Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Malware Detection. Show all posts

China Caught Deploying Remote Access Trojan Tailored for FortiGate Devices

 

The Military Intelligence and Security Service (MIVD) of the Netherlands has issued a warning regarding the discovery of a new strain of malware believed to be orchestrated by the Chinese government. Named "Coathanger," this persistent and highly elusive malware has been identified as part of a broader political espionage agenda, targeting vulnerabilities in FortiGate devices.

In a recent advisory, MIVD disclosed that Coathanger was employed in espionage activities aimed at the Dutch Ministry of Defense (MOD) in 2023. Investigations into the breach revealed that the malware exploited a known flaw in FortiGate devices, specifically CVE-2022-42475.
Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. 
Unlike some malware that relies on new, undisclosed vulnerabilities (zero-day exploits), Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. However, the advisory emphasizes that it could potentially be used in conjunction with future vulnerabilities in FortiGate devices.

Described as stealthy and resilient, Coathanger evades detection by concealing itself through sophisticated methods, such as hooking system calls to evade detection. It possesses the capability to survive system reboots and firmware upgrades, making it particularly challenging to eradicate.

According to Dutch authorities, Coathanger is just one component of a larger-scale cyber espionage campaign orchestrated by Chinese state-sponsored threat actors. These actors target various internet-facing edge devices, including firewalls, VPN servers, and email servers.

The advisory issued by Dutch intelligence underscores the aggressive scanning tactics employed by Chinese threat actors, who actively seek out both disclosed and undisclosed vulnerabilities in edge devices. It warns of their rapid exploitation of vulnerabilities, sometimes within the same day they are made public.

Given the popularity of Fortinet devices as cyberattack targets, businesses are urged to prioritize patch management. Recent reports from Fortinet highlighted the discovery of two critical vulnerabilities in its FortiSIEM solution, emphasizing the importance of prompt patching.

To mitigate the risk posed by Coathanger and similar threats, intelligence analysts recommend conducting regular risk assessments on edge devices, restricting internet access on these devices, implementing scheduled logging analysis, and replacing any hardware that is no longer supported.

LummaC2 Malware Introduces Innovative Anti-Sandbox Technique Utilizing Trigonometry

 

The LummaC2 malware, also known as Lumma Stealer, has introduced a novel anti-sandbox technique that utilizes trigonometry to avoid detection and steal valuable information from infected hosts. Outpost24 security researcher Alberto Marín highlighted this method, stating that it aims to delay the activation of the malware until human mouse activity is identified.

Originally written in the C programming language, LummaC2 has been available on underground forums since December 2022. Subsequent updates have made it more resistant to analysis through techniques like control flow flattening, and it now has the capability to deliver additional payloads.

In its current iteration (v4.0), LummaC2 mandates the use of a crypter by its customers to enhance concealment and prevent the leakage of its raw form.

A significant enhancement involves the utilization of trigonometry to identify human behavior on the compromised endpoint. Marín explained that this technique observes various cursor positions within a short time frame to effectively detect human activity, thereby thwarting detonation in analysis systems that lack realistic mouse movement emulation.

To achieve this, LummaC2 captures the cursor position five times after a predefined sleep interval of 50 milliseconds. It then checks if each captured position differs from its predecessor, repeating the process until all consecutive cursor positions differ. Once these positions meet the requirements, LummaC2 treats them as Euclidean vectors, calculating the angles formed between two consecutive vectors. If all calculated angles are below 45º, LummaC2 v4.0 perceives it as 'human' mouse behavior and proceeds with execution. If any angle exceeds 45º, the malware restarts the process by ensuring mouse movement in a 300-millisecond period and capturing five new cursor positions.

This development coincides with the emergence of new information stealers and remote access trojans like BbyStealer, Trap Stealer, Predator AI, Epsilon Stealer, Nova Sentinel, and Sayler RAT, designed to extract sensitive data from compromised systems.

Predator AI, a actively maintained project, stands out for its capability to attack popular cloud services like AWS, PayPal, Razorpay, and Twilio. It has also incorporated a ChatGPT API for user convenience, as noted by SentinelOne earlier this month.

Marín emphasized that the malware-as-a-service (MaaS) model remains the preferred method for emerging threat actors to conduct complex and lucrative cyberattacks. Information theft, particularly within the realm of MaaS, poses a significant threat, leading to substantial financial losses for both organizations and individuals.

Endpoint Antivirus Detection Has Reached its Apex

 

Endpoint security is a term used to describe cybersecurity services provided to network endpoints, it included providing  Antivirus, email filtering, online filtering, and firewall services. Businesses rely on endpoint security to protect vital systems, intellectual property, customer details, employees, and visitors from ransomware, phishing, malware, and other threats. 

