Search This Blog

Showing posts with label virus. Show all posts

New Emotet Variant Capturing Users' Credit Card Data from Google Chrome

 

The infamous Emotet malware has deployed a new module aimed to steal credit card data saved in the Chrome web browser. According to corporate security firm Proofpoint, which discovered the component on June 6, the credit card stealer, which only targets Chrome, has the capacity to exfiltrate the acquired information to several remote command-and-control (C2) servers. 

The news comes amid a surge in Emotet activity since it was reactivated late last year after a 10-month pause caused by a law enforcement operation that destroyed its attack infrastructure in January 2021. Emotet, attributed to the threat actor TA542 (aka Mummy Spider or Gold Crestwood), is a sophisticated, self-propagating, and modular trojan that is distributed via email campaigns. 

According to Check Point, as of April 2022, Emotet is still the most renowned malware, with a global impact of 6% of organisations worldwide, followed by Formbook and Agent Tesla, with the malware testing new delivery methods using OneDrive URLs and PowerShell in.LNK attachments to circumvent Microsoft's macro restrictions. 

The steady increase in Emotet-related threats is further supported by the fact that the number of phishing emails, which frequently hijack existing correspondence, increased from 3,000 in February 2022 to approximately 30,000 in March, targeting organisations in various countries as part of a large-scale spam campaign. ESET stated that Emotet activity "shifted to a higher gear" in March and April 2022 and that detections increased 100-fold, indicating an 11,000 percent increase during the first four months of the year when compared to the preceding three-month period from September to December 2021. 

Japan, Italy, and Mexico have been frequent targets since the botnet's revival, according to the Slovak cybersecurity firm, with the largest wave recorded on March 16, 2022. 

Dušan Lacika, the senior detection engineer at Dušan Lacika, said, "The size of Emotet's latest LNK and XLL campaigns was significantly smaller than those distributed via compromised DOC files seen in March. This suggests that the operators are only using a fraction of the botnet's potential while testing new distribution vectors that could replace the now disabled-by-default VBA macros." 

Researchers from CyberArk also revealed a novel approach for extracting plaintext credentials directly from memory in Chromium-based web browsers. 

"Credential data is stored in Chrome's memory in cleartext format. In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager," CyberArk's Zeev Ben Porat said.

This includes cookie-related information such as session cookies, which an attacker might harvest and utilise to hijack users' accounts even if they are secured by multi-factor authentication.

Hive Ransomware Employs New 'IPfuscation' Tactic to Conceal Payload

 

Threat researchers have found a new obfuscation strategy employed by the Hive ransomware gang, which utilises IPv4 addresses and a series of conversions that leads to the download of a Cobalt Strike beacon. Threat actors use code obfuscation to conceal the malicious nature of their code from human reviewers or security software to avoid discovery. 

There are a variety of techniques to create obfuscation, each with its own set of benefits and drawbacks, but a new one identified during an incident response involving Hive ransomware reveals that adversaries are coming up with new, subtler ways to accomplish their objective. 

Analysts at Sentinel Labs describe a new obfuscation technique called "IPfuscation," which is another example of how effective basic but sophisticated tactics can be in real-world malware deployment. The new approach was discovered while examining 64-bit Windows executables, each of which contained a payload that delivered Cobalt Strike. 

The payload is disguised as an array of ASCII IPv4 addresses, giving it the appearance of a harmless list of IP addresses. The list could potentially be misconstrued for hard-coded C2 communication information in malware research. A blob of shellcode arises when the file is handed to a converting function (ip2string.h) that converts the string to binary.

Following this step, the virus executes the shellcode either directly through SYSCALLs or through a callback on the user interface language enumerator (winnls.h), resulting in a normal Cobalt Strike stager. 

The following is an example from the Sentinel Labs report: The first hardcoded IP-formatted string is the ASCII string “252.72.131.228”, which has a binary representation of 0xE48348FC (big-endian), and the next “IP” to be translated is “240.232.200.0”, which has a binary representation of 0xC8E8F0. 

