InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
A recently discovered exploit leverages ZIP file concatenation to bypass antivirus detection and deliver malware. This technique involves appending malicious data to a legitimate ZIP file in a manner that confuses some file-handling software. While certain tools may fail to display or detect the appended content, others expose the malicious files, creating a dangerous inconsistency.
The ZIP file format organizes compressed files with a central directory at the end of the archive. By appending new ZIP data to an existing archive, attackers create a “concatenated” file. This approach takes advantage of discrepancies in how ZIP file structures are processed by different software, leaving some tools vulnerable to malicious payloads.
The primary threat lies in how antivirus programs handle these concatenated files. Many fail to fully scan the appended portions of a ZIP archive, allowing embedded malware to evade detection. When unsuspecting users extract such files, they risk executing harmful code, potentially compromising their systems.
Recursive Extraction Defenses: Traditional detection solutions may lack recursive unpacking capabilities, which means they do not parse every layer of a concatenated ZIP file. Threat actors leverage this gap to keep malicious content hidden in nested or concatenated layers that security software may overlook.
Popular tools like WinRAR, which is widely used for managing ZIP archives, are particularly impacted by this flaw. The issue doesn’t stem from the ZIP format itself but from how specific tools and antivirus solutions interpret concatenated data. This underscores the need for both robust software engineering and thorough security testing.
To mitigate the risk, it’s crucial for users to keep their antivirus software up to date. Security tools are being enhanced to detect these sophisticated attack methods, but vigilance remains key. Users should be cautious when handling ZIP files, especially those from unfamiliar or untrusted sources, and ensure all files are scanned before opening.
Organizations can further protect themselves by educating employees and enforcing strict file-handling policies. Training users to identify suspicious files and avoid extracting archives without proper scanning can greatly reduce exposure to these attacks. This layered approach, combining technology, awareness, and policy, is essential to defend against evolving cybersecurity threats.
A new vulnerability affecting WinRAR and ZIP file extraction tools has been identified, which can allow malware to bypass antivirus programs. Attackers exploit this by embedding malicious scripts within specially crafted ZIP or RAR files, which can evade detection and execute upon extraction. The flaw takes advantage of how some extraction tools handle paths and permissions, potentially leading to unauthorized access and execution. Users are advised to update their software and exercise caution with untrusted compressed files to mitigate the risk of such attacks.
Overview: Microsoft SmartScreen is a cloud-based anti-phishing and anti-malware component that comes integrated with various Microsoft products like Microsoft Edge, Internet Explorer, and Windows. It is designed to protect users from malicious websites and downloads.
Key Features:
URL Reputation:
SmartScreen checks the URL of websites against a list of known malicious sites stored on Microsoft’s servers. If the URL matches one on the list, the user is warned or blocked from accessing the site.
Application Reputation:
When a user downloads an application, SmartScreen checks its reputation based on data collected from other users who have downloaded and installed the same application. If the app is deemed suspicious, the user is warned before proceeding with the installation.
Phishing Protection:
SmartScreen analyzes web pages for signs of phishing and alerts the user if a site appears to be trying to steal personal information.
Malware Protection:
The system can identify and block potentially malicious software from running on the user’s device.
Integration with Windows Defender:
SmartScreen works in conjunction with Windows Defender to provide a layered security approach, ensuring comprehensive protection against threats.
How it Works:
URL and App Checks:
When a user attempts to visit a website or download an application, SmartScreen sends a request to the SmartScreen service with the URL or app details.
The service checks the details against its database and returns a verdict to the user’s device.
Based on the verdict, the browser or operating system either allows, blocks, or warns the user about potential risks.
Telemetry and Feedback:
SmartScreen collects telemetry data from users’ interactions with websites and applications, which helps improve the accuracy of its threat detection algorithms over time.
Smart App Control (SAC)
Overview: Smart App Control (SAC) is a security feature in Windows designed to prevent malicious or potentially unwanted applications from running on the system. It is an evolution of the earlier Windows Defender Application Control (WDAC) and provides advanced protection by utilizing cloud-based intelligence and machine learning.
Key Features:
Predictive Protection:
SAC uses machine learning models trained on a vast amount of data to predict whether an application is safe to run. It blocks apps that are determined to be risky or have no known good reputation.
Cloud-Based Intelligence:
SAC leverages Microsoft’s cloud infrastructure to continuously update its models and threat intelligence, ensuring that protection is always up-to-date.
Zero Trust Model:
By default, SAC assumes that all applications are untrusted until proven otherwise, aligning with the zero trust security model.
Seamless User Experience:
SAC operates silently in the background, allowing trusted apps to run without interruptions while blocking potentially harmful ones. Users receive clear notifications and guidance when an app is blocked.
Policy Enforcement:
Administrators can define policies to control app execution on enterprise devices, ensuring compliance with organizational security standards.
How it Works:
App Analysis:
When an app attempts to run, SAC sends its metadata to the cloud for analysis.
The cloud service evaluates the app against its machine learning models and threat intelligence to determine its risk level.
Decision Making:
If the app is deemed safe, it is allowed to run.
If the app is determined to be risky or unknown, it is blocked, and the user is notified with an option to override the block if they have sufficient permissions.
Policy Application:
SAC policies can be customized and enforced across an organization to ensure consistent security measures on all managed devices.
Integration with Windows Security:
SAC is integrated with other Windows security features like Microsoft Defender Antivirus, providing a comprehensive defense strategy against a wide range of threats.
Despite the robust protections offered by Microsoft SmartScreen and Smart App Control (SAC), some techniques can sometimes bypass these features through several sophisticated techniques.
1. Signed Malware Bypassing Microsoft SmartScreen and SAC
1. Valid Digital Signatures:
Stolen Certificates: Cybercriminals can steal valid digital certificates from legitimate software developers. By signing their malware with these stolen certificates, the malware can appear trustworthy to security features like SmartScreen and SAC.
Bought Certificates: Attackers can purchase certificates from Certificate Authorities (CAs) that might not perform thorough background checks. These certificates can then be used to sign malware.
2. Compromised Certificate Authorities:
If a Certificate Authority (CA) is compromised, attackers can issue valid certificates for their malware. Even if the malware is signed by a seemingly reputable CA, it can still be malicious.
3. Certificate Spoofing:
Advanced attackers may use sophisticated techniques to spoof digital certificates, making their malware appear as if it is signed by a legitimate source. This can deceive security features into trusting the malware.
4. Timing Attacks:
Some malware authors time their attacks to take advantage of the period between when a certificate is issued and when it is revoked or added to a blacklist. During this window, signed malware can bypass security checks.
5. Use of Legitimate Software Components:
Attackers can incorporate legitimate software components into their malware. By embedding malicious code within a signed, legitimate application, the entire package can be trusted by security features.
6. Multi-Stage Attacks:
Initial stages of the malware may appear harmless and thus be signed and trusted. Once the initial stage is executed and trusted by the system, it can download and execute the actual malicious payload.
7. Social Engineering:
Users may be tricked into overriding security warnings. For example, if SmartScreen or SAC blocks an application, an attacker might use social engineering tactics to convince the user to manually bypass the block.
2. How Reputation Hijacking Bypasses Microsoft SmartScreen and SAC
Compromised Legitimate Websites:
Method: Attackers compromise a legitimate website that has a strong reputation and inject malicious content or host malware on it.
Bypass Mechanism: Since SmartScreen relies on the reputation of websites to determine if they are safe, a website with a previously good reputation may not trigger alerts even if it starts serving malicious content. Users are not warned because the site’s reputation was established before the compromise.
Trusted Domains and Certificates:
Method: Attackers use domains with valid SSL certificates issued by trusted Certificate Authorities (CAs) to host malicious content.
Bypass Mechanism: SmartScreen and SAC check for valid certificates as part of their security protocols. A valid certificate from a trusted CA makes the malicious site appear legitimate, thus bypassing the security checks that would flag a site with an invalid or self-signed certificate.
Embedding Malware in Legitimate Software:
Method: Attackers inject malicious code into legitimate software or its updates.
Bypass Mechanism: If the legitimate software has a good reputation and is signed with a valid certificate, SmartScreen and SAC are less likely to flag it. When users update the software, the malicious payload is delivered without triggering security warnings because the update appears to be from a trusted source.
Phishing with Spoofed Emails:
Method: Attackers send phishing emails that appear to come from trusted sources, often using spoofed email addresses.
Bypass Mechanism: Users are more likely to trust and open emails from familiar and reputable sources. SmartScreen may not always catch these emails, especially if they come from legitimate domains that have been spoofed, leading users to malicious websites or downloads.
Domain and Subdomain Takeover:
Method: Attackers take over expired or unused domains and subdomains of reputable sites.
Bypass Mechanism: Since the domain or subdomain was previously associated with a legitimate entity, SmartScreen and SAC may continue to trust it based on its historical reputation. This allows attackers to serve malicious content from these domains without raising security flags.
Social Engineering Attacks:
Method: Attackers trick users into overriding security warnings by posing as legitimate sources or using persuasive tactics.
Bypass Mechanism: Even if SmartScreen or SAC warns users, skilled social engineering can convince them to bypass these warnings. Users might disable security features or proceed despite warnings if they believe the source is trustworthy.
3. How Reputation Seeding Bypasses Microsoft SmartScreen and SAC
Reputation seeding is a tactic where attackers build a positive reputation for malicious domains, software, or email accounts over time before launching an attack. This can effectively bypass security measures like Microsoft SmartScreen and Smart App Control (SAC) because these systems often rely on reputation scores to determine the trustworthiness of an entity. Here’s how reputation seeding works and strategies to mitigate it:
How Reputation Seeding Works
Initial Clean Activity:
Method: Attackers initially use their domains, software, or email accounts for legitimate activities. This involves hosting benign content, sending non-malicious emails, or distributing software that performs as advertised without any harmful behavior.
Bypass Mechanism: During this period, SmartScreen and SAC observe and record these entities as safe and build a positive reputation for them. Users interacting with these entities during the seeding phase do not encounter any security warnings.
