Jul 01 2024

New Hacker Group Attacking Systems With 10 Malware At Same Time

Category: Malwaredisc7 @ 8:03 am

A malware campaign of huge magnitude, and perhaps run by just one group, is using artificially nested files for distribution named ‘WEXTRACT.EXE            .MUI’.

More than 50,000 files worldwide featuring this method are delivered by different stealers and loaders such as Redline, RisePro, and Amadey.

Several samples are associated with an Eastern European cybercriminal-linked Autonomous System.

Cybersecurity researchers at OutPost24 recently detected that a new hacker group has been attacking the system with 1o malware at the same time.

10 Malware At Same Time

The “WEXTRACT.EXE            .MUI” malware distribution system is one that makes use of nested cabinet files to distribute a number of malware samples such as stealers and loaders.

This method’s complex execution sequence drops and runs malware in reverse order, which may result in bypassing security measures.

The technique could cause multiple infections as the loaders may download more malware.

From February 2023 through the start of 2024, a massive malware distribution campaign nested multiple malware families, such as Redline, Mystic Stealer, RisePro, Amadey, and SmokeLoader.

The campaign developed over time, incorporating obfuscation tools and different distribution methods.

An examination of over two thousand one hundred examples showed some malware combinations in which victims might be infected by several stealers and loaders simultaneously.

This suggests that there was a single actor behind the infrastructure and tactics for this campaign.

Distribution steps of one sample of WEXTRACT (Source – OutPost24)

It is likely that the campaign to distribute malware called “Unfurling Hemlock” buys distribution services from other actors.

Its earliest phases were in email attachments and downloads from hacked or hoax websites.

The infrastructure, mostly based on AS 203727, uses both exclusive and shared IPs for distributing WEXTRACT and other malware.

This indicates one actor or entity that is responsible for the campaign but delegates some of its distribution aspects to others.

The malware campaign uses different C2 URLs and IP addresses, some of which are specific to the WEXTRACT-related malware and others that are common to other campaigns.

The diversity in infrastructure supports the insight that this actor could be supplying samples from other campaigns, possibly encouraged by financial interest.

While the upload locations may not indicate the actual infection sites, the infection sources cut across several countries.

Here below we have mentioned the countries:-

Origin of the samples (Source – OutPost24)

Unlike the usual trend, this huge malware attack mainly targets Western institutions, including Russia.

This operation launched different types of malware simultaneously to increase the possibilities of infection and diversify potential paybacks.

Though not highly developed, this “cluster bomb” method may be adopted by threat actors in the future.

Researchers recommended using the latest anti-malware tools, performing analysis of packed files, and user alertness to be cautious about suspicious downloads and emails.

Evasive Malware: Understanding Deceptive and Self-Defending Threats

CrowdStrike Falcon Go | Premier Antivirus Protection for Small Businesses 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Cluster bomb


Jun 30 2024

Fake IT support sites push malicious PowerShell scripts as Windows fixes

Category: Malware,PowerShell Securitydisc7 @ 9:51 am

Fake IT support sites promote malicious PowerShell “fixes” for common Windows errors, like the 0x80070643 error, to infect devices with information-stealing malware.

First discovered by eSentire’s Threat Response Unit (TRU), the fake support sites are promoted through YouTube channels that have been compromised and hijacked to add legitimacy to the content creator.

In particular, the threat actors are creating fake videos promoting a fix for the 0x80070643 error that millions of Windows users have been dealing with since January.

“There were some problems installing updates, but we’ll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x80070643),” reads the Windows Update error.

0x80070643 in Windows Update
Source: BleepingComputer

It turns out that Windows Update is displaying an incorrect error message, as it was supposed to display a CBS_E_INSUFFICIENT_DISK_SPACE error on systems with a Windows Recovery Environment (WinRE) partition that’s too small for the update to install.

Microsoft explained that the new security update requires that the WinRE partition have 250 megabytes of free space, and if it doesn’t, you must manually expand the partition yourself.

However, expanding the WinRE partition is complicated, if not impossible, for those whose WinRE is not the last partition on the drive.

Due to this, many are unable to install the security update and are left with the 0x80070643 error message every time they use Windows Update.

These errors have caused many frustrated Windows users to seek a solution online, allowing threat actors to capitalize on their search for a fix.

Fake IT sites promote PowerShell fixes

According to eSentire, threat actors are creating numerous fake IT support sites that are specifically designed to help users with common Windows errors, heavily focusing on the 0x80070643 error.

“In June 2024, eSentire’s Threat Response Unit (TRU) observed an intriguing case involving a Vidar Stealer infection initiated through a fake IT support website (Figure 1),” explains the eSentire report.

“The infection began when the victim performed a web search for solutions to a Windows Update Error code.”

The researchers found two fake IT support sites promoted on YouTube named pchelprwizzards[.]com and pchelprwizardsguide[.]com. While writing this article, BleepingComputer found additional sites at pchelprwizardpro[.]com, pchelperwizard[.]com, and fixedguides[.]com.

Like the other videos eSentire found for the PCHelperWizard typo sites, BleepingComputer also found YouTube videos for the FixedGuides site, also promoting fixes for the 0x80070643 errors.

These sites all offer fixes that either require you to copy and run a PowerShell script or import the contents of a Windows Registry file.

Regardless of which “solution” is used, a PowerShell script will be executed that downloads malware on the device.

eSentire’s report outlines how the PCHelperWizard sites (not to be confused with the legitimate course site) will walk users through copying a PowerShell script into the Windows Clipboard and execute it in a PowerShell prompt.

Malicious PowerShell script disguised as a Windows error fix
Source: BleepingComputer

This PowerShell script contains a Base64 encoded script that will connect to a remote server to download another PowerShell script, which installs the Vidar information-stealing malware on the device.

When the script is finished, it will display a message that the fix was successful and to restart the computer, which will also launch the malware.

The FixedGuides site does it a bit differently, using an obfuscated Windows Registry file to hide autostarts that launch a malicious PowerShell script.

However, when I extracted the strings from the above file, you can see that it contains a valid Registry file that adds a Windows autostart (RunOnce) entry that runs a PowerShell script. This script ultimately downloads and installs information-stealing malware on the computer.

Using either fake fix will result in the information-stealing malware launching after Windows is restarted. Once started, the malware will extract saved credentials, credit cards, cookies, and browsing history from your browser.

Vidar can also steal cryptocurrency wallets, text files, and Authy 2FA authenticator databases, as well as take screenshots of your desktop.

This data is compiled into an archive called a “log,” which is then uploaded to the attacker’s servers. The stolen data is then used to fuel other attacks, such as ransomware attacks, or sold to other threat actors on dark web marketplaces.

However, the infected user is now left with a nightmare, having all their accounts compromised and potentially suffering financial fraud.

While Windows errors can be annoying, it is crucial to download software and fixes only from trusted websites, not from random videos and websites with little or no reputation.

Your credentials have become a valuable commodity and threat actors are coming up with sneaky and creative methods to steal them, so unfortunately, everyone needs to stay vigilant against unusual attack methods.

As for the 0x80070643 errors, if you are unable to resize the WinRE partition, your best bet is to use Microsoft’s Show or Hide Tool to hide the KB5034441 update so that Windows Update no longer offers it on your system and not search on the Internet for a magic fix.

https://www.bleepingcomputer.com/news/security/fake-it-support-sites-push-malicious-powershell-scripts-as-windows-fixes/

CrowdStrike Falcon Go | Premier Antivirus Protection for Small Businesses

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Fake IT support sites


May 31 2024

Hackers Weaponizing MS Office-Cracked Versions to Deliver Malware

Category: Cyberweapon,Malwaredisc7 @ 9:36 am

Attackers in South Korea are distributing malware disguised as cracked software, including RATs and crypto miners, and registering themselves with the Task Scheduler to ensure persistence. 

Even after removing the initial malware, the Task Scheduler triggers PowerShell commands to download and install new variants, which persists because the PowerShell commands keep changing, leaving unpatched systems vulnerable to information theft, proxy abuse, and cryptocurrency mining.  

Attack flow
Attack flow

Malicious actors are leveraging file-sharing platforms to distribute malware disguised as cracked MS Office, which retrieves the download URL and target platform during infection, potentially enabling them to tailor attacks and evade detection.  

Cybercriminals are distributing malware disguised as cracked software. The malware, developed in.NET, uses obfuscation to hide its malicious code, and initially, it accessed Telegram to retrieve a download URL. 

Newer versions contain two Telegram URLs and a Mastodon URL, each with a string linked to a Google Drive or GitHub URL.

The threat actor hides malicious PowerShell commands within these cloud storage locations, using Base64 encoding for further obfuscation, and once executed, these commands install additional malware strains. 

Commands encrypted in Base64
Commands encrypted in Base64

The updater malware, “software_reporter_tool.exe,”  leverages a PowerShell script to download and maintain persistence, which creates a malicious executable at “C:\ProgramData\KB5026372.exe” and uses a compromised 7zip installation (“C:\ProgramData\Google\7z.exe”) to decompress a password-protected archive from GitHub or Google Drive (password: “x”) by mirroring tactics from a previous campaign. 

Malware installation using 7z and PowerShell
Malware installation using 7z and PowerShell

Additionally, the updater registers itself with the Task Scheduler to ensure continuous operation after a reboot, and the scheduled task triggers the PowerShell script for further updates and potential malware installation. 

The attackers deployed Orcus RAT and XMRig on the compromised system.

Orcus RAT can steal information through keylogging, webcam, and screenshot capture, while XMRig mines cryptocurrency. 

 3Proxy’s configuration file
 3Proxy’s configuration file

XMRig is configured to stop mining when resource-intensive programs are running and to terminate processes competing for resources, such as security software installers, while 3Proxy is used to turn the infected machine into a proxy server by adding a firewall rule and injecting itself into a legitimate process. 

 A Korean security program unable to operate properly due to the AntiAV malware
 A Korean security program unable to operate properly due to the AntiAV malware

According to ASEC, PureCrypter downloads and executes further payloads, and AntiAV malware disrupts security products by modifying their configuration files.  

Attackers are distributing malware disguised as popular Korean software (Windows, MS Office, Hangul) through file-sharing sites, and the malware bypasses file detection with frequent updates and utilizes the Task Scheduler for persistence, leading to repeated infections upon removal. 

Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Weaponizing MS Office


Apr 24 2024

HACKERS HIJACKED THE ESCAN ANTIVIRUS UPDATE MECHANISM IN MALWARE CAMPAIGN

Category: Antivirus,Hacking,Malwaredisc7 @ 9:04 am

A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute backdoors and cryptocurrency miners.

Avast researchers discovered and analyzed a malware campaign that exploited the update mechanism of the eScan antivirus to distribute backdoors and crypto miners.