Disassembling these “binary representations” indicates the start of shellcode generated by common penetration testing frameworks. The analysts have uncovered additional IPfuscation variants that instead of IPv4 addresses use IPv6, UUIDs, and MAC addresses, all operating in an almost identical manner as was described above.

The conclusion here is that relying simply on static signatures to detect malicious payloads is no longer sufficient. According to the researchers, behavioural detection, AI-assisted analysis, and holistic endpoint security that combines suspicious elements from various locations have a better probability of removing IPfuscation.

BazarBackdoor Abused Windows 10 Application Feature in 'Call me back' Attack

 

In a new phishing campaign spreading the BazarBackdoor malware, a Microsoft Windows 10 app feature is being exploited.

On Thursday, Sophos Labs experts reported that the attack was detected when spam emails were sent to the cybersecurity firm's own employees — but these emails weren't just any spam; they were written with at least a minimal amount of social engineering. 

One of the emails, from the non-existent "Adam Williams," a "Sophos Main Manager Assistant," requested to know why a researcher hadn't addressed a customer's complaint. The email also included a PDF link to the message to make resolution easy. The link, however, was a hoax that demonstrated a "new" approach for spreading the BazarBackdoor malware. 

Sophos researcher Andrew Brandt explained, "In the course of running through an actual infection I realized that this construction of a URL triggers the browser [in my case, Microsoft's Edge browser on Windows 10], to invoke a tool used by the Windows Store application, called AppInstaller.exe, to download and run whatever's on the other end of that link." 

Sophos stated to be "unfamiliar" with this strategy, which involves exploiting the Windows 10 App installation process to transmit malicious payloads. The phishing bait directs prospective victims to a website that uses the Adobe brand and invites them to click on a button to preview a PDF file. When users move the mouse over the link, the prefix "ms-appinstaller" appears. 

This link then links to a text file called Adobe.appinstaller, which in turn points to a larger file called Adobe_.7.0.0_x64appbundle, which is hosted on a different URL. A warning notification appears and a notice that software has been digitally signed with a certificate issued several months ago. (The certificate authority has been notified of the misuse by Sophos.) 

The victim is then urged to approve the installation of "Adobe PDF Component," and if they comply, the BazarBackdoor malware is installed and launched in seconds. BazarBackdoor is similar to BazarLoader in that it connects via HTTPS, but it is distinguished by the volume of noisy traffic it creates. BazarBackdoor can exfiltrate system data and has been connected to Trickbot and the probable deployment of Ryuk ransomware. 

Brandt stated, "Malware that comes in application installer bundles is not commonly seen in attacks. Unfortunately, now that the process has been demonstrated, it's likely to attract wider interest. Security companies and software vendors need to have the protection mechanisms in place to detect and block it and prevent the attackers from abusing digital certificates."

FiveSys Rootkit Exploits Microsoft-Issued Digital Signature

 

A rootkit termed FiveSys can potentially avoid detection and enter Windows users' PCs by abusing a Microsoft-issued digital signature, as per the Bitdefender security experts, 

Microsoft introduced rigorous requirements for driver packages that aim to receive a WHQL (Windows Hardware Quality Labs) digital signature to prevent certain types of malicious attacks, and starting with Windows 10 build 1607, it prevents kernel-mode drivers from being loaded without such a certificate. 

Malware developers, on the other hand, seem to have discovered a way to bypass Microsoft's certification and obtain digital signatures for their rootkits, allowing them to target victims without raising suspicion. 

Microsoft confirmed in June that intruders had successfully submitted the Netfilter rootkit for certification via the Windows Hardware Compatibility Program. Now, Bitdefender's researchers warn that the FiveSys rootkit also has a Microsoft-issued digital signature, implying that this might soon become an emerging trend in which adversaries successfully verify their malicious drivers and signed by Microsoft. 

