Mar 18 2024

Hackers Trick Users To Install Malware Via Weaponized PDF

Category: Malwaredisc7 @ 7:19 am

In a sophisticated cyberattack campaign, malicious actors impersonating Colombian government agencies target individuals across Latin America.

The attackers are distributing emails containing PDF attachments, falsely accusing recipients of traffic violations or other legal infractions.

These deceptive communications are designed to coerce victims into downloading an archive that harbors a VBS script, initiating a multi-stage infection process.

Upon execution, the obfuscated VBS script triggers a PowerShell script, retrieving the final malware payload from legitimate online storage services through a two-step request process.

Infection Process

According to the ANY.RUN report was shared with GBHackers on Security; initially, the script acquires the payload’s address from resources such as textbin.net. It then proceeds to download and execute the payload from the provided address, which could be hosted on various platforms including cdn.discordapp(.)com, pasteio(.)com, hidrive.ionos.com, and wtools.io.

The attackers’ execution chain follows a sequence from PDF to ZIP, then to VBS and PowerShell, and finally to the executable file (EXE).

The culminating payload is identified as one of several known remote access trojans (RATs), specifically AsyncRATnjRAT, or Remcos.

These malicious programs are notorious for their ability to provide unauthorized remote access to the infected systems, posing significant risks to the victims’ privacy and data security.

Here are some notable samples of this campaign: 1, 2, 3, 4.

sample1

This campaign has been meticulously documented, with over 50 operation samples being analyzed.

Cybersecurity professionals and researchers are encouraged to consult the TI Lookup tool for detailed information on these samples, aiding in identifying and mitigating threats related to this campaign.

The Cyberspace Battlefield: A Contemporary Look at Weaponized Cyber Warfare

The technique demonstrated by the attackers in this campaign is not exclusive to Latin American targets and may be adapted for use against various targets in other regions.

The cybersecurity community is urged to remain vigilant and employ robust security measures to protect against such sophisticated threats.

Cybersecurity Threats, Malware Trends, and Strategies – Second Edition: Discover risk mitigation strategies for modern threats to your organization 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Weaponized PDF


Mar 13 2024

Keyloggers, spyware, and stealers dominate SMB malware detections

Category: Cybercrime,Malware,Spywaredisc7 @ 10:56 am

In 2023, 50% of malware detections for SMBs were keyloggers, spyware and stealers, malware that attackers use to steal data and credentials, according to Sophos.

SMBs ransomware cyberthreat

Attackers subsequently use this stolen information to gain unauthorized remote access, extort victims, deploy ransomware, and more.

Ransomware remains primary cyberthreat for SMBs

The Sophos report also analyses initial access brokers (IABs)—criminals who specialize in breaking into computer networks. As seen in the report, IABs are using the dark web to advertise their ability and services to break specifically into SMB networks or sell ready-to-go-access to SMBs they’ve already cracked.

“The value of ‘data,’ as currency has increased exponentially among cybercriminals, and this is particularly true for SMBs, which tend to use one service or software application, per function, for their entire operation. For example, let’s say attackers deploy an infostealer on their target’s network to steal credentials and then get hold of the password for the company’s accounting software. Attackers could then gain access to the targeted company’s financials and have the ability to funnel funds into their own accounts,” said Christopher Budd, director of Sophos X-Ops research at Sophos.

“There’s a reason that more than 90% of all cyberattacks reported to Sophos in 2023 involved data or credential theft, whether through ransomware attacks, data extortion, unauthorized remote access, or simply data theft,” added Budd.

While the number of ransomware attacks against SMBs has stabilized, it continues to be the biggest cyberthreat to SMBs. Out of the SMB cases handled by Sophos Incident Response (IR), which helps organizations under active attack, LockBit was the top ransomware gang wreaking havoc. Akira and BlackCat were second and third, respectively. SMBs studied in the report also faced attacks by lingering older and lesser-known ransomware, such as BitLocker and Crytox.

BEC attacks grow in sophistication

Ransomware operators continue to change ransomware tactics, according to the report. This includes leveraging remote encryption and targeting managed service providers (MSPs). Between 2022 and 2023, the number of ransomware attacks that involved remote encryption—when attackers use an unmanaged device on organizations’ networks to encrypt files on other systems in the network—increased by 62%.

In addition, this past year, Sophos’s Managed Detection and Response (MDR) team responded to five cases involving small businesses that were attacked through an exploit in their MSPs’ remote monitoring and management (RMM) software.

Following ransomware, business email compromise (BEC) attacks were the second highest type of attacks that Sophos IR handled in 2023, according to the report.

These BEC attacks and other social engineering campaigns contain an increasing level of sophistication. Rather than simply sending an email with a malicious attachment, attackers are now more likely to engage with their targets by sending a series of conversational emails back and forth or even calling them.

In an attempt to evade detection by traditional spam prevention tools, attackers are now experimenting with new formats for their malicious content, embedding images that contain the malicious code or sending malicious attachments in OneNote or archive formats. In one case Sophos investigated, the attackers sent a PDF document with a blurry, unreadable thumbnail of an “invoice.” The download button contained a link to a malicious website.

Mastering Cyber Security Defense to Shield Against Identity Theft, Data breaches, Hackers, and more in the Modern Age

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: keylogger, Malware, SMB


Feb 09 2024

HijackLoader Expands Techniques to Improve Defense Evasion

Category: Malwaredisc7 @ 10:39 am
https://www.crowdstrike.com/blog/hijackloader-expands-techniques/
  • HijackLoader continues to become increasingly popular among adversaries for deploying additional payloads and tooling
  • A recent HijackLoader variant employs sophisticated techniques to enhance its complexity and defense evasion
  • CrowdStrike detects this new HijackLoader variant using machine learning and behavior-based detection capabilities 

CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities. 

In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach has the potential to make defense evasion stealthier. 

The second technique variation involved an uncommon combination of process doppelgÀnging and process hollowing techniques. This variation increases the complexity of analysis and the defense evasion capabilities of HijackLoader. Researchers also observed additional unhooking techniques used to hide malicious activity.

This blog focuses on the various evasion techniques employed by HijackLoader at multiple stages of the malware.

HijackLoader Analysis

Tags: HijackLoader


Jan 18 2024

HOW TO EXPLOIT WINDOWS DEFENDER ANTIVIRUS TO INFECT A DEVICE WITH MALWARE

Category: Antivirus,Malwaredisc7 @ 8:10 am

Trend Micro’s recent threat hunting efforts have uncovered active exploitation of CVE-2023-36025, a vulnerability in Microsoft Windows Defender SmartScreen, by a new strain of malware known as Phemedrone Stealer. This malware targets web browsers, cryptocurrency wallets, and messaging apps like Telegram, Steam, and Discord, stealing data and sending it to attackers via Telegram or command-and-control servers. Phemedrone Stealer, an open-source stealer written in C#, is actively maintained on GitHub and Telegram.

CVE-2023-36025 arises from insufficient checks on Internet Shortcut (.url) files, allowing attackers to bypass Windows Defender SmartScreen warnings by using crafted .url files that download and execute malicious scripts . Microsoft patched this vulnerability on November 14, 2023, but its exploitation in the wild led to its inclusion in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities list. Various malware campaigns, including those distributing Phemedrone Stealer, have since incorporated this vulnerability.

INITIAL ACCESS VIA CLOUD-HOSTED MALICIOUS URLS

As per the report, this involves leveraging cloud-hosted URLs that are malicious in nature. The article provides insights into how these URLs are used to initiate the attack, highlighting the strategies employed for distributing the malware and penetrating target systems. Attackers host malicious Internet Shortcut files on platforms like Discord or cloud services, often disguised using URL shorteners. Unsuspecting users who open these files trigger the exploitation of CVE-2023-36025.

DEFENSE EVASION TACTICS

The malicious .url file downloads and executes a control panel item (.cpl) file from an attacker-controlled server. This bypasses the usual security prompt from Windows Defender SmartScreen. The malware employs MITRE ATT&CK technique T1218.002, using the Windows Control Panel process binary to execute .cpl files, which are essentially DLL files.

