TeamsPhisher is a Python3 software that was designed to make it easier for phishing messages and attachments to be sent to users of Microsoft Teams whose companies or organizations permit connection with outside parties. It is not feasible to transfer files to users of Teams who are not part of oneâs company in most circumstances. Recently, Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) from JUMPSEC published a means to circumvent this limitation by modifying HTTP requests made by Teams in order to change who is sent a message with an attached file.
TeamsPhisher utilizes a number of other techniques, including some of Andrea Santeseâs (@Medu554) older ones, in addition to this one.For the authentication component of the attack flow as well as other basic utility functions, it relies significantly on TeamsEnum, a brilliant piece of work that was developed by Bastian Kanbach (@bka) of SSE.
TeamsPhisherâs goal is to include the most useful aspects of the aforementioned projects in order to provide a method that is robust, fully adaptable, and highly effective for authorized Red Team operations to use Microsoft Teams for phishing in access-related circumstances.
You will need to provide TeamsPhisher with an attachment, a message, and a list of people to target. After that, it will go over the list of targets while simultaneously uploading the attachment to the senderâs Sharepoint.
First, TeamsPhisher will enumerate the target user and check to see whether that person really exists and is able to receive messages from the outside world. After that, it will initiate a new conversation with the person you choose. Note that this is technically a âgroupâ conversation since TeamsPhisher contains the targetâs email address twice; this is a clever hack from @Medu554 that will circumvent the âSomeone outside your organization messaged you, are you sure you want to view itâ splash screen that might offer our targets a reason to stop and think twice about viewing the message.
The user who was identified will get the message that was sent to them along with a link to the attachment that was stored in Sharepoint after a new thread has been established between our sender and the target.
After this first message has been sent, the newly established thread will be visible in the senderâs Teams GUI and may be engaged with manually, if necessary, on a case-by-case basis. Users of TeamsPhisher are required to have a Microsoft Business account (as opposed to a personal one such as @hotmail, @outlook, etc.) that is licensed for both Teams and Sharepoint in order to utilize the software.
This indicates that you will require an AAD tenant as well as at least one user who has a license that corresponds to it. At the time of publishing, the AAD licensing center does have some free trial licenses available for download that are capable of meeting all of the prerequisites for using this product.
Before you may utilize the account with TeamsPhisher, you will have to ensure that you have at least once successfully logged into the personal Sharepoint site of the user with whom you will be exchanging messages. This should be something along the lines of tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com or tenantname-my.sharepoint.com/personal/myusername_mytenantname_mycustomdomain_tld. Alternatively, you could also use tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com.
In terms of the needs of the local community, We strongly advise upgrading to the most recent version of Python3. You will also require the authentication library developed by Microsoft:
To upload the file to a Sharepoint site, you will need to manually give the siteâs name. This would most likely be required in the event if the senderâs tenant makes use of a unique domain name (for example, one that does not adhere to the xxx.onmicrosoft.com norm). Just the singular name should be used; for instance, if your SharePoint site is located at mytest.sharepoint.com, you should use the âsharepoint mytest option.
Replace TeamPhisherâs standard greeting (âHi,â) with a personalized greeting that will be appended to the message that is supplied by the âmessage option. For instance, âGood afternoon,â or âSales team,â are examples.
By default, the Sharepoint link that is provided to targets may be accessed by anybody who has the link; to restrict access to the Sharepoint file so that it can only be viewed by the target who got it, use the âsecurelink option. Itâs possible that this will help shield your virus from the blue team.
TeamsPhisher will make an effort to determine the first name of each person it is targeting and will use that name in the welcome it sends to them. For instance, tom.jones@targettenant.onmicrosoft.com would get an email with the greeting âHi Tom, â as the first line of the message. This is not ideal and is dependant on the format of the emails that are being targeted; use the âpreview option to see whether or not this is a suitable match for the list of emails that you are targeting.
The preview version of TeamsPhisher will be executed. This will NOT send any messages to the target users; instead, the âfriendlyâ name that would be used by the âpersonalize option will be shown. In addition, a sample message that is indicative of what targets would receive with the current settings will be delivered to the senderâs Teams. You may log in to check how your message appears and make any required adjustments to it.
You may choose to have a delay of x seconds between each message sent to targets. Can be of assistance with rate-limiting concerns that may arise.
TeamsPhisher will determine which accounts are unable to receive messages from third-party organizations, which accounts do not exist, and which accounts have subscription plans that are incompatible with the attack vectors.
TeamsPhisher now enables login with sender accounts using multifactor authentication (MFA), thanks to code contributed by the TeamsEnum project.
If you use the âsecurelink flag, the recipients of the message will see a popup asking them to verify themselves before they can view the attachment in Sharepoint. You have the ability to determine if this adds an excessive number of additional steps or whether it adds âlegitimacyâ by sending them via the actual Microsoft login feature.
Mitigation By changing the choices associated with external access, which can be found in the Microsoft Teams admin center under Users > External access, companies may reduce the risk that is provided by the vulnerability that has been discovered.
Organizations are provided with the freedom to pick the optimal rights to match their requirements by Microsoft, including the ability to whitelist just particular external tenants for communications and a global block that prevents any communications from occurring.
New Android Malware Uses Optical Character Recognition to Steal Login Credentials
Besides employing various channels for distribution, these malicious apps, named “CherryBlos” and “FakeTrade,” have been discovered by cybersecurity researchers at Trend Micro to use OCR (Optical Character Recognition) techniques to extract sensitive data from pictures. The shared network infrastructure and certificates indicate the involvement of the same threat actors behind these new Android malware strains. The distribution channels used by these apps include social media, phishing sites, Google Play, and other Android app stores.
Android MalwareUse OCR
In April 2023, CherryBlos malware emerged as an APK file that was found to be promoted on Telegram, Twitter, and YouTube as:-
All the malicious APK files were downloaded from domain-matching websites. Here below, we have mentioned the malicious APK file names and matching domains:-
APK files:
GPTalk
Happy Miner
Robot999
SynthNet
Matching domain names:
chatgptc[.]io
happyminer[.]com
robot999[.]net
synthnet[.]ai
Moreover, the SynthNet app, a malicious version, was downloaded around 1,000 times on Google Play before being reported and removed.
CherryBlos malware targets crypto wallet credentials and alters withdrawal addresses since itâs mainly designed to steal cryptocurrency wallet-related information.
The CherryBlos exploits accessibility service permissions to:-
Fetch config files
Auto-approve permissions
Block app termination
Besides stealing cryptocurrency-related data, CherryBlos also has an extraordinary feature that enables OCR for text extraction from images on the device.
Code to perform OCR on images (Source â Trend Micro)
When EnableImage is true in the config, CherryBlos reads media files, applying OCR for potential mnemonic recognition.
Despite the risk, people save recovery phrase photos on devices, enable malware extracts, and send data to threat actors.