Gradual Introduction of Malicious Content:
Method: Over time, attackers start to introduce malicious content slowly. This might involve adding malware to software updates, injecting harmful code into websites, or sending phishing emails from trusted accounts.
Bypass Mechanism: Because the entities have already established a positive reputation, initial malicious activities may not be immediately flagged by SmartScreen or SAC, allowing the attackers to reach their targets.
Leveraging Established Trust:
Method: Once a strong reputation is established, attackers conduct large-scale malicious campaigns. They leverage the trust built over time to bypass security checks and deceive users.
Bypass Mechanism: The established positive reputation causes security systems to consider these entities as low-risk, allowing malware or phishing attempts to bypass filters and reach users without triggering alarms.
Typical Timeframes for Reputation Seeding
Websites:
Short-Term (Weeks): Initial establishment of a website with benign content and basic user interactions.
Medium-Term (Months): Gaining backlinks, increasing traffic, and more extensive content creation.
Long-Term (6+ Months): Strong reputation with significant traffic, positive user interactions, and established trust.
Software:
Short-Term (Weeks): Initial distribution and passing basic security checks.
Medium-Term (Months): Accumulating downloads, positive user reviews, and routine updates.
Long-Term (6+ Months): Strong reputation with widespread usage and consistently positive feedback.
Email Accounts:
Short-Term (Weeks): Initial legitimate emails and normal interactions.
Medium-Term (1-2 Months): Building trust through regular, benign communication.
Long-Term (3+ Months): Established trust with consistent, non-malicious activity.
4 .How Reputation Tampering Bypasses Microsoft SmartScreen and SAC
Reputation tampering, particularly in the context of Smart App Control (SAC), can exploit the way SAC assesses and maintains the reputation of files. Given that SAC might use fuzzy hashing, feature-based similarity comparisons, and machine learning models to evaluate file reputation, attackers can manipulate certain segments of a file without changing its perceived reputation. Here’s a deeper dive into how this works and the potential implications:
How Reputation Tampering Works in SAC
Fuzzy Hashing:
Method: Unlike traditional cryptographic hashing, which changes completely with any alteration to the file, fuzzy hashing allows for minor changes without drastically altering the hash value. This means that files with small modifications can still be considered similar to the original.
Attack: Attackers modify segments of the file that do not significantly affect the fuzzy hash value, allowing the file to retain its reputation.
Feature-Based Similarity Comparisons:
Method: SAC may use feature-based similarity comparisons to evaluate files. These features could include metadata, structural attributes, or specific code patterns that are consistent with known good files.
Attack: By understanding which features are used and ensuring that these remain unchanged while modifying other parts of the file, attackers can maintain the file’s good reputation.
Machine Learning Models:
Method: Machine learning models in the cloud may analyze files based on patterns learned from a large dataset of known good and bad files. These models might use a variety of indicators beyond simple hashes.
Attack: Through trial and error, attackers identify which code sections can be altered without changing the overall pattern recognized by the ML model as benign. They can then inject malicious code into these sections.
5. How LNK stomping Bypasses Microsoft SmartScreen and SAC
LNK stomping is a technique where attackers modify LNK (shortcut) files to execute malicious code while appearing legitimate to users and security systems. By leveraging the flexibility and capabilities of LNK files, attackers can disguise their malicious intentions and bypass security features such as Microsoft SmartScreen and Smart App Control (SAC). Here’s how LNK stomping works and how it can bypass these security features:
How LNK Stomping Works
Creating a Malicious LNK File:
Method: Attackers create an LNK file that points to a legitimate executable or document but includes additional commands or scripts that execute malicious code.
Example: An LNK file might appear to open a PDF document, but in reality, it executes a PowerShell script that downloads and runs malware.
Modifying Existing LNK Files:
Method: Attackers modify existing LNK files on a target system to include malicious commands while retaining their original appearance and functionality.
Example: An LNK file for a commonly used application (e.g., a web browser) is modified to first execute a malicious script before launching the application.
Embedding Malicious Code:
Method: Attackers embed malicious code directly within the LNK file, taking advantage of the file’s structure and features.
Example: An LNK file might contain embedded shell commands that execute when the shortcut is opened.
Understanding the MotW Bypass via LNK File Manipulation
The Mark of the Web (MotW) is a critical security feature used to flag files downloaded from the internet, making them subject to additional scrutiny by antivirus (AV) and endpoint detection and response (EDR) systems, including Microsoft SmartScreen and Smart App Control (SAC). However, certain techniques can bypass this feature, allowing potentially malicious files to evade detection. Here, we’ll explore how manipulating LNK (shortcut) files can bypass MotW checks
Manually Creating an LNK File with a Non-Standard Target Path
Locate the PowerShell Script:
Ensure you have the path to the PowerShell script, for example, C:\Scripts\MyScript.ps1.
Create the Shortcut:
Right-click on the desktop or in the folder where you want to create the shortcut.
Select New > Shortcut.
Enter the Target Path:
In the “Type the location of the item” field, enter the following command with a non-standard path:
powershell.exe -File "C:\Scripts\MyScript.ps1."
Notice the extra dot at the end of the script path.
Name the Shortcut:
Enter a name for your shortcut (e.g., Run MyScript Non-Standard).
Click Finish.
Verify the Target Path:
Right-click the newly created shortcut and select Properties.
In the Target field, you should see:
powershell.exe -File "C:\Scripts\MyScript.ps1."
Click OK to save the changes.
By following these steps, you can create an LNK file that points to a PowerShell script with a non-standard target path. This can be used for testing how such files interact with security features like SmartScreen and Smart App Control.
Manually Creating an LNK File with a Relative Path
Locate the PowerShell Script:
Ensure you have the relative path to the PowerShell script within its directory structure, for example, .\Scripts\MyScript.ps1.
Create the Shortcut:
Right-click on the desktop or in the folder where you want to create the shortcut.
Select New > Shortcut.
Enter the Target Path:
In the “Type the location of the item” field, enter the following command with a relative path:
powershell.exe -File ".\Scripts\MyScript.ps1"
Click Next.
Name the Shortcut:
Enter a name for your shortcut (e.g., Run MyScript Relative).
Click Finish.
Verify the Target Path:
Right-click the newly created shortcut and select Properties.
In the Target field, you should see:
powershell.exe -File ".\Scripts\MyScript.ps1"
Click OK to save the changes.
Manually Creating an LNK File with a multi-level path
To create an LNK file with a multi-level path in the target path array, we need to manipulate the internal structure of the LNK file to contain a non-standard target path. This involves using a utility or script that can handle the creation and modification of LNK files with detailed control over their internal structure.
Here’s a step-by-step guide to creating such an LNK file using PowerShell and a specialized library for handling LNK files, pylnk3, which is a Python-based library. For this example, you will need to have Python installed along with the pylnk3 library.
Step-by-Step Guide
Prerequisites
Install Python:
If you don’t have Python installed, download and install it from the official website: Python.org.
Install pylnk3 Library:
Open a command prompt or terminal and run the following command to install pylnk3:shCopy codepip install pylnk3
Creating a Multi-Level Path LNK File
Create a Python Script to Generate the LNK File:
Create a Python script (e.g., create_lnk.py) with the following content:
import lnk
# Define the path for the new shortcut
shortcut_path = "C:\\Users\\Public\\Desktop\\MyScriptShortcutMultiLevel.lnk"
# Create a new LNK file
lnk_file = lnk.lnk_file()
# Set the target path with multi-level path entries
lnk_file.add_target_path_entry("..\\..\\Scripts\\MyScript.ps1")
# Set the arguments for the target executable
lnk_file.command_line_arguments = "-File .\\Scripts\\MyScript.ps1"
# Save the LNK file
with open(shortcut_path, "wb") as f:
lnk_file.write(f)
print(f"Shortcut created at: {shortcut_path}")
Run the Python Script:
Open a command prompt or terminal and navigate to the directory where your Python script is located.
Run the script using the following command:shCopy codepython create_lnk.py
Explanation
lnk.lnk_file(): Creates a new LNK file object.
add_target_path_entry: Adds entries to the target path array. Here, we use a relative path (..\\..\\Scripts\\MyScript.ps1) to simulate a multi-level path.
command_line_arguments: Sets the arguments passed to the target executable. In this case, we pass -File .\Scripts\MyScript.ps1.
write: Saves the LNK file to the specified path.
Additional Notes
Relative Paths: The use of relative paths (..\\..\\) in the target path entries allows us to create a multi-level path structure within the LNK file.
Non-Standard Structures: By manipulating the internal structure of the LNK file, we can craft paths that might bypass certain security checks.
Running the LNK File
After creating the LNK file, you can test its behavior by double-clicking it. The crafted LNK file should follow the relative path and execute the target PowerShell script, demonstrating how non-standard paths can be used within an LNK file.
The article “Dismantling Smart App Control” by Elastic Security Labs explores the vulnerabilities and bypass techniques of Windows Smart App Control (SAC) and SmartScreen. For more details, you can read the full article here.
A malware campaign of huge magnitude, and perhaps run by just one group, is using artificially nested files for distribution named ‘WEXTRACT.EXE .MUI’.
More than 50,000 files worldwide featuring this method are delivered by different stealers and loaders such as Redline, RisePro, and Amadey.
Several samples are associated with an Eastern European cybercriminal-linked Autonomous System.
Cybersecurity researchers at OutPost24 recently detected that a new hacker group has been attacking the system with 1o malware at the same time.
10 Malware At Same Time
The “WEXTRACT.EXE .MUI” malware distribution system is one that makes use of nested cabinet files to distribute a number of malware samples such as stealers and loaders.
This method’s complex execution sequence drops and runs malware in reverse order, which may result in bypassing security measures.
The technique could cause multiple infections as the loaders may download more malware.
From February 2023 through the start of 2024, a massive malware distribution campaign nested multiple malware families, such as Redline, Mystic Stealer, RisePro, Amadey, and SmokeLoader.
The campaign developed over time, incorporating obfuscation tools and different distribution methods.
An examination of over two thousand one hundred examples showed some malware combinations in which victims might be infected by several stealers and loaders simultaneously.
This suggests that there was a single actor behind the infrastructure and tactics for this campaign.