  1. Initial Infection via Malicious .url File (CVE-2023-36025): The attack begins when a user executes a malicious Internet Shortcut (.url) file. This file is designed to bypass Microsoft Windows Defender SmartScreen warnings, typically triggered for files from untrusted sources. The evasion is likely achieved by manipulating the file’s structure or content, making it appear benign.
  2. Execution of a Control Panel Item (.cpl) File: Once executed, the .url file connects to an attacker-controlled server to download a .cpl file. In Windows, .cpl files are used to execute Control Panel items and are essentially Dynamic Link Libraries (DLLs). This step involves the MITRE ATT&CK technique T1218.002, which exploits the Windows Control Panel process binary (control.exe) to execute .cpl files.
  3. Use of rundll32.exe for DLL Execution: The .cpl file, when executed through control.exe, then calls rundll32.exe, a legitimate Windows utility used to run functions stored in DLL files. This step is critical as it uses a trusted Windows process to execute the malicious DLL, further evading detection.
  4. PowerShell Utilization for Payload Download and Execution: The malicious DLL acts as a loader to call Windows PowerShell, a task automation framework. PowerShell is then used to download and execute the next stage of the attack from GitHub.
  5. Execution of DATA3.txt PowerShell Loader: The file DATA3.txt, hosted on GitHub, is an obfuscated PowerShell script designed to be difficult to analyze statically (i.e., without executing it). It uses string and digit manipulation to mask its true intent.
  6. Deobfuscation and Execution of the GitHub-Hosted Loader: Through a combination of static and dynamic analysis, the obfuscated PowerShell commands within DATA3.txt can be deobfuscated. This script is responsible for downloading a ZIP file from the same GitHub repository.
  7. Contents of the Downloaded ZIP File:
    • WerFaultSecure.exe: A legitimate Windows Fault Reporting binary.
    • Wer.dll: A malicious binary that is sideloaded (executed in the context of a legitimate process) when WerFaultSecure.exe is run.
    • Secure.pdf: An RC4-encrypted second-stage loader, presumably containing further malicious code.

This attack is sophisticated, using multiple layers of evasion and leveraging legitimate Windows processes and binaries to conceal malicious activities. The use of GitHub as a hosting platform for malicious payloads is also noteworthy, as it can lend an appearance of legitimacy and may bypass some network-based security controls.

PERSISTENCE AND DLL SIDELOADING

The malware achieves persistence by creating scheduled tasks and uses DLL sideloading techniques. The malicious DLL, crucial for the loader’s functionality, decrypts and runs the second stage loader. It uses dynamic API resolving and XOR-based algorithms for string decryption, complicating reverse engineering efforts.

  1. Malicious DLL (wer.dll) Functionality: It decrypts and runs a second-stage loader. To avoid detection and hinder reverse engineering, it employs API hashing, string encryption, and is protected by VMProtect.
  2. DLL Sideloading Technique: The malware deceives the system into loading the malicious wer.dll by placing it in the application directory, a method that exploits the trust Windows has in its own directories.
  3. Dynamic API Resolving: To avoid detection by static analysis tools, the malware uses CRC-32 hashing for storing API names, importing them dynamically during runtime.
  4. XOR-based String Decryption: An algorithm is used to decrypt strings, with each byte’s key generated based on its position. This method is designed to complicate automated decryption efforts.
  5. Persistence Mechanism: The malware creates a scheduled task to regularly execute WerFaultSecure.exe. This ensures that the malware remains active on the infected system.
  6. Second-Stage Loader (secure.pdf): It’s decrypted using an undocumented function from advapi32.dll, with memory allocation and modification handled by functions from Activeds.dll and VirtualProtect.
  7. Execution Redirection through API Callbacks: The malware cleverly redirects execution flow to the second-stage payload using Windows API callback functions, particularly exploiting the CryptCATCDFOpen function.

Overall, this malware demonstrates a deep understanding of Windows internals, using them to its advantage to stay hidden and maintain persistence on the infected system. The combination of techniques used makes it a complex and dangerous threat.

SECOND-STAGE DEFENSE EVASION

The second-stage loader, known as Donut, is an open-source shellcode that executes various file types in memory. It encrypts payloads without compression and uses the Unmanaged CLR Hosting API to load the Common Language Runtime, creating a new Application Domain for running assemblies.Here’s an overview of how Donut is used for defense evasion and payload execution:

  1. Donut Shellcode Loader:
    • Capabilities: Allows execution of VBScript, JScript, EXE files, DLL files, and .NET assemblies directly in memory.
    • Deployment Options: Can be embedded into the loader or staged from an HTTP or DNS server. In this case, it’s embedded directly into the loader.
  2. Payload Compression and Encryption:
    • Compression Techniques: Supports aPLib, LZNT1, Xpress, and Xpress Huffman through RtlCompressBuffer.
    • Encryption: Uses the Chaskey block cipher for payload encryption. In this instance, only encryption is used, without compression.
  3. Execution Process via Unmanaged CLR Hosting API:
    • CLR Loading: Donut configures to use the Unmanaged CLR Hosting API to load the Common Language Runtime (CLR) into the host process.
    • Application Domain Creation: Creates a new Application Domain, allowing assemblies to run in disposable AppDomains.
    • Assembly Loading and Execution: Once the AppDomain is prepared, Donut loads the .NET assembly and invokes the payload’s entry point.

The use of Donut in this attack is particularly notable for its ability to execute various types of code directly in memory. This method greatly reduces the attack’s visibility to traditional security measures, as it leaves minimal traces on the filesystem. Additionally, the use of memory-only execution tactics, coupled with sophisticated encryption, makes the payload difficult to detect and analyze. The ability to create and use disposable AppDomains further enhances evasion by isolating the execution environment, reducing the chances of detection by runtime monitoring tools. This approach demonstrates a high level of sophistication in evading defenses and executing the final payload stealthily.

PHEMEDRONE STEALER PAYLOAD ANALYSIS

Phemedrone Stealer initializes its configuration and decrypts items like Telegram API tokens using the RijndaelManaged symmetric encryption algorithm. It targets a wide range of applications to extract sensitive information, including Chromium-based browsers, crypto wallets, Discord, FileGrabber, FileZilla, Gecko-based browsers, system information, Steam, and Telegram.

COMMAND AND CONTROL FOR DATA EXFILTRATION

After data collection, the malware compresses the information into a ZIP file and validates the Telegram API token before exfiltrating the data. It sends system information and statistics to the attacker via the Telegram API. Despite the patch for CVE-2023-36025, threat actors continue to exploit this vulnerability to evade Windows Defender SmartScreen protection. The Phemedrone Stealer campaign highlights the need for vigilance and updated security measures against such evolving cyber threats.

MITIGATION

Mitigating the risks associated with CVE-2023-36025 and similar vulnerabilities, especially in the context of the Phemedrone Stealer campaign, involves a multi-layered approach. Here are some key strategies:

  1. Apply Security Patches: Ensure that all systems are updated with the latest security patches from Microsoft, particularly the one addressing CVE-2023-36025. Regularly updating software can prevent attackers from exploiting known vulnerabilities.
  2. Enhance Endpoint Protection: Utilize advanced endpoint protection solutions that can detect and block sophisticated malware like Phemedrone Stealer. These solutions should include behavior-based detection to identify malicious activities.
  3. Educate Users: Conduct security awareness training for all users. Educate them about the dangers of clicking on unknown links, opening suspicious email attachments, and the risks of downloading files from untrusted sources.
  4. Implement Network Security Measures: Use firewalls, intrusion detection systems, and intrusion prevention systems to monitor and control network traffic based on an applied set of security rules.
  5. Secure Email Gateways: Deploy email security solutions that can scan and filter out malicious emails, which are often the starting point for malware infections.
  6. Regular Backups: Regularly back up data and ensure that backup copies are stored securely. In case of a malware infection, having up-to-date backups can prevent data loss.
  7. Use Application Whitelisting: Control which applications are allowed to run on your network. This can prevent unauthorized applications, including malware, from executing.
  8. Monitor and Analyze Logs: Regularly review system and application logs for unusual activities that might indicate a breach or an attempt to exploit vulnerabilities.
  9. Restrict User Privileges: Apply the principle of least privilege by limiting user access rights to only those necessary for their job functions. This can reduce the impact of a successful attack.
  10. Incident Response Plan: Have a well-defined incident response plan in place. This should include procedures for responding to a security breach and mitigating its impact.
  11. Use Secure Web Gateways: Deploy web gateways that can detect and block access to malicious websites, thereby preventing the download of harmful content.
  12. Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential security gaps in the network.

By implementing these measures, organizations can significantly reduce their risk of falling victim to malware campaigns that exploit vulnerabilities like CVE-2023-36025.

USB Defender | Data Blocker | Blocks Unwanted Data Transfers | Protects Smartphone & Tablets From Public Charging Stations

Learn Malware Removal Techniques: How to remove malwares from a computer

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: DEFENDER ANTIVIRUS


Jan 03 2024

Malware using google exploit maintain access

Category: Information Security,Malware,Password Securitydisc7 @ 7:38 am

Information stealing malware are actively taking advantage of an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions and allow continuous access to Google services even after a password reset.

According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, enabling threat actors to maintain access to a valid session in an unauthorized manner.

The technique was first revealed by a threat actor named PRISMA on October 20, 2023, on their Telegram channel. It has since been incorporated into various malware-as-a-service (MaaS) stealer families, such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.