Moreover, the malware also hijacks the Binance app clipboard, then alters the recipient address with the attackerâs, as this enables attackers to initiate illicit fund transfers stealthily.
Recommendations
Here below, we have mentioned all the recommendations offered by the security researchers at Trend Micro:-
Always download apps from the Google Play store and official app stores that are trusted.
Make sure to keep your system, software, and AV tools updated with the available security patches and updates.
To block threats like these and other malware strains, make sure to install a robust and renowned AV solution.
Before allowing any permissions to apps, make sure to cross-check each permissions carefully.
Do not download any unknown attachments received via email.
Suspicious links could be dangerous, so, do not click on any suspicious links.
The Blacklotus bootkit was developed expressly for Windows, and it first appeared on hacker forums in October of the previous year. It was described as having APT-level capabilities, including the ability to circumvent secure boot and user access control (UAC), as well as the capacity to deactivate security software and defensive mechanisms on victim computers. Threat actors of various skill levels were able to purchase BlackLotus when it was first offered for sale on hacker forums for as little as $5,000, giving them access to malware that is often associated with state-sponsored hacking operations. However, the threat actor concealed the source code and charged clients $200 for rebuilds if they wished to modify the bootkit in any way.c Microsoft published a set of resources in April that are intended to assist threat hunters in recognizing BlackLotus infections. The National Security Agency (NSA) released some guidelines in June to assist firms in strengthening their defenses against the threat.
Although it has a number of alterations in comparison to the malwareâs initial form, the BlackLotus UEFI bootkitâs original source code has been made available to the public on GitHub.
The âBaton Dropâ exploit that targets CVE-2022-21894 has been removed from the BlackLotus source code that was released on GitHub on Wednesday. Additionally, the BlackLotus source code now employs the bootlicker UEFI firmware rootkit, although it still retains the majority of the original code.
The fact that the bootkitâs source code is available to the public poses a considerable danger, primarily because it may be paired with newly discovered vulnerabilities to open up previously undiscovered entry points for attacks. BlackLotus was able to utilize the attack despite the fact that CVE-2022-21894 had been fixed the previous year. This was possible because the vulnerable binaries had not been put to the UEFI revocation list. This demonstrates how even vulnerabilities that have been patched may still present long-term, industry-wide supply chain impact.
However, since the source code was leaked, it is now very easy for threat actors to combine the bootkit with new bootloader vulnerabilities, whether they are known or undiscovered. The methods used by the bootkit are no longer cutting edge.
Be careful to adhere to the extensive mitigation guidance that the NSA issued a month ago in order to protect your computers against the BlackLotus UEFI bootkit attack.
Because the source code of the bootkit is now freely accessible, it is feasible that skilled malware writers may design more powerful variations that are able to circumvent both currently available countermeasures and those that will be developed in the future.
Malware researchers analyzed the application of Large Language Models (LLM) to malware automation investigating future abuse in autonomous threats.
Executive Summary
In this report we shared some insight that emerged during our exploratory research, and proof of concept, on the application of Large Language Models to malware automation, investigating how a potential new kind of autonomous threats would look like in the near future.
We explored a potential architecture of an autonomous malware threat based on four main steps: an AI-empowered reconnaissances, reasoning and planning phase, and the AI-assisted execution.
We demonstrate the feasibility of using LLM to recognize infected environments and decide which kind of malicious actions could be best suited for the environment.
We adopted an iterative code generation approach to leverage LLMs in the complicated task of generating code on the fly to achieve the malicious objectives of the malware agent.
Luckily, current general purpose LLM models still have limitations: while incredibly competent, they still need precise instruction to achieve the best results.
This new kind of threat has the potential to become extremely dangerous in the future, when computational requirements of LLMs would be low enough to run the agent completely locally, and also with the usage of specific models instead of general purpose ones.
Introduction
Large Language Models started shaping the digital world around us, since the public launch of OpenAIâs ChatGPT everybody spotted a glimpse of a new era where the Large Language Models (LLMs) would profoundly impact multiple sectors soon.
The cyber security industry is not an exception, rather it could be one of the most fertile grounds for such technologies, both for good and also for bad. Researchers in the industry have just scratched the surface of this application, for instance with read teaming application, as in the case of the PentestGPT project, but also, more recently even with malware related applications, in fact, Juniper researchers were using ChatGPT to generate malicious code to demonstrate the speedup in malware writing, and CyberArkâs ones tried to use ChatGPT to realize a polymorphic malware, along with Hays researchers which created another polymorphic AI-powered malware in Python.
Following this trail of this research, we decided to experiment with LLMs in a slightly different manner: our objective was to see if such technology could lead even to a paradigm-shift in the way we see malware and attackers. To do so, we prototyped a sort of âmalicious agentâ completely written in Powershell, that would be able not only to generate evasive polymorphic code, but also to take some degree of decision based on the context and its âintentsâ.
Technical Analysis
This is an uncommon threat research article, here the focus is not in a real-world threat actor, instead we deepen an approach that could be likely adopted in the near future by a whole new class of malicious actors, the AI-powered autonomous threat.
A model for Autonomous Threats
First of all we are going to describe a general architecture that could be adopted for such an objective. An architecture which inevitably has common ground with Task-Driven Autonomous Agents like babyAGI or autoGPT. But for the sake of our experimentation, we decided to shape the logic flow of the malicious agent to better match common malware operations.
As anticipated before, our Proof of Concept (PoC) autonomous malware is an AI-enabled Powershell script, designed to illustrate the potential of artificial intelligence in automation and decision-making, with each phase of execution highlighting the adaptability and intelligence of the AI.
Breaking down the state diagram, at high level, the agent runs into the following stages.
Footprinting
During the discovery phase, the AI conducts a comprehensive analysis of the system. Its goal is to create a thorough profile of the operating environment. It examines system properties such as the operating system, installed applications, network setups, and other pertinent information.
This thorough assessment is not just for ensuring the system is ready to go, but also assists the AI in figuring out if itâs working within a controlled environment, whether itâs interacting with a server or a client. One of the crucial determinations it makes is whether it is functioning within a sandboxed environment. Sandboxes are controlled settings, often used for testing or monitoring potentially harmful activities. If the AI detects it is operating within a sandbox, it halts all execution, avoiding unnecessary exposure in a non-targeted environment.
This system data becomes a vital input that lets the malicious-AI make informed decisions and respond appropriately. It provides a comprehensive understanding of its operating environment, similar to a detailed map, allowing it to navigate the system effectively. In this sense, this phase readies the âmalicious agentâ for the activities that follow.
Reasoning
In the execution phase, the malicious agent maneuvers rely significantly on the context, built on a detailed understanding of the system environment gathered in the earlier analysis phase.
An intriguing aspect of this phase is the AIâs strategic decision-making, which closely emulates strategies used by well-known hacking groups. At the outset, the âmalicious agentâ mimics a specific, recognized hacking group. The selection of the group isnât random but is determined by the particular context and conditions of the system.