Distribution steps of one sample of WEXTRACT (Source – OutPost24)
It is likely that the campaign to distribute malware called “Unfurling Hemlock” buys distribution services from other actors.
Its earliest phases were in email attachments and downloads from hacked or hoax websites.
The infrastructure, mostly based on AS 203727, uses both exclusive and shared IPs for distributing WEXTRACT and other malware.
This indicates one actor or entity that is responsible for the campaign but delegates some of its distribution aspects to others.
The malware campaign uses different C2 URLs and IP addresses, some of which are specific to the WEXTRACT-related malware and others that are common to other campaigns.
The diversity in infrastructure supports the insight that this actor could be supplying samples from other campaigns, possibly encouraged by financial interest.
While the upload locations may not indicate the actual infection sites, the infection sources cut across several countries.
Here below we have mentioned the countries:-
Origin of the samples (Source – OutPost24)
Unlike the usual trend, this huge malware attack mainly targets Western institutions, including Russia.
This operation launched different types of malware simultaneously to increase the possibilities of infection and diversify potential paybacks.
Though not highly developed, this “cluster bomb” method may be adopted by threat actors in the future.
Researchers recommended using the latest anti-malware tools, performing analysis of packed files, and user alertness to be cautious about suspicious downloads and emails.
Fake IT support sites promote malicious PowerShell “fixes” for common Windows errors, like the 0x80070643 error, to infect devices with information-stealing malware.
First discovered by eSentire’s Threat Response Unit (TRU), the fake support sites are promoted through YouTube channels that have been compromised and hijacked to add legitimacy to the content creator.
In particular, the threat actors are creating fake videos promoting a fix for the 0x80070643 error that millions of Windows users have been dealing with since January.
“There were some problems installing updates, but we’ll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x80070643),” reads the Windows Update error.
0x80070643 in Windows Update Source: BleepingComputer
It turns out that Windows Update is displaying an incorrect error message, as it was supposed to display a CBS_E_INSUFFICIENT_DISK_SPACE error on systems with a Windows Recovery Environment (WinRE) partition that’s too small for the update to install.
Microsoft explained that the new security update requires that the WinRE partition have 250 megabytes of free space, and if it doesn’t, you must manually expand the partition yourself.
However, expanding the WinRE partition is complicated, if not impossible, for those whose WinRE is not the last partition on the drive.
Due to this, many are unable to install the security update and are left with the 0x80070643 error message every time they use Windows Update.
These errors have caused many frustrated Windows users to seek a solution online, allowing threat actors to capitalize on their search for a fix.
Fake IT sites promote PowerShell fixes
According to eSentire, threat actors are creating numerous fake IT support sites that are specifically designed to help users with common Windows errors, heavily focusing on the 0x80070643 error.
“In June 2024, eSentire’s Threat Response Unit (TRU) observed an intriguing case involving a Vidar Stealer infection initiated through a fake IT support website (Figure 1),” explains the eSentire report.
“The infection began when the victim performed a web search for solutions to a Windows Update Error code.”
The researchers found two fake IT support sites promoted on YouTube named pchelprwizzards[.]com and pchelprwizardsguide[.]com. While writing this article, BleepingComputer found additional sites at pchelprwizardpro[.]com, pchelperwizard[.]com, and fixedguides[.]com.
Like the other videos eSentire found for the PCHelperWizard typo sites, BleepingComputer also found YouTube videos for the FixedGuides site, also promoting fixes for the 0x80070643 errors.
These sites all offer fixes that either require you to copy and run a PowerShell script or import the contents of a Windows Registry file.
Regardless of which “solution” is used, a PowerShell script will be executed that downloads malware on the device.
eSentire’s report outlines how the PCHelperWizard sites (not to be confused with the legitimate course site) will walk users through copying a PowerShell script into the Windows Clipboard and execute it in a PowerShell prompt.
Malicious PowerShell script disguised as a Windows error fix Source: BleepingComputer
This PowerShell script contains a Base64 encoded script that will connect to a remote server to download another PowerShell script, which installs the Vidar information-stealing malware on the device.
When the script is finished, it will display a message that the fix was successful and to restart the computer, which will also launch the malware.
The FixedGuides site does it a bit differently, using an obfuscated Windows Registry file to hide autostarts that launch a malicious PowerShell script.
However, when I extracted the strings from the above file, you can see that it contains a valid Registry file that adds a Windows autostart (RunOnce) entry that runs a PowerShell script. This script ultimately downloads and installs information-stealing malware on the computer.
Using either fake fix will result in the information-stealing malware launching after Windows is restarted. Once started, the malware will extract saved credentials, credit cards, cookies, and browsing history from your browser.
Vidar can also steal cryptocurrency wallets, text files, and Authy 2FA authenticator databases, as well as take screenshots of your desktop.
This data is compiled into an archive called a “log,” which is then uploaded to the attacker’s servers. The stolen data is then used to fuel other attacks, such as ransomware attacks, or sold to other threat actors on dark web marketplaces.
However, the infected user is now left with a nightmare, having all their accounts compromised and potentially suffering financial fraud.
While Windows errors can be annoying, it is crucial to download software and fixes only from trusted websites, not from random videos and websites with little or no reputation.
Your credentials have become a valuable commodity and threat actors are coming up with sneaky and creative methods to steal them, so unfortunately, everyone needs to stay vigilant against unusual attack methods.
As for the 0x80070643 errors, if you are unable to resize the WinRE partition, your best bet is to use Microsoft’s Show or Hide Tool to hide the KB5034441 update so that Windows Update no longer offers it on your system and not search on the Internet for a magic fix.
Attackers in South Korea are distributing malware disguised as cracked software, including RATs and crypto miners, and registering themselves with the Task Scheduler to ensure persistence.
Even after removing the initial malware, the Task Scheduler triggers PowerShell commands to download and install new variants, which persists because the PowerShell commands keep changing, leaving unpatched systems vulnerable to information theft, proxy abuse, and cryptocurrency mining.
Attack flow
Malicious actors are leveraging file-sharing platforms to distribute malware disguised as cracked MS Office, which retrieves the download URL and target platform during infection, potentially enabling them to tailor attacks and evade detection.
Cybercriminals are distributing malware disguised as cracked software. The malware, developed in.NET, uses obfuscation to hide its malicious code, and initially, it accessed Telegram to retrieve a download URL.
Newer versions contain two Telegram URLs and a Mastodon URL, each with a string linked to a Google Drive or GitHub URL.
The threat actor hides malicious PowerShell commands within these cloud storage locations, using Base64 encoding for further obfuscation, and once executed, these commands install additional malware strains.
Commands encrypted in Base64
The updater malware, “software_reporter_tool.exe,” leverages a PowerShell script to download and maintain persistence, which creates a malicious executable at “C:\ProgramData\KB5026372.exe” and uses a compromised 7zip installation (“C:\ProgramData\Google\7z.exe”) to decompress a password-protected archive from GitHub or Google Drive (password: “x”) by mirroring tactics from a previous campaign.
Malware installation using 7z and PowerShell
Additionally, the updater registers itself with the Task Scheduler to ensure continuous operation after a reboot, and the scheduled task triggers the PowerShell script for further updates and potential malware installation.
The attackers deployed Orcus RAT and XMRig on the compromised system.
Orcus RAT can steal information through keylogging, webcam, and screenshot capture, while XMRig mines cryptocurrency.
3Proxy’s configuration file
XMRig is configured to stop mining when resource-intensive programs are running and to terminate processes competing for resources, such as security software installers, while 3Proxy is used to turn the infected machine into a proxy server by adding a firewall rule and injecting itself into a legitimate process.
A Korean security program unable to operate properly due to the AntiAV malware
According to ASEC, PureCrypter downloads and executes further payloads, and AntiAV malware disrupts security products by modifying their configuration files.
Attackers are distributing malware disguised as popular Korean software (Windows, MS Office, Hangul) through file-sharing sites, and the malware bypasses file detection with frequent updates and utilizes the Task Scheduler for persistence, leading to repeated infections upon removal.
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute backdoors and cryptocurrency miners.
Avast researchers discovered and analyzed a malware campaign that exploited the update mechanism of the eScan antivirus to distribute backdoors and crypto miners.
Threat actors employed two different types of backdoors and targeted large corporate networks
The researchers believe the campaign could be attributed to North Korea-linked AP Kimsuky. The final payload distributed by GuptiMiner was also XMRig.
“GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker’s DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others.” reads the analysis published by Avast.“The main objective of GuptiMiner is to distribute backdoors within big corporate networks.”
The threat actors behind this campaign exploited a vulnerability in the update mechanism of the Indian antivirus provider eScan that allowed them to carry out a man-in-the-middle attack to distribute the malware. Avast already reported the issue to eScan and the India CERT. eScan acknowledged the flaw and addressed it on July 31, 2023. The issue in the update mechanism was present for at least five years.
The infection process begins when eScan requests an update from the update server. However, the attackers carry out a MitM attack and replace the legitimate update package with a malicious one. Subsequently, eScan unpacks and installs the package, which results in the sideloading of a DLL by eScan’s clean binaries. This DLL facilitates the continuation of the process, leading to the execution of multiple shellcodes and intermediary PE loaders.
The researchers noticed that the downloaded package file is replaced with a malware-laced one on the wire because the process doesn’t use an HTTPS connection.
Below the infection chain described by Avast:
The eScan updater triggers the update
The downloaded package file is replaced with a malicious one on the wire because of a missing HTTPS encryption (MitM is performed)
A malicious package updll62.dlz is downloaded and unpacked by eScan updater
The contents of the package contain a malicious DLL (usually called version.dll) that is sideloaded by eScan. Because of the sideloading, the DLL runs with the same privileges as the source process – eScan – and it is loaded next time eScan runs, usually after a system restart
If a mutex is not present in the system (depends on the version, e.g. Mutex_ONLY_ME_V1), the malware searches for services.exe process and injects its next stage into the first one it can find
Cleanup is performed, removing the update package
GuptiMiner operates its own DNS servers to provide legitimate destination domain addresses of C2 servers through DNS TXT responses.