According to the researchers, FiveSys is comparable to the Undead malware that was first disclosed a few years ago. Furthermore, the rootkit, like Netfilter, is aimed towards the Chinese gaming industry. 

Bitdefender stated, “The attackers seem to originate from China and target several domestic games. We can confidently attribute this campaign to several threat actors, as their tools share the same functionality but are vastly different in implementation.” 

The rootkit directs Internet traffic to a custom proxy server using a frequently updated autoconfiguration script that comprises a list of domains/URLs. Furthermore, the rootkit can prohibit drivers from the Netfilter and fk_undead malware families from being loaded by using a list of digital signatures. 

Moreover, FiveSys offers a built-in list of 300 supposedly randomly created domains that are encrypted and are intended to circumvent possible takedown attempts. Bitdefender also claims to have discovered multiple user-mode binaries that are used to obtain and execute malicious drivers on target PCs. 

FiveSys appears to use four drivers in all, although only two of them were isolated by the security experts. After discovering the abuse, Microsoft cancelled FiveSys' signature.

While the rootkit is being used to steal login credentials from gaming accounts, it is likely that it may be utilised against other targets in the future. However, by following a few easy cybersecurity safeguards, one can prevent falling prey to such or similar assaults.

Botezatu recommended,  "In order to stay safe, we recommend that users only download software from the vendor's website or from trusted resources. Additionally, modern security solutions can help detect malware – including rootkits – and block their execution before they are able to start." 

ESET: FontOnLake Rootkit Malware Targets Linux Systems

 

Researchers have detected a new campaign that is potentially targeting businesses in Southeast Asia using previously unknown Linux malware that is designed to allow remote access to its administrators, as well as collect credentials and operate as a proxy server. 

The malware group, called "FontOnLake" by the Slovak cybersecurity firm ESET, is reported to entail "well-designed modules" that are constantly modified with a wide range of features, indicating an active development stage. 

According to samples uploaded to VirusTotal, the initial attacks employing this threat may have happened as early as May 2020. The same virus is being tracked by Avast and Lacework Labs under the name HCRootkit. 

ESET researcher Vladislav Hrčka stated, "The sneaky nature of FontOnLake's tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks." 

"To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake's presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism." 

FontOnLake's toolkit consists of three components: trojanized copies of genuine Linux utilities utilized to load kernel-mode rootkits and user-mode backdoors, all of which interact through virtual files. The C++-based implants themselves are programmed to monitor systems, discreetly perform commands on networks, and steal account passwords. 

A second variation of the backdoor also function as a proxy, modify files, and download arbitrary files, while a third variant, in addition to combining characteristics from the other two backdoors, can run Python scripts and shell commands. 

ESET discovered two variants of the Linux rootkit that are based on an open-source project called Suterusu and share features like hiding processes, files, network connections, and itself, as well as being able to perform file operations and obtain and run the user-mode backdoor. 

Enterprise Password Management 

It is yet unknown how the attackers gained initial network access but the cybersecurity firm highlighted that the malicious actor behind the assaults is "overly cautious" to avoid leaving any traces by depending on multiple, unique command-and-control (C2) servers with different non-standard ports. All the C2 servers observed in the VirusTotal artifacts are no longer working. 

Hrčka stated, "Their scale and advanced design suggest that the authors are well versed in cybersecurity and that these tools might be reused in future campaigns." 

"As most of the features are designed just to hide its presence, relay communication, and provide backdoor access, we believe that these tools are used mostly to maintain an infrastructure which serves some other, unknown, malicious purposes."

Chinese Webdav-O Virus Attacked Russian Federal Agencies

 

In 2020, a collection of Chinese state-sponsored threat groups may have been behind a series of targeted attacks on the Russian federal executive authority. The latest study, published by Singapore-based Group-IB, looks into a piece of computer virus known as "Webdav-O" that was discovered in the intrusions, with the cybersecurity firm noticing similarities between the tool and a popular Trojan known as "BlueTraveller," which is linked to a Chinese threat group known as TaskMasters and used in malicious activities with the aim of espionage and plundering confidential documents. 