After deciding which hacking group to mimic, the autonomous agent goes on to devise a comprehensive attack strategy. This strategy is custom-made to the specific system environment and the standard practices of the selected hacking group, for example, it may decide to include password stealing tasks in case it detects the Outlook application rather than install a backdoor account on the server.
Execution
Once the attack strategy is in place, the malicious agent begins to carry out each action in a step-by-step manner. For each action, the AI dynamically creates the necessary code and promptly puts it into action. This could include a broad range of operations, such as attempting privilege escalation, conducting password hunts, or establishing persistence.
However, the AIâs role isnât just limited to implementation. It consistently keeps an eye on how the system responds to its actions and stays ready for unexpected occurrences. This attentiveness allows the AI to adapt and modify its actions in real time, showcasing its ability for resilience and strategic problem-solving within a changing system environment.
When guided by more specific prompts, AI proves to be exceptionally capable, even to the point of generating functional infostealers on the fly.
This AI-empowered PoC epitomizes the potential of AI in carrying out intricate tasks independently and adjusting to its environment.
Code Generation
One of the fundamental characteristics that set autonomous threats apart is their ability to generate code. Unlike traditional threats, which often require manual control or pre-programmed scripts to adapt and evolve, autonomous threats use AI algorithms to autonomously generate new code segments. This dynamic code generation ability not only allows them to adapt to changing system conditions and defenses but also makes their detection and analysis more challenging.
This process involves the use of specific prompts, allowing the AI to create custom solutions that suit the systemâs unique conditions. The AI also takes an active role in monitoring the outcomes of its actions. It continually assesses the results of its code execution. If it detects errors or unsuccessful actions, it uses them as inputs for further processing. By feeding error data back into its processes, the AI can refine and optimize its code generation. This iterative process represents a significant step towards true autonomous problem-solving capabilities, as the AI dynamically adjusts its actions based on their results.
Figure. Iterative code generation and adjustment
Environment Awareness
Autonomous threats take threat intelligence to a new level by being aware of their operating environment. Traditional threats often have a one-size-fits-all approach, attacking systems without fully understanding the environment. In contrast, autonomous threats can actively monitor their environment and adapt their actions accordingly.
The concept of environmental awareness is pivotal in AI-powered cyber threats. This environmental understanding enables the autonomous malware to choose an appropriate course of action based on the context around. For example, it might identify if itâs operating within a sandbox environment or decide to behave differently based on whether itâs operating on a server or client machine.
This awareness also influences the AIâs decision-making process during its operation. It can adjust its behavior according to the context, impersonating a particular known hacker group or choosing a specific attack strategy based on the evaluated system characteristics.
This environment-aware approach could enable malware writers to rely on very sophisticated, and harder to counter, evasion schemes.
Figure. Prompt to evaluate the machine environment
Decision-Making Autonomy
Perhaps the most defining characteristic of autonomous malware is the decision-making autonomy. Unlike traditional threats that rely on pre-programmed behaviors or external control from a human operator, autonomous threats can make independent decisions about their actions.
These threats use advanced AI algorithms to analyze the available information, weigh the potential outcomes of different actions, and choose the most effective course of action. This decision-making process could involve choosing which systems to target, selecting the best method for attack, deciding when to lay dormant to avoid detection, and even determining when to delete themselves to avoid traceability.
This level of autonomy not only makes these threats more resilient to countermeasures, but it also allows them to carry out more complex and coordinated attacks. By making independent decisions, these threats can adapt to changing circumstances, carry out long-term infiltration strategies, and even coordinate with other autonomous threats to achieve their objectives.
In this proof of concept (PoC), we launched our AI-enabled script on a Windows client. The scriptâs execution process is designed to illustrate the potential of AI in automating complex tasks, decision making, and adjusting to the environment.
Firstly, the script initiates with an exhaustive system footprinting. During this phase, the AI takes a thorough survey of the system. The focus is on creating a detailed footprint of the operating environment by examining properties such as the operating system, installed software and other relevant details. This rigorous assessment not only prepares the system for the following actions but also helps the AI understand the context itâs operating within.
Simultaneously, a crucial part of this initial phase is sandbox detection. In fact, if the AI identifies the environment as a sandbox, the execution halts immediately.
Once the AI has confirmed itâs not within a sandbox, and itâs dealing with a client, it proceeds to develop an infostealer â a type of malware thatâs designed to gather and extract sensitive information from the system. In this specific case, the AI installs a keylogger to monitor and record keystrokes, providing a reliable method to capture user inputs, including passwords.
Alongside keylogging, during the test sessions, the AI performed password hunting too.
Finally, after gathering all the necessary data, the AI proceeded to the data exfiltration. The AI prepares all the accumulated data for extraction, ensuring itâs formatted and secured in a way that it can be efficiently and safely retrieved from the system.
The demonstration video provides a real-time view of these actions carried out by the AI.
This PoC underlines how an AI system can perform complex tasks, adapt to its environment, and carry out activities that previously required advanced knowledge and manual interaction.
Consideration on Experimentation Session
In all the experiments conducted, a key theme that emerged was the level of exactness needed when assigning tasks to the AI. When presented with vague or wide-ranging tasks, the AIâs output frequently lacked effectiveness and specificity. This highlights an essential trait of AI at its current stage: while incredibly competent, it still needs precise instruction to achieve the best results.
For instance, when tasked to create a generic malicious script, the AI might generate code that tries to cover a wide spectrum of harmful activities. The outcome could be a piece of code that is wide-ranging and inefficient, potentially even drawing unwanted scrutiny due to its excessive system activity.
On the other hand, when given more narrowly defined tasks, the AI demonstrated the capability to create specific components of malware. By steering the AI through smaller, more exact tasks, we could create malicious scripts that were more focused and effective. Each component could be custom-made to carry out its task with a high level of effectiveness, leading to the creation of a cohesive, efficient malware when combined.
This discovery suggests a more efficient method of utilizing AI in cybersecurity â breaking down complex tasks into smaller, manageable objectives. This modular approach allows for the creation of specific code pieces that carry out designated functions effectively and can be assembled into a larger whole.
Conclusion
In conclusion, when we just look in the direction of LLMs and malware combined together, we clearly see a significant evolution in cybersecurity threats, potentially able to lead to a paradigm shift where malicious code operates based on predefined high-level intents.
Their ability to generate code, understand their environment, and make autonomous decisions makes them a formidable challenge for future cybersecurity defenses. However, by understanding these characteristics, we can start to develop effective strategies and technologies to counter these emerging threats.
Luckily, the autonomous malware PoC we set up and the potential upcoming ones have still limitations: they rely on generic language models hosted online, this mean the internet connectivity is, and will be, a requirement for at least some time. But, we are likely going to see the adoption of local LLM models, maybe even special-purpose ones, directly embedded in the future malicious agents.