Threat actors employed two different types of backdoors and targeted large corporate networks

The researchers believe the campaign could be attributed to North Korea-linked AP Kimsuky. The final payload distributed by GuptiMiner was also XMRig.

“GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker’s DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others.” reads the analysis published by Avast. “The main objective of GuptiMiner is to distribute backdoors within big corporate networks.”

The threat actors behind this campaign exploited a vulnerability in the update mechanism of the Indian antivirus provider eScan that allowed them to carry out a man-in-the-middle attack to distribute the malware. Avast already reported the issue to eScan and the India CERT. eScan acknowledged the flaw and addressed it on July 31, 2023. The issue in the update mechanism was present for at least five years.

The infection process begins when eScan requests an update from the update server. However, the attackers carry out a MitM attack and replace the legitimate update package with a malicious one. Subsequently, eScan unpacks and installs the package, which results in the sideloading of a DLL by eScan’s clean binaries. This DLL facilitates the continuation of the process, leading to the execution of multiple shellcodes and intermediary PE loaders.

eScan antivirus

The researchers noticed that the downloaded package file is replaced with a malware-laced one on the wire because the process doesn’t use an HTTPS connection. 

Below the infection chain described by Avast:

  1. The eScan updater triggers the update 
  2. The downloaded package file is replaced with a malicious one on the wire because of a missing HTTPS encryption (MitM is performed) 
  3. A malicious package updll62.dlz is downloaded and unpacked by eScan updater 
  4. The contents of the package contain a malicious DLL (usually called version.dll) that is sideloaded by eScan. Because of the sideloading, the DLL runs with the same privileges as the source process – eScan – and it is loaded next time eScan runs, usually after a system restart 
  5. If a mutex is not present in the system (depends on the version, e.g. Mutex_ONLY_ME_V1), the malware searches for services.exe process and injects its next stage into the first one it can find 
  6. Cleanup is performed, removing the update package 

GuptiMiner operates its own DNS servers to provide legitimate destination domain addresses of C2 servers through DNS TXT responses.

GuptiMiner connects directly to malicious DNS servers, bypassing the DNS network entirely. This use of the DNS protocol resembles telnet and is not considered DNS spoofing, which typically occurs within the DNS network. Although the servers requested by GuptiMiner exist, it’s likely an evasion tactic.

In the second-stage the shellcode from the PNG file extracts and executes the Gzip loader. This loader is a simple PE that decompresses another shellcode using Gzip and executes it in a separate thread that kiads the Stage 3 malware Puppeteer.

Puppeteer orchestrates the core functionality of the malware, including the cryptocurrency mining as well as the backdoor deployment.

Surprisingly, the ultimate payload disseminated by GuptiMiner can be also XMRig, which was somewhat unexpected given the level of sophistication of this campaign.

The researchers speculate that using the miner could be a diversionary tactic.

“During our research, we’ve also found an information stealer which holds a rather similar PDB path as was used across the whole GuptiMiner campaign.” concludes the report. “What is truly interesting, however, is that this information stealer might come from Kimsuky operations.”

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: ESCAN ANTIVIRUS


Apr 05 2024

Hackers Hijack Facebook Pages To Mimic AI Brands & Inject Malware

Category: AI,Hacking,Malwaredisc7 @ 8:08 am

Hackers have been found hijacking Facebook pages to impersonate popular AI brands, thereby injecting malware into the devices of unsuspecting users.

This revelation comes from a detailed investigation by Bitdefender Labs, which has been closely monitoring these malicious campaigns since June 2023.

Recent analyses of malvertising campaigns have revealed a disturbing trend.

Ads are distributing an assortment of malicious software, which poses severe risks to consumers’ devices, data, and identity.

Unwitting interactions with these malware-serving ads could lead to downloading and deploying harmful files, including Rilide Stealer, Vidar Stealer, IceRAT, and Nova Stealer, onto users’ devices.

Rilide Stealer V4: A Closer Look

Bitdefender Labs has spotlighted an updated version of the Rilide Stealer (V4) lurking within sponsored ad campaigns that impersonate popular AI-based software and photo editors such as Sora, CapCut, Gemini AI, Photo Effects Pro, and CapCut Pro.

This malicious extension, targeting Chromium-based browsers, is designed to monitor browsing history, capture login credentials, and even facilitate the withdrawal of crypto funds by bypassing two-factor authentication through script injections.

Sora Ad campaign
Gemini Ad Campaign

Key Updates in Rilide V4:

  • Targeting of Facebook cookies
  • Masquerading as a Google Translate Extension
  • Enhanced obfuscation techniques to conceal the software’s true intent

Indicators Of Compromise

Malicious hashes

  • 2d6829e8a2f48fff5348244ce0eaa35bcd4b26eac0f36063b9ff888e664310db – OpenAI Sora official version setup.msi – Sora
  • a7c07d2c8893c30d766f383be0dd78bc6a5fd578efaea4afc3229cd0610ab0cf – OpenAI Sora Setup.zip – Sora
  • e394f4192c2a3e01e6c1165ed1a483603b411fd12d417bfb0dc72bd6e18e9e9d – Setup.msi – Sora
  • 021657f82c94511e97771739e550d63600c4d76cef79a686aa44cdca668814e0 – Setup.msi – Sora
  • 92751fd15f4d0b495e2b83d14461d22d6b74beaf51d73d9ae2b86e2232894d7b – Setup.msi – Sora
  • 32a097b510ae830626209206c815bbbed1c36c0d2df7a9d8252909c604a9c1f1 – Setup.msi – Sora
  • c665ff2206c9d4e50861f493f8e7beca8353b37671d633fe4b6e084c62e58ed9 – Setup.msi – Sora
  • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – Capcut Pro For PC.setup.msi – Capcut
  • 757855fcd47f843739b9a330f1ecb28d339be41eed4ae25220dc888e57f2ec51 – OpenAI ChatGPT-4.5 Version Free.msi – ChatGPT
  • 3686204361bf6bf8db68fd81e08c91abcbf215844f0119a458c319e92a396ecf – Google Gemini AI Ultra Version Updata.msi – Gemini AI
  • d60ea266c4e0f0e8d56d98472a91dd5c37e8eeeca13bf53e0381f0affc68e78a – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
  • bb7c3b78f2784a7ac3c090331326279476c748087188aeb69f431bbd70ac6407 – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
  • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – AISora.setup.msi – Sora

Vidar Stealer: Evolving Threats

Vidar Stealer, another prolific info stealer, is marketed through the same MaaS model via dark web ads, forums, and Telegram groups.

Capable of exfiltrating personal information and crypto from compromised devices, Vidar’s distribution has evolved from spam campaigns and cracked software to malicious Google Search ads and social media platforms, mainly through sponsored ads on Meta’s platform.

Indicators Of Compromise

Malicious hashes

  • 6396ac7b1524bb9759f434fe956a15f5364284a04acd5fc0ef4b625de35d766b- g2m.dll – MidJourney
  • 76ed62a335ac225a2b7e6dade4235a83668630a9c1e727cf4ddb0167ab2202f6- Midjourney.7z – MidJourney

IceRAT: More Than Just A Trojan

Despite its name, IceRAT functions more as a backdoor on compromised devices. It acts as a gateway for secondary infections, such as crypto miners and information stealers that target login credentials and other sensitive data.

Indicators Of Compromise

Malicious hashes

  • aab585b75e868fb542e6dfcd643f97d1c5ee410ca5c4c5ffe1112b49c4851f47- Midjourneyv6.exe – MidJourney
  • b5f740c0c1ac60fa008a1a7bd6ea77e0fc1d5aa55e6856d8edcb71487368c37c- Midjourneyv6ai.exe – MidJourney
  • cc15e96ec1e27c01bd81d2347f4ded173dfc93df673c4300faac5a932180caeb- Mid_Setup.exe – MidJourney
  • d2f12dec801000fbd5ccc8c0e8ed4cf8cc27a37e1dca9e25afc0bcb2287fbb9a- Midjourney_v6.exe – MidJourney
  • f2fc27b96a4a487f39afad47c17d948282145894652485f9b6483bec64932614-Midjourneyv6.1_ins.exe – MidJourney
  • f99aa62ee34877b1cd02cfd7e8406b664ae30c5843f49c7e89d2a4db56262c2e – Midjourneys_Setup.exe – MidJourney
  • 54a992a4c1c25a923463865c43ecafe0466da5c1735096ba0c3c3996da25ffb7 – Mid_Setup.exe – MidJourney
  • 4a71a8c0488687e0bb60a2d0199b34362021adc300541dd106486e326d1ea09b- Mid_Setup.exe – MidJourney

Nova Stealer: The New Kid On The Block

Nova Stealer emerges as a highly proficient info stealer with capabilities including password exfiltration, screen recordings, discord injections, and crypto wallet hijacking.

Nova Stealer, offered as MaaS by the threat actor known as Sordeal, represents a significant threat to digital security.

Indicators Of Compromise

Malicious hashes

  • fb3fbee5372e5050c17f72dbe0eb7b3afd3a57bd034b6c2ac931ad93b695d2d9- Instructions_for_using_today_s_AI.pdf.rar – AI and Life
  • 6a36f1f1821de7f80cc9f8da66e6ce5916ac1c2607df3402b8dd56da8ebcc5e2- Instructions_for_using_today_s_AI.xlsx_rar.rar – AI and Life
  • fe7e6b41766d91fbc23d31573c75989a2b0f0111c351bed9e2096cc6d747794b- Instructions for using today’s AI.pdf.exe – AI and Life
  • ce0e41e907cab657cc7ad460a5f459c27973e9346b5adc8e64272f47026d333d- Instructions for using today’s AI.xlsx.exe – AI and Life
  • a214bc2025584af8c38df36b08eb964e561a016722cd383f8877b684bff9e83d- 20 digital marketing tips for 2024.xlsx.exe – Google Digital Marketing
  • 53714612af006b06ca51cc47abf0522f7762ecb1300e5538485662b1c64d6f55 – Premium advertising course registration form from Oxford.exe – Google Digital Marketing
  • 728953a3ebb0c25bcde85fd1a83903c7b4b814f91b39d181f0fc610b243c98d4- New Microsoft Excel Worksheet.exe – Google Digital Marketing

The Midjourney Saga: AI’s Dark Side

The addition of AI tools on the internet, from free offerings and trials to subscription-based services, has not gone unnoticed by cybercriminals.

Midjourney, a leading generative AI tool with a user base exceeding 16 million as of November 2023, has become a favored tool among cyber gangs over the past year, highlighting the intersection of cutting-edge technology and cybercrime.

Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.
Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.

Indicators Of Compromise

  • 159.89.120.191
  • 159.89.98.241

As the digital landscape continues to evolve, so does the nature of the threats it maintains.

The rise of Malware-as-a-Service represents a significant shift in the cyber threat paradigm that requires vigilant and proactive measures to combat.

