Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Backdoors. Show all posts

Microsoft Alerts Users as Russian Hackers Target Windows Systems

 

As advancements in AI technology continue to unfold, the specter of cybercrime looms larger each day. Among the chorus of cautionary voices, Microsoft, the eminent IT behemoth, adds its warning to the fray.

Microsoft's Threat Intelligence researchers have issued a stark advisory to Windows users regarding the targeted assaults orchestrated by Russian state-sponsored hackers wielding a sophisticated tool.

These hackers, known in some circles as APT28 or Fancy Bear, but tracked by Microsoft under the moniker Forest Blizzard, have close ties to Russia's GRU military intelligence agency.

GooseEgg, a tool wielded with the aim of siphoning data and surreptitiously establishing backdoors within computer systems. Forest Blizzard, alias APT28, has deployed GooseEgg in a series of calculated strikes targeting governmental entities, educational institutions, and transportation firms across the United States, Western Europe, and Ukraine.

Their modus operandi centers predominantly on the strategic acquisition of intelligence. Evidence suggests that the utilization of GooseEgg may have commenced as early as June 2020, with the possibility of earlier incursions dating back to April 2019.

In response to the threat landscape, a patch addressing a vulnerability identified as CVE-2022-38028 was released by Microsoft in October 2022. GooseEgg, the nefarious tool in the hackers' arsenal, exploits this particular weakness within the Windows Print Spooler service.

Despite its deceptively simple appearance, the GooseEgg program poses an outsized threat, granting attackers elevated permissions and enabling a litany of malicious activities. From the remote execution of malware to the surreptitious installation of backdoors and the seamless traversal of compromised networks, the ramifications are profound and far-reaching.

Researchers Found Custom Backdoors and Spying Tools Used by Polonium Hackers

 

A threat actor identified as Polonium has been linked to over a dozen highly targeted attacks aimed at Israeli entities using seven different custom backdoors, since September 2021.

According to cybersecurity firm ESET, the intrusions targeted organisations in a variety of industries, including engineering, information technology, law, communications, branding and marketing, media, insurance, and social services. Microsoft has given the chemical element-themed moniker Polonium to a sophisticated operational group believed to be based in Lebanon and known to exclusively target Israeli targets. 

The group's activities were first revealed in June when Microsoft announced the suspension of more than 20 malicious OneDrive accounts created by the adversary for command-and-control (C2) purposes.

The use of implants dubbed CreepyDrive and CreepyBox for their potential to exfiltrate sensitive data to actor-controlled OneDrive and Dropbox accounts has been central to the attacks. CreepySnail, a PowerShell backdoor, has also been deployed. ESET's latest discovery of five previously unknown backdoors highlights an active espionage-oriented threat actor that is constantly refining and retooling its malware arsenal.

ESET researcher Matías Porolli said, "The numerous versions and changes Polonium introduced into its custom tools show a continuous and long-term effort to spy on the group's targets. The group doesn't seem to engage in any sabotage or ransomware actions."

The list of bespoke hacking tools is as follows -
  • CreepyDrive/CreepyBox - A PowerShell backdoor that reads and executes commands from a text file stored on OneDrive or Dropbox.
  • CreepySnail - A PowerShell backdoor that receives commands from the attacker's own C2 server
  • DeepCreep - A C# backdoor that reads commands from a text file stored in Dropbox accounts and exfiltrates data
  • MegaCreep - A C# backdoor that reads commands from a text file stored in Mega cloud storage service
  • FlipCreep - A C# backdoor that reads commands from a text file stored in an FTP server and exfiltrates data
  • TechnoCreep - A C# backdoor that communicates with the C2 server via TCP sockets to execute commands and exfiltrate data
  • PapaCreep - A C++ backdoor that can receive and execute commands from a remote server via TCP sockets

PapaCreep, discovered in September 2022, is a modular malware with four distinct components designed to run commands, receive and send commands and their outputs, and upload and download files.