The MultiLogin authentication endpoint is primarily designed for synchronizing Google accounts across services when users sign in to their accounts in the Chrome web browser (i.e., profiles).

A reverse engineering of the Lumma Stealer code has revealed that the technique targets the “Chrome’s token_service table of WebData to extract tokens and account IDs of chrome profiles logged in,” security researcher Pavan Karthick M said. “This table contains two crucial columns: service (GAIA ID) and encrypted_token.”

This token:GAIA ID pair is then combined with the MultiLogin endpoint to regenerate Google authentication cookies.

Karthick told The Hacker News that three different token-cookie generation scenarios were tested –

  • When the user is logged in with the browser, in which case the token can be used any number of times.
  • When the user changes the password but lets Google remain signed in, in which case the token can only be used once as the token was already used once to let the user remain signed in.
  • If the user signs out of the browser, then the token will be revoked and deleted from the browser’s local storage, which will be regenerated upon logging in again.

When reached for comment, Google acknowledged the existence of the attack method but noted that users can revoke the stolen sessions by logging out of the impacted browser.

“Google is aware of recent reports of a malware family stealing session tokens,” the company told The Hacker News. “Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”

“However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user,” it further added. “This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.”

The company further recommended users turn on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.

“It’s advised to change passwords so the threat actors wouldn’t utilize password reset auth flows to restore passwords,” Karthick said. “Also, users should be advised to monitor their account activity for suspicious sessions which are from IPs and locations which they don’t recognize.”

“Google’s clarification is an important aspect of user security,” said Hudson Rock co-founder and chief technology officer, Alon Gal, who previously disclosed details of the exploit late last year.

“However, the incident sheds light on a sophisticated exploit that may challenge the traditional methods of securing accounts. While Google’s measures are valuable, this situation highlights the need for more advanced security solutions to counter evolving cyber threats such as in the case of infostealers which are tremendously popular among cybercriminals these days.”

(The story was updated after publication to include additional comments from CloudSEK and Alon Gal.)

The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: MultiLogin Exploit


Dec 13 2023

HOW TO BYPASS EDRS, AV WITH EASE USING 8 NEW PROCESS INJECTION ATTACKS

Category: Malwaredisc7 @ 7:38 am

In the ever-evolving landscape of cybersecurity, researchers are continually uncovering new methods that challenge existing defense mechanisms. A recent study by SafeBreach, a leader in cybersecurity research, has brought to light a novel process injection technique that exploits Windows thread pools, revealing vulnerabilities in current Endpoint Detection and Response (EDR) solutions. This groundbreaking research not only demonstrates the sophistication of potential cyber threats but also underscores the need for advanced defensive strategies in the digital world. Thread pool exploitation is challenging for EDRs to detect because it uses legitimate system mechanisms for malicious purposes. EDRs often look for known patterns of malicious activity, but when malware hijacks legitimate processes or injects code via expected system behaviors, such as those involving thread pools, it can blend in without raising alarms. Essentially, these techniques don’t leave the typical traces that EDRs are programmed to identify, allowing them to operate under the radar.

UNDERSTANDING PROCESS INJECTION:

Process injection is a technique often used by cyber attackers to execute malicious code within the memory space of a legitimate process. By doing so, they can evade detection and gain unauthorized access to system resources. Traditionally, this method involves three key steps: allocating memory in the target process, writing the malicious code into this allocated space, and then executing the code to carry out the attack.

THE ROLE OF WINDOWS THREAD POOLS:

Central to this new technique is the exploitation of Windows thread pools. Thread pools in Windows are integral for managing worker threads, which are used to perform various tasks in the background. These pools efficiently manage the execution of multiple threads, reducing the overhead associated with thread creation and destruction. In legitimate scenarios, thread pools enhance the performance and responsiveness of applications. Windows thread pools are a system feature used to manage multiple threads efficiently. These pools allow for the execution of worker threads that perform tasks in the background, optimizing the use of system resources. Thread pools are integral to the Windows operating system and are used by various applications for performing asynchronous tasks.

SafeBreach’s research delves into how these thread pools can be manipulated for malicious purposes. By exploiting the mechanisms that govern thread pool operations, attackers can inject malicious code into other running processes, bypassing traditional security measures. This technique presents a significant challenge to existing EDR solutions, which are typically designed to detect more conventional forms of process injection. Here are some examples of such manipulations:

  1. Inserting Malicious Work Items:
    • Attackers can insert malicious work items into the thread pool. These work items are essentially tasks scheduled to be executed by the pool’s worker threads. By inserting a work item that contains malicious code, an attacker can execute this code under the guise of a legitimate process.
  2. Hijacking Worker Threads:
    • An attacker might hijack the worker threads of a thread pool. By taking control of these threads, the attacker can redirect their execution flow to execute malicious code. This method can be particularly effective because worker threads are trusted components within the system.
  3. Exploiting Timer Queues:
    • Windows thread pools use timer queues to schedule tasks to be executed at specific times. An attacker could exploit these timer queues to schedule the execution of malicious code at a predetermined time, potentially bypassing some time-based security checks.
  4. Manipulating I/O Completion Callbacks:
    • Thread pools handle I/O completion callbacks, which are functions called when an I/O operation is completed. By manipulating these callbacks, an attacker can execute arbitrary code in the context of a legitimate I/O completion routine.
  5. Abusing Asynchronous Procedure Calls (APCs):
    • While not directly related to thread pools, attackers can use Asynchronous Procedure Calls, which are mechanisms for executing code asynchronously in the context of a particular thread, in conjunction with thread pool manipulation to execute malicious code.
  6. Worker Factory Manipulation:
    • The worker factory in a thread pool manages the worker threads. By manipulating the worker factory, attackers can potentially control the creation and management of worker threads, allowing them to execute malicious tasks.
  7. Remote TP_TIMER Work Item Insertion:
    • This involves creating a timer object in the thread pool and then manipulating it to execute malicious code. The timer can be set to trigger at specific intervals, executing the malicious code repeatedly.
  8. Queue Manipulation:
    • Attackers can manipulate the queues used by thread pools to prioritize or delay certain tasks. By doing so, they can ensure that their malicious tasks are executed at a time when they are most likely to go undetected.

These examples illustrate the versatility and potential stealth of using Windows thread pools for malicious purposes. The exploitation of such integral system components poses a significant challenge to cybersecurity defenses, requiring advanced detection and prevention mechanisms. The following thread pool work items that can be scheduled in Windows. Here’s how each one could potentially be vulnerable to attacks:

  1. Worker Factory Start Routine Overwrite: Overwriting the start routine can redirect worker threads to execute malicious code.
  2. TP_WORK Insertion: By inserting TP_WORK objects, attackers could run arbitrary code in the context of a thread pool thread.
  3. TP_WAIT Insertion: Manipulating wait objects can trigger the execution of malicious code when certain conditions are met.
  4. TP_IO Insertion: By intercepting or inserting IO completion objects, attackers could execute code in response to IO operations.
  5. TP_ALPC Insertion: Attackers could insert ALPC (Advanced Local Procedure Call) objects to execute code upon message arrival.
  6. TP_JOB Insertion: Jobs can be associated with malicious actions, executed when certain job-related events occur.
  7. TP_DIRECT Insertion: Direct insertion allows immediate execution of code, which can be abused for running malware.
  8. TP_TIMER Insertion: Timers can be used by attackers to schedule the execution of malicious payloads at specific times.

These vulnerabilities generally stem from the fact that thread pools execute callback functions, which attackers may manipulate to point to their code, thus achieving code execution within the context of a legitimate process.

MITIGATION

Mitigating threats that involve the exploitation of Windows thread pools for process injection requires a multi-faceted approach, combining advanced technological solutions with proactive security practices. Here are some potential measures and recommendations:

  1. Enhanced Detection Algorithms:
    • Endpoint Detection and Response (EDR) solutions should incorporate advanced algorithms capable of detecting anomalous behaviors associated with thread pool manipulation. This includes unusual activity patterns in worker threads and unexpected changes in thread pool configurations.
  2. Deep System Monitoring:
    • Implement deep monitoring of system internals, especially focusing on thread pools and worker thread activities. Monitoring should include the creation of work items, modifications to timer queues, and the execution patterns of threads.
  3. Regular Security Audits:
    • Conduct regular security audits of systems to identify potential vulnerabilities. This includes reviewing and updating the configurations of thread pools and ensuring that security patches and updates are applied promptly.
  4. Advanced Threat Intelligence:
    • Utilize advanced threat intelligence tools to stay informed about new vulnerabilities and attack techniques involving thread pools. This intelligence can be used to update defensive measures continuously.
  5. Employee Training and Awareness:
    • Educate IT staff and employees about the latest cybersecurity threats, including those involving thread pool exploitation. Awareness can help in early detection and prevention of such attacks.
  6. Behavioral Analysis and Heuristics:
    • Implement security solutions that use behavioral analysis and heuristics to detect unusual patterns that might indicate thread pool exploitation. This approach can identify attacks that traditional signature-based methods might miss.
  7. Zero Trust Architecture:
    • Adopt a zero trust architecture where systems do not automatically trust any entity inside or outside the network. This approach can limit the impact of an attack by restricting access and permissions to essential resources only.
  8. Regular Software Updates:
    • Ensure that all software, especially operating systems and security tools, are regularly updated. Updates often include patches for known vulnerabilities that could be exploited.
  9. Isolation of Sensitive Processes:
    • Isolate sensitive processes in secure environments to reduce the risk of thread pool manipulation affecting critical operations. This can include using virtual machines or containers for added security.
  10. Incident Response Planning:
    • Develop and maintain a robust incident response plan that includes procedures for dealing with thread pool exploitation. This plan should include steps for containment, eradication, recovery, and post-incident analysis.

