency miners, and even more advanced implants like Glupteba. 

Because of MosaicLoader's broad capabilities, compromised systems can be co-opted into a botnet, which the threat actor can then use to spread a variety of malicious software, including both publicly available and customized malware, to gain, expand, and manage unauthorized access to victim computers and networks. 

The researchers added, "The best way to defend against MosaicLoader is to avoid downloading cracked software from any source."

Besides being against the law, cybercriminals look to target and exploit users searching for illegal software, adding it's essential to check the source domain of every download to make sure that the files are legitimate.

1,500 Businesses Globally were Affected by Kaseya Cyberattack

 

Kaseya, a Miami-based software provider to over 40,000 businesses, reported on July 2 that it was looking into a possible hack. The IT solutions provider for managed service providers (MSPs) and enterprise clients revealed a day later that it had been targeted by a "sophisticated cyberattack." According to CEO Fred Voccola, the ransomware attack has hit between 800 and 1,500 organizations throughout the world. In an interview with Reuters, he said it was impossible to determine the exact impact of the hack because the firms affected were Kaseya's clients. 

REvil, a hacking organization linked to Russia, published a blog on the dark web on Sunday claiming its involvement in the attack. REvil sought $70 million for the data to be restored. REvil has become one of the most well-known ransomware creators in the world. In the last month, it demanded an $11 million payment from the U.S. subsidiary of the world's largest meatpacking company, a $5 million payment from a Brazilian medical diagnostics company, and launched a large-scale attack on dozens, if not hundreds, of companies that use IT management software from Kaseya VSA. 

Kaseya is a company that provides its comprehensive integrated IT management platform to other businesses. It also provides organizations with tools such as VSA (Virtual System/Server Administrator) and other remote monitoring and management solutions for network endpoints. Kaseya also offers compliance systems, service desks, and a platform for service automation. 

According to the FBI, a vulnerability in Kaseya VSA software was used against many MSPs and their clients in the recent supply-chain ransomware campaign. VSA allows a company to control servers and other hardware, as well as software and services, from a remote location. Large enterprises and service providers who manage system administration for companies without their own IT staff utilize the software. 

According to Kevin Beaumont, a security specialist, the REvil ransomware was distributed through an apparent automatic bogus software update in the product. Because the malware had administrator access down to client systems, the MSPs who were attacked were able to infect the systems of their clients.

The attacker quickly disabled administrator access to VSA, according to Beaumont, and then inserted a task called "Kaseya VSA Agent Hot-fix." This phoney update was then pushed out to the entire estate, including MSP client systems. The management agent update was actually REvil ransomware, and non-Kaseya customers were still encrypted. The ransomware allowed hackers to disable antivirus software and run a phoney Windows Defender app, after which the computer's files were encrypted and couldn't be viewed without a key.

Windows 10 New Feature Hunts and Thwarts PUAs/PUPs


Per reports, Microsoft has hinted that the next main version of Windows 10 will come stacked with a fresh security feature that would allow the users to facilitate the Windows Defender’s secret feature that helps hunt and bar the installation of known PUAs (Potentially Unwanted Applications).

PUA’s are also widely known as PUPs that stands for Potentially Unwanted Programs. These aren’t as well known by the users in the cyber-crime world as all the other major threats but are a valid threat nevertheless.

Per sources, these are software that is installed on devices via fooling the targets. The term for which the PUP/PUA stands is self-explanatory with regards to applications or programs that your device may not really need.

PUPs/PUAs go around with tactics like either by employing “silent installs” to dodge user permissions or by “bundling” an unrequired application with the installer of an authentic program.

Sources mention that PUAs most commonly contain applications that alter browser history, hinder security controls, install root certificates, track users and sell their data, and display invasive ads.

As per reports, the May 2020 update is to be rolled out to the users in the last week of this month. Microsoft mentioned that it has added a fresh new feature in its setting panel that would allow users to bar the installation of any unwanted applications or programs in the form of known PUAs/PUPs.

As it turns out, researchers mention that the feature has been available in the Windows Defender for quite a lot of time, but for it to kick start it would need group policies and not the usual Windows user interface.