AI technology is in a rapid-development stage, and even if it is pretty young, its adoption across various sectors is widening, including in the criminal underground.
BLACK HAT ASIA Threat groups have infected millions of Androids worldwide with malicious firmware before the devices have even been shipped from their manufacturers, according to Trend Micro researchers at Black Hat Asia.
The mainly mobile devices, but also smartwatches, TVs and more, have their manufacturing outsourced to an original equipment manufacturer (OEM), a process the researchers say makes them easily infiltrated.
âWhat is the easiest way to infect millions of devices?â posed senior threat researcher Fyodor Yarochkin, speaking alongside colleague Zhengyu Dong.
He compared infiltrating devices at such an early stage of their life cycle to a tree absorbing liquid: you put the infection at the root, and it gets distributed everywhere, out to every single limb and leaf.
The malware installation technique began as the price of mobile phone firmware dropped. Competition between firmware distributors became so furious that eventually the providers could not charge money for their product.
âBut of course thereâs no free stuff,â said Yarochkin, who explained that the firmware started to come with an undesirable feature â silent plugins. The team manually analyzed dozens of firmware images looking for malicious software. They found over 80 different plugins, although many of those were not widely distributed.
The plugins that were the most impactful were those that had built a business model around them and were selling underground services, marketing them out in the open on places like Facebook, in blog posts, and on YouTube.
The objective of the malware is to steal info or make money from information collected or delivered.
The malware turns the devices into proxies which are used to steal and sell SMS messages, social media and online messaging accounts, and used as monetization opportunities via adverts and click fraud.
One type of plugin, proxy plugins, allow the criminal to rent out devices for up to around five minutes at a time. For example, those renting the control of the device could acquire data on keystrokes, geographical location, IP address and more.
âThe user of the proxy will be able to use someone elseâs phone for a period of 1200 seconds as an exit node,â said Yarochkin. He also said the team found a Facebook cookie plugin that was used to harvest activity from the Facebook app.
Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million.
As for where the threats are coming from, the duo wouldnât say specifically, although the word âChinaâ showed up multiple times in the presentation, including in an origin story related to the development of the dodgy firmware. Yarochkin said the audience should consider where most of the world’s OEMs are located and make their own deductions.
âEven though we possibly might know the people who build the infrastructure for this business, its difficult to pinpoint how exactly the this infection gets put into this mobile phone because we donât know for sure at what moment it got into the supply chain,â said Yarochkin.
The team confirmed the malware was found in the phones of at least 10 different vendors, but that there was possibly around 40 more affected. For those seeking to avoid infected mobile phones, they could go some way of protecting themselves by going high end.
âBig brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market,â said Yarochkin. Âź
A new piece of malware known as Atomic macOS Stealer (AMOS) was recently discovered by researchers as it was being offered for sale on Telegram. The threat actor who is promoting it charges $1,000 each month and continually updates the virus that they are selling. The Atomic macOS Stealer is capable of stealing a variety of information from the computer of the victim, such as passwords saved in the Keychain, comprehensive system information, files from the victimâs desktop and documents folder, and even the macOS password itself.
One of its many capabilities is the extraction of data from web browsers and cryptocurrency wallets such as Atomic, Binance, Coinomi, Electrum, and Exodus. This is only one of its many functions. When a threat actor purchases the stealer from the creators of the stealer, they are also given a web panel that is pre-configured and ready to use for managing the victims.
In the event that AMOS is installed, it has the potential to compromise a broad range of data, some of which include the passwords for iCloud Keychain, the password for the macOS system, cookies, passwords, and credit card credentials from browsers like as Chrome, Firefox, Brave, Edge, and Opera, among others. Additionally, it has the ability to compromise cryptocurrency wallets such as Atomic, Binance, Exodus, Electrum, MetaMask, and a great number of others.
A web panel, a program called Brute MetaMask, logs in Telegram with alerts, and more features are provided to customers by the malicious party that is offering malware as a service.
The following is the message that the threat actor posted on Telegram while trying to sell the malware:
After the malware has gained access to a userâs information, it places the information into a ZIP file, compresses it, and then sends it to the malicious party via a command and control server URL.
It is imperative that users only download and install software from trusted sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received via email or SMS messages as a result of this development, which is another sign that macOS is increasingly becoming a lucrative target beyond nation-state hacking groups to deploy stealer malware. The development is also a sign that macOS is becoming a target for cybercriminals to deploy stealer malware.
To protect against it:
Only applications from the official Apple App Store should be downloaded and installed on your device. Install an antivirus and internet security software package that has a good reputation on your computer. Make sure to use secure passwords, and implement multi-factor authentication whenever itâs possible. When it is feasible to do so, enable the biometric security capabilities of the device, such as fingerprint or face recognition, so that it can be unlocked. Always use caution before clicking on any links that are delivered to you in emails. When enabling any permissions, exercise extreme caution. Make that all of your software, including operating systems and apps, is up to date.
Living without the Internet is hardly imaginable today. However, the anonymity of the internet has led to the flourishing of cyber attacks and malware. Malicious software can cause damage to our devices, steal personal data, and lead to monetary loss. Therefore, protecting your computer from these threats is crucial. This article will outline some methods and resources for protecting your devices from malicious software, and explain why itâs essential to use malware removal at all times.
Tip #1: Keep Your Operating System and Software Up to Date
One of the most crucial things you can do to keep your computer secure is to keep your operating system and software up to date. Security patches are frequently released by software developers to address flaws that hackers could exploit. Failing to update your system and software leaves your computer vulnerable to potential threats.
To ensure that your operating system and software are up to date, itâs important to turn on automatic updates. This will ensure that your system gets updates as soon as they become available. Additionally, you can manually check for updates by accessing the settings for your software or operating system. By doing this, you can be certain that your computer is protected against potential threats.
Tip #2: Use Antivirus and Anti-Malware Software
Antivirus and malware removal software are essential tools for protecting your computer against malicious software such as viruses, spyware, and ransomware. These programs scan your computer on a regular basis for malware and remove it if found. By using antivirus and anti-malware software, you can safeguard your computer from malicious attacks and maintain its security.
When it comes to antivirus and anti-malware software, itâs crucial to choose a reputable and trustworthy option that offers comprehensive protection against various types of malware. With numerous software options available on the market, selecting the right one can be overwhelming. However, by doing some research and selecting the one that meets your needs, you can ensure that your computer remains protected from potential threats.
Tip #3: Use a Firewall
A firewall is a crucial security system that monitors and controls network traffic, both incoming and outgoing. It serves as a barrier between your computer and the internet, blocking unauthorized access. By utilizing a firewall, you can protect your computer from potential cyber attacks and enhance its security.
Most operating systems come with a built-in firewall that you can enable by going to your systemâs settings. However, you can further increase your computerâs security by installing a third-party firewall. These firewalls offer additional features and customization options that can help you tailor the protection to your needs. By using a firewall, you can safeguard your computer against potential threats and enhance its overall security.