The Slovak cybersecurity firm also discovered several other modules responsible for keystroke logging, screenshot capture, webcam photography, and establishing a reverse shell on the compromised machine. Despite the abundance of malware used in the attacks, the initial access vector used to breach the networks is unknown at this time, though it is suspected that it involved the exploitation of VPN flaws.

Porolli concluded, "Most of the group's malicious modules are small, with limited functionality. They like to divide the code in their backdoors, distributing malicious functionality into various small DLLs, perhaps expecting that defenders or researchers will not observe the complete attack chain."

ESET: FontOnLake Rootkit Malware Targets Linux Systems

 

Researchers have detected a new campaign that is potentially targeting businesses in Southeast Asia using previously unknown Linux malware that is designed to allow remote access to its administrators, as well as collect credentials and operate as a proxy server. 

The malware group, called "FontOnLake" by the Slovak cybersecurity firm ESET, is reported to entail "well-designed modules" that are constantly modified with a wide range of features, indicating an active development stage. 

According to samples uploaded to VirusTotal, the initial attacks employing this threat may have happened as early as May 2020. The same virus is being tracked by Avast and Lacework Labs under the name HCRootkit. 

ESET researcher Vladislav Hrčka stated, "The sneaky nature of FontOnLake's tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks." 

"To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake's presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism." 

FontOnLake's toolkit consists of three components: trojanized copies of genuine Linux utilities utilized to load kernel-mode rootkits and user-mode backdoors, all of which interact through virtual files. The C++-based implants themselves are programmed to monitor systems, discreetly perform commands on networks, and steal account passwords. 

A second variation of the backdoor also function as a proxy, modify files, and download arbitrary files, while a third variant, in addition to combining characteristics from the other two backdoors, can run Python scripts and shell commands. 

ESET discovered two variants of the Linux rootkit that are based on an open-source project called Suterusu and share features like hiding processes, files, network connections, and itself, as well as being able to perform file operations and obtain and run the user-mode backdoor. 

Enterprise Password Management 

It is yet unknown how the attackers gained initial network access but the cybersecurity firm highlighted that the malicious actor behind the assaults is "overly cautious" to avoid leaving any traces by depending on multiple, unique command-and-control (C2) servers with different non-standard ports. All the C2 servers observed in the VirusTotal artifacts are no longer working. 

Hrčka stated, "Their scale and advanced design suggest that the authors are well versed in cybersecurity and that these tools might be reused in future campaigns." 

"As most of the features are designed just to hide its presence, relay communication, and provide backdoor access, we believe that these tools are used mostly to maintain an infrastructure which serves some other, unknown, malicious purposes."

Trojans, Backdoors and Droppers the Top Three Malware Globally?



According to a few recent surveys and analysis conducted by some well-known and influential cybersecurity agencies, there are approximately 3 top malwares that the users should be aware of. 

'Gate-crashing' enterprises and users globally are Trojans, Backdoors, and Droppers which comprise 72 percent of the total cyber-attacks across the globe, as per anonymized statistics from free requests from Kaspersky Threat Intelligence Portal. 

The statistics likewise show that the different sorts of malware that researchers most frequently examine and investigate don't harmonize with the most widespread ones. 

By and large, submitted hashes or dubious uploaded files ended up being Trojans (25 percent of requests), Backdoors, a malware that gives an attacker remote control over a computer (24 percent), and Trojan-Droppers (23 percent) that install different malignant objects. 

Denis Parinov, Acting Head of Threats Monitoring and Heuristic Detection explains "We have noticed that the number of free requests to the Kaspersky Threat Intelligence Portal to check viruses or pieces of code that insert themselves in over other programs, is extremely low less than one percent, but it is traditionally among the most widespread threats detected by endpoint solutions," 

Later added, “Viruses are rarely of interest to researchers, most likely because they lack novelty compared to other threats." 