"While the total volume of cyberattacks decreased slightly, malware per device increased for the first period since the pandemic began," said Corey Nachreiner, CSO at WatchGuard. "Zero-day malware increased by only 3% to 67.2 percent in Q3 2021, and malware delivered via Transport Layer Security (TLS) increased from 31.6 percent to 47 percent." 

As consumers update to newer versions of Microsoft Windows and Office, cybercriminals are focused on fresh vulnerabilities — versions of Microsoft's widely used programs. CVE-2018-0802, which exploits a weakness in Microsoft Office's Equation Editor, cracked WatchGuard's top 10 entryway antivirus malware list in Q3, reaching number 6 after appearing on the widespread malware list.

In addition, two Windows software injectors (Win32/Heim.D and Win32/Heri) ranked first and sixth, on the most detected list. In Q3, the Americans were the focus of 64.5 percent of network attacks, compared to 15.5 percent for Europe and 15.5 percent for APAC (20 percent ). 

Following three-quarters of more than 20% increase, a reduction of 21% brought volumes back to Q1 levels. The top ten network attack signatures are responsible for the majority of attacks – The top 10 signatures were responsible for 81 percent of the 4,095,320 hits discovered by IPS in Q3. In fact, 'WEB Remote File Inclusion /etc/passwd' (1054837), which targets older, commonly used Microsoft Internet Information Services (IIS) web servers, was the only new signature in the top ten in Q3. One signature (1059160), a SQL injection, has remained at the top of the list since the second quarter of 2019. 

From application flaws to script-based living-off-the-land attacks, even those with modest skills may use scripting tools like PowerSploit and PowerWare, there were also 10% additional attack scripts than there were in all of 2020, a 666 percent raise over the previous year. 

In total, 5.6 million harmful domains were blocked in the third quarter, including many new malware domains attempting to install crypto mining software, key loggers, and wireless access trojans (RATs), as well as SharePoint sites harvesting Office365 login information. The number of blacklisted domains is down 23% from the past quarter, it is still several times greater than the level seen in Q4 2020.

Ransomware attacks reached 105 percent of 2020 output by the end of September, as expected after the previous quarter, and are on track to exceed 150 percent after the entire year of 2021 data is analyzed. 

According to WatchGuard's investigation, attackers operating with the REvil ransomware-as-a-service (RaaS) operation exploited three zero-day vulnerabilities in Kaseya VSA Remote Monitoring and Management (RMM) applications to deliver ransomware to more than 1,500 organizations and potentially millions of endpoints.

Google Play Protect Fails Malware Detection Test by AV-TEST

 

The integrated malware defense mechanism of Google has yet failed again in an Antivirus Lab Test conducted by AV-TEST, which was a rigorous real-world security test. Between January 2021 and June 2021, the play store ranked lowest amongst all the 15 security Android apps examined. 

A test comprising of 15 safety apps on Android devices reported that the system detected only two-thirds of 20,000 harmful apps. Unlike Google Play Protect, the detection rate of applications from firms such as Bitdefender, McAfee, NortonLifeLock, and Trend Micro came out to be as high as 100%. 

During Google I/O in May 2017, Google unveiled Android mobile threat prevention, which works constantly for scanning more than 100 billion apps every day. Google Play Protect is used on billions of devices ever since, and today provides integrated malware security on more than 2.5 billion Android apps. 

In 2017 Google rolled out Google Play Protect, which helped decrease a large number of vulnerability cases on Android in 2018. Nevertheless, recent studies have shown that although Google Play Protect is installed by default, several malware applications might still target consumers. 

Google Play Protect features device capabilities that help maintain security for devices and data. These on-device services include cloud-based elements that enable Google to upgrade its performance consistently. 

Whereas every program that's loaded and opened on the smartphone is continually running and screening, "the endurance test revealed that this service does not provide particularly good security: every other security app offers better protection than Google Play Protect." 

The safety apps had to uncover more than 3,000 new malware samples including 3,000 existing malware samples, each one month old, in complex testing sessions. The AV-TEST reports that only the five programs – Bitdefender, G DATA, McAfee, NortonLifeLock, and Trend Micro – were in real-time able to identify malware with 100% precision. 

In real-time testing and reference set testing, Google Play Protect could only filter 68.8% of harmful apps from 76.6%. However, Ikarus also scored better than Google Play Protect for security, the lowest-rated third-party security app. 

Google didn't perform very well in respect to inaccuracies in malicious application detection. It found 70 applications to be unsafe, with approximately 10,000 more harmless applications for random testing. 

The best approach to be safe is to have one of the Android device's best-rated third-party apps. It is not a prudent option to rely solely on the Google Play Protect, as this exhaustive test by the AV-TEST demonstrates.