May 13 2022

New Nerbian RAT spreads via malspam campaigns using COVID-19

Category: Malware | DISC @ 8:41 am

Researchers spotted a new remote access trojan, named Nerbian RAT, which implements sophisticated evasion and anti-analysis techniques.

Researchers from Proofpoint discovered a new remote access trojan called Nerbian RAT that implements sophisticated anti-analysis and anti-reversing capabilities.

The malware spreads via malspam campaigns that use COVID-19 and World Health Organization (WHO) themes. The RAT takes its name from a function in the malware's source code; Nerbia is a fictional place in the novel Don Quixote.

WHO nerbian RAT

The Nerbian RAT is written in the Go programming language and compiled for 64-bit systems, which makes the malware multiplatform.

The malspam campaign spotted by Proofpoint started on April 26 and targeted multiple industries.

“Starting on April 26, 2022, Proofpoint researchers observed a low volume (less than 100 messages) email-borne malware campaign sent to multiple industries. The threat disproportionately impacts entities in Italy, Spain, and the United Kingdom.” reads the analysis published by Proofpoint “The emails claimed to be representing the World Health Organization (WHO) with important information regarding COVID-19.” 

The emails contain a weaponized Word attachment, sometimes compressed with RAR. Once macros are enabled, the document displays information relating to COVID-19 safety, specifically measures for the self-isolation of infected individuals.

The document contains logos from the Health Service Executive (HSE), Government of Ireland, and National Council for the Blind of Ireland (NCBI).

Once the document is opened and the macro is enabled, a .bat file executes a PowerShell command that acts as a downloader for a Golang 64-bit dropper named “UpdateUAV.exe”.

The UpdateUAV executable is a dropper for the Nerbian RAT and borrows the code from various GitHub projects.

The Nerbian RAT supports a variety of functions, such as logging keystrokes, capturing screenshots, and handling communications over SSL.

“Proofpoint assesses with high confidence that the dropper and RAT were both created by the same entity, and while the dropper may be modified to deliver different payloads in the future, the dropper is statically configured to download and establish persistence for this specific payload at the time of analysis.” concludes the report that includes indicators of compromise (IoCs).

malspam – spam email that delivers malware

Anti-spam and Email Security

User’s Guide to Securing External Devices for Telework and Remote Access

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: COVID-19, malspam attack, remote access trojan (RAT)


May 09 2022

CERT-UA warns of malspam attacks distributing the Jester info stealer

Category: Malware | DISC @ 8:23 am

The Computer Emergency Response Team of Ukraine (CERT-UA) warns of attacks spreading info-stealing malware Jester Stealer.

The Computer Emergency Response Team of Ukraine (CERT-UA) has detected malspam campaigns aimed at spreading an info-stealer called Jester Stealer.

The malicious messages spotted by the Ukrainian CERT have the subject line “chemical attack” and contain a link to a weaponized Microsoft Excel file. Upon opening the Office document and activating the embedded macro, the infection process starts.

Government experts observed that malicious executables are downloaded from compromised web resources.

“The government’s team for responding to computer emergencies in Ukraine CERT-UA revealed the fact of mass distribution of e-mails on the topic of “chemical attack” and a link to an XLS-document with a macro.” reads the report published by CERT-UA. “If you open the document and activate the macro, the latter will download and run the EXE file, which will later damage the computer with the malicious program JesterStealer.” 

Jester Stealer

The Jester stealer is able to steal credentials and authentication tokens from Internet browsers, mail/FTP/VPN clients, cryptocurrency wallets, password managers, messengers, game programs, and more.

The info-stealer implements anti-analysis capabilities (anti-VM/debug/sandbox), but it does not implement any persistence mechanism. The threat actors exfiltrate data via Telegram using statically configured proxy addresses.

“Stolen data through statically defined proxy addresses (including in the TOR network) is transmitted to the attacker in the Telegram.” continues the report.

The report includes Indicators of Compromise (IoCs).


Tags: CERT-UA, malspam attack


May 06 2022

Vulnerable Docker Installations Are A Playhouse for Malware Attacks

Category: Cloud computing, Malware | DISC @ 8:31 am

Uptycs researchers identified ongoing malicious campaigns through our Docker honeypot targeting exposed Docker API.

The Uptycs Threat Research team has identified ongoing malicious campaigns through our Docker honeypot targeting exposed Docker API port 2375. The attacks are related to crypto miners and reverse shells on the vulnerable servers using base64-encoded commands in the cmdline, built to evade defense mechanisms. This article briefly discusses three types of attacks which we observed lately in our Docker honeypot.

  • Coinminer attacks
  • Reverse shell attacks
  • Kinsing malware attacks

Case 1 – Coinminer Attacks 

The coinminer attack chain involves several shell scripts to drop malicious components via deployment of legitimate Docker images on the vulnerable servers (the servers exposed to Docker API). 

Malicious Shell Scripts Involved In The Campaign

The threat actors tried to run the Alpine Docker image with the chroot command to gain full privileges on the vulnerable server host (a common misconfiguration). The attacker passed the curl utility as an argument to the Alpine image, which downloads and runs the malicious shell script (hash:

) on the vulnerable server host as shown below (see Figure 1).

Figure 1: honeypot log – command ran by attacker on the vulnerable server

Cronb.sh (the miner script)

Securing Docker: The Attack and Defense Way by [Nitin Sharma, Jeremy Martin, Daniel Traci]


Tags: Docker installation, Securing Docker


Apr 26 2022

Nation-state Hackers Target Journalists with Goldbackdoor Malware

Category: Hacking, Information Security, Malware | DISC @ 10:20 pm

A campaign by APT37 used sophisticated malware, which appears to be a successor to Bluelight, to steal information about journalists' sources.

Sophisticated hackers believed to be tied to the North Korean government are actively targeting journalists with novel malware dubbed Goldbackdoor. The attacks have consisted of a multistage infection campaign with the ultimate goal of stealing sensitive information from targets. The campaign is believed to have started in March and is ongoing, researchers have found.

Researchers at Stairwell followed up on an initial report from South Korea’s NK News, which revealed that a North Korean APT known as APT37 had stolen information from the private computer of a former South Korean intelligence official. The threat actor (also known as Ricochet Chollima, InkySquid, Reaper or ScarCruft) attempted to impersonate NK News and distributed what appeared to be novel malware in an attempt to target journalists who were using the official as a source, according to the report.

NK News passed details to Stairwell for further investigation. Researchers from the cybersecurity firm uncovered specific details of the malware, called Goldbackdoor. The malware is likely a successor of the Bluelight malware, according to a report they published late last week.

“The Goldbackdoor malware shares strong technical overlaps with the Bluelight malware,” researchers wrote. “These overlaps, along with the suspected shared development resource and impersonation of NK News, support our attribution of Goldbackdoor to APT37.”

APT37 was previously seen using Bluelight as a secondary payload last August in a series of watering hole attacks against a South Korean newspaper that used known Internet Explorer vulnerabilities.

As Stairwell researchers noted, journalists are “high-value targets for hostile governments” and are often the target of cyber-espionage attacks. In fact, one of the biggest security stories of last year was various governments’ use of the NSO Group’s Pegasus spyware against journalists, among other targets.

“[Journalists] often are aggregators of stories from many individuals–sometimes including those with sensitive access,” Stairwell researchers wrote. “Compromising a journalist can provide access to highly-sensitive information and enable additional attacks against their sources.”

Multi-Stage Malware

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics 


Tags: Goldbackdoor Malware


Apr 13 2022

China-linked Hafnium APT leverages Tarrask malware to gain persistence

Category: APT, Malware | DISC @ 8:28 am

The China-linked Hafnium APT group has started using a new piece of malware to gain persistence on compromised Windows systems.

The China-backed Hafnium cyberespionage group is likely behind a new piece of malware, dubbed Tarrask, that is used to maintain persistence on compromised Windows systems, Microsoft Threat Intelligence Center (MSTIC) experts reported.

HAFNIUM primarily targets entities in the United States across multiple industries, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control.

Microsoft Threat Intelligence Center (MSTIC) highlighted the simplicity of the technique employed by the Tarrask malware, which creates “hidden” scheduled tasks on the system to maintain persistence.

Tarrask creates new registry keys upon the creation of a new task:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}

Tarrask malware

“The first subkey, created within the Tree path, matches the name of the scheduled task. The values created within it (Id, Index, and SD) contain metadata for task registration within the system. The second subkey, created within the Tasks path, is a GUID mapping to the Id value found in the Tree key. The values created within (Actions, Path, Triggers, etc.) contain the basic parameters necessary to facilitate execution of the task.” reads the post published by Microsoft.

In the attack analyzed by Microsoft, the nation-state actors created a scheduled task named ‘WinUpdate’ via HackTool:Win64/Tarrask to re-establish any dropped connections to the C2 servers.

The attackers deleted the SD (security descriptor) value within the Tree registry path. The security descriptor defines the access controls for running the scheduled task.

The trick consists of erasing the SD value from the Tree registry path, which hides the task from the Windows Task Scheduler and from the schtasks command-line utility. The only way to see the task is to manually examine the registry in the Registry Editor.

The experts pointed out that executing a “reg delete” command to delete the SD value results in an “Access Denied” error even when run from an elevated command prompt. The only way to delete the SD value is to execute the command in the context of the SYSTEM user. For this reason, the Tarrask malware used token theft to obtain the security permissions associated with the lsass.exe process.
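Because a task registered without an SD value still executes but no longer appears in the Task Scheduler console or in schtasks output, the defensive check is to walk the TaskCache registry keys directly and compare them. The script below is an added example written for this post, not code from the Microsoft report: it enumerates every task subkey under Tree (those carrying an Id value; folders have none), resolves the matching Tasks\{GUID} key, and lists the registrations that lack an SD value. It must run from an elevated PowerShell prompt; the function and variable names are the example's own.

```powershell
# Added example, not code from the Microsoft report: list scheduled tasks whose
# Tree registration lacks an SD value, the condition that hides them from the Task
# Scheduler UI and schtasks.exe. Run from an elevated PowerShell prompt.
$treeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Get-TaskCacheRegistration {
    [CmdletBinding()]
    param()

    # Tree holds one subkey per task, nested inside folder subkeys; only task
    # subkeys carry an Id value, so folder keys are skipped here.
    Get-ChildItem -Path $treeRoot -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or $null -eq $props.PSObject.Properties['Id']) { return }

        # Id is the {GUID} naming the matching key under Tasks, which holds
        # Actions, Path, Triggers and the other execution parameters.
        $taskKey   = Join-Path $tasksRoot $props.Id
        $taskProps = Get-ItemProperty -Path $taskKey -ErrorAction SilentlyContinue

        [pscustomobject]@{
            TaskName       = $_.Name.Substring($_.Name.IndexOf('\Tree\') + 6)
            Id             = $props.Id
            HasSD          = ($null -ne $props.PSObject.Properties['SD'])
            TasksKeyExists = ($null -ne $taskProps)
            HasActions     = ($null -ne $taskProps -and $null -ne $taskProps.PSObject.Properties['Actions'])
        }
    }
}

# A task with no SD value but a complete Tasks\{GUID} entry still runs, yet is
# invisible to "schtasks /query" and the Task Scheduler console: Tarrask's trick.
Get-TaskCacheRegistration |
    Where-Object { -not $_.HasSD } |
    Format-Table TaskName, Id, TasksKeyExists, HasActions -AutoSize
```

Any row this prints deserves a closer look at the Actions and Path values of its Tasks\{GUID} key. The check only covers the SD-deletion variant described here; a complete task-persistence review should also compare the Tree entries against `schtasks /query /fo LIST` output and review the Task Scheduler operational event log.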

“The attacks we described signify how the threat actor HAFNIUM displays a unique understanding of the Windows subsystem and uses this expertise to mask activities on targeted endpoints to maintain persistence on affected systems and hide in plain sight.” concludes the report. “As such, we recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique.”

A Comprehensive Approach to Detect and Analyze Modern Malware

Tags: APT, Tarrask malware


Mar 24 2022

macOS Malware of Chinese Hackers Storm Cloud Exposed

Category: Malware | DISC @ 11:44 am

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

Tags: Chinese hackers, Storm Cloud, The Hacker and the State


Feb 25 2022

Ukraine: Belarusian APT group UNC1151 targets military personnel with spear phishing

Category: Information Security, Malware, Phishing | DISC @ 10:02 am

The CERT of Ukraine (CERT-UA) warned of a spear-phishing campaign targeting Ukrainian armed forces personnel.

The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of an ongoing spear-phishing campaign targeting private email accounts belonging to Ukrainian armed forces personnel.

The Ukrainian agency attributes the campaign to the Belarus-linked cyberespionage group tracked as UNC1151.

In mid-January, the Kyiv government attributed the defacement of dozens of Ukrainian government websites to the Belarusian APT group UNC1151. The defaced websites displayed the following message in Russian, Ukrainian and Polish.

“Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab (public, fairy tale and wait for the worst. It is for you for your past, the future and the future. For Volhynia, OUN UPA, Galicia, Poland and historical areas.” reads a translation of the message.

In November 2021, Mandiant Threat Intelligence researchers linked the Ghostwriter disinformation campaign (aka UNC1151) to the government of Belarus. In August 2020, security experts from FireEye uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites. According to FireEye, the campaign, tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.

Unlike other disinformation campaigns, GhostWriter does not spread through social networks; instead, the threat actors behind it abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.

Now Serhiy Demedyuk, deputy secretary of the National Security and Defence Council, has told Reuters that the Ukrainian government blames the UNC1151 APT group. Demedyuk explained that the attacks were carried out as cover for more destructive actions behind the scenes.

The nation-state group is using the compromised accounts to target contacts in the victims’ address books. The spear-phishing messages have been sent from email accounts using the domains

 and .

The phishing messages used a classic social engineering technique in the attempt to trick victims into providing their information to avoid the permanent suspension of their email accounts.

The phishing attacks are also targeting Ukrainian citizens, reported the State Service of Special Communications and Information Protection of Ukraine (SSSCIP).

Phishing and Communication Channels: A Guide to Identifying and Mitigating Phishing Attacks

Tags: spear-phishing


Feb 22 2022

Microsoft Safety Scanner

Category: Malware, Security vulnerabilities | DISC @ 10:10 am

How to Use Microsoft Safety Scanner for Windows

Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.

Note

Starting November 2019, Safety Scanner will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to run Safety Scanner. To learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

Important information

  • The security intelligence update version of the Microsoft Safety Scanner matches the version described in this web page.
  • Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan.
  • Safety Scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
  • This tool does not replace your antimalware product. For real-time protection with automatic updates, use Microsoft Defender Antivirus on Windows 11, Windows 10, and Windows 8 or Microsoft Security Essentials on Windows 7. These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on removing difficult threats.

System requirements

Safety Scanner helps remove malicious software from computers running Windows 11, Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. For details, refer to the Microsoft Lifecycle Policy.

How to run a scan

  1. Download this tool and open it.
  2. Select the type of scan that you want to run and start the scan.
  3. Review the scan results displayed on screen. For detailed detection results, view the log at %SYSTEMROOT%\debug\msert.log.

To remove this tool, delete the executable file (msert.exe by default).
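The three steps above are manual, and the two points that matter most (that the binary really is Microsoft's and that it is still inside its 10-day window) are easy to skip. The following wrapper is an added example, not Microsoft's own guidance: it checks the Authenticode signature, warns when the copy is older than the freshness window (using the file's last-write time as a stand-in for the download time, an assumption), launches the scanner, and then shows the tail of the msert.log file named above. The function name and the download path are the example's own; run it from an elevated prompt, since the scanner itself needs administrator rights.

```powershell
# Added example, not Microsoft's guidance: run Safety Scanner with the checks
# a practitioner wants around it. Assumes msert.exe was already downloaded to
# the path passed in -ScannerPath. Run from an elevated PowerShell prompt.
function Invoke-SafetyScannerChecked {
    param(
        [Parameter(Mandatory)] [string] $ScannerPath,
        [int] $MaxAgeDays = 10      # the tool stops working 10 days after download
    )
    if (-not (Test-Path -Path $ScannerPath)) { throw "Scanner not found at $ScannerPath" }

    # 1. Refuse to run a binary whose Authenticode signature is not valid or not Microsoft's
    $sig = Get-AuthenticodeSignature -FilePath $ScannerPath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        throw "Unexpected signature state '$($sig.Status)' on $ScannerPath"
    }

    # 2. Warn if this copy is past the freshness window (assumption: the file's
    #    last-write time approximates when it was downloaded)
    $age = (Get-Date) - (Get-Item -Path $ScannerPath).LastWriteTime
    if ($age.TotalDays -gt $MaxAgeDays) {
        Write-Warning "This copy is $([int]$age.TotalDays) days old; download a fresh one before scanning."
    }

    # 3. Run the scanner and wait; the scan type is chosen in its own dialog
    Start-Process -FilePath $ScannerPath -Wait

    # 4. Show the detailed results behind the on-screen summary
    $log = Join-Path $env:SystemRoot 'debug\msert.log'
    if (Test-Path -Path $log) { Get-Content -Path $log -Tail 50 } else { Write-Warning "No log at $log" }
}

Invoke-SafetyScannerChecked -ScannerPath "$env:USERPROFILE\Downloads\msert.exe"
```

The signature check is the part worth keeping even if the rest is dropped: a file named msert.exe that fails `Get-AuthenticodeSignature` is exactly the kind of lure the malware posts on this page describe.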

For more information about the Safety Scanner, see the support article on how to troubleshoot problems using Safety Scanner.



Jan 17 2022

Microsoft: Data-wiping malware disguised as ransomware targets Ukraine again

Category: Information Security, Malware | DISC @ 12:03 pm

Microsoft said today that it has observed a destructive attack in Ukraine in which a malware strain wiped infected computers and then tried to pass as a ransomware attack, but without providing a ransom payment and recovery mechanism.

“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues,” the Microsoft Threat Intelligence Center said in a blog post late Saturday night.

The OS maker said the affected systems belong to multiple government agencies, non-profits, and information technology organizations, all based in Ukraine.

Microsoft said it has not yet identified the distribution vector or if the attack spread beyond the original Ukrainian targets.

The attack does not appear to be at the same scale and virality as the NotPetya and BadRabbit wiper events that targeted Ukrainian organizations in June and November 2017, respectively, and then spread all across the world.

Just like the NotPetya and BadRabbit wipers, Microsoft said that this recent one also comes with a component that overwrites a computer’s Master Boot Record (MBR) and prevents it from booting.

The malware corrupts files, rewrites MBR, hides as ransomware

The malware, which Microsoft calls WhisperGate, then replaces the boot-up screen with a ransom note, which, according to Microsoft, includes a ransom fee, a Bitcoin address to receive payments, and a Tox ID to get in contact with the attackers.

In case victims manage to restore their MBR and boot sequence, Microsoft says the malware also corrupts files with certain extensions by overwriting their contents with a fixed number of 0xCC bytes, up to a total file size of 1 MB.

“After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension,” Microsoft said.

.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU.SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP
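The fixed 0xCC fill gives responders a cheap triage signature: a file that has been through the destructor reads as an unbroken run of 0xCC from offset zero, regardless of what its name now is. The script below is an added example, not Microsoft's code. It samples the first bytes of every file under a directory (4096 bytes by default, an assumption that is well under the 1 MB overwrite limit), reports the files that consist only of 0xCC, and notes whether each carries a four-character extension, which is how this example reads the "four-byte extension" in the quote above. The function name and the evidence path are constructed.

```powershell
# Added example, not from Microsoft's report: triage a directory tree for files whose
# leading bytes are all 0xCC, the fill pattern attributed to the WhisperGate corruptor.
# Assumptions: the first 4096 bytes suffice to judge the fill, and the "four-byte
# extension" from the report is treated as a four-character one.
function Find-CcOverwrittenFile {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [int] $SampleBytes = 4096
    )
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        $buf  = New-Object byte[] $SampleBytes
        try {
            $stream = [System.IO.File]::OpenRead($file.FullName)
            try     { $read = $stream.Read($buf, 0, $buf.Length) }
            finally { $stream.Dispose() }
        } catch { return }                     # locked or unreadable file: skip it
        if ($read -lt 16) { return }           # too small to judge

        # An overwritten file reads as an unbroken run of 0xCC from offset zero;
        # the first differing byte rules the file out
        for ($i = 0; $i -lt $read; $i++) {
            if ($buf[$i] -ne 0xCC) { return }
        }
        [pscustomobject]@{
            Path              = $file.FullName
            SizeBytes         = $file.Length
            FourCharExtension = ($file.Extension -match '^\.[A-Za-z0-9]{4}$')
            LastWriteTime     = $file.LastWriteTime
        }
    }
}

# Example run against a mounted copy of an affected volume (constructed path)
Find-CcOverwrittenFile -Root 'E:\evidence\share' | Export-Csv -NoTypeInformation -Path .\cc-overwritten.csv
```

Run it against a read-only mount or a forensic copy rather than the live system, and treat the LastWriteTime column as the approximate time of the wipe, which helps bound the attack window when correlating with other logs.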

At the time of writing, the attackers’ Bitcoin address only contains one payment of $5, even if the ransom request is for $10,000.

No formal attribution just yet

Tags: Data-wiping malware


Jan 14 2022

Threat actors can bypass malware detection due to Microsoft Defender weakness

Category: Malware, Security vulnerabilities | DISC @ 9:15 am

A weakness in the Microsoft Defender antivirus can allow attackers to retrieve information that helps them avoid detection.

Threat actors can leverage a weakness in Microsoft Defender antivirus to determine in which folders to plant malware so that it escapes AV scanning.

Microsoft Defender allows users to specify locations on their machines that should be excluded from scanning by the security solution.

Knowledge of the list of scanning exclusions tells attackers where to store their malicious code to avoid detection. This means that once inside a compromised network, threat actors can decide where to store their malicious tools and malware without being detected.

The issue seems to affect Windows 10 21H1 and Windows 10 21H2, and to have existed for at least eight years, but it does not affect Windows 11.

SentinelOne threat researcher Antonio Cocomazzi pointed out that the list of scanning exceptions can be accessed by any local user, regardless of their permissions.

Running the “reg query” command, it is possible to access the list.

https://twitter.com/splinter_code/status/1481073265380581381?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1481073265380581381%7Ctwgr%5E%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fsecurityaffairs.co%2Fwordpress%2F126689%2Fhacking%2Fmicrosoft-defender-weakness.html
Microsoft Defender exclusion list
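Since the exclusion list is readable by anyone on the host, the practical mitigation is to keep that list short and free of locations an intruder could write to. The script below is an added example, not SentinelOne's or Microsoft's code: it reads the configured path, extension and process exclusions through the `Get-MpPreference` cmdlet of the Defender module and flags the entries that create the largest blind spots (whole drives, temp and ProgramData trees, script and executable extensions, script hosts). The risk patterns and the function name are the example's own choices.

```powershell
# Added example, not from the research: audit the Defender exclusion list that this
# weakness exposes and flag entries that give an intruder a large, writable blind spot.
# Requires the Defender PowerShell module present on Windows 10 and Windows 11.
function Get-RiskyDefenderExclusion {
    [CmdletBinding()]
    param()

    $pref = Get-MpPreference

    # Locations that are writable by ordinary users or too broad to be safe;
    # anything dropped inside an excluded path is never scanned (patterns are the example's own)
    $riskyPathPatterns = @(
        '^[A-Za-z]:\\?$',                        # an entire drive
        '\\Users\\[^\\]+\\AppData\\Local\\Temp',  # per-user temp
        '\\Windows\\Temp',
        '\\ProgramData(\\|$)',
        '\\Users\\Public',
        '\\Downloads'
    )
    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        $hit = $riskyPathPatterns | Where-Object { $p -match $_ } | Select-Object -First 1
        [pscustomobject]@{ Kind = 'Path'; Value = $p; Risky = [bool]$hit }
    }
    foreach ($e in @($pref.ExclusionExtension)) {
        if (-not $e) { continue }
        # Excluding an executable or script extension exempts that whole file class
        $risky = $e -match '^\.?(exe|dll|ps1|vbs|js|bat|cmd|scr|hta|msi)$'
        [pscustomobject]@{ Kind = 'Extension'; Value = $e; Risky = $risky }
    }
    foreach ($proc in @($pref.ExclusionProcess)) {
        if (-not $proc) { continue }
        # A process exclusion skips scanning of every file that process opens
        $risky = $proc -match '(powershell|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe$'
        [pscustomobject]@{ Kind = 'Process'; Value = $proc; Risky = $risky }
    }
}

Get-RiskyDefenderExclusion | Sort-Object Risky -Descending | Format-Table -AutoSize
```

Running this as part of a periodic configuration review, and alerting on changes to the exclusion lists from your endpoint management tooling, limits what an attacker gains from reading the list in the first place.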

Tags: Microsoft Defender weakness


Jan 12 2022

Wormable Windows HTTP hole – what you need to know

Category: Malware | DISC @ 10:17 am

Yesterday was the first Patch Tuesday of 2022, with more than 100 security bugs fixed.

We wrote up an overview of the updates, as we do every month, over on our sister site news.sophos.com: First Patch Tuesday of 2022 repairs 102 bugs.

For better or for worse, one update has caught the media’s attention more than any other, namely 

, more fully known as HTTP Protocol Stack Remote Code Execution Vulnerability.

This bug was one of seven of this month’s security holes that could lead to remote code execution (RCE), the sort of bug that means someone outside your network could trick a computer inside your network into running some sort of program without asking for permission first.

No need to log in up front; no pop-up warning at the other end; no Are you sure (Y/N)? questions.

Just give the order, and the malware runs.

That’s the theory, anyway.

RCE bugs considered wormable

One thing to remember about most RCE vulnerabilities is that if you can attack someone else’s computer from outside and instruct it to run a malicious program of your choice…

…then it’s possible, perhaps even probable, that you could tell it to run the very same program that you yourself just used to launch your own attack.

In other words, you might be able to use the vulnerability to locate and infect Victim 1 with malicious program W that instructs Victim 1 to locate and infect Victim 2 with malicious program W that instructs Victim 2 to locate Victim 3… and so on, perhaps even ad infinitum.

In an attack like this, we give the program W a special name: we call it a worm.

Worms form a proper subset of a type of malicious software (or malware for short) known generally as computer viruses, the overarching term for self-replicating malware of any sort.

This means that most RCE bugs are, in theory at least, wormable, meaning that they could potentially be exploited to initiate a chain of automatic, self-spreading and self-sustaining malware infections.

The reasoning here is obvious: if an RCE bug allows you to run an arbitrary program of your own choice, such as CALC.EXE or NOTEPAD, then it almost certainly allows you to run a specific program of your choice, such as a worm.

Some bugs are more wormable than others…

The Conficker worm infected its first computer in November 2008 and within a month had infiltrated 1.5 million computers in 195 countries. Banks, telecommunications companies, and critical government networks (including the British Parliament and the French and German military) were infected. No one had ever seen anything like it. By January 2009 the worm lay hidden in at least eight million computers and the botnet of linked computers that it had created was big enough that an attack might crash the world.

Tags: Worm, Wormable Windows HTTP hole


Jan 05 2022

Researchers used electromagnetic signals to classify malware infecting IoT devices

Category: Malware | DISC @ 8:58 am

A team of academics (Duy-Phuc Pham, Damien Marion, Matthieu Mastio and Annelie Heuser) from the Research Institute of Computer Science and Random Systems (IRISA) has devised a new approach that analyzes electromagnetic field emanations from Internet of Things (IoT) devices to detect highly evasive malware.

The team of experts presented their technique at the Annual Computer Security Applications Conference (ACSAC) that took place in December.

Internet of Things (IoT) devices are privileged targets for threat actors because of the lack of security requirements and the many customized firmware and hardware variants, which make it difficult to propose a standardized approach to cybersecurity.

The researchers proposed a novel approach of using side channel information to identify malware targeting IoT systems. The technique could allow analysts to determine malware type and identity, even when the malicious code is heavily obfuscated to prevent static or symbolic binary analysis. 

“In this paper, we concentrate on the ElectroMagnetic (EM) field of an embedded device as a source for malware analysis, which offers several advantages. In fact, EM emanation that is measured from the device is practically undetectable by the malware. Therefore, malware evasion techniques cannot be straightforwardly applied unlike for dynamic software monitoring.” reads a research paper published by the experts. “Also, since a malware does not have control on outside hardware-level events (e.g. on EM emanation, heat dissipation), a protection system relying on hardware features cannot be taken down, even if the malware owns the maximum privilege on the machine. Therefore, with EM emanation it becomes possible to detect stealthy malware (e.g. kernel-level rootkits), which are able to prevent software-based analysis methods.”

Experts pointed out that the approach does not require modifications on the target devices.

“We monitor the Raspberry Pi under the execution of benign and malicious dataset using a low to mid-range measurement setup. It consists of an oscilloscope with 1GHz bandwidth (Picoscope 6407) connected to a H-Field Probe (Langer RF-R 0.3-3), where the EM signal is amplified using a Langer PA-303 +30dB.” continues the paper. “To capture long-time execution of malware in the wild, the signals were sampled at 2MHz sampling rate.”

The team analyzed the power side-channel signals using Convolutional Neural Networks (CNNs) to detect malicious activity on IoT devices.

The collected data is very noisy, so the researchers needed a preprocessing step to isolate the relevant informative signals. This data was then used to train neural network models and machine learning algorithms to classify malware types, binaries and obfuscation methods, and to detect the use of packers.

The academics collected 3,000 traces for each of 30 malware binaries and 10,000 traces for benign activity. In total they recorded 100,000 measurement traces from an IoT device infected with various strains of malware and running realistic benign activity.

The test conducted by the researchers demonstrated that they were able to predict three generic malware types (and one benign class) with an accuracy of 99.82%.

Electromagnetic Signals for Obfuscated Malware Classification

“We have demonstrated in this paper that by using simple neural network models, it is possible to gain considerable information about the state of a monitored device, by observing solely its EM emanations. We were indeed able to not only detect, but also determine the type of real-world malware infecting a Raspberry Pi running a full Linux OS, with an accuracy of 99.89% on a test dataset including 20 000 traces from 30 different malware samples (and five different benign activities).” concludes the paper. “We demonstrated that software obfuscation techniques do not hinder our classification approach, even if the obfuscation technique was not known to the analyst before.”

Feature Hierarchy Mining for Malware Classification

Tags: electromagnetic signals


Dec 31 2021

How to implant a malware in hidden area of SSDs with Flex Capacity feature

Category: Malware | DISC @ 8:02 am

Researchers devised a series of attacks against SSDs that could allow attackers to implant malware in a location that is not monitored by security solutions.

Korean researchers devised a series of attacks against solid-state drives (SSDs) that could allow attackers to implant malware in specific memory locations, bypassing security solutions.

The attacks work against drives with flex capacity features and allow malicious code to be implanted in a hidden area of SSDs called over-provisioning (OP). This memory area is used for performance optimization on NAND flash-based storage systems.

“The Micron Flex Capacity feature is designed to unleash the true capabilities of storage media by giving IT administrators the ability to tune their SSDs to meet specific workload characteristics such as performance, capacity and endurance.”

The operating system and any applications running on it have no visibility into the over-provisioning area, which means security software cannot inspect its contents for malicious code.

Many storage devices can vary the size of the OP area in real time to optimize performance; a larger OP area can deliver better performance. The OP area can be set to a maximum of, for example, 50%. Varying the OP area, which can be changed by the user or by the firmware manager, creates an invalid data region. A threat actor can therefore reduce the size of the OP area through the firmware manager and generate an invalid data area. This attack could lead to information disclosure.

“Assuming that the hacker can access the management table of the storage device, the hacker can access this invalid data area without any restrictions.” reads the research paper. “Without the need for special forensic equipment, as a computer user, a hacker can access these invalid data areas of the NAND flash memory. Depending on sensitive information is stored in the invalid data area, computer users can feel more or less alarmed by this”

Tags: SSD


Dec 24 2021

Experts warn of a new stealthy loader tracked as BLISTER

Category: Malware,Windows SecurityDISC @ 12:17 pm

Security researchers spotted a campaign that is employing a new stealthy malware loader tracked as BLISTER that targets Windows systems.

Elastic Security researchers uncovered a malware campaign that leverages a new stealthy loader, tracked as BLISTER, which uses a valid code signing certificate issued by Sectigo to evade detection.

BLISTER loads second-stage payloads that are executed directly in the memory of the Windows system and maintains persistence. The malicious code has a low detection rate and implements multiple tricks to avoid detection.

“A valid code signing certificate is used to sign malware to help the attackers remain under the radar of the security community. We also discovered a novel malware loader used in the campaign, which we’ve named BLISTER. The majority of the malware samples observed have very low, or no, detections in VirusTotal.” “The infection vector and goals of the attackers remain unknown at this time.”

Blister campaign

The certificate used to sign the loader code was issued by Sectigo for a company called Blist LLC, which has an email address from a Russian provider Mail.Ru.

The loader is embedded into legitimate libraries, such as colorui.dll, to avoid raising suspicion; it can be initially written to disk by simple dropper executables.

Upon execution, BLISTER decodes bootstrapping code stored in the resource section with a simple 4-byte XOR routine. The malware authors heavily obfuscated the bootstrapping code that initially sleeps for 10 minutes before executing in an attempt to evade sandbox analysis.

The loader then decrypts the embedded malware payload; experts reported CobaltStrike and BitRat as embedded payloads. The payload is loaded into the current process or injected into a newly spawned WerFault.exe process.

To achieve persistence, BLISTER copies itself to the C:\ProgramData folder and renames a local copy of rundll32.exe. It then creates a link in the current user’s Startup folder to launch the malware at logon as a child of explorer.exe.

Elastic’s researchers shared Yara rules for this campaign along with indicators of compromise.
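As an added host-side complement to those rules (this is example code, not Elastic’s YARA or IoCs), the check below looks for the persistence chain the post describes: a file under C:\ProgramData whose hash is that of a Windows system binary but whose name is not, plus a Startup-folder shortcut that launches something in ProgramData. The telemetry record layout, the known-good hash table and every path and hash in the sample are constructed.

```python
r"""Host-side triage for the BLISTER persistence chain described above: a
renamed copy of rundll32.exe under C:\ProgramData and a shortcut in a user's
Startup folder that launches it. Added example, not Elastic's YARA rules;
the telemetry record layout and every path and hash below are constructed."""
import ntpath
from typing import Dict, Iterable, List

PROGRAMDATA = r"C:\ProgramData"
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Known-good hashes of system binaries, normally taken from a golden image.
# Placeholder value constructed for this example, not a real rundll32 hash.
KNOWN_GOOD: Dict[str, str] = {"a" * 64: "rundll32.exe"}


def _under(path: str, prefix: str) -> bool:
    """True when path lies below prefix (Windows-style, case-insensitive)."""
    return ntpath.normcase(path).startswith(ntpath.normcase(prefix) + "\\")


def renamed_system_binaries(files: Iterable[dict], known: Dict[str, str]) -> List[str]:
    """Files under ProgramData whose hash matches a Windows system binary but
    whose file name is not the original one (BLISTER's renamed rundll32)."""
    hits = []
    for rec in files:
        original = known.get(rec["sha256"].lower())
        if original and _under(rec["path"], PROGRAMDATA):
            if ntpath.basename(rec["path"]).lower() != original:
                hits.append(rec["path"])
    return hits


def startup_links_into_programdata(links: Iterable[dict]) -> List[str]:
    """Shortcuts in a Startup folder whose target or arguments point into
    ProgramData: a logon-time launch as a child of explorer.exe."""
    hits = []
    for lnk in links:
        in_startup = STARTUP_FRAGMENT in ntpath.normcase(lnk["lnk_path"])
        command = lnk["target"] + " " + lnk.get("args", "")
        if in_startup and ntpath.normcase(PROGRAMDATA) in ntpath.normcase(command):
            hits.append(lnk["lnk_path"])
    return hits


def triage(files: Iterable[dict], links: Iterable[dict],
           known: Dict[str, str] = KNOWN_GOOD) -> Dict[str, object]:
    """Run both checks; both firing on the same host is the strong signal."""
    binaries = renamed_system_binaries(files, known)
    shortcuts = startup_links_into_programdata(links)
    verdict = "blister-like persistence" if binaries and shortcuts else "no match"
    return {"renamed_binaries": binaries, "startup_links": shortcuts, "verdict": verdict}


# Constructed sample telemetry (not real indicators of compromise).
SAMPLE_FILES = [
    {"path": r"C:\Windows\System32\rundll32.exe", "sha256": "a" * 64},
    {"path": r"C:\ProgramData\Updater\svchelper.exe", "sha256": "a" * 64},
    {"path": r"C:\ProgramData\Updater\colorui.dll", "sha256": "b" * 64},
]
SAMPLE_LINKS = [
    {"lnk_path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
     "target": r"C:\ProgramData\Updater\svchelper.exe",
     "args": r"C:\ProgramData\Updater\colorui.dll,EntryPoint"},
    {"lnk_path": r"C:\Users\alice\Desktop\Notes.lnk",
     "target": r"C:\Windows\notepad.exe", "args": ""},
]
```

Feed it file-inventory and shortcut records from your EDR or a periodic collector; the hash-to-name table is the part that needs real data from a clean reference image. A renamed system binary alone is noisy (installers do it), which is why the verdict requires the Startup link as well.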

Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware

InfoSec is the page where the InfoSec community interacts and shares InfoSec and compliance related information.

“You Become What You Think About Ask; and it shall be given to you Seek; and you shall find Knock; and it shall be opened unto you.”

Tags: BLISTER, InfoSec Page, Malware Analysis, stealthy loader


Dec 23 2021

Crooks bypass a Microsoft Office patch for CVE-2021-40444 to spread Formbook malware

Category: App Security,MalwareDISC @ 9:40 am

Cybercriminals have found a way to bypass the patch for a recent Microsoft Office vulnerability tracked as CVE-2021-40444 (CVSS score of 8.8). The bad news is that threat actors are using it to distribute the Formbook malware.

CVE-2021-40444 is a remote code execution security flaw in MSHTML.

The security defect can be exploited to achieve remote code execution on vulnerable systems. An attacker looking to exploit the bug needs to trick the intended victim into opening a maliciously crafted document.

In September Microsoft warned of multiple threat actors, including ransomware operators, that were exploiting the Windows MSHTML remote code execution security flaw in attacks against organizations.

The IT giant said that threat actors started targeting this issue on August 18, before Microsoft shared mitigations for the vulnerability, using weaponized Office documents. The campaigns observed in August 2021 employed emails impersonating contracts and legal agreements, with the malicious documents hosted on file-sharing sites.

Microsoft addressed the flaw with the release of Microsoft Patch Tuesday security updates for September 2021.

The availability of proof-of-concept exploit code for this vulnerability caused a spike in attacks attempting to exploit the issue.

In the initial attacks observed by the researchers, the malicious code downloaded a Microsoft Cabinet (CAB) archive containing a malicious executable. The patch developed by Microsoft blocks the code path that downloads the CAB archive, but threat actors are now bypassing the patch by packaging the Word document in a specially crafted RAR archive.
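Because the bypass changes only the wrapper (a RAR archive) and not the document itself, a static check on the extracted Word file still applies. The scanner below is an added example, not Microsoft’s or any vendor’s tooling: it opens a .docx as the ZIP container it is and flags relationships marked External whose target uses the mhtml: scheme, the shape public write-ups of CVE-2021-40444 describe. The sample documents are built in memory, and the host name in the suspect one is a reserved example name, not an indicator.

```python
r"""Static check for the delivery document described above: a Word file whose
relationships reference an external MSHTML resource. Added example, not
Microsoft's or any vendor's tooling; the pattern it flags (an External
relationship whose target uses the mhtml: scheme) follows public descriptions
of CVE-2021-40444, and the .docx files are constructed in memory."""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import Iterator, List, Tuple

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SUSPICIOUS_PREFIXES = ("mhtml:", "x-usc:")


def external_targets(docx_bytes: bytes) -> Iterator[Tuple[str, str]]:
    """Yield (rels file, target) for every relationship marked TargetMode=External."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    yield name, rel.get("Target", "")


def scan_docx(docx_bytes: bytes) -> List[dict]:
    """Return the external relationships that look like an MSHTML fetch."""
    findings = []
    for rels, target in external_targets(docx_bytes):
        t = target.lower()
        if t.startswith(SUSPICIOUS_PREFIXES) or "!x-usc:" in t:
            findings.append({"rels": rels, "target": target})
    return findings


def build_docx(rels_xml: str) -> bytes:
    """Minimal OOXML container with the given document.xml.rels (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# An ordinary hyperlink is also External, and must not be flagged.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
                Target="https://www.example.com/" TargetMode="External"/>
</Relationships>"""

# Constructed stand-in for the delivery document; example.invalid is a
# reserved name, not a real indicator.
SUSPECT_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
                Target="mhtml:http://example.invalid/page.html!x-usc:http://example.invalid/page.html"
                TargetMode="External"/>
</Relationships>"""
```

Run scan_docx over documents after the mail gateway has unpacked any RAR or other archive wrapper; the wrapper is what defeated the patch-era blocking, not the document format. This is a signature for one delivery shape and complements, rather than replaces, applying the September 2021 update.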

Learning Malware Analysis

Tags: Learning Malware Analysis, Microsoft Office patch


Dec 20 2021

Pegasus: Google reveals how the sophisticated spyware hacked into iPhones without user’s knowledge

  • Pegasus spyware was allegedly used by governments to spy upon prominent journalists, politicians and activists.
  • A Google blog has revealed how the sophisticated software was used to attack iPhone users.
  • The software used a vulnerability in iMessages to hack into iPhones without the user’s knowledge.

The Pegasus spyware, developed by Israel’s NSO group, made headlines for being used by governments and regimes across the world including India to spy on journalists, activists, opposition leaders, ministers, lawyers and others. The spyware is accused of hacking into the phones of at least 180 journalists around the world, of which 40 are notable Indian personalities.

Now, a Google blog from the Project Zero team called the attacks technically sophisticated exploits and assessed the software to have capabilities rivalling spyware previously thought to be accessible to only a handful of nations.

The company has also faced multiple lawsuits including one in India where the Supreme Court (SC) set up a three-member panel headed by former SC judge RV Raveendran to probe whether the software was used by the government to spy on journalists and other dissidents.

Apart from India, Apple has also sued the Israeli firm after patching the security exploit. The company was also banned in the United States after the details of the spyware were revealed. Let’s take a look at how this advanced snooping technology worked discreetly on iPhones.

How Pegasus hacked iPhones

According to the Project Zero blog, the team and Apple’s Security Engineering and Architecture (SEAR) group worked on a sample of the ForcedEntry exploit. Pegasus attacks on iPhones were possible due to the ForcedEntry exploit.


Pegasus is spyware (Trojan/Script) that can be installed remotely on devices running Apple’s iOS and Google’s Android operating systems. It is developed and marketed by the Israeli technology firm NSO Group. NSO Group sells Pegasus to “vetted governments” for “lawful interception”, which is understood to mean combating terrorism and organized crime, as the firm claims, but suspicions exist that it is used for other purposes. Pegasus is modular malware that can initiate total surveillance on the targeted device, as per a report by digital security company Kaspersky. It installs the necessary modules to read the user’s messages and mail, listen to calls, send back the browser history and more, which basically means taking control of nearly all aspects of your digital life. It can even listen in to encrypted audio and text files on your device, which puts all the data on your device up for grabs.

Tags: A Privacy Killer, hacked iphone, NSO Group, Pegasus spyware


Dec 02 2021

VirusTotal Collections enhances the sharing of Indicators of Compromise (IoCs)

Category: Antivirus,MalwareDISC @ 9:42 am

VirusTotal announced VirusTotal Collections, a new service that allows security researchers to share sets of Indicators of Compromise (IoCs).

VirusTotal announced VirusTotal Collections, a new service that allows threat researchers to share Indicators of Compromise (IoCs).

A collection is a live report that includes IoCs associated with a specific threat and it is available for VirusTotal registered users. The reports will also include up-to-date VirusTotal analysis metadata.

“A collection is a live report which contains a title, a group of IoCs (file hashes, URLs, domains and IP addresses) and an optional description. Collections are open to our VirusTotal Community (registered users) and they will be enhanced with VirusTotal analysis metadata providing the latest information we have for the IoCs, along with some aggregated tags.” reads the announcement published by VirusTotal.

Registered VirusTotal users will be able to add or remove IoCs to/from the reports.

Security experts often use sharing platforms like Pastebin to share IoCs with the community; now they have a dedicated platform for it, one that is also integrated with VirusTotal’s own analysis data. Users can create IoC collections on the VirusTotal home page, under the SEARCH tab.
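Moving from a Pastebin-style text dump to a collection means sorting each line into one of the four indicator types the announcement lists (file hashes, URLs, domains and IP addresses). The helper below is an added example, not VirusTotal’s code or its API: it undoes common defanging, classifies each line, deduplicates, and returns a collection-shaped dictionary ready to be entered. The sample dump is constructed, and the defanging conventions and the domain regex are the author’s assumptions about input format.

```python
"""Sort a pasted IoC dump into the four indicator types a VirusTotal collection
holds (file hashes, URLs, domains, IP addresses) before submitting it. Added
helper, not VirusTotal's code or API; the dump below is constructed and the
defanging conventions and regexes are the author's assumptions."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)
BUCKETS = ("file_hashes", "urls", "domains", "ip_addresses")


def refang(token: str) -> str:
    """Undo common defanging so the indicator matches what VirusTotal stores."""
    return token.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def classify(token: str) -> Tuple[Optional[str], str]:
    """Return (bucket, normalised value); bucket is None for comments/blank lines."""
    t = refang(token.strip())
    if not t or t.startswith("#"):
        return None, t
    if len(t) in HASH_TYPES and _HEX.match(t):
        return "file_hashes", t.lower()
    if "://" in t:
        return "urls", t
    try:
        ipaddress.ip_address(t)
        return "ip_addresses", t
    except ValueError:
        pass
    if _DOMAIN.match(t):
        return "domains", t.lower()
    return "unrecognised", t


def build_collection(title: str, dump: str, description: str = "") -> Dict[str, object]:
    """Group one-indicator-per-line text into a collection-shaped dict, deduplicated."""
    coll: Dict[str, object] = {"title": title, "description": description}
    lists: Dict[str, List[str]] = {b: [] for b in BUCKETS + ("unrecognised",)}
    seen = set()
    for line in dump.splitlines():
        bucket, value = classify(line)
        if bucket is None or (bucket, value) in seen:
            continue
        seen.add((bucket, value))
        lists[bucket].append(value)
    coll.update(lists)
    return coll


# Constructed sample dump: the hashes are those of the empty file, the host
# names use a reserved example label, and the addresses are documentation ranges.
SAMPLE_DUMP = """\
# constructed sample, not real indicators
d41d8cd98f00b204e9800998ecf8427e
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
hxxp://update-check[.]example/dl/stage2
update-check[.]example
203.0.113.45
2001:db8::1
not an indicator
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""
```

Anything that lands in the unrecognised list (analyst commentary, truncated values, defanging styles the helper does not know) gets reviewed by hand rather than silently dropped, which is the behaviour you want before publishing a live report other teams will act on.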

Cyber indicators of compromise: a domain ontology for security information and event management Paperback

Tags: VirusTotal


Sep 14 2021

The Pegasus project: key takeaways for the corporate world

https://www.itsecurityguru.org/2021/09/09/the-pegasus-project-key-takeaways-for-the-corporate-world/

Forbidden Stories, a Paris-based non-profit organisation that seeks to protect the freedom of speech of journalists, recently announced, following a data leak, that 50,000 phone numbers had been selected for surveillance by customers of the Pegasus Project surveillance solution sold by the Israeli NSO Group.

The NSO Group has always maintained that the purpose of the Pegasus Project was for governments to monitor terrorist activity. However, this recent story, if true, could suggest that the solution has been abused for a long period of time and used for other nefarious purposes.

As reported by Forbidden Stories, the leaked data suggests the wide misuse of Pegasus Project and a range of surveillance targets that include human rights defenders, academics, businesspeople, lawyers, doctors, union leaders, diplomats, politicians and several heads of states. The NSO Group continues to contend these assertions are based on wrong assumptions and uncorroborated theories. Whether these statements are true or false, they raise interesting considerations for enterprises and government organisations that have a requirement to protect the smartphones of employees who have access to sensitive information.

Pegasus Project is reported to provide NSO Group customers full control of target devices, which makes it a threat of interest. However, it is not the first mobile threat that organisations should be concerned about. In another contested case, Snyk suggested that the Sour Mint threat, a Software Development Kit (SDK) developed by the Chinese mobile ad platform provider Mintegral and used by more than 1,200 apps in the Apple App Store, was responsible for spying on users by logging URL-based requests made through the app. It was reported that user activity, which could include personally identifiable information (PII), is logged to a third-party server.

Where things get interesting with Sour Mint is its ability to evade defences by slipping through the Quality Assurance (QA) process of the Apple App Store, which shows that even the thoroughness of Apple’s processes was not sufficient to detect malicious code in the case of this threat.

So, with the rise of mobile threats such as Pegasus Project and Sour Mint, how should organisations defend against such threats?


Ban on Use of Whatsapp / Likewise Means for Sharing of Official Letters / Information (Advisory No. 2).

Mobile security solution review in light of the WhatsApp Pegasus hack

Tags: Pegasus malware, The Pegasus project


Aug 12 2021

Cobalt Strike Vulnerability Affects Botnet Servers

The main components of the security tool are the Cobalt Strike client — also known as a Beacon — and the Cobalt Strike team server, which sends commands to infected computers and receives the data they exfiltrate. An attacker starts by spinning up a machine running Team Server that has been configured to use specific “malleability” customizations, such as how often the client is to report to the server or specific data to periodically send.

SMB Beacon - Cobalt Strike

How to Identify Cobalt Strike on Your Network
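The configured report-back interval described above is also what gives a Beacon away on the wire: a host that contacts the same server at near-constant intervals, in a way browsing never does. The check below is an added example, not Cobalt Strike code or any vendor’s detection: it parses proxy log lines, groups requests by client/server pair, and flags pairs whose inter-request gaps have a very low coefficient of variation. The log format, hosts and thresholds are constructed.

```python
"""Check-in regularity scan over proxy logs, for the beacon behaviour
described above (a client reporting to its team server on a configured
interval). Added example, not Cobalt Strike code or any vendor's detection;
the log format, hosts and thresholds are constructed."""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed log: timestamp, client, server, method, path. The first client
# polls one path almost exactly every 60 s; the second browses normally.
SAMPLE_LOG = """\
2021-08-12T10:00:00Z 10.0.0.5 198.51.100.7 GET /updates.rss
2021-08-12T10:01:00Z 10.0.0.5 198.51.100.7 GET /updates.rss
2021-08-12T10:02:01Z 10.0.0.5 198.51.100.7 GET /updates.rss
2021-08-12T10:02:59Z 10.0.0.5 198.51.100.7 GET /updates.rss
2021-08-12T10:04:00Z 10.0.0.5 198.51.100.7 GET /updates.rss
2021-08-12T10:05:02Z 10.0.0.5 198.51.100.7 GET /updates.rss
2021-08-12T10:00:05Z 10.0.0.9 203.0.113.20 GET /news
2021-08-12T10:00:40Z 10.0.0.9 203.0.113.20 GET /news/1
2021-08-12T10:07:12Z 10.0.0.9 203.0.113.20 GET /news/2
2021-08-12T10:07:13Z 10.0.0.9 203.0.113.20 GET /static/a.css
2021-08-12T10:19:00Z 10.0.0.9 203.0.113.20 GET /news/3
2021-08-12T10:25:31Z 10.0.0.9 203.0.113.20 GET /news/4
"""


def parse(log: str) -> List[Tuple[datetime, str, str]]:
    """Extract (timestamp, client, server) from each non-empty log line."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method, _path = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst))
    return rows


def beacon_candidates(log: str, min_requests: int = 6,
                      max_cv: float = 0.2) -> List[Dict[str, object]]:
    """Flag client/server pairs whose request gaps are nearly constant.

    cv = population std-dev / mean of the gaps; a sleep with little or no
    jitter gives a cv close to 0, human browsing gives a cv near or above 1."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, src, dst in parse(log):
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "requests": len(times),
                             "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return findings
```

Malleable settings that add jitter widen the spread of the gaps, so in practice you raise max_cv, look at longer windows, and treat this as one signal to correlate with others (request size, path and user-agent repetition) rather than a verdict on its own.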

Tags: Cobalt Strike Vulnerability


Aug 03 2021

BazarCaller – the malware gang that talks you into infecting yourself

Category: Malware,Security Awareness,SpywareDISC @ 10:29 am

You’re almost certainly familiar with vishing, a phone-based scam in which cybercriminals leave messages on your voicemail in the hope that you’ll call them back later to find out what’s going on.

In fact, if you have a long-standing phone number, like we do, you may well get more of these scam calls (perhaps even many more of them) than genuine calls, so you’ll know the sort of angle they take, which often goes along these lines:

[Synthetic voice] Your Amazon Prime subscription will auto-renew. Your card will be billed for [several tens of dollars]. To cancel your subscription or to discuss this renewal, press 1 now.

Sometimes, they’ll read out the number to call them back on, to reiterate not only that it matches the number that shows up in your call history, but also that it’s a local number, right there in your own town or country.

The crooks do this to “prove” that the caller is local too, rather than sitting overseas in some scammy boiler-room call centre, far from the reach of law enforcement and the regulators in your part of the world.


Scam Me If You Can

Tags: BazarCaller, Scam Me If You Can, Spam