By implementing these measures, organizations can strengthen their defenses against sophisticated attacks that exploit Windows thread pools, thereby enhancing their overall cybersecurity posture.

Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: BYPASS EDRS, INJECTION ATTACKS


Nov 25 2023

Stuxnet techniques used

Category: Cyber War,Digital cold war,Malwaredisc7 @ 2:55 pm

Stuxnet: The Revenge of Malware: How the Discovery of Malware from the Stuxnet Family Led to the U.S. Government Ban of Kaspersky Lab Anti-Virus Software

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Stuxnet


Nov 21 2023

Increasingly prevalent NetSupport RAT infections reported

Category: Malware,Remote codedisc7 @ 9:30 am

https://www.scmagazine.com/brief/increasingly-prevalent-netsupport-rat-infections-reported

Attacks involving the NetSupport RAT have become increasingly common, The Hacker News reports. More than 15 infections have been observed mostly in organizations in the education, government, and business sectors, in recent weeks, according to a report from VMware Carbon Black researchers. Fraudulent browser updates have been leveraged by threat actors to facilitate the distribution of the SocGholish downloader malware, also known as FakeUpdates, which then uses PowerShell to establish a remote server connection and facilitate the retrieval of a NetSupport RAT-containing ZIP archive file. Researchers also noted that the installation of NetSupport would then enable behavior tracking, file transfers, computer setting alterations, and lateral network movement. “The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns,” said researchers. NetSupport RAT, which was once a remote access tool, was previously reported by Sucuri to have been spread through fake Cloudflare distributed denial-of-service protection pages.

Rat : Remote Access Trojan – Launching Virus Remotely

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: NetSupport RAT


Oct 10 2023

SILENT PREDATOR UNVEILED: DECODING WEBWYRM STEALTHY MALWARE AFFECTING 50 COUNTRIES

Category: Malwaredisc7 @ 8:40 am

DECIPHERING WEBWYRM: AN IN-DEPTH ANALYSIS OF THE PERVASIVE MALWARE THREATENING GLOBAL CYBERSECURITY

In the intricate landscape of global cybersecurity, Webwyrm malware has surfaced as a formidable adversary, casting its ominous shadow across 50 nations and leaving in its wake over 100,000 compromised victims. This insidious digital menace successfully emulates in excess of 1000 reputable companies globally, with the ensuing potential financial fallout estimated to surpass a staggering $100 million. It is imperative for cybersecurity professionals and organizations alike to comprehend the multifaceted nature of this threat to devise and implement robust defensive strategies effectively.

THE EVOLUTIONARY TRAJECTORY OF WEBWYRM

In the dynamic realm of cyber threats, malicious actors incessantly refine their Tactics, Techniques, and Procedures (TTPs), exploiting extant vulnerabilities and augmenting the efficacy of their malicious campaigns. Webwyrm epitomizes this relentless pursuit of evolution, embodying a level of sophistication reminiscent of infamous cyber threats of yore, such as the notorious ‘Blue Whale Challenge.’

REFINED MODUS OPERANDI

WebWyrm malware orchestrates a complex, deceptive narrative aimed at duping unsuspecting job seekers into relinquishing their cryptocurrency. Initiating contact predominantly via WhatsApp, the malefactors likely leverage data procured from employment portals to pinpoint and engage individuals predisposed to their deceptive overtures. Prospective victims are enticed with promises of lucrative weekly remuneration, ranging between $1200 and $1500, contingent upon the completion of daily task “packets” or “resets.”

Upon transferring funds into designated cryptocurrency wallets, victims are led to believe that the completion of tasks results in monetary withdrawals from their accounts, which are subsequently returned along with additional commissions. The introduction of “combo tasks” promises substantial financial returns but necessitates a more considerable investment. However, the caveat is that these returns are accessible only upon the sequential completion of all combo tasks, with each task demanding a progressively larger investment.

CAMPAIGN ENABLERS: TECHNICAL INSIGHTS

WebWyrm’s campaign is characterized by its sophistication, adaptability, and elusive operational framework. The initiative employs dedicated personnel engaging with victims via various platforms, thereby lending an aura of legitimacy and support to their endeavors. The orchestrators have meticulously crafted approximately 6000 counterfeit websites, directing victims to register their accounts. These platforms are expertly designed to mimic legitimate enterprises, with a keen focus on geo-targeting and associated contact numbers reflecting the respective victim’s geographical location.

Moreover, the malefactors astutely navigate the ephemeral nature of their infrastructure, allocating specific IP addresses or Autonomous System Numbers (ASNs) to host counterfeit domains for limited durations. This modus operandi facilitates operational continuity and anonymity, allowing for a swift transition to alternative infrastructure in response to potential threats, thereby effectively circumventing detection mechanisms.

INDUSTRIES IN THE CROSSHAIRS

Webwyrm has indiscriminately targeted a plethora of industries, including:

  • IT Services
  • Software Development
  • Mobile App Development
  • User Experience Design
  • Digital Marketing
  • Web Development
  • SEO
  • E-Commerce

DEFENSIVE COUNTERMEASURES

Effective defense against Webwyrm necessitates the adoption of several countermeasures:

  • Origin Tracing of Malefactors via Employment Portals
  • Collaborative Defensive Initiatives
  • Deployment of Rapid Response Teams
  • Implementation of Domain Blacklisting Protocols
  • Asset Seizure
  • Launch of Educational Awareness Campaigns

With the incorporation of these enhanced technical insights, it becomes abundantly clear that WebWyrm represents a meticulously orchestrated, sophisticated operation with the singular aim of exploiting job seekers. The nuanced understanding of potential victims, coupled with a highly adaptive and elusive infrastructure, renders this a significant threat warranting coordinated, informed countermeasures to safeguard potential victims. Awareness, education, and the proactive deployment of defense mechanisms are pivotal in mitigating the risks associated with the WebWyrm malware campaign.

Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: WEBWYRM


Sep 22 2023

HOW TO SEND PHISHING OR MALWARE TO TEAMS USERS EVADING TEAMS SECURITY FEATURES

Category: Malware,Phishingdisc7 @ 9:25 am

TeamsPhisher is a Python3 software that was designed to make it easier for phishing messages and attachments to be sent to users of Microsoft Teams whose companies or organizations permit connection with outside parties. It is not feasible to transfer files to users of Teams who are not part of one’s company in most circumstances. Recently, Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) from JUMPSEC published a means to circumvent this limitation by modifying HTTP requests made by Teams in order to change who is sent a message with an attached file.

TeamsPhisher utilizes a number of other techniques, including some of Andrea Santese’s (@Medu554) older ones, in addition to this one.For the authentication component of the attack flow as well as other basic utility functions, it relies significantly on TeamsEnum, a brilliant piece of work that was developed by Bastian Kanbach (@bka) of SSE.

TeamsPhisher’s goal is to include the most useful aspects of the aforementioned projects in order to provide a method that is robust, fully adaptable, and highly effective for authorized Red Team operations to use Microsoft Teams for phishing in access-related circumstances.

You will need to provide TeamsPhisher with an attachment, a message, and a list of people to target. After that, it will go over the list of targets while simultaneously uploading the attachment to the sender’s Sharepoint.

First, TeamsPhisher will enumerate the target user and check to see whether that person really exists and is able to receive messages from the outside world. After that, it will initiate a new conversation with the person you choose. Note that this is technically a “group” conversation since TeamsPhisher contains the target’s email address twice; this is a clever hack from @Medu554 that will circumvent the “Someone outside your organization messaged you, are you sure you want to view it” splash screen that might offer our targets a reason to stop and think twice about viewing the message.

The user who was identified will get the message that was sent to them along with a link to the attachment that was stored in Sharepoint after a new thread has been established between our sender and the target.