Key Updates in Rilide V4:

  • Targeting of Facebook cookies
  • Masquerading as a Google Translate Extension
  • Enhanced obfuscation techniques to conceal the software’s true intent

Indicators Of Compromise

Malicious hashes

  • 2d6829e8a2f48fff5348244ce0eaa35bcd4b26eac0f36063b9ff888e664310db – OpenAI Sora official version setup.msi – Sora
  • a7c07d2c8893c30d766f383be0dd78bc6a5fd578efaea4afc3229cd0610ab0cf – OpenAI Sora Setup.zip – Sora
  • e394f4192c2a3e01e6c1165ed1a483603b411fd12d417bfb0dc72bd6e18e9e9d – Setup.msi – Sora
  • 021657f82c94511e97771739e550d63600c4d76cef79a686aa44cdca668814e0 – Setup.msi – Sora
  • 92751fd15f4d0b495e2b83d14461d22d6b74beaf51d73d9ae2b86e2232894d7b – Setup.msi – Sora
  • 32a097b510ae830626209206c815bbbed1c36c0d2df7a9d8252909c604a9c1f1 – Setup.msi – Sora
  • c665ff2206c9d4e50861f493f8e7beca8353b37671d633fe4b6e084c62e58ed9 – Setup.msi – Sora
  • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – Capcut Pro For PC.setup.msi – Capcut
  • 757855fcd47f843739b9a330f1ecb28d339be41eed4ae25220dc888e57f2ec51 – OpenAI ChatGPT-4.5 Version Free.msi – ChatGPT
  • 3686204361bf6bf8db68fd81e08c91abcbf215844f0119a458c319e92a396ecf – Google Gemini AI Ultra Version Updata.msi – Gemini AI
  • d60ea266c4e0f0e8d56d98472a91dd5c37e8eeeca13bf53e0381f0affc68e78a – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
  • bb7c3b78f2784a7ac3c090331326279476c748087188aeb69f431bbd70ac6407 – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
  • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – AISora.setup.msi – Sora

Vidar Stealer: Evolving Threats

Vidar Stealer, another prolific info stealer, is marketed through the same MaaS model via dark web ads, forums, and Telegram groups.

Capable of exfiltrating personal information and crypto from compromised devices, Vidar’s distribution has evolved from spam campaigns and cracked software to malicious Google Search ads and social media platforms, mainly through sponsored ads on Meta’s platform.

Indicators Of Compromise

Malicious hashes

  • 6396ac7b1524bb9759f434fe956a15f5364284a04acd5fc0ef4b625de35d766b- g2m.dll – MidJourney
  • 76ed62a335ac225a2b7e6dade4235a83668630a9c1e727cf4ddb0167ab2202f6- Midjourney.7z – MidJourney

IceRAT: More Than Just A Trojan

Despite its name, IceRAT functions more as a backdoor on compromised devices. It acts as a gateway for secondary infections, such as crypto miners and information stealers that target login credentials and other sensitive data.

Indicators Of Compromise

Malicious hashes

  • aab585b75e868fb542e6dfcd643f97d1c5ee410ca5c4c5ffe1112b49c4851f47- Midjourneyv6.exe – MidJourney
  • b5f740c0c1ac60fa008a1a7bd6ea77e0fc1d5aa55e6856d8edcb71487368c37c- Midjourneyv6ai.exe – MidJourney
  • cc15e96ec1e27c01bd81d2347f4ded173dfc93df673c4300faac5a932180caeb- Mid_Setup.exe – MidJourney
  • d2f12dec801000fbd5ccc8c0e8ed4cf8cc27a37e1dca9e25afc0bcb2287fbb9a- Midjourney_v6.exe – MidJourney
  • f2fc27b96a4a487f39afad47c17d948282145894652485f9b6483bec64932614-Midjourneyv6.1_ins.exe – MidJourney
  • f99aa62ee34877b1cd02cfd7e8406b664ae30c5843f49c7e89d2a4db56262c2e – Midjourneys_Setup.exe – MidJourney
  • 54a992a4c1c25a923463865c43ecafe0466da5c1735096ba0c3c3996da25ffb7 – Mid_Setup.exe – MidJourney
  • 4a71a8c0488687e0bb60a2d0199b34362021adc300541dd106486e326d1ea09b- Mid_Setup.exe – MidJourney

Nova Stealer: The New Kid On The Block

Nova Stealer emerges as a highly proficient info stealer with capabilities including password exfiltration, screen recordings, discord injections, and crypto wallet hijacking.

Nova Stealer, offered as MaaS by the threat actor known as Sordeal, represents a significant threat to digital security.

Indicators Of Compromise

Malicious hashes

  • fb3fbee5372e5050c17f72dbe0eb7b3afd3a57bd034b6c2ac931ad93b695d2d9- Instructions_for_using_today_s_AI.pdf.rar – AI and Life
  • 6a36f1f1821de7f80cc9f8da66e6ce5916ac1c2607df3402b8dd56da8ebcc5e2- Instructions_for_using_today_s_AI.xlsx_rar.rar – AI and Life
  • fe7e6b41766d91fbc23d31573c75989a2b0f0111c351bed9e2096cc6d747794b- Instructions for using today’s AI.pdf.exe – AI and Life
  • ce0e41e907cab657cc7ad460a5f459c27973e9346b5adc8e64272f47026d333d- Instructions for using today’s AI.xlsx.exe – AI and Life
  • a214bc2025584af8c38df36b08eb964e561a016722cd383f8877b684bff9e83d- 20 digital marketing tips for 2024.xlsx.exe – Google Digital Marketing
  • 53714612af006b06ca51cc47abf0522f7762ecb1300e5538485662b1c64d6f55 – Premium advertising course registration form from Oxford.exe – Google Digital Marketing
  • 728953a3ebb0c25bcde85fd1a83903c7b4b814f91b39d181f0fc610b243c98d4- New Microsoft Excel Worksheet.exe – Google Digital Marketing

The Midjourney Saga: AI’s Dark Side

The addition of AI tools on the internet, from free offerings and trials to subscription-based services, has not gone unnoticed by cybercriminals.

Midjourney, a leading generative AI tool with a user base exceeding 16 million as of November 2023, has become a favored tool among cyber gangs over the past year, highlighting the intersection of cutting-edge technology and cybercrime.

Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.
Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.

Indicators Of Compromise

  • 159.89.120.191
  • 159.89.98.241

As the digital landscape continues to evolve, so does the nature of the threats it maintains.

The rise of Malware-as-a-Service represents a significant shift in the cyber threat paradigm that requires vigilant and proactive measures to combat.

The Complete Guide to Software as a Service: Everything you need to know about SaaS

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Hijack Facebook Pages


Mar 18 2024

Hackers Trick Users To Install Malware Via Weaponized PDF

Category: Malwaredisc7 @ 7:19 am

In a sophisticated cyberattack campaign, malicious actors impersonating Colombian government agencies target individuals across Latin America.

The attackers are distributing emails containing PDF attachments, falsely accusing recipients of traffic violations or other legal infractions.

These deceptive communications are designed to coerce victims into downloading an archive that harbors a VBS script, initiating a multi-stage infection process.

Upon execution, the obfuscated VBS script triggers a PowerShell script, retrieving the final malware payload from legitimate online storage services through a two-step request process.

Infection Process

According to the ANY.RUN report was shared with GBHackers on Security; initially, the script acquires the payload’s address from resources such as textbin.net. It then proceeds to download and execute the payload from the provided address, which could be hosted on various platforms including cdn.discordapp(.)com, pasteio(.)com, hidrive.ionos.com, and wtools.io.

The attackers’ execution chain follows a sequence from PDF to ZIP, then to VBS and PowerShell, and finally to the executable file (EXE).

The culminating payload is identified as one of several known remote access trojans (RATs), specifically AsyncRATnjRAT, or Remcos.

These malicious programs are notorious for their ability to provide unauthorized remote access to the infected systems, posing significant risks to the victims’ privacy and data security.

Here are some notable samples of this campaign: 1234.

sample1

This campaign has been meticulously documented, with over 50 operation samples being analyzed.

Cybersecurity professionals and researchers are encouraged to consult the TI Lookup tool for detailed information on these samples, aiding in identifying and mitigating threats related to this campaign.

The Cyberspace Battlefield: A Contemporary Look at Weaponized Cyber Warfare

The technique demonstrated by the attackers in this campaign is not exclusive to Latin American targets and may be adapted for use against various targets in other regions.

The cybersecurity community is urged to remain vigilant and employ robust security measures to protect against such sophisticated threats.

Cybersecurity Threats, Malware Trends, and Strategies – Second Edition: Discover risk mitigation strategies for modern threats to your organization 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Weaponized PDF


Mar 13 2024

Keyloggers, spyware, and stealers dominate SMB malware detections

Category: Cybercrime,Malware,Spywaredisc7 @ 10:56 am

In 2023, 50% of malware detections for SMBs were keyloggers, spyware and stealers, malware that attackers use to steal data and credentials, according to Sophos.

SMBs ransomware cyberthreat

Attackers subsequently use this stolen information to gain unauthorized remote access, extort victims, deploy ransomware, and more.

Ransomware remains primary cyberthreat for SMBs

The Sophos report also analyses initial access brokers (IABs)—criminals who specialize in breaking into computer networks. As seen in the report, IABs are using the dark web to advertise their ability and services to break specifically into SMB networks or sell ready-to-go-access to SMBs they’ve already cracked.

“The value of ‘data,’ as currency has increased exponentially among cybercriminals, and this is particularly true for SMBs, which tend to use one service or software application, per function, for their entire operation. For example, let’s say attackers deploy an infostealer on their target’s network to steal credentials and then get hold of the password for the company’s accounting software. Attackers could then gain access to the targeted company’s financials and have the ability to funnel funds into their own accounts,” said Christopher Budd, director of Sophos X-Ops research at Sophos.

“There’s a reason that more than 90% of all cyberattacks reported to Sophos in 2023 involved data or credential theft, whether through ransomware attacks, data extortion, unauthorized remote access, or simply data theft,” added Budd.

While the number of ransomware attacks against SMBs has stabilized, it continues to be the biggest cyberthreat to SMBs. Out of the SMB cases handled by Sophos Incident Response (IR), which helps organizations under active attack, LockBit was the top ransomware gang wreaking havoc. Akira and BlackCat were second and third, respectively. SMBs studied in the report also faced attacks by lingering older and lesser-known ransomware, such as BitLocker and Crytox.

BEC attacks grow in sophistication

Ransomware operators continue to change ransomware tactics, according to the report. This includes leveraging remote encryption and targeting managed service providers (MSPs). Between 2022 and 2023, the number of ransomware attacks that involved remote encryption—when attackers use an unmanaged device on organizations’ networks to encrypt files on other systems in the network—increased by 62%.

