Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Antivirus System. Show all posts

Kasseika Ransomware Employs AntiVirus Driver to Disarm Other Antiviruses

 

Kasseika, a ransomware gang, has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) assault to disable security-related processes on compromised Windows hosts, following groups such as Akira, AvosLocker, BlackByte, and RobbinHood. 

Trend Micro claimed in a research that the technique enables "threat actors to terminate antivirus processes and services in order to deploy ransomware." 

Kasseika, identified by the cybersecurity firm in mid-December 2023, shares similarities with the now-defunct BlackMatter, which formed following DarkSide's disintegration. 

Given that the source code of BlackMatter was never made public after its demise in November 2021, there is evidence to imply that the ransomware strain may have been created by an experienced threat actor who purchased or secured access to the code. 

Modus operandi 

Kasseika attack chains begin with phishing emails to gain access, then drop remote administration tools (RATs) to escalate privileges and propagate across the target network. 

The threat actors have been spotted employing Microsoft's Sysinternals PsExec command-line tool to run a malicious batch script. The script searches for a process called "Martini.exe" and ends it if it is located, thereby guaranteeing the process is only running on one machine. 

The executable's primary task is to disable 991 security tools by downloading and executing the "Martini.sys" driver from a remote server. It is important to note that "viragt64.sys," an authentic signed driver, has been placed on Microsoft's vulnerable driver blocklist and is known as "Martini.sys.” 

The researchers noted that "if Martini.sys does not exist, the malware will terminate itself and not proceed with its intended routine," highlighting the vital role that the driver plays in defence evasion.

After that, "Martini.exe" starts the ransomware payload ("smartscreen_protected.exe"), which uses the RSA and ChaCha20 algorithms to encrypt data. However, not before it terminates all services and processes that are attempting to reach Windows Restart Manager. 

The computer's wallpaper is subsequently modified to display a note requesting a 50 bitcoin payment to a wallet address within 72 hours, or risk paying an additional $500,000 every 24 hours once the deadline elapses. A ransom note is then dumped in every directory that has been encrypted. 

Furthermore, in order to acquire a decryptor, victims are required to send a screenshot of their successful payment to a Telegram channel that is managed by attackers. The Kasseika ransomware also has additional tricks up its sleeve, such as wiping traces of activity from the system's event logs using the wevtutil.exe component.

"The command wevutil.exe efficiently clears the Application, Security, and System event logs on the Windows system," the researchers concluded. "This technique is used to operate discreetly, making it more challenging for security tools to identify and respond to malicious activities.”

Using Blatant Code, a New Nokoyawa Variant Sneaks up on Peers

 

Nokoyawa is a new malware for Windows that first appeared early this year. The first samples gathered by FortiGuard researchers were constructed in February 2022 and contain significant coding similarities with Karma ransomware that can be traced back to Nemty via a long series of variants. 

NOKOYAWA is a ransomware-type piece of malware that the research team discovered and sampled from VirusTotal. It's made to encrypt data and then demands payment to decode it. 

FortiGuard Labs has seen versions constructed to run only on 64-bit Windows, unlike its precursor Karma, which runs on both 32-bit and 64-bit Windows. For customized executions, Nokoyawa provides many command-line options: help, network, document, and Encrypt a single file using the path and dir dirPath. 

Nokoyawa encrypts all local disks and volumes by default if no argument is provided. The "-help" argument is intriguing because it shows that the ransomware creators and the operators who deploy and execute the malware on affected PCs are two independent teams. Nokoyawa encrypts files that do not end in.exe,.dll, or.lnk extensions using multiple threads for speed and efficiency. Furthermore, by verifying the hash of its names with a list of hardcoded hashes, some folders, and their subdirectories are prohibited from encryption.

Nokoyawa produces a fresh ephemeral keypair (victim file keys) for each file before encrypting it. A 64-byte shared secret is produced with Elliptic-Curve Diffie-Hellmann using the victim file's private key and the threat actors' "master" public key (ECDH). For encrypting the contents of each file, the first 32 bytes of this secret key are used as a Salsa20 key, together with the hardcoded nonce 'lvcelvce.' 

RURansom, A1tft, Kashima, and pEaKyBlNdEr are just a few of the ransomware programs that have been looked into. The encryption algorithms they utilize (symmetric or asymmetric) and the ransom size are two key variations between malicious applications of this type. The magnitude of the requested sum can vary dramatically depending on the intended victim. 

How does ransomware get into my system? 

The majority of the additional code was taken exactly from publicly available sources, including the source of the now-defunct Babuk ransomware leaked in September 2021, according to FortiGuard Labs experts. 

Malware including ransomware is spread using phishing and social engineering techniques. Malicious software is frequently disguised as or integrated with legitimate files. 