Tip #4: Use Strong and Unique Passwords
Using strong and unique passwords is crucial in safeguarding your device against potential cyber attacks. Cybercriminals frequently use automated programs to guess passwords and weak passwords are easily guessed, allowing them to gain access to your computer more easily. By using strong and unique passwords, you can significantly enhance your computerâs security.
To create a strong password, use a combination of letters, numbers, and symbols. Avoid using common phrases or words that are easily guessed. Additionally, do not use the same password for multiple accounts, as this can leave you vulnerable if one account is compromised. Consider using a password manager to generate and store strong and unique passwords for all your accounts. By taking these steps, you can ensure that your computer remains protected against potential threats.
Tip #5: Be Wary of Phishing Scams
Phishing scams are a type of social engineering attack that cybercriminals use to trick people into disclosing sensitive information like passwords and credit card numbers. These scams can be sent via email, text messages, or even social media. Falling prey to a phishing scam can lead to significant financial loss and compromise your personal information.
To avoid falling victim to phishing scams, itâs important to be cautious of any suspicious emails or messages. Do not click on any unknown links or download any attachments from suspicious sources. Always check the senderâs email address to ensure that it is from a legitimate source.
If you receive an email that appears to be from your bank or another financial institution, do not provide any sensitive information. Instead, contact the institution directly to confirm the authenticity of the email. By taking these steps, you can protect yourself from phishing scams and keep your personal information secure.
Tip #6: Use Two-Factor Authentication
Two-factor authentication (2FA) is a crucial security measure that adds an extra layer of protection to your online accounts. This security measure requires users to provide two forms of identification before accessing their accounts, making it more difficult for cybercriminals to access your information. Two-factor authentication can prevent unauthorized access to your accounts and protect your sensitive information from being compromised.
Many online services, such as email and social media platforms, offer two-factor authentication as an additional security measure. To enable two-factor authentication, go to your account settings and follow the instructions provided by the service. You can usually choose between receiving a code via text message or using an authentication app. Enabling two-factor authentication can greatly improve the security of your accounts and help keep your personal information safe.
Tip #7: Back Up Your Data Regularly
The best practice to protect your data from cyber attacks is to regularly back it up. If your computer is infected with malware or hacked, you might lose all your data. By backing up your data regularly, you can easily restore your data in the event of a cyber attack.
In conclusion, adhering to the tips and tools mentioned above can not only safeguard your personal or business data but also prevent potential embarrassment and costly fines. Use anti-virus and anti-malware software.
There is evidence that ChatGPT has helped low-skill hackers generate malware, which raises worries about the technology being abused by cybercriminals. ChatGPT cannot yet replace expert threat actors, but security researchers claim there is evidence that it can assist low-skill hackers create malware.
Since the introduction of ChatGPT in November, the OpenAI chatbot has assisted over 100 million users, or around 13 million people each day, in the process of generating text, music, poetry, tales, and plays in response to specific requests. In addition to that, it may provide answers to exam questions and even build code for software.
It appears that malicious intent follows strong technology, particularly when such technology is accessible to the general people. There is evidence on the dark web that individuals have used ChatGPT for the development of dangerous material despite the anti-abuse constraints that were supposed to prevent illegitimate requests. This was something that experts feared would happen. Because of this, experts from forcepoint came to the conclusion that it would be best for them not to create any code at all and instead rely on only the most cutting-edge methods, such as steganography, which were previously exclusively used by nation-state adversaries.
The demonstration of the following two points was the overarching goal of this exercise:
How simple it is to get around the inadequate barriers that ChatGPT has installed.
How simple it is to create sophisticated malware without having to write any code and relying simply on ChatGPT
Initially ChatGPT informed him that malware creation is immoral and refused to provide code.
To avoid this, he generated small codes and manually assembled the executable. The first successful task was to produce code that looked for a local PNG greater than 5MB. The design choice was that a 5MB PNG could readily hold a piece of a business-sensitive PDF or DOCX.
2. Then asked ChatGPT to add some code that will encode the found png with steganography and would exfiltrate these files from computer, he asked ChatGPT for code that searches the Userâs Documents, Desktop, and AppData directories then uploads them to google drive.
3. Then he asked ChatGPT to combine these pices of code and modify it to to divide files into many âchunksâ for quiet exfiltration using steganography.
4. Then he submitted the MVP to VirusTotal and five vendors marked the file as malicious out of sixty nine.
5. This next step was to ask ChatGPT to create its own LSB Steganography method in my program without using the external library. And to postpone the effective start by two minutes.https://www.securitynewspaper.com/2023/01/20/this-new-android-malware-allows-to-hack-spy-on-any-android-phone/embed/#?secret=nN5212UQrX#?secret=8AnjYiGI6e
6. The another change he asked ChatGPT to make was to obfuscate the code which was rejected. Once ChatGPT rejected hisrequest, he tried again. By altering his request from obfuscating the code to converting all variables to random English first and last names, ChatGPT cheerfully cooperated. As an extra test, he disguised the request to obfuscate to protect the codeâs intellectual property. Again, it supplied sample code that obscured variable names and recommended Go modules to construct completely obfuscated code.
7. In next step he uploaded the file to virus total to check
And there we have it; the Zero Day has finally arrived. They were able to construct a very sophisticated attack in a matter of hours by only following the suggestions that were provided by ChatGPT. This required no coding on our part. We would guess that it would take a team of five to ten malware developers a few weeks to do the same amount of work without the assistance of an AI-based chatbot, particularly if they wanted to avoid detection from all detection-based suppliers.
Malware comes in many forms: the unwanted programs can surface as pathogens, spies, or remote controls in computers. Whether itâs a virus, spyware, or a Trojan horse, this harmful software should be kept well away from your computer. What are the different types of malware? We show you how to protect yourself from them and what steps to take if your computer or webspace are affected.
The RIG exploit kit (EK) touched an all-time high successful exploitation rate of nearly 30% in 2022, new findings reveal.
“RIG EK is a financially-motivated program that has been active since 2014,” Swiss cybersecurity company PRODAFT said in an exhaustive report shared with The Hacker News.
“Although it has yet to substantially change its exploits in its more recent activity, the type and version of the malware they distribute constantly change. The frequency of updating samples ranges from weekly to daily updates.”
Exploit kits are programs used to distribute malware to large numbers of victims by taking advantage of known security flaws in commonly-used software such as web browsers.
The fact that RIG EK runs as a service model means threat actors can financially compensate the RIG EK administrator for installing malware of their choice on victim machines. The RIG EK operators primarily employ malvertising to ensure a high infection rate and large-scale coverage.
As a result, visitors using a vulnerable version of a browser to access an actor-controlled web page or a compromised-but-legitimate website are redirected using malicious JavaScript code to a proxy server, which, in turn, communicates with an exploit server to deliver the appropriate browser exploit.