Despite the fact that Trojans are typically the most widespread type of malware, however, Backdoors and Trojan-Droppers are not as common as they just make up 7 percent and 3 percent of every malevolent file blocked by the Kaspersky endpoint products. 

The researchers say, "This difference can be explained by the fact that researchers are often interested in the final target of the attack, while endpoint protection products are seeking to prevent it at an early stage," 

Nonetheless, in order to develop response and remediation measures, security analysts need to distinguish the objective of the attack, the root of a malignant object, its prominence, and at the end, the report specified that it's the security researchers who need to identify all components within the dropper.

Github Escapes from Octopus Malware that Affected its 26 Software Projects


Github, a platform where every malicious software report is equally different in its place, manages to escape from a malware threat.  Github, an organization that united the world's largest community of coders and software developers, revealed that hackers exploited an open-source platform on its website to distribute malware. The hackers used a unique hacking tool that enabled backdoors in each software project, which the hackers used to infiltrate the software systems.


"While we have seen many cases where the software supply chain was compromised by hijacking developer credentials or typosquatting popular package names, a malware that abuses the build process and its resulting artifacts to spread is both interesting and concerning for multiple reasons," said Github on its security blog. Fortunately, the hackers attempt to exploit the open-source platform was unsuccessful. Still, if it were, on the contrary, hackers could've secured a position in the softwares, which were to be used later by corporate applications and other websites.

Since recent times, open-source websites have become a primary target for hackers. It is because once the hackers exploit backdoor vulnerabilities on open-source platforms, thousands of apps are exposed to remote code execution. As for Github, the company's website currently has more than 10 Million users. In the Github incident, 26 software projects were infected through malicious codes, which is a severe warning for the potential threat of the open-source compromises. The experts have identified the malware as "Octopus Scanner," which is capable of stealing data by deploying remote access codes.

The malware spread with the help of projects using software called Apache Beans, tells Github. "On March 9, we received a message from a security researcher informing us about a set of GitHub-hosted repositories that were, presumably unintentionally, actively serving malware. After a deep-dive analysis of the malware itself, we uncovered something that we had not seen before on our platform: malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself," says Github on its blog. These attacks can be highly threatening as the tactics used here gives the hackers access to various systems.

BazarBackdoor: A Malware similar to Trickbot, targets Corporates


According to cybersecurity experts, a new phishing campaign is allowing malware backdoor entry. The malware which is said to be created by hacking group Trickbot will enable hackers to jeopardize and take control of an organization's network. It is a necessary measure to have a back door for hackers to gain entry access and control the company's network in sophisticated network attacks. It is required in the following cyberattacks- corporate espionage, data extraction attacks, specified ransomware attacks.


According to several reports, the attack was first discovered two weeks ago. The malware is called "BazarBackdoor" or simply "backdoor" by the cybersecurity experts. The malware serves as a tool kit for hackers to gain access to an enterprise's network. Trickbot is said to be the creator of this malware because of BazarBackdoor sharing similar coding, cryptos, and designs.

About BazarBackdoor 

The attacks first start in the form of phishing campaigns that try to lure victims through click baits like 'coronavirus relief funds,' 'customer complaints,' 'COVID reports' or merely a list of downsizing reports that are directly linked to google docs. The hackers, unlike other phishing campaigns, are using creative techniques to lure the users to different landing pages like fake customer complaints page or fake COVID fund relief page. The landing pages either pretend to be a PDF, Word, or Excel document, which can't be viewed appropriately. Hence, a link is provided to the users to view the document appropriately. When the users click the link, the documents get downloaded either in word or PDF format with a 'preview' title. Windows don't have a default file extension; therefore, the user thinks that these files are original. Thus, doing this enables the backdoor entry for the malware.

Attack linked to Trickbot 

According to cybersecurity experts, the malware targets explicitly companies and corporate enterprises. It is likely to be developed by the same hacking group responsible for creating another malware named Trickbot. Trickbot and BazarBackdoor share similar cryptos, and both use the same email patterns to launch their attacks. As a precaution, corporate companies are suggested to stay alert and ask their employees not to open any unknown link sent via email.