GuptiMiner connects directly to malicious DNS servers, bypassing the DNS network entirely. This use of the DNS protocol resembles telnet and is not considered DNS spoofing, which typically occurs within the DNS network. Although the servers requested by GuptiMiner exist, it’s likely an evasion tactic.
In the second-stage the shellcode from the PNG file extracts and executes the Gzip loader. This loader is a simple PE that decompresses another shellcode using Gzip and executes it in a separate thread that kiads the Stage 3 malware Puppeteer.
Puppeteer orchestrates the core functionality of the malware, including the cryptocurrency mining as well as the backdoor deployment.
Surprisingly, the ultimate payload disseminated by GuptiMiner can be also XMRig, which was somewhat unexpected given the level of sophistication of this campaign.
The researchers speculate that using the miner could be a diversionary tactic.
“During our research, we’ve also found an information stealer which holds a rather similar PDB path as was used across the whole GuptiMiner campaign.” concludes the report. “What is truly interesting, however, is that this information stealer might come from Kimsuky operations.”
Hackers have been found hijacking Facebook pages to impersonate popular AI brands, thereby injecting malware into the devices of unsuspecting users.
This revelation comes from a detailed investigation by Bitdefender Labs, which has been closely monitoring these malicious campaigns since June 2023.
Recent analyses of malvertising campaigns have revealed a disturbing trend.
Ads are distributing an assortment of malicious software, which poses severe risks to consumers’ devices, data, and identity.
Unwitting interactions with these malware-serving ads could lead to downloading and deploying harmful files, including Rilide Stealer, Vidar Stealer, IceRAT, and Nova Stealer, onto users’ devices.
Rilide Stealer V4: A Closer Look
Bitdefender Labs has spotlighted an updated version of the Rilide Stealer (V4) lurking within sponsored ad campaigns that impersonate popular AI-based software and photo editors such as Sora, CapCut, Gemini AI, Photo Effects Pro, and CapCut Pro.
This malicious extension, targeting Chromium-based browsers, is designed to monitor browsing history, capture login credentials, and even facilitate the withdrawal of crypto funds by bypassing two-factor authentication through script injections.
Sora Ad campaignGemini Ad Campaign
Key Updates in Rilide V4:
Targeting of Facebook cookies
Masquerading as a Google Translate Extension
Enhanced obfuscation techniques to conceal the software’s true intent
Indicators Of Compromise
Malicious hashes
2d6829e8a2f48fff5348244ce0eaa35bcd4b26eac0f36063b9ff888e664310db – OpenAI Sora official version setup.msi – Sora
a7c07d2c8893c30d766f383be0dd78bc6a5fd578efaea4afc3229cd0610ab0cf – OpenAI Sora Setup.zip – Sora
e394f4192c2a3e01e6c1165ed1a483603b411fd12d417bfb0dc72bd6e18e9e9d – Setup.msi – Sora
021657f82c94511e97771739e550d63600c4d76cef79a686aa44cdca668814e0 – Setup.msi – Sora
92751fd15f4d0b495e2b83d14461d22d6b74beaf51d73d9ae2b86e2232894d7b – Setup.msi – Sora
32a097b510ae830626209206c815bbbed1c36c0d2df7a9d8252909c604a9c1f1 – Setup.msi – Sora
c665ff2206c9d4e50861f493f8e7beca8353b37671d633fe4b6e084c62e58ed9 – Setup.msi – Sora
0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – Capcut Pro For PC.setup.msi – Capcut
757855fcd47f843739b9a330f1ecb28d339be41eed4ae25220dc888e57f2ec51 – OpenAI ChatGPT-4.5 Version Free.msi – ChatGPT
3686204361bf6bf8db68fd81e08c91abcbf215844f0119a458c319e92a396ecf – Google Gemini AI Ultra Version Updata.msi – Gemini AI
d60ea266c4e0f0e8d56d98472a91dd5c37e8eeeca13bf53e0381f0affc68e78a – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
bb7c3b78f2784a7ac3c090331326279476c748087188aeb69f431bbd70ac6407 – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – AISora.setup.msi – Sora
Vidar Stealer: Evolving Threats
Vidar Stealer, another prolific info stealer, is marketed through the same MaaS model via dark web ads, forums, and Telegram groups.
Capable of exfiltrating personal information and crypto from compromised devices, Vidar’s distribution has evolved from spam campaigns and cracked software to malicious Google Search ads and social media platforms, mainly through sponsored ads on Meta’s platform.
Despite its name, IceRAT functions more as a backdoor on compromised devices. It acts as a gateway for secondary infections, such as crypto miners and information stealers that target login credentials and other sensitive data.
Nova Stealer emerges as a highly proficient info stealer with capabilities including password exfiltration, screen recordings, discord injections, and crypto wallet hijacking.
Nova Stealer, offered as MaaS by the threat actor known as Sordeal, represents a significant threat to digital security.
Indicators Of Compromise
Malicious hashes
fb3fbee5372e5050c17f72dbe0eb7b3afd3a57bd034b6c2ac931ad93b695d2d9- Instructions_for_using_today_s_AI.pdf.rar – AI and Life
6a36f1f1821de7f80cc9f8da66e6ce5916ac1c2607df3402b8dd56da8ebcc5e2- Instructions_for_using_today_s_AI.xlsx_rar.rar – AI and Life
fe7e6b41766d91fbc23d31573c75989a2b0f0111c351bed9e2096cc6d747794b- Instructions for using today’s AI.pdf.exe – AI and Life
ce0e41e907cab657cc7ad460a5f459c27973e9346b5adc8e64272f47026d333d- Instructions for using today’s AI.xlsx.exe – AI and Life
a214bc2025584af8c38df36b08eb964e561a016722cd383f8877b684bff9e83d- 20 digital marketing tips for 2024.xlsx.exe – Google Digital Marketing
53714612af006b06ca51cc47abf0522f7762ecb1300e5538485662b1c64d6f55 – Premium advertising course registration form from Oxford.exe – Google Digital Marketing
728953a3ebb0c25bcde85fd1a83903c7b4b814f91b39d181f0fc610b243c98d4- New Microsoft Excel Worksheet.exe – Google Digital Marketing
The Midjourney Saga: AI’s Dark Side
The addition of AI tools on the internet, from free offerings and trials to subscription-based services, has not gone unnoticed by cybercriminals.
Midjourney, a leading generative AI tool with a user base exceeding 16 million as of November 2023, has become a favored tool among cyber gangs over the past year, highlighting the intersection of cutting-edge technology and cybercrime.
Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.
Indicators Of Compromise
159.89.120.191
159.89.98.241
As the digital landscape continues to evolve, so does the nature of the threats it maintains.
The rise of Malware-as-a-Service represents a significant shift in the cyber threat paradigm that requires vigilant and proactive measures to combat.
Key Updates in Rilide V4:
Targeting of Facebook cookies
Masquerading as a Google Translate Extension
Enhanced obfuscation techniques to conceal the software’s true intent
Indicators Of Compromise
Malicious hashes
2d6829e8a2f48fff5348244ce0eaa35bcd4b26eac0f36063b9ff888e664310db – OpenAI Sora official version setup.msi – Sora
a7c07d2c8893c30d766f383be0dd78bc6a5fd578efaea4afc3229cd0610ab0cf – OpenAI Sora Setup.zip – Sora
e394f4192c2a3e01e6c1165ed1a483603b411fd12d417bfb0dc72bd6e18e9e9d – Setup.msi – Sora
021657f82c94511e97771739e550d63600c4d76cef79a686aa44cdca668814e0 – Setup.msi – Sora
92751fd15f4d0b495e2b83d14461d22d6b74beaf51d73d9ae2b86e2232894d7b – Setup.msi – Sora
32a097b510ae830626209206c815bbbed1c36c0d2df7a9d8252909c604a9c1f1 – Setup.msi – Sora
c665ff2206c9d4e50861f493f8e7beca8353b37671d633fe4b6e084c62e58ed9 – Setup.msi – Sora
0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – Capcut Pro For PC.setup.msi – Capcut
757855fcd47f843739b9a330f1ecb28d339be41eed4ae25220dc888e57f2ec51 – OpenAI ChatGPT-4.5 Version Free.msi – ChatGPT
3686204361bf6bf8db68fd81e08c91abcbf215844f0119a458c319e92a396ecf – Google Gemini AI Ultra Version Updata.msi – Gemini AI
d60ea266c4e0f0e8d56d98472a91dd5c37e8eeeca13bf53e0381f0affc68e78a – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
bb7c3b78f2784a7ac3c090331326279476c748087188aeb69f431bbd70ac6407 – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – AISora.setup.msi – Sora
Vidar Stealer: Evolving Threats
Vidar Stealer, another prolific info stealer, is marketed through the same MaaS model via dark web ads, forums, and Telegram groups.
Capable of exfiltrating personal information and crypto from compromised devices, Vidar’s distribution has evolved from spam campaigns and cracked software to malicious Google Search ads and social media platforms, mainly through sponsored ads on Meta’s platform.
Despite its name, IceRAT functions more as a backdoor on compromised devices. It acts as a gateway for secondary infections, such as crypto miners and information stealers that target login credentials and other sensitive data.
Nova Stealer emerges as a highly proficient info stealer with capabilities including password exfiltration, screen recordings, discord injections, and crypto wallet hijacking.
Nova Stealer, offered as MaaS by the threat actor known as Sordeal, represents a significant threat to digital security.
