Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Malicious Payloads. Show all posts
Steganography
Cyber Espionage Campaign Malicious Payloads malware PNG Images Steganography

Worok Cyber Espionage Group Employs Malicious PNG Images to Propagate Malware

 

Cybersecurity researchers have unearthed new malware threats manufactured to exploit steganography methodologies. Worok seems to be a complex cyber-espionage operation whose individual stages are still unknown. The campaign's final stage, however, has been identified by two cybersecurity firms.

Worok employs multi-stage malware created to siphon data and target high-profile victims, using steganography ways to conceal parts of the payloads in a plain PNG image file. The new malware was first uncovered by ESET in September. 

The researchers described Worok as a new cyber spying group that employs undocumented tools, including a steganography methodology designed to exfiltrate a malicious payload from a plain PNG image file. 

The cyber espionage group targeted high-profile victims like government agencies, particularly in the Middle East, Southeast Asia, and South Africa. ESET's knowledge of the trouble's attack chain was limited, but the latest report from Avast has provided fresh details regarding this malicious campaign.

According to the Czech security firm, Worok employs a complex multistage design to conceal its activities. The hackers employ sideloading to execute the CLRLoader malware which, in turn, implements the PNGLoader DLL, capable of reading obfuscated code masking in PNG files. 

That code translates to DropBoxControl, a custom .NET C# infostealer that abuses Dropbox file hosting for communication and data theft. The info stealer can support multiple commands, including running cmd /c, launching an executable, downloading and uploading data, deleting and renaming files, capturing file information, spy network communications, and extracting metadata. 

While researchers are still trying to put all the pieces together, the latest report from Avast confirms that Worok is a custom operation manufactured to siphon data, spy, and target high- victims in specific parts of the globe. 

“The key finding of this research is the interception of the PNG files, as predicted by ESET. The stenographically embedded C# payload (DropBoxControl) confirms Worok as the cyberespionage group. They steal data via the DropBox account registered on active Google emails,” Researchers at AVAST explained. “The prevalence of Worok’s tools in the wild is low, so it can indicate that the toolset is an APT project focusing on high-profile entities in private and public sectors in Asia, Africa, and North America.”
Read more »
malware
Cobalt Strike Crypter Crypto keylogger Malicious Payloads malware

'DarkTortilla' Crypter Produces Targeted Malware 

Researchers from Secureworks examined "DarkTortilla," a.NET-based crypter used to distribute both well-known malware and custom payloads. 

Agent Tesla, AsyncRat, NanoCore, and RedLine were among the information stealers and remote access trojans (RATs) delivered by DarkTortilla, which has probably been active since 2015. It was also detected distributing specific payloads like Cobalt Strike and Metasploit.

Software tools known as crypters enable malware to evade detection by security programs by combining encryption, obfuscation, and code manipulation.

Averaging 93 samples each week between January 2021 and May 2022, the highly adjustable and complicated crypter can also be used to send add-ons, such as additional payloads, decoy documents, and executables. It also looks to be particularly popular among hackers.

SecureWorks analysts have discovered code resemblances with a crypter employed by the RATs Crew threat organization between 2008 and 2011 as well as with malware discovered in 2021, Gameloader.

The malicious spam emails that transmit DarkTortilla include archives with an executable for an initial loader that is used to decode and run a core processor module, either hidden within the email itself or downloaded through text-storage websites like Pastebin.

The researchers have found spam email samples in English, German, Italian, Bulgarian, Romanian, and Spanish languages. These emails are adapted to the target's language.

A complex configuration file that enables the core processor to drop add-on packages like keyloggers, clipboard stealers, and cryptocurrency miners is then used to establish persistence and inject the main RAT payload into memory without leaving a trace on the file system.

The anti-tamper safeguards utilized by DarkTortilla are also significant since they guarantee that both processes used to run the components in memory are restarted right away after termination.

A second executable called a WatchDog, which is intended to monitor the targeted process and rerun it if it is destroyed, specifically enables the persistence of the first loader.

In addition to performing anti-VM and anti-sandbox checks, achieving persistence, migrating execution to the 'tmp' folder, processing add-on packages, and migrating execution to its install directory, DarkTortilla's core processor can be configured to do these things.