The exploit server, for its part, detects the user’s browser by parsing the User-Agent string and returns the exploit that “matches the pre-defined vulnerable browser versions.”
“The artful design of the Exploit Kit allows it to infect devices with little to no interaction from the end user,” the researchers said. “Meanwhile, its use of proxy servers makes infections harder to detect.”
Since arriving on the scene in 2014, RIG EK has been observed delivering a wide range of financial trojans, stealers, and ransomware such as AZORult, CryptoBit, Dridex, Raccoon Stealer, and WastedLoader. The operation was dealt a huge blow in 2017 following a coordinated action that dismantled its infrastructure.
Packers are becoming an increasingly important tool for cybercriminals to use in the commission of illegal acts. On hacker forums, the packer is sometimes referred to as âCrypterâ and âFUD.â Its primary function is to make it more difficult for antivirus systems to identify malicious code. Malicious actors are able to disseminate their malware more quickly and with fewer consequences when they use a packer. It doesnât matter what the payload is, which is one of the primary qualities of a commercial Packer-as-a-Service, which implies that it may be used to pack a variety of different harmful samples. This opens up a lot of opportunities for cybercriminals. Another key quality of the packer is that it is transformational. Because the packerâs wrapper is changed on a frequent basis, it is able to avoid detection by devices designed to enhance security.
According to Checkpoint, TrickGate is an excellent illustration of a robust and resilient packer-as-a-service. It has been able to go under the radar of cyber security researchers for a number of years and is consistently becoming better in a variety of different ways.
Although a lot of very good study was done on the packer itself, TrickGate is a master of disguises and has been given a number of different titles due to the fact that it has so many different characteristics. A number of names have been given to it, including âTrickGate,â âEmotetâs packer,â ânew loader,â âLoncom,â and âNSIS-based crypter.â
At the end of 2016, they made our first observation of TrickGate. During that time, it was used to spread the Cerber malware. Since that time, they have been doing ongoing research on TrickGate and have discovered that it is used to propagate many forms of malicious software tools, including ransomware, RATs, information thieves, bankers, and miners. It has come to their attention that a significant number of APT organizations and threat actors often employ TrickGate to wrap their malicious code in order to evade detection by security solutions. Some of the most well-known and top-distribution malware families have been wrapped by TrickGate,
including Cerber, Trickbot, Maze, Emotet, REvil, CoinMiner, Cobalt Strike, DarkVNC, BuerLoader, HawkEye, NetWire, AZORult, Formbook, Remcos, Lokibot, AgentTesla, and many more. TrickGate has also been involved in the wrapping of many other malware.
PlugX malware has been around for almost a decade and has been used by multiple actors of Chinese nexus and several other cybercrime groups.
The Palo Alto Networks Unit 42 incident response team has discovered a new variant of PlugX malware that is distributed via removable USB devices and targets Windows PCs. This should not come as a surprise since 95.6% of new malware or their variants in 2022 targeted Windows.
According to Unit 42 researchers, the new variant was detected when carrying out an incident response post a Black Basta ransomware attack. The researchers uncovered several malware samples and tools on the victimsâ devices. This includes the Brute Ratel C4 red-teaming tool, GootLoader malware, and an old PlugX sample.
PlugX malware has been around for almost a decade and has been used by multiple actors of Chinese nexus and several other cybercrime groups. The malware was previously used in many high-profile cyberattacks, such as the 2015 U.S. Government Office of Personnel Management (OPM) breach.
The same backdoor was also used in the 2018 malware attack on the Android devices of minority groups in China. Most recently, in November 2022, researchers linked Google Drive phishing scams to the group infamously known for using PlugX malware.
Scope of Infection
The new variant stood out among other malware because it could infect any attached removable USB device, e.g., floppy, flash, thumb drives, and any system the removable device was plugged into later.
So far, no evidence connects the PlugX backdoor or Gootkit to the Black Basta ransomware group, and researchers believe another actor could have deployed it. Moreover, researchers noted that the malware could copy all Adobe PDF and Microsoft Word documents from the host and places them in a hidden folder on the USB device. The malware itself creates this folder.
Malware Analysis
Unit 42 researchers Jen Miller-Osborn and Mike Harbison explained in their blog post that this variant of PlugX malware is a wormable, second-stage implant. It infects USB devices and stays concealed from the Windows operating file system. The user would not suspect that their USB device is being exploited to exfiltrate data from networks.
PlugXâs USB variant is different because it uses a specific Unicode character called non-breaking space/ U+00A0 to hide files in a USB device plugged into a workstation. This character prevents the Windows OS from rendering the directory name instead of leaving an anonymous folder in Explorer.
Furthermore, the malware can hide actor files in a removable USB device through a novel technique, which even works on the latest Windows OS.
The malware is designed to infect the host and copy the malicious code on any removable device connected to the host by hiding it in a recycle bin folder. Since MS Windows OS by default doesnât show hidden files, the malicious files in recycle bin arenât displayed, but, surprisingly, it isnât shown even with the settings enabled. These malicious files can be viewed/downloaded only on a Unix-like OS or through mounting the USB device in a forensic tool.
The malware features also include file transfer, keylogging, stealing passwords stored in the browser, clipboard data stealing, cookies exfiltration and more.
Threat analysis firm Securonixâs cybersecurity researchers have discovered a new malware dubbed PY#RATION allowing attackers to steal sensitive files and log keystrokes from impacted devices.
Malware Distribution Technique
The malware is distributed through a conventional phishing mechanism in which the email contains a password-protected ZIP archive. When it is unpacked, two shortcut image files appear, titled front.jpg.lkn and back.jpg.lnk. When launched, these files display the front and back of a driverâs license that doesnât exist.
Images used in the scam (Credit: Securonix)
With this, the malicious code is also executed, leading to two new files being downloaded from the internet. These files are titled front.txt and back.txt, later renamed to .bat docs and executed. The malware disguises itself as Cortana virtual assistant to ensure persistence on the system.
What is PY#RATION
PY#RATION is a Python-based malware that displays a RAT (remote access trojan) like behaviour to sustain control over the affected host. The malware has various capabilities and functionalities, such as keylogging and data exfiltration.
However, the unique aspect is that it uses WebSocket for exfiltration and C2 communication, and evades detection from network security solutions and antivirus programs. Leveraging Pythonâs built-in Socket.IO framework that facilitates client and server WebSocket communications, the malware pulls data and gets commands over a single TCP connection through open ports simultaneously.
Moreover, according to a blog post published by Securonix, the attackers use the same C2 address, which the IPVoid checking system is yet to block. Researchers believe this malware is still under active development as they have detected multiple versions since August 2022. The malware receives instructions from the operations through WebSocket and obtains sensitive data.
