
Telegram Exploited by Attackers to Spread Malware


Researchers discovered that cybercriminals are using the Echelon info stealer to target the crypto-wallets of Telegram users, in an attempt to deceive new or naïve members of a cryptocurrency discussion group on the messaging network.

Researchers from SafeGuard Cyber's Division Seven threat analysis section discovered a sample of Echelon in a cryptocurrency-focused Telegram channel in October, according to an investigation published on Thursday. 

The malware used in the campaign is designed to steal credentials from a variety of messaging and file-sharing applications, including Discord, Edge, FileZilla, OpenVPN, Outlook, and even Telegram itself, as well as from a range of cryptocurrency wallets, among them AtomicWallet, BitcoinCore, ByteCoin, Exodus, Jaxx, and Monero.

The campaign was a “spray and pray” effort: “Based on the malware and how it was posted, SafeGuard Cyber believes that it was not part of a coordinated campaign, and was simply targeting new or naïve users of the channel,” according to the report. 

Researchers discovered that attackers had been using the handle "Smokes Night" to disseminate Echelon on the channel, although it's unknown how successful they were. "The post did not appear to be a response to any of the surrounding messages in the channel," they added.

According to the researchers, other users on the channel did not appear to notice anything unusual or engage with the post. However, the researchers note that this does not imply the malware failed to reach users' devices.

“We did not see anyone respond to ‘Smokes Night’ or complain about the file, though this does not prove that users of the channel did not get infected,” they wrote. 

The Telegram messaging platform has undoubtedly become a hotspot of activity for attackers, who have already taken advantage of its popularity and large attack surface by distributing malware on the network via bots, rogue accounts, and other methods.

Echelon was delivered to the cryptocurrency channel as a .RAR file called "present).rar," which contained three files: "pass – 123.txt," a benign text document containing a password; "DotNetZip.dll," a non-malicious class library and toolset for manipulating .ZIP files; and "Present.exe," the malicious executable for the Echelon credential stealer.

The .NET payload also featured several characteristics that made it hard to identify or analyze, such as two anti-debugging capabilities that immediately terminate the process if a debugger or other analysis tooling is detected, and obfuscation using the open-source ConfuserEx program.

According to the researchers, the malware's other capabilities include computer fingerprinting and taking a screenshot of the victim's workstation. The Echelon sample taken from the campaign uses a compressed .ZIP file to send passwords, other stolen data, and screenshots back to a command-and-control server.

Attackers Target the .NET Platform via Exposed NuGet Packages


An investigation of the off-the-shelf packages hosted in the NuGet repository found that 51 unique software components contain severe vulnerabilities that are being actively exploited, again highlighting the danger that third-party dependencies pose to software development.

ReversingLabs researcher Karl Zanki noted in a report that, with the number of cyber events targeting the software supply chain still increasing, such modules urgently need to be assessed for security risk so that the attack surface can be minimized.

NuGet is the Microsoft-supported package manager for the .NET platform, which allows developers to share reusable code. The repository hosts more than 264,000 individual packages that together account for more than 109 billion downloads.

Code is typically wrapped into 'packages' that include compiled code (such as DLLs) and other content required by the projects that consume them. NuGet defines how packages for .NET (including .NET Core) are created, hosted, and consumed, and provides tools for each of those roles.

"All identified pre-compiled software components in our research were different versions of 7Zip, WinSCP, and PuTTYgen, programs that provide complex compression and network functionality," Zanki explained. "They are continuously updated to improve their functionality and to address known security vulnerabilities. However, sometimes it happens that other software packages get updated but still keep using several years old dependencies containing known vulnerabilities." 

In some instances it was discovered that 'WinSCPHelper', a remote server file management library installed more than 35,000 times, bundles an older, vulnerable WinSCP 5.11.2. WinSCP 5.17.10, published earlier this month, addresses a critical arbitrary code execution flaw (CVE-2021-3331), so users of the package remain exposed to it.

The researchers also found that a vulnerable version of the "zlib" data compression library is present in over 50,000 software components from NuGet packages. This exposes those components to several known security problems in the compression library, including CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, and CVE-2016-9843.

Packages found to bundle the vulnerable zlib include "DicomObjects" and "librdkafka.redist", which have been downloaded between 50 thousand and 18.2 million times.
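The findings above come down to pre-compiled binaries (WinSCP, 7Zip, PuTTYgen, zlib) shipped inside a package without appearing in its declared dependencies. The following added example (not ReversingLabs' tooling) shows one way a defender can surface them: it opens a .nupkg as the ZIP archive it is, hashes every DLL/EXE inside, and matches the hashes against an inventory of vetted builds. The sample package, the inventory entry and the byte contents are constructed for illustration; a real inventory would hold the hashes of the actual vendor builds.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for an old WinSCP build. A real inventory holds the hashes of
# the actual WinSCP / 7Zip / PuTTYgen / zlib builds an organisation has vetted.
SAMPLE_WINSCP_OLD = b"MZ constructed stand-in for WinSCP 5.11.2"
KNOWN_BINARIES = {
    sha256(SAMPLE_WINSCP_OLD): {"product": "WinSCP", "version": "5.11.2",
                                 "status": "vulnerable: CVE-2021-3331, fixed in 5.17.10"},
}

def _nuspec_text(root, tag):
    el = root.find(f".//{{*}}{tag}")  # {*} matches any nuspec schema namespace (Python 3.8+)
    return el.text.strip() if el is not None and el.text else "?"

def audit_nupkg(nupkg_bytes: bytes, inventory=KNOWN_BINARIES):
    """One finding per DLL/EXE shipped inside the .nupkg (which is a ZIP archive)."""
    zf = zipfile.ZipFile(io.BytesIO(nupkg_bytes))
    manifest = next(n for n in zf.namelist() if n.lower().endswith(".nuspec"))
    root = ET.fromstring(zf.read(manifest))
    package = f"{_nuspec_text(root, 'id')} {_nuspec_text(root, 'version')}"
    findings = []
    for info in zf.infolist():
        if not info.filename.lower().endswith((".dll", ".exe")):
            continue
        digest = sha256(zf.read(info))
        known = inventory.get(digest)  # nuspec dependencies do not cover bundled binaries
        findings.append({
            "package": package, "path": info.filename, "sha256": digest,
            "product": f"{known['product']} {known['version']}" if known else None,
            "status": known["status"] if known else "unknown build: inventory and verify",
        })
    return findings

def build_sample_nupkg() -> bytes:
    """Constructed package resembling WinSCPHelper shipping an old WinSCP.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WinSCPHelper.nuspec",
                    '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
                    "<metadata><id>WinSCPHelper</id><version>1.0.0</version></metadata></package>")
        zf.writestr("lib/net45/WinSCPHelper.dll", b"MZ constructed managed wrapper")
        zf.writestr("content/WinSCP.exe", SAMPLE_WINSCP_OLD)
    return buf.getvalue()
```

Any binary that hashes to an unknown build is the actionable result: it is a native component the package manager knows nothing about, and it needs its version identified and checked against the vendor's advisories.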

"Companies developing software solutions need to become more aware of such risks, and need to become more involved in their handling," Zanki said.