May 31 2024

Hackers Weaponizing MS Office-Cracked Versions to Deliver Malware

Category: Cyberweapon,Malwaredisc7 @ 9:36 am
Hackers Weaponizing MS Office-Cracked Versions to Deliver Malware

Attackers in South Korea are distributing malware disguised as cracked software, including RATs and crypto miners, and registering themselves with the Task Scheduler to ensure persistence. 

Even after removing the initial malware, the Task Scheduler triggers PowerShell commands to download and install new variants, which persists because the PowerShell commands keep changing, leaving unpatched systems vulnerable to information theft, proxy abuse, and cryptocurrency mining.  

Attack flow
Attack flow

Malicious actors are leveraging file-sharing platforms to distribute malware disguised as cracked MS Office, which retrieves the download URL and target platform during infection, potentially enabling them to tailor attacks and evade detection.  

Cybercriminals are distributing malware disguised as cracked software. The malware, developed in.NET, uses obfuscation to hide its malicious code, and initially, it accessed Telegram to retrieve a download URL. 

Newer versions contain two Telegram URLs and a Mastodon URL, each with a string linked to a Google Drive or GitHub URL.

The threat actor hides malicious PowerShell commands within these cloud storage locations, using Base64 encoding for further obfuscation, and once executed, these commands install additional malware strains. 

Commands encrypted in Base64
Commands encrypted in Base64

The updater malware, “software_reporter_tool.exe,”  leverages a PowerShell script to download and maintain persistence, which creates a malicious executable at “C:\ProgramData\KB5026372.exe” and uses a compromised 7zip installation (“C:\ProgramData\Google\7z.exe”) to decompress a password-protected archive from GitHub or Google Drive (password: “x”) by mirroring tactics from a previous campaign. 

Malware installation using 7z and PowerShell
Malware installation using 7z and PowerShell

Additionally, the updater registers itself with the Task Scheduler to ensure continuous operation after a reboot, and the scheduled task triggers the PowerShell script for further updates and potential malware installation. 

The attackers deployed Orcus RAT and XMRig on the compromised system.

Orcus RAT can steal information through keylogging, webcam, and screenshot capture, while XMRig mines cryptocurrency. 

 3Proxy’s configuration file
 3Proxy’s configuration file

XMRig is configured to stop mining when resource-intensive programs are running and to terminate processes competing for resources, such as security software installers, while 3Proxy is used to turn the infected machine into a proxy server by adding a firewall rule and injecting itself into a legitimate process. 

 A Korean security program unable to operate properly due to the AntiAV malware
 A Korean security program unable to operate properly due to the AntiAV malware

According to ASEC, PureCrypter downloads and executes further payloads, and AntiAV malware disrupts security products by modifying their configuration files.  

Attackers are distributing malware disguised as popular Korean software (Windows, MS Office, Hangul) through file-sharing sites, and the malware bypasses file detection with frequent updates and utilizes the Task Scheduler for persistence, leading to repeated infections upon removal. 

Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Weaponizing MS Office

May 30 2024

Meta says it removed six influence campaigns including those from Israel and China

Category: cyber security,Cyberweapon,Deepfakes,Digital cold war,Disinformationdisc7 @ 9:39 am
https://www.theverge.com/2024/5/29/24167164/meta-covert-influence-campaigns-ai-china-israel

Some inauthentic networks used artificial intelligence in their campaigns to push certain political agendas, according to Meta.

Meta says it cracked down on propaganda campaigns on its platforms, including one that used AI to influence political discourse and create the illusion of wider support for certain viewpoints, according to its quarterly threat report published today. Some campaigns pushed political narratives about current events, including campaigns coming from Israel and Iran that posted in support of the Israeli government.

The networks used Facebook and Instagram accounts to try to influence political agendas around the world. The campaigns — some of which also originated in Bangladesh, China, and Croatia — used fake accounts to post in support of political movements, promote fake news outlets, or comment on the posts of legitimate news organizations.

A network originating in China, for example, consisted of several dozen Instagram and Facebook accounts, pages, and groups and was used to target global Sikh communities, Meta says. Another campaign traced to Israel used more than 500 Facebook and Instagram accounts to pose as local Jewish students, African Americans, and “concerned” citizens praising Israeli military actions and discussing campus antisemitism, among other types of content.

Some of the content shared by those two networks was likely created using generative AI tools, Meta writes. Accounts in the China-based campaign shared AI-generated images, and the Israeli campaign posted AI-generated comments, Meta found. The report says that, for now, AI-powered influence campaigns are not sophisticated enough to evade existing systems of detection.