In addition, this past year, Sophos’s Managed Detection and Response (MDR) team responded to five cases involving small businesses that were attacked through an exploit in their MSPs’ remote monitoring and management (RMM) software.

Following ransomware, business email compromise (BEC) attacks were the second highest type of attacks that Sophos IR handled in 2023, according to the report.

These BEC attacks and other social engineering campaigns contain an increasing level of sophistication. Rather than simply sending an email with a malicious attachment, attackers are now more likely to engage with their targets by sending a series of conversational emails back and forth or even calling them.

In an attempt to evade detection by traditional spam prevention tools, attackers are now experimenting with new formats for their malicious content, embedding images that contain the malicious code or sending malicious attachments in OneNote or archive formats. In one case Sophos investigated, the attackers sent a PDF document with a blurry, unreadable thumbnail of an “invoice.” The download button contained a link to a malicious website.

Mastering Cyber Security Defense to Shield Against Identity Theft, Data breaches, Hackers, and more in the Modern Age

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: keylogger, Malware, SMB


Feb 09 2024

HijackLoader Expands Techniques to Improve Defense Evasion

Category: Malwaredisc7 @ 10:39 am
https://www.crowdstrike.com/blog/hijackloader-expands-techniques/
  • HijackLoader continues to become increasingly popular among adversaries for deploying additional payloads and tooling
  • A recent HijackLoader variant employs sophisticated techniques to enhance its complexity and defense evasion
  • CrowdStrike detects this new HijackLoader variant using machine learning and behavior-based detection capabilities 

CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities. 

In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach has the potential to make defense evasion stealthier. 

The second technique variation involved an uncommon combination of process doppelgänging and process hollowing techniques. This variation increases the complexity of analysis and the defense evasion capabilities of HijackLoader. Researchers also observed additional unhooking techniques used to hide malicious activity.

This blog focuses on the various evasion techniques employed by HijackLoader at multiple stages of the malware.

HijackLoader Analysis

Tags: HijackLoader


Jan 18 2024

HOW TO EXPLOIT WINDOWS DEFENDER ANTIVIRUS TO INFECT A DEVICE WITH MALWARE

Category: Antivirus,Malwaredisc7 @ 8:10 am

Trend Micro’s recent threat hunting efforts have uncovered active exploitation of CVE-2023-36025, a vulnerability in Microsoft Windows Defender SmartScreen, by a new strain of malware known as Phemedrone Stealer. This malware targets web browsers, cryptocurrency wallets, and messaging apps like Telegram, Steam, and Discord, stealing data and sending it to attackers via Telegram or command-and-control servers. Phemedrone Stealer, an open-source stealer written in C#, is actively maintained on GitHub and Telegram.

CVE-2023-36025 arises from insufficient checks on Internet Shortcut (.url) files, allowing attackers to bypass Windows Defender SmartScreen warnings by using crafted .url files that download and execute malicious scripts . Microsoft patched this vulnerability on November 14, 2023, but its exploitation in the wild led to its inclusion in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities list. Various malware campaigns, including those distributing Phemedrone Stealer, have since incorporated this vulnerability.

INITIAL ACCESS VIA CLOUD-HOSTED MALICIOUS URLS

As per the report, this involves leveraging cloud-hosted URLs that are malicious in nature. The article provides insights into how these URLs are used to initiate the attack, highlighting the strategies employed for distributing the malware and penetrating target systems. Attackers host malicious Internet Shortcut files on platforms like Discord or cloud services, often disguised using URL shorteners. Unsuspecting users who open these files trigger the exploitation of CVE-2023-36025.

DEFENSE EVASION TACTICS

The malicious .url file downloads and executes a control panel item (.cpl) file from an attacker-controlled server. This bypasses the usual security prompt from Windows Defender SmartScreen. The malware employs MITRE ATT&CK technique T1218.002, using the Windows Control Panel process binary to execute .cpl files, which are essentially DLL files.

  1. Initial Infection via Malicious .url File (CVE-2023-36025): The attack begins when a user executes a malicious Internet Shortcut (.url) file. This file is designed to bypass Microsoft Windows Defender SmartScreen warnings, typically triggered for files from untrusted sources. The evasion is likely achieved by manipulating the file’s structure or content, making it appear benign.
  2. Execution of a Control Panel Item (.cpl) File: Once executed, the .url file connects to an attacker-controlled server to download a .cpl file. In Windows, .cpl files are used to execute Control Panel items and are essentially Dynamic Link Libraries (DLLs). This step involves the MITRE ATT&CK technique T1218.002, which exploits the Windows Control Panel process binary (control.exe) to execute .cpl files.
  3. Use of rundll32.exe for DLL Execution: The .cpl file, when executed through control.exe, then calls rundll32.exe, a legitimate Windows utility used to run functions stored in DLL files. This step is critical as it uses a trusted Windows process to execute the malicious DLL, further evading detection.
  4. PowerShell Utilization for Payload Download and Execution: The malicious DLL acts as a loader to call Windows PowerShell, a task automation framework. PowerShell is then used to download and execute the next stage of the attack from GitHub.
  5. Execution of DATA3.txt PowerShell Loader: The file DATA3.txt, hosted on GitHub, is an obfuscated PowerShell script designed to be difficult to analyze statically (i.e., without executing it). It uses string and digit manipulation to mask its true intent.
  6. Deobfuscation and Execution of the GitHub-Hosted Loader: Through a combination of static and dynamic analysis, the obfuscated PowerShell commands within DATA3.txt can be deobfuscated. This script is responsible for downloading a ZIP file from the same GitHub repository.
  7. Contents of the Downloaded ZIP File:
    • WerFaultSecure.exe: A legitimate Windows Fault Reporting binary.
    • Wer.dll: A malicious binary that is sideloaded (executed in the context of a legitimate process) when WerFaultSecure.exe is run.
    • Secure.pdf: An RC4-encrypted second-stage loader, presumably containing further malicious code.

This attack is sophisticated, using multiple layers of evasion and leveraging legitimate Windows processes and binaries to conceal malicious activities. The use of GitHub as a hosting platform for malicious payloads is also noteworthy, as it can lend an appearance of legitimacy and may bypass some network-based security controls.

PERSISTENCE AND DLL SIDELOADING

The malware achieves persistence by creating scheduled tasks and uses DLL sideloading techniques. The malicious DLL, crucial for the loader’s functionality, decrypts and runs the second stage loader. It uses dynamic API resolving and XOR-based algorithms for string decryption, complicating reverse engineering efforts.

  1. Malicious DLL (wer.dll) Functionality: It decrypts and runs a second-stage loader. To avoid detection and hinder reverse engineering, it employs API hashing, string encryption, and is protected by VMProtect.
  2. DLL Sideloading Technique: The malware deceives the system into loading the malicious wer.dll by placing it in the application directory, a method that exploits the trust Windows has in its own directories.
  3. Dynamic API Resolving: To avoid detection by static analysis tools, the malware uses CRC-32 hashing for storing API names, importing them dynamically during runtime.
  4. XOR-based String Decryption: An algorithm is used to decrypt strings, with each byte’s key generated based on its position. This method is designed to complicate automated decryption efforts.
  5. Persistence Mechanism: The malware creates a scheduled task to regularly execute WerFaultSecure.exe. This ensures that the malware remains active on the infected system.
  6. Second-Stage Loader (secure.pdf): It’s decrypted using an undocumented function from advapi32.dll, with memory allocation and modification handled by functions from Activeds.dll and VirtualProtect.
  7. Execution Redirection through API Callbacks: The malware cleverly redirects execution flow to the second-stage payload using Windows API callback functions, particularly exploiting the CryptCATCDFOpen function.

Overall, this malware demonstrates a deep understanding of Windows internals, using them to its advantage to stay hidden and maintain persistence on the infected system. The combination of techniques used makes it a complex and dangerous threat.

SECOND-STAGE DEFENSE EVASION

The second-stage loader, known as Donut, is an open-source shellcode that executes various file types in memory. It encrypts payloads without compression and uses the Unmanaged CLR Hosting API to load the Common Language Runtime, creating a new Application Domain for running assemblies.Here’s an overview of how Donut is used for defense evasion and payload execution:

  1. Donut Shellcode Loader:
    • Capabilities: Allows execution of VBScript, JScript, EXE files, DLL files, and .NET assemblies directly in memory.
    • Deployment Options: Can be embedded into the loader or staged from an HTTP or DNS server. In this case, it’s embedded directly into the loader.
  2. Payload Compression and Encryption:
    • Compression Techniques: Supports aPLib, LZNT1, Xpress, and Xpress Huffman through RtlCompressBuffer.
    • Encryption: Uses the Chaskey block cipher for payload encryption. In this instance, only encryption is used, without compression.
  3. Execution Process via Unmanaged CLR Hosting API:
    • CLR Loading: Donut configures to use the Unmanaged CLR Hosting API to load the Common Language Runtime (CLR) into the host process.
    • Application Domain Creation: Creates a new Application Domain, allowing assemblies to run in disposable AppDomains.
    • Assembly Loading and Execution: Once the AppDomain is prepared, Donut loads the .NET assembly and invokes the payload’s entry point.

The use of Donut in this attack is particularly notable for its ability to execute various types of code directly in memory. This method greatly reduces the attack’s visibility to traditional security measures, as it leaves minimal traces on the filesystem. Additionally, the use of memory-only execution tactics, coupled with sophisticated encryption, makes the payload difficult to detect and analyze. The ability to create and use disposable AppDomains further enhances evasion by isolating the execution environment, reducing the chances of detection by runtime monitoring tools. This approach demonstrates a high level of sophistication in evading defenses and executing the final payload stealthily.

PHEMEDRONE STEALER PAYLOAD ANALYSIS

Phemedrone Stealer initializes its configuration and decrypts items like Telegram API tokens using the RijndaelManaged symmetric encryption algorithm. It targets a wide range of applications to extract sensitive information, including Chromium-based browsers, crypto wallets, Discord, FileGrabber, FileZilla, Gecko-based browsers, system information, Steam, and Telegram.

COMMAND AND CONTROL FOR DATA EXFILTRATION

After data collection, the malware compresses the information into a ZIP file and validates the Telegram API token before exfiltrating the data. It sends system information and statistics to the attacker via the Telegram API. Despite the patch for CVE-2023-36025, threat actors continue to exploit this vulnerability to evade Windows Defender SmartScreen protection. The Phemedrone Stealer campaign highlights the need for vigilance and updated security measures against such evolving cyber threats.

