Dec 16 2024

This ZIP File Hack Could Let Malware Bypass Your Antivirus

Category: Antivirus, Malware | disc7 @ 2:38 pm

WinRAR and ZIP File Exploits

A recently discovered exploit leverages ZIP file concatenation to bypass antivirus detection and deliver malware. This technique involves appending malicious data to a legitimate ZIP file in a manner that confuses some file-handling software. While certain tools may fail to display or detect the appended content, others expose the malicious files, creating a dangerous inconsistency.

The ZIP file format organizes compressed files with a central directory at the end of the archive. By appending new ZIP data to an existing archive, attackers create a “concatenated” file. This approach takes advantage of discrepancies in how ZIP file structures are processed by different software, leaving some tools vulnerable to malicious payloads.

The primary threat lies in how antivirus programs handle these concatenated files. Many fail to fully scan the appended portions of a ZIP archive, allowing embedded malware to evade detection. When unsuspecting users extract such files, they risk executing harmful code, potentially compromising their systems.

Recursive Extraction Defenses: Traditional detection solutions may lack recursive unpacking capabilities, which means they do not parse every layer of a concatenated ZIP file. Threat actors leverage this gap to keep malicious content hidden in nested or concatenated layers that security software may overlook.
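As an added example (not code from the original article), here is a small Python checker that does what the text says many tools skip: it walks every End Of Central Directory (EOCD) record in a file instead of trusting only the last one, lists the entries of each archive layer, and contrasts that with what a single-archive reader (Python's own zipfile module) reports. The sample archives are constructed inline with the standard library; the names archive_layers, is_concatenated and names_seen_by_zipfile are this example's own.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End Of Central Directory record signature
CDH_SIG = b"PK\x01\x02"    # Central directory file header signature


def make_zip(files):
    """Build a ZIP archive in memory from a {name: bytes} mapping (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def find_eocd_offsets(data):
    """Return the offset of every EOCD signature in the blob, first to last."""
    offsets, pos = [], data.find(EOCD_SIG)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    return offsets


def names_for_eocd(data, eocd):
    """Walk the central directory that ends at this EOCD and return its file names,
    or None if the bytes there are not a real central directory (stray signature)."""
    cd_size = struct.unpack_from("<I", data, eocd + 12)[0]
    cd_start = eocd - cd_size            # the central directory ends right before the EOCD
    if cd_start < 0 or data[cd_start:cd_start + 4] != CDH_SIG:
        return None
    names, pos = [], cd_start
    while pos + 46 <= eocd and data[pos:pos + 4] == CDH_SIG:
        # 46-byte fixed header; fields 10..12 are the name, extra and comment lengths
        fields = struct.unpack_from("<4s6H3I5H2I", data, pos)
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def archive_layers(data):
    """List the file names of every archive layer found, one list per layer, in file order."""
    layers = []
    for eocd in find_eocd_offsets(data):
        names = names_for_eocd(data, eocd)
        if names is not None:
            layers.append(names)
    return layers


def is_concatenated(data):
    """True when more than one complete ZIP archive is present in the blob."""
    return len(archive_layers(data)) > 1


def names_seen_by_zipfile(data):
    """What a single-archive reader reports: Python's zipfile trusts only the last EOCD."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


# Constructed sample: a benign archive with a second archive appended, as the text describes.
BENIGN = make_zip({"readme.txt": b"release notes"})
APPENDED = make_zip({"second_layer.txt": b"only visible to readers that honour the last EOCD"})
CONCATENATED = BENIGN + APPENDED

if __name__ == "__main__":
    print("zipfile sees:", names_seen_by_zipfile(CONCATENATED))
    print("all layers:  ", archive_layers(CONCATENATED))
    print("concatenated:", is_concatenated(CONCATENATED))
```

On the concatenated sample, zipfile lists only the appended archive's entry, while archive_layers surfaces both layers; a scanner that enumerates layers this way closes the gap described above. The check on the central directory signature guards against a stray PK\x05\x06 sequence inside compressed data being mistaken for a second archive.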

Popular tools like WinRAR, which is widely used for managing ZIP archives, are particularly impacted by this flaw. The issue doesn’t stem from the ZIP format itself but from how specific tools and antivirus solutions interpret concatenated data. This underscores the need for both robust software engineering and thorough security testing.

To mitigate the risk, it’s crucial for users to keep their antivirus software up to date. Security tools are being enhanced to detect these sophisticated attack methods, but vigilance remains key. Users should be cautious when handling ZIP files, especially those from unfamiliar or untrusted sources, and ensure all files are scanned before opening.

Organizations can further protect themselves by educating employees and enforcing strict file-handling policies. Training users to identify suspicious files and avoid extracting archives without proper scanning can greatly reduce exposure to these attacks. This layered approach, combining technology, awareness, and policy, is essential to defend against evolving cybersecurity threats.

For further details, access the article here


Tags: Bypass, ZIP File Hack


Nov 18 2024

WinRAR and ZIP File Exploits: This ZIP File Hack Could Let Malware Bypass Your Antivirus

Category: Antivirus, Malware | disc7 @ 9:16 am

A new vulnerability affecting WinRAR and ZIP file extraction tools has been identified, which can allow malware to bypass antivirus programs. Attackers exploit this by embedding malicious scripts within specially crafted ZIP or RAR files, which can evade detection and execute upon extraction. The flaw takes advantage of how some extraction tools handle paths and permissions, potentially leading to unauthorized access and execution. Users are advised to update their software and exercise caution with untrusted compressed files to mitigate the risk of such attacks.

You can read the full article here


Tags: Cyber Resilience, winrar, zip file


Aug 07 2024

Five Techniques for Bypassing Microsoft SmartScreen and Smart App Control (SAC) to Run Malware in Windows

Category: Malware, Windows Security | disc7 @ 11:41 am

Microsoft SmartScreen

Overview: Microsoft SmartScreen is a cloud-based anti-phishing and anti-malware component that comes integrated with various Microsoft products like Microsoft Edge, Internet Explorer, and Windows. It is designed to protect users from malicious websites and downloads.

Key Features:

  1. URL Reputation:
    • SmartScreen checks the URL of websites against a list of known malicious sites stored on Microsoft’s servers. If the URL matches one on the list, the user is warned or blocked from accessing the site.
  2. Application Reputation:
    • When a user downloads an application, SmartScreen checks its reputation based on data collected from other users who have downloaded and installed the same application. If the app is deemed suspicious, the user is warned before proceeding with the installation.
  3. Phishing Protection:
    • SmartScreen analyzes web pages for signs of phishing and alerts the user if a site appears to be trying to steal personal information.
  4. Malware Protection:
    • The system can identify and block potentially malicious software from running on the user’s device.
  5. Integration with Windows Defender:
    • SmartScreen works in conjunction with Windows Defender to provide a layered security approach, ensuring comprehensive protection against threats.

How it Works:

  • URL and App Checks:
    • When a user attempts to visit a website or download an application, SmartScreen sends a request to the SmartScreen service with the URL or app details.
    • The service checks the details against its database and returns a verdict to the user’s device.
    • Based on the verdict, the browser or operating system either allows, blocks, or warns the user about potential risks.
  • Telemetry and Feedback:
    • SmartScreen collects telemetry data from users’ interactions with websites and applications, which helps improve the accuracy of its threat detection algorithms over time.

Smart App Control (SAC)

Overview: Smart App Control (SAC) is a security feature in Windows designed to prevent malicious or potentially unwanted applications from running on the system. It is an evolution of the earlier Windows Defender Application Control (WDAC) and provides advanced protection by utilizing cloud-based intelligence and machine learning.

Key Features:

  1. Predictive Protection:
    • SAC uses machine learning models trained on a vast amount of data to predict whether an application is safe to run. It blocks apps that are determined to be risky or have no known good reputation.
  2. Cloud-Based Intelligence:
    • SAC leverages Microsoft’s cloud infrastructure to continuously update its models and threat intelligence, ensuring that protection is always up-to-date.
  3. Zero Trust Model:
    • By default, SAC assumes that all applications are untrusted until proven otherwise, aligning with the zero trust security model.
  4. Seamless User Experience:
    • SAC operates silently in the background, allowing trusted apps to run without interruptions while blocking potentially harmful ones. Users receive clear notifications and guidance when an app is blocked.
  5. Policy Enforcement:
    • Administrators can define policies to control app execution on enterprise devices, ensuring compliance with organizational security standards.

How it Works:

  • App Analysis:
    • When an app attempts to run, SAC sends its metadata to the cloud for analysis.
    • The cloud service evaluates the app against its machine learning models and threat intelligence to determine its risk level.
  • Decision Making:
    • If the app is deemed safe, it is allowed to run.
    • If the app is determined to be risky or unknown, it is blocked, and the user is notified with an option to override the block if they have sufficient permissions.
  • Policy Application:
    • SAC policies can be customized and enforced across an organization to ensure consistent security measures on all managed devices.

Integration with Windows Security:

  • SAC is integrated with other Windows security features like Microsoft Defender Antivirus, providing a comprehensive defense strategy against a wide range of threats.

Despite the robust protections offered by Microsoft SmartScreen and Smart App Control (SAC), attackers can sometimes bypass these features through several sophisticated techniques.

1. Signed Malware Bypassing Microsoft SmartScreen and SAC

1. Valid Digital Signatures:

  • Stolen Certificates: Cybercriminals can steal valid digital certificates from legitimate software developers. By signing their malware with these stolen certificates, the malware can appear trustworthy to security features like SmartScreen and SAC.
  • Bought Certificates: Attackers can purchase certificates from Certificate Authorities (CAs) that might not perform thorough background checks. These certificates can then be used to sign malware.

2. Compromised Certificate Authorities:

  • If a Certificate Authority (CA) is compromised, attackers can issue valid certificates for their malware. Even if the malware is signed by a seemingly reputable CA, it can still be malicious.

3. Certificate Spoofing:

  • Advanced attackers may use sophisticated techniques to spoof digital certificates, making their malware appear as if it is signed by a legitimate source. This can deceive security features into trusting the malware.

4. Timing Attacks:

  • Some malware authors time their attacks to take advantage of the period between when a certificate is issued and when it is revoked or added to a blacklist. During this window, signed malware can bypass security checks.

5. Use of Legitimate Software Components:

  • Attackers can incorporate legitimate software components into their malware. By embedding malicious code within a signed, legitimate application, the entire package can be trusted by security features.

6. Multi-Stage Attacks:

  • Initial stages of the malware may appear harmless and thus be signed and trusted. Once the initial stage is executed and trusted by the system, it can download and execute the actual malicious payload.

7. Social Engineering:

  • Users may be tricked into overriding security warnings. For example, if SmartScreen or SAC blocks an application, an attacker might use social engineering tactics to convince the user to manually bypass the block.

2. How Reputation Hijacking Bypasses Microsoft SmartScreen and SAC

  1. Compromised Legitimate Websites:
    • Method: Attackers compromise a legitimate website that has a strong reputation and inject malicious content or host malware on it.
    • Bypass Mechanism: Since SmartScreen relies on the reputation of websites to determine if they are safe, a website with a previously good reputation may not trigger alerts even if it starts serving malicious content. Users are not warned because the site’s reputation was established before the compromise.
  2. Trusted Domains and Certificates:
    • Method: Attackers use domains with valid SSL certificates issued by trusted Certificate Authorities (CAs) to host malicious content.
    • Bypass Mechanism: SmartScreen and SAC check for valid certificates as part of their security protocols. A valid certificate from a trusted CA makes the malicious site appear legitimate, thus bypassing the security checks that would flag a site with an invalid or self-signed certificate.
  3. Embedding Malware in Legitimate Software:
    • Method: Attackers inject malicious code into legitimate software or its updates.
    • Bypass Mechanism: If the legitimate software has a good reputation and is signed with a valid certificate, SmartScreen and SAC are less likely to flag it. When users update the software, the malicious payload is delivered without triggering security warnings because the update appears to be from a trusted source.
  4. Phishing with Spoofed Emails:
    • Method: Attackers send phishing emails that appear to come from trusted sources, often using spoofed email addresses.
    • Bypass Mechanism: Users are more likely to trust and open emails from familiar and reputable sources. SmartScreen may not always catch these emails, especially if they come from legitimate domains that have been spoofed, leading users to malicious websites or downloads.
  5. Domain and Subdomain Takeover:
    • Method: Attackers take over expired or unused domains and subdomains of reputable sites.
    • Bypass Mechanism: Since the domain or subdomain was previously associated with a legitimate entity, SmartScreen and SAC may continue to trust it based on its historical reputation. This allows attackers to serve malicious content from these domains without raising security flags.
  6. Social Engineering Attacks:
    • Method: Attackers trick users into overriding security warnings by posing as legitimate sources or using persuasive tactics.
    • Bypass Mechanism: Even if SmartScreen or SAC warns users, skilled social engineering can convince them to bypass these warnings. Users might disable security features or proceed despite warnings if they believe the source is trustworthy.

3. How Reputation Seeding Bypasses Microsoft SmartScreen and SAC

Reputation seeding is a tactic where attackers build a positive reputation for malicious domains, software, or email accounts over time before launching an attack. This can effectively bypass security measures like Microsoft SmartScreen and Smart App Control (SAC) because these systems often rely on reputation scores to determine the trustworthiness of an entity. Here’s how reputation seeding works and strategies to mitigate it:

How Reputation Seeding Works

  1. Initial Clean Activity:
    • Method: Attackers initially use their domains, software, or email accounts for legitimate activities. This involves hosting benign content, sending non-malicious emails, or distributing software that performs as advertised without any harmful behavior.
    • Bypass Mechanism: During this period, SmartScreen and SAC observe and record these entities as safe and build a positive reputation for them. Users interacting with these entities during the seeding phase do not encounter any security warnings.
  2. Gradual Introduction of Malicious Content:
    • Method: Over time, attackers start to introduce malicious content slowly. This might involve adding malware to software updates, injecting harmful code into websites, or sending phishing emails from trusted accounts.
    • Bypass Mechanism: Because the entities have already established a positive reputation, initial malicious activities may not be immediately flagged by SmartScreen or SAC, allowing the attackers to reach their targets.
  3. Leveraging Established Trust:
    • Method: Once a strong reputation is established, attackers conduct large-scale malicious campaigns. They leverage the trust built over time to bypass security checks and deceive users.
    • Bypass Mechanism: The established positive reputation causes security systems to consider these entities as low-risk, allowing malware or phishing attempts to bypass filters and reach users without triggering alarms.

Typical Timeframes for Reputation Seeding

  1. Websites:
    • Short-Term (Weeks): Initial establishment of a website with benign content and basic user interactions.
    • Medium-Term (Months): Gaining backlinks, increasing traffic, and more extensive content creation.
    • Long-Term (6+ Months): Strong reputation with significant traffic, positive user interactions, and established trust.
  2. Software:
    • Short-Term (Weeks): Initial distribution and passing basic security checks.
    • Medium-Term (Months): Accumulating downloads, positive user reviews, and routine updates.
    • Long-Term (6+ Months): Strong reputation with widespread usage and consistently positive feedback.
  3. Email Accounts:
    • Short-Term (Weeks): Initial legitimate emails and normal interactions.
    • Medium-Term (1-2 Months): Building trust through regular, benign communication.
    • Long-Term (3+ Months): Established trust with consistent, non-malicious activity.

4. How Reputation Tampering Bypasses Microsoft SmartScreen and SAC

Reputation tampering, particularly in the context of Smart App Control (SAC), can exploit the way SAC assesses and maintains the reputation of files. Given that SAC might use fuzzy hashing, feature-based similarity comparisons, and machine learning models to evaluate file reputation, attackers can manipulate certain segments of a file without changing its perceived reputation. Here’s a deeper dive into how this works and the potential implications:

How Reputation Tampering Works in SAC

  1. Fuzzy Hashing:
    • Method: Unlike traditional cryptographic hashing, which changes completely with any alteration to the file, fuzzy hashing allows for minor changes without drastically altering the hash value. This means that files with small modifications can still be considered similar to the original.
    • Attack: Attackers modify segments of the file that do not significantly affect the fuzzy hash value, allowing the file to retain its reputation.
  2. Feature-Based Similarity Comparisons:
    • Method: SAC may use feature-based similarity comparisons to evaluate files. These features could include metadata, structural attributes, or specific code patterns that are consistent with known good files.
    • Attack: By understanding which features are used and ensuring that these remain unchanged while modifying other parts of the file, attackers can maintain the file’s good reputation.
  3. Machine Learning Models:
    • Method: Machine learning models in the cloud may analyze files based on patterns learned from a large dataset of known good and bad files. These models might use a variety of indicators beyond simple hashes.
    • Attack: Through trial and error, attackers identify which code sections can be altered without changing the overall pattern recognized by the ML model as benign. They can then inject malicious code into these sections.

5. How LNK stomping Bypasses Microsoft SmartScreen and SAC

LNK stomping is a technique where attackers modify LNK (shortcut) files to execute malicious code while appearing legitimate to users and security systems. By leveraging the flexibility and capabilities of LNK files, attackers can disguise their malicious intentions and bypass security features such as Microsoft SmartScreen and Smart App Control (SAC). Here’s how LNK stomping works and how it can bypass these security features:

How LNK Stomping Works

  1. Creating a Malicious LNK File:
    • Method: Attackers create an LNK file that points to a legitimate executable or document but includes additional commands or scripts that execute malicious code.
    • Example: An LNK file might appear to open a PDF document, but in reality, it executes a PowerShell script that downloads and runs malware.
  2. Modifying Existing LNK Files:
    • Method: Attackers modify existing LNK files on a target system to include malicious commands while retaining their original appearance and functionality.
    • Example: An LNK file for a commonly used application (e.g., a web browser) is modified to first execute a malicious script before launching the application.
  3. Embedding Malicious Code:
    • Method: Attackers embed malicious code directly within the LNK file, taking advantage of the file’s structure and features.
    • Example: An LNK file might contain embedded shell commands that execute when the shortcut is opened.

Understanding the MotW Bypass via LNK File Manipulation

The Mark of the Web (MotW) is a critical security feature used to flag files downloaded from the internet, making them subject to additional scrutiny by antivirus (AV) and endpoint detection and response (EDR) systems, including Microsoft SmartScreen and Smart App Control (SAC). However, certain techniques can bypass this feature, allowing potentially malicious files to evade detection. Here, we’ll explore how manipulating LNK (shortcut) files can bypass MotW checks.

Manually Creating an LNK File with a Non-Standard Target Path

  1. Locate the PowerShell Script:
    • Ensure you have the path to the PowerShell script, for example, C:\Scripts\MyScript.ps1.
  2. Create the Shortcut:
    • Right-click on the desktop or in the folder where you want to create the shortcut.
    • Select New > Shortcut.
  3. Enter the Target Path:
    • In the “Type the location of the item” field, enter the following command with a non-standard path:
    • powershell.exe -File "C:\Scripts\MyScript.ps1."
    • Notice the extra dot at the end of the script path.
  4. Name the Shortcut:
    • Enter a name for your shortcut (e.g., Run MyScript Non-Standard).
    • Click Finish.
  5. Verify the Target Path:
    • Right-click the newly created shortcut and select Properties.
    • In the Target field, you should see:
    • powershell.exe -File "C:\Scripts\MyScript.ps1."
    • Click OK to save the changes.

By following these steps, you can create an LNK file that points to a PowerShell script with a non-standard target path. This can be used for testing how such files interact with security features like SmartScreen and Smart App Control.

Manually Creating an LNK File with a Relative Path

  1. Locate the PowerShell Script:
    • Ensure you have the relative path to the PowerShell script within its directory structure, for example, .\Scripts\MyScript.ps1.
  2. Create the Shortcut:
    • Right-click on the desktop or in the folder where you want to create the shortcut.
    • Select New > Shortcut.
  3. Enter the Target Path:
    • In the “Type the location of the item” field, enter the following command with a relative path:
    • powershell.exe -File ".\Scripts\MyScript.ps1"
    • Click Next.
  4. Name the Shortcut:
    • Enter a name for your shortcut (e.g., Run MyScript Relative).
    • Click Finish.
  5. Verify the Target Path:
    • Right-click the newly created shortcut and select Properties.
    • In the Target field, you should see:
    • powershell.exe -File ".\Scripts\MyScript.ps1"
    • Click OK to save the changes.

Manually Creating an LNK File with a multi-level path

To create an LNK file with a multi-level path in the target path array, we need to manipulate the internal structure of the LNK file to contain a non-standard target path. This involves using a utility or script that can handle the creation and modification of LNK files with detailed control over their internal structure.

Here’s a step-by-step guide to creating such an LNK file using PowerShell and a specialized library for handling LNK files, pylnk3, which is a Python-based library. For this example, you will need to have Python installed along with the pylnk3 library.

Step-by-Step Guide

Prerequisites

  1. Install Python:
    • If you don’t have Python installed, download and install it from the official website: Python.org.
  2. Install pylnk3 Library:
    • Open a command prompt or terminal and run the following command to install pylnk3: pip install pylnk3

Creating a Multi-Level Path LNK File

Create a Python Script to Generate the LNK File:

  • Create a Python script (e.g., create_lnk.py) with the following content:
import lnk

# Define the path for the new shortcut
shortcut_path = "C:\\Users\\Public\\Desktop\\MyScriptShortcutMultiLevel.lnk"

# Create a new LNK file
lnk_file = lnk.lnk_file()

# Set the target path with multi-level path entries
lnk_file.add_target_path_entry("..\\..\\Scripts\\MyScript.ps1")

# Set the arguments for the target executable
lnk_file.command_line_arguments = "-File .\\Scripts\\MyScript.ps1"

# Save the LNK file
with open(shortcut_path, "wb") as f:
    lnk_file.write(f)

print(f"Shortcut created at: {shortcut_path}")

Run the Python Script:

  • Open a command prompt or terminal and navigate to the directory where your Python script is located.
  • Run the script using the following command: python create_lnk.py

Explanation

  • lnk.lnk_file(): Creates a new LNK file object.
  • add_target_path_entry: Adds entries to the target path array. Here, we use a relative path (..\\..\\Scripts\\MyScript.ps1) to simulate a multi-level path.
  • command_line_arguments: Sets the arguments passed to the target executable. In this case, we pass -File .\Scripts\MyScript.ps1.
  • write: Saves the LNK file to the specified path.

Additional Notes

  • Relative Paths: The use of relative paths (..\\..\\) in the target path entries allows us to create a multi-level path structure within the LNK file.
  • Non-Standard Structures: By manipulating the internal structure of the LNK file, we can craft paths that might bypass certain security checks.

Running the LNK File

After creating the LNK file, you can test its behavior by double-clicking it. The crafted LNK file should follow the relative path and execute the target PowerShell script, demonstrating how non-standard paths can be used within an LNK file.

The article “Dismantling Smart App Control” by Elastic Security Labs explores the vulnerabilities and bypass techniques of Windows Smart App Control (SAC) and SmartScreen. For more details, you can read the full article here.


Tags: Bypassing Microsoft SmartScreen and Smart App Control (SAC)


Jul 01 2024

New Hacker Group Attacking Systems With 10 Malware At Same Time

Category: Malware | disc7 @ 8:03 am

A malware campaign of huge magnitude, and perhaps run by just one group, is using artificially nested files for distribution named ‘WEXTRACT.EXE            .MUI’.

More than 50,000 files worldwide featuring this method are delivered by different stealers and loaders such as Redline, RisePro, and Amadey.

Several samples are associated with an Eastern European cybercriminal-linked Autonomous System.

Cybersecurity researchers at OutPost24 recently detected that a new hacker group has been attacking systems with 10 malware at the same time.

10 Malware At Same Time

The “WEXTRACT.EXE            .MUI” malware distribution system is one that makes use of nested cabinet files to distribute a number of malware samples such as stealers and loaders.

This method’s complex execution sequence drops and runs malware in reverse order, which may result in bypassing security measures.

The technique could cause multiple infections as the loaders may download more malware.

From February 2023 through the start of 2024, a massive malware distribution campaign nested multiple malware families, such as Redline, Mystic Stealer, RisePro, Amadey, and SmokeLoader.

The campaign developed over time, incorporating obfuscation tools and different distribution methods.

An examination of over two thousand one hundred examples showed some malware combinations in which victims might be infected by several stealers and loaders simultaneously.

This suggests that there was a single actor behind the infrastructure and tactics for this campaign.

Distribution steps of one sample of WEXTRACT (Source – OutPost24)

It is likely that the campaign to distribute malware called “Unfurling Hemlock” buys distribution services from other actors.

Its earliest phases were in email attachments and downloads from hacked or hoax websites.

The infrastructure, mostly based on AS 203727, uses both exclusive and shared IPs for distributing WEXTRACT and other malware.

This indicates one actor or entity that is responsible for the campaign but delegates some of its distribution aspects to others.

The malware campaign uses different C2 URLs and IP addresses, some of which are specific to the WEXTRACT-related malware and others that are common to other campaigns.

The diversity in infrastructure supports the insight that this actor could be supplying samples from other campaigns, possibly encouraged by financial interest.

While the upload locations may not indicate the actual infection sites, the infection sources cut across several countries.

The countries the samples originate from are shown in the figure below:

Origin of the samples (Source – OutPost24)

Unlike the usual trend, this huge malware attack mainly targets Western institutions, including Russia.

This operation launched different types of malware simultaneously to increase the possibilities of infection and diversify potential paybacks.

Though not highly developed, this “cluster bomb” method may be adopted by threat actors in the future.

Researchers recommended using the latest anti-malware tools, performing analysis of packed files, and user alertness to be cautious about suspicious downloads and emails.


Tags: Cluster bomb


Jun 30 2024

Fake IT support sites push malicious PowerShell scripts as Windows fixes

Category: Malware, PowerShell Security | disc7 @ 9:51 am

Fake IT support sites promote malicious PowerShell “fixes” for common Windows errors, like the 0x80070643 error, to infect devices with information-stealing malware.

First discovered by eSentire’s Threat Response Unit (TRU), the fake support sites are promoted through YouTube channels that have been compromised and hijacked to add legitimacy to the content creator.

In particular, the threat actors are creating fake videos promoting a fix for the 0x80070643 error that millions of Windows users have been dealing with since January.

“There were some problems installing updates, but we’ll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x80070643),” reads the Windows Update error.

0x80070643 in Windows Update
Source: BleepingComputer

It turns out that Windows Update is displaying an incorrect error message, as it was supposed to display a CBS_E_INSUFFICIENT_DISK_SPACE error on systems with a Windows Recovery Environment (WinRE) partition that’s too small for the update to install.

Microsoft explained that the new security update requires that the WinRE partition have 250 megabytes of free space, and if it doesn’t, you must manually expand the partition yourself.

However, expanding the WinRE partition is complicated, if not impossible, for those whose WinRE is not the last partition on the drive.

Due to this, many are unable to install the security update and are left with the 0x80070643 error message every time they use Windows Update.

These errors have caused many frustrated Windows users to seek a solution online, allowing threat actors to capitalize on their search for a fix.

Fake IT sites promote PowerShell fixes

According to eSentire, threat actors are creating numerous fake IT support sites that are specifically designed to help users with common Windows errors, heavily focusing on the 0x80070643 error.

“In June 2024, eSentire’s Threat Response Unit (TRU) observed an intriguing case involving a Vidar Stealer infection initiated through a fake IT support website (Figure 1),” explains the eSentire report.

“The infection began when the victim performed a web search for solutions to a Windows Update Error code.”

The researchers found two fake IT support sites promoted on YouTube named pchelprwizzards[.]com and pchelprwizardsguide[.]com. While writing this article, BleepingComputer found additional sites at pchelprwizardpro[.]com, pchelperwizard[.]com, and fixedguides[.]com.

Like the other videos eSentire found for the PCHelperWizard typo sites, BleepingComputer also found YouTube videos for the FixedGuides site, also promoting fixes for the 0x80070643 errors.

These sites all offer fixes that either require you to copy and run a PowerShell script or import the contents of a Windows Registry file.

Regardless of which “solution” is used, a PowerShell script will be executed that downloads malware on the device.

eSentire’s report outlines how the PCHelperWizard sites (not to be confused with the legitimate course site) will walk users through copying a PowerShell script into the Windows Clipboard and executing it in a PowerShell prompt.

Malicious PowerShell script disguised as a Windows error fix
Source: BleepingComputer

This PowerShell script contains a Base64 encoded script that will connect to a remote server to download another PowerShell script, which installs the Vidar information-stealing malware on the device.

When the script is finished, it will display a message that the fix was successful and to restart the computer, which will also launch the malware.

The FixedGuides site does it a bit differently, using an obfuscated Windows Registry file to hide autostarts that launch a malicious PowerShell script.

However, when I extracted the strings from the above file, you can see that it contains a valid Registry file that adds a Windows autostart (RunOnce) entry that runs a PowerShell script. This script ultimately downloads and installs information-stealing malware on the computer.
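Both fake fixes end in the same place: an autostart entry (the article names RunOnce) that launches PowerShell, usually with a Base64-encoded command. As an added defensive example, which is not code from the BleepingComputer article or from eSentire, the PowerShell script below audits the Run and RunOnce keys for entries that launch a script host with encoded or download-style arguments and decodes the Base64 payload so an analyst can read it without executing it. The key list and the indicator pattern are my assumptions about what such an entry looks like; no value is taken from the fake fixes themselves.

```powershell
# Added example, not from the article: audit autostart keys for PowerShell launchers.
function Get-EncodedPowerShellPayload {
    param([string]$CommandLine)
    # -EncodedCommand (-enc / -e / -ec) carries Base64 of UTF-16LE text.
    $m = [regex]::Match($CommandLine, '(?i)-e(nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})')
    if (-not $m.Success) { return $null }
    try {
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[2].Value))
    } catch {
        return '<base64 decode failed>'
    }
}

function Find-SuspiciousAutostart {
    # Autostart locations a "fix" script or .reg file would typically write to (assumed list).
    $autostartKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Assumed indicators of a script launcher rather than a normal application entry.
    $suspiciousPattern = '(?i)powershell|pwsh|-enc\b|-encodedcommand|\biex\b|invoke-expression|downloadstring|frombase64string|windowstyle\s+hidden|-nop\b|bypass'

    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Get-ItemProperty adds provider metadata properties; skip them.
            if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            $cmd = [string]$prop.Value
            if ($cmd -match $suspiciousPattern) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $prop.Name
                    Command = $cmd
                    Decoded = Get-EncodedPowerShellPayload -CommandLine $cmd
                }
            }
        }
    }
}

# Usage: print every flagged entry together with its decoded payload for review.
Find-SuspiciousAutostart | Format-List
```

The decoded text is only displayed, never passed to Invoke-Expression; if the decoded script itself fetches a second stage over HTTP, as the article describes, the URL will be visible in the output and can be blocked or submitted for analysis. Run the script from an elevated prompt to see the HKLM entries.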

Using either fake fix will result in the information-stealing malware launching after Windows is restarted. Once started, the malware will extract saved credentials, credit cards, cookies, and browsing history from your browser.

Vidar can also steal cryptocurrency wallets, text files, and Authy 2FA authenticator databases, as well as take screenshots of your desktop.

This data is compiled into an archive called a “log,” which is then uploaded to the attacker’s servers. The stolen data is then used to fuel other attacks, such as ransomware attacks, or sold to other threat actors on dark web marketplaces.

However, the infected user is now left with a nightmare, having all their accounts compromised and potentially suffering financial fraud.

While Windows errors can be annoying, it is crucial to download software and fixes only from trusted websites, not from random videos and websites with little or no reputation.

Your credentials have become a valuable commodity and threat actors are coming up with sneaky and creative methods to steal them, so unfortunately, everyone needs to stay vigilant against unusual attack methods.

As for the 0x80070643 errors, if you are unable to resize the WinRE partition, your best bet is to use Microsoft’s Show or Hide Tool to hide the KB5034441 update so that Windows Update no longer offers it on your system and not search on the Internet for a magic fix.

https://www.bleepingcomputer.com/news/security/fake-it-support-sites-push-malicious-powershell-scripts-as-windows-fixes/

CrowdStrike Falcon Go | Premier Antivirus Protection for Small Businesses

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Fake IT support sites


May 31 2024

Hackers Weaponizing MS Office-Cracked Versions to Deliver Malware

Category: Cyberweapon, Malware | disc7 @ 9:36 am

Attackers in South Korea are distributing malware disguised as cracked software, including RATs and crypto miners, and registering it with the Task Scheduler to ensure persistence.

Even after the initial malware is removed, the scheduled task triggers PowerShell commands that download and install new variants; because those commands keep changing, the infection persists, leaving unpatched systems exposed to information theft, proxy abuse, and cryptocurrency mining.

Attack flow

Malicious actors are leveraging file-sharing platforms to distribute malware disguised as cracked MS Office, which retrieves the download URL and target platform during infection, potentially enabling them to tailor attacks and evade detection.

Cybercriminals are distributing malware disguised as cracked software. The malware, developed in .NET, uses obfuscation to hide its malicious code, and initially it accessed Telegram to retrieve a download URL.

Newer versions contain two Telegram URLs and a Mastodon URL, each with a string linked to a Google Drive or GitHub URL.

The threat actor hides malicious PowerShell commands within these cloud storage locations, using Base64 encoding for further obfuscation, and once executed, these commands install additional malware strains. 

Commands encrypted in Base64

The updater malware, “software_reporter_tool.exe,” leverages a PowerShell script to download payloads and maintain persistence. The script creates a malicious executable at “C:\ProgramData\KB5026372.exe” and uses a compromised 7zip installation (“C:\ProgramData\Google\7z.exe”) to decompress a password-protected archive from GitHub or Google Drive (password: “x”), mirroring tactics from a previous campaign.

Malware installation using 7z and PowerShell

Additionally, the updater registers itself with the Task Scheduler to ensure continuous operation after a reboot, and the scheduled task triggers the PowerShell script for further updates and potential malware installation. 

The attackers deployed Orcus RAT and XMRig on the compromised system.

Orcus RAT can steal information through keylogging, webcam, and screenshot capture, while XMRig mines cryptocurrency. 

3Proxy’s configuration file

XMRig is configured to stop mining when resource-intensive programs are running and to terminate processes competing for resources, such as security software installers, while 3Proxy is used to turn the infected machine into a proxy server by adding a firewall rule and injecting itself into a legitimate process. 

A Korean security program unable to operate properly due to the AntiAV malware

According to ASEC, PureCrypter downloads and executes further payloads, and AntiAV malware disrupts security products by modifying their configuration files.  

Attackers are distributing malware disguised as popular Korean software (Windows, MS Office, Hangul) through file-sharing sites, and the malware bypasses file detection with frequent updates and utilizes the Task Scheduler for persistence, leading to repeated infections upon removal.
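The persistence mechanism described above (a scheduled task whose action runs a PowerShell download-and-install command) is something a defender can enumerate directly. The script below is an added example, not code from the ASEC write-up: it lists every scheduled task whose Exec action invokes a script host with download-style arguments, and separately checks for the two artifact paths the write-up names. The indicator pattern is an assumption about what such a task looks like.

```powershell
# Added example, not from the write-up: hunt for scheduled tasks that re-download malware.
function Find-SuspiciousScheduledTask {
    # Assumed indicators: script host plus download / decode / execute arguments or a URL.
    $pattern = '(?i)powershell|pwsh|downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|frombase64string|-enc\b|-encodedcommand|https?://'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions carry Execute/Arguments; COM handler actions are skipped.
            if (-not $action.Execute) { continue }
            $cmdLine = "$($action.Execute) $($action.Arguments)"
            if ($cmdLine -match $pattern) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Author    = $task.Author
                    RunAs     = $task.Principal.UserId
                    Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ', '
                    Command   = $cmdLine
                }
            }
        }
    }
}

function Test-WriteupArtifactPath {
    # File paths named in the write-up for the dropped executable and the 7z copy.
    $iocPaths = @('C:\ProgramData\KB5026372.exe', 'C:\ProgramData\Google\7z.exe')
    foreach ($p in $iocPaths) {
        [pscustomobject]@{ Path = $p; Present = (Test-Path -LiteralPath $p) }
    }
}

# Usage: review flagged tasks, then check for the dropped files.
Find-SuspiciousScheduledTask | Format-List
Test-WriteupArtifactPath | Format-Table -AutoSize
```

Because the campaign re-installs itself from the task after the executable is deleted, the task must be unregistered (Unregister-ScheduledTask) before removing the files, and the Triggers column shows whether it fires at boot or logon. Run from an elevated prompt so that tasks registered under SYSTEM are included.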

Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware


Tags: Weaponizing MS Office


Apr 24 2024

HACKERS HIJACKED THE ESCAN ANTIVIRUS UPDATE MECHANISM IN MALWARE CAMPAIGN

Category: Antivirus, Hacking, Malware | disc7 @ 9:04 am

A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute backdoors and cryptocurrency miners.

Avast researchers discovered and analyzed a malware campaign that exploited the update mechanism of the eScan antivirus to distribute backdoors and crypto miners.

Threat actors employed two different types of backdoors and targeted large corporate networks

The researchers believe the campaign could be attributed to the North Korea-linked APT Kimsuky. The final payload distributed by GuptiMiner was also XMRig.

“GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker’s DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others,” reads the analysis published by Avast. “The main objective of GuptiMiner is to distribute backdoors within big corporate networks.”

The threat actors behind this campaign exploited a vulnerability in the update mechanism of the Indian antivirus provider eScan that allowed them to carry out a man-in-the-middle attack to distribute the malware. Avast already reported the issue to eScan and the India CERT. eScan acknowledged the flaw and addressed it on July 31, 2023. The issue in the update mechanism was present for at least five years.

The infection process begins when eScan requests an update from the update server. However, the attackers carry out a MitM attack and replace the legitimate update package with a malicious one. Subsequently, eScan unpacks and installs the package, which results in the sideloading of a DLL by eScan’s clean binaries. This DLL facilitates the continuation of the process, leading to the execution of multiple shellcodes and intermediary PE loaders.

eScan antivirus

The researchers noticed that the downloaded package file is replaced with a malware-laced one on the wire because the process doesn’t use an HTTPS connection.

Below is the infection chain described by Avast:

  1. The eScan updater triggers the update
  2. The downloaded package file is replaced with a malicious one on the wire because of a missing HTTPS encryption (MitM is performed)
  3. A malicious package updll62.dlz is downloaded and unpacked by eScan updater
  4. The contents of the package contain a malicious DLL (usually called version.dll) that is sideloaded by eScan. Because of the sideloading, the DLL runs with the same privileges as the source process – eScan – and it is loaded next time eScan runs, usually after a system restart
  5. If a mutex is not present in the system (depends on the version, e.g. Mutex_ONLY_ME_V1), the malware searches for services.exe process and injects its next stage into the first one it can find
  6. Cleanup is performed, removing the update package
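Step 4 is the part a defender can hunt for on the endpoint: the legitimate version.dll lives in the Windows system directories, so a copy of that name sitting next to an application's binaries is a sideloading candidate. The script below is an added example, not code from Avast's analysis: it searches the application directories for files named version.dll and reports their Authenticode status, signer and SHA-256 for triage. The search roots are assumptions, and a "Valid" status alone is not a clean bill of health, since the report notes the payloads were signed with a custom trusted root CA, so the Signer subject must be checked too.

```powershell
# Added example, not from Avast's analysis: find sideloading candidates named version.dll.
function Find-SideloadedVersionDll {
    param(
        # Assumed search roots: where applications and their updaters typically live.
        [string[]]$SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData"),
        [string]$DllName = 'version.dll'
    )
    foreach ($root in $SearchRoots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root -Filter $DllName -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    SizeBytes = $_.Length
                    LastWrite = $_.LastWriteTime
                    Signature = $sig.Status
                    # Subject of the signing certificate; a non-Microsoft signer on a
                    # file named like a system DLL deserves a closer look.
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Usage: unsigned or oddly signed copies sort to the top for review.
Find-SideloadedVersionDll | Sort-Object Signature, LastWrite -Descending | Format-Table -AutoSize
```

The SHA256 column lets the result be compared against the hashes in the vendor's report, and the LastWrite time can be correlated with the update timestamps in the product's own logs to see whether a copy appeared during an update run.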

GuptiMiner operates its own DNS servers to provide legitimate destination domain addresses of C2 servers through DNS TXT responses.

GuptiMiner connects directly to malicious DNS servers, bypassing the DNS network entirely. This use of the DNS protocol resembles telnet and is not considered DNS spoofing, which typically occurs within the DNS network. Although the servers requested by GuptiMiner exist, it’s likely an evasion tactic.

In the second stage, the shellcode from the PNG file extracts and executes the Gzip loader. This loader is a simple PE that decompresses another shellcode using Gzip and executes it in a separate thread, which loads the Stage 3 malware, Puppeteer.

Puppeteer orchestrates the core functionality of the malware, including the cryptocurrency mining as well as the backdoor deployment.

Surprisingly, the ultimate payload disseminated by GuptiMiner can be also XMRig, which was somewhat unexpected given the level of sophistication of this campaign.

The researchers speculate that using the miner could be a diversionary tactic.

“During our research, we’ve also found an information stealer which holds a rather similar PDB path as was used across the whole GuptiMiner campaign,” concludes the report. “What is truly interesting, however, is that this information stealer might come from Kimsuky operations.”


Tags: ESCAN ANTIVIRUS


Apr 05 2024

Hackers Hijack Facebook Pages To Mimic AI Brands & Inject Malware

Category: AI, Hacking, Malware | disc7 @ 8:08 am

Hackers have been found hijacking Facebook pages to impersonate popular AI brands, thereby injecting malware into the devices of unsuspecting users.

This revelation comes from a detailed investigation by Bitdefender Labs, which has been closely monitoring these malicious campaigns since June 2023.

Recent analyses of malvertising campaigns have revealed a disturbing trend.

Ads are distributing an assortment of malicious software, which poses severe risks to consumers’ devices, data, and identity.

Unwitting interactions with these malware-serving ads could lead to downloading and deploying harmful files, including Rilide Stealer, Vidar Stealer, IceRAT, and Nova Stealer, onto users’ devices.

Rilide Stealer V4: A Closer Look

Bitdefender Labs has spotlighted an updated version of the Rilide Stealer (V4) lurking within sponsored ad campaigns that impersonate popular AI-based software and photo editors such as Sora, CapCut, Gemini AI, Photo Effects Pro, and CapCut Pro.

This malicious extension, targeting Chromium-based browsers, is designed to monitor browsing history, capture login credentials, and even facilitate the withdrawal of crypto funds by bypassing two-factor authentication through script injections.

Sora Ad campaign
Gemini Ad Campaign

Key Updates in Rilide V4:

  • Targeting of Facebook cookies
  • Masquerading as a Google Translate Extension
  • Enhanced obfuscation techniques to conceal the software’s true intent

Indicators Of Compromise

Malicious hashes

  • 2d6829e8a2f48fff5348244ce0eaa35bcd4b26eac0f36063b9ff888e664310db – OpenAI Sora official version setup.msi – Sora
  • a7c07d2c8893c30d766f383be0dd78bc6a5fd578efaea4afc3229cd0610ab0cf – OpenAI Sora Setup.zip – Sora
  • e394f4192c2a3e01e6c1165ed1a483603b411fd12d417bfb0dc72bd6e18e9e9d – Setup.msi – Sora
  • 021657f82c94511e97771739e550d63600c4d76cef79a686aa44cdca668814e0 – Setup.msi – Sora
  • 92751fd15f4d0b495e2b83d14461d22d6b74beaf51d73d9ae2b86e2232894d7b – Setup.msi – Sora
  • 32a097b510ae830626209206c815bbbed1c36c0d2df7a9d8252909c604a9c1f1 – Setup.msi – Sora
  • c665ff2206c9d4e50861f493f8e7beca8353b37671d633fe4b6e084c62e58ed9 – Setup.msi – Sora
  • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – Capcut Pro For PC.setup.msi – Capcut
  • 757855fcd47f843739b9a330f1ecb28d339be41eed4ae25220dc888e57f2ec51 – OpenAI ChatGPT-4.5 Version Free.msi – ChatGPT
  • 3686204361bf6bf8db68fd81e08c91abcbf215844f0119a458c319e92a396ecf – Google Gemini AI Ultra Version Updata.msi – Gemini AI
  • d60ea266c4e0f0e8d56d98472a91dd5c37e8eeeca13bf53e0381f0affc68e78a – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
  • bb7c3b78f2784a7ac3c090331326279476c748087188aeb69f431bbd70ac6407 – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
  • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – AISora.setup.msi – Sora

Vidar Stealer: Evolving Threats

Vidar Stealer, another prolific info stealer, is marketed through the same MaaS model via dark web ads, forums, and Telegram groups.

Capable of exfiltrating personal information and crypto from compromised devices, Vidar’s distribution has evolved from spam campaigns and cracked software to malicious Google Search ads and social media platforms, mainly through sponsored ads on Meta’s platform.

Indicators Of Compromise

Malicious hashes

  • 6396ac7b1524bb9759f434fe956a15f5364284a04acd5fc0ef4b625de35d766b – g2m.dll – MidJourney
  • 76ed62a335ac225a2b7e6dade4235a83668630a9c1e727cf4ddb0167ab2202f6 – Midjourney.7z – MidJourney

IceRAT: More Than Just A Trojan

Despite its name, IceRAT functions more as a backdoor on compromised devices. It acts as a gateway for secondary infections, such as crypto miners and information stealers that target login credentials and other sensitive data.

Indicators Of Compromise

Malicious hashes

  • aab585b75e868fb542e6dfcd643f97d1c5ee410ca5c4c5ffe1112b49c4851f47 – Midjourneyv6.exe – MidJourney
  • b5f740c0c1ac60fa008a1a7bd6ea77e0fc1d5aa55e6856d8edcb71487368c37c – Midjourneyv6ai.exe – MidJourney
  • cc15e96ec1e27c01bd81d2347f4ded173dfc93df673c4300faac5a932180caeb – Mid_Setup.exe – MidJourney
  • d2f12dec801000fbd5ccc8c0e8ed4cf8cc27a37e1dca9e25afc0bcb2287fbb9a – Midjourney_v6.exe – MidJourney
  • f2fc27b96a4a487f39afad47c17d948282145894652485f9b6483bec64932614 – Midjourneyv6.1_ins.exe – MidJourney
  • f99aa62ee34877b1cd02cfd7e8406b664ae30c5843f49c7e89d2a4db56262c2e – Midjourneys_Setup.exe – MidJourney
  • 54a992a4c1c25a923463865c43ecafe0466da5c1735096ba0c3c3996da25ffb7 – Mid_Setup.exe – MidJourney
  • 4a71a8c0488687e0bb60a2d0199b34362021adc300541dd106486e326d1ea09b – Mid_Setup.exe – MidJourney

Nova Stealer: The New Kid On The Block

Nova Stealer emerges as a highly proficient info stealer with capabilities including password exfiltration, screen recordings, Discord injections, and crypto wallet hijacking.

Nova Stealer, offered as MaaS by the threat actor known as Sordeal, represents a significant threat to digital security.

Indicators Of Compromise

Malicious hashes

  • fb3fbee5372e5050c17f72dbe0eb7b3afd3a57bd034b6c2ac931ad93b695d2d9 – Instructions_for_using_today_s_AI.pdf.rar – AI and Life
  • 6a36f1f1821de7f80cc9f8da66e6ce5916ac1c2607df3402b8dd56da8ebcc5e2 – Instructions_for_using_today_s_AI.xlsx_rar.rar – AI and Life
  • fe7e6b41766d91fbc23d31573c75989a2b0f0111c351bed9e2096cc6d747794b – Instructions for using today’s AI.pdf.exe – AI and Life
  • ce0e41e907cab657cc7ad460a5f459c27973e9346b5adc8e64272f47026d333d – Instructions for using today’s AI.xlsx.exe – AI and Life
  • a214bc2025584af8c38df36b08eb964e561a016722cd383f8877b684bff9e83d – 20 digital marketing tips for 2024.xlsx.exe – Google Digital Marketing
  • 53714612af006b06ca51cc47abf0522f7762ecb1300e5538485662b1c64d6f55 – Premium advertising course registration form from Oxford.exe – Google Digital Marketing
  • 728953a3ebb0c25bcde85fd1a83903c7b4b814f91b39d181f0fc610b243c98d4 – New Microsoft Excel Worksheet.exe – Google Digital Marketing

The Midjourney Saga: AI’s Dark Side

The addition of AI tools on the internet, from free offerings and trials to subscription-based services, has not gone unnoticed by cybercriminals.

Midjourney, a leading generative AI tool with a user base exceeding 16 million as of November 2023, has become a favored tool among cyber gangs over the past year, highlighting the intersection of cutting-edge technology and cybercrime.

Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.

Indicators Of Compromise

  • 159.89.120.191
  • 159.89.98.241

As the digital landscape continues to evolve, so does the nature of the threats it harbors.

The rise of Malware-as-a-Service represents a significant shift in the cyber threat paradigm that requires vigilant and proactive measures to combat.


The Complete Guide to Software as a Service: Everything you need to know about SaaS


Tags: Hijack Facebook Pages


Mar 18 2024

Hackers Trick Users To Install Malware Via Weaponized PDF

Category: Malware | disc7 @ 7:19 am

In a sophisticated cyberattack campaign, malicious actors impersonating Colombian government agencies target individuals across Latin America.

The attackers are distributing emails containing PDF attachments, falsely accusing recipients of traffic violations or other legal infractions.

These deceptive communications are designed to coerce victims into downloading an archive that harbors a VBS script, initiating a multi-stage infection process.

Upon execution, the obfuscated VBS script triggers a PowerShell script, retrieving the final malware payload from legitimate online storage services through a two-step request process.

https://twitter.com/anyrun_app/status/1768229349151723874#

Infection Process

According to the ANY.RUN report, which was shared with GBHackers on Security, the script initially acquires the payload’s address from resources such as textbin.net. It then proceeds to download and execute the payload from the provided address, which could be hosted on various platforms including cdn.discordapp(.)com, pasteio(.)com, hidrive.ionos.com, and wtools.io.

The attackers’ execution chain follows a sequence from PDF to ZIP, then to VBS and PowerShell, and finally to the executable file (EXE).

The culminating payload is identified as one of several known remote access trojans (RATs), specifically AsyncRAT, njRAT, or Remcos.

These malicious programs are notorious for their ability to provide unauthorized remote access to the infected systems, posing significant risks to the victims’ privacy and data security.

Here are some notable samples of this campaign: 1, 2, 3, 4.

sample1

This campaign has been meticulously documented, with over 50 operation samples being analyzed.

Cybersecurity professionals and researchers are encouraged to consult the TI Lookup tool for detailed information on these samples, aiding in identifying and mitigating threats related to this campaign.

The Cyberspace Battlefield: A Contemporary Look at Weaponized Cyber Warfare

The technique demonstrated by the attackers in this campaign is not exclusive to Latin American targets and may be adapted for use against various targets in other regions.

The cybersecurity community is urged to remain vigilant and employ robust security measures to protect against such sophisticated threats.

Cybersecurity Threats, Malware Trends, and Strategies – Second Edition: Discover risk mitigation strategies for modern threats to your organization

Tags: Weaponized PDF


Mar 13 2024

Keyloggers, spyware, and stealers dominate SMB malware detections

Category: Cybercrime, Malware, Spyware | disc7 @ 10:56 am

In 2023, 50% of malware detections for SMBs were keyloggers, spyware and stealers, malware that attackers use to steal data and credentials, according to Sophos.

SMBs ransomware cyberthreat

Attackers subsequently use this stolen information to gain unauthorized remote access, extort victims, deploy ransomware, and more.

Ransomware remains primary cyberthreat for SMBs

The Sophos report also analyses initial access brokers (IABs), criminals who specialize in breaking into computer networks. As seen in the report, IABs are using the dark web to advertise their ability and services to break specifically into SMB networks or sell ready-to-go access to SMBs they’ve already cracked.

“The value of ‘data,’ as currency has increased exponentially among cybercriminals, and this is particularly true for SMBs, which tend to use one service or software application, per function, for their entire operation. For example, let’s say attackers deploy an infostealer on their target’s network to steal credentials and then get hold of the password for the company’s accounting software. Attackers could then gain access to the targeted company’s financials and have the ability to funnel funds into their own accounts,” said Christopher Budd, director of Sophos X-Ops research at Sophos.

“There’s a reason that more than 90% of all cyberattacks reported to Sophos in 2023 involved data or credential theft, whether through ransomware attacks, data extortion, unauthorized remote access, or simply data theft,” added Budd.

While the number of ransomware attacks against SMBs has stabilized, it continues to be the biggest cyberthreat to SMBs. Out of the SMB cases handled by Sophos Incident Response (IR), which helps organizations under active attack, LockBit was the top ransomware gang wreaking havoc. Akira and BlackCat were second and third, respectively. SMBs studied in the report also faced attacks by lingering older and lesser-known ransomware, such as BitLocker and Crytox.

BEC attacks grow in sophistication

Ransomware operators continue to change ransomware tactics, according to the report. This includes leveraging remote encryption and targeting managed service providers (MSPs). Between 2022 and 2023, the number of ransomware attacks that involved remote encryption (when attackers use an unmanaged device on organizations’ networks to encrypt files on other systems in the network) increased by 62%.

In addition, this past year, Sophos’s Managed Detection and Response (MDR) team responded to five cases involving small businesses that were attacked through an exploit in their MSPs’ remote monitoring and management (RMM) software.

Following ransomware, business email compromise (BEC) attacks were the second highest type of attacks that Sophos IR handled in 2023, according to the report.

These BEC attacks and other social engineering campaigns contain an increasing level of sophistication. Rather than simply sending an email with a malicious attachment, attackers are now more likely to engage with their targets by sending a series of conversational emails back and forth or even calling them.

In an attempt to evade detection by traditional spam prevention tools, attackers are now experimenting with new formats for their malicious content, embedding images that contain the malicious code or sending malicious attachments in OneNote or archive formats. In one case Sophos investigated, the attackers sent a PDF document with a blurry, unreadable thumbnail of an “invoice.” The download button contained a link to a malicious website.

Mastering Cyber Security Defense to Shield Against Identity Theft, Data breaches, Hackers, and more in the Modern Age


Tags: keylogger, Malware, SMB


Feb 09 2024

HijackLoader Expands Techniques to Improve Defense Evasion

Category: Malware | disc7 @ 10:39 am

https://www.crowdstrike.com/blog/hijackloader-expands-techniques/

  • HijackLoader continues to become increasingly popular among adversaries for deploying additional payloads and tooling
  • A recent HijackLoader variant employs sophisticated techniques to enhance its complexity and defense evasion
  • CrowdStrike detects this new HijackLoader variant using machine learning and behavior-based detection capabilities 

CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities. 

In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach has the potential to make defense evasion stealthier. 

The second technique variation involved an uncommon combination of process doppelgänging and process hollowing techniques. This variation increases the complexity of analysis and the defense evasion capabilities of HijackLoader. Researchers also observed additional unhooking techniques used to hide malicious activity.

This blog focuses on the various evasion techniques employed by HijackLoader at multiple stages of the malware.

HijackLoader Analysis

Tags: HijackLoader


Jan 18 2024

HOW TO EXPLOIT WINDOWS DEFENDER ANTIVIRUS TO INFECT A DEVICE WITH MALWARE

Category: Antivirus, Malware | disc7 @ 8:10 am

Trend Micro's recent threat hunting efforts have uncovered active exploitation of CVE-2023-36025, a vulnerability in Microsoft Windows Defender SmartScreen, by a new strain of malware known as Phemedrone Stealer. This malware targets web browsers, cryptocurrency wallets, and messaging apps like Telegram, Steam, and Discord, stealing data and sending it to attackers via Telegram or command-and-control servers. Phemedrone Stealer, an open-source stealer written in C#, is actively maintained on GitHub and Telegram.

CVE-2023-36025 arises from insufficient checks on Internet Shortcut (.url) files, allowing attackers to bypass Windows Defender SmartScreen warnings with crafted .url files that download and execute malicious scripts. Microsoft patched this vulnerability on November 14, 2023, but its exploitation in the wild led to its inclusion in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog. Various malware campaigns, including those distributing Phemedrone Stealer, have since incorporated this vulnerability.

INITIAL ACCESS VIA CLOUD-HOSTED MALICIOUS URLS

As per the report, initial access relies on malicious Internet Shortcut files hosted at cloud-hosted URLs. Attackers place the .url files on platforms like Discord or other cloud services, often disguising the links with URL shorteners. An unsuspecting user who opens one of these files triggers the exploitation of CVE-2023-36025.

DEFENSE EVASION TACTICS

The malicious .url file downloads and executes a control panel item (.cpl) file from an attacker-controlled server. This bypasses the usual security prompt from Windows Defender SmartScreen. The malware employs MITRE ATT&CK technique T1218.002, using the Windows Control Panel process binary to execute .cpl files, which are essentially DLL files.

  1. Initial Infection via Malicious .url File (CVE-2023-36025): The attack begins when a user opens a malicious Internet Shortcut (.url) file. SmartScreen would normally warn about a file from an untrusted source; the crafted shortcut avoids that prompt, which the report attributes to insufficient checks on Internet Shortcut files, making the file appear benign.
  2. Execution of a Control Panel Item (.cpl) File: Once executed, the .url file connects to an attacker-controlled server to download a .cpl file. In Windows, .cpl files are used to execute Control Panel items and are essentially Dynamic Link Libraries (DLLs). This step involves the MITRE ATT&CK technique T1218.002, which exploits the Windows Control Panel process binary (control.exe) to execute .cpl files.
  3. Use of rundll32.exe for DLL Execution: The .cpl file, when executed through control.exe, then calls rundll32.exe, a legitimate Windows utility used to run functions stored in DLL files. This step is critical as it uses a trusted Windows process to execute the malicious DLL, further evading detection.
  4. PowerShell Utilization for Payload Download and Execution: The malicious DLL acts as a loader to call Windows PowerShell, a task automation framework. PowerShell is then used to download and execute the next stage of the attack from GitHub.
  5. Execution of DATA3.txt PowerShell Loader: The file DATA3.txt, hosted on GitHub, is an obfuscated PowerShell script designed to be difficult to analyze statically (i.e., without executing it). It uses string and digit manipulation to mask its true intent.
  6. Deobfuscation and Execution of the GitHub-Hosted Loader: Through a combination of static and dynamic analysis, the obfuscated PowerShell commands within DATA3.txt can be deobfuscated. This script is responsible for downloading a ZIP file from the same GitHub repository.
  7. Contents of the Downloaded ZIP File:
    • WerFaultSecure.exe: A legitimate Windows Fault Reporting binary.
    • Wer.dll: A malicious binary that is sideloaded (executed in the context of a legitimate process) when WerFaultSecure.exe is run.
    • Secure.pdf: An RC4-encrypted second-stage loader, presumably containing further malicious code.

This attack is sophisticated, using multiple layers of evasion and leveraging legitimate Windows processes and binaries to conceal malicious activities. The use of GitHub as a hosting platform for malicious payloads is also noteworthy, as it can lend an appearance of legitimacy and may bypass some network-based security controls.
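The first link of that chain, the Internet Shortcut itself, is a plain INI-style text file and is cheap to triage before it ever reaches SmartScreen. The script below is an added example, not code from Trend Micro's report: it parses a .url body and rates its target, treating a remote http/https/ftp, WebDAV or UNC target that ends in an executable extension such as .cpl as the shape of the CVE-2023-36025 lure. The extension list, the severity labels and the remote-IconFile heuristic are assumptions, and the four sample shortcuts are constructed.

```python
"""Triage Internet Shortcut (.url) files for remote executable targets.

Added example; not code from Trend Micro's report.  Flags shortcuts whose
URL= line points at a remote .cpl/.exe/... (http, WebDAV or UNC), the shape
of the CVE-2023-36025 lure.  The sample shortcuts at the bottom are constructed.
"""
import configparser
import re
from urllib.parse import urlparse

# Extensions Windows runs rather than displays when a shortcut is launched (assumed list)
EXEC_EXTENSIONS = {".cpl", ".exe", ".dll", ".scr", ".msi", ".js", ".jse", ".vbs",
                   ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".lnk"}


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] keys of a .url body (the format is INI syntax)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                        # keep key case: URL, IconFile, ...
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return dict(cp[section])
    return {}


def split_target(target: str):
    """Return (is_remote, file_name) for a shortcut target string."""
    t = target.strip().replace("\\", "/")
    if t.startswith("//"):                      # UNC path: \\server\share\x.cpl
        return True, t.rsplit("/", 1)[-1]
    parsed = urlparse(t)
    scheme = parsed.scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return True, parsed.path.rsplit("/", 1)[-1]
    if scheme == "file":
        # file:///C:/x.exe is local; file://server@80/share/x.cpl is a WebDAV host
        rest = t[len("file:"):].lstrip("/")
        first = rest.split("/", 1)[0]
        is_local = re.fullmatch(r"[A-Za-z]:", first) is not None
        return (not is_local), rest.rsplit("/", 1)[-1]
    return False, t.rsplit("/", 1)[-1]


def triage_url_file(text: str) -> dict:
    """Rate one .url body: 'high' = remote executable target, 'low' = worth a look, 'clean' otherwise."""
    keys = parse_url_file(text)
    target = keys.get("URL", "")
    is_remote, name = split_target(target)
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    reasons = []
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"{'remote' if is_remote else 'local'} {ext} target")
    icon_remote, _ = split_target(keys.get("IconFile", ""))
    if icon_remote:
        reasons.append("IconFile fetched from a remote host")
    if ext in EXEC_EXTENSIONS and is_remote:
        severity = "high"
    elif reasons:
        severity = "low"
    else:
        severity = "clean"
    return {"target": target, "severity": severity, "reasons": reasons}


# Constructed samples (203.0.113.0/24 is a documentation range, not a real host)
SAMPLES = {
    "benign.url":      "[InternetShortcut]\nURL=https://example.com/docs/invoice.html\n",
    "lure_http.url":   "[InternetShortcut]\nURL=http://203.0.113.7/files/invoice.cpl\n",
    "lure_webdav.url": "[InternetShortcut]\nURL=file://203.0.113.7@80/share/invoice.cpl\n",
    "local_exe.url":   "[InternetShortcut]\nURL=file:///C:/Windows/System32/calc.exe\n",
}

if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        print(fname, triage_url_file(body))
```

Run it over quarantined mail attachments or the contents of an extracted archive. A remote IconFile is reported separately because rendering the shortcut in Explorer can make Windows fetch the icon over the network before the user ever clicks it.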

PERSISTENCE AND DLL SIDELOADING

The malware achieves persistence by creating scheduled tasks and uses DLL sideloading techniques. The malicious DLL, crucial for the loader's functionality, decrypts and runs the second stage loader. It uses dynamic API resolving and XOR-based algorithms for string decryption, complicating reverse engineering efforts.

  1. Malicious DLL (wer.dll) Functionality: It decrypts and runs a second-stage loader. To avoid detection and hinder reverse engineering, it employs API hashing, string encryption, and is protected by VMProtect.
  2. DLL Sideloading Technique: The malware places the malicious wer.dll in the same directory as WerFaultSecure.exe, so that the standard DLL search order, which checks the application directory before System32, loads the attacker's copy instead of the genuine one.
  3. Dynamic API Resolving: To avoid detection by static analysis tools, the malware uses CRC-32 hashing for storing API names, importing them dynamically during runtime.
  4. XOR-based String Decryption: An algorithm is used to decrypt strings, with each byteā€™s key generated based on its position. This method is designed to complicate automated decryption efforts.
  5. Persistence Mechanism: The malware creates a scheduled task to regularly execute WerFaultSecure.exe. This ensures that the malware remains active on the infected system.
  6. Second-Stage Loader (secure.pdf): It's decrypted using an undocumented function from advapi32.dll, with memory allocation and modification handled by functions from Activeds.dll and VirtualProtect.
  7. Execution Redirection through API Callbacks: The malware cleverly redirects execution flow to the second-stage payload using Windows API callback functions, particularly exploiting the CryptCATCDFOpen function.
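Two of the obfuscation layers in that list, CRC-32 API hashing and position-keyed XOR strings, are ones an analyst reverses with a short script rather than by hand. The block below is an added example, not Trend Micro's tooling or the malware's own code. It builds a CRC-32 lookup table from a list of export names (an analyst would dump the real list from kernel32, advapi32 and ntdll with a PE parser; the handful here is constructed), unpacks a hashed-import array as a loader would carry it and resolves it, and then decodes a string blob with a per-byte key derived from the byte's position. The report does not give the real key schedule, so the one used here, key = (seed + position) & 0xFF, and the seed value are assumptions for illustration.

```python
"""Resolve CRC-32 API hashes and decode position-keyed XOR strings.

Added example; not Trend Micro's tooling or the malware's code.
"""
import struct
import zlib

# Export names an analyst would dump from kernel32/advapi32/ntdll; constructed handful
KNOWN_EXPORTS = [
    "VirtualProtect", "VirtualAlloc", "CreateProcessW", "LoadLibraryA",
    "GetProcAddress", "CryptCATCDFOpen", "RtlCompressBuffer",
]


def api_hash(name: str) -> int:
    """Plain CRC-32 of the ASCII export name, the scheme the report describes."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def build_hash_table(exports) -> dict:
    """Map every known export's hash back to its name (the reverse of what the loader stores)."""
    return {api_hash(n): n for n in exports}


def unpack_hash_blob(blob: bytes) -> list:
    """The loader keeps its hashed imports as little-endian DWORDs; unpack that array."""
    count = len(blob) // 4
    return list(struct.unpack(f"<{count}I", blob[: count * 4]))


def resolve_imports(blob: bytes, table: dict) -> list:
    """Replace each hash with its export name, or a placeholder when the hash is not in our table."""
    return [table.get(h, f"UNRESOLVED_{h:08x}") for h in unpack_hash_blob(blob)]


def xor_decode(blob: bytes, seed: int) -> bytes:
    """XOR each byte with a key derived from its position (assumed schedule, not the malware's real one)."""
    return bytes(b ^ ((seed + i) & 0xFF) for i, b in enumerate(blob))


xor_encode = xor_decode  # XOR with the same key stream is its own inverse


# Constructed sample data: a hashed-import array and an encrypted string, built from names we know
SAMPLE_HASH_BLOB = b"".join(
    struct.pack("<I", api_hash(n)) for n in ("VirtualProtect", "CryptCATCDFOpen", "NotInOurTable")
)
SEED = 0x5A  # hypothetical seed
SAMPLE_ENCRYPTED = xor_encode(b"WerFaultSecure.exe", SEED)

if __name__ == "__main__":
    table = build_hash_table(KNOWN_EXPORTS)
    print(resolve_imports(SAMPLE_HASH_BLOB, table))   # third entry stays unresolved
    print(xor_decode(SAMPLE_ENCRYPTED, SEED))
```

Unresolved hashes are the useful output: they are either exports missing from your name list or a sign that the loader uses a tweaked CRC (different polynomial, lower-cased names, an added constant), which is the first thing to try when nothing resolves.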

Overall, this malware demonstrates a deep understanding of Windows internals, using them to its advantage to stay hidden and maintain persistence on the infected system. The combination of techniques used makes it a complex and dangerous threat.

SECOND-STAGE DEFENSE EVASION

The second-stage loader, known as Donut, is an open-source shellcode loader that executes various file types in memory. In this sample it encrypts payloads without compression and uses the Unmanaged CLR Hosting API to load the Common Language Runtime, creating a new Application Domain for running assemblies. Here's an overview of how Donut is used for defense evasion and payload execution:

  1. Donut Shellcode Loader:
    • Capabilities: Allows execution of VBScript, JScript, EXE files, DLL files, and .NET assemblies directly in memory.
    • Deployment Options: Can be embedded into the loader or staged from an HTTP or DNS server. In this case, it's embedded directly into the loader.
  2. Payload Compression and Encryption:
    • Compression Techniques: Supports aPLib, LZNT1, Xpress, and Xpress Huffman through RtlCompressBuffer.
    • Encryption: Uses the Chaskey block cipher for payload encryption. In this instance, only encryption is used, without compression.
  3. Execution Process via Unmanaged CLR Hosting API:
    • CLR Loading: Donut configures to use the Unmanaged CLR Hosting API to load the Common Language Runtime (CLR) into the host process.
    • Application Domain Creation: Creates a new Application Domain, allowing assemblies to run in disposable AppDomains.
    • Assembly Loading and Execution: Once the AppDomain is prepared, Donut loads the .NET assembly and invokes the payloadā€™s entry point.

The use of Donut in this attack is particularly notable for its ability to execute various types of code directly in memory. This method greatly reduces the attack's visibility to traditional security measures, as it leaves minimal traces on the filesystem. Additionally, the use of memory-only execution tactics, coupled with sophisticated encryption, makes the payload difficult to detect and analyze. The ability to create and use disposable AppDomains further enhances evasion by isolating the execution environment, reducing the chances of detection by runtime monitoring tools. This approach demonstrates a high level of sophistication in evading defenses and executing the final payload stealthily.

PHEMEDRONE STEALER PAYLOAD ANALYSIS

Phemedrone Stealer initializes its configuration and decrypts items like Telegram API tokens using the RijndaelManaged symmetric encryption algorithm. It targets a wide range of applications to extract sensitive information, including Chromium-based browsers, crypto wallets, Discord, FileGrabber, FileZilla, Gecko-based browsers, system information, Steam, and Telegram.

COMMAND AND CONTROL FOR DATA EXFILTRATION

After data collection, the malware compresses the information into a ZIP file and validates the Telegram API token before exfiltrating the data. It sends system information and statistics to the attacker via the Telegram API. Despite the patch for CVE-2023-36025, threat actors continue to exploit this vulnerability to evade Windows Defender SmartScreen protection. The Phemedrone Stealer campaign highlights the need for vigilance and updated security measures against such evolving cyber threats.

MITIGATION

Mitigating the risks associated with CVE-2023-36025 and similar vulnerabilities, especially in the context of the Phemedrone Stealer campaign, involves a multi-layered approach. Here are some key strategies:

  1. Apply Security Patches: Ensure that all systems are updated with the latest security patches from Microsoft, particularly the one addressing CVE-2023-36025. Regularly updating software can prevent attackers from exploiting known vulnerabilities.
  2. Enhance Endpoint Protection: Utilize advanced endpoint protection solutions that can detect and block sophisticated malware like Phemedrone Stealer. These solutions should include behavior-based detection to identify malicious activities.
  3. Educate Users: Conduct security awareness training for all users. Educate them about the dangers of clicking on unknown links, opening suspicious email attachments, and the risks of downloading files from untrusted sources.
  4. Implement Network Security Measures: Use firewalls, intrusion detection systems, and intrusion prevention systems to monitor and control network traffic based on an applied set of security rules.
  5. Secure Email Gateways: Deploy email security solutions that can scan and filter out malicious emails, which are often the starting point for malware infections.
  6. Regular Backups: Regularly back up data and ensure that backup copies are stored securely. In case of a malware infection, having up-to-date backups can prevent data loss.
  7. Use Application Whitelisting: Control which applications are allowed to run on your network. This can prevent unauthorized applications, including malware, from executing.
  8. Monitor and Analyze Logs: Regularly review system and application logs for unusual activities that might indicate a breach or an attempt to exploit vulnerabilities.
  9. Restrict User Privileges: Apply the principle of least privilege by limiting user access rights to only those necessary for their job functions. This can reduce the impact of a successful attack.
  10. Incident Response Plan: Have a well-defined incident response plan in place. This should include procedures for responding to a security breach and mitigating its impact.
  11. Use Secure Web Gateways: Deploy web gateways that can detect and block access to malicious websites, thereby preventing the download of harmful content.
  12. Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential security gaps in the network.

By implementing these measures, organizations can significantly reduce their risk of falling victim to malware campaigns that exploit vulnerabilities like CVE-2023-36025.


Tags: DEFENDER ANTIVIRUS


Jan 03 2024

Malware using google exploit maintain access

Category: Information Security, Malware, Password Security | disc7 @ 7:38 am

Information-stealing malware is actively abusing an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions and keep access to Google services even after a password reset.

According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, enabling threat actors to maintain access to a valid session in an unauthorized manner.

The technique was first revealed by a threat actor named PRISMA on October 20, 2023, on their Telegram channel. It has since been incorporated into various malware-as-a-service (MaaS) stealer families, such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.

The MultiLogin authentication endpoint is primarily designed for synchronizing Google accounts across services when users sign in to their accounts in the Chrome web browser (i.e., profiles).

A reverse engineering of the Lumma Stealer code has revealed that the technique targets the “Chrome’s token_service table of WebData to extract tokens and account IDs of chrome profiles logged in,” security researcher Pavan Karthick M said. “This table contains two crucial columns: service (GAIA ID) and encrypted_token.”

This token:GAIA ID pair is then combined with the MultiLogin endpoint to regenerate Google authentication cookies.

Karthick told The Hacker News that three different token-cookie generation scenarios were tested –

  • When the user is logged in with the browser, in which case the token can be used any number of times.
  • When the user changes the password but lets Google remain signed in, in which case the token can only be used once as the token was already used once to let the user remain signed in.
  • If the user signs out of the browser, then the token will be revoked and deleted from the browser’s local storage, which will be regenerated upon logging in again.

When reached for comment, Google acknowledged the existence of the attack method but noted that users can revoke the stolen sessions by logging out of the impacted browser.

“Google is aware of recent reports of a malware family stealing session tokens,” the company told The Hacker News. “Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”

“However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user,” it further added. “This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.”

The company further recommended users turn on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.

“It’s advised to change passwords so the threat actors wouldn’t utilize password reset auth flows to restore passwords,” Karthick said. “Also, users should be advised to monitor their account activity for suspicious sessions which are from IPs and locations which they don’t recognize.”

“Google’s clarification is an important aspect of user security,” said Hudson Rock co-founder and chief technology officer, Alon Gal, who previously disclosed details of the exploit late last year.

“However, the incident sheds light on a sophisticated exploit that may challenge the traditional methods of securing accounts. While Google’s measures are valuable, this situation highlights the need for more advanced security solutions to counter evolving cyber threats such as in the case of infostealers which are tremendously popular among cybercriminals these days.”

(The story was updated after publication to include additional comments from CloudSEK and Alon Gal.)


Tags: MultiLogin Exploit


Dec 13 2023

HOW TO BYPASS EDRS, AV WITH EASE USING 8 NEW PROCESS INJECTION ATTACKS

Category: Malware | disc7 @ 7:38 am

In the ever-evolving landscape of cybersecurity, researchers are continually uncovering new methods that challenge existing defense mechanisms. A recent study by SafeBreach has brought to light a novel process injection technique, published as PoolParty, that abuses Windows thread pools and exposes blind spots in current Endpoint Detection and Response (EDR) solutions. The research both demonstrates the sophistication of potential threats and underscores the need for advanced defensive strategies.

Thread pool exploitation is challenging for EDRs to detect because it uses legitimate system mechanisms for malicious purposes. EDRs often look for known patterns of malicious activity, but when malware hijacks legitimate processes or injects code via expected system behaviors, such as those involving thread pools, it can blend in without raising alarms. Essentially, these techniques don't leave the typical traces that EDRs are programmed to identify, allowing them to operate under the radar.

UNDERSTANDING PROCESS INJECTION:

Process injection is a technique often used by cyber attackers to execute malicious code within the memory space of a legitimate process. By doing so, they can evade detection and gain unauthorized access to system resources. Traditionally, this method involves three key steps: allocating memory in the target process, writing the malicious code into this allocated space, and then executing the code to carry out the attack.

THE ROLE OF WINDOWS THREAD POOLS:

Central to this new technique is the abuse of Windows thread pools. A thread pool is a system feature that manages a set of worker threads so that an application can run tasks asynchronously in the background without paying the cost of creating and destroying a thread for each one. Thread pools are integral to the operating system and are used by a wide range of applications, which is precisely what makes them attractive to an attacker: nearly every process already has one, so code that runs through it looks like ordinary application activity.

SafeBreachā€™s research delves into how these thread pools can be manipulated for malicious purposes. By exploiting the mechanisms that govern thread pool operations, attackers can inject malicious code into other running processes, bypassing traditional security measures. This technique presents a significant challenge to existing EDR solutions, which are typically designed to detect more conventional forms of process injection. Here are some examples of such manipulations:

  1. Inserting Malicious Work Items:
    • Attackers can insert malicious work items into the thread pool. These work items are essentially tasks scheduled to be executed by the poolā€™s worker threads. By inserting a work item that contains malicious code, an attacker can execute this code under the guise of a legitimate process.
  2. Hijacking Worker Threads:
    • An attacker might hijack the worker threads of a thread pool. By taking control of these threads, the attacker can redirect their execution flow to execute malicious code. This method can be particularly effective because worker threads are trusted components within the system.
  3. Exploiting Timer Queues:
    • Windows thread pools use timer queues to schedule tasks to be executed at specific times. An attacker could exploit these timer queues to schedule the execution of malicious code at a predetermined time, potentially bypassing some time-based security checks.
  4. Manipulating I/O Completion Callbacks:
    • Thread pools handle I/O completion callbacks, which are functions called when an I/O operation is completed. By manipulating these callbacks, an attacker can execute arbitrary code in the context of a legitimate I/O completion routine.
  5. Abusing Asynchronous Procedure Calls (APCs):
    • While not directly related to thread pools, attackers can use Asynchronous Procedure Calls, which are mechanisms for executing code asynchronously in the context of a particular thread, in conjunction with thread pool manipulation to execute malicious code.
  6. Worker Factory Manipulation:
    • The worker factory in a thread pool manages the worker threads. By manipulating the worker factory, attackers can potentially control the creation and management of worker threads, allowing them to execute malicious tasks.
  7. Remote TP_TIMER Work Item Insertion:
    • This involves creating a timer object in the thread pool and then manipulating it to execute malicious code. The timer can be set to trigger at specific intervals, executing the malicious code repeatedly.
  8. Queue Manipulation:
    • Attackers can manipulate the queues used by thread pools to prioritize or delay certain tasks. By doing so, they can ensure that their malicious tasks are executed at a time when they are most likely to go undetected.

These examples illustrate the versatility and potential stealth of using Windows thread pools for malicious purposes. The exploitation of such integral system components poses a significant challenge to cybersecurity defenses, requiring advanced detection and prevention mechanisms. The following are the eight thread pool work item types (and the worker factory that drives them) that the research shows can be abused. Each one ends in a callback, and each gives an attacker a different way to point that callback at their own code:

  1. Worker Factory Start Routine Overwrite: Overwriting the start routine can redirect worker threads to execute malicious code.
  2. TP_WORK Insertion: By inserting TP_WORK objects, attackers could run arbitrary code in the context of a thread pool thread.
  3. TP_WAIT Insertion: Manipulating wait objects can trigger the execution of malicious code when certain conditions are met.
  4. TP_IO Insertion: By intercepting or inserting IO completion objects, attackers could execute code in response to IO operations.
  5. TP_ALPC Insertion: Attackers could insert ALPC (Advanced Local Procedure Call) objects to execute code upon message arrival.
  6. TP_JOB Insertion: Jobs can be associated with malicious actions, executed when certain job-related events occur.
  7. TP_DIRECT Insertion: Direct insertion allows immediate execution of code, which can be abused for running malware.
  8. TP_TIMER Insertion: Timers can be used by attackers to schedule the execution of malicious payloads at specific times.

These vulnerabilities generally stem from the fact that thread pools execute callback functions, which attackers may manipulate to point to their code, thus achieving code execution within the context of a legitimate process.
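What all eight variants have in common from a telemetry standpoint is that the third of the three classic steps, executing the code, never shows up as a remote thread: the attacker still needs a handle to the target process with write access (and, to get at the target's worker factory and TP_POOL, handle-duplication rights), but no CreateRemoteThread follows. The script below is an added example, not SafeBreach's code, that turns that observation into a check over Sysmon-style events: ID 10 (ProcessAccess, with SourceImage/SourceProcessId/TargetImage/TargetProcessId/GrantedAccess) and ID 8 (CreateRemoteThread). Field names are shortened, the log lines are constructed, the access-mask constants are from winnt.h, and the trusted-source allowlist and the requirement for PROCESS_DUP_HANDLE as the thread-pool tell are assumptions to tune per environment.

```python
"""Flag cross-process memory access that is not followed by a remote thread.

Added example; not SafeBreach's code.  Reads Sysmon-style events (shortened
field names): id 10 = ProcessAccess, id 8 = CreateRemoteThread.  Lines below
are constructed.
"""
import json
from datetime import datetime, timedelta

# Process access rights (winnt.h)
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040

WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE   # enough to place code in the target
TRUSTED_SOURCES = {"csrss.exe", "lsass.exe", "msmpeng.exe"}  # assumed allowlist; tune per estate

SAMPLE_LOG = r"""
{"t": "2023-12-13T07:38:01", "id": 10, "src": "C:\\Users\\u\\tool.exe", "spid": 4412, "tgt": "C:\\Windows\\System32\\notepad.exe", "tpid": 1300, "access": "0x1FFFFF"}
{"t": "2023-12-13T07:38:10", "id": 10, "src": "C:\\Users\\u\\other.exe", "spid": 5000, "tgt": "C:\\Windows\\explorer.exe", "tpid": 900, "access": "0x1FFFFF"}
{"t": "2023-12-13T07:38:11", "id": 8, "spid": 5000, "tpid": 900, "start": "0x7FF6A0001000"}
{"t": "2023-12-13T07:38:20", "id": 10, "src": "C:\\Windows\\System32\\csrss.exe", "spid": 600, "tgt": "C:\\Windows\\System32\\notepad.exe", "tpid": 1300, "access": "0x1FFFFF"}
{"t": "2023-12-13T07:38:25", "id": 10, "src": "C:\\Program Files\\Updater\\updater.exe", "spid": 7000, "tgt": "C:\\Windows\\System32\\svchost.exe", "tpid": 1200, "access": "0x1410"}
"""


def load_events(text: str) -> list:
    """Parse one JSON event per line and turn the timestamp into a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["t"] = datetime.fromisoformat(ev["t"])
        events.append(ev)
    return events


def classify(access: dict, threads: list, window: timedelta):
    """Label one ProcessAccess event, or return None when it looks benign."""
    if access["spid"] == access["tpid"]:
        return None                                   # a process touching itself
    granted = int(access["access"], 16)
    if granted & WRITE_MASK != WRITE_MASK:
        return None                                   # cannot write code into the target
    if access["src"].rsplit("\\", 1)[-1].lower() in TRUSTED_SOURCES:
        return None
    followed_by_thread = any(
        t["spid"] == access["spid"] and t["tpid"] == access["tpid"]
        and timedelta(0) <= t["t"] - access["t"] <= window
        for t in threads
    )
    if followed_by_thread:
        return "classic injection: remote write followed by CreateRemoteThread"
    if granted & PROCESS_DUP_HANDLE:
        return "threadless injection candidate: write + DUP_HANDLE, no remote thread"
    return "remote write with no remote thread"


def detect(text: str, window: timedelta = timedelta(seconds=30)) -> list:
    """Run classify() over every ProcessAccess event and return the findings in log order."""
    events = load_events(text)
    threads = [e for e in events if e["id"] == 8]
    findings = []
    for e in events:
        if e["id"] != 10:
            continue
        label = classify(e, threads, window)
        if label:
            findings.append({"src": e["src"], "tgt": e["tgt"],
                             "spid": e["spid"], "tpid": e["tpid"], "label": label})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

Two caveats a practitioner would want: Sysmon only records ProcessAccess events that an include rule in its configuration selects, so the check is blind where that rule is missing or filtered down, and a handle can reach the target without an OpenProcess that Sysmon sees (inherited or duplicated from elsewhere), so the absence of a finding is not a clean bill of health. The classic case in the sample is kept on purpose: if your EDR fires only on the CreateRemoteThread side, the first finding is the one it would miss.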

MITIGATION

Mitigating threats that involve the exploitation of Windows thread pools for process injection requires a multi-faceted approach, combining advanced technological solutions with proactive security practices. Here are some potential measures and recommendations:

  1. Enhanced Detection Algorithms:
    • Endpoint Detection and Response (EDR) solutions should incorporate advanced algorithms capable of detecting anomalous behaviors associated with thread pool manipulation. This includes unusual activity patterns in worker threads and unexpected changes in thread pool configurations.
  2. Deep System Monitoring:
    • Implement deep monitoring of system internals, especially focusing on thread pools and worker thread activities. Monitoring should include the creation of work items, modifications to timer queues, and the execution patterns of threads.
  3. Regular Security Audits:
    • Conduct regular security audits of systems to identify potential vulnerabilities. This includes reviewing and updating the configurations of thread pools and ensuring that security patches and updates are applied promptly.
  4. Advanced Threat Intelligence:
    • Utilize advanced threat intelligence tools to stay informed about new vulnerabilities and attack techniques involving thread pools. This intelligence can be used to update defensive measures continuously.
  5. Employee Training and Awareness:
    • Educate IT staff and employees about the latest cybersecurity threats, including those involving thread pool exploitation. Awareness can help in early detection and prevention of such attacks.
  6. Behavioral Analysis and Heuristics:
    • Implement security solutions that use behavioral analysis and heuristics to detect unusual patterns that might indicate thread pool exploitation. This approach can identify attacks that traditional signature-based methods might miss.
  7. Zero Trust Architecture:
    • Adopt a zero trust architecture where systems do not automatically trust any entity inside or outside the network. This approach can limit the impact of an attack by restricting access and permissions to essential resources only.
  8. Regular Software Updates:
    • Ensure that all software, especially operating systems and security tools, are regularly updated. Updates often include patches for known vulnerabilities that could be exploited.
  9. Isolation of Sensitive Processes:
    • Isolate sensitive processes in secure environments to reduce the risk of thread pool manipulation affecting critical operations. This can include using virtual machines or containers for added security.
  10. Incident Response Planning:
    • Develop and maintain a robust incident response plan that includes procedures for dealing with thread pool exploitation. This plan should include steps for containment, eradication, recovery, and post-incident analysis.

By implementing these measures, organizations can strengthen their defenses against sophisticated attacks that exploit Windows thread pools, thereby enhancing their overall cybersecurity posture.


Tags: BYPASS EDRS, INJECTION ATTACKS


Nov 25 2023

Stuxnet techniques used

Category: Cyber War, Digital cold war, Malware | disc7 @ 2:55 pm

Stuxnet: The Revenge of Malware: How the Discovery of Malware from the Stuxnet Family Led to the U.S. Government Ban of Kaspersky Lab Anti-Virus Software


Tags: Stuxnet


Nov 21 2023

Increasingly prevalent NetSupport RAT infections reported

Category: Malware, Remote code | disc7 @ 9:30 am

https://www.scmagazine.com/brief/increasingly-prevalent-netsupport-rat-infections-reported

Attacks involving the NetSupport RAT have become increasingly common, The Hacker News reports. More than 15 infections have been observed in recent weeks, mostly in organizations in the education, government, and business sectors, according to a report from VMware Carbon Black researchers. Threat actors have leveraged fraudulent browser updates to distribute the SocGholish downloader malware, also known as FakeUpdates, which then uses PowerShell to connect to a remote server and retrieve a ZIP archive containing the NetSupport RAT. Researchers also noted that, once installed, NetSupport enables behavior tracking, file transfers, computer setting alterations, and lateral movement across the network. "The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns," said researchers. NetSupport RAT is an abused build of NetSupport Manager, a legitimate remote administration tool; Sucuri previously reported it being spread through fake Cloudflare distributed denial-of-service protection pages.


Tags: NetSupport RAT


Oct 10 2023

SILENT PREDATOR UNVEILED: DECODING WEBWYRM STEALTHY MALWARE AFFECTING 50 COUNTRIES

Category: Malware | disc7 @ 8:40 am

DECIPHERING WEBWYRM: AN IN-DEPTH ANALYSIS OF THE PERVASIVE MALWARE THREATENING GLOBAL CYBERSECURITY

In the intricate landscape of global cybersecurity, Webwyrm malware has surfaced as a formidable adversary, casting its ominous shadow across 50 nations and leaving in its wake over 100,000 compromised victims. This insidious digital menace successfully emulates in excess of 1000 reputable companies globally, with the ensuing potential financial fallout estimated to surpass a staggering $100 million. It is imperative for cybersecurity professionals and organizations alike to comprehend the multifaceted nature of this threat to devise and implement robust defensive strategies effectively.

THE EVOLUTIONARY TRAJECTORY OF WEBWYRM

In the dynamic realm of cyber threats, malicious actors incessantly refine their Tactics, Techniques, and Procedures (TTPs), exploiting extant vulnerabilities and augmenting the efficacy of their malicious campaigns. Webwyrm epitomizes this relentless pursuit of evolution, embodying a level of sophistication reminiscent of infamous cyber threats of yore, such as the notorious 'Blue Whale Challenge.'

REFINED MODUS OPERANDI

WebWyrm malware orchestrates a complex, deceptive narrative aimed at duping unsuspecting job seekers into relinquishing their cryptocurrency. Initiating contact predominantly via WhatsApp, the malefactors likely leverage data procured from employment portals to pinpoint and engage individuals predisposed to their deceptive overtures. Prospective victims are enticed with promises of lucrative weekly remuneration, ranging between $1200 and $1500, contingent upon the completion of daily task "packets" or "resets."

Upon transferring funds into designated cryptocurrency wallets, victims are led to believe that the completion of tasks results in monetary withdrawals from their accounts, which are subsequently returned along with additional commissions. The introduction of ā€œcombo tasksā€ promises substantial financial returns but necessitates a more considerable investment. However, the caveat is that these returns are accessible only upon the sequential completion of all combo tasks, with each task demanding a progressively larger investment.

CAMPAIGN ENABLERS: TECHNICAL INSIGHTS

WebWyrm’s campaign is characterized by its sophistication, adaptability, and elusive operational framework. The initiative employs dedicated personnel engaging with victims via various platforms, thereby lending an aura of legitimacy and support to their endeavors. The orchestrators have meticulously crafted approximately 6000 counterfeit websites, directing victims to register their accounts. These platforms are expertly designed to mimic legitimate enterprises, with a keen focus on geo-targeting and associated contact numbers reflecting the respective victim’s geographical location.

Moreover, the malefactors astutely navigate the ephemeral nature of their infrastructure, allocating specific IP addresses or Autonomous System Numbers (ASNs) to host counterfeit domains for limited durations. This modus operandi facilitates operational continuity and anonymity, allowing for a swift transition to alternative infrastructure in response to potential threats, thereby effectively circumventing detection mechanisms.

INDUSTRIES IN THE CROSSHAIRS

Webwyrm has indiscriminately targeted a plethora of industries, including:

  • IT Services
  • Software Development
  • Mobile App Development
  • User Experience Design
  • Digital Marketing
  • Web Development
  • SEO
  • E-Commerce

DEFENSIVE COUNTERMEASURES

Effective defense against Webwyrm necessitates the adoption of several countermeasures:

  • Origin Tracing of Malefactors via Employment Portals
  • Collaborative Defensive Initiatives
  • Deployment of Rapid Response Teams
  • Implementation of Domain Blacklisting Protocols
  • Asset Seizure
  • Launch of Educational Awareness Campaigns

With the incorporation of these enhanced technical insights, it becomes abundantly clear that WebWyrm represents a meticulously orchestrated, sophisticated operation with the singular aim of exploiting job seekers. The nuanced understanding of potential victims, coupled with a highly adaptive and elusive infrastructure, renders this a significant threat warranting coordinated, informed countermeasures to safeguard potential victims. Awareness, education, and the proactive deployment of defense mechanisms are pivotal in mitigating the risks associated with the WebWyrm malware campaign.

Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware


Tags: WEBWYRM


Sep 22 2023

HOW TO SEND PHISHING OR MALWARE TO TEAMS USERS EVADING TEAMS SECURITY FEATURES

Category: Malware, Phishing | disc7 @ 9:25 am

TeamsPhisher is a Python3 tool designed to make it easier to send phishing messages and attachments to users of Microsoft Teams whose companies or organizations permit communication with outside parties. In most circumstances it is not possible to send files to Teams users who are not part of one’s own organization. Recently, Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) from JUMPSEC published a means to circumvent this limitation by modifying the HTTP requests made by Teams so as to change who is sent a message with an attached file.

TeamsPhisher utilizes a number of other techniques in addition to this one, including some of Andrea Santese’s (@Medu554) older ones. For the authentication component of the attack flow, as well as other basic utility functions, it relies significantly on TeamsEnum, a brilliant piece of work developed by Bastian Kanbach (@bka) of SSE.

TeamsPhisher’s goal is to combine the most useful aspects of the aforementioned projects into a method that is robust, fully adaptable, and highly effective for authorized Red Team operations that use Microsoft Teams for phishing in access-related scenarios.

You will need to provide TeamsPhisher with an attachment, a message, and a list of people to target. It will then work through the list of targets while uploading the attachment to the sender’s SharePoint.

First, TeamsPhisher enumerates the target user to check whether that person really exists and is able to receive messages from outside the organization. It then initiates a new conversation with the chosen person. Note that this is technically a “group” conversation, since TeamsPhisher includes the target’s email address twice; this is a clever hack from @Medu554 that bypasses the “Someone outside your organization messaged you, are you sure you want to view it” splash screen, which might otherwise give the target a reason to stop and think twice about viewing the message.

Once a new thread has been established between the sender and the target, the target receives the message along with a link to the attachment stored in SharePoint.

After this first message has been sent, the newly established thread is visible in the sender’s Teams GUI and can be engaged with manually, if necessary, on a case-by-case basis. Users of TeamsPhisher must have a Microsoft Business account (as opposed to a personal one such as @hotmail, @outlook, etc.) that is licensed for both Teams and SharePoint in order to use the software.

This means you will need an AAD tenant as well as at least one user in it with a corresponding license. At the time of publishing, the AAD licensing center offers free trial licenses that meet all of the prerequisites for using this tool.

Before you can use the account with TeamsPhisher, you must have logged in at least once to the personal SharePoint site of the user you will be sending messages from. This should be something along the lines of tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com or tenantname-my.sharepoint.com/personal/myusername_mytenantname_mycustomdomain_tld.

In terms of local requirements, we strongly advise using the most recent version of Python3. You will also need the authentication library developed by Microsoft:

To upload the file to a SharePoint site, you may need to give the site’s name manually. This is most likely required when the sender’s tenant uses a custom domain name (for example, one that does not follow the xxx.onmicrosoft.com convention). Use only the single name; for instance, if your SharePoint site is located at mytest.sharepoint.com, use the `--sharepoint mytest` option.

Replace TeamsPhisher’s default greeting (“Hi,”) with a personalized greeting that is added to the message supplied by the `--message` option. “Good afternoon,” or “Sales team,” are examples.

By default, the SharePoint link provided to targets can be accessed by anybody who has the link; to restrict access to the SharePoint file so that it can only be viewed by the target who received it, use the `--securelink` option. It is possible that this will help shield your payload from the blue team.

TeamsPhisher will attempt to determine the first name of each person it is targeting and will use that name in the greeting it sends to them. For instance, tom.jones@targettenant.onmicrosoft.com would receive a message opening with the greeting “Hi Tom,” as its first line. This is not ideal and is dependent on the format of the targeted email addresses; use the `--preview` option to see whether it is a suitable match for the list of emails you are targeting.

In preview mode, TeamsPhisher will NOT send any messages to the target users; instead, it displays the “friendly” name that the `--personalize` option would use. In addition, a sample message representative of what targets would receive with the current settings is delivered to the sender’s own Teams. You can log in to check how your message appears and make any required adjustments.

You may choose to add a delay of x seconds between each message sent to targets. This can help with any rate-limiting concerns that arise.

TeamsPhisher will determine which accounts are unable to receive messages from third-party organizations, which accounts do not exist, and which accounts have subscription plans that are incompatible with the attack vectors.

TeamsPhisher now enables login with sender accounts using multifactor authentication (MFA), thanks to code contributed by the TeamsEnum project.

If you use the `--securelink` flag, the recipients of the message will see a popup asking them to authenticate before they can view the attachment in SharePoint. You can judge for yourself whether this adds an excessive number of additional steps or whether it adds ‘legitimacy’ by sending them through the actual Microsoft login flow.

Mitigation
By changing the external access options, found in the Microsoft Teams admin center under Users > External access, organizations can reduce the risk posed by the vulnerability that has been discovered.

Microsoft gives organizations the freedom to choose the permissions that best match their requirements, including the ability to whitelist only particular external tenants for communication, and a global block that prevents any external communication from occurring.
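One way to audit and apply the external-access mitigation described above, as an added example (not code from the blog post or the TeamsPhisher project), is through the MicrosoftTeams PowerShell module; the audit function is hypothetical and "partner.example" is a placeholder for a tenant you actually collaborate with.

```powershell
# Added example: audit and tighten Teams external access (the admin center setting under
# Users > External access) with the MicrosoftTeams PowerShell module. Assumes the module is
# installed and the signed-in account holds a Teams administrator role.
Connect-MicrosoftTeams

# Current tenant federation settings, as the admin center shows them.
$cfg = Get-CsTenantFederationConfiguration

# Hypothetical audit helper: returns one finding per external-access path that is open.
function Test-TeamsExternalAccessPosture {
    param([Parameter(Mandatory)] $Config)
    $findings = @()
    if ($Config.AllowFederatedUsers) {
        # Open federation lets any external tenant (including an attacker-controlled trial tenant)
        # start a thread with your users. Confirm AllowedDomains is an explicit allow list,
        # not AllowAllKnownDomains.
        $findings += "Federated chat enabled; AllowedDomains = $($Config.AllowedDomains)"
    }
    if ($Config.AllowTeamsConsumer) {
        $findings += "Chat with personal (consumer) Teams accounts is enabled"
    }
    if ($Config.AllowPublicUsers) {
        $findings += "Chat with Skype users is enabled"
    }
    return $findings
}

Test-TeamsExternalAccessPosture -Config $cfg

# Corrected configuration, option 1: the global block the post mentions. No external tenant
# can message your users at all.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
    -AllowTeamsConsumer $false -AllowPublicUsers $false

# Corrected configuration, option 2: the allow list the post mentions. Only the named partner
# tenants may message your users; everything not on the list is blocked.
$partners = New-CsEdgeAllowList -AllowedDomain @(
    New-CsEdgeDomainPattern -Domain "partner.example"   # placeholder partner tenant
)
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $partners `
    -AllowTeamsConsumer $false -AllowPublicUsers $false

# Re-read the settings to confirm the change took effect.
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains,
    AllowTeamsConsumer, AllowPublicUsers
```

Run the audit function first on its own; apply only one of the two corrected configurations, depending on whether your organization needs any external collaboration.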


Tags: EVADING TEAMS SECURITY FEATURES



Jul 14 2023

THIS FREE UEFI MALWARE CODE CAN HACK WINDOWS MACHINE FOREVER, EVEN IF HARD DISK IS REMOVED

Category: Malware, Windows Security | disc7 @ 12:29 pm

The BlackLotus bootkit was developed expressly for Windows, and it first appeared on hacker forums in October of the previous year. It was described as having APT-level capabilities, including the ability to circumvent Secure Boot and User Account Control (UAC), as well as the capacity to deactivate security software and defensive mechanisms on victim computers. Threat actors of various skill levels were able to purchase BlackLotus when it was first offered for sale on hacker forums for as little as $5,000, giving them access to malware that is often associated with state-sponsored hacking operations. However, the threat actor concealed the source code and charged clients $200 for rebuilds if they wished to modify the bootkit in any way.
Microsoft published a set of resources in April that are intended to assist threat hunters in recognizing BlackLotus infections. The National Security Agency (NSA) released some guidelines in June to assist firms in strengthening their defenses against the threat.


Although it has a number of alterations in comparison to the malware’s initial form, the BlackLotus UEFI bootkit’s original source code has been made available to the public on GitHub.

The ‘Baton Drop’ exploit that targets CVE-2022-21894 has been removed from the BlackLotus source code that was released on GitHub on Wednesday. Additionally, the BlackLotus source code now employs the bootlicker UEFI firmware rootkit, although it still retains the majority of the original code.

The fact that the bootkit’s source code is available to the public poses a considerable danger, primarily because it may be paired with newly discovered vulnerabilities to open up previously unknown entry points for attacks. BlackLotus was able to use the exploit despite the fact that CVE-2022-21894 had been fixed the previous year. This was possible because the vulnerable binaries had not been added to the UEFI revocation list. This demonstrates how even vulnerabilities that have been patched may still present long-term, industry-wide supply chain impact.

However, since the source code was leaked, it is now very easy for threat actors to combine the bootkit with new bootloader vulnerabilities, whether they are known or undiscovered. The methods used by the bootkit are no longer cutting edge.

Be careful to adhere to the extensive mitigation guidance that the NSA issued a month ago in order to protect your computers against the BlackLotus UEFI bootkit attack.

Because the source code of the bootkit is now freely accessible, it is feasible that skilled malware writers may design more powerful variations that are able to circumvent both currently available countermeasures and those that will be developed in the future.

How to Hack Like a Legend: Breaking Windows

CISSP training course


Tags: HACK WINDOWS MACHINE

