A Windows zero-day vulnerability has been exploited in a recent string of ransomware attacks. The attacks involve a new strain of ransomware called Nokoyawa, which leverages the vulnerability to infect and encrypt files on Windows systems.
The libraries were discovered by software supply chain security firm Phylum, which said the ongoing activity is a continuation of a campaign that was first made public in November 2022.
In an initial finding, it was discovered that popular packages including beautifulsoup, bitcoinlib, cryptofeed, matplotlib, pandas, pytorch, scikit-learn, scrapy, selenium, solana, and tensorflow were being mimicked via typosquatting.
For each of the aforementioned, the threat actors deploy between 13 and 38 typosquatting variations in an effort to account for a wide variety of potential mistypes that could lead to the download of the malicious package.
In order to evade detection, the malicious actors deployed a new obfuscation tactic that was not being utilized in the November 2022 wave. Instead, they are now using a random 16-bit combination of Chinese ideographs for function and variable identifiers.
Researchers at Phylum emphasized that the code makes use of the built-in Python functions and a series of arithmetic operations for the string generation system. This way, even if the obfuscation produces a visually striking outcome, it is not extremely difficult to unravel.
"While this obfuscation is interesting and builds up extremely complex and highly obfuscated looking code, from a dynamic standpoint, this is trivial[…]Python is an interpreted language, and the code must run. We simply have to evaluate these instances, and it reveals exactly what the code is doing,” reads a Phylum report.
For taking control of the cryptocurrency transactions, the malicious PyPi packages create a malicious Chromium browser extension in the ‘%AppData%\Extension’ folder, similar to the November 2022 attacks.
It then looks for Windows shortcuts pertaining to Google Chrome, Microsoft Edge, Brave, and Opera, followed by hijacking them to load the malevolent browser extension using the '--load-extension' command line argument.
For example, a Google Chrome shortcut would be hijacked to "C:\Program Files\Google\Chrome\Application\chrome.exe --load-extension=%AppData%\\Extension".
After the web browser is launched, the extension will load, and malicious JavaScript will monitor for cryptocurrency addresses copied to the Windows clipboard. When a crypto address is found, the browser extension will swap it out for a list of addresses that are hardcoded and under the control of the threat actor. By doing this, any sent cryptocurrency transaction funds will be sent to the wallet of the threat actor rather than the intended receiver.
By including cryptocurrency addresses for Bitcoin, Ethereum, TRON, Binance Chain, Litecoin, Ripple, Dash, Bitcoin Cash, and Cosmos in this new campaign, the threat actor has increased the number of wallets that are supported.
These findings illustrate the ever-emerging threats that developers face from supply chain attacks, with threat actors inclining to methods like typosquatting to scam users into installing fraudulent packages.
The malware was discovered by the security firm researchers in June 2022 and was named ‘Mimic.’ According to the researchers, the malware has been “deleting shadow copies, terminating multiple applications and services, and abusing Everything32.dll functions to query target files that are to be encrypted.”
The researchers also found that some of the code in Mimic shared similarities with the infamous Conti ransomware, which was leaked in early 2022 following a number of high-profile incidents.
Mimic ransomware attack begin with targeted victims receiving executable, most likely via an email, that retrieves four files from the target system, including the main payload, ancillary files, and tools to disable Windows Defender.
The researchers’ findings reveal that the ransomware attack largely constituted legitimate files, of which one file contains the malicious payloads. Mimic is a sophisticated strain of ransomware that may use command-line options to target specific files and multiple processor threads to encrypt data more rapidly.
According to Trend Micro, this combination of several active threads and the way it abuses Everything's APIs enable it to operate with minimum resource consumption, leading to a more effective execution and attack.
One of the best measures advised to the companies is by implementing a multilayered approach, which will provide the most efficient security, including data protection, backup and recovery measures.
Utilizing a range of software that are designed to prevent, mitigate and combat the attacks on personal and business computers will add another layer of protection to the systems.
Moreover, conducting regular vulnerability assessment and patching those vulnerabilities in the systems as soon as security updates become available will additionally aid in combating potential ransomware attack.
As per the reports from observations made by Atlas VPN based on data from threat intelligence platform AV-ATLAS, as many as 1.9 million Linux malware threats were observed in 2022, bringing the figure up 50% year-on-year.
The reports further claimed that most of the Linux malware samples were discovered in the first three months of the year.
In Q1 2022, researchers identified 854,690 new strains. The number later dropped by 3% in Q2, detecting 833,065 new strains.
The number of new detections fell 91% to 75,841 in the third quarter of the year, indicating that Linux malware developers may have taken their time off. The numbers increased once more in the fourth quarter of the year, rising by 117% to 164,697.
Despite the researcher’s observations, Linux remains one of the “highly secure operating systems.”