MITIGATION

Mitigating the risks associated with CVE-2023-36025 and similar vulnerabilities, especially in the context of the Phemedrone Stealer campaign, involves a multi-layered approach. Here are some key strategies:

  1. Apply Security Patches: Ensure that all systems are updated with the latest security patches from Microsoft, particularly the one addressing CVE-2023-36025. Regularly updating software can prevent attackers from exploiting known vulnerabilities.
  2. Enhance Endpoint Protection: Utilize advanced endpoint protection solutions that can detect and block sophisticated malware like Phemedrone Stealer. These solutions should include behavior-based detection to identify malicious activities.
  3. Educate Users: Conduct security awareness training for all users. Educate them about the dangers of clicking on unknown links, opening suspicious email attachments, and the risks of downloading files from untrusted sources.
  4. Implement Network Security Measures: Use firewalls, intrusion detection systems, and intrusion prevention systems to monitor and control network traffic based on an applied set of security rules.
  5. Secure Email Gateways: Deploy email security solutions that can scan and filter out malicious emails, which are often the starting point for malware infections.
  6. Regular Backups: Regularly back up data and ensure that backup copies are stored securely. In case of a malware infection, having up-to-date backups can prevent data loss.
  7. Use Application Whitelisting: Control which applications are allowed to run on your network. This can prevent unauthorized applications, including malware, from executing.
  8. Monitor and Analyze Logs: Regularly review system and application logs for unusual activities that might indicate a breach or an attempt to exploit vulnerabilities.
  9. Restrict User Privileges: Apply the principle of least privilege by limiting user access rights to only those necessary for their job functions. This can reduce the impact of a successful attack.
  10. Incident Response Plan: Have a well-defined incident response plan in place. This should include procedures for responding to a security breach and mitigating its impact.
  11. Use Secure Web Gateways: Deploy web gateways that can detect and block access to malicious websites, thereby preventing the download of harmful content.
  12. Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential security gaps in the network.

By implementing these measures, organizations can significantly reduce their risk of falling victim to malware campaigns that exploit vulnerabilities like CVE-2023-36025.

USB Defender | Data Blocker | Blocks Unwanted Data Transfers | Protects Smartphone & Tablets From Public Charging Stations

Learn Malware Removal Techniques: How to remove malwares from a computer

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: DEFENDER ANTIVIRUS


Jan 03 2024

Malware using google exploit maintain access

Category: Information Security,Malware,Password Securitydisc7 @ 7:38 am

Information stealing malware are actively taking advantage of an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions and allow continuous access to Google services even after a password reset.

According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, enabling threat actors to maintain access to a valid session in an unauthorized manner.

The technique was first revealed by a threat actor named PRISMA on October 20, 2023, on their Telegram channel. It has since been incorporated into various malware-as-a-service (MaaS) stealer families, such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.

The MultiLogin authentication endpoint is primarily designed for synchronizing Google accounts across services when users sign in to their accounts in the Chrome web browser (i.e., profiles).

A reverse engineering of the Lumma Stealer code has revealed that the technique targets the “Chrome’s token_service table of WebData to extract tokens and account IDs of chrome profiles logged in,” security researcher Pavan Karthick M said. “This table contains two crucial columns: service (GAIA ID) and encrypted_token.”

This token:GAIA ID pair is then combined with the MultiLogin endpoint to regenerate Google authentication cookies.

Karthick told The Hacker News that three different token-cookie generation scenarios were tested –

  • When the user is logged in with the browser, in which case the token can be used any number of times.
  • When the user changes the password but lets Google remain signed in, in which case the token can only be used once as the token was already used once to let the user remain signed in.
  • If the user signs out of the browser, then the token will be revoked and deleted from the browser’s local storage, which will be regenerated upon logging in again.

When reached for comment, Google acknowledged the existence of the attack method but noted that users can revoke the stolen sessions by logging out of the impacted browser.

“Google is aware of recent reports of a malware family stealing session tokens,” the company told The Hacker News. “Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”

“However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user,” it further added. “This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.”

The company further recommended users turn on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.

“It’s advised to change passwords so the threat actors wouldn’t utilize password reset auth flows to restore passwords,” Karthick said. “Also, users should be advised to monitor their account activity for suspicious sessions which are from IPs and locations which they don’t recognize.”

“Google’s clarification is an important aspect of user security,” said Hudson Rock co-founder and chief technology officer, Alon Gal, who previously disclosed details of the exploit late last year.

“However, the incident sheds light on a sophisticated exploit that may challenge the traditional methods of securing accounts. While Google’s measures are valuable, this situation highlights the need for more advanced security solutions to counter evolving cyber threats such as in the case of infostealers which are tremendously popular among cybercriminals these days.”

(The story was updated after publication to include additional comments from CloudSEK and Alon Gal.)

The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: MultiLogin Exploit


Dec 13 2023

HOW TO BYPASS EDRS, AV WITH EASE USING 8 NEW PROCESS INJECTION ATTACKS

Category: Malwaredisc7 @ 7:38 am

In the ever-evolving landscape of cybersecurity, researchers are continually uncovering new methods that challenge existing defense mechanisms. A recent study by SafeBreach, a leader in cybersecurity research, has brought to light a novel process injection technique that exploits Windows thread pools, revealing vulnerabilities in current Endpoint Detection and Response (EDR) solutions. This groundbreaking research not only demonstrates the sophistication of potential cyber threats but also underscores the need for advanced defensive strategies in the digital world. Thread pool exploitation is challenging for EDRs to detect because it uses legitimate system mechanisms for malicious purposes. EDRs often look for known patterns of malicious activity, but when malware hijacks legitimate processes or injects code via expected system behaviors, such as those involving thread pools, it can blend in without raising alarms. Essentially, these techniques don’t leave the typical traces that EDRs are programmed to identify, allowing them to operate under the radar.

UNDERSTANDING PROCESS INJECTION:

Process injection is a technique often used by cyber attackers to execute malicious code within the memory space of a legitimate process. By doing so, they can evade detection and gain unauthorized access to system resources. Traditionally, this method involves three key steps: allocating memory in the target process, writing the malicious code into this allocated space, and then executing the code to carry out the attack.

THE ROLE OF WINDOWS THREAD POOLS:

Central to this new technique is the exploitation of Windows thread pools. Thread pools in Windows are integral for managing worker threads, which are used to perform various tasks in the background. These pools efficiently manage the execution of multiple threads, reducing the overhead associated with thread creation and destruction. In legitimate scenarios, thread pools enhance the performance and responsiveness of applications. Windows thread pools are a system feature used to manage multiple threads efficiently. These pools allow for the execution of worker threads that perform tasks in the background, optimizing the use of system resources. Thread pools are integral to the Windows operating system and are used by various applications for performing asynchronous tasks.

SafeBreach’s research delves into how these thread pools can be manipulated for malicious purposes. By exploiting the mechanisms that govern thread pool operations, attackers can inject malicious code into other running processes, bypassing traditional security measures. This technique presents a significant challenge to existing EDR solutions, which are typically designed to detect more conventional forms of process injection. Here are some examples of such manipulations:

  1. Inserting Malicious Work Items:
    • Attackers can insert malicious work items into the thread pool. These work items are essentially tasks scheduled to be executed by the pool’s worker threads. By inserting a work item that contains malicious code, an attacker can execute this code under the guise of a legitimate process.
  2. Hijacking Worker Threads:
    • An attacker might hijack the worker threads of a thread pool. By taking control of these threads, the attacker can redirect their execution flow to execute malicious code. This method can be particularly effective because worker threads are trusted components within the system.
  3. Exploiting Timer Queues:
    • Windows thread pools use timer queues to schedule tasks to be executed at specific times. An attacker could exploit these timer queues to schedule the execution of malicious code at a predetermined time, potentially bypassing some time-based security checks.
  4. Manipulating I/O Completion Callbacks:
    • Thread pools handle I/O completion callbacks, which are functions called when an I/O operation is completed. By manipulating these callbacks, an attacker can execute arbitrary code in the context of a legitimate I/O completion routine.
  5. Abusing Asynchronous Procedure Calls (APCs):
    • While not directly related to thread pools, attackers can use Asynchronous Procedure Calls, which are mechanisms for executing code asynchronously in the context of a particular thread, in conjunction with thread pool manipulation to execute malicious code.
  6. Worker Factory Manipulation:
    • The worker factory in a thread pool manages the worker threads. By manipulating the worker factory, attackers can potentially control the creation and management of worker threads, allowing them to execute malicious tasks.
  7. Remote TP_TIMER Work Item Insertion:
    • This involves creating a timer object in the thread pool and then manipulating it to execute malicious code. The timer can be set to trigger at specific intervals, executing the malicious code repeatedly.
  8. Queue Manipulation:
    • Attackers can manipulate the queues used by thread pools to prioritize or delay certain tasks. By doing so, they can ensure that their malicious tasks are executed at a time when they are most likely to go undetected.

These examples illustrate the versatility and potential stealth of using Windows thread pools for malicious purposes. The exploitation of such integral system components poses a significant challenge to cybersecurity defenses, requiring advanced detection and prevention mechanisms. The following thread pool work items that can be scheduled in Windows. Here’s how each one could potentially be vulnerable to attacks:

  1. Worker Factory Start Routine Overwrite: Overwriting the start routine can redirect worker threads to execute malicious code.
  2. TP_WORK Insertion: By inserting TP_WORK objects, attackers could run arbitrary code in the context of a thread pool thread.
  3. TP_WAIT Insertion: Manipulating wait objects can trigger the execution of malicious code when certain conditions are met.
  4. TP_IO Insertion: By intercepting or inserting IO completion objects, attackers could execute code in response to IO operations.
  5. TP_ALPC Insertion: Attackers could insert ALPC (Advanced Local Procedure Call) objects to execute code upon message arrival.
  6. TP_JOB Insertion: Jobs can be associated with malicious actions, executed when certain job-related events occur.
  7. TP_DIRECT Insertion: Direct insertion allows immediate execution of code, which can be abused for running malware.
  8. TP_TIMER Insertion: Timers can be used by attackers to schedule the execution of malicious payloads at specific times.

These vulnerabilities generally stem from the fact that thread pools execute callback functions, which attackers may manipulate to point to their code, thus achieving code execution within the context of a legitimate process.