Many Android devices had pre-installed backdoor: Google

Earlier this year, Forbes reported how a banking Trojan called Triada had been found on a bunch of brand new budget Android smartphones. Google has now confirmed that threat actors did, indeed, manage to compromise Android smartphones with the installation of a backdoor as part of a supply chain attack.

Two years later, on Thursday, Google has now admitted that criminals in 2017 indeed managed to get an advanced backdoor preinstalled on Android devices, even before these left the factories of manufacturers.

The list of affected devices includes Leagoo M5 Plus, Leagoo M8, Nomu S10 and Nomu S20.

To understand what has happened here, we need to go back to 2016 when Kaspersky Lab researchers first uncovered what they called one of the most advanced mobile Trojans Kaspersky malware analysts had ever seen. They named that Trojan "Triada" and explained how it existed mainly in the smartphone's random access memory (RAM) using root privileges to replace system files with malicious ones. Android phones were spotted to have Triada as a preloaded backdoor in 2017.

The firm, Dr. Web’s, researchers had found Triada embedded into one of the OS libraries and located in the system section. Not just that, the Trojan couldn’t be detected or deleted using standard methods.

Triada had, the researchers found, used a call in the Android framework log function instead. In other words, the infected devices had a backdoor installed. This meant that every time an app, any app, attempted to log something the function was called and that backdoor code executed. The Triada Trojan could now execute code in pretty much any app context courtesy of this backdoor; a backdoor that came factory-fitted.

The Mountain View, California-headquartered company initially removed Triada samples from all Android devices using Google Play Protect. But in 2017, it was found that Triada evolved and ultimately became a preloaded backdoor on Android devices. Notably, the latest phones aren't likely to be affected by what has been discovered by Google. The vulnerability did have an impact on various models in the past, though.

Turla Mosquito Hacker Group shift to Open Source Malware


Turla, a hacking group that has been active for over ten years and one of the largest known state-sponsored cyberespionage groups, is showing a shift in its behaviour from using its own creations to leveraging the open source exploitation framework Metasploit before dropping the custom Mosquito backdoor.

While this is not the first time Turla is using generic tools, researchers at ESET say that this is the first time the group has used Metasploit, which is an open-source penetration testing project, as a first stage backdoor.

“In the past, we have seen the group using open-source password dumpers such as Mimikatz,” ESET Research said in a blog post. “However, to our knowledge, this is the first time Turla has used Metasploit as a first stage backdoor, instead of relying on one of its own tools such as Skipper.”

The typical targets of the attacks remain to be embassies and consulates in Eastern Europe and the group is still using a fake Flash installer to install both the Turla backdoor and the legitimate Adobe Flash Player.

According to the researchers, the compromise occurs when the user downloads a Flash installer from get.adobe.com through HTTP, allowing Turla operators to replace the legitimate Flash executable with a trojanized version by intercepting traffic on a node between the end machine and the Adobe servers.


“We believe the fifth possibility to be excluded, as, to the best of our knowledge, Adobe/Akamai was not compromised,” the post went on to say, assuring that the Adobe website does not seem to have been compromised.

Researchers found, at the beginning of March 2018, that there were some changes in the Mosquito campaign. Where previously, the attack was carried out by dropping a loader and the main backdoor using a fake Flash installer, there is now a change in the way the final backdoor is dropped.


“Turla’s campaign still relies on a fake Flash installer but, instead of directly dropping the two malicious DLLs, it executes a Metasploit shellcode and drops, or downloads from Google Drive, a legitimate Flash installer,” the post read.

The shellcode then downloads a Meterpreter, which gives the attacker the control of the compromised machine, and finally places the final Mosquito backdoor.


Once the attack is executed, the fake Flash installer downloads a legitimate Flash installer from a Google Drive URL and runs it to deceive the user into thinking that the installation went smoothly.