After this first message has been sent, the newly established thread will be visible in the sender’s Teams GUI and may be engaged with manually, if necessary, on a case-by-case basis. Users of TeamsPhisher are required to have a Microsoft Business account (as opposed to a personal one such as @hotmail, @outlook, etc.) that is licensed for both Teams and Sharepoint in order to utilize the software.

This indicates that you will require an AAD tenant as well as at least one user who has a license that corresponds to it. At the time of publishing, the AAD licensing center does have some free trial licenses available for download that are capable of meeting all of the prerequisites for using this product.

Before you may utilize the account with TeamsPhisher, you will have to ensure that you have at least once successfully logged into the personal Sharepoint site of the user with whom you will be exchanging messages. This should be something along the lines of tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com or tenantname-my.sharepoint.com/personal/myusername_mytenantname_mycustomdomain_tld. Alternatively, you could also use tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com.

In terms of the needs of the local community, We strongly advise upgrading to the most recent version of Python3. You will also require the authentication library developed by Microsoft:

To upload the file to a Sharepoint site, you will need to manually give the site’s name. This would most likely be required in the event if the sender’s tenant makes use of a unique domain name (for example, one that does not adhere to the xxx.onmicrosoft.com norm). Just the singular name should be used; for instance, if your SharePoint site is located at mytest.sharepoint.com, you should use the –sharepoint mytest option.

Replace TeamPhisher’s standard greeting (“Hi,”) with a personalized greeting that will be appended to the message that is supplied by the –message option. For instance, “Good afternoon,” or “Sales team,” are examples.

By default, the Sharepoint link that is provided to targets may be accessed by anybody who has the link; to restrict access to the Sharepoint file so that it can only be viewed by the target who got it, use the –securelink option. It’s possible that this will help shield your virus from the blue team.

TeamsPhisher will make an effort to determine the first name of each person it is targeting and will use that name in the welcome it sends to them. For instance, tom.jones@targettenant.onmicrosoft.com would get an email with the greeting “Hi Tom, ” as the first line of the message. This is not ideal and is dependant on the format of the emails that are being targeted; use the –preview option to see whether or not this is a suitable match for the list of emails that you are targeting.

The preview version of TeamsPhisher will be executed. This will NOT send any messages to the target users; instead, the “friendly” name that would be used by the –personalize option will be shown. In addition, a sample message that is indicative of what targets would receive with the current settings will be delivered to the sender’s Teams. You may log in to check how your message appears and make any required adjustments to it.

You may choose to have a delay of x seconds between each message sent to targets. Can be of assistance with rate-limiting concerns that may arise.

TeamsPhisher will determine which accounts are unable to receive messages from third-party organizations, which accounts do not exist, and which accounts have subscription plans that are incompatible with the attack vectors.

TeamsPhisher now enables login with sender accounts using multifactor authentication (MFA), thanks to code contributed by the TeamsEnum project.

If you use the –securelink flag, the recipients of the message will see a popup asking them to verify themselves before they can view the attachment in Sharepoint. You have the ability to determine if this adds an excessive number of additional steps or whether it adds ‘legitimacy’ by sending them via the actual Microsoft login feature.

Mitigation
By changing the choices associated with external access, which can be found in the Microsoft Teams admin center under Users > External access, companies may reduce the risk that is provided by the vulnerability that has been discovered.

Organizations are provided with the freedom to pick the optimal rights to match their requirements by Microsoft, including the ability to whitelist just particular external tenants for communications and a global block that prevents any communications from occurring.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: EVADING TEAMS SECURITY FEATURES



Jul 14 2023

THIS FREE UEFI MALWARE CODE CAN HACK WINDOWS MACHINE FOREVER, EVEN IF HARD DISK IS REMOVED

Category: Malware,Windows Securitydisc7 @ 12:29 pm

The Blacklotus bootkit was developed expressly for Windows, and it first appeared on hacker forums in October of the previous year. It was described as having APT-level capabilities, including the ability to circumvent secure boot and user access control (UAC), as well as the capacity to deactivate security software and defensive mechanisms on victim computers. Threat actors of various skill levels were able to purchase BlackLotus when it was first offered for sale on hacker forums for as little as $5,000, giving them access to malware that is often associated with state-sponsored hacking operations. However, the threat actor concealed the source code and charged clients $200 for rebuilds if they wished to modify the bootkit in any way.c
Microsoft published a set of resources in April that are intended to assist threat hunters in recognizing BlackLotus infections. The National Security Agency (NSA) released some guidelines in June to assist firms in strengthening their defenses against the threat.


Although it has a number of alterations in comparison to the malware’s initial form, the BlackLotus UEFI bootkit’s original source code has been made available to the public on GitHub.

The ‘Baton Drop’ exploit that targets CVE-2022-21894 has been removed from the BlackLotus source code that was released on GitHub on Wednesday. Additionally, the BlackLotus source code now employs the bootlicker UEFI firmware rootkit, although it still retains the majority of the original code.

The fact that the bootkit’s source code is available to the public poses a considerable danger, primarily because it may be paired with newly discovered vulnerabilities to open up previously undiscovered entry points for attacks. BlackLotus was able to utilize the attack despite the fact that CVE-2022-21894 had been fixed the previous year. This was possible because the vulnerable binaries had not been put to the UEFI revocation list. This demonstrates how even vulnerabilities that have been patched may still present long-term, industry-wide supply chain impact.

However, since the source code was leaked, it is now very easy for threat actors to combine the bootkit with new bootloader vulnerabilities, whether they are known or undiscovered. The methods used by the bootkit are no longer cutting edge.

Be careful to adhere to the extensive mitigation guidance that the NSA issued a month ago in order to protect your computers against the BlackLotus UEFI bootkit attack.

Because the source code of the bootkit is now freely accessible, it is feasible that skilled malware writers may design more powerful variations that are able to circumvent both currently available countermeasures and those that will be developed in the future.

How to Hack Like a Legend: Breaking Windows

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: HACK WINDOWS MACHINE


Jun 15 2023

LLM meets Malware: Starting the Era of Autonomous Threat

Category: Malwaredisc7 @ 2:19 am

Malware researchers analyzed the application of Large Language Models (LLM) to malware automation investigating future abuse in autonomous threats.

Executive Summary

In this report we shared some insight that emerged during our exploratory research, and proof of concept, on the application of Large Language Models to malware automation, investigating how a potential new kind of autonomous threats would look like in the near future.

  • We explored a potential architecture of an autonomous malware threat based on four main steps: an AI-empowered reconnaissances, reasoning and planning phase, and the AI-assisted execution.
  • We demonstrate the feasibility of using LLM to recognize infected environments and decide which kind of malicious actions could be best suited for the environment.
  • We adopted an iterative code generation approach to leverage LLMs in the complicated task of generating code on the fly to achieve the malicious objectives of the malware agent.
  • Luckily, current general purpose LLM models still have limitations: while incredibly competent, they still need precise instruction to achieve the best results.
  • This new kind of threat has the potential to become extremely dangerous in the future, when computational requirements of LLMs would be low enough to run the agent completely locally, and also with the usage of specific models instead of general purpose ones.

Introduction

Large Language Models started shaping the digital world around us, since the public launch of OpenAI’s ChatGPT everybody spotted a glimpse of a new era where the Large Language Models (LLMs) would profoundly impact multiple sectors soon.

The cyber security industry is not an exception, rather it could be one of the most fertile grounds for such technologies, both for good and also for bad. Researchers in the industry have just scratched the surface of this application, for instance with read teaming application, as in the case of the PentestGPT project, but also, more recently even with malware related applications, in fact, Juniper researchers were using ChatGPT to generate malicious code to demonstrate the speedup in malware writing, and CyberArk’s ones tried to use ChatGPT to realize a polymorphic malware, along with Hays researchers which created another polymorphic AI-powered malware in Python.

Following this trail of this research, we decided to experiment with LLMs in a slightly different manner: our objective was to see if such technology could lead even to a paradigm-shift in the way we see malware and attackers. To do so, we prototyped a sort of “malicious agent” completely written in Powershell, that would be able not only to generate evasive polymorphic code, but also to take some degree of decision based on the context and its “intents”.

Technical Analysis

This is an uncommon threat research article, here the focus is not in a real-world threat actor, instead we deepen an approach that could be likely adopted in the near future by a whole new class of malicious actors, the AI-powered autonomous threat.

A model for Autonomous Threats

First of all we are going to describe a general architecture that could be adopted for such an objective. An architecture which inevitably has common ground with Task-Driven Autonomous Agents like babyAGI or autoGPT. But for the sake of our experimentation, we decided to shape the logic flow of the malicious agent to better match common malware operations.

As anticipated before, our Proof of Concept (PoC) autonomous malware is an AI-enabled Powershell script, designed to illustrate the potential of artificial intelligence in automation and decision-making, with each phase of execution highlighting the adaptability and intelligence of the AI.