“The open-source nature of Linux allows for constant review by the tech community, leading to fewer exploitable security vulnerabilities. Additionally, Linux limits administrative privileges for users and compared to more widely used operating systems like Windows, it still has less malware targeting it,” the researchers added.
While threat actors will not stop chasing flaws in the world’s fifth most popular operating systems, businesses and consumers alike must also be on the lookout, the researchers concluded.
Although Linux is not as popular as Windows or macOS, it is still a widely used operating system. From Android devices (which are built on Linux) to Chromebooks, video cameras, and wearable devices, to all kinds of servers (web servers, database servers, email servers, etc.) there are more than 32 million endpoints operating on Linux.
According to Uptycs security researcher Karthickkumar Kathiresan, the malware campaign is designed to acquire sensitive information like system details, cryptocurrency wallet information, browser histories, cookies, and login credentials of crypto wallets.
In today’s world of cybercrime, which is constantly evolving, one of the most severe forms of malware that one must beware of is the info-stealer. This covert digital burglar may sneak into your devices and networks to steal sensitive information, consequently rendering you vulnerable to identity theft, financial fraud, or more devastating repercussions.
In order to protect oneself from malware attacks like info-stealer, it is advised by Uptycs to update passwords regularly and employ robust security controls with multi-layered visibility and security solutions.
There's no end to the cookie pop-up trouble. Wherever you go on the web, the user screen is hijacked by huge billboard-sized pop-ups that request if it's okay for the site to track us online. Our reply is always a confident "NO."
Still, you have to click the "decline" button every time, and most of the time, it's layered under complicated jargon. Fortunately, there is a browser extension on every platform to restrict and block cookie consent on pop-ups without you having to manually do it.
The simplest way to get rid of irritating cookie prompts is to automate your response to the consent pop-up. On the computer and phone, you can install third-party extensions and applications that automatically hint sites to acknowledge our right to privacy whenever we come across a data collection pop-up on the web. Here's how you can do that.
If you're using Google Chrome, Safari, Firefox, or any other Chromium-based browser like Brave and Microsoft Edge, our best bet against cookie pop-ups is an extension named "Consent-O-Matic."
Many pop-up blocker extensions just prevent the website from displaying a cookie prompt. It can disfigure a page's content and despite clear instructions from GDPR that need clear permission, websites continue to trace the user as they wish when they fail to communicate their consent response. Consent-O-Matic makes sure the website knows we are not OK with any form of tracking.
What makes "Consent-O-Matic" different from the diverse alternatives is how they manage cookie consent prompts. The right-to-privacy pop-ups ask us to select what type of information we don't want to share.
There are various toggles to know if the website can track our clicks, the type of ads we see or interact with, the personal data we voluntarily entered, cookies, etc. And unless we switch off these personally, the sites may still track you even when you disable the decline button.
Consent-O-Matic saves the user trouble of going through all of these. It automatically toggles off all the data collection actions, along with cookies, in a "right to privacy" pop-up.
Another good thing about Consent-O-Matic is that it's open-source and made by experts at Aarhus University in Denmark. It means that it doesn't have any ill motives to track a user and secretly record user data.
A surveillance vendor from Barcelona called Variston IT is believed to deploy spyware on victim devices by compromising various zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of these go back to December 2018.
Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said "their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device."
Variston has a bare-bones website, it claims to provide tailor-made security solutions to its customers, it also makes custom security patches for various types of proprietary systems and assists in the discovery of digital information by law enforcement agencies, besides other services.
Google said "the growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups. These abuses represent a serious risk to online safety which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry."
The vulnerabilities, which have been fixed by Google, Microsoft, and Mozilla in 2021 and early 2022, are said to have been used as zero-days to help customers deploy whichever malware they want to, on targeted systems.
Heliconia consists of three components called Noise, Files, and Soft, each of these is responsible for installing exploits against vulnerabilities in Windows, Firefox, and Chrome, respectively.
Noise is designed to exploit a security flaw in the Chrome V8 engine JavaScript that was fixed last year in August 2021, along with an unknown sandbox escape method known as "chrome-sbx-gen" to allow the final payload (also called an agent) to be deployed on select devices.
But the attack works only when the victim accesses a malicious webpage intended to trap the user, and then trigger the first-stage exploit.
Google says it came to know about the Heliconia attack framework after it got an anonymous submission in its Chrome bug reporting program. It further said that currently there's no proof of exploitation, after hinting the toolset has shut down or evolved further.
Although the vulnerabilities are now patched, we assess it is likely the exploits were used as 0 days before they were fixed.
Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape
Heliconia Soft: a web framework that deploys a PDF containing a Windows Defender exploit
Files: a set of Firefox exploits for Linux and Windows.