The report builds on a series of public disclosures in May from Solar JSOC and SentinelOne, both of which revealed a malware called "Mail-O" that was also observed in attacks against Russian federal executive authorities to access the cloud service Mail.ru, with SentinelOne linking it to a variant of another well-known malicious software called "PhantomNet" or "SManager" used by a threat actor dubbed TA428. 

TA428 has been targeting government entities in East Asia since 2013, with a particular focus on those involved in domestic and foreign policy, government information technology, and economic development. Attackers used the Microsoft Equation Editor exploit CVE-2018-0798 to deploy a custom malware called Cotx RAT, according to Proofpoint researchers. This APT gang also employs Poison Ivy payloads, which share command and control (C&C) infrastructure with the newly discovered Cotx attacks.

"Chinese APTs are one of the most numerous and aggressive hacker communities," researchers Anastasia Tikhonova and Dmitry Kupin said. "Hackers mostly target state agencies, industrial facilities, military contractors, and research institutes. The main objective is espionage: attackers gain access to confidential data and attempt to hide their presence for as long as possible."

"The main goal of the hackers was to completely compromise the IT infrastructure and steal confidential information, including documents from closed segments and email correspondence of key federal executive authorities," Solar JSOC noted, adding the "cybercriminals ensured themselves a high level of secrecy through the use of legitimate utilities, undetectable malware, and a deep understanding of the specifics of the work of information protection tools installed in government bodies."

“It is noteworthy that Chinese hacker groups actively exchange tools and infrastructure, but perhaps it is just the case here,” Group-IB points out. The researchers also point out that evidence implies a big hacking force made up of People's Liberation Army intelligence units may be operating out of China, with the numerous Chinese APT groups tracked by threat intelligence agencies being little more than subgroups.

Companies Unintentionally Exposing Data by Misusing a Virus Scanner




Security analysts from OTORIO have as of late discovered that a huge number of unprotected files from companies over the pharmaceutical, industrial, automotive and food sectors have been unintentionally exposing data including blueprints and intellectual property by misusing Alphabet's virus scanner.

Daniel Bren, CEO at Otorio said that, “From what we found, we could design a very constructive hack. We found files that gave us a blueprint of how to infiltrate the production floor. The companies’ trademarked secrets are on those blueprints,”

All this was however possible on account of VirusTotal, a virus scanner, owned by Alphabet’s cybersecurity subsidiary Chronicle. This virus scanner makes 'scanned documents' accessible to organizations for the identification of malware; be that as it may, a few companies are abusing the virus scanner and are uncovering sensitive documents.

Bren noticed that researchers can gain admittance to the uploaded files with a deal to avoid utilizing the data. Notwithstanding, a few researchers are misusing the service and are 'publishing the incoming documents'.

A representative for VirusTotal said that the company screens all customers before giving them access to the information. “Researchers don’t have searchable access to the file base and customers that are found to abuse any data are cut off,” the spokesperson said.

Nonetheless Otorio had informed VirusTotal about its discoveries in July and the company subsequently acknowledged it concurring that there was a need to bring issues to light about how the administration functions and how security applications ought to be arranged.

Computer at Japanese Monju Nuclear Power Plant infected with Malware


A computer at Japanese Monju Nuclear Power plant control room was recently found to have infected with a piece of virus.

The malware infection does not seems to be part of any kind of targeted attacks.  The malware is said to have found its way into the system after one of the facility's employee updated a video playback program.

The machine in question is one of the eight computers in the control room, used by employees to file paperwork, according to Japan Today.

The server admin noticed an unusual behavior on January 2nd.  According to enformable report, the infected system was accessed over 30 times in five days after the employee performed software update.

The infected machine is said to have stored many sensitive documents including employee data sheets, over 42,000 emails and training logs.