Indicators Of Compromise
Malicious hashes
fb3fbee5372e5050c17f72dbe0eb7b3afd3a57bd034b6c2ac931ad93b695d2d9- Instructions_for_using_today_s_AI.pdf.rar – AI and Life
6a36f1f1821de7f80cc9f8da66e6ce5916ac1c2607df3402b8dd56da8ebcc5e2- Instructions_for_using_today_s_AI.xlsx_rar.rar – AI and Life
fe7e6b41766d91fbc23d31573c75989a2b0f0111c351bed9e2096cc6d747794b- Instructions for using today’s AI.pdf.exe – AI and Life
ce0e41e907cab657cc7ad460a5f459c27973e9346b5adc8e64272f47026d333d- Instructions for using today’s AI.xlsx.exe – AI and Life
a214bc2025584af8c38df36b08eb964e561a016722cd383f8877b684bff9e83d- 20 digital marketing tips for 2024.xlsx.exe – Google Digital Marketing
53714612af006b06ca51cc47abf0522f7762ecb1300e5538485662b1c64d6f55 – Premium advertising course registration form from Oxford.exe – Google Digital Marketing
728953a3ebb0c25bcde85fd1a83903c7b4b814f91b39d181f0fc610b243c98d4- New Microsoft Excel Worksheet.exe – Google Digital Marketing
The Midjourney Saga: AI’s Dark Side
The addition of AI tools on the internet, from free offerings and trials to subscription-based services, has not gone unnoticed by cybercriminals.
Midjourney, a leading generative AI tool with a user base exceeding 16 million as of November 2023, has become a favored tool among cyber gangs over the past year, highlighting the intersection of cutting-edge technology and cybercrime.
Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.
Indicators Of Compromise
159.89.120.191
159.89.98.241
As the digital landscape continues to evolve, so does the nature of the threats it maintains.
The rise of Malware-as-a-Service represents a significant shift in the cyber threat paradigm that requires vigilant and proactive measures to combat.
In a sophisticated cyberattack campaign, malicious actors impersonating Colombian government agencies target individuals across Latin America.
The attackers are distributing emails containing PDF attachments, falsely accusing recipients of traffic violations or other legal infractions.
These deceptive communications are designed to coerce victims into downloading an archive that harbors a VBS script, initiating a multi-stage infection process.
Upon execution, the obfuscated VBS script triggers a PowerShell script, retrieving the final malware payload from legitimate online storage services through a two-step request process.
According to the ANY.RUN report was shared with GBHackers on Security; initially, the script acquires the payload’s address from resources such as textbin.net. It then proceeds to download and execute the payload from the provided address, which could be hosted on various platforms including cdn.discordapp(.)com, pasteio(.)com, hidrive.ionos.com, and wtools.io.
The attackers’ execution chain follows a sequence from PDF to ZIP, then to VBS and PowerShell, and finally to the executable file (EXE).
The culminating payload is identified as one of several known remote access trojans (RATs), specifically AsyncRAT, njRAT, or Remcos.
These malicious programs are notorious for their ability to provide unauthorized remote access to the infected systems, posing significant risks to the victims’ privacy and data security.
Here are some notable samples of this campaign: 1, 2, 3, 4.
sample1
This campaign has been meticulously documented, with over 50 operation samples being analyzed.
Cybersecurity professionals and researchers are encouraged to consult the TI Lookup tool for detailed information on these samples, aiding in identifying and mitigating threats related to this campaign.
The technique demonstrated by the attackers in this campaign is not exclusive to Latin American targets and may be adapted for use against various targets in other regions.
The cybersecurity community is urged to remain vigilant and employ robust security measures to protect against such sophisticated threats.
In 2023, 50% of malware detections for SMBs were keyloggers, spyware and stealers, malware that attackers use to steal data and credentials, according to Sophos.
Attackers subsequently use this stolen information to gain unauthorized remote access, extort victims, deploy ransomware, and more.
Ransomware remains primary cyberthreat for SMBs
The Sophos report also analyses initial access brokers (IABs)—criminals who specialize in breaking into computer networks. As seen in the report, IABs are using the dark web to advertise their ability and services to break specifically into SMB networks or sell ready-to-go-access to SMBs they’ve already cracked.
“The value of ‘data,’ as currency has increased exponentially among cybercriminals, and this is particularly true for SMBs, which tend to use one service or software application, per function, for their entire operation. For example, let’s say attackers deploy an infostealer on their target’s network to steal credentials and then get hold of the password for the company’s accounting software. Attackers could then gain access to the targeted company’s financials and have the ability to funnel funds into their own accounts,” said Christopher Budd, director of Sophos X-Ops research at Sophos.
“There’s a reason that more than 90% of all cyberattacks reported to Sophos in 2023 involved data or credential theft, whether through ransomware attacks, data extortion, unauthorized remote access, or simply data theft,” added Budd.
While the number of ransomware attacks against SMBs has stabilized, it continues to be the biggest cyberthreat to SMBs. Out of the SMB cases handled by Sophos Incident Response (IR), which helps organizations under active attack, LockBit was the top ransomware gang wreaking havoc. Akira and BlackCat were second and third, respectively. SMBs studied in the report also faced attacks by lingering older and lesser-known ransomware, such as BitLocker and Crytox.
BEC attacks grow in sophistication
Ransomware operators continue to change ransomware tactics, according to the report. This includes leveraging remote encryption and targeting managed service providers (MSPs). Between 2022 and 2023, the number of ransomware attacks that involved remote encryption—when attackers use an unmanaged device on organizations’ networks to encrypt files on other systems in the network—increased by 62%.
In addition, this past year, Sophos’s Managed Detection and Response (MDR) team responded to five cases involving small businesses that were attacked through an exploit in their MSPs’ remote monitoring and management (RMM) software.
Following ransomware, business email compromise (BEC) attacks were the second highest type of attacks that Sophos IR handled in 2023, according to the report.
These BEC attacks and other social engineering campaigns contain an increasing level of sophistication. Rather than simply sending an email with a malicious attachment, attackers are now more likely to engage with their targets by sending a series of conversational emails back and forth or even calling them.
In an attempt to evade detection by traditional spam prevention tools, attackers are now experimenting with new formats for their malicious content, embedding images that contain the malicious code or sending malicious attachments in OneNote or archive formats. In one case Sophos investigated, the attackers sent a PDF document with a blurry, unreadable thumbnail of an “invoice.” The download button contained a link to a malicious website.
HijackLoader continues to become increasingly popular among adversaries for deploying additional payloads and tooling
A recent HijackLoader variant employs sophisticated techniques to enhance its complexity and defense evasion
CrowdStrike detects this new HijackLoader variant using machine learning and behavior-based detection capabilities
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach has the potential to make defense evasion stealthier.
The second technique variation involved an uncommon combination of process doppelgänging and process hollowing techniques. This variation increases the complexity of analysis and the defense evasion capabilities of HijackLoader. Researchers also observed additional unhooking techniques used to hide malicious activity.
This blog focuses on the various evasion techniques employed by HijackLoader at multiple stages of the malware.
Trend Micro’s recent threat hunting efforts have uncovered active exploitation of CVE-2023-36025, a vulnerability in Microsoft Windows Defender SmartScreen, by a new strain of malware known as Phemedrone Stealer. This malware targets web browsers, cryptocurrency wallets, and messaging apps like Telegram, Steam, and Discord, stealing data and sending it to attackers via Telegram or command-and-control servers. Phemedrone Stealer, an open-source stealer written in C#, is actively maintained on GitHub and Telegram.
CVE-2023-36025 arises from insufficient checks on Internet Shortcut (.url) files, allowing attackers to bypass Windows Defender SmartScreen warnings by using crafted .url files that download and execute malicious scripts . Microsoft patched this vulnerability on November 14, 2023, but its exploitation in the wild led to its inclusion in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities list. Various malware campaigns, including those distributing Phemedrone Stealer, have since incorporated this vulnerability.
INITIAL ACCESS VIA CLOUD-HOSTED MALICIOUS URLS
As per the report, this involves leveraging cloud-hosted URLs that are malicious in nature. The article provides insights into how these URLs are used to initiate the attack, highlighting the strategies employed for distributing the malware and penetrating target systems. Attackers host malicious Internet Shortcut files on platforms like Discord or cloud services, often disguised using URL shorteners. Unsuspecting users who open these files trigger the exploitation of CVE-2023-36025.
The malicious .url file downloads and executes a control panel item (.cpl) file from an attacker-controlled server. This bypasses the usual security prompt from Windows Defender SmartScreen. The malware employs MITRE ATT&CK technique T1218.002, using the Windows Control Panel process binary to execute .cpl files, which are essentially DLL files.
Initial Infection via Malicious .url File (CVE-2023-36025): The attack begins when a user executes a malicious Internet Shortcut (.url) file. This file is designed to bypass Microsoft Windows Defender SmartScreen warnings, typically triggered for files from untrusted sources. The evasion is likely achieved by manipulating the file’s structure or content, making it appear benign.
Execution of a Control Panel Item (.cpl) File: Once executed, the .url file connects to an attacker-controlled server to download a .cpl file. In Windows, .cpl files are used to execute Control Panel items and are essentially Dynamic Link Libraries (DLLs). This step involves the MITRE ATT&CK technique T1218.002, which exploits the Windows Control Panel process binary (control.exe) to execute .cpl files.
Use of rundll32.exe for DLL Execution: The .cpl file, when executed through control.exe, then calls rundll32.exe, a legitimate Windows utility used to run functions stored in DLL files. This step is critical as it uses a trusted Windows process to execute the malicious DLL, further evading detection.
PowerShell Utilization for Payload Download and Execution: The malicious DLL acts as a loader to call Windows PowerShell, a task automation framework. PowerShell is then used to download and execute the next stage of the attack from GitHub.
Execution of DATA3.txt PowerShell Loader: The file DATA3.txt, hosted on GitHub, is an obfuscated PowerShell script designed to be difficult to analyze statically (i.e., without executing it). It uses string and digit manipulation to mask its true intent.
Deobfuscation and Execution of the GitHub-Hosted Loader: Through a combination of static and dynamic analysis, the obfuscated PowerShell commands within DATA3.txt can be deobfuscated. This script is responsible for downloading a ZIP file from the same GitHub repository.
Contents of the Downloaded ZIP File:
WerFaultSecure.exe: A legitimate Windows Fault Reporting binary.
Wer.dll: A malicious binary that is sideloaded (executed in the context of a legitimate process) when WerFaultSecure.exe is run.
Secure.pdf: An RC4-encrypted second-stage loader, presumably containing further malicious code.