Breaking down the state diagram, at high level, the agent runs into the following stages.

Footprinting

During the discovery phase, the AI conducts a comprehensive analysis of the system. Its goal is to create a thorough profile of the operating environment. It examines system properties such as the operating system, installed applications, network setups, and other pertinent information.

This thorough assessment is not just for ensuring the system is ready to go, but also assists the AI in figuring out if it’s working within a controlled environment, whether it’s interacting with a server or a client. One of the crucial determinations it makes is whether it is functioning within a sandboxed environment. Sandboxes are controlled settings, often used for testing or monitoring potentially harmful activities. If the AI detects it is operating within a sandbox, it halts all execution, avoiding unnecessary exposure in a non-targeted environment.

This system data becomes a vital input that lets the malicious-AI make informed decisions and respond appropriately. It provides a comprehensive understanding of its operating environment, similar to a detailed map, allowing it to navigate the system effectively. In this sense, this phase readies the “malicious agent” for the activities that follow.

Reasoning

In the execution phase, the malicious agent maneuvers rely significantly on the context, built on a detailed understanding of the system environment gathered in the earlier analysis phase.

An intriguing aspect of this phase is the AI’s strategic decision-making, which closely emulates strategies used by well-known hacking groups. At the outset, the “malicious agent” mimics a specific, recognized hacking group. The selection of the group isn’t random but is determined by the particular context and conditions of the system.

After deciding which hacking group to mimic, the autonomous agent goes on to devise a comprehensive attack strategy. This strategy is custom-made to the specific system environment and the standard practices of the selected hacking group, for example, it may decide to include password stealing tasks in case it detects the Outlook application rather than install a backdoor account on the server.

Execution

Once the attack strategy is in place, the malicious agent begins to carry out each action in a step-by-step manner. For each action, the AI dynamically creates the necessary code and promptly puts it into action. This could include a broad range of operations, such as attempting privilege escalation, conducting password hunts, or establishing persistence.

However, the AI’s role isn’t just limited to implementation. It consistently keeps an eye on how the system responds to its actions and stays ready for unexpected occurrences. This attentiveness allows the AI to adapt and modify its actions in real time, showcasing its ability for resilience and strategic problem-solving within a changing system environment.

When guided by more specific prompts, AI proves to be exceptionally capable, even to the point of generating functional infostealers on the fly.

This AI-empowered PoC epitomizes the potential of AI in carrying out intricate tasks independently and adjusting to its environment.

Code Generation

One of the fundamental characteristics that set autonomous threats apart is their ability to generate code. Unlike traditional threats, which often require manual control or pre-programmed scripts to adapt and evolve, autonomous threats use AI algorithms to autonomously generate new code segments. This dynamic code generation ability not only allows them to adapt to changing system conditions and defenses but also makes their detection and analysis more challenging.

This process involves the use of specific prompts, allowing the AI to create custom solutions that suit the system’s unique conditions. The AI also takes an active role in monitoring the outcomes of its actions. It continually assesses the results of its code execution. If it detects errors or unsuccessful actions, it uses them as inputs for further processing. By feeding error data back into its processes, the AI can refine and optimize its code generation. This iterative process represents a significant step towards true autonomous problem-solving capabilities, as the AI dynamically adjusts its actions based on their results.

Figure. Iterative code generation and adjustment

Environment Awareness

Autonomous threats take threat intelligence to a new level by being aware of their operating environment. Traditional threats often have a one-size-fits-all approach, attacking systems without fully understanding the environment. In contrast, autonomous threats can actively monitor their environment and adapt their actions accordingly.

The concept of environmental awareness is pivotal in AI-powered cyber threats. This environmental understanding enables the autonomous malware to choose an appropriate course of action based on the context around. For example, it might identify if it’s operating within a sandbox environment or decide to behave differently based on whether it’s operating on a server or client machine.

This awareness also influences the AI’s decision-making process during its operation. It can adjust its behavior according to the context, impersonating a particular known hacker group or choosing a specific attack strategy based on the evaluated system characteristics.

This environment-aware approach could enable malware writers to rely on very sophisticated, and harder to counter, evasion schemes.

Figure. Prompt to evaluate the machine environment

Decision-Making Autonomy

Perhaps the most defining characteristic of autonomous malware is the decision-making autonomy. Unlike traditional threats that rely on pre-programmed behaviors or external control from a human operator, autonomous threats can make independent decisions about their actions.

These threats use advanced AI algorithms to analyze the available information, weigh the potential outcomes of different actions, and choose the most effective course of action. This decision-making process could involve choosing which systems to target, selecting the best method for attack, deciding when to lay dormant to avoid detection, and even determining when to delete themselves to avoid traceability.

This level of autonomy not only makes these threats more resilient to countermeasures, but it also allows them to carry out more complex and coordinated attacks. By making independent decisions, these threats can adapt to changing circumstances, carry out long-term infiltration strategies, and even coordinate with other autonomous threats to achieve their objectives.

Proof of Concept

https://youtube.com/watch?v=W-7Vk3nqVRU%3Ffeature%3Doembed

In this proof of concept (PoC), we launched our AI-enabled script on a Windows client. The script’s execution process is designed to illustrate the potential of AI in automating complex tasks, decision making, and adjusting to the environment.

Firstly, the script initiates with an exhaustive system footprinting. During this phase, the AI takes a thorough survey of the system. The focus is on creating a detailed footprint of the operating environment by examining properties such as the operating system, installed software and other relevant details. This rigorous assessment not only prepares the system for the following actions but also helps the AI understand the context it’s operating within.

Simultaneously, a crucial part of this initial phase is sandbox detection. In fact, if the AI identifies the environment as a sandbox, the execution halts immediately.

Once the AI has confirmed it’s not within a sandbox, and it’s dealing with a client, it proceeds to develop an infostealer — a type of malware that’s designed to gather and extract sensitive information from the system. In this specific case, the AI installs a keylogger to monitor and record keystrokes, providing a reliable method to capture user inputs, including passwords.

Alongside keylogging, during the test sessions, the AI performed password hunting too.

Finally, after gathering all the necessary data, the AI proceeded to the data exfiltration. The AI prepares all the accumulated data for extraction, ensuring it’s formatted and secured in a way that it can be efficiently and safely retrieved from the system.

The demonstration video provides a real-time view of these actions carried out by the AI.

This PoC underlines how an AI system can perform complex tasks, adapt to its environment, and carry out activities that previously required advanced knowledge and manual interaction.

Consideration on Experimentation Session

In all the experiments conducted, a key theme that emerged was the level of exactness needed when assigning tasks to the AI. When presented with vague or wide-ranging tasks, the AI’s output frequently lacked effectiveness and specificity. This highlights an essential trait of AI at its current stage: while incredibly competent, it still needs precise instruction to achieve the best results.

For instance, when tasked to create a generic malicious script, the AI might generate code that tries to cover a wide spectrum of harmful activities. The outcome could be a piece of code that is wide-ranging and inefficient, potentially even drawing unwanted scrutiny due to its excessive system activity.

On the other hand, when given more narrowly defined tasks, the AI demonstrated the capability to create specific components of malware. By steering the AI through smaller, more exact tasks, we could create malicious scripts that were more focused and effective. Each component could be custom-made to carry out its task with a high level of effectiveness, leading to the creation of a cohesive, efficient malware when combined.

This discovery suggests a more efficient method of utilizing AI in cybersecurity — breaking down complex tasks into smaller, manageable objectives. This modular approach allows for the creation of specific code pieces that carry out designated functions effectively and can be assembled into a larger whole.

Conclusion

In conclusion, when we just look in the direction of LLMs and malware combined together, we clearly see a significant evolution in cybersecurity threats, potentially able to lead to a paradigm shift where malicious code operates based on predefined high-level intents.

Their ability to generate code, understand their environment, and make autonomous decisions makes them a formidable challenge for future cybersecurity defenses. However, by understanding these characteristics, we can start to develop effective strategies and technologies to counter these emerging threats.

Luckily, the autonomous malware PoC we set up and the potential upcoming ones have still limitations: they rely on generic language models hosted online, this mean the internet connectivity is, and will be, a requirement for at least some time. But, we are likely going to see the adoption of local LLM models, maybe even special-purpose ones, directly embedded in the future malicious agents.

AI technology is in a rapid-development stage, and even if it is pretty young, its adoption across various sectors is widening, including in the criminal underground.