As per sources, to enable the feature a user must go to ‘Start’, ‘Settings’, ‘Update & Security’, ‘Windows Security’, ‘App & Browser Control’, and finally 'Reputation-based Protection Settings’. Once updated, the feature would show two settings, the above-mentioned feature is disabled by default and would need to be enabled manually. However, Microsoft suggests, enabling both the settings.

Reports mention, that the “Block Apps” feature will scan for PUAs that have already been downloaded or installed, so if the user’s using a different browser Windows Security would intercept it after it’s downloaded. However, the “Block Downloads” feature hunts the PUAs while they are being downloaded.

Modified TrickBot Trojan can now Steal Windows Active Directory Credentials


TrickBot trojan, a strain of malware that has been around affecting users since 2016 - is now evolved to steal Windows Active Directory credentials. Today, in the cybersecurity ecosystem it is considered as one of the top threats abusing businesses, experts estimate that TrickBot is responsible for compromising more than 250 million email accounts till date. Earlier, TrickBot went a step further while targeting Windows 10 users by disabling Windows defender onto their systems rather than just bypassing the protection. Fundamentally, TrickBot is a banking Trojan and is generally deployed through spearphishing emails like invoices mailed to the accounts department. Typically, it is attached as infected Microsoft Excel or Word documents. The malware can be spread across an organization in a number of ways, one of them is via exploiting vulnerabilities in a protocol called SMB which makes the process of sharing and accessing files on other systems easy for Windows computers.

First identified by Sandor Nemes, a security researcher from Virus Total, this new module of TrickBot dubbed as "ADII" further amplifies the threat it possesses for security, it steals Windows Active Directory information by executing a set of commands.

An Active Directory database is being created and stored into the default C:\Windows\NTDS folder on the domain controller, a server here is acting as the domain controller. Now, all the information including passwords, computers, users, and groups of Windows Active Directory are saved in a file by the name "ntds.dit" in the database. As all the aforementioned information is sensitive in nature, Windows resort to a BootKey that is located in the system component of the Registry and encrypts the information with the help of it. Admins who are responsible for database maintenance use a special tool known as "ntdsutil" to work with that database. Reportedly, standard file operations cannot access the BootKey.

How TrickBot Goes About Stealing Active Directory Credentials?


Administrators use the command "install from media", also known as "ifm", to create a dump of Active Directory. The command leads to the creation of an installation media for setting up new Domain Controllers. The new module "ADII" exploits the ifm command to produce a copy of the Windows Active Directory database; after the database is dumped into the %Temp% folder, the bot collects the information and transfers it to the admin. The collected data can be effective in infecting more systems in the same network and could also be employed by various other malware in search of similar vulnerabilities.

Legitimate Apps That Could Be Exploited To Bypass The Windows Defender: Microsoft’s List



Microsoft recently, published a conspicuous list of application that are legitimate and yet could be exploited by hackers to bypass the Windows defender.


These hackers try to slide into the organizations’ networks and infect them via bypassing the security imparted by the defender.

The hackers usually make use of off-the-land attack tactics where they use the victim’s operating system features or authentic network administration tools to compromise the networks.

The major motive of this project was to comprehend the binaries that were being misused by the attacker.

·       LOLBins- Living Off The Land Binaries
·       LOLScripts- Living Off The Land Scripts
·       LOLLibs- Living Off The Land Libraries
·       GTFOBins- Unix Platform Binaries

The only point of fusing the legitimate app is to stay undetected in order to bypass the security measures of the network.

The LOTL tools are just a way to be as stealthy as possible as be as malignant as possible without even being easily caught.

The following applications are in the list that Microsoft published and recommend to do away with if not in use:
·       addinprocess.exe
·       addinprocess32.exe
·       addinutil.exe
·       bash.exe
·       bginfo.exe[1]
·       cdb.exe
·       csi.exe
·       dbghost.exe
·       dbgsvc.exe
·       dnx.exe
·       fsi.exe
·       fsiAnyCpu.exe
·       kd.exe
·       ntkd.exe
·       lxssmanager.dll
·       msbuild.exe[2]
·       mshta.exe
·       ntsd.exe
·       rcsi.exe
·       system.management.automation.dll
·       windbg.exe
·       wmic.exe

Along with the published list Microsoft has also highly recommended the users to download latest security updates.

In addition it has also provided the “deny file rules” for all apps.

Lateral movement and defense evasion happen to be the mostly used ways to exploit the authentic applications.