MITIGATION

Mitigating threats that involve the exploitation of Windows thread pools for process injection requires a multi-faceted approach, combining advanced technological solutions with proactive security practices. Here are some potential measures and recommendations:

  1. Enhanced Detection Algorithms:
    • Endpoint Detection and Response (EDR) solutions should incorporate advanced algorithms capable of detecting anomalous behaviors associated with thread pool manipulation. This includes unusual activity patterns in worker threads and unexpected changes in thread pool configurations.
  2. Deep System Monitoring:
    • Implement deep monitoring of system internals, especially focusing on thread pools and worker thread activities. Monitoring should include the creation of work items, modifications to timer queues, and the execution patterns of threads.
  3. Regular Security Audits:
    • Conduct regular security audits of systems to identify potential vulnerabilities. This includes reviewing and updating the configurations of thread pools and ensuring that security patches and updates are applied promptly.
  4. Advanced Threat Intelligence:
    • Utilize advanced threat intelligence tools to stay informed about new vulnerabilities and attack techniques involving thread pools. This intelligence can be used to update defensive measures continuously.
  5. Employee Training and Awareness:
    • Educate IT staff and employees about the latest cybersecurity threats, including those involving thread pool exploitation. Awareness can help in early detection and prevention of such attacks.
  6. Behavioral Analysis and Heuristics:
    • Implement security solutions that use behavioral analysis and heuristics to detect unusual patterns that might indicate thread pool exploitation. This approach can identify attacks that traditional signature-based methods might miss.
  7. Zero Trust Architecture:
    • Adopt a zero trust architecture where systems do not automatically trust any entity inside or outside the network. This approach can limit the impact of an attack by restricting access and permissions to essential resources only.
  8. Regular Software Updates:
    • Ensure that all software, especially operating systems and security tools, are regularly updated. Updates often include patches for known vulnerabilities that could be exploited.
  9. Isolation of Sensitive Processes:
    • Isolate sensitive processes in secure environments to reduce the risk of thread pool manipulation affecting critical operations. This can include using virtual machines or containers for added security.
  10. Incident Response Planning:
    • Develop and maintain a robust incident response plan that includes procedures for dealing with thread pool exploitation. This plan should include steps for containment, eradication, recovery, and post-incident analysis.

By implementing these measures, organizations can strengthen their defenses against sophisticated attacks that exploit Windows thread pools, thereby enhancing their overall cybersecurity posture.

Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: BYPASS EDRS, INJECTION ATTACKS


Nov 25 2023

Stuxnet techniques used

Category: Cyber War,Digital cold war,Malwaredisc7 @ 2:55 pm

Stuxnet: The Revenge of Malware: How the Discovery of Malware from the Stuxnet Family Led to the U.S. Government Ban of Kaspersky Lab Anti-Virus Software

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Stuxnet


Nov 21 2023

Increasingly prevalent NetSupport RAT infections reported

Category: Malware,Remote codedisc7 @ 9:30 am

https://www.scmagazine.com/brief/increasingly-prevalent-netsupport-rat-infections-reported

Attacks involving the NetSupport RAT have become increasingly common, The Hacker News reports. More than 15 infections have been observed mostly in organizations in the education, government, and business sectors, in recent weeks, according to a report from VMware Carbon Black researchers. Fraudulent browser updates have been leveraged by threat actors to facilitate the distribution of the SocGholish downloader malware, also known as FakeUpdates, which then uses PowerShell to establish a remote server connection and facilitate the retrieval of a NetSupport RAT-containing ZIP archive file. Researchers also noted that the installation of NetSupport would then enable behavior tracking, file transfers, computer setting alterations, and lateral network movement. “The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns,” said researchers. NetSupport RAT, which was once a remote access tool, was previously reported by Sucuri to have been spread through fake Cloudflare distributed denial-of-service protection pages.

Rat : Remote Access Trojan – Launching Virus Remotely

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: NetSupport RAT


Oct 10 2023

SILENT PREDATOR UNVEILED: DECODING WEBWYRM STEALTHY MALWARE AFFECTING 50 COUNTRIES

Category: Malwaredisc7 @ 8:40 am

DECIPHERING WEBWYRM: AN IN-DEPTH ANALYSIS OF THE PERVASIVE MALWARE THREATENING GLOBAL CYBERSECURITY

In the intricate landscape of global cybersecurity, Webwyrm malware has surfaced as a formidable adversary, casting its ominous shadow across 50 nations and leaving in its wake over 100,000 compromised victims. This insidious digital menace successfully emulates in excess of 1000 reputable companies globally, with the ensuing potential financial fallout estimated to surpass a staggering $100 million. It is imperative for cybersecurity professionals and organizations alike to comprehend the multifaceted nature of this threat to devise and implement robust defensive strategies effectively.

THE EVOLUTIONARY TRAJECTORY OF WEBWYRM

In the dynamic realm of cyber threats, malicious actors incessantly refine their Tactics, Techniques, and Procedures (TTPs), exploiting extant vulnerabilities and augmenting the efficacy of their malicious campaigns. Webwyrm epitomizes this relentless pursuit of evolution, embodying a level of sophistication reminiscent of infamous cyber threats of yore, such as the notorious ‘Blue Whale Challenge.’

REFINED MODUS OPERANDI

WebWyrm malware orchestrates a complex, deceptive narrative aimed at duping unsuspecting job seekers into relinquishing their cryptocurrency. Initiating contact predominantly via WhatsApp, the malefactors likely leverage data procured from employment portals to pinpoint and engage individuals predisposed to their deceptive overtures. Prospective victims are enticed with promises of lucrative weekly remuneration, ranging between $1200 and $1500, contingent upon the completion of daily task “packets” or “resets.”

Upon transferring funds into designated cryptocurrency wallets, victims are led to believe that the completion of tasks results in monetary withdrawals from their accounts, which are subsequently returned along with additional commissions. The introduction of “combo tasks” promises substantial financial returns but necessitates a more considerable investment. However, the caveat is that these returns are accessible only upon the sequential completion of all combo tasks, with each task demanding a progressively larger investment.

CAMPAIGN ENABLERS: TECHNICAL INSIGHTS

WebWyrm’s campaign is characterized by its sophistication, adaptability, and elusive operational framework. The initiative employs dedicated personnel engaging with victims via various platforms, thereby lending an aura of legitimacy and support to their endeavors. The orchestrators have meticulously crafted approximately 6000 counterfeit websites, directing victims to register their accounts. These platforms are expertly designed to mimic legitimate enterprises, with a keen focus on geo-targeting and associated contact numbers reflecting the respective victim’s geographical location.

Moreover, the malefactors astutely navigate the ephemeral nature of their infrastructure, allocating specific IP addresses or Autonomous System Numbers (ASNs) to host counterfeit domains for limited durations. This modus operandi facilitates operational continuity and anonymity, allowing for a swift transition to alternative infrastructure in response to potential threats, thereby effectively circumventing detection mechanisms.

INDUSTRIES IN THE CROSSHAIRS

Webwyrm has indiscriminately targeted a plethora of industries, including:

  • IT Services
  • Software Development
  • Mobile App Development
  • User Experience Design
  • Digital Marketing
  • Web Development
  • SEO
  • E-Commerce

DEFENSIVE COUNTERMEASURES

Effective defense against Webwyrm necessitates the adoption of several countermeasures:

  • Origin Tracing of Malefactors via Employment Portals
  • Collaborative Defensive Initiatives
  • Deployment of Rapid Response Teams
  • Implementation of Domain Blacklisting Protocols
  • Asset Seizure
  • Launch of Educational Awareness Campaigns

With the incorporation of these enhanced technical insights, it becomes abundantly clear that WebWyrm represents a meticulously orchestrated, sophisticated operation with the singular aim of exploiting job seekers. The nuanced understanding of potential victims, coupled with a highly adaptive and elusive infrastructure, renders this a significant threat warranting coordinated, informed countermeasures to safeguard potential victims. Awareness, education, and the proactive deployment of defense mechanisms are pivotal in mitigating the risks associated with the WebWyrm malware campaign.

Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: WEBWYRM


Sep 22 2023

HOW TO SEND PHISHING OR MALWARE TO TEAMS USERS EVADING TEAMS SECURITY FEATURES

Category: Malware,Phishingdisc7 @ 9:25 am

TeamsPhisher is a Python3 software that was designed to make it easier for phishing messages and attachments to be sent to users of Microsoft Teams whose companies or organizations permit connection with outside parties. It is not feasible to transfer files to users of Teams who are not part of one’s company in most circumstances. Recently, Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) from JUMPSEC published a means to circumvent this limitation by modifying HTTP requests made by Teams in order to change who is sent a message with an attached file.

TeamsPhisher utilizes a number of other techniques, including some of Andrea Santese’s (@Medu554) older ones, in addition to this one.For the authentication component of the attack flow as well as other basic utility functions, it relies significantly on TeamsEnum, a brilliant piece of work that was developed by Bastian Kanbach (@bka) of SSE.

TeamsPhisher’s goal is to include the most useful aspects of the aforementioned projects in order to provide a method that is robust, fully adaptable, and highly effective for authorized Red Team operations to use Microsoft Teams for phishing in access-related circumstances.

You will need to provide TeamsPhisher with an attachment, a message, and a list of people to target. After that, it will go over the list of targets while simultaneously uploading the attachment to the sender’s Sharepoint.

First, TeamsPhisher will enumerate the target user and check to see whether that person really exists and is able to receive messages from the outside world. After that, it will initiate a new conversation with the person you choose. Note that this is technically a “group” conversation since TeamsPhisher contains the target’s email address twice; this is a clever hack from @Medu554 that will circumvent the “Someone outside your organization messaged you, are you sure you want to view it” splash screen that might offer our targets a reason to stop and think twice about viewing the message.

The user who was identified will get the message that was sent to them along with a link to the attachment that was stored in Sharepoint after a new thread has been established between our sender and the target.

After this first message has been sent, the newly established thread will be visible in the sender’s Teams GUI and may be engaged with manually, if necessary, on a case-by-case basis. Users of TeamsPhisher are required to have a Microsoft Business account (as opposed to a personal one such as @hotmail, @outlook, etc.) that is licensed for both Teams and Sharepoint in order to utilize the software.

This indicates that you will require an AAD tenant as well as at least one user who has a license that corresponds to it. At the time of publishing, the AAD licensing center does have some free trial licenses available for download that are capable of meeting all of the prerequisites for using this product.

Before you may utilize the account with TeamsPhisher, you will have to ensure that you have at least once successfully logged into the personal Sharepoint site of the user with whom you will be exchanging messages. This should be something along the lines of tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com or tenantname-my.sharepoint.com/personal/myusername_mytenantname_mycustomdomain_tld. Alternatively, you could also use tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com.

In terms of the needs of the local community, We strongly advise upgrading to the most recent version of Python3. You will also require the authentication library developed by Microsoft:

To upload the file to a Sharepoint site, you will need to manually give the site’s name. This would most likely be required in the event if the sender’s tenant makes use of a unique domain name (for example, one that does not adhere to the xxx.onmicrosoft.com norm). Just the singular name should be used; for instance, if your SharePoint site is located at mytest.sharepoint.com, you should use the –sharepoint mytest option.

Replace TeamPhisher’s standard greeting (“Hi,”) with a personalized greeting that will be appended to the message that is supplied by the –message option. For instance, “Good afternoon,” or “Sales team,” are examples.

By default, the Sharepoint link that is provided to targets may be accessed by anybody who has the link; to restrict access to the Sharepoint file so that it can only be viewed by the target who got it, use the –securelink option. It’s possible that this will help shield your virus from the blue team.