To prevent interference with the execution of DarkTortilla or the payload, it then injects its payload within the context of the configured subprocess and, if configured, can also provide anti-tamper protections.

This method is similar to the one used by the threat actor Moses Staff, who was discovered earlier this year using a watchdog-based strategy to prevent any interruption of his payloads. Two additional controls are also used to ensure the persistence of the initial loader as well as the continuing execution of the dumped WatchDog software itself.

Over 17 months from 2021 to May 2022, Secureworks claimed to have found an average of 93 different DarkTortilla samples being posted to the VirusTotal malware database per week. Only roughly nine of the 10,000 samples monitored during that period were used to propagate ransomware, with seven distributing Babuk and two more distributing MedusaLocker.






Read more »
User Privacy
Cobalt Strike Malicious Payloads malware PowerShell SEO User Privacy

Gootkit Loader: Targets Victims via Flawed SEO Tactics

 

Gootkit previously concealed dangerous files using freeware installers and now, it is deceiving users to download these files by engineering them as lawful documents. Looking at a flag for a PowerShell script, researchers were able to stop it from doing any harm and from delivering its payload. This approach was discovered through managed extended detection and response (MxDR). 

In order to compromise unwary users, the creators of the Gootkit access-as-a-service (AaaS) virus have reemerged. Gootkit has a history of disseminating threats including the SunCrypt ransomware, REvil (Sodinokibi) malware, Kronos trojans, and Cobalt Strike via fileless tactics.

The discoveries add to a prior report by eSentire, which stated in January that numerous attacks targeted the staff of accounting and law companies to propagate malware on compromised systems.

Gootkit is a tool of the rising underground ecosystem of access brokers, who are well-known for charging money to provide other hackers access to corporate networks, opening the door for real destructive operations like ransomware.
 
Upgraded Tactics

A search engine user initiates the attack chain by entering a specific query. A website infiltrated by Gootkit operators is displayed among the results using a black SEO method used by hackers.

The website is presented to the victim as an online forum that answers his question directly when they visit it. The malicious.js code, which is used to create persistence and inject a Cobalt Strike binary into the target system's memory, was housed in a ZIP download that was made available by this forum.

"The obfuscated script that was run when the user downloaded and accessed this file used registry stuffing to install a section of encrypted codes in the registry and add scheduled tasks for persistence. Then, utilizing PowerShell's reflective loading of the encrypted registry code, the Cobalt Strike binary that runs entirely in memory was rebuilt," reads Trend Micro's analysis.

Experts drew attention to the fact that proprietary text replacement technology has replaced base64 encoding in encrypted registries.

The Cobalt Strike binary loaded straight into the victim's system's RAM has been seen connecting to the Cobalt Strike C2's IP address, which is 89[.]238[.]185[.]13. The major payload of Cobalt Strike, a tool used for post-exploitation actions, is the beacon component.

Defensive measures

This case demonstrates,  that Gootkit is still active and developing its methods. This danger demonstrates that SEO poisoning continues to be a successful strategy for enticing unwary users. 

User security awareness training, which tries to enable people to identify and defend themselves against the most recent risks, is something that organizations can do to help. 

This incident emphasizes the value of round-the-clock supervision. Notably, cross-platform XDR stopped this assault from getting worse since it allowed us to rapidly isolate the compromised system and prevent the threat from causing more harm to the network.
Read more »
TrickBot
Cyber Crime Malicious Payloads Phishing emails Threat actors TrickBot

Attackers are Using Shipment-Delivery Scams to Lure Victims to Install Trickbot

 

Researchers discovered that threat actors are increasingly deploying scams that impersonate package couriers such as DHL or the United States Postal Service in authentic-looking phishing emails to trick victims into downloading credential-stealing or other malicious payloads. Separately on Thursday, researchers from Avanan, a CheckPoint firm, and Cofense identified current phishing scams that involve malicious links or attachments aimed at infecting computers with Trickbot and other harmful malware. 

Researchers stated the campaigns relied separately on faith in commonly used shipping methods and employees' familiarity with receiving emailed documents linked to shipments to try to provoke further action to hack corporate systems. 