About the author: B42 Labs researchers

Original post at https://medium.com/@b42labs/llm-meets-malware-starting-the-era-of-autonomous-threat-e8c5827ccc85

Transformers for Natural Language Processing: Build, train, and fine-tune deep neural network architectures for NLP with Python, Hugging Face, and OpenAI’s GPT-3, ChatGPT, and GPT-4

LLM meets Malware: Starting the Era of Autonomous Threat

InfoSec tools | InfoSec services | InfoSec books

Tags: LLM


May 11 2023

Millions of mobile phones come pre-infected with malware, say researchers

Category: Information Security,Malware,Mobile Securitydisc7 @ 12:03 pm

The threat is coming from inside the supply chain

BLACK HAT ASIA Threat groups have infected millions of Androids worldwide with malicious firmware before the devices have even been shipped from their manufacturers, according to Trend Micro researchers at Black Hat Asia.

The mainly mobile devices, but also smartwatches, TVs and more, have their manufacturing outsourced to an original equipment manufacturer (OEM), a process the researchers say makes them easily infiltrated.

“What is the easiest way to infect millions of devices?” posed senior threat researcher Fyodor Yarochkin, speaking alongside colleague Zhengyu Dong.

He compared infiltrating devices at such an early stage of their life cycle to a tree absorbing liquid: you put the infection at the root, and it gets distributed everywhere, out to every single limb and leaf.

The malware installation technique began as the price of mobile phone firmware dropped. Competition between firmware distributors became so furious that eventually the providers could not charge money for their product.

“But of course there’s no free stuff,” said Yarochkin, who explained that the firmware started to come with an undesirable feature – silent plugins. The team manually analyzed dozens of firmware images looking for malicious software. They found over 80 different plugins, although many of those were not widely distributed.

The plugins that were the most impactful were those that had built a business model around them and were selling underground services, marketing them out in the open on places like Facebook, in blog posts, and on YouTube.

    The objective of the malware is to steal info or make money from information collected or delivered.

    The malware turns the devices into proxies which are used to steal and sell SMS messages, social media and online messaging accounts, and used as monetization opportunities via adverts and click fraud.

    One type of plugin, proxy plugins, allow the criminal to rent out devices for up to around five minutes at a time. For example, those renting the control of the device could acquire data on keystrokes, geographical location, IP address and more.

    “The user of the proxy will be able to use someone else’s phone for a period of 1200 seconds as an exit node,” said Yarochkin. He also said the team found a Facebook cookie plugin that was used to harvest activity from the Facebook app.

    Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million.

    As for where the threats are coming from, the duo wouldn’t say specifically, although the word “China” showed up multiple times in the presentation, including in an origin story related to the development of the dodgy firmware. Yarochkin said the audience should consider where most of the world’s OEMs are located and make their own deductions.

    “Even though we possibly might know the people who build the infrastructure for this business, its difficult to pinpoint how exactly the this infection gets put into this mobile phone because we don’t know for sure at what moment it got into the supply chain,“ said Yarochkin.

    The team confirmed the malware was found in the phones of at least 10 different vendors, but that there was possibly around 40 more affected. For those seeking to avoid infected mobile phones, they could go some way of protecting themselves by going high end.

    “Big brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market,” said Yarochkin. ¼

    https://www.theregister.com/2023/05/11/bh_asia_mobile_phones/

    #Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy

     InfoSec tools | InfoSec services | InfoSec books

    Tags: Mobile phone security, Pegasus


    Apr 30 2023

    JUST FOR $1000 PER MONTH HACK MACOS COMPUTERS WITH THIS UNDETECTABLE MALWARE

    Category: Hacking,MalwareDISC @ 1:14 pm

    A new piece of malware known as Atomic macOS Stealer (AMOS) was recently discovered by researchers as it was being offered for sale on Telegram. The threat actor who is promoting it charges $1,000 each month and continually updates the virus that they are selling. The Atomic macOS Stealer is capable of stealing a variety of information from the computer of the victim, such as passwords saved in the Keychain, comprehensive system information, files from the victim’s desktop and documents folder, and even the macOS password itself.

    One of its many capabilities is the extraction of data from web browsers and cryptocurrency wallets such as Atomic, Binance, Coinomi, Electrum, and Exodus. This is only one of its many functions. When a threat actor purchases the stealer from the creators of the stealer, they are also given a web panel that is pre-configured and ready to use for managing the victims.

    In the event that AMOS is installed, it has the potential to compromise a broad range of data, some of which include the passwords for iCloud Keychain, the password for the macOS system, cookies, passwords, and credit card credentials from browsers like as Chrome, Firefox, Brave, Edge, and Opera, among others. Additionally, it has the ability to compromise cryptocurrency wallets such as Atomic, Binance, Exodus, Electrum, MetaMask, and a great number of others.

    A web panel, a program called Brute MetaMask, logs in Telegram with alerts, and more features are provided to customers by the malicious party that is offering malware as a service.

    The following is the message that the threat actor posted on Telegram while trying to sell the malware:

    After the malware has gained access to a user’s information, it places the information into a ZIP file, compresses it, and then sends it to the malicious party via a command and control server URL.

    It is imperative that users only download and install software from trusted sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received via email or SMS messages as a result of this development, which is another sign that macOS is increasingly becoming a lucrative target beyond nation-state hacking groups to deploy stealer malware. The development is also a sign that macOS is becoming a target for cybercriminals to deploy stealer malware.

    To protect against it:

    Only applications from the official Apple App Store should be downloaded and installed on your device.
    Install an antivirus and internet security software package that has a good reputation on your computer.
    Make sure to use secure passwords, and implement multi-factor authentication whenever it’s possible.
    When it is feasible to do so, enable the biometric security capabilities of the device, such as fingerprint or face recognition, so that it can be unlocked.
    Always use caution before clicking on any links that are delivered to you in emails.
    When enabling any permissions, exercise extreme caution.
    Make that all of your software, including operating systems and apps, is up to date.

    The Art of Mac Malware: The Guide to Analyzing Malicious Software

    InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

    Tags: Mac Malware, MACOS COMPUTERS


    Apr 24 2023

    Preventing Malware & Cyber Attacks: Simple Tips for Your Computer

    Category: Cyber Attack,MalwareDISC @ 8:15 am

    Living without the Internet is hardly imaginable today. However, the anonymity of the internet has led to the flourishing of cyber attacks and malware. Malicious software can cause damage to our devices, steal personal data, and lead to monetary loss. Therefore, protecting your computer from these threats is crucial. This article will outline some methods and resources for protecting your devices from malicious software, and explain why it’s essential to use malware removal at all times.

    Tip #1: Keep Your Operating System and Software Up to Date

    One of the most crucial things you can do to keep your computer secure is to keep your operating system and software up to date. Security patches are frequently released by software developers to address flaws that hackers could exploit. Failing to update your system and software leaves your computer vulnerable to potential threats.

    To ensure that your operating system and software are up to date, it’s important to turn on automatic updates. This will ensure that your system gets updates as soon as they become available. Additionally, you can manually check for updates by accessing the settings for your software or operating system. By doing this, you can be certain that your computer is protected against potential threats.

    Tip #2: Use Antivirus and Anti-Malware Software

    Antivirus and malware removal software are essential tools for protecting your computer against malicious software such as viruses, spyware, and ransomware. These programs scan your computer on a regular basis for malware and remove it if found. By using antivirus and anti-malware software, you can safeguard your computer from malicious attacks and maintain its security.

    When it comes to antivirus and anti-malware software, it’s crucial to choose a reputable and trustworthy option that offers comprehensive protection against various types of malware. With numerous software options available on the market, selecting the right one can be overwhelming. However, by doing some research and selecting the one that meets your needs, you can ensure that your computer remains protected from potential threats.

    Tip #3: Use a Firewall

    firewall is a crucial security system that monitors and controls network traffic, both incoming and outgoing. It serves as a barrier between your computer and the internet, blocking unauthorized access. By utilizing a firewall, you can protect your computer from potential cyber attacks and enhance its security.

    Most operating systems come with a built-in firewall that you can enable by going to your system’s settings. However, you can further increase your computer’s security by installing a third-party firewall. These firewalls offer additional features and customization options that can help you tailor the protection to your needs. By using a firewall, you can safeguard your computer against potential threats and enhance its overall security.

    Tip #4: Use Strong and Unique Passwords

    Using strong and unique passwords is crucial in safeguarding your device against potential cyber attacks. Cybercriminals frequently use automated programs to guess passwords and weak passwords are easily guessed, allowing them to gain access to your computer more easily. By using strong and unique passwords, you can significantly enhance your computer’s security.

    To create a strong password, use a combination of letters, numbers, and symbols. Avoid using common phrases or words that are easily guessed. Additionally, do not use the same password for multiple accounts, as this can leave you vulnerable if one account is compromised. Consider using a password manager to generate and store strong and unique passwords for all your accounts. By taking these steps, you can ensure that your computer remains protected against potential threats.