This attack is sophisticated, using multiple layers of evasion and leveraging legitimate Windows processes and binaries to conceal malicious activities. The use of GitHub as a hosting platform for malicious payloads is also noteworthy, as it can lend an appearance of legitimacy and may bypass some network-based security controls.
PERSISTENCE AND DLL SIDELOADING
The malware achieves persistence by creating scheduled tasks and uses DLL sideloading techniques. The malicious DLL, crucial for the loader’s functionality, decrypts and runs the second stage loader. It uses dynamic API resolving and XOR-based algorithms for string decryption, complicating reverse engineering efforts.
Malicious DLL (wer.dll) Functionality: It decrypts and runs a second-stage loader. To avoid detection and hinder reverse engineering, it employs API hashing, string encryption, and is protected by VMProtect.
DLL Sideloading Technique: The malware deceives the system into loading the malicious wer.dll by placing it in the application directory, a method that exploits the trust Windows has in its own directories.
Dynamic API Resolving: To avoid detection by static analysis tools, the malware uses CRC-32 hashing for storing API names, importing them dynamically during runtime.
XOR-based String Decryption: An algorithm is used to decrypt strings, with each byte’s key generated based on its position. This method is designed to complicate automated decryption efforts.
Persistence Mechanism: The malware creates a scheduled task to regularly execute WerFaultSecure.exe. This ensures that the malware remains active on the infected system.
Second-Stage Loader (secure.pdf): It’s decrypted using an undocumented function from advapi32.dll, with memory allocation and modification handled by functions from Activeds.dll and VirtualProtect.
Execution Redirection through API Callbacks: The malware cleverly redirects execution flow to the second-stage payload using Windows API callback functions, particularly exploiting the CryptCATCDFOpen function.
Overall, this malware demonstrates a deep understanding of Windows internals, using them to its advantage to stay hidden and maintain persistence on the infected system. The combination of techniques used makes it a complex and dangerous threat.
SECOND-STAGE DEFENSE EVASION
The second-stage loader, known as Donut, is an open-source shellcode that executes various file types in memory. It encrypts payloads without compression and uses the Unmanaged CLR Hosting API to load the Common Language Runtime, creating a new Application Domain for running assemblies.Here’s an overview of how Donut is used for defense evasion and payload execution:
Donut Shellcode Loader:
Capabilities: Allows execution of VBScript, JScript, EXE files, DLL files, and .NET assemblies directly in memory.
Deployment Options: Can be embedded into the loader or staged from an HTTP or DNS server. In this case, it’s embedded directly into the loader.
Payload Compression and Encryption:
Compression Techniques: Supports aPLib, LZNT1, Xpress, and Xpress Huffman through RtlCompressBuffer.
Encryption: Uses the Chaskey block cipher for payload encryption. In this instance, only encryption is used, without compression.
Execution Process via Unmanaged CLR Hosting API:
CLR Loading: Donut configures to use the Unmanaged CLR Hosting API to load the Common Language Runtime (CLR) into the host process.
Application Domain Creation: Creates a new Application Domain, allowing assemblies to run in disposable AppDomains.
Assembly Loading and Execution: Once the AppDomain is prepared, Donut loads the .NET assembly and invokes the payload’s entry point.
The use of Donut in this attack is particularly notable for its ability to execute various types of code directly in memory. This method greatly reduces the attack’s visibility to traditional security measures, as it leaves minimal traces on the filesystem. Additionally, the use of memory-only execution tactics, coupled with sophisticated encryption, makes the payload difficult to detect and analyze. The ability to create and use disposable AppDomains further enhances evasion by isolating the execution environment, reducing the chances of detection by runtime monitoring tools. This approach demonstrates a high level of sophistication in evading defenses and executing the final payload stealthily.
PHEMEDRONE STEALER PAYLOAD ANALYSIS
Phemedrone Stealer initializes its configuration and decrypts items like Telegram API tokens using the RijndaelManaged symmetric encryption algorithm. It targets a wide range of applications to extract sensitive information, including Chromium-based browsers, crypto wallets, Discord, FileGrabber, FileZilla, Gecko-based browsers, system information, Steam, and Telegram.
COMMAND AND CONTROL FOR DATA EXFILTRATION
After data collection, the malware compresses the information into a ZIP file and validates the Telegram API token before exfiltrating the data. It sends system information and statistics to the attacker via the Telegram API. Despite the patch for CVE-2023-36025, threat actors continue to exploit this vulnerability to evade Windows Defender SmartScreen protection. The Phemedrone Stealer campaign highlights the need for vigilance and updated security measures against such evolving cyber threats.
MITIGATION
Mitigating the risks associated with CVE-2023-36025 and similar vulnerabilities, especially in the context of the Phemedrone Stealer campaign, involves a multi-layered approach. Here are some key strategies:
Apply Security Patches: Ensure that all systems are updated with the latest security patches from Microsoft, particularly the one addressing CVE-2023-36025. Regularly updating software can prevent attackers from exploiting known vulnerabilities.
Enhance Endpoint Protection: Utilize advanced endpoint protection solutions that can detect and block sophisticated malware like Phemedrone Stealer. These solutions should include behavior-based detection to identify malicious activities.
Educate Users: Conduct security awareness training for all users. Educate them about the dangers of clicking on unknown links, opening suspicious email attachments, and the risks of downloading files from untrusted sources.
Implement Network Security Measures: Use firewalls, intrusion detection systems, and intrusion prevention systems to monitor and control network traffic based on an applied set of security rules.
Secure Email Gateways: Deploy email security solutions that can scan and filter out malicious emails, which are often the starting point for malware infections.
Regular Backups: Regularly back up data and ensure that backup copies are stored securely. In case of a malware infection, having up-to-date backups can prevent data loss.
Use Application Whitelisting: Control which applications are allowed to run on your network. This can prevent unauthorized applications, including malware, from executing.
Monitor and Analyze Logs: Regularly review system and application logs for unusual activities that might indicate a breach or an attempt to exploit vulnerabilities.
Restrict User Privileges: Apply the principle of least privilege by limiting user access rights to only those necessary for their job functions. This can reduce the impact of a successful attack.
Incident Response Plan: Have a well-defined incident response plan in place. This should include procedures for responding to a security breach and mitigating its impact.
Use Secure Web Gateways: Deploy web gateways that can detect and block access to malicious websites, thereby preventing the download of harmful content.
Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential security gaps in the network.
By implementing these measures, organizations can significantly reduce their risk of falling victim to malware campaigns that exploit vulnerabilities like CVE-2023-36025.
Information stealing malware are actively taking advantage of an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions and allow continuous access to Google services even after a password reset.
According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, enabling threat actors to maintain access to a valid session in an unauthorized manner.
The technique was first revealed by a threat actor named PRISMA on October 20, 2023, on their Telegram channel. It has since been incorporated into various malware-as-a-service (MaaS) stealer families, such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.
The MultiLogin authentication endpoint is primarily designed for synchronizing Google accounts across services when users sign in to their accounts in the Chrome web browser (i.e., profiles).
A reverse engineering of the Lumma Stealer code has revealed that the technique targets the “Chrome’s token_service table of WebData to extract tokens and account IDs of chrome profiles logged in,” security researcher Pavan Karthick M said. “This table contains two crucial columns: service (GAIA ID) and encrypted_token.”
This token:GAIA ID pair is then combined with the MultiLogin endpoint to regenerate Google authentication cookies.
Karthick told The Hacker News that three different token-cookie generation scenarios were tested –
When the user is logged in with the browser, in which case the token can be used any number of times.
When the user changes the password but lets Google remain signed in, in which case the token can only be used once as the token was already used once to let the user remain signed in.
If the user signs out of the browser, then the token will be revoked and deleted from the browser’s local storage, which will be regenerated upon logging in again.
When reached for comment, Google acknowledged the existence of the attack method but noted that users can revoke the stolen sessions by logging out of the impacted browser.
“Google is aware of recent reports of a malware family stealing session tokens,” the company told The Hacker News. “Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”
“However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user,” it further added. “This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.”
The company further recommended users turn on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.
“It’s advised to change passwords so the threat actors wouldn’t utilize password reset auth flows to restore passwords,” Karthick said. “Also, users should be advised to monitor their account activity for suspicious sessions which are from IPs and locations which they don’t recognize.”
“Google’s clarification is an important aspect of user security,” said Hudson Rock co-founder and chief technology officer, Alon Gal, who previouslydisclosed details of the exploit late last year.
“However, the incident sheds light on a sophisticated exploit that may challenge the traditional methods of securing accounts. While Google’s measures are valuable, this situation highlights the need for more advanced security solutions to counter evolving cyber threats such as in the case of infostealers which are tremendously popular among cybercriminals these days.”
(The story was updated after publication to include additional comments from CloudSEK and Alon Gal.)
In the ever-evolving landscape of cybersecurity, researchers are continually uncovering new methods that challenge existing defense mechanisms. A recent study by SafeBreach, a leader in cybersecurity research, has brought to light a novel process injection technique that exploits Windows thread pools, revealing vulnerabilities in current Endpoint Detection and Response (EDR) solutions. This groundbreaking research not only demonstrates the sophistication of potential cyber threats but also underscores the need for advanced defensive strategies in the digital world. Thread pool exploitation is challenging for EDRs to detect because it uses legitimate system mechanisms for malicious purposes. EDRs often look for known patterns of malicious activity, but when malware hijacks legitimate processes or injects code via expected system behaviors, such as those involving thread pools, it can blend in without raising alarms. Essentially, these techniques don’t leave the typical traces that EDRs are programmed to identify, allowing them to operate under the radar.
UNDERSTANDING PROCESS INJECTION:
Process injection is a technique often used by cyber attackers to execute malicious code within the memory space of a legitimate process. By doing so, they can evade detection and gain unauthorized access to system resources. Traditionally, this method involves three key steps: allocating memory in the target process, writing the malicious code into this allocated space, and then executing the code to carry out the attack.