Influence campaigns are regularly discovered on social media platforms. Earlier in May, TikTok said it had uncovered and disrupted a dozen such networks on its platform, including one that it traced to China.

Illustration: Nick Barclay / The Verge

How To Efficiently Fight By Digital Means Fake Political News and Blatant Disinformation: How to make sure that truth prevails.

EU tells Meta to crack down on Israel-Hamas disinfo

The Dozen Ds That Drive Israel’s Propaganda 

Iran and Israel Use Media and Propaganda to Try to Shape Post-Attack Reality

Pegasus is listening

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: China-based campaign, Fake Political News, israel propaganda campaign

Dec 05 2023

Hackers Use Weaponized Documents To Attack U.S. Aerospace Industry

Category: Cyberweapon,Cyberweapons,Hackingdisc7 @ 12:33 pm
Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed AeroBlade, which appears to be aimed at carrying out both competitive and commercial cyberespionage.

The threat actor employed spear-phishing as the means of distribution mechanism.

A weaponized document that was delivered as an email attachment reportedly has a malicious VBA macro code embedded in it as well as a remote template injection mechanism to provide the next stage of the payload execution, according to the BlackBerry Threat Research and Intelligence team.

AeroBlade Execution Chain

The network infrastructure and weaponization of the attacker appear to have gone active around September 2022, based on the evidence. 

Researchers estimate that the attack’s offensive phase took place in July 2023 with medium to high confidence. The network infrastructure stayed the same during that period, but the attacker’s toolset increased, making it stealthier.

There were two campaigns found, and there were a few similarities between them, such as:

  • Both lure documents were named “[redacted].docx.”
  • The final payload is a reverse shell.
  • The command-and-control (C2) server IP address is the same.

There were a few differences between the two campaigns, such as:

  • The final payload of the attack is stealthier and uses more obfuscation and anti-analysis techniques.
  • The campaign’s final payload includes an option to list directories from infected victims.
https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2023/11/aeroblade-fig01.png
AeroBlade execution chain

A targeted email containing a malicious document attachment with the filename [redacted].docx is the first sign of an infection.

When the document is opened, it shows text in a purposefully jumbled font and a “lure” message requesting that the potential victim click on it to activate the content in Microsoft Office.

https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2023/11/aeroblade-fig02.png
Malicious document displays text in a scrambled font

The next-stage information is saved in an XML (eXtensible Markup Language) file inside a .dotm file. A.dotm file is a Microsoft Word document template that contains the default layout, settings, and macros for a document.

When the victim manually clicks the “Enable Content” lure message and opens the file, the [redacted].dotm document drops a new file to the system and opens it.

“The newly downloaded document is readable, leading the victim to believe that the file initially received by email is legitimate. In fact, it’s a classic cyber bait-and-switch, performed invisibly right under the victim’s nose”, researchers said.

An executable file that is run on the system via the macro will be the final stage of execution. The final payload is a DLL that connects to a hard-coded C2 server and functions as a reverse shell.  With the use of reverse shells, attackers can force communication and gain total control of the target machine by open ports.

https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2023/11/aeroblade-fig14.png
Example of information collected from infected system

An American aerospace organization was the targeted target of both campaigns, based on the content of the lure message. Its goal was probably to obtain insight into its target’s internal resources to assess its vulnerability to a potential ransom demand.

The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cyber weapon

May 24 2023

Hackers Use Weaponized DOCX File to Deploy Stealthy Malware

Category: Cyberweapon,Hackingdisc7 @ 8:30 am
Hackers Use Weaponized DOCX File to Deploy Stealthy Malware

CERT-UA has identified and addressed a cyber attack on the government information systems of Ukrainian governmental state bodies.

Through investigation, it was discovered that the department’s email address received communications on April 18, 2023, and April 20, 2023, appearing to originate from the authentic email account of the Embassy from Tajikistan (In Ukraine).

Weaponized DOCX File

Suspected to be a result of the compromised state of the embassy, these emails comprised an attachment in the form of a document that contained a macro in the initial case while referring to the same document in the later incident.

When the document is downloaded, and its macro is activated, it creates and opens a DOCX file called “SvcRestartTaskLogon” with a macro that generates another file with the “WsSwapAssessmentTask” macro. 

While it also includes a “SoftwareProtectionPlatform” file categorized as HATVIBE, which can load and execute additional files.

During the course of technical investigation, it was documented that on April 25, 2023, supplementary programs were generated on the computer, possibly facilitated by HATVIBE, under uncertain circumstances.