    Tip #5: Be Wary of Phishing Scams

    Phishing scams are a type of social engineering attack that cybercriminals use to trick people into disclosing sensitive information like passwords and credit card numbers. These scams can be sent via email, text messages, or even social media. Falling prey to a phishing scam can lead to significant financial loss and compromise your personal information.

    To avoid falling victim to phishing scams, it’s important to be cautious of any suspicious emails or messages. Do not click on any unknown links or download any attachments from suspicious sources. Always check the sender’s email address to ensure that it is from a legitimate source.

    If you receive an email that appears to be from your bank or another financial institution, do not provide any sensitive information. Instead, contact the institution directly to confirm the authenticity of the email. By taking these steps, you can protect yourself from phishing scams and keep your personal information secure.

    Tip #6: Use Two-Factor Authentication

    Two-factor authentication (2FA) is a crucial security measure that adds an extra layer of protection to your online accounts. This security measure requires users to provide two forms of identification before accessing their accounts, making it more difficult for cybercriminals to access your information. Two-factor authentication can prevent unauthorized access to your accounts and protect your sensitive information from being compromised.

    Many online services, such as email and social media platforms, offer two-factor authentication as an additional security measure. To enable two-factor authentication, go to your account settings and follow the instructions provided by the service. You can usually choose between receiving a code via text message or using an authentication app. Enabling two-factor authentication can greatly improve the security of your accounts and help keep your personal information safe.

    Tip #7: Back Up Your Data Regularly

    The best practice to protect your data from cyber attacks is to regularly back it up. If your computer is infected with malware or hacked, you might lose all your data. By backing up your data regularly, you can easily restore your data in the event of a cyber attack.

    In conclusion, adhering to the tips and tools mentioned above can not only safeguard your personal or business data but also prevent potential embarrassment and costly fines.
    Use anti-virus and anti-malware software.

    The Cybersecurity Playbook for Modern Enterprises: An end-to-end guide to preventing data breaches and cyber attacks


    InfoSec Threats
     | InfoSec books | InfoSec tools | InfoSec services


    InfoSec Threats
     | InfoSec books | InfoSec tools | InfoSec services

    Tags: cyber attacks, data breaches, Malware


    Apr 09 2023

    Malware types and analysis

    Category: Information Security,MalwareDISC @ 9:48 am

    Accelerated Windows Malware Analysis with Memory Dumps: Training Course Transcript and WinDbg Practice Exercises, (Windows Internals Supplements)

    Malware analysis reports – Reports and IoCs from the NCSC malware analysis team

    InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

    Tags: Malware, Malware Analysis, windows malware


    Apr 05 2023

    HOW TO CREATE UNDETECTABLE MALWARE VIA CHATGPT IN 7 EASY STEPS BYPASSING ITS RESTRICTIONS

    Category: AI,ChatGPT,MalwareDISC @ 9:35 am

    There is evidence that ChatGPT has helped low-skill hackers generate malware, which raises worries about the technology being abused by cybercriminals. ChatGPT cannot yet replace expert threat actors, but security researchers claim there is evidence that it can assist low-skill hackers create malware.

    Since the introduction of ChatGPT in November, the OpenAI chatbot has assisted over 100 million users, or around 13 million people each day, in the process of generating text, music, poetry, tales, and plays in response to specific requests. In addition to that, it may provide answers to exam questions and even build code for software.

    It appears that malicious intent follows strong technology, particularly when such technology is accessible to the general people. There is evidence on the dark web that individuals have used ChatGPT for the development of dangerous material despite the anti-abuse constraints that were supposed to prevent illegitimate requests. This was something that experts feared would happen. Because of thisexperts from forcepoint came to the conclusion that it would be best for them not to create any code at all and instead rely on only the most cutting-edge methods, such as steganography, which were previously exclusively used by nation-state adversaries.

    The demonstration of the following two points was the overarching goal of this exercise:

    1. How simple it is to get around the inadequate barriers that ChatGPT has installed.
    2. How simple it is to create sophisticated malware without having to write any code and relying simply on ChatGPT

    Initially ChatGPT informed him that malware creation is immoral and refused to provide code.

    1. To avoid this, he generated small codes and manually assembled the executable.  The first successful task was to produce code that looked for a local PNG greater than 5MB. The design choice was that a 5MB PNG could readily hold a piece of a business-sensitive PDF or DOCX.

     2. Then asked ChatGPT to add some code that will encode the found png with steganography and would exfiltrate these files from computer, he asked ChatGPT for code that searches the User’s Documents, Desktop, and AppData directories then uploads them to google drive.

    3. Then he asked ChatGPT to combine these pices of code and modify it to to divide files into many “chunks” for quiet exfiltration using steganography.

    4. Then he submitted the MVP to VirusTotal and five vendors marked the file as malicious out of sixty nine.

    5. This next step was to ask ChatGPT to create its own LSB Steganography method in my program without using the external library. And to postpone the effective start by two minutes.https://www.securitynewspaper.com/2023/01/20/this-new-android-malware-allows-to-hack-spy-on-any-android-phone/embed/#?secret=nN5212UQrX#?secret=8AnjYiGI6e

    6. The another change he asked ChatGPT to make was to obfuscate the code which was rejected. Once ChatGPT rejected hisrequest, he tried again. By altering his request from obfuscating the code to converting all variables to random English first and last names, ChatGPT cheerfully cooperated. As an extra test, he disguised the request to obfuscate to protect the code’s intellectual property. Again, it supplied sample code that obscured variable names and recommended Go modules to construct completely obfuscated code.

    7. In next step he uploaded the file to virus total to check

    And there we have it; the Zero Day has finally arrived. They were able to construct a very sophisticated attack in a matter of hours by only following the suggestions that were provided by ChatGPT. This required no coding on our part. We would guess that it would take a team of five to ten malware developers a few weeks to do the same amount of work without the assistance of an AI-based chatbot, particularly if they wanted to avoid detection from all detection-based suppliers.

    ChatGPT for Startups

    InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

    Tags: ChatGPT malware


    Mar 28 2023

    What is Malware and how to prevent it

    Category: MalwareDISC @ 10:15 am
    How to recognize and remove malware

    What is Malware and how to prevent it

    Malware comes in many forms: the unwanted programs can surface as pathogens, spies, or remote controls in computers. Whether it’s a virus, spyware, or a Trojan horse, this harmful software should be kept well away from your computer. What are the different types of malware? We show you how to protect yourself from them and what steps to take if your computer or webspace are affected.

    1. What exactly is malware and what are the different types?
    2. Who is affected by malware and how do you recognize an attack?
    3. Preventative measures against malware
    4. Use internet applications wisely
    5. How to remove spyware, Trojans, viruses, etc.
    6. Malware on websites
    7. Never underestimate the dangers of malicious software

    Source:

    https://www.ionos.com/digitalguide/server/security/how-to-recognize-and-remove-malware/

    InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

    Tags: Malware prevention


    Feb 27 2023

    Researchers Share New Insights Into RIG Exploit Kit Malware’s Operations

    Category: MalwareDISC @ 1:09 pm
    RIG Exploit Kit

    The RIG exploit kit (EK) touched an all-time high successful exploitation rate of nearly 30% in 2022, new findings reveal.

    “RIG EK is a financially-motivated program that has been active since 2014,” Swiss cybersecurity company PRODAFT said in an exhaustive report shared with The Hacker News.

    “Although it has yet to substantially change its exploits in its more recent activity, the type and version of the malware they distribute constantly change. The frequency of updating samples ranges from weekly to daily updates.”

    Exploit kits are programs used to distribute malware to large numbers of victims by taking advantage of known security flaws in commonly-used software such as web browsers.

    The fact that RIG EK runs as a service model means threat actors can financially compensate the RIG EK administrator for installing malware of their choice on victim machines. The RIG EK operators primarily employ malvertising to ensure a high infection rate and large-scale coverage.

    As a result, visitors using a vulnerable version of a browser to access an actor-controlled web page or a compromised-but-legitimate website are redirected using malicious JavaScript code to a proxy server, which, in turn, communicates with an exploit server to deliver the appropriate browser exploit.

    The exploit server, for its part, detects the user’s browser by parsing the User-Agent string and returns the exploit that “matches the pre-defined vulnerable browser versions.”

    “The artful design of the Exploit Kit allows it to infect devices with little to no interaction from the end user,” the researchers said. “Meanwhile, its use of proxy servers makes infections harder to detect.”

    Since arriving on the scene in 2014, RIG EK has been observed delivering a wide range of financial trojans, stealers, and ransomware such as AZORultCryptoBitDridex, Raccoon Stealer, and WastedLoader. The operation was dealt a huge blow in 2017 following a coordinated action that dismantled its infrastructure.

    For more details:

    https://thehackernews.com/2023/02/researchers-share-new-insights-into-rig.html

    Tags: Exploit Kit, Malware Analysis


    Next Page »