THE ROLE OF WINDOWS THREAD POOLS:
Central to this new technique is the exploitation of Windows thread pools. Thread pools in Windows are integral for managing worker threads, which are used to perform various tasks in the background. These pools efficiently manage the execution of multiple threads, reducing the overhead associated with thread creation and destruction. In legitimate scenarios, thread pools enhance the performance and responsiveness of applications. Windows thread pools are a system feature used to manage multiple threads efficiently. These pools allow for the execution of worker threads that perform tasks in the background, optimizing the use of system resources. Thread pools are integral to the Windows operating system and are used by various applications for performing asynchronous tasks.
SafeBreach’s research delves into how these thread pools can be manipulated for malicious purposes. By exploiting the mechanisms that govern thread pool operations, attackers can inject malicious code into other running processes, bypassing traditional security measures. This technique presents a significant challenge to existing EDR solutions, which are typically designed to detect more conventional forms of process injection. Here are some examples of such manipulations:
Inserting Malicious Work Items:
Attackers can insert malicious work items into the thread pool. These work items are essentially tasks scheduled to be executed by the pool’s worker threads. By inserting a work item that contains malicious code, an attacker can execute this code under the guise of a legitimate process.
Hijacking Worker Threads:
An attacker might hijack the worker threads of a thread pool. By taking control of these threads, the attacker can redirect their execution flow to execute malicious code. This method can be particularly effective because worker threads are trusted components within the system.
Exploiting Timer Queues:
Windows thread pools use timer queues to schedule tasks to be executed at specific times. An attacker could exploit these timer queues to schedule the execution of malicious code at a predetermined time, potentially bypassing some time-based security checks.
Manipulating I/O Completion Callbacks:
Thread pools handle I/O completion callbacks, which are functions called when an I/O operation is completed. By manipulating these callbacks, an attacker can execute arbitrary code in the context of a legitimate I/O completion routine.
Abusing Asynchronous Procedure Calls (APCs):
While not directly related to thread pools, attackers can use Asynchronous Procedure Calls, which are mechanisms for executing code asynchronously in the context of a particular thread, in conjunction with thread pool manipulation to execute malicious code.
Worker Factory Manipulation:
The worker factory in a thread pool manages the worker threads. By manipulating the worker factory, attackers can potentially control the creation and management of worker threads, allowing them to execute malicious tasks.
Remote TP_TIMER Work Item Insertion:
This involves creating a timer object in the thread pool and then manipulating it to execute malicious code. The timer can be set to trigger at specific intervals, executing the malicious code repeatedly.
Queue Manipulation:
Attackers can manipulate the queues used by thread pools to prioritize or delay certain tasks. By doing so, they can ensure that their malicious tasks are executed at a time when they are most likely to go undetected.
These examples illustrate the versatility and potential stealth of using Windows thread pools for malicious purposes. The exploitation of such integral system components poses a significant challenge to cybersecurity defenses, requiring advanced detection and prevention mechanisms. The following thread pool work items that can be scheduled in Windows. Here’s how each one could potentially be vulnerable to attacks:
Worker Factory Start Routine Overwrite: Overwriting the start routine can redirect worker threads to execute malicious code.
TP_WORK Insertion: By inserting TP_WORK objects, attackers could run arbitrary code in the context of a thread pool thread.
TP_WAIT Insertion: Manipulating wait objects can trigger the execution of malicious code when certain conditions are met.
TP_IO Insertion: By intercepting or inserting IO completion objects, attackers could execute code in response to IO operations.
TP_ALPC Insertion: Attackers could insert ALPC (Advanced Local Procedure Call) objects to execute code upon message arrival.
TP_JOB Insertion: Jobs can be associated with malicious actions, executed when certain job-related events occur.
TP_DIRECT Insertion: Direct insertion allows immediate execution of code, which can be abused for running malware.
TP_TIMER Insertion: Timers can be used by attackers to schedule the execution of malicious payloads at specific times.
These vulnerabilities generally stem from the fact that thread pools execute callback functions, which attackers may manipulate to point to their code, thus achieving code execution within the context of a legitimate process.
Mitigating threats that involve the exploitation of Windows thread pools for process injection requires a multi-faceted approach, combining advanced technological solutions with proactive security practices. Here are some potential measures and recommendations:
Enhanced Detection Algorithms:
Endpoint Detection and Response (EDR) solutions should incorporate advanced algorithms capable of detecting anomalous behaviors associated with thread pool manipulation. This includes unusual activity patterns in worker threads and unexpected changes in thread pool configurations.
Deep System Monitoring:
Implement deep monitoring of system internals, especially focusing on thread pools and worker thread activities. Monitoring should include the creation of work items, modifications to timer queues, and the execution patterns of threads.
Regular Security Audits:
Conduct regular security audits of systems to identify potential vulnerabilities. This includes reviewing and updating the configurations of thread pools and ensuring that security patches and updates are applied promptly.
Advanced Threat Intelligence:
Utilize advanced threat intelligence tools to stay informed about new vulnerabilities and attack techniques involving thread pools. This intelligence can be used to update defensive measures continuously.
Employee Training and Awareness:
Educate IT staff and employees about the latest cybersecurity threats, including those involving thread pool exploitation. Awareness can help in early detection and prevention of such attacks.
Behavioral Analysis and Heuristics:
Implement security solutions that use behavioral analysis and heuristics to detect unusual patterns that might indicate thread pool exploitation. This approach can identify attacks that traditional signature-based methods might miss.
Zero Trust Architecture:
Adopt a zero trust architecture where systems do not automatically trust any entity inside or outside the network. This approach can limit the impact of an attack by restricting access and permissions to essential resources only.
Regular Software Updates:
Ensure that all software, especially operating systems and security tools, are regularly updated. Updates often include patches for known vulnerabilities that could be exploited.
Isolation of Sensitive Processes:
Isolate sensitive processes in secure environments to reduce the risk of thread pool manipulation affecting critical operations. This can include using virtual machines or containers for added security.
Incident Response Planning:
Develop and maintain a robust incident response plan that includes procedures for dealing with thread pool exploitation. This plan should include steps for containment, eradication, recovery, and post-incident analysis.
By implementing these measures, organizations can strengthen their defenses against sophisticated attacks that exploit Windows thread pools, thereby enhancing their overall cybersecurity posture.
Attacks involving the NetSupport RAT have become increasingly common, The Hacker News reports. More than 15 infections have been observed mostly in organizations in the education, government, and business sectors, in recent weeks, according to a report from VMware Carbon Black researchers. Fraudulent browser updates have been leveraged by threat actors to facilitate the distribution of the SocGholish downloader malware, also known as FakeUpdates, which then uses PowerShell to establish a remote server connection and facilitate the retrieval of a NetSupport RAT-containing ZIP archive file. Researchers also noted that the installation of NetSupport would then enable behavior tracking, file transfers, computer setting alterations, and lateral network movement. “The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns,” said researchers. NetSupport RAT, which was once a remote access tool, was previously reported by Sucuri to have been spread through fake Cloudflare distributed denial-of-service protection pages.
DECIPHERING WEBWYRM: AN IN-DEPTH ANALYSIS OF THE PERVASIVE MALWARE THREATENING GLOBAL CYBERSECURITY
In the intricate landscape of global cybersecurity, Webwyrm malware has surfaced as a formidable adversary, casting its ominous shadow across 50 nations and leaving in its wake over 100,000 compromised victims. This insidious digital menace successfully emulates in excess of 1000 reputable companies globally, with the ensuing potential financial fallout estimated to surpass a staggering $100 million. It is imperative for cybersecurity professionals and organizations alike to comprehend the multifaceted nature of this threat to devise and implement robust defensive strategies effectively.
THE EVOLUTIONARY TRAJECTORY OF WEBWYRM
In the dynamic realm of cyber threats, malicious actors incessantly refine their Tactics, Techniques, and Procedures (TTPs), exploiting extant vulnerabilities and augmenting the efficacy of their malicious campaigns. Webwyrm epitomizes this relentless pursuit of evolution, embodying a level of sophistication reminiscent of infamous cyber threats of yore, such as the notorious ‘Blue Whale Challenge.’
REFINED MODUS OPERANDI
WebWyrm malware orchestrates a complex, deceptive narrative aimed at duping unsuspecting job seekers into relinquishing their cryptocurrency. Initiating contact predominantly via WhatsApp, the malefactors likely leverage data procured from employment portals to pinpoint and engage individuals predisposed to their deceptive overtures. Prospective victims are enticed with promises of lucrative weekly remuneration, ranging between $1200 and $1500, contingent upon the completion of daily task “packets” or “resets.”
Upon transferring funds into designated cryptocurrency wallets, victims are led to believe that the completion of tasks results in monetary withdrawals from their accounts, which are subsequently returned along with additional commissions. The introduction of “combo tasks” promises substantial financial returns but necessitates a more considerable investment. However, the caveat is that these returns are accessible only upon the sequential completion of all combo tasks, with each task demanding a progressively larger investment.
CAMPAIGN ENABLERS: TECHNICAL INSIGHTS
WebWyrm’s campaign is characterized by its sophistication, adaptability, and elusive operational framework. The initiative employs dedicated personnel engaging with victims via various platforms, thereby lending an aura of legitimacy and support to their endeavors. The orchestrators have meticulously crafted approximately 6000 counterfeit websites, directing victims to register their accounts. These platforms are expertly designed to mimic legitimate enterprises, with a keen focus on geo-targeting and associated contact numbers reflecting the respective victim’s geographical location.
Moreover, the malefactors astutely navigate the ephemeral nature of their infrastructure, allocating specific IP addresses or Autonomous System Numbers (ASNs) to host counterfeit domains for limited durations. This modus operandi facilitates operational continuity and anonymity, allowing for a swift transition to alternative infrastructure in response to potential threats, thereby effectively circumventing detection mechanisms.