Here below, we have mentioned those additional generated apps:-

  • LOGPIE keylogger
  • CHERRYSPY backdoor

The files are created with Python and secured with PyArmor, while the “pytransform” module, providing encryption and code obfuscation, is further safeguarded with Themida.

The STILLARCH malware is employed for searching and exfiltrating files, including data from the LOGPIE keylogger, with file extensions such as:-

  • .~tmp
  • .doc

Further analysis of infrastructure and associated data determined that the group’s targets include organizations from various countries engaging in espionage activities under the code name UAC-0063, which have been monitored since 2021.

To minimize the vulnerability scope, it is advisable to limit user accounts from executing “mshta.exe,” Windows Script Host (“wscript.exe,” “cscript.exe”), and the Python interpreter, thereby reducing the potential attack surface.

InfoSec tools | InfoSec services | InfoSec books

Tags: Weaponized DOCX

Oct 14 2022

Weaponized Mod WhatsApp Version “YoWhatsApp” Attempt to Hack Android Devices

Category: Cyberweapon,HackingDISC @ 8:52 am
Weaponized Mod WhatsApp Version “YoWhatsApp” Attempt to Hack Android Devices

Cybersecurity researchers at Kaspersky Security Labs have recently identified an unofficial version of WhatsApp for Android, which is dubbed by experts “YoWhatsApp.”

This unofficial version of WhatsApp is mainly designed to steal users’ account access keys or login credentials. There are many unofficial versions of legitimate apps that are advertised as being unofficial versions. 

While these unofficial versions lure users by advertising features that the official versions do not have. Though YoWhatsApp is an unofficial version of WhatsApp, but, it’s a fully working messenger with some key additional features like we have mentioned below:- 

  • UI customization
  • Blocking access to individual chats
  • Several emojis

Unofficial WhatsApp: YoWhatsApp

There is no difference between YoWhatsApp and the standard WhatsApp application in terms of permissions. The promotion of this unofficial Android mod is done using ads on popular Android apps such as the following ones: 

  • Snaptube
  • Vidmate

n the latest version of YoWhatsApp, version 2.22.11.75, the threat actors were able to obtain the keys to the WhatsApp accounts of their victims and take full control.

It is claimed that YoWhatsApp will allow users to send files up to 700 MB using their service. While there is a limit of 100 MB per file that can be sent from the official app to your contacts, and this makes the YoWhatsApp more appealing.

In a modified version of WhatsApp, the app sends the user’s access keys to a server located remotely on the developer’s server.

Source: Weaponized Mod WhatsApp Version “YoWhatsApp” Attempt to Hack Android Devices

Recommendations

Here below we have mentioned all the recommendations:-

  • Make sure you only install applications from official stores and websites that you can trust.
  • Make sure that you check what permissions you have given to installed apps.
  • Ensure that your smartphone is protected by a reliable mobile antivirus application.
  • Avoid downloading or installing unofficial mods.

Tags: whatsapp, YoWhatsApp

Jun 06 2022

Red TIM Research discovers a Command Injection with a 9,8 score on Resi

Category: App Security,Backdoor,Cyber Attack,Cyber Threats,CyberweaponDISC @ 8:33 am
Red TIM Research discovers a Command Injection with a 9,8 score on Resi

During the bug hunting activity, Red Team Research (RTR) detected 2 zero-day bugs on GEMINI-NET, a RESI Informatica solution.

It’s been detected an OS Command Injection, which has been identified from NIST as a Critical one, its score is 9,8.  This vulnerability comes from a failure to check the parameters sent as inputs into the system before they are processed by the server. 

Due to the lack of user input validation, an attacker can ignore the syntax provided by the software and inject arbitrary system commands with the user privileges of the application.

RESI S.p.A. has been for over thirty years a technological partner of the largest Italian organizations such as the Ministry of Defence, the Presidency of the Council of Ministers, the Italian Post Office, Leonardo, Ferrovie dello Stato, TIM, Italtel. Plus RESI S.p.A. Is one of the few Italian companies, that creates national technology.

Please note that patches for these specific vulnerabilities have been released by Resi.

Resi

What GEMINI-NET from Resi is

GEMINI-NET™ is a Resi product that allows active and passive monitoring of networks and communication services, used in many networks, both old and new generation. This platform is an OSS system that can be integrated, modular and scalable.

It monitors in real time all the needs related to typical network services and infrastructure issues and is able to optimize resources and data traffic on the network.

Resi

According to the institutional website https:///www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.

Below are the details that have been published on the institutional website and NIST ratings.