The email addresses were eliminated and were replaced with directions to contact the ransomware authors using a TOR browser and a.onion URL. When you're at the Onion URL, you'll be taken to a page with an online chatbox where you can chat with the operators, negotiate and pay the ransom. 

Researchers from FortiGuard Labs detected a dialogue between a potential victim and the ransomware operator. The threat actors offer free decryption of up to three files based on this chat history to demonstrate that they can decrypt the victim's files.

The ransom amount, in this case, a whopping 1,500,000 (likely in USD), is displayed on the "Instructions" page and can be paid in either BTC (Bitcoin) or XMR(Monero). The operators claim to deliver the tool to decrypt the victim's files after payment.

Given the rising professionalism of certain ransomware efforts, this TOR website could be an attempt to better "branding" or a technique to delegate ransom discussions to a separate team. Surprisingly, the ransom note contains the following content. "Contact us to strike a deal or we'll publish your black s**t to the media," the message says, implying that the victim's data was stolen during the infection.

Drive-by (stealthy and deceptive) downloads, spam email (malicious files attached to or compromised websites linked in emails/messages), untrustworthy download channels (e.g., peer-to-peer sharing networks, unofficial and freeware sites, etc.), illegal software activation ("cracking") tools, online scams, and fake updates are among the most common distribution methods. 

How can we defend from ransomware?

It is strongly advised you only use legitimate and trusted download sources. Furthermore, all apps must be activated and updated through tools given by genuine providers, as third-party tools may infect the system. 

Experts also recommend against opening attachments or links received in questionable emails or messages, as they may contain malware. It is critical to install and maintain a reliable anti-virus program. 

Regular system scans and threats/issues must be removed using security software. If the machine has already been infected with NOKOYAWA, we recommend using Combo Cleaner Antivirus for Windows to automatically remove it.

McAfee Addresses Multiple Critical Bugs in McAfee Agent Software

 

McAfee (now known as Trellix) has fixed two high-severity bugs present in McAfee Agent software for Windows allowing malicious actors to escalate privileges and implement arbitrary code with SYSTEM privileges.

Earlier this week, the firm released a security advisory highlighting two CVEs tracked as CVE-2022-0166 and CVE-2021-31854 impacting previous versions of the McAfee ePolicy Orchestrator (ePO). The company released an updated version of the Agent that effectively remediates the vulnerabilities, both of which received high severity ratings.

McAfee Agent is a client-side feature of McAfee ePolicy Orchestrator (McAfee ePO) that downloads and enforces endpoint policies and deploys antivirus signatures, upgrades, patches, and new products on enterprise endpoints. 

The bug tracked as CVE-2021-31854 is a command Injection flaw in McAfee Agent (MA) for Windows prior to 5.7.5 allows threat actors to inject arbitrary shellcode into the file cleanup.exe. The malicious clean.exe file is placed into the relevant folder and executed by running the McAfee Agent deployment feature located in the System Tree. An attacker may exploit the vulnerability to obtain a reverse shell which can lead to privilege escalation to obtain root privileges.

The second bug tracked as CVE-2022-0166 is a privilege escalation vulnerability in the McAfee Agent prior to 5.7.5. McAfee Agent uses openssl.cnf during the build process to specify the OPENSSLDIR variable as a subdirectory within the installation directory. A low privilege user could have created subdirectories and executed arbitrary code with SYSTEM privileges by creating the appropriate pathway to the specifically created malicious openssl.cnf file. 

“By placing a specially-crafted openssl.cnf in a location used by McAfee Agent, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable McAfee Agent software installed,” reads the advisory published by CERT/CC researchers.

This is not the first instance wherein security researchers have uncovered flaws while examining McAfee's Windows security products. Last year in September, the company addressed another McAfee Agent privilege escalation bug (CVE-2020-7315) identified by Tenable security researcher Clément Notin that allowed local users to execute arbitrary code and kill the antivirus. 

Earlier in 2020, McAfee patched a security vulnerability impacting all editions of its Antivirus software for Windows (i.e., Total Protection, Anti-Virus Plus, and Internet Security) and allowing malicious attackers to escalate privileges and execute code with SYSTEM account authority.

New Mac Malware Samples Highlight The Growing Risk

 


Despite Apple's best attempts, Mac malware exists to keep in mind that Mac malware and viruses are quite rare in the wild. Apple has a number of safeguards in place to protect against such attacks. For example, according to the Security & Privacy settings in System Preferences > Security & Privacy > General, macOS should only allow the installation of third-party applications from the App Store or identified developers. If you were to install something from an unknown developer, Apple would prompt you to verify its legitimacy. 

Apple also has its own built-in anti-malware program and keeps all of the malware definitions in its XProtect file on your Mac, and whenever you download a new app, it checks to see whether any of them are there. This is a feature of Apple's Gatekeeper software, which prevents malware developers from creating apps and certifies that they haven't been changed. 