TeamsPhisher will make an effort to determine the first name of each person it is targeting and will use that name in the welcome it sends to them. For instance, tom.jones@targettenant.onmicrosoft.com would get an email with the greeting “Hi Tom, ” as the first line of the message. This is not ideal and is dependant on the format of the emails that are being targeted; use the –preview option to see whether or not this is a suitable match for the list of emails that you are targeting.

The preview version of TeamsPhisher will be executed. This will NOT send any messages to the target users; instead, the “friendly” name that would be used by the –personalize option will be shown. In addition, a sample message that is indicative of what targets would receive with the current settings will be delivered to the sender’s Teams. You may log in to check how your message appears and make any required adjustments to it.

You may choose to have a delay of x seconds between each message sent to targets. Can be of assistance with rate-limiting concerns that may arise.

TeamsPhisher will determine which accounts are unable to receive messages from third-party organizations, which accounts do not exist, and which accounts have subscription plans that are incompatible with the attack vectors.

TeamsPhisher now enables login with sender accounts using multifactor authentication (MFA), thanks to code contributed by the TeamsEnum project.

If you use the –securelink flag, the recipients of the message will see a popup asking them to verify themselves before they can view the attachment in Sharepoint. You have the ability to determine if this adds an excessive number of additional steps or whether it adds ‘legitimacy’ by sending them via the actual Microsoft login feature.

Mitigation
By changing the choices associated with external access, which can be found in the Microsoft Teams admin center under Users > External access, companies may reduce the risk that is provided by the vulnerability that has been discovered.

Organizations are provided with the freedom to pick the optimal rights to match their requirements by Microsoft, including the ability to whitelist just particular external tenants for communications and a global block that prevents any communications from occurring.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: EVADING TEAMS SECURITY FEATURES



Jul 14 2023

THIS FREE UEFI MALWARE CODE CAN HACK WINDOWS MACHINE FOREVER, EVEN IF HARD DISK IS REMOVED

Category: Malware,Windows Securitydisc7 @ 12:29 pm

The Blacklotus bootkit was developed expressly for Windows, and it first appeared on hacker forums in October of the previous year. It was described as having APT-level capabilities, including the ability to circumvent secure boot and user access control (UAC), as well as the capacity to deactivate security software and defensive mechanisms on victim computers. Threat actors of various skill levels were able to purchase BlackLotus when it was first offered for sale on hacker forums for as little as $5,000, giving them access to malware that is often associated with state-sponsored hacking operations. However, the threat actor concealed the source code and charged clients $200 for rebuilds if they wished to modify the bootkit in any way.c
Microsoft published a set of resources in April that are intended to assist threat hunters in recognizing BlackLotus infections. The National Security Agency (NSA) released some guidelines in June to assist firms in strengthening their defenses against the threat.


Although it has a number of alterations in comparison to the malware’s initial form, the BlackLotus UEFI bootkit’s original source code has been made available to the public on GitHub.

The ‘Baton Drop’ exploit that targets CVE-2022-21894 has been removed from the BlackLotus source code that was released on GitHub on Wednesday. Additionally, the BlackLotus source code now employs the bootlicker UEFI firmware rootkit, although it still retains the majority of the original code.

The fact that the bootkit’s source code is available to the public poses a considerable danger, primarily because it may be paired with newly discovered vulnerabilities to open up previously undiscovered entry points for attacks. BlackLotus was able to utilize the attack despite the fact that CVE-2022-21894 had been fixed the previous year. This was possible because the vulnerable binaries had not been put to the UEFI revocation list. This demonstrates how even vulnerabilities that have been patched may still present long-term, industry-wide supply chain impact.

However, since the source code was leaked, it is now very easy for threat actors to combine the bootkit with new bootloader vulnerabilities, whether they are known or undiscovered. The methods used by the bootkit are no longer cutting edge.

Be careful to adhere to the extensive mitigation guidance that the NSA issued a month ago in order to protect your computers against the BlackLotus UEFI bootkit attack.

Because the source code of the bootkit is now freely accessible, it is feasible that skilled malware writers may design more powerful variations that are able to circumvent both currently available countermeasures and those that will be developed in the future.

How to Hack Like a Legend: Breaking Windows

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: HACK WINDOWS MACHINE


Jun 15 2023

LLM meets Malware: Starting the Era of Autonomous Threat

Category: Malwaredisc7 @ 2:19 am

Malware researchers analyzed the application of Large Language Models (LLM) to malware automation investigating future abuse in autonomous threats.

Executive Summary

In this report we shared some insight that emerged during our exploratory research, and proof of concept, on the application of Large Language Models to malware automation, investigating how a potential new kind of autonomous threats would look like in the near future.

  • We explored a potential architecture of an autonomous malware threat based on four main steps: an AI-empowered reconnaissances, reasoning and planning phase, and the AI-assisted execution.
  • We demonstrate the feasibility of using LLM to recognize infected environments and decide which kind of malicious actions could be best suited for the environment.
  • We adopted an iterative code generation approach to leverage LLMs in the complicated task of generating code on the fly to achieve the malicious objectives of the malware agent.
  • Luckily, current general purpose LLM models still have limitations: while incredibly competent, they still need precise instruction to achieve the best results.
  • This new kind of threat has the potential to become extremely dangerous in the future, when computational requirements of LLMs would be low enough to run the agent completely locally, and also with the usage of specific models instead of general purpose ones.

Introduction

Large Language Models started shaping the digital world around us, since the public launch of OpenAI’s ChatGPT everybody spotted a glimpse of a new era where the Large Language Models (LLMs) would profoundly impact multiple sectors soon.

The cyber security industry is not an exception, rather it could be one of the most fertile grounds for such technologies, both for good and also for bad. Researchers in the industry have just scratched the surface of this application, for instance with read teaming application, as in the case of the PentestGPT project, but also, more recently even with malware related applications, in fact, Juniper researchers were using ChatGPT to generate malicious code to demonstrate the speedup in malware writing, and CyberArk’s ones tried to use ChatGPT to realize a polymorphic malware, along with Hays researchers which created another polymorphic AI-powered malware in Python.

Following this trail of this research, we decided to experiment with LLMs in a slightly different manner: our objective was to see if such technology could lead even to a paradigm-shift in the way we see malware and attackers. To do so, we prototyped a sort of “malicious agent” completely written in Powershell, that would be able not only to generate evasive polymorphic code, but also to take some degree of decision based on the context and its “intents”.

Technical Analysis

This is an uncommon threat research article, here the focus is not in a real-world threat actor, instead we deepen an approach that could be likely adopted in the near future by a whole new class of malicious actors, the AI-powered autonomous threat.

A model for Autonomous Threats

First of all we are going to describe a general architecture that could be adopted for such an objective. An architecture which inevitably has common ground with Task-Driven Autonomous Agents like babyAGI or autoGPT. But for the sake of our experimentation, we decided to shape the logic flow of the malicious agent to better match common malware operations.

As anticipated before, our Proof of Concept (PoC) autonomous malware is an AI-enabled Powershell script, designed to illustrate the potential of artificial intelligence in automation and decision-making, with each phase of execution highlighting the adaptability and intelligence of the AI.

Breaking down the state diagram, at high level, the agent runs into the following stages.

Footprinting

During the discovery phase, the AI conducts a comprehensive analysis of the system. Its goal is to create a thorough profile of the operating environment. It examines system properties such as the operating system, installed applications, network setups, and other pertinent information.

This thorough assessment is not just for ensuring the system is ready to go, but also assists the AI in figuring out if it’s working within a controlled environment, whether it’s interacting with a server or a client. One of the crucial determinations it makes is whether it is functioning within a sandboxed environment. Sandboxes are controlled settings, often used for testing or monitoring potentially harmful activities. If the AI detects it is operating within a sandbox, it halts all execution, avoiding unnecessary exposure in a non-targeted environment.

This system data becomes a vital input that lets the malicious-AI make informed decisions and respond appropriately. It provides a comprehensive understanding of its operating environment, similar to a detailed map, allowing it to navigate the system effectively. In this sense, this phase readies the “malicious agent” for the activities that follow.

Reasoning

In the execution phase, the malicious agent maneuvers rely significantly on the context, built on a detailed understanding of the system environment gathered in the earlier analysis phase.

An intriguing aspect of this phase is the AI’s strategic decision-making, which closely emulates strategies used by well-known hacking groups. At the outset, the “malicious agent” mimics a specific, recognized hacking group. The selection of the group isn’t random but is determined by the particular context and conditions of the system.

After deciding which hacking group to mimic, the autonomous agent goes on to devise a comprehensive attack strategy. This strategy is custom-made to the specific system environment and the standard practices of the selected hacking group, for example, it may decide to include password stealing tasks in case it detects the Outlook application rather than install a backdoor account on the server.

Execution

Once the attack strategy is in place, the malicious agent begins to carry out each action in a step-by-step manner. For each action, the AI dynamically creates the necessary code and promptly puts it into action. This could include a broad range of operations, such as attempting privilege escalation, conducting password hunts, or establishing persistence.

However, the AI’s role isn’t just limited to implementation. It consistently keeps an eye on how the system responds to its actions and stays ready for unexpected occurrences. This attentiveness allows the AI to adapt and modify its actions in real time, showcasing its ability for resilience and strategic problem-solving within a changing system environment.

When guided by more specific prompts, AI proves to be exceptionally capable, even to the point of generating functional infostealers on the fly.

This AI-empowered PoC epitomizes the potential of AI in carrying out intricate tasks independently and adjusting to its environment.

Code Generation

One of the fundamental characteristics that set autonomous threats apart is their ability to generate code. Unlike traditional threats, which often require manual control or pre-programmed scripts to adapt and evolve, autonomous threats use AI algorithms to autonomously generate new code segments. This dynamic code generation ability not only allows them to adapt to changing system conditions and defenses but also makes their detection and analysis more challenging.

This process involves the use of specific prompts, allowing the AI to create custom solutions that suit the system’s unique conditions. The AI also takes an active role in monitoring the outcomes of its actions. It continually assesses the results of its code execution. If it detects errors or unsuccessful actions, it uses them as inputs for further processing. By feeding error data back into its processes, the AI can refine and optimize its code generation. This iterative process represents a significant step towards true autonomous problem-solving capabilities, as the AI dynamically adjusts its actions based on their results.

Figure. Iterative code generation and adjustment

Environment Awareness

Autonomous threats take threat intelligence to a new level by being aware of their operating environment. Traditional threats often have a one-size-fits-all approach, attacking systems without fully understanding the environment. In contrast, autonomous threats can actively monitor their environment and adapt their actions accordingly.