Potential Dangers
This Python RAT is packed into an executable that uses automated packers such as âpyinstallerâ and âpy2exeâ to convert Python code into Windows executables. This helps inflate payload size (The first detected version 1.0 being 14MB and the last detected version 1.6.0 being 32 MB containing 1000+ lines and additional code).
Infection chain of the PY#RATION python malware (Credit: Securonix)
Researchers claim that the latest version of the payload remains undetected by all except for one antivirus engine listed on VirusTotal.
The malware features include file transfer to and from the C2 server, network enumeration, shell command execution, keylogging, stealing passwords stored in the browser, host enumeration, clipboard data stealing, and cookies exfiltration. Whoâs behind this campaign, the distribution volume, and campaign objectives are still unclear.
The FBI has recently warned the public about search engine ads pushing malware disguised as legitimate software â an old tactic that has lately resulted in too many malicious ads served to users searching for software, cracked software, drivers â anything that can be downloaded, really â via Google and Bing.
The recent explosion of search engine malvertising
Malware peddlers employ a variety of methods to deliver their wares to unsuspecting users:
Malicious links or attachments served via email and messages, or posts on social media, online forums and IM groups
The latter tactic is particularly good at hitting a wide pool of potential targets, since most internet users also use search engines.
Lately, though, they have been overdoing it â or perhaps itâs just that more people have begun noticing it and talking about it online?
Many documented campaigns
HP threat researcher Patrick SchlĂ€pfer says that they have seen âa significant increase in malware distributed through malvertising, with multiple threat actors currently using this technique.â
Some of these campaigns have been going on since late last year, and mostly target users searching to download popular software (e.g., Audacity, Blender 3D, GIMP, Notepad++, Microsoft Teams, Discord, Microsoft OneNote, 7zip, OBS, etc.).
The malicious ads often manage to be the first link users see when searching for software on Google, and point to a (usually typosquatting) domain that resembles the original software manufacturerâs page. Clicking on the download link triggers the download of the malicious package from a file-hosting and sharing service (e.g., Dropbox), an app development platform (e.g., Google Firebase), or a code-hosting service (e.g., GitHub).
Protect yourself and your loved ones
While Google and Microsoft are trying to keep their users safe, itâs becoming obvious that they are failing to keep pace with the rapid change of tricks employed by cybercriminals to push those ads.
As some ads are removed and new ones inevitably spring up, we are forced to do what we can to protect themselves.
Just being aware of this danger and knowing about the prevalence of these malicious ads will help. Also, carefully check whether the URL to which the advertisement points is the correct one (e.g., by comparing it with the official domain listed on the softwareâs Wikipedia page).
If you fail to spot the malicious nature of the ad and the typosquatting site, donât ignore warnings you might get from Microsoft Defender or another security solution you use.
But the best advice may be to completely avoid clicking on Google and Bing ads â either by recognizing them and avoiding them consciously, or by installing an ad-blocking extension that will stop those ads from being displayed. That latter option is perhaps the best one for less tech-savvy users, to completely remove the temptation of willy-nilly clicking on potentially malicious ads â wherever they might pop up.
Google and Microsoft, on the other hand, may want to ramp up their efforts to block this kind of abuse of their ad network, or risk their reputation being dented and more and more users start using ad blockers.
Malware analysis tools are highly essential for Security Professionals who always need to learn many tools, techniques, and concepts to analyze sophisticated Threats and current cyber attacks.
Malware Analysis Tools & Courses
Malware Analysis Courses
Hex Editors
Disassemblers
Detection and Classification
Dynamic Binary Instrumentation
Dynamic Analysis
Deobfuscation
Debugging
Malware Analaysis Courses
Reverse Engineering
Binary Analysis
Decompiler
Bytecode Analysis
Reconstruction
Memory Forensics
Windows Artifacts
Storage and Workflow
Malware samples
Courses
Domain Analysis
Books
Malware Analysis Courses
Here we have listed the best courses list for malware analysis, reverse engineering, exploit development and more..
A hex editor (or binary file editor or byteeditor) is a type of computer program that allows for manipulation of the fundamental binary data that constitutes a computer file. The name âhexâ comes from âhexadecimalâ: a standard numerical format for representing binary data.
A disassembler is a computer program that translates machine language into assembly languageâthe inverse operation to that of an assembler.
A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language. Disassembly, the output of a disassembler, is often formatted for human-readability rather than suitability for input to an assembler, making it principally a reverse-engineering tool.
This introductory malware dynamic analysis class is dedicated to people who are starting to work on malware analysis or who want to know what kinds of artifacts left by malware can be detected via various tools.
The class will be a hands-on class where students can use various tools to look for how malware is: Persisting, Communicating, and Hiding
WinDbgâ multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
X64dbgâ An open-source x64/x32 debugger for windows.
Binary Format and  Binary Analysis
The Compound File Binary Format is the basic container used by several different Microsoft file formats such as Microsoft Office documents and Microsoft Installer packages.
A decompiler is a computer program that takes an executable file as input, and attempts to create a high level source file which can be recompiled successfully. It is therefore the opposite of a compiler, which takes a source file and makes an executable.Generic Decompiler
Metadefender.com â Scan a file, hash or IP address for malware (free).
NetworkTotal â A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
Noriben â Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
Aleph â Open Source Malware Analysis Pipeline System.
CRITs â Collaborative Research Into Threats, a malware and threat repository.
FAME â A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.
AnalyzePDFâ A tool for analyzing PDFs and attempting to determine whether they are malicious.
box-js â A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
diStormâ Disassembler for analyzing malicious shellcode.
JS Beautifier â JavaScript unpacking and deobfuscation.
JS Deobfuscator â Deobfuscate simple Javascript that use eval or document.write to conceal its code.
libemu â Library and tools for x86 shellcode emulation.
malpdfobjâ Deconstruct malicious PDFs into a JSON representation.
OfficeMalScanner â Scan for malicious traces in MS Office documents.
olevba â A script for parsing OLE and OpenXML documents and extracting useful information.
Origami PDFâ A tool for analyzing malicious PDFs, and more.
PDF Tools â pdfid, pdf-parser, and more from Didier Stevens.
PDF X-Ray Liteâ A PDF analysis tool, the backend-free version of PDF X-RAY.
peepdf â Python tool for exploring possibly malicious PDFs.
QuickSand â QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
Spidermonkeyâ Mozillaâs JavaScript engine, for debugging malicious JS.
Practice Malware Analysis ToolsÂ
Practice Reverse Engineering. Be careful with malware.
RPISEC Malware Analysis â These are the course materials used in the Malware Analysis course at at Rensselaer Polytechnic Institute during Fall 2015.
/r/ReverseEngineeringâ Reverse engineering subreddit, not limited to just malware.
Credits
This list is Created with helping of following Awesome Peoples.
Lenny Zeltser and other contributors for developing REMnux.
Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for writing the Malware Analystâs Cookbook, which was a big inspiration for creating the list;
An advanced malware downloader named GuLoader has recently been exposed by cybersecurity researchers at CrowdStrike. This advanced downloader has the capability to evade the detection of security software by adopting a variety of techniques.
While analyzing the shellcode of GuLoader, a brand-new anti-analysis technique was discovered by CrowdStrike through which researchers would be able to identify if the malware is operating in an adversarial environment or not. While this is done by examining the whole process memory for any VM-related strings.
Evolution of GuLoader Malware
On infected machines, GuLoader (aka CloudEyE) distributes remote access trojans like AgentTesla, FormBook, Nanocore, NETWIRE, Remcos, and the Parallax RAT using the VBS downloader.
GuLoader has been active since at least 2019 and has undergone several changes in its functionality and delivery methods. Over time, the malware has become more sophisticated, using various methods to evade detection and avoid being removed from infected systems.
It has also been distributed through other channels, such as exploit kits and hacked websites. While it has evolved over time and has been used in various campaigns to deliver a range of malware, including ransomware, banking Trojans, and other types of malware.
A strong anti-analysis technique was also deployed by GuLoader in order to avoid detection in order to remain undetected.
GuLoader exhibits a three-stage process, the VBScript script will first inject the shellcode embedded within it into the memory, then the next stage of the process will execute anti-analysis checks that will protect the code from being analyzed.
Furthermore, the shellcode also incorporates the same anti-analysis methods in order to avoid detection by third parties. It is through this shellcode that an attacker is able to download a final payload of their choice and execute it with the same anti-analysis methods as the original shellcode on the host that is compromised.
Detecting breakpoints used for code analysis is done with anti-debugging and anti-disassembling checks in the malware.
There is also a redundant code injection mechanism that can be used to avoid the use of a NTDLL.dll hook that is commonly used by antivirus programs and EDRs.
In order to detect and flag processes on Windows that may be suspicious, anti-malware engines use NTDLL.dll API hooking.
Anti-Analysis Techniques
Here below we have mentioned the anti-analysis techniques used:-
Anti-Debugging
Anti-Virtual Machine
Process Hollowing
It was pointed out by experts that GuLoader remains a treacherous threat that is constantly evolving as it continues to develop. Furthermore, experts also provided indicators of compromise for the latest version of the downloader, as well as other key information.
Researchers at Phylum recently discovered that hackers had been injecting information stealer malware into Python developersâ machines in order to steal their information.
As they dug deeper, they discovered a new stealer variant with many different names. While apart from this, the source code of the program reveals that it is a straightforward copy of the old Stealer, W4SP.
Attack Chainto Deploy Malware
A stealer in this case dropped directly into the main.py file rather than obfuscating the code or being obvious about the attempts to escape detection.
Only one instance has been found in which multiple stages were used in order to obfuscate and obscure the attackerâs intentions. In this case, the attacker used a package called chazz to pull obfuscated code from the klgrth.io website, using a simple first stage to get it.
There is a great deal of similarity between the first stage of the stealer code and the injector code. While this has been obfuscated with BlankOBF, itâs an obfuscation program. As soon as it is de-obfuscated, it reveals the Leaf $tealer.
Malicious Packages
Listed below are packages that feature similar IOC and apart from this, what we can expect is this list will grow over the coming months and years:-
modulesecurity â âCelestial Stealerâ
informmodule â âLeaf $tealerâ
chazz â first stage that pull from https://www.klgrth.io/paste/j2yvv/raw which contains the obfuscated code shown above
randomtime â âANGEL stealerâ
proxygeneratorbil â â@skid STEALERâ
easycordey â â@skid Stealerâ
easycordeyy â â@skid Stealerâ
tomproxies â â@skid STEALERâ
sys-ej â âHyperion Obfuscated codeâ
infosys â â@734 Stealerâ
sysuptoer â âBulkFA Stealerâ
nowsys â âANGEL Stealerâ
upamonkws â âPURE Stealerâ
captchaboy â â@skid STEALERâ
proxybooster â âFade Stealerâ
W4SP Copies
W4SPâs original publication in loTusâs repository has been disabled by GitHub staff due to the violation of the T&C of GitHub, and as a result, it will be not found anymore.
It has been Phylumâs mission for some time to monitor the actions of these threat actors in an attempt to finally bring down their infrastructure, due to their persistent, pervasive, and egregious nature.
It was discovered that several copies of W4SP-Stealer started flashing under different names as soon as the repo for W4SP-Stealer was removed. This new stealer is even being distributed through PyPI by threat actors already, which is a sign that it is becoming a real threat.
It has been discovered that W4SP has been hosted in two GitHub repositories under two different aliases, each with its own purpose.
Satan Stealer
angel-stealer
There is a copy of the original source here, as well as the earlier versions of W4SP, hosted in an account titled aceeontop.Â
W4SP Stealer will likely remain part of the scene for quite some time to come, as will their imitations and other variants.
There will be a constant increase in their number of attempts, their persistence, and their sophistication as time passes. However, Phylum ensured that it would mitigate and block supply chain attacks since its platform is capable enough in doing so.
Microsoft disclosed technical details of a vulnerability in Apple macOS that could be exploited by an attacker to bypass Gatekeeper.
Microsoft has disclosed details of a now-fixed security vulnerability dubbed Achilles (CVE-2022-42821, CVSS score: 5.5) in Apple macOS that could be exploited by threat actors to bypass the Gatekeeper security feature.
The Apple Gatekeeper is designed to protect OS X users by performing a number of checks before allowing an App to run. In fact, you will not be able to execute code that wasnât signed by an Apple developer, you will not be able to run apps that werenât downloaded from Appleâs store if the device is not jailbreaked of course.
The flaw was discovered on July 27, 2022, by Jonathan Bar Or from Microsoft, it is a logic issue that was addressed with improved checks.
âOn July 27, 2022, Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by Appleâs Gatekeeper security mechanism, designed to ensure only trusted apps run on Mac devices. We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call âAchillesâ.â reads the post published by Microsoft.
Microsoft researchers explained that Gatekeeper bypasses can be used by threat actors to install malware on macOS systems.
The experts pointed out that Appleâs Lockdown Mode introduced in July does not prevent the exploitation of the Achilles bug.
The Achilles vulnerability relies on the Access Control Lists (ACLs) permission model to add extremely restrictive permissions to a downloaded file (i.e., âeveryone deny write, writeattr, writeextattr, writesecurity, chownâ), to block the Safari browser from setting the quarantine extended attribute.
Below is the POC developed by Microsoft:
Create a fake directory structure with an arbitrary icon and payload.
Create an AppleDouble file with the com.apple.acl.text extended attribute key and a value that represents a restrictive ACL (we chose the equivalent of âeveryone deny write,writeattr,writeextattr,writesecurity,chownâ). Perform the correct AppleDouble patching if using ditto to generate the AppleDouble file.
Create an archive with the application alongside its AppleDouble file and host it on a web server.