For the sixth year in a row, security researcher Patrick Wardle has compiled a list of all new Mac malware threats discovered during the previous year:
  1. ElectroRAT, a cross-platform remote access trojan that first appeared in January.
  2. Silver Sparrow, a malware tool designed specifically for Apple's M1 chip that was released last year.
  3. XLoader, a cross-platform password stealer. It was identified by XLoader to be a rebuilt version of a well-known information stealer named Formbook. 
  4. When analyzing sophisticated watering hole assaults targeting users to the Hong Kong websites of a media outlet and a pro-democracy organization, MacMa (OSX.CDDS) came up with a solution. To install the MacMa backdoor, the attackers used a zero-day privilege escalation vulnerability (CVE-2021-30869) in macOS Catalina. 
  5. XcodeSpy, a data-stealing malware tool that spread via sponsored search results on Baidu and installed the Cobalt Strike agent on compromised systems.
  6. ElectrumStealer, a cryptocurrency mining tool that Apple inadvertently signed digitally; WildPressure, a cross-platform Python backdoor that Kaspersky discovered targeting industrial companies in the Middle East.
  7. ZuRu, a data-stealing malware tool that spread via sponsored search results on Baidu and installed the Cobalt Strike.
Cryptominers like ElectroRAT and OSAMiner, adware loaders like Silver Sparrow, information stealers like Xloader and Macma, and cross-platform Trojans like WildPressure were among the most dangerous Mac malware threats last year, according to Willy Leichter, CMO of LogicHub.

Still Paying for Antivirus Software? Experts Said You Don't Need It

 

When we start talking about antivirus products, we are actually trying to deal with anti-malware products. Malware is a catchall term that represents any malicious program that has been designed to damage, disrupt, or take charge of a victim’s computer. Types of malware include not only viruses but spyware, trojan horses, adware, ransomware, and scareware. 

Every year we experience billions of malware attacks worldwide that keep getting sophisticated as cyber threats are constantly evolving and for that matter, millions of people rely on anti-viruses software to protect their systems from threat actors. 

Recently, Josh Brunty, who had a decade-long career in cybersecurity; worked as a digital forensics analyst for the West Virginia State Police, then joined Marshall University and started teaching cybersecurity as a subject and that was the time when he discovered that his father Butch Brunty was still spending a lot of money every year for third-party antivirus protection on his home devices, which he felt unnecessary for most people for years. 

“He was talking about renewing his antivirus. I said, ‘Are you literally paying for antivirus?” Brunty said. “I don’t know how he ended up doing it, but he ended up getting connected to Norton, spending, like $60 a year.” 

Like him, many people use Antivirus software because Antivirus software still centers on its original use: looking for and mitigating software viruses. However, modern devices already coming updated and assuring full protection from cyber threats including monitoring the dark web to see whether someone posts customers’ personal information, etc. Additionally, built-in security protections in most major browsers help greatly and virtual private networks are useful only in specific scenarios, such as streaming video that is restricted in specific regions or countries or getting around government censors like China’s “Great Firewall.” 

“He had no understanding of those two technologies, really. I think he just felt like if he spent the money, the investment of paying for it was going to protect him from everything” Brunty said.

Following the incident, Bob Lord, who led the Democratic National Committee’s cybersecurity strategy for the 2018 and 2020 elections after the party was hacked by Russian intelligence in 2016 warned the users over poor password hygiene. 

“When I look at all the personal account compromises I’ve seen over the past three years, I don’t think any of them were caused by malware. They happened because the victims had poor password hygiene and didn’t have two-factor authentication on their accounts” Lord added.

New Fake AV 'Antivirus System' can't be removed from Safe Mode with networking


These days when malicious softwares, virus and trojans are are so rampant no wonder fake antivirus are also common. A perfect example is “Antivirus System,” a Fake AV analyzed by experts from Webroot.

The antivirus system scans the files of the user and then reports some threats which must be cleared as soon as possible. To remove them the app must be registered which requires certain amount of money.

In addition, the Fake AV also sports some features that are common for legitimate security solutions.(Reports news.softpedia)

In many cases such threats are easy to remove by booting uo the computer in safe mode and scanning the device with authentic antivirus product.

Well the Antivirus System is not that easy to remove since the malware injects itself into the explorer shell, which is loaded in safe mode as well. This hinders the user from starting any executable.

Nevertheless, this does not mean that you just have to waste your money and activate the product since there is always a way out.

At first an antivirus solution should diminish the malware before it affects the system and if it has infected your system these are the steps you should follow:-
*Start your computer in safe mode with command prompt.(this dosen't launch explorer shell, so the fake AV will be inactive.)

*Then, create a new administrator account by typing “control nusrmgr.cpl.”

*Once the account is created, reboot the computer and log in to the new account.

Now this new account is unaffected by the virus and you are free to remove the malicious software off your computer. But beware the next time.