The concept of environmental awareness is pivotal in AI-powered cyber threats. This environmental understanding enables the autonomous malware to choose an appropriate course of action based on the context around. For example, it might identify if it’s operating within a sandbox environment or decide to behave differently based on whether it’s operating on a server or client machine.

This awareness also influences the AI’s decision-making process during its operation. It can adjust its behavior according to the context, impersonating a particular known hacker group or choosing a specific attack strategy based on the evaluated system characteristics.

This environment-aware approach could enable malware writers to rely on very sophisticated, and harder to counter, evasion schemes.

Figure. Prompt to evaluate the machine environment

Decision-Making Autonomy

Perhaps the most defining characteristic of autonomous malware is the decision-making autonomy. Unlike traditional threats that rely on pre-programmed behaviors or external control from a human operator, autonomous threats can make independent decisions about their actions.

These threats use advanced AI algorithms to analyze the available information, weigh the potential outcomes of different actions, and choose the most effective course of action. This decision-making process could involve choosing which systems to target, selecting the best method for attack, deciding when to lay dormant to avoid detection, and even determining when to delete themselves to avoid traceability.

This level of autonomy not only makes these threats more resilient to countermeasures, but it also allows them to carry out more complex and coordinated attacks. By making independent decisions, these threats can adapt to changing circumstances, carry out long-term infiltration strategies, and even coordinate with other autonomous threats to achieve their objectives.

Proof of Concept

https://youtube.com/watch?v=W-7Vk3nqVRU%3Ffeature%3Doembed

In this proof of concept (PoC), we launched our AI-enabled script on a Windows client. The script’s execution process is designed to illustrate the potential of AI in automating complex tasks, decision making, and adjusting to the environment.

Firstly, the script initiates with an exhaustive system footprinting. During this phase, the AI takes a thorough survey of the system. The focus is on creating a detailed footprint of the operating environment by examining properties such as the operating system, installed software and other relevant details. This rigorous assessment not only prepares the system for the following actions but also helps the AI understand the context it’s operating within.

Simultaneously, a crucial part of this initial phase is sandbox detection. In fact, if the AI identifies the environment as a sandbox, the execution halts immediately.

Once the AI has confirmed it’s not within a sandbox, and it’s dealing with a client, it proceeds to develop an infostealer — a type of malware that’s designed to gather and extract sensitive information from the system. In this specific case, the AI installs a keylogger to monitor and record keystrokes, providing a reliable method to capture user inputs, including passwords.

Alongside keylogging, during the test sessions, the AI performed password hunting too.

Finally, after gathering all the necessary data, the AI proceeded to the data exfiltration. The AI prepares all the accumulated data for extraction, ensuring it’s formatted and secured in a way that it can be efficiently and safely retrieved from the system.

The demonstration video provides a real-time view of these actions carried out by the AI.

This PoC underlines how an AI system can perform complex tasks, adapt to its environment, and carry out activities that previously required advanced knowledge and manual interaction.

Consideration on Experimentation Session

In all the experiments conducted, a key theme that emerged was the level of exactness needed when assigning tasks to the AI. When presented with vague or wide-ranging tasks, the AI’s output frequently lacked effectiveness and specificity. This highlights an essential trait of AI at its current stage: while incredibly competent, it still needs precise instruction to achieve the best results.

For instance, when tasked to create a generic malicious script, the AI might generate code that tries to cover a wide spectrum of harmful activities. The outcome could be a piece of code that is wide-ranging and inefficient, potentially even drawing unwanted scrutiny due to its excessive system activity.

On the other hand, when given more narrowly defined tasks, the AI demonstrated the capability to create specific components of malware. By steering the AI through smaller, more exact tasks, we could create malicious scripts that were more focused and effective. Each component could be custom-made to carry out its task with a high level of effectiveness, leading to the creation of a cohesive, efficient malware when combined.

This discovery suggests a more efficient method of utilizing AI in cybersecurity — breaking down complex tasks into smaller, manageable objectives. This modular approach allows for the creation of specific code pieces that carry out designated functions effectively and can be assembled into a larger whole.

Conclusion

In conclusion, when we just look in the direction of LLMs and malware combined together, we clearly see a significant evolution in cybersecurity threats, potentially able to lead to a paradigm shift where malicious code operates based on predefined high-level intents.

Their ability to generate code, understand their environment, and make autonomous decisions makes them a formidable challenge for future cybersecurity defenses. However, by understanding these characteristics, we can start to develop effective strategies and technologies to counter these emerging threats.

Luckily, the autonomous malware PoC we set up and the potential upcoming ones have still limitations: they rely on generic language models hosted online, this mean the internet connectivity is, and will be, a requirement for at least some time. But, we are likely going to see the adoption of local LLM models, maybe even special-purpose ones, directly embedded in the future malicious agents.

AI technology is in a rapid-development stage, and even if it is pretty young, its adoption across various sectors is widening, including in the criminal underground.

About the author: B42 Labs researchers

Original post at https://medium.com/@b42labs/llm-meets-malware-starting-the-era-of-autonomous-threat-e8c5827ccc85

Transformers for Natural Language Processing: Build, train, and fine-tune deep neural network architectures for NLP with Python, Hugging Face, and OpenAI’s GPT-3, ChatGPT, and GPT-4

LLM meets Malware: Starting the Era of Autonomous Threat

InfoSec tools | InfoSec services | InfoSec books

Tags: LLM


May 11 2023

Millions of mobile phones come pre-infected with malware, say researchers

Category: Information Security,Malware,Mobile Securitydisc7 @ 12:03 pm

The threat is coming from inside the supply chain

BLACK HAT ASIA Threat groups have infected millions of Androids worldwide with malicious firmware before the devices have even been shipped from their manufacturers, according to Trend Micro researchers at Black Hat Asia.

The mainly mobile devices, but also smartwatches, TVs and more, have their manufacturing outsourced to an original equipment manufacturer (OEM), a process the researchers say makes them easily infiltrated.

“What is the easiest way to infect millions of devices?” posed senior threat researcher Fyodor Yarochkin, speaking alongside colleague Zhengyu Dong.

He compared infiltrating devices at such an early stage of their life cycle to a tree absorbing liquid: you put the infection at the root, and it gets distributed everywhere, out to every single limb and leaf.

The malware installation technique began as the price of mobile phone firmware dropped. Competition between firmware distributors became so furious that eventually the providers could not charge money for their product.

“But of course there’s no free stuff,” said Yarochkin, who explained that the firmware started to come with an undesirable feature – silent plugins. The team manually analyzed dozens of firmware images looking for malicious software. They found over 80 different plugins, although many of those were not widely distributed.

The plugins that were the most impactful were those that had built a business model around them and were selling underground services, marketing them out in the open on places like Facebook, in blog posts, and on YouTube.

    The objective of the malware is to steal info or make money from information collected or delivered.

    The malware turns the devices into proxies which are used to steal and sell SMS messages, social media and online messaging accounts, and used as monetization opportunities via adverts and click fraud.

    One type of plugin, proxy plugins, allow the criminal to rent out devices for up to around five minutes at a time. For example, those renting the control of the device could acquire data on keystrokes, geographical location, IP address and more.

    “The user of the proxy will be able to use someone else’s phone for a period of 1200 seconds as an exit node,” said Yarochkin. He also said the team found a Facebook cookie plugin that was used to harvest activity from the Facebook app.

    Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million.

    As for where the threats are coming from, the duo wouldn’t say specifically, although the word “China” showed up multiple times in the presentation, including in an origin story related to the development of the dodgy firmware. Yarochkin said the audience should consider where most of the world’s OEMs are located and make their own deductions.

    “Even though we possibly might know the people who build the infrastructure for this business, its difficult to pinpoint how exactly the this infection gets put into this mobile phone because we don’t know for sure at what moment it got into the supply chain,“ said Yarochkin.

    The team confirmed the malware was found in the phones of at least 10 different vendors, but that there was possibly around 40 more affected. For those seeking to avoid infected mobile phones, they could go some way of protecting themselves by going high end.

    “Big brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market,” said Yarochkin. ®

    https://www.theregister.com/2023/05/11/bh_asia_mobile_phones/

    #Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy

     InfoSec tools | InfoSec services | InfoSec books

    Tags: Mobile phone security, Pegasus


    Apr 30 2023

    JUST FOR $1000 PER MONTH HACK MACOS COMPUTERS WITH THIS UNDETECTABLE MALWARE

    Category: Hacking,MalwareDISC @ 1:14 pm

    A new piece of malware known as Atomic macOS Stealer (AMOS) was recently discovered by researchers as it was being offered for sale on Telegram. The threat actor who is promoting it charges $1,000 each month and continually updates the virus that they are selling. The Atomic macOS Stealer is capable of stealing a variety of information from the computer of the victim, such as passwords saved in the Keychain, comprehensive system information, files from the victim’s desktop and documents folder, and even the macOS password itself.

    One of its many capabilities is the extraction of data from web browsers and cryptocurrency wallets such as Atomic, Binance, Coinomi, Electrum, and Exodus. This is only one of its many functions. When a threat actor purchases the stealer from the creators of the stealer, they are also given a web panel that is pre-configured and ready to use for managing the victims.

    In the event that AMOS is installed, it has the potential to compromise a broad range of data, some of which include the passwords for iCloud Keychain, the password for the macOS system, cookies, passwords, and credit card credentials from browsers like as Chrome, Firefox, Brave, Edge, and Opera, among others. Additionally, it has the ability to compromise cryptocurrency wallets such as Atomic, Binance, Exodus, Electrum, MetaMask, and a great number of others.

    A web panel, a program called Brute MetaMask, logs in Telegram with alerts, and more features are provided to customers by the malicious party that is offering malware as a service.

    The following is the message that the threat actor posted on Telegram while trying to sell the malware:

    After the malware has gained access to a user’s information, it places the information into a ZIP file, compresses it, and then sends it to the malicious party via a command and control server URL.

    It is imperative that users only download and install software from trusted sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received via email or SMS messages as a result of this development, which is another sign that macOS is increasingly becoming a lucrative target beyond nation-state hacking groups to deploy stealer malware. The development is also a sign that macOS is becoming a target for cybercriminals to deploy stealer malware.

    To protect against it:

    Only applications from the official Apple App Store should be downloaded and installed on your device.
    Install an antivirus and internet security software package that has a good reputation on your computer.
    Make sure to use secure passwords, and implement multi-factor authentication whenever it’s possible.
    When it is feasible to do so, enable the biometric security capabilities of the device, such as fingerprint or face recognition, so that it can be unlocked.
    Always use caution before clicking on any links that are delivered to you in emails.
    When enabling any permissions, exercise extreme caution.
    Make that all of your software, including operating systems and apps, is up to date.

    The Art of Mac Malware: The Guide to Analyzing Malicious Software

    InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

    Tags: Mac Malware, MACOS COMPUTERS


    Next Page »