Researchers also say that because of the use of Metasploit, it can be assumed that there is an operator controlling the exploitation manually. More information on Turla can be found in ESET’s whitepaper as well as their recent report on Turla’s change in attacks.

WordPress Plugins containing Backdoor distributed via phishing emails

What would you do when you receive an email offering Pro version of Wordpress plugin for free, if you are a WordPress user? Don't get tempted by such kind of emails, they also give malicious code for free!

Sucuri reported about a phishing emails asking their clients to download Pro-version of "All in one SEO Pack" WordPress plugin.  The email claims that the plugin is $79.00 worth and giving it for free.

"You have been chosen by WordPress to take part in our Customer Rewarding Program.  You are the 23rd from 100 uniques winners." The phishing email reads.

Credit : Sucuri

The download link provided in the email is not linked to WordPress plugin store, it is linked to a zip file hosted in a compromised website.

Security researchers at Sucuri analyzed the plugin and found out that it is modified with a Backdoor which gives attackers full access to the server.

The malicious code in the plugin replaces the index.php file with the malicious code retrieved from the attacker's server.  So, when user visit the site, they either redirected to SPAM sites or to Exploit kits where it will infect the visitor's system.

More than 400 web servers infected with Linux/Cdorked.A Backdoor


Last month, ESET analyzed a new sophisticated and stealthy Apache backdoor "Linux/Cdorked.A" that drive traffic to malicious pages.

Security researchers at ESET observed that more than 400 web servers infected with the backdoor "Linux/Cdorked.A" including 50 Top ranked websites.

In their recent report, ESET noted that the Lighttpd and nginx web servers also are affected by this backdoor.

"we found it will not deliver malicious content if the victim’s IP address is in a very long list of blacklisted IP ranges, nor if the victim’s internet browser’s language is set to Japanese, Finnish, Russian and Ukrainian, Kazakh or Belarusian."  The report reads.

Researchers still not able to identify how this malicious software was deployed on the affected web servers.

The technical details are available at WeLiveSecurity

Backdoor R2D2 ~Government Trojan discovered by Chaos Computer Club

The Famous European hacker club, Chaos Computer Club(CCC) discovered the backdoor Trojan horse capable of spying on online activity and recording Skype internet calls which, it says, is used by the German police force.

For some years, German courts have allowed the police to deploy a Trojan known colloquially as "Bundestrojaner" ("State Trojan") to record Skype conversations, if they have legal permission for a wiretap.

But the CCC's claim is controversial, as the Trojan they have uncovered has more snooping capabilities than that. For instance, it includes functionality to download updates from the internet, to run code remotely and even to allow remote access to the computer - something specifically in violation of Germany's laws.

The malware has the following of functionality as per the Sophos's analysis:
* The Trojan can eavesdrop on several communication applications - including Skype, MSN Messenger and Yahoo Messenger.
* The Trojan can log keystrokes in Firefox, Opera, Internet Explorer and SeaMonkey.
* The Trojan can take JPEG screenshots of what appears on users' screens and record Skype audio calls.
* The Trojan attempts to communicate with a remote website.

A CCC spokesperson expressed the group's concern at the discovery:

"This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired. Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."

Was the Trojan horse really written by the German authorities?
We have no way of knowing if the Trojan was written by the German state - and so far, the German authorities aren't confirming any involvement.

The comments in the Trojan's binary code could just as easily be planted by someone mischievously wanting the Trojan to be misidentified as the infamous the Bundestrojaner.

What we can say is that the phrase "0zapftis" has raised some eyebrows amongst the German speakers at SophosLabs. It's a play on a Bavarian phrase "The barrel is open", said by the mayor of Munich when he opens the first barrel of beer at the Oktoberfest.

But there certainly have been claims of German state-sponsored cyber-spying in the past. For instance, in 2008, there were claims that the BND - Germany's foreign intelligence service - deployed spyware to monitor the Ministry of Commerce and Industry in Afghanistan.