
Analysis of Agent Tesla's Successor

OriginLogger, a malware hailed as the replacement for the well-known data-theft and remote access trojan (RAT) Agent Tesla, has had its inner workings dissected by Palo Alto Networks Unit 42.

Agent Tesla, one of the most notorious keyloggers used by attackers, was shut down on March 4, 2019, due to legal issues. It is a remote access tool built on the .NET platform that has long existed in the cyber realm, enabling malicious actors to obtain remote access to target devices and transmit user data to a domain under their control. It has been publicly available since 2014 and is promoted for sale on dark web forums. Attackers typically deliver it as an attachment in malicious spam emails.

Since Agent Tesla and OriginLogger are both commercialized keyloggers, it should not be assumed that one has a distinct advantage over the other in terms of initial droppers. 

Security company Sophos revealed two new variants of the widespread malware in February 2021, with the ability to steal login information from web browsers, email clients, and VPN clients, as well as to use the Telegram API for command and control.

According to Unit 42 researcher Jeff White, what has been labeled as Agent Tesla version 3 is OriginLogger, which is alleged to have emerged to fill the gap left by the former after its operators shut down the business.

A YouTube video explaining its features served as the foundation for the cybersecurity company's study, which resulted in the detection of a malware sample "OriginLogger.exe" that was added to the VirusTotal malware archive on May 17, 2022.

The binary is a builder component that lets a paying customer specify the kind of data to be collected, including screenshots, the clipboard, and the list of services and programs from which keystrokes are to be retrieved.

Unlike the IP addresses linked to originpro[.]me, 74.118.138[.]76 resolves to 0xfd3[.]com rather than to any OriginLogger domain directly. Examining this domain reveals that it has MX and TXT records for mail.originlogger[.]com in the DNS.

Around March 7, 2022, the domain in question started to resolve to IP 23.106.223[.]47, one octet higher than the IP used for originpro[.]me, which ended in 46.

OriginLogger targets credentials from both Google Chrome and Microsoft Outlook, and Unit 42 used that fact to locate a GitHub profile with the username 0xfd3 that hosted two source code repositories for obtaining credentials from those two applications.

Similar to Agent Tesla, OriginLogger is distributed via a decoy Word document that, when opened, displays an image of a German passport, a credit card, and several Excel worksheets embedded in it.

The embedded files contain a VBA macro that uses MSHTA to fetch an HTML page from a remote server; that page contains obfuscated JavaScript that retrieves two encoded binaries hosted on Bitbucket.
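The delivery chain above (Office document, VBA macro, MSHTA fetching a remote page) leaves a clear trace in endpoint process-creation telemetry. The following detection logic is an added example, not code from Unit 42 or from the malware; it assumes a simplified key="value" event format, and the sample events are constructed, not real telemetry.

```python
"""Flag process-creation events where an Office application spawns mshta.exe
with a remote (URL or UNC) argument, the pattern described for OriginLogger.
Added example; event format and sample lines are constructed assumptions."""
import re
from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# A URL or UNC path handed to mshta.exe is the strongest signal.
REMOTE_ARG = re.compile(r"(https?://|\\\\)[^\s\"']+", re.IGNORECASE)
KV = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    'ts=2022-05-17T10:01:02Z parent="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" image="C:\\Windows\\System32\\mshta.exe" cmdline="mshta.exe https://example.invalid/page.html"',
    'ts=2022-05-17T10:05:00Z parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\mshta.exe" cmdline="mshta.exe C:\\Users\\u\\local.hta"',
    'ts=2022-05-17T10:06:00Z parent="C:\\Program Files\\Microsoft Office\\EXCEL.EXE" image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse the quoted key="value" fields plus the unquoted ts= prefix."""
    fields = dict(KV.findall(line))
    m = re.match(r"ts=(\S+)", line)
    if m:
        fields["ts"] = m.group(1)
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_to_mshta(ev: Dict[str, str]) -> bool:
    """True when an Office process launches mshta.exe with a remote argument."""
    parent = basename(ev.get("parent", ""))
    image = basename(ev.get("image", ""))
    if parent not in OFFICE_PARENTS or image != "mshta.exe":
        return False
    return bool(REMOTE_ARG.search(ev.get("cmdline", "")))


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Return a summary record for every event matching the detection."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_office_to_mshta(ev):
            hits.append({"ts": ev.get("ts", ""),
                         "parent": basename(ev["parent"]),
                         "cmdline": ev["cmdline"]})
    return hits
```

A local .hta launched from Explorer (second sample) is deliberately not flagged; that case needs separate, lower-confidence handling.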

Advertisements from the threat actors claim that the malware employs time-tested techniques and can capture keystrokes, credentials and screenshots, download additional payloads, upload stolen data in a variety of ways, and attempt to evade detection.

An analysis of a corpus of over 1,900 samples found 181 different bots in use, and that SMTP, FTP, web uploads to the OriginLogger panel, and Telegram are the most popular methods for exfiltrating data back to the attacker. The goal of this investigation was to automatically extract configuration information from the keylogger.





CISA Updates its Database With 10 New Actively Exploited Vulnerabilities

A high-severity security vulnerability impacting industrial automation software from Delta Electronics was among 10 new actively exploited vulnerabilities that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed in its Known Exploited Vulnerabilities (KEV) Database on Friday.

Federal Civilian Executive Branch (FCEB) agencies are required to remediate the vulnerabilities by the deadline in accordance with Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, in order to safeguard their networks from attacks that exploit the flaws in the catalog.

Private firms should analyze the Catalog and fix any infrastructure weaknesses, according to experts.

The flaw, tracked as CVE-2021-38406 and carrying a CVSS score of 7.8, affects DOPSoft 2 versions 2.00.07 and earlier. Successful exploitation could result in arbitrary code execution.

Delta Electronics DOPSoft 2's incorrect input validation causes an out-of-bounds write that permits code execution, according to a CISA notice. "Delta Electronics DOPSoft 2 lacks sufficient validation of user-supplied data when parsing specified project files," the alert stated.

Notably, CVE-2021-38406 was first made public as part of an industrial control systems (ICS) advisory that was released in September 2021.

It is crucial to emphasize that the affected product is end-of-life and that no security updates are available to fix the problem. FCEB agencies must comply with the directive by September 15, 2022.

The nature of the attacks exploiting the security issue is not well known, but a recent analysis by Palo Alto Networks Unit 42 identified instances of in-the-wild attacks that took place between February and April 2022.

The development supports the idea that attackers are becoming more adept at weaponizing newly reported vulnerabilities as soon as they are made public, which fuels indiscriminate and opportunistic scanning intended to profit from delayed patching.

Exploitation of such flaws typically follows a recognizable sequence: web shells, crypto miners, botnets, remote access trojans (RATs), initial access brokers (IABs), and finally ransomware.

CVE-2021-31010 (CVSS score: 7.5), a since-patched flaw in Apple's Core Telephony component that could be used to bypass sandbox restrictions, is another high-severity issue added to the KEV Catalog. The tech giant corrected the flaw in September 2021.

Apple appears to have quietly updated its advisory on May 25, 2022, to add the vulnerability and clarify that it had actually been used in attacks, even though there were no signs of exploitation at the time of the original release.

The iPhone maker said it was aware of a report that this flaw may have been extensively exploited at the time of release. Citizen Lab and Google Project Zero were credited with the discovery.

Another noteworthy aspect of the September update is the patching of CVE-2021-30858 and CVE-2021-30860, both of which were used by NSO Group, the company behind the Pegasus spyware, to circumvent the security measures of the operating systems.

This suggests that CVE-2021-31010 may have been chained with the two issues described above as part of an attack chain to escape the sandbox and execute arbitrary code.



Google Drive & Dropbox Targeted by Russian Hackers

The Russian state-sponsored hacking collective known as APT29 has been attributed to a new phishing campaign that takes advantage of legitimate cloud services like Google Drive and Dropbox to deliver malicious payloads on compromised systems.

In recent campaigns targeting Western diplomatic missions and foreign embassies globally between early May and June 2022, the threat group APT29, also known as Cozy Bear or Nobelium, adopted this new technique. The phishing documents included a link to a malicious HTML file that served as a dropper for additional malicious files, including a Cobalt Strike payload, to gain a foothold in the target network.

Google and Dropbox were alerted to the operation by Palo Alto Networks and took measures to restrict it. Unit 42 researchers have cautioned organizations and governments to maintain a high state of alert. In light of APT29's new methods, organizations should review their capacity to identify, inspect, and block unwanted traffic to legitimate cloud storage providers.

APT29, also known as Cozy Bear, Cloaked Ursa, or The Dukes, is a cyber espionage organization that seeks to gather information that supports Russia's geopolitical goals. It also carried out the SolarWinds supply-chain hack, which resulted in the compromising of several US federal agencies in 2020.

What has changed in the most recent versions is the use of cloud services like Dropbox and Google Drive to mask the group's activity and deliver additional espionage tooling into target environments. According to reports, the attack's second version, seen in late May 2022, was further modified to host the HTML dropper in Dropbox.

The findings also line up with a recent statement from the Council of the European Union that "condemns this appalling behavior in cyberspace" and highlights the rise in hostile cyber actions carried out by Russian threat actors.

In a news release, the EU Council stated that "this increase in harmful cyber actions, in the context of the war against Ukraine, presents intolerable risks of spillover effects, misinterpretation, and possible escalation."







GALLIUM APT Deployed a New PingPull RAT

According to Palo Alto Networks researchers, the PingPull RAT is a "difficult-to-detect" backdoor that uses the Internet Control Message Protocol (ICMP) for C2 communications. The researchers also discovered PingPull variants that use HTTPS or TCP rather than ICMP to talk to their C2 server.

Gallium, a Chinese advanced persistent threat (APT) group, has a long history of cyberespionage against telecommunications companies, dating back to 2012. In 2017, the state-sponsored group, tracked as Soft Cell by Cybereason, was linked to a broader set of attacks aimed at five major Southeast Asian telecom companies. Over the last year, however, the group's victimology has expanded to include financial institutions and government agencies in Afghanistan, Austria, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.

PingPull, a Visual C++-based malware, gives a threat actor a reverse shell and the ability to run arbitrary commands on a compromised computer. It also supports file operations, enumerating storage volumes, and timestamping files.

The researchers explained that "PingPull samples which use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server." "The C2 server will send commands to the system by responding to these Echo queries with an Echo-Reply packet." 
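The mechanism quoted above breaks an invariant of benign ping traffic: a normal Echo Reply mirrors the identifier, sequence number and payload of its Echo Request, whereas a C2 server returning commands must put different data in the reply. The detection logic below is an added example, not Unit 42's or PingPull's code; the packet records are constructed samples, not real captures, and the tuple layout is an assumption.

```python
"""Flag ICMP Echo Replies whose payload differs from the matching request,
and hosts pinging one peer at a near-constant interval (beaconing), the two
observable traits of ICMP C2 as described for PingPull. Added example;
packet records are constructed samples."""
from collections import defaultdict
from typing import Dict, List, Tuple

# (time, src, dst, icmp_type, ident, seq, payload); type 8 = Echo Request, 0 = Echo Reply.
Packet = Tuple[float, str, str, int, int, int, bytes]

SAMPLE_PACKETS: List[Packet] = [
    # Benign ping: the reply mirrors the 32-byte Windows default payload.
    (0.0, "10.0.0.5", "10.0.0.1", 8, 1, 1, b"abcdefghijklmnopqrstuvwabcdefghi"),
    (0.01, "10.0.0.1", "10.0.0.5", 0, 1, 1, b"abcdefghijklmnopqrstuvwabcdefghi"),
    # Suspicious: regular beacons whose replies carry a different payload.
    (10.0, "10.0.0.7", "203.0.113.9", 8, 7, 1, b"beacon"),
    (10.02, "203.0.113.9", "10.0.0.7", 0, 7, 1, b"cmd:01"),
    (20.0, "10.0.0.7", "203.0.113.9", 8, 7, 2, b"beacon"),
    (20.03, "203.0.113.9", "10.0.0.7", 0, 7, 2, b"cmd:02"),
    (30.0, "10.0.0.7", "203.0.113.9", 8, 7, 3, b"beacon"),
    (30.01, "203.0.113.9", "10.0.0.7", 0, 7, 3, b"cmd:03"),
]


def mismatched_replies(packets: List[Packet]) -> List[Packet]:
    """Return Echo Replies whose payload differs from the matching Echo Request."""
    requests: Dict[Tuple[str, str, int, int], bytes] = {}
    hits: List[Packet] = []
    for pkt in packets:
        ts, src, dst, itype, ident, seq, payload = pkt
        if itype == 8:
            requests[(src, dst, ident, seq)] = payload
        elif itype == 0:
            # The reply travels in the opposite direction to its request.
            original = requests.get((dst, src, ident, seq))
            if original is not None and original != payload:
                hits.append(pkt)
    return hits


def beaconing_pairs(packets: List[Packet], max_jitter: float = 0.5,
                    min_requests: int = 3) -> Dict[Tuple[str, str], float]:
    """Return (src, dst) pairs sending Echo Requests at a near-constant
    interval, mapped to the mean interval in seconds."""
    times: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for ts, src, dst, itype, *_ in packets:
        if itype == 8:
            times[(src, dst)].append(ts)
    regular: Dict[Tuple[str, str], float] = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_requests:
            continue
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            regular[pair] = sum(gaps) / len(gaps)
    return regular
```

On real traffic, apply these checks to a Zeek or pcap-derived record stream and tune max_jitter and min_requests to the environment's monitoring tools, which also ping on schedules.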

PingPull variants that use HTTPS or TCP rather than ICMP to interact with their C2 server have been discovered, along with over 170 IP addresses associated with the group since late 2020. It is not clear how the targeted networks are initially compromised, although the threat actor is known to exploit internet-exposed applications to gain a foothold and to deploy a modified version of the China Chopper web shell for persistence.

Throughout Southeast Asia, Europe, and Africa, the GALLIUM group continues to pose a serious threat to telecommunications, finance, and government organizations. Organizations are advised to use the researchers' findings to inform protective measures against this group, which has added a new capability, PingPull, to its espionage toolkit.

HelloXD Ransomware Installs a Backdoor, Targets Windows and Linux Devices

HelloXD is a ransomware family that first appeared in November 2021 and carries out double-extortion attacks. Researchers have discovered several variants that affect both Windows and Linux systems.

According to a recent analysis from Palo Alto Networks Unit 42, the malware's author has developed a new encryptor with custom packing for detection evasion and tweaks to the encryption algorithm. This is a substantial deviation from the Babuk code, indicating the author's goal of building a new ransomware strain with capabilities that enable further attacks.

HelloXD ransomware threat 

HelloXD first emerged to the public on November 30, 2021, and is based on Babuk's leaked code, which was published in September 2021 on a Russian-language cybercrime site. 

Palo Alto Networks Unit 42 security researchers Daniel Bunce and Doel Santos said, "Unlike other ransomware, this ransomware does not have an active leak site; instead, it prefers to direct the infected victim to negotiations via Tox chat and onion-based messaging instances." 

The operators of this ransomware family are no exception: they rely on double extortion, exfiltrating a victim's sensitive data, encrypting it, and threatening to publish it unless a cryptocurrency ransom is paid.

HelloXD also drops MicroBackdoor, an open-source implant used for command-and-control (C2) communications that lets an operator browse the infected system, exfiltrate files, execute commands, and remove traces, according to its developer Dmytro Oleksiuk.

In March 2022, the Belarusian threat actor known as Ghostwriter (aka UNC1151) used multiple variants of the implant in its cyber operations against Ukrainian government agencies. MicroBackdoor's features allow an attacker to explore the file system, upload and download files, run commands, and delete traces of its activity from compromised PCs.

HelloXD is a harmful ransomware project in its early stages that is already being deployed in the wild. Although infection volumes are not high yet, its active and targeted development paves the way for a more dangerous state. By piecing together the actor's digital trail, Unit 42 said it connected the likely Russian vendor behind HelloXD (who goes by the online aliases x4k, L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4kme) to further cybercriminal activity, such as selling proof-of-concept (PoC) exploits and custom Kali Linux distributions laced with malicious software.

Between 2019 and 2021, the average duration of an enterprise ransomware attack (the period between initial access and ransomware deployment) decreased by 94.34 percent, from nearly two months to just 3.85 days, according to a new report by IBM X-Force.

This increase in speed and efficiency in the ransomware-as-a-service (RaaS) ecosystem has been attributed to the role of initial access brokers (IABs), who obtain access to victim networks and sell it to affiliates, who then use the foothold to deploy ransomware payloads.

Overall, the threat actor appears skilled and capable of moving HelloXD forward, so analysts should keep a close eye on its progress.

Palo Alto Networks' Unit 42 Publishes Report on Mespinoza Group

Unit 42 of Palo Alto Networks has examined the Mespinoza gang's latest techniques and practices, noting its 'cocky' messaging and its 'creatively named' tools, but found no evidence that the group has moved to a ransomware-as-a-service model.

Mespinoza's attacks largely mirror trends seen across other ransomware actors and families, favouring approaches that keep their operations simple and cheap.

The report researchers explained, "As with other ransomware attacks, Mespinoza originates through the proverbial front door – internet-facing RDP servers – mitigating the need to craft phishing emails, perform social engineering, leverage software vulnerabilities or other more time-consuming and costly activities. Further costs are saved through the use of numerous open-source tools available online for free, or through the use of built-in tools enabling actors to live off the land, all of which benefits bottom-line expenses and profits." 

Although Mespinoza has not been as active as the more prominent REvil, its operations have been highly successful: Unit 42's examination revealed that victims have paid up to $470,000 each for decryption of their files, mainly in the US and UK, including an attack on Hackney Council last October.

Once a victim is in their sights, they can move rapidly and precisely from breach to exfiltration to ransomware. In one case, by no means the quickest, less than three days elapsed from the initial RDP compromise to ransomware deployment: network reconnaissance and credential collection on the first day, exfiltration of the required data on the second, and ransomware deployment on the third.

"Through the use of various open-source tools - mostly designed for use by sysadmins and pen-testers - the Mespinoza actors can move around the network with ease, looking for high-value data for maximum leverage as they go, and staging the latter parts of their attack to encrypt as many systems as possible," stated Alex Hinchliffe, threat intelligence analyst at Unit 42. 

The group has primarily targeted the manufacturing, retail, medical, and education sectors. Earlier reports had suggested that the Mespinoza group was following in REvil's footsteps by offering ransomware-as-a-service, but Unit 42's research found no evidence of this.

The group's communications, described by the researchers as "cocky," may be misleading in this respect. "Victim organizations are referred to as 'partners,'" the researchers found. "Use of that term suggests that they try to run the group as a professional enterprise and see victims as business partners who fund their profits."

"Generally speaking RDP and other remote administration tools have become a high-value target for many cybercriminals and nation-state adversaries because of how simple it is to find them," Hinchliffe told. 

"There's no reason to expose RDP directly to the public internet in this day and age," security researcher Tom Hudson told The Register of the all-too-familiar entry point for Mespinoza's attacks. "If you need RDP access over the internet you should be requiring the use of a VPN with multi-factor authentication enforced." 

While Mespinoza may not be above copying other malware groups' victim lists, its tools are clearly named with more imagination. The report notes that a tool for building network tunnels is dubbed 'MagicalSocks', and that a component stored on its server, probably used to wrap up an attack, is called 'HappyEnd.bat'.