The emails used to send Trickbot in recent delivery service-related campaigns included official USPS branding as well as features such as third-party social-media logos from Facebook, Instagram, LinkedIn, and Twitter, "to make the email look even more credible," researchers said. The emails, however, have a sender address that is totally irrelevant to the USPS, which might easily have alerted someone to their shady motive, they claim.

If the bait works and a user clicks on the link to the alleged invoice, they are routed to a domain that downloads a ZIP file, hxxps:/www.zozter[.]com/tracking/tracking[.]php. The unzipped file is an XMLSM spreadsheet called “USPS_invoice_EA19788988US.xlsm” that requires editing due to document protection — a common approach used in fraudulent email campaigns. If a victim goes so far as to enable editing, a malicious PowerShell process is launched, which eventually downloads Trickbot. 

According to Avanan's Jeremey Fuchs, cybersecurity researcher, and analyst, the DHL spoofing assault likewise includes what threat actors want victims to believe is a shipping document, but this time in the form of an attachment. “By spoofing a popular brand, the hackers are hoping to target vulnerable users who are accustomed to checking for shipping notifications,” he wrote. 

This practice has become so widespread that DHL has achieved the dubious distinction of replacing Microsoft at the top of Check Point Software's list of brands most mimicked by threat actors in the fourth quarter of 2021. Scams involving the courier accounted for 23% of all phishing emails during that time period, but the company's name was associated with only 9% of scams in the third quarter. 

Researchers attributed the increase in package delivery frauds to a number of variables. Spoofing DHL made perfect sense in the fourth quarter of last year during the hectic holiday shopping season, according to Jeremey, in a study on the latest DHL-related fraud published Thursday.
Read more »
Vulnerabilities and Exploits
Log4j Bug Malicious Payloads Ransomware attack Vulnerabilities and Exploits

TellYouThePass Resurges and is Now Abusing Log4j to Install Ransomware

 

TellYouThePass, one of the inactive ransomware families, has resurfaced. The ransomware is exploiting the Apache Log4j CVE-2021-44228 vulnerability to target both Linux and Windows-based computers, researchers from KnownSec 404 Team and Sangfor Threat Intelligence Team reported.

A researcher from KnownSec 404 Team first reported authorities on Twitter regarding assaults soon after discovering that the ransomware experienced a sudden surge just after the Log4Shell PoC exploits were published online, later the Sangfor security team confirmed attacks after intercepting the logs. 

“On December 13, Sangfor’s terminal security team and Anfu’s emergency response center jointly monitored ransomware called Tellyouthepass, which has attacked both platforms. Sangfor has captured a large number of Tellyouthepass ransomware interception logs” reads the analysis published by Sangfor. 

It's worth noting that this is not the first instance that Tellyouthepass ransomware has employed severe flaws to launch assaults. As early as last year, the ransomware used Eternal Blue bugs to target multiple organizational units. 

Cybersecurity researchers received 30 samples of TellYouThePass ransomware on December 13, which is relatively high considering the ransomware has remained inactive since the summer of 2020. According to Curated Intelligence, ID-Ransomware (IDR) metric confirmed a surge in the submissions for this ransomware. 

“Curated Intel member @PolarToffee responded with an ID-Ransomware (IDR) metric, proving that on December 13th, more than 30 samples of “TellYouThePass” ransomware were submitted to IDR, indicating that “a very sudden spike in submissions for what is a very old ransomware [that day],” reported Curated Intelligence. 

In recent months, there have been multiple incidents where attackers have exploited the Log4Shell vulnerability. Initially, the flaw was exploited by multiple state-sponsored attackers from China, Iran, North Korea, and Turkey. The financially driven attackers started injecting Monero miners on compromised devices and state-backed hackers began leveraging it to establish footholds for further operations. 

Khonsari ransomware payloads were also identified on self-hosted Minecraft servers by the BitDefender Threat Intelligence Team. The ransomware doesn’t encrypt files with the extensions .ini and .lnk, it employs the AES 128 CBC using PaddingMode.Zeros algorithm for encryption. 

Finally, Conti ransomware gang has added a Log4Shell attack in its armory, allowing attackers to move laterally throughout victims’ networks, secure access to VMware vCenter Server instances, and encrypt virtual machines.
Read more »
Subscribe to: Posts (Atom)