INDUSTRIES IN THE CROSSHAIRS
Webwyrm has indiscriminately targeted a plethora of industries, including:
IT Services
Software Development
Mobile App Development
User Experience Design
Digital Marketing
Web Development
SEO
E-Commerce
DEFENSIVE COUNTERMEASURES
Effective defense against Webwyrm necessitates the adoption of several countermeasures:
Origin Tracing of Malefactors via Employment Portals
Collaborative Defensive Initiatives
Deployment of Rapid Response Teams
Implementation of Domain Blacklisting Protocols
Asset Seizure
Launch of Educational Awareness Campaigns
With the incorporation of these enhanced technical insights, it becomes abundantly clear that WebWyrm represents a meticulously orchestrated, sophisticated operation with the singular aim of exploiting job seekers. The nuanced understanding of potential victims, coupled with a highly adaptive and elusive infrastructure, renders this a significant threat warranting coordinated, informed countermeasures to safeguard potential victims. Awareness, education, and the proactive deployment of defense mechanisms are pivotal in mitigating the risks associated with the WebWyrm malware campaign.
TeamsPhisher is a Python3 software that was designed to make it easier for phishing messages and attachments to be sent to users of Microsoft Teams whose companies or organizations permit connection with outside parties. It is not feasible to transfer files to users of Teams who are not part of one’s company in most circumstances. Recently, Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) from JUMPSEC published a means to circumvent this limitation by modifying HTTP requests made by Teams in order to change who is sent a message with an attached file.
TeamsPhisher utilizes a number of other techniques, including some of Andrea Santese’s (@Medu554) older ones, in addition to this one.For the authentication component of the attack flow as well as other basic utility functions, it relies significantly on TeamsEnum, a brilliant piece of work that was developed by Bastian Kanbach (@bka) of SSE.
TeamsPhisher’s goal is to include the most useful aspects of the aforementioned projects in order to provide a method that is robust, fully adaptable, and highly effective for authorized Red Team operations to use Microsoft Teams for phishing in access-related circumstances.
You will need to provide TeamsPhisher with an attachment, a message, and a list of people to target. After that, it will go over the list of targets while simultaneously uploading the attachment to the sender’s Sharepoint.
First, TeamsPhisher will enumerate the target user and check to see whether that person really exists and is able to receive messages from the outside world. After that, it will initiate a new conversation with the person you choose. Note that this is technically a “group” conversation since TeamsPhisher contains the target’s email address twice; this is a clever hack from @Medu554 that will circumvent the “Someone outside your organization messaged you, are you sure you want to view it” splash screen that might offer our targets a reason to stop and think twice about viewing the message.
The user who was identified will get the message that was sent to them along with a link to the attachment that was stored in Sharepoint after a new thread has been established between our sender and the target.
After this first message has been sent, the newly established thread will be visible in the sender’s Teams GUI and may be engaged with manually, if necessary, on a case-by-case basis. Users of TeamsPhisher are required to have a Microsoft Business account (as opposed to a personal one such as @hotmail, @outlook, etc.) that is licensed for both Teams and Sharepoint in order to utilize the software.
This indicates that you will require an AAD tenant as well as at least one user who has a license that corresponds to it. At the time of publishing, the AAD licensing center does have some free trial licenses available for download that are capable of meeting all of the prerequisites for using this product.
Before you may utilize the account with TeamsPhisher, you will have to ensure that you have at least once successfully logged into the personal Sharepoint site of the user with whom you will be exchanging messages. This should be something along the lines of tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com or tenantname-my.sharepoint.com/personal/myusername_mytenantname_mycustomdomain_tld. Alternatively, you could also use tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com.
In terms of the needs of the local community, We strongly advise upgrading to the most recent version of Python3. You will also require the authentication library developed by Microsoft:
To upload the file to a Sharepoint site, you will need to manually give the site’s name. This would most likely be required in the event if the sender’s tenant makes use of a unique domain name (for example, one that does not adhere to the xxx.onmicrosoft.com norm). Just the singular name should be used; for instance, if your SharePoint site is located at mytest.sharepoint.com, you should use the –sharepoint mytest option.
Replace TeamPhisher’s standard greeting (“Hi,”) with a personalized greeting that will be appended to the message that is supplied by the –message option. For instance, “Good afternoon,” or “Sales team,” are examples.
By default, the Sharepoint link that is provided to targets may be accessed by anybody who has the link; to restrict access to the Sharepoint file so that it can only be viewed by the target who got it, use the –securelink option. It’s possible that this will help shield your virus from the blue team.
TeamsPhisher will make an effort to determine the first name of each person it is targeting and will use that name in the welcome it sends to them. For instance, tom.jones@targettenant.onmicrosoft.com would get an email with the greeting “Hi Tom, ” as the first line of the message. This is not ideal and is dependant on the format of the emails that are being targeted; use the –preview option to see whether or not this is a suitable match for the list of emails that you are targeting.
The preview version of TeamsPhisher will be executed. This will NOT send any messages to the target users; instead, the “friendly” name that would be used by the –personalize option will be shown. In addition, a sample message that is indicative of what targets would receive with the current settings will be delivered to the sender’s Teams. You may log in to check how your message appears and make any required adjustments to it.
You may choose to have a delay of x seconds between each message sent to targets. Can be of assistance with rate-limiting concerns that may arise.
TeamsPhisher will determine which accounts are unable to receive messages from third-party organizations, which accounts do not exist, and which accounts have subscription plans that are incompatible with the attack vectors.
TeamsPhisher now enables login with sender accounts using multifactor authentication (MFA), thanks to code contributed by the TeamsEnum project.
If you use the –securelink flag, the recipients of the message will see a popup asking them to verify themselves before they can view the attachment in Sharepoint. You have the ability to determine if this adds an excessive number of additional steps or whether it adds ‘legitimacy’ by sending them via the actual Microsoft login feature.
Mitigation By changing the choices associated with external access, which can be found in the Microsoft Teams admin center under Users > External access, companies may reduce the risk that is provided by the vulnerability that has been discovered.
Organizations are provided with the freedom to pick the optimal rights to match their requirements by Microsoft, including the ability to whitelist just particular external tenants for communications and a global block that prevents any communications from occurring.
New Android Malware Uses Optical Character Recognition to Steal Login Credentials
Besides employing various channels for distribution, these malicious apps, named “CherryBlos” and “FakeTrade,” have been discovered by cybersecurity researchers at Trend Micro to use OCR (Optical Character Recognition) techniques to extract sensitive data from pictures. The shared network infrastructure and certificates indicate the involvement of the same threat actors behind these new Android malware strains. The distribution channels used by these apps include social media, phishing sites, Google Play, and other Android app stores.
Android MalwareUse OCR
In April 2023, CherryBlos malware emerged as an APK file that was found to be promoted on Telegram, Twitter, and YouTube as:-
All the malicious APK files were downloaded from domain-matching websites. Here below, we have mentioned the malicious APK file names and matching domains:-
APK files:
GPTalk
Happy Miner
Robot999
SynthNet
Matching domain names:
chatgptc[.]io
happyminer[.]com
robot999[.]net
synthnet[.]ai
Moreover, the SynthNet app, a malicious version, was downloaded around 1,000 times on Google Play before being reported and removed.
CherryBlos malware targets crypto wallet credentials and alters withdrawal addresses since it’s mainly designed to steal cryptocurrency wallet-related information.
The CherryBlos exploits accessibility service permissions to:-
Fetch config files
Auto-approve permissions
Block app termination
Besides stealing cryptocurrency-related data, CherryBlos also has an extraordinary feature that enables OCR for text extraction from images on the device.
Code to perform OCR on images (Source – Trend Micro)
When EnableImage is true in the config, CherryBlos reads media files, applying OCR for potential mnemonic recognition.
Despite the risk, people save recovery phrase photos on devices, enable malware extracts, and send data to threat actors.
Moreover, the malware also hijacks the Binance app clipboard, then alters the recipient address with the attacker’s, as this enables attackers to initiate illicit fund transfers stealthily.
Recommendations
Here below, we have mentioned all the recommendations offered by the security researchers at Trend Micro:-
Always download apps from the Google Play store and official app stores that are trusted.
Make sure to keep your system, software, and AV tools updated with the available security patches and updates.
To block threats like these and other malware strains, make sure to install a robust and renowned AV solution.
Before allowing any permissions to apps, make sure to cross-check each permissions carefully.
Do not download any unknown attachments received via email.
Suspicious links could be dangerous, so, do not click on any suspicious links.
The Blacklotus bootkit was developed expressly for Windows, and it first appeared on hacker forums in October of the previous year. It was described as having APT-level capabilities, including the ability to circumvent secure boot and user access control (UAC), as well as the capacity to deactivate security software and defensive mechanisms on victim computers. Threat actors of various skill levels were able to purchase BlackLotus when it was first offered for sale on hacker forums for as little as $5,000, giving them access to malware that is often associated with state-sponsored hacking operations. However, the threat actor concealed the source code and charged clients $200 for rebuilds if they wished to modify the bootkit in any way.c Microsoft published a set of resources in April that are intended to assist threat hunters in recognizing BlackLotus infections. The National Security Agency (NSA) released some guidelines in June to assist firms in strengthening their defenses against the threat.
Although it has a number of alterations in comparison to the malware’s initial form, the BlackLotus UEFI bootkit’s original source code has been made available to the public on GitHub.
The ‘Baton Drop’ exploit that targets CVE-2022-21894 has been removed from the BlackLotus source code that was released on GitHub on Wednesday. Additionally, the BlackLotus source code now employs the bootlicker UEFI firmware rootkit, although it still retains the majority of the original code.
The fact that the bootkit’s source code is available to the public poses a considerable danger, primarily because it may be paired with newly discovered vulnerabilities to open up previously undiscovered entry points for attacks. BlackLotus was able to utilize the attack despite the fact that CVE-2022-21894 had been fixed the previous year. This was possible because the vulnerable binaries had not been put to the UEFI revocation list. This demonstrates how even vulnerabilities that have been patched may still present long-term, industry-wide supply chain impact.
However, since the source code was leaked, it is now very easy for threat actors to combine the bootkit with new bootloader vulnerabilities, whether they are known or undiscovered. The methods used by the bootkit are no longer cutting edge.
Be careful to adhere to the extensive mitigation guidance that the NSA issued a month ago in order to protect your computers against the BlackLotus UEFI bootkit attack.
Because the source code of the bootkit is now freely accessible, it is feasible that skilled malware writers may design more powerful variations that are able to circumvent both currently available countermeasures and those that will be developed in the future.
.webp)
.webp)