CVE-2022-29539 â€“ RESI S.p.A

  • Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection – CWE-78)
    Software Version: 4.2
    NIST
    https://nvd.nist.gov/vuln/detail/CVE-2022-29539

    CVSv3: 9.8
    Severity: CriticalRESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.

According to the institutional website https:///www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.

Below are the details that have been published on the institutional website and NIST ratings.

CVE-2022-29539 â€“ RESI S.p.A

  • Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection – CWE-78)
    Software Version: 4.2
    NISThttps://nvd.nist.gov/vuln/detail/CVE-2022-29539
    CVSv3: 9.8
    Severity: CriticalRESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.

We are talking about one of the few Italian centers of industrial research about security bugs, where since few years are performed “bug hunting” activities that aim to search for undocumented vulnerabilities, leading to a subsequent issuance of a Common Vulnerabilities and Exposures (CVE) on the National Vulnerability Database of the United States of America, once the Coordinated Vulnerability Disclosure (CVD) with the Vendor is over.

In two years of activity, the team has detected many 0-days on very popular products of big vendors, such as Oracle, IBM, Ericsson, Nokia, Computer Associates, Siemens, QNAP, Johnson & Control, Schneider Electric, as well as other vendors on different types of software architectures.

In two years, more than 70 CVEs have been published, 4 of them with a Critical severity (9.8 of CVSSv3 scores), 23 of them with a High severity and 36 of them with a Medium severity.

Speaking about a vulnerability detected on Johnson & Control’s Metasys Reporting Engine (MRE) Web Services Product, Cybersecurity and Infrastructure Security Agency (CISA) of the United States of America issued a specific Security Bulletin reporting as Background the following sectors: “CRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/ AREAS USED and COMPANY HEADQUARTERS”.

It is an all-Italian reality that issues a CVE every 6 working days, internationally contributing to the research for undocumented vulnerabilities, and contributing to the security of the products used by many organizations and several individuals.

Secure Application Development


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: command injection, Secure Application Development

Jan 29 2022

The Battle for the World’s Most Powerful Cyberweapon

Category: Cyberweapon,SpywareDISC @ 11:49 am

A Times investigation reveals how Israel reaped diplomatic gains around the world from NSO’s Pegasus spyware — a tool America itself purchased but is now trying to ban.

In June 2019, three Israeli computer engineers arrived at a New Jersey building used by the F.B.I. They unpacked dozens of computer servers, arranging them on tall racks in an isolated room. As they set up the equipment, the engineers made a series of calls to their bosses in Herzliya, a Tel Aviv suburb, at the headquarters for NSO Group, the world’s most notorious maker of spyware. Then, with their equipment in place, they began testing.

The F.B.I. had bought a version of Pegasus, NSO’s premier spying tool. For nearly a decade, the Israeli firm had been selling its surveillance software on a subscription basis to law-enforcement and intelligence agencies around the world, promising that it could do what no one else — not a private company, not even a state intelligence service — could do: consistently and reliably crack the encrypted communications of any iPhone or Android smartphone.

Since NSO had introduced Pegasus to the global market in 2011, it had helped Mexican authorities capture Joaquín Guzmán Loera, the drug lord known as El Chapo. European investigators have quietly used Pegasus to thwart terrorist plots, fight organized crime and, in one case, take down a global child-abuse ring, identifying dozens of suspects in more than 40 countries. In a broader sense, NSO’s products seemed to solve one of the biggest problems facing law-enforcement and intelligence agencies in the 21st century: that criminals and terrorists had better technology for encrypting their communications than investigators had to decrypt them. The criminal world had gone dark even as it was increasingly going global.

But by the time the company’s engineers walked through the door of the New Jersey facility in 2019, the many abuses of Pegasus had also been well documented. Mexico deployed the software not just against gangsters but also against journalists and political dissidents. The United Arab Emirates used the software to hack the phone of a civil rights activist whom the government threw in jail. Saudi Arabia used it against women’s rights activists and, according to a lawsuit filed by a Saudi dissident, to spy on communications with Jamal Khashoggi, a columnist for The Washington Post, whom Saudi operatives killed and dismembered in Istanbul in 2018.

The Battle for the World’s Most Powerful Cyberweapon

The World’s Most Terrifying Spyware

Pegasus Spyware – ‘A Privacy Killer’

Finland says it found NSO’s Pegasus spyware on diplomats’ phones

Tags: cyberweapons, diplomats’ phones, Finland, NSO, NSO Group, Pegasus spyware, Pegasus Spyware - 'A